Examtopic AZ300

- Expert Verified, Online, Free.
 Custom View Settings
Topic 1 - Question Set 1
Question #1 Topic 1
HOTSPOT -
You have an Azure subscription named Subscription1. Subscription1 contains the resources in the following table:
VNet1 is in RG1. VNet2 is in RG2. There is no connectivity between VNet1 and VNet2. An administrator named Admin1 creates an Azure virtual
machine VM1 in
RG1. VM1 uses a disk named Disk1 and connects to VNet1. Admin1 then installs a custom application in VM1.
You need to move the custom application to VNet2. The solution must minimize administrative effort.
Which two actions should you perform? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer: Explanation

References:
https://blogs.technet.microsoft.com/canitpro/2014/06/16/step-by-step-move-a-vm-to-a-different-vnet-on-azure/
https://4sysops.com/archives/move-an-azure-vm-to-another-virtual-network-vnet/#migrate-an-azure-vm-between-vnets
  Cern77 7 months, 1 week ago

There
is no answer ... But the correct answer is : - Create a NIC on VNet 2 - Attach
it to the VM1.
upvoted 3 times
  JasonYin 6 months, 1 week ago

Virtual machines (VMs) in Azure can have multiple
virtual network interface cards (NICs) attached to them. A common scenario is to
have different subnets for front-end and back-end connectivity. You can
associate multiple NICs on a VM to multiple subnets, but those subnets must all
reside in the same virtual network (vNet)
upvoted 11 times
  NoNotSpam 6 months, 1 week ago

Cern77
is incorrect. As JasonYin states a VM can have multiple NICs but they must be
in the same VNET (but can be in different subsets within that VNet)
upvoted 6 times
  bvdh 6 months ago
the
easyest way would be to backup the vm and re-create one from the
backup
upvoted 7 times
  bolbol 5 months, 3 weeks ago

1-
Delete VM 2- Recreate VM from Disk in the proper VNET
upvoted 30 times
  Bonna 5 months, 2 weeks ago

Delete
VM1 and Create a new virtual machine
upvoted 2 times

1.
Create a new network interface in RG2 and 2. Move VM1 to RG2 You can move a VM
and its associated resources to another resource group by using the Azure portal
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/move-vm
upvoted 2 times
  onlyfunmails 5 months, 1 week ago

Agree,
as question specifically mentioned about two RGs we think about resource
movement in first place.
upvoted 2 times
  AnshMan 4 months, 3 weeks ago

Your
statement of moving the VM to RG2 works if the two RG are part of same VNET.
Here they're of different VNETs, only possible option is Delete VM1, re-create a
new VM in RG2 with VNET2 using VM1 data disks.
upvoted 3 times
  Ekramy_Elnaggar 5 months, 1 week ago

There
is no answer ... But the correct answer is : - Create a NIC on VNet 2 - Attach
it to the VM1.
upvoted 1 times
  Andy001 3 months, 1 week ago

This
is an incorrect answer. There is no way to attach several VNets to a single
VM
upvoted 4 times

1-
Backup the VM from the old Sub/VNet 2- Restore the VM from the old
Sub/VNet
upvoted 2 times
  Carlos 4 months, 3 weeks ago

it's
simply to backup the VM in VNet1, and then restore in VNet2
upvoted 2 times
  Stan007 4 months, 3 weeks ago

1)Delete
Vm1 2)Create a new virtual machine
upvoted 1 times
  Ekramy_Elnaggar 4 months, 2 weeks ago

Found
the full question. @ question 14 , so the correct answer is : 1- Delete VM1 2-
Create a new VM
upvoted 3 times
  lorimer1 4 months, 1 week ago

The 'easiest' way is: • Stop and deallocate the VM. •
Delete the VM, but choose to 'keep the attached disks'. • Recreate the VM in the
target Vnet by specifying the original disk. Attach data disks
upvoted 5 times

I
passed the Exam last Thursday 2/1/2020 , my score : 893/1000 . 90% of the Exam
was from this dump 53 Questions ( 40 MCQ Qs , 1 Case Study - 4 Qs , 9 Lab
Simulation Qs ) Good Luck all
upvoted 8 times
  Sweb 3 months, 2 weeks ago

I
passed on 2020-01-27. My exam was the same breakdown of questions as Ekramy. I'd
say this did cover ~80% of the questions though.
upvoted 1 times
  AS007 3 months, 3 weeks ago

1.
Select the VM and Disk 2. Move both to the new RG. 3. Attach the new NIC for
vNET2
upvoted 1 times
  SilentH 3 months, 3 weeks ago

According
to the reference link: " What we need to do is identify the disk used by the VM,
delete the VM itself while retaining the disk, and recreate the VM in the target
virtual network and attach the original disk to it."
upvoted 3 times
  anagar 3 months, 1 week ago

The
options here are missing. I found the question on another site which has two
drop-down boxes shown and the correct answers are - 1. Delete VM1 (First
drop-down) 2. Create new virtual machine (Second Drop-down)
upvoted 3 times
  Shiven 3 months ago

First
Action: Create a Network Interface in RG2 Detach a
Network Interface Delete VM1 Move a Network interface
to RG2 Second Action: Attach a network interface
Create a network interface in RG2 Create a Virtual machine
Move VM1 to RG2 Ans: Create a Network Interface in RG2 Move VM1
to RG2
upvoted 2 times
  Shiven 2 months, 1 week ago

https://teckadmin.wordpress.com/2019/07/06/how-to-move-vm-from-one-vnet-to-another-vnet/
Unfortunately, today is not possible/supported to change directly a VNET for an
existing VM. the only way to operate this change is export the VM definition,
drop the VM preserving disks, then re-create the VM with the same settings,
except for the new VNET assignment, and attaching previous disks
https://docs.microsoft.com/en-gb/archive/blogs/igorpag/how-to-change-subnet-and-virtual-network-for-azure-virtual-machines-asm-arm
1- Delete VM 2- Recreate VM from Disk in the proper VNET
upvoted 4 times
  sivak 1 month, 2 weeks ago

You
can move a VM and its associated resources to another resource group using the
portal. References:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/move-vm
upvoted 1 times
  Famous_Guy 1 month ago

As
per latest information. Create a Recovery Services Vault in Azure and do Backup
and Restore. (Less Administrative steps)
https://www.solutionsdelve.com/azure/how-to-move-a-vm-to-a-different-virtual-network-in-azure
upvoted 1 times
  Noor001 3 weeks, 5 days ago

The
correct answer is: - Delete the virtual machine - Recreate the virtual
machine.
upvoted 2 times
  Derektx 3 weeks, 5 days ago

1.
Create a new network interface in RG2 and 2. Move VM1 to RG2
upvoted 2 times
  xpuneet 2 days, 2 hours ago

Delete
the VM in VNet1 keeping Disk retained. Create VM in VNet2 with the retained
disk.
upvoted 1 times
Question #2 Topic 1
You have an Azure subscription named Subscription1 that is used by several departments at your company. Subscription1 contains the resources
in the following table.
Another administrator deploys a virtual machine named VM1 and an Azure Storage account named Storage2 by using a single Azure Resource
Manager template.
You need to view the template used for the deployment.
From which blade can you view the template that was used for the deployment?
A. Container1
B. VM1
C. Storage2
D. RG1
Correct Answer: D
  tubadc 5 months, 1 week ago

I
choose D
upvoted 4 times
  Musk 5 months ago

Why?
Any reason?
upvoted 1 times
  Jt909 5 months ago

From
my test a single template for VM1 and Storage2 can be found only on
RG1
upvoted 1 times

Answer D: Choose 'Deployments' from the Resource Group
blade
upvoted 1 times
  anagar 3 months, 1 week ago

Answer
is D because the 'Resource Group' RG1 will contain both VM1 and
Storage2
upvoted 3 times
  Samin 2 months, 4 weeks ago

Answer
is D for sure.
upvoted 1 times
  TYT 1 month ago

RG1
will have VM1 and Storage2
upvoted 1 times
  Pankaj7121 1 week, 5 days ago

Answer
is D
upvoted 1 times
Question #3 Topic 1
You have two subscriptions named Subscription1 and Subscription2. Each subscription is associated to a different Azure AD tenant.
Subscription1 contains a virtual network named VNet1. VNet1 contains an Azure virtual machine named VM1 and has an IP address space of
10.0.0.0/16.
Subscription2 contains a virtual network named VNet2. Vnet2 contains an Azure virtual machine named VM2 and has an IP address space of
10.10.0.0/24.
You need to connect VNet1 to VNet2.
What should you do first?
A. Modify the IP address space of VNet2.
B. Move VM1 to Subscription2.
C. Provision virtual network gateways.
D. Move VNet1 to Subscription2.
Correct Answer: C

C
-
https://azure.microsoft.com/en-us/blog/vnet-peering-and-vpn-gateways/
upvoted 4 times
  cacasodo 21 hours, 26 minutes ago

This is the actual statement from Microsoft that tells
us VPN Gateways can be used for VNET connections across AAD tenants:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-vnet-vnet-resource-manager-portal#can-i-establish-a-vnet-to-vnet-
connection-across-azure-active-directory-aad-tenants
upvoted 1 times

Answer: C As tubadc linked ... vnet peering or gateways
... gateway was the only option given.
upvoted 3 times
  Srini300 3 months, 3 weeks ago

isn't it an overlapping Vnets situation ? I think we
have to re address Vnet2.
upvoted 1 times

No
because 10.0.0.0/16 is a different address space than 10.10.0.0/24. The /16 uses
the first two octects of a subnet therefore 10.0.x.x is different than
10.10.x.x.
upvoted 4 times

You are right, it was my bad that i over looked at
address space.Thanks
upvoted 2 times
  starnb 2 months, 1 week ago

C
is the answer because the IP range isn't overlapping and Vnet Gateways provide
connectivity across subscriptions associated with different Tenants. There is no
need to move VMs in this case.
upvoted 2 times

VNet
Peering is the best option, but based on the options, they can be connected
through gateways.
upvoted 2 times

Answer
is C
upvoted 1 times
Question #4 Topic 1
You have an Azure Active Directory (Azure AD) tenant.

You have an existing Azure AD conditional access policy named Policy1. Policy1 enforces the use of Azure AD-joined devices when members of
the Global
Administrators group authenticate to Azure AD from untrusted locations.
You need to ensure that members of the Global Administrators group will also be forced to use multi-factor authentication when authenticating
from untrusted locations.
What should you do?
A. From the Azure portal, modify session control of Policy1.
B. From multi-factor authentication page, modify the user settings.
C. From multi-factor authentication page, modify the service settings.
D. From the Azure portal, modify grant control of Policy1.

Correct Answer: D
  cjsammaejs 5 months, 2 weeks ago

D
is correct.
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/controls
upvoted 9 times
  Protonenpaule 1 month, 2 weeks ago

Yes,
D:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-azure-mfa#configure-the-conditions-for-multi-factor-
authentication
upvoted 2 times

Option-D
is correct.
upvoted 1 times
  milind8451 1 week, 6 days ago

Azure
AD-> Security -> Conditional Access -> Grant (Edit) Option D is
correct.
upvoted 1 times
Question #5 Topic 1
HOTSPOT -
You plan to deploy five virtual machines to a virtual network subnet.
Each virtual machine will have a public IP address and a private IP address.
Each virtual machine requires the same inbound and outbound security rules.
What is the minimum number of network interfaces and network security groups that you require? To answer, select the appropriate options in the
answer area.
Hot Area:

There
is no answer ... But answer is: - 5 NICs - 1 NSG
upvoted 35 times

Don't we need 5 Nic's for private IP and 5 for public
IP?
upvoted 1 times
  pentum7 3 months, 1 week ago

1
NIC will have a private ip and may or may no have a public ip:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface-addresses
so 5 NICs is correct
upvoted 5 times
  NoNotSpam 6 months, 1 week ago

Agreed.
A NIC can only be attached to a single VM, thus 5 are necessary. A NSG can be
assigned to zero or more NICs or Subnets; since the rules need to be the same,
only one NSG rule set is needed, which will be applied to each NIC.
upvoted 2 times

Or if 5 VMs are in the same subnet, you can link the NSG
to subnet.
upvoted 2 times
  reddy98321 2 months ago

5
NIC snd 1 NSG
upvoted 6 times

Have
5 NIC (one each for 1 VM). Assign one Nw Sec group.
upvoted 1 times

I
think we will need 5 nics and one security group,
upvoted 1 times
Question #6 Topic 1
You have an Azure subscription named Subscription1 that contains an Azure virtual machine named VM1. VM1 is in a resource group named RG1.
VM1 runs services that will be used to deploy resources to RG1.
You need to ensure that a service running on VM1 can manage the resources in RG1 by using the identity of VM1.
A. From the Azure portal, modify the Access control (IAM) settings of RG1.
B. From the Azure portal, modify the Policies settings of RG1.
C. From the Azure portal, modify the Access control (IAM) settings of VM1.
D. From the Azure portal, modify the value of the Managed Service Identity option for VM1.
Correct Answer: D
References:
https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview
  Musk 5 months, 1 week ago

I
believe it's A. I just did it through Azure portal, RG, IAM, add role assignment
choosing my VM1
upvoted 1 times
  Amrinder101 5 months ago

A
is correct
upvoted 2 times
  Sedge 5 months ago

The
question asks what should you do first. Sure, Access control (IAM) needs to be
done, but not first. Before you can modify access, you need to create a service
principle to manage that access for. The correct answer is indeed 'D' - you
need to set this up with a Managed Service Identity first. How a system-assigned
managed identity works with an Azure VM: 1. Azure Resource Manager receives a
request to enable the system-assigned managed identity on a VM. 2. Azure
Resource Manager creates a service principal in Azure AD for the identity of the
VM. The service principal is created in the Azure AD tenant that's trusted by
the subscription. 3. Azure Resource Manager configures the identity on the VM by
updating the Azure Instance Metadata Service identity endpoint with the service
principal client ID and certificate. 4. After the VM has an identity, use the
service principal information to grant the VM access to Azure resources. To call
Azure Resource Manager, use role-based access control (RBAC) in Azure AD to
assign the appropriate role to the VM service principal. To call Key Vault,
grant your code access to the specific secret or key in Key Vault.
upvoted 17 times

The
ques says - You need to ensure that a service running on VM1 can manage the
resources in RG1 by using the identity of VM1. So the identity is already been
setup for vm.
upvoted 2 times
  PDR 4 months ago

I
agree with Sedge and think it is D because .... the question says : VM1 runs
services that WILL be used to deploy resources to RG1. **** (This suggests to me
that the identity has not been set up yet - it is saying it will run the
services not that it already can do) You need to ensure that a service running
on VM1 can manage the resources in RG1 by using the identity of VM1. *** (this
is saying that you need to ensure that it can, that it needs to be done by using
the identity, no mention of there already being anything done to enable the
identity) Ultimately though it comes down to semantics and it is frustrating
when MS gives questions that this that could be interpreted in more than one way
with arguably egual validity - would be much better if they were completely
clear and we can just be tested on knowledge and not second guessing what the
question writer was thinking.
upvoted 7 times
  2cool2touch 4 months, 2 weeks ago

I
tend to agree with you.
upvoted 1 times
  superbutt 4 months, 1 week ago

A
is correct
upvoted 2 times
  AS007 3 months, 3 weeks ago

Its
"D" Reason - "manage the resources in RG1 by using the identity of VM1" It
never says that managed identity is enabled. Process is : 1. Enable Managed
Identity on VM. 2. Modify IAM. 3. Enable Required Access
upvoted 4 times
  Samin 2 months, 4 weeks ago

Andswer
is D , 100%.
upvoted 1 times

The
correct answer is D since the Managed Identities provide Service Principles
without need to store Passwords in Key Vault, Config Files or
Databases.
upvoted 2 times
  Protonenpaule 2 months ago

D
is correct, which is a prerequisit to successfully implement
https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/tutorial-linux-vm-access-arm
upvoted 1 times

The
question doesn't say that the Managed Identity is enabled. This is a
prerequisite.
upvoted 1 times
  joilec435 3 weeks, 4 days ago

that
is D
upvoted 1 times

I
think answer is D
upvoted 1 times
Question #7 Topic 1
HOTSPOT -
You have an Azure subscription named Subscription1. Subscription1 contains the virtual networks in the following table:
Subscription1 contains the virtual machines in the following table:
The firewalls on all the virtual machines are configured to allow all ICMP traffic.
You add the peerings in the following table:
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Hot Area:
Correct Answer:
References:
https://docs.microsoft.com/en-us/azure/virtual-network/tutorial-connect-virtual-networks-portal
  looker 7 months, 1 week ago

I
thin VM2 cannot ping VM3, because they didn't establish bi-direction
connection
upvoted 16 times
  piotr 6 months, 2 weeks ago

Must
be error in question since you cannot configure unidirectional VNET
peering.
upvoted 1 times

Answer should be Yes, no, no. In early version of
Azure, we have to create peer on each vnet. Azure improved vnet peering recently
and create peering bi-direction.
upvoted 11 times
  bootyholeman 3 months, 2 weeks ago

You
still have a choice to create unidirectional peering like in the table above.
So: Yes Yes No simple table mapping
upvoted 1 times

the
option is called "Configure virtual network access settings". If you set "Allow
virtual network access from VNET1 to VNET2" to disabled it will be
unidirectional
upvoted 1 times

but
not sure if ping is going to work with the unidirectional peering, have to
check.
upvoted 1 times
  moglie 6 months ago

Ans:
Y,N,N . source:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-faq
----- If your peering connection is in an Initiated state, this means you have
created only one link. A bidirectional link must be created in order to
establish a successful connection. For example, to peer VNet A to VNet B, a link
must be created from VNetA to VNetB and from VNetB to VNetA. Creating both links
will change the state to Connected.
upvoted 16 times
  pinox1 6 months ago

I
think the answer is: yes-yes-no (no, because no peering vnet2 and
vnet1)
upvoted 5 times
  bvdh 5 months, 4 weeks ago

Answer
is correct, no peering between vnet2 and vnet1 so no routing, no traffic, no
ping. rest of vnets are peered
upvoted 3 times

The
Answer is YES, YES, NO No peering between VNET1 and VNET2 Pinox1 is
correct
upvoted 4 times
  gboyega 5 months, 2 weeks ago

The
correct answer is YES,NO,NO You need to create the Peering in both VNET, in this
case only VM1 and VM3 have that.
upvoted 3 times
  cjsammaejs 5 months, 2 weeks ago

I
tested this in our R&D subscription with 2 vnets, with each vnet in separate
RG. The answer is Yes, No, No. ICMP need peering both directions to work. The
peering status shows disconnected when only one direction is peered. I had it
peered bidirectionally, and testing ping both ways and it worked. Then in
removed one peer direction and this caused the ping test to fail. For a yes,
yes, no answer, VNET3 > VNET1 would also have to be peered, which is missing
from the list.
upvoted 7 times

Isn't
peering bidirectional?
upvoted 3 times
  Benkyoujin 5 months, 1 week ago

Yes,
during setup now it sets up both connections. However, technically it’s possible
for one to become disconnected. Otherwise, why would the question only call out
one specific bidirectional config? Also, lots of questions are quite old and at
one point you did have to create both ends separately.
upvoted 2 times

Ans:
Y, N, N A bidirectional link must be created in order to establish a successful
connection. For example, to peer VNet A to VNet B, a link must be created from
VNetA to VNetB and from VNetB to VNetA. Creating both links will change the
state to Connected.
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-faq#my-vnet-peering-connection-is-in-initiated-state-why-cant-i-
connect
upvoted 6 times

Answer: Yes, No, No The VM2 can't connect to VM3 because
the peering will be in the initiated state: Initiated state - no connection ...
Only one of the pair of links has been created ... Create the 2nd link to become
connected state Disconnected state - no connection ... One of the pair of links
has been deleted ... Delete the link and re-create Connected state ... Running
fine
upvoted 4 times

YES
- VNET1 to VNET3YES YES - VNET2 to VNET3 NO - no VNET2 to VNET1 You can create
unidirectional connection, it will work - checked it. ping/imcp doesn't require
bidirectional connection. if you have V1-V2 only, V1 will be able to pint V2 but
not vise versa - tried it in lab
upvoted 3 times
  Jt909 2 months, 2 weeks ago

YES-NO-NO
Just tried in a LAB. ICMP requires bi-direction connections. As soon as in a
peering you set "Disabled" in Configuration\Allow virtual Network Access From
Vnet3 to Vnet2 you loose ICMP.
upvoted 2 times
  Novix 2 months, 1 week ago

Ummm,
ICMP requires connectivity in both directions. PING is exactly that, you send a
ping an wait for the reply. If you check the results of a windows ping it has
packets sent and packets received. Not possible with unidirectional
connection.
upvoted 1 times
  2cool2touch 2 months, 1 week ago

i
take my previous comment back. It is YYN. I am still not sure why it required
#3, vnet3 to vnet1 peering but as long as u are in same subscription and have
rights, you only need to peer in one direction, other direction is done for
u.
upvoted 2 times
  htchen829 1 month, 3 weeks ago

Just
do lab, you will know the answer is Y, N, N although newer version will create
bi-direction peering for you, you can still delete one of them manually, so you
can get the answer. Do the lab is easy, why don't you verify by
yourself?
upvoted 1 times
  AbdulAzeez 1 month, 2 weeks ago

Yes,Yes,No
upvoted 1 times

I
don't think you really do the lab.
upvoted 2 times

Only
VMs 1 and 3 have bidirectional peering, so they can ping each other. 2 and 3
cannot. 1 and 2 cannot (no peering). Answer will be: Yes, No, No. If your
peering connection is in an Initiated state, this means you have created only
one link. A bidirectional link must be created in order to establish a
successful connection. To peer VNet A to VNet B, a link must be created from
VNetA to VNetB and from VNetB to VNetA. Creating both links will change the
state to Connected.
upvoted 1 times

yes
no no
upvoted 2 times
  Marshal_ 3 weeks, 3 days ago

I hate how they word the questions. Technically VM2 can
send a ping to VM3 but just not get a reply. You have to assume a successful
ping / reply is what they are asking.
upvoted 2 times
  TYT 2 weeks, 5 days ago

so
true!
upvoted 1 times
  tmaylexmark 3 weeks, 1 day ago

VNET3
subnet is assigned a non-routable IP. How does this impact the peering
relationships?
upvoted 1 times

This
is an old question, how VNET peering works, has changed now. Given answer are
correct with respect to how peering used to work before however for modern
peering connections, questions is incomplete.
upvoted 2 times
Question #8 Topic 1
HOTSPOT -
You need to create a conditional access policy that requires all users to use multi-factor authentication when they access the Azure portal.
Which three settings should you configure? To answer, select the appropriate settings to the answer area.
Hot Area:
Correct Answer:
References:
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/app-based-mfa

I
don’t think cloud app is necessary. Access to portal is asked in question and
not to specific app.
upvoted 2 times
  Benkyoujin 4 months, 2 weeks ago

The
portal is technically a cloud app the answer is correct.
upvoted 6 times

the
answer is correct because it specifies the portal and that means you need to
configure the cloud apps section, select apps, and choose "Microsoft Azure
Management" as the cloud app as that is the portal app.
upvoted 4 times

The
answer is wrong. Cloud App is not needed. The question says access to USERS is
needed. You should select 1. Users and Groups 2. Conditions 3. Grant
upvoted 3 times
  Myk 3 months ago

Wrong.
SilnetH below has the exact example and indeed the given answer was correct
all along.
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-azure-management
upvoted 2 times

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa
upvoted 2 times
  superbutt 4 months, 1 week ago

The
answer is correct.
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-policies
upvoted 6 times

The
answer is correct and you can look at
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-azure-management
for a specific example to the Azure portal.
upvoted 9 times

To
create a policy for Azure management, you select Microsoft Azure Management
under Cloud apps when choosing the app to which to apply the policy. I think
Cloud App needs to be selected. Any thoughts? The question says three settings -
Users/Groups, Conditions, Cloud Apps (Azure mgmt portal). And of course, Grant.
Looks like All the above?
upvoted 1 times
  milind8451 3 weeks, 3 days ago

Don't
be confused, given ans is right. Azure Portal is also a cloudapp which need to
be allowed. Already tested in lab.
upvoted 3 times
  aimar047 3 weeks, 1 day ago

1. Users and Groups 2. Conditions 3. Grant
upvoted 1 times
  lepperboy 1 week, 3 days ago

what
a tricky question - according to this article, technically its; 1. Users and
groups 2. Cloud apps (selecting microsoft azure management) 3. Conditions 4.
Grant. This is where you actually define requires MFA. Keen to know if anyone
actually saw this question in the exam?!
upvoted 1 times
  mukulag 4 days, 3 hours ago

https://docs.microsoft.com/en-in/azure/active-directory/conditional-access/howto-conditional-access-policy-azure-management
Users and groups Cloud apps or actions Conditions Grant Under Assignments,
select Users and groups Under Include, select All users. Under Exclude, select
Users and groups and choose your organization's emergency access or break-glass
accounts. Select Done. Under Cloud apps or actions > Include, select Select
apps, choose Microsoft Azure Management, and select Select then Done. Under
Conditions > Client apps (Preview), set Configure to Yes, and select Done.
Under Access controls > Grant, select Grant access, Require multi-factor
authentication, and select Select.
upvoted 1 times
Question #9 Topic 1
You configure Azure AD Connect for Azure Active Directory Seamless Single Sign-On (Azure AD Seamless SSO) for an on-premises network.
Users report that when they attempt to access myapps.microsoft.com, they are prompted multiple times to sign in and are forced to use an
account name that ends with onmicrosoft.com.
You discover that there is a UPN mismatch between Azure AD and the on-premises Active Directory.
You need to ensure that the users can use single-sign on (SSO) to access Azure resources.
A. From on-premises network, deploy Active Directory Federation Services (AD FS).
B. From Azure AD, add and verify a custom domain name.
C. From on-premises network, request a new certificate that contains the Active Directory domain name.
D. From the server that runs Azure AD Connect, modify the filtering options.
Correct Answer: B

Answer
is B
https://docs.microsoft.com/bs-latn-ba/azure/active-directory/hybrid/tshoot-connect-objectsync#upn-suffix-is-not-verified-with-azure-ad-tenant
upvoted 7 times

B
is correct. Refer to the article by Sweb below.
upvoted 2 times

UPN
mismatch can be removed after adding domain of you on-prem to Azure AD, so
option B is correct.
upvoted 2 times
Question #10 Topic 1
You have an Active Directory forest named contoso.com.

You install and configure AD Connect to use password hash synchronization as the single sign-on(SSO) method. Staging mode is enabled.
You review the synchronization results and discover that the Synchronization Service Manager does not display any sync jobs.
You need to ensure that the synchronization completes successfully.
What should you do?
A. From Azure PowerShell, run Start-AdSyncSycnCycle ""PolicyType Initial.
B. Run Azure AD Connect and set the SSO method to Pass-through Authentication.
C. From Synchronization Service Manager, run a full import.
D. Run Azure AD Connect and disable staging mode.
Correct Answer: D
References:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-operations

D
is correct.
upvoted 5 times
  siddappa 1 week ago

Correct answer is D
upvoted 2 times
DRAG DROP -
You have an Azure Active Directory (Azure AD) tenant that has the initial domain name.
You have a domain name of contoso.com registered at a third-party registrar.
You need to ensure that you can create Azure AD users that have names containing a suffix of @contoso.com.
Which three actions should you perform in sequence? To answer, move the appropriate cmdlets from the list of cmdlets to the answer area and
arrange them in the correct order.
Select and Place:

References:
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/add-custom-domain
  Oz 7 months ago
There
is no reference about what has to be moved but my guess is it is cmdlets. 1)
New-AzureADDomain Creates a custom domain in Azure AD 2)
Get-AzureADDomainVerificationDnsRecord Retrieve the domain verification DNS
record from Azure for a custom domain< make changes to the Public DNS zone as
per p.2> 3) Confirm-AzureADDomain Validate the ownership of a
domain.
upvoted 12 times
  chukks_19 6 months, 3 weeks ago

If
the answer is drag and drop: Add a custom domain name. Add a record to the
public contoso.com DNS zone. Verify the domain.
upvoted 43 times

I
think the answer would be Add a Custom Domain name to the Azure AD tenent Add a
MX or TXT record to the zone file in the public domain registry Verify the
domain
upvoted 2 times
  Abbas 4 months ago

From
the link, the 3 steps are: Add your custom domain name to Azure AD Add your DNS
information to the domain registrar Verify your custom domain name
upvoted 7 times
  richie13 1 month, 1 week ago

https://www.examtopics.com/assets/media/exam-media/02520/0004500001.jpg
upvoted 4 times

chukks_19
is exactly right. Refer to the link posted by richie13 for options. Add a custom
domain name, add a record to the public dns zone and verify the
domain.
upvoted 2 times
HOTSPOT -
You have an Azure Storage accounts as shown in the following exhibit.
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
Hot Area:

References:
https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview

The
three different storage account options are: General-purpose v2 (GPv2) accounts,
General-purpose v1 (GPv1) accounts, and Blob storage accounts. General-purpose
v2 (GPv2) accounts are storage accounts that support all of the latest features
for blobs, files, queues, and tables. Blob storage accounts support all the same
block blob features as GPv2, but are limited to supporting only block blobs.
General-purpose v1 (GPv1) accounts provide access to all Azure Storage
services, but may not have the latest features or the lowest per gigabyte
pricing.
upvoted 2 times
  JatinA 5 months, 2 weeks ago

ZRS
and GZORS(Preview) is available only in GPv2. It is not available in GPv1 and
Blob storage. So, GPv1 and GPv2 are not exactly same. Other than that there is
difference of access tiers. GPv2 supports Hot/Cool/Archive 3 access tiers. GPv1
does not support access tiers. Though blob storage does
upvoted 3 times
  Stan007 4 months, 2 weeks ago

Box
1: storageaccount1 and storageaccount2 only Box 2: All the storage
accounts
upvoted 13 times
  SilverFox 3 months ago

The
questions should state: 1) Which accounts can you use for Azure Table Storage?
2) Which accounts can you use for Azure Blob Storage? and therefore Stan007 is
correct.
upvoted 4 times
  Mher 2 months, 2 weeks ago

Box
1: storageaccount1 and storageaccount2 only Box 2: All the storage accounts
Note: The three different storage account options are: General-purpose v2
(GPv2) accounts, General-purpose v1 (GPv1) accounts, and Blob storage accounts.
– General-purpose v2 (GPv2) accounts are storage accounts that support all of
the latest features for blobs, files, queues, and tables. – Blob storage
accounts support all the same block blob features as GPv2, but are limited to
supporting only block blobs. – General-purpose v1 (GPv1) accounts provide access
to all Azure Storage services, but may not have the latest features or the
lowest per gigabyte pricing.
upvoted 1 times
  manhattan 1 month, 1 week ago

incomplete
double question, this is question is better explained in question 71,
Topic1
upvoted 2 times
  zubat_90 1 week, 3 days ago

This was on the exam - I went with Box 1:
storageaccount1 and storageaccount2 only Box 2: All the storage
accounts
upvoted 1 times
  MukeshKhamparia 2 days, 21 hours ago

Table
Storage - Storageaccount1 and Storageaccount2 Blob Storage - All Storage
account
upvoted 1 times
You have an Azure subscription that contains 100 virtual machines.

