Topic 1, Contoso Ltd, Case Study
Background
Contoso, Ltd. is a financial services company based in Boston, MA, United States. Contoso hires you to manage their Azure environment and resolve several operational issues.
General
Contoso’s Azure environment contains the following resources. All resources are associated with the same subscription and are located in the East US region. Users connect to resources from Windows 10 computers by using the built-in SSTP VPN software.
Recent changes
The company implements the following changes:
Extend the IP address space of VNet1 and create subnets in the new IP address space. Allow users with computers that run the current version of macOS to use the built-in VPN client for connecting to the point-to-site VPN.
Enable a service endpoint on contosostorage1 to provide direct access to the storage content from all
Configure all business critical VM workloads to use encryption keys stored in all five key vaults.
Enable a private endpoint on CosmosDB1 to provide direct access to its content from VNet1.
Develop an automated process to deploy Azure VMs by using Azure Bicep. The passwords for the local administrator accounts are stored in the key vaults. You grant the team that initiates the deployment the Reader RBAC role to all key vaults.
Deploy a multi-tier SharePoint Server environment into a subnet in VNet2. You implement network security groups (NSGs) to allow only specific ports between tiers in the subnet. You configure NSGs to use application security groups (ASGs) when designating the source and destination of cross-tier traffic.
Deploy a secondary multi-tier SharePoint Server environment into a subnet in VNet3.
Requirements
General requirements
You must adhere to the principle of least privilege when granting access to resources.
Reverse DNS lookup
You must identify the reason for the differences between reverse DNS lookup results in the hub and the spoke networks and recommend a solution that provides the reverse DNS lookup in the format [vmname].contoso.com for all three virtual networks.
Public DNS lookup
You must verify that the Azure public DNS zone is currently used to resolve DNS name requests for www.contoso.com and recommend a solution that uses the Azure public DNS zone.
Windows VPN
You must verify if VPN client connectivity issues are related to routing and recommend a solution.
MacOS VPN
You must verify if the Remote ID and Local ID VPN client settings on the macOS devices are properly configured.
Azure Storage connectivity
You must resolve the issues with the SMB mounts from VNet2 and VNet3 as well as ensure that on-premises connections to contosostorage1 are successful. Your solution must ensure that, whenever possible, network traffic does not traverse the public internet.
Cosmos DB connectivity
You must verify whether on-premises connections to CosmosDB1 are using the CosmosDB1 public endpoint, and recommend a solution if connections are not using the private endpoint.
DNS issues
Reverse DNS lookups from VNet1 return two records. One DNS record is in the format [vmname].contoso.com and the other DNS record is in the format [vmname].internal.cloudapp.net. Reverse DNS lookups from VNet2 and VNet3 return DNS names in the format [vmname].internal.cloudapp.net.
VMs on each virtual network can only resolve reverse DNS lookup names of VMs on the same virtual network.
Public DNS lookup
You are notified that name resolution requests for www.contoso.com are using the DNS zone hosted by the DNS registrar where the zone was originally created.
Connectivity and routing issues
Windows VPN
Windows VPN clients cannot connect to Azure VMs on the subnets recently added to VNet1.
Sales department VPN
The sales department users connect by using the macOS VPN client.
Azure Storage Connectivity
Server Message Block (SMB) mounts from VMs on VNet2 and VNet3 to file shares in contosostorage1 are failing.
Azure Storage Explorer connections using access keys from on-premises computers to contosostorage1 are failing.
Cosmos DB connectivity
You observe that connections to CosmosDB1 from the on-premises environment are using the CosmosDB1 public endpoint. However, connections to CosmosDB1 from the on-premises environment should be using the private endpoint. You verify that connections to CosmosDB1 from VNet1 are using the private endpoint.
Azure Key vault
Access attempts to Azure Key Vault by VM workloads intermittently fail with the HTTP response code 429. You must identify the reason for the failures and recommend a solution.
SharePoint
SharePoint in VNet2
SharePoint traffic between tiers is blocked by NSGs which is causing application failures. You need to identify the NSG rules that are blocking traffic. You also need to collect the data that is blocked by the NSG rules. The solution must minimize administrative effort.
SharePoint in VNet3
ASGs used in the NSG rules associated with the VNet2 subnet are not visible when configuring NSG rules in VNet3. You need to create NSG rules for VNet3 with the same name, source and destination settings that are configured for the NSG associated with VNet2. The solution must minimize administrative effort.
Permission issues
Azure Bicep
You must identify the minimum privileges required to provision Azure VMs using Azure Bicep.
Data engineering team
You must identify the role-based access control (RBAC) roles required by the data engineering team to access the storage account by using the Azure portal. The team requires minimum permissions to back up and restore blobs in contosostorage1. The Contoso data engineering team is unable to view the contosostorage1 account in the Azure portal.
Azure VM deployment
Azure VM deployments that use Azure Bicep are failing with an authorization error. The error indicates there are insufficient access permissions to retrieve the password of the local administrator account from the key vault.
VM1 and VM2
RT12 must be configured to route internet traffic from VM1 through VM2. You observe that internet traffic from VM1 is routed directly to the internet.
VM2
You configure VM2 to route internet traffic from VM1. After configuring RT12 to route internet traffic from VM1 through VM2, traffic reaches VM2 but is then dropped. You verify that routing for VM2 is configured correctly.
HOTSPOT
You need to troubleshoot the Azure Key Vault issues.
What should you do? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Explanation:
Box 1: Key Vault transaction limit.
HTTP 429 from Key Vault means the vault is throttling the caller. Each vault enforces a limit on the number of transactions it accepts per 10-second window, per vault and per region, and the limit depends on the operation and key type (see the service-limits page). Intermittent failures are the typical signature: requests succeed again as soon as the window rolls over. Throttling is a property of the vault, not of a pricing tier, so moving from Standard to Premium does not raise it. The remedies are to send fewer requests (cache secrets and keys in the workload instead of fetching them on every use), to retry with exponential backoff (honouring a Retry-After value when the response carries one), and to spread the load across more vaults.
Reference: https://docs.microsoft.com/en-us/azure/key-vault/general/service-limits
Box 2: Distribute requests across additional Azure Key Vaults
Because the limit is enforced per vault, the structural fix in this scenario is to spread the business critical workloads' requests across the five vaults Contoso already operates rather than sending them all to one. Combine that with client-side caching and backoff so that a burst from a single workload cannot exhaust a vault's window budget on its own.
Reference: https://docs.microsoft.com/en-us/azure/key-vault/general/overview-throttling
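As an added example (not part of the original explanation or of any Microsoft sample), the Python below models the per-vault transaction window with a constructed budget of three transactions per 10 seconds and shows the three client-side mitigations working together: a local cache that removes repeat reads, exponential backoff that honours the Retry-After value on a 429, and round-robin distribution across several vaults. The vault names, the budget and the secret names are assumptions for the demonstration; the real limits are on the service-limits page linked above.

```python
"""Client-side handling of Azure Key Vault HTTP 429 throttling.

Added example, not from the original page. SimulatedVault stands in for a
real vault: it accepts a fixed number of transactions per 10-second window
(3 here, a constructed number, not the documented service limit) and raises
a 429-style error with a Retry-After value otherwise. A fake clock keeps the
run deterministic and offline.
"""
from dataclasses import dataclass


class Throttled(Exception):
    """Models HTTP 429 from Key Vault; retry_after is the suggested delay in seconds."""

    def __init__(self, retry_after: float) -> None:
        super().__init__("429 Too Many Requests")
        self.retry_after = retry_after


class FakeClock:
    """Deterministic clock so the example runs without real sleeps."""

    def __init__(self) -> None:
        self.now = 0.0

    def sleep(self, seconds: float) -> None:
        self.now += seconds


@dataclass
class SimulatedVault:
    name: str
    budget_per_window: int          # constructed budget, not the real limit
    window_seconds: float = 10.0
    calls: int = 0                  # every request received, throttled or not
    window_start: float = 0.0
    used: int = 0

    def get_secret(self, secret_name: str, now: float) -> str:
        if now - self.window_start >= self.window_seconds:
            self.window_start, self.used = now, 0      # new 10-second window
        self.calls += 1
        if self.used >= self.budget_per_window:
            raise Throttled(self.window_start + self.window_seconds - now)
        self.used += 1
        return f"{self.name}/{secret_name}"


class ThrottleAwareClient:
    """Caches values, round-robins across vaults, and backs off on 429."""

    def __init__(self, vaults, clock: FakeClock, cache_ttl: float = 300.0) -> None:
        self.vaults = list(vaults)
        self.clock = clock
        self.cache_ttl = cache_ttl
        self.cache = {}             # secret name -> (value, fetched_at)
        self.next_vault = 0
        self.sleeps = []            # delays applied, kept for inspection

    def get_secret(self, name: str, max_attempts: int = 5, base_delay: float = 0.5) -> str:
        hit = self.cache.get(name)
        if hit and self.clock.now - hit[1] < self.cache_ttl:
            return hit[0]           # served from cache: no vault transaction
        delay = base_delay
        for _ in range(max_attempts):
            vault = self.vaults[self.next_vault % len(self.vaults)]
            self.next_vault += 1    # spread successive reads across vaults
            try:
                value = vault.get_secret(name, self.clock.now)
            except Throttled as exc:
                wait = max(exc.retry_after, delay)   # honour Retry-After, else back off
                self.sleeps.append(wait)
                self.clock.sleep(wait)
                delay *= 2
                continue
            self.cache[name] = (value, self.clock.now)
            return value
        raise RuntimeError(f"{name}: still throttled after {max_attempts} attempts")


def run_scenarios() -> dict:
    """Three runs, one per mitigation; returns the counters the runs produce."""
    # 1) one vault, ten distinct secrets: the window budget is exceeded three times
    clock_a, kv_a = FakeClock(), SimulatedVault("kv-contoso-1", budget_per_window=3)
    single = ThrottleAwareClient([kv_a], clock_a)
    for i in range(10):
        single.get_secret(f"vm-admin-{i}")
    # 2) one vault, the same secret ten times: the cache absorbs nine of the reads
    clock_b, kv_b = FakeClock(), SimulatedVault("kv-contoso-1", budget_per_window=3)
    cached = ThrottleAwareClient([kv_b], clock_b)
    for _ in range(10):
        cached.get_secret("sql-admin")
    # 3) three vaults, nine distinct secrets: no vault exceeds its window
    clock_c = FakeClock()
    vaults = [SimulatedVault(f"kv-contoso-{n}", budget_per_window=3) for n in (1, 2, 3)]
    spread = ThrottleAwareClient(vaults, clock_c)
    for i in range(9):
        spread.get_secret(f"vm-admin-{i}")
    return {
        "single_vault_calls": kv_a.calls,                      # 13: 10 served + 3 throttled
        "single_vault_throttle_events": len(single.sleeps),    # 3
        "single_vault_elapsed": clock_a.now,                   # 30.0 seconds of waiting
        "cached_vault_calls": kv_b.calls,                      # 1
        "spread_throttle_events": len(spread.sleeps),          # 0
        "spread_calls_per_vault": [v.calls for v in vaults],   # [3, 3, 3]
    }


if __name__ == "__main__":
    print(run_scenarios())
```

Running it prints the counters: the single-vault run is throttled three times and waits 30 seconds in total, the cached run touches the vault once, and the three-vault run never sees a 429. With the real SDK the same shape applies: keep one SecretClient per vault, cache what you fetch, and let the retry policy back off on 429.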
HOTSPOT
You need to troubleshoot the sales department issues.
How should you configure the system? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Explanation:
Box 1: Remote ID: the VPN gateway's FQDN, the VpnServer value from the downloaded client profile.
The macOS native IKEv2 client verifies the peer it connects to by the Remote ID, which has to match the identity the Azure VPN gateway presents during IKE authentication. That identity is the gateway's public FQDN. It is published in the client profile downloaded from the gateway (the VpnServer element of VpnSettings.xml in the Generic folder of the package), and the macOS configuration uses that same value for both the Server Address and the Remote ID fields. The root certificate is not an IKE identity: its public data is uploaded to the gateway so that client certificates issued from it are trusted, but its subject name does not go into the Remote ID field, and a profile configured that way fails during authentication.
A point-to-site connection lets an individual client computer connect securely to a virtual network through a VPN gateway. The gateway supports certificate authentication, Microsoft Entra ID authentication and RADIUS authentication; the sales department uses certificate authentication with the native client, so the root certificate's public key was uploaded to the gateway and a client certificate chained to it is installed on each Mac. The root certificate's subject still matters when you issue client certificates and when you check that the uploaded root is the one the client certificates chain to. On the Windows machine where the certificates were generated, PowerShell shows it:
$cert = Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object { $_.Subject -like "*ContosoRootCert*" }; $cert.Subject
The output is the subject of the certificate whose name contains ContosoRootCert (for example CN=ContosoRootCert). The -like pattern needs the wildcards, because the Subject property holds the full distinguished name rather than the bare name.
Box 2: Subject name of the client certificate
The Local ID is the identity the client asserts to the gateway. With certificate authentication the gateway checks that the client certificate chains to the uploaded root and that its thumbprint has not been revoked, and the macOS client sends the certificate's subject common name as its identity, so the Local ID is the subject name of the client certificate installed on the device, the same certificate selected under Authentication Settings > Certificate. For a certificate with subject CN=ContosoClientCert the Local ID is ContosoClientCert. On the machine where the client certificate was issued, PowerShell shows the value:
$cert = Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object { $_.Subject -like "*ContosoClientCert*" }; $cert.Subject
The output is the subject of the client certificate that matches ContosoClientCert. Configure its common name as the Local ID on each sales department Mac, and make sure each device holds its own client certificate issued from the root that was uploaded to the gateway.
You need to troubleshoot the CosmosDB1 issues from the on-premises environment.
What should you use?
- A . route command
- B . Network Watcher next hop diagnostic tool
- C . Network Watcher Connection troubleshoot diagnostic tool
- D . nslookup command
C
Explanation:
The Connection troubleshoot tool in Network Watcher tests reachability from a source to a destination endpoint on a given port and reports why a connection fails (an NSG rule, a missing route, a name that does not resolve, and so on), together with the hop-by-hop path it took. Its source must be an Azure resource such as a VM, so run it from a VM in VNet1 against CosmosDB1's FQDN on port 443 to confirm that the path through the private endpoint works inside Azure and that the name resolves to the private endpoint's address there. Comparing that result with what an on-premises host resolves (nslookup of the same FQDN returning a public address) isolates the on-premises DNS configuration as the cause, rather than the private endpoint itself.
HOTSPOT
You need to resolve the Azure virtual machine (VM) deployment issues.
What should you do? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Explanation:
Box 1: Enable access to Azure Resource Manager for template deployment.
A Bicep or ARM template can read a Key Vault secret as a parameter (here, the local administrator password) only if the vault itself permits it: in the vault's Access configuration the option Azure Resource Manager for template deployment must be enabled (the enabledForTemplateDeployment property on the vault). This is independent of who runs the deployment; with it disabled, every template deployment that references the vault fails, whatever permissions the deploying identity holds.
Reference: https://learn.microsoft.com/azure/azure-resource-manager/bicep/key-vault-parameter
Box 2: Grant the Microsoft.KeyVault/vaults/deploy/action permission
This is the control-plane permission that allows Azure Resource Manager to retrieve a secret from the vault on behalf of the identity that submits a deployment. It is checked on that identity (the team member or the pipeline's service principal), so it must be assigned to the deployment team, not to a "Resource Manager" principal. It is narrowly scoped: it lets a deployment fetch a referenced secret and grants no other access to the vault or its contents. The Reader role the team holds today covers only */read operations, which is why the Bicep deployments fail with an authorization error at the step that retrieves the password. Owner and Contributor both include deploy/action, but assigning either to the deployment team would violate the least-privilege requirement, and the Key Vault data-plane roles (Key Vault Administrator, Key Vault Secrets User) do not include it. The least-privilege answer is a custom role whose only action is Microsoft.KeyVault/vaults/deploy/action, assigned to the team at the scope of the key vaults (all five, since the passwords may be stored in any of them).
Azure RBAC controls access through role assignments, which consist of three elements:
✑ The security principal: the user, group, or application that you want to grant access to the resource.
✑ The role definition: the predefined or custom set of permissions to grant. For example, read, write, delete, backup, restore, etc.
✑ The scope: the level at which the assignment applies. For example, a management group, subscription, resource group, or individual resource.
To grant the Microsoft.KeyVault/vaults/deploy/action permission using the Azure portal:
✑ In the Azure portal, navigate to the key vault.
✑ Select Access control (IAM), then select Add > Add role assignment.
✑ Under Role, select the custom role that contains only the Microsoft.KeyVault/vaults/deploy/action action.
✑ Under Members, select User, group, or service principal and select the group or service principal that runs the Bicep deployments.
✑ Select Review + assign to create the role assignment.
To grant the Microsoft.KeyVault/vaults/deploy/action permission using the Azure CLI or PowerShell, see Grant permissions for template deployment.
HOTSPOT
You need to troubleshoot and resolve issues reported for contosostorage1.
What should you do? To answer, select the appropriate option in the answer area. NOTE: Each correct selection is worth one point.
Explanation:
Box 1: Configure service endpoints for the subnets on VNet2 and VNet3.
contosostorage1 has its firewall enabled, so only requests arriving from explicitly allowed networks or addresses are accepted, and the SMB mounts fail from VNet2 and VNet3 because neither network is allowed. A service endpoint is a per-subnet setting: the fact that VNet2 and VNet3 are peered to VNet1 does not extend a service endpoint or a firewall entry configured for a VNet1 subnet to them, so traffic from the spoke VMs reaches the storage account's public endpoint from an address the firewall does not recognise and is rejected (for SMB the symptom is a failed mount on port 445). The fix has two halves. First enable the Microsoft.Storage service endpoint on the subnets in VNet2 and VNet3 that host the VMs; this routes storage traffic over the Microsoft backbone and makes the subnet identity visible to the storage firewall. Then add those subnets as virtual network rules on contosostorage1. Keeping the traffic on the backbone also satisfies the requirement that it not traverse the public internet.
To configure a service endpoint for a subnet using the Azure portal:
✑ In the Azure portal, navigate to the virtual network (VNet2, then VNet3).
✑ Select Subnets, then select the subnet that hosts the VMs that mount the share.
✑ Under Service endpoints, select Microsoft.Storage from the list.
✑ Select Save to apply the changes.
To configure service endpoints for a subnet using the Azure CLI or PowerShell, see Enable a service endpoint.
After enabling the service endpoints, grant the subnets access on the storage account:
✑ In the Azure portal, navigate to contosostorage1.
✑ Select Networking (Firewalls and virtual networks) under Security + networking.
✑ Under Allow access from selected networks, select Add existing virtual network.
✑ Select VNet2 and the subnet that now has the Microsoft.Storage service endpoint; repeat for VNet3.
✑ Select Add, then Save.
To modify the firewall rules on the storage account using the Azure CLI or PowerShell, see Configure Azure Storage firewalls and virtual networks.
Box 2: Configure the firewall settings on contosostorage1.
Azure Storage Explorer from on-premises fails for the same class of reason: the storage firewall allows only selected networks, and the on-premises source is not among them. The account access key authenticates the request but does not bypass network rules, so a valid key still produces a 403 from a disallowed address. On-premises clients reach the storage account's public endpoint through the organisation's internet egress, so the address to allow is the public NAT address range from which the on-premises network leaves for the internet (often, but not necessarily, the address of the VPN device). Storage IP rules accept only public address ranges; private addresses arriving over the site-to-site tunnel cannot be allowed this way, and /31 and /32 ranges must be entered as individual addresses. Adding the egress range is the minimal change that restores the Storage Explorer connection. It does, however, send that traffic across the public internet; if the requirement to avoid the internet must also hold for on-premises clients, the complete answer is a private endpoint for contosostorage1 in VNet1, reachable over the VPN with matching DNS, in which case the IP rule is no longer needed.
To add the on-premises range using the Azure portal:
✑ In the Azure portal, navigate to contosostorage1.
✑ Select Networking (Firewalls and virtual networks) under Security + networking.
✑ Under Firewall, enter the on-premises public egress address range under Address range.
✑ Select Save to apply the changes.
To configure the firewall settings on contosostorage1 using the Azure CLI or PowerShell, see Configure Azure Storage firewalls and virtual networks.
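The following added example (not from the page or from Microsoft) turns the decisions above into a small planner: given the sources that need to reach contosostorage1, it says which can become a virtual network rule, which can become a public IP rule, and which the storage firewall cannot express at all. The subnet ids are constructed, and the 198.51.100.0/24 addresses are documentation addresses standing in for Contoso's internet egress.

```python
"""Plan storage-account network rules for a list of sources.

Added example, not from the original page. It encodes the two rule types the
storage firewall offers (virtual network rules for subnets that have the
Microsoft.Storage service endpoint, IP rules for public address ranges) and
flags what the firewall cannot express: RFC 1918 sources such as an
on-premises LAN behind a VPN, which need a private endpoint instead. Subnet
ids are constructed and the public ranges are documentation addresses
standing in for Contoso's real internet egress.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Source:
    label: str
    subnet_id: Optional[str] = None      # Azure subnet resource id, for VNet sources
    service_endpoint: bool = False       # Microsoft.Storage endpoint enabled on it?
    cidr: Optional[str] = None           # address or range the account sees, for IP sources


@dataclass
class Decision:
    label: str
    rule: Optional[str]                  # "vnet", "ip", or None when no rule can be written
    value: str
    reason: str


def plan_network_rules(sources: List[Source]) -> List[Decision]:
    plan: List[Decision] = []
    for s in sources:
        if s.subnet_id:
            if s.service_endpoint:
                plan.append(Decision(s.label, "vnet", s.subnet_id,
                                     "virtual network rule; traffic stays on the Microsoft backbone"))
            else:
                plan.append(Decision(s.label, None, s.subnet_id,
                                     "enable the Microsoft.Storage service endpoint on the subnet first"))
            continue
        net = ipaddress.ip_network(s.cidr, strict=False)
        if net.version != 4:
            plan.append(Decision(s.label, None, s.cidr, "IPv4 only in this example"))
        elif any(net.subnet_of(p) for p in RFC1918):
            plan.append(Decision(s.label, None, s.cidr,
                                 "private address: IP rules accept public ranges only; use a private endpoint"))
        elif net.prefixlen >= 31:
            # /31 and /32 are not accepted as ranges; list each address individually
            for addr in net:
                plan.append(Decision(s.label, "ip", str(addr), "single public address rule"))
        else:
            plan.append(Decision(s.label, "ip", str(net), "public address range rule"))
    return plan


def demo() -> List[Decision]:
    vnet = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-net"
            "/providers/Microsoft.Network/virtualNetworks/")          # constructed id prefix
    return plan_network_rules([
        Source("VNet2 SharePoint subnet", subnet_id=vnet + "VNet2/subnets/sp-tier", service_endpoint=True),
        Source("VNet3 SharePoint subnet", subnet_id=vnet + "VNet3/subnets/sp-tier", service_endpoint=False),
        Source("on-premises internet egress", cidr="198.51.100.16/28"),
        Source("on-premises LAN over the VPN", cidr="192.168.10.0/24"),
        Source("single admin workstation egress", cidr="198.51.100.7/32"),
        Source("two-address egress pair", cidr="198.51.100.40/31"),
    ])


if __name__ == "__main__":
    for d in demo():
        print(f"{d.label:35} {str(d.rule):5} {d.value:60} {d.reason}")
```

Each "vnet" decision maps onto az storage account network-rule add --account-name contosostorage1 --vnet-name VNet2 --subnet sp-tier, and each "ip" decision onto the same command with --ip-address; the decisions with no rule are the cases to fix elsewhere, by enabling the service endpoint or by creating a private endpoint.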
HOTSPOT
You need to resolve the issue.
What should you do? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Explanation:
Box 1: Assign the Reader role to the team members.
The scenario says the data engineering team cannot see contosostorage1 in the Azure portal. Seeing a resource in the portal is a control-plane operation (Microsoft.Storage/storageAccounts/read) governed by the management roles; the blob data roles on their own do not make the account appear. Reader, scoped to contosostorage1 or its resource group, is the smallest built-in role that does this. Contributor would also make the account visible, but it permits creating, changing and deleting the account and every other resource in scope while still granting no access to blob data by itself, so it fails the least-privilege requirement. Reader and Data Access is a real built-in role and is not appropriate either: it includes listKeys, which hands out the account keys and with them unrestricted access to all data in the account.
Reference: Azure built-in roles: https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
Azure RBAC controls access through role assignments, which consist of three elements:
✑ The security principal: the user, group, or application that you want to grant access to the resource.
✑ The role definition: the predefined or custom set of permissions to grant. For example, read, write, delete, backup, restore, etc.
✑ The scope: the level at which the assignment applies. For example, a management group, subscription, resource group, or individual resource.
To assign the Reader role using the Azure portal:
✑ Navigate to contosostorage1 (or to its resource group if the team also needs to see other resources there).
✑ Select Access control (IAM), then select Add > Add role assignment.
✑ Under Role, select Reader.
✑ Under Members, select User, group, or service principal and select the data engineering team's group.
✑ Select Review + assign to create the role assignment.
To assign the role using the Azure CLI or PowerShell, see Assign Azure roles using CLI or PowerShell.
Box 2: Assign the Storage Blob Data Contributor role to the team members.
Backing up and restoring blobs means reading, writing and deleting blob data, which are data-plane operations (Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read, write and delete) that management roles such as Reader and Contributor do not grant. Storage Blob Data Reader would cover the backup but not the restore; Storage Blob Data Owner adds POSIX ACL management the team does not need. Storage Blob Data Contributor, scoped to contosostorage1 or to the specific containers, is the minimum built-in role that allows both. Combined with Reader on the account, the team can navigate to the storage account in the portal and work with its blobs using their own identities, without ever holding the account keys.
To assign the Storage Blob Data Contributor role using the Azure portal:
✑ Navigate to the scope where you want to assign the role: contosostorage1, or the container that holds the backups.
✑ Select Access control (IAM), then select Add > Add role assignment.
✑ Under Role, select Storage Blob Data Contributor.
✑ Under Members, select User, group, or service principal and select the data engineering team's group.
✑ Select Review + assign to create the role assignment.
To assign the Storage Blob Data Contributor role using the Azure CLI or PowerShell, see Assign Azure roles using CLI or PowerShell.
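To make the two permission questions concrete, here is an added example (not code from the page or from Microsoft) that evaluates effective Azure RBAC permissions the way the service does: wildcard matching of operation names against Actions and NotActions (DataActions and NotDataActions for data-plane operations), with the assignment's scope having to cover the resource. It serves both the Bicep deployment question above (Reader lacks Microsoft.KeyVault/vaults/deploy/action; a one-permission custom role grants it without Contributor's reach) and the data engineering question (Reader makes the account visible, Storage Blob Data Contributor grants the blob data operations, and neither hands out the account keys). The role definitions are simplified subsets of the built-in roles, "KV Template Deployer" is a hypothetical custom role, and the resource ids are constructed.

```python
"""Evaluate effective Azure RBAC permissions for the two permission questions.

Added example, not from the original page. The role definitions are
simplified subsets of the built-in roles (only the entries needed here);
"KV Template Deployer" is a hypothetical custom role and the resource ids
are constructed. Evaluation follows the documented model: an operation is
allowed when some assignment for the principal covers the resource scope and
its role lists the operation under Actions (DataActions for data-plane
operations) without also listing it under NotActions (NotDataActions).
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class RoleDefinition:
    actions: List[str] = field(default_factory=list)
    not_actions: List[str] = field(default_factory=list)
    data_actions: List[str] = field(default_factory=list)
    not_data_actions: List[str] = field(default_factory=list)


@dataclass
class RoleAssignment:
    principal: str
    role: str
    scope: str


BLOBS = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/"
ROLES: Dict[str, RoleDefinition] = {
    "Reader": RoleDefinition(actions=["*/read"]),
    "Contributor": RoleDefinition(
        actions=["*"],
        not_actions=["Microsoft.Authorization/*/Delete", "Microsoft.Authorization/*/Write",
                     "Microsoft.Authorization/elevateAccess/Action"]),
    "Reader and Data Access": RoleDefinition(
        actions=["Microsoft.Storage/storageAccounts/listKeys/action",
                 "Microsoft.Storage/storageAccounts/read"]),
    "Storage Blob Data Contributor": RoleDefinition(
        actions=["Microsoft.Storage/storageAccounts/blobServices/containers/read",
                 "Microsoft.Storage/storageAccounts/blobServices/containers/write",
                 "Microsoft.Storage/storageAccounts/blobServices/containers/delete"],
        data_actions=[BLOBS + op for op in ("read", "write", "delete", "add/action", "move/action")]),
    "KV Template Deployer": RoleDefinition(          # hypothetical custom role
        actions=["Microsoft.KeyVault/vaults/deploy/action"]),
}


def _matches(pattern: str, operation: str) -> bool:
    """'*' in a role definition matches any run of characters; names are case-insensitive."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*") + "$"
    return re.match(regex, operation, re.IGNORECASE) is not None


def _scope_covers(assignment_scope: str, resource_scope: str) -> bool:
    """An assignment applies to its scope and to everything beneath it."""
    a, r = assignment_scope.lower().rstrip("/"), resource_scope.lower().rstrip("/")
    return r == a or r.startswith(a + "/")


def is_allowed(assignments, principal, operation, resource_scope, data_action=False) -> bool:
    for asg in assignments:
        if asg.principal != principal or not _scope_covers(asg.scope, resource_scope):
            continue
        role = ROLES[asg.role]
        allow = role.data_actions if data_action else role.actions
        deny = role.not_data_actions if data_action else role.not_actions
        if any(_matches(p, operation) for p in allow) and not any(_matches(p, operation) for p in deny):
            return True
    return False


SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"            # constructed
VAULT = SUB + "/resourceGroups/rg-secrets/providers/Microsoft.KeyVault/vaults/kv-contoso-1"
STORAGE = SUB + "/resourceGroups/rg-data/providers/Microsoft.Storage/storageAccounts/contosostorage1"
CONTAINER = STORAGE + "/blobServices/default/containers/backups"
DEPLOY = "Microsoft.KeyVault/vaults/deploy/action"
LIST_KEYS = "Microsoft.Storage/storageAccounts/listKeys/action"
VM_DELETE = "Microsoft.Compute/virtualMachines/delete"


def demo() -> Dict[str, bool]:
    reader = [RoleAssignment("deploy-team", "Reader", VAULT)]
    least = reader + [RoleAssignment("deploy-team", "KV Template Deployer", VAULT)]
    contrib = [RoleAssignment("deploy-team", "Contributor", SUB)]
    data = [RoleAssignment("data-eng", "Reader", STORAGE),
            RoleAssignment("data-eng", "Storage Blob Data Contributor", STORAGE)]
    rda = [RoleAssignment("data-eng", "Reader and Data Access", STORAGE)]
    return {
        "reader_reads_vault": is_allowed(reader, "deploy-team", "Microsoft.KeyVault/vaults/read", VAULT),
        "reader_deploys_secret": is_allowed(reader, "deploy-team", DEPLOY, VAULT),
        "custom_role_deploys_secret": is_allowed(least, "deploy-team", DEPLOY, VAULT),
        "custom_role_deletes_vm": is_allowed(least, "deploy-team", VM_DELETE, SUB + "/resourceGroups/rg-vms"),
        "contributor_deploys_secret": is_allowed(contrib, "deploy-team", DEPLOY, VAULT),
        "contributor_deletes_vm": is_allowed(contrib, "deploy-team", VM_DELETE, SUB + "/resourceGroups/rg-vms"),
        "data_team_sees_account": is_allowed(data, "data-eng", "Microsoft.Storage/storageAccounts/read", STORAGE),
        "data_team_writes_blob": is_allowed(data, "data-eng", BLOBS + "write", CONTAINER, data_action=True),
        "data_team_lists_keys": is_allowed(data, "data-eng", LIST_KEYS, STORAGE),
        "rda_lists_keys": is_allowed(rda, "data-eng", LIST_KEYS, STORAGE),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check:30} {result}")
```

The output shows the two least-privilege results side by side: the custom role lets the deployment team fetch the password but not delete a VM, whereas Contributor does both; and Reader plus Storage Blob Data Contributor lets the data team see the account and write blobs without being able to list the account keys, which Reader and Data Access would allow.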
HOTSPOT
You need to resolve the connectivity issue with the on-premises database named CosmosDB1.
What should you do? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Explanation:
Box 1: Deploy an Azure virtual machine (VM) that hosts a DNS service.
Despite the wording of the question, CosmosDB1 is an Azure Cosmos DB account that VNet1 reaches through its private endpoint; the connectivity issue is that on-premises clients reach its public endpoint instead. Whether a client uses the private endpoint is decided purely by name resolution. From VNet1, the account's FQDN resolves through a CNAME to a name in the privatelink.documents.azure.com zone, and the Azure-provided resolver answers that name from the private DNS zone linked to VNet1 with the private endpoint's address. On-premises resolvers cannot query the private zone, so they follow the public CNAME chain and receive the public address. A DNS forwarder inside VNet1 closes that gap: a VM running a DNS service that forwards to the Azure-provided resolver at 168.63.129.16, which is reachable only from inside the virtual network and answers with the private zone's records.
Reference: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances#name-resolution-that-uses-your-own-dns-server
Box 2: Configure DNS conditional forwarding in the on-premises DNS infrastructure.
With the forwarder in place, the on-premises DNS servers need a conditional forwarder for the zone privatelink.documents.azure.com that points at the forwarder VM's private address in VNet1 across the site-to-site VPN. Everything else keeps resolving as before; only names in that zone are sent to Azure, where the private DNS zone returns the private endpoint address, so on-premises connections to CosmosDB1 travel over the VPN to the private endpoint rather than over the public internet. The zone to forward is privatelink.documents.azure.com: the public CNAME step that maps the account name into that zone is still served by public DNS, and the forwarder needs to own only the part whose answer differs between public DNS and the private zone.
Reference: https://learn.microsoft.com/azure/private-link/private-endpoint-dns
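As an added example (not from the page or from Microsoft), the Python below shows why on-premises clients land on the public endpoint and how the conditional forwarder changes that. It walks the CNAME chain a resolver would follow, sending any name under privatelink.documents.azure.com to a configured forwarder and everything else to public DNS, then classifies the final address. The two answer sets are constructed to mirror the record shapes Private Link uses for Cosmos DB; the account name, the front-end host name and the addresses are placeholders.

```python
"""Does a client resolve CosmosDB1 to its private endpoint or to its public one?

Added example, not from the original page. The answer sets below are
constructed: public DNS holds a CNAME from the account name to the
privatelink zone and on to a public front end, while the private DNS zone
linked to VNet1 (reached through the forwarder VM) answers the privatelink
name with the private endpoint's address. Names and addresses are placeholders.
"""
import ipaddress
from typing import Dict, List, Tuple

Answers = Dict[str, List[Tuple[str, str]]]      # owner name -> [(rtype, rdata)]

# What any public resolver returns (front-end name and address are placeholders).
PUBLIC_DNS: Answers = {
    "contosodb1.documents.azure.com.": [("CNAME", "contosodb1.privatelink.documents.azure.com.")],
    "contosodb1.privatelink.documents.azure.com.": [("CNAME", "fe1.contosodb1-region.example.net.")],
    "fe1.contosodb1-region.example.net.": [("A", "20.50.60.70")],
}
# What the forwarder VM in VNet1 returns for the privatelink zone: the private endpoint's address.
VNET1_FORWARDER: Answers = {
    "contosodb1.privatelink.documents.azure.com.": [("A", "10.1.2.5")],
    "contosodb1-eastus.privatelink.documents.azure.com.": [("A", "10.1.2.5")],
}


def resolve(name: str, default: Answers, forwarders: List[Tuple[str, Answers]], depth: int = 0):
    """Follow CNAMEs; each name goes to the conditional forwarder whose zone matches, else to default."""
    if depth > 8:
        raise RuntimeError("CNAME chain too long")
    answers = default
    for zone, backend in forwarders:
        if name == zone or name.endswith("." + zone):
            answers = backend
            break
    chain, addrs = [name], []
    for rtype, rdata in answers.get(name, []):
        if rtype == "CNAME":
            sub_chain, sub_addrs = resolve(rdata, default, forwarders, depth + 1)
            chain += sub_chain
            addrs += sub_addrs
        elif rtype == "A":
            addrs.append(rdata)
    return chain, addrs


def endpoint_in_use(addrs: List[str]) -> str:
    """Private endpoint if every answer is a private address; public otherwise."""
    if not addrs:
        return "unresolved"
    return "private" if all(ipaddress.ip_address(a).is_private for a in addrs) else "public"


def check(name: str, forwarders: List[Tuple[str, Answers]]) -> dict:
    chain, addrs = resolve(name, PUBLIC_DNS, forwarders)
    return {"chain": chain, "addresses": addrs, "endpoint": endpoint_in_use(addrs)}


def demo() -> dict:
    account = "contosodb1.documents.azure.com."
    before = check(account, forwarders=[])      # on-premises today: no conditional forwarder
    after = check(account, forwarders=[("privatelink.documents.azure.com.", VNET1_FORWARDER)])
    return {"before": before, "after": after}


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result["endpoint"], " -> ".join(result["chain"]), result["addresses"])
```

The same check on a real host is nslookup contosodb1.documents.azure.com: a 10.x answer from VNet1 and a public answer from on-premises is exactly the "before" case, and once the conditional forwarder is in place both should return the private endpoint address.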
HOTSPOT
You need to troubleshoot and resolve the reverse DNS lookup issues.
What should you do? To answer, select the appropriate option in the answer area. NOTE: Each correct selection is worth one point.
Explanation:
Box 1: Verify that VNet1 is configured to use the built-in Azure resolution.
As mentioned in the scenario, you need to troubleshoot and resolve the reverse DNS lookup issues. Reverse DNS lookup is the process of resolving an IP address to a host name. For example, if you have a virtual machine with an IP address of 10.0.0.4 and a host name of vm1.contoso.com, you can use reverse DNS lookup to find the host name from the IP address.
One way to perform reverse DNS lookup in Azure is to use the built-in Azure resolution. The built-in Azure resolution is a feature that allows reverse DNS lookup (PTR DNS queries) for virtual machine IP addresses by default. This feature works for both IPv4 and IPv6 addresses, and it supports both public and private IP addresses. The built-in Azure resolution uses the host name of the virtual machine as the reverse DNS record.
To use the built-in Azure resolution, you need to configure your virtual network to use the default Azure-provided DNS servers. These are the DNS servers that are automatically assigned to your virtual network when you create it. You can verify or change the DNS server settings of your virtual network using the Azure portal, PowerShell, CLI, or REST API.
To verify that VNet1 is configured to use the built-in Azure resolution using the Azure portal, follow these steps:
✑ In the Azure portal, navigate to the Virtual Network resource.
✑ Select DNS servers under Settings.
✑ Check if Default (Azure-provided) is selected under DNS servers. If not, select it and click Save to apply the changes.
After configuring your virtual network to use the built-in Azure resolution, you can test the reverse DNS lookup using tools such as nslookup or dig. For example, you can use the following command to perform a reverse DNS lookup for an IP address of 10.0.0.4: nslookup -type=PTR 10.0.0.4
The output should show the host name of the virtual machine that has that IP address.
Box 2: Create an in-addr.arpa private DNS zone and link it to VNet1, VNet2, and VNet3.
Reverse DNS lookup issues are related to resolving IP addresses to their corresponding hostnames. In the given scenario, the issue is with reverse DNS lookups for the resources in the three virtual networks. Creating an in-addr.arpa private DNS zone and linking it to VNet1, VNet2, and VNet3 would ensure that the reverse DNS lookups can be resolved correctly across all three virtual networks.
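The two boxes above describe one procedure: keep the Azure-provided resolver and add a private in-addr.arpa zone linked to all three VNets. The following added example (not part of the exam explanation) plans that zone and the PTR records for the [vmname].contoso.com format, then simulates a PTR query to show that a VNet without a zone link gets no contoso.com answer. The VNet address spaces and VM addresses are constructed assumptions.

```python
"""Plan one in-addr.arpa private DNS zone covering VNet1, VNet2 and VNet3 so that
a PTR query from any of them returns [vmname].contoso.com, then simulate the
lookup to show why the zone must be linked to every VNet."""
import ipaddress
from dataclasses import dataclass, field

# Constructed sample data: the case study does not state the VNet address
# spaces or VM addresses, so these are assumptions for the example only.
VNETS = {"VNet1": "10.1.0.0/16", "VNet2": "10.2.0.0/16", "VNet3": "10.3.0.0/16"}
VMS = {"vm1": "10.1.0.4", "vm2": "10.2.0.4", "vm3": "10.3.0.4"}
SUFFIX = "contoso.com"


def covering_reverse_zone(cidrs):
    """Return (zone name, network) for the smallest octet-aligned in-addr.arpa
    zone that contains every address space in cidrs."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    common = nets[0]
    while not all(n.subnet_of(common) for n in nets):
        common = common.supernet()
    prefix = (common.prefixlen // 8) * 8        # reverse zones cut on octet boundaries
    if prefix == 0:
        raise ValueError("address spaces share no leading octet; use one zone per space")
    common = ipaddress.ip_network(f"{common.network_address}/{prefix}", strict=False)
    octets = str(common.network_address).split(".")[: prefix // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa", common


def ptr_name(ip, zone_net):
    """Relative PTR record name for ip inside zone_net (None if outside it)."""
    addr = ipaddress.ip_address(ip)
    if addr not in zone_net:
        return None
    host_octets = str(addr).split(".")[zone_net.prefixlen // 8:]
    return ".".join(reversed(host_octets))


@dataclass
class PrivateZone:
    name: str
    network: ipaddress.IPv4Network
    records: dict = field(default_factory=dict)   # relative PTR name -> FQDN
    links: set = field(default_factory=set)       # VNets the zone is linked to


def plan_reverse_zone(vnets, vms, suffix):
    """Build the zone with one PTR record per VM and link it to every VNet."""
    name, net = covering_reverse_zone(vnets.values())
    zone = PrivateZone(name, net)
    for vm, ip in vms.items():
        rel = ptr_name(ip, net)
        if rel is None:
            raise ValueError(f"{vm} ({ip}) is not inside {net}")
        zone.records[rel] = f"{vm}.{suffix}"
    zone.links.update(vnets)           # link to VNet1, VNet2 and VNet3
    return zone


def resolve_ptr(zone, from_vnet, ip):
    """Simulate a PTR query from a VM in from_vnet. A private zone only answers
    for VNets it is linked to; elsewhere the query falls through to the
    Azure-provided default, which does not know the contoso.com name."""
    if from_vnet not in zone.links:
        return None
    rel = ptr_name(ip, zone.network)
    return zone.records.get(rel) if rel else None


if __name__ == "__main__":
    zone = plan_reverse_zone(VNETS, VMS, SUFFIX)
    print(f"Create private zone {zone.name}, linked to {sorted(zone.links)}")
    for rel, fqdn in sorted(zone.records.items()):
        print(f"  PTR {rel}.{zone.name} -> {fqdn}")
    print("VNet3 asking for 10.1.0.4:", resolve_ptr(zone, "VNet3", "10.1.0.4"))
```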
HOTSPOT
You need to troubleshoot and resolve the Windows VPN connectivity issues.
What should you do? To answer, select the appropriate option in the answer area. NOTE: Each correct selection is worth one point.
Explanation:
BOX1: Review the output of the route print command on the client computer.
A Windows VPN connection is a point-to-site connection that allows a client computer to connect to an Azure virtual network gateway using IKEv2 or SSTP protocols. To troubleshoot Windows VPN connectivity issues, you need to check the configuration and status of the VPN client on the client computer.
One of the common problems that can cause Windows VPN connectivity issues is incorrect routing configuration on the client computer. The client computer needs to have a route that directs the traffic destined for the target subnet in Azure to the VPN interface. If the route is missing or incorrect, the traffic will not reach the Azure virtual network gateway.
To check the routing configuration on the client computer, you can use the route print command in a command prompt window. This command displays the routing table of the client computer, which shows the destination network, the gateway address, and the interface for each route. You can compare the output of this command with the expected routes for your VPN connection.
For example, if your target subnet in Azure is 10.0.0.0/24 and your VPN interface has an IP address of 172.16.0.1, you should see a route like this in the output of route print:
Destination Network | Gateway Address | Interface
10.0.0.0/24 | On-link | 172.16.0.1
This route means that any traffic destined for 10.0.0.0/24 will be sent directly to the VPN interface (On-link) with an IP address of 172.16.0.1.
If you do not see this route or see a different gateway address or interface, you need to correct the routing configuration on the client computer. You can use the route add command to add a new route or use the route change command to modify an existing route.
Box 2: Download the VPN client package and install it on the client computer
A Windows VPN connection is a point-to-site connection that allows a client computer to connect to an Azure virtual network gateway using IKEv2 or SSTP protocols. To establish a Windows VPN connection, you need to install a VPN client package on the client computer that contains the configuration files and certificates required for the connection. One of the common problems that can cause Windows VPN connectivity issues is a missing or outdated VPN client package on the client computer. The VPN client package may be missing if it was not installed properly or was deleted accidentally. The VPN client package may be outdated if the Azure virtual network gateway configuration has changed since the package was downloaded.
To resolve this problem, you need to download the latest VPN client package from the Azure portal and install it on the client computer.
To download the VPN client package, follow these steps:
✑ Go to the Azure portal and select your virtual network gateway.
✑ On the Overview page, click Point-to-site configuration.
✑ On the Point-to-site configuration page, click Download VPN client.
✑ Select the appropriate version of Windows for your client computer and click Download.
✑ Extract the contents of the downloaded ZIP file to a folder on your client computer.
✑ Run the executable file in the folder to install the VPN client package.
HOTSPOT
You need to troubleshoot the issues with the SharePoint workload in VNet2.
What should you do? To answer, select the appropriate option in the answer area. NOTE: Each correct selection is worth one point.
Explanation:
Box 1 = Use IP flow verify.
IP flow verify is a feature of Azure Network Watcher that checks if a packet is allowed or denied to or from a virtual machine. It can help diagnose connectivity issues caused by network security groups, user-defined routes, or Azure Virtual Network Manager rules. IP flow verify can also return the name of the rule that denied the packet, which can be useful for troubleshooting.
Connection troubleshoot is another feature of Azure Network Watcher that helps reduce the time to diagnose and resolve network connectivity issues. However, it can only test TCP or ICMP connections from certain Azure resources, such as virtual machines, Azure Bastion instances, or application gateways. Connection troubleshoot can also detect issues such as high VM CPU utilization, DNS resolution failures, or inability to open a socket at the specified source port.
In this scenario, you need to collect the required logs for the SharePoint workload in VNet2. Since you are not testing a specific TCP or ICMP connection, but rather checking if packets are allowed or denied by any network configuration, IP flow verify is more suitable than connection troubleshoot. You can use IP flow verify to check the direction, protocol, local IP, remote IP, local port, and remote port of the packets and see which rule is blocking them.
To use IP flow verify, you need to enable a network watcher in the same region as the virtual machines you want to troubleshoot. Then you can use the Azure portal, PowerShell, or Azure CLI to run IP flow verify and get the results.
Box 2 = Use Traffic analytics
To troubleshoot issues related to the SharePoint workload in VNet2, we can use Traffic Analytics. It is a network monitoring solution that uses Network Watcher to analyze and report on traffic flows in your Azure virtual network. With Traffic Analytics, you can see information about traffic flow patterns and security concerns detected across Azure subscriptions using network security group (NSG) flow logs. IP flow verify is used to verify whether packets are flowing as expected between two endpoints within an Azure virtual network, or between a public IP address and an endpoint inside an Azure virtual network, but it does not provide visibility into overall traffic patterns or identify potential security threats. Connection troubleshoot can be used when you have connectivity problems while interacting with a specific instance of a resource type served from Microsoft datacenters over the internet, but a SharePoint workload issue does not necessarily correspond to an internet routing or connectivity problem, so it may not apply.
You need to resolve the issue with internet traffic from VM1 being routed directly to the internet.
What should you do?
- A . Modify IP address prefix of RT12
- B . Associate RT12 with Subnet1a.
- C . Associate RT12 with Subnet2a.
- D . Modify the next hop type of RT12.
B
Explanation:
This will ensure that the route table RT12, which has a route to direct internet traffic to the virtual network gateway VNG1, is applied to the subnet where VM1 is located. This will override the default route that sends internet traffic to the internet gateway.
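Azure selects the effective route by longest prefix match, and a user-defined route beats the system route when both have the same prefix. The added example below (not from the exam material) models that selection for VM1 to show why RT12 changes nothing until it is associated with VM1's own subnet; the VNet1 address space, RT12's route content and VM1's placement in Subnet1a are assumptions.

```python
"""Effective-route selection for a VM's subnet: Azure takes the longest prefix
match and, when a user-defined route (UDR) and a system route share the same
prefix, the UDR wins. The addresses and RT12's route below are assumptions for
this example; only "0.0.0.0/0 -> VNG1" is implied by the explanation."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop: str      # "VirtualNetwork", "Internet", "VirtualNetworkGateway", ...
    source: str        # "Default" for system routes, "User" for UDRs


# System routes Azure creates for every subnet (VNet1 space assumed to be 10.1.0.0/16).
SYSTEM_ROUTES = [
    Route("10.1.0.0/16", "VirtualNetwork", "Default"),
    Route("0.0.0.0/0", "Internet", "Default"),
]

# Assumed content of RT12: force all non-VNet traffic through VNG1.
RT12 = [Route("0.0.0.0/0", "VirtualNetworkGateway", "User")]

# VM1 is assumed to sit in Subnet1a (the correct answer associates RT12 there).
VM_SUBNET = {"VM1": "Subnet1a", "VM2": "Subnet2a"}


def effective_route(dest_ip, udrs=()):
    """Pick the route a packet to dest_ip takes from a subnet with the given UDRs."""
    dest = ipaddress.ip_address(dest_ip)
    candidates = [r for r in [*SYSTEM_ROUTES, *udrs]
                  if dest in ipaddress.ip_network(r.prefix)]
    # Longest prefix wins; on a tie a UDR beats the system route.
    return max(candidates,
               key=lambda r: (ipaddress.ip_network(r.prefix).prefixlen, r.source == "User"))


def next_hop(vm, dest_ip, associations):
    """Next hop type for traffic from vm, given {subnet: [routes]} associations."""
    udrs = associations.get(VM_SUBNET[vm], [])
    return effective_route(dest_ip, udrs).next_hop


if __name__ == "__main__":
    cases = (
        ("no RT12", {}),                     # before the fix
        ("RT12 on Subnet2a", {"Subnet2a": RT12}),   # option C: wrong subnet
        ("RT12 on Subnet1a", {"Subnet1a": RT12}),   # option B: VM1's subnet
    )
    for label, assoc in cases:
        print(f"{label:18} VM1 -> 8.8.8.8: {next_hop('VM1', '8.8.8.8', assoc)}")
    # Intra-VNet traffic still uses the more specific system route.
    print("RT12 on Subnet1a   VM1 -> 10.1.2.3:", next_hop("VM1", "10.1.2.3", {"Subnet1a": RT12}))
```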
HOTSPOT
You need to troubleshoot and resolve the public DNS lookup issues.
What should you do? To answer, select the appropriate option in the answer area. NOTE: Each correct selection is worth one point.
Explanation:
BOX 1: Run the command: nslookup -type=a www.contoso.com 8.8.8.8
nslookup is a command-line tool that queries DNS servers for information about domain names and IP addresses. It can be used to troubleshoot DNS issues and verify DNS configurations.
The -type option specifies the type of DNS record to query. The -type=a option queries for A records, which map domain names to IPv4 addresses. The www.contoso.com argument specifies the domain name to query. The 8.8.8.8 argument specifies the DNS server to use for the query, which is a public DNS server provided by Google.
By running this command, you can verify if the Azure Public DNS zone is configured according to the requirements by checking if the A record for www.contoso.com matches the expected IPv4 address. If the A record is missing or incorrect, you can use the Azure portal, PowerShell, or Azure CLI to create or update it in your DNS zone.
Box2: Create NS records
NS (Name Server) records are used to delegate a domain or subdomain name to a set of authoritative DNS servers, which can provide information about that domain. In this scenario, there appears to be an issue with resolving the domain in question via public DNS lookup, since it is only resolving locally on one server and not across all networks. By creating NS records for the domain, authoritative name servers will be identified and designated as responsible for providing accurate information about the specific zone. This will ensure your domain is properly distributed across different network zones and help users globally reach your website without delays or connectivity problems. Alternatively, an SRV (Service locator) record is used when you have multiple servers offering similar services such as email or SIP but want to use a weight system indicating greater trustworthiness/proximity of datacenters within the provider's DNS infrastructure. An SOA (Start Of Authority) record indicates who is in control of the DNS zone and provides other related information such as the serial number and default TTL values. Therefore, option A, Create NS records, would be the best solution for resolving public DNS lookup issues in this scenario.
References:
– "NS record," Microsoft Docs, accessed March 27, 2023. [Online]. Available: https://docs.microsoft.com/en-us/windows-server/networking/dns/deploy/create-a-dns-record-for-domain-access#ns-record
– "SRV record," Cloudflare Help Center, accessed March 27, 2023. [Online]. Available: https://support.cloudflare.com/hc/en-us/articles/216672888-SRV-Record-Setup
– "SOA record," DigitalOcean Product Documentation, accessed March 27, 2023. [Online]. Available: https://www.digitalocean.com/community/tutorials/how-to-manage-dns-using-the-digitalocean-control-panel#start-of-authority-record
You need to resolve the VM2 routing issue.
What should you do?
- A . Modify the IP configuration setting of the Azure network interface resource of VM1.
- B . Add a network interface to VM1.
- C . Add a network interface to VM2.
- D . Modify the IP configuration setting of the Azure network interface resource of VM2.
D
Explanation:
To resolve the VM2 routing issue, you should modify the IP configuration setting of the Azure network interface resource of VM2. This will ensure that VM2 can communicate with other resources in the virtual network.
Troubleshooting connectivity problems between Azure VMs involves several steps, such as checking whether the NIC is misconfigured, whether network traffic is blocked by an NSG or UDR, whether network traffic is blocked by the VM firewall, whether the VM app or service is listening on the port, and whether the problem is caused by SNAT.
Topic 2, Fabrikam Inc.
Fabrikam Inc. runs an online reservation service that allows agents to manage online registrations for various hotels, vacation rentals, and customers.
The company has on-premises infrastructure and services that are hosted in Azure. The on-premises infrastructure includes servers that run Active Directory Domain Services (AD DS). Azure services include virtual machines (VMs) that are in one subscription and the following environments: development, testing, and production. Each environment is located in a different virtual network (VNet).
The company has a perimeter network that supports connections to the internet. The perimeter network is also hosted in a separate VNet. All of the VNets are connected by using virtual network peering.
The company’s subscription contains the following Azure virtual machines (VMs):
The Web Server (IIS) role is installed on VM4. The operating system firewall for each VM allows inbound ping requests.
The company’s subscription includes the following network security groups (NSGs):
NSG1, NSG2, NSG3, and NSG5 use the default inbound security rules. NSG4, NSG5, and NSG10 use the default outbound security rules.
NSG4 has the following inbound security rule:
NSG10 has the following inbound security rules:
Network Policy Server (NPS) is installed on an on-premises server named SRV2. The NPS extension for Azure AD multi-factor authentication (MFA) is configured on the server as well.
The virtual network peering connections are in the following table.
You provision a virtual network gateway named VNetGW in the perimeter network. The virtual network gateway uses SKU VpnGw1 and the public IP address 16.4.4.4.
The virtual network gateway will provide:
• Network routing to customer data centers using site-to-site VPN connections.
• Network routing to Azure for the scheduling agents and sales employees using a point-to-site VPN connection.
The company’s site-to-site VPN connections with customers are shown in the following table.
The point-to-site VPN is configured as shown in the following table:
The company’s user and group memberships are shown in the following table:
The scheduling agents, warehouse, and sales groups are members of the self-service password reset (SSPR) group named SSPR-group.
Azure AD Connect is installed on an on-premises server named SRV1. In addition:
• The server uses a pass-through authentication agent.
• The SSPR feature is enabled
• The SSPR feature is applied only to a group named SSPR-group
• The scheduling agents’ internet connectivity must be blocked when connected to the point-to-site VPN.
• Sales employees must use the default VPN client on MacOS computers to connect to Azure.
• Azure AD Connect must synchronize all user accounts from AD DS to Azure AD.
• Pass-through authentication is required for all users.
• Azure AD multi-factor authentication (MFA) is required for all users.
• All admin user accounts must be in an organizational unit (OU) named Admins.
VM3
Users report issues connecting from VM3 to resources at Margie’s Travel. The administrator for Margie’s Travel has verified that their VPN gateway is working correctly. You must verify whether the Fabrikam virtual network gateway is available.
VM10
All ping tests must be performed by using the ICMP protocol. You are unable to ping VM10 from VM1.
Alpine Ski House
You discover during testing that scheduling agents are experiencing latency when accessing resources at the Alpine Ski House. You suspect that the issue is related to ICMP latency.
Contoso Suites
You receive reports that VM1 is unable to access resources at Contoso Suites.
Blue Yonder Airlines
The administrator of a partner company named Blue Yonder Airlines reports VPN disconnections and IPsec failure to connect errors.
Other resource issues
• MFA requests on SRV2 are failing with a security token error.
• You are unable to ping VM10 from VM1.
Admin1
You receive the following error on SRV1 only when trying to synchronize an administrator named Admin1: 8344 insufficient access rights to perform the operation
Admin2
An administrator named Admin2 reports they cannot connect to the web server public IP address on VM4 from VM2.
Agent 1
A scheduling agent named Agent1 reports issues authenticating to Azure AD.
User1
A scheduling agent named User1 reports that they can access the internet when connected to the point-to-site VPN.
User2
A user named User2 reports the following error when registering for SSPR: Your administrator has not enabled you to use this feature.
Sales team
Sales team employees report that they are unable to connect by using point-to-site VPN.
You need to resolve the issue with Admin1.
What should you do?
- A . Configure Azure AD Connect filtering to include the Admins organizational unit.
- B . Reset the Azure AD Connect service account password in AD DS.
- C . Enable security inheritance in Active Directory Domain Services (AD DS).
- D . Start a full import in Azure AD Connect.
C
Explanation:
The error 8344 insufficient access rights to perform the operation indicates that the Azure AD Connect service account does not have the required permissions to synchronize the Admin1 account. This could be because the Admin1 account is in an organizational unit (OU) that has security inheritance disabled, which prevents the service account from inheriting the necessary permissions from the parent OU. To resolve this issue, you should enable security inheritance in AD DS for the OU that contains the Admin1 account. This will allow the service account to synchronize the Admin1 account to Azure AD. Alternatively, you could also grant the service account explicit permissions on the Admin1 account, but this would be more tedious and less scalable than enabling security inheritance.
HOTSPOT
You need to resolve the connectivity issues for VM1 to Contoso Suites.
What parameters should you configure for each peering connection? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Explanation:
Connection: VNet1-VNet4 Parameters are: AllowGatewayTransit: Enabled
Connection: VNet4-VNet1 Parameters are: UseRemoteGateways: Enabled
To resolve the connectivity issues for VM1 to Contoso Suites, you need to configure the peering connections between VNet1 and VNet4 correctly. The peering connection from VNet1 to VNet4 should have the AllowGatewayTransit parameter enabled, which allows VNet1 to use the virtual network gateway in VNet4 as a transit point for traffic. The peering connection from VNet4 to VNet1 should have the UseRemoteGateways parameter enabled, which allows VNet4 to use the remote gateway in VNet1 for traffic destined to Contoso Suites. The IP Allocation parameter should be set to Dynamic for both peering connections, which allows Azure to assign IP addresses from the address space of the peered virtual network. The ServiceEndpoint parameter should be set to None for both peering connections, as there is no need to enable service endpoints for this scenario.
You need to troubleshoot the issue reported by Blue Yonder Airlines.
Which diagnostic log should you review?
- A . RouteDiagnosticLog
- B . GatewayDiagnosticLog
- C . TunnelDiagnosticLog
- D . IKEDiagnosticLog
D
Explanation:
To troubleshoot the issue reported by Blue Yonder Airlines, you need to review the IKEDiagnosticLog, which contains information about the Internet Key Exchange (IKE) protocol that is used to establish IPsec VPN connections. The IKEDiagnosticLog can help you identify the cause of the VPN disconnections and IPsec failure to connect errors, such as mismatched authentication parameters, incorrect pre-shared keys, or network connectivity issues. You can enable and download the IKEDiagnosticLog from the Azure portal or by using PowerShell commands
HOTSPOT
You need to troubleshoot the issues related to VM3.
How should you complete the web link? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
You need to troubleshoot the issue with SRV2.
Which PowerShell cmdlet should you run?
- A . Confirm-MsolDomain
- B . Get-MsolDomainFederationSettings
- C . Get-MsolDomainVerificationDns
- D . Get-MsolServicePrincipalCredential
- E . Get-MsolUser
D
Explanation:
To troubleshoot the issue with SRV2, you need to run the Get-MsolServicePrincipalCredential PowerShell cmdlet, which returns the credentials that are associated with a service principal in Azure AD. The service principal is an identity that represents an application or a service that interacts with Azure AD. In this case, the service principal is used by the NPS extension for Azure AD MFA to communicate with Azure AD and perform MFA requests. The credentials of the service principal include a certificate and a key that are used to authenticate the service principal to Azure AD. If the credentials are expired or invalid, the MFA requests will fail with a security token error. To resolve this issue, you need to renew the credentials of the service principal by using the New-MsolServicePrincipalCredential cmdlet.
You need to resolve the issue with VM10.
What should you do?
- A . In the NSG10 inbound security rule that has a priority of 100, change the destination to ASG10
- B . In NSG10, remove the inbound security rule that has a priority of 100.
- C . In the NSG10 inbound security rule that has a priority of 100, change the protocol to Any
- D . Add an outbound security rule to NSG1 that allows outbound traffic from ASG1 to ASG10. Configure the rule to use a priority of 100.
B
Explanation:
To resolve the issue with VM10, you need to remove the inbound security rule that has a priority of 100 in NSG10, which is blocking ICMP traffic from ASG1 to ASG10. The rule has a source of Any, a destination of VirtualNetwork, a protocol of ICMP, and an action of Deny. This means that any ICMP traffic from outside the VNet4 address space will be denied by NSG10, which is attached to subnet4. This prevents VM1 from pinging VM10 by using ICMP, as VM1 is in VNet1 and not in VNet4. By removing this rule, you can allow ICMP traffic from ASG1 to ASG10, as there is no other rule in NSG10 that explicitly denies it. Alternatively, you could also modify the rule to change the source to VirtualNetwork or the action to Allow, but removing the rule is simpler and more effective.
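NSG rules are evaluated in ascending priority order and the first match decides, with the VirtualNetwork tag covering peered VNets as well. The added example below (not from the exam material) walks the NSG10 inbound rules for VM1's ICMP echo to VM10 under options A, B and C; only the priority-100 rule the explanation describes and Azure's default inbound rules are modelled, and the ASG memberships are as stated in the options.

```python
"""Walk NSG10's inbound rules in priority order for an ICMP echo from VM1 (in
ASG1, VNet1) to VM10 (in ASG10, VNet4) and show why removing the priority-100
rule restores the ping. Only the rule the explanation describes and Azure's
default inbound rules are modelled; everything else is an assumption."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Rule:
    priority: int
    source: str        # "Any", "VirtualNetwork", "AzureLoadBalancer" or an ASG name
    destination: str   # same vocabulary
    protocol: str      # "Any", "Tcp", "Udp" or "Icmp"
    access: str        # "Allow" or "Deny"
    name: str = ""


@dataclass(frozen=True)
class Packet:
    src_asg: str
    src_in_vnet: bool   # True when the source is in the VNet or a peered VNet
    dst_asg: str
    protocol: str


# Azure's default inbound rules, always present and lowest priority.
DEFAULT_INBOUND = [
    Rule(65000, "VirtualNetwork", "VirtualNetwork", "Any", "Allow", "AllowVnetInBound"),
    Rule(65001, "AzureLoadBalancer", "Any", "Any", "Allow", "AllowAzureLoadBalancerInBound"),
    Rule(65500, "Any", "Any", "Any", "Deny", "DenyAllInBound"),
]

# The NSG10 rule the explanation describes: Any -> VirtualNetwork, ICMP, Deny.
RULE_100 = Rule(100, "Any", "VirtualNetwork", "Icmp", "Deny", "DenyIcmp")

# VNet1 and VNet4 are peered, so VM1 falls inside the VirtualNetwork service tag.
PING_VM1_TO_VM10 = Packet("ASG1", True, "ASG10", "Icmp")


def _matches(tag, asg, in_vnet):
    if tag == "Any":
        return True
    if tag == "VirtualNetwork":
        return in_vnet
    if tag == "AzureLoadBalancer":
        return False                      # no load balancer probe in this scenario
    return tag == asg                     # an application security group


def evaluate(rules, pkt):
    """First matching rule by ascending priority decides; return (access, rule name)."""
    for r in sorted(rules, key=lambda r: r.priority):
        if r.protocol != "Any" and r.protocol != pkt.protocol:
            continue
        if not _matches(r.source, pkt.src_asg, pkt.src_in_vnet):
            continue
        if not _matches(r.destination, pkt.dst_asg, True):   # VM10 is in its own VNet
            continue
        return r.access, r.name
    return "Deny", "implicit"


def compare_options():
    """Outcome of the ping under each answer option that edits or removes rule 100
    (option D changes NSG1's outbound side, which this inbound model does not cover)."""
    return {
        "as-is": evaluate(DEFAULT_INBOUND + [RULE_100], PING_VM1_TO_VM10),
        "A: destination ASG10": evaluate(
            DEFAULT_INBOUND + [replace(RULE_100, destination="ASG10")], PING_VM1_TO_VM10),
        "B: rule removed": evaluate(DEFAULT_INBOUND, PING_VM1_TO_VM10),
        "C: protocol Any": evaluate(
            DEFAULT_INBOUND + [replace(RULE_100, protocol="Any")], PING_VM1_TO_VM10),
    }


if __name__ == "__main__":
    for option, (access, rule) in compare_options().items():
        print(f"{option:22} -> {access} by {rule}")
```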
HOTSPOT
You need to troubleshoot issues that scheduling agents report accessing Alpine Ski House resources.
Which tool and port should you test? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Explanation:
Tool: psping
Port: 443
To troubleshoot the issues that scheduling agents report accessing Alpine Ski House resources, you need to test the network latency by using the psping tool and the port 443. The psping tool is a command-line utility that can measure network performance and connectivity by sending TCP or UDP packets to a target host and reporting the round-trip time (RTT) and other statistics. The port 443 is the default port for HTTPS, which is the protocol used by Alpine Ski House to secure their web traffic. By using the psping tool with the port 443, you can test the latency of the HTTPS connection from VM3 to Alpine Ski House and compare it with the expected latency. If the latency is higher than expected, it could indicate a network issue that affects the performance of accessing Alpine Ski House resources.
You need to resolve the issue reported by Admin2.
What should you do?
- A . Add a rule to NSG2 that allows outbound traffic to the internet over port 80.
- B . Disassociate NSG2 from Subnet12.
- C . Configure a second network interface on VM4.
- D . Disassociate NSG5 from NIC4.
D
Explanation:
To resolve the issue reported by Admin2, you need to disassociate NSG5 from NIC4, which is the network interface of VM4. NSG5 is a network security group that has an inbound security rule that denies traffic from ASG2 to ASG5 over port 80. This rule prevents Admin2 from connecting to the web server public IP address on VM4 from VM2, as VM2 is in ASG2 and VM4 is in ASG5. By disassociating NSG5 from NIC4, you can remove the rule that blocks the traffic and allow Admin2 to access the web server on VM4. Alternatively, you could also modify or remove the rule in NSG5, but disassociating NSG5 from NIC4 is simpler and more effective.
HOTSPOT
You need to troubleshoot the issues reported by User1.
Which commands should you use? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Explanation:
Location in Azure:
Get-AzVirtualNetworkGateway
Location on Client Computer:
ipconfig /all
To troubleshoot the issues reported by User1, you need to use the Get-AzVirtualNetworkGateway PowerShell cmdlet in Azure and the ipconfig /all command on the client computer. The Get-AzVirtualNetworkGateway cmdlet returns information about the virtual network gateways in a subscription or a resource group. You can use this cmdlet to verify the status and configuration of the VNetGW virtual network gateway, which provides point-to-site VPN connectivity for User1. The ipconfig /all command displays the IP configuration information for all network adapters on the client computer. You can use this command to check the IP address, subnet mask, default gateway, and DNS servers assigned to User1 when connected to the point-to-site VPN. This can help you identify any misconfiguration or connectivity issues that affect User1’s access to Azure resources.
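The two checks above, as an added PowerShell example (not from the exam page). It assumes the Az module with an active session and a placeholder resource group; the gateway name VNetGW comes from the case study, and the ipconfig step runs on the Windows client.

```powershell
# Added example: read the point-to-site configuration from VNetGW and the
# client-side adapter state.
$rg = '<resource-group>'   # placeholder
$gw = Get-AzVirtualNetworkGateway -Name 'VNetGW' -ResourceGroupName $rg

# Gateway health and P2S settings that commonly explain "cannot connect".
[pscustomobject]@{
    ProvisioningState = $gw.ProvisioningState
    GatewayType       = $gw.GatewayType
    Sku               = $gw.Sku.Name
    ClientProtocols   = ($gw.VpnClientConfiguration.VpnClientProtocols -join ',')
    ClientPool        = ($gw.VpnClientConfiguration.VpnClientAddressPool.AddressPrefixes -join ',')
}

# SSTP only serves Windows clients; a macOS built-in client needs IkeV2 on the gateway.
if ($gw.VpnClientConfiguration.VpnClientProtocols -notcontains 'IkeV2') {
    Write-Warning 'IKEv2 is not enabled: non-Windows built-in VPN clients cannot connect.'
}

# Currently connected P2S clients, with their assigned addresses and byte counts.
Get-AzVpnClientConnectionHealth -VirtualNetworkGatewayName 'VNetGW' -ResourceGroupName $rg

# Client side (Windows): the SSTP tunnel shows as a PPP adapter; confirm it got
# an address from the client pool and which DNS servers were pushed.
ipconfig /all | Select-String -Pattern 'PPP adapter|IPv4 Address|DNS Servers|Default Gateway'
```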
HOTSPOT
You need to troubleshoot the issues reported by Agent1.
What should you review? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Explanation:
Audit Logs
Azure AD connect logs
You need to resolve the problem reported by User2.
What should you do?
- A . Enable all users for the self-service password reset feature.
- B . Enable the warehouse group for the self-service password reset feature.
- C . Assign an Azure AD Premium P1 license to User2.
- D . Identify and resolve the misconfigured directory information for User2.
- E . Instruct User2 to wait 24 hours and try again.
C
Explanation:
To resolve the problem reported by User2, you need to assign an Azure AD Premium P1 license to User2. User2 is a member of the warehouse group, which is enabled for the self-service password reset (SSPR) feature. However, User2 cannot register for SSPR because they do not have a valid license that supports SSPR. To use SSPR, a user must have one of the following licenses: Azure AD Premium P1, Azure AD Premium P2, Enterprise Mobility + Security (EMS) E3 or EMS E5. By assigning an Azure AD Premium P1 license to User2, you can enable them to use the SSPR feature and reset their password without contacting the helpdesk.
Topic 3, Misc. Questions Set
A company connects their on-premises network by using Azure VPN Gateway. The on-premises environment includes three VPN devices that separately tunnel to the gateway by using Border Gateway Protocol (BGP).
A new subnet should be unreachable from the on-premises network. You need to implement a solution.
Solution: Configure a route table with route propagation disabled.
Does the solution meet the goal?
- A . Yes
- B . No
B
Explanation:
The proposed solution of configuring a route table with route propagation disabled will not meet the goal of making the new subnet unreachable from the on-premises network.
Route tables in Azure are used to control traffic flow within a virtual network and between virtual networks. By default, each subnet in an Azure virtual network is associated with a system-generated route table, which contains a default route that enables traffic to flow to and from all the subnets within the virtual network.
Disabling route propagation in a custom route table would prevent any new routes from being propagated to the associated subnets. However, it would not prevent traffic from the on-premises network from reaching the new subnet since traffic between the virtual network and the on-premises network would still use the default route in the system-generated route table.
To meet the goal of making the new subnet unreachable from the on-premises network, you would need to create a new route table with a route that sends traffic destined for the new subnet to a null interface. This would cause the traffic to be dropped and the subnet to be effectively unreachable from the on-premises network.
Reference:
Microsoft documentation on how to create a custom route table and associate it with a subnet: https://docs.microsoft.com/en-us/azure/virtual-network/manage-route-table#create-a-custom-route-table.
Microsoft documentation on how to configure a route to a null interface: https://docs.microsoft.com/en-us/azure/virtual-network/tutorial-create-route-table-portal#to-route-to-a-null-interface.
A company connects their on-premises network by using Azure VPN Gateway. The on-premises environment includes three VPN devices that separately tunnel to the gateway by using Border Gateway Protocol (BGP).
A new subnet should be unreachable from the on-premises network.
You need to implement a solution.
Solution: Disable peering on the virtual network.
Does the solution meet the goal?
- A . Yes
- B . No
B
Explanation:
Disabling peering on the virtual network will not prevent the on-premises network from reaching the new subnet. Virtual network peering is a way to connect virtual networks and allows resources in both virtual networks to communicate with each other securely. It does not affect connectivity between on-premises and virtual network resources.
A better solution would be to create a network security group (NSG) and associate it with the new subnet. The NSG can be configured to deny traffic from the on-premises network to the new subnet. This way, the new subnet will be isolated from the on-premises network.
Reference:
Azure Virtual Network peering: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview
Azure Network Security Groups: https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview
A company connects their on-premises network by using Azure VPN Gateway. The on-premises environment includes three VPN devices that separately tunnel to the gateway by using Border Gateway Protocol (BGP).
A new subnet should be unreachable from the on-premises network. You need to implement a solution.
Solution: Scale the gateway to Generation2.
Does the solution meet the goal?
- A . Yes
- B . No
B
Explanation:
Scaling the gateway to Generation2 will not prevent the on-premises network from reaching the new subnet. Scaling the gateway changes the hardware configuration of the VPN gateway, but it does not affect the routing or connectivity between the on-premises network and the virtual network.
A better solution would be to create a network security group (NSG) and associate it with the new subnet. The NSG can be configured to deny traffic from the on-premises network to the new subnet. This way, the new subnet will be isolated from the on-premises network.
Reference:
VPN Gateway Generation 2: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways#gwgen2
A company connects their on-premises network by using Azure VPN Gateway. The on-premises environment includes three VPN devices that separately tunnel to the gateway by using Border Gateway Protocol (BGP).
A new subnet should be unreachable from the on-premises network. You need to implement a solution.
Solution: Configure subnet delegation.
Does the solution meet the goal?
- A . Yes
- B . No
B
Explanation:
The proposed solution, which is to configure subnet delegation, does not meet the goal of making the new subnet unreachable from the on-premises network. Subnet delegation is a mechanism to delegate management of a subnet to another resource such as a Network Virtual Appliance or a Service Endpoint. It does not provide any means to restrict or isolate a subnet from the rest of the network.
To meet the goal, you can use Network Security Groups (NSGs) to restrict traffic to and from the new subnet. NSGs allow you to define inbound and outbound security rules that specify the type of traffic that is allowed or denied based on different criteria such as source or destination IP address, protocol, port number, etc. By creating a custom NSG and defining rules that deny traffic to and from the new subnet, you can effectively make that subnet unreachable from the on-premises network.
Therefore, the correct answer is option B, "No".
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/security-overview
https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview
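The isolation the four answers above converge on (an NSG that denies on-premises traffic in both directions, optionally backed by a null-interface route), as an added PowerShell example that is not part of the exam page. It assumes the Az module with an active session; the resource group, subnet name and on-premises prefix are placeholders, and associating the blackhole route table with GatewaySubnet is an assumption about where on-premises traffic enters the VNet.

```powershell
# Added example: make a new subnet unreachable from the on-premises network.
$rg         = '<resource-group>'     # placeholder
$vnetName   = 'VNet1'
$subnetName = '<isolated-subnet>'    # placeholder: the new subnet
$onPremCidr = '192.168.0.0/16'       # placeholder: prefix the on-prem BGP peers advertise
$location   = 'eastus'

$vnet   = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg
$subnet = Get-AzVirtualNetworkSubnetConfig -Name $subnetName -VirtualNetwork $vnet

# The default AllowVnetInBound rule (priority 65000) uses the VirtualNetwork tag,
# which also covers prefixes learned through the VPN gateway, so an explicit
# deny at a lower priority number is required in both directions.
$nsg = New-AzNetworkSecurityGroup -Name "nsg-$subnetName" -ResourceGroupName $rg -Location $location
$nsg | Add-AzNetworkSecurityRuleConfig -Name 'DenyInboundFromOnPrem' -Priority 100 `
    -Direction Inbound -Access Deny -Protocol '*' `
    -SourceAddressPrefix $onPremCidr -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange '*' | Out-Null
$nsg | Add-AzNetworkSecurityRuleConfig -Name 'DenyOutboundToOnPrem' -Priority 100 `
    -Direction Outbound -Access Deny -Protocol '*' `
    -SourceAddressPrefix '*' -SourcePortRange '*' `
    -DestinationAddressPrefix $onPremCidr -DestinationPortRange '*' | Out-Null
$nsg = Set-AzNetworkSecurityGroup -NetworkSecurityGroup $nsg

# Associate the NSG with the new subnet.
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName `
    -AddressPrefix $subnet.AddressPrefix -NetworkSecurityGroup $nsg | Out-Null
$vnet = Set-AzVirtualNetwork -VirtualNetwork $vnet

# Optional second layer: a route table on GatewaySubnet that sends the new
# subnet's prefix to next hop None, so the gateway drops it before forwarding.
# (Assumption: on-prem traffic enters only through this gateway.)
$rt = New-AzRouteTable -Name 'rt-gateway' -ResourceGroupName $rg -Location $location
$rt | Add-AzRouteConfig -Name 'BlackholeIsolatedSubnet' `
    -AddressPrefix $subnet.AddressPrefix[0] -NextHopType None | Out-Null
$rt = Set-AzRouteTable -RouteTable $rt
$gwSubnet = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'GatewaySubnet' `
    -AddressPrefix $gwSubnet.AddressPrefix -RouteTable $rt | Out-Null
Set-AzVirtualNetwork -VirtualNetwork $vnet | Out-Null

# Verify on a NIC inside the new subnet (placeholder name) that the denies are in force.
Get-AzEffectiveNetworkSecurityGroup -NetworkInterfaceName '<nic-in-subnet>' -ResourceGroupName $rg |
    Select-Object -ExpandProperty EffectiveSecurityRules |
    Where-Object { $_.Access -eq 'Deny' -and $_.Priority -lt 65000 } |
    Format-Table Name, Direction, Priority, SourceAddressPrefix, DestinationAddressPrefix -AutoSize
```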
A company uses Azure AD Connect. The company plans to implement self-service password reset (SSPR).
An administrator receives an error that password writeback could not be enabled during the Azure AD Connect configuration. The administrator observes the following event log error: Error getting auth token
You need to resolve the issue.
Solution: Restart the Azure AD Connect service.
Does the solution meet the goal?
- A . Yes
- B . No
A
Explanation:
A company uses Azure AD Connect. The company plans to implement self-service password reset (SSPR).
An administrator receives an error that password writeback could not be enabled during the Azure AD Connect configuration. The administrator observes the following event log error: Error getting auth token
You need to resolve the issue.
Solution: Use a global administrator account with a password that is less than 256 characters to configure Azure AD Connect.
Does the solution meet the goal?
- A . Yes
- B . No
B
Explanation:
No, restarting the Azure AD Connect service would not resolve the issue described in the scenario. The error message "Error getting auth token" indicates there is a problem with authentication, which is preventing password writeback from being enabled during the Azure AD Connect configuration.
To resolve this issue, you should first confirm that the Azure AD Connect server can authenticate to the Azure AD tenant by using a valid set of credentials. If authentication is successful, then you can investigate other possible causes such as network connectivity issues, misconfigured firewall rules, expired certificates, etc.
Therefore, the correct answer is option B, "No".
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/tshoot-connect-authentication
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/tshoot-connect-password-writeback#troubleshooting-steps
A company uses Azure AD Connect. The company plans to implement self-service password reset (SSPR).
An administrator receives an error that password writeback could not be enabled during the Azure AD Connect configuration. The administrator observes the following event log error: Error getting auth token
You need to resolve the issue.
Solution: Use a global administrator account that is not federated to configure Azure AD Connect. Does the solution meet the goal?
- A . Yes
- B . No
B
Explanation:
The proposed solution to use a global administrator account that is not federated to configure Azure AD Connect does not directly address the error message "Error getting auth token" described in the scenario, so it is unlikely to solve the issue.
To resolve this issue, you should verify that the Azure AD Connect server can authenticate to the Azure AD tenant using valid credentials. If authentication is successful, then you can investigate other possible causes such as network connectivity problems, misconfigured firewall rules, expired certificates, etc.
Therefore, the correct answer remains option B, "No".
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/tshoot-connect-authentication
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/tshoot-connect-password-writeback
A company uses Azure AD Connect. The company plans to implement self-service password reset (SSPR).
An administrator receives an error that password writeback could not be enabled during the Azure AD Connect configuration. The administrator observes the following event log error: Error getting auth token
You need to resolve the issue.
Solution: Disable password writeback and then enable password writeback.
Does the solution meet the goal?
- A . Yes
- B . No
B
Explanation:
The solution of disabling and re-enabling password writeback may not meet the goal of resolving the issue.
Microsoft's password writeback troubleshooting guidance lists other steps that you should try before disabling and re-enabling password writeback, such as:
✑ Confirm network connectivity
✑ Restart the Azure AD Connect Sync service
✑ Install the latest Azure AD Connect release
✑ Troubleshoot password writeback
If none of these steps work, then you can try to disable and re-enable password writeback as a last resort.
A company migrates an on-premises Windows virtual machine (VM) to Azure. An administrator enables backups for the VM by using the Azure portal.
The company reports that the Azure VM backup job is failing.
You need to troubleshoot the issue.
Solution: Install the VM guest agent by using administrative permissions.
Does the solution meet the goal?
- A . Yes
- B . No
A
Explanation:
Yes, installing the VM guest agent by using administrative permissions could resolve the issue of the Azure VM backup job failing after enabling backups for the VM through the Azure portal. When backing up a virtual machine in Azure, it is necessary to install the VM guest agent to enable proper communication between the VM and the backup service. An administrative user account is required to install the agent.
Therefore, the solution mentioned in the question is correct and the answer is A. Yes.
Reference:
Back up a virtual machine in Azure (Microsoft documentation)
A company migrates an on-premises Windows virtual machine (VM) to Azure. An administrator enables backups for the VM by using the Azure portal.
The company reports that the Azure VM backup job is failing.
You need to troubleshoot the issue.
Solution: Create a new manual backup in Backup center.
Does the solution meet the goal?
- A . Yes
- B . No
B
Explanation:
It is unlikely that creating a new manual backup in Backup center would resolve the issue of an Azure VM backup job failing after enabling backups for the VM through the Azure portal. To troubleshoot the issue, the administrator should first check the Azure VM backup job logs and identify the specific error message or code provided. This can help identify the underlying issue and the appropriate solution.
Therefore, the solution mentioned in the question is incorrect and the answer is B. No.
Reference:
Troubleshoot Azure VM backup failures (Microsoft documentation)
A company migrates an on-premises Windows virtual machine (VM) to Azure. An administrator enables backups for the VM by using the Azure portal.
The company reports that the Azure VM backup job is failing.
You need to troubleshoot the issue.
Solution: Enable replication and create a recovery plan for the backup vault.
Does the solution meet the goal?
- A . Yes
- B . No
B
Explanation:
The solution does not meet the goal. Enabling replication and creating a recovery plan for the backup vault is not relevant to troubleshooting an Azure VM backup job failure. The administrator should troubleshoot the issue by checking the VM’s disk configuration, checking the status of the VM guest agent, and ensuring that the backup policy is configured correctly.
A company migrates an on-premises Windows virtual machine (VM) to Azure. An administrator enables backups for the VM by using the Azure portal.
The company reports that the Azure VM backup job is failing.
You need to troubleshoot the issue.
Solution: Configure the retention range for the current VM backup policy.
Does the solution meet the goal?
- A . Yes
- B . No
B
Explanation:
It is unlikely that configuring the retention range for the current VM backup policy would resolve the issue of the Azure VM backup job failing after enabling backups for the VM through the Azure portal.
To troubleshoot the issue, the administrator should first check the Azure VM backup job logs and identify the specific error message or code provided. This can help identify the underlying issue and the appropriate solution.
Therefore, the solution mentioned in the question is incorrect and the answer is B. No.
Reference: Troubleshoot Azure VM backup failures (Microsoft documentation)
HOTSPOT
A company deploys an Azure Firewall.
The company reports the following log entry:
For each of the following questions, select Yes or No.
Explanation:
No, Yes, No
DRAG DROP
A customer has an Azure subscription. Microsoft Defender for servers is enabled for the subscription. The customer has not configured network security groups.
The customer configures a resource group named RG1 that contains the following resources:
• A virtual machine named VM1.
• A network interface named NIC1 that is attached to VM1.
The customer grants a user named Admin1 the following permission for RG1:
Microsoft.Security/locations/jitNetworkAccessPolicies/write.
Admin1 reports that the JIT VM access pane in the Azure portal does not show any entries.
When you view the same pane, VM1 appears on the Unsupported tab.
You need to ensure that Admin1 can enable just-in-time (JIT) VM access for VM1. The solution must adhere to the principle of least privilege.
Which three actions should you recommend be performed in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
DRAG DROP
A company has an Azure virtual network (VNet). An administrator creates a subnet in the VNet named AzureBastionSubnet. The administrator deploys Azure Bastion to AzureBastionSubnet.
The administrator creates a default network security group named nsg-Bastion. The following error message displays when the administrator attempts to assign nsg-Bastion to AzureBastionSubnet:
Network security group nsg-Bastion does not have necessary rules for Azure Bastion Subnet AzureBastionSubnet
You need to resolve the issues with the inbound security rules.
Which port or set of ports should you configure?
Explanation:
Ports or set of ports: 443 Source: Internet and GatewayManager
Ports or set of ports: 5701, 8080 Source: Virtual Network
Ports or set of ports: 443 Source: AzureLoadBalancer
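The rule set above, plus the outbound rules Bastion also requires before the subnet association is accepted, as an added PowerShell example (not from the exam page). It assumes the Az module with an active session; the resource group and VNet names are placeholders, and the data-plane ports are the documented 8080 and 5701.

```powershell
# Added example: populate nsg-Bastion with the rules Azure Bastion requires
# and associate it with AzureBastionSubnet.
$rg       = '<resource-group>'   # placeholder
$vnetName = '<vnet-name>'        # placeholder
$nsg      = Get-AzNetworkSecurityGroup -Name 'nsg-Bastion' -ResourceGroupName $rg

# Inbound: control plane (443) from Internet, GatewayManager and the platform
# load balancer; host-to-host data plane (8080, 5701) inside the VNet.
$inbound = @(
    @{ Name='AllowHttpsInbound';             Priority=120; Src='Internet';          Dst='*';              Ports=@('443') },
    @{ Name='AllowGatewayManagerInbound';    Priority=130; Src='GatewayManager';    Dst='*';              Ports=@('443') },
    @{ Name='AllowAzureLoadBalancerInbound'; Priority=140; Src='AzureLoadBalancer'; Dst='*';              Ports=@('443') },
    @{ Name='AllowBastionHostCommunication'; Priority=150; Src='VirtualNetwork';    Dst='VirtualNetwork'; Ports=@('8080','5701') }
)
foreach ($r in $inbound) {
    $nsg | Add-AzNetworkSecurityRuleConfig -Name $r.Name -Priority $r.Priority `
        -Direction Inbound -Access Allow -Protocol Tcp `
        -SourceAddressPrefix $r.Src -SourcePortRange '*' `
        -DestinationAddressPrefix $r.Dst -DestinationPortRange $r.Ports | Out-Null
}

# Outbound: SSH/RDP to target VMs, 443 to Azure control plane, data plane
# between Bastion hosts, and 80 to the Internet for session/certificate validation.
$outbound = @(
    @{ Name='AllowSshRdpOutbound';                Priority=100; Dst='VirtualNetwork'; Proto='*';   Ports=@('22','3389') },
    @{ Name='AllowAzureCloudOutbound';            Priority=110; Dst='AzureCloud';     Proto='Tcp'; Ports=@('443') },
    @{ Name='AllowBastionCommunicationOutbound';  Priority=120; Dst='VirtualNetwork'; Proto='*';   Ports=@('8080','5701') },
    @{ Name='AllowHttpOutbound';                  Priority=130; Dst='Internet';       Proto='*';   Ports=@('80') }
)
foreach ($r in $outbound) {
    $nsg | Add-AzNetworkSecurityRuleConfig -Name $r.Name -Priority $r.Priority `
        -Direction Outbound -Access Allow -Protocol $r.Proto `
        -SourceAddressPrefix '*' -SourcePortRange '*' `
        -DestinationAddressPrefix $r.Dst -DestinationPortRange $r.Ports | Out-Null
}
$nsg = Set-AzNetworkSecurityGroup -NetworkSecurityGroup $nsg

# Associate with AzureBastionSubnet; this is the step that previously failed.
$vnet   = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg
$subnet = Get-AzVirtualNetworkSubnetConfig -Name 'AzureBastionSubnet' -VirtualNetwork $vnet
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'AzureBastionSubnet' `
    -AddressPrefix $subnet.AddressPrefix -NetworkSecurityGroup $nsg | Out-Null
Set-AzVirtualNetwork -VirtualNetwork $vnet | Out-Null
```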
A company uses Azure virtual machines (VMs) in multiple regions.
The VMs have the following configuration:
The backend pool of an internal Azure Load Balancer (ILB) named ILB1 contains VM1 and VM2. The ILB uses the Basic SKU and is in a resource group RG2.
Virtual network peering has been configured between VNet1 and VNet2.
Users report that they are unable to connect to resources on VM1 and VM2 by using ILB1 from VM3.
You need to resolve the connectivity issues.
What should you do?
- A . Redeploy VM1 and VM2 into availability zones.
- B . Move ILB1 to RG1.
- C . Redeploy the ILB using the Standard SKU.
- D . Move VM1 and VM2 into RG3.
C
Explanation:
To resolve the connectivity issues, you need to redeploy the ILB using the Standard SKU. Basic Load Balancer does not support Global VNet Peering, which is required for cross-region communication between VMs in different VNets. Standard Load Balancer supports Global VNet Peering and can load balance traffic across regions and availability zones.