Question 1
Question
Question #01 Pagina35 - 31
HOTSPOT -
You have an Azure subscription named Subscription1 that contains the virtual networks in the following table.
Subscription1 contains the virtual machines in the following table.
In Subscription1, you create a load balancer that has the following configurations:
✑ Name: LB1
✑ SKU: Basic
✑ Type: Internal
✑ Subnet: Subnet12
✑ Virtual network: VNET1
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Question 2
Question
Question #02 Pagina35 - 32
HOTSPOT -
You have an Azure virtual machine that runs Windows Server 2019 and has the following configurations:
✑ Name: VM1
✑ Location: West US
✑ Connected to: VNET1
✑ Private IP address: 10.1.0.4
✑ Public IP addresses: 52.186.85.63
✑ DNS suffix in Windows Server: Adatum.com
You create the Azure DNS zones shown in the following table.
You need to identify which DNS zones you can link to VNET1 and the DNS zones to which VM1 can automatically register.
Which zones should you identify? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Question 3
Question
Question #03 Pagina35 - 33
DRAG DROP -
You have an on-premises network that you plan to connect to Azure by using a site-so-site VPN.
In Azure, you have an Azure virtual network named VNet1 that uses an address space of 10.0.0.0/16 VNet1 contains a subnet named Subnet1 that uses an address space of 10.0.0.0/24.
You need to create a site-to-site VPN to Azure.
Which four actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
NOTE: More than one order of answer choice is correct. You will receive credit for any of the correct orders you select.
Select and Place:
Question 4
Question
Question #04 Pagina35 - 34
You have an Azure subscription that contains the resources in the following table.
VM1 and VM2 are deployed from the same template and host line-of-business applications.
You configure the network security group (NSG) shown in the exhibit. (Click the Exhibit tab.)
You need to prevent users of VM1 and VM2 from accessing websites on the Internet over TCP port 80.
What should you do?
Answer
-
Disassociate the NSG from a network interface
-
Change the Port_80 inbound security rule.
-
Associate the NSG to Subnet1.
-
Change the DenyWebSites outbound security rule.
Question 5
Question
Question #05 Pagina35 - 35
You have two subscriptions named Subscription1 and Subscription2. Each subscription is associated to a different Azure AD tenant.
Subscription1 contains a virtual network named VNet1. VNet1 contains an Azure virtual machine named VM1 and has an IP address space of 10.0.0.0/16.
Subscription2 contains a virtual network named VNet2. VNet2 contains an Azure virtual machine named VM2 and has an IP address space of 10.10.0.0/24.
You need to connect VNet1 to VNet2.
What should you do first?
Answer
-
Move VM1 to Subscription2.
-
Move VNet1 to Subscription2.
-
Modify the IP address space of VNet2.
-
Provision virtual network gateways.
Question 6
Question
Question #06 Pagina36 - 36
You plan to create an Azure virtual machine named VM1 that will be configured as shown in the following exhibit.
The planned disk configurations for VM1 are shown in the following exhibit.
You need to ensure that VM1 can be created in an Availability Zone.
Which two settings should you modify? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
Answer
-
Use managed disks
-
OS disk type
-
Availability options
-
Size
-
Image
Question 7
Question
Question #07 Pagina36 - 37
HOTSPOT -
You have an Azure subscription that contains the resources shown in the following table.
VMSS1 is set to VM (virtual machines) orchestration mode.
You need to deploy a new Azure virtual machine named VM1, and then add VM1 to VMSS1.
Which resource group and location should you use to deploy VM1? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Question 8
Question
Question #08 Pagina36 - 38
HOTSPOT -
You have an Azure subscription that contains three virtual networks named VNET1, VNET2, and VNET3.
Peering for VNET1 is configured as shown in the following exhibit.
Peering for VNET2 is configured as shown in the following exhibit.
Peering for VNET3 is configured as shown in the following exhibit.