You regularly create and delete virtual machines.
You need to identify unattached disks that can be deleted.
What should you do?
A. From Microsoft Azure Storage Explorer, view the Account Management properties.
B. From Azure Cost Management, create a Cost Management report.
C. From the Azure portal, configure the Advisor recommendations.
D. From Azure Cost Management, open the Optimizer tab and create a report.
Correct Answer: D

Answer:
A https://cloud.netapp.com/blog/reduce-azure-storage-costs
upvoted 6 times

Not
from the Account Management properties
upvoted 3 times
  Mor 7 months, 1 week ago

D
is correct
upvoted 3 times
There is not an Optimizer tab under Cost Management
blade? MS does have powershell scripts to find out unused disks managed or
unmanaged. For this question, A is the only option for me.
upvoted 2 times
  kimiura 5 months, 4 weeks ago

A:
for me
upvoted 2 times
  JakeCallham 5 months, 2 weeks ago

Answer
should A, Option D does not exist,.
upvoted 2 times

Cern77
is correct, the correct answer is A. Under subscription and Storage account and
Blob,
upvoted 2 times

Home
-> Cost Management + Billing -> Cost Management: Pay-As-You-Go - Overview
-> Optimize with recommendations. This seems to resolve the issue of unused
disks. So, the answer D seems to be correct. Answer A is also doable though it
is a manual process to check every disk.
upvoted 3 times

what
you just said refers to Answer C !
upvoted 1 times

Option
D does not exist, or is not called like that. I think option C is the right one,
because the right option is named like that.
upvoted 6 times
  tubadc 4 months, 2 weeks ago

Agreed,
C is the only available option at the portal
upvoted 3 times
  RRRN 4 months, 2 weeks ago

D,
optimize with recommendation is available under cost management
overview
upvoted 2 times

Answer: D
https://docs.microsoft.com/en-us/azure/cost-management/overview "You can
determine optimal VM usage and identify idle VMs or remove idle VMs and
unattached disks'
upvoted 2 times
  Mathew 4 months ago

that
is Cloudyn .. no more in azure ...To view cost optimization recommendations for
a subscription, open the desired scope in the Azure portal and select Advisor
recommendations... but that also not mentioned ..unused disks
upvoted 1 times
  bofh 3 months, 3 weeks ago

it
does exist and the answer is d
upvoted 1 times

The
answer is D although it's not accurately labeled because it's actually Cost
Management + Billing > Cost Management > Optimize with recommendations.
The description under this is "View Advisor recommendations to identify unused
or underutilized resources. Take action to reduce waste."
upvoted 10 times
  Myk 3 months ago

Its
kinda like inception as you have described. D describing C.
upvoted 1 times
  Minimal1988 3 months ago

for
100 VMs the right way would be with powershell! but this answer is not
available. So it can only be the Storage Explorer.
upvoted 1 times
  Tasneem 2 months, 2 weeks ago

I
think the correct answer is c:
https://docs.microsoft.com/en-us/azure/advisor/advisor-cost-recommendations
upvoted 1 times
  Happiman 2 months, 2 weeks ago

Answer:A You can find unused disks in the Azure Storage
Explorer console. Once you drill down to the Blob containers under a storage
account, you can see the lease state of the residing VHD (the lease state
determines if the VHD is being used by any resource) and the VM to which it is
leased out. If you find that the lease state and the VM fields are blank, it
means that the VHD in question is unused. The ManagedBy property stores the Id
of the VM to which Managed Disk is attached to. If the ManagedBy property is
$null then it means that the Managed Disk is not attached to a VM
upvoted 3 times
  fla8 2 weeks ago

I
can not agree on this, I have an active vm, in the storage explorer, under blob,
I can see the lease state and vm name are all blank. but the vm is running with
the disk.
upvoted 1 times
  fla8 2 weeks ago

ah,
that is not for VHD, it is for diag. there is no VHD in my storage
explorer.
upvoted 1 times
  satgo 2 months, 2 weeks ago

Answer
is C
upvoted 3 times

D
is correct. "Recommendations show how you can optimize and improve efficiency by
identifying idle and underutilized resources. "
https://docs.microsoft.com/en-us/azure/cost-management-billing/cost-management-billing-overview
upvoted 1 times
  Happiman 1 month, 3 weeks ago

It is a an underutilized resources, which means "VMs"
not disks.
upvoted 2 times
  AmineHZ 1 month, 4 weeks ago

for
me the correct answer is A
upvoted 2 times
  TheMo 1 month, 1 week ago

Answer
is C - Azure Advisor It is mentioned under Additional Tools in the following
link
https://docs.microsoft.com/en-us/azure/cost-management-billing/cost-management-billing-overview
More Description: Azure Advisor -
https://docs.microsoft.com/en-us/azure/advisor/advisor-overview#what-resources-does-advisor-provide-recommendations-for
upvoted 2 times
  dean1984kirsten 1 month ago

Answer
is A:
https://www.checkyourlogs.net/using-azure-storage-explorer-to-remove-unattached-vm-disks/
upvoted 3 times
  Corona_Virus 1 month ago

Answer
is A You can find unused disks in the Azure Storage Explorer console. Once you
drill down to the Blob containers under a storage account, you can see the lease
state of the residing VHD (the lease state determines if the VHD is being used
by any resource) and the VM to which it is leased out. If you find that the
lease state and the VM fields are blank, it means that the VHD in question is
unused. Reference:
https://cloud.netapp.com/blog/reduce-azure-storage-costs
upvoted 2 times

Leaning
towards A because of the verbiage in the options.
upvoted 2 times

D
does not exist, not is Cloudyn. C correct
upvoted 1 times
  Santosh43 3 weeks, 4 days ago

Looks
like A is the Answer.
upvoted 2 times
  AnilV 1 week, 5 days ago

Answer
should be A.
https://www.checkyourlogs.net/using-azure-storage-explorer-to-remove-unattached-vm-disks/
upvoted 1 times
You have an Azure subscription that contains 10 virtual machines.

You need to ensure that you receive an email message when any virtual machines are powered off, restarted, or deallocated.
What is the minimum number of rules and action groups that you require?
A. three rules and three action groups
B. one rule and one action group
C. three rules and one action group

D. one rule and three action groups
Correct Answer: C

1
action group to send an email alert 3 rules - Each rule can only monitor a
single signal, so one will be needed for each signal type (Restart, Shutdown,
Deallocated)
upvoted 11 times
  pgcloud 2 months, 3 weeks ago

C
is correct, three actions and one rule
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/alerts-action-rules
upvoted 5 times

C
is correct. Three rules and one group!
upvoted 1 times
  keithtemplin 3 weeks, 1 day ago

"Azure
Alerts are currently limited to either 2 metric, 1 log, or 1 activity log signal
per alert rule. To alert on more signals, please create additional alert rules."
Straight off a new rule creation
upvoted 1 times

Answer
is C
upvoted 1 times
You plan to automate the deployment of a virtual machine scale set that uses the Windows Server 2016 Datacenter image.
You need to ensure that when the scale set virtual machines are provisioned, they have web server components installed.
Which two actions should you perform? Each correct answer presents part of the solution.
A. Upload a configuration script.
B. Create an automation account.
C. Create a new virtual machine scale set in the Azure portal.
D. Create an Azure policy.
E. Modify the extensionProfile section of the Azure Resource Manager template.
Correct Answer: CE
References:
https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/tutorial-install-apps-template
  praiser 5 months ago

Should
be D and E E - provide the template to SUPPORT that the web server components
WILL be installed D - create a policy to ENSURE that the extensionProfile is set
accordingly when deploying the template Both are part of the solultion and
complement each other very well.
upvoted 3 times

I
don't think so. WIth a policy you don't force things, but audit
things.
upvoted 1 times

C
will not be automate deployment. So its incorrect. I think D and E
upvoted 1 times

This
article
https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-deploy-app
shows 3 ways for windows : Custom Image - Custom Script Extension - Automation
with DSC. To me C+E is for Custom Script Extension, but A+B is Automation with
DSC. Really hard to decide!
upvoted 1 times

C
& E Look good. As the VM is native Azure image, it comes with the Azure VM
agent on it that can be used to install and software. Custom scripts and
extensions are needed when the default Azure VM agent is not enough. In this
case, installing web server components is a native thing that can be done on the
server so no custom script should be needed.
https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/features-windows
upvoted 11 times

scale
set must be provisioned using ATM template, it cannot be created in the portal.
should be extension (in the template) + custom script (blob reference in the
template)
upvoted 2 times
  InsomniumBR 3 months, 2 weeks ago

I
think the answer is A and C. Create a configuration script and use the Azure
Portal (Cloud Shell) for deploy a scale set.
upvoted 3 times
  JohnAvlakiotis 3 months, 2 weeks ago

A
and E
https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-deploy-app
upvoted 9 times
  jwang 1 month, 1 week ago

I
believe is A & E as well. E - You define file URIs in the extersionProfile
section of the template. A - You need a place to store the script file(s).
Reference:
upvoted 3 times

C
can not be! "AUTOMATE". It is A and E. you must modifiy the script an then
upload the script!
upvoted 5 times

Answer is :C&E First create a customized scale
set&VMs and modify the extensionProfile To reduce the configuration
management and time to provision a VM, you can create a custom VM image that is
ready to run your application as soon as an instance is provisioned in the scale
set. For more information on how to create and use a custom VM image with a
scale set, see the following tutorials:
upvoted 1 times
  dg63 1 month, 1 week ago

Answer
should be A and C. There is "extensionProfile" section in an Azure Resource
manager template. You define the extension in the Azure desired state
configuration (DSC) script. You need to define a VMSS and a configuration script
(DSC).
upvoted 1 times

Oops
- with typo correction Answer should be A and C. There is NO "extensionProfile"
section in an Azure Resource manager template. You define the extension in the
Azure desired state configuration (DSC) script. You need to define a VMSS and a
configuration script (DSC).
upvoted 1 times
  raaahul 1 month ago

The
given answers are correct. Reference 1.
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/tutorial-create-vmss
Create a virtual machine scale set 2.
https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/custom-script-windows
Azure VM extensions can be deployed with Azure Resource Manager templates. The
JSON schema, which is detailed in the previous section can be used in an Azure
Resource Manager template to run the Custom Script Extension during
deployment.
upvoted 2 times

Answer
give is correct C & E.
upvoted 1 times

A
and E
upvoted 1 times

C
and E
upvoted 1 times
  P0d 1 week, 4 days ago

Steps
to automate: 1) Create VM 2) Export template of created VM 3) Modify template
and configure ExtensionProfile, and add Scaleset in configuration and
Application to be installed 4) save this template as local json file by
copypasting to text editor 5) Create Automation Account 6) From automation
account Create runbook and add template path to runbook
https://docs.microsoft.com/en-us/azure/automation/automation-deploy-template-runbook
https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/export-template-portal
https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/quick-create-template-windows
upvoted 1 times
  bhendi 1 week, 1 day ago

Its
CE, did it in labs
upvoted 4 times
  SIDNEY1 1 week ago
Agreed,
it is C and E. I just did this in the lab too. Check this link out:
https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/tutorial-install-apps-template.
Then go to the middle of the page and read this: Create Custom Script Extension
definition When you define a virtual machine scale set with an Azure template,
the Microsoft.Compute/virtualMachineScaleSets resource provider can include a
section on extensions. The extensionsProfile details what is applied to the VM
instances in a scale set. It's C and E, without a doubt.
upvoted 3 times
  vic88sanchez 1 week ago

originally
i thought A and E But as i looked at everyone's response, tried in the lab and
thought thru it, the better answer is C and E You go thru the process of
creating the scale set thru the portal, you then review the template before
creating and add to the extensions. you then save the template and build using
the saved template.
upvoted 3 times
You have an Azure subscription.

You have 100 Azure virtual machines.
You need to quickly identify underutilized virtual machines that can have their service tier changed to a less expensive offering.
Which blade should you use?
A. Customer insights
B. Monitor
C. Advisor
D. Metrics
Correct Answer: C
References:
https://docs.microsoft.com/en-us/azure/advisor/advisor-cost-recommendations
  Khang 2 months, 2 weeks ago

C
is correct answer
upvoted 5 times
  AmineHZ 1 month, 4 weeks ago

C
is the correct answer
upvoted 1 times

C
is correct
upvoted 2 times

An app uses a virtual network with two subnets. One subnet is used for the application server. The other subnet is used for a database server. A
network virtual appliance (NVA) is used as a firewall.
Traffic destined for one specific address prefix is routed to the NVA and then to an on-premises database server that stores sensitive data. A
Border Gateway
Protocol (BGP) route is used for the traffic to the on-premises database server.
You need to recommend a method for creating the user-defined route.
Which two options should you recommend? Each correct answer presents a complete solution.
A. For the virtual network configuration, use a VPN.
B. For the next hop type, use virtual network peering.
C. For the virtual network configuration, use Azure ExpressRoute.
D. For the next hop type, use a virtual network gateway.
Correct Answer: AC
References:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview

Wrong
Answer , Correct Answer is : A, D
upvoted 12 times
  onlyfunmails 5 months ago

As
it uses BGP routing, so it should be ExpressRoute, so correct Answer: C &
D
upvoted 5 times

I
don't think this is the reason. ExpressROute must use BGP, but BGP can be used
by regular VPNs too. I think the reason of A and C is discarding the other 2. D
is wrong because if you have an NVA you set the next hope address to an IP
address of the NVA instead.
upvoted 8 times
  onlyfunmails 4 months, 4 weeks ago

Agree,
thanks for correcting.
https://docs.microsoft.com/bs-latn-ba/azure/vpn-gateway/vpn-gateway-bgp-overview
Can I use BGP with my VNet-to-VNet connections? Yes, you can use BGP for both
cross-premises connections and VNet-to-VNet connections.
upvoted 2 times

A
and C are the right Answers and the link explains it well.
upvoted 2 times

Answer
is AD, and here is why The virtual network gateway must be created with type
VPN. You cannot specify a virtual network gateway created as type ExpressRoute
in a user-defined route because with ExpressRoute, you must use BGP for custom
routes.
upvoted 4 times

I
think the answer is A, C because the question states that each answer presents a
"complete solution." Therefore, I don't think the answer can be D because it
does not represent a complete solution.
upvoted 14 times

The
"complete solution" bit is the key to the answer, can only be A and C.
upvoted 1 times

I'd
say A,C B - there is no such a hop D - next hop should be Virtual
Appliance
upvoted 1 times
  FailureIsnotAnOption 3 months, 1 week ago

"Each
answer is a complete solution" A and C
upvoted 2 times

tricky
question! It can not be Express Route that user-defined route are not supported!
So we must use an VPN Gateway ! Peering make no sense. Answer is A and
D
upvoted 2 times
  Minimal1988 2 months, 4 weeks ago

SlientH
is correct! the Answer is right A,C
upvoted 2 times
  xfit 2 months, 1 week ago

The
correct answer is A and D. Apart from the fact that the information is found in
the MS link provided (see below) many of you are incorrectly interpreting the
question. The part you need to focus on is "You need to recommend a method for
creating the user-defined route" . THAT IS ALL, the rest of the question is a
distraction and irrelevant. Therefore the complete method to accomplish this is
to use a VPN with the VNG as the next hop. "The virtual network gateway must be
created with type VPN. You cannot specify a virtual network gateway created as
type ExpressRoute in a user-defined route because with ExpressRoute, you must
use BGP for custom routes."
upvoted 2 times

D
is totally wrong, you use NVA, so next hop should NVA's IP not VGW.
upvoted 1 times

A and C
upvoted 2 times
  silverdeath 1 month, 3 weeks ago

Wrong
Answer, it's : A & D
upvoted 1 times
  SilNilanjan 1 month, 2 weeks ago

A
& D are the correct answers
upvoted 1 times
  Gorha 1 month, 1 week ago

A
and D correct
upvoted 1 times
  vasanchez 1 month, 1 week ago

A
and D They want a user defined route and a BGP custom route, they are asking
specifically for the users defined route, so that eliminates C as you cant use
as a user defined route and B is totally out of the question.
upvoted 1 times
  hilmit 1 month ago

The
question asks for "presents complete solution". So, A is no brainer. How about
C? When we check BGP with Express Route about user defined routes, it clearly
states that "You can use user-defined routes for forcing traffic from the
Express Route to, for example, a Network Virtual Appliance.". So, C is also true
because we have NVA and we can force Express Route to use user-defined routes
for NVA. So, A-C is true
upvoted 2 times
  P0d 2 weeks ago

Why
in same VNET configuration we should use either VPN and Express route. We can
use only one route for the VNET. As we know Express route is used for on-premise
to Azure connect. As both subnets are exist in same VNET so we need a VPN and
for that we can use route to VPN gateway.
upvoted 1 times
  P0d 2 weeks ago

But
in question it says that we have DB on premises which we need to have route. And
in that scenario we use Express Route and for the next hop we can use VPN
gateway as it's resides on Azure side. As a result I stay on answers C and
D
upvoted 1 times
You manage a solution in Azure that consists of a single application which runs on a virtual machine (VM). Traffic to the application has increased
dramatically.
The application must not experience any downtime and scaling must be dynamically defined.
You need to define an auto-scale strategy to ensure that the VM can handle the workload.
Which three options should you recommend? Each correct answer presents a complete solution.
A. Deploy application automatic vertical scaling.
B. Create a VM availability set.
C. Create a VM scale set.
D. Deploy application automatic horizontal scaling.
E. Deploy a custom auto-scale implementation.
Correct Answer: CDE

C
is incorrect. You cannot create Vm Scale set after creation of VM
upvoted 1 times
  vishg 4 months, 2 weeks ago

What
is the correct answer ?
upvoted 1 times

CDE
upvoted 8 times

A&B
Cannot be the answers hence C, D, E are correct. Vertical scaling means adding
more cpu. disk etc and availability set are to protect against HW failure of
underlying hosts.
upvoted 3 times

I
think C,D,E because availability set - the application must "application must
not experience any downtime " but a scale set automatically implements placement
groups which work in a similar way to availability sets using fault and update
zones. MS docs never recommend using scale sets and availability sets together
and I dont even think it is possible? D & E because horizontal scaling means
increasing the number of instances as opposed to vertical scaling which
increases the instances resources.You can use metrics from application insights
to trigger scaling. I didnt think both D and E were correct , but seeing that A
and B are not correct then I must choose E aswell
upvoted 6 times

I
think it's C, D, & E because the answer cannot be A as a vertical scale
change would require a restart of the VM thus violating the requirement of "must
not experience any downtime". The answer cannot be B as an availability set is
more of an HA solution than a scaling solution.
upvoted 6 times
  jcarlos 2 months, 1 week ago

i
would say answer is BCD to meet high availabilty and auto scale requirements
https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-use-availability-zones
upvoted 4 times
  keithtemplin 3 weeks, 5 days ago

The
requirements of "The application must not experience any downtime" is the
missing option in CDE. If you setup scale sets in on Availability Zone, you app
can still go down in that zone is off line. jcarlos is correct IMHO based on
the link he provided. However depending on when the test was written and this
feature became available could be the determining factor to which is correct. I
am betting on BCD.
upvoted 1 times
  ldopson001 2 months, 1 week ago

CDE,
Virtual scaling requires a reboot (requirement says no downtime), Availability
sets are for HA not scaling. So we need VMSS, Horizontal scaling, and a custom
implementation to increase.decrease by one or more VMs.
upvoted 8 times
  Rajuuu 3 weeks, 5 days ago

Answer
should be BCD ..As it requires Autoscaling .
upvoted 1 times
  nadjar007 2 weeks, 3 days ago

Virtual
machines in a scale set can be deployed across multiple update domains and fault
domains to maximize availability and resilience to outages due to data center
outages, and planned or unplanned maintenance events. Answer. BCD
upvoted 1 times

You
can not create scaleset from this VM, you can use its image to create a new VM
scale set. Options are not perfect as per answer but since A and B are totally
wrong so only remaining options are C,D and E.
upvoted 1 times
DRAG DROP -
You develop a web app that uses the tier D1 app service plan by using the Web Apps feature of Microsoft Azure App Service.
Spikes in traffic have caused increases in page load times.
You need to ensure that the web app automatically scales when CPU load is about 85 percent and minimize costs.
Which four actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and
NOTE: More than one order of answer choices is correct. You will receive credit for any of the correct orders you select.
Select and Place:
Correct Answer:
References:
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/autoscale-get-started
  NS 7 months, 3 weeks ago

You
cann't add a rule without adding a scale condition first. So, I think the right
answer should be: - Configure the web app to the standard app service tier -
Enable autoscaling on the web app - Configure a scale condition - Add a scale
rule
upvoted 25 times

Disagree,
moderator section is correct.
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/autoscale-get-started
one rule will have multiple connections.
upvoted 2 times
  levm39 4 months ago

you
are wrong, first are conditions, rules are inside conditions. (in the same link
you pasted)
upvoted 2 times

Add a condition before a rule .... from the ms lab:
https://docs.microsoft.com/en-us/azure/azure-monitor/learn/tutorial-autoscale-performance-schedule
upvoted 3 times

I
ran through this in my lab and the answer in order is: 1. Configure the web app
to the Standard App Service tier 2. Enable autoscaling on the web app 3.
Configure a Scale condition 4. Add a Scale rule The reason why is that the Scale
rule is *within* the Scale condition; therefore, "Configure a Scale condition"
must come before "Add a Scale rule".
upvoted 9 times
  Karls 3 months, 2 weeks ago

I
did in my lab too. Correct answer are NS and SilenH
upvoted 2 times

Add
scale condition before adding the rule
upvoted 2 times
HOTSPOT -
You have Azure subscription that contains a virtual network named VNet1. VNet1 uses an IP address space of 10.0.0.0/16 and contains the
subnets in the following table.
Subnet1 contains a virtual appliance named VM1 that operates as a router.

You create a routing table named RT1.
You need to route all inbound traffic to VNet1 through VM1.
How should you configure RT1? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
  Cern77 5 months, 3 weeks ago

Correct:
upvoted 6 times
  CloudGuy0 2 months, 3 weeks ago

I
think its incorrect. Why are you using the vNet IP Space if you are deploying
the Virtual Gateway Appliance to the Gateway Subnet?
https://docs.microsoft.com/en-us/windows-server/networking/sdn/manage/use-network-virtual-appliances-on-a-vn
Answer: 10.0.254.0/24 Virtual Appliance Gateway Subnet
upvoted 2 times
  realsaid 2 months, 2 weeks ago

You are very wrong. The question says you need to route
all traffic destined for Vnet1 address space. The answers are very
correct.
upvoted 6 times
  BenDova 1 month ago

10.0.0.0/16
because you need to route inbound traffic to the vnet address space Virtual
appliance - this lets you specify vm1 ip as next hop Gatewaysubnet - because
inbound traffic is coming in to whatever VPN/ER gateway is deployed here
therefore route needs to be applied here.
upvoted 2 times
  milind8451 1 month ago

1.
Address Prefix 10.0.0.0/16 - Because routing table will be applied to this VNET.
2. Next hop type "Virtual appliace" - because as mentioned in ques all inbound
traffic must be routed through VM1 which will act as virtual appliance 3.
Assigned to "Gateway Subnet" - because all incoming traffic to this vnet will
first hit the Gateway which is in gateway subnet.
upvoted 8 times
You are implementing authentication for applications in your company. You plan to implement self-service password reset (SSPR) and multifactor
authentication
(MFA) in Azure Active Directory (Azure AD).
You need to select authentication mechanisms that can be used for both MFA and SSPR.
Which two authentication methods should you use? Each correct answer presents a complete solution.
A. Short Message Service (SMS) messages
B. Azure AD passwords
C. Email addresses
D. Security questions
E. App passwords
Correct Answer: AB
References:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-methods
  vishg 4 months, 1 week ago

SMS
& APP
upvoted 6 times
  Babin 4 months ago

The
link says Microsoft Authentication App in the list
upvoted 1 times
  Mathew 3 months, 3 weeks ago
Password MFA
and SSPR SMS MFA and SSPR App passwords MFA only in certain cases
upvoted 2 times

MFA
verification options fo users: - Call to phone - Text message to phone -
Notification through mobile app - Verification code from mobile app or hardware
token Password Reset Methods available to users: - Mobile app notification -
Mobile app code - Email - Mobile phone - Office phone - Security questions So,
SMS is clear. But there isn't any other coincidence except that "App password"
do reference to "MFA: Notification through mobile app" and "Passw Reset: Mobile
app code" then will be A and E.
upvoted 5 times
  rods 3 months, 3 weeks ago

Microsoft
highly recommends Administrators enable users to select more than the minimum
required number of authentication methods in case they do not have access to
one. Authentication Method Usage Password MFA and SSPR Security questions SSPR
Only Email address SSPR Only Microsoft Authenticator app MFA and SSPR OATH
Hardware token Public preview for MFA and SSPR SMS MFA and SSPR Voice call MFA
and SSPR App passwords MFA only in certain cases Based on the above, A and B are
correct.
upvoted 17 times
  JohnAvlakiotis 3 months, 2 weeks ago

True
upvoted 3 times
  Burtzz 3 months, 2 weeks ago

Agree,
can’t use email on Mfa, can’t use app passwords on SSPR, can’t use, can’t use
security question on mfa
upvoted 2 times

A and B
upvoted 2 times
  Khang 2 months ago

Should
be A&E
upvoted 1 times
  VangaDB 1 month, 2 weeks ago

Khang
-- don't pass wrong answer. first read -- @JohnAvlakiotis - already passed the
link and clear answer from there.
upvoted 2 times

A
and E
upvoted 1 times

MFA
and SSPR: - Password (B) - Microsoft Authenticator app - SMS (A) - Voice
Call
upvoted 1 times
  joilec435 4 weeks ago

AE
answer
upvoted 1 times
A
and E
upvoted 1 times

answer
should be A and E
upvoted 1 times
Note: This question is part of series of questions that present the same scenario. Each question in the series contains a unique solution that
might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription that contains 10 virtual networks. The virtual networks are hosted in separate resource groups.
Another administrator plans to create several network security groups (NSGs) in the subscription.
You need to ensure that when an NSG is created, it automatically blocks TCP port 8080 between the virtual networks.
Solution: You create a resource lock, and then you assign the lock to the subscription.
Does this meet the goal?
A. Yes
B. No
Correct Answer: B
How can I freeze or lock my production/critical Azure resources from accidental deletion? There is way to do this with both ASM and ARM
resources using Azure resource lock.
References:
https://blogs.msdn.microsoft.com/azureedu/2016/04/27/using-azure-resource-manager-policy-and-azure-lock-to-control-your-azure-resources/
  CloudGuy0 2 months, 3 weeks ago

Answer
is correct. Resource Lock prevents changes to a resource. It does not lock a
configuration in place across multiple iterations.
upvoted 6 times

CloudGuy0,,,,, Are you OK?
upvoted 3 times
  Dann1112 4 days, 18 hours ago

I think he is just... elaborating ? /u\
upvoted 1 times

Answer
B - Locks can be applied to resource, resource group, or subscription. However,
it doesn't validate that NSGs have specific rules. Its simply prevents you from
changing or deleting resources.
upvoted 1 times

You have an Azure subscription named Subscription1. Subscription1 contains a resource group named RG1. RG1 contains resources that were
deployed by using templates.
You need to view the date and time when the resources were created in RG1.
Solution: From the RG1 blade, you click Automation script.
A. Yes
B. No
Correct Answer: B
There
is no Automation script to click from the RG blade.
upvoted 3 times
  licna 3 months, 2 weeks ago

It
used to be there, but now there really isn't this 'Automation script' option on
a resource group blade. Anyway, you'd have to choose the 'Deployments' item to
meet the goal.
upvoted 3 times

From
the RG1 blade, you click Deployments.
upvoted 14 times

Deployments
upvoted 2 times
  codeoptimus 1 month, 3 weeks ago

There's
actually no such blade called automatic script. The answer is correct. The only
way to view such info is through the Deployment blade under the settings
section.
upvoted 2 times

There
is no blade for Automation script blade under RG. Instead you can view the date
and time of deployment from "Deployments" blade under RG.
upvoted 1 times
Solution: From the Subscription blade, you select the subscription, and then click Resource providers.
A. Yes
B. No
Correct Answer: B
  Ramanraghav 1 month, 3 weeks ago

Resource
providers section just shows the Providers that are registereded or not
registered within the subscription So not possible
upvoted 2 times

The
answer is B because you need to use the deployments blade to see when resources
were provisioned.
upvoted 2 times

You
have to click deployments.
upvoted 1 times

You
can view the date and time of deployment from "Deployments" blade under Resource
group. Respurce provider doesn't tells anything about deployed resources in your
subsciption.
upvoted 2 times
Solution: From the RG1 blade, you click Deployments.
A. Yes
B. No
Correct Answer: A

Correct:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-deployment-operations
upvoted 5 times
HOTSPOT -
You have several Azure virtual machines on a virtual network named VNet1.
You configure an Azure Storage account as shown in the following exhibit.
Hot Area:
Correct Answer:
Box 1: always -
Endpoint status is enabled.
Box 2: Never -
After you configure firewall and virtual network settings for your storage account, select Allow trusted Microsoft services to access this storage
account as an exception to enable Azure Backup service to access the network restricted storage account.
Reference:
https://docs.microsoft.com/en-us/azure/storage/files/storage-how-to-use-files-windows https://azure.microsoft.com/en-us/blog/azure-
backup-now-supports-storage-accounts-secured-with-azure-storage-firewalls-and-virtual-networks/
  iselectkane321 6 months ago

BOX
1 wrong?
upvoted 8 times

You
right, only 10.2.0.0/24 is allowed to access this storage account ...
10.2.9.0/24 is not in 10.2.0.0/24 !
upvoted 17 times
  Rafael1984 2 months, 4 weeks ago

endpoint
is enable, Box 1 is right.
upvoted 1 times
  Fred_Freedom 2 months, 3 weeks ago

@Rafael1984
The endpoint is enable though, it is enable to 10.2.0.0/24, but not to
10.2.9.0/24. So, the endpoint is not enable to 10.2.9.0/24. So, I think that the
correct answer for BOX 1 is "never", but not "always".
upvoted 3 times

I
disagree, the endpoint is enabled it will have access...the answer is
correct
upvoted 1 times

Subnet
1 and subnet Prod are in the same vnet, so if there is a private endpoint in
Prod subnet, the resources from subnet 1 should be able to access it. This means
Box 1 is correct.
upvoted 1 times

I
was wrong, and realized after reading the comment from Onlyfunmail. Box 1 is
wrong, because from the other subnet you don't have access to it.
upvoted 3 times

https://docs.microsoft.com/en-us/azure/virtual-network/tutorial-restrict-network-access-to-resources
only VMs in the same subnet which was added storage account will only have
access. If it is intended to allow any VMs in subnet, then it should have option
to specify VNET only, however storage account specifically asks VM and
subnet...
upvoted 4 times

check
https://docs.microsoft.com/en-us/azure/virtual-network/tutorial-restrict-network-access-to-resources
Section: Confirm access is denied to storage account
upvoted 7 times
  sami777 2 months, 2 weeks ago

So
after reading onlyfunmails comments answer will be both box = never.
upvoted 7 times

Agreed,
the 10.2.9.0/24 is part of the first subnet listed in the exhibit. The endpoint
status is not enabled. So box 1 is Never. Box 2 is Never too, the trusted MS
services checkbox is unchecked.
upvoted 2 times

never, never
upvoted 4 times
  steviev 2 months, 1 week ago

The
screenshot does not show the subnet 10.2.9.0/24. There is a scrolling bar that
shows there are likely to be additional subnets in there but not reflected in
the question/screenshot. I believe the subnet is probably there so answer is
'always' for box 1
upvoted 1 times
  Mathai 2 months, 1 week ago

I
think that is a typo.. They probably thought of 10.2.0.0/24 but instead typed
10.2.9.0/24.. if it's 10.2.0.0/24 , box 1 is always and for 10.2.9.0/24 box 1 is
never.
upvoted 2 times
  mshehata 2 months ago

It should be
never,never. But there is something wrong with the screenshot, the address range
does not appear like in screenshot, only the added subnet.
https://postimg.cc/FdFm68HD
upvoted 2 times

never,
never. it's a diffrent subnet
upvoted 1 times

Answer
should be No,no. Only the VMs in the Prod subnet will be able to access the
service endpoint. VM's in other subnet within same virtual network will not get
direct access through the service endpoint
upvoted 2 times

Never
and Never it is.
upvoted 2 times

never
never HostMin: 10.2.0.1 00001010.00000010.00000000 .00000001
HostMax: 10.2.0.254 00001010.00000010.00000000 .11111110 HostMin:
10.2.9.1 00001010.00000010.00001001 .00000001 HostMax:
10.2.9.254 00001010.00000010.00001001 .11111110
upvoted 2 times
  DamianDeLaVinya84 2 weeks, 5 days ago

I
don't understand why question2 = Never. Azure Backup works with unmanaged hard
disks. I don't see any reason on the exhibit that prevents Azure Backup to do
back ups.
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/backup-and-disaster-recovery-for-azure-iaas-disks
upvoted 2 times
  TYT 1 week, 6 days ago

Allow
trusted Microsoft Services box is not checked in the exhibit.
upvoted 1 times
HOTSPOT -
You plan to create an Azure Storage account in the Azure region of East US 2.
You need to create a storage account that meets the following requirements:
- Replicates synchronously
- Remains available if a single data center in the region fails
How should you configure the storage account? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Box 1: Zone-redundant storage (ZRS)

Zone-redundant storage (ZRS) replicates your data synchronously across three storage clusters in a single region.
LRS would not remain available if a data center in the region fails
GRS and RA GRS use asynchronous replication.
Box 2: StorageV2 (general purpose V2)
ZRS only support GPv2.
References:
https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy https://docs.microsoft.com/en-
us/azure/storage/common/storage-redundancy-zrs
  bizie 8 months ago

GRS
is highlighted and not ZRS
upvoted 16 times
Agree,
ZRS provides synchronous redundancy within an availability zone aka different
data center within the same region.
upvoted 13 times
  kondapaturi 5 months, 3 weeks ago

ZRS
is correct Zone-redundant storage (ZRS) replicates your data synchronously
across three storage clusters in a single region. Zone-redundant storage (ZRS)
and geo-zone-redundant storage (GZRS/RA-GZRS) (preview) are available only for
standard General-purpose V2, BlockBlobStorage, and FileStorage accounts in
certain regions.
upvoted 16 times
You
right:
https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy
upvoted 1 times
  kondapaturi 5 months, 3 weeks ago

StorageV2
is correct because it supports ZRS in standard. StorageV1 will not supports ZRS
in standard.
upvoted 3 times

ZRS
upvoted 4 times
  Fred_Freedom 2 months, 3 weeks ago

I
would say that both ZRS and GRS can be the answer for BOX1. GRS can copy data
synchronously in the primary region, but asynchronously in the secondary region.
So, ZRS may be a better choice than GRS.
upvoted 2 times

ZRS
and V2
upvoted 2 times

Box
1: Zone-redundant storage (ZRS) Zone-redundant storage (ZRS) replicates your
data synchronously across three storage clusters in a single region. LRS would
not remain available if a data center in the region fails GRS and RA GRS use
asynchronous replication. Box 2: StorageV2 (general purpose V2) ZRS only support
GPv2. References:
https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy
https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy-zrs
upvoted 3 times
  Khang 2 months, 2 weeks ago

Box1:
ZRS Box2: Storage V2
upvoted 2 times

the
synchronous redundancy is only in LRS and ZRS so it's ZRS, and the ZRS is
supported only for GPV2
upvoted 1 times

Wrong
highlighted, right ans is ZRS as GRS does asynchronous replication.
upvoted 1 times

Zone
redundant storage is correct. Can have multiple data centres in one region -
question mentions 1 data centre outage only.
upvoted 1 times

I
think answer is ZRS as its synchronous. GRS is Asynchronous
upvoted 1 times
  ochiwi 4 days ago

answer
is right .. Questions asks in a single DC Geo-redundant storage (GRS) copies
your data synchronously three times within a single physical location in the
primary region using LRS. It then copies your data asynchronously to a single
physical location in the secondary region
upvoted 1 times
DRAG DROP -
You have an on-premises file server named Server1 that runs Windows Server 2016.
You have an Azure subscription that contains an Azure file share.
You deploy an Azure File Sync Storage Sync Service, and you create a sync group.
You need to synchronize files from Server1 to Azure.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and
Select and Place:
Correct Answer:
Step 1: Install the Azure File Sync agent on Server1

The Azure File Sync agent is a downloadable package that enables Windows Server to be synced with an Azure file share
Step 2: Register Server1.
Register Windows Server with Storage Sync Service
Registering your Windows Server with a Storage Sync Service establishes a trust relationship between your server (or cluster) and the Storage
Sync Service.
Step 3: Add a server endpoint -

Create a sync group and a cloud endpoint.
A sync group defines the sync topology for a set of files. Endpoints within a sync group are kept in sync with each other. A sync group must
contain one cloud endpoint, which represents an Azure file share and one or more server endpoints. A server endpoint represents a path on
registered server.
References:
https://docs.microsoft.com/en-us/azure/storage/files/storage-sync-files-deployment-guide
You plan to use the Azure Import/Export service to copy files to a storage account.
Which two files should you create before you prepare the drives for the import job? Each correct answer presents part of the solution.
A. a dataset CSV file
B. an XML manifest file
C. a driveset CSV file
D. a PowerShell PS1 file
E. a JSON configuration file
Correct Answer: AC
A: Modify the dataset.csv file in the root folder where the tool resides. Depending on whether you want to import a file or folder or both, add
entries in the dataset.csv file
C: Modify the driveset.csv file in the root folder where the tool resides.
References:
https://docs.microsoft.com/en-us/azure/storage/common/storage-import-export-data-to-files

Dataset
and driveset are correct.
upvoted 2 times
You create an Azure Storage account named contosostorage.

You plan to create a file share named data.
Users need to map a drive to the data file share from home computers that run Windows 10.
Which outbound port should you open between the home computers and the data file share?
A. 80
B. 443
C. 445
D. 3389
Correct Answer: C
Ensure port 445 is open: The SMB protocol requires TCP port 445 to be open; connections will fail if port 445 is blocked.
References:
https://docs.microsoft.com/en-us/azure/storage/files/storage-how-to-use-files-windows

Option
B :- 443 as it is the SSL port number
upvoted 1 times

SMB
proto 445
upvoted 4 times

File
Share uses SMB port 445. Answer is correct. This can be done only through
445.
upvoted 5 times
HOTSPOT -
You have an Azure subscription named Subscription1.
Subscription1 contains the virtual machines in the following table:
Subscription1 contains a virtual network named VNet1 that has the subnets in the following table.
VM3 has multiple network adapters, including a network adapter named NIC3. IP forwarding is enabled on NIC3. Routing is enabled on VM3.
You create a route table named RT1 that contains the routers in the following table.
You apply RT1 to Subnet1 and Subnet2.

Hot Area:
Correct Answer:
IP forwarding enables the virtual machine a network interface is attached to:

✑ Receive network traffic not destined for one of the IP addresses assigned to any of the IP configurations assigned to the network interface.
✑ Send network traffic with a different source IP address than the one assigned to one of a network interface's IP configurations.
The setting must be enabled for every network interface that is attached to the virtual machine that receives traffic that the virtual machine
needs to forward. A virtual machine can forward traffic whether it has multiple network interfaces or a single network interface attached to it.
Box 1: Yes -
The routing table allows connections from VM3 to VM1 and VM2. And as IP forwarding is enabled on VM3, VM3 can connect to VM1.
Box 2: No -
VM3, which has IP forwarding, must be turned on, in order for VM2 to connect to VM1.
Box 3: Yes -
The routing table allows connections from VM1 and VM2 to VM3. IP forwarding on VM3 allows VM1 to connect to VM2 via VM3.
References:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview https://www.quora.com/What-is-IP-forwarding
  lorimer1 4 months, 2 weeks ago

All yes. All subnets within a vnet are routable to each
other by default i.e. the routing provided by VM3 is unecessary (seems to be a
trick question?)
upvoted 3 times

The
routing table entry for subnet2 still there so it it will forward traffic to
vm3. connection fail
upvoted 2 times

I
think its yes, no, yes like suggested. "You apply RT1 to Subnet1 and Subnet2" if
you apply the route table to subnet2 it will not get to subnet1, only using the
forward on the subnet3... i think...
upvoted 3 times
  CapSandy 1 week ago

You are referring to the default routes that will act to
allow traffic within all subnets under a Vnet. But when a UDR is in place, it
overrides and takes precedence. And hence route goes via VM3 and since it
shutdown it drops the traffic.
upvoted 1 times

What
is this question? All on same vnet so can talk to each other by default. The
routes being added even require traffic to devices in the same subnet to go
through the NVA, too?
upvoted 2 times

Answers
are: yes no yes because forwarding is done via VM3. Read below. Azure routes
network traffic in subnets by default. But in some cases, we want to use custom
traffic routes to define where and how traffic flows. In this case, we use route
tables. A route table defines the next hop for our traffic and determines where
the network traffic needs to go.
upvoted 16 times
  certificatores 1 month, 3 weeks ago

even
the answer is right, Azure network services should be smart enough to route that
traffic from default route if forwarded route is wrong. I don't get why Azure do
not support this very basic functionality
upvoted 1 times
  Khang 2 months, 1 week ago

Yes/No/Yes
upvoted 5 times
  Ash_123 2 months ago

One
thing that is not clear to me is when route table is configured as Address
Prefix - 10.0.1.0/24, Next hop Type - Virtual Appliance, Next hop Address -
10.0.3.4. Then doesn't it mean that it allows connectivity from subnet 1
(10.0.1.0/24) to VM3 so in other words VM1 can establish connection with VM3 but
is vice cersa also true? i.e. can VM3 also establish netwrok connection with
VM1, is it bi-directional?
upvoted 2 times
  sumitbagga05 1 month, 3 weeks ago

I
have created a same lab for this. And verified answer is correct.
upvoted 3 times

yes
no and yes
upvoted 1 times

HOTSPOT -
You have a virtual network named VNet1 that has the configuration shown in the following exhibit.
Hot Area:
Correct Answer:
Box 1: add an address space -

Your IaaS virtual machines (VMs) and PaaS role instances in a virtual network automatically receive a private IP address from a range that you
specify, based on the address space of the subnet they are connected to. We need to add the 192.168.1.0/24 address space.
Box 2: add a network interface -

The 10.2.1.0/24 network exists. We need to add a network interface.
References:
https://docs.microsoft.com/en-us/office365/enterprise/designing-networking-for-microsoft-azure-iaas https://docs.microsoft.com/en-
us/azure/virtual-network/virtual-networks-static-private-ip-arm-pportal

The
existence of the default subnet means the answer is add a NIC? Is the default
subnet also going to be the same as the address space in this instance? The
command output didn’t show the CIDR...
upvoted 1 times

VNET
CIDR: 10.2.0.0/16 means, defaut subnet CIDR: 10.2.0.0/24. So, VM in default
subnet won't get the requested IP. Need to create a subnet with CIDR:
10.2.1.0/24 and create VM in that subnet. So, answer Add Subnet.
upvoted 12 times
  Ekramy_Elnaggar 5 months ago

Correct
answers are: - add an address space - add a subnet
upvoted 28 times

Definitely
add a subnet for the second, unless the rest of the script shows the correct
subnet. Since the cidr for the vnet ends in 0.0 I’d also assume default subnet
would start form 0.0 and not 1.0 anyway.
upvoted 4 times
  mmo 4 months ago

here
a link to a version of the question with a bigger picture. you see here the
10.2.0.0/24 but also not the 10.2.1.0/24
https://vceguide.com/hotspot-734/
upvoted 5 times
  Andy001 3 months, 1 week ago

Thus,
the correct answer is “Add a subnet”
upvoted 1 times
  NeerajKS 3 months, 2 weeks ago

The second answer will be to add a subnet with a CIDR of
10.2.1.0/24. The s no need to add a NIC. The NIC will be automatically
added.
upvoted 1 times
  Iyke 2 months, 3 weeks ago

Add
a subnet is a definite answer.
upvoted 2 times

Add
a subnet is right
upvoted 1 times
  Russel 2 months, 2 weeks ago

Without
adding subnet NIC addition won't be possible so definitely answer will be add a
subnet.
upvoted 1 times
HOTSPOT -
You have an Azure subscription named Subscription1. Subscription1 contains the resources in the following table.
In Azure, you create a private DNS zone named adatum.com. You set the registration virtual network to VNet2. The adatum.com zone is configured
is shown in the following exhibit.
Hot Area:
Correct Answer:
Box 1: No -
Azure DNS provides automatic registration of virtual machines from a single virtual network that's linked to a private zone as a registration
virtual network. VM5 does not belong to the registration virtual network though.
Box 2: No -
Forward DNS resolution is supported across virtual networks that are linked to the private zone as resolution virtual networks. VM5 does belong
to a resolution virtual network.
Box 3: Yes -
VM6 belongs to registration virtual network, and an A (Host) record exists for VM9 in the DNS zone.
By default, registration virtual networks also act as resolution virtual networks, in the sense that DNS resolution against the zone works from
any of the virtual machines within the registration virtual network.
References:
https://docs.microsoft.com/en-us/azure/dns/private-dns-overview
  Happiman 2 months, 1 week ago

Shouldn't it be NO, YES,YES?
upvoted 5 times
  Jolin130 1 month, 1 week ago

because vm5 is in Vnet1, and Vnet1 is not linked to the
private zone nor Vnet2, so vm5 cannot resolve the domain name.
upvoted 4 times
  BenDova 4 weeks, 1 day ago

The
ans is correct...N,N,Y
upvoted 4 times
  Jolin130 1 month, 1 week ago

because vm5 is in Vnet1, and Vnet1 is not linked to the
private zone nor Vnet2, so vm5 cannot resolve the domain name.
upvoted 5 times

You have a virtual network named VNet1 as shown in the exhibit. (Click the Exhibit tab.)
No devices are connected to VNet1.

You plan to peer VNet1 to another virtual network named VNet2 in the same region. VNet2 has an address space of 10.2.0.0/16.
You need to create the peering.
A. Add a gateway subnet to VNet1.
B. Create a subnet on VNet1 and VNet2
C. Modify the address space of VNet1
D. Configure a service endpoint on VNet2
Correct Answer: C
The virtual networks you peer must have non-overlapping IP address spaces. The exhibit indicates that VNet1 has an address space of
10.2.0.0/16, which is the same as VNet2, and thus overlaps. We need to change the address space for VNet1.
References:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-manage-peering#requirements-and-constraints

Correct.
upvoted 6 times
  heikoj 3 weeks, 3 days ago

Agreed
upvoted 2 times
  Nexus22 1 week, 3 days ago

Correct:
Peering must have non-overlapping IP address spaces
upvoted 3 times

SIMULATION -
Click to expand each objective. To connect to the Azure portal, type https://portal.azure.com in the browser address bar.
When you are finished performing all the tasks, click the "Ñext' button.
Note that you cannot return to the lab once you click the "Ñext' button. Scoring occur in the background while you complete the rest of the exam.
Overview -
The following section of the exam is a lab. In this section, you will perform a set of tasks in a live environment. While most functionality will be
available to you as it would be in a live environment, some functionality (e.g., copy and paste, ability to navigate to external websites) will not be
possible by design.
Scoring is based on the outcome of performing the tasks stated in the lab. In other words, it doesn't matter how you accomplish the task, if you
successfully perform it, you will earn credit for that task.
Labs are not timed separately, and this exam may have more than one lab that you must complete. You can use as much time as you would like to
complete each lab. But, you should manage your time appropriately to ensure that you are able to complete the lab(s) and all other sections of the
exam in the time provided.
Please note that once you submit your work by clicking the Next button within a lab, you will NOT be able to return to the lab.
To start the lab -

You may start the lab by clicking the Next button.
Your company plans to store several documents on a public website.
You need to create a container named bios that will host the documents in the storagelod8322489 storage account. The solution must ensure
anonymous access and must ensure that users can browse folders in the container.
What should you do from the Azure portal?
Correct Answer: See explanation below.

Azure portal create public container
To create a container in the Azure portal, follow these steps:
Step 1: Navigate to your new storage account in the Azure portal.
Step 2: In the left menu for the storage account, scroll to the lob service section, then select Blobs.
Select the + Container button.
Type a name for your new container: bios
Set the level of public access to the container: Select anonymous access.
Step 3: Select OK to create the container.

References:
https://docs.microsoft.com/en-us/azure/storage/blobs/storage-quickstart-blobs-portal
  mm2 6 months, 3 weeks ago

on
public access level you need to choose the anonymous rather than as showed
private
upvoted 2 times

What
is the correct answer ? Anonymous blob level access OR Anonymous Container level
access ? As per lab, we need to create a container named "BIOS". If we upload
documents in "BIOS" and give Blob level acess, this also works fine. Please
confirm.
upvoted 1 times

I
assume to the container since best practice is always to assign minimum required
and the question only mentions the container - at blob would be even broader
access.
upvoted 3 times
  JatinA 5 months, 1 week ago

Anonymous
Container Level Access.
https://docs.microsoft.com/en-us/azure/storage/blobs/storage-manage-access-to-resources
upvoted 7 times

It
would need to be Anonymous Container Level access since the question states that
anonymous users need to be able to view and navigate through the folders of the
container and they wouldn't be able to enumerate the contents of the container
if they were limited to Anonymous Blob Level access.
upvoted 6 times
  2cool2touch 2 months ago

Container
level access should be chosen to support the following requirement: "ensure
that users can browse folders in the container"
upvoted 1 times
  sumitbagga05 2 months ago

So
what will be the answer
upvoted 1 times

Anonymous
read access for container need to be applied, so browse access condition can be
met.
upvoted 1 times
  TYT 3 weeks, 1 day ago

Create
a container and select 'Container (anonymous read access for containers and
blobs)' option.
upvoted 6 times

SIMULATION -
Overview -
possible by design.
To start the lab -

Your company plans to host in Azure the source files of several line-of-business applications.
You need to create an Azure file share named corpsoftware in the storagelod8322489 storage account. The solution must ensure that
corpsoftware can store only up to 250 GB of data.

Step 1: Go to the Storage Account blade on the Azure portal:
Step 2: Click on add File Share button:
Step 3: Provide Name (storagelod8322489) and Quota (250 GB).

References:
https://docs.microsoft.com/en-us/azure/storage/files/storage-how-to-create-file-share

250
GB not 5120 :D
upvoted 3 times
  thala 2 months, 3 weeks ago

Qouta
is in GIB on Azure
upvoted 1 times
  Nilabh 2 months, 3 weeks ago

Gibibytes
to Gigabytes 250 GiB = 268.435456 GB
upvoted 1 times

250
GB=232.83 GIB
upvoted 5 times

then 250GB is 232.83075(250x1000^3/1024^3) ??? It's
non-sense.
upvoted 1 times

Step
3: Provide Name (corpsoftware, not storagelod8322489) and Quota (250
GB).
upvoted 3 times

Go
to storage account, file shares, add a new file share and give the quota as 250
GB. I am thinking you don't have to worry about GB v GiB. I would just give 250
GB.
upvoted 3 times

SIMULATION -
Overview -
possible by design.
To start the lab -

You plan to back up all the Azure virtual machines in your Azure subscription at 02:00 Coordinated Universal Time (UTC) daily.
You need to prepare the Azure environment to ensure that any new virtual machines can be configured quickly for backup. The solution must
ensure that all the daily backups performed at 02:00 UTC are stored for only 90 days.
What should you do from your Recovery Services vault on the Azure portal?

Task A: Create a Recovery Services vault (if a vault already exists skip this task, go to Task B below)
A1. From Azure Portal, On the Hub menu, click All services and in the list of resources, type Recovery Services and click Recovery Services
vaults.
If there are recovery services vaults in the subscription, the vaults are listed.
A2. On the Recovery Services vaults menu, click Add.
A3. The Recovery Services vault blade opens, prompting you to provide a Name, Subscription, Resource group, and Location
Task B.
B1. On the Recovery Services vault blade (for the vault you just created), in the Getting Started section, click Backup, then on the Getting Started
with Backup blade, select Backup goal.
The Backup Goal blade opens. If the Recovery Services vault has been previously configured, then the Backup Goal blades opens when you click
Backup on the
Recovery Services vault blade.
B2. From the Where is your workload running? drop-down menu, select Azure.
B3. From the What do you want to backup? menu, select Virtual Machine, and click OK.
B4. Finish the Wizard.

Task C. create a backup schedule
C1. Open the Microsoft Azure Backup agent. You can find it by searching your machine for Microsoft Azure Backup.
C2. In the Backup agent's Actions pane, click Schedule Backup to launch the Schedule Backup Wizard.
C3. On the Getting started page of the Schedule Backup Wizard, click Next.
C4. On the Select Items to Backup page, click Add Items.
The Select Items dialog opens.
C5. Select Blob Storage you want to protect, and then click OK.
C6.In the Select Items to Backup page, click Next.
On the Specify Backup Schedule page, specify
Schedule a backup every: day -
At the following times: 2.00 AM -
C7. On the Select Retention Policy page, set it to 90 days, and click Next.
C8. Finish the Wizard.

References:
https://docs.microsoft.com/en-us/azure/backup/backup-configure-vault
Wouldn't
this be done in the Azure portal itself? You can specify the backup policy when
creating the new backup. Select the schedule for 2:00 (UTC), daily retention for
90 days and untick all other retention options.
upvoted 17 times

yes,
backup policies. leave only daily configuration with retention 90 days. untick
other weekly, monthly etc
upvoted 7 times

Correct
Answer: 1- Open the Recovery Service Vault ( if not there then create one ) 2-
Click on Backup policies 3- Create New Policy ( Frequency: Daily, Time: 2 AM
UTC, Retention Range: 90 days) 4- Uncheck other weekly, monthly,
etc...
upvoted 25 times

we
should update default policy only, as requirement that new VM should same
schedule.
upvoted 4 times
  sgebb 4 months ago

The
goal is that the new vms are able to be configured quickly for backup, not to
actually enforce it by default
upvoted 2 times

Default
policy already exist for VM so only change the time and retention range change
in the default policy should be enough.
upvoted 5 times

Yes,
it should be done from Azure Portal. Question itself says, what you should do
from Azure portal "Recovery service vault".
https://docs.microsoft.com/en-in/azure/backup/tutorial-backup-vm-at-scale
upvoted 3 times
  Stu101 4 months ago

Agree
with Ekramy_Alnaggar and sgebb
upvoted 1 times
  tmurfet 2 months, 1 week ago

IMHO
best practice would be new policy, otherwise how do you easily know you've
implemented a policy? Suggest leaving default alone.
upvoted 1 times

I would change settings of DefaultPolicy, think about
how does the exam itself to tell if our answers is correct or incorrect. People
may create new policy with different names, the exam may only check settings
against DefaultPolicy...
upvoted 2 times

Although
I dont like to touch Default Policies but the keyword of "can be configured
quickly" may mean the exam writer wants us to know the possibility of modifying
default policy. Also, what jasonYin said, the script that checks the result
doesnt know what name to use and checking the DefaultPolicy name makes more
sense.
upvoted 1 times
  Khang 2 months ago

Agree
with @Ekramy
upvoted 1 times
  manhattan 1 month, 2 weeks ago

I
believe that agent was used in old versions.... I've tried and cannot modify the
default policy (it's all grayed out), creating a new policy you can schedule and
modify setting
upvoted 1 times

go
to Recovery services vault, Click on +backup (or you can go to back up
policies), select the type, give the time, number of days (90) and save. Nothing
else should be left checked. When you create a new backup policy, nothing
(weekly etc.) will be checked any way.
upvoted 1 times
  kumar123 1 week, 5 days ago

create a VM with any config. Once VM created, under
backup you can create RSV for daily backup at 2:00 and set retention for 90
days.
upvoted 1 times

SIMULATION -
Overview -
possible by design.
To start the lab -

You plan to connect several virtual machines to the VNET01-USEA2 virtual network.
In the Web-RGlod8322489 resource group, you need to create a virtual machine that uses the Standard_B2ms size named Web01 that runs
Windows Server
2016. Web01 must be added to an availability set.

Step 1: Choose Create a resource in the upper left-hand corner of the Azure portal.
Step 2: In the Basics tab, under Project details, make sure the correct subscription is selected and then choose Web-RGlod8322489 resource
group
Step 3: Under Instance details type/select:
Virtual machine name: Web01 -

Image: Windows Server 2016
Size: Standard_B2ms size
Leave the other defaults.
Step 4: Finish the Wizard

arability
set to be created. not marked on this pic
upvoted 9 times
  ify 4 months ago

i
believe you first create an availability set before you start deploying the
virtual machine web01 in the Web-RGlod8322489 resource group. when deploying the
VM, use the recommend size, OS, and under availability set choose the one you
just created.
upvoted 1 times
  dharmaraj1987 2 months, 1 week ago

you
can create availability set while creating vm.
upvoted 3 times
  Stu101 4 months ago

Availability
Set must be created. Also attach the VM to the VNET as mentioned in the question
- VNET01-USEA2 virtual network ( on a safer side , though it is not asked as a
hard requirement).
upvoted 3 times
  JasonYin 3 months, 2 weeks ago

You will have option to create Availability Set and VNET
when you create a new VM through Azure Portal Wizard.
upvoted 7 times
  Andy001 3 months ago

You
must ensure the new VM Web01 is in the same location as the VNet
VNET01-USEA2
upvoted 2 times

availability
set,vnet and vm size need to be selected
upvoted 1 times

Web01
must be added to an availability set. this requirement is not satisfied in the
explanation, if not present already you can create it during the VM creation too
under availability set(create new)
upvoted 1 times
We
must create a new Availability Set and a VNET with the name asked while creating
this VM
upvoted 1 times

Availability
options needs to be change to Availability set and then existing set options
will be available.
upvoted 1 times

Assumptions:
VNET already exists, VM doesn't exist, Availability Set doesn't exist. Go to
create a VM, select the correct RG, Win Server, Size etc., Add new availability
set with domains (2, 3 or what ever), give the credentials and create. If VNET
or VM or Availability Set exists or doesn't exist, it is the same process. If it
doesn't exist, create one and make sure to add it to the VM.
upvoted 2 times
SIMULATION -
Overview -
possible by design.
To start the lab -

You recently created a virtual machine named Web01.
You need to attach a new 80-GB standard data disk named Web01-Disk1 to Web01.

Add a data disk -
Step 1: In the Azure portal, from the menu on the left, select Virtual machines.
Step 2: Select the Web01 virtual machine from the list.
Step 3: On the Virtual machine page, , in Essentials, select Disks.
Step 4: On the Disks page, select the Web01-Disk1 from the list of existing disks.
Step 5: In the Disks pane, click + Add data disk.
Step 6: Click the drop-down menu for Name to view a list of existing managed disks accessible to your Azure subscription. Select the managed
disk Web01-Disk1 to attach:
References:
https://docs.microsoft.com/en-us/azure/virtual-machines/linux/attach-disk-portal

Would
you set LUN to 1, or leave it to 0?
upvoted 1 times

Does
not matter which lun you chose
upvoted 2 times
  Ijaz 4 months ago

will
it be a premium SSD or standard SSD
upvoted 1 times
  RazorCrest 3 months, 2 weeks ago

it
is not specified. more power to you &I.... any managed disk type will
do.
upvoted 1 times

Create
new VM or VM already create, in disks attach new disk with standard 80GB
only.
upvoted 5 times
  tmurfet 2 months, 1 week ago

Is
80 GiB the accepted size or (converting GB to GiB) 85.9? which can only be
entered as = 86 Gib? I would guess that 80 Gib is accepted but does anyone know
for sure?
upvoted 1 times

as
the question mentioned Standard Data Disk, I am leaning towards HDD and not
SSD
upvoted 1 times

Go
to the VM, click on add new data disk, Leave LUN as 0 or 1 - doesn't matter,
give your disk a name, go to size and select standard data disk ( I don't think
HDD or SSD matter because it was not stated if it is for Dev/Test use or cost
effective or anything), so I guess you can select what ever. Add custom size as
80 GB and click OK. That's it.
upvoted 2 times
SIMULATION -
Overview -
possible by design.
To start the lab -

You plan to allow connections between the VNET01-USEA2 and VNET01-USWE2 virtual networks.
You need to ensure that virtual machines can communicate across both virtual networks by using their private IP address.
The solution must NOT require any virtual network gateways.

Virtual network peering enables you to seamlessly connect two Azure virtual networks. Once peered, the virtual networks appear as one, for
connectivity purposes.
Peer virtual networks -

Step 1. In the Search box at the top of the Azure portal, begin typing VNET01-USEA2. When VNET01-USEA2 appears in the search results, select
it.
Step 2. Select Peerings, under SETTINGS, and then select + Add, as shown in the following picture:
Step 3. Enter, or select, the following information, accept the defaults for the remaining settings, and then select OK.
Name: myVirtualNetwork1-myVirtualNetwork2 (for example)
Subscription: elect your subscription.
Virtual network: VNET01-USWE2 - To select the VNET01-USWE2 virtual network, select Virtual network, then select VNET01-USWE2. You can
select a virtual network in the same region or in a different region.
Now we need to repeat steps 1-3 for the other network VNET01-USWE2:
Step 4. In the Search box at the top of the Azure portal, begin typing VNET01- USEA2. When VNET01- USEA2 appears in the search results,
select it.
Step 5. Select Peerings, under SETTINGS, and then select + Add.
References:
  AnaFP 3 months ago

I
think it's not necessary to make a peering the second time. Just connecting
VNet1 with VNet2, the peering is done.
upvoted 14 times
  aimar047 3 days, 10 hours ago

"You need to ensure that virtual machines can
communicate across both virtual networks by using their private IP address." If
one peering side is created, the peering connection tab won't appear "connected"
state . it requires both sides !
upvoted 1 times

Assumption:
Both VNETS already exists. Go to any VNET -> Peerings -> Add -> Give a
name -> select the other VNEt -> give a name for the peering from other
side -> make sure allow vnet access as enabled (both) -> Click OK. If
VNETs do not exist, make sure to create two VNETs with non-overlapping address
space, else you won't be able to Peer and you will get an error and it won't let
you create peering.
upvoted 4 times

SIMULATION -
Overview -
possible by design.
To start the lab -

You plan to host several secured websites on Web01.
You need to allow HTTPS over TCP port 443 to Web01 and to prevent HTTP over TCP port 80 to Web01.

You can filter network traffic to and from Azure resources in an Azure virtual network with a network security group. A network security group
contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources.
A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of
Azure resources.
Step A: Create a network security group
A1. Search for and select the resource group for the VM, choose Add, then search for and select Network security group.
A2. Select Create.
The Create network security group window opens.

A3. Create a network security group
Enter a name for your network security group.
Select or create a resource group, then select a location.
A4. Select Create to create the network security group.
Step B: Create an inbound security rule to allows HTTPS over TCP port 443
B1. Select your new network security group.
B2. Select Inbound security rules, then select Add.
B3. Add inbound rule -

B4. Select Advanced.
From the drop-down menu, select HTTPS.
You can also verify by clicking Custom and selecting TCP port, and 443.
B5. Select Add to create the rule.
Repeat step B2-B5 to deny TCP port 80
B6. Select Inbound security rules, then select Add.
B7. Add inbound rule -

B8. Select Advanced.
Clicking Custom and selecting TCP port, and 80.
B9. Select Deny.
Step C: Associate your network security group with a subnet
Your final step is to associate your network security group with a subnet or a specific network interface.
C1. In the Search resources, services, and docs box at the top of the portal, begin typing Web01. When the Web01 VM appears in the search
results, select it.
C2. Under SETTINGS, select Networking. Select Configure the application security groups, select the Security Group you created in Step A, and
then select Save, as shown in the following picture:
References:
https://docs.microsoft.com/en-us/azure/virtual-network/tutorial-filter-network-traffic
  Rakeshsuryawanshi 5 months, 1 week ago

Question
is about the Website (AppService) not about a website on Virtual machine. not
sure why the explanation show this path
upvoted 2 times

it
is mentioned "You plan to host several secured websites on Web01" , so Web01
must be a VM not an App service.
upvoted 5 times

1-
If VM >> Create NSG with 2 rules and assign to Subnet 2- If Web App
>> Configure HTTPS Only : ON
upvoted 3 times
  lorimer1 4 months, 2 weeks ago

The nic already has a network security group so should
update the rules on that i.e. no need to create a 2nd NSG
upvoted 4 times

All
inbound connections are blocked by default in NSG. You only need to add a rule
to allow 443
upvoted 9 times
  Novix 2 months, 2 weeks ago

Technically
you still need the deny. It has no mention of external traffic. So you need to
assume that AllowVnetInBound also needs port 80 blocked.
upvoted 2 times
  levm39 2 months, 2 weeks ago

the
explanation also shows at the end Application Security Groups, this is
wrong!
upvoted 1 times

I
am wondering why you shouldn't update existing NSG. It may impact other VMs in
the VNET. I was thinking to create a new NSG and replace the current one with
the new NSG with appropriate Allow for HTTPS and Deny for HTTP
upvoted 3 times
  Ahmed911 4 weeks, 1 day ago

You don't need to create NSG, just go the
VM>Networking>then add "Allow" 443 to the inbound rules. HTTP already not
allowed by default, if you found it just delete the rule.
upvoted 4 times

This
is definitely a VM. Go to VM -> Networking -> Add Inbound Port Rule ->
Source: Any, Source Port ranges : *, Destination: Any, Destination Port Range:
443 (https), Action: Allow, Priority: More than 100, Name: anything -> Add.
Same with Port 80 for HTTP. Or As Ekramy_Elnaggar suggested, create NSG and do
the same thing as above.
upvoted 2 times

SIMULATION -
Overview -
possible by design.
To start the lab -

Your on-premises network uses an IP address range of 131.107.2.0 to 131.107.2.255.
You need to ensure that only devices from the on-premises network can connect to the rg1lod8322490n1 storage account.
Correct Answer: See solution below.

Step 1: Navigate to the rg1lod8322490n1 storage account.
Step 2: Click on the settings menu called Firewalls and virtual networks.
Step 3: Ensure that you have elected to allow access from 'Selected networks'.
Step 4: To grant access to an internet IP range, enter the address range of 131.107.2.0 to 131.107.2.255 (in CIDR format) under Firewall,
Address Ranges.
References:
https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security
  yazdan2905 6 months, 1 week ago

131.107.2.0/24
upvoted 23 times
  schmee 3 months, 1 week ago

Remove
the "Allow trusted MS services to access this storage account"?
upvoted 2 times

Yes,
because it mentions that it should be allowed from given IP range only so MS
services shouldn't be allowed.
upvoted 1 times

enabled
by default. no need to remove. "Allow trusted MS services to access this
storage account"
upvoted 1 times

Untick "Add your client IP address ......"
upvoted 2 times

Go
to storage account, firewalls and virtual networks, Selected networks, Give the
address range in CIDR format, make sure to uncheck add your client IP and
uncheck allow trusted microsoft services and click Save.
upvoted 1 times
SIMULATION -
Overview -
possible by design.
To start the lab -

You plan to store media files in the rg1lod8322490 storage account.
You need to configure the storage account to store the media files. The solution must ensure that only users who have access keys can download
the media files and that the files are accessible only over HTTPS.

We should create an Azure file share.
Step 1: In the Azure portal, select All services. In the list of resources, type Storage Accounts. As you begin typing, the list filters based on your
input. Select
Storage Accounts.
On the Storage Accounts window that appears.
Step 2: Locate the rg1lod8322490 storage account.
Step 3: On the storage account page, in the Services section, select Files.
Step 4: On the menu at the top of the File service page, click + File share. The New file share page drops down.
Step 5: In Name type myshare. Click OK to create the Azure file share.
References:
https://docs.microsoft.com/en-us/azure/storage/files/storage-how-to-use-files-portal

Step
6: Go to Shared access signature blade and under "allowed permissions" uncheck
the boxes: write, delete, add, create, update, process, so that you have Read
and List checked only. Under "Allowed protocols" ensure you have "HTTPS only"
checked.
upvoted 7 times
Access
keys is asked in question and not SAS. Wrong answer
upvoted 6 times

lol,
your step 6 doesn't do anything because that blade is used used to "Generate SAS
and connection string", it does absolutely nothing)
upvoted 1 times
  Oz 6 months, 4 weeks ago

I
think the right solution for this task is creating a blob (container) and not
the file share. Here what Microsoft says about purpose of blob storage: "it’s
ideal for streaming and storing media" Ref:
https://azure.microsoft.com/en-us/services/storage/blobs/ Blob storage supports
SAS (session access signature) for HTTPS or combined HTTPS\HTTP access. It can
be changed from storage account Settings \ Shared access signatures.
upvoted 24 times
  gurby 5 months, 2 weeks ago

secure
transfer needs to be enabled on the storage account to enforce HTTPS.
upvoted 1 times

I
tested with both File share and Blob (Container). Both worked. Though I
personally think Blob is a better solution as it is recommended for media
files.
upvoted 1 times
  sigma 5 months, 1 week ago

I'd
go with the Blob container as question specifically mentions "media files" which
is aligned to the Microsoft documentation.
upvoted 1 times

media
files >> Blobs Secure Transfer is On by default, so nothing to
change
upvoted 13 times

This
is correct answer.
upvoted 2 times
  Veekee 3 months, 3 weeks ago

Step
3 : On Configuration enable secure transfer required Step 4 : Create a blob
container
upvoted 2 times
  JasonYin 3 months, 2 weeks ago

Key words: Media File: create a Blob container Access
Keys only : to be private container, no need SAS HTTPS : Configuration >
Secure transfer required* > Enabled
upvoted 13 times
  RiteshAg 1 week ago

Perfect Answer, thanks alot.
upvoted 1 times
  Sparty 2 months, 3 weeks ago

Do
you need to upload the media files as Block Blob after creation of the Blob
container because the container will not contain any blob by default after
creation.
upvoted 1 times
  milind8451 4 weeks, 1 day ago

I
think blob storage should be created for media files instead of File Storage.
For 2nd task you needn't to do anything because by default it is HTTPS and there
is a shared key already created under "Access Keys" blade which can be used for
access.
upvoted 1 times

@ExamTopics
people , could you guys please confirm which one is the correct
answer.
upvoted 2 times

Read
my ans above, that is correct. I tested it.
upvoted 1 times

Go
to the storage account, add a new container, select blob because media files
preferred storage is a blob. You don't have to do anything else because HTTPS is
ON by default. You can check by going to SAS and you can see that HTTPS is
ON.
upvoted 4 times

Step1:
Create blob storage for media files instead of File Storage. Step2: You needn't
to do anything because by default it is HTTPS and there is a shared key already
created under "Access Keys" blade which can be used for access. if you are not
sure whether it is HTTPS or not, just check the access url of storage account
and it is HTTPS not HTTP so secured by default. Tested in lab so I verify
it.
upvoted 2 times

SIMULATION -
Overview -
possible by design.
To start the lab -

Another administrator attempts to establish connectivity between two virtual networks named VNET1 and VNET2. The administrator reports that
connections across the virtual networks fail.
You need to ensure that network connections can be established successfully between VNET1 and VNET2 as quickly as possible.

You can connect one VNet to another VNet using either a Virtual network peering, or an Azure VPN Gateway.
To create a virtual network gateway
Step 1: In the portal, on the left side, click +Create a resource and type 'virtual network gateway' in search. Locate Virtual network gateway in
the search return and click the entry. On the Virtual network gateway page, click Create at the bottom of the page to open the Create virtual
network gateway page.
Step 2: On the Create virtual network gateway page, fill in the values for your virtual network gateway.
Name: Name your gateway. This is not the same as naming a gateway subnet. It's the name of the gateway object you are creating.
Gateway type: Select VPN. VPN gateways use the virtual network gateway type VPN.
Virtual network: Choose the virtual network to which you want to add this gateway. Click Virtual network to open the 'Choose a virtual network'
page. Select the
VNet. If you don't see your VNet, make sure the Location field is pointing to the region in which your virtual network is located.
Gateway subnet address range: You will only see this setting if you did not previously create a gateway subnet for your virtual network. If you
previously created a valid gateway subnet, this setting will not appear.
Step 4: Select Create New to create a Gateway subnet.
Step 5: Click Create to begin creating the VPN gateway. The settings are validated and you'll see the "Deploying Virtual network gateway" tile on
the dashboard.
Creating a gateway can take up to 45 minutes. You may need to refresh your portal page to see the completed status.
References:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-vnet-vnet-resource-manager-portal?

Think
we should be using Peering here it's much faster, as Virtual network gateways
can take up to 45 mins to finish set up.
upvoted 13 times
  VK 6 months, 1 week ago
>>The
administrator reports that connections across the virtual networks fail. Is that
the reason why the answer deals with creating virtual network gateway instead of
simple vnet peering?
upvoted 1 times
  sigma 5 months, 1 week ago

Check
both the VNETs. If both are in same subscription (assuming it would be in the
lab), then VNET peering is the right choice.
upvoted 1 times

VNET
peering can be between 2 VNETS in 2 different subscriptions
upvoted 4 times
  Mathai 2 months ago

Ekramy
is right.. Please see this for more information
https://azure.microsoft.com/en-us/blog/vnet-peering-and-vpn-gateways/
upvoted 1 times
  Sun_mon 1 week, 3 days ago

Is
the correct answer peering for this question or we have to create Virtual
network gatway
upvoted 1 times
  Benkyoujin 5 months ago

Mentions
quickly so means VNET. Could also be a scenario where an existed peering is
disconnected or something so you’ll have to delete and recreate.
upvoted 5 times

Got
it in my 103, one of the peering connection disabled, just enabled.
upvoted 14 times

Nowaday,
you cann't enable/disable peering connection in Portal. Only I can see "delete"
option. Maybe, other case, it would be that configuration option of "Allow
forwarded traffic from Vnet01 to Vnet02", it was "Disabled". Then, we need
review both peering and check that it is Enable to can send traffic between both
vnets.
upvoted 1 times

Allow
forwarded traffic doesn't make sense if you have two vnets, it makes sense if
you have more.
upvoted 1 times
  maniaX 2 months, 1 week ago

Allow
forwarded trafic makes sence only if you have more vnets which have no peering
between them but you have peering just with vnet where virtual network appliance
(VNA) is located. Then if you enable this feature traffic will flow over vnet
with VNA to others vnet, so you are able to connect them without
peering.
upvoted 2 times
  pola22 3 months, 2 weeks ago

@karls
We have an option to disable/enable peering at Configuration --> Configure
virtual network access settings --> disable/enable
upvoted 2 times

The
setting you mentioned does not disable/enable peering - it actually
disables/enables communication between the two virtual networks, but it does not
impact on the "Peering status"
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-manage-peering
upvoted 1 times
  riyamalin 1 month, 1 week ago

agree
with Andy001
upvoted 1 times
  turtle666 3 months ago

https://docs.microsoft.com/en-us/azure/virtual-network/tutorial-connect-virtual-networks-portal#peer-virtual-networks
upvoted 1 times

If
the vnets were created through the classic deployment method, peering is not
possible, you must create a VPN. I guess that is what is happening here. "A
virtual network peering cannot be created between two virtual networks deployed
through the classic deployment model. If you need to connect virtual networks
that were both created through the classic deployment model, you can use an
Azure VPN Gateway to connect the virtual networks."
upvoted 1 times
  PS36363 2 months, 1 week ago

Assuming
we take the route of creating Virtual Network Gateways, wouldn't we need to
create two seperate Gateways one for VNET1 and One for VNET2. Then we need to go
to connections to enable connection between VNET1->VNET2 and VNET2->VNET1.
The solution mentioned does not include these steps. Please let me know if I am
missing something here.
upvoted 1 times

Yes.
You need to add a connection on both vnet gateways to other gateway to complete
the process. I am not sure how we can do that in the exam though? Wait 45
minutes for the deployment to complete? I would try vnet peering first before
the gateway option, tbh.
upvoted 2 times

The
best option is to go to the vnets and see if there is a peering. If there is a
peering, check if something is disabled or something and make the change to get
the Peering status to connected. Check on both VNETS. If no peering exists,
create one. The other approach is creating virtual network gateways. This takes
a lot of time to create, and you have to create two of them. If gateway subnets
doesn't exist in the VNETs, you have to go and create those first before
creating Virtual network gateways. After half hour or hour, come back once the
VNG are created, then add connections by going to the VNG and through keys. This
options is very unlikely and not realistic, in my opinion.
upvoted 3 times

SIMULATION -
Overview -
possible by design.
To start the lab -

You plan to configure VM1 to be accessible from the internet.
You need to add a public IP address to the network interface used by VM1.

You can add private and public IP addresses to an Azure network interface by completing the steps that follow.
Step 1: In Azure portal, click More services > type virtual machines in the filter box, and then click Virtual machines.
Step 2: In the Virtual machines pane, click the VM you want to add IP addresses to. Click Network interfaces in the virtual machine pane that
appears, and then select the network interface you want to add the IP addresses to. In the example shown in the following picture, the NIC
named myNIC from the VM named myVM is selected:
Step 3: In the pane that appears for the NIC you selected, click IP configurations.
Step 4: Click Create public IP address.
Step 5: In the Create public IP address pane that appears, enter a Name, select an IP address assignment type, a Subscription, a Resource
group, and a
Location, then click Create, as shown in the following picture:
References:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-multiple-ip-addresses-portal
  BenDova 3 weeks, 2 days ago

I
would leave the default setting for ip address assignment which i think is
dynamic.
upvoted 1 times

Go
to the VM, Networking, Network Interface, IP config, Add IP Config, public IP as
Enabled, then you will see an option IP Address, create new, give assignment as
static and save.
upvoted 3 times

SIMULATION -
Overview -
possible by design.
To start the lab -

You need to allow RDP connections over TCP port 3389 to VM1 from the Internet. The solutions must prevent connections from the Internet over
all other TCP ports.

Step 1: Create a new network security group
Step 2: Select your new network security group.
Step 3: Select Inbound security rules. Under Add inbound security rule, enter the following
Destination: Select Network security group, and then select the security group you created previously.
Destination port ranges: 3389 -
Protocol: Select TCP -

References:
https://docs.microsoft.com/en-us/azure/virtual-network/tutorial-filter-network-traffic

Step
4: Now you have to connect your rules with the network interface or a subnet. In
your NSG got to Settings, Network Interfaces, + Associate (or Settings, Subnets,
+ Associate) and choose the right NIC (or subnet)
upvoted 5 times
  RRRN 4 months, 1 week ago

why
new NSG require to be created. cant the rule be added in already assigned NSG
inbound security rule
upvoted 9 times
  atulk 3 months, 2 weeks ago

I
agree with RRRN. There is already a default NSG. Should just update
it.
upvoted 5 times
  krals 2 months, 3 weeks ago

yes,
you dont have to create NSG anymore, it has been applied automatically. So the
only thing you have to do is to go to VM and just add an Inbound Rule.
upvoted 3 times

Go
to the VM, Networking, Add inbound Rule, TCP, 3389, Priority >100, Allow,
Give a name and save. Do the same thing for Deny, TCP, All, 101, Give a name and
Save.
upvoted 2 times
HOTSPOT -
You plan to deploy 20 Azure virtual machines by using an Azure Resource Manager template. The virtual machines will run the latest version of
Windows Server
2016 Datacenter by using an Azure Marketplace image.
You need to complete the storageprofile section of the template.
How should you complete the storageProfile section? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
"¦
"storageProfile": {
"imageReference": {
"publisher": "MicrosoftWindowsServer",
"offer": "WindowsServer",
"sku": "2016-Datacenter",
"version": "latest"
},
"¦
References:
https://docs.microsoft.com/en-us/rest/api/compute/virtualmachines/createorupdate
  Protonenpaule 2 months ago

https://docs.microsoft.com/en-us/azure/virtual-machines/windows/cli-ps-findimage#table-of-commonly-used-windows-images
upvoted 2 times
You have an Azure tenant that contains two subscriptions named Subscription1 and Subscription2.
In Subscription1, you deploy a virtual machine named Server1 that runs Windows Server 2016. Server1 uses managed disks.
You need to move Server1 to Subscription2. The solution must minimize administration effort.
A. Create a new virtual machine in Subscription2
B. In Subscription2, create a copy of the virtual disk
C. Create a snapshot of the virtual disk
D. From Azure PowerShell, run the Move-AzureRmResource cmdlet
Correct Answer: D
To move existing resources to another resource group or subscription, use the Move-AzureRmResource cmdlet.
References:
https://docs.microsoft.com/en-in/azure/azure-resource-manager/resource-group-move-resources#move-resources
  sasi 6 months, 1 week ago

A.
In subscription 2 create a copy of the disk
upvoted 1 times

it
is B
upvoted 2 times
  dumpmaster 5 months, 4 weeks ago

It's
D:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/move-vm#use-the-azure-portal-to-move-a-vm-to-a-different-subscription
upvoted 14 times

Move-AzureRmResource
Moves a resource to a different resource group or subscription.
upvoted 3 times

D
is corect
upvoted 3 times

D
is correct. The Move-AzureRmResource cmdlet moves existing resources to a
different resource group. That resource group can be in a different
subscription.
https://docs.microsoft.com/en-us/powershell/module/azurerm.resources/move-azurermresource?view=azurermps-6.13.0
upvoted 7 times

Should
be D.
upvoted 3 times
  mohamadakl 2 days, 15 hours ago

Managed
Disks in Availability Zones can't be moved to a different subscription. B.Create
a copy of of the disk
https://docs.microsoft.com/en-in/azure/azure-resource-manager/management/move-limitations/virtual-machines-move-limitations
upvoted 1 times
  MukeshKhamparia 1 day, 16 hours ago

D.
From Azure PowerShell, run the Move-AzureRmResource cmdlet
https://docs.microsoft.com/en-us/powershell/module/azurerm.resources/move-azurermresource?view=azurermps-6.13.0
upvoted 1 times

You have an on-premises virtual machine named VM1. The settings for VM1 are shown in the exhibit. (Click the Exhibit tab.)
You need to ensure that you can use the disks attached to VM1 as a template for Azure virtual machines.
What should you modify on VM1?
A. the processor
B. the memory
C. Integration Services
D. the hard drive
E. the network adapters
Correct Answer: D
From the exhibit we see that the disk is in the VHDX format.
Before you upload a Windows virtual machines (VM) from on-premises to Microsoft Azure, you must prepare the virtual hard disk (VHD or
VHDX). Azure supports only generation 1 VMs that are in the VHD file format and have a fixed sized disk. The maximum size allowed for the
VHD is 1,023 GB. You can convert a generation 1 VM from the VHDX file system to VHD and from a dynamically expanding disk to fixed-sized.
References:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/prepare-for-upload-vhd-image?toc=azure virtual-machines windows
toc.json

this
question is obsolete, Azure now supports both Gen1(vhd) and Gen2(vhdx) disk
formats
upvoted 1 times

Wrong,
Azure supports only VHD format. please check
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/prepare-for-upload-vhd-image
Before you upload a Windows virtual machine (VM) from on-premises to Azure, you
must prepare the virtual hard disk (VHD or VHDX). Azure supports both generation
1 and generation 2 VMs that are in VHD file format and that have a fixed-size
disk. The maximum size allowed for the VHD is 1,023 GB.
upvoted 7 times

Yes
you are right.
upvoted 1 times

Azure
doesn't support .VHDX but it convert for you when you migrate to Azure so the
answer is correct
upvoted 2 times

D
is correct
upvoted 1 times

You have an Azure policy as shown in the following exhibit.
What is the effect of the policy?
A. You can create Azure SQL servers in any resource group within Subscription 1.
B. You can create Azure SQL servers in ContosoRG1 only.
C. You are prevented from creating Azure SQL Servers in ContosoRG1 only.
D. You are prevented from creating Azure SQL servers anywhere in Subscription 1.
Correct Answer: B
You are prevented from creating Azure SQL servers anywhere in Subscription 1 with the exception of ContosoRG1

C.
You are prevented from creating Azure SQL Servers in ContosoRG1 only.> This
is not B :-)
upvoted 1 times

My
mistake, B is right ...
upvoted 9 times

:D
:D :D :D :D :D
upvoted 1 times

B
is correct
upvoted 5 times
  Ahmed911 2 months ago
So tricky
question :)
upvoted 3 times

Exclusion
word is the key here, not sure if Microsoft still ask such questions.
upvoted 1 times
  timguy 1 week, 3 days ago

B
- Policy is aobut to "Not allowed resource types: the servers". :-( no right
to deploy. Ahh but wait - policy does not count for our ContosoRG1 because of
the EXCLUSION. Only we are allowed. So B
upvoted 1 times
DRAG DROP -
You have an Azure subscription that is used by four departments in your company. The subscription contains 10 resource groups. Each
department uses resources in several resource groups.
You need to send a report to the finance department. The report must detail the costs for each department.
Select and Place:
Correct Answer:
Box 1: Assign a tag to each resource.

You apply tags to your Azure resources giving metadata to logically organize them into a taxonomy. After you apply tags, you can retrieve all the
resources in your subscription with that tag name and value. Each resource or resource group can have a maximum of 15 tag name/value pairs.
Tags applied to the resource group are not inherited by the resources in that resource group.
Box 2: From the Cost analysis blade, filter the view by tag
After you get your services running, regularly check how much they're costing you. You can see the current spend and burn rate in Azure portal.
1. Visit the Subscriptions blade in Azure portal and select a subscription.
1. You should see the cost breakdown and burn rate in the popup blade.
2. Click Cost analysis in the list to the left to see the cost breakdown by resource. Wait 24 hours after you add a service for the data to
populate.
3. You can filter by different properties like tags, resource group, and timespan. Click Apply to confirm the filters and Download if you want to
export the view to a
Comma-Separated Values (.csv) file.
Box 3: Download the usage report
References:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags https://docs.microsoft.com/en-
us/azure/billing/billing-getting-started
  RRRN 4 months, 1 week ago

adding
tag to resource group is not enough?
upvoted 2 times

Each
department uses resources in several resource groups. so need to tag each
resource
upvoted 6 times

fdd comment is right
upvoted 1 times
  fda 3 months, 4 weeks ago

Tags
applied to the resource group are not inherited by the resources in that
resource group
upvoted 8 times
You have an Azure subscription that contains a resource group named RG1. RG1 contains 100 virtual machines.
Your company has three cost centers named Manufacturing, Sales, and Finance.
You need to associate each virtual machine to a specific cost center.
What should you do?
A. Add an extension to the virtual machines
B. Modify the inventory settings of the virtual machine
C. Assign tags to the virtual machines
D. Configure locks for the virtual machine
Correct Answer: C
References:
https://docs.microsoft.com/en-us/azure/billing/billing-getting-started https://docs.microsoft.com/en-us/azure/azure-resource-
manager/resource-group-using-tags

Correct
upvoted 2 times
HOTSPOT -
Your company has a virtualization environment that contains the virtualization hosts shown in the following table.
The virtual machines are configured as shown in the following table.
All the virtual machines use basic disks. VM1 is protected by using BitLocker Drive Encryption (BitLocker).
You plan to migrate the virtual machines to Azure by using Azure Site Recovery.
You need to identify which virtual machines can be migrated.
Which virtual machines should you identify for each server? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Incorrect Answers:
VM1 cannot be migrates as it has BitLocker enabled.
VM2 cannot be migrates as the OS disk on VM2 is larger than 2TB.
VMC cannot be migrates as the Data disk on VMC is larger than 4TB.
References:
https://docs.microsoft.com/en-us/azure/site-recovery/hyper-v-azure-support-matrix#azure-vm-requirements

May
this is an old question, but you can use Azure Site Recovery for large disk (up
to 8 TB):
https://azure.microsoft.com/en-us/updates/site-recovery-large-disks-8tb/
upvoted 5 times
  Adrian1405 5 months, 2 weeks ago

VMC
server is Generation 2, which is not supported for migration.
upvoted 2 times

According
to what I read here it IS suporten
https://docs.microsoft.com/en-us/azure/site-recovery/hyper-v-azure-common-questions
upvoted 4 times

https://docs.microsoft.com/en-us/azure/site-recovery/vmware-physical-azure-support-matrix#azure-vm-requirements
OS disk size Up to 2,048 GB. Data disk size Up to 8,192 GB when
replicating to managed disk (9.26 version +)
Up to 4,095 GB when replicating to storage account
upvoted 5 times

for
Hyper-V,
OS disk size Up to 2,048 GB for generation 1 VMs.
Up to 300 GB for generation 2 VMs. Data disk VHD
size Up to 4,095 GB
upvoted 7 times
  mmo 3 months, 2 weeks ago

8
TB only Physical servers ! here we talk about Hyper-V and VMware
upvoted 1 times

Correction
VMware is supported only Hyper-V not for 8 TB
upvoted 1 times

The
answer provided is correct - VM3, VMA, and VMB can be migrated only
https://docs.microsoft.com/en-us/azure/site-recovery/vmware-physical-azure-support-matrix
https://docs.microsoft.com/en-us/azure/site-recovery/hyper-v-azure-support-matrix
upvoted 5 times
  Shiven 2 months, 4 weeks ago

VMware:
Operating system disk size Up to 2,048 GB. Data disk size Up to 8,192 GB when
replicating to managed disk (9.26 version onwards) Up to 4,095 GB when
replicating to storage account Hyper-V: Operating system disk size Up to 2,048
GB for generation 1 VMs. Up to 300 GB for generation 2 VMs. Data disk VHD
size Up to 4,095 GB
upvoted 3 times
  bigbob22 2 weeks, 3 days ago

Sorry, why could VM1 be migrated to AZURE ?
upvoted 1 times
  bigbob22 1 week, 6 days ago

Oh, check the questions again! vm1 with bitlocker. so
only vm3.
upvoted 1 times
HOTSPOT -
You have an Azure subscription that contains multiple resource groups. You create an availability set as shown in the following exhibit.
You deploy 10 virtual machines to AS1.

Hot Area:
Correct Answer:
Box 1: 6 -
Two out of three update domains would be available, each with at least 3 VMs.
An update domain is a group of VMs and underlying physical hardware that can be rebooted at the same time.
As you create VMs within an availability set, the Azure platform automatically distributes your VMs across these update domains. This
approach ensures that at least one instance of your application always remains running as the Azure platform undergoes periodic maintenance.
Box 2: the West Europe region and the RG1 resource group
References:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/regions-and-availability

same
region, any resource group won't support for AS? Could not find any where
specifically.
upvoted 1 times
  vishg 4 months, 3 weeks ago

Only
support same region same RG
upvoted 3 times

New
VM must be add in same RG. Box 2 is correct.
https://social.technet.microsoft.com/wiki/contents/articles/51828.azure-vms-availability-sets-and-availability-zones.aspx
upvoted 1 times
  N3v3rmann 3 months, 3 weeks ago

"Two
out of three update domains would be available, each with at least 3 VMs." I
think we will have within the planned maintenance 2*2 =4 vms? We have 3 Update
Domains and 2 Fault Domain within the maintenance we have 2 Update Domains with
2 Fault Domains ?? Some ideads?
upvoted 1 times

I
think maintanance is an update domain so one update domain is down. the rest two
will have (10 vms/3 update domains)*2 active update domains = 6.66. Either 6 or
7 but the question is "at least" so 6.
upvoted 7 times
You have an Azure subscription that contains two storage accounts named storagecontoso1 and storagecontoso2. Each storage account contains
a queue service, a table service, and a blob service.
You develop two apps named App1 and App2. You need to configure the apps to store different types of data to all the storage services on both
the storage accounts.
How many endpoints should you configure for each app?
A. 2
B. 3
C. 6
D. 12
Correct Answer: A
Each app needs a service endpoint in each Storage Account.
References:
https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security

The
question as it is fomulated here is ambiguous. Service Endpoints exist to allow
you to communicate directly from a vNet to a number of Azure public services.
Creating a service endpoint in a vNet allows you to communicate privately with
the relevant Azure service (a storage account for example). The service endpoint
provides a secure and fast route between your vNet and the Azure service.
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview
Answer 2 is under the following assumptions. 1) Applications App1 and App2
reside in its own subnet/VNET (this is not stated in the question) 2) Each VNET
has Microsoft.storage endpoint enabled. (this will make 2 the correct answer) 3)
Each storage account is configured with the firewall to allow traffic for 2
VNETs\subnet only
upvoted 1 times

Because
it only referes to endpoints, not to service endpoints, it refers to the URLs
that you need to configure in the app, which is 3 x 2 = 6. The right answer is
C
upvoted 2 times
  piotr 6 months, 1 week ago

A
is wrong, answer is C. Two storage accounts, each with 3 services (blob, file,
table). Each app need to connect to all services on each account so total number
is 6. "You need a separate private endpoint for each storage service in a
storage account that you need to access, namely Blobs, Data Lake Storage Gen2,
Files, Queues, Tables, or Static Websites."
https://docs.microsoft.com/en-us/azure/storage/common/storage-private-endpoints
upvoted 6 times
  MarcoZ 5 months, 3 weeks ago

The
question doesn't say anything about secure access, so private endpoints is not
requested as part of the solutions. Based on the lack of information in the
question, the answer should be 2 (A).
upvoted 1 times
  chris46 5 months, 1 week ago
But
if its not an Endpoint then its just a public connection. The questions ask for
endpoints.
upvoted 1 times

Each
Storage account service has its own endpoint:
https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview#storage-account-endpoints
So i would say that C is the correct answer.
upvoted 4 times

The
combination of the unique account name and the Azure Storage service endpoint
forms the endpoints for your storage account. For example, if your storage
account is named mystorageaccount, then the default endpoints for that account
are: Blob storage: http://mystorageaccount.blob.core.windows.net Table
storage: http://mystorageaccount.table.core.windows.net Queue storage:
http://mystorageaccount.queue.core.windows.net Azure Files:
http://mystorageaccount.file.core.windows.net Based on that, you will need 6
endpoints as we have 2 different storage accounts, and each has 3 storage types.
So correct answer is : C
upvoted 17 times
  SJAz300 4 months ago

Answer
is D - 12 1 sets for 2 storage acc 1.Blob storage:
http://mystorageaccount.blob.core.windows.net 2.Table storage:
http://mystorageaccount.table.core.windows.net 3.Queue storage:
http://mystorageaccount.queue.core.windows.net 4.Azure Files:
http://mystorageaccount.file.core.windows.net 5.Data Lake Storage 6.Static
website
upvoted 1 times

I
don't see azure files, data loake and static website here ". Each storage
account contains a queue service, a table service, and a blob service.", do
you?
upvoted 1 times
  Daren 2 months ago

Ok
the File endpoint I can understand, even though they do not mention it. But how
come did you think about the dfs endpoint & static website? Those are
"features" that have to be enabled before you can use those endpoints.
upvoted 1 times
  Jt909 2 months, 1 week ago

From
an app perspective if we use only 2 endpoints where the data will go? Randomly
on tables or queues? I think that 6 endpoints are needed to correctly map the
destinations.https://docs.microsoft.com/en-us/azure/storage/common/storage-configure-connection-string
upvoted 1 times

The
questions seems pretty clear to me (except that you may think of the File
service as they say "all storage services" ) but since the question does not
mention File service, I would not consider it. Not sure why would anyone think
of service endpoints which is a completely different thing ?!?!? So the answer
is 6: 1 endpoint for each storage service (blob,table,queue) for each
account.
upvoted 1 times

C
is correct
upvoted 1 times
  Allon 1 month, 1 week ago

The
question states 'for each app'. That would be 3, one for storage, one for blob
and one for table. Not 6 as it is requesting per app.
upvoted 2 times
  Allon 1 month, 1 week ago

and
then twice (for each storage account) makes the total 6.
upvoted 1 times
  BigTone 1 month ago

I
believe the answer is 3 Endpoint. The question asks how many endpoints per app,
not total number of endpoints. These are endpoints in the app, not storage
account endpoints 3 endpoints per app - 1 for table storage, 1 for queue storage
and 1 for blob storage
upvoted 4 times

There
are two storage accounts. so three end points for one storage account and three
for the other. so 6 is correct.
upvoted 1 times
  Mvii 4 weeks ago

It's
2 as you need only 1 for the whole storage account.
https://github.com/Azure/azure-sdk-for-net/blob/5e30a0ca3873d54a310924925e35043dd9f3b6a0/sdk/storage/Azure.Storage.Blobs/README.md
https://github.com/Azure/azure-sdk-for-
net/blob/44e3a885d76ef753b2dd7bb177639c036c585617/sdk/storage/Azure.Storage.Queues/README.md
upvoted 1 times

each
storage service require its own endpoint, like blob.core.windows.net and
.file.core.windows.net, .table.core.windows.ney. each one has secondary endpoint
too. My answer will 12
upvoted 1 times

2
is right ans as when you enable private endpoint you get 1 endpoint for whole
storage acconut not its subunits (blob, file, table, queue). So 2 endpoints for
each app and "A" is right answer. I checked in lab.
upvoted 2 times
HOTSPOT -
You have a virtualization environment that contains the virtualization servers in the following table.
The virtual machines are configured as shown in the following table.

All the virtual machines use basic disks. VM1 is protected by using BitLocker Drive Encryption (BitLocker).
You plan to use Azure Site Recovery to migrate the virtual machines to Azure.
Which virtual machines can you migrate? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Incorrect Answers:
VM1 cannot be migrates as it has BitLocker enabled.
VM2 cannot be migrates as the OS disk on VM2 is larger than 2TB.
VMC cannot be migrates as the Data disk on VMC is larger than 4TB.
References:

Same
as Question53
https://azure.microsoft.com/en-us/updates/site-recovery-large-disks-8tb/
upvoted 2 times

Just
to clarify, data disks up to 8TB are only supported for VM Ware, not for
Hyper-V. Hyper-V is still limited to 4TB.
upvoted 2 times

So,
from Server1 only VM3 and from Server2 VMA,VMB and VMC
upvoted 8 times
  ChePunk 2 months, 2 weeks ago

@Cern77
This is not the same as Question 53, because the table 1 is different. But, I
think the answer is correct though.
upvoted 1 times
  vik291 2 months, 1 week ago

Server
2 must be VMA, VMB and VMC, considering 8TB is allowed for VmWare.
upvoted 7 times

That`s
true. But I`m not sure if this is something they added only recently (support
for 8TB data disk VMware).
upvoted 3 times

SIMULATION -
Overview -
possible by design.
To start the lab -

You plan to migrate a large amount of corporate data to Azure Storage and to back up files stored on old hardware to Azure Storage.
You need to create a storage account named corpdata8548984n1, in the corpdatalod8548984 resource group. The solution must meet the
following requirements:
- corpdata8548984n1 must be able to host the virtual disk files for Azure virtual machines
- The cost of accessing the files must be minimized
- Replication costs must be minimized

Step 1: In the Azure portal, click All services. In the list of resources, type Storage Accounts. As you begin typing, the list filters based on your
input. Select
Storage Accounts.
Step 2: On the Storage Accounts window that appears, choose Add.
Step 3: Select the subscription in which to create the storage account.
Step 4: Under the Resource group field, select corpdatalod8548984.
Step 5: Enter a name for your storage account: corpdata8548984n1
Step 6: For Account kind select: General-purpose v2 accounts (recommended for most scenarios)
General-purpose v2 accounts is recommended for most scenarios. General-purpose v2 accounts deliver the lowest per-gigabyte capacity prices
for Azure
Storage, as well as industry-competitive transaction prices.
Step 7: For replication select: Read-access geo-redundant storage (RA-GRS)
Read-access geo-redundant storage (RA-GRS) maximizes availability for your storage account. RA-GRS provides read-only access to the data in
the secondary location, in addition to geo-replication across two regions.
References:
https://docs.microsoft.com/en-us/azure/storage/common/storage-quickstart-create-account https://docs.microsoft.com/en-
us/azure/storage/common/storage-account-overview

The
requirement is "Replication cost should be minimized" It means that data
redundancy should be set to LRS not RA-GRS. RA-GRS cost is the
highest.
upvoted 31 times

I
believe access tier should be selected as cool to reduce cost as access to
backup files will be categorized with infrequent access.
upvoted 6 times
  Sategi 5 months, 3 weeks ago

requirement:
The cost of accessing the files must be minimized accessing "cool access tier"
is more expensive therefore i suppose correct answer is HOT access tier storage
Data in the cool access tier can tolerate slightly lower availability, but
still requires high durability, retrieval latency, and throughput
characteristics similar to hot data. For cool data, a slightly lower
availability service-level agreement (SLA) and higher access costs compared to
hot data are acceptable trade-offs for lower storage costs. from:
https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-storage-tiers
upvoted 8 times

Access
data cost should be minimize. Cannot select cold
upvoted 5 times

you mean cool :-) and should be Hot
upvoted 1 times
  Tom_A 5 months, 1 week ago

Wouldn’t
storage account general-purpose v1 be the cheapest option in terms of the
replication charges and access (cheaper storage transactions)
upvoted 1 times

Technically
yes, but MS is trying to depreciate it. So not a valid strategy.
upvoted 2 times

-
corpdata8548984n1 host the virtual disk files >>> BLOB (I would choose
V2) - The cost of accessing the files must be minimized >>> HOT -
Replication costs must be minimized >>> LRS
upvoted 12 times
  GSH 2 weeks, 3 days ago

You
got it, same as 2 other prep sites...and this site's AZ:103 test
answer...
upvoted 1 times
  NeerajKS 3 months, 1 week ago

The ask is simple and straight forward 1. Replication
cost should be minimized - For this we should choose LRS and not RA-GRS 2. he
cost of accessing the files must be minimized - This is possible when the access
tier is set to Cool Tier.
upvoted 1 times
  Myk 2 months, 4 weeks ago

For
your 2nd answer i think it should also be hot not cool as hot tiers are cheaper
to "access" than cool ones.
https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-storage-tiers?tabs=azure-portal
Data access costs: Data access charges increase as the tier gets cooler. For
data in the cool and archive access tier, you're charged a per-gigabyte data
access charge for reads.
upvoted 3 times

The
question asks : the cost of accessing should be minimized in this case the tier
would be hot. Cool would be the case when it is asked that "Cost of storing the
data should be minimized"
upvoted 3 times

Bloob
+ LRS + COOL
upvoted 2 times

delete
upvoted 1 times

create
a storage account with GPv2 (allows blob storage), LRS (to save costs), hot
tier.That's it.
upvoted 3 times

Agree
it should be LRS - not RA-GRS. No mention of requirements for cross region
replication and this will drive up costs also.
upvoted 1 times
SIMULATION -
Overview -
possible by design.
To start the lab -

You plan to move backup files and documents from an on-premises Windows file server to Azure Storage. The backup files will be stored as blobs.
You need to create a storage account named corpdata8548984n2. The solution must meet the following requirements:
- Ensure that the documents are accessible via drive mappings from Azure virtual machines that run Windows Server 2016
- Provide the highest possible redundancy for the documents
- Minimize storage access costs

Step 1: In the Azure portal, click All services. In the list of resources, type Storage Accounts. As you begin typing, the list filters based on your
input. Select
Storage Accounts.
Step 2: On the Storage Accounts window that appears, choose Add.
Step 3: Select the subscription in which to create the storage account.
Step 4: Under the Resource group field, select Create New. Create a new Resource
Step 5: Enter a name for your storage account: corpdata8548984n2
Step 6: For Account kind select: General-purpose v2 accounts (recommended for most scenarios)
General-purpose v2 accounts is recommended for most scenarios. General-purpose v2 accounts deliver the lowest per-gigabyte capacity prices
for Azure
Storage, as well as industry-competitive transaction prices.
Step 7: For replication select: Read-access geo-redundant storage (RA-GRS)
Read-access geo-redundant storage (RA-GRS) maximizes availability for your storage account. RA-GRS provides read-only access to the data in
the secondary location, in addition to geo-replication across two regions.
References:
https://docs.microsoft.com/en-us/azure/storage/common/storage-quickstart-create-account https://docs.microsoft.com/en-
us/azure/storage/common/storage-account-overview
  anji 5 months, 3 weeks ago

To
minimize storage access cost, we should set this to "Cool" instead of
"Hot"
upvoted 8 times

Access
costs in Cool Storage are higher than in Hot.
https://azure.microsoft.com/en-us/pricing/calculator/?service=storage
upvoted 19 times

"Ensure
that the documents are accessible via drive mappings from Azure virtual machines
that run Windows Server 2016". This seems to be missing in solution. So, we need
to create a File Share as well.
upvoted 7 times

Nope,
we have 3 types of storage accounts: 1- GPV2: supports all types including File
shares 2- GPV1: supports all types including File shares [ but it is not
recommended anymore ] 3- Blob: supports blobs only [ don't support File shares ]
so this statement is mentioned in order to direct you to the GPV2 choice
:)
upvoted 6 times

Should
also be GRS and not RA-GRS, right. Says to minimise costs and maximise
redundancy, RA-GRS doesn’t increase redundancy over GRS but is more
costly.
upvoted 10 times

Create
Sotrage account with the following specs: 1- Drive mappings from Azure virtual
machines ( So: GPV2 ) 2- Minimize storage access costs (So: Hot access tier )
3- Provide the highest possible redundancy for the documents ( So: GRS
)
upvoted 22 times

-Minimize
storage access costs: Hot tier has expensive storage cost and cheaper access
cost whereas cold tier has expensive access cost and cheaper storage cost so I
need t to choose cold tier for storage
upvoted 2 times
  Russel 1 month, 2 weeks ago

For
highest redundancy RA-GRS will be required as in GRS manual failover will be
required.Where in RA-GRS automatically document will be available from secondary
region if main region fail.
upvoted 1 times

for
minimizing storage cost the best option is Cool access tier; Host access tier
actually provides a high storage cost with a lower cost of accessing
data
upvoted 1 times

a7ebak wenta betgeeb men el akher :)
upvoted 1 times

Correct
anwer is "Cool" because Data storage prices Hot is more expensive than Cool, but
Hot is more expensive in Operations and data transfer prices than cool.
https://www.apptio.com/emerge/essential-guide-azure-blob-storage-pricing/
upvoted 1 times
  N3v3rmann 3 months, 1 week ago

Correct
Answer is "HOT" you have to differ between storage and access cost. The storage
cost are higher in hot but the access costs are lower. (Compared to "cool"). The
question asks for the access not storage. But we have to ensure that the files
should be accessd by drive mappings, so i think we have to create a file share,
too? No one?
upvoted 8 times
  dfrye 3 months, 1 week ago

Task
is asking you to create a storage account only, so I believe MS will only check
how did you configure it regardless of what you created in that storage account
later.
upvoted 2 times

The
scenario requires a solution for backups and documents. Blobs storage was
specifically mentioned and I associate them with backups. Blobs haven't been
addressed. I think you have to create both a file share for the documents, and a
container for the backups.
upvoted 2 times

"Microsoft
recommends using GZRS for applications requiring maximum consistency,
durability, and availability, excellent performance, and resilience for disaster
recovery."(https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy)
So I guess the answer is GZRS
upvoted 1 times
  Mokaw 1 month, 1 week ago

Geo-zone-redundant
storage (GZRS) (preview) is still in the preview stage so it is not applicable
to the exam. GRS is the best option so far.
upvoted 2 times
  TYT 4 weeks ago

Why
not RA-GRS?
upvoted 1 times

Actually,
I read the question again. Create a storage account, GPV2, hot tier and select
GRS. It says minimize costs so you don't have to use RA-GRS. Both performance
are identical.
upvoted 2 times
  huyhoang8344 1 week, 3 days ago

1.GRZ-hot
(v2) 2.Create fileshare
upvoted 1 times
  MukeshKhamparia 16 hours, 53 minutes ago

Create
Sotrage account with the following specs: 1- Drive mappings from Azure virtual
machines ( So: GPV2 ) 2- Minimize storage access costs (So: Hot access tier ) 3-
Provide the highest possible redundancy for the documents ( So: RA_GZRS
)
upvoted 1 times

SIMULATION -
Overview -
possible by design.
To start the lab -

You need to deploy two Azure virtual machines named VM1003a and VM1003b based on an Ubuntu Server image. The deployment must meet the
- Provide a Service Level Agreement (SLA) of 99.95 percent availability
- Use managed disks

Step 1: Open the Azure portal.
Step 2: On the left menu, select All resources. You can sort the resources by Type to easily find your images.
Step 3: Select the image you want to use from the list. The image Overview page opens.
Step 4: Select Create VM from the menu.
Step 5: Enter the virtual machine information. Select VM1003a as the name for the first Virtual machine.The user name and password entered
here will be used to log in to the virtual machine. When complete, select OK. You can create the new VM in an existing resource group, or
choose Create new to create a new resource group to store the VM.
Step 6: Select a size for the VM. To see more sizes, select View all or change the Supported disk type filter.
Step 7: Under Settings, make changes as necessary and select OK.
Step 8: On the summary page, you should see your image name listed as a Private image. Select Ok to start the virtual machine deployment.
Repeat the procedure for the second VM and name it VM1003b.
References:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/create-vm-generalized-managed

Additional
to Step 5: Under Availibility options select Availibility Set (next field you
have to create a new as if not any present), because of the requirement ("-
Provide a Service Level Agreement (SLA) of 99.95 percent availability").
Availibility Set has a SLA of 99.95%. Avalibility zone of 2 even 99.99%. But you
need 99.95% as stated in the requirement.
https://azure.microsoft.com/en-us/support/legal/sla/virtual-machines/v1_8/ Next
tab "Disks" open the advanced drop down menu and ensure that "use managed disks"
is selected to "Yes"
upvoted 30 times

Agree,
availability set should be configured to achieve 99.95% SLA and both VMs should
be in the same availability set. See section "Configure multiple virtual
machines in an availability set for redundancy" from the reference.
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/manage-availability
upvoted 11 times
Go
to Virtual Machines, +New or create, Select Ubuntu Image, Select Size, Create a
new availability set with (2,3 or any domains) to get 99.95% availability. Go
to create a new VM, Ubuntu Image, Add it to the same availability set that you
created above, select size, save.
upvoted 2 times

Once VM created, go to Disk blade and add a managed
disk.
upvoted 1 times
  crossroads 4 days, 10 hours ago

VM
created default with managed disk only
upvoted 1 times
SIMULATION -
Overview -
possible by design.
To start the lab -

You need to deploy an Azure virtual machine named VM1004a based on an Ubuntu Server image, and then to configure VM1004a to meet the
- The virtual machines must contain data disks that can store at least 15 TB of data
- The data disk must be able to provide at least 2,000 IOPS
- Storage costs must be minimized

Step 1: Open the Azure portal.
Step 2: On the left menu, select All resources. You can sort the resources by Type to easily find your images.
Step 3: Select the image you want to use from the list. The image Overview page opens.
Step 4: Select Create VM from the menu.
Step 5: Enter the virtual machine information. Select VM1004a as the name for the first Virtual machine.The user name and password entered
here will be used to log in to the virtual machine. When complete, select OK. You can create the new VM in an existing resource group, or
choose Create new to create a new resource group to store the VM.
Step 6: Select a size for the VM. To see more sizes, select View all or change the Supported disk type filter.To support 15 TB of data you would
need a Premium disk.
Step 7: Under Settings, make changes as necessary and select OK.
Step 8: On the summary page, you should see your image name listed as a Private image. Select Ok to start the virtual machine deployment.
References:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/create-vm-generalized-managed

disk
should be managed. when the size which allows the proper IOPS is selected for
system disk choose standard hdd as there is statement "reduce costs". for 15TB
disk you need to check which disk tipe standard hdd, standard/premium ssd is
>= 2k IOPS (and choose the cheapest)
upvoted 3 times
  cloudnoob19 6 months, 1 week ago

"The
data disk must be able to provide at least 2,000 IOPS" - Standard HDD (S70) has
max IOPS of 2000. Standard SSD (E70) should be chosen
upvoted 12 times
  MaheshBeeravelli 6 months ago

Yes
Stadard SSD must be chosen for IOPS and reduce cost as all types support disk
size 32,767 GiB so there won't be a problem with 15TB.
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/disks-types
upvoted 3 times

I
guess, Standard HDD should be selected instead of SSD. As mahesh mentioned 32767
is supported by standard HDD S80. It has a max of 2000 IOPS
upvoted 2 times

you
mean S70 Standard HDD, it supports up to 16TB
upvoted 5 times

The
Q mention about at least 2000 of IOPS so i would say that Standard HDD is not
the right one since has max. 2000 of IOPS. I would go with Standard
SSD.
upvoted 2 times

If
S70 meets the minimum IOPS, it is the right choice because it’s cheaper than
SSD.
upvoted 1 times

Standard
HDD: up to 1.3K IOPS Standard SSD: up to 2K IOPS Premium SSD: up to 16K IOPS
so in order to minimize the costs and also achieve the 2K IOPS >>
Standard SSD
upvoted 1 times

Update:
numbers changed , so we have the following new limits : Standard HDD: Up to [
32K GiB , 500 MiB/s , 2K IOPS ] Standard SSD: Up to [ 32K GiB , 750 MiB/s , 6K
IOPS ] Premium SSD: Up to [ 32K GiB , 900 MiB/s , 20K IOPS ] Ultra Disk:
Up to [ 65K GiB , 2K MiB/s , 160K IOPS ] Ref:
upvoted 4 times
  VRD13 3 months, 2 weeks ago

Price
of E70 - $1,228.80 Price of P70 - $1,638.40 So E70 drive if it have to be
single! Another solution could be Storage Pool using 2x S60 drives, what will
costs you only 2x $262.14 = $524.28 and give up to 2600 iops (in pool) since
each disk will do 1300 iops.
upvoted 1 times

They
want a "data" disk of 15TB, not an OS disk. Why can't you choose your VM image
and add "Data disks" on the disks tab). I think this is correct. On Disks tab
click on Create and attach a new disk, name your new data disk, assign the size
by clicking "change size" and choose an account type of Standard HDD to minimize
cost, 16384 GiB as the size with Max IOPS of 2000.
upvoted 6 times

1.
Create a VM with Ubuntu image 2. For the O/S disk, use a Standard HDD
(minimizing costs) 3. For the data disk, use a Standard SSD and size of 16384
GiB (E70) as you must provide "at least 2,000 IOPS" and 15TB data. Note: The
Standard HDD provides a max of 2,000 IOPS which doesn't meet the "at least"
requirement. Expand Advanced and ensure that "Use managed disks" is enabled
(should this be disabled to meet minimize costs requirement?)
upvoted 7 times

Standard
SSD sizes E70 Up to 4,000 iops- dated 11/04/2019
upvoted 1 times
  LoveAZ 1 month, 2 weeks ago

for
the VM Size, Can I Use "Standard A1 v2" since it is the cheapest ?
upvoted 1 times

You
should use a disk with at least 2000iops, so the answer is NO, Standard E70
should be the right answer, 16Gb space, 4000IOPS
upvoted 2 times
  satgo 1 month, 1 week ago

Disk
size in GiB. So need to convert to TB. 1 TB = 931.32257461548 GiB, 15 TB =
13969.838619232 GiB.
upvoted 1 times

Go
to the VM, Disks, Add a new disk: We have to select Standard because of costs -
Now: Standard SSD v Standard HDD Both are cost efficient. The closest options
are SSD: E70 ( 4000 IOPS, 16384 GiB close to 15TB), HDD (Max IOPS: 2000, 16384
GiB close to 15TB). Two things to note: HDD is preferred for Dev/Test although
it doesn't say in the question. SSD is preferred to provide consistent
performance at lower costs. The Q says At least 2000 IOPS - so if you select
HDD, you need to go for S80 because of IOPS which might actually increase the
costs, plus you are paying for twice of 15 TB for nothing. IOPS will be ATMOST
2000 - not ideal. The best and close option would be to select SSD - Standard -
E70. IMO.
upvoted 3 times

Standard
SSD E70 should be the right choice
upvoted 1 times
  mohamadakl 2 days, 14 hours ago

To
Minimize the cost Standard HDD : Max IOPS 2,000
upvoted 1 times

SIMULATION -
Overview -
possible by design.
To start the lab -

You plan to create 100 Azure virtual machines on each of the following three virtual networks:
- VNET1005a
- VNET1005b
- VNET1005c
All the network traffic between the three virtual networks will be routed through VNET1005a.
You need to create the virtual networks, and then to ensure that all the Azure virtual machines can connect to other virtual machines by using their
private IP address. The solutions must NOT require any virtual gateways and must minimize the number of peerings.
What should you do from the Azure portal before you configuring IP routing?

Step 1: Click Create a resource in the portal.
Step 2: Enter Virtual network in the Search the Marketplace box at the top of the New pane that appears. Click Virtual network when it appears
in the search results.
Step 3: Select Classic in the Select a deployment model box in the Virtual Network pane that appears, then click Create.
Step 4: Enter the following values on the Create virtual network (classic) pane and then click Create:
Name: VNET1005a -
Address space: 10.0.0.0/16 -
Subnet name: subnet0 -
Resource group: Create new -

Subnet address range: 10.0.0.0/24
Subscription and location: Select your subscription and location.
Step 5: Repeat steps 3-5 for VNET1005b (10.1.0.0/16, 10.1.0.0/24), and for VNET1005c 10.2.0.0/16, 10.2.0.0/24).
References:
https://docs.microsoft.com/en-us/azure/virtual-network/create-virtual-network-classic

This
explanation might be useful:
https://stackoverflow.com/questions/55582611/create-3-vnets-where-all-traffic-is-routed-through-one-vnet-hub-and-spoke
upvoted 1 times

I
have better reference for hub and spoke VNET topology:
https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/hub-spoke?toc=%2fazure%2fvirtual-
network%2ftoc.json
It has more generic topology for hybrid on-premises network with hub and 2
spokes. However, it has setting "allow forwarded traffic" set for all peering
connections to allow traffic flow from spoke to spoke via hub.
upvoted 2 times

not
sure if without GW you are able to achieve this. I was unlucky with allow
forwarded traffic
upvoted 1 times

I’ll
try it
upvoted 1 times

Unlucky
too
upvoted 1 times

Create
a peer set to both other vnets from VNET1005a. Allow Gateway Transit
upvoted 2 times

Peer
with the hub and allow forwarded traffic and add UDRs. No gateway settings as
the question explicitly says no VPN. Right?
upvoted 3 times

The
question said: "before you configuring IP routing" , so it should be as
follows: 1- Create the 3 VNETs ( if not done already ) 2- Create VNet Peering
between VNET1005a & VNET1005b ( 2-way ) 3- on VNET1005b Peering, enable
"Allow forwarded traffic from VNET1005a toVNET1005b" 4- Create VNet Peering
between VNET1005a & VNET1005c ( 2-way ) 5- on VNET1005c Peering, enable
"Allow forwarded traffic from VNET1005a to VNET1005c"
upvoted 45 times

Peerings
are NOT transitive, so I believe we need to create peerings between all vnets.
"solution must minimize the number of peerings" is here just to trick the
student I think
upvoted 2 times
  GreyHawken 3 months, 1 week ago

Don't
think it matters they are not transitive. "All the network traffic between the
three virtual networks will be routed through VNET1005a." C and B should never
need to talk to each other aka no need for peerings between them.
upvoted 5 times
  Strifelife 3 months ago

You
need to create the virtual networks, and then to ensure that all the Azure
virtual machines can connect to other virtual machines by using their private IP
address.
upvoted 1 times

Thank
you Ekramy_Elnaggar! This is the correct answer. According to the requirements,
we should create a classic HUB-and-SPOKE topology with NVA as a router. Since
the question is "What should you do before you configuring IP routing", then all
we need is just to create 3 VNets, configure peering B <-> A <-> C,
and allow forwarded traffic on peerings A->B and A->C
upvoted 7 times
  heftjustice 2 months, 3 weeks ago

This
is not possible via "forwarded traffic" you need NVA for that. Best is to use
VNG for large no of spokes or peer directly if the spokes are less.
upvoted 1 times

I
think we should create 2 peering (from hub to each spoke), Allow forwarded
Traffic on each peering, create a VM in the hub which will act as a router, then
create UDR on each spoke to force the traffic to that VM(router) in
Hub.
upvoted 1 times
  braddo94 2 months ago

question
states 'What should you do from the Azure portal before you configure IP
routing?' so potentially creating the 3 x VNET's is enough?
upvoted 1 times

spoke
and hub topology, create the 3 Vnets, enable peering between spokes and hub and
enable the ip forwarding in the hub, that's all before configuring the IP
forwarding
upvoted 1 times
  azstudent101 1 month, 2 weeks ago

If
you require connectivity between spokes, consider deploying Azure Firewall or an
NVA for routing in the hub, and using UDRs in the spoke to forward traffic to
the hub. The deployment steps below include an optional step that sets up this
configuration. Ref:
https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/hub-spoke
upvoted 1 times

In
my opinion, two peering are enough, just activate the forwarding on both sides
"Configure forwarded traffic settings= This setting allows forwarded traffic
from one Net to another net"
upvoted 1 times

Deploy
VNET A, B and C. Create Vnet peerings A<->B and B<->C and viceversa.
Allow "Forwarded Traffic" in each peerings.
upvoted 1 times
  TYT 4 weeks ago

You
need to create AB and AC.
upvoted 1 times
  djchinzz 3 weeks, 5 days ago

You're on the right path mate. This all needs to be ARM;
when you peer VNET A and B, all you need to do is select "Allow virtual network
access from VNET A/B = Enabled" for the peering between A and B and B and A.
Then, for the peering between B and A only, select "Allow forwarded traffic from
VNETA = Enabled". You don't need any peering between B and C. Allow forwarded
traffic means that traffic not originating from VNET A (so VNET C) is allowed to
come into VNET B. Repeat the same process between B and C. Then you'll have a
hub and spoke design. Traffic from B will get to C via A. Because you're not
traversing any traffic to ExpressRoute or a VPN or a classic VNET, you don't
need any gateway.
upvoted 1 times

Assumptions:
VNETS already present. 1. Create Peering between A <-> B 2. Make sure to
allow VNET access as enabled A to B and B to A 3. As traffic needs to flow
through A, you have to allow forwarded traffic from A to B. Repeat the same
steps to create peering between A <-> C You don't need any peering between
B <-> C because traffic can flow through A. However, creating a Peering
between B <-> C doesn't harm as far as I know. If the assumption is wrong
that VNETs exist, create three VNETs with non-overlapping addresses and create
subnets.
upvoted 1 times
  Sun_mon 2 weeks, 2 days ago

The
question said: "before you configuring IP routing" , so it should be as follows:
1- Create the 3 VNETs ( if not done already ) 2- Create VNet Peering between
VNET1005a & VNET1005b ( 2-way ) 3- on VNET1005b Peering, enable "Allow
forwarded traffic from VNET1005a toVNET1005b" 4- Create VNet Peering between
VNET1005a & VNET1005c ( 2-way ) 5- on VNET1005c Peering, enable "Allow
forwarded traffic from VNET1005a to VNET1005c"
upvoted 2 times
SIMULATION -
Overview -
possible by design.
To start the lab -

You plan to deploy several Azure virtual machines and to connect them to a virtual network named VNET1007.
You need to ensure that future virtual machines on VNET1007 can register their name in an internal DNS zone named corp8548984.com. The zone
must NOT be hosted on a virtual machine.
What should you do from Azure Cloud Shell?
To complete this task, start Azure Cloud Shell and select PowerShell (Linux), Click Show Advanced settings, and then enter corp8548984n1 in the
Storage account text box and File1 share text box. Click Create storage, and then complete the task.

Step 1: Launch Cloud Shell from the top navigation of the Azure portal.
Step 2: Select PowerShell -
When you start the Azure Cloud Shell for the first time, you will be prompted to create a storage account in order to associate a new Azure File
Share to persist files across sessions.
Step 3: Click Show Advanced settings.
Step 4: Enter corp8548984n1 in the Storage account text box and File1 share text box. Click Create storage.
Step 5: Enter the following command at the powershell command prompt:

New-AzDnsZone -Name "corp8548984.com"
-ResourceGroupName "mycloudshell"
-ZoneType Private
-RegistrationVirtualNetworkId VNET1007
Note: A DNS zone is created by using the New-AzDnsZone cmdlet with a value of Private for the ZoneType parameter.
References:
https://docs.microsoft.com/en-us/azure/dns/private-dns-getstarted-powershell https://docs.microsoft.com/en-us/azure/cloud-
shell/quickstart-powershell https://docs.microsoft.com/en-us/powershell/module/az.dns/new-azdnszone?view=azps-1.5.0
  Isu 5 months, 3 weeks ago

I
guess "-RegistrationVirtualNetworkId" switch should be replaced by
"-ResolutionVirtualNetworkId"
upvoted 2 times

I
think we should use New-AzPrivateDnsZone - "Private DNS" because of "internal
DNS" is requested. And then link this private DNS to the Vnet.
https://docs.microsoft.com/en-us/azure/dns/private-dns-getstarted-powershell
upvoted 3 times
  Mvii 3 weeks, 3 days ago

Correct.
upvoted 1 times

what
it means by Powershell(Linux) ? Bash ?
upvoted 1 times

Commands
were changed, correct answer should be: 1- Get-AzVirtualNetwork -Name "VNET1007"
>> and Copy the VNET ID 2- New-AzDnsZone -Name "corp8548984.com"
-ResourceGroupName "mycloudshell" -ZoneType Private
-RegistrationVirtualNetworkId
"/subscriptions/fbdcff9e-af3d-43e8-b691-41d0ba60b51d/resourceGroups/mycloudshell/providers/Microsoft.Network/virtualNetworks/vnet1007"
upvoted 5 times

or
easier to do it like this : $vnet = Get-AzVirtualNetwork -Name "VNET1007"
New-AzDnsZone -Name "corp8548984.com" -ResourceGroupName "myCloudShell"
-ZoneType Private -RegistrationVirtualNetworkId $vnet.Id
upvoted 16 times
  Kevin1991 5 months ago

New
updated cmd for creating a Private DNS zone by specifying virtual network IDs
-------------- New-AzDnsZone -Name "corp8548984.com" -ResourceGroupName
"mycloudshell" -ZoneType Private -ResolutionVirtualNetworkId
"/subscriptions/fbdcff9e-af3d-43e8-b691-41d0ba60b51d/resourceGroups/mycloudshell/providers/Microsoft.Network/virtualNetworks/vnet1007"
-------------
https://docs.microsoft.com/en-us/powershell/module/az.dns/new-azdnszone?view=azps-3.2.0&viewFallbackFrom=azps-1.5.0
upvoted 3 times

As
its mentioned VNET1007 can register their name in an internal DNS zone $vnet =
Get-AzVirtualNetwork -Name "VNET1007" $zone = New-AzPrivateDnsZone -Name
"corp8548984.com" -ResourceGroupName $vnet.ResourceGroupName $link =
New-AzPrivateDnsVirtualNetworkLink -ZoneName corp8548984.com `
-ResourceGroupName $vnet.ResourceGroupName -Name "mylink" ` -VirtualNetworkId
$vnet.id -EnableRegistration
upvoted 6 times

This
work: 1) az network vnet create --name VNET1007 -g RG1 --location eastus
--address-prefixes 10.3.0.0/16 --subnet-name subnet01 --subnet-prefixes
10.3.0.0/24 2) az network vnet list --output table 3) az network private-dns
zone create --name corporxxxx.com -g RG1 4) az network private-dns link vnet
create -g RG1 -n myVnetLink --zone-name corporxxxx.com -v VNET1007 -e 5) az
network private-dns zone list
upvoted 1 times

Private
DNS can be created via GUI now. In the past that wasn't the case. I think this
task is no longer relevant
upvoted 2 times

Oddly
enough. If you try to do the powershell codes above and the Private DNS using
the portal. You get different results. For some reason the powershell codes
create a dns entry in DNS zones while the portal creates a dns entry in the
Private DNS zones. So i wouldnt say that the portal does it the same way as
the powershell codes do.
upvoted 1 times
  qr 2 months, 1 week ago

az
network dns zone create -g <RGName> -n corp8548984.com --zone-type Private
--registration-vnets VNET1007
upvoted 1 times

$ResVirtualNetwork
= Get-AzVirtualNetwork -Name "VNET1005a" -ResourceGroupName "user-hjqgbfnkfrfa"
New-AzDnsZone -Name "corp8548984.com" -ResourceGroupName "user-hjqgbfnkfrfa"
-ZoneType Private -RegistrationVirtualNetworkId $ResVirtualNetwork.id
upvoted 3 times

If
anyone wondering how to remember these commands, just learn to use --help
command in Azure shell. You will get all commands and examples listed.
upvoted 2 times

New-AzPrivateDnsZone -Name "corp8548984.com"
-ResourceGroupName "RG1" - This will do.
upvoted 1 times
  Gjferweb 1 week, 4 days ago

Solution commands being deprecated: New-AzDnsZone:
Creation of private DNS zones using this API is no longer allowed. Please use
privatednszones resource instead of dnszones resource. Refer to
https://aka.ms/privatednsmigration for details.
upvoted 1 times
  keithtemplin 6 days, 19 hours ago

Here
is what I just did in my lab using the new commands: Install-Module -Name
Az.PrivateDns -force $vnet = Get-AzVirtualNetwork -Name VNET1007 $zone =
New-AzPrivateDnsZone -Name az30062.int -ResourceGroupName az-300-62 $link =
New-AzPrivateDnsVirtualNetworkLink -ZoneName az30062.int ` -ResourceGroupName
az-300-62 -Name "az30062.int-link" ` -VirtualNetworkId $vnet.id
-EnableRegistration Install-Module -Name Az.PrivateDns -force $vnet =
Get-AzVirtualNetwork -Name VNET1007 $zone = New-AzPrivateDnsZone -Name
az20062.int -ResourceGroupName az-300-62 $link =
-EnableRegistration
upvoted 1 times

Sorry
Double Pasted, Here arethe commands: Install-Module -Name Az.PrivateDns -force
$vnet = Get-AzVirtualNetwork -Name VNET1007 $zone = New-AzPrivateDnsZone -Name
az30062.int -ResourceGroupName az-300-62 $link =
-EnableRegistration
upvoted 1 times

SIMULATION -
Overview -
possible by design.
To start the lab -

Another administrator reports that she is unable to configure a web app named corplod8548987n3 to prevent all connections from an IP address
of 11.0.0.11.
You need to modify corplod8548987n3 to successfully prevent the connections from the IP address. The solution must minimize Azure-related
costs.

Step 1:
Find and select application corplod8548987n3:
1. In the Azure portal, on the left navigation panel, click Azure Active Directory.
2. In the Azure Active Directory blade, click Enterprise applications.
Step 2:
To add an IP restriction rule to your app, use the menu to open Network>IP Restrictions and click on Configure IP Restrictions
Step 3:
Click Add rule -

You can click on [+] Add to add a new IP restriction rule. Once you add a rule, it will become effective immediately.
Step 4:
Add name, IP address of 11.0.0.11, select Deny, and click Add Rule
References:
https://docs.microsoft.com/en-us/azure/app-service/app-service-ip-restrictions

Step
1. From Azure portal, type App Services. Find web app name and click on it.
Step2. Scroll down to Networking from the menu to the left.
upvoted 5 times

And
... here it is : "prevent all connections from an IP address of 11.0.0.11" Then,
set a deny rule on the correspondent IP ...
upvoted 4 times
Just
to add, when you add 11.0.0.11, it automatically converts it into 11.0.0.11/32
CIDR. Here, 32 means only one IP address.
upvoted 2 times

This
is correct, I did it in lab.
upvoted 1 times

App
> Networking > Access Restrictions > Add Deny rule
upvoted 6 times

Funny
how the graphic now changes from IP restrictions(as shown in the original dump
answer) to Access Restrictions. But yes you are correct that is now the
current graphic.
upvoted 1 times

After
you add the Deny rule for 11.0.0.11 (rule 100), I believe you need to add
another rule to allow all other IP address with a CIDR of 0.0.0.0/0. I made this
second rule with a priority of 110.
upvoted 5 times

Very good point...!
upvoted 3 times

I
don't think it is a firewall with implicit "deny all" rule at the end
upvoted 1 times

https://docs.microsoft.com/en-us/azure/app-service/app-service-ip-restrictions#blocking-a-single-ip-address
upvoted 5 times
  satgo 1 month ago

https://docs.microsoft.com/en-us/azure/app-service/app-service-ip-restrictions#blocking-a-single-ip-address
Need to add 0.0.0.0 AllowAll
upvoted 3 times

Based
on the new changes, you have to go to App Services, Go to the App, Networking,
Access Restrictions: Add a rule to deny traffic from the specific IP address.
You have to explicitly add a new rule to allow the traffic from other address by
adding a "Allow All' rule at 0.0.0.0 as satgo (credits) mentioned (great point).
Because when you add a deny rule, Azure will add one more rule by default with a
priority of a huge number, so you have to add a Allow All rule with less
priority.
upvoted 3 times

Go
to APp service -> Networking -> Access restrictions -> "Add Rule" It
needs IP address block (CIDR), so just mention IP address here, it will itself
convert to 11.0.0.11/32.
upvoted 2 times
SIMULATION -
Overview -
possible by design.
To start the lab -

You need to add a deployment slot named staging to an Azure web app named corplod@lab.LabInstance.Idn4. The solution must meet the
- When new code is deployed to staging, the code must be swapped automatically to the production slot.
- Azure-related costs must be minimized.

Step 1:
Locate and open the corplod@lab.LabInstance.Idn4 web app.
1. In the Azure portal, on the left navigation panel, click Azure Active Directory.
2. In the Azure Active Directory blade, click Enterprise applications.
Step 2:
Open your app's resource blade and Choose the Deployment slots option, then click Add Slot.
Step 3:
In the Add a slot blade, give the slot a name, and select whether to clone app configuration from another existing deployment slot. Click the
check mark to continue.
The first time you add a slot, you only have two choices: clone configuration from the default slot in production or not at all.
References:
https://docs.microsoft.com/en-us/azure/app-service/web-sites-staged-publishing

The
published answer is just part of the solution. There is another requirement to
publish new changes automatically. Here are the steps: 1) From the web apps
blade, open a newly created staging slot 2) Go to Settings section, then
Configuration, then General Settings tab from the menu on top. 3) Scroll down to
Deployment Slot section and change Auto Swap Enabled option to ON. 4) Save
changes.
upvoted 47 times

Thanks
a lot Oz !
upvoted 2 times

Reference:
https://docs.microsoft.com/en-us/azure/app-service/deploy-staging-slots#Auto-Swap
upvoted 5 times

1)
Create Staging slot 2) From Staging slot > Configuration > General
Settings > Auto swap enabled = "On" & Auto swap deployment slot =
"Production"
upvoted 11 times
  tibor21 2 months, 1 week ago

I
don't find Auto Swap
upvoted 1 times

While
creating deployment slot,you have to select "do not clone.. "
upvoted 1 times

DevOps
exam
upvoted 1 times
  PeterWL 2 months, 3 weeks ago

And
we also should change the App Service Plan to Standard(S1) because there is a
requirement as bellow: "Azure-related costs must be minimized"
upvoted 2 times

Go
to the App, Create a staging slot (if it doesn't exist), and go to configuration
and enable Auto Swap with Production. PeterWL brought a good point about costs,
but I am not sure if we want to change the plan because we didn't create the Web
App or the service plan. Costs can be reduced in other ways too, may be it is
just to trick I guess.
upvoted 2 times

SIMULATION -
Overview -
possible by design.
To start the lab -

You plan to deploy an application gateway named appgw1015 to load balance internal IP traffic to the Azure virtual machines connected to
subnet0.
You need to configure a virtual network named VNET1015 to support the planned application gateway.

Step 1:
Click Networking, Virtual Network, and select VNET1015.
Step 2:
Click Subnets, and Click +Add on the VNET1015 - Subnets pane that appears.
Step 3:
On the Subnets page, click +Gateway subnet at the top to open the Add subnet page.
Step 4:
Locate subnet0 and add it.
References:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-portal

you
need to add empty subnet. GW subnet is not supported
upvoted 12 times
  MGW 5 months, 3 weeks ago

The
simulation is: you need to deploy an application gateway (you have to do more
than described in the solution: add an application gateway, search for subnet0
(or create it). SLA 99,5% is provided to each Application Gateway Cloud Service
having two or more medium or larger instances, or deployments capable of
supporting autoscale or zone redundancy
upvoted 3 times
  SomeITGuy 5 months, 1 week ago

I
read this as it is all about connecting VNET1015 with the VNet subnet0 is in. So
either VNet-peering or VPN Gateway. The solution presented plans for VPN Gateway
but VNet-peering might also work. If the networks are in different regions it
might not work since Global VNet peering has some limitations.
https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-faq#can-application-gateway-communicate-with-instances-
outside-of-its-virtual-network-or-outside-of-its-subscription
Question states "... to support the planned application gateway" so this is not
about creating the App Gateway
upvoted 3 times

it
is mentioned "to load balance internal IP traffic to the Azure virtual machines"
>> the question is talking about Web Application Gateway , not Virtual
Network Gateway! Application Gateway:
https://docs.microsoft.com/en-us/azure/application-gateway/overview
upvoted 4 times

So,
you have to create a dedicated Subnet (Application Gateway subnet) as the
application gateway subnet can contain only application gateways. No other
resources are allowed.
upvoted 14 times

Gateway
subnet is NOT supported to deploy application gateway. as per latest docs you
just need to create EMPTY Subnet to deploy application gateway.
upvoted 3 times

https://docs.microsoft.com/en-us/azure/application-gateway/quick-create-portal
upvoted 6 times

backend
server subnet = subnet0
upvoted 4 times

I
think this How-To covers completely what is asked in the question since they ask
to configure an application gateway to load balance internal ip traffic to
virtual machines connected to subnet0. Network that in the How-To is named
myVNet should be named VNET1015 and network named myBackendSubnet should be
named VNET1015 to adapt the How-To to this lab requirements
https://docs.microsoft.com/en-us/azure/application-gateway/configure-application-gateway-with-private-frontend-ip
upvoted 2 times
  supershysherlock 2 months, 3 weeks ago

It's
just asking for an empty subnet to be created. You plan to deploy an application
gateway named appgw1015 to load balance internal IP traffic to the Azure virtual
machines connected to subnet0. Therefore sunbet 0 isn't empty. We need to create
a new empty subnet to support the proposed app gateway.
upvoted 9 times
  heftjustice 2 months, 3 weeks ago

upvoted
answer by Ekramy.
upvoted 1 times
  Derek_O2018 2 months ago

The
name of the application gateway subnet can be any value. Adding a gateway subnet
like shown in the solution will not meet the requirements of the task as it
applies for virtual network gateways. The tutorial link posted by Ekramy
contains the solution.
upvoted 1 times

Far fromthe question, the gateway subnet should be
/27,28,29 to Create a smaller address space for your application gateway subnet
so you're not wasting IP addresses unnecessarily
upvoted 2 times

Ekramy's
link has additional details. You have to create a subnet for App Gateway. if it
already exists, add it to the App Gateway.
upvoted 1 times
  BenDova 2 weeks, 5 days ago

Note:
if you create a subnet called appgateway with /27 cidr, Azure will default to
this subnet when creating the application gateway
upvoted 2 times

Application
Gateway is needed with VNET1015 Backend servers are on VNET0 Peering have to be
deployed between these 02 VNETs FrontEnd IP is private IP (on Aapplication GW
setting
upvoted 1 times
SIMULATION -
Overview -
possible by design.
To start the lab -

You plan to connect a virtual network named VNET1017 to your on-premises network by using both an Azure ExpressRoute and a site-to-site VPN
connection.
You need to prepare the Azure environment for the planned deployment. The solutions must maximize the IP address space available to Azure
virtual machines.
What should you do from the Azure portal before you create the ExpressRoute and the VPN gateway?

We need to create a Gateway subnet
Step 1:
Go to More Services > Virtual Networks
Step 2:
Then click on the VNET1017, and click on subnets. Then click on gateway subnet.
Step 3:
In the next window define the subnet for the gateway and click OK
It is recommended to use /28 or /27 for gateway subnet.

As we want to maximize the IP address space we should use /27.
References:
https://blogs.technet.microsoft.com/canitpro/2017/06/28/step-by-step-configuring-a-site-to-site-vpn-gateway-between-azure-and-on-premise/
  bizie 7 months, 3 weeks ago

why
not a /29
upvoted 1 times

MS
recommends /27 or /28 for the Gateway subnet. Reference:
https://docs.microsoft.com/en-us/azure/expressroute/expressroute-howto-add-gateway-portal-resource-manager
The solution needs to maximize addresses available to VMs, then it should be
/28 for Gateway subnet, i.e. less space for gateways more for VMs.
upvoted 13 times
  Jake__ 6 months, 3 weeks ago

I
think you read the referenced wrong or it changed. MS states to use /27 or
larger (Meaning more IP, and lower cider notation ex: /24 is larger than /27)
Reference:
https://docs.microsoft.com/en-us/azure/expressroute/expressroute-howto-add-gateway-portal-resource-manager
"We recommend creating a gateway subnet with a /27 or larger (/26, /25, etc.).
Then, click OK to save the values and create the gateway subnet."
upvoted 9 times
  FailureIsnotAnOption 3 months ago

THIS
IS CORRECT. SEE URL
upvoted 4 times

The
smallest is /29. Not sure which answer is good one. So, while you can create a
gateway subnet as small as /29, we recommend that you create a gateway subnet of
/27 or larger (/27, /26, /25 etc.). Look at the requirements for the
configuration that you want to create and verify that the gateway subnet you
have will meet those requirements.
https://docs.microsoft.com/pl-pl/azure/vpn-gateway/vpn-gateway-vpn-faq
upvoted 1 times

https://docs.microsoft.com/en-us/azure/expressroute/expressroute-howto-coexist-classic
and they mentioned /27
upvoted 5 times
  megasema 5 months, 1 week ago

You cannot use /27 because if I'm not mistaken Azure
reserves 3 IP's from each subnet. First for Default GW, second two for
DNS.
upvoted 1 times

/27
According to step 3 in the page below: "Important!: The Gateway Subnet must be
/27 or a shorter prefix (such as /26 or /25)."
https://docs.microsoft.com/en-us/azure/expressroute/expressroute-howto-coexist-resource-manager#new
upvoted 2 times

I'll
go with /27 based on this article
upvoted 4 times

Create
Gateway Subnet "GatewaySubnet" with CIDR /27
upvoted 5 times
  kavvaru 4 months ago

The
goal is to maximize address space for the VM's ie, minimize the address space
for the gateway subnet as VM's cannot exist in the gateway subnet. If
recommended is to use /27 or /28 for the gateway subnet, taking into account to
minimize the address range for gateway subnet, you should use /28 as it is even
smaller range than /27 enabling more addresses for the VM if needs be in the
other subnets.
upvoted 6 times
  bolbol 4 months ago

Agreed,
MS says that it's recommended to create the GW Subnet in /27 or /28. so /28 will
maximize the number of IP for VMs:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-portal#VNetGateway
upvoted 6 times

/27
If coexsitng gateways are planned. Source:
https://docs.microsoft.com/en-us/azure/expressroute/expressroute-howto-coexist-resource-manager
upvoted 4 times
  DanielRO 2 months, 2 weeks ago

/28 to maximize the ip address range for vms.
upvoted 1 times
  Russel 2 months, 1 week ago

It
should be /27. The gateway subnet must be /27 or a shorter prefix, (such as /26,
/25), or you will receive an error message when you add the ExpressRoute virtual
network gateway.
upvoted 3 times

To maximize subnet space, it should be /29. "While you
can create a gateway subnet as small as /29, we recommend that you create a
gateway subnet of /27 or larger (/27, /26 etc.) if you have the available
address space to do so. This will accommodate most configurations."
https://docs.microsoft.com/en-us/azure/expressroute/expressroute-about-virtual-network-gateways
upvoted 1 times

I
would say /27 would be more appropriate answer as this is VPN and Express Route
configuration that requires larger address space than most. So /29 would be the
least /27 would the the best given ExpressRoute is in configuration and you want
to maximise VM address space in that scenario.
upvoted 2 times

Agree
with /27. Normally we should use /27 or /28 for the GateWay Subnet. But since
coexistence is planned => MS recommends us to use /27 or a lower prefix such
as /26, /25. Considering that we should maximize the IPs available, we will use
/27.
upvoted 1 times
  Liohei 1 month, 3 weeks ago

The
smallest gateway subnet which can contain BOTH ExpressRoute gateway and VPN
gateway is /27. Only VPN gateway - /29 (not recommended though) Only
ExpressRoute gateway - /28 Both - /27
upvoted 3 times
I
believe /27 is correct, as mentioned in Question, you need to have ExpressRoute
and VPN gateway.
---------------------------------------------------------------------------------------
When you are planning your gateway subnet size, refer to the documentation for
the configuration that you are planning to create. For example, the
ExpressRoute/VPN Gateway coexist configuration requires a larger gateway subnet
than most other configurations. Additionally, you may want to make sure your
gateway subnet contains enough IP addresses to accommodate possible future
additional configurations. While you can create a gateway subnet as small as
/29, we recommend that you create a gateway subnet of /27 or larger (/27, /26
etc.) if you have the available address space to do so. This will accommodate
most configurations.
upvoted 2 times

Specify
a subnet address range in CIDR notation which falls within the virtual network’s
address space: 10.3.0.0/16. If the gateway is an ExpressRoute type and you plan
on creating a VPN gateway to coexist with it, the prefix of the CIDR notation
must be 27 or smaller.
upvoted 1 times

Create
a gateway subnet of /27 or larger (preferred) to work for both.
upvoted 1 times

MS
recommends /27 or larger though /28 and /29 are also possible but not
recommended so will use /27 here.
upvoted 1 times
  Gjferweb 1 week, 3 days ago

the question is some what vague, if you need to maximize
vms address space should be /29, if gtw address space /27. Azure reserve 5 ips
so /29 you get 3 devices, /28 11 and /27 27 devices. /29 is not recommended but
tue question dońt ask for recomendation, it state maximize so /29 could be an
answer. :-(
upvoted 1 times
HOTSPOT -
You have an Azure subscription named Subscription1 that contains a virtual network named VNet1. You add the users in the following table.
Which user can perform each configuration? To answer, select the appropriate options in the answer area.
Hot Area:

Box 1: User1 and User3 only.
The Owner Role lets you manage everything, including access to resources.
The Network Contributor role lets you manage networks, but not access to them.
Box 2: User1 and User2 only -

The Security Admin role: In Security Center only: Can view security policies, view security states, edit security policies, view alerts and
recommendations, dismiss alerts and recommendations.
References:
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles

For
question 2, it will be User 1 only. Security admin can't add other
users
upvoted 6 times
  SilverFox 2 months, 4 weeks ago

Box1:
User 1 & User 3 Box2: User 1
upvoted 4 times
  riya123 3 months, 2 weeks ago

Box
1: User1 only. Box 2: User1 and User2 only
upvoted 1 times
  simonxinyu 3 months, 1 week ago

Network
Contributer: Lets you manage networks, but not access to them. So Box 1: User1
and User2
upvoted 2 times

Sorry.
Box 1: User 1 and User 3
upvoted 2 times

Box1:
Which of the following user/users would be able to add a subnet to the virtual
network? User 1 & User 3 Box 2: Which of the following user/users would be
able to add the Reader role to the virtual network? User 1
upvoted 13 times
  Russel 2 months, 1 week ago

Shiven
is correct .I tried in lab security admin can't add reader role in virtual
network.
upvoted 2 times

I
found the complete question here - https://www.itexams.com/exam/AZ-300
upvoted 3 times

https://www.itexams.com/static/img/exams/Microsoft-AZ-300-1.0/xmlfile-259_1.jpg
upvoted 1 times

Security
Admin cannot add other users. Only the owner can in this case. Second question
is User-1 only.
upvoted 1 times
  Sun_mon 6 days ago

Correct
answer is User1 for box1 and user 1 and 2 for Box 2
upvoted 1 times
  Pigi_102 3 days, 21 hours ago

User1 and User3 for Box1 ( Owner have all privileges and
Network Contributor can create and manage resources but not access so creation
is possible ) User1 only on Box2 ( Security admin an view and uodate permission,
not create ).
upvoted 1 times
You have an Azure subscription that contains three virtual networks named VNet1, VNet2, and VNet3. VNet2 contains a virtual appliance named
VM2 that operates as a router.
You are configuring the virtual networks in a hub and spoke topology that uses VNet2 as the hub network.
You plan to configure peering between VNet1 and VNet2 and between VNet2 and VNet3.
You need to provide connectivity between VNet1 and VNet3 through VNet2.
Which two configurations should you perform? Each correct answer presents part of the solution.
A. On the peering connections, allow forwarded traffic
B. Create a route filter
C. On the peering connections, allow gateway transit
D. Create route tables and assign the table to subnets
E. On the peering, use remote gateways
Correct Answer: CE
Allow gateway transit: Check this box if you have a virtual network gateway attached to this virtual network and want to allow traffic from the
peered virtual network to flow through the gateway.
The peered virtual network must have the Use remote gateways checkbox checked when setting up the peering from the other virtual network to
this virtual network.
References:

I
would think that based on the reference solution from Microsoft, the right
answer is AC Reference:
https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/hub-spoke?toc=%2fazure%2fvirtual-
network%2ftoc.json
See "Spoke connectivity section" there. 1) allow forwarded traffic is
configured for all VNET peerings 2) User Defined Routes (UDR) are configured for
each subnet "allow gateway transit" and "allow forwarded traffic" options make
sense when you need to extend spoke VNETs to on-premises network via HUB-located
gateway.
upvoted 6 times

try
to do it in the lab. it doesn't work. you need to have GW transit and GW
configured. I was not able to communicate only with forwarded traffic.
upvoted 2 times

in
this scenario, transit is required.
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-peering-gateway-transit
Gateway transit is a peering property that enables one virtual network to
utilize the VPN gateway in the peered virtual network for cross-premises or
VNet-to-VNet connectivity. can also configure spokes to use the hub VNet gateway
to communicate with remote networks. To allow gateway traffic to flow from spoke
to hub, and connect to remote networks, you must: Configure the VNet peering
connection in the hub to allow gateway transit. Configure the VNet peering
connection in each spoke to use remote gateways. Configure all VNet peering
connections to allow forwarded traffic.
upvoted 2 times

yes,
AD. Your typo rectified here for others. Still you replied in bottom.
upvoted 7 times

Sorry
answer is AD too bad I cannot edit the previous post.
upvoted 21 times
  Jaa9 6 months, 1 week ago

Correct
answer is AD. A: Vnet2 where the NVA is placed need to be allowed to forward
traffic from Vnet1 to Vnet3 and vica versa B: User Defined Route (UDR) must be
created on each Subnet in Vnet1 and Vnet3 to override system (default) routes
and send traffic between these Vnet's via the NVA
upvoted 9 times

D:
User Defined Route (UDR) must be created on each Subnet in Vnet1 and Vnet3 to
override system (default) routes and send traffic between these Vnet's via the
NVA
upvoted 3 times

correct
answer is : A, D
upvoted 11 times

Agree.
Also "Each correct answer presents part of the solution.". Gateway transit and
remote gateways would be in a scenario where onpremises transitive connections
would be required.
upvoted 3 times
  bbbb 4 months, 2 weeks ago

This
is quite a confusing question but I tend to agree with Oz - the answer is AC.
In the link Oz provides it discusses this sort of scenario and the
considerations of a spoke topology using UDRs and "Allow forwarded
traffic".
upvoted 1 times

Whoops,
did the same thing...should read AD haha.
upvoted 3 times

OK
so after looking at the Github code i think it is in fact AC after all:
"virtualNetworkPeerings": [ {
"name": "spoke1-hub-peer",
"allowForwardedTraffic": true,
"allowGatewayTransit": false,
"useRemoteGateways": true,
"remoteVirtualNetwork": {
"resourceGroupName": "hub-vnet-rg",
"name": "hub-vnet" }
} Notice that the spoke configuration uses the "allowForwardedTraffic"
option, as well as "useRemoteGateways".
upvoted 1 times
  Abbas 3 months, 3 weeks ago

A
and D are correct. The link given in the explanation has the same scenario
explained and a link to user defined routes explains about the table.
upvoted 4 times

I
think D is wrong! A and E are right!
upvoted 1 times

Correct
ans is Cand E. You can also configure spokes to use the hub gateway to
communicate with remote networks. To allow gateway traffic to flow from spoke to
hub, and connect to remote networks, you must: Configure the peering connection
in the hub to allow gateway transit. Configure the peering connection in each
spoke to use remote gateways. Configure all peering connections to allow
forwarded traffic.
https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/hub-spoke
upvoted 1 times

"You
need to provide connectivity between VNet1 and VNet3 through VNet2." It's not
about remote gateways or connectivity outside the Vnets. So A (to forward
traffic from a spoke vnet to another spoke) and D (without UDR and NVA as next
hop IP traffic won't flow beetwen the spokes). Tested in production, not
lab.
upvoted 4 times

Shiven,
this time I think you`re wrong. Jt909 is right, his explanation is correct. I
would also chose A & D without any doubt.
upvoted 1 times

Cleary A&D
upvoted 3 times

A
and D should be the answer. There is no VPN gateway involved so no need for
Allow Gateway Transit.
upvoted 6 times
  Marshal_ 1 month, 1 week ago

There is gateway involved "VNet2 contains a virtual
appliance named VM2 that operates as a router." CE work in a lab as long as you
use a gateway and define routes.
upvoted 1 times

it's
clearly A and D
upvoted 3 times

No
doubt, A and D are correct.
upvoted 5 times
DRAG DROP -
You have an Azure subscription that contains two virtual networks named VNet1 and VNet2. Virtual machines connect to the virtual networks.
The virtual networks have the address spaces and the subnets configured as shown in the following table.
You need to add the address space of 10.33.0.0/16 to VNet1. The solution must ensure that the hosts on VNet1 and VNet2 can communicate.
Select and Place:

Step 1: Remove peering between Vnet1 and VNet2.
You can't add address ranges to, or delete address ranges from a virtual network's address space once a virtual network is peered with another
virtual network.
To add or remove address ranges, delete the peering, add or remove the address ranges, then re-create the peering.
Step 2: Add the 10.44.0.0/16 address space to VNet1.
Step 3: Recreate peering between VNet1 and VNet2
References:

IMHO
Box 2 "Protecting from web vulnerabilities" should be Application gateway. it's
component Web Application firewall will fit the bill. Security Center is a
monitoring and alerting solution not an actual protection from web
vulnerabilities. Ref:
upvoted 1 times

-
Remove peering between VNet1 and VNet2 - Add the 10.33.0.0/16 address space to
VNet1 - Recreate peering between VNet1 and VNet2
upvoted 20 times

You
can't add address ranges to, or delete address ranges from a virtual network's
address space once a virtual network is peered with another virtual network. To
add or remove address ranges, delete the peering, add or remove the address
ranges, then re-create the peering. To add address ranges to, or remove address
ranges from virtual networks, see Manage virtual networks.
upvoted 1 times
  SilentH 3 months ago

I
don't understand the question. How can we "add" 10.33.0.0/16 to VNet1 when VNet1
has an address space of 10.1.0.0/16? Isn't 10.33.0.0/16 entirely outside of the
VNet1 address apce? It seems like 10.33.0.0/16 is a different VNet (e.g. VNet3).
Can someone please explain?
upvoted 1 times
  wigger 3 months ago

From
the VNet1 blade select "Address space" under Settings > type new address
space in text box provided and click save (disk icon)...
upvoted 1 times

Please
do not mix Address spaces and Subnets )
upvoted 4 times
  SaurabhAzure 1 month, 1 week ago

10.33.0.0/16
is actually not in 10.1.0.0/16. 10.1.0.0/16 means all addresses between 10.1.0.0
to 10.1.255.255.
upvoted 1 times
HOTSPOT -
You are designing a virtual network to support a web application. The web application uses Blob storage to store large images. The web
application will be deployed to an Azure App Service Web App.
You have the following requirements:
Secure all communications by using Secured Socket layer (SSL)
✑ SSL encryption and decryption must be processed efficiently to support high traffic load on the web application
✑ Protect the web application from web vulnerabilities and attacks without modification to backend code
✑ Optimize web application responsiveness and reliability by routing HTTP request and responses to the endpoint with the lowest network
latency for the client.
You need to configure the Azure components to meet the requirements.
What should you do? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Box 1: Azure application Gateway

Azure Application Gateway supports end-to-end encryption of traffic. Application Gateway terminates the SSL connection at the application
gateway. The gateway then applies the routing rules to the traffic, re-encrypts the packet, and forwards the packet to the appropriate back-end
server based on the routing rules defined.
Any response from the web server goes through the same process back to the end user.
Box 2: Azure Security Center -

Azure Security Center is a unified infrastructure security management system that strengthens the security posture of your data centers, and
provides advanced threat protection across your hybrid workloads in the cloud - whether they're in Azure or not - as well as on premises.
Box 3: Azure Traffic Manager -

Azure Traffic Manager is a DNS-based traffic load balancer that enables you to distribute traffic optimally to services across global Azure
regions, while providing high availability and responsiveness.
References:
https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-end-to-end-ssl-powershell https://docs.microsoft.com/en-
us/azure/traffic-manager/traffic-manager-overview https://docs.microsoft.com/en-us/azure/security-center/security-center-intro

Box
2: Should be Azure application Gateway and not Azure Security Center. Azure
Application Gateway has Web Application Firewall (WAF) functionality that
protects the Web App from OWASP attacks. Security Center doesn't give any
protection for the Web App, only recommendation on security features.
upvoted 28 times

Correct:
https://docs.microsoft.com/en-us/azure/web-application-firewall/ag/ag-overview
upvoted 2 times
  simonyu 3 months, 2 weeks ago

this
link is for WAF, not application gateway.
upvoted 1 times
  pradjhun 5 months, 3 weeks ago

Look at the link
https://docs.microsoft.com/en-us/azure/security-center/tutorial-security-policy
Security Center is correct answer
upvoted 3 times

Security
Center is to audit the security of your Azure resources, not to protect against
web attacks
upvoted 7 times

-
App Gateway - App Gateway - Traffic Manager
upvoted 27 times
  AnilV 2 months, 3 weeks ago

AppGW
Security Center TM
https://docs.microsoft.com/en-in/azure/security-center/security-center-intro
upvoted 3 times
  AnilV 2 weeks, 2 days ago

AppGW
AppGW TM is correct
upvoted 2 times

AppGW Security Center Traffic Manger Answer is Security
Center since it protect the web vulnerability, not the "Attack" itself. WAF
protects the external attach, and Security Center does on the internal
vulnerability.
upvoted 2 times

App
Gateway AppGateway Traffic Manager Requirement: "Protect the web application
from web vulnerabilities and attacks without modification to backend code". The
security centre can provide recommendations but the WAF in AppGateway integrates
OWASP rules to eliminate web vulnerabilities and threats.
upvoted 5 times
  joshp 2 weeks, 2 days ago

https://docs.microsoft.com/en-us/azure/web-application-firewall/ag/ag-overview
-App Gateway -App Gateway -Traffic Manger The above document states "Protection
Protect your web applications from web vulnerabilities and attacks without
modification to back-end code."
upvoted 1 times
  2cool2touch 1 week, 6 days ago

The
overall question requirement is to protect from Web Vulnerabilities and Protect
against attacks. However the drop down is NOT about attacks. That portion is
ONLY for Web Vulnerabilities. Hence Security Center should be correct as it
protects agains Vulnerabilities. Choosing App Gateway in option A already
protects against attacks hence overall requirements are satisfied. - App GW -
Security Center - Traffic Manager
upvoted 1 times
  vrana 1 week, 5 days ago

Security
Center can also prevent from threats and more sophisticated. Hecen correct
answer is - App Gateway - Security Center - Traffic Manager.
upvoted 1 times
HOTSPOT -
You have Azure Storage accounts as shown in the following exhibit.
Hot Area:
Correct Answer:
Note: The three different storage account options are: General-purpose v2 (GPv2) accounts, General-purpose v1 (GPv1) accounts, and Blob
storage accounts.
✑ General-purpose v2 (GPv2) accounts are storage accounts that support all of the latest features for blobs, files, queues, and tables.
✑ Blob storage accounts support all the same block blob features as GPv2, but are limited to supporting only block blobs.
✑ General-purpose v1 (GPv1) accounts provide access to all Azure Storage services, but may not have the latest features or the lowest per
gigabyte pricing.
References:
https://docs.microsoft.com/en-us/azure/storage/common/storage-account-options
You are planning to create a virtual network that has a scale set that contains six virtual machines (VMs).
A monitoring solution on a different network will need access to the VMs inside the scale set.
You need to define public access to the VMs.
Solution: Deploy a standalone VM that has a public IP address to the virtual network.
Does the solution meet the goal?
A. Yes
B. No
Correct Answer: A

Answer
B.
upvoted 5 times

@piotr
what is the correct solution ?
upvoted 1 times

Answer
is B
upvoted 3 times

piotr
/ Jaa9, request you to please explain it more. Thanks for your help.
upvoted 2 times

Could
you explain your choice ? I think it's A because. That VM could monitor the here
mentioned VMSS. This is maybe not optimal and secured, but it will
work.
upvoted 2 times

"A
monitoring solution on a different network will need access to the VMs inside
the scale set." Only deploying a VM with a public IP will not be a solution. It
would need to be configured as a router, proxy or whatever, and I guess the
monitoring solution needs direct access to the VM in the Scale Set, there would
be a need to deploy an agent on the monitored VM's etc. So, answer B should be
correct.
upvoted 4 times
  d9753250 4 months, 2 weeks ago

Couldn't you use the VM as gateway for the microsoft
monitoring agents in the other 6 vm's? Than the answer would be A.
upvoted 1 times
  Naverick 4 months, 1 week ago

The ideal solution should be to deploy a public load
balancer in front of the VMSS. Just deploying a VM with a public IP does
nothing at all. Answer should be B.
upvoted 2 times

Wrong,
if monitor solution need to access individual VMs, loadbalancer can't do this,
you can't exactly know which VM you are currently monitoring. A single VM with
public IP access can be configured as an jumpbox or proxy or router, it can meet
the question's need.
upvoted 1 times

Answer
is A: • Connect to VM instances using RDP or SSH: To connect to VM
instances using RDP or SSH, you can configure a scale set to automatically
assign a public IP address. This option is turned off by default. The VMs are
inside a virtual network, making it impossible to connect to them using RDP or
SSH. Connect to VM instances using a jumpbox: You can create a standalone
VM inside the same virtual network to act as a jumpbox to connect to another
scale set instance in the set. The standalone VM gets a public IP address, which
can be connected using RDP or SSH. Once connected to the VM, you can use it to
connect to other instances using the internal
upvoted 5 times

The
correct answer is B A scale set is created inside a virtual network, and
individual VMs in the scale set are not allocated public IP addresses by
default. This policy avoids the expense and management overhead of allocating
separate public IP addresses to all the nodes in your compute grid. If you do
need direct external connections to scale set VMs, you can configure a scale set
to automatically assign public IP addresses to new VMs.
https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-overview
upvoted 3 times
  pokerpa71 3 months, 1 week ago

The
correct answer is "A" -
https://docs.microsoft.com/en-gb/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-networking#public-ipv4-per-virtual-machine
- "Public IPv4 per virtual machine" In general, Azure scale set virtual machines
do not require their own public IP addresses. For most scenarios, it is more
economical and secure to associate a public IP address to a load balancer or to
an individual virtual machine (aka a jumpbox), which then routes incoming
connections to scale set virtual machines as needed (for example, through
inbound NAT rules).
upvoted 2 times

The
question does not state what type of VM, it could be a virtual Router (I.E. Palo
Alto, Fortinet) that can do the routing. It also DOES not state to setup NAT on
the VM. Based on the text pokerpa71 pasted, my vote is "A" Yes it meets the
requirements.
upvoted 1 times
  keithtemplin 1 week, 5 days ago

I
just went back through this practice question and I realized that the monitoring
part of the question has nothing to do with the Solution. The Solution meets
the "You need to define public access to the VMs". The by product of this is
that you can now monitor each VM on their separate public IP.
upvoted 1 times
  Sas1234 3 months, 1 week ago

A:
Connect to VM instances using a jumpbox: You can create a standalone VM inside
the same virtual network to act as a jumpbox to connect to another scale set
instance in the set. The standalone VM gets a public IP address, which can be
connected using RDP or SSH. Once connected to the VM, you can use it to connect
to other instances using the internal IP address.
https://learning.oreilly.com/library/view/architecting-microsoft-azure/9781788991735/99c2fad9-1cb9-45d8-9003-f95d9a1200f1.xhtml
upvoted 2 times

Answer
B. A VM on a different Vnet may also only have private IP.
upvoted 2 times

Sorry.
Forget my answer.
upvoted 1 times
  jcarlos 3 months ago

There
are two different requirements to be met: connect to VM in the scale set from
public and monitor the VM in the scale set from a monitoring solution in a
different net. With the machine deployed with public IP in the same network as
the scale set and acting as jump box the first requirement is met, but not the
second since there is nothing done to ensure scale set network is reachable from
monitoring network (such as peering both networks if possible or connecting them
using virtual gateway).So, I would say B
upvoted 6 times

I
agree with @jcarlos. The answer A addresses the second requirement only - "You
need to define public access to the VMs", but it does not help us to meet the
first requirement. Thus, I would choose B.
upvoted 2 times

Correct
Answer: A Explanation/Reference: Public IP addresses are necessary because they
provide the load balanced entry point for the virtual machines in the scale set.
The public IP address will route traffic to the appropriate virtual machines in
the scale set.
upvoted 2 times
  ccarlton 2 months, 2 weeks ago

This is a terrible question. Just creating a VM with a
public IP alone in the same subnet as the scale set doesn't give the monitoring
solution in the other network the ability to monitor the machines in the scale
set. That new VM will need a public IP, but it will also need additional stuff,
NOT mentioned to achieve the other network visibility.. B is the
answer.
upvoted 3 times

you can access the stand-alone VM thru its public IP
address
upvoted 2 times

Option
A is correct. New standalone VM with a public access has access to all the VMs
in the scaleset. Any external monitoring system can thus access the scaleset VMs
through this standalone VM (of course, new VM will need some additional
configuration)
upvoted 3 times

also
agree with B. Key item in question - does not specify which network requires
access, so it may be another internal network.
upvoted 1 times
Solution: Implement an Azure Load Balancer.
A. Yes
B. No
Correct Answer: B
  Santosh_Nalikul 5 months, 2 weeks ago

Why
A is not correct ?
upvoted 1 times

A
is indeed a valid answer, the questions is, is this the most optimal way?
https://subscription.packtpub.com/book/virtualization_and_cloud/9781788991735/1/ch01lvl1sec17/vm-scale-sets
upvoted 1 times
  maheshyadav 5 months, 1 week ago

B
is right since a Load Balancer is created when creating VMSS. If it was
Application Gateway instead of LB
upvoted 1 times

A
Load Balancer would not make sense - the monitoring solution will need access to
all the VM's inside the Scale Set, and not to one by one in a round-robin mode.
Answer B should be correct.
upvoted 10 times
  wlfjck 4 months, 2 weeks ago

it
should be A, as load balancer + VMSS, you can configure inbound NAT rules for
each VM inside of VMSS
upvoted 6 times

The
correct answer is B A scale set is created inside a virtual network, and
upvoted 2 times
  pokerpa71 3 months, 1 week ago

The
correct answer is "A" -
https://docs.microsoft.com/en-gb/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-networking#public-IPv4-per-virtual-machine
- : "Public IPv4 per virtual machine" In general, Azure scale set virtual
machines do not require their own public IP addresses. For most scenarios, it is
more economical and secure to associate a public IP address to a load balancer
or to an individual virtual machine (aka a jumpbox), which then routes incoming
connections to scale set virtual machines as needed (for example, through
inbound NAT rules).
upvoted 5 times

Answer
is A
https://azure.microsoft.com/en-in/blog/virtual-machine-scale-set-insights-from-azure-monitor/
upvoted 2 times

There are four solutions, three of them are Deploy a
standalone VM that has a public IP address to the virtual network. Implement an
Azure Load Balancer. Design a scale set to automatically assign public IP
addresses to all VMs.
upvoted 2 times

B
is correct answer. You need deterministic access to individual VMs in the
scaleset (e.g. you want to access vm1 out of 6 VMs). A loab balancer, even with
the sticky session on, will take you to some VM based on routing rules which may
not be the VM that you want to access. So load balancer is not a good
solution.
upvoted 1 times

Exactly.
You need to be able to access a specific VM in the scale set for
monitoring.
upvoted 2 times
Solution: Design a scale set to automatically assign public IP addresses to all VMs.
A. Yes
B. No
Correct Answer: B

Answer
A. If all VM have public IP, monitoring solution will be able to reach
them.
upvoted 19 times
  jwang 1 month, 1 week ago

Correct.
https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-faq
upvoted 1 times

In
general, Azure scale set virtual machines do not require their own public IP
addresses. For most scenarios, it is more economical and secure to associate a
public IP address to a load balancer or to an individual virtual machine (aka a
jumpbox), which then routes incoming connections to scale set virtual machines
as needed (for example, through inbound NAT rules). However, some scenarios do
require scale set virtual machines to have their own public IP addresses. An
example is gaming, where a console needs to make a direct connection to a cloud
virtual machine, which is doing game physics processing. Another example is
where virtual machines need to make external connections to one another across
regions in a distributed database.
upvoted 11 times

Yes,
the correct answer is A A scale set is created inside a virtual network, and
upvoted 5 times

There are four solutions, three of them are Deploy a
standalone VM that has a public IP address to the virtual network. Implement an
Azure Load Balancer. Design a scale set to automatically assign public IP
addresses to all VMs.
upvoted 2 times

Stand
alone VM as a jump box works, but the load balancer may not. You need specific
access to a VM to monitor. Having the scale set automatically assigning public
IPs also will work.
upvoted 2 times
  DP80 4 weeks ago

The
answer seems to be A. You can actually design a vmss with a public IP in each
vm. This is what I found on Microsoft docs => To create a virtual machine
scale set that assigns a public IP address to each VM, make sure the API version
of the Microsoft.Compute/virtualMachineScaleSets resource is 2017-03-30, and add
a publicipaddressconfiguration JSON packet to the scale set ipConfigurations
section. Example: "publicipaddressconfiguration": { "name": "pub1",
"properties": { "idleTimeoutInMinutes": 15 } } Link -
https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-faq
upvoted 1 times
HOTSPOT -
You have an on-premises data center and an Azure subscription. The data center contains two VPN devices. The subscription contains an Azure
virtual network named VNet1. VNet1 contains a gateway subnet.
You need to create a site-to-site VPN. The solution must ensure that is a single instance of an Azure VPN gateway fails, or a single on-premises
VPN device fails, the failure will not cause an interruption that is longer than two minutes.
What is the minimum number of public IP addresses, virtual network gateways, and local network gateways required in Azure? To answer, select
the appropriate options in the answer area.
Hot Area:
Correct Answer:
Box 1: 4 -
Two public IP addresses in the on-premises data center, and two public IP addresses in the VNET.
The most reliable option is to combine the active-active gateways on both your network and Azure, as shown in the diagram below.
Box 2: 2 -
Every Azure VPN gateway consists of two instances in an active-standby configuration. For any planned maintenance or unplanned disruption
that happens to the active instance, the standby instance would take over (failover) automatically, and resume the S2S VPN or VNet-to-VNet
connections.
Box 3: 2 -
Dual-redundancy: active-active VPN gateways for both Azure and on-premises networks
References:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-highlyavailable

You
only need 2 public IP addresses in Azure, one per gateway. Other side public IP
does not count as these are not Azure resources.
upvoted 17 times
  ChinaBandit 5 months, 1 week ago

All
4 Gateways are AZ resource. Question is do the dynamically assigned Public IP
addresses on the Azure side VPN Gateway count?
upvoted 1 times

4
is correct. You have to create 2 local gateways in Azure that depicts on-prem
gateways + 2 Azure Gateways
upvoted 3 times
  qr 2 months, 2 weeks ago

Armrinder101
is correct. 4 is required.
upvoted 2 times

As
Amrinder said 4 is correct. You give the local network gateway a name, the
public IP address of the on-premises VPN device, and specify the address
prefixes that are located on the on-premises location. So we should give 2
Public IPs for VPN Gateway and 2 for LNG (which is on-premises public
IPs).
upvoted 3 times

Is
4:
https://docs.microsoft.com/pt-br/azure/vpn-gateway/vpn-gateway-highlyavailable
upvoted 1 times

 Adrian1405 5 months, 2 weeks ago
I
would say that the correct answer is 3 Public IP address. The best fits Multiple
on-premises VPN devices scenario
https://docs.microsoft.com/pt-br/azure/vpn-gateway/vpn-gateway-highlyavailable
upvoted 4 times
  maheshyadav 5 months, 1 week ago

You
need only 1 Gateway (Azure VPN gateway in an active-active configuration, and
create two local network gateways and two connections for your two on-premises
VPN devices as described above. The result is a full mesh connectivity of 4
IPsec tunnels between your Azure virtual network and your on-premises network)
This will provide full active-active connection
upvoted 3 times

the
question said "In Azure" , so: 2 Public IPs , 1 VPN Gateway in active/active
config , 2 Local Network Gateways I already implemented this before.
upvoted 14 times

Question
is "What is the minimum number of public IP addresses, virtual network gateways,
and local network gateways required in Azure?" , which means 3 resources all in
Azure.
upvoted 2 times
  sameer2803 1 month ago

you
are missing this line "the failure will not cause an interruption that is longer
than two minutes.". they are ok with a downtime of 2mins so we don't have to be
active-active.
upvoted 1 times
  tester18128075 4 months, 3 weeks ago

I
have an active-passive VPN gateway, this requires one Public IP , one VPN
gateway and two local gateways. Only thing not sure is the failover time will be
2 minutes or not
upvoted 2 times

You
only need 1 public IP address in azure, refer to below
For planned maintenance, the connectivity should be restored within 10 to 15
seconds. For unplanned issues, the connection recovery will be longer, about 1
minute to 1 and a half minutes in the worst case. So the correct answer should
be 1. 1 IP 2. 2 Gateway instances
upvoted 2 times

I
would go further and say, only need 1 gateway that needs to be created.
According to the doc "Every Azure VPN gateway consists of two instances in an
active-standby configuration". This supports the failover recovery under 2
minutes. Azure manages the standby gateway instance behind the scenes, but need
only one gateway created by the user. The question says how many vpn gateways,
not how many gateway instances. Overall it is a terribly vaguely composed
question.
upvoted 3 times

2,
2, 2 -
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-activeactive-rm-powershell
upvoted 2 times
Sorry,
just 2 gateway. But link above shows this clearly.
upvoted 1 times
  Bonna 4 months, 1 week ago

2-2-2
Benkyoujin is correct, here is the good link
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-activeactive-rm-powershell
upvoted 1 times

Every
Azure VPN gateway consists of two instances in an active-standby configuration.
For any planned maintenance or unplanned disruption that happens to the active
instance, the standby instance would take over (failover) automatically, and
resume the S2S VPN or VNet-to-VNet connections. The switch over will cause a
brief interruption. For planned maintenance, the connectivity should be restored
within 10 to 15 seconds. For unplanned issues, the connection recovery will be
longer, about 1 minute to 1 and a half minutes in the worst case. So I think
active-standby will be good enough one Public IP , one VPN gateway and two
local gateways.
upvoted 27 times
  Daren 2 months, 1 week ago

Correct.
I started to believe that I`m the only one thinking like this. Thanks!
upvoted 1 times
  shayer0 3 months, 1 week ago

It
should be 1 Virtual network gateway (in active/stand-by mode as they can
tolerate 2 minutes interruption), so one Azure IP as well. And 2 Local network
Gateways. The IPs for these 2 local network gateways are not Azure IP, they are
VPN device IPs. so answers is: 1-1-2
upvoted 16 times
  Daren 2 months, 1 week ago

This
is correct. I had to read all the dumb shit above to get to this clear
explanation.
upvoted 4 times
  Gjferweb 1 month, 3 weeks ago

It also say the minimum, no most reliable, so i go with
active pasive gtw which can tolerate at most 1:30 min at most
upvoted 1 times

1 Public IP address 1 Active/Standby VPN Gateway 2 Local
Network Gateways
upvoted 8 times
  thirstylion 2 months ago

Dual
redundancy is the most reliable option as suggested. As per that I think the
answers are correct.
upvoted 1 times
  jayrush 2 months ago

This
same question was in AZ103 and answer is 2,2,2
upvoted 1 times

from
doc we have : For planned maintenance, the connectivity should be restored
within 10 to 15 seconds. For unplanned issues, the connection recovery will be
longer, about 1 minute to 1 and a half minutes in the worst case ( so here we
are in the active/passive mode we need only one public IP) + The local network
gateways corresponding to your VPN devices must have unique public IP addresses
in the "GatewayIpAddress" property ( here we need 2 public IPs) so the total is
3 IPs, one Virtual gateway + 2 local network gateways
upvoted 1 times
  Gorha 1 month, 2 weeks ago

3
IP addresses: One for the two virtual gateways that are deployed in
active-passive, when one fails the other takes over using the same IP address.
Two IP addresses for the local gateways. 2 virtual gateways, active-passive 2
local gateways representing on premises
upvoted 1 times
  Tino 1 month ago

guys,
i think that 1 public IP for the active/standby setup will be enough for the
requirements: "For any planned maintenance or unplanned disruption that happens
to the active instance, the standby instance would take over (failover)
automatically, and resume the S2S VPN or VNet-to-VNet connections. The switch
over will cause a brief interruption. For planned maintenance, the connectivity
should be restored within 10 to 15 seconds. For unplanned issues, the connection
recovery will be longer, about 1 minute to 1 and a half minutes in the worst
case."
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-highlyavailable#multiple-on-premises-vpn-devices
With active/active: no downtime, 2 IPs, 1 gateway and 2 local gateways with
active standby:a max of 1 min and a half in downtime (lesser than requirements),
1 IP, 1 gateway and 2 local gateways
upvoted 5 times

You
need 4 Public IPs on Azure, as 2 needed for VPN Gateway and 2 for Local gateway
(These 2 IP are actually of on-prem VPN devices). 2 VPN Gateway and 2 Local
gateways are required for high availability on Azure. If they didn't mention
high availability of VPN Gateway then only 1 can do the job in practical
way.
upvoted 1 times

4
2 2 for active active you can do 2 ips per gateway
upvoted 1 times
  ReffG 2 weeks, 2 days ago

as
active/passive setup is sufficient you need the following things IN AZURE: 1
Public IP for the Virtual Network Gateway 1 Virtual Network Gateway (2min
failure tolerance, always deployed with 2 instances that share the Public IP in
active/passive config) 2 Local Network Gateways (Needs the public IPs of local
devices but not IN AZURE devices)
upvoted 1 times

HOTSPOT -
You have peering configured as shown in the following exhibit.
Hot Area:
Correct Answer:
Box 1: vNET6 only -
Box 2: Modify the address space -

The virtual networks you peer must have non-overlapping IP address spaces.
References:
Why
modifying the address space? We don't even know which address space are used
here, hence maybe is no overlapping at all.
upvoted 9 times
  looker 7 months ago

agree,
i think the answer should be 'delete peering1'. according to:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-faq#vnet-peering
: If your VNet peering connection is in a Disconnected state, it means one of
the links created was deleted. In order to re-establish a peering connection,
you will need to delete the link and recreate it.
upvoted 34 times
  kobiazure 3 months, 2 weeks ago

as
fasr as i understand , you cannot disconnect the peering , you can only delete
it
upvoted 3 times

You
observation seems correct.
upvoted 2 times
  slbteam08 1 month, 4 weeks ago

From:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-troubleshoot-peering-issues
The peering status is "Disconnected" => To resolve this issue, delete the
peering from both virtual networks, and then re-create them.
upvoted 9 times
  milind8451 4 weeks ago

Either
the question is incomplete or answer is wrong. We don't see any IP address
ranges so how can we know if there is any address overlapping. I think the best
answer is to delete the peering.
upvoted 2 times
You have an Azure Kubernetes Service (AKS) cluster named Clus1 in a resource group named RG1.
An administrator plans to manage Clus1 from an Azure AD-joined device.
You need to ensure that the administrator can deploy the YAML application manifest file for a container application.
You install the Azure CLI on the device.
Which command should you run next?
A. kubectl get nodes
B. az aks install-cli
C. kubectl apply ""f appl.yaml
D. az aks get-credentials --resource-group RG1 --name Clus1
Correct Answer: C
kubectl apply ""f appl.yaml applies a configuration change to a resource from a file or stdin.
Incorrect Answers:
A: kubectl get nodes gets a list of all nodes.
B: az aks install-cli download and install the Kubernetes command-line tool.
D: az aks get-credentials gets access credentials for a managed Kubernetes cluster
References:
https://kubernetes.io/docs/reference/kubectl/overview/
https://docs.microsoft.com/en-us/cli/azure/aks
  [Removed] 6 months, 1 week ago

I
think the answer should be D. See
https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough#connect-to-the-cluster
upvoted 14 times

D
is right and should be performed before C is done. Option C is to deploy the
YAML file.
upvoted 5 times

Thinking
more about it, I think B is correct because you first download the kubectl in
order to later run the commands
upvoted 13 times
  ChePunk 2 months, 2 weeks ago

I
agree with Musk that the correct answer is B, because you can read this article
about the following up steps after installed Azure CLI on your on-premise
device.
upvoted 2 times
  STFN2019 3 weeks, 6 days ago

Precisely
upvoted 1 times
  cjsammaejs 5 months ago

I
agree with Musk, it is probably B.
https://docs.microsoft.com/en-us/cli/azure/aks?view=azure-cli-latest#az-aks-install-cli
What is missing from the list is "az login". You have to do this command before
running C or D and it is not listed. An Azure AD joined device does not
pre-empt either az login or get credentials from my testing. and the question
asks what would you do after installing AZ CLI. Kubectl is not installed by
installing AZ Cli.
upvoted 5 times

Question
says, You install the Azure CLI on the device. Which command should you run
next? Obviously "C", run YAML file. Since CLI is already installed....
upvoted 2 times
  cjsammaejs 4 months, 1 week ago

the
Azure CLI install does not install kubectl. For Kubectl to get installed you
have to run B after installing the Azure Cli.
upvoted 5 times

But
B is the command to install the CLI! Example says this was done
already.
upvoted 2 times
  Naverick 4 months, 1 week ago

https://docs.microsoft.com/en-us/cli/azure/aks?view=azure-cli-latest
B downloads and installs kubectl, the Kubernetes command-line too. This is
different from Azure CLI which installs the "AZ" module.
upvoted 1 times

To
manage a Kubernetes cluster, you use kubectl, the Kubernetes command-line
client. If you use Azure Cloud Shell, kubectl is already installed. To install
kubectl locally, use the az aks install-cli command:
upvoted 1 times

You
install the Azure CLI on the device. so az commands available ...next az aks
install-cli so answer is B
upvoted 2 times

D
should be the answer irrespective of installation is in progress or completed
because it ask for the command to be run next. so as a second step admin should
be given the permissions to deploy the file.
upvoted 1 times

1.
Install AZ CLI using ... MSI ... - it is only Azure CLI, not Kubernetes 2. !!! B
- run az aks install-cli to install Kubernetes CLI, which is kubectl !!! only
then kubectl apply etc.
upvoted 7 times
  FailureIsnotAnOption 3 months ago

C
https://docs.microsoft.com/en-us/azure/aks/tutorial-kubernetes-deploy-application
upvoted 1 times

D
is right, before you can do anything on the aks you must connect with
him.
upvoted 2 times

From
MS'
B - install az aks cli or you don't have kubectl available. D - login with
get-credential A verify access kubectl get nodes C apply yaml command
upvoted 3 times

Answer: C: Deploy the application To deploy your
application, use the kubectl apply command. This command parses the manifest
file and creates the defined Kubernetes objects. Specify the sample manifest
file, as shown in the following example:
upvoted 1 times
  blackalbum 2 months, 1 week ago

Definitely
D !! Check out this link.
upvoted 1 times

It`s
tricky, but I think the correct answer is az aks get-credentials
--resource-group RG1 --name Clus1 and I`ll explain why. The sequence is as
follows: 1. az aks install-cli 2. az aks get-credentials --resource-group "RG
name" --name "Cluster name" 3. kubectl get nodes 4. kubectl apply -f
somefile.yaml So you need to get the credentials of you AKS cluster in order to
connect & merge cluster as current context. Hope this helps.
upvoted 3 times

Now
I realized they said you installed Azure CLI. So next step is to run az aks
install-cli. I`d go with this option.
upvoted 1 times

az
aks get-credentials --resource-group RG1 --name Clus1 ( this command to get the
k8s cluster config file) before starting using kubectl command
upvoted 1 times

Correct
answer should be "D". Option B install kubectl CLI Option C is making use of
kubectl CLI You can avoid all this and just use AZ AKS commands. Option D should
be correct.
upvoted 1 times
  riyamalin 1 month ago

tested...D
is correct.
upvoted 1 times
  BigTone 1 month ago

If
you read the question carefully, it state you have installed Azure CLI, not the
Kubernetes CLI. These are 2 completely different products. You have to install
the Azure CLI to be able to run any CLI based commands. Before you can run any
product based CLI commands (docker, kubernetes etc.) you must install the
command set. So, in my view the answer would be B. az aks install-cli, this
installs the Kubernetes command set Then you would connect to the cluster with
az aks get-credentials, then kubectl get nodes and finally kubectl apply
-f
upvoted 1 times
  DP80 4 weeks ago

The
answer is B! It clearly says - "An administrator plans to manage Clus1 from an
Azure AD-joined device". So, that implies this is done on a device but, not on
Azure Cloud Shell. Then, it says - "You install the Azure CLI on the device" so,
there's no way Kubernetes command-line client (kubectl) to pre exist on that
device. So, the next command you MUST run is the following to install kubectl.
az aks install-cli Source -
https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough
upvoted 2 times
  mspav 3 weeks, 4 days ago

has
anyone attended this question in the exam as that will give a clear picture on
what Microsoft is expecting? I think the answer is B
upvoted 1 times
  RanjeetAulakh 3 weeks ago

By
looking at the getting started guide i think. 1. First you create the cluster
using az aks create ...(other params) 2. Then you install the Kubectl using az
aks install-cli 3. Then you get credential for the kubectl management using az
aks get-credentials --resource-group myResourceGroup --name myAKSCluster 4. Then
you can use kubectl command like kubectl get nodes Reference to get started
guide https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough So the
answer should be B we cannot assume the admin has already installed the Kubectl
on their device even if we assume if they have kubectl installed then answer
should be D because they need to get credential to Set Kubectl context for the
cluster
upvoted 1 times
  Rishabhjain 2 weeks, 2 days ago

correct
answer is D. I did a lab for it. First need to save credentials from AKS
cluster, so that kubelet can perform actions on AKS cluster. After that we can
call kubectl commands.
upvoted 1 times
Question #1 Topic 2
You have an Azure Active Directory (Azure AD) tenant named Adatum and an Azure Subscription named Subscription1. Adatum contains a group
named
Developers. Subscription1 contains a resource group named Dev.
You need to provide the Developers group with the ability to create Azure logic apps in the Dev resource group.
Solution: On Dev, you assign the Contributor role to the Developers group.
A. Yes
B. No
Correct Answer: A
The Contributor role lets you manage everything except access to resources. It allows you to create and manage resources of all types,
including creating Azure logic apps.
References:
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#contributor

The
answer is No, correct one is "Logic App Contributor"
upvoted 2 times

They
are not asking if this is the minimum required privilege to meet the
requirement, they are just asking if this role meets the requirement, thus the
answer is yes
upvoted 13 times

The
answer is Yes ..The Contributor roles enable to create Logic Apps.
upvoted 1 times
Question #2 Topic 2
A company backs up data to on-premises servers at their main facility. The company currently has 30 TB of archived data that infrequently used.
The facility has download speeds of 100 Mbps and upload speeds of 20 Mbps.
You need to securely transfer all backups to Azure Blob Storage for long-term archival. All backup data must be sent within seven days.
Solution: Backup data to local disks and use the Azure Import/Export service to send backups to Azure Blob Storage.
A. Yes
B. No
Correct Answer: A
  deadsoul0 2 months ago

The
answer should be B. 20 Mbps upload speed would take about 150 days to transfer
30TB of data
upvoted 2 times
  billynomates 2 months ago

That's
the point IMPORT/EXPORT service = Physical shipment of disks....which is the
only solution with the bandwidth constraint.
upvoted 8 times
  tmurfet 2 months ago

Download
locally to local disks and ship disks to Azure data center. So A.
upvoted 4 times

Use
shipping technique using Import/Export and not use the Upload
facility.
upvoted 1 times
Question #3 Topic 2
Solution: Create a file share in Azure Files. Mount the file share to the server and upload the files to the file share. Transfer the files to Azure Blob
Storage.
A. Yes
B. No
Correct Answer: B
Has
to be B as we are limited by 20 Mbps upload speed.
upvoted 1 times
  milind8451 4 weeks ago

"Securely",
tells that right option is B.
upvoted 1 times
Question #4 Topic 2
Solution: Use the Set-AzureStorageBlobContent Azure PowerShell command to copy all backups asynchronously to Azure Blob Storage.
A. Yes
B. No
Correct Answer: B

We
are limited by 20Mbps upload speed so B.
upvoted 2 times
Question #5 Topic 2
HOTSPOT -
You are developing a back-end Azure App Service that scales based on the number of messages contained in a Service Bus queue.
A rule already exists to scale up the App Service when the average queue length of unprocessed and valid queue messages is greater than 1000.
You need to add a new rule that will continuously scale down the App Service as long as the scale up condition is not met.
How should you configure the Scale rule? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:

Shouldn't
be ActiveMessage? As MessageCount include deadletter and transfered
upvoted 12 times

1)
Service Bus queue 2) Message count 3) Average 4) Less than or Equal to 5)
Decrease Count by
upvoted 25 times
  Karen_12321 2 months ago

And
why average instead of total?
upvoted 1 times
  Yannor 2 months ago

Because
it says "A rule already exists to scale up the App Service when the average
queue length of unprocessed and valid queue messages is greater than
1000."
upvoted 8 times

since
the scale out rule mentions Valid message, the scale in rule should also include
Active Message Count, rather than Message count which will include dead lettered
messaged.
https://docs.microsoft.com/en-us/azure/service-bus-messaging/message-counters
upvoted 3 times
  AnujD 1 week, 4 days ago

It
should be 'ActiveMessageCount' as that would be the actual 'unprocessed' message
count.
upvoted 2 times
Question #6 Topic 2
You have an on-premises network that contains a Hyper-V host named Host1. Host1 runs Windows Server 2016 and hosts 10 virtual machines
that run Windows
Server 2016.
You plan to replicate the virtual machines to Azure by using Azure Site Recovery.
You create a Recovery Services vault named ASR1 and a Hyper-V site named Site1.
You need to add Host1 to ASR1.
What should you do?
A.
✑ Download the installation file for the Azure Site Recovery Provider.
✑ Download the storage account key.
✑ Install the Azure Site Recovery Provider on each virtual machine and register the virtual machines.
B.
✑ Download the vault registration key.
✑ Install the Azure Site Recovery Provider on Host1 and register the server.
C.
✑ Download the storage account key.
✑ Install the Azure Site Recovery Provider on Host1 and register the server.
D.
✑ Download the vault registration key.
✑ Install the Azure Site Recovery Provider on each virtual machine and register the virtual machines.
Correct Answer: B
References:
https://docs.microsoft.com/en-us/azure/site-recovery/hyper-v-azure-tutorial
Currently there are no comments in this discussion, be the first to comment!
Question #7 Topic 2
You plan to migrate an on-premises Hyper-V environment to Azure by using Azure Site Recovery. The Hyper-V environment is managed by using
Microsoft
System Center Virtual Machine Manager (VMM).
The Hyper-V environment contains the virtual machines in the following table:
Which virtual machine can be migrated by using Azure Site Recovery?
A. FS1
B. CA1
C. DC1
D. SQL1
Correct Answer: D
References:

how
about A: FS1. It also meets all conditions with Option D.
upvoted 1 times

Linux
Generation 2 VMs aren't supported
upvoted 3 times
  [Removed] 6 months, 1 week ago

only
Windows is supported for Gen 2
upvoted 5 times
  kewl 5 months, 2 weeks ago

Yes
D is the correct answer
upvoted 4 times
  Hilly 6 months ago

Not
FS1 bec Gen 2 supports max os of 300GB
upvoted 3 times

Answer
was valid , but now it is not as Gen2 is supported now.
upvoted 2 times

So,
DC1 : Not supported as it is Gen2 && OS disk > 300 GB FS1 : Not
supported as it is Gen2 && Linux VM CA1 : Not supported as bit locker is
enabled SQL1: Supported
upvoted 23 times

Ekramy_Elnaggar is correct. The answer is still valid.
VHDx is only supported for Windows and the OS disk has to be less then 300GB
(VHD support is up to 2048 GB). So A and B are not possible to migrate and
because bitlocker is on in C only answer D is valid.
upvoted 2 times

Can not change my comments from eralier. I meant with
vhd = GEN1 machines with vhdx = GEN2 machine.
upvoted 2 times

thanks
for the explanation
upvoted 2 times

Correct
Answer: B Up to 300 GB OS disk size is supported for generation 2 VMs and
BitLocker is not enabled. Incorrect Answers: A: Only up to 300 GB OS disk size
is supported for generation 2 VMs. C: BitLocker must be disabled before you
enable replication for a VM. D: Linux Generation 2 VMs aren't
supported.
upvoted 2 times

Correct
Answer: SQL1 Up to 300 GB OS disk size is supported for generation 2 VMs and
BitLocker is not enabled. Incorrect Answers: DC1: Only up to 300 GB OS disk size
is supported for generation 2 VMs. CA1: BitLocker must be disabled before you
enable replication for a VM. FS1: Linux Generation 2 VMs aren't
supported.
upvoted 2 times

Correct
Answer: SQL1 Up to 300 GB OS disk size is supported for generation 2 VMs and
BitLocker is not enabled. Incorrect Answers: DC1: Only up to 300 GB OS disk size
is supported for generation 2 VMs. CA1: BitLocker must be disabled before you
enable replication for a VM. FS1: Linux Generation 2 VMs aren't
supported.
upvoted 1 times

Hi,
can anyone share the MS Docs about "FS1: Linux Generation 2 VMs aren't
supported." Thanks!
upvoted 1 times

https://docs.microsoft.com/bs-cyrl-ba/azure/virtual-machines/windows/generation-2
upvoted 1 times
  aimar047 1 day, 11 hours ago

Check VM Type line in the table
upvoted 1 times
Question #8 Topic 2
DRAG DROP -
You have an on-premises network that you plan to connect to Azure by using a site-to-site VPN.
In Azure, you have an Azure virtual network named VNet1 that uses an address space of 10.0.0.0/16. VNet1 contains a subnet named Subnet1
that uses an address space of 10.0.0.0/24.
You need to create a site-to-site VPN to Azure.
Select and Place:

There
is no drag and drop but here is the correct order for creating S2S VPN between
Azure VNET and on-premises VPN server. 1) Create VNET (if not created already)
2) Create Gateway subnet 3) Create Virtual Network gateway of VPN type, assign
Public IP to it in a process of creation 4) Create Local gateway (to represent
on-premises VPN server and far end subnets) 5) Create VPN connection
upvoted 30 times

Yes,
that's it :
https://blogs.technet.microsoft.com/canitpro/2017/06/28/step-by-step-configuring-a-site-to-site-vpn-gateway-between-azure-and-on-
premise/
upvoted 1 times

updated
version:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-portal
upvoted 1 times

I
think the address space need to be changed since it can overlap. 10.0.0.0/24 can
overlap with 10.0.0.0/16 ip addresses. eg: 10.0.0.5 overlaps in both address
space
upvoted 2 times

Those
are VNET and its subnet, which is correct. On-premise range not mentioned
here.
upvoted 4 times

1)
Create Gateway subnet 2) Create Virtual Network gateway of VPN type, assign
Public IP to it in a process of creation 3) Create Local gateway (to represent
on-premises VPN server and far end subnets) 4) Create VPN connection
upvoted 15 times

Correct.
Just found the graphic thats supposed to go with this.
https://www.itexams.com/exam/AZ-101 Question 5
upvoted 4 times
  HS007 3 months, 4 weeks ago

Answer
Area: Actions: *Create a gateway subnet *Create a custom DNS Server *Create a
local Gateway *Create an Azure Content Network (CDN)profile *Create a VPN
Gateway *Create a VPN connection Ekramy_Elnaggar answer is right.
upvoted 4 times

Select and Place / Drag and Dop is missing ;(
upvoted 1 times
  Andy001 2 months, 2 weeks ago

@Myk
has kindly provided a link to the full question -
https://www.itexams.com/exam/AZ-101 (Question 5)
upvoted 2 times
Question #9 Topic 2
You have an Azure subscription named Subscription1 that contains two Azure networks named VNet1 and VNet2. VNet1 contains a VPN gateway
named
VPNGW1 that uses static routing. There is a site-to-site VPN connection between your on-premises network and VNet1.
On a computer named Client1 that runs Windows 10, you configure a point-to-site VPN connection to VNet1.
You configure virtual network peering between VNet1 and VNet2. You verify that you can connect to VNet2 from the on-premises network. Client1
is unable to connect to VNet2.
You need to ensure that you can connect Client1 to VNet2.
What should you do?
A. Select Allow gateway transit on VNet1.
B. Download and re-install the VPN client configuration package on Client1.
C. Enable BGP on VPNGW1.
D. Select Allow gateway transit on VNet2.
Correct Answer: B
References:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-point-to-site-routing

A
should be the correct answer
upvoted 1 times

agreed,
once transit is enable access to vnet2 will work
upvoted 1 times

Question
implies the config of azure networks changed, so B. Other device works so
gateway transit already is on.
upvoted 12 times
  Bonna 4 months ago

Agree
Clients using Windows can access directly peered VNets, but the VPN client must
be downloaded again if any changes are made to VNet peering or the network
topology. Non-Windows clients can access directly peered VNets. Access is not
transitive and is limited to only directly peered VNets.
upvoted 4 times
Agree
with Benkyoujin Clients using Windows can access directly peered VNets, but
the VPN client must be downloaded again if any changes are made to VNet peering
or the network topology. Non-Windows clients can access directly peered VNets.
Access is not transitive and is limited to only directly peered VNets.
upvoted 3 times

For
point-to-site connections Follow the steps in: Configure VPN gateway transit for
virtual network peering. After virtual network peering is established or
changed, download and reinstall the point-to-site package so that the
point-to-site clients get the updated routes to the spoke virtual network.
Courtsey =
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-troubleshoot-peering-issues
upvoted 3 times

Answer
is B. SSTP is only supported on Windows. If you make a change to the topology of
your network and have Windows VPN clients, the VPN client package for Windows
clients must be downloaded and installed again in order for the changes to be
applied to the client.
upvoted 6 times
  silverdeath 1 month, 1 week ago

there
is no correct answer, you can check the documentation below, since the routing
is static (policy-based)
https://docs.microsoft.com/en-us/azure/vpn-gateway/point-to-site-about Can I
have Site-to-Site and Point-to-Site configurations coexist for the same virtual
network? Yes. For the Resource Manager deployment model, you must have a
RouteBased VPN type for your gateway. For the classic deployment model, you need
a dynamic gateway. We do not support Point-to-Site for static routing VPN
gateways or PolicyBased VPN gateways.
upvoted 2 times
HOTSPOT -
Your company has offices in New York and Los Angeles.
You have an Azure subscription that contains an Azure virtual network named VNet1. Each office has a site-to-site VPN connection to VNet1.
Each network uses the address spaces shown in the following table:
You need to ensure that all Internet-bound traffic from VNet1 is routed through the New York office.
Hot Area:
Correct Answer:

I
believe that on the on-prem network we should select 0.0.0.0 so that the
Internet traffic can flow through the VPN.
upvoted 2 times

0.0.0.0
will allow traffic from any source including other networks.
upvoted 8 times

0.0.0.0/0
is correct as MS docs says -
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-forced-tunneling-rm
upvoted 2 times

https://docs.microsoft.com/en-us/powershell/module/azurerm.network/set-azurermvirtualnetworkgatewaydefaultsite?view=azurermps-6.13.0
upvoted 1 times
  jf23fj3o 3 months, 1 week ago

the 192.168.0.0/20 network is the traffic selector on
the on prem site, so that it knows to put that traffic on the VPN.
192.168.0.0/20 is the correct selection
upvoted 5 times

No,
its 0.0.0.0/0 Read here -
upvoted 1 times

"Also, the on-premises VPN device must be configured using 0.0.0.0/0 as traffic
selectors."
upvoted 6 times

You need to set a "default site" among the
cross-premises local sites connected to the virtual network. Also, the
on-premises VPN device must be configured using 0.0.0.0/0 as traffic selectors.
upvoted 2 times

You
need to set a "default site" among the cross-premises local sites connected to
the virtual network. Also, the on-premises VPN device must be configured using
0.0.0.0/0 as traffic selectors. Ref :
upvoted 2 times

Shouldn't
it be 0.0.0.0 to allow all traffic?
upvoted 3 times

The
Set-AzureRmVirtualNetworkGatewayDefaultSite cmdlet assigns a forced tunneling
default site to a virtual network gateway. Forced tunneling provides a way for
you to redirect Internet-bound traffic from Azure virtual machines to your
on-premises network;
upvoted 3 times
  AnilV 2 weeks, 2 days ago

Forced tunneling must be associated with a VNet that has a route-based VPN
gateway. You need to set a "default site" among the cross-premises local sites
connected to the virtual network. Also, the on-premises VPN device must be
configured using 0.0.0.0/0 as traffic selectors.
upvoted 2 times

On-premises
VPN device must be configured using 0.0.0.0/0 as traffic selectors. SO other 2
options are wrong.
upvoted 4 times
  xpuneet 1 day, 1 hour ago

0.0.0.0./0
is correct answer
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-vpn-faq Can I
advertise default route (0.0.0.0/0) to Azure VPN gateways? Yes. Please note this
will force all VNet egress traffic towards your on-premises site, and will
prevent the VNet VMs from accepting public communication from the Internet
directly, such RDP or SSH from the Internet to the VMs.
upvoted 1 times
You have a Microsoft SQL Server Always On availability group on Azure virtual machines.
You need to configure an Azure internal load balancer as a listener for the availability group.
What should you do?
A. Create an HTTP health probe on port 1433.
B. Set Session persistence to Client IP.
C. Set Session persistence to Client IP and protocol.
D. Enable Floating IP.
Correct Answer: D
References:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/sql/virtual-machines-windows-portal-sql-alwayson-int-listener

Step
4: Set the load balancing rules The load balancing rules configure how the load
balancer routes traffic to the SQL Server instances. For this load balancer, you
enable direct server return because only one of the two SQL Server instances
owns the availability group listener resource at a time. Floating IP (direct
server return) Enabled
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/sql/virtual-machines-windows-portal-sql-alwayson-int-listener
upvoted 9 times

Answer
should be A
upvoted 2 times

D
is correct. The rule uses TCP and not HTTP.
upvoted 3 times
You set the multi-factor authentication status for a user named admin1@contoso.com to Enabled.
Admin1 accesses the Azure portal by using a web browser.
Which additional security verifications can Admin1 use when accessing the Azure portal?
A. an app password, a text message that contains a verification code, and a verification code sent from the Microsoft Authenticator app
B. a phone call, a text message that contains a verification code, and a notification or a verification code sent from the Microsoft
Authenticator app
C. a phone call, an email message that contains a verification code, and a text message that contains an app password
D. an app password, a text message that contains a verification code, and a notification sent from the Microsