
Question #20 Topic 4

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an Azure subscription that contains the resources shown in the following table.

VM1 connects to VNET1.

You need to connect VM1 to VNET2.

Solution: You move VM1 to RG2, and then you add a new network interface to VM1.

Does this meet the goal?

A. Yes

B. No

Correct Answer: B

Instead you should delete VM1. You recreate VM1, and then you add the network interface for VM1.

Note: When you create an Azure virtual machine (VM), you must create a virtual network (VNet) or use an existing VNet. You can change the subnet a VM is connected to after it's created, but you cannot change the VNet.

Reference:

https://docs.microsoft.com/en-us/azure/virtual-machines/windows/network-overview

Community vote distribution


B (100%)

  mlantonis Highly Voted  2 years, 9 months ago

Correct Answer: B - No

Instead, you should delete VM1. Then recreate VM1 and add the network interface for VM1.

To migrate a VM from a VNET to another VNET, the only option is to delete the VM and redeploy it using a new NIC and NIC connected to VNET2.

Note: When you create an Azure Virtual Machine (VM), you must create a Virtual Network (VNet) or use an existing VNet. You can change
the subnet a VM is connected to after it's created, but you cannot change the VNet. You can also change the size of a VM.

Reference:

https://docs.microsoft.com/en-us/azure/virtual-machines/windows/network-overview
upvoted 95 times

  Narendragpt 2 years, 1 month ago


The question says we need to connect VM1 to VNET2, not to move it. So which answer is correct?
upvoted 1 times

  mung 1 year, 2 months ago


You are right, but the only way to connect VM1 to VNET2 is to delete VM1 and recreate it on RG2 and connect to VNET2.

Changing VNET is not an easy task once VM is deployed and running.


upvoted 2 times

  waterzhong Highly Voted  3 years, 1 month ago

If you create a VM and later want to migrate it into a VNet, it is not a simple configuration change. You must redeploy the VM into the
VNet. The easiest way to redeploy is to delete the VM, but not any disks attached to it, and then re-create the VM using the original disks in
the VNet.
upvoted 59 times

  Tilakarasu Most Recent  1 month ago


Answer is No,
Reason: when you move a VM you can choose the RG only, not the VNet. (So here VM1 cannot connect to VNET2.)
upvoted 1 times

  Andreas_Czech 8 months, 1 week ago

Selected Answer: B

tested in LAB (2023-06-06)


created all Resources, moved VM1 to RG2, created a NetInterface in RG2.
tried to connect it to VM1 -> grayed out -> must be NO
upvoted 1 times

  obaali1990 11 months ago


Selected Answer: B

The answer is NO
upvoted 1 times

  UmbongoDrink 1 year ago

Selected Answer: B

Instead you should delete VM1. You recreate VM1, and then you add the network interface for VM1.
upvoted 1 times

  NaoVaz 1 year, 5 months ago

Selected Answer: B

B) "No"

The only way to change the VNET from a VM is by re-creating the VM in the desired VNET.

Reference: https://docs.microsoft.com/en-us/answers/questions/130410/how-to-change-the-vnet-of-a-vm.html
upvoted 4 times

  EmnCours 1 year, 5 months ago

Selected Answer: B

Correct Answer: B
upvoted 1 times

  Lazylinux 1 year, 8 months ago

Selected Answer: B

I Luv Honey because it is B

Remember this: Network interface (VM <--> VNET <--> NIC: all three resources MUST be in the same location). So before creating a network interface, you must have an existing virtual network in the same location and subscription you create the network interface in.
upvoted 7 times

  manalshowaei 1 year, 8 months ago

Selected Answer: B

B. No
upvoted 1 times

  DrJoness 1 year, 10 months ago


Question appeared in exam today, April 7 2022
upvoted 3 times

  ajayasa 1 year, 11 months ago


this question was there on 16/03/2022 with same question and passed with 900 percent
upvoted 2 times

  Bere 2 years, 2 months ago


The solution says:
You delete VM1. You recreate VM1, and then you create a new network interface for VM1 and connect it to VNET2.

The right answer would be:


You delete VM1. You copy the disk from West US region to East Asia region. You recreate VM1 from the disk you have copied, and then you
can connect VM1 to VNET2.
upvoted 3 times

  Gumer 2 years, 3 months ago


I failed yesterday's exam, scored 697, and got this series of questions
upvoted 6 times

  sachin007 2 years, 2 months ago


So close, give it another shot. Sure pass, all the best
upvoted 4 times

  orion1024 2 years, 4 months ago


It says "you need to connect" not "you need to move".
So setting up the VM as multihomed should be a valid answer, hence answer A ?

Besides, it seems possible to change the primary vNIC of a VM after deployment, so I'm not getting this whole "need to delete VM to
change VNET" thing. What am I missing ?
upvoted 1 times

  orion1024 2 years, 4 months ago


I found what I was missing, I mixed up VNIC and VNET. You can add multiple vNIC but they all belong to the VNET assigned to the VM at
creation, which can't be changed.
upvoted 5 times

  Kamex009 2 years, 5 months ago


This question was asked on exam taken on 08/22/2021
upvoted 4 times

  Shiven12 2 years, 7 months ago


This question came in the exam on 28/6/2021 - Passed the exam
upvoted 7 times
Question #21 Topic 4

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an Azure subscription that contains the resources shown in the following table.

VM1 connects to VNET1.

You need to connect VM1 to VNET2.

Solution: You delete VM1. You recreate VM1, and then you create a new network interface for VM1 and connect it to VNET2.

Does this meet the goal?

A. Yes

B. No

Correct Answer: A

You should delete VM1. You recreate VM1, and then you add the network interface for VM1.

Note: When you create an Azure virtual machine (VM), you must create a virtual network (VNet) or use an existing VNet. You can change the subnet a VM is connected to after it's created, but you cannot change the VNet.

Reference:

https://docs.microsoft.com/en-us/azure/virtual-machines/windows/network-overview

Community vote distribution


A (100%)

  mlantonis Highly Voted  2 years, 9 months ago

Correct Answer: A - Yes

You should delete VM1. Then recreate VM1 and add the network interface for VM1.

To migrate a VM from a VNET to another VNET, the only option is to delete the VM and redeploy it using a new NIC and NIC connected to VNET2.

Note: When you create an Azure Virtual Machine (VM), you must create a Virtual Network (VNet) or use an existing VNet. You can change
the subnet a VM is connected to after it's created, but you cannot change the VNet. You can also change the size of a VM.

Reference:

https://docs.microsoft.com/en-us/azure/virtual-machines/windows/network-overview
upvoted 68 times

  panileka 2 years, 5 months ago


VNET1 and VNET2 are in two different regions.. I am not sure we can connect a VM to these two networks.
upvoted 3 times

  ShivaUdari 2 years, 1 month ago


We should move the OSdisk to destination region and then creating new VM will work.
upvoted 4 times

  fedztedz Highly Voted  3 years, 2 months ago


Answer is correct. YES (A). To migrate a VM from a VNET to another VNET, the only option is to delete the VM and redeploy it using a new NIC and NIC connected to VNET2
upvoted 37 times

  897dd59 Most Recent  4 months ago


Should be a NO. The reasons why are:
1/ VM1 to connect to VNET2 => connect, not migrate => means to keep VM1 and make sure the connection goes through to VNET2
2/ In my opinion, if this were the case => NO. The only solution to make VM1 connect to VNET2 => different region and RG => PEERING connection => VNET Peering helps 2 VNETs make a connection together => hence the resources, VMs more specifically => able to connect.
I did quite a lot of cases and labs; once the VNET Peering is established, the VM on VN1 can ping the VM on VNET2 => makes a connection

  UmbongoDrink 1 year ago


Selected Answer: A

You should delete VM1. Then recreate VM1 and add the network interface for VM1.
upvoted 1 times

  NaoVaz 1 year, 5 months ago


Selected Answer: A

A) "Yes"

The only way to change the VNET from a VM is by re-creating the VM in the desired VNET.

Reference: https://docs.microsoft.com/en-us/answers/questions/130410/how-to-change-the-vnet-of-a-vm.html
upvoted 1 times

  Mev4953 1 year, 5 months ago


Redeployment :)
upvoted 2 times

  EmnCours 1 year, 5 months ago


Selected Answer: A

Correct Answer: A
upvoted 1 times

  Lazylinux 1 year, 8 months ago


Selected Answer: A

Yep A is correct
upvoted 1 times

  manalshowaei 1 year, 8 months ago


Selected Answer: A

A. Yes
upvoted 1 times

  techie_11 1 year, 10 months ago


On exam 04/12/2022. Answer correct A
upvoted 4 times

  ajayasa 1 year, 11 months ago


this question was there on 16/03/2022 with same question and passed with 900 percent
upvoted 4 times

  benvdw 1 year, 11 months ago


on exam 13/3/2022
upvoted 3 times

  josevirtual 1 year, 11 months ago

Selected Answer: A

YES - Answer is correct


upvoted 1 times

  InvisibleShadow 1 year, 11 months ago


This question came in the exam today 8/Mar/2022.
I passed the exam, 95% questions came from here.
upvoted 2 times

  Spandrop 2 years, 7 months ago


You delete and recreate, fine. But the question says: you delete and recreate, and then you connect ...... recreate where?! Same RG?
Different one? ... I think that the question is not clear, but the overall idea is if you have to move a VM, delete and recreate it.
upvoted 7 times

  dumz 2 years, 4 months ago


Yes, I have same concern as yours.
We should re-create VM1 in the same region as VNET2.
upvoted 2 times

  ranajoy97 2 years, 7 months ago


The correct answer is NO. In order to attach a VM to a VNET, the VM and the VNET need to be in the same zone. As VNET2 is in a separate zone, it won't work
upvoted 3 times

  Ahmed_Root 1 year, 10 months ago


I agree with you, I don't understand why all people here vote for YES !!!
upvoted 1 times

  Shiven12 2 years, 7 months ago


This question came in the exam on 28/6/2021 - Passed the exam
upvoted 1 times
Question #22 Topic 4

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an Azure subscription that contains the resources shown in the following table.

VM1 connects to VNET1.

You need to connect VM1 to VNET2.

Solution: You turn off VM1, and then you add a new network interface to VM1.

Does this meet the goal?

A. Yes

B. No

Correct Answer: B

Instead you should delete VM1. You recreate VM1, and then you add the network interface for VM1.

Note: When you create an Azure virtual machine (VM), you must create a virtual network (VNet) or use an existing VNet. You can change the subnet a VM is connected to after it's created, but you cannot change the VNet.

Reference:

https://docs.microsoft.com/en-us/azure/virtual-machines/windows/network-overview

Community vote distribution


B (100%)

  mlantonis Highly Voted  2 years, 9 months ago

Correct Answer: B - No

Instead, you should delete VM1. Then recreate VM1 and add the network interface for VM1.

To migrate a VM from a VNET to another VNET, the only option is to delete the VM and redeploy it using a new NIC and NIC connected to VNET2.

Note: When you create an Azure Virtual Machine (VM), you must create a Virtual Network (VNet) or use an existing VNet. You can change
the subnet a VM is connected to after it's created, but you cannot change the VNet. You can also change the size of a VM.

Reference:

https://docs.microsoft.com/en-us/azure/virtual-machines/windows/network-overview
upvoted 37 times

  klasbeatz 1 year, 7 months ago


Question... If you didn't want to worry about losing the content of the VM in the OS, could you just re-attach the disk to the new VM after you create it in the new desired VNET?
upvoted 1 times

  fedztedz Highly Voted  3 years, 2 months ago

The answer is correct . NO (B).


Even if you added a new network interface, this interface will be connected to the same VNET1.
upvoted 25 times

  Hibs2016 3 years, 2 months ago


Correct, specified in the constraints at the bottom of the page at this link: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface-vm
"You can connect network interfaces in the same VM to different subnets within a virtual network. However, the network interfaces
must all be connected to the same virtual network."
upvoted 6 times

  panileka 2 years, 5 months ago


i am not sure if we can connect a VM to two networks that are not in the same region..
upvoted 1 times

  Kai_123 Most Recent  9 months, 4 weeks ago

Correct Answer: B- No
upvoted 1 times

  UmbongoDrink 1 year ago

Selected Answer: B

Instead you should delete VM1. You recreate VM1, and then you add the network interface for VM1.
upvoted 1 times

  NaoVaz 1 year, 5 months ago


Selected Answer: B

B) "No"

The only way to change the VNET from a VM is by re-creating the VM in the desired VNET.

Reference: https://docs.microsoft.com/en-us/answers/questions/130410/how-to-change-the-vnet-of-a-vm.html
upvoted 1 times

  EmnCours 1 year, 5 months ago

Selected Answer: B

Correct Answer: B
upvoted 1 times

  Lazylinux 1 year, 8 months ago


Selected Answer: B

I Luv Honey Because it is B


add new interface- dual homed VM maybe different subnets but still SAME VNET hence no way..Just delete VM and maintain the HD, create
new one in other region attach the HD and then create new NIC
upvoted 1 times

  klasbeatz 1 year, 7 months ago


So you can still attach the drive from the original VM to the new one right? So have the same content?
upvoted 1 times

  manalshowaei 1 year, 8 months ago


Selected Answer: B

B. No
upvoted 1 times

  dasEnder 1 year, 9 months ago


Selected Answer: B

Correct answer. NO.


upvoted 2 times

  techie_11 1 year, 10 months ago


On exam 4/12/2022. B correct answer
upvoted 2 times

  ajayasa 1 year, 11 months ago


this question was there on 16/03/2022 with same question and passed with 900 percent
upvoted 3 times

  Bere 2 years, 2 months ago


The solution says:
You delete VM1. You recreate VM1, and then you create a new network interface for VM1 and connect it to VNET2.

The right answer would be:


You delete VM1. You copy the disk from West US region to East Asia region. You recreate VM1 from the disk you have copied, and then you
can connect VM1 to VNET2.
upvoted 1 times

  joydeep1 2 years, 8 months ago


Correct. answered B. In exam today
upvoted 2 times

  ZUMY 2 years, 11 months ago


No is the answer : Can't attach a Network in a different Vnet ( Attach NIC option will not suggest)
upvoted 1 times
  toniiv 2 years, 12 months ago
Answer B. is correct. For two reasons: A VM cannot be connected to two different VNets, and second reason is VM cannot connect to a
Vnet in different region.
upvoted 1 times
Question #23 Topic 4

HOTSPOT -

You have an Azure subscription named Subscription1 that contains the quotas shown in the following table.

You deploy virtual machines to Subscription1 as shown in the following table.

You plan to deploy the virtual machines shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

The total regional vCPUs is 20 so that means a maximum total of 20 vCPUs across all the different VM sizes. The deallocated VM with 16 vCPUs counts towards the total. VM20 and VM1 are using 18 of the maximum 20 vCPUs leaving only two vCPUs available.

Reference:

https://docs.microsoft.com/en-us/azure/virtual-machines/windows/quotas

  mlantonis Highly Voted  2 years, 9 months ago

Correct Answer:

Total regional vCPUs = 20


2 vCPUs (VM1) + 16 vCPUs (VM20) = 18 vCPUs, which means that only 2 vCPUs are left before exceeding the usage limit.

Box 1: Yes
We can add 1 vCPU. 2 vCPUs (VM1) + 16 vCPUs (VM20) + 1 vCPU (VM3) = 19 vCPUs
Box 2: No
We cannot add 4 vCPUs. 2 vCPUs (VM1) + 16 vCPUs (VM20) + 4 vCPU (VM4) = 22 vCPUs

Box 3: No
We cannot add 16 vCPU. 2 vCPUs (VM1) + 16 vCPUs (VM20) + 16 vCPU (VM5) = 34 vCPUs

Reference:

https://docs.microsoft.com/en-us/azure/virtual-machines/windows/quota
upvoted 198 times

  trferreiraBR 3 months, 3 weeks ago


Correct - Y,N,N. I tested here in the lab environment!
One thing to be clear about here is that people can be confused about the VM families Bs and Ds vCPUs. They're different for sure, but Microsoft says:

"The vCPU quotas for virtual machines and scale sets are arranged in two tiers for each subscription, in each region. The first tier is the
Total Regional vCPUs, and the second tier is the various VM size family cores such as the D-series vCPUs. Anytime a new VM is deployed
the vCPUs for the VM must not exceed the vCPU quota for the VM size family or the total regional vCPU quota. If you exceed either of
those quotas, the VM deployment won't be allowed. "

"Quota is calculated based on the total number of cores in use both allocated and deallocated. If you need additional cores, request a
quota increase or delete VMs that are no longer needed."

https://learn.microsoft.com/en-us/azure/virtual-machines/quotas
upvoted 5 times

  Spacecluster 5 months, 1 week ago


But VM2 status is stopped (deallocated). Would that not make those stopped CPUs available for other machines?
upvoted 5 times

  MatAlves 3 weeks, 4 days ago


"Quota is calculated based on the total number of cores in use both allocated and deallocated. If you need additional cores, request
a quota increase or delete VMs that are no longer needed."
upvoted 1 times

  fedztedz Highly Voted  3 years, 2 months ago

Correct YES NO NO
The deallocated VM are still using and reserving the used 16 vCPU + 2 vCPU ,so in total we only have 2 vCPU available in the region
upvoted 144 times

  656823 9 months, 3 weeks ago


Thank you! Was about to ask this.
upvoted 2 times

  walexkino 2 years, 9 months ago


it makes sense.. Thanks
upvoted 12 times

  Amir1909 Most Recent  1 day, 6 hours ago


Yes
No
No
upvoted 1 times

  devops_devops 1 month ago


This question was in exam 15/01/24
upvoted 1 times

  ric2020 1 month, 1 week ago


quotas in the table are by region and family, yes,yes,no
upvoted 1 times

  jeru81 1 week ago


last column says: TotalRegional so it should be: Y,N,N ;)
upvoted 1 times

  lampayeah 4 months, 3 weeks ago


was in my exam september2023
upvoted 3 times

  Mehedi007 6 months, 2 weeks ago


Y: 2 vCPUs (VM1) + 16 vCPUs (VM20) + 1 vCPU (VM3) = 19 vCPUs
N: 19 vCPUs + 4 vCPU (VM4) = 22 vCPUs > Total regional vCPUs limit
N: same reason
Passed the exam on 26 July 2023. Scored 870. Similar question came.
upvoted 2 times

  SIAMIANJI 8 months, 3 weeks ago


It is Yes, Yes, No.
VM4 is a D family and there is not any other D family before deploying VM4 and we have 20 quota. So the answer for VM4 is "YES"
upvoted 2 times

  xRiot007 8 months, 1 week ago


The 20 limit of vCPUs contains all categories. The table makes it confusing and gives the impression we have 20 for each, but it's 20 in
total.
upvoted 3 times

  rmsdg 1 year, 2 months ago


Quota is calculated based on the total number of cores in use both allocated and deallocated. If you need additional cores, request a
quota increase or delete VMs that are no longer needed.
upvoted 1 times

  Backy 1 year, 3 months ago


B2ms has 2 vCPUs and not 1 as the table says
upvoted 2 times

  ZakySama 1 year, 3 months ago


Thank you...
upvoted 1 times

  NaoVaz 1 year, 5 months ago


1) You can deploy VM3 to West US: "Yes"
2) You can deploy VM4 to West US: "No"
3) You can deploy VM5 to West US: "No"

Explanation:
Even though the VM2 is in a Stopped (Deallocated) Status and we do not get charged for the CPU\RAM resources, the quota will not have
the resources available to be consumed by other VM's.
Since the quota specifies a maximum of 20 Total regional vCPU's, we currently have 18 reserved by VM1 and VM2, so we can just deploy
VM3. VM4 and VM5 surpass our budget.
upvoted 6 times

  EmnCours 1 year, 5 months ago


Correct YES NO NO
The total regional vCPUs is 20 so that means a maximum total of 20 vCPUs across all the different VM sizes. The deallocated VM with 16
vCPUs counts towards the total. VM20 and VM1 are using 18 of the maximum 20 vCPUs leaving only two vCPUs available.
upvoted 4 times

  HorseradishWalrus 1 year, 5 months ago


Why is the total regional vCPUs quota set to 20? I only found: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/azure-subscription-service-limits
But this is "Classic deployment model limits"
upvoted 1 times

  somshivam 1 year, 7 months ago


Main point to note is deallocated VM are still counted and the other details of location and
upvoted 2 times

  Lazylinux 1 year, 8 months ago


YNN and hence answer is correct and explanation is correct
upvoted 1 times

  manalshowaei 1 year, 8 months ago


yes No No
upvoted 1 times

  malcubierre 1 year, 8 months ago


New link: https://docs.microsoft.com/en-us/azure/azure-portal/supportability/per-vm-quota-requests
upvoted 1 times
Question #24 Topic 4

HOTSPOT -

You have an Azure subscription that contains an Azure Availability Set named WEBPROD-AS-USE2 as shown in the following exhibit.

You add 14 virtual machines to WEBPROD-AS-USE2.

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.

NOTE: Each correct selection is worth one point.

Hot Area:
Correct Answer:

Box 1: 2 -

There are 10 update domains. The 14 VMs are shared across the 10 update domains so four update domains will have two VMs and six update domains will have one VM. Only one update domain is rebooted at a time. Therefore, a maximum of two VMs will be offline.

Box 2: 7 -

There are 2 fault domains. The 14 VMs are shared across the 2 fault domains, so 7 VMs in each fault domain. A rack failure will affect one fault domain so 7 VMs will be offline.

Reference:

https://docs.microsoft.com/en-us/azure/virtual-machines/windows/manage-availability

  mlantonis Highly Voted  2 years, 9 months ago

Correct Answer:

Box 1: 2
There are 10 update domains. The 14 VMs are shared across the 10 update domains, so 4 update domains will have 2 VMs and 6 update
domains will have 1 VM. Only one update domain is rebooted at a time.

D1    D2    D3    D4    D5    D6    D7    D8    D9    D10
vm1   vm2   vm3   vm4   vm5   vm6   vm7   vm8   vm9   vm10
vm11  vm12  vm13  vm14

Maximum Down = 2
Minimum Down = 1
Box 2: 7
There are 2 fault domains. The 14 VMs are shared across the 2 fault domains, so 7 VMs in each fault domain. A rack failure will affect one
fault domain so 7 VMs will be offline.
14 VM in 2 Fault Domain

Rack 1 Rack 2
vm1 vm8
vm2 vm9
vm3 vm10
vm4 vm11
vm5 vm12
vm6 vm13
vm7 vm14

Maximum Down = 7
Minimum Down = 7
upvoted 602 times

  Asymptote 1 year, 3 months ago


Why Microsoft doesn't hire people like Mlantonis to restructure the Microsoft Learn.....
upvoted 25 times

  Puspendu 1 month, 1 week ago


I agree
upvoted 2 times

  Mmunger 2 days, 1 hour ago


I hope they did by now! Wish him all the best!
upvoted 1 times

  JohnnyChimpo 1 year ago


You are a legend brother. I read their god damn documentation over and over and could not get it through my thick head. Thank you
so very much for your well explained, throughout and concise answers all over this course.
upvoted 43 times

  potasio101 8 months, 1 week ago


Same for me, I always look at his explanation
upvoted 4 times

  studysmart 12 months ago


Thanks. This explanation makes more sense.
upvoted 3 times

  SumanSaurabh 1 year, 2 months ago


Superb
upvoted 3 times

  ZUMY Highly Voted  2 years, 11 months ago

Box 1: 2 -
There are 10 update domains. The 14 VMs are shared across the 10 update domains so four update domains will have two VMs and six
update domains will have one VM. Only one update domain is rebooted at a time. Therefore, a maximum of two VMs will be offline.

Box 2: 7 -
There are 2 fault domains. The 14 VMs are shared across the 2 fault domains, so 7 VMs in each fault domain. A rack failure will affect one
fault domain so 7 VMs will be offline.
upvoted 60 times

  mark543 Most Recent  5 months ago

where is 14 VMs ?
upvoted 1 times

  CarlosMarin 5 months, 2 weeks ago


This question was in my exam on 31/08/2023.
upvoted 3 times

  CarlosMarin 5 months, 2 weeks ago


This question was in my exam on 31/08/2023.
upvoted 1 times

  Gregsenn 5 months, 2 weeks ago


Came on exam 29/08/23
upvoted 2 times

  fimbulvetrk 10 months ago


I just gave up trying to understand this question/topic, so I just hope this question doesn't appear for me
upvoted 7 times

  Bigc0ck 1 year, 1 month ago


I remember this might be on my 2nd test
upvoted 1 times

  NaoVaz 1 year, 5 months ago


1) "2"
2) "7"

Explanation:
We have 14 VM's and 10 Update Domains. This means that 6 VM's will each be in their own isolated Update Domain and 8 VM's will share an Update Domain with another VM.

UpdateDomain1: 2 VM's
UpdateDomain2: 2 VM's
UpdateDomain3: 2 VM's
UpdateDomain4: 2 VM's
UpdateDomain5: 1 VM's
UpdateDomain6: 1 VM's
UpdateDomain7: 1 VM's
UpdateDomain8: 1 VM's
UpdateDomain9: 1 VM's
UpdateDomain10: 1 VM's

This means that when a scheduled update occurs at maximum 2 VM's will be down.

We also have 2 Fault Domains, which means that each Fault Domain will have 7 VM's inside. When a disaster occurs, at most 7 VM's will be
impacted.
upvoted 20 times

  Taher_Hares 6 months, 2 weeks ago


Good Explanation thanks
upvoted 1 times

  EmnCours 1 year, 5 months ago


Box 1: 2 -
There are 10 update domains. The 14 VMs are shared across the 10 update domains so four update domains will have two VMs and six
update domains will have one VM. Only one update domain is rebooted at a time. Therefore, a maximum of two VMs will be offline.

Box 2: 7 -
There are 2 fault domains. The 14 VMs are shared across the 2 fault domains, so 7 VMs in each fault domain. A rack failure will affect one
fault domain so 7 VMs will be offline.
upvoted 1 times

  bassemmkh 1 year, 6 months ago


I didn't have a clear idea about update domains until I found Saravana12g's comment, thank you:

UD1=VM1 and VM11
UD2=VM2 and VM12
UD3=VM3 and VM13
UD4=VM4 and VM14
UD5=VM5
UD6=VM6
UD7=VM7
UD8=VM8
UD9=VM9
UD10=VM10
4 UD's are having 2 VM's each
6 UD's are having 1 VM's each
=> Only one update domain is rebooted at a time. Therefore, a maximum of two VMs will be offline and a minimum of 1 VM will be offline.
upvoted 24 times

  obaali1990 11 months ago


Sure, this is cleaeeeer!!!!!!!
upvoted 1 times

  Jemo21 1 year, 5 months ago


Clear when you put it this way... Thanks buddy
upvoted 3 times

  Lazylinux 1 year, 8 months ago


Yep answer is correct and explanation is correct - 2 and 7
upvoted 3 times

  manalshowaei 1 year, 8 months ago


Box 1: 2 -
There are 10 update domains. The 14 VMs are shared across the 10 update domains so four update domains will have two VMs and six
update domains will have one VM. Only one update domain is rebooted at a time. Therefore, a maximum of two VMs will be offline.

Box 2: 7 -
There are 2 fault domains. The 14 VMs are shared across the 2 fault domains, so 7 VMs in each fault domain. A rack failure will affect one
fault domain so 7 VMs will be offline.
upvoted 2 times

  Lazylinux 1 year, 8 months ago


Answer is correct 2 and 7 and explanation as per mlantonis (no need for me to reinvent the wheel)
upvoted 1 times

  examsir 1 year, 8 months ago


how about the 14 VMs are shared across the 10 update domain as below, then max down is 3
UD1=VM1 and VM11 and VM12
UD2=VM2 and VM13 and VM14
UD3=VM3
UD4=VM4
UD5=VM5
UD6=VM6
UD7=VM7
UD8=VM8
UD9=VM9
UD10=VM10
upvoted 1 times

  Dobby25 1 year, 11 months ago


Received this on my exam today 19/03/2022
upvoted 1 times

  marco_aimi 2 years, 1 month ago


#UPDATE DOMAIN (nr°10) & 14 VM
UD1 : VM1 & VM11
UD2 : VM2 & VM12
UD3 : VM3 & VM13
UD4 : VM4 & VM14
UD5 : VM5
UD6 : VM6
UD7 : VM7
UD8 : VM8
UD9 : VM9
UD10: VM10

Only one update domain is rebooted at a time.
so a maximum 2 VMs will be offline.
so a minimum 1 VMs will be offline.

#FAULT DOMAIN (nr°2) & 14 VM

Rack A  Rack B
VM1     VM8
VM2     VM9
VM3     VM10
VM4     VM11
VM5     VM12
VM6     VM13
VM7     VM14

Fault RACK A: 14 VM -7VM OFF = 7 VM UP
Fault RACK B: 14 VM -7VM OFF = 7 VM UP

Maximum VM Down = 7
Minimum VM Down = 7
upvoted 23 times

  mikextreme 1 year, 10 months ago


Best Explain
upvoted 3 times
Question #25 Topic 4

You deploy an Azure Kubernetes Service (AKS) cluster named Cluster1 that uses the IP addresses shown in the following table.

You need to provide internet users with access to the applications that run in Cluster1.

Which IP address should you include in the DNS record for Cluster1?

A. 131.107.2.1

B. 10.0.10.11

C. 172.17.7.1

D. 192.168.10.2

Correct Answer: A

Community vote distribution


A (100%)

  fedztedz Highly Voted  3 years, 2 months ago

Correct Answer. (A).


To be able to access applications on Kubernetes, you need an application Load Balancer created by Azure which has a public IP.
upvoted 138 times

  Holydud 1 year, 5 months ago


Was on exam 19 Aug 2022. Scored 870. Around 85% questions were also on ET. Answered A
upvoted 15 times

  juniorccs 2 years ago


thanks for this
upvoted 2 times

  Zonci 1 year, 8 months ago


you're my idol
upvoted 5 times

  vikki 3 years ago


Appreciate! Helps a lot.
upvoted 8 times

  mlantonis Highly Voted  2 years, 9 months ago

Correct Answer: A

To be able to access applications on Kubernetes, you need an application Load Balancer created by Azure which has a public IP.

Note: 10.X.X.X range is private.

Reference:

https://docs.microsoft.com/en-us/azure/aks/load-balancer-standard
upvoted 97 times

  prbandeira 1 year, 2 months ago


and 192.168... and 172.00 is private too,
RFC1918 Subnets
The RFC1918 address space includes the following networks:

10.0.0.0 – 10.255.255.255 (10/8 prefix)
172.16.0.0 – 172.31.255.255 (172.16/12 prefix)
192.168.0.0 – 192.168.255.255 (192.168/16 prefix)
upvoted 5 times

  JoeRogersHi 2 years, 8 months ago


Plus, that’s what “front end” means.
upvoted 5 times

Rafi786_khan Most Recent 2 months ago

Correct Answer - A
To be able to access applications on Kubernetes, you need an application Load Balancer created by Azure which has a public IP
upvoted 1 times

shadad 11 months, 2 weeks ago

I took the Azure-104 exam on 27/2/2023.
I scored 920 points out of 1000 points. This was on it and my answer was: A
upvoted 3 times

MB1982 7 months ago


Did you only use ET? Did you use contributor access?
upvoted 1 times

UmbongoDrink 1 year ago

Selected Answer: A

To be able to access applications on Kubernetes, you need an application Load Balancer created by Azure which has a public IP.
upvoted 1 times

cnduknthm 1 year, 3 months ago

Selected Answer: A

To be able to access applications on Kubernetes, you need an application Load Balancer created by Azure which has a public IP.
upvoted 1 times

NaoVaz 1 year, 5 months ago

Selected Answer: A

A) "131.107.2.1"

In Kubernetes when we expose apps we either expose them through Ingress using a single front-end load balancer IP, or we expose them
using Services like NodePort or LoadBalancer.

Based on the provided scenario we should map the DNS entry to the Load Balancer Front End IP and expose applications using Ingress.
upvoted 4 times

EmnCours 1 year, 5 months ago

Selected Answer: A

Correct Answer: A
upvoted 1 times

Socca 1 year, 6 months ago

A is correct. You need a proxy that is at the same time a load balancer, such as nginx or HAProxy. The external users from the internet use the
public IP address of the proxy to access internal applications, and the proxy knows the internal addresses, converts the IP packets and
sends them to the destination.
upvoted 2 times

GowthamNara 1 year, 6 months ago

Selected Answer: A

ddsfsfsd
upvoted 3 times

Lazylinux 1 year, 8 months ago

Selected Answer: A

A is correct
upvoted 1 times

manalshowaei 1 year, 8 months ago

Selected Answer: A

A. 131.107.2.1
upvoted 1 times

Lazylinux 1 year, 8 months ago

Selected Answer: A

A is correct... For me when it says Internet users/Access and I see load balancer with front IP that means it's the public IP and hence is the
answer but also the Cluster IP can be considered if public LD was not there
upvoted 2 times

Ephert 1 year, 8 months ago


This is the easiest of all if one is well versed with networking. Internet users will definitely require a public IP address to access the app
and there is only one public IP in the provided answers.
upvoted 2 times

LHNing2 2 years ago

Selected Answer: A

aaaaaaaaaaaaaaa
upvoted 3 times

prince89 2 years, 1 month ago

Selected Answer: A

Correct Answer : A
upvoted 2 times

Microgen 2 years, 3 months ago


finally I answered correctly
upvoted 4 times

Question #26 Topic 4

You have a deployment template named Template1 that is used to deploy 10 Azure web apps.

You need to identify what to deploy before you deploy Template1. The solution must minimize Azure costs.

What should you identify?

A. five Azure Application Gateways

B. one App Service plan

C. 10 App Service plans

D. one Azure Traffic Manager

E. one Azure Application Gateway

Correct Answer: B

You create Azure web apps in an App Service plan.

Reference:

https://docs.microsoft.com/en-us/azure/app-service/overview-hosting-plans

Community vote distribution


B (100%)

mlantonis Highly Voted 2 years, 9 months ago

Correct Answer: B

Creating one App Service Plan, you can support up to 10 Web Apps. Adding any of the other resources is pointless and not noted as a
requirement.

Reference:

https://docs.microsoft.com/en-us/azure/app-service/overview-hosting-plans
upvoted 142 times

Shadoken 1 year, 7 months ago

Yes, the correct answer is B. But I read in Skillpipe that in an App Service plan:
Free: up to 10
Shared: up to 100
The rest of the plans: unlimited web apps
upvoted 4 times

Borowik9 1 year, 6 months ago

Looks like the number changed: It now ranges from 8 to 64: https://docs.microsoft.com/en-us/azure/app-service/overview-hosting-plans#should-i-put-an-app-in-a-new-plan-or-an-existing-plan
upvoted 5 times

Kosey 4 months ago


No, ref https://learn.microsoft.com/en-us/azure/app-service/manage-scale-up
you should search for scale instance,
+ Free - N/A
+ Basic - 3 ins
+ Standard - 10 ins
+ Premium - 30 ins
upvoted 1 times

MothePro 10 months, 2 weeks ago


Soo.. now we need TWO App Service plan? ... *16 max apps..
upvoted 1 times

OmegaGeneral Highly Voted 3 years, 6 months ago

Correct: you only need a single App Service plan, as your web apps will share the service plan's resource availability.
Adding any of the other resources is pointless and not noted as a requirement.
upvoted 64 times

PrepaCertif Most Recent 3 months ago

I got this question on exam today, I answered B


upvoted 2 times

iamchoy 5 months ago


To deploy 10 Azure web apps, you will need an underlying infrastructure to run those web apps. The App Service plan defines the region
(Datacenter) of the physical server where your web application will be hosted and dictates the amount of storage, RAM, and CPU the web
app will have.

To minimize costs, you would want to host all 10 web apps within the same App Service plan, given they don't require separate scaling or
resource needs. If you use 10 separate App Service plans, you would be provisioning and paying for resources for each of those 10 plans
separately.

Therefore, the answer is:


B. one App Service plan.
upvoted 2 times

gauravit43 11 months, 2 weeks ago


I passed exam on 4th March,2023 and this question appeared in the exam. Correct answer is B
upvoted 4 times

UmbongoDrink 1 year ago

Selected Answer: B

You create Azure web apps in an App Service plan.


upvoted 1 times

NaoVaz 1 year, 5 months ago

Selected Answer: B

B) "one App Service Plan"

One App Service Plan can host a lot of Web Apps based on the SKU chosen: https://docs.microsoft.com/en-us/azure/app-service/overview-hosting-plans#should-i-put-an-app-in-a-new-plan-or-an-existing-plan
upvoted 5 times

libran 1 year, 5 months ago

Selected Answer: B

Correct Answer: B
upvoted 1 times

EmnCours 1 year, 5 months ago

Selected Answer: B

Correct Answer: B
upvoted 1 times

JacquesV 1 year, 6 months ago

In exam on 10Aug2022
upvoted 4 times

Lazylinux 1 year, 8 months ago

Selected Answer: B

I Luv Honey Because it is B

Creating one App Service Plan should be your first priority and what type of Plan i.e. Basic, STD, premium, Isolated will depend on needs
and once done then you can support up to 10 Web Apps.
upvoted 3 times

manalshowaei 1 year, 8 months ago

Selected Answer: B

B. one App Service plan
upvoted 1 times

shash_ank 1 year, 8 months ago

Seeing all the jerky questions Microsoft asks, these types of questions bring surprise and joy lol!
upvoted 2 times

dasEnder 1 year, 9 months ago

Selected Answer: B

Correct answer
upvoted 1 times

benvdw 1 year, 11 months ago

on exam 13/3/2022
upvoted 5 times

[Removed] 2 years, 2 months ago

Correct. One App Service plan as long as they can run on the same OS as each other. This isn't specified in the question so we could
assume it. It would need to be a Standard plan which will allow for up to 10 instances.
upvoted 3 times

JESUSBB 2 years, 2 months ago


In the exam today 11-DEC-2021.
Ans: B. one App Service plan
upvoted 8 times

Question #27 Topic 4

HOTSPOT -

You plan to deploy an Azure container instance by using the following Azure Resource Manager template.

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the template.

NOTE: Each correct selection is worth one point.

Hot Area:
Correct Answer:

olsenOnS Highly Voted 2 years, 2 months ago

Correct.

Can connect from any dev.

Will restart autom.


upvoted 55 times

NaoVaz Highly Voted 1 year, 5 months ago


1) Internet users "can connect to the container from any device"
2) If Internet Information Services (IIS) in the container fails, "the container will restart automatically".

Explanation:
No Access restrictions are specified.
The "restartPolicy" is set as "OnFailure".
upvoted 49 times

ZakySama 1 year, 3 months ago

Thank you. Why do we have Ostype: Windows?
upvoted 7 times

xRiot007 8 months, 2 weeks ago


That is the OS of the container. The client can have any OS. Communication is done over the network through port 80
upvoted 4 times

rqFamily 1 year, 2 months ago


because the os type is windows, if you create Linux container then the os type will be Linux
upvoted 12 times

devops_devops Most Recent 1 month ago

This question was in exam 15/01/24


upvoted 4 times

Indy429 1 month, 3 weeks ago

I love everyone who contributes to this site with in-depth explanations. Makes it so much better to really understand and retain.
upvoted 6 times

Ahkhan 3 months ago


The second answer is wrong. It will be container will ONLY restart automatically.

https://learn.microsoft.com/en-us/azure/container-instances/container-instances-restart-policy
upvoted 1 times

AzureNobe 3 months ago

The answer with 'only' is manually, not automatically, so it will restart automatically.
upvoted 1 times

nmnm22 4 months, 3 weeks ago

stupid question
upvoted 4 times

CarlosMarin 5 months, 2 weeks ago

This question was in my exam on 31/08/2023.
upvoted 3 times

Kverma7 5 months, 3 weeks ago

This was in Exam 23-08-23
upvoted 3 times

JunetGoyal 9 months, 3 weeks ago

Whoever got confused by the Windows OS in the template, please note:
That defines the node OS where containers are deployed.
Real-world example: like we have WhatsApp running on either underlying OS, iOS or Android, if you have an Apple or Samsung phone
respectively.
upvoted 4 times

EmnCours 1 year, 5 months ago


Correct.

Can connect from any dev.

Will restart autom.


upvoted 4 times

Olram 1 year, 9 months ago

Passed today. this is part of the exam. 4/23/22
upvoted 19 times

mubba 1 year, 9 months ago

well done....
upvoted 1 times

DrJoness 1 year, 10 months ago

Question appeared in exam today, April 7 2022
upvoted 4 times

ajayasa 1 year, 11 months ago

this question was there on 16/03/2022 with same question and passed with 900 percent
upvoted 4 times

ki01 2 months ago


900 PERCENT? bruh over here giving questions to the exam proctor to check their knowledge
upvoted 1 times

cirspass 1 year, 11 months ago

I have a question: there is no fill network policy, why can it be accessed by users of any device?
upvoted 1 times

Paulwryan 2 years, 1 month ago

In order to connect to the container wouldn't the RDP port 3389 need to be open?
upvoted 1 times

Odysseas 2 years, 1 month ago

It will connect via http (port 80) and will get a response from the IIS
upvoted 5 times

helpaws 2 years, 1 month ago

So does the "osType": "Windows" is there to throw you off?
upvoted 3 times

oscarfernand 2 years ago

yes, it's a trap
upvoted 6 times

tmub47 2 years, 1 month ago

What is the practical scenario for a Public access with just one OS type?
upvoted 1 times

Pear7777 1 year, 2 months ago

my question too
upvoted 1 times

space2201 2 years ago

The osType element has nothing to do with the clients connecting to the container. It specifies the container OS type.
upvoted 12 times

testmobile18 2 years, 1 month ago

Correct answer.
https://docs.microsoft.com/en-us/azure/container-instances/container-instances-quickstart-template

    "port": {
      "type": "int",
      "defaultValue": 80,
      "metadata": {
        "description": "Port to open on the container and the public IP address."
      }
    },
    "restartPolicy": {
      "type": "string",
      "defaultValue": "Always",
      "allowedValues": [
        "Always",
        "Never",
        "OnFailure"
      ]
    }
upvoted 2 times

Question #28 Topic 4

You have an Azure subscription that contains a virtual machine named VM1. VM1 hosts a line-of-business application that is available 24 hours a day. VM1 has one network interface and one managed disk. VM1 uses the D4s v3 size.

You plan to make the following changes to VM1:

✑ Change the size to D8s v3.
✑ Add a 500-GB managed disk.
✑ Add the Puppet Agent extension.
✑ Enable Desired State Configuration Management.

Which change will cause downtime for VM1?

A. Enable Desired State Configuration Management

B. Add a 500-GB managed disk

C. Change the size to D8s v3

D. Add the Puppet Agent extension

Correct Answer: C

While resizing the VM it must be in a stopped state.

Reference:

https://azure.microsoft.com/en-us/blog/resize-virtual-machines/

Community vote distribution


C (100%)

mlantonis Highly Voted 2 years, 9 months ago

Correct Answer: C

While resizing, the VM must be in a stopped state, therefore there will be a downtime.

Reference:

https://azure.microsoft.com/en-us/blog/resize-virtual-machines
upvoted 124 times

Mahbus 8 months, 1 week ago


Nowadays you don't need to stop the vm prior to resizing, even if the vm is running, you may resize, but it will restart the vm causing
downtime anyway. Also another advantage of stopping vm prior to resizing is that it gives more choices to choose from in the vm list.
upvoted 5 times

multcloud Highly Voted 3 years, 5 months ago

Correct answer. Resizing VM will cause downtime.


upvoted 39 times

FlowerChoc1 Most Recent 10 months, 1 week ago

Got this question on today's exam. Yes, I passed. Thanks to you guys!
upvoted 11 times

fimbulvetrk 10 months ago

my exam is tomorrow and I hope this one appears to me haha
upvoted 1 times

AzureNobe 3 months ago

I hope you passed it
upvoted 1 times

juanmpmx 10 months, 2 weeks ago

Correct Answer: C
upvoted 1 times

UmbongoDrink 1 year ago

Selected Answer: C

While resizing the VM it must be in a stopped state.


upvoted 1 times

omgMerrick 1 year ago

Selected Answer: C

C. Change the size to D8s v3.

Changing the size of an Azure virtual machine involves a stop and restart of the virtual machine, which will cause downtime for the line-of-
business application hosted on VM1. This downtime can be minimized by using Azure Availability Sets or by taking appropriate steps to
prepare for the change, such as backing up data or moving the application to another virtual machine.

Adding a managed disk, installing the Puppet Agent extension, or enabling Desired State Configuration Management should not cause
downtime for VM1.
upvoted 3 times

2cent2 1 year, 1 month ago

Selected Answer: C

...nothing to tell.
upvoted 1 times

NaoVaz 1 year, 5 months ago

Selected Answer: C

C) " Change the size to D8s v3"

Reference: https://azure.microsoft.com/en-us/blog/resize-virtual-machines/
upvoted 3 times

EmnCours 1 year, 5 months ago

Selected Answer: C

Correct Answer: C
While resizing the VM it must be in a stopped state.
Reference:
https://azure.microsoft.com/en-us/blog/resize-virtual-machines/
upvoted 2 times

Lazylinux 1 year, 8 months ago

Selected Answer: C

C is correct as resizing requires shutdown because of the hardware specs also because the current hardware cluster may not be able to
support it and hence VM will be moved to another one that has the resources to take on the new size
upvoted 2 times

amunator 1 year, 8 months ago

Selected Answer: C

Correct Answer: C
upvoted 1 times

manalshowaei 1 year, 8 months ago

Selected Answer: C

C. Change the size to D8s v3
upvoted 3 times

Carai 1 year, 9 months ago

Selected Answer: C

correct
upvoted 1 times

Azure_daemon 1 year, 11 months ago


C is the correct answer, I actually tested it in my subscription and as soon as I restarted the resizing it shutdown the running VM
upvoted 2 times

Chole22 1 year, 11 months ago


https://docs.microsoft.com/en-us/azure/virtual-machines/resize-vm?tabs=portal

If the virtual machine is currently running, changing its size will cause it to be restarted.

If your VM is still running and you don't see the size you want in the list, stopping the virtual machine may reveal more sizes.
upvoted 1 times

SanjSL 2 years, 3 months ago


If the virtual machine is currently running, changing its size will cause it to be restarted.

If your VM is still running and you don't see the size you want in the list, stopping the virtual machine may reveal more sizes.
https://docs.microsoft.com/en-us/azure/virtual-machines/resize-vm?tabs=portal
upvoted 4 times

ScoutP 2 years, 4 months ago


This question was asked on exam taken on Sept 30, 2021
upvoted 1 times

Question #29 Topic 4

You have an app named App1 that runs on an Azure web app named webapp1.

The developers at your company upload an update of App1 to a Git repository named Git1.

Webapp1 has the deployment slots shown in the following table.

You need to ensure that the App1 update is tested before the update is made available to users.

Which two actions should you perform? Each correct answer presents part of the solution.

NOTE: Each correct selection is worth one point.

A. Swap the slots

B. Deploy the App1 update to webapp1-prod, and then test the update

C. Stop webapp1-prod

D. Deploy the App1 update to webapp1-test, and then test the update

E. Stop webapp1-test

Correct Answer: AD

Community vote distribution


AD (100%)

sk1803 Highly Voted 2 years, 4 months ago

Answer is correct.
1. Deploy the App to “webapp1-test” which is staging environment and test it there.
2. Once the test is a success, swap the slots, so the new changes will be available under production.
upvoted 94 times

Pear7777 1 year, 2 months ago

in that order, yes.
upvoted 3 times

Takloy 2 years, 2 months ago

Thanks! straight to the point!
upvoted 3 times

Shailesh866 Highly Voted 2 years, 4 months ago

The answer is correct.

- Deploying an app to a slot first (Test in this case) and swapping it into production makes sure that all instances of the slot are warmed up
before being swapped into production.
- After a swap, the slot with previously staged app now has the previous production app. If the changes swapped into the production slot
aren't as you expect, you can perform the same swap immediately to get your "last known good site" back.
upvoted 19 times

MatAlves Most Recent 3 weeks, 1 day ago

This is probably referring to "Swap with preview (multi-phase swap)", so no need to worry about going into production immediately after
swapping the slots.

Thus, A and D should do the work.


upvoted 1 times

CarlosMarin 5 months, 2 weeks ago

This question was in my exam on 31/08/2023.
upvoted 2 times

YomanB 5 months ago

this guy put this note in every question in site
upvoted 5 times

Mehedi007 6 months, 2 weeks ago

Selected Answer: AD

Deploy & test on the staging slot.
Swap the slots.
Passed the exam on 26 July 2023. Scored 870. Exact question came.
upvoted 4 times

itguyeu 7 months, 3 weeks ago


I used free version access for this site and it helped me pass the exam. Some questions that I had on the exams, I took the exam more
than once, are not available under the free tier access, but 80% of the questions came from here. I do recommend investing a bit of
money and getting full access to this site. I didn't memorise answers but analysed them and studied as Microsoft does tweak them a bit.

This Q was on the exam.


upvoted 1 times

jamess 9 months, 2 weeks ago

If you swap the slots it puts the test into production. Question says to test before available to users.
upvoted 1 times

jamess 9 months, 2 weeks ago

Sorry disregard.
upvoted 1 times

NJTH 10 months, 1 week ago

Exactly the same question was on today's exam.
(7th April 2023)
upvoted 4 times

AzZnLuVaBoI 10 months, 3 weeks ago

On the Exam 3/29/23.
upvoted 5 times

GBAU 1 year ago


Ah, MS, where does it say the test passes? You might have just swapped a failed app into production according to this question/answer.
upvoted 3 times

Irism 1 year, 1 month ago

A & D, if you don't understand this question, don't even try the exam. just a tip
upvoted 1 times

RougePotatoe 1 year ago

Bruh chill not everyone has an app development background.
upvoted 9 times

Bigc0ck 1 year, 1 month ago

This was on my 2nd test
upvoted 2 times

majerly 1 year, 4 months ago

today in exam AD
upvoted 5 times

NaoVaz 1 year, 5 months ago

Selected Answer: AD

D) " Deploy the App1 update to webapp1-test, and then test the update" & A) " Swap the slots"

Reference: https://docs.microsoft.com/en-us/azure/app-service/deploy-staging-slots
upvoted 10 times

EmnCours 1 year, 5 months ago

Selected Answer: AD

Correct Answer: AD
upvoted 1 times

Olram 1 year, 9 months ago

Passed today. this is part of the exam. 4/23/22
upvoted 2 times

Tinez 10 months, 3 weeks ago

Please I'd like to ask a few questions.
Did they change the alphabet where the answer is or is it still on ''AD'' as we saw in Exam topics?
upvoted 1 times

mubba 1 year, 9 months ago

well done....
upvoted 1 times

Carai 1 year, 9 months ago

Selected Answer: AD

it makes sense
upvoted 1 times

Question #30 Topic 4

You have an Azure subscription named Subscription1 that has the following providers registered:

✑ Authorization
✑ Automation
✑ Resources
✑ Compute
✑ KeyVault
✑ Network
✑ Storage
✑ Billing
✑ Web

Subscription1 contains an Azure virtual machine named VM1 that has the following configurations:

✑ Private IP address: 10.0.0.4 (dynamic)
✑ Network security group (NSG): NSG1
✑ Public IP address: None
✑ Availability set: AVSet
✑ Subnet: 10.0.0.0/24
✑ Managed disks: No
✑ Location: East US

You need to record all the successful and failed connection attempts to VM1.

Which three actions should you perform? Each correct answer presents part of the solution.

NOTE: Each correct selection is worth one point.

A. Enable Azure Network Watcher in the East US Azure region.

B. Add an Azure Network Watcher connection monitor.

C. Register the MicrosoftLogAnalytics provider.

D. Create an Azure Storage account.

E. Register the Microsoft.Insights resource provider.

F. Enable Azure Network Watcher flow logs.

Correct Answer: AEF

You can log network traffic that flows through an NSG with Network Watcher's NSG flow log capability.

✑ In the Azure portal, enable Network Watcher
✑ Register Insights provider. NSG flow logging requires the Microsoft.Insights provider.
✑ Enable NSG flow log. NSG flow log data is written to an Azure Storage account, Subscription1 has storage.

Reference:

https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-portal

Community vote distribution


DEF (59%) AEF (33%) 8%

HenriKI2 Highly Voted 2 years, 1 month ago

Selected Answer: DEF

https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview

When you create or update a virtual network in your subscription, Network Watcher will be enabled automatically in your Virtual
Network's region. There is no impact to your resources or associated charge for automatically enabling Network Watcher. For more
information, see Network Watcher create.

https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-portal
Create a VM with a network security group
Enable Network Watcher (done by default with the vnet/subnet creation)
-- and register the Microsoft.Insights provider ---------todo
Enable a traffic flow log for an NSG, using Network Watcher's NSG flow log capability --todo BUT !
NSG flow log data is written to an Azure Storage account. Complete the following steps to create a storage account for the log data.
So you need to create a storage account before enabling the NSG flow
Download logged data
View logged data
upvoted 70 times

_punky_ 2 years ago

Checked! This ans is correct.
upvoted 5 times

holytoni 10 months, 1 week ago

I think it's AEF. As the machine has an unmanaged disk, therefore a storage account should already be there.
upvoted 2 times

cnduknthm 1 year, 3 months ago


you are right but in this scenario, there is no mention of Virtual Network creation or updation. It just said the subscription contains
Network Provider registered but not VNET created or updated. So, in that Network Watcher is yet to be enabled correct?
upvoted 2 times

Marz 1 year, 2 months ago

It is mentioned that a VM is already created. You cannot create a VM when there is no VNET. So my conclusion is that the VNET is
there, and so Network Watcher already enabled. leaves DEF for answer.
upvoted 7 times

jackAttew_1 Highly Voted 2 years, 1 month ago

Answer is correct so AEF.

1. Create a VM with a network security group
2. Enable Network Watcher and register the Microsoft.Insights provider
3. Enable a traffic flow log for an NSG, using Network Watcher's NSG flow log capability
4. Download logged data
5. View logged data

https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-portal
upvoted 35 times

yeanlingmedal71 1 year, 10 months ago


D, E, F - options are changed
upvoted 5 times

jeru81 Most Recent 6 days, 23 hours ago

Selected Answer: AEF

You have an Azure subscription named Subscription1 that has the following providers registered: STORAGE

Why D?
upvoted 1 times

MatAlves 3 weeks, 1 day ago

Answer = EDF (in this order)

Full list of steps:

1. Create a virtual network = already exists (can't create VM without it)
2. Create a virtual machine with a network security group associated to its network interface (already exists)
3. Register Microsoft.insights provider
5. Create a storage account
6. Enable flow logging for a network security group using Network Watcher flow logs
7. Download logged data
8. View logged data

https://learn.microsoft.com/en-us/azure/network-watcher/nsg-flow-logs-tutorial
upvoted 3 times

clg003 4 months ago

Selected Answer: DEF

"By default, Network Watcher is automatically enabled." The only reason you would have to enable it is if you had disabled it. So A is not
the answer.

The question states you need to record the data and since there are no disks on the VM you must create storage.

Network security group flow logging is a feature of Azure Network Watcher that allows you to log information about IP traffic flowing
through a network security group.

First step of flow logging is registering insights.


Register-AzResourceProvider -ProviderNamespace 'Microsoft.Insights'
upvoted 6 times

ajdann 4 months, 1 week ago

Selected Answer: AEF

https://learn.microsoft.com/en-us/azure/network-watcher/nsg-flow-logs-tutorial
upvoted 1 times

ajdann 4 months, 1 week ago

DEF******
upvoted 2 times

iamchoy 5 months ago


Selected Answer: AEF

The storage account (option D) is typically needed to store NSG flow logs, but since the question doesn't specify that the logs should be
retained for an extended period, enabling flow logs would suffice for the immediate need.
upvoted 2 times

Mule102 5 months ago


D,E,F are correct,
https://learn.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-portal
upvoted 1 times

MinhNguyen01 5 months, 3 weeks ago


Does anyone discover that this question (30) and question 61 are identical?
Question 61: https://www.examtopics.com/discussions/microsoft/view/20496-exam-az-103-topic-16-question-61-discussion/
But the answers are different. Weird.
upvoted 2 times

binhdortmund 5 months, 2 weeks ago

Go through the link HenriKI2 provided above https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-portal
It's correct
upvoted 1 times

MEG_Florida 6 months, 1 week ago


Selected Answer: AEF

Storage already exists so no reason to add that stuff again.


upvoted 3 times

8c5e41b 5 months ago


Network security groups flow logging is a feature of Azure Network Watcher that allows you to log information about IP traffic flowing
through a network security group. Flow data is sent to Azure Storage from where you can access it and export it to any visualization
tool, security information and event management (SIEM) solution, or intrusion detection system (IDS) of your choice.

https://learn.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-overview
upvoted 1 times

sakibmas 6 months, 2 weeks ago

Selected Answer: AEF

Not DEF => Subscription already has storage


upvoted 2 times

ignorica 3 months, 1 week ago


and Azure Network Watcher is automatically enabled (so it cannot be A either, why would you redo work that has already been done)
upvoted 1 times

Teroristo 6 months, 2 weeks ago


https://www.examtopics.com/discussions/microsoft/view/20496-exam-az-103-topic-16-question-61-discussion/
upvoted 1 times

Mehedi007 6 months, 2 weeks ago


Selected Answer: DEF

"By default, Network Watcher is automatically enabled. When you create or update a virtual network in your subscription, Network
Watcher will be automatically enabled in your Virtual Network's region."
https://learn.microsoft.com/en-us/azure/network-watcher/network-watcher-create?tabs=portal

https://learn.microsoft.com/en-us/azure/network-watcher/nsg-flow-logging
According to these, the workflow should be: {Enable Network Watcher for your region (should be enabled already when the Vnet was
created) > register Microsoft.Insights provider > create Azure storage account (should be there already for managed disks) > Create a flow
log > enable traffic analytics & LA workspace.}

So, here I'd choose from the given choices E>D>F


Register Microsoft.Insights provider > create Azure storage account (unmanaged disks) > Create a flow log
upvoted 2 times

Teroristo 6 months, 3 weeks ago


Answer is A - E - F

A network security group (NSG) enables you to filter inbound traffic to, and outbound traffic from, a virtual machine (VM). You can log
network traffic that flows through an NSG with Network Watcher's NSG flow log capability.

1. Create a VM with a network security group
2. Enable Network Watcher and register the Microsoft.Insights provider
3. Enable a traffic flow log for an NSG, using Network Watcher's NSG flow log capability
4. Download logged data
5. View logged data

Note: Storage account is already created since VMs have unmanaged disks.

Reference:
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-portal
https://docs.microsoft.com/en-us/answers/questions/3619/what-is-the-difference-between-managed-disk-and-un.html
upvoted 2 times

Josete1106 6 months, 4 weeks ago


A , E , F this is correct!
upvoted 2 times

XtraWest 7 months, 1 week ago

Selected Answer: AEF

Register the Microsoft.Insights resource provider.


Enable Azure Network Watcher in the East US Azure region.
Enable Azure Network Watcher flow logs .
upvoted 1 times

raj24051961 7 months, 2 weeks ago

Selected Answer: DEF

If we look at the following link:
https://learn.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-portal
1)Register Insight Provider
2)Create a storage account
3)Create an NSG flow log
4)Download the flow log
5)View the flow log
There is no option to enable region
Region is selected when we create virtual machine and Storage
Storage region and virtual machine region must be same
upvoted 2 times
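
The steps debated in this thread (register Microsoft.Insights, make sure Network Watcher and a storage account exist in the NSG's region, then enable the NSG flow log), written out as an added Az PowerShell example that is not part of any comment above. It assumes the Az module and a signed-in session; the resource group, storage account and flow log names are placeholders or hypothetical.

```powershell
# Added example. Values in <angle brackets> are placeholders, not values from the question.
$location = 'eastus'                      # VM1 is in East US
$nsgName  = 'NSG1'                        # NSG named in the question
$nsgRg    = '<resource-group-of-NSG1>'    # placeholder
$saName   = '<storageaccountname>'        # placeholder; must be globally unique
$flowLog  = 'NSG1-flowlog'                # hypothetical flow log name

# Option E: NSG flow logging requires the Microsoft.Insights resource provider.
Register-AzResourceProvider -ProviderNamespace 'Microsoft.Insights' | Out-Null

# Option A: Network Watcher is normally enabled per region when a virtual network
# is created or updated, so only create one if the region has none.
$nw = Get-AzNetworkWatcher | Where-Object { $_.Location -eq $location }
if (-not $nw) {
    New-AzResourceGroup -Name 'NetworkWatcherRG' -Location $location -Force | Out-Null
    $nw = New-AzNetworkWatcher -Name "NetworkWatcher_$location" `
        -ResourceGroupName 'NetworkWatcherRG' -Location $location
}

# Option D: flow log records are written to a storage account in the same region
# as the NSG. Reuse an existing account if one is already there.
$sa = Get-AzStorageAccount -ResourceGroupName $nsgRg -Name $saName `
    -ErrorAction SilentlyContinue
if (-not $sa) {
    $sa = New-AzStorageAccount -ResourceGroupName $nsgRg -Name $saName `
        -Location $location -SkuName Standard_LRS -Kind StorageV2
}

# Option F: enable the flow log on NSG1 so allowed and denied flows are recorded.
$nsg = Get-AzNetworkSecurityGroup -Name $nsgName -ResourceGroupName $nsgRg
New-AzNetworkWatcherFlowLog -Enabled $true -Name $flowLog `
    -NetworkWatcherName $nw.Name -ResourceGroupName $nw.ResourceGroupName `
    -StorageId $sa.Id -TargetResourceId $nsg.Id | Out-Null

# Check: the flow log should be enabled and point at the expected NSG and account.
Get-AzNetworkWatcherFlowLog -NetworkWatcherName $nw.Name `
    -ResourceGroupName $nw.ResourceGroupName -Name $flowLog |
    Select-Object Name, Enabled, TargetResourceId, StorageId
```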
Question #31 Topic 4

You need to deploy an Azure virtual machine scale set that contains five instances as quickly as possible.

What should you do?

A. Deploy five virtual machines. Modify the Availability Zones settings for each virtual machine.

B. Deploy five virtual machines. Modify the Size setting for each virtual machine.

C. Deploy one virtual machine scale set that is set to VM (virtual machines) orchestration mode.

D. Deploy one virtual machine scale set that is set to ScaleSetVM orchestration mode.

Correct Answer: D

Reference:

https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/orchestration-modes

Community vote distribution


D (96%) 4%

  fedztedz Highly Voted  3 years, 2 months ago


Answer is correct (D).
The main idea is to create 5 VMs asap. To do this you should let Azure do it for you with the least steps, either by using an ARM template,
which is not mentioned here, or a VM scale set. That leaves us with 2 options, C or D. C is like an unmanaged scale set where you add the VMs
manually to the scale set as an unmanaged group, while D is a scale set managed by Azure, where it is based on the configuration set during the
setup of the VM scale set.
upvoted 189 times

  Shadoken 1 year, 7 months ago


The orchestration modes have different names at present:
In flexible orchestration mode, you manually create and add a virtual machine of any configuration to the scale set. In uniform
orchestration mode, you define a virtual machine model and Azure will generate identical instances based on that model.

https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-orchestration-modes
upvoted 29 times

  mlantonis Highly Voted  2 years, 9 months ago

Correct Answer: D

ScaleSetVM orchestration mode: Virtual machine instances added to the scale set are based on the scale set configuration model. The
virtual machine instance lifecycle - creation, update, deletion - is managed by the scale set. It is the current default VMSS behavior. (Scale set
VMs are created in a single shot).

VM (virtual machines) orchestration mode: Virtual machines created outside of the scale set can be explicitly added to the scale set. The
orchestration mode VM will only create an empty VMSS without any instances, and you will have to manually add new VMs into it by
specifying the VMSS ID during the creation of the VM. (Separately VMs are created and added to scale set later)

Reference:

https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/orchestration-modes
upvoted 137 times

  KingChuang 1 year, 3 months ago


Outdated question.
New Mode:
https://learn.microsoft.com/zh-tw/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-orchestration-modes
upvoted 6 times

  AubinBakana 2 years, 5 months ago


Thank you for this. I wondered what the difference was between the 2. They sound the same. Never came across a situation where
machines were to be added manually, which in my opinion defeats the purpose of using a scale set unless you've got legacy equipment
or something like that. But hey, it must be there for a reason and at least I know. Again, thank you
upvoted 3 times

  MatAlves Most Recent  3 weeks, 1 day ago


Outdated question. Now it's called:
- Scale sets with Uniform orchestration
- Scale sets with Flexible orchestration

https://learn.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-orchestration-modes
upvoted 1 times
  mihir25 2 months, 3 weeks ago
NAME HAS BEEN CHANGED NEW NAME IS SOMETHING LIKE THIS

FLEXIBLE ORCHESTRATION == VM ORCHESTRATION MODE
UNIFORM ORCHESTRATION == SCALESETVM ORCHESTRATION MODE

Answer according to this will be Uniform Orchestration Mode


upvoted 8 times

  udaranawodya 2 months, 2 weeks ago


good point
upvoted 2 times

  iamchoy 5 months ago

Selected Answer: D

To deploy multiple virtual machine instances as quickly as possible, you should use a virtual machine scale set.

Between the given options regarding virtual machine scale sets and their orchestration mode:

- VM (virtual machines) orchestration mode allows you to manage each instance of a virtual machine as a separate entity. This is mainly
used for situations where you want to customize the instances individually.

- ScaleSetVM orchestration mode (the default mode) treats the instances in the scale set as a set, making it easier to manage them as a
group, which is ideal for deploying multiple instances quickly.

Therefore, the answer is:

D. Deploy one virtual machine scale set that is set to ScaleSetVM orchestration mode.
upvoted 1 times

  oopspruu 6 months ago


Outdated terminology. Today, the correct answer will be "Uniform Orchestration Mode".
upvoted 4 times

  Mustapha_Hadrich 7 months, 2 weeks ago

Selected Answer: D

correct is D :
reference: https://learn.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-orchestration-modes
upvoted 1 times

  UmbongoDrink 1 year ago

Selected Answer: D

Correct Answer: D

ScaleSetVM orchestration mode: Virtual machine instances added to the scale set are based on the scale set configuration model. The
virtual machine instance lifecycle - creation, update, deletion - is managed by the scale set. It is the current default VMSS behavior. (Scale set
VMs are created in a single shot).
upvoted 1 times

  alirasouli 1 year, 3 months ago


Selected Answer: D

This question is outdated. The two Orchestration Modes are:


- Uniform orchestration: Virtual machine scale sets with Uniform orchestration use a virtual machine profile or template to scale up to
desired capacity. While there is some ability to manage or customize individual virtual machine instances, Uniform uses identical VM
instances.
- Flexible orchestration: With Flexible orchestration, Azure provides a unified experience across the Azure VM ecosystem. Flexible
orchestration offers high availability guarantees (up to 1000 VMs) by spreading VMs across fault domains in a region or within an
Availability Zone.

I can say that Uniform orchestration superseded ScaleSetVM while Flexible orchestration superseded VM mode.

Reference:
https://learn.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-orchestration-modes
upvoted 9 times

  NaoVaz 1 year, 5 months ago

Selected Answer: D

D) " Deploy one virtual machine scale set that is set to ScaleSetVM orchestration mode. "

Currently the correct option is the Uniform Orchestration Mode -
https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-orchestration-modes#scale-sets-with-uniform-orchestration
upvoted 1 times

  EmnCours 1 year, 5 months ago

Selected Answer: D
Correct Answer: D
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/orchestration-modes
upvoted 1 times

  Lazylinux 1 year, 8 months ago

Selected Answer: D

Yep D
Optimized for large-scale stateless workloads with identical instances.
Virtual machine scale sets with Uniform orchestration use a virtual machine profile or template to scale up to desired capacity. While there
is some ability to manage or customize individual virtual machine instances, Uniform uses identical VM instances. Individual Uniform VM
instances are exposed via the virtual machine scale set VM API commands.
***NOTE***
You cannot add an existing machine to any type of VM scale set.
In a Flexible orchestration scale set, ONLY newly created VMs or VMs spawned by the condition of the scale set can be added to the scale set.
Uniform scale sets DO NOT allow the addition of newly created VMs to the scale set.
upvoted 2 times

  manalshowaei 1 year, 8 months ago


Selected Answer: D

D. Deploy one virtual machine scale set that is set to ScaleSetVM orchestration mode
upvoted 1 times

  manalshowaei 1 year, 8 months ago


Selected Answer: C

C. Change the size to D8s v3


upvoted 1 times

  HenriKI2 2 years, 1 month ago


Question is outdated.
https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-orchestration-modes
Now it's UNIFORM mode and FLEXIBLE mode.
Uniform : Uniform uses identical VM instances. = ScaleSetVMs
Flexible : Achieve high availability at scale with identical or multiple virtual machine types. = VM orchestration
upvoted 16 times

  JESUSBB 2 years, 2 months ago


In the exam today 11-DEC-2021
Ans:D. Deploy one virtual machine scale set that is set to ScaleSetVM orchestration mode.
upvoted 1 times

  Snownoodles 2 years, 2 months ago

Selected Answer: D

The ScaleSetVM mode has a new name, 'uniform' orchestration mode, which creates uniform VMs and uses the VMSS API to manage them.
Another orchestration mode is Flexible orchestration mode, which uses the VM API to individually manage VMs.
upvoted 6 times
Question #32 Topic 4

You plan to create the Azure web apps shown in the following table.

What is the minimum number of App Service plans you should create for the web apps?

A. 1

B. 2

C. 3

D. 4

Correct Answer: A

Community vote distribution


B (96%) 4%

  EleChie Highly Voted  1 year, 5 months ago

Correct Answer: B
.NET Core 3.0: Windows and Linux
ASP.NET V4.7: Windows only
PHP 7.3: Windows and Linux
Ruby 2.6: Linux only
Also, you can’t use Windows and Linux Apps in the same App Service Plan, because when you create a new App Service plan you have to
choose the OS type. You can't mix Windows and Linux apps in the same App Service plan. So, you need 2 ASPs.
Reference:
https://docs.microsoft.com/en-us/azure/app-service/overview
upvoted 80 times

  Indy429 1 month, 3 weeks ago


Makes a lot of sense. At first I thought A, but I forgot about the fact that you can only have 1 OS per App Service Plan.
B seems to be the safest answer.
upvoted 1 times

  Ozzy3458 1 year, 4 months ago


Ruby 2.6 can run on Windows. Check it! So the answer is correct. A is the correct answer.
RubyInstaller for Windows https://rubyinstaller.org
upvoted 7 times

  slovik 1 year, 3 months ago


Maybe it can but it's not listed as webapp runtime for windows:
$ az webapp list-runtimes --os windows
[
"dotnet:7",
"dotnet:6",
"DOTNETCORE:3.1",
"ASPNET:V4.8",
"ASPNET:V3.5",
"NODE:18LTS",
"NODE:16LTS",
"NODE:14LTS",
"PHP:7.4",
"java:1.8:Java SE:8",
"java:11:Java SE:11",
"java:17:Java SE:17",
"java:1.8:TOMCAT:10.0",
"java:11:TOMCAT:10.0",
"java:17:TOMCAT:10.0",
"java:1.8:TOMCAT:9.0",
"java:11:TOMCAT:9.0",
"java:17:TOMCAT:9.0",
"java:1.8:TOMCAT:8.5",
"java:11:TOMCAT:8.5",
"java:17:TOMCAT:8.5"
]
upvoted 24 times

  adeyhtech87 1 year ago


Ruby 2.7 works with only the Linux App service plan, as I can check in Jan 2023. Not sure, if Ruby 2.6 would have ever supported
Windows. So the answer is B correct. We basically need 1 service plan for Linux App setup environment and one for windows based
workload.
upvoted 7 times

  simonseztech Highly Voted  1 year, 4 months ago

Selected Answer: B

Tested on 2022-10-12 in the portal : PHP & Ruby are Linux only so the answer is 2
upvoted 18 times

  iamchoy Most Recent  5 months ago

Selected Answer: B

Azure App Service plans define the region (Datacenter) of the physical server where your web app will be hosted and the amount of
storage, RAM, and CPU the underlying virtual machine will have. One App Service plan can host multiple web apps, mobile apps, API apps,
and function apps. All apps in the same plan run on the same VM instance(s) and share the same resources.

Different runtime stacks (like .NET Core, ASP.NET, PHP, or Ruby) can coexist in the same App Service plan, provided they are supported by
the operating system of the plan (Windows or Linux).

Given the web apps you have:


- WebApp1: .NET Core 3.1 (LTS) runs on both Windows and Linux.
- WebApp2: ASP.NET v4.8 runs only on Windows.
- WebApp3: PHP 7.3 runs on both Windows and Linux.
- WebApp4: Ruby 2.6 typically runs on Linux.

You can choose to have:


1. One App Service plan for WebApp1, WebApp2, and WebApp3 all on Windows.
2. A separate App Service plan for WebApp4 on Linux.

This results in a total of 2 App Service plans.

The answer is:


B. 2
upvoted 7 times

  riccardoto 5 months, 3 weeks ago

Selected Answer: B

The correct answer is still "B", but probably this question will soon require some update.
- current LTS version of .NET Core is called .NET 6 (goes both in Windows and Linux)
- .NET 4.7 is not available (.NET 4.8 is) - this goes in Windows only
- PHP is available in versions 8.0, 8.1, 8.2 --> this goes in Linux only
- Ruby support has ended in April 2023.

All in all, the table is specifying "runtime stack", so I guess it should state more clearly that it expects answers with "code" publish mode.
Actually, one could also just deploy 1 service plan by using the "docker container" mode - though the operational effort would be higher.
upvoted 5 times

  MGJG 6 months, 1 week ago


OpenAI: If you want to minimize the number of App Service plans to just one, you would need to choose an App Service plan that can
accommodate all the different runtime stacks. In this case, you can use a "Windows" based plan since it can support .NET, ASP.NET, PHP,
and Ruby applications.

So, you would need one App Service plan for all the web apps:

App Service Plan for Multiple Runtime Stacks:

webapp1 (Runtime stack: .NET Core 3.1)
webapp2 (Runtime stack: ASP.NET v4.8)
webapp3 (Runtime stack: PHP 7.3)
webapp4 (Runtime stack: Ruby 2.6)
upvoted 1 times

  sakibmas 6 months, 2 weeks ago


Selected Answer: A

Ruby 2.6 can run on Windows


upvoted 1 times

  Mehedi007 6 months, 2 weeks ago


Selected Answer: B

https://learn.microsoft.com/en-us/azure/app-service/overview#next-steps

Also you can’t use Windows and Linux Apps in the same App Service Plan.

Passed the exam on 26 July 2023. Scored 870. Exact question came.
upvoted 3 times

  LGWJ12 6 months, 2 weeks ago

Selected Answer: B

WebApp1 and WebApp2 in windows appservice plan and WebApp3 and WebApp4 in linux.

The correct answer is B.


upvoted 1 times

  Bentot 7 months ago


It is stated that Ruby 2.6, the 2.6 version can run on windows. Tricky question.
upvoted 1 times

  someonewaiting 8 months ago


I suspect that does az-104 really worth it. This question shouldn't be for operators, it should be for developers.
upvoted 3 times

  sankar07 10 months, 1 week ago

Selected Answer: B

2 is right. You need 1 for windows and 1 for linux. Because .Net 47 runs only on windows. Ruby runs only on linux. The other 2 can run on
both.
upvoted 2 times

  macrawat 11 months ago


This is a dumb question
upvoted 12 times

  kklohit 11 months, 1 week ago

Selected Answer: B

The answer is B.

Each Azure App Service plan can host multiple web apps, but each plan is limited to a specific set of features and corresponding worker
size. In this case, .NET Core 3.1, ASP .NET V 4.8, PHP 7.3, and Ruby 2.6 are all different runtime stacks, so each web app must be hosted on
a separate App Service plan. Therefore, the minimum number of App Service plans required to host all four web apps is two.

You can host WebApp1 and WebApp2 on an App Service plan that supports .NET Core and ASP.NET, and you can host WebApp3 and
WebApp4 on another App Service plan that supports PHP and Ruby.
upvoted 1 times

  hfk2020 11 months, 2 weeks ago


The .NET Core 3.1, PHP 7.3, and Ruby 2.6 runtime stacks work on both Linux and Windows operating systems.

ASP.NET V4.8 is a Windows-specific runtime stack and does not work on Linux. If you want to run ASP.NET web applications on Linux, you
can use .NET Core runtime stack, which supports cross-platform development and can run ASP.NET Core web applications on Linux as well
as Windows.
upvoted 1 times

  kilobaik 11 months, 3 weeks ago


Correct answer is B (2).
Because:
- ASP.Net can run only on Windows
- PHP, Ruby: can run only on Linux
upvoted 1 times

  psr83 12 months ago

Selected Answer: B

az webapp list-runtimes
{
"linux": [
"DOTNETCORE:7.0",
"PYTHON:3.11",
"PHP:8.2",
"RUBY:2.7",
],
"windows": [
"dotnet:7",
"dotnet:6",
"ASPNET:V4.8",
"ASPNET:V3.5",
]
}
upvoted 3 times

  psr83 12 months ago


Selected Answer: B
az webapp list-runtimes --os windows
[
"dotnet:7",
"ASPNET:V4.8",
]
$ az webapp list-runtimes --os linux
[
"DOTNETCORE:7.0",
"PHP:8.0",
"RUBY:2.7",
]
upvoted 4 times
Question #33 Topic 4

HOTSPOT -

You have a pay-as-you-go Azure subscription that contains the virtual machines shown in the following table.

You create the budget shown in the following exhibit.

The AG1 action group contains a user named admin@contoso.com only.

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.

Hot Area:
Correct Answer:

Box 1: VM1 and VM2 continue to run

The budget alerts are for Resource Group RG1, which include VM1, but not VM2. However, when the budget thresholds you've created are exceeded, only notifications are triggered. None of your resources are affected and your consumption isn't stopped.

Box 2: one email notification will be sent each month.

Budget alerts for Resource Group RG1, which include VM1, but not VM2. VM1 consumes 20 Euro/day. The 50%, 500 Euro limit, will be reached in 25 days, and an email will be sent.

The 70% and 100% alert conditions will not be reached within a month, and they don't trigger email actions anyway.

Credit alerts: Credit alerts are generated automatically at 90% and at 100% of your Azure credit balance. Whenever an alert is generated, it's reflected in cost alerts and in the email sent to the account owners. 90% and 100% will not be reached though.

Reference:

https://docs.microsoft.com/en-us/azure/cost-management-billing/costs/cost-mgt-alerts-monitor-usage-spending

https://docs.microsoft.com/en-gb/azure/cost-management-billing/costs/tutorial-acm-create-budgets
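
The projection in the explanation above, worked through as an added example (not part of the original page or of any Azure tooling). The budget amount of 1000 is inferred from "50%, 500 Euro"; VM2's daily cost and its RG2 resource group are constructed values, since the table and exhibit are not reproduced here.

```python
from dataclasses import dataclass
from math import ceil


@dataclass(frozen=True)
class Resource:
    name: str
    resource_group: str
    daily_cost: float  # in the budget's currency (Euro on this page)


@dataclass(frozen=True)
class Threshold:
    percent: int       # percentage of the budget amount
    sends_email: bool  # whether this alert condition has an email action


# Values taken from the explanation: VM1 costs 20 Euro/day and sits in RG1.
# VM2's resource group and cost are constructed for the example.
RESOURCES = [
    Resource("VM1", "RG1", 20.0),
    Resource("VM2", "RG2", 30.0),  # constructed
]

# 50% of the budget is 500 Euro, so the budget amount is 1000 (inferred).
BUDGET_AMOUNT = 1000.0

# Per the explanation, only the 50% condition results in an email.
THRESHOLDS = [
    Threshold(50, True),
    Threshold(70, False),
    Threshold(100, False),
]


def scoped_daily_cost(resources, scope_rg):
    """Daily spend of the resources inside the budget's scope only."""
    return sum(r.daily_cost for r in resources if r.resource_group == scope_rg)


def project_alerts(budget_amount, thresholds, resources, scope_rg, days_in_month):
    """Return (percent, day_reached, sends_email) for every threshold that is
    reached within the month at a constant daily spend.

    A budget only notifies: nothing in this model stops or deallocates a
    resource, which matches the 'VM1 and VM2 continue to run' answer.
    """
    daily = scoped_daily_cost(resources, scope_rg)
    if daily <= 0:
        return []  # nothing in scope is spending, so no threshold is reached
    fired = []
    for t in sorted(thresholds, key=lambda t: t.percent):
        limit = budget_amount * t.percent / 100
        day = ceil(limit / daily)  # first day on which cumulative cost >= limit
        if day <= days_in_month:
            fired.append((t.percent, day, t.sends_email))
    return fired


def emails_per_month(budget_amount, thresholds, resources, scope_rg, days_in_month):
    """Count the reached thresholds that carry an email action."""
    alerts = project_alerts(budget_amount, thresholds, resources, scope_rg, days_in_month)
    return sum(1 for _, _, sends_email in alerts if sends_email)


if __name__ == "__main__":
    for days in (28, 30, 31):
        print(days, project_alerts(BUDGET_AMOUNT, THRESHOLDS, RESOURCES, "RG1", days))
```

If VM2 were inside the budget's scope, all three thresholds would be reached within the month, yet the number of emails would still depend only on which conditions carry an email action.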

  mlantonis Highly Voted  2 years, 9 months ago

Correct Answer:

Box 1: VM1 and VM2 continue to run


The Budget’s scope is RG1, so only VM1 will be handled.
When the budget thresholds you've created are exceeded, only notifications are triggered.
To stop resources, you need to setup additional things, none of which are mentioned in the question.

Box 2: one email notification will be sent each month.

Budget alerts have scope in Resource Group RG1, which includes VM1, but not VM2.
VM1 consumes 20 Euro/day, so 20 euros * 30 days = 600 euros.
The 50%, 500 Euro limit, will be reached in 25 days (25*20 = 500), so an email will be sent.
The 70% and 100% alert conditions will not be reached within a month, and they don't trigger email actions anyway, because AG1 action
group contains a user.

Credit alerts: Credit alerts are generated automatically at 90% and at 100% of your Azure credit balance. Whenever an alert is generated,
it's reflected in cost alerts and in the email sent to the account owners. 90% and 100% will not be reached though.
upvoted 322 times

  cnduknthm 1 year, 3 months ago


Please provide clarity on Alert Recipient (email): Admin@contoso.com. When will the email be triggered to his address?
upvoted 1 times

  cnduknthm 1 year, 3 months ago


typo - user1@contoso.com
upvoted 1 times

  cnduknthm 1 year, 3 months ago


sorry to trouble you. got the answer from https://www.codit.eu/blog/control-your-azure-costs-through-budget-alerts/
upvoted 1 times

  thuylevn 2 years, 6 months ago


policy apply only RG1 (VM1). so only VM1 stop
upvoted 2 times

  ivanp8571 1 year, 11 months ago


But it requires an additional configuration to shut down the VM. Budget alerts only trigger alerts
upvoted 8 times
  Takloy 2 years, 2 months ago
Yo Da'man!
upvoted 5 times

  Hyrydar 2 years, 3 months ago


Sir, you are a rock star. I learn from you.
upvoted 10 times

  Hyrydar 2 years, 3 months ago


I hope addressing you as sir, is correct. If not, fill it in.
upvoted 5 times

  fedztedz Highly Voted  3 years, 2 months ago

Answer is Wrong. Correct is


- VM1 and VM2 continue to run. First, the alert is managed only for VM1 in the scope of RG1. Second, when the alert hits 100%, the action
group is an Azure app, which I assume is an Azure logic app. It is not clear what this app does. Accordingly, we can assume no action to stop
the VM as a spending limit. It is just an alert.
- The second answer is wrong. The alert will send two email notifications, one based on Action group AG1 and another based on the
alert recipients (the admin)
upvoted 98 times

  SnakePlissken 2 years, 9 months ago


- VM1 and VM2 continue to run. When the budget thresholds you've created are exceeded, only notifications are triggered. None of
your resources are affected and your consumption isn't stopped.
https://docs.microsoft.com/en-us/azure/cost-management-billing/costs/tutorial-acm-create-budgets
- Only one email will be sent each month. Only if you don’t specify a particular action group, an email is sent to the alert recipients.
https://www.codit.eu/blog/control-your-azure-costs-through-budget-alerts
upvoted 49 times

  joelabc1234 2 years, 2 months ago


This is the correct answer. As stated the thresholds only affect RG1 where VM1 is located and it is not scoped on RG2 where VM2
resides.
upvoted 2 times

  Takloy 2 years, 3 months ago


explain why there's only 1 email.
upvoted 1 times

  e_karma 2 years, 2 months ago


Because if you see the daily consumption, it is 20 usd. Multiply by 30 and it comes to around 600 usd. The first alert is sent at around 500 usd.
Going by the current consumption, it won't reach 700 usd, when the second alert is triggered.
upvoted 5 times

  Takloy 2 years, 2 months ago


Thank you @e_karma!
upvoted 2 times

  Junpeng 2 years, 6 months ago


Make more sense, upvoted.
upvoted 3 times

  cnduknthm 1 year, 3 months ago


If you don’t specify a particular action group, an email is sent to the alert recipients. so, as we have AG1 group already in place. Only
single email will be sent.
upvoted 2 times

  Hibs2016 3 years, 2 months ago


Do you have any links explaining your point on the email notifications? I think it would only be one email notification.
upvoted 5 times

  nzwasp 3 years, 2 months ago


I selected one email based on the math. AG1 is reached but AG2 is not reached, because 30 days of 20 dollars a day is only $600. Also,
even if AG2 was triggered, it still wouldn't send out a 2nd email.
upvoted 12 times

  Lkk51 2 years, 8 months ago


2nd mail is from "Alert recipient" to user1@contoso.com
upvoted 2 times

  e_karma 2 years, 2 months ago


The alert is for resource group AG1 only. So no need of looking at AG2
upvoted 2 times

  Lapiduse 3 years, 1 month ago


Agree:
- the alert will send two email notifications:
one based on Action group AG1 (admin) 50% and another based on the alert recipients (user) 100% of the budget.
upvoted 5 times

  thuylevn 2 years, 6 months ago


what happened if they under budget ?
=> so answer 1 email is correct (policy apply only for RG1)
upvoted 2 times

  thuylevn 2 years, 6 months ago


when they 100% of budget will send SMS
upvoted 1 times

  Amir1909 Most Recent  2 days, 6 hours ago

Correct
upvoted 1 times

  AntaninaD 5 months ago


Got this question on 09/09/23
upvoted 2 times

  hebbo777 2 months, 2 weeks ago


Which answer, and did you pass?
upvoted 1 times

  Z_MU 7 months, 1 week ago


is it me or the question is not phrased properly?!
Did you notice the second question where it says "based on the current usage cost" not daily cost?
If that is correct, then no email notification will be sent, did I understand it correctly?
upvoted 2 times

  harisavt47 11 months ago


These questions are phrased so bad...
upvoted 4 times

  zellck 1 year ago


1. VM1 and VM2 continue to run.
2. one email will be sent monthly.

https://learn.microsoft.com/en-us/azure/cost-management-billing/manage/cost-management-budget-scenario
Budgets are commonly used as part of cost control. Budgets can be scoped in Azure. For instance, you could narrow your budget view
based on subscription, resource groups, or a collection of resources. In addition to using the budgets API to notify you via email when a
budget threshold is reached, you can use Azure Monitor action groups to trigger an orchestrated set of actions resulting from a budget
event.
upvoted 1 times

  klexams 1 year, 4 months ago


Box 2: 2 emails each month i.e. AG1 and Alert recipient.
Whenever an alert is generated, it's shown in cost alerts. An alert email is also sent to the people in the alert recipients list of the budget.
https://learn.microsoft.com/en-us/azure/cost-management-billing/costs/cost-mgt-alerts-monitor-usage-spending
upvoted 2 times

  GBAU 1 year ago


But is one email going to two recipients one email or two? i.e. is the question a poorly worded question of how many email notification
triggers will occur each month, or how many recipients will receive emails each month.

If I send an email to 20 recipients, I don't say I sent 20 emails...


upvoted 2 times

  NaoVaz 1 year, 5 months ago


1) When the maximum amount in Budget1 is reached: "VM1 and VM2 continue to run".
2) Based on the current usage costs of the virtual machines: "one email notification will be sent each month".

Explanation:
Budgets don't by default interact with resources when thresholds are reached.
Only one email will be sent because on RG1 the VM1 will cost around 600€ (20€ per day).
upvoted 2 times

  vadi123 1 year, 5 months ago


appeared in exam 9/5/22
upvoted 1 times

  EmnCours 1 year, 5 months ago


Box 1: VM1 and VM2 continue to run
The budget alerts are for Resource Group RG1, which include VM1, but not VM2. However, when the budget thresholds you've created are
exceeded, only notifications are triggered. None of your resources are affected and your consumption isn't stopped.
Box 2: one email notification will be sent each month.
Budget alerts for Resource Group RG1, which include VM1, but not VM2. VM1 consumes 20 Euro/day. The 50%, 500 Euro limit, will be
reached in 25 days, and an email will be sent.
The 70% and 100% alert conditions will not be reached within a month, and they don't trigger email actions anyway.
Credit alerts: Credit alerts are generated automatically at 90% and at 100% of your Azure credit balance. Whenever an alert is generated,
it's reflected in cost alerts and in the email sent to the account owners. 90% and 100% will not be reached though.
upvoted 1 times

  JacquesV 1 year, 6 months ago


In exam on 10Aug2022
upvoted 3 times

  Gino_Slim 1 year, 7 months ago


Ugh...more math (lol)
upvoted 2 times

  most_lenyora 1 year, 6 months ago


I feel you hahaha
upvoted 1 times

  Lazylinux 1 year, 8 months ago


Given answer is WRONG correct is
Box 1: VM1 and VM2 continue to run => budget scope is for VM1 ONLY and hence consider it, so if another option said VM1 running and
VM2 is off then it can be correct but NOT other way round
Box 2: one email notification will be sent each month. as $600 is reached which is above 500 but below 700
upvoted 2 times

  manalshowaei 1 year, 8 months ago


Box 1: VM1 is turned off, and VM2 continues to run
The budget alerts are for Resource Group RG1, which include VM1, but not VM2.
Box 2: one email notification will be sent each month.
Budget alerts for Resource Group RG1, which include VM1, but not VM2. VM1 consumes 20 Euro/day. The 50%, 500 Euro limit, will be
reached in 25 days, and an email will be sent.
The 70% and 100% alert conditions will not be reached within a month, and they don't trigger email actions anyway.
Credit alerts: Credit alerts are generated automatically at 90% and at 100% of your Azure credit balance. Whenever an alert is generated,
it's reflected in cost alerts and in the email sent to the account owners. 90% and 100% will not be reached though.
upvoted 3 times

  Lazylinux 1 year, 8 months ago


Correct answer is
Box 1: VM1 and VM2 continue to run => it costs 600 per month for VM1 to run and hence in 2 months will exceed the budget.
Box 2: one email notification will be sent each month. => because cost 600 per month and email alert is set to 500
upvoted 3 times

  IAGirl 1 year, 8 months ago


Box 1:VM1 and VM2 continue to run.
When the budget thresholds you've created are exceeded, only notifications are triggered. None of your resources are affected and your
consumption isn't stopped
Box 2: one email notification will be sent each month
RG1 includes VM1 -> 20 euro/day * 30 days = 600 Eur. So 50% of the budget will be reached and an email will be sent.
https://docs.microsoft.com/en-us/azure/cost-management-billing/costs/tutorial-acm-create-budgets
upvoted 1 times
Question #34 Topic 4

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an Azure subscription named Subscription1. Subscription1 contains a resource group named RG1. RG1 contains resources that were deployed by using templates.

You need to view the date and time when the resources were created in RG1.

Solution: From the Subscriptions blade, you select the subscription, and then click Programmatic deployment.

Does this meet the goal?

A. Yes

B. No

Correct Answer: B

From the RG1 blade, click Deployments. You see a history of deployment for the resource group.

Reference:

https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/template-tutorial-create-first-template?tabs=azure-powershell

Community vote distribution


B (100%)

  mlantonis Highly Voted  2 years, 9 months ago

Correct Answer: B - No

From the RG1 blade, click Deployments. You see a history of deployment for the resource group.

Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/template-tutorial-create-first-template?tabs=azure-powershell
upvoted 96 times

  bobbywilly Highly Voted  3 years, 5 months ago


No is the correct
upvoted 14 times

  Nick7500 Most Recent  6 months ago


Only we can access 240 Questions in free trial
upvoted 1 times

  Nick7500 6 months ago


I mean only 240 questions are free in Exam Topic....?
upvoted 1 times

  UmbongoDrink 1 year ago

Selected Answer: B

From the RG1 blade, click Deployments. You see a history of deployment for the resource group.
upvoted 1 times

  NaoVaz 1 year, 5 months ago

Selected Answer: B

B) "No"

Reference: https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/template-tutorial-create-first-template?tabs=azure-powershell#verify-deployment
upvoted 1 times

  EmnCours 1 year, 5 months ago


Selected Answer: B

Correct Answer: B
upvoted 1 times

  minix 1 year, 7 months ago


came in today's exam 25/6/2022
upvoted 3 times
  Lazylinux 1 year, 8 months ago

Selected Answer: B

I Luv Honey because it is B => check from RG =>Deployment


upvoted 2 times

  manalshowaei 1 year, 8 months ago

Selected Answer: B

B. No .
upvoted 1 times

  Olram 1 year, 9 months ago


Passed today. this is part of the exam. 4/23/22
upvoted 4 times

  josevirtual 1 year, 11 months ago


Selected Answer: B

Correct: B (No)

You can find this information in the RG1 Blade - Deployments


upvoted 1 times

  AubinBakana 2 years, 5 months ago


Here's something I could only learn here. I often went to the Activity Log for the resource or in the Azure monitor. No wonder why it never
found a good answer. :)
upvoted 3 times

  zr79 1 year, 11 months ago


Technically you're correct. But azure does in its ways
upvoted 1 times

  mg 2 years, 11 months ago


Answer is correct
To find the details of resource deployment - deployment from RG1 blade
upvoted 2 times

  ZUMY 2 years, 11 months ago


B is the Answer
upvoted 4 times

  toniiv 2 years, 12 months ago


Answer B. is correct. You should use the Deployments blade.
upvoted 4 times

  fedztedz 3 years, 2 months ago


Answer is correct. NO
upvoted 9 times

  sanovi 3 years, 6 months ago


how to check the timing for the deployment ???
upvoted 2 times

  zyta 3 years, 6 months ago


select resource group you have, open blade "deployments", go through the list of the events. You will see there log of events with
statuses and timestamps of when the action was done
upvoted 9 times
Question #35 Topic 4

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an Azure subscription that contains the resources shown in the following table.

VM1 connects to VNET1.

You need to connect VM1 to VNET2.

Solution: You create a new network interface, and then you add the network interface to VM1.

Does this meet the goal?

A. Yes

B. No

Correct Answer: B

You should delete VM1. You recreate VM1, and then you add the network interface for VM1.

Note: When you create an Azure virtual machine (VM), you must create a virtual network (VNet) or use an existing VNet. You can change the subnet a VM is connected to after it's created, but you cannot change the VNet.

Reference:

https://docs.microsoft.com/en-us/azure/virtual-machines/windows/network-overview

Community vote distribution


B (100%)

mlantonis Highly Voted 2 years, 9 months ago

Correct Answer: B - No

Instead, you should delete VM1. Then recreate VM1 and add the network interface for VM1.

To migrate a VM from a VNET to another VNET, the only option is to delete the VM and redeploy it using a new NIC and NIC connected to VNET2.

Note: When you create an Azure Virtual Machine (VM), you must create a Virtual Network (VNet) or use an existing VNet. You can change
the subnet a VM is connected to after it's created, but you cannot change the VNet. You can also change the size of a VM.

Reference:

https://docs.microsoft.com/en-us/azure/virtual-machines/windows/network-overview
upvoted 63 times

fedztedz Highly Voted 3 years, 2 months ago

Answer is correct. NO (B)


upvoted 21 times

UmbongoDrink Most Recent 1 year ago

Selected Answer: B

You should delete VM1. You recreate VM1, and then you add the network interface for VM1.
(repeated question!)
upvoted 1 times

Nick7500 6 months ago


Only 240 questions are free on this website..?
upvoted 1 times

NaoVaz 1 year, 5 months ago

Selected Answer: B
B) "No"

The only way to change a VNET on a VM is by deleting and re-creating the VM.
upvoted 1 times

EmnCours 1 year, 5 months ago

Selected Answer: B

Correct Answer: B
upvoted 1 times

Lazylinux 1 year, 8 months ago


Selected Answer: B

I Luv Honey Because it is B => VM=>VNET=>VNIC cannot migrate/move MUST all be in same region so either redeploy VM or create NEW
one and attach disk to it
upvoted 1 times

manalshowaei 1 year, 8 months ago

Selected Answer: B

B. No .
upvoted 1 times

dasEnder 1 year, 9 months ago

Selected Answer: B

Correct answer
upvoted 2 times

ajayasa 1 year, 11 months ago


this question was there on 16/03/2022 with same question and passed with 900 percent
upvoted 4 times

Azure_daemon 1 year, 11 months ago


once you create a VM you can change the VNET unless redeploy the VM
upvoted 1 times

deltarj 2 years ago


q27, q28, q29 & q42 are in pack. [remember: Delete&Recreate!]
upvoted 3 times

[Removed] 2 years, 2 months ago


Was on exam 15/11/2021
upvoted 6 times

Khana 2 years, 3 months ago


repeated question
upvoted 2 times

nfett 2 years, 9 months ago


Answer is B. repeated question.
upvoted 2 times

Sandroal29 2 years, 10 months ago


The provided answer is correct.
upvoted 1 times

ZUMY 2 years, 11 months ago


No is correct
upvoted 2 times

NickyDee 3 years, 1 month ago


Delete and recreate VM
upvoted 3 times
Question #36 Topic 4

You have an Azure Active Directory (Azure AD) tenant named adatum.com that contains the users shown in the following table.

Adatum.com has the following configurations:

✑ Users may join devices to Azure AD is set to User1.
✑ Additional local administrators on Azure AD joined devices is set to None.

You deploy Windows 10 to a computer named Computer1. User1 joins Computer1 to adatum.com.

You need to identify the local Administrator group membership on Computer1.

Which users are members of the local Administrators group?

A. User1 only

B. User2 only

C. User1 and User2 only

D. User1, User2, and User3 only

E. User1, User2, User3, and User4

Correct Answer: C

Users may join devices to Azure AD - This setting enables you to select the users who can register their devices as Azure AD joined devices. The default is All.

Additional local administrators on Azure AD joined devices - You can select the users that are granted local administrator rights on a device. Users added here are added to the Device Administrators role in Azure AD. Global administrators, here User2, in Azure AD and device owners are granted local administrator rights by default.

Reference:

https://docs.microsoft.com/en-us/azure/active-directory/devices/device-management-azure-portal

Community vote distribution


C (100%)

fedztedz Highly Voted 3 years, 2 months ago

Answer is correct. User 1 and User 2 only.

First, the only user who can join Azure AD devices is User 1, since User1 is admin on machine. So, the machine can be added.
Second, the ones that can be local admins on Windows 10 are managed under "Additional local administrators". Since this is not mentioned, we can assume default.
By default, the ones are global administrator and device owners (device administrators). This leads us to User1 and User2 only.
upvoted 212 times

CheapCheats 5 months ago


nice deduction
upvoted 1 times

ik96 2 years, 4 months ago


correct answer
upvoted 14 times

kt_tk_2020 Highly Voted 3 years, 2 months ago

ans : D,
https://docs.microsoft.com/en-us/azure/active-directory/devices/assign-local-admin
When you connect a Windows device with Azure AD using an Azure AD join, Azure AD adds the following security principals to the local
administrators group on the device:

The Azure AD global administrator role


The Azure AD device administrator role
The user performing the Azure AD join
upvoted 36 times

Ram9198 2 months, 3 weeks ago


No, do not get misled by cloud device administrator role. The role that is automatically added is below:
Azure AD Joined Device Local Administrator Users assigned to this role are added to the local administrators group on Microsoft Entra
joined devices
upvoted 2 times

akash2504 2 years, 9 months ago


When you connect a Windows device with Azure AD using an Azure AD join, Azure AD adds the following security principals to the local
administrators group on the device:

The Azure AD global administrator role


The Azure AD device administrator role
The user performing the Azure AD join

ans is D
upvoted 5 times

Rob89435 2 years, 6 months ago


It's the 'Azure AD joined device local administrator role' not the 'Cloud Device Administrator'.
So C is correct.

When you connect a Windows device with Azure AD using an Azure AD join, Azure AD adds the following security principals to the local
administrators group on the device:
The Azure AD global administrator role
The Azure AD joined device local administrator role
The user performing the Azure AD join
upvoted 19 times

go4adil 2 weeks, 5 days ago


Rightly explained.
Thanks
upvoted 1 times

Lkk51 2 years, 8 months ago


Cloud Device Administrator

Users in this role can enable, disable, and delete devices in Azure AD and read Windows 10 BitLocker keys (if present) in the Azure
portal. The role does not grant permissions to manage any other properties on the device.

answer is C
upvoted 13 times

MatAlves Most Recent 3 weeks, 1 day ago

User 1 = user performing the join


User 2 = Global Admin

There is no "Microsoft Entra Joined Device Local Administrator role" mentioned.

"At the time of Microsoft Entra join, we add the following security principals to the local administrators group on the device:

The Microsoft Entra Global Administrator role


The Microsoft Entra Joined Device Local Administrator role
The user performing the Microsoft Entra join"

https://learn.microsoft.com/en-us/entra/identity/devices/assign-local-admin
upvoted 2 times

kukuli 2 months, 2 weeks ago


Is it sufficient to practice only free dumps as 270 questions only or need to have all to pass the exam ?
upvoted 3 times

YesPlease 4 months ago

Selected Answer: C

https://learn.microsoft.com/en-us/azure/active-directory/devices/assign-local-admin
upvoted 1 times

Puja_Azure 7 months, 2 weeks ago


Is it sufficient if I only go through free questions available and not the paid one ? Please suggest.
upvoted 1 times

rishisoft1 8 months ago


It should be user 1 & User 2 only.
Azure AD Cloud Device Administrator role itself does not automatically grant local administrative privileges on Azure AD Joined devices.
You need to use additional configuration steps, such as policies or group membership settings, to grant administrative access to users or
groups on the local device. So user can't be the part of local administrator group
upvoted 1 times

AZcheck 9 months ago


User 1 & 2 only
upvoted 1 times

CommanderBigMac 12 months ago


This question feels very badly worded
upvoted 12 times

UmbongoDrink 1 year ago


Selected Answer: C

User1 and User2 only


upvoted 1 times

LiamAzure 1 year, 3 months ago


Selected Answer: C

Global Admin, Azure AD joined device local administrator role, User joining the device. The additional local administrators box is for any additional local admins you want to manually add, but default is set to none
upvoted 1 times

NaoVaz 1 year, 5 months ago

Selected Answer: C

C) " User1 and User2 only "

User1 because he joined the Device to the tenant so he must be Admin on the device.
By default, Local administrators on joined devices, are the device owners and Global Administrators, so User2 is also.

Reference: https://docs.microsoft.com/en-us/azure/active-directory/devices/assign-local-admin#how-it-works
upvoted 8 times

EmnCours 1 year, 5 months ago

Selected Answer: C

Correct Answer: C
Users may join devices to Azure AD - This setting enables you to select the users who can register their devices as Azure AD joined devices.
The default is All.
Additional local administrators on Azure AD joined devices - You can select the users that are granted local administrator rights on a
device. Users added here are added to the Device Administrators role in Azure AD. Global administrators, here User2, in Azure AD and
device owners are granted local administrator rights by default.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/devices/device-management-azure-portal
upvoted 1 times

Lazylinux 1 year, 8 months ago

Selected Answer: C

C is correct
When you connect a Windows device with Azure AD using an Azure AD join, Azure AD adds the following security principals to the local
administrators group on the device:
*The Azure AD global administrator role
*The Azure AD device administrator role
*The user performing the Azure AD join
*Users may join devices to Azure AD - This setting enables you to select the users who can register their devices as Azure AD joined
devices. The default is All.
*Azure AD Join enables users to join their devices to Active Directory from anywhere as long as they have connectivity with the Internet
*The Users may join devices to Azure AD setting enables you to select the users who can join devices to Azure AD. Options are All, Selected
and None. The default is All

**remember AZ AD device admin is NOT same as Cloud device admin, MS misleading here*
upvoted 9 times

manalshowaei 1 year, 8 months ago

Selected Answer: C

C. User1 and User2 only


upvoted 1 times

scottims 1 year, 9 months ago


Ans. C
Tested this in lab
Azure Joined device with User1. Was presented with a box stating domain joining and User1 would be Administrator of device.

Added User2 to Cloud Device Administrator Role. Signed into the device and tried to run cmd as administrator. Result...UAC screen
requesting administrative credentials. Entered User1 credentials and administrative cmd opened.
upvoted 1 times

josevirtual 1 year, 11 months ago

Selected Answer: C

C is correct
upvoted 1 times
Question #37 Topic 4

HOTSPOT -

You have Azure subscriptions named Subscription1 and Subscription2.

Subscription1 has following resource groups:

RG1 includes a web app named App1 in the West Europe location.

Subscription2 contains the following resource groups:

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

Box 1: No -

RG2 is read only. ReadOnly means authorized users can read a resource, but they cannot delete or update the resource.

Box 2: Yes -

Box 3: Yes -

Note:

App Service resources are region-specific and cannot be moved directly across regions. You can move the App Service resource by creating a copy of your existing App Service resource in the target region, then move your content over to the new app. You can then delete the source app and App Service plan.

To make copying your app easier, you can clone an individual App Service app into an App Service plan in another region.

Reference:

https://docs.microsoft.com/en-us/azure/app-service/manage-move-across-regions

https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/move-limitations/app-service-move-limitations

fedztedz Highly Voted 3 years, 2 months ago

Answer is Correct. Yes Yes Yes


- the lock is only affecting the resources itself with edit/delete. Which means If the resource is in a resource group with no lock types then
it is free to move to any other group even if the other group has lock type read only or delete.
However if the resource is a RG with read-only lock , it can NOT be moved. In case of no delete lock , it can be moved.
upvoted 126 times
Gde360 2 years, 6 months ago
N,Y,Y.
The first question was tested on Azure.
Created RG1, RG2. both are in West Europe. RG2 has assigned READ-ONLY lock.
Created web-App name App11223344 (same location as RG1,RG2) in RG1.
Removing App11223344 to RG2 failed.
------------------------------
{"code":"ResourceMovePolicyValidationFailed","message":"Resource move policy validation failed. Please see details. Diagnostic information: request correlation id 'fd5981c2-705b-4966-b438-cd760bd1a13f'.","details":[{"code":"ResourceMovePolicyValidationFailed","target":"Microsoft.Web/Microsoft.Web/sites/App11223344","message":"{\"error\":{\"code\":\"ScopeLocked\",\"message\":\"The scope '/subscriptions/2df00a78-a9c5-4c98-92ef-aa1fbbb50e6f/resourcegroups/RG2/providers/Microsoft.Web/sites/App11223344' cannot perform write operation because following scope(s) are locked: '/subscriptions/2df00a78-a9c5-4c98-92ef-aa1fbbb50e6f/resourceGroups/RG2'. Please remove the lock and try again.\"}}"}]}
upvoted 240 times

pappkarcsiii 2 years ago


Same here, can't move - N, Y, Y.
{"code":"ResourceMovePolicyValidationFailed","message":"Resource move policy validation failed. Please see details. Diagnostic information: subscription id '082877ab-8970-41b0-8ba8-5246ccda0cbe', request correlation id 'eec62f30-ecd6-49b1-995c-e8efc3072e0a'.","details":[{"code":"ResourceMovePolicyValidationFailed","target":"Microsoft.Network/Microsoft.Network/virtualNetworks/test1","message":"{\"error\":{\"code\":\"ScopeLocked\",\"message\":\"The scope '/subscriptions/082877ab-8970-41b0-8ba8-5246ccda0cbe/resourcegroups/pk_test_2/providers/Microsoft.Network/virtualNetworks/test1' cannot perform write operation because following scope(s) are locked: '/subscriptions/082877ab-8970-41b0-8ba8-5246ccda0cbe/resourceGroups/pk_test_2'. Please remove the lock and try again.\"}}"}]}
upvoted 38 times

Asten 1 year, 3 months ago


Correct. I tested it also.
upvoted 11 times

Geezy 3 months, 2 weeks ago


Wrong answer on the first one fedztedz.....I tested it too....Answer is No,Yes,Yes
upvoted 8 times

Mehul078 7 months, 3 weeks ago


Answer is No Yes Yes.

For first box, "when you apply a lock at a parent scope, all resources within that scope inherit the same lock. Even resources you add
later inherit the same parent lock. The most restrictive lock in the inheritance takes precedence."
Link: https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources?tabs=json#lock-inheritance
upvoted 6 times

Slimus 8 months, 1 week ago


I guess 'edit' also includes moving the resource.
upvoted 1 times

mlantonis Highly Voted 2 years, 9 months ago

Correct Answer:

Locks are designed for any update or removal. In this case we want to move only, we are not deleting, and we are not changing anything
in the resource. For this reason, all of them are 'Y'.

Box 1: Yes

Box 2: Yes

Box 3: Yes
upvoted 80 times

sjb666 1 year, 9 months ago


Just tried this in the lab, copying a web app to a ReadOnly locked RG and got the following:
{"code":"ResourceMovePolicyValidationFailed","message":"Resource move policy validation failed. Please see details. Diagnostic information: subscription id 'e37b5b3d-ffdd-48c0-9660-a7beaded46eb', request correlation id '2ff3ba94-5bde-474d-a119-955b8303e2c5'.","details":[{"code":"ResourceMovePolicyValidationFailed","target":"Microsoft.Web/Microsoft.Web/sites/WebApp12345989","message":"{\"error\":{\"code\":\"ScopeLocked\",\"message\":\"The scope '/subscriptions/e37b5b3d-ffdd-48c0-9660-a7beaded46eb/resourcegroups/VM1_group/providers/Microsoft.Web/sites/WebApp12345989' cannot perform write operation because following scope(s) are locked: '/subscriptions/e37b5b3d-ffdd-48c0-9660-a7beaded46eb/resourceGroups/VM1_group'. Please remove the lock and try again.\"}}"}]}
So N,Y,Y.
upvoted 22 times

ik131 7 months, 2 weeks ago


I just tested it, tried to move a resource from a rg without locks to a rg with read-only lock, got the following error: cannot perform
write operation because following scope(s) are locked: ...
Once I deleted the lock from the destination rg I was able to move the resource to that rg.
upvoted 13 times

jasper_pigeon 4 months, 3 weeks ago


guys he commented like 2 year and half ago. there might be some changes on Azure policy
upvoted 1 times

KpiTalisTTT 5 months, 4 weeks ago


even god makes mistakes
upvoted 19 times

Amir1909 Most Recent 2 days, 5 hours ago

No
Yes
Yes
upvoted 1 times

MatAlves 3 weeks, 1 day ago


1. N - "A read-only lock on a resource group prevents you from moving existing resources in or out of the resource group."

2. Y - nothing mentioned about "delete lock" move operations

3. Y - Neither rg1 or rg4 have locks.

https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources?tabs=json
upvoted 1 times

EzBL 1 month, 1 week ago


No, you cannot directly move a web app from one resource group in a subscription to another resource group in a different subscription
RG3 and RG4 are in subscription2 not in subscription1, then App1 cannot be moved to them.
upvoted 1 times

alverdiyev91 1 month, 3 weeks ago


N-Y-Y
A read-only lock on a resource group prevents users from moving any new resource into that resource group.
https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources?tabs=json
upvoted 2 times

sismer 2 months ago


Anyone with a little Azure experience in real-world knows the answer is Y-Y-Y
upvoted 1 times

Trs223333 2 months, 2 weeks ago


N Y Y. Test in lab and RG1 resource cannot be moved to GRG2
upvoted 1 times

hebbo777 2 months, 2 weeks ago


what about others? did you test moving to Rg3 and RG4? those not in same app1 region? i got confused here
upvoted 2 times

Ahkhan 3 months, 1 week ago


Read Lock just gives you Reader role on any resource.

Can a person with Reader role move resources across resource group?

Hence, the answer to first question is N. So it is N,Y,Y.


upvoted 2 times

asaulu 3 months, 2 weeks ago


NYY
A read-only lock on a resource group that contains a virtual machine prevents users from moving the VM out of the resource group.

A read-only lock on a resource group prevents users from moving any new resource into that resource group.
https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources?tabs=json
upvoted 2 times

lexxone 3 months, 3 weeks ago


Just tested in Labs, you cannot move to Locked resource group so answers:
NYY
upvoted 3 times

mtc9 4 months, 2 weeks ago


NYY
Moving into another resource group doesn't move the resource across region. Region of RG and region of resource are independent to each other.
upvoted 2 times
sjsaran 4 months, 3 weeks ago
A read-only lock on a resource group prevents users from moving any new resource into that resource group.
Answer : N Y Y
upvoted 1 times

19_12 5 months ago


https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources?tabs=json "A read-only lock on a resource group prevents users from moving any new resource into that resource group"
upvoted 1 times

oopspruu 6 months ago


Shouldn't it be NNN?
The option is asking to move the App1. You cannot move App1 to RG3 or RG4 because they have different regions. You have to create a
copy in those regions and then move the app data there. That's not the same as moving App1 to the regions.
Answers should be N N N.
upvoted 6 times

mtc9 4 months, 2 weeks ago


Moving to another rg doesn't change the region, RG and resource can have their own regions.
upvoted 1 times

Denis_Raymond 4 months, 2 weeks ago


In my understanding you are not moving to a different region, only to a RG.
upvoted 1 times

MGJG 6 months, 1 week ago


NYY
https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/move-limitations/app-service-move-limitations
upvoted 1 times

marioZuo 6 months, 3 weeks ago


The 3rd question is confusing. What is so-called "move". If copy then delete is a method of "move". Then I can say VM can also "move"
from a VNET to another.
upvoted 2 times
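
The ScopeLocked failures quoted in the comments above carry a second JSON document serialized inside details[].message. The Python below is an added example, not part of the original thread or of any Microsoft tooling: it unpacks that nesting and reports which locked scope blocked the move. The sample error is constructed in the same shape with a placeholder subscription ID, and the function names are hypothetical.

```python
import json
import re

# Constructed sample in the shape of the errors quoted in the comments above.
# SUB is a placeholder subscription ID, not a value taken from the thread.
SUB = "00000000-0000-0000-0000-000000000000"
_INNER = {"error": {"code": "ScopeLocked", "message": (
    f"The scope '/subscriptions/{SUB}/resourcegroups/RG2/providers/"
    "Microsoft.Web/sites/App1' cannot perform write operation because "
    f"following scope(s) are locked: '/subscriptions/{SUB}/resourceGroups/RG2'. "
    "Please remove the lock and try again.")}}
SAMPLE_ERROR = json.dumps({
    "code": "ResourceMovePolicyValidationFailed",
    "message": "Resource move policy validation failed. Please see details.",
    "details": [{
        "code": "ResourceMovePolicyValidationFailed",
        "target": "Microsoft.Web/Microsoft.Web/sites/App1",
        # The per-resource error is itself JSON, serialized into a string.
        "message": json.dumps(_INNER),
    }],
})

# Scopes appear in the message text as single-quoted resource IDs.
_SCOPE_RE = re.compile(r"'(/subscriptions/[^']+)'")


def locked_scopes(raw_error):
    """Return one record per detail entry that failed with ScopeLocked."""
    outer = json.loads(raw_error)
    findings = []
    for detail in outer.get("details", []):
        try:
            inner = json.loads(detail.get("message") or "")
        except json.JSONDecodeError:
            continue  # plain-text detail with no nested error document
        if not isinstance(inner, dict):
            continue
        err = inner.get("error", {})
        if err.get("code") != "ScopeLocked":
            continue
        # Text before "are locked:" names the scope that was refused the
        # write; text after it lists the scope(s) holding the lock.
        before, _, after = err.get("message", "").partition("are locked:")
        blocked = _SCOPE_RE.findall(before)
        findings.append({
            "target": detail.get("target"),
            "blocked_scope": blocked[0] if blocked else None,
            "locked_scopes": _SCOPE_RE.findall(after),
        })
    return findings


def inherited_locks(finding):
    """Locked scopes that are parents of the blocked scope.

    The comparison is case-insensitive because the quoted errors spell the
    same path segment both 'resourcegroups' and 'resourceGroups'.
    """
    blocked = (finding["blocked_scope"] or "").lower()
    return [s for s in finding["locked_scopes"]
            if blocked.startswith(s.lower().rstrip("/") + "/")]


if __name__ == "__main__":
    for f in locked_scopes(SAMPLE_ERROR):
        print(f["target"], "blocked by lock on", inherited_locks(f))
```
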
Question #38 Topic 4

HOTSPOT -

You have an Azure subscription named Subscription1 that contains the following resource group:

✑ Name: RG1
✑ Region: West US
✑ Tag: `tag1`: `value1`

You assign an Azure policy named Policy1 to Subscription1 by using the following configurations:

✑ Exclusions: None
✑ Policy definition: Append a tag and its value to resources
✑ Assignment name: Policy1
✑ Parameters:
✑ Tag name: tag2
✑ Tag value: value2

After Policy1 is assigned, you create a storage account that has the following configuration:

✑ Name: storage1
✑ Location: West US
✑ Resource group: RG1
✑ Tags: `tag3`: `value3`

You need to identify which tags are assigned to each resource.

What should you identify? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

Box 1: "tag1": "value1" only -

Box 2: "tag2": "value2" and "tag3": "value3" only

Tags applied to the resource group are not inherited by the resources in that resource group.

Reference:

https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags
michaelmorar Highly Voted 1 year, 9 months ago

Tag assigned to RG1 - tag1: value1


Tag assigned to storage1: tag2: value2 and tag3: value3

RG1 already exists so does not receive tag2.


According to the documentation:

"Add a tag to resources"

Adds the specified tag and value when any resource missing this tag is created or updated. Existing resources can be remediated by
triggering a remediation task. If the tag exists with a different value it will not be changed. Does not modify tags on resource groups.
upvoted 89 times

ki01 2 months ago


correct answer but incorrect reasoning.
Assigning a policy goes through all the items that might be affected. meaning this new policy would go through resources and check if
they fit the filters to take action on. in this case, RG1 doesnt get anything assigned to it because resource groups are not considered
resources. if the first part was not a resource group but lets say a VM, then the policy would have added (appended) another tag to
already existing one and it would have 1 and 2. in case of the storage account, that is considered a resource so it keeps its own tag 3
and the policy adds tag 2 alongside it
upvoted 2 times

Lazylinux Highly Voted 1 year, 8 months ago

I was not sure til i read the following, i think part important to pay attention to it the "Append a tag and its value to resources" and as per
below

Append a tag and its value to resources Appends the specified tag and value when any resource which is missing this tag is created or
updated. Does not modify the tags of resources created before this policy was applied until those resources are changed. Does not apply
to resource groups. New 'modify' effect policies are available that support remediation of tags on existing resources (see
https://aka.ms/modifydoc).

Ans is
Tag assigned to RG1 - tag1: value1
Tag assigned to storage1: tag2: value2 and tag3: value3

https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/tag-policies
upvoted 24 times

Novia Most Recent 1 month, 2 weeks ago


Tag assigned to RG1 - tag1: value1 and tag2: value2
Tag assigned to storage1: tag2: value2 and tag3: value3
Virtual machines, storage accounts, web apps, databases, and virtual networks are examples of resources. Resource groups,
subscriptions, management groups, and tags are also examples of resources.
https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/overview
upvoted 2 times

NU88 1 month, 2 weeks ago


Correct Answer. This is a really good question. Confusing yet test your real world experience on Tag/Policy.
upvoted 2 times

Indy429 1 month, 3 weeks ago


Correct.

RG is not a resource in itself, so it will only have tag 1. Tag 2 is a policy for resources only, and tag 3 was created for the storage account.

The storage account has tag 2 as per the policy settings, and obviously has tag 3 associated as per the settings on the resource itself.
upvoted 1 times

Indy429 1 month, 3 weeks ago


Also, the storage account does not have tag 1, as tags applied to RGs are not automatically passed down to its resources. You would need to create a separate policy for that.
upvoted 2 times

gachocop3 5 months, 3 weeks ago


answer is correct. confirm it in my lab
upvoted 2 times

oopspruu 6 months ago


As of 17/08/2023, confirmed in Lab.

"Append a tag and its value to resources" does not take effect on Resource Groups, only on Resources. Also, the policy applies on newly
created or updated resources only. The existing resources will stay as is. So given answer is correct.

Created same policy as shown here > Waited 1 Hour > Created new RG > no tags applied from policy. Created Storage Account & VM > tag
from policy applied to both.
upvoted 5 times

raj24051961 7 months, 2 weeks ago


Correct answer:
Tag assigned to RG1 - tag1: value1 and tag2: value2 -> tag2 inherit from the policy
Tag assigned to storage1: tag2: value2 and tag3: value3 -> tag2 inherit from the policy

Inherit tags
Resources don't inherit the tags you apply to a resource group or a subscription.
To apply tags from a subscription or resource group to the resources, see Azure Policies - tags.
https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources
upvoted 3 times

Tomix 7 months, 2 weeks ago


RG1
Tag: tag1: value1
storage1
Tags: tag1: value1, tag3: value3, tag2: value2
upvoted 1 times

NJTH 10 months, 1 week ago


Similar question was on today's exam.
(7th April 2023)
upvoted 9 times

TheUltimateGuru 11 months, 1 week ago


This is 100% the correct answer to this question:
Tag assigned to RG1 - tag1: value1
Tag assigned to storage1: tag1: value1, tag2: value2 and tag3: value3

Storage1 inherits 'tag1: value1' from RG1 also as storage1 was created in this resource group after it's creation and tags are indeed
inherited from the resource group IF created after tags are applied to the resource group.

Slight technicality will catch many people out!


upvoted 2 times

SimonSM178 10 months, 3 weeks ago


that's actually 100% wrong, no documentation states that resources inherit the resource group tag. as a matter of fact, it's the opposite: resources DO NOT inherit the tag of the resource group they belong to.
upvoted 12 times

Trevor_VT 11 months ago


The resources do not inherit tags from the resource groups, so please do not use words like "100% correct", not true.
upvoted 10 times

JYKL88 1 year, 2 months ago


The answer is correct. Need to follow the sequence
upvoted 1 times

awssecuritynewbie 1 year, 4 months ago


The resource group Tag does not pass down to the resources. so Tag1: value 1 will never make it to the storage account.
But the AZURE POLICY set at the SUB level will be passed down to the NEW RESOURCES ONLY. so it will be Tag2: value 2 and Tag 3
upvoted 6 times

LiamAzure 1 year, 3 months ago


"The resource group Tag does not pass down to the resources", why not?
upvoted 1 times

xRiot007 8 months, 2 weeks ago


Because tags are not inherited. If you want a tag applied you need a policy or to run a remediation task
upvoted 1 times

NaoVaz 1 year, 5 months ago


1) Tags assigned to RG1: "'tag1': 'value1' only"
2) Tags assigned to storage1: "'tag2': 'value2' and 'tag3': 'value3' only"

The Resource Group already existed before the Policy was created. And the policy is for resources only not resource groups.

The storage account was created with tag3 and then gets appended the tag2 because the policy.
upvoted 12 times

EmnCours 1 year, 5 months ago


Tag assigned to RG1 - tag1: value1
Tag assigned to storage1: tag2: value2 and tag3: value3
upvoted 4 times

Jdrr 1 year, 5 months ago


New resources created in Subscription1 will receive tag2:value2 from policy. Additional, Storage will get tag3:value3 set on the storage
account itself. RG1 will only have tag1:value1. Confirmed in lab.
upvoted 4 times

franekfranek 1 year, 7 months ago


Resources don't inherit the tags you apply to a resource group or a subscription. To apply tags from a subscription or resource group to
the resources, see Azure Policies - tags.
That's why tags assigned to storage1: tag2: value2 and tag3: value3
upvoted 10 times
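
A simplified model of the behaviour discussed above for the "Append a tag and its value to resources" assignment, given here as an added Python example that is not part of the original question or of Azure Policy itself. The rule dictionary, the treatment of Indexed mode as "skip resource groups", and all function names are assumptions made for illustration; it also covers two cases beyond the question (an update to RG1, and a resource that already carries tag2).

```python
import copy

RG_TYPE = "Microsoft.Resources/subscriptions/resourceGroups"
STORAGE_TYPE = "Microsoft.Storage/storageAccounts"


def make_append_tag_policy(tag_name, tag_value):
    """Rule in the general if/then shape of a policy definition (simplified)."""
    return {
        # Assumption: Indexed mode is modelled as "resource groups are not
        # evaluated", matching the statement in the comments that this
        # policy does not apply to resource groups.
        "mode": "Indexed",
        "if": {"field": f"tags[{tag_name}]", "exists": "false"},
        "then": {
            "effect": "append",
            "details": [{"field": f"tags[{tag_name}]", "value": tag_value}],
        },
    }


def _tag_key(field):
    """'tags[tag2]' -> 'tag2'."""
    if field.startswith("tags[") and field.endswith("]"):
        return field[5:-1]
    raise ValueError(f"unsupported field: {field}")


def in_scope(policy, resource):
    if policy["mode"] == "Indexed":
        return resource["type"] != RG_TYPE
    return True


def condition_matches(policy, resource):
    cond = policy["if"]
    present = _tag_key(cond["field"]) in resource["tags"]
    return present == (cond["exists"] == "true")


def write_resource(resource, policies):
    """Simulate a create or update request passing through assigned policies.

    Append only fires on a write, so anything that is never written after
    the assignment keeps the tags it had before.
    """
    stored = copy.deepcopy(resource)
    for policy in policies:
        if not in_scope(policy, stored):
            continue
        if not condition_matches(policy, stored):
            continue
        if policy["then"]["effect"] == "append":
            for detail in policy["then"]["details"]:
                stored["tags"][_tag_key(detail["field"])] = detail["value"]
    return stored


def scenario():
    """Replay the question: returns (RG1 tags, storage1 tags, preset tags)."""
    policy1 = make_append_tag_policy("tag2", "value2")
    # RG1 existed before the assignment; even an update leaves it unchanged
    # because resource groups are out of scope for this rule.
    rg1 = write_resource(
        {"name": "RG1", "type": RG_TYPE, "tags": {"tag1": "value1"}}, [policy1])
    # storage1 is created after the assignment with its own tag3. It gets
    # tag2 from the policy and nothing from RG1 (tags are not inherited).
    storage1 = write_resource(
        {"name": "storage1", "type": STORAGE_TYPE, "tags": {"tag3": "value3"}},
        [policy1])
    # A resource that already has tag2 with another value is left alone.
    preset = write_resource(
        {"name": "storage2", "type": STORAGE_TYPE, "tags": {"tag2": "other"}},
        [policy1])
    return rg1["tags"], storage1["tags"], preset["tags"]


if __name__ == "__main__":
    for label, tags in zip(("RG1", "storage1", "storage2"), scenario()):
        print(label, tags)
```
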
Question #39 Topic 4

HOTSPOT -

You have an Azure subscription named Subscription1.

In Subscription1, you create an alert rule named Alert1.

The Alert1 action group is configured as shown in the following exhibit.

Alert1 alert criteria triggered every minute.

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

Box 1: 60 -

One alert per minute will trigger one email per minute.

Box 2: 12 -

No more than 1 SMS every 5 minutes can be sent, which equals 12 per hour.

Note: Rate limiting is a suspension of notifications that occurs when too many are sent to a particular phone number, email address or device. Rate limiting ensures that alerts are manageable and actionable.

The rate limit thresholds are:

✑ SMS: No more than 1 SMS every 5 minutes.
✑ Voice: No more than 1 Voice call every 5 minutes.
✑ Email: No more than 100 emails in an hour.
✑ Other actions are not rate limited.

Reference:

https://docs.microsoft.com/en-us/azure/azure-monitor/platform/alerts-rate-limiting

mlantonis Highly Voted 2 years, 9 months ago

Correct Answer:

Box 1: 60
One alert per minute will trigger one email per minute.
Box 2: 12 or 0
-If it’s a typo and it means Alert1, then Answer = 12 (60/5 = 12)
-If it is actually Alert2 then Answer = 0

No more than 1 SMS every 5 minutes can be sent, which equals 12 per hour (60/5 = 12).
Note: Rate limiting is a suspension of notifications that occurs when too many are sent to a particular phone number, email address or
device. Rate limiting ensures that alerts are manageable and actionable.

The rate limit thresholds are:


✑ SMS: No more than 1 SMS every 5 minutes.
✑ Voice: No more than 1 Voice call every 5 minutes.
✑ Email: No more than 100 emails in an hour.
✑ Other actions are not rate limited.

Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/alerts-rate-limiting
upvoted 277 times

  GohanF2 10 months, 2 weeks ago


You are the best at answering the questions.
upvoted 3 times

  Gadzee 2 years ago


Alert 2 should be 0.
upvoted 7 times

  AubinBakana 2 years, 5 months ago


This is so much work you've done for us all. They probably meant alert1 in that next question
upvoted 21 times

  krisbla Highly Voted  2 years, 9 months ago

** Take another look *


BOX 1: 60
BOX 2: Not sure if it's a typo, but it says "Alert2". They do not mention Alert2, only Alert1.
-If they meant Alert1 then Answer = 12
-If they meant Alert2 then Answer = 0
upvoted 23 times

  MatAlves Most Recent  3 weeks, 1 day ago

E-mail: No more than 100 emails every hour for each email address

SMS: In production: No more than one SMS message every five minutes. In a test action group: No more than one SMS every one minute.

https://learn.microsoft.com/en-us/azure/azure-monitor/service-limits
upvoted 1 times

  Kverma7 5 months, 3 weeks ago


This was in Exam 23-08-23
upvoted 4 times

  oopspruu 6 months ago


https://learn.microsoft.com/en-us/azure/azure-monitor/service-limits

This is one of those questions where God knows why MS wants us to remember it. I mean this is something you can easily google while on
job.
upvoted 3 times

  Mehedi007 6 months, 2 weeks ago


Email: 60. "No more than 100 emails every hour for each email address."
SMS: 12 for Alert1, or 0 for Alert2. "In production: No more than one SMS message every five minutes."

https://learn.microsoft.com/en-us/azure/azure-monitor/service-limits#action-groups
upvoted 1 times
  NYTK 6 months, 3 weeks ago
Came in exams 21/7/2023. "60" and "12" were the selected answers.
upvoted 4 times

  JunetGoyal 9 months, 2 weeks ago


Exact same Q came in my exam on 30 April 2023.
A. 60
B. 12
upvoted 3 times

  Hongzu13 1 year ago


This was on the exam today!
upvoted 4 times

  Bigc0ck 1 year, 1 month ago


On the test, answered that SMS part wrong
upvoted 3 times

  Moradiya 1 year, 1 month ago


This came in the exam on 01/04/23
upvoted 5 times

  Lexxsuse 1 year, 1 month ago


Had this question in exam - box 2 mentions ALERT1, so the correct answer is 60/12
upvoted 17 times

  anurag1122 1 year, 1 month ago


damn, this question came in my exam yesterday. I just passed the exam though! but surely my answer for this question was wrong.
upvoted 1 times

  JYKL88 1 year, 2 months ago


The answer should be

Box 1 : 60

Box 2 : 0 (since it's for alert 2)


upvoted 1 times

  jaysonpro 1 year, 4 months ago


I don't get it. It says Alert2, so it should be 0 for the SMS?
upvoted 2 times

  NaoVaz 1 year, 5 months ago


1) The number of email messages that Alert1 will send in an hour is: "60"
2) The number of SMS messages that Alert2 will send in an hour is: "12"

Reference: https://docs.microsoft.com/en-us/azure/azure-monitor/platform/alerts-rate-limiting
upvoted 1 times

  EmnCours 1 year, 5 months ago


Box 1: 60
One alert per minute will trigger one email per minute.

Box 2: 12
No more than 1 SMS every 5 minutes can be sent, which equals 12 per hour.
Note: Rate limiting is a suspension of notifications that occurs when too many are sent to a particular phone number, email address or
device. Rate limiting ensures that alerts are manageable and actionable.
The rate limit thresholds are:
✑ SMS: No more than 1 SMS every 5 minutes.
✑ Voice: No more than 1 Voice call every 5 minutes.
✑ Email: No more than 100 emails in an hour.
✑ Other actions are not rate limited.
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/alerts-rate-limiting
upvoted 2 times
Question #40 Topic 4

You have an Azure subscription named Subscription1 that contains the resources shown in the following table.

You create virtual machines in Subscription1 as shown in the following table.

You plan to use Vault1 for the backup of as many virtual machines as possible.

Which virtual machines can be backed up to Vault1?

A. VM1 only

B. VM3 and VMC only

C. VM1, VM2, VM3, VMA, VMB, and VMC

D. VM1, VM3, VMA, and VMC only

E. VM1 and VM3 only

Correct Answer: D

To create a vault to protect virtual machines, the vault must be in the same region as the virtual machines. If you have virtual machines in several regions, create a Recovery Services vault in each region.

Reference:

https://docs.microsoft.com/bs-cyrl-ba/azure/backup/backup-create-rs-vault

Community vote distribution


D (100%)

  fedztedz Highly Voted  3 years, 2 months ago

Answer is correct. D
The following criteria is important for vault backup, the data source (VM) must be in the same region and subscription. It works with any
resource group or any Operating system. Accordingly the answer is correct.
https://docs.microsoft.com/en-us/azure/backup/backup-azure-arm-vms-prepare
upvoted 110 times

  mlantonis Highly Voted  2 years, 9 months ago

Correct Answer: D

To create a Recovery Services Vault to protect Virtual Machines, the vault must be in the same Region as the Virtual Machines. If you have
Virtual Machines in several Regions, create a Recovery Services Vault in each Region. It works with any resource group or any Operating System.

Reference:
https://docs.microsoft.com/bs-cyrl-ba/azure/backup/backup-create-rs-vault
https://docs.microsoft.com/en-us/azure/backup/backup-azure-arm-vms-prepare
upvoted 101 times

  WeepingMaplte Most Recent  2 months, 1 week ago

Recovery Services vault can only backup on same region and supports any resource groups.
Ans: D
Ref: https://youtu.be/u1Y4EptZqgc?si=kXQ4av-gu8Xk9shx
upvoted 1 times

  Mehedi007 6 months, 2 weeks ago

Selected Answer: D

Answer: D
"For you to create a vault to help protect any data source, the vault must be in the same region as the data source."
https://learn.microsoft.com/en-us/azure/backup/backup-create-recovery-services-vault#create-a-recovery-services-vault
upvoted 1 times

  mythjava 11 months, 3 weeks ago


Answer is D.
All the VMs in the same region and subscription as that of the vault are available to configure backup.
https://learn.microsoft.com/en-us/azure/backup/backup-azure-arm-vms-prepare
upvoted 1 times

  UmbongoDrink 1 year ago


Selected Answer: D

VM1, VM3, VMA, and VMC only


upvoted 1 times

  raym1980 1 year, 1 month ago

Selected Answer: D

Came up in exam today, Answer: D


920/1000
upvoted 6 times

  WinaChang 1 year, 2 months ago


Does anyone know how to access page 20?
The website likely blocks it...
upvoted 2 times

  vg123 11 months, 3 weeks ago


by purchasing contributor plan
upvoted 1 times

  NaoVaz 1 year, 5 months ago

Selected Answer: D

D) " VM1, VM3, VMA, and VMC only "

"Region: Select the geographic region for the vault. For you to create a vault to help protect any data source, the vault must be in the same
region as the data source." - https://docs.microsoft.com/bs-latn-ba/azure/backup/backup-create-rs-vault
upvoted 2 times

  Davin0406 1 year, 5 months ago


So this is the last page of free AZ-104 dump...is there anyone who paid for contributor access? I read some reviews, and they say an error
comes out after payment so I'm worried if it's safe to pay or not:(
upvoted 2 times

  barsharl 5 months ago


There are no issues with paying. I paid and am still studying...
upvoted 1 times

  Davin0406 1 year, 5 months ago


I paid for 1 year contributor access haha Nothing bad happened! I hope to pass the exam this month:)
upvoted 4 times

  EmnCours 1 year, 5 months ago

Selected Answer: D

Correct Answer: D
To create a vault to protect virtual machines, the vault must be in the same region as the virtual machines. If you have virtual machines in
several regions, create a Recovery Services vault in each region.
Reference:
https://docs.microsoft.com/bs-cyrl-ba/azure/backup/backup-create-rs-vault
upvoted 2 times

  Socca 1 year, 6 months ago


The vault must be in the same region as the VMs that you want to back up to this vault, so the correct answer is D
upvoted 1 times

  Raks06 1 year, 6 months ago


Correct, the VM must be in the same region as the Vault.
upvoted 1 times

  M1M31l 1 year, 6 months ago


Answer is correct. D
upvoted 1 times

  tt2tt 1 year, 6 months ago

Selected Answer: D
Correct Answer D
VMs should be in same location with recovery services vault.

This is really sad as it's last available questions from this site on az104. Is there any other site you would recommend?
upvoted 2 times

  nkhan19 1 year, 7 months ago


Selected Answer: D

They could have simply written VM1,VM2,VM3,VM4,VM5 but it seems they're more interested in confusing a candidate than him/her
passing with proper logic.

Some questions seem to be purposefully written in this way.


upvoted 1 times

  knotty25 1 year, 7 months ago


DOES ANYONE HAVE ACCESS TO ALL 250 QUESTIONS? After 150 questions, it says blocked further access.
upvoted 5 times
Question #41 Topic 4

You have an Azure Kubernetes Service (AKS) cluster named AKS1.

You need to configure cluster autoscaler for AKS1.

Which two tools should you use? Each correct answer presents a complete solution.

NOTE: Each correct selection is worth one point.

A. the kubectl command

B. the az aks command

C. the Set-AzVm cmdlet

D. the Azure portal

E. the Set-AzAks cmdlet

Correct Answer: AB

A: The following example uses the kubectl autoscale command to autoscale the number of pods in the azure-vote-front deployment. If average CPU utilization across all pods exceeds 50% of their requested usage, the autoscaler increases the pods up to a maximum of 10 instances. A minimum of 3 instances is then defined for the deployment:

kubectl autoscale deployment azure-vote-front --cpu-percent=50 --min=3 --max=10

B: Use the az aks update command to enable and configure the cluster autoscaler on the node pool for the existing cluster.

Reference:

https://docs.microsoft.com/en-us/azure/aks/tutorial-kubernetes-scale

https://docs.microsoft.com/en-us/azure/aks/cluster-autoscaler

Community vote distribution


BD (68%) AB (28%) 2%

  mlantonis Highly Voted  2 years, 9 months ago

Correct Answer: B and D

We need to configure autoscaler for the AKS cluster. We do not want to scale Kubernetes pods, so kubectl command is not needed.

A: kubectl command is used for configuring Kubernetes and not AKS cluster.
B: The az aks command is used for the AKS cluster configuration.
C: Set-AzVm cmdlet is used for VMs.
D: Azure portal, under node pools, press scale, then choose auto scale.
E: Set-AzAks, creates or updates an AKS cluster, the correct cmdlet is Set-AzAksCluster.

AKS clusters can scale in one of two ways:


- The cluster autoscaler watches for pods that can't be scheduled on nodes because of resource constraints. The cluster then automatically
increases the number of nodes.
- The horizontal pod autoscaler uses the Metrics Server in a Kubernetes cluster to monitor the resource demand of pods. If an application
needs more resources, the number of pods is automatically increased to meet the demand.

Reference:
https://docs.microsoft.com/en-us/azure/aks/cluster-autoscaler
upvoted 205 times

  go4adil 2 weeks, 5 days ago


I also think correct answer should be B & D

because requirement is about cluster autoscaling (nodes) and not pod autoscaling.
upvoted 1 times

  klexams 1 year, 3 months ago


I agreed already but then you pointed out the two ways:
- The cluster autoscaler
- The horizontal pod autoscaler

The 2nd uses kubectl so the answer is A and B.


upvoted 3 times

  Mozbius_ 2 years ago


Thank you for the very clear explanations!!!
upvoted 3 times

  fedztedz Highly Voted  3 years, 2 months ago


The Answer is not correct. The right is B & D.
B is for az aks command , check https://docs.microsoft.com/en-us/azure/aks/cluster-autoscaler
D is for Azure portal. Under node pools, press scale, then choose auto scale.
The Answer A is not correct as it is confusing with Horizontal pod autoscale which is not asked here. The pod autoscale use kubectl.
upvoted 192 times

  jantoniocesargatica 2 years, 9 months ago


There are 2 things to understand:
a) Are we talking about pods?
b) Are we talking about nodes?

The question is regarding how to autoscale the AKS, so it means that we are talking about the nodes. As we are talking how to scale the
nodes:
a) az aks is necessary
b) Then you scale the nodes in the portal.
The correct answers are B & D.

If we want to scale the pods, the options would be kubelet, but it is not the case. We are not talking about the containers, we are
talking about the infrastructure behind this.
upvoted 90 times

  mythjava 11 months, 3 weeks ago


Where is the option about D?
upvoted 1 times

  juniorccs 2 years ago


thanks for the clarification
upvoted 5 times

  diligent176 3 years, 1 month ago


The article does a good job explaining the difference of "cluster autoscaler" and "horizontal pod autoscaler"...
https://docs.microsoft.com/en-us/azure/aks/cluster-autoscaler
FYI also - the PowerShell command that can do this same task is "Set-AzAksCluster" (not Set-AzAks). B and D it is!
upvoted 14 times

  marcellov 2 years, 9 months ago


To corroborate with your answer, kubectl autoscale "creates an autoscaler that automatically chooses and sets the number of pods that
run in a kubernetes cluster":

https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#autoscale

According to Microsoft, this is a Horizontal pod autoscale, not a Cluster autoscale:

https://docs.microsoft.com/en-us/azure/aks/cluster-autoscaler#about-the-cluster-autoscaler
upvoted 5 times

  jantoniocesargatica 2 years, 9 months ago


But we are not talking about the pods, we are talking about the nodes, so it is B and D. Think that this service is managed by Azure,
and they will not allow you to do this by yourself, and this is the reason why you must choose the portal.
upvoted 5 times

  Hibs2016 3 years, 2 months ago


Do you have any links for doing the scaling in the portal?
upvoted 4 times

  SkyZeroZx Most Recent  1 month, 1 week ago

Selected Answer: BD

The Answer is not correct. The right is B & D.


B is for az aks command , check https://docs.microsoft.com/en-us/azure/aks/cluster-autoscaler
D is for Azure portal. Under node pools, press scale, then choose auto scale.
upvoted 1 times

  Rednevi 4 months, 2 weeks ago

Selected Answer: BD

A. the kubectl command: kubectl is a command-line tool used for interacting with Kubernetes clusters, including managing deployments
and pods within a cluster. However, it is not used to configure cluster-level settings like autoscaling.

C. the Set-AzVm cmdlet: Set-AzVm is a PowerShell cmdlet used to manage Azure virtual machines (VMs), not AKS clusters or their
autoscaling configurations.

E. the Set-AzAks cmdlet: While the Set-AzAks cmdlet is used for managing AKS clusters in PowerShell, it is not specifically used for
configuring cluster autoscaler. Cluster autoscaler configuration typically involves different commands or settings, and it's not part of the
core Set-AzAks functionality.

To configure cluster autoscaler for AKS, you primarily use the Azure CLI (az) or the Azure portal, as these tools are specifically designed for
managing AKS cluster-level settings and configurations.
upvoted 5 times

  raj_raj22 5 months, 2 weeks ago


A and B are the right answer for this .
https://learn.microsoft.com/en-us/azure/aks/cluster-autoscaler
upvoted 2 times

  QaisFM 5 months, 4 weeks ago


Correct : AB
The cluster autoscaler is a Kubernetes component. Although the AKS cluster uses a virtual machine scale set for the nodes, don't manually
enable or edit settings for scale set autoscale in the Azure portal or using the Azure CLI. Let the Kubernetes cluster autoscaler manage the
required scale settings.
https://learn.microsoft.com/en-us/azure/aks/cluster-autoscaler
upvoted 1 times

  nahfam123 3 months ago


You are wrong, A and B are not correct tools to configure cluster autoscaler for AKS1.
The kubectl command is a tool that allows you to run commands against Kubernetes clusters. You can use the kubectl command to
deploy applications, inspect and manage cluster resources, or view logs. However, you cannot use the kubectl command to enable or
disable cluster autoscaler for an AKS cluster, as this is a feature that is managed by Azure, not by Kubernetes. You need to use the
Azure CLI or the Azure portal to configure cluster autoscaler for an AKS cluster .

The az aks command is a correct tool to configure cluster autoscaler for AKS1, as explained in the previous answer. However, you need
to use another tool in addition to the az aks command, such as the Azure portal. Therefore, A and B are not a complete solution.
upvoted 1 times

  MGJG 6 months, 1 week ago


Selected Answer: BD

OpenAI: To configure cluster autoscaler for an Azure Kubernetes Service (AKS) cluster (AKS1), you can use the following tools:

B. the az aks command: You can use the Azure Command-Line Interface (CLI) command az aks update to configure the cluster autoscaler
for an AKS cluster. This command allows you to enable or disable the cluster autoscaler and set parameters like minimum and maximum
node counts.

D. the Azure portal: You can also configure the cluster autoscaler for AKS using the Azure portal. Navigate to your AKS cluster in the Azure
portal, go to the "Node pools" section, and then configure the autoscaler settings for the specific node pool.

The other options (A, C, and E) are not the primary tools used to configure cluster autoscaler for AKS.
upvoted 1 times

  Teroristo 6 months, 3 weeks ago


Answer:AB
Explanation:
A: The following example uses the kubectl autoscale command to autoscale the number of pods in the azure-vote-front deployment. If
average CPU utilization across all pods exceeds 50% of their requested usage, the autoscaler increases the pods up to a maximum of 10
instances. A minimum of 3 instances is then defined for the deployment:
kubectl autoscale deployment azure-vote-front --cpu-percent=50 --min=3 --max=10
B: Use the az aks update command to enable and configure the cluster autoscaler on the nodepool for the existing cluster.
upvoted 2 times

  NYTK 6 months, 3 weeks ago


Came in exams 21/7/2023
upvoted 2 times

  Josete1106 6 months, 4 weeks ago


BD is correct!
upvoted 2 times

  raj24051961 7 months, 2 weeks ago


Answer: A and B
Autoscale pods using kubectl autoscale
example:
kubectl autoscale deployment azure-vote-front --cpu-percent=50 --min=3 --max=10
https://learn.microsoft.com/en-us/azure/aks/tutorial-kubernetes-scale?tabs=azure-cli
upvoted 2 times

  Tomix 7 months, 2 weeks ago


A. the kubectl command
B. the az aks command

Explanation:

The kubectl command is a command-line tool used to interact with Kubernetes clusters. It allows you to manage and configure various
aspects of your AKS cluster, including enabling the cluster autoscaler. You can use kubectl to apply the necessary configuration changes to
enable the autoscaler.

The az aks command is a command-line tool provided by the Azure CLI (Command-Line Interface). It specifically deals with managing
Azure Kubernetes Service (AKS) resources. Using the az aks command, you can enable the cluster autoscaler by modifying the AKS
cluster's properties.
upvoted 2 times
  JunetGoyal 9 months, 2 weeks ago
Exact same Q came in my exam on 30 April 2023. I chose A, B.
I was not sure between A, D. haahaahh
upvoted 7 times

  zzreflexzz 9 months, 2 weeks ago


on exam 4/29/23
upvoted 3 times

  Exilic 10 months ago


Selected Answer: BE

ChatGPT response:

The two tools you should use to configure cluster autoscaler for AKS1 are:

B. the az aks command, which provides a command-line interface for managing AKS clusters, including the ability to enable and configure
cluster autoscaler.

E. the Set-AzAks cmdlet, which is a PowerShell cmdlet for managing AKS clusters. It can be used to enable and configure cluster
autoscaler.

Therefore, options B and E are correct. Options A, C, and D are not required for this task.

"follow up question"
Will the answer be the same if I need to configure autoscaler for the AKS cluster. I do not want to scale Kubernetes pods

Yes, the answer would still be the same.

Configuring cluster autoscaler for an AKS cluster is independent of scaling Kubernetes pods. The purpose of cluster autoscaler is to
automatically adjust the size of the AKS cluster based on the resource demands of the workloads running on it, while scaling Kubernetes
pods involves adjusting the number of replicas for a specific deployment or replica set.

Therefore, to configure cluster autoscaler for an AKS cluster, you would still need to use the az aks command and the Set-AzAks cmdlet.
upvoted 1 times

  garmatey 8 months, 2 weeks ago


be more critical of chatgpt's answers....
upvoted 1 times

  mythjava 11 months, 3 weeks ago

Selected Answer: BD

B,D is correct, A,C,E is not.


upvoted 1 times

  UmbongoDrink 1 year ago


Selected Answer: BD

We need to configure autoscaler for the AKS cluster. We do not want to scale Kubernetes pods, so kubectl command is not needed.

Use Portal under Node Pools


upvoted 2 times
Question #42 Topic 4

You create the following resources in an Azure subscription:

✑ An Azure Container Registry instance named Registry1
✑ An Azure Kubernetes Service (AKS) cluster named Cluster1

You create a container image named App1 on your administrative workstation.

You need to deploy App1 to Cluster1.

What should you do first?

A. Run the docker push command.

B. Create an App Service plan.

C. Run the az acr build command.

D. Run the az aks create command.

Correct Answer: C

You should sign in and push a container image to Container Registry.

Run the az acr build command to build and push the container image.

az acr build \
    --image contoso-website \
    --registry $ACR_NAME \
    --file Dockerfile .

Reference:

https://docs.microsoft.com/en-us/learn/modules/aks-deploy-container-app/5-exercise-deploy-app

Community vote distribution


A (77%) C (23%)

  VANSI Highly Voted  2 years, 9 months ago

I had this same question in the exam (passed) and it did not have option C.
So I chose the Docker push.
upvoted 160 times

  fedztedz Highly Voted  3 years, 2 months ago


Answer is Correct . C.
The question has a lot of missing steps.
If we go with Answer A. then we need the following:
- Make sure that ACR is integrated to AKS.
- docker tag has been run with the right ACR.
- docker push
- create kubectl apply with the right deployment and right ACR.
In case we go with Answer C.
- No need for docker push or tag.
- still need to make sure that ACR is integrated to AKS.
- then run kubectl apply
upvoted 89 times

  T0SHI 11 months, 2 weeks ago


C. Run the az acr build command.

ACR tasks automatically push successfully built images to your registry by default, allowing you to deploy them from your registry
immediately.

Microsoft exam - Microsoft documentation ... If you are in doubt go to:


https://learn.microsoft.com/en-us/azure/container-registry/container-registry-tutorial-quick-task#deploy-to-azure-container-instances
upvoted 3 times

  jeru81 Most Recent  1 week ago

Selected Answer: A

how weird is that?


in explanation it is written in first sentence:
You should sign in and push a container image to Container Registry...
and answer is C? - What am I missing here?
upvoted 1 times

  vsvaid 2 weeks, 1 day ago


Selected Answer: C

It is az acr command. It will create and push the image to container registry.
upvoted 1 times

  FTCaR 2 months ago


I hate how they made me create an account just to be like "Buy it now"
upvoted 2 times

  93d821b 2 months, 1 week ago


az aks command builds the autoscaler
You can also do this in azure portal. (https://learn.microsoft.com/en-us/azure/aks/cluster-autoscaler?tabs=azure-portal)
Kubectl MANAGES already existing things

https://learn.microsoft.com/en-us/answers/questions/1198828/kubectl-vs-azure-cli?cid=kerryherger

upvoted 1 times

  SgtDumitru 2 months, 2 weeks ago


If `az acr` is in the options, choose it. If not, choose `docker push`.
upvoted 2 times

  hebbo777 2 months, 1 week ago


You mean az acr first, then docker push
upvoted 1 times

  Vestibal 4 months, 3 weeks ago

Selected Answer: A

https://learn.microsoft.com/en-us/azure/container-registry/container-registry-get-started-docker-cli?tabs=azure-cli
upvoted 2 times

  rikininetysix 4 months, 3 weeks ago

Selected Answer: C

To deploy the container image named App1 to your Azure Kubernetes Service (AKS) cluster named Cluster1, you should first run the az acr
build command. This command builds a container image in Azure Container Registry (ACR) from the source code located on your
administrative workstation. It also uploads the image to ACR, making it available for deployment to your AKS cluster.
upvoted 1 times

  Rednevi 4 months, 2 weeks ago


Building vs. Pushing: The az acr build command is used for the initial step of building a container image, which involves compiling
source code, creating a Docker image from it, and then pushing it to an Azure Container Registry. In the scenario described, the
container image (App1) is already built on your administrative workstation. Therefore, you do not need to build it again using az acr
build.
upvoted 9 times

  raj_raj22 5 months, 2 weeks ago


Answer C is correct. As per the Azure document, it says "ACR tasks automatically push successfully built images to your registry by default,
allowing you to deploy them from your registry immediately."
upvoted 1 times

  MGJG 6 months, 1 week ago

Selected Answer: A

To deploy the container image to the Azure Kubernetes Service (AKS) cluster, you need to perform the following steps:

A. Run the docker push command: This option is the correct choice. Before deploying a container image to AKS, you need to push the
image to a container registry (in this case, Registry1). The docker push command is used to upload the container image to the Azure
Container Registry (ACR) so that it can be accessed by the AKS cluster.

The correct sequence of steps would be:

Build the container image for App1 on your administrative workstation.


Tag the image with the ACR repository information (e.g., Registry1.azurecr.io/App1).
Run docker push to upload the image to ACR.
Configure AKS to use the image from the ACR repository.
Create Kubernetes deployment and service definitions for App1 on AKS.
upvoted 4 times

  RickySmith 6 months, 1 week ago

Selected Answer: C

This is indeed a tricky one.


I reviewed
C - https://learn.microsoft.com/en-us/azure/container-registry/container-registry-tutorial-quick-task#deploy-to-azure-container-instances
A - https://learn.microsoft.com/en-us/azure/container-registry/container-registry-quickstart-task-cli#build-and-push-image-from-a-dockerfile
A references C, so C is correct, but in the absence of C, A is the next best one.
upvoted 1 times

  josola 3 months ago


But the image is already built, so you don't need "C" you just need to push your image.
upvoted 3 times

  Teroristo 6 months, 3 weeks ago


Answer is Run the az acr build command.

az acr build will build and push the image at the same time. Queues a quick build, providing streaming logs for an Azure Container
Registry.

docker build/push will do the same thing, but you will have to configure docker to login to the container registry.

If we go with Answer A, then we need the following:


- Make sure that ACR is integrated to AKS.
- docker tag has been run with the right ACR.
- docker push
- create kubectl apply with the right deployment and right ACR.

In case we go with Answer C.


- No need for docker push or tag.
- still need to make sure that ACR is integrated to AKS.
- then run kubectl apply

Note: If answer C is missing from the exam, then select A.

Reference:
https://docs.microsoft.com/en-us/learn/modules/aks-deploy-container-app/5-exercise-deploy-app
upvoted 1 times

  josola 3 months ago


But the image is already built, so you don't need "C" you just need to push your image.
upvoted 2 times

  Tomix 7 months, 2 weeks ago


To deploy App1 to Cluster1 in Azure Kubernetes Service (AKS), the first step you should take is to push the container image to the Azure
Container Registry (ACR) instance named Registry1. This can be accomplished by running the docker push command. Therefore, the
correct option is:

A. Run the docker push command.


upvoted 2 times

  RandomNickname 8 months ago

Selected Answer: A

From what I can understand from the MS url's below

It's probably not C as the image is already created, since that looks to be create and auto push.

https://learn.microsoft.com/en-us/azure/container-registry/container-registry-tutorial-quick-task

But seem to be A, docker push, locate tag, then push;

https://learn.microsoft.com/en-us/azure/container-instances/container-instances-tutorial-prepare-acr
upvoted 1 times

  djgodzilla 10 months, 3 weeks ago


Selected Answer: C

C for questions that include the option. Some don't have the C option, hence choose A: push
1. Create a new container registry
$ az acr create --resource-group $RG ..
2. create a dockerfile inside directory
echo "FROM hello-world" > Dockerfile
3. Build an Image and Push to ACR
run below command using the newly created Dockerfile
$ az acr build --image sample/hello-world:v1 --registry acrbuildcontainer11 --file Dockerfile .
- View the newly created container registry with the sample/hello-world repository.
Go to container registry>acrbuildcontainer11 >Services: Repositories>sample/hello/world > click v1
upvoted 3 times

  djgodzilla 10 months, 3 weeks ago


In this specific case, the container image already exists, hence it might not need to be rebuilt and pushed using az acr build.
1. login to ACR registry
$ docker login $registryServer.azurecr.io --username UserDemo
2. Tag our container image:
$ docker tag containerdemo $registryServer.azurecr.io/Myimages/containerdemo/latest
3. Push image
$ docker push $registryServer.azurecr.io/Myimages/containerdemo/latest
📍 Check Repo: go To Container registry> Repositories
Check Myimages/containerdemo subfolder
upvoted 1 times

  Spooky7 10 months, 3 weeks ago


But the docker image is built on your workstation machine. It isn't registered in ACR yet.
upvoted 2 times

  fishbonemsk 11 months, 1 week ago


Selected Answer: A

OpenAI answer:

To deploy App1 to Cluster1, you should first push the container image to the Azure Container Registry instance named Registry1.

Therefore, the correct answer is A. Run the docker push command.

The other answers are wrong because:

B. Creating an App Service plan is used for hosting web apps, not for deploying containerized applications to AKS.

C. Running the az acr build command is used to build and push a Docker container image to an Azure Container Registry (ACR), but in this
case, the container image has already been built, so it only needs to be pushed to the ACR.

D. Running the az aks create command is used to create a new AKS cluster, not to deploy a container image to an existing cluster.
upvoted 10 times

  Andy_S 8 months, 3 weeks ago


You are not able to deploy image from LOCAL (administrative) workstation.
upvoted 1 times
Question #43 Topic 4

You have an Azure subscription that contains the resources shown in the following table.

You need to configure a proximity placement group for VMSS1.

Which proximity placement groups should you use?

A. Proximity2 only

B. Proximity1, Proximity2, and Proximity3

C. Proximity1 only

D. Proximity1 and Proximity3 only

Correct Answer: A

Resource Group location of VMSS1 is the RG2 location, which is West US.

Only Proximity2, which is also in RG2, is located in West US.

Reference:

https://azure.microsoft.com/en-us/blog/introducing-proximity-placement-groups/

Community vote distribution


A (88%) 13%

  mlantonis Highly Voted  2 years, 9 months ago

Correct Answer: A

Placement Groups is a capability to achieve co-location of your Azure Infrastructure as a Service (IaaS) resources and low network latency
among them, for improved application performance.

Azure proximity placement groups represent a new logical grouping capability for your Azure Virtual Machines, which in turn is used as a
deployment constraint when selecting where to place your virtual machines. In fact, when you assign your virtual machines to a proximity
placement group, the virtual machines are placed in the same data center, resulting in lower and deterministic latency for your
applications.

The VMSS should share the same region, even it should be the same zone as proximity groups are located in the same data center.
Accordingly, it should be proximity 2 only.

Reference:

https://azure.microsoft.com/en-us/blog/introducing-proximity-placement-groups
upvoted 117 times

  Throwitawaynow Highly Voted  3 years, 2 months ago

This should be proximity 1 only, proximity 2 is not in the same region as the VMSS
upvoted 41 times

  maloumba87 1 year, 10 months ago


Proximity 2 is in the same region as the VMSS
upvoted 2 times

  Ashfarqk 2 years, 8 months ago


Did you understand the table properly???
Proximity 01 is in Central US
upvoted 8 times

  Kiano 2 years, 8 months ago


They have changed the question and the table since the comment has been made. Basically the proximity group and the VMSS1
should be in the same region.
upvoted 37 times

  AubinBakana 2 years, 5 months ago


Hahaha
upvoted 6 times

  NarenderSingh 2 years, 4 months ago


It should be Proximity 2 only as its in the same region.
upvoted 3 times

  Azused Most Recent  1 month, 3 weeks ago


When I tried to add the VM or VMSS to the proximity placement group, it shows "You must select a group in region" "same as VM/VMSS
region". Then that means it should be Proximity2 only, right?
upvoted 1 times

  Sai_468 1 month, 1 week ago


Yes, options seem to be tweaked.
upvoted 1 times

  Babustest 4 months, 1 week ago


The Internet says the difficulty level of AZ-104 is intermediate? Who in their right mind can say that? Or am I getting too old for this?

- On an average, it takes around 5 mins per question for ET. This includes, answering and going through all discussions and sometimes
test it. So, for 540 questions ET itself will take around 50 hours.

- MS learning is around 20 hours, but in reality it will also take around 50 hours, if you have the habit of taking notes like me.

- If you wish to go for some additional training, example like Pluralsight like I did, it adds another 40 hours.

Each of the above training materials covers a lot of non-overlapping material. So imagine, the humongous amount of data that you need
to memorize which you learned through these trainings across the vast syllabus.
upvoted 2 times

  profesorklaus 3 months, 3 weeks ago


Completely agree with you. I got stuck and thought it was a 2-month job. Working on this for more than 5
upvoted 1 times

  manasa_3011 4 months ago


I agree! For completing this course, you will need a minimum of 6 months.
upvoted 1 times

  Xx_Emperor_xX 4 months, 1 week ago


Can someone with contributor access please mail the dumps on my mail : risingrex13@gmail.com, please this is urgent I need to give
exam on 8th oct!!!!
Thank you in advance
upvoted 1 times

  Jessica_az 6 months, 2 weeks ago


On the exam (31/07/23 )
upvoted 3 times

  Kr1s 6 months, 2 weeks ago


This question was in exam on 29th July 2023
upvoted 2 times

  saim18 7 months, 2 weeks ago


Is proximity group in the syllabus
upvoted 1 times

  itguyeu 7 months, 3 weeks ago


I used free version access for this site and it helped me pass the exam. Some questions that I had on the exams, I took the exam more
than once, are not available under the free tier access, but 80% of the questions came from here. I do recommend investing a bit of
money and getting full access to this site. I didn't memorise answers but analysed them and studied as Microsoft does tweak them a bit.

This Q was on the exam.


upvoted 1 times

  NJTH 10 months, 1 week ago


Similar question was on today's exam.
(7th April 2023)
upvoted 1 times

  AzZnLuVaBoI 10 months, 3 weeks ago


On the Exam 3/29/23.
upvoted 3 times

  Tinez 10 months, 2 weeks ago


which one was the correct answer ?
upvoted 1 times

  Bigc0ck 1 year, 1 month ago


proximity questions were definitely on 2nd test
upvoted 3 times

  kenneth12 1 year, 2 months ago


Selected Answer: A

Correct Answer is A
upvoted 1 times

  majerly 1 year, 4 months ago


Today in exam, the key is region for vmss,
upvoted 3 times

  awssecuritynewbie 1 year, 4 months ago


Selected Answer: A

A - as the group is in the same region,


upvoted 1 times

  EmnCours 1 year, 5 months ago


Correct Answer : A
upvoted 1 times

  Lazylinux 1 year, 8 months ago

Selected Answer: A

Answer is correct and so is explanation


upvoted 1 times
Question #44 Topic 4

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an Azure subscription named Subscription1. Subscription1 contains a resource group named RG1. RG1 contains resources that were deployed by using templates.

You need to view the date and time when the resources were created in RG1.

Solution: From the Subscriptions blade, you select the subscription, and then click Resource providers.

Does this meet the goal?

A. Yes

B. No

Correct Answer: B

Community vote distribution


B (100%)

  mlantonis Highly Voted  2 years, 9 months ago

Correct Answer: B - No

From the RG1 blade, click Deployments. You see a history of deployment for the resource group.

Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/template-tutorial-create-first-template?tabs=azure-powershell
upvoted 57 times

  Wizard69 Highly Voted  2 years, 11 months ago


I agree, you should look at the Deployments under the Resource Group
upvoted 16 times

  EmnCours Most Recent  1 year, 5 months ago

Selected Answer: B

Correct Answer: B
upvoted 2 times

  minix 1 year, 7 months ago


came in today's exam 25/6/2022
upvoted 1 times

  Lazylinux 1 year, 8 months ago

Selected Answer: B

I Luv Honey because it is B,


Can be viewed via RG Blade => deployment
upvoted 1 times

  manalshowaei 1 year, 8 months ago


Selected Answer: B

B. No <
upvoted 1 times

  Olram 1 year, 9 months ago


Passed today. this is part of the exam. 4/23/22
upvoted 1 times

  ajayasa 1 year, 11 months ago


similar question was there on 16/03/2022 with same question and passed with 900 percent
upvoted 1 times

  N4d114 2 years ago


The correct answer is B - No.

To check the date and time when RG1 was created, you have to go to the RG1 resource, go to Settings and click Deployment.
upvoted 1 times
  deltarj 2 years ago
Q41, 51, 52 & 53 [remember: RG1 blade-->deployment]
upvoted 3 times

  AbhiYad 2 years, 1 month ago

Selected Answer: B

From the RG1 blade, click Deployments. You see a history of deployment for the resource group.
upvoted 2 times

  Thanishn 2 years, 9 months ago


From the RG1 blade, click Deployments. You see a history of deployment for the resource group.
upvoted 1 times

  nikhilmehra 2 years, 9 months ago


deployments
upvoted 2 times

  ZUMY 2 years, 11 months ago


NO > RG1 -> Deployment
upvoted 2 times

  I 2 years, 11 months ago


RG1->Deployments
upvoted 3 times

  wendysgp 3 years, 1 month ago


to check go to deployments under GROUP
upvoted 2 times

  fedztedz 3 years, 2 months ago


Answer is correct . NO (B)
to check go to deployments under subscription
upvoted 5 times

  LexusNX425 2 years, 10 months ago


Or just go to deployments under RG1
upvoted 1 times
Question #45 Topic 4

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an Azure subscription named Subscription1. Subscription1 contains a resource group named RG1. RG1 contains resources that were deployed by using templates.

You need to view the date and time when the resources were created in RG1.

Solution: From the RG1 blade, you click Automation script.

Does this meet the goal?

A. Yes

B. No

Correct Answer: B

From the RG1 blade, click Deployments. You see a history of deployment for the resource group.

Reference:

https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/template-tutorial-create-first-template?tabs=azure-powershell

Community vote distribution


B (100%)

  mlantonis Highly Voted  2 years, 9 months ago

Correct Answer: B - No

From the RG1 blade, click Deployments. You see a history of deployment for the resource group.

Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/template-tutorial-create-first-template?tabs=azure-powershell
upvoted 38 times

  fedztedz Highly Voted  3 years, 2 months ago


correct. Programmatic deployment are used for API/CLI
upvoted 15 times

  RDIO Most Recent  9 months, 3 weeks ago

Selected Answer: B

It's "Deployments" on RG blade


upvoted 2 times

  _fkucuk 10 months ago

Selected Answer: B

From the RG1 blade, click Deployments.


upvoted 1 times

  EmnCours 1 year, 5 months ago

Selected Answer: B

Correct Answer: B
upvoted 1 times

  minix 1 year, 7 months ago


came in today's exam 25/6/2022
upvoted 2 times

  Lazylinux 1 year, 8 months ago

Selected Answer: B

I Luv Honey because it is B


From RG Blade => deployment
upvoted 1 times

  manalshowaei 1 year, 8 months ago

Selected Answer: B

>B. No
upvoted 1 times
  ajayasa 1 year, 11 months ago
similar question was there on 16/03/2022 with same question and passed with 900 percent
upvoted 1 times

  AubinBakana 2 years, 5 months ago


There's not even an automatic script blade in RGs. Not that I am aware of
upvoted 1 times

  Ant0ny 2 years, 11 months ago


Correct, tested and confirmed
upvoted 1 times

  Sandroal29 2 years, 11 months ago


The provided answer is correct.
upvoted 1 times

  ZUMY 2 years, 11 months ago


B. No - Bcoz it's under RG1 blade Settings ->Deployment
upvoted 2 times

  toniiv 2 years, 12 months ago


B. is correct. On Deployment blade you will find this information
upvoted 1 times

  TheOne1 3 years ago


Correct.
upvoted 2 times

  NickyDee 3 years, 1 month ago


RG1 > Deployments
upvoted 10 times
Question #46 Topic 4

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an Azure subscription named Subscription1. Subscription1 contains a resource group named RG1. RG1 contains resources that were deployed by using templates.

You need to view the date and time when the resources were created in RG1.

Solution: From the RG1 blade, you click Deployments.

Does this meet the goal?

A. Yes

B. No

Correct Answer: A

From the RG1 blade, click Deployments. You see a history of deployment for the resource group.

Reference:

https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/template-tutorial-create-first-template?tabs=azure-powershell

Community vote distribution


A (100%)

  mlantonis Highly Voted  2 years, 9 months ago

Correct Answer: A - Yes

From the RG1 blade, click Deployments. You see a history of deployment for the resource group.

Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/template-tutorial-create-first-template?tabs=azure-powershell
upvoted 42 times

  fedztedz Highly Voted  3 years, 2 months ago


correct
upvoted 28 times

  BJS_AzureExamTopics Most Recent  6 months, 3 weeks ago


I will respectfully disagree on A. Answer is B. You don't actually CLICK on deployments. From the reference:

You can verify the deployment by exploring the resource group from the Azure portal.

1. Sign in to the Azure portal.

2. From the left menu, select Resource Groups.

3. Check the box to the left of myResourceGroup and select myResourceGroup.

You will then see all Deployments and their status as a result of selecting myResourceGroup. NOT clicking Deployments. It's already listed.
upvoted 1 times

  petrisorpaul 1 year, 1 month ago


Selected Answer: A

A. correct
upvoted 2 times

  sujidurga 1 year, 4 months ago


successfully achieved with 950 marks. Thanks mlantonis and fedztedz... Appreciate your continuous support
upvoted 4 times

  charf94 1 year, 4 months ago

Selected Answer: A

A. correct
upvoted 1 times

  EmnCours 1 year, 5 months ago

Selected Answer: A

Correct Answer: A
upvoted 1 times

  Lazylinux 1 year, 8 months ago

Selected Answer: A

yep correct way


upvoted 1 times

  manalshowaei 1 year, 8 months ago

Selected Answer: A

A. Yes
upvoted 1 times

  ajayasa 1 year, 11 months ago


similar question was there on 16/03/2022 with same question and passed with 900 percent
upvoted 2 times

  zr79 1 year, 11 months ago


I see why they do not allow you to review a question after. makes sense with their options
upvoted 1 times

  deltarj 2 years ago


I love these "clustered" questions, like these FOUR: 41, 51, 52 & 53 (remember the only positive ans: RG1 blade - Deployments)
Thanx mlantonis and fedztedz
upvoted 5 times

  MarxMazd 2 years, 7 months ago


There are multiple repeats of same question in previous 25 pages.
upvoted 4 times

  oriduri 2 years, 9 months ago


A is correct
upvoted 2 times

  Danny1 2 years, 10 months ago


This question came in the exam, all three versions of this..!! Best of luck
upvoted 6 times

  mg 2 years, 11 months ago


Correct
upvoted 2 times

  ZUMY 2 years, 11 months ago


Correct answer
upvoted 1 times
Question #47 Topic 4

You have an Azure subscription named Subscription1.

You deploy a Linux virtual machine named VM1 to Subscription1.

You need to monitor the metrics and the logs of VM1.

What should you use?

A. Azure HDInsight

B. Linux Diagnostic Extension (LAD) 3.0

C. the AzurePerformanceDiagnostics extension

D. Azure Analysis Services

Correct Answer: B

The Linux Diagnostic Extension should be used; it downloads the Diagnostic Extension (LAD) agent onto the Linux server.

Reference:

https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/diagnostics-linux

Community vote distribution


B (89%) 11%

  mlantonis Highly Voted  2 years, 9 months ago

Correct Answer: B

The Linux diagnostic extension helps a user monitor the health of a Linux VM running on Microsoft Azure. It has the following collection
and capabilities:
- Metrics
- Syslog
- Files

A: Azure HDInsight is a managed, full-spectrum, open-source analytics service in the cloud for enterprises. You can use open-source
frameworks such as Hadoop, Apache Spark, Apache Hive, LLAP, Apache Kafka, Apache Storm, R, and more.

C: Azure Performance Diagnostics VM Extension is used for Windows VM only.

D: Azure Analysis Services is a fully managed platform as a service (PaaS) that provides enterprise-grade data models in the cloud.
upvoted 124 times

  fedztedz Highly Voted  3 years, 2 months ago

Not correct. Answer is B. It is a Linux server; accordingly, the Linux Diagnostic Extension should be used, which downloads the Diagnostic Extension
(LAD) agent on the Linux server.
upvoted 106 times

  RRRSSS 2 years, 7 months ago


Cool, but probably there is a trick with LAD version?
Question refers to LAD 3.0, However this article refers to v 4.0 version.
https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/diagnostics-linux?tabs=azcli
upvoted 2 times

  jimmyli 2 years, 6 months ago


no. It's actually in the link you provided, "Important
For information about version 3.x, see Use the Linux diagnostic extension 3.0 to monitor metrics and logs. For information about
version 2.3 and earlier, see Monitor the performance and diagnostic data of a Linux VM."
so LAD version doesn't matter.
B is the right answer!
upvoted 4 times

  Sanin 2 years, 9 months ago


https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/diagnostics-linux?tabs=azcli
upvoted 5 times

  Mazinger Most Recent  12 months ago

Selected Answer: B

To monitor the metrics and logs of a Linux virtual machine in Azure, you can use the Linux Diagnostic Extension (LAD) 3.0. Therefore, the
correct answer is:

B. Linux Diagnostic Extension (LAD) 3.0

LAD is a solution provided by Microsoft to collect diagnostic data, logs, and metrics from Linux virtual machines running in Azure. LAD can
be used to monitor key performance indicators (KPIs) such as CPU, memory, and disk usage, as well as collect system logs and custom
logs.

Option A, Azure HDInsight, is a cloud-based service that provides Apache Hadoop and Spark clusters for big data processing. Option C, the
AzurePerformanceDiagnostics extension, is not a valid Azure service or feature. Option D, Azure Analysis Services, is a PaaS offering that
provides enterprise-grade analytics and BI services in the cloud. It is not designed for monitoring Linux virtual machines.
upvoted 3 times

  kenneth12 1 year, 2 months ago


Selected Answer: B

Correct Answer is B
upvoted 1 times

  EmnCours 1 year, 5 months ago


Selected Answer: B

https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/diagnostics-linux?tabs=azcli#supported-linux-distributions
upvoted 1 times

  NotMeAnyWay 1 year, 7 months ago


Selected Answer: B

Answer B: Here's why...

Some of the features in "the AzurePerformanceDiagnostics extension" do not work for Linux VMs: (https://docs.microsoft.com/en-us/troubleshoot/azure/virtual-machines/performance-diagnostics#select-an-analysis-scenario-to-run)

Whereas the "Linux Diagnostic Extension (LAD) 3.0" doc mentions the question's two requirements, Metrics and Logs, in the first two
sentences of the introduction of this article:
https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/diagnostics-linux-v3
upvoted 1 times

  Lazylinux 1 year, 8 months ago


Selected Answer: B

I Luv Honey Because it is B


For sure B
the Linux diagnostic extension helps a user monitor the health of a Linux VM running on Microsoft Azure, In summary is used to monitor
metrics and logs of Linux VM. It has the following collection and capabilities:
New in LAD 4.0
This extension works with both Azure deployment models (Azure Resource Manager and classic).
You can enable this extension for your VM and virtual machine scale set by using the Azure PowerShell cmdlets, Azure CLI scripts, Azure
Resource Manager templates (ARM templates), or the Azure portal.
upvoted 3 times

  manalshowaei 1 year, 8 months ago


Selected Answer: C

C. the AzurePerformanceDiagnostics extension


upvoted 1 times

  Azurefox79 1 year, 8 months ago


Answer is correct, supports both Linux and Windows
https://docs.microsoft.com/en-us/troubleshoot/azure/virtual-machines/performance-diagnostics
upvoted 2 times

  NotMeAnyWay 1 year, 7 months ago


Answer B: Here's why...

Some of the features in "the AzurePerformanceDiagnostics extension" do not work for Linux VMs: (https://docs.microsoft.com/en-us/troubleshoot/azure/virtual-machines/performance-diagnostics#select-an-analysis-scenario-to-run)

Whereas the "Linux Diagnostic Extension (LAD) 3.0" doc mentions the question's two requirements, Metrics and Logs, in the first two
sentences of the introduction of this article:
https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/diagnostics-linux-v3
upvoted 1 times

  MikeyNg756 1 year, 9 months ago


https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/diagnostics-linux?tabs=azcli
upvoted 1 times

  albergd 1 year, 11 months ago

Selected Answer: B

Use the Linux diagnostic extension 4.0 to monitor metrics and logs:
https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/diagnostics-linux?tabs=azcli
Azure Performance Diagnostics VM Extension is for Windows:
https://docs.microsoft.com/en-us/troubleshoot/azure/virtual-machines/performance-diagnostics-vm-extension
upvoted 1 times

  G_unit_19 1 year, 11 months ago


Selected Answer: B

It is clearly B
upvoted 1 times

  EleChie 2 years ago


Important

For information about version 3.x, see Use the Linux diagnostic extension 3.0 to monitor metrics and logs. For information about version
2.3 and earlier, see Monitor the performance and diagnostic data of a Linux VM.

Ref: https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/diagnostics-linux?tabs=azcli

Azure Diagnostics extension overview


https://docs.microsoft.com/en-us/azure/azure-monitor/agents/diagnostics-extension-overview
upvoted 1 times

  never4baby777 2 years ago


Selected Answer: B

The Linux diagnostic extension helps a user monitor the health of a Linux VM that runs on Microsoft Azure
upvoted 1 times

  Juli98 2 years, 1 month ago


Answer is B but question is outdated :
https://docs.microsoft.com/en-us/azure/azure-monitor/agents/agents-overview

Azure Monitor recently launched a new agent, the Azure Monitor agent, that provides all capabilities necessary to collect guest operating
system monitoring data. While there are multiple legacy agents that exist due to the consolidation of Azure Monitor and Log Analytics,
each with their unique capabilities with some overlap, we recommend that you use the new agent that aims to consolidate features from
all existing agents, and provide additional benefits. Learn More

The Azure Monitor agent is meant to replace the Log Analytics agent, Azure Diagnostic extension and Telegraf agent for both Windows
and Linux machines.
upvoted 9 times

  Mozbius_ 2 years ago


Thank you! Much appreciated! I was getting confused as this is exactly what I have learned in the courses.
upvoted 1 times

  El_gatux 2 years, 1 month ago


Selected Answer: C

Linux Diagnostic is part of AzurePerformanceDiagnostics extension.


https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/diagnostics-linux?tabs=azcli
upvoted 1 times

  weril 2 years, 1 month ago


Okay my lads. It's LAD
upvoted 3 times
Question #48 Topic 4

HOTSPOT -

You have an Azure subscription named Subscription1. Subscription1 contains a virtual machine named VM1.

You install and configure a web server and a DNS server on VM1.

VM1 has the effective network security rules shown in the following exhibit:

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

Box 1:

Rule2 blocks ports 50-60, which includes port 53, the DNS port. Internet users can reach the web server, since it uses port 80.

Box 2:

If Rule2 is removed internet users can reach the DNS server as well.

Note: Rules are processed in priority order, with lower numbers processed before higher numbers, because lower numbers have higher priority.
Once traffic matches a rule, processing stops. As a result, any rules that exist with lower priorities (higher numbers) that have the same attributes as rules with higher priorities are not processed.

Reference:

https://docs.microsoft.com/en-us/azure/virtual-network/security-overview
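
The first-match processing described in the explanation above, as an added Python example that is not part of the original page. The port ranges and actions for Rule1 and Rule2 come from the explanation and discussion; the priority values (100 and 200), the any-protocol setting and the TCP-only variant are assumptions, because the exhibit is not reproduced here.

```python
"""First-match evaluation of NSG inbound rules (added example, not from the page)."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int   # lower number = evaluated first; the rule NAME plays no part
    ports: range    # destination port range, inclusive of both ends
    protocol: str   # "TCP", "UDP" or "*" (any)
    action: str     # "Allow" or "Deny"

    def matches(self, port: int, protocol: str) -> bool:
        return port in self.ports and self.protocol in ("*", protocol)


# Ranges/actions as described on the page; priorities and protocol are ASSUMED.
RULE1 = Rule("Rule1", 200, range(50, 501), "*", "Allow")
RULE2 = Rule("Rule2", 100, range(50, 61), "*", "Deny")
# Azure's built-in catch-all inbound rule.
DEFAULT_DENY = Rule("DenyAllInBound", 65500, range(0, 65536), "*", "Deny")

RULES = [RULE1, RULE2, DEFAULT_DENY]
RULES_WITHOUT_RULE2 = [RULE1, DEFAULT_DENY]
# Constructed variant: the deny rule only covers TCP, so DNS over UDP slips past it.
RULES_TCP_ONLY_DENY = [RULE1, replace(RULE2, protocol="TCP"), DEFAULT_DENY]


def evaluate(rules, port, protocol):
    """Return (action, deciding rule name): the first match in priority order wins."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(port, protocol):
            return rule.action, rule.name
    return "Deny", "<no matching rule>"


def deciding_ports(rules, rule_name, protocol):
    """Ports for which `rule_name` is the rule that actually decides the traffic.

    Ports inside the rule's own range but missing from this list are shadowed
    by a rule with a lower priority number.
    """
    rule = next(r for r in rules if r.name == rule_name)
    return [p for p in rule.ports if evaluate(rules, p, protocol)[1] == rule_name]


if __name__ == "__main__":
    probes = [(53, "UDP"), (53, "TCP"), (80, "TCP"), (443, "TCP"), (3389, "TCP")]
    for label, rules in [("as described", RULES),
                         ("Rule2 removed", RULES_WITHOUT_RULE2),
                         ("Rule2 TCP-only (constructed)", RULES_TCP_ONLY_DENY)]:
        print(label)
        for port, proto in probes:
            action, decided_by = evaluate(rules, port, proto)
            print(f"  {proto}/{port:<5} -> {action:<5} ({decided_by})")
    effective = deciding_ports(RULES, "Rule1", "TCP")
    print(f"Rule1 effectively allows ports {effective[0]}-{effective[-1]}")
```
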

  khengoolman Highly Voted  2 years, 4 months ago

Passed today with 947. This question appeared, correct Answer


upvoted 57 times

  nimeshabhinav 2 years, 1 month ago


It looks like all 300 questions appeared in your exam :D . I see your comments everywhere.
upvoted 75 times

  FlowerChoc1 10 months, 3 weeks ago


The dude is everywhere. What a loooooonnnng exam lol!
upvoted 6 times

  Whatsamattr81 1 year ago


I was just thinking that... What an exam.
upvoted 1 times

  Kumud31 2 years ago


YES,I bet
upvoted 2 times

  miloashis 2 years ago


VERY TRUE BRO!!
upvoted 1 times

  subramani2018 1 year, 11 months ago


Do all questions with the same pattern come from here, or are there any changes
upvoted 2 times

  Juli98 Highly Voted  2 years, 1 month ago

Correct.
Usually :
DNS = Port 53
WEB = Port 80 (http) or 443 (https).

Rule are processed by priority order


A number between 100 and 4096. Rules are processed in priority order, with lower numbers processed before higher numbers, because
lower numbers have higher priority. Once traffic matches a rule, processing stops. As a result, any rules that exist with lower priorities
(higher numbers) that have the same attributes as rules with higher priorities are not processed.
https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview

Rule 2 Blocked DNS (Range 50-60) First match > DNS Blocked
Rule 1 Allow http (Range 50-500) First Match > http Allow.

If we delete Rule 2, Rule 1 Allows http and DNS. First match > It works.
upvoted 38 times

  Learner2022 7 months ago


Wouldn't rule 1 be the higher priority rule, as it is a lower number? Therefore it won't change the outcome if rule 2 is deleted?
upvoted 1 times

  Learner2022 5 months, 1 week ago


My bad. It is the priority number not the rule name that determines the priority.
upvoted 1 times

  Bigc0ck Most Recent  1 year, 1 month ago

NO DNS questions have been showing up in my past 2 tests, weird


upvoted 5 times

  EmnCours 1 year, 5 months ago


correct Answer
upvoted 1 times

  EmnCours 1 year, 5 months ago


Box 1:
Rule2 blocks ports 50-60, which includes port 53, the DNS port. Internet users can reach to the Web server, since it uses port 80.
Box 2:
If Rule2 is removed internet users can reach the DNS server as well.
Note: Rules are processed in priority order, with lower numbers processed before higher numbers, because lower numbers have
higher priority. Once traffic matches a rule, processing stops. As a result, any rules that exist with lower priorities (higher numbers) that
have the same attributes as rules with higher priorities are not processed.
upvoted 7 times

  Pasmo 1 year, 9 months ago


Answer is correct

Rule 2 Blocked DNS (Range 50-60) First match > DNS Blocked. port 80 not affected
After deleting rule 2
Rule 1 Allow DNS (Range 50-500) First Match > port 53 and the port 80 and 443 is allowed.
upvoted 2 times

  DrJoness 1 year, 10 months ago


Question appeared in exam today. The answer is correct.
upvoted 1 times

  shyams9977 1 year, 11 months ago


This question was in exam on 20-03-2022
upvoted 1 times

  shyams9977 1 year, 11 months ago


This question on exam 20/3/2022
upvoted 1 times

  Dobby25 1 year, 11 months ago


Received this on my exam today 19/03/2022
upvoted 1 times

  benvdw 1 year, 11 months ago


on exam 13/3/2022
upvoted 1 times

  theorut 1 year, 11 months ago


keep also in mind dns uses UDP on port 53.
upvoted 2 times

  ahyaa 1 year, 11 months ago


This question appeared in my exam today Feb 26, 2022, and I got 784! yay!! I passed!!! thank you, review buddies!!
upvoted 4 times

  subramani2018 1 year, 11 months ago


Do we have voucher code to unlock all questions in az104..if 50percent off, please let me know
upvoted 2 times

  H3adcap 1 year, 12 months ago


Was in exam today 17/22/2022
upvoted 3 times

  Krypt11 2 years, 3 months ago


Correct
upvoted 1 times

  omw2wealth 2 years, 4 months ago


new question hehe, hopefully i find it later in my exam !
upvoted 3 times

  nsknexus478 2 years, 4 months ago


There was a similar question previously as well.
upvoted 2 times

  pakman 2 years, 4 months ago


Correct
upvoted 7 times
Question #49 Topic 4

You plan to deploy three Azure virtual machines named VM1, VM2, and VM3. The virtual machines will host a web app named App1.

You need to ensure that at least two virtual machines are available if a single Azure datacenter becomes unavailable.

What should you deploy?

A. all three virtual machines in a single Availability Zone

B. all virtual machines in a single Availability Set

C. each virtual machine in a separate Availability Zone

D. each virtual machine in a separate Availability Set

Correct Answer: C

Use availability zones to protect from datacenter level failures.

Reference:

https://docs.microsoft.com/en-us/azure/virtual-machines/windows/manage-availability

https://docs.microsoft.com/en-us/azure/virtual-machines/windows/tutorial-availability-sets

Community vote distribution


C (82%) A (18%)

  allray15 Highly Voted  2 years, 11 months ago

i always get nervous when the discussion count hits 30-50+ . You know something isn't right :D , if its just below 20, then i just skip and
continue
upvoted 132 times

  ServerBrain 4 months, 3 weeks ago


you are right. but sometimes you don't have to follow the entire debate. I have learned to go with the most upvoted as the final
answer.
upvoted 1 times

  sarpay784 2 years, 8 months ago


:D :D :D :D me too
upvoted 2 times

  ciscogeek 2 years, 10 months ago


or, 30+
upvoted 4 times

  Izee24 2 years, 5 months ago


Me too.
upvoted 1 times

  kt_tk_2020 Highly Voted  3 years, 2 months ago


C is the correct answer - if you want Datacenter level high availability - vms should be deployed in different zones.
upvoted 100 times

  Somewhatbusy 3 years, 1 month ago


Availability set - Within data centre - configure update domains and fault domains
Availability zone - Within region (usually three data centres per region)
upvoted 86 times

  FitObelix 2 years, 8 months ago


Simply adding that an availability zone can have only one datacenter. That's why I think it can't be option A. C option ensures the
availability, even if each zone is made of only one datacenter each
upvoted 9 times

  kira1kira22 6 months, 2 weeks ago


@FitObelix , I agree , A is wrong because a zone may have only one DC
upvoted 1 times

  walexkino 2 years, 9 months ago


your explanation was simple and precise unlike other sprouting nonsense here.
upvoted 13 times

  Tomix Most Recent  7 months, 2 weeks ago

C. Each virtual machine should be deployed in a separate Availability Zone.


upvoted 1 times

  GokuSS 10 months ago


C is the correct answer. Availability sets are used to protect applications from hardware failures within an Azure data center, availability
zones protect applications from complete Azure data center failures.
upvoted 3 times

  NJTH 10 months, 1 week ago


Exactly the same question was on todays exam.
(7th April 2023)
upvoted 6 times

  Jamal786 1 year, 2 months ago


ANSWER:C

Explanation: An Availability Zone in an Azure region is a combination of a fault domain and an update domain. For example, if you create
three or more VMs across three zones in an Azure region, your VMs are effectively distributed across three fault domains and three
update domains. The Azure platform recognizes this distribution across update domains to make sure that VMs in different zones are not
updated at the same time.

Reference link
https://learn.microsoft.com/en-us/training/modules/configure-virtual-machine-availability/5-review-availability-zones
upvoted 3 times

  Asymptote 1 year, 3 months ago


Within each Azure region are 1 to three unique physical locations, referred to as availability zones.

As some AZs have only 1 datacenter, C should be more accurate.
upvoted 1 times

  61Reasons 1 year, 5 months ago


A is tempting, but remember, according to MSFT an AZ "could" have just ONE data center, and if that failed then no redundancy. So the
only option that is 100% sure in all situations is C.
upvoted 3 times

  EmnCours 1 year, 5 months ago

Selected Answer: C

Correct Answer: C
upvoted 3 times

  klexams 1 year, 7 months ago


Your confusion stops here. Answer is A. This comment jrv116psu below led me to A.
jrv116psu 9 months ago
Mlantonis ... I completely agree about the AZ AS description.. but AZs don't have limit of number of available machines do they? it says
ensure that at least 2 machines are available... if you have VM1 in AZ1 vm2 in AZ2, vm3 in AZ3, there's nothing stopping AZ1 and 2 going
offline... AZ3 won't autocorrect and spinup new vms... thoughts?
upvoted 2 times

  Pravda 1 year, 7 months ago


Key phrase ".... if a single Azure datacenter becomes unavailable." Can't be A, B or D. Go with C
upvoted 3 times

  suryamk 1 year, 8 months ago


Answer is C
You can think of each availability zone as a separate fault domain and update domain. So in a given azure region if you have 3 availability
zones, then it's like you have 3 fault domains and 3 update domains.

So, for example, if you create three VMs across three availability zones in an Azure region, your VMs are effectively distributed across three
fault domains and three update domains.
If one of the Availability Zones has gone down for some reason, we still have 2 VMs from the rest of the 2 availability zones. Similarly, if
there is an update or a patch to be applied, azure schedules these at different times for different availability zones. So this means, we have
just one of the availability zones affected while the update is being applied. The rest of the 2 zones are unaffected.
upvoted 3 times

  BorisBoef 1 year, 8 months ago


Selected Answer: A

Placing in three separate zones does not guarantee availability over these zones
upvoted 2 times

  GregGG 1 year, 8 months ago


Selected Answer: C

Put all VMs in "one" AZ will not guarantee redundancy.


upvoted 4 times

  Lazylinux 1 year, 8 months ago


Selected Answer: C

C for me.. AV zone should be 3 as refers to 3 different Data centers, hence lose one 2 available
upvoted 3 times

  manalshowaei 1 year, 8 months ago


Selected Answer: C

C. each virtual machine in a separate Availability Zone


upvoted 2 times

  epomatti 1 year, 8 months ago


Selected Answer: C

Correct answer: C - each virtual machine in a separate Availability Zone


upvoted 2 times
Question #50 Topic 4

You have an Azure virtual machine named VM1 that runs Windows Server 2019.

You save VM1 as a template named Template1 to the Azure Resource Manager library.

You plan to deploy a virtual machine named VM2 from Template1.

What can you configure during the deployment of VM2?

A. operating system

B. administrator username

C. virtual machine size

D. resource group

Correct Answer: B

When deploying a virtual machine from a template, you must specify:

✑ the Resource Group name and location for the VM
✑ the administrator username and password
✑ a unique DNS name for the public IP

Reference:

https://docs.microsoft.com/en-us/azure/virtual-machines/windows/ps-template

Community vote distribution


D (82%) Other

  fedztedz Highly Voted  3 years, 2 months ago

Not correct. Answer is Resource Group. I tried: the only ones that need to be updated manually are resource group and password.
upvoted 166 times

  Indy429 1 month, 3 weeks ago


Confident about D as well. A doesn't even make sense to me in this scenario.
upvoted 1 times

  Shailen 2 years, 7 months ago


Yes, D. Resource Group is the correct answer: admin user, password, VM size and OS are part of ARM templates, but resource group
is not, hence it needs to be mentioned during deployment! Refer to the sample ARM template below, in which all the above attributes are
passed as parameters.
https://github.com/Azure/azure-quickstart-templates/blob/master/101-vm-simple-windows/azuredeploy.json
upvoted 13 times

  Max19 1 year, 10 months ago


The file is missing by the link, please send a new one.
upvoted 2 times

  rawrkadia 2 years, 7 months ago


Confirming RG.

Manual steps: log in, deploy VM1. Accept all defaults. Go to resource > template > save to library. View library > deploy template. It pre-populates
the subscription but you have to set an RG. VM Name can be customized, admin user/pass are pulled from template.

Costs about $.15 to verify and less than 5 minutes, if you're in doubt sign up for azure pass and do it yourself.
upvoted 38 times

  cmbkc88 2 years, 7 months ago


I go adm psw. We can configure the name of rg for vm, not rg itself.
upvoted 2 times

  itmp 2 years, 7 months ago


what "adm psw" ? maybe in another question ...
upvoted 2 times

  jecawi9630 2 years, 7 months ago


@itmp adm psw means administrator password
upvoted 2 times

  IvanDan Highly Voted  3 years, 2 months ago

"what can you configure"... you can't configure a resource group, but you can choose one. A resource group should be already configured.
An administrator username is not preconfigured, so you have to make a new one. I will go with B
upvoted 47 times

  AubinBakana 2 years, 5 months ago


You are not paying attention to the fact that this was being created from an ARM template. All these can be specified in the template. It
is not however recommended to enter keys and secrets in plain text in your code.
upvoted 3 times

  JayBee65 2 years, 8 months ago


You can select a RG for a selection - so you are configuring which RG to use.
upvoted 5 times

  vsvaid Most Recent  2 weeks, 1 day ago

Selected Answer: C

I think C
upvoted 1 times

  Ram9198 2 months, 3 weeks ago

Selected Answer: D

RG , VM Name, Disk, Nic - So answer is RG


upvoted 1 times

  ZAID1983 3 months, 3 weeks ago


correct answer is D
upvoted 1 times

  Aniruddha_dravyakar 4 months, 3 weeks ago


Answer is resource group
upvoted 1 times

  GoldenDisciple2 5 months, 1 week ago


Selected Answer: D

The answer is D
upvoted 2 times

  oopspruu 6 months ago


Selected Answer: D

Tested in lab, 17/08/2023

Answer is D, Resource Group


upvoted 2 times

  Jessica_az 6 months, 2 weeks ago


Exam on 23/7/31.
upvoted 4 times

  Teroristo 6 months, 2 weeks ago


According to the link provided in the solution:
"Create a resource group. An Azure resource group is a logical container into which Azure resources are deployed and managed. A
resource group must be created "before" a virtual machine."
According to the question:
"What can you configure "DURING" the deployment of VM2?"
Isn't the "Administrator Username"?
It is asking what we can configure "DURING" the deployment, and not before it.
That's why I think answer C is correct as provided.
upvoted 2 times

  Teroristo 6 months, 2 weeks ago


B. administrator username
upvoted 2 times

  xRiot007 8 months, 2 weeks ago


Theoretically you can configure anything, just parametrize it in your template and then provide it in your deployment script :))
upvoted 3 times

  vinsom 9 months, 2 weeks ago


Answer: D
Reference: https://learn.microsoft.com/en-us/azure/virtual-machines/windows/ps-template
Here the .json parameters section contains VM size, Username, OS details etc, with no RG information embedded. RG is created using the
CLI, before New-AzResourceGroupDeployment, using the custom template
upvoted 2 times

  Balvosko 10 months ago


Retarded question, both options are correct, you are providing both (admin password and rg ) during deployment.
upvoted 2 times
  djgodzilla 10 months, 3 weeks ago
This should be a multiple answers question
Both B and D (admin Username+RG) are valid here
upvoted 3 times

  shadad 11 months, 2 weeks ago


Selected Answer: D

I took the Azure-104 exam on 27/2/2023.
I scored 920 points out of 1000 points. This was on it and my answer was: D
upvoted 9 times

  AK4U 11 months, 2 weeks ago


When you save a template of an existing VM and then choose "Deploy a custom template" from "All services" you choose the saved
template and then you can only specify the RG.

Answer is D
upvoted 1 times

  BYNeo 1 year, 3 months ago


I attended the course before and always have to configure the Administrator Name and password first
upvoted 2 times
Question #51 Topic 4

You have an Azure subscription that contains an Azure virtual machine named VM1. VM1 runs a financial reporting app named App1 that does not support multiple active instances.

At the end of each month, CPU usage for VM1 peaks when App1 runs.

You need to create a scheduled runbook to increase the processor performance of VM1 at the end of each month.

What task should you include in the runbook?

A. Add the Azure Performance Diagnostics agent to VM1.

B. Modify the VM size property of VM1.

C. Add VM1 to a scale set.

D. Increase the vCPU quota for the subscription.

E. Add a Desired State Configuration (DSC) extension to VM1.

Correct Answer: E

Reference:

https://docs.microsoft.com/en-us/azure/automation/automation-quickstart-dsc-configuration

Community vote distribution


B (92%) 4%

  mlantonis Highly Voted  2 years, 9 months ago

Correct Answer: B

Here we need to modify the size of the VM to increase the number of vCPU's assigned to the VM. This can be included as a task in the
runbook. The VM size property can be modified by a runbook that is triggered by metrics, but you can schedule it monthly.

C: Scheduled vertical scaling could be a solution, but then you don't need a scheduled runbook and it states that it does not support
multiple active instances. Scale Set is not an option.

E: DSC is only useful to keep the resources on a VM (OS, File shares, etc.) in a consistent state, not to change VM properties.

Reference:

https://www.apress.com/us/blog/all-blog-posts/scale-up-azure-vms/15823864#:~:text=If%20you%20select%20the%20option,to%20the%20next%20larger%20size
upvoted 192 times

  klasbeatz 1 year, 7 months ago


The only part that confuses me is that I didn't think size was a determining factor when increasing processor capacity / power? Unless
this is different when referring to VMs? I figure the two are unrelated
upvoted 2 times

  Holydud 1 year, 5 months ago


Was on exam 19 Aug 2022. Scored 870. Around 85% questions were also on ET. Answered B
upvoted 18 times

  93d821b 2 months, 1 week ago


I'm glad when people do this, because all 570 questions aren't on the exam. It's good to have a date when it was last on there.
upvoted 3 times

  Theguy97 1 year ago


Your comments have no value, you comment on every question and we don't know which one will be on exam or not, please be careful,
you affect other people
upvoted 12 times

  Durden871 11 months ago


I appreciate knowing if a question has been literally on the exam recently.
upvoted 6 times

  garmatey 10 months, 1 week ago


There just isn't a reason to assume a question isn't on the test unless people are saying it isn't...
upvoted 2 times

  Batiste2023 3 months, 3 weeks ago


Well, do you want people to comment about each particular question that has NOT been on their exam? I... don't.
upvoted 1 times

  AK4U 11 months, 2 weeks ago


ET moderators modify comments on a regular basis
upvoted 1 times

  GenjamBhai 1 year, 8 months ago


Agreed. Correct Answer: B
Refer to https://www.youtube.com/watch?v=pQ9dQ13B2vM
upvoted 4 times

  fedztedz Highly Voted  3 years, 2 months ago


not correct. Answer is B. Scale up the VM using Automation virtual scale set runbooks which trigger a webhook
upvoted 106 times

  ScreamingHand 2 years, 8 months ago


why not create a scale set and scale up?
upvoted 1 times

  T____T 2 years, 7 months ago


the question asks about runbook specifically so you have to go with that context
upvoted 7 times

  sandipk91 2 years, 5 months ago


this the reason why we can't use scale set - "App1 that does not support multiple active instances"
upvoted 21 times

  biglebowski 2 years, 7 months ago


Do you think it's a good job to be executed in runbook every month?
upvoted 1 times

  T____T 2 years, 7 months ago


you can scale up or down via the run book check the portal.
upvoted 1 times

  alex88andru 2 years, 1 month ago


I don't get it, B. Modify the VM size property of VM1. How is this a runbook? or any relation to your B answer? Thanks
upvoted 4 times

  devops_devops Most Recent  1 month ago

This question was in exam 15/01/24


upvoted 3 times

  SgtDumitru 2 months, 3 weeks ago


Desired State Configuration (DSC) extension can be used to configure and manage the desired state of a virtual machine (VM) in Azure.
DSC allows you to define the configuration of a machine in a declarative way, and it can be used to automate tasks such as adjusting the
processor performance.
upvoted 1 times

  SgtDumitru 2 months, 2 weeks ago


Never mind. B is correct, since it's asking a TASK for scheduled runbook, not a separate solution for the VM.
upvoted 1 times

  rex3 3 months, 1 week ago

Selected Answer: B

Answer B
upvoted 1 times

  Savi27 6 months, 2 weeks ago


Correct Answer: C
upvoted 1 times

  raj24051961 7 months, 1 week ago


Can anyone explain why the Desired State Configuration (DSC) extension to VM1 is selected as answer, because i don't see any relevant
information increase the capacity of VM
B: is most voted answer, but resizing the VM, we have to stop the VM
upvoted 2 times

  raj24051961 7 months, 2 weeks ago

Selected Answer: C

Correct answer: C
Azure Virtual Machine Scale Sets let you create and manage a group of load balanced VMs.
The number of VM instances can automatically increase or decrease in response to demand or a defined schedule.
Scale sets provide the following key benefits:
https://learn.microsoft.com/en-us/azure/virtual-machine-scale-sets/overview
upvoted 1 times

  kennie0 4 months, 2 weeks ago


Question says VM does not support multiple active instances. so scale set is ruled out
upvoted 1 times

  Tomix 7 months, 2 weeks ago


B. Modify the VM size property of VM1.

By modifying the VM size, you can choose a higher-tier virtual machine that offers more CPU resources, which can help handle the
increased CPU usage during peak times. This allows you to scale up the VM's processing power temporarily to meet the demands of the
financial reporting app (App1) at the end of each month.
upvoted 1 times

  ZhuBajie5953 12 months ago


I think the question is asking after you change the VM size.....how do you ensure after reboot, all the services are running. Hence, DSC
comes into the picture.
upvoted 2 times

  Mo22 1 year ago


Selected Answer: B

B. Modify the VM size property of VM1.


upvoted 1 times

  raym1980 1 year, 1 month ago


Correct Answer B
Came up in exam today
920/1000
upvoted 7 times

  rajagopalanr 1 year, 5 months ago


Today (13/04/2022) I Passed exam
upvoted 5 times

  F117A_Stealth 1 year, 5 months ago


Selected Answer: B

B. Modify the VM size property of VM1.


upvoted 1 times

  libran 1 year, 5 months ago

Selected Answer: B

Correct Answer: B
upvoted 1 times

  lebowski 1 year, 5 months ago

Selected Answer: B

It cannot be D: "Desired State Configuration (DSC) is a feature in PowerShell 4.0 and above that helps administrators to automate the
configuration of Windows and Linux operating systems (OSes)"
upvoted 1 times

  EmnCours 1 year, 5 months ago


Selected Answer: B

answer is B
upvoted 1 times
Question #52 Topic 4

You plan to deploy several Azure virtual machines that will run Windows Server 2019 in a virtual machine scale set by using an Azure Resource Manager template.

You need to ensure that NGINX is available on all the virtual machines after they are deployed.

What should you use?

A. Deployment Center in Azure App Service

B. A Desired State Configuration (DSC) extension

C. the New-AzConfigurationAssignment cmdlet

D. a Microsoft Intune device configuration profile

Correct Answer: B

Azure virtual machine extensions are small packages that run post-deployment configuration and automation on Azure virtual machines.

In the following example, the Azure CLI is used to deploy a custom script extension to an existing virtual machine, which installs an NGINX web server.

az vm extension set \
  --resource-group myResourceGroup \
  --vm-name myVM --name customScript \
  --publisher Microsoft.Azure.Extensions \
  --settings '{"commandToExecute": "apt-get install -y nginx"}'

Note:

There are several versions of this question in the exam. The question has two correct answers:

1. a Desired State Configuration (DSC) extension

2. Azure Custom Script Extension

The question can have other incorrect answer options, including the following:

✑ the Publish-AzVMDscConfiguration cmdlet
✑ Azure Application Insights

Reference:

https://docs.microsoft.com/en-us/azure/architecture/framework/devops/automation-configuration

Community vote distribution


B (100%)

  mlantonis Highly Voted  2 years, 9 months ago

Correct Answer: B

Note: There are several versions of this question in the exam. The question has two correct answers:
1. a Desired State Configuration (DSC) extension
2. Azure Custom Script Extension
The question can have other incorrect answer options, including the following:
✑ the Publish-AzVMDscConfiguration cmdlet
✑ Azure Application Insights
upvoted 202 times

  ABhi101 2 years, 1 month ago


Thanks
upvoted 1 times

  Takloy 2 years, 3 months ago


Thanks!
upvoted 2 times

  Volh 1 year, 8 months ago


thanks !
upvoted 2 times

  fedztedz Highly Voted  3 years ago


Answer is correct "B" with ARM templates, DSC is used.
upvoted 22 times

  lulzsec2019 Most Recent  7 months, 3 weeks ago


You will see this question multiple times. I promise :)
upvoted 2 times
  zellck 1 year ago
Same as Question 67.
https://www.examtopics.com/discussions/microsoft/view/67546-exam-az-104-topic-4-question-67-discussion
upvoted 1 times

  zellck 1 year ago


Selected Answer: B

B is the answer.

https://learn.microsoft.com/en-us/azure/virtual-machines/extensions/dsc-template
upvoted 3 times

  Jamal786 1 year, 2 months ago


During my training with MS, I had this question but solution B was not given there, so in that case this is the solution below:

You are going to deploy multiple Virtual machines having Windows Server Operating System by using Azure Resource Manager Template.
While completing the Virtual machines deployment you need to make sure that NGINX should be available on all the Virtual machines.
What should you do?

Answer: Azure Custom Script Extension

Explanation
A Custom Script Extension(CSE) can be used to automatically launch and execute virtual machine customization tasks post configuration.
Your script extension may perform simple tasks such as stopping the virtual machine or installing a software component. However, the
script could be more complex and perform a series of tasks.

Reference link
https://learn.microsoft.com/en-us/training/modules/configure-virtual-machine-extensions/3-implement-custom-script-extensions
upvoted 5 times

  F117A_Stealth 1 year, 5 months ago

Selected Answer: B

B. A Desired State Configuration (DSC) extension


upvoted 1 times

  EmnCours 1 year, 5 months ago

Selected Answer: B

Correct Answer: B
upvoted 2 times

  devilcried 1 year, 7 months ago


Selected Answer: B

The Azure DSC extension uses the Azure VM Agent framework to deliver, enact, and report on DSC configurations running on Azure VMs.
https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/dsc-overview
upvoted 3 times

  Lazylinux 1 year, 7 months ago

Selected Answer: B

I Luv Honey because it is B


Desired State Configuration (DSC) extension
upvoted 3 times

  manalshowaei 1 year, 8 months ago


Selected Answer: B

B. A Desired State Configuration (DSC) extension


upvoted 2 times

  KIRANdxc 1 year, 9 months ago


Got this question in exam!!
upvoted 2 times

  Olram 1 year, 9 months ago


Passed today. this is part of the exam. 4/23/22
upvoted 5 times

  willt 1 year, 10 months ago


Correct
upvoted 1 times

  ahyaa 1 year, 11 months ago


This question appeared in my exam today Feb 26, 2022, and I got 784! yay!! I passed!!! thank you, review buddies!!
upvoted 6 times

  az4o2n 2 years ago


Thank you so much, your contributions are highly valued
upvoted 1 times

  pappkarcsiii 2 years ago


Selected Answer: B

1. a Desired State Configuration (DSC) extension


upvoted 1 times
Question #53 Topic 4

HOTSPOT -

You deploy an Azure Kubernetes Service (AKS) cluster that has the network profile shown in the following exhibit.

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

Box 1: 10.244.0.0/16 -

The Pod CIDR.

Note: The --pod-cidr should be a large address space that isn't in use elsewhere in your network environment. This range includes any on-premises network ranges if you connect, or plan to connect, your Azure virtual networks using Express Route or a Site-to-Site VPN connection. This address range must be large enough to accommodate the number of nodes that you expect to scale up to. You can't change this address range once the cluster is deployed if you need more addresses for additional nodes.

Box 2: 10.0.0.0/16 -

The --service-cidr is used to assign internal services in the AKS cluster an IP address.

Reference:

https://docs.microsoft.com/en-us/azure/aks/configure-kubenet
  mlantonis Highly Voted  2 years, 9 months ago

Correct Answer:

Box 1: 10.244.0.0/16
The Pod CIDR, because containers live inside Pods.
Note: You can't change this address range once the cluster is deployed, if you need more addresses for additional nodes.

Box 2: 10.0.0.0/16
The Service CIDR is used to assign internal services in the AKS cluster an IP address.

Reference:
https://docs.microsoft.com/en-us/azure/aks/configure-kubenet

https://docs.microsoft.com/en-us/azure/aks/configure-azure-cni#plan-ip-addressing-for-your-cluster
upvoted 138 times

  krisbla Highly Voted  2 years, 9 months ago

I'm writing the exam in 3 hours .. I'll go with the given selections - wish me luck!
upvoted 23 times

  JimBobSquare101 2 years, 6 months ago


I'm guessing you passed as you haven't been back...lol
upvoted 19 times

  kennynelcon 1 year, 9 months ago


The author won't get notification when one even replies, so it is tough to say
upvoted 3 times

  yellownikk 2 years, 9 months ago


what was the result?
upvoted 4 times

  walexkino 2 years, 8 months ago


lol witch
upvoted 2 times

  shnz03 2 years, 8 months ago


Personally amazing for me and kind of funny also
upvoted 2 times

  Jessica_az Most Recent  6 months, 2 weeks ago

This question was on my exam 31/07/23.


upvoted 3 times

  GoldBear 8 months ago


This question was on my exam. 05/23
upvoted 4 times

  garmatey 10 months, 1 week ago


Another question, another acronym I've never heard of
upvoted 2 times

  GoldBear 8 months ago


Kubernetes is used for orchestration. The topic is covered in many articles. You only need to know the basic configuration for the AZ-104
exam.
upvoted 1 times

  NJTH 10 months, 1 week ago


Exactly the same question was on today's exam.
(7th April 2023)
upvoted 1 times

  AzZnLuVaBoI 10 months, 3 weeks ago


On the Exam 3/29/23.
upvoted 2 times

  mohsanarfandanish 11 months ago


Cleared Exam 930 was appeared in exam 18/3/2023 ANS most upvoted
upvoted 4 times

  shadad 11 months, 2 weeks ago


I took the Azure-104 exam on 27/2/2023.
I scored 920 points out of 1000 points. This was on it and my answer was:

Box 1: 10.244.0.0/16
you can create containers live inside Pods.
Box 2: 10.0.0.0/16
service CIDR is used to assign internal services in the AKS cluster an IP address.
upvoted 4 times

  Liriano 1 year, 3 months ago


In exam today, go with highly voted
upvoted 3 times

  majerly 1 year, 4 months ago


Today in exam, answer is correct
upvoted 2 times

  EmnCours 1 year, 5 months ago


Given answer is correct
upvoted 1 times

  Lazylinux 1 year, 7 months ago


Given answer is correct
upvoted 1 times

  manalshowaei 1 year, 8 months ago


Box 1: 10.244.0.0/16 -
The Pod CIDR.
Note: The --pod-cidr should be a large address space that isn't in use elsewhere in your network environment. This range includes any on-premises
network ranges if you connect, or plan to connect, your Azure virtual networks using Express Route or a Site-to-Site VPN connection.
This address range must be large enough to accommodate the number of nodes that you expect to scale up to. You can't change this
address range once the cluster is deployed if you need more addresses for additional nodes.

Box 2: 10.0.0.0/16 -
The --service-cidr is used to assign internal services in the AKS cluster an IP address.
upvoted 1 times

  babzbabz 1 year, 8 months ago


Came on exam today (24/05-2022)
upvoted 4 times

  fodocel235 1 year, 9 months ago


B1: 10.244.0.0/16
B2: 10.0.0.0/16
upvoted 1 times

  DrJoness 1 year, 10 months ago


Question appeared in exam today. The answer is correct.
upvoted 3 times
Question #54 Topic 4

HOTSPOT -

You have the App Service plan shown in the following exhibit.

The scale-in settings for the App Service plan are configured as shown in the following exhibit.

The scale out rule is configured with the same duration and cool down tile as the scale in rule.

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

Box 1: 5 -

The maximum of 5 will be kept as the CPU usage >= 30.

Box 2: 3 -

As soon as the average CPU usage drops below 30%, the count will decrease by 1. After the 5-minute cool-down it will decrease by another 1, reaching 3.

Reference:

https://docs.microsoft.com/en-us/azure/azure-monitor/learn/tutorial-autoscale-performance-schedule

  mlantonis Highly Voted  2 years, 9 months ago

Correct Answer:

Box 1: 2
70% for 1h, and then 90% for 5 minutes. So, from the default of 1 it will scale out 1 more. So, 2 in total.

Box 2: 4
90% for 1h and then 25% for 9 minutes. So, from the default of 1 it will scale in to the max 5 (60/5 = 12, which means 6 times scale out,
because we have 5 minutes period of cool down). Then when it drops to 25% for 9 minutes and it will scale in once after 5 mins (since the
average of the last 5 minutes is under 30%), so it will decrease by 1, so 4 in total. Then it will have a cooldown of 5 minutes before scaling
in again, but since only 4 minutes left from 9 minutes (9-5 = 4), it won't scale in again. So, 4 in total.

Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/learn/tutorial-autoscale-performance-schedule
https://docs.microsoft.com/en-us/azure/azure-monitor/autoscale/autoscale-understanding-settings
upvoted 441 times

  go4adil 2 weeks, 5 days ago


Box1: 2 and Box 2: 4 should be the answer
upvoted 1 times

  Takloy 2 years, 2 months ago


I respect your answer mlantonis, but your explanation on box 2 confused me.
Can't we just say that while it was on 90% we all know that it stays at 5 instances. When the threshold dropped down to 25% for 9
minutes, the count decreased by 1 only since it didn't reach 10 minutes.
Nonetheless, Mlantonis is correct and explanation is also correct.
upvoted 24 times

  Juli98 2 years, 1 month ago


it starts at 1. Scale out if CPU > 85% over 5 min and pause during 5 min (Cool Down).
Assuming instant scaling...and CPU still at 90% at all time (very simplified view).
If CPU is at 90% for one hour we have
0 min : 1 (default)
5 min : 2
5-10 min : Still 2 (Cooldown time)
10 min : 3 (average last 5 is still CPU>90%)
10 min-15 min : Still 3
15 min : 4
and so on until we reach 5 (maximum capacity).

The calculation provided by Fed seems not correct as it is assumed that after the cool down time, the system wait another 5 min to
collect metrics which seems not the case.
upvoted 13 times

  Exilic 1 year, 8 months ago


Also came to the conclusion 2, 4 perhaps my math is wrong
upvoted 2 times

  klasbeatz 1 year, 4 months ago


There was no time frame specified in the question for the scale increase it only shows the threshold % at which it increases. These
questions don't give details. Do we just assume it follows the same time as the decreasing rule?
upvoted 3 times

  Chickpea2016 1 year, 2 months ago


"The scale out rule is configured with the same duration and cool down tile as the scale in rule."
upvoted 5 times

  klexams 1 year, 4 months ago


Correct!! Just to add: the last 4 mins is for the cooldown anyway so won't count regardless.
upvoted 5 times

  Moyuihftg Highly Voted  2 years, 9 months ago

I think:
2
4
upvoted 123 times

  vsvaid Most Recent  2 weeks, 1 day ago

2 and 4
upvoted 1 times

  devops_devops 1 month ago


This question was in exam 15/01/24
upvoted 2 times

  SkyZeroZx 1 month, 1 week ago


Box 1: 5
If the scale out rule Tile is configured the same as the scale in tile, the CPU is set to 305 (regardless of the rule name [...(Maximum)
CpuPercentage > 85], one could presume the value is set to 30, because the instruction say "The scale out rule is configured with the same
duration and cool down tile as the scale in rule" .
With this setting scaling out starts right away with 70% CPU utilization and reaches 5.

Box 2-4
upvoted 1 times

  Salim_Khan25 1 month, 3 weeks ago


00:00 = 1 Minimum instance 80%
. 80%
. 80%
. 80%
00:10 = +1 = 2 instances (observe for 10 mins) 80%
. 80%
. 80%
. 80%
00:15 = 2 cool down for 5 mis (First answer)
. 80%
. 80%
. 80%
00:25 = 00:10 (scale event) - 00:25 for the next instance to be added
upvoted 1 times

  koles81 3 months, 1 week ago


We should take to account system file compatibility and we only know that VM1 and VM2 run same system.
upvoted 1 times

  koles81 3 months, 1 week ago


We should take to account system file compatibility and we only know that VM1 and VM2 run same system.
upvoted 1 times

  Josete1106 6 months, 4 weeks ago


Box 1: 2
Box 2: 4
upvoted 1 times

  NJTH 10 months, 1 week ago


Similar question was on today's exam.
(7th April 2023)
upvoted 6 times

  Sahilbhai 7 months, 3 weeks ago


Please provide the answers also, it will help others too.
upvoted 1 times

  Rams_84zO6n 10 months, 3 weeks ago


mlantonis is right, I'm changing my answer to 2 and 4. I missed to notice "The scale out rule is configured with the same duration and cool
down tile as the scale in rule." Another observation I made is Max statistic works differently than Avg for the duration.
Box1: 2 - When CPU reaches 90%, Max doesn't need to wait for duration 5 min. to evaluate, so instance count goes to 2 right away. But
cooldown=5 min, so instance count stays at 2 after CPU holds at 90% for 5 minutes.
Box 2: 4 - When CPU goes below 25%, after 5 minutes count=4. Cool down 5 min, so instance count after CPU stays below 25% for 9
minutes is 4.
upvoted 2 times

  Rams_84zO6n 10 months, 4 weeks ago


Box 1: 2, Box 2: 3
Right after the 60th min, average CPU usage is below 25%. So at 60.01 min, CPU count is 4. Allowing 5 min cool down period, next check is
at 65.1 min. CPU count will decrease by 1 again. So when you check CPU count at 69th minute, it would be 3
upvoted 2 times

  Siraf 7 months, 1 week ago


You forgot the cooldown time (5 min) right after 60th min.
upvoted 1 times

  zellck 1 year ago


1. 2 (min 1 + 1 scale out)
2. 4 (max 5 - 1 scale in)
upvoted 3 times

  JackieTYF 1 year, 3 months ago


Box 2 = 4
When it drops to 25% for 9 minutes and it will scale in once after 5 mins (since the average of the last 5 minutes is under 30% ), so it will
decrease by 1, so 4 in total. Then it will have a cooldown of 5 minutes before scaling in again, but since only 4 minutes left from 9 minutes
(9-5 = 4), it won't scale in again. So, 4 in total.
upvoted 1 times

  BYNeo 1 year, 3 months ago


Based on the answer, agree with answer 5 and 3.
Reason:
Box 1: CPU usage >= 30 will increase 1 and scale out mention (Max) 85 increase 1
Based on the question, 70% for 1 hour will reach 5 already (every 5 mins increase 1).

Box 2: 90% for 1 hour will be 5

The moment it drops to 25% it will reduce from 5 to 4
Then based on every 5 mins will from 1, in 9 mins it will drop from 4 to 3
upvoted 2 times

  OrwellMB 1 year, 2 months ago


Hey,
Box2:
for scale-in, (Average) Cpu% <30 for 5 minutes. So it needs 5 minutes constantly under 30% for the scale-in to take effect, not the
moment it drops!
Answer is 4 (from 5->4 at the 5th minute mark, then it will be 3 at the 10th minute, but after 9mins, it is 4)
upvoted 1 times

  bdumois 1 year, 4 months ago


Box 1: 5
If the scale out rule Tile is configured the same as the scale in tile, the CPU is set to 305 (regardless of the rule name [...(Maximum)
CpuPercentage > 85], one could presume the value is set to 30, because the instruction say "The scale out rule is configured with the same
duration and cool down tile as the scale in rule" .
With this setting scaling out starts right away with 70% CPU utilization and reaches 5.

Box 2-4
upvoted 1 times

  EmnCours 1 year, 5 months ago


I think:
2
4
upvoted 1 times
Question #55 Topic 4

You have an Azure virtual machine named VM1 that runs Windows Server 2019. The VM was deployed using default drive settings.

You sign in to VM1 as a user named User1 and perform the following actions:

✑ Create files on drive C.
✑ Create files on drive D.
✑ Modify the screen saver timeout.
✑ Change the desktop background.

You plan to redeploy VM1.

Which changes will be lost after you redeploy VM1?

A. the modified screen saver timeout

B. the new desktop background

C. the new files on drive D

D. the new files on drive C

Correct Answer: C

Community vote distribution


C (100%)

  mlantonis Highly Voted  2 years, 9 months ago

Correct Answer: C

For Windows Server, the temporary disk is mounted as “D:\”.


For Linux based VM’s the temporary disk is mounted as “/dev/sdb1”.

Reference:

https://www.cloudelicious.net/azure-vms-and-their-temporary-storage
upvoted 159 times

  Holydud 1 year, 5 months ago


Was on exam 19 Aug 2022. Scored 870. Around 85% questions were also on ET. Answered C
upvoted 10 times

  Rafi786_khan 1 month, 2 weeks ago


Don't irritate people PLS
upvoted 3 times

  Indy429 1 month, 3 weeks ago


You keep saying this on every question. There's only 40-50 questions on this exam + 5 use cases.
upvoted 1 times

  ahyaa Highly Voted  1 year, 11 months ago

In the exam on Feb 26, 2022, I passed today's exam 784. happy weekend!!
upvoted 27 times

  General45 1 year, 6 months ago


Yyyyghhhhhy
upvoted 1 times

  zr79 1 year, 11 months ago


You must have the great muscle memory to remember the questions that appeared. Congrats btw
upvoted 11 times

  Gino_Slim 1 year, 7 months ago


That's what I'm thinking. It's also weird to see people pass and then come all the way back here
upvoted 22 times

  barsharl 5 months ago


Maybe just strolling around. LOL
upvoted 2 times

  SgtDumitru Most Recent  2 months, 3 weeks ago


This question is not very well described, because it doesn't mention that D is a temporary Disk. Only if we take into account that D is
temporary, then of course after re-deployment all new data on it will be lost.
upvoted 2 times

  MCI 2 weeks, 1 day ago


By default temporary drive on windows is assigned the letter D
upvoted 1 times

  Jessica_az 6 months, 2 weeks ago


On exam 31/07/2023.
upvoted 4 times

  yaguitoEC 9 months ago


Why not all?
upvoted 2 times

  rimvydukas 6 months ago


When you redeploy a VM, Azure will shut down the VM, move the VM to a new node within the Azure infrastructure, and then power it
back on, retaining all your configuration options and associated resources.

So only data on temp drive will be lost.


upvoted 6 times

  IBR 12 months ago


T F are they calling this redeployment?
upvoted 3 times

  Mev4953 1 year, 5 months ago


After you redeploy a VM, all the data that you saved on the temporary disk and Ephemeral disk is lost.

Ref:https://docs.microsoft.com/en-us/troubleshoot/azure/virtual-machines/redeploy-to-new-node-windows
upvoted 5 times

  EmnCours 1 year, 5 months ago


Selected Answer: C

Correct Answer: C
upvoted 3 times

  manalshowaei 1 year, 8 months ago

Selected Answer: C

C. the new files on drive D


upvoted 3 times

  Lazylinux 1 year, 8 months ago

Selected Answer: C

C is correct D drive is temp and Microsoft warns about its usage i.e. temp storage and lost via reboot
upvoted 2 times

  Phani1701 1 year, 8 months ago


Any data stored on D:\ will be gone after a reboot/redeployment therefore the answer is C:
upvoted 1 times

  Olram 1 year, 9 months ago


Passed today. this is part of the exam. 4/23/22
upvoted 4 times

  ajayasa 1 year, 11 months ago


this question was there on 16/03/2022 with same question and passed with 900 percent
upvoted 6 times

  ahyaa 1 year, 11 months ago


This question appeared in my exam today Feb 26, 2022, and I got 784! yay!! I passed!!! thank you, review buddies!!
upvoted 2 times

  ITprof99 2 years, 1 month ago


This question on exam 01.02.22
Answer: C
upvoted 5 times

  sanbt 2 years, 2 months ago


This question on 12/12/21.
Most of the questions from this dump.
upvoted 6 times

  fabylande 2 years, 3 months ago


In exam October 16, 2021
upvoted 7 times
Question #56 Topic 4

You have an Azure subscription.

You have an on-premises virtual machine named VM1. The settings for VM1 are shown in the exhibit. (Click the Exhibit tab.)

You need to ensure that you can use the disks attached to VM1 as a template for Azure virtual machines.

What should you modify on VM1?

A. the memory

B. the network adapters

C. the hard drive

D. the processor

E. Integration Services

Correct Answer: C

From the exhibit we see that the disk is in the VHDX format.

Before you upload a Windows virtual machine (VM) from on-premises to Microsoft Azure, you must prepare the virtual hard disk (VHD or VHDX). Azure supports only generation 1 VMs that are in the VHD file format and have a fixed sized disk. The maximum size allowed for the VHD is 1,023 GB. You can convert a generation 1 VM from the VHDX file system to VHD and from a dynamically expanding disk to fixed-sized.

Reference:

https://docs.microsoft.com/en-us/azure/virtual-machines/windows/prepare-for-upload-vhd-image

Community vote distribution


C (100%)

  mlantonis Highly Voted  2 years, 9 months ago


Correct Answer: C

The Virtual hard disk is VHDx, it should be formatted to VHD before migration from on-premises to Azure. Azure supports only generation
1 VMs that are in the VHD file format and have a fixed sized disk. The maximum size allowed for the VHD is 1,023 GB. You can convert a
generation 1 VM from the VHDX file system to VHD and from a dynamically expanding disk to fixed-sized.

Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/prepare-for-upload-vhd-image
upvoted 101 times

  josola 2 months, 4 weeks ago


Answer is still correct but now Azure supports both generation 1 and generation 2 machines and the maximum size is now 2 TB for a
OS generation 1.
upvoted 3 times

  fedztedz Highly Voted  3 years, 2 months ago


Correct. The virtual hard disk is VHDx, it should be formatted to VHD before migration from on-premises to Azure
upvoted 54 times

  Vgopi 3 years ago


Correct
upvoted 7 times

  Ahkhan Most Recent  3 months, 1 week ago

Slight update to mlantonis answer since it was written 2.5 years ago: Azure supports BOTH generation 1 and generation 2 VMs that are in
VHD file format and that have a fixed-size disk. When the answer was written, generation 2 VHD was not supported.

Ref: https://learn.microsoft.com/en-us/azure/virtual-machines/windows/prepare-for-upload-vhd-image
upvoted 5 times

  EmnCours 1 year, 5 months ago

Selected Answer: C

Correct Answer: C
upvoted 3 times

  Lazylinux 1 year, 7 months ago


Selected Answer: C

C is correct
The virtual hard disk is VHDx, it should be formatted to VHD before using it in Azure cloud environment as Azure VMs support only VHD
format
upvoted 4 times

  manalshowaei 1 year, 8 months ago


Selected Answer: C

C. the hard drive


upvoted 2 times

  babzbabz 1 year, 8 months ago


Came on exam today (24/05-2022)
upvoted 4 times

  michaelmorar 1 year, 9 months ago


So they've highlighted Integration Services simply to misdirect the candidate's attention? Nefarious!
upvoted 5 times

  Olram 1 year, 9 months ago


Passed today. this is part of the exam. 4/23/22
upvoted 6 times

  yolap31172 1 year, 10 months ago


Not relevant to actual question, but how is that possible that this machine has two network interfaces connected to two different VNETs?
upvoted 2 times

  pr_cerda 1 year, 6 months ago


On-prem VM, in this case Hyper-V according to the picture, so it can have multiple VNETs.
upvoted 2 times

  Hemang_Vyas 1 year, 8 months ago


Yes, that is possible. It's a Hyper-V VM and it can have multiple NICs which can be associated with different VNETs (different networks)
upvoted 2 times

  DrJoness 1 year, 10 months ago

Selected Answer: C

Question appeared in exam today. The answer is correct. VHDx will not work
upvoted 2 times

  LuciosVanHatter 1 year, 10 months ago


wish me luck writing tomorrow and I am stressed
upvoted 2 times

  Dobby25 1 year, 11 months ago


Received this on my exam today 19/03/2022
upvoted 4 times

  ahyaa 1 year, 11 months ago


This question appeared in my exam today Feb 26, 2022, and I got 784! yay!! I passed!!! thank you, review buddies!!
upvoted 2 times

  okeyken1 2 years, 1 month ago


Came out 29 Dec 2021 hard disk
upvoted 6 times

  exam999999999 2 years, 2 months ago


Good luck!!
upvoted 2 times

  rigonet 2 years, 4 months ago


Correct Answer: C
C. the hard drive
- The Virtual hard disk is VHDx, it should be formatted to VHD before migration from on-premises to Azure.

Azure supports both generation 1 and generation 2 VMs that are in VHD file format and that have a fixed-size disk. The maximum size
allowed for the OS VHD on a generation 1 VM is 2 TB.

Before you upload a Windows virtual machine (VM) from on-premises to Azure, you must prepare the virtual hard disk (VHD or VHDX). You
can convert a VHDX file to VHD, convert a dynamically expanding disk to a fixed-size disk, but you can't change a VM's generation.
upvoted 3 times
Question #57 Topic 4

HOTSPOT -

You have an Azure subscription that contains a virtual machine scale set. The scale set contains four instances that have the following configurations:

✑ Operating system: Windows Server 2016
✑ Size: Standard_D1_v2

You run the get-azvmss cmdlet as shown in the following exhibit:

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.

NOTE: Each correct selection is worth one point.

Hot Area:
Correct Answer:

The Get-AzVmssVM cmdlet gets the model view and instance view of a Virtual Machine Scale Set (VMSS) virtual machine.

Box 1: 0 -

The enableAutomaticUpdates parameter is set to false. To update existing VMs, you must do a manual upgrade of each existing VM.

Box 2: 4 -

Enabling automatic OS image upgrades on your scale set helps ease update management by safely and automatically upgrading the OS disk for all instances in the scale set.

Reference:

https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-upgrade-scale-set

https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-automatic-upgrade

  mlantonis Highly Voted  2 years, 9 months ago

Correct Answer:

Box 1: 4
If you resize the Scale Set all the VMs get resized at once, thus 4 is the correct answer.

Box 2: 1
Automatic OS updates update 20% of the VMs at once, with a minimum of 1 VM instance at a time. Also 20% of 4 = 0.8.

Reference:
https://docs.microsoft.com/en-us/learn/modules/build-app-with-scale-sets/2-features-benefits-virtual-machine-scale-sets
https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-automatic-upgrade
https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-upgrade-scale-set
upvoted 208 times

  yoelalan14 2 years, 2 months ago


For Box 2, what about the Automatic Updated feature that is turned "off"? Wouldn't the answer be 0?
upvoted 9 times

  e_karma 2 years, 2 months ago


That is patches where as this is os upgrades
upvoted 11 times

  solarwinds123 Highly Voted  3 years, 1 month ago

The question asks "if the administrator changes the size", not if it gets scaled up vertically. I tested this, and if you resize the scale set all
the virtual machines get resized at once, thus 4 is the correct answer. For the second part, automatic OS updates update 20% of the VMs
at once, with a minimum of 1 VM instance at a time.
upvoted 104 times

  ciscogeek 2 years, 11 months ago


Most trustworthy, and correct as per other explanations and references as well.
upvoted 11 times

  oshoparsi 2 years, 10 months ago


20% 4 = 0.8 but minimum would be 1 vm.
upvoted 4 times

  quocdunginfo2 Most Recent  5 months, 2 weeks ago


EnableAutomaticUpdates = FALSE: New Windows OS update must be done manually => 0 VM
UpgradePolicy = Automatic: 20% of VMs will be upgrade at the same time (Min=1) => 1 VM
upvoted 2 times

  SgtDumitru 2 months, 3 weeks ago


From those who are new on this question, this is the correct answer based on latest images.
upvoted 1 times

  nchebbi 2 months, 2 weeks ago


That's not true, that flag enables in-OS (VM) patching where the OS patches itself.
"For scale sets using Windows virtual machines, starting with Compute API version 2019-03-01, the property
virtualMachineProfile.osProfile.windowsConfiguration.enableAutomaticUpdates property must set to false in the scale set model
definition. The enableAutomaticUpdates property enables in-VM patching where "Windows Update" applies operating system
patches without replacing the OS disk"
Ref: https://learn.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-automatic-upgrade#requirements-for-configuring-automatic-os-image-upgrade
upvoted 1 times

  SgtDumitru 2 months, 2 weeks ago


I'm rethinking.....
Based on your doc, indeed it will update all 4 since here we have a scale set.
Therefore, correct answers are 4 and 1
upvoted 4 times

  szy4624 6 months, 3 weeks ago


Newbee here, where can I know the total number of VMs?
upvoted 2 times

  umavaja 4 days, 21 hours ago


It is the second line at the start of the question

HOTSPOT -
You have an Azure subscription that contains a virtual machine scale set. The scale set contains four instances that have the following
configurations:
upvoted 1 times

  ajith_16 6 months, 3 weeks ago


It's mentioned in the scenario itself!
upvoted 3 times

  Josete1106 6 months, 4 weeks ago


Box 1: 4 & Box 2: 1
upvoted 2 times

  lulzsec2019 11 months ago


Guys, sorry for the noob question. where did you get the value "4"? I don't see any number 4 in the picture.
upvoted 4 times

  umavaja 4 days, 21 hours ago


HOTSPOT -
You have an Azure subscription that contains a virtual machine scale set. The scale set contains four instances that have the following
configurations:
upvoted 1 times

  Indy429 1 month, 3 weeks ago


It's at the top in the first or second sentence
upvoted 1 times

  redbull2023 10 months, 3 weeks ago


read the question again bro
upvoted 4 times

  yellowdot 11 months, 1 week ago


Box1 - 4
This refers to the second PS cmdlet 'UpgradePolicy' which "determines what happens next after you change the scale set model" (ex. VM
size, OS ver, extensionPolicy). Box1 asks what happens when size of VM changes. Since it's set to 'automatic', the change will be applied to
all the VMs in the scale set at once

[ref: https://msftstack.wordpress.com/2016/11/15/azure-scale-set-upgrade-policy-explained/]

Box2 - 0
This refers to the first PS cmdlet 'UpgradePolicy' which "determines what happens when image publishers publishes the latest image OS
image" - which in this case Microsoft released the Win Server 2016 image. Since it's set to 'false', there will be no changes made - updates
will need to happen manually with user intervention.

[ref: https://techcommunity.microsoft.com/t5/azure-paas-blog/azure-service-fabric-enableautomaticupdates/ba-p/834246]
upvoted 6 times
  Standa_82 12 months ago
It seems to me that picture doesn't match questions.
upvoted 6 times

  dc2k79 1 year, 3 months ago


Box 1: 4
The first command has nothing to do with VM Resizing.

Box 2: 1
What's set to 'false' is Patch updates. This is recommended to be set to 'False' when Automatic OS upgrades are set to 'True'. What this
means is that the automatic rolling OS Upgrades will happen at 20%.
upvoted 8 times

  Bobby1977 1 year, 5 months ago


WindowsConfiguration.EnableAutomaticUpdates PropertyGets or sets indicates whether Automatic Updates is enabled for the Windows
virtual machine. Default value is true. For virtual machine scale sets, this property can be updated and updates will take effect on OS
reprovisioning.

Based on the above note, as EnableAutomaticUpdates = False the OS updates will not happen. So answers are Box1: 4 and Box 2: 0
upvoted 4 times

  tt2tt 1 year, 6 months ago


There're seven more confusing comments here, I am totally lost... as usual, I will follow the answer from mlantonis
upvoted 11 times

  Davin0406 1 year, 5 months ago


Me too bro
upvoted 6 times

  NotMeAnyWay 1 year, 7 months ago


Part one: Answer 0
The Administrator is doing a manual change to the virtual machine scale set MODEL (AKA OS Build), however this model change does not
take immediate effect for the existing machines in the Scale Set, see this section of the doc:
Read Here:
(https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-upgrade-scale-set#how-to-update-global-scale-set-properties)

Part 2: Answer 4
The Upgrade policy (Don't get confused with "Update" Policy, which is for OS Patches) is set to Automatic. When the Upgrade policy is set
to automatic, all the VMs may be taken down and upgraded at the same time, as per the MS docs:
Read Here:
(https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-upgrade-scale-set#how-to-bring-vms-up-to-date-with-the-latest-scale-set-model)

NB: The 20% policy for upgrades mentioned in other comments is for Extensions in a VMSS, not the actual VM scale set.
upvoted 3 times

  manalshowaei 1 year, 8 months ago


Box 1: 0 -
The enableAutomaticUpdates parameter is set to false. To update existing VMs, you must do a manual upgrade of each existing VM.

Box 2: 4 -
Enabling automatic OS image upgrades on your scale set helps ease update management by safely and automatically upgrading the OS
disk for all instances in the scale set.
upvoted 2 times

  Scoobysnaks86 1 year, 8 months ago


I'm tired of these questions being more of tests of English comprehension than actually doing the job. Trick questions with diagrams that
are unimportant or intentionally misleading does not do anything to test knowledge.
upvoted 32 times

  EleChie 2 years ago


Explanation
the Get-AzVmssVM cmdlet gets the model view and instance view of a Virtual Machine Scale Set (VMSS) virtual machine.
Box 1: 0
The enableAutomaticUpdates parameter is set to false. To update existing VMs, you must do a manual upgrade of each existing VM.
Box 2: 1
Below is clearly mentioned in the official Website
"The upgrade orchestrator identifies the batch of VM instances to upgrade, with any one batch having a maximum of 20% of the total
instance count, subject to a minimum batch size of one virtual machine." So, 20% from 4 ~1
upvoted 5 times

  c64basic 2 years ago


So basically, what we are looking at here is the UpgradePolicy only, as neither of the two actions (resizing the VM and upGRADING the
OS) concern Windows settings. The top command (WindowsConfiguration) doesn't have anything to do with the questions.
upvoted 1 times

  Mozbius_ 2 years ago


Box 1:
In case we want to disable the windows updates, we need to set “enableAutomaticUpdates” as false

https://techcommunity.microsoft.com/t5/azure-paas-blog/azure-service-fabric-enableautomaticupdates/ba-p/834246

This is not a windows update but a VM size change.


upvoted 4 times

  Juli98 2 years, 1 month ago


For Q2
https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-automatic-upgrade
For scale sets using Windows virtual machines, starting with Compute API version 2019-03-01, the property
virtualMachineProfile.osProfile.windowsConfiguration.enableAutomaticUpdates property must set to false in the scale set model
definition. The enableAutomaticUpdates property enables in-VM patching where "Windows Update" applies operating system patches
without replacing the OS disk. With automatic OS image upgrades enabled on your scale set, an extra patching process through Windows
Update is not required.
So its not 0 but
An upgrade works by replacing the OS disk of a VM with a new disk created using the latest image version. Any configured extensions and
custom data scripts are run on the OS disk, while data disks are retained. To minimize the application downtime, upgrades take place in
batches, with no more than 20% of the scale set upgrading at any time.

Its 4x0,2 = 0,8 => 1 (minimum)


upvoted 5 times

  hanyahmed 2 years, 1 month ago


it should be 4 and 1
upvoted 3 times
Question #58 Topic 4

You have an Azure subscription named Subscription1 that is used by several departments at your company. Subscription1 contains the resources in the following table:

Another administrator deploys a virtual machine named VM1 and an Azure Storage account named storage2 by using a single Azure Resource Manager template.

You need to view the template used for the deployment.

From which blade can you view the template that was used for the deployment?

A. VM1

B. RG1

C. storage2

D. container1

Correct Answer: B

View template from deployment history

1. Go to the resource group for your new resource group. Notice that the portal shows the result of the last deployment. Select this link.

2. You see a history of deployments for the group. In your case, the portal probably lists only one deployment. Select this deployment.

3. The portal displays a summary of the deployment. The summary includes the status of the deployment and its operations and the values that you provided for parameters. To see the template that you used for the deployment, select View template.

Reference:

https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-export-template

Community vote distribution


B (100%)

  fedztedz Highly Voted  3 years, 2 months ago

Correct answer B RG1. the only way to see both together storage and VM
upvoted 60 times

  Holydud 1 year, 5 months ago


Was on exam 19 Aug 2022. Scored 870. Around 85% questions were also on ET. Answered B
upvoted 7 times

  mlantonis Highly Voted  2 years, 9 months ago

Correct Answer: B
upvoted 51 times

  Jessica_az Most Recent  6 months, 2 weeks ago

This is on exam 31 Jul 2023.


upvoted 3 times

  raym1980 1 year, 1 month ago


Selected Answer: B

Correct Answer B
Came up in exam today
920/1000
upvoted 7 times

  mscbgslt 1 year, 3 months ago


Same as " A colleague named Jon Ross makes use of a solitary Azure Resource Manager (ARM) template to deploy a virtual machine and
an additional Azure Storage account.
You want to review the ARM template that was used by Jon Ross. "
upvoted 4 times

  EmnCours 1 year, 5 months ago


Selected Answer: B

Correct Answer: B
upvoted 2 times

  Lazylinux 1 year, 7 months ago


Selected Answer: B

I Luv Honey Because it is B


upvoted 3 times

  manalshowaei 1 year, 8 months ago

Selected Answer: B

B. RG1
upvoted 1 times

  ajayasa 1 year, 11 months ago


this question was there on 16/03/2022 with same question and passed with 900 percent
upvoted 4 times

  sid132 1 year, 11 months ago


On the exam today, 4.March.2022
upvoted 2 times

  Pasmo 1 year, 11 months ago

Selected Answer: B

Correct Answer: B
upvoted 1 times

  awssecuritynewbie 1 year, 11 months ago


You can only deploy resources into a resource group, so that is where you would see the history of your deployments!
upvoted 2 times

  pappkarcsiii 2 years ago


Selected Answer: B

Correct answer B RG1. the only way to see both together storage and VM
upvoted 2 times

  hanyahmed 2 years, 1 month ago


yes it should be visible from resource group
upvoted 2 times

  Krypt11 2 years, 3 months ago


Correct answer B RG1.
upvoted 2 times

  AubinBakana 2 years, 5 months ago


They really want to know that we know the portal inside out. And I'm definitely getting more practice. Easy, this one.
upvoted 1 times

  McRowdy 2 years, 8 months ago


The clue here is that it is in the same RG (RG1). Hence the answer is "B"
upvoted 1 times
Question #59 Topic 4

You have an Azure web app named App1. App1 has the deployment slots shown in the following table:

In webapp1-test, you test several changes to App1.

You back up App1.

You swap webapp1-test for webapp1-prod and discover that App1 is experiencing performance issues.

You need to revert to the previous version of App1 as quickly as possible.

What should you do?

A. Redeploy App1

B. Swap the slots

C. Clone App1

D. Restore the backup of App1

Correct Answer: B

When you swap deployment slots, Azure swaps the Virtual IP addresses of the source and destination slots, thereby swapping the URLs of the slots. We can easily revert the deployment by swapping back.

Reference:

https://docs.microsoft.com/en-us/azure/app-service/deploy-staging-slots

Community vote distribution


B (100%)

  fedztedz Highly Voted  3 years, 2 months ago

Correct Swap slots. this is advantage of using slots. where each slot has its own host name while the app content and configuration
elements are the one who are swapped. this is done seamlessly for traffic direction and no requests are dropped or downtime happens.
upvoted 62 times

  Indy429 1 month, 3 weeks ago


Good explanation. To the point
upvoted 1 times

  solomonmana 2 years, 1 month ago


Correct
upvoted 6 times

  mlantonis Highly Voted  2 years, 9 months ago

Correct Answer: B

When you swap deployment slots, Azure swaps the Virtual IP addresses of the source and destination slots, thereby swapping the URLs of
the slots. We can easily revert the deployment by swapping back.

Deployment slots are live apps with their own host names. App content and configurations elements can be swapped between two
deployment slots, including the production slot.

Deploying your application to a non-production slot has the following benefits:

1. You can validate app changes in a staging deployment slot before swapping it with the production slot.
2. Deploying an app to a slot first and swapping it into production makes sure that all instances of the slot are warmed up before being
swapped into production.

Reference:

https://docs.microsoft.com/en-us/azure/app-service/deploy-staging-slots
upvoted 59 times

  Jessica_az Most Recent  6 months, 2 weeks ago


on the exam 31 Jul 2023
upvoted 2 times

  AzZnLuVaBoI 10 months, 3 weeks ago


On the Exam 3/29/23.
upvoted 5 times

  shadad 11 months, 2 weeks ago


Selected Answer: B

I took Exam of Azure- 104 at 27/2/2023


I score 920 points out of 1000 points. This was on it and my answer was: B
upvoted 3 times

  zellck 1 year ago

Selected Answer: B

B is the answer.

https://learn.microsoft.com/en-us/azure/app-service/deploy-staging-slots#roll-back-a-swap
If any errors occur in the target slot (for example, the production slot) after a slot swap, restore the slots to their pre-swap states by
swapping the same two slots immediately.
upvoted 2 times

  RougePotatoe 1 year ago


"If any errors occur in the target slot (for example, the production slot) after a slot swap, restore the slots to their pre-swap states by
swapping the same two slots immediately."
https://learn.microsoft.com/en-us/azure/app-service/deploy-staging-slots#roll-back-a-swap
upvoted 1 times

  majerly 1 year, 4 months ago


today in exam , is B
upvoted 1 times

  EmnCours 1 year, 5 months ago

Selected Answer: B

https://docs.microsoft.com/en-us/azure/app-service/deploy-staging-slots
upvoted 2 times

  Lazylinux 1 year, 7 months ago

Selected Answer: B

I Luv Honey Because it is B

Swap slots, this is Beauty of using slots. you can test at ease and as please
upvoted 2 times

  manalshowaei 1 year, 8 months ago

Selected Answer: B

B. Swap the slots


upvoted 2 times

  babzbabz 1 year, 8 months ago


Came on exam today (24/05-2022)
upvoted 1 times

  dasEnder 1 year, 9 months ago

Selected Answer: B

Correct Answer
upvoted 2 times

  Dobby25 1 year, 11 months ago


Received this on my exam today 19/03/2022
upvoted 3 times

  InvisibleShadow 1 year, 11 months ago


This question came in the exam today 8/Mar/2022.
I passed the exam, 95% questions came from here.
upvoted 2 times

  kippp 2 years, 1 month ago


I took the exam on 2/1/2021. Overall 59 questions. Failed the exam with 652. Not even 10 questions came from this dump. They changed to a new
set
upvoted 3 times

  ABhi101 2 years, 1 month ago


I am depressed now, i have mine tomorrow :(
upvoted 1 times

  pmzone 2 years ago


@ABhu101 - Did the questions come from this dump ?
upvoted 1 times

  zr79 1 year, 11 months ago


is it 2022 or 2021?
upvoted 1 times

  aliashif 2 years, 1 month ago


contributor access is mandatory to access content?
upvoted 1 times

  Cloudpie 2 years, 1 month ago


Looks like it is mandatory because i am unable to browse beyond this page...Not sure if its worth it to buy the subscription as my exam
is on 31-Dec-21
upvoted 1 times
Question #60 Topic 4

HOTSPOT -

You have an Azure subscription named Subscription1. Subscription1 contains two Azure virtual machines VM1 and VM2. VM1 and VM2 run Windows Server 2016.

VM1 is backed up daily by Azure Backup without using the Azure Backup agent.

VM1 is affected by ransomware that encrypts data.

You need to restore the latest backup of VM1.

To which location can you restore the backup? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

Note: The new VM must be in the same region.

Reference:

https://docs.microsoft.com/en-us/azure/backup/backup-azure-arm-restore-vms

  mlantonis Highly Voted  2 years, 9 months ago

Correct Answer:

Box 1: Any Windows computer that has Internet connectivity


For file recovery, you download and run a Windows executable to map a network drive. It can only run when the OS meets the
requirements. Any computer running Windows Server 2016 or Windows 10 is suitable. File recovery can be done from any machine on the
Internet.

Note: There might be compatibility issues with any Windows computer, so consider VM1 and VM2 only as an answer.

Box 2: VM1 or a new Azure virtual machine only

For restoring a VM, you can choose 'Create new' or 'Replace existing'.

Reference:

https://docs.microsoft.com/en-us/azure/backup/backup-azure-restore-files-from-vm

https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/backup/backup-azure-restore-files-from-vm.md#for-windows-os
upvoted 175 times

  imartinez 2 years, 5 months ago


The provided answer from ETopics is correct
Box1: VM1 or a new Azure virtual machine only.
You and MS docs clearly say that Windows Server 2016 or Windows 10 are suitable, but these are not all Windows OS systems on the
internet.
Box2 is correct
upvoted 9 times

  GBAU 1 year ago


If you are going to read into the wording "Any" to mean literally any windows computer out there back to Windows 1, then you also
need to read into "only" in VM1 and VM2 only to mean NO other computers anywhere. It's a crappily worded question, I think
generalising Any is more reasonable than generalising Only.
upvoted 4 times

  ki01 1 month, 4 weeks ago


It's one of the things I hate the most about MS exams. You not only need to have the required technical knowledge but a major in
English language and at least a bachelor in psychology to understand what the writers meant to ask. Because as you said, if they
mean ANY Windows, then no, because it won't run on a Windows 98 machine, but if they meant ANY SUPPORTED, which at the time of
writing is Windows 10 and 11 (and even then not all OS versions for 10), then yeah, it will easily run on Windows 10, even on home
editions.
upvoted 1 times

  bartfto 9 months, 2 weeks ago


what is Windows 1?
upvoted 3 times

  Halisson 5 months, 2 weeks ago


Windows 3.1 :D
upvoted 2 times

  Kizz 2 years, 3 months ago


Box 1 should be VM1 and VM2 only:
"Restoring files and folders is available only for Azure VMs deployed using the Resource Manager model and protected to a Recovery
Services vault."
https://docs.microsoft.com/en-us/azure/backup/backup-azure-restore-files-from-vm
Box 2: VM1 or New Azure VM only:
When restoring a VM, you can't use the replace existing VM option for ADE encrypted VMs. This option is only supported for
unencrypted managed disks.
https://docs.microsoft.com/en-us/azure/backup/restore-azure-encrypted-virtual-machines
upvoted 15 times

  Batiste2023 3 months ago


As far as box1 is concerned this is about the source VM.
"Any Windows computer that has Internet connectivity" is still valid as an answer regarding the destination of the restore.
upvoted 2 times

  DrMiyu 1 year, 7 months ago


Agree this should be VM1 or VM2 as in the docs they wrote "Select Download Executable (for Windows Azure VMs) or Download Script
(for Linux Azure VMs, a Python script is generated) to download the software used to copy files from the recovery point."

So the scenario is made to run everything within azure. I'm expecting that this should be doable via another machine but then with
connection to the Azure / Account / configuration (that are not really specified here)
upvoted 1 times

  Lkk51 2 years, 8 months ago


VM1 is affected by ransomware that encrypts data.
Can we use VM1 to recover file?
upvoted 5 times

  Herald3883 1 year, 5 months ago


The key phrase is "encrypts data", not the whole disk.
upvoted 1 times

  juniorccs 1 year, 9 months ago


exactly what I thought
upvoted 1 times

  fedztedz Highly Voted  3 years, 2 months ago

File recovery can be done from any machine on the internet. For restoring the VM, you can restore the backed up disk and either restore the
disk before the malware (VM) or create any virtual machine
upvoted 93 times

  Meesaw 3 years, 1 month ago


The question is file recovery to VM1 and not from any machine on the internet.
upvoted 8 times

  Netspud 2 years ago


Restore (Q2) is correct: VM1 or new. But Q1, file recovery, is a little harder. After reading:
https://docs.microsoft.com/en-us/azure/backup/backup-azure-restore-files-from-vm
It constantly says VM, so they can only be restored to a VM. (Anyway the internet one says any Windows PC, and support only goes back
to 7, so that's not ANY Windows PC).
Then there are some restrictions, that we have no idea if VM1 or VM2 comply with, along with recommendations if drivers are over a
certain size.
So assuming we can create a VM with the same OS (or client compatible OS) in the same region (which is a reasonable conclusion) we
can only recover to a New VM, because this is the only way we can be sure everything complies. But this question in my opinion is
somewhat incomplete with details.
My vote:
Q1 New Only
Q2 VM1 and New
(I am confident it is NOT internet PCs)
upvoted 1 times

  magichappens 1 year, 10 months ago


How can Q1 be not any? Every other answer excluded VM2 which does not make any sense. So only possible answer is any machine
with internet as you can mount the storage via script. Compatibility is not relevant for this question.
upvoted 4 times

  diligent176 3 years, 1 month ago


Yes, file recovery can be done from any computer with internet connection (provided it meets a few other compatibility requirements in
this article):
https://docs.microsoft.com/en-us/azure/backup/backup-azure-restore-files-from-vm
2nd part - the Restore can be done to the same VM1 or to a new VM
upvoted 7 times

  Miles19 2 years, 10 months ago


For file recovery, I wouldn't suggest going for the option "any computer with the internet connection" because of the OS
compatibility problem. When recovering files, you can't restore files to a previous or future operating system version. In this case,
we need either Windows Server 2016 machine or windows 10 client machines, not windows 8.1, or windows 8. Here is the link:
https://docs.microsoft.com/en-us/azure/backup/backup-azure-restore-files-from-vm#for-windows-os
Therefore, I suggest the option "VM1 and VM2 only" as we definitely know that their O.S. is compatible.
upvoted 11 times

  KOSACA 3 years, 1 month ago


If you read step 3 only Windows 10 PC can be used to restore the file from Windows Server 2016. So the "Any computer with internet
activity" is not correct. So I guess the answers are correct.
upvoted 11 times

  GenjamBhai 1 year, 7 months ago


Box 1 = VM1 and VM2 Only
"When recovering files, you can't restore files to a previous or future operating system version"
https://docs.microsoft.com/en-us/azure/backup/backup-azure-restore-files-from-vm#for-windows-os
upvoted 4 times

  oshoparsi 2 years, 10 months ago


The MARS agent is for when we want to restore to the on-prem machine, and it says we don't have it, so the option
of "to any Windows computer" is wrong. And "to any new Azure VM" is also impossible because of the OS type and region restriction concerns in
both scenarios. In the first, it should be restored just to VMs with a compatible OS, not any new Azure VM. And in the second one, it should be a VM
in the same Azure region, so again not all the new Azure VMs.

  photon99 Most Recent  3 months, 3 weeks ago

Here is the doc link that clearly says you need to use a Windows 10 machine for file recovery from Win 2016.

https://learn.microsoft.com/en-us/azure/backup/backup-azure-restore-files-from-vm#step-2-ensure-the-machine-meets-the-requirements-before-executing-the-script
upvoted 2 times

  oopspruu 5 months, 4 weeks ago


The answer of BOX 2 is correct. However, the answer to BOX 1 is tricky.

I was able to successfully recover files to my local Windows PC today, 20/8/2023. So I'd say any windows computer with internet
connectivity is the correct answer. The only "challenge" is that it has to be a current/supported release. I don't think you can recover it on a
Windows 7 or Vista machine anymore. I am no script expert so I don't really know if the downloaded script checks for Windows version.
But I can definitely say you don't have to use an Azure VM to recover files from the affected VM.
upvoted 4 times

  Josete1106 6 months, 4 weeks ago


5 & 2 is correct!
upvoted 1 times

  RandomNickname 8 months, 2 weeks ago


For box 2 the answer looks correct, VM1 or a new Azure VM.

Box 1 is a little tricky as people are suggesting.


Provided the VMs are compatible as per below it could be, VM1 & VM2 only or VM1 and a new VM only but not sure I'm happy with the
latter, I guess it depends on what Microsoft are actually questioning us on.

However looking at the below URL and step 4, I'd be tempted to say, Any Windows that has internet connectivity. (Provided it's compatible)
https://learn.microsoft.com/en-us/azure/backup/backup-azure-restore-files-from-vm
upvoted 2 times

  Madbo 10 months ago


In the first scenario, the correct answer is "VM1 and VM2 only" because the question asks where you can restore the latest backup of VM1,
and VM1 is not affected by ransomware. Therefore, you need to restore the backup to a compatible machine, which is either VM1 or VM2.

In the second scenario, the correct answer is "VM1 or a new Azure virtual machine only" because the question asks where you can restore
the entire VM, not just files. You can choose to create a new VM or replace the existing one, but the restore can only be done to VM1 or a
new Azure virtual machine.
upvoted 1 times

  Rams_84zO6n 10 months, 3 weeks ago


Assumption: The compromised VM must have been created using ARM deployment, and Un-encrypted.
Box 1: Any Windows computer that has Internet connectivity
Box 2: VM1 or new Azure VM only - referred as OLR - Original Location Recovery and ALR - Alternate location recovery -
https://learn.microsoft.com/en-us/azure/backup/about-azure-vm-restore#restore-scenarios
upvoted 1 times

  AK4U 11 months, 2 weeks ago


https://www.youtube.com/watch?v=1_P6sfB5vRA
You can restore VM1 to VM1 or a new Azure virtual machine only
upvoted 1 times

  zellck 1 year ago


1. Any Windows computer that has Internet
2. VM or new Azure VM only

https://learn.microsoft.com/en-us/azure/backup/backup-azure-restore-files-from-vm

https://learn.microsoft.com/en-us/azure/backup/backup-azure-arm-restore-vms#choose-a-vm-restore-configuration
- Create new: Use this option if you want to create a new VM. You can create a VM with simple settings, or restore a disk and create a
customized VM.
- Replace existing: Use this option if you want to replace disks on an existing VM.
upvoted 2 times

  SedateBloggs 1 year ago


Whilst it sounds arcane, the answer to Box 1 is any computer that has internet connectivity. I have tested and can confirm I can restore
files from a Azure VM restore point that is in an Azure Recovery Vault to a physical windows 10 laptop connected to the internet . This
laptop is non Hybrid, non domain joined and happily recovered any files I chose to itself. Box2 is New or Replace existing - i also tested this
and those were the two options to fully restore VM1.
upvoted 3 times

  AzureG0d 1 year, 3 months ago


I could be wrong but when you look at the question and the answers. I legit think the answer is correct as stands (poorly worded
question). Therefore as long as it meets the requirements and as long as its ONLY a vm as outlined: "This feature is available for Azure
VMs deployed using the Resource Manager model and protected to a Recovery Services vault. File recovery from an encrypted VM backup
isn't supported."

I could be wrong because the question is very very tricky, but I'm going to trust my guy here.

As much as we love mlantonis and by all means he's the G.O.A.T! But I do think he has it wrong here, because it specifically states VMs
ONLY. Therefore it cannot be Any PC that has internet connectivity even though in theory that makes sense but for Microsoft that doesn't
comply with their article found in the link below.

https://learn.microsoft.com/en-us/azure/backup/backup-azure-restore-files-from-vm
upvoted 1 times

  Shivz81 1 year, 4 months ago


@mlantonis Box 1 which one did you choose? Any Windows computer that has Internet connectivity or VM1 and VM2 only as an answer. I am
really confused.
upvoted 1 times
  Mohd1899 1 year ago
He chose VM1 VM2 because he mentioned that restore to any new machine may have compatibility issues
upvoted 1 times

  majerly 1 year, 4 months ago


Today in exam, answer correct by mlantonis
upvoted 3 times

  EmnCours 1 year, 5 months ago


Box 1: Any Windows computer that has Internet connectivity

VM1 or a new Azure virtual machine only


upvoted 3 times

  NotMeAnyWay 1 year, 7 months ago


Part 1: Answer 3 - VM1 and VM2 only
The File Recovery needs to be on a VM with a compatible OS to the one where the backup originated. From the question we know that VM2
is also a Windows Server 2016, so that is allowed. VM1 can also be used for the Recovery as it does not mention it contains "Storage
Spaces" which is one limitation of using the origin VM.
Read Here:
(https://docs.microsoft.com/en-us/azure/backup/backup-azure-restore-files-from-vm#step-2-ensure-the-machine-meets-the-requirements-before-executing-the-script)

Part 2: Answer 2 - VM1 or a new Azure virtual machine only


This is referring to the entire VM restore from a restore point, not the individual File Recovery. Entire VM1 restores can be to the origin VM
(OLR) or to a new Azure VM (ALR).
It wouldn't make sense to restore to VM2 as that would overwrite the contents of VM2 and leave you with one less VM.
Read Here:
https://docs.microsoft.com/en-us/azure/backup/about-azure-vm-restore#concepts
upvoted 4 times

  Lazylinux 1 year, 7 months ago


Given answer is incorrect as others also pointed out

Box 1: Any Windows computer that has Internet connectivity

Box 2: VM1 or a new Azure virtual machine only


For restoring a VM, you have either option: Create new VM or Replace existing one
upvoted 1 times

Question #61 Topic 4

You plan to back up an Azure virtual machine named VM1.

You discover that the Backup Pre-Check status displays a status of Warning.

What is a possible cause of the Warning status?

A. VM1 is stopped.

B. VM1 does not have the latest version of the Azure VM Agent (WaAppAgent.exe) installed.

C. VM1 has an unmanaged disk.

D. A Recovery Services vault is unavailable.

Correct Answer: B

The Warning state indicates one or more issues in VM's configuration that might lead to backup failures and provides recommended steps to ensure successful backups. Not having the latest VM Agent installed, for example, can cause backups to fail intermittently and falls in this class of issues.

Reference:

https://azure.microsoft.com/en-us/blog/azure-vm-backup-pre-checks/

Community vote distribution


B (100%)

  Omar_Aladdin Highly Voted  2 years, 4 months ago

Answer is Correct,
Check the REF they provided, and this REF by Microsoft also, proves that:
https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/backup/backup-azure-manage-windows-server.md
upvoted 15 times

  Mozbius_ 2 years ago


[Warning: This state indicates one or more issues in the VM's configuration that might lead to backup failures. It provides
recommended steps to ensure successful backups. For example, not having the latest VM Agent installed can cause backups to fail
intermittently. This situation will provide a warning state.]

https://github.com/MicrosoftDocs/azure-docs/blob/main/articles/backup/backup-azure-manage-windows-server.md
upvoted 5 times

  Mozbius_ 2 years ago


Correct
upvoted 2 times

  vbohr899 Highly Voted  11 months, 3 weeks ago

Cleared Exam today 26 Feb, This question was there in exam.


upvoted 10 times

  zellck Most Recent  1 year ago

Selected Answer: B

B is the answer.

https://azure.microsoft.com/en-us/blog/azure-vm-backup-pre-checks
Warning: This state indicates one or more issues in VM’s configuration that might lead to backup failures and provides recommended
steps to ensure successful backups. Not having the latest VM Agent installed, for example, can cause backups to fail intermittently and
falls in this class of issues.
upvoted 5 times

  omgMerrick 1 year ago

Selected Answer: B

Answer is correct, B: VM1 does not have the latest version of the Azure VM Agent (WaAppAgent.exe) installed.

The Azure VM Agent is required for managing virtual machines, and it provides the communication between the virtual machine and
Azure. The latest version of the Azure VM Agent is required for Azure Backup to work correctly. If the agent is not installed or is outdated,
the Backup Pre-Check status might display a warning.
upvoted 1 times

  JYKL88 1 year, 2 months ago


This came out in my exam
upvoted 7 times

  klexams 1 year, 3 months ago


Selected Answer: B

B. VM1 does not have the latest version of the Azure VM Agent (WaAppAgent.exe) installed.
upvoted 1 times

  Mev4953 1 year, 4 months ago


Selected Answer: B

Correct answer B
https://github.com/MicrosoftDocs/azure-docs/blob/main/articles/backup/backup-azure-manage-windows-server.md#backup-pre-check-status:~:text=Warning%3A%20This%20state,a%20warning%20state.
upvoted 3 times

  Dobby25 1 year, 11 months ago


Received this on my exam today 19/03/2022
upvoted 5 times

  Pasmo 1 year, 11 months ago


Selected Answer: B

Correct Answer: B
Warning indicates one or more issues in the VM's configuration that might lead to backup failures. It provides recommended steps to
ensure successful backups. For example, not having the latest VM Agent installed can cause backups to fail intermittently. This situation
will provide a warning state.

https://github.com/MicrosoftDocs/azure-docs/blob/main/articles/backup/backup-azure-manage-windows-server.md
upvoted 4 times

  JIGT 2 years, 1 month ago


vm is stopped
upvoted 2 times

  Netspud 2 years ago


You can backup a stopped VM.
upvoted 8 times

  Gumer 2 years, 3 months ago


Got this on 27/10 exam
upvoted 2 times

  LeomHD 2 years, 4 months ago


Correct according to the URL
upvoted 1 times

Question #62 Topic 4

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an Azure virtual machine named VM1. VM1 was deployed by using a custom Azure Resource Manager template named ARM1.json.

You receive a notification that VM1 will be affected by maintenance.

You need to move VM1 to a different host immediately.

Solution: From the Overview blade, you move the virtual machine to a different resource group.

Does this meet the goal?

A. Yes

B. No

Correct Answer: B

You would need to redeploy the VM.

Reference:

https://docs.microsoft.com/en-us/azure/virtual-machines/windows/redeploy-to-new-node

Community vote distribution


B (100%)

  JayLearn2022 Highly Voted  12 months ago

There are several versions of this question. The following are the correct and incorrect answers that will be presented.

Correct Answer: Meets the goal.


-Solution: From the Redeploy blade, you click Redeploy.

Incorrect Answers: Does not meet the goal.


-Solution: From the Overview blade, you move the virtual machine to a different subscription.

-Solution: From the Update management blade, you click Enable.

-Solution: From the Overview blade, you move the virtual machine to a different resource group.
upvoted 14 times

  Omar_Aladdin Highly Voted  2 years, 4 months ago

Redeploy the machine. Reply if I was wrong.


upvoted 13 times

  theOldOne 2 years, 4 months ago


As the other questions of this type have stated. Redeploy the machine.
upvoted 5 times

  garmatey Most Recent  8 months, 2 weeks ago

What exactly does "host" mean here?


upvoted 1 times

  moshos 1 year ago

Selected Answer: B

Correct Answer: B
upvoted 2 times

  EmnCours 1 year, 5 months ago

Selected Answer: B

Correct Answer: B
upvoted 1 times

  Dannxx 1 year, 5 months ago


The Q says "...move the virtual machine to a different resource group", which basically does not do anything, used just for management
purposes.
upvoted 1 times

  j777 2 years ago


So, what is the difference between move and redeploy? Because from what I read redeploy is actually turning off the machine. While
moving is just going to another location without powering down. I would think you would still have the same settings.
upvoted 1 times

  klexams 1 year, 4 months ago


Redeploy means it moves the VM to a different host.
upvoted 3 times

  Dannxx 1 year, 5 months ago


The Q says "...move the virtual machine to a different resource group", which basically does not do anything, used just for management
purposes.
upvoted 2 times

  JIGT 2 years, 1 month ago


Selected Answer: B

redeploy
upvoted 3 times

Question #63 Topic 4

HOTSPOT -

You have an Azure subscription.

You plan to use Azure Resource Manager templates to deploy 50 Azure virtual machines that will be part of the same availability set.

You need to ensure that as many virtual machines as possible are available if the fabric fails or during servicing.

How should you configure the template? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

Box 1: 2 -

Use two fault domains.

2 or 3 is max, depending on which region you are in.


Box 2: 20 -

Use 20 for platformUpdateDomainCount

Increasing the update domain (platformUpdateDomainCount) helps with capacity and availability planning when the platform reboots nodes. A higher number for the pool (20 is max) means that fewer of their nodes in any given availability set would be rebooted at once.

Reference:

https://www.itprotoday.com/microsoft-azure/check-if-azure-region-supports-2-or-3-fault-domains-managed-disks

https://github.com/Azure/acs-engine/issues/1030

  pakman Highly Voted  2 years, 4 months ago

first box: platformFaultDomainCount should be 3 (since it's in East US)


ref: https://stackoverflow.com/questions/49779604/how-to-find-maximum-update-domains-fault-domains-available-in-an-azure-region

second box: platformUpdateDomainCount = 20


upvoted 82 times

  Omar_Aladdin 2 years, 4 months ago


Yeah it is a trick; UpdateDomains are up to 20 Domains only,
there isn't 30/40 update domains available for a single availability-set, so far in azure
upvoted 6 times

  vijesh_shenoy 2 years, 4 months ago


Yes, but they have the below caveat:
"You need to ensure that as many virtual machines as possible are available if the fabric fails or during servicing.".

East US - you could have 2-3 fault domains.


So, Correct answer is 2 and 20
upvoted 6 times

  juniorccs 1 year, 9 months ago


If you can have 2 or 3 and it asks for the max of VMs, why would you choose 2 fault domains? If you have two and 50 VMs, if your
domain fails you will lose 25; in the case of 3 fault domains you would lose only 18 or 18 or 14, because the 50 are split in the 3
domains...
upvoted 31 times

  MahadevVasista 2 years, 2 months ago


I agree with 3 FD, since we have the condition "You need to ensure that as many virtual machines needs to be available on failure"
Having 3 FD will ensure - 1FD: 17 VM, 2FD: 17 VM and 3FD: 16 VM each.
If one FD goes down we will have max VMs available at any given time rather than choosing 2 FDs of 25 VM each.
upvoted 8 times

  EleChie Highly Voted  2 years ago

Number of Fault Domains per region

| Region | Max # of Fault Domains |
|---|---|
| East US | 3 |
| East US 2 | 3 |
| West US | 3 |
| West US 2 | 2 |
| Central US | 3 |
| North Central US | 3 |
| South Central US | 3 |
| West Central US | 2 |
| Canada Central | 3 |
| Canada East | 2 |
| North Europe | 3 |
| West Europe | 3 |
| UK South | 2 |
| UK West | 2 |
| East Asia | 2 |
| South East Asia | 2 |
| Japan East | 2 |
| Japan West | 2 |
| South India | 2 |
| Central India | 2 |
| West India | 2 |
| Korea Central | 2 |
| Korea South | 2 |
| UAE North | 2 |
| China East | 2 |
| China East 2 | 2 |
| China North | 2 |
| China North 2 | 2 |
| Australia East | 2 |
| Australia Southeast | 2 |
| Australia Central | 2 |
| Australia Central 2 | 2 |
| Brazil South | 2 |
| US Gov Virginia | 2 |
| US Gov Texas | 2 |
| US Gov Arizona | 2 |
| US DoD Central | 2 |
| US DoD East | 2 |

Ref: https://github.com/MicrosoftDocs/azure-docs/blob/master/includes/managed-disks-common-fault-domain-region-list.md#number-of-fault-domains-per-region
upvoted 17 times

  xRiot007 8 months, 2 weeks ago


And MS expects us to memorize this garbage ? Gimme a break
upvoted 33 times

  GoldenDisciple2 5 months, 1 week ago


https://www.azurespeed.com/Information/AzureAvailabilityZones

This link posted by RickySmith shows that they all have 3 FD's.
upvoted 1 times

  Ark_Phoenix 6 months, 1 week ago


nope, only one third of the list. The left over are all 2s. :D
upvoted 2 times

  renzoku 1 year, 4 months ago


oh god, I have to memorize that whole list
upvoted 30 times

  SkyZeroZx Most Recent  1 month, 1 week ago

Another ridiculous question, how can we remember all the maximum number of fault domain for each region?
upvoted 3 times

  RickySmith 6 months, 1 week ago


https://www.azurespeed.com/Information/AzureAvailabilityZones - All availability zones are now 3.
Probably best other ref for answer.
https://learn.microsoft.com/en-us/azure/virtual-machines/availability-set-overview#how-do-availability-sets-work
"Each virtual machine in your availability set is assigned an update domain and a fault domain by the underlying Azure platform. Each
availability set can be configured with up to 3 fault domains and 20 update domains."
upvoted 10 times

  SgtDumitru 2 months, 2 weeks ago


Microsoft showing mercy upon AZ-104 exam contenders.
upvoted 1 times

  AzZnLuVaBoI 10 months, 3 weeks ago


On the Exam 3/29/23.
upvoted 8 times

  Rams_84zO6n 10 months, 3 weeks ago


as many virtual machines as possible are available if the fabric fails or during servicing. - With FD=2, only 25 VMs will be available. With
FD=3, you get 33 VMs on fault. So FD=3 is better option than FD=2. As for UPD, UPD=max (UPD)=20.
upvoted 1 times

  GeeB1 11 months, 1 week ago


3 FD 20 UD
upvoted 2 times

  shadad 11 months, 2 weeks ago


I took the Azure-104 exam on 27/2/2023.
I scored 920 points out of 1000 points. This was on it and my answer was:
Max. Fault domain=3
Max. Update domain =20
It's nonsense to remember and memorize the number of Fault Domains per region lol
upvoted 15 times

  obaali1990 11 months ago


That is why we are topping up on this platform. Lol
upvoted 6 times

  Spam101198 11 months, 2 weeks ago


Max. Fault domain=3
Max. Update domain =20
upvoted 5 times

  zellck 1 year ago


1. 3
2. 20

https://learn.microsoft.com/en-us/azure/virtual-machines/availability-set-overview#how-do-availability-sets-work
Each virtual machine in your availability set is assigned an update domain and a fault domain by the underlying Azure platform. Each
availability set can be configured with up to three fault domains and twenty update domains.
upvoted 6 times

  alirasouli 1 year, 3 months ago


In each availability set:
- Maximum platformFaultDomainCount is 2 or 3, depending on the region you are deploying in.
- Maximum platformUpdateDomainCount is 20.

These regions have 3 Fault Domains:


* East US
* East US 2
* West US
* Central US
* North Central US
* South Central US
* Canada Central
* North Europe
* West Europe
The rest have 2 Fault Domains.
upvoted 6 times

  bdumois 1 year, 4 months ago


I say select the maximum number for both Fault domains and update domains.
Box1: 3
Box2: 20
upvoted 5 times

  randy0077 1 year, 4 months ago


ans is 3 and 20. confirmed.
upvoted 3 times

  EmnCours 1 year, 5 months ago


Box 1: 2 -
Use two fault domains.
2 or 3 is max, depending on which region you are in.

Box 2: 20 -
Use 20 for platformUpdateDomainCount
Increasing the update domain (platformUpdateDomainCount) helps with capacity and availability planning when the platform reboots
nodes. A higher number for the pool (20 is max) means that fewer of their nodes in any given availability set would be rebooted at once.
upvoted 1 times

  David1990 1 year, 5 months ago


3 20 correct answer
upvoted 2 times

  juniorccs 1 year, 9 months ago


I tested today, you can create 3 fault domains (max) in eastus, so the answer is 3 and 20, because the update domain max is 20. Don't
know why 2, it's not right in my point of view
upvoted 2 times

  Armina 1 year, 9 months ago


update: eastUS -> 3 fault domains ( region dependent )
update domains is 20 everywhere
https://docs.microsoft.com/en-us/azure/virtual-machines/availability
upvoted 2 times

  Armina 1 year, 9 months ago


Explanations:
An availability group is a logical grouping feature that allows you to ensure in Azure that the VM resources it contains are isolated from
each other when they are deployed in an Azure data center. Azure ensures that the virtual machines within an availability group are
distributed across multiple physical servers, compute racks, storage units and network switches. If a hardware or software error occurs
in Azure, only a part of your VMs will be affected and the application as a whole remains operational and will remain available to your
customers. Availability groups are an important function for creating reliable cloud solutions.
upvoted 1 times

  Armina 1 year, 9 months ago


In a typical VM-based solution, there may be four front-end web servers and two back-end VMs. You can define two availability
groups in Azure before deploying your VMs: an availability group for the web level and an availability group for the back-end level.
When creating a new VM, you can then specify the availability group as a parameter for the "az vm create" command so that Azure
automatically ensures that the VMs created in the availability group are isolated across multiple physical hardware resources. If
there is a problem with the physical hardware running your web server or back-end VMs, you can be confident that the other
instances of your web server and back-end VMs will continue to run properly because they are on other hardware.
upvoted 1 times

  Armina 1 year, 9 months ago


Each virtual machine in the availability group is assigned to an update domain (UD) and an error domain (FD) of the underlying
Azure platform. For a specific availability group, five non-user-configurable update domains are assigned by default (Resource
Manager deployments can then be enlarged to provide up to 20 update domains) to identify the virtual machine groups and their
physical hardware elements that can be restarted at the same time. If more than five virtual machines are configured within an
availability group, the sixth virtual machine is stored in the same update domain as the first virtual machine, the seventh in the
same update domain as the second virtual machine, etc. During scheduled maintenance, the update domains may not be
restarted in order, but only one update domain will be restarted at a time. A newly started update domain waits 30 minutes
before initiating maintenance for another update domain.
upvoted 1 times

  Armina 1 year, 9 months ago


Moreover, Fault domains define the group of virtual machines that share a power source and a network switch. By default, the
virtual machines configured within your availability group are distributed over up to three error domains for Resource
Manager deployments (two error domains for classic deployments). Although availability groups cannot fully protect your
application from operating system or application failures itself, they reduce the impact of potential hardware failures, network
failures or power interruptions.

The number of error domains for managed availability groups vary by region: two or three per region.
upvoted 1 times

Question #64 Topic 4

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an Azure virtual machine named VM1 that runs Windows Server 2016.

You need to create an alert in Azure when more than two error events are logged to the System event log on VM1 within an hour.

Solution: You create an Azure Log Analytics workspace and configure the Agent configuration settings. You install the Microsoft Monitoring Agent

on VM1. You create an alert in Azure Monitor and specify the Log Analytics workspace as the source.

Does this meet the goal?

A. Yes

B. No

Correct Answer: A

Alerts in Azure Monitor can identify important information in your Log Analytics repository. They are created by alert rules that automatically run log searches at regular intervals, and if results of the log search match particular criteria, then an alert record is created and it can be configured to perform an automated response.

The Log Analytics agent collects monitoring data from the guest operating system and workloads of virtual machines in Azure, other cloud providers, and on-premises. It collects data into a Log Analytics workspace.

References:

https://docs.microsoft.com/en-us/azure/azure-monitor/learn/tutorial-response
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/agents-overview

Community vote distribution


A (100%)

odisor Highly Voted 2 years ago

The answer is correct.


1. Log analytics agent - Install in VM.
2. Log analytics workspace - collect the log files from Log Analytics Agent.
3. Azure Monitor - Create alert based on logs read from Log Analytics Workspace.
upvoted 24 times

ScoutP Highly Voted 2 years, 4 months ago

This question was asked on exam taken on Sept 30, 2021


upvoted 11 times

DimsumDestroyer Most Recent 5 months, 3 weeks ago

Selected Answer: A

Answer is correct
upvoted 1 times

eksmp 5 months, 3 weeks ago

I see this question coming back 3 times with the following differences:
- configure the Agent configuration settings. You install the Microsoft Monitoring Agent on VM1 (question 64)
- configure the data settings. You add the Microsoft Monitoring Agent VM extension to VM1. (question 70)
- configure the data settings. You install the Microsoft Monitoring Agent on VM1 (question 71)
Everyone agrees that the second one (extension) is wrong. But everyone also seems to agree that the two others are correct?
upvoted 4 times

Dat_doge 11 months, 3 weeks ago


Selected Answer: A

correct
upvoted 1 times

curtmcgirt 11 months, 3 weeks ago


did this question get reworded? all of the comments talk about "log analytics agent," but the question says to install "microsoft monitoring
(scom) agent". log analytics is being replaced by AZURE monitoring agent (not microsoft monitoring agent) in august 2024. are we all still
sure 'microsoft monitoring agent' is what needs to be installed here?
upvoted 1 times

azaad_a 1 year, 4 months ago


Exam Question 08OCT2022
upvoted 5 times
EmnCours 1 year, 5 months ago

Selected Answer: A

Correct Answer: A
Alerts in Azure Monitor can identify important information in your Log Analytics repository. They are created by alert rules that
automatically run log searches at regular intervals, and if results of the log search match particular criteria, then an alert record is created
and it can be configured to perform an automated response.
The Log Analytics agent collects monitoring data from the guest operating system and workloads of virtual machines in Azure, other cloud
providers, and on-premises. It collects data into a Log Analytics workspace.
References:
https://docs.microsoft.com/en-us/azure/azure-monitor/learn/tutorial-response
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/agents-overview
upvoted 2 times


dasEnder 1 year, 9 months ago


Selected Answer: A

Correct.
upvoted 1 times

ajayasa 1 year, 11 months ago


this question was there on 16/03/2022 with same question and passed with 900 percent
upvoted 2 times

MentalG 1 year, 10 months ago


900 is a score not a percentage, but congrats on you passing mate :)
upvoted 3 times

Pasmo 1 year, 11 months ago


Correct
upvoted 1 times

pakman 2 years, 4 months ago


Correct.
upvoted 2 times
Question #65 Topic 4

HOTSPOT -

You have an Azure subscription.

You deploy a virtual machine scale set that is configured as shown in the following exhibit.

Use the drop-down menus to select the answer choice that answers each question based on the information presented in the graphic.
NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

Reference:

https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-autoscale-portal

shravan101 Highly Voted 2 years, 1 month ago

box-1 : 3
box-2: 1
upvoted 42 times

mufflon 2 years ago

Why is it 1 on the second question? It decreases by 1 when CPU utilization goes below 25%, but there is no rule for when to count down
again and so on. It only exists for the scale out rule.
upvoted 8 times

xRiot007 8 months, 2 weeks ago

The scale in rule applies every 10 minutes. It decreases VM count by 1, meaning -6 in 60 minutes. We can't have -1 VMs and we can't
have 0 either, because the minimum is 1.
upvoted 4 times

Mohd1899 1 year ago

There must be a duration, otherwise it will not scale in properly.
For example, if it does not consider the duration for scale in, it will never go less than 4 VMs.
That's why I agree Box 2 should be 2; we should consider scale out duration for scale in too.
upvoted 1 times

Mohd1899 1 year ago


sorry my typo mistake Box2 should be 1 scale in (-1) vm every 10 minutes.
upvoted 2 times

Hyrydar 1 year, 5 months ago

I agree with you because it did not say when the duration for countdown starts... and by the way, the question states there are 5
instances to start with. We must not assume what these questions are asking of us. Go with the strict and stated meaning of the
question. I say 3 for box1 and 4 for box2. Please somebody correct if I am wrong.
upvoted 8 times

buzzerboy 1 year, 1 month ago

Wouldn't it scale in every 10 minutes and decrease count by 1 unit? From 10am to 11am there are 6 x 10 min slots. Each time it
scales in, it will bring the count down by 1 until it reaches minimum which is 1?
upvoted 2 times

Hyrydar 1 year, 5 months ago


Mufflon, you did not say what your answer is.
upvoted 2 times

JayLearn2022 Highly Voted 12 months ago

Box-1 : 3
Initial starts 2 VM's 15 minutes have passed. at 10 minutes 1 VM was added we now have 3 VM's. Cool down is 5 Minutes before another
10 minute wait cycle starts so the answer is 3.

Box-2: 1
Initial 5 VM's 60 minutes Pass. 1 VM removed every 15 minute cycle. 10 minutes wait timer plus 5 minute cool down equals 15 minutes
cycle. Four 15 minute cycles pass equaling 60 minutes removing 4 VM's. We have 1 VM left.

Default Scale in and Out Default Durations are 10 minutes with 5 minute cool down.

The default scale set settings in Azure are:


-Minimum number of instances 1
-Maximum number of instances 10
-Scale out CPU threshold (%) 75
-Duration in minutes 10
-Number of instances to increase by 1
-Scale in CPU threshold (%) 25
-Number of instances to decrease by -1

https://learn.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-autoscale-portal#create-a-rule-to-automatically-scale-in
upvoted 30 times

sardonique 5 months ago


unfortunately these questions are poorly formulated. Why do you assume that at the 9:00 the count is 2? there is no mention about the
cpu usage before 9:00, and moreover this is a custom policy, how do you know that the cooldown time is 5 minutes (i know that it's the
default time). I hate the lack of context in these questions
upvoted 1 times

kcanwi 10 months, 3 weeks ago


"1 VM removed every 15 minute cycle"

May I know how you got the value 15 mins?


upvoted 1 times

mlooney 10 months, 2 weeks ago


"Default Scale in and Out Default Durations are 10 minutes with 5 minute cool down. "
upvoted 3 times

Slimus 8 months, 3 weeks ago


I don't see 5 min cool down value anywhere. Is it a default value?
upvoted 2 times
EzBL Most Recent 1 month ago

Duration value is only used for data range - how much data autoscaling system has to aggregate to determine if rule applies or not.
Cooldown - how much time has to pass before next autoscale operation to trigger. So once you start your app the first autoscale may
happen not earlier than after duration value (because you need specific data range). Each next will happen every cooldown value
upvoted 1 times

AzZnLuVaBoI 10 months, 3 weeks ago


On the Exam 3/29/23.
upvoted 9 times

Rams_84zO6n 10 months, 3 weeks ago


The autoscale job runs every 30 to 60 seconds, depending on the resource type. Until 9:10 AM, rules can't apply because granularity
period not reached. At 9:10 AM, count=3. It quickly jumps up every minute to max value in drop-down which is 5. Between 10-11 AM, the
count starts dropping from 5 to 1. So Box-1: 5, Box-2: 1
upvoted 3 times

zellck 1 year ago


1. 3 (initial count for 2 + scale out 1)
2. 1 (scale in until min. 1 instance)
upvoted 2 times

kameltz 1 year, 1 month ago


Answers are box-1 : 3 and box-2: 1
for the second choice without any countdown duration, the default is 10 mins, so it will reach the minimum of VM.
upvoted 1 times

Rizwannazirabbasi 1 year, 2 months ago


this is correct only .. at 10 am now VMs are it checks every ten minutes ..
utilization is down to 15 percent for 1 hour .. so it will be one for box no 2
upvoted 1 times

Liriano 1 year, 3 months ago


In exam today, go with highly voted
upvoted 2 times

majerly 1 year, 4 months ago


today in exam, box-1 : 3
box-2: 1
upvoted 7 times

Bobby1977 1 year, 5 months ago


B1: 3 B2:4
upvoted 9 times

herodes 12 months ago


this is incorrect as it drops one VM per 15mins. Even though its start on 5VMs after 60 minutes it drops to 1VM. 60/15=4. 5-4=1
upvoted 1 times

ZacAz104 1 year, 5 months ago


minimum VMs are 2 after 15 minutes 2 other should be added so it will be 4 i dont know why it says 3????!!!
upvoted 1 times

Pieman125 1 year, 5 months ago


Because it scales up by one after 10 minutes. So after 10 minutes 1 is added, but it won't add another for another 10 minutes and only
5 more minutes have passed, so the answer is 3.
upvoted 4 times

EmnCours 1 year, 5 months ago


box-1 : 3
box-2: 1
upvoted 1 times

MentalG 1 year, 9 months ago

Why is the second box not 3 as well?
It starts with 5 instances at 10:00AM
10:25: After 25 minutes, it decreases by 1. =4
10:50: After 25 minutes, it decreases by 1. =3
10:50 - 11 - Not enough time to decrease again.

Can someone correct me on this?


upvoted 1 times

MentalG 1 year, 9 months ago


My mistake, there is no duration in minutes for the scale in.
upvoted 3 times
benvdw 1 year, 11 months ago
on exam 13/3/2022
upvoted 3 times

InvisibleShadow 1 year, 11 months ago


This question came in the exam today 8/Mar/2022.
I passed the exam, 95% questions came from here.
upvoted 5 times

Nichols 2 years ago


Impossible to answer box-2, because we don't know the duration and cool down for scale in...
upvoted 4 times

webfunky 1 year, 11 months ago

The answer for box-2 is 1. After creating a scale set, go to the resource, click Scaling under Settings and open the scale in rule. You will
find Duration(minutes) is defaulted to 5. I tested this scenario just to check the default duration because at the time of creating the
VMSS on the portal you don't get an option to choose duration for Scale in.
upvoted 17 times
Question #66 Topic 4

You have web apps in the West US, Central US and East US Azure regions.

You have the App Service plans shown in the following table.

You plan to create an additional App Service plan named ASP5 that will use the Linux operating system.

You need to identify in which of the currently used locations you can deploy ASP5.

What should you recommend?

A. West US, Central US, or East US

B. Central US only

C. East US only

D. West US only

Correct Answer: A

Reference:

https://docs.microsoft.com/en-us/azure/app-service/app-service-plan-manage

Community vote distribution


A (92%) 4%

Snownoodles Highly Voted 2 years, 1 month ago

Hi guys:
What does this question want to test?
I couldn't get the point.
upvoted 38 times

Indy429 1 month, 3 weeks ago

This was such a trick question, like most questions on this exam. I will explain the answer.

You can always create a new App Service plan in any region. Granted the App Service plan can be set for 1 region only. The key word in
answer A is therefore "OR". It is possible to use ASP5 in any of the listed regions, but ONLY IN ONE of the regions. If the answer said
"AND" it would be incorrect. Since it says "OR", A is Correct.

It's absolutely ridiculous to ask questions like this in my opinion. It's like they are trying to set you up for doubt and confusion.
upvoted 2 times

Indy429 1 month, 3 weeks ago


Also to add:

You can also use West US because ASP5 will be a separate App Service Plan for Linux OS. ASP1 is Windows OS, but it is a different
App Service Plan than ASP1. Therefore, all regions would work.
upvoted 1 times

Asymptote 1 year, 3 months ago

questions like this are intended to test the candidates and see how many they can fail and re-take the exam.
upvoted 24 times

ServerBrain 5 months ago


some people pay for this
upvoted 2 times

Spooky7 10 months, 2 weeks ago


There used to be a limitation in which you couldn't have Windows and Linux AppService Plan in the same RESOURCE GROUP. So most
likely this question is referencing that.
upvoted 4 times

JESUSBB Highly Voted 2 years, 2 months ago


In the exam today 11-DEC-2021.
Ans: A. West US, Central US, or East US
upvoted 24 times

LeomHD 2 years, 1 month ago


how do you know?
upvoted 3 times

AZ_Guru_Wannabe 2 years ago


He took the exam, that's how he knows that question was in his exam
upvoted 47 times

Anthony053 1 year, 4 months ago


because web apps are in the West US, Central US and East US Azure regions.
upvoted 1 times

Deepakk Most Recent 2 months, 2 weeks ago

They are emphasizing on OS. ASP5 is for Linux and they have given ASP with region and OS to confuse us.
upvoted 1 times

a03 4 months ago


A
App Service plan:
Free
10 per region
1 free Linux App Service plan per region
Shared
10 per resource group
Basic
100 per resource group
upvoted 2 times

oopspruu 5 months, 4 weeks ago


What an absolutely useless question. Anyways, you can have 10 Free, and 100 Standard or 100 Premium ASP per Region.

https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/azure-subscription-service-limits#app-service-limits
upvoted 8 times

Andreas_Czech 8 months ago

Selected Answer: A

Service Plan Limits:


https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/azure-subscription-service-limits#app-service-limits
we have Standard and Premium Plans -> unlimited Plans per Region
upvoted 3 times

dennysheng 10 months ago


But since you have a Windows based App service plan on West US, how can a Linux app be deployed on that plan?
upvoted 2 times

cloudbaron 9 months, 1 week ago

I think the key lies here - "in which of the currently used ****locations***"
upvoted 2 times

JayLearn2022 12 months ago


The Answer is : A

This question is asking in which regional locations an APP service plan can be deployed to. It tells you it will be a Linux Plan to throw you off
and make you wonder if it matters. Which it does not.

Then it asks what should you recommend to make you think you are supposed to choose. The fact is you can recommend any region.

An APP service plan can be deployed in any region and multiple APP service plans can be deployed in a region.

The Plan type you choose depends on the APPs you're going to deploy and whether the programming language can be run on Linux or
Windows.

https://learn.microsoft.com/en-us/azure/app-service/overview-hosting-plans
upvoted 14 times

Batiste2023 3 months, 3 weeks ago


Thanks. Instead of complaining about useless questions, you gave a good analysis of the questions that need to be answered to arrive
at the right conclusion.

I also don't like the way I am pushed to prepare for this exam, studying these questions like I do. But complaining about it like some
people here do makes the whole effort even more pointless (if that's even possible)...
upvoted 1 times

zellck 1 year ago


Selected Answer: A
A is the answer.
upvoted 2 times

CloudVillain 1 year, 1 month ago

Selected Answer: D

How can you create a single ASP5 in multiple locations at the same time? Surely it's West US since it's missing a Linux App service plan!!
upvoted 1 times

Batiste2023 3 months, 3 weeks ago


Have you studied the meaning of the word "or"? ;-)
upvoted 1 times

RougePotatoe 12 months ago


Consider the following. You have extra chromosomes Y or Y?
upvoted 4 times

Bigc0ck 1 year, 1 month ago

Selected Answer: A

definitely on the test


upvoted 2 times

Max_on_neptune 1 year, 2 months ago


Exam Question 01DEC22
upvoted 5 times

rqFamily 1 year, 2 months ago

Hello, I am planning to take the exam soon. Are most of the questions similar to the ones from this sample exam? Thanks
upvoted 1 times

ALEX_PARIS 1 year, 2 months ago

For me the good answer is D because you already have Linux plan for Central and West US. If you want to spread your app workload
across regions to reduce latency, you actually miss a Linux plan in West US. After creating West US APP plan, you will be able to host app
instances in all 3 regions.
upvoted 3 times

  SuganthM 1 year, 2 months ago


We can host multiple apps in APP plan. They why create and pay for the same region again, its not cost effective, create in West US.
Answer D
upvoted 2 times

klexams 1 year, 3 months ago


A - just a trick question. you can deploy app svc plan in any locations.
upvoted 4 times

GBAU 1 year ago


Yes, but the question is "What should you recommend?". You already have Linux App service plan in the other regions so you should
'recommend' West US as you can just use the Linux AS in the other regions. Having said that they have 2 ASPs in East US, so they clearly
don't care about having multiple....
Very poorly worded question
upvoted 2 times

azaad_a 1 year, 4 months ago


Exam Question 08OCT22
upvoted 2 times

whitezik 1 year, 4 months ago


An App service plan could be any of the regions mentioned, if it was just the deploying the App based on the required OS then it could be
streamlined to the OS+region..so A makes sense
upvoted 2 times

BD1988 1 year, 5 months ago


This question is little tricky as it is asking where to deploy a new App Service Plan that will be based on Linux. It can be deployed anywhere
and whatever is mentioned in the table has no impact on new APPSERVICE PLAN. If it were an app to be deployed out of the 4 app service
plans then we would have to analyze the table data.
upvoted 7 times
Question #67 Topic 4

You plan to deploy several Azure virtual machines that will run Windows Server 2019 in a virtual machine scale set by using an Azure Resource Manager template.

You need to ensure that NGINX is available on all the virtual machines after they are deployed.

What should you use?

A. the New-AzConfigurationAssignment cmdlet

B. a Desired State Configuration (DSC) extension

C. Azure Active Directory (Azure AD) Application Proxy

D. Azure Application Insights

Correct Answer: B

Reference:

https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/dsc-overview

Community vote distribution


B (100%)

reddragondms Highly Voted 2 years, 1 month ago


Correct Answer: B

Note: There are several versions of this question in the exam. The question has two correct answers:
1. a Desired State Configuration (DSC) extension
2. Azure Custom Script Extension
The question can have other incorrect answer options, including the following:
- the Publish-AzVMDscConfiguration cmdlet
- Azure Application Insights
upvoted 26 times

olsenOnS Highly Voted 2 years, 2 months ago

B. a Desired State Configuration (DSC) extension


upvoted 11 times

fuchsm999 Most Recent 11 months, 2 weeks ago

Selected Answer: B

B is correct
upvoted 2 times

vbohr899 11 months, 3 weeks ago


Cleared Exam today 26 Feb, This question was there in exam.
upvoted 3 times

zellck 1 year ago


Selected Answer: B

B is the answer.

https://learn.microsoft.com/en-us/azure/virtual-machines/extensions/dsc-template
upvoted 2 times

omgMerrick 1 year ago

Selected Answer: B

Answer is correct: B. a Desired State Configuration (DSC) extension

A Desired State Configuration (DSC) extension is a way to configure virtual machines in Azure using PowerShell DSC. You can use a DSC
extension to automate the installation of NGINX on the virtual machines in your scale set as part of the deployment process. This will
ensure that NGINX is available on all virtual machines after they are deployed, and it will also help you maintain consistency in your
configuration. To use a DSC extension, you would include the configuration in your Azure Resource Manager template and specify the
extension in the deployment process.
upvoted 1 times

meeko86 1 year, 2 months ago

Selected Answer: B

Correct Answer: B
Azure virtual machine extensions are small packages that run post-deployment configuration and automation on Azure virtual machines.
In the following example, the Azure CLI is used to deploy a custom script extension to an existing virtual machine, which installs a Nginx
webserver.
az vm extension set \
  --resource-group myResourceGroup \
  --vm-name myVM --name customScript \
  --publisher Microsoft.Azure.Extensions \
  --settings '{"commandToExecute": "apt-get install -y nginx"}'
upvoted 1 times

EmnCours 1 year, 5 months ago

Selected Answer: B

Correct Answer: B
upvoted 1 times

InvisibleShadow 1 year, 11 months ago


This question came in the exam today 8/Mar/2022.
I passed the exam, 95% questions came from here.
upvoted 5 times

Empel 2 years ago


Question 59 was the same, is repeated. Desired State Configuration (DSC) extension by the way
upvoted 6 times

JIGT 2 years, 1 month ago


Publish-AzVMDscConfiguration
upvoted 1 times

blockhead72 2 years, 1 month ago


Correct. B.
upvoted 1 times
Question #68 Topic 4

HOTSPOT -

You have an Azure subscription that contains the resources shown in the following table.

In Azure Cloud Shell, you need to create a virtual machine by using an Azure Resource Manager (ARM) template.

How should you complete the command? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

Reference:

https://docs.microsoft.com/en-us/powershell/module/az.resources/new-azresourcegroupdeployment?view=azps-6.6.0

ninjia Highly Voted 2 years, 1 month ago


Box 1: New-AzResourceGroupDeployment. This cmdlet allows you to use a custom ARM template file to deploy resources to a resource
group. For example:

New-AzResourceGroup -Name $resourceGroupName -Location "$location"


New-AzResourceGroupDeployment `
-ResourceGroupName $resourceGroupName `
-TemplateUri "https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/quickstarts/microsoft.compute/vm-simple-windows/azuredeploy.json" `
-adminUsername $adminUsername `
-adminPassword $adminPassword `
-dnsLabelPrefix $dnsLabelPrefix

Box 2: -ResourceGroupName RG1. It’s one of parameters of New-AzResourceGroupDeployment to specify to which resource group you
want to deploy resources.

You could use New-AzVm to create a VM, but it doesn’t use a template. You would need to provide all parameters in the command line.

Reference: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/ps-template
https://docs.microsoft.com/en-us/powershell/module/az.compute/new-azvm?view=azps-7.0.0
upvoted 70 times

sid132 Highly Voted 1 year, 11 months ago

On the exam today, 4.March.2022


upvoted 15 times

zellck Most Recent 1 year ago

1. New-AzResourceGroupDeployment
2. -ResourceGroupName RG1

https://learn.microsoft.com/en-us/powershell/module/az.resources/new-azresourcegroupdeployment
upvoted 9 times
husam421 2 years ago
New-AzResourceGroupDeployment -ResourceGroupName myResourceGroup -TemplateFile

New-AzResourceGroupDeployment `
-Name ExampleDeployment `
-ResourceGroupName RG1 `
-TemplateFile

Answer is correct
upvoted 3 times

MaximKotov 2 years, 1 month ago

The answer is correct! Don't take the command name literally. It's used for custom template deployment. We specify the name of an
existing group and the path to the template.
upvoted 2 times

S3ktar 2 years, 1 month ago

The resource group is already created as per the question. It is asking for the command to deploy a vm, thus the answer is
"New-AZvm".....second part "-ResourceGroupName RG1"
upvoted 1 times

MrBlueSky 2 years, 1 month ago


No. The fact that this is a VM is already specified in the ARM template. We only need to give it a command to deploy into a resource
group, and then specify which resource group.
upvoted 4 times

adrian_borowski 2 years, 1 month ago


Lab thing guys before posting! You are wrong. New-AzVm does NOT accept argument TemplateUri
upvoted 6 times

Yaydel 2 years, 2 months ago


Answer is correct.

https://docs.microsoft.com/ko-kr/powershell/module/az.resources/new-azresourcegroupdeployment?view=azps-0.10.0
upvoted 3 times

hanahjane13 2 years, 2 months ago


New-AzVm `
-ResourceGroupName "myResourceGroup" `
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/quick-create-powershell
upvoted 1 times

adrian_borowski 2 years, 1 month ago


You are wrong. New-AzVm does NOT accept argument TemplateUri
upvoted 3 times

olsenOnS 2 years, 2 months ago


I think the answer is correct.

$resourceGroupName = Read-Host -Prompt "Enter the Resource Group name"


$location = Read-Host -Prompt "Enter the location (i.e. centralus)"
$adminUsername = Read-Host -Prompt "Enter the administrator username"
$adminPassword = Read-Host -Prompt "Enter the administrator password" -AsSecureString
$dnsLabelPrefix = Read-Host -Prompt "Enter an unique DNS name for the public IP"

New-AzResourceGroup -Name $resourceGroupName -Location "$location"


______________________________________________
New-AzResourceGroupDeployment `
-ResourceGroupName $resourceGroupName `
-TemplateUri "https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/quickstarts/microsoft.compute/vm-simple-windows/azuredeploy.json" `
-adminUsername $adminUsername `
-adminPassword $adminPassword `
-dnsLabelPrefix $dnsLabelPrefix
-------------------------------------------------------------------------------

(Get-AzVm -ResourceGroupName $resourceGroupName).name


upvoted 7 times
Question #69 Topic 4

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You deploy an Azure Kubernetes Service (AKS) cluster named AKS1.

You need to deploy a YAML file to AKS1.

Solution: From Azure Cloud Shell, you run az aks.

Does this meet the goal?

A. Yes

B. No

Correct Answer: B

To deploy a YAML file, the command is:

kubectl apply -f <file_name>.yaml

Reference:

https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough

Community vote distribution


B (100%)

j5y Highly Voted 2 years, 7 months ago

Answer: NO

To deploy a YAML file, the command is:


kubectl apply -f example.yaml

Src: https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough
upvoted 40 times

Acai 2 years, 6 months ago


yep yep yep
upvoted 2 times

melatocaroca 2 years, 4 months ago


https://docs.microsoft.com/en-us/azure/aks/concepts-clusters-workloads#deployments-and-yaml-manifests
upvoted 1 times

achmadirvanp Highly Voted 2 years, 7 months ago

Answer is correct, Appear On Exam July 1 2021


upvoted 9 times

obaemf Most Recent 5 months, 1 week ago

Selected Answer: B

Use kubectl apply -f example.yaml


upvoted 2 times

JayLearn2022 12 months ago


There are several versions of this question. The following are the correct and incorrect answers that can be presented.

Correct Answer: Meets the goal.


-Solution: From Azure Cloud Shell, you run the kubectl client.

Incorrect Answers: Does not meet the goal.


-Solution: From Azure Cloud Shell, you run az aks.

-Solution: From Azure CLI, you run azcopy


upvoted 3 times

zellck 1 year ago

Selected Answer: B

B is the answer.

https://learn.microsoft.com/en-us/azure/aks/concepts-clusters-workloads#deployments-and-yaml-manifests
Deployments are typically created and managed with kubectl create or kubectl apply. Create a deployment by defining a manifest file in
the YAML format.
upvoted 1 times

spaceman12 1 year ago


Besides the comments w/ answers here is a short summary I found useful from chatgpt:

az aks is a command-line interface (CLI) tool provided by Microsoft Azure to manage and deploy Kubernetes clusters on Azure, while
kubectl is the command-line tool for interacting with a Kubernetes cluster.

The main difference between the two is the scope of their functionality:

- az aks is focused on provisioning and managing AKS clusters, including creating and scaling the cluster, managing authentication and
network configurations, and upgrading the cluster.

- kubectl is focused on interacting with and managing the components running within a Kubernetes cluster, such as deploying and
managing applications, inspecting cluster state, and troubleshooting issues.

Both tools can be used together to effectively manage an AKS cluster, with az aks being used for cluster-level tasks and kubectl for
workload-level tasks.
upvoted 4 times

ChakaZilly 1 year ago

Yes: This is really a trick question, as Mangocurry points out you can embed kubectl-command in "az aks":
az aks command invoke \
  --resource-group myResourceGroup \
  --name myAKSCluster \
  --command "kubectl apply -f deployment.yaml -n default" \
  --file deployment.yaml
upvoted 1 times

Mangocurry 1 year, 1 month ago

Well, technically you can do this with az aks command invoke so this is a bad question imo :(
https://learn.microsoft.com/en-us/azure/aks/command-invoke
upvoted 1 times

EmnCours 1 year, 5 months ago

Selected Answer: B

Answer: NO
upvoted 1 times

AubinBakana 2 years, 5 months ago


az aks? even if you didn't know the answer you gotta know this is wrong :)
upvoted 5 times
Question #70 Topic 4

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an Azure virtual machine named VM1 that runs Windows Server 2016.

You need to create an alert in Azure when more than two error events are logged to the System event log on VM1 within an hour.

Solution: You create an Azure Log Analytics workspace and configure the data settings. You add the Microsoft Monitoring Agent VM extension to VM1. You create an alert in Azure Monitor and specify the Log Analytics workspace as the source.

Does this meet the goal?

A. Yes

B. No

Correct Answer: B

You must install the Microsoft Monitoring Agent on VM1, and not the Microsoft Monitoring Agent VM extension.

Reference:

https://docs.microsoft.com/en-us/azure/azure-monitor/platform/agents-overview

Community vote distribution


B (86%) 14%

  mlantonis Highly Voted  2 years, 9 months ago

Correct Answer:

You add the Microsoft Monitoring Agent VM extension to VM1 > This is WRONG
You Install the Microsoft Monitoring Agent VM agent to VM1 > This is Correct

1. Log analytics agent - Install in VM.


2. Log analytics workspace - collect the log files from Log Analytics Agent.
3. Azure Monitor - Create alert based on logs read from Log Analytics Workspace.

Reference:

https://docs.microsoft.com/en-us/azure/azure-monitor/platform/agents-overview
upvoted 134 times

  go4adil 2 weeks, 6 days ago


Correct Answer is: B

Microsoft Monitoring Agent (MMA) mentioned in the question is different from Azure Monitoring Agent (AMA), the latest agent. Azure
Monitor Agent replaces the Azure Monitor legacy monitoring agents.

MMA is referred to Log Analytics Agent during its installation setup and agent connectivity verification to Azure Monitor. Refer to below
link

https://learn.microsoft.com/en-us/azure/azure-monitor/agents/agent-windows?tabs=setup-wizard

So, I second mlantonis:


You add the Microsoft Monitoring Agent VM extension to VM1 > This is WRONG
You Install the Microsoft Monitoring Agent VM agent to VM1 > This is Correct

1. Log analytics agent - Install in VM.


2. Log analytics workspace - collect the log files from Log Analytics Agent.
3. Azure Monitor - Create alert based on logs read from Log Analytics Workspace
upvoted 1 times

  Indy429 1 month, 3 weeks ago


Another trick question by MS to try and trip you up. I swear more than half of this test just comes down to your comprehensive reading
skills.
upvoted 4 times

  photon99 3 months, 3 weeks ago


Log Analytics workspace should be the Destination and not to be specified as the source. Here the source is the VM with monitoring
agent.
upvoted 1 times

  Goofer 10 months, 3 weeks ago


In 2023 you can add Microsoft Monitoring Agent VM extension to VM1

See: https://learn.microsoft.com/en-us/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal
upvoted 6 times

  Lapiduse Highly Voted  3 years, 1 month ago

I think the Answer should be - Yes.


You need to click the Add button on Portal-> Settings-> Extensions to Install the Extension on VM.
Azure Monitor currently has multiple agents because of recent consolidation of Azure Monitor and Log Analytics. The Azure Monitor Agent
is implemented as an Azure VM extension.
Windows/Linux name: Microsoft.Azure.Monitor
Windows type: AzureMonitorWindowsAgent
Linux type: AzureMonitorLinuxAgent
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/azure-monitor-agent-install?tabs=ARMAgentPowerShell%2CPowerShellWindows%2CPowerShellWindowsArc%2CCLIWindows%2CCLIWindowsArc
upvoted 33 times

  klexams 1 year, 4 months ago


The question is about MMA (microsoft monitoring agent) which is the legacy agent which needs to be installed on the VM.
upvoted 1 times

  YooOY 2 years, 4 months ago


The Azure Monitor agent is only available as a virtual machine extension. The Log Analytics extension for Windows and Linux install the
Log Analytics agent on Azure virtual machines. The Azure Monitor Dependency extension for Windows and Linux install the
Dependency agent on Azure virtual machines. These are the same agents described above but allow you to manage them through
virtual machine extensions. You should use extensions to install and manage the agents whenever possible.

https://docs.microsoft.com/en-us/azure/azure-monitor/agents/agents-overview#virtual-machine-extensions
upvoted 2 times

  YooOY 2 years, 4 months ago


so add extension does not mean the agent is installed, agent can still be missing.
upvoted 2 times

  spaceman12 1 year ago


Not quite, it seems that installing the extension will also automatically install the agent. See table where it says Agent Installed:
Azure Monitor Agent

Reference docs here:

https://learn.microsoft.com/en-us/azure/azure-monitor/agents/azure-monitor-agent-windows-client
upvoted 1 times

  QiangQiang 3 years ago


agreed, should be yes
upvoted 3 times

  photon99 Most Recent  3 months, 3 weeks ago

Again, Microsoft should remove such LEGACY questions because MMA is being deprecated and replaced by AMA (Azure Monitor Agent).
upvoted 2 times

  Batiste2023 3 months, 3 weeks ago


Well, the point is, Microsoft probably DID remove such legacy questions. Examtopics did not... (Which, to be fair, is difficult to decide
upon - how do you know for sure that a particular question will definitely not be used anymore in the exam??)
upvoted 1 times

  Aniruddha_dravyakar 4 months, 3 weeks ago


You create an Azure Log Analytics workspace and configure the Agent configuration settings. You install the Microsoft Monitoring Agent
on VM1. You create an alert in Azure Monitor and specify the Log Analytics workspace as the source.
upvoted 1 times

  oopspruu 5 months, 4 weeks ago


Either the question is old or worded poorly. Assuming Azure Monitor Agent and Microsoft Monitoring Agent are 2 different things, the
Answer B is valid as you can add Azure Monitor Agent as an extension but not MMA.
However, it's 2023 and AMA should replace MMA now so you can add AMA as an extension.

Not sure who to blame here. ET for an old question with old terminology or MS for wording the question so poorly.
upvoted 2 times

  Muffay 1 year, 1 month ago

Selected Answer: B

After some research now I understand why it should be B:


https://learn.microsoft.com/en-us/azure/virtual-machines/extensions/features-linux?tabs=azure-cli#use-cases-and-samples

Note that the Monitoring extension is for *LINUX*, not for Windows.

I hope this question is replaced with a new one, as Azure Monitor Agent should replace the previous Microsoft Monitoring Agent, and then
it would be this extension:
https://learn.microsoft.com/en-us/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal#virtual-machine-extension-details
upvoted 1 times

  EmnCours 1 year, 5 months ago

Selected Answer: B

Correct Answer: B
upvoted 2 times

  atilla 1 year, 6 months ago


event should be logged to the System event log on the VM.. it says not that Log Analytics workspace should be used
upvoted 1 times

  sayedd 1 year, 6 months ago


So many errors in examtopics dumps and the support team is doing nothing..
What is the difference between this question and question next to this that is question 2 ??
upvoted 1 times

  lebowski 1 year, 5 months ago


This question: "You add the Microsoft Monitoring Agent VM extension to VM1"
Next question: "You install the Microsoft Monitoring Agent VM extension to VM1"
upvoted 2 times

  garmatey 8 months, 2 weeks ago


next question isn't an extension
upvoted 1 times

  Jay1111 1 year, 6 months ago


Should be No. It talks about Microsoft Monitoring agent(MMA) and not Azure Monitor agent and MMA is not available as an extension but
only as installable.

https://docs.microsoft.com/en-us/services-hub/health/mma-setup
upvoted 1 times

  Dileep75 1 year, 7 months ago


I would go with yes. I don't think we have to worry about add and install.. for me both look the same.
upvoted 1 times

  Dileep75 1 year, 7 months ago


this is funny .. the next question , they are back with install word . :( . If it comes in exam , i will go with No.
upvoted 1 times

  ThatDowntownSmell 1 year, 8 months ago


The key here ultimately is that there are two versions of this same question. Only one is going to be "yes", they aren't going to slightly
word two test questions differently and both come out as "yes". So "no" if it says add, "yes" if it says install.
upvoted 4 times

  manalshowaei 1 year, 8 months ago

Selected Answer: B

B. No
upvoted 1 times

  manalshowaei 1 year, 8 months ago

Selected Answer: B

B. No correct
upvoted 1 times

  Scoobysnaks86 1 year, 8 months ago


add vs install??? really? In a field that we often use the two words interchangeably, THIS is the trick question they decided to ask. ffs
upvoted 5 times

  Def21 1 year, 8 months ago


This is confusing. Azure Monitor agent is a replacement to old ones
"Eventually, the Azure Monitor agent will replace the following legacy monitoring agents that are currently used by Azure Monitor."
https://docs.microsoft.com/en-us/azure/azure-monitor/agents/azure-monitor-agent-overview

It is an extension which is "installed"


"The Azure Monitor agent is implemented as an Azure VM extension with the details in the following table. It can be installed using any of
the methods to install virtual machine extensions including those described in this article."
https://docs.microsoft.com/en-us/azure/azure-monitor/agents/azure-monitor-agent-manage
upvoted 1 times

  michaelmorar 1 year, 9 months ago

Selected Answer: B
Latest reading of this relates option B to 'Microsoft Monitoring Agent VM extension' which is wrong. So B is the correct answer
upvoted 1 times
Question #71 Topic 4

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an Azure virtual machine named VM1 that runs Windows Server 2016.

You need to create an alert in Azure when more than two error events are logged to the System event log on VM1 within an hour.

Solution: You create an Azure Log Analytics workspace and configure the data settings. You install the Microsoft Monitoring Agent on VM1. You create an alert in Azure Monitor and specify the Log Analytics workspace as the source.

Does this meet the goal?

A. Yes

B. No

Correct Answer: A

Alerts in Azure Monitor can identify important information in your Log Analytics repository. They are created by alert rules that automatically run log searches at regular intervals, and if results of the log search match particular criteria, then an alert record is created and it can be configured to perform an automated response.

The Log Analytics agent collects monitoring data from the guest operating system and workloads of virtual machines in Azure, other cloud providers, and on-premises. It collects data into a Log Analytics workspace.

Reference:

https://docs.microsoft.com/en-us/azure/azure-monitor/learn/tutorial-response
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/agents-overview
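
The alert rule this answer describes, written as an ARM template. This is an added example, not part of the original page or the exam material: it runs a log search over the workspace's Event table and fires when more than two System error events from VM1 fall inside a one-hour window. The parameter names, the rule name, the 15-minute evaluation frequency and the computer name 'VM1' as it appears in the Event table are assumptions.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspaceResourceId": {
      "type": "string",
      "metadata": {
        "description": "Assumed parameter: resource ID of the Log Analytics workspace VM1 reports to (the alert source)."
      }
    },
    "actionGroupResourceId": {
      "type": "string",
      "metadata": {
        "description": "Assumed parameter: resource ID of an existing action group to notify."
      }
    }
  },
  "resources": [
    {
      "type": "Microsoft.Insights/scheduledQueryRules",
      "apiVersion": "2021-08-01",
      "name": "vm1-system-errors",
      "location": "[resourceGroup().location]",
      "properties": {
        "displayName": "VM1: more than two System error events in one hour",
        "description": "Example rule. Requires the workspace data settings to collect Error events from the System log.",
        "severity": 2,
        "enabled": true,
        "scopes": [
          "[parameters('workspaceResourceId')]"
        ],
        "evaluationFrequency": "PT15M",
        "windowSize": "PT1H",
        "criteria": {
          "allOf": [
            {
              "query": "Event | where EventLog == 'System' and EventLevelName == 'Error' | where Computer == 'VM1'",
              "timeAggregation": "Count",
              "operator": "GreaterThan",
              "threshold": 2,
              "failingPeriods": {
                "numberOfEvaluationPeriods": 1,
                "minFailingPeriodsToAlert": 1
              }
            }
          ]
        },
        "actions": {
          "actionGroups": [
            "[parameters('actionGroupResourceId')]"
          ]
        }
      }
    }
  ]
}
```

If the agent is missing or the System log is not selected in the workspace data settings, the query returns no rows and the rule never fires, so confirm that Event rows for VM1 are arriving before relying on the alert.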

Community vote distribution


A (100%)

  mlantonis Highly Voted  2 years, 9 months ago


Correct Answer: A - Yes

You add the Microsoft Monitoring Agent VM extension to VM1 > This is WRONG
You Install the Microsoft Monitoring Agent VM agent to VM1 > This is Correct

1. Log analytics agent - Install in VM.


2. Log analytics workspace - collect the log files from Log Analytics Agent.
3. Azure Monitor - Create alert based on logs read from Log Analytics Workspace.

Reference:

https://docs.microsoft.com/en-us/azure/azure-monitor/learn/tutorial-response
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/agents-overview
upvoted 76 times

  xRiot007 8 months, 2 weeks ago


I really think this question is one of those like 'can't see the forest from the trees'. "Adding" can mean any number of things, from
selecting from a list, uploading something or installing something. They should rephrase this to a clearer form or remove it altogether.
upvoted 1 times

  Panapi 11 months, 3 weeks ago


Answer valid! This question was on the exam 22/02/2023. Scored 920. Thanks guys!
upvoted 5 times

  JohnAvlakiotis Highly Voted  3 years, 2 months ago


I mean what's the difference with the above? The words "add" versus "install"? That would be ridiculous...
upvoted 34 times

  JohnnyChimpo 1 year ago


Agent is installed directly in the host. Extension is added in the Azure portal
upvoted 2 times

  JohnAvlakiotis 3 years, 2 months ago


I saw the difference in the extension name. Anyway, it's correct.
upvoted 9 times

  Magis 1 year, 4 months ago


In my opinion both are correct as when you add extension it installs agent in a background anyway.
upvoted 1 times

  QiangQiang 3 years ago


it's still ridiculous
upvoted 7 times

  j777 2 years ago


I know it's over year since you answered, but if you look at both one said agent VM extension and the other just said agent.
upvoted 3 times

  AubinBakana 2 years, 5 months ago


Microsoft tries not to have everything installed for memory, storage, and performance. Installing and adding are 2 different things.
This question is important because if you're in a work environment and try to add and it's not there, you might not know what to do
unless you know that the extension need to be installed first, before it appears

It's not a trick.


upvoted 3 times

  Kalzonee3611 Most Recent  4 months, 1 week ago

That exam is trash. Honestly, some of these questions.


upvoted 1 times

  duckbae 6 months, 4 weeks ago


Selected Answer: A

Log Analytics
upvoted 1 times

  JayLearn2022 12 months ago


There are several different versions of this question. The following are the correct and incorrect solutions you might encounter.

Correct Solution:
-Solution: You create an Azure Log Analytics workspace and configure the data settings. You install the Microsoft Monitoring Agent on
VM1. You create an alert in Azure Monitor and specify the Log Analytics workspace as the source.

Incorrect Solutions:
-Solution: You create an Azure storage account and configure shared access signatures (SASs). You install the Microsoft Monitoring Agent
on VM1. You create an alert in Azure Monitor and specify the storage account as the source.

-Solution: You create an event subscription on VM1. You create an alert in Azure Monitor and specify VM1 as the source.
upvoted 2 times

  EmnCours 1 year, 5 months ago

Selected Answer: A

Correct Answer: A
upvoted 1 times

  manalshowaei 1 year, 8 months ago

Selected Answer: A

A. Yes
upvoted 2 times

  manalshowaei 1 year, 8 months ago

Selected Answer: A

A. Yes
upvoted 2 times

  watermeloner 1 year, 9 months ago


should we use VM insight nowadays?
upvoted 1 times

  josevirtual 1 year, 11 months ago

Selected Answer: A

A - Yes is correct
upvoted 2 times

  ajayasa 1 year, 11 months ago


this question was there on 16/03/2022 with same question and passed with 900 percent
upvoted 2 times

  pappkarcsiii 2 years ago


You add the Microsoft Monitoring Agent VM extension to VM1 > This is WRONG
You Install the Microsoft Monitoring Agent VM agent to VM1 > This is Correct
upvoted 2 times
  JESUSBB 2 years, 2 months ago
In exam today 11-DEC-2021 Ans: Yes
upvoted 3 times

  ohana 2 years, 4 months ago


Took the exam today on 17 Oct. This question came out. Ans: Yes
upvoted 4 times

  orion1024 2 years, 4 months ago


I'm confused. As per https://docs.microsoft.com/en-us/azure/azure-monitor/agents/agents-overview

"The Azure Monitor agent is only available as a virtual machine extension."

So it should be B right ? Or does Microsoft considers that adding an extension is the same as installing the agent ? They shouldn't since
they clearly differentiate between this question and the previous one.
upvoted 2 times

  AubinBakana 2 years, 5 months ago


Answer is correct.

Microsoft tries not to have everything installed for memory, storage, and performance. Installing and adding are 2 different things. This
question is important because if you're in a work environment and try to add and it's not there, you might not know what to do unless you
know that the extension need to be installed first before it appears

It's not a trick.


upvoted 1 times

  AubinBakana 2 years, 5 months ago


If you got the previous answer wrong, you definitely have a chance to get this one right because this question brings to your attention
that the extension is to be installed first.

Answer is correct
upvoted 1 times
Question #72 Topic 4

You have an Azure subscription that contains the resources shown in the following table.

All virtual machines run Windows Server 2016.

On VM1, you back up a folder named Folder1 as shown in the following exhibit.

You plan to restore the backup to a different virtual machine.

You need to restore the backup to VM2.

What should you do first?

A. From VM1, install the Windows Server Backup feature.

B. From VM2, install the Microsoft Azure Recovery Services Agent.

C. From VM1, install the Microsoft Azure Recovery Services Agent.

D. From VM2, install the Windows Server Backup feature.

Correct Answer: B

Reference:

https://docs.microsoft.com/en-us/azure/backup/backup-azure-restore-windows-server

Community vote distribution


B (92%) 8%

  Asymptote Highly Voted  1 year, 3 months ago

Microsoft Azure Recovery Services Agent also known as MARS or Azure Backup Agent can be used to restore data for entire volume or just
individual folders and files.

reference:
https://learn.microsoft.com/en-us/azure/backup/restore-all-files-volume-mars
upvoted 12 times

  Kem81 Highly Voted  1 year, 4 months ago


A bit confused on this question. From my understanding, I thought RSV could only backup from resources located in the same region?
VM2 is in a different region here.
upvoted 6 times

  eduardokm 6 months, 2 weeks ago


MARS is a brick level backup, for VM on cloud or VM/Physical machines on-premises, as traditional backup tools. It is for other scopes.
upvoted 1 times

  madao322 10 months, 3 weeks ago


MARS Agent can recover data without region restriction and that is why it exists on top of the normal RSV. correct me if i am wrong :)
upvoted 4 times

  JoshuaAlkar 1 year, 1 month ago


this is what I thought too
upvoted 1 times

  rishisoft1 Most Recent  8 months ago


The question asks, what will you do first? FO MARS agent will be installed on VM2. Since VM2 is another region and MARS agent can't
access it, need to copy the back up to EASt region then MARS agent can restore VM2.
upvoted 2 times

  vinsom 9 months, 2 weeks ago


Question looks dubious. Azure docs states 'The new VM must be created in the same region as the source VM'
Reference: https://learn.microsoft.com/en-us/azure/backup/backup-azure-arm-restore-vms
upvoted 1 times

  zellck 1 year ago


Selected Answer: B

B is the answer.

https://learn.microsoft.com/en-us/azure/backup/backup-azure-about-mars#recovery-scenarios
upvoted 2 times

  BShelat 1 year, 1 month ago


I am puzzled. Even though installing MARS agent on VM2 how can we restore VM1 's backup on VM2? VM1 and RSV are sitting in EAST US
and VM2 is sitting west US. My understanding is that one can restore in the same region only. Let me know how my understanding is
wrong.
upvoted 1 times

  vinsom 9 months, 2 weeks ago


Perfectly right. Azure docs states 'The new VM must be created in the same region as the source VM'
Reference: https://learn.microsoft.com/en-us/azure/backup/backup-azure-arm-restore-vms
upvoted 1 times

  UK7 1 year, 1 month ago

Selected Answer: B

Came on 21st Dec 2022 (score 930)


Answer B
upvoted 4 times

  awssecuritynewbie 1 year, 4 months ago


I thought it was Windows backup and recovery the image shown in the question so i would say D
upvoted 2 times

  klexams 1 year, 4 months ago


no. the screenshot is from MARS agent. So it's B.
upvoted 3 times

  Burnie 1 year, 5 months ago


Tested in lab: B
upvoted 2 times

  NassimB 1 year, 5 months ago

Selected Answer: B

you recover from the target


upvoted 2 times

  Lu5ck 1 year, 5 months ago

Selected Answer: C

nope, i think it's C because there is no Indication that VM1 is already backing up to the vault. What we see here is the local window server
backup features.
upvoted 1 times

  EmnCours 1 year, 5 months ago

Selected Answer: B

B. From VM2, install the Microsoft Azure Recovery Services Agent.


upvoted 2 times

  virgilpza 1 year, 5 months ago

Selected Answer: B

correct ans: B
upvoted 1 times
  WISSYWISE 1 year, 5 months ago
The answer is correct:B
upvoted 1 times

  Jenny2021 2 years, 4 months ago


The answer is correct
upvoted 2 times
Question #73 Topic 4

HOTSPOT -

You have an Azure subscription.

You need to use an Azure Resource Manager (ARM) template to create a virtual machine that will have multiple data disks.

How should you complete the template? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:
Correct Answer:

  ppp131176 Highly Voted  2 years, 7 months ago

Is correct: https://docs.microsoft.com/nl-nl/azure/azure-resource-manager/templates/copy-properties
upvoted 41 times

  chaudha4 2 years, 5 months ago


https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/copy-properties
upvoted 12 times

  Asymptote 1 year, 3 months ago


Hi....Aanmelden
upvoted 2 times

  achmadirvanp Highly Voted  2 years, 7 months ago

Answer is correct, Appear On Exam July 1 2021


upvoted 20 times

  VVR141 2 years, 7 months ago


came across any LABS ?
upvoted 3 times

  AntaninaD Most Recent  5 months ago

Got this question on 09/09/23


upvoted 12 times

  Denis_Raymond 4 months, 2 weeks ago


I also got it early this week.
upvoted 5 times

  Kritiprasan 5 months ago


Any labs that u came across the test
upvoted 1 times

  zellck 1 year ago


1. copy
2. copyIndex

https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/copy-properties#syntax
Add the copy element to the resources section of your template to set the number of items for a property. The copy element has the
following general format:
- The count property specifies the number of iterations you want for the property

https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/copy-properties#property-iteration
Use the length function on the array to specify the count for iterations, and copyIndex to retrieve the current index in the array.
upvoted 10 times
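
The property iteration discussed in these comments, as a complete template. This is an added example, not the exam exhibit or Microsoft's sample: copy sits inside storageProfile with the name dataDisks, and copyIndex('dataDisks') supplies a zero-based LUN and a unique disk name for each iteration. The parameter names, VM size, image and disk size are assumptions, and the network interface is assumed to exist already.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "vmName": {
      "type": "string",
      "metadata": { "description": "Assumed parameter: name of the VM to create." }
    },
    "adminUsername": {
      "type": "string",
      "metadata": { "description": "Assumed parameter: local administrator name." }
    },
    "adminPassword": {
      "type": "securestring",
      "metadata": { "description": "Assumed parameter: securestring keeps the value out of deployment history." }
    },
    "nicResourceId": {
      "type": "string",
      "metadata": { "description": "Assumed parameter: resource ID of an existing NIC in the VM's region." }
    },
    "numberOfDataDisks": {
      "type": "int",
      "defaultValue": 3,
      "minValue": 1,
      "maxValue": 4,
      "metadata": { "description": "Assumed parameter: capped at the data disk limit of the example VM size." }
    }
  },
  "resources": [
    {
      "type": "Microsoft.Compute/virtualMachines",
      "apiVersion": "2022-11-01",
      "name": "[parameters('vmName')]",
      "location": "[resourceGroup().location]",
      "properties": {
        "hardwareProfile": {
          "vmSize": "Standard_D2s_v3"
        },
        "osProfile": {
          "computerName": "[parameters('vmName')]",
          "adminUsername": "[parameters('adminUsername')]",
          "adminPassword": "[parameters('adminPassword')]"
        },
        "storageProfile": {
          "imageReference": {
            "publisher": "MicrosoftWindowsServer",
            "offer": "WindowsServer",
            "sku": "2016-Datacenter",
            "version": "latest"
          },
          "osDisk": {
            "createOption": "FromImage"
          },
          "copy": [
            {
              "name": "dataDisks",
              "count": "[parameters('numberOfDataDisks')]",
              "input": {
                "name": "[concat(parameters('vmName'), '-datadisk', copyIndex('dataDisks'))]",
                "lun": "[copyIndex('dataDisks')]",
                "createOption": "Empty",
                "diskSizeGB": 128
              }
            }
          ]
        },
        "networkProfile": {
          "networkInterfaces": [
            { "id": "[parameters('nicResourceId')]" }
          ]
        }
      }
    }
  ]
}
```

At deployment Resource Manager replaces the copy array with a dataDisks array of numberOfDataDisks entries, so the default of 3 yields disks at LUN 0, 1 and 2.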

  klexams 1 year, 3 months ago


i didnt know. but yeah copy - copyindex
By adding copy loop to the properties section of a resource in your template, you can dynamically set the number of items for a property
during deployment
and copyIndex to retrieve the current index in the array.
upvoted 8 times

  EmnCours 1 year, 5 months ago


Box1: Copy
Box2: copyIndex
upvoted 3 times

  Armina 1 year, 9 months ago


Box1: Copy
Box2: copyIndex
https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/copy-resources

By adding the copy loop to the resource section of your template, you can dynamically set the number of resources to be deployed. In
addition, you avoid the repetition of template syntax.

The copy loop can also be used with properties, variables and output.

Add the copy element to the resources section of your template to deploy multiple instances of the resource. The copy element has the following general format:

"copy": {
  "name": "<name-of-loop>",
  "count": <number-of-iterations>,
  "mode": "serial" <or> "parallel",
  "batchSize": <number-to-deploy-serially>
}
The copyIndex() function returns the current iteration of the loop. copyIndex() is zero-based.
By default, Resource Manager creates the resources simultaneously. There is no limit to the number of resources provided in parallel,
except for limiting the total number to 800 resources in the template. The order in which they are created is not guaranteed.
upvoted 6 times

  epomatti 1 year, 9 months ago


Copy, copyIndex

Provided answer is correct.


upvoted 2 times

  DrJoness 1 year, 10 months ago


Question appeared on my exam today. April 7 2022
upvoted 6 times

  Dobby25 1 year, 11 months ago


Received this on my exam today 19/03/2022
upvoted 6 times

  sabyasachide 1 year, 11 months ago


How to recall this answer
upvoted 3 times

  zr79 1 year, 11 months ago


https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/copy-properties
upvoted 1 times

  WS_21 1 year, 11 months ago


"copy": [
"[copyIndex

https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/copy-properties
upvoted 1 times

  _punky_ 2 years, 1 month ago


LUN - is associated with index
upvoted 4 times

  deadhead82 2 years, 1 month ago


On a lighter note , you have to have a sharp memory to pass these certs.
upvoted 8 times

  zr79 1 year, 11 months ago


Yes, for Cringy Microsoft
upvoted 4 times

  Karthik3498 2 years, 1 month ago


memory is definitely required, but I don't think it should be sharp as you mean I think if we understand concepts it will be registered in
our brain
upvoted 6 times

  JESUSBB 2 years, 2 months ago


In the exam today 11-DEC-2021 Ans: Copy - CopyIndex
upvoted 9 times

  Takloy 2 years, 3 months ago


Copy
CopyIndex
https://docs.microsoft.com/nl-nl/azure/azure-resource-manager/templates/copy-properties
upvoted 1 times
Question #74 Topic 4

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an Azure subscription named Subscription1 that contains the resources shown in the following table.

Subscription1 also includes a virtual network named VNET2. VM1 connects to a virtual network named VNET2 by using a network interface named NIC1.

You need to create a new network interface named NIC2 for VM1.

Solution: You create NIC2 in RG1 and West US.

Does this meet the goal?

A. Yes

B. No

Correct Answer: A

The virtual machine you attach a network interface to and the virtual network you connect it to must exist in the same location, here West US, also referred to as a region.

Reference:

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface

Community vote distribution


A (75%) B (25%)

  Asymptote Highly Voted  1 year, 3 months ago

Multiple NICs allow a VM to connect to different subnets.

VM must have at least one NIC. A virtual machine can have more than one NIC, depending on the size of the VM you create.

Each NIC attached to a VM must exist in the same location and subscription as the VM.

Each NIC must be connected to a VNet that exists in the same Azure location and subscription as the NIC.

Reference:

https://learn.microsoft.com/en-us/azure/virtual-network/network-overview
upvoted 21 times

  RougePotatoe 1 year ago


Yes. Remember your goal! "You need to create a new network interface named NIC2 for VM1." You can pretty much ignore everything
except for the location of VM1. The question only asked if you can create a new NIC for VM1 in westus not if you can connect it to any
subnets or vNets.

"Each NIC attached to a VM must exist in the same location and subscription as the VM. Each NIC must be connected to a VNet that
exists in the same Azure location and subscription as the NIC. You can change the subnet a VM is connected to after it's created. You
can't change the virtual network. Each NIC attached to a VM is assigned a MAC address that doesn't change until the VM is deleted."

https://learn.microsoft.com/en-us/azure/virtual-network/network-overview#network-interfaces
upvoted 11 times

  RougePotatoe 1 year ago


I've also tested it in a lab to see if NIC 2 being in a different resource group will affect the ability of a VM to use that NIC. VMs can use
NICs in another RG without any issues.
upvoted 3 times

  SgtDumitru Most Recent  2 months, 3 weeks ago


Yes, because VM and NIC should be in same region.
upvoted 2 times

  NoobieWon 6 months, 3 weeks ago


Although creating a resource group requires specifying a region for it to be stored in, the resources in that resource group could span
multiple regions. MS site sites "Azure resource groups are specific to Azure regions. But resources in a resource group often span multiple
regions."
upvoted 1 times

  Tomix 7 months, 2 weeks ago


B. No

The goal is to create a new network interface named NIC2 for VM1. According to the given information, VM1 is located in West US and
connects to VNET2 using NIC1. To meet the goal, NIC2 should also be created in the same region as VM1, which is West US. However, the
solution states that NIC2 should be created in RG1, which is located in East US. Therefore, the solution does not meet the goal.
upvoted 2 times

  hidefo6963 5 months, 2 weeks ago


a resource group region does not affect the region of its resources
upvoted 4 times

  JayLearn2022 12 months ago


Answer: A

The resource group the NIC is created in does not matter. What matters is the region the NIC is connected to. NIC's attached to VM's must
be located in the same region as the VNET/Subnet it is connected to. The NIC must also be created in the same subscription.

Multiple NICs allow a VM to connect to different subnets.

VM must have at least one NIC. A virtual machine can have more than one NIC, depending on the size of the VM you create.

Each NIC attached to a VM must exist in the same Region and belong to the same subscription as the VM.

Each NIC must be connected to a VNet that exists in the same Azure Region and belong to the same Subscription as the NIC.
upvoted 4 times

  Reviewer 1 year ago


Why A? the question does not show the location for VNET2 is.
upvoted 4 times

  zellck 1 year ago


Selected Answer: A

A is the answer.

https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface?tabs=network-interface-portal#create-a-network-interface
- A network interface can exist in the same, or different resource group, than the virtual machine you attach it to, or the virtual network
you connect it to.
- The virtual machine you add the network interface to must also exist in the same location and subscription as the network interface.
upvoted 1 times

  dagomo 1 year ago

Selected Answer: A
Hello guys,
in this kind of questions I guess the clue is the following:
VM1 connected to VNET2 with NIC1 on location West US.
Then VNET2 location is West US and only the NICs on West US locations will be ok for the answers.
upvoted 2 times

  CloudVillain 1 year, 1 month ago


Selected Answer: B

RG2 and WestUS


upvoted 2 times

  klexams 1 year, 3 months ago


A.
NIC2 needs to be in the same location as VM which is west us. RG can be anywhere.
upvoted 2 times

  LiamAzure 1 year, 3 months ago


Makes no sense at all, what region is NIC 1 in? A vm can only have 1 NIC at a time I thought!?
upvoted 2 times

  Asymptote 1 year, 3 months ago


must have at least one NIC. A virtual machine can have more than one NIC, depending on the size of the VM you create.

Reference:
https://learn.microsoft.com/en-us/azure/virtual-network/network-overview
upvoted 1 times

  rocroberto 1 year, 4 months ago


I believe the answer wants to stress that they belong to the same region (and the fact the Resource Group is different is irrelevant)
upvoted 1 times

  nox2447 1 year, 5 months ago


So the question is basically:
You need to create X in Y.
Solution: You create X in Y, does this meet your goal?
...um yeah?
upvoted 3 times

  Magis 1 year, 4 months ago


What you need to remember in this type of question is that a resource group is a global resource and doesn't belong to any region, even if it
gets a region tag where it was created :) It is one of the most confusing things in Azure and this is why you will see a lot of questions
about it :)
upvoted 5 times

  shadad 1 year ago


I always get confused by the resource group in the question. Thanks for pointing this out.
upvoted 1 times

  EmnCours 1 year, 5 months ago


Selected Answer: A

Correct Answer: A
upvoted 1 times

  WISSYWISE 1 year, 5 months ago


The answer is correct:A
upvoted 1 times

  ExamTopicsTST 1 year, 5 months ago


Selected Answer: A

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface#:~:text=Before%20creating%20a%20network%20interface%2C%20you%20must%20have%20an%20existing%20virtual%20network%20in%20the%20same%20location%20and%20subscription%20you%20create%20a%20network%20interface%20in
upvoted 2 times
Question #75 Topic 4

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that

might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an Azure subscription named Subscription1 that contains the resources shown in the following table.

Subscription1 also includes a virtual network named VNET2. VM1 connects to a virtual network named VNET2 by using a network interface

named NIC1.

You need to create a new network interface named NIC2 for VM1.

Solution: You create NIC2 in RG2 and Central US.

Does this meet the goal?

A. Yes

B. No

Correct Answer: B

The virtual machine you attach a network interface to and the virtual network you connect it to must exist in the same location, here West US,

also referred to as a region.

Reference:

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface

Community vote distribution


B (100%)

  zellck Highly Voted  1 year ago

Selected Answer: B

B is the answer.

https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface?tabs=network-interface-portal#create-a-network-interface
- A network interface can exist in the same, or different resource group, than the virtual machine you attach it to, or the virtual network
you connect it to.
- The virtual machine you add the network interface to must also exist in the same location and subscription as the network interface.
upvoted 5 times

  Slimus Most Recent  8 months, 3 weeks ago

Selected Answer: B

B - No. NIC2 must be in the same location as VM1


upvoted 3 times

  zellck 1 year ago


Selected Answer: B

B is the answer.

A is the answer.

https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface?tabs=network-interface-portal#create-a-network-interface
- A network interface can exist in the same, or different resource group, than the virtual machine you attach it to, or the virtual network
you connect it to.
- The virtual machine you add the network interface to must also exist in the same location and subscription as the network interface.
upvoted 2 times

  dagomo 1 year ago

Selected Answer: B
Hello guys,
in this kind of questions I guess the clue is the following:
VM1 connected to VNET2 with NIC1 on location West US.
Then VNET2 location is West US and only the NICs on West US locations will be ok for the answers.
upvoted 3 times

  Asymptote 1 year, 3 months ago


B
Multiple NICs allow a VM to connect to different subnets.

VM must have at least one NIC. A virtual machine can have more than one NIC, depending on the size of the VM you create.

Each NIC attached to a VM must exist in the same location and subscription as the VM.

Each NIC must be connected to a VNet that exists in the same Azure location and subscription as the NIC.

Reference:
https://learn.microsoft.com/en-us/azure/virtual-network/network-overview
upvoted 4 times

  EmnCours 1 year, 5 months ago


Selected Answer: B

Correct Answer: B
upvoted 2 times

  ExamTopicsTST 1 year, 5 months ago

Selected Answer: B

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface#:~:text=Before%20creating%20a%20network%20interface%2C%20you%20must%20have%20an%20existing%20virtual%20network%20in%20the%20same%20location%20and%20subscription%20you%20create%20a%20network%20interface%20in
upvoted 2 times
Question #76 Topic 4

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that

might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an Azure subscription named Subscription1 that contains the resources shown in the following table.

Subscription1 also includes a virtual network named VNET2. VM1 connects to a virtual network named VNET2 by using a network interface

named NIC1.

You need to create a new network interface named NIC2 for VM1.

Solution: You create NIC2 in RG2 and West US.

Does this meet the goal?

A. Yes

B. No

Correct Answer: A

The virtual machine you attach a network interface to and the virtual network you connect it to must exist in the same location, here West US,

also referred to as a region.

Reference:

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface

Community vote distribution


A (100%)

  Mat_m0381 Highly Voted  1 year, 5 months ago

Selected Answer: A

Correct Answer: A

Resource Group doesn't matter in this question, as long as the NIC is in the same location as the VNET & VM
upvoted 24 times

  informix Highly Voted  1 year, 5 months ago

Compare with Q74; I have no idea which one is correct.


upvoted 5 times

  lucy3246 1 year, 5 months ago


location
upvoted 2 times

  BaldFury401 1 year, 4 months ago


Please explain further. How is this different than Q 74?
upvoted 1 times

  Salam_Pioneer Most Recent  3 weeks, 4 days ago

I think the answer should be B


because the location is different: the VNet is in West US and RG2 is in West Europe
upvoted 1 times

  zellck 1 year ago

Selected Answer: A

A is the answer.

https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface?tabs=network-interface-portal#create-a-network-interface
- A network interface can exist in the same, or different resource group, than the virtual machine you attach it to, or the virtual network
you connect it to.
- The virtual machine you add the network interface to must also exist in the same location and subscription as the network interface.
upvoted 3 times

  dagomo 1 year ago

Selected Answer: A

Hello guys,
in this kind of questions I guess the clue is the following:
VM1 connected to VNET2 with NIC1 on location West US.
Then VNET2 location is West US and only the NICs on West US locations will be ok for the answers.
upvoted 1 times

  Asymptote 1 year, 3 months ago


A

Multiple NICs allow a VM to connect to different subnets.

VM must have at least one NIC. A virtual machine can have more than one NIC, depending on the size of the VM you create.

Each NIC attached to a VM must exist in the same location and subscription as the VM.

Each NIC must be connected to a VNet that exists in the same Azure location and subscription as the NIC.

Reference:
https://learn.microsoft.com/en-us/azure/virtual-network/network-overview
upvoted 3 times

  Imy 1 year, 5 months ago


This doesn’t make sense should be B
upvoted 2 times

  maverick2223 1 year, 5 months ago


Correct Answer: A
upvoted 1 times

  EmnCours 1 year, 5 months ago

Selected Answer: A

Correct Answer: A
upvoted 1 times
Question #77 Topic 4

You develop the following Azure Resource Manager (ARM) template to create a resource group and deploy an Azure Storage account to the

resource group.

Which cmdlet should you run to deploy the template?

A. New-AzResource

B. New-AzResourceGroupDeployment

C. New-AzTenantDeployment

D. New-AzDeployment

Correct Answer: B

Deployment scope.

You can target your deployment to a resource group, subscription, management group, or tenant. Depending on the scope of the deployment,

you use different commands.

To deploy to a resource group, use New-AzResourceGroupDeployment.

Incorrect:

Not C: To deploy to a tenant, use New-AzTenantDeployment.

Not D: To deploy to a subscription, use New-AzSubscriptionDeployment which is an alias of the New-AzDeployment cmdlet.

To deploy to a management group, use New-AzManagementGroupDeployment.

Not A: The New-AzResource cmdlet creates an Azure resource, such as a website, Azure SQL Database server, or Azure SQL Database, in a
resource group.

Reference:

https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/deploy-powershell

Community vote distribution


D (71%) B (29%)

  Tinkers69 Highly Voted  1 year, 5 months ago

Selected Answer: D

D is correct here.

We are creating RG and storage acc. in this RG.


By using New-AzResourceGroupDeployment command -> "Adds an Azure deployment to a resource group."
upvoted 39 times

  QL112233 3 weeks, 3 days ago


The question is what command used for deploy the template listed there, which deploys a storage account, which means deploy
resource to group instead of create a resource group. So B should be right
upvoted 1 times

  skydivex 11 months, 3 weeks ago


agreed..... To add resources to a resource group, use the New-AzResourceGroupDeployment which creates a deployment at a resource
group. The New-AzDeployment cmdlet creates a deployment at the current subscription scope, which deploys subscription level
resources.
upvoted 2 times

  Tarni 1 year, 4 months ago


Agree Answer should be D
1. The New-AzDeployment cmdlet adds a deployment at the current subscription scope. This includes the resources that the
deployment requires.

https://learn.microsoft.com/en-us/powershell/module/az.resources/new-azdeployment?view=azps-8.3.0
upvoted 7 times

  Asymptote Highly Voted  1 year, 3 months ago

Selected Answer: D

New-AzResource -
creates an Azure resource, such as a website, Azure SQL Database server, or Azure SQL Database, in a resource group.

Reference:
https://learn.microsoft.com/en-us/powershell/module/az.resources/new-azresource

New-AzResourceGroupDeployment -
adds a deployment to an existing resource group.

Reference:
https://learn.microsoft.com/en-us/powershell/module/az.resources/new-azresourcegroupdeployment

New-AzDeployment -
The New-AzDeployment cmdlet adds a deployment at the current subscription scope. This includes the resources that the deployment
requires.

Reference:
https://learn.microsoft.com/en-us/powershell/module/az.resources/new-azdeployment

New-AzTenantDeployment just exceeded the scope.


upvoted 17 times

  SDiwan Most Recent  1 week ago

Selected Answer: D

Correct answer is D.
The arm template is creating a resource group. So the scope of deployment must be subscription level
upvoted 1 times

  6Sam7 3 weeks, 2 days ago


The New-AzResourceGroupDeployment cmdlet adds a deployment to an existing resource group. This includes the resources that the
deployment requires. An Azure resource is a user-managed Azure entity, such as a database server, database, website, virtual machine, or
Storage account.

Seems B is correct
upvoted 1 times

  rr89 1 month, 2 weeks ago


Answer is B

We are creating RG
Use New-AzDeployment for deploying resources at the subscription level.
Use New-AzResourceGroupDeployment for deploying resources within a specific resource group.
upvoted 1 times

  mahesha9449295905 2 months ago


The New-AzResourceGroupDeployment cmdlet adds a deployment to an existing resource group
upvoted 2 times

  nchebbi 2 months, 4 weeks ago

Selected Answer: D

Answer is D: New-AzDeployment, which is an alias to New-AzSubscriptionDeployment. The ARM template is creating a RG and a storage
account, so it should be at subscription level.
Take a look at this example & check the templateFile that's being used.
https://github.com/MicrosoftDocs/azure-docs/blob/main/articles/azure-resource-manager/templates/deploy-to-subscription.md#powershell

To people who are saying it should be B: New-AzResourceGroup, this cmdlet takes a param -ResourceGroupName of the resource group,
what RG will you pass there? the one you are creating??? this one is for creating resources under that RG provided via the param
ResourceGroupName
upvoted 2 times

  Mooooosa 3 months, 4 weeks ago


New-AzResourceGroupDeployment- Adds an Azure deployment to a resource group.
New-AzDeployment - Create a deployment at the current subscription scope.

check links
https://learn.microsoft.com/en-us/powershell/module/az.resources/new-azresourcegroupdeployment?view=azps-10.4.1
https://learn.microsoft.com/en-us/powershell/module/az.resources/new-azdeployment?view=azps-10.4.1
upvoted 1 times

  XtraWest 4 months, 1 week ago


Selected Answer: B

New-AzResourceGroupDeployment -ResourceGroupName <ResourceGroupName> -TemplateFile <TemplateFilePath> -TemplateParameterFile <ParameterFilePath>
upvoted 2 times

  MCI 1 week ago


New-AzResourceGroupDeployment: 7:02:47 PM - Error: Code=ResourceGroupNotFound; Message=Resource group 'az104test' could
not be found.
New-AzResourceGroupDeployment: The deployment validation failed

This is the message you get when you run New-AzResourceGroupDeployment .


upvoted 1 times

  emanresu 4 months, 1 week ago

Selected Answer: D

To add resources to a resource group, use the New-AzResourceGroupDeployment which creates a deployment at a resource group. The
New-AzDeployment cmdlet creates a deployment at the current subscription scope, which deploys subscription level resources.

The question mentions "to create a resource group so it must be D then"


upvoted 1 times

  XtraWest 4 months, 4 weeks ago

Selected Answer: B

New-AzResourceGroupDeployment
upvoted 1 times

  oopspruu 5 months, 3 weeks ago

Selected Answer: D

The question says "to create a resource group and deploy an Azure Storage account to the resource group"

You can create a resource group inside a Subscription, hence you need to use the cmdlet that deploys to a Subscription. The correct options
are:
use New-AzSubscriptionDeployment which is an alias of the New-AzDeployment
upvoted 1 times

  mark733050 6 months ago


If you are deploying from powershell the answer is B. New-AzResourceGroupDeployment
If you are deploying from Azure CLI the answer would be "az deployment group create"

The example JSON at the bottom of this page creates a resource group and storage account.

https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/deploy-to-resource-group?tabs=azure-cli
upvoted 1 times

  fjreoi 6 months ago


Note: the two answers B and D have been swapped in this question.
The correct answer is: New-AzResourceGroupDeployment
upvoted 1 times

  Teroristo 6 months, 2 weeks ago


Answer(s): B
Explanation:
Deployment scope.
You can target your deployment to a resource group, subscription, management group, or tenant. Depending on the scope of the
deployment, you use different commands.

To deploy to a resource group, use New-AzResourceGroupDeployment.

Incorrect:
Not C: To deploy to a tenant, use New-AzTenantDeployment.
Not D: To deploy to a subscription, use New-AzSubscriptionDeployment which is an alias of the New-AzDeployment cmdlet.

To deploy to a management group, use New-AzManagementGroupDeployment.

Not A: The New-AzResource cmdlet creates an Azure resource, such as a website, Azure SQL Database server, or Azure SQL Database, in a
resource group.

Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/deploy-powershell
upvoted 1 times

  eduardokm 6 months, 2 weeks ago


For the New-AzResourceGroupDeployment the parameter "ResourceGroupName" is mandatory, and the RG1 still needs to be created.
upvoted 3 times

  Josete1106 6 months, 4 weeks ago


D is correct!!
upvoted 1 times

  XtraWest 7 months, 1 week ago


Selected Answer: B

To deploy an Azure Resource Manager (ARM) template, you can use the New-AzResourceGroupDeployment cmdlet in Azure PowerShell.
This cmdlet allows you to deploy a template to a resource group.
upvoted 2 times
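
The scope rules argued over in this thread can be checked mechanically. The following is an added example, not part of the original page or of any Microsoft tooling: it reads a template's `$schema` to find the deployment scope and the cmdlet the answer explanation pairs with it, and flags a resource group declared in a template that is itself scoped to a resource group. The sample template, its names (`rg-demo`, `storageDeployment`) and API versions are constructed, and the `dependsOn` check is a simple string heuristic.

```python
# Schema file name -> (deployment scope, cmdlet this page pairs with that scope).
SCOPES = {
    "deploymenttemplate.json": ("resource group", "New-AzResourceGroupDeployment"),
    "subscriptiondeploymenttemplate.json": ("subscription", "New-AzDeployment"),
    "managementgroupdeploymenttemplate.json": ("management group", "New-AzManagementGroupDeployment"),
    "tenantdeploymenttemplate.json": ("tenant", "New-AzTenantDeployment"),
}
RG_TYPE = "microsoft.resources/resourcegroups"
NESTED_TYPE = "microsoft.resources/deployments"
SCHEMA_BASE = "https://schema.management.azure.com/schemas/"
RG_DEPENDENCY = "[resourceId('Microsoft.Resources/resourceGroups', 'rg-demo')]"


def scope_from_schema(template):
    """Map the template's $schema URL to (scope, cmdlet)."""
    schema = template.get("$schema", "")
    file_name = schema.split("#", 1)[0].rsplit("/", 1)[-1].lower()
    if file_name not in SCOPES:
        raise ValueError(f"unrecognised template schema: {schema!r}")
    return SCOPES[file_name]


def review_scope(template):
    """Return the scope, the cmdlet to use and any scope-related findings."""
    scope, cmdlet = scope_from_schema(template)
    resources = template.get("resources", [])
    findings = []

    created_groups = [r.get("name") for r in resources
                      if r.get("type", "").lower() == RG_TYPE]
    if created_groups and scope == "resource group":
        # A resource group cannot be created from inside a resource group deployment.
        findings.append(("rg-declared-at-rg-scope", ", ".join(created_groups)))

    for res in resources:
        if res.get("type", "").lower() != NESTED_TYPE:
            continue
        if res.get("resourceGroup") not in created_groups:
            continue
        # Heuristic: the nested deployment must wait for the group it targets.
        depends = " ".join(res.get("dependsOn", [])).lower()
        if RG_TYPE not in depends:
            findings.append(("nested-deployment-missing-dependsOn", res.get("name")))

    return {"scope": scope, "cmdlet": cmdlet, "findings": findings}


def sample_template(schema_path, depends_on):
    """Constructed template: one resource group plus a storage account deployed into it."""
    storage = {"type": "Microsoft.Storage/storageAccounts", "apiVersion": "2023-01-01",
               "name": "stdemo0001", "location": "westus",
               "sku": {"name": "Standard_LRS"}, "kind": "StorageV2"}
    return {
        "$schema": SCHEMA_BASE + schema_path,
        "contentVersion": "1.0.0.0",
        "resources": [
            {"type": "Microsoft.Resources/resourceGroups", "apiVersion": "2022-09-01",
             "name": "rg-demo", "location": "westus"},
            {"type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01",
             "name": "storageDeployment", "resourceGroup": "rg-demo",
             "dependsOn": depends_on,
             "properties": {"mode": "Incremental", "template": {
                 "$schema": SCHEMA_BASE + "2019-04-01/deploymentTemplate.json#",
                 "contentVersion": "1.0.0.0",
                 "resources": [storage]}}},
        ],
    }


if __name__ == "__main__":
    for path in ("2018-05-01/subscriptionDeploymentTemplate.json#",
                 "2019-04-01/deploymentTemplate.json#"):
        print(path, review_scope(sample_template(path, [RG_DEPENDENCY])))
```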
Question #78 Topic 4

HOTSPOT -

You have an Azure App Service app named WebApp1 that contains two folders named Folder1 and Folder2.

You need to configure a daily backup of WebApp1. The solution must ensure that Folder2 is excluded from the backup.

What should you create first, and what should you use to exclude Folder2? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

Box 1: An Azure Storage account -

App Service can back up the following information to an Azure storage account and container that you have configured your app to use.

App configuration -

File content -

Database connected to your app -

Note: Choose your backup destination by selecting a Storage Account and Container. The storage account must belong to the same

subscription as the app you want to back up. If you wish, you can create a new storage account or a new container in the respective pages.
Box 2: A _backup.filter file -

Exclude files from your backup.

Suppose you have an app that contains log files and static images that have been backed up once and are not going to change. In such cases, you
can exclude those folders and files from being stored in your future backups. To exclude files and folders from your backups, create a
_backup.filter file in the D:\home\site\wwwroot folder of your app. Specify the list of files and folders you want to exclude in this file.

Reference:

https://docs.microsoft.com/en-us/azure/app-service/manage-backup

  Muffay Highly Voted  1 year, 1 month ago

Yes, the given answer is correct.

As I was quite confused, let me add some more details:


You need a Recovery service vault if you want to backup VMs, File Shares, SAP HANA in a VM or SQL Server in a VM.

You need a Backup vault if you want to backup Azure Disks, Azure Blobs or Azure Database for PostgreSQL Server.

The question asks about an App Service, this one backs up to a storage account.
upvoted 87 times

  vinsom 9 months, 2 weeks ago


Insightful! Thanks for sharing this
upvoted 4 times

  CK9797 Highly Voted  1 year, 4 months ago

Given answer correct.


This question was in the exam today. layout slightly different.
70-75% of the questions are from ET
I passed today 800
upvoted 27 times

  wpestan 1 year, 2 months ago


Hi, I have a doubt. To configure a daily backup, don't we need a Recovery service vault?
upvoted 2 times

  Muffay 1 year, 1 month ago


I got into this trap as well.

You need a Recovery service vault if you want to backup VMs, File Shares, SAP HANA in a VM or SQL Server in a VM.

The question asks about an App Service, this one backs up to a storage account.
upvoted 25 times

  Indy429 1 month, 3 weeks ago


Thank you so much for giving a logical reasoning! Makes it so much easier to study and remember in case a different version of
this question pops up
upvoted 1 times

  jcallahan9 11 months ago


Microsoft really needs to consolidate things. They have made things way too complicated with "gotcha" knowledge. Unbelievable
they have RSV but don't back everything up to it.
upvoted 10 times

  zellck Most Recent  1 year ago

1. Azure Storage Account


2. _backup.filter file

https://learn.microsoft.com/en-us/azure/app-service/manage-backup?tabs=portal#create-a-custom-backup
In Storage account, select an existing storage account (in the same subscription) or select Create new. Do the same with Container.

https://learn.microsoft.com/en-us/azure/app-service/manage-backup?tabs=portal#configure-partial-backups
Partial backups are supported for custom backups (not for automatic backups). Sometimes you don't want to back up everything on your
app.

To exclude folders and files from being stored in your future backups, create a _backup.filter file in the %HOME%\site\wwwroot folder of
your app. Specify the list of files and folders you want to exclude in this file.
upvoted 17 times

  Asymptote 1 year, 3 months ago


Given ET answers are correct.

1.In your app management page in the Azure portal, in the left menu, select Backups.

2. At the top of the Backups page, select Configure custom backups.


3. In Storage account, select an existing storage account (in the same subscription) or select Create new. Do the same with Container.

4. To back up the linked database(s), select Next: Advanced > Include database, and select the database(s) to back up.

Partial backups are supported for custom backups (not for automatic backups).
To exclude folders and files from being stored in your future backups, create a _backup.filter file in the %HOME%\site\wwwroot folder of
your app. Specify the list of files and folders you want to exclude in this file.

Reference:
https://learn.microsoft.com/en-us/azure/app-service/manage-backup?tabs=portal
upvoted 10 times

  Mev4953 1 year, 5 months ago


First create: Azure Storage Account

To exclude Folder 2: _backup.filter

https://docs.microsoft.com/en-us/azure/app-service/manage-backup?tabs=portal#:~:text=Create%20a%20file,is%20(not%20deleted).
upvoted 3 times

  favela 1 year, 5 months ago


Passed today and this question came I almost forgot and choose another answer but at the end I decide to choose this answer I was
confused with others question but finally I decide to choose these answer and my score was 900
upvoted 12 times

  EmnCours 1 year, 5 months ago


Answer is correct!
upvoted 2 times

  qwerty100 1 year, 5 months ago


Correct Answer:

- An Azure Storage account


- a backup.filter file

https://docs.microsoft.com/en-us/azure/app-service/manage-backup?tabs=portal#create-a-custom-backup
https://docs.microsoft.com/en-us/azure/app-service/manage-backup?tabs=portal#configure-partial-backups
upvoted 2 times

  F117A_Stealth 1 year, 5 months ago


Answer is correct!

"To exclude folders and files from being stored in your future backups, create a _backup.filter file in the %HOME%\site\wwwroot folder of
your app. Specify the list of files and folders you want to exclude in this file."

https://docs.microsoft.com/en-us/azure/app-service/manage-backup?tabs=portal
upvoted 5 times
Question #79 Topic 4

You plan to deploy several Azure virtual machines that will run Windows Server 2019 in a virtual machine scale set by using an Azure Resource

Manager template.

You need to ensure that NGINX is available on all the virtual machines after they are deployed.

What should you use?

A. the Publish-AzVMDscConfiguration cmdlet

B. Azure Application Insights

C. Azure Custom Script Extension

D. a Microsoft Endpoint Manager device configuration profile

Correct Answer: C

Use Azure Resource Manager templates to install applications into virtual machine scale sets with the Custom Script Extension.

Note: The Custom Script Extension downloads and executes scripts on Azure VMs. This extension is useful for post deployment configuration,

software installation, or any other configuration / management task.

To see the Custom Script Extension in action, create a scale set that installs the NGINX web server and outputs the hostname of the scale set

VM instance.

Reference:

https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/tutorial-install-apps-template

Community vote distribution


C (95%) 5%

  Mev4953 Highly Voted  1 year, 5 months ago

There are several versions of this question in the exam. The question has two correct answers:
1. A Desired State Configuration (DSC) extension
2. Azure Custom Script Extension
upvoted 51 times

  Halisson Most Recent  3 months, 4 weeks ago

Azure VM extensions can be managed by using the Azure CLI, PowerShell, Azure Resource Manager (ARM) templates, and the Azure
portal.

From the Extensions + Applications for the VM, on the Extensions tab, select + Add.
Locate the Custom Script Extension option. Select the extension option, then select Next

https://learn.microsoft.com/en-us/azure/virtual-machines/extensions/overview
upvoted 2 times

  zellck 1 year ago


Same as Question 89.
https://www.examtopics.com/discussions/microsoft/view/95713-exam-az-104-topic-4-question-89-discussion
upvoted 3 times

  zellck 1 year ago

Selected Answer: C

C is the answer.

https://learn.microsoft.com/en-us/azure/virtual-machines/extensions/custom-script-windows
The Custom Script Extension downloads and runs scripts on Azure virtual machines (VMs). This extension is useful for post-deployment
configuration, software installation, or any other configuration or management task. You can download scripts from Azure Storage or
GitHub, or provide them to the Azure portal at extension runtime.
upvoted 3 times

  Bigc0ck 1 year, 1 month ago


I didn't see any NGINX questions on my previous tests
upvoted 2 times

  BShelat 1 year, 1 month ago

Selected Answer: C

There are several versions of this question in the exam. The question has two correct answers:
1. A Desired State Configuration (DSC) extension
2. Azure Custom Script Extension
upvoted 3 times
  Asymptote 1 year, 3 months ago

Selected Answer: C

The Custom Script Extension downloads and runs scripts on Azure virtual machines (VMs). This extension is useful for post-deployment
configuration, software installation, or any other configuration or management task. You can download scripts from Azure Storage or
GitHub

Reference:
https://learn.microsoft.com/en-us/azure/virtual-machines/extensions/custom-script-windows

For the DSC extension, as I'm not a server expert,
it might be usable for Microsoft IIS, which is a native role and feature, but not for NGINX.

Hope others can give a proper conclusion.


upvoted 4 times

  LiamAzure 1 year, 3 months ago

Selected Answer: C

Correct Answer
upvoted 1 times

  matix781 1 year, 4 months ago

Selected Answer: C

C for sure
upvoted 1 times

  Imy 1 year, 5 months ago


Why is one person voting thrice and skewing the results
upvoted 2 times

  EmnCours 1 year, 5 months ago

Selected Answer: C

Correct Answer: C
upvoted 2 times

  EmnCours 1 year, 5 months ago


Selected Answer: C

Correct Answer: C
upvoted 2 times

  EmnCours 1 year, 5 months ago


Selected Answer: B

Correct Answer: C
upvoted 1 times

  Batiste2023 3 months, 3 weeks ago


I scrolled down to see who had answered B here. :-D
upvoted 1 times

  ExamTopicsTST 1 year, 5 months ago

Selected Answer: C

https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/custom-script-windows#:~:text=This%20extension%20is%20useful%20for%20post%2Ddeployment%20configuration%2C%20software%20installation%2C%20or%20any%20other%20configuration%20or%20management%20task.
upvoted 2 times
Question #80 Topic 4

HOTSPOT -

You have an Azure subscription. The subscription contains a virtual machine that runs Windows 10.

You need to join the virtual machine to an Active Directory domain.

How should you complete the Azure Resource Manager (ARM) template? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:
Correct Answer:

Box 1: "Microsoft.Compute/VirtualMachines/extensions",

The following JSON example uses the Microsoft.Compute/virtualMachines/extensions resource type to install the Active Directory domain join

extension.

Parameters are used that you specify at deployment time. When the extension is deployed, the VM is joined to the specified managed domain.

Box 2: "ProtectedSettings":{

Example:

{
  "apiVersion": "2015-06-15",
  "type": "Microsoft.Compute/virtualMachines/extensions",
  "name": "[concat(parameters('dnsLabelPrefix'),'/joindomain')]",
  "location": "[parameters('location')]",
  "dependsOn": [
    "[concat('Microsoft.Compute/virtualMachines/', parameters('dnsLabelPrefix'))]"
  ],
  "properties": {
    "publisher": "Microsoft.Compute",
    "type": "JsonADDomainExtension",
    "typeHandlerVersion": "1.3",
    "autoUpgradeMinorVersion": true,
    "settings": {
      "Name": "[parameters('domainToJoin')]",
      "OUPath": "[parameters('ouPath')]",
      "User": "[concat(parameters('domainToJoin'), '\\', parameters('domainUsername'))]",
      "Restart": "true",
      "Options": "[parameters('domainJoinOptions')]"
    },
    "protectedSettings": {
      "Password": "[parameters('domainPassword')]"
    }
  }
}

Reference:

https://docs.microsoft.com/en-us/azure/active-directory-domain-services/join-windows-vm-template
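
The reason the password belongs under protectedSettings is that extension settings are stored and returned in clear text, while protectedSettings are encrypted and decrypted only on the target VM. The following is an added example, not code from the original page or from Microsoft: a small reviewer that walks a parsed ARM template, flags secret-looking keys under an extension's settings, literal values under protectedSettings, and protected values fed from a parameter that is not `securestring`/`secureobject`. The sample template is constructed and only modelled on the domain-join example above; the key-name pattern and the finding labels are assumptions of this sketch.

```python
import re

# Key names that suggest a credential (an assumption of this sketch, extend as needed).
SECRET_KEY = re.compile(r"pass(word|phrase)|secret|token|key", re.IGNORECASE)
PARAM_REF = re.compile(r"^\[parameters\('([^']+)'\)\]$")
SECURE_TYPES = {"securestring", "secureobject"}


def iter_resources(resources, parent_type=""):
    """Yield (full type, resource), descending into child resources."""
    for res in resources:
        rtype = res.get("type", "")
        full_type = f"{parent_type}/{rtype}" if parent_type else rtype
        yield full_type, res
        yield from iter_resources(res.get("resources", []), full_type)


def leaves(node, path=""):
    """Yield (dotted path, value) for every scalar under a settings object."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from leaves(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from leaves(value, f"{path}[{index}]")
    else:
        yield path, node


def audit_extensions(template):
    """Return (extension name, finding, key path) tuples for a parsed template."""
    params = template.get("parameters", {})
    findings = []
    for full_type, res in iter_resources(template.get("resources", [])):
        if not full_type.lower().endswith("/extensions"):
            continue
        name = res.get("name", "<unnamed>")
        props = res.get("properties", {})
        # Anything credential-like under settings is stored unencrypted.
        for path, _ in leaves(props.get("settings", {})):
            if SECRET_KEY.search(path.rsplit(".", 1)[-1]):
                findings.append((name, "secret-in-settings", path))
        for path, value in leaves(props.get("protectedSettings", {})):
            ref = PARAM_REF.match(value) if isinstance(value, str) else None
            if ref is None:
                # Not a template expression at all: the secret is hardcoded in the file.
                if not (isinstance(value, str) and value.startswith("[")):
                    findings.append((name, "literal-in-protectedSettings", path))
            else:
                ptype = params.get(ref.group(1), {}).get("type", "")
                if ptype.lower() not in SECURE_TYPES:
                    findings.append((name, "parameter-not-secure", path))
    return findings


def sample_template(password_section, password_param_type):
    """Constructed template; the password goes under the named section."""
    properties = {
        "publisher": "Microsoft.Compute",
        "type": "JsonADDomainExtension",
        "typeHandlerVersion": "1.3",
        "settings": {
            "Name": "[parameters('domainToJoin')]",
            "User": "[parameters('domainUsername')]",
            "Restart": "true",
        },
    }
    properties.setdefault(password_section, {})["Password"] = "[parameters('domainPassword')]"
    return {
        "parameters": {
            "domainToJoin": {"type": "string"},
            "domainUsername": {"type": "string"},
            "domainPassword": {"type": password_param_type},
        },
        "resources": [{
            "type": "Microsoft.Compute/virtualMachines/extensions",
            "name": "vm1/joindomain",
            "properties": properties,
        }],
    }


if __name__ == "__main__":
    for section, ptype in (("protectedSettings", "securestring"),
                           ("settings", "securestring"),
                           ("protectedSettings", "string")):
        print(section, ptype, audit_extensions(sample_template(section, ptype)))
```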

  ExamTopicsTST Highly Voted  1 year, 5 months ago

Answer is correct.

https://docs.microsoft.com/en-us/azure/active-directory-domain-services/join-windows-vm-template
upvoted 34 times

  EmnCours Highly Voted  1 year, 5 months ago

Correct Answer:

box1: Microsoft.Compute/virtualMachines/extensions
box2: protectedSettings

https://docs.microsoft.com/en-us/azure/active-directory-domain-services/join-windows-vm-template#azure-resource-manager-template-overview
upvoted 13 times

  devops_devops Most Recent  1 month ago

This question was in exam 15/01/24


upvoted 4 times

  PrepaCertif 3 months ago


came on exam 16th November 2023, answer is correct
upvoted 5 times

  lulzsec2019 7 months, 1 week ago


topic 4 question 81 is missing.
upvoted 5 times

  zellck 1 year ago


1. Microsoft.Compute/virtualMachines/extensions
2. ProtectedSettings

https://learn.microsoft.com/en-us/azure/active-directory-domain-services/join-windows-vm-template#azure-resource-manager-template-overview
The following JSON example uses the Microsoft.Compute/virtualMachines/extensions resource type to install the Active Directory domain
join extension.
upvoted 4 times

  UK7 1 year, 1 month ago


Came on 21st Dec 2022 Exam
Answer is correct
upvoted 7 times

  Mev4953 1 year, 5 months ago


https://docs.microsoft.com/en-us/azure/active-directory-domain-services/join-windows-vm-template#:~:text=example%20uses%20the-,Microsoft.Compute/virtualMachines/extensions,-resource%20type%20to
upvoted 2 times

  qwerty100 1 year, 5 months ago


Correct Answer:

box1: Microsoft.Compute/virtualMachines/extensions
box2: protectedSettings

https://docs.microsoft.com/en-us/azure/active-directory-domain-services/join-windows-vm-template#azure-resource-manager-template-overview
upvoted 2 times
Question #82 Topic 4

HOTSPOT

You are creating an Azure Kubernetes Services (AKS) cluster as shown in the following exhibit.

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
NOTE: Each correct selection is worth one point.

Correct Answer:

  Alex2022_31 Highly Voted  1 year, 1 month ago

1) Modify the Network configuration setting


"To run an AKS cluster that supports node pools for Windows Server containers, your cluster needs to use a network policy that uses Azure
CNI (advanced) network plugin."

Ref: https://learn.microsoft.com/en-us/azure/aks/learn/quick-windows-container-deploy-cli

2) AKS-Managed Azure Active Directory


Ref: https://learn.microsoft.com/en-us/azure/aks/cluster-container-registry-integration?tabs=azure-cli
upvoted 46 times

  zellck Highly Voted  1 year ago

1. modify the Network configuration setting


2. AKS-managed Azure AD

https://learn.microsoft.com/en-us/azure/aks/learn/quick-windows-container-deploy-cli#create-an-aks-cluster
To run an AKS cluster that supports node pools for Windows Server containers, your cluster needs to use a network policy that uses Azure
CNI (advanced) network plugin.

https://learn.microsoft.com/en-us/azure/aks/cluster-container-registry-integration?tabs=azure-cli
The AKS to ACR integration assigns the AcrPull role to the Azure Active Directory (Azure AD) managed identity associated with your AKS
cluster.
upvoted 17 times

  lulzsec2019 Most Recent  7 months, 1 week ago


topic 4 question 81 is missing.
upvoted 12 times

  ericZX 9 months, 3 weeks ago


(1) Modify the Network configuration setting
Tested in lab, if the Network configuration is Kubenet, you will not be able to add a windows node pool, you have to change it from
Kubenet to Azure CNI first.

Next step, you need to add a new node pool


All AKS clusters are created with a default first node pool, which is Linux-based. This node pool contains system services that are needed
for the cluster to function. ...The first Linux-based node pool can't be deleted unless the AKS cluster itself is deleted.
https://learn.microsoft.com/en-us/azure/aks/windows-faq?tabs=azure-cli
upvoted 4 times
  ChakaZilly 1 year ago
Increase the number of node pools (First node is linux only)
AKS-managed Azure Active Directory (Needs the ACR-Pull role)
upvoted 5 times

  examtopics999 1 year ago


https://learn.microsoft.com/en-us/azure/aks/learn/quick-windows-container-deploy-cli

"To run an AKS cluster that supports node pools for Windows Server containers, your cluster needs to use a network policy that uses Azure
CNI (advanced) network plugin."

Above diagram uses Kubenet Network configuration - That needs to be modified to Azure CNI. Hence first box answer is "modify the
network configuration setting"

To use Windows Server node pools, you must use Azure CNI. The use of kubenet as the network model is not available for Windows Server
containers.

Also, Windows Containers need their own Node pool as default AKS configuration is for Linux containers. There is a possibility of "increase
the number of node pools" as well - as current node pool count is 1. However, first step would be to fix Network configuration.
upvoted 7 times

  yaboo1617 10 months, 1 week ago


If first node is for Linux, then CNI is only required for the second pool. So first step would be to add a pool.
upvoted 1 times

  1475 1 year, 1 month ago


By default, an AKS cluster is created with a node pool that can run Linux containers. Use az aks nodepool add command to add an
additional node pool that can run Windows Server containers alongside the Linux node pool.

https://learn.microsoft.com/en-us/azure/aks/learn/quick-windows-container-deploy-cli
upvoted 7 times
Question #83 Topic 4

HOTSPOT

You have an Azure subscription that contains an Azure Kubernetes Service (AKS) cluster named Cluster1. Cluster1 hosts a node pool named

Pool1 that has four nodes.

You need to perform a coordinated upgrade of Cluster1. The solution must meet the following requirements:

• Deploy two new nodes to perform the upgrade.

• Minimize costs.

How should you complete the command? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Correct Answer:

  Muffay Highly Voted  1 year, 1 month ago

Answer is WRONG.

I assume there is a typo, where it says "updates" it should be "update".


az aks nodepool **update** -n pool1 -g RG1 --cluster-name cluster1 **max-surge 2**

https://learn.microsoft.com/en-us/cli/azure/aks/nodepool?view=azure-cli-latest
We want to edit an existing node pool, so we cannot use "add":
"Add a node pool to the managed Kubernetes cluster."

We want to update the properties of the node pool, so we need to use:


az aks nodepool update
"Update a node pool properties."

We want to set it up to use more nodes during an update, so this one is right:
--max-surge
"Extra nodes used to speed upgrade. When specified, it represents the number or percent used, eg. 5 or 33%."
upvoted 46 times

  BooMz Highly Voted  12 months ago

Based on document, it is
Box 1: Update
Box 2: --max-surge

I'm very new here, and I could be wrong. Here is the link. Please verify and don't take my word for it.
https://learn.microsoft.com/en-us/azure/aks/upgrade-cluster?tabs=azure-cli
upvoted 23 times

  Halisson 3 months, 4 weeks ago


az aks nodepool update -n mynodepool -g MyResourceGroup --cluster-name MyManagedCluster --max-surge 5
upvoted 1 times

  PareshAzure1 Most Recent  1 month, 1 week ago

https://learn.microsoft.com/en-us/azure/aks/upgrade-aks-cluster?tabs=azure-cli#customize-node-surge-upgrade

# Set max surge for a new node pool


az aks nodepool add -n mynodepool -g MyResourceGroup --cluster-name MyManagedCluster --max-surge 33%
# Update max surge for an existing node pool
az aks nodepool update -n mynodepool -g MyResourceGroup --cluster-name MyManagedCluster --max-surge 5
upvoted 2 times

  houzer 1 month, 1 week ago


az aks nodepool add --name pool1 --resource-group RG1 --cluster-name cluster1 --node-count 2

This is what I would use to deploy two new nodes in the cluster, which is the first requirement.

Then I would run az aks upgrade --resource-group RG1 --name cluster1 --kubernetes-version XX to actually upgrade the cluster.

I can't test this unfortunately but it makes the most sense to me.
upvoted 3 times

  MOSES3009 3 months ago


az: This is the Azure CLI command-line tool.

aks: This part of the command is specific to the Azure Kubernetes Service (AKS) features.

nodepool update: This is the action being performed, which is updating the properties of an AKS node pool.

-n pool1: Specifies the name of the node pool (pool1) that you want to update. Replace pool1 with the actual name of your node pool.

-g rg1: Specifies the resource group (rg1) where your AKS cluster is located. Replace rg1 with the actual name of your resource group.

--cluster-name cluster1: Specifies the name of the AKS cluster (cluster1) to which the node pool belongs. Replace cluster1 with the actual
name of your AKS cluster.

--max-surge=2: Specifies the maximum number of nodes that can be added to the node pool at the same time during an upgrade. In this
example, it sets the maximum surge to 2. Replace 2 with the desired value.

This command allows you to update various properties of an AKS node pool, and in this case, it specifically sets the maximum surge
during an upgrade. The "max surge" is relevant when you perform a node pool upgrade, allowing you to control the number of additional
nodes that can be added at once during the upgrade process.
upvoted 2 times

  MOSES3009 3 months ago


update and max-surge
upvoted 1 times

  SamCook101 2 months, 2 weeks ago


In the choices it says updates, not update, so that is wrong.
upvoted 1 times

  Alandt 1 month ago


It's probably a typo Jesus Christ
upvoted 1 times

  Ahkhan 3 months, 1 week ago


Add an ARM64 node pool into your existing cluster using the az aks nodepool add.

az aks nodepool add \


--resource-group myResourceGroup \
--cluster-name myAKSCluster \
--name armpool \
--node-count 3 \
--node-vm-size Standard_D2pds_v5
upvoted 1 times

  RickySmith 6 months, 1 week ago


https://learn.microsoft.com/en-us/azure/aks/upgrade-cluster?tabs=azure-cli#set-max-surge-values
Key word existing
upvoted 2 times

  fjreoi 5 months, 4 weeks ago


update (updates) AND max surge
upvoted 1 times

  Jessica_az 6 months, 2 weeks ago


on exam 31/Jul/2023.
upvoted 5 times

  Teroristo 6 months, 2 weeks ago


Box 1: add
az aks nodepool add
Add a node pool to the managed Kubernetes cluster.

Box 2: --max-surge 2
Extra nodes used to speed upgrade. When specified, it represents the number or percent used, eg. 5 or 33%.

Incorrect:
* --max-count 2
Maximum nodes count used for autoscaler, when "--enable-cluster-autoscaler" specified. Please specify the value in the range of [0, 1000]
for user nodepool, and [1,1000] for system nodepool.

However, autoscaler is not mentioned in the question.

* --max-pods -m
The maximum number of pods deployable to a node.

* --node-count -c
Number of nodes in the Kubernetes agent pool. After creating a cluster, you can change the size of its node pool with az aks scale.

default value: 3

Reference:
https://learn.microsoft.com/en-us/cli/azure/aks/nodepool
upvoted 1 times

  Josete1106 6 months, 4 weeks ago


Updates + MAX Surge!!
upvoted 2 times

  RandomNickname 8 months, 2 weeks ago


Agree with others for update.

I don't believe it's scale since this is referring to low resource as per below;

https://learn.microsoft.com/en-us/azure/aks/scale-cluster?tabs=azure-cli

And the question doesn't mention the need for a new pool, since we need to minimise costs and use existing pool to do so, I'd have to
presume to use existing so;
1: Update
2: Max surge

See:
https://learn.microsoft.com/en-us/azure/aks/upgrade-cluster?tabs=azure-cli#upgrade-an-aks-cluster
upvoted 3 times

  FreeSwan 9 months, 4 weeks ago


It's an already existing cluster, so "update" and "max-surge 2" fit in...
upvoted 4 times

  ericZX 10 months, 1 week ago


az aks nodepool update --max-surge 2 will add two new nodes
az aks nodepool scale --node-count 2 Running nodes will change from 4 to 2
so
box 1: Update
box 2: --max-surge

https://learn.microsoft.com/en-us/azure/aks/upgrade-cluster?tabs=azure-cli
https://learn.microsoft.com/en-us/azure/aks/scale-cluster?tabs=azure-cli
upvoted 1 times

  ericZX 10 months, 1 week ago


az aks nodepool add
Add a node pool to the managed Kubernetes cluster

Can't find az aks nodepool get-updates

az aks nodepool get-upgrades


Get the available upgrade versions for an agent pool of the managed Kubernetes cluster.
https://learn.microsoft.com/en-us/cli/azure/aks/nodepool?view=azure-cli-latest
upvoted 1 times

  Slawekyo 10 months, 3 weeks ago


Since they are not asking us to update but to DEPLOY
I think the answer should be

1.Scale

2.Node count
upvoted 3 times

  Fedele 10 months, 4 weeks ago


https://learn.microsoft.com/en-us/azure/aks/upgrade-cluster?tabs=azure-cli
1: Add
2: max-surge
upvoted 1 times

  Gzt 11 months, 2 weeks ago


Not necessary to scale a pool because we are asked to minimize costs, so we need to use "update" with "max-surge" parameter to have
additional nodes (buffer nodes) only during upgrade https://learn.microsoft.com/en-us/azure/aks/upgrade-cluster?tabs=azure-cli#upgrade-an-aks-cluster
upvoted 2 times
Question #84 Topic 4

HOTSPOT

You have an Azure subscription.

You create the following file named Deploy.json.

You connect to the subscription and run the following commands.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.


Correct Answer:

  Alex2022_31 Highly Voted  1 year, 1 month ago

Answers: Yes / No / Yes

Y: The 4 resources created are the RG1 resource group + the 3 storage accounts
N: the location of the storage accounts is defined by the parameter "location" in the "resources" item that has the value of the Resource
Group (stated by the "resourceGroup().location" function that returns the location of the resource group RG1 which is in Central US)
Y: the names of the storage accounts have the prefix given by the copyIndex() function in "name": "[concat(copyIndex(),'storage',uniqueString(resourceGroup().id))]", which starts at the position 0
upvoted 58 times

  jeru81 6 days, 23 hours ago


only when a resource group counts as a resource - otherwise it would be 3 resources!?!?
8)
upvoted 1 times

  tEaMpRaEn 9 months, 3 weeks ago


YNY is correct.
Resource groups, subscriptions, management groups, and tags are also examples of resources.
https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/overview
upvoted 4 times

  garmatey 8 months, 2 weeks ago


how do you know central US?
upvoted 3 times

  garmatey 8 months, 2 weeks ago


nvm my b
upvoted 2 times

  Bayer2517 11 months, 4 weeks ago


A resource group is a container that holds related resources for an Azure solution. The resource group can include all the resources for
the solution, or only those resources that you want to manage as a group.
upvoted 1 times

  Muffay Highly Voted  1 year, 1 month ago

The commands will create four new resources - NO. A Resource Group is not a resource, so it will only create 3 storage accounts as
resources.
The commands will create storage accounts in the West US Azure region - NO. Note the "location": "[resourceGroup().location]". This will
set the location to the location of the resource group, which is Central US.
"The first storage account that is created will have a prefix of 0": YES. As the name is concatenated starting with the copyIndex(), that is true.
upvoted 6 times

  Muffay 1 year, 1 month ago


I was incorrect. A Resource Group *is* a resource, so the first answer is YES.
https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/overview#terminology
resource - A manageable item that is available through Azure. Virtual machines, storage accounts, web apps, databases, and virtual
networks are examples of resources. Resource groups, subscriptions, management groups, and tags are also examples of resources.
upvoted 10 times

  BE1234 Most Recent  3 months ago

resource - A manageable item that is available through Azure. Virtual machines, storage accounts, web apps, databases, and virtual
networks are examples of resources. Resource groups, subscriptions, management groups, and tags are also examples of resources.

https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/overview
upvoted 1 times

  Jainulabadeen 3 months, 2 weeks ago


Where is it mentioned about 3 storage accounts?
upvoted 1 times

  RandomNickname 8 months, 2 weeks ago


The links in the comments helped understand this.

Y,N,Y
upvoted 2 times
  zellck 1 year ago
YNY is the answer.

https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/copy-resources#resource-iteration
Notice that the name of each resource includes the copyIndex() function, which returns the current iteration in the loop. copyIndex() is
zero-based.
upvoted 3 times

  sharkzor 1 year, 1 month ago


N - RG != resource
Y - Westus is in the template. no parameter override given
Y
upvoted 6 times

  djgodzilla 1 year, 1 month ago


can't speak about the override . but for
1. you already have RG1 created and it was specified in the command New-AzResourceGroupDeployment hence it adds a deployment
to an existing resource group.
and 1. = is NO ( 3 resources only)
upvoted 2 times

  djgodzilla 1 year, 1 month ago


EDIT: the override is "location": "[resourceGroup().location]"
so :
N- 3 storage accounts
N- central us
Y- count iteration always starts with 0
Y
upvoted 5 times

  sandorh 1 year, 1 month ago


This is wrong, a resource group is a resource.
https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/overview
"Virtual machines, storage accounts, web apps, databases, and virtual networks are examples of resources. Resource groups,
subscriptions, management groups, and tags are also examples of resources."
upvoted 3 times

  buzzerboy 1 year, 1 month ago


the location is set to read from the resource group's location, and the resource group location is specified to central in the
New-AzResourceGroup command
upvoted 1 times

  Muffay 1 year, 1 month ago


For your second Y - in the template the location is calculated using the Resource Group location. So, it actually is N - it will be the
location of the RG, which is Central US.

Combining your answer with Alex's answer will give you the correct responses then :D
upvoted 1 times
Question #85 Topic 4

You plan to deploy several Azure virtual machines that will run Windows Server 2019 in a virtual machine scale set by using an Azure Resource

Manager template.

You need to ensure that NGINX is available on all the virtual machines after they are deployed.

What should you use?

A. Azure Custom Script Extension

B. Deployment Center in Azure App Service

C. the Publish-AzVMDscConfiguration cmdlet

D. the New-AzConfigurationAssignment cmdlet

Correct Answer: A

Community vote distribution


A (100%)

  zellck Highly Voted  1 year ago

Selected Answer: A

A is the answer.

https://learn.microsoft.com/en-us/azure/virtual-machines/extensions/custom-script-windows
The Custom Script Extension downloads and runs scripts on Azure virtual machines (VMs). This extension is useful for post-deployment
configuration, software installation, or any other configuration or management task. You can download scripts from Azure Storage or
GitHub, or provide them to the Azure portal at extension runtime.
upvoted 5 times

  Naywonni Most Recent  12 months ago

I think A is the answer


upvoted 1 times

  zellck 1 year ago


Same as Question 89.
https://www.examtopics.com/discussions/microsoft/view/95713-exam-az-104-topic-4-question-89-discussion
upvoted 2 times

  DeBoer 1 year ago

Selected Answer: A

funny enough, in the first part of the set, the answer often was DSC for similar questions. Makes you wonder.
upvoted 1 times

  xRiot007 8 months, 2 weeks ago


It can be any of the 2. Either use an Azure custom script or a desired configuration script extension.
upvoted 1 times

  Tim_May_88 1 year ago


Same as question 79. Duplication in the questions is unfortunate. We paid to see a variety of different questions across all the subject
matter domain. Please remove the duplicates.
upvoted 2 times

  Notteb 1 year ago


Selected Answer: A

A. Azure Custom Script Extension


upvoted 1 times

  Ashfaque_9x 1 year, 1 month ago

Selected Answer: A

A. Azure Custom Script Extension


upvoted 1 times

  khaled_razouk 1 year, 1 month ago


A. Azure Custom Script Extension
upvoted 1 times
  buzzerboy 1 year, 1 month ago
There are two ways to ensure specific things are installed. One is by using DesiredStateConfiguration extension, and the other is by
running a custom script along with a custom script extension. In this case the only available option is custom script. So A)
upvoted 2 times

  buzzerboy 1 year, 1 month ago


It is not the *Publish-AzVMDscConfiguration cmdlet* because that cmdlet just "uploads a Desired State Configuration (DSC) script to
Azure blob storage, which later can be applied to Azure virtual machines using the Set-AzVMDscExtension cmdlet."
https://learn.microsoft.com/en-us/powershell/module/az.compute/publish-azvmdscconfiguration?view=azps-9.2.0
upvoted 2 times

  Muffay 1 year, 1 month ago


On a second thought, it might also be "the Publish-AzVMDscConfiguration cmdlet".

We can publish a DSC configuration with that one - but what is missing here is assigning the DSC configuration to the VMs. So I think A is
still the more complete solution.
upvoted 1 times

  Muffay 1 year, 1 month ago

Selected Answer: A

A is correct, a Custom Script extension can be used to install custom resources after a deployment.
upvoted 2 times
Question #86 Topic 4

HOTSPOT

You have an Azure subscription that contains a resource group named RG1.

You plan to use an Azure Resource Manager (ARM) template named template1 to deploy resources. The solution must meet the following

requirements:

• Deploy new resources to RG1.

• Remove all the existing resources from RG1 before deploying the new resources.

How should you complete the command? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Correct Answer:

  sss123412 Highly Voted  1 year, 1 month ago

correct answer

-Mode
Specifies the deployment mode. The acceptable values for this parameter are:

Complete: In complete mode, Resource Manager deletes resources that exist in the resource group but are not specified in the template.
Incremental: In incremental mode, Resource Manager leaves unchanged resources that exist in the resource group but are not specified
in the template.

https://learn.microsoft.com/en-us/powershell/module/az.resources/new-azresourcegroupdeployment?view=azps-9.2.0

There is no such mode called "All"


upvoted 41 times

  Ashfaque_9x Highly Voted  1 year ago

Passed today on 29Jan23 with a score of 970. This question was in the exam.
The provided answer is correct. "-ResourceGroupName" and "Complete".
upvoted 21 times

  devops_devops Most Recent  1 month ago

This question was in exam 15/01/24


upvoted 5 times
  zellck 1 year ago
1. -ResourceGroupName
2. Complete

https://learn.microsoft.com/en-us/powershell/module/az.resources/new-azresourcegroupdeployment?view=azps-9.3.0#-resourcegroupname
Specifies the name of the resource group to deploy.

https://learn.microsoft.com/en-us/powershell/module/az.resources/new-azresourcegroupdeployment?view=azps-9.3.0#-mode
Specifies the deployment mode. The acceptable values for this parameter are:
-Complete: In complete mode, Resource Manager deletes resources that exist in the resource group but are not specified in the template.
- Incremental: In incremental mode, Resource Manager leaves unchanged resources that exist in the resource group but are not specified
in the template.
upvoted 13 times

  zellck 12 months ago


Got this in Feb 2023 exam.
upvoted 8 times

  Paul_white 11 months, 3 weeks ago


WOULD BE WRITING MINE ON THE 25 :)
upvoted 1 times

  Onobhas01 1 year, 1 month ago


- ResourceGroupName
- Complete Mode
upvoted 1 times

  Muffay 1 year, 1 month ago


Answer is correct.
"In complete mode, Resource Manager deletes resources that exist in the resource group but are not specified in the template."
https://learn.microsoft.com/en-us/powershell/module/az.resources/new-azresourcegroupdeployment?view=azps-9.2.0#-mode
upvoted 5 times
Question #87 Topic 4

HOTSPOT

You have an Azure App Service web app named app1.

You configure autoscaling as shown in following exhibit.

You configure the autoscale rule criteria as shown in the following exhibit.
Use the drop-down menus to select the answer choice that answers each question based on the information presented in the graphic.

NOTE: Each correct selection is worth one point.


Correct Answer:

  sss123412 Highly Voted  1 year, 1 month ago

2, 15
Initial instance is 1 as specified in first figure.
80% for 15 minutes reaches 10 minutes duration, but haven't reached second turn of scale out, so only one new instance is created.
Since cool down time is 5 minutes, which means after one scale happens, it will count 5 minutes before counting a new 10 minutes, so 15
minutes total.
upvoted 77 times

  KpiTalisTTT 7 months, 1 week ago


This is not how it works, after 5min of CD Azure doesn't need to wait another 10 min...after 5 min CD if the CPU is still greater than 70%
it will increment another instance.
upvoted 11 times

  KpiTalisTTT 7 months, 1 week ago


BTW my answers are 2 and 5
upvoted 8 times

  KpiTalisTTT 5 months, 4 weeks ago


NVM it is 2-15
upvoted 4 times

  GoldenDisciple2 5 months, 1 week ago


I appreciate your commitment to correcting your comment. lol I was a little confused at first. Very much appreciated.
upvoted 4 times

  zellck 1 year ago


The counting of 10 mins starts from last scale out, not from after cool down timer.

https://learn.microsoft.com/en-us/azure/azure-monitor/autoscale/autoscale-understanding-settings#autoscale-setting-schema
Cool down (minutes)
- The amount of time to wait after a scale operation before scaling again. For example, if cooldown = “PT10M”, autoscale doesn't
attempt to scale again for another 10 minutes. The cooldown is to allow the metrics to stabilize after the addition or removal of
instances.
upvoted 4 times

  SimonSM178 10 months, 3 weeks ago


but the trigger to scale out says "if CPU use is greater than 75% for 10 minutes". shouldn't you interpret it is as 5 minutes cooldown
= 5 minutes for which no scaling action will be performed. after 5 minutes, Azure can scale again, but it needs 10 minutes of CPU
higher than 75% to perform another scale out, right? so 5 cooldown + 10 minutes (according to the rule) should be 15 minutes.
please correct me if I'm wrong
upvoted 3 times

  Rams_84zO6n 10 months, 3 weeks ago


shouldn't the second answer be 5 minutes? First time the stats are not available, so it has to wait 10 min for stats, increase
instance count, cool down for 5 minutes. Now it has stats that goes back to 10 minutes, so there is no need to wait for another 10
minutes to compute stats. So min. time to wait before additional instance creation must be 5 minutes. Do you agree?
upvoted 4 times

  SimonSM178 10 months, 2 weeks ago


I don't think so, the action trigger is CPU usage greater than 70% for 10 minutes. It doesn't say "as soon as CPU usage is
greater than 70%". In my opinion, there are 5 minutes cooldown since the last scale-out, if after the scale-out CPU still is at
70%, then you need 10 minutes more.
upvoted 3 times

  Spooky7 Highly Voted  10 months, 3 weeks ago

I don't know why but it seems that majority of people commenting here don't know exactly how autoscaling works. So let me explain few
things. Duration value is only used for data range - how much data autoscaling system has to aggregate to determine if rule applies or
not. Cooldown - how much time has to pass before next autoscale operation to trigger. So once you start you app the first autoscale may
happen not earlier than after duration value (because you need specific data range). Each next will happen every cooldown value. So:
- first scale out will happen after 10 minutes (duration value)
- next scale out will happen after 15 minutes (+5 minutes of cooldown)
Therefore answer for first question is 3 instances

Second one is simpler. Scaling operation just happened. So next scaling may happen after cooldown time which is 5 minutes.
upvoted 43 times

  cloudbaron 2 months, 1 week ago


Agree. Ref: https://vunvulear.medium.com/miss-configuration-of-azure-auto-scaling-feature-eeb1eae37721

Excerpt from the link - which seems to be the key takeaway:


"The misconfiguration was at the cooldown value, which was set to 20 minutes and was triggering the check of the rules every 20
minutes. The wrong assumption was that after the cooldown period, Azure will wait for another 40 minutes to check the rule no. 1, 120
minutes to check the rule no. 2 and 60 minutes for rule no 3."
upvoted 2 times

  ki01 1 month, 3 weeks ago


at least someone finally got it
upvoted 2 times

  sismer 1 month, 4 weeks ago


Exactly .. most people are providing wrong answers to this question. It needs a little experience with Azure to get the trick.
upvoted 2 times
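The two readings argued in this thread, put side by side as an added example that is not part of any post or of Microsoft's documentation: a minute-by-minute Python model of a single scale-out rule, run once with a sliding look-back window and once with a window that must refill after the cooldown. The 70% threshold, the constant 80% load, the maximum of 5 instances and all names are assumptions, since the exhibits are not reproduced on this page.

```python
from dataclasses import dataclass


@dataclass
class ScaleOutRule:
    threshold: float      # average CPU % that must be exceeded
    duration_min: int     # look-back window ("Duration")
    cooldown_min: int     # wait after a scale action ("Cool down")
    step: int = 1         # instances added per scale-out


def simulate(cpu_by_minute, rule, initial=1, maximum=5, window_restarts=False):
    """Return (scale_out_minutes, instances_by_minute).

    cpu_by_minute[i] is the average CPU between t=i and t=i+1 minutes.
    window_restarts=False: sliding window; samples collected during the
        cooldown still count once the cooldown has elapsed.
    window_restarts=True: samples from before the end of the cooldown are
        discarded, so a full new duration must pass after the cooldown.
    """
    instances = initial
    events = []
    timeline = [instances]   # instance count at t=0
    earliest_sample = 0      # first minute whose sample may be used
    next_allowed = 0         # minute at which the current cooldown ends
    for t in range(1, len(cpu_by_minute) + 1):
        window_start = t - rule.duration_min
        have_window = window_start >= earliest_sample
        if have_window and t >= next_allowed and instances < maximum:
            window = cpu_by_minute[window_start:t]
            if sum(window) / len(window) > rule.threshold:
                instances = min(maximum, instances + rule.step)
                events.append(t)
                next_allowed = t + rule.cooldown_min
                if window_restarts:
                    earliest_sample = next_allowed
        timeline.append(instances)
    return events, timeline


def wait_after_first_scale_out(events):
    """Minutes between the first and second scale-out, or None."""
    return events[1] - events[0] if len(events) > 1 else None


# Constructed input: 30 minutes at a constant 80% CPU.
LOAD = [80.0] * 30
RULE = ScaleOutRule(threshold=70.0, duration_min=10, cooldown_min=5)

if __name__ == "__main__":
    for restarts in (False, True):
        events, timeline = simulate(LOAD, RULE, window_restarts=restarts)
        label = "window refills" if restarts else "sliding window"
        print(f"{label}: scale-outs at {events}, "
              f"instances at t=15: {timeline[15]}, "
              f"wait after first: {wait_after_first_scale_out(events)} min")
```

Under the sliding-window reading the count at exactly t=15 depends on whether the evaluation at the 15-minute mark is counted, which is the boundary several replies argue over; the model counts it.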

  SDiwan Most Recent  1 week ago

First answer is 3 . After 10 mins, first scale out happens (+1), then after 5 mins of cooling the system checks if last 10 mins usage was
above threshold, then 2nd scale out (+1). So total, 3 instances after 15 mins.

2. 5 , cooling period is 5 mins, so after first scale out, wait for 5 mins and then check again the usage.
upvoted 1 times

  amsioso 2 months, 1 week ago


2, 15
"The cooldown period for each rule dictates how long after the previous scale action (whatever rule [..] was [triggered]), the rule can be
applied [again]." Source: https://github.com/MicrosoftDocs/azure-docs/issues/17169
upvoted 1 times

  amsioso 2 months, 1 week ago


Sorry 3, 5
https://www.youtube.com/watch?app=desktop&v=EbiID16PDuk
https://www.linkedin.com/pulse/miss-configuration-azure-auto-scaling-feature-radu-vunvulea/
https://learn.microsoft.com/en-us/azure/azure-monitor/autoscale/autoscale-get-started#cool-down-period-effects
upvoted 5 times

  SgtDumitru 2 months, 2 weeks ago


In order to answer the question, it is important to understand how Azure scale actions are triggered.
Let's use the same params as in the question: 10 minutes duration of scale-out verification and 5 minutes of cool down.
Once the action meets the criteria for 10 minutes, the action is triggered. After that, 5 minutes are reserved for the scale-out action to take place and the app
to rebalance the load.
Next, if the load still meets the auto-scale rule, it will start counting another 10 minutes to see if the load is still high even after the previous scale-out. If
yes, only then will a new instance start running and another 5 minutes of cool down be started.

Therefore, answer for this questions are:


1) 2 instances;
2) 15 minutes.
upvoted 1 times

  Batiste2023 3 months, 3 weeks ago


The answers are 3 and 5.

"The cooldown period for each rule dictates how long after the previous scale action (whatever rule [..] was [triggered]), the rule can be
applied [again]."
Source: https://github.com/MicrosoftDocs/azure-docs/issues/17169

The first question is a bit theoretical: it makes it appear that the load stays constant at 80% for 15 minutes - which would mean that after
the second instance is created after 10 minutes, demand increases accordingly so that even then 80% load is maintained, with no load
decrease.
Anyway, were that to happen, then after another 5 minutes of cooling down, the rule would be allowed to be triggered again, after 15
minutes in total - to create a third instance.
upvoted 5 times

  mark55665 3 months, 2 weeks ago


agree this answer
upvoted 2 times

  Wuhao 3 months, 3 weeks ago


3,5
As it mentioned by https://learn.microsoft.com/en-us/azure/app-service/environment/app-service-environment-auto-scale
upvoted 3 times

  MGJG 5 months, 3 weeks ago


OpenAI:
Let's say you have an Azure Virtual Machine Scale Set that's serving a web application. You've set up autoscaling rules to add instances
when the CPU usage exceeds 70% and to remove instances when it drops below 30%. After a scaling event, you've configured a 5-minute
cooldown period.
If the CPU usage goes above 70%, the autoscaler adds more instances to handle the increased load.
During the next 5 minutes, even if the CPU usage remains high, the autoscaler won't take any further scaling actions due to the cooldown
period.
After the cooldown period elapses, the autoscaler will reevaluate the metrics and potentially trigger another scaling action if the
conditions are still met.
upvoted 2 times

  MEG_Florida 6 months, 1 week ago


Answer: 2/5

Question 1 - Some folks have done a good job of explaining but people still misunderstand cooldowns so I will try one more time, maybe a
little differently.

In our case the rule requires a straight 10 minutes of data aggregation above 70 to add another node.

This does NOT mean that its additive in increments 10, 20, 30, 40, 50 and it scales out at each 10 minute interval.
And it definitely does NOT mean 10+5 = 15.

The 10 minutes is a SLIDING window based on the interval and the Cooldown
Example
|____over_70______| 10 minutes went by over 70 -- Scale up 1
|____over_70______|__STill_Over_70____| Cooldown of 5 went by and it was STILL above 70 so it scaled again.

AKA in 15 minutes it scaled 2 times because it never dropped below 70 to reset the 10 minute aggregation need.
upvoted 2 times

  Betancourt 5 months, 3 weeks ago


I think you describe the correct operation, but regarding the first question it would be 3, right?
That is, after 10min a scaling operation occurs. Afterwards there is a cooling time of 5min. So at 15 minutes it rechecks the last 10
minutes of performance and the second scaling operation occurs.
2 operations + the node that initially works = 3.

If the example were 16 minutes, it would be clear. It would be 3.


But since it is just 15min, the question remains as to whether the second scaling operation will take place. Since the statement
indicates "after" ("After CPU usage...") I understand that it does give time to the second operation.
Thanks for your time.
upvoted 5 times

  Siraf 7 months, 1 week ago


Answer is 2 and 5.
Duration: The amount of time to look back for metrics. For example, timeWindow = "PT10M" means that every time autoscale runs, it
queries metrics for the past 10 minutes. The time window allows your metrics to be normalized and avoids reacting to transient

cooldown: The amount of time to wait after a scale operation before scaling again. For example, if cooldown = "PT10M", autoscale doesn't
attempt to scale again for another 10 minutes. The cooldown is to allow the metrics to stabilize after the addition or removal of instances.

https://learn.microsoft.com/en-us/azure/azure-monitor/autoscale/autoscale-understanding-settings

So, if cooldown = 5 min and Duration = 10 min, after one scale (say at 10:15 AM), it will wait 5 min (10:20 AM) but it will look back 10 min
which means it will look from 10:10 AM to 10:20 AM.
upvoted 4 times

  Siraf 7 months, 1 week ago


Answer is 2 and 5.
Duration: The amount of time to look back for metrics. For example, timeWindow = "PT10M" means that every time autoscale runs, it
queries metrics for the past 10 minutes. The time window allows your metrics to be normalized and avoids reacting to transient

cooldown: The amount of time to wait after a scale operation before scaling again. For example, if cooldown = "PT10M", autoscale doesn't
attempt to scale again for another 10 minutes. The cooldown is to allow the metrics to stabilize after the addition or removal of instances.

https://learn.microsoft.com/en-us/azure/azure-monitor/autoscale/autoscale-understanding-settings

So, if cooldown = 5 min and Duration = 10 min, after one scale (say at 10:15 AM), it will wait 5 min (10:20 PM) but it will look back 10 min
which means it will look for 10:10 AM to 10:20 AM.
upvoted 2 times

  Siraf 7 months, 1 week ago


above, I mean 10:20 AM , not PM
upvoted 1 times

  chiquito 8 months ago


If I understand correctly what Microsoft says about cool down, I think answer 2 will be 5 minutes.
I understand that the first 10 minutes are the initial count (add 1 instance after 10 minutes). Then auto-scaling says " let's give it 5 minutes
to cool down to see what happens". If after these 5 minutes the cpu percentage is still at 80%, add another instance, otherwise, if it is
below 70%, leave it at 2 instances.

Box1 : 2
Box2 : 5
Please correct me if I am wrong.

https://learn.microsoft.com/en-us/azure/azure-monitor/autoscale/autoscale-get-started#cool-down-period-effects
upvoted 1 times

  RandomNickname 8 months, 2 weeks ago


Q1 is straight forward
Q2, From what I understand and reading the URL
https://learn.microsoft.com/en-us/azure/azure-monitor/autoscale/autoscale-understanding-settings#autoscale-evaluation

Duration. The amount of time to look back for metrics. For example, timeWindow = "PT10M" means that every time autoscale runs, it
queries metrics for the past 10 minutes. The time window allows your metrics to be normalized and avoids reacting to transient spikes.

Cool down (minutes). The amount of time to wait after a scale operation before scaling again. For example, if cooldown = "PT10M",
autoscale doesn't attempt to scale again for another 10 minutes. The cooldown is to allow the metrics to stabilize after the addition or
removal of instances.

So should be 5min for Q2


upvoted 2 times

  ppolychron 9 months ago


3 instances , 5 minutes

Explanation:
Let's say that the process starts at 00:00
a) At 00:10 we have enough metrics so an evaluation is performed.
Average is above 70% so increase instance by 1. Now we have 2 instances
b) Cool down is 5 minutes, so next evaluation is AT 00:15 and it checks the metrics from 00:05-00:15. Average is above 70% so increase
instance by 1. Now we have 3 instances
c) Cool down is 5 minutes, so next evaluation is AT 00:20 and it checks the metrics from 00:10-00:20 and so on.....

I was very confused from all the comments so I checked this in my LAB. The only difference is that I used a cool down of 2 minutes. I
generated traffic using apache benchmark tool (https://www.apachelounge.com/download/). After the first scale out, every 2 minutes
another scale-out would happen.

Note: CMD for Apache Tool: abs -n 15000 -c 100 https://<youapp>.azurewebsites.net/


upvoted 21 times

  houzer 1 month, 1 week ago


This is the correct answer, 3 and 5.
upvoted 1 times

  marioZuo 6 months, 2 weeks ago


And MS should ask 16 minutes not 15 minutes, otherwise someone would confuse it is triggered 2 times or just one time.
upvoted 1 times

  Ccastan1 8 months, 3 weeks ago


I agree with you
upvoted 1 times

  msxdan 9 months, 2 weeks ago


2, 10
I see a lot of people here stating different results, but to be honest, the cooldown is used to avoid scaling before the metrics are stable

What would happen if the condition is evaluated every 1 minute? it will wait for cooldown before scaling even if the condition is met

So if cooldown is 5 minutes and the evaluation is 10, when it's checking the condition the cooldown is over, so it will scale

I use a lot of AppServices with auto scaling and that's how it works, as a real example I could say that in one AppService it scales every 5
mins when there's load, the condition is checked every minute and the cooldown is 5 minutes, if people that thinks that is time + cooldown
it would be 6 mins, but it's not

Would be something like this (triggered when duration time occurs):


if (conditionIsMet) {
    if (elapsedTime >= cooldown) {
        scale();
    }
} else { /**/ }

https://learn.microsoft.com/en-us/azure/azure-monitor/autoscale/autoscale-get-started?toc=%2Fazure%2Fapp-service%2Ftoc.json#cool-down-period-effects
upvoted 3 times

  ericZX 10 months, 1 week ago


I will go 2 & 15
“The short answer is that the metric duration does not include the cool down period.”
from
https://github.com/MicrosoftDocs/azure-docs/issues/56120
upvoted 2 times

  Rams_84zO6n 10 months, 3 weeks ago


one small correction. It should be at t+14 (not t+4), instance count is 4. apologies.
upvoted 1 times
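
Added example (not part of the original thread and not Azure's autoscale engine): a minute-by-minute model of the duration window and cooldown definitions quoted above, for a scale-out rule of "average CPU > 70% over 10 minutes, add 1 instance, cooldown 5 minutes". Assumptions: the rule is evaluated once per minute, the first evaluation needs a full window of data, and the load values are constructed sample data.

```python
from dataclasses import dataclass


@dataclass
class ScaleOutRule:
    threshold: float   # average CPU % that must be exceeded
    duration_min: int  # look-back window (the "Duration" / timeWindow setting)
    cooldown_min: int  # wait after a scale operation before scaling again
    step: int = 1      # instances added per scale-out


def simulate(cpu_by_minute, rule, start_instances=1, max_instances=10):
    """Replay a CPU series through the rule.

    cpu_by_minute[i] is the average CPU % observed during minute i
    (from t=i to t=i+1). Returns a list of (minute, instance_count)
    tuples, one per scale-out.
    """
    instances = start_instances
    last_scale = None
    events = []
    for now in range(1, len(cpu_by_minute) + 1):
        # Assumption: no decision until a full look-back window exists.
        if now < rule.duration_min:
            continue
        # Cooldown: no further scale action until it has elapsed.
        if last_scale is not None and now - last_scale < rule.cooldown_min:
            continue
        # Sliding window: always the most recent duration_min minutes,
        # so it can include minutes from before the previous scale-out.
        window = cpu_by_minute[now - rule.duration_min:now]
        average = sum(window) / len(window)
        if average > rule.threshold and instances < max_instances:
            instances += rule.step
            last_scale = now
            events.append((now, instances))
    return events


def instances_at(events, minute, start_instances=1):
    """Instance count in effect at a given minute."""
    count = start_instances
    for when, total in events:
        if when <= minute:
            count = total
    return count


if __name__ == "__main__":
    rule = ScaleOutRule(threshold=70, duration_min=10, cooldown_min=5)

    # Constructed load: CPU stays at 80% no matter how many instances exist.
    sustained = [80] * 20
    print("sustained load:", simulate(sustained, rule))

    # Constructed load: CPU falls to 40% right after the first scale-out.
    relieved = [80] * 10 + [40] * 10
    print("load relieved: ", simulate(relieved, rule))

    # Same rule with a 2-minute cooldown, as in the lab test described above.
    lab_rule = ScaleOutRule(threshold=70, duration_min=10, cooldown_min=2)
    print("2-min cooldown:", simulate([80] * 16, lab_rule))
```

Under these assumptions the second scale-out lands at minute 15 only because the look-back window never dropped to 70% or below; when the load falls after the first scale-out, the window average falls with it and no further instance is added.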

Question #88 Topic 4

You have an Azure subscription.

You plan to deploy the Azure container instances shown in the following table.

Which instances can you deploy to a container group?

A. Instance1 only

B. Instance2 only

C. Instance1 and Instance2 only

D. Instance3 and Instance4 only

Correct Answer: C

Community vote distribution


D (95%) 5%

  Notteb Highly Voted  1 year ago

Selected Answer: D

Answer is D.
https://learn.microsoft.com/en-us/azure/container-instances/container-instances-container-groups
Multi-container groups currently support only Linux containers. For Windows containers, Azure Container Instances only supports
deployment of a single container instance. While we are working to bring all features to Windows containers, you can find current
platform differences in the service
upvoted 42 times

  oopspruu Highly Voted  5 months, 3 weeks ago

Selected Answer: D

Read the question carefully. The instances you are about to deploy will be deployed "in a Container Group", making it a multi-instance
container group. As per the article referred below, it's only available for Linux Containers for now:

https://learn.microsoft.com/en-us/azure/container-instances/container-instances-container-groups

Multi-container groups currently support only Linux containers. For Windows containers, Azure Container Instances only supports
deployment of a single container instance.
upvoted 6 times

  OpsWI Most Recent  1 month, 3 weeks ago

Answer is D, supports only linux


upvoted 1 times

  msstanci 4 months, 3 weeks ago


https://learn.microsoft.com/en-us/azure/container-instances/container-instances-multi-container-yaml
upvoted 1 times

  GoldenDisciple2 5 months, 1 week ago


Selected Answer: D

Answer is D
upvoted 1 times

  Teroristo 6 months, 2 weeks ago


Answer(s): C
Explanation:
Azure Container Instances, what Windows base OS images are supported?
Windows Server 2019 and client base images
Nano Server: 1809, 10.0.17763.1040 or newer
Windows Server Core: ltsc2019, 1809, 10.0.17763.1040 or newer
Windows: 1809, 10.0.17763.1040 or newer
Etc.
Reference:
https://learn.microsoft.com/en-us/azure/container-instances/container-instances-faq
upvoted 1 times

  sawanti 6 months, 2 weeks ago


BRUH, you are talking about Container Instances, not Container Groups...

"Multi-container groups currently support only Linux containers. For Windows containers, Azure Container Instances only supports
deployment of a single container instance. While we are working to bring all features to Windows containers, you can find current
platform differences in the service Overview."

https://learn.microsoft.com/en-us/azure/container-instances/container-instances-container-groups
upvoted 4 times

  Bentot 7 months ago


The question is, You plan to deploy the Azure container instances and not Multi-container groups.
Found this article from Microsoft:
Multi-container groups currently support only Linux containers. For Windows containers, Azure Container Instances only supports
deployment of a single container instance.
https://learn.microsoft.com/en-us/azure/container-instances/container-instances-container-groups
upvoted 1 times

  Mebyxu 11 months, 1 week ago


Selected Answer: C

https://learn.microsoft.com/en-us/azure/container-instances/container-instances-overview#linux-and-windows-containers
upvoted 3 times

  vldt 10 months ago


actually the link you have provided is supporting the D option, not C:
"Some features are currently restricted to Linux containers: Multiple containers per container group"
upvoted 2 times

  kilobaik 11 months, 2 weeks ago

Selected Answer: D

Multi-container groups currently support only Linux containers. For Windows containers, Azure Container Instances only supports
deployment of a single container instance. While we are working to bring all features to Windows containers, you can find current
platform differences in the service
upvoted 3 times

  zellck 1 year ago

Selected Answer: D

D is the answer.

https://learn.microsoft.com/en-us/azure/container-instances/container-instances-container-groups#what-is-a-container-group
Multi-container groups currently support only Linux containers. For Windows containers, Azure Container Instances only supports
deployment of a single container instance.
upvoted 4 times

  DeBoer 1 year ago

Selected Answer: D

Since the question states "... deploy to a container group?" I'd also go for D here
upvoted 2 times

  equipowindows 1 year ago


Answer is C, is a single container (just Windows), not a multigroup container (just linux).
Multi-container groups currently support only Linux containers.
For Windows containers, Azure Container Instances only supports deployment of a single container instance.
upvoted 1 times

  Notteb 1 year ago


so...D then, if we're following your explanation
upvoted 2 times

  moshos 1 year ago

Selected Answer: D

Correct answer:D
upvoted 3 times

  Henryjb3 1 year ago


Answer is D.
https://learn.microsoft.com/en-us/azure/container-instances/container-instances-container-groups
Multi-container groups currently support only Linux containers. For Windows containers, Azure Container Instances only supports
deployment of a single container instance. While we are working to bring all features to Windows containers, you can find current
platform differences in the service
upvoted 3 times

  AzureJobsTillRetire 1 year ago


I agree. I think there is no docker image for core service installation of windows server 2019
upvoted 1 times

  DeBoer 1 year ago


yes - there is a core image (ltsc2019): https://learn.microsoft.com/en-us/virtualization/windowscontainers/manage-containers/container-base-images
upvoted 1 times

  uise 1 year ago


I think the correct answer is D
upvoted 3 times

Question #89 Topic 4

You plan to deploy several Azure virtual machines that will run Windows Server 2019 in a virtual machine scale set by using an Azure Resource

Manager template.

You need to ensure that NGINX is available on all the virtual machines after they are deployed.

What should you use?

A. Azure Custom Script Extension

B. Deployment Center in Azure App Service

C. the New-AzConfigurationAssignment cmdlet

D. Azure AD Application Proxy

Correct Answer: A

Community vote distribution


A (100%)

  thelukas1997 Highly Voted  1 year ago

Key word 'NGINX' always will be '...extension'. It was in all of these questions.
upvoted 8 times

  Notteb Highly Voted  1 year ago

Selected Answer: A

This question comes up maybe 4 times in this dump, answer is still A


upvoted 6 times

  oopspruu Most Recent  5 months, 3 weeks ago

This question has come up probably 30 times so far. It better be on my exam now lol
upvoted 2 times

  marioZuo 6 months, 3 weeks ago


I love this question!!!!
upvoted 2 times

  zellck 1 year ago


Selected Answer: A

A is the answer.

https://learn.microsoft.com/en-us/azure/virtual-machines/extensions/custom-script-windows
The Custom Script Extension downloads and runs scripts on Azure virtual machines (VMs). This extension is useful for post-deployment
configuration, software installation, or any other configuration or management task. You can download scripts from Azure Storage or
GitHub, or provide them to the Azure portal at extension runtime.
upvoted 3 times

  Tim_May_88 1 year ago


I have seen this question no less than 3 times in the different question sets. Please, remove the duplicates.
upvoted 3 times

  Ashfaque_9x 1 year ago

Selected Answer: A

A. Azure Custom Script Extension


upvoted 1 times

  GeoPoi 1 year ago

Selected Answer: A

As per previous questions, look for the extension key in the answer
upvoted 3 times

Question #90 Topic 4

You have an Azure subscription that has the public IP addresses shown in the following table.

You plan to deploy an instance of Azure Firewall Premium named FW1.

Which IP addresses can you use?

A. IP2 only

B. IP1 and IP2 only

C. IP1, IP2, and IP5 only

D. IP1, IP2, IP4, and IP5 only

Correct Answer: D

Community vote distribution


B (91%) 8%

  zellck Highly Voted  1 year ago

Selected Answer: B

B should be the correct answer instead.

https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/public-ip-addresses#at-a-glance
Azure Firewall
- Dynamic IPv4: No
- Static IPv4: Yes
- Dynamic IPv6: No
- Static IPv6: No

https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/configure-public-ip-firewall
Azure Firewall is a cloud-based network security service that protects your Azure Virtual Network resources. Azure Firewall requires at least
one public static IP address to be configured. This IP or set of IPs are used as the external connection point to the firewall. Azure Firewall
supports standard SKU public IP addresses. Basic SKU public IP address and public IP prefixes aren't supported.
upvoted 46 times

  xemgin Most Recent  3 months, 2 weeks ago

Selected Answer: A

Azure Firewall supports the Standard SKU and static IPv4, but it is restricted to the Regional tier only.
In the lab when setting up Azure Firewall with the Premium tier, it defaults to the Regional tier.
As of now, there isn't a direct choice to toggle between Regional and Global tiers during the Azure Firewall's initial configuration.
If you initiate the creation of a public IPv4 using the Global tier and later try to link it with Azure Firewall, the process will be unsuccessful.
This is attributed to Azure Firewall's exclusive compatibility with the Regional tier, excluding the Global tier.
upvoted 1 times

  xemgin 3 months, 1 week ago


Because there is no IP1 only, then the answer is B.
upvoted 4 times

  Babustest 4 months ago


Selected Answer: B

https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/configure-public-ip-firewall

-Azure Firewall requires at least one public static IP address to be configured. This IP or set of IPs is the external connection point to the
firewall.

-Azure Firewall supports Standard SKU public IP addresses. Basic SKU public IP address and public IP prefixes aren't supported.

https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/ipv6-overview
-Azure Firewall doesn't currently support IPv6. It can operate in a dual stack virtual network using only IPv4, but the firewall subnet must
be IPv4-only
upvoted 3 times

  AKUSORO 5 months ago

Selected Answer: B

Azure Firewall Supports Basic SKU and doesn't support IPV6


upvoted 1 times

  MatAlves 2 weeks, 4 days ago


You probably meant "Standard".

"Azure Firewall supports Standard SKU public IP addresses. Basic SKU public IP address and public IP prefixes aren't supported."

https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/configure-public-ip-firewall
upvoted 1 times

  oopspruu 5 months, 3 weeks ago


Selected Answer: B

Azure Firewalls Only Supports:


Standard SKU Public IPs, IPv4.

It doesn't support Basic SKU and Public IP prefixes.


upvoted 2 times

  FK2019 7 months, 3 weeks ago


As per
https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/ipv6-overview
Azure Firewall doesn't support IPv6, It can operate in a dual-stack VNet using IPv4 only.
So Answer B is correct.
upvoted 1 times

  ExamKiller020 7 months ago


Better REF link: https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/ipv6-overview#limitations
upvoted 1 times

  ericZX 9 months, 3 weeks ago


Selected Answer: B

Azure Firewall doesn't currently support IPv6. It can operate in a dual stack VNet using only IPv4, but the firewall subnet must be IPv4-
only.
upvoted 4 times

  hfk2020 10 months ago


Answer is C
When deploying an Azure Firewall Premium instance, you can choose from two types of public IP addresses: Standard SKU and Global
SKU.

The Standard SKU public IP address is assigned to a specific region and can be used for Azure Firewall instances deployed within that
region only.

The Global SKU public IP address, as the name suggests, is a globally unique IP address that can be used for Azure Firewall instances
deployed in any region around the world.

In general, if you plan to deploy Azure Firewall instances in multiple regions, it is recommended to use the Global SKU. However, if you
only plan to deploy Azure Firewall instances in a single region, the Standard SKU may be more cost-effective.
upvoted 2 times

  mscert2023 11 months ago


Selected Answer: B

B = C - IPv6
https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/ipv6-overview
upvoted 2 times

  VivekBishnoi1982 7 months, 2 weeks ago


In above link, https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/ipv6-overview
it is clearly mentioned that:
Azure Firewall doesn't currently support IPv6. It can operate in a dual stack VNet using only IPv4, but the firewall subnet must be IPv4-
only.
upvoted 1 times

  AzureMasterChamp 11 months, 2 weeks ago


Answer should be "IP1, IP2, and IP5" as Azure firewall supports standard SKU, static public IP addresses.
upvoted 2 times

  amiray 11 months, 2 weeks ago


IP5 is in IPv6 Static which isn't supported link below date of 08 Feb 2023
https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/public-ip-addresses#at-a-glance
upvoted 5 times

  kilobaik 11 months, 2 weeks ago

Selected Answer: B

Azure Firewall supports standard SKU public static IPv4 addresses.

https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/public-ip-addresses#at-a-glance
https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/configure-public-ip-firewall
upvoted 3 times

  ktrfrnd26 12 months ago


IPv6 not currently supported If you add an IPv6 address to a rule, the firewall fails. Use only IPv4 addresses. IPv6 support is under
investigation. https://learn.microsoft.com/en-us/azure/firewall/overview
upvoted 3 times

  skydivex 1 year ago


B is the correct answer…… Firewall supports only IPv4, Standard and Static
upvoted 4 times

  keszi 1 year ago


https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/ipv6-overview
Azure Firewall doesn't currently support IPv6. It can operate in a dual stack VNet using only IPv4, but the firewall subnet must be IPv4-
only.
upvoted 1 times

  infinity1989 1 year ago


C as it requires public static and standard SKU IP address.
upvoted 1 times

  infinity1989 1 year ago


Answer should be B as it does not support IPv6
upvoted 2 times

  lkjsatlwjwwge 1 year ago

Selected Answer: B

Just to change the most voted answer which now shows as C. r3nenge explains why B is the answer.
upvoted 4 times

  GBAU 1 year ago


Selected Answer: B

Answer: B. IP1 and IP2 only

Azure Firewall Front-end configuration currently only supports Static IPv4


Tier is not important in this question.

https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/public-ip-addresses#at-a-glance
upvoted 3 times

Question #91 Topic 4

HOTSPOT

You have an Azure subscription.

You need to deploy a virtual machine by using an Azure Resource Manager (ARM) template.

How should you complete the template? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Correct Answer:
  crymo99 Highly Voted  9 months, 2 weeks ago

- dependsON: resourceID
- storageProfile: ImageReference

ref: https://learn.microsoft.com/en-us/azure/virtual-machines/windows/ps-template
upvoted 30 times

  Kverma7 Highly Voted  5 months, 3 weeks ago

This was in Exam 23-08-23


upvoted 9 times

  Navigati0n Most Recent  6 months, 4 weeks ago

The dependsOn property specifies the resources that must be created before the virtual machine can be created. In this case, the virtual
machine must depend on the network interface. The storageProfile property specifies the storage configuration for the virtual machine. In
this case, the virtual machine will use an image from the Microsoft Windows Server image gallery.
upvoted 8 times
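
Added example (not part of the original thread or of Microsoft's tooling): a small checker for the two template properties discussed above. It resolves each dependsOn entry to a resource in the same template, derives the creation order, and flags a VM whose storageProfile has no imageReference or whose NIC is referenced without being listed in dependsOn. Assumptions: the template fragment and resource names are constructed, and only the two-argument resourceId('type', 'name') form is parsed.

```python
import re

# Constructed ARM template fragment (sample names, not from the page).
NIC_ID = "[resourceId('Microsoft.Network/networkInterfaces', 'vm1-nic')]"
TEMPLATE = {
    "resources": [
        {
            "type": "Microsoft.Compute/virtualMachines",
            "name": "vm1",
            "dependsOn": [NIC_ID],
            "properties": {
                "storageProfile": {
                    "imageReference": {
                        "publisher": "MicrosoftWindowsServer",
                        "offer": "WindowsServer",
                        "sku": "2019-Datacenter",
                        "version": "latest",
                    }
                },
                "networkProfile": {"networkInterfaces": [{"id": NIC_ID}]},
            },
        },
        {
            "type": "Microsoft.Network/networkInterfaces",
            "name": "vm1-nic",
            "dependsOn": [
                "[resourceId('Microsoft.Network/virtualNetworks', 'vnet1')]"
            ],
        },
        {"type": "Microsoft.Network/virtualNetworks", "name": "vnet1"},
    ]
}

# Simplification: real templates allow more resourceId arguments and
# plain resource names in dependsOn; this parser handles one form only.
RESOURCE_ID = re.compile(r"^\[resourceId\('([^']+)',\s*'([^']+)'\)\]$")


def parse_dependency(expression):
    """Return (type, name), lower-cased, from a resourceId() expression."""
    match = RESOURCE_ID.match(expression.strip())
    if not match:
        raise ValueError(f"unsupported dependency expression: {expression}")
    return match.group(1).lower(), match.group(2).lower()


def deployment_order(template):
    """Names of resources in an order that satisfies every dependsOn."""
    resources = {
        (r["type"].lower(), r["name"].lower()): r for r in template["resources"]
    }
    deps = {}
    for key, resource in resources.items():
        deps[key] = [parse_dependency(d) for d in resource.get("dependsOn", [])]
        for dep in deps[key]:
            if dep not in resources:
                raise ValueError(f"{key} depends on {dep}, not in template")

    order, state = [], {}

    def visit(key):
        if state.get(key) == "done":
            return
        if state.get(key) == "visiting":
            raise ValueError(f"circular dependency involving {key}")
        state[key] = "visiting"
        for dep in deps[key]:
            visit(dep)  # dependencies are created first
        state[key] = "done"
        order.append(resources[key]["name"])

    for key in resources:
        visit(key)
    return order


def lint_vm(vm):
    """Problems in a VM resource that is meant to be built from an image."""
    problems = []
    props = vm.get("properties", {})
    if "imageReference" not in props.get("storageProfile", {}):
        problems.append("storageProfile has no imageReference")
    declared = {parse_dependency(d) for d in vm.get("dependsOn", [])}
    for nic in props.get("networkProfile", {}).get("networkInterfaces", []):
        if parse_dependency(nic["id"]) not in declared:
            problems.append(f"NIC {nic['id']} is not listed in dependsOn")
    return problems


if __name__ == "__main__":
    print("creation order:", deployment_order(TEMPLATE))
    print("VM problems:", lint_vm(TEMPLATE["resources"][0]))
```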

  anjanc 7 months, 3 weeks ago


hmmmn m
upvoted 1 times

  chiquito 9 months, 1 week ago


- dependsON: resourceID
- storageProfile: ImageReference
Reference :
https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/resource-dependency#dependson
https://learn.microsoft.com/en-us/javascript/api/@azure/arm-compute/storageprofile?view=azure-node-latest
upvoted 7 times

Question #92 Topic 4

HOTSPOT

You need to configure a new Azure App Service app named WebApp1. The solution must meet the following requirements:

• WebApp1 must be able to verify a custom domain name of app.contoso.com.

• WebApp1 must be able to automatically scale up to eight instances.

• Costs and administrative effort must be minimized.

Which pricing plan should you choose, and which type of record should you use to verify the domain? To answer, select the appropriate options in

the answer area.

NOTE: Each correct answer is worth one point.

Correct Answer:

  Navigati0n Highly Voted  6 months, 4 weeks ago

WebApp1 must be able to verify a custom domain name of app.contoso.com. All paid tiers (Basic, Standard, Premium, Isolated) allow for
custom domains.
WebApp1 must be able to automatically scale up to eight instances. Auto-scaling is a feature that is available in the Standard, Premium,
and Isolated tiers. It is not available in the Basic tier, which allows you to manually scale up to 3 instances.
Costs and administrative effort must be minimized.
Pricing Plan: Given these requirements, the best option is the "Standard" tier. It offers both auto-scaling and custom domains, while being
less expensive than the Premium or Isolated tiers. The Basic tier does not support auto-scaling, and the Free and Shared tiers do not
support custom domains or auto-scaling.

For verifying a custom domain, Azure uses a CNAME or TXT record. The A record cannot be used for domain verification

Pricing Plan: Standard


Record Type: TXT
upvoted 37 times

  BE1234 3 months ago


To verify a domain, Azure uses TXT and MX record.
upvoted 5 times

  lulzsec2019 Highly Voted  7 months, 3 weeks ago

New Question for June 24 2023


upvoted 18 times

  Jessica_az Most Recent  6 months, 2 weeks ago

exam on 31/Jul/2023
upvoted 8 times

  RandomNickname 7 months, 2 weeks ago


Agree with given answer.
Basic only supports 3 instances and basic up to 10.
Record type to verify is TXT

Ref: https://azure.microsoft.com/en-us/pricing/details/app-service/windows/
Ref: https://learn.microsoft.com/en-us/azure/active-directory/enterprise-users/domains-manage
upvoted 3 times

  RandomNickname 7 months ago


Typo:
"basic up to 10."
Should be, "standard up to 10."
upvoted 5 times

  stonwall12 7 months, 2 weeks ago


Correct Answer.
Box 1: Standard (Requires up to 8 instances).
Ref: https://azure.microsoft.com/en-au/pricing/details/app-service/windows/

Box 2: TXT record (Required for domain verification).


Ref: https://learn.microsoft.com/en-us/azure/dns/dns-zones-records

Note: An 'A' record is used to map a domain name to an IP Address.


upvoted 4 times

  chiquito 7 months, 3 weeks ago


Provided answer is correct.
Box 1: Standard (basic supports only 3 instances)
Box 2: Record type TXT for the custom domain
Ref: https://azure.microsoft.com/en-us/pricing/details/app-service/windows/
https://learn.microsoft.com/en-us/azure/dns/dns-zones-records#txt-records
upvoted 2 times

Question #93 Topic 4

HOTSPOT

You have an Azure subscription that contains the virtual machines shown in the following table.

You create an Azure Compute Gallery named ComputeGallery1 as shown in the Azure Compute Gallery exhibit. (Click the Azure Compute Gallery

tab.)

In ComputeGallery1, you create a virtual machine image definition named Image1 as shown in the image definition exhibit. (Click the Image

Definition tab.)
For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Correct Answer:

  mmarkiew Highly Voted  4 months ago

So many people here are making assumptions without actually testing or validating them.

The answer is YYY - Tested in Lab. Neither the region, vCPU count, nor the VM generation had any impact on my ability to select a
particular VM OS disk as a source for an image version.
upvoted 18 times

  Alandt 1 month ago


Thanks for testing guys. Appreciate it. I hope your test is a fair representation of the question though.
upvoted 1 times

  mmarkiew 4 months ago


Steps I took via the Azure Portal:
- Created a new VM in Central US. Per the Overview blade, VM generation = V2, vCPUs = 1.
- Created a new Compute Gallery in West Europe.
- Added a new VM image definition to the Compute Gallery exactly as per the definition in the question (East US, VM generation = V1,
same recommended CPUs, etc.). When configuring the image version as part of the image VM image definition deployment, I had the
option to switch between regions. I selected Central US, and was able to then select the OS disk from the Gen2 VM I created in Central
US as the source for the image version. I was then able to successfully deploy the VM image definition along with the version.
upvoted 9 times

  Batiste2023 3 months, 1 week ago


As for the first question, the documentations says: "Hyper-V generation - specify whether the image was created from a generation 1 or
generation 2 Hyper-V VHD. Default is generation 1."
https://learn.microsoft.com/en-us/azure/virtual-machines/shared-image-galleries?tabs=azure-cli#image-definitions

To me that sounds as if the item on VM generation is purely descriptive, what has been used, not normative, what can or should be
used.
upvoted 1 times

  profesorklaus 4 months ago


I agree with you. I did the same and confirm.
upvoted 5 times

  KMLearn2 Highly Voted  5 months, 1 week ago

NYY
image definition needs V1 generation, but vCPU and memory are only recommendations.
Text from Azure Portal while creating image definition: "These recommendations are informational only, and do not constrain VM
specification"
upvoted 7 times

  6Sam7 Most Recent  3 weeks, 1 day ago

What is the correct answer?


upvoted 2 times

  houzer 1 month, 1 week ago


Tested in my lab as well and mmarkiew is correct. The answer is YYY, the VM generation, vCPU, location etc do not matter. We are just
creating a snapshot of that disk as far as I understand it.
upvoted 1 times

  AliNadheer 2 months ago


to me at the moment: N,N,Y
seems like VM generation and location is important to consider.
check this YT link. appreciate your thoughts.
https://www.youtube.com/watch?v=AWK1GVXdAwI
upvoted 2 times

  AliNadheer 2 months ago


i meant to say the answer N,Y,N
upvoted 1 times

  SgtDumitru 2 months, 1 week ago


N-Y-N

Box 1- NO: VM gen 2 is not directly supported for image definition with v1. Image & VM source regions doesn't match
Box 2 - YES: VM generations matches, along with image & VM source region
Box 3 - NO: VM generations matches, but image & VM source region doesn't

https://learn.microsoft.com/en-us/azure/virtual-machines/shared-image-galleries?tabs=azure-cli#how-do-i-specify-the-source-region-while-creating-the-image-version
upvoted 3 times

  ICTZaakwaarnemer 3 months, 2 weeks ago


I think it should be NYN:

VM1 has a different generation than the compute gallery. Using VMs of a different generation than the gallery can lead to compatibility
issues and may not be supported, as the underlying hardware and virtualization technology can vary between different VM generations.
VM2 matches the region and vm generation. While it's not strictly required to match the CPU recommendation, it's a best practice to use
an image source with CPU settings that align well with your workload. If you anticipate using VM instances with varying CPU capabilities,
consider testing the image source in different VM sizes to ensure it functions as expected. So in short words this isn't a deal breaker.
VM3 is in a different region and compute galleries are associated with the specific region you create them in. Cross-region operations or
using a VM from one region as an image source for a Compute Gallery in another region may not be directly supported and can lead to
complications in terms of data transfer and latency.

Used ChatGPT as source.


upvoted 2 times

  iammousumi 3 months, 4 weeks ago


what is the correct answer?
upvoted 3 times

  nightowl159 4 months, 3 weeks ago


NYN. Location does matter so only VM2 fits. The CPU is just a recommendation, not a requirement.
upvoted 5 times

  conip 5 months ago


for 3)
I love that description about region limitation:
"In Region, select the region where you want the image created. In some cases, the source must be in the same region where the image is
created. If you aren't seeing your source listed in later drop-downs, try changing the region for the image. You can always replicate the
image to other regions later."
https://learn.microsoft.com/en-us/azure/virtual-machines/image-version?tabs=portal%2Ccli2

so Y or N ?
upvoted 2 times

  Learner2022 5 months, 1 week ago


Does the location matter?
upvoted 2 times

lahart99 5 months, 1 week ago

NNY

If you look at VM generation, it's set to 1.
Then you look at the amount of CPU allowed, which is 4-15.

Which makes the answer NNY


upvoted 3 times

lahart99 5 months, 1 week ago


correction 4-16*
upvoted 1 times

Exilic 5 months, 2 weeks ago


Can anyone confirm this answer?
upvoted 5 times

hfk2020 5 months, 2 weeks ago


NYY since both vCPUs are generation 1 for VM2 and VM3
upvoted 3 times

Mnguyen0503 5 months, 2 weeks ago


NNY since 2 only has 2vcpu which doesn't fit the vm description.
upvoted 4 times

Vokuhila 5 months, 1 week ago


it is recommended 4-16 vcpu, not required
upvoted 7 times
Question #94 Topic 4

You plan to create the Azure web apps shown in the following table.

What is the minimum number of App Service plans you should create for the web apps?

A. 1

B. 2

C. 3

D. 4

Correct Answer: B

Community vote distribution


B (94%) 6%

athli Highly Voted 5 months, 1 week ago

Selected Answer: B

Since Python on Windows is no longer supported, we have to use Linux platform.
ASP.NET is only supported on Windows platform. So we need at least 2 App Service plans
upvoted 9 times

Tayhull2023 5 months, 1 week ago

As stated in the reference, thanks for pointing this out!
https://learn.microsoft.com/en-us/visualstudio/python/publish-to-app-service-windows?view=vs-2022
upvoted 5 times

Babustest Highly Voted 4 months ago

Selected Answer: B

https://learn.microsoft.com/en-us/azure/app-service/overview

Can run only on Windows: .NET, ASP.NET
Can run only on Linux: Python
Can run on either Windows/Linux: PHP

From Azure documentation:

ASP.NET Core (on Windows or Linux)
ASP.NET (on Windows)
PHP (on Windows or Linux)
Ruby (on Linux)
Node.js (on Windows or Linux)
Java (on Windows or Linux)
Python (on Linux)
HTML
Custom container (Windows or Linux)
upvoted 6 times

Exilic Most Recent 5 months, 2 weeks ago

Selected Answer: B

ChatGPT gave me a different answer

To determine the minimum number of App Service plans needed for the web apps, you should consider the runtime stack and
compatibility. Here are the considerations for each web app:

WebApp1 - .NET 6 (LTS)
This can share an App Service plan with WebApp2 since both are .NET applications.

WebApp2 - ASP.NET V4.8
This can share an App Service plan with WebApp1 since both are .NET applications.

WebApp3 - PHP 8.1
This requires a separate App Service plan since it's a different runtime stack (PHP).

WebApp4 - Python 3.11
This also requires a separate App Service plan since it's a different runtime stack (Python).

So, you need at least two App Service plans: one for WebApp1 and WebApp2 (shared since they both use .NET), and another for WebApp3
and WebApp4 (separate since they use different runtime stacks).

The correct answer is B. 2.


upvoted 2 times

LemonGremlin 5 months, 2 weeks ago

Correct Answer: B
.NET: Windows and Linux
ASP.NET: Windows only
PHP: Windows and Linux
Python: Windows and Linux
Also, you can’t use Windows and Linux Apps in the same App Service Plan, because when you create a new App Service plan you have to
choose the OS type. You can't mix Windows and Linux apps in the same App Service plan. So, you need 2 ASPs.
Reference:
https://docs.microsoft.com/en-us/azure/app-service/overview
upvoted 4 times

GoldenDisciple2 5 months, 1 week ago


Based on your comment, the answer could be 1 if you just use Windows for all of them.
upvoted 1 times

JeyD 5 months, 2 weeks ago

Selected Answer: D

ChatGPT
An App Service plan defines a set of compute resources for a web app to run. These compute resources are analogous to the server farm
in conventional web hosting. One or more apps can be configured to run on the same computing resources (or in the same App Service
plan).

In your case, you plan to create four Azure Web Apps with different runtime stacks: .NET 6 (LTS), ASP.NET v4.8, PHP 8.1, and Python 3.11.
Since each of these web apps uses a different runtime stack, you should create a minimum of four App Service plans, one for each web
app. This will ensure that each web app can run on the appropriate runtime stack.
upvoted 1 times
Question #95 Topic 4

HOTSPOT

You have an Azure subscription that contains the resource groups shown in the following table.

You create the following Azure Resource Manager (ARM) template named deploy.json.

You deploy the template by running the following cmdlet.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.


Correct Answer:

AntaninaD Highly Voted 5 months, 1 week ago

1. Yes. RG0 will be created with location from template file.
For subscription level deployments, you must provide a location for the deployment. The location of the deployment is separate from the
location of the resources you deploy. The deployment location specifies where to store deployment data.
2. No. Only RG0 and RG3 will be created, RG1 and RG2 already exist and can't be created.
3. No. RG3 will be created in east region.

https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/deploy-to-subscription?tabs=azure-cli#deployment-location-and-name
upvoted 42 times

AliNadheer 2 months, 3 weeks ago

Well explained. It's important to note that there is a difference between the "-location" parameter in the template and in the cmdlet:
in the template it will affect the location in which the RG will be created, and in the cmdlet it will store the deployment metadata
upvoted 2 times

conip 5 months ago


confirm - tested in LAB
upvoted 2 times

Exilic 5 months, 1 week ago


the cmdlet says westus, not eastus.
upvoted 2 times

Alandt 1 month ago

The "location" parameter is leading. There is another question where the cmdlet is leading.
upvoted 1 times

Vokuhila 5 months, 1 week ago


but the cmdlet has -location westus, so it should deploy in westus
upvoted 3 times

Halim1410 4 months, 4 weeks ago


Microsoft Document for the New-AzSubscriptionDeployment cmdlet stating that the -Location parameter is for the deployment data

https://learn.microsoft.com/en-us/powershell/module/az.resources/new-azdeployment?view=azps-10.3.0#parameters
upvoted 4 times

Exilic 5 months, 1 week ago


Need more discussion on this.
upvoted 1 times

doctor4500 Highly Voted 5 months, 2 weeks ago

WRONG!

Correct Answers:
1. No. Because of location parameters RGs will be created in west us region
2. Yes. Copy 4 in arm template
3. Yes. name: [concat('RG', copyIndex())] with count 4 will produce four RG: RG0, RG1,RG2,RG3 in west us region
upvoted 24 times

Sirgadget2000 1 month, 3 weeks ago


The template will attempt to create 4 new RGs. It will only create 2 new RGs as RG1 and RG2 are already created in the subscription. So
#2 is NO.
You cannot have 2 resource groups created with the same name in the same subscription even if they are in a different region. #3 is
NO.
upvoted 1 times

AnttiKoo 5 months, 2 weeks ago


https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/deploy-to-subscription?tabs=azure-powershell

"For subscription level deployments, you must provide a location for the deployment. The location of the deployment is separate from
the location of the resources you deploy. The deployment location specifies where to store deployment data."
upvoted 7 times

Lapiduse 5 months, 2 weeks ago


RG1 and RG2 already exist
upvoted 6 times

S4L4LMF Most Recent 3 months, 3 weeks ago

I'm not 100% sure on this but I think it's:

Y > copyindex starts with 0 and location is predefined in the ARM template
N > RG1 & RG2 already exist. Since it uses the copyindex as postfix, this will fail (it starts with 0, then 1, 2, 3 but 1 and 2 already exist)
N > location is predefined in the ARM template which is EAST US
upvoted 7 times

YesPlease 4 months ago


1) Yes: Template controls location of RGs being created. The "-Location" in command refers to where the deployment data is going to be
saved: https://learn.microsoft.com/en-us/powershell/module/az.resources/new-azdeployment?view=azps-10.4.1#-location

2) No. RG1 and RG2 already exist and you can't have duplicate names for Resource Groups.

3) No. Template dictates the location of where the RG are being created.
upvoted 4 times

Sakadia 4 months, 3 weeks ago


Answers should be:
1. Yes -->The location of the deployment is separate from the location of the resources you deploy
2. No --> For each deployment name, the location is immutable. You can't create a deployment in one location when there's an existing
deployment with the same name in a different location. In this example RG2 is in west us so you will not be able to deploy the resource
group RG2
3. No --> RG3 will be created in the east us region see reasoning in point 1.

Answers are found here: https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/deploy-to-subscription?tabs=azure-cli#deployment-location-and-name
upvoted 2 times

Sakadia 4 months, 3 weeks ago

Additionally to Answer 1:
The "Concat"-Functions starts the count at 0
upvoted 1 times

Cremela 5 months ago

Answer should be NNY: Resources should end up in westus. RG1 and RG2 already exist so they won't be created.
upvoted 3 times
Question #96 Topic 4

You have an Azure App Service app named App1 that contains two running instances.

You have an autoscale rule configured as shown in the following exhibit.

For the Instance limits scale condition setting, you set Maximum to 5.

During a 30-minute period, App1 uses 80 percent of the available memory.

What is the maximum number of instances for App1 during the 30-minute period?

A. 2

B. 3

C. 4

D. 5

Correct Answer: A

Community vote distribution


D (54%) B (45%)

athli Highly Voted 5 months, 1 week ago

Selected Answer: D

Start at 2 instances, after 15 min, > 70%, then +1 instance
Cooling 5 mins, still >70%, then +1 instance
Cooling 5 mins, still > 70%, then +1 instance
Cooling 5 mins, still >70%, since max 5 instances, keep 5 instances only
upvoted 56 times

OlehT 3 weeks, 2 days ago

You forget about Duration == 15 minutes, it will take 5 minutes cooling (time to stabilise the system but not the countdown for
another scale action). It would need additional 15 minutes to validate to measure CPU%.
upvoted 3 times
belyo 2 weeks, 2 days ago
duration period is for scaling to trigger in first 15 mins
for the remaining time you have cooldown timer that is set to 5 mins
so in the timeframe between 15-30 min duration is satisfied as CPU utilization remains above 70%
there should be 6 instances, however it says user has set 5 max so answer D is correct
upvoted 4 times

Jacky_exam 1 month, 3 weeks ago

Minute 0-15:
Memory usage exceeds 70%.
Autoscale rule triggered.
Instance count increased by 1 (from 2 to 3).
Cooldown period starts.

Minute 15-20 (Cooldown Period):
No further scaling can occur during the cooldown period.

Minute 20-30:
Memory usage continues to exceed 70%, but the cooldown is still in effect.
No further scaling during this time.
upvoted 3 times

houzer 1 month, 1 week ago


This is correct, answer D!
upvoted 1 times

Indy429 1 month, 3 weeks ago


It's 15+5. So every 20 minutes, not 5 minutes.

Answer A is correct
upvoted 4 times

jacobc3939 1 month ago


The starting # of instances is 2
upvoted 1 times

RoyalFatKid 3 weeks, 1 day ago


where do you see the instance count?
upvoted 1 times

RoyalFatKid 3 weeks, 1 day ago


please don't post
upvoted 1 times

altairezio Highly Voted 5 months, 2 weeks ago

Selected Answer: B

2 instances then after 15min : 3 instances. After 5min cooldown start counting.
So correct answer : 3 instances
upvoted 40 times

ki01 1 month, 4 weeks ago

Answer D.
For the scaler to kick in, it needs to be 15 minutes of average use above x % that is set. So once the load starts, it will wait 15 minutes
until that rule is met, and a scale up will happen.
Once it scales up at the 15 minute mark, the 5 minute cooldown starts.
At 20 minute mark, the scaler will LOOK BACK at the PAST 15 minutes to see if during that time the usage was still higher than x% and
scale up again.
Then it will wait another 5 minutes, check the PAST 15 minutes again, scale up again, etc. etc.
The previous performance data doesn't get thrown out after each scale, it keeps on sliding the dataset it's checking forward.

Imagine if this was a real app and you get hit by huge traffic surge. Like your company releases a new product. What this would do in
your method is scale up one instance every 20 minutes, so it might mean multiple hours of degraded performance while it catches up
to demand, while the reality and my explanation, it would kick in after 15 minutes and then keep scaling every 5 minutes which is a
much faster and reasonable solution.
upvoted 5 times

FlaShhh 4 days, 21 hours ago


well explained
upvoted 1 times

binhdortmund 5 days, 2 hours ago


correct! I wanna go with 3 at the beginning, but after reading the MS doc and also your text, 5 is my choice
upvoted 1 times

Batiste2023 3 months, 3 weeks ago

No, if after the cool down period the threshold is still met, then the next scale out operation will happen immediately (followed by
another cool down period, of course).

"The cooldown period for each rule dictates how long after the previous scale action (whatever rule initiated was), the rule can be
applied."
Source: https://github.com/MicrosoftDocs/azure-docs/issues/17169
upvoted 1 times

SDiwan Most Recent 1 week ago

Selected Answer: D

Correct answer is D , there will be 5 instances. During every scale out, it will check if previous 15 mins have sustained usage of above 70%.
After 15 mins, first scale out (+1), then 20 mins (+1), 25 mins (+1), 30 mins (+1).
upvoted 2 times

jga_private 1 week, 3 days ago

Selected Answer: D

After cool down period new instance is created


upvoted 1 times

vsvaid 2 weeks ago

Selected Answer: D

After 15 mins - 2
20 mins - 3
25 mins - 4
30 mins- 5
upvoted 1 times

vsvaid 2 weeks ago


Correction, it starts with 2
After 15 mins -
20 mins - 4
25 mins - 5
30 mins- 5 - Max limit
upvoted 1 times

OlehT 3 weeks, 2 days ago

Selected Answer: B

Start at 2 instances, 30 minutes: -15 minutes, scaling +1 == 3.
-5 minutes cooldown makes -20 minutes in total, 10 left. We need 15 minutes more to scale +1. So we need additional 5 minutes which we
don't have.

ANSWER is B, 3 instances
upvoted 3 times

DWsk 4 weeks ago

Selected Answer: D

I'm on team D here.


I think the best way to think of the duration is just how much info the autoscaler needs in order to determine if we need to scale. But once
you have that much time worth of data, the autoscaler will keep scaling up every 5 minutes (the cooldown) until it has new data showing
the metric isn't breached.
upvoted 3 times

SamSal001 1 month ago


The question is contrived. How would you know if memory is persistently high after adding one more?
upvoted 1 times

Jacky_exam 1 month, 3 weeks ago

Selected Answer: B

Minute 0-15:
Memory usage exceeds 70%.
Autoscale rule triggered.
Instance count increased by 1 (from 2 to 3).
Cooldown period starts.

Minute 15-20 (Cooldown Period):
No further scaling can occur during the cooldown period.

Minute 20-30:
Memory usage continues to exceed 70%, but the cooldown is still in effect.
No further scaling during this time.
upvoted 2 times

houzer 2 months ago

Selected Answer: D
Check https://www.youtube.com/watch?app=desktop&v=EbiID16PDuk if you are confused. John demonstrates how this works, the answer
in this case will be D.
upvoted 4 times

Rastova 2 months, 1 week ago

Selected Answer: D

Answer is D
upvoted 2 times

amsioso 2 months, 1 week ago


D
5 instances.
Like @athli said.
References:
https://www.youtube.com/watch?app=desktop&v=EbiID16PDuk
https://www.linkedin.com/pulse/miss-configuration-azure-auto-scaling-feature-radu-vunvulea/
https://learn.microsoft.com/en-us/azure/azure-monitor/autoscale/autoscale-get-started#cool-down-period-effects
upvoted 1 times

Ram9198 2 months, 2 weeks ago

Selected Answer: D

Start at 2 instances, after 15 min, > 70%, then +1 instance
Cooling 5 mins, still >70%, then +1 instance
Cooling 5 mins, still > 70%, then +1 instance
Cooling 5 mins, still >70%, since max 5 instances, keep 5 instances only
upvoted 3 times

SgtDumitru 2 months, 3 weeks ago

ChatGPT considers that after first scale action will be completed (15 minutes duration + 5 minutes cool down), the scale up action will end,
so it WON'T trigger add another instance. Instead, it will trigger another scale action which will start Duration counting AGAIN.
upvoted 1 times

DBFront 3 months, 1 week ago

Selected Answer: B

Start with 2 instances
15 minutes later, add 1 more instance (total 3 instances after 15 minutes)
cool down for 5 minutes (total of 20 minutes now)
metric states another 15 minutes before an event (instance #4 would occur at 35min)

Answer is B
upvoted 2 times

cjatraining 3 months, 1 week ago


I think the confusion people are having is that during the cooldown period monitoring doesn't stop. So if the load remains at <70% during
the entire cooldown, that counts as part of the condition duration.

So at 15 minutes (technically less, due to load averaging), +1


After 5 minutes cooldown, it once again looks at the last 15 minutes, so if the load average was still over 70%, it scales again, and the 5
minute cooldown starts again.

So it will hit the max of 5.


upvoted 4 times

Wuhao 3 months, 3 weeks ago

Selected Answer: D

https://learn.microsoft.com/en-us/azure/app-service/environment/app-service-environment-auto-scale
The document provides the calculation method
upvoted 2 times
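
The disagreement in the comments on Question #96 comes down to whether the 15-minute duration is a sliding look-back or restarts after every scale action. The following is an added example, not part of the original page: it replays both readings minute by minute over constructed memory readings, using the threshold, duration, cooldown and step quoted in the comments (the exhibit is not reproduced here), and assumes the rule compares the average over the window. Scale-in is not modelled.

```python
"""Minute-by-minute model of one scale-out rule (added example, constructed data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ScaleOutRule:
    # Values as quoted in the comments; the exhibit itself is not on the page.
    threshold_pct: float = 70.0   # scale out when the window average is above this
    duration_min: int = 15        # look-back window the average is taken over
    cooldown_min: int = 5         # wait after a scale action before the next one
    step: int = 1                 # instances added per scale action


def simulate(samples, rule, start_instances, max_instances,
             restart_window_after_scale):
    """Replay per-minute memory readings; return (final_count, actions).

    samples[i] is the reading for minute i + 1.
    actions is a list of (minute, instance_count_after_action).

    restart_window_after_scale=False: once the cooldown is over, the rule
        looks back over the previous duration_min minutes, including minutes
        from before the last scale action (sliding window).
    restart_window_after_scale=True: the rule only uses readings taken after
        the cooldown ended, so a full new window has to accumulate first.
    """
    if rule.duration_min <= 0 or rule.cooldown_min < 0 or rule.step <= 0:
        raise ValueError("duration and step must be positive, cooldown >= 0")

    instances = start_instances
    actions = []
    earliest_sample = 0   # index of the first reading the rule may use
    next_allowed = 0      # first minute at which a scale action may fire

    for minute in range(1, len(samples) + 1):
        window_lo = minute - rule.duration_min
        if window_lo < earliest_sample or minute < next_allowed:
            continue      # window not full yet, or still cooling down
        if instances >= max_instances:
            continue      # instance limit of the scale condition reached
        window = samples[window_lo:minute]
        if sum(window) / len(window) > rule.threshold_pct:
            instances = min(max_instances, instances + rule.step)
            actions.append((minute, instances))
            next_allowed = minute + rule.cooldown_min
            if restart_window_after_scale:
                earliest_sample = next_allowed
    return instances, actions


RULE = ScaleOutRule()
STEADY_80 = [80.0] * 30                      # constructed: 80 % for 30 minutes
SPIKE_THEN_DROP = [80.0] * 18 + [40.0] * 12  # constructed: load falls after minute 18

if __name__ == "__main__":
    for label, restart in (("sliding window", False), ("window restarts", True)):
        print(label, simulate(STEADY_80, RULE, 2, 5, restart))
    # A sliding window still scales once more at minute 20, because 13 of the
    # 15 readings in the window predate the drop.
    print("spike then drop", simulate(SPIKE_THEN_DROP, RULE, 2, 5, False))
```

The second constructed series shows a side effect of the sliding reading: a scale-out can still fire shortly after the load has dropped, because the average lags behind the current value.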
Question #97 Topic 4

HOTSPOT

You have an Azure subscription that contains the container images shown in the following table.

You plan to use the following services:

• Azure Container Instances

• Azure Container Apps

• Azure App Service

In which services can you run the images? To answer, select the options in the answer area.

NOTE: Each correct answer is worth one point.

Correct Answer:
Faust777 Highly Voted 4 months, 1 week ago

How the fuck "Azure Container Apps" isn't supported on windows WTF?
upvoted 17 times

SgtDumitru 2 months, 1 week ago


MicroSoft: We'll make you suffer.
upvoted 4 times

Kuikz Highly Voted 5 months, 1 week ago

Correct

- Azure Container Instances can schedule both Windows and Linux containers with the same API. You can specify your OS type preference
when you create your container groups.
Some features are currently restricted to Linux containers. https://learn.microsoft.com/en-us/azure/container-instances/container-instances-overview

- Azure Container Apps supports: Any Linux-based x86-64 (linux/amd64) container image with no required base image Containers from
any public or private container registry Sidecar and init containers https://learn.microsoft.com/en-us/azure/container-apps/containers

- Azure App Service is an HTTP-based service for hosting web applications, REST APIs, and mobile back ends. You can develop in your
favorite language, be it .NET, .NET Core, Java, Node.js, PHP, and Python. Applications run and scale with ease on both Windows and
Linux-based environments. https://learn.microsoft.com/en-us/azure/app-service/overview
upvoted 6 times

altairezio Most Recent 5 months, 2 weeks ago

https://learn.microsoft.com/en-us/azure/container-apps/containers#:~:text=Azure%20Container%20Apps%20supports%3A
upvoted 1 times

hfk2020 5 months, 2 weeks ago


Answer is correct
Azure Container Apps supports:

Any Linux-based x86-64 (linux/amd64) container image with no required base image
Containers from any public or private container registry
Sidecar and init containers
https://learn.microsoft.com/en-us/azure/container-apps/containers
upvoted 4 times
Question #98 Topic 4

You have an Azure AD tenant named contoso.com.

You have an Azure subscription that contains an Azure App Service web app named App1 and an Azure key vault named KV1. KV1 contains a
wildcard certificate for contoso.com.

You have a user named user1@contoso.com that is assigned the Owner role for App1 and KV1.

You need to configure App1 to use the wildcard certificate of KV1.

What should you do first?

A. Create an access policy for KV1 and assign the Microsoft Azure App Service principal to the policy.

B. Assign a managed user identity to App1.

C. Configure KV1 to use the role-based access control (RBAC) authorization system.

D. Create an access policy for KV1 and assign the policy to User1.

Correct Answer: A

Community vote distribution


A (78%) B (22%)

macinpune9 Highly Voted 5 months, 1 week ago

Please check this tutorial
https://learn.microsoft.com/en-us/azure/key-vault/general/tutorial-net-create-vault-azure-web-app
First Step is to Assign a managed identity to the App.
Answer: B
upvoted 22 times

SDiwan 6 days, 23 hours ago

Option B is managed user identity. It's not necessary to have user managed identity, system identity can also work.
upvoted 1 times

Akriu 5 months, 1 week ago


I'm also in for answer B, since answer A needs a service principal. The only way to get one for a service is a managed identity (system or
user generated).

https://learn.microsoft.com/en-us/azure/key-vault/general/assign-access-policy?tabs=azure-portal
https://learn.microsoft.com/en-us/azure/key-vault/general/authentication
upvoted 3 times

Batiste2023 3 months, 2 weeks ago

Thanks for your input!

You say that "the only way to get one for a service is a managed identity (system or user generated)." - Can you elaborate on that?

I have found these sources that say that as soon as you register a web app with Entra ID as authorization provider, the app also
receives a service principal:
- https://learn.microsoft.com/en-us/purview/create-service-principal-azure
- https://learn.microsoft.com/en-us/azure/app-service/scenario-secure-app-authentication-app-service

In that case, answer A would still be an option, as far as I can see.


upvoted 1 times

hfk2020 Highly Voted 5 months, 2 weeks ago

In this scenario, you have an Azure App Service web app (App1) and an Azure Key Vault (KV1) containing a wildcard certificate for
contoso.com. You want to configure App1 to use the wildcard certificate from KV1. To achieve this, you need to grant the necessary
permissions to App1.

Access to Key Vault secrets and certificates is managed using Azure AD-based authentication and authorization. The Microsoft Azure App
Service principal represents the App Service web app in Azure AD.

The correct approach is to create an access policy in KV1 that grants the necessary permissions to the Microsoft Azure App Service
principal associated with App1. By doing so, you allow App1 to access the certificate stored in KV1.

So, the first step you should take is:


A. Create an access policy for KV1 and assign the Microsoft Azure App Service principal to the policy.

Once you've granted the necessary access to the App Service principal, the web app (App1) will be able to use the wildcard certificate from
KV1 for its secure connections.
upvoted 12 times

BluAlien Most Recent 4 days, 1 hour ago

Selected Answer: B

Access can be done either using RBAC or Access Policy. In both cases the first Action is to configure a Managed User (or System) Identity to
App1 because by default Identities are disabled.
upvoted 1 times

vsvaid 2 weeks ago

Selected Answer: A

When an app is registered in Azure, a service principal is created for the app. Create an access policy in KV1 that grants the necessary
permissions to the service principal.
upvoted 2 times

MatAlves 2 weeks, 1 day ago

"Select Next and select Vault access policy. Currently, App Service certificates support only Key Vault access policies, not the RBAC model."

https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-app-service-certificate?tabs=portal#buy-and-configure-an-app-service-certificate
upvoted 1 times

houzer 1 month, 3 weeks ago

Selected Answer: A

A is the correct answer. Currently, App Service certificates support only Key Vault access policies, not the RBAC model, so you first need to
create a Vault access policy.

https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-app-service-certificate?tabs=portal
upvoted 1 times

houzer 1 month, 3 weeks ago


Actually, I need to go back on that, just tested this in my lab.

I have created an app service and a key vault that supports access policies. I then attempted to create an access policy but when I got
to select a Principal, my app1 was not in the list. I first had to create a managed identity on the app service plan, and only then I was
able to create an access policy and choose app1 as a principal.

Therefore, without a managed identity you are not able to create an access policy for app1.
upvoted 1 times

houzer 1 month, 1 week ago


I am now 1 week and 2 days smarter lol, my initial answer was correct. You don't need to select the App1 managed identity as I
assumed in the above comment, you can simply choose the Microsoft Azure App Service principal which will cover App1 as well and
eliminate the need to create a separate identity for it.
upvoted 3 times

Issavh 1 month, 3 weeks ago

This is an excellent question in my view. Unless you implement it, I don't think anyone can get the correct answer. Since it is provided
that there is already a user named user1@contoso.com (RBAC) for Azure Key Vault, you cannot create an access policy straight away
without changing the access configuration from RBAC to Access Policy. In this case the only option is to 1) create a managed identity for App1,
2) get the service principal, 3) go to Role assignment, 4) assign a role, 5) select the User, Group or service principal button, 6) then click Select
members, 7) and from the member window select the service principal name, 8) and assign.
upvoted 1 times

Issavh 1 month, 3 weeks ago

Small correction: in the Answer C it is given as Managed User Identity to App1. That is not correct. It should be managed system-
assigned identity to App1. In that case we have to take the answer "A Create an access policy for KV1 and assign the Microsoft Azure
App Service principal to the policy." since we have to think that changing the access configuration from RBAC to Access policy is
included there. But ideally it should be either changing the access configuration from RBAC to Access policy or managed system-
assigned identity.
upvoted 1 times

amsioso 2 months, 1 week ago

B
https://learn.microsoft.com/en-us/azure/key-vault/general/tutorial-net-create-vault-azure-web-app#configure-the-web-app-to-connect-to-key-vault
upvoted 1 times

OrangeSG 4 months ago

Selected Answer: A

Create and assign a wildcard App Service Certificate


https://learn.microsoft.com/en-us/samples/azure/azure-quickstart-templates/app-service-certificate-wildcard/
upvoted 2 times
snorfknickles 4 months, 3 weeks ago
I'd go with B, based on this alone:
"There are three ways to authenticate to Key Vault:
Managed identities for Azure resources: [...] We recommend this approach as a best practice.
Service principal and certificate: [...] We don't recommend this approach because the application owner or developer must rotate the
certificate.
Service principal and secret: [...] Although you can use a service principal and a secret to authenticate to Key Vault, we don't recommend
it."
https://learn.microsoft.com/en-us/azure/key-vault/general/basic-concepts#authentication
upvoted 5 times

conip 5 months ago

Selected Answer: B

https://learn.microsoft.com/en-us/azure/key-vault/general/tutorial-net-create-vault-azure-web-app
upvoted 1 times

ducklaorange 5 months, 1 week ago


Access policies are legacy based system and MS recommends RBAC, so I would go with C honestly:
https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-access-policy
upvoted 1 times

snorfknickles 4 months, 3 weeks ago

Currently, App Service certificates support only Key Vault access policies, not the RBAC model
https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-app-service-certificate?tabs=portal#buy-and-configure-an-app-service-certificate
upvoted 2 times

Kuikz 5 months, 1 week ago


Selected Answer: A

In order to read secrets from a key vault, you need to have a vault created and give your app permission to access it.
Create a key vault by following the Key Vault quickstart.
Create a managed identity for your application.
Key vault references use the app's system-assigned identity by default, but you can specify a user-assigned identity.
Authorize read access to secrets your key vault for the managed identity you created earlier. How you do it depends on the permissions
model of your key vault:
Azure role-based access control: Assign the Key Vault Secrets User role to the managed identity. For instructions, see Provide access to Key
Vault keys, certificates, and secrets with an Azure role-based access control.
Vault access policy: Assign the Get secrets permission to the managed identity. For instructions, see Assign a Key Vault access policy.

https://learn.microsoft.com/en-us/azure/app-service/app-service-key-vault-references?tabs=azure-cli
upvoted 1 times

Renz123 3 months, 3 weeks ago


On your 2nd line you said "Create a managed identity for your application"

So the first step is B?


upvoted 1 times

conip 5 months ago


so why even though you have in line 4 "create a managed identity for your app" have you picked A?

IMHO should be B
upvoted 3 times

Exilic 5 months, 1 week ago


Selected Answer: A

ChatGPT

"To configure App1 to use the wildcard certificate from KV1, you should perform the following steps:

Create an access policy for KV1: You need to create an access policy in the Azure Key Vault (KV1) that allows the Azure App Service (App1)
to access the certificate. Access policies define who can perform certain operations on key vault secrets, keys, and certificates. In this case,
you want to grant access to App1.

Assign the policy to the Microsoft Azure App Service principal: After creating the access policy, you should assign it to the Azure App
Service principal, not User1. This allows App1 to use the certificate stored in KV1.

So, the correct answer is:

A. Create an access policy for KV1 and assign the Microsoft Azure App Service principal to the policy.

Assigning a managed user identity to App1 (Option B) and configuring KV1 to use RBAC (Option C) are not directly related to granting
access to the certificate for App1. Option D is incorrect because you should assign the policy to the Azure App Service principal, not
User1."
upvoted 1 times
Question #99 Topic 4

You have an Azure subscription.

You plan to deploy the resources shown in the following table.

You need to create a single Azure Resource Manager (ARM) template that will be used to deploy the resources.

Which resource should be added to the dependsOn section for VM1?

A. VNET1

B. NIC1

C. IP1

D. NSG1

Correct Answer: B

Community vote distribution


B (92%) 8%

Vestibal Highly Voted 4 months, 1 week ago

Selected Answer: B

Therefore, the most direct and crucial dependency for VM1 among the listed resources is NIC1 (Option B). The NIC acts as the bridge
between the VM and the other network resources like the virtual network, public IP, and network security group. Hence, it's essential to
ensure that NIC1 is deployed before VM1.
https://learn.microsoft.com/en-us/azure/templates/microsoft.compute/virtualmachines?pivots=deployment-language-arm-template
https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/resource-dependency
https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/template-tutorial-create-templates-with-dependent-resources?tabs=CLI
upvoted 10 times

  N3m86 Highly Voted  4 months, 2 weeks ago


Answer is B
upvoted 9 times

  MatAlves Most Recent  2 weeks, 1 day ago


{...,
  {
    "type": "Microsoft.Compute/virtualMachines",
    "apiVersion": "2022-11-01",
    "name": "[format('{0}{1}', variables('vmPrefix'), copyIndex())]",
    "location": "[parameters('location')]",
    "dependsOn": [
      "[resourceId('Microsoft.Network/networkInterfaces', format('{0}-{1}', variables('nicPrefix'), copyIndex()))]"
    ],
    ...}

https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/resource-dependency
upvoted 1 times

  belyo 2 weeks, 2 days ago

Selected Answer: A

should be VNET
once you choose you can't go back or have to re-create the VM
I mean you can't switch VNETs, only subnets/IP addresses etc.
upvoted 1 times

  amsioso 2 months, 1 week ago


B
NIC1
upvoted 1 times

  Andreas_Czech 2 months, 3 weeks ago

Selected Answer: B

https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/media/template-tutorial-create-templates-with-dependent-resources/resource-manager-template-dependent-resources-diagram.png
upvoted 2 times
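
The dependency chain behind the answers above, as an added example that is not part of the original thread: a resolver that turns `dependsOn` entries into a deployment order. The template is constructed; the resource names come from the question, while the resource types and the dependencies declared on NIC1 are assumptions, since the question's table is not shown.

```python
import json
import re
from graphlib import TopologicalSorter  # Python 3.9+

# Constructed template: names are from the question; the resource types and
# NIC1's own dependsOn list are assumptions (the table is not reproduced).
TEMPLATE = json.loads(r"""
{
  "resources": [
    {"type": "Microsoft.Compute/virtualMachines", "name": "VM1",
     "dependsOn": ["[resourceId('Microsoft.Network/networkInterfaces', 'NIC1')]"]},
    {"type": "Microsoft.Network/networkInterfaces", "name": "NIC1",
     "dependsOn": ["[resourceId('Microsoft.Network/virtualNetworks', 'VNET1')]",
                   "[resourceId('Microsoft.Network/publicIPAddresses', 'IP1')]",
                   "[resourceId('Microsoft.Network/networkSecurityGroups', 'NSG1')]"]},
    {"type": "Microsoft.Network/virtualNetworks", "name": "VNET1"},
    {"type": "Microsoft.Network/publicIPAddresses", "name": "IP1"},
    {"type": "Microsoft.Network/networkSecurityGroups", "name": "NSG1"}
  ]
}
""")

RESOURCE_ID = re.compile(r"^\[resourceId\((.*)\)\]$")


def dependency_name(entry):
    """Return the resource name a dependsOn entry refers to.

    Handles "[resourceId('<type>', '<name>')]", "<type>/<name>" and "<name>".
    Names built from nested expressions (format(), variables(), copyIndex())
    are rejected rather than guessed.
    """
    entry = entry.strip()
    match = RESOURCE_ID.match(entry)
    if match:
        args = match.group(1)
        if "(" in args:
            raise ValueError(f"expression-built name not supported: {entry}")
        literals = re.findall(r"'([^']*)'", args)
        if len(literals) < 2:
            raise ValueError(f"resourceId needs a type and a name: {entry}")
        return literals[-1]
    if entry.startswith("["):
        raise ValueError(f"unsupported template expression: {entry}")
    return entry.rsplit("/", 1)[-1]


def dependency_graph(template):
    """Map each resource name to the set of names it explicitly depends on."""
    names = {res["name"] for res in template["resources"]}
    graph = {}
    for res in template["resources"]:
        deps = {dependency_name(d) for d in res.get("dependsOn", [])}
        missing = deps - names
        if missing:
            raise ValueError(f"{res['name']} depends on undeclared {sorted(missing)}")
        graph[res["name"]] = deps
    return graph


def deployment_waves(template):
    """Group resources into waves; each wave only needs earlier waves.

    graphlib raises CycleError if the dependsOn entries form a cycle.
    """
    sorter = TopologicalSorter(dependency_graph(template))
    sorter.prepare()
    waves = []
    while sorter.is_active():
        ready = sorted(sorter.get_ready())
        waves.append(ready)
        sorter.done(*ready)
    return waves


def transitive_dependencies(template, name):
    """Everything that must exist before `name`, directly or indirectly."""
    graph = dependency_graph(template)
    seen, stack = set(), list(graph[name])
    while stack:
        dep = stack.pop()
        if dep not in seen:
            seen.add(dep)
            stack.extend(graph[dep])
    return seen


if __name__ == "__main__":
    print("VM1 dependsOn:", sorted(dependency_graph(TEMPLATE)["VM1"]))
    print("deployment waves:", deployment_waves(TEMPLATE))
```

VM1 lists only NIC1, yet the network resources are still deployed first because NIC1 carries those dependencies.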
Question #100 Topic 4

You have an Azure subscription.

You create the following Azure Resource Manager (ARM) template named Template.json.

You need to deploy Template.json.

Which PowerShell cmdlet should you run from Azure Cloud Shell?

A. New-AzSubscriptionDeployment

B. New-AzManagementGroupDeployment

C. New-AzResourceGroupDeployment

D. New-AzTenantDeployment

Correct Answer: C

Community vote distribution


A (69%) D (25%) 6%

  [Removed] Highly Voted  3 months ago

Selected Answer: A

A is correct because RG is already mentioned in the template.


upvoted 5 times

  D1nk8887 Most Recent  5 days, 16 hours ago

Check question #102. That question uses the Subscription level deployment (as part of the question) to deploy RGs.
upvoted 1 times

  Arthur_zw 4 weeks, 1 day ago


Answer is C according to Bard and ChatGPT:

Here's the PowerShell command to deploy an ARM template that creates a new resource group named "Marketing":

PowerShell
New-AzResourceGroupDeployment -Name <deployment-name> `
-ResourceGroupName Marketing `
-TemplateFile <path-to-template.json> `
-location <location>
upvoted 1 times

  MCI 2 weeks ago


How could it be C?
You need to deploy a resource group to the subscription scope. New-AzResourceGroupDeployment deploys a resource inside the
resource group scope.
upvoted 1 times

  tfdestroy 1 month, 2 weeks ago


Selected Answer: C

New-AzResourceGroupDeployment -Name <deployment-name> `
-ResourceGroupName <resource-group-name> `
-TemplateFile $templateFile `
-TemplateParameterObject $parameters
upvoted 1 times

  tfdestroy 1 month, 2 weeks ago


My mistake, I misunderstood the question; according to the reference I found, the answer should be A.

To deploy to a subscription, use New-AzSubscriptionDeployment which is an alias of the New-AzDeployment cmdlet:

command: New-AzSubscriptionDeployment -Location <location> -TemplateFile <path-to-template>

Since the resource group is specified in the config.

Reference:
https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/deploy-powershell

https://learn.microsoft.com/en-us/powershell/module/az.resources/new-azdeployment?view=azps-11.1.0
upvoted 2 times

  gswar 3 months ago


A is correct, as the template file creates a resource group, which has to be done at the subscription level.
upvoted 2 times

  01111010 3 months, 1 week ago

Selected Answer: D

A is correct answer. Tested in the lab.


New-AzSubscriptionDeployment -Location eastus -TemplateFile template_q101.json
upvoted 4 times

  01111010 2 months, 3 weeks ago


A is correct. I selected D by mistake. Can't edit previous post.
upvoted 3 times

  sheilawu 2 months ago


hahaha
upvoted 1 times

  ziggy1117 3 months, 1 week ago

Selected Answer: A

Definitely A, because creating an RG is done at the subscription level


upvoted 2 times

  mnasiban 3 months, 1 week ago


A is Correct because we are going to create RG from Template
upvoted 1 times

  Asryi 3 months, 1 week ago


Selected Answer: A

New-AzSubscriptionDeployment is the correct answer, as the New-AzResourceDeployment is used to deploy in an existing resource group.
You can use New-AzSubscriptionDeployment(which is an alias for New-AzDeployment) to deploy resources at subscription level.

"The New-AzResourceGroupDeployment cmdlet adds a deployment to an existing resource group"


https://learn.microsoft.com/en-us/powershell/module/az.resources/new-azresourcegroupdeployment?view=azps-10.4.1
https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/deploy-to-subscription?tabs=azure-powershell
upvoted 3 times

  Batiste2023 3 months, 1 week ago


Selected Answer: A

A is correct.

When you deploy a resource group, you deploy it to a subscription - that's why you need to use New-AzSubscriptionDeployment.
See https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/deploy-powershell#deployment-scope
(The command was formerly called New-AzDeployment, see https://learn.microsoft.com/en-us/powershell/module/az.resources/new-azdeployment?view=azps-10.4.1)

New-AzResourceGroupDeployment is used for ARM template resource deployments within a resource group.
(https://learn.microsoft.com/en-us/powershell/module/az.resources/new-azresourcegroupdeployment?view=azps-10.4.1)
As you can't add a resource group to a resource group, C cannot be correct.
upvoted 1 times
Question #101 Topic 4

You have an Azure subscription that contains a resource group named RG1.

You plan to create a storage account named storage1.

You have a Bicep file named File1.

You need to modify File1 so that it can be used to automate the deployment of storage1 to RG1.

Which property should you modify?

A. kind

B. scope

C. sku

D. location

Correct Answer: A

Community vote distribution


B (56%) D (31%) 13%

  Ahkhan Highly Voted  3 months, 1 week ago

The answer is scope. We would use scope to target the resource group for storage account.

https://ochzhen.com/blog/create-resource-group-azure-bicep
upvoted 16 times

  Salam_Pioneer Most Recent  3 weeks, 4 days ago

Selected Answer: B

The correct answer is B. scope.

Here's why:

scope property explicitly specifies the resource group where the storage account will be deployed. It's essential to align this with the
desired target resource group, RG1, in this case.

kind property already indicates the type of resource being deployed (a storage account), so it doesn't need alteration.

sku property defines the performance and pricing tier, but it's not directly related to deployment targeting.

location property specifies the Azure region for deployment, but it can be set as a variable or input parameter, not necessarily within the
scope property itself.

To ensure successful deployment of storage1 to RG1, modify the scope property in File1 to reference RG1
upvoted 2 times

  Mysystemad 4 weeks ago


I had this question in my exam on 26/12/2023
upvoted 1 times

  Alandt 1 month ago


ChatGPT:

To automate the deployment of a storage account using a Bicep file, you typically need to specify the necessary properties such as the
resource's name, location, SKU (performance and replication), and other relevant configurations.

In this scenario, if you need to modify File1 to be used for deploying storage1 to RG1, you should modify the "location" property. The
"location" property defines the Azure region where the resource will be created.

Therefore, the correct answer is:

D. location

Note: you can't fully trust ChatGPT but at least it's an answer.
upvoted 1 times

  SkyZeroZx 1 month ago

Selected Answer: B

The answer is scope. We would use scope to target the resource group for storage account.

https://ochzhen.com/blog/create-resource-group-azure-bicep
upvoted 1 times

  bhadrisn 1 month, 3 weeks ago


The answer is scope. We would use scope to specify which resource group we are deploying to. Location would give the location such as
east us, west us, or central US, etc... So, correct answer is B, Scope
upvoted 1 times

  bhadrisn 1 month, 3 weeks ago


https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/file
upvoted 2 times

  houzer 2 months ago


Selected Answer: D

To automate the deployment of a storage account using a Bicep file, you typically need to specify properties such as sku, kind, and
location. However, the specific property related to the resource group and its deployment is the location property.

In this scenario, you should modify the location property in File1 to specify the Azure region where the storage account (storage1) should
be deployed. Therefore, the correct answer is D.
upvoted 1 times

  amsioso 2 months, 1 week ago


Selected Answer: B

Target scope possible values are:


-resourceGroup (default)
-subscription
-managementGroup
-tenant
https://ochzhen.com/blog/create-resource-group-azure-bicep
upvoted 1 times

  SgtDumitru 2 months, 3 weeks ago


Kind: Type of execution environment (e.g. Azure PowerShell)
Sku: Service level (Premium, Standard)

So we are left with only 2: Location and Scope. Since only Location is a required property, it fits the answer
upvoted 2 times

  SgtDumitru 2 months, 3 weeks ago


I cross checked, and is scope. Location is actually Geo Location, not resource location.
upvoted 4 times

  Andreas_Czech 2 months, 3 weeks ago

Selected Answer: B

kind, sku and location are required

https://learn.microsoft.com/en-us/azure/templates/microsoft.storage/storageaccounts?pivots=deployment-language-bicep#storageaccounts

kind: Specify the type of script. Currently, Azure PowerShell and Azure CLI scripts are supported. The values are AzurePowerShell and
AzureCLI

https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/deployment-script-bicep#sample-bicep-files
upvoted 4 times

  PrepaCertif 3 months ago


In answer to 01111010, the logical answer is A: KIND
location is the region where you deploy storage
upvoted 1 times

  gswar 3 months ago


Correct answer: B
"so that it can be used to automate the deployment of storage1 to RG1" - Per this requirement we can automate the deployment to RG1 if
the scope is defined.
upvoted 1 times

  jg44332211 3 months, 1 week ago


Selected Answer: B

Scope is RG1
upvoted 1 times
  01111010 3 months, 1 week ago

Selected Answer: D

D (location) is the only logical answer. Here’s the rationale. Kind, sku and location are three required properties. Scope (function) is not.
Since we already 'have a Bicep file named File1' and need 'to automate the deployment of storage1 to RG1' the only variable required
updating is the location, as we can leave other two (kind & sku) as-is. Location is required property which must be modified.
upvoted 4 times

  Batiste2023 3 months ago


Nice train of thought here, thanks!
I wonder, though, why you say that we can leave kind and sku unchanged and location not. Might we not also leave location
unchanged?
upvoted 1 times

  01111010 3 months, 1 week ago


List of properties from MS Learn:
kind (required) - Value: 'BlobStorage', 'BlockBlobStorage', 'FileStorage', 'Storage', 'StorageV2'
Description: Indicates the type of storage account.

Bicep function scope: - When used to set the scope property, it returns a scope object. Scope is not a required parameter.

SKU (required) - Value: 'Premium_LRS', 'Premium_ZRS', 'Standard_GRS', 'Standard_GZRS', 'Standard_LRS', 'Standard_RAGRS',
'Standard_RAGZRS', 'Standard_ZRS'
Description: The SKU name. Required for account creation; optional for update. Note that in older versions, SKU name was called
accountType.

Location (required) - Value: string
Description: Gets or sets the location of the resource. This will be one of the supported and registered Azure Geo Regions (e.g. West US,
East US, Southeast Asia, etc.). The geo region of a resource cannot be changed once it is created, but if an identical geo region is
specified on update, the request will succeed.
upvoted 1 times

  Batiste2023 3 months, 1 week ago


Selected Answer: A

A is correct.

You use the kind keyword to define a storage account deployment.


See https://www.jorgebernhardt.com/bicep-azure-storage-account-cli/

The scope keyword is targetScope - and its default is resourceGroup, so it's not necessary to be specified.
See the link that Ahkhan has shared: https://ochzhen.com/blog/create-resource-group-azure-bicep
upvoted 2 times
Question #102 Topic 4

HOTSPOT

Your company purchases a new Azure subscription.

You create a file named Deploy.json as shown in the following exhibit.


You connect to the subscription and run the following cmdlet.

New-AzDeployment -Location westus -TemplateFile "deploy.json"

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Correct Answer:

  Asryi Highly Voted  3 months, 1 week ago

YNY
The deployment creates 3 RGs called RG0, RG1, RG2 as the index is 0-based.
You can deploy to RG1 as the lock is delete.
You can't deploy to RG2 as the lock is read-only, hence it can't be modified.
upvoted 12 times

  Alandt 1 month ago


Correct explanation!
upvoted 1 times

  gswar Most Recent  3 months ago

YNY is correct
upvoted 3 times

  Wuhao 3 months, 1 week ago


A read-only lock on a resource group prevents users from moving any new resource into that resource group.
https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources?tabs=json
upvoted 1 times

  Batiste2023 3 months, 1 week ago


Yes, answer provided is correct, YNY.

Pay attention to the different resource locks for RG1 (delete) and RG2 (read-only).

Also, as Ahkhan has stated, three resource groups are created by the template, RG0, RG1 and RG2. RG3 can be created manually
afterwards.
upvoted 2 times

  Ahkhan 3 months, 1 week ago


Index value starts with 0. So the ARM template is creating RG01, RG1, and RG2. Hence, the answer to the third one is YES.

https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/copy-resources
upvoted 3 times

  ducklaorange 3 months, 1 week ago


This took some digging:
https://github.com/uglide/azure-content/blob/master/articles/resource-group-create-multiple.md
Use Index value for name section
So I believe the answer for third one is NO since resource group names must be unique within an subscription.
upvoted 2 times

  Batiste2023 3 months ago


Thanks for the link!
It says, though, that the count for the index value starts at 0 - so the resource groups created here are RG0, RG1 and RG2. RG3 can be
created manually afterwards.
upvoted 3 times
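
How the Question #100 and Question #102 threads fit together, as an added example that is not part of the original page: it reads a template's `$schema` to find the deployment scope and the matching cmdlet, flags a resource group declared outside subscription scope, and expands a `copy` loop into resource names. The template is constructed (the exhibits are not reproduced on this page), and only names of the form `[concat('<literal>', copyIndex(<offset>))]` are handled.

```python
import re

# File name at the end of the $schema URL -> (scope, Az PowerShell cmdlet).
SCOPES = {
    "deploymenttemplate.json": ("resourceGroup", "New-AzResourceGroupDeployment"),
    "subscriptiondeploymenttemplate.json": ("subscription", "New-AzSubscriptionDeployment"),
    "managementgroupdeploymenttemplate.json": ("managementGroup", "New-AzManagementGroupDeployment"),
    "tenantdeploymenttemplate.json": ("tenant", "New-AzTenantDeployment"),
}
COPY_INDEX = re.compile(r"copyIndex\(\s*(\d*)\s*\)")

# Constructed template (not the exam exhibit): three resource groups created
# by a copy loop in a subscription-scope template.
SUBSCRIPTION_TEMPLATE = {
    "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [{
        "type": "Microsoft.Resources/resourceGroups",
        "apiVersion": "2021-04-01",
        "name": "[concat('RG', copyIndex())]",
        "location": "westus",
        "copy": {"name": "rgCopy", "count": 3},
    }],
}


def deployment_scope(template):
    """Return (scope, cmdlet) for the scope named by the template's $schema."""
    schema = template.get("$schema", "")
    filename = schema.split("#", 1)[0].rstrip("/").rsplit("/", 1)[-1].lower()
    if filename not in SCOPES:
        raise ValueError(f"unrecognised $schema: {schema!r}")
    return SCOPES[filename]


def expand_copy_names(resource):
    """Names produced by a resource-level copy loop.

    copyIndex() is zero-based; copyIndex(n) adds n to every index.
    """
    name = resource["name"]
    copy = resource.get("copy")
    if copy is None:
        return [name]
    match = re.fullmatch(r"\[concat\((.*)\)\]", name.strip())
    if not match:
        raise ValueError(f"unsupported name expression: {name}")
    args = [arg.strip() for arg in match.group(1).split(",")]
    names = []
    for index in range(int(copy["count"])):
        parts = []
        for arg in args:
            idx = COPY_INDEX.fullmatch(arg)
            if idx:
                parts.append(str(index + int(idx.group(1) or 0)))
            elif len(arg) >= 2 and arg[0] == arg[-1] == "'":
                parts.append(arg[1:-1])
            else:
                raise ValueError(f"unsupported concat argument: {arg}")
        names.append("".join(parts))
    return names


def review(template):
    """Summarise scope, cmdlet, expanded names and scope mismatches."""
    scope, cmdlet = deployment_scope(template)
    names, problems = [], []
    for res in template.get("resources", []):
        expanded = expand_copy_names(res)
        names.extend(expanded)
        is_rg = res["type"].lower() == "microsoft.resources/resourcegroups"
        if is_rg and scope != "subscription":
            problems.append(
                f"{expanded} are resource groups, but the template targets "
                f"{scope} scope; declare them in a subscription-scope template"
            )
    return {"scope": scope, "cmdlet": cmdlet, "names": names, "problems": problems}


if __name__ == "__main__":
    print(review(SUBSCRIPTION_TEMPLATE))
```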
Question #103 Topic 4

You have an Azure subscription that contains the resources shown in the following table.

You need to configure a proximity placement group for VMSS1.

Which proximity placement groups should you use?

A. Proximity2 only

B. Proximity1, Proximity2, and Proximity3

C. Proximity1 only

D. Proximity1 and Proximity3 only

Correct Answer: C

Community vote distribution


C (100%)

  JonWick Highly Voted  3 months, 1 week ago

Answer is correct, Proximity 1 only because they have the same location in West US.
upvoted 10 times

  amsioso Most Recent  2 months, 1 week ago

Selected Answer: C

To get VMs as close as possible, achieving the lowest possible latency, you should deploy them within a proximity placement group.

A proximity placement group is a logical grouping used to make sure that Azure compute resources are physically located close to each
other. Proximity placement groups are useful for workloads where low latency is a requirement.
upvoted 3 times

  Andreas_Czech 2 months, 3 weeks ago


Selected Answer: C

as MS -> A proximity placement group is a logical grouping used to make sure that Azure compute resources are physically located close
to each other.

https://learn.microsoft.com/en-us/azure/virtual-machines/windows/proximity-placement-groups-portal
upvoted 1 times

  gswar 3 months ago


Answer C is correct, as VMSS1 is in the proximity of Proximity1
upvoted 2 times
Question #104 Topic 4

HOTSPOT

You have an Azure subscription that contains the virtual networks shown in the following table.

The subscription contains the virtual machines shown in the following table.

The subscription contains the Azure App Service web apps shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Correct Answer:

  arr73 Highly Voted  1 month, 1 week ago

YNN
Point 1: Yes: Using virtual network integration enables your app to access:
Resources in the virtual network you're integrated with.
Resources in virtual networks peered to the virtual network your app is integrated with including global peering connections.
Point 2: NO: Virtual network integration is used only to make outbound calls from your app into your virtual network
Point 3: NO: There are some limitations with using virtual network integration: The feature isn't available for Isolated plan apps in an App
Service Environment
Reference: https://learn.microsoft.com/en-us/azure/app-service/overview-vnet-integration
upvoted 10 times

  SDiwan 6 days, 23 hours ago


Your 3rd answer is wrong. It should be "YES". Isolated apps do not need the vnet integration feature because it is Network-isolated
application hosting, meaning the app is deployed into a subnet, which is inside vnet in this question. Since there is peering between
vnet1 and vnet2, the app can communicate with a VM in the other vnet.
upvoted 1 times

  SDiwan 6 days, 23 hours ago


Your 3rd answer is wrong. It should be "YES". Isolated apps do not need the vnet integration feature because the app already has
Network-isolated application hosting, meaning the app is deployed into a subnet, which is inside vnet2 in this question. Since there
is peering between vnet1 and vnet2, the app can communicate with a VM in the other vnet1.
upvoted 1 times

  flamingo23 2 weeks, 2 days ago


In your link under limitations, we have " You can't reach resources across peering connections with classic virtual networks". So I think
for the first question 'N'. We cannot peer if the other vm is also virtually integrated.
upvoted 1 times

  flamingo23 2 weeks, 2 days ago


Sorry typo - other vm is also NOT virtually integrated.
upvoted 1 times

  learnboy123 Highly Voted  1 month, 2 weeks ago


YNY check https://learn.microsoft.com/en-us/azure/app-service/overview-vnet-integration
upvoted 7 times

  houzer Most Recent  1 month, 1 week ago


Agree with YNY, the Isolated tier only means that the Web App is hosted in a private, dedicated Azure environment rather than sharing the
runtime environment with other customers (for shared plans) or dedicated which is running on... well... dedicated VM instances.
upvoted 4 times

  houzer 1 month, 1 week ago


So running Isolated plans for WebApps does not necessarily mean these are isolated from other resources by default.
upvoted 1 times

  flamingo23 2 weeks, 2 days ago


In the link under limitations, we have " You can't reach resources across peering connections with classic virtual networks". So I think
for the first question 'N'. We cannot peer if the other vm is also virtually integrated.
https://learn.microsoft.com/en-us/azure/app-service/overview-vnet-integration

So I think it is NNN
upvoted 1 times

  Alandt 1 month, 1 week ago


GitHub Copilot
webapp1 can communicate with vm2: Yes

Explanation: webapp1 is integrated with vnet1 and vnet1 is peered with vnet2, which vm2 is connected to. So, webapp1 can communicate
with vm2.

nsg1 controls inbound traffic to webapp1: No

Explanation: nsg1 is associated with subnet1, not directly with webapp1. It controls the inbound traffic to the subnet1, not to the
webapp1.

webapp2 can communicate with vm1: Yes

Explanation: webapp2 is deployed to subnet2 and subnet2 is in vnet2. vnet2 is peered with vnet1, which vm1 is connected to. So, webapp2
can communicate with vm1.
upvoted 2 times

  SamCook101 1 month, 2 weeks ago


YNN......
upvoted 1 times
Question #105 Topic 4

You have an Azure subscription named Subscription1 that contains the resources shown in the following table.

You create virtual machines in Subscription1 as shown in the following table.

You plan to use Vault1 for the backup of as many virtual machines as possible.

Which virtual machines can be backed up to Vault1?

A. VM1 only

B. VM3 and VMC only

C. VM1, VM2, VM3, VMA, VMB, and VMC

D. VM1, VM3, VMA, and VMC only

E. VM1 and VM3 only

Correct Answer: D

  arr73 Highly Voted  1 month, 1 week ago

D: VM1, VM3, VMA, and VMC only


Explanation: only the West Europe VMs:
You need a vault in every Azure region that contains VMs you want to back up. You can't back up to a different region.
Azure Backup supports application-consistent backups for both Windows and Linux VMs
There is no restriction that prevents backups from being performed on a Recovery Services Vault located in another resource Group
Reference: https://learn.microsoft.com/en-us/azure/virtual-machines/backup-recovery
upvoted 9 times
Question #106 Topic 4

You have an Azure subscription that contains an Azure container registry named ContReg1.

You enable the Admin user for ContReg1.

Which username can you use to sign in to ContReg1?

A. root

B. admin

C. administrator

D. ContReg1

Correct Answer: B

Community vote distribution


D (75%) B (25%)

  Andreas_Czech Highly Voted  1 month ago

Selected Answer: D

tested in LAB
when you go to this Option in the Portal - next to the "Mark" is a Explanation Field and when you hover over it, it say -> the admin user is
identical to the Name of the Container Registry.

The Name of the Container Registry is ContReg1


therefore is the admin user ContReg1 and that means D
upvoted 11 times

  Giovachia2016 3 weeks, 5 days ago


Andreas_Czech is right.
Tested in the portal:
"If activated, you can use the registry name as username and admin user access key as password to docker login to your container
registry."
upvoted 2 times

  SDiwan Most Recent  6 days, 23 hours ago

Selected Answer: D

D is correct. The admin user name matches the container registry


upvoted 1 times

  arr73 1 month, 1 week ago


B: admin
Reference: https://learn.microsoft.com/en-us/azure/container-registry/container-registry-authentication?tabs=azure-cli#admin-account
upvoted 3 times

  naveedpk00 1 week, 1 day ago


Wrong. It must be the name of the container registry that is ContReg1. az acr update -n ContReg1 --admin-enabled true
upvoted 1 times

  rumino 1 month, 1 week ago

Selected Answer: B

https://learn.microsoft.com/en-us/azure/container-registry/container-registry-authentication?tabs=azure-cli#admin-account
upvoted 4 times
Topic 5 - Question Set 5

Question #1 Topic 5

HOTSPOT -

You have an Azure subscription named Sub1.

You plan to deploy a multi-tiered application that will contain the tiers shown in the following table.

You need to recommend a networking solution to meet the following requirements:

✑ Ensure that communication between the web servers and the business logic tier spreads equally across the virtual machines.
✑ Protect the web servers from SQL injection attacks.
Which Azure resource should you recommend for each requirement? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

Box 1: an internal load balancer

Azure Internal Load Balancer (ILB) provides network load balancing between virtual machines that reside inside a cloud service or a virtual
network with a regional scope.

Box 2: an application gateway that uses the WAF tier

Azure Web Application Firewall (WAF) on Azure Application Gateway provides centralized protection of your web applications from common
exploits and vulnerabilities. Web applications are increasingly targeted by malicious attacks that exploit commonly known vulnerabilities.

Reference:

https://docs.microsoft.com/en-us/azure/web-application-firewall/ag/ag-overview

  mlantonis Highly Voted  2 years, 9 months ago

Correct Answer:

Box 1: an internal load balancer


Azure Internal Load Balancer (ILB) provides network load balancing between virtual machines that reside inside a cloud service or a virtual
network with a regional scope.

Box 2: an application gateway that uses the WAF tier


Azure Web Application Firewall (WAF) on Azure Application Gateway provides centralized protection of your web applications from
common exploits and vulnerabilities. Web applications are increasingly targeted by malicious attacks that exploit commonly known
vulnerabilities. Application gateway which uses WAF tier.
upvoted 153 times

  zvasanth2 2 years, 5 months ago


Azure Web Application Firewall (WAF) on Azure Application Gateway provides centralized protection of your web applications from
common exploits and vulnerabilities. Web applications are increasingly targeted by malicious attacks that exploit commonly known
vulnerabilities. SQL injection and cross-site scripting are among the most common attacks
upvoted 6 times

  fedztedz Highly Voted  3 years, 1 month ago


Answer is correct.
- Internal Load Balancer. check the example in https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-overview
- Application gateway which uses WAF tier.
upvoted 61 times

  Gregsenn Most Recent  5 months, 2 weeks ago


On exam 29/08/23
upvoted 3 times

  WakandaF 5 months, 1 week ago


Thanks

I will do the exam this Friday 8th.


upvoted 2 times

  stonwall12 8 months ago


Internal Loader & WAF Firewall

We're communicating internally, and WAF provides SQL injection protection


upvoted 1 times

  Georges_Hawat_2000 10 months, 1 week ago


But doesn’t the application gateway provide some load balancing features?
upvoted 1 times

  Ashfaque_9x 1 year ago


Passed today on 29Jan23 with a score of 970. This question was in the exam.
Correct Answer:
Box 1: an internal load balancer
Box 2: an application gateway that uses the WAF tier
upvoted 7 times

  EmnCours 1 year, 5 months ago


Given Answer is correct
upvoted 1 times

  Lazylinux 1 year, 7 months ago


Given Answer is correct
Answer is correct.

- Internal Load Balancer


- Application gateway which uses WAF tier.
Web Application Firewall (WAF)

Provides centralized protection of your web applications from common exploits and vulnerabilities. Web applications are increasingly
targeted by malicious attacks that exploit commonly known vulnerabilities. SQL injection and cross-site scripting are among the most
common attacks. A WAF solution can react to a security threat faster by centrally patching a known vulnerability, instead of securing each
individual web application. WAF can be deployed with Azure Application Gateway, Azure Front Door, and Azure Content Delivery Network
(CDN) service from Microsoft. WAF on Azure CDN is currently under public preview. WAF has features that are customized for each specific
service. For more information about WAF features for each service, see the overview for each service.
upvoted 5 times
  Lazylinux 1 year, 7 months ago
Protects against malicious attacks such as:
*SQL Injection
*Cross-site scripting
*Broken Authentication
*Sensitive data exposure
*XML External entities
*Broken Access control
*Security misconfiguration
*Insecure deserialization
*Vulnerable components
*Insufficient logging
More info here:
https://docs.microsoft.com/en-us/azure/web-application-firewall/ag/ag-overview
upvoted 4 times

  InvisibleShadow 1 year, 11 months ago


This question came in the exam today 8/Mar/2022.
I passed the exam, 95% questions came from here.
upvoted 3 times

  nidhogg 2 years ago


On the exam today, 1.feb.2022
Just 761/1000, but OK! :D
Thanks to ExamTopics and to you all!
upvoted 4 times

  im82 2 years, 2 months ago


Was on exam today 19.11.2021. Passed with 920.
Correct answer:
- Internal Load Balancer
- Application gateway which uses WAF tier
upvoted 11 times

  AubinBakana 2 years, 5 months ago


This one is super tough. I have not worked with Logic Apps that much, so I had to do some research here. But it's pretty interesting.
upvoted 1 times

  AubinBakana 2 years, 5 months ago


correct answer
upvoted 1 times

  achmadirvanp 2 years, 7 months ago


Answer is correct, Appear On Exam July 1 2021
upvoted 6 times

  inemumoren 2 years, 7 months ago


Answer is correct.
An internal load balancer to spread the traffic and
an application gateway with WAF tier to prevent malicious attacks.
upvoted 1 times

  ScreamingHand 2 years, 8 months ago


Always nice to see a straight forward question
upvoted 5 times

  ZUMY 2 years, 11 months ago


- for RG1, nothing is changed as the policy is only applied on resources not resource groups. So, the answer is tag1: value1
- for storage account, the policy is applied as a new resource is created. Also, nothing mentioned about inheritance from RG. accordingly,
the answer is tag2:value2 from policy1 and tag3: value3 as applied directly.
upvoted 4 times

  AlexLiourtas 2 years, 10 months ago


what the...?
upvoted 6 times

  3abmula 2 years, 9 months ago


Might be a correct answer, but to the wrong question :D
upvoted 9 times

  Santy7 2 years, 6 months ago


ha ha ha
upvoted 2 times
Question #2 Topic 5

Your company has three offices. The offices are located in Miami, Los Angeles, and New York. Each office contains a datacenter.

You have an Azure subscription that contains resources in the East US and West US Azure regions. Each region contains a virtual network. The
virtual networks are peered.

You need to connect the datacenters to the subscription. The solution must minimize network latency between the datacenters.

What should you create?

A. three Azure Application Gateways and one On-premises data gateway

B. three virtual hubs and one virtual WAN

C. three virtual WANs and one virtual hub

D. three On-premises data gateways and one Azure Application Gateway

Correct Answer: C

Reference:

https://docs.microsoft.com/en-us/azure/virtual-wan/virtual-wan-about

Community vote distribution


B (89%) 11%

  mlantonis Highly Voted  2 years, 9 months ago

Correct Answer: C

There can only be one hub per Azure region.


It should be 2 Virtual Hubs and 1 WAN.
Since we have just two region, it may be impossible to have 3 hubs.

Reference:
https://docs.microsoft.com/en-us/azure/virtual-wan/virtual-wan-about
upvoted 83 times

  ldenis 1 month, 2 weeks ago


Your description is correct but the selection C is not ;)
upvoted 2 times

  MatAlves 4 months, 3 weeks ago


"Multiple virtual hubs can be created in the same region."
upvoted 1 times

  alejox96 1 year ago


This time you were wrong friend, 100% sure, this question came up in a Cloudlabs mock exam, Correct answer: B.
upvoted 12 times

  Milan1988 11 months ago


you are right.
three virtual hubs and one virtual WAN) would also not be the best solution as it would require multiple virtual hubs to be set up, which
would again add complexity to the network architecture.
upvoted 1 times

  zeal0 Highly Voted  3 years, 5 months ago

They're all wrong because the question says there are 2 Azure regions, and the below documentation says each region only has a single
hub... Should be 2 hubs and one WAN.
https://docs.microsoft.com/en-us/azure/virtual-wan/virtual-wan-about

"Hub: A virtual hub is a Microsoft-managed virtual network. The hub contains various service endpoints to enable connectivity. From your
on-premises network (vpnsite), you can connect to a VPN Gateway inside the virtual hub, connect ExpressRoute circuits to a virtual hub, or
even connect mobile users to a Point-to-site gateway in the virtual hub. The hub is the core of your network in a region. There can only be
one hub per Azure region."
upvoted 51 times

  PriyankaSmriti 1 year, 1 month ago


Microsoft has removed the limitation of having only 1 hub per region.
"A virtual hub is a Microsoft-managed virtual network. The hub contains various service endpoints to enable connectivity. From your
on-premises network (vpnsite), you can connect to a VPN gateway inside the virtual hub, connect ExpressRoute circuits to a virtual hub,
or even connect mobile users to a point-to-site gateway in the virtual hub. The hub is the core of your network in a region. Multiple
virtual hubs can be created in the same region."

Reference - https://learn.microsoft.com/en-us/azure/virtual-wan/virtual-wan-about
upvoted 16 times

  marcellov 2 years, 9 months ago


Agree. In the link below there is a very good architecture that shows almost the same example as in the question, and we can see 1
virtual WAN and 2 hubs:
https://docs.microsoft.com/en-us/azure/virtual-wan/migrate-from-hub-spoke-topology#architecture
The closest answer would be 'B', 3 hubs and 1 WAN. Even if we don't have 3 regions being used, we can still create 3 hubs in 3 different
regions.
upvoted 22 times

  VivekBishnoi1982 7 months, 2 weeks ago


It is clearly mentioned in the above link: https://docs.microsoft.com/en-us/azure/virtual-wan/virtual-wan-about
that: Multiple virtual hubs can be created in the same region
upvoted 3 times

  imartinez 2 years, 5 months ago


They are right,
The question mentions that regions are peered, so you just need to connect one region to the hub.
"Each region contains a virtual network. The virtual networks are peered"
upvoted 7 times

  SDiwan Most Recent  6 days, 23 hours ago

Selected Answer: B

Answer from chatgpt and it makes sense:

Option B: Three virtual hubs and one virtual WAN

Explanation:

Virtual hubs in Azure Virtual WAN provide a central point of connectivity and management for your network resources. By deploying three
virtual hubs, one for each office, you establish a direct connection from each datacenter to the Azure Virtual WAN.
Azure Virtual WAN is designed to optimize connectivity across regions, helping to minimize network latency between the datacenters and
the Azure subscription.
By using a single virtual WAN, you can centrally manage and configure the network connections for all three datacenters, streamlining
administration and ensuring consistent network policies across the infrastructure.
Therefore, option B is the most appropriate choice for minimizing network latency while connecting the datacenters to the Azure
subscription.
upvoted 1 times

  rumino 1 month, 1 week ago


Selected Answer: B

https://learn.microsoft.com/en-us/azure/virtual-wan/virtual-wan-about
upvoted 2 times

  clg003 4 months ago


Selected Answer: B

I am not sure I understand the debate. According to ms docs "Virtual WANs are isolated from each other and can't contain a common hub.
Virtual hubs in different virtual WANs don't communicate with each other". That would infer that multiple VWANs is not going to work to
connect all of these together.

https://learn.microsoft.com/en-us/azure/virtual-wan/virtual-wan-about
upvoted 3 times

  Default858 4 months, 3 weeks ago

Selected Answer: B

B: 1 WAN, 3 hubs

Virtual WAN: The virtualWAN resource represents a virtual overlay of your Azure network and is a collection of multiple resources. It
contains links to all your virtual hubs that you would like to have within the virtual WAN. Virtual WANs are isolated from each other and
can't contain a common hub. Virtual hubs in different virtual WANs don't communicate with each other.

Hub: A virtual hub is a Microsoft-managed virtual network. The hub contains various service endpoints to enable connectivity. From your
on-premises network (vpnsite), you can connect to a VPN gateway inside the virtual hub, connect ExpressRoute circuits to a virtual hub, or
even connect mobile users to a point-to-site gateway in the virtual hub. The hub is the core of your network in a region. Multiple virtual
hubs can be created in the same region.

Reference: https://learn.microsoft.com/en-us/azure/virtual-wan/virtual-wan-about
upvoted 3 times

  obaemf 5 months ago

Selected Answer: B

Three virtual hubs and one virtual WAN


upvoted 1 times

  shrsrm95 5 months, 2 weeks ago

Selected Answer: C
which genius thought you have multiple WANs in a single hub?
upvoted 1 times

  shrsrm95 5 months, 2 weeks ago


ticked the wrong box, the correct answer is B.
upvoted 1 times

  eksmp 5 months, 3 weeks ago


Virtual WAN: The virtualWAN resource represents a virtual overlay of your Azure network and is a collection of multiple resources. It
contains links to all your virtual hubs that you would like to have within the virtual WAN. Virtual WANs are isolated from each other and
can't contain a common hub. Virtual hubs in different virtual WANs don't communicate with each other.
Hub: A virtual hub is a Microsoft-managed virtual network. The hub contains various service endpoints to enable connectivity. From your
on-premises network (vpnsite), you can connect to a VPN gateway inside the virtual hub, connect ExpressRoute circuits to a virtual hub, or
even connect mobile users to a point-to-site gateway in the virtual hub. The hub is the core of your network in a region. Multiple virtual
hubs can be created in the same region.
https://learn.microsoft.com/en-us/azure/virtual-wan/virtual-wan-about
Based on this, I'd say B : multiple virtual hubs and 1 virtual WAN (august 2023)
upvoted 3 times

  oopspruu 5 months, 3 weeks ago

Selected Answer: B

As of 20/08/2023:
The hub is the core of your network in a region. Multiple virtual hubs can be created in the same region.
https://learn.microsoft.com/en-us/azure/virtual-wan/virtual-wan-about#resources

Also, creating 3 Virtual WANs doesn't make any sense when the WAN is supposed to be this central management mechanism, where multiple
hubs connect to.
So 1 WAN with 3 hubs.
upvoted 3 times

  Tomix 7 months, 2 weeks ago


C. Three virtual WANs and one virtual hub.

Explanation:
A virtual WAN is a networking service in Azure that provides optimized and automated branch-to-branch connectivity. It allows you to
connect multiple on-premises sites and Azure virtual networks through a hub and spoke topology, providing centralized management and
routing.

In this scenario, you have three offices located in different cities: Miami, Los Angeles, and New York. Each office has a datacenter. To
minimize network latency, you can create a virtual WAN for each office (three virtual WANs in total) and then connect them all using a
single virtual hub.

By creating three virtual WANs and connecting them through a virtual hub, you can establish a hub and spoke network topology that
enables efficient and low-latency communication between the datacenters. This setup ensures that data traffic flows through the optimal
path, reducing latency and providing centralized management and routing.

Therefore, the correct answer is C. Three virtual WANs and one virtual hub.
upvoted 2 times

  argoth 7 months, 3 weeks ago


Selected Answer: B

The correct answer in 2023 is B.

"The hub is the core of your network in a region. Multiple virtual hubs can be created in the same region."

https://learn.microsoft.com/en-us/azure/virtual-wan/virtual-wan-about#resources
upvoted 3 times

  stonwall12 8 months ago


C: 3 Virtual WANs and 1 Virtual hub.

Only 1 hub per Azure region.


upvoted 1 times

  rat001 8 months ago

Selected Answer: B

Don't listen to the C's, because "There can be multiple hubs per Azure region."

The answer is: B

Reference: https://learn.microsoft.com/en-us/azure/architecture/networking/hub-spoke-vwan-architecture
upvoted 3 times

  Rwj 9 months, 1 week ago


On Exam, 04/22/2023
upvoted 2 times
  Exilic 9 months, 3 weeks ago

Selected Answer: B

OpenAI

"The best solution to connect the three datacenters to the Azure subscription while minimizing network latency is to use a virtual WAN
with three virtual hubs, one for each datacenter. This would allow for centralized management of the network and optimized routing
between the virtual networks in the East and West Azure regions. Option B, "three virtual hubs and one virtual WAN," is the correct choice
for this scenario."
upvoted 2 times

  Durden871 11 months ago


From Udemy:
Explanation
A virtual hub is a Microsoft-managed virtual network. The hub contains various service endpoints to enable connectivity. From your
on-premises network (vpnsite), you can connect to a VPN Gateway inside the virtual hub, connect ExpressRoute circuits to a virtual hub, or
even connect mobile users to a Point-to-site gateway in the virtual hub. The hub is the core of your network in a region. There can only be
one hub per Azure region.

The virtualWAN resource represents a virtual overlay of your Azure network and is a collection of multiple resources. It contains links to all
your virtual hubs that you would like to have within the virtual WAN. Virtual WAN resources are isolated from each other and cannot
contain a common hub. Virtual hubs across Virtual WAN do not communicate with each other.

There are two regions in this question, so two virtual hubs and one virtual WAN.

https://docs.microsoft.com/en-us/azure/virtual-wan/virtual-wan-about
upvoted 1 times
Question #3 Topic 5

HOTSPOT -

You plan to deploy five virtual machines to a virtual network subnet.

Each virtual machine will have a public IP address and a private IP address.

Each virtual machine requires the same inbound and outbound security rules.

What is the minimum number of network interfaces and network security groups that you require? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

Box 1: 5

A public and a private IP address can be assigned to a single network interface.

Box 2: 1

You can associate zero, or one, network security group to each virtual network subnet and network interface in a virtual machine. The same network security group can be associated to as many subnets and network interfaces as you choose.

Reference:

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface-addresses

  fedztedz Highly Voted  3 years, 1 month ago

Answer should be : 5 Network interfaces and 1 Network security group


upvoted 123 times

  Rain_walker_6ix 1 year, 8 months ago


Nice !
upvoted 2 times

  mlantonis Highly Voted  2 years, 9 months ago

Box 1: 5
A public and a private IP address can be assigned to a single network interface.
By default a NIC is associated to one IP address. Anyway, nothing prevents a NIC from having MORE THAN ONE IP address. So to the VM's NIC,
you can associate the public and the private IP at the same time. You are not forced to have one NIC for the public IP and one NIC for the
private IP.

Box 2: 1
You can associate zero, or one, network security group to each virtual network subnet and network interface in a virtual machine. The
same network security group can be associated to as many subnets and network interfaces as you choose.

Reference:

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface-addresses
upvoted 104 times

  Indy429 Most Recent  1 month, 3 weeks ago

Where would we be without fedztedz & mlantonis?🥹❤️


upvoted 2 times

  kamalpur 7 months ago


This question is explained in the video below and shown practically on the Azure portal as well.

https://youtu.be/ldpefLkTy44
upvoted 2 times

  stonwall12 8 months ago


5 Network interfaces
1 Security Group
upvoted 2 times

  shadad 11 months, 2 weeks ago


I took the Azure-104 exam on 27/2/2023
I scored 920 points out of 1000 points. This was on it and my answer was:
Box 1: 5
Box 2: 1
upvoted 4 times

  Bigc0ck 1 year, 1 month ago


on the test, easiest question
upvoted 1 times

  SumanSaurabh 1 year, 2 months ago


I know Mlantonis is giving best answer with detail explanation but this guy fedztedz is also good and giving correct answers in most of the
question. You both are amazing :)
upvoted 4 times

  fabras 1 year, 3 months ago


nic 5
nsg 1
correct answer
upvoted 3 times

  mercuryit 1 year, 4 months ago


Correct answer
nic 5
nsg 1
upvoted 1 times

  EmnCours 1 year, 5 months ago


Given answer is correct.
Both Private and Public IP addresses can be assigned to a virtual machine's network interface controller (NIC)
upvoted 1 times

  Lazylinux 1 year, 7 months ago


Given answer is correct
upvoted 1 times

  [Removed] 2 years, 2 months ago


Was on exam dated 15/11/2021
upvoted 3 times

  ScoutP 2 years, 4 months ago


This question was asked on exam taken on Sept 30, 2021
upvoted 2 times

  joydeep1 2 years, 8 months ago


Answers correct. Ques was in exam today.
upvoted 5 times
  KenDo 2 years, 9 months ago
This is more of an English test than a technical question!
upvoted 4 times

  aboelnaga 2 years, 9 months ago


the answer should be 10 Network interfaces and 1 network security group
upvoted 1 times

  3abmula 2 years, 9 months ago


You can test deploy a VM with both private and public IP address and you'll figure that out. It only requires 1 NIC to have private and
public IP address.
upvoted 2 times

  JimBobSquare101 2 years, 6 months ago


Lol...where do you get the amount of 10 NI's from?
upvoted 2 times

  ASIMIS 2 years, 7 months ago


With all due respect, please stop giving answers for the sake of posting on the chat, you are misleading people to fail. You clearly just
guessed without even researching or testing it yourself. It's better to keep quiet, and I don't mean this out of dis but please respect people's
time and stop posting just for fun.
upvoted 8 times
Question #4 Topic 5

You have an Azure subscription that contains the resources shown in the following table.

LB1 is configured as shown in the following table.

You plan to create new inbound NAT rules that meet the following requirements:

✑ Provide Remote Desktop access to VM1 from the internet by using port 3389.
✑ Provide Remote Desktop access to VM2 from the internet by using port 3389.

What should you create on LB1 before you can create the new inbound NAT rules?

A. a frontend IP address

B. a load balancing rule

C. a health probe

D. a backend pool

Correct Answer: A

Community vote distribution


A (72%) B (28%)

  Mercator Highly Voted  2 years, 6 months ago

I think the answer is correct. Key is port 3389 from the internet for both VMs. If we want to connect to two different machines on the same
port we need to have two different frontend IPs for the port forwarding.
upvoted 66 times

  lebowski 1 year, 5 months ago


That's right, you need to know the specific IP address of the VM, otherwise, you will randomly access any VM in the LB. It is A
upvoted 5 times

  Vlako Highly Voted  2 years, 7 months ago


This does not make sense. On existing LB, you can create NAT rule right away. The frontend IP address is already there.
Imho maybe B is right, you need to set the load balancing rule for port 3389.
upvoted 40 times

  kmaneith 1 year, 3 months ago


impossible
IP1:3389 -> vm1:3389
IP1:3389 -> vm2:3389 ???

possible
IP1:3389 -> vm1:3389
IP2:3389 -> vm2:3389
or
IP1:3389 -> vm1:3389
IP1:3388 -> vm2:3389
upvoted 7 times

  mung 1 year, 2 months ago


Load balancer has a feature called 'Floating IP' that enables reuse of the backend ports with the same load balancer's frontend IP.
So you are wrong.
upvoted 2 times

  kmaneith 1 year, 3 months ago


https://learn.microsoft.com/en-us/azure/load-balancer/manage-inbound-nat-rules?tabs=inbound-nat-rule-portal
upvoted 1 times

  joergsi 2 years, 1 month ago


Yes, the LB has one public IP assigned, but this is used for the Web-Server (Port 80 is in use), now we are adding a new service on port
3389 which needs a dedicated external IP.
upvoted 4 times

  awssecuritynewbie 1 year, 4 months ago


It does not make sense; they have listed the frontend IP address as being "public", so it is there. Why do we need it again?
upvoted 1 times

  fazedenk 2 years, 7 months ago


Wouldn't you need a health probe first before defining a load balancing rule?
upvoted 3 times

  fazedenk 2 years, 7 months ago


You can try this out yourself; when creating a new load balancing rule, you have to add a health probe inside the rule. Unless you
are going to re-use the port 80 health probe, which doesn't make sense.
upvoted 3 times

  SDiwan Most Recent  6 days, 22 hours ago

Selected Answer: A

A is the correct answer. Before we can create an inbound NAT rule in the LB, we need to create a new IP address, after that we can create 2
single VM inbound NAT rules
upvoted 1 times

  ExamWolf 1 month, 3 weeks ago


Selected Answer: B

You don't need another frontend IP for another port.

So if you have a web server that is listening on ports 80 and 443, you are going to have two public IPs, makes no sense.
upvoted 1 times

  SgtDumitru 2 months, 2 weeks ago


Since back-end pool, health probe and load balancing rule already are created, only public IP is missing.
upvoted 2 times

  clg003 4 months ago

Selected Answer: A

Again... don't understand the debate. The question reads... "What should you create on LB1 BEFORE you can create the new inbound NAT
rules?" So I am not sure how people think the answer is B. Do they think that before they can create the rule they have to create the rule?
It can have multiple frontend IPs.

https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-multivip-overview
upvoted 2 times

  Vestibal 4 months, 1 week ago

Selected Answer: A

https://learn.microsoft.com/en-us/azure/load-balancer/manage-inbound-nat-rules?tabs=inbound-nat-rule-portal#add-a-single-vm-inbound-nat-rule

Given the need to establish a point of contact for inbound network connectivity, the correct answer is A. a frontend IP address. This is
essential as it serves as the entry point for traffic, which is then directed to the appropriate resources using NAT rules.
upvoted 1 times

  sardonique 4 months, 3 weeks ago


this question is poorly formulated, you've already got all of the 4 possible answers within the LB itself. why would you need a second
public ip address? this question is weird
upvoted 1 times

  razzil 4 months, 3 weeks ago

Selected Answer: B

You can use the same IP address with different frontend ports
IP1:3800 -> vm1:3389
IP1:3801 -> vm2:3389
The frontend port doesn't have to be port 3389. The frontend and backend ports don't have to be the same.
upvoted 1 times

  KMLearn2 5 months, 1 week ago

Selected Answer: A

The question does not really make sense:

You don't need a load balancing rule, a health probe or a backend pool for a single VM inbound NAT rule and there should already be a
public IP you can use.
E.g. you create 2x NAT rules: <pip>:3391 -> VM1:3389 and <pip>:3392 -> VM2:3389
but yeah, if you want <pip>:3389 then you need additional public IPs....
Source: https://learn.microsoft.com/en-us/azure/load-balancer/manage-inbound-nat-rules?tabs=inbound-nat-rule-portal#add-a-single-vm-inbound-nat-rule
upvoted 2 times

  oopspruu 5 months, 3 weeks ago

Selected Answer: A

The whole point of NAT rules is that you can access a specific port on the VM using any random port number you define in NAT rules. You can
RDP to port 3389 using something like 132.25.32.125:9999 because NAT will translate the incoming port 9999 to 3389.

What you really need is a public IP Address, without which it is not possible to RDP in the VM from Internet.
upvoted 2 times

  danrodcard 6 months ago


An inbound NAT rule forwards incoming traffic sent to frontend IP address and port combination. The traffic is sent to a specific virtual
machine or instance in the backend pool. Port forwarding is done by the same hash-based distribution as load balancing.
https://learn.microsoft.com/en-us/azure/load-balancer/components
upvoted 1 times

  marioZuo 6 months, 3 weeks ago


We want to use NAT why we need LB rule? Confusing
upvoted 1 times

  Sri944 7 months, 1 week ago


I believe the answer is Option A.
NAT rule must be explicitly attached to a VM (or network interface) to complete the path to the target; whereas Load Balancing rule need
not be. In the latter case, a VM is selected (from the back-end address pool or VMs) to complete the path to the target.
upvoted 1 times

  stonwall12 8 months ago


Frontend IP Address
upvoted 1 times

  Rick2022 8 months, 1 week ago


Answer is B Tested.
You can use the same public ip with 2 rules balancing different ports for the same backend pool.
upvoted 3 times

  Exilic 9 months, 3 weeks ago


Selected Answer: A

OpenAI

"Before creating the new inbound NAT rules, you need to create a frontend IP address on LB1. The frontend IP address will be used to
map the incoming traffic to the backend pool and backend VMs. Once you have created the frontend IP address, you can then create the
new inbound NAT rules for port 3389 to provide Remote Desktop access to VM1 and VM2 from the internet.

So the correct answer is A. a frontend IP address."


upvoted 3 times
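
The port-mapping argument running through this thread, as an added example that is not part of any post and is not Azure tooling: a small Python model that flags inbound NAT rules claiming the same frontend listener and lists every rule that publishes RDP. The `NatRule` class and all function names are hypothetical; VM1/VM2 come from the question and IP1/IP2 are the frontend labels used in the thread.

```python
from collections import defaultdict
from dataclasses import dataclass

RDP_PORT = 3389


@dataclass(frozen=True)
class NatRule:
    """One inbound NAT rule: a frontend listener forwarded to a single VM."""
    name: str
    frontend_ip: str      # label of a frontend IP configuration, e.g. "IP1"
    frontend_port: int
    backend_vm: str
    backend_port: int
    protocol: str = "Tcp"


def find_conflicts(rules):
    """Map each (frontend IP, protocol, frontend port) used by 2+ rules to the rule names."""
    listeners = defaultdict(list)
    for rule in rules:
        key = (rule.frontend_ip, rule.protocol, rule.frontend_port)
        listeners[key].append(rule.name)
    return {key: names for key, names in listeners.items() if len(names) > 1}


def plan_rdp_rules(vms, frontends, same_port=True):
    """Build one RDP rule per VM.

    same_port=True  : every listener must be port 3389, so each VM needs
                      its own frontend IP (the reading behind answer A).
    same_port=False : one frontend IP is enough; listeners are numbered
                      3389, 3390, ... (the reading of several commenters).
    Raises ValueError when the frontend IPs supplied cannot satisfy the plan.
    """
    if not frontends:
        raise ValueError("at least one frontend IP is required")
    if same_port:
        if len(frontends) < len(vms):
            raise ValueError(
                f"{len(vms)} listeners on port {RDP_PORT} need {len(vms)} "
                f"frontend IPs, only {len(frontends)} available")
        return [NatRule(f"rdp-{vm}", fe, RDP_PORT, vm, RDP_PORT)
                for vm, fe in zip(vms, frontends)]
    return [NatRule(f"rdp-{vm}", frontends[0], RDP_PORT + i, vm, RDP_PORT)
            for i, vm in enumerate(vms)]


def published_rdp(rules):
    """Audit view: every rule forwarding to a backend RDP port, whatever port it listens on."""
    return sorted((r.frontend_ip, r.frontend_port, r.backend_vm)
                  for r in rules if r.backend_port == RDP_PORT)


if __name__ == "__main__":
    # The "impossible" pair from the thread: both rules claim IP1:3389.
    clash = [NatRule("rdp-VM1", "IP1", 3389, "VM1", 3389),
             NatRule("rdp-VM2", "IP1", 3389, "VM2", 3389)]
    print("conflicts:", find_conflicts(clash))

    for label, kwargs in (("two frontends", {"frontends": ["IP1", "IP2"]}),
                          ("one frontend, distinct ports",
                           {"frontends": ["IP1"], "same_port": False})):
        rules = plan_rdp_rules(["VM1", "VM2"], **kwargs)
        print(label, "->", published_rdp(rules), "conflicts:", find_conflicts(rules))
```

Whichever plan is used, `published_rdp` returns both VMs: moving the listener to another frontend port does not change the fact that RDP is reachable from the internet, so the source restriction belongs in the NSG.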
Question #5 Topic 5

HOTSPOT -

You have Azure virtual machines that run Windows Server 2019 and are configured as shown in the following table.

You create a private Azure DNS zone named adatum.com. You configure the adatum.com zone to allow auto registration from VNET1.

Which A records will be added to the adatum.com zone for each virtual machine? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

The virtual machines are registered (added) to the private zone as A records pointing to their private IP addresses.

Reference:

https://docs.microsoft.com/en-us/azure/dns/private-dns-overview

https://docs.microsoft.com/en-us/azure/dns/private-dns-scenarios

  mlantonis Highly Voted  2 years, 9 months ago

Correct Answer:

The virtual machines are registered (added) to the private zone as A records pointing to their private IP addresses.

Since both VM1 & VM2 are in the same Vnet1 and the Vnet1 is linked under adatum.com domain (Private DNS Zone->Setting->virtual network
links).

Reference:

https://docs.microsoft.com/en-us/azure/dns/private-dns-overview

https://docs.microsoft.com/en-us/azure/dns/private-dns-scenarios
upvoted 110 times

  mlantonis 2 years, 9 months ago


Box 1: Private
Box 2: Private
upvoted 41 times

  fedztedz Highly Voted  3 years, 1 month ago

Answer is correct. Private/Private


check https://docs.microsoft.com/en-us/azure/dns/private-dns-scenarios#scenario-split-horizon-functionality
upvoted 58 times

  SScott 2 years, 10 months ago


That's it, good reference
upvoted 5 times

  SkyZeroZx Most Recent  1 month ago

Correct,
OS DNS suffix has no effect on this.
Both prv ips will be listed on internal dns zone.
upvoted 1 times

  stonwall12 8 months ago


Private and Private

See below:
https://docs.microsoft.com/en-us/azure/dns/private-dns-scenarios#scenario-split-horizon-functionality
upvoted 2 times

  CyberKelev 11 months, 3 weeks ago


For VM1, the A record added to the adatum.com zone will be the Private IP address only (10.1.0.4), since the DNS suffix configured in
Windows Server is Adatum.com and auto-registration is enabled in VNET1.

For VM2, no A record will be added to the adatum.com zone, since the DNS suffix configured in Windows Server is Contoso.com and
auto-registration is not enabled in VNET1 for the Contoso.com DNS zone.
upvoted 2 times

  CyberKelev 11 months, 3 weeks ago


Answer is : Private Ip address only and none
upvoted 3 times

  DeBoer 1 year ago


Checked in lab; the DNS records in the private zone are created using the "Virtual network links" to the VNet. The DNS name in the VM
itself has no impact on this. So yes, Both "Private" is correct.
upvoted 6 times

  Max_on_neptune 1 year, 2 months ago


Exam Question on 01DEC2022
upvoted 6 times

  arifi 1 year, 1 month ago


did u pass?
upvoted 1 times

  EmnCours 1 year, 5 months ago


Answer is correct. Private/Private
upvoted 1 times

  vsharma041990 1 year, 6 months ago


The virtual machines are registered (added) to the private zone as A records pointing to their private IP addresses.

Since both VM1 & VM2 are in the same Vnet1 and the Vnet1 is linked under adatum.com domain (Private DNS Zone->Setting->virtual network
links).
upvoted 2 times

  Lazylinux 1 year, 7 months ago


Yep given answer is correct Private/Private
VNET and Private DNS:

You can only link VNETs to private DNS zones only and accordingly auto register a VNET only to a private DNS zone. Private DNS zones
can be linked with VNETs (not public ones). And a VM can auto-register to any private DNS zone linked with the Vnet and with the
auto-registration option set.
upvoted 4 times

  benvdw 1 year, 11 months ago


on exam 13/3/2022
upvoted 3 times

  atilla 1 year, 11 months ago


both private because of same vnet1, you add vnet in private dns zone...
upvoted 1 times

  khengoolman 2 years, 4 months ago


Passed 11 Oct 2021 with 947. This question appeared, correct Answer is private, private.
upvoted 9 times

  AubinBakana 2 years, 5 months ago


The question is confusing because VM2 has a different DNS connection suffix. But because they are both part of the VNet1, they'd both be
exposed to the internal DNS zone at 168.63.129.16.

-Private IP for VM1


-Private IP for VM2
upvoted 4 times

  ZUMY 2 years, 11 months ago


01.Private IP Address only
02.Private IP Address only
Since both VM1 & VM2 are in the same Vnet1 and the Vnet1 is linked under adatum.com domain (Private DNS Zone->Setting->virtual network
links)
upvoted 7 times

  PektoTheGreat 2 years, 11 months ago


The keyword is "auto-registration from VNET1".

VM1 and VM2 belongs to the same VNET. So upon VM1 and VM2 creation they will be auto registered on adatum Private DNS Zone having
A Record as their Private IPs. Cheeers yo!
upvoted 8 times

  toniiv 2 years, 11 months ago


Correct, both private addresses since auto registration from VNET1 has been enabled on the Azure Private DNS zone.
upvoted 3 times
Question #6 Topic 5

HOTSPOT -

You have an Azure virtual network named VNet1 that connects to your on-premises network by using a site-to-site VPN. VNet1 contains one subnet named Subnet1.

Subnet1 is associated to a network security group (NSG) named NSG1. Subnet1 contains a basic internal load balancer named ILB1. ILB1 has three Azure virtual machines in the backend pool.

You need to collect data about the IP addresses that connect to ILB1. You must be able to run interactive queries from the Azure portal against the collected data.

What should you do? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

Box 1: An Azure Log Analytics workspace

In the Azure portal you can set up a Log Analytics workspace, which is a unique Log Analytics environment with its own data repository, data sources, and solutions

Box 2: ILB1

Reference:

https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-quick-create-workspace

https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-standard-diagnostics

  mlantonis Highly Voted  2 years, 9 months ago

Correct Answer:

Box 1: An Azure Log Analytics workspace


In the Azure portal you can set up a Log Analytics workspace, which is a unique Log Analytics environment with its own data repository,
data sources, and solutions.

Box 2: NSG1
NSG flow logs allow viewing information about ingress and egress IP traffic through a Network security group. Through this, the IP
addresses that connect to the ILB can be monitored when the diagnostics are enabled on a Network Security Group.

We cannot enable diagnostics on an internal load balancer to check for the IP addresses.
As for Internal LB, it is basic one. Basic can only connect to storage account. Also, Basic LB has only activity logs, which doesn't include the
connectivity workflow. So, we need to use NSG to meet the mentioned requirements.
upvoted 218 times

  Indy429 1 month, 3 weeks ago


I was about to say "why is the second one not NSG1?" Glad you confirmed NSG1 is the right answer for Q2.
upvoted 1 times

  awssecuritynewbie 1 year, 4 months ago


Very good catch! Because yes, you are right after looking at the link: https://learn.microsoft.com/en-gb/azure/load-balancer/skus#skus
you cannot do diagnostics for the load balancer you know, which is crazy, I would have picked that over the NSG.
Box 2: NSG1
upvoted 6 times

  elrizos 10 months, 1 week ago


you r my hero
upvoted 2 times

  mlantonis 2 years, 9 months ago


Reference:
https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-quick-create-workspace
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-standard-diagnostics
upvoted 23 times

  fedztedz Highly Voted  3 years, 1 month ago

Answer is not correct. The correct answer is


- Create a Log Analytics Workspace
- NSG
As for Internal LB, it is basic one. Basic can only connect to storage account. Also Basic LB has only activity logs which doesn't include the
connectivity workflow. So, we need to use NSG to meet the mentioned requirements.
upvoted 95 times

  Alvaroll 3 years, 1 month ago


I think the answer given is correct.
- Azure Log Analytics workspace
- ILB1 (Standard Load Balance)
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-monitor-log
upvoted 4 times

  Alvaroll 3 years, 1 month ago


sorry, it's basic LB
upvoted 6 times

  YooOY 2 years, 4 months ago


Basic LB no diagnostics
https://docs.microsoft.com/en-us/azure/load-balancer/skus
upvoted 3 times

  s9p3r7 2 years, 7 months ago


but you can't enable NSG flow logs with Log Analytics Workspace, you need a storage account.
answer: storage acc and nsg
ref: https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-portal#enable-nsg-flow-log
upvoted 4 times

  s9p3r7 2 years, 7 months ago


Ignore my previous comment as Traffic Analytics can be integrated with Log Analytics Workspace.
upvoted 6 times

  Josete1106 Most Recent  6 months, 4 weeks ago

B&B is correct!
upvoted 1 times

  stonwall12 8 months ago


1. Azure Log Analytics
2. NSG1

Note: Internal Balancer is only BASIC


upvoted 1 times

  shadad 11 months, 2 weeks ago


I took the Azure-104 exam on 27/2/2023
I scored 920 points out of 1000 points. This was on it and my answer was:

Box1: An Azure Log Analytics workspace

Box2: NSG1
upvoted 6 times
  vbohr899 11 months, 3 weeks ago
Cleared Exam today 26 Feb, This question was there in exam.
upvoted 4 times

  CyberKelev 11 months, 3 weeks ago


To collect data about the IP addresses that connect to ILB1 and run interactive queries from the Azure portal against the collected data,
you should create an Azure Log Analytics workspace.
You should enable diagnostic settings on ILB1. This will allow you to collect data about the IP addresses that connect to ILB1 and run
interactive queries from the Azure portal against the collected data.
upvoted 1 times

  Ashfaque_9x 1 year ago


Passed today on 29Jan23 with a score of 970. This question was in the exam.
Correct Answer:
Box 1: An Azure Log Analytics workspace
Box 2: NSG1
upvoted 5 times

  djgodzilla 1 year, 1 month ago


I think it's good to pause and watch a video describing the available monitoring service for standard Load balancer (classic metrics view vs
load balancer insights). It'll allow you to understand instead of just picking an answer .
guess basic has no monitoring feature satisfying the question's requirement.
https://www.youtube.com/watch?v=qfzOTNKYTgU&ab_channel=MicrosoftAzure
upvoted 2 times

  Liriano 1 year, 3 months ago


In exam today, go with highly voted
upvoted 3 times

  EmnCours 1 year, 5 months ago


An azure log analytics workspace
NSG1
upvoted 1 times

  Lazylinux 1 year, 7 months ago


given answer not correct
Box 1: An Azure Log Analytics workspace
use Log Analytics workspace, which sets Log Analytics environment with its own data repository, data sources, and solutions.

Box 2: NSG1
NSG flow logs, which provide you information about ingress and egress IP traffic through a Network Security Group associated to
individual network interfaces, VMs, or subnets. By analyzing raw NSG flow logs, and inserting intelligence of security, topology, and
geography, traffic analytics can provide you with insights into traffic flow in your environment. Traffic Analytics provides information such
as most communicating hosts, most communicating application protocols, most conversing host pairs, allowed/blocked traffic,
inbound/outbound traffic, open internet ports, most blocking rules, traffic distribution per Azure datacenter, virtual network, subnets, or,
rogue networks.
upvoted 3 times
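What the NSG1 flow records hold, and how they yield the client IP addresses behind ILB1, as an added example that is not part of the original discussion. The record is constructed in the version 2 flow log layout; the backend addresses 10.0.1.4 and 10.0.1.5 and port 443 are assumptions. A load balancer without Floating IP delivers packets with the backend VM's own address as destination, so the filter matches the backend addresses rather than the ILB1 frontend.

```python
import json
from collections import Counter

# Azure Load Balancer health probes always come from this address.
AZURE_PROBE_IP = "168.63.129.16"

# Field order of a version 2 flow tuple.
FIELDS = ("ts", "src", "dst", "sport", "dport", "proto", "direction",
          "decision", "state", "pkts_s2d", "bytes_s2d", "pkts_d2s", "bytes_d2s")

# Constructed sample record (not taken from a real subscription).
SAMPLE_LOG = json.dumps({"records": [{
    "time": "2023-02-27T10:00:00.000Z",
    "category": "NetworkSecurityGroupFlowEvent",
    "operationName": "NetworkSecurityGroupFlowEvents",
    "properties": {"Version": 2, "flows": [
        {"rule": "DefaultRule_AllowVnetInBound", "flows": [{
            "mac": "000D3AF87856",
            "flowTuples": [
                "1677492000,10.0.2.10,10.0.1.4,50001,443,T,I,A,B,,,,",
                "1677492005,10.0.2.10,10.0.1.4,50001,443,T,I,A,C,12,3400,10,5200",
                "1677492010,10.0.2.11,10.0.1.5,50002,443,T,I,A,B,,,,",
                "1677492012,168.63.129.16,10.0.1.4,60000,443,T,I,A,B,,,,",
                "1677492015,10.0.2.10,10.0.1.5,50003,443,T,I,A,B,,,,",
            ]}]},
        {"rule": "DefaultRule_DenyAllInBound", "flows": [{
            "mac": "000D3AF87856",
            "flowTuples": ["1677492020,10.0.3.7,10.0.1.4,50004,3389,T,I,D,B,,,,"]}]},
        {"rule": "DefaultRule_AllowVnetOutBound", "flows": [{
            "mac": "000D3AF87856",
            "flowTuples": ["1677492025,10.0.1.4,10.0.2.50,443,51000,T,O,A,B,,,,"]}]},
    ]},
}]})


def iter_tuples(log_json):
    """Yield (rule name, parsed tuple) for every version 2 flow tuple."""
    for record in json.loads(log_json)["records"]:
        for rule in record["properties"]["flows"]:
            for nic in rule["flows"]:
                for raw in nic["flowTuples"]:
                    parts = raw.split(",")
                    if len(parts) != len(FIELDS):
                        continue  # version 1 or malformed tuple
                    yield rule["rule"], dict(zip(FIELDS, parts))


def clients_of_backend(log_json, backend_ips, port):
    """Count new allowed inbound flows per client IP to the backend pool."""
    counts = Counter()
    for _rule, t in iter_tuples(log_json):
        if (t["direction"] == "I" and t["decision"] == "A"
                and t["state"] == "B"            # count each flow once, at its start
                and t["dst"] in backend_ips
                and t["dport"] == str(port)
                and t["src"] != AZURE_PROBE_IP):  # probes are not clients
            counts[t["src"]] += 1
    return counts


if __name__ == "__main__":
    for ip, n in clients_of_backend(SAMPLE_LOG, {"10.0.1.4", "10.0.1.5"}, 443).most_common():
        print(ip, n)
```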

  Akman 2 years, 3 months ago


I'm tired of entering captcha in every page turn
upvoted 5 times

  verifedtomic 2 years, 3 months ago


Just sign-up for free account. Then you'll have to enter captcha every three or so pages.
upvoted 3 times

  nzmike 2 years, 3 months ago


that's why they have the subscription...
upvoted 8 times

  khengoolman 2 years, 4 months ago


Passed 11 Oct 2021 with 947. This question appeared, correct Answer is LAW, NSG
upvoted 11 times

  [Removed] 2 years, 4 months ago


The question states that you must be able to run interactive queries from
the Azure portal against the collected data.
The Azure portal exposes the load balancer metrics via the Metrics page, which is available on both the load balancer resource page for a
particular resource and the Azure Monitor page.

To view the metrics for your Standard Load Balancer resources:


Go to the Metrics page and do either of the following:
On the load balancer resource page, select the metric type in the drop-down list.
On the Azure Monitor page, select the load balancer resource.
Hence my guess is
Log Analytics
ILB1
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-standard-diagnostics
upvoted 1 times

  Mukesh_Aggarwal_07 2 years, 4 months ago


- Create a Log Analytics Workspace
- NSG
upvoted 1 times

  AubinBakana 2 years, 5 months ago


Correct. Thank you
upvoted 1 times
Question #7 Topic 5

You have the Azure virtual networks shown in the following table.

To which virtual networks can you establish a peering connection from VNet1?

A. VNet2 and VNet3 only

B. VNet2 only

C. VNet3 and VNet4 only

D. VNet2, VNet3, and VNet4

Correct Answer: C

Address spaces must not overlap to enable VNet Peering.

Incorrect Answers:

A, B, D: The address space for VNet2 overlaps with VNet1. We therefore cannot establish a peering between VNet2 and VNet1.

Reference:

https://docs.microsoft.com/en-us/azure/virtual-network/tutorial-connect-virtual-networks-portal

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-faq#vnet-peering

Community vote distribution


C (100%)

  mlantonis Highly Voted  2 years, 9 months ago

Correct Answer: C

VNet1 10.11.0.0/16 = 10.11.0.1 - 10.11.255.255 (overlap VNet2)


VNet2 10.11.0.0/17 = 10.11.0.1 - 10.11.127.254 (overlap VNet1)
VNet3 10.10.0.0/22 = 10.10.0.1 - 10.10.3.254 (no overlap)
VNet4 192.168.16.0/22 = 192.168.16.1 - 192.168.19.254 (no overlap)

Possible peerings are:


VNet1 -> Vnet3
VNet1 -> Vnet4

If a virtual network has address ranges that overlap with another virtual network or on-premises network, the two networks can't be
connected.
upvoted 105 times
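The overlap check worked through above, as an added example that is not part of the original answer: it takes the four address spaces quoted there and reports which VNets can be peered from a given source and which CIDR block blocks the rest. It generalises slightly to VNets with several address spaces; the function names are illustrative.

```python
import ipaddress

# Address spaces as quoted in the answer above. A VNet can hold several
# address spaces, so each entry is a list of CIDR prefixes.
VNETS = {
    "VNet1": ["10.11.0.0/16"],
    "VNet2": ["10.11.0.0/17"],
    "VNet3": ["10.10.0.0/22"],
    "VNet4": ["192.168.16.0/22"],
}


def shared_ranges(a_prefixes, b_prefixes):
    """Return every CIDR block that two sets of address spaces have in common."""
    shared = []
    for a in map(ipaddress.ip_network, a_prefixes):
        for b in map(ipaddress.ip_network, b_prefixes):
            if a.version == b.version and a.overlaps(b):
                # Two CIDR blocks are either disjoint or nested, so the
                # overlap is always the more specific (longer) prefix.
                shared.append(a if a.prefixlen >= b.prefixlen else b)
    return shared


def peering_report(source, vnets):
    """Split the other VNets into peerable ones and ones blocked by overlap."""
    peerable, blocked = [], {}
    for name, prefixes in vnets.items():
        if name == source:
            continue
        hits = shared_ranges(vnets[source], prefixes)
        if hits:
            # n[0] and n[-1] are the first and last address of the block.
            blocked[name] = [f"{n} ({n[0]} - {n[-1]})" for n in hits]
        else:
            peerable.append(name)
    return peerable, blocked


if __name__ == "__main__":
    ok, blocked = peering_report("VNet1", VNETS)
    print("Peerable from VNet1:", ", ".join(ok))
    for name, ranges in blocked.items():
        print(f"Blocked: {name}, shared range {', '.join(ranges)}")
```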

  bogdan89 Highly Voted  3 years, 2 months ago

Tested, in this context answer is correct. Vnet 2 and Vnet 1 can not be peered and also Vnet 2 and vnet3 or vnet 4 can not be peered.

But tested more and discovered that Vnet1 can make a peering with Vnet 3 and Vnet4. Pay attention if there will be a modification in the
answer. The strange way of Microshit questions.
upvoted 33 times

  Kopy 2 years, 6 months ago


"also Vnet 2 and vnet3 or vnet 4 can not be peered." WHY?
upvoted 1 times

  Kopy 2 years, 6 months ago


ignore
upvoted 2 times

  danrodcard Most Recent  6 months ago

there is no overlap between VNet2, VNet3


upvoted 1 times

  stonwall12 8 months ago


C: Vnet 3 and 4
Vnet 1 and 2 overlap
upvoted 1 times

  Notteb 1 year ago


Selected Answer: C

Correct Answer:C
upvoted 1 times

  swetha_2022 1 year, 2 months ago


Selected Answer: C

Correct Answer:C
upvoted 1 times

  EmnCours 1 year, 5 months ago


Selected Answer: C

Correct Answer: C
upvoted 1 times

  NotMeAnyWay 1 year, 7 months ago

Selected Answer: C

Virtual Peering Requirements:


• Virtual Peering comes in two forms: Virtual Peering for within a Region and Global Virtual Peering for across regions. The question does
not limit the peering to one region. So peering permitted to VNET3 and VNET4
• Virtual Peering cannot have overlapping address spaces so no peering can be had with VNET2 until there is an address space change
(requires recreation of the VNET).

Therefore only logical answer is C: VNET3 & VNET4:

Read Here:
(https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview)
upvoted 4 times

  Lazylinux 1 year, 7 months ago


Selected Answer: C

Given answer is correct... Peering should NOT have overlapping Address Space/subnets
upvoted 3 times

  pappkarcsiii 2 years ago


Selected Answer: C

Possible peerings are:


VNet1 -> Vnet3
VNet1 -> Vnet4
upvoted 3 times

  _punky_ 2 years, 1 month ago


FYI: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-manage-peering#requirements-and-constraints
upvoted 1 times

  hanyahmed 2 years, 1 month ago


VNet1 -> Vnet3
VNet1 -> Vnet4
upvoted 1 times

  [Removed] 2 years, 2 months ago


Was on exam dated 15/11/2021
upvoted 3 times

  DevOpposite 2 years, 4 months ago


how do you work this out without pen and paper?
upvoted 3 times

  AubinBakana 2 years, 5 months ago


Correct. Thank you
upvoted 1 times

  Kopy 2 years, 6 months ago


why not 2,3, and 4, the last option?
upvoted 3 times

  pakman 2 years, 4 months ago


VNET 1 and VNET2 have an IP address overlap.
upvoted 1 times

  ScreamingHand 2 years, 8 months ago


Given that VNET1's subnet is the same space as VNET2's address space, it was an obvious overlap, - and answer C was the only one which
didn't feature VNET2, the answer popped out pretty quickly
upvoted 2 times
Question #8 Topic 5

You have an Azure subscription that contains a virtual network named VNet1. VNet1 contains four subnets named Gateway, Perimeter, NVA, and

Production.

The NVA subnet contains two network virtual appliances (NVAs) that will perform network traffic inspection between the Perimeter subnet and the

Production subnet.

You need to implement an Azure load balancer for the NVAs. The solution must meet the following requirements:

✑ The NVAs must run in an active-active configuration that uses automatic failover.
✑ The load balancer must load balance traffic to two services on the Production subnet. The services have different IP addresses.
Which three actions should you perform? Each correct answer presents part of the solution.

NOTE: Each correct selection is worth one point.

A. Deploy a basic load balancer

B. Deploy a standard load balancer

C. Add two load balancing rules that have HA Ports and Floating IP enabled

D. Add two load balancing rules that have HA Ports enabled and Floating IP disabled

E. Add a frontend IP configuration, a backend pool, and a health probe

F. Add a frontend IP configuration, two backend pools, and a health probe

Correct Answer: BCF

A standard load balancer is required for the HA ports.

Two backend pools are needed as there are two services with different IP addresses.

Floating IP rule is used where backend ports are reused.

Incorrect Answers:

E: HA Ports are not available for the basic load balancer.

Reference:

https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-standard-overview

https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-multivip-overview

Community vote distribution


BDE (41%) BCF (40%) Other

  xagiter622 Highly Voted  3 years, 3 months ago

The given answer is correct:


B - HA ports are not supported by a basic load balancer
C - You need a floating ip for the active-active configuration to switch over quickly
F - You need 2 backend pools for the 2 different services
upvoted 131 times

  flurgen248 1 year, 4 months ago


It shouldn't be C, since HA ports are also active-active. Also we don't need to reuse a backend port, so floating IP isn't needed.

If you want to reuse the backend port across multiple rules, you must enable Floating IP in the rule definition.
https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-floating-ip#floating-ip
HA ports are recommended for NVAs.
https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-ha-ports-overview#why-use-ha-ports

Not sure about the other answers though.


upvoted 3 times

  jsexamprep 2 years, 5 months ago


Correct, this link clears up the HA ports and floating IP being enabled: https://docs.microsoft.com/en-us/azure/load-balancer/load-
balancer-ha-ports-overview

For Floating IP…This configuration does not allow any other load-balancing rule configuration on the current load balancer resource. It
also allows no other internal load balancer resource configuration for the given set of back-end instances.
upvoted 3 times

  djgodzilla 1 year, 1 month ago


you're maybe right BCF:
Rule type #2: backend port reuse by using Floating IP
Azure Load Balancer provides the flexibility to reuse the frontend port across multiple frontends configurations. Additionally, some
application scenarios prefer or require the same port to be used by multiple application instances on a single VM in the backend pool.
Common examples of port reuse include
"clustering for high availability, --Network virtual appliances, and exposing multiple TLS endpoints without re-encryption.
upvoted 1 times

  tsss 3 years, 3 months ago


F: 1 service are the NVAs. the other service is for backend servers
upvoted 5 times

  JayBee65 2 years, 8 months ago


Why do you say that? It just states 2 services, e.g. web and email
upvoted 3 times

  ValB 4 months, 2 weeks ago


Yes 2 services on the backend, BUT the NVAs need to be load balanced too. So one for backend services and one for NVAs.
upvoted 1 times

  fedztedz Highly Voted  3 years, 1 month ago

The Answer is not correct. It should be BDE. Why?


- Basically we just want to load balance the NVM, that's all. So, we will need HA ports for HA and failover. But since we don't want to
balance the services themselves , so we go with disabled IP floating and one backend service for NVM. check
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-ha-ports-overview#a-single-non-floating-ip-non-direct-server-return-
ha-ports-configuration-on-an-internal-standard-load-balancer
However, if we need to also Load Balance the production two services using the same LB, then we would need Floating IP and also
another backend pool for those 2 services. then the answer would be BCF.
But the question here, can LB send balance traffic to those production services. I think it can by using the health probe and some
monitoring to balance the requests sent to IPs.
upvoted 58 times

  jimmyli 3 years ago


I think it should be BCF.
The original link that examtopics provided in its answer area has made it clear floating IP is needed: https://docs.microsoft.com/en-
us/azure/load-balancer/load-balancer-multivip-overview, under Rule type #2: backend port reuse by using Floating IP section.
upvoted 4 times

  Lkk51 2 years, 8 months ago


If you want to reuse the backend port across multiple rules, you must enable Floating IP in the rule definition.

https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-multivip-overview#rule-type-2-backend-port-reuse-by-using-
floating-ip
upvoted 1 times

  cloudbaron 9 months ago


True about Floating IP and backend port reusability.
However, in this scenario, we do not need to reuse the backend port across multiple rules. We only need to create one rule that
points to the backend pool containing the NVAs. So there is no need to enable Floating IP
upvoted 1 times

  HaoHu 3 years ago


Just think about that LB traffic will ‘passthrough’ two NVA……
upvoted 1 times

  PeterTest 3 years, 1 month ago


The question is clear about that LBs need to be able to failover, so we need to make sure 2 services can still working while only 1 LB is
available which means in the same LB, so BCF?
upvoted 5 times

  Meera_S Most Recent  3 days, 12 hours ago

Answer is correct
upvoted 1 times

  SkyZeroZx 1 month ago

Selected Answer: BCF

Common examples of port reuse include clustering for high availability, network virtual appliances, and exposing multiple TLS endpoints
without re-encryption.
https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-floating-ip
upvoted 1 times

  SkyZeroZx 1 month ago

Selected Answer: BCF

https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-ha-ports-overview
Multiple HA-ports configurations on an internal standard load balancer
To configure more than one HA port frontend for the same backend pool, use the following steps:
1- Configure more than one front-end private IP address for a single internal standard load balancer resource.
2- Configure multiple load-balancing rules, where each rule has a single unique front-end IP address selected.
3- Select the HA ports option, and then set Floating IP to Enabled for all the load-balancing rules.
upvoted 1 times
  Ram9198 2 months, 2 weeks ago

Selected Answer: BCF

Common examples of port reuse include clustering for high availability, network virtual appliances, and exposing multiple TLS endpoints
without re-encryption.
upvoted 2 times

  Ram9198 2 months, 2 weeks ago


https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-floating-ip
upvoted 1 times

  Vestibal 4 months, 1 week ago


Selected Answer: BCF

https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-ha-ports-overview
Multiple HA-ports configurations on an internal standard load balancer
To configure more than one HA port frontend for the same backend pool, use the following steps:
1- Configure more than one front-end private IP address for a single internal standard load balancer resource.
2- Configure multiple load-balancing rules, where each rule has a single unique front-end IP address selected.
3- Select the HA ports option, and then set Floating IP to Enabled for all the load-balancing rules.
upvoted 1 times

  entee28 5 months, 1 week ago

Selected Answer: BCF

B: Only Standard LB supports HA port


C: Floating IP is required for active-active configuration
F: We have 2 services in the Prod subnet, which means 2 backend pools
upvoted 2 times

  keyboardmastermind 6 months ago


B. Deploy a standard load balancer: Standard Load Balancer is required for an active-active configuration and automatic failover.

D. Add two load balancing rules that have HA Ports enabled and Floating IP disabled: High Availability (HA) Ports are used to enable an
active-active configuration with automatic failover. Floating IP should be disabled for this scenario.

F. Add a frontend IP configuration, two backend pools, and a health probe: For the active-active configuration, you need to configure two
backend pools (one for each NVA), a frontend IP configuration, and a health probe to ensure proper load balancing and failover.

So, the correct actions are B, D, and F.


upvoted 2 times

  Teroristo 6 months, 2 weeks ago


B: Deploy a standard load balancer
HA ports are not supported by a basic load balancer

C: Add two load balancing rules that have HA Ports and Floating IP enabled
You need a floating ip for the active-active configuration to switch over quickly

F: Add a frontend IP configuration, two backend pools, and a health probe


You need 2 backend pools for the 2 different services

A standard load balancer is required for the HA ports.


Two backend pools are needed as there are two services with different IP addresses.
Floating IP rule is used where backend ports are reused.

Incorrect Answers:
E: HA Ports are not available for the basic load balancer.

Reference:
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-standard-overview
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-multivip-overview
upvoted 1 times

  Josete1106 6 months, 4 weeks ago


BCF is correct!
upvoted 1 times

  Sri944 7 months, 1 week ago


I believe B,C,F options are right.
To implement an Azure load balancer for the NVAs that meets the requirements mentioned in the question,

Create a Standard Load Balancer.


Create two backend pools for the two services on the Production subnet.
Create a load balancing rule for each backend pool.
Enable Floating IP for each load balancing rule.
Azure Load Balancer does not have an understanding of Active/Passive or Active/Active. From a Load Balancing point of view, it is simply a
back end pool member answering the probe or not. It will be based on your configuration to make sure that you have an Active/Passive
setup and that the Passive node does not respond to the probe and only the active one does
upvoted 1 times
  Tomix 7 months, 2 weeks ago
B. Deploy a standard load balancer.
E. Add a frontend IP configuration, a backend pool, and a health probe.
D. Add two load balancing rules that have HA Ports enabled and Floating IP disabled.
upvoted 1 times

  SIAMIANJI 9 months, 1 week ago

Selected Answer: BDE

ChatGPT: BDE
To implement an Azure load balancer for the NVAs that meet the requirements specified, you should perform the following three actions:

Deploy a standard load balancer:


You need a standard load balancer to support active-active configuration and automatic failover.

Add a frontend IP configuration, a backend pool, and a health probe:


You need to add a frontend IP configuration that includes a public IP address, a backend pool that includes the two NVAs in the NVA
subnet, and a health probe to monitor the health of the services on the Production subnet.

Add two load balancing rules that have HA Ports enabled and Floating IP disabled:
You need to add two load balancing rules that map the frontend IP address to the backend pool and health probe. Each rule should have
HA Ports enabled and Floating IP disabled to load balance traffic to the two services on the Production subnet that have different IP
addresses.
upvoted 2 times

  Mzrzr 7 months, 2 weeks ago


try asking chatGPT Are you sure? it changes its option each time you ask Are you sure
upvoted 7 times

  Exilic 9 months, 3 weeks ago


Interesting answer from openAI

"To implement an Azure load balancer for the NVAs that meet the requirements, you should perform the following three actions:

A. Deploy a basic load balancer. Basic load balancer is sufficient for this scenario, as it supports automatic failover for active-active
scenarios.

C. Add two load balancing rules that have HA Ports and Floating IP enabled. HA ports are required for active-active failover, and Floating IP
is required to maintain the same IP address during failover.

E. Add a frontend IP configuration, a backend pool, and a health probe. The frontend IP configuration is used to receive incoming traffic,
the backend pool is used to route traffic to the services in the Production subnet, and the health probe is used to monitor the health of the
NVAs and remove them from the load balancer if they are not responding.

Therefore, the correct options are A, C, and E. Option B is not necessary as a basic load balancer meets the requirements. Option D is
incorrect as Floating IP is required for maintaining the same IP address during failover. Option F is incorrect as only one backend pool is
required to route traffic to the services in the Production subnet."
upvoted 1 times

  Madbo 10 months ago


The correct answers are BDE.

B. Deploy a standard load balancer: As per the requirements mentioned in the question, we need to implement an Azure load balancer for
the NVAs. A standard load balancer provides the option to use HA Ports and Floating IP, which is required to meet the active-active
configuration and automatic failover requirements.

D. Add two load balancing rules that have HA Ports enabled and Floating IP disabled: Since the two services on the Production subnet
have different IP addresses, we do not need to balance traffic to them. We only need to load balance traffic to the NVAs. Therefore, we
only need to create a load balancing rule for the NVAs, with HA Ports enabled for active-active configuration and Floating IP disabled.

E. Add a frontend IP configuration, a backend pool, and a health probe: This is required to set up the Azure load balancer. The frontend IP
configuration specifies the IP address that clients will use to access the load balancer. The backend pool contains the network interfaces of
the two NVAs. The health probe monitors the health of the NVAs and ensures that traffic is only sent to healthy NVAs.
upvoted 2 times

  levan1988 10 months, 1 week ago


chat GPT say " To implement an Azure load balancer for the NVAs that meets the requirements, you should perform the following three
actions:

A. Deploy a basic load balancer: Basic load balancers support active-active configurations, which are required in this scenario.

E. Add a frontend IP configuration, a backend pool, and a health probe: This step is required to configure the load balancer with the IP
address for the frontend, the backend pool with the IP addresses of the services to load balance, and the health probe to monitor the
availability of the services.

C. Add two load balancing rules that have HA Ports and Floating IP enabled: The load balancing rules are required to specify how the
traffic is distributed among the services in the backend pool. In this scenario, the rules should have HA Ports enabled for high availability
and Floating IP enabled for faster failover.

Therefore, the correct actions are A, E, and C. Options B, D, and F are not required or do not meet the requirements of the scenario. "
upvoted 1 times

  binhdortmund 1 month, 1 week ago


LOL when i ask ChatGPT: To meet the requirements of an active-active configuration with automatic failover for the NVAs, and load
balancing traffic to two services on the Production subnet with different IP addresses, you should perform the following actions:

Deploy a standard load balancer (B):

Standard Load Balancer is required for features like HA Ports and Floating IP.
Add a frontend IP configuration, a backend pool, and a health probe (E):

This is a basic configuration for the load balancer.


Add two load balancing rules that have HA Ports and Floating IP enabled (C):

HA Ports and Floating IP enable an active-active configuration with automatic failover.


Therefore, the correct actions are:

B. Deploy a standard load balancer


E. Add a frontend IP configuration, a backend pool, and a health probe
C. Add two load balancing rules that have HA Ports and Floating IP enabled
upvoted 1 times

  clg003 4 months ago


chatGPT would fail this exam...

Basic load balancers do not offer HA ports.


upvoted 2 times
Question #9 Topic 5

You have an Azure subscription named Subscription1 that contains two Azure virtual networks named VNet1 and VNet2. VNet1 contains a VPN

gateway named

VPNGW1 that uses static routing. There is a site-to-site VPN connection between your on-premises network and VNet1.

On a computer named Client1 that runs Windows 10, you configure a point-to-site VPN connection to VNet1.

You configure virtual network peering between VNet1 and VNet2. You verify that you can connect to VNet2 from the on-premises network. Client1

is unable to connect to VNet2.

You need to ensure that you can connect Client1 to VNet2.

What should you do?

A. Download and re-install the VPN client configuration package on Client1.

B. Select Allow gateway transit on VNet1.

C. Select Allow gateway transit on VNet2.

D. Enable BGP on VPNGW1

Correct Answer: A

Reference:

https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-point-to-site-routing

Community vote distribution


A (89%) 11%

  Coldriver Highly Voted  3 years, 5 months ago

"If you make a change to the topology of your network and have Windows VPN clients, the VPN client package for Windows clients must
be downloaded and installed again"

I would go with `A` is the correct option as the S2S config has been changed AFTER the P2S client installation was performed. Installation
of the client software package needs installing again post S2S config changes.
upvoted 97 times

  Sacs 3 years, 4 months ago


I agree, This is the exact verbiage from Microsoft: If you make a change to the topology of your network and have Windows VPN
clients, the VPN client package for Windows clients must be downloaded and installed again in order for the changes to be applied to
the client.
upvoted 8 times

  Bl4ck 3 years, 5 months ago


I think this is correct: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-point-to-site-routing#multipeered
upvoted 6 times

  bleepbl0p 3 years, 2 months ago


100% correct. https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-point-to-site-routing
upvoted 7 times

  mlantonis Highly Voted  2 years, 9 months ago

Correct Answer: A

If you make a change to the topology of your network and have Windows VPN clients, the VPN client package for Windows clients must be
downloaded and installed again.

Reference:

https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-point-to-site-routing
upvoted 52 times

  hotspot02103 Most Recent  1 month, 2 weeks ago


That's the shittiest exam, total nonsense to memorise specifics and parameters which are changing year by year. You can easily google or
consult official docs ad-hoc when you need it. The important is to know the base and how stuff works.
Also MS is teaching you to draw diagrams as best practise, then you come to this question and try 5 mins to visualise the diagram in your
mind because they don't include it, but just explain with words... Instead of 5 sentences one diagram will be 5 times more efficient and
unambiguous
upvoted 1 times

  Bur_Han 10 months, 4 weeks ago


A. Download and re-install the VPN client configuration package on Client1.
B. Select Allow gateway transit on VNet1.
C. Select Allow gateway transit on VNet2.
D. Enable BGP on VPNGW1
upvoted 2 times

  Bur_Han 10 months, 4 weeks ago


B. Select Allow gateway transit on VNet1.

Explanation:

The issue here is that Client1 is not able to connect to VNet2. This is because VNet2 is not connected to the VPN gateway and doesn't
have a gateway of its own. To enable traffic from Client1 to VNet2, we need to enable gateway transit on VNet1.

Gateway transit allows a virtual network to use the VPN gateway in another virtual network to access resources in that network. In this
case, enabling gateway transit on VNet1 will allow Client1 to access resources in VNet2 using the VPN gateway in VNet1.

Enabling gateway transit on VNet2 (option C) is not needed in this scenario because VNet2 doesn't have a VPN gateway. Enabling BGP
on VPNGW1 (option D) is not required because the scenario mentions that static routing is being used.

Downloading and re-installing the VPN client configuration package (option A) is not required as the point-to-site VPN connection from
Client1 to VNet1 is already established and working. The issue is with accessing resources in VNet2, which can be resolved by enabling
gateway transit on VNet1.
upvoted 1 times

  Elecktrus 7 months ago


Not, because the question says: You verify that you can connect to VNet2 from the on-premises network. So, if you have verified the
connection, you don't need to allow gateway transit
upvoted 1 times

  vbohr899 11 months, 3 weeks ago


Cleared Exam today 26 Feb, This question was there in exam.
upvoted 4 times

  CyberKelev 11 months, 3 weeks ago

Selected Answer: C

The issue is that the point-to-site VPN connection from Client1 is not able to connect to VNet2. This is because virtual network peering in
Azure does not propagate gateway transit. Therefore, the VPN gateway (VPNGW1) in VNet1 cannot be used to reach VNet2. To allow
Client1 to connect to VNet2, we need to enable gateway transit on VNet2 so that the traffic from VNet1 can flow through VNet2 to reach
Client1.

Therefore, the correct answer is:


C. Select Allow gateway transit on VNet2.
upvoted 1 times

  EmnCours 1 year, 5 months ago

Selected Answer: A

Correct Answer: A
upvoted 2 times

  Lazylinux 1 year, 7 months ago

Selected Answer: A

A is correct
If you make a change to the topology of your network and have Windows VPN clients, the VPN client package for Windows clients must be
downloaded and installed again and also ensure you use the same certificate and if other scenario i.e. new workstation Pt - Site vpn then
download and install client and export certificate from other workstation that is already got working connection and import into new
workstation
upvoted 4 times

  dasEnder 1 year, 9 months ago


Selected Answer: A

Correct
upvoted 2 times

  Dobby25 1 year, 11 months ago


Received this on my exam today 19/03/2022
upvoted 3 times

  AubinBakana 2 years, 5 months ago


Answer is correct. The VPN client on the PC is no longer valid because the network topology has changed
upvoted 3 times

  Adebowale 2 years, 6 months ago


100% correct
upvoted 2 times
  McRowdy 2 years, 8 months ago
"A" is the correct answer. The trick here is "You verify that you can connect to VNet2 from the on-premises network. Client1 is unable to
connect to VNet2.". - This tells us the network is actually connected fine, it is just the client (in this scenario the Win10 PC) that cannot
connect to VNet2.
upvoted 3 times

  sargis1177 2 years, 10 months ago


Actually in this case both A and B are correct answers
upvoted 3 times

  JayBee65 2 years, 8 months ago


No B is not correct. "You verify that you can connect to VNet2 from the on-premises network" suggests gateway transit is already
configured correctly, so B is not required.
upvoted 6 times

  NeerajY 2 years, 11 months ago


Without allowing gateway transit, can client1 connect to vnet2 even after re-installing package?
upvoted 2 times

  JayBee65 2 years, 8 months ago


"You verify that you can connect to VNet2 from the on-premises network" suggests it is already configured
upvoted 2 times

  ZUMY 2 years, 11 months ago


A is correct
upvoted 3 times

  toniiv 2 years, 11 months ago


Answer A. is the good one. VPN client re-installation is the key here.
upvoted 3 times
Question #10 Topic 5

HOTSPOT -

You have an Azure subscription. The subscription contains virtual machines that run Windows Server 2016 and are configured as shown in the

following table.

You create a public Azure DNS zone named adatum.com and a private Azure DNS zone named contoso.com.

You create a virtual network link for contoso.com as shown in the following exhibit.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Hot Area:
Correct Answer:

Reference:

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances

https://docs.microsoft.com/en-us/azure/dns/private-dns-autoregistration

  mlantonis Highly Voted  2 years, 9 months ago

Correct Answer:

All three VMs are in VNET2. Auto registration is enabled for private Azure DNS zone named contoso.com, which is linked to VNET2. So,
VM1, VM2 and VM3 will auto-register their host records to contoso.com.

None of the VMs will auto-register to the public Azure DNS zone named adatum.com. You cannot register private IPs on the internet
(adatum.com)

Box 1: Yes
Auto registration is enabled for private Azure DNS zone named contoso.com.

Box 2: Yes
Auto registration is enabled for private Azure DNS zone named contoso.com.

Box 3: No
None of the VMs will auto-register to the public Azure DNS zone named adatum.com

Reference:

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances

https://docs.microsoft.com/en-us/azure/dns/private-dns-autoregistration

https://docs.microsoft.com/en-us/azure/dns/private-dns-virtual-network-links
upvoted 135 times

  Alandt 1 month, 1 week ago


Thank you once again God.
upvoted 1 times

  NickyDee Highly Voted  3 years, 1 month ago


1. The PRIVATE zone contoso.com is linked to VNET1
2. All three VMs are in VNET1
3. All of the VMs will auto-register their host records to contoso.com
4. None of the VMs will auto-register to a public DNS zone. You cannot register private IPs on the internet (adatum)

The answer given is correct


Yes, Yes, No
upvoted 70 times

  cruisey 2 years, 9 months ago


You mean VNET 2 not VNET 1
upvoted 17 times

  edengoforit 1 year, 7 months ago


Probably he meant VNET2 in 2.
upvoted 1 times

  devops_devops Most Recent  1 month ago


This question was in exam 15/01/24
upvoted 1 times

  houzer 1 month, 3 weeks ago


Tested in lab, all 3 VMs will register to contoso.com irrespective of their DNS suffix. Answer is Y/Y/N
upvoted 1 times

  Aluksy 10 months, 1 week ago


Valid came out in my exam today 08 April 2023.
upvoted 5 times

  Bigc0ck 1 year, 1 month ago


on the test
upvoted 1 times

  azaad_a 1 year, 4 months ago


Exam Question 08OCT22
upvoted 4 times

  favela 1 year, 5 months ago


Correct answer
upvoted 1 times

  EmnCours 1 year, 5 months ago


YES
YES
NO
upvoted 1 times

  Lazylinux 1 year, 7 months ago


Given answer is correct YYN.. as for N VNET1 is linked to Private DNS and hence will register there due to fact auto-register is enabled
upvoted 1 times

  Lazylinux 1 year, 8 months ago


Agree with YYN
upvoted 1 times

  benvdw 1 year, 11 months ago


YYN - on exam 13/3/2022
upvoted 3 times

  hanyahmed 2 years, 1 month ago


YES
YES
NO
upvoted 1 times

  khengoolman 2 years, 4 months ago


Passed 11 Oct 2021 with 947. This question appeared, correct Answer is Y Y N
upvoted 8 times

  AubinBakana 2 years, 5 months ago


VM3 will be added to contoso.com, the connection suffix will change to contoso.com
upvoted 2 times

  AubinBakana 2 years, 5 months ago


Correct. Thank you
upvoted 2 times

  sandipk91 2 years, 5 months ago


I think it should be Y-Y-Y

ref: https://docs.microsoft.com/en-us/azure/dns/dns-faq-private#i-have-configured-a-preferred-dns-suffix-in-my-windows-virtual-machine--why-are-my-records-still-registered-in-the-zone-linked-to-the-virtual-network-
upvoted 1 times

Question #11 Topic 5

You have an Azure subscription that contains the resources in the following table.

To which subnets can you apply NSG1?

A. the subnets on VNet1 only

B. the subnets on VNet2 and VNet3 only

C. the subnets on VNet2 only

D. the subnets on VNet3 only

E. the subnets on VNet1, VNet2, and VNet3

Correct Answer: D

All Azure resources are created in an Azure region and subscription. A resource can only be created in a virtual network that exists in the same region and subscription as the resource.

Reference:

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-vnet-plan-design-arm

Community vote distribution


D (100%)

  mlantonis Highly Voted  2 years, 9 months ago

Correct Answer: D

You can assign NSG to the Subnet of the VNet in the same region where NSG is.
NSG1 is in East US and only VNet3 Subnets are in East US.
upvoted 74 times

  fedztedz Highly Voted  3 years, 1 month ago

Answer is correct. "D". VNET3 only


upvoted 32 times

  Vitu Most Recent  1 year, 1 month ago

Selected Answer: D

it's ok
upvoted 1 times

  klexams 1 year, 3 months ago


Selected Answer: D

same region
upvoted 3 times

  Mev4953 1 year, 5 months ago


Because, Vnet3 and NSG are in the same region (EAST US)
upvoted 1 times

  Mev4953 1 year, 5 months ago


I tried it on the portal. Only VNet3 is shown under the drop down menu, when I associate to other subnets.
upvoted 4 times

  EmnCours 1 year, 5 months ago

Selected Answer: D

Correct Answer: D
upvoted 1 times
  Lazylinux 1 year, 8 months ago

Selected Answer: D

D is correct = Summary VM-VNIC-VNET-NSG MUST ALL be in same region


upvoted 4 times

  bur88 1 year, 11 months ago


Answer D
on exam 04.03.2022. Passed 761 points.
Thank you, dear commenters!
upvoted 3 times

  pappkarcsiii 2 years ago

Selected Answer: D

Correct Answer: D

You can assign NSG to the Subnet of the VNet in the same region where NSG is.
NSG1 is in East US and only VNet3 Subnets are in East US.
upvoted 2 times

  Redimido 2 years ago


Selected Answer: D

Azure network security groups can't be moved between regions. You'll have to associate the new NSG to resources in the target region.
https://docs.microsoft.com/en-us/azure/virtual-network/move-across-regions-nsg-portal
upvoted 3 times

  AubinBakana 2 years, 5 months ago


Region boundary. Answer is correct.
upvoted 2 times

  villanz 2 years, 6 months ago


628/1000 23/07/21 failed :(
upvoted 10 times

  lucy3246 1 year, 5 months ago


try again
upvoted 1 times

  JimBobSquare101 2 years, 6 months ago


I also failed first time...thought I could just wing it and get by..I got 567...
Rewrite tomorrow....
upvoted 6 times

  Bertleman 2 years, 3 months ago


Same! Taking it 2nd time on Friday
upvoted 3 times

  pakman 2 years, 4 months ago


did you pass?
upvoted 1 times

  wsscool 2 years, 7 months ago


in exam 7/3/2021
upvoted 6 times

  acmaws 2 years, 7 months ago


Correct is D:
Azure network security groups can't be moved between regions
upvoted 4 times

  McRowdy 2 years, 8 months ago


"D" is correct. Easiest way to remember is NSG must follow region AND subscription.
upvoted 7 times

  BinSelman 2 years, 8 months ago


the given answer is correct.
upvoted 1 times

Question #12 Topic 5

DRAG DROP -

You have an Azure subscription that contains two virtual networks named VNet1 and VNet2. Virtual machines connect to the virtual networks.

The virtual networks have the address spaces and the subnets configured as shown in the following table.

You need to add the address space of 10.33.0.0/16 to VNet1. The solution must ensure that the hosts on VNet1 and VNet2 can communicate.

Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

Select and Place:

Correct Answer:

Step 1: Remove peering between Vnet1 and VNet2.

You can't add address ranges to, or delete address ranges from a virtual network's address space once a virtual network is peered with another virtual network.

To add or remove address ranges, delete the peering, add or remove the address ranges, then re-create the peering.

Step 2: Add the 10.44.0.0/16 address space to VNet1.


Step 3: Recreate peering between VNet1 and VNet2

Reference:

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-manage-peering
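
The three steps above as Az PowerShell, given as an added example that is not part of the original page. The resource group name RG1 is an assumption; the script removes and recreates both halves of the peering (one object per virtual network) and keeps their names and traffic settings.

```powershell
# Added example, not from the original page. Assumptions: both VNets live in a
# resource group named 'RG1' (hypothetical) and the Az.Network module is loaded
# in a session that is already signed in with Connect-AzAccount.
$rg        = 'RG1'             # hypothetical resource group name
$newPrefix = '10.33.0.0/16'    # address space the question asks to add to VNet1

$vnet1 = Get-AzVirtualNetwork -Name 'VNet1' -ResourceGroupName $rg
$vnet2 = Get-AzVirtualNetwork -Name 'VNet2' -ResourceGroupName $rg

# Find the peering object on one VNet that points at the other VNet.
function Get-PeeringTo {
    param($LocalVnetName, $RemoteVnetId)
    Get-AzVirtualNetworkPeering -VirtualNetworkName $LocalVnetName -ResourceGroupName $rg |
        Where-Object { $_.RemoteVirtualNetwork.Id -eq $RemoteVnetId }
}

# Capture both halves before deleting them so they can be restored as they were.
$old12 = Get-PeeringTo -LocalVnetName 'VNet1' -RemoteVnetId $vnet2.Id
$old21 = Get-PeeringTo -LocalVnetName 'VNet2' -RemoteVnetId $vnet1.Id
if (-not $old12 -or -not $old21) { throw 'Expected a peering on both VNet1 and VNet2.' }

# Step 1: remove the peering between VNet1 and VNet2 (both directions).
Remove-AzVirtualNetworkPeering -Name $old12.Name -VirtualNetworkName 'VNet1' -ResourceGroupName $rg -Force
Remove-AzVirtualNetworkPeering -Name $old21.Name -VirtualNetworkName 'VNet2' -ResourceGroupName $rg -Force

# Step 2: add the address space (an address space, not a subnet) to VNet1.
$vnet1 = Get-AzVirtualNetwork -Name 'VNet1' -ResourceGroupName $rg
if ($vnet1.AddressSpace.AddressPrefixes -notcontains $newPrefix) {
    $vnet1.AddressSpace.AddressPrefixes.Add($newPrefix)
    $vnet1 = $vnet1 | Set-AzVirtualNetwork
}

# Step 3: recreate each half with the name and flags captured in $old12/$old21.
function Restore-Peering {
    param($Old, $LocalVnet, $RemoteVnetId)
    $p = @{
        Name                   = $Old.Name
        VirtualNetwork         = $LocalVnet
        RemoteVirtualNetworkId = $RemoteVnetId
    }
    if (-not $Old.AllowVirtualNetworkAccess) { $p.BlockVirtualNetworkAccess = $true }
    if ($Old.AllowForwardedTraffic)          { $p.AllowForwardedTraffic     = $true }
    if ($Old.AllowGatewayTransit)            { $p.AllowGatewayTransit       = $true }
    if ($Old.UseRemoteGateways)              { $p.UseRemoteGateways         = $true }
    Add-AzVirtualNetworkPeering @p
}

$vnet2 = Get-AzVirtualNetwork -Name 'VNet2' -ResourceGroupName $rg
Restore-Peering -Old $old12 -LocalVnet $vnet1 -RemoteVnetId $vnet2.Id | Out-Null
Restore-Peering -Old $old21 -LocalVnet $vnet2 -RemoteVnetId $vnet1.Id | Out-Null

# Hosts can communicate again once both halves report PeeringState 'Connected'.
Get-PeeringTo -LocalVnetName 'VNet1' -RemoteVnetId $vnet2.Id | Select-Object Name, PeeringState
Get-PeeringTo -LocalVnetName 'VNet2' -RemoteVnetId $vnet1.Id | Select-Object Name, PeeringState
```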

  mlantonis Highly Voted  2 years, 9 months ago

Correct Answer:

Step 1: Remove peering between Vnet1 and VNet2


You can't add address ranges to or delete address ranges from a virtual network's address space once a virtual network is peered with
another virtual network. To add or remove address ranges, delete the peering, add or remove the address ranges, then re-create the
peering.

Step 2: Add the 10.33.0.0/16 address space to VNet1

Step 3: Recreate peering between VNet1 and VNet2

Reference:

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-manage-peering
upvoted 139 times

  dagomo 1 year, 2 months ago


Correct Answer but this is the best reference:
https://learn.microsoft.com/en-us/windows-server/networking/sdn/vnet-peering/sdn-vnet-peering

Once you peer a virtual network with another virtual network, you cannot add or delete address ranges in the address space.

Tip

If you need to add address ranges:

Remove the peering.


Add the address space.
Add the peering again.
upvoted 8 times

  WindowAFX 1 year, 9 months ago


Agreed but it doesn't state the current ones are peered?
upvoted 2 times

  WindowAFX 1 year, 9 months ago


ignore me - is correct
upvoted 5 times

  shoutiv Highly Voted  1 year, 3 months ago

Since September 2022 you can update the address space for peered virtual networks without removing the peering.

"Updating the address space for peered virtual networks now is now generally available. This feature allows you to update the address
space or resize for a peered virtual network without removing the peering."

Source:
https://azure.microsoft.com/en-us/updates/resizing-of-peered-virtual-networks-is-now-generally-available/

https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview#resize-the-address-space-of-azure-virtual-networks-that-are-peered
upvoted 25 times

  profesorklaus 4 months ago


Agree. Answers are obsolete. Now you can perform Sync and it solves the problem
upvoted 3 times

  eduardokm 6 months, 2 weeks ago


Positive, I already have used this feature.
upvoted 3 times

  DimsumDestroyer Most Recent  5 months, 3 weeks ago

This question is outdated. You can now add or remove address spaces without having to remove the peering first and re-establishing the
peering. You can simply add the address space in VNET1 and perform a resync using Powershell with Sync-AzVirtualNetworkPeering

https://learn.microsoft.com/en-us/powershell/module/az.network/sync-azvirtualnetworkpeering?view=azps-10.2.0

FROM: https://learn.microsoft.com/en-us/azure/architecture/networking/prefixes/add-ip-space-peered-vnet
** Note: This article has not yet been updated to reflect Azure networking's support for peering resync. Azure virtual networks support
adding and removing address space without the need to remove and restablish peerings; instead each remote peering needs a sync
operation performed after the network space has changed. The sync can be performed using the Sync-AzVirtualNetworkPeering
PowerShell command or from the Azure Portal.**
upvoted 3 times

  Mev4953 1 year, 5 months ago


Tested in Lab
1.Remove peering between Vnet1 and VNet2
2.Add 10.33.0.0/16
3.Recreate peering between VNet1 and VNet2
upvoted 2 times

  EmnCours 1 year, 5 months ago


Answer is correct.
upvoted 1 times

  Bartol0 1 year, 6 months ago


I see one problem. You can't add subnet 10.33.0.0/16 to vnet 10.1.0.0/16. It is out of range.
Error: The subnet address range "10.33.0.0/16" is not contained in this virtual network's address spaces.
upvoted 3 times

  Bartol0 1 year, 6 months ago


Edit: I see my mistake, you need to add address space not subnet. Mlantonis answer is correct. Tested in lab.
upvoted 2 times

  Lazylinux 1 year, 7 months ago


Given answer is correct
upvoted 1 times

  InvisibleShadow 1 year, 11 months ago


This question came in the exam today 8/Mar/2022.
I passed the exam, 95% questions came from here.
upvoted 2 times

  sid132 1 year, 11 months ago


On the exam today, 4.March.2022
upvoted 2 times

  husam421 2 years ago


You can't add address ranges to, or delete address ranges from a virtual network's address space once a virtual network is peered with
another virtual network. To add or remove address ranges, delete the peering, add or remove the address ranges, then re-create the
peering. To add address ranges to, or remove address ranges from virtual networks
upvoted 1 times

  nidhogg 2 years ago


On the exam today, 1.feb.2022
Just 761/1000, but OK! :D
Thanks to ExamTopics and to you all!
upvoted 3 times

  ahmedageba 2 years ago


How many questions from this dump?
upvoted 1 times

  Redimido 2 years ago


The answer is correct, although there's a new way of the things happening now:

"Updating the address space of a virtual network that has peers will cause the peered virtual networks to not be able to connect to this
new address space until you perform a sync operation on the peerings. You can sync the peered virtual networks in the peerings tab, but
requires you have contributor permissions on the peered virtual networks."

https://azure.microsoft.com/en-us/blog/how-to-resize-azure-virtual-networks-that-are-peered-now-in-preview/

So now, it would be:


1. Change the address range
2. ReSync the Peerings
upvoted 4 times

  Redimido 2 years ago


You can check it yourself in the portal. This is the exact message it shows, once you change the address space.
upvoted 2 times

  im82 2 years, 2 months ago


Was on exam today 19.11.2021. Passed with 920.
Correct answer:
- Remove peering between Vnet1 and VNet2
- Add the 10.33.0.0/16 address space to VNet1
- Recreate peering between VNet1 and VNet2
upvoted 6 times

  AubinBakana 2 years, 5 months ago


The only problem with this answer is that peering is set from both sides. While this answer is correct in the selection, It neglects what the
impact will be on the peer from VNet2.
upvoted 2 times

  1Sri 2 years, 7 months ago


Received this question on 4th July exam.
There were many other questions from this list(around 16). I could clear the exam.
Thanks :-)
upvoted 6 times

  ScreamingHand 2 years, 8 months ago


Many organizations deploy a virtual networking architecture that follows the Hub and Spoke model. At some point, the hub virtual
network might require additional IP address spaces. However, address ranges can't be added or deleted from a virtual network's address
space once it's peered with another virtual network.
To add or remove address ranges, delete the peering, add or remove the address ranges, then re-create the peering manually.
https://docs.microsoft.com/en-us/azure/architecture/networking/prefixes/add-ip-space-peered-vnet
upvoted 2 times

  jitkv20 2 years, 10 months ago


But it doesn't say peering exists already to remove one? Please correct me if I'm wrong.
upvoted 5 times

  oshoparsi 2 years, 10 months ago


in the table peering column.
upvoted 6 times

Question #13 Topic 5

HOTSPOT -

You have an Azure subscription that contains the resource groups shown in the following table.

RG1 contains the resources shown in the following table.

VM1 is running and connects to NIC1 and Disk1. NIC1 connects to VNET1.

RG2 contains a public IP address named IP2 that is in the East US location. IP2 is not assigned to a virtual machine.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

Box 1: Yes -

You can move storage -

Box 2: No -

You can't move to a new resource group a NIC that is attached to a virtual machine.

Box 3: No -

Azure Public IPs are region specific and can't be moved from one region to another.

Reference:

https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/move-support-resources

https://docs.microsoft.com/en-us/azure/virtual-network/move-across-regions-publicip-powershell
  NickyDee Highly Voted  3 years, 1 month ago

Tested this in an identical lab:

1. YES. I was able to move the storage from RG1 to RG2, however it stayed in the West US region.

2. YES. I was able to move NIC1 from RG1 to RG2 which was associated with VM1 and VNET1 subnet1, however it stayed in the West US
region.

3. NO. The location of IP2 did not change. However I was able to move IP2 from RG2 to RG1 as it isn't associated with any other resource,
however it stayed in the East US region.

All resources moved to the new resource groups, but the region did not change
upvoted 216 times

  rgullini 2 years, 10 months ago


Also tested, you are correct.
upvoted 17 times

  silver_bullet666 2 years, 4 months ago


I also tested and was able to move the NIC attached to a running VM to a different RG. Took a while though!
upvoted 5 times

  itgg11 2 years ago


YYN. tested in lab
upvoted 9 times

  mlantonis Highly Voted  2 years, 9 months ago


Correct Answer:

Box 1: Yes
You can move the Storage Account to RG2, however it stayed in the West US region. You cannot change the Region, you need to recreate
the Storage Account.

Box 2: Yes
You can move NIC1 to RG2 which was associated with VM1 and VNET1 subnet1, however it stayed in the West US region. You can
move a NIC to a different RG or Subscription by selecting (change) next to the RG or Subscription name. If you move the NIC to a new
Subscription, you must move all resources related to the NIC with it. If the network interface is attached to a virtual machine, for example,
you must also move the virtual machine, and other virtual machine-related resources.

Box 3: No
You can move IP2 to RG1, as it isn't associated with any other resource, however it stayed in the East US region. The location will not
change.
upvoted 134 times

  AzureCrawler001 1 year, 8 months ago


mlantonis - can I buy you a beer or coffee?
upvoted 26 times

  JohnnyChimpo 1 year ago


Y-N
Mlantonis' answer
upvoted 4 times

  Georgego 1 year, 1 month ago


machine learning Antonis is a gun!
upvoted 3 times

  manortmar 2 years, 6 months ago


"as it isn't associated with any other resource" really? According to the above explanation being associated shouldn't be a problem to
move between RGs.
upvoted 3 times

  mlantonis 2 years, 9 months ago


Note: Resources can be everywhere regardless of the resource group they belong to. The resource group is only a collection of
metadata relative to the resources defined inside it. You can move a resource from one resource group to another group. The
resources in a resource group can be located in different regions than the resource group.

Reference:

https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/overview
upvoted 37 times

  Amir1909 Most Recent  1 day, 6 hours ago

Yes
Yes
No
upvoted 1 times

  SkyZeroZx 1 month ago


Correct Answer:

Box 1: Yes
You can move the Storage Account to RG2, however it stayed in the West US region. You cannot change the Region, you need to recreate
the Storage Account.

Box 2: Yes
You can move NIC1 to RG2 which was associated with VM1 and VNET1 subnet1, however it stayed in the West US region. You can
move a NIC to a different RG or Subscription by selecting (change) next to the RG or Subscription name. If you move the NIC to a new
Subscription, you must move all resources related to the NIC with it. If the network interface is attached to a virtual machine, for example,
you must also move the virtual machine, and other virtual machine-related resources.

Box 3: No
You can move IP2 to RG1, as it isn't associated with any other resource, however it stayed in the East US region. The location will not
change.
upvoted 1 times

  SgtDumitru 2 months, 1 week ago


Y/Y/N

When moving NIC to different RG, you only move NIC's meta-data location, not NIC itself. NIC remains in same location where VM is
located.
upvoted 1 times

  marioZuo 6 months, 2 weeks ago


We need to know if the public IP is a standard or a basic one. Standard IP will block RDP if no NSG on NIC.
upvoted 1 times

  Josete1106 6 months, 4 weeks ago


Y Y N is correct!
upvoted 1 times

  Durden871 11 months, 2 weeks ago


Literally just tested this albeit backwards.
RG1 - US East
RG2 - US West
Created Linux VM in RG1

My VM is up and running with the auto-created NIC attached, all in RG1. Validating....Taking awhile. This really does take awhile.

It moved to the US West located RG2 without turning off or decommissioning the VM. The location of the NIC is in US East still. The correct
answer is YYN.
upvoted 1 times

  orionduo 1 year ago


YYN
You can move NIC1 to RG2 which was associated with VM1 and VNET1 subnet1, however it stayed in the West US region. You can
move a NIC to a different RG or Subscription by selecting (change) next to the RG or Subscription name. If you move the NIC to a new
Subscription, you must move all resources related to the NIC with it. If the network interface is attached to a virtual machine, for example,
you must also move the virtual machine, and other virtual machine-related resources.
upvoted 1 times

  hitit 1 year, 4 months ago


Y-Y-N
This is my test result.
upvoted 1 times

  EmnCours 1 year, 5 months ago


Answer Y-Y-N
upvoted 1 times

  Jayad 1 year, 10 months ago


I know many of you have tested moving the NIC to a different RG, but, is it a supported configuration ?
upvoted 1 times

  Redimido 2 years ago


1. YES -
2. YES - I tested it personally. It will work, although you will have to update your scripts (if you have any associated with the moved NIC) to
use the new NIC's resourceID, as this one will change also.
3. NO
upvoted 1 times

  JohnPhan 2 years, 3 months ago


Yes
No - You can move HDInsight clusters to a new subscription or resource group. However, you can't move across subscriptions the
networking resources linked to the HDInsight cluster (such as the virtual network, NIC, or load balancer). In addition, you can't move to a
new resource group a NIC that is attached to a virtual machine for the cluster.
No
upvoted 2 times

  AubinBakana 2 years, 5 months ago


You can't just move the NIC, it's part of the VM.
upvoted 2 times

  AubinBakana 2 years, 5 months ago


I am referring to NIC1 in RG1.
upvoted 1 times

  Kamex009 2 years, 5 months ago


This question was asked on exam taken on 8/22/2021
upvoted 5 times

  Kopy 2 years, 6 months ago


"In addition, you can't move to a new resource group a NIC that is attached to a virtual machine for the cluster."
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/move-support-resources
upvoted 2 times

  slsl 2 years, 1 month ago


Apply only to Microsoft.HDInsight no VMs
upvoted 1 times

Question #14 Topic 5

You have an Azure web app named webapp1.

You have a virtual network named VNET1 and an Azure virtual machine named VM1 that hosts a MySQL database. VM1 connects to VNET1.

You need to ensure that webapp1 can access the data hosted on VM1.

What should you do?

A. Deploy an internal load balancer

B. Peer VNET1 to another virtual network

C. Connect webapp1 to VNET1

D. Deploy an Azure Application Gateway

Correct Answer: D

Community vote distribution


C (100%)

  Az209co Highly Voted  3 years, 4 months ago

I think the answer should be C.


<https://docs.microsoft.com/en-us/azure/app-service/web-sites-integrate-with-vnet>
upvoted 91 times

  jantoniocesargatica 2 years, 9 months ago


You are unable to connect a Webapp to a Vnet, if the Vnet is not empty. In this case there is a VM.
upvoted 4 times

  slimjago 2 years, 8 months ago


based on that, webapp needs its own VNET, right? which could be peered with VNET1. what do you think?
upvoted 3 times

  a4andrew 2 years, 3 months ago


webapp only needs its own empty (not delegated nor has any resources within) subnet, not VNET (which can contain many
subnets) and a /29 subnet is the smallest you can use for such a service.
upvoted 9 times

  tita_tovenaar 2 years, 7 months ago


correct but the network integrator in app service lets you create a subnet in the same vnet, precisely for this scenario.. check the ref
above ;-)
upvoted 6 times

  luxaflow 2 years, 4 months ago


This is correct, tested in Lab:
Was able to connect webapp to a VNet containing a VM. During connection creation, was requested to create a new subnet.
upvoted 7 times

  fedztedz Highly Voted  3 years, 1 month ago


Answer is wrong. It should be "C"
Connect the webapp to VNET using webapp VNET integration. where webapp can access the resources in the VNET.
upvoted 81 times

  itgg11 2 years ago


Answer is C. tested in the lab. web app pricing plan needed to be upgraded to Standard. There must be a vnet with a subnet that is not
being used. If the subnet is used, you can create a new one.
upvoted 5 times

  Appu008 2 years, 2 months ago


Wrong, the answer is D only. Because there is no mention that VM1 is in Vnet1, it is said that VM1 only connects to Vnet1 (it is
mentioned to distract students towards wrong answer)
upvoted 5 times

  shash_ank 1 year, 8 months ago


Once a VM is connected to a VNET, it is part of that VNET, it is inside that VNET.

VM connecting to VNET and VM being inside a VNET is one and the same. Don't overthink, it induces wrong answers
upvoted 8 times

  dasEnder 1 year, 9 months ago


What is the difference if a VM?? A VM cannot be in two VNets so, if has a NIC in the VNet is in it. Only if you consider that the VM
connects using a VPN or peered or any networking. I think this is not what it means here. Also if is not in VNet1, where?
upvoted 1 times

  PersonT 2 years, 6 months ago


True
https://docs.microsoft.com/nl-nl/azure/application-gateway/overview
upvoted 3 times

  sabin001 2 years, 3 months ago


Correct! VNet integration feature enables your apps to access resources in or through a VNet.
upvoted 1 times

  amsioso Most Recent  2 months ago

Answer D
You need to access the MySQL database, not to integrate webapp1 in VNET1.
upvoted 2 times

  amsioso 2 months ago


https://learn.microsoft.com/en-us/azure/application-gateway/features
upvoted 1 times

  Yaruk 5 months, 2 weeks ago

Selected Answer: C

so simple question, why do they provide incorrect answer?


upvoted 2 times

  oopspruu 5 months, 3 weeks ago


Selected Answer: C

You can simply create a new subnet within the same vNET and connect the webapp to it. There's no need to make the solution complex by
involving Application Gateway here.
upvoted 1 times

  Teroristo 6 months, 2 weeks ago


Answer is Connect webapp1 to VNET1

The VNet Integration feature has two variations:


- Regional VNet Integration: When you connect to Azure Resource Manager virtual networks in the same region, you must have a
dedicated subnet in the VNet you're integrating with.
- Gateway-required VNet Integration: When you connect to VNet in other regions or to a classic virtual network in the same region, you
need an Azure Virtual Network gateway provisioned in the target VNet.

Note: If the VNet is in the same region, either create a new subnet or select an empty preexisting subnet.

The resources inside a VNet can communicate.

Reference:
https://docs.microsoft.com/en-us/azure/app-service/web-sites-integrate-with-vnet
upvoted 1 times

  Sri944 7 months, 1 week ago


The best approach to enable webapp1 to access the data hosted on VM1 in this scenario would be to establish a secure and direct
connection between the web app and the virtual machine without involving Azure Application Gateway.
upvoted 1 times

  medaziz 8 months, 1 week ago


I think the web app is a PaaS service so it has a public IP so either we use private link or Azure Application Gateway
upvoted 1 times

  Kimoz 11 months, 1 week ago


c is the correct answer
upvoted 1 times

  skydivex 11 months, 3 weeks ago


the best answer is D.... application gateway would provide a perfect option for webapp to connect to your resources, such as virtual
machines or storage accounts.
Connecting web app to a VNET requires specific subnet creation and few other items and consideration. It would not be my first choice if it
is my own network. but it would definitely be doable.
https://learn.microsoft.com/en-us/azure/application-gateway/overview
upvoted 2 times

  CyberKelev 11 months, 3 weeks ago


Selected Answer: C

The correct answer is C. Connect webapp1 to VNET1.


By connecting the web app to the virtual network, you can enable access from the web app to resources on the virtual network, including
the MySQL database hosted on VM1. This can be done by enabling VNet Integration for the web app and then selecting VNET1 as the
virtual network to integrate with. Once the integration is set up, the web app will be able to communicate with VM1 on VNET1 as if it were
on the same network.

Option A, deploying an internal load balancer, is not necessary in this scenario, as load balancing is not required.

Option B, peering VNET1 to another virtual network, is also not necessary for this scenario, as it does not address the requirement to
enable communication between the web app and the MySQL database hosted on VM1.

Option D, deploying an Azure Application Gateway, is not necessary for this scenario, as it is primarily used for load balancing and routing
of HTTP/HTTPS traffic. It does not address the requirement to enable communication between the web app and the MySQL database
hosted on VM1.
upvoted 7 times

  ConanBarb 11 months, 3 weeks ago

Selected Answer: C

C
"Azure Application Gateway is a web traffic load balancer that enables you to manage traffic to your web applications."
upvoted 1 times

  omgMerrick 1 year ago

Selected Answer: C

C is the correct answer.

By connecting webapp1 to VNET1 (answer C), the web app will be able to access the data hosted on VM1 through the virtual network. The
other options do not directly address the requirement to allow webapp1 access to the data hosted on VM1. An internal load balancer and
a peered virtual network may provide other benefits, but they would not by themselves ensure that webapp1 can access the data hosted
on VM1. An Azure Application Gateway is a reverse proxy that is often used for load balancing, SSL termination, and URL-based routing,
but it would not directly allow webapp1 to access the data hosted on VM1.
upvoted 2 times

  jp_mcgee 1 year, 2 months ago


Correct Answer C:

C. Connect webapp1 to VNET1


"The App Service virtual network integration feature enables your apps to access resources in or through a virtual network."
https://learn.microsoft.com/en-us/azure/app-service/overview-vnet-integration

D. Deploy an Azure Application Gateway


"Azure Application Gateway is a web traffic load balancer that enables you to manage traffic to your web applications." see here:
https://learn.microsoft.com/en-us/azure/application-gateway/overview
upvoted 4 times

  EmnCours 1 year, 5 months ago


Selected Answer: C

Correct Answer: C
upvoted 2 times

  nkhan19 1 year, 7 months ago

Selected Answer: C

VNet Integration can be used


upvoted 2 times

  Lazylinux 1 year, 7 months ago

Selected Answer: C

C is correct and means is VNET integration


upvoted 2 times

  Lazylinux 1 year, 7 months ago


More info
Azure Web App – VNET Integration
Since we know that Azure Web App is predominately for public access and that it does NOT have Internal IP address therefore it is NOT
possible for either the Azure Web App or internal Apps or DBS to communicate with each other and this is where VNET INTEGRATION
comes into play. It Allows App Service to access the resources within the VNET
VNET Integration allows ONLY the Azure Web App to communicate internally and NOT other way round I.e. internal Apps cannot
communicate directly with Azure Web APP. Example => lets say we have Azure Web App called AppDB and this App needs to
communicate with internal Database VM in order to process requests, this can only be done via VNET Integration where AppDB
initiates the contact with DB VM and the DB VM will pass back the required information in order to satisfy the request BUT DB VM or
any other internal VM can NEVER make direct communication with AppDB I.e. IT DOES NOT allow private inbound access to your Web
App (AppDB) from the virtual Network. As per diagram below
upvoted 8 times

Question #15 Topic 5

You create an Azure VM named VM1 that runs Windows Server 2019.

VM1 is configured as shown in the exhibit. (Click the Exhibit tab.)

You need to enable Desired State Configuration for VM1.

What should you do first?

A. Connect to VM1.

B. Start VM1.

C. Capture a snapshot of VM1.

D. Configure a DNS name for VM1.

Correct Answer: B

Status is Stopped (Deallocated).

The DSC extension for Windows requires that the target virtual machine is able to communicate with Azure.

The VM needs to be started.

Reference:

https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/dsc-windows

Community vote distribution


B (100%)

  mlantonis Highly Voted  2 years, 9 months ago

Correct Answer: B
Status is Stopped (Deallocated). The DSC extension for Windows requires that the target Virtual Machine is able to communicate with
Azure. First you start the VM, because you need VM online to deploy DSC Extension.

Reference:

https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/dsc-windows
upvoted 79 times

  sri1972 Highly Voted  3 years, 1 month ago

Came in 01/09/21 exam. Passed exam with 906 marks. 98% of the questions are from this dump.
upvoted 66 times

  AlexJacobson 2 years, 8 months ago


I don't consider this "a dump", actually. I believe the vast majority of people here (me included) are actually studying for the exam hard
(reading online documentation, experimenting in their Azure subscription, etc.) and using this just as a way to plug the holes in their
knowledge (as one simply can't know every single detail and possible scenario regarding Azure).
upvoted 163 times

  StreetRat 1 year, 11 months ago


100$ agreed Alex. Secondly, I don't understand why Microsoft is testing this kind of stupidity. They should give us simulations and
ask us to solve the problems, make the exam 2 hours - 10 - 15 simulations and 10 - 15 straightforward questions based on what they
have actually published, rather than wondering all the time what they are going to ask.
upvoted 17 times

  greeklover84 11 months, 2 weeks ago


exactly.....plugging holes in our knowledge..... and get a feedback from people tried the exam !!!
upvoted 1 times

  Asymptote 1 year, 3 months ago


Agree,
here all we can get is how Microsoft structured their exam,
and we do not get absolute answers from here,
it requires candidates to have the knowledge to make extra effort for securing the exam.
upvoted 2 times

  dimsok 1 year, 1 month ago


This is obviously far away from the truth
upvoted 2 times

  smaa 2 years, 2 months ago


Hi, is it 98% from the whole set? Or 98 % from topic5 questions? Thanks.
upvoted 1 times

  devops_devops Most Recent  1 month ago


This question was in exam 15/01/24
upvoted 1 times

  zzreflexzz 9 months, 2 weeks ago


on exam 4/29/23
upvoted 4 times

  Rwj 9 months, 1 week ago


how many from this dump? are these legit? taking exam next week
upvoted 2 times

  vbohr899 11 months, 3 weeks ago


Cleared Exam today 26 Feb, This question was there in exam.
upvoted 5 times

  EmnCours 1 year, 5 months ago

Selected Answer: B

Correct Answer: B
upvoted 1 times

  Gino_Slim 1 year, 7 months ago


I'm starting not to believe all of these "This was on my test"...then why are you here if you passed...?
upvoted 12 times

  KrisDeb 1 year, 6 months ago


B-O-T-S
upvoted 6 times

  Lazylinux 1 year, 7 months ago


Selected Answer: B
i Luv Honey Because it is B

Start the VM as it is deallocated


upvoted 2 times

  josevirtual 1 year, 10 months ago

Selected Answer: B

Start the VM, correct


upvoted 1 times

  InvisibleShadow 1 year, 11 months ago


This question came in the exam today 8/Mar/2022.
I passed the exam, 95% questions came from here.
upvoted 2 times

  sid132 1 year, 11 months ago


On the exam today, 4.March.2022
upvoted 2 times

  im82 2 years, 2 months ago


Was on exam today 19.11.2021. Passed with 920.
Correct answer: B
upvoted 6 times

  rohitmedi 2 years, 5 months ago


Correct..
upvoted 1 times

  AubinBakana 2 years, 5 months ago


I can't believe I read you need to disable the DSC. Haha... Answer is correct
upvoted 1 times

  ZUMY 2 years, 11 months ago


B is correct!
upvoted 4 times

  toniiv 2 years, 11 months ago


Answer B. is correct. First you start the VM. You need VM online to deploy DSC Extension
upvoted 4 times

  waterzhong 3 years ago


The extension uploads and applies a PowerShell DSC Configuration on an Azure VM. The DSC Extension calls into PowerShell DSC to enact
the received DSC configuration on the VM.
upvoted 5 times
Question #16 Topic 5

You have five Azure virtual machines that run Windows Server 2016. The virtual machines are configured as web servers.

You have an Azure load balancer named LB1 that provides load balancing services for the virtual machines.

You need to ensure that visitors are serviced by the same web server for each request.

What should you configure?

A. Floating IP (direct server return) to Disabled

B. Session persistence to None

C. Floating IP (direct server return) to Enabled

D. Session persistence to Client IP

Correct Answer: D

With Sticky Sessions, when a client starts a session on one of your web servers, the session stays on that specific server. To configure an Azure Load Balancer for sticky sessions, set Session persistence to Client IP or to Client IP and protocol.

On the following image you can see sticky session configuration:

Note:

✑ Client IP and protocol specifies that successive requests from the same client IP address and protocol combination will be handled by the
same virtual machine.

✑ Client IP specifies that successive requests from the same client IP address will be handled by the same virtual machine.
Reference:

https://cloudopszone.com/configure-azure-load-balancer-for-sticky-sessions/

Community vote distribution


D (100%)

  nicktco Highly Voted  10 months, 2 weeks ago

from now on, you will see this question appears 10 times, good luck:)
upvoted 29 times

  Dush3695 6 months, 3 weeks ago


Spoiler alert :(
upvoted 4 times

  mtec2017 Highly Voted  2 years, 7 months ago

This is correct
upvoted 9 times

  01111010 Most Recent  3 months, 1 week ago

Selected Answer: D

Hey ET admins; Here's public service announcement - please cleanup 10 instances of this question. I think my dog knows how to configure
LB with persistent sessions by now.
upvoted 3 times

  Juanchooo 9 months ago


Came in my exam today 17/05/23
upvoted 1 times

  vbohr899 11 months, 3 weeks ago


Cleared Exam today 26 Feb, This question was there in exam.
upvoted 3 times

  CyberKelev 11 months, 3 weeks ago


Selected Answer: D

D. Session persistence to Client IP.

To ensure that visitors are serviced by the same web server for each request, you need to enable session persistence, which maps a
client's session to a specific server. In this case, you would want to use Client IP session persistence so that subsequent requests from the
same client are sent to the same web server.

Floating IP (direct server return) is an option that enables traffic to bypass the load balancer and go directly to the backend servers. This is
typically used for scenarios where the backend servers need to return traffic directly to the client, such as for media streaming or UDP-based
protocols. However, it is not relevant for ensuring session persistence.
upvoted 4 times

  Bigc0ck 1 year, 1 month ago


This was on my 2nd test
upvoted 2 times

  meeko86 1 year, 2 months ago

Selected Answer: D

Answer D: Session persistence to Client IP


https://learn.microsoft.com/en-us/azure/load-balancer/distribution-mode-concepts
Session persistence mode has two configuration types:
Client IP (2-tuple) - Specifies that successive requests from the same client IP address will be handled by the same backend instance.
Client IP and protocol (3-tuple) - Specifies that successive requests from the same client IP address and protocol combination will be
handled by the same backend instance.
upvoted 6 times

  favela 1 year, 5 months ago


Correct passed with 900 score
upvoted 4 times

  EmnCours 1 year, 5 months ago


Selected Answer: D

D. Session persistence to Client IP


upvoted 1 times

  virgilpza 1 year, 5 months ago


Selected Answer: D

this is correct - sticky/ persistent sessions to the client ip


upvoted 1 times

  pappkarcsiii 2 years ago

Selected Answer: D

Ans: D. Session persistence to Client IP


upvoted 2 times

  JESUSBB 2 years, 2 months ago


In the exam today 11-DEC-2021
Ans: D. Session persistence to Client IP
upvoted 4 times

  stevhas 2 years, 2 months ago


Passed exam today 11/19/21 only about 25-30% of the question are in this dump. Suggestion, do not rely solely on dumps. MS learn,
udemy etc. had like 5 different case scenarios where they throw a lot of white noise in to confuse.
upvoted 4 times

  rohitmedi 2 years, 5 months ago


Correct D
upvoted 2 times

  [Removed] 2 years, 5 months ago


This is correct answer. What we have to do after Topic4 Q-30 ? Does anyone has valid discount code to unlock next set of questions ?
upvoted 2 times

  Kamex009 2 years, 5 months ago


This question was asked on exam taken on 8/22/2021
upvoted 4 times
Question #17 Topic 5

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an Azure subscription that contains the following resources:

✑ A virtual network that has a subnet named Subnet1
✑ Two network security groups (NSGs) named NSG-VM1 and NSG-Subnet1
✑ A virtual machine named VM1 that has the required Windows Server configurations to allow Remote Desktop connections

NSG-Subnet1 has the default inbound security rules only.

NSG-VM1 has the default inbound security rules and the following custom inbound security rule:

✑ Priority: 100
✑ Source: Any
✑ Source port range: *
✑ Destination: *
✑ Destination port range: 3389
✑ Protocol: UDP
✑ Action: Allow

VM1 has a public IP address and is connected to Subnet1. NSG-VM1 is associated to the network interface of VM1. NSG-Subnet1 is associated to Subnet1.

You need to be able to establish Remote Desktop connections from the internet to VM1.

Solution: You add an inbound security rule to NSG-Subnet1 that allows connections from the Any source to the * destination for port range 3389 and uses the TCP protocol. You remove NSG-VM1 from the network interface of VM1.

Does this meet the goal?

A. Yes

B. No

Correct Answer: B

The default port for RDP is TCP port 3389. A rule to permit RDP traffic must be created automatically when you create your VM.

Note on NSG-Subnet1: Azure routes network traffic between all subnets in a virtual network, by default.

Reference:

https://docs.microsoft.com/en-us/azure/virtual-machines/troubleshooting/troubleshoot-rdp-connection

Community vote distribution


A (68%) B (32%)

  ihavespoken Highly Voted  3 years, 2 months ago

My comments were incorrect, late night study :-). The answer is Yes. The main point I missed was that NSG-Subnet1 is correctly modified
with TCP 3389 and NSG-VM1 is removed. In this case you should be able to connect.
- "Solution: You add an inbound security rule to NSG-Subnet1 that allows connections from the Any source to the *destination for port range 3389 and uses the TCP protocol. You remove NSG-VM1 from the network interface of VM1."
upvoted 112 times

  joergsi 2 years, 1 month ago


We only want to have RDP to VM1, but with this rule we would allow RDP to all VMs in the network; because of this I would go for No (B)
upvoted 6 times

  bartfto 9 months, 2 weeks ago


Nowhere does it say it has to be exclusive to VM1.
upvoted 3 times

  itguy2 1 year, 11 months ago


the question was specific to VM1.. didn't mention anything about all VMs so answer is A
upvoted 4 times

  Junhui74 2 years, 6 months ago


reference to https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works , answer is yes
upvoted 1 times
  Hibs2016 3 years, 2 months ago
Agreed answer is incorrect. The answer should be Yes.
upvoted 12 times

  al2 2 years, 9 months ago


Then how come this Q has two correct answers? both this one here and the one on the next page are correct? I assume if this one is
partly correct, then I'll go with NO for this one and YES for the one next page which is "more" correct. wdyt?
upvoted 1 times

  RamanAgarwal 2 years, 8 months ago


On next question the protocol used for subnet nsg is UDP which is wrong hence the answer is No.
upvoted 2 times

  [Removed] 2 years, 7 months ago


It works with both TCP and UDP protocols
upvoted 2 times

  mlantonis 2 years, 9 months ago


Some question sets might have more than one correct solution, while others might not have a correct solution.
upvoted 6 times

  mlantonis Highly Voted  2 years, 9 months ago

Correct Answer: A - Yes

By adding the rule to NSG-Subnet1 you are allowing RDP on Subnet level. Then you delete NSG-VM1, so you are able to RDP.
Note: A rule to permit RDP traffic may not be created automatically when you create your VM.

Reference:
https://docs.microsoft.com/en-us/troubleshoot/azure/virtual-machines/troubleshoot-rdp-connection
upvoted 73 times

  Slimus 8 months, 3 weeks ago


Agree! there is only one NSG on sub-net level remain.
upvoted 1 times

  lafegob 1 year, 1 month ago


yep agree , we need to remove NSG-VM1 because it has already a rule to allow UDP. And the RDP connection will use tcp but will try to
make use of udp too in order to improve the connection delay.
upvoted 1 times

  meeko86 1 year, 2 months ago


Answer Yes.
Remote Desktop Protocol (RDP) is a Microsoft proprietary protocol that enables remote connections to other computers, typically over
TCP port 3389. It provides network access for a remote user over an encrypted channel.
https://www.cisecurity.org/insights/white-papers/security-primer-remote-desktop-protocol#:~:text=Overview,user%20over%20an%20encrypted%20channel.
upvoted 1 times

  vsvaid Most Recent  1 day, 2 hours ago

Selected Answer: B

Need a rule for RDP with TCP at 3389.


upvoted 1 times

  Tomix 7 months, 2 weeks ago


B. No

The proposed solution does not meet the goal. Although the solution adds an inbound security rule to NSG-Subnet1 that allows
connections from Any source to the destination port range 3389 using the TCP protocol, it fails to remove NSG-VM1 from the network
interface of VM1.

To establish Remote Desktop connections from the internet to VM1, you would need to configure the network security groups (NSGs)
correctly. NSG-VM1 should have an inbound security rule allowing Remote Desktop Protocol (RDP) traffic (port 3389) using the TCP
protocol. Additionally, the NSG-Subnet1 should have an inbound security rule that allows the RDP traffic from the internet to the VM's
public IP address.

The correct solution would involve modifying NSG-VM1 to allow RDP traffic over TCP and ensuring that NSG-Subnet1 has an inbound
security rule allowing RDP traffic from the internet to the VM's public IP address.
upvoted 1 times

  ivan0590 9 months, 1 week ago

Selected Answer: A

Answer is A.
The question clearly states ‘You need to be able to establish Remote Desktop connections from the internet to VM1’.
It says nothing about restricting RDP traffic in the subnet.
The proposed solution is not the best possible solution, but it would work. You would be able to establish an RDP connection to VM1 and
the rest of the VMs in the subnet.
upvoted 2 times

  Exilic 9 months, 3 weeks ago

Selected Answer: B

OpenAI

"B. No.

The solution provided is not correct as it adds an inbound security rule for TCP protocol to NSG-Subnet1 and removes NSG-VM1 from the
network interface of VM1. However, the custom inbound security rule in NSG-VM1 is for UDP protocol, not TCP, and removing NSG-VM1
from the network interface of VM1 would also remove the custom inbound security rule that allows Remote Desktop connections.

To meet the goal of establishing Remote Desktop connections from the internet to VM1, you should add a custom inbound security rule to
NSG-VM1 that allows connections from the internet to the public IP address of VM1 for port 3389 using the TCP protocol. The rule should
have a lower priority than the existing custom inbound security rule in NSG-VM1 to ensure that it is evaluated first."
upvoted 2 times

  morito 11 months, 1 week ago

Selected Answer: A

Answer is Yes, albeit it's a really weird way to solve this. From applying the same NSG to an interface and a VNet, to allowing RDP into a
whole network instead of scoping it to a single server.
upvoted 2 times

  CyberKelev 11 months, 3 weeks ago


Selected Answer: B

No, this does not meet the goal because the NSG-VM1 has a custom inbound security rule that allows connections on UDP protocol to
port 3389, which is required for Remote Desktop Protocol (RDP) on Windows. By removing NSG-VM1 from the network interface of VM1,
this rule would be deleted, and RDP connections would not be allowed. The correct solution would be to add an inbound security rule to
NSG-VM1 that allows connections from the Internet to the *destination for port range 3389 and uses the TCP protocol. This would allow
RDP connections to VM1 from the Internet while still maintaining the security of the subnet using NSG-Subnet1.
upvoted 2 times

  loner_123 11 months, 2 weeks ago


"and RDP connections would not be allowed."
Who is there to deny the RDP connections? There is no NSG assigned to the VM to do this.
upvoted 3 times

  khaled_razouk 1 year, 1 month ago

Selected Answer: B

No
The custom inbound security rule in NSG-VM1 allows connections from Any source to the destination for port range 3389 using the UDP
protocol, which is required for Remote Desktop connections. Removing NSG-VM1 from the network interface of VM1 will remove this
security rule and prevent Remote Desktop connections to VM1. To allow Remote Desktop connections from the internet to VM1, you
should keep NSG-VM1 associated to the network interface of VM1 and add the necessary inbound security rule to NSG-Subnet1.
upvoted 1 times

  GBAU 1 year ago


" You remove NSG-VM1 from the network interface of VM1"
All rules in NSG-VM1 are now irrelevant.
Answer is A (Yes)
upvoted 2 times

  BYNeo 1 year, 3 months ago


Selected Answer: B

It mentions that "You need to be able to establish Remote Desktop connections from the internet to VM1"; if we choose A, it means allowing
connections from the Any source to the *destination for port range 3389 using the TCP protocol, which I do not agree with.
upvoted 1 times

  Pear7777 1 year, 2 months ago


B, the snag is in the *destination .. there's no designated destination
upvoted 1 times

  GBAU 1 year ago


"VM1 has a public IP address"
Connect to this public IP on 3389 which NSG-Subnet1 allows through (You add an inbound security rule to NSG-Subnet1 that allows
connections from the Any source to the *destination for port range 3389 and uses the TCP protocol).
NSG-VM1 is irrelevant as it is removed from VM1s NIC

Answer is A: Yes
upvoted 1 times

  matejka 1 year, 3 months ago


Selected Answer: A

Definitely yes. Add a rule to subnet which allows the connection and remove the rule on VM-NIC level that denies the connection.
upvoted 2 times
  CJWit 1 year, 3 months ago
the big clue is UDP..... lol
upvoted 1 times

  GBAU 1 year ago


Nope, the big clue is "You remove NSG-VM1 from the network interface of VM1"
upvoted 1 times

  hitit 1 year, 4 months ago


Yes
RDP version 8 uses UDP 3389, but later versions of RDP do not use UDP 3389 anymore.
The condition shows the UDP 3390 allow rule; to enable RDS, create a new rule for TCP 3389
upvoted 2 times

  Jeff8989 1 year, 4 months ago

Selected Answer: A

This is a poorly worded question. RDP protocol can work on both TCP and UDP. Microsoft recommends adding NSG groups at the subnet
level as adding NSG at the NIC level can be complex when it comes to troubleshooting and management. Therefore I lean towards answer
A. But technically having a NSG attached to a subnet and another attached to the NIC at the same time works as long as the NSG rules on
both subnet and NIC level allow the same kind of traffic (with ports, protocols etc.)
upvoted 4 times

  awssecuritynewbie 1 year, 4 months ago


Selected Answer: A

Yes! the reason is because a SUBNET OR NIC that has no NSG will allow all traffic. The current NSG only applies to UDP 3389, which the
question states and also we know that RDP (3389) is actually TCP. So therefore by removing the NSG the traffic will flow.
upvoted 2 times

  MartyMart 1 year, 5 months ago

Selected Answer: A

Correct answer is A. Note: NSG-VM1 was removed.


upvoted 1 times

  EmnCours 1 year, 5 months ago

Selected Answer: A

Correct Answer: A
upvoted 1 times
Question #18 Topic 5

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an Azure subscription that contains the following resources:

✑ A virtual network that has a subnet named Subnet1
✑ Two network security groups (NSGs) named NSG-VM1 and NSG-Subnet1
✑ A virtual machine named VM1 that has the required Windows Server configurations to allow Remote Desktop connections

NSG-Subnet1 has the default inbound security rules only.

NSG-VM1 has the default inbound security rules and the following custom inbound security rule:

✑ Priority: 100
✑ Source: Any
✑ Source port range: *
✑ Destination: *
✑ Destination port range: 3389
✑ Protocol: UDP
✑ Action: Allow

VM1 has a public IP address and is connected to Subnet1. NSG-VM1 is associated to the network interface of VM1. NSG-Subnet1 is associated to Subnet1.

You need to be able to establish Remote Desktop connections from the internet to VM1.

Solution: You add an inbound security rule to NSG-Subnet1 that allows connections from the internet source to the VirtualNetwork destination for port range 3389 and uses the UDP protocol.

Does this meet the goal?

A. Yes

B. No

Correct Answer: B

The default port for RDP is TCP port 3389. A rule to permit RDP traffic must be created automatically when you create your VM.

Note on NSG-Subnet1: Azure routes network traffic between all subnets in a virtual network, by default.

Reference:

https://docs.microsoft.com/en-us/azure/virtual-machines/troubleshooting/troubleshoot-rdp-connection

Community vote distribution


B (79%) A (21%)

  mlantonis Highly Voted  2 years, 9 months ago

Correct Answer: B - No

The default port for RDP is TCP port 3389.

Reference:

https://docs.microsoft.com/en-us/troubleshoot/azure/virtual-machines/troubleshoot-rdp-connection
upvoted 59 times

  aMiPL Highly Voted  3 years ago

Such a silly question :).


By default it will not work but you can make it work so there isn't really a good answer xD.

By default servers accept on both TCP and UDP.

UDP will work as long as the client machine (the one you are connecting from) has its registry updated to use UDP by default :>

So the answer is "No", but you can actually make it work if you change settings outside of Azure.
upvoted 18 times

  vsvaid Most Recent  1 day, 2 hours ago


Selected Answer: B

We need a rule for VM Nic to allow RDP on TCP at 3389. It is not present at the moment
upvoted 1 times

  riccardoto 5 months, 3 weeks ago


Selected Answer: B

Just for sake of precision: RDP can work both through TCP or UDP (google it!).
The answer to this question will still be "No" though, because we have two NSGs enforced (one on NIC, one on Subnet) - one opens
TCP, the other opens UDP - so either connection will be blocked.

And dudes, please stop crapping these comments with answers with OpenAI, they are just not reliable and often wrong.
upvoted 1 times

  Exilic 9 months, 3 weeks ago

Selected Answer: B

OpenAI

"No, this solution will not meet the goal. The current inbound security rule in NSG-VM1 allows Remote Desktop connections using the TCP
protocol on port 3389. The proposed inbound security rule in NSG-Subnet1 allows connections using the UDP protocol, which is not used
for Remote Desktop connections. Therefore, you should add an inbound security rule to NSG-VM1 that allows connections from the
internet source to the VirtualNetwork destination for port range 3389 and uses the TCP protocol."
upvoted 1 times

  CyberKelev 11 months, 3 weeks ago

Selected Answer: B

No, this solution will not meet the goal as Remote Desktop Protocol (RDP) uses TCP, not UDP. The inbound security rule should be
configured to allow connections from the internet source to the VirtualNetwork destination for port range 3389 and use the TCP protocol,
not UDP. Additionally, the NSG-VM1 should remain associated with the network interface of VM1 as it allows the RDP traffic to reach the
virtual machine.
upvoted 1 times

  Bigc0ck 1 year, 1 month ago


On my 2nd test
upvoted 1 times

  EmnCours 1 year, 5 months ago


Selected Answer: B

Correct Answer: B
The default port for RDP is TCP port 3389
upvoted 1 times

  pkg007 1 year, 7 months ago


I just tested - Created an Azure VM (Windows Server) with RDP connections; it is showing the RDP connection on TCP protocol port 3389. When
you try to add an inbound rule and select "RDP", it will automatically select the "TCP" protocol and destination port range "3389" connection.
Answer is B
upvoted 2 times

  nkhan19 1 year, 7 months ago

Selected Answer: B

RDP works on TCP 3389


upvoted 2 times

  minix 1 year, 7 months ago


came in today's exam 25/6/2022
upvoted 2 times

  Lazylinux 1 year, 7 months ago


Selected Answer: B

No for sure 3389 is TCP not UDP


upvoted 2 times

  amunator 1 year, 8 months ago


Selected Answer: B

RDP uses TCP protocol, not UDP.


upvoted 1 times

  sjb666 1 year, 9 months ago

Selected Answer: B

Answer is B. Have also tested in lab, definitely can't connect to UDP 3389 alone (although it is cited on several sites that it improves the
experience in some cases).
upvoted 3 times

  InvisibleShadow 1 year, 11 months ago


This question came in the exam today 8/Mar/2022.
I passed the exam, 95% questions came from here.
upvoted 1 times

  carmash 1 year, 11 months ago

Selected Answer: B

B. RDP uses TCP


upvoted 4 times

  hm67 2 years ago

Selected Answer: A

RDP default TCP not UDP. Traffic is denied by the DenyAllInbound default security rule.
upvoted 4 times

  hm67 2 years ago


Click the wrong answer, should be B.
upvoted 1 times
Question #19 Topic 5

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an Azure subscription that contains the following resources:

✑ A virtual network that has a subnet named Subnet1
✑ Two network security groups (NSGs) named NSG-VM1 and NSG-Subnet1
✑ A virtual machine named VM1 that has the required Windows Server configurations to allow Remote Desktop connections

NSG-Subnet1 has the default inbound security rules only.

NSG-VM1 has the default inbound security rules and the following custom inbound security rule:

✑ Priority: 100
✑ Source: Any
✑ Source port range: *
✑ Destination: *
✑ Destination port range: 3389
✑ Protocol: UDP
✑ Action: Allow

VM1 has a public IP address and is connected to Subnet1. NSG-VM1 is associated to the network interface of VM1. NSG-Subnet1 is associated to Subnet1.

You need to be able to establish Remote Desktop connections from the internet to VM1.

Solution: You add an inbound security rule to NSG-Subnet1 and NSG-VM1 that allows connections from the internet source to the VirtualNetwork destination for port range 3389 and uses the TCP protocol.

Does this meet the goal?

A. Yes

B. No

Correct Answer: A

The default port for RDP is TCP port 3389. A rule to permit RDP traffic must be created automatically when you create your VM.

Note on NSG-Subnet1: Azure routes network traffic between all subnets in a virtual network, by default.

Reference:

https://docs.microsoft.com/en-us/azure/virtual-machines/troubleshooting/troubleshoot-rdp-connection

Community vote distribution


A (56%) B (44%)

  fedztedz Highly Voted  3 years, 1 month ago

Answer is correct. YES.


To enable RDP, you need to add an "Allow" rule for port 3389 on the TCP protocol. This matches the given suggested solution.
For the existing custom rule, priority doesn't matter if it is 100 or not. As "Network security group security rules are evaluated by priority
using the 5-tuple information (source, source port, destination, destination port, and protocol) to allow or deny the traffic." So Azure
checks the first rule, it finds that it has UDP. then It will check the second rule, it will find allow TCP on port 3389. So it will allow. Since the
protocols are different, so those are totally different rules.
Please read the page https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview
upvoted 69 times

  profesorklaus 4 months, 1 week ago


Yeah, I tested it on my lab and you are right!
upvoted 2 times

  jam7272 2 years, 10 months ago


Exactly this! The rule is evaluated, if the rule is not matched it moves on to the next rule. So in this case the UDP rule is effectively
ignored because the traffic is TCP. The TCP rule then permits the traffic.
upvoted 1 times

  lcdr_scl 2 years, 8 months ago


Agree!! Yes and tested
upvoted 4 times

  Kopy 2 years, 5 months ago


Once traffic matches a rule, processing stops. As a result, any rules that exist with lower priorities (higher numbers) that have the same
attributes as rules with higher priorities are not processed.
upvoted 1 times

  Kopy 2 years, 5 months ago


but what the guy is saying is valid as they are both different rules (protocols)
upvoted 2 times

  mlantonis Highly Voted  2 years, 9 months ago

Correct Answer: A - Yes

RDP TCP is allowed at Subnet and on VM level NSGs.


The default port for RDP is TCP port 3389.
To enable RDP, you need to add "Allow" rule for 3389 port on TCP protocol.

Reference:

https://docs.microsoft.com/en-us/troubleshoot/azure/virtual-machines/troubleshoot-rdp-connection
upvoted 42 times

  houzer Most Recent  1 month, 3 weeks ago

Selected Answer: A

I tested in my lab and the correct answer is A. Not sure how others are getting B I followed the same instructions as detailed in the
question.
upvoted 1 times

  houzer 2 months ago


Selected Answer: B

I don't believe A is correct and don't understand what exactly you guys have tested?

If VM1 has a public IP address, the incoming traffic from the internet would first hit the NSG associated with the network interface (NSG-
VM1). If there's no matching rule in NSG-VM1, the default behavior is to deny the traffic. The traffic won't reach the NSG associated with
the subnet (NSG-Subnet1) because the default rules of NSG-VM1 would prevent it from doing so.

Therefore, you would first have to remove NSG-VM1 in order for NSG-Subnet1 to be evaluated.
upvoted 1 times

  houzer 1 month, 1 week ago


I was wrong here.
upvoted 1 times

  DBFront 3 months, 1 week ago

Selected Answer: A

A - Yes
Allowed TCP 3389 over both NSG's
upvoted 1 times

  HALLYdre 7 months, 3 weeks ago


The answer should be NO.
The destination of the NSG rule is the VNet, but the VNet IP range has no direct connection to the internet. The user on the internet will be
trying to connect to the public IP on the NIC and not the VNet IP range; the rule does not cover connection to the public IP, hence traffic
will be denied by the default rule.
upvoted 2 times

  isijama 8 months, 1 week ago

Selected Answer: A

"To allow port x to the virtual machine, both NSG1 and NSG2 must have a rule that allows port x from the internet." Or, in this scenario the
port would be 3389, so the answer is YES.
upvoted 1 times

  isijama 8 months, 1 week ago


reference:
https://learn.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works
upvoted 1 times

  RandomNickname 8 months, 1 week ago

Selected Answer: A

Agree with existing comments, RDP doesn't explicitly require UDP, so TCP will work.

Answer should be correct.


upvoted 1 times

  picho707 8 months, 2 weeks ago


Correct. It is "YES" because the two NSG are allowing TCP and UDP 3389 to the subnet and VM.
upvoted 1 times
  Exilic 9 months, 3 weeks ago

Selected Answer: B

OpenAI

"No, the proposed solution is not correct.

The existing custom inbound security rule on NSG-VM1 is already allowing inbound traffic on port 3389 using the UDP protocol. However,
Remote Desktop Protocol (RDP) uses TCP protocol, not UDP.

To meet the goal of being able to establish Remote Desktop connections from the internet to VM1, you need to modify the existing
custom inbound security rule on NSG-VM1 to use the TCP protocol instead of UDP.

Adding an inbound security rule to NSG-Subnet1 is not necessary as it only affects inbound traffic to resources within the subnet and does
not have any impact on inbound traffic to VM1."
upvoted 1 times

  djgodzilla 10 months, 3 weeks ago


even ChatGPT pleads the fifth:
"In your specific case, if you have an inbound NSG rule that allows traffic on port 3389 using TCP protocol and another inbound rule that
allows traffic on port 3389 using UDP protocol, both rules will be evaluated in the order described above. If there are no default rules in
the NSG, the rule with the lowest priority number will be evaluated first.

Assuming the priority numbers are the same for both rules, the next evaluation will be based on the traffic direction. Inbound rules are
evaluated first, so both rules will be evaluated. Finally, the rules will be evaluated based on their rule type. In this case, both rules are Allow
rules, so the order of evaluation does not matter."
upvoted 1 times

  CyberKelev 11 months, 3 weeks ago


Selected Answer: B

B. No.

The proposed solution is not correct because it adds a new inbound security rule that allows TCP protocol on port 3389 to both NSG-
Subnet1 and NSG-VM1, but the existing inbound security rule on NSG-VM1 allows UDP protocol on port 3389, not TCP. Therefore, the
proposed solution does not meet the goal of allowing Remote Desktop connections to VM1 from the internet.

To meet the goal, a new inbound security rule should be added to NSG-VM1 that allows TCP protocol on port 3389, in addition to the
existing inbound security rule that allows UDP protocol on port 3389. The inbound security rule on NSG-Subnet1 can remain as the default
rule.
upvoted 4 times

  MrBlueSky 11 months, 2 weeks ago


This is wrong.

The existing NSG rule that allows UDP over 3389 can be ignored. RDP uses TCP, so it needs to allow TCP over port 3389. It also allowing
UDP over port 3389 doesn't break anything, even though it's not helping.
upvoted 1 times

  EmnCours 1 year, 5 months ago

Selected Answer: A

Correct Answer: A
upvoted 1 times

  Lu5ck 1 year, 6 months ago

Selected Answer: A

Removing NSG-VM1 simply means VM is no longer regulated by any NSG.


Adding rules that allow 3389 which is RDP port and on TCP protocol to NSG-Subnet means the subnet now allow RDP connections.
upvoted 1 times

  Dumber 1 year, 6 months ago


Selected Answer: A

After re-reading the solution multiple times... The answer is yes.


You add an inbound security rule to NSG-Subnet1 AND NSG-VM1.....

So both NSG's will have the TCP rule and hence it will be allowed.
upvoted 1 times

  pkg007 1 year, 7 months ago


Tested in lab - Answer is Yes
upvoted 1 times

  nkhan19 1 year, 7 months ago

Selected Answer: B

This won't work.

Remember there are 2 NSGs, one is assigned on NIC of the VM which has a UDP protocol and another on the Subnet which now is added
with TCP 3389.
Both the NSG-VM1 and NSG-Subnet1 are evaluated one after the other and both the rules should allow this traffic.

Either remove the NSG-VM1 or change UDP to TCP.


upvoted 2 times

  trackstar 1 year, 6 months ago


The question clearly states: You add an inbound security rule to NSG-Subnet1 and NSG-VM1

The TCP rule allowing TCP 3389 (RDP) is created on BOTH NSGs.
Therefore the answer is yes.
upvoted 2 times
Question #20 Topic 5

HOTSPOT -

You have a virtual network named VNet1 that has the configuration shown in the following exhibit.

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.

NOTE: Each correct selection is worth one point.

Hot Area:
Correct Answer:

Box 1: add an address space

Your IaaS virtual machines (VMs) and PaaS role instances in a virtual network automatically receive a private IP address from a range that you
specify, based on the address space of the subnet they are connected to. We need to add the 192.168.1.0/24 address space.

Box 2: add a network interface

The 10.2.1.0/24 network exists. We need to add a network interface.

Reference:

https://docs.microsoft.com/en-us/office365/enterprise/designing-networking-for-microsoft-azure-iaas

  vojehol452 Highly Voted  3 years, 2 months ago

- Add an address space


- Add a subnet
upvoted 241 times

  01111010 3 months, 1 week ago


I tested this in the lab.
Box 1: Add an address space - explanation: One can add additional address space (192.168.0.0/16) to the VNet1, without having to
delete existing (10.2.0.0/16).
Box 2: Add subnet - explanation: Defined 'default' subnet from image example (10.2.0.0/24) contains 254 IP addresses, with last IP
being 10.2.0.254. In order to assign 10.2.1.0/24 IP address to VM we need to create add new subnet.
upvoted 6 times

  Alex2022_31 1 year, 1 month ago


Agree: Add an Address Space and then Add a subnet. Just tested it on the Portal and worked :)
upvoted 8 times

  usamnkkid 11 months ago


No you can't add 10.2.1.0/24 because it overlaps with 10.2.0.0/16. Check on Lab
upvoted 6 times

  usamnkkid 11 months ago


No, I am wrong. I am adding 10.2.1.0/24 in address space, however it already exists. I need to add a subnet. I get confused between
address spaces and subnets.
upvoted 8 times

  sardonique 4 months, 3 weeks ago


Address spaces there can be more than one per vNET; Subnets are subsets of the address spaces, there can be more than a subnet
for each address space.
upvoted 1 times

  Throwitawaynow Highly Voted  3 years, 2 months ago


Also wrong, the subnet range being created is 10.2.0.0 - 10.2.0.255 . So if you want to add an IP address from 10.2.1.0/24 you need to add
a new subnet.

Why are so many of these wrong?


upvoted 170 times

  AbleApe 1 year ago


There are other similar dumps on the internet which have incorrect answers. My best guess is the base for these questions come from
what the Exam Topics team was able to find online. From that base their moderators can update the questions and community can
vote on what looks like the best option. Personally, I like to be able to read everyone's comments and read through the additional
information and viewpoints. Some of the questions are just bad in general and I like knowing I'm not the only one who thinks they're
bad.
upvoted 9 times
  Nicksin 2 years, 7 months ago
Yeah there's tons, dunno how anyone is passing, lol.
upvoted 16 times

  tita_tovenaar 2 years, 7 months ago


start to like this place. Tried some other sites with “correct” answers without comments and didn’t trust it, lol.
upvoted 11 times

  jecawi9630 2 years, 7 months ago


You can almost ignore the answers / look at the questions, discussions, do your own research, and at the end if you didn’t already
lose your mind, then pass the exam 🤦🏻‍♂️
upvoted 38 times

  WindowAFX 1 year, 8 months ago


I assume like most, people use this for study and if not clear research the answer. NOT just memorise the Qs and answers given on
these cheat sheets.
upvoted 5 times

  izzotop 1 year, 4 months ago


Some of them are obviously wrong and not getting corrected. It looks like this service is intentionally kind of paired with MS behind the
scenes, to force us to learn on dumps instead of us trying to learn dumps answers by heart.

  zewenwu 3 years ago


don't you mean that the vnet range originally created is 10.2.0.0 - 10.2.255.255?
upvoted 5 times

  JamesDC 3 years ago


so what?... if you don't have any subnet how can you use those IPs?... Throw is correct!
upvoted 8 times

  tom999 2 years, 11 months ago


There is no dissent. Throw says the initial _subnet_ is 10.2.0.0 - 10.2.0.255. You say the initial vnet _address space_ is 10.2.0.0 -
10.2.255.255. Both are true.

However, in the first question you have to _first_ add an address space. (and then a subnet)
In the second question you only have to add a subnet as 10.2.1.0/24 is within the vnet's address range 10.2.0.0/16
upvoted 11 times

  PhoenixAscending Most Recent  1 week, 6 days ago

This was on my exam. The correct answer is provided by vojehol452.


upvoted 1 times

  clg003 1 month, 3 weeks ago


The VNET's address space is set to 10.2... How are you going to add a 192. subnet to a 10.2 VNET? You have to tear down the existing VNET
by deleting the subnet and redoing the address space to a 192...

Then add subnet for the second question.


upvoted 1 times

  w45ysgdfvsdgsdg 2 months ago


To add/modify an address space, we need to delete the existing subnet (otherwise it will not allow modifying the address space)
upvoted 1 times

  Josete1106 6 months, 4 weeks ago


- A1: Add an address space
- A2: Add a subnet

Is correct!
upvoted 3 times

  Exilic 9 months, 3 weeks ago


OpenAI

"Before a virtual machine on VNet1 can receive an IP address from 192.168.1.0/24, you must first add a subnet. This is because the current
address space of VNet1 is 10.2.0.0/16, which does not include the 192.168.1.0/24 address range.

Before a virtual machine on VNet1 can receive an IP address from 10.2.1.0/24, no further action is required as this address range falls
within the existing address space of VNet1 (10.2.0.0/16) and a subnet with the required address prefix can be created within this address
space."
upvoted 1 times

  habbey 9 months, 1 week ago


I don't even know what to believe anymore
upvoted 6 times
  CyberKelev 11 months, 3 weeks ago
To allow a virtual machine on VNet1 to receive an IP address from 192.168.110/24, you must first add a network interface.

To allow a virtual machine on VNet1 to receive an IP address from 10.2.1.0/24, you must first add a subnet.
upvoted 2 times

  isaugar 1 year ago


1. Add an address space
2. Add a subnet

Laboratory tested 100%


upvoted 5 times

  CloudNov 1 year, 1 month ago


Please correct me if I am wrong. Box 1 should be "Delete Subnet". Without that not possible to edit the address space. Tested in lab
upvoted 2 times

  Kaya99 6 months, 3 weeks ago


you are right, the VM can't get the 192 IP space until you delete and create the vnet
upvoted 1 times

  Bigc0ck 1 year, 1 month ago


definitely on test, I missed the first one. Put delete a subnet by mistake
upvoted 5 times

  Georgego 1 year, 1 month ago


Have been seeing you comment quite a bit on here, thanks for the heads up! Hopefully you have picked up your certificate by now.
upvoted 2 times

  spike15_mk 1 year, 2 months ago


First Answer: delete subnet
Explanation: Current IP Address Range of VNET1 is 10.2.0.0/16 with subnet 10.2.0.0/24. We want VM1 to get IP from 192.168.1.0/24. In
order to do that we need to change the IP address range of VNET1. We can not add a new IP address range on existing one. I see so many
comments add an address space.
1. Delete Subnet 10.2.0.0/24
2. Change the IP range Address Range in Address Space from 10.2.0.0/16 to 192.168.0.0/16
3. Add Subnet with 192.168.1.0/24
Second Answer: Add Subnet
The new Subnet with address 10.2.1.0/24 is in the range of IP Address range of VNET1 10.2.0.0/16 (10.2.0.0 to 10.2.255.255)

  Lexxsuse 1 year, 1 month ago


1 is wrong. One CAN add/remove/update address ranges.
https://learn.microsoft.com/en-us/azure/virtual-network/manage-virtual-network#add-or-remove-an-address-range
upvoted 1 times

  rupayan87 1 year, 2 months ago


The only subnet in the vnet is of address range 10.2.0.0/24
So address range usable for any VM is 10.2.0.4 to 10.2.0.254
For assigning the IP from the space 10.2.1.0/24 you need a subnet with that IP range.
upvoted 3 times

  ZakySama 1 year, 3 months ago


- Add an address space
- Add a subnet
upvoted 2 times

  micropbl4 1 year, 4 months ago


ANS1: add an address space
ANS2: add a subnet
upvoted 1 times

  EmnCours 1 year, 5 months ago


ANS1: add an address space
ANS2: add a subnet
upvoted 3 times

  cypherx 1 year, 5 months ago


Add Address Space
Add Subnet
is correct imo, question specify 10.2.1.0/24 which is separate subnet to 10.2.0.0/24, if it was a /16 ET answer would be correct
upvoted 1 times
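
The containment checks behind the address-space versus subnet argument in the comments above, as an added Python example that is not part of the original page. It uses the 10.2.0.0/16 address space and 10.2.0.0/24 default subnet quoted by the commenters; the function names are hypothetical.

```python
import ipaddress


def usable_range(subnet):
    """First and last address Azure hands out in a subnet.

    Azure reserves the first four addresses and the last one in every subnet.
    """
    net = ipaddress.ip_network(subnet)
    return str(net[4]), str(net[-2])


def address_space_conflicts(address_spaces, candidate):
    """Existing address spaces that overlap a range you try to add as a new one."""
    cand = ipaddress.ip_network(candidate)
    return [a for a in address_spaces if ipaddress.ip_network(a).overlaps(cand)]


def steps_needed(address_spaces, subnets, wanted):
    """VNet changes required before a NIC can draw an address from `wanted`."""
    want = ipaddress.ip_network(wanted)
    steps = []
    # 1. The range must sit inside one of the VNet's address spaces.
    if not any(want.subnet_of(ipaddress.ip_network(a)) for a in address_spaces):
        # A range that only partly overlaps an existing space cannot be added.
        clash = address_space_conflicts(address_spaces, wanted)
        if clash:
            raise ValueError(f"{wanted} overlaps existing address space {clash}")
        steps.append("add an address space")
    # 2. Addresses are assigned per subnet, so a subnet must cover the range.
    if not any(want.subnet_of(ipaddress.ip_network(s)) for s in subnets):
        steps.append("add a subnet")
    return steps


# Values quoted in the comments for VNet1.
ADDRESS_SPACES = ["10.2.0.0/16"]
SUBNETS = ["10.2.0.0/24"]

if __name__ == "__main__":
    for target in ("192.168.1.0/24", "10.2.1.0/24"):
        print(target, "->", steps_needed(ADDRESS_SPACES, SUBNETS, target))
    print("default subnet hands out", usable_range("10.2.0.0/24"))
    print("10.2.1.0/24 as a new address space clashes with",
          address_space_conflicts(ADDRESS_SPACES, "10.2.1.0/24"))
```
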
Question #21 Topic 5

You have an Azure subscription that contains a virtual network named VNET1. VNET1 contains the subnets shown in the following table.

Each virtual machine uses a static IP address.

You need to create network security groups (NSGs) to meet the following requirements:

✑ Allow web requests from the internet to VM3, VM4, VM5, and VM6.
✑ Allow all connections between VM1 and VM2.
✑ Allow Remote Desktop connections to VM1.
✑ Prevent all other network traffic to VNET1.
What is the minimum number of NSGs you should create?

A. 1

B. 3

C. 4

D. 12

Correct Answer: C

Each network security group also contains default security rules.

Note: A network security group (NSG) contains a list of security rules that allow or deny network traffic to resources connected to Azure Virtual
Networks (VNet).

NSGs can be associated to subnets, individual VMs (classic), or individual network interfaces (NIC) attached to VMs (Resource Manager).

Reference:

https://docs.microsoft.com/en-us/azure/virtual-network/security-overview#default-security-rules

Community vote distribution


A (67%) B (33%)

  mlantonis Highly Voted  2 years, 9 months ago

Correct Answer: A

NSGs can be associated to subnets, individual VMs (classic), or individual network interfaces (NIC) attached to VMs (Resource Manager).
You can associate zero, or one, NSG(s) to each VNet subnet and NIC in a virtual machine. The same NSG can be associated to as many
subnets and NICs as you choose.

So, you can create 1 NSG and associate it with all 3 Subnets.

- Allow web requests from internet to VM3, VM4, VM5 and VM 6: You need to add an inbound rule to allow Internet TCP 80 to VM3, VM4,
VM5 and VM6 static IP addresses.
- Allow all connections between VM1 & VM2: You do not need an NSG as communication in the same VNet is allowed by default, without
even configuring NSG.
- Allow remote desktop to VM1: You need to add an inbound rule to allow RDP 3389 in VM1’s static IP address.
- Prevent all other network traffic to VNET1: You do not need to configure any NSG as there is an explicit deny rule (DenyAllInbound) in
every NSG.
upvoted 338 times

  sumaju 4 months, 3 weeks ago


Hi mlantonis, I have the confusion about RDP to VM1. We need a separate rule for that. So 1 NSG rule will be enough?
upvoted 1 times

  josola 2 months, 3 weeks ago


Yes, you need a different rule for RDP in the same NSG. You don't need another NSG
upvoted 1 times

  Panapi 11 months, 3 weeks ago


Answer valid! This question was on the exam 22/02/2023. Scored 920. Thanks guys!
upvoted 15 times

  Durden871 11 months ago


There is no way you need 4. Congrats on the 920, but this might have been one of the few you got wrong.
From Udemy:
Explanation
Each VM has a static IP address. So, we can create multiple rules with in NSG to allow or block traffic based on IP address.

https://docs.microsoft.com/en-us/azure/virtual-network/security-overview
upvoted 2 times

  Slawekyo 10 months, 3 weeks ago


I think he meant that mlantonis's answer was valid
upvoted 6 times

  usamnkkid 11 months ago


The keyword here is each VM uses a static IP.
upvoted 2 times

  Holydud 1 year, 5 months ago


Was on exam 19 Aug 2022. Scored 870. Around 85% questions were also on ET. Answered A
upvoted 16 times

  JohnAvlakiotis Highly Voted  3 years, 2 months ago

I believe it's wrong. I would go with 1 NSG only. NSGs can associate to multiple subnets. There is no conflict in rules so all can be in 1 NSG.
My penny.
upvoted 103 times

  djgodzilla 1 year, 1 month ago


You guys seriously think a decent admin would allow such a mess in his network?
Let's put one NSG for the whole sub while we're at it.
If MSFT really put answer A as valid in the exam, then they're sending their certified folks right to the cliff.
So much for best practices smh!
upvoted 1 times

  NoobieWon 7 months ago


Can't you have 1000 rules in a single NSG? Each one can reference a Source and a Destination
upvoted 1 times

  Mehul078 7 months, 3 weeks ago


The question categorically mentions "minimum NSG required", and not best practices.
upvoted 1 times

  MrBlueSky 11 months, 2 weeks ago


The knowledge it's testing here is "How many NSGs are needed to accomplish the below?"

Not "What is the best practice?"

It's gauging your understanding of NSGs


upvoted 3 times

  JohnAvlakiotis 3 years, 2 months ago


Hmm... now that I think of it, the last prereq of deny all other traffic makes it to go for 4.
upvoted 2 times

  JohnAvlakiotis 3 years, 2 months ago


Damn!.. I think I will choose 1 NSG, because based on priorities I believe you can answer all the requirements.
upvoted 11 times

  canbe20 3 years, 2 months ago


How it's possible with 1 NSG? Web requests for those 4 VMs require 1 NSG and RDP for VM1 requires 1 NSG, so at least 2 are
required.
upvoted 1 times

  JulienYork 3 years, 2 months ago


They have the STATIC IP,
So you will provide the static ips of the vms as destinations and create rules per vm on ONE NSG
upvoted 15 times

  RoastChicken 2 years, 7 months ago


You attach a single NSG to each subnet.
upvoted 1 times

  ASIMIS 2 years, 7 months ago


NO NO NO, by default there will be a deny all at the bottom of all the rules. You don't need to create any deny traffic after adding
allow statements. By default there is an implicit deny all at the end. So JohnAvlakiotis is correct.
upvoted 3 times

  ASIMIS 2 years, 7 months ago


Sorry, I meant to say that your first statement was correct. You only need one NSG with several allow rules.
upvoted 1 times

  d0bermannn 2 years, 7 months ago


as one time solution agreed, 1 nsg will work,
but in enterprise network rules better to implement: 1 rule =1 service
upvoted 2 times

  Hafeezzahidi 3 years ago


keyword to this question is "Minimum NSG", so you are right
upvoted 6 times

  Libny Most Recent  3 weeks, 5 days ago


You can associate zero, or one, network security group to each virtual network subnet and network interface in a virtual machine. The
same network security group can be associated to as many subnets and network interfaces as you choose.
upvoted 1 times

  Arthur_zw 4 weeks ago


ChatGPT (it was prompted correctly with all requirements and understood the task)

In summary, you would need three NSGs, each associated with its respective subnet:

NSG1 for Subnet1 (VM1 and VM2)
- Allow all traffic between VM1 and VM2
- Allow incoming RDP to VM1
- Deny all other inbound and outbound traffic

NSG2 for Subnet2 (VM3 and VM4)
- Allow incoming web traffic (HTTP/HTTPS) to VM3 and VM4
- Deny all other inbound and outbound traffic

NSG3 for Subnet3 (VM5 and VM6)
- Allow incoming web traffic (HTTP/HTTPS) to VM5 and VM6
- Deny all other inbound and outbound traffic
upvoted 1 times

  Rayza31 3 months, 2 weeks ago


The fact that the answers provided in the solution section are wrong makes this very difficult to study for.
upvoted 1 times

  zzreflexzz 9 months, 2 weeks ago


on exam 4/29/23
upvoted 1 times

  Durden871 11 months ago


lol 4?! ET really wants you to get this question wrong. You need 1. I understand people saying 3. The 4th ask applies to all VMs, so why
even have a separate policy for it?
upvoted 1 times

  GBAU 1 year ago


Depends on how many NSGs already existed? Assuming ZERO

Answer A (1)

Lets call it NSG1


-Add Rule Priority 100 ANY-> 80/443 to IPs of VM3,4,5,6 Allow
-Add Rule Priority 101 ANY-> 3389 to IP of VM1 Allow
-Default Rule Deny Prevents all other inbound connections
Apply it to all Subnets

Job Done
upvoted 3 times

  Mo22 1 year ago


Selected Answer: B

One NSG for the web requests from the internet to VM3, VM4, VM5, and VM6.
One NSG for the connections between VM1 and VM2.
One NSG for the Remote Desktop connections to VM1.
By configuring these NSGs, you can allow the required traffic and prevent all other network traffic to VNET1.
upvoted 3 times

  MrBlueSky 11 months, 2 weeks ago


Wrong.

There's nothing stopping you from putting all the rules into a single NSG and then attaching the one NSG to every subnet.
upvoted 2 times

  CloudNov 1 year ago


Should be A: 1, tested in Lab
upvoted 2 times

  darthfodio 1 year, 1 month ago


The correct answer should include more than 1 NSG. MeasureUp practice questions for this exam include a question with this exact
scenario but with 7 VMs. I chose 1 NSG as my answer and got the question wrong. The answer was 3 NSGs. Microsoft also throws a hint in
the wording of the question that they're expecting more than 1 NSG, by stating "network security groups (NSGs)."
upvoted 1 times

  darthfodio 1 year, 1 month ago


Here is the solution explanation by Measure up:

You need to create at least three security groups (NSGs). These would include:

- One NSG assigned to Subnet(x) and Subnet(y) to allow connections from the internet and deny any other connections.
- One NSG assigned to Subnet(n) to allow connections between virtual machines (VMs) and deny any other connections.
- One NSG assigned to VM to Deny (or Allow for this scenario) Remote Desktop connections.
You can assign the same NSG to multiple subnets.

The recommended method to manage network security through NSGs is to use NSGs assigned at the subnet level whenever possible.
NSGs should be assigned directly to VMs only as necessary to handle exceptions.
upvoted 1 times

  darthfodio 1 year, 1 month ago


References:

Create, change, or delete a network security group - https://learn.microsoft.com/en-us/azure/virtual-network/manage-network-security-group?tabs=network-security-group-portal

Create, change, or delete a network interface - https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface?tabs=network-interface-portal

Network security groups - https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview


upvoted 1 times

  spike15_mk 1 year, 1 month ago


Correct Answer is 4 NSGs

Explanation:
You can not associate multiple Subnet to 1 NSG (Subnet Level)
1. NSG1-Subnet2 (VM3 and VM4 Allow web request)
2. NSG2-Subnet3 (VM5 and VM6 Allow web request)
3. NSG3-Subnet1 (VM1 and VM2 Prevent all other network traffic to VNET1)
4. NSG4-NICVM1 (Allow Remote Desktop connections to VM1 not VM2 we must set on NIC)
upvoted 1 times

  chikorita 1 year ago


i wish there was a DOWNVOTE option
upvoted 4 times

  cassucena 1 year, 3 months ago


I would go for 01 NSG but at the simulated test by Microsoft (enterprise Skills) the answer is B, 03 NSGs.
upvoted 3 times

  shoutiv 1 year, 2 months ago


Agree, 3 NSGs. There was explanation if I remember correctly:
- First NSG assigned to Subnet 2 and Subnet3 to allow connections from internet and deny other traffic
- Second NSG assigned to Subnet1 to allow connections between Vms (1 and 2) and deny other traffic
- Third NSG assigned to VM1 to allow RDP
upvoted 1 times

  obatunde 1 year, 4 months ago

Selected Answer: A

You only need to create one NSG and you can associate it with all the three subnets
upvoted 1 times

  EmnCours 1 year, 5 months ago


Selected Answer: A

Correct Answer: A
upvoted 1 times

  King4o 1 year, 6 months ago


every fucking question is wrong, I am really pissed off
upvoted 3 times

  nkhan19 1 year, 7 months ago


Selected Answer: B
Answer is 3 NSGs.

NSG can be associated with Subnet or NIC of the VMs,

Look at first condition, VM3,VM4 (1 NSG on subnet) & VM5, VM6 (1 NSG on subnet). there goes your A into trash.

One more is needed for RDP and block other traffic. 3 NSG it is!
upvoted 2 times
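
The evaluation order argued over in the two NSG threads above (the RDP question with NSG-Subnet1 and NSG-VM1, and the minimum-number-of-NSGs question), as an added Python model that is not part of the original page or of any Azure tooling. Rule priorities, the 10.0.0.0/16 address space, the VM private IPs and the 203.0.113.10 client are constructed; the default rules are reduced to AllowVnetInBound and DenyAllInBound.

```python
import ipaddress
from dataclasses import dataclass

VNET = ipaddress.ip_network("10.0.0.0/16")  # constructed address space


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int          # lower number is evaluated first
    access: str            # "Allow" or "Deny"
    protocol: str = "*"    # "Tcp", "Udp" or "*"
    port: object = "*"     # destination port number or "*"
    source: str = "*"      # "Internet", "VirtualNetwork" or "*"
    dest: tuple = ("*",)   # destination IPs/CIDRs, "VirtualNetwork" or "*"


# Default inbound rules present in every NSG. The AzureLoadBalancer rule at
# priority 65001 is left out because no probe traffic is modelled here.
DEFAULTS = (
    Rule("AllowVnetInBound", 65000, "Allow",
         source="VirtualNetwork", dest=("VirtualNetwork",)),
    Rule("DenyAllInBound", 65500, "Deny"),
)


def _tag(ip):
    return "VirtualNetwork" if ipaddress.ip_address(ip) in VNET else "Internet"


def _dest_matches(rule, ip):
    for d in rule.dest:
        if d == "*" or (d == "VirtualNetwork" and _tag(ip) == d):
            return True
        if d != "VirtualNetwork" and ipaddress.ip_address(ip) in ipaddress.ip_network(d):
            return True
    return False


def matches(rule, pkt):
    src, proto, dst, port = pkt
    return (rule.protocol in ("*", proto) and rule.port in ("*", port)
            and rule.source in ("*", _tag(src)) and _dest_matches(rule, dst))


def evaluate(custom_rules, pkt):
    """The first matching rule in ascending priority decides; the rest are skipped."""
    for rule in sorted(tuple(custom_rules) + DEFAULTS, key=lambda r: r.priority):
        if matches(rule, pkt):
            return rule.access, rule.name
    raise AssertionError("unreachable: DenyAllInBound matches every packet")


def inbound(subnet_nsg, nic_nsg, pkt):
    """Inbound traffic meets the subnet NSG first, then the NIC NSG; both must allow.

    None means no NSG is associated at that level.
    """
    trace = []
    for level, rules in (("subnet", subnet_nsg), ("nic", nic_nsg)):
        if rules is None:
            continue
        access, name = evaluate(rules, pkt)
        trace.append((level, name))
        if access == "Deny":
            return False, trace
    return True, trace


# Constructed static IPs; the page's subnet table is not reproduced here.
VM = {"VM1": "10.0.1.4", "VM2": "10.0.1.5", "VM3": "10.0.2.4",
      "VM4": "10.0.2.5", "VM5": "10.0.3.4", "VM6": "10.0.3.5"}
CLIENT = "203.0.113.10"  # constructed internet client

# Scenario 1 (RDP thread): NSG-VM1 already allows UDP 3389.
UDP_3389 = Rule("Allow-UDP-3389", 100, "Allow", "Udp", 3389, "Internet")
TCP_3389 = Rule("Allow-TCP-3389", 110, "Allow", "Tcp", 3389, "Internet")
RDP = (CLIENT, "Tcp", VM["VM1"], 3389)


def rdp_rule_on_both():
    """TCP rule added to NSG-Subnet1 and NSG-VM1, as the proposed solution states."""
    return inbound([TCP_3389], [UDP_3389, TCP_3389], RDP)


def rdp_rule_on_subnet_only():
    """TCP rule added to NSG-Subnet1 only; NSG-VM1 keeps just the UDP rule."""
    return inbound([TCP_3389], [UDP_3389], RDP)


# Scenario 2 (minimum-NSG thread): one NSG associated with all three subnets.
ONE_NSG = [
    Rule("Allow-Web", 100, "Allow", "Tcp", 80, "Internet",
         tuple(VM[v] for v in ("VM3", "VM4", "VM5", "VM6"))),
    Rule("Allow-RDP-VM1", 110, "Allow", "Tcp", 3389, "Internet", (VM["VM1"],)),
]


def one_nsg(src, proto, dst_vm, port):
    return inbound(ONE_NSG, None, (src, proto, VM[dst_vm], port))


if __name__ == "__main__":
    print("RDP, TCP rule on both NSGs:   ", rdp_rule_on_both())
    print("RDP, TCP rule on subnet only: ", rdp_rule_on_subnet_only())
    print("web to VM3:", one_nsg(CLIENT, "Tcp", "VM3", 80))
    print("RDP to VM2:", one_nsg(CLIENT, "Tcp", "VM2", 3389))
    print("VM2 to VM1:", one_nsg(VM["VM2"], "Tcp", "VM1", 445))
```

The trace in each result names the rule that decided at each level, which makes it visible that the UDP rule is skipped for TCP traffic and that intra-VNet traffic is admitted by the default AllowVnetInBound rule.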
Question #22 Topic 5

You have an Azure subscription that contains the resources shown in the following table.

The Not allowed resource types Azure policy that has policy enforcement enabled is assigned to RG1 and uses the following parameters:

Microsoft.Network/virtualNetworks

Microsoft.Compute/virtualMachines

In RG1, you need to create a new virtual machine named VM2, and then connect VM2 to VNET1.

What should you do first?

A. Remove Microsoft.Compute/virtualMachines from the policy.

B. Create an Azure Resource Manager template

C. Add a subnet to VNET1.

D. Remove Microsoft.Network/virtualNetworks from the policy.

Correct Answer: A

The Not allowed resource types Azure policy prohibits the deployment of specified resource types. You specify an array of the resource types to
block.

Virtual Networks and Virtual Machines are prohibited.

Reference:

https://docs.microsoft.com/en-us/azure/governance/policy/samples/not-allowed-resource-types

Community vote distribution


A (100%)

  khengoolman Highly Voted  2 years, 4 months ago

Passed 11 Oct 2021 with 947. This question appeared, correct Answer is A
upvoted 30 times

  nidhogg Highly Voted  2 years ago

On the exam today, 1.feb.2022


Just 761/1000, but OK! :D
Thanks to ExamTopics and to you all!
upvoted 16 times

  PhoenixAscending Most Recent  1 week, 6 days ago

This was on my exam. The suggested answer to the question is correct.


upvoted 1 times

  Gregsenn 5 months, 2 weeks ago


On exam 29/08/23
upvoted 2 times

  zellck 1 year ago


Selected Answer: A

A is the answer.

https://learn.microsoft.com/en-us/azure/governance/policy/overview#azure-policy-objects
Not allowed resource types (Deny): Prevents a list of resource types from being deployed.
upvoted 3 times

  Notteb 1 year ago

Selected Answer: A

Correct Answer: A
upvoted 1 times

  Max_on_neptune 1 year, 2 months ago


Exam Question on 01DEC 2022
upvoted 6 times

  Manu_0502 1 year, 2 months ago


Hi max, how many questions came from ExamTopics?
upvoted 1 times

  Magis 1 year, 4 months ago

Selected Answer: A

Correct Answer A. Tested in LAB


upvoted 3 times

  EmnCours 1 year, 5 months ago

Selected Answer: A

Correct Answer: A
upvoted 1 times

  rasmart 1 year, 10 months ago

Selected Answer: A

check comment
upvoted 1 times

  sid132 1 year, 11 months ago


On the exam today, 4.March.2022
upvoted 1 times

  hanahjane13 2 years, 2 months ago


A, no need to add the vnet
upvoted 3 times

  yoelalan14 2 years, 2 months ago


Answer is A because we already have the VNET in place, so the only thing that would get blocked by this policy would be the NEW vm we
are creating
upvoted 13 times

  filipov1 2 years, 2 months ago


so dump question
upvoted 5 times

  binq 2 years, 2 months ago


Love what you did here : )
upvoted 4 times

  JayJay22215 1 year, 11 months ago


If it was intentional, yes :D
upvoted 1 times

  ScoutP 2 years, 4 months ago


This question was asked on exam taken on Sept 30, 2021
upvoted 3 times

  Beng_ali 2 years, 4 months ago


Correct answer, asked on my exam today 02/10/21
upvoted 3 times
Question #23 Topic 5

Your company has an Azure subscription named Subscription1.

The company also has two on-premises servers named Server1 and Server2 that run Windows Server 2016. Server1 is configured as a DNS server
that has a primary DNS zone named adatum.com. Adatum.com contains 1,000 DNS records.

You manage Server1 and Subscription1 from Server2. Server2 has the following tools installed:

✑ The DNS Manager console
✑ Azure PowerShell
✑ Azure CLI 2.0
You need to move the adatum.com zone to an Azure DNS zone in Subscription1. The solution must minimize administrative effort.

What should you use?

A. Azure CLI

B. Azure PowerShell

C. the Azure portal

D. the DNS Manager console

Correct Answer: B

Step 1: Installing the DNS migration script

Open an elevated PowerShell window (Administrative mode) and run the following command:

install-script PrivateDnsMigrationScript

Step 2: Running the script

Execute the following command to run the script:

PrivateDnsMigrationScript.ps1

Reference:

https://docs.microsoft.com/en-us/azure/dns/private-dns-migration-guide

Community vote distribution


A (78%) B (22%)

  asdf12345a Highly Voted  3 years, 2 months ago

Answer is incorrect, it should be A - Azure CLI.


https://docs.microsoft.com/en-us/azure/dns/dns-import-export
- Azure DNS supports importing and exporting zone files by using the Azure command-line interface (CLI). Zone file import is not currently
supported via Azure PowerShell or the Azure portal.

PrivateDNSMigrationScript is for migrating legacy Azure DNS private zones to the new Azure DNS private zone resource.
upvoted 128 times

  AubinBakana 2 years, 5 months ago


Windows Server 2016 is a legacy server, isn't it? :)
upvoted 1 times

  vikki 3 years ago


Agree. Besides, prerequisites of using PrivateDNSMigrationScript were lack to provide in the question:
1. Make sure you have installed latest version of Azure PowerShell.
2. Make sure that you've Az.PrivateDns module for the Azure PowerShell installed.

I think the point of this question is "The solution must minimize administrative effort." without proper scenario.
upvoted 2 times

  vikki 3 years ago


Due to the statements in the document: The migration process is simple, and we've provided a PowerShell script to automate this
process.
https://docs.microsoft.com/en-us/azure/dns/private-dns-migration-guide
upvoted 3 times

  amigaguy 2 months, 1 week ago


That link is for migrating legacy Azure DNS zones to modern Azure DNS zones. Migrating on-prem DNS to Azure DNS the proper
reference is: https://learn.microsoft.com/en-us/azure/dns/dns-import-export
upvoted 1 times

  Anurag_Azure Highly Voted  2 years, 9 months ago


so basically we are just paying for a collection of questions and ability to ask others for answers....EXAMTOPICS has no responsibility to at
least mark right answers...otherwise give that access to us so that as community we correct answers too
upvoted 115 times

  theorut 1 year, 11 months ago


In my opinion Examtopic does a great job and I like to pay for this service. Incorrect answers are no problem for me and I learn a lot
from these discussions.
upvoted 40 times

  [Removed] 1 year, 6 months ago


u work for them? lol
upvoted 18 times

  Kalzonee3611 4 months, 1 week ago


If they were all correct the website wouldn't be up still :D
upvoted 1 times

  Durden871 11 months ago


Blatantly wrong answers make me lose faith in their services. The comments are a wonderful addition, but even then sometimes the
back and forth creates a popsicle headache.
upvoted 8 times

  61Reasons 1 year, 6 months ago


And how would ET confirm the real answer? Ask MSFT? Not. And, don't forget even MSFT can write an ambiguous question, which
means ET would have to say "Exam answer according to MSFT is B, but really it's A." So I don't share your concern, I think doing it the
way they did was best for all of us.
upvoted 7 times

  GBAU 1 year ago


Well, they could pay someone to go through and assess/fix all the obvious wrong answers listed on questions as the answers.
upvoted 4 times

  ScreamingHand 2 years, 8 months ago


Yes, - and I am very happy with that, I enjoy reading the discussions
upvoted 31 times

  clouddba 2 years, 7 months ago


I agree, which is very much exciting. ExamTopics already provided their answers and almost all of their explanations
upvoted 6 times

  Makkee 2 years, 5 months ago


You're not paying anything...
upvoted 5 times

  rockhound 2 years, 5 months ago


i did pay 15 euros...
upvoted 16 times

  ki01 1 month, 4 weeks ago


and now it's 50 eur..... with no real increase in quality. Some questions repeat 10 times, some have community answers that are
correct but are not getting put on the actual choice as correct. Sad that the quality control isn't there considering how much cash
is being charged. And the yearly pro plan is such an edge case joke
upvoted 1 times

  orion1024 2 years, 4 months ago


Access to information is free though
upvoted 1 times

  VM090 2 years ago


Not 100%, only 70% access for free and remaining 30% requires sub
upvoted 17 times

  Gino_Slim 1 year, 7 months ago


Yep, that's where they got me. I take the test tomorrow and I got hit with the remaining piece costs.
upvoted 8 times

  Amir1909 Most Recent  2 days, 4 hours ago

A is correct
upvoted 1 times

  nchebbi 2 months, 4 weeks ago


Correct Answer is A & C, az cli and Portal both support importing dns files now.
Ref for portal: https://learn.microsoft.com/en-us/azure/dns/dns-import-export-portal
Ref for cli: https://learn.microsoft.com/en-us/azure/dns/dns-import-export
upvoted 2 times
  amsioso 2 months ago
But you manage Server1 and Subscription1 from Server2. And Server2 has only the enumerated tools installed. So A.
upvoted 2 times

  JonWick 3 months, 1 week ago


the answer is Azure CLI
upvoted 1 times

  Geet_2023 3 months, 3 weeks ago


az network dns zone import -g <resource group> -n <zone name> -f <zone file name>
upvoted 1 times

  DWILK 3 months, 3 weeks ago


I don't know why they said PS was correct. Azure CLI is much better and I thought it was replacing Azure PS
upvoted 1 times

  KMLearn2 5 months ago


Selected Answer: B

I think the key point is "minimize administrative effort".


Yes, you need Azure CLI at first but then PowerShell for the PrivateDNSMigrationScript and you can call CLI commands inside of
PowerShell.
Also in the prerequisites they're talking about PowerShell and not CLI:
https://learn.microsoft.com/en-us/azure/dns/private-dns-migration-guide#prerequisites
upvoted 1 times

  TinyRunner 6 months, 2 weeks ago


Answer is incorrect, it should be A.

It's important to disclaim that when we deal with DNS migrations (expo-impo) between DNS we must handle it with their DNS FILE.
So the only way to operate with these FILES is via Azure CLI.

"A DNS zone file is a text file containing information about every Domain Name System (DNS) record in the zone. It follows a standard
format, making it suitable for transferring DNS records between DNS systems. Using a zone file is a fast and convenient way to import
DNS zones into Azure DNS. You can also export a zone file from Azure DNS to use with other DNS systems."

https://learn.microsoft.com/en-us/azure/dns/dns-import-export#introduction-to-dns-zone-migration
upvoted 1 times

  Teroristo 6 months, 2 weeks ago


Azure DNS supports importing and exporting zone files by using the Azure command-line interface (CLI). Zone file import is not currently
supported via Azure PowerShell or the Azure portal.

References: https://docs.microsoft.com/en-us/azure/dns/dns-import-export
upvoted 4 times

  Dush3695 6 months, 3 weeks ago


Selected Answer: B

B. Azure PowerShell
upvoted 1 times

  Sri944 7 months, 1 week ago


Microsoft Q&A page that says “importing zone files via Azure PowerShell or the Azure portal is not supported currently”. However, you
can use Azure CLI to import and export zone files.
upvoted 3 times

  Tomix 7 months, 2 weeks ago


To move the adatum.com zone to an Azure DNS zone in Subscription1 while minimizing administrative effort, you should use Azure
PowerShell.

Azure PowerShell provides a comprehensive set of cmdlets for managing Azure resources, including Azure DNS. With Azure PowerShell,
you can automate the process of creating a new Azure DNS zone, configuring the necessary DNS records, and migrating the adatum.com
zone from Server1 to the Azure DNS zone.
upvoted 1 times

  kengy 8 months, 2 weeks ago

Selected Answer: A

Azure CLI
https://learn.microsoft.com/en-us/azure/dns/dns-import-export#introduction-to-dns-zone-migration
upvoted 2 times

  zambonini 8 months, 3 weeks ago


Answer is Azure CLI

Azure DNS supports importing and exporting zone files by using the Azure command-line interface (CLI). Zone file import is not currently
supported via Azure PowerShell or the Azure portal.
PrivateDNSMigrationScript is for migrating legacy Azure DNS private zones to the new Azure DNS private zone resource.

Reference:
https://docs.microsoft.com/en-us/azure/dns/dns-import-export
https://docs.microsoft.com/en-us/azure/dns/private-dns-migration-guide
upvoted 1 times

  SIAMIANJI 8 months, 3 weeks ago


Selected Answer: A

I changed my mind. A is correct:


Azure DNS supports importing and exporting zone files via the Azure CLI. Importing zone files via Azure PowerShell or the Azure portal is
not supported currently.

https://learn.microsoft.com/en-us/azure/dns/dns-import-export
upvoted 1 times

  SIAMIANJI 8 months, 3 weeks ago

Selected Answer: B

To move the adatum.com zone to an Azure DNS zone in Subscription1 while minimizing administrative effort, you should use Azure
PowerShell.

Azure PowerShell provides a comprehensive set of cmdlets specifically designed for managing Azure resources and services, including
Azure DNS. Using Azure PowerShell, you can easily automate the process of creating an Azure DNS zone, importing the existing DNS
records from Server1, and configuring the necessary settings.
upvoted 1 times
Question #24 Topic 5

You have a public load balancer that balances ports 80 and 443 across three virtual machines named VM1, VM2, and VM3.

You need to direct all the Remote Desktop Protocol (RDP) connections to VM3 only.

What should you configure?

A. an inbound NAT rule

B. a new public load balancer for VM3

C. a frontend IP configuration

D. a load balancing rule

Correct Answer: A

Reference:

https://docs.microsoft.com/en-us/azure/load-balancer/tutorial-load-balancer-port-forwarding-portal

https://pixelrobots.co.uk/2017/08/azure-load-balancer-for-rds/

Community vote distribution


A (100%)

  [Removed] Highly Voted  2 years, 4 months ago

An inbound NAT rule forwards incoming traffic to a specific virtual machine


Service: RDP
Protocol: TCP
Port: 3389
Target VM =VM3
upvoted 46 times

  Panapi 11 months, 3 weeks ago


Answer valid! This question was on the exam 22/02/2023. Scored 920.
upvoted 10 times

  natka1130 Highly Voted  2 years, 4 months ago

The difference between inbound NAT rules and port mapping in load balancer rules is that inbound NAT rules apply to direct forwarding
to a VM, whereas load balancer rules forward traffic to a backend pool.
upvoted 33 times

  JonWick Most Recent  3 months, 1 week ago

answer is inbound NAT rule.


upvoted 1 times

  tomasek88 10 months, 3 weeks ago


Selected Answer: A

A is correct
upvoted 2 times

  CyberKelev 11 months, 3 weeks ago

Selected Answer: A

A. an inbound NAT rule.

To direct all RDP connections to VM3 only, you need to create an inbound NAT rule that maps the RDP port (3389) to the RDP port of VM3.
You can do this by specifying the frontend IP configuration of the public load balancer, the protocol (TCP), the frontend port (3389), and
the backend port (3389) of VM3 in the inbound NAT rule. This will route all incoming RDP traffic to VM3 only, regardless of the load
balancing configuration.
upvoted 3 times

  sourabhg 1 year, 3 months ago

Selected Answer: A

An inbound NAT rule forwards incoming traffic to a specific virtual machine


Service: RDP
Protocol: TCP
Port: 3389
Target VM =VM3
upvoted 4 times

  Mev4953 1 year, 5 months ago


See this, 11:22
https://www.youtube.com/watch?v=ow5fZM6abtA&ab_channel=TeachMeCloud
upvoted 2 times

  EmnCours 1 year, 5 months ago

Selected Answer: A

Correct Answer: A
upvoted 2 times

  Dobby25 1 year, 11 months ago


Received this on my exam today 19/03/2022
upvoted 4 times

  pappkarcsiii 2 years ago

Selected Answer: A

An inbound NAT rule forwards incoming traffic to a specific virtual machine


upvoted 3 times

  GD01 2 years, 4 months ago


A is correct .... An inbound NAT rule forwards incoming traffic sent to frontend IP address and port combination. The traffic is sent to a
specific virtual machine or instance in the backend pool.

https://docs.microsoft.com/en-us/azure/load-balancer/components
upvoted 9 times

  Waltwhiteman 2 years, 4 months ago


Correct.
Inbound Network Address Translation (NAT) rules are an optional setting in Azure Load Balancer. These rules essentially create another
port mapping from the frontend to the backend, forwarding traffic from a specific port on the frontend to a specific port in the backend.
upvoted 5 times

  omaro 2 years, 4 months ago


Discussion button says: Exam AZ-104 topic 5 question 31 discussion.
But I see nothing
upvoted 1 times

  ScoutP 2 years, 4 months ago


Because there is no discussion for this question yet
upvoted 3 times

  omaro 2 years, 4 months ago


????????????????????????????
upvoted 4 times
Question #25 Topic 5

HOTSPOT -

You have an Azure subscription named Subscription1 that contains the virtual networks in the following table.

Subscription1 contains the virtual machines in the following table.

In Subscription1, you create a load balancer that has the following configurations:

✑ Name: LB1
✑ SKU: Basic
✑ Type: Internal
✑ Subnet: Subnet12
✑ Virtual network: VNET1
For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

Reference:

https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-standard-overview

  mlantonis Highly Voted  2 years, 9 months ago

Correct Answer:

Basic Load Balancer: Backend pool endpoints for Virtual machines in a single availability set or virtual machine scale set.

Subnet12 association will be used to assign an IP for the internal load balancer, not to load balance the VMs in the Subnet.

Box 1: Yes
VM1 and VM2 are in the Availability Set.
Box 2: No
Both VMs are not part of any Availability Set or Scale Set.
Box 3: No
Both VMs are not part of any Availability Set or Scale Set.

Reference:
https://docs.microsoft.com/en-us/azure/load-balancer/skus
upvoted 173 times

  Mshahid 5 months, 3 weeks ago


your explanation and reasoning are so good!!! Very helpful.
upvoted 3 times

  nkhan19 1 year, 7 months ago


BASIC SKU : Virtual machines in a single availability set or virtual machine scale set
upvoted 6 times

  Aghora Highly Voted  3 years, 2 months ago


answer is correct
y: vm1 and vm2 is same scale set
no : both vms are in single VMs not in scale set or Av set
no: same as 2

you cannot use basic load balancer to balance between single VMs. They have to be in a scale set or availability set
https://docs.microsoft.com/en-us/azure/load-balancer/skus
upvoted 61 times

  Steve1983 2 years, 7 months ago


Correct my friend!

"They are the machines or services that create a backend pool. The Basic Tier is quite limiting. It can only have a single availability set,
virtual machine scale set or a single machine. The Standard Tier can span any virtual machine in a single virtual network which includes
blends of scale sets, availability sets, and machines."
upvoted 12 times

  SkyZeroZx Most Recent  1 month ago

YNN
and why is necessary know the restrictions of basic tier of get an architect?
upvoted 1 times

  Exams_Prep_2021 1 month, 2 weeks ago


in exam 26/12/2023
upvoted 1 times

  Ahkhan 3 months, 1 week ago


FYI - for standard load balancer, VMs must be in the same vNET and for Basic, they must be in an availability set.
upvoted 3 times

  Yaruk 5 months, 2 weeks ago


YNN.
Standard Load Balancer: Any virtual machines or virtual machine scale sets in a single virtual network
Basic Load Balancer: Virtual machines in a single availability set or virtual machine scale set
https://learn.microsoft.com/en-us/azure/load-balancer/skus
upvoted 2 times

  Yaruk 5 months, 2 weeks ago


Correct Answer:
upvoted 1 times

  marioZuo 6 months, 3 weeks ago


what is Vnet2 used for in the question?
upvoted 1 times

  BShelat 1 year, 1 month ago


LB1 is in subnet 12, NOT in subnet 11. Now VM1 & 2 are in a single availability set but they are in subnet 11. So how can LB1 sitting in subnet
12 balance the traffic among VM1 & 2? VM3 & 4 are in subnet 11 with no availability set. VM5 & 6 are in subnet 12 but without
availability set. So in my opinion answer is "No" for all 3 conditions. Where am I wrong and why?
upvoted 5 times

  Muffay 1 year, 1 month ago


An internal load balancer enables the following types of load balancing:
Within a virtual network. Load balancing from VMs in the virtual network to a set of VMs that reside within the same virtual network.
https://learn.microsoft.com/en-us/training/modules/configure-azure-load-balancer/4-implement-internal

Note that it mentions *within the same virtual network*, not *within the same subnet*.
upvoted 2 times

  ZakySama 1 year, 3 months ago


Basic SKU: Virtual machines in a single availability set or virtual machine scale set
Standard SKU: Any virtual machines or virtual machine scale sets in a single virtual network
upvoted 3 times

  klexams 1 year, 3 months ago


Y - same vnet1
N - basic LB needs VMs in AS
N - different vnet and VMs not in AS
upvoted 2 times

  qwerty100 1 year, 4 months ago


The questions posted by @observador081 aren't included in the "examtopics AZ-104". I think they can be possible questions
(You can check below in the comments)
upvoted 1 times

  EmnCours 1 year, 5 months ago


answer is correct
upvoted 1 times

  Lazylinux 1 year, 7 months ago


YES NO NO
YES both VMs are in Av set
Both NOs because all VMs are not part of the AV set
upvoted 3 times

  Lazylinux 1 year, 8 months ago


I agree with answer and mlantonis explained it really well
upvoted 3 times

  observador081 1 year, 8 months ago


You have an Azure subscription that contains a user called User1, a resource group called RG1, and a virtual machine called VM1.

You enable a system-assigned managed identity for VM1.

Which identities can you assign the Report Reader role to?

Please select only one answer.

A-User1 only

B-Only User1 and RG1

C-Only User1 and VM1

D-User1, RG1 and VM1


upvoted 1 times

  GenjamBhai 1 year, 8 months ago


A = User1 only.
Ref: https://docs.microsoft.com/en-us/answers/questions/598795/reports-reader-role.html
upvoted 1 times

  observador081 1 year, 8 months ago


You have an Azure Active Directory tenant that contains the following identities:

User1, a user in Azure Active Directory

Group1, a security group that uses dynamic user membership

Group2, a Microsoft 365 group that uses assigned membership

Group3, a security group that uses assigned membership

Which identity or identities can be added as members of Group3?

Please select only one answer.

A-User1 only

B-Only User1 and Group1

C-Only User1 and Group2

D-User1, Group1 and Group2


upvoted 1 times

  GenjamBhai 1 year, 7 months ago


B - User1 and Group1
upvoted 1 times
Question #26 Topic 5

HOTSPOT -

You have an Azure virtual machine that runs Windows Server 2019 and has the following configurations:

✑ Name: VM1
✑ Location: West US
✑ Connected to: VNET1
✑ Private IP address: 10.1.0.4
✑ Public IP addresses: 52.186.85.63
✑ DNS suffix in Windows Server: Adatum.com
You create the Azure DNS zones shown in the following table.

You need to identify which DNS zones you can link to VNET1 and the DNS zones to which VM1 can automatically register.

Which zones should you identify? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

Reference:

https://docs.microsoft.com/en-us/azure/dns/private-dns-overview

  mlantonis Highly Voted  2 years, 9 months ago

Correct Answer:

Box 1: Private
Box 2: Private

You can only link VNETs to private DNS zones and accordingly auto register a VNET only to private DNS zones. Private DNS zones
can be linked with VNETs (not public ones). And VM can auto-register to any private DNS zone linked with the Vnet and with the
auto-registration option set.
To resolve the records of a private DNS zone from your virtual network, you must link the virtual network with the zone. Linked virtual
networks have full access and can resolve all DNS records published in the private zone.
upvoted 143 times

  fedztedz Highly Voted  3 years, 1 month ago

Answer is correct. Private zones only / Private zones only.


You can only link Virtual networks to private DNS zones only and accordingly auto register a VNET only to a private DNS zones.
check https://docs.microsoft.com/en-us/azure/dns/dns-zones-records
https://docs.microsoft.com/en-us/azure/dns/private-dns-virtual-network-links
upvoted 70 times

  conip Most Recent  5 months, 2 weeks ago


bad question or options provided

"A specific virtual network can be linked to only one private DNS zone when automatic VM DNS registration is enabled. You can, however,
link multiple virtual networks to a single DNS zone."

so assuming that autoregistration is on - we can link it to just 1 private zone


upvoted 2 times

  EmnCours 1 year, 5 months ago


Answer is correct. Private zones only / Private zones only.
You can only link Virtual networks to private DNS zones only and accordingly auto register a VNET only to a private DNS zones.
check https://docs.microsoft.com/en-us/azure/dns/dns-zones-records
https://docs.microsoft.com/en-us/azure/dns/private-dns-virtual-network-links
upvoted 3 times

  Bhuw 1 year, 6 months ago


IS private DNS not required to be in the region of VNET/VM ?
upvoted 2 times

  Muffay 1 year, 1 month ago


Just tested it in my Azure environment - no, it is not required to be in the same region, I can add VNets from different regions.
upvoted 2 times

  atilla 1 year, 11 months ago


tested and verified
upvoted 2 times

  atilla 1 year, 11 months ago


answer is correct
upvoted 1 times

  JIGT 2 years, 1 month ago


Box 1: Private
Box 2: Private

You can only link VNETs to private DNS zones only and accordingly auto register a VNET only to a private DNS zones.
upvoted 2 times

  PBA1211 2 years, 11 months ago


I think it is not correct
1 = Private zones
2 = Adatum.com since it is set to the server, thus the nic
that takes precedent over other dns settings.
If the settings did not say adatum.com on the server level, then it was both private dns

  Ario 2 years, 9 months ago


well Adatum.com could be correct if mention auto register is enabled.
upvoted 1 times

  ZUMY 2 years, 11 months ago


Answer is correct. Private zones only / Private zones only.
You can only link Virtual networks to private DNS zones only and accordingly auto register a VNET only to a private DNS zones.
check https://docs.microsoft.com/en-us/azure/dns/dns-zones-records
https://docs.microsoft.com/en-us/azure/dns/private-dns-virtual-network-links
upvoted 5 times

  toniiv 2 years, 11 months ago


Both answers are correct. Private DNS zones can be linked with Vnets (not public ones). And VM can auto-register to any private DNS zone
linked with the Vnet and with auto-registration option set.
upvoted 9 times

  waterzhong 3 years ago


Azure Private DNS provides a reliable, secure DNS service to manage and resolve domain names in a virtual network without the need to
add a custom DNS solution.
upvoted 2 times

  nasa1515 3 years, 1 month ago


Is this the right answer?
upvoted 1 times

  waterzhong 3 years, 1 month ago


To resolve the records of a private DNS zone from your virtual network, you must link the virtual network with the zone. Linked virtual
networks have full access and can resolve all DNS records published in the private zone.
upvoted 3 times

  waterzhong 3 years, 2 months ago


If you enable autoregistration on a virtual network link, the DNS records for the virtual machines on that virtual network are registered in
the private zone. When autoregistration is enabled, Azure DNS also updates the zone records whenever a virtual machine is created,
changes its IP address, or is deleted.
upvoted 5 times

  Hibs2016 3 years, 2 months ago


Anyone got an explanation for this?
upvoted 4 times

  VipinP 3 years, 2 months ago


Auto registration happens only on private DNS and specific to region.
upvoted 9 times
Question #27 Topic 5

DRAG DROP -

You have an on-premises network that you plan to connect to Azure by using a site-to-site VPN.

In Azure, you have an Azure virtual network named VNet1 that uses an address space of 10.0.0.0/16. VNet1 contains a subnet named Subnet1 that uses an address space of 10.0.0.0/24.

You need to create a site-to-site VPN to Azure.

Which four actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

NOTE: More than one order of answer choice is correct. You will receive credit for any of the correct orders you select.

Select and Place:

Correct Answer:

  ZUMY Highly Voted  2 years, 11 months ago

The answers are in order and are correct.

Always work from the Azure side first, it's a dependency. Dependency is the key to all order obviously...

1 - Start with a Gateway subnet. You need the subnet in place first before you can associate a VPN gateway with it, which is what is created
next.

2 - Create a VPN gateway. Associate the VPN gateway with the gateway subnet you created (there are other steps but for the sake of what
is available for answers, the prem side is now configured)

Now for the premises side.

3. Create a local gateway. You need the local gateway in order to complete the tunnel, then you can create a VPN connection
upvoted 296 times

  ErenYeager 2 years, 9 months ago


I hereby declare this answer fit for viewership🙃
upvoted 55 times

  LeomHD 2 years, 4 months ago


According to this URL, a VPN gateway is created first and then the subnet gateway, could you help me to clarify it?
https://docs.microsoft.com/en-us/azure/vpn-gateway/tutorial-site-to-site-portal
upvoted 1 times

  magichappens 1 year, 10 months ago


Doesn't matter. If you don't have a gateway subnet, one will be created during gateway setup.
upvoted 3 times

  ShaulS 2 years, 3 months ago


What's the fourth answer?
upvoted 1 times

  pappkarcsiii 2 years ago


4. then you can create a VPN connection
upvoted 2 times

  mlantonis Highly Voted  2 years, 9 months ago

Correct Answer:
As per documentation:
1. Create a virtual network
2. Create a VPN gateway
3. Create a local network gateway
4. Create a VPN connection
5. Verify the connection
6. Connect to a virtual machine

Reference:
https://docs.microsoft.com/en-us/azure/vpn-gateway/tutorial-site-to-site-portal
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-classic-portal
upvoted 115 times

  jeru81 4 days, 23 hours ago


but vnet1 already exists.
upvoted 1 times

  Josete1106 Most Recent  6 months, 4 weeks ago

1. Create a gateway subnet
2. Create a VPN gateway
3. Create a local network gateway
4. Create a VPN connection
upvoted 6 times

  CyberKelev 11 months, 3 weeks ago


The correct order of actions to create a site-to-site VPN to Azure from an on-premises network is as follows:

Create a local network gateway in Azure that represents the on-premises network, specify the public IP address of the VPN device, and
define the address space of the on-premises network.
Create a VPN gateway in Azure and configure the gateway type, VPN type, and SKU.
Create a gateway subnet in VNet1 to host the VPN gateway.
Create a VPN connection between the on-premises VPN device and the Azure VPN gateway, specify the shared key, and select the local
network gateway and the VPN gateway.
Note: Creating a custom DNS server is not necessary for creating a site-to-site VPN connection.
upvoted 1 times

  CyberKelev 11 months, 3 weeks ago


The correct order of actions to create a site-to-site VPN to Azure from an on-premises network is as follows:

Create a local network gateway in Azure that represents the on-premises network, specify the public IP address of the VPN device, and
define the address space of the on-premises network.
Create a VPN gateway in Azure and configure the gateway type, VPN type, and SKU.
Create a connection between the on-premises VPN device and the Azure VPN gateway, specify the shared key, and select the local network
gateway and the VPN gateway.
Configure the on-premises VPN device to connect to the Azure VPN gateway, specify the public IP address of the Azure VPN gateway, and
configure the necessary settings, such as the authentication method, encryption algorithm, and IKE version
upvoted 1 times

  klexams 1 year, 3 months ago


create gateway subnet part of creating vpn gateway
create virtual network gateway / vpn gateway
create local gw
create vpn connection
upvoted 2 times

  Seb 1 year, 4 months ago


Answers are in order and are Correct, more info: https://learn.microsoft.com/en-us/azure/vpn-gateway/tutorial-site-to-site-portal
upvoted 1 times

  libran 1 year, 5 months ago


Given Answer is Correct
1. Gateway subnet
2. VPN Gateway
3. Local Gateway
4. Create VPN Connection
upvoted 6 times

  EmnCours 1 year, 5 months ago


The answers are in order and are correct.
upvoted 2 times

  Lazylinux 1 year, 7 months ago


The requirements are as per below

Create a virtual network ***( That is the Gateway Subnet)***

Create a VPN gateway, A resource that provides a virtual VPN appliance for the VNet. It is responsible for routing traffic from the on-
premises network to the VNet

Create a local network gateway ** The purpose for this GW is to have replica information about the on-prem VPN GW and provides it to
the Azure VPN GW*** such info is Public IP and the private IP address pool. An abstraction of the on-premises VPN appliance. Network
traffic from the cloud application to the on-premises network is routed through this gateway.

Create a VPN connection, The connection has properties that specify the connection type (IPSec) and the key shared with the on-premises
VPN appliance to encrypt traffic

Verify the connection

Connect to a virtual machine


upvoted 7 times

  cloudera 1 year, 8 months ago


1. Gateway subnet
2. VPN Gateway
3. Local Network Gateway
4. Create VPN Connection
upvoted 2 times

  cloudera 1 year, 8 months ago


You could start from VPN Gateway but will require you to create a subnet first before your can progress with creating VPN Gateway.
This mean creating a subnet is the first step.
upvoted 1 times

  benvdw 1 year, 11 months ago


on exam 13/3/2022
upvoted 1 times

  FabioVi 2 years ago


Creating the gateway subnet is not mandatory, because if you go straight to create the VPN gateway and you have not previously created
the gateway subnet, Azure suggests a range for creating the gateway subnet on the fly along with VPN gateway creation... But as the
question requires 4 responses, and there are 2 that do not make sense, creating a gateway subnet is the first in order, and the
following 3 are OK, so answer is correct :-)
upvoted 3 times

  khengoolman 2 years, 4 months ago


Passed 11 Oct 2021 with 947. This question appeared, correct Answer
upvoted 8 times

  AubinBakana 2 years, 5 months ago


Easy! :)
upvoted 1 times

  Adebowale 2 years, 6 months ago


Good work guys on these discussions. Very very educational and enlightening
upvoted 5 times

  wsscool 2 years, 7 months ago


in exam 7/3/2021
upvoted 5 times
Question #28 Topic 5

You have an Azure subscription that contains the resources in the following table.

VM1 and VM2 are deployed from the same template and host line-of-business applications.

You configure the network security group (NSG) shown in the exhibit. (Click the Exhibit tab.)

You need to prevent users of VM1 and VM2 from accessing websites on the Internet over TCP port 80.

What should you do?

A. Disassociate the NSG from a network interface.

B. Change the Port_80 inbound security rule.

C. Associate the NSG to Subnet1.

D. Change the DenyWebSites outbound security rule.

Correct Answer: C

You can associate or dissociate a network security group from a network interface or subnet.

The NSG has the appropriate rule to block users from accessing the Internet. We just need to associate it with Subnet1.

Reference:

https://docs.microsoft.com/en-us/azure/virtual-network/manage-network-security-group
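
The effect of association, as an added example that is not part of the original page or Microsoft's code: a simplified Python model of outbound NSG evaluation (first match by priority, NIC-level NSG checked before the subnet-level NSG). The exhibit is not reproduced on this page, so the DenyWebSites priority of 100 and its rule fields are assumptions; the three default rules are the ones Azure adds to every NSG.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int            # lower number is evaluated first
    destination: str         # service tag: "Internet", "VirtualNetwork" or "*"
    port: Optional[int]      # None means any destination port
    protocol: str            # "TCP", "UDP" or "*"
    allow: bool


# Default outbound rules that Azure adds to every NSG.
DEFAULT_OUTBOUND = (
    Rule("AllowVnetOutBound", 65000, "VirtualNetwork", None, "*", True),
    Rule("AllowInternetOutBound", 65001, "Internet", None, "*", True),
    Rule("DenyAllOutBound", 65500, "*", None, "*", False),
)


@dataclass
class NSG:
    name: str
    outbound: List[Rule] = field(default_factory=list)

    def decide(self, destination: str, port: int, protocol: str) -> Tuple[bool, str]:
        """Return (allowed, name of the matching rule); first match by priority wins."""
        rules = sorted(list(self.outbound) + list(DEFAULT_OUTBOUND),
                       key=lambda r: r.priority)
        for rule in rules:
            if (rule.destination in ("*", destination)
                    and rule.port in (None, port)
                    and rule.protocol in ("*", protocol)):
                return rule.allow, rule.name
        return False, "no-match"  # not reached: DenyAllOutBound matches everything


def outbound_allowed(nic_nsg: Optional[NSG], subnet_nsg: Optional[NSG],
                     destination: str, port: int,
                     protocol: str = "TCP") -> Tuple[bool, str]:
    """Outbound traffic is checked against the NIC's NSG, then the subnet's NSG.

    A level with no NSG associated filters nothing, so an NSG that is
    associated with 0 subnets and 0 network interfaces has no effect.
    """
    for level, nsg in (("NIC", nic_nsg), ("subnet", subnet_nsg)):
        if nsg is None:
            continue
        allowed, rule_name = nsg.decide(destination, port, protocol)
        if not allowed:
            return False, f"{level}:{rule_name}"
    return True, "no NSG denied the flow"


# Constructed stand-in for the NSG in the exhibit (priority is an assumption).
EXHIBIT_NSG = NSG("exhibit-nsg", [
    Rule("DenyWebSites", 100, "Internet", 80, "TCP", False),
])


if __name__ == "__main__":
    cases = [
        ("NSG not associated", None, None),
        ("NSG on Subnet1", None, EXHIBIT_NSG),
        ("NSG on the VM's NIC", EXHIBIT_NSG, None),
    ]
    for label, nic, subnet in cases:
        for port in (80, 443):
            print(label, port, outbound_allowed(nic, subnet, "Internet", port))
```

Associating the NSG with Subnet1 covers both VMs with one change, while NIC-level association has to be repeated per network interface.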

Community vote distribution


C (100%)

  mlantonis Highly Voted  2 years, 9 months ago

Correct Answer: C

Outbound rule “DenyWebSites” is setup correctly to block outbound internet traffic over port 80. In the screenshot it states, "Associated
with: 0 subnets, 0 NIC's", so you need to associate the NSG to Subnet1. You can associate or dissociate a network security group from a NIC
or Subnet.

Reference:

https://docs.microsoft.com/en-us/azure/virtual-network/manage-network-security-group
upvoted 110 times

  RougePotatoe 1 year ago


Check top-right corner of image. Notice associated with 0 subnets and 0 network interfaces.
upvoted 4 times
  Hibs2016 Highly Voted  3 years, 2 months ago

Answer is correct - C. Outbound rule: DenyWebSites is setup correctly to block outbound internet traffic over port 80.
upvoted 20 times

  Hyrydar 1 year, 5 months ago


I agree with the answer given and all the replies, but someone correct me if i am wrong. Shouldn't the proper choice given be
"associate the NSG rule with network interface" because network interface has priority over subnet in outbound flow
upvoted 1 times

  TinyRunner 6 months, 2 weeks ago


Applying the NSG at the subnet level will require less administrative effort and time spent providing the same security
requirements provided at the NIC level.
Your approach will apply only if there's a need to block traffic to one of both VMs. In this case it makes sense to apply at the NIC level.
upvoted 1 times

  kl8585 5 months ago


I agree with you. I will also add that if there were other VMs associated to the subnet but we should only block outbound access
for VM1 and VM2 then the correct answer would have been associate NSG rule with the two NIC of the specific VMs.
upvoted 1 times

  Skankhunt 3 years, 1 month ago


Agreed, in screenshot it states "Associated with: 0 subnets, 0 NIC's" ;)
upvoted 10 times

  EmnCours Most Recent  1 year, 5 months ago

Selected Answer: C

Correct Answer: C
upvoted 1 times

  Lazylinux 1 year, 7 months ago


Selected Answer: C

Given answer is correct


Associated with: 0 subnets, 0 NIC's and hence need to associate with Subnet1
upvoted 2 times

  rasmart 1 year, 10 months ago

Selected Answer: C

check mlantonis
upvoted 5 times

  AzureG0d 1 year, 3 months ago


LOL!! its sad how true this is, along with fedztez and lazylinux. thank God for them
upvoted 2 times

  benvdw 1 year, 11 months ago


on exam 13/3/2022
upvoted 2 times

  ScoutP 2 years, 4 months ago


This question was asked on exam taken on Sept 30, 2021
upvoted 5 times

  AubinBakana 2 years, 5 months ago


Easy :)
upvoted 1 times

  sourav4312 2 years, 6 months ago


Probably the easiest answer in the series.
upvoted 1 times

  Chief 2 years, 9 months ago


One of the easiest question I guess. Associate the NSG to subnet1
upvoted 4 times

  ZUMY 2 years, 11 months ago


C is correct
Outbound rule blocking port 80 is configured correctly
upvoted 5 times

  toniiv 2 years, 11 months ago


Answer C. is correct. Outbound rule is right, you only need to associate the NSG to the Subnet to apply the rules.
upvoted 2 times

  mikl 3 years ago


Valid question - answer is correct.
Microsoft just wants us to know that a NSG has to be associated with something, to actually work.

Associated with : 0 subnets, 0 nic interfaces.


upvoted 3 times

  kannan8685 3 years, 1 month ago


yes i agree
upvoted 2 times

  fedztedz 3 years, 1 month ago


Answer is correct. "C"
upvoted 10 times

  rusll 3 years, 2 months ago


is this the type of questions that will come up in the exam (hopefully) ? i feel like im wasting my time
upvoted 1 times
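
The point this thread keeps returning to, that a correct deny rule filters nothing while the NSG shows "Associated with: 0 subnets, 0 NICs", can be checked mechanically. The following is an added example, not part of the original page: it audits records shaped like the JSON that `az network nsg list` returns, and the NSG names, resource IDs and second record are constructed sample data.

```python
import json

# Constructed sample, shaped like `az network nsg list -o json` output.
# NSG names and resource IDs are placeholders, not values from the page.
SAMPLE = json.loads("""
[
  {"name": "nsg-web-deny",
   "subnets": null,
   "networkInterfaces": null,
   "securityRules": [
     {"name": "DenyWebSites", "direction": "Outbound", "access": "Deny",
      "priority": 100, "destinationPortRange": "80",
      "destinationPortRanges": []}
   ]},
  {"name": "nsg-subnet1",
   "subnets": [{"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-example/providers/Microsoft.Network/virtualNetworks/vnet-example/subnets/Subnet1"}],
   "networkInterfaces": null,
   "securityRules": [
     {"name": "DenyWebSites", "direction": "Outbound", "access": "Deny",
      "priority": 100, "destinationPortRange": null,
      "destinationPortRanges": ["80", "8080-8090"]}
   ]}
]
""")


def association_counts(nsg):
    """Return (subnet_count, nic_count); 'none' is reported as null or []."""
    return (len(nsg.get("subnets") or []),
            len(nsg.get("networkInterfaces") or []))


def rule_covers_port(rule, port):
    """True if the rule's destination port spec ('*', '80', '80-90') includes port."""
    ranges = list(rule.get("destinationPortRanges") or [])
    if rule.get("destinationPortRange"):
        ranges.append(rule["destinationPortRange"])
    for spec in ranges:
        if spec == "*":
            return True
        low, _, high = spec.partition("-")
        if int(low) <= port <= int(high or low):
            return True
    return False


def audit_outbound_deny(nsgs, port):
    """List every outbound deny rule for `port` and whether its NSG is attached.

    'enforced' only means the NSG is associated with at least one subnet or
    NIC; it does not evaluate higher-priority allow rules.
    """
    findings = []
    for nsg in nsgs:
        subnets, nics = association_counts(nsg)
        for rule in nsg.get("securityRules") or []:
            if (rule["direction"] == "Outbound" and rule["access"] == "Deny"
                    and rule_covers_port(rule, port)):
                findings.append({
                    "nsg": nsg["name"],
                    "rule": rule["name"],
                    "subnets": subnets,
                    "nics": nics,
                    "enforced": subnets + nics > 0,
                })
    return findings


if __name__ == "__main__":
    for f in audit_outbound_deny(SAMPLE, 80):
        state = "enforced" if f["enforced"] else "NOT ENFORCED (unassociated)"
        print(f'{f["nsg"]}/{f["rule"]}: {f["subnets"]} subnets, '
              f'{f["nics"]} NICs -> {state}')
```
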
Question #29 Topic 5

You have two subscriptions named Subscription1 and Subscription2. Each subscription is associated to a different Azure AD tenant.

Subscription1 contains a virtual network named VNet1. VNet1 contains an Azure virtual machine named VM1 and has an IP address space of 10.0.0.0/16.

Subscription2 contains a virtual network named VNet2. VNet2 contains an Azure virtual machine named VM2 and has an IP address space of 10.10.0.0/24.

You need to connect VNet1 to VNet2.

What should you do first?

A. Move VM1 to Subscription2.

B. Move VNet1 to Subscription2.

C. Modify the IP address space of VNet2.

D. Provision virtual network gateways.

Correct Answer: D

The virtual networks can be in the same or different regions, and from the same or different subscriptions. When connecting VNets from different subscriptions, the subscriptions do not need to be associated with the same Active Directory tenant.

Configuring a VNet-to-VNet connection is a good way to easily connect VNets. Connecting a virtual network to another virtual network using the VNet-to-VNet connection type (VNet2VNet) is similar to creating a Site-to-Site IPsec connection to an on-premises location. Both connectivity types use a VPN gateway to provide a secure tunnel using IPsec/IKE, and both function the same way when communicating.

The local network gateway for each VNet treats the other VNet as a local site. This lets you specify additional address space for the local network gateway in order to route traffic.

Reference:

https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-vnet-vnet-resource-manager-portal

Community vote distribution


D (80%) C (20%)

  mlantonis Highly Voted  2 years, 9 months ago

Correct Answer: D

There is no overlap between the VNets:


VNet1: 10.0.0.0/16 - CIDR IP Range 10.0.0.0 - 10.0.255.255
VNet2: 10.10.0.0/24 - CIDR IP Range 10.10.0.0 - 10.0.0.255

Note: If a virtual network has address ranges that overlap with another virtual network or on-premises network, the two networks can't be
connected.

You can connect virtual networks (VNets) by using the VNet-to-VNet connection type. Virtual networks can be in different regions and from
different subscriptions. When you connect VNets from different subscriptions, the subscriptions don't need to be associated with the
same Active Directory tenant.

Reference:

https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-vnet-vnet-resource-manager-portal
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways
upvoted 121 times

  OlehT 3 weeks, 1 day ago


mistake: VNet2: 10.10.0.0/24 - CIDR IP Range 10.10.0.0 - 10.10.0.255 (not 10.0.0.255)
upvoted 1 times

  Alex2022_31 1 year, 1 month ago


Correct answer and well explained
There is a typo in your VNet2 CIDR IP Range : 10.10.0.0 - 10.10.0.255 (instead of 10.0.0.255)
:)
upvoted 8 times

  cassucena 1 year, 3 months ago


a peering is not possible in this situation? tks
upvoted 3 times

  Jayad 1 year, 10 months ago


Nicely explained
upvoted 3 times

  fedztedz Highly Voted  3 years, 1 month ago

Answer is correct. "D" . It is a VNET to VNET connection where there is no IP overlap exists. Also, No need to have the same Azure AD. They
just need to have a Virtual network gateway to communicate using Public IP where it is secured using SSTP or IKEv2
upvoted 68 times

  magichappens 1 year, 10 months ago


I found answer D is the only one that makes sense as well but I actually miss "peering" here as this would be a way better way of
connecting both VNETs. It's supported for cross tenant and cross subscription connections so it would be more accurate.
upvoted 7 times

  Ahkhan Most Recent  3 months, 1 week ago

They could have just peered the two vNets as we can peer vNets in 2 different subscriptions.

Can I enable virtual network peering if my virtual networks belong to subscriptions within different Microsoft Entra tenants?

Yes. It's possible to establish virtual network peering (whether local or global) if your subscriptions belong to different Microsoft Entra
tenants. You can do this via the Azure portal, PowerShell, or the Azure CLI.

https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-faq
upvoted 2 times

  CyberKelev 11 months, 3 weeks ago

Selected Answer: D

To connect VNet1 to VNet2, you need to create a site-to-site VPN connection between the two virtual networks. The first step to
accomplish this is to provision virtual network gateways in both subscriptions. Therefore, the correct answer is:

D. Provision virtual network gateways.

Once the virtual network gateways are provisioned, you can configure the VPN connection between them to enable traffic to flow between
VNet1 and VNet2. Moving VM1 to Subscription2 or modifying the IP address space of VNet2 is not required to establish the VPN
connection between the two virtual networks. Similarly, moving VNet1 to Subscription2 is not required, but you may need to create a
peering connection between the virtual networks after the VPN connection is established to enable communication between the virtual
machines.
upvoted 2 times

  EmnCours 1 year, 5 months ago


Selected Answer: D

Correct Answer: D
upvoted 1 times

  El7arani 1 year, 6 months ago

Selected Answer: D

D is correct
upvoted 1 times

  nkhan19 1 year, 7 months ago

Selected Answer: C

C. Modify the IP address space of VNet2.


B/C you have 10.10.0.0/24 , no space for GatewaySubnet

only after modifying address space, you can create Gw Subnet and then add gw for VNet-VNet
upvoted 2 times

  Lazylinux 1 year, 7 months ago

Selected Answer: D

D is correct
Create a virtual network ***( That is the Gateway Subnet)***
Create a VPN gateway, A resource that provides a virtual VPN appliance for the VNet. It is responsible for routing traffic from the
on-premises network to the VNet
upvoted 3 times

  Tyy27 1 year, 7 months ago


good man for commenting the correct answers recently in these discussions
upvoted 1 times

  EleChie 1 year, 8 months ago


Answer is correct: (the VNets IP ranges are confusing many of you)
VNet1: 10.0.0.0/16 - CIDR IP Range 10.0.0.0 - 10.0.255.255
VNet2: 10.10.0.0/24 - CIDR IP Range 10.10.0.0 - 10.0.0.255
As we see the VNet2 range is not part of the VNet1 IP range, So there is no overlap between these two VNets. and therefore no need to
modify the IP address space of VNet2
upvoted 2 times

  pappkarcsiii 2 years ago


Selected Answer: D

Answer is correct. "D" . It is a VNET to VNET connection where there is no IP overlap exists.
upvoted 1 times

  Barrie 2 years, 3 months ago


Got to think this question is out of date.
I wouldn't do any of the provided options. A global VNET peer achieves the required outcome, without the need for additional
infrastructure.
upvoted 10 times

  maxmarco71 2 years, 4 months ago


ANSWER IS "D" CORRECT
NO Overlapping. Proof using
https://network00.com/NetworkTools/IPv4CheckOverlappingNetworks/
upvoted 1 times

  AubinBakana 2 years, 5 months ago


They should have asked - what's the best way. Because top 2 options do lead to the solution, with a little more effort.

Answer is correct
upvoted 1 times

  riccardo 2 years, 7 months ago


sorry but in order to create an vpn gateway subnet should be bigger, not /24 but at least /27. because you have to create the gateway
subnet. so I would modify the address space of vnet 2 and answer C
upvoted 2 times

  GuyForget 2 years, 5 months ago


It doesn't say anything about the subnet taking up the entire /24 address space.
upvoted 1 times

  Cosy 2 years, 7 months ago


/24 is actually bigger than /27
upvoted 4 times

  AubinBakana 2 years, 5 months ago


Haha... I guess he worked out that 27 is bigger than 24 and therefore... haha. Good call. I hope he reads your comment.
upvoted 1 times

  JayBee65 2 years, 7 months ago


and you would get it wrong. The question doesn't mention subnets that the VNETs contain, so they may already have vpn gateway
subnets. There is no need at all to modify the VNETs unless you are guessing that they contain no space for a vpn gateway subnet.
There is nothing in the question to suggest this is the case.
upvoted 1 times

  AubinBakana 2 years, 5 months ago


The smallest peering size is actually /29. Largest /2
upvoted 1 times

  Wizard69 2 years, 11 months ago


There is no overlap here:
10.0.0.0/16 - 10.0 is the network
10.10.0.0/24 - 10.10.0 is the network

Since there is no option to do a straight peering, gateway must be correct


upvoted 9 times

  ZUMY 2 years, 11 months ago


Answer given is correct
if you want to connect two vnets, you have two options: peering and vpn,
Virtual network gateway is required to establish vpn on this case
upvoted 7 times

  Merma 2 years, 11 months ago


The answer is "C. Modify the IP address space of VNet2." You can modify the address space of VNet2 by adding an address space that does
not have IP overlap. Lets say 13.0.0.0/16, adding a new subnet 13.0.0.0/24 and then attaching the resources to the new subnet and finally
delete the old subnet and VNet with the overlapping IP range.
upvoted 1 times

  Merma 2 years, 11 months ago


Oops, I was so wrong. 10.0 vs. 10.10 No overlap. D. Correct answer.
upvoted 3 times
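
The address arithmetic argued over in this thread (the two ranges, whether they overlap, and whether a /24 VNet can still hold a gateway subnet) is worked through below with Python's `ipaddress` module. This is an added example, not part of the original page; the question lists no subnets, so the subnet layouts passed to `first_fit` and the /27 size searched for (the figure riccardo's comment uses) are assumptions.

```python
import ipaddress

# Address spaces as stated in the question.
SPACES = {"VNet1": "10.0.0.0/16", "VNet2": "10.10.0.0/24"}


def span(cidr):
    """First and last address of a CIDR block, as strings."""
    net = ipaddress.ip_network(cidr)
    return str(net.network_address), str(net.broadcast_address)


def overlapping_pairs(spaces):
    """Name pairs whose address spaces share at least one address."""
    names = sorted(spaces)
    return [(a, b)
            for i, a in enumerate(names) for b in names[i + 1:]
            if ipaddress.ip_network(spaces[a]).overlaps(
                ipaddress.ip_network(spaces[b]))]


def free_blocks(vnet_cidr, used_cidrs):
    """CIDR blocks of the VNet not covered by any existing subnet."""
    free = [ipaddress.ip_network(vnet_cidr)]
    for cidr in used_cidrs:
        subnet = ipaddress.ip_network(cidr)
        remaining = []
        for block in free:
            if not block.overlaps(subnet):
                remaining.append(block)           # untouched by this subnet
            elif subnet.subnet_of(block):
                # Carve the subnet out; yields nothing if it fills the block.
                remaining.extend(block.address_exclude(subnet))
            # else: block lies inside the subnet and is fully consumed
        free = remaining
    return sorted(free)


def first_fit(vnet_cidr, used_cidrs, prefixlen):
    """Lowest free block of the requested size, or None if nothing fits."""
    for block in free_blocks(vnet_cidr, used_cidrs):
        if block.prefixlen <= prefixlen:
            return str(next(block.subnets(new_prefix=prefixlen)))
    return None


if __name__ == "__main__":
    for name, cidr in SPACES.items():
        print(name, cidr, "->", " - ".join(span(cidr)))
    print("overlaps:", overlapping_pairs(SPACES) or "none")
    # Assumed layouts for VNet2: half used, fully used, nothing used.
    for used in (["10.10.0.0/25"], ["10.10.0.0/24"], []):
        print("subnets", used, "-> /27 available:",
              first_fit(SPACES["VNet2"], used, 27))
```

Whether answer C's premise holds therefore depends on how much of the /24 the existing subnets already occupy, which the question does not state.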
Question #30 Topic 5

You plan to create an Azure virtual machine named VM1 that will be configured as shown in the following exhibit.

The planned disk configurations for VM1 are shown in the following exhibit.
You need to ensure that VM1 can be created in an Availability Zone.

Which two settings should you modify? Each correct answer presents part of the solution.

NOTE: Each correct selection is worth one point.

A. Use managed disks

B. OS disk type

C. Availability options

D. Size

E. Image

Correct Answer: AC

A: Your VMs should use managed disks if you want to move them to an Availability Zone by using Site Recovery.

C: When you create a VM for an Availability Zone, Under Settings > High availability, select one of the numbered zones from the Availability zone dropdown.

Reference:

https://docs.microsoft.com/en-us/azure/site-recovery/move-azure-vms-avset-azone
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/create-portal-availability-zone

Community vote distribution


AC (100%)

  mlantonis Highly Voted  2 years, 9 months ago

Correct Answer: A and C

A: Your VMs should use managed disks if you want to move them to an Availability Zone by using Site Recovery.

C: When you create a VM for an Availability Zone, Under Settings > High availability, select one of the numbered zones from the Availability
zone dropdown.

Reference:
https://docs.microsoft.com/en-us/azure/site-recovery/move-azure-vms-avset-azone
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/create-portal-availability-zone
https://docs.microsoft.com/en-us/azure/virtual-machines/manage-availability
https://docs.microsoft.com/en-us/azure/availability-zones/az-overview#availability-zones
upvoted 98 times

  MicroJ Highly Voted  3 years, 2 months ago

Explanation is correct but marked answer is wrong. should be Availability Zones and Managed Disks
upvoted 52 times

  kpcert Most Recent  2 months ago

Selected Answer: AC

Correct answer A and C, Refer 'mlantonis' explanation


upvoted 1 times

  Max_on_neptune 1 year, 2 months ago


Exam Question 01DEC22
upvoted 4 times

  azaad_a 1 year, 4 months ago


Exam Question 08OCT22
upvoted 9 times

  EmnCours 1 year, 5 months ago

Selected Answer: AC

Correct Answer: A and C


upvoted 1 times

  nkhan19 1 year, 7 months ago

Selected Answer: AC

Explanation is correct but marked answer is wrong. should be Availability Zones and Managed Disks
upvoted 2 times
  ScarfaceRecords 1 year, 7 months ago
AC is the correct one.
upvoted 1 times

  minix 1 year, 7 months ago


came in today's exam 25/6/2022
upvoted 3 times

  Lazylinux 1 year, 8 months ago

Selected Answer: AC

AC is correct
upvoted 2 times

  MikeHuang 1 year, 8 months ago


Selected Answer: AC

Should be A, C
upvoted 1 times

  Niraj22 1 year, 8 months ago


Correct Answer: A and C
upvoted 1 times

  pappkarcsiii 2 years ago

Selected Answer: AC

A and C are correct answer.


upvoted 1 times

  khengoolman 2 years, 4 months ago


Passed 11 Oct 2021 with 947. This question appeared, correct Answer is A C
upvoted 8 times

  DevOpposite 2 years, 4 months ago


so I am drunk and I am not reading whole questions, but only reading last 3-4 lines of questions, answering questions and getting them
right. Am I ready to take exam?
upvoted 8 times

  michaelknight 2 years, 3 months ago


Absolutely, you just need to make sure that you are also drunk during the exam.
upvoted 39 times

  obaali1990 11 months ago


You made me laugh to release stress
upvoted 1 times

  nimeshabhinav 2 years, 1 month ago


Buddy , have you cleared the exam ? As I am doing the same , so asking you the same :P
upvoted 4 times

  AubinBakana 2 years, 5 months ago


Ease :)
upvoted 1 times

  wsscool 2 years, 7 months ago


in exam 7/3/2021
upvoted 5 times
Question #31 Topic 5

HOTSPOT -

You have an Azure subscription that contains the resources shown in the following table.

VMSS1 is set to VM (virtual machines) orchestration mode.

You need to deploy a new Azure virtual machine named VM1, and then add VM1 to VMSS1.

Which resource group and location should you use to deploy VM1? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

Box 1: RG1, RG2, or RG3 -

The resource group stores metadata about the resources. When you specify a location for the resource group, you're specifying where that metadata is stored.

Box 2: West US only -

Note: Virtual machine scale sets will support 2 distinct orchestration modes:

ScaleSetVM - Virtual machine instances added to the scale set are based on the scale set configuration model. The virtual machine instance lifecycle - creation, update, deletion - is managed by the scale set.

VM (virtual machines) - Virtual machines created outside of the scale set can be explicitly added to the scaleset.

Reference:

https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/overview

  mlantonis Highly Voted  2 years, 9 months ago

Correct Answer:

Box 1: RG1, RG2, or RG3


The resource group stores metadata about the resources. When you specify a location for the resource group, you're specifying where
that metadata is stored. The location of the RG doesn't influence the choice of the location of VM. best practice would be to create the VM1
in the RG1 because the scale set is in RG1. And Microsoft recommends that resources contained in a Resource Group share the same
resource lifecycle.
Box 2: West US only
You can add the virtual machine to a scale set in the same region, zone, and resource group.

Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/overview
https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-orchestration-modes
upvoted 109 times

  tirajvid 4 months, 3 weeks ago


Box 1: RG1 only.
The VM must be in the same resource group as the scale set.

Reference : https://learn.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-attach-detach-vm?tabs=portal
upvoted 12 times

  Batiste2023 3 months ago


Yes, RG1 only.

"The VM must be in the same resource group as the scale set.


If the scale set is regional (no availability zones specified), the virtual machine must also be regional."
https://learn.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-attach-detach-vm?tabs=portal#exceptions-to-attaching-a-vm-to-a-virtual-machine-scale-set
upvoted 4 times

  hebbo777 3 months, 3 weeks ago


you are right!
upvoted 1 times

  fjreoi 6 months ago


Yes Box 1: RG1, RG2, or RG3

https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/overview#resource-groups
" Resources in a resource group can be in regions other than that of the resource group."
upvoted 1 times

  hebbo777 3 months, 3 weeks ago


for VMSS there is an exceptional in attach VM to scale set should be in same RG, and if its zonal selected should be in same zone
upvoted 1 times

  DrMiyu 1 year, 7 months ago


Completely agree even if it says "Should" you use. To be honest, I wanted to answer different because I think I should use "RG1 only"
except if there is a good reason behind (cost / department / etc) and so to have all my VM in the same RG for easier management.
upvoted 8 times

  maria_saprykina 1 year, 2 months ago


Yes you can use any RG, but here it asks what RG you SHOULD use? That sounds like by this question Microsoft encourages us to follow
their recommendations, and the answer should be RG1 only.
upvoted 9 times

  fedztedz Highly Voted  3 years, 1 month ago

Answer is correct. The location of the RG doesn't influence the choice of the location of VM. The location of the VM should be the same like
the VM Scale set (single zone or zone redundant )
upvoted 63 times

  itgg11 1 year, 11 months ago


Answer is not correct. I just tested it in the lab and a new VM needed to be in the SAME resource group and region. Otherwise, a given
VMSS was not available.
upvoted 14 times

  Lazylinux 1 year, 7 months ago


Not sure how you tested it...Did you consult Bill Gates!!
Anyway the VMSS set should and would be available as long as you are in the right subscription, it will give you option to chose the
resource group then you can chose the VMSS.
Just remember this RG and Subscriptions ONLY hold the meta data of the resources, what matters is the region
upvoted 3 times

  gargaditya Most Recent  1 month, 2 weeks ago


ANSWER= RG1 only (same RG as VMSS), West US only (same Region as VMSS)

You can only attach new VMs (non identical) to a Virtual Machine Scale Set in Flexible orchestration mode.
NOTES:
-The VM must be in the same resource group as the scale set.

-If the scale set is regional (no availability zones specified), the virtual machine must also be regional. <and both VM and VMSS must be in
same region>
-If the scale set is zonal or spans multiple zones (one or more availability zones specified), the virtual machine must be created in one of
the zones spanned by the scale set. For example, you can't create a virtual machine in Zone 1, and place it in a scale set that spans Zones 2
and 3.

https://learn.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-attach-detach-vm?tabs=portal-1%2Cportal-2%2Cportal-3#exceptions-to-attaching-a-new-vm-to-a-virtual-machine-scale-set
upvoted 2 times

  gargaditya 1 month, 2 weeks ago


More details/additional info:
• Virtual Machines Scale Sets provide a logical grouping of platform-managed virtual machines.
• With scale sets, you create a virtual machine configuration model, automatically add or remove additional instances based on CPU or
memory load, and automatically upgrade to the latest OS version.
• Traditionally, scale sets allow you to create virtual machines using a VM configuration model provided at the time of scale set creation,
and the scale set can only manage virtual machines that are implicitly created based on the configuration model.
• Scale set orchestration modes allow you to have greater control over how virtual machine instances are managed by the scale set.
There are 2 modes- Uniform & Flexible
upvoted 1 times

  gargaditya 1 month, 2 weeks ago


• Virtual Machine Scale Sets with Uniform orchestration use a virtual machine profile or template to scale up to desired capacity.
While there is some ability to manage or customize individual virtual machine instances, Uniform uses identical VM instances.
• Flexible orchestration :
o Allows to mix DIFFERENT virtual machine types or Spot and on-demand VMs together
o offers high availability guarantees by spreading VMs across fault domains in a region or within an Availability Zone (Uniform works
within same AZ)
o You can only attach new VMs (non identical) to a Virtual Machine Scale Set in Flexible orchestration mode.
upvoted 1 times

  Siraf 6 months, 3 weeks ago


Answer is:
- Resource group: RG1 only
- Location: West US

You can only attach VMs to a Virtual Machine Scale Set in Flexible orchestration mode.
The VM must be in the same resource group as the scale set.
If the scale set is regional (no availability zones specified), the virtual machine must also be regional.
https://learn.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-attach-detach-vm?tabs=portal
upvoted 11 times

  ikidreamz 6 months ago


same region = RG1 and West US
upvoted 2 times

  pokrz26 7 months, 4 weeks ago


The VM must be in the same resource group as the scale set. -->
https://learn.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-attach-detach-vm?tabs=portal#exceptions-to-attaching-a-vm-to-a-virtual-machine-scale-set

So the answer is

Box 1: RG1 only


Box 2: West US only
upvoted 9 times

  RandomNickname 8 months, 1 week ago


Focus on the "should" like others have.
Following MS url below;

https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/overview

So for Box 1;
It can be R1, RG2, RG3, but should be RG1.

For Box 2;

Should be in West US.


upvoted 2 times

  xRiot007 8 months, 2 weeks ago


The question is poorly written. "Should" is a very ambiguous term. The VM can be created in any RG, but best practices tell us that it
should be done in RG1 to have similar lifecycle. So, in theory, both RG1 only and R1,2,3 should be correct answers.
upvoted 2 times

  manthlan 1 year, 3 months ago


Question asks,"Which resource group and location should you use to deploy VM1? " not "can". So it should be RG1.Isn't it?
upvoted 5 times

  Liriano 1 year, 3 months ago


In exam today, go with highly voted
upvoted 1 times

  qwerty100 1 year, 3 months ago


Tested in lab with this result:
Resource group: RG1 only
Location: West US Only

When you are going to create the vm1 you can read this:

You can add your virtual machine to a virtual machine scale set to design highly available and scalable application architecture. Virtual
machines inside a scale set can be deployed into fault domains or Availability zones. The scale set must be set to flexible orchestration
mode, and in the same region and resource group.
upvoted 5 times

  EmnCours 1 year, 5 months ago


Correct Answer:

Box 1: RG1, RG2, or RG3


The resource group stores metadata about the resources. When you specify a location for the resource group, you're specifying where
that metadata is stored. The location of the RG doesn't influence the choice of the location of VM. best practice would be to create the VM1
in the RG1 because the scale set is in RG1. And Microsoft recommends that resources contained in a Resource Group share the same
resource lifecycle.

Box 2: West US only


You can add the virtual machine to a scale set in the same region, zone, and resource group.

Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/overview
https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-orchestration-modes
upvoted 1 times

  61Reasons 1 year, 6 months ago


I can see it both ways. But they gave us all three RGs as a choice together. Tough call, and for MSFT's part not "fair". They need more
context or a better word.
upvoted 1 times

  pingpongset 1 year, 7 months ago


If the location is "West US", should not it also determine the resource group, which is RG2, and not RG1, RG2, or RG3? Because a resource
group uses a location too.
upvoted 1 times

  Lazylinux 1 year, 7 months ago


Given answer is correct..
RG holds the meta data of resources and hence its location doesn't matter but Resources should mostly be in same region and in this case
the VM and the VMSS MUST be in same region
upvoted 2 times

  rafacazus 1 year, 8 months ago


Creating virtual machines in virtual machine scale set is only allowed for scale sets with flexible orchestration mode. When you create a
VM, you can optionally specify that it is added to a virtual machine scale set. A VM can only be added to a scale set at time of VM creation.
The newly created VM must be in the same resource group as the Flexible scale set regardless of deployment methods.
Tested in the lab.
https://docs.microsoft.com/en-us/azure/virtual-machines/flexible-virtual-machine-scale-sets
upvoted 1 times

  Scoobysnaks86 1 year, 8 months ago


"should" is the word. Not "can". Best practice is to put the VM in a scale set in the same resource group.
Answer is A and C
upvoted 4 times

  itgg11 1 year, 11 months ago


Answer is not correct.
Resource groups should be RG1
"The newly created VM must be in the same resource group as the Flexible scale set regardless of deployment methods."
source https://docs.microsoft.com/en-us/azure/virtual-machines/flexible-virtual-machine-scale-sets
upvoted 13 times
Question #32 Topic 5

HOTSPOT -

You have an Azure subscription that contains three virtual networks named VNET1, VNET2, and VNET3.

Peering for VNET1 is configured as shown in the following exhibit.

Peering for VNET2 is configured as shown in the following exhibit.

Peering for VNET3 is configured as shown in the following exhibit.

How can packets be routed between the virtual networks? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:
Correct Answer:

Box 1. VNET2 and VNET3 -

Box 2: VNET1 -

Gateway transit is disabled.

Reference:

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview

  mlantonis Highly Voted  2 years, 9 months ago

Correct Answer:

VNet1: Peered with VNet2 and VNet3


VNet2: Peered with VNet1
VNet3: Peered with VNet1

Box 1. VNET2 and VNET3


VNet1 is peered with VNet2 and VNet3. Also Gateway transit is disabled.

Box 2: VNET1 only


Gateway transit is disabled, so it can only communicate with the connected VNET1.

Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-peering-gateway-transit
upvoted 111 times

  mdyck Highly Voted  2 years, 9 months ago


Answer Correct. Gateway transit is disabled so they can only communicate with VNET1.

https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-peering-gateway-transit
upvoted 20 times

  fedev21 2 years ago


As far as I know virtual peering is not transitive and Spoke-to-Spoke traffic is not allowed. Enabling Gateway transit allows for cross-
premises communication but not for Spoke-to-Spoke traffic. The only way to make possible spoke-to-spoke traffic is to use an NVA in
the HUB VNet
upvoted 9 times

  Devgela 2 years, 9 months ago


Agree with mdyck
upvoted 4 times

  verifedtomic 2 years, 3 months ago


If Gateway Transit was enabled, then they all would be able to communicate between each other, since VNET1 is Peering with both
VNET2 and VNET3?
upvoted 1 times

  magichappens 1 year, 10 months ago


No, for this to work you need use defined routes and either Azure Firewall or an NVA. mdyck is wrong.
https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/hub-spoke?tabs=cli#virtual-network-peering
upvoted 6 times

  shadad Most Recent  11 months, 2 weeks ago

I took Exam of Azure- 104 at 27/2/2023


I score 920 points out of 1000 points. This was on it and my answer was:

Box 1. VNET2 and VNET3


VNet1 is peered with VNet2 and VNet3
Box 2: VNET1 only
Gateway transit is disabled
upvoted 3 times

  UK7 1 year, 1 month ago


Came on 21st Dec 2022
Answer is correct
upvoted 1 times

  Liriano 1 year, 3 months ago


In exam today, go with highly voted
upvoted 1 times

  majerly 1 year, 4 months ago


today in exam, answer is correct
upvoted 3 times

  EmnCours 1 year, 5 months ago


Answer Correct
upvoted 1 times

  Lazylinux 1 year, 7 months ago


Given answer is correct but explanation for part 2 is not

Gateway transit only applies when there is a VPN gateway created and Gateway transit is a peering property that lets one virtual network
use the VPN gateway in the peered virtual network for cross-premises or VNet-to-VNet connectivity hence really allows for reduced cost
and administrative effort since only one VPN GW to manage and pay for

So in summary the Gateway transit option that you enable allows you to use the VPN GW for routing, Now assuming the VPN GW has all
necessary routes then yes communication between VNET2 and VNET3 is possible but if for argument sake that the VPN GW doesn't have
routes of VNET2 and VNET3 then both VNETs will NOT be able to communicate
upvoted 8 times

  vaisat 2 years, 1 month ago


Second port is INCORRECT -
1. Packets from VNET1 can be forwarded VNET2 and VNET3.
2. Packets from VNET2 can be routed to BOTH VNET1 and VNET3.
This is ensured by default parameter "Traffic forwarded from remote virtual network".
Please note, "Gateway Transit" parameter has nothing to do with this. Gateway might not even exist in this example.
upvoted 2 times

  itgg11 1 year, 11 months ago


Your 2nd answer is not correct.
upvoted 1 times

  itgg11 1 year, 11 months ago


tested in the lab. GW transit must be enabled to allow for routing packets between vnet3 and vnet2
upvoted 2 times

  im82 2 years, 2 months ago


Was on exam today 19.11.2021. Passed with 920.
Correct answer:
-VNET2 and VNET3
- VNET1 only
upvoted 4 times

  Takloy 2 years, 2 months ago


If we were to enable GW Transit, which VNET? Is it VNET1?
upvoted 1 times

  a4andrew 2 years, 3 months ago


What would happen if Gateway Transit was enabled?
upvoted 1 times

  walkwolf3 2 years, 3 months ago


Then all three vnets can talk to each other.
upvoted 2 times

  ScoutP 2 years, 4 months ago


This question was asked on exam taken on Sept 30, 2021
upvoted 3 times

  AubinBakana 2 years, 5 months ago


Easy :)
upvoted 1 times

  [Removed] 2 years, 7 months ago


Answer is correct, but explanation is not.
Gateway transit only applies when there is a VPN gateway created.
Since there is no mention of that, all that matters are the peerings between the Vnets.
Vnet1 -> Vnet2 and Vnet3
Vnet2 -> Vnet1
Vnet3 -> Vnet1
This means that Vnet2 cannot see Vnet3.
Am I wrong?
upvoted 5 times

amf 2 years, 6 months ago


You are right. Gateway transit only applies when there is a VPN gateway created. So the explanation given is not correct.
upvoted 1 times

Lazylinux 1 year, 7 months ago


You are absolutely right..
Gateway transit only applies when there is a VPN gateway created and Gateway transit is a peering property that lets one virtual
network use the VPN gateway in the peered virtual network for cross-premises or VNet-to-VNet connectivity hence really allows for
reduced cost and administrative effort since only one VPN GW to manage
upvoted 3 times

Chief 2 years, 9 months ago


Correct answer. Gateway transit is disabled so they only communicate with the connected VNETs
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-peering-gateway-transit
upvoted 3 times
Question #33 Topic 5

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have a computer named Computer1 that has a point-to-site VPN connection to an Azure virtual network named VNet1. The point-to-site connection uses a self-signed certificate.

From Azure, you download and install the VPN client configuration package on a computer named Computer2.

You need to ensure that you can establish a point-to-site VPN connection to VNet1 from Computer2.

Solution: You modify the Azure Active Directory (Azure AD) authentication policies.

Does this meet the goal?

A. Yes

B. No

Correct Answer: B

Instead export the client certificate from Computer1 and install the certificate on Computer2.

Note:

Each client computer that connects to a VNet using Point-to-Site must have a client certificate installed. You generate a client certificate from the self-signed root certificate, and then export and install the client certificate. If the client certificate is not installed, authentication fails.

Reference:

https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-certificates-point-to-site
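
The procedure in the note above (generate a client certificate from the self-signed root, export it, install it on the second computer), as an added example that is not part of the original page. The certificate names, file paths and password prompts are assumptions chosen for illustration.

```powershell
# Added example. Certificate names, file paths and the password prompts are
# assumptions for illustration; they do not come from the exam question.

# --- On Computer1 (where the working P2S connection was set up) -------------

# 1. Self-signed root certificate. Only its public part is uploaded to the
#    gateway's point-to-site configuration; the private key stays here.
$root = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
    -Subject 'CN=P2SRootCert' -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyUsageProperty Sign -KeyUsage CertSign

# 2. Client certificate signed by that root. The TextExtension sets the
#    Enhanced Key Usage to Client Authentication (OID 1.3.6.1.5.5.7.3.2).
$client = New-SelfSignedCertificate -Type Custom -DnsName 'P2SChildCert' `
    -KeySpec Signature -Subject 'CN=P2SChildCert' `
    -KeyExportPolicy Exportable -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -Signer $root -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.2')

# 3. Export the client certificate WITH its private key, password protected.
#    Without the private key the certificate cannot authenticate anything.
$pfxPath = Join-Path $env:USERPROFILE 'P2SChildCert.pfx'
$exportPassword = Read-Host -AsSecureString -Prompt 'Password for the PFX file'
Export-PfxCertificate -Cert $client -FilePath $pfxPath `
    -Password $exportPassword | Out-Null

# --- On Computer2 (after copying the .pfx over a trusted channel) ----------

# Returns the certificates in the user's store that can be used for the P2S
# connection: issued by the root, private key present, inside the validity
# window, and carrying the Client Authentication EKU.
function Test-P2SClientCertificate {
    param([string]$IssuerSubject = 'CN=P2SRootCert')
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'
    $now = Get-Date
    Get-ChildItem 'Cert:\CurrentUser\My' | Where-Object {
        $_.Issuer -eq $IssuerSubject -and
        $_.HasPrivateKey -and
        $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
        ($_.EnhancedKeyUsageList.ObjectId -contains $clientAuthOid)
    }
}

# 4. Import the client certificate into the current user's Personal store.
$copiedPfx = Join-Path $env:USERPROFILE 'P2SChildCert.pfx'   # assumed copy location
$importPassword = Read-Host -AsSecureString -Prompt 'Password for the PFX file'
Import-PfxCertificate -FilePath $copiedPfx `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -Password $importPassword | Out-Null

# 5. Check before trying to connect: no usable certificate means the VPN
#    client has nothing to present and authentication fails.
$usable = @(Test-P2SClientCertificate)
if ($usable.Count -gt 0) {
    $usable | Select-Object Subject, Thumbprint, NotAfter | Format-Table -AutoSize
} else {
    Write-Warning 'No usable P2S client certificate found in Cert:\CurrentUser\My'
}
```

The same client certificate on two computers is one shared credential: revoking its thumbprint on the gateway cuts off both. Issuing a separate client certificate per computer from the same root avoids that.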

Community vote distribution


B (100%)

mlantonis Highly Voted 2 years, 9 months ago

Correct Answer: B

Instead export the client certificate from Computer1 and install the certificate on Computer2.

A Point-to-Site (P2S) VPN gateway connection lets you create a secure connection to your virtual network from an individual client
computer. A P2S connection is established by starting it from the client computer. This solution is useful for telecommuters who want to
connect to Azure VNets from a remote location, such as from home or a conference. P2S VPN is also a useful solution to use instead of S2S
VPN when you have only a few clients that need to connect to a VNet. This article applies to the Resource Manager deployment model.
upvoted 92 times

mlantonis 2 years, 9 months ago


Reference:
https://docs.microsoft.com/en-us/azure/vpn-gateway/point-to-site-about
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-certificates-point-to-site
upvoted 14 times

Asymptote 1 year, 3 months ago


Mlantonis, pls make a cloud training platform,
you are really good at passing knowledge.
upvoted 13 times

SumanSaurabh 1 year, 2 months ago


I second, I took course from Cloud academy but was useless.
upvoted 3 times

Slawekyo 10 months, 3 weeks ago


Sounds about right huh
upvoted 1 times

SumanSaurabh 1 year, 2 months ago


Mlantonis if you are alive, God Bless You !!
upvoted 22 times

ZUMY Highly Voted 2 years, 11 months ago

B is correct:
Each client computer that connects to a VNet using Point-to-Site must have a client certificate installed. You generate a client certificate
from the self-signed root certificate, and then export and install the client certificate. If the client certificate is not installed, authentication
fails.
upvoted 21 times
margotfrpp Most Recent 9 months, 4 weeks ago

Selected Answer: B

Solution: You export the client certificate from Computer1 and install the certificate on Computer2.
upvoted 2 times

EmnCours 1 year, 5 months ago

Selected Answer: B

Correct Answer: B
upvoted 2 times

Lazylinux 1 year, 7 months ago

Selected Answer: B

I Luv Honey Because it is B

Given answer is correct and explanation correct as Certificate is needed


upvoted 1 times

InvisibleShadow 1 year, 11 months ago


This question came in the exam today 8/Mar/2022.
I passed the exam, 95% questions came from here.
upvoted 3 times

AubinBakana 2 years, 5 months ago


The solution was so dull I got confused for a moment. Who would think of that? haha...
upvoted 2 times

JayBee65 2 years, 8 months ago


"A client certificate that is generated from the root certificate. The client certificate installed on each client computer that will connect to
the VNet. This certificate is used for client authentication." - see https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-resource-manager-portal
upvoted 2 times

toniiv 2 years, 12 months ago


Answer B. is correct as well as the explanation.
upvoted 3 times

NickyDee 3 years, 1 month ago


Copy the cert from the first computer and install it on the 2nd
upvoted 2 times

fedztedz 3 years, 1 month ago


Answer is correct. B
upvoted 7 times

waterzhong 3 years, 1 month ago


Create a self-signed root certificate
Use the New-SelfSignedCertificate cmdlet to create a self-signed root certificate. For additional parameter information, see New-SelfSignedCertificate.
upvoted 5 times

DA0410 3 years, 4 months ago


B is correct
upvoted 10 times
Question #34 Topic 5

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have a computer named Computer1 that has a point-to-site VPN connection to an Azure virtual network named VNet1. The point-to-site connection uses a self-signed certificate.

From Azure, you download and install the VPN client configuration package on a computer named Computer2.

You need to ensure that you can establish a point-to-site VPN connection to VNet1 from Computer2.

Solution: You join Computer2 to Azure Active Directory (Azure AD).

Does this meet the goal?

A. Yes

B. No

Correct Answer: B

A client computer that connects to a VNet using Point-to-Site must have a client certificate installed.

Reference:

https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-certificates-point-to-site

Community vote distribution


B (100%)

mlantonis Highly Voted 2 years, 9 months ago

Correct Answer: B

A client computer that connects to a VNet using Point-to-Site must have a client certificate installed. Instead export the client certificate
from Computer1 and install the certificate on Computer2.

A Point-to-Site (P2S) VPN gateway connection lets you create a secure connection to your virtual network from an individual client
computer. A P2S connection is established by starting it from the client computer. This solution is useful for telecommuters who want to
connect to Azure VNets from a remote location, such as from home or a conference. P2S VPN is also a useful solution to use instead of S2S
VPN when you have only a few clients that need to connect to a VNet. This article applies to the Resource Manager deployment model.
upvoted 40 times

mlantonis 2 years, 9 months ago


Reference:
https://docs.microsoft.com/en-us/azure/vpn-gateway/point-to-site-about
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-certificates-point-to-site
upvoted 10 times

fedztedz Highly Voted 3 years, 1 month ago

Answer is correct No
upvoted 13 times

JayLearn2022 Most Recent 12 months ago

There are several versions of this question. The following are the correct and incorrect answers that can be presented.

Correct Answer: Meets the goal.


-Solution: You export the client certificate from Computer1 and install the certificate on Computer2.

Incorrect Answers: Does not meet the goal.


-Solution: You join Computer2 to Azure Active Directory (Azure AD).

-Solution: You modify the Azure Active Directory (Azure AD) authentication policies.
upvoted 6 times

EmnCours 1 year, 5 months ago


Selected Answer: B

Correct Answer: B
upvoted 2 times

Lazylinux 1 year, 7 months ago

Selected Answer: B

I Luv Honey Because it is B

Given answer is correct and explanation correct as Certificate is needed


upvoted 2 times

Olami2021 1 year, 8 months ago


Answer is No
upvoted 1 times

InvisibleShadow 1 year, 11 months ago


This question came in the exam today 8/Mar/2022.
I passed the exam, 95% questions came from here.
upvoted 3 times

im82 2 years, 2 months ago


Was on exam today 19.11.2021. Passed with 920.
Correct answer: B
upvoted 1 times

AubinBakana 2 years, 5 months ago


Haha... Easy
upvoted 1 times

anoj_cha 2 years, 4 months ago


What's the point of these comments in all these questions?
upvoted 6 times

oriduri 2 years, 9 months ago


B is Correct
upvoted 1 times

ZUMY 2 years, 11 months ago


B is Correct
A client computer that connects to a VNet using Point-to-Site must have a client certificate installed.
upvoted 2 times

toniiv 2 years, 12 months ago


Answer B. is correct as well as the explanation.
upvoted 2 times

Hibs2016 3 years, 2 months ago


B is correct. You need to install the certificate on computer2.
upvoted 5 times
Question #35 Topic 5

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an Azure subscription that contains 10 virtual networks. The virtual networks are hosted in separate resource groups.

Another administrator plans to create several network security groups (NSGs) in the subscription.

You need to ensure that when an NSG is created, it automatically blocks TCP port 8080 between the virtual networks.

Solution: You create a resource lock, and then you assign the lock to the subscription.

Does this meet the goal?

A. Yes

B. No

Correct Answer: B

Community vote distribution


B (83%) A (17%)

mlantonis Highly Voted 2 years, 9 months ago

Correct Answer: B - No

You need to use a custom policy definition, because there is not a built-in policy and Resource Lock is an irrelevant solution.

Reference:
https://docs.microsoft.com/en-us/azure/azure-policy/policy-definition
https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources?tabs=json
upvoted 86 times

arseyam Highly Voted 3 years, 4 months ago

An example of such policy is found here


https://markgossa.blogspot.com/2018/11/azure-policy-deny-inbound-rdp-from.html
upvoted 19 times

d0bermannn 2 years, 7 months ago


as they said there is more than one way to skin a cat, that is a developer style)
upvoted 1 times

_Paul_ Most Recent 1 month ago

Selected Answer: B

Resource lock is not applicable.


upvoted 1 times

CyberKelev 11 months, 3 weeks ago


No, creating a resource lock and assigning it to the subscription will not meet the goal of automatically blocking TCP port 8080 between
virtual networks when an NSG is created.

To achieve this goal, you can create an Azure Policy that enforces the required network security rule across all the virtual networks in the
subscription. The policy should specify the rule that blocks TCP port 8080 traffic between the virtual networks. When a new NSG is created,
it will automatically be associated with the policy, and the required network security rule will be enforced.

Resource locks are used to prevent accidental deletion or modification of Azure resources. They do not affect the behavior or
configuration of resources such as NSGs.
upvoted 4 times

cambis 11 months, 3 weeks ago

Selected Answer: B

Correct Answer: B
upvoted 2 times

sourabhg 1 year, 3 months ago

Selected Answer: A

correct
upvoted 1 times

  01111010 3 months, 1 week ago


It's the opposite of correct. Answer is 'B. No'.
upvoted 1 times

EmnCours 1 year, 5 months ago

Selected Answer: B

Correct Answer: B
upvoted 1 times

Lazylinux 1 year, 7 months ago

Selected Answer: B

I Luv Honey Because it is B


Lock has nothing to do with this situation, it is used on RG and resources
upvoted 1 times

AubinBakana 2 years, 5 months ago


haha... Common, please!
upvoted 2 times

ZUMY 2 years, 11 months ago


No is answer
upvoted 3 times

Aniruddha_dravyakar 2 years, 11 months ago


Lock is used to restrict creation or accidental deletion of any resource. .. I don't think it is used for blocking traffic
upvoted 3 times

StixxNSnares 2 years, 11 months ago


Correct - B
upvoted 3 times

I 2 years, 11 months ago


In NSG, create an inbound security rule that set TCP8080 -> Deny and the priority number should be smaller.
upvoted 4 times

toniiv 2 years, 12 months ago


Answer B. is correct. Nothing to do with RG locks
upvoted 5 times

macross 3 years ago


Allow-Deny 8080 (NSG) answer is correct
upvoted 2 times

asaz 3 years, 1 month ago


by default NSG blocks all the ports. it has to be explicitly defined which port to open.
upvoted 3 times

janshal 3 years, 1 month ago


There is no Connectivity Between different VNets so unless you connect them through VPN Gateway or Vnet Peering there will be No access
from any Ports so I say A

Tricky One
upvoted 1 times
Question #36 Topic 5

You have an Azure subscription named Subscription1. Subscription1 contains a virtual machine named VM1.

You have a computer named Computer1 that runs Windows 10. Computer1 is connected to the Internet.

You add a network interface named vm1173 to VM1 as shown in the exhibit. (Click the Exhibit tab.)

From Computer1, you attempt to connect to VM1 by using Remote Desktop, but the connection fails.

You need to establish a Remote Desktop connection to VM1.

What should you do first?

A. Change the priority of the RDP rule

B. Attach a network interface

C. Delete the DenyAllInBound rule

D. Start VM1

Correct Answer: D

Incorrect Answers:

A: Rules are processed in priority order, with lower numbers processed before higher numbers, because lower numbers have higher priority. Once traffic matches a rule, processing stops. RDP already has the lowest number and thus the highest priority.

B: The network interface has already been added to VM.

C: The Outbound rules are fine.

Reference:

https://docs.microsoft.com/en-us/azure/virtual-network/security-overview

Community vote distribution


D (100%)

prashantjoge Highly Voted 3 years, 2 months ago

nevertheless a stupid question


upvoted 179 times

j777 1 year, 11 months ago


So, if you're so smart what are you doing on this site?
upvoted 34 times

rupayan87 1 year, 2 months ago


I wonder how moderators approve these comments in the first place that has no value to add
upvoted 13 times

ki01 1 month, 4 weeks ago


the same way they approved about 100 comments on this exam from some guy telling to email him to get the "real questions" :).
there is no moderation, there's probably just a hold to give the illusion that someone looks at these before "approving".
upvoted 1 times

Codelawdepp 5 months, 3 weeks ago


Error number 1: Plug not inserted. As an administrator, you must also be capable of solving the simplest everyday puzzles and not
assume others possess your own technical skills. ;-)
upvoted 4 times

Takloy 2 years, 2 months ago


The more stupid questions they give, the higher chances of passing the exam!
upvoted 40 times

JD908 7 months, 3 weeks ago


If only the exam had mostly questions like "You'd like to start using Azure but you don't have a computer. You go out and buy a cat
does this solve the issue?"
upvoted 10 times

Kalzonee3611 4 months, 1 week ago


YES (upvote correct answer) :D:D
upvoted 2 times

tgrimm 7 months, 3 weeks ago


LOL. Too funny!
upvoted 2 times

mlantonis Highly Voted 2 years, 9 months ago


Correct Answer: D

Any resource with a dynamically assigned public IP address will display the 'name' you gave it when the resource it is assigned to is offline.
A static address will be shown regardless of the resource state. This means that we need to start the VM1.

A: RDP rule has the highest priority.


B: The network interface has already been added to VM1.
C: DenyAllInBound has really low priority.

Reference:

https://docs.microsoft.com/en-us/azure/virtual-network/security-overview
upvoted 147 times

klasbeatz 1 year, 7 months ago


Wouldn't you need to configure a public IP in order to RDP from the other computer to the VM? Or are you saying its only showing an
internal IP because the VM is not started?
upvoted 2 times

bur4an 1 year, 2 months ago


Azure GOD!
upvoted 7 times

Allfreen 2 years ago


Good Explanation
upvoted 3 times

nkhan19 1 year, 7 months ago


Excellent observation !
upvoted 2 times

c5ad307 Most Recent 2 weeks, 3 days ago

How do I even know if the VM is already started or not? No info is given.

It's just the only answer that makes sense


upvoted 1 times

Cobster98 7 months, 3 weeks ago


It says is "running windows 10" which makes me believe the vm is started. Also, there is no mention of what subnet or network your
computer is on, only that it has internet access, should there not be a public IP attached to this network interface??
upvoted 1 times

NaniCynic 8 months, 1 week ago


VM does not work in O-F-F mode:

Agree with answer D


upvoted 1 times

garmatey 9 months, 4 weeks ago


So what exactly is the "DenyAllInBound" rule doing?
upvoted 1 times
ki01 1 month, 4 weeks ago
exactly as it sounds. denies everything coming in. In general, it is desired that firewall would block everything that isn't approved. so
the idea of that rule is that you create other rules with higher priority ( lower number) which allow specific traffic that you want. for
example RDP and internet connections. when traffic comes in it gets evaluated from the top priority to bottom until a rule is found that
allows it or denies it in particular. so if there is a rule to allow rdp at the top, the RDP traffic comes in, the NSG goes through the list,
finds the RDP rule first and stops reading other rules because it already got a pass. vice versa if there wasn't an RDP rule, the NSG
would check all of the rules until it reached DenyALL and deny the connection based on that.

to put it simply, the denyall rule at the end is put in so you wouldn't have to type out a couple of hundred different ports that you want
to block and instead would need to allow just a couple of ports that you do actually need
upvoted 1 times
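
The priority-ordered evaluation described in the comment above, as an added example that is not part of the original thread. It is a simplified model: only protocol, source tag and destination port are matched, and the custom RDP rule with its priority of 300 is a constructed sample, since the exhibit is not reproduced on this page.

```powershell
# Added example: simplified model of how an NSG picks the rule for an inbound
# flow. Only protocol, source tag and destination port are matched; real NSGs
# also match address prefixes and source ports.

# True when $Port falls inside an NSG port expression: '*', '3389' or '8000-8100'.
function Test-PortInRange {
    param([string]$Range, [int]$Port)
    if ($Range -eq '*') { return $true }
    if ($Range -match '^(\d+)-(\d+)$') {
        return ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2])
    }
    return ([int]$Range -eq $Port)
}

# Walks the rules from the lowest priority number upwards and stops at the
# first match, which is the behaviour the thread describes.
function Get-NsgInboundDecision {
    param(
        [object[]]$Rules,
        [string]$Protocol,
        [string]$SourceTag,
        [int]$DestinationPort
    )
    foreach ($rule in ($Rules | Sort-Object -Property Priority)) {
        $protocolOk = ($rule.Protocol -eq '*') -or ($rule.Protocol -eq $Protocol)
        $sourceOk   = ($rule.Source -eq '*') -or ($rule.Source -eq $SourceTag)
        $portOk     = Test-PortInRange -Range $rule.DestinationPort -Port $DestinationPort
        if ($protocolOk -and $sourceOk -and $portOk) {
            return [pscustomobject]@{
                Access   = $rule.Access
                Rule     = $rule.Name
                Priority = $rule.Priority
            }
        }
    }
}

# The three default inbound rules every NSG carries.
$defaultRules = @(
    [pscustomobject]@{ Name = 'AllowVnetInBound'; Priority = 65000; Protocol = '*'
                       Source = 'VirtualNetwork'; DestinationPort = '*'; Access = 'Allow' }
    [pscustomobject]@{ Name = 'AllowAzureLoadBalancerInBound'; Priority = 65001; Protocol = '*'
                       Source = 'AzureLoadBalancer'; DestinationPort = '*'; Access = 'Allow' }
    [pscustomobject]@{ Name = 'DenyAllInBound'; Priority = 65500; Protocol = '*'
                       Source = '*'; DestinationPort = '*'; Access = 'Deny' }
)

# Constructed custom rule standing in for the RDP rule in the exhibit.
$rdpRule = [pscustomobject]@{ Name = 'RDP'; Priority = 300; Protocol = 'Tcp'
                              Source = '*'; DestinationPort = '3389'; Access = 'Allow' }

# Constructed sample flows.
$flows = @(
    @{ Label = 'RDP from Internet, RDP rule present'; Rules = @($defaultRules + $rdpRule)
       Protocol = 'Tcp'; SourceTag = 'Internet'; Port = 3389 }
    @{ Label = 'RDP from Internet, RDP rule absent'; Rules = $defaultRules
       Protocol = 'Tcp'; SourceTag = 'Internet'; Port = 3389 }
    @{ Label = 'TCP 8080 from Internet'; Rules = @($defaultRules + $rdpRule)
       Protocol = 'Tcp'; SourceTag = 'Internet'; Port = 8080 }
    @{ Label = 'TCP 8080 from the virtual network'; Rules = @($defaultRules + $rdpRule)
       Protocol = 'Tcp'; SourceTag = 'VirtualNetwork'; Port = 8080 }
)

$flows | ForEach-Object {
    $decision = Get-NsgInboundDecision -Rules $_.Rules -Protocol $_.Protocol `
        -SourceTag $_.SourceTag -DestinationPort $_.Port
    [pscustomobject]@{
        Flow        = $_.Label
        Access      = $decision.Access
        MatchedRule = $decision.Rule
        Priority    = $decision.Priority
    }
} | Format-Table -AutoSize
```

The model only decides which rule matches; it says nothing about whether the VM behind the interface is running, so an Allow result does not by itself mean the connection will succeed.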

Rams_84zO6n 10 months, 3 weeks ago

Selected Answer: D

"Computer1 is connected to the Internet." - that threw me off a bit. So it is configured to connect to internet but at this point is not actually
connected to internet because it is not running? never mind. Only D seems to be the best option compared to other options.
upvoted 1 times

morito 11 months, 1 week ago

Selected Answer: D

This question can be answered by rule of elimination:

A. Change the priority of the RDP rule --> Priority is already lowest so no need
B. Attach a network interface --> Question states its already attached so no need
C. Delete the DenyAllInBound rule --> Obviously never do that, but it would also not solve this because it has lowest priority by default
D. Start VM1 --> Remains as the only viable option
upvoted 5 times

_fvt 1 year, 1 month ago

Selected Answer: D

Correct Answer: D

You need to stop the VM before attaching a network interface, so starting the VM is the first you should do after attaching it:
https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface-vm

And anyways the other proposed answers are wrong:


A: wrong: RDP rule is correct and has Higher Priority than the Deny one.
B: wrong: We already have a network interface with a public IP attached and the correct NSG allowing RDP, adding another one will not
solve our issue.
C: wrong: You cannot delete a default rule, and this rule is a default one. And in all cases this rule has lower priority than the RDP one so
not an issue.
upvoted 4 times

matejka 1 year, 3 months ago


It's really important to know that IP address is displayed as a name rather than numerical representation for a not running machine. A
funny question indeed.
upvoted 7 times

MOSES3009 3 months ago


if the Ip were static, was displayed, and you not know if VM is started or stopped. When IP is dynamic, it cannot be displayed, cause will
be random assigned, WHEN VM is started. That is the indicator that the VM is stopped.
upvoted 1 times

EmnCours 1 year, 5 months ago

Selected Answer: D

Correct Answer: D
upvoted 1 times

Lazylinux 1 year, 7 months ago

Selected Answer: D

D is correct
upvoted 1 times

atilla 1 year, 11 months ago


Selected Answer: D

for C , you cannot delete the given rules


D is correct
upvoted 1 times

ron_azenkot 2 years ago


look i am no expert but i am pretty sure that to use something you need to start it
answer is d
upvoted 2 times

Sharathjogi 2 years, 1 month ago


Wow...common..question has to be like this :)
upvoted 1 times

TheBody 2 years, 2 months ago


This is not a question about knowing an obscure fact about whether a public IP address shows when a VM is on or off, it's a pure problem
solving question.
The RDP rule already has the highest priority so it can't be A or C.
The question states the network interface has been added and that's shown in the exhibit so it can't be B.
That leaves D. And if the virtual machine is not switched on then the symptom described (can't connect via RDP) would be present.
Even in Azure checking that stuff is plugged in and turned on is a good first troubleshooting step.
upvoted 7 times

ShockWaveSix 2 years, 3 months ago


Even in Azure... "Is it plugged in? Is it turned on?"
upvoted 7 times
Question #37 Topic 5

You have the Azure virtual machines shown in the following table.

A DNS service is installed on VM1.

You configure the DNS servers settings for each virtual network as shown in the following exhibit.

You need to ensure that all the virtual machines can resolve DNS names by using the DNS service on VM1.

What should you do?

A. Configure a conditional forwarder on VM1

B. Add service endpoints on VNET1

C. Add service endpoints on VNET2 and VNET3

D. Configure peering between VNET1, VNET2, and VNET3

Correct Answer: D

Virtual network peering enables you to seamlessly connect networks in Azure Virtual Network. The virtual networks appear as one for connectivity purposes. The traffic between virtual machines uses the Microsoft backbone infrastructure.

Incorrect Answers:

B, C: Virtual Network (VNet) service endpoint provides secure and direct connectivity to Azure services over an optimized route over the Azure backbone network.

Endpoints allow you to secure your critical Azure service resources to only your virtual networks. Service Endpoints enable private IP addresses in the VNet to reach the endpoint of an Azure service without needing a public IP address on the VNet.

Reference:

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview

Community vote distribution


D (100%)

mlantonis Highly Voted 2 years, 9 months ago

Correct Answer: D

Use Virtual network peering to connect virtual networks to be able to connect to other VMs in different VNETs. Virtual network peering
enables you to seamlessly connect networks in Azure Virtual Network. The virtual networks appear as one for connectivity purposes. The
traffic between virtual machines uses the Microsoft backbone infrastructure.

B, C: Virtual Network (VNet) service endpoint provides secure and direct connectivity to Azure services over an optimized route over the
Azure backbone network. Endpoints allow you to secure your critical Azure service resources to only your virtual networks. Service
Endpoints enables private IP addresses in the VNet to reach the endpoint of an Azure service without needing a public IP address on the
VNet.
upvoted 88 times

fedztedz Highly Voted 3 years, 1 month ago


Answer is correct. D.
Use Virtual network peering to connect virtual networks to be able to connect to other VMs in different VNETs
upvoted 75 times
devops_devops Most Recent 1 month ago

This question was in exam 15/01/24


upvoted 2 times

EmnCours 1 year, 5 months ago

Selected Answer: D

Correct Answer: D
upvoted 2 times

Lazylinux 1 year, 7 months ago

Selected Answer: D

D is correct and peering is required to reach the DNS


upvoted 1 times

EleChie 1 year, 8 months ago


Answer is correct D
But FYI ___ conditional forwarder is for external DNS not for internal (local) one " VM1 is Configured as Internal DNS Server"
upvoted 5 times

valkyrieShadow 1 year, 10 months ago


This article explains why connecting two networks using either S2S or Peering utilizes custom DNS configured on either the VNET or VNIC.
And explains precedence and how forwarding and recursive queries work in Azure networks. Link: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances#specify-dns-servers
upvoted 2 times

ra_aly 1 year, 11 months ago

Selected Answer: D

[D]- it's saying local DNS on VM1, conditional forwarder is external DNS not local so answer is D.
upvoted 2 times

ajayasa 1 year, 11 months ago


this question was there on 16/03/2022 with same question and passed with 900 percent
upvoted 2 times

pappkarcsiii 2 years ago

Selected Answer: D

Answer is correct. D.
a: A conditional forwarder is a configuration option in a DNS server that lets you define a DNS domain, such as contoso.com, to forward
queries to.
b-c no
upvoted 3 times

fabylande 2 years, 4 months ago


In exam today! October 16, 2021
upvoted 6 times

AubinBakana 2 years, 5 months ago


D does look like the best answer but there's a lot more to do after the peering.

Answer is correct
upvoted 3 times

bsdhjbfu3423asdfd 2 years, 7 months ago


Correct answer is A. Configure a conditional forwarder on VM1
Virtual Peering doesn't help to resolve DNS
upvoted 3 times

Mack279 2 years, 5 months ago


It does help, in what sense that you set the DNS server if you can't reach that virtual server hosting the dns server role in the first place?
So Peering is needed before everything else works for VM1 as the dns server.
upvoted 1 times

CloudyTech 2 years, 7 months ago


Answer is A
upvoted 1 times

ykmoh 2 years, 8 months ago


Correct answer is A. Configure a conditional forwarder on VM1
Virtual Peering doesn't help to resolve DNS
A conditional forwarder is a configuration option in a DNS server that lets you define a DNS domain, such
as contoso.com, to forward queries to. Instead of the local DNS server trying to resolve queries for records
in that domain, DNS queries are forwarded to the configured DNS for that domain
upvoted 3 times

ScreamingHand 2 years, 8 months ago


You would use a conditional forwarder to forward requests from one DNS server to another DNS server in a another namespace.
upvoted 4 times

d0bermannn 2 years, 7 months ago


but the devices can't reach the DNS server, so peering between vnets must be first
upvoted 5 times

armandolubaba 2 years, 8 months ago


Answer is correct. D.
upvoted 1 times

Aniruddha_dravyakar 2 years, 10 months ago


Enabling peering is must
upvoted 4 times
Question #38 Topic 5

HOTSPOT -

You have an Azure subscription that contains the Azure virtual machines shown in the following table.

You add inbound security rules to a network security group (NSG) named NSG1 as shown in the following table.

You run Azure Network Watcher as shown in the following exhibit.

You run Network Watcher again as shown in the following exhibit.


For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

Box 1: No -

It limits traffic to VM2, but not VM1 traffic.


Box 2: Yes -

Yes, the destination is VM2.

Box 3: No -

Reference:

https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works

mlantonis Highly Voted 2 years, 9 months ago

Correct Answer:

Box 1: No
NSG1 limits the traffic that is flowing into 172.16.2.0/24 (Subnet2), which host VM2.

Box 2: Yes
Since Network Watcher is showing that traffic from VM1 to VM2 is not reaching on the TCP port, that means that NSG1 is applied to VM2.
We can understand for sure, that it is not applied to VM1.

Box 3: Yes
In Network Watcher, you can see that the next hop is the destination VM2. This means that they are part of the same virtual network.
upvoted 199 times

Dunkelheit 1 year, 3 months ago


Box 1: Agree
Box 2: No - The TCP rule is an inbound rule which states that traffic is allowed to VM2 if it comes from VM1. It has higher priority than
the TCP - Deny rule. So if the rule would apply to VM2, the traffic via port 8080 should succeed, IF there is something on VM2 using Port
8080.
upvoted 27 times

deepeshukla 11 months, 3 weeks ago


Agree with this. It should be NNY
upvoted 11 times

Penguinyo 2 years ago


Box 2 - what if the 8080 port on VM2 was not open on any service ?
upvoted 7 times

dave160222 1 year, 9 months ago


We can't say for sure if VM2 is listening on tcp port 8080. But if you ignore rule 100, and pretend you did not see it, then you can still
answer the question. VM1 can ping VM2 and rule 101 would block ICMP from vm1 to vm2. So the NSG is not applied (and it does not
matter what TCP ports VM2 is listening on)
upvoted 2 times

hebbo777 3 months, 3 weeks ago


both rules are for TCP
Ans: N,N,Y
1. rule is for inbound the traffic is outgoing from VM1 - so doesn't matter and it was succeeded to go
2. if NSG1 applied to VM2; then rule 100 should applied and allow traffic from VM1-VM2 for TCP 808
3. Yes, since both in same VNET they can communicate by default and next hop for ICMP showing VM2
upvoted 3 times

ValB 1 month, 2 weeks ago


Rule 101 is for TCP, not ICMP. TCP and ICMP are different protocols. So rule 101 does not apply to ICMP. However, the question
from my side is the following: does NSG block ICMP when there is nothing about ICMP in the shown table? Should we understand
that when these rules were added, there is still there the default rule at the end (with 65k priority) that blocks everything?
Because if there is, then it should have blocked the ICMP, which would mean that this NSG is not applied to VM2.
upvoted 1 times

ValB 1 month, 2 weeks ago


Sorry, correction: actually ICMP is allowed by default within a VNET.
upvoted 1 times

  matt_dns 2 years, 1 month ago


I agree box 2 is Yes but not because of anything network watcher is showing, network watcher contradicts the NSG. Rather I read this
as another cruel question that simply means the NSG would affect routing for VM2 were it applied, it clearly hasn’t been applied here
(unless there’s a subnet NSG we know nothing about which we have to assume there isn’t).
upvoted 6 times

  _punky_ 2 years, 1 month ago


Ans: NNY. Box 2: yes the NSG1 should be applied to VM2 to allow correct communication as it is in exhibit2. But there is problem the
VM1 cannot connect to VM2. On last image we can see that VM1 is reachable from VM2.
Therefore the conclusion of this is NSG1 hasn't been applied yet.
upvoted 16 times

  NalChi 1 year, 12 months ago


I agree with his opinion. NSG1 only allows TCP traffic but its ICMP communication succeeded: it means VM2 does not apply to NSG1
upvoted 8 times

  GenjamBhai 1 year, 8 months ago


YYY

NSG is limiting/blocking VM1 traffic to VM2


VM1 traffic cannot reach VM2 so NSG inbound rules applied on VM2
VMs in vnet can communicate by default i.e. ICMP working
upvoted 3 times

  Andersonalm Highly Voted  3 years, 2 months ago

N-Y-Y
upvoted 43 times

  JayBee65 2 years, 8 months ago


Please explain why you say this.
upvoted 2 times

  signalincode 2 years, 5 months ago


This answer is wrong.
upvoted 3 times

  signalincode 2 years, 5 months ago


2nd question asks if NSG is applied to VM2. The NSG allows all TCP traffic from VM1 subnet to VM2 subnet, yet TCP connectivity test
on port 8080 is showing unreachable from VM1. The image also shows ICMP traffic is reaching and returning from VM2 to VM1.
Therefore, the NSG is not applied to VM2.
upvoted 11 times

  Ali1982 2 years ago


icmp is not the tcp/udp
upvoted 4 times

  hebbo777 Most Recent  3 months, 3 weeks ago


both rules are for TCP
Ans: N,N,Y
1. rule is for inbound the traffic is outgoing from VM1 - so doesn't matter and it was succeeded to go
2. if NSG1 applied to VM2; then rule 100 should applied and allow traffic from VM1-VM2 for TCP 808
3. Yes, since both in same VNET they can communicate by default and next hop for ICMP showing VM2
upvoted 2 times

  emanresu 4 months, 1 week ago


My guess
N - not applying to VM1
Y - Applying to VM2
Y - Internet Control Message Protocol (ICMP) is a protocol that devices "within a network" use to communicate problems with data
transmission.
upvoted 3 times

  conip 5 months ago


3rd option - NO
it's vnet peering so next-hop type in Diagnostic tests is = "VirtualNetworkPerring" but hop by hop details show next hop for VM1 actual
IP address of VM2 likewise it's directly connected network

tested in LAB
upvoted 2 times

  GoldenDisciple2 6 months ago


1. No - Inbound rules apply to its destination which is VM2 (172.16.2.0/24). NSG1 is not actively limiting VM1's traffic only what is allowed
to the destination which is VM2.
2. Yes - Same explanation.
3. Yes - Network Watcher configuration shows a next hop of 172.16.2.4 which is the IP of VM2 so they must be in the same VNet.
upvoted 2 times

  Josete1106 6 months, 4 weeks ago


N Y Y is correct!
upvoted 3 times

  garmatey 9 months, 4 weeks ago


ok so based on this comment section I will be purely guessing on this question...
upvoted 23 times

  GoldenDisciple2 6 months ago


LMAO hilarious.
upvoted 1 times

  ericZX 10 months, 1 week ago


my thinking:
NSG1 is working on subnet level.
Box1: No, NSG1 is not limiting Subnet1 or VM1's traffic
Box2: Yes, VM2's IP is in 172.16.2.0/24 (Subnet2). Regarding the unreachable TCP test, I am assuming there is another Nic level NSG on
VM2 (blocking TCP traffic)
upvoted 2 times

  Goofer 10 months, 2 weeks ago


NNY

As per first Network Watcher test, TCP connection from VM1 to VM2 did not succeed. NSG1 specifically allows VM1 subnet to connect to
VM2 subnet on TCP.
As per second Network Watcher test is working but NSG1 blocks ICMP
So NSG1 was NOT applied to VM2 or its subnet.

1) NSG1 if applied to VM1 or its subnet will limit VM1 traffic. It will allow TCP traffic only to VM2 subnet, rest is denied.(ICMP also)

2) NSG1 was not applied to VM2 as per second Network Watcher test, ICMP connection from VM1 to VM2 did succeed.

3) Next hop is VM2 IP which implies they are part of the same vnet.
upvoted 8 times

  Hillah 4 months ago


Well explained
upvoted 1 times

  TinyRunner 6 months, 2 weeks ago


Your assumption is taken based on an outbound rule when the problem states that's an inbound rule.
upvoted 1 times

  quocdunginfo2 7 months, 2 weeks ago


I agreed that "Box 2 should be No" because ICMP from VM1 to VM2 succeeded
upvoted 1 times

  Mnguyen0503 5 months, 2 weeks ago


As far as we know, there's a chance that vm2 is not set up to listen on port 8080, that's a non well-known port anyway. Icmp is a
different story. So 2 can be Y.
upvoted 2 times

  liza1234 11 months ago


box1: Yes
NSG1 limits the traffic to only TCP that's why network watcher status is UNREACHABLE.
ICMP is not a TCP traffic. It is also not UDP.
Thus, protocol should be set to ANY.
ANY basically means allowing ALL traffic.
box2: Yes
box3: Yes
upvoted 1 times

  liza1234 11 months ago


correct answer: Y-Y-Y

box1: Yes
NSG1 limits the traffic to only TCP that's why network watcher status is UNREACHABLE.
ICMP is not a TCP traffic. It is also not UDP.
Thus, protocol should be set to ANY.
ANY basically means allowing ALL traffic.

box2: Yes

box3: Yes
upvoted 1 times

  msingh20 12 months ago


No - NSG1 only limits traffic to subnet 2 (which vm2 is on)
No - If it did apply the connection would succeed as the rule allows the subnet of VM1 to reach the subnet of VM2.
No- net watcher confirms this
No
upvoted 1 times

  GBAU 1 year ago


Here is my take:

Box 1: No
Neither of the Inbound rules in the NSG limit traffic to 172.16.1.0/24 subnet where VM1 lives.

Box 2: No*
Actually not enough information to know either way. Both tests are from Subnet 172.16.1.0/24 to 172.16.2.0/24. Nothing in the NSG1
blocks traffic between the two subnets (given the Allow has a higher priority to the Deny and they are both scoped for the same
Ports/Protocol), which is also the same result as if they were in the same VNET with no NSG applied to anything anyway.

*I would say No though because the rule is defined to the Subnet, not the IP of the VM, which implies it's designed to apply at the Subnet
level. It is grasping at straws but that's all we have. There is no other way to answer this question.

Box 3: Yes
I don't think anyone disagrees on this.
upvoted 3 times

  JDWaters 1 year ago


Box 1: interesting wording. note that it doesn’t say NSG1 limits traffic “To” VM1 or “From” VM1. It just says “NSG1 limits VM1 Traffic”. I gotta
go with YES on this one, but I question whether the folks that came up with this question were more interested in playing word games,
than testing our knowledge of Azure.

Box 2: Yes

Box 3: Yes, I gotta agree with mlantonis. In Network Watcher you can see that the next hop from VM1 is VM2, so…….
upvoted 2 times

  klexams 1 year, 3 months ago


N
NSG is inbound and destination is VM2/subnet2. So doesn't apply to vm1 but does it limit the traffic? No coz the nsg does not apply to
anywhere.
N. VM1 should reach VM2 if the nsg applies.
Y. Next hop reachable is the proof
upvoted 7 times

  bdumois 1 year, 4 months ago


YYY
1) NSG1 limits traffic from VM1 to VM2 subnet, so it applies to VM1.
2) NSG1 limits traffic VM1 to VM2 subnet, so it applies to VM2.
3) successful ping implies they are part of the same vnet, different subnets.
upvoted 4 times
Question #39 Topic 5

You have the Azure virtual network named VNet1 that contains a subnet named Subnet1. Subnet1 contains three Azure virtual machines. Each virtual machine has a public IP address.

The virtual machines host several applications that are accessible over port 443 to users on the Internet.

Your on-premises network has a site-to-site VPN connection to VNet1.

You discover that the virtual machines can be accessed by using the Remote Desktop Protocol (RDP) from the Internet and from the on-premises network.

You need to prevent RDP access to the virtual machines from the Internet, unless the RDP connection is established from the on-premises network. The solution must ensure that all the applications can still be accessed by the Internet users.

What should you do?

A. Modify the address space of the local network gateway

B. Create a deny rule in a network security group (NSG) that is linked to Subnet1

C. Remove the public IP addresses from the virtual machines

D. Modify the address space of Subnet1

Correct Answer: B

You can use a site-to-site VPN to connect your on-premises network to an Azure virtual network. Users on your on-premises network connect by using the RDP or SSH protocol over the site-to-site VPN connection. You don't have to allow direct RDP or SSH access over the internet.

Reference:

https://docs.microsoft.com/en-us/azure/security/fundamentals/network-best-practices

Community vote distribution


B (100%)

  mlantonis Highly Voted  2 years, 9 months ago

Correct Answer: B

You can use a site-to-site VPN to connect your on-premises network to an Azure virtual network. Users on your on-premises network
connect by using the RDP or
SSH protocol over the site-to-site VPN connection. You have to deny direct RDP or SSH access over the internet through an NSG.

Reference:

https://docs.microsoft.com/en-us/azure/security/fundamentals/network-best-practices
upvoted 89 times

  jmartinezm Highly Voted  3 years, 4 months ago


Definitely B. A makes no sense
upvoted 35 times

  MorningCoffee Most Recent  4 months, 3 weeks ago

None of these answers make any sense. The subnet is a private IP range. You would have to associate the NSG with each NIC for the rules
to affect the public IP address assigned to each NIC on each VM. Also, you'd probably use a Firewall if you weren't retarded.
upvoted 1 times

  FlowerChoc1 10 months ago


Cleared the exam on 04/12/2023. This question came up. Make sure to read the comments in the discussion. It's really helpful.
upvoted 4 times

  djgodzilla 10 months, 3 weeks ago


Selected Answer: B

exp: removing Public IPs will prevent the applications access on port 443 to users on the internet which is a requirement. Deny rule is a
more appropriate solution
upvoted 1 times

  DeBoer 1 year ago

Selected Answer: B

Yes, it's B. Obviously.

But these MS answers re: NSGs are seriously leading newer folks into dangerous territory: you DO NOT create Deny rules for specific
ports. Instead, DENY everything - and only open what you NEED.
Anything else is a disaster waiting to happen - especially in this scenario with machines directly facing the internet...

TL/DR: answer B for the test but do the right thing in a real environment
upvoted 5 times

  djgodzilla 1 year, 1 month ago


B - but I don't think it's that straightforward.
I might be wrong , but I see it more like : adding 2 rules
1. high prio allow RDP from gateway CIDR
2. (above prio -1 )deny RDP from internet.
upvoted 2 times

  EmnCours 1 year, 5 months ago

Selected Answer: B

Correct Answer: B
upvoted 1 times

  Jey117 1 year, 7 months ago

Selected Answer: B

- You wake up.


- VNet1 contains a subnet named Subnet1.
- Subnet1 contains three Azure virtual machines.
- Each virtual machine has a public IP address.
- You drink some coffee.
- The virtual machines host several applications that are accessible over port 443 to users on the Internet.
- You make a sandwich.
- Your on-premises network has a site-to-site VPN connection to VNet1.
- You discover that the virtual machines can be accessed by using the Remote Desktop Protocol (RDP) from the Internet and from the on-premises network.
- You travel to the moon for vacations.
- You need to prevent RDP access to the virtual machines from the Internet, unless the RDP connection is established from the on-premises network.
- When you are back you receive a medal.
- You figure out how to overcome speed of light.
- The solution must ensure that all the applications can still be accessed by the Internet users.
upvoted 8 times

  Lazylinux 1 year, 7 months ago

Selected Answer: B

I Luv Honey Because it is B


upvoted 3 times

  cloudera 1 year, 8 months ago

Selected Answer: B

Correct answer is: Deny direct RDP or SSH access through an NSG.

You do need public IPs for the VMs mainly because internet users need to be able to reach the VM via TCP 443. If LB is in place/mentioned,
the VM won't necessarily need public IP.
upvoted 3 times

  patoalcorta 2 years, 8 months ago


Definitely B. Why would anyone think of A?
upvoted 4 times

  raulgar 2 years, 10 months ago


B is correct, configure an NSG rule. C can't be because the VMs need access through the internet
upvoted 2 times

  tux_alket 2 years, 11 months ago


I would say B is the correct Answer
upvoted 3 times

  allray15 2 years, 11 months ago


Tested - B correct and only place where you can allow source which can connect to RDP.
upvoted 2 times

  mg 2 years, 11 months ago


Answer is correct.
Create a deny rule in NSG connected to subnet1
upvoted 2 times

  ZUMY 2 years, 11 months ago


B is correct.
add a port 3389 blocking rule to NSG in Vnet
upvoted 3 times
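Added example, not part of the original thread or the exam answer: a small model of how an NSG picks the first matching inbound rule by priority, run against the Question #39 scenario. It compares the deny rule from answer B, the same rule placed at the wrong priority, and the allow-list approach raised in the comments. The address ranges, rule names and priorities are constructed assumptions, and the service-tag handling is simplified (VirtualNetwork covers the VNet plus the VPN-connected on-premises range, Internet is everything else, all traffic is treated as TCP).

```python
import ipaddress
from dataclasses import dataclass

# Constructed address plan: assumptions for illustration, not values from the page.
VNET1 = ipaddress.ip_network("10.1.0.0/16")
ON_PREM = ipaddress.ip_network("192.168.0.0/16")  # reached over the site-to-site VPN


@dataclass(frozen=True)
class Rule:
    priority: int  # lower number is evaluated first
    name: str
    source: str    # "*", a service tag, or a CIDR
    port: str      # "*" or a single destination port
    access: str    # "Allow" or "Deny"


def source_matches(rule_source: str, src_ip: str) -> bool:
    """Simplified tag model: VirtualNetwork = VNet + connected on-premises."""
    ip = ipaddress.ip_address(src_ip)
    in_vnet_tag = ip in VNET1 or ip in ON_PREM
    if rule_source == "*":
        return True
    if rule_source == "VirtualNetwork":
        return in_vnet_tag
    if rule_source == "Internet":
        return not in_vnet_tag
    return ip in ipaddress.ip_network(rule_source)


# Default inbound rules every NSG carries (AllowAzureLoadBalancerInBound
# at 65001 is omitted because no probe below comes from the load balancer).
DEFAULT_RULES = [
    Rule(65000, "AllowVnetInBound", "VirtualNetwork", "*", "Allow"),
    Rule(65500, "DenyAllInBound", "*", "*", "Deny"),
]


def evaluate(custom_rules, src_ip, port):
    """Return (access, rule name) of the first rule that matches, by priority."""
    for rule in sorted(custom_rules + DEFAULT_RULES, key=lambda r: r.priority):
        if source_matches(rule.source, src_ip) and rule.port in ("*", str(port)):
            return rule.access, rule.name
    raise AssertionError("unreachable: DenyAllInBound matches everything")


# Constructed probes: one Internet client and one on-premises admin host.
PROBES = {
    "internet_https": ("203.0.113.10", 443),
    "internet_rdp": ("203.0.113.10", 3389),
    "onprem_rdp": ("192.168.5.20", 3389),
}


def probe(custom_rules):
    return {name: evaluate(custom_rules, ip, port)[0]
            for name, (ip, port) in PROBES.items()}


ALLOW_HTTPS = Rule(100, "Allow-HTTPS", "*", "443", "Allow")
ALLOW_RDP_ANY = Rule(200, "Allow-RDP-Any", "*", "3389", "Allow")

# State described in the question: RDP reachable from everywhere.
BEFORE = [ALLOW_HTTPS, ALLOW_RDP_ANY]

# Answer B: deny RDP from Internet, evaluated before the broad allow.
OPTION_B = BEFORE + [Rule(150, "Deny-RDP-Internet", "Internet", "3389", "Deny")]

# Same deny rule, but with a higher number than the allow: it never fires.
MISORDERED = BEFORE + [Rule(300, "Deny-RDP-Internet", "Internet", "3389", "Deny")]

# Allow-list alternative: no broad RDP allow, DenyAllInBound does the blocking.
ALLOW_LIST = [ALLOW_HTTPS,
              Rule(110, "Allow-RDP-OnPrem", str(ON_PREM), "3389", "Allow")]


if __name__ == "__main__":
    for label, rules in [("before", BEFORE), ("option B", OPTION_B),
                         ("misordered", MISORDERED), ("allow-list", ALLOW_LIST)]:
        print(f"{label:11s} {probe(rules)}")
```

Option B and the allow-list give the same result for these three probes, but in the allow-list the Internet RDP attempt is stopped by DenyAllInBound, so any port not explicitly opened is blocked as well.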
Question #40 Topic 5

You have an Azure subscription that contains the resources in the following table.

Subnet1 is associated to VNet1. NIC1 attaches VM1 to Subnet1.

You need to apply ASG1 to VM1.

What should you do?

A. Associate NIC1 to ASG1

B. Modify the properties of ASG1

C. Modify the properties of NSG1

Correct Answer: A

Application Security Group can be associated with NICs.

References:

https://docs.microsoft.com/en-us/azure/virtual-network/security-overview#application-security-groups

Community vote distribution


A (100%)

  bogdan89 Highly Voted  3 years, 2 months ago

Full explanation:
Correct Answer is A:

Associate Virtual Machines


An application security group is a logical collection of virtual machines (NICs). You join virtual machines to the application security group,
and then use the application security group as a source or destination in NSG rules.

The Networking blade of virtual machine properties has a new button called Configure The Application Security Groups for each NIC in the
virtual machine. If you click this button, a pop-up blade will appear and you can select which (none, one, many) application security groups
that this NIC should join, and then click Save to commit the change.

https://petri.com/understanding-application-security-groups-in-the-azure-portal#:~:text=You%20can%20start%20the%20process,Application%20Security%20Group%20blade%20appears.
upvoted 118 times

  mlantonis Highly Voted  2 years, 9 months ago

Correct Answer: A

Application security groups enable you to configure network security as a natural extension of an application's structure, allowing you to
group virtual machines and define network security policies based on those groups. You can reuse your security policy at scale without
manual maintenance of explicit IP addresses. The platform handles the complexity of explicit IP addresses and multiple rule sets, allowing
you to focus on your business logic.

Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/application-security-groups
https://tutorialsdojo.com/network-security-group-nsg-vs-application-security-group
upvoted 77 times

  DeBoer Most Recent  1 year ago

Selected Answer: A

You can use the Networking blade of the virtual machine to add a machine to one or more ASGs
upvoted 1 times

  EmnCours 1 year, 5 months ago


Selected Answer: A

Correct Answer: A

https://docs.microsoft.com/en-us/azure/virtual-network/application-security-groups
upvoted 3 times
  Lazylinux 1 year, 7 months ago

Selected Answer: A

A is correct
An application security group is a logical collection of virtual machines (NICs). You join virtual machines to the application security group,
and then use the application security group as a source or destination in NSG rules.
upvoted 3 times

  AubinBakana 2 years, 5 months ago


ASG are not much covered in the Learn module, not that I remember. Answer is correct
upvoted 5 times

  mg 2 years, 11 months ago


Answer is correct.
Application security group ASG can be associated with NIC
upvoted 4 times

  ZUMY 2 years, 11 months ago


A is answer
Associate Virtual Machines
An application security group is a logical collection of virtual machines (NICs). You join virtual machines to the application security group,
and then use the application security group as a source or destination in NSG rules.

The Networking blade of virtual machine properties has a new button called Configure The Application Security Groups for each NIC in the
virtual machine. If you click this button, a pop-up blade will appear and you can select which (none, one, many) application security groups
that this NIC should join, and then click Save to commit the change.

https://petri.com/understanding-application-security-groups-in-the-azure-portal#:~:text=You%20can%20start%20the%20process,Application%20Security%20Group%20blade%20appears.
upvoted 5 times

  aMiPL 3 years ago


ASG cannot only be added to NIC so the only option according to MS docs.
upvoted 2 times

  ckyap 3 years ago


Came in exam 1st Feb 2021. Selected A
upvoted 5 times

  waterzhong 3 years ago


All network interfaces assigned to an application security group have to exist in the same virtual network that the first network interface
assigned to the application security group is in. For example, if the first network interface assigned to an application security group
named AsgWeb is in the virtual network named VNet1, then all subsequent network interfaces assigned to ASGWeb must exist in VNet1.
You cannot add network interfaces from different virtual networks to the same application security group.
upvoted 5 times

  macross 3 years ago


Good explanation - thank you.
upvoted 1 times

  Hardikm007 3 years, 1 month ago


ASG are NOT in exams. Check on site.
upvoted 4 times

  fedztedz 3 years, 1 month ago


Answer is correct. "A"
ASG is a virtual grouping of VMs through their NIC. Accordingly, you need to connect NIC to ASG.
upvoted 18 times

  waterzhong 3 years, 1 month ago


Application security groups enable you to configure network security as a natural extension of an application's structure, allowing you to
group virtual machines and define network security policies based on those groups
upvoted 4 times

  chenmat 3 years, 2 months ago


Answer: A

Refer https://tutorialsdojo.com/network-security-group-nsg-vs-application-security-group/
upvoted 5 times

  Andersonalm 3 years, 2 months ago


Answer C
upvoted 1 times

  jelly_baby 3 years, 2 months ago


Don't spam answers without an explanation. Everyone's saying A but you say C but don't explain why? Shut up.
upvoted 61 times
  az104bd 2 years, 11 months ago
I can feel that brother !!!!! :D
upvoted 3 times

  antonio_ferraz 3 years, 2 months ago


Answer A.
In the previous picture, NIC1 and NIC2 are members of the AsgWeb application security group. NIC3 is a member of the AsgLogic
application security group. NIC4 is a member of the AsgDb application security group. Though each network interface in this example is a
member of only one network security group, a network interface can be a member of multiple application security groups, up to the Azure
limits. None of the network interfaces have an associated network security group. NSG1 is associated to both subnets and contains the
following rules:
https://docs.microsoft.com/en-us/azure/virtual-network/application-security-groups
upvoted 4 times
Question #41 Topic 5

You have an Azure subscription named Subscription1 that contains an Azure virtual network named VNet1. VNet1 connects to your on-premises network by using Azure ExpressRoute.

You plan to prepare the environment for automatic failover in case of ExpressRoute failure.

You need to connect VNet1 to the on-premises network by using a site-to-site VPN. The solution must minimize cost.

Which three actions should you perform? Each correct answer presents part of the solution.

NOTE: Each correct selection is worth one point.

A. Create a connection

B. Create a local site VPN gateway

C. Create a VPN gateway that uses the VpnGw1 SKU

D. Create a gateway subnet

E. Create a VPN gateway that uses the Basic SKU

Correct Answer: ADE

Reference:

https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-portal

Community vote distribution


ABC (84%) Other

  mlantonis Highly Voted  2 years, 9 months ago

Correct Answer: A, B and C

For a site to site VPN, you need:


- a local gateway
- a gateway subnet
- a VPN gateway
- a connection to connect the local gateway and the VPN gateway

However, the question states that VNet1 connects to your on-premises network by using Azure ExpressRoute. For an ExpressRoute
connection, VNET1 must already be configured with a gateway subnet so we don't need another one.

Note: BasicSKU cannot coexist with ExpressRoute. You must use a non-Basic SKU gateway for both the ExpressRoute gateway and the VPN
gateway.
upvoted 177 times

  mlantonis 2 years, 9 months ago


Reference:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-portal
https://azure.microsoft.com/es-es/pricing/details/vpn-gateway
upvoted 20 times

  cloudera 1 year, 8 months ago


The question asked to pick 3 options. I believe a correct answer can also be BCD as well.
upvoted 3 times

  Leandroalonso Highly Voted  3 years, 2 months ago

Vnet1 is already connected by ExpressRoute, which we presume that the subnet gateway was already created.
SKU need to be VpnGw1 because Basic does not coexist with ExpressRoute.

So, answers should be A, B and C.


upvoted 137 times

  Hibs2016 3 years, 2 months ago


Do you have a link for Basic not working with ExpressRoute?
upvoted 1 times

  jimmyli 3 years, 1 month ago


here: https://docs.microsoft.com/en-us/azure/expressroute/expressroute-howto-coexist-resource-manager
in which it reads, "Next, create your Site-to-Site VPN gateway. For more information about the VPN gateway configuration, see
Configure a VNet with a Site-to-Site connection. The "GatewaySku is only supported for VpnGw1, VpnGw2, VpnGw3, Standard, and
HighPerformance VPN gateways. ExpressRoute-VPN Gateway coexist configurations are not supported on the Basic SKU. The
VpnType must be RouteBased."
upvoted 18 times

  irosh412 2 years, 9 months ago


https://docs.microsoft.com/en-us/azure/expressroute/expressroute-howto-coexist-resource-manager#add
upvoted 2 times

  QiangQiang 3 years ago


I think you are 100% right
upvoted 6 times

  VladanO 1 year, 8 months ago


You're right.
answer: A,B,C
See link https://docs.microsoft.com/en-us/azure/expressroute/expressroute-howto-coexist-resource-manager
"ExpressRoute-VPN Gateway coexist configurations are not supported on the Basic SKU."
upvoted 2 times

  CHOKRIBS88 Most Recent  4 months ago


Can this question appear in the exam after the new update of July 2023?
upvoted 3 times

  yoursminetoo 4 months, 4 weeks ago


Answer is B,C,D
upvoted 1 times

  Sri944 7 months, 1 week ago


Yes, a VPN gateway with the VPNGW1 SKU (Virtual Network Gateway SKU) can coexist with ExpressRoute.

Azure allows for the coexistence of VPN gateways and ExpressRoute connections within the same virtual network. This configuration is
known as "VPN coexistence" or "VPN ExpressRoute coexistence." It enables you to have both VPN-based connectivity and ExpressRoute
connectivity to your Azure resources, providing flexibility and redundancy.
upvoted 1 times

  quocdunginfo2 7 months, 2 weeks ago


Selected Answer: ABC

BasicSKU cannot coexist with ExpressRoute. You must use a non-Basic SKU gateway for both the ExpressRoute gateway and the VPN
gateway.
upvoted 1 times

  Exilic 8 months, 1 week ago

Selected Answer: BDE

OpenAI

"To connect VNet1 to the on-premises network using a site-to-site VPN while minimizing cost, you should perform the following three
actions:

B. Create a local site VPN gateway: A local site VPN gateway represents the on-premises VPN device. By creating a local site VPN gateway,
you can establish a connection between your on-premises network and Azure.

D. Create a gateway subnet: The gateway subnet is a subnet dedicated to hosting the VPN gateway. You need to create a gateway subnet
within VNet1 to deploy the VPN gateway.

E. Create a VPN gateway that uses the Basic SKU: The Basic SKU is the most cost-effective option for a VPN gateway. It provides the
necessary functionality for site-to-site connectivity between your on-premises network and Azure.

So, the correct actions to perform are B, D, and E."


upvoted 1 times

  Exilic 8 months, 1 week ago


Me
Does basic SKU support express route

ChatGPT

I apologize for the confusion in my previous response. The Basic SKU does not support ExpressRoute connectivity. It only supports site-to-site VPN connectivity.

If you want to prepare the environment for automatic failover in case of ExpressRoute failure, you would need to use the High
Performance or Ultra Performance SKU for the VPN gateway.

Therefore, the correct actions to perform in this scenario would be:

A. Create a connection: This refers to creating a connection object that represents the link between your virtual network and the on-premises network.

C. Create a VPN gateway that uses the VpnGw1 SKU: This SKU supports ExpressRoute connectivity and provides the necessary
performance and capabilities for automatic failover in case of ExpressRoute failure.
D. Create a gateway subnet: A gateway subnet is required to host the VPN gateway.

So, the correct actions to perform are A, C, and D.


upvoted 1 times

  Rams_84zO6n 10 months, 3 weeks ago

Selected Answer: ABC

It can't be D or E. Since express route exist already, it must have a gateway subnet. BasicSKUs can't co-exist with express route gateway.
https://learn.microsoft.com/en-us/azure/expressroute/expressroute-howto-coexist-resource-manager
upvoted 2 times

  wolf13 11 months, 4 weeks ago


Create a local site VPN gateway
This will allow you to provide the local gateway settings, for example public IP and the on-premises address space, so that the Azure VPN
gateway can connect to it.
Create a Connection
You need to link the ExpressRoute gateway to the ExpressRoute circuit. After this step has been completed, the connection between your
on-premises network and Azure through
ExpressRoute will be established.
Create a VPN gateway that uses the VpnGw1 SKU
The GatewaySku is only supported for VpnGw1, VpnGw2, VpnGw3, Standard, and HighPerformance VPN gateways. ExpressRoute-VPN
Gateway coexist configurations are not supported on the Basic SKU. The VpnType must be RouteBased.
upvoted 1 times

  Notteb 1 year ago


Selected Answer: ABC

Following mIantonis, seems logical.


Just maybe not in the ABC order, rather CBA i believe
upvoted 1 times

  sourabhg 1 year, 3 months ago

Selected Answer: ABC

Vnet1 is already connected by ExpressRoute, which we presume that the subnet gateway was already created.
SKU need to be VpnGw1 because Basic does not coexist with ExpressRoute.

So, answers should be A, B and C.


upvoted 1 times

  Babushka 1 year, 3 months ago

Selected Answer: ABC

Come on folks, should know your ABC


upvoted 1 times

  klexams 1 year, 3 months ago


Selected Answer: ABC

co-exist with expressroute so must use VpnGw1. the rest is just standard vpn gateway setup steps.
upvoted 1 times

  EmnCours 1 year, 5 months ago


Selected Answer: ABC

ExpressRoute-VPN Gateway coexist configurations are not supported on the Basic SKU. The VpnType must be RouteBased.

https://docs.microsoft.com/en-us/azure/expressroute/expressroute-howto-coexist-resource-manager
upvoted 3 times

  nkhan19 1 year, 7 months ago

Selected Answer: ABC

Gateway subnet is already there with ER on VNet1


Basic VNG does not support coexistence
upvoted 3 times

  Gino_Slim 1 year, 7 months ago


Just here to let everyone know it's not E at all. Express doesn't support Basic SKU
upvoted 2 times

  Lazylinux 1 year, 7 months ago


Selected Answer: ABC

ABC is correct
Subnet GW already exist (catchy one)
Basic GW will not work with expressroute
upvoted 2 times
Question #42 Topic 5

HOTSPOT -

You have peering configured as shown in the following exhibit.

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

Box 1: vNET6 only -

Peering status to both VNet1 and Vnet2 are disconnected.

Box 2: delete peering1 -

Peering to Vnet1 is Enabled but disconnected. We need to update or re-create the remote peering to get it back to Initiated state.

Reference:

https://blog.kloud.com.au/2018/10/19/address-space-maintenance-with-vnet-peering/

  mlantonis Highly Voted  2 years, 9 months ago


Correct Answer:

Box 1: vNET6 only


Peering status to both VNet1 and Vnet2 are disconnected. So, only communication inside vNET6.

Box 2: delete peering1


Peering to vNET1 is enabled but disconnected. We need to delete the peering from both virtual networks, and then re-create them. You
can't add address ranges to or delete address ranges from a virtual network's address space once a virtual network is peered with another
virtual network. To add or remove address ranges, delete the peering, add or remove the address ranges, then re-create the peering.

Reference:

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-troubleshoot-peering-issues#the-peering-status-is-disconnected
upvoted 104 times

  Rams_84zO6n 10 months, 3 weeks ago


mlantonis - while I agree with your answer for Box2, one of the statements is incorrect. https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview#resize-the-address-space-of-azure-virtual-networks-that-are-peered . You can change
address space of peered network. You need to sync the networks after peering
upvoted 1 times

  eduardokm 6 months, 2 weeks ago


You are correct, but this new feature was released in 2022, so there is no compliance option in this question.
upvoted 1 times

  fedztedz Highly Voted  3 years, 1 month ago


The Answer is correct.
- Since both peerings are disconnected. then only communication inside VNet6
- It should be to create peerings on Vnet1 to enable. However, since it is an option here. Then the nearest one is to delete the peering also
on Vnet6 then recreate again.
upvoted 73 times

  marcellov 2 years, 9 months ago


Confirmed.
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-troubleshoot-peering-issues#the-peering-status-is-disconnected
upvoted 16 times

  Bigc0ck Most Recent  1 year, 1 month ago

I remember a similar question like this, might be it on 2nd test


upvoted 5 times

  obaali1990 10 months, 4 weeks ago


Sorry for writing twice
upvoted 3 times

  EmnCours 1 year, 5 months ago


Correct Answer:

Box 1: vNET6 only


Peering status to both VNet1 and Vnet2 are disconnected. So, only communication inside vNET6.

Box 2: delete peering1


Peering to vNET1 is enabled but disconnected. We need to delete the peering from both virtual networks, and then re-create them. You
can't add address ranges to or delete address ranges from a virtual network's address space once a virtual network is peered with another
virtual network. To add or remove address ranges, delete the peering, add or remove the address ranges, then re-create the peering.

Reference:

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-troubleshoot-peering-issues#the-peering-status-is-disconnected
upvoted 2 times

  Lazylinux 1 year, 7 months ago


Given answer is correct
Box 1: vNET6 only it is default behavior
Box 2: delete peering1 and redo it to establish connection state up
upvoted 2 times

  techie_11 1 year, 10 months ago


On exam 4/12/2022. answer correct
upvoted 2 times

  sid132 1 year, 11 months ago


On the exam today, 4.March.2022
upvoted 2 times
  Appu008 2 years, 2 months ago
most dumb options for second question
upvoted 2 times

  im82 2 years, 2 months ago


Was on exam today 19.11.2021. Passed with 920.
Correct answer:
- VNET6 only
- Delete peering 1
upvoted 3 times

  _cube_ 2 years, 4 months ago


Box 1: vNET6 only is not correct imho.
The NSG default rules allow communication in between the virtual networks within the same subscription and I just tested it so the last
option (all vnets in the same subscription) is in my opinion the correct one.
upvoted 1 times

  AubinBakana 2 years, 5 months ago


Honestly, I didn't even notice that the peerings were disconnected because it seemed too easy.
upvoted 1 times

  MrBlueSky 11 months, 2 weeks ago


You seeing that and understanding what it means is the entire point of this question
upvoted 1 times

  JayBee65 2 years, 8 months ago


"The peering status is "Disconnected"
To resolve this issue, delete the peering from both virtual networks, and then re-create them." -
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-troubleshoot-peering-issues#the-peering-status-is-disconnected
upvoted 2 times

  Crhistian 2 years, 9 months ago


Why don't they include the complete answer...
delete and recreate the peering.
upvoted 4 times

  Sandroal29 2 years, 10 months ago


The provided answer is correct.
upvoted 1 times

  ZUMY 2 years, 11 months ago


Given answers are correct
1.peering status disconnected so connection with other VNETs
upvoted 3 times

  toniiv 2 years, 12 months ago


Both answers are correct. To re-create peering first you need to delete current one.
upvoted 5 times

  mikl 3 years ago


peering1/2 shows "disconnected" so only VNet6.

Other options are not valid - so delete, and re-create.


upvoted 4 times
Question #43 Topic 5

HOTSPOT -

You have an Azure subscription that contains the resources in the following table.

You install the Web Server server role (IIS) on VM1 and VM2, and then add VM1 and VM2 to LB1.

LB1 is configured as shown in the LB1 exhibit. (Click the LB1 tab.)

Rule1 is configured as shown in the Rule1 exhibit. (Click the Rule1 tab.)

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

Box 1: Yes -

A Basic Load Balancer supports virtual machines in a single availability set or virtual machine scale set.

Box 2: Yes -

When using load-balancing rules with Azure Load Balancer, you need to specify health probes to allow Load Balancer to detect the backend
endpoint status. The configuration of the health probe and probe responses determine which backend pool instances will receive new flows.
You can use health probes to detect the failure of an application on a backend endpoint. You can also generate a custom response to a health
probe and use the health probe for flow control to manage load or planned downtime. When a health probe fails, Load Balancer will stop
sending new flows to the respective unhealthy instance. Outbound connectivity is not impacted, only inbound connectivity is impacted.

Box 3: No -

Reference:

https://docs.microsoft.com/en-us/azure/load-balancer/skus

https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-custom-probe-overview

  mlantonis Highly Voted  2 years, 9 months ago

Correct Answer:

Box 1: Yes
A Basic Load Balancer supports virtual machines in a single availability set or virtual machine scale set.

Box 2: Yes
When using load-balancing rules with Azure Load Balancer, you need to specify health probes to allow Load Balancer to detect the
backend endpoint status. The configuration of the health probe and probe responses determine which backend pool instances will receive
new flows. You can use health probes to detect the failure of an application on a backend endpoint. You can also generate a custom
response to a health probe and use the health probe for flow control to manage load or planned downtime. When a health probe fails,
Load Balancer will stop sending new flows to the respective unhealthy instance. Outbound connectivity is not impacted, only inbound
connectivity is impacted.

Box 3: No
There will be no loadbalancing between the VMs.

Basic Load Balancer: Virtual machines in a single availability set or virtual machine scale set.
Standard Load Balancer: Any virtual machines or virtual machine scale sets in a single virtual network.
upvoted 143 times

  techrat 1 year, 11 months ago


Agreed. It was on my exam yesterday and I passed it with 923.
upvoted 19 times

  mlantonis 2 years, 9 months ago


Reference:

https://docs.microsoft.com/en-us/azure/load-balancer/skus

https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-custom-probe-overview
upvoted 14 times

  morito 11 months, 1 week ago


I'm a bit torn on the first answer, couldn't they both technically be in the same scale set, therefore the answer could also be no?
upvoted 2 times

  Paul_white 11 months, 3 weeks ago


Azure GOD!!!!!!
upvoted 3 times

  denccc Highly Voted  2 years, 9 months ago

Answer seems correct to me:


- For Basic Sku load balancer, network interface and load balancer have to be in the same availability set. (Y)
- Principle of LB (Y)
- Deletion of rule: there will be no load balancing to the VMs (N)
upvoted 13 times

  MOSES3009 Most Recent  3 months ago

Y-Y-Y; deleting the rule does not mean that the LB will not balance the requests that are coming; more than that, it will allow all connections
coming to the frontend IP and balance to the backend
upvoted 1 times

  markb258 2 months, 3 weeks ago


I think the question needs to specify if it's an internal or public load balancer.

From what I could find:

If it's an internal load balancer, with no rules it will now allow any traffic.

But a public load balancer allows traffic on all ports by default.

I would answer no in this scenario


upvoted 1 times

  markb258 2 months, 3 weeks ago


Also depends on basic\standard
https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-overview
upvoted 1 times

  EmnCours 1 year, 5 months ago


Answer seems correct to me:
- For Basic Sku load balancer, network interface and load balancer have to be in the same availability set. (Y)
- Principle of LB (Y)
- Deletion of rule: there will be no load balancing to the VMs (N)
upvoted 4 times

  Lazylinux 1 year, 7 months ago


YYN..given answer is correct and as per other comments
upvoted 2 times

  Lazylinux 1 year, 7 months ago


More info
Load Balancing rules: Determines how inbound traffic gets distributed to the backend pool instances – example - incoming request on
Port 80 can be either redirected to backend pool instances on different port or can be same port 80 ..so means you remove the rule
then LB1 will NOT load balance

Backend pool endpoints


STD LB: Any virtual machines or virtual machine scale sets in a single virtual network
Basic LB: Virtual machines in a single availability set or virtual machine scale set
upvoted 2 times

  Snownoodles 2 years, 6 months ago


I think Box 1 should be 'No'. Basic Load Balancer supports "Virtual machines in a single availability set or virtual machine scale set", so
availability set is not the only option to Basic LB.
I just did a test, if you put 2 VMs in a VMSS that in a single placement group, you can add this VMSS into Basic LB's backend pool.
https://docs.microsoft.com/en-us/azure/load-balancer/skus

Any suggestions?
upvoted 2 times

  Mozbius_ 1 year, 10 months ago


True. The question should have been formulated as [VM1 is in the same SET as VM2]. That being said, in the context of the question I
believe the intent of the question is to test if you are aware that a basic load balancer doesn't work with individual VMs and only
supports AVAILABILITY & SCALE sets. In such context availability set is an ok answer. If I see that exact formulation in the exam I will let
the testers know how badly that question is formulated.
upvoted 1 times

  J_Dawg 2 years, 8 months ago


Y-Y-Y
Check the link provided in the answer: LB Basic SKU is "Open by default. Network security group optional."
upvoted 4 times

  JayBee65 2 years, 8 months ago


How will it know what to load-balance? :)
upvoted 4 times

  imartinez 2 years, 7 months ago


I checked based on your comment. You are totally wrong and misreading the documentation.
"TCP connections stay alive on an instance probe down. All TCP connections end when all probes are down."
What you find is related to NSGs protecting the LB!!
upvoted 2 times

  mashk19 2 years, 9 months ago


Am I missing something here? If you delete the load balancing rule, surely you'd still have the load balancer? And the Load Balancer's job
is to spread traffic between the machines sitting behind it?
upvoted 3 times

  nzmike 2 years, 3 months ago


You've got the load balancer still sure, but what's telling it what to do? No rule(s), no balancing.
upvoted 3 times

  Moyuihftg 2 years, 9 months ago


Answer is correct
upvoted 2 times

  fdelacortina 2 years, 9 months ago


I would say that is Y, Y, Y. Because if you delete rule 1, LB would not balance traffic from port 80 to port 80.
upvoted 1 times

  hamzajeljeli 2 years, 9 months ago


Any confirmation that this is a correct answer ?
upvoted 1 times

  Ario 2 years, 9 months ago


yes answer is correct
upvoted 2 times
Question #44 Topic 5

HOTSPOT -

You have an Azure virtual machine named VM1 that connects to a virtual network named VNet1. VM1 has the following configurations:

✑ Subnet: 10.0.0.0/24
✑ Availability set: AVSet
✑ Network security group (NSG): None
✑ Private IP address: 10.0.0.4 (dynamic)
✑ Public IP address: 40.90.219.6 (dynamic)
You deploy a standard, Internet-facing load balancer named slb1.

You need to configure slb1 to allow connectivity to VM1.

Which changes should you apply to VM1 as you configure slb1? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

Change the private IP address of VM1 to static

Box 1: Remove the public IP address from VM1

Note: A public load balancer can provide outbound connections for virtual machines (VMs) inside your virtual network. These connections are
accomplished by translating their private IP addresses to public IP addresses. Public Load Balancers are used to load balance internet traffic to
your VMs.

Box 2: Create and configure an NSG

NSGs are used to explicitly permit allowed traffic. If you do not have an NSG on a subnet or NIC of your virtual machine resource, traffic is not
allowed to reach this resource.

Reference:

https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-overview

  mlantonis Highly Voted  2 years, 9 months ago

Correct Answer:

Box 1: Remove the public IP address from VM1


Note: A public load balancer can provide outbound connections for virtual machines (VMs) inside your virtual network. These connections
are accomplished by translating their private IP addresses to public IP addresses. Public Load Balancers are used to load balance internet
traffic to your VMs. Load balancer and the public IP address SKU must match when you use them with public IP addresses. Only Basic SKU
IPs work with the Basic SKU load balancer and only Standard SKU IPs work with Standard SKU load balancers.

Box 2: Create and configure an NSG


NSGs are used to explicitly permit allowed traffic. If you do not have an NSG on a subnet or NIC of your virtual machine resource, traffic is
not allowed to reach this resource.
upvoted 157 times

  nkhan19 1 year, 7 months ago


the only reason to remove public IP is due to its nature (dynamic)

only Basic SKU Public IP can be Dynamic or Static


Standard SKU public IP can only be STATIC

Standard SKU LB needs Standard SKU public IP or else remove it.


upvoted 13 times

  ConanBarb 11 months, 3 weeks ago


mlantonis is correct as always.

Tested in lab. If the VM has a dynamic (hence basic) public IP it cannot be chosen to the B-E pool with the following error msg:
"The SKU of the resource's IP address is different from the SKU of the load balancer."
upvoted 5 times

  Holydud 1 year, 5 months ago


Was on exam 19 Aug 2022. Scored 870. Around 85% questions were also on ET. Answered:

Box1: Remove the public IP address from VM1


Box2: Create and configure an NSG
upvoted 13 times

  Netspud 2 years ago


Box 1: Remove Public IP.
But not seen anything that was forcing this as the option. Found this "The default outbound access IP is disabled when a public IP
address is assigned to the virtual machine, or the virtual machine is placed in the backend pool of a Standard Load Balancer with or
without outbound rules. If a Azure Virtual Network NAT gateway resource is assigned to the subnet of the virtual machine, the default
outbound access IP is disabled." here:
https://docs.microsoft.com/en-us/azure/load-balancer/quickstart-load-balancer-standard-public-portal?tabs=option-1-create-load-balancer-standard
My big issue is I don't see any of the answers as a "MUST". Typical MS question.
upvoted 2 times

  Pradh Highly Voted  2 years, 1 month ago

Guys!! It's simple! Don't get confused with complicated textbook explanations in the comment section.

1) Remove Public IP address from VM1 --> Reason being when you create a LB and add VM to backend pool make sure VM doesn't have a
Public IP assigned to it .

2) Create and configure an NSG. --> key thing to notice in question is "STANDARD LB". Backend pool VM in standard LB should
compulsorily have NSG associated to it and configured with required port to be allowed.

I created an LB with Basic sku and not standard..

Example :

With basic sku LB i was able to connect vm via rdp without any nsg..

Now when I tested with standard LB I had to configure an NSG for the VM NIC and allow port 3389 to RDP it.. Without NSG it won't allow to
connect
upvoted 38 times

  Ganchev Most Recent  4 months, 2 weeks ago

I am a bit confused. Just tested the scenario and I was able to SSH access the VM1 over LB1's FrontEnd IP. No NSG exists, VM1 has its Public
IP and even that no problem to SSH from home PC.
upvoted 1 times

  houzer 2 months ago


Did you create a Standard or a Basic LB? The scenario you are describing seems to be related to a Basic LB which allows connection by
default whilst a Standard LB needs a NSG to be attached to it in order to filter connections. The question specifies a Standard LB so I
believe you need a NSG to achieve the goal described in the scenario.
upvoted 1 times

  vbohr899 11 months, 3 weeks ago


Cleared Exam today 26 Feb, This question was there in exam.
upvoted 3 times

  GBAU 1 year ago


Summary: There is no correct answer for Box 1 or 2
Maybe historically there were limitations but as of Feb 2023, they do not apply.

Justification:

Lab Test Results (Feb '23):


Created Standard SKU LB

Created VM (FreeBSD) with :


-Basic PIP
-Dynamic LIP
-In an Availability Set
-NO Network Security Group

Attempted to create a Backend Pool in the LB:


-I could create a BackEnd pool (IP Configuration) on the LB and add this VM above to the Backend pool of the LB.

So there is actually NOTHING you MUST do to CREATE the backend pool.


There is no correct answer for Box 1

NEXT

I created a new load balancing rule for TCP22 on the LB to the backend pool with the VM in it. Succeeded no problem

Attempted Connection to FrontEnd PIP of LB on TCP22 in Putty and got the certificate pop up you would accept. Accepted the certificate
and got the login prompt

So there is actually NOTHING you MUST do to CONNECT to VM1 from the LB


There is no correct answer for Box 2

It was all good practice for me for my exam anyway :)


upvoted 3 times

  klexams 1 year, 3 months ago


box1: remove IP because dynamic IP is not compatible with standard LB.
box2: NSG because Standard load balancer is built on the zero trust network security model. Standard load balancers and standard public
IP addresses are closed to inbound connections unless opened by Network Security Groups.
upvoted 4 times

  EmnCours 1 year, 5 months ago


Given Answer
upvoted 1 times

  Dumber 1 year, 6 months ago


please see:
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-overview#securebydefault

- Standard load balancer is built on the zero trust network security model.

- Standard Load Balancer is secure by default and part of your virtual network. The virtual network is a private and isolated network.

- Standard load balancers and standard public IP addresses are closed to inbound connections unless opened by Network Security
Groups. NSGs are used to explicitly permit allowed traffic. If you don't have an NSG on a subnet or NIC of your virtual machine resource,
traffic isn't allowed to reach this resource. To learn about NSGs and how to apply them to your scenario, see Network Security Groups.

- Basic load balancer is open to the internet by default.

- Load balancer doesn't store customer data.


upvoted 3 times

  Lazylinux 1 year, 7 months ago


Given Answer is correct and mlantonis is well explained
upvoted 2 times

  Scoobysnaks86 1 year, 8 months ago


Just tested in the Azure portal. I was able to put the VM in the backend pool WITHOUT an NSG. The dynamic IP addresses are not
compatible with a standard load balancer, as those IPs are basic. Basic IPs cannot be mixed and used with a standard LB. The dynamic
addresses had to be deleted from the NIC, and a static one created. mlantonis is actually wrong on this one. Also, front-facing LBs do not
need VMs with public IP addresses as they have one themselves. Delete it.
Box 1: Remove the public IP address from VM1
Box 2: Change Private IP address to static
Again, you do not need an NSG to connect a VM to a backend pool

  vinsom 9 months, 3 weeks ago


Pls check this -
For a standard load balancer, the VMs in the backend pool are required to have network interfaces that belong to a network security
group.
Link: https://learn.microsoft.com/en-us/azure/load-balancer/quickstart-load-balancer-standard-public-cli
upvoted 1 times

  Dobby25 1 year, 11 months ago


Received this on my exam today 19/03/2022
upvoted 1 times
  josevirtual 1 year, 11 months ago
I think that Box1 should be to change the private IP to static. If I understood well the documentation, you need both a static private IP
address and a NSG. Box 1 asks what you "must" do. I don't think you "must" delete the public IP address, it just won't work.
upvoted 1 times

  FabioVi 2 years ago


Correct. Regarding box 2, reason is because Standard Load Balancer is "Closed to inbound flows unless allowed by a network security
group"

https://docs.microsoft.com/en-us/azure/load-balancer/skus#skus
upvoted 3 times

  marco_aimi 2 years, 1 month ago


guys, joke? Dynamic for LB??????????????
upvoted 3 times

  chaudha4 2 years, 5 months ago


Verified it in Azure by setting this up.

Box 1: Remove the public IP address from VM1 - You can only attach virtual machines in the backend pool that have a standard SKU public
IP configuration or no public IP configuration. Since the Public IP of VM is dynamic, the IP must be a Basic SKU IP. You cannot add such a
VM (with Basic SKU IP) to a standard SKU load balancer. The VM does not even show up in the backend pool portal for selection unless you
remove the public IP or convert it to a Standard SKU IP.

Box 2: Create and configure an NSG - Standard load balancer is built on the zero trust network security model. Standard load balancers
and standard public IP addresses are closed to inbound connections unless opened by Network Security Groups. NSGs are used to
explicitly permit allowed traffic.
upvoted 12 times

  Mozbius_ 1 year, 10 months ago


Thank you for the precision / explanation.
upvoted 1 times

  ScreamingHand 2 years, 8 months ago


Why not:
Create and assign an NSG to VM1
Change the private IP address of VM1 to static
?
upvoted 5 times

  JayBee65 2 years, 8 months ago


Before you can create the backend pool you must set the private IP to static, otherwise this may change on reboot, and the backend pool
would not be valid..

Before you connect as many people have called out - "Basic SKU Load Balancers use Basic SKU IP Addresses, which aren't compatible with
Standard SKU Load Balancers as they require Standard SKU IP Addresses" The IP Addresses are Dynamically assigned, therefore making
them, "Basic SKU.". So remove the public IP address.

You don't NEED a NSG.


upvoted 3 times

  JayBee65 2 years, 8 months ago


Actually you do :) "Standard load balancers and standard public IP addresses are closed to inbound connections unless opened by
Network Security Groups. NSGs are used to explicitly permit allowed traffic. If you don't have an NSG on a subnet or NIC of your virtual
machine resource, traffic isn't allowed to reach this resource. "
So answer must be 1) Change private IP 2) Create NSG
upvoted 3 times

  Scoobysnaks86 1 year, 8 months ago


Just tested in the Azure portal. I was able to put the VM in the backend pool WITHOUT an NSG. The dynamic IP addresses are not
compatible with a standard load balancer, as those IPs are basic. Basic IPs cannot be mixed and used with a standard LB. The
dynamic addresses had to be deleted from the NIC, and a static one created. mlantonis is actually wrong on this one. Also, front-facing
LBs do not need VMs with public IP addresses as they have one themselves. Delete it.
Box 1: Remove the public IP address from VM1
Box 2: Change Private IP address to static
Again, you do not need an NSG to connect a VM to a backend pool
Question #45 Topic 5

You have an Azure subscription that contains the resources shown in the following table.

You need to create a network interface named NIC1.

In which location can you create NIC1?

A. East US and North Europe only

B. East US only

C. East US, West Europe, and North Europe

D. East US and West Europe only

Correct Answer: B

Before creating a network interface, you must have an existing virtual network in the same location and subscription you create a network
interface in.

Reference:

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface

Community vote distribution


B (100%)

  mlantonis Highly Voted  2 years, 9 months ago

Correct Answer: B

Before creating a network interface, you must have an existing virtual network in the same location and subscription you create a network
interface in.

If you try to create a NIC on a location that does not have any Vnets you will get the following error: "The currently selected subscription
and location lack any existing virtual networks. Create a virtual network first."

Reference:

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface
upvoted 101 times

  buzzerboy 1 year, 1 month ago


It doesn't say what purpose we want the NIC for, so we're assuming it needs to connect to VNET1? If we assume this, then yes it needs
to be in USEAST1.

But it doesn't say what the plan is for the NIC, so wouldn't that mean we can put it anywhere?
upvoted 2 times

  Slimus 9 months, 1 week ago


Pay attention to what mlantonis is saying. In order to create a NIC you must have/attach it to existing VNET.
upvoted 2 times

  farasatkhan Highly Voted  2 years, 9 months ago


Correct.
"Before creating a network interface, you must have an existing virtual network in the same location and subscription you create a
network interface in."
upvoted 20 times

  VV11_SS22 Most Recent  6 months, 1 week ago

NIC and VNET are region bound , so East US


upvoted 1 times

  kodathedog 6 months, 1 week ago


The portal now gives you the option to create a new virtual network (and new subnet) as well as select an existing virtual network, which
makes the answer to this question more tricky!
upvoted 2 times

  Rayza31 7 months, 3 weeks ago


the question is not properly asked. sometimes they just want to confuse us
upvoted 2 times

  shadad 11 months, 2 weeks ago


Selected Answer: B

I took Exam of Azure- 104 at 27/2/2023


I score 920 points out of 1000 points. This was on it and my answer was: B
upvoted 4 times

  DagoMad 1 year, 2 months ago

Selected Answer: B

Correct Answer: B
upvoted 1 times

  EmnCours 1 year, 5 months ago

Selected Answer: B

Correct Answer: B
upvoted 3 times

  EmnCours 1 year, 5 months ago


"Before creating a network interface, you must have an existing virtual network in the same location and subscription you create a
network interface in."
upvoted 1 times

  atilla 1 year, 5 months ago


It doesn't say that it is for vnet1
upvoted 2 times

  Lazylinux 1 year, 7 months ago

Selected Answer: B

I Luv Honey Because it is B

Here is summary .. VNET=>VNIC=>VM=>NSG=>AV set all MUST be in same location


upvoted 4 times

  djhyfdgjk 1 year, 6 months ago


Such an idiot ..
upvoted 2 times

  sid132 1 year, 11 months ago


On the exam today, 4.March.2022
upvoted 2 times

  nidhogg 2 years ago


On the exam today, 1.feb.2022
Just 761/1000, but OK! :D
Thanks to ExamTopics and to you all!
upvoted 5 times

  areza 2 years, 1 month ago


passed 902. in exam 29.12.21 - answer B
upvoted 2 times

  JohnPhan 2 years, 3 months ago


The correct answer is B
upvoted 1 times

  AubinBakana 2 years, 5 months ago


Can only create a NIC in a region that has a VNet. Since we've only been told of 1 VNet, that will be the only option.
upvoted 3 times

  joydeep1 2 years, 8 months ago


Correct answer. Ques was in exam today
upvoted 4 times

  ScreamingHand 2 years, 8 months ago


How did you find the exam overall?
upvoted 1 times

  Davar39 2 years, 9 months ago


Correct answer. If you try to create a NIC on a location that does not have any Vnets you will get the following error :
"The currently selected subscription and location lack any existing virtual networks. Create a virtual network first."
upvoted 11 times
Question #46 Topic 5

You have Azure virtual machines that run Windows Server 2019 and are configured as shown in the following table.

You create a public Azure DNS zone named adatum.com and a private Azure DNS zone named contoso.com.

For contoso.com, you create a virtual network link named link1 as shown in the exhibit. (Click the Exhibit tab.)

You discover that VM1 can resolve names in contoso.com but cannot resolve names in adatum.com. VM1 can resolve other hosts on the Internet.

You need to ensure that VM1 can resolve host names in adatum.com.

What should you do?

A. Update the DNS suffix on VM1 to be adatum.com

B. Configure the name servers for adatum.com at the domain registrar

C. Create an SRV record in the contoso.com zone

D. Modify the Access control (IAM) settings for link1

Correct Answer: A

If you use Azure Provided DNS then appropriate DNS suffix will be automatically applied to your virtual machines. For all other options you must
either use Fully Qualified Domain Names (FQDN) or manually apply appropriate DNS suffix to your virtual machines.

Reference:

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances

Community vote distribution


B (100%)

  mlantonis Highly Voted  2 years, 9 months ago

Correct Answer: B

Adatum.com is a public DNS zone. The Internet top level domain DNS servers need to know which DNS servers to direct DNS queries for
adatum.com to. You configure this by configuring the name servers for adatum.com at the domain registrar.
upvoted 200 times

  Slimus 9 months, 1 week ago


Answer is correct: B. However, how do you know it's a public DNS zone? It can be private DNS too.
upvoted 1 times
  ivan0590 9 months, 1 week ago
The question clearly states that adatum.com is a PUBLIC Azure DNS zone, while contoso.com is a PRIVATE Azure DNS zone.
And the question is only asking about adatum.com, so it can't be a private DNS zone.
upvoted 4 times

  Moyuihftg Highly Voted  2 years, 9 months ago


I think the answer should be B
upvoted 32 times

  d0bermannn 2 years, 7 months ago


you are absolutely right
upvoted 3 times

  Hillah Most Recent  4 months ago

Answer A because "VM1 can resolve other hosts on the Internet" yet it's not registered
upvoted 1 times

  NoobieWon 5 months, 1 week ago


What would you say the "Microsoft" answer is? If the Admin was to do option A is there no chance it would work?
upvoted 1 times

  Sri944 7 months, 1 week ago


I believe the correct answer is Option B.
It is not true that using Azure Provided DNS automatically applies the appropriate DNS suffix to your virtual machines in Azure.

When you use Azure Provided DNS, Azure automatically assigns DNS server IP addresses to your virtual network. However, it does not
automatically apply the DNS suffix to your virtual machines.
upvoted 1 times

  Kimoz 11 months, 1 week ago


B is correct --A is not the correct answer because updating the DNS suffix on VM1 to adatum.com only affects the hostname resolution for
that specific suffix, and it will not help to resolve names in the adatum.com zone.
upvoted 1 times

  Blippen 1 year, 1 month ago


Selected Answer: B

Correct Answer: B
upvoted 1 times

  HMO 1 year, 5 months ago


"For all other options you must either use Fully Qualified Domain Names (FQDN) or manually apply appropriate DNS suffix to your virtual
machines" This one is for private DNS not for public DNS
upvoted 3 times

  EmnCours 1 year, 5 months ago

Selected Answer: B

Correct Answer: B
upvoted 1 times

  Lazylinux 1 year, 7 months ago

Selected Answer: B

I Luv Honey Because it is B


Public DNS..you need to create a record for it @ your Domain Registrar..this is really NOT an Azure question, more of a generic networking question
upvoted 6 times

  Sheriff_of_beacon 1 year, 6 months ago


That joke never gets old :)
upvoted 3 times

  Jaydude 9 months, 3 weeks ago


Oh yes it does!
upvoted 2 times

  AzureCrawler001 1 year, 8 months ago

Selected Answer: B

create DNS records for the domain name


upvoted 1 times

  josevirtual 1 year, 11 months ago

Selected Answer: B

You still need to register the domain. B is correct.


upvoted 2 times

  theorut 1 year, 11 months ago


You need a DNS forwarder to accomplish this but since there's no option given for that you need to choose for A - update the DNS suffix in
VM1. Question is still vague.
upvoted 2 times

  pappkarcsiii 2 years ago

Selected Answer: B

Correct Answer: B
upvoted 3 times

  kyu1979 2 years ago


the answer is b
upvoted 1 times

  Redimido 2 years ago

Selected Answer: B

You have to register your public DNS zone.


upvoted 3 times

  pooya2008 2 years ago


Correct answer is B.
upvoted 1 times
Question #47 Topic 5

HOTSPOT -

You plan to use Azure Network Watcher to perform the following tasks:

✑ Task1: Identify a security rule that prevents a network packet from reaching an Azure virtual machine.
✑ Task2: Validate outbound connectivity from an Azure virtual machine to an external host.
Which feature should you use for each task? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

Box 1: IP flow verify -

At some point, a VM may become unable to communicate with other resources, because of a security rule. The IP flow verify capability enables
you to specify a source and destination IPv4 address, port, protocol (TCP or UDP), and traffic direction (inbound or outbound). IP flow verify
then tests the communication and informs you if the connection succeeds or fails. If the connection fails, IP flow verify tells you which.

Box 2: Connection troubleshoot -

Diagnose outbound connections from a VM: The connection troubleshoot capability enables you to test a connection between a VM and

another VM, an FQDN, a

URI, or an IPv4 address. The test returns similar information returned when using the connection monitor capability, but tests the connection at

a point in time, rather than monitoring it over time, as connection monitor does. Learn more about how to troubleshoot connections using

connection-troubleshoot.

Reference:

https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview

  mlantonis Highly Voted  2 years, 9 months ago

Correct Answer:
Box 1: IP flow verify
At some point, a VM may become unable to communicate with other resources, because of a security rule. The IP flow verify capability
enables you to specify a source and destination IPv4 address, port, protocol (TCP or UDP), and traffic direction (inbound or outbound). IP
flow verify then tests the communication and informs you if the connection succeeds or fails. If the connection fails, IP flow verify tells you
which.

Box 2: Connection troubleshoot


Diagnose outbound connections from a VM: The connection troubleshoot capability enables you to test a connection between a VM and
another VM, an FQDN, a URI, or an IPv4 address. The test returns similar information returned when using the connection monitor
capability, but tests the connection at a point in time, rather than monitoring it over time, as connection monitor does. Learn more
about how to troubleshoot connections using connection-troubleshoot.
upvoted 137 times

  Holydud 1 year, 5 months ago


Was on exam 19 Aug 2022. Scored 870. Around 85% questions were also on ET. Answered:

Box1: IP flow verify


Box2: Connection troubleshoot
upvoted 12 times

  Kem81 1 year, 4 months ago


thanks for confirming. I'll be sitting the exam at the end of October.
upvoted 5 times

  Babushka 1 year, 3 months ago


How did it go?
upvoted 2 times

  mdyck Highly Voted  2 years, 9 months ago

IP Flow Verify
"You might override Azure's default rules, or create additional rules. At some point, a VM may become unable to communicate with other
resources, because of a security rule. IP flow verify then tests the communication and informs you if the connection succeeds or fails."

https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview#diagnose-network-traffic-filtering-problems-to-or-from-a-vm

Connection Troubleshoot
"The connection troubleshoot capability enables you to test a connection between a VM and another VM, an FQDN, a URI, or an IPv4
address"

https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview#connection-troubleshoot
upvoted 19 times

  devops_devops Most Recent  1 month ago

This question was in exam 15/01/24


upvoted 1 times

  babakeyfgir 1 month ago


It was in EXAM, thanks Examtopic.
upvoted 1 times

  zellck 1 year ago


1. IP flow verify
2. Connection troubleshoot

https://learn.microsoft.com/en-us/azure/network-watcher/network-watcher-ip-flow-verify-overview
IP flow verify checks if a packet is allowed or denied to or from a virtual machine. The information consists of direction, protocol, local IP,
remote IP, local port, and a remote port. If the packet is denied by a security group, the name of the rule that denied the packet is
returned. While any source or destination IP can be chosen, IP flow verify helps administrators quickly diagnose connectivity issues from
or to the internet and from or to the on-premises environment.
upvoted 3 times

  zellck 1 year ago


https://learn.microsoft.com/en-us/azure/network-watcher/network-watcher-connectivity-overview
The connection troubleshoot feature of Network Watcher provides the capability to check a direct TCP connection from a virtual
machine to a virtual machine (VM), fully qualified domain name (FQDN), URI, or IPv4 address. Network scenarios are complex, they're
implemented using network security groups, firewalls, user-defined routes, and resources provided by Azure. Complex configurations
make troubleshooting connectivity issues challenging. Network Watcher helps reduce the amount of time to find and detect
connectivity issues. The results returned can provide insights into whether a connectivity issue is due to a platform or a user
configuration issue. Connectivity can be checked with PowerShell, Azure CLI, and REST API.
upvoted 3 times

  Bigc0ck 1 year, 1 month ago


Here 1/5/23
upvoted 3 times

  kf01234 1 year, 3 months ago


A & C (from teacher and slide)
Today just finished the total summary of AZ104 extended course (before the exam)
upvoted 1 times

  favela 1 year, 5 months ago


Correct today came this question and I choose IP flow and troubleshoot passed 900 score
upvoted 3 times

  EmnCours 1 year, 5 months ago


Box1: IP flow verify
Box2: Connection troubleshoot
upvoted 1 times

  Lazylinux 1 year, 7 months ago


Given Answer is correct

IP Flow Verify: This can used to check if packet is allowed or denied to or from a virtual machine. If a packet is being denied by security
group, you can see which rule is denying the packet

Connection Troubleshoot: Check the connection from a virtual machine to virtual machine, fully qualified domain name, URI or IPv4
address. The test returns similar information returned when using the connection monitor capability, but tests the connection at a point in
time, rather than monitoring it over time.
upvoted 2 times

  ajayasa 1 year, 11 months ago


this question was there on 16/03/2022 with same question and passed with 900 percent
upvoted 1 times

  ITprof99 2 years, 1 month ago


On exam 01.02.22
Answer:
Box 1: IP Flow Verify
Box 2: Connection Troubleshoot
upvoted 3 times

  Tshetu 2 years, 2 months ago


The question came in the exam today 03/12/21.
upvoted 2 times

  fabylande 2 years, 4 months ago


In exam today! October 16, 2021
upvoted 1 times

  Adebowale 2 years, 6 months ago


Nice Explanation, Well done Guys!!!
upvoted 1 times

  chaewon 2 years, 8 months ago


What is the difference between NSG diagnostic and IP flow verify?
upvoted 1 times

  Lkk51 2 years, 8 months ago


I guess you mean NSG flow logs and IP Flow Verify

NSG flow logs is to show the actual traffic that happens from/to VM.
For IP flow verify is more on testing. You can validate and see if the connection between each resources. If the connection fails, IP flow
verify tells you which security rule allowed or denied the communication
upvoted 3 times

  Kiano 2 years, 9 months ago


The answer is correct:
Explanation/Reference: Task 1: IP flow verify IP flow verify checks if a packet is allowed or denied to or from a virtual machine. The
information consists of direction, protocol, local IP, remote IP, local port, and remote port. If the packet is denied by a security group, the
name of the rule that denied the packet is returned. While any source or destination IP can be chosen, IP flow verify helps administrators
quickly diagnose connectivity issues from or to the internet and from or to the on-premises environment.
Task 2: With the addition of Connection Troubleshoot, Network Watcher will see an incremental increase in its capabilities and ways for
you to utilize it in your day to day operations. You can now, for example, check connectivity between source (VM) and destination (VM, URI,
FQDN, IP Address). References: https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-ip-flow-verify-overview
https://azure.microsoft.com/en-us/blog/networkwatcher-connection-troubleshoot-now-generally-available/
upvoted 6 times
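
The answers above say that IP flow verify returns the name of the security rule that allowed or denied a packet. The following is an added example, not code from the question, the commenters or Azure: a simplified Python model of priority-ordered NSG rule evaluation. The custom rule names, the VNet prefix 10.0.0.0/16 and the sample addresses are constructed, and service tags in the default rules are approximated by CIDR prefixes.

```python
"""Simplified model of NSG rule evaluation as reported by IP flow verify."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

VNET_PREFIX = "10.0.0.0/16"          # constructed address space for the sample VNet
AZURE_LB_PROBE = "168.63.129.16/32"  # stands in for the AzureLoadBalancer service tag


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # lower number is evaluated first
    direction: str     # "Inbound" or "Outbound"
    access: str        # "Allow" or "Deny"
    protocol: str      # "TCP", "UDP" or "*"
    source: str        # CIDR prefix or "*"
    destination: str   # CIDR prefix or "*"
    dest_ports: str    # "*", a single port ("443") or a range ("8000-8100")


# Azure's default rules, with service tags reduced to prefixes (assumption).
# "*" for Internet is adequate here because the VNet rule is evaluated first.
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", VNET_PREFIX, VNET_PREFIX, "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", AZURE_LB_PROBE, "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", VNET_PREFIX, VNET_PREFIX, "*"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "*", "*"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*"),
]

# Constructed custom rules for the sample NSG.
SAMPLE_RULES = DEFAULT_RULES + [
    Rule("Allow-HTTPS-In", 100, "Inbound", "Allow", "TCP", "*", "10.0.1.0/24", "443"),
    Rule("Deny-RDP-In", 200, "Inbound", "Deny", "TCP", "*", "*", "3389"),
    Rule("Deny-SMB-Out", 300, "Outbound", "Deny", "TCP", "*", "*", "445"),
]


def _addr_matches(prefix, addr):
    return prefix == "*" or ip_address(addr) in ip_network(prefix)


def _port_matches(spec, port):
    if spec == "*":
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)


def ip_flow_verify(rules, direction, protocol, local_ip, local_port, remote_ip, remote_port):
    """Return (access, rule_name) for the first rule, by priority, matching the flow.

    "Local" is the VM side. For inbound traffic the VM is the destination,
    for outbound traffic it is the source. Source ports are not modelled.
    """
    if direction == "Inbound":
        src, dst, dport = remote_ip, local_ip, local_port
    elif direction == "Outbound":
        src, dst, dport = local_ip, remote_ip, remote_port
    else:
        raise ValueError("direction must be 'Inbound' or 'Outbound'")

    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.direction != direction:
            continue
        if rule.protocol not in ("*", protocol):
            continue
        if (_addr_matches(rule.source, src)
                and _addr_matches(rule.destination, dst)
                and _port_matches(rule.dest_ports, dport)):
            return rule.access, rule.name
    raise ValueError("no rule matched; the default rules are missing")


if __name__ == "__main__":
    flows = [
        ("Inbound", "TCP", "10.0.1.4", 443, "203.0.113.7", 50000),
        ("Inbound", "TCP", "10.0.1.4", 3389, "10.0.2.9", 50001),
        ("Inbound", "TCP", "10.0.1.4", 22, "203.0.113.7", 50002),
        ("Outbound", "TCP", "10.0.1.4", 50003, "198.51.100.20", 445),
        ("Outbound", "UDP", "10.0.1.4", 50004, "198.51.100.20", 53),
    ]
    for flow in flows:
        print(flow, "->", ip_flow_verify(SAMPLE_RULES, *flow))
```

The second sample flow shows why the rule name matters when troubleshooting: intra-VNet RDP would be allowed by AllowVnetInBound, but the custom Deny-RDP-In rule has a lower priority number and is hit first.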
Question #48 Topic 5

HOTSPOT -

You have an Azure subscription that contains the Azure virtual machines shown in the following table.

You configure the network interfaces of the virtual machines to use the settings shown in the following table.

From the settings of VNET1 you configure the DNS servers shown in the following exhibit.

The virtual machines can successfully connect to the DNS server that has an IP address of 192.168.10.15 and the DNS server that has an IP address of 193.77.134.10.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

Box 1: Yes -

You can specify DNS server IP addresses in the VNet settings. The setting is applied as the default DNS server(s) for all VMs in the VNet.

Box 2: No -

You can set DNS servers per VM or cloud service to override the default network settings.

Box 3: Yes -

You can set DNS servers per VM or cloud service to override the default network settings.

Reference:

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-faq#name-resolution-dns

  mlantonis Highly Voted  2 years, 9 months ago

Correct Answer:

NIC configured DNS servers takes precedence over VNET configured DNS servers.

Box 1: Yes
VM1 uses the VNET configured DNS 193.77.134.10.
You can specify DNS server IP addresses in the VNet settings. The setting is applied as the default DNS server(s) for all VMs in the VNet.
The DNS is set on the VNET level.

Box 2: No
VM2 uses the NIC configured DNS 192.168.10.15.
You can set DNS servers per VM or cloud service to override the default network settings.
This VM has 192.168.10.5 set as DNS server, so it overrides the default DNS set on VNET1.

Box 3: Yes
VM3 uses the NIC configured DNS 192.168.10.15
You can set DNS servers per VM or cloud service to override the default network settings.
This VM has 192.168.10.5 set as DNS server, so it overrides the default DNS set on VNET1.
upvoted 141 times

  lisley 1 year, 2 months ago


why are Box 2 and 3 different (Yes and No) but with the same explanation?
upvoted 8 times

  Muffay 1 year, 1 month ago


Because the IP addresses in the question are different ;)
upvoted 9 times

  Voldemort 2 years, 4 months ago


Great Explanation Buddy!
upvoted 7 times

  Kent_020 2 years, 3 months ago


Where did you get the '192.168.10.5' from the info given?
----------------
VM1 uses the VNET configured DNS 193.77.134.10
VM2 uses the NIC configured DNS 192.168.10.15
VM3 uses the NIC configured DNS 192.168.10.15
upvoted 3 times

  odisor 2 years ago


Both VMs have 192.168.10.15 assigned to their NICs
upvoted 2 times

  Alses1970 Highly Voted  2 years, 9 months ago

1. Yes - as per link the DNS is set on the VNET level


2. No - this VM has 192.168.10.5 set as DNS server so it overrides the default DNS set on VNET1
3. Yes - this VM has 192.168.10.5 set as DNS server so it overrides the default DNS set on VNET1
upvoted 28 times

  karthikwarrior Most Recent  1 month, 1 week ago

Appeared in exam 7 January 2024..Came here assure ppl that these questions are still valid..90% questions are from dumps
upvoted 2 times

  karthikwarrior 1 month, 1 week ago


Appeared in exam 7 January 2024..Came here assure ppl that these questions are still valid..90% questions are from dumps
upvoted 1 times

  RandomNickname 7 months, 2 weeks ago


Agree with Y,N,Y
As far as I can find, if NIC on VM set to auto will distribute the vnet IP and scope including vnets DNS.
If set as custom on the VM this will override and be prefered.

https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-faq#can-i-override-my-dns-settings-on-a-per-vm-or-cloud-service-basis
upvoted 1 times
  vbohr899 11 months, 3 weeks ago
Cleared Exam today 26 Feb, This question was there in exam.
upvoted 2 times

  GBAU 1 year ago


Here is my problem with this question. It is not possible to set a NICs DNS to "None".
The question is invalid.

It is either set to "Inherit from virtual network" or "Custom", in which case you must provide a DNS Server address.

I think they wanted to test your knowledge on default DNS assignments for a NIC but couldn't bring themselves to basically put the
answer to part of the question in the question as that is the way the option is worded in the portal, so they throw a "None" in. VERY POOR,
it should be "Default Setting" or "Unchanged".
upvoted 1 times

  GBAU 1 year ago


PS: From my experience trying to set DNS servers using the VMs internal DNS setting can seriously screw up your VM and prevent it
from getting network access. You have to change the DNS settings in Azure to reset them back to Azure managed (DHCP locally on
host) to fix.
upvoted 1 times

  Mat_m0381 1 year, 4 months ago


The answer is YNY
Others comment is correct, please find the link below

https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-faq#can-i-override-my-dns-settings-on-a-per-vm-or-cloud-service-basis
upvoted 1 times

  EmnCours 1 year, 5 months ago


answer y/n/y
upvoted 1 times

  minix 1 year, 7 months ago


came in today's exam 25/6/2022
upvoted 2 times

  Lazylinux 1 year, 7 months ago


YES NO YES as per others comments
upvoted 1 times

  TtotheA2021 2 years ago


Come on guys, this question is so easy. You have to look right at the DNS, see explanation MLANTONIS he is 100% correct.

most of you are confusing on the NIC and DNS, the dns ip of vm2 192.168.10.15 overrules custom ip.

YNY
upvoted 2 times

  pappkarcsiii 2 years ago


VM1 uses the VNET configured DNS 193.77.134.10
VM2 uses the NIC configured DNS 192.168.10.15
VM3 uses the NIC configured DNS 192.168.10.15
upvoted 2 times

  areza 2 years, 1 month ago


passed 902. in exam 29.12.21 - answer y/n/y
upvoted 4 times

  ScoutP 2 years, 4 months ago


This question was asked on exam taken on Sept 30, 2021
upvoted 2 times

  joydeep1 2 years, 8 months ago


Answer correct. Ques in exam today
upvoted 4 times

  riri5678 2 years, 9 months ago


Am I missing something? VM 2 and VM 3 have the exact same info, so how can VM2 be no and VM3 be yes?
upvoted 1 times

  riri5678 2 years, 9 months ago


*Same info DNS serverwise
upvoted 2 times

  ScreamingHand 2 years, 8 months ago


Different question, different answer
upvoted 1 times

  Franpb90 2 years, 8 months ago


Different IP in the question.
upvoted 1 times
Question #49 Topic 5

HOTSPOT -

You have an Azure subscription that contains the resource groups shown in the following table.

RG1 contains the resources shown in the following table.

You need to identify which resources you can move from RG1 to RG2, and which resources you can move from RG2 to RG1.

Which resources should you identify? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

Box 1: IP1, Storage1 -

IP addresses and storage accounts can be moved.

Virtual networks cannot be moved.


There is no lock on RG1.

Box 2: None -

There is a delete lock on RG2.

Note: When you apply a lock at a parent scope, all resources within that scope inherit the same lock. Even resources you add later inherit the lock from the parent.

The most restrictive lock in the inheritance takes precedence.

CanNotDelete means authorized users can still read and modify a resource, but they can't delete the resource.

ReadOnly means authorized users can read a resource, but they can't delete or update the resource. Applying this lock is similar to restricting all authorized users to the permissions granted by the Reader role.

Reference:

https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources

https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/move-support-resources

  mlantonis Highly Voted  2 years, 9 months ago

Correct Answer:

Box 1: IP1, VNET2, and storage1


Box 2: IP2, VNET2, and storage2

Locks are designed for any update or removal. In this case we want to move only, we are not deleting, and we are not changing anything
in the resource.
upvoted 187 times

  Magis 1 year, 4 months ago


Tested it in Lab today. RO or Delete locks do not have any impact on the Move operation, and it doesn't matter if they come from RG level
or are directly attached to the resource.

VNETS can be moved as well. The only limitation is that VNET Peering needs to be disabled first. But that is not the case for this question.

Correct Answer:

Box 1: IP1, VNET2, and storage1


Box 2: IP2, VNET2, and storage2
upvoted 26 times

  marioZuo 6 months, 3 weeks ago


Answer is correct. But mention if the resource group has RO lock. Resources can't be moved to another group.
upvoted 2 times

  habbey 9 months, 1 week ago


You got box 1 wrong because any resource that has a resource lock cannot be modified in any way and that includes moving said
resource to another resource group
upvoted 3 times

  habbey 8 months, 3 weeks ago


...any resource that has a read-only lock cannot be modified in any way**
upvoted 2 times

  garmatey 8 months ago


moving the resource is modifying where the resource is located, not modifying the resource.
upvoted 2 times

  ivan0590 9 months, 1 week ago


I think you are wrong.

As far as I know, having a lock of any type on a resource won't stop you from moving the resource to another RG.

Now, if the lock is not on the resource, but on the target RG, then you would only be able to move the resource if the lock type is
Delete. A Delete lock on the RG doesn't restrict the addition of new resources to the RG, it only restricts the deletion of the resources
already present in the RG.
On the other hand, you won't be able to move the resource if the target RG has a Read-only lock.
upvoted 1 times

  Mehul078 7 months, 3 weeks ago


"The resource group is read only and tags on the resource group can't be modified. Not Locked resources CAN BE added, moved,
changed, or deleted from this resource group."

Refer: https://learn.microsoft.com/en-us/azure/governance/blueprints/concepts/resource-locking#locking-modes-and-states
upvoted 2 times

  Abubaker3030 1 year, 8 months ago


The question should specify the resources are available in RG2, because if not there's nothing to move from RG2 to RG1. Its a
misleading question
upvoted 31 times

  awssecuritynewbie 1 year, 4 months ago


i think the question is missing some tables and resources lol
upvoted 18 times

  umavaja 1 week, 6 days ago


Yes, I dont see IP1 and VNET1 Storage1. All of have assumed entire table
upvoted 1 times

  Moyuihftg Highly Voted  2 years, 9 months ago

Don't see a table with IP1, storage1 and VNET1. To test anyway, I created storage2, VNET2 and IP2 in RG1. Then I applied the locks as
stated in the tables. I was able to move all resources from RG1 to RG2. After that I could also move all resources from RG2 back to RG1.

So based on the current information, I go for answer:


IP1, VNET2, and storage1
IP2, VNET2, and storage2
upvoted 91 times

  Devgela 2 years, 9 months ago


I made some tests too and I can move VNET from 1 RG to another RG even there is lock.
upvoted 8 times

  lksilesian 2 years, 3 months ago


This is the first question I tested in lab - because I could not find a definitive answer and could not take it on faith. But you are right, no
matter what lock is set - I was able to move resources. The -> ONLY <- situation where I was NOT able to MOVE resources is when i set
READ-ONLY lock on the DESTINATION resource group.
upvoted 23 times

  pmzone 2 years ago


If the Read-only Lock is applied on either Source or target RG, the movement of resources won't happen.
upvoted 12 times

  Vad133 1 year, 1 month ago


Agree! Tested in Azure today. Moving a resource = changing its property (RG). If resource is read-only then no property can be
changed and moving fails.
upvoted 3 times

  GiJoe1987 1 year, 11 months ago


The VNet has a read-only lock on it in RG1 so it can't be moved. Though, as you said, I thought we would be able to move all resources for RG2
as it is only a delete lock, not a read-only lock.
upvoted 1 times

  cyna58 2 years, 9 months ago


Your answer is correct. We can move all resources
upvoted 6 times

  Amir1909 Most Recent  2 days, 6 hours ago


Box 1: IP1, VNET2, and storage1
Box 2: IP2, VNET2, and storage2
upvoted 1 times

  MatAlves 1 week, 5 days ago


"A read-only lock on a resource group prevents you from moving existing resources in or out of the resource group."

https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources?tabs=json
upvoted 1 times

  MatAlves 1 week, 5 days ago


Couldn't find anything saying locks on RESOURCES prevent move operations though.
upvoted 1 times

  PhoenixAscending 1 week, 6 days ago


A similar question was on my exam, but there was also a virtual machine in RG1. However, you should be able to move all resources to
both resource groups.
upvoted 1 times

  ki01 1 month, 4 weeks ago


I love how there are two comments next to each other, one month apart, saying that they tested it and then one says you can move
everything, the other says you can move nothing. One of them is lying.
From what i'm reading in https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources?tabs=json
quote:
A read-only lock on a resource group that contains a virtual machine prevents users from moving the VM out of the resource group.

A read-only lock on a resource group prevents users from moving any new resource into that resource group.
This implies that if the read-only lock is set up at RG level, the RG becomes read-only and no resources can be moved in or out.

The question is a mess, because it says RG1, then gives a table with <...>2 resources. and misses the table completely with <..>1 resources.
(1/2)
upvoted 1 times

  ki01 1 month, 4 weeks ago


From my reading in the provided link. what you need to know is this:

If RG has Read-Only lock on it - resources CAN'T be moved out or in to it and none of those resources can be deleted.
If RG has Delete Lock on it - the resources CAN be moved in or out from the RG.
If only a resource has a Read-only lock - that resource CAN be moved to other RG.
If only a resource has a Delete Lock - that resource CAN be moved to other RG.

Going by the first table that says RG1 has no locks and RG2 has delete lock, I conclude that, because of the table, ALL resources can be
moved both ways.
2/2
upvoted 1 times

  SgtDumitru 2 months, 3 weeks ago


Read-Only only impacts services if you try to move/update/create something INSIDE them. Therefore if an RG has a Read-Only lock, you
can't move something inside it, otherwise you CAN.
Resource lock on VNET, IP or SG doesn't affect it when trying to move them from one RG to another since we don't change the content.
Based on the first table (where both RGs don't have Read-Only locks), we can move any resource from RG1 to RG2 and vice versa.
upvoted 1 times

  Hannirac 3 months, 3 weeks ago


I have just tested in lab same scenario, all 3 resources were moved to the RG2 from RG1.
Even though the documentation says that you cannot modify a resource with a lock "read-only" which is my understanding meaning that
you cannot move the resource as well.
All resources can be moved both ways. So mlantonis is right as always.
upvoted 1 times

  Viggy1212 4 months, 1 week ago


Oct 9, 2023 :

This question is missing some information but I'll try to give some pointers.

1) I created a new RG test1 and test2. Added Read only lock to RG test1 and Delete lock to test2.

2) Created StorageAccts in both RGs. SG1 in RG test1 and SG2 in RG Test2.

I tried to move the SG1, from RG1 to RG2 => Operation Failed

Then tried to move SG2, from RG2 to RG1 => Operation Failed.

As long as locks are enabled, we cannot move any resources.

Hope this helps.


upvoted 2 times

  lormar72 4 months, 3 weeks ago


The question is incomplete
upvoted 1 times

  JD908 5 months ago


The question looks incomplete is there a missing table?
upvoted 2 times

  oopspruu 5 months, 3 weeks ago


The question is... incomplete? I don't see any table with RG2 resources.
upvoted 2 times

  GoldenDisciple2 6 months ago


I wonder who tf at Microsoft is coming up with these questions? When you need to know this, you'll know. The information is actually in
Azure. If you try something and it fails, troubleshoot why it failed and try again. This is basic IT stuff. You would think that a "Read-Only"
lock would make a document "Read-Only" as in you can only do that one thing on it but that's not the case. I'm sure as an Azure Admin,
you'd find that out when you needed to find that out.

Please forgive me for venting. I feel like some of these questions contradict each other at times.
upvoted 3 times

  marioZuo 6 months, 3 weeks ago


And if the source RG has read-only lock, we can't move resource from it to another RG.
upvoted 1 times

  Josete1106 6 months, 4 weeks ago


Box 1: IP1, VNET2, and storage1
Box 2: IP2, VNET2, and storage2
upvoted 1 times

  JD908 7 months, 3 weeks ago


The question itself seems incorrect because of all the typos...
upvoted 2 times

  eeo123 7 months, 4 weeks ago


Question is totally screwed up and/or is missing information, but after testing, here's what I found:
-You CANNOT move a resource TO or FROM a RG with a Read-Only lock
-You CAN move a resource that has a read-only lock, as long as neither the source nor the destination RG have a read-only lock.

Tested with both a Storage Account and a VNET.


upvoted 5 times
Question #50 Topic 5

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that

might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an Azure subscription that contains the virtual machines shown in the following table.

You deploy a load balancer that has the following configurations:

✑ Name: LB1
✑ Type: Internal
✑ SKU: Standard
✑ Virtual network: VNET1
You need to ensure that you can add VM1 and VM2 to the backend pool of LB1.

Solution: You create a Basic SKU public IP address, associate the address to the network interface of VM1, and then start VM1.

Does this meet the goal?

A. Yes

B. No

Correct Answer: B

A Backend Pool configured by IP address has the following limitations:

✑ Standard load balancer only


Reference:

https://docs.microsoft.com/en-us/azure/load-balancer/backend-pool-management

Community vote distribution


B (100%)

  mlantonis Highly Voted  2 years, 9 months ago

Correct Answer: B - No

You can only attach virtual machines that are in the same location and on the same virtual network as the LB. Virtual machines must have
a standard SKU public IP or no public IP.

The LB needs to be a standard SKU to accept individual VMs outside an availability set or vmss. VMs do not need to have public IPs but if
they do have them they have to be standard SKU. Vms can only be from a single network. When they don’t have a public IP they are
assigned an ephemeral IP.

Also, when adding them to a backend pool, it doesn’t matter in which status are the VMs.

Note: Load balancer and the public IP address SKU must match when you use them with public IP addresses.
upvoted 72 times

  klexams 1 year, 3 months ago


Also the LB is internal so no public IP.
upvoted 3 times

  Holydud 1 year, 5 months ago


Was on exam 19 Aug 2022. Scored 870. Around 85% questions were also on ET. Answered B
upvoted 7 times

  mlantonis 2 years, 9 months ago


It's not valid, because:
LB1: Standard SKU
VM1: Basic SKU public IP
VM2: Basic SKU public IP
upvoted 16 times

  Pear7777 1 year, 2 months ago


The thing is this is a STANDARD, LB which can not work with BASIC ip's.
upvoted 3 times

  GBAU 1 year ago


I lab tested it, they can. Lab was with a Public LB though. It just didn't care the VM had a basic dynamic LIP and a basic dynamic
PIP, I could still attach it to the backend pool, create a rule to LB a port and connect to it through the LB's PIP.
upvoted 1 times

  Abubaker3030 1 year, 8 months ago


Basic SKU: If you are creating a public IP address in a region that supports availability zones, the Availability zone setting is set to None
by default. Basic Public IPs do not support Availability zones. Standard SKU: A Standard SKU public IP can be associated to a virtual
machine or a load balancer front end
upvoted 1 times

  mdyck Highly Voted  2 years, 9 months ago


B. No

Tested this and as you are creating the back end it says:
"You can only attach virtual machines that are in the same location and on the same virtual network as the loadbalancer. Virtual machines
must have a standard SKU public IP or no public IP."

-It does not matter if the VM is stopped or started.

-The LB needs to be a standard SKU to accept individual VMs outside an availability set or vmss. VMs do not need to have public IPs but if
they do have them they have to be standard SKU. Vms can only be from a single network.
https://docs.microsoft.com/en-us/azure/load-balancer/backend-pool-management
-When they dont have a public IP they are assigned an ephemeral IP.
https://docs.microsoft.com/en-us/azure/load-balancer/quickstart-load-balancer-standard-internal-portal?tabs=option-1-create-internal-load-balancer-standard#create-virtual-machines
upvoted 26 times

  devops_devops Most Recent  1 month ago

This question was in exam 15/01/24


upvoted 1 times

  oopspruu 5 months, 3 weeks ago


These questions that have you memorize or Cram the SKUs are the most pointless ones imo. I mean this info is just 1 google search away.
But no, Azure Admins needs to know every single SKU by heart as per MS
upvoted 4 times

  marioZuo 6 months, 3 weeks ago


IF VM has a basic IP, LB is a basic LB with basic IP. It can work as well.
upvoted 1 times

  Eugene77 9 months ago


The question and discussions are not very clear. What is a problem with adding VM1 and VM2 by private IP addresses? Internal LB will
work.
upvoted 1 times

  Spam101198 11 months, 2 weeks ago


as LB is standard then IP should be standard only.
upvoted 1 times

  zellck 1 year ago


Selected Answer: B

B is the answer.

https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/public-ip-addresses#sku
Matching SKUs are required for load balancer and public IP resources. You can't have a mixture of basic SKU resources and standard SKU
resources.
upvoted 1 times

  EmnCours 1 year, 5 months ago

Selected Answer: B

Correct Answer: B - No
upvoted 1 times

  NotMeAnyWay 1 year, 7 months ago


Simply put you cannot mix the SKU type for a Load Balancer and a Public IP. Both in this case should be Standard SKUs:

Read Here (Under the important section as the bottom of the SKU section):
(https://docs.microsoft.com/en-us/azure/virtual-network/ip-services/public-ip-addresses#sku)
upvoted 2 times

  InvisibleShadow 1 year, 11 months ago


This question came in the exam today 8/Mar/2022.
I passed the exam, 95% questions came from here.
upvoted 1 times

  sid132 1 year, 11 months ago


On the exam today, 4.March.2022
upvoted 1 times

  Takloy 2 years, 2 months ago


The moment I saw Basic SKU for the Public IP, I know it's a NO straight away.
upvoted 2 times

  NareshNK 2 years, 9 months ago


So you need a standard sku public IP address and not basic Sku.
upvoted 1 times

  stepient 2 years, 9 months ago


Tested, you can't add a VM with a public IP address to an internal LB backend pool.
upvoted 7 times

  mdyck 2 years, 9 months ago


I would say yes you can connect the VM. The actions will put the VM1 into the same state as VM2.

The LB needs to be a standard SKU to accept individual VMs outside an availability set or VMSS. VMs do not need to have public IPs. VMs
can only be from a single network.

https://docs.microsoft.com/en-us/azure/load-balancer/backend-pool-management

When they don't have a public IP they are assigned an ephemeral IP.

https://docs.microsoft.com/en-us/azure/load-balancer/quickstart-load-balancer-standard-internal-portal?tabs=option-1-create-internal-load-balancer-standard#create-virtual-machines
upvoted 1 times

Question #51 Topic 5

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an Azure subscription that contains the virtual machines shown in the following table.

You deploy a load balancer that has the following configurations:

✑ Name: LB1
✑ Type: Internal
✑ SKU: Standard
✑ Virtual network: VNET1

You need to ensure that you can add VM1 and VM2 to the backend pool of LB1.

Solution: You create a Standard SKU public IP address, associate the address to the network interface of VM1, and then stop VM2.

Does this meet the goal?

A. Yes

B. No

Correct Answer: B

A Backend Pool configured by IP address has the following limitations:

✑ Standard load balancer only


Reference:

https://docs.microsoft.com/en-us/azure/load-balancer/backend-pool-management

Community vote distribution


B (100%)

  mlantonis Highly Voted  2 years, 9 months ago

Correct Answer: B - No

You can only attach virtual machines that are in the same location and on the same virtual network as the LB. Virtual machines must have
a standard SKU public IP or no public IP.

The LB needs to be a standard SKU to accept individual VMs outside an availability set or VMSS. VMs do not need to have public IPs but if
they do have them they have to be standard SKU. VMs can only be from a single network. When they don’t have a public IP they are
assigned an ephemeral IP.

Also, when adding them to a backend pool, it doesn’t matter what state the VMs are in.

Note: Load balancer and the public IP address SKU must match when you use them with public IP addresses.
upvoted 37 times

  mlantonis 2 years, 9 months ago


It's not valid, because:
LB1: Standard SKU
VM1: Standard SKU public IP
VM2: Basic SKU public IP
upvoted 29 times

  Holydud 1 year, 5 months ago


Was on exam 19 Aug 2022. Scored 870. Around 85% questions were also on ET. Answered B
upvoted 5 times

  JayLearn2022 Highly Voted  12 months ago

There are several versions of this question. The following are the correct and incorrect answers that can be presented.

Correct Answer: Meets the goal.


-Solution: You create two Standard SKU public IP addresses and associate a Standard SKU public IP address to the network interface of
each virtual machine.

Incorrect Answers: Does not meet the goal.


-Solution: You disassociate the public IP address from the network interface of VM2.
-Solution: You create a Basic SKU public IP address, associate the address to the network interface of VM1, and then start VM1.

-Solution: You create a Standard SKU public IP address, associate the address to the network interface of VM1, and then stop VM2.
upvoted 12 times

  azureMoneyMan 1 week, 4 days ago


Correct Solution: You disassociate the public IP address from the network interface of VM2. Along with the one above
upvoted 1 times

  AntaninaD Most Recent  5 months ago


Got this question on 09/09/23
upvoted 6 times

  Spoon3r 5 months ago


Doing God’s work.. thank you
upvoted 2 times

  ojogbon 10 months, 2 weeks ago


On the exam Apr 2nd, 2023
upvoted 5 times

  EmnCours 1 year, 5 months ago

Selected Answer: B

Correct Answer: B - No
upvoted 1 times

  benvdw 1 year, 11 months ago


on exam 13/3/2022
upvoted 1 times

  InvisibleShadow 1 year, 11 months ago


This question came in the exam today 8/Mar/2022.
I passed the exam, 95% questions came from here.
upvoted 1 times

  sid132 1 year, 11 months ago


On the exam today, 4.March.2022
upvoted 1 times

  cowboy 2 years, 9 months ago


Tested: only a Standard SKU public IP can be added to the backend pool.
upvoted 1 times

  NareshNK 2 years, 9 months ago


Both VMs should have a Standard SKU IP address.
upvoted 10 times

Question #52 Topic 5

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an Azure subscription that contains the virtual machines shown in the following table.

You deploy a load balancer that has the following configurations:

✑ Name: LB1
✑ Type: Internal
✑ SKU: Standard
✑ Virtual network: VNET1

You need to ensure that you can add VM1 and VM2 to the backend pool of LB1.

Solution: You create two Standard SKU public IP addresses and associate a Standard SKU public IP address to the network interface of each virtual machine.

Does this meet the goal?

A. Yes

B. No

Correct Answer: A

A Backend Pool configured by IP address has the following limitations:

✑ Standard load balancer only


Reference:

https://docs.microsoft.com/en-us/azure/load-balancer/backend-pool-management

Community vote distribution


A (83%) B (17%)

  mlantonis Highly Voted  2 years, 9 months ago

Correct Answer: A - Yes

You can only attach virtual machines that are in the same location and on the same virtual network as the LB. Virtual machines must have
a standard SKU public IP or no public IP.

The LB needs to be a standard SKU to accept individual VMs outside an availability set or VMSS. VMs do not need to have public IPs but if
they do have them they have to be standard SKU. VMs can only be from a single network. When they don’t have a public IP they are
assigned an ephemeral IP.

Also, when adding them to a backend pool, it doesn’t matter what state the VMs are in.

Note: Load balancer and the public IP address SKU must match when you use them with public IP addresses.
upvoted 69 times

  Holydud 1 year, 5 months ago


Was on exam 19 Aug 2022. Scored 870. Around 85% questions were also on ET. Answered A
upvoted 4 times

  Acai 2 years, 6 months ago


One of the few slip-ups from Azure Jesus. The provided answer is correct, the reasoning is correct but missed that VM1 has a basic SKU.
upvoted 3 times

  Acai 2 years, 6 months ago


Nope AJ is correct, thought it was the other question.
upvoted 2 times

  stdevops 2 years, 3 months ago


you need to start VM also
upvoted 3 times

  xRiot007 8 months, 2 weeks ago


No, the VM can remain stopped.
upvoted 1 times

  mlantonis 2 years, 9 months ago


It's valid, because:
LB1: Standard SKU
VM1: Standard SKU public IP
VM2: Standard SKU public IP
upvoted 17 times

  Moyuihftg Highly Voted  2 years, 9 months ago


Answer correct.
You can only attach virtual machines that are in the same location and on the same virtual network as the load balancer. Virtual machines
must have a standard SKU public IP or no public IP.
upvoted 11 times

  sardonique Most Recent  4 months, 3 weeks ago


I don't understand, it is an internal load balancer, you place your VM behind an internal load balancer when you do not want to expose
them, what is the need for a public IP in the first place? Some questions are really weird.
upvoted 4 times

  AntaninaD 5 months ago


Got this question on 09/09/23
upvoted 2 times

  HALLYdre 7 months, 3 weeks ago


I think the answer should be no.
The load balancer is an internal load balancer, and nothing to do with the SKU of a public IP is relevant in making the VMs work.
upvoted 3 times

  ojogbon 10 months, 2 weeks ago


On the exam Apr 2nd, 2023
upvoted 1 times

  JayLearn2022 12 months ago


There are several versions of this question. The following are the correct and incorrect answers that can be presented.

Correct Answer: Meets the goal.


-Solution: You create two Standard SKU public IP addresses and associate a Standard SKU public IP address to the network interface of
each virtual machine.

Incorrect Answers: Does not meet the goal.


-Solution: You disassociate the public IP address from the network interface of VM2.

-Solution: You create a Basic SKU public IP address, associate the address to the network interface of VM1, and then start VM1.

-Solution: You create a Standard SKU public IP address, associate the address to the network interface of VM1, and then stop VM2.
upvoted 5 times

  EzBL 4 weeks, 1 day ago


The LB needs to be a standard SKU to accept individual VMs outside an availability set or VMSS. VMs do not need to have public IPs but
if they do have them they have to be standard SKU. VMs can only be from a single network. When they don’t have a public IP they are
assigned an ephemeral IP.

It is a valid answer if you disassociate the public IP address from the network interface of VM2.
upvoted 1 times

  meeko86 1 year, 1 month ago


Selected Answer: A

For this series question, there are two possible answers:


1. You create two Standard public IP addresses and associate a Standard SKU public IP address to the network interface of each virtual
machine.
2. You disassociate the public IP address from the network interface of VM2.
upvoted 2 times

  kusucu 1 year, 4 months ago

Selected Answer: A

mlantonis is right
upvoted 2 times

  EmnCours 1 year, 5 months ago

Selected Answer: A

Answer correct.
You can only attach virtual machines that are in the same location and on the same virtual network as the load balancer. Virtual machines
must have a standard SKU public IP or no public IP.
upvoted 1 times

  DragonDagger 1 year, 6 months ago

Selected Answer: A

A is correct
upvoted 1 times

  benvdw 1 year, 11 months ago


A- on exam 13/3/2022 (the one above as well)
upvoted 3 times

  InvisibleShadow 1 year, 11 months ago


This question came in the exam today 8/Mar/2022.
I passed the exam, 95% questions came from here.
upvoted 2 times

  sid132 1 year, 11 months ago


On the exam today, 4.March.2022
upvoted 1 times

  FDZ83 1 year, 11 months ago


Correct: YES
Tested in lab:
No matter whether the LB is internal or public, VMs in the backend can keep their public IP (even if it makes no sense in a load balancing env...). The only requirement
is the SKU of the public IP:
LB standard=>standard PIP
LB Basic=>basic PIP
Stopped Vm can be added to backend pool
The answers to this question could be:
-add standard public ip to vm
-remove public ip from vm
upvoted 4 times

  G_unit_19 1 year, 11 months ago


Selected Answer: A

mlantonis has the correct answer


upvoted 1 times

  Oskarma 2 years ago

Selected Answer: A

Tested in Lab:
Correct: A. Yes
You can only attach virtual machines in same location that have a standard SKU public IP configuration or no public IP configuration. All IP
configurations must be on the same virtual network.
upvoted 3 times

Question #53 Topic 5

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have a computer named Computer1 that has a point-to-site VPN connection to an Azure virtual network named VNet1. The point-to-site connection uses a self-signed certificate.

From Azure, you download and install the VPN client configuration package on a computer named Computer2.

You need to ensure that you can establish a point-to-site VPN connection to VNet1 from Computer2.

Solution: You export the client certificate from Computer1 and install the certificate on Computer2.

Does this meet the goal?

A. Yes

B. No

Correct Answer: A

Each client computer that connects to a VNet using Point-to-Site must have a client certificate installed. You generate a client certificate from the self-signed root certificate, and then export and install the client certificate. If the client certificate is not installed, authentication fails.

Reference:

https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-certificates-point-to-site

Community vote distribution


A (100%)

  mlantonis Highly Voted  2 years, 9 months ago

Correct Answer: A - Yes

Export the client certificate from Computer1 and install the certificate on Computer2.

Each client computer that connects to a VNet using Point-to-Site must have a client certificate installed. You generate a client certificate
from the self-signed root certificate, and then export and install the client certificate. If the client certificate is not installed, authentication
fails.
upvoted 74 times

  RamanAgarwal 2 years, 8 months ago


Same certificate can be used on multiple client machines?
upvoted 11 times

  Rayane 1 year, 1 month ago


Yes, because this is a root certificate that you will export, if I'm not wrong
upvoted 3 times

  achmadirvanp Highly Voted  2 years, 7 months ago

Answer is correct, Appear On Exam July 1 2021


upvoted 9 times

  lss83 Most Recent  1 year, 3 months ago

AAAAAAAAAAAAAAAAAAAAAAAAAAAAA
upvoted 2 times

  kusucu 1 year, 4 months ago

Selected Answer: A

mlantonis is right
upvoted 3 times

  Mev4953 1 year, 5 months ago


There is a good explanation, if you want to dive in
https://www.youtube.com/watch?v=uN0Daq77nQc&ab_channel=ROHITTECH
upvoted 1 times

  EmnCours 1 year, 5 months ago

Selected Answer: A

Correct Answer: A
upvoted 1 times

  InvisibleShadow 1 year, 11 months ago


This question came in the exam today 8/Mar/2022.
I passed the exam, 95% questions came from here.
upvoted 6 times

  michaeltheknight 1 year, 11 months ago


taking mine tomorrow. finding this site was a blessing. it's great to not have to betate with myself whether an approach is correct or
not and to see how others go about it :)
upvoted 1 times

  michaeltheknight 1 year, 11 months ago


*debate
upvoted 1 times

  Teringzooi 1 year, 11 months ago


Selected Answer: A

Correct Answer: A - Yes


upvoted 1 times

  ExameHero 2 years ago


ExamTopics is the Best!!!
upvoted 2 times

  im82 2 years, 2 months ago


Was on exam today 19.11.2021. Passed with 920.
Correct answer: A
upvoted 5 times

  sachin007 2 years, 2 months ago


Good Job , best wishes :)
upvoted 1 times

  ScoutP 2 years, 4 months ago


This question was asked on exam taken on Sept 30, 2021
upvoted 2 times

  MrJR 2 years, 6 months ago


Answer seems correct "If you want to install a client certificate on another client computer, you can export the certificate."
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-certificates-point-to-site
upvoted 5 times

  Devgela 2 years, 9 months ago


Correct
upvoted 3 times

  lock12333 2 years, 9 months ago


aaaaaaaaaaaaaaaaaaaaaaaaaaaa
upvoted 4 times

  d0bermannn 2 years, 7 months ago


you jammed a finger in keyboard, so pity)
upvoted 1 times

  denccc 2 years, 9 months ago


Correct
upvoted 1 times

Question #54 Topic 5

You have an Azure virtual machine named VM1.

The network interface for VM1 is configured as shown in the exhibit. (Click the Exhibit tab.)

You deploy a web server on VM1, and then create a secure website that is accessible by using the HTTPS protocol. VM1 is used as a web server only.

You need to ensure that users can connect to the website from the Internet.

What should you do?

A. Modify the protocol of Rule4

B. Delete Rule1

C. For Rule5, change the Action to Allow and change the priority to 401

D. Create a new inbound rule that allows TCP protocol 443 and configure the rule to have a priority of 501.

Correct Answer: C

HTTPS uses port 443.

Rule2, with priority 500, denies HTTPS traffic.

Rule5, with priority changed from 2000 to 401, would allow HTTPS traffic.

Note: Priority is a number between 100 and 4096. Rules are processed in priority order, with lower numbers processed before higher numbers, because lower numbers have higher priority. Once traffic matches a rule, processing stops. As a result, any rules that exist with lower priorities (higher numbers) that have the same attributes as rules with higher priorities are not processed.

Note:

There are several versions of this question in the exam. The question has two possible correct answers:

1. Change the priority of Rule3 to 450.

2. For Rule5, change the Action to Allow and change the priority to 401.

Other incorrect answer options you may see on the exam include the following:

✑ Modify the action of Rule1.
✑ Change the priority of Rule6 to 100.
✑ For Rule4, change the protocol from UDP to Any.

Reference:

https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview
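
The first-match processing described in the note above can be checked offline. The following is an added example, not part of the original question or of any Microsoft tooling: the exhibit is not reproduced on this page, so the rule fields below are constructed assumptions based only on what the answer and the discussion state (Rule2 denies HTTPS at priority 500; Rule5 sits at priority 2000 and covers ports 50-5000). The rule names NewRule and AllowHttps are hypothetical.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int   # 100..4096; a lower number is evaluated first
    protocol: str   # "TCP", "UDP" or "Any"
    ports: tuple    # inclusive (low, high) destination port range
    action: str     # "Allow" or "Deny"


def validate(rules):
    """Reject rule sets with out-of-range or duplicate priorities."""
    seen = set()
    for r in rules:
        if not 100 <= r.priority <= 4096:
            raise ValueError(f"{r.name}: priority {r.priority} outside 100-4096")
        if r.priority in seen:
            raise ValueError(f"{r.name}: duplicate priority {r.priority}")
        seen.add(r.priority)
    return rules


def evaluate(rules, protocol, port):
    """Return (action, rule name) of the first rule that matches the traffic."""
    for r in sorted(validate(rules), key=lambda r: r.priority):
        if r.protocol in ("Any", protocol) and r.ports[0] <= port <= r.ports[1]:
            return r.action, r.name  # processing stops at the first match
    # Stand-in for the default DenyAllInBound rule that catches Internet traffic.
    return "Deny", "DenyAllInBound"


def exposed_ports(rules, protocol, probe):
    """List the probed ports that the rule set lets through."""
    return [p for p in probe if evaluate(rules, protocol, p)[0] == "Allow"]


# Constructed sample rules (assumptions, see the lead-in).
RULE2 = Rule("Rule2", 500, "TCP", (443, 443), "Deny")
RULE5 = Rule("Rule5", 2000, "Any", (50, 5000), "Deny")
BASELINE = [RULE2, RULE5]
PROBE = [22, 80, 443, 3389, 8080]  # ports to test for unintended exposure


def option_c():
    """Answer C: Rule5 becomes Allow at priority 401, ahead of Rule2."""
    return [RULE2, replace(RULE5, action="Allow", priority=401)]


def option_d():
    """Answer D: a new allow for TCP 443 at priority 501, behind Rule2."""
    return BASELINE + [Rule("NewRule", 501, "TCP", (443, 443), "Allow")]


def narrow_allow():
    """Variant raised in the discussion: the same allow at priority 499."""
    return BASELINE + [Rule("AllowHttps", 499, "TCP", (443, 443), "Allow")]


if __name__ == "__main__":
    for label, rules in [("baseline", BASELINE), ("option C", option_c()),
                         ("option D", option_d()), ("allow 443 at 499", narrow_allow())]:
        action, hit = evaluate(rules, "TCP", 443)
        print(f"{label:18} 443 -> {action} by {hit}; "
              f"open ports: {exposed_ports(rules, 'TCP', PROBE)}")
```

Running it shows why option D is shadowed by Rule2, and that option C admits every probed port inside 50-5000 rather than 443 alone.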

Community vote distribution


C (88%) 12%
  mlantonis Highly Voted  2 years, 9 months ago

Correct Answer: C

HTTPS uses port 443.


Rule2, with priority 500, denies HTTPS traffic.
Rule5, with priority changed from 2000 to 401, would allow HTTPS traffic.

Note: Priority is a number between 100 and 4096. Rules are processed in priority order, with lower numbers processed before higher
numbers, because lower numbers have higher priority. Once traffic matches a rule, processing stops. As a result, any rules that exist with
lower priorities (higher numbers) that have the same attributes as rules with higher priorities are not processed.
upvoted 92 times

  mlantonis 2 years, 9 months ago


Note: There are several versions of this question in the exam.
The question has two possible correct answers:
1. Change the priority of Rule3 to 450.
2. For Rule5, change the Action to Allow and change the priority to 401.
Other incorrect answer options you may see on the exam include the following:
✑ Modify the action of Rule1.
✑ Change the priority of Rule6 to 100.
✑ For Rule4, change the protocol from UDP to Any.

Reference:

https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview
upvoted 40 times

  YooOY 2 years, 4 months ago


Why it works with destination set to Virtualnetwork not the PublicIP ?
upvoted 2 times

  aner 1 year, 2 months ago


It works because Source (users on the Internet) is set to Any. The destination (web server) is ok to be VirtualNetwork because the
web server's VM is a part of Virtual network.
upvoted 2 times

  Moyuihftg Highly Voted  2 years, 9 months ago

Answer C is correct

Although not the best solution (opening range 50-5000, when you only want to allow https/443)
upvoted 38 times

  Sharathjogi 2 years, 1 month ago


Absolutely agree...that's what I am thinking, we are unnecessarily opening lot of ports here, instead of allowing just 443.
upvoted 5 times

  ppuff 1 year, 7 months ago


microsoft testing logic lol
upvoted 4 times

  c5ad307 Most Recent  2 weeks, 2 days ago

Correct answer C: The stupidest solution is also the correct answer...


upvoted 1 times

  Arthur_zw 3 weeks, 6 days ago


For Rule5, change the Action to Allow and change the priority to 401, this would also expose RDP on port 3389 to public users and this
does not satisfy the requirement to use the VM as web server only
upvoted 1 times

  SgtDumitru 2 months, 3 weeks ago


Only C is a viable option. Option D will not work because Rule2 will take action.
upvoted 1 times

  JD908 7 months, 3 weeks ago


Some of these rules seem redundant, e.g. Rule2 and Rule5 as they are. I guess it's just to throw you off.
upvoted 2 times

  UWSFish 9 months, 2 weeks ago


It does not speak well for Microsoft that their correct answer is very shitty IT.
upvoted 6 times

  Phlogiston 1 year ago


Yes, as many have commented, the correct answer is also a stupid answer that you would, if you were halfway competent, never
implement in the real world. It is a poorly designed question that aspires to meet the goal of testing your ability to synthesize and analyze
information, rather than simply regurgitate facts from memory. The best designed questions will require that you not only be able to
recall facts but that you be able to use those facts to troubleshoot, resolve problems, or create solutions. However, the correct responses
to the questions should not be bonkers stupid as this one is.
upvoted 7 times

  MightyMonarch74 1 year ago


Another terrible question with a ridiculous answer that does not reflect the real world!
upvoted 5 times

  Mohd1899 1 year ago


Microsoft want to tell us, this is not security exam so do not expect the best secured answer is the correct one,
don't expect the best practice has been implemented for each question
this is a way to stop you for a simple question thinking about which answer you should select here.

  chikorita 1 year ago


he works for microsoft
upvoted 2 times

  lombri 1 year ago

Selected Answer: D

No, it is not a good practice to open a range of ports from 400 to 500 for security reasons. In general, it is recommended to only open the
specific ports that are required for a particular service to function, and to limit access to only the minimum set of IP addresses that need it.

For example, in the scenario described, you only need to open port 443 to allow incoming HTTPS traffic to the web server. Opening a
wider range of ports could expose the system to unnecessary security risks, as it increases the attack surface of the system.

https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview

https://learn.microsoft.com/en-us/azure/virtual-machines/windows/nsg-quickstart-portal

https://learn.microsoft.com/en-us/azure/virtual-network/manage-network-security-group?tabs=network-security-group-portal
upvoted 2 times

  Mohd1899 1 year ago


I would agree with you if the priority for answer D is set to 499 or below
in fact 501 priority eliminate this option completely because of Rule2
so the answer is C
upvoted 3 times

  hubble13 1 year ago


I want an option for this question as "none of the above" lol!!! Really? Are we going to get such kind of option in the exam?
upvoted 2 times

  Asymptote 1 year, 3 months ago

Selected Answer: C

This is why Microsoft always get hacked.


BRAVO
upvoted 5 times

  kusucu 1 year, 4 months ago


Selected Answer: C

mlantonis is right
upvoted 1 times

  Kem81 1 year, 4 months ago


The correct answer for this is madness. As other users have commented, if any IT engineer left all those ports open, they would get fired
lol. I know this isn't an option but surely you would just delete Rule 1 and set Rule 2 to priority 400 and allow? What is MS trying to do!? get
us fired? just wow
upvoted 3 times

  JohnnyChimpo 1 year ago


My boss would fire my ass
upvoted 2 times

  Kem81 1 year, 4 months ago


upon further investigation, you would also need to modify the rule to only allow internet traffic to the VM ofc. This is a really bad
question and not something anyone should do in real world scenario.
upvoted 1 times

  EmnCours 1 year, 5 months ago

Selected Answer: C

Correct Answer: C
upvoted 1 times
  blasdelezo 1 year, 6 months ago

Selected Answer: C

Once traffic matches a rule, processing stops


upvoted 1 times

Question #55 Topic 5

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an Azure subscription that contains 10 virtual networks. The virtual networks are hosted in separate resource groups.

Another administrator plans to create several network security groups (NSGs) in the subscription.

You need to ensure that when an NSG is created, it automatically blocks TCP port 8080 between the virtual networks.

Solution: From the Resource providers blade, you unregister the Microsoft.ClassicNetwork provider.

Does this meet the goal?

A. Yes

B. No

Correct Answer: B

You should use a policy definition.

Resource policy definition used by Azure Policy enables you to establish conventions for resources in your organization by describing when the policy is enforced and what effect to take. By defining conventions, you can control costs and more easily manage your resources.

Reference:

https://docs.microsoft.com/en-us/azure/azure-policy/policy-definition

Community vote distribution


B (100%)

  mlantonis Highly Voted  2 years, 9 months ago

Correct Answer: B - No

You need to use a custom policy definition, because there is not a built-in policy.

Resource policy definition used by Azure Policy enables you to establish conventions for resources in your organization by describing
when the policy is enforced and what effect to take. By defining conventions, you can control costs and more easily manage your
resources.

Reference:

https://docs.microsoft.com/en-us/azure/azure-policy/policy-definition

https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies
upvoted 59 times

  dasnc Highly Voted  3 years, 5 months ago

Answer is correct
upvoted 13 times

  EmnCours Most Recent  1 year, 5 months ago

Selected Answer: B

Correct Answer: B
upvoted 1 times

  G_unit_19 1 year, 11 months ago


Selected Answer: B

B is clearly the correct answer


upvoted 2 times

  AubinBakana 2 years, 5 months ago


haha... sorry I couldn't help it :)
upvoted 1 times

  Devgela 2 years, 9 months ago


Answer is No
upvoted 1 times

  tg01234 2 years, 11 months ago


Answer is No.
upvoted 2 times
  ZUMY 2 years, 11 months ago
NO is the answer
upvoted 3 times

  toniiv 2 years, 12 months ago


Answer B. is correct, this is more related to Policies
upvoted 2 times

  waterzhong 3 years ago


Policy assignments are inherited by child resources. If a policy assignment is applied to a resource group, it's applicable to all the
resources in that resource group.
upvoted 3 times

  janshal 3 years, 1 month ago


Tricky one but Vnets cannot communicate with other Vnets by default....
upvoted 5 times

  waterzhong 3 years, 1 month ago


Azure Policy establishes conventions for resources. Policy definitions describe resource compliance conditions and the effect to take if a
condition is met. A condition compares a resource property field or a value to a required value. Resource property fields are accessed by
using aliases. When a resource property field is an array, a special array alias can be used to select values from all array members and
apply a condition to each one. Learn more about conditions.
upvoted 4 times

  Akanyang 3 years, 3 months ago


what is the answer yes or no?
upvoted 1 times

  raBLar 3 years, 2 months ago


answer: no
upvoted 2 times

  Bhaskardegala 3 years, 2 months ago


Answer is No
upvoted 2 times

Question #56 Topic 5

HOTSPOT -

You manage two Azure subscriptions named Subscription1 and Subscription2.

Subscription1 has the following virtual networks:

The virtual networks contain the following subnets:

Subscription2 contains the following virtual network:

✑ Name: VNETA
✑ Address space: 10.10.128.0/17
✑ Location: Canada Central

VNETA contains the following subnets:

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

Box 1: Yes -

With VNet-to-VNet you can connect Virtual Networks in Azure across different regions.

Box 2: Yes -

Azure supports the following types of peering:

✑ Virtual network peering: Connect virtual networks within the same Azure region.
✑ Global virtual network peering: Connecting virtual networks across Azure regions.
Box 3: No -

The virtual networks you peer must have non-overlapping IP address spaces.

Reference:

https://azure.microsoft.com/en-us/blog/vnet-to-vnet-connecting-virtual-networks-in-azure-across-different-regions/

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-manage-peering#requirements-and-constraints

  mlantonis Highly Voted  2 years, 9 months ago

Correct Answer:

VNET1: 10.10.10.0 - 10.10.10.255


VNET2: 172.16.0.0 - 172.16.255.255
VNETA: 10.10.128.0 - 10.10.255.255

Box 1: No
To create a VNet to VNet VPN you need to have a special Gateway Subnet. Here, the VNet has insufficient address space to create a
Gateway Subnet and thus to establish a VNet to VNet VPN connection.

Box 2: Yes
For VNet peering the only consideration is that the VNets do not overlap. VNET1 and VNET2 do not overlap.

Box 3: Yes
For VNet peering the only consideration is that the VNets do not overlap. VNET1 and VNETA do not overlap.
upvoted 207 times

  go4adil 2 weeks, 1 day ago


Agree with mlantonis: N-Y-Y

Three ways can be used for VNET to VNET2 connection in different RGs as well as different Subscriptions:

i. VNET-to-VNET - similar to Site-to-Site (IPSec) but differs in the way Local Network Gateway is configured. VPN-GW on both sides
ii. Site-to-Site (IPSec) - similar to VNET-to-VNET but differs in the way Local Network Gateway is configured. VPN-GW on one side & Local
GW on the other side
iii. VNET Peering - doesn't use a VPN gateway
upvoted 1 times

  go4adil 2 weeks, 1 day ago


"When you create the gateway subnet, you specify the number of IP addresses that the subnet contains. If your default subnet
encompasses the entire address range, there are no IP addresses left to create more subnets. You can either adjust your subnets
within the existing address space to free up IP addresses or specify another address range and create the gateway subnet there."
Address space of VNET1 is 10.10.10.0/24 which is fully used by subnet11. Hence, no spare IP addresses left to use for gateway
subnet.

Ref:
https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-vnet-vnet-resource-manager-portal
upvoted 1 times
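
The address-range reasoning in the comments above (non-overlapping address spaces for peering, and free space for a gateway subnet), reproduced as an added example that is not part of the original thread. The CIDR blocks are the ones quoted in the comments; the /27 gateway-subnet size is an assumption taken from Microsoft's general VPN gateway guidance, and the 10.10.0.0/16 and /25 inputs in the last lines are constructed.

```python
import ipaddress
from itertools import combinations

# Address spaces as quoted in the comments above.
VNETS = {
    "VNET1": "10.10.10.0/24",
    "VNET2": "172.16.0.0/16",
    "VNETA": "10.10.128.0/17",
}
# Per the comment above, Subnet11 uses the whole VNET1 address space.
VNET1_SUBNETS = ["10.10.10.0/24"]


def overlap_report(vnets):
    """Map each pair of VNet names to True when their address spaces overlap."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in vnets.items()}
    return {(a, b): nets[a].overlaps(nets[b])
            for a, b in combinations(sorted(nets), 2)}


def free_blocks(address_space, subnets):
    """Return the CIDR blocks of address_space not covered by any subnet."""
    free = [ipaddress.ip_network(address_space)]
    for subnet in map(ipaddress.ip_network, subnets):
        remaining = []
        for block in free:
            if not block.overlaps(subnet):
                remaining.append(block)          # untouched by this subnet
            elif subnet.supernet_of(block):
                continue                         # block fully consumed
            else:
                # subnet lies strictly inside block: keep what is left over
                remaining.extend(block.address_exclude(subnet))
        free = remaining
    return sorted(free)


def can_host_gateway_subnet(address_space, subnets, prefix=27):
    """True when a free block of at least /prefix remains (prefix is an assumption)."""
    return any(b.prefixlen <= prefix for b in free_blocks(address_space, subnets))


if __name__ == "__main__":
    for pair, overlaps in overlap_report(VNETS).items():
        print(pair, "overlap" if overlaps else "no overlap")
    print("VNET1 free blocks:", free_blocks(VNETS["VNET1"], VNET1_SUBNETS))
    print("VNET1 can host a gateway subnet:",
          can_host_gateway_subnet(VNETS["VNET1"], VNET1_SUBNETS))
    # Constructed what-if inputs: an overlapping space, and a smaller Subnet11.
    print(overlap_report({"X": "10.10.0.0/16", "VNETA": VNETS["VNETA"]}))
    print(free_blocks(VNETS["VNET1"], ["10.10.10.0/25"]))
```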

  Slimus 8 months, 1 week ago


Box 3: NO - "You have two subscriptions named Subscription1 and Subscription2". How are you going to do VNET peering for two
different subscriptions? Also consider same scenario from the question below:
https://www.examtopics.com/discussions/microsoft/view/39450-exam-az-104-topic-5-question-29-discussion/
upvoted 2 times

  TinyRunner 6 months ago


You can do peering across different subscriptions and tenants. At the moment of creating the peering you will need to provide
the resource id of the remote vnet as a condition to create the peering.
upvoted 3 times

  efayed 7 months, 4 weeks ago


No, you can do peering between different subscription
https://learn.microsoft.com/en-us/azure/virtual-network/create-peering-different-deployment-models-subscriptions
upvoted 3 times

  Ahkhan 3 months, 1 week ago


Please see this - it is under Requirements and Constraints. What you are referring to is just the limitation of a deployment model:

The virtual networks can be in the same, or different subscriptions. When you peer virtual networks in different subscriptions,
both subscriptions can be associated to the same or different Microsoft Entra tenant. If you don't already have an AD tenant, you
can create one.

https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-manage-peering?tabs=peering-portal#requirements-and-constraints
upvoted 1 times

  Ahkhan 3 months, 1 week ago


Please ignore. I misread.
upvoted 2 times

  piotrekpal 1 year, 8 months ago


About Box 1: Site-to-Site connection is dedicated to Azure - On Premise connection NOT Azure-Azure.
upvoted 5 times

  Lazylinux 1 year, 7 months ago


Not entirely true, I thought so myself but then realized it can be done with some difference, here is a link you can read..MS is so
confusing sh*t...Make it simple Stupid
I just don't see why not keep it peering for vnet-vnet and S-S for Azure and On-prem
Hope this helps
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-vnet-vnet-resource-manager-portal
upvoted 7 times

  skydivex 11 months, 2 weeks ago


you are correct... nice findings.... as the link explains, VNET to VNET is the same as S2S, but the IP settings are done automatically.
you do not need to create gateway subnet.... the correct answer is YES, Yes, Yes
upvoted 2 times

  Mehul078 7 months, 3 weeks ago


You DO need a subnet.
See documentation here:
https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-vnet-vnet-resource-manager-portal#create-the-vnet1-gateway
upvoted 2 times

  David1123 1 year, 6 months ago


We can modify the subnet11 and add Gatewaysubnet, thus YES, a site-to-site connection can be established between VNET1 and
VNET2
upvoted 3 times

  rupayan87 1 year, 2 months ago


that way every question in the exam will have a yes answer... you are not asked to modify address range here.
upvoted 6 times

  przema86 1 year, 2 months ago


I am also choosing Yes, Yes, Yes,
Box1: - they are not asking "do you have all required elements to establish site-to-site VPN". Question is only if that "...can
be established between VNET1 and VNET2?" (assume that all required technical missing you can arrange in some way). I
would guess that question is to check if we understand subnetting etc.
upvoted 3 times

  Thuncroow Highly Voted  2 years, 9 months ago

The answer should be N-Y-Y :


1: No because to create a Vnet to Vnet VPN you need to have a special gateway subnet. Here the Vnet has only /24 CIDR blocks of address
space and this space is already taken by its Subnet. Hence there is no sufficient address space to create a gateway subnet and thus to
establish a Vnet to Vnet VPN connection.
For 2 & 3 : The address spaces for the Virtual Networks don't overlap, we can thus establish a peering connection between the Virtual
Networks.
upvoted 87 times

  shnz03 2 years, 8 months ago


I disagree. Address space /24 can create /27 or /28 for gateway subnet which btw is the recommended prefix by MS. Also I have tested
it. So Y Y Y
upvoted 12 times

  JayBee65 2 years, 7 months ago


That's nonsense.
If you did what you are suggesting you would have, for example:
subnet1: 10.10.10.0 - 10.10.10.255
gateway subnet: 10.10.10.0/27 which would be 10.10.10.0 - 10.10.10.31 which would clearly overlap with subnet1
upvoted 7 times

  ASIMIS 2 years, 7 months ago


In theory yes you can break down the /24 subnet into smaller subnets, then use one of the subnets as Gateway subnet, but in reality
you will not have enough addresses left to use for users and devices. Besides the question does NOT mention subnetting the
addresses. The key to answering questions is to use only what is mentioned in the question. So no, you can't use that subnet.
Box 1 - NO
Box 2 - Yes
Box 3 - Yes
upvoted 6 times

  Bon_ 2 years, 5 months ago


You didn't look at the subnet breakdown for VNet1 close enough. Subnet11 takes up the entire address space provided by VNet1, so
there's no room to add a gateway subnet. Therefore, the first answer is NO.
upvoted 10 times
  imartinez 2 years, 7 months ago
First box is Yes:
"Configuring a VNet-to-VNet connection is a simple way to connect VNets. When you connect a virtual network to another virtual
network with a VNet-to-VNet connection type (VNet2VNet), it's similar to creating a Site-to-Site IPsec connection to an on-premises
location"
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-vnet-vnet-resource-manager-portal
upvoted 3 times

  Moyuihftg 2 years, 9 months ago


Yes, good observation!
upvoted 7 times

  MrJR 2 years, 6 months ago


Well you could create the gateway subnet in VNET2 but would that be a S2S connection between VNET2 and VNET1 instead of VNET1
and VNET2. Is the question saying that the connection must be established from VNET1. That's tricky.
upvoted 1 times

  clg003 Most Recent  3 months, 3 weeks ago

No Yes Yes...
Totally agree with Mlantonis...
Box 1 no; they purposely eliminated the possibility of other subnets to make sure you understand that Site to Site requires Gateway
Subnet.
Box 2 and 3 Yes; They do not overlap so you're good to go.
upvoted 1 times

  KM 5 months, 2 weeks ago


Answer is YYY

VNET1 and VNETA can be peer:


VNET1: 10.10.10.0/24 - First IP 10.10.10.0, Last IP 10.10.10.255
VNETA: 10.10.128.0/17 - First IP 10.10.128.0, Last IP 10.10.255.255
upvoted 1 times

  nomanmalik101 6 months ago


whom should we follow? discussion of examtopic answers?
upvoted 1 times

  nomanmalik101 6 months ago


what the hell? every second question has confusion. Why are we not able to get the exact answers even after paying huge amount?
upvoted 1 times

  Josete1106 6 months, 4 weeks ago


N Y Y is correct!
upvoted 3 times

  NurSalman 7 months, 2 weeks ago


That's a lot of wrong answers, I paid 40 dollars for this.
upvoted 13 times

  SgtDumitru 2 months, 3 weeks ago


We're preparing for a Microsoft Exam. We all pay for something wrong.
upvoted 1 times

  Nedu1 6 months, 2 weeks ago


lols....
upvoted 1 times

  RandomNickname 7 months, 4 weeks ago


Agree with N,Y,Y
For Box1:
https://learn.microsoft.com/en-us/azure/vpn-gateway/tutorial-site-to-site-portal#about-the-gateway-subnet

"If you see an error that specifies that the address space overlaps with a subnet, or that the subnet isn't contained within the address
space for your virtual network, check your VNet address range. You may not have enough IP addresses available in the address range you
created for your virtual network. For example, if your default subnet encompasses the entire address range, there are no IP addresses left
to create additional subnets. You can either adjust your subnets within the existing address space to free up IP addresses, or specify an
additional address range and create the gateway subnet there."
upvoted 2 times

  vbohr899 11 months, 3 weeks ago


Cleared Exam today 26 Feb, This question was there in exam.
upvoted 7 times

  zellck 1 year ago


NYY is the answer.

https://learn.microsoft.com/en-us/azure/vpn-gateway/tutorial-site-to-site-portal#about-the-gateway-subnet
The virtual network gateway uses specific subnet called the gateway subnet. The gateway subnet is part of the virtual network IP address
range that you specify when configuring your virtual network. It contains the IP addresses that the virtual network gateway resources and
services use.

When you create the gateway subnet, you specify the number of IP addresses that the subnet contains. The number of IP addresses
needed depends on the VPN gateway configuration that you want to create. Some configurations require more IP addresses than others.
We recommend that you create a gateway subnet that uses a /27 or /28.

https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-manage-peering?tabs=peering-portal#requirements-and-constraints
The virtual networks you peer must have non-overlapping IP address spaces.
upvoted 2 times

  medijv 1 year, 3 months ago


Y,Y,Y
https://stackoverflow.com/questions/62307832/site-2-site-between-2-azure-vnets
upvoted 4 times

  alirasouli 1 year, 3 months ago


Box 1 is also Yes.
Quote from Microsoft:
While you can create a gateway subnet as small as /29, we recommend that you create a gateway subnet of /27 or larger (/27, /26 etc.) if
you have the available address space to do so. This will accommodate most configurations.

My final answer is YYY.

Reference:
https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings
upvoted 3 times

  majerly 1 year, 4 months ago


today in exam , NNY
upvoted 4 times

  EmnCours 1 year, 5 months ago


Box 1: No
To create a VNet to VNet VPN you need to have a special Gateway Subnet. Here, the VNet has no sufficient address space to create a
Gateway Subnet and thus to establish a VNet to VNet VPN connection.

Box 2: Yes
For VNet peering the only consideration is that the VNets do not overlap. VNET1 and VNET2 do not overlap.

Box 3: Yes
For VNet peering the only consideration is that the VNets do not overlap. VNET1 and VNETA do not overlap.
upvoted 1 times

  King4o 1 year, 6 months ago


Honestly ,Sick and tired of Exam Topics ,NYY
upvoted 6 times

  Mohd1899 1 year ago


To be honest we should say Microsoft not exam topic,
there are many questions that have not enough details to select the best correct answer among 2-3 correct options !
upvoted 3 times

  QulFi 1 year, 7 months ago


However, I think that:
Box1: NO
You cannot create an additional subnet for VPN, because there is already a network that fills the entire VNET1 address space.

VNET1 10.10.10.0/24
Subnet11 10.10.10.0/24
Box2: Yes
Box3: Yes
upvoted 2 times
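
An added example, not part of the exam material or any commenter's post: the address arithmetic behind Box 1 and Box 3, using the ranges quoted in the comments above (VNET1 and Subnet11 at 10.10.10.0/24, VNETA at 10.10.128.0/17). The 10.10.10.0/25 subnet and the 10.10.11.0/24 extra range are constructed values that stand in for the two remedies in the Microsoft text quoted above.

```python
import ipaddress


def free_blocks(address_spaces, subnets):
    """Return the CIDR blocks of a VNet's address space(s) not used by any subnet."""
    remaining = [ipaddress.ip_network(a) for a in address_spaces]
    for s in subnets:
        used = ipaddress.ip_network(s)
        kept = []
        for block in remaining:
            if not block.overlaps(used):
                kept.append(block)
            elif used != block and used.subnet_of(block):
                # Carve the subnet out of the larger block, keep the rest.
                kept.extend(block.address_exclude(used))
            # Otherwise the subnet covers the whole block: nothing is left.
        remaining = kept
    return [str(b) for b in sorted(remaining)]


def gateway_subnet_candidate(address_spaces, subnets, prefix=27):
    """First free block of the requested size (/27 is the size recommended
    in the documentation quoted above), or None when no room is left."""
    for block in free_blocks(address_spaces, subnets):
        net = ipaddress.ip_network(block)
        if net.prefixlen <= prefix:
            return str(next(net.subnets(new_prefix=prefix)))
    return None


def overlaps_existing(candidate, subnets):
    """True when a proposed subnet collides with a subnet that already exists."""
    cand = ipaddress.ip_network(candidate)
    return any(cand.overlaps(ipaddress.ip_network(s)) for s in subnets)


def can_peer(spaces_a, spaces_b):
    """Peering requires that no address space of one VNet overlaps the other's."""
    return not any(
        ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b))
        for a in spaces_a
        for b in spaces_b
    )


if __name__ == "__main__":
    vnet1, subnet11 = ["10.10.10.0/24"], ["10.10.10.0/24"]

    # Box 1 as asked: Subnet11 fills VNET1, so nothing is free.
    print(free_blocks(vnet1, subnet11))
    print(gateway_subnet_candidate(vnet1, subnet11))

    # Carving a /27 from the same range collides with Subnet11.
    print(overlaps_existing("10.10.10.0/27", subnet11))

    # Remedy 1 (constructed): shrink Subnet11 to a /25 first.
    print(gateway_subnet_candidate(vnet1, ["10.10.10.0/25"]))

    # Remedy 2 (constructed): add a second address range to the VNet.
    print(gateway_subnet_candidate(vnet1 + ["10.10.11.0/24"], subnet11))

    # Box 3: VNET1 and VNETA do not overlap.
    print(can_peer(vnet1, ["10.10.128.0/17"]))
```
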
Question #57 Topic 5

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an app named App1 that is installed on two Azure virtual machines named VM1 and VM2. Connections to App1 are managed by using an Azure Load Balancer.

The effective network security configurations for VM2 are shown in the following exhibit.

You discover that connections to App1 from 131.107.100.50 over TCP port 443 fail.

You verify that the Load Balancer rules are configured correctly.

You need to ensure that connections to App1 can be established successfully from 131.107.100.50 over TCP port 443.

Solution: You create an inbound security rule that denies all traffic from the 131.107.100.50 source and has a cost of 64999.

Does this meet the goal?

A. Yes

B. No

Correct Answer: B

Reference:

https://fastreroute.com/azure-network-security-groups-explained/

Community vote distribution


B (100%)

  IHensch Highly Voted  2 years, 8 months ago

"Attach network interface" Button is enabled! That means, VM is Stopped and deallocated!
upvoted 81 times

  alexandrud 2 months, 1 week ago


This Question was in my exam today and I specifically looked at the "Attach network interface" button and it was grayed out (not
enabled like in this screenshot). The answer is NO for the question. Adding the inbound rule will change nothing.
upvoted 3 times

  sztiki 1 year, 8 months ago


Reading all the other options in this case, probably that's the answer. Pretty annoying though...
upvoted 3 times

  nNeo 2 years, 8 months ago


Very good observation !!!
upvoted 11 times

  suryamk 1 year, 7 months ago


even public IP is not visible in network interface!!
upvoted 1 times

  mlantonis Highly Voted  2 years, 9 months ago


Correct Answer: B - No

You want to establish a successful connection from 131.107.100.50 over TCP port 43, and the solution suggests to create a deny inbound
rule with low priority. It doesn’t make any sense.

Virtual machines in load-balanced pools: The source port and address range applied are from the originating computer, not the load
balancer. The destination port and address range are for the destination computer, not the load balancer.

AllowAzureLoadBalancerInBound: The AzureLoadBalancer service tag translates to the virtual IP address of the host, 168.63.129.16 where
the Azure health probe originates. Actual traffic does not travel through here, and if you don’t use Azure Load Balancing, this rule can be
overridden.
upvoted 53 times

  mlantonis 2 years, 9 months ago


Reference:

https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview#azure-platform-considerations

https://msazure.club/addendum-of-azure-load-balancer-and-nsg-rules

http://gowie.eu/index.php/azure/best-practice/23-nsg-best-practice
upvoted 9 times

  mlantonis 2 years, 9 months ago


The Load Balancer backend pool VMs may not be responding to the probes due to any of the following reasons:
- Load Balancer backend pool VM is unhealthy.
- Load Balancer backend pool VM is not listening on the probe port.
- Firewall, or a network security group is blocking the port on the Load Balancer backend pool VMs.
- Other misconfigurations in Load Balancer.

Note: Check if a Deny All network security groups rule on the NIC of the VM or the subnet that has a higher priority than the default
rule that allows LB probes & traffic (network security groups must allow Load Balancer IP of 168.63.129.16).

Reference:
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-troubleshoot-health-probe-status
upvoted 12 times

  dimsok Most Recent  1 year ago

a cost of 64999???????
upvoted 2 times

  Bigc0ck 1 year, 1 month ago


Was on my 2nd test
upvoted 1 times

  Bigc0ck 1 year, 1 month ago


Here 1/5/23
upvoted 1 times

  Liriano 1 year, 3 months ago


In exam today, go with highly voted
upvoted 1 times

  klexams 1 year, 3 months ago


Selected Answer: B

this is to ensure connections to App1 can be established successfully from 131.107.100.50 over TCP port 443, not denying.
upvoted 1 times

  libran 1 year, 5 months ago


Selected Answer: B

B is the Answer..!
upvoted 1 times

  EmnCours 1 year, 5 months ago

Selected Answer: B

Correct Answer: B
upvoted 1 times

  minix 1 year, 7 months ago


came in today's exam 25/6/2022
upvoted 4 times

  EleChie 1 year, 8 months ago


Correct answer: B

After considering the issue a bit more I've realized that AllowAzureLoadBalancerInBound security rule only applies to the traffic originated
by the Load Balancer - health probes, etc.
So rule 200 is blocking the LB Probe traffic which in its turn lets the LB know that VM2 (or pool members) is alive/working and hence deleting
this rule will solve the issue.
upvoted 1 times

  szabi777 1 year, 11 months ago


The VM is turned off as the Attach network interface option is available. The solution is to turn on the VM.

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface-vm#add-a-network-interface-to-an-existing-vm
upvoted 4 times

  AbhiYad 2 years, 1 month ago


There is no Public IP for VM2 to establish connection from external computer.
As rule already allows inbound connection, need to create Public IP for VM2 to facilitate connections.
upvoted 2 times

  im82 2 years, 2 months ago


Was on exam today 19.11.2021. Passed with 920.
Correct answer: B
upvoted 2 times

  Saravana12g 2 years, 5 months ago


No.
Rule BlockAllOther441 is blocking all the Inbound Traffic including Load Balancer traffic and hence the Load Balancer traffic is also not
reaching to access the App.
upvoted 1 times

  qyy 2 years, 6 months ago


ALB forwarded the request to VM1. VM1 should have a similar inbound rule configured.
upvoted 1 times

  RMJ21 2 years, 8 months ago


The answer would be B for me. There is no Public IP address assigned, that means the VM is stopped and deallocated. We have to start the
VM first
upvoted 3 times
Question #58 Topic 5

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an app named App1 that is installed on two Azure virtual machines named VM1 and VM2. Connections to App1 are managed by using an Azure Load Balancer.

The effective network security configurations for VM2 are shown in the following exhibit.

You discover that connections to App1 from 131.107.100.50 over TCP port 443 fail.

You verify that the Load Balancer rules are configured correctly.

You need to ensure that connections to App1 can be established successfully from 131.107.100.50 over TCP port 443.

Solution: You delete the BlockAllOther443 inbound security rule.

Does this meet the goal?

A. Yes

B. No

Correct Answer: B

Reference:

https://fastreroute.com/azure-network-security-groups-explained/

Community vote distribution


B (51%) A (49%)

  mlantonis Highly Voted  2 years, 9 months ago

Correct Answer: B - No

Allow_131.107.100.50 rule has a higher priority (100) than BlockAllOther441 (200) and it allows inbound traffic over TCP 443 from source
131.107.100.50. App1 (VM1 and VM2) is in a VNet, so this rule applies. Unfortunately, we still cannot access App1, so the issue is
somewhere else, maybe the VMs are off, or the firewall is blocking it.
upvoted 74 times

  mlantonis 2 years, 9 months ago


It's a tricky question. It might also be YES.

The Load Balancer backend pool VMs may not be responding to the probes due to any of the following reasons:
- Load Balancer backend pool VM is unhealthy.
- Load Balancer backend pool VM is not listening on the probe port.
- Firewall, or a network security group is blocking the port on the Load Balancer backend pool VMs.
- Other misconfigurations in Load Balancer.

Note: Check if a Deny All network security groups rule on the NIC of the VM or the subnet that has a higher priority than the default
rule that allows LB probes & traffic (network security groups must allow Load Balancer IP of 168.63.129.16).

Reference:
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-troubleshoot-health-probe-status
upvoted 28 times
  alexandrud 2 months, 1 week ago
This question was in my exam today, and I specifically looked at the "Attach network interface" button and it was grayed out (not
enabled like in this screenshot). Creating the Allow inbound from the LB may fix the issue. This was my answer for that question
today and I scored 909. Not sure if it was the correct answer though, but here I think it is still NO.
upvoted 3 times

  alexander_890512 8 months, 2 weeks ago


Hello guys, the NIC is not attached to any vm, look at the attach options.
upvoted 6 times

  Nighty470 4 months, 3 weeks ago


'Detach..' being grayed out only means that the VM has only one NIC attached, which cannot be removed for obvious reason.
'Attach..' being active means that the VM is not running.
upvoted 3 times

  pcfixok 4 months, 3 weeks ago


You're right! So simple!
upvoted 1 times

  klexams 1 year, 3 months ago


The communication on these ports with 168.63.129.16 is not subject to the configured network security groups. So answer is No.
Don't worry about 168.63.129.16.
https://learn.microsoft.com/en-us/azure/virtual-network/what-is-ip-address-168-63-129-16
upvoted 4 times

  Goofer 10 months, 2 weeks ago


Answer should be A (yes) I think. Because deleting rule BlockAllOther443, would cause default rule 65001 to allow the traffic from the
loadbalancer to reach VM1/VM2
upvoted 3 times

  kansaj 2 years, 4 months ago


also the destination is for virtual network only so it doesn't matter, it still wouldn't work
upvoted 2 times

  Moyuihftg Highly Voted  2 years, 9 months ago

Answer should be A (yes) I think. Because deleting rule BlockAllOther441, would cause default rule 65001 to allow the traffic from the
loadbalancer to reach VM1/VM2
upvoted 45 times

  MichalGr 2 years, 6 months ago


you could be right... I just wonder if there's a typo...
BlockAllOther441 [screen] / BlockAllOther443 [ans.]
upvoted 5 times

  FDZ83 1 year, 11 months ago


Correct: yes
Traffic come from LB, not directly from internet (vm has not public ip). So the rule that permits connection is 65001, we have only to
remove the rule that blocks 443.
upvoted 3 times

  ScreamingHand 2 years, 8 months ago


An active "Attach network interface" suggests that VM2 is not running.
upvoted 7 times

  garmatey 9 months, 3 weeks ago


omg thank you, I've been looking through the comments of all three of these questions looking for this answer
upvoted 1 times

  itgg11 1 year, 11 months ago


I think you are spot on. the VM is off. Answer: B
upvoted 2 times

  rupayan87 1 year, 2 months ago


but VM1 may be running. The NSG is tied to subnet
upvoted 2 times

  Lkk51 2 years, 8 months ago


Question is ensure that connections to App1 can be established successfully from 131.107.100.50 over TCP port 443.
upvoted 1 times

  nchebbi Most Recent  2 months, 3 weeks ago

Selected Answer: A

From the exhibit we can see that the NSG is applied only to the subnet (it's not applied to any of the network interfaces of VM1 or VM2).
Standard SKU must be used, Basic SKU is typically for testing ONLY, see Ref1
1. the first rule is required for standard LB as they are closed by default in order to allow traffic to flow to the backend pool resources,
unless you have NSG on the VM NIC or subnet. (basic SKU is open by default.) Ref1
2. The security rule we remove will allow the LoadBalancer to check the health of the VMs, the LB is marking them as unhealthy, though
not sending traffic to them, that's why it's failing. Ref2
Ref1: https://learn.microsoft.com/en-us/security/benchmark/azure/baselines/azure-load-balancer-security-baseline
Ref2: https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-custom-probe-overview#probe-source-ip-address
upvoted 1 times

  nchebbi 2 months, 3 weeks ago


From Ref1: " The Standard Load Balancer is designed to be secure by default and part of a private and isolated Virtual Network. It is
closed to inbound flows unless opened by network security groups to explicitly permit allowed traffic, and to disallow known malicious
IP addresses. Unless a network security group on a subnet or NIC of your virtual machine resource exists behind the Load Balancer,
traffic is not allowed to reach this resource."

Ref1: "Note: Using a Standard Load Balancer is recommended for your production workloads and typically the Basic Load Balancer is
only used for testing since the basic type is open to connections from the internet by default and doesn't require network security
groups for operation."
upvoted 1 times

  MOSES3009 3 months ago

Selected Answer: A

Flow 131.107.100.50 -> LB -> servers. Deleting the rule will allow second half of the flow. So, it solve the problem.
upvoted 1 times

  Wuhao 3 months, 1 week ago


Selected Answer: A

allow the LB to health probe


upvoted 2 times

  JD908 5 months ago


Question literally says "You verify that the Load Balancer rules are configured correctly". If it's configured correctly then why would you
delete one of the rules?
upvoted 1 times

  hidefo6963 5 months, 1 week ago

Selected Answer: A

There is a rule 65001 that allows the LB to access VMs, and the rule 200 blocks it for port 443.
Most probably the NSG2 is shared between Vm1 and Vm2.
The active button "Attach Network Interface" indicates VM2 is stopped, but nothing is known about VM1 which is supposed to be able to
accept connections.
upvoted 1 times

  rimvydukas 6 months ago


Selected Answer: A

Ok, let's dig in :) Rule with prio 100 allows required traffic from required IP but the App1 still is not working. Why? Because of the rule with
prio 200. Why? Because as we can see from the rules - App1 is on 443 port. So most likely health probes are also configured against this
port and these health probes are blocked with rule with prio 200. LB thinks that VMs are not active and does not send the traffic to these
VMs. When we'll delete this rule, health probes will start to work because of rule with prio 65001 and everything will start to work again:)

And one more thing, maybe not so important in this case. "Attach Network Interface" button is active, so VM2 is probably powered off. But
we still have VM1 left in any case :)
upvoted 3 times

  hidefo6963 5 months, 1 week ago


in a lab starting a VM really makes the "Attach..." button inactive
upvoted 1 times

  Josete1106 6 months, 4 weeks ago


N is correct!
upvoted 1 times

  garmatey 8 months ago


Traffic from 131.107.100.50 over TCP port 443 is allowed, however, to get to app1 the traffic must go through the LB, which is being
blocked by the "Blockallother443" rule.

Is any of this incorrect?


upvoted 3 times

  RandomNickname 7 months, 1 week ago


Yea.
If LB health probe is down no traffic will pass.
upvoted 1 times

  3GS 7 months, 2 weeks ago


Correct. correct answer is Yes. You can see more clearly in Question #132 (Topic 5)
upvoted 1 times
  krzysiekr 9 months, 3 weeks ago
"Attach network interface" Button is enabled! That means, VM is Stopped and deallocated!"
Copied from another.
upvoted 2 times

  bsaksham 10 months, 3 weeks ago


Azure evaluates network security group (NSG) rules in ascending order by priority value, with lower numbers taking precedence over
higher numbers. When a traffic flow matches a rule with a deny action, the traffic is blocked and the NSG evaluation stops. Therefore, the
allow rule with a priority of 100 will not be applied if there is a matching deny rule with a higher priority of 200.

so First is Yes!!
upvoted 1 times

  Dimedrol1 11 months, 2 weeks ago

Selected Answer: B

I believe that answer should be - "B".


My logic is:
Our VM is working behind the LoadBalancer, which means, when client from 131.107.100.50 connects to our Application, in fact he's
connecting to our LoadBalancer, which forwards the request further, but this "second hop" will be from our LoadBalancer's internal
address (e.g. 10.0.1.3), not from 131.107.100.50.
So - adding or removing the "Allow_131.107.100.50" gives nothing. No connection could be made directly from 131.107.100.50. (BTW -
check, the VM's got only internal IP)
upvoted 2 times

  3GS 7 months, 2 weeks ago


See Question #132 (Topic 5). It's the same but more clearly
upvoted 1 times

  ChakaZilly 12 months ago


Correct answer Yes: Rule 100 is not relevant. Rule 200 blocks on the NIC-level. When you delete Rule 200 "the allow rule" of 65001 kicks in.
upvoted 1 times

  MeysamBayani 1 year ago


I think we have to assign the network security group to the subnet. Right now it is assigned to the NIC
upvoted 1 times

  MeysamBayani 1 year ago


And also I think the NIC is not attached to any VM
upvoted 1 times

  MeysamBayani 1 year ago


I tested in a lab: when the status of Attach network interface in the network blade is not grayed out, it means the VM is stopped
upvoted 1 times

  JoshuaAlkar 1 year, 2 months ago


why ya all confusing other students with your comments? it's the same question as above, the VM is powered off as no network interface
attached as mentioned in the last question's discussion
upvoted 1 times

  Liriano 1 year, 3 months ago


In exam today, go with highly voted
upvoted 3 times
Question #59 Topic 5

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an app named App1 that is installed on two Azure virtual machines named VM1 and VM2. Connections to App1 are managed by using an Azure Load Balancer.

The effective network security configurations for VM2 are shown in the following exhibit.

You discover that connections to App1 from 131.107.100.50 over TCP port 443 fail.

You verify that the Load Balancer rules are configured correctly.

You need to ensure that connections to App1 can be established successfully from 131.107.100.50 over TCP port 443.

Solution: You modify the priority of the Allow_131.107.100.50 inbound security rule.

Does this meet the goal?

A. Yes

B. No

Correct Answer: B

The rule currently has the highest priority.

Reference:

https://fastreroute.com/azure-network-security-groups-explained/

Community vote distribution


B (80%) A (20%)

  mlantonis Highly Voted  2 years, 9 months ago

Correct Answer: B - No

Allow_131.107.100.50 rule has a higher priority (100). The issue is not related with the priority of the rule.
upvoted 40 times

  Dalias Highly Voted  2 years, 9 months ago

Answer is correct.
Current rule is already at the highest priority.. i hope such questions appear in the exams to take away some of the stress.
upvoted 18 times

  sakibmas Most Recent  6 months ago

Selected Answer: B

create an inbound security rule that allows any traffic from the AzureLoadBalancer source and has a cost of 150.
upvoted 2 times

  josola 2 months, 3 weeks ago


That won't solve the issue because the current NSG rule has the higher priority
upvoted 1 times
  alexandrud 2 months, 1 week ago
Actually, adding the inbound rule that allows any traffic from the AzureLoadBalancer source and has the cost of 150 may resolve
the issue. This Question was in my exam today and I specifically looked at the "Attach network interface" button and it was grayed
out (not enabled like in this screenshot).
upvoted 2 times

  Liriano 1 year, 3 months ago


In exam today, go with highly voted
upvoted 1 times

  mung 1 year, 2 months ago


Stop commenting like that dude..
Most Highly voted answers are still wrong on ET.
upvoted 3 times

  kf01234 1 year, 3 months ago


Selected Answer: A

Delete 200 makes 65501 workable


upvoted 2 times

  chikorita 1 year ago


no dude
upvoted 2 times

  reagan3698 1 year, 3 months ago

Selected Answer: B

Just checked in Azure. The Attach Network Interface icon is lit, this means the VM is powered off.
upvoted 5 times

  JoshuaAlkar 1 year, 2 months ago


It's mentioned in previous discussion, it's clear that VM is powered off
upvoted 1 times

  garmatey 9 months, 3 weeks ago


why are you upset it is being mentioned here as well?
upvoted 1 times

  EmnCours 1 year, 5 months ago


Selected Answer: B

Correct Answer: B
upvoted 1 times

  EleChie 1 year, 8 months ago


Correct Answer is B:
But the solution is -
After considering the issue a bit more I've realized that AllowAzureLoadBalancerInBound security rule only applies to the traffic originated
by the Load Balancer - health probes, etc.

So rule 200 is blocking the LB Probe traffic which in its turn lets the LB know that VM2 (or pool members) is alive/working and hence deleting
this rule will solve the issue.
upvoted 1 times

  suryamk 1 year, 8 months ago


rule name allow_131.107.100.50 has to be updated the destination to “any” will solve this issue>??
upvoted 1 times

  szabi777 1 year, 11 months ago


The VM is turned off as the Attach network interface option is available. The solution is to turn on the VM.

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface-vm#add-a-network-interface-to-an-existing-vm
upvoted 4 times

  MrAzureGuru 2 years, 3 months ago


Beware that "You modify the priority" can also mean increasing the number, not just decreasing (as other questions usually demand you
do).
upvoted 2 times

  orion1024 2 years, 4 months ago


As observed by IHensch in the 2 previous questions, the VM is stopped ("Attach network interface" is enabled). So unless the VM is started
nothing will change.
upvoted 5 times

  Saravana12g 2 years, 5 months ago


No.
Rule BlockAllOther441 is blocking all the Inbound Traffic including Load Balancer traffic and hence the LoadBalancer traffic is also not
reaching to access the App.
upvoted 3 times

  kerker 2 years, 7 months ago


VM is not running
So Start the VM
:))
upvoted 10 times

  JayBee65 2 years, 7 months ago


Allow_131.107.100.50 already has the highest priority so making this higher will have zero effect.
upvoted 1 times

  ScreamingHand 2 years, 7 months ago


An active "Attach network interface" suggests that VM2 is not running.
upvoted 4 times

  RMJ21 2 years, 8 months ago


answer is correct.
upvoted 1 times
Question #60 Topic 5

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an Azure subscription that contains 10 virtual networks. The virtual networks are hosted in separate resource groups.

Another administrator plans to create several network security groups (NSGs) in the subscription.

You need to ensure that when an NSG is created, it automatically blocks TCP port 8080 between the virtual networks.

Solution: You assign a built-in policy definition to the subscription.

Does this meet the goal?

A. Yes

B. No

Correct Answer: B

Resource policy definition used by Azure Policy enables you to establish conventions for resources in your organization by describing when the policy is enforced and what effect to take. By defining conventions, you can control costs and more easily manage your resources.

Reference:

https://docs.microsoft.com/en-us/azure/azure-policy/policy-definition

Community vote distribution


B (100%)

  STH Highly Voted  3 years, 7 months ago

there is no such built-in policy (yet), that is why we need a custom one
upvoted 82 times

  Indy429 1 month, 3 weeks ago


My god these trick questions everywhere. It's more about comprehensive reading and paying attention to silly details rather than
focusing on actual solutions on these exam questions. Ridiculous.
upvoted 5 times

  ScreamingHand 2 years, 8 months ago


Exactly. I will memorise ALL of the built-in policies to ensure I am well prepared for the MS exam.
upvoted 98 times

  zzzzzz12345 2 years, 5 months ago


MS almost leads everyone to cheating with exam-dumps, I see no other reasonable way of understanding questions like this :)
upvoted 43 times

  Def21 1 year, 8 months ago


It might be intentional that they have ~10-20% of very detailed questions. You get most of them wrong, but you still easily
succeed (I think you need to have 70% score). However, if you happen to have expertise on a specific topic, it benefits you.
upvoted 3 times

  Lazylinux 1 year, 7 months ago


This is How Microsoft was Built on theft of other technologies and label it Windows logo..So old habits die hard
upvoted 10 times

  urbanmonk 4 months ago


lol, We need this kind of humor here because iterating over these questions is no child's play
upvoted 4 times

  Lazylinux 1 year, 7 months ago


I can lend U the Blue Book Bill Gates gave me, it contains Summary bullet points style of All MS Technologies
upvoted 16 times

  DodgyD 3 years, 1 month ago


Not sure what you are referring to ..There are many Built-in Policy Definitions for you to choose from. Sorting by Category will help you
locate what you need..
https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies

I'd say ans: B, too - as a custom policy would be required for specific ports.
upvoted 5 times

  d0bermannn 2 years, 7 months ago


agreed, if there is no device drivers [for winmodem for example], write it yourself [true unixway] ))
upvoted 1 times

  I 2 years, 11 months ago


I cannot agree with you more!
upvoted 4 times

  mlantonis Highly Voted  2 years, 9 months ago

Correct Answer: B - No

You need to use a custom policy definition, because there is not a built-in policy.

Resource policy definition used by Azure Policy enables you to establish conventions for resources in your organization by describing
when the policy is enforced and what effect to take. By defining conventions, you can control costs and more easily manage your
resources.

Reference:

https://docs.microsoft.com/en-us/azure/azure-policy/policy-definition

https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies
upvoted 54 times

  majerly Most Recent  1 year, 4 months ago

Today in exam , is B
upvoted 6 times

  favela 1 year, 5 months ago


Answer is B passed today score 900
upvoted 6 times

  EmnCours 1 year, 5 months ago


Selected Answer: B

there is no such built-in policy (yet), that is why we need a custom one
upvoted 2 times

  Lazylinux 1 year, 7 months ago

Selected Answer: B

I Luv Honey Because it is B

Nothing relates to the solution no such thing in NSG


upvoted 2 times

  EleChie 1 year, 8 months ago


Correct Answer B: NO

We need to use a custom policy definition, because there is no such built-in policy.
upvoted 1 times

  AubinBakana 2 years, 5 months ago


I would have answered A here. Thank heavens I have spent time going through these. So there's no such built-in role, huh?! :)
upvoted 4 times

  Sharathjogi 2 years, 1 month ago


Me too...
upvoted 2 times

  Adebowale 2 years, 6 months ago


Hello STH, Well done for the clarification
upvoted 1 times

  ZUMY 2 years, 11 months ago


Sorry ignore previous
No is answer
when NSG is created the default NSG rule will NOT permit any traffic between 2 different VNETs . unless you peer the networks or create
VPN gateway
upvoted 3 times

  ZUMY 2 years, 11 months ago


No is correct!
when NSG is created the default NSG rule will NOT permit any traffic between 2 different VNETs So I think that the answer to All Q in this
series is YES. unless you peer the networks or create VPN gateway
upvoted 2 times

  toniiv 2 years, 12 months ago


Answer B. is correct. You need to create a custom policy
upvoted 4 times

  janshal 3 years, 1 month ago


again, when NSG is created the default NSG rule will NOT permit any traffic between 2 different VNETs So I think that the answer to All Q in
this series is YES. unless you peer the networks or create VPN gateway between them, they will NOT be able to Talk to each other
upvoted 3 times

  Laurent_Byanjira 3 years ago


AllowVNetInBound
ALLOWVNETINBOUND
Priority Source Source ports Destination Destination ports Protocol Access
65000 VirtualNetwork 0-65535 VirtualNetwork 0-65535 Any Allow

I think you are not right. This default rule will allow Vnet to communicate by default
upvoted 1 times

  oooMooo 3 years, 1 month ago


You need to use a custom policy definition.
upvoted 11 times
Question #61 Topic 5

You have an Azure subscription.

You plan to deploy an Azure Kubernetes Service (AKS) cluster to support an app named App1. On-premises clients connect to App1 by using the IP address of the pod.

For the AKS cluster, you need to choose a network type that will support App1.

What should you choose?

A. kubenet

B. Azure Container Networking Interface (CNI)

C. Hybrid Connection endpoints

D. Azure Private Link

Correct Answer: B

With Azure CNI, every pod gets an IP address from the subnet and can be accessed directly. These IP addresses must be unique across your network space.

Incorrect Answers:

A: The kubenet networking option is the default configuration for AKS cluster creation. With kubenet, nodes get an IP address from the Azure virtual network subnet. Pods receive an IP address from a logically different address space to the Azure virtual network subnet of the nodes. Network address translation (NAT) is then configured so that the pods can reach resources on the Azure virtual network.

C, D: AKS only supports Kubenet networking and Azure Container Networking Interface (CNI) networking.

Reference:

https://docs.microsoft.com/en-us/azure/aks/concepts-network

Community vote distribution


B (100%)

  fedztedz Highly Voted  3 years ago

Answer is correct "B". To have previously reserved IP address for a certain Pod, you should use Azure Container Networking Interface (CNI)
upvoted 70 times

  zzzzzz12345 2 years, 5 months ago


The answer for this question is "B", correct.
However, in real world, this is many times seen as a bad-practice: in k8s you should prefer connect to "services" instead of "pods-ips".
Very bad practice...
upvoted 18 times

  Panapi 11 months, 3 weeks ago


Answer valid! This question was on the exam 22/02/2023. Scored 920.
upvoted 9 times

  mlantonis Highly Voted  2 years, 9 months ago

Correct Answer: B
upvoted 49 times

  EmnCours Most Recent  1 year, 5 months ago

Selected Answer: B

Correct Answer: B

Nodes = Kubenet
Pods = CNI
upvoted 18 times

  robin1337 1 year, 6 months ago


"On-premises clients connect to App1 by using the IP address of the pod." - seriously, who connects to an App by providing the ClusterIP
of a Pod? Pods are ephemeral and get a new IP assigned when they restart. Asking a question in that way is like MS encourages bad
practices.
upvoted 5 times

  klasbeatz 1 year, 3 months ago


I noticed this too and kind of thought, why are they connecting to a POD? No load balancer or anything, just straight to the pod IP address.
LOL
upvoted 2 times
  alen995454 1 year, 7 months ago
Nodes = Kubenet
Pods = CNI
upvoted 11 times

  Lazylinux 1 year, 7 months ago


Selected Answer: B

I Luv Honey Because it is B

If using Kubnetes Networking then receive an IP address from logically different address space to Azure Virtual Network Subnet and NAT
is then used to translate IPs from the PODs to the Azure virtual Network and vice versa

If using Azure Container Networking Interface (ACNI): then All PODs get IP from the subnet and can be accessed directly, the ONLY
problem with such method is that it could lead to IP address exhaustion
upvoted 9 times

  techie_11 1 year, 10 months ago


On exam 4/12/2022. correct answer
upvoted 3 times

  InvisibleShadow 1 year, 11 months ago


This question came in the exam today 8/Mar/2022.
I passed the exam, 95% questions came from here.
upvoted 2 times

  MMsdk 1 year, 10 months ago


Did you have over 200 questions in your exam?
upvoted 9 times

  sid132 1 year, 11 months ago


On the exam today, 4.March.2022
upvoted 3 times

  nidhogg 2 years ago


On the exam today, 1.feb.2022
Just 761/1000, but OK! :D
Thanks to ExamTopics and to you all!
upvoted 4 times

  im82 2 years, 2 months ago


Was on exam today 19.11.2021. Passed with 920.
Correct answer: B
upvoted 8 times

  ZUMY 2 years, 11 months ago


B is correct
upvoted 2 times

  waterzhong 2 years, 11 months ago


With Azure CNI, every pod gets an IP address from the subnet and can be accessed directly.
upvoted 5 times

  toniiv 2 years, 11 months ago


CNI is correct
upvoted 2 times

  emv 3 years ago


In AKS, you can deploy a cluster that uses one of the following two network models:

Kubenet networking - The network resources are typically created and configured as the AKS cluster is deployed.
Azure Container Networking Interface (CNI) networking - The AKS cluster is connected to existing virtual network resources and
configurations.
upvoted 12 times
Question #62 Topic 5

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an Azure subscription that contains the virtual machines shown in the following table.

You deploy a load balancer that has the following configurations:

✑ Name: LB1
✑ Type: Internal
✑ SKU: Standard
✑ Virtual network: VNET1

You need to ensure that you can add VM1 and VM2 to the backend pool of LB1.

Solution: You disassociate the public IP address from the network interface of VM2.

Does this meet the goal?

A. Yes

B. No

Correct Answer: B

Community vote distribution


A (100%)

  mlantonis Highly Voted  2 years, 9 months ago

Correct Answer: A - Yes

You can only attach virtual machines that are in the same location and on the same virtual network as the LB. Virtual machines must have
a standard SKU public IP or no public IP.

The LB needs to be a standard SKU to accept individual VMs outside an availability set or vmss. VMs do not need to have public IPs but if
they do have them they have to be standard SKU. Vms can only be from a single network. When they don’t have a public IP they are
assigned an ephemeral IP.

Also, when adding them to a backend pool, it doesn’t matter in which status are the VMs.

Note: Load balancer and the public IP address SKU must match when you use them with public IP addresses.
upvoted 94 times

  andrew_ura 1 year, 2 months ago


Public IP of the VM is basic SKU, not standard. And if "The LB needs to be a standard SKU to accept individual VMs outside an availability
set or vmss. VMs do not need to have public IPs but if they do have them they have to be standard SKU. ", then it will fail!?
B - No is correct
upvoted 1 times

  curtmcgirt 12 months ago


-we're _removing_ the public IP from vm2, so it doesn't matter anymore if the public IP sku is basic or standard.
-the lb _IS_ a standard SKU, so it can accept these individual VMs that have no public IPs.
upvoted 2 times

  mlantonis 2 years, 9 months ago


It's valid, because:
LB1: Standard SKU
VM1: No public IP
VM2: No public IP
upvoted 33 times

  KelvinTan 2 years, 6 months ago


disassociate the public IP address from the network interface of VM2
upvoted 2 times

  kennynelcon 1 year, 9 months ago


Mlantonis oil dey your head
upvoted 2 times
  haazybanj 1 year, 7 months ago
Baba werey. Dis one no be Naija o.Answer is right
upvoted 2 times

  MoOshin 1 month, 1 week ago


No be small thing!
upvoted 1 times

  Moyuihftg Highly Voted  2 years, 9 months ago

You can only attach virtual machines that have a standard SKU public IP configuration or no public IP configuration. All IP configurations
must be on the same virtual network.

Also, VMs do not have to be powered on when adding them to a backend pool.

So answer should be A (Yes)


upvoted 91 times

  GenjamBhai 1 year, 7 months ago


2 possible ways - either no Public IPs on BE VMs or Std Public IPs on both VMs matching Std LB SKU
upvoted 9 times

  GBAU 1 year ago


Tested in a Lab Feb '23. Standard SKU LB had ZERO problems using VMs with basic PIPs and LIPs in the backend pool.
upvoted 4 times

  josola 2 months, 3 weeks ago


That's cloud something that wasn't possible now it is. So "A" was probably right long ago, but not anymore.
upvoted 1 times

  Holydud 1 year, 5 months ago


Was on exam 19 Aug 2022. Scored 870. Around 85% questions were also on ET. Answered A
upvoted 9 times

  Takloy 2 years, 2 months ago


That's what I thought!
upvoted 4 times

  fastlearner21 Most Recent  9 months, 2 weeks ago

Can someone explain why ET has answer B. How is this answer selected on ET platform?
upvoted 2 times

  JayLearn2022 12 months ago


There are several versions of this question. The following are the correct and incorrect answers that can be presented.

Correct Answer: Meets the goal.


-Solution: You create two Standard SKU public IP addresses and associate a Standard SKU public IP address to the network interface of
each virtual machine.

Incorrect Answers: Does not meet the goal.


-Solution: You disassociate the public IP address from the network interface of VM2.

-Solution: You create a Basic SKU public IP address, associate the address to the network interface of VM1, and then start VM1.

-Solution: You create a Standard SKU public IP address, associate the address to the network interface of VM1, and then stop VM2.
upvoted 3 times

  garmatey 8 months, 2 weeks ago


why post all this on multiple different questions and not make sure it's correct...
upvoted 1 times

  obaali1990 10 months, 4 weeks ago


Your provided guidelines for option 2 is not valid
upvoted 1 times

  meeko86 1 year, 1 month ago

Selected Answer: A

For this series question, there are two possible answers:


1. You create two Standard public IP addresses and associate a Standard SKU public IP address to the network interface of each virtual
machine.
2. You disassociate the public IP address from the network interface of VM2.
upvoted 4 times

  EmnCours 1 year, 5 months ago


Selected Answer: A

Correct Answer: A
You can only attach virtual machines that are in the same location and on the same virtual network as the LB. Virtual machines must have
a standard SKU public IP or no public IP.
upvoted 1 times

  Gino_Slim 1 year, 7 months ago

Selected Answer: A

It's A....they need to update this.


upvoted 1 times

  Pramodswagh 1 year, 7 months ago

Selected Answer: A

Need is to have either standard sku public ip or no public ip so answer is yes.


upvoted 1 times

  Lazylinux 1 year, 7 months ago

Selected Answer: A

A for sure
As the Basic Public IP SKU had been removed and the LB is STD, which means it can support single VMs to be added and they don't need to be in an AV
set or VM scale set, and all are in the same region
upvoted 2 times

  cloudera 1 year, 8 months ago

Selected Answer: A

VM1 has no public IP, VM2 has public IP.

To add VM1 and VM2 as LB back-end pools - you can either remove the public IP of VM2 or assign standard SKU public IP to both the VMs.
upvoted 1 times

  ajayasa 1 year, 11 months ago


this question was there on 16/03/2022 with same question and passed with 900 percent
upvoted 1 times

  Jeo007 1 year, 11 months ago

Selected Answer: A

I have also chosen A, but it shows me that B is the correct answer.
Does anybody know why?
upvoted 1 times

  InvisibleShadow 1 year, 11 months ago


This question came in the exam today 8/Mar/2022.
I passed the exam, 95% questions came from here.
upvoted 1 times

  Teringzooi 1 year, 11 months ago

Selected Answer: A

Answer: A
You can only attach virtual machines that have a standard SKU public IP configuration or no public IP configuration. All IP configurations
must be on the same virtual network.
upvoted 1 times

  _punky_ 2 years, 1 month ago

Selected Answer: A

My ans
upvoted 1 times

  [Removed] 2 years, 1 month ago

Selected Answer: A

Correct answer is A. VM2 is using a Basic SKU public IP address which is not compatible with a Standard ILB. Therefore you must remove
the public IP.
upvoted 1 times

  Takloy 2 years, 1 month ago

Selected Answer: A

love this voting comment feature.


upvoted 1 times
Question #63 Topic 5

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an Azure subscription that contains 10 virtual networks. The virtual networks are hosted in separate resource groups.

Another administrator plans to create several network security groups (NSGs) in the subscription.

You need to ensure that when an NSG is created, it automatically blocks TCP port 8080 between the virtual networks.

Solution: You configure a custom policy definition, and then you assign the policy to the subscription.

Does this meet the goal?

A. Yes

B. No

Correct Answer: A

Resource policy definition used by Azure Policy enables you to establish conventions for resources in your organization by describing when the policy is enforced and what effect to take. By defining conventions, you can control costs and more easily manage your resources.

Reference:

https://docs.microsoft.com/en-us/azure/azure-policy/policy-definition

Community vote distribution


A (100%)

  mlantonis Highly Voted  2 years, 9 months ago

Correct Answer: A - Yes

You need to use a custom policy definition, because there is not a built-in policy.

Resource policy definition used by Azure Policy enables you to establish conventions for resources in your organization by describing
when the policy is enforced and what effect to take. By defining conventions, you can control costs and more easily manage your
resources.

Reference:

https://docs.microsoft.com/en-us/azure/azure-policy/policy-definition

https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies
upvoted 53 times

  tuta Highly Voted  3 years, 2 months ago


given answer is correct
upvoted 15 times

  JayLearn2022 Most Recent  12 months ago

There are several versions of this question. The following are the correct and incorrect answers that can be presented.

Correct Answer: Meets the goal.


-Solution: You configure a custom policy definition, and then you assign the policy to the subscription.

Incorrect Answers: Does not meet the goal.


-Solution: You create a resource lock, and then you assign the lock to the subscription.

-Solution: From the Resource providers blade, you unregister the Microsoft.ClassicNetwork provider

-Solution: You assign a built-in policy definition to the subscription.


upvoted 8 times

  majerly 1 year, 4 months ago


Today in exam , is A
upvoted 2 times

  favela 1 year, 5 months ago


Yes custom policy not built
upvoted 1 times

  EmnCours 1 year, 5 months ago


Selected Answer: A

Correct Answer: A

You need to use a custom policy definition, because there is not a built-in policy
upvoted 2 times

  ajayasa 1 year, 11 months ago


this question was there on 16/03/2022 with same question and passed with 900 percent
upvoted 2 times

  G_unit_19 1 year, 11 months ago


Selected Answer: A

A is the correct answer


upvoted 1 times

  AubinBakana 2 years, 5 months ago


I sure won't forget this one, ha!
upvoted 7 times

  ZUMY 2 years, 11 months ago


A is correct!
upvoted 8 times

  toniiv 2 years, 12 months ago


Answer A. is correct. Custom policy is the key
upvoted 4 times

  TheOne1 3 years ago


Correct
upvoted 3 times

  Hibs2016 3 years, 2 months ago


Answer is correct
upvoted 3 times
Question #64 Topic 5

You have two Azure virtual networks named VNet1 and VNet2. VNet1 contains an Azure virtual machine named VM1. VNet2 contains an Azure virtual machine named VM2.

VM1 hosts a frontend application that connects to VM2 to retrieve data.

Users report that the frontend application is slower than usual.

You need to view the average round-trip time (RTT) of the packets from VM1 to VM2.

Which Azure Network Watcher feature should you use?

A. IP flow verify

B. Connection troubleshoot

C. Connection monitor

D. NSG flow logs

Correct Answer: C

The connection monitor capability monitors communication at a regular interval and informs you of reachability, latency, and network topology changes between the VM and the endpoint.

Incorrect Answers:

A: The IP flow verify capability enables you to specify a source and destination IPv4 address, port, protocol (TCP or UDP), and traffic direction (inbound or outbound). IP flow verify then tests the communication and informs you if the connection succeeds or fails. If the connection fails, IP flow verify tells you which security rule allowed or denied the communication, so that you can resolve the problem.

B: The connection troubleshoot capability enables you to test a connection between a VM and another VM, an FQDN, a URI, or an IPv4 address. The test returns similar information returned when using the connection monitor capability, but tests the connection at a point in time, rather than monitoring it over time, as connection monitor does.

D: The NSG flow log capability allows you to log the source and destination IP address, port, protocol, and whether traffic was allowed or denied by an NSG.

Reference:

https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview

Community vote distribution


C (100%)

  mlantonis Highly Voted  2 years, 9 months ago

Correct Answer: C

Connection monitor lets you know the round-trip time to make the connection, in milliseconds. Connection monitor probes the
connection every 60 seconds, so you can monitor latency over time.

Reference:
https://docs.microsoft.com/en-us/azure/network-watcher/connection-monitor
https://docs.microsoft.com/en-us/azure/network-watcher/connection-monitor-overview
upvoted 85 times

  hstorm Highly Voted  3 years, 5 months ago

I was really not sure, but found this about connection monitor:
"Lets you know the round-trip time to make the connection, in milliseconds. Connection monitor probes the connection every 60 seconds,
so you can monitor latency over time."

So guess answer is right


upvoted 41 times

  kulei Most Recent  6 months, 3 weeks ago


C, this was on exam 072523, I passed the exam with a score of 840.
upvoted 3 times

  shadad 11 months, 2 weeks ago

Selected Answer: C

I took Exam of Azure- 104 at 27/2/2023


I score 920 points out of 1000 points. This was on it and my answer was: C
upvoted 9 times

  zellck 1 year ago

Selected Answer: C
C is the answer.

https://learn.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview#monitoring
The connection monitor capability monitors communication at a regular interval and informs you of reachability, latency, and network
topology changes between the VM and the endpoint.

Connection monitor also provides the minimum, average, and maximum latency observed over time. After learning the latency for a
connection, you may find that you can decrease the latency by moving your Azure resources to different Azure regions.
upvoted 1 times

  lombri 1 year ago


Connection Monitor is a feature of Azure Network Watcher that enables you to monitor network connectivity between virtual machines
within or across virtual networks, and on-premises resources. It helps you diagnose and resolve connectivity issues by providing real-time
insights into the health of your network connections, including RTT, jitter, and packet loss metrics.
upvoted 1 times

  klexams 1 year, 3 months ago

Selected Answer: C

The key is the word “average” which needs to run for a period of time which is what connection monitor does. If it is a one time only then it
would be connection troubleshoot
upvoted 4 times

  tahirMScert 1 year, 4 months ago


this was on exam 03oct2022 , I scored 870 and answered as Examtopics answer
upvoted 3 times

  majerly 1 year, 4 months ago


Today in exam is C
upvoted 2 times

  EmnCours 1 year, 5 months ago

Selected Answer: C

Correct Answer: C
upvoted 1 times

  minix 1 year, 7 months ago


came in today's exam 25/6/2022
upvoted 5 times

  Lazylinux 1 year, 7 months ago

Selected Answer: C

Actually B is a correct answer too; the only reason I chose C is because of this statement

You need to view the ***average round-trip time (RTT)*** of the packets from VM1 to VM2

Average RTT, which means over time and NOT a one-time result, which Connection troubleshoot does, so because it said average then it had to
be connection monitor.
Just note: Connection Monitor is New replacing the Network Performance Monitor
upvoted 2 times

  Teringzooi 1 year, 11 months ago

Selected Answer: C

Correct Answer: C

Connection monitor lets you know the round-trip time to make the connection, in milliseconds. Connection monitor probes the
connection every 60 seconds, so you can monitor latency over time.

Reference:
https://docs.microsoft.com/en-us/azure/network-watcher/connection-monitor
https://docs.microsoft.com/en-us/azure/network-watcher/connection-monitor-overview
upvoted 2 times

  areza 2 years, 1 month ago


passed 902. this question in exam 29.12.21 - answer C
upvoted 3 times

  jantoniocesargatica 2 years, 9 months ago


Connection Monitor.
Please check this link:
https://docs.microsoft.com/en-us/azure/network-watcher/connection-monitor-overview
upvoted 2 times

  ddb116 2 years, 10 months ago


Answer is C
https://docs.microsoft.com/en-us/azure/network-watcher/connection-monitor-create-using-portal

The monitoring data includes the percentage of checks that failed and the round-trip time (RTT).
upvoted 2 times

  ZUMY 2 years, 11 months ago


C answer
upvoted 5 times
Question #65 Topic 5

HOTSPOT -

You have an Azure subscription that contains the public load balancers shown in the following table.

You plan to create six virtual machines and to load balance requests to the virtual machines. Each load balancer will load balance three virtual machines.

You need to create the virtual machines for the planned solution.

How should you create the virtual machines? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

Box 1: be created in the same availability set or virtual machine scale set.

The Basic tier is quite restrictive. A load balancer is restricted to a single availability set, virtual machine scale set, or a single machine.

Box 2: be connected to the same virtual network

The Standard tier can span any virtual machine in a single virtual network, including blends of scale sets, availability sets, and machines.

Reference:

https://www.petri.com/comparing-basic-standard-azure-load-balancers

  HGD545 Highly Voted  2 years, 3 months ago

Correct:
Standard SKU: any virtual machines or virtual machine scale sets in a single virtual network.
Basic SKU: Virtual machines in a single availability set or virtual machine scale set.

https://docs.microsoft.com/en-us/azure/load-balancer/skus
upvoted 38 times

  trferreiraBR 3 months, 2 weeks ago


Here, there isn't the option "any virtual machines or virtual machine scale sets in a single virtual network".

• LB1 – Basic: Be created in the same availability set or virtual machine scale set
• LB2 – Standard: Be connected to the same virtual network

At Standard LB - Backend pool endpoints column: "Any virtual machines or virtual machine scale sets in a single virtual network"

https://learn.microsoft.com/en-us/azure/load-balancer/skus
upvoted 2 times

  garmatey Highly Voted  8 months, 2 weeks ago

I really hate how the words "basic" and "standard" are pretty close to synonyms. It'd be like a restaurant having two sizes of drink: Regular
or Medium.
upvoted 22 times

  googlearch Most Recent  2 years, 1 month ago


The VMs should be in the same VNet is applicable for both cases, Basic and Standard LB, what a crap question
upvoted 17 times

  areza 2 years, 1 month ago


passed 902. this question in exam 29.12.21 - answer C
upvoted 8 times

  cktck 2 years ago


XD??????
upvoted 24 times

  kaloszertest 2 years, 1 month ago


What's the point of load balancing a single machine?
upvoted 2 times

  [Removed] 2 years, 1 month ago


There is no point which is why you wouldn't. But for a basic SKU load balancer it can only be attached to a single availability set. So you
would create an availability set, then when you create your VMs add them to that availability set. At which point, you can now load
balance multiple VMs with a Basic SKU availability set.
upvoted 2 times

  adrian_borowski 2 years, 1 month ago


You are NOT LOAD balancing single machine but a set of same machines that were created by scaling out due to LOAD. Just sayin'
upvoted 3 times

  klexams 1 year, 3 months ago


he's referring to this:
The Basic tier is quite restrictive. A load balancer is restricted to a single availability set, virtual machine scale set, or a single
machine.
upvoted 5 times

  pakman 2 years, 4 months ago


Correct.
upvoted 17 times
Question #66 Topic 5

HOTSPOT -

You have an on-premises data center and an Azure subscription. The data center contains two VPN devices. The subscription contains an Azure virtual network named VNet1. VNet1 contains a gateway subnet.

You need to create a site-to-site VPN. The solution must ensure that if a single instance of an Azure VPN gateway fails, or a single on-premises VPN device fails, the failure will not cause an interruption that is longer than two minutes.

What is the minimum number of public IP addresses, virtual network gateways, and local network gateways required in Azure? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

Box 1: 4 -

Two public IP addresses in the on-premises data center, and two public IP addresses in the VNET.

The most reliable option is to combine the active-active gateways on both your network and Azure, as shown in the diagram below.

Box 2: 2 -

Every Azure VPN gateway consists of two instances in an active-standby configuration. For any planned maintenance or unplanned disruption that happens to the active instance, the standby instance would take over (failover) automatically, and resume the S2S VPN or VNet-to-VNet connections.

Box 3: 2 -

Dual-redundancy: active-active VPN gateways for both Azure and on-premises networks

Reference:

https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-highlyavailable

  Darkren4eveR Highly Voted  2 years, 8 months ago

2
2
2
Appear in the Microsoft Exam Test Prep
upvoted 109 times

  joergsi 2 years, 1 month ago


How could this be, if I have 2 times 2 Gateways I would need 4 public IP-Addresses, correct?
upvoted 2 times

  tyohaina 1 year, 3 months ago


But not in Azure. The question specifies, how many of these are required in AZURE.
upvoted 9 times

  skydivex 1 year ago


with that logic, how do you explain "local network gateways required in Azure"?
When local network gateway refers to the on-premise network..... the correct answer is 4-2-2..... you need 4 public IP to setup
redundant S2S VPN.
upvoted 5 times

  ConanBarb 11 months, 3 weeks ago


The "local network gateway" IS an azure resource (the on-prem VPN thing is called "VPN Device" in Microsoft Azure
terminology)
(Hence correct answer is: 2-1-2)
You can try to create a "Local NW GW" yourself in Portal "Create a local network gateway to represent the on-premises site
that you want to connect to a virtual network. The local network gateway specifies the public IP address of the VPN device and
IP address ranges located on the on-premises site. Later, create a VPN gateway connection between the virtual network
gateway for the virtual network, and the local network gateway for the on-premises site."

And if you try to create a VPN Gateway Standard in Active-Active mode you will see that only one VNet is required. The A-A
config takes care of the rest.

Hence the following _in Azure_:


2 Public IPs (assuming Active-Active, which comes from <2 minutes requirement)
1 VNet (see config of VPN GW in Azure)
2 Local Gateways (as you have 2 "VPN Devices" on-prem)
upvoted 13 times

  holytoni 10 months, 2 weeks ago


Yes you're right.
1 x virtual network gateway resource in azure always represents two actual virtual gateways. In an active active solution
both are up at the same time. In active passive only one.
https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-activeactive-rm-powershell#step-2---create-the-vpn-gateway-for-testvnet1-with-active-active-mode
Therefore the right solution is 2-1-2.
upvoted 4 times

  albertozgz 2 years, 4 months ago


" longer than two minutes", Thus, we dont need Active - Active, we are in "Multiple on-premises VPN devices", thus 2-2-2 is the correct
upvoted 4 times

  rigonet 2 years, 3 months ago


As you can read at https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-highlyavailable:

"For planned maintenance, the connectivity should be restored within 10 to 15 seconds. For unplanned issues, the connection
recovery will be longer, about 1 to 3 minutes in the worst case."

So, with active/passive the connection recovery can take up to 3 minutes. We need an active/active scenario.
· 2 Public IPs
· 2 Virtual Gateways
· 2 Local Gateways
upvoted 7 times

  Hyrydar 1 year, 3 months ago


Hey fellow study buddies, there can be only ONE virtual network gateway in a Virtual network.
But when you create one, it spins up two instances in an active-standby configuration.
upvoted 8 times

  magichappens 2 years ago


I also got these answers in my exam prep but I don't get it. As you only need to deploy one virtual network gateway instance this is
very misleading. You even can't deploy more than one per virtual network if I am not mistaken.
upvoted 2 times

  magichappens 1 year, 11 months ago


Just got the question again in MeasureUp and this time they changed it. So correct answer is:
- 2 Public IPs
- 2 Local network gateways
- 1 Virtual network gateway
And that finally makes sense to me. However I am struggling with MeasureUp question quality as this is misleading exam
preparations.
upvoted 14 times

  Netspud 2 years ago


I agree mostly, 2,2,2.
Details are here:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-highlyavailable

But the questions state failure of a single azure or local gateway. So we need to use "Dual-redundancy: active-active VPN gateways for
both Azure and on-premises networks". As best I can tell (because it is not explicit), we only need two public IP's on the premises
gateways. The reason for this being Azure will "dial out" or "connect" to the premises gateways, thus Azure not needing public IPs to
create the circuit. This should also be OK for the other requirements too.
upvoted 2 times

  Netspud 2 years ago


CHANGE MY MIND
Although after seeing this: https://azure.microsoft.com/en-gb/blog/vnet-peering-and-vpn-gateways/, which even for a vnet to vnet
vpn requires 2 ips (for a single ipsec gateway).
I am going to switch to 4,2,2
upvoted 4 times

  Gadzee 2 years ago


4,2,2
Here you create and set up the Azure VPN gateway in an active-active configuration, and create two local network gateways and
two connections for your two on-premises VPN devices as described above. The result is a full mesh connectivity of 4 IPsec
tunnels between your Azure virtual network and your on-premises network.

All gateways and tunnels are active from the Azure side, so the traffic will be spread among all 4 tunnels simultaneously,
upvoted 1 times

  hm67 2 years ago


What is the minimum number of public IP addresses, virtual network gateways, and local network gateways "required in
Azure"?
Only 2 in Azure.
upvoted 4 times

  mlantonis Highly Voted  2 years, 9 months ago

Correct Answer:

The question asks how many are required in Azure, so the on-premise ones should not be counted.

Box 1: 2
2 public IP addresses in the on-premises data center, and 2 public IP addresses in the VNET for the active-active. The most reliable option
is to combine the active-active gateways on both your network and Azure, as shown in the diagram below.

Box 2: 1
Every Azure VPN gateway consists of two instances in an active-standby configuration. For any planned maintenance or unplanned
disruption that happens to the active instance, the standby instance would take over (failover) automatically, and resume the S2S VPN or
VNet-to-VNet connections.

Box 3: 1
Dual-redundancy: active-active VPN gateways for both Azure and on-premises networks
upvoted 105 times

  Tayhull2023 2 months, 4 weeks ago


First off, you're the man with these questions, but I have to question that first box and your logic toward it. The question does say how
many are required in "Azure", however if we take that into consideration then the 3rd question would be 0 since local gateways are not
in Azure. I think they just worded this poorly and it should be 4, 1 2.
upvoted 1 times

  tweedo 2 years, 6 months ago


2-1-2:
2 Public IP addresses (each Azure VPN gateway spawns 2 VPN endpoints, each with its own IP)

1 - single Azure VPN gateway is redundant by default

2= two on-premise VPN devices are mentioned, and single local network gateway can only be set up with a SINGLE ip for on-premise
VPN device, two local network gateway are needed for redundancy.
upvoted 29 times

  Hyrydar 1 year, 3 months ago


I disagree with your box 3 answer. It should be 2. Every VPN device in the data center must have a local network gateway by which the
VPN gateway can connect to. There are two on-prem devices, so two local network gateways
upvoted 7 times

  ConanBarb 11 months, 3 weeks ago


Correct. Assuming that you have two VPN Devices on-prem in Active-Active mode.
The "local network gateway" is an azure resource (the on-prem VPN thing is called "VPN Device" in Microsoft Azure terminology)
You can try to create a "Local NW GW" yourself in Portal "Create a local network gateway to represent the on-premises site that you
want to connect to a virtual network. The local network gateway specifies the public IP address of the VPN device and IP address
ranges located on the on-premises site. Later, create a VPN gateway connection between the virtual network gateway for the virtual
network, and the local network gateway for the on-premises site."

And if you try to create a VPN Gateway Standard in Active-Active mode you will see that only one VNet is required. The A-A config
takes care of the rest.

Hence the following _in Azure_:


2 Public IPs (assuming Active-Active, which comes from <2 minutes requirement)
1 VNet (see config of VPN GW in Azure)
2 Local Gateways (as you have 2 "VPN Devices" on-prem)
upvoted 2 times

  darsy2001 2 years, 8 months ago


you are mixing active-active with active-standby in your explanation
upvoted 3 times

  ConanBarb 11 months, 3 weeks ago


Yes, but actually there are two configurations to talk about.
The Azure VPN GW config and the on-prem VPN Devices config.

You can have Azure GW config in A-A (requiring 1 GW Vnet and 2 PIPs), and the on-prem VPN Devices in Active-Passive (requiring
only one public ip and thus 1 Local Network Gateway)
Active-Passive for on-prem could have explained why Mlantonis answers 1 on box 3. But doesn't rhyme with his own motivation "
active-active VPN gateways for both Azure and on-premises network"
upvoted 2 times

  MatAlves Most Recent  1 week, 5 days ago

"A virtual network can have two virtual network gateways; one VPN gateway and one ExpressRoute gateway"

You can only have ONE VNG (which will need to be in active-standby mode)
1 - Azure IP for the VNG
2 - LGs with non-azure ip addresses.
upvoted 1 times

  Alandt 1 month, 1 week ago


GitHub Copilot
public IP addresses: 2

Explanation: You need two public IP addresses in Azure, one for each VPN gateway instance.

virtual network gateways: 1

Explanation: You only need one virtual network gateway in Azure. This gateway will have two instances for redundancy.

local network gateways: 2

Explanation: You need two local network gateways in Azure, one for each on-premises VPN device.
upvoted 1 times

  Azused 1 month, 3 weeks ago


In an Azure VPN gateway we can create connections with on-premises by active - active
Hence the answer is 4 PIP, 1 Azure Virtual Network Gateway, 2 Local network gateway

"Here you create and set up the Azure VPN gateway in an active-active configuration, and create two local network gateways and two
connections for your two on-premises VPN devices as described above. The result is a full mesh connectivity of 4 IPsec tunnels between
your Azure virtual network and your on-premises network."
https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-highlyavailable
upvoted 1 times

  Azused 1 month, 3 weeks ago


*2 PIP
upvoted 1 times

  clg003 1 month, 3 weeks ago


222
Since they want them up in less than 2 minutes it has to be active active because all active passive setups can be down for 3 minutes. Since
there are two on prem VPN devices you need to go with Dual-redundancy: active-active VPN gateways for both Azure and on-premises
networks.

https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-highlyavailable
upvoted 1 times

  SgtDumitru 2 months, 3 weeks ago


2 public IP addresses for the Azure virtual network gateways (active and standby). Each virtual network gateway requires a unique public
IP address.
2 Azure virtual network gateways in the same virtual network (VNet1). One gateway will be the active gateway, and the other will be the
standby gateway.
2 on-premises VPN devices (routers or VPN appliances). Configure two local network gateways in Azure, each representing one on-
premises VPN device. Associate the corresponding local network gateway with the active or standby virtual network gateway.
upvoted 2 times

  DWILK 3 months, 3 weeks ago


Why can't you just deploy a zone redundant IP for the Azure VPN gateway and also make the Azure VPN gateway zone redundant?
upvoted 1 times

  sardonique 4 months, 3 weeks ago


Mlantonis where are you! we need your wisdom!
upvoted 5 times

  oopspruu 5 months, 3 weeks ago


Correct answer should be 2 - 1 - 2

The question is asking about resources to create in "Azure". The public IP for On-prem VPN devices is not an azure resource.
So 2 Public IPs in Azure, 1 Virtual Network Gateway (You are only allowed 2 total per vNET: 1 VPN, 1 ExpressRoute. You cannot have 2 of
same type), 2 Local Gateways in Azure to represent both VPN devices on-prem.
upvoted 5 times

  LGWJ12 6 months, 2 weeks ago


2
2
1

Explanation
Using two public IP addresses ensures that you have two separate endpoints for your VPN tunnels, allowing for redundancy and failover.
Having two virtual network gateways in Azure (each associated with a different public IP address) provides redundancy in case one of the
gateways or its associated resources fails. This minimizes the potential for downtime.
A single local network gateway represents your on-premises VPN devices and doesn't need redundancy in this scenario.

So, the correct options are:

Public IP Addresses: 2
Virtual Network Gateways: 2
Local Network Gateway: 1
upvoted 1 times

  1uke 6 months, 3 weeks ago


My answer is:
1 Public IP in Azure (assigned to the Azure VNet Gateway)
1 Azure VNet Gateway (active/stand-by, the single PIP is zonally redundant and will 'float' between the two Gateway appliances).
2 Local Network Gateways (one representing each of the 2 onsite VPN devices)
upvoted 4 times

  alexvv89 4 months, 3 weeks ago


Totally agree with 1uke.

Public IP Addresses - You would need a minimum of one public IP address for the Azure VPN Gateway to be reachable over the internet.
Azure VPN Gateway instances are deployed in an active-passive configuration to provide high availability without needing additional
public IPs. Azure automatically handles the failover.

Virtual Network Gateways: You need a single Azure VPN Gateway deployed into your Gateway subnet in VNet1. Azure VPN Gateways
are already set up for high availability. In Azure, the VPN Gateway is deployed in pairs, with each instance having its own public IP
address. Azure takes care of automatic failover, so you don't need to provision multiple VPN Gateways yourself for high availability.

Local Network Gateways: Azure Local Network Gateway objects define the settings for your on-premises VPN devices. Given that you
have two VPN devices, you would need two Local Network Gateway objects, each one pointing to one of the on-premises VPN devices.
upvoted 1 times

  Learner2022 6 months, 3 weeks ago


Should be 4 2 2
https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-highlyavailable
upvoted 1 times

  Josete1106 6 months, 4 weeks ago


1 , 1, 2 is correct!
upvoted 3 times

  Navigati0n 6 months, 4 weeks ago


Public IP addresses: You need two public IP addresses, one for each Azure virtual network gateway. Each gateway requires a unique public
IP address to establish the site-to-site VPN connection.
(tricky) Virtual network gateways: You need two virtual network gateways, one in Azure to represent the Azure side of the VPN connection
and one in the on-premises data center to represent the on-premises side of the VPN connection. Each virtual network gateway provides
the VPN endpoint for its respective network.
Local network gateways: You need two local network gateways, one in Azure to represent the on-premises data center and one in the on-
premises data center to represent the Azure virtual network. Each local network gateway defines the IP address ranges and connectivity
details for its respective network.

since the question is about the minimum number of ... required in Azure: Virtual network gateways and Local network gateways required
just 1, 1.

Therefore, the correct answers are:

Public IP addresses: 2
Virtual network gateways: 1
Local network gateways: 2
upvoted 1 times

  Navigati0n 6 months, 4 weeks ago


Therefore, the correct answers are:

Public IP addresses: 2
Virtual network gateways: 1
Local network gateways: 1
upvoted 1 times

  XtraWest 7 months, 1 week ago


2, 2, 2 - As per Bing AI
upvoted 1 times

  HALLYdre 7 months, 2 weeks ago


It should be 2-1-2.

You can only have 1 Azure VNet Gateway per VNet


upvoted 1 times
Question #67 Topic 5

You have an Azure subscription that contains two virtual machines as shown in the following table.

You perform a reverse DNS lookup for 10.0.0.4 from VM2.

Which FQDN will be returned?

A. vm1.core.windows.net

B. vm1.azure.com

C. vm1.westeurope.cloudapp.azure.com

D. vm1.internal.cloudapp.net

Correct Answer: B

Community vote distribution


D (100%)

  Moyuihftg Highly Voted  2 years, 9 months ago

Answer D
Tested in lab, and got vm1.internal.cloudapp.net.
upvoted 100 times

  t1ck3ts Highly Voted  2 years, 8 months ago


Correct Answer: D

testadmin1@VMTEST1:~$ ping -c 5 VMTEST1
PING VMTEST1.qb3monnoaiyubgstehdkra0paa.ax.internal.cloudapp.net (10.0.0.4) 56(84) bytes of data.
64 bytes from vmtest1.internal.cloudapp.net (10.0.0.4): icmp_seq=1 ttl=64 time=0.013 ms
64 bytes from vmtest1.internal.cloudapp.net (10.0.0.4): icmp_seq=2 ttl=64 time=0.042 ms
64 bytes from vmtest1.internal.cloudapp.net (10.0.0.4): icmp_seq=3 ttl=64 time=0.040 ms
64 bytes from vmtest1.internal.cloudapp.net (10.0.0.4): icmp_seq=4 ttl=64 time=0.042 ms
64 bytes from vmtest1.internal.cloudapp.net (10.0.0.4): icmp_seq=5 ttl=64 time=0.044 ms

--- VMTEST1.qb3monnoaiyubgstehdkra0paa.ax.internal.cloudapp.net ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4073ms
rtt min/avg/max/mdev = 0.013/0.036/0.044/0.012 ms
testadmin1@VMTEST1:~$
upvoted 65 times

  Jitu1989 2 years, 2 months ago


Thanks for response. Do you all use PAYG service or is there service provided like AWS for a year.
upvoted 3 times

  beem84 2 years, 2 months ago


Look up Azure pass or you can get a free account with 200USD credit which you can convert to PAYG after 30 days. Free account has
some restrictions but should be fine for labs.
upvoted 4 times

  kennynelcon 1 year, 9 months ago


For me Azure Pass is pretty pricy as it gets used up very fast
upvoted 2 times

  SkyZeroZx Most Recent  1 month ago

Selected Answer: D

D vm1.internal.cloudapp.net
how determinate this i pass how solutions architect ?
upvoted 1 times

  tuklea1 5 months ago

Selected Answer: D

Answer is D tested in Lab


nslookup -type=ptr 10.0.0.4
Server: UnKnown
Address: 168.63.129.16
Non-authoritative answer:
4.0.0.10.in-addr.arpa name = vm1.internal.cloudapp.net
upvoted 2 times

  Bayer 5 months ago


Geez, we are all a bunch of dummies, I also upvoted D
upvoted 1 times

  Blippen 1 year, 1 month ago

Selected Answer: D

Answer is D:
https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances#reverse-dns-considerations
upvoted 1 times

  alikhan1234 1 year, 2 months ago

Selected Answer: D

D 100% is correct
upvoted 1 times

  Zordrak 1 year, 3 months ago

Selected Answer: D

Answer D, can test and prove.


upvoted 3 times

  David1990 1 year, 5 months ago

Selected Answer: D

d correct
upvoted 1 times

  EmnCours 1 year, 5 months ago


Selected Answer: D

Correct Answer: D
upvoted 1 times

  Lazylinux 1 year, 7 months ago


Selected Answer: D

internal.cloudapp.net is default DNS suffix for Azure provisioned DNS if no specific DNS is configured in the network
upvoted 9 times

  Lazylinux 1 year, 8 months ago


Selected Answer: D

D for Sure..
Reverse DNS is supported in all ARM based virtual networks. You can issue reverse DNS queries (PTR queries) to map IP addresses of
virtual machines to FQDNs of virtual machines.

All PTR queries for IP addresses of virtual machines will return FQDNs of form [vmname].internal.cloudapp.net

Forward lookup on FQDNs of form [vmname].internal.cloudapp.net will resolve to IP address assigned to the virtual machine.

If the virtual network is linked to an Azure DNS private zones as a registration virtual network, the reverse DNS queries will return two
records. One record will be of the form [vmname].[privatednszonename] and the other will be of the form
[vmname].internal.cloudapp.net
upvoted 11 times

  Pasmo 1 year, 9 months ago


Selected Answer: D

Correct answer is D
upvoted 1 times

  ajayasa 1 year, 11 months ago


this question was there on 16/03/2022 with same question and passed with 900 percent
upvoted 3 times

  azay 1 year, 11 months ago

Selected Answer: D

Correct extension
upvoted 1 times

  Teringzooi 1 year, 11 months ago

Selected Answer: D

Correct Answer: D
internal.cloudapp.net is correct extension.
upvoted 1 times

  JudeSharp 2 years ago


Answer should be D
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances#reverse-dns-considerations
All PTR queries for IP addresses of virtual machines will return FQDNs of form [vmname].internal.cloudapp.net
upvoted 1 times
Question #68 Topic 5

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an app named App1 that is installed on two Azure virtual machines named VM1 and VM2. Connections to App1 are managed by using an Azure Load Balancer.

The effective network security configurations for VM2 are shown in the following exhibit.

You discover that connections to App1 from 131.107.100.50 over TCP port 443 fail.

You verify that the Load Balancer rules are configured correctly.

You need to ensure that connections to App1 can be established successfully from 131.107.100.50 over TCP port 443.

Solution: You create an inbound security rule that allows any traffic from the AzureLoadBalancer source and has a cost of 150.

Does this meet the goal?

A. Yes

B. No

Correct Answer: A

Reference:

https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview

Community vote distribution


B (54%) A (46%)

  Bursuc03 Highly Voted  2 years, 8 months ago

The rule with priority 200 blocks all inbound traffic. That involves the Azure Load Balancer health probe directed to the VM. That results in
VM2 being considered unhealthy and the LB does not route traffic to it (hence the issue). By placing a rule with the priority 150 that allows
the AzureLoadBalancer traffic tag, VM2 is discovered as functional/healthy, the LB directs traffic to it => problem solved.
upvoted 155 times
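
Added example (not part of the comment above or of the exam material): a first-match simulation of the NSG evaluation that comment describes, showing the health probe and the client packet being judged separately. The rule set is constructed from the thread's description of the exhibit; the rule names, the VNet range and a health probe on TCP 443 are assumptions.

```python
from ipaddress import ip_address, ip_network
from typing import NamedTuple

# Health probes come from this Azure virtual IP, covered by the AzureLoadBalancer tag.
PROBE_SOURCE_IP = "168.63.129.16"
SERVICE_TAGS = {
    "AzureLoadBalancer": [ip_network("168.63.129.16/32")],
    "VirtualNetwork": [ip_network("10.0.0.0/16")],  # constructed VNet range
}


class Rule(NamedTuple):
    # Simplified inbound rule: source, protocol and destination port only.
    priority: int
    name: str
    source: str      # "*", a service tag, or an IP/CIDR
    protocol: str    # "TCP", "UDP" or "*"
    dest_port: str   # "*" or one port number
    action: str      # "Allow" or "Deny"


# The three default inbound rules every NSG carries.
DEFAULT_RULES = [
    Rule(65000, "AllowVnetInBound", "VirtualNetwork", "*", "*", "Allow"),
    Rule(65001, "AllowAzureLoadBalancerInBound", "AzureLoadBalancer", "*", "*", "Allow"),
    Rule(65500, "DenyAllInBound", "*", "*", "*", "Deny"),
]

# Constructed from the thread's description of the exhibit (rule names are made up).
BEFORE = DEFAULT_RULES + [
    Rule(100, "allow-client-443", "131.107.100.50", "TCP", "443", "Allow"),
    Rule(200, "deny-other-443", "*", "*", "443", "Deny"),
]
# The proposed solution: allow any traffic from AzureLoadBalancer at priority 150.
AFTER = BEFORE + [Rule(150, "allow-lb-probe", "AzureLoadBalancer", "*", "*", "Allow")]


def source_matches(rule_source, src_ip):
    """True if src_ip falls under the rule's source (wildcard, tag or CIDR)."""
    if rule_source == "*":
        return True
    addr = ip_address(src_ip)
    if rule_source in SERVICE_TAGS:
        return any(addr in net for net in SERVICE_TAGS[rule_source])
    return addr in ip_network(rule_source, strict=False)


def evaluate(rules, src_ip, protocol, dest_port):
    """Return (action, rule name) of the lowest-priority-number rule that matches."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if not source_matches(rule.source, src_ip):
            continue
        if rule.protocol not in ("*", protocol):
            continue
        if rule.dest_port not in ("*", str(dest_port)):
            continue
        return rule.action, rule.name
    return "Deny", "no-match"


def client_reaches_app(rules, client_ip, port=443, probe_port=443):
    """The load balancer forwards only to backends whose probe succeeds,
    and it preserves the client source IP, so both packets must pass the NSG."""
    probe_action, probe_rule = evaluate(rules, PROBE_SOURCE_IP, "TCP", probe_port)
    if probe_action != "Allow":
        return False, f"health probe denied by {probe_rule}: backend marked unhealthy"
    client_action, client_rule = evaluate(rules, client_ip, "TCP", port)
    if client_action != "Allow":
        return False, f"client packet denied by {client_rule}"
    return True, f"probe and client allowed (client matched {client_rule})"


if __name__ == "__main__":
    for label, rules in (("before", BEFORE), ("after", AFTER)):
        print(label, client_reaches_app(rules, "131.107.100.50"))
    # The priority-150 rule does not widen exposure for other internet sources.
    print("other source:", evaluate(AFTER, "203.0.113.7", "TCP", 443))
```

With `probe_port=80` the constructed rule set already passes before the change, because the probe then falls through to the default rule 65001, so the explanation depends on the probe using the blocked port.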

  lormar72 4 months, 3 weeks ago


But before is applied the rule 100 and fails, you must explain that, the only reason is that the packet is not arriving at all to the
Loadbalancer.
So adding another rule does not solve the problem
upvoted 2 times

  Batiste2023 3 months ago


There is one rule that is necessary - and it's not covered by the first rule here.

See: https://learn.microsoft.com/en-us/azure/application-gateway/configuration-infrastructure#required-security-rules

YES is correct!
upvoted 1 times

  alexandrud 2 months, 1 week ago


I think is YES. I had it in the exam today and we can exclude that the machine is stopped. In the exam the "Attach network
interface" was grayed out (Passed with 909. Thank you everyone btw, especially mlantonis). My answer was YES today.
upvoted 6 times

  JayBee65 2 years, 7 months ago


Very good, the first answer that explains the correct reason for the failure
upvoted 10 times

  biglebowski 2 years, 7 months ago


The question is about connections "from 131.107.100.50". Why do you try to fix it by adding LB traffic? We don't know the IP of LB.
Let's focus on 131.107.100.50 only.
upvoted 6 times

  rawrkadia 2 years, 7 months ago


The load balancer is the reason the traffic is being blocked. Read the OP this chain replies to it explains it about as simply and
clearly as possible.
upvoted 3 times

  GabeCanada 2 years, 7 months ago


The answer is correct. 1- The fact the VM2 is offline does not mean anything, question states App1 is hosted on VM1 too so we
can't assume both are offline (that's the exact reason a LB is deployed in the first place so you can shut down one VM and keep
services running). 2- The question is displaying the NSG (required if using LB) so we can verify the rules, it will show up the
same way if looked from VM1 so offline VM is irrelevant. 3- Rule 1 allows 443 from an specific IP, rule 2 deny all including LB 4-
its suggested by the question a new rule that will allow LB traffic on 443 as well, before the deny which makes the answer
correct. This could be done by moving rule 2 down just below the LB allow any rule.
upvoted 12 times

  garmatey 9 months, 3 weeks ago


"Rule 1 allows 443 from an specific IP"

Yea, and that specific IP is failing to connect to App1, even though the highest priority rule is supposed to be specifically
allowing it. So it seems like the issue is with something else besides the rules since the highest priority rule is specifically
allowing a connection that is failing.

What am I missing?
upvoted 5 times

  rupayan87 1 year, 2 months ago


agree, the NSG is attached to subnet as can be seen in exhibit, hence either of the VMs are unhealthy for the LB due to rule 200.
upvoted 3 times

  nzalex1 2 years, 3 months ago


Thanks, true. The issue here is deeper than it looks and the issue is broken health probes by rule 200, you are right
upvoted 4 times

  darsy2001 Highly Voted  2 years, 8 months ago

the "attach network interface" button is available. I have tested this in lab and this button only appears clickable when the vm is stopped.
Should this be the problem in the whole series of questions?
upvoted 35 times

  ukivanlamlpi 12 months ago


i don't think a VM can create without network interface
upvoted 1 times

  mbravo 2 years, 8 months ago


"The effective network security configurations for VM2 are shown" - this doesn't mean that the NSG is attached to the VM. From the
shown exhibit, it is clear that this NSG is attached to a subnet which renders your comment obsolete.
upvoted 2 times

  orion1024 2 years, 4 months ago


why ? if VM is off no traffic is ever going to get there.
upvoted 4 times

  boyzz 1 year, 9 months ago


doesn't mean that the "other" VM (VM1) also has the same attach network interface option enabled as it is off.. the screenshot
clearly shows only VM2 and not VM1 and we definitely cannot afford to think VM1 is off too. So the AzLB rule in NSG takes
precedence
upvoted 1 times

  s9p3r7 2 years, 8 months ago


how so?! if the VM is powered off that mean the whole NSG rules stuff is misleading, the admin should start the VM before even
begin to start NSG rules evaluation
upvoted 7 times

  belyo Most Recent  1 week, 5 days ago

Selected Answer: A
funniest part is default rule 65001 AllowAzureLoadBalancerInBound does the same job, however you cannot change the priority or delete
it, so it renders it useless...
so described proposal should work technically
also deleting the rule with 200 priority should also work [this answer come in earlier in question set]
upvoted 1 times

  amsioso 1 month, 3 weeks ago


YES
Azure Load Balancer probes: Allow incoming traffic from the source as the AzureLoadBalancer service tag. This rule is created by default
for NSGs. You must not override it with a manual Deny rule to ensure smooth operations of your application gateway.
https://learn.microsoft.com/en-us/azure/application-gateway/configuration-infrastructure#inbound-rules
upvoted 1 times

  nchebbi 2 months, 3 weeks ago

Selected Answer: A

From the exhibit we can see that the NSG is applied only to the subnet (it's not applied to any of the network interfaces of VM1 nor VM2).
1. the first rule is required for standard LB as they are closed by default in order to allow traffic to flow to the backend pool resources,
unless you have NSG on the VM NIC or subnet. (basic SKU is open by default.) See Ref1
Standard SKU should be used, as Basic SKU is typically for testing ONLY, see Ref1.

2. The security rule we add is allow the LoadBalancer to check the health of the VMs, the LB is marking them as unhealthy, though not
sending traffic to them, that's why it's failing. See Ref2

Ref1: https://learn.microsoft.com/en-us/security/benchmark/azure/baselines/azure-load-balancer-security-baseline
Ref2: https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-custom-probe-overview#probe-source-ip-address
upvoted 1 times

  nchebbi 2 months, 3 weeks ago


From Ref1: " The Standard Load Balancer is designed to be secure by default and part of a private and isolated Virtual Network. It is
closed to inbound flows unless opened by network security groups to explicitly permit allowed traffic, and to disallow known malicious
IP addresses. Unless a network security group on a subnet or NIC of your virtual machine resource exists behind the Load Balancer,
traffic is not allowed to reach this resource."

Ref1: "Note: Using a Standard Load Balancer is recommended for your production workloads and typically the Basic Load Balancer is
only used for testing since the basic type is open to connections from the internet by default and doesn't require network security
groups for operation."
upvoted 1 times

  MOSES3009 3 months ago


Selected Answer: A

traffic flow => IP 131.107.100.50 -> LB (whatever IPs) -> Servers IPs. Rule 1 take care on first half of the flow. Rule 2 denied second half of
the flow. This is why is required one rule between 1 and 2, as an exception if you want, that will allow second half of the flow = one rule to
allow access from LB to server/s.
upvoted 1 times

  Tayhull2023 5 months ago


Okay so the answer of the load balancer needing to be at priority 150 / allow makes sense to me except that the deny is only for 443,
couldn't the load balancer just be using 80? This question has me stumped even after reading all the references.
upvoted 2 times

  Alex1184 6 months ago


It specifies the Load Balancer rules have been created correctly. Part of the set-up of rule 100 would be to specify the Health Probe...so
rule 200 cannot be blocking it.

I think the answer here must be No, certainly creating a rule that allows all Traffic makes no sense, when Rule 100 appears to do what you
need....
upvoted 1 times

  nomanmalik101 6 months ago


what the hell? every second question has confusion. Why are we not able to get the exact answers even after paying a huge amount?
upvoted 4 times

  Josete1106 6 months, 4 weeks ago


Answer is N!
upvoted 2 times

  pri32 8 months, 3 weeks ago

Selected Answer: B

I am not able to find any concept of setting up the cost to set the priority. If the statement is replaced with the priority of 150 then it can be
yes, but in the current scenario it is no.
upvoted 2 times

  lulek 8 months, 3 weeks ago


fact1: Traffic arrives to VMs from LB with LB IP address (not the end client ip) (not 131.107.100.50)
fact2: LB lives in its own subnet, so in order to communicate with any VM it has to cross subnets => the NSG rules kick in:
The first rule is always skipped as the source is never: 131.107.100.50, but IP of LB
The second rule kicks in and denies the access.
So, if we add the suggested rule in between it will work => traffic from LB IP will be allowed on 443
Answer: A
The VM2 might be actually stopped. The connection should work anyway, because VM1 might be UP (we don't know the actual state of it,
so assuming that both VMs are down is an unjustified assumption)
The bottom line is that the existing rules block traffic for LB IP.
upvoted 4 times

  Eugene77 9 months ago


Very tricky question that cannot have correct answer at all. With knowing nothing about LB, another VMs, subnets and all NSG used in this
configuration nobody can ensure that required connection will work.
upvoted 3 times

  Goofer 10 months, 2 weeks ago


Selected Answer: B

Answer is no
'Allows any traffic FROM the AzureLoadBalancer'. Wrong way.
You need traffic TO the loadbalancer
BlockAllOther443 blocks traffic to the loadbalancer
upvoted 1 times

  djgodzilla 10 months, 3 weeks ago

Selected Answer: B

Guys, wake up . The network interface is detached (see top left options of the page).
this is why the VM isn't reachable
upvoted 7 times

  hebbo777 3 months, 2 weeks ago


my friend, this attach network interface to add additional NIC only, it doesn't mean the NIC detached!
upvoted 1 times

  monroesteffie 9 months, 1 week ago


what is the correct ans yes or no
upvoted 1 times

  solomwn 8 months ago


if is detached , then is no
upvoted 1 times

  bsaksham 10 months, 3 weeks ago


Azure evaluates network security group (NSG) rules in ascending order by priority value, with lower numbers taking precedence over
higher numbers. When a traffic flow matches a rule with a deny action, the traffic is blocked and the NSG evaluation stops. Therefore, the
allow rule with a priority of 100 will not be applied if there is a matching deny rule with a higher priority of 200.

So NO!!
upvoted 1 times

  cillo2000 11 months, 1 week ago


It has to be B: "You verify that the Load Balancer rules are configured correctly." Why would you need another rule if the rules are verified
as correct?
Anyway:

Adding the rule of priority of 150 just removes the effectiveness of the "BlockAllOther443" rule.

There is some other issue causing the problem - maybe the "attach network interface" option being available, as mentioned by others.
upvoted 2 times
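
The first-match NSG evaluation argued over in this thread, as an added example that is not part of the original page or of any commenter's post. The rule names other than BlockAllOther443, port 443 on the priority-100 rule, the sample client 203.0.113.7, and the probe source 168.63.129.16 standing in for the AzureLoadBalancer tag are assumptions.

```python
"""Constructed model of inbound NSG evaluation for the rules discussed above."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumption: only the health-probe source address of the AzureLoadBalancer
# service tag is modelled.
SERVICE_TAGS = {"AzureLoadBalancer": [ip_network("168.63.129.16/32")]}


@dataclass(frozen=True)
class Rule:
    priority: int   # lower number is evaluated first
    name: str
    source: str     # "*", a service tag, an IP address or a CIDR
    port: str       # "*" or a single destination port
    action: str     # "Allow" or "Deny"


def source_matches(rule_source: str, src_ip: str) -> bool:
    if rule_source == "*":
        return True
    nets = SERVICE_TAGS.get(rule_source) or [ip_network(rule_source, strict=False)]
    return any(ip_address(src_ip) in net for net in nets)


def evaluate(rules, src_ip: str, dst_port: int):
    """Return (action, rule name) of the first rule that matches the flow."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if source_matches(rule.source, src_ip) and rule.port in ("*", str(dst_port)):
            return rule.action, rule.name
    return "Deny", "no matching rule"


# Default inbound rules. 65000 (AllowVnetInBound) is omitted: it does not
# change the allow/deny outcome of any flow evaluated below.
DEFAULTS = [
    Rule(65001, "AllowAzureLoadBalancerInBound", "AzureLoadBalancer", "*", "Allow"),
    Rule(65500, "DenyAllInBound", "*", "*", "Deny"),
]

# Rules as described in the comments; "AllowClient443" is a hypothetical name.
BASE_RULES = DEFAULTS + [
    Rule(100, "AllowClient443", "131.107.100.50", "443", "Allow"),
    Rule(200, "BlockAllOther443", "*", "443", "Deny"),
]

# The proposed fix: allow any traffic from AzureLoadBalancer at priority 150.
WITH_150 = BASE_RULES + [
    Rule(150, "AllowLoadBalancer150", "AzureLoadBalancer", "*", "Allow"),
]

CLIENT = "131.107.100.50"
PROBE = "168.63.129.16"     # health-probe source
OTHER = "203.0.113.7"       # constructed unrelated client

if __name__ == "__main__":
    for label, rules in (("without 150", BASE_RULES), ("with 150", WITH_150)):
        for who, ip, port in (("client", CLIENT, 443), ("probe", PROBE, 443),
                              ("probe", PROBE, 80), ("other", OTHER, 443)):
            action, name = evaluate(rules, ip, port)
            print(f"{label:12} {who:6} {ip}:{port} -> {action} ({name})")
```

In this model the client flow is allowed by the priority-100 rule in both rule sets; what changes at priority 150 is the probe on 443, which BlockAllOther443 otherwise denies before the default load balancer rule at 65001 is ever reached.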
Question #69 Topic 5

You have an Azure subscription that contains a policy-based virtual network gateway named GW1 and a virtual network named VNet1.

You need to ensure that you can configure a point-to-site connection from an on-premises computer to VNet1.

Which two actions should you perform? Each correct answer presents part of the solution.

NOTE: Each correct selection is worth one point.

A. Add a service endpoint to VNet1

B. Reset GW1

C. Create a route-based virtual network gateway

D. Add a connection to GW1

E. Delete GW1

F. Add a public IP address space to VNet1

Correct Answer: CE

C: A VPN gateway is used when creating a VPN connection to your on-premises network.

Route-based VPN devices use any-to-any (wildcard) traffic selectors, and let routing/forwarding tables direct traffic to different IPsec tunnels. It

is typically built on router platforms where each IPsec tunnel is modeled as a network interface or VTI (virtual tunnel interface).

E: Policy-based VPN devices use the combinations of prefixes from both networks to define how traffic is encrypted/decrypted through IPsec

tunnels. It is typically built on firewall devices that perform packet filtering. IPsec tunnel encryption and decryption are added to the packet

filtering and processing engine.

Incorrect Answers:

F: Point-to-Site connections do not require a VPN device or a public-facing IP address.

Reference:

https://docs.microsoft.com/en-us/azure/vpn-gateway/create-routebased-vpn-gateway-portal

https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-connect-multiple-policybased-rm-ps

Community vote distribution


CE (86%) 11%

  mlantonis Highly Voted  2 years, 9 months ago

Correct Answer: C and E


upvoted 55 times

  lulzsec2019 11 months, 1 week ago


First time seeing your answer very short without explanation :(.
upvoted 10 times

  Teringzooi 1 year, 11 months ago


Which order? E and C?
upvoted 1 times

  MikeHugeNerd Highly Voted  3 years, 6 months ago

Answer in proper order: E, C


upvoted 52 times

  FreeSwan Most Recent  4 months, 2 weeks ago


Answer E,C

P2S client doesn't have fixed IPs.


Policy based on combinations of prefixes from both networks to define how traffic is encrypted/decrypted through IPsec tunnels.
upvoted 3 times

  Siraf 6 months, 1 week ago


Answer is E & C
When you create the virtual network gateway for a VPN gateway configuration, you must specify a VPN type. The VPN type that you
choose depends on the connection topology that you want to create. For example, a P2S connection requires a RouteBased VPN type.
https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings.

If you want to use a PolicyBased VPN type, you must use the Basic SKU. PolicyBased VPNs (previously called Static Routing) are not
supported on any other SKU. PolicyBased Basic VPN Gateway does not support Point-to-Site connectivity.
https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-skus-legacy.
upvoted 14 times

  Tomix 7 months, 2 weeks ago


C. Create a route-based virtual network gateway
D. Add a connection to GW1
upvoted 3 times

  HALLYdre 7 months, 3 weeks ago


Answer is C and E ( Order does not matter as this is not drag and drop question)

The policy type VNG does not support Point to Site VPN.
You can't have 2 VNG in the same VNET.

So the existing policy-based VNG must be deleted so you can create a route based VPN
upvoted 2 times

  cloudbaron 8 months, 1 week ago


Selected Answer: CD

Policy-based virtual network gateways are typically used with certain firewall devices and support a specific type of VPN configuration.
They do not support point-to-site connections.

Wouldn't we need a point-to-site connection from an on-premises computer to VNet1, and so we will need to use a route-based virtual
network gateway instead.

So C and D
upvoted 1 times

  Exilic 9 months, 3 weeks ago


Selected Answer: CD

OpenAI

"To configure a point-to-site connection from an on-premises computer to VNet1, you need to perform the following two actions:

D. Add a connection to GW1: You need to add a point-to-site connection to GW1. This will allow the on-premises computer to connect to
VNet1 via GW1.

C. Create a route-based virtual network gateway: You need to create a route-based virtual network gateway to ensure that the point-to-
site connection can be established from the on-premises computer to VNet1.

Therefore, the correct answers are D and C.

The other options are not required for setting up a point-to-site connection from an on-premises computer to VNet1.

A. Adding a service endpoint to VNet1 is used for enabling the traffic from the subnet to use the service provided by Azure services
privately.

B. Resetting GW1 is not required for this task.

E. Deleting GW1 would remove the virtual network gateway, which is not required.

F. Adding a public IP address space to VNet1 would not be required for a point-to-site connection."
upvoted 2 times

  FreeSwan 9 months, 4 weeks ago


CE

--VPN types--
When you create the virtual network gateway for a VPN gateway configuration, you must specify a VPN type. The VPN type that you
choose depends on the connection topology that you want to create. For example, a P2S connection requires a RouteBased VPN type.
upvoted 3 times

  P123123 1 year, 1 month ago


"you would use VPN type RouteBased because P2S requires a RouteBased VPN type."

https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#vpntype
upvoted 4 times

  klexams 1 year, 3 months ago


Selected Answer: CE

E then C. point to site is only supported by route-based vpn gateway.


upvoted 6 times

  klexams 1 year, 3 months ago


Policy-based VPN: (IKEv1): 1 S2S/connection tunnel; no P2S
https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings
upvoted 2 times
  EmnCours 1 year, 5 months ago

Selected Answer: CE

For establishing point-to-site connectivity, you need a route-based VPN type
upvoted 3 times

  EmnCours 1 year, 5 months ago


For establishing point-to-site connectivity, you need a route-based VPN type
upvoted 2 times

  libran 1 year, 5 months ago

Selected Answer: C

Correct Answer: C and E


upvoted 1 times

  minix 1 year, 7 months ago


came in today's exam 25/6/2022
upvoted 5 times

  Lazylinux 1 year, 7 months ago

Selected Answer: CE

Yep Delete Existing GW and create New route-based GW

When you create the virtual network gateway for a VPN gateway configuration, you must specify a VPN type. The VPN type that you
choose depends on the connection topology that you want to create. For example, a P2S connection requires a RouteBased VPN type. A
VPN type can also depend on the hardware that you're using. S2S configurations require a VPN device. Some VPN devices only support a
certain VPN type

PolicyBased VPNs can only be used on the Basic gateway SKU. This VPN type is not compatible with other gateway SKUs.
upvoted 11 times

  Lazylinux 1 year, 7 months ago


You can have only 1 tunnel when using a PolicyBased VPN.

You can only use PolicyBased VPNs for S2S connections, and only for certain configurations. Most VPN Gateway configurations require
a RouteBased VPN.

RouteBased: RouteBased VPNs were previously called dynamic routing gateways in the classic deployment model. RouteBased VPNs
use "routes" in the IP forwarding or routing table to direct packets into their corresponding tunnel interfaces. The tunnel interfaces
then encrypt or decrypt the packets in and out of the tunnels. The policy (or traffic selector) for RouteBased VPNs are configured as
any-to-any (or wild cards). The value for a RouteBased VPN type is RouteBased.
upvoted 3 times

  Lazylinux 1 year, 8 months ago


Selected Answer: CE

C and E is correct
upvoted 2 times

  Pasmo 1 year, 9 months ago


Selected Answer: CE

Correct Answer is C,E


C. Create a route-based virtual network gateway
E - Delete GW (policy based)
upvoted 2 times
Question #70 Topic 5

HOTSPOT -

You have an Azure subscription that contains the resources in the following table:

In Azure, you create a private DNS zone named adatum.com. You set the registration virtual network to VNet2. The adatum.com zone is

configured as shown in the following exhibit:

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Hot Area:
Correct Answer:

Box 1: No -

Azure DNS provides automatic registration of virtual machines from a single virtual network that's linked to a private zone as a registration

virtual network. VM5 does not belong to the registration virtual network though.

Box 2: No -

Forward DNS resolution is supported across virtual networks that are linked to the private zone as resolution virtual networks. VM5 does

belong to a resolution virtual network.

Box 3: Yes -

VM6 belongs to registration virtual network, and an A (Host) record exists for VM9 in the DNS zone.

By default, registration virtual networks also act as resolution virtual networks, in the sense that DNS resolution against the zone works from

any of the virtual machines within the registration virtual network.

Reference:

https://docs.microsoft.com/en-us/azure/dns/private-dns-overview

  mlantonis Highly Voted  2 years, 9 months ago

Correct Answer:

VNet1 (NOT A Registration Network) : VM5

VNet2 (IS A Registration Network) : VM1, VM6 and VM9

So here we go:

1. VM5 is in VNet1 - answer is NO.


2. VM5 is in VNet1 - answer is NO.
3. VM6 is in VNet2 - answer is YES.
upvoted 128 times

  Borbz Highly Voted  3 years, 2 months ago


I think the Answer is correct.
NO, NO, YES.
the second answer is NO because VM5 belongs to Vnet1 and the DNS is registered to Vnet2 therefore VM5 cannot reach the DNS service.
upvoted 89 times

  Holydud 1 year, 5 months ago


Was on exam 19 Aug 2022. Scored 870. Around 85% questions were also on ET. Answered:

NNY
upvoted 12 times

  Skankhunt 3 years, 1 month ago


Agreed, there is no mention of VNet peering, thus we can assume the two VNets are not connected.
upvoted 14 times

  Geet_2023 Most Recent  3 months, 3 weeks ago


Question: VM6 can resolve VM1.adatum.com also, correct?
upvoted 1 times

  vbohr899 11 months, 3 weeks ago


Cleared Exam today 26 Feb, This question was there in exam.
upvoted 7 times

  klexams 1 year, 3 months ago


N coz vm5 = vnet1
N coz vm5 = vnet1
Y coz vm6 = vnet2 which is linked to the private dns zone.
upvoted 2 times

  tahirMScert 1 year, 4 months ago


this was on exam 03oct2022 , I scored 870 and answered as Examtopics answer
upvoted 5 times

  EmnCours 1 year, 5 months ago


Box 1: No -
Azure DNS provides automatic registration of virtual machines from a single virtual network that's linked to a private zone as a registration
virtual network. VM5 does not belong to the registration virtual network though.

Box 2: No -
Forward DNS resolution is supported across virtual networks that are linked to the private zone as resolution virtual networks. VM5 does
belong to a resolution virtual network.

Box 3: Yes -
VM6 belongs to registration virtual network, and an A (Host) record exists for VM9 in the DNS zone.
By default, registration virtual networks also act as resolution virtual networks, in the sense that DNS resolution against the zone works
from any of the virtual machines within the registration virtual network.
Reference:
https://docs.microsoft.com/en-us/azure/dns/private-dns-overview
upvoted 7 times

  Lazylinux 1 year, 7 months ago


NO NO YES
VM5 is on VNET1 which is not associated with private DNS, whereas VM6 is in VNET2 which is linked to private DNS and hence can resolve
upvoted 3 times

  Teringzooi 1 year, 11 months ago


1. VM5 is in VNet1 - answer is NO.
2. VM5 is in VNet1 - answer is NO.
3. VM6 is in VNet2 - answer is YES.

VNet1 (NOT A Registration Network) : VM5

VNet2 (IS A Registration Network) : VM1, VM6 and VM9
upvoted 1 times

  spoondev1 2 years, 3 months ago


Is this not a AZ303 question?
upvoted 3 times

  AKAKAKAK 2 years, 3 months ago


In my opinion Answer is:
NO: Since no mention that the private DNS zone is connected to VNET1. Thus VM5 will not be registered automatically in the adatum.com
zone.
NO: Same rationale. Since it's not mentioned the VNET1 is linked to private zone, hence VM5 will not be able to resolve VM9.adatum.com
YES: Since VM6 is part of VNET2 and VNET has auto-registration of DNS enabled on this zone which means VNET2 is linked to this private
Zone, hence it can resolve all the records populated in this zone.
upvoted 3 times

  ScoutP 2 years, 4 months ago


This question was asked on exam taken on Sept 30, 2021
upvoted 4 times

  CARIOCA 2 years, 8 months ago


This question is very divided in the feedback, after all what would be the answer and which justified it?

After a debate of 14 comments, is the final answer to the question the same or not?

My humble suggestion for the Exam Topics would be to have an official moderator who, depending on the debate on the issues, should
be responsible for changing the submitted template.

I think the debate is healthy, but a better organization is needed following an established pattern because in some issues they get very
confused and generate more doubts than clarifications.
upvoted 5 times

  ScreamingHand 2 years, 7 months ago


Why don't you appoint yourself as official moderator?
upvoted 7 times

  Veronika1989 2 years, 8 months ago


I think No, No, No
1. VM5 is in Vnet1
2. VM2 is in Vnet1
3. V9 record already exists
upvoted 1 times

  JayBee65 2 years, 8 months ago


So why does that make 3 No? Please explain your logic
upvoted 2 times

  RhinoMan 1 year, 7 months ago


The question is whether it can resolve it or not. It's registered and with the same suffix and the source vnet for vm5 is registered with
the zone so it will be able to resolve it hence the answer is Y
upvoted 1 times

  ZUMY 2 years, 11 months ago


NO,NO,YES
Answers are correct: To resolve the records of a private DNS zone from your virtual network, you must link the virtual network with the
zone. Linked virtual networks have full access and can resolve all DNS records published in the private zone. VNet1 is not linked to the
Private DNS, so cannot resolve
upvoted 9 times

  johanc68 2 years, 7 months ago


How do you know that VNET1 is not linked as a resolution virtual network only? It's not stated in the question I believe.
upvoted 1 times

  ddb116 2 years, 10 months ago


ZUMY is correct have a look at this link below
https://docs.microsoft.com/en-us/azure/dns/private-dns-getstarted-portal
upvoted 2 times

  toniiv 2 years, 11 months ago


Answers are correct: To resolve the records of a private DNS zone from your virtual network, you must link the virtual network with the
zone. Linked virtual networks have full access and can resolve all DNS records published in the private zone. VNet1 is not linked to the
Private DNS, so cannot resolve
upvoted 2 times

  mikl 3 years ago


This seems pretty simple.
How I see it.

VNet1 (NOT A - Registration Network) : VM5

VNet2 (IS A - Registration Network) : VM1, VM6 and VM9

So here we go:

1. VM5 is in VNet1 - answer is NO.


2. VM5 is in VNet1 - answer is NO.
3. VM6 is in VNet2 - answer is YES.
upvoted 25 times
Question #71 Topic 5

HOTSPOT -

You have an Azure subscription that contains the virtual networks shown in the following table.

The subscription contains the private DNS zones shown in the following table.

You add virtual network links to the private DNS zones as shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

Reference:

https://docs.microsoft.com/en-us/azure/dns/private-dns-virtual-network-links

https://docs.microsoft.com/en-us/azure/dns/private-dns-autoregistration

  az_21 Highly Voted  2 years, 7 months ago

https://docs.microsoft.com/en-us/azure/dns/private-dns-virtual-network-links

A virtual network can be linked to private DNS zone as a registration or as a resolution virtual network.

Registration virtual network:


A private DNS zone can have multiple registration virtual networks. However, every virtual network can only have one registration zone
associated with it.

Resolution virtual network:


One private DNS zone can have multiple resolution virtual networks and a virtual network can have multiple resolution zones associated
to it.
1. Yes
No registration zone for VNET2.

2. Yes
A virtual network can have multiple resolution zones associated to it.

3.Yes
No registration zone for VNET2.
upvoted 145 times

  go4adil 2 weeks ago


1. Yes
We can enable auto-registration for Link2/VNET2 in Zone2.com because VNET2 has no registration zone associated to it currently.
Remember, every virtual network can only have one registration zone associated with it.

2. Yes
A new Link for VNET1 to Zone3.com can be added by associating it as resolution zone with Zone3. Remember, a virtual network can
have one registration and multiple resolution zones associated to it. So, VNET1 will have Zone1 as registration and Zone3 as resolution
zone.

3. Yes
A new Link for VNET2 to Zone1.com with auto-registration enabled is possible as currently VNET2 doesn't have any zone associated to it
as registration zone. Zone2 is associated to VNET2 as resolution zone.
upvoted 1 times

  go4adil 2 weeks ago


Ref:
https://learn.microsoft.com/en-us/azure/dns/private-dns-virtual-network-links
upvoted 1 times

  Netspud 2 years ago


Sorry I don't agree.
ref: https://docs.microsoft.com/en-us/azure/dns/private-dns-autoregistration
1. Yes - "When you link a virtual network with a private DNS zone with this setting enabled" suggests it needs to be done when
created, but you could recreate the link to do it.
2. No - "A specific virtual network can be linked to only one private DNS zone when automatic VM DNS registration is enabled", so if
auto VM enabled only one zone.
3. No - as above, only one zone with Auto VM, although technically you could delete the other link and it would then work, but that
seems out the scope of the question.
Again another somewhat poorly written question. But I would say Yes, No, No.
upvoted 32 times

  ConanBarb 11 months, 3 weeks ago


Please test and verify before you make certain claims.
In my understanding verified by tests:
Y-Y-Y

"You can enable auto registration for Link2": Yes


This setting can be changed on an already existing link (provided that the change doesn't yield two VNET links with both auto
registration on them, that will fail).

"You can add a virtual network link for VNET1 to Zone3.com": Yes
One private DNS zone can have multiple resolution virtual networks and a virtual network can have multiple resolution zones
associated to it.
https://learn.microsoft.com/en-us/azure/dns/private-dns-virtual-network-links

"You can add a virtual network link for VNET2 to Zone1.com and enable auto registration": Yes
The current link(s) for VNET2 does not have auto registration, so a new link with auto. reg. can be added.
upvoted 13 times

  JimmyYop 1 year ago


Tested in Lab, above answer is correct YES YES YES
upvoted 7 times

  piotrekpal 1 year, 8 months ago


About second and third question not agree with you because "However, every virtual network can only have one registration zone
associated with it." So it could have many zones but only one with registration enabled.
upvoted 4 times

  piotrekpal 1 year, 8 months ago


https://docs.microsoft.com/en-us/azure/dns/private-dns-virtual-network-links
upvoted 2 times

  GenjamBhai 1 year, 7 months ago


Yes - zone can only have one reg network (auto-reg enabled), currently none

Yes - zone can have 1 reg network and multiple resolution networks (auto-reg not enabled)

No - Zone1 already has a reg nw (vnet1)


upvoted 12 times

  MoOshin 1 month, 1 week ago


YNN
"A private DNS zone can have multiple registration virtual networks. However, every virtual network can only have one
registration zone associated with it."
All three VNETs already have a zone association, so no additional link can be added.
https://learn.microsoft.com/en-us/azure/dns/private-dns-virtual-network-links
upvoted 1 times

  KingTN 5 months, 2 weeks ago


one more point to make it clear :
When creating a link between a private DNS zone and a virtual network. You have the option to enable autoregistration. With this
setting enabled, the virtual network becomes a registration virtual network for the private DNS zone.
upvoted 1 times

  moshos 1 year ago


https://learn.microsoft.com/en-us/azure/dns/private-dns-virtual-network-links
"A private DNS zone can have multiple registration virtual networks. However, every virtual network can only have one registration zone
associated with it."
"One private DNS zone can have multiple resolution virtual networks and a virtual network can have multiple resolution zones
associated to it."
upvoted 3 times

  mashk19 Highly Voted  2 years, 8 months ago

1. Yes

2. Yes. You can link VNET1 to Zone3.com A private DNS zone can have multiple registration virtual networks. However, every virtual
network can only have one registration zone associated with it.

3. No. Auto registration is already enabled on Zone 1. When you add a link from VNET2 to Zone
upvoted 66 times

  ostych 1 year, 10 months ago


Correct, tested in the LAB.
Y
Y
N - Error in azure: Failed to create virtual network link 'link5'. Error: A virtual network can only be linked to 1 Private DNS zone(s) with
auto-registration enabled; conflicting Private DNS zone is ...
upvoted 12 times

  ostych 1 year, 10 months ago


Update:
Y
Y
Y
There was leftover of wrong config in third one.
upvoted 9 times

  lancegong 1 year, 7 months ago


Yes. I agree with you. Tested and the correct answer should be YYY. It is true that if vnet2 has auto-registration enabled in
zone2, you won't be able to enable auto-registration for vnet2 to add another zone. But the Box 1 simply asks you if you can
enable auto-registration or not which doesn't mean vnet2 has auto-registration enabled when you answer the Box 3.
upvoted 2 times

  Batiste2023 3 months, 2 weeks ago


You're overthinking this, I guess... I'd go with YYN.
upvoted 1 times

  Batiste2023 3 months ago


Ok, I realised I wasn't thinking enough here, the correct answer is YYY:
2) Y: "One private DNS zone can have multiple resolution virtual networks and a virtual network can have multiple
resolution zones associated to it." (see https://learn.microsoft.com/en-us/azure/dns/private-dns-virtual-network-links#resolution-virtual-network)
3) "A private DNS zone can have multiple registration virtual networks. However, every virtual network can only have one
registration zone associated with it." (https://learn.microsoft.com/en-us/azure/dns/private-dns-virtual-network-links#registration-virtual-network)
upvoted 1 times

  dc2k79 1 year, 3 months ago


Auto Registration is a Zone-to-VNet mapping. If one VNet is auto-registered with a Private Zone, that does not mean another VNet
cannot be Auto-Registered with it.

A private DNS zone can have multiple registration virtual networks. However, every virtual network can only have one registration zone
associated with it.

https://learn.microsoft.com/en-us/azure/dns/private-dns-virtual-network-links
upvoted 4 times
  ppp131176 2 years, 7 months ago
For 2. are you sure? shouldn't this be no? Wouldn't zone3 be the second registration zone?
upvoted 8 times

  JayBee65 2 years, 7 months ago


No, because zone 3 does not have autoregistration enabled, so this would be a resolution zone not a registration zone
upvoted 4 times

  zvasanth2 2 years, 5 months ago


The 3rd question must be yes. after adding the 3rd question to the existing list looks below:
Link1 - Zone1 - VNET1 - Yes
Link2 - Zone2 - VNET2 - No
Link3 - Zone3 - VNET3 - No
Link4 - Zone1 - VNET2 - Yes

This is the definition for "Registration virtual network"


point 1- A private DNS zone can have multiple registration virtual networks.
point 2- However, every virtual network can only have one registration zone associated with it.

Link1 and Link4 satisfies the point1 and point2


point1 - Zone is having multiple registration virtual networks like VNET1, VNET2
point2 - VNET2 is not associated with any other zone registered.
Link2 has VNET2 but that is a resolution not a registration

So answer must be Y Y Y
upvoted 13 times

  J4U 2 years, 5 months ago


3. Yes. Going by (2), a zone can have multiple registrations while a VNET can have only one. So VNET2 can register to Zone 1.
upvoted 6 times

  Yogesh25 Most Recent  2 weeks, 4 days ago

I had to waste my 30 min to set up the resources to try this one out... and here is what I got,
1. Yes - We can enable auto register provided there is no conflict
2. Yes - There is no impact of location on setting up Vnet link but in case v-net is already registered with another private zone then auto
registration can't be enabled.
3. No, above reason.
upvoted 1 times

  houzer 1 month, 2 weeks ago


Tested in Lab, correct answer is Yes, Yes, and for the 3rd box NO because if you try to create the link with enable auto registration it will
error out and it will actually tell you that a virtual network can only be linked to one private DNS zone with auto-registration enabled. Do
not waste much time on this, this is the correct answer.
upvoted 1 times

  ziggy1117 3 months ago


Y - Y - Y. I tested this myself in a real environment. best to test it vs. making comments here without any test.

1. Y. You can click the checkbox to Enable Auto-Reg. Note: You can do this to any VNET as long as that VNET is not linked to another Zone
with Auto-reg ON. So if VNET is in another zone but Auto-reg is OFF, then you can enable Auto-Reg in Only One Zone

2. Y. You can add Vnet1 to Zone3 but make sure Auto Reg is OFF. You cannot add Vnet1 to Zone3 with Auto Reg is ON.

3. Y. You can add Vnet2 to Zone1 and set to Auto Reg ON because VNET2 has no link yet to any zone with Auto Reg ON.

to summarize:
Zones can have multiple VNETs. Each VNET can be set to Auto Reg ON
VNETs can be linked to multiple Zones but they can only Auto Reg to one Zone
upvoted 4 times

  profesorklaus 4 months, 3 weeks ago


I tested it in my LAB and here are the results:
1. YES - you can enable auto registration for link2
2. YES - you can add virtual network link VNET1 to zone3
3. Yes - you can add virtual network link VNET2 to zone1.
upvoted 1 times

  nomanmalik101 6 months ago


what the hell? every second question has confusion. Why are we not able to get the exact answers even after paying a huge amount?
whom should we follow? Discussion or Examtopic?
upvoted 5 times

  Josete1106 6 months, 4 weeks ago


Y Y NO is correct!
upvoted 1 times

  Navigati0n 6 months, 4 weeks ago


Yes.
Auto-registration can be enabled for Link2 because VNET2 is not currently a registration virtual network for any other private DNS zone.
So it can become the registration virtual network for Zone2.com if auto-registration is enabled for Link2.

Yes.
You can create a link between VNET1 and Zone3.com. However, because VNET1 is already a registration virtual network for Zone1.com,
you cannot enable auto-registration for this new link. This is because "every virtual network can only have one registration zone associated
with it."

No.
You cannot enable auto-registration for this potential new link between VNET2 and Zone1.com because, as per the provided explanation,
"every virtual network can only have one registration zone associated with it." Since VNET2 has already been linked to Zone2.com with
auto-registration enabled (as per answer 1), it cannot become the registration virtual network for Zone1.com as well.

https://learn.microsoft.com/en-us/azure/dns/private-dns-virtual-network-links#registration-virtual-network
upvoted 3 times

  RandomNickname 7 months, 4 weeks ago


Agree with Y,N,N

Q1: Y. Looks like it needs to be done when the link is created, and doesn't specify it it can be retroactively enabled, but yes can be done.

https://learn.microsoft.com/en-us/azure/dns/private-dns-autoregistration

Q2 + Q3, N. Already linked.


"From the virtual network perspective, private DNS zone becomes the registration zone for that virtual network. A private DNS zone can
have multiple registration virtual networks. However, every virtual network can only have one registration zone associated with it"

https://learn.microsoft.com/en-us/azure/dns/private-dns-virtual-network-links
upvoted 4 times

  rishisoft1 7 months, 4 weeks ago


Answer will be yes for 3. When auto-registration is not enabled while linking its called resolution means VNET is not registered with DNS
and it is used for resolution, and one VNET can have multiple resolution. Refer to this for detailed info -
https://learn.microsoft.com/en-us/azure/dns/private-dns-virtual-network-links
upvoted 1 times

  Zonci 8 months, 4 weeks ago


Y Y N is the correct answer guys
upvoted 3 times

  SimoneP 9 months ago


https://learn.microsoft.com/en-us/azure/dns/private-dns-autoregistration
A specific virtual network can be linked to only one private DNS zone when automatic VM DNS registration is enabled. You can, however,
link multiple virtual networks to a single DNS zone.
upvoted 1 times

  ericZX 9 months, 2 weeks ago


Number of private DNS zones a virtual network can get linked to with auto-registration enabled=1
Number of private DNS zones a virtual network can get linked=1000
https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/azure-subscription-service-limits#azure-dns-limits
upvoted 1 times

  Sumit_Kumar 9 months, 3 weeks ago


https://dev.to/kaiwalter/using-azure-private-links-and-private-dns-zones-with-globally-distributed-resources-4ce3
upvoted 1 times

  FreeSwan 9 months, 4 weeks ago


Auto-registration could be enabled even after the private DNS zone is created.
1. Yes
2. No (since another zone)
3. No (since another zone)
upvoted 1 times

  mfalkjunk 10 months, 2 weeks ago


Yes
Yes
No

https://www.youtube.com/watch?v=Hiohn35DIqA
Great explanation of Azure DNS, zones, registrations and links.
upvoted 1 times
Question #72 Topic 5

HOTSPOT -

You have an Azure subscription.

You plan to use an Azure Resource Manager template to deploy a virtual network named VNET1 that will use Azure Bastion.

How should you complete the template? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:
Correct Answer:

Reference:

https://medium.com/charot/deploy-azure-bastion-preview-using-an-arm-template-15e3010767d6

  dookiecloud Highly Voted  2 years, 8 months ago

answer is correct
+ Subnet Name AzureBastionSubnet
AzureBastionSubnet addresses A subnet within your VNet address space with a /27 subnet mask. For example, 10.1.1.0/27.

https://docs.microsoft.com/en-us/azure/bastion/quickstart-host-portal
upvoted 52 times

  rigonet Highly Voted  2 years, 3 months ago


This question is outdated.
At this very moment you can read in the documentation:
+ Subnet Name | AzureBastionSubnet
AzureBastionSubnet addresses | A subnet within your VNet address space with a subnet mask /26 or larger.
For example, 10.1.1.0/26.
upvoted 45 times

  [Removed] 2 years, 1 month ago


Correct. Have just gone to create a new Bastion resource in my lab. This info message is given:
To associate a virtual network with a Bastion, it must contain a subnet with name AzureBastionSubnet and a prefix of at least /26.

Also see documentation here:


https://docs.microsoft.com/en-gb/azure/bastion/quickstart-host-portal

For Azure Bastion resources deployed on or after November 2, 2021, the minimum AzureBastionSubnet size is /26 or larger (/25, /24,
etc.). All Azure Bastion resources deployed in subnets of size /27 prior to this date are unaffected by this change and will continue to
work, but we highly recommend increasing the size of any existing AzureBastionSubnet to /26 in case you choose to take advantage of
host scaling in the future.
upvoted 22 times

  kennynelcon 1 year, 9 months ago


Thank you
upvoted 2 times
  zixys Most Recent  5 months, 2 weeks ago

I passed on September 3, 2023. The options for this exam were updated to 10.0.0.0/26, not 27
upvoted 22 times

  Alandt 1 month, 1 week ago


Thanks my friend, I hope you get very rich and one day you'll become the president of Microsoft. If that day comes, can you please
erase az-104 from the planet? Thank you president.
upvoted 4 times

  shadad 11 months, 2 weeks ago


I took the Azure-104 exam on 27/2/2023.
I scored 920 points out of 1000 points. This was on it and my answer was:

1. AzureBastionSubnet
2. 10.10.10.0/27
upvoted 13 times

  zellck 1 year ago


1. AzureBastionSubnet
2. 10.10.10.0/27

https://learn.microsoft.com/en-us/azure/bastion/configuration-settings#subnet
Azure Bastion requires a dedicated subnet: AzureBastionSubnet. You must create this subnet in the same virtual network that you want to
deploy Azure Bastion to.

For Azure Bastion resources deployed on or after November 2, 2021, the minimum AzureBastionSubnet size is /26 or larger (/25, /24, etc.).
All Azure Bastion resources deployed in subnets of size /27 prior to this date are unaffected by this change and will continue to work, but
we highly recommend increasing the size of any existing AzureBastionSubnet to /26 in case you choose to take advantage of host scaling
in the future.
upvoted 3 times

  UK7 1 year, 1 month ago


Came on 21st Dec 2022
Answer is correct
upvoted 4 times

  mung 1 year, 2 months ago


When creating Azure Bastion, it requires some configuration,
1. Subnet name must be "AzureBastionSubnet".
2. Subnet size must be /26 or larger.
3. For host scaling /26 is recommended
4. etc.

https://learn.microsoft.com/en-us/azure/bastion/configuration-settings
upvoted 2 times

  Liriano 1 year, 3 months ago


In exam today, go with highly voted
upvoted 2 times

  klexams 1 year, 3 months ago


/26 or larger (/25 /24 etc) is now the recommended. /27 is the closest in this case.
upvoted 1 times

  tahirMScert 1 year, 4 months ago


this was on exam 03oct2022, I scored 870 and answered as Examtopics answer
upvoted 5 times

  majerly 1 year, 4 months ago


Today in exam, answer is correct
upvoted 3 times

  kukeleku 1 year, 4 months ago


Had this question on my exam today(19-09-2022), I answered AzureBastionSubnet 10.10.10.0/27.
upvoted 6 times

  favela 1 year, 5 months ago


The only question that came today on my exam was so different: the scenario was 10 VNets but all VNets peer, so the question was how
many Azure Bastion are required. I chose only one as all VNets are peering. Passed today with score 900
upvoted 2 times

  EmnCours 1 year, 5 months ago


answer is correct*

https://docs.microsoft.com/en-us/azure/bastion/quickstart-host-portal
upvoted 1 times
  anantasthana2002 1 year, 6 months ago
Answer is correct
upvoted 1 times

  Lazylinux 1 year, 7 months ago


Given answer is correct
upvoted 3 times

  Armina 1 year, 9 months ago


Answer is correct
Azure Bastion is a service you provide that allows you to connect to a virtual machine using your browser and the Azure portal. Azure
Bastion is a fully managed PaaS service that you can deploy to your virtual network. This service enables secure and seamless RDP and
SSH connections to your virtual machines via TLS directly in the Azure portal. When connecting through Azure Bastion, your virtual
machines do not require a public IP address, agent, or special client software.

Bastion provides secure RDP and SSH connections to all virtual machines in the virtual network where the service is deployed. Using Azure
Bastion prevents your virtual machines from making RDP and SSH ports publicly available. At the same time, we continue to enable secure
access via RDP/SSH.

Azure Bastion requires a subnet called AzureBastionSubnet within your virtual network. The subnet must have at least the subnet mask
/27, or be larger.

The following Microsoft Docs articles contain more information on the topic:
https://docs.microsoft.com/en-us/azure/bastion/tutorial-create-host-portal
upvoted 1 times
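
Added example (not part of the question or of any comment above): a pre-deployment check for the two values this question asks about, the `AzureBastionSubnet` name and the prefix size quoted from the documentation in the thread (/26 or larger now, /27 for older deployments). The sample template, its address ranges and the function names are constructed for illustration.

```python
import ipaddress
import json

BASTION_SUBNET_NAME = "AzureBastionSubnet"
MAX_PREFIX_CURRENT = 26  # "/26 or larger", hosts deployed on or after November 2, 2021
MAX_PREFIX_LEGACY = 27   # hosts deployed before that date, per the docs quoted in the thread

# Constructed sample: the /27 answer from the question, written as an ARM template.
SAMPLE_TEMPLATE = json.loads("""
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Network/virtualNetworks",
      "apiVersion": "2023-04-01",
      "name": "VNET1",
      "location": "[resourceGroup().location]",
      "properties": {
        "addressSpace": {"addressPrefixes": ["10.10.10.0/24"]},
        "subnets": [
          {"name": "AzureBastionSubnet",
           "properties": {"addressPrefix": "10.10.10.0/27"}}
        ]
      }
    }
  ]
}
""")


def is_expression(value):
    """ARM expressions such as [parameters('x')] cannot be evaluated offline."""
    return isinstance(value, str) and value.startswith("[") and value.endswith("]")


def check_bastion_subnet(template, legacy=False):
    """Return a list of findings; an empty list means the template passes."""
    limit = MAX_PREFIX_LEGACY if legacy else MAX_PREFIX_CURRENT
    vnets = [r for r in template.get("resources", [])
             if r.get("type") == "Microsoft.Network/virtualNetworks"]
    if not vnets:
        return ["template declares no Microsoft.Network/virtualNetworks resource"]

    findings = []
    for vnet in vnets:
        name = vnet.get("name", "<unnamed>")
        props = vnet.get("properties", {})
        prefixes = props.get("addressSpace", {}).get("addressPrefixes", [])
        spaces = [ipaddress.ip_network(p, strict=False)
                  for p in prefixes if not is_expression(p)]

        bastion = [s for s in props.get("subnets", [])
                   if s.get("name") == BASTION_SUBNET_NAME]
        if not bastion:
            findings.append(f"{name}: no subnet named {BASTION_SUBNET_NAME}")
            continue

        prefix = bastion[0].get("properties", {}).get("addressPrefix")
        if prefix is None or is_expression(prefix):
            findings.append(f"{name}: prefix is missing or an unresolved expression")
            continue
        try:
            net = ipaddress.ip_network(prefix, strict=True)
        except ValueError as exc:
            findings.append(f"{name}: invalid prefix {prefix!r} ({exc})")
            continue

        # A longer prefix length means a smaller subnet.
        if net.prefixlen > limit:
            findings.append(
                f"{name}: {BASTION_SUBNET_NAME} {prefix} is smaller than the required /{limit}")
        if spaces and not any(net.version == s.version and net.subnet_of(s)
                              for s in spaces):
            findings.append(f"{name}: {prefix} is outside the VNet address space")
    return findings


if __name__ == "__main__":
    for label, legacy in (("current rule", False), ("pre-November 2021 rule", True)):
        result = check_bastion_subnet(SAMPLE_TEMPLATE, legacy=legacy)
        print(label, "->", result or "OK")
```
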
Question #73 Topic 5

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You manage a virtual network named VNet1 that is hosted in the West US Azure region.

VNet1 hosts two virtual machines named VM1 and VM2 that run Windows Server.

You need to inspect all the network traffic from VM1 to VM2 for a period of three hours.

Solution: From Azure Network Watcher, you create a packet capture.

Does this meet the goal?

A. Yes

B. No

Correct Answer: A

Network Watcher variable packet capture allows you to create packet capture sessions to track traffic to and from a virtual machine. Packet capture helps to diagnose network anomalies both reactively and proactively. Other uses include gathering network statistics, gaining information on network intrusions, to debug client-server communications and much more.

Reference:

https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-packet-capture-overview

Community vote distribution


A (81%) B (19%)

  mashk19 Highly Voted  2 years, 8 months ago

If you initiated a packet capture from VM1 to VM2 and ran a capture for three hours, wouldn't you have a file which contained all traffic
between VM1 and VM2?
upvoted 23 times

  JayBee65 2 years, 7 months ago


Yes exactly
upvoted 2 times

  s9p3r7 2 years, 7 months ago


yes you would, considering you didn't specify any filtering which is optional.
upvoted 4 times

  omw2wealth 2 years, 4 months ago


Ans is YES.
upvoted 1 times

  kilowd 1 year, 8 months ago


Answer is YES
Packet capture is a computer networking term for intercepting a data packet that is crossing or moving over a specific computer
network.

Once a packet is captured, it is stored temporarily so that it can be analyzed. The packet is inspected to help diagnose and solve
network problems and determine whether network security policies are being followed.
upvoted 3 times

  dookiecloud Highly Voted  2 years, 8 months ago

No

Should use connection monitor for a period of time


https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview
upvoted 13 times

  erenklclar 1 year, 8 months ago


Tested in the lab. A is correct.
upvoted 1 times

  loganharris 2 years, 7 months ago


this link supports yes. links to more information about packet capture
upvoted 4 times

  Luke7389 1 year, 11 months ago


Connection monitor doesn't capture packets, Network Watcher does therefore A is correct

https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-packet-capture-overview
upvoted 3 times

  MatAlves Most Recent  1 week, 4 days ago

- Connection troubleshoot enables a one-time connectivity and latency check between a virtual machine and Bastion host, application
gateway, or another virtual machine.

- Packet capture enables you to capture your virtual machine traffic.

Yes - https://learn.microsoft.com/en-us/azure/network-watcher/frequently-asked-questions
upvoted 1 times

  Tomix 7 months, 2 weeks ago


A. Yes

Creating a packet capture using Azure Network Watcher is a valid solution to inspect network traffic between VM1 and VM2. Network
Watcher provides network monitoring and diagnostic capabilities in Azure, including the ability to capture packets flowing between
resources within a virtual network.
upvoted 1 times

  JayLearn2022 12 months ago


There are several versions of this question. The following are the possible Correct and Incorrect solutions.

Correct solution: Meets the goal.


-Solution: From Azure Network Watcher, you create a packet capture.

Incorrect solution: Does not meet the goal.


-Solution: From Azure Monitor, you create a metric on Network In and Network Out.

-Solution: From Azure Network Watcher, you create a connection monitor.

-Solution: From Performance Monitor, you create a Data Collector Set (DCS).
upvoted 12 times

  zellck 1 year ago

Selected Answer: A

A is the answer.

https://learn.microsoft.com/en-us/azure/network-watcher/network-watcher-packet-capture-overview
Network Watcher variable packet capture allows you to create packet capture sessions to track traffic to and from a virtual machine.
Packet capture helps to diagnose network anomalies both reactively and proactively. Other uses include gathering network statistics,
gaining information on network intrusions, to debug client-server communications and much more.
upvoted 3 times

  zellck 12 months ago


Got this in Feb 2023 exam.
upvoted 3 times

  Bigc0ck 1 year, 1 month ago


Still on test 01/05/2023
upvoted 6 times

  klexams 1 year, 3 months ago


Selected Answer: B

it specifically says from VM1 to VM2. Nature of packet capture is to run the capture in a VM/machine, it does not matter where the traffic is
sent to. You use filter if you want to see certain packets including where it goes, type of traffic etc etc. Yes you can use this tool for VM to
VM but it is not the best tool to use it. For the purpose, I'd got with Connection Monitor.
upvoted 2 times

  klexams 1 year, 3 months ago


OK I have to change it to A now - I saw this one "Packet Capture enables you to capture all traffic on a VM in your virtual network." from
here https://learn.microsoft.com/en-us/azure/network-watcher/frequently-asked-questions#what-tools-does-network-watcher-provide-
upvoted 5 times

  EmnCours 1 year, 5 months ago

Selected Answer: A

Answer is YES
upvoted 1 times

  kay000001 1 year, 6 months ago


Answer is yes. This is a copy and paste straight from exam-104 text book:

The Packet Capture tool allows you to capture network packets entering or leaving your virtual machines. It is a powerful tool for deep
network diagnostics. You can capture all packets, or a filtered subset based on the protocol and local and remote IP addresses and ports.
You can also specify the maximum packet and overall capture size, and a time limit (captures start almost immediately once configured).
Packet captures are stored as a file on the VM or in an Azure storage account, in which case NSGs must allow access from the VM to Azure
storage. These captures are in a standard format and can be analyzed off-line using common tools such as WireShark or Microsoft
Message Analyzer.

**Also, if you go into Network Watcher, you will see under diagnostic tools - Packet Capture.
upvoted 7 times

  David1990 1 year, 6 months ago

Selected Answer: A

I will go A
upvoted 1 times

  NotMeAnyWay 1 year, 7 months ago

Selected Answer: B

Answer B - No

• **Packet Capture**: Is run on a VM to monitor the in and out flows of IP traffic. It is not used to monitor traffic BETWEEN two VMs.
MS Docs: ("Packet Capture enables you to capture all traffic on a VM in your virtual network.")

• **Connection Monitor**: Is used to monitor connectivity and latency between VMs over a period of time.
MS Docs: ("Connection Monitor allows you to monitor connectivity and latency between a VM and another network resource.")

Read Here:
https://docs.microsoft.com/en-us/azure/network-watcher/frequently-asked-questions#what-tools-does-network-watcher-provide-
upvoted 3 times

  NotMeAnyWay 1 year, 7 months ago


IGNORE the above, as the question states all traffic: Answer A - Yes
"You need to inspect **all** the network traffic from VM1 to VM2 for a period of three hours."

You will need Packet Capture, as it has an option to specify ALL protocols
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-packet-capture-overview

NB: (exam-topics, needs an option to delete your own comment).


upvoted 5 times

  Traian 1 year, 5 months ago


It is better this way. I was wondering why packet capture and not connection monitor myself. Your wrong answer and the follow up
were really helpful
upvoted 1 times

  nkhan19 1 year, 7 months ago

Selected Answer: A

Connection monitor doesn't capture packets, Network Watcher does therefore A is correct
upvoted 1 times

  EleChie 1 year, 7 months ago


Should be A:
Azure Network Watcher provides tools to monitor, diagnose, view metrics, and enable or disable logs for resources in an Azure virtual
network.

Capture packets to and from a VM


Advanced filtering options and fine-tuned controls, such as the ability to set time and size limitations, provide versatility. The capture can
be stored in Azure Storage, on the VM's disk, or both. You can then analyze the capture file using several standard network capture
analysis tools.

Network Watcher variable packet capture allows you to create packet capture sessions to track traffic to and from a virtual machine.
Packet capture helps to diagnose network anomalies both reactively and proactively.

References:
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview
upvoted 1 times

  Lazylinux 1 year, 8 months ago

Selected Answer: A

Packet capture is correct similar to wireshark, it allows for Sources/Des IP, Ports and times allocation and can be triggered automatically
via VMs alert
upvoted 3 times

  rafacazus 1 year, 8 months ago

Selected Answer: A

It should be the packet capture as we've got in the configuration 'Time limit' field - the duration of the capture session to the file.
Connection monitor has got the 'Test frequency' setting - how frequently sources will ping destinations, we're not collecting the traffic for
the future inspection. The idea in the Connection monitor is to pass a test.
upvoted 2 times

  ostych 1 year, 10 months ago


Selected Answer: A

Packet capture can be set to specified interval and connection monitor is for end-to-end monitoring specific connections. Here you have to
capture all network traffic.
upvoted 2 times
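
Added example (not part of the thread or of Microsoft's documentation): once a capture taken on VM1 is downloaded, the VM1-to-VM2 traffic the question asks about can be isolated offline, across every protocol and over the whole capture window. It assumes the file is in classic libpcap format with Ethernet framing; the IP addresses, timestamps and function names are constructed for illustration.

```python
import ipaddress
import struct

LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800

VM1, VM2 = "10.0.0.4", "10.0.0.5"   # constructed addresses
T0 = 1700000000                     # constructed capture start (epoch seconds)
# Constructed sample: (timestamp, source, destination, IP protocol number)
SAMPLE_PACKETS = [
    (T0,         VM1, VM2, 6),          # TCP, VM1 -> VM2
    (T0 + 60,    VM2, VM1, 6),          # reply direction, not wanted
    (T0 + 3600,  VM1, VM2, 17),         # UDP, VM1 -> VM2
    (T0 + 7200,  VM1, "10.0.0.9", 6),   # VM1 to some other host
    (T0 + 10800, VM1, VM2, 1),          # ICMP, VM1 -> VM2, three hours in
]


def build_sample_capture(packets):
    """Serialize the constructed packets as a little-endian classic pcap file."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, src, dst, proto in packets:
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
        frame = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + ip
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out


def flows(pcap_bytes):
    """Yield (timestamp, src, dst, protocol) for each IPv4 packet in the file."""
    magic = struct.unpack_from("<I", pcap_bytes, 0)[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack_from(endian + "I", pcap_bytes, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled")

    offset = 24  # size of the global header
    while offset + 16 <= len(pcap_bytes):
        ts, _usec, incl, _orig = struct.unpack_from(endian + "IIII", pcap_bytes, offset)
        offset += 16
        frame = pcap_bytes[offset:offset + incl]
        offset += incl
        if len(frame) < incl:
            break          # file cut off mid-record
        if len(frame) < 34:
            continue       # too short to hold Ethernet + IPv4 headers
        if struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
            continue       # skip ARP, IPv6 and other frame types
        yield (ts,
               str(ipaddress.IPv4Address(frame[26:30])),
               str(ipaddress.IPv4Address(frame[30:34])),
               frame[23])


def summarize(pcap_bytes, src, dst):
    """Count packets sent from src to dst, per IP protocol, with the time span."""
    by_protocol, first, last = {}, None, None
    for ts, s, d, proto in flows(pcap_bytes):
        if s != src or d != dst:
            continue
        by_protocol[proto] = by_protocol.get(proto, 0) + 1
        first = ts if first is None else min(first, ts)
        last = ts if last is None else max(last, ts)
    return {"packets": sum(by_protocol.values()),
            "by_protocol": by_protocol,
            "span_seconds": (last - first) if by_protocol else 0}


if __name__ == "__main__":
    print(summarize(build_sample_capture(SAMPLE_PACKETS), VM1, VM2))
```
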
Question #74 Topic 5

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You manage a virtual network named VNet1 that is hosted in the West US Azure region.

VNet1 hosts two virtual machines named VM1 and VM2 that run Windows Server.

You need to inspect all the network traffic from VM1 to VM2 for a period of three hours.

Solution: From Azure Network Watcher, you create a connection monitor.

Does this meet the goal?

A. Yes

B. No

Correct Answer: A

Reference:

https://azure.microsoft.com/en-us/updates/general-availability-azure-network-watcher-connection-monitor-in-all-public-regions/

Community vote distribution


B (88%) 12%

  Deevine78 Highly Voted  2 years, 8 months ago

No.

We need to inspect all the network traffic "from" VM1 "to" VM2 and not between the 2 VMs.
Even if we were using Connection monitor, this one would inspect only network traffic over a specific port.
And for a period of 3 hours, packet capture session time limit default value is 18000 seconds or 5 hours.
upvoted 48 times

  ShaulSi 2 years, 2 months ago


I have checked this and indeed connection monitor setup asks you for port and indeed the question asks you for all traffic.
upvoted 11 times

  azslayer 1 year, 8 months ago


No
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-packet-capture-overview
upvoted 2 times

  skydivex 12 months ago


packet capture definitely makes more sense since connection monitor only inspects TCP traffic. I think you are correct. :)
upvoted 2 times

  JayLearn2022 Highly Voted  12 months ago


There are several versions of this question. The following are the possible Correct and Incorrect solutions.

Correct solution: Meets the goal.


-Solution: From Azure Network Watcher, you create a packet capture.

Incorrect solution: Does not meet the goal.


-Solution: From Azure Monitor, you create a metric on Network In and Network Out.

-Solution: From Azure Network Watcher, you create a connection monitor.

-Solution: From Performance Monitor, you create a Data Collector Set (DCS).
upvoted 12 times

  Faust777 Most Recent  3 months, 3 weeks ago


how and why answer isn't just do shit in network watcher? wtf is this primordial setting of capture packets bs?
upvoted 2 times

  Tomix 7 months, 2 weeks ago


B. No

Creating a connection monitor in Azure Network Watcher will not meet the goal of inspecting all the network traffic from VM1 to VM2 for a
period of three hours. Connection monitors in Azure Network Watcher are used to monitor the connectivity between two points in a
network, but they do not capture and inspect the actual network traffic.

To inspect network traffic between VM1 and VM2, you would need to use a network capture tool or software that can capture and analyze
network packets. Azure Network Watcher itself does not have the capability to capture network traffic.
upvoted 1 times

  RandomNickname 7 months, 4 weeks ago

Selected Answer: B

No.

Connection monitor won't provide the same level of detail as packet capture will;

"Connection Monitor provides unified, end-to-end connection monitoring in Azure Network Watcher. The Connection Monitor feature
supports hybrid and Azure cloud deployments. Network Watcher provides tools to monitor, diagnose, and view connectivity-related
metrics for your Azure deployments."

https://learn.microsoft.com/en-us/azure/network-watcher/connection-monitor-overview
upvoted 1 times

  zellck 1 year ago

Selected Answer: B

B is the answer.

https://learn.microsoft.com/en-us/azure/network-watcher/connection-monitor-overview
Connection Monitor provides unified, end-to-end connection monitoring in Azure Network Watcher. The Connection Monitor feature
supports hybrid and Azure cloud deployments. Network Watcher provides tools to monitor, diagnose, and view connectivity-related
metrics for your Azure deployments.

https://learn.microsoft.com/en-us/azure/network-watcher/network-watcher-packet-capture-overview
Network Watcher variable packet capture allows you to create packet capture sessions to track traffic to and from a virtual machine.
Packet capture helps to diagnose network anomalies both reactively and proactively. Other uses include gathering network statistics,
gaining information on network intrusions, to debug client-server communications and much more.
upvoted 5 times

  khaled_razouk 1 year, 1 month ago


Selected Answer: A

Yes
Here are some points to consider when deciding between creating a connection monitor or a packet capture:

Connection monitors:

Provide ongoing monitoring of connectivity between two resources


Can alert you if connectivity is lost or degraded
Do not capture the actual packets, so you cannot view the contents of the traffic
Packet captures:

Allow you to view the contents of the traffic


Can be useful for analyzing specific issues or problems
Require you to manually start and stop the capture
upvoted 1 times

  Bigc0ck 1 year, 1 month ago


still on test
upvoted 3 times

  klexams 1 year, 3 months ago


Selected Answer: A

"Packet Capture enables you to capture all traffic on a VM in your virtual network."
https://learn.microsoft.com/en-us/azure/network-watcher/frequently-asked-questions#what-tools-does-network-watcher-provide-
upvoted 1 times

  tahirMScert 1 year, 4 months ago


this was on exam 03oct2022, I scored 870 and answered as Examtopics answer
upvoted 3 times

  EmnCours 1 year, 5 months ago

Selected Answer: B

B. No - With Packet capture, You can Set a time constraint on the packet capture session. The default value is 18000 seconds or 5 hours.
upvoted 2 times

  NotMeAnyWay 1 year, 7 months ago


Answer A - Yes

• **Packet Capture**: Is run on a VM to monitor the in and out flows of IP traffic. It is not used to monitor traffic BETWEEN two VMs.
MS Docs: ("Packet Capture enables you to capture all traffic on a VM in your virtual network.")

• **Connection Monitor**: Is used to monitor connectivity and latency between VMs over a period of time.
MS Docs: ("Connection Monitor allows you to monitor connectivity and latency between a VM and another network resource.")

Read Here:
https://docs.microsoft.com/en-us/azure/network-watcher/frequently-asked-questions#what-tools-does-network-watcher-provide-
upvoted 3 times

  NotMeAnyWay 1 year, 7 months ago


IGNORE the above, as the question states all traffic: Answer B - No
"You need to inspect **all** the network traffic from VM1 to VM2 for a period of three hours."

You will need Packet Capture, as it has an option to specify ALL protocols
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-packet-capture-overview

NB: (exam-topics, needs an option to delete your own comment).


upvoted 2 times

  RhinoMan 1 year, 7 months ago


Selected Answer: B

A connection is not traffic its a to a specific port not all


upvoted 1 times

  EleChie 1 year, 7 months ago


Monitor communication between a virtual machine and an endpoint

The connection monitor capability monitors communication at a regular interval and informs you of reachability, latency, and network
topology changes between the VM and the endpoint.

Connection monitor also provides the minimum, average, and maximum latency observed over time. After learning the latency for a
connection, you may find that you're able to decrease the latency by moving your Azure resources to different Azure regions.

Capture packets to and from a VM


Advanced filtering options and fine-tuned controls, such as the ability to set time and size limitations, provide versatility. The capture can
be stored in Azure Storage, on the VM's disk, or both. You can then analyze the capture file using several standard network capture
analysis tools.
Packet capture helps to diagnose network anomalies both reactively and proactively. Other uses include gathering network statistics,
gaining information on network intrusions, to debug client-server communications and much more.
upvoted 1 times

  Jayad 1 year, 10 months ago


I would go with Yes based on the following guide from Microsoft:
https://docs.microsoft.com/en-us/azure/network-watcher/connection-monitor
upvoted 1 times

  josevirtual 1 year, 10 months ago


Selected Answer: B

The answer should be NO


upvoted 2 times

  Teringzooi 1 year, 11 months ago


Selected Answer: B

No
The connection monitor capability monitors communication at a regular interval and informs you of reachability, latency, and network
topology changes between the VM and the endpoint.
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview
upvoted 1 times
Question #75 Topic 5

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You manage a virtual network named VNet1 that is hosted in the West US Azure region.

VNet1 hosts two virtual machines named VM1 and VM2 that run Windows Server.

You need to inspect all the network traffic from VM1 to VM2 for a period of three hours.

Solution: From Performance Monitor, you create a Data Collector Set (DCS).

Does this meet the goal?

A. Yes

B. No

Correct Answer: B

Use the Connection Monitor feature of Azure Network Watcher.

Reference:

https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview

Community vote distribution


B (100%)

  SilverFox22 Highly Voted  2 years, 4 months ago

At least we can agree that this one is No :)


upvoted 36 times

  skydivex 12 months ago


A Data Collector Set organizes data collection points, such as performance counters and event trace data, into a single collection. Data
Collector Sets enable you to schedule data collection, so that you can analyze the results and view reports later.
upvoted 2 times

  bur88 1 year, 11 months ago


I agree Answer is: No.
Correct answer is packet capture in Azure Network Watcher.
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-packet-capture-overview
upvoted 5 times

  AzureG0d 1 year, 3 months ago


right lol love after war
upvoted 1 times

  Abubaker3030 1 year, 8 months ago


well played haha
upvoted 2 times

  JayLearn2022 Highly Voted  12 months ago

There are several versions of this question. The following are the possible Correct and Incorrect solutions.

Correct solution: Meets the goal.


-Solution: From Azure Network Watcher, you create a packet capture.

Incorrect solution: Does not meet the goal.


-Solution: From Azure Monitor, you create a metric on Network In and Network Out.

-Solution: From Azure Network Watcher, you create a connection monitor.

-Solution: From Performance Monitor, you create a Data Collector Set (DCS).
upvoted 14 times

  obaali1990 11 months ago


Good, keep up the good work
upvoted 1 times

  Slimus Most Recent  9 months, 1 week ago

No, there is no such thing as "Data Collector Set (DCS)" in the Network Watcher
upvoted 1 times
  EmnCours 1 year, 5 months ago

Selected Answer: B

I agree Answer is: No.


upvoted 1 times

  techie_11 1 year, 10 months ago


On exam 4/12/2022. B correct answer
upvoted 2 times

  ajayasa 1 year, 11 months ago


this question was there on 16/03/2022 with same question and passed with 900 percent
upvoted 2 times

  Redimido 2 years ago


Selected Answer: B

Here it is a definitive NO! ... hopefully :)


upvoted 1 times

  fabylande 2 years, 4 months ago


In exam today! October 16, 2021
upvoted 2 times

  Acai 2 years, 6 months ago


Performance Monitor and a Data Collector Set huh. RIP Windows Server 70-410.
upvoted 6 times

  ScreamingHand 2 years, 8 months ago


Nice try, but no banana. You need the trusty Connection Monitor in this scenario
upvoted 6 times

  ScreamingHand 2 years, 7 months ago


Sorry, my cocky answer above is incorrect, - Connection Monitor will only inspect traffic on a specific port, - we need Packet Capture, -
which will capture all traffic
upvoted 35 times

  AravindITGuy 2 years, 8 months ago


Answer No - Connection monitor is used for packets, RTT, etc
upvoted 2 times
Question #76 Topic 5

DRAG DROP -

You have an Azure subscription that contains the resources shown in the following table.

You need to load balance HTTPS connections to vm1 and vm2 by using lb1.

Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

Select and Place:

Correct Answer:

Reference:

https://docs.microsoft.com/en-us/azure/load-balancer/tutorial-load-balancer-standard-public-zone-redundant-portal

  [Removed] Highly Voted  2 years, 1 month ago

Answer is correct:
1) Remove the Public IP addresses. They are basic Public IPs and we're using a Standard Load Balancer which aren't compatible.
2) Create a backend pool and health probes.
3) Create a load balancer rule.
upvoted 77 times

  Allfreen 1 year, 11 months ago


This is correct Answer
Remove NSG1
Remove Public IP
create Health Probe

what if NSG blocks port 80 for health probe?


upvoted 2 times

  magichappens 1 year, 10 months ago


What if the machines are actually off? Seriously, just read the information that is given. NSG is not blocking port 80 by default so it
is irrelevant.
upvoted 14 times

  tyohaina 1 year, 3 months ago


It does not mention NSG being associated with those VMs or Vnet. It's in the subscription but we don't know if it's in use at all or in
use for different resources.
upvoted 4 times

  Aymenwerg Highly Voted  2 years, 4 months ago

The Answer is correct :


Create a backend pool.
Create health probes.
Create a load balancer rule.
upvoted 14 times

  Netspud 2 years ago


That is not the answer provided, and your answer is wrong (the one provided is correct).
1 is remove the Public IPs (basic IP's can't be used with a standard LB). Also a pool is only NEEDED for a basic LB.
2. and 3. are correct.
2. Create a health probe
3. Create a lb rule.
upvoted 9 times

Zippy12 1 year, 10 months ago


How is this highly voted? Two of the steps you've listed (creating a backend pool and health probe) aren't even separate steps in the
answer options.
upvoted 13 times

MatAlves Most Recent 1 week, 4 days ago

Answer is correct:
1) Remove the Public IP addresses. They are basic Public IPs and we're using a Standard Load Balancer which aren't compatible.
2) Create a backend pool and health probes.
3) Create a load balancer rule.

Standard LB cannot coexist with Basic public IP


If you remove NSG, all the traffic is blocked
upvoted 1 times

marioZuo 6 months, 3 weeks ago


If U remove NSG, all the traffic is blocked
upvoted 4 times

hidefo6963 5 months, 1 week ago


correct, Standard LB = Zero Trust
upvoted 2 times

RandomNickname 7 months, 4 weeks ago


Given answer is correct;

https://learn.microsoft.com/en-us/azure/load-balancer/quickstart-load-balancer-standard-public-portal

During the creation of the load balancer, you'll configure:

Frontend IP address
Backend pool
Inbound load-balancing rules
Health probe
upvoted 3 times

Rams_84zO6n 10 months, 3 weeks ago


Answer is correct.
- [ ] Remove the public IP addresses from vm1 and 2 - SLB can’t work with basic sku IP addresses
- [ ] Create health probe and backend pool on lb1 - Need health probe and back-end pool for the LB
- [ ] Create a LB rule on LB1 - need a load balancing rule for LB
upvoted 11 times

CyberKelev 11 months, 2 weeks ago


Basic Public IPs are compatible with both Basic and Standard Load Balancers in Azure. However, Standard Public IPs can only be used with
Standard Load Balancers.
upvoted 1 times

CyberKelev 11 months, 2 weeks ago
Availability set
Health probe
Load balancing rule
upvoted 1 times

xRiot007 8 months, 1 week ago


No need for an AS for Standard LB, only Basic
upvoted 3 times

GBAU 1 year ago


Funny fact: Feb 2023, I created a standard LB and had no issues creating a backend pool and adding a VM that had basic PIP and dynamic
LIP (and no NSG at all). Added an LB rule and could connect to it through the LB.
Don't believe me? Try it yourself.
upvoted 3 times

klexams 1 year, 3 months ago


correct:
1. remove public ip
2. create hp and be pool
3. create lb rule
upvoted 3 times

tahirMScert 1 year, 4 months ago


this was on exam 03oct2022 , I scored 870 and answered as Examtopics answer
upvoted 5 times

F117A_Stealth 1 year, 5 months ago


Answer is correct
upvoted 1 times

MitchelLauwers1993 1 year, 11 months ago


came in exam today
upvoted 2 times

hanyahmed 2 years, 1 month ago


Answer is correct
upvoted 2 times

Snownoodles 2 years, 2 months ago


The answer is correct.
Regarding availability set - you can only add a VM into an availability set when the VM is being created, you cannot add a VM into an
availability set after the VM is created.
upvoted 2 times

gbgmail 1 year, 11 months ago


You can use the Add-AzureRmAvSetVmToAvailabilitySet powershell command to add an existing VM to an availability set. That being
said, the original answer is correct.
upvoted 1 times

Snownoodles 2 years, 2 months ago


I forgot to post the link:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/change-availability-set#:~:text=A%20VM%20can%20only%20be,both%20Linux%20and%20Windows%20VMs.&text=If%20your%20VM%20is%20attached,script%20to%20handle%20that%20case.
upvoted 1 times

Invisired 2 years, 3 months ago


Create Availability Set - to accommodate VMs
Health probes
Load Balancer rule
upvoted 1 times

verifedtomic 2 years, 3 months ago


The given answer is correct. No need for Availability Set since LB1 is a Standard Load Balancer, and Standard LBs can balance traffic to
VMs that are in the same vNET. Availability Set is needed only for Basic Load Balancers
upvoted 5 times

ppavank06 2 years, 3 months ago


correct
upvoted 1 times
Question #77 Topic 5

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You manage a virtual network named VNet1 that is hosted in the West US Azure region.

VNet1 hosts two virtual machines named VM1 and VM2 that run Windows Server.

You need to inspect all the network traffic from VM1 to VM2 for a period of three hours.

Solution: From Azure Monitor, you create a metric on Network In and Network Out.

Does this meet the goal?

A. Yes

B. No

Correct Answer: B

Reference:

https://azure.microsoft.com/en-us/updates/general-availability-azure-network-watcher-connection-monitor-in-all-public-regions/

Community vote distribution


B (100%)

MrBlueSky Highly Voted 2 years, 1 month ago

God bless all you people putting the wrong answers on these so we can have people confidently correct you.
upvoted 18 times

pappkarcsiii Highly Voted 2 years ago

Selected Answer: B

You use the Packet Capture, not Connection Monitor nor Network watcher
upvoted 13 times

pmsiva 1 year, 4 months ago


https://learn.microsoft.com/en-us/azure/network-watcher/frequently-asked-questions
upvoted 1 times

InvalidNickname Most Recent 7 months, 3 weeks ago

And now I am more confused.


upvoted 1 times

Bigc0ck 1 year, 1 month ago


still test
upvoted 1 times

klexams 1 year, 3 months ago


No. Azure Monitor does not even inspect traffic.
upvoted 3 times

Batiste2023 3 months ago


Yes, Azure Monitor is about measuring traffic throughput, not about packet inspection.
upvoted 2 times

EmnCours 1 year, 5 months ago

Selected Answer: B

Correct Answer: B
upvoted 2 times

ajayasa 1 year, 11 months ago


this question was there on 16/03/2022 with same question and passed with 900 percent
upvoted 4 times

Teringzooi 1 year, 11 months ago


Selected Answer: B

Answer is B: No
You use the Packet Capture, not Connection Monitor nor Network watcher
upvoted 3 times

Lincoln01 2 years ago


This is not right. Should be the connection Monitor feature of the Network watcher.
upvoted 1 times

Bere 2 years, 3 months ago


As described here:
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-packet-capture-manage-portal
Network Watcher packet capture allows you to create capture sessions to track traffic to and from a virtual machine.
upvoted 6 times

Aymenwerg 2 years, 4 months ago


Need to use connection monitor
upvoted 3 times

omw2wealth 2 years, 4 months ago


nope, you create a packet capture.
upvoted 37 times
Question #78 Topic 5

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an app named App1 that is installed on two Azure virtual machines named VM1 and VM2. Connections to App1 are managed by using an Azure Load Balancer.

The effective network security configurations for VM2 are shown in the following exhibit.

You discover that connections to App1 from 131.107.100.50 over TCP port 443 fail.

You verify that the Load Balancer rules are configured correctly.

You need to ensure that connections to App1 can be established successfully from 131.107.100.50 over TCP port 443.

Solution: You create an inbound security rule that denies all traffic from the 131.107.100.50 source and has a priority of 64999.

Does this meet the goal?

A. Yes

B. No

Correct Answer: B

Reference:

https://fastreroute.com/azure-network-security-groups-explained/

Community vote distribution


B (100%)

Zarzi Highly Voted 2 years, 3 months ago

i'm not a robot


upvoted 36 times

GBAU Highly Voted 1 year ago

Selected Answer: B

Answer B (No)

When an Azure Load Balancer gets created, it will probe backend to detect if the backend service is healthy or not, the probe packet is sent
from source address "AzureLoadBalancer", the IP address of "AzureLoadBalancer" is always 168.63.129.16.
https://msazure.club/addendum-of-azure-load-balancer-and-nsg-rules/

What is happening here is the LB Health Probe of TCP 443 to VM1 & VM2 are getting blocked by Rule 200 so it thinks both VM1 and VM2
are down. Hence App1 is failing as the LB won't direct any 443 traffic anywhere as it considers all Hosts are down.

Make a new rule above 200 or move rule 65001 up to <200, so the Health Probe will start working again, it will find a healthy host and start
to direct 443 traffic from 131.107.100.50 to it.
App1 is alive!
upvoted 20 times

Student2023 10 months, 2 weeks ago


For this question (and other questions with similar context) this is the first time the explanation made total sense.

Thank you!
upvoted 3 times
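
The rule ordering GBAU describes above can be checked with a small NSG evaluator. This is an added example, not part of the original thread: the exhibit is missing from this page, so rule 100 and the exact shape of rule 200 are constructed stand-ins, and the model assumes the health probe targets TCP 443.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

AZURE_LB_PROBE_IP = "168.63.129.16"   # health-probe source, as quoted in the comment above

# Service tags reduced to the prefixes this example needs (constructed mapping).
SERVICE_TAGS = {
    "AzureLoadBalancer": ["168.63.129.16/32"],
    "VirtualNetwork": ["10.0.0.0/16"],   # assumed VNet range
}


@dataclass(frozen=True)
class Rule:
    priority: int
    name: str
    source: str   # "*", a service tag, or an IP/CIDR
    port: str     # "*" or one destination port
    action: str   # "Allow" or "Deny"


# Azure's default inbound rules, always present at the bottom of every NSG.
DEFAULT_RULES = [
    Rule(65000, "AllowVnetInBound", "VirtualNetwork", "*", "Allow"),
    Rule(65001, "AllowAzureLoadBalancerInBound", "AzureLoadBalancer", "*", "Allow"),
    Rule(65500, "DenyAllInBound", "*", "*", "Deny"),
]

# Constructed stand-in for the missing exhibit: the client is allowed on 443,
# then rule 200 denies everything else on 443 (including the probe).
EXHIBIT_RULES = [
    Rule(100, "Allow_Client_443", "131.107.100.50", "443", "Allow"),
    Rule(200, "Deny_All_443", "*", "443", "Deny"),
] + DEFAULT_RULES

# The solution proposed in the question, and the fix suggested in the comment.
PROPOSED = EXHIBIT_RULES + [Rule(64999, "Deny_Client", "131.107.100.50", "*", "Deny")]
FIXED = EXHIBIT_RULES + [Rule(150, "Allow_LB_Probe_443", "AzureLoadBalancer", "443", "Allow")]


def source_matches(rule, src_ip):
    """True if src_ip falls inside the rule's source (wildcard, tag or CIDR)."""
    if rule.source == "*":
        return True
    prefixes = SERVICE_TAGS.get(rule.source, [rule.source])
    return any(ip_address(src_ip) in ip_network(p, strict=False) for p in prefixes)


def evaluate(rules, src_ip, dst_port):
    """Return the first matching rule in ascending priority order (lowest number wins)."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if source_matches(rule, src_ip) and rule.port in ("*", str(dst_port)):
            return rule
    raise LookupError("no rule matched; the default DenyAllInBound rule is missing")


def app_reachable(rules, client_ip, dst_port):
    """The LB forwards only to healthy backends, so probe AND client must be allowed."""
    probe = evaluate(rules, AZURE_LB_PROBE_IP, dst_port)
    client = evaluate(rules, client_ip, dst_port)
    return probe.action == "Allow" and client.action == "Allow"


if __name__ == "__main__":
    for label, rules in (("exhibit", EXHIBIT_RULES), ("proposed", PROPOSED), ("fixed", FIXED)):
        probe = evaluate(rules, AZURE_LB_PROBE_IP, 443)
        client = evaluate(rules, "131.107.100.50", 443)
        print(f"{label:9} probe -> {probe.priority} {probe.action:5} | "
              f"client -> {client.priority} {client.action:5} | "
              f"reachable: {app_reachable(rules, '131.107.100.50', 443)}")
```

The deny rule at 64999 is never reached for this traffic, and the probe stays blocked at rule 200 until an allow for the AzureLoadBalancer tag sits at a lower priority number.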

Zuurpruim Most Recent 5 months, 3 weeks ago

Selected Answer: B

"Attach Network Interface" is not greyed out which means the VM is powered off. That is the reason it's not working.
upvoted 2 times

conip 4 months, 4 weeks ago


I think sticking to the reason of greyed out "attach button" is misleading.
APP is on VM1 and VM2 - even if VM2 is shutdown it should still be served by VM1 - they do share NSG as its attached to subnet so we
still need to focus on NSG logic
upvoted 1 times

Bigc0ck 1 year, 1 month ago


still on test
upvoted 3 times

klexams 1 year, 3 months ago


Selected Answer: B

as rule 200 will still block port 443.


upvoted 2 times

klexams 1 year, 3 months ago


and we want to allow traffic from 131.107.100.50 over TCP port 443, not deny it.
upvoted 1 times

tahirMScert 1 year, 4 months ago


this was on exam 03oct2022 , I scored 870 and answered as Examtopics answer
upvoted 3 times

EmnCours 1 year, 5 months ago

Selected Answer: B

Correct Answer: B
upvoted 1 times

ajayasa 1 year, 11 months ago


this question was there on 16/03/2022 with same question and passed with 900 percent
upvoted 1 times

theorut 1 year, 11 months ago


You need to start the VM - check Attach Network which is available. This happens only when VM is turned off.
upvoted 6 times

JJoh 2 years ago


The screen cap already works, you do not need to do anything
upvoted 1 times

hberesford 2 years, 1 month ago


you need to change the priority of the inbound rule
upvoted 2 times

hberesford 2 years, 1 month ago


I mean the priority should not be 6995
upvoted 1 times

hberesford 2 years, 1 month ago


64999 it should be 150
upvoted 2 times

SK_2_SK 2 years, 2 months ago


Answer is No. You need to start VM.
upvoted 3 times

im82 2 years, 2 months ago


Was on exam today 19.11.2021. Passed with 920.
Correct answer: B
upvoted 11 times

omw2wealth 2 years, 4 months ago


Answer is correct :
No.
upvoted 3 times
Question #79 Topic 5

DRAG DROP -

You have an Azure subscription that contains two on-premises locations named site1 and site2.

You need to connect site1 and site2 by using an Azure Virtual WAN.

Which four actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

Select and Place:

Correct Answer:

Reference:

https://docs.microsoft.com/en-us/azure/virtual-wan/virtual-wan-site-to-site-portal

Sirkhunz Highly Voted 2 years, 4 months ago

Doing my AZ-104 this month, please pray for me


upvoted 62 times

Isidro56 7 months, 2 weeks ago


Good luck! This is a tough, popular, fun, interesting, valuable exam. Thanks exam topics for facilitating this material.
upvoted 3 times

Kalzonee3611 3 months, 3 weeks ago


Nothing about this exam is fun
upvoted 13 times

GepeNova 2 years, 4 months ago


good look for me tomorrow
upvoted 6 times

GepeNova 2 years, 4 months ago


**luck
upvoted 5 times

bogard 2 years, 3 months ago


did you pass?
upvoted 2 times

gregigitty 2 years, 2 months ago


We need to know! :-)
upvoted 3 times

nimeshabhinav 2 years, 1 month ago


If he is not back to this site, he passed the exam 😊
upvoted 62 times

shadad 12 months ago


LOL come on.
i returned after i passed TEAMS administrator :)
upvoted 3 times

im82 Highly Voted 2 years, 2 months ago


Was on exam today 19.11.2021. Passed with 920.
Correct answer:
1. Create Azure Virtual WAN
2. Create Virtual Hub
3. Create VPN sites
4. Connect VPN sites to virtual hub
upvoted 60 times

clg003 Most Recent 3 months, 3 weeks ago


Correct Answer but this doc clearly says to do all of these steps...
https://learn.microsoft.com/en-us/azure/virtual-wan/virtual-wan-site-to-site-portal

But the last step in their sequence is Connect a VN to the Virtual Hub. So I assume you leave that one out.
upvoted 2 times

xRiot007 8 months, 1 week ago


Create Virtual WAN > Create Hub > Create VPN Sites > Connect VPN sites to Hub
upvoted 1 times

CyberKelev 11 months, 2 weeks ago


Answer is correct
upvoted 2 times

zellck 1 year ago


1. Create Virtual WAN
2. Create Virtual Hub
3. Create VPN sites
4. Connect VPN sites to hub

https://learn.microsoft.com/en-us/azure/virtual-wan/virtual-wan-site-to-site-portal
upvoted 5 times

sabsyed 1 year ago


Correct answer 👍
upvoted 1 times

GBAU 1 year ago


Even if you didn't know for sure you can kinda fake it till you make it with something like this:

You need to pick 4/5 so only one has to go

2 options are about creating virtual wan+hub resources and 3 of them are about connecting.
There has to only be one way to connect in the answer (virtual network or VPN site) (so both wan+hub are needed either way to get to 4)
but we have two apparent processes

Either you
-"Connect the virtual networks to the hub"
or
-"Create VPN Sites" &
-"Connect VPN site to the hub" (what VPN sites, you have to create them, bingo, above option)

Go with the one that gives you 4 steps :)


upvoted 6 times

klexams 1 year, 3 months ago


correct:
Create a virtual WAN
Configure virtual hub Basic settings
Configure site-to-site VPN gateway settings
Create a site
Connect a site to a virtual hub
Connect a VPN site to a virtual hub
upvoted 2 times

perko28 1 year, 5 months ago


Wish me luck. Exam in 4 hours....
upvoted 4 times

Kem81 1 year, 3 months ago


how did it go? My exam is next week...
upvoted 1 times

ZakySama 1 year, 3 months ago


mine it is next week 11/11/2022
upvoted 1 times

MoSea 1 year, 3 months ago


mine is on the same day! Good luck to you!!
upvoted 1 times

EmnCours 1 year, 5 months ago


Correct answer:
1. Create Azure Virtual WAN
2. Create Virtual Hub
3. Create VPN sites
4. Connect VPN sites to virtual hub
upvoted 4 times

Davin0406 1 year, 5 months ago


I can see your comments all over the questions haha
So helpful, thank you!
upvoted 1 times

techie_11 1 year, 10 months ago


On exam 4/12/2022. correct answer
upvoted 2 times

nipi 1 year, 10 months ago


Create a virtual WAN
Configure hub Basic settings
Configure site-to-site VPN gateway settings
Create a site
Connect a site to a hub
Connect a VPN site to a hub
Connect a VNet to a hub
Download a configuration file
View or edit your VPN gateway
https://docs.microsoft.com/en-us/azure/virtual-wan/virtual-wan-site-to-site-portal
upvoted 4 times

ajayasa 1 year, 11 months ago


this question was there on 16/03/2022 with same question and passed with 900 percent
upvoted 1 times

InvisibleShadow 1 year, 11 months ago


This question came in the exam today 8/Mar/2022.
I passed the exam, 95% questions came from here.
upvoted 2 times

sid132 1 year, 11 months ago


On the exam today, 4.March.2022
upvoted 1 times

nidhogg 2 years ago


On the exam today, 1.feb.2022
Just 761/1000, but OK! :D
Thanks to ExamTopics and to you all!
upvoted 3 times

practical_93 2 years ago


Looks like you got all the 341 questions on your exam. I see your comment on every single question lol
upvoted 12 times
Question #80 Topic 5

HOTSPOT -

You have an Azure subscription that contains the virtual networks shown in the following table.

You have the virtual machines shown in the following table.

You have the virtual network interfaces shown in the following table.

Server1 is a DNS server that contains the resources shown in the following table.

You have an Azure private DNS zone named contoso.com that has a virtual network link to VNET2 and the records shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

speed2fast Highly Voted 2 years, 4 months ago

Solution seems wrong. Should be No/Yes/No (not tested)

No: Server2 uses Server1 for DNS. Server1 has no host2.contoso.com record for 131.107.50.50. It would work if VNET1 had a virtual
network link to the private zone contoso.com.
Yes: Server2 uses Server1 for DNS. Server1 has a host1.contoso.com record for 131.107.10.15
No: Server3 uses 10.10.0.4 as DNS (inherited from VNET2). 10.10.0.4 (Server1) has no record for host2.contoso.com. The virtual network
link for the private zone contoso.com on VNET2 won't be used since the DNS from VNET1 is set on VNET2. VNET1 DNS is not aware of the
private zone contoso.com. It would work if VNET1 had a virtual network link to the private zone contoso.com.
upvoted 108 times

przema86 1 year, 2 months ago
I agree with these answers N/Y/N
I hate such questions, such scenarios don't exist in real life. If I would see such thing in production I would shout at engineers.
upvoted 23 times

itgg11 1 year, 11 months ago


Answer 3 is not correct.
I had to test in the lab to make sure.
Answer 3 is YES.
Server3 is able to resolve host2.contoso.com
Reason:
Server3 is connected to VNET2 which is linked to a private DNS zone containing an "A" record for host2.contoso.com 131.107.50.50.
upvoted 23 times

magichappens 1 year, 10 months ago


Are you really sure you also setup the peering in your lab? Server3 would actually reach the DNS Server1 and would resolve to a
different IP. I think it's No/Yes/No
upvoted 5 times

jeru81 6 days, 8 hours ago


where did you read sth about peering?
upvoted 1 times

jeru81 6 days, 8 hours ago


got it
upvoted 1 times

[Removed] 2 years, 1 month ago


I agree with this. The answer should be No, Yes, No.
upvoted 2 times

theOldOne 2 years, 4 months ago


I got the same thing
upvoted 3 times

alex_p 2 years, 4 months ago


How Server3 uses 10.10.0.4 for DNS Server!? Could you explain, please? For NIC3 we have DNS settings "Inherit from virtual
network". In addition Server3 is in VNET2. VNET2 is linked to the private zone contoso.com which has a record for
host2.contoso.com. So Server3 would be able to resolve it. I think the 3rd is YES!
N-Y-Y
upvoted 29 times

theOldOne 2 years, 3 months ago


Alex-p I can see where you are coming from
upvoted 1 times

nzalex1 2 years, 3 months ago


Vnet2 has DNS 10.10.10.4 configured. Unless forwarder on this DNS configured to Azure (and we don't have this info), the linked
private zone will not have an effect
upvoted 5 times

Sharathjogi 2 years, 1 month ago


VNET2 doesn't have 10.10.10.4 as DNS server. That DNS server is of NIC2, which belongs to VNET1. VNET2 is linked to
private.contoso.com, which has a record for host2.contoso.com. Hence it should resolve.
upvoted 2 times

Sharathjogi 1 year, 10 months ago


I take my words back, NIC configured DNS takes precedence over VNET configured DNS.
upvoted 4 times

slimshady Highly Voted 2 years, 4 months ago


I just tested this for myself, results were:
server 2 resolve host2.contoso.com - NO - only host1 exists in the server1-hosted DNS zone, so cannot resolve - and setting server2 to use
server1 as a DNS server means it does not use any other DNS servers.
server 2 resolve host1.contoso.com - YES to the server1 hosted DNS address ie. 131.107.10.15
server3 resolve host2.contoso.com - YES to the Azure hosted DNS address ie. 131.107.50.50.
server3 can also resolve host1.contoso.com to the Azure hosted DNS address (of course).
hope this helps :)
upvoted 54 times

go4adil 2 weeks ago


Agree with slimshady!
upvoted 1 times

slimshady 2 years, 4 months ago


actually I just noticed after reading the comments again that i forgot to set the server1 DNS server on VNET2 - when i did this and
updated the servers, server3 could no longer resolve host2.contoso.com as it was using the server1 hosted DNS server. so i say the
answer is NO-YES-NO
upvoted 48 times

ejml 2 years, 4 months ago


slimshady, in your test, have you peered the vnet's?. Thanks
upvoted 3 times

mdwSysOps 11 months, 2 weeks ago


This is the right answer!!
upvoted 1 times

rnd3131 Most Recent 3 weeks, 2 days ago

DNS in Peered VNets


Independent DNS Configuration: Each VNet in Azure can be configured with its own DNS servers. When you peer VNets, these
configurations remain independent. A VNet does not inherit or override the DNS server settings of the VNet it is peered with.

Resolution Across Peered VNets: Resources in peered VNets can resolve DNS names as per their respective VNet’s DNS settings. If a
resource in VNet A needs to resolve a name managed by a DNS server in VNet B, it can do so if the DNS server in VNet B is accessible and
if the necessary DNS forwarding or conditional forwarding is set up.

Custom DNS Scenarios: In scenarios where you have custom DNS servers, you might need to configure DNS forwarding or conditional
forwarding to ensure proper name resolution across peered VNets.

Azure-Provided DNS: If you are using Azure-provided DNS, the resolution of names for resources in Azure (like VMs) works across peered
VNets without additional configuration.
upvoted 2 times

Jacky_exam 1 month, 3 weeks ago


what a shit design. just fire the engineer and fix this question.
upvoted 3 times

FreeSwan 4 months, 2 weeks ago


Server 2 connects Server 1 DNS.
1. No - No entry for host2
2. Yes - host1 found 131.107.10.15

Server 3 used VNET2


3. Yes - host2 found as 131.107.50.50

So resolved
upvoted 2 times

Elecktrus 6 months ago


In the exam today, 18/08/2023. First question was different, it was Server1
upvoted 5 times

nomanmalik101 6 months ago


what the hell? every second question has confusion. Why are we not able to get the exact answers even after paying huge amount?
upvoted 5 times

quocdunginfo2 6 months, 1 week ago


Server 2 => NIC2 => 10.10.0.4 => host2.contoso.com => No entry => No
Server 2 => NIC2 => 10.10.0.4 => host1.contoso.com => 131.107.10.15 => Yes
Server 3 => NIC3 => VNET2 => 10.10.0.4 => host2.contoso.com => No entry => No
upvoted 13 times

Josete1106 6 months, 4 weeks ago


N Y N is correct!
upvoted 3 times

Rayza31 7 months, 3 weeks ago


I do not understand how answers provided in the site can have so many incorrect answers. Exam topics needs to do better.
upvoted 7 times

NurSalman 7 months, 2 weeks ago


be careful not to select the same wrong answers from ET in the actual microsoft exam.
You can get lifetime banned because they have an algorithm
upvoted 6 times

Indy429 1 month, 3 weeks ago


How do you know this?
upvoted 1 times

RandomNickname 7 months, 4 weeks ago


Agree with N,Y,Y.
Comment from hanyahmed makes the most sense.

For box3 see:


https://learn.microsoft.com/en-us/azure/dns/private-dns-virtual-network-links

"After you create a private DNS zone in Azure, you'll need to link a virtual network to it. Once linked, VMs hosted in that virtual network can
access the private DNS zone. Every private DNS zone has a collection of virtual network link child resources. Each one of these resources
represents a connection to a virtual network. A virtual network can be linked to private DNS zone as a registration or as a resolution virtual
network."
upvoted 2 times

picho707 8 months, 2 weeks ago


I see it this way.
Server2 => NIC2 => NIC2 DNS 10.0.0.4 = YES
Server2 => NIC2 => NIC2 DNS 10.0.0.4 = YES
Server3 => NIC3 => VNET2 DNS Provided 10.0.0.4 = YES
upvoted 2 times

SIAMIANJI 8 months, 3 weeks ago


The correct answer is No/Yes/No
upvoted 2 times

FreeSwan 9 months, 4 weeks ago


1. No (Server 2 – NIC2 resolves based on Server 1 DNS)
2. Yes (Server 2 – NIC2 resolves based on Server 1 DNS)
3. Yes (Server 2 – NIC3 resolved inherit VNET2)
upvoted 7 times

Goofer 10 months, 2 weeks ago


Server2 = Nic2 - DNS server 10.10.0.4 = A-Record Host2.contoso.com = Not available
Server2 = Nic2 - DNS server 10.10.0.4 = A-Record Host1.contoso.com = 131.107.10.15
Server3 = Nic3 - Azure private DNS = A-Record Host2.contoso.com = 131.107.50.50
Answers are: N-Y-Y
upvoted 7 times

Rams_84zO6n 10 months, 3 weeks ago


- [ ] No - Host2 is A record on private zone. Server2 is on VNET1 which is not attached to the private zone
- [ ] Yes - host1 is both on private and public zone. Server2 can access public zone and resolves host1 to the 131.107.10.15 IP
- [ ] Yes. - host2 is only on private zone. VNET2 attached to private zone. Server3 is on VNET2 and resolves host2 to 131.107.50.50
upvoted 2 times

curtmcgirt 12 months ago


vnet1 uses azure dns.
vnet2 is linked to azure private zone contoso.com, but
vnet2 uses 10.0.0.4 server1 dns.
.
server2 nic 2 is in vnet1, but nic specifies 10.0.0.4 dns.
server3 nic 3 is in vnet2, and uses 10.0.0.4 dns inherited from vnet2.
.
10.0.0.4 server1 dns has no host2 record.
10.0.0.4 server1 dns says host1 is at the .15 address.
.
no, server2 can't resolve host2.
yes, server2 resolves host1 to the .15 address.
no, server3 can't resolve host2.
upvoted 4 times
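
The precedence the No/Yes/No answers in this thread rely on (NIC DNS setting, then VNet DNS setting, then Azure-provided DNS, which is the only path that consults a linked private zone) can be modelled in a few lines. This is an added example, not part of the thread: the tables are missing from this page, so the layout follows speed2fast's and curtmcgirt's reading of them, with 10.10.0.4 assumed as Server1's address and no forwarder configured on Server1.

```python
from dataclasses import dataclass, field

AZURE_DNS = "168.63.129.16"   # Azure-provided resolver


@dataclass
class VNet:
    name: str
    dns_servers: list = field(default_factory=list)   # empty list = Azure-provided DNS


@dataclass
class Nic:
    name: str
    vnet: VNet
    dns_servers: list = field(default_factory=list)   # empty list = inherit from the VNet


@dataclass
class PrivateZone:
    records: dict        # name -> IPv4
    linked_vnets: set    # names of VNets that have a virtual network link


def effective_dns(nic):
    """NIC-level servers win, then VNet-level servers, then Azure-provided DNS."""
    return nic.dns_servers or nic.vnet.dns_servers or [AZURE_DNS]


def resolve(name, nic, custom_servers, zones):
    """Return the IPv4 the VM behind `nic` gets for `name`, or None if unresolved."""
    server = effective_dns(nic)[0]
    if server != AZURE_DNS:
        # A custom server answers only from its own records (no forwarder assumed);
        # the private zone linked to the VM's VNet is never consulted on this path.
        return custom_servers.get(server, {}).get(name)
    for zone in zones:
        if nic.vnet.name in zone.linked_vnets and name in zone.records:
            return zone.records[name]
    return None


def scenario(vnet2_dns):
    """Answer the three statements for a given VNET2 DNS setting (constructed layout)."""
    vnet1 = VNet("VNET1")                                   # Azure-provided DNS
    vnet2 = VNet("VNET2", dns_servers=list(vnet2_dns))
    nic2 = Nic("NIC2", vnet1, dns_servers=["10.10.0.4"])    # Server2: custom DNS on the NIC
    nic3 = Nic("NIC3", vnet2)                               # Server3: inherits from VNET2
    server1 = {"10.10.0.4": {"host1.contoso.com": "131.107.10.15"}}
    # Only the host2 record is modelled; its value is the one quoted in the thread.
    zones = [PrivateZone({"host2.contoso.com": "131.107.50.50"}, {"VNET2"})]
    return {
        "server2_host2": resolve("host2.contoso.com", nic2, server1, zones),
        "server2_host1": resolve("host1.contoso.com", nic2, server1, zones),
        "server3_host2": resolve("host2.contoso.com", nic3, server1, zones),
    }


if __name__ == "__main__":
    print("VNET2 uses Server1 as DNS:", scenario(["10.10.0.4"]))
    print("VNET2 uses Azure DNS:     ", scenario([]))
```

The second call reproduces slimshady's first test run, before the Server1 DNS address was set on VNET2: with Azure-provided DNS, Server3 reaches the linked private zone.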
Question #81 Topic 5

You have a virtual network named VNet1 as shown in the exhibit. (Click the Exhibit tab.)

No devices are connected to VNet1.

You plan to peer VNet1 to another virtual network named VNet2. VNet2 has an address space of 10.2.0.0/16.

You need to create the peering.

What should you do first?

A. Modify the address space of VNet1.

B. Add a gateway subnet to VNet1.

C. Create a subnet on VNet1 and VNet2.

D. Configure a service endpoint on VNet2.

Correct Answer: A

The virtual networks you peer must have non-overlapping IP address spaces. The exhibit indicates that VNet1 has an address space of 10.2.0.0/16, which is the same as VNet2, and thus overlaps. We need to change the address space for VNet1.

Reference:

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-manage-peering#requirements-and-constraints

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-faq

Community vote distribution


A (100%)

pakman Highly Voted 2 years, 4 months ago

Correct. Modify the address space of VNET1, since it'd be overlapping with the one of VNET2 if you don't.
upvoted 33 times

PhoenixAscending Most Recent 1 week, 6 days ago

This was on my exam. The suggested answer to the question is correct.


upvoted 1 times

xRiot007 8 months, 1 week ago


A - modify the address space of VNET1
You have to do this to eliminate the overlap between VNET1 and VNET2
upvoted 2 times

zellck 1 year ago

Selected Answer: A

A is the answer.

https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-manage-peering?tabs=peering-portal#requirements-and-constraints
The virtual networks you peer must have non-overlapping IP address spaces.
upvoted 4 times

klexams 1 year, 3 months ago


A as the only correct option. addresses cannot overlap for peering to happen.
upvoted 2 times

EmnCours 1 year, 5 months ago

Selected Answer: A

Correct Answer: A
upvoted 1 times

libran 1 year, 5 months ago

Selected Answer: A

Correct Answer: A
upvoted 1 times

Teringzooi 1 year, 11 months ago

Selected Answer: A

Correct. Modify the address space of VNET1, since it'd be overlapping with the one of VNET2 if you don't.
upvoted 1 times

Efficia 2 years ago


Selected Answer: A

Correct Answer: A
The virtual networks you peer must have non-overlapping IP address spaces.

Reference: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-manage-peering#requirements-and-constraints
upvoted 4 times

fabylande 2 years, 4 months ago


In exam today! October 16, 2021
upvoted 4 times

GepeNova 2 years, 4 months ago


Correct A
Both VNETs have the same address space
upvoted 1 times
Question #82 Topic 5

You have the Azure virtual machines shown in the following table.

VNET1 is linked to a private DNS zone named contoso.com that contains the records shown in the following table.

You need to ping VM2 from VM1.

Which DNS names can you use to ping VM2?

A. comp2.contoso.com and comp4.contoso.com only

B. comp1.contoso.com, comp2.contoso.com, comp3.contoso.com, and comp4.contoso.com

C. comp2.contoso.com only

D. comp1.contoso.com and comp2.contoso.com only

E. comp1.contoso.com, comp2.contoso.com, and comp4.contoso.com only

Correct Answer: B

Reference:

https://medium.com/azure-architects/exploring-azure-private-dns-be65de08f780
https://simpledns.plus/help/dns-record-types

Community vote distribution


C (97%)

Quantigo Highly Voted 2 years, 4 months ago

Correct Answer C: comp2.contoso.com only


A record: Is used to map a DNS/domain name to an IP
Ref:https://www.cloudflare.com/learning/dns/dns-records/dns-a-record/
TXT records in a lot of cases get used to prove ownership of a domain, it has other purposes too.
Reference:
https://support.google.com/a/answer/2716800?hl=en#:~:text=TXT%20records%20are%20a%20type,and%20to%20ensure%20email%20security.
PTR: A Reverse DNS lookup is used by remote hosts to determine who 'owns' an IP address.
Reference:
https://www.mailenable.com/kb/content/article.asp?ID=ME020206
CNAME records get used to redirect a DNS name or subdomain name to another DNS name or domain name or subdomain name.
reference: https://support.dnsimple.com/articles/cname-record/
It would do good to read up on DNS record types and what they are used for, you will be lost if you don't have a basic understanding of it.
https://ns1.com/resources/dns-types-records-servers-and-queries
DNS is a key component In the IT field.
I hope this info will help.
upvoted 114 times

Takloy 2 years, 2 months ago


So agree man! you just reminded me to review DNS and DNS alone.
upvoted 4 times

slimshady Highly Voted 2 years, 4 months ago

tested this, i say it is C - comp2.contoso.com ONLY. i created each of the records in my Azure DNS zone, a TXT record is not resolvable, an A
record is resolvable, the CNAME is pointing to comp1 which again is not resolvable, and the PTR record should be an IP to a name, when i
created the PTR record it wanted me to enter a domain name eg. contoso.com, not an IP address but i put the IP address in anyway, and it
did not resolve. So i say it is C - comp2 ONLY
upvoted 38 times

AZ_Guru_Wannabe 1 year, 12 months ago


good testing thx
upvoted 2 times

friendlyvlad Most Recent 8 months, 3 weeks ago


C must be correct. When you ping an IP address, the DNS resolver is not involved. The rest of the choices will require the DNS resolver.
BTW the PTR record is wrong. Its value must be domain and not IP.
upvoted 3 times

habbey 9 months, 2 weeks ago


anybody know why we cant use comp3 ?
upvoted 1 times

Batiste2023 3 months, 2 weeks ago


Comp3 is a CNAME for Comp1 - which refers to a TXT record. TXT records are not for name resolution. So neither Comp1 nor Comp3
translates to the right IP address, 10.0.0.5. And that's what the DNS name that we're looking for here is supposed to do.

C is the right answer.


upvoted 3 times

  Rams_84zO6n 10 months, 3 weeks ago

Selected Answer: C

A record resolves ip address 10.0.0.5 to comp2.contoso.com. The only other name we could find is an alias name (CNAME) record. But there
are no CNAME entries listed for comp2 so C is the answer
upvoted 1 times

  zellck 1 year ago

Selected Answer: C

C is the answer.

https://learn.microsoft.com/en-us/azure/dns/dns-zones-records#record-types
Each DNS record has a name and a type. Records are organized into various types according to the data they contain. The most common
type is an 'A' record, which maps a name to an IPv4 address.
upvoted 6 times

  zellck 12 months ago


Got this in Feb 2023 exam.
upvoted 11 times

  SunilSenthil 4 months ago


and what did you answer? did you get it right?
upvoted 1 times

  GBAU 1 year ago


You can't ping a txt record even if the text in the record is formatted as an IP address
Pinging a CNAME that points to a text record has the same result.
You can't ping a PTR record

Basically you can only ping an A record or a CNAME pointing to an A record (ignoring IP6)
upvoted 3 times
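The rule stated in the comments above (a name is pingable only if it is an A record or a CNAME chain that ends at one), as an added example that is not part of the original thread. The zone is constructed from the record types the commenters describe, and `alias`, `loop1` and `loop2` are hypothetical extra records that cover a CNAME ending at an A record and a CNAME loop.

```python
from typing import Dict, List, Optional, Tuple

Record = Tuple[str, str]        # (record type, value)
Zone = Dict[str, List[Record]]  # owner name -> records stored at that name

# The four records as the thread describes them (constructed sample data).
THREAD_ZONE: Zone = {
    "comp1.contoso.com": [("TXT", "10.0.0.5")],
    "comp2.contoso.com": [("A", "10.0.0.5")],
    "comp3.contoso.com": [("CNAME", "comp1.contoso.com")],
    "comp4.contoso.com": [("PTR", "10.0.0.5")],
}

# Hypothetical extra records for the general cases.
EXTENDED_ZONE: Zone = {
    **THREAD_ZONE,
    "alias.contoso.com": [("CNAME", "comp2.contoso.com")],
    "loop1.contoso.com": [("CNAME", "loop2.contoso.com")],
    "loop2.contoso.com": [("CNAME", "loop1.contoso.com")],
}


def _norm(name: str) -> str:
    """Lower-case a name and drop the trailing root dot."""
    return name.lower().rstrip(".")


def resolve_ipv4(zone: Zone, name: str,
                 max_hops: int = 8) -> Tuple[Optional[str], List[str]]:
    """Resolve a name the way ping needs it: to an IPv4 address.

    Only A records yield an address. CNAMEs are followed; TXT and PTR data
    are ignored even when the value happens to look like an IP address.
    Returns (address or None, human-readable trace).
    """
    trace: List[str] = []
    seen = set()
    current = _norm(name)
    while len(seen) <= max_hops:
        if current in seen:
            trace.append(f"{current}: CNAME loop")
            return None, trace
        seen.add(current)
        records = zone.get(current)
        if records is None:
            trace.append(f"{current}: name does not exist")
            return None, trace
        by_type = dict(records)
        if "A" in by_type:
            trace.append(f"{current}: A {by_type['A']}")
            return by_type["A"], trace
        if "CNAME" in by_type:
            target = _norm(by_type["CNAME"])
            trace.append(f"{current}: CNAME -> {target}")
            current = target
            continue
        trace.append(f"{current}: no A record (has {', '.join(sorted(by_type))})")
        return None, trace
    trace.append("CNAME chain too long")
    return None, trace


def pingable_names(zone: Zone, target_ip: str) -> List[str]:
    """Names in the zone that resolve to target_ip."""
    return sorted(n for n in zone if resolve_ipv4(zone, n)[0] == target_ip)


if __name__ == "__main__":
    for host in sorted(EXTENDED_ZONE):
        address, steps = resolve_ipv4(EXTENDED_ZONE, host)
        print(f"{host:20} -> {address}   [{'; '.join(steps)}]")
```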

  typales2005 1 year, 1 month ago


Selected Answer: C

Was in the 09/01/2023 exam


upvoted 5 times

  Pear7777 1 year, 2 months ago


Correct answer should be Comp2.contoso.com AND Comp3.contoso.com, because comp in the end also resolves to wanted IP. but that
answer is not there, so only C
upvoted 2 times

  andi_y 1 year, 2 months ago


This is not correct. COMP3.contoso.com redirects to COMP1.contoso.com BUT COMP1.contoso.com is a TXT RECORD and so not
pingable. So the only correct answer is C (COMP2.contoso.com)
upvoted 2 times

  klexams 1 year, 3 months ago


C. comp2 only. A record resolves fwd lookup.
upvoted 1 times

  sesky 1 year, 3 months ago


Who creates these sorts of answers? Can't get any more wrong!
upvoted 2 times

  dc2k79 1 year, 3 months ago


C
Comp 1 - TXT - it's just a text record used for domain validation, and is not used for resolving address
Comp2 - A Record - the actual record for IPv4-to-Domain resolution (others are CNAME and AAAA).
Comp 3 - CNAME - This is CNAMing to another computer and not Comp2
Comp4 - PTR - this record does not resolve to an IP. It resolves to a domain name.
Only correct choice is 'C'
upvoted 2 times

  crazyrobban 1 year, 3 months ago

Selected Answer: C

So many people saying B? The question clearly states what you can -ping- VM2 with.
Answer is C.
upvoted 1 times

  LUISCA2021 1 year, 3 months ago


Selected Answer: B

nslookup working in any DNS


upvoted 1 times

  LUISCA2021 1 year, 3 months ago


The correct option is B. nslookup working in all DNS , this question in the exam 20 oct 22.
upvoted 1 times

  curtmcgirt 12 months ago


who said anything about nslookup? the question says "ping," so the txt and ptr records, and a cname pointing at a txt record, don't do
us any good.
upvoted 1 times

  EmnCours 1 year, 5 months ago

Selected Answer: C

Correct Answer: C
upvoted 1 times

  EleChie 1 year, 5 months ago


You can lookup for any DNS records by using command line cmd:
1. nslookup -q=ptr google.com "PTR record"
2. nslookup -q=a google.com "A record" "IP address"
3. nslookup -q=mx google.com "Mail exchange record "
4. nslookup -q=cname google.com "Alias name"
5. nslookup -q=txt google.com "info"
6. nslookup -q=ns google.com "Identify DNS servers"
7. nslookup -q=dchid google.com "Information related to DHCP"
upvoted 4 times

  curtmcgirt 12 months ago


now do 'ping' like the question says.
upvoted 1 times

  Hyrydar 1 year, 3 months ago


Your point being!!
upvoted 1 times
Question #83 Topic 5

HOTSPOT -

You have a network security group (NSG) named NSG1 that has the rules defined in the exhibit. (Click the Exhibit tab.)

NSG1 is associated to a subnet named Subnet1. Subnet1 contains the virtual machines shown in the following table.

You need to add a rule to NSG1 to ensure that VM1 can ping VM2. The solution must use the principle of least privilege.

How should you configure the rule? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

Reference:

https://www.thomasmaurer.ch/2019/09/how-to-enable-ping-icmp-echo-on-an-azure-vm/

  speed2fast Highly Voted  2 years, 4 months ago

Answer is wrong. We need to undo the DENY_PING rule with the principle of least privilege.

Direction: Outbound
Source 10.1.0.10 (VM1)
Destination: 10.1.0.11 (VM2)
Priority: 110
upvoted 379 times

  Indy429 1 month, 3 weeks ago


Thank you, I was about to freak out when I revealed ET's answer.

The only logical answer is


Outbound
10.1.0.10
10.1.0.11
110
upvoted 1 times

  mdwSysOps 11 months, 3 weeks ago


this is the correct answer
upvoted 3 times

  techrat 1 year, 11 months ago


I can confirm that speed2fast is correct. It was on my exam yesterday; I passed with a score of 923 and got 100% correct on all of the network
related questions.
upvoted 22 times

  Fananico 2 years, 3 months ago


I test it your answer is current
upvoted 9 times

  Quantigo Highly Voted  2 years, 4 months ago


Correct answer:
Direction: Outbound
Source 10.1.0.10 (VM1)
Destination: 10.1.0.11 (VM2)
Priority: 110
the given solution is not correct.
upvoted 38 times

  theOldOne 2 years, 4 months ago


What about inbound? Keep the rest the same.
upvoted 3 times

  yolap31172 2 years ago


Since VM1 and VM2 are in the same subnet, NSG would apply both inbound and outbound rules to traffic. Your inbound rule could
let the ICMP request reach VM2, but existing outbound rule would prevent it from going out of VM1 in the first place.

Having an outbound rule with priority 110 overrides the existing Deny rule.
upvoted 18 times

  FlaShhh 4 days ago


well explained
upvoted 1 times

  rnd3131 Most Recent  3 weeks, 2 days ago

direction is outbound because sourceprefix is virtualnetwork


upvoted 1 times

  Josete1106 6 months, 4 weeks ago


This is correct!

Direction: Outbound
Source 10.1.0.10 (VM1)
Destination: 10.1.0.11 (VM2)
Priority: 110
upvoted 3 times

  Jzx 10 months, 2 weeks ago


Ping doesn't work if you mention only one direction.. ie VM1-->VM2

ping contains icmp echo request VM1---->VM2 & ICMP echo response VM2----> VM1 so it's bidirectional.. the given answer makes more
upvoted 2 times

  tech07 7 months, 2 weeks ago


NSG rules are stateful
upvoted 3 times

  Andrew04 11 months ago


I've tested on my tenant:
Outbound rule
Source 10.0.0.10 (VM1)
Dest 10.0.0.11 (VM2)
Priority 110
Protocol ICMP

it works!
upvoted 3 times

  vbohr899 11 months, 3 weeks ago


Cleared Exam today 26 Feb, This question was there in exam.
upvoted 8 times

  Zeppoonstream 1 year, 1 month ago


Why is source and destination not 10.1.0.10; 10.1.0.11 ? Don't you need the rule to be vice versa?
upvoted 2 times

  Zeppoonstream 1 year, 1 month ago


Edit: Ok got it. It's about the handshake. Only one connection is needed. You don't need to ensure that an inbound rule exists, because
the traffic is already allowed by the outbound rule.
upvoted 2 times

  Archie1206 1 year, 3 months ago


ping needs to be two way, so the source and destination should both be 10.1.0.10/10.1.0.11. and direction outbound
upvoted 1 times

  klexams 1 year, 3 months ago


to override the existing rule DENY_PING:
Inbound
10.1.0.10
10.1.0.11
110
upvoted 2 times

  klexams 1 year, 3 months ago


inbound/outbound is allowed within VNET, BUT rule 111 stops the outbound. So we need a higher priority rule to allow this outbound for
VM1 ping to VM2. And with principle of least privilege in mind. Answer is:
Outbound
10.1.0.10
10.1.0.11
110
upvoted 7 times
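The evaluation order the commenters rely on (lowest priority number wins, outbound and inbound are both checked for traffic inside the subnet, replies ride on the allowed flow), as an added example that is not part of the original thread. The exhibit is not reproduced on this page, so `DENY_PING` is reconstructed from the comments as an outbound ICMP deny at priority 111 with source VirtualNetwork; the VNet address space 10.1.0.0/16 and the rule name `ALLOW_VM1_PING_VM2` are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

VNET = ipaddress.ip_network("10.1.0.0/16")  # assumed address space
VM1, VM2 = "10.1.0.10", "10.1.0.11"         # addresses quoted in the thread


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int     # lower number is evaluated first
    direction: str    # "Inbound" or "Outbound"
    protocol: str     # "ICMP", "TCP", "UDP" or "*"
    source: str       # CIDR, single IP, "*" or "VirtualNetwork"
    destination: str
    action: str       # "Allow" or "Deny"


# Default rules that can match traffic inside the VNet. The load balancer
# and Internet defaults are left out because they never match this flow.
DEFAULT_RULES: List[Rule] = [
    Rule("AllowVnetInBound", 65000, "Inbound", "*", "VirtualNetwork", "VirtualNetwork", "Allow"),
    Rule("DenyAllInBound", 65500, "Inbound", "*", "*", "*", "Deny"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "*", "VirtualNetwork", "VirtualNetwork", "Allow"),
    Rule("DenyAllOutBound", 65500, "Outbound", "*", "*", "*", "Deny"),
]

# Reconstructed from the comments, not copied from the exhibit.
NSG1: List[Rule] = DEFAULT_RULES + [
    Rule("DENY_PING", 111, "Outbound", "ICMP", "VirtualNetwork", "*", "Deny"),
]


def _in_prefix(prefix: str, ip: str) -> bool:
    if prefix == "*":
        return True
    addr = ipaddress.ip_address(ip)
    if prefix == "VirtualNetwork":
        return addr in VNET
    return addr in ipaddress.ip_network(prefix, strict=False)


def add_rule(rules: List[Rule], rule: Rule) -> List[Rule]:
    """Priorities must be unique per direction; a duplicate is rejected."""
    if any(r.direction == rule.direction and r.priority == rule.priority for r in rules):
        raise ValueError(f"priority {rule.priority} already used for {rule.direction}")
    return rules + [rule]


def evaluate(rules: List[Rule], direction: str, protocol: str, src: str, dst: str) -> Rule:
    """Return the first matching rule in priority order."""
    for rule in sorted((r for r in rules if r.direction == direction), key=lambda r: r.priority):
        if (rule.protocol in ("*", protocol)
                and _in_prefix(rule.source, src)
                and _in_prefix(rule.destination, dst)):
            return rule
    raise LookupError("no rule matched")  # unreachable while the defaults exist


def can_ping(rules: List[Rule], src: str, dst: str) -> Tuple[bool, str]:
    """Echo request only: the NSG is stateful, so the echo reply is not
    evaluated again. Both VMs sit in the subnet the NSG is attached to,
    so the request passes outbound rules (at src) then inbound rules (at dst).
    Returns (allowed, name of the deciding rule)."""
    out = evaluate(rules, "Outbound", "ICMP", src, dst)
    if out.action == "Deny":
        return False, out.name
    inbound = evaluate(rules, "Inbound", "ICMP", src, dst)
    return inbound.action == "Allow", inbound.name


def allow_ping(priority: int, direction: str) -> Rule:
    """Least-privilege candidate: ICMP from VM1 to VM2 only."""
    return Rule("ALLOW_VM1_PING_VM2", priority, direction, "ICMP", VM1, VM2, "Allow")


if __name__ == "__main__":
    print("before:", can_ping(NSG1, VM1, VM2))
    for prio, direction in [(110, "Outbound"), (110, "Inbound"), (112, "Outbound")]:
        trial = add_rule(NSG1, allow_ping(prio, direction))
        print(f"{direction} {prio}:", can_ping(trial, VM1, VM2))
```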

  pkkalra 1 year, 5 months ago


as speed2fast said.

Direction: Outbound
Source 10.1.0.10 (VM1)
Destination: 10.1.0.11 (VM2)
Priority: 110

Please note that the rule won't block outbound response from VM2.
NSGs allow or deny the establishment of a TCP connection. Once a connection is established, traffic can flow both ways as needed without
obstruction. NSGs will not end active TCP connections either.
upvoted 3 times

  ZacAz104 1 year, 5 months ago


can't believe they got this wrong, sounds stupid; you have to mention source ip, destination, less priority
Direction: Outbound
Source 10.1.0.10 (VM1)
Destination: 10.1.0.11 (VM2)
Priority: 110
upvoted 1 times

  EmnCours 1 year, 5 months ago


Direction: Outbound
Source 10.1.0.10 (VM1)
Destination: 10.1.0.11 (VM2)
Priority: 110
upvoted 1 times

  F117A_Stealth 1 year, 5 months ago


Correct answer:
Direction: Outbound
Source 10.1.0.10 (VM1)
Destination: 10.1.0.11 (VM2)
Priority: 110
upvoted 2 times

  gg905 1 year, 9 months ago


If you do Priority 111, will it overwrite the existing deny rule?
upvoted 1 times

  Dobby25 1 year, 11 months ago


Received this on my exam today 19/03/2022
upvoted 3 times
Question #84 Topic 5

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have a computer named Computer1 that has a point-to-site VPN connection to an Azure virtual network named VNet1. The point-to-site connection uses a self-signed certificate.

From Azure, you download and install the VPN client configuration package on a computer named Computer2.

You need to ensure that you can establish a point-to-site VPN connection to VNet1 from Computer2.

Solution: On Computer2, you set the Startup type for the IPSec Policy Agent service to Automatic.

Does this meet the goal?

A. Yes

B. No

Correct Answer: B

Each client computer that connects to a VNet using Point-to-Site must have a client certificate installed. You generate a client certificate from the self-signed root certificate, and then export and install the client certificate. If the client certificate is not installed, authentication fails.

Reference:

https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-certificates-point-to-site

Community vote distribution


B (100%)

  Quantigo Highly Voted  2 years, 4 months ago

Correct Answer: B
the certificate needs to be installed on the machine you are counting from.
upvoted 32 times

  zellck Most Recent  1 year ago

Selected Answer: B

B is the answer.

https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-certificates-point-to-site#clientcert
Each client computer that connects to a VNet using Point-to-Site must have a client certificate installed. You generate a client certificate
from the self-signed root certificate, and then export and install the client certificate. If the client certificate isn't installed, authentication
fails.
upvoted 2 times

  mung 1 year, 2 months ago


You have to export a self signed certificate from the root certificate and install it in the machine.
upvoted 1 times

  klexams 1 year, 3 months ago


No. You need the cert on comp2.
upvoted 1 times

  Oualy 1 year, 4 months ago


Correct Answer: B
You must export the client certificate from Computer1 and install the certificate on Computer2.
The point-to-site connection uses a self-signed certificate.
upvoted 3 times

  EmnCours 1 year, 5 months ago

Selected Answer: B

Correct Answer: B
upvoted 2 times

  bduhamel 1 year, 11 months ago

Selected Answer: B

Answer is B
upvoted 1 times

  Teringzooi 1 year, 11 months ago

Selected Answer: B
Correct Answer: B

you need to install certificate on the machine you are counting from.
upvoted 1 times

  JayJay22215 1 year, 11 months ago

Selected Answer: B

Correct approach would be to export Cert from Computer1 and install it on Computer2
upvoted 1 times

  nileshlg 2 years, 1 month ago


Selected Answer: B

Answer is B
upvoted 1 times
Question #85 Topic 5

You have five Azure virtual machines that run Windows Server 2016. The virtual machines are configured as web servers.

You have an Azure load balancer named LB1 that provides load balancing services for the virtual machines.

You need to ensure that visitors are serviced by the same web server for each request.

What should you configure?

A. Session persistence to Client IP and protocol

B. Protocol to UDP

C. Session persistence to None

D. Floating IP (direct server return) to Enabled

Correct Answer: A

Reference:

https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-distribution-mode?tabs=azure-portal

Community vote distribution


A (100%)

  HananS Highly Voted  2 years, 1 month ago

The following options are available:

None (hash-based) - Specifies that successive requests from the same client may be handled by any virtual machine.
Client IP (source IP affinity two-tuple) - Specifies that successive requests from the same client IP address will be handled by the same
virtual machine.
Client IP and protocol (source IP affinity three-tuple) - Specifies that successive requests from the same client IP address and protocol
combination will be handled by the same virtual machine.
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-distribution-mode?tabs=azure-portal
The answer is A
upvoted 11 times
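The three distribution modes listed above differ only in which fields of a flow feed the hash, shown here as an added example that is not part of the original comment. The SHA-256 hash, the backend names and the sample addresses are assumptions for illustration; the load balancer's real hash function is not described on this page.

```python
import hashlib
from typing import Dict, List, Set

BACKENDS = ["web1", "web2", "web3", "web4", "web5"]  # five web servers (names assumed)

# Fields hashed per session persistence setting, as listed in the comment.
MODE_FIELDS = {
    "None": ("src_ip", "src_port", "dst_ip", "dst_port", "protocol"),  # five-tuple
    "Client IP": ("src_ip", "dst_ip"),                                 # two-tuple
    "Client IP and protocol": ("src_ip", "dst_ip", "protocol"),        # three-tuple
}


def pick_backend(mode: str, flow: Dict[str, object],
                 backends: List[str] = BACKENDS) -> str:
    """Map a flow to a backend using only the fields the mode looks at."""
    key = "|".join(str(flow[field]) for field in MODE_FIELDS[mode])
    digest = hashlib.sha256(key.encode()).digest()
    return backends[int.from_bytes(digest[:8], "big") % len(backends)]


def backends_used(mode: str, flows: List[Dict[str, object]]) -> Set[str]:
    """Set of backends a list of flows lands on under the given mode."""
    return {pick_backend(mode, flow) for flow in flows}


def client_flows(src_ip: str, protocol: str, count: int = 50) -> List[Dict[str, object]]:
    """Constructed sample: one client opening `count` connections, each from
    a new ephemeral source port, to the same front end."""
    return [
        {"src_ip": src_ip, "src_port": 49152 + i,
         "dst_ip": "198.51.100.10", "dst_port": 80, "protocol": protocol}
        for i in range(count)
    ]


if __name__ == "__main__":
    tcp = client_flows("203.0.113.7", "TCP")
    udp = client_flows("203.0.113.7", "UDP")
    for mode in MODE_FIELDS:
        print(f"{mode:24} TCP -> {sorted(backends_used(mode, tcp))}")
    # Two-tuple ignores the protocol, so TCP and UDP share one backend.
    print("Client IP, TCP+UDP ->", sorted(backends_used("Client IP", tcp + udp)))
```

Because the two-tuple and three-tuple modes key on the client address, every user behind one NAT or proxy address lands on the same backend, which is worth remembering when sizing the pool.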

  SANDEEPGO Most Recent  5 months, 3 weeks ago

Get ready!!! This question will now appear a million times in the next pages
upvoted 4 times

  zellck 1 year ago


Selected Answer: A

A is the answer.

https://learn.microsoft.com/en-us/azure/load-balancer/distribution-mode-concepts
Session persistence: Client IP and protocol
- Traffic from the same client IP and protocol is routed to the same backend instance
upvoted 2 times

  Manu_0502 1 year, 1 month ago

Selected Answer: A

A. Session persistence to Client IP and protocol


upvoted 1 times

  klexams 1 year, 3 months ago

Selected Answer: A

A. Session persistence to Client IP and protocol


upvoted 1 times

  tahirMScert 1 year, 4 months ago


this was on exam 03oct2022 , I scored 870 and answered as Examtopics answer
upvoted 3 times

  EmnCours 1 year, 5 months ago


Selected Answer: A

Correct Answer: A
upvoted 1 times

  benvdw 1 year, 11 months ago


on exam 13/3/2022
upvoted 1 times
  G_unit_19 1 year, 11 months ago

Selected Answer: A

Straight forward easy question


upvoted 2 times

  Teringzooi 1 year, 11 months ago

Selected Answer: A

Answer is correct: A

Session persistence!
upvoted 2 times

  Sukorak 2 years, 2 months ago


Answer is correct: A
upvoted 4 times

  Sukorak 2 years, 2 months ago


Answer is correct: A
upvoted 3 times
Question #86 Topic 5

You have an Azure subscription that uses the public IP addresses shown in the following table.

You need to create a public Azure Standard Load Balancer.

Which public IP addresses can you use?

A. IP1, IP2, and IP3

B. IP2 only

C. IP3 only

D. IP1 and IP3 only

Correct Answer: C

Matching SKUs are required for load balancer and public IP resources. You can't have a mixture of Basic SKU resources and standard SKU resources.

Reference:

https://docs.microsoft.com/en-us/azure/virtual-network/ip-services/public-ip-addresses

Community vote distribution


C (100%)

  Sukorak Highly Voted  2 years, 2 months ago

Answer is correct: C
upvoted 14 times

  shadad Highly Voted  11 months, 2 weeks ago

Selected Answer: C

I took Exam of Azure- 104 at 27/2/2023


I score 920 points out of 1000 points. This was on it and my answer was: C
upvoted 13 times

  JayLearn2022 Most Recent  12 months ago


Answer: C
A Basic Load Balancer can use the Basic SKU Public IP addresses, but a Standard load balancer requires a Standard SKU Public IP address.

Excerpt from link below:


The standard SKU is required if you associate the address to a standard load balancer. For more information about standard load
balancers, see Azure load balancer standard SKU.

https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/virtual-network-public-ip-address

Excerpt from link below:


Key scenarios that you can accomplish using Azure Standard Load Balancer include:
-Enable support for load-balancing of IPv6.

https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-overview#why-use-azure-load-balancer
upvoted 6 times

  zellck 1 year ago

Selected Answer: C

C is the answer.

https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/public-ip-addresses#sku
Matching SKUs are required for load balancer and public IP resources. You can't have a mixture of basic SKU resources and standard SKU
resources.
upvoted 2 times

  GBAU 1 year ago


C is the most correct. I don't think you can currently use IP6 for load balances yet. Needs to be IPv4 but all IPs are listed as 6 and there is
no "None" option so just roll with it.
upvoted 3 times

  GBAU 1 year ago


My bad, seems they can. (I was sure I read a few hours ago they couldn't)
https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-overview
upvoted 3 times

  meeko86 1 year, 1 month ago


Selected Answer: C

Matching SKUs are required for load balancer and public IP resources. You can't have a mixture of Basic SKU resources and standard SKU
resources.
upvoted 1 times

  klexams 1 year, 3 months ago


IP3 as both SKUs of IL and PIP have to be the same i.e. Standard
upvoted 2 times

  tahirMScert 1 year, 4 months ago


this was on exam 03oct2022 , I scored 870 and answered as Examtopics answer
upvoted 4 times

  majerly 1 year, 4 months ago


today in exam is C
upvoted 2 times

  EmnCours 1 year, 5 months ago


Selected Answer: C

Correct Answer: C
upvoted 1 times

  Teringzooi 1 year, 11 months ago


Selected Answer: C

Answer is correct: C
Basic SKU IP can not be combined with standard LB.
upvoted 2 times

  JayJay22215 1 year, 11 months ago


None of the given, because no one is using ipv6!
All jokes aside, it's C
upvoted 3 times

  Redimido 2 years ago

Selected Answer: C

BASIC SKU not an option here.


upvoted 2 times

  amiri7171 2 years ago

Selected Answer: C

Answer is correct: C
upvoted 2 times

  [Removed] 2 years, 1 month ago


Weird question this one, because IP1 is an iPv6 Basic address but it says that it's Static. That is not supported as part of the Basic SKU. But
regardless, the answer is correct: C. Because you can't mix SKUs with Load Balancers.
upvoted 2 times

  blockhead72 2 years, 1 month ago


Selected Answer: C

C is correct
upvoted 2 times
Question #87 Topic 5

You have an Azure subscription.

You are deploying an Azure Kubernetes Service (AKS) cluster that will contain multiple pods. The pods will use kubenet networking.

You need to restrict network traffic between the pods.

What should you configure on the AKS cluster?

A. the Azure network policy

B. the Calico network policy

C. pod security policies

D. an application security group

Correct Answer: B

Reference:

https://docs.microsoft.com/en-us/azure/aks/use-network-policies

Community vote distribution


B (97%)

  ninjia Highly Voted  2 years, 1 month ago

Selected Answer: B

I think the correct answer is B.


The question describes “the pods will use kubenet networking.”

To provide network connectivity, AKS clusters can use kubenet (basic networking) or Azure CNI (advanced networking).

Azure Network Policies supports Azure CNI only. Calico Network Policies supports both Azure CNI (Windows Server 2019 and Linux) and
kubenet (Linux).

Hence, the correct answer is B.

Reference
https://docs.microsoft.com/en-us/azure/aks/use-network-policies
https://docs.microsoft.com/en-us/azure/aks/configure-kubenet
upvoted 39 times

  RougePotatoe 1 year ago


To summarize. You need calico network policy because this question explicitly stated "pods will use kubenet networking." which
means you need a policy that can support kubenet networking.

Look at supported networking options of the following link.


https://learn.microsoft.com/en-us/azure/aks/use-network-policies#differences-between-azure-network-policy-manager-and-calico-
network-policy-and-their-capabilities
upvoted 7 times

  ITprof99 Highly Voted  2 years, 1 month ago

On exam 01.02.22
Answer: B
upvoted 18 times

  YesPlease Most Recent  3 months, 4 weeks ago

Selected Answer: B

B) Calico Network Policies


Question specifically calls out Kubenet: https://learn.microsoft.com/en-us/azure/aks/use-network-policies#differences-between-azure-
network-policy-manager-and-calico-network-policy-and-their-capabilities
upvoted 1 times

  muzzying 4 months ago


If you go to AKS in the portal and try to create, selecting the Kubenet networking will grey out the 'Azure Network Policy' leaving only the
'Calico' policy to choose.
upvoted 1 times

  Tomix 7 months, 2 weeks ago


Option A: Azure network policy

Azure network policy provides a built-in network security solution for AKS clusters. It allows you to define network traffic rules at the
Kubernetes namespace level using standard Kubernetes NetworkPolicy objects. With Azure network policy, you can control ingress
(incoming) and egress (outgoing) network traffic between pods based on IP addresses, ports, and protocols.
upvoted 1 times

  Haroldgm 7 months, 3 weeks ago

Selected Answer: B

In the exam June 24, 2023


upvoted 3 times

  ojogbon 10 months, 2 weeks ago


On the exam Apr 2nd, 2023
upvoted 6 times

  CyberKelev 11 months, 2 weeks ago

Selected Answer: A

To restrict network traffic between pods in an Azure Kubernetes Service (AKS) cluster, you should configure the Azure network policy.
upvoted 2 times

  zellck 1 year ago


Selected Answer: B

B is the answer.

https://learn.microsoft.com/en-us/azure/aks/use-network-policies#differences-between-azure-network-policy-manager-and-calico-
network-policy-and-their-capabilities
upvoted 3 times

  zellck 12 months ago


Got this in Feb 2023 exam.
upvoted 3 times

  zellck 1 year ago


Calico Network Policy Supported networking options
- Azure CNI (Linux, Windows Server 2019 and 2022) and kubenet (Linux)
upvoted 1 times

  typales2005 1 year, 1 month ago


Selected Answer: B

was in the 09/01/2023 exam


upvoted 7 times

  klexams 1 year, 3 months ago


B for kubenet.
Azure NPM:
Linux, Windows Server 2022
Azure CNI

Calico Network Policy:


Linux, Windows Server 2019 and 2022
Azure CNI (Linux, Windows Server 2019 and 2022) and kubenet (Linux)
upvoted 2 times

  Makarand123 1 year, 3 months ago


There's another way also, using 'linkerd' service mesh, but not given here
upvoted 1 times

  EmnCours 1 year, 5 months ago


Selected Answer: B

B. the Calico network policy Most Voted


upvoted 1 times

  ajayasa 1 year, 11 months ago


this question was there on 16/03/2022 with same question and passed with 900 percent
upvoted 1 times

  mmtechsolutionsinc 1 year, 11 months ago

Selected Answer: B

I think the correct answer is B.


The question describes “the pods will use kubenet networking.”

To provide network connectivity, AKS clusters can use kubenet (basic networking) or Azure CNI (advanced networking).

Azure Network Policies supports Azure CNI only. Calico Network Policies supports both Azure CNI (Windows Server 2019 and Linux) and
kubenet (Linux).

Hence, the correct answer is B.

Reference
https://docs.microsoft.com/en-us/azure/aks/use-network-policies
https://docs.microsoft.com/en-us/azure/aks/configure-kubenet
upvoted 3 times

  theorut 1 year, 11 months ago


Caligula policy.
upvoted 4 times

  daniel1ionut 2 years ago


On exam 05/02/22
Answer: B
upvoted 4 times
Question #88 Topic 5

HOTSPOT -

You have an Azure subscription that contains a virtual network named VNet1. VNet1 uses an IP address space of 10.0.0.0/16 and contains the VPN Gateway and subnets in the following table:

Subnet1 contains a virtual appliance named VM1 that operates as a router.

You create a routing table named RT1.

You need to route all inbound traffic from the VPN gateway to VNet1 through VM1.

How should you configure RT1? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

  mlantonis Highly Voted  2 years, 9 months ago

Correct Answer:

Box 1: 10.0.0.0/16
Address prefix
destination-> Vnet 1 (Address space of Vnet1)

Box 2: Virtual appliance


Next hop type
VM1 ->Virtual Appliance. You can specify IP address of VM 1 when configuring next hop as Virtual appliance.

Box 3: Gateway Subnet


Assigned to
This route is to be followed by Gateway Subnet for the incoming traffic. You can associate routing table to the Subnet from Route Table ->
subnet ->Associate.
upvoted 172 times

  AzureG0d 1 year, 3 months ago


finally he's back lol
upvoted 51 times

  Holydud 1 year, 5 months ago


Was on exam 19 Aug 2022. Scored 870. Around 85% questions were also on ET. Answered:

Box1: 10.0.0.0/16
Box2: Virtual appliance
Box3: GatewaySubnet
upvoted 17 times

  Tom900 Highly Voted  3 years, 2 months ago

Answer is correct.

See the explanation below from AZ-103 source.

Address prefix- destination-> Vnet 1 (Address space of Vnet1)


2. Next Hop - VM1 ->Virtual Appliance (You can specify IP address of VM 1 when configuring next hop as virtual appliance)
3. Assignment - This route is to be followed by Gateway Subnet for the incoming traffic. You can associate routing table to the Subnet from
Route Table -> subnet ->Associate
upvoted 56 times

  mikl 3 years ago


Agree!
upvoted 2 times

  picho707 Most Recent  8 months, 1 week ago

Microsoft naming convention drives me nuts!!!.


upvoted 7 times

  yaboo1617 10 months ago


ROUTE Address prefix = TO
ROUTE Next Hop = THROUGH
ROUTE Assignment = FROM
upvoted 20 times
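Why the route table has to be associated with GatewaySubnet, shown as route selection code in an added example that is not part of the original thread. The subnet table is not reproduced on this page, so VM1's address 10.0.0.4 is an assumption, and the selection model (longest prefix first, a user-defined route beating a system route on an equal prefix) is a simplified sketch that ignores BGP routes.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: str                  # address prefix = where the traffic is going TO
    next_hop_type: str           # what it goes THROUGH
    next_hop_ip: Optional[str]
    source: str                  # "System" or "User"


# System routes every subnet in VNet1 (10.0.0.0/16) gets by default.
SYSTEM_ROUTES: List[Route] = [
    Route("10.0.0.0/16", "VnetLocal", None, "System"),
    Route("0.0.0.0/0", "Internet", None, "System"),
]

VM1_IP = "10.0.0.4"  # assumed private address of the virtual appliance

# RT1 as configured in the accepted answer.
RT1: List[Route] = [Route("10.0.0.0/16", "VirtualAppliance", VM1_IP, "User")]


def effective_routes(subnet: str, associations: Dict[str, List[Route]]) -> List[Route]:
    """A route table only affects traffic LEAVING the subnets it is
    associated with; every other subnet keeps the system routes alone."""
    return SYSTEM_ROUTES + associations.get(subnet, [])


def select_route(routes: List[Route], destination: str) -> Route:
    """Longest prefix match; on a tie the user-defined route wins."""
    addr = ipaddress.ip_address(destination)
    candidates = [r for r in routes if addr in ipaddress.ip_network(r.prefix)]
    return max(
        candidates,
        key=lambda r: (ipaddress.ip_network(r.prefix).prefixlen, r.source == "User"),
    )


def next_hop(from_subnet: str, destination: str,
             associations: Dict[str, List[Route]]) -> Tuple[str, Optional[str]]:
    """Next hop for a packet that leaves from_subnet towards destination."""
    route = select_route(effective_routes(from_subnet, associations), destination)
    return route.next_hop_type, route.next_hop_ip


if __name__ == "__main__":
    # Traffic arriving over the VPN leaves GatewaySubnet towards a VM in VNet1.
    print("RT1 on GatewaySubnet:", next_hop("GatewaySubnet", "10.0.1.5", {"GatewaySubnet": RT1}))
    print("RT1 on Subnet1:      ", next_hop("GatewaySubnet", "10.0.1.5", {"Subnet1": RT1}))
```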

  zellck 1 year ago


1. 10.0.0.0/16
2. Virtual appliance
3. GatewaySubnet

https://learn.microsoft.com/en-us/azure/virtual-network/tutorial-create-route-table-portal
upvoted 4 times

  klexams 1 year, 3 months ago


traffic to vnet1 addresses 10.0.0.0/16
VM1 as the next hop as router is a Virtual Appliance
outside traffic comes through GatewaySubnet
upvoted 2 times

  EmnCours 1 year, 5 months ago


Answer is correct.
upvoted 2 times

  manalshowaei 1 year, 8 months ago


See the explanation below from AZ-103 source.

Address prefix- destination-> Vnet 1 (Address space of Vnet1)


2. Next Hop - VM1 ->Virtual Appliance (You can specify IP address of VM 1 when configuring next hop as virtual appliance)
3. Assignment - This route is to be followed by Gateway Subnet for the incoming traffic. You can associate routing table to the Subnet from
Route Table -> subnet ->Associate
upvoted 1 times

  babzbabz 1 year, 8 months ago


Came on exam today (24/05-2022)
upvoted 1 times

  Dobby25 1 year, 11 months ago


Received this on my exam today 19/03/2022
upvoted 3 times

  Tokawa 2 years, 4 months ago


Why is this not an IP address for Subnet1?
upvoted 1 times

  AubinBakana 2 years, 4 months ago


Answer is correct:

- Source: 10.0.254.0
- Next Hop: NVA
- Assigned to 10.0.0.0/16. This covers 10.0.0.0/24, 10.0.1.0/24, 10.0.2.0/24
upvoted 2 times

  AubinBakana 2 years, 5 months ago


I can picture this question coming in every single test. Answer is correct
upvoted 2 times

  JimBobSquare101 2 years, 6 months ago


In 30 July 2021
upvoted 5 times

  _UNA_ 2 years, 7 months ago


You can watch this video for more clarity https://www.youtube.com/watch?v=sBII38Fngmk
upvoted 5 times

  MimeTalk 2 years, 6 months ago


thanks for sharing
upvoted 2 times

  Shiven12 2 years, 7 months ago


This question came in Exam
upvoted 2 times

  Raj_az104 2 years, 10 months ago


How did we get 10.0.0.0/16
upvoted 3 times

  ddb116 2 years, 10 months ago


Because we want all data from the /16 to go to the router.
upvoted 6 times

  SnakePlissken 2 years, 9 months ago


10.0.0.0/16 is the IP address space of VNET1.
upvoted 1 times
Question #89 Topic 5

You have five Azure virtual machines that run Windows Server 2016. The virtual machines are configured as web servers.

You have an Azure load balancer named LB1 that provides load balancing services for the virtual machines.

You need to ensure that visitors are serviced by the same web server for each request.

What should you configure?

A. Floating IP (direct server return) to Enabled

B. Floating IP (direct server return) to Disabled

C. a health probe

D. Session persistence to Client IP and Protocol

Correct Answer: D

With sticky sessions, when a client starts a session on one of your web servers, the session stays on that specific server. To configure an Azure load balancer for sticky sessions, set Session persistence to Client IP.

On the following image you can see sticky session configuration:

Note:

There are several versions of this question in the exam. The question can have other incorrect answer options, including the following:

1. Idle Time-out (minutes) to 20

2. Protocol to UDP

Reference:

https://cloudopszone.com/configure-azure-load-balancer-for-sticky-sessions/

Community vote distribution


D (100%)

  mlantonis Highly Voted  2 years, 9 months ago

Correct Answer: D

With Sticky Sessions when a client starts a session on one of your web servers, session stays on that specific server. To configure An Azure
Load-Balancer for Sticky Sessions set Session persistence to Client IP.
upvoted 53 times

  Hibs2016 Highly Voted  3 years, 2 months ago


Answer is correct, D - Session Persistence to Client IP and Protocol
upvoted 34 times

  zellck Most Recent  1 year ago

Selected Answer: D

D is the answer.
https://learn.microsoft.com/en-us/azure/load-balancer/distribution-mode-concepts
Session persistence: Client IP and protocol
- Traffic from the same client IP and protocol is routed to the same backend instance
upvoted 1 times

  klexams 1 year, 3 months ago

Selected Answer: D

D. Session persistence to Client IP and Protocol


upvoted 2 times

  tahirMScert 1 year, 4 months ago


this was on exam 03oct2022 , I scored 870 and answered as Examtopics answer
upvoted 3 times

  EmnCours 1 year, 5 months ago


Selected Answer: D

Correct Answer: D
upvoted 1 times

  Lazylinux 1 year, 7 months ago


Selected Answer: D

D is correct and is called Sticky Sessions like Microsoft ones sticks never let go!!
upvoted 3 times

  manalshowaei 1 year, 8 months ago

Selected Answer: D

D. Session persistence to Client IP and Protocol


upvoted 2 times

  amunator 1 year, 8 months ago

Selected Answer: D

Correct answer.
upvoted 1 times

  josevirtual 1 year, 11 months ago

Selected Answer: D

Session Persistence is correct


upvoted 3 times

  hanyahmed 2 years, 1 month ago


it is right answer "Session persistence"
upvoted 1 times

  khengoolman 2 years, 4 months ago


Passed 11 Oct 2021 with 947. This question appeared, correct Answer is D
upvoted 7 times

  kashi1983 2 years, 6 months ago


Answer is D.
upvoted 2 times

  nimz77 2 years, 6 months ago


came in 8.8.2021 exam.
upvoted 4 times

  nimz77 2 years, 6 months ago


Same in 8.8.2021 exam.
upvoted 2 times

  wsscool 2 years, 7 months ago


in exam 7/3/2021
upvoted 3 times

  lucky_18 2 years, 7 months ago


came in exam on June 28 2021
upvoted 3 times
Question #90 Topic 5

HOTSPOT -

You have an Azure subscription that contains the virtual machines shown in the following table:

VM1 and VM2 use public IP addresses. From Windows Server 2019 on VM1 and VM2, you allow inbound Remote Desktop connections.

Subnet1 and Subnet2 are in a virtual network named VNET1.

The subscription contains two network security groups (NSGs) named NSG1 and NSG2. NSG1 uses only the default rules.

NSG2 uses the default rules and the following custom incoming rule:

- Priority: 100
- Name: Rule1
- Port: 3389
- Protocol: TCP
- Source: Any
- Destination: Any
- Action: Allow
NSG1 is associated to Subnet1. NSG2 is associated to the network interface of VM2.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

  fedztedz Highly Voted  3 years, 1 month ago

Answer is correct. No, Yes, Yes.


No: VM1 has default rules which deny any port open for inbound rules
Yes: VM2 has custom rule allowing RDP port
Yes: VM1 and VM2 are in the same VNet. By default, communication is allowed
upvoted 191 times

  namkio0o 1 year, 4 months ago


I don't agree. NO, NO, Yes.
For the second NO: NSG1 is associated with the subnet, which blocks RDP, and in order for RDP to work, both the subnet and the NIC NSGs
need to allow RDP in.
upvoted 20 times

  Slimus 8 months, 1 week ago


Box 2: YES - "NSG1 is associated to Subnet1" - VM2 is in Subnet2
upvoted 3 times

  otonx 1 year, 2 months ago


Read the question again, you are misleading
upvoted 2 times

  crazyrobban 1 year, 3 months ago


VM2 is associated with NSG2, not NSG1. So the answer is yes.
upvoted 1 times

  Pwnisnoob 3 years, 1 month ago


No, Yes, No. With NSGs, RDP ports need to be open in both
upvoted 8 times

  Durden871 11 months ago


N, Y, Y. You opened inbound traffic from literally anywhere on VM2. Why would it work on the internet, but not VM1? There's no
mention of them being on a different network. Outbound is allow all by default. Inbound is the opposite.
upvoted 2 times

  mung 1 year, 2 months ago


Default NSG allows all traffic for inbound, which means RDP is allowed as well.
upvoted 3 times

  Julie444 2 years, 8 months ago


Exactly no one pays attention to the Q! RDP people, RDP.
upvoted 1 times

  Lkk51 2 years, 8 months ago


Subnet1 and Subnet2 are in a virtual network named VNET1.

check default NSG rule https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview


upvoted 3 times

  DodgyD 3 years, 1 month ago


I would suggest Yes to box 3 because
Yes: NSG2 is using the default rules - deny all - but has a higher priority rule allowing RDP protocol from anywhere on the NIC, so RDP
access from VM1 is permitted. Without this rule, if a default rule NSG was applied to the NIC, RDP would fail regardless of VMs being in
same subnet.
upvoted 5 times

  DodgyD 3 years, 1 month ago


Intra-Subnet traffic
It's important to note that security rules in an NSG associated to a subnet can affect connectivity between VM's within it. For
example, if a rule is added to NSG1 which denies all inbound and outbound traffic, VM1 and VM2 will no longer be able to
communicate with each other. Another rule would have to be added specifically to allow this.
upvoted 6 times

  Lapiduse 3 years ago


Agree, nothing to add
No, Yes, Yes.
upvoted 4 times

  mlantonis Highly Voted  2 years, 9 months ago

Correct Answer:

Box 1: No
NSG1 has default rules, which deny any port open for inbound rules

Box 2: Yes
NSG2 has custom Rule1, allowing RDP port 3389 with TCP.

Box 3: Yes
VM1 and VM2 are in the same Vnet. By default, communication is allowed.
upvoted 140 times

  RougePotatoe 1 year ago


Box3 is questionable. The question asked specifically on if VM1 can RDP into VM2.

The VMs are on azure. The only ways I can think of that will allow you to RDP into the other server are through RDP or bastion which
will require the use of RDP on the first server. Nested RDP is not supported.

"Only one level of nested Remote Desktop connection is supported. Establishing a Remote Desktop connection from inside a nested
Remote Desktop connection isn't supported."
https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/run-remote-desktop-connection-session
upvoted 2 times

  RougePotatoe 1 year ago


In theory, if you ignore the fact that you probably RDP'd into VM1, you could RDP into VM2. Unless someone can come up with a way
that would allow you to connect to VM1 that doesn't use Bastion or RDP, I'm going to say you can't RDP into VM2 because nested
RDP is not supported.
upvoted 1 times

  RougePotatoe 12 months ago


Well, I just tested in Azure with RDP (downloaded file), then from VM1 tried RDC (Remote Desktop Connection app) into VM2 over
public IP and it worked, so you can RDP then RDC into another VM. Both use port 3389
upvoted 4 times

  PhoenixAscending Most Recent  1 week, 6 days ago

This was on my exam. The suggested answer to the question is correct.


upvoted 1 times

  rnd3131 3 weeks, 2 days ago


Default Inbound Security Rules:

AllowVNetInBound:
Priority: 65000
Allows all inbound traffic from resources in the same Virtual Network (VNet).
Source: VirtualNetwork
Destination: VirtualNetwork
Source and Destination Port Ranges: Any
Protocol: Any
Action: Allow
upvoted 1 times

  bodjy 3 weeks, 6 days ago


I took the test today with a score of 870. Most of the questions came from ET questions. Be careful of wrong answers from the site and try to
understand the solution rather than supposing the most voted answer is the correct answer
upvoted 1 times

  josola 2 months, 3 weeks ago


There are 2 NSGs. NSG1 is applied to subnet 1. NSG2 is applied to VM2. For a host in subnet 1 to accept traffic from the Internet, both the subnet NSG
and the NIC NSG should allow traffic.

- VM1 is in subnet 1 and it doesn't have a NIC-associated NSG, so subnet NSG1 applies, which denies inbound Internet traffic by default.
Answer No.

- VM2 is in subnet 2, which doesn't have an associated subnet NSG and has NSG2 applied to the VM. NSG2 allows RDP traffic from
anywhere, so RDP connection is possible. Answer Yes.

- Same policy as before (Source=Any), so VM1 can RDP to VM2. Answer Yes.

https://learn.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works
upvoted 1 times

  ziggy1117 3 months ago


No : NSG1 restricts RDP to Subnet1/VM1. Default NSG denies all inbound
Yes: NSG2 Rule1 allows this. Since Subnet2 has no NSG and VM2 is in Subnet2, NSG2 only applies
Yes: allowed by default
upvoted 1 times

  ziggy1117 3 months ago


N-N-Y.
I verified this in lab.
No: VM1 has default rules which denies any inbound from any port
No: NSG of Subnet takes priority for all Inbound Traffic. So NSG of Subnet denies all inbound traffic from the internet. NSG of NIC in VM
will not be reached.
https://learn.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works
Yes: Vnet communication is allowed
upvoted 1 times

  neolisto 2 months, 3 weeks ago


VM2 is in different subnet.
Your answer regarding BOX2 is incorrect.

SubNet1, to which VM1 is connected, is under NSG1.


But not VM2. VM2 isn't attached to NSG1, cuz it's attached to NSG2 and NSG2 has an OPENED 3389 which is used for RDP. It means
everyone from the Internet can have an RDP connection to VM2.

So, should be - BOX2: YES.


upvoted 1 times
  AntaninaD 5 months ago
Got this question on 09/09/23
upvoted 3 times

  VV11_SS22 6 months, 1 week ago


Correct Answer is: No, Yes, Yes.
upvoted 1 times

  Benzitho 9 months, 1 week ago


Correct Answer: Yes, Yes, Yes
Box 1: The default inbound rule allows traffic from all sources to all destinations on all ports and protocols, unless a more specific rule is
defined that overrides this rule. This means that if you create a new VM and associate it with an NSG that has only the default inbound
rule, the VM will be accessible from anywhere on the internet.
Box 2: NSG2 has custom Rule1, allowing RDP port 3389 with TCP.
Box 3: VM1 and VM2 are in the same VNet. By default, communication is allowed.
upvoted 1 times

  sawanti 6 months, 1 week ago


Bro, what a bullsh*t. By default you can't connect from the internet. You can just outbound to the internet. NYY is correct
upvoted 2 times

  zellck 1 year ago


NYY is the answer.

https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview#default-security-rules
upvoted 1 times

  adeyhtech87 1 year ago


The correct answer is NO -> Yes -> Yes.

1. VM1 is in subnet 1, which has default inbound rules. So traffic is blocked from the internet.
2. As VM2 is in Subnet 2 and NSG2, with the custom RDP port allow rule, is attached at VM2's NIC level, and as Subnet 2 doesn't have
any NSG attached, any traffic from the internet will reach NSG2 from VNET -> Subnet 2 -> NSG2. And on NSG2, due to the custom allow
rule for 3389, RDP will work from the internet over the VM's public IP.
3. Azure routes traffic within a VNET automatically. As NSG2 has the RDP port allowed from any source, VM1 can connect to VM2 over its
private IP.
upvoted 2 times

  adeyhtech87 1 year ago


I think the answer is No -> No -> Yes.

NSG1 is attached to Subnet1, which is with the default rule. In the default rule, there's no allowance of RDP from the Internet. Hence, RDP
won't work on VM1 from the internet.

For the second box, VM2 has NSG2 attached on its NIC and VM2 is attached to Subnet 2, which doesn't seem to have any security rule /
separate custom NSG attached (at least I didn't see one in the question), so I presume that Subnet 2 has the default NSG rule whereas VM2's NIC
has allowance for RDP. But since the VM2 inbound traffic on port 3389 is blocked at Subnet 2 level due to the default rule, Internet to VM2
is 'No'.

Since within VNET / Subnet all traffic allowed, so RDP is allowed by default. Hence, it’s ‘Yes’.
upvoted 1 times

  perix 1 year, 1 month ago


Did test in the lab.
n, n, y
When I removed nsg1 or added rdp rule to nsg1 only then vm2 could be connected from the internet with RDP.
upvoted 1 times

  perix 1 year, 1 month ago


It is N, Y, Y. I tested wrong.
My bad.
upvoted 5 times

  Bigc0ck 1 year, 1 month ago


Similar question on the test! Make sure to understand this as they will switch it up
upvoted 3 times

  klexams 1 year, 3 months ago


N VM1 > subnet1 > NSG1 applies = no rdp allowed.
Y VM2 > subnet2 > NIC > NSG2 applies = rdp allowed.
Y same VNET = no restriction between subnets by default. RDP is allowed on both VMs themselves.
upvoted 3 times
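
The inbound evaluation argued over in the Question #90 thread, as an added example (not part of the original page or of any commenter's post): a small Python model of NSG processing in which the subnet NSG is checked first, then the NIC NSG, and the lowest-priority-number matching rule decides. The VM placement (VM1 in Subnet1, VM2 in Subnet2) is assumed from the comments because the question's table is missing here; all function and variable names are hypothetical, and outbound rules on the sending side are not modelled.

```python
"""Minimal model of Azure NSG inbound evaluation for the Question #90 scenario."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    priority: int
    name: str
    source: str           # "Any" or a service tag such as "VirtualNetwork"
    port: Optional[int]   # None = any destination port
    protocol: str         # "Any", "TCP" or "UDP"
    allow: bool


Nsg = Tuple[Rule, ...]

# The three default inbound rules that every NSG carries.
DEFAULT_INBOUND: Nsg = (
    Rule(65000, "AllowVNetInBound", "VirtualNetwork", None, "Any", True),
    Rule(65001, "AllowAzureLoadBalancerInBound", "AzureLoadBalancer", None, "Any", True),
    Rule(65500, "DenyAllInBound", "Any", None, "Any", False),
)


def make_nsg(*custom: Rule) -> Nsg:
    """Custom rules plus the defaults, ordered by priority (lowest number first)."""
    return tuple(sorted(custom + DEFAULT_INBOUND, key=lambda r: r.priority))


def first_match(nsg: Nsg, source_tag: str, port: int, protocol: str) -> Rule:
    """Return the first rule, in priority order, that matches the flow."""
    for rule in nsg:
        if rule.source not in ("Any", source_tag):
            continue
        if rule.port is not None and rule.port != port:
            continue
        if rule.protocol not in ("Any", protocol):
            continue
        return rule
    raise AssertionError("unreachable: DenyAllInBound matches every flow")


def inbound_decision(subnet_nsg: Optional[Nsg], nic_nsg: Optional[Nsg],
                     source_tag: str, port: int,
                     protocol: str = "TCP") -> Tuple[bool, List[str]]:
    """Subnet NSG first, then NIC NSG. A level with no NSG lets traffic through."""
    trace: List[str] = []
    for level, nsg in (("subnet", subnet_nsg), ("nic", nic_nsg)):
        if nsg is None:
            trace.append(f"{level}: no NSG associated")
            continue
        rule = first_match(nsg, source_tag, port, protocol)
        trace.append(f"{level}: {rule.name} ({'allow' if rule.allow else 'deny'})")
        if not rule.allow:
            return False, trace   # a deny at either level drops the flow
    return True, trace


# Scenario from the question: NSG1 has only default rules, NSG2 adds Rule1.
NSG1 = make_nsg()
NSG2 = make_nsg(Rule(100, "Rule1", "Any", 3389, "TCP", True))

# Assumed placement (the table is missing on the page; taken from the comments).
VMS: Dict[str, Dict[str, Optional[Nsg]]] = {
    "VM1": {"subnet_nsg": NSG1, "nic_nsg": None},   # Subnet1 has NSG1
    "VM2": {"subnet_nsg": None, "nic_nsg": NSG2},   # Subnet2 has no NSG
}

# Constructed counterfactual: what several commenters assumed, NSG1 on Subnet2 too.
COUNTERFACTUAL: Dict[str, Dict[str, Optional[Nsg]]] = {
    "VM2": {"subnet_nsg": NSG1, "nic_nsg": NSG2},
}


def rdp_allowed(target: str, source_tag: str,
                vms: Dict[str, Dict[str, Optional[Nsg]]] = VMS) -> Tuple[bool, List[str]]:
    """Can a flow tagged source_tag reach TCP 3389 on the target VM?"""
    vm = vms[target]
    return inbound_decision(vm["subnet_nsg"], vm["nic_nsg"], source_tag, 3389)


if __name__ == "__main__":
    cases = [
        ("Box 1: Internet -> VM1", rdp_allowed("VM1", "Internet")),
        ("Box 2: Internet -> VM2", rdp_allowed("VM2", "Internet")),
        ("Box 3: VM1 (VNet) -> VM2", rdp_allowed("VM2", "VirtualNetwork")),
        ("Counterfactual: Internet -> VM2, NSG1 on Subnet2",
         rdp_allowed("VM2", "Internet", COUNTERFACTUAL)),
    ]
    for label, (allowed, trace) in cases:
        print(f"{label}: {'Yes' if allowed else 'No'}  [{'; '.join(trace)}]")
```

The counterfactual case shows why the N-N-Y camp reached a different result: a default-only NSG on VM2's subnet would deny Internet RDP before the NIC rule is ever consulted.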
Question #91 Topic 5

You have an Azure subscription that contains two virtual machines named VM1 and VM2.

You create an Azure load balancer.

You plan to create a load balancing rule that will load balance HTTPS traffic between VM1 and VM2.

Which two additional load balancer resources should you create before you can create the load balancing rule? Each correct answer presents part of the solution.

NOTE: Each correct selection is worth one point.

A. a frontend IP address

B. an inbound NAT rule

C. a virtual network

D. a backend pool

E. a health probe

Correct Answer: DE

Reference:

https://docs.microsoft.com/en-us/azure/load-balancer/components

Community vote distribution


DE (85%) Other

  tp42 Highly Voted  1 year, 9 months ago

Selected Answer: DE

D and E.
You can't create a LB without FrontEnd IP, so if we have a LB we also have a FrontEnd IP already. You can however create a LB without a
backend pool and without any rules. If you want to add a rule to your LB later you have to create a backend pool and health probe first.
Those are mandatory properties for a rule. I also tested it in my lab to be sure.
upvoted 65 times

  Jayz5436 1 year, 9 months ago


Tried in my lab as well; this is correct. You need a frontend IP to create an empty load balancer, which in this case the question says
is created. Adding a load balancing rule requires you to specify a backend pool and health probe
upvoted 6 times

  Mev4953 1 year, 5 months ago


Yes, you're right. It says the LB is created already and asks about the LB rule. To get created, the LB requires that a frontend IP must first be created,
which is not an issue in this case
upvoted 1 times

  sawanti 6 months, 1 week ago


Can't you guys read? Where is it stated "it's created"???? It says "YOU CREATE", meaning you are in the process of creating that.
There is a difference between create and created, so the correct answer is A and D - Frontend IP is necessary and Backend pool (as
we want to load balance VMs) is also necessary. Those are the steps before load balancing rules

  Batiste2023 3 months, 2 weeks ago


Well, you never know with how these questions are worded - but your line of thought doesn't convince me.
There are three points in time mentioned:
- past: subscription and VMs
- present: load balancer
- future plans: what the question is about
In order not to blur past and present, it says "you create" - and that implies that you're already done doing that. Otherwise, in
fully correct English, you would have to say "you are creating".

I say the answers as given are correct.


upvoted 2 times

  kennynelcon Highly Voted  1 year, 9 months ago

Selected Answer: AD

Answer: A and D
Select: Frontend IP
When done with configuration steps.

Select Next: Backend pools


https://docs.microsoft.com/en-us/azure/load-balancer/quickstart-load-balancer-standard-public-portal
upvoted 8 times

  belyo Most Recent  1 week, 2 days ago

Selected Answer: AD

Whenever you create an LB, at least 1 frontend IP needs to be added for creating a Load Balancer.
It's an error/warning, so you cannot skip it, unlike the rest of the parameters.
frontend ip & backend pool
upvoted 1 times

  belyo 1 week, 2 days ago


Taking it back, it says the LB is created, so you need a backend pool & probes ...
upvoted 1 times

  EzBL 1 month, 1 week ago

Selected Answer: DE

The question is: Which two additional load balancer resources should you create before you can create the load balancing rule?
The procedure is:
Frontend IP configuration
Backend pool
Health probes
Load Balancer rules
The 2 additional resources before the rules are:
Backend pool
Health probes
upvoted 1 times

  Superego 2 months, 1 week ago


A and D as per my understanding.
It's under the LB creation process rather than the LB is already there.
Based on that, the key word is "before" you can create the load balancing rule.
upvoted 3 times

  Superego 6 months ago


A and D based on my test.
Just had a try. Before creating Inbound rules, there're 3 preceding steps:
(1)Basics -> (2)Frontend IP configuration -> (3)Backend pools

And on step (4)Inbound rules -> Add load balancing rule, it requests mandatory resources which are "Frontend IP address" and "Backend
pool".

Regarding "Health probe", you can create a new one on this step itself. This means not BEFORE you can create the load balancing rule but
in parallel.
upvoted 3 times

  sawanti 6 months, 1 week ago


Selected Answer: AD

Azure Load Balancer is NOT created. You are creating that, so the answer is AD.
upvoted 3 times

  Tomix 7 months, 2 weeks ago


To create a load balancing rule to load balance HTTPS traffic between VM1 and VM2 using an Azure load balancer, you would need to
create the following two additional load balancer resources:

A. A frontend IP address: This IP address is used to receive incoming traffic and distribute it to the backend resources. It acts as the entry
point for the load balancer.

D. A backend pool: This defines the backend resources (in this case, VM1 and VM2) that will receive the load-balanced traffic. The load
balancer distributes incoming traffic across the resources in the backend pool based on the configured load balancing rule.

Therefore, options A and D are the correct answers.


upvoted 4 times

  zellck 1 year ago

Selected Answer: DE

DE is the answer.

https://learn.microsoft.com/en-us/azure/load-balancer/components
upvoted 1 times

  FindOcult 1 year, 3 months ago


I don't think that options A, B, and C are Load Balancer resources. Am I right?
upvoted 1 times

  awssecuritynewbie 1 year, 4 months ago


Selected Answer: DE

This makes sense: you would need a frontend IP, but the LB has been created, so to have a rule for the LB you would need the backend pool
and health probe
upvoted 2 times

  EmnCours 1 year, 5 months ago

Selected Answer: DE

Correct Answer: DE
upvoted 1 times

  sjb666 1 year, 9 months ago

Selected Answer: DE

D & E. I have just double checked this in the portal, mandatory fields are Health Probe and Backend Pool.
upvoted 2 times

  michaelmorar 1 year, 9 months ago

Selected Answer: DE

DE seems correct - I might be wrong but if you have an LB, it follows that you already have a Frontend IP?

So you need a Backend Pool and Health Probe

Experts, please jump in and correct me!


upvoted 1 times

  mikextreme 1 year, 9 months ago

Selected Answer: AB

Should be A, B

Get a Frontend IP
Get a Backend Pool

Then we will be able to set up load balancing rules


upvoted 1 times

  MentalG 1 year, 9 months ago


Do you mean A,D?
upvoted 2 times

  mikextreme 1 year, 9 months ago


Sorry, I'm wrong
https://docs.microsoft.com/en-us/azure/load-balancer/manage-rules-how-to
According to this article,
we need

A. Get a Frontend IP
D. Get a Backend Pool
E. Health Probe

B and C apparently are wrong.

Since D. Get a Backend Pool - this is mentioned and we know it's VM1 and VM2, but it never says a pool has been created

So it leaves us A, D and E

But the D option got mentioned and the test asks for 2 answers, so I would choose A and E, but assume that all combinations between those 3
might be considered as correct.
upvoted 2 times
Question #92 Topic 5

You have an on-premises network that contains a database server named dbserver1.

You have an Azure subscription.

You plan to deploy three Azure virtual machines. Each virtual machine will be deployed to a separate availability zone.

You need to configure an Azure VPN gateway for a site-to-site VPN. The solution must ensure that the virtual machines can connect to dbserver1.

Which type of public IP address SKU and assignment should you use for the gateway?

A. a basic SKU and a static IP address assignment

B. a standard SKU and a static IP address assignment

C. a basic SKU and a dynamic IP address assignment

Correct Answer: C

VPN gateway supports only Dynamic.

Note: VPN gateway requires a public IP address for its configuration. A public IP address is used as the external connection point of the VPN. Specify in the values for Public IP address. These settings specify the public IP address object that gets associated to the VPN gateway. The public IP address is dynamically assigned to this object when the VPN gateway is created. The only time the Public IP address changes is when the gateway is deleted and re-created.

Reference:

https://docs.microsoft.com/en-us/azure/vpn-gateway/tutorial-site-to-site-portal

Community vote distribution


B (87%) 13%

  RichardBill Highly Voted  1 year, 5 months ago

Selected Answer: B

OK, this one is new, but let's talk about it: so this would be a "Zonal Gateway" at least, right? There's no talk about the gateway being
zone-redundant, but for it to be even zonal it needs to be an AZ-SKU tier, right? And those always come with a Standard Public IP SKU, which
is static? So B? Here's my source: https://docs.microsoft.com/en-us/azure/vpn-gateway/about-zone-redundant-vnet-gateways The
explanation given here is definitely rubbish
upvoted 25 times

  skate_grizzly_123 4 months, 4 weeks ago


"The VPN gateway supports both standard and basic SKU public IP addresses, but the type of SKU you can use depends on the SKU of
the VPN gateway itself1. For example, you can use a standard static Public IP for gateway SKUs like VpnGw1AZ, VpnGw2AZ, VpnGw3AZ,
VpnGw4AZ, and VpnGw5AZ2." --> Those 3 VM's deployed in AZ so a Public IP should be standard static
upvoted 1 times

  mung 1 year, 2 months ago


It's c.
VPN Gateway supports only "dynamic".
https://learn.microsoft.com/en-us/azure/vpn-gateway/tutorial-site-to-site-portal
upvoted 2 times

  MatAlves 5 months ago


the link you mentioned says about the Public IP:

"Assignment: The assignment is typically autoselected and can be either Dynamic or Static."
upvoted 1 times

  rqFamily 1 year, 2 months ago


No, dynamic type is only supported under the basic IP address type, and we need to create a standard IP address type to support zonal, so the IP
address must be static
upvoted 2 times

  margotfrpp Highly Voted  9 months, 3 weeks ago

Selected Answer: B

Focus on this part of the question: "Each virtual machine will be deployed to a separate availability zone."
ALWAYS REMEMBER THAT:
- Basic Load Balancer: Virtual machines in a single availability set or virtual machine scale set.
- Standard Load Balancer: Any virtual machines or virtual machine scale sets in a single virtual network.
So in this case it's Standard
upvoted 20 times

  Patesso 7 months, 1 week ago


C'est toujours la meme question que vous traitez? [English: Are you still dealing with the same question?]
upvoted 1 times

  ValB 3 months, 1 week ago


C'est toujours ENGLISH dude.
upvoted 3 times

  Batiste2023 3 months ago


That's a stupid comment. Let people write in whatever language they're comfortable. You work with what you can read - if you're
an English speaker, there's plenty of content available here for you...
upvoted 2 times

  ValB 1 month, 2 weeks ago


No, your comment doesn't make sense: what if someone posts an answer with an explanation which is brilliant, but many don't
understand it because he did not use English. Wouldn't that be a pity? Of course it would. On the other hand, an answer in
English will be understood linguistically by everyone because the very questions themselves are in English, so if someone
would not understand English, then he would not even understand the questions, so this website would be completely useless
to him/her.
upvoted 2 times

  profesorklaus 4 months, 3 weeks ago


Speak English. You are on English site
upvoted 5 times

  profesorklaus 4 months, 3 weeks ago


Speak English. You are on English site
upvoted 2 times

  garmatey 7 months, 2 weeks ago


Availability zones and availability sets are different things
upvoted 1 times

  argoth 7 months, 3 weeks ago


There is no reference to Load Balancers in the question.
upvoted 4 times

  SDiwan Most Recent  6 days, 18 hours ago

Selected Answer: B

Answer is B, When availability zones are involved always Standard SKU is needed. When you select "Standard SKU" in public ip, by default
assignment is set to static and you cannot change that.

See the image for public ip creation in this article => https://learn.microsoft.com/en-us/azure/vpn-gateway/tutorial-site-to-site-portal
upvoted 1 times

  Alandt 1 month, 1 week ago


What's the fking difference between Basic and Standard? It's like saying Normal and Average.
upvoted 2 times

  houzer 2 months ago


Selected Answer: B

I am not sure where some of you guys get C saying that VPN Gateway supports only dynamic PiP. When you are creating it you are actually
choice locked into a Standard PiP as far as the Public IP Address SKU goes:
https://learn.microsoft.com/en-us/azure/vpn-gateway/tutorial-create-gateway-portal
upvoted 1 times

  houzer 2 months ago


So the answer is definitely B
upvoted 1 times

  MatAlves 5 months ago


Selected Answer: B

"Assignment: The assignment is typically autoselected and can be either Dynamic or Static."

https://learn.microsoft.com/en-us/azure/vpn-gateway/tutorial-site-to-site-portal
upvoted 1 times

  Sri944 7 months, 1 week ago


Selected Answer: B

Azure VPN gateways support both dynamic and static IP address assignment options.
By using a Standard SKU public IP address with a static IP address assignment, you can ensure a reliable and consistent VPN gateway
configuration for your site-to-site VPN. This will allow the virtual machines deployed across different availability zones in Azure to connect
securely to dbserver1 in your on-premises network.
upvoted 6 times

  Chochi 8 months ago


I will go with B
see link https://stackoverflow.com/questions/51881442/azure-static-ip-for-vpn
upvoted 1 times

  CyberKelev 11 months, 2 weeks ago

Selected Answer: B

The correct answer is B. a standard SKU and a static IP address assignment


upvoted 1 times

  yana_b 11 months, 2 weeks ago


Correct answer is B
Open your portal -> Create new resource -> in Market place type in 'Virtual network gateway' => create new
-> make a note that the IP SKU is fixed text, no option to change it at all and is set to 'Standard'
-> Assignment is set to 'static' and greyed out (can not be changed at all)
upvoted 2 times

  ozlaoliu 11 months, 2 weeks ago

Selected Answer: B

Both Bing AI and ChatGPT chose B. a standard SKU and a static IP address assignment
upvoted 4 times

  GBAU 1 year ago


Answer is B, as Microsoft never asks an exam question where the answer for a solution is one of their basic offerings.😂
upvoted 5 times

  Phlogiston 1 year ago


Please do not make this assumption on the exams as a go-to solution. It is not as if the exam authors sit around a table and say to one
another that they should design questions that only have higher priced SKUs as the correct answer. That said, a lot of the exam content
will likely test "marketing and sales" knowledge. So, you should know your SKUs.
upvoted 2 times

  zellck 1 year ago


Selected Answer: B

B is the answer.

https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/public-ip-addresses#sku
Standard IPs can be non-zonal, zonal, or zone-redundant. Zone redundant IPs can only be created in regions where 3 availability zones are
live. IPs created before zones are live won't be zone redundant.
upvoted 1 times

  Irism 1 year, 1 month ago


still not clear if B or C for me
upvoted 2 times

  BShelat 1 year, 1 month ago


Standard SKU supports availability zones but basic SKU does not. For VPN, Dynamic IPv4 is supported only in non availability zones. Static
IPv4 is supported for both AZ and non-AZ. So for this particular scenario it has to be standard SKU since VPN will need to be in AZ and
since VPN is in AZ only static IP can be assigned. So answer is "B".

https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/public-ip-addresses
upvoted 7 times

  cwamboo 1 year, 1 month ago

Selected Answer: B

B
"Zone-redundant gateways and zonal gateways both rely on the Azure public IP resource Standard SKU. The configuration of the Azure
public IP resource determines whether the gateway that you deploy is zone-redundant, or zonal. If you create a public IP resource with a
Basic SKU, the gateway will not have any zone redundancy, and the gateway resources will be regional."
https://learn.microsoft.com/en-us/azure/vpn-gateway/about-zone-redundant-vnet-gateways
upvoted 1 times

  MrJJ10 1 year, 2 months ago

Selected Answer: C

I'm going with C.


Check out section "Can I get my VPN gateway IP address before I create it?"
https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-vpn-faq

"Zone-redundant and zonal gateways (gateway SKUs that have AZ in the name) both rely on a Standard SKU Azure public IP resource.
Azure Standard SKU public IP resources must use a static allocation method."
upvoted 2 times

  MrJJ10 1 year, 2 months ago


My apologies, I meant Answer "B" not C.
Clicking too fast
upvoted 3 times
Question #93 Topic 5

HOTSPOT -

You have the Azure virtual machines shown in the following table.

VNET1, VNET2, and VNET3 are peered.

VNET1 and VNET2 are linked to an Azure private DNS zone named contoso.com that contains the records shown in the following table.

The virtual networks are configured to use the DNS servers shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

Box 1: Yes -

VM1 is in VNET1. In VNET1 Server1 resolves to 131.107.3.3


Box 2: No -

VM2 is in VNET2. VNET2 uses custom DNS server 192.168.0.5

Box 3: Yes

  randy0077 Highly Voted  1 year, 5 months ago

Hi Admin,

This looks like incomplete question or something is missing. Could you please correct this and add more discussion?
upvoted 70 times

  ivan0590 9 months ago


With some deduction, you can complete the question yourself.
The IP of VM4 is used as custom DNS in VNET2 and VNET3. Therefore, VM4 is a DNS server.
The table shown after ‘VNET1, VNET2, and VNET3 are peered’ is just displaying the records for the custom DNS server.
So, some VMs use the private Azure DNS Zone and others use the custom DNS server. And both DNSs have server1 and server2
records.
Knowing all that, you can now figure out what IP will be resolved in each case.
upvoted 5 times

  spike15_mk Highly Voted  1 year, 2 months ago

CORRECT ANSWER
YES
NO
YES

YES - For VM1, server1.contoso.com resolves to 131.107.3.3

VM1 is connected to VNET1, which has the Default (Azure-Provided) DNS Server and is linked to Azure Private DNS Server contoso.com
(131.107.3.3 and 131.107.3.4 DNS Servers). That means VM1 has these 2 DNS servers for resolving.
DNS Servers for VNET1
server1.contoso.com = 131.107.3.3
server2.contoso.com = 131.107.3.4

NO - For VM2, server1.contoso.com resolves to 131.107.3.3

VM2 belongs to VNET2, which has Custom DNS: 192.168.0.5, the IP of VM4 (it does not take from default Azure: the server1.contoso.com = 131.107.3.4 and
server2.contoso.com = 131.107.3.4) - NO
VM2 will resolve from VM4 (DNS Server1.contoso.com=131.107.2.3 and Server2.contoso.com=131.107.2.4)

YES - For VM3, server2.contoso.com resolves to 131.107.2.4

VM3 belongs to VNET3, which has Custom DNS: 192.168.0.5, the IP of VM4 (it does not take from default Azure: the server1.contoso.com = 131.107.3.4 and
server2.contoso.com = 131.107.3.4)
VM3 will resolve from VM4 (DNS Server1.contoso.com=131.107.2.3 and Server2.contoso.com=131.107.2.4)
upvoted 44 times

  Benzitho 9 months, 1 week ago


Spot on... Well done
upvoted 2 times

  Brockssn 10 months, 2 weeks ago


Y, Y, Y.
VM2 is resolving a FQDN of server 1. The vnet DNS does not state it is contoso.com, so therefore resolving the FQDN would resolve
correctly.
upvoted 2 times

  MoOshin Most Recent  1 month, 1 week ago


YNN
VM2 and VM3 are both using the same DNS, and that DNS server is in VNET3 that cannot resolve the private DNS zone.
upvoted 2 times

  chair123 4 months, 1 week ago


Fudge this, I think it's YYN
Any solid answer here?
upvoted 2 times

  postuond 1 week ago


I think that question has changed.
upvoted 1 times

  chair123 4 months, 1 week ago


No table for VM4 DNS to confirm.
However, a VNet can have more than one resolver

So 1 is Y and 2 is Y
3 is No cuz VNet 3 is not linked to the private zone, only 1 and 2.

Anyone can confirm with lab?


upvoted 1 times

  RandomNickname 7 months, 4 weeks ago


Agree with Y,Y,Y and best explained by Trevor_VT

See;
https://learn.microsoft.com/en-us/azure/dns/private-dns-virtual-network-links

"If you choose to link your virtual network with the private DNS zone without autoregistration, the virtual network is treated as a
resolution virtual network only. DNS records for virtual machines deployed this virtual network won't be created automatically in the
private zone. However, virtual machines deployed in the virtual network can successfully query for DNS records in the private zone. These
records include manually created and auto registered records from other virtual networks linked to the private DNS zone.

One private DNS zone can have multiple resolution virtual networks and a virtual network can have multiple resolution zones associated
to it."
upvoted 3 times

  yaboo1617 10 months ago


Another fucked-up question, still there untouched after months... They should really add a REPORT button instead of new SALES each
week :)
upvoted 17 times

  Rams_84zO6n 10 months, 3 weeks ago


Two Observations from given information:
- [ ] VNET1 has default DNS server so it will be resolved by the private zone.
- [ ] VNET2 and VNET3 have DNS servers listed as the IP address of VM4, which is in VNET3. So VMs on VNET2 and VNET3 will be resolved by the
DNS server in VM4.

Based on those observations:


- [ ] Yes - Is VM1 resolved by private zone? Yes. So it resolves name to 137.107.3.3
- [ ] No - Is VM2 also resolved by the private zone? No, it is resolved by VM4. Why? VM2 is in VNET2. VNET2 has a DNS server that points to VM4,
which is in VNET3. So VM2 uses the DNS zone in VM4 to resolve the name.
- [ ] Yes - Is VM3 resolved by dns zone in VM4? Yes. VM3 in VNET3. VNET3 has DNS server that points to VM4. So it will resolve name to IP
address 131.107.2.4
upvoted 2 times

  Trevor_VT 10 months, 4 weeks ago


This is one of the several questions asking which one has higher priority - the (custom) DNS bound to a VNET or the private DNS zone
linked to the same VNET. According to my test (and also the answer from chatGPT), the private DNS zone has priority. It is the only one
which is used if the request is going to a domain hosted by the private DNS zone. If the request is going to a domain which is not in the
private DNS zone, then the default or custom DNS for the VNET is used.

Based on this, the answers are Y-Y-Y

Why - because both VM1 and VM2 are linked to the private DNS zone, where we have the record for server1.contoso.com -> 131.107.3.3
Also, assuming that the missing explanation of the second table says "VM4 is DNS server and it has the following records", and VM3 points
to this DNS server, it will see and resolve the server2.contoso.com -> 131.107.2.4. Note that VNET3 (where VM3 is) is not linked to the
private DNS zone.
upvoted 15 times

  Batiste2023 3 months ago


I don't know how you tested this, I do know, though, that ChatGPT is not to be trusted (yet) with answering these questions.

One thing is certain, your take on this is wrong, custom defined DNS servers do take priority over VNET zone links:
"Private DNS zones linked to a VNet are queried first when using the default DNS settings of a VNet. Azure provided DNS servers are
queried next. However, if a custom DNS server is defined in a VNet, then private DNS zones linked to that VNet are not automatically
queried, because the custom settings override the name resolution order."
(https://learn.microsoft.com/en-us/azure/dns/private-dns-privatednszone#private-dns-zone-resolution)
upvoted 3 times

  Zemar 10 months, 3 weeks ago


I am betting on your explanation as it makes good sense. Thanks for this
upvoted 5 times

  msingh20 11 months, 2 weeks ago


I'm assuming we are missing a line above the table saying "VM4 is a DNS server that contains the following records". If that is the case the
answer is YNY

Server 1 , A , 131.107.2.3
Server 2 , A, 131.107.2.3
upvoted 4 times

  curtmcgirt 11 months, 4 weeks ago


i think this question has been edited.
vnet1 uses azure dns.
vnet2-3 use 192.168.0.5 vm4 for dns (which we can assume is what the unlabeled 2nd table contains).
all vnets are peered so all could use 192.168.0.5 vm4 dns if they wanted.
.
vm1 is in vnet1, so vm1 uses azure dns.
vm2-4 are in vnet3, so vm2-4 use 192.168.0.5 vm4 dns.
.
yes, vm1 resolves 'server1' to the 3.3 address via azure dns.
no, vm2 resolves 'server1' to the 2.3 address via 192.168.0.5 vm4 dns. (not 3.3 via azure dns)
yes, vm3 resolves 'server2' to the 2.4 address via 192.168.0.5 vm4 dns.
upvoted 4 times

  zellck 1 year ago


YNY is the answer.

1. Resolved using Azure Private DNS.


2. Resolved using custom DNS server.
3. Resolved using custom DNS server.
upvoted 5 times

  shadad 12 months ago


You mean YNN
if 2 and 3 can resolve the custom DNS then both should have the same answer NN
upvoted 3 times

  curtmcgirt 11 months, 4 weeks ago


in the question, the ip addresses resolved are different for the "from vm2" and "from vm3" parts. that's why vm2 is N and vm3 is Y.
upvoted 2 times

  shadad 11 months, 3 weeks ago


holy! how did i miss this part? now i see this and it is resolve the table above it :(
you are right YNY.
upvoted 1 times

  dagomo 1 year ago


Hello guys,
the answer should be YNN.
Explanation:
When you set custom DNS servers you are specifying the list of DNS servers to be given to VMs via DHCP, which means they will not be
querying the Azure private DNS.

https://learn.microsoft.com/en-us/answers/questions/1150496/private-dns-vs-custom-dns-for-one-vnet
upvoted 4 times

  picho707 8 months, 1 week ago


You are correct. The information in question does not say anything about the custom DNS servers being setup as forwarders of the
Azure private DNS zone either. This should be Y/N/N.
upvoted 2 times

  RougePotatoe 12 months ago


There are 3 questions which question is your statement an answer to?

VM2/3 (vNet 3/4) both use VM4 as the DNS server.


VM4's DNS entries are:
server1: 131.107.2.3 doesn't match question 2
server2: 131.107.2.4 match question 3
upvoted 1 times

  jp_mcgee 1 year, 2 months ago


After: "VNET1, VNET2, and VNET3 are peered."
Missing Line: "VM4 has a DNS server that is authoritative for a zone named Contoso.com and contains the records shown in the following
table."
upvoted 16 times

  mung 1 year, 2 months ago


They are all peered so i guess YYY?
upvoted 2 times

  klexams 1 year, 3 months ago


who can find the official link on which DNS takes precedence: vnet linked DNS or vnet DNS?
anyhow this is incomplete question but im gonna assume 192.168.0.5 is the DNS for the 131.107.2.0 records. so answer is

Y = VM1 > VNET1 > Azure priv DNS > server1 is 131.107.3.3
Y = VM2 > VNET2 > Azure priv DNS and Custom DNS > I'm gonna say Azure priv will resolve this because of contoso.com,192.168.0.5 does
not have contoso.com zone > server1 is 131.107.3.3
N = VM3 > VNET3 > Custom DNS > server2 is 131.107.3.4 for the same reason as above.
upvoted 6 times
  SandCloud 10 months ago
this is the right answer, custom dns override
upvoted 1 times

  qwerty100 1 year, 3 months ago


Tested in lab with peered VNET and a Local DNS server:

- From VM1, server1.contoso.com resolves to 131.107.3.3: yes

VNET1 has linked private DNS zone contoso.com and it uses Default (Azure-provided) DNS
(VM1 is on VNET1)

- From VM2, server1.contoso.com resolves to 131.107.3.3: no

VNET2 has linked private DNS zone contoso.com, but it uses 192.168.0.5 DNS
(VM2 is on VNET2)

- From VM3, server2.contoso.com resolves to 131.107.2.4: Yes

No private dns zone linked
(VM3 is on VNET3)
upvoted 14 times

  dc2k79 1 year, 3 months ago


Default DNS won't resolve the private Zone.
upvoted 1 times

  randy0077 1 year, 4 months ago


considering 192.168.0.5 is DNS server. ans should be YNY.
upvoted 1 times
Question #94 Topic 5

HOTSPOT -

You have two Azure virtual machines as shown in the following table.

You create the Azure DNS zones shown in the following table.

You perform the following actions:

✑ For fabrikam.com, you add a virtual network link to vnet1 and enable auto registration.
✑ For contoso.com, you assign vm1 and vm2 the Owner role.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

Box 1: Yes -

The DNS zone uses the Public IP address of vm1.

Box 2: Yes -

Fabrikam.com is a Private DNS zone. The private IP address is used.

Note: The Azure DNS private zones auto registration feature manages DNS records for virtual machines deployed in a virtual network. When you link a virtual network with a private DNS zone with this setting enabled, a DNS record gets created for each virtual machine deployed in the virtual network.

For each virtual machine, an A record and a PTR record are created. DNS records for newly deployed virtual machines are also automatically created in the linked private DNS zone.

Note: If you use Azure Provided DNS then appropriate DNS suffix will be automatically applied to your virtual machines. For all other options you must either use Fully Qualified Domain Names (FQDN) or manually apply appropriate DNS suffix to your virtual machines.

Box 3: Yes -
Reference:

https://docs.microsoft.com/en-us/azure/dns/dns-zones-records

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances

  RichardBill Highly Voted  1 year, 5 months ago

N Y Y? Only private AZ DNS Zones can use auto registration. The set DNS search suffix in the client changes nothing about that
https://docs.microsoft.com/en-us/azure/dns/private-dns-autoregistration
upvoted 64 times

  skate_grizzly_123 4 months, 4 weeks ago


A virtual machine with a DNS suffix configured in Windows will register its DNS record to the private DNS zone. However, the Azure
DHCP service ignores any DNS suffix when it registers the private DNS zone. For example, if your virtual machine is configured for
'contoso.com' as the primary DNS suffix, but the virtual network is linked to the 'fabrikam.com' private DNS zone, the virtual machine's
registration appears in the 'fabrikam.com' private DNS zone.
upvoted 3 times

  qwerty100 1 year, 5 months ago


I agree with you
upvoted 4 times

  klexams Highly Voted  1 year, 3 months ago

N = none of the actions in question added the VM1 record to contoso.com dns
Y = vnet1 is linked and auto-rego is enabled, records get added automatically.
Y = vnet1 is linked and auto-rego is enabled, records get added automatically.
upvoted 19 times

  vroh Most Recent  4 months, 2 weeks ago

Got this in exam


upvoted 3 times

  profesorklaus 4 months, 3 weeks ago


I checked it in my subscription. N-Y-Y.
No record added to contoso. Two records added to fabrikam.
upvoted 3 times

  conip 5 months, 2 weeks ago


can we assume that VMs were up already?
if YES - then auto-registration wouldn't work so it would be NO NO NO - IMHO
upvoted 1 times

  Josete1106 6 months, 4 weeks ago


N Y Y is correct!
upvoted 2 times

  RandomNickname 7 months, 4 weeks ago


N,Y,Y
Public DNS can't auto register only private dns zone.
upvoted 2 times

  FasterN8 10 months, 3 weeks ago


I'm trying to figure out the effects of VM1 and VM2 being owner of contoso.com. Wouldn't that automatically add them to the DNS zone?
Maybe as a SRV record and not an A record though...
upvoted 1 times

  zellck 1 year ago


NYY is the answer.

https://learn.microsoft.com/en-us/azure/dns/private-dns-autoregistration
upvoted 5 times

  dc2k79 1 year, 3 months ago


No/Yes/Yes
upvoted 3 times

  atspace 1 year, 3 months ago


N - Public Ips wont auto register DNS
Y - Auto registration is enabled
N - Linux won't do auto registration
upvoted 9 times

  Slimus 9 months, 1 week ago


The MS doc doesn't say anything about Linux VMs anymore, just...
The Azure DNS private zones auto registration feature manages DNS records for virtual machines deployed in a virtual network.
upvoted 2 times
  [Removed] 1 year, 3 months ago
Linux does auto register.
upvoted 6 times

  moshos 1 year ago


Where has it been stated that Linux does not support auto-registration?
According to this link there the restrictions don't include OS type:
https://learn.microsoft.com/en-us/azure/dns/private-dns-autoregistration
upvoted 1 times

  crazyrobban 1 year, 3 months ago


Good catch with the Linux VM. This is the correct answer.
upvoted 1 times

  Al007 1 year, 3 months ago


Checked in lab environment - Linux does auto register
upvoted 14 times

  adrianspa 1 year, 4 months ago


NYY. Adding a VM with the OWNER role does not change anything in the name resolution process
upvoted 4 times

  awssecuritynewbie 1 year, 4 months ago


so the contoso.com is public DNS and you cannot auto registration. but it just says if it would have the record but it does it has that value
in the box at the top right?
upvoted 1 times

  JoeGV 1 year, 4 months ago


DNS records are created automatically only for the primary virtual machine NIC. If your virtual machines have more than one NIC, you can
manually create the DNS records for other network interfaces.
DNS records are created automatically only if the primary virtual machine NIC is using DHCP. If you're using static IPs, such as a
configuration with multiple IP addresses in Azure, auto registration doesn't create records for that virtual machine.
Answer should be YNN Based on the above restrictions.
upvoted 1 times

  mung 1 year, 2 months ago


Did the question mention anything about static? No it doesn't. Don't go too deep
upvoted 2 times

  ETokLayaa 1 year, 4 months ago


I think it should be N N Y
upvoted 1 times

  kukeleku 1 year, 4 months ago


I agree on N Y Y, based on auto registration on public DNS is not possible!
upvoted 2 times

  ZacAz104 1 year, 5 months ago


i think you only manually add public ips in public dns
upvoted 1 times
Question #95 Topic 5

You have an on-premises datacenter and an Azure subscription.

You plan to connect the datacenter to Azure by using ExpressRoute.

You need to deploy an ExpressRoute gateway. The solution must meet the following requirements:

✑ Support up to 10 Gbps of traffic.
✑ Support availability zones.
✑ Support FastPath.
✑ Minimize costs.

Which SKU should you deploy?

A. ERGw1AZ

B. ERGw2

C. ErGw3

D. ErGw3AZ

Correct Answer: D

ErGw3Az supports FastPath.

The following table shows the features supported across each gateway type.

Note: ExpressRoute virtual network gateways can use the following SKUs:

✑ Standard
✑ HighPerformance
✑ UltraPerformance
✑ ErGw1Az
✑ ErGw2Az
✑ ErGw3Az

Reference:

https://docs.microsoft.com/en-us/azure/expressroute/expressroute-about-virtual-network-gateways

Community vote distribution


D (61%) A (39%)

  GaneshPP Highly Voted  1 year, 4 months ago

Can't believe Azure expects us to memorize these abbreviations!


upvoted 101 times

  ValB 1 month, 2 weeks ago


We are talking about Microsoft here, so unfortunately I am not surprised. 😔
upvoted 1 times

  rnd3131 3 weeks, 1 day ago


you can now access learn.microsoft.com during exams.
upvoted 1 times

  JohnnyChimpo 1 year ago


It's all about marketing. It benefits them in the long run if all the certified admins have sku features memorized. We are most likely to
gravitate towards their solutions as opposed to 3rd parties if we already memorized their offerings
upvoted 13 times

  DaviZZZZ 8 months, 1 week ago


Jejeje that is true....
upvoted 3 times

  curtmcgirt Highly Voted  11 months, 4 weeks ago

final answer: GTFOHms


upvoted 34 times

  Indy429 Most Recent  1 month, 3 weeks ago

As if anyone really knows these things by heart. When you need to deploy something like this, you search for the right documentation
anyways, so why tf is this even a question?
upvoted 2 times

  SgtDumitru 2 months, 2 weeks ago


Gateway SKU | VPN Gateway and ExpressRoute coexistence | FastPath
Standard SKU/ERGw1Az | Yes | No
High Perf SKU/ERGw2Az | Yes | No
Ultra Performance SKU/ErGw3Az | Yes | Yes

So only ErGw3Az supports FastPath & Availability Zones


upvoted 2 times

  james2033 6 months ago

Selected Answer: D

Quote “ErGw3AZ, ErGw2AZ, ErGw1AZ equivalent to Ultra Performance SKU. The only difference in this SKU is that you can pin instance to
Zone or use Zonal redundant.”

at https://github.com/MicrosoftDocs/azure-docs/issues/27933#issuecomment-476258007

https://learn.microsoft.com/en-us/answers/questions/885158/whats-the-difference-between-ergw3az-vs-ultraperfo
upvoted 2 times

  ivan0590 9 months ago


Questions like these are what make me hate Azure certifications so much.

They ask super specific questions that you have to learn by heart, when you shouldn't, and nobody in real life does.
Also, they don't allow brain dumps. Instead, they want you to rely on their terrible documentation and only use tests officially supported
by Microsoft.
Try passing the exam using only that. Yes, you can do it, but seriously, good luck...

Perhaps the reason people resort to brain dumps has to do with all that nonsense?
I understand they ask complex questions to test your knowledge, but questions like this one are not complex, they are just pure evil.
upvoted 14 times

  SgtDumitru 2 months, 2 weeks ago


Like one of my friends said: "Microsoft will make people suffer"
upvoted 1 times

  MaCK0y 8 months ago


Unfortunately this is not just Microsoft though. Other vendors do the same. Have you done LPIC? They have multiple choice questions
where you need to answer which option for a command is the correct one. -t -T, etc.. Why TF would you need to remember that by
heart when you can literally get the answer in real life from within the terminal by using -h or --help or the man command.
upvoted 1 times

  Balvosko 9 months, 3 weeks ago


This is a joke, right ? This question is just first april joke.
upvoted 8 times

  Phil_Spencer 11 months ago


As head of Xbox Game Studios i think this question is pretty dumb. A better question would have been "What's the price of Xbox Game
Pass Ultimate".
upvoted 20 times

  zellck 1 year ago

Selected Answer: D

D is the answer.

https://learn.microsoft.com/en-us/azure/expressroute/expressroute-about-virtual-network-gateways#gatewayfeaturesupport
upvoted 2 times

  SKR94 1 year ago


No comment...
upvoted 3 times

  Mugamed 1 year ago


How random :-o
upvoted 2 times

  darthfodio 1 year, 1 month ago


I will most certainly leave feedback on the exam if I have this or similar type of questions. It's ridiculous.
upvoted 7 times

  ageorgieva 1 year, 2 months ago


Selected Answer: A

came here for the comments :D


upvoted 11 times

  fjreoi 6 months ago


You picked A to bring people into the comments too, lol
upvoted 1 times

  SgtDumitru 2 months, 2 weeks ago


Notre pule in votre gure
upvoted 1 times

  ValB 3 months ago


English dude! We are on an English website!
upvoted 1 times

  Mohaamed 1 year, 2 months ago


daaamn so now we have to memorize these ridiculous abbreviations!!!!!
upvoted 6 times

  Maython20 1 year, 3 months ago

Selected Answer: D

ErGw3Az supports FastPath.

https://learn.microsoft.com/en-us/azure/expressroute/expressroute-about-virtual-network-gateways#gatewayfeaturesupport
upvoted 7 times

  Oualy 1 year, 4 months ago


ErGw3AZ supports fastpath
Answer : D
https://learn.microsoft.com/en-us/azure/expressroute/expressroute-about-virtual-network-gateways
upvoted 10 times

  RougePotatoe 1 year ago


More specifically

Ultra Performance SKU/ErGw3Az

https://learn.microsoft.com/en-us/azure/expressroute/expressroute-about-virtual-network-gateways#gatewayfeaturesupport
upvoted 1 times

  DeltaSM 1 year, 5 months ago

Selected Answer: D

ErGw3AZ seems to be the answer.


Answer: D
upvoted 6 times

  Jaydude 9 months, 2 weeks ago


More like answer :D
upvoted 3 times
Question #96 Topic 5

HOTSPOT -

You have a virtual network named VNET1 that contains the subnets shown in the following table:

You have Azure virtual machines that have the network configurations shown in the following table:

For NSG1, you create the inbound security rule shown in the following table:

For NSG2, you create the inbound security rule shown in the following table:

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

Box 1: Yes -

The inbound security rule for NSG1 allows TCP port 1433 from 10.10.2.0/24 (or Subnet2 where VM2 and VM3 are located) to 10.10.1.0/24 (or Subnet1 where VM1 is located) while the inbound security rule for NSG2 blocks TCP port 1433 from 10.10.2.5 (or VM2) to 10.10.1.5 (or VM1). However, the NSG1 rule has a higher priority (or lower value) than the NSG2 rule.

Box 2: Yes -

No rule explicitly blocks communication from VM1. The default rules, which allow communication, are thus applied.

Box 3: Yes -

No rule explicitly blocks communication between VM2 and VM3 which are both on Subnet2. The default rules, which allow communication, are thus applied.

Reference:

https://docs.microsoft.com/en-us/azure/virtual-network/security-overview

  JohnAvlakiotis Highly Voted  3 years, 2 months ago

I believe it should be No, Yes, Yes. The NSG2 on the NIC of VM1 blocks the request that passes through NSG1 which is attached on the
subnet. There is no priority bypass between NSGs. Traffic is filtered independently between NSGs.
upvoted 285 times

  Indy429 1 month, 4 weeks ago


This is wrong. "A number between 100 and 4096. Rules are processed in priority order, with lower numbers processed before higher
numbers, because lower numbers have higher priority. Once traffic matches a rule, processing stops. As a result, any rules that exist
with lower priorities (higher numbers) that have the same attributes as rules with higher priorities aren't processed.
Azure default security rules are given the highest number with the lowest priority to ensure that custom rules are always processed
first."
So it should be Yes - Yes - Yes.
Source: https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview
upvoted 1 times

  bhadrisn 1 month, 3 weeks ago


@Indy, NSG1 is at subnet level and NSG2 is at VM level, so, when the traffic flows, NSG1 subnet is evaluated first and then if passed,
NSG2 subnet at VM level is evaluated. Here, the number priority doesnt come into picture. So, correct answer is No, Yes, Yes
upvoted 4 times

  Indy429 1 month, 3 weeks ago


You are right, I misread. Thank you
upvoted 3 times

  bhadrisn 1 month, 3 weeks ago


typo NSG2 (remove subnet) at VM level
upvoted 1 times

  RickySmith 6 months, 1 week ago


With reference to https://learn.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works#inbound-traffic
The rules are applied first at the Vnet level and then if allowed at the vnet level, only then at the vm/nic level.
Hence, NYY
upvoted 6 times

  kl8585 4 months, 4 weeks ago


I agree, referencing the example in the link you posted it says:
"To allow port 80 to the virtual machine, both NSG1 and NSG2 must have a rule that allows port 80 from the internet."

So in this case we are not talking about priority, we just have rules evaluated BEFORE or AFTER. That means, if the rules were
inverted and traffic was blocked from NSG1, then what was written in the rules of NSG2 wouldn't even matter because the traffic
wouldn't have reached the NIC.
upvoted 1 times

  darthfodio 1 year, 1 month ago


This is a bit confusing but remember, NSGs attached at the subnet level get priority. Since NSG1 is attached to VNET1- Subnet1, it takes
priority over NSG2, which is attached to VM1(this would have to be attached to the NIC).
upvoted 4 times

  BJack 1 year, 1 month ago


Subnet attached NSGs don't have priority over NIC attached NSGs. It depends on whether the traffic is inbound or outbound -
https://learn.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works
upvoted 13 times

  darthfodio 1 year, 1 month ago


NSG1 also has a lower priority (101) as well so it would take priority based on the rule priority.
upvoted 1 times

  01111010 3 months, 1 week ago


We can't compare NSG priorities from different groups. There's a hierarchy:
1. VNET NSG is evaluated
2. Subnet NSG is next
3. NIC/IP NSG follows
upvoted 1 times

  MOSES3009 3 months ago


I will add that this is for incoming traffic, for outgoing is the reverse order.
upvoted 2 times

  rusll 3 years, 2 months ago


I agree, mixing the rules would create a problem : in case we have two rules with the same priority, how would we decide ...
upvoted 5 times

  Patesso 7 months, 2 weeks ago


For inbound traffic, the NSG rules attached to the network take priority
upvoted 1 times

  aaa112 Highly Voted  3 years, 1 month ago


1. NO - VM1 has the NSG1 on Subnet1, which allows traffic over port 1433 between Subnet2 and Subnet1. BUT NSG2 also applied on NIC
level for VM1 that blocks the traffic on port 1433. Hence No traffic allowed. Answer is NO.

2. YES - For VM2 there are no NSGs applied neither on subnet or NIC level hence all traffic is allowed.

3. YES - For VM3 there are no NSGs applied neither on subnet or NIC level hence all traffic is allowed.
upvoted 174 times

  LeomHD 2 years, 5 months ago


Here explanation priority Subnet over NIC: https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works
upvoted 4 times

  RogerDingo 3 years, 1 month ago


thanks for confirming.. i came to the same conclusion as you.
upvoted 9 times

  monus 2 years, 4 months ago


yes, NSG at subnet as well as VM has to be open in order to allow traffic
upvoted 1 times

  subramani2018 1 year, 11 months ago


but by default tcp3389 blocked in nsg for vm3 right..
upvoted 2 times

  belyo Most Recent  1 week, 2 days ago


as TCP is bi-directional I am wondering is it NO-NO-YES
VM2 would never be able to confirm anything to VM1 on that blocked tcp port...
upvoted 1 times

  Indy429 1 month, 3 weeks ago


Shouldn't it be
NO
YES
YES?

Like the answer is literally in the question, first Q1 can't be a YES. It has to be NO.
upvoted 1 times

  Indy429 1 month, 4 weeks ago


I see a lot of people saying that Q1 should be No, but look at the Priorities. Priority 101 is higher than Priority 125 and will thereby be
overridden by 101, so following that logic, it should be:
Yes
Yes
Yes
upvoted 1 times

  josola 2 months, 3 weeks ago


1. VM2 to VM1. VM1 is in subnet 1 that has NSG1 associated. This NSG allow inbound TCP 1433. Vm1 has NSG2 associated, which denies
traffic from VM2 specifically. Priority doesn’t have anything to do with traffic evaluation because they’re different rules. Then answer No.

2. VM1 to VM2. VM2 is in subnet2 that has no subnet NSG associated, and no VM NSG. VM1 and VM2 are in different subnets in the same
VNET, or same address space. Then traffic is allowed. Answer Yes.
https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview

3. VM2 to VM3. VM2 and VM3 are in the same subnet AND no defined NSGs that deny traffic. Answer Yes.

https://learn.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works
upvoted 1 times

  ziggy1117 3 months ago


N-Y-Y
Intra-Subnet traffic
It's important to note that security rules in an NSG associated to a subnet can affect connectivity between VMs within it. By default, virtual
machines in the same subnet can communicate based on a default NSG rule allowing intra-subnet traffic. If you add a rule to NSG1 that
denies all inbound and outbound traffic, VM1 and VM2 won't be able to communicate with each other.

https://learn.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works

In our example, its explicit in the NSG NIC rule that VM2 cannot connect to VM1 in the said port
upvoted 1 times

  Ahkhan 3 months, 1 week ago


No, yes, and yes.
upvoted 1 times

  DWILK 3 months, 3 weeks ago


so even though they are applied to different VM's the NSG1 has priority? NO
upvoted 1 times

  sumaju 4 months, 2 weeks ago


For Inbound traffic, -> Subnet -> NI, NSG rules are evaluated in this sequence.
For Outbound traffic, NI-> Subnet -> Vnet , NSG rules are evaluated in this sequence.
If there is any explicit deny ( with high priority within that NSG) at any level, traffic will be blocked. So the answer is NYY.
upvoted 1 times

  pcfixok 4 months, 3 weeks ago


N N Y Here's what I'm thinking about the 2nd one:

Network Security Groups have default rules that you can't remove: DenyAllOutBound and DenyAllInBound. "You can't remove the default
rules, but you can override them by creating rules with higher priorities." https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview#denyallinbound

While the rules of NSG1 and NSG2 don't explicitly block traffic from VM1 to VM2, they do not allow it either. They would still have the
default deny all rules at the bottom that can't be removed. Correct me if I'm wrong.
upvoted 3 times

  kl8585 4 months, 3 weeks ago


For second one:

VM2 has no NSG - so all the traffic inbound and outbound is allowed inside the VNET;
VM1 inbound traffic is restricted by NSG1 and NSG2. Outbound rules are not specified, so I assume there are the default ones that
ALLOW all traffic.

So for 2nd answer should be YES.

Ref. for default rules: https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview


upvoted 2 times

  sardonique 4 months, 3 weeks ago


reason why box1 is NO: VM1 is hosting SQL; on VM1's NIC there is NSG2; NSG2 is blocking incoming requests on port 1433 from subnet 2.
Now both VM2 and VM3 happen to be connected to subnet2. so neither VM2 nor VM3 will be able to reach the SQL server on VM1, even if
traffic is allowed at the subnet level. think about the flow: The requests are coming from VM2 and VM3 on subnet2, they will reach subnet1
because both subnets belong to the same vNet, the requests are allowed by NSG1 to reach VM1 and right there they will be blocked at the
NIC level by NSG2
upvoted 1 times

  VV11_SS22 6 months, 1 week ago


Port 1433 - SQL Port
VM2 - Default NSG rules apply - Blocks incoming at Port 1433
VM1 - NSG1 - at Subnet1 - allows incoming on Port 1433 , NSG2- at NIC on VM1 blocks incoming from VM2 to VM1 (125) - so answer is NO

on VM2 from VM1 - incoming at Port 1433 (VM2) - Subnet 2 - Default NSG , VM2 (default NSG) - which blocks Port 1433 - ) default Rule
65000 (Port - any , Source : Virtual Network , Destination : Virtual Network , ALLOW) ---- answer is YES

Incoming on VM3 is same as VM2 , on same Subnet 10.10.2.0 - default rules - same as above - YES
upvoted 2 times

  Josete1106 6 months, 4 weeks ago


N Y Y is correct!
upvoted 1 times

  Mustapha_Hadrich 7 months, 2 weeks ago


do we compare priority between two NSG ?
I am confused in this case
What I think is every priority is within the same NSG and not between NSGs
upvoted 1 times

  lulzsec2019 7 months, 3 weeks ago


I'm confused. I thought if there's no NSG applied, default is auto-deny? so why 2 and 3 are Y?
upvoted 3 times

  rteinformatica 5 months ago


Inside the same VNET, traffic is allowed
upvoted 1 times

  RandomNickname 7 months, 4 weeks ago


Looking at the comments and;

https://learn.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works#inbound-traffic

Agree with N,Y,Y.


As far as I understand the two NSG rules are processed independently.
upvoted 1 times
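
The evaluation order the comments above cite from network-security-group-how-it-works (for inbound traffic the subnet NSG first, then the NIC NSG, each with its own priority list), as an added Python sketch that is not part of the original page. The two rules come from the answer explanation; the VNet range 10.10.0.0/16, VM3's address 10.10.2.6 and the port 3389 probe are assumptions, because the question's tables are missing here.

```python
"""Added example: how NSGs at subnet and NIC level filter traffic inside one VNet."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

VNET = ip_network("10.10.0.0/16")  # assumed VNet address space (not on the page)


@dataclass(frozen=True)
class Rule:
    priority: int
    direction: str   # "in" or "out"
    source: str      # CIDR, "VirtualNetwork" or "*"
    dest: str
    port: object     # int or "*"
    allow: bool


# Default rules every NSG carries (simplified: the load balancer and
# Internet rules are left out because all traffic here stays in the VNet).
DEFAULTS = [
    Rule(65000, "in", "VirtualNetwork", "VirtualNetwork", "*", True),
    Rule(65500, "in", "*", "*", "*", False),
    Rule(65000, "out", "VirtualNetwork", "VirtualNetwork", "*", True),
    Rule(65500, "out", "*", "*", "*", False),
]


def _match_addr(spec, addr):
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return ip_address(addr) in VNET
    return ip_address(addr) in ip_network(spec)


def nsg_allows(rules, direction, src, dst, port):
    """Inside ONE NSG the first matching rule in ascending priority decides."""
    for r in sorted(list(rules) + DEFAULTS, key=lambda r: r.priority):
        if r.direction != direction or r.port not in ("*", port):
            continue
        if _match_addr(r.source, src) and _match_addr(r.dest, dst):
            return r.allow
    return False


# Rules as described in the answer explanation.
NSGS = {
    "NSG1": [Rule(101, "in", "10.10.2.0/24", "10.10.1.0/24", 1433, True)],
    "NSG2": [Rule(125, "in", "10.10.2.5/32", "10.10.1.5/32", 1433, False)],
}
SUBNET_NSG = {"10.10.1.0/24": "NSG1"}  # Subnet2 has no NSG
NIC_NSG = {"10.10.1.5": "NSG2"}        # NSG2 sits on VM1's NIC
VMS = {"VM1": "10.10.1.5", "VM2": "10.10.2.5",
       "VM3": "10.10.2.6"}             # VM3 address is constructed


def _subnet_nsg(addr):
    for cidr, name in SUBNET_NSG.items():
        if ip_address(addr) in ip_network(cidr):
            return name
    return None


def trace(src_vm, dst_vm, port):
    """Return (allowed, steps); every associated NSG must allow the flow."""
    src, dst = VMS[src_vm], VMS[dst_vm]
    # Outbound at the source: NIC NSG, then subnet NSG.
    # Inbound at the destination: subnet NSG, then NIC NSG.
    hops = [("out", NIC_NSG.get(src)), ("out", _subnet_nsg(src)),
            ("in", _subnet_nsg(dst)), ("in", NIC_NSG.get(dst))]
    steps = []
    for direction, name in hops:
        if name is None:
            continue  # no NSG associated at this level, nothing filters here
        ok = nsg_allows(NSGS[name], direction, src, dst, port)
        steps.append((name, direction, ok))
        if not ok:
            return False, steps
    return True, steps


if __name__ == "__main__":
    for flow in [("VM2", "VM1", 1433), ("VM1", "VM2", 3389), ("VM2", "VM3", 3389)]:
        print(flow, trace(*flow))
    # Comparing 101 against 125 only makes sense inside a single NSG:
    merged = NSGS["NSG1"] + NSGS["NSG2"]
    print("one merged NSG:", nsg_allows(merged, "in", "10.10.2.5", "10.10.1.5", 1433))
```

The last line shows where the priority argument comes from: if both rules lived in one NSG, the allow at 101 would win, but as two NSGs the NIC-level deny still applies after the subnet-level allow.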
Question #97 Topic 5

HOTSPOT -

You have an Azure subscription named Subscription1.

Subscription1 contains the virtual machines in the following table:

Subscription1 contains a virtual network named VNet1 that has the subnets in the following table:

VM3 has multiple network adapters, including a network adapter named NIC3. IP forwarding is enabled on NIC3. Routing is enabled on VM3.

You create a route table named RT1 that contains the routes in the following table:

You apply RT1 to Subnet1 and Subnet2.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

IP forwarding enables the virtual machine a network interface is attached to:

✑ Receive network traffic not destined for one of the IP addresses assigned to any of the IP configurations assigned to the network interface.
✑ Send network traffic with a different source IP address than the one assigned to one of a network interface's IP configurations.

The setting must be enabled for every network interface that is attached to the virtual machine that receives traffic that the virtual machine needs to forward. A virtual machine can forward traffic whether it has multiple network interfaces or a single network interface attached to it.

Box 1: Yes -

The routing table allows connections from VM3 to VM1 and VM2. And as IP forwarding is enabled on VM3, VM3 can connect to VM1.

Box 2: No -

VM3, which has IP forwarding, must be turned on, in order for VM2 to connect to VM1.

Box 3: Yes -

The routing table allows connections from VM1 and VM2 to VM3. IP forwarding on VM3 allows VM1 to connect to VM2 via VM3.

Reference:

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview

https://www.quora.com/What-is-IP-forwarding

  klexams Highly Voted  1 year, 3 months ago

Y = RT is not applied to VM3. VM3 will have the default route between subnets in a vnet.
N = VM2 > Subnet2 has RT applied to it. VM3 is the next hop which is turned off.
Y = VM3 has IP forwarding enabled which can fwd traffic from VM1 to VM2.
upvoted 48 times

martin_k1 Highly Voted 1 year, 4 months ago

YNY

if UDR was not set, connectivity between three VMs would work by default.
1) With UDR, it still works, but return traffic from VM1 and VM2 to VM3 goes straight to VM3 instead of subnet gateway (which is one of reserved subnet IPs)

2) and 3) are clear.


upvoted 13 times

zellck Most Recent 1 year ago

YNY is the answer.

https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface?tabs=network-interface-portal#enable-or-disable-ip-forwarding
upvoted 6 times

mbaybarsk 1 year, 9 months ago


N/N/Y

VM3 subnet does not have a route for VM1 subnet. The default route drops packets that belong to 10.0.0.0/8 -> No

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview

VM2 cannot connect to VM1 because the router (VM3) is offline -> No

VM1 can connect to VM2 as there's a routing table -> Yes


upvoted 4 times

Babushka 1 year, 3 months ago


What pythonier said, because UDR is only applied to subnet 1 & 2.
upvoted 1 times

pythonier 1 year, 5 months ago


Y/N/Y - VM3 is on the same VNET as VM2 and VM1, therefore, no routes are needed
upvoted 17 times

sjb666 1 year, 9 months ago


I believe this is correct. Ordinarily all three should be able to speak to each other as they're all subnets within the same VNet. However, the
route table directs them to the machine that is switched off, thus breaking contact. Answer is correct
upvoted 12 times

ExamKiller020 6 months, 1 week ago


This is the comment that I was looking for
upvoted 1 times

Mev4953 1 year, 5 months ago


Agree.
upvoted 2 times

WindowAFX 1 year, 9 months ago


Correct
I believe this to be correct
upvoted 6 times
Question #98 Topic 5

Your on-premises network contains an SMB share named Share1.

You have an Azure subscription that contains the following resources:

✑ A web app named webapp1
✑ A virtual network named VNET1

You need to ensure that webapp1 can connect to Share1.

What should you deploy?

A. an Azure Application Gateway

B. an Azure Active Directory (Azure AD) Application Proxy

C. an Azure Virtual Network Gateway

Correct Answer: C

A Site-to-Site VPN gateway connection can be used to connect your on-premises network to an Azure virtual network over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel.

This type of connection requires a VPN device, a VPN gateway, located on-premises that has an externally facing public IP address assigned to it.

Incorrect Answers:

B: Application Proxy is a feature of Azure AD that enables users to access on-premises web applications from a remote client.

Reference:

https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-portal

Community vote distribution


C (100%)

mlantonis Highly Voted 2 years, 9 months ago

Correct Answer: C

A Site-to-Site VPN gateway connection can be used to connect your on-premises network to an Azure virtual network over an IPsec/IKE
(IKEv1 or IKEv2) VPN tunnel. This type of connection requires a VPN device, a VPN gateway, located on-premises that has an externally
facing public IP address assigned to it.

A: Application Gateway is for http, https and Websocket - Not SMB


B: Application Proxy is also for accessing web applications on-prem - Not SMB. Application Proxy is a feature of Azure AD that enables
users to access on-premises web applications from a remote client.

Reference:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-portal
upvoted 108 times

SumanSaurabh 1 year, 2 months ago


you were missed until now, welcome back
upvoted 13 times

KingChuang 1 year, 2 months ago


Better Ref:
https://learn.microsoft.com/en-us/azure/storage/files/storage-files-configure-s2s-vpn
upvoted 1 times

AzureG0d 1 year, 3 months ago


welcome back lol
upvoted 3 times

Wizard69 Highly Voted 2 years, 11 months ago

With the answers that we have:


Application Gateway is for http, https and Websocket - Not SMB
Application Proxy is also for accessing web applications on-prem - Not SMB
So the only answer can be VPN Gateway
upvoted 39 times

zellck Most Recent 1 year ago

Selected Answer: C

C is the answer.

https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways
Azure VPN Gateway is a service that uses a specific type of virtual network gateway to send encrypted traffic between an Azure virtual
network and on-premises locations over the public Internet. You can also use VPN Gateway to send encrypted traffic between Azure
virtual networks over the Microsoft network. Multiple connections can be created to the same VPN gateway. When you create multiple
connections, all VPN tunnels share the available gateway bandwidth.
upvoted 4 times

moshos 1 year ago


Selected Answer: C

Correct answer: C
upvoted 1 times

Bigc0ck 1 year, 1 month ago


This was on the test
upvoted 2 times

rocroberto 1 year, 3 months ago


This question appeared today in my exam. I answered C. Passed with 810 :-)
60/70% of questions are from here. Thanks guys!!!
Keep up the good work
upvoted 6 times

EmnCours 1 year, 5 months ago

Selected Answer: C

Correct Answer: C
upvoted 1 times

Lazylinux 1 year, 7 months ago

Selected Answer: C

Given answer is correct..comments as per others


upvoted 1 times

benvdw 1 year, 11 months ago


C - on exam 13/3/2022
upvoted 3 times

Snownoodles 2 years, 1 month ago

Selected Answer: C

C is correct.
To achieve the goal, the web app needs to integrate with Vnet so that web app can get an IP from vnet.
https://docs.microsoft.com/en-us/azure/app-service/overview-vnet-integration
upvoted 1 times

Kamex009 2 years, 5 months ago


This question was asked on exam taken on 8/22/2021
upvoted 5 times

lucky_18 2 years, 7 months ago


came in exam on June 28 2021
upvoted 5 times

ZUMY 2 years, 11 months ago


C is correct
upvoted 3 times

PektoTheGreat 2 years, 11 months ago


Keyword is "On-Premise" so the answer is C. VNG. Isn't it amazing? ^_^
upvoted 4 times

toniiv 2 years, 11 months ago


Answer C. is correct, you need a Virtual Network Gateway to create a site-to-site VPN connection to on-prem
upvoted 4 times

fedztedz 3 years, 1 month ago


Answer is correct. "C" Virtual Network Gateway
upvoted 13 times

Lbaz 3 years, 4 months ago


sorry didn't understand well, answer is C or A??
upvoted 2 times

kvnpri 3 years, 3 months ago


Answer is C Virtual Network gateway
upvoted 11 times

finolweb 3 years, 1 month ago


Azure Application Gateway gives you application-level routing and load balancing services that let you build a scalable and highly-
available web front end in Azure.
upvoted 2 times
Question #99 Topic 5

You plan to deploy several Azure virtual machines that will run Windows Server 2019 in a virtual machine scale set by using an Azure Resource Manager template.

You need to ensure that NGINX is available on all the virtual machines after they are deployed.

What should you use?

A. the Publish-AzVMDscConfiguration cmdlet

B. Azure Application Insights

C. Azure Custom Script Extension

D. the New-AzConfigurationAssignement cmdlet

Correct Answer: C

Note:

There are several versions of this question in the exam. The question has two correct answers:

1. a Desired State Configuration (DSC) extension

2. Azure Custom Script Extension

The question can have other incorrect answer options, including the following:

✑ Deployment Center in Azure App Service
✑ a Microsoft Intune device configuration profile

Reference:

https://docs.microsoft.com/en-us/azure/architecture/framework/devops/automation-configuration

Community vote distribution


C (92%) 8%

mlantonis Highly Voted 2 years, 9 months ago

Correct Answer: C

Note: There are several versions of this question in the exam. The question has two correct answers:
1. a Desired State Configuration (DSC) extension
2. Azure Custom Script Extension
The question can have other incorrect answer options, including the following:
✑ the Publish-AzVMDscConfiguration cmdlet
✑ Azure Application Insights
upvoted 85 times

mlantonis 2 years, 9 months ago


Reference:

https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/dsc-overview

https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/tutorial-install-apps-template

https://docs.microsoft.com/en-us/samples/mspnp/samples/azure-well-architected-framework-sample-state-configuration

https://docs.microsoft.com/en-us/azure/architecture/framework/devops/automation-configuration
upvoted 14 times

waterzhong Highly Voted 3 years, 2 months ago

C. Azure Custom Script Extension


upvoted 18 times

marioZuo Most Recent 6 months, 3 weeks ago

Old friend
upvoted 5 times

Batiste2023 3 months, 2 weeks ago


Exactly what I felt, after all these harsh networking questions...
upvoted 3 times

curtmcgirt 11 months, 4 weeks ago


i hope i get this question half as many times on the exam as it appears here.
upvoted 6 times

zellck 1 year ago


Same as Question 89.
https://www.examtopics.com/discussions/microsoft/view/95713-exam-az-104-topic-4-question-89-discussion
upvoted 1 times

zellck 1 year ago

Selected Answer: C

C is the answer.

https://learn.microsoft.com/en-us/azure/virtual-machines/extensions/custom-script-windows
The Custom Script Extension downloads and runs scripts on Azure virtual machines (VMs). This extension is useful for post-deployment
configuration, software installation, or any other configuration or management task. You can download scripts from Azure Storage or
GitHub, or provide them to the Azure portal at extension runtime.
upvoted 2 times

Ashfaque_9x 1 year ago


Passed today on 29Jan23 with a score of 970. This question was in the exam.
Correct answers for this question:
1. a Desired State Configuration (DSC) extension
2. Azure Custom Script Extension
upvoted 4 times

EmnCours 1 year, 5 months ago

Selected Answer: C

Correct Answer: C
upvoted 1 times

Lazylinux 1 year, 7 months ago


Selected Answer: C

C is correct..see below
A Desired State Configuration (DSC) extension

Azure virtual machine extensions are small packages that run post-deployment configuration and automation on Azure virtual machines.

In the following example, the Azure CLI is used to deploy a custom script extension to an existing virtual machine, which installs a Nginx
webserver.

# Install NGINX on an existing Linux VM through the Custom Script Extension
az vm extension set \
  --resource-group myResourceGroup \
  --vm-name myVM --name customScript \
  --publisher Microsoft.Azure.Extensions \
  --settings '{"commandToExecute": "apt-get install -y nginx"}'


upvoted 2 times

elmertar 2 years ago

Selected Answer: C

C. Azure Custom Script Extension


upvoted 1 times

peymani 2 years ago


support the correct answer "C"
https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/custom-script-windows
upvoted 1 times

peymani 2 years ago


Selected Answer: C

The Publish-DscConfiguration cmdlet publishes a Windows PowerShell Desired State Configuration (DSC) configuration document on set
of computers. This cmdlet does not apply the configuration. Configurations are applied by either the Start-DscConfiguration cmdlet when
it is used with the UseExisting parameter or when the DSC engine runs its consistency cycle.
https://docs.microsoft.com/en-us/powershell/module/psdesiredstateconfiguration/publish-dscconfiguration?view=dsc-1.1
upvoted 3 times

deltarj 2 years ago

Selected Answer: C

I will go with ans C.


upvoted 2 times

deltarj 2 years ago


if no DSC is offered then it is azCSE... right? (see Q59T4 and Q74T4)
upvoted 1 times

johnseong97 2 years ago


Selected Answer: C

Correct Answer: C
Note: There are several versions of this question in the exam. The question has two correct answers:
1. a Desired State Configuration (DSC) extension
2. Azure Custom Script Extension
The question can have other incorrect answer options, including the following:
✑ the Publish-AzVMDscConfiguration cmdlet
✑ Azure Application Insights
upvoted 1 times

JIGT 2 years, 1 month ago

Selected Answer: A

Publish-AzVMDscConfiguration cmdlet
upvoted 1 times

brunomd 2 years, 2 months ago


Correct is C.

I thought that the correct was A, but does not, because of this:

"The Publish-AzVMDscConfiguration cmdlet uploads a Desired State Configuration (DSC) script to Azure blob storage, which later can be
applied to Azure virtual machines using the Set-AzVMDscExtension cmdlet."
upvoted 1 times

mdmdmdmd 2 years, 5 months ago


This question is in the wrong topic, should be topic 3 "Deploy and manage Azure compute resources". It's also repeated in some form
there.
upvoted 1 times
Question #100 Topic 5

Your on-premises network contains a VPN gateway.

You have an Azure subscription that contains the resources shown in the following table.

You need to ensure that all the traffic from VM1 to storage1 travels across the Microsoft backbone network.

What should you configure?

A. a network security group (NSG)

B. service endpoints

C. Azure Peering Service

D. Azure Firewall

Correct Answer: A

Community vote distribution


B (100%)

additionalpylons Highly Voted 1 year, 5 months ago

Selected Answer: B

I believe it should be B

"Virtual Network (VNet) service endpoint provides secure and direct connectivity to Azure services over an optimized route over the Azure
backbone network. "

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview
upvoted 41 times

johnboy222 Highly Voted 1 year, 3 months ago

Admin, Let’s get this fixed please. The correct answer is B.


upvoted 18 times

Sri944 Most Recent 7 months, 1 week ago

Selected Answer: B

Service Endpoints allow you to extend the Azure virtual network's private address space to Azure services, such as Azure Storage. By
enabling Service Endpoints, the traffic between VM1 and storage1 remains within the Azure network fabric, utilizing the Microsoft
backbone network.
upvoted 3 times

Mustapha_Hadrich 7 months, 2 weeks ago

Selected Answer: B

It is not A
NSG is a set of rule that "Allow" or "Block"

Why are community and admin responses totally different in many questions??
upvoted 2 times

arnovanb 7 months, 3 weeks ago


Selected Answer: B

B is the answer
upvoted 1 times

SimoneP 9 months ago


Selected Answer: B

B service endpoint
upvoted 1 times

  5864619 9 months, 3 weeks ago


Why is every question on this ETE wrong and the community is discussing over what is right. This brings confusion as there are multiple options:
Microsoft wrong, Community right - Results in Wrong answer while being right
Community wrong, Microsoft right - Results in wrong answer
Community right - Results in Unreliable questions
upvoted 2 times

ivan0590 9 months ago


I think that Exam Topics don't get the questions and their answers, they just get the questions and then they try to answer them. That would explain why they fail so much.
Microsoft has nothing to do with it.
upvoted 2 times

zellck 1 year ago

Selected Answer: B

B is the answer.

https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview
Virtual Network (VNet) service endpoint provides secure and direct connectivity to Azure services over an optimized route over the Azure
backbone network. Endpoints allow you to secure your critical Azure service resources to only your virtual networks. Service Endpoints
enables private IP addresses in the VNet to reach the endpoint of an Azure service without needing a public IP address on the VNet.
upvoted 4 times

meeko86 1 year, 2 months ago


Answer should be B
https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview
"Virtual Network (VNet) service endpoint provides secure and direct connectivity to Azure services over an optimized route over the Azure
backbone network. "
"Keeping traffic on the Azure backbone network allows you to continue auditing and monitoring outbound Internet traffic from your
virtual networks, through forced-tunneling, without impacting service traffic."
upvoted 3 times

klexams 1 year, 3 months ago

Selected Answer: B

service endpoints to ensure traffic uses ms backbone network, it does not go out to the internet.
upvoted 2 times

sujidurga 1 year, 4 months ago


https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview Check Limitations. So Ans is NSG
upvoted 4 times

engnr2000 10 months, 1 week ago


The mention of the "on-premises network" is a distraction. Both resources are part of an AZ Subscription.
upvoted 1 times

Andrew04 11 months, 1 week ago


but the traffic is from VM1 to storage1, not from on-prem, so endpoint should be the good answer
upvoted 3 times

sujidurga 1 year, 4 months ago


Endpoints can't be used for traffic from your premises to Azure services. For more information, see Secure Azure service access from on-premises
upvoted 3 times

engnr2000 10 months, 1 week ago


You're correct, however, the mentioned "on-premises network" is a distraction. Both resources are part of an AZ Subscription.
upvoted 2 times

Mev4953 1 year, 5 months ago


https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview#:~:text=Virtual%20Network%20(VNet)%20service%20endpoint%20provides%20secure%20and%20direct%20connectivity%20to%20Azure%20services%20over%20an%20optimized%20route%20over%20the%20Azure%20backbone%20network.
upvoted 2 times

pythonier 1 year, 5 months ago


Selected Answer: B

Service endpoints and Private endpoints are the services that allow you to use MSFT backbone to communicate with Azure services
upvoted 2 times

DanishHassan 1 year, 5 months ago


Selected Answer: B

Correct Answer is B
upvoted 1 times

EmnCours 1 year, 5 months ago


Selected Answer: B

Correct Answer: B
upvoted 4 times

Question #101 Topic 5

You plan to deploy route-based Site-to-Site VPN connections between several on-premises locations and an Azure virtual network.

Which tunneling protocol should you use?

A. IKEv1

B. PPTP

C. IKEv2

D. L2TP

Correct Answer: C

A Site-to-Site (S2S) VPN gateway connection is used to connect your on-premises network to an Azure virtual network over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel.

IKEv2 supports 10 S2S connections, while IKEv1 only supports 1.

Reference:

https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-classic-portal
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-connect-multiple-policybased-rm-ps

Community vote distribution


C (100%)

klexams Highly Voted 1 year, 3 months ago

C. IKEv2 IPsec
keyword is "Route-Based" coz "Policy-based" only supports IKEv1.
upvoted 24 times

JonWick Most Recent 3 months, 1 week ago

IKEv2 is correct
upvoted 1 times

Shaanwar2001 4 months, 1 week ago


Keyword is several on-premises locations and an Azure virtual network. IKEv2 supports 10 S2S, IKEv1 supports only one.
upvoted 4 times

zellck 1 year ago

Selected Answer: C

C is the answer.

https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-connect-multiple-policybased-rm-ps#azure-support-for-policy-based-vpn
upvoted 4 times

EmnCours 1 year, 5 months ago


Selected Answer: C

Correct Answer: C
upvoted 2 times

qwerty100 1 year, 5 months ago

Selected Answer: C

Correct Answer: C
upvoted 2 times

DeltaSM 1 year, 5 months ago

Selected Answer: C

Answer: C
upvoted 2 times
Question #102 Topic 5

You have an Azure subscription that contains the resources shown in the following table.

You configure Azure Site Recovery to replicate VM1 between the US East and West US regions.

You perform a test failover of VM1 and specify VNET2 as the target virtual network.

When the test version of VM1 is created, to which subnet will the virtual machine be connected?

A. TestSubnet1

B. DemoSubnet1

C. RecoverySubnetA

D. RecoverySubnetB

Correct Answer: A

Community vote distribution


B (93%) 7%

zellck Highly Voted 1 year ago

Selected Answer: B

B is the answer.

https://learn.microsoft.com/en-us/azure/site-recovery/azure-to-azure-network-mapping
The subnet of the target VM is selected based on the name of the subnet of the source VM.
- If a subnet with the same name as the source VM subnet is available in the target network, that subnet is set for the target VM.
- If a subnet with the same name doesn't exist in the target network, the first subnet in the alphabetical order is set as the target subnet.
upvoted 53 times

ValB 1 month, 2 weeks ago


"Alphabetical order": Microsoft's "cleverness" 🤣
upvoted 1 times

sardonique 4 months, 3 weeks ago


I can't understand. Where do you see that the vm1'subnet is any similar to demosubnet1?
upvoted 2 times

Batiste2023 3 months ago


There are two rules:
1) If a destination subnet exists with the same name as the source subnet, then that one will be selected as a failover target.
2) If a subnet of the same name does not exist in the destination VNET, then the first subnet according to the alphabetical order will be selected.

Rule 2 applies for this question, B is therefore the correct answer.

See zellck's source:


https://learn.microsoft.com/en-us/azure/site-recovery/azure-to-azure-network-mapping#specify-a-subnet
upvoted 6 times
Rams_84zO6n Highly Voted 10 months, 3 weeks ago

Selected Answer: B

LOL, alphabetical order my a.... Never would have guessed


upvoted 22 times

93d821b 2 months, 1 week ago


AZURE IS INFURIATING. Alphabetical Order? I swear there are 10 rules and exceptions for Everything. It's A unless B is applied on a Friday in June when the moon is full, then it's z.
upvoted 4 times

xRiot007 8 months, 2 weeks ago


It's pretty silly. Should be done using CIDR match, but hey "lOgeec" :))
upvoted 2 times

Exams_Prep_2021 Most Recent 1 month, 2 weeks ago

in exam 26/12/2023
upvoted 2 times

Rafi786_khan 1 month, 2 weeks ago


How many questions from ET?
upvoted 1 times

Navi2098 1 month, 2 weeks ago


Can you please let me know how many questions come from these dumps? If I study the exam topics material and also the Microsoft website notes, then will it be possible to pass the exam?
upvoted 1 times

YesPlease 3 months, 4 weeks ago


Selected Answer: B

B) Apparently if the target subnet doesn't have the same name, then it picks it via alphabetical order.

https://learn.microsoft.com/en-us/azure/site-recovery/azure-to-azure-network-mapping#specify-a-subnet
upvoted 2 times

VladimL 5 months, 3 weeks ago


I really had this question on my exam today, 08/22/2023. Thought it is a bad joke. Thank you "zellck"!
upvoted 5 times

Atul_0902 11 months, 1 week ago


Source subnet name is Subnet2, so A is correct
upvoted 3 times

Jared144 11 months, 3 weeks ago

Selected Answer: B

https://learn.microsoft.com/en-us/azure/site-recovery/azure-to-azure-network-mapping
upvoted 1 times

djgodzilla 11 months, 3 weeks ago

Selected Answer: A

logically when you failover same subnet CIDR means less work to do.
upvoted 1 times

djgodzilla 11 months, 3 weeks ago


but obviously Azure doesn't follow logic by default . Answer is B .
"Specify a subnet
The subnet of the target VM is selected based on the name of the subnet of the source VM.
- If a subnet with the same name as the source VM subnet is available in the target network, that subnet is set for the target VM.
- If a subnet with the same name doesn't exist in the target network, the first subnet in the alphabetical order is set as the target
subnet.
You can modify the target subnet in the Network settings for the VM.
2. IP address assignment during failover
- Same address space: IP address of the source VM NIC is set as the target VM NIC IP @. If the address isn't available, the next available
IP is set as the target.
- Different address space: The next available IP address in the target subnet is set as the target VM NIC address. <<-- this means it can
be a different IP CIDR. "
https://learn.microsoft.com/en-us/azure/site-recovery/azure-to-azure-network-mapping#set-up-ip-addressing-for-target-vms
upvoted 3 times

SedateBloggs 1 year ago


I also think A. https://learn.microsoft.com/en-us/azure/site-recovery/azure-to-azure-architecture
upvoted 1 times

SedateBloggs 1 year ago


and this https://learn.microsoft.com/en-us/azure/site-recovery/concepts-network-security-group-with-site-recovery#azure-to-azure-replication-with-nsg which states "Site Recovery can create replicas of Contoso VNet and Contoso Subnet on the target Azure region when replication is enabled for the VM."
upvoted 1 times

Ashfaque_9x 1 year, 1 month ago


Selected Answer: A

A. TestSubnet1
https://learn.microsoft.com/en-us/azure/site-recovery/concepts-network-security-group-with-site-recovery
upvoted 5 times

sss123412 1 year, 1 month ago


A is correct.

If no specific subnet is specified, VM1's test version would be deployed to the same subnet in VNET2, same subnet refers to the same address.
upvoted 5 times

zellck 1 year ago


https://learn.microsoft.com/en-us/azure/site-recovery/azure-to-azure-network-mapping
The subnet of the target VM is selected based on the name of the subnet of the source VM.
- If a subnet with the same name as the source VM subnet is available in the target network, that subnet is set for the target VM.
- If a subnet with the same name doesn't exist in the target network, the first subnet in the alphabetical order is set as the target
subnet.
upvoted 7 times

azhunter 1 year, 1 month ago


Correct answer A
https://learn.microsoft.com/en-us/azure/site-recovery/concepts-network-security-group-with-site-recovery
upvoted 3 times

wpestan 1 year, 1 month ago


All networks overlap except RecoverySubnetA, is there any problem?
upvoted 1 times
Question #103 Topic 5

You have five Azure virtual machines that run Windows Server 2016. The virtual machines are configured as web servers.

You have an Azure load balancer named LB1 that provides load balancing services for the virtual machines.

You need to ensure that visitors are serviced by the same web server for each request.

What should you configure?

A. Protocol to UDP

B. Session persistence to None

C. Floating IP (direct server return) to Disabled

D. Session persistence to Client IP

Correct Answer: D

Community vote distribution


D (90%) 10%

zellck Highly Voted 1 year ago

Selected Answer: D

D is the answer.

https://learn.microsoft.com/en-us/azure/load-balancer/distribution-mode-concepts
Session persistence: Client IP
- Traffic from the same client IP is routed to the same backend instance
upvoted 6 times

krzychuPl89 Highly Voted 9 months, 4 weeks ago


Somebody really wants us to remember this ...
upvoted 5 times

lulzsec2019 Most Recent 11 months, 1 week ago

This question appeared at least 5 times.


upvoted 4 times

zellck 1 year ago


Same as Question 108.
https://www.examtopics.com/discussions/microsoft/view/94077-exam-az-104-topic-5-question-108-discussion
upvoted 2 times

omgMerrick 1 year ago


Selected Answer: C

Correct answer: C

Session persistence to Client IP

Reference: https://learn.microsoft.com/en-us/azure/load-balancer/distribution-mode-concepts
upvoted 1 times

omgMerrick 1 year ago


I meant to select D. :)

Reference is still correct.


upvoted 1 times

Ashfaque_9x 1 year, 1 month ago

Selected Answer: D

Correct Answer
D. Session persistence to Client IP
upvoted 1 times

azhunter 1 year, 1 month ago


Correct Answer
upvoted 2 times
khaled_razouk 1 year, 1 month ago

Selected Answer: D

To ensure that visitors are serviced by the same web server for each request, you should configure session persistence to "Client IP" on
the Azure load balancer.
upvoted 2 times

Question #104 Topic 5

You plan to deploy several Azure virtual machines that will run Windows Server 2019 in a virtual machine scale set by using an Azure Resource Manager template.

You need to ensure that NGINX is available on all the virtual machines after they are deployed.

What should you use?

A. the Publish-AzVMDscConfiguration cmdlet

B. a Microsoft Endpoint Manager device configuration profile

C. Deployment Center in Azure App Service

D. a Desired State Configuration (DSC) extension

Correct Answer: D

Community vote distribution


D (100%)

Ashfaque_9x Highly Voted 1 year, 1 month ago

Selected Answer: D

Correct Answer
D. a Desired State Configuration (DSC) extension
upvoted 5 times

vsvaid Most Recent 1 week, 4 days ago

These questions are like filler question to relax the people, appearing regularly after some questions so that people do not feel
overwhelmed.
upvoted 1 times

marioZuo 6 months, 3 weeks ago


I love it!!!
upvoted 2 times

arnovanb 7 months, 3 weeks ago


No way... This question AGAIN :-D
upvoted 2 times

khaled_razouk 1 year, 1 month ago

Selected Answer: D

D. a Desired State Configuration (DSC) extension


upvoted 3 times

Ras_Al_Ghul 1 year, 1 month ago

Selected Answer: D

correct answer D
upvoted 3 times
Question #105 Topic 5

You have five Azure virtual machines that run Windows Server 2016. The virtual machines are configured as web servers.

You have an Azure load balancer named LB1 that provides load balancing services for the virtual machines.

You need to ensure that visitors are serviced by the same web server for each request.

What should you configure?

A. Floating IP (direct server return) to Disabled

B. Session persistence to Client IP

C. Protocol to UDP

D. Idle Time-out (minutes) to 20

Correct Answer: B

Community vote distribution


B (100%)
curtmcgirt Highly Voted 11 months, 4 weeks ago

i hope i get this question on the exam half as often as it appears here.
upvoted 22 times

Indy429 Most Recent 1 month, 3 weeks ago

I feel like I've seen this same question about 10 times already
upvoted 1 times

loic90 10 months, 1 week ago


The answer is B
upvoted 1 times

zellck 1 year ago


Same as Question 108.
https://www.examtopics.com/discussions/microsoft/view/94077-exam-az-104-topic-5-question-108-discussion
upvoted 2 times

zellck 1 year ago

Selected Answer: B

B is the answer.

https://learn.microsoft.com/en-us/azure/load-balancer/distribution-mode-concepts
Session persistence: Client IP
- Traffic from the same client IP is routed to the same backend instance
upvoted 2 times

omgMerrick 1 year ago

Selected Answer: B

Correct answer: B
Session persistence to Client IP

Reference: https://learn.microsoft.com/en-us/azure/load-balancer/distribution-mode-concepts
upvoted 1 times

Ashfaque_9x 1 year, 1 month ago

Selected Answer: B

Correct Answer
B. Session persistence to Client IP
upvoted 1 times

khaled_razouk 1 year, 1 month ago


Selected Answer: B

correct
B. Session persistence to Client IP
upvoted 2 times
Question #106 Topic 5

You have an Azure subscription that contains 20 virtual machines, a network security group (NSG) named NSG1, and two virtual networks named VNET1 and VNET2 that are peered.

You plan to deploy an Azure Bastion Basic SKU host named Bastion1 to VNET1.

You need to configure NSG1 to allow inbound access to the virtual machines via Bastion1.

Which port should you configure for the inbound security rule?

A. 22

B. 443

C. 389

D. 8080

Correct Answer: B

Community vote distribution


B (71%) A (29%)

bajjiteam Highly Voted 1 year, 1 month ago

Correct answer A....As Bastion connects to VM via port 22/3389..Azure portal connects to Bastion via port 443..as the question is to
inbound rule for vm from Bastion...Correct answer is PORT 22...option A
upvoted 20 times

  hbor 10 months, 3 weeks ago


Correct Answer is B. The Azure Bastion will create a public IP that needs port 443 enabled on the public IP for ingress traffic. Port
3389/22 are NOT required to be opened on the AzureBastionSubnet https://learn.microsoft.com/en-us/azure/bastion/bastion-nsg
upvoted 5 times

  mmarkiew 3 months, 4 weeks ago


I disagree. You're talking about traffic from Internet -> Bastion. The question is asking about traffic from Bastion -> VMs. Read
further down in that link you provided.

"Egress Traffic to target VMs: Azure Bastion will reach the target VMs over private IP. The NSGs need to allow egress traffic to other
target VM subnets for port 3389 and 22."

I think the correct answer is A, and we have to assume that these are Linux VMs Bastion is connecting to over SSH.
upvoted 3 times

  clg003 2 months, 2 weeks ago


If you look at the rules created in that section they are all outbound rules, not inbound. The question doesn't specifically say
much. It doesn't say windows and it doesn't say Linux so you can't differentiate between 22 and 3389. The Bastion Subnet is in the
same VNET as the VM subnet so by default it shouldn't require a rule, the default rule would allow its access. The only rule I can
see you would definitely need would be from outside the VNET to the Bastion Subnet, which would be 443.
upvoted 1 times

  Batiste2023 3 months, 2 weeks ago


You are correct! Fascinating how the majority can be wrong on some questions...

The source you are quoting from is this article: https://learn.microsoft.com/en-us/azure/bastion/bastion-nsg


upvoted 1 times

  Ashfaque_9x Highly Voted  1 year, 1 month ago

Selected Answer: B

Correct Answer
B. 443

Using Bastion your RDP/SSH session is over TLS on port 443.


https://learn.microsoft.com/en-us/azure/bastion/bastion-overview

If you say port 22 then what about windows VM as it is not mentioned that the VM is windows or Linux? You will have to allow port 443 in
NSG.
upvoted 19 times

  MoOshin 1 month, 1 week ago


The question did not say windows or linux.
It just said VM.
and the two possible answers are 22 for Linux and 3389 for Windows.
Correct answer A
https://learn.microsoft.com/en-us/azure/bastion/configuration-settings#ports
upvoted 1 times

  MatAlves Most Recent  1 week, 1 day ago

Answer - B: the question mentioned "allow INBOUND access"

Ingress Traffic from public internet: The Azure Bastion will create a public IP that needs port 443 enabled on the public IP for ingress
traffic. Port 3389/22 are NOT required to be opened on the AzureBastionSubnet.

Egress Traffic to target VMs: Azure Bastion will reach the target VMs over private IP. The NSGs need to allow egress traffic to other target
VM subnets for port 3389 and 22.

If answer was related to Egress Traffic, both A and C would be correct.

https://learn.microsoft.com/en-us/azure/bastion/bastion-nsg
upvoted 1 times

  rnd3131 3 weeks, 1 day ago

Selected Answer: A

https://learn.microsoft.com/nl-nl/azure/bastion/bastion-overview

see drawing
upvoted 1 times

  MoOshin 1 month, 1 week ago


Correct answer A
Port 22.
https://learn.microsoft.com/en-us/azure/bastion/configuration-settings#ports
upvoted 2 times

  tfdestroy 1 month, 2 weeks ago

Selected Answer: B

Azure Bastion's Communication: Azure Bastion, regardless of SKU, uses HTTPS (port 443) to establish secure connections to virtual
machines within a virtual network. It doesn't interact directly with ports like 22 (SSH), 389 (LDAP), or 8080 (HTTP).
NSG Configuration: To enable inbound access to the virtual machines via Bastion1, you need to create an inbound security rule in NSG1
that allows traffic on port 443 from Bastion1's IP address or subnet.

Port 22 (SSH): This is typically used for direct SSH connections, but Bastion doesn't use it for its own communication.
Port 389 (LDAP): This is used for LDAP directory services, not Bastion's functionality.
Port 8080 (HTTP): This is sometimes used for web services, but Bastion uses HTTPS (port 443) for secure connections.
upvoted 2 times

  ValB 1 month, 2 weeks ago


Yet another poorly formulated question from Microsoft. It looks almost formulated to trick and confuse people. It is not clear whether we
are talking about incoming traffic to the bastion (in which case I would go with port 443) or the traffic from bastion to VMs (in which case I
will go with port 22 for SSH). "Thanks" Microsoft, but no thanks!
upvoted 2 times

  Indy429 1 month, 3 weeks ago


Selected Answer: B

Azure Bastion provides access to a private network from an external network, such as the Internet. So we need port 443, in case it has to
travel over the Internet.
upvoted 1 times

  SgtDumitru 2 months, 2 weeks ago


The question is not formed correctly. It asked port for access between Bastion and VM, when in reality the question is: Which port to open
to connect to Bastion itself ?
upvoted 1 times

  Ahkhan 3 months ago


The bastion connects to VMs on their private IP address so that you only have to allow traffic from Bastion and not the outside world,
that's what I once read in Microsoft doc. And it makes sense. I'm just worried that we're assuming that these are Linux machines because
there is no hint. We're doing it for sanity.
upvoted 1 times

  clg003 3 months, 2 weeks ago

Selected Answer: B

Haven't tested this but read the convo and thought I would add my 2 cents...

Since bastion resides in the same VNET as the VMs and connects over private IP, you don't have to do anything for bastion to connect to
the VMs. You would need to ensure that traffic from outside the VNET can reach the Bastion Subnet (port 443).
upvoted 2 times
  burns25 3 months, 3 weeks ago

Selected Answer: A

Check this video... minute 10 onward


upvoted 1 times

  burns25 3 months, 3 weeks ago


I have to correct myself... Correct answer is "B" - 443 - as explained at minute 22

https://www.youtube.com/watch?v=lZ_u57gJBNo&t=943s
upvoted 2 times

  Batiste2023 3 months, 2 weeks ago


The MS article that the John Savill references in the video is this one: https://learn.microsoft.com/en-us/azure/bastion/bastion-nsg

It clearly says about the traffic between the bastion host and the VMs it's servicing: "Egress Traffic to target VMs: Azure Bastion will
reach the target VMs over private IP. The NSGs need to allow egress traffic to other target VM subnets for port 3389 and 22."

The answer therefore, clearly, is A (as you initially stated)!


upvoted 1 times

  sumaju 4 months, 2 weeks ago


This question is bit tricky. NSG rule to enable access to vm via Bastion. So effectively the access is internet -> Bastion -> VM. Internet to
Bastion is through port 443. Then Bastion to VM will be SSH/RDP (22/3389).
So the correct answer is 443.

https://learn.microsoft.com/en-us/azure/bastion/bastion-overview
upvoted 3 times

  MoOshin 1 month, 1 week ago


Not a trick question
"You need to configure NSG1 to allow inbound access to the virtual machines via Bastion1."
Point to note is traffic from "Bastion to the VM", it is either 22 or 3389
upvoted 1 times

  mmarkiew 3 months, 4 weeks ago


You're contradicting yourself.
upvoted 2 times

  XtraWest 4 months, 3 weeks ago

Selected Answer: B

To allow inbound access to the virtual machines via the Azure Bastion Basic SKU host named Bastion1, you should configure the inbound
security rule on NSG1 for TCP port 443 - as per Bing AI
upvoted 1 times

  athli 5 months ago


Selected Answer: A

In order to connect to the Linux VM via SSH, you must open inbound port 22 for SSH.
https://learn.microsoft.com/en-us/azure/bastion/bastion-connect-vm-ssh-linux
upvoted 1 times

  ducklaorange 5 months ago


Again, a very poorly framed question. But my vote is for A (22).
Here's why: https://learn.microsoft.com/en-us/azure/bastion/bastion-overview
Listed as Key Benefit:
You don't need to apply any NSGs to the Azure Bastion subnet. Because Azure Bastion connects to your virtual machines over private IP,
you can configure your NSGs to allow RDP/SSH from Azure Bastion only. This removes the hassle of managing NSGs each time you need
to securely connect to your virtual machines. For more information about NSGs, see Network Security Groups.
RDP and SSH are ports 3389 and 22 respectively.
Having to configure port 443 would remove one of those key benefits as well as I understand it.
upvoted 2 times

  ducklaorange 5 months ago


For more information:
https://learn.microsoft.com/en-us/azure/bastion/bastion-nsg
Assume the NSG is applied on the VNETs, not the AzureBastion.
From personal experience, we delete Bastion resources when not in use as they cost $$$ even when not in use. Would I have to reapply
the NSG everytime to it? It's silly.
upvoted 1 times

  Marianeiro 5 months ago


Correct answer is B port 443 -
Azure Bastion is deployed specifically to AzureBastionSubnet.
Ingress Traffic:
Ingress Traffic from public internet: The Azure Bastion will create a public IP that needs port 443 enabled on the public IP for ingress
traffic. Port 3389/22 are NOT required to be opened on the AzureBastionSubnet. Note that the source can be either the Internet or a set of
public IP addresses that you specify.
https://learn.microsoft.com/en-us/azure/bastion/bastion-nsg#apply
upvoted 3 times
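
The two hops the thread argues about (client to Bastion on 443, Bastion to VM on 22/3389) can be checked against a small model of NSG inbound evaluation. This is an added example, not part of the question or of any commenter's post; the address plan, the custom rule names and the CIDR stand-ins for service tags are assumptions, and only the Bastion ingress rule quoted in the thread is modeled.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # lower number is evaluated first
    source: str        # CIDR prefix, or "*" for any source
    dest_ports: tuple  # destination ports; empty tuple means any port
    allow: bool


# Constructed address plan (assumption, not given in the question).
VNET_SPACE = "10.0.0.0/16"
BASTION_SUBNET = "10.0.0.0/26"   # stands in for AzureBastionSubnet

# Two of the default inbound rules present in every NSG. The VirtualNetwork
# service tag is approximated here by the VNet prefix.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, VNET_SPACE, (), True),
    Rule("DenyAllInBound", 65500, "*", (), False),
]

# NSG on the VM subnet that admits RDP/SSH from Bastion only
# (hypothetical rule names).
VM_NSG_BASTION_ONLY = [
    Rule("AllowSshRdpFromBastion", 100, BASTION_SUBNET, (22, 3389), True),
    Rule("DenySshRdpFromElsewhere", 110, "*", (22, 3389), False),
] + DEFAULT_INBOUND

# NSG on the Bastion subnet: only the public 443 ingress quoted in the
# thread is modeled (hypothetical rule name, "*" stands in for Internet).
BASTION_NSG = [
    Rule("AllowHttpsInbound", 120, "*", (443,), True),
] + DEFAULT_INBOUND


def evaluate(rules, src_ip, dst_port):
    """Return (allowed, rule_name) for the first rule that matches the flow."""
    src = ipaddress.ip_address(src_ip)
    for rule in sorted(rules, key=lambda r: r.priority):
        src_ok = rule.source == "*" or src in ipaddress.ip_network(rule.source)
        port_ok = not rule.dest_ports or dst_port in rule.dest_ports
        if src_ok and port_ok:
            return rule.allow, rule.name
    return False, "no matching rule"


if __name__ == "__main__":
    # Constructed sample flows: (label, NSG, source IP, destination port).
    flows = [
        ("client -> Bastion", BASTION_NSG, "203.0.113.10", 443),
        ("client -> VM", VM_NSG_BASTION_ONLY, "203.0.113.10", 22),
        ("Bastion -> VM, default rules", DEFAULT_INBOUND, "10.0.0.4", 22),
        ("Bastion -> VM, Bastion-only NSG", VM_NSG_BASTION_ONLY, "10.0.0.4", 3389),
        ("other VNet host -> VM", VM_NSG_BASTION_ONLY, "10.0.2.5", 3389),
    ]
    for label, nsg, src, port in flows:
        print(label, port, evaluate(nsg, src, port))
```

With default rules alone the Bastion-to-VM hop is already admitted by AllowVnetInBound, and so is RDP/SSH from every other host in the VNet; the Bastion-only NSG is what narrows that to the Bastion subnet.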
Question #107 Topic 5

HOTSPOT

Your network contains an on-premises Active Directory Domain Services (AD DS) domain named contoso.com. The domain contains the servers

shown in the following table.

You plan to migrate contoso.com to Azure.

You create an Azure virtual network named VNET1 that has the following settings:

• Address space: 10.0.0.0/16

• Subnet:

o Name: Subnet1

o IPv4: 10.0.1.0/24

You need to move DC1 to VNET1. The solution must ensure that the member servers in contoso.com can resolve AD DS DNS names.

How should you configure DC1? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.


Correct Answer:

  tunaparker Highly Voted  1 year, 1 month ago

I think the answers should be:

1) Obtain an IP address automatically


The first 4 IP addresses within a subnet space are getting reserved for Azure automatically. Thus, 10.0.1.3 can't be the right answer.
10.0.2.1 is in the VNET space but falls out of the subnet space. 192.168.2.1 is just out of the VNET.

2) Configure VNET1 to use a custom DNS server


This VNET1 should use our pre-created DNS server as its DNS server so that the member servers in contoso.com can resolve AD DS DNS
names.

Pls do not hesitate to correct me if I am wrong :)


upvoted 41 times

  AX341 1 year ago


Reading this, makes me think you are right: https://social.technet.microsoft.com/wiki/contents/articles/23377.how-to-manage-your-dcdns-servers-with-dynamic-ips-in-azure.aspx
upvoted 3 times

  SKR94 1 year ago


IDK...
1) ok
2) if you set IP address automatically, what do you set in custom DNS? I think is better create a private DNS...
upvoted 6 times

  zellck 1 year ago


https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances
Azure DNS private zones is the preferred solution and gives you flexibility in managing your DNS zones and records.
upvoted 3 times

  GBAU 1 year ago


https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances#name-resolution-that-uses-your-own-dns-server

VMs and role instances


Your name resolution needs might go beyond the features provided by Azure. For example, you might need to use Microsoft
Windows Server Active Directory domains, resolve DNS names between virtual networks. To cover these scenarios, Azure enables
you to use your own DNS servers.

Private DNS Zones do not support Active Directory Integration


upvoted 3 times

  Phlogiston Highly Voted  1 year ago

Another dumb correct response. The only correct responses appear to be to use a dynamic IP address and custom DNS. But, in the real
world, you would never configure a DC to use a dynamic IP address. Imagine the chaos if it is rebooted and acquires a different IP address
and the SRV records are possibly not updated, not to mention the fact that now the client DNS configurations are pointing to an incorrect
DNS address and won't be able to resolve A and SRV records for the domain. Madness.
upvoted 22 times

  josola 2 months, 2 weeks ago


But continuing with your line of thought. You can't use any of the static addresses given there. So the only option is to use automatic
assignment.
upvoted 1 times

  josola 2 months, 2 weeks ago


I agree with your thinking. You never setup DCs with a dynamic address for the reasons explained. Now because you're moving (no
recreating it) the DC, which is already a DNS server then the second answer should be a custom DNS.
upvoted 1 times

  rnd3131 Most Recent  3 weeks, 1 day ago

correcting its 443, because azure/bastion takes care of the vm network side. as in if you don't block it with a specific rule it works.
upvoted 2 times

  flamingo23 2 weeks, 1 day ago


Are you still with the previous question? :) OK let's move on.
upvoted 2 times

  josola 2 months, 2 weeks ago


The answer is wrong.
1. Ideally you should use a static address for a DC, but the ones given are reserved by Azure. So you can't use 10.0.1.3 because it's
reserved in the subnet address space 10.0.1.0/24. Then the only option in that subnet is to use DHCP and use static assignment.

https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-faq

2. Best approach will be to use a Private DNS zone, but the question is about moving the DC, which is already a DNS server. Then the
answer is to configure the VNET to use a custom DNS server (the DC in this case).
upvoted 1 times

  sardonique 4 months, 3 weeks ago


within the VM the IP configuration should be DHCP client. In the Azure Platform you can create a static IP assignment on the DHCP server,
so that it will provide always the same IP. You normally do not want a DC to change IP!
upvoted 2 times

  Josete1106 6 months, 4 weeks ago


A&A is correct!

Obtain an IP address automatically


Configure VNET1 to use a custom DNS server
upvoted 4 times

  RandomNickname 7 months, 2 weeks ago


Single DC is very poor setup, but since the questions says "resolve AD DS DNS names" which appears to imply Active Directory Integration,
which private zones doesn't support I'm going to say custom dns for Q2.

ref: https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/dns-for-on-premises-and-azure-resources

"If you need to use existing DNS infrastructure (for example, Active Directory integrated DNS), ensure that the DNS server role is deployed
onto at least two VMs and configure DNS settings in virtual networks to use those custom DNS servers."

Q1: 5 IP's in subnet are reserved, first 4 and last 1.

ref: https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-faq

"Are there any restrictions on using IP addresses within these subnets?


Yes. Azure reserves the first four and last IP address for a total of 5 IP addresses within each subnet"
upvoted 2 times

  djgodzilla 10 months, 3 weeks ago


not sure , I can understand what is the right answer here.
"For environments where name resolution across Azure and on-premises is required, it is recommended to use DNS Private Resolver
service along with Azure Private DNS Zones. It offers many benefits over virtual machines based DNS solution, including cost reduction,
built-in high availability, scalability, and flexibility.

If you need to use existing DNS infrastructure (for example, Active Directory integrated DNS), ensure that the DNS server role is deployed
onto at least two VMs and configure DNS settings in virtual networks to use those custom DNS servers."

https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/dns-for-on-premises-and-azure-resources
upvoted 1 times

  djgodzilla 10 months, 3 weeks ago


2) Custom DNS zone
Deploy ADDS in Azure VNET:
If the new deployed Domain Controllers (DC) VMs will have also the role of DNS servers, it's recommended to configure them as custom
DNS server at the Azure Virtual Network level.
https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/identity/adds-extend-domain
not sure about the IP
upvoted 1 times

  CyberKelev 11 months, 2 weeks ago


Answer is 10.1.0.3 and configure Vnet1 to use a custom DNS server
upvoted 4 times

  Goofer 10 months, 2 weeks ago


10.1.0.3 is not possible. you can use 10.1.0.4 and higher.
upvoted 4 times

  GBAU 1 year ago


IP: Automatic
Name Resolution: Custom

1: As soon as you move DC1 to VNET1, irrespective of the DNS/IP config, Server1 can not resolve AD DS DNS names as there is ZERO
mention of a P2P VPN between onsite where Server1 still is and the VNET...

however
2: Lets assume the question means if Server 2 is also moved as well, or if there is a VPN\Express Route:

You don't want to give a DC a DHCP IP but you are going to have to!:
-10.0.2.1 and 192.168.2.1 are not in any defined subnet in the vNET.
-10.0.1.3 is a reserved IP in a /24 network and can not be assigned
https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-faq

You need to point DNS for any domain members to the DC for AD DNS resolution so it has to be a Custom IP (of whatever gets assigned to
DC1). (Private DNS zones don't support Active Directory DNS Zone Integration).

Just pray no one shuts down DC1 and it gets a different IP when it starts up.

Who decides the answers to these questions? This one couldn't be more wrong.
upvoted 4 times

  SimoneP 9 months, 3 weeks ago


I like your answer but:
For environments where name resolution across Azure and on-premises is required, it is recommended to use DNS Private Resolver
service along with Azure Private DNS Zones. It offers many benefits over virtual machines based DNS solution, including cost reduction,
built-in high availability, scalability, and flexibility. so I go with "Create an Azure Private DNS zone"
upvoted 1 times

  SimoneP 9 months, 3 weeks ago


Ref: https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/dns-for-on-premises-and-azure-resources
upvoted 1 times

  zellck 1 year ago


1. Obtain an IP address automatically
2. Create an Azure Private DNS zone named contoso.com

https://learn.microsoft.com/en-us/azure/dns/private-dns-overview
Azure Private DNS provides a reliable and secure DNS service for your virtual network. Azure Private DNS manages and resolves domain
names in the virtual network without the need to configure a custom DNS solution. By using private DNS zones, you can use your own
custom domain name instead of the Azure-provided names during deployment. Using a custom domain name helps you tailor your virtual
network architecture to best suit your organization's needs. It provides a naming resolution for virtual machines (VMs) within a virtual
network and connected virtual networks.
upvoted 4 times

  GBAU 1 year ago


https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances#name-resolution-that-uses-your-own-dns-server

VMs and role instances


Your name resolution needs might go beyond the features provided by Azure. For example, you might need to use Microsoft Windows
Server Active Directory domains, resolve DNS names between virtual networks. To cover these scenarios, Azure enables you to use your
own DNS servers.

Private DNS Zones do not support Active Directory Integration


upvoted 2 times

  zellck 1 year ago


https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances
Azure DNS private zones is the preferred solution and gives you flexibility in managing your DNS zones and records.
upvoted 1 times

  SedateBloggs 12 months ago


you don't use private DNS zones for AD DS: https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances
and quoting "Your name resolution needs might go beyond the features provided by Azure.
For example, you might need to use Microsoft Windows Server Active Directory domains, resolve DNS names between virtual
networks. To cover these scenarios, Azure enables you to use your own DNS servers.". This would lend itself to Auto IP and using
custom DNS - NOT private zones
upvoted 2 times

  DeBoer 1 year ago


Best practise is to always have VMs in Azure assigned automatically. For a DC it makes sense to reserve the address in the "sort of DHCP"
Azure does so it always gets the same one ;-)

You can also eliminate the answers quite easily:


Azure reserves the first four and last IP address for a total of 5 IP addresses within each subnet. So 10.0.1.3/24 can't be used;
10.0.2.1 is also in the first 5 of another subnet - so can't use that either.
192.168.2.1 isn't even in the address space...

As to the custom DNS, yes, point the VNET at the custom DNS server (the DC). Bonus points if you point the DNS settings on the DC's VM
to Azure's DNS servers in the VM's properties (saves you a lot of work in resolving private DNS zones of e.g. Private Endpoints ;-) )
upvoted 4 times

  ant650 1 year ago


Should be obtain automatically. x.x.x.1 is reserved for gateway, x.x.x.2-3 reserved for Azure DNS
upvoted 1 times

  bouk75 1 year, 1 month ago


IP address: 10.0.1.3 shouldn't be able to be used
Azure reserves the first four and last IP address for a total of 5 IP addresses within each subnet.

For example, the IP address range of 192.168.1.0/24 has the following reserved addresses:

192.168.1.0 : Network address


192.168.1.1 : Reserved by Azure for the default gateway
192.168.1.2, 192.168.1.3 : Reserved by Azure to map the Azure DNS IPs to the VNet space
192.168.1.255 : Network broadcast address.
upvoted 9 times

  elrizos 10 months, 2 weeks ago


Correct
https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-faq#are-there-any-restrictions-on-using-ip-addresses-within-these-subnets
upvoted 1 times

  Ashfaque_9x 1 year, 1 month ago


I feel the correct answers are
IP address: 10.0.1.3
Name Resolution: Configure VNET1 to use a custom DNS server
upvoted 7 times

  lulzsec2019 8 months, 1 week ago


I see you posted you got very high score in this exam. So this is one of the questions you got the wrong answer? hehe
upvoted 1 times

  wpestan 1 year, 1 month ago


i believe is correct
-IP 10.0.1.3 same range new network o IPv4: 10.0.1.0/24
-create a private dns contoso.com
upvoted 2 times

  wpestan 1 year, 1 month ago


- create can be wrong, it's better to use a custom dns
upvoted 3 times

  zellck 1 year ago


https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances
Azure DNS private zones is the preferred solution and gives you flexibility in managing your DNS zones and records.
upvoted 1 times
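
The elimination several commenters walk through for the static-IP options in Question #107 (address space 10.0.0.0/16, Subnet1 10.0.1.0/24, first four and last address reserved) can be reproduced with Python's standard `ipaddress` module. This is an added example, not part of the question or of any commenter's post; the function names are hypothetical and the /29 lower bound on subnet size is an assumption taken from the Azure virtual network FAQ.

```python
import ipaddress

# Values stated in the question.
VNET_SPACE = ipaddress.ip_network("10.0.0.0/16")
SUBNET1 = ipaddress.ip_network("10.0.1.0/24")


def azure_reserved(subnet):
    """Map each of the five addresses Azure reserves in a subnet to its role."""
    if subnet.prefixlen > 29:
        # Assumption: /29 is the smallest IPv4 subnet Azure accepts.
        raise ValueError(f"{subnet} is smaller than /29")
    base = subnet.network_address
    return {
        base: "network address",
        base + 1: "default gateway",
        base + 2: "Azure DNS mapping",
        base + 3: "Azure DNS mapping",
        subnet.broadcast_address: "network broadcast address",
    }


def classify(candidate, vnet=VNET_SPACE, subnet=SUBNET1):
    """Say whether a private IP could be assigned to a NIC in the subnet."""
    ip = ipaddress.ip_address(candidate)
    if ip not in vnet:
        return "outside VNet address space"
    if ip not in subnet:
        return "outside subnet"
    role = azure_reserved(subnet).get(ip)
    if role is not None:
        return f"reserved: {role}"
    return "assignable"


def assignable_range(subnet):
    """Return (first, last, count) of addresses left after the reserved five."""
    reserved = azure_reserved(subnet)
    # Iterating a network yields every address, including network and broadcast.
    usable = [ip for ip in subnet if ip not in reserved]
    return str(usable[0]), str(usable[-1]), len(usable)


if __name__ == "__main__":
    # The three static options discussed in the thread, plus the first free address.
    for candidate in ("10.0.1.3", "10.0.2.1", "192.168.2.1", "10.0.1.4"):
        print(candidate, "->", classify(candidate))
    print(assignable_range(SUBNET1))
```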
Question #108 Topic 5

You have five Azure virtual machines that run Windows Server 2016. The virtual machines are configured as web servers.

You have an Azure load balancer named LB1 that provides load balancing services for the virtual machines.

You need to ensure that visitors are serviced by the same web server for each request.

What should you configure?

A. Session persistence to None

B. a health probe

C. Session persistence to Client IP

D. Idle Time-out (minutes) to 20

Correct Answer: C

Community vote distribution


C (100%)

  lulek Highly Voted  8 months, 2 weeks ago

My favourite question - I always get it right! ;)


upvoted 18 times

  Naywonni 8 months ago


me too haha
upvoted 3 times

  curtmcgirt Highly Voted  11 months, 4 weeks ago

i hope i get this question on the exam half as often as it appears here.
upvoted 10 times

  Indy429 Most Recent  1 month, 3 weeks ago

Another one... I can dream the answer at this point


upvoted 1 times

  james2033 5 months, 2 weeks ago


Selected Answer: C

Quote "Client IP (2-tuple) - Specifies that successive requests from the same client IP address are handled by the same backend instance."
at https://learn.microsoft.com/en-us/azure/load-balancer/distribution-mode-concepts#session-persistence .
upvoted 1 times

  MonkeyMan89 6 months, 3 weeks ago


My favorite! Hope I get it like 8 times on the exam too.
upvoted 1 times

  fessebook 7 months ago


That question again! You must be kidding me...
upvoted 2 times

  SIAMIANJI 9 months, 2 weeks ago


Selected Answer: C

C is correct.
upvoted 1 times

  zellck 1 year ago


Same as Question 116.
https://www.examtopics.com/discussions/microsoft/view/95628-exam-az-104-topic-5-question-116-discussion
upvoted 1 times

  zellck 1 year ago

Selected Answer: C

C is the answer.

https://learn.microsoft.com/en-us/azure/load-balancer/distribution-mode-concepts
Session persistence: Client IP
- Traffic from the same client IP is routed to the same backend instance
upvoted 2 times

  B0SS930 1 year ago


Imagine this question not to be asked in the exam itself.
upvoted 4 times

  Notteb 1 year ago

Selected Answer: C

this question is maybe 10 times in this dump.


upvoted 5 times

  Ashfaque_9x 1 year, 1 month ago

Selected Answer: C

Correct Answer
C. Session persistence to Client IP
upvoted 4 times

  Bigc0ck 1 year, 1 month ago


Similar question on the test
upvoted 2 times
Question #109 Topic 5

You have an Azure subscription that contains the virtual networks shown in the following table.

You need to deploy an Azure firewall named AF1 to RG1 in the West US Azure region.

To which virtual networks can you deploy AF1?

A. VNET1, VNET2, VNET3, and VNET4

B. VNET1 and VNET2 only

C. VNET1 only

D. VNET1, VNET2, and VNET4 only

E. VNET1 and VNET4 only

Correct Answer: C

Community vote distribution


C (73%) E (26%)

  Ashfaque_9x Highly Voted  1 year, 1 month ago

Selected Answer: C

C. VNET1 only

No idea why people are saying option E as the question clearly states that "You need to deploy an Azure firewall named AF1 to RG1 in the
West US", so RG1 in the West US region means the correct answer is C(VNET1).
upvoted 44 times

  r3nenge 1 year ago


Are there any firewall resource group restrictions?
Yes. The firewall, VNet, and the public IP address all must be in the same resource group.
https://learn.microsoft.com/en-us/azure/firewall/firewall-faq
upvoted 26 times

  AK4U 11 months, 2 weeks ago


THANK YOU!
upvoted 5 times

  kilobaik 11 months, 2 weeks ago


You're right

"Are there any firewall resource group restrictions? Yes. The firewall, VNet, and the public IP address all must be in the same resource
group."

https://learn.microsoft.com/en-us/azure/firewall/firewall-faq#are-there-any-firewall-resource-group-restrictions
upvoted 11 times

  mmarkiew 4 months ago


Also just confirmed in Lab. I couldn't deploy the firewall to a different resource group than the VNET. Got the following error: "Azure
Firewall cannot be used with a from a different resource group." The error message in Azure Portal is also a bit off - I assume it
should read "...with a VNET from...".
upvoted 4 times

  garmatey 9 months, 2 weeks ago


But it says which virtual networks *can* you deploy AF1....
upvoted 3 times

  biscaldis 1 year ago


That's correct. This is the only case in which the resource group must be the same
https://learn.microsoft.com/en-us/azure/firewall/firewall-faq#are-there-any-firewall-resource-group-restrictions
upvoted 3 times
  Muffay Highly Voted  1 year, 1 month ago

Selected Answer: E

Should be E - Vnet 1 and Vnet 4.

As all resources, the resource group is just a logical grouping and the real limitations do come from the region. An Azure Firewall can be
used with peered networks, but as the question does not mention peering the firewall cannot be applied to networks in another region.
"You can deploy Azure Firewall on any virtual network, but customers typically deploy it on a central virtual network and peer other virtual
networks to it in a hub-and-spoke model. You can then set the default route from the peered virtual networks to point to this central
firewall virtual network. Global VNet peering is supported, but it isn't recommended because of potential performance and latency issues
across regions. For best performance, deploy one firewall per region."

I also just tried it out, I cannot connect an Azure Firewall to a VNET which is in another region.
upvoted 15 times

  RougePotatoe 1 year ago


Are there any firewall resource group restrictions?
Yes. The firewall, VNet, and the public IP address all must be in the same resource group.

https://learn.microsoft.com/en-us/azure/firewall/firewall-faq#are-there-any-firewall-resource-group-restrictions
upvoted 5 times

  rnd3131 Most Recent  3 weeks, 1 day ago

details details details


upvoted 1 times

  Arthur_zw 3 weeks, 2 days ago


Google Bard

No, the Azure Firewall itself cannot belong to a different resource group than the resource group it protects. Azure Firewall requires tight
integration with the resources it secures, including virtual networks and subnets. This integration isn't possible if the firewall resides in a
separate resource group.

Azure Firewall needs to be deployed in the same resource group as the resources it protects for several reasons:

Policy enforcement: Azure Firewall applies its network security policies to resources within the same resource group. Placing it in a
different group weakens its ability to effectively secure those resources.

Resource association: Certain features of Azure Firewall, like IP Groups and Application Rules, require direct association with resources
within the same resource group.

Management and access control: Managing and controlling access to Azure Firewall is easier when it's within the same resource group as
the resources it protects.
upvoted 1 times

  houzer 1 month, 2 weeks ago


Selected Answer: C

E is not correct, I have tested this in my LAB. When you try to create an Azure Firewall in RG1, you cannot select the VNET in RG2. It will
actually tell you "Azure Firewall cannot be used with a VNET from a different resource group".

Therefore, the correct answer is C - VNET1 only as it is deployed in RG1.

https://learn.microsoft.com/en-us/azure/firewall/firewall-faq#are-there-any-firewall-resource-group-restrictions
upvoted 3 times

  RandomNickname 7 months, 3 weeks ago


Selected Answer: C

C: seems most relevant here as per comments here and the links provided confirming restrictions implementing Azure Firewall

https://learn.microsoft.com/en-us/azure/firewall/firewall-faq#are-there-any-firewall-resource-group-restrictions
upvoted 1 times

  Rwj 8 months, 3 weeks ago


VNET 1 Only
Yes. The firewall, VNet, and the public IP address all must be in the same resource group.
upvoted 1 times

  SIAMIANJI 9 months, 2 weeks ago

Selected Answer: C

C is correct.
upvoted 1 times

  RDIO 9 months, 3 weeks ago

Selected Answer: C

https://learn.microsoft.com/en-us/azure/firewall/firewall-faq#are-there-any-firewall-resource-group-restrictions:~:text=Yes.%20The%20firewall%2C%20VNet%2C%20and%20the%20public%20IP%20address%20all%20must%20be%20in%20the%20same%20resource%20group.
upvoted 2 times

  madao322 11 months ago


Selected Answer: C

Firewall must be in the same RG with other needed resources. MS allows you to allocate resources in different RG/location/VNet but many
of them just don't work. Additionally, moving resources will also cause undesirable system errors as well. TBH, that is not understandable
upvoted 3 times

  AK4U 11 months, 2 weeks ago


Microsoft's words: "Are there any firewall resource group restrictions?
Yes. The firewall, VNet, and the public IP address all must be in the same resource group."

Source:
https://learn.microsoft.com/en-us/azure/firewall/firewall-faq#are-there-any-firewall-resource-group-restrictions
upvoted 2 times

  CyberKelev 11 months, 2 weeks ago


Selected Answer: B

Same region and resource group as af1


upvoted 1 times

  NIOBruno 12 months ago

Selected Answer: C

C: Is correct
upvoted 1 times

  herodes 12 months ago

Selected Answer: C

It states you need to deploy to RG1 and West US, based on this there is only one solution and it's VNET1
upvoted 1 times

  RougePotatoe 1 year ago


Here's a funny thing. The Faqs page I've been posting is incorrect. I was able to create a firewall with the public IP address in another RG
but in the same region.

The firewall must be in the same region and RG as the vNet.


The firewall does not need to be in the same RG as the public ip address.
The firewall does need to be in the same region as the public ip address.
upvoted 5 times

  r3nenge 1 year ago

Selected Answer: C

Are there any firewall resource group restrictions?


Yes. The firewall, VNet, and the public IP address all must be in the same resource group.
https://learn.microsoft.com/en-us/azure/firewall/firewall-faq
upvoted 3 times

  zellck 1 year ago


C is the answer.

"RG1 in the West US Azure region"


upvoted 3 times

  RougePotatoe 1 year ago


Are there any firewall resource group restrictions?
Yes. The firewall, VNet, and the public IP address all must be in the same resource group.

https://learn.microsoft.com/en-us/azure/firewall/firewall-faq#are-there-any-firewall-resource-group-restrictions
upvoted 2 times

  zellck 1 year ago


Isn't C the answer then? =)
upvoted 1 times

Question #110 Topic 5

You have an on-premises network.

You have an Azure subscription that contains three virtual networks named VNET1, VNET2, and VNET3. The virtual networks are peered and connected to the on-premises network. The subscription contains the virtual machines shown in the following table.

You need to monitor connectivity between the virtual machines and the on-premises network by using Connection Monitor.

What is the minimum number of connection monitors you should deploy?

A. 1

B. 2

C. 3

D. 4

Correct Answer: B

Community vote distribution


B (76%) A (22%)

  dagomo Highly Voted  1 year ago

Selected Answer: B

Connection monitor resource: A region-specific Azure resource.

https://learn.microsoft.com/en-us/azure/network-watcher/connection-monitor-create-using-portal#before-you-begin
upvoted 23 times

  vbohr899 Highly Voted  11 months, 3 weeks ago

Cleared Exam today 26 Feb, This question was there in exam.


upvoted 16 times

  shrsrm95 5 months, 1 week ago


so what? you could've passed while getting this specific question wrong
upvoted 5 times

  werdy92 11 months, 2 weeks ago


So you came back, scrolled through all of the ~450 questions until you found the ones which were in your exam and posted this
because of altruism? I don't think so.
upvoted 41 times

  ldenis 1 month, 1 week ago


You should thank him instead
upvoted 1 times

  rugoki 8 months, 1 week ago


good notice my loyal minion!

that creature has posted the same message on 34 questions. I have used the power of google to track it! It's a marketing bot, or a very
strange being
upvoted 5 times

  Mustapha_Hadrich 7 months, 2 weeks ago


you are right !!
upvoted 1 times

  AK4U 11 months, 2 weeks ago


Why wouldn't you believe that? This is a great deed from someone who just took the exam and is back to help the others. I
appreciate this.
upvoted 20 times

  PhoenixAscending Most Recent  1 week, 6 days ago

Selected Answer: B

This was on my exam. I think the suggested answer to the question is correct.
upvoted 1 times

  SgtDumitru 2 months, 2 weeks ago


As for now - correct response is A - 1.
When it comes to the MS Azure Docs, they barely mention a case like this. But they say that it is Cross-Region and Cross-Workspace.
The line which says "A region-specific Azure resource" is for the service itself, where it is going to deploy, store logs, etc., not for the regions
which it can monitor.
upvoted 1 times

  chair123 4 months, 1 week ago


So what is the answer A or B? :)
upvoted 1 times

  chair123 4 months, 1 week ago


I think answer is A = 1 Connection monitor will be enough since Vnets are peered

Also, here says max Connection non per region is 100


https://learn.microsoft.com/en-us/azure/network-watcher/connection-monitor-create-using-portal#scale-limits
upvoted 1 times

  nmnm22 4 months, 3 weeks ago


this question came in the exam 25/9/2023
upvoted 4 times

  ed79 7 months, 1 week ago


Its B
Region: Select a region for your connection monitor. You can select only the source VMs that are created in this region.
https://learn.microsoft.com/en-us/azure/network-watcher/connection-monitor-create-using-portal#before-you-begin
upvoted 2 times

  raj24051961 7 months, 2 weeks ago

Selected Answer: B

Connection monitor resource: A region-specific Azure resource.


All the following entities are properties of a connection monitor resource.
https://learn.microsoft.com/en-us/azure/network-watcher/connection-monitor-create-using-portal
upvoted 1 times

  alexander_890512 8 months, 2 weeks ago


Answer: B

Select a region for your connection monitor. You can select only the source VMs that are created in this region.

As we have two regions, we need to create two connection monitors.

https://learn.microsoft.com/en-us/azure/network-watcher/connection-monitor-create-using-portal#create-a-connection-monitor
upvoted 5 times

  kalyan1986 9 months ago


I checked the portal https://learn.microsoft.com/en-us/azure/network-watcher/connection-monitor-create-using-portal
The unique parameter is the "region" while creating a connection monitor and nothing else.
Since we have 2 regions in this question, the answer should be 2
upvoted 1 times

  Goofer 10 months, 2 weeks ago


Selected Answer: B

2 regions = 2 connection monitors


upvoted 2 times

  Rams_84zO6n 10 months, 2 weeks ago


Selected Answer: A

For sure. https://learn.microsoft.com/en-us/azure/network-watcher/connection-monitor-overview . One connection monitor instance can
connect (a) on-premise network (b) VMs, VMSS (with NW extensions). I don't think region would matter given VNETs are peered and have
on-premise connectivity.
upvoted 1 times

  Leunis 10 months, 3 weeks ago


Selected Answer: A

The key is in the VNET peering. Only 1 monitor is required technically.


upvoted 1 times

  bsaksham 10 months, 3 weeks ago
You should deploy at least 2 connection monitors: one to monitor connectivity between the virtual machines in VNET1 and the on-
premises network, and another one to monitor connectivity between the virtual machine in VNET2 and the on-premises network. The
virtual machine in VNET3 is not connected to the on-premises network, so it does not need to be monitored for connectivity to it.

Therefore, the answer is B. 2.


upvoted 2 times

  CyberKelev 11 months, 2 weeks ago


Selected Answer: C

Because Vnet1,VNET2, vnet3


upvoted 1 times

  djgodzilla 11 months, 3 weeks ago


B likely but the Doc sucks nonetheless
Connection monitor resource: A region-specific Azure resource. All the following entities are properties of a connection monitor resource.
https://learn.microsoft.com/en-us/azure/network-watcher/connection-monitor-overview
upvoted 2 times

  not_mlantonis 11 months, 3 weeks ago


Answer is B, 2.

Network Watcher can monitor cross-region traffic, but it is enabled on a regional basis.

https://learn.microsoft.com/en-us/azure/network-watcher/connection-monitor-overview

All subscriptions that have a virtual network are enabled with Network Watcher. When you create a virtual network in your subscription,
Network Watcher is automatically enabled in the virtual network's region and subscription. This automatic enabling doesn't affect your
resources or incur a charge. Ensure that Network Watcher isn't explicitly disabled on your subscription.
upvoted 6 times

Question #111 Topic 5

HOTSPOT

You plan to deploy the following Azure Resource Manager (ARM) template.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.

Correct Answer:

  FabrityDev Highly Voted  1 year, 1 month ago

I would say that the correct answer is NO NO NO.

Box 1: instead of "netname" there should be the value of netname variable


Box 2: I don't see Resource Group mentioned anywhere in the template
Box 3: I don't see parameters being referred anywhere in the template, only variables are referred, e.g. "sku" variable.
upvoted 28 times

  Indy429 1 month, 3 weeks ago


You're wrong
Box 2 = YES
There's only one resource group specified: East US. So from the template it will be automatically assumed that it needs to find the
resource in the one you're deploying to. reference:
https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/template-functions-resource#remarks-3
upvoted 1 times

  pino1 1 year, 1 month ago


Box 1: No - "netname" is the name of the variable
Box 2: No - the LB must be in the same region as the virtual network, but the Resource group can be anywhere
Box 3: No - There are no parameter defined in the template
upvoted 13 times

  VinayV 10 months, 3 weeks ago


You have posted the question with wrong answer?
upvoted 1 times

  DeBoer Highly Voted  1 year ago

It's NO - YES - NO

Box 1: NO - the value of 'netname' is 'App1', so it's created in the App1 subnet (not netname)
Box 2: YES - There's no OTHER resource groups specified so it assumes it needs to find the resource in the one you're deploying to.
reference: https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/template-functions-resource#remarks-3
Box 3: NO - 'sku' is a variable, not a parameter - so you can't use it as a parameter.
upvoted 20 times

  Batiste2023 3 months ago


The resourceId property that the source that you reference is talking about is not mentioned in the template in the question. So I don't
see how it applies here.
upvoted 1 times

  Batiste2023 3 months ago


Ok, I didn't look properly at first, resourceId is mentioned in the variables section. I still don't see the added value of the source you
quote - but I do agree that the correct answer would be NYN.
upvoted 2 times

  Alandt Most Recent  1 month, 1 week ago

I get so tired of these "yes or no" questions. It's basically 3 questions in 1. Disgusting material.
upvoted 3 times

  ValB 1 month, 2 weeks ago


For question 2:

This link (the error described in it and the cause for it described in the answer) suggest that the load balancer and the VNET must be in the
same RG:
https://learn.microsoft.com/en-us/answers/questions/203973/problem-creating-an-azure-internal-load-balancer-w

So the answer to Q2 would be YES.


upvoted 1 times

  MEG_Florida 6 months, 1 week ago


1: No
2: Yes -- I know its worded poorly, but for it to work the answer is yes it must be deployed there. I believe the intent is to demonstrate that
it has to be in the same RG as VNET1, even though I know it wasn't called out what RG.
3: No
upvoted 4 times

  WimTS 6 months, 1 week ago


N,Y,N
Since VNET1 is supplied as a variable, it will search it in the RG you are deploying it to.
If it would need to be in another RG, you would need to specify the complete path no?
So it needs to be in the same RG as where you deploy the LB
upvoted 3 times

  Josete1106 6 months, 4 weeks ago


All No! Thanks!
upvoted 2 times

  Azure_2023 7 months, 1 week ago


Q2: NO

https://learn.microsoft.com/en-us/azure/load-balancer/move-across-regions-internal-load-balancer-portal
'Resource group to choose the resource group where the target load balancer will be deployed. You can select Create new to create a new
resource group for the target internal load balancer or choose the existing resource group that was created above for the virtual network.
Ensure the name isn't the same as the source resource group of the existing source internal load balancer.'
upvoted 1 times

  RandomNickname 7 months, 3 weeks ago


N,Y,N

Box1: As others have said. No, netname is the variable so App1

Box2: Yes. On creation you'll need to specify the vnet RG.


See below URL for reference.
https://learn.microsoft.com/en-us/azure/load-balancer/quickstart-load-balancer-standard-public-portal
Box 3: No, can't have a variable as a parameter.
upvoted 1 times

  ValB 1 month, 2 weeks ago


I went through the linked page you provided, and while it chooses the same RG for vnet and load balancer, it might do that only for
convenience. It does not state anywhere in that page that the RG must be the same.
upvoted 1 times

  Doman01 10 months, 2 weeks ago


NO-YES-NO

Yes, Azure Load Balancer must be in the same resource group as the virtual network (vnet) it is being used with. This is because Load
Balancer is a resource that is used to distribute incoming network traffic across multiple virtual machines (VMs) in a backend pool. The
VMs in the backend pool must also be in the same resource group as the Load Balancer and vnet.

When you create a Load Balancer, you must specify the vnet it will be used with, and the resource group that both the Load Balancer and
vnet belong to. If you try to create a Load Balancer in a different resource group than the vnet, you will receive an error message.

It's important to note that while the Load Balancer and vnet must be in the same resource group, they can be in different regions.
However, for optimal performance, it's recommended to keep them in the same region to minimize latency.
upvoted 4 times

  sardonique 4 months, 3 weeks ago


you don't really know what you're talking about. RSG are logical containers only
upvoted 1 times

  werdy92 11 months, 2 weeks ago
N - netname will be resolved to App1
Y - the answer uses incorrectly "the resource group" when "a resource group" was meant. It is obvious that a VNET with name VNET1 is
needed here since it is the value of the variable. So this VNET must be present in whatever RG this will be deployed to. It does not matter
that there is no mention of resource groups.
N - sku is not a parameter
upvoted 7 times

  CyberKelev 11 months, 2 weeks ago


Yes, no, yes
upvoted 1 times

  ChakaZilly 12 months ago


Second box, Yes: if question is read as: "LB1 can be deployed only to a resource group that contains a VNET named VNET1" because ARM-
templates requires a VNET named VNET1.
upvoted 3 times

  zellck 1 year ago


NNN is the answer.

https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/variables
https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/parameters
upvoted 4 times

  zellck 1 year ago


1. subnet name is "APP1".
2. no RG defined.
3. sku is a variable and fixed as "Standard" already.
upvoted 1 times

  Mo22 1 year ago


No;No;Yes
upvoted 2 times

  DanSuaricius 1 year, 1 month ago


Answers are: NO NO NO
Box 1: No - The name of the subnet indicated in the template is APP1
Box 2: No - No reference about the Resource Group
Box 3: No - The label "Parameters" is empty so there are no parameter defined for this template.
upvoted 4 times

Question #112 Topic 5

You have an Azure subscription that contains a storage account. The account stores website data.

You need to ensure that inbound user traffic uses the Microsoft point-of-presence (POP) closest to the user's location.

What should you configure?

A. private endpoints

B. Azure Firewall rules

C. Routing preference

D. load balancing

Correct Answer: C

Community vote distribution


C (94%) 6%

  Muffay Highly Voted  1 year, 1 month ago

Selected Answer: C

C is correct.
https://learn.microsoft.com/en-us/azure/storage/common/network-routing-preference#microsoft-global-network-versus-internet-routing
upvoted 18 times

  FabrityDev 1 year, 1 month ago


I agree, the source provided justifies this choice in my opinion.
upvoted 3 times

  [Removed] Highly Voted  10 months, 2 weeks ago

Selected Answer: C

The correct option to configure for ensuring inbound user traffic uses the Microsoft point-of-presence (POP) closest to the user's location
is option C, Routing preference.

Routing preference in Azure Traffic Manager allows you to specify how to route traffic to your Azure service endpoints based on various
criteria, such as the geographic location of the client or the endpoint, the performance of the endpoint, or the priority of the endpoint.

By configuring routing preference, you can direct incoming user traffic to the Microsoft point-of-presence (POP) closest to the user's
location, ensuring the best possible user experience. This can be achieved by selecting the "Performance" routing method in Azure Traffic
Manager, which uses DNS-based traffic routing to direct users to the endpoint that offers the best performance from the user's location.
upvoted 8 times

  OrangeSG 3 months, 2 weeks ago


Network routing preference for Azure Storage
https://learn.microsoft.com/en-us/azure/storage/common/network-routing-preference#microsoft-global-network-versus-internet-routing

You can choose between the Microsoft global network and internet routing as the default routing preference for the public endpoint of
your storage account.

By default, clients outside of the Azure environment access your storage account over the Microsoft global network. The Microsoft
global network is optimized for low-latency path selection to deliver premium network performance with high reliability. Both inbound
and outbound traffic are routed through the point of presence (POP) that is closest to the client.
upvoted 1 times

  PhoenixAscending Most Recent  1 week, 6 days ago

Selected Answer: C

This was on my exam recently.


upvoted 1 times

  Ahkhan 3 months ago


Routing Preference is the answer. This question came on 11/14 in my exam.
upvoted 2 times

  djgodzilla 11 months, 3 weeks ago


https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/routing-preference-overview
upvoted 1 times

  djgodzilla 11 months, 3 weeks ago
C obviously.
upvoted 2 times

  zellck 1 year ago

Selected Answer: C

C is the answer.

https://learn.microsoft.com/en-us/azure/storage/common/network-routing-preference#microsoft-global-network-versus-internet-routing
By default, clients outside of the Azure environment access your storage account over the Microsoft global network. The Microsoft global
network is optimized for low-latency path selection to deliver premium network performance with high reliability. Both inbound and
outbound traffic are routed through the point of presence (POP) that is closest to the client. This default routing configuration ensures
that traffic to and from your storage account traverses over the Microsoft global network for the bulk of its path, maximizing network
performance.
upvoted 2 times

  er101q 1 year ago


D. load balancing.

To ensure that inbound user traffic uses the Microsoft point-of-presence (POP) closest to the user's location, you should configure load
balancing. Azure Traffic Manager provides global load balancing for the endpoint for the storage account, routing traffic to the closest
Microsoft POP based on the lowest latency.
upvoted 1 times

  DeBoer 1 year ago


you're right in that an LB will use the closest POP. But: you can't put a storage account behind a LB (okay, you can, if you use the SA as a
static website, but that's pretty out of scope here, I think - and you'd better use CDN for that anyways)
upvoted 1 times

  FabrityDev 1 year, 1 month ago

Selected Answer: C

The article linked by Muffay explains it well enough why it should be C.


upvoted 3 times

  Ashfaque_9x 1 year, 1 month ago


Selected Answer: A

A. Private endpoints
https://intellipaat.com/blog/how-to-use-azure-cdn/#no5
upvoted 1 times

  khaled_razouk 1 year, 1 month ago

Selected Answer: A

A. private endpoints
To ensure that inbound user traffic uses the Microsoft point-of-presence (POP) closest to the user's location, you should configure Azure
Traffic Manager for your storage account
Routing preference is not a valid option for ensuring that inbound user traffic uses the Microsoft point-of-presence (POP) closest to the
user's location.
upvoted 1 times

  FabrityDev 1 year, 1 month ago


I don't agree. Private endpoints are used to limit exposure to the public internet. If you check
https://learn.microsoft.com/en-us/azure/storage/common/storage-private-endpoints
you will see that POP is not mentioned anywhere in the article. On the other hand, network routing preference is related directly to POP
used.
upvoted 1 times

  Muffay 1 year, 1 month ago


Can you provide a source for that statement?
upvoted 1 times

Question #113 Topic 5

You have two Azure virtual machines named VM1 and VM2 that run Windows Server. The virtual machines are in a subnet named Subnet1.

Subnet1 is in a virtual network named VNet1.

You need to prevent VM1 from accessing VM2 on port 3389.

What should you do?

A. Create a network security group (NSG) that has an outbound security rule to deny destination port 3389 and apply the NSG to the network interface of VM1.

B. Configure Azure Bastion in VNet1.

C. Create a network security group (NSG) that has an outbound security rule to deny source port 3389 and apply the NSG to Subnet1.

D. Create a network security group (NSG) that has an inbound security rule to deny source port 3389 and apply the NSG to Subnet1.

Correct Answer: A

Community vote distribution


A (89%) 11%

  AK4U Highly Voted  11 months, 2 weeks ago

Answer is correct. However, it will prevent VM1 from connecting to any machine using 3389, not just VM2
upvoted 13 times

  Rams_84zO6n 10 months, 2 weeks ago


The rule could be further tightened by specifying both source and destination in the rule. That would address your concern.
upvoted 3 times

  GBAU Highly Voted  1 year ago

A: The rule works although it will prevent VM1 from connecting to anything on 3389 the way it is described in the question (no limit to the
destination IP detailed).

Configuring a Bastion will do nothing to prevent VM1 from accessing VM2 in any way.

C & D are wrong as they are SOURCE port Deny not destination port Deny.
A connection to remote port of 3389 is not going to be from a source port of 3389 (especially if RDP is already listening on these VMs as
that port will be unavailable as a source port), it could be any port in 1024-65535.
upvoted 7 times
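The rule matching that GBAU and AK4U describe above, as an added example that is not part of the original thread: a small Python model of NSG evaluation for options A, C and D, plus the destination-scoped variant of A. The IP addresses, the ephemeral source port and all names are constructed, and the model reduces the NSG default rules to the VNet-to-VNet allow.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed addresses: three VMs in Subnet1 of VNet1 (OTHER_VM is hypothetical).
VM1, VM2, OTHER_VM = "10.0.1.4", "10.0.1.5", "10.0.1.6"


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int                    # lower number is evaluated first
    direction: str                   # "Inbound" or "Outbound"
    access: str                      # "Allow" or "Deny"
    src_port: Optional[int] = None   # None means "*"
    dst_port: Optional[int] = None
    dst_ip: Optional[str] = None

    def matches(self, flow: Flow) -> bool:
        return (self.src_port in (None, flow.src_port)
                and self.dst_port in (None, flow.dst_port)
                and self.dst_ip in (None, flow.dst_ip))


def nsg_allows(rules: List[Rule], flow: Flow, direction: str) -> bool:
    """First matching custom rule by priority wins. If none matches, the
    default AllowVnetInBound/AllowVnetOutBound rule applies, because both
    endpoints of every flow modelled here are in the same virtual network."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.direction == direction and rule.matches(flow):
            return rule.access == "Allow"
    return True


def flow_allowed(flow: Flow, src_nic_nsg: List[Rule], subnet_nsg: List[Rule]) -> bool:
    """Intra-subnet path: source NIC NSG (outbound), then the subnet NSG
    outbound, then the same subnet NSG inbound on the way to the target."""
    return (nsg_allows(src_nic_nsg, flow, "Outbound")
            and nsg_allows(subnet_nsg, flow, "Outbound")
            and nsg_allows(subnet_nsg, flow, "Inbound"))


# option name -> (NSG on VM1's network interface, NSG on Subnet1)
OPTIONS: Dict[str, Tuple[List[Rule], List[Rule]]] = {
    "A": ([Rule("DenyRdpOut", 100, "Outbound", "Deny", dst_port=3389)], []),
    "A_scoped": ([Rule("DenyRdpToVm2", 100, "Outbound", "Deny",
                       dst_port=3389, dst_ip=VM2)], []),
    "C": ([], [Rule("DenySrc3389Out", 100, "Outbound", "Deny", src_port=3389)]),
    "D": ([], [Rule("DenySrc3389In", 100, "Inbound", "Deny", src_port=3389)]),
}


def evaluate_options() -> Dict[str, Tuple[bool, bool]]:
    """For each option: (RDP from VM1 to VM2 allowed, RDP from VM1 to OTHER_VM allowed)."""
    # An RDP client connects from an ephemeral source port, not from 3389.
    to_vm2 = Flow(VM1, 50123, VM2, 3389)
    to_other = Flow(VM1, 50124, OTHER_VM, 3389)
    return {
        name: (flow_allowed(to_vm2, nic, subnet), flow_allowed(to_other, nic, subnet))
        for name, (nic, subnet) in OPTIONS.items()
    }


if __name__ == "__main__":
    for name, (vm2_ok, other_ok) in evaluate_options().items():
        print(f"{name}: VM1->VM2:3389 allowed={vm2_ok}, VM1->other:3389 allowed={other_ok}")
```

The source-port rules in C and D never match the flow, so the connection falls through to the default allow; only the destination-port rules block it, and only the scoped variant leaves RDP to other hosts working.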

  CyberKelev Most Recent  11 months, 2 weeks ago

Selected Answer: D

D. Create a network security group (NSG) that has an inbound security rule to deny source port 3389 and apply the NSG to Subnet1.
upvoted 1 times

  shimondaz 5 months ago


that won't prevent vm1 from accessing vm2 on 3389 since VM1 and vm2 are on the same subnet, NSG assigned on the subnet would
prevent access from outside the subnet.
upvoted 1 times

  Elm2021 8 months, 2 weeks ago


I thought the same but it is just that, with D, Both Devices (VM1 And VM2) will be restricted to access the same Port.
upvoted 2 times

  mdwSysOps 11 months, 3 weeks ago


Correct Answer is A, however it will prevent VM1 from connecting using RDP not only to VM2 but to any other VM created...to my
understanding is a poorly designed rule, but it will work.
upvoted 2 times

  djgodzilla 11 months, 2 weeks ago


which is crazy. what are they trying to teach people. "How to lock yourself up"?
upvoted 4 times

  Batiste2023 3 months ago


Well, you could still use SSH to access the server, no?

https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse?tabs=gui
upvoted 1 times

  zellck 1 year ago

Selected Answer: A

A is the answer.
upvoted 1 times

  zellck 1 year ago


We need to deny destination port 3389, not source port 3389, hence A.
upvoted 2 times

  AndreaStack 1 year ago

Selected Answer: A

Correct Answer: A
A. Create a network security group (NSG) that has an outbound security rule to deny destination port 3389 and apply the NSG to the
network interface of VM1.

By creating an outbound security rule in a network security group (NSG) to deny destination port 3389, you can prevent VM1 from
accessing port 3389 on VM2. By applying the NSG to the network interface of VM1, you can enforce the security rule specifically for VM1.

This solution provides a centralized way to manage and enforce network security for VM1, and it helps to prevent unwanted access to port
3389 on VM2 from VM1.

***If it was D. "Create a network security group (NSG) that has an inbound security rule to deny source port 3389 and apply the NSG to
Subnet1" you could prevent access to port 3389 on VM2 from ANY SOURCE (including VM1). By applying the NSG to Subnet1, you can
apply the security rule to both VM1 and VM2.
The question asked "to prevent VM1 from accessing VM2 on port 3389", not from any source.
upvoted 2 times

  AndreaStack 1 year ago


Anyway, missing the "least privilege" requirement, both two answers (A&D) could be good.
But I choose A, for above explained reason!
upvoted 1 times

  zellck 1 year ago


D is not an answer because it is referring to source port 3389, not destination port 3389.
upvoted 1 times

  Kimoz 1 year ago


A is correct, if you applied NSG on the inbound of VM2 no other vms will access it also as well, and here in the question he mentioned
that you want to prevent VM1 means the action should be taken in VM1
upvoted 2 times

  er101q 1 year ago


D. Create a network security group (NSG) that has an inbound security rule to deny source port 3389 and apply the NSG to Subnet1.

To prevent VM1 from accessing VM2 on port 3389, you need to create an NSG with an inbound security rule that denies traffic from the
source port 3389. Then you need to apply the NSG to Subnet1, which will block the traffic to all the virtual machines in the subnet.
upvoted 1 times

  FabrityDev 1 year, 1 month ago

Selected Answer: A

A is correct. It will prevent connections from VM1 on port 3389 to any destination, including the other VM. Question does not say that VM1
should be able to access other VMs on this port so it's fine to block all outgoing connections.
upvoted 4 times

  Ashfaque_9x 1 year, 1 month ago


Selected Answer: A

A. Create a network security group (NSG) that has an outbound security rule to deny destination port 3389 and apply the NSG to the
network interface of VM1.
upvoted 1 times

  azhunter 1 year, 1 month ago


Correct answer A
upvoted 2 times

Question #114 Topic 5

You have an Azure subscription that contains the resources shown in the following table.

You need to manage outbound traffic from VNET1 by using Firewall1.

What should you do first?

A. Configure the Hybrid Connection Manager.

B. Upgrade ASP1 to the Premium SKU.

C. Create a route table.

D. Create an Azure Network Watcher.

Correct Answer: C

Community vote distribution


C (100%)

  fatihaxi Highly Voted  1 year, 1 month ago

Route all traffic to the firewall


When you create a virtual network, Azure automatically creates a default route table for each of its subnets and adds system default
routes to the table. In this step, you create a user-defined route table that routes all traffic to the firewall, and then associate it with the
App Service subnet in the integrated virtual network.
Section3 in document.
https://learn.microsoft.com/en-us/azure/app-service/network-secure-outbound-traffic-azure-firewall
upvoted 30 times

  DeBoer 1 year ago


I have to (reluctantly) agree; normally I'd say RTs are for IaaS resources only and ASPs are a PaaS resource. However - all other answers
make even less sense. IF we assume that the ASP has VNet integration and the switch to send all traffic across the VNet has been
toggled then yes, a RT would work to force the traffic to the AF.
upvoted 2 times

  FabrityDev 1 year, 1 month ago


Agree with that
upvoted 1 times

  zellck Highly Voted  1 year ago

Selected Answer: C

C is the answer.

https://learn.microsoft.com/en-us/azure/app-service/network-secure-outbound-traffic-azure-firewall#3-route-all-traffic-to-the-firewall
When you create a virtual network, Azure automatically creates a default route table for each of its subnets and adds system default
routes to the table. In this step, you create a user-defined route table that routes all traffic to the firewall, and then associate it with the
App Service subnet in the integrated virtual network.
upvoted 6 times
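How the user-defined route described in the comments above changes next-hop selection, as an added example that is not part of the original thread. It models Azure's route selection (longest prefix match, then user-defined over BGP over system routes); the address space, the firewall private IP and all names are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

# When prefixes are equally specific, user-defined routes win over BGP routes,
# which win over system default routes.
SOURCE_RANK = {"User": 0, "BGP": 1, "Default": 2}


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop_type: str
    source: str
    next_hop_ip: str = ""


# System routes Azure adds to every subnet (VNet address space is constructed).
SYSTEM_ROUTES: List[Route] = [
    Route("10.0.0.0/16", "VnetLocal", "Default"),
    Route("0.0.0.0/0", "Internet", "Default"),
]

# Constructed private IP of Firewall1 inside VNET1.
FIREWALL_PRIVATE_IP = "10.0.1.4"

# The route table from answer C: send everything to the firewall.
UDR: List[Route] = [
    Route("0.0.0.0/0", "VirtualAppliance", "User", FIREWALL_PRIVATE_IP),
]


def select_route(dest: str, routes: List[Route]) -> Route:
    """Return the effective route for a destination address."""
    addr = ipaddress.ip_address(dest)
    candidates = [r for r in routes if addr in ipaddress.ip_network(r.prefix)]
    if not candidates:
        raise ValueError(f"no route to {dest}")
    return min(
        candidates,
        key=lambda r: (-ipaddress.ip_network(r.prefix).prefixlen,
                       SOURCE_RANK[r.source]),
    )


if __name__ == "__main__":
    for label, table in (("system routes only", SYSTEM_ROUTES),
                         ("with route table", SYSTEM_ROUTES + UDR)):
        for dest in ("203.0.113.10", "10.0.2.5"):
            r = select_route(dest, table)
            hop = r.next_hop_ip or "-"
            print(f"{label}: {dest} -> {r.next_hop_type} ({hop})")
```

With the route table associated, internet-bound traffic is sent to the firewall, while traffic to another address inside the VNet still follows the more specific system route and does not pass through the firewall.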

  er101q Most Recent  1 year ago

A. Configure the Hybrid Connection Manager.

Before you can manage outbound traffic from VNET1 using Firewall1, you need to have the Hybrid Connection Manager configured. The
Hybrid Connection Manager is required for Firewall1 to function as an outbound-only firewall. Once the Hybrid Connection Manager is
configured, you can manage outbound traffic from VNET1 using Firewall1.
upvoted 1 times

  GBAU 1 year ago


No mention of Firewall to function as an outbound-only firewall.
No mention of needing to ensure App1 goes through the firewall (App1 is a red herring)
The ONLY thing you need to do is "manage outbound traffic from VNET1 by using Firewall1"

Hence C: Create a route table.


upvoted 2 times

  KingChuang 1 year, 1 month ago

Selected Answer: C

C. Create a route table.

Step 3. Route all traffic to the firewall

https://learn.microsoft.com/en-us/azure/app-service/network-secure-outbound-traffic-azure-firewall
upvoted 1 times

  FabrityDev 1 year, 1 month ago

Selected Answer: C

As described by fatihaxi and the source


https://learn.microsoft.com/en-us/azure/app-service/overview-vnet-integration
it is the route table creation
upvoted 1 times

  Ashfaque_9x 1 year, 1 month ago

Selected Answer: C

C. Create a route table.


upvoted 1 times

  sss123412 1 year, 1 month ago


Correct answer B.

Outbound traffic management using Azure Firewall is only available for App Service apps or function apps that are hosted on an App
Service plan in the Premium SKU
upvoted 1 times

  GBAU 1 year ago


The question is not asking how to get APP1 to connect through the firewall, it's asking how to get VNET1 to connect through the Firewall
(so you can manage its traffic). APP1 is a red herring in this question.
upvoted 1 times

  FabrityDev 1 year, 1 month ago


Where did you get that information from? I looked into
https://learn.microsoft.com/en-us/azure/app-service/overview-vnet-integration
as well as source provided by fatihaxi and didn't find such information. On the other hand, creating a route table is explicitly described.
upvoted 1 times

  Bigc0ck 1 year, 1 month ago


Definitely on the test and I answered it wrong lmao
upvoted 2 times

  FabrityDev 1 year, 1 month ago


No one asked. If you want to comment then give some details. Which answer did you pick? Which answer is correct in your opinion?
upvoted 1 times

  Onobhas01 1 year, 1 month ago


Dude mind your business. Though you don't care, some people actually care if a question has been in the exams recently.
upvoted 3 times

  RougePotatoe 1 year ago


Spend more time learning less time worrying about which questions are going to be on the test ROFL.
upvoted 1 times

Question #115 Topic 5

You have an Azure subscription that contains the resources shown in the following table.

All the resources connect to a virtual network named VNet1.

You plan to deploy an Azure Bastion host named Bastion1 to VNet1.

Which resources can be protected by using Bastion1?

A. VM1 only

B. contoso.com only

C. App1 and contoso.com only

D. VM1 and contoso.com only

E. VM1, App1, and contoso.com

Correct Answer: A

Community vote distribution


A (97%)

  martin_k1 Highly Voted  9 months, 4 weeks ago

Be aware when checking CyberKelev comments - I think he is a troll as most of the time he posts wrong answers. Always verify with other
comments
upvoted 76 times

  zellck Highly Voted  1 year ago

Selected Answer: A

A is the answer.

https://learn.microsoft.com/en-us/azure/bastion/bastion-overview
Azure Bastion is a service you deploy that lets you connect to a virtual machine using your browser and the Azure portal, or via the native
SSH or RDP client already installed on your local computer. The Azure Bastion service is a fully platform-managed PaaS service that you
provision inside your virtual network. It provides secure and seamless RDP/SSH connectivity to your virtual machines directly from the
Azure portal over TLS. When you connect via Azure Bastion, your virtual machines don't need a public IP address, agent, or special client
software.
upvoted 25 times

Tayhull2023 Most Recent 2 months, 3 weeks ago

Using the word "protected" here is odd to me, but Bastion is a form of RDP, it's only going to reach the VM. Answer is A.
upvoted 1 times

CyberKelev 11 months, 2 weeks ago


Selected Answer: E

E. VM1, App1, and contoso.com can all be protected by using Bastion1.


upvoted 1 times

Batiste2023 3 months ago


Well, I think, you're wrong. Bastion is used for secure access to VMs and that's it.
upvoted 1 times

Niq_Gnaw 3 months, 1 week ago


Get tf out here
upvoted 2 times

im7Adi 8 months ago


I guess F is the right answer
upvoted 2 times

AndreaStack 1 year ago


Selected Answer: A

Bastion provides secure RDP and SSH connectivity to all of the VMs in the virtual network in which it is provisioned.
Using Azure Bastion protects your virtual machines from exposing RDP/SSH ports to the outside world, while still providing secure access
using RDP/SSH.

"Protection against port scanning : Your VMs are protected against port scanning by rogue and malicious users because you don't need to
expose the VMs to the internet."

https://learn.microsoft.com/en-us/azure/bastion/bastion-overview
upvoted 2 times

Notteb 1 year ago

Selected Answer: A

Bastion provides secure RDP and SSH connectivity to all of the VMs in the virtual network in which it is provisioned. Using Azure Bastion
protects your virtual machines from exposing RDP/SSH ports to the outside world, while still providing secure access using RDP/SSH.
upvoted 3 times

er101q 1 year ago


E. VM1, App1, and contoso.com.

Azure Bastion is a fully managed PaaS service that provides secure and seamless RDP/SSH connectivity to the virtual machines within a
virtual network. By deploying Bastion1 to VNet1, you can protect the access to all the resources connected to the virtual network,
including VM1, App1, and contoso.com. Bastion1 provides a secure and streamlined way to access the virtual machines within VNet1
without the need to configure a public IP address or a VPN.
upvoted 1 times

GBAU 1 year ago


Bastion only connects to RDP and SSH in the back end. Neither a WebApp nor an AD DS listens on 3389 or 22 (i.e. provide no services on
these ports) so Bastion can't even connect to them, let alone protect them.

Bastions protect VMs by allowing you to connect to them to manage them in a more secure way (i.e. RDP to Windows and SSH to Linux)
upvoted 4 times

pramodk78 1 year ago

Selected Answer: A

correct answer A -- https://learn.microsoft.com/en-us/azure/bastion/bastion-overview


upvoted 6 times
Question #116 Topic 5

You have five Azure virtual machines that run Windows Server 2016. The virtual machines are configured as web servers.

You have an Azure load balancer named LB1 that provides load balancing services for the virtual machines.

You need to ensure that visitors are serviced by the same web server for each request.

What should you configure?

A. Session persistence to None

B. a health probe

C. Session persistence to Client IP and protocol

D. Idle Time-out (minutes) to 20

Correct Answer: C

Community vote distribution


C (100%)

Mugamed Highly Voted 1 year ago

Selected Answer: C

For the hundredth time, it's C.


upvoted 26 times

curtmcgirt Highly Voted 11 months, 4 weeks ago

i hope i get this question on the exam half as often as it appears here.
upvoted 15 times

Pakawat 8 months ago


i hope so
upvoted 1 times

ki01 Most Recent 1 month, 4 weeks ago

at first i was angry about repeating questions, but now that i have gone through almost 500 of them, i am thankful to see this one like an
old friend. It just means i don't have to play connect the dots with another question that has 7 resource tables in it...
upvoted 2 times

james2033 5 months, 2 weeks ago


Quote "Client IP (2-tuple) - Specifies that successive requests from the same client IP address are handled by the same backend instance."

at

https://learn.microsoft.com/en-us/azure/load-balancer/distribution-mode-concepts#session-persistence
upvoted 1 times

zellck 1 year ago

Selected Answer: C

C is the answer.

https://learn.microsoft.com/en-us/azure/load-balancer/distribution-mode-concepts
Session persistence: Client IP and protocol
- Traffic from the same client IP and protocol is routed to the same backend instance
upvoted 3 times
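
The distribution modes quoted in the comments above, as an added example that is not part of the original thread or Microsoft's code: it shows which flow fields feed the hash for each Session persistence setting and why only the Client IP modes keep a visitor on one web server. SHA-256 stands in for Azure's hash function, and the IP addresses and backend names are constructed.

```python
"""Added illustration: Azure Load Balancer session persistence as hash inputs."""
import hashlib
from collections import Counter, namedtuple

Flow = namedtuple("Flow", "src_ip src_port dst_ip dst_port protocol")

# Fields that feed the hash for each "Session persistence" setting.
MODE_FIELDS = {
    "None": ("src_ip", "src_port", "dst_ip", "dst_port", "protocol"),  # 5-tuple
    "Client IP": ("src_ip", "dst_ip"),                                  # 2-tuple
    "Client IP and protocol": ("src_ip", "dst_ip", "protocol"),         # 3-tuple
}

BACKENDS = ["web1", "web2", "web3", "web4", "web5"]  # constructed pool of five VMs


def pick_backend(flow, mode, backends=BACKENDS):
    """Map a flow to a backend by hashing only the fields the mode uses.

    Assumption: SHA-256 is a stand-in; the real hash function is not on the page.
    """
    key = "|".join(str(getattr(flow, field)) for field in MODE_FIELDS[mode])
    digest = hashlib.sha256(key.encode()).digest()
    return backends[int.from_bytes(digest[:8], "big") % len(backends)]


def browser_session(src_ip, connections, protocol="TCP"):
    """Constructed sample: one visitor opening several connections.

    Every new connection gets a new ephemeral source port, which is the
    field that changes the 5-tuple hash from request to request.
    """
    return [
        Flow(src_ip, 50000 + i, "203.0.113.10", 443, protocol)
        for i in range(connections)
    ]


def backends_seen(flows, mode, backends=BACKENDS):
    """Set of backends that served the given flows under one mode."""
    return {pick_backend(flow, mode, backends) for flow in flows}


def load_share(flows, mode, backends=BACKENDS):
    """Connections handled per backend under one mode."""
    return Counter(pick_backend(flow, mode, backends) for flow in flows)


if __name__ == "__main__":
    session = browser_session("198.51.100.7", 200)
    for mode in MODE_FIELDS:
        print(f"{mode:24} -> {sorted(backends_seen(session, mode))}")

    # Side effect of Client IP persistence: everyone behind one NAT address
    # shares a source IP, so all of their connections pin to a single VM.
    office = browser_session("192.0.2.44", 500)
    print("NAT'd office, Client IP:", dict(load_share(office, "Client IP")))
```

Persistence only controls which VM receives the traffic; it does not identify or authenticate the visitor, so application session state still needs its own protection.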

Gardener01 1 year ago


Correct - Answer C
upvoted 4 times
Question #117 Topic 5

You have five Azure virtual machines that run Windows Server 2016. The virtual machines are configured as web servers.

You have an Azure load balancer named LB1 that provides load balancing services for the virtual machines.

You need to ensure that visitors are serviced by the same web server for each request.

What should you configure?

A. a health probe

B. Floating IP (direct server return) to Enabled

C. Session persistence to Client IP and protocol

D. Protocol to UDP

Correct Answer: C

Community vote distribution


C (100%)

amar_dhillon Highly Voted 11 months, 4 weeks ago

lol, everyone is so fed up seeing this question again and again that no one commented on this one. This is the comment no one will read,
hopefully, 😂
upvoted 38 times

brucespr 9 months, 3 weeks ago


Sorry you failed ... I read it :D
upvoted 1 times

curtmcgirt 11 months, 3 weeks ago


they keep adding more new copies of it.
upvoted 2 times

Jared144 Highly Voted 11 months, 3 weeks ago

I love seeing this one, one less question to learn out of the 43,356 questions we have to get through
upvoted 16 times

obaali1990 11 months ago


The az-104 exams itself is repetition of questions and so this is normal
upvoted 3 times

JD908 7 months, 3 weeks ago


If only every single question in the exam was this question when I take it lol
upvoted 2 times

emanresu Most Recent 4 months, 1 week ago

Whoever said that the definition of insanity is doing the same thing over and over again and expecting different results has obviously
never had to go through AZ-104 questions
upvoted 4 times

james2033 5 months, 2 weeks ago

Selected Answer: C

Quote "https://learn.microsoft.com/en-us/azure/load-balancer/distribution-mode-concepts#session-persistence"

at

https://learn.microsoft.com/en-us/azure/load-balancer/distribution-mode-concepts#session-persistence
upvoted 2 times

fessebook 7 months ago


Must be a joke ...
upvoted 1 times

lulzsec2019 8 months, 1 week ago


Kagebunshin no jutsu!
upvoted 4 times

SimoneP 9 months, 3 weeks ago
i hope I will find the same occurrences of this question during my exam
upvoted 2 times

Rachy 9 months, 3 weeks ago


This question is always a breeze :)
upvoted 1 times

brucespr 9 months, 3 weeks ago


Hope to get this question 7 times on my exam 😂
upvoted 2 times

zone9gardening 10 months, 1 week ago


You know what!! I will vote B this time.
upvoted 1 times

Naebun 8 months, 3 weeks ago


hhahaha
upvoted 1 times

AK4U 11 months, 2 weeks ago


This better be on the exam
upvoted 4 times

vg123 11 months, 3 weeks ago


this makes me happy in the tiring revision
upvoted 4 times

Paul_white 11 months, 3 weeks ago


C IS THE CORRECT ANSWER!!!!
upvoted 1 times
Question #118 Topic 5

You have an Azure subscription that contains 10 virtual machines and the resources shown in the following table.

You need to ensure that Bastion1 can support 100 concurrent SSH users. The solution must minimize administrative effort.

What should you do first?

A. Resize the subnet of Bastion1

B. Configure host scaling.

C. Create a network security group (NSG)

D. Upgrade Bastion1 to the Standard SKU

Correct Answer: D

Community vote distribution


D (75%) A (25%)

zellck Highly Voted 1 year ago

Selected Answer: D

D is the answer.

https://learn.microsoft.com/en-us/azure/bastion/configuration-settings#instance
When you configure Azure Bastion using the Basic SKU, two instances are created. If you use the Standard SKU, you can specify the
number of instances. This is called host scaling.

Each instance can support 20 concurrent RDP connections and 40 concurrent SSH connections for medium workloads. Once the
concurrent sessions are exceeded, an additional scale unit (instance) is required.
upvoted 13 times

BobbyMc3030 8 months ago


This appears to be correct. This link has a nice table to visualize it but in short, basic sku can only do up to 20-24 connections on two
instances so max 20-48. https://reimling.eu/2021/07/azure-bastion-supports-scalability-for-ssh-rdp-connections-with-the-new-standard-sku/ .
upvoted 2 times

GBAU 1 year ago


Agreed, going by that page, a Basic Bastion can only support up to 80 concurrent SSH connections as it is deployed with 2
instances/scale units and you can't add more to a Basic SKU.
upvoted 2 times

MOSES3009 Most Recent 3 months ago

Just one advice here - read, think and ONLY after post. Standard SKU for bastion supports up to 50 instances. A /26 has 64 IPs, with 59
usable. That means the IPs are ENOUGH to deploy the maximum supported number of bastion instances. The relation between number of
sessions and required IPs in the bastion subnet is not 1 to 1 - it is 25 to 1. That means one IP is used for one instance that can support up to
25 concurrent sessions. For 100 sessions, you need 4 instances that will need 4 IPs. I hope I bring some clarity here.
upvoted 3 times

sardonique 4 months, 3 weeks ago


both A and D are true, and as always, quite many of these questions are so badly formulated or even worse they are conceived to trick you
into giving a wrong answer. this is so bad
upvoted 2 times

RandomNickname 7 months, 3 weeks ago

Selected Answer: D

Agree with D:

In the first instance, bastion should be updated from basic to standard as per comments here.

This is due to bastion only 2 max instances with 40 ssh connections each.
With standard this can be up to 50 instances to meet the request with 40 SSH sessions each instance.

https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/azure-subscription-service-limits#azure-bastion-limits
https://learn.microsoft.com/en-us/azure/bastion/configuration-settings#instance

A is incorrect as it's not what you would FIRST do.


upvoted 1 times

alexander_890512 8 months, 2 weeks ago


Answer: D

Basic SKU: 2 instances (50 connections at most)


Standard SKU: you can specify the number of instances between 2-50 (25 connections by instance at most).

https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/azure-subscription-service-limits#azure-bastion-limits
upvoted 2 times

gshzwi 8 months, 2 weeks ago


i think subnet can't be resized? need to re-create the Bastion to others larger subnet?
upvoted 1 times

SIAMIANJI 8 months, 4 weeks ago

Selected Answer: A

/26 just support 64ip. We need 100 concurrent connections.


upvoted 3 times

MRL110 4 months, 3 weeks ago


Who said the bastion is only going to be accessed from within its own subnet?
upvoted 1 times

_fkucuk 9 months, 2 weeks ago

Selected Answer: D

D. Upgrade Bastion1 to the Standard SKU.

To support 100 concurrent SSH users, you need to upgrade the Basic SKU Azure Bastion to the Standard SKU. The Basic SKU only supports
10 concurrent SSH users, while the Standard SKU supports up to 100 concurrent SSH users.

Resizing the subnet of Bastion1 or creating an NSG would not directly address the need to support more concurrent SSH users, and host
scaling is not applicable in this scenario.
upvoted 4 times

CyberKelev 11 months, 2 weeks ago


Selected Answer: A

/26 just support 64ip. We need 100


upvoted 4 times

Batiste2023 3 months ago


Yes, but the question is "What should you do FIRST?"

And the basic tier does not support 100 concurrent users, so that needs to be taken care of FIRST...
upvoted 1 times

elior19940 1 year ago


is it new question?
upvoted 3 times

Batiste2023 3 months ago


Not anymore. :-)
upvoted 1 times

yousseftn 1 year ago

Selected Answer: D

In general when you deploy the Azure Bastion Basic SKU Microsoft deploys two instances which supports 20-24 concurrent sessions which
means each instance support 10-12 sessions.

https://reimling.eu/2021/07/azure-bastion-supports-scalability-for-ssh-rdp-connections-with-the-new-standard-sku/
upvoted 3 times
Question #119 Topic 5

You have five Azure virtual machines that run Windows Server 2016. The virtual machines are configured as web servers.

You have an Azure load balancer named LB1 that provides load balancing services for the virtual machines.

You need to ensure that visitors are serviced by the same web server for each request.

What should you configure?

A. Session persistence to Client IP and protocol

B. Protocol to UDP

C. Session persistence to None

D. Floating IP (direct server return) to Disabled

Correct Answer: A

Jared144 Highly Voted 11 months, 3 weeks ago

I'm never going to remember this one :(


upvoted 22 times

ivan0590 9 months ago


Hahaha, I see where you are going :)
upvoted 2 times

StevieTests Highly Voted 11 months, 4 weeks ago

this is a joke at this point


upvoted 13 times

curtmcgirt 11 months, 3 weeks ago


they keep adding more new copies of it
upvoted 4 times

amdk Most Recent 1 week, 2 days ago


I believe it's E
upvoted 1 times

Indy429 1 month, 3 weeks ago


WHEN DOES IT END
upvoted 2 times

ki01 1 month, 4 weeks ago


this question has become like a little island in the ocean, where we can come and rest in between hundreds of confusing, inaccurate,
incomplete and infuriating questions and just have a little banter between us all
upvoted 1 times

clg003 3 months, 2 weeks ago


If this question isn't on my test at least 27 times imma be upset.
upvoted 4 times

Azwscp2023 4 months, 1 week ago


I can't find most voted answer here :(
upvoted 2 times

fessebook 7 months ago


Do not take the exam if you're wrong on this question.
upvoted 8 times

antropaws 7 months, 1 week ago


Wait, this is not right, this question is spam.
upvoted 1 times

JD908 7 months, 2 weeks ago


I wish they'd repeat this question. I don't think it's emphasized enough
upvoted 3 times

NJTH 10 months, 1 week ago
Well, it was on today's exam, and I'm pretty sure I got it right ;-)
upvoted 7 times

Roy010 7 months, 3 weeks ago


This is the only question you could not get wrong :D
upvoted 3 times

puyas 11 months, 1 week ago


Guys I think a question about Session persistence to Client IP and protocol might be in the exam
upvoted 7 times

ruqing888 11 months ago


it better be in the exam
upvoted 6 times

Andreew883 11 months, 1 week ago


The response is A.
upvoted 1 times

joykdutta 11 months, 3 weeks ago


Same question 10 times
upvoted 4 times

studysmart 11 months, 3 weeks ago


You again....
Give a thumb up if you're curious on what has been discussed on this question.
upvoted 9 times
Question #120 Topic 5

DRAG DROP

You have a Windows 11 device named Device1 and an Azure subscription that contains the resources shown in the following table.

Device1 has Azure PowerShell and Azure Command-Line Interface (CLI) installed.

From Device1, you need to establish a Remote Desktop connection to VM1.

Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and
arrange them in the correct order.

Correct Answer:

Teroristo Highly Voted 6 months, 2 weeks ago

Explanation:

Azure Bastion is a service you deploy that lets you connect to a virtual machine using your browser and the Azure portal, or via the native
SSH or RDP client already installed on your local computer.

The native client feature lets you connect to your target VMs via Bastion using Azure CLI, and expands your sign-in options to include local
SSH key pair and Azure Active Directory (Azure AD).

Using the native client requires the Standard SKU tier for Azure Bastion. First, we need to upgrade the SKU of our Azure Bastion instance.

Second, we need to enable the native client support from the configuration settings of Bastion1 in the Azure Portal.

Third, we need to sign in to our Azure account and select the subscription containing the Bastion resource as shown below:
upvoted 16 times

Teroristo 6 months, 2 weeks ago


az login
az account list
az account set --subscription "<subscription ID>"

Lastly, we run the following command to connect via RDP. You’ll then be prompted to input your credentials. You can use either a local
username and password, or your Azure AD credentials.
az network bastion rdp --name "<BastionName>" --resource-group "<ResourceGroupName>" --target-resource-id "<VMResourceId>"
upvoted 7 times

bsaksham Highly Voted 10 months, 3 weeks ago

Correct Answer!
No-brainer :)
Just learn from ET, no need for another study material. I passed the exam yesterday with 930 out of 1000. Best of luck guys
upvoted 15 times

Rams786 5 months ago


What is ET?
upvoted 1 times

ValB 3 months, 1 week ago


Enemy Territory (game). 😂
upvoted 4 times

shimondaz 5 months ago


ET = examtopics.com
upvoted 1 times

voraciousreader 10 months, 3 weeks ago


is that true, do most of the questions come from ET?
upvoted 2 times

SachinBisht009 Most Recent 4 months, 3 weeks ago

From Bastion1, select Native Client Support.


Upgrade Bastion1 to the Standard SKU.
From VM1, enable just-in-time (JIT) VM access.
upvoted 1 times

BJS_AzureExamTopics 6 months, 3 weeks ago


I have been told by a few people that took the exam that these questions are exactly what is on the exam. THE QUESTIONS ARE
CHANGING ON JULY 28, 2023. If you are using these questions and answers, take your test by the 22nd.
upvoted 4 times

Rogit 6 months, 3 weeks ago


This was on exam yesterday but I got it wrong and failed the exam, hopefully I pass on second attempt
upvoted 4 times

RandomNickname 7 months, 3 weeks ago


Given answer looks correct as per the information here
upvoted 1 times

garmatey 9 months, 2 weeks ago


Why does it need to be standard?
upvoted 3 times

SimoneP 9 months, 1 week ago


https://learn.microsoft.com/en-us/azure/bastion/connect-native-client-windows
This configuration requires the Standard SKU tier for Azure Bastion.
upvoted 3 times

djgodzilla 10 months, 3 weeks ago


*) Select native client support
The native client feature lets you connect to your target VMs via Bastion using Azure CLI, and expands your sign-in options to include local
SSH key pair and Azure Active Directory (Azure AD). Additionally with this feature, you can now also upload or download files, depending
on the connection type and client.

https://learn.microsoft.com/en-us/azure/bastion/connect-native-client-windows

3) From Azure CLI on device1 run: az network bastion rdp


https://learn.microsoft.com/en-us/cli/azure/network/bastion?view=azure-cli-latest#az-network-bastion-rdp
upvoted 2 times

lombri 11 months ago


Navigate to the Configuration page for your Bastion resource. Verify that the SKU Tier is Standard. If it isn't, select Standard.

Select the box for Native Client Support, then apply your changes.

To connect via RDP, use the following command (az network bastion rdp --name "<BastionName>" --resource-group "<ResourceGroupName>" --target-resource-id "<VMResourceId>")

https://learn.microsoft.com/en-us/azure/bastion/connect-native-client-windows
upvoted 10 times

pramodk78 11 months, 1 week ago
Answer seems ok as per link https://learn.microsoft.com/en-us/azure/bastion/connect-native-client-windows
upvoted 6 times

Kimoz 11 months, 1 week ago


new question :(
upvoted 4 times

voraciousreader 11 months, 1 week ago


Will we get questions exactly from ET? Is ET alone enough to clear the exam? Please guide.
upvoted 3 times

KingChuang 9 months, 4 weeks ago


ET enough~
Passed. Score 9xx
upvoted 2 times

obaali1990 10 months, 4 weeks ago


Nope, learn MS Learn in addition and Youtube. But it all depends on you. Follow the discussions too
upvoted 1 times

voraciousreader 11 months, 1 week ago


yay, first comment
upvoted 1 times
Question #121 Topic 5

You have five Azure virtual machines that run Windows Server 2016. The virtual machines are configured as web servers.

You have an Azure load balancer named LB1 that provides load balancing services for the virtual machines.

You need to ensure that visitors are serviced by the same web server for each request.

What should you configure?

A. Floating IP (direct server return) to Enabled

B. Session persistence to Client IP

C. Protocol to UDP

D. Idle Time-out (minutes) to 20

Correct Answer: B

bec123123 Highly Voted 10 months, 3 weeks ago

I'm just mad now


upvoted 25 times

sheilawu 3 months, 2 weeks ago


Yap it become so annoying
upvoted 2 times

ivan0590 Highly Voted 9 months ago

If I continue to see this question, I'm pretty sure I will have a nightmare in which someone kills me while continuously screaming "Session
persistence to Client IP!"
upvoted 14 times

Chris2603 8 months, 1 week ago


at least we all know the answer now lol
upvoted 2 times

Indy429 Most Recent 1 month, 3 weeks ago

If I don't get this question on the actual exam, Imma be pissed.


upvoted 2 times

SamCook101 2 months, 1 week ago


Does anyone get this question in the exam ?
upvoted 1 times

Kalzonee3611 3 months, 3 weeks ago


This a new question? :D:DD:D::DD:D:
upvoted 3 times

agimenezch 4 months, 3 weeks ago


ACETATE
upvoted 1 times

fessebook 7 months ago


Matrix vibes.
It looks like a "deja vu" feeling...
upvoted 2 times

antropaws 7 months, 1 week ago


Probably something wrong with the system.
upvoted 2 times

mikehen 8 months ago


If anyone gets this wrong on the exam they deserve to fail hahahaha
upvoted 6 times

Pakawat 8 months ago


again and again
upvoted 4 times

joykdutta 9 months, 2 weeks ago
It is the way or trick to increase the total number of questions
upvoted 5 times

Madbo 10 months, 1 week ago


The correct option is B. Session persistence to Client IP.
To ensure that visitors are serviced by the same web server for each request, we need to configure session persistence on the Azure load
balancer. Session persistence is also known as affinity, and it ensures that all requests from a client are sent to the same backend server.
This is important for applications that maintain session state, such as web applications that require authentication or shopping carts.
upvoted 3 times

ozlaoliu 11 months, 1 week ago


I don't understand what is the point to add this question again since it has already appeared more than 10 times.
upvoted 5 times

obaali1990 11 months ago


Take it easy, that is the beauty of the game. Life itself is full of repetition. Repetition makes life easier and enjoyable.
upvoted 9 times
Question #122 Topic 5

You have an Azure subscription that has the public IP addresses shown in the following table.

You plan to deploy an Azure Bastion Basic SKU host named Bastion1.

Which IP addresses can you use?

A. IP1 only

B. IP1 and IP2 only

C. IP3, IP4, and IP5 only

D. IP1, IP2, IP4, and IP5 only

E. IP1, IP2, IP3, IP4, and IP5

Correct Answer: B

Community vote distribution


A (81%) B (19%)

eliasalg Highly Voted 6 months, 4 weeks ago

Selected Answer: A

Tested in sandbox
- IPv4 - Static - Standard - Global:
Error during the selection in the interface - A Global Tier PublicIPAddress cannot be attached to Bastions.
- IPv4 - Static - Standard - Regional:
OK
- IPv4 - Static - Basic - Regional
Error during the selection in the interface - Static public IP addresses cannot be associated.
- IPv4 - Dynamic - Basic - Regional
Error during the selection in the interface - The SKU type for the public IP address does not match the SKU type of the load balancer (?? I
don't know why this message).
- IPv6 - Static - Standard - Regional:
Error during deployment (The selected IPv6 public IP address is not supported for Azure Bastion. To fix this, please recreate your Azure
Bastion with an IPv4 public IP address. (Code: PublicIpAddressVersionNotSupported))
upvoted 21 times

MentalTree 2 months ago


Global tier: (Standard) Supported via cross-region load balancers.
https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/public-ip-addresses#sku

Got this q on my test, answered B, got 100%


upvoted 1 times

houzer 1 month, 4 weeks ago


I am not sure what you tested but that's not correct. You cannot use Global PiPs, it has to be a Regional one.
https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/configure-public-ip-bastion
upvoted 1 times

Hillah 4 months ago


thanks mate
upvoted 2 times

jupi17 Highly Voted 9 months, 2 weeks ago

The answer is correct: B


Azure Bastion supports standard SKU public IP addresses:
https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/configure-public-ip-bastion
upvoted 19 times

xRiot007 8 months, 1 week ago
From your link : "Public IP addresses are available in two SKUs; standard, and basic. The selection of SKU determines the features of the
IP address. The SKU determines the resources that the IP address can be associated with." - Can a BASIC Bastion support STANDARD
IPs ?
upvoted 3 times

amkaz104 7 months, 1 week ago


This link has it clarified - https://learn.microsoft.com/en-us/azure/bastion/configuration-settings - Bastion whether its basic or
standard requires Standard Public IPs which are static.
upvoted 5 times

MatAlves Most Recent 1 week ago

Azure Bastion Basic SKU does NOT support Global Tier IPs.

Standard: "Supported via cross-region load balancers."

https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/public-ip-addresses#sku
upvoted 1 times

houzer 1 month, 1 week ago

Selected Answer: A

I tested in my lab and you cannot use dynamic IP addresses, basic SKU, or the Global. If you try to associate a Bastion with a Global Public
IP you will get "Cannot be associated with this Bastion."

Correct answer: A
upvoted 1 times

AliNadheer 2 months ago


Selected Answer: A

Answer should be IP1


bastion be it standard or basic SKU only supports regional tier meaning if you have Vnets in 3 regions then you need to deploy 3 bastions
one for every region, however if you have those Vnets peered then you can have one bastion service deployed and it can reach VMs in
other regions.
Bastion must have static IP either private or public; to use public IP you must have Standard SKU, private ip is mainly used for developers.

https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/configure-public-ip-bastion
upvoted 1 times

CHOKRIBS88 2 months, 3 weeks ago


Answer should be A : Global tier is not supported in Basic Ip Public
upvoted 1 times

MentalTree 2 months ago


Answer is B.

The Public IP address SKU must be Standard.


The Public IP address assignment/allocation method must be Static.
The Public IP address name is the resource name by which you want to refer to this public IP address.
You can choose to use a public IP address that you already created, as long as it meets the criteria required by Azure Bastion and isn't
already in use.
https://learn.microsoft.com/en-us/azure/bastion/configuration-settings

Global tier: (Standard) Supported via cross-region load balancers.


https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/public-ip-addresses#sku

Got this q on my test, answered B, got 100%


upvoted 3 times

Wuhao 3 months, 1 week ago

Selected Answer: B

The Public IP address SKU must be Standard.


The Public IP address assignment/allocation method must be Static.
The Public IP address name is the resource name by which you want to refer to this public IP address.
You can choose to use a public IP address that you already created, as long as it meets the criteria required by Azure Bastion and isn't
already in use.
https://learn.microsoft.com/en-us/azure/bastion/configuration-settings
upvoted 3 times

Ahkhan 3 months, 1 week ago


Prerequisites

An Azure account with an active subscription.


One standard SKU public IP address in your subscription. The IP address can't be associated with any resources.

https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/configure-public-ip-bastion
upvoted 1 times

Nutmeg756 3 months, 2 weeks ago

Selected Answer: B

Azure Bastion deployments require a Public IP address, except Developer SKU deployments. The Public IP must have the following
configuration:

The Public IP address SKU must be Standard.


The Public IP address assignment/allocation method must be Static.
The Public IP address name is the resource name by which you want to refer to this public IP address.
You can choose to use a public IP address that you already created, as long as it meets the criteria required by Azure Bastion and isn't
already in use.
upvoted 2 times

B1gflp 4 months ago


A is correct. explicitly stated https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/public-ip-addresses#sku
upvoted 2 times

agimenezch 4 months, 3 weeks ago


https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/public-ip-addresses#sku
ALL
upvoted 1 times

hesham2023 5 months ago


Azure Bastion requires a Static / Sku=Standard / Public IPv4 regional address , Global Tier PublicIPAddress cannot be attached to Bastions.
upvoted 2 times

mark733050 6 months ago

Selected Answer: A

Azure Bastion requires a Public IP address. The Public IP must have the following configuration:

The Public IP address SKU must be Standard.


The Public IP address assignment/allocation method must be Static.
The Public IP address name is the resource name by which you want to refer to this public IP address.
You can choose to use a public IP address that you already created, as long as it meets the criteria required by Azure Bastion and isn't
already in use.

https://learn.microsoft.com/en-us/azure/bastion/configuration-settings
upvoted 4 times

Batiste2023 3 months ago


I don't see how this supports A as an answer. Why would B not be correct?
upvoted 1 times

VV11_SS22 6 months, 1 week ago


The answer is correct: A
upvoted 1 times

GoldBear 6 months, 1 week ago


Global tier is not supported with Bastion - https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/public-ip-addresses#sku
upvoted 2 times

Teroristo 6 months, 2 weeks ago


Azure Bastion requires a standard SKU public IP address with a static assignment method. The public IP address cannot be associated with
any other resources. The public IP address name is the resource name by which you want to refer to this public IP address
upvoted 1 times

  Josete1106 6 months, 4 weeks ago


B is correct!
upvoted 2 times
Question #123 Topic 5

You have five Azure virtual machines that run Windows Server 2016. The virtual machines are configured as web servers.

You have an Azure load balancer named LB1 that provides load balancing services for the virtual machines.

You need to ensure that visitors are serviced by the same web server for each request.

What should you configure?

A. Floating IP (direct server return) to Disabled

B. Floating IP (direct server return) to Enabled

C. a health probe

D. Session persistence to Client IP

Correct Answer: D

  johan13 Highly Voted  9 months, 2 weeks ago

I bet this is not the last time I see this question before I reach the end :)
upvoted 7 times

  ivan0590 9 months ago


If I were to bet against you, I would probably lose with a 99.99% chance...
upvoted 4 times

  rnd3131 Most Recent  3 weeks, 1 day ago

what if your whole exam is 60x this question :P


upvoted 1 times

  hotspot02103 1 month, 1 week ago


nice question! first time see it!
upvoted 1 times

  ki01 1 month, 4 weeks ago


if this one actually comes up in exam i will probably get kicked out due to laughing like a maniac
upvoted 1 times

  tripleaholic 3 months ago


dude..
upvoted 1 times

  sheilawu 3 months, 2 weeks ago


This question has become a joke here
upvoted 2 times

  Rocketeer 4 months ago


I like it :). Makes me move faster on the questions.
upvoted 2 times

  PTark 5 months ago


It would be so funny if this appear multiple times on the real exam.
upvoted 3 times

  Shobbs 5 months, 2 weeks ago


im so mad at this question
upvoted 3 times

  fessebook 7 months ago


wait what !
upvoted 3 times

  lulzsec2019 8 months, 1 week ago


wow new question! :P
upvoted 4 times
Question #124 Topic 5

You have five Azure virtual machines that run Windows Server 2016. The virtual machines are configured as web servers.

You have an Azure load balancer named LB1 that provides load balancing services for the virtual machines.

You need to ensure that visitors are serviced by the same web server for each request.

What should you configure?

A. Floating IP (direct server return) to Enabled

B. Idle Time-out (minutes) to 20

C. a health probe

D. Session persistence to Client IP

Correct Answer: D

Community vote distribution


D (100%)
  johan13 Highly Voted  9 months, 2 weeks ago

Haha like I said in the previous question's comment ;)


upvoted 14 times

  ki01 1 month, 4 weeks ago


amazing comedy :D
upvoted 1 times

  ivan0590 9 months ago


LOL!
In the previous question, I replied to you that if I were to bet against you, I would lose. I said that without knowing that this was the
next question.
Sadly, I was right...
upvoted 6 times

  fessebook Highly Voted  7 months ago


Just dying now lol
upvoted 5 times

  Indy429 Most Recent  1 month, 3 weeks ago

You have got to be kidding me...


upvoted 1 times

  tripleaholic 3 months ago


i ain't play no game no more
upvoted 1 times

  Mustapha_Hadrich 7 months, 2 weeks ago


Admin has run out of question :
Admin : Copy Paste question that everyone does not know the answer :D *
upvoted 4 times

  lulzsec2019 8 months, 1 week ago


Wow another new question! ;P
upvoted 1 times

  kengy 8 months, 2 weeks ago

Selected Answer: D

Perhaps the right answer - Session persistence to Client IP


But I'm not 100% sure :) LOL
upvoted 2 times

  Naebun 8 months, 3 weeks ago


HAHAHAHAHAH
upvoted 1 times
Question #125 Topic 5

You have two Azure subscriptions named Sub1 and Sub2.

Sub1 contains a virtual machine named VM1 and a storage account named storage1.

VM1 is associated to the resources shown in the following table.

You need to move VM1 to Sub2.

Which resources should you move to Sub2?

A. VM1, Disk1, and NetInt1 only

B. VM1, Disk1, and VNet1 only

C. VM1, Disk1, and storage1 only

D. VM1, Disk1, NetInt1, and VNet1

Correct Answer: D

Community vote distribution


D (93%) 7%

  _fkucuk Highly Voted  9 months, 1 week ago

Selected Answer: D

When you move a virtual machine from one subscription to another, you need to ensure that all the dependent resources are also moved
along with it.

In the given scenario, VM1 is associated with the resources Disk1 (OS Disk), NetInt1 (Network Interface), and VNet1 (Virtual Network), and
the storage account named storage1 is not associated with VM1.

Therefore, to move VM1 to Sub2, you need to move the following resources:

VM1: This is the virtual machine that you want to move to Sub2.
Disk1: This is the OS disk for VM1, and it contains the operating system and boot files.
NetInt1: This is the network interface that is attached to VM1 and provides connectivity to the virtual network.
VNet1: This is the virtual network that is associated with VM1, and it provides the network connectivity to the virtual machine.
upvoted 23 times

  Grafting Most Recent  6 months, 3 weeks ago

Selected Answer: A

Should be A.

Subnet 2 is already part of vnet1 so why does it need moving


upvoted 2 times

  dicknl 6 months, 3 weeks ago


Sub2 is a subscription
upvoted 3 times

  extopics888 7 months, 3 weeks ago


https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/move-limitations/networking-move-limitations
upvoted 3 times

  extopics888 7 months, 3 weeks ago


D is correct.
upvoted 1 times

  RandomNickname 7 months, 3 weeks ago

Selected Answer: D
Given answer looks correct all resources in this list can be moved as per article;
https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/move-support-resources
upvoted 2 times

  chiquito 8 months, 2 weeks ago


Provided answer D is correct.
We should move VM1, Disk1, NetInt1, and VNet1 to sub2. The only resource that could cause an issue was NetInt1 if it was associated to a
Public IP Standard sku address.

There is a limitation with moving Public IPs between subscriptions:

Public IPs with Basic SKU could be moved between subscriptions


Public IPs with Standard SKU can't be moved between subscriptions
You will need to Disassociate it first.
As there is no such info in the question, all the resources can be moved to sub2.
Ref: https://learn.microsoft.com/en-us/answers/questions/559276/move-virtual-machines-to-a-new-subscription-within
upvoted 2 times

  SIAMIANJI 9 months, 2 weeks ago

Selected Answer: D

D is correct.
upvoted 3 times
Question #126 Topic 5

You have five Azure virtual machines that run Windows Server 2016. The virtual machines are configured as web servers.

You have an Azure load balancer named LB1 that provides load balancing services for the virtual machines.

You need to ensure that visitors are serviced by the same web server for each request.

What should you configure?

A. Session persistence to Client IP and protocol

B. Idle Time-out (minutes) to 20

C. Session persistence to None

D. Floating IP (direct server return) to Enabled

Correct Answer: A

  teamoo Highly Voted  7 months, 1 week ago

This is one of those questions, that in the exam I'm going to have to pretend to be reading it before answering, just so it wouldn't be
suspicious.
upvoted 13 times

  ServerBrain 4 months, 3 weeks ago


it's the one you can save time on.
upvoted 2 times

  nmnm22 Most Recent  4 months, 3 weeks ago


this question came in the exam 25/9/2023
upvoted 3 times

  KMLearn2 4 months, 3 weeks ago


This is a completely different question from T5-123 and T5-124 because the answer is not D!

Humming "I'm going slightly mad" from Queen.... :D


upvoted 1 times

  Shobbs 5 months, 2 weeks ago


i think they should filter similar question again and again.
upvoted 1 times

  Data_Analytics 7 months ago


Sjoe, this one looks new - somehow it feels like I might have seen something similar before.
upvoted 1 times

  fessebook 7 months ago


let me think ...
upvoted 3 times

  lulzsec2019 7 months, 2 weeks ago


Wow another new question!
upvoted 1 times

  chiquito 7 months, 3 weeks ago


Please update this dump with real new questions. This question appeared in the dump more than 6 times already.
upvoted 3 times

  ki01 1 month, 4 weeks ago


my bet, across both variations of it, should be about 20 times
upvoted 1 times

  Killic 7 months, 1 week ago


I wish it was only 6 times.
upvoted 1 times

  Mustapha_Hadrich 7 months, 2 weeks ago


Even more
upvoted 1 times

Question #127 Topic 5

You have five Azure virtual machines that run Windows Server 2016. The virtual machines are configured as web servers.

You have an Azure load balancer named LB1 that provides load balancing services for the virtual machines.

You need to ensure that visitors are serviced by the same web server for each request.

What should you configure?

A. Floating IP (direct server return) to Disabled

B. Idle Time-out (minutes) to 20

C. a health probe

D. Session persistence to Client IP

Correct Answer: D

  fessebook Highly Voted  7 months ago

in 20 years we'll still be remembering it


upvoted 11 times

  Yogesh25 Most Recent  3 weeks, 1 day ago

And here it comes again.... :-)


upvoted 1 times

  PTark 5 months ago


Come on moderator do your job and clean these duplicates out please.
upvoted 4 times

  DimsumDestroyer 5 months, 2 weeks ago


This is making me laugh so hard. How many times has this been filling up spaces for this dumps?
upvoted 2 times

  ki01 1 month, 4 weeks ago


i wouldn't be surprised if they want to refresh the update timer on the exam to say " UPDATED A DAY AGO!" and what they do is just
copy and paste one question and it's updated. Then again, i wouldn't put it past ET to just have a random function set to take current
date and subtract 1-3 days so they would always be fresh.

i mean their pro sale had 1.5 hours remaining 12 hours ago and now it has 15 hours remaining and their contributor access sale has
been "expiring tonight!" for the past 3 years, so they are not bound by mortal concepts like time or integrity.
upvoted 1 times

  lulzsec2019 7 months, 2 weeks ago


Wow super new question!
upvoted 1 times

  NurSalman 7 months, 2 weeks ago


Enough we get it Already!
upvoted 3 times

  sheilawu 3 months, 2 weeks ago


Yes so enough
upvoted 1 times
Question #128 Topic 5

You have five Azure virtual machines that run Windows Server 2016. The virtual machines are configured as web servers.

You have an Azure load balancer named LB1 that provides load balancing services for the virtual machines.

You need to ensure that visitors are serviced by the same web server for each request.

What should you configure?

A. Session persistence to Client IP

B. Idle Time-out (minutes) to 20

C. Session persistence to None

D. Protocol to UDP

Correct Answer: A

  antropaws Highly Voted  7 months, 1 week ago

I'm going to ask for a refund.


upvoted 24 times

  Fr3ggel Highly Voted  3 months, 1 week ago

Hopefully it's also multiple times in the real exam ;-)


upvoted 6 times

  ki01 Most Recent  1 month, 4 weeks ago

i'm running out of (barely) funny or (barely) insightful things to write at this point... i just want it all to end.... :(
upvoted 1 times

  sailorastro 1 month, 4 weeks ago


hang in there buddy, you got this
upvoted 1 times

  houzer 1 month, 4 weeks ago


I must admit, after seeing 400+ questions and being on my way to 500, seeing this question over and over again makes me happy cause
I'm gonna be done with this faster. Keep spamming that shit, I am tired from all these damn questions LOL
upvoted 3 times

  Faust777 4 months, 1 week ago


Duplicates were added to fool us and make us think that ET has added new questions from the new exam update..
upvoted 4 times

  PTark 5 months ago


Come on moderator do your job and clean these duplicates out please.
upvoted 1 times

  Abdulka 6 months ago


this is number 200 seeing this question in this ET
upvoted 1 times

  fessebook 7 months ago


Alzheimer is writing ...
upvoted 2 times

  azpro9999 7 months, 1 week ago


Damn first time seeing this question lmao
upvoted 2 times

  amkaz104 7 months, 2 weeks ago


Agree!! What a waste..
upvoted 1 times

  lulzsec2019 7 months, 2 weeks ago


Super new question!
upvoted 1 times
  garmatey 7 months, 2 weeks ago
wtf is going on with this question being added over and over?
upvoted 1 times

  arnovanb 7 months, 3 weeks ago


3 times in a row, 5 times on this page... and 20 times in total or so
Please remove the duplicates of this question
upvoted 3 times
Question #129 Topic 5

You plan to deploy several Azure virtual machines that will run Windows Server 2019 in a virtual machine scale set by using an Azure Resource Manager template.

You need to ensure that NGINX is available on all the virtual machines after they are deployed.

What should you use?

A. the Publish-AzVMDscConfiguration cmdlet

B. a Microsoft Endpoint Manager device configuration profile

C. Azure Application Insights

D. a Desired State Configuration (DSC) extension

Correct Answer: D

Community vote distribution


A (70%) D (30%)

  chiquito Highly Voted  7 months, 3 weeks ago

Please, clean this dump. Remove duplicate, triplicate questions. This is not a new question. Update with real new questions. Thank you!
upvoted 13 times

  ki01 Highly Voted  1 month, 4 weeks ago

Selected Answer: A

A. Session persistence to Client IP is the correct one


upvoted 7 times

  SDiwan Most Recent  6 days, 4 hours ago

Selected Answer: D

DSC extension
upvoted 3 times

  PTark 5 months ago


Come on moderator do your job and clean these duplicates out please.
upvoted 2 times

  KM 5 months, 2 weeks ago


The Answer to this question is: the Publish-AzVMDscConfiguration cmdlet.

https://learn.microsoft.com/en-us/azure/virtual-machines/extensions/dsc-overview
The Publish-AzVMDscConfiguration cmdlet takes in a configuration file, scans it for dependent DSC resources, and then creates a .zip file.
The .zip file contains the configuration and DSC resources that are needed to enact the configuration. The cmdlet can also create the
package locally by using the -OutputArchivePath parameter. Otherwise, the cmdlet publishes the .zip file to Blob Storage, and then
secures it with an SAS token.
upvoted 1 times

  KM 5 months, 2 weeks ago


I have seen this question more than 3 times. If they remove the duplicate question, then we need to focus only on the real question and
not on the duplicate questions.
upvoted 2 times

  marioZuo 6 months, 2 weeks ago


Another old friend
upvoted 4 times
Question #130 Topic 5

You plan to deploy several Azure virtual machines that will run Windows Server 2019 in a virtual machine scale set by using an Azure Resource Manager template.

You need to ensure that NGINX is available on all the virtual machines after they are deployed.

What should you use?

A. Azure Custom Script Extension

B. Deployment Center in Azure App Service

C. the New-AzConfigurationAssignment cmdlet

D. a Microsoft Endpoint Manager device configuration profile

Correct Answer: A

  arnovanb Highly Voted  7 months, 3 weeks ago

Haven't seen this one in a while ;-)


upvoted 10 times

  Rocketeer 4 months ago


me too :)
upvoted 1 times

  learnboy123 Most Recent  1 month, 3 weeks ago

What are these clowns doing?


upvoted 1 times

  ki01 1 month, 4 weeks ago


i think i will add mastery of script extensions and session persistence in my resume
upvoted 2 times

  [Removed] 2 months, 3 weeks ago


Looks familiar
upvoted 1 times
Question #131 Topic 5

You have an Azure subscription that contains a Recovery Services vault named Vault1.

You need to enable multi-user authorization (MUA) for Vault1.

Which resource should you create first?

A. an administrative unit

B. a managed identity

C. a resource guard

D. a custom Azure role

Correct Answer: C

Community vote distribution


C (100%)

  RandomNickname Highly Voted  7 months, 3 weeks ago

Selected Answer: C

Given answer looks correct, see;

https://learn.microsoft.com/en-us/azure/backup/multi-user-authorization?tabs=azure-portal&pivots=vaults-recovery-services-vault

Before you start


Testing scenarios
Create a Resource Guard
Enable MUA on a Recovery Services vault
Protected operations on a vault using MUA
Authorize critical operations on a vault
Disable MUA on a Recovery Services vault
upvoted 12 times

  raj24051961 Most Recent  7 months, 2 weeks ago

Selected Answer: C

https://learn.microsoft.com/en-us/azure/backup/multi-user-authorization?tabs=azure-portal&pivots=vaults-recovery-services-vault
upvoted 3 times

  capitainekurck 7 months, 3 weeks ago

Selected Answer: C

https://learn.microsoft.com/en-us/azure/backup/multi-user-authorization?tabs=azure-portal&pivots=vaults-recovery-services-vault#before-you-start
Before you start

Ensure the Resource Guard and the Recovery Services vault are in the same Azure region.
Ensure the Backup admin does not have Contributor permissions on the Resource Guard. You can choose to have the Resource Guard in
another subscription of the same directory or in another directory to ensure maximum isolation.
Ensure that your subscriptions containing the Recovery Services vault as well as the Resource Guard (in different subscriptions or tenants)
are registered to use the providers - Microsoft.RecoveryServices and Microsoft.DataProtection . For more information, see Azure
upvoted 3 times
Question #132 Topic 5

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an app named App1 that is installed on two Azure virtual machines named VM1 and VM2. Connections to App1 are managed by using an Azure Load Balancer.

The effective network security configurations for VM2 are shown in the following exhibit.

You discover that connections to App1 from 131.107.100.50 over TCP port 443 fail.

You verify that the Load Balancer rules are configured correctly.

You need to ensure that connections to App1 can be established successfully from 131.107.100.50 over TCP port 443.

Solution: You create an inbound security rule that allows any traffic from the AzureLoadBalancer source and has a priority of 150.

Does this meet the goal?

A. Yes

B. No

Correct Answer: A

Community vote distribution


A (77%) B (23%)

  yettie79 Highly Voted  7 months, 2 weeks ago

Answer is 'NO' B, there is a rule in place to allow 131.107.100.50 over TCP port 443 with higher priority of 100. Adding a new rule with a priority
of 150 will not make any difference.
upvoted 24 times

  SDiwan 6 days, 4 hours ago


The existing rule with priority 100 has source ip of the client (131.107.100.50). But the app1 is behind a LB, so the source ip should be of
the LB and not the client. So adding, 150 priority will overrule the rule with 200 priority which is currently blocking the requests from LB
to App1
upvoted 1 times

  profesorklaus 5 months ago


The rule is added to VM2 which hosts App2
upvoted 1 times

  RandomNickname Highly Voted  7 months, 3 weeks ago

Selected Answer: A

Presuming it's the health probe on 443 which is at fault and is required to ensure LB is processing as intended, the given answer is correct.

https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-custom-probe-overview
"Azure Load Balancer rules require a health probe to detect the endpoint status. The configuration of the health probe and probe
responses determines which backend pool instances receive new connections. Use health probes to detect the failure of an application.
Generate a custom response to a health probe. Use the health probe for flow control to manage load or planned downtime. When a
health probe fails, the load balancer stops sending new connections to the respective unhealthy instance. Outbound connectivity isn't
affected, only inbound."
upvoted 14 times

  SDiwan Most Recent  6 days, 4 hours ago

Selected Answer: A

The existing rule with priority 100 has source ip of the client (131.107.100.50). But the app1 is behind a LB, so the source ip should be of
the LB and not the client. So adding, 150 priority will overrule the rule with 200 priority which is currently blocking the requests from LB to
App1
upvoted 1 times

  Indy429 1 month, 3 weeks ago

Selected Answer: A

This has already been a previous question, and from that discussion, A is the right answer.
upvoted 2 times

  93d821b 2 months, 1 week ago


The VM IS OFF. That's why it's not working (look at the top where it says "attach network").
Adding that rule isn't going to change anything, as there is already a higher priority rule allowing that traffic.
So...no. that isn't going to fix the issue.
upvoted 3 times

  jeru81 5 days, 3 hours ago


look further and read: ...(attached to network interfaces: Subnet11) 8)
upvoted 1 times

  clg003 2 months, 2 weeks ago


Selected Answer: A

The LB traffic is behind the 200 443 deny. That's why it can't get through. The IP allow @100 is a red herring. It's testing to see if you know that
the traffic will appear as if it's coming from the LB and not the client IPs.
upvoted 1 times

  alexandrud 3 months ago


The answer is B.

The VM2 is certainly turned off (because the "Attach network interface" option is available / If the VM2 was turned on, the option would be
grayed out), therefore the VM2 is not reachable.

The NSG is attached to the Subnet, so another rule that allows any traffic from the AzureLoadBalancer with the priority 150 will not be
evaluated. There is something else that makes the App1 not to be accessible from the 131.107.100.50 IP (It could be that the VM1 is also
turned off, or something else).

Note that the Load Balancer rules are configured correctly ("You verify that the Load Balancer rules are configured correctly.").
upvoted 3 times

  alexandrud 2 months, 1 week ago


I take it back. This Question was in my exam today and I specifically looked at the "Attach network interface" button and it was grayed
out (not enabled like in this screenshot). I passed the exam with 909 and my answer today was YES (big thanks to everyone that posted
here, especially mlantonis).
upvoted 6 times

  FredTedJanBobDeanFrankRogerJoe 3 months, 1 week ago


Selected Answer: A

Tested. Without the rule, the LB is unable to complete health probes and access to the web page is cutoff. Azure even provides a nice
warning message if it detects a rule that will get in the way of Load Balancing but still lets you do it. This was tested using an NSG
connected to the subnet. Having NSGs connected to each VM that permitted the Load Balancer traffic did not take precedence over the
Subnet NSG which still blocked the health probes. Answer is YES.
upvoted 2 times

  OrangeSG 3 months, 2 weeks ago

Selected Answer: B

Answer is No.

https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-custom-probe-overview#probe-source-ip-address

For Load Balancer's health probe to mark up your instance, you must allow 168.63.129.16 IP address in any Azure network security groups
and local firewall policies. The AzureLoadBalancer service tag identifies this source IP address in your network security groups and permits
health probe traffic by default.
upvoted 1 times

  OrangeSG 3 months, 2 weeks ago


Make a correction, answer shall be Yes.
Explanation above still valid.
upvoted 2 times

  kennie0 4 months ago


I'm going with YES.
upvoted 1 times

  nmnm22 4 months, 3 weeks ago


a variant of this question came in the exam 25/9/2023
upvoted 2 times

  ServerBrain 4 months, 3 weeks ago


131.107.100.50 is a frontendip, so rule 100 accepts 443 from this IP.

When you create an inbound security rule that allows any traffic from the AzureLoadBalancer source and has a priority of 150 you are
allowing anything from the LoadBalancer not just from the frontendIP.

If you look at it, doing this actually makes the rule that has priority 65001 have a higher priority, or 150.
upvoted 3 times

  VV11_SS22 6 months, 1 week ago


Correct answer is NO ......VM is not powered ON , there is no NIC public IP !!!!
upvoted 8 times

  hidefo6963 5 months, 1 week ago


it is a pair of VMs, the second one still can be online.
upvoted 1 times

  rimvydukas 6 months, 1 week ago


Selected Answer: A

Solution will meet the goal. The 100 rule allows the traffic from the required IP, but we still can't access port 443. This is most probably because of
the 200 rule, which is blocking the health probe from the LB itself. When health probe traffic is blocked - the LB will not pass traffic to the nodes which are
not responding to health probes. The 65001 rule allows everything from the LB, but if the client still can't access port 443 it is not reached because of
the 200 rule match (health probe on port 443). If we create a 150 rule which will allow any traffic from the LB - everything will work :) Simple.
upvoted 10 times
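The rule ordering argued in the comment above, as an added example that is not part of the original thread: a minimal first-match NSG evaluator showing which rule a health probe and a client connection hit before and after the priority-150 rule is added. The exhibit is not reproduced on this page, so the rule set is constructed from the discussion (allow 131.107.100.50 on TCP 443 at 100, deny port 443 at 200, default rules 65001 and 65500); `Rule`, `evaluate` and `verdicts` are hypothetical names.

```python
import ipaddress
from dataclasses import dataclass

# AzureLoadBalancer service tag: health probes originate from 168.63.129.16
# (the address quoted from Microsoft's documentation in the thread).
SERVICE_TAGS = {"AzureLoadBalancer": ["168.63.129.16/32"]}


@dataclass(frozen=True)
class Rule:
    priority: int   # lower number is evaluated first
    name: str
    source: str     # "*", a service tag name, or a CIDR / single IP
    port: str       # "*" or a destination port number as text
    protocol: str   # "*", "TCP" or "UDP"
    action: str     # "Allow" or "Deny"


def source_matches(rule_source, src_ip):
    """True when src_ip falls inside the rule's source (wildcard, tag or CIDR)."""
    if rule_source == "*":
        return True
    prefixes = SERVICE_TAGS.get(rule_source, [rule_source])
    ip = ipaddress.ip_address(src_ip)
    return any(ip in ipaddress.ip_network(p, strict=False) for p in prefixes)


def evaluate(rules, src_ip, port, protocol):
    """Return the first rule, in priority order, that matches the inbound flow."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if (source_matches(rule.source, src_ip)
                and rule.port in ("*", str(port))
                and rule.protocol in ("*", protocol)):
            return rule
    raise LookupError("no rule matched; a real NSG always ends in DenyAllInBound")


# Constructed rule set, reconstructed from the comments (the exhibit itself is
# missing). The default AllowVnetInBound rule (65000) is left out because it
# does not affect either flow checked below.
BASE_RULES = [
    Rule(100, "Allow_131.107.100.50", "131.107.100.50", "443", "TCP", "Allow"),
    Rule(200, "BlockAllOther443", "*", "443", "*", "Deny"),
    Rule(65001, "AllowAzureLoadBalancerInBound", "AzureLoadBalancer", "*", "*", "Allow"),
    Rule(65500, "DenyAllInBound", "*", "*", "*", "Deny"),
]

# The rule proposed in the question's solution.
PROPOSED = Rule(150, "AllowLoadBalancer", "AzureLoadBalancer", "*", "*", "Allow")


def verdicts(rules):
    """Matching (priority, action) for the client flow and the LB health probe."""
    client = evaluate(rules, "131.107.100.50", 443, "TCP")
    probe = evaluate(rules, "168.63.129.16", 443, "TCP")
    return {
        "client": (client.priority, client.action),
        "probe": (probe.priority, probe.action),
    }


if __name__ == "__main__":
    print("before:", verdicts(BASE_RULES))
    print("after: ", verdicts(BASE_RULES + [PROPOSED]))
```

The client flow matches rule 100 in both cases; only the probe's verdict changes, which is the point the comment makes about rule 200 shadowing the default 65001 rule.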

  sawanti 6 months, 1 week ago


Bro, you need to study more for this exam if that's your explanation.. You can't connect to the VM because it's Stopped (deallocated).
Rule 100 still applies, so nothing will solve this problem. To solve this problem, you need to Start VM or Fix and Start the VM, so answer
B is correct
upvoted 3 times

  JeremyChainsaw 6 months, 3 weeks ago


Question was on the Exam. I chose Yes, add 150 priority to allow traffic from the LB on the MS trusted network.

The LB needs to be able to talk to the backend pool, which is currently not allowed.

exam passed.
upvoted 4 times

  KpiTalisTTT 5 months, 3 weeks ago


You pass the exam with this one wrong my man.
upvoted 3 times

  Learner2022 6 months, 3 weeks ago


Selected Answer: B

There is already a rule with higher priority that allows the traffic.
upvoted 3 times

  Josete1106 6 months, 4 weeks ago


Answer is NO!
upvoted 1 times
Question #133 Topic 5

Your on-premises network contains a VPN gateway.

You have an Azure subscription that contains the resources shown in the following table.

You need to ensure that all the traffic from VM1 to storage1 travels across the Microsoft backbone network.

What should you configure?

A. Azure Application Gateway

B. service endpoints

C. Azure AD Application Proxy

D. Azure Virtual WAN

Correct Answer: B

Community vote distribution


B (100%)

  RandomNickname Highly Voted  7 months, 3 weeks ago

Selected Answer: B

Given answer is correct see;

https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview

"Virtual Network (VNet) service endpoint provides secure and direct connectivity to Azure services over an optimized route over the Azure
backbone network. Endpoints allow you to secure your critical Azure service resources to only your virtual networks. Service Endpoints
enables private IP addresses in the VNet to reach the endpoint of an Azure service without needing a public IP address on the VNet."
upvoted 9 times

  Exams_Prep_2021 Most Recent  1 month, 2 weeks ago


in exam 26/12/2023
upvoted 2 times

  Jiqa 7 months, 3 weeks ago


Selected Answer: B

Probably correct answer - B:


"Virtual Network (VNet) service endpoint provides secure and direct connectivity to Azure services over an optimized route over the Azure
backbone network."
https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview
upvoted 2 times
Question #134 Topic 5

You create an Azure VM named VM1 that runs Windows Server 2019.

VM1 is configured as shown in the exhibit. (Click the Exhibit tab.)

You need to enable Desired State Configuration for VM1.

What should you do first?

A. Connect to VM1.

B. Start VM1.

C. Capture a snapshot of VM1.

D. Configure a DNS name for VM1.

Correct Answer: B

Community vote distribution


B (100%)

  karthikwarrior Highly Voted  7 months, 3 weeks ago

All these are repeated questions, and if you are at this point then you have contributor access and paid subscription.. so we miss Mlantos
comments here..
upvoted 15 times

  karthikwarrior 7 months, 3 weeks ago


mlantonis
upvoted 5 times

  RandomNickname Highly Voted  7 months, 3 weeks ago

Selected Answer: B

Given answer is correct, see;

https://learn.microsoft.com/en-us/azure/virtual-machines/extensions/dsc-windows

"The DSC extension for Windows requires that the target virtual machine is able to communicate with Azure and the location of the
configuration package (.zip file) if it is stored in a location outside of Azure."
upvoted 5 times

  azpro9999 Most Recent  7 months, 1 week ago

B is correct, look at the picture, u can start VM = its off..


upvoted 3 times
  azpro9999 7 months, 1 week ago
This type of config requires the computer to be on.
upvoted 1 times

  chiquito 7 months, 3 weeks ago


Selected Answer: B
If we need to connect to the VM, it should be running. The provided screenshot shows that it is stopped.
Ref: https://learn.microsoft.com/en-us/azure/automation/quickstarts/dsc-configuration#enable-a-virtual-machine
upvoted 4 times
Question #135 Topic 5

HOTSPOT

You have an Azure subscription that contains the virtual networks shown in the following table.

The subnets have the IP address spaces shown in the following table.

You plan to create a container app named contapp1 in the East US Azure region.

You need to create a container app environment named con-env1 that meets the following requirements:

• Uses its own virtual network.

• Uses its own subnet.

• Is connected to the smallest possible subnet.

To which virtual networks can you connect con-env1, and which subnet mask should you use? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Correct Answer:

  Kuikz Highly Voted  5 months, 1 week ago


It's VNET 3 only and /23

So we need a /23 mask, this means 512 IPs

I am a total newbie with this so i tried to find out what the possible IP Ranges are:
- VNET 1
10.1.128.0/23 = 10.1.128.0 - 10.1.129.255 (512 IPs)
- Sub 1
10.1.128.0/24 = 10.1.128.0 - 10.1.128.255 (256)
-> Not enough IPs available

- VNET 2
192.168.0.0/16 = 192.168.0.0-192.168.255.255
- Sub21
192.168.0.0 /17 = 192.168.0.0 - 192.168.127.255
- Sub22
192.168.128.0/17 = 192.168.128.0 - 192.168.255.255
-> The subnets take out the whole range of VNET 2

- VNET 3
172.16.0.0/16 = 172.16.0.0 - 172.16.255.255
- Sub3
172.16.1.0/24 = 172.16.1.0 - 172.16.1.255
-> VNET 3 still has most of the range for a /23 available. For example we could make the following /23 subnet: 172.16.2.0/23 = 172.16.2.0 -
172.16.3.255

Please correct me if i am wrong!


upvoted 19 times
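The range arithmetic in the comment above, carried out with Python's `ipaddress` module as an added example (not part of the original thread): it subtracts each existing subnet from its VNet's address space and looks for a free block large enough for a new /23. The address spaces are the ones listed in the comment, the /23 minimum is the figure quoted in the discussion, regions are ignored because the tables are not on this page, and the function names are hypothetical.

```python
import ipaddress


def free_blocks(vnet, used_subnets):
    """Return the unallocated CIDR blocks left in vnet after removing used_subnets."""
    free = [ipaddress.ip_network(vnet)]
    for used in used_subnets:
        used_net = ipaddress.ip_network(used)
        remaining = []
        for block in free:
            if not used_net.overlaps(block):
                remaining.append(block)           # untouched by this subnet
            elif block.subnet_of(used_net):
                continue                          # block is fully consumed
            else:
                # used_net sits inside block: keep everything around it
                remaining.extend(block.address_exclude(used_net))
        free = remaining
    return sorted(free)


def first_fit(vnet, used_subnets, prefix):
    """Lowest free subnet of the requested prefix length, or None if none fits."""
    for block in free_blocks(vnet, used_subnets):
        if block.prefixlen <= prefix:
            return next(block.subnets(new_prefix=prefix))
    return None


# Address spaces as listed in the comment above.
VNETS = {
    "VNET1": ("10.1.128.0/23", ["10.1.128.0/24"]),
    "VNET2": ("192.168.0.0/16", ["192.168.0.0/17", "192.168.128.0/17"]),
    "VNET3": ("172.16.0.0/16", ["172.16.1.0/24"]),
}

REQUIRED_PREFIX = 23  # minimum subnet size quoted in the discussion


def candidates(prefix=REQUIRED_PREFIX):
    """Map each VNet name to the first free subnet of the given size (or None)."""
    return {name: first_fit(space, used, prefix)
            for name, (space, used) in VNETS.items()}


if __name__ == "__main__":
    for name, subnet in candidates().items():
        print(f"{name}: {subnet if subnet else 'no free /%d' % REQUIRED_PREFIX}")
```

VNET1 has only 10.1.129.0/24 left and VNET2 is fully allocated, so the first fit lands at 172.16.2.0/23 in VNET3, the same range the comment arrives at by hand.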

  trferreiraBR 3 months, 2 weeks ago


VNET 3 only and /23.

Why? According to Microsoft - Consumption only environment - Container Apps. It needs a subnet with IPs in Range 512.

-/23 is the minimum subnet size required for virtual network integration.

-The Container Apps runtime reserves a minimum of 60 IPs for infrastructure in your VNet. The reserved amount may increase up to
256 addresses as apps in your environment scale.

Reference:
https://learn.microsoft.com/en-us/azure/container-apps/networking?tabs=azure-cli#consumption-only-environment
upvoted 6 times

  bhadrisn 1 month, 3 weeks ago


Your explanation is right but selected answer is wrong. /23 is the subnet size to be used. This gives answer for second box. And for
the first box, from the given conditions, you choose, VNET2, because, /23 size is available only in subnet 21 and subnet 22. but
subnet 21 and 23 is only attached to VNET2. So, answer for first box is VNET2
upvoted 1 times

  bhadrisn 1 month, 3 weeks ago


Ok, my assumption is wrong. I thought we have to use only from the above subnets, but after reading the question correctly, i
had another thought of which VNETs has space and to which VNET we can have the environment allocated. So, it should be
VNET3 as it has space. VNET2 space is not available.
upvoted 2 times

  ducklaorange 5 months ago


Your reasoning sounds correct to me. But its a very silly question, having to number crunch IP subnets like this is a CCNA.
upvoted 5 times

  josola 2 months, 2 weeks ago


Azure manages its own networking environment, so yes the required knowledge should be akin to CCNA.
upvoted 1 times

  Novia Most Recent  1 month, 1 week ago

the Answer should be


BOX 1 VNET 1 or VNET3 only
BOX2 /24
we have subnet mask either /24 or /17 from all subnets. the question did not say you can create a new subnet! therefore, /24 is the
smallest subnet you can CHOOSE from the two.
Both VNET1 and VNET 3 have the subnets with mask /24
upvoted 3 times

  vish9 2 months, 1 week ago


As per the following link, /27 is the minimum subnet required:
https://learn.microsoft.com/en-us/azure/container-apps/networking?tabs=workload-profiles-env%2Cazure-cli#consumption-only-environment

Hence all three VNets can be used because those are bigger than /27. To keep the subnet smallest we should use /26 prefix.
upvoted 2 times

  Razoir 3 months ago


To meet the requirements of creating a container app environment named con-env1 that uses its own virtual network, its own subnet, and
is connected to the smallest possible subnet, you should connect con-env1 to vnet1 and use subnet1 with the smallest subnet mask
available.

The available options are:

vnet1: 10.1.128.0/23, subnet1: 10.1.128.0/24


vnet2: 192.168.0.0/16, subnet21: 192.168.0.0/17
vnet3: 172.16.0.0/16, subnet3: 172.16.1.0/24

So, the correct options are:

Connect con-env1 to vnet1


Use the subnet subnet1 with the subnet mask 10.1.128.0/24
upvoted 2 times

  RonZhong 4 months, 3 weeks ago


Q1: VNET 1 & VNET 3
Q2: /24 from Subnet1 or Subnet 3 (bigger than /27 & /23 as required below)

Container Apps has two different environment types, which share many of the same networking characteristics with some key differences.
1. Workload profiles environment: /27 is the minimum subnet size required for virtual network integration.

2. Consumption only environment: /23 is the minimum subnet size required for virtual network integration.
upvoted 3 times

  RonZhong 4 months, 3 weeks ago


Link here: https://learn.microsoft.com/en-us/azure/container-apps/networking?tabs=azure-cli
upvoted 2 times

  ovas 4 months, 3 weeks ago


Why not VNET1 and VNET3? Because the question asks for a smaller subnet, and the smaller subnet has a subnet mask of 24
upvoted 2 times

  PTark 5 months ago


VNET3 and /23
upvoted 3 times

  MRL110 4 months, 3 weeks ago


You're the only one who seems to have understood the question correctly.
upvoted 1 times

  MRL110 4 months, 3 weeks ago


I meant one of the very few.
upvoted 1 times

  [Removed] 5 months, 1 week ago


VNet1 and VNet3 only have one subnet, that meets the first requirement.
They both use /24 and that is the smallest subnet mask in chart 2, meeting the third requirement.
upvoted 3 times

  hfk2020 5 months, 2 weeks ago


Vnet1 only since that only has the subnet/23
upvoted 3 times

  Mnguyen0503 5 months, 1 week ago


I agree that the minimum subnet is /23, so that will make vnet3 the only option with /16 address space. Pay attention to the
requirements with own vnet and own subnet. Since vnet 1 has exactly /23 and it has already used the portion of it for subnet 1, there's
no available address space to support another /23. You will need to size up to anything larger or equal to /22. So answer is vnet 3 and
/23.
upvoted 4 times

  o0o0 5 months, 1 week ago


But any /23 that you will make from VNET3 will contain subnet3 (which is /24) and therefore the requirement of its own subnet will be
broken.
upvoted 1 times

  Mnguyen0503 5 months, 1 week ago


Nope. 172.16.2.0/23 doesn't contain 172.16.1.0/24. You underestimated how big a /16 network is. That's a class B network easy
upvoted 1 times

  Mnguyen0503 5 months, 1 week ago


In addition, vnet2 is no go because all of its address space is filled up by subnet 21 and 22
upvoted 3 times

  hfk2020 5 months, 2 weeks ago


Environment selection
Container Apps has two different environment types, which share many of the same networking characteristics with some key differences.

Environment type | Description | Supported plan types
Workload profiles | Supports user defined routes (UDR) and egress through NAT Gateway. The minimum required subnet size is /27. | Consumption, Dedicated
Consumption only | Doesn't support user defined routes (UDR) and egress through NAT Gateway. The minimum required subnet size is /23. | Consumption

Answer is 23
https://learn.microsoft.com/en-us/azure/container-apps/networking?tabs=azure-cli
upvoted 1 times

  ValB 1 month, 2 weeks ago


You seem to suggest that /27 as minimum is wrong and it must be /23? Why?
upvoted 1 times
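
The address arithmetic argued over in the discussion above, as an added example that is not part of the original page: it computes the free blocks left in each virtual network and the first subnet of a requested size that still fits. The VNET1, VNET3 and Subnet21 ranges and the /23 and /27 minimums are the ones quoted in the comments; the Subnet22 range and all function names are assumptions.

```python
import ipaddress

# Address spaces and existing subnets as quoted in the discussion.
# Subnet22 is not quoted there; 192.168.128.0/17 is an assumption that matches
# the comments saying Subnet21 and Subnet22 fill all of VNET2.
VNETS = {
    "VNET1": {"space": "10.1.128.0/23", "subnets": ["10.1.128.0/24"]},
    "VNET2": {"space": "192.168.0.0/16",
              "subnets": ["192.168.0.0/17", "192.168.128.0/17"]},
    "VNET3": {"space": "172.16.0.0/16", "subnets": ["172.16.1.0/24"]},
}

# Minimum subnet sizes per Container Apps environment type, as cited in the comments.
MIN_PREFIX = {"consumption-only": 23, "workload-profiles": 27}


def free_blocks(space, used_subnets):
    """Return the CIDR blocks of `space` not covered by any subnet in `used_subnets`."""
    free = [ipaddress.ip_network(space)]
    for used in (ipaddress.ip_network(s) for s in used_subnets):
        remaining = []
        for block in free:
            if not block.overlaps(used):
                # CIDR blocks are either nested or disjoint; this one is untouched.
                remaining.append(block)
            elif used != block and used.subnet_of(block):
                # The used subnet sits inside this block: keep everything around it.
                remaining.extend(block.address_exclude(used))
            # Otherwise the block lies entirely inside `used` and is consumed.
        free = remaining
    return sorted(free)


def first_fit(space, used_subnets, prefix):
    """Return the lowest-addressed free subnet of exactly /prefix, or None if none fits."""
    for block in free_blocks(space, used_subnets):
        if block.prefixlen <= prefix:  # block is at least as large as requested
            return next(block.subnets(new_prefix=prefix))
    return None


def candidates(env_type):
    """Map each VNet name to a new, non-overlapping subnet of the minimum size (or None)."""
    prefix = MIN_PREFIX[env_type]
    return {name: first_fit(v["space"], v["subnets"], prefix)
            for name, v in VNETS.items()}


if __name__ == "__main__":
    for env_type in MIN_PREFIX:
        print(env_type)
        for name, subnet in candidates(env_type).items():
            print(f"  {name}: {subnet if subnet else 'no room'}")
```
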
Question #136 Topic 5

You have an Azure subscription that contains the virtual networks shown in the following table.

All the virtual networks are peered. Each virtual network contains nine virtual machines.

You need to configure secure RDP connections to the virtual machines by using Azure Bastion.

What is the minimum number of Bastion hosts required?

A. 1

B. 3

C. 9

D. 10

Correct Answer: B

Community vote distribution


A (75%) B (17%) 8%

  hfk2020 Highly Voted  5 months, 2 weeks ago

Azure Bastion and VNet peering can be used together. When VNet peering is configured, you don't have to deploy Azure Bastion in each
peered VNet. This means if you have an Azure Bastion host configured in one virtual network (VNet), it can be used to connect to VMs
deployed in a peered VNet without deploying an additional bastion host. For more information about VNet peering, see About virtual
network peering.

Azure Bastion works with the following types of peering:

Virtual network peering: Connect virtual networks within the same Azure region.
Global virtual network peering: Connecting virtual networks across Azure regions.

Answer is A
upvoted 19 times

  KM Highly Voted  5 months, 2 weeks ago

Answer is A.
We required only one Bastion.
https://learn.microsoft.com/en-us/azure/bastion/vnet-peering

Azure Bastion works with the following types of peering:

Virtual network peering: Connect virtual networks within the same Azure region.
Global virtual network peering: Connecting virtual networks across Azure regions.
upvoted 8 times
  MatAlves Most Recent  1 week ago

Answer is either 1 or 3 (if we consider it's NOT Global Network Peering):

"Azure Bastion works with the following types of peering:

Virtual network peering: Connect virtual networks within the same Azure region.
Global virtual network peering: Connecting virtual networks across Azure regions."

https://learn.microsoft.com/en-us/azure/bastion/vnet-peering
upvoted 1 times

  murtazad52 1 month, 2 weeks ago

Selected Answer: A

Only below region Azure Bastion is allowed

Azure Bastion is available in any of these regions via the Azure portal:

West US
East US
West Europe
South Central US
Australia East
Japan East
upvoted 2 times

  Jacky_exam 1 month, 3 weeks ago


Selected Answer: D

When VNet peering is configured, Azure Bastion can be deployed in hub-and-spoke or full-mesh topologies. Azure Bastion deployment is
per virtual network, not per subscription/account or virtual machine.
As it's a full mesh connection. And there are 10 VNet. It should have 10.
upvoted 1 times

  MrTheoDaProphet 2 months ago


I think it's A.
Explanation:
Azure Bastion and VNet peering can be used together. When VNet peering is configured, you don't have to deploy Azure Bastion in each
peered VNet. This means if you have an Azure Bastion host configured in one virtual network (VNet), it can be used to connect to VMs
deployed in a peered VNet without deploying an additional bastion host.

Reference: https://learn.microsoft.com/en-us/azure/bastion/vnet-peering
upvoted 1 times

  MentalTree 2 months, 1 week ago


B. 3

Explanation:

Azure Bastion and VNet peering can be used together. When VNet peering is configured, you don't have to deploy Azure Bastion in each
peered VNet. This means if you have an Azure Bastion host configured in one virtual network (VNet), it can be used to connect to VMs
deployed in a peered VNet without deploying an additional bastion host. For more information about VNet peering, see About virtual
network peering.

Azure Bastion works with the following types of peering:

Virtual network peering: Connect virtual networks within the same Azure region.
Global virtual network peering: Connecting virtual networks across Azure regions.

The question states that VNET peering is enabled, NOT Global VNET peering, thus you need a bastion host in each region.
upvoted 4 times

  ValB 1 month, 2 weeks ago


Doesn't the very fact that a vnet in one region is peered to vnets in other regions mean that global peering is effectively used?
Otherwise you could not pair vnets in different regions!
upvoted 2 times

  amsioso 1 month, 2 weeks ago


YES "All the virtual networks are peered." So we have Global virtual network peering-> Answer A-> 1 Bastion
upvoted 1 times

  MentalTree 2 months, 1 week ago


Source: https://learn.microsoft.com/en-us/azure/bastion/vnet-peering
upvoted 2 times

  DWILK 3 months, 3 weeks ago


I've tested this and the answer is WRONG. I connected from a bastion host on East US2 to a VM in another region (East US).
upvoted 1 times
  01111010 2 months, 2 weeks ago
I agree, but please make a point of providing correct answer (in your opinion) rather than just stating 'answer is wrong'. Sometimes
admins change the answer in which case your comment will throw people off and cause confusion - even after your successful lab test.
My $0.02.
upvoted 1 times

  Link3z 5 months, 1 week ago

Selected Answer: B

Each bastion consists of two VMs that allow 20 RDP connections each; in total there are 90 VMs to connect to, so 3 x 2 x
20 = 120 are needed to reach the 90
upvoted 2 times

  ki01 1 month, 4 weeks ago


INSTANCE = 20 RDP. but this is HOST. HOST=/= INSTANCE
upvoted 1 times

  jorgecarlop 4 months, 3 weeks ago


Those would be simultaneous connections to the machines; to deploy it and have it work, one would be enough.
upvoted 2 times

  Kuikz 5 months, 1 week ago

Selected Answer: A

Answer A
upvoted 2 times

  zer0p0int 5 months, 2 weeks ago

Selected Answer: A

As per https://learn.microsoft.com/en-us/azure/bastion/vnet-peering, with global peering a single Bastion host will suffice.
upvoted 5 times
Question #137 Topic 5

HOTSPOT

You have an Azure subscription that contains the virtual networks shown in the following table.

The subscription contains the virtual machines shown in the following table.

Each virtual machine contains only a private IP address.

You create an Azure bastion for VNet1 as shown in the following exhibit.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Correct Answer:
  hidefo6963 Highly Voted  5 months, 1 week ago

the 1st is "No"


mstsc is a native client and is supported only by Standard Bastion
the 2nd is "Yes"?
if the poor wording means connecting through Azure Portal by SSH, that's what Basic Bastion supports.
the 3rd is "No"
No peering from the Bastion enabled Vnet1
upvoted 23 times

  01111010 2 months, 2 weeks ago


First question is 'Yes' - rationale: mstsc is a command line interface used to run the Microsoft Remote Desktop (RDP) client. Based on
Bastion Basic SKU, access via RDP is supported on Basic and Standard Bastion. Link reference:
https://learn.microsoft.com/en-us/azure/bastion/configuration-settings#skus
upvoted 3 times

  Kuikz Highly Voted  5 months, 1 week ago

I would say
NO
YES
NO

Basic SKU cannot connect to VM using a native client

https://learn.microsoft.com/en-us/azure/bastion/bastion-overview
upvoted 16 times

  josola 2 months, 2 weeks ago


Yes, it can. Check https://learn.microsoft.com/en-us/azure/bastion/configuration-settings#skus
upvoted 1 times

  josola 2 months, 2 weeks ago


Moderator, please disregard this response. I was wrong.
upvoted 1 times

  mnasiban 3 months, 1 week ago


https://learn.microsoft.com/en-us/azure/bastion/native-client
upvoted 2 times

  amsioso Most Recent  1 month, 2 weeks ago

NYN
https://learn.microsoft.com/en-us/azure/bastion/vm-upload-download-native
"This feature requires the Standard SKU. The Basic SKU doesn't support using the native client."
upvoted 1 times

  Indy429 1 month, 3 weeks ago


Box 1 should be NO
Native client is not supported in Bastion Basic SKU.
upvoted 1 times

  houzer 1 month, 4 weeks ago


NYN

Basic plan for bastion does not support native client. The RDP support is not the same as native client, this is separate, do not get
confused.

https://learn.microsoft.com/en-us/azure/bastion/connect-vm-native-client-windows
https://learn.microsoft.com/en-us/azure/bastion/native-client
upvoted 2 times

  nchebbi 2 months, 2 weeks ago


The first option is NO: MSTSC is the native client which is supported only for Standard SKU.
Don't confuse the support of the RDP protocol on both Basic and Standard skus with the native Client MSTSC support on the Standard
SKU.

"Once you sign in to your target VM, the native client on your computer opens up with your VM session via MSTSC."
https://learn.microsoft.com/en-us/azure/bastion/connect-vm-native-client-windows
upvoted 1 times

  IT_infra 4 months ago


So which will be the correct answer?
upvoted 1 times

  houzer 1 month, 2 weeks ago


No-Yes-No
upvoted 1 times

  Betancourt 5 months, 1 week ago


Hello, I disagree with the second answer.
2) NO, Azure Portal uses TLS, port 443 to connect through Bastion.
https://learn.microsoft.com/en-us/azure/bastion/bastion-overview, look at the image.
upvoted 3 times

  Tayhull2023 4 months, 4 weeks ago


"The options available on the Bastion page are dependant on the Bastion SKU tier. If you're using the Basic SKU, you connect to a
Windows computer using RDP and port 3389, and to a Linux computer using SSH and port 22."
https://learn.microsoft.com/en-us/azure/bastion/tutorial-create-host-portal
upvoted 2 times

  kennie0 4 months ago


Yes, Basic Bastion supports ssh using port 22.
upvoted 1 times

  hfk2020 5 months, 2 weeks ago


Answer is correct
The following table shows the availability of features per corresponding SKU.

Feature | Basic SKU | Standard SKU
Connect to target VMs in peered virtual networks | Yes | Yes
Connect to Linux VM using SSH | Yes | Yes
Connect to Windows VM using RDP | Yes | Yes
Since Vnet3 has no peering with Vnet1 bastion1 cannot be used
upvoted 13 times
Question #138 Topic 5

HOTSPOT

You have an Azure subscription that contains the virtual networks shown in the following table.

The subscription contains the subnets shown in the following table.

The subscription contains the storage accounts shown in the following table.

You create a service endpoint policy named Policy1 in the South Central US Azure region to allow connectivity to all the storage accounts in the

subscription.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.


Correct Answer:

  conip Highly Voted  5 months, 1 week ago

I would go for
YNN

1) YES
Virtual networks must be in the same region as the service endpoint policy.
https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoint-policies-overview#limitations

2) NO -
By default, if no policies are attached to a subnet with endpoints, you can access all storage accounts in the service
as VNET2 is in diff region this policy is definitely not applied to subnet 2

3) NO -
Policy allows all storage accounts + IMHO it's not full vnet3 to be considered.
upvoted 16 times

  ducklaorange 5 months ago


I agree, article state if an endpoint is applied but no policy you can access all resources in the endpoint.
"Once a policy is configured on that subnet, only the resources specified in the policy can be accessed from compute instances in that
subnet. Access to all other storage accounts is denied."
upvoted 3 times

  entee28 Highly Voted  5 months, 1 week ago

Answer is correct
Box 1: Y
Virtual networks must be in the same region as the service endpoint policy
https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoint-policies-overview#limitations

Box 2: N
VNet2 is in SEA Region, so it can only connect to the stoacc in SEA Region through Service Endpoint, which is storage3

Box 3: Y
VNet3 is in the South Central US region, and so is the storage2
upvoted 12 times

  conip 5 months, 1 week ago


with 3 I would agree to YES if we assume there is only subnet3 there - so the statement should be only storage2 can be accessed from
subnet3 (not vnet3 entirely)
upvoted 4 times

  amsioso 1 month, 1 week ago


Y, N, Y
https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoint-policies-overview#limitations
upvoted 1 times

  ziggy1117 Most Recent  3 months ago


Y-N-N
You create a service endpoint policy named Policy1 in the South Central US Azure region to allow connectivity to all the storage accounts in
the subscription. Thus all Vnets with the service endpoint can access any storage in the subscription

So VNET2 and VNET3 can access storage 1, 2, and 3


upvoted 1 times
Question #139 Topic 5

You plan to deploy several Azure virtual machines that will run Windows Server 2019 in a virtual machine scale set by using an Azure Resource

Manager template.

You need to ensure that NGINX is available on all the virtual machines after they are deployed.

What should you use?

A. the New-AzConfigurationAssignment cmdlet

B. Azure Application Insights

C. the Publish-AzVMDscConfiguration cmdlet

D. a Desired State Configuration (DSC) extension

Correct Answer: D

Community vote distribution


D (100%)

  GODUSGREAT 3 months, 4 weeks ago

Selected Answer: D

yes, we all know now


upvoted 2 times

  vkiran2408 4 months, 2 weeks ago


Repeated question, answer is D
upvoted 1 times
Question #140 Topic 5

You have an Azure subscription that contains a resource group named RG1 and a virtual network named VNet1.

You plan to create an Azure container instance named container1.

You need to be able to configure DNS name label scope reuse for container1.

What should you configure for container1?

A. the private networking type

B. the public networking type

C. a new subnet on VNet1

D. a confidential SKU

Correct Answer: B

Community vote distribution


B (100%)

  Vokuhila Highly Voted  5 months, 1 week ago

Selected Answer: B

Answer is correct:

Public networking type allows you to assign a DNS name label to the container instance that is globally unique within Azure, and it's
accessible from the internet. This is typically used when you want to expose a service hosted in a container to the public.

Private networking type would not allow you to configure DNS name label scope reuse because it doesn't expose the container instance to
the public internet, and it typically operates within a virtual network (VNet) for private communication.

Creating a new subnet on VNet1 (Option C) is related to configuring the network settings of the virtual network and isn't directly related to
configuring DNS name label scope reuse for the container instance.

A confidential SKU (Option D) is not related to DNS name label scope reuse or networking configurations. It is used for specific security
and confidentiality requirements.
upvoted 22 times

  hidefo6963 Highly Voted  5 months, 1 week ago

checked that in a lab, DNS name reuse is available only when the public networking type selected
upvoted 10 times

  AntaninaD Most Recent  5 months, 1 week ago

Selected Answer: B

For Azure portal users, you can set the DNS name reuse policy on the Networking tab during the container instance creation process
using the DNS name label scope reuse field.
Available after choosing public network type
https://learn.microsoft.com/en-us/azure/container-instances/how-to-reuse-dns-names#create-a-container-instance
upvoted 2 times

  Mnguyen0503 5 months, 1 week ago


Answer is correct.
https://learn.microsoft.com/en-us/azure/container-instances/how-to-reuse-dns-names
upvoted 1 times
Question #141 Topic 5

HOTSPOT

You have the Azure virtual machines shown in the following table.

VNET1, VNET2, and VNET3 are peered.

VM4 has a DNS server that is authoritative for a zone named contoso.com and contains the records shown in the following table.

The virtual networks are configured to use the DNS servers shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.


Correct Answer:

  gcertq Highly Voted  5 months, 2 weeks ago

Looks like section of question is missing, but I’d go with NYN.


upvoted 16 times

  gcertq 5 months, 1 week ago


Assuming the IP from last question is an A-record in private DNS zone. VM3 will not get that IP because it uses custom DNS.
upvoted 2 times

  lahart99 Highly Voted  5 months ago

it's NNN

VNET 1,2,3 are peered

VM4 has Authority.

VM3 and VM4 are in same VNET

But last question has wrong IP address so NO


upvoted 6 times

  rnd3131 Most Recent  3 weeks, 1 day ago


VM4 is authoritative for a zone named contoso.com,
so you always come to this dns server. if you use custom or azure default.
because azure default do a lookup to the same server in the end.
that is why you don't have a table in the question for azure default.
upvoted 1 times

  Novia 1 month, 1 week ago


Azure provided DNS doesn't resolve record in custom DNS even if the VNETs are peered.
upvoted 1 times

  SolHamchaa 1 month, 4 weeks ago


Answer should be YNY. A portion of the question is missing.
upvoted 2 times

  gswar 3 months ago


The first question should be YES too because VNET1 is using default DNS server and as all VNET are peered, it will look up to VM4 to
resolve DNS.
upvoted 1 times

  clg003 3 months, 2 weeks ago


NYN... There is no way 3 is Y because it has a 2.4 IP which doesn't exist in the question.
upvoted 3 times

  amsioso 1 month, 1 week ago


WOW true;
Server1=131.107.3.3
Server2=131.107.3.4 NOT 131.107.2.4
upvoted 1 times

  Vestibal 4 months ago


This is one of the several questions asking which one has higher priority - the (custom) DNS bound to a VNET or the private DNS zone
linked to the same VNET. According to my test (and also the answer from chatGPT), the private DNS zone has priority. It is the only one
which is used if the request is going to a domain hosted by the private DNS zone. If the request is going to a domain which is not in the
provate DNS zone, then the default or custom DNS for the VNET is used. Based on this, the answers are Y-Y-Y Why - because both VM1 and
VM2 are linked to the private DNS zone, where we have the record for server1.contoso.com -> 131.107.3.3 Also, asuming that the missing
explanation of the second table says "VM4 is DNS server and it has the following records", and VM3 points to this DNS server, it will see
and resolve the server2.contoso.com -> 131.107.2.4. Note that VNET3 (where VM3 is) is not linked to the private DNS zone.
https://www.examtopics.com/discussions/microsoft/view/78995-exam-az-104-topic-5-question-93-discussion/
commentary: Trevor_VT
upvoted 4 times

  hfk2020 5 months, 2 weeks ago


Apologies, it's NYN the 3 IP is wrong
upvoted 5 times

  hfk2020 5 months, 2 weeks ago


Wrong correct ANS is NYY
even though VNET2 has a VM acting as an authoritative DNS server, VMs in VNET1 that are using Azure-Provided DNS servers will not
directly use the authoritative DNS server in VNET2 for DNS resolution. Instead, they will rely on the Azure-Provided DNS servers assigned
to VNET1 for resolving DNS queries.

If you want VMs in VNET1 to use the authoritative DNS server in VNET2, you would need to configure custom DNS settings on those VMs
to point to the IP address of the authoritative DNS server in VNET2. This would override the default Azure-Provided DNS settings and
direct DNS queries to the specific DNS server you've configured.
upvoted 3 times

  FireByFriction 5 months, 2 weeks ago


This makes no sense to me.
upvoted 4 times

  thymetime 5 months, 2 weeks ago


Some information is missing here. See Topic 5 Question 93
https://www.examtopics.com/discussions/microsoft/view/78995-exam-az-104-topic-5-question-93-discussion/
upvoted 5 times
Question #142 Topic 5

DRAG DROP

You have an Azure subscription that contains a resource group named RG1.

You plan to create an Azure Resource Manager (ARM) template to deploy a new virtual machine named VM1. VM1 must support the capture of

performance data.

You need to specify resource dependencies for the ARM template.

In which order should you deploy the resources? To answer, move all resources from the list of resources to the answer area and arrange them in

the correct order.

Correct Answer:

  gcertq Highly Voted  5 months, 2 weeks ago

Correct order
First, create a network
2nd, create an interface
3rd, create VM
4th, install an extension.
upvoted 35 times

  obidiya22 5 months ago


Correct
upvoted 1 times

  cloudbaron Most Recent  2 months, 1 week ago

The virtual network needs to exist before the network interface can be created.
The network interface needs to be prepared with the Azure Monitor extension before the virtual machine uses it to capture performance
data.
The virtual machine can only be deployed once all the required resources are in place.
So
1. Network
2. NIC
3. Monitor Extension
4. VM
upvoted 1 times

  ziggy1117 3 months ago


answer is correct
upvoted 1 times

Question #143 Topic 5

You plan to deploy several Azure virtual machines that will run Windows Server 2019 in a virtual machine scale set by using an Azure Resource

Manager template.

You need to ensure that NGINX is available on all the virtual machines after they are deployed.

What should you use?

A. a Desired State Configuration (DSC) extension

B. a Microsoft Intune device configuration profile

C. the Publish-AzVMDscConfiguration cmdlet

D. the New-AzConfigurationAssignment cmdlet

Correct Answer: A

Community vote distribution


A (100%)

  WELCOMEEEBRO 1 month, 4 weeks ago


itexamslab.com

correct
upvoted 2 times

  ki01 1 month, 4 weeks ago


Selected Answer: A

...BUT have you considered session persistence? >;)


upvoted 4 times

  GODUSGREAT 3 months, 4 weeks ago


Selected Answer: A

correct
upvoted 1 times

  ServerBrain 4 months, 4 weeks ago

Selected Answer: A

Answer correct
upvoted 3 times
Question #144 Topic 5

You have an Azure subscription that contains the virtual networks shown in the following table.

The subscription contains the virtual machines shown in the following table.

All the virtual machines have only private IP addresses.

You deploy an Azure Bastion host named Bastion1 to VNet1.

To which virtual machines can you connect through Bastion1?

A. VM1 only

B. VM1 and VM2 only

C. VM1 and VM3 only

D. VM1, VM2, and VM3

Correct Answer: B

Community vote distribution


B (75%) D (25%)

  gcertq Highly Voted  5 months, 2 weeks ago

VM1 and VM2, because they are peered.


upvoted 12 times

  Basim1291 Highly Voted  5 months, 1 week ago

Selected Answer: B

B is correct because of peering


upvoted 6 times

  01111010 Most Recent  3 months, 1 week ago

Selected Answer: B

Correct answer is B (VM1 and VM2) because Bastion is deployed to VNEt1, which is peered with VNet2.

D would be correct answer if Bastion was deployed in VNet2, which is not the case.
upvoted 3 times

  peterwheat 3 months, 3 weeks ago

Selected Answer: B
VNet1 and VNet are peered and VNet2 and VNet3 are also peered. However VNet1 and VNet3 are not peered with each other. If gateway
transit is not allowed - and it is not stated -, then there is no connection between VNet1 and VNet3. Bastion is deployed in VNet1.
upvoted 3 times

  Tobi0815MU 3 months, 3 weeks ago


VM1,VM2 as Bastion does not support chained peered configuration, only HUB-Spoke ones
https://learn.microsoft.com/en-us/azure/bastion/vnet-peering
upvoted 3 times

  Vestibal 4 months ago


Selected Answer: D

Azure Bastion and VNet peering can be used together. When VNet peering is configured, you don't have to deploy Azure Bastion in each
peered VNet. This means if you have an Azure Bastion host configured in one virtual network (VNet), it can be used to connect to VMs
deployed in a peered VNet without deploying an additional bastion host. For more information about VNet peering, see About virtual
network peering.

https://learn.microsoft.com/en-us/azure/bastion/vnet-peering
upvoted 1 times

  01111010 3 months, 1 week ago


Hmm, using your quote and provided link... it can be used to connect to VMs deployed "IN PEERED VNet"....so, logically non-peered
VNets = no Bastion access from VNet1, thus excluding VNet3 (and VM3). Correct answer is B (VM1 & VM2).
upvoted 1 times

  ServerBrain 4 months, 4 weeks ago

Selected Answer: D

vm1, vm2 and vm3 because of peering


upvoted 3 times

  lahart99 5 months ago


Isn't vm2 also peered with vnet1, and 3? so isn't it VM1,2 and VM3??
upvoted 1 times

  ec2user 4 months, 3 weeks ago


vnet3 isn't peered with vnet1. hence can't include vm3 imho
upvoted 4 times

  lahart99 5 months ago


Answer should be VM1, VM2 and VM3
upvoted 2 times
Question #145 Topic 5

You plan to deploy several Azure virtual machines that will run Windows Server 2019 in a virtual machine scale set by using an Azure Resource

Manager template.

You need to ensure that NGINX is available on all the virtual machines after they are deployed.

What should you use?

A. a Microsoft Intune device configuration profile

B. a Desired State Configuration (DSC) extension

C. Azure Application Insights

D. Deployment Center in Azure App Service

Correct Answer: D

Community vote distribution


B (100%)

  DWILK 3 months, 3 weeks ago


D??????
upvoted 1 times

  SOz92 4 months, 2 weeks ago

Selected Answer: B

Simply incredible
upvoted 1 times

  Link3z 5 months, 1 week ago

Selected Answer: B

Hahahaha, did they seriously get it wrong??


upvoted 3 times

  rnrjunkie 5 months, 1 week ago


it's B
upvoted 2 times

  Ameet9 5 months, 1 week ago


Selected Answer: B

B is correct
upvoted 3 times

  Browniez 5 months, 1 week ago

Selected Answer: B

If you still have to check this question answer then it's time to take some rest XD.
upvoted 4 times

  DeVullers 5 months, 1 week ago

Selected Answer: B

Answer is indeed B. I have seen this question many times.

You've 2 correct solutions with this one.


1. Desired State Configuration (DSC) extension
2. Azure Custom Script extension

Reference: Topic 5: Question 99


upvoted 3 times

  Tofik 5 months, 1 week ago


Selected Answer: B

Answer is B. I have seen this question like 20/30 times


upvoted 3 times

  aymes73 5 months, 2 weeks ago


The answer is B
upvoted 1 times

  Ted_1997 5 months, 2 weeks ago

Selected Answer: B

question exists multiple times and its B


upvoted 2 times

  maxustermann 5 months, 2 weeks ago

Selected Answer: B

100% its B
upvoted 1 times

  kdelgado 5 months, 2 weeks ago


Correct answer B.
upvoted 1 times

  KM 5 months, 2 weeks ago


Answer is B
upvoted 2 times
Question #146 Topic 5

You have an Azure subscription.

You plan to migrate 50 virtual machines from VMware vSphere to the subscription.

You create a Recovery Services vault.

What should you do next?

A. Configure an extended network.

B. Create a recovery plan.

C. Deploy an Open Virtualization Application (OVA) template to vSphere.

D. Configure a virtual network.

Correct Answer: D

Community vote distribution


D (100%)

  01111010 Highly Voted  3 months, 1 week ago

Selected Answer: D

Correct Answer (D) - In order to migrate 50 VMs to Azure using Azure Site Recovery, one needs:
- Recovery Service Vault (which is created)
- Configure virtual network
- configure extended network (next step after)
upvoted 5 times

  Batiste2023 3 months ago


Correct, see this reference:
https://learn.microsoft.com/en-us/azure/site-recovery/tutorial-prepare-azure
upvoted 3 times

  SDiwan Most Recent  6 days, 2 hours ago

Selected Answer: D

Correct answer is D, the migration approach in the question is by using ASR and not Azure migrate. So, OVA template is not needed,
configure Vnet is the next step
upvoted 1 times

  amh21 1 month, 4 weeks ago


The correct answer is C -
To migrate VMware vSphere VMs to Azure, you need to set up an Azure Migrate appliance that is used for discovery, assessment, and
migration of VMware VMs. You can set up the appliance using an OVA template that you download from the Azure portal and import into
VMware vSphere.

The other options are not correct because:

Configuring an extended network is not required for migration. You only need to set up a virtual network that Azure VMs will join after
migration.
Creating a recovery plan is not necessary for migration. A recovery plan is used to orchestrate failover and recovery of replicated machines
in Azure Site Recovery.
Configuring a virtual network is not the next step after creating a Recovery Services vault. You need to set up the Azure Migrate appliance
first, and then configure the replication settings, which include the virtual network.
https://learn.microsoft.com/en-us/azure/migrate/tutorial-migrate-vmware
upvoted 2 times

  samk01 3 months, 1 week ago


The most appropriate next step after creating a Recovery Services vault, given the options, would be:

C. Deploy an Open Virtualization Application (OVA) template to vSphere.

This step involves deploying the Azure Site Recovery Configuration Server as an OVA template on the vSphere environment. The
configuration server is a key component of the Site Recovery process, and it facilitates the discovery of VMs, manages replication, and
coordinates recovery operations. Once this is deployed and configured, you can then proceed to set up replication, and after that, create
and configure recovery plans.
upvoted 4 times

  Fr3ggel 3 months, 1 week ago


C is correct i think.
https://learn.microsoft.com/en-us/azure/site-recovery/vmware-azure-deploy-configuration-server .
"You deploy an on-premises configuration server when you use Azure Site Recovery for disaster recovery of VMware VMs and physical
servers to Azure. The configuration server coordinates communications between on-premises VMware and Azure. It also manages data
replication. This article walks you through the steps needed to deploy the configuration server when you're replicating VMware VMs to
Azure."
"The configuration server must be set up as a highly available VMware VM with certain minimum hardware and sizing requirements.
For convenient and easy deployment, Site Recovery provides a downloadable Open Virtualization Application (OVA) template to set up
the configuration server that complies with all the mandated requirements listed here."
upvoted 2 times

  ducklaorange 3 months, 1 week ago


This seems to be vaguely related to the disaster recovery series from on-premise to Azure:
https://learn.microsoft.com/en-us/azure/site-recovery/vmware-azure-tutorial
On the first steps it points to this link
https://learn.microsoft.com/en-us/azure/site-recovery/tutorial-prepare-azure
Which says to create a recovery vault and then a network. So I suppose this is correct but there is Azure Migrate now for this. Typical MS
question. Good luck.
upvoted 2 times
Question #147 Topic 5

HOTSPOT

You have an Azure subscription that contains the virtual networks shown in the following table.

Each virtual network has 50 connected virtual machines.

You need to implement Azure Bastion. The solution must meet the following requirements:

• Support host scaling.

• Support uploading and downloading files.

• Support the virtual machines on both VNet1 and VNet2.

• Minimize the number of addresses on the Azure Bastion subnet.

How should you configure Azure Bastion? To answer, select the options in the answer area.

NOTE: Each correct answer is worth one point.

Correct Answer:

  trferreiraBR Highly Voted  3 months, 2 weeks ago

Subnet size: /26


The recommended subnet size for Azure Bastion is /26
"Subnet size must be /26 or larger (/25, /24 etc.)."
"For host scaling, a /26 or larger subnet is recommended. Using a smaller subnet space limits the number of scale units"
"For Azure Bastion resources deployed on or after November 2, 2021, the minimum AzureBastionSubnet size is /26 or larger (/25, /24,
etc.)"

Public IP: Standard SKU with a static allocation


Only Azure Bastion Standard SKU supports 'Host scaling' and 'Upload or download files'. Besides that, Public IP address recommended by
Microsoft must be Standard and Static

References:
https://learn.microsoft.com/en-us/azure/bastion/configuration-settings
https://learn.microsoft.com/en-us/azure/bastion/bastion-faq
upvoted 7 times

  AliNadheer Most Recent  2 months, 2 weeks ago


1- you need subnet size /25 = 128IPs that can host up to 126 vms since /25 is not in the answer box then the best answer here is /24=256
which can host up to 254 vms.
2- sku should be standard with static allocation
upvoted 2 times

  FredTedJanBobDeanFrankRogerJoe 3 months, 1 week ago


Subnet size: /24. The problem with /26 is that it provides only 64 IPs (minus the 5? that Azure reserves). There are 50 VMs on each VNET
that must be supported. If we assume that means with simultaneous connections, 100 IPs are required and /26 is too small.
upvoted 4 times

  ValB 1 month, 2 weeks ago


What are you talking about? The question is about the size of the bastion subnet, not the whole vnets together and a single bastion
station support up to 50 connections (to 50 VMs).
upvoted 1 times

  ValB 1 month, 2 weeks ago


Sorry, I was wrong about the number of connections per bastion instance. One bastion instance supports between 2 and 25
sessions, depending on how light or heavy the sessions are, so even with heavy usage sessions, we need 100/2=50 bastion
instances, therefore a /26 size for bastion subnet (meaning 62-5=57 IP addresses) should be enough.
upvoted 1 times

  FredTedJanBobDeanFrankRogerJoe 3 months, 1 week ago


I correct myself. One Bastion only supports a max of 50 connections anyways, so a /26 will do :) Sorry for the confusion!
upvoted 6 times

  Batiste2023 3 months ago


As far as I understand it, you can have between 2 and 50 bastion session hosts per Bastion (on a standard SKU) - with each of these
hosting up to 25 sessions.
https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/azure-subscription-service-limits#azure-bastion-limits

So the limit is much higher than 50 sessions per Bastion.

/24 is correct then.

When the documentation talks about /26 as the minimum recommended subnet size, it assumes average requirements for
concurrent sessions. (Smaller subnets would not be able to accommodate these.) But as the question states the need for 100
concurrent sessions, /26 is too small a subnet, just as you initially stated.
upvoted 1 times

  ValB 1 month, 2 weeks ago


I don't get it how did you figure out that /26 is too small. I mean /26 means 62-5=57 IP addresses for the bastion subnet and we
need a minimum of 4 bastion instances (each supporting up to 25 light usage sessions, so total 100 connections). Even for
heaviest usage sessions, which means max 2 sessions per bastion instance, we would need 50 bastion instances, so /26 is more
than enough even for that case.
upvoted 2 times

  Wonder55 3 months, 2 weeks ago


Answer is correct.

/26
https://learn.microsoft.com/en-us/azure/bastion/configuration-settings

Standard SKU with a static allocation


https://learn.microsoft.com/en-us/azure/bastion/configure-host-scaling
upvoted 2 times
Question #148 Topic 5

You have an Azure subscription that contains the virtual networks shown in the following table.

You need to ensure that all the traffic between VNet1 and VNet2 traverses the Microsoft backbone network.

What should you configure?

A. a private endpoint

B. peering

C. Express Route

D. a route table

Correct Answer: C

Community vote distribution


B (83%) A (17%)

  marcelloavvale Highly Voted  1 month, 2 weeks ago

Selected Answer: B

The traffic between virtual machines in peered virtual networks uses the Microsoft backbone infrastructure.
https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview

ExpressRoute private peering supports connectivity between multiple virtual networks. Although this behavior happens by default when
linking virtual networks to the same ExpressRoute circuit, Microsoft doesn't recommend this solution. To establish connectivity between
virtual networks, VNet peering should be implemented instead for the best performance possible.
https://learn.microsoft.com/en-us/azure/expressroute/virtual-network-connectivity-guidance
upvoted 6 times

  FlaShhh Most Recent  4 days, 1 hour ago


am i the only one who saw 'Microsoft backbone network' and instantly thought private endpoint
upvoted 1 times

  binhdortmund 2 days, 15 hours ago


:) yeah it's due to the word "endpoint" cause we've had "service endpoint"
upvoted 1 times

  Arthur_zw 3 weeks, 1 day ago


I guess express route is selected here because Microsoft is petty and want you to know that peering is different from global peering. It is
stupid
upvoted 1 times

  Andreas_Czech 4 weeks ago


Selected Answer: B

https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview#connectivity
upvoted 1 times

  bferdan 1 month ago


Selected Answer: A

a private endpoint: https://learn.microsoft.com/en-us/azure/azure-app-configuration/concept-private-endpoint


upvoted 2 times

  EzBL 1 month, 1 week ago


Selected Answer: B

Virtual network peering enables you to seamlessly connect two or more Virtual Networks in Azure. The virtual networks appear as one for
connectivity purposes. The traffic between virtual machines in peered virtual networks uses the Microsoft backbone infrastructure. Like
traffic between virtual machines in the same network, traffic is routed through Microsoft's private network only.
upvoted 1 times

  amsioso 1 month, 1 week ago


Selected Answer: B
https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview
upvoted 1 times

  hotspot02103 1 month, 1 week ago


Selected Answer: B

ExpressRoute is for on-prem to Azure, not in-between Azure.


Therefore -> peering
upvoted 1 times

  SamCook101 1 month, 2 weeks ago


A - Private Endpoint
upvoted 2 times
Question #149 Topic 5

You have the Azure virtual networks shown in the following table.

Which virtual networks can you peer with VNet1?

A. VNet2, VNet3, and VNet4

B. VNet2 only

C. VNet3 and VNet4 only

D. VNet2 and VNet3 only

Correct Answer: B

Community vote distribution


C (100%)

  tfdestroy Highly Voted  1 month, 1 week ago

Selected Answer: C

Vnet1 and Vnet2 overlap, therefore Vnet3 & Vnet4 is correct and should be able to peer together
| Name | Address space | Subnet | Resource group | Azure region |
| VNet1 | 10.11.0.0/16 | 10.11.0.0/17 | | West US |
| VNet2 | 10.11.0.0/17 | 10.11.0.0/25 | | West US |
| VNet3 | 10.10.0.0/22 | 10.10.1.0/24 | | East US |
| VNet4 | 192.168.16.0/22 | 192.168.16.0/24 | | North Europe |
upvoted 6 times
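
The overlap check that the comments on this question rely on, as an added example that is not part of the original thread. It uses the address spaces from the table quoted above and goes beyond the question by handling VNets with several address prefixes; the function names and the `VNetX` entry in the test are constructed for illustration.

```python
import ipaddress

# Address spaces copied from the table quoted in the comment above.
# Each VNet maps to a list because a VNet can carry several prefixes.
VNETS = {
    "VNet1": ["10.11.0.0/16"],
    "VNet2": ["10.11.0.0/17"],
    "VNet3": ["10.10.0.0/22"],
    "VNet4": ["192.168.16.0/22"],
}


def parse_space(prefixes):
    """Parse CIDR strings; strict=True rejects prefixes with host bits set,
    which usually means the address space was mistyped."""
    return [ipaddress.ip_network(p, strict=True) for p in prefixes]


def overlapping_prefixes(space_a, space_b):
    """Return every (a, b) prefix pair that shares at least one address."""
    return [
        (a, b)
        for a in parse_space(space_a)
        for b in parse_space(space_b)
        if a.version == b.version and a.overlaps(b)
    ]


def peering_report(local_name, vnets):
    """Split the other VNets into those whose address space is disjoint from
    local_name (peering candidates) and those blocked by an overlap."""
    eligible, blocked = [], {}
    for name, space in vnets.items():
        if name == local_name:
            continue
        conflicts = overlapping_prefixes(vnets[local_name], space)
        if conflicts:
            blocked[name] = [f"{a} overlaps {b}" for a, b in conflicts]
        else:
            eligible.append(name)
    return eligible, blocked


if __name__ == "__main__":
    ok, bad = peering_report("VNet1", VNETS)
    print("Can peer with VNet1:", ", ".join(ok))
    for name, reasons in bad.items():
        print(f"Blocked: {name} ({'; '.join(reasons)})")
```

The check looks only at address space; the region column in the table plays no part in it.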

  SamCook101 Highly Voted  1 month, 2 weeks ago

C - VNET 3 and VNET4


upvoted 6 times

  amsioso Most Recent  1 month, 1 week ago

Selected Answer: C

C. 1 and 2 overlap so 3 and 4 only.


upvoted 4 times

  hotspot02103 1 month, 1 week ago


Selected Answer: C

comment just to mark C


upvoted 2 times

  marcelloavvale 1 month, 2 weeks ago


Selected Answer: C

VNet3 and VNet4 only.


VNet2 range overlaps VNet1
upvoted 4 times
Question #150 Topic 5

You have an Azure subscription.

You are creating a new Azure container instance that will have the following settings:

• Container name: cont1

• SKU: Standard

• OS type: Windows

• Networking type: Public

• Memory (GiB): 2.5

• Number of CPU cores: 2

You discover that the Private setting for Networking type is unavailable.

You need to ensure that cont1 can be configured to use private networking.

Which setting should you change?

A. Memory (GiB)

B. Networking type

C. Number of CPU cores

D. OS type

E. SKU

Correct Answer: B

Community vote distribution


D (75%) B (25%)

  SkyZeroZx 3 weeks, 3 days ago


Okay how is this supposed to determine that I can be a solutions architect?
upvoted 1 times

  Andreas_Czech 4 weeks ago

Selected Answer: D

D, OS type
https://learn.microsoft.com/en-us/azure/container-instances/media/container-instances-quickstart-portal/qs-portal-04.png
upvoted 1 times

  SkyZeroZx 1 month ago


Selected Answer: D

D OS TYPE
Currently
https://learn.microsoft.com/en-us/azure/container-instances/media/container-instances-quickstart-portal/qs-portal-04.png
upvoted 4 times

  Alandt 1 month, 1 week ago


Selected Answer: D

Answer: D

Private networking is Not supported yet for Windows containers


upvoted 1 times

  arr73 1 month, 1 week ago


D: OS TYPE
Private networking is Not supported yet for Windows containers
In this link of the documentation we can see that in the networking section, there is a comment that says "Private: this is not yet available
for windows containers"
https://learn.microsoft.com/en-us/azure/container-instances/container-instances-quickstart-portal
upvoted 2 times

  MoOshin 1 month, 1 week ago


D, OS type
https://learn.microsoft.com/en-us/azure/container-instances/media/container-instances-quickstart-portal/qs-portal-04.png
upvoted 1 times

  Alandt 1 month, 1 week ago


The page you shared doesn't mention what you just stated. Where is Mlantonis?
upvoted 1 times

  Alandt 1 month, 1 week ago


Correction: you are right. It's on the picture, so you can not search on the page. But you are correct. OS Type is the answer
upvoted 1 times

  babakeyfgir 1 month, 1 week ago


are you sure?
upvoted 1 times

  Alandt 1 month, 1 week ago


Yes bro, because private networking is not supported for Windows containers.
upvoted 1 times

  lennychan 1 month, 2 weeks ago


Selected Answer: B

Correct: B. Networking type

choose option "Networking type:" Private


https://learn.microsoft.com/en-us/azure/container-instances/container-instances-quickstart-portal
upvoted 2 times

  Alandt 1 month, 1 week ago


Incorrect. the page tells you "Private: this is not yet available for windows containers". Just the picture where they choose the tenant.
upvoted 1 times
Topic 6 - Question Set 6

Question #1 Topic 6

You have an Azure subscription that has a Recovery Services vault named Vault1. The subscription contains the virtual machines shown in the

following table:

You plan to schedule backups to occur every night at 23:00.

Which virtual machines can you back up by using Azure Backup?

A. VM1 and VM3 only

B. VM1, VM2, VM3 and VM4

C. VM1 and VM2 only

D. VM1 only

Correct Answer: B

Azure Backup supports backup of 64-bit Windows server operating system from Windows Server 2008.

Azure Backup supports backup of 64-bit Windows 10 operating system.

Azure Backup supports backup of 64-bit Ubuntu Server operating system from Ubuntu 12.04.

Azure Backup supports backup of VM that are shutdown or offline.

Reference:

https://docs.microsoft.com/en-us/azure/backup/backup-support-matrix-iaas

https://docs.microsoft.com/en-us/azure/virtual-machines/linux/endorsed-distros

Community vote distribution


B (100%)

  mlantonis Highly Voted  2 years, 9 months ago

Correct Answer: B

Azure Backup supports backup of 64-bit Windows server operating system from Windows Server 2008.
Azure Backup supports backup of 64-bit Windows 10 operating system.
Azure Backup supports backup of 64-bit Ubuntu Server operating system from Ubuntu 12.04.
Azure Backup supports backup of VM that are shutdown or offline.

The Backup service installs the backup extension whether or not the VM is running.
upvoted 120 times

  laszeklsz 1 year, 3 months ago


good to see you, old friend
upvoted 23 times

  fedztedz Highly Voted  3 years, 1 month ago

Answer is Correct. "B". Backup is supported for the whole VM for all the OS types mentioned. Also, backup operation can be done while
VM is offline or shutdown
upvoted 68 times

  Madbo Most Recent  10 months, 1 week ago


Azure Backup can back up the following operating systems:

Windows Server
Windows client operating systems (Windows 7 and later)
Linux

Based on this, you can back up VM1, VM2, and VM4 using Azure Backup, as they are running Windows Server 2012 R2, Windows Server
2016, and Windows 10 (a Windows client operating system) respectively. VM3 cannot be backed up using Azure Backup as it is running
Ubuntu Server.

Therefore, the answer is B. VM1, VM2, VM4, and VM3.


upvoted 1 times

  CyberKelev 11 months, 2 weeks ago

Selected Answer: B

According to Microsoft's official documentation on Azure Backup, the supported operating systems for VM backup using Azure Backup
are:

Windows Server 2019, 2016, 2012 R2, and 2012


Windows Server Essentials
Windows 10 (64-bit)
Ubuntu 20.04 LTS, 18.04 LTS, and 16.04 LTS
Based on this information, we can conclude that the answer is B. VM1, VM2, VM3, and VM4 can all be backed up using Azure Backup.
upvoted 1 times

  AndreaStack 1 year ago

Selected Answer: B

B.
All OSs are supported.
Shutdown or not, VMs can still be backed up.

You don’t have to stop your virtual machines (VMs) in order to backup them in Azure. You can backup your VMs while they are running or
while they are in a deallocated state.

However, No, you cannot delete a virtual machine (VM) while it is being backed up. The backup process requires the virtual machine to be
available and running so that the backup data can be captured. If you try to delete a VM while it is being backed up, the deletion process
will be blocked until the backup is complete.
upvoted 1 times

  er101q 1 year ago


B. VM1, VM2, VM3, and VM4.

Azure Backup can be used to back up Windows and Linux virtual machines that are running in Azure. All four virtual machines in the table,
VM1, VM2, VM3, and VM4, are Azure virtual machines, which means they can be backed up by using Azure Backup. You can schedule
backups to occur at a specific time every day, including 23:00, by using the Recovery Services vault, Vault1.
upvoted 1 times

  klexams 1 year, 3 months ago


B. VM1, VM2, VM3 and VM4
All OSes listed are supported. shutdown or not, VMs can still be backed up.
upvoted 2 times

  EmnCours 1 year, 5 months ago

Selected Answer: B

Correct B
upvoted 1 times

  Lazylinux 1 year, 7 months ago

Selected Answer: B

I luv Honey Because it is B


Here is Summary:

**Azure Backup supports backup of 64-bit Windows server operating system from Windows Server 2008.

**Azure Backup supports backup of 64-bit Windows 10 operating system.

**Azure Backup supports backup of 64-bit Debian operating system from Debian 7.9+.

**Azure Backup supports backup of VM that are shutdown or offline or online


upvoted 3 times

  benvdw 1 year, 11 months ago


on exam 13/3/2022
upvoted 3 times

  stormshaun 1 year, 11 months ago

Selected Answer: B

You can back all types of OSes and even those that are shutdown.
upvoted 2 times

  Fusionaddware 1 year, 11 months ago

Selected Answer: B

Correct B
upvoted 1 times

  Netspud 2 years ago

Selected Answer: B
I agree, all of them
upvoted 1 times

  hosseny 2 years, 6 months ago


Azure Backup supports backup of VM that are shutdown or offline.
upvoted 3 times

  wsscool 2 years, 7 months ago


in exam 7/3/2021
upvoted 5 times

  Devgela 2 years, 9 months ago


This is a logical problem.
upvoted 3 times

  ZUMY 2 years, 11 months ago


"B". Backup is supported for the whole VM for all the OS types mentioned. Also, backup operation can be done while VM is offline or
shutdown
upvoted 4 times
Question #2 Topic 6

You have an Azure subscription that contains a virtual machine named VM1.

You plan to deploy an Azure Monitor alert rule that will trigger an alert when CPU usage on VM1 exceeds 80 percent.

You need to ensure that the alert rule sends an email message to two users named User1 and User2.

What should you create for Azure Monitor?

A. an action group

B. a mail-enabled security group

C. a distribution group

D. a Microsoft 365 group

Correct Answer: A

Community vote distribution


A (100%)

  Batiste2023 Highly Voted  3 months, 2 weeks ago

Selected Answer: A

Correct.

"Alerts consist of:


- Action groups
- Alert conditions
- User response
- Alert processing rules"
https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/alerts-overview
upvoted 5 times

  babakeyfgir Most Recent  1 month ago

It was in EXAM, thanks Examtopic.


upvoted 1 times

  cloudbaron 2 months, 1 week ago

Selected Answer: A

option A - Action Group


upvoted 1 times

  taki_ananasek 3 months, 2 weeks ago

Selected Answer: A

A is correct
upvoted 2 times
Question #3 Topic 6

You have the Azure virtual machines shown in the following table:

You have a Recovery Services vault that protects VM1 and VM2.

You need to protect VM3 and VM4 by using Recovery Services.

What should you do first?

A. Create a new Recovery Services vault

B. Create a storage account

C. Configure the extensions for VM3 and VM4

D. Create a new backup policy

Correct Answer: A

A Recovery Services vault is a storage entity in Azure that houses data. The data is typically copies of data, or configuration information for

virtual machines (VMs), workloads, servers, or workstations. You can use Recovery Services vaults to hold backup data for various Azure services

Reference:

https://docs.microsoft.com/en-us/azure/site-recovery/azure-to-azure-tutorial-enable-replicatio

Community vote distribution


A (100%)

  mlantonis Highly Voted  2 years, 9 months ago

Correct Answer: A

VM3 and VM4 are in a different region from VM1 and VM2. So, we need to create a new Recovery Services Vault in the same region with
VM3 and VM4.
For storage account, it is created automatically by Azure.

A Recovery Services vault is a storage entity in Azure that houses data. The data is typically copies of data, or configuration information for
virtual machines (VMs), workloads, servers, or workstations. You can use Recovery Services vaults to hold backup data for various Azure
services.

Reference:

https://docs.microsoft.com/en-us/azure/site-recovery/azure-to-azure-tutorial-enable-replication
upvoted 100 times

  Indy429 1 month, 3 weeks ago


Nice to see you again man
upvoted 1 times

  fedztedz Highly Voted  3 years, 1 month ago

Answer is correct. "A" Create a new Recovery Services Vault. As the VM3 and VM4 are in a different region. then we need to create a new
one in the same region of VM3 and VM4 (data source). For storage account, it is created automatically by Azure.
for more details check https://docs.microsoft.com/bs-cyrl-ba/azure/backup/backup-create-rs-vault#create-a-recovery-services-vault
upvoted 77 times

  Exams_Prep_2021 Most Recent  1 month, 2 weeks ago

in exam 26/12/2023
upvoted 1 times

  WeepingMaplte 2 months, 1 week ago


Create a new Recovery Service vault, because RSV for VM1 and VM2 is in different region.

Ref: https://youtu.be/K1NFwu5PNrU?si=fAx3EGXbYhO9_bOa
upvoted 1 times

  petersoliman 11 months ago


Selected Answer: A

Correct Answer: A
upvoted 1 times

  Spam101198 11 months, 2 weeks ago


Steps: 1) Create Recovery Service vault
2) Create Backup Policy
3) Select Azure Resources
4) Schedule Backup
upvoted 1 times

  klexams 1 year, 3 months ago


vault and vm have to be in the same region. in this case, the current vault is in west europe.
vm3 and vm4 is in north europe, so answer is A. Create a new Recovery Services vault
upvoted 2 times

  EmnCours 1 year, 5 months ago

Selected Answer: A

Correct Answer: A

VM3 and VM4 are in a different region from VM1 and VM2. So, we need to create a new Recovery Services Vault in the same region with
VM3 and VM4.
For storage account, it is created automatically by Azure.
upvoted 3 times

  Lazylinux 1 year, 7 months ago

Selected Answer: A

VM3 and VM4 need their own ARSV as are in different region to VM1 and VM2
upvoted 3 times

  techie_11 1 year, 10 months ago


On exam 4/12/2022. Correct answer A
upvoted 3 times

  sid132 1 year, 11 months ago


On the exam today, 4.March.2022
upvoted 2 times

  nidhogg 2 years ago


On the exam today, 1.feb.2022
Just 761/1000, but OK! :D
Thanks to ExamTopics and to you all!
upvoted 4 times

  ITprof99 2 years, 1 month ago


On exam 01.02.22
Answer: Create a new Recovery Services Vault
upvoted 4 times

  MaxToRo 2 years, 2 months ago


Is right!
upvoted 1 times

  barcellos 2 years, 6 months ago


A - Vm3 and vm4 are in a different region.
upvoted 1 times

  Merkur76 2 years, 6 months ago


came in exam 07/30/2021 - passed
A my answer
upvoted 3 times

  ScreamingHand 2 years, 8 months ago


Recovery Services Vault and the VMs need to be in the same Region and Subscription for backups.
The Storage account must be in the same region as the Recovery Services vault to store the reports.
The Log Analytics workspace can be in any region. It does not need to be in the same region as the recovery services vault.
Blobs cannot be backed up to service vaults.
upvoted 2 times
Question #4 Topic 6

HOTSPOT -

You have an Azure subscription that contains an Azure Storage account named storage1 and the users shown in the following table.

You plan to monitor storage1 and to configure email notifications for the signals shown in the following table.

You need to identify the minimum number of alert rules and action groups required for the planned monitoring.

How many alert rules and action groups should you identify? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

  mlantonis Highly Voted  2 years, 9 months ago

Correct Answer:

You can define only one activity log signal per alert rule. To alert on more signals, create another alert rule.

Box 1: 4
You need 1 alert rule per 1 signal (1xIngress, 1xEgress, 1xDelete storage account, 1xRestore blob ranges).

Box 2: 3
You need 3 Action Groups (1xUser1 and User3, 1xUser1 only, 1xUser1 User2 and User3). Check ‘Users to notify’ column.
upvoted 212 times

  Panapi 11 months, 3 weeks ago


Answer valid! This question was on the exam 22/02/2023. Scored 920.
upvoted 5 times

  skydivex 11 months, 2 weeks ago


User 1 already has a group name Group1... the correct answer is as follow:
Box 1: 4
You need 1 alert rule per 1 signal (1xIngress, 1xEgress, 1xDelete storage account, 1xRestore blob ranges).

Box 2: 2
You need 2 Additional Action Groups (1xUser1 and User3, 1xUser1 User2 and User3). Check ‘Users to notify’ column.

Check the question again..... it is asking how many new alerts and groups.
upvoted 1 times

  wwwmmm 7 months, 2 weeks ago


Even with new, group1 and 2 here more likely refer to user group, the question is asking for action group
upvoted 1 times

  Katlegobogosi 9 months, 2 weeks ago


where do you see "new" in the question?
upvoted 1 times

  KrisJin 9 months, 2 weeks ago


Don't mess things up if you do not know anything
upvoted 2 times

  Holydud 1 year, 5 months ago


Was on exam 19 Aug 2022. Scored 870. Around 85% questions were also on ET. Answered:

Box1: 4
Box2: 3
upvoted 12 times

  Chisom_J 2 years, 9 months ago


thanks for the explanation
upvoted 14 times

  fedztedz Highly Voted  3 years, 1 month ago

Answer is correct. 4 Alert rules and 3 action groups


upvoted 46 times

  SIAMIANJI Most Recent  9 months, 2 weeks ago

You can define only one activity log signal per alert rule. To alert on more signals, create another alert rule.

Box 1: 4
You need 1 alert rule per 1 signal (1xIngress, 1xEgress, 1xDelete storage account, 1xRestore blob ranges).

Box 2: 3
You need 3 Action Groups (1xUser1 and User3, 1xUser1 only, 1xUser1 User2 and User3).
upvoted 2 times

  zzreflexzz 9 months, 2 weeks ago


on exam 4/29/23
upvoted 3 times

  FlowerChoc1 10 months ago


Cleared the exam on 04/12/2023. This question came.
Box 1: 4
Box 2:3
upvoted 2 times

  djgodzilla 10 months, 3 weeks ago


exp: You can define only one activity log signal per alert rule. To alert on more signals, create another alert rule.
Storage Metrics :
- Used Capacity - Ingress/Egress - transactions
- Transactions -Availability
- Success Server Latency - Success E2E Latency
Storage:
StorageDelete - StorageRead - StorageWrite
https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/metrics-supported#microsoftclassicstoragestorageaccounts
https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/resource-logs-categories#microsoftstoragestorageaccountsblobservices
upvoted 1 times
  vbohr899 11 months, 3 weeks ago
Cleared Exam today 26 Feb, This question was there in exam.
upvoted 2 times

  zellck 1 year ago


Got this in Feb 2023 exam.
upvoted 4 times

  klexams 1 year, 3 months ago


rules are 4 as quite obvious.
AG are 3:
user1 n 3
user1
user1 , 2 n 3
upvoted 3 times

  tahirMScert 1 year, 4 months ago


this was on exam 03oct2022 , I scored 870 and answered as Examtopics answer
upvoted 4 times

  majerly 1 year, 4 months ago


Today in exam, 4 and 3
upvoted 1 times

  EmnCours 1 year, 5 months ago


Correct Answer:

You can define only one activity log signal per alert rule. To alert on more signals, create another alert rule.

Box 1: 4
You need 1 alert rule per 1 signal (1xIngress, 1xEgress, 1xDelete storage account, 1xRestore blob ranges).

Box 2: 3
You need 3 Action Groups (1xUser1 and User3, 1xUser1 only, 1xUser1 User2 and User3). Check ‘Users to notify’ column.
upvoted 1 times

  Lazylinux 1 year, 7 months ago


given answer is correct
upvoted 1 times

  cloudera 1 year, 8 months ago


Box 1: 4 1xIngress, 1xEgress, 1xDelete storage account, 1xRestore blob ranges

Box 2: 4 As opposed to others' comments below, my answer is 4.

'Activity Log' for restored required two action groups - one for Delete x 1 and Restore x1. Otherwise, when the storage account is restored
User2 will get notified, we don't want that based on the table.
upvoted 1 times

  techie_11 1 year, 10 months ago


On exam 4/12/2022. Correct answer 4 and 3
upvoted 4 times

  InvisibleShadow 1 year, 11 months ago


This question came in the exam today 8/Mar/2022.
I passed the exam, 95% questions came from here.
upvoted 1 times

  sid132 1 year, 11 months ago


On the exam today, 4.March.2022
upvoted 2 times
Question #5 Topic 6

You have an Azure subscription that contains the identities shown in the following table.

User1, Principal1, and Group1 are assigned the Monitoring Reader role.

An action group named AG1 has the Email Azure Resource Manager Role notification type and is configured to email the Monitoring Reader role.

You create an alert rule named Alert1 that uses AG1.

You need to identify who will receive an email notification when Alert1 is triggered.

Who should you identify?

A. User1 and Principal1 only

B. User1, User2, Principal1, and Principal2

C. User1 only

D. User1 and User2 only

Correct Answer: C

Email will only be sent to Azure AD user members of the Monitoring Reader role. Email will not be sent to Azure AD groups or service principals.

Reference:

https://docs.microsoft.com/en-us/azure/azure-monitor/platform/action-groups

Community vote distribution


D (62%) C (38%)

  mlantonis Highly Voted  2 years, 9 months ago

Correct Answer: C

Email will only be sent to Azure AD user members of the Monitoring Reader role. Email will not be sent to Azure AD groups or service
principals.

Reference:

https://docs.microsoft.com/en-us/azure/azure-monitor/platform/action-groups

https://docs.microsoft.com/en-us/azure/azure-monitor/alerts/action-groups#email-azure-resource-manager-role
upvoted 150 times

  wsrudmen 1 year, 10 months ago


Yes, it's not sent to a group. But User2 inherits the Monitoring Reader role.
So he will also receive the notification
upvoted 24 times

  trackstar 1 year, 6 months ago


Answer is D
Azure states: Email is only sent to Azure Active Directory (Azure AD) user members of the role. Email isn't sent to Azure AD groups or
service principals.

So members of a role can receive emails, user 2 has inherited the role from the group.
So both User 1 and User 2 receive the email.
upvoted 5 times

  yaboo1617 10 months ago


When you set up the Resource Manager role:

Assign an entity of type User to the role.


Make the assignment at the subscription level.
Make sure an email address is configured for the user in their Azure AD profile.
upvoted 2 times

  rawrkadia 2 years, 7 months ago


Did you actually test this? The question doesn't involve sending an email to a group but is instead concerned with role assignment
inheritance from the group. The link you're all posting isn't necessarily relevant. User 2 should inherit the role assignment from the
group, you can easily validate that in the portal.

I am waiting out the 24hr lag period before testing. Alert group scoped to email on VM creation or deletion, one user assigned role
directly and one via group. Will report back.
upvoted 13 times

  panjie_s 2 years, 4 months ago


result?
upvoted 7 times

  [Removed] Highly Voted  2 years, 8 months ago


Answer is D.
AG sends to users that have 'reader' role, User2 inherits that role through Group1 membership.
upvoted 54 times

  NotMeAnyWay 1 year, 7 months ago


Answer c: User1 only
Can't be true, just spend 10 seconds reading this from MS Docs:
https://docs.microsoft.com/en-us/azure/azure-monitor/alerts/action-groups#email-azure-resource-manager-role
Only the users in the Manager Role receive the email alert, not the group members or Principals.
upvoted 13 times

  garmatey 8 months ago


why does this have 6 upvotes?
upvoted 1 times

  garmatey 7 months, 2 weeks ago


Now 8?
Y'all, this person is wrong. Nowhere in that documentation does it say "not the group ***members*** or Principals."
It does however say "The email is only sent to Azure Active Directory user members of the selected role, not to Azure AD
***groups*** or service principals."
upvoted 1 times

  Babushka 1 year, 3 months ago


Folks that do say it's D are saying that's the answer because User 2 inherits Manager Role through Group 1. The AG is configured to
send alert on the role which User 2 will have.
upvoted 2 times

  Razvan123 1 year, 6 months ago


You should not confuse group email (generated on group creation) with individual emails for group members.
upvoted 3 times

  green_arrow 2 years, 7 months ago


I agree
upvoted 5 times

  houzer Most Recent  1 month, 1 week ago

Tested in lab, correct answer is D. User2 inherits the role from Group1, hence he will also receive an email besides User1.
upvoted 2 times

  neolisto 2 months, 2 weeks ago

Selected Answer: D

Correct answer is D. I have tested it in a lab.

Logic of this alert is very simple.

User1 received an email because he is directly assigned to the Monitoring Reader role (which is in Action group).

User2 received alert because he has the same role as a User1, because he inherited this role from the Group1 assignment. It means, that
notification was received not because Group1 was selected as a target of notifications in AG1 (1. Cuz it's not; 2. Group can't be assigned as
an email receiver, because groups physically have no emails. Service Principals also can't have email address), but because of AG1
condition is set for Monitoring Reader role. Email was sent to User2, because User2 has the same role as a User1. Even if User1 is assigned
directly and User2 inherit this role from his Group in AAD.
upvoted 6 times

  ImpulseEEE 2 months, 3 weeks ago

Selected Answer: C

mlantonis Highly Voted 2 years, 6 months ago


Correct Answer: C

Email will only be sent to Azure AD user members of the Monitoring Reader role. Email will not be sent to Azure AD groups or service
principals.
upvoted 2 times

  SamCook101 2 months ago


Things change a lot in Azure within 2 years. I'm still confused whether it's C or D, but just because someone has more likes doesn't mean it's the right
answer.
upvoted 1 times

  samk01 3 months, 1 week ago


User1 and User2 are Azure AD users. User1 is directly assigned the Monitoring Reader role, and User2 is a member of Group1, which is
also assigned the Monitoring Reader role.
However, since emails are not sent to groups, we would not consider User2 despite their membership in Group1. Furthermore, since
emails are not sent to service principals (like Principal1 and Principal2), they would also not receive the email.
Thus, only the direct user members of the Monitoring Reader role will receive the email. Based on the information provided:
The correct answer is:
C. User1 only
upvoted 2 times

  Wuhao 3 months, 2 weeks ago


Selected Answer: D

User2 has Monitoring Reader role


upvoted 2 times

  Batiste2023 3 months ago


Yes.

That is exactly what everyone who puts C forward as the right answer needs to understand: User2 has Monitoring Reader role and
WILL receive that email...
upvoted 1 times

  NoobieWon 5 months ago


"Send an email to the subscription members, based on their role.
A notification email is sent only to the primary email address configured for the Azure AD user.
The email is only sent to Azure Active Directory user members of the selected role, not to Azure AD groups or service principals.
See Email."

https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/action-groups#email-azure-resource-manager-role
upvoted 1 times

  Ferlin 5 months, 2 weeks ago

Selected Answer: C

Email will only be sent to Azure AD user members of the Monitoring Reader role. Email will not be sent to Azure AD groups or service
principals.

Reference:

https://docs.microsoft.com/en-us/azure/azure-monitor/platform/action-groups

https://docs.microsoft.com/en-us/azure/azure-monitor/alerts/action-groups#email-azure-resource-manager-role
upvoted 1 times

  RandomNickname 7 months, 3 weeks ago


Selected Answer: C

Agree with C as per explanation mlantonis.

See;
https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/action-groups#email-azure-resource-manager-role

"Send an email to the subscription members, based on their role.


A notification email is sent only to the primary email address configured for the Azure AD user.
The email is only sent to Azure Active Directory user members of the selected role, not to Azure AD groups or service principals.
See Email."
upvoted 2 times

  rishisoft1 7 months, 4 weeks ago


When you use Azure Resource Manager for email notifications, you can send email to the members of a subscription's role. Email is only
sent to Azure Active Directory (Azure AD) user members of the role. Email isn't sent to Azure AD groups or service principals.
upvoted 1 times

  mahe0204 8 months ago

Selected Answer: C

Correct Answer is C - User1 Only

User1: User1 is assigned the Monitoring Reader role, so they will receive the email notification when Alert1 is triggered.

User2: Although User2 is a user and a member of Group1, which is assigned the Monitoring Reader role, individual users take precedence
over groups for email notifications. Therefore, User2 will not receive the email notification.

Principal1: Principal1 is a Managed Identity and is not a member of any group. Therefore, Principal1 will not receive the email notification.

Principal2: Principal2 is a Managed Identity and a member of Group1, which is assigned the Monitoring Reader role. However, individual
users take precedence over groups for email notifications. Therefore, Principal2 will not receive the email notification.
To summarize, only User1 will receive the email notification when Alert1 is triggered because they have the Monitoring Reader role
assigned directly.
upvoted 1 times

  garmatey 8 months ago


source?
upvoted 2 times

  SIAMIANJI 8 months, 4 weeks ago

Selected Answer: D

User1 and User2 only


upvoted 1 times

  SedateBloggs 11 months, 2 weeks ago


I lab'd this by creating a test user account and adding that test user to an Azure group that had an Azure role assignment set up against it
(I happened to use the Contributor role, but it can be any role). The test user did NOT have any direct Azure role assigned to it. I then set up
an action group with the action to email the Azure Resource Manager role (and selected Contributor). I then tested the action group and a
few minutes later the test email popped into the test user's mailbox. This to me indicates that even though the role assignment is to a
group, the users nested in that group would receive the alert from the action group. I would therefore suggest it is User 1 and User 2 in
this scenario
upvoted 17 times

  lombri 11 months, 3 weeks ago

Selected Answer: D

in this scenario, User2 is a member of Group1, which is assigned the Monitoring Reader role. As a result, User2 will inherit the Monitoring
Reader role from the group and will be able to receive email notifications when the alert rule named Alert1 is triggered.
upvoted 2 times

  manthlan 1 year ago


If an email is not going to be sent to group1 in the first place ,so how is user2 as a member of the group going to receive the email?
upvoted 2 times

  GBAU 1 year ago


Everyone be like "Email will not be sent to Azure AD groups or service principals."
I be like, "What about Azure AD groups MEMBERS"

Mail enabled groups exist, so they definitely wouldn't get any notification email from the above, but what about the members of the
group, they inherit the assignment that would qualify them for the email?

I think I have to assume it means both, the Group and its members leaving C the answer.
upvoted 2 times

  GBAU 1 year ago


As in, when MS coded it, they only parse the Role Membership for Users and they ignore Groups and Principals. They do not traverse
Groups (and possibly sub-groups) in the role looking for more Users. They shortcutted their coding, maybe to reduce load and latency
on the actions process.
upvoted 2 times
Question #6 Topic 6

HOTSPOT -

You have an Azure virtual machine named VM1 and a Recovery Services vault named Vault1.

You create a backup policy named Policy1 as shown in the exhibit. (Click the Exhibit tab.)

You configure the backup of VM1 to use Policy1 on Thursday, January 1 at 1:00 AM.

You need to identify the number of available recovery points for VM1.

How many recovery points are available on January 8 and January 15? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:
Correct Answer:

Box 1: 6 -

5 latest daily recovery points, which includes the weekly backup from the previous Sunday, plus the monthly recovery point.

Box 2: 8 -

5 latest daily recovery points, plus two weekly backups, plus the monthly recovery point.

Reference:

https://social.technet.microsoft.com/Forums/en-US/854ab6ae-79aa-4bad-ac65-471c4d422e94/daily-monthly-yearly-recovery-points-and-storage-used?forum=windowsazureonlinebackup

  fedztedz Highly Voted  3 years, 1 month ago

Answer is correct in case yearly backup is also in the question.


If we assumed we have yearly, then the answer will be:
- @8 JAN: 5 daily backups ( 1 weekly backup included) + 1 monthly = 6
- @ 15 JAN: 5 daily backups ( 1 weekly backup included) + 1 weekly + 1 monthly +1 yearly = 8 backups
upvoted 141 times

  lormar72 4 months, 3 weeks ago


The question is how many recovery points, not how many backups?
backups : 7 and 9
recovery points: 6 and 8 (because one of the daily and one of the weekly overlaps)
upvoted 2 times

  jimmyli 2 years, 10 months ago


in other words, 2nd box should be 7 which is not included in the four choices. because yearly backup is not mentioned, the correct
answer should be 5 daily backups including the latest weekly backup + 1 weekly for the previous weekend + 1 monthly backup
upvoted 10 times

  Thomas_L 2 years, 9 months ago


its 6. We retain the 5 daily backups from January 4th - January 8th. There is a weekly backup on the 4th that we do NOT include in the
count because it's already backed up by the 5-day retention period of the daily backups.
Then we have a monthly backup on the 2nd, that is outside the 5-day retention period.
5 daily backups + 1 monthly backup = 6 backup points.
upvoted 38 times

  Yahowmy 3 months, 1 week ago


Why did we not count the weekly point when we counted the monthly point which is also included in the 2nd daily backup?
upvoted 1 times

  MrJJ10 1 year, 2 months ago


I understand this explanation very good, however Weeklys started on the 1st @ 1400, and yes you only retain 5 Daily backups,
which would be the 4th-8th. The monthly is scheduled to take place on the 2nd and Retain for 20 weeks. Not understanding why
would you count a Weekly Back (Sunday at 2pm) as part of the Daily when Weekly's are maintained for 20 weeks. I think the count
would be 7 (5 Daily (4th-8th) + 1 Weekly (Sunday) + 1 monthly (2nd, which is a Friday)). I understand that 7 is not part of the
presented answers so you would have to go with 6. My real world Weekly backups run separately from the Daily.
upvoted 3 times

  ygnacioL 3 months, 3 weeks ago


Totally agree
upvoted 1 times

  Otijames 6 months, 1 week ago


I don't understand why you all start counting the daily retention period from 4th..is it not to be counted from the 1st jan?
Pleaseeee help me here??
upvoted 1 times
  Miles19 2 years, 10 months ago
correct.
upvoted 2 times

  mlantonis Highly Voted  2 years, 9 months ago

Correct Answer:

Box 1: 6
5 latest daily recovery points, which includes the weekly backup from the previous Sunday, plus the monthly recovery point.
8th January = 5 daily backups (1 weekly backup included) + 1 Monthly = 6 backups

Box 2: 8
5 latest daily recovery points, plus two weekly backups, plus the monthly recovery point.
15th January is a Friday = 5 daily backups (Monday - Friday) + 2 Weekly (2 Sundays) + 1 Monthly = 8 backups
upvoted 82 times

  Otijames 6 months, 1 week ago


I don't understand why you all start counting the daily retention period from 4th..is it not to be counted from the 1st jan?
Pleaseeee help me here??
upvoted 1 times

  Otijames 6 months, 1 week ago


But the month started on the 2nd and the daily starts counting from the 1st - 5th so it should be
1. 4 daily + 1 daily/weekly/monthly = 5
2. 4 daily + 1 daily/weekly/monthly + 1 yearly =7
upvoted 1 times

  jose 2 years, 4 months ago


The answer is correct, but the explanation is not because 15th January is Thursday. So:
5 daily backups (11th Sunday weekly backup included) + 1 weekly backup (4th Sunday) + 1 Monthly + 1 Yearly = 8 backups

Box 2: 8.
upvoted 29 times

  itgg11 1 year, 11 months ago


Jose you are spot on. mlantonis missed a yearly backup on 09.01. 6 and 8 recovery points still.
upvoted 7 times

  Henryjb3 1 year ago


Why is the 1 weekly backup included in box 1 then not included in box 2?
upvoted 2 times

  31c21da Most Recent  3 weeks, 3 days ago


I see someone asking why the first week's backup starts from the 4th. I was also initially confused by this. In fact, the 'Retention of daily
backup point' refers to how many days of backups you can retain. Therefore, the logic is on 8th, you can only retain the backups from the
4th to the 8th, as the daily backups before the 3rd would have already been automatically deleted.
upvoted 1 times

  Bloodygeek 1 month ago


Answer is correct.
Box 1 on 8 JAN
Had 5 daily backups. 4,5,6,7,8 JAN
1 weekly backup. However, 4 JAN was a Sunday. The time of weekly backup is the same as the daily backup. So this does not count
1 Monthly backup 2 JAN.
No Yearly backup as it only starts at 9 JAN.
In total, it had 5+1=6 backups.
Box 2 on 15 JAN
Had 5 daily backups. 11,12,13,14,15 JAN
2 weekly backup. However, 11 JAN was a Sunday covered by daily backup for 5 days retention. The time of weekly backup is the same as
the daily backup. So there was only 1 valid weekly backup.
1 Monthly backup 2 JAN.
1 Yearly backup 9 JAN.
In total, it had 5+1+1+1=8 backups.
upvoted 2 times

  SkyZeroZx 1 month ago


Is important to be careful what this question is asking: Recovery Points or Backups ?
1 recovery point can be used for multiple backups, which means that if a Weekly RP & Daily RP overlaps, there will be only 1 RP but 2
Backups.

Box 1:
5 Daily RP (4, 5, 6, 7, 8 Jan)
0 Weekly RP (4 Jan is already present in Daily RP, so no new RP is added)
1 Monthly RP (2 Jan)
TOTAL: 6 RP

Box 2:
5 Daily RP (11, 12, 13, 14, 15 Jan)
1 Weekly RP (4 Jan; 11 Jan is already present in Daily RP)
1 Monthly RP (2 Jan)
1 Yearly RP (9 Jan)
TOTAL: 8 RP
upvoted 2 times

  SgtDumitru 2 months, 2 weeks ago


Is important to be careful what this question is asking: Recovery Points or Backups ?
1 recovery point can be used for multiple backups, which means that if a Weekly RP & Daily RP overlaps, there will be only 1 RP but 2
Backups.

Box 1:
5 Daily RP (4, 5, 6, 7, 8 Jan)
0 Weekly RP (4 Jan is already present in Daily RP, so no new RP is added)
1 Monthly RP (2 Jan)
TOTAL: 6 RP

Box 2:
5 Daily RP (11, 12, 13, 14, 15 Jan)
1 Weekly RP (4 Jan; 11 Jan is already present in Daily RP)
1 Monthly RP (2 Jan)
1 Yearly RP (9 Jan)
TOTAL: 8 RP
upvoted 8 times

  WeepingMaplte 2 months, 1 week ago


This correct.
upvoted 1 times

  tccrew 3 months ago


Can someone explain to me why the weekly backup should be included in the 5 daily backups for 8 Jan?
upvoted 1 times

  Superego 3 months ago


For Box 1: 6

Date                  Daily Backup    Weekly Backup    Monthly Backup
Thursday Jan-1        N (Deleted)
Friday 2              N (Deleted)                      Y (A)
Saturday 3            N (Deleted)
Sunday 4              Y (B)           Y (B)
Monday 5              Y (C)
Tuesday 6             Y (D)
Wednesday 7           Y (E)
Thursday 8 (14:00)    Y (F)

A-B-C-D-E-F 6 copies.
Daily backup and weekly backup on Jan-4 is the same copy (B)
upvoted 3 times

  WeepingMaplte 2 months, 1 week ago


Box 2: Will be 8. Reason is the retention of weekly and monthly backup points.
upvoted 1 times

  MOSES3009 3 months ago


the misleading thing here is that the weekly, monthly and even the yearly backup starting same hour, so are overlapping with the daily
one
upvoted 1 times

  01111010 3 months, 1 week ago


On Jan 8th: 5 daily + 1 monthly (on 2nd Jan) = 6 backups
On Jan 15th: 5 daily + 1 monthly (on 2nd Jan) + 1 weekly (4th Jan) + 1 yearly (9th Jan) = 8 backups.
upvoted 1 times

  nmnm22 4 months, 3 weeks ago


i hated this question, it came in my exam 25/9/2023. have no idea whats the right solution, good luck to all
upvoted 4 times

  VV11_SS22 6 months, 1 week ago


So the puzzle , starting 1 Jan (Thursday ) till 15 Jan (Thursday) -- will have Daily backups , and on Sunday there will be Weekly backup as
well at 2.00AM , Monthly every 2 day of Month and on 9 Jan yearly

on 8 Jan (Thrs) at 2.00 AM - we see , daily backup of [ Wed (7), Tues (6) , Mon (5),Sun(4)(weekly) , Sat (3) = 5 ] and Monthly Friday(2) === so a
total 6 [ Fri(2) , Thrs (1) are not retained and Fri(9) yearly did not happen yet ]

on 15 Jan (Thrs) --we See Dailys for [14(Wed)+13(Tue)+12(Mon)+11(Sun)+10(Sat) = 5 ] + Weekly on Sundays [4 (Sun) = 1] + [Monthly on
2(Friday) =1 ] + [yearly on 9 (Fri) =1] = 8
upvoted 3 times

  MonkeyIntelligence 8 months, 1 week ago


you need to be an effin mathematician to solve this. why is this even a question?
upvoted 3 times

  Frank_2022 9 months ago


Box 1: 6
5 latest daily recovery points, which includes the weekly backup from the previous Sunday, plus the monthly recovery point.
8th January = 5 daily backups (1 weekly backup included) + 1 Monthly = 6 backups

Box 2: 8

5 daily backups (11th Sunday weekly backup included) + 1 weekly backup (4th Sunday) + 1 Monthly + 1 Yearly = 8 backups
upvoted 1 times

  brucespr 9 months, 3 weeks ago


It probably doesn't count the yearly backup, as it just started 9 days after creation of that job, so it doesn't count as a complete yearly
backup for now ...
upvoted 1 times

  shadad 11 months, 2 weeks ago


I took the Azure-104 exam on 27/2/2023.
I scored 920 points out of 1000 points. This was on it and my answer was:
Box 1: 6
Box 2: 8
That is the only question I had to memorize the answer for, just in case. My exam machine was bad and I lost time on it before they let me
proceed with the exam on another one. I had to do what I had to do :( . It's still better to know the calculation of the backups as explained by
mlantonis.
upvoted 6 times

  AK4U 11 months, 2 weeks ago


I am blind, or can someone please explain to me why for Box 1 there wouldn't be 7 (even though there is no 7 in the answer)??

5 daily
1 weekly
and the monthly update happens on the 2nd day of every month. so why wouldn't we have also 1 monthly if the policy is applied on
January 1st?
upvoted 1 times

  AK4U 11 months, 2 weeks ago


Ahh i just read the explanation "5 latest daily recovery points, which includes the weekly backup from the previous Sunday, plus the
monthly recovery point". That's a bit tricky
upvoted 1 times
Question #7 Topic 6

HOTSPOT -

You have the web apps shown in the following table.

You need to monitor the performance and usage of the apps by using Azure Application Insights. The solution must minimize modifications to the

application code.

What should you do on each app? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:
Correct Answer:

Reference:

https://docs.microsoft.com/en-us/azure/azure-monitor/app/azure-web-apps

  ShanYuen Highly Voted  2 years, 2 months ago

Correct.
Application Insights Agent (formerly named Status Monitor V2) is a PowerShell module published to the PowerShell Gallery. It replaces
Status Monitor.

https://docs.microsoft.com/en-us/azure/azure-monitor/app/status-monitor-v2-overview
https://docs.microsoft.com/en-us/azure/azure-monitor/app/status-monitor-v2-detailed-instructions
upvoted 27 times

  wsrudmen Highly Voted  1 year, 10 months ago

Correct
There are two ways to enable application monitoring for OnPrem, VM or App Services Web APP:
- Auto-instrumentation by using Application Insight Agent
- Manual instrumentation by installing the Application Insight SDK through code

So as it's mentioned the solution must minimize the modification then it's Application Insight Agent
upvoted 21 times

  flyingcolours87 Most Recent  7 months, 4 weeks ago

Answer is in the question. You need to monitor the performance and usage of the apps by using 'Azure Application Insights.' - Ans:
Application Insights Agent.
upvoted 6 times

  umavaja 1 week, 4 days ago


Great...Detail observation
upvoted 1 times

  djgodzilla 10 months, 3 weeks ago


old school video explaining how app insight agent works.
https://youtu.be/2grHLBHpdG0
upvoted 3 times

  mung 1 year, 2 months ago


Both C, D can be used for Application Insights.
But Application Insights SDK requires editing your application code, so the answer should be D, which doesn't require code editing.
upvoted 6 times

  klexams 1 year, 3 months ago


Auto-instrumentation application monitoring (ApplicationInsightsAgent).
This method is the easiest to enable, and no code change or advanced configurations are required. It's often referred to as "runtime"
monitoring. For App Service, we recommend that at a minimum you enable this level of monitoring. Based on your specific scenario, you
can evaluate whether more advanced monitoring through manual instrumentation is needed.

Manually instrumenting the application through code by installing the Application Insights SDK.
upvoted 5 times

  Timock 2 years ago


Application Insights Agent (formerly named Status Monitor V2) is a PowerShell module published to the PowerShell Gallery. It replaces
Status Monitor. Telemetry is sent to the Azure portal, where you can monitor your app.

Note:
The module currently supports codeless instrumentation of .NET and .NET Core web apps hosted with IIS. Use an SDK to instrument Java
and Node.js applications.

https://docs.microsoft.com/en-us/azure/azure-monitor/app/status-monitor-v2-overview
upvoted 8 times

  haitao1234 2 years, 2 months ago


Correct, key is to minimize code change to application.

https://docs.microsoft.com/en-us/azure/azure-monitor/app/azure-web-apps
upvoted 1 times

  MrMacro 2 years, 2 months ago


Answer looks correct based on the link provided.

Agent-based application monitoring (ApplicationInsightsAgent).

This method is the easiest to enable, and no code change or advanced configurations are required. It is often referred to as "runtime"
monitoring. For Azure App Services we recommend at a minimum enabling this level of monitoring, and then based on your specific
scenario you can evaluate whether more advanced monitoring through manual instrumentation is needed.

The following are support for agent-based monitoring:

.NET Core
.NET
Java
Nodejs
upvoted 6 times
Question #8 Topic 6

You have an Azure virtual machine named VM1.

You use Azure Backup to create a backup of VM1 named Backup1.

After creating Backup1, you perform the following changes to VM1:

✑ Modify the size of VM1.
✑ Copy a file named Budget.xls to a folder named Data.
✑ Reset the password for the built-in administrator account.
✑ Add a data disk to VM1.

An administrator uses the Replace existing option to restore VM1 from Backup1.

You need to ensure that all the changes to VM1 are restored.

Which change should you perform again?

A. Modify the size of VM1.

B. Reset the password for the built-in administrator account.

C. Add a data disk.

D. Copy Budget.xls to Data.

Correct Answer: D

Reference:

https://docs.microsoft.com/en-us/azure/backup/about-azure-vm-restore

Community vote distribution


D (77%) C (19%)

  ninjia Highly Voted  2 years, 1 month ago

If it's a single selection, I would select D. However, the test result reveals it should be two (C and D).

I have tested this in Azure.


Prepare
1. Create a Windows VM with size D2S_v3.
2. Backup the VM.
Made changes after the backup.
1. Modify the VM size to DS1_v2.
2. RDP to the VM and create a new file.
3. Reset the password for the built-in administrator.
4. Add a data disk to the VM.

Restore the VM from the backup. Here are the results:


1. VM size remains as DS1_v2.
2. RDP to VM with the changed password.
3. Data disk is gone.
4. A new file is gone.

Conclusion, VM size and password will not be overridden by the restore process.
You will need to perform the changes again:
1. Add a data disk
2. Copy the file.
upvoted 64 times

  Baconrind 1 year, 3 months ago


Data disk is not gone, it just becomes unattached, as there is no option to re-attach disk, the only "change to perform again" is Copy
Budget.xls to Data. No need to add/create a data disk again it already exists.
upvoted 13 times

  Dhanishetty 1 year, 1 month ago


If it already exists, then why copy Budget.xls again. ?
Just simply Attaching will be enough.?
upvoted 6 times

  rugoki 8 months ago


case file might be in a different disk saved
upvoted 2 times

  klexams 1 year, 3 months ago


Answer is C.
The new file is not gone. It said "copy file to a folder named Data". It never said "copy to the data disk".
upvoted 5 times

  klexams 1 year, 3 months ago


Also, if wanna be a bit more pedantic :-). The data disk was added AFTER the file copy, so this proves the files was NOT copied to the
data disk.
upvoted 3 times

  klexams 1 year, 3 months ago


oppss.. Correction: yes the file IS gone. So agreed answer is:
1. Add a data disk.
2. Copy the file.
upvoted 4 times

  Netspud 2 years ago


Sadly I agree.
Ref: https://docs.microsoft.com/en-us/azure/backup/backup-azure-arm-restore-vms#replace-existing-disks-from-a-restore-point
Suggest all disks are replaced by the ones in the snapshot.
ALTHOUGH the disk is not deleted, and still available in the RG (but you have to assume it needs added back).
For me the safest answer is D, that file is defo gone.
upvoted 6 times

  Nilvam 2 years ago


Data disk will not be gone (deleted). It will be unmapped.
upvoted 5 times

  sourabhg Highly Voted  1 year, 3 months ago

Selected Answer: D

The correct answer is D, i.e., copy the file again.


a. You don't need to resize the VM after backup. The latest size will be applicable.
b. The latest credentials will work.
c. This one is a bit ambiguous. The additional data disk will not be deleted after the restoration. However, you will have to attach it again to
the VM.
D. The file will be lost and needs to be created again.
upvoted 11 times

  rnd3131 Most Recent  3 weeks, 1 day ago

Selected Answer: A

You need to ensure that all the changes to VM1 are restored.
Am I the only one saying A? All changes are reverted by restoring the backup, but the VM size you need to revert manually!
upvoted 1 times

  sardonique 3 months, 4 weeks ago


as usual some questions are so badly formulated, with the purpose to check how crazy you are, trying to understand what IQ test these
guys had in mind
upvoted 1 times

  sardonique 3 months, 4 weeks ago


it is a best practice to have a separate data disk to store Data
however reading the premises carefully, it is written nowhere that
the VM has a data disk attached, and even if it was there,
you cannot assume that the folder named "data" is located in the data disk. So "D" is the safest answer
upvoted 1 times

  nmnm22 4 months, 3 weeks ago


this question came in my exam 25/9/2023
upvoted 4 times

  dejedi 5 months, 1 week ago

Selected Answer: D

Here is a key ...


After creating Backup1, you perform the following changes to VM1:
✑ Modify the size of VM1.
✑ Copy a file named Budget.xls to a folder named Data.
✑ Reset the password for the built-in administrator account.
✑ Add a data disk to VM1.
File copied before attaching the disk. We shouldn't assume the file was copied to that attached disk
upvoted 2 times

  RandomNickname 7 months, 3 weeks ago


Selected Answer: D

Agree with D;
https://learn.microsoft.com/en-us/azure/backup/backup-azure-arm-restore-vms#restore-options

A-C are all retained if replace existing is used as far as I can tell.
upvoted 1 times
  SIAMIANJI 8 months, 4 weeks ago

Selected Answer: D

Copy Budget.xls to Data.


upvoted 1 times

  Madbo 10 months ago


The correct answer is C. Add a data disk.

When you use the "Replace existing" option to restore a virtual machine from an Azure Backup, the entire virtual machine is replaced with
the backup data, including the operating system disk and all data disks that were attached to the virtual machine at the time the backup
was taken.
upvoted 1 times

  CyberKelev 11 months, 2 weeks ago

Selected Answer: C

In Backup does not exist new added Disk in meanwhile. We should add this Disk again
upvoted 1 times

  zellck 1 year ago

Selected Answer: D

D is the answer.

https://learn.microsoft.com/en-us/azure/backup/backup-azure-arm-restore-vms#restore-options
upvoted 2 times

  Phlogiston 1 year ago


Stupid, ambiguous question that should not have made it past QA. Assuming that events are described in order, the file is copied to a
folder named Data, which must exist on C:. That said, we do not know with any certainty where this folder resides because there is no
explicit indication. It could reside on the C: drive but this is based on an inference that the question posits the activities in the order they
were performed. However, the similarity between the folder name (Data) and the "data" disk in the question also causes the reader to
make an inference about the location of the folder. The best answer is, therefore, C because you will always have to attach the additional
drives after a restoration. D: is also valid if the Data folder is on the data drive, but we have no way of knowing this with any certainty.
/rant off
upvoted 4 times

  er101q 1 year ago


B. Reset the password for the built-in administrator account.

This change should be performed again because restoring a virtual machine from a backup using the "Replace existing" option will restore
the virtual machine to its state at the time the backup was created. Any changes made after the backup was created will be lost and will
need to be performed again. In this case, resetting the password for the built-in administrator account is a change that was made after
the backup was created, so it will need to be performed again after restoring the virtual machine from the backup.
upvoted 3 times

MoOshin 1 month, 1 week ago

I agree.
The new password was overwritten after the restore. The password needs to be reset again.
B
upvoted 1 times

spike15_mk 1 year, 2 months ago

Correct Answer is C
Explanation:
When we create Backup1, we create a backup with the size of VM1, the Data folder as mentioned (without Budget.xls inside) and the password for the built-in administrator account.
After creating Backup1, you perform the following changes to VM1:
✑ Modify the size of VM1. (Size of VM exists in backup)
✑ Copy a file named Budget.xls to a folder named Data. (Data folder exists in backup without Budget.xls)
✑ Reset the password for the built-in administrator account. (Old password exists in backup)
✑ Add a data disk to VM1. (Does not exist in backup)

When we use the Replace Existing option to restore VM1 from Backup1:

✑ The modified size of VM1 will be replaced with the old one
✑ All the matching files in the Data folder will be replaced from Backup1, and new ones, in our case Budget.xls, will remain
✑ The password for the built-in Administrator account will be replaced from Backup1
✑ The disk added in the meantime does not exist in the backup. We should add this disk again
upvoted 1 times

tyohaina 1 year, 3 months ago

Selected Answer: D

I overthought this initially. The correct answer imo is D (not tested).


What 'Replace existing' restore does is restore the data disk from the backup. This means the following things will remain unchanged:
✑ Modified size of VM1.
✑ Reset the password for the built-in administrator account.
✑ Added data disk to VM1. (It might get unmapped, and can simply be mapped) The option says 'add'.

The only thing that changes is a copy of the file to 'Data' folder. Given that 'Data' folder is located in the same disk, the copied file will
disappear upon restore. Hence, D. Copy Budget.xls to Data.

"If the restore point has more or less disks than the current VM, then the number of disks in the restore point will only reflect the VM
configuration."
https://learn.microsoft.com/en-us/azure/backup/backup-azure-arm-restore-vms
upvoted 6 times

majerly 1 year, 4 months ago


today in exam is C
upvoted 2 times

Wonkas 1 year, 4 months ago

Which answer should we go for, C or D, in the exam? 83% voted D? But the ExamTopics answer is C; do we still believe the ET answer?
upvoted 3 times

Wonkas 1 year, 4 months ago

Correction: Which answer should we go for, C or D, in the exam? 83% voted C? But the ExamTopics answer is D; do we still believe the ET answer?
upvoted 2 times

Question #9 Topic 6

HOTSPOT -

You have an Azure Active Directory (Azure AD) tenant named contoso.onmicrosoft.com that contains the users shown in the following table.

You enable password reset for contoso.onmicrosoft.com as shown in the Password Reset exhibit. (Click the Password Reset tab.)

You configure the authentication methods for password reset as shown in the Authentication Methods exhibit. (Click the Authentication Methods tab.)

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

Box 1: No -

Two methods are required.

Box 2: No -

Self-service password reset is only enabled for Group2, and User1 is not a member of Group2.

Box 3: Yes -

As a User Administrator, User3 can add security questions to the reset process.

Reference:

https://docs.microsoft.com/en-us/azure/active-directory/authentication/quickstart-sspr

https://docs.microsoft.com/en-us/azure/active-directory/authentication/active-directory-passwords-faq

fedztedz Highly Voted 3 years, 1 month ago

Answer is not correct. It should be


- NO: User2 needs 2 authentication methods. Security questions are not enough to reset password
- NO: User1 is not part of the SSPR Group1
- NO: to be able to add security questions to the process, you need the Global admin role
https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-sspr#prerequisites
& https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#user-administrator-permissions
upvoted 138 times

picho707 8 months, 1 week ago


See below what MS Chat AI has to say about this:
Stop Responding
Yes, user administrators can manage self-service password reset policies. By default, administrator accounts are enabled for self-
service password reset, and a strong default two-gate password reset policy is enforced. This policy may be different from the one you
have defined for your users, and this policy can’t be changed
upvoted 1 times

mrshegz 2 years, 6 months ago

What is SSPR?
upvoted 1 times

Takloy 2 years, 2 months ago


Sometimes, Some People Remember...
upvoted 79 times

mdmahanti 1 year, 6 months ago


Sometime, Silly Points Resurface
upvoted 11 times

raydel92 2 years, 5 months ago


Self Service Password Reset
upvoted 51 times

DodgyD 3 years ago

Agree: The User administrator role does not have permissions to manage MFA.
upvoted 2 times

vikki 3 years ago

Did not see exactly the information regarding adding security questions to the process; however, I do find from the link that the User Administrator permission is able to reset passwords.
https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#user-administrator
https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#password-reset-permissions
upvoted 2 times

mlantonis Highly Voted 2 years, 9 months ago

Correct Answer:

Box 1: No
Two methods are required (Mobile phone and Security questions).

Box 2: No
Self-service password reset is only enabled for Group2, and User1 is not a member of Group2.

Box 3: No
To be able to add Security questions to the process, you need to be a Global Administrator. User3 is User Administrator, so User3 cannot
add security questions to the reset process. User Administrator doesn’t have MFA permissions.

Reference:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/quickstart-sspr
https://docs.microsoft.com/en-us/azure/active-directory/authentication/active-directory-passwords-faq
https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-sspr#prerequisites
https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#user-administrator
upvoted 120 times

PrepaCertif Most Recent 5 months ago

Tested in LAB : No, No, No


upvoted 1 times

Teroristo 6 months, 2 weeks ago


NNN
https://learn.microsoft.com/en-us/answers/questions/356305/in-azure-could-the-user-administrator-have-permiss
upvoted 1 times

Josete1106 6 months, 4 weeks ago


N N N is correct!
upvoted 2 times

morito 11 months, 1 week ago


Took a bit of digging, but here are my answers:

- NO: User2 must provide two authentication methods before they can reset their password
- NO: User 1 is not enabled for SSPR
- NO: A User must have the role of global Administrator or Authentication Policy Administrator to change SSPR
(https://learn.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-sspr).
upvoted 3 times

djgodzilla 11 months, 2 weeks ago


Box 1: No
Two methods are required (Mobile / Security questions).

Box 2: No
Self-service password reset is only enabled for Group2, and User1 is not a member of Group2.

Box 3: No
User3 is User Administrator. With a two-gate policy, administrators don't have the ability to use security questions.
Admin users cannot do the following:
- Cannot manage MFA.
- Cannot change the credentials or reset MFA for members and owners of a role-assignable group.
https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-policy#administrator-reset-policy-differences
https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#user-administrator
upvoted 1 times

djgodzilla 11 months, 2 weeks ago

Only Authentication administrators can do so, not global (global can give the authentication admin role to someone though).
upvoted 1 times

zellck 1 year ago


NNN is the answer.

https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#user-administrator
upvoted 2 times

zellck 1 year ago


Got this in Feb 2023 exam.
upvoted 4 times

typales2005 1 year, 1 month ago


Was on the 09/01/2023 exam.
upvoted 5 times

RKETBO 1 year, 2 months ago


The Number of methods required to reset option determines the minimum number of available authentication methods or gates a user
must go through to reset or unlock his password. It can be set to either 1 or 2. Since this option is set to 2, user2 will not be able to reset
his password after only one method has been run.

User1 is a member of group1. Self-service password reset is enabled only for group2.

As a user administrator, user3 cannot add security questions to the reset process.

The following Technet articles contain more information about the topic

https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-howitworks
upvoted 1 times

klexams 1 year, 3 months ago


N - need mobile phone too
N - user2 is not in the group1
N - apparently it needs GA
upvoted 4 times

EmnCours 1 year, 5 months ago


Box 1: No
Two methods are required (Mobile phone and Security questions).

Box 2: No
Self-service password reset is only enabled for Group2, and User1 is not a member of Group2.

Box 3: No
To be able to add Security questions to the process, you need to be a Global Administrator. User3 is User Administrator, so User3 cannot
add security questions to the reset process. User Administrator doesn’t have MFA permissions.
upvoted 2 times

dani12 1 year, 6 months ago


SSP stands for Self Service Password reset.
upvoted 2 times

Lazylinux 1 year, 8 months ago


For sure NO NO NO and as per others comments - read mlantonis
upvoted 3 times

ra_aly 1 year, 10 months ago


why azure exams are so confusing and there is a lack of knowledge, there are conflicting opinions and unclear direction.
upvoted 4 times

Lazylinux 1 year, 7 months ago


It is Microsoft my friend..Tell me anything about Microsoft that makes sense..yet people buy it!! Linux is the King Kong of the Universe
upvoted 1 times

benvdw 1 year, 11 months ago


on exam 13/3/2022
upvoted 5 times

ZacAz104 2 years ago


correct answer i think is Yes-No-No because user2 is only member of Group2
upvoted 1 times

Question #10 Topic 6

Your company has a main office in London that contains 100 client computers.

Three years ago, you migrated to Azure Active Directory (Azure AD).

The company's security policy states that all personal devices and corporate-owned devices must be registered or joined to Azure AD.

A remote user named User1 is unable to join a personal device to Azure AD from a home network.

You verify that User1 was able to join devices to Azure AD in the past.

You need to ensure that User1 can join the device to Azure AD.

What should you do?

A. Assign the User administrator role to User1.

B. From the Device settings blade, modify the Maximum number of devices per user setting.

C. Create a point-to-site VPN from the home network of User1 to Azure.

D. From the Device settings blade, modify the Users may join devices to Azure AD setting.

Correct Answer: B

The Maximum number of devices setting enables you to select the maximum number of devices that a user can have in Azure AD. If a user reaches this quota, they will not be able to add additional devices until one or more of the existing devices are removed.

Incorrect Answers:

C: Azure AD Join enables users to join their devices to Active Directory from anywhere as long as they have connectivity with the Internet.

D: The Users may join devices to Azure AD setting enables you to select the users who can join devices to Azure AD. Options are All, Selected and None. The default is All.

Reference:

https://docs.microsoft.com/en-us/azure/active-directory/devices/device-management-azure-portal

http://techgenix.com/pros-and-cons-azure-ad-join/

Community vote distribution


B (92%) 8%

mlantonis Highly Voted 2 years, 9 months ago

Correct Answer: B

Keyword: "user was able to connect the device in the past".

The Maximum number of devices setting enables you to select the maximum number of devices that a user can have in Azure AD. If a user
reaches this quota, they will not be able to add additional devices until one or more of the existing devices are removed. By default, the
maximum number of devices per user is 50.

Azure portal -> Azure Active Directory -> Devices


Azure portal -> Azure Active Directory -> Users > Select a user > Devices
upvoted 96 times

CyberKelev 11 months, 2 weeks ago

Or maybe he has changed home network, and in that case the answer is C
upvoted 1 times

KingChuang 1 year, 2 months ago


Ref:
https://learn.microsoft.com/zh-tw/azure/active-directory/devices/device-management-azure-portal

https://learn.microsoft.com/zh-tw/troubleshoot/azure/active-directory/maximum-number-of-devices-joined-workplace
upvoted 1 times

balflearchen Highly Voted 3 years ago

For those who choose D, please read the question carefully: "You verify that User1 was able to join devices to Azure AD in the past." So the join device setting should be OK, but he has already reached the maximum number of devices per user. Answer B is correct.
upvoted 68 times

mikl 3 years ago


Agree.
upvoted 2 times

Sam2969 2 years, 9 months ago


agree.
by default the maximum number of devices per user is 50
upvoted 4 times

amh21 Most Recent 1 month, 4 weeks ago

The correct answer is D.


This is because this setting controls whether users can join their devices to Azure AD or not. If this setting is disabled or restricted, User1
will not be able to join the personal device to Azure AD from the home network.
B is not correct because modifying the Maximum number of devices per user setting will not help if User1 is already below the limit. This
setting only affects the number of devices that a user can join to Azure AD, not the ability to join them.
upvoted 1 times

Madbo 10 months ago


Yes, option B is the correct answer. By modifying the "Maximum number of devices per user" setting, you can allow User1 to join the
personal device to Azure AD. The default value for this setting is 20 devices per user, so if User1 has already reached this limit, they will be
unable to join additional devices to Azure AD.
upvoted 2 times

CyberKelev 11 months, 2 weeks ago

Selected Answer: C

Answer C makes the most sense


upvoted 1 times

vbohr899 11 months, 3 weeks ago


Cleared Exam today 26 Feb, This question was there in exam.
upvoted 4 times

er101q 1 year ago


D. From the Device settings blade, modify the Users may join devices to Azure AD setting.

The reason for this is that if the "Users may join devices to Azure AD" setting is set to "No", then even if a user has the necessary
permissions to join a device to Azure AD, they will be unable to do so. By modifying this setting to "Yes", you are allowing User1 to join
their personal device to Azure AD from their home network. The other options, such as assigning the User administrator role to User1 or
modifying the maximum number of devices per user setting, would not necessarily resolve the issue with User1's ability to join their
device to Azure AD. A point-to-site VPN from the home network of User1 to Azure may or may not be necessary, depending on the specific
network configuration and security requirements.
upvoted 1 times

klexams 1 year, 3 months ago

Selected Answer: B

user1 was able in the past and is no longer, so he maxed out the number of devices he's allowed to join.
upvoted 2 times

EmnCours 1 year, 5 months ago

Selected Answer: B

Correct Answer: B
upvoted 1 times

Gino_Slim 1 year, 7 months ago

Selected Answer: B

If you picked A....you're the reason breaches happen.


upvoted 5 times

chikorita 1 year ago


*nods*
upvoted 1 times

Lazylinux 1 year, 7 months ago


Selected Answer: B

I Luv Honey Because it is B


User did add devices in the past.
The migration took place 3 years ago, hence the user has probably been adding devices during that time and hence has run out of quota.
upvoted 3 times

dasEnder 1 year, 9 months ago

I think B and C are valid. I don't have to explain B. But if there is a conditional access policy, C will be correct. This is an assumption, but I have seen questions where wilder assumptions need to be made.
upvoted 2 times

Teringzooi 1 year, 11 months ago

Selected Answer: B

Correct Answer: B

Key: "user was able to connect the device in the past".


upvoted 1 times

Takloy 2 years, 2 months ago


Damn! keep forgetting this one. Answer is B!
upvoted 2 times

wsscool 2 years, 7 months ago


in exam 7/3/2021
upvoted 5 times

toniiv 2 years, 11 months ago

Answer B is correct. Nothing has changed, so the max devices per user quota has been reached.
upvoted 2 times

waterzhong 3 years ago


Manage devices
There are two locations to manage devices in Azure AD:

Azure portal > Azure Active Directory > Devices


Azure portal > Azure Active Directory > Users > Select a user > Devices
upvoted 2 times

Question #11 Topic 6

HOTSPOT -

You have two Azure App Service apps named App1 and App2. Each app has a production deployment slot and a test deployment slot.

The Backup Configuration settings for the production slots are shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

Mozbius_ Highly Voted 1 year, 9 months ago

NNY

On January 15th you will have 9 backups as 0 day retention is defined as indefinite.

[How many days to keep a backup before automatically deleting it. Set to 0 for indefinite retention.]

https://docs.microsoft.com/en-us/cli/azure/webapp/config/backup?view=azure-cli-latest

The DevOps / Web apps backup in the questions only includes the production slot. One cannot restore a test slot from a production slot
backup.

[If a slot is not specified, the API will create a backup for the production slot.]

https://docs.microsoft.com/en-us/rest/api/appservice/web-apps/backup-slot

January 6th backup will still be within the 30 days retention as of January 15th.
upvoted 71 times

Citmerian 1 year, 3 months ago

App1 doesn't have a retention configured, but the option "keep at least one backup" is yes. On the 15th it will have one backup.
Y,N,Y
upvoted 7 times

DimsumDestroyer 5 months, 2 weeks ago

This is wrong. First question is N. The "at least" part of the phrase is implying at the lowest, you will have 1 backup. 0 day retention
means all daily backups are kept indefinitely. The question is asking if you will ONLY have 1 backup for App1 at Jan 15th which is
because by that point you have 9 backups starting from January 6.
upvoted 1 times

Superego 6 months ago


N for the first question. Just had a try on the Azure Portal, the explanation for "Retention":
"Keep your backup files for up to 60 days, or enter 0 to keep them indefinitely."
upvoted 2 times

Benzitho 9 months, 1 week ago

Well spotted... Well done... I totally missed it.
upvoted 2 times

garmatey 9 months, 1 week ago


great, i love when they use zero and don't mean zero...
upvoted 21 times

hebbo777 2 months, 2 weeks ago


Hahaha crazy and confusing ,,, they can simply use unlimited shiittt
upvoted 1 times

bluefoot Highly Voted 1 year, 9 months ago


NNY
1. https://docs.microsoft.com/en-us/cli/azure/webapp/config/backup?view=azure-cli-latest
--retention
How many days to keep a backup before automatically deleting it. Set to 0 for indefinite retention.
2. didn't mention test slot backup at all
3. https://docs.microsoft.com/en-us/rest/api/appservice/web-apps/restore-slot
we can restore a specific backup to another app (or deployment slot, if specified).
upvoted 30 times

DanishHassan 1 year, 5 months ago


It is mentioned in a Question:
Each app has a production deployment slot and a test deployment slot.
upvoted 1 times

DanishHassan 1 year, 5 months ago

However, the Backup Configuration settings are provided for the production slots, so the answer is NO.
upvoted 6 times

Superego Most Recent 2 months, 1 week ago

As per my understanding, for box 2 - Y
The test slot backup should be handled by Azure automatically and the default backup strategy is "App backups happen automatically every hour."
upvoted 1 times

KotNinja 3 months, 3 weeks ago


Yes, Yes, and Yes.
1) On January 15, 2021, App1 will have only one backup in storage.

App1 backs up every day and keeps at least one backup. However, the retention period for App1 is 0 days, meaning that any backup older
than the most recent one is immediately deleted. Since App1 backs up every day, on January 15, App1 will indeed have only the backup
from January 15 in storage.
Answer: Yes

2) On February 6, 2021, you can access the backup of the App2 test slot from January 15, 2021.

App2 backs up every day with a retention period of 30 days. Thus, the backup from January 15, 2021, would be retained until February 14,
2021. So, on February 6, you can still access the backup from January 15.
Answer: Yes

3) On January 15, 2021, you can restore the backup of the App2 production slot from January 6, 2021.

For App2, the backup from January 6, 2021, will be retained until February 5, 2021 (because of the 30-day retention period). So, you can
indeed restore from this backup on January 15.
Answer: Yes
upvoted 4 times

Faust777 4 months ago


NNY On January 15, 2021, App1 will have only one backup in storage: No. App1 is configured to backup every day starting from January 6,
2021, and retains each backup for 30 days. So on January 15, 2021, there will be 10 backups in storage (from January 6 to January 15).

On February 6, 2021, you can access the backup of the App2 test slot from January 15, 2021: No. The backup configuration settings
provided are for the production slots of App1 and App2. Unless the test slots have the same settings, we cannot assume that a backup
from January 15, 2021 for the App2 test slot will be accessible on February 6, 2021.

On January 15, 2021, you can restore the App2 production slot backup from January 6 to the App2 test slot: Yes. The backups for App2 are
retained for 30 days. So a backup from January 6 would still be available on January 15 and could be restored to any slot including the test
slot.
upvoted 4 times

kennie0 4 months ago

NNY On January 15, 2021, App1 will have only one backup in storage: No. App1 is configured to backup every day starting from January
6, 2021, and retains each backup for 30 days. So on January 15, 2021, there will be 10 backups in storage (from January 6 to January 15).
But you didn't mention that the question says the retention day is zero
upvoted 1 times

RickySmith 6 months ago


NYY
Assumption - Basic tier is not used.
Some inferences here.
Since only production specs are specified, production backup is custom, test backup is automatic.
1)N - Set to 0 for indefinite retention.
https://learn.microsoft.com/en-us/cli/azure/webapp/config/backup?view=azure-cli-latest#az-webapp-config-backup-update-optional-parameters
2)Y - Test backup is automatic.
https://learn.microsoft.com/en-us/azure/app-service/manage-backup?tabs=portal#automatic-vs-custom-backups
3)Y - You can restore a backup by overwriting an existing app by restoring to a new app or slot.
https://learn.microsoft.com/en-us/azure/app-service/manage-backup?tabs=portal#back-up--restore-vs-disaster-recovery

In a nutshell, depending on how you interpret the question, the answers can be right or wrong.

This is a good example of a miserable question.


upvoted 7 times

pcfixok 4 months, 3 weeks ago


I think you're right. Thank you.
upvoted 1 times

Josete1106 6 months, 4 weeks ago


Y N Y is correct!
upvoted 1 times

RandomNickname 7 months, 2 weeks ago


Agree with NNY and with comments.

1: No 0 means retain all backups.

"Select your retention. Note that 0 means never delete backups."

See;
https://petri.com/backing-azure-app-service/

2: No only production is backed up as per exam question.

3: Y: As far as I can find, it can be restored to any slot.

See;
https://learn.microsoft.com/en-us/azure/app-service/manage-backup?tabs=portal#back-up--restore-vs-disaster-recovery

"Specify the restore destination in Choose a destination. To restore to a new app, select Create new under the App Service box. To restore
to a new deployment slot, select Create new under the Deployment slot box.

If you choose an existing slot, all existing data in its file system is erased and overwritten. The production slot has the same name as the
app name."
upvoted 2 times

xRiot007 8 months, 1 week ago


N - 0 means indefinite days, not zero days.
N - test slots are not backed up
N - test slots are not backed up.
upvoted 3 times

xRiot007 8 months, 1 week ago


Correction. Last Box is Yes : you can restore a production backup to the test slot.
upvoted 4 times

Reddy9874 10 months, 1 week ago


For custom backups, the retention period can be "0-30 days or indefinite" (selecting 0 doesn't mean indefinite)

https://learn.microsoft.com/en-us/azure/app-service/manage-backup?tabs=portal

Answer is YNY
upvoted 2 times

xRiot007 8 months, 2 weeks ago

"selecting 0 doesn't mean indefinite" - it actually does. "--retention
How many days to keep a backup before automatically deleting it. Set to 0 for indefinite retention."
https://learn.microsoft.com/en-us/cli/azure/webapp/config/backup?view=azure-cli-latest&viewFallbackFrom=azure-cli-latest--retention
upvoted 1 times

macrawat 10 months, 3 weeks ago


Actually, the question is vague, the tier of the app service is not provided.
For Basic tier, only the production slot can be backed up and restored.
source :
https://learn.microsoft.com/en-us/azure/app-service/manage-backup?tabs=portal
upvoted 1 times

zellck 1 year ago


NNY is the answer.

https://learn.microsoft.com/en-us/cli/azure/webapp/config/backup?view=azure-cli-latest#az-webapp-config-backup-update-optional-parameters
--retention
How many days to keep a backup before automatically deleting it. Set to 0 for indefinite retention.
upvoted 4 times

kameltz 1 year, 1 month ago


NNY
N, --retention (How many days to keep a backup before automatically deleting it. Set to 0 for indefinite retention.)
upvoted 1 times

Vitu 1 year, 1 month ago

I think that one backup of production and nothing for test. My answer is YNY
upvoted 2 times

MyZ 1 year, 2 months ago


You cannot backup and restore test slot

Backup and restore are supported in Basic, Standard, Premium, and Isolated tiers. For Basic tier, only the production slot can be backed
up and restored.

https://learn.microsoft.com/en-us/azure/app-service/manage-backup?tabs=portal
upvoted 1 times

shoutiv 1 year, 2 months ago


NNY

N - If you go to Azure Portal -> App Service -> Backups then Set Schedule -> Retention you have information "Keep your backup files for up
to 30 days, or enter 0 to keep them indefinitely", so there will be 9 backups
N - Test slot doesn't have any backups configured
Y - From Azure Portal -> Backups -> Select backup and click 'Restore' -> You have "Choose destination" where you can choose App Service
and Deployment slot (new or existing)
upvoted 13 times

Babushka 1 year, 3 months ago


No
Yes "Each app has a production deployment slot and a test deployment slot."
Yes
upvoted 2 times

xRiot007 8 months, 1 week ago

Probably there are variants of these questions where only one of the slots appears or both, in which case the answers would look different for each of the variants.
upvoted 1 times

Babushka 1 year, 3 months ago


After looking at the question again. Thinking it's actually N N Y as mentioned above only production slots shown so not entirely sure
what the test slots are configured like.
upvoted 2 times

Nzudin 11 months, 3 weeks ago


yes you are correct
upvoted 1 times

Question #12 Topic 6

HOTSPOT -

You have an Azure subscription that contains an Azure Active Directory (Azure AD) tenant named contoso.com. The tenant is synced to the on-premises Active Directory domain. The domain contains the users shown in the following table.

You enable self-service password reset (SSPR) for all users and configure SSPR to have the following authentication methods:

✑ Number of methods required to reset: 2
✑ Methods available to users: Mobile phone, Security questions
✑ Number of questions required to register: 3
✑ Number of questions required to reset: 3

You select the following security questions:

✑ What is your favorite food?
✑ In what city was your first job?
✑ What was the name of your first pet?

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

Box 1: No -

Administrator accounts are special accounts with elevated permissions. To secure them, the following restrictions apply to changing passwords of administrators:

On-premises enterprise administrators or domain administrators cannot reset their password through Self-service password reset (SSPR). They can only change their password in their on-premises environment. Thus, we recommend not syncing on-prem AD admin accounts to Azure AD.

An administrator cannot use secret Questions & Answers as a method to reset password.

Box 2: Yes -

Self-service password reset (SSPR) is an Azure Active Directory feature that enables employees to reset their passwords without needing to
contact IT staff.

Box 3: Yes -

Reference:

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-sspr-deployment

Mozbius_ Highly Voted 1 year, 9 months ago

By default, administrator accounts are enabled for self-service password reset, and a strong default two-gate password reset policy is
enforced. This policy may be different from the one you have defined for your users, and this policy can't be changed. You should always
test password reset functionality as a user without any Azure administrator roles assigned.

With a two-gate policy, administrators don't have the ability to use security questions.

The two-gate policy requires two pieces of authentication data, such as an email address, authenticator app, or a phone number.

https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-policy#administrator-password-policy-differences

Therefore I would say N N Y as SecAdmin1 and BillAdmin1 are both administrators.


NOTE: I have tried to test in lab but was unsuccessful (somehow SSPR isn't even recognized as being enabled, hell, one of the users is taking
forever to show an updated assigned role).
upvoted 60 times

Citmerian 1 year, 3 months ago


Answer: NO, NO, YES
https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-policy
By default, administrator accounts are enabled for self-service password reset, and a strong default two-gate password reset policy is
enforced. This policy may be different from the one you have defined for your users, and this policy can't be changed. You should
always test password reset functionality as a user without any Azure administrator roles assigned.

With a two-gate policy, administrators don't have the ability to use security questions.

The two-gate policy requires two pieces of authentication data, such as an email address, authenticator app, or a phone number.
upvoted 16 times

  AzureMasterChamp 11 months, 2 weeks ago


https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-policy
upvoted 1 times

  Mtijnz0r 1 year, 9 months ago


SSPR for Administrators isn't enabled on the tenant. SSPR for Administrators (SSPR-A) was the first implementation of SSPR. After SSPR
for Users (SSPR-U) was introduced, users could have two separate configurations.

The old SSPR-A implementation is used when an Azure AD account has an admin role, such as Global Administrator or Billing
Administrator. However, the SSPR management on the Azure portal is for SSPR-U only. Therefore, SSPR-A might not be enabled on the
tenant.

https://docs.microsoft.com/en-us/troubleshoot/azure/active-directory/password-writeback-error-code-sspr-009
upvoted 4 times

  awssecuritynewbie Highly Voted  1 year, 4 months ago

So after some research it does look like "Security questions aren't used as an authentication method during a sign-in event. Instead,
security questions can be used during the self-service password reset (SSPR) process to confirm who you are. Administrator accounts can't
use security questions as verification method with SSPR."
So it means the administrator cannot use security questions as a verification method for SSPR. So it would be N N Y. Check the link, the first
line of the link. PLEASE LIKE THIS COMMENT

Ref https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-security-questions
upvoted 45 times

  ki01 1 month, 4 weeks ago


LIKE SHARE AND SUBSCRIBE!
upvoted 2 times

  DonVish 1 year, 2 months ago


So SSPR is not used for any kind of administrator? Global, Local, etc.?
upvoted 1 times

  Lexxsuse 1 year, 1 month ago


Admins CAN use SSPR. But they can not use security questions to reset passwords.
upvoted 4 times

  Amir1909 Most Recent  2 days, 6 hours ago

No
No
Yes
upvoted 1 times

  TripleFires 1 week, 2 days ago


https://learn.microsoft.com/en-us/entra/identity/authentication/concept-sspr-policy#administrator-password-policy-differences
>>>
The two-gate policy requires two pieces of authentication data, such as an email address, authenticator app, or a phone number, and it
prohibits security questions. Office and mobile voice calls are also prohibited for trial or free versions of Microsoft Entra ID.

A two-gate policy applies in the following circumstances:

All the following Azure administrator roles are affected:

Application administrator
Application proxy service administrator
Authentication administrator
Billing administrator
......
Security administrator
upvoted 2 times

  MatAlves 3 days, 11 hours ago


So N-N-Y?
upvoted 1 times

  PhoenixAscending 1 week, 6 days ago


This was on my exam. I think the correct answer is provided by Mozbius.
upvoted 1 times

  KM 5 months, 2 weeks ago


https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-sspr-deployment

NYY
upvoted 1 times

  oopspruu 5 months, 3 weeks ago


https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-policy#administrator-reset-policy-differences

NNY
upvoted 3 times

  Josete1106 6 months, 4 weeks ago


N N Y is correct!
upvoted 1 times

  NurSalman 7 months, 2 weeks ago


How can you have this question wrong?
upvoted 1 times

  kmsalman 9 months, 3 weeks ago


Number of security questions required to reset password is 3. My opinion is that user can also not self reset the password by answering
just one question. So the Answer should be N, N, N
upvoted 2 times

  Elecktrus 6 months ago


Re-read the question. They are asking if user1 will have to answer this question (but not ONLY this question). Of course user1
must answer the 2 questions.
They are not asking about resetting the password, but about answering that question.
upvoted 1 times

  zellck 1 year ago


NNY is the answer.

https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-policy#administrator-reset-policy-differences
By default, administrator accounts are enabled for self-service password reset, and a strong default two-gate password reset policy is
enforced. This policy may be different from the one you have defined for your users, and this policy can't be changed. You should always
test password reset functionality as a user without any Azure administrator roles assigned.

With a two-gate policy, administrators don't have the ability to use security questions.

All the following Azure administrator roles are affected:


- Billing administrator
- Security administrator
upvoted 8 times

  RougePotatoe 1 year ago


N
N
Y

"Administrator accounts can't use security questions as verification method with SSPR."
https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-security-questions
upvoted 3 times

  LauLauLauw 1 year ago


NNY

https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-policy#administrator-reset-policy-differences
This link shows the list of administrators that are not able to use security questions.
upvoted 3 times

  azhunter 1 year, 1 month ago


Answer is NNY
upvoted 1 times

  omerco61 1 year, 1 month ago


NNY
"Administrator accounts can't use security questions as verification method with SSPR."
Quote from microsoft
Link:

https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-security-questions
upvoted 1 times

  compldc72 1 year, 3 months ago


Agree with N N Y
upvoted 2 times

  klexams 1 year, 3 months ago


NNY
All the following Azure administrator roles are affected:
Application administrator
Application proxy service administrator
Authentication administrator
Azure AD Joined Device Local Administrator
Billing administrator
Compliance administrator
Device administrators
Directory synchronization accounts
Directory writers
Dynamics 365 administrator
Exchange administrator
Global administrator or company administrator
Helpdesk administrator
Intune administrator
Mailbox Administrator
Partner Tier1 Support
Partner Tier2 Support
Password administrator
Power BI service administrator
Privileged Authentication administrator
Privileged role administrator
Security administrator
Service support administrator
SharePoint administrator
Skype for Business administrator
User administrator
upvoted 11 times
Question #13 Topic 6

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that

might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an Azure subscription that contains the following users in an Azure Active Directory tenant named contoso.onmicrosoft.com:

User1 creates a new Azure Active Directory tenant named external.contoso.onmicrosoft.com.

You need to create new user accounts in external.contoso.onmicrosoft.com.

Solution: You instruct User1 to create the user accounts.

Does that meet the goal?

A. Yes

B. No

Correct Answer: A

Only a global administrator can add users to this tenant.

Reference:

https://docs.microsoft.com/en-us/azure/devops/organizations/accounts/add-users-to-azure-ad

Community vote distribution


A (86%) 14%

  awssecuritynewbie Highly Voted  1 year, 4 months ago

Selected Answer: A

ARE YOU GUYS HIGH?? IT SAYS


"User1 creates a new Azure Active Directory tenant named external.contoso.onmicrosoft.com."

SO IF USER 1 has created the new tenant then obv it can create users within it as well and it is GA.
upvoted 128 times

  go4adil 1 week, 5 days ago


Correct Answer is - A (Yes)

To add or delete users, you must be a User Administrator or Global Administrator.

https://learn.microsoft.com/en-us/entra/fundamentals/add-users

Since User 1 created new tenant 'external.contoso.onmicrosoft.com', User 1 is its Global Admin by default and has the right to create
user accounts.

https://learn.microsoft.com/en-us/answers/questions/1163804/need-clear-understanding-on-the-permissions-global
upvoted 1 times

  Alandt 1 month, 1 week ago


Thanks man, I was high indeed
upvoted 1 times

  chair123 4 months, 1 week ago


Agree Lol
upvoted 2 times

  Durden871 11 months ago


It's crazy that so many people voted no and it's honestly kind of depressing. I know these exam dumps are broken so the comments
are super helpful. With that said, seeing 29 people vote "no" means it's hard to know who to trust, which I guess is good because I
sometimes go back and test for myself. You can create a whole new directory, but you can't edit its contents? Wut.
upvoted 4 times

  ltkiller Highly Voted  1 year, 8 months ago

Selected Answer: B
B: No, when you create a new tenant, the creator is the only global admin and owner, he must first give access to others to allow anything.
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-access-create-new-tenant#your-user-account-in-the-new-tenant
upvoted 16 times

  Citmerian 1 year, 3 months ago


User1 created a new tenant. When you create a new Azure AD tenant, you become the first user of that tenant and the Owner. As the first
user, you're automatically assigned the Global Admin role.
ANSWER: Yes
upvoted 15 times

  LiamAzure 1 year, 3 months ago


Yes, but User 1 created the Tenant..
upvoted 15 times

  Manual_Override 1 year, 2 months ago


Damn I didn't notice that detail....
upvoted 3 times

  shadad 11 months, 2 weeks ago


It's OK. There are many versions of this Q here, and the exam in my case was showing the right input in the question, which is
User1. I won't blame you.
upvoted 2 times

  Lexxsuse 1 year, 1 month ago


There's a different flavor of this question, where it's being asked whether User2-3-4 can create new users in the new tenant
upvoted 3 times

  klexams 1 year, 3 months ago


your explanation means the answer is A. User1 is the tenant creator who is then the global admin and owner. So User1 can create user
accounts.
upvoted 3 times

  Magis 1 year, 4 months ago


So why Solution: You instruct User1 to create the user accounts if User1 is mentioned tenant creator ?
upvoted 2 times

  klexams 1 year, 3 months ago


the same reason why we have to sit this exam at all.
upvoted 5 times

  TheLadyAce Most Recent  3 months, 2 weeks ago

This question came before the right answer was A


upvoted 1 times

  ajdann 3 months, 3 weeks ago

Selected Answer: A

"User1 creates a new Azure Active Directory tenant named external.contoso.onmicrosoft.com."


upvoted 1 times

  chair123 4 months, 1 week ago

Selected Answer: A

A
User 1 created the tenant, thus it's the global admin of that tenant and able to create users
upvoted 1 times

  maxustermann 5 months, 2 weeks ago

Selected Answer: A

Since User1 created the new tenant he automatically became the global admin of this tenant.
upvoted 1 times

  Siraf 5 months, 3 weeks ago


Answer is A:
1 - To add or delete users, you must be a User Administrator or Global Administrator:
https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/add-users?view=azure-devops
2 - When you create a new Azure AD tenant, you become the first user of that tenant. As the first user, you're automatically assigned the
Global Administrator role.
https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/create-new-tenant#your-user-account-in-the-new-tenant
Conclusion: Correct answer is A
upvoted 2 times

  levan1988 5 months, 3 weeks ago


Selected Answer: A

A is correct
upvoted 1 times
  raj24051961 7 months, 2 weeks ago

Selected Answer: B

Answer should be B:
If we check the following link, there is no indication that Global Administrator can create a user account
https://learn.microsoft.com/en-us/azure/role-based-access-control/rbac-and-directory-admin-roles

Global Administrator
- Manage access to all administrative features in Azure Active Directory, as well as services that federate to Azure Active Directory
- Assign administrator roles to others
- Reset the password for any user and all other administrators

User Administrator
- Create and manage all aspects of users and groups
- Manage support tickets
- Monitor service health
- Change passwords for users, Helpdesk administrators, and other User Administrators
upvoted 2 times

  Elecktrus 6 months ago


User 1 is Global Admin and OWNER of the new tenant (he created the new tenant). So, he is GOD in the tenant, he can do ANYTHING.
BTW, when I create a new tenant in LAB, I usually use only the Global Admin, and of course, I can create new users and assign roles to
them
upvoted 1 times

  Angurajesh 8 months ago

Selected Answer: A

In the given scenario, User1, who is a Global Administrator, creates a new Azure Active Directory tenant named
external.contoso.onmicrosoft.com. As a Global Administrator, User1 has the necessary permissions to create new user accounts in the
Azure AD tenant.

Therefore, instructing User1 to create the user accounts in the new external.contoso.onmicrosoft.com tenant is a valid and appropriate
solution. User1 has the required privileges and can perform the necessary administrative actions to create new user accounts within the
newly created Azure AD tenant.
upvoted 1 times


  xRiot007 8 months, 2 weeks ago


Answer is A, User 1 is the OWNER of the tenant.
upvoted 1 times

  Naebun 8 months, 3 weeks ago


Selected Answer: A

Think this is the first time I've seen a Yes to this question, all the others were no.
upvoted 2 times

  SIAMIANJI 9 months, 2 weeks ago


Selected Answer: A

A is correct.
upvoted 1 times

  sofunny 10 months, 1 week ago


Selected Answer: A

Chosen Answer is A
upvoted 1 times

  Rams_84zO6n 10 months, 2 weeks ago

Selected Answer: A

It is A not because User1 is GA but because User1 is owner of the account (implicitly granted because User1 created the AD tenant). As an
owner, User1 can create user accounts.
upvoted 2 times

  Charithcool 10 months, 3 weeks ago


Selected Answer: A

Let's get votes up for Answer A. The only answer possible without a question.
upvoted 1 times
Question #14 Topic 6

You have an existing Azure subscription that contains 10 virtual machines.

You need to monitor the latency between your on-premises network and the virtual machines.

What should you use?

A. Service Map

B. Connection troubleshoot

C. Network Performance Monitor

D. Effective routes

Correct Answer: C

Network Performance Monitor is a cloud-based hybrid network monitoring solution that helps you monitor network performance between

various points in your network infrastructure. It also helps you monitor network connectivity to service and application endpoints and monitor

the performance of Azure ExpressRoute.

You can monitor network connectivity across cloud deployments and on-premises locations, multiple data centers, and branch offices and

mission-critical multitier applications or microservices. With Performance Monitor, you can detect network issues before users complain.

Reference:

https://docs.microsoft.com/en-us/azure/azure-monitor/insights/network-performance-monitor

Community vote distribution


C (100%)

  NickyDee Highly Voted  3 years, 1 month ago

Network Watcher - a Suite of tools offering but not limited to the following
* Connection Monitor - latency and network issues with IaaS devices over a PERIOD OF TIME
* Connection troubleshoot - latency and network issues with IaaS devices ONE-TIME
* IP Flow - latency and network issues at the VM LEVEL
* Network Performance Monitor - latency and network issues in hybrid, ON-PREM, across environments
upvoted 184 times

  jimmyli 2 years, 10 months ago


great summary, thank you!
upvoted 4 times

  magichappens 1 year, 10 months ago


Should be updated to "Connection Monitor" as Network Performance Monitor is deprecated.
upvoted 8 times

  kennynelcon 1 year, 9 months ago


Connection Monitor in Azure Network Watcher true
upvoted 2 times

  mlantonis Highly Voted  2 years, 9 months ago

Correct Answer: C

Network Watcher is a Suite of tools offering but not limited to the following:
- Connection Monitor - latency and network issues with IaaS devices over a PERIOD OF TIME
- Connection troubleshoot - latency and network issues with IaaS devices ONE-TIME
- IP Flow - latency and network issues at the VM LEVEL
- Network Performance Monitor - latency and network issues in hybrid, ON-PREM, across environments.

Reference:

https://docs.microsoft.com/en-us/azure/azure-monitor/insights/network-performance-monitor

https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview
upvoted 81 times

  Madbo Most Recent  10 months ago

C. Network Performance Monitor is the correct option in this scenario. It provides monitoring and diagnostics tools to help you optimize
the performance and availability of your network infrastructure. It can be used to monitor the network connectivity and latency between
your on-premises network and Azure resources, including virtual machines. Service Map provides a visual representation of your
application and server dependencies, Connection troubleshoot is used for identifying and resolving connection issues, and Effective
routes is used to verify the effective routes of a virtual machine's network interface.
upvoted 1 times
  zellck 1 year ago

Selected Answer: C

C is the answer.

https://learn.microsoft.com/en-us/azure/azure-monitor/insights/network-performance-monitor
Network Performance Monitor is a cloud-based hybrid network monitoring solution that helps you monitor network performance
between various points in your network infrastructure. It also helps you monitor network connectivity to service and application endpoints
and monitor the performance of Azure ExpressRoute.
upvoted 3 times

  klexams 1 year, 3 months ago

Selected Answer: C

monitoring latency between on-prem and vms - NPM is your friend. But NPM has retired.
upvoted 1 times

  EmnCours 1 year, 5 months ago

Selected Answer: C

Network Watcher - a Suite of tools offering but not limited to the following
* Connection Monitor - latency and network issues with IaaS devices over a PERIOD OF TIME
* Connection troubleshoot - latency and network issues with IaaS devices ONE-TIME
* IP Flow - latency and network issues at the VM LEVEL
* Network Performance Monitor - latency and network issues in hybrid, ON-PREM, across environments
upvoted 1 times

  Lazylinux 1 year, 7 months ago

Selected Answer: C

Network Performance Monitor is correct; however, it has been replaced with Connection Monitor, which is part of the Network Watcher tool set
upvoted 2 times

  dasEnder 1 year, 9 months ago

Selected Answer: C

Correct. See comments of magichappens about the deprecated name


upvoted 1 times

  josevirtual 1 year, 11 months ago

Selected Answer: C

Network Performance Monitor is correct


upvoted 1 times

  Adebowale 2 years, 6 months ago


@NickyDee Thank you for the Summary
upvoted 1 times

  CloudyTech 2 years, 7 months ago


Network Performance Monitor is correct
upvoted 1 times

  ZUMY 2 years, 11 months ago


C is okay
upvoted 4 times

  toniiv 2 years, 11 months ago


Answer is correct. Network Performance Monitor is the tool:
https://docs.microsoft.com/fr-fr/azure/network-watcher/migrate-to-connection-monitor-from-network-performance-monitor
upvoted 3 times

  waterzhong 3 years ago


Configure the solution
Add the Network Performance Monitor solution to your workspace from the Azure marketplace. You also can use the process described in
Add Azure Monitor solutions from the Solutions Gallery.

Open your Log Analytics workspace, and select the Overview tile.

Select the Network Performance Monitor tile with the message Solution requires additional configuration.
upvoted 2 times

  tinyflame 3 years, 1 month ago


Network monitoring is out of scope for the exam, is this still a question?
upvoted 2 times

  DodgyD 3 years ago


I believe network monitoring is included in exam per the exam guide.
upvoted 2 times
  balflearchen 3 years ago
Ha ha, funny, if this happened in your exam session, can you ignore it and say it should not be in my exam?
upvoted 3 times

  fedztedz 3 years, 1 month ago


Answer is correct. "C" Network Performance Network
upvoted 6 times

  NickyDee 3 years, 1 month ago


Connection Troubleshoot from Network Watcher can monitor latency. You can test all 10 VMs from one place in Azure, and it's minimal
effort.
upvoted 1 times

  balflearchen 3 years ago


In question, you need to monitor the latency between your "ON-PREMISES" network and the virtual machines. So connection
troubleshooting is wrong.
upvoted 3 times