How can packets be routed between the virtual networks? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Question 9
Question
Question #09 Pagina36 - 39
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have a computer named Computer1 that has a point-to-site VPN connection to an Azure virtual network named VNet1. The point-to-site connection uses a self-signed certificate.
From Azure, you download and install the VPN client configuration package on a computer named Computer2.
You need to ensure that you can establish a point-to-site VPN connection to VNet1 from Computer2.
Solution: You modify the Azure Active Directory (Azure AD) authentication policies.
Does this meet the goal?
Question 10
Question
Question #10 Pagina36 - 40
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have a computer named Computer1 that has a point-to-site VPN connection to an Azure virtual network named VNet1. The point-to-site connection uses a self-signed certificate.
From Azure, you download and install the VPN client configuration package on a computer named Computer2.
You need to ensure that you can establish a point-to-site VPN connection to VNet1 from Computer2.
Solution: You join Computer2 to Azure Active Directory (Azure AD).
Does this meet the goal?
Question 11
Question
Question #11 Pagina37 - 41
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription that contains 10 virtual networks. The virtual networks are hosted in separate resource groups.
Another administrator plans to create several network security groups (NSGs) in the subscription.
You need to ensure that when an NSG is created, it automatically blocks TCP port 8080 between the virtual networks.
Solution: You create a resource lock, and then you assign the lock to the subscription.
Does this meet the goal?
Question 12
Question
Question #12 Pagina37 - 42
You have an Azure subscription named Subscription1. Subscription1 contains a virtual machine named VM1.
You have a computer named Computer1 that runs Windows 10. Computer1 is connected to the Internet.
You add a network interface named vm1173 to VM1 as shown in the exhibit. (Click the Exhibit tab.)
From Computer1, you attempt to connect to VM1 by using Remote Desktop, but the connection fails.
You need to establish a Remote Desktop connection to VM1.
What should you do first?
Answer
-
Change the priority of the RDP rule
-
Attach a network interface
-
Delete the DenyAllInBound rule
-
Start VM1
Question 13
Question
Question #13 Pagina37 - 43
You have the Azure virtual machines shown in the following table.
A DNS service is installed on VM1.
You configure the DNS servers settings for each virtual network as shown in the following exhibit.
You need to ensure that all the virtual machines can resolve DNS names by using the DNS service on VM1.
What should you do?
Answer
-
Configure a conditional forwarder on VM1
-
Add service endpoints on VNET1
-
Add service endpoints on VNET2 and VNET3
-
Configure peering between VNET1, VNET2, and VNET3
Question 14
Question
Question #14 Pagina37 - 44
HOTSPOT -
You have an Azure subscription that contains the Azure virtual machines shown in the following table.
You add inbound security rules to a network security group (NSG) named NSG1 as shown in the following table.
You run Azure Network Watcher as shown in the following exhibit.
You run Network Watcher again as shown in the following exhibit.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Answer
-
-
Box 1: No
NSG1 limits the traffic that is flowing into 172.16.2.0/24 (Subnet2), which host VM2.
Box 2: Yes
Since Network Watcher is showing that traffic from VM1 to VM2 is not reaching on the TCP port, that means that NSG1 is applied to VM2. We can understand for sure, that it is not applied to VM1.
Box 3: Yes
In Network Watcher, you can see that the next hop is the destination VM2. This means that they are part of the same virtual network.
Question 15
Question
Question #15 Pagina37 - 45
You have the Azure virtual network named VNet1 that contains a subnet named Subnet1. Subnet1 contains three Azure virtual machines. Each virtual machine has a public IP address.
The virtual machines host several applications that are accessible over port 443 to users on the Internet.
Your on-premises network has a site-to-site VPN connection to VNet1.
You discover that the virtual machines can be accessed by using the Remote Desktop Protocol (RDP) from the Internet and from the on-premises network.
You need to prevent RDP access to the virtual machines from the Internet, unless the RDP connection is established from the on-premises network. The solution must ensure that all the applications can still be accessed by the Internet users.
What should you do?
Answer
-
Modify the address space of the local network gateway
-
Create a deny rule in a network security group (NSG) that is linked to Subnet1
-
Remove the public IP addresses from the virtual machines
-
Modify the address space of Subnet1
Question 16
Question
Question #16 Pagina38 - 46
You have an Azure subscription that contains the resources in the following table.
Subnet1 is associated to VNet1. NIC1 attaches VM1 to Subnet1.
You need to apply ASG1 to VM1.
What should you do?
Question 17
Question
Question #17 Pagina38 - 47
You have an Azure subscription named Subscription1 that contains an Azure virtual network named VNet1. VNet1 connects to your on-premises network by using
Azure ExpressRoute.
You plan to prepare the environment for automatic failover in case of ExpressRoute failure.
You need to connect VNet1 to the on-premises network by using a site-to-site VPN. The solution must minimize cost.
Which three actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
Answer
-
Create a connection
-
Create a local site VPN gateway
-
Create a VPN gateway that uses the VpnGw1 SKU
-
Create a gateway subnet
-
Create a VPN gateway that uses the Basic SKU
Question 18
Question
Question #18 Pagina38 - 48
HOTSPOT -
You have peering configured as shown in the following exhibit.
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
NOTE: Each correct selection is worth one point.
Hot Area:
Question 19
Question
Question #19 Pagina38 - 49
HOTSPOT -
You have an Azure subscription that contains the resources in the following table.
You install the Web Server server role (IIS) on VM1 and VM2, and then add VM1 and VM2 to LB1.
LB1 is configured as shown in the LB1 exhibit. (Click the LB1 tab.)
Rule1 is configured as shown in the Rule1 exhibit. (Click the Rule1 tab.)
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Question 20
Question
Question #20 Pagina38 - 50
HOTSPOT -
You have an Azure virtual machine named VM1 that connects to a virtual network named VNet1. VM1 has the following configurations:
✑ Subnet: 10.0.0.0/24
✑ Availability set: AVSet
✑ Network security group (NSG): None
✑ Private IP address: 10.0.0.4 (dynamic)
✑ Public IP address: 40.90.219.6 (dynamic)
You deploy a standard, Internet-facing load balancer named slb1.
You need to configure slb1 to allow connectivity to VM1.
Which changes should you apply to VM1 as you configure slb1? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Question 21
Question
Question #21 Pagina39 - 51
You have an Azure subscription that contains the resources shown in the following table.
You need to create a network interface named NIC1.
In which location can you create NIC1?
Answer
-
East US and North Europe only
-
East US only
-
East US, West Europe, and North Europe
-
East US and West Europe only
Question 22
Question
Question #22 Pagina39 - 52
You have Azure virtual machines that run Windows Server 2019 and are configured as shown in the following table.
You create a public Azure DNS zone named adatum.com and a private Azure DNS zone named contoso.com.
For controso.com, you create a virtual network link named link1 as shown in the exhibit. (Click the Exhibit tab.)
You discover that VM1 can resolve names in contoso.com but cannot resolve names in adatum.com. VM1 can resolve other hosts on the Internet.
You need to ensure that VM1 can resolve host names in adatum.com.
What should you do?
Answer
-
Update the DNS suffix on VM1 to be adatum.com
-
Configure the name servers for adatum.com at the domain registrar
-
Create an SRV record in the contoso.com zone
-
Modify the Access control (IAM) settings for link1
Question 23
Question
Question #23 Pagina39 - 53
HOTSPOT -
You plan to use Azure Network Watcher to perform the following tasks:
✑ Task1: Identify a security rule that prevents a network packet from reaching an Azure virtual machine.
✑ Task2: Validate outbound connectivity from an Azure virtual machine to an external host.
Which feature should you use for each task? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Question 24
Question
Question #24 Pagina39 - 54
HOTSPOT -
You have an Azure subscription that contains the Azure virtual machines shown in the following table.
You configure the network interfaces of the virtual machines to use the settings shown in the following table.
From the settings of VNET1 you configure the DNS servers shown in the following exhibit.
The virtual machines can successfully connect to the DNS server that has an IP address of 192.168.10.15 and the DNS server that has an IP address of
193.77.134.10.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Question 25
Question
Question #25 Pagina39 - 55
HOTSPOT -
You have an Azure subscription that contains the resource groups shown in the following table.
RG1 contains the resources shown in the following table.
You need to identify which resources you can move from RG1 to RG2, and which resources you can move from RG2 to RG1.
Which resources should you identify? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Answer
-
-
Box 1: IP1, VNET2, and storage1
Box 2: IP2, VNET2, and storage2
Question 26
Question
Question #26 Pagina40 - 56
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription that contains the virtual machines shown in the following table.
You deploy a load balancer that has the following configurations:
✑ Name: LB1
✑ Type: Internal
✑ SKU: Standard
✑ Virtual network: VNET1
You need to ensure that you can add VM1 and VM2 to the backend pool of LB1.
Solution: You create a Basic SKU public IP address, associate the address to the network interface of VM1, and then start VM1.
Does this meet the goal?
Question 27
Question
Question #27 Pagina40 - 57
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription that contains the virtual machines shown in the following table.
You deploy a load balancer that has the following configurations:
✑ Name: LB1
✑ Type: Internal
✑ SKU: Standard
✑ Virtual network: VNET1
You need to ensure that you can add VM1 and VM2 to the backend pool of LB1.
Solution: You create a Standard SKU public IP address, associate the address to the network interface of VM1, and then stop VM2.
Does this meet the goal?
Question 28
Question
Question #28 Pagina40 - 58
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription that contains the virtual machines shown in the following table.
You deploy a load balancer that has the following configurations:
✑ Name: LB1
✑ Type: Internal
✑ SKU: Standard
✑ Virtual network: VNET1
You need to ensure that you can add VM1 and VM2 to the backend pool of LB1.
Solution: You create two Standard public IP addresses and associate a Standard SKU public IP address to the network interface of each virtual machine.
Does this meet the goal?
Question 29
Question
Question #29 Pagina40 - 59
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have a computer named Computer1 that has a point-to-site VPN connection to an Azure virtual network named VNet1. The point-to-site connection uses a self-signed certificate.
From Azure, you download and install the VPN client configuration package on a computer named Computer2.
You need to ensure that you can establish a point-to-site VPN connection to VNet1 from Computer2.
Solution: You export the client certificate from Computer1 and install the certificate on Computer2.
Does this meet the goal?
Question 30
Question
Question #30 Pagina40 - 60
You have an Azure virtual machine named VM1.
The network interface for VM1 is configured as shown in the exhibit. (Click the Exhibit tab.)
You deploy a web server on VM1, and then create a secure website that is accessible by using the HTTPS protocol. VM1 is used as a web server only.
You need to ensure that users can connect to the website from the Internet.
What should you do?
Answer
-
Modify the protocol of Rule4
-
Delete Rule1
-
For Rule5, change the Action to Allow and change the priority to 401
-
Create a new inbound rule that allows TCP protocol 443 and configure the rule to have a priority of 501.
Question 31
Question
Question #31 Pagina41 - 61
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription that contains 10 virtual networks. The virtual networks are hosted in separate resource groups.
Another administrator plans to create several network security groups (NSGs) in the subscription.
You need to ensure that when an NSG is created, it automatically blocks TCP port 8080 between the virtual networks.
Solution: From the Resource providers blade, you unregister the Microsoft.ClassicNetwork provider.
Does this meet the goal?
Question 32
Question
Question #32 Pagina41 - 62
HOTSPOT -
You manage two Azure subscriptions named Subscription1 and Subscription2.
Subscription1 has following virtual networks:
The virtual networks contain the following subnets:
Subscription2 contains the following virtual network:
✑ Name: VNETA
✑ Address space: 10.10.128.0/17
✑ Location: Canada Central
VNETA contains the following subnets:
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Question 33
Question
Question #33 Pagina41 - 63
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an app named App1 that is installed on two Azure virtual machines named VM1 and VM2. Connections to App1 are managed by using an Azure Load
Balancer.
The effective network security configurations for VM2 are shown in the following exhibit.
You discover that connections to App1 from 131.107.100.50 over TCP port 443 fail.
You verify that the Load Balancer rules are configured correctly.
You need to ensure that connections to App1 can be established successfully from 131.107.100.50 over TCP port 443.
Solution: You create an inbound security rule that denies all traffic from the 131.107.100.50 source and has a cost of 64999.
Does this meet the goal?
Question 34
Question
Question #34 Pagina41 - 64
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an app named App1 that is installed on two Azure virtual machines named VM1 and VM2. Connections to App1 are managed by using an Azure Load
Balancer.
The effective network security configurations for VM2 are shown in the following exhibit.
You discover that connections to App1 from 131.107.100.50 over TCP port 443 fail.
You verify that the Load Balancer rules are configured correctly.
You need to ensure that connections to App1 can be established successfully from 131.107.100.50 over TCP port 443.
Solution: You delete the BlockAllOther443 inbound security rule.
Does this meet the goal?
Question 35
Question
Question #35 Pagina41 - 65
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an app named App1 that is installed on two Azure virtual machines named VM1 and VM2. Connections to App1 are managed by using an Azure Load
Balancer.
The effective network security configurations for VM2 are shown in the following exhibit.
You discover that connections to App1 from 131.107.100.50 over TCP port 443 fail.
You verify that the Load Balancer rules are configured correctly.
You need to ensure that connections to App1 can be established successfully from 131.107.100.50 over TCP port 443.
Solution: You modify the priority of the Allow_131.107.100.50 inbound security rule.
Does this meet the goal?
Question 36
Question
Question #36 Pagina42 - 66
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription that contains 10 virtual networks. The virtual networks are hosted in separate resource groups.
Another administrator plans to create several network security groups (NSGs) in the subscription.
You need to ensure that when an NSG is created, it automatically blocks TCP port 8080 between the virtual networks.
Solution: You assign a built-in policy definition to the subscription.
Does this meet the goal?
Question 37
Question
Question #37 Pagina42 - 67
You have an Azure subscription.
You plan to deploy an Azure Kubernetes Service (AKS) cluster to support an app named App1. On-premises clients connect to App1 by using the IP address of the pod.
For the AKS cluster, you need to choose a network type that will support App1.
What should you choose?
Question 38
Question
Question #38 Pagina42 - 68
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription that contains the virtual machines shown in the following table.
You deploy a load balancer that has the following configurations:
✑ Name: LB1
✑ Type: Internal
✑ SKU: Standard
✑ Virtual network: VNET1
You need to ensure that you can add VM1 and VM2 to the backend pool of LB1.
Solution: You disassociate the public IP address from the network interface of VM2.
Does this meet the goal?
Question 39
Question
Question #39 Pagina42 - 69
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription that contains 10 virtual networks. The virtual networks are hosted in separate resource groups.
Another administrator plans to create several network security groups (NSGs) in the subscription.
You need to ensure that when an NSG is created, it automatically blocks TCP port 8080 between the virtual networks.
Solution: You configure a custom policy definition, and then you assign the policy to the subscription.
Does this meet the goal?
Question 40
Question
Question #40 Pagina42 - 70
You have two Azure virtual networks named VNet1 and VNet2. VNet1 contains an Azure virtual machine named VM1. VNet2 contains an Azure virtual machine named VM2.
VM1 hosts a frontend application that connects to VM2 to retrieve data.
Users report that the frontend application is slower than usual.
You need to view the average round-trip time (RTT) of the packets from VM1 to VM2.
Which Azure Network Watcher feature should you use?
Answer
-
IP flow verify
-
Connection troubleshoot
-
Connection monitor
-
NSG flow logs
Question 41
Question
Question #41 Pagina43 - 71
HOTSPOT -
You have an Azure subscription that contains the public load balancers shown in the following table.
You plan to create six virtual machines and to load balance requests to the virtual machines. Each load balancer will load balance three virtual machines.
You need to create the virtual machines for the planned solution.
How should you create the virtual machines? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Question 42
Question
Question #42 Pagina43 - 72
HOTSPOT -
You have an on-premises data center and an Azure subscription. The data center contains two VPN devices. The subscription contains an Azure virtual network named VNet1. VNet1 contains a gateway subnet.
You need to create a site-to-site VPN. The solution must ensure that if a single instance of an Azure VPN gateway fails, or a single on-premises VPN device fails, the failure will not cause an interruption that is longer than two minutes.
What is the minimum number of public IP addresses, virtual network gateways, and local network gateways required in Azure? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Question 43
Question
Question #43 Pagina43 - 73
You have an Azure subscription that contains two virtual machines as shown in the following table.
You perform a reverse DNS lookup for 10.0.0.4 from VM2.
Which FQDN will be returned?
Question 44
Question
Question #44 Pagina43 - 74
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an app named App1 that is installed on two Azure virtual machines named VM1 and VM2. Connections to App1 are managed by using an Azure Load
Balancer.
The effective network security configurations for VM2 are shown in the following exhibit.
You discover that connections to App1 from 131.107.100.50 over TCP port 443 fail.
You verify that the Load Balancer rules are configured correctly.
You need to ensure that connections to App1 can be established successfully from 131.107.100.50 over TCP port 443.
Solution: You create an inbound security rule that allows any traffic from the AzureLoadBalancer source and has a cost of 150.
Does this meet the goal?
Question 45
Question
Question #45 Pagina43 - 75
You have an Azure subscription that contains a policy-based virtual network gateway named GW1 and a virtual network named VNet1.
You need to ensure that you can configure a point-to-site connection from an on-premises computer to VNet1.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
Answer
-
Add a service endpoint to VNet1
-
Reset GW1
-
Create a route-based virtual network gateway
-
Add a connection to GW1
-
Delete GW1
-
Add a public IP address space to VNet1
Question 46
Question
Question #46 Pagina44 - 76
HOTSPOT -
You have an Azure subscription that contains the resources in the following table:
In Azure, you create a private DNS zone named adatum.com. You set the registration virtual network to VNet2. The adatum.com zone is configured as shown in the following exhibit:
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Question 47
Question
Question #47 Pagina44 - 77
HOTSPOT -
You have an Azure subscription that contains the virtual networks shown in the following table.
The subscription contains the private DNS zones shown in the following table.
You add virtual network links to the private DNS zones as shown in the following table.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Question 48
Question
Question #48 Pagina44 - 78
HOTSPOT -
You have an Azure subscription.
You plan to use an Azure Resource Manager template to deploy a virtual network named VNET1 that will use Azure Bastion.
How should you complete the template? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Question 49
Question
Question #49 Pagina44 - 79
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You manage a virtual network named VNet1 that is hosted in the West US Azure region.
VNet1 hosts two virtual machines named VM1 and VM2 that run Windows Server.
You need to inspect all the network traffic from VM1 to VM2 for a period of three hours.
Solution: From Azure Network Watcher, you create a packet capture.
Does this meet the goal?
Question 50
Question
Question #50 Pagina44 - 80
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You manage a virtual network named VNet1 that is hosted in the West US Azure region.
VNet1 hosts two virtual machines named VM1 and VM2 that run Windows Server.
You need to inspect all the network traffic from VM1 to VM2 for a period of three hours.
Solution: From Azure Network Watcher, you create a connection monitor.
Does this meet the goal?
Question 51
Question
Question #51 Pagina45 - 81
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You manage a virtual network named VNet1 that is hosted in the West US Azure region.
VNet1 hosts two virtual machines named VM1 and VM2 that run Windows Server.
You need to inspect all the network traffic from VM1 to VM2 for a period of three hours.
Solution: From Performance Monitor, you create a Data Collector Set (DCS).
Does this meet the goal?
Question 52
Question
Question #52
DRAG DROP -
You have an Azure subscription that contains the resources shown in the following table.
You need to load balance HTTPS connections to vm1 and vm2 by using lb1.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Select and Place:
Question 53
Question
Question #53
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You manage a virtual network named VNet1 that is hosted in the West US Azure region.
VNet1 hosts two virtual machines named VM1 and VM2 that run Windows Server.
You need to inspect all the network traffic from VM1 to VM2 for a period of three hours.
Solution: From Azure Monitor, you create a metric on Network In and Network Out.
Does this meet the goal?
Question 54
Question
Question #54
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an app named App1 that is installed on two Azure virtual machines named VM1 and VM2. Connections to App1 are managed by using an Azure Load
Balancer.
The effective network security configurations for VM2 are shown in the following exhibit.
You discover that connections to App1 from 131.107.100.50 over TCP port 443 fail.
You verify that the Load Balancer rules are configured correctly.
You need to ensure that connections to App1 can be established successfully from 131.107.100.50 over TCP port 443.
Solution: You create an inbound security rule that denies all traffic from the 131.107.100.50 source and has a priority of 64999.
Does this meet the goal?
Question 55
Question
Question #55
DRAG DROP -
You have an Azure subscription that contains two om-premises locations named site1 and site2.
You need to connect site1 and site2 by using an Azure Virtual WAN.
Which four actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Select and Place:
Question 56
Question
Question #56
HOTSPOT -
You have an Azure subscription that contains the virtual networks shown in the following table.
You have the virtual machines shown in the following table.
You have the virtual network interfaces shown in the following table.
Server1 is a DNS server that contains the resources shown in the following table.
You have an Azure private DNS zone named contoso.com that has a virtual network link to VNET2 and the records shown in the following table.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Question 57
Question
Question #57
You have a virtual network named VNet1 as shown in the exhibit. (Click the Exhibit tab.)
No devices are connected to VNet1.
You plan to peer VNet1 to another virtual network named VNet2. VNet2 has an address space of 10.2.0.0/16.
You need to create the peering.
What should you do first?
Answer
-
Modify the address space of VNet1.
-
Add a gateway subnet to VNet1.
-
Create a subnet on VNet1 and VNet2.
-
Configure a service endpoint on VNet2.
Question 58
Question
Question #58
You have the Azure virtual machines shown in the following table.
VNET1 is linked to a private DNS zone named contoso.com that contains the records shown in the following table.
You need to ping VM2 from VM1.
Which DNS names can you use to ping VM2?
Answer
-
comp2.contoso.com and comp4.contoso.com only
-
comp1.contoso.com, comp2.contoso.com, comp3.contoso.com, and comp4.contoso.com
-
comp2.contoso.com only
-
comp1.contoso.com and comp2.contoso.com only
-
comp1.contoso.com, comp2.contoso.com, and comp4.contoso.com only
Question 59
Question
Question #59
HOTSPOT -
You have a network security group (NSG) named NSG1 that has the rules defined in the exhibit. (Click the Exhibit tab.)
NSG1 is associated to a subnet named Subnet1. Subnet1 contains the virtual machines shown in the following table.
You need to add a rule to NSG1 to ensure that VM1 can ping VM2. The solution must use the principle of least privilege.
How should you configure the rule? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Question 60
Question
Question #60
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have a computer named Computer1 that has a point-to-site VPN connection to an Azure virtual network named VNet1. The point-to-site connection uses a self-signed certificate.
From Azure, you download and install the VPN client configuration package on a computer named Computer2.
You need to ensure that you can establish a point-to-site VPN connection to VNet1 from Computer2.
Solution: On Computer2, you set the Startup type for the IPSec Policy Agent service to Automatic.
Does this meet the goal?