You need to connect an on-premises network and an Azure environment. The solution must use ExpressRoute and support failing over to a Site-to-Site VPN connection if there is an ExpressRoute failure.
What should you configure? Routing type: Number of virtual network gateways:.
You have an Azure subscription that contains a single virtual network and a virtual network gateway.
You need to ensure that administrators can use Point-to-Site (P2S) VPN connections to access resources in the virtual network. The connections must be authenticated by Azure Active Directory (Azure AD).
What should you configure? Azure AD configuration: P2S VPN tunnel type:.
The resources in Vnet2 can communicate with the resources in Vnet1 The resources in Vnet2 can communicate with the resources in Vnet3 The resources in Vnet2 can communicate with the resources in the on-premises network.
VM1 and VM4 can communicate VM2 and VM4 can communicate VM1 and VM5 can communicate.
ExpressRoute configuration: Peering:.
You need to implement outbound connectivity for VMScaleSet1. The solution must meet the virtual networking requirements and the business requirements.
Which three actions should you perform in sequence? First action Second action Third action.
You need to configure the default route in Vnet2 and Vnet3. The solution must meet the virtual networking requirements.
What should you use to configure the default route? a user-defined route assigned to GatewaySubnet in Vnet2 and Vnet3 a user-defined route assigned to GatewaySubnet in Vnet1 BGP route exchange route filters.
You need to implement a P2S VPN for the users in the branch office. The solution must meet the hybrid networking requirements.
What should you do? On the VPN gateway in Vnet1, set the P2S VPN tunnel type to In the litwareinc.com.tenant.
You are implementing the virtual network requirements for VM-Analyze.
What should you include in a custom route that is linked to Subnet2? Address prefix Next hop type.
You create NSG10 and NSG11 to meet the network security requirements.
For each of the following statements, select Yes of the statement is true. Otherwise, select No. From VM1, you can establish a Remote Desktop session with VM2 From VM2, you can ping VM1 From VM2, you can establish a Remote Desktop session with VM1.
You need to restrict traffic from VMScaleSet1 to VMScaleSet2. The solution must meet the virtual networking requirements.
What is the minimum number of custom NSG rules and NSG assignments required? Minimum number of custom NSG rules Minimum number of NSG assignments.
You need to implement name resolution for the cloud.liwareinc.com. The solution must meet the networking requirements.
What should you do? To implement automatic DNS name registration in cloud.litwareinc.com To implement name resolution of the cloud.litwareinc.com DNS records from the on-premises locations.
In which NSGs can you use ASG1 and to which virtual machine network interfaces can you associate ASG1? NSGs Virtual machines.
You have an Azure application gateway that has Azure Web Application Firewall (WAF) enabled.
You configure the application gateway to direct traffic to the URL of the application gateway.
You attempt to access the URL and receive an HTTP 403 error. You view the diagnostics log and discover the following error. (See image)
You need to ensure that the URL is accessible through the application gateway from any IP address.
Solution: You create a WAF policy exclusion for request headers that contain 137.135.10.24.
Does this meet the goal? Yes No.
Your company has 10 instances of a web service. Each instance is hosted in a different Azure region and is accessible through a public endpoint.
The development department at the company is creating an application named App1. Every 10 minutes, App1 will use a list of endpoints and connect to the first available endpoint.
You plan to use Azure Traffic Manager to maintain the list of endpoints.
You need to configure a Traffic Manager profile that will minimize the impact of DNS caching.
What should you configure? Traffic Manager algorithm Endpoint type.
You have an Azure Front Door instance named FrontDoor1.
You deploy two instances of an Azure web app to different Azure regions.
You plan to provide access to the web app through FrontDoor1 by using the name app1.contoso.com.
You need to ensure that FrontDoor1 is the entry point for requests that use app1.contoso.com.
Which three actions should you perform in sequence? First action Second action Third action.
You have a website that uses an FQDN of www.contoso.com. The DNS record for www. contoso.com resolves to an on-premises web server.
You plan to migrate the website to an Azure web app named Web1. The website on Web1 will be published by using an Azure Front Door instance named
ContosoFD1.
You build the website on Web1.
You plan to configure ContosoFD1 to publish the website for testing.
When you attempt to configure a custom domain for www.contoso.com on ContosoFD1, you receive the error message shown in the exhibit. (Click the Exhibit tab.)(See image)
You need to test the website and ContosoFD1 without affecting user access to the on-premises web server.
Which record should you create in the contoso.com DNS domain? a CNAME record that maps afdverify.www.contoso.com to ContosoFD1.azurefd.net a CNAME record that maps www.contoso.com to ContosoFD1.azurefd.net a CNAME record that maps afdverify.www.contoso.com to afdverify.ContosoFD1.azurefd.net a CNAME record that maps www.contoso.com to Web1.contoso.com.
You have the Azure load balancer shown in the Load Balancer exhibit. (See image1)
LB2 has the backend pools shown in the Backend Pools exhibit.(See image2)
You need to ensure that LB2 distributes traffic to all the members of VMSS1.
Which two actions should you perform? Add a network interface to VMSS1. Add a load balancing rule. Configure a health probe. Add a public IP address to each member of VMSS1.
You have an Azure subscription that contains the following resources:
✑ A virtual network named Vnet1
✑ Two subnets named subnet1 and AzureFirewallSubnet
✑ A public Azure Firewall named FW1
✑ A route table named RT1 that is associated to Subnet 1
✑ A rule routing of 0.0.0.0/0 to FW1 in RT1
After deploying 10 servers that run Windows Server to Subnet 1, you discover that none of the virtual machines were activated.
You need to ensure that the virtual machines can be activated.
What should you do? On FW1, configure a DNAT rule for port 1688. Deploy an application security group that allows outbound traffic to 1688. On FW1, create an outbound network rule that allows traffic to the Azure Key Management Service (KMS). On FW1, create an outbound service tag rule for Azure Cloud.
You have an Azure Front Door instance that has a single frontend named Frontend1 and an Azure Web Application Firewall (WAF) policy named Policy1. Policy1 redirects requests that have a header containing "string1" to https://www.contoso.com/redirect1. Policy1 is associated to Frontend1.
You need to configure additional redirection settings. Requests to Frontend1 that have a header containing "string2" must be redirected to https:// www.contoso.com/redirect2.
Which three actions should you perform? Create a custom rule. Create a policy. Create a frontend host. Configure a managed rule. Add a custom rule to Policy1. Create an association.
You have 10 Azure App Service instances. Each instance hosts the same web app. Each instance is in a different Azure region.
You need to configure Azure Traffic Manager to direct users to the instance that has the lowest latency.
Which routing method should you use? geographic weighted priority performance.
Your company has offices in London, Tokyo, and New York.
The company has a web app named App1 that has the Azure Traffic Manager profile shown in the following table.(See image)
In Asia, you plan to deploy an additional endpoint that will host an updated version of App1.
You need to route 10 percent of the traffic from the Tokyo office to the new endpoint during testing.
What should you configure in Traffic Manager? two profiles and five endpoints two profiles and four endpoints three profiles and four endpoints one profile and five endpoints.
You configure a route table named RT1 that has the routes shown in the following table.(See image1)
You have an Azure virtual network named Vnet1 that has the subnets shown in the following table.(See image2)
You have the resources shown in the following table.(See image3)
Vnet1 connects to an ExpressRoute circuit. The on-premises router advertises the following routes:
✑ 0.0.0.0/0
✑ 10.0.0.0/16
For each of the following statements, select Yes if the statement is true. Otherwise, select No. Internet traffic from NVA1 is routed to the on-premises network Traffic from VM2 to the on-premises network is routed through NVA1 Traffic from VM1 is routed to VM2 through NVA1.
You have an Azure subscription. The subscription contains virtual machines that host websites as shown in the following table.(See image1)
You have the Azure Traffic Manager profiles shown in the following table.(See image2)
You have the endpoints shown in the following table.(See image3)
For each of the following statements, select Yes if the statement is true. Otherwise, select No. A user that requests site1.contoso.com from the East US Azure region will connect to site1.us.contoso.com A user that requests site2.contoso.com from the East US Azure region will connect to site2.uk.contoso.com A user that requests site2.contoso.com from the Japan East Azure region will connect to site2.japan.contoso.com.
You have an Azure application gateway configured for a single website that is available at https://www.contoso.com.
The application gateway contains one backend pool and one rule. The backend pool contains two backend servers. Each backend server has an additional website that is available on port 8080.
You need to ensure that if port 8080 is unavailable on a backend server, all the traffic for https://www.contoso.com is redirected to the other backend server.
What should you do? Create a health probe Add a new rule Change the port on the listener Add a new listener.
You have an Azure subscription that contains the following resources:
• A virtual network named Vnet1
• Two subnets named subnet1 and AzureFirewallSubnet
• A public Azure Firewall named FW1
• A route table named RT1 that is associated to Subnet1
• A rule routing of 0.0.0.0/0 to FW1 in RT1
After deploying 10 servers that run Windows Server to Subnet1, you discover that none of the virtual machines were activated.
You need to ensure that the virtual machines can be activated.
What should you do? On FW1, create an outbound service tag rule for AzureCloud. Add an internet route to RT1 for the Azure Key Management Service (KMS). On FW1, configure a DNAT rule for port 1688. Deploy an Azure Standard Load Balancer that has an outbound NAT rule.
You have an Azure subscription.
You plan to implement Azure Virtual WAN as shown in the following exhibit.(See image)
What is the minimum number of route tables that you should create? 1 2 4 6.
You have an internal Basic Azure Load Balancer named LB1 that has two frontend IP addresses. The backend pool of LB1 contains two Azure virtual machines named VM1 and VM2.
You need to configure the rules on LB1 as shown in the following table.(See image)
What should you do for each rule? Enable Floating IP. Disable Floating IP. Set Session persistence to Enabled. Set Session persistence to Disabled.
Your company has 40 branch offices that are linked by using a Software-Defined Wide Area Network (SD-WAN). The SD-WAN uses BGP.
You have an Azure subscription that contains 20 virtual networks configured as a hub and spoke topology. The topology contains a hub virtual network named Vnet1.
The virtual networks connect to the SD-WAN by using a network virtual appliance (NVA) in Vnet1.
You need to ensure that BGP route advertisements will propagate between the virtual networks and the SD-WAN. The solution must minimize administrative effort.
What should you implement? An Azure VPN Gateway that has BGP enabled a NAT gateway Azure Traffic Manager Azure Route Server.
You have an Azure load balancer that has the following configurations:
• Name: LB1
• Location: East US 2
• SKU: Standard
• Private IP address: 10.3.0.7
• Load balancing rule: rule1 (Tcp/80)
• Health probe: probe1 (Http:80)
• NAT rules: 0 inbound
The backend pool of LB1 has the following configurations:
• Name: backend1
• Virtual network: Vnet2
• Backend pool configuration: NIC
• IP version: IPv4
• Virtual machines: VM1, VM2, VM3
You have an Azure virtual machine named VM4 that has the following network configurations:
• Network interface: vm4981
• Virtual network/subnet: Vnet3/Subnet3
• NIC private IP address: 10.4.0.4
• Accelerated networking: Enabled
For each of the following statements, select Yes if the statement is true. Otherwise, select No. To add VM4 to LB1, you must create a new backend pool VM1 is connected to Vnet2 Connections to HTTPS://10.3.0.7 will be load balanced between VM1, VM2, and VM3.
Your company, named Contoso, Ltd., has an Azure subscription that contains the resources shown in the following table.(See image)
You plan to deploy Azure Front Door. The solution must meet the following requirements:
• Requests to a URL of https://contoso.azurefd.net/uk must be routed to App1uk.
• Requests to a URL of https://contoso.azurefd.net/us must be routed to App1us.
• Requests to a URL of https://contoso.azurefd.net/images must be routed to the storage account closest to the user.
What is the minimum number of backend pools and routing rules you should create? Backend pools Routing rules.
You have an Azure subscription that contains the resource groups shown in the following table.(See image1)
You have the virtual networks shown in the following table.(See image2)
Vnet1 contains two virtual machines named VM1 and VM2. Vnet2 contains two virtual machines named VM3 and VM4.
You have the network security groups (NSGs) shown in the following table that include only default rules.(See image3)
You have the Azure load balancers shown in the following table.(See image4)
For each of the following statements, select Yes if the statement is true. Otherwise, select No. VM2 can be added to the backend pool of Lb2 VM4 can access VM3 via port 1433 by using the frontend address of Lb2 VM1 can be accessed via port 80 from the internet by using the frontend address of Lb1.
You have an Azure subscription that contains the resources shown in the following table.(See image)
Gateway1 provides access to App1 by using a URL of https://app1.contoso.com.
You create a new web app named App2.
You need to configure Gateway1 to enable access to App2 by using a URL of https://app2.contoso.com. The solution must minimize administrative effort.
What should you configure on Gateway1? a backend pool and a routing rule a listener and a routing rule a listener, a backend pool, and a routing rule a listener and a backend pool.
You have two Azure virtual networks in the East US Azure region as shown in the following table.(See image)
The virtual networks are peered to one another. Each virtual network contains four subnets.
You plan to deploy a virtual machine named VM1 that will inspect and route traffic between all the subnets on both the virtual networks.
What is the minimum number of IP addresses that you must assign to VM1? 1 2 4 8.
You have an Azure subscription that contains the following resources:
• A virtual network named Vnet1
• Two subnets named subnet1 and AzureFirewallSubnet
• A public Azure Firewall named FW1
• A route table named RT1 that is associated to Subnet1
• A rule routing of 0.0.0.0/0 to FW1 in RT1
After deploying 10 servers that run Windows Server to Subnet1, you discover that none of the virtual machines were activated.
You need to ensure that the virtual machines can be activated.
What should you do? On FW1, configure a DNAT rule for port 1688 Deploy a NAT gateway. Add an internet route to RT1 for the Azure Key Management Service (KMS). To Subnet1, associate a network security group (NSG) that allows outbound access to port 1688.
You have an on-premises network.
You have an Azure subscription that includes a virtual network named VNet1 and a private Azure Kubernetes Service (AKS) cluster named AKS1. VNet1 is connected to your on-premises environment via an Azure ExpressRoute circuit. AKS1 is connected to VNet1.
You need to implement an off-cluster ingress controller for AKS1. The solution must provide connectivity from the on-premises environment to containerized workloads hosted on AKS1.
Which Azure service should you use? Azure Application Gateway Azure Front Door Azure Traffic Manager Azure Load Balancer.
You are planning an Azure Front Door deployment that will contain the resources shown in the following table.(See image)
Users will connect to the App Service through Front Door by using a URL of https://www.fabrikam.com.
You obtain a certificate for the host name of www.fabrikam.com.
You need to configure a DNS record for www.fabrikam.com and upload the certificate to Azure.
What should you do? Upload the certificate to Set the DNS record target to.
You have an Azure subscription that contains an app named App1. App1 is hosted on the Azure App Service instances shown in the following table.(See image)
You need to implement Azure Traffic Manager to meet the following requirements:
• App1 traffic must be assigned equally to each App Service instance in each Azure region.
• App1 traffic from North Europe must be routed to the App1 instances in the North Europe region.
• App1 traffic from North America must be routed to the App1 instances in the East US Azure region.
• If an App Service instance fails, all the traffic for that instance must be routed to the remaining instances in the same region.
How should you configure the Traffic Manager profiles? Minimum number of Traffic Manager profiles required Routing method for the traffic in each region.
You have an Azure subscription that contains the Azure App Service web apps shown in the following table.(See image)
You need to deploy Azure Traffic Manager. The solution must meet the following requirements:
• Traffic to https://www.fabrikam.com must be directed to App1eu.
• If App1eu becomes unresponsive, all the traffic to https://www.fabrikam.com must be directed to App1us.
You need to implement Traffic Manager to meet the requirements.
Which two resources should you create? a Traffic Manager profile that uses the priority routing method a Traffic Manager profile that uses the geographic routing method a CNAME record in a DNS domain named fabrikam.com a TXT record in a DNS domain named fabricam.com a real user measurements key in Traffic Manager.
You have an Azure subscription that contains an app named App1. App1 is deployed to the Azure App Service apps shown in the following table.(See image)
You need to publish App1 by using Azure Front Door. The solution must ensure that all the requests to App1 are load balanced between all the available worker instances.
What is the minimum number of origin groups and origins that you should configure? Origin groups Origins.
You have an Azure subscription that contains the following resources:
• A virtual network named Vnet1
• Two subnets named subnet1 and AzureFirewallSubnet
• A public Azure Firewall named FW1
• A route table named RT1 that is associated to Subnet1
• A rule routing of 0.0.0.0/0 to FW1 in RT1
After deploying 10 servers that run Windows Server to Subnet1, you discover that none of the virtual machines were activated.
You need to ensure that the virtual machines can be activated.
What should you do? On FW1, configure a DNAT rule for port 1688. On FW1, create an outbound network rule that allows traffic to the Azure Key Management Service (KMS). Deploy an application security group that allows outbound traffic to 1688. Deploy an Azure Standard Load Balancer that has an outbound NAT rule.
You have an Azure virtual machine named VM1.
You need to capture all the network traffic of VM1 by using Azure Network Watcher.
To which locations can the capture be written? blob storage only blob storage, a file path on VM1, and a premium storage account a file path on VM1 only blob storage and a file path on VM1 only blob storage and a premium storage account only a premium storage account only.
You have an Azure virtual network that contains the subnets shown in the following table.
You deploy an Azure firewall to AzureFirewallSubnet. You route all traffic from Subnet2 through the firewall.
You need to ensure that all the hosts on Subnet2 can access an external site located at https://*.contoso.com.
What should you do? In a firewall policy, create a DNAT rule. Create a network security group (NSG) and associate the NSG to Subnet2. In a firewall policy, create a network rule. In a firewall policy, create an application rule.
You have an Azure subscription that contains multiple virtual machines in the West US Azure region.
You need to use Traffic Analytics.
Which two resources should you create? an Azure Monitor workbook a Log Analytics workspace a storage account an Azure Sentinel workspace an Azure Monitor data collection rule.
You have an Azure subscription that contains the virtual machines shown in the following table.(See image)
Subnet1 and Subnet2 are associated to a network security group (NSG) named NSG1 that has the following outbound rule:
✑ Priority: 100
✑ Port: Any
✑ Protocol: Any
✑ Source: Any
✑ Destination: Storage
✑ Action: Deny
You create a private endpoint that has the following settings:
✑ Name: Private1
✑ Resource type: Microsoft.Storage/storageAccounts
✑ Resource: storage1
✑ Target sub-resource: blob
✑ Virtual network: Vnet1
✑ Subnet: Subnet1
For each of the following statements, select Yes if the statement is true. Otherwise, select No. From VM2, you can create a container in storage1 From VM1, you can upload data to a blob storage container in storage1 From VM2, you can upload data to a blob storage container in storage1.
You have an Azure firewall shown in the following exhibit. On Firewall1, forced tunneling On Firewall1, management by Azure Firewall Manager.
You have an Azure subscription that contains the resources shown in the following table.(See image)
Users on HP1 connect to App1 by using a URL of https://app1.contoso.com.
You need to ensure that the IDPS on FW1 can identify security threats in the connections from HP1 to Server1.
Which two actions should you perform? Enable TLS inspection for FW1. Import a server certificate to KV1. Enable threat intelligence for FW1. Add an application group to HP1. Add a secured virtual network to FW1.
You have an Azure subscription that contains the resources shown in the following table.(See image)
Subnet1 contains three virtual machines that host an app named App1. App1 is accessed by using the SFTP protocol.
From NSG1, you configure an inbound security rule named Rule2 that allows inbound SFTP connections to ASG1.
You need to ensure that the inbound SFTP connections are managed by using ASG1. The solution must minimize administrative effort.
What should you do? From NSG1, modify the priority of Rule2. From each virtual machine, associate the network interface to ASG1. From Subnet1, create a subnet delegation. From ASG1, modify the role assignments.
You have an Azure subscription that contains a virtual network named Vnet1. Vnet1 contains 20 subnets and 500 virtual machines. Each subnet contains a virtual machine that runs network monitoring software.
You have a network security group (NSG) named NSG1 associated to each subnet.
When a new subnet is created in Vnet1 an automated process creates an additional network monitoring virtual machine in the subnet and links the subnet to NSG1.
You need to create an inbound security rule in NSG1 that will allow connections to the network monitoring virtual machines from an IP address of 131.107.1.15. The solution must meet the following requirements:
• Ensure that only the monitoring virtual machines receive a connection from 131.1071.15.
• Minimize changes to NSG1 when a new subnet is created.
What should you use as the destination in the inbound security rule? an application security group a service tag a virtual network an IP address.
You have an Azure subscription that contains the following resources:
• A virtual network named Vnet1
• Two subnets named subnet1 and AzureFirewallSubnet
• A public Azure Firewall named FW1
• A route table named RT1 that is associated to Subnet1
• A rule routing of 0.0.0.0/0 to FW1 in RT1
After deploying 10 servers that run Windows Server to Subnet1, you discover that none of the virtual machines were activated.
You need to ensure that the virtual machines can be activated.
What should you do? On FW1, create an outbound network rule that allows traffic to the Azure Key Management Service (KMS). On FW1, create an outbound service tag rule for Azure Cloud. Deploy a NAT gateway. On FW1, configure a DNAT rule for port 1688.
You have an Azure application gateway named AppGw1.
You need to create a rewrite rule for AppGw1. The solution must rewrite the URL of requests from https://www.contoso.com/fashion/shirts to https://www.contoso.com/buy.aspx?category=fashion&product=shirts.
How should you complete the rule? Box1 Box2.
You have an Azure subscription that contains a user named Admin1 and a resource group named RG1.
RG1 contains an Azure Network Watcher instance named NW1.
You need to ensure that Admin1 can place a lock on NW1. The solution must use the principle of least privilege.
Which role should you assign to Admin1? User Access Administrator Resource Policy Contributor Network Contributor Monitoring Contributor.
You need to use Traffic Analytics to monitor the usage of applications deployed to Azure virtual machines.
Which Azure Network Watcher feature should you implement first? NSG flow logs IP flow verify Connection monitor Packet capture.
You have an Azure subscription that contains the following resources:
✑ A virtual network named Vnet1
A subnet named Subnet1 in Vnet1 -
✑ A virtual machine named VM1 that connects to Subnet1
✑ Three storage accounts named storage1, storage2, and storage3
You need to ensure that VM1 can access storage1. VM1 must be prevented from accessing any other storage accounts.
Solution: You create a network security group (NSG). You configure a service tag for Microsoft.Storage and link the tag to Subnet1.
Does this meet the goal? Yes No.
You have an Azure subscription that contains the following resources:
✑ A virtual network named Vnet1
✑ A subnet named Subnet1 in Vnet1
✑ A virtual machine named VM1 that connects to Subnet1
✑ Three storage accounts named storage1, storage2, and storage3
You need to ensure that VM1 can access storage1. VM1 must be prevented from accessing any other storage accounts.
Solution: You create a network security group (NSG) and associate the NSG to Subnet1.
Does this meet the goal? Yes No.
You have an Azure subscription that contains the following resources:
✑ A virtual network named Vnet1
✑ A subnet named Subnet1 in Vnet1
✑ A virtual machine named VM1 that connects to Subnet1
✑ Three storage accounts named storage1, storage2, and storage3
You need to ensure that VM1 can access storage1. VM1 must be prevented from accessing any other storage accounts.
Solution: You configure the firewall on storage1 to only accept connections from Vnet1.
Does this meet the goal? Yes No.
|
