Topic 1, Litware, Inc. Case Study 1
Overview
Litware, Inc. is a financial company that has a main datacenter in Boston and 20 branch offices across the United States. Users have Android, iOS, and Windows 10 devices.
Existing Environment:
Hybrid Environment
The on-premises network contains an Active Directory forest named litwareinc.com that syncs to an Azure Active Directory (Azure AD) tenant named litwareinc.com by using Azure AD Connect.
All the offices connect to a virtual network named Vnet1 by using a Site-to-Site VPN connection.
Azure Environment
Litware has an Azure subscription named Sub1 that is linked to the litwareinc.com Azure AD tenant.
Sub1 contains resources in the East US Azure region as shown in the following table.
There is bidirectional peering between Vnet1 and Vnet2. There is bidirectional peering between Vnet1 and Vnet3. Currently, Vnet2 and Vnet3 cannot communicate directly.
Requirements:
Business Requirements
Litware wants to minimize costs whenever possible, as long as all other requirements are met.
Virtual Networking Requirements
Litware identifies the following virtual networking requirements:
* Direct the default route of 0.0.0.0/0 on Vnet2 and Vnet3 to the Boston datacenter over an ExpressRoute circuit.
* Ensure that the records in the cloud.litwareinc.com zone can be resolved from the on-premises locations.
* Automatically register the DNS names of Azure virtual machines to the cloud.litwareinc.com zone.
* Minimize the size of the subnets allocated to platform-managed services.
* Allow traffic from VMScaleSet1 to VMScaleSet2 on the TCP port 443 only.
Hybrid Networking Requirements
Litware identifies the following hybrid networking requirements:
* Users must be able to connect to Vnet1 by using a Point-to-Site (P2S) VPN when working remotely. Connections must be authenticated by Azure AD.
* Latency of the traffic between the Boston datacenter and all the virtual networks must be minimized.
* The Boston datacenter must connect to the Azure virtual networks by using an ExpressRoute FastPath connection.
* Traffic between Vnet2 and Vnet3 must be routed through Vnet1.
PaaS Networking Requirements
Litware identifies the following networking requirements for platform as a service (PaaS):
* The storage1 account must be accessible from all on-premises locations without exposing the public endpoint of storage1.
* The storage2 account must be accessible from Vnet2 and Vnet3 without exposing the public endpoint of storage2.
You need to connect Vnet2 and Vnet3. The solution must meet the virtual networking requirements and the business requirements.
Which two actions should you include in the solution? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.
- A . On the peerings from Vnet2 and Vnet3, select Use remote gateways.
- B . On the peering from Vnet1, select Allow forwarded traffic.
- C . On the peering from Vnet1, select Use remote gateways.
- D . On the peering from Vnet1, select Allow gateway transit.
- E . On the peerings from Vnet2 and Vnet3, select Allow gateway transit.
DRAG DROP
You need to prepare Vnet1 for the deployment of an ExpressRoute gateway. The solution must meet the hybrid connectivity requirements and the business requirements.
Which three actions should you perform in sequence for Vnet1? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
HOTSPOT
You need to implement a P2S VPN for the users in the branch office. The solution must meet the hybrid networking requirements.
What should you do? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Explanation:
Reference: https://docs.microsoft.com/en-us/azure/vpn-gateway/openvpn-azure-ad-tenant
You need to provide connectivity to storage1. The solution must meet the PaaS networking requirements and the business requirements.
What should you include in the solution?
- A . a service endpoint
- B . Azure Front Door
- C . a private endpoint
- D . Azure Traffic Manager
C
Explanation:
To provide connectivity to the storage1 account while meeting the PaaS networking requirements and the business requirements, you should consider what each of the options offers:
HOTSPOT
You need to recommend a configuration for the ExpressRoute connection from the Boston datacenter. The solution must meet the hybrid networking requirements and business requirements.
What should you recommend? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Explanation:
For the first question, only the Ultra Performance ExpressRoute gateway SKU supports the FastPath feature. For the second question, Vnet1 connects to the ExpressRoute gateway; once Vnet1 is peered with Vnet2, traffic from the on-premises network bypasses the gateway and Vnet1 and goes directly to Vnet2. This feature is in public preview.
Reference: The ExpressRoute virtual network gateway is designed to exchange network routes and route network traffic. FastPath is designed to improve the data path performance between your on-premises network and your virtual network. When enabled, FastPath sends network traffic directly to virtual machines in the virtual network, bypassing the gateway.
To configure FastPath, the virtual network gateway must be either:
* Ultra Performance
* ErGw3AZ
VNet Peering – FastPath will send traffic directly to any VM deployed in a virtual network peered to the one connected to ExpressRoute, bypassing the ExpressRoute virtual network gateway.
https://docs.microsoft.com/en-us/azure/expressroute/about-fastpath
Gateway SKU
https://docs.microsoft.com/en-us/azure/expressroute/expressroute-about-virtual-network-gateways
DRAG DROP
You need to implement outbound connectivity for VMScaleSet1. The solution must meet the virtual networking requirements and the business requirements.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Explanation:
Reference:
https://docs.microsoft.com/en-us/azure/load-balancer/skus
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-outbound-connections#outboundrules
You need to configure the default route in Vnet2 and Vnet3. The solution must meet the virtual networking requirements.
What should you use to configure the default route?
- A . a user-defined route assigned to GatewaySubnet in Vnet2 and Vnet3
- B . a user-defined route assigned to GatewaySubnet in Vnet1
- C . BGP route exchange
- D . route filters
A
Explanation:
To configure the default route in Vnet2 and Vnet3 according to the scenario provided, the best approach would be to use User-Defined Routes (UDRs). A UDR allows you to override Azure’s default system routes or to add additional routes to a subnet’s route table. In this scenario, you want to direct the default route (0.0.0.0/0) from Vnet2 and Vnet3 to the Boston datacenter over an ExpressRoute circuit, which is a typical use case for UDRs.
Here are the options:
Option A (a user-defined route assigned to GatewaySubnet in Vnet2 and Vnet3): This would be the correct approach. You can create a UDR for the default route (0.0.0.0/0) and apply it to the GatewaySubnet in both Vnet2 and Vnet3. This will ensure that all traffic destined for any address not within the local VNet or any peered VNets will be routed to the Boston datacenter via the ExpressRoute circuit.
Option B (a user-defined route assigned to GatewaySubnet in Vnet1): This is not correct because we need to configure the default route for Vnet2 and Vnet3, not Vnet1. Changing the routing in Vnet1 doesn’t directly affect the routing behavior of Vnet2 and Vnet3.
Option C (BGP route exchange): While BGP (Border Gateway Protocol) is used in Azure for route exchange, especially in scenarios involving ExpressRoute, simply relying on BGP without defining specific routes may not guarantee that the traffic will be routed according to the specific needs of this scenario.
Option D (route filters): Route filters are used in Azure to enable access to Microsoft peering service communities. They are not used for defining specific routes within a VNet.
Therefore, the correct choice for configuring the default route in Vnet2 and Vnet3 is A: a user-defined route assigned to GatewaySubnet in Vnet2 and Vnet3. This approach directly addresses the requirement to direct all traffic from these VNets to the Boston datacenter over the ExpressRoute circuit.
HOTSPOT
You need to restrict traffic from VMScaleSet1 to VMScaleSet2. The solution must meet the virtual networking requirements.
What is the minimum number of custom NSG rules and NSG assignments required? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Explanation:
To restrict traffic from VMScaleSet1 to VMScaleSet2, Network Security Group (NSG) rules need to be created and assigned to the appropriate resources. An NSG rule is required to allow or deny traffic to or from a network interface (NIC), VM, or subnet.
Based on the requirement to only allow traffic from VMScaleSet1 to VMScaleSet2 on TCP port 443, the following can be determined:
Minimum number of custom NSG rules:
You need at least one rule to allow TCP port 443 and another to deny all other traffic that does not match any prior rules. However, because NSGs have default rules that deny all inbound traffic if no other rule allows it, you might only need to create a single rule to allow traffic on TCP port 443. But to be fully explicit and depending on the existing rules, you might also add a deny rule explicitly. So, the minimum number could be 1 (if relying on default rules) or 2 (if being explicit).
Minimum number of NSG assignments:
For NSG assignments, you would typically assign an NSG to the subnet or network interfaces of VMScaleSet2 to control the inbound traffic from VMScaleSet1. Since all VM instances in a scale set can share a single NSG, you only need to make one assignment of the NSG to cover all instances of VMScaleSet2. Therefore, the minimum number of NSG assignments is 1.
So, for the given scenario:
The minimum number of custom NSG rules required: 1 (to allow TCP port 443, assuming default rules handle the deny)
The minimum number of NSG assignments required: 1 (assign the NSG to the subnet or NICs of VMScaleSet2)
These selections are made with the assumption that the goal is to enforce the minimum necessary configuration changes while still satisfying the requirements.
HOTSPOT
You need to implement name resolution for the cloud.litwareinc.com zone. The solution must meet the networking requirements.
What should you do? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Explanation:
Reference:
https://docs.microsoft.com/en-us/azure/dns/private-dns-autoregistration
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances
You need to configure the default route on Vnet2 and Vnet3. The solution must meet the virtual networking requirements.
What should you use to configure the default route?
- A . route filters
- B . BGP route exchange
- C . a user-defined route assigned to GatewaySubnet in Vnet1
- D . a user-defined route assigned to GatewaySubnet in Vnet2 and Vnet3
D
Explanation:
To configure the default route on Vnet2 and Vnet3, the solution must ensure that all traffic not destined for the local VNet or peered VNets is directed towards a specific next hop, such as a gateway or appliance. The requirements indicate that traffic from Vnet2 and Vnet3 should be directed to the Boston datacenter over an ExpressRoute circuit. Here are the appropriate options:
For configuring the default route on Vnet2 and Vnet3:
D. a user-defined route assigned to GatewaySubnet in Vnet2 and Vnet3
You need to provide access to storage2. The solution must meet the PaaS networking requirements and the business requirements.
Which connectivity method should you use?
- A . a service endpoint
- B . a private endpoint
- C . Azure Firewall
- D . Azure Front Door
Topic 2, Contoso Case Study 2
Overview
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other questions in this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.
To start the case study
To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. If the case study has an All Information tab, note that the information displayed is identical to the information displayed on the subsequent tabs. When you are ready to answer a question, click the Question button to return to the question.
Existing Environment:
Azure Network Infrastructure
Contoso has an Azure Active Directory (Azure AD) tenant named contoso.com.
The Azure subscription contains the virtual networks shown in the following table.
Vnet1 contains a virtual network gateway named GW1.
Azure Virtual Machines
The Azure subscription contains virtual machines that run Windows Server 2019 as shown in the following table.
The NSGs are associated to the network interfaces on the virtual machines. Each NSG has one custom security rule that allows RDP connections from the internet. The firewall on each virtual machine allows ICMP traffic.
An application security group named ASG1 is associated to the network interface of VM1.
Azure Private DNS Zones
The Azure subscription contains the Azure private DNS zones shown in the following table.
Zone1.contoso.com has the virtual network links shown in the following table.
Other Azure Resources
The Azure subscription contains additional resources as shown in the following table.
Requirements:
Virtual Network Requirements
Contoso has the following virtual networks requirements:
* Create a virtual network named Vnet6 in West US that will contain the following resources and configurations:
  * Two container groups that connect to Vnet6
  * Three virtual machines that connect to Vnet6
  * Allow VPN connections to be established to Vnet6
  * Allow the resources in Vnet6 to access KeyVault1, DB1, and Vnet1 over the Microsoft backbone network
* The virtual machines in Vnet4 and Vnet5 must be able to communicate over the Microsoft backbone network.
* A virtual machine named VM-Analyze will be deployed to Subnet1. VM-Analyze must inspect the outbound network traffic from Subnet2 to the internet.
Network Security Requirements
Contoso has the following network security requirements:
* Configure Azure Active Directory (Azure AD) authentication for Point-to-Site (P2S) VPN users.
* Enable NSG flow logs for NSG3 and NSG4.
* Create an NSG named NSG10 that will be associated to Vnet1/Subnet1 and will have the custom inbound security rules shown in the following table.
* Create an NSG named NSG11 that will be associated to Vnet1/Subnet2 and will have the custom outbound security rules shown in the following table.
HOTSPOT
You need to meet the network security requirements for the NSG flow logs.
Which type of resource do you need, and how many instances should you create? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
HOTSPOT
In which NSGs can you use ASG1 and to which virtual machine network interfaces can you associate ASG1? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Explanation:
NSG1 only
VM2, VM3, VM4 and VM5
HOTSPOT
You are implementing the virtual network requirements for VM-Analyze.
What should you include in a custom route that is linked to Subnet2? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Reference: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview
You are implementing the virtual network requirements for Vnet6.
What is the minimum number of subnets and service endpoints you should create? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
What should you implement to meet the virtual network requirements for the virtual machines that connect to Vnet4 and Vnet5?
- A . a private endpoint
- B . a virtual network peering
- C . a private link service
- D . a routing table
- E . a service endpoint
B
Explanation:
There is no virtual network peering between VM4’s VNet (VNet3) and VM5’s VNet (VNet4). To enable the VMs to communicate over the Microsoft backbone network a VNet peering is required between VNet3 and VNet4.
HOTSPOT
You create NSG10 and NSG11 to meet the network security requirements.
For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.
Explanation:
From VM1, you can establish a Remote Desktop session with VM2:
If NSG10 is associated with Subnet1 where VM1 is located, and there is a rule that allows outbound RDP traffic (typically TCP port 3389), then VM1 should be able to initiate an RDP session with VM2. Without a specific rule blocking RDP, the answer would typically be Yes.
From VM2, you can ping VM1:
ICMP traffic (which is used by the ping command) is usually blocked by default on NSGs unless a specific rule is created to allow it. If the firewall on the VMs allows ICMP traffic, but there is no NSG rule permitting ICMP, then VM2 would not be able to ping VM1. Unless NSG11 explicitly allows ICMP traffic outbound from VM2, the answer would be No.
From VM2, you can establish a Remote Desktop session with VM1:
This would depend on whether NSG11 allows outbound RDP traffic and NSG10 allows inbound RDP traffic. If NSG10 and NSG11 are configured with the custom rules you provided, which we don’t have the specifics of, and assuming that the NSG11 does not have a rule that blocks outbound RDP traffic and NSG10 allows inbound RDP, then the answer would be Yes.
HOTSPOT
For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.
You need to configure GW1 to meet the network security requirements for the P2S VPN users.
Which Tunnel type should you select in the Point-to-site configuration settings of GW1?
- A . IKEv2 and OpenVPN (SSL)
- B . IKEv2
- C . IKEv2 and SSTP (SSL)
- D . OpenVPN (SSL)
- E . SSTP (SSL)
D
Explanation:
Reference: https://docs.microsoft.com/en-us/azure/vpn-gateway/openvpn-azure-ad-tenant
HOTSPOT
Which virtual machines can VM1 and VM4 ping successfully? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Explanation:
Box 1: VM2, VM3 and VM4.
VM1 is in VNet1/Subnet1. VNet1 is peered with VNet2 and VNet3.
There are no NSGs blocking outbound ICMP from VNet1. There are no NSGs blocking inbound ICMP to VNet1/Subnet2, VNet2 or VNet3. Therefore, VM1 can ping VM2 in VNet1/Subnet2, VM3 in VNet2 and VM4 in VNet3.
Box 2:
VM4 is in VNet3. VNet3 is peered with VNet1 and VNet2. There are no NSGs blocking outbound ICMP from VNet3. There are no NSGs blocking inbound ICMP to VNet1/Subnet1, VNet1/Subnet2 or VNet2 from VNet3 (NSG10 blocks inbound ICMP from VNet4 but not from VNet3). Therefore, VM4 can ping VM1 in VNet1/Subnet1, VM2 in VNet1/Subnet2 and VM3 in VNet2.
HOTSPOT
For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.
Explanation:
Box 1: No
Zone2.contoso.com is not linked to any virtual networks. Therefore, no VMs are able to resolve names in the zone.
Box 2: Yes
VM4 is in VNet3. Zone1.contoso.com has a link to VNet3 and auto-registration is enabled on the link.
Box 3: No
VNet3 is linked to zone1.contoso.com and auto-registration is enabled on the link. A virtual network can only have one registration zone. You can link zone2.contoso.com to VNet3 but you won’t be able to enable auto-registration on the link.
Topic 3, Mixed Questions
You have an Azure virtual network that contains two subnets named Subnet1 and Subnet2. Subnet1 contains a virtual machine named VM1. Subnet2 contains a virtual machine named VM2.
You have two network security groups (NSGs) named NSG1 and NSG2. NSG1 has 100 inbound security rules and is associated to VM1. NSG2 has 200 inbound security rules and is associated to Subnet1.
VM2 cannot connect to VM1.
You suspect that an NSG rule blocks connectivity.
You need to identify which rule blocks the connection. The issue must be resolved as quickly as possible.
Which Azure Network Watcher feature should you use?
- A . Effective security rules
- B . Connection troubleshoot
- C . NSG diagnostic
- D . NSG flow logs
You have an Azure Front Door instance that has a single frontend named Frontend1 and an Azure Web Application Firewall (WAF) policy named Policy1. Policy1 redirects requests that have a header containing "string1" to https://www.contoso.com/redirect1. Policy1 is associated to Frontend1. You need to configure additional redirection settings. Requests to Frontend1 that have a header containing "string2" must be redirected to https://www.contoso.com/redirect2.
Which three actions should you perform? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.
- A . Create a custom rule.
- B . Configure a managed rule.
- C . Create a frontend host.
- D . Create a policy.
- E . Create an association.
- F . Add a custom rule to Policy1.
HOTSPOT
You have the network security groups (NSGs) shown in the following table.
In NSG1, you create inbound rules as shown in the following table.
You have the Azure virtual machines shown in the following table.
NSG2 has only the default rules configured.
For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.
Explanation:
Based on the information provided in the images about the network security groups (NSGs), the rules within NSG1, and the virtual machines’ subnet assignments, we can determine the connectivity between the VMs.
NSG1 is associated with Subnet1 and has the following custom inbound rules:
Priority 101: Allow port 80 from any source.
Priority 150: Allow port 443 from any source.
Priority 200: Deny all traffic from the virtual network.
NSG2, associated with Subnet2, has only the default rules, which generally allow communication within the VNet and deny all inbound traffic from other sources unless specifically allowed by a rule.
VM1 and VM2 are in Subnet1, and VM3 is in Subnet2.
With this setup, here are the answers to the connectivity statements:
VM3 can connect to port 8080 on VM1.
Answer: No. VM1 is in Subnet1, which has NSG1 with a rule that denies all traffic from the virtual network (priority 200). Since there is no rule allowing port 8080, VM3 (which is in Subnet2) cannot connect to VM1 on port 8080.
VM1 and VM2 can connect on port 9090.
Answer: No. Both VM1 and VM2 are in Subnet1, which has NSG1 applied to it. NSG1 has a deny all rule for the virtual network traffic (priority 200), so even though they are in the same subnet, the NSG rule will block communication on port 9090.
VM1 can connect to VM3 on port 9090.
Answer: No. VM3 is in Subnet2, which is subject to NSG2’s default rules. The default rules of NSG2 would block inbound traffic from other subnets unless a specific rule is created to allow it. Additionally, NSG1 would block outbound traffic to the virtual network, so VM1 cannot initiate a connection to VM3 on port 9090.
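Both NSG questions on this page (the Litware "TCP 443 only" rule count and the NSG1 table with priorities 101, 150 and 200 above) come down to Azure's first-match-by-priority evaluation, so here is an added Python model of that evaluation; it is not code from the page or from Azure. The VNet address plan (10.0.0.0/16, 10.0.10.0/24 for VMScaleSet1 and so on) is assumed, and the VirtualNetwork, Internet and AzureLoadBalancer tags are simplified to fixed prefixes.

```python
"""Inbound NSG rule evaluation modelled on Azure's first-match-by-priority semantics.

Constructed example: rule tables are built inline from the two scenarios on the
page; the address ranges below are assumptions, not values from the page.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed address plan (not stated on the page).
VNET_PREFIXES = ["10.0.0.0/16"]   # what the VirtualNetwork tag expands to here
SUBNET1 = "10.0.1.0/24"           # VM1, VM2
SUBNET2 = "10.0.2.0/24"           # VM3
SCALESET1 = "10.0.10.0/24"        # VMScaleSet1 instances
SCALESET2 = "10.0.11.0/24"        # VMScaleSet2 instances
AZURE_LB_PROBE_IP = "168.63.129.16"  # source of AzureLoadBalancer health probes


@dataclass(frozen=True)
class Rule:
    priority: int
    name: str
    access: str      # "Allow" or "Deny"
    protocol: str    # "Tcp", "Udp", "Icmp" or "*"
    source: str      # CIDR, a service tag, or "*"
    dest_port: str   # single port, "lo-hi" range, or "*"


def _in_vnet(ip) -> bool:
    return any(ip in ip_network(p) for p in VNET_PREFIXES)


def _source_matches(rule_source: str, src_ip: str) -> bool:
    ip = ip_address(src_ip)
    if rule_source in ("*", "Any"):
        return True
    if rule_source == "VirtualNetwork":
        return _in_vnet(ip)
    if rule_source == "AzureLoadBalancer":
        return src_ip == AZURE_LB_PROBE_IP
    if rule_source == "Internet":
        # Simplification: anything that is neither in the VNet nor RFC 1918.
        return not _in_vnet(ip) and not ip.is_private
    return ip in ip_network(rule_source)


def _port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(x) for x in spec.split("-"))
        return lo <= port <= hi
    return int(spec) == port


# The three default inbound rules every NSG carries; custom rules use 100-4096.
DEFAULT_INBOUND = [
    Rule(65000, "AllowVnetInBound", "Allow", "*", "VirtualNetwork", "*"),
    Rule(65001, "AllowAzureLoadBalancerInBound", "Allow", "*", "AzureLoadBalancer", "*"),
    Rule(65500, "DenyAllInBound", "Deny", "*", "*", "*"),
]


def evaluate_inbound(custom_rules, src_ip: str, protocol: str, port: int):
    """Return (access, rule_name) of the first rule that matches, lowest priority first.

    Azure stops at the first match, so a custom Deny only takes effect for traffic
    that no lower-numbered Allow has already admitted, and the default
    AllowVnetInBound (65000) admits intra-VNet traffic before DenyAllInBound runs.
    """
    for r in custom_rules:
        if not 100 <= r.priority <= 4096:
            raise ValueError(f"custom rule {r.name} has invalid priority {r.priority}")
    for rule in sorted([*custom_rules, *DEFAULT_INBOUND], key=lambda r: r.priority):
        if ((rule.protocol == "*" or rule.protocol.lower() == protocol.lower())
                and _source_matches(rule.source, src_ip)
                and _port_matches(rule.dest_port, port)):
            return rule.access, rule.name
    raise AssertionError("unreachable: DenyAllInBound matches everything")


# Scenario 1: NSG1 on Subnet1, as listed in the explanation above.
NSG1_CUSTOM = [
    Rule(101, "AllowHttp", "Allow", "Tcp", "*", "80"),
    Rule(150, "AllowHttps", "Allow", "Tcp", "*", "443"),
    Rule(200, "DenyVnet", "Deny", "*", "VirtualNetwork", "*"),
]

# Scenario 2: NSG on VMScaleSet2, first with the single allow rule the Litware
# answer counts on, then with the explicit deny the same explanation mentions.
VMSS2_ONE_RULE = [Rule(100, "AllowVmss1Https", "Allow", "Tcp", SCALESET1, "443")]
VMSS2_TWO_RULES = VMSS2_ONE_RULE + [Rule(110, "DenyAllOther", "Deny", "*", "*", "*")]

if __name__ == "__main__":
    checks = [
        ("VM3 -> VM1:8080", NSG1_CUSTOM, "10.0.2.4", "Tcp", 8080),
        ("VM2 -> VM1:9090", NSG1_CUSTOM, "10.0.1.5", "Tcp", 9090),
        ("Internet -> VM1:80", NSG1_CUSTOM, "203.0.113.5", "Tcp", 80),
        ("VMSS1 -> VMSS2:443 (1 rule)", VMSS2_ONE_RULE, "10.0.10.4", "Tcp", 443),
        ("VMSS1 -> VMSS2:80 (1 rule)", VMSS2_ONE_RULE, "10.0.10.4", "Tcp", 80),
        ("VMSS1 -> VMSS2:80 (2 rules)", VMSS2_TWO_RULES, "10.0.10.4", "Tcp", 80),
    ]
    for label, rules, src, proto, port in checks:
        print(f"{label:30} -> {evaluate_inbound(rules, src, proto, port)}")
```

Running it shows that with only the allow-443 rule, port 80 from VMScaleSet1 is still admitted by the default AllowVnetInBound rule at priority 65000, so the explicit deny at a priority below 65000 is what actually enforces "TCP 443 only".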
You have an Azure virtual network that contains the subnets shown in the following table.
You deploy an Azure firewall to AzureFirewallSubnet. You route all traffic from Subnet2 through the firewall.
You need to ensure that all the hosts on Subnet2 can access an external site located at https://*.contoso.com.
What should you do?
- A . Create a network security group (NSG) and associate the NSG to Subnet2.
- B . In a firewall policy, create an application rule.
- C . In a firewall policy, create a DNAT rule.
- D . In a firewall policy, create a network rule.
You have an Azure subscription that contains the virtual networks shown in the following table.
You plan to deploy an Azure firewall named AF1 to RG1 in the West US Azure region.
To which virtual networks can you deploy AF1?
- A . Vnet1 only
- B . Vnet1 and Vnet2 only
- C . Vnet1, Vnet2, and Vnet4 only
- D . Vnet1 and Vnet4 only
- E . Vnet1, Vnet2, Vnet3, and Vnet4
HOTSPOT
You have an Azure application gateway named AppGW1 that provides access to the following hosts:
* www.adatum.com
* www.contoso.com
* www.fabrikam.com
AppGW1 has the listeners shown in the following table.
You create Azure Web Application Firewall (WAF) policies for AppGW1 as shown in the following table.
For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.
Explanation:
Reference: https://docs.microsoft.com/en-us/azure/web-application-firewall/ag/per-site-policies
HOTSPOT
You need to connect an on-premises network and an Azure environment. The solution must use ExpressRoute and support failing over to a Site-to-Site VPN connection if there is an ExpressRoute failure.
What should you configure? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Explanation:
To connect an on-premises network to an Azure environment with a solution that uses ExpressRoute and supports failover to a Site-to-Site VPN connection in case of an ExpressRoute failure, you should use the following configurations:
Routing type:
For supporting both ExpressRoute and Site-to-Site VPN, you would use a Route-based VPN type. Policy-based VPNs do not support the dynamic routing that is necessary for ExpressRoute and VPN failover scenarios.
Number of virtual network gateways:
You would typically need 2 virtual network gateways for this scenario: one for the ExpressRoute connection and another for the Site-to-Site VPN connection. Azure supports the coexistence of ExpressRoute and Site-to-Site VPN connections, allowing you to configure them for high-availability scenarios. Each type of connection requires a separate gateway.
Therefore, the appropriate options are "Route-based" for the routing type and "2" for the number of virtual network gateways.
You are planning an Azure Point-to-Site (P2S) VPN that will use OpenVPN. Users will authenticate by using an on-premises Active Directory domain.
Which additional service should you deploy to support the VPN authentication?
- A . a certification authority (CA)
- B . a RADIUS server
- C . an Azure key vault
- D . Azure Active Directory (Azure AD) Application Proxy
B
Explanation:
Reference: https://docs.microsoft.com/en-us/azure/vpn-gateway/point-to-site-about
HOTSPOT
You have an Azure subscription that contains a single virtual network and a virtual network gateway. You need to ensure that administrators can use Point-to-Site (P2S) VPN connections to access resources in the virtual network. The connections must be authenticated by Azure Active Directory (Azure AD).
What should you configure? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
You fail to establish a Site-to-Site VPN connection between your company’s main office and an Azure virtual network.
You need to troubleshoot what prevents you from establishing the IPsec tunnel.
Which diagnostic log should you review?
- A . IKEDiagnosticLog
- B . GatewayDiagnosticLog
- C . TunnelDiagnosticLog
- D . RouteDiagnosticLog
A
Explanation:
Reference: https://docs.microsoft.com/en-us/azure/vpn-gateway/troubleshoot-vpn-with-azure-diagnostics
IKEDiagnosticLog = The IKEDiagnosticLog table offers verbose debug logging for IKE/IPsec. This is very useful to review when troubleshooting disconnections, or failure to connect VPN scenarios.
GatewayDiagnosticLog = Configuration changes are audited in the GatewayDiagnosticLog table.
TunnelDiagnosticLog = The TunnelDiagnosticLog table is very useful to inspect the historical connectivity statuses of the tunnel.
RouteDiagnosticLog = The RouteDiagnosticLog table traces the activity for statically modified routes or routes received via BGP.
P2SDiagnosticLog = The last available table for VPN diagnostics is P2SDiagnosticLog. This table traces the activity for Point to Site.
Your company has an on-premises network and three Azure subscriptions named Subscription1, Subscription2, and Subscription3.
The departments at the company use the Azure subscriptions as shown in the following table.
All the resources in the subscriptions are in either the West US Azure region or the West US 2 Azure region.
You plan to connect all the subscriptions to the on-premises network by using ExpressRoute.
What is the minimum number of ExpressRoute circuits required?
- A . 1
- B . 2
- C . 3
- D . 4
- E . 5
A
Explanation:
Reference: https://docs.microsoft.com/en-us/azure/expressroute/expressroute-introduction
You have an Azure virtual network and an on-premises datacenter.
You need to implement a Site-to-Site VPN connection between the datacenter and the virtual network.
Which two resources should you create? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.
- A . a virtual network gateway
- B . Azure Firewall
- C . a local network gateway
- D . Azure Web Application Firewall (WAF)
- E . an on-premises data gateway
- F . an Azure application gateway
- G . a user-defined route
AC
Explanation:
Reference: https://docs.microsoft.com/en-us/azure/vpn-gateway/tutorial-site-to-site-portal
You have the Azure resources shown in the following table.
You configure storage1 to provide access to the subnet in Vnet1 by using a service endpoint.
You need to ensure that you can use the service endpoint to connect to the read-only endpoint of storage1 in the paired Azure region.
What should you do first?
- A . Configure the firewall settings for storage1.
- B . Fail over storage1 to the paired Azure region.
- C . Create a virtual network in the paired Azure region.
- D . Create another service endpoint.
DRAG DROP
You have two Azure subscriptions named Subscription1 and Subscription2. Subscription1 contains a virtual network named Vnet1. Vnet1 contains an application server. Subscription2 contains a virtual network named Vnet2.
You need to provide the virtual machines in Vnet2 with access to the application server in Vnet1 by using a private endpoint.
Which four actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
You have an Azure virtual network named Vnet1.
You need to ensure that the virtual machines in Vnet1 can access only the Azure SQL resources in the East US Azure region. The virtual machines must be prevented from accessing any Azure Storage resources.
Which two outbound network security group (NSG) rules should you create? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.
- A . an allow rule that has the IP address range of Vnet1 as the source and a destination of Sql.EastUS
- B . a deny rule that has a source of VirtualNetwork and a destination of Sql
- C . a deny rule that has a source of VirtualNetwork and a destination of 168.63.129.0/24
- D . a deny rule that has the IP address range of Vnet1 as the source and a destination of Storage
A, D
Explanation:
To ensure that the virtual machines in Vnet1 can access only the Azure SQL resources in the East US Azure region and are prevented from accessing any Azure Storage resources, you should create the following outbound network security group (NSG) rules:
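The following is an added example, not part of the question bank, that models how an NSG evaluates outbound rules: lowest priority number first, first match wins, with the three built-in default rules (AllowVnetOutBound 65000, AllowInternetOutBound 65001, DenyAllOutBound 65500) appended. It shows why both an allow for Sql.EastUS and an explicit deny for Storage are needed: Azure service public addresses fall inside the Internet tag, so without the deny, Storage traffic is accepted by the default AllowInternetOutBound rule. The Vnet1 address range (10.1.0.0/16) and all IP addresses are constructed values; the service-tag membership sets are assumptions for illustration.

```python
"""Model of outbound NSG rule evaluation (added example; all addresses constructed)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # custom rules use 100-4096; a lower number is evaluated first
    access: str        # "Allow" or "Deny"
    source: str        # "*", a CIDR prefix, or a service tag
    destination: str   # "*", a CIDR prefix, or a service tag


@dataclass(frozen=True)
class Endpoint:
    ip: str
    tags: frozenset = frozenset()   # service tags the address belongs to (assumed)


# Built-in outbound rules present on every NSG; they cannot be removed, only overridden
# by a custom rule with a lower priority number.
DEFAULT_OUTBOUND = [
    Rule("AllowVnetOutBound", 65000, "Allow", "VirtualNetwork", "VirtualNetwork"),
    Rule("AllowInternetOutBound", 65001, "Allow", "*", "Internet"),
    Rule("DenyAllOutBound", 65500, "Deny", "*", "*"),
]


def matches(selector: str, endpoint: Endpoint) -> bool:
    """'*' matches anything; a CIDR is tested against the IP; a service tag is tested
    against the endpoint's tags. A regional tag such as Sql.EastUS is a subset of the
    global tag Sql, so a rule written with 'Sql' also matches 'Sql.EastUS' traffic."""
    if selector == "*":
        return True
    if "/" in selector:
        return ipaddress.ip_address(endpoint.ip) in ipaddress.ip_network(selector)
    return any(t == selector or t.startswith(selector + ".") for t in endpoint.tags)


def evaluate(custom_rules, src: Endpoint, dst: Endpoint):
    """Return (access, rule name) of the first matching rule in priority order."""
    for rule in sorted(custom_rules + DEFAULT_OUTBOUND, key=lambda r: r.priority):
        if matches(rule.source, src) and matches(rule.destination, dst):
            return rule.access, rule.name
    return "Deny", "no-match"   # not reachable: DenyAllOutBound matches everything


# Constructed scenario: Vnet1 is assumed to be 10.1.0.0/16; destinations use
# documentation address ranges (TEST-NET-2/3), not real Azure prefixes.
VNET1_PREFIX = "10.1.0.0/16"
VM_IN_VNET1 = Endpoint("10.1.0.4", frozenset({"VirtualNetwork"}))
SQL_EAST_US = Endpoint("203.0.113.10", frozenset({"Sql", "Sql.EastUS", "Internet"}))
STORAGE_EAST_US = Endpoint("203.0.113.20", frozenset({"Storage", "Storage.EastUS", "Internet"}))
PUBLIC_WEB = Endpoint("198.51.100.5", frozenset({"Internet"}))

# The two rules the answer calls for (options A and D).
ANSWER_RULES = [
    Rule("Allow-Sql-EastUS", 100, "Allow", VNET1_PREFIX, "Sql.EastUS"),
    Rule("Deny-Storage", 110, "Deny", VNET1_PREFIX, "Storage"),
]


def outcome(rules, dst: Endpoint):
    """Evaluate traffic from the Vnet1 VM to the given destination."""
    return evaluate(rules, VM_IN_VNET1, dst)


if __name__ == "__main__":
    for label, dst in [("Sql.EastUS", SQL_EAST_US), ("Storage", STORAGE_EAST_US),
                       ("other Internet", PUBLIC_WEB)]:
        print(f"{label:15} -> {outcome(ANSWER_RULES, dst)}")
    # Without the explicit deny, Storage falls through to AllowInternetOutBound.
    print(f"{'Storage, no deny':15} -> {outcome(ANSWER_RULES[:1], STORAGE_EAST_US)}")
```

Note the caveat the last line surfaces: the two rules restrict Storage, but any other public destination still matches the default AllowInternetOutBound rule, so a stricter posture would add a lower-priority deny for Internet as well.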
DRAG DROP
You have an Azure subscription that contains the resources shown in the following table.
The IP Addresses settings for Vnet1 are configured as shown in the exhibit.
You need to ensure that you can integrate WebApp1 and Vnet1.
Which three actions should you perform in sequence before you can integrate WebApp1 and Vnet1? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Explanation:
To integrate WebApp1 with Vnet1, the following actions need to be performed in sequence:
Modify the address space of Vnet1:
The address space for Vnet1 currently is 10.3.0.0/16, and the subnet also has the same address range which leaves no room for further subnetting. You would need to create a smaller subnet within this address space for the integration with WebApp1.
Create a service endpoint:
Service endpoints are needed to secure your critical Azure service resources to only your virtual networks. By enabling a service endpoint, traffic from your VNet to the Azure service always remains on the Microsoft Azure backbone network.
Add a private endpoint:
A private endpoint is a network interface that connects you privately and securely to a service powered by Azure Private Link. The private endpoint uses an IP address from your VNet, effectively bringing the service into your VNet.
These actions would enable private connectivity between WebApp1 and Vnet1, ensuring that the traffic between your web app and the virtual network is kept on the Azure backbone network, secure from the public internet.
You have an Azure subscription that is linked to an Azure Active Directory (Azure AD) tenant named contoso.onmicrosoft.com.
The subscription contains the following resources:
* An Azure App Service app named App1
* An Azure DNS zone named contoso.com
* An Azure private DNS zone named private.contoso.com
* A virtual network named Vnet1
You create a private endpoint for App1. The record for the endpoint is registered automatically in Azure DNS.
You need to provide a developer with the name that is registered in Azure DNS for the private endpoint.
What should you provide?
- A . app1.privatelink.azurewebsites.net
- B . app1.contoso.com
- C . app1.contoso.onmicrosoft.com
- D . app1.private.contoso.com
HOTSPOT
You have the Azure App Service app shown in the App Service exhibit.
The VNet Integration settings for as12 are configured as shown in the Vnet Integration exhibit.
The Private Endpoint connections settings for as12 are configured as shown in the Private Endpoint connections exhibit.
For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.
Explanation:
Based on the information provided in the screenshots regarding Azure App Service and its VNet Integration and Private Endpoint connections, let’s address the statements provided:
Subnet2 can contain only App Service apps in the ASP1 App Service plan.
No, this statement is not necessarily true. A subnet can contain multiple app services from different App Service plans, not just a single one like ASP1. The App Service plan determines the location, features, cost, and compute resources associated with an app, but multiple plans can use the same subnet for integration.
As12 will use an IP address from Subnet2 for network communications.
Yes, if the Azure App Service ‘as12’ is integrated with a VNet that includes Subnet2, it will use an IP address from Subnet2’s range for network communications within that VNet.
Computers in Vnet1 will connect to a private IP address when they connect to as12.
No, the screenshots do not show any configured private endpoint connections for the ‘as12’ app service, which would be required for ‘as12’ to have a private IP address within the VNet. Without a private endpoint, computers in Vnet1 would connect to the public IP address of ‘as12’, unless further configuration is done outside of what is shown in the screenshots.
You have an Azure subscription that contains the public IP addresses shown in the following table.
You plan to deploy a NAT gateway named NAT1.
Which public IP addresses can be used as the public IP address for NAT1?
- A . IP3 and IP5 only
- B . IP5 only
- C . IP1, IP3, and IP5 only
- D . IP3 only
- E . IP2 and IP4 only
A
Explanation:
For a NAT gateway in Azure, you need to use a Standard SKU public IP address with a static allocation method. Basic SKU public IP addresses and dynamically assigned IP addresses are not supported with NAT gateways.
Based on the table provided:
IP3 is IPv4, uses Standard SKU, and is static.
IP5 is IPv6, uses Standard SKU, and is static.
Therefore, the public IP addresses that can be used as the public IP address for NAT1 are:
You have a website that uses an FQDN of www.contoso.com. The DNS record for www.contoso.com resolves to an on-premises web server.
You plan to migrate the website to an Azure web app named Web1. The website on Web1 will be published by using an Azure Front Door instance named ContosoFD1. You build the website on Web1.
You plan to configure ContosoFD1 to publish the website for testing.
When you attempt to configure a custom domain for www.contoso.com on ContosoFD1, you receive the error message shown in the exhibit.
You need to test the website and ContosoFD1 without affecting user access to the on-premises web server.
Which record should you create in the contoso.com DNS domain?
- A . a CNAME record that maps www.contoso.com to ContosoFD1.azurefd.net
- B . a CNAME record that maps www.contoso.com to Web1.contoso.com
- C . a CNAME record that maps afdverify.www.contoso.com to ContosoFD1.azurefd.net
- D . a CNAME record that maps afdverify.www.contoso.com to afdverify.ContosoFD1.azurefd.net
C
Explanation:
When configuring an Azure Front Door instance with a custom domain, you typically encounter this issue if you’re trying to add a domain to Azure Front Door that is already in use elsewhere. To avoid affecting user access to the on-premises web server while testing, you would use an afdverify subdomain to test the custom domain configuration with Azure Front Door.
The correct record to create is:
C. a CNAME record that maps afdverify.www.contoso.com to ContosoFD1.azurefd.net
This record allows Azure Front Door to verify the domain without affecting the current DNS setup for www.contoso.com. After verification, you can complete the configuration for the custom domain in Azure Front Door. Once testing is successful and you’re ready to go live, you can then update the CNAME record for www.contoso.com to point to ContosoFD1.azurefd.net, which would direct all traffic to the Azure Front Door instance.
You have an Azure Virtual Desktop deployment that has 500 session hosts.
All outbound traffic to the internet uses a NAT gateway.
During peak business hours, some users report that they cannot access internet resources. In Azure Monitor, you discover many failed SNAT connections. You need to increase the available SNAT connections.
What should you do?
- A . Add a public IP address.
- B . Bind the NAT gateway to another subnet.
- C . Deploy Azure Standard Load Balancer that has outbound rules.
A
Explanation:
Reference: https://docs.microsoft.com/en-us/azure/virtual-network/nat-gateway/nat-gateway-resource
You have an Azure subscription that contains the public IPv4 addresses shown in the following table.
You plan to create a load balancer named LB1 that will have the following settings:
* Name: LB1
* Location: West US
* Type: Public
* SKU: Standard
Which public IPv4 addresses can be used by LB1?
- A . IP1 and IP3 only
- B . IP3 only
- C . IP3 and IP5 only
- D . IP2 only
- E . IP1, IP2, IP3, IP4, and IP5
- F . IP1, IP3, IP4, and IP5 only
B
Explanation:
For a Standard SKU public load balancer in Azure, you must use a Standard SKU public IP address. Furthermore, the resources must be in the same location.
Based on the table provided:
IP1 is a Basic SKU and cannot be used with a Standard SKU load balancer.
IP2 is a Basic SKU and cannot be used with a Standard SKU load balancer, and also it is dynamic, which is not suitable.
IP3 is Standard SKU and in the correct location (West US), so it can be used.
IP4 is Basic SKU and in the wrong location (West US 2), so it cannot be used.
IP5 is Standard SKU but in the wrong location (West US 2), so it cannot be used with LB1 located in West US.
The correct answer is:
B. IP3 only
This is because IP3 is the only IP address that meets both the SKU and location requirements for LB1.
You are configuring two network virtual appliances (NVAs) in an Azure virtual network. The NVAs will be used to inspect all the traffic within the virtual network.
You need to provide high availability for the NVAs. The solution must minimize administrative effort.
What should you include in the solution?
- A . Azure Standard Load Balancer
- B . Azure Traffic Manager
- C . Azure Application Gateway
- D . Azure Front Door
A
Explanation:
Reference: https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/dmz/nva-ha?tabs=cli
You have five virtual machines that run Windows Server. Each virtual machine hosts a different web app.
You plan to use an Azure application gateway to provide access to each web app by using a hostname of www.contoso.com and a different URL path for each web app, for example: https://www.contoso.com/app1.
You need to control the flow of traffic based on the URL path.
What should you configure?
- A . rules
- B . rewrites
- C . HTTP settings
- D . listeners
A
Explanation:
Reference: https://docs.microsoft.com/en-us/azure/application-gateway/url-route-overview
You have an Azure application gateway for a web app named App1. The application gateway allows end-to-end encryption.
You configure the listener for HTTPS by uploading an enterprise signed certificate.
You need to ensure that the application gateway can provide end-to-end encryption for App1.
What should you do?
- A . Set Listener type to Multi site.
- B . Increase the Unhealthy threshold setting in the custom probe.
- C . Upload the public key certificate to the HTTPS settings.
- D . Enable the SSL profile for the listener.
C
Explanation:
Reference:
https://docs.microsoft.com/en-us/azure/application-gateway/end-to-end-ssl-portal
https://docs.microsoft.com/en-us/azure/application-gateway/create-ssl-portal#configuration-tab
HOTSPOT
Your company has 10 instances of a web service. Each instance is hosted in a different Azure region and is accessible through a public endpoint.
The development department at the company is creating an application named App1. Every 10 minutes, App1 will use a list of endpoints and connect to the first available endpoint. You plan to use Azure Traffic Manager to maintain the list of endpoints.
You need to configure a Traffic Manager profile that will minimize the impact of DNS caching.
What should you configure? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Explanation:
To minimize the impact of DNS caching when using Azure Traffic Manager with an application that connects to the first available endpoint from a list of endpoints, you should configure the Traffic Manager profile as follows:
Traffic Manager algorithm:
Priority: This routing method allows you to prioritize traffic to a particular endpoint over others. It ensures that all requests are sent to the highest-priority (primary) endpoint if it is available. If the primary endpoint is not available, Traffic Manager routes traffic to the next highest-priority endpoint. This setup minimizes the impact of DNS caching by always directing clients to the same endpoint, as long as it is available.
Endpoint type:
Azure endpoint: Since the web service instances are hosted in Azure and are accessible through public endpoints, you will use the Azure endpoint type for Traffic Manager.
These settings will direct App1 to consistently connect to the same endpoint (the one with the highest priority), assuming it is available, which is the desired behavior to minimize the impact of DNS caching. Traffic Manager will automatically failover to the next available endpoint based on the priority order defined, should the highest-priority endpoint become unavailable.
You have an Azure application gateway named AppGW1 that balances requests to a web app named App1.
You need to modify the server variables in the response header of App1.
What should you configure on AppGW1?
- A . HTTP settings
- B . rewrites
- C . rules
- D . listeners
B
Explanation:
Reference: https://docs.microsoft.com/en-us/azure/application-gateway/rewrite-http-headers-url
You have an Azure Front Door instance named FD1 that is protected by using Azure Web Application Firewall (WAF).
FD1 uses a frontend host named app1.contoso.com to provide access to Azure web apps hosted in the East US Azure region and the West US Azure region.
You need to configure FD1 to block requests to app1.contoso.com from all countries other than the United States.
What should you include in the WAF policy?
- A . a frontend host association
- B . a managed rule set
- C . a custom rule that uses a rate limit rule
- D . a custom rule that uses a match rule
You have an application named App1 that listens for incoming requests on a preconfigured group of 50 TCP ports and UDP ports.
You install App1 on 10 Azure virtual machines.
You need to implement load balancing for App1 across all the virtual machines. The solution must minimize the number of load balancing rules.
What should you include in the solution?
- A . Azure Standard Load Balancer that has Floating IP enabled
- B . Azure Application Gateway V2 that has multiple listeners
- C . Azure Application Gateway v2 that has multiple site hosting enabled
- D . Azure Standard Load Balancer that has high availability (HA) ports enabled
You have the Azure load balancer shown in the Load Balancer exhibit.
LB2 has the backend pools shown in the Backend Pools exhibit.
You need to ensure that LB2 distributes traffic to all the members of VMSS1.
Which two actions should you perform? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.
- A . Add a network interface to VMSS1.
- B . Configure a health probe.
- C . Add a public IP address to each member of VMSS1.
- D . Add a load balancing rule.
BD
Explanation:
Reference: https://docs.microsoft.com/en-us/azure/load-balancer/quickstart-load-balancer-standard-public-portal?tabs=option-1-create-load-balancer-standard
You have the Azure Traffic Manager profiles shown in the following table.
You plan to add the endpoints shown in the following table.
Which endpoints can you add to Profile2?
- A . Endpoint1 and Endpoint4 only
- B . Endpoint1, Endpoint2, Endpoint3, and Endpoint4
- C . Endpoint1 only
- D . Endpoint2 and Endpoint3 only
- E . Endpoint3 only
You have two Azure App Service instances that host the web apps shown in the following table.
You deploy an Azure application gateway that has one public frontend IP address and two backend pools.
You need to publish all the web apps to the application gateway. Requests must be routed based on the HTTP host headers.
What is the minimum number of listeners and routing rules you should configure? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
You have 10 Azure App Service instances. Each instance hosts the same web app. Each instance is in a different Azure region.
You need to configure Azure Traffic Manager to direct users to the instance that has the lowest latency.
Which routing method should you use?
- A . geographic
- B . weighted
- C . performance
- D . priority
HOTSPOT
You configure a route table named RT1 that has the routes shown in the following table.
You have an Azure virtual network named Vnet1 that has the subnets shown in the following table.
You have the resources shown in the following table.
Vnet1 connects to an ExpressRoute circuit.
The on-premises router advertises the following routes:
* 0.0.0.0/0
* 10.0.0.0/16
For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.
DRAG DROP
You have an Azure Front Door instance named FrontDoor1.
You deploy two instances of an Azure web app to different Azure regions.
You plan to provide access to the web app through FrontDoor1 by using the name app1.contoso.com. You need to ensure that FrontDoor1 is the entry point for requests that use app1.contoso.com.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
HOTSPOT
You have the hybrid network shown in the Network Diagram exhibit.
You have a peering connection between Vnet1 and Vnet2 as shown in the Peering-Vnet1-Vnet2 exhibit.
You have a peering connection between Vnet1 and Vnet3 as shown in the Peering-Vnet1-Vnet3 exhibit.
For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.
Your company has offices in New York and Amsterdam. The company has an Azure subscription. Both offices connect to Azure by using a Site-to-Site VPN connection.
The office in Amsterdam uses resources in the North Europe Azure region. The office in New York uses resources in the East US Azure region.
You need to implement ExpressRoute circuits to connect each office to the nearest Azure region. Once the ExpressRoute circuits are connected, the on-premises computers in the Amsterdam office must be able to connect to the on-premises servers in the New York office by using the ExpressRoute circuits.
Which ExpressRoute option should you use?
- A . ExpressRoute Local
- B . ExpressRoute FastPath
- C . ExpressRoute Direct
- D . ExpressRoute Global Reach
D
Explanation:
Reference: https://docs.microsoft.com/en-us/azure/expressroute/expressroute-global-reach
HOTSPOT
You have the Azure environment shown in the exhibit.
You have virtual network peering between Vnet1 and Vnet2. You have virtual network peering between Vnet4 and Vnet5.
The virtual network peering is configured as shown in the following table.
For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.
HOTSPOT
You have an Azure subscription.
You have the on-premises sites shown in the following table.
You plan to deploy Azure Virtual WAN.
You are evaluating Virtual WAN Basic and Virtual WAN Standard.
Which type of Virtual WAN can you use for each site? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Explanation:
Azure Virtual WAN offers a networking service that brings many networking, security, and routing functionalities together to provide a single operational interface. It supports various connection types like Site-to-Site VPN, Point-to-Site VPN, and ExpressRoute connections. Depending on the Virtual WAN tier (Basic or Standard), certain functionalities and connection types are supported.
Virtual WAN Basic typically supports basic VPN features and connectivity.
Virtual WAN Standard provides all the features of Basic, plus it supports ExpressRoute, Point-to-Site (P2S) VPN, and much more advanced features like VPN and ER connectivity, BGP routing, multiple connections, and custom BGP settings.
Given this:
Site1 with 500 users connected via ExpressRoute would require Virtual WAN Standard because Basic does not support ExpressRoute connections.
Site2 with 100 users connected via Site-to-Site VPN could be supported by either Virtual WAN Basic or Standard, as both support Site-to-Site VPN connections. However, considering the number of users and potential need for advanced features, Virtual WAN Standard might be more appropriate.
Site3 with 1 user connected via Point-to-Site VPN would typically only require Virtual WAN Basic, as it’s a single user and Basic supports P2S VPN. However, if advanced features of P2S VPN are required, such as Azure AD authentication, then Virtual WAN Standard would be necessary.
Based on these considerations, here are the selections:
Virtual WAN Basic: Can be used for Site2 and Site3 only.
Virtual WAN Standard: Can be used for Site1, Site2, and Site3.
The selection depends on the specific features and scalability requirements of each site’s connection to Azure. If the only consideration is the type of connectivity, then Basic could suffice for Site2 and Site3, while Standard is required for Site1. However, if advanced features are a consideration, Standard may be the appropriate choice across all sites.
You have Azure virtual networks in the East US Azure region as shown in the following table.
The virtual networks are peered to one another. Each virtual network contains four subnets.
You plan to deploy a virtual machine named VM1 that will inspect and route traffic between all the subnets on both the virtual networks.
What is the minimum number of IP addresses that you must assign to VM1?
- A . 1
- B . 2
- C . 4
- D . 8
HOTSPOT
You have an Azure subscription that contains two virtual networks named Vnet1 and Vnet2.
You register a public DNS zone named fabrikam.com.
The zone is configured as shown in the Public DNS Zone exhibit.
You have a private DNS zone named fabrikam.com.
The zone is configured as shown in the Private DNS Zone exhibit.
You have a virtual network link configured as shown in the Virtual Network Link exhibit.
For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.
Explanation:
Box 1: Yes
DNS queries from the internet use the public DNS zone. In the public DNS zone, www.fabrikam.com is a CNAME record that resolves to appservice1.fabrikam.com which resolves to 131.107.1.1.
Box 2: No
DNS queries from the internet use the public DNS zone. There is no DNS record for server1.fabrikam.com in the public DNS zone.
Box 3: No
The private DNS zone is linked to VNet1, not VNet2. Therefore, resources in VNet2 cannot query the private DNS zone.
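As an added example, not part of the question bank, the resolver below models the three statements above: queries from the internet are answered only from the public zone (following the CNAME chain www.fabrikam.com to appservice1.fabrikam.com to 131.107.1.1, as on the page), while a query from a virtual machine reaches the private zone only when its virtual network has a link to that zone. The private record for server1.fabrikam.com (10.0.0.4) and the link table are constructed; the code treats a linked private zone as authoritative for its name (no fallback to the public zone when the record is missing), which is an assumption of this model.

```python
"""Split-horizon model of an Azure public and private DNS zone with the same name.
Added example: public records are the page's; the private record and links are constructed."""
from typing import Optional

# Public zone fabrikam.com, as shown on the page.
PUBLIC_ZONE = {
    "www.fabrikam.com": ("CNAME", "appservice1.fabrikam.com"),
    "appservice1.fabrikam.com": ("A", "131.107.1.1"),
}

# Private zone fabrikam.com; the address is a constructed value.
PRIVATE_ZONE = {
    "server1.fabrikam.com": ("A", "10.0.0.4"),
}

# Virtual network links of the private zone: per the page, only Vnet1 is linked.
PRIVATE_ZONE_LINKS = {"Vnet1"}

MAX_CNAME_HOPS = 8   # guards against CNAME loops in a mis-configured zone


def lookup(zone: dict, name: str) -> Optional[str]:
    """Follow CNAME records within one zone until an A record or a miss."""
    hops = 0
    while hops < MAX_CNAME_HOPS:
        record = zone.get(name.lower().rstrip("."))
        if record is None:
            return None
        rtype, value = record
        if rtype == "A":
            return value
        name = value          # CNAME: chase the target name
        hops += 1
    return None               # loop or over-long chain: treat as unresolvable


def resolve(name: str, client_vnet: Optional[str] = None) -> Optional[str]:
    """client_vnet=None models a query from the internet.
    A query from a VM consults the private zone only if its VNet is linked;
    an unlinked VNet (such as Vnet2) sees only the public zone."""
    if client_vnet is not None and client_vnet in PRIVATE_ZONE_LINKS:
        return lookup(PRIVATE_ZONE, name)      # assumption: private zone is authoritative
    return lookup(PUBLIC_ZONE, name)


if __name__ == "__main__":
    print("internet  www.fabrikam.com     ->", resolve("www.fabrikam.com"))
    print("internet  server1.fabrikam.com ->", resolve("server1.fabrikam.com"))
    print("Vnet2     server1.fabrikam.com ->", resolve("server1.fabrikam.com", "Vnet2"))
    print("Vnet1     server1.fabrikam.com ->", resolve("server1.fabrikam.com", "Vnet1"))
```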
You plan to deploy an Azure virtual network.
You need to design the subnets.
Which three types of resources require a dedicated subnet? Each correct answer presents a complete solution. NOTE: Each correct selection is worth one point.
- A . VPN gateway
- B . Azure Bastion
- C . Azure Active Directory Domain Services (Azure AD DS)
- D . Azure Application Gateway v2
- E . Azure Private Link
ABD
Explanation:
Reference: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-for-azure-services
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure application gateway that has Azure Web Application Firewall (WAF) enabled. You configure the application gateway to direct traffic to the URL of the application gateway.
You attempt to access the URL and receive an HTTP 403 error. You view the diagnostics log and discover the following error.
You need to ensure that the URL is accessible through the application gateway.
Solution: You disable the WAF rule that has a ruleId of 920300.
Does this meet the goal?
- A . Yes
- B . No
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure application gateway that has Azure Web Application Firewall (WAF) enabled. You configure the application gateway to direct traffic to the URL of the application gateway.
You attempt to access the URL and receive an HTTP 403 error. You view the diagnostics log and discover the following error.
You need to ensure that the URL is accessible through the application gateway.
Solution: You configure a custom cookie and an exclusion rule.
Does this meet the goal?
- A . Yes
- B . No
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure application gateway that has Azure Web Application Firewall (WAF) enabled. You configure the application gateway to direct traffic to the URL of the application gateway.
You attempt to access the URL and receive an HTTP 403 error. You view the diagnostics log and discover the following error.
You need to ensure that the URL is accessible through the application gateway.
Solution: You create a WAF policy exclusion for request headers that contain 137.135.10.24.
Does this meet the goal?
- A . Yes
- B . No
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription that contains the following resources:
* A virtual network named Vnet1
* A subnet named Subnet1 in Vnet1
* A virtual machine named VM1 that connects to Subnet1
* Three storage accounts named storage1, storage2, and storage3
You need to ensure that VM1 can access storage1. VM1 must be prevented from accessing any other storage accounts.
Solution: You configure the firewall on storage1 to only accept connections from Vnet1.
Does this meet the goal?
- A . Yes
- B . No
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription that contains the following resources:
* A virtual network named Vnet1
* A subnet named Subnet1 in Vnet1
* A virtual machine named VM1 that connects to Subnet1
* Three storage accounts named storage1, storage2, and storage3
You need to ensure that VM1 can access storage1. VM1 must be prevented from accessing any other storage accounts.
Solution: You create a network security group (NSG) and associate the NSG to Subnet1.
Does this meet the goal?
- A . Yes
- B . No
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription that contains the following resources:
* A virtual network named Vnet1
* A subnet named Subnet1 in Vnet1
* A virtual machine named VM1 that connects to Subnet1
* Three storage accounts named storage1, storage2, and storage3
You need to ensure that VM1 can access storage1. VM1 must be prevented from accessing any other storage accounts.
Solution: You create a network security group (NSG). You configure a service tag for Microsoft Storage and link the tag to Subnet1.
Does this meet the goal?
- A . Yes
- B . No
Your company has a single on-premises datacenter in New York. The East US Azure region has a peering location in New York.
The company only has Azure resources in the East US region.
You need to implement ExpressRoute to support up to 1 Gbps. You must use only ExpressRoute Unlimited data plans. The solution must minimize costs.
Which type of ExpressRoute circuits should you create?
- A . ExpressRoute Local
- B . ExpressRoute Direct
- C . ExpressRoute Premium
- D . ExpressRoute Standard
A
Explanation:
Reference: https://azure.microsoft.com/en-us/pricing/details/expressroute/
You plan to configure BGP for a Site-to-Site VPN connection between a datacenter and Azure.
Which two Azure resources should you configure? Each correct answer presents a part of the solution. NOTE: Each correct selection is worth one point. (Choose two.)
- A . a virtual network gateway
- B . Azure Application Gateway
- C . Azure Firewall
- D . a local network gateway
- E . Azure Front Door
AD
Explanation:
Reference: https://docs.microsoft.com/en-us/azure/vpn-gateway/bgp-howto
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have two Azure virtual networks named Vnet1 and Vnet2.
You have a Windows 10 device named Client1 that connects to Vnet1 by using a Point-to-Site (P2S) IKEv2 VPN.
You implement virtual network peering between Vnet1 and Vnet2. Vnet1 allows gateway transit.
Vnet2 can use the remote gateway.
You discover that Client1 cannot communicate with Vnet2.
You need to ensure that Client1 can communicate with Vnet2.
Solution: You reset the gateway of Vnet1.
Does this meet the goal?
- A . Yes
- B . No
B
Explanation:
The VPN client must be downloaded again if any changes are made to VNet peering or the network topology.
Reference: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-point-to-site-routing
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have two Azure virtual networks named Vnet1 and Vnet2.
You have a Windows 10 device named Client1 that connects to Vnet1 by using a Point-to-Site (P2S) IKEv2 VPN.
You implement virtual network peering between Vnet1 and Vnet2. Vnet1 allows gateway transit.
Vnet2 can use the remote gateway.
You discover that Client1 cannot communicate with Vnet2.
You need to ensure that Client1 can communicate with Vnet2.
Solution: You enable BGP on the gateway of Vnet1.
Does this meet the goal?
- A . Yes
- B . No
B
Explanation:
The VPN client must be downloaded again if any changes are made to VNet peering or the network topology.
Reference: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-point-to-site-routing
HOTSPOT
You have an Azure environment shown in the following exhibit.
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic. NOTE: Each correct selection is worth one point.
Explanation:
Based on the information presented in the graphic and the understanding of Azure networking, the following can be determined:
For VM1:
VM1 is in VNET1 which has a Site-to-Site VPN connection to the on-premises datacenter, so it can communicate with it.
VNET1 is peered with VNET2 with gateway transit allowed, so VM1 can communicate with VM2.
There is no direct peering between VNET1 and VNET3, but since VNET2 is peered with both VNET1 and VNET3, and VNET2 allows gateway transit, VM1 can also communicate with VM3 through VNET2.
So for VM1, the answer is: "the on-premises datacenter, VM2, and VM3 only."
For VM2:
VM2 is in VNET2 which is peered with VNET1 and VNET3. Therefore, VM2 can communicate with VM1 and VM3.
VNET2 has a Site-to-Site VPN connection to the on-premises datacenter, so VM2 can also communicate with the on-premises datacenter.
So for VM2, the answer is: "the on-premises datacenter, VM1, and VM3 only."
HOTSPOT
You have an Azure private DNS zone named contoso.com that is linked to the virtual networks shown in the following table.
The links have auto registration enabled.
You create the virtual machines shown in the following table.
You manually add the following entry to the contoso.com zone:
✑ Name: VM1
✑ IP address: 10.1.10.9
For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.
Explanation:
Box 1: No
The manual DNS record will overwrite the auto-registered DNS record so VM1 will resolve to 10.1.10.9.
Box 2: No
The DNS record for VM1 is now a manually created record rather than an auto-registered record.
Only auto-registered DNS records are deleted when a VM is deleted.
Box 3: No
This answer depends on how the IP address is changed. To change the IP address of a VM manually, you would need to select ‘Static’ as the IP address assignment. In this case, the DNS record will not be updated because only DHCP assigned IP addresses are auto-registered.
Reference: https://docs.microsoft.com/en-us/azure/dns/dns-faq-private
HOTSPOT
Your company has an Azure virtual network named Vnet1 that uses an IP address space of 192.168.0.0/20. Vnet1 contains a subnet named Subnet1 that uses an IP address space of 192.168.0.0/24.
You add an IPv6 address range to Vnet1 by using a CIDR suffix of /48.
You need to enable the virtual machines on Subnet1 to communicate with each other by using IPv6 addresses assigned by the company. The solution must minimize the number of additional IPv4 addresses.
What should you do? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Explanation:
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/ipv6-overview
https://docs.microsoft.com/en-us/azure/virtual-network/ipv6-add-to-existing-vnet-powershell
1) Correct: /64
The subnets for IPv6 must be exactly /64 in size. This ensures future compatibility should you decide to enable routing of the subnet to an on-premises network since some routers can only accept /64 IPv6 routes.
Source: https://docs.microsoft.com/en-us/azure/virtual-network/ip-services/ipv6-overview
2) Correct: Public IPv6 Address
Add IPv6 configuration to NIC. "Configure all of the VM NICs with an IPv6 address using Add-AzNetworkInterfaceIpConfig"
Source: https://docs.microsoft.com/en-us/azure/load-balancer/ipv6-add-to-existing-vnet-powershell
HOTSPOT
You plan to deploy Azure Virtual WAN.
You need to deploy a virtual WAN hub that meets the following requirements:
✑ Supports 10 sites that will connect to the virtual WAN hub by using a Site-to-Site VPN connection
✑ Supports 8 Gbps of ExpressRoute traffic
✑ Minimizes costs
What should you configure? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Explanation:
Reference: https://docs.microsoft.com/en-us/azure/virtual-wan/virtual-wan-about
DRAG DROP
You have two Azure virtual networks named Hub1 and Spoke1. Hub1 connects to an on-premises network by using a Site-to-Site VPN connection.
You are implementing peering between Hub1 and Spoke1.
You need to ensure that a virtual machine connected to Spoke1 can connect to the on-premises network through Hub1.
How should you complete the PowerShell script? To answer, drag the appropriate values to the correct targets. Each value may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content. NOTE: Each correct selection is worth one point.
Explanation:
Reference: https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/hub-spoke?tabs=cli#virtual-network-peering
DRAG DROP
You have three on-premises sites. Each site has a third-party VPN device.
You have an Azure virtual WAN named VWAN1 that has a hub named Hub1. Hub1 connects two of the three on-premises sites by using a Site-to-Site VPN connection.
You need to connect the third site to the other two sites by using Hub1.
Which four actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Explanation:
Reference: https://docs.microsoft.com/en-us/azure/virtual-wan/virtual-wan-site-to-site-portal
HOTSPOT
You are planning an Azure solution that will contain the following types of resources in a single Azure region:
✑ Virtual machine
✑ Azure App Service
✑ Virtual Network gateway
✑ Azure SQL Managed Instance
App Service and SQL Managed Instance will be delegated to create resources in virtual networks.
You need to identify how many virtual networks and subnets are required for the solution.
The solution must minimize costs to transfer data between virtual networks.
What should you identify? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Explanation:
Reference: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-for-azure-services#services-that-can-be-deployed-into-a-virtual-network
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have two Azure virtual networks named Vnet1 and Vnet2.
You have a Windows 10 device named Client1 that connects to Vnet1 by using a Point-to-Site (P2S) IKEv2 VPN.
You implement virtual network peering between Vnet1 and Vnet2. Vnet1 allows gateway transit.
Vnet2 can use the remote gateway.
You discover that Client1 cannot communicate with Vnet2.
You need to ensure that Client1 can communicate with Vnet2.
Solution: You download and reinstall the VPN client configuration.
Does this meet the goal?
- A . Yes
- B . No
B
Explanation:
No, this solution does not meet the goal. Downloading and reinstalling the VPN client configuration on Client1 will not change the ability of Client1 to communicate with Vnet2. The ability for a P2S VPN client to communicate across a VNet peering connection depends on the configuration of the gateways and the network.
In this scenario, the virtual network peering is configured to allow gateway transit, and Vnet2 is set to use the remote gateway. However, you need to ensure that:
The VPN gateway for Vnet1 is configured to allow point-to-site clients to use Azure’s internal routing to access resources in Vnet2. This is typically allowed by default but should be verified.
Network security groups (NSGs) and/or route tables are not blocking the traffic from Client1 to Vnet2.
The address space of Vnet2 does not overlap with the address space for the P2S VPN clients. Azure uses the address space specified for the VPN client pool to route traffic from the clients through the gateway.
If all the above are correctly configured and Client1 still cannot communicate with Vnet2, you may need to check for any other routing issues or misconfigurations that might be preventing communication between the networks.
HOTSPOT
You have an Azure subscription that contains the route tables and routes shown in the following table.
The subscription contains the subnets shown in the following table.
The subscription contains the virtual machines shown in the following table.
There is a Site-to-Site VPN connection to each local network gateway.
For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.
Explanation:
Reference: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview
You have an Azure application gateway named AGW1 that has a routing rule named Rule1. Rule 1 directs traffic for http://www.contoso.com to a backend pool named Pool1. Pool1 targets an Azure virtual machine scale set named VMSS1.
You deploy another virtual machine scale set named VMSS2.
You need to configure AGW1 to direct all traffic for http://www.adatum.com to VMSS2.
The solution must ensure that requests to http://www.contoso.com continue to be directed to Pool1.
Which three actions should you perform? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.
- A . Add a backend pool.
- B . Modify an HTTP setting.
- C . Add an HTTP setting.
- D . Add a listener.
- E . Add a rule.
ADE
Explanation:
Reference: https://docs.microsoft.com/en-us/azure/application-gateway/configuration-overview
HOTSPOT
You have an Azure Traffic Manager parent profile named TM1. TM1 has two child profiles named TM2 and TM3.
TM1 uses the performance traffic-routing method and has the endpoints shown in the following table.
TM2 uses the weighted traffic-routing method with MinChildEndpoint = 2 and has the endpoints shown in the following table.
TM3 uses priority traffic-routing method and has the endpoints shown in the following table.
The App2, App4, and App6 endpoints have a degraded monitoring status.
To which endpoint is traffic directed? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point
Explanation:
Reference: https://docs.microsoft.com/en-us/azure/traffic-manager/traffic-manager-nested-profiles
Traffic from West Europe:
Based on the TM1 table, West Europe will trigger TM2. However, because MinChildEndpoint is set to 2 and App4 is degraded (down), the entire TM2 profile is not considered available.
This falls back to the parent TM1, which uses the performance traffic-routing method, so the closest available location is App1, which is naturally the next best performing instance. Hence, Answer = App1
Traffic from West US:
Based on the TM1 table, West US will trigger TM3. However, both App2 and App6 are degraded (down), so neither of them can be considered.
This falls back to the parent TM1, which uses the performance traffic-routing method. From TM1, the other two US locations would be App2 and App3, but App2 is already degraded (unavailable), so the only option is App3. Answer = App3
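The nested-profile rules this walkthrough relies on (a nested endpoint counts as degraded when fewer than MinChildEndpoints of its children are healthy, and the parent then applies its own routing method to the remaining endpoints), as an added Python simulation that is not part of the original question set. The exhibit tables are not on the page, so the endpoint regions, latencies and memberships below are constructed assumptions.

```python
"""Simulated nested Azure Traffic Manager resolution (constructed example)."""
import random
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed client-to-endpoint latency table in ms; assumed values, not real data.
LATENCY = {
    ("West Europe", "West Europe"): 5, ("West Europe", "North Europe"): 20,
    ("West Europe", "East US"): 90, ("West Europe", "Central US"): 110,
    ("West Europe", "West US"): 150,
    ("West US", "West US"): 5, ("West US", "Central US"): 40,
    ("West US", "East US"): 70, ("West US", "North Europe"): 140,
    ("West US", "West Europe"): 150,
}

@dataclass
class Endpoint:
    name: str
    region: str
    status: str = "online"            # monitoring status: "online" or "degraded"
    weight: int = 1                   # weighted method
    priority: int = 1                 # priority method (lower number wins)
    child: Optional["Profile"] = None # set for nested endpoints
    min_child_endpoints: int = 1      # MinChildEndpoints for nested endpoints

@dataclass
class Profile:
    name: str
    method: str                       # "performance", "weighted" or "priority"
    endpoints: List[Endpoint] = field(default_factory=list)

    def available(self) -> List[Endpoint]:
        return [e for e in self.endpoints if is_available(e)]

def is_available(ep: Endpoint) -> bool:
    """A nested endpoint is healthy only while enough child endpoints are healthy."""
    if ep.child is not None:
        return len(ep.child.available()) >= ep.min_child_endpoints
    return ep.status == "online"

def resolve(profile: Profile, client_region: str,
            rng: Optional[random.Random] = None) -> Optional[str]:
    """Name of the endpoint a client in client_region is sent to, or None if none."""
    rng = rng or random.Random(0)
    candidates = profile.available()
    if not candidates:
        return None
    if profile.method == "performance":
        chosen = min(candidates, key=lambda e: LATENCY.get((client_region, e.region), 10**6))
    elif profile.method == "priority":
        chosen = min(candidates, key=lambda e: e.priority)
    elif profile.method == "weighted":
        chosen = rng.choices(candidates, weights=[e.weight for e in candidates], k=1)[0]
    else:
        raise ValueError(f"unknown routing method {profile.method}")
    if chosen.child is not None:      # descend into the nested profile
        return resolve(chosen.child, client_region, rng)
    return chosen.name

def build_scenario() -> Profile:
    """Constructed topology modelled on the question; regions are assumed."""
    tm2 = Profile("TM2", "weighted", [
        Endpoint("App4", "West Europe", status="degraded"),
        Endpoint("App5", "West Europe"),
    ])
    tm3 = Profile("TM3", "priority", [
        Endpoint("App2", "Central US", status="degraded", priority=1),
        Endpoint("App6", "West US", status="degraded", priority=2),
    ])
    return Profile("TM1", "performance", [
        Endpoint("App1", "North Europe"),
        Endpoint("TM2", "West Europe", child=tm2, min_child_endpoints=2),
        Endpoint("App2", "Central US", status="degraded"),
        Endpoint("App3", "East US"),
        Endpoint("TM3", "West US", child=tm3),
    ])

if __name__ == "__main__":
    tm1 = build_scenario()
    for region in ("West Europe", "West US"):
        print(region, "->", resolve(tm1, region))   # App1, App3
```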
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure application gateway that has Azure Web Application Firewall (WAF) enabled.
You configure the application gateway to direct traffic to the URL of the application gateway.
You attempt to access the URL and receive an HTTP 403 error. You view the diagnostics log and discover the following error.
You need to ensure that the URL is accessible through the application gateway.
Solution: You add a rewrite rule for the host header.
Does this meet the goal?
- A . Yes
- B . No
B
Explanation:
https://docs.microsoft.com/en-us/azure/application-gateway/rewrite-http-headers-url#limitations
HOTSPOT
You have an Azure Front Door instance that provides access to a web app. The web app uses a hostname of www.contoso.com.
You have the routing rules shown in the following table.
Which rule will apply to each incoming request? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point
Explanation:
Reference: https://docs.microsoft.com/en-us/azure/frontdoor/front-door-route-matching
You have an Azure subscription that contains an Azure App Service app. The app uses a URL of https://www.contoso.com.
You need to use a custom domain on Azure Front Door for www.contoso.com. The custom domain must use a certificate from an allowed certification authority (CA).
What should you include in the solution?
- A . an enterprise application in Azure Active Directory (Azure AD)
- B . Active Directory Certificate Services (AD CS)
- C . Azure Key Vault
- D . Azure Application Gateway
C
Explanation:
Reference: https://docs.microsoft.com/en-us/azure/frontdoor/front-door-custom-domain-https
HOTSPOT
You have an Azure virtual network named Vnet1 that contains two subnets named Subnet1 and Subnet2.
You have the NAT gateway shown in the NATgateway1 exhibit.
You have the virtual machine shown in the VM1 exhibit.
Subnet1 is configured as shown in the Subnet1 exhibit.
For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.
Explanation:
Box 1: No
VM1 is in Zone2 whereas the NAT Gateway is in Zone1. The VM would need to be in the same zone as the NAT Gateway to be able to use it. Therefore, VM1 cannot use the NAT gateway.
Box 2: Yes
NATgateway1 is configured in the settings for Subnet2.
Box 3: No
The NAT gateway does not have a single public IP address; it has an IP prefix, which means more than one IP address. The VMs that use the NAT gateway can use different public IP addresses contained within the IP prefix.
Reference: https://docs.microsoft.com/en-us/azure/virtual-network/nat-gateway/nat-gateway-resource
You have the Azure environment shown in the exhibit.
VM1 is a virtual machine that has an instance-level public IP address (ILPIP).
Basic Load Balancer uses a public IP address. VM1 and VM2 are in the backend pool.
NAT Gateway uses a public IP address named IP3 that is associated to Subnet A.
VNet1 has a virtual network gateway that has a public IP address named IP4.
When initiating outbound traffic to the internet from VM1, which public address is used?
- A . IP1
- B . IP2
- C . IP3
- D . IP4
You plan to publish a website that will use an FQDN of www.contoso.com.
The website will be hosted by using the Azure App Service apps shown in the following table.
You plan to use Azure Traffic Manager to manage the routing of traffic for www.contoso.com between AS1 and AS2.
You need to ensure that Traffic Manager routes traffic for www.contoso.com.
Which DNS record should you create?
- A . two A records that map www.contoso.com to 131.107.100.1 and 131.107.200.1
- B . a CNAME record that maps www.contoso.com to TMprofile1.azurefd.net
- C . a CNAME record that maps www.contoso.com to TMprofile1.trafficmanager.net
- D . a TXT record that contains a string of as1.contoso.com and as2.contoso.com in the details
C
Explanation:
Reference:
https://docs.microsoft.com/en-us/azure/traffic-manager/quickstart-create-traffic-manager-profile
https://docs.microsoft.com/en-us/azure/app-service/configure-domain-traffic-manager
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure application gateway that has Azure Web Application Firewall (WAF) enabled.
You configure the application gateway to direct traffic to the URL of the application gateway.
You attempt to access the URL and receive an HTTP 403 error. You view the diagnostics log and discover the following error.
You need to ensure that the URL is accessible through the application gateway.
Solution: You create a WAF policy exclusion for request headers that contain 137.135.10.24.
Does this meet the goal?
- A . Yes
- B . No
B
Explanation:
The parameter here should be RemoteAddr not Request header. https://docs.microsoft.com/en-us/azure/web-application-firewall/ag/custom-waf-rules-overview#match-variable-required
You have an Azure Web Application Firewall (WAF) policy in prevention mode that is associated to an Azure Front Door instance.
You need to configure the policy to meet the following requirements:
✑ Log all connections from Australia.
✑ Deny all connections from New Zealand.
✑ Deny all further connections from a network of 131.107.100.0/24 if there are more than 100 connections during one minute.
What is the minimum number of objects you should create?
- A . three custom rules that each has one condition
- B . one custom rule that has three conditions
- C . one custom rule that has one condition
- D . one rule that has two conditions and another rule that has one condition
A
Explanation:
Reference: https://docs.microsoft.com/en-us/azure/web-application-firewall/afds/afds-overview
You have an Azure subscription that contains multiple virtual machines in the West US Azure region.
You need to use Traffic Analytics.
Which two resources should you create? Each correct answer presents part of the solution. NOTE: Each correct answer selection is worth one point. (Choose two.)
- A . an Azure Monitor workbook
- B . a Log Analytics workspace
- C . a storage account
- D . an Azure Sentinel workspace
- E . an Azure Monitor data collection rule
BC
Explanation:
Reference: https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics
A storage account is used to store network security group flow logs.
A Log Analytics workspace is used by Traffic Analytics to store the aggregated and indexed data that is then used to generate the analytics.
https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics#enable-flow-log-settings
HOTSPOT
You have an Azure subscription that contains the virtual machines shown in the following table.
Subnet1 and Subnet2 are associated to a network security group (NSG) named NSG1 that has the following outbound rule:
✑ Priority: 100
✑ Port: Any
✑ Protocol: Any
✑ Source: Any
✑ Destination: Storage
✑ Action: Deny
You create a private endpoint that has the following settings:
✑ Name: Private1
✑ Resource type: Microsoft.Storage/storageAccounts
✑ Resource: storage1
✑ Target sub-resource: blob
✑ Virtual network: Vnet1
✑ Subnet: Subnet1
For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.
Explanation:
Yes, Yes, Yes
NSG rules applied to the subnet hosting the private endpoint are not applied to the private endpoint. So the NSG1 doesn’t limit storage access from either VM1 or VM2. https://docs.microsoft.com/en-us/azure/storage/common/storage-private-endpoints#network-security-group-rules-for-subnets-with-private-endpoints
HOTSPOT
You have an Azure firewall shown in the following exhibit.
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic. NOTE: Each correct selection is worth one point.
Explanation:
Box 1:
If forced tunneling was enabled, the Firewall Subnet would be named AzureFirewallManagementSubnet. Forced tunneling can only be enabled during the creation of the firewall. It cannot be enabled after the firewall has been deployed.
Box 2:
The “Visit Azure Firewall Manager to configure and manage this firewall” link in the exhibit shows that the firewall is managed by Azure Firewall Manager.
You have a hybrid environment that uses ExpressRoute to connect an on-premises network and Azure.
You need to log the uptime and the latency of the connection periodically by using an Azure virtual machine and an on-premises virtual machine.
What should you use?
- A . Azure Monitor
- B . IP flow verify
- C . Connection Monitor
- D . Azure Internet Analyzer
C
Explanation:
Reference: https://docs.microsoft.com/en-us/azure/network-watcher/connection-monitor
You have an Azure subscription that contains the following resources:
✑ A virtual network named Vnet1
✑ Two subnets named subnet1 and AzureFirewallSubnet
✑ A public Azure Firewall named FW1
✑ A route table named RT1 that is associated to Subnet1
✑ A rule routing of 0.0.0.0/0 to FW1 in RT1
After deploying 10 servers that run Windows Server to Subnet1, you discover that none of the virtual machines were activated.
You need to ensure that the virtual machines can be activated.
What should you do?
- A . Deploy an application security group that allows outbound traffic to 1688.
- B . Deploy an Azure Standard Load Balancer that has an outbound NAT rule.
- C . On FW1, configure a DNAT rule for port 1688.
- D . Add an internet route to RT1 for the Azure Key Management Service (KMS).
C
Explanation:
To ensure that the virtual machines can be activated, you need to allow outbound traffic to the Azure Key Management Service (KMS) for activation. The KMS uses the TCP port 1688 for activation services.
The virtual machines in Subnet1 are routing all their traffic (0.0.0.0/0) to the Azure Firewall FW1 based on the rule in the route table RT1. Therefore, you need to configure FW1 to allow traffic to KMS for activation.
The best option here would be:
C. On FW1, configure a DNAT rule for port 1688.
This DNAT rule will translate the destination for outbound traffic on port 1688 to the correct KMS endpoint for activation. It’s important to note that while DNAT is typically used for inbound connections, Azure Firewall rules can also be used to ensure proper handling of outbound traffic to specific public services.
Options A and B are not relevant in this context because:
You have an Azure virtual network that contains a subnet named Subnet1. Subnet1 is associated to a network security group (NSG) named NSG1. NSG1 blocks all outbound traffic that is not allowed explicitly.
Subnet1 contains virtual machines that must communicate with the Azure Cosmos DB service.
You need to create an outbound security rule in NSG1 to enable the virtual machines to connect to Azure Cosmos DB.
What should you include in the solution?
- A . a service tag
- B . a private endpoint
- C . a subnet delegation
- D . an application security group
A
Explanation:
Reference: https://docs.microsoft.com/en-us/azure/virtual-network/service-tags-overview
DRAG DROP
You have an Azure virtual network named Vnet1 that connects to an on-premises network.
You have an Azure Storage account named storageaccount1 that contains blob storage.
You need to configure a private endpoint for the blob storage.
The solution must meet the following requirements:
✑ Ensure that all on-premises users can access storageaccount1 through the private endpoint.
✑ Prevent access to storageaccount1 from being interrupted.
Which four actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Explanation:
You have an Azure virtual network named Vnet1 that has one subnet. Vnet1 is in the West Europe Azure region.
You deploy an Azure App Service app named App1 to the West Europe region.
You need to provide App1 with access to the resources in Vnet1. The solution must minimize costs.
What should you do first?
- A . Create a private link.
- B . Create a new subnet.
- C . Create a NAT gateway.
- D . Create a gateway subnet and deploy a virtual network gateway.
B
Explanation:
To provide an Azure App Service app with access to the resources in an Azure virtual network, while minimizing costs, the first step you should take is:
B. Create a new subnet.
Here’s why this is the best option among the given choices: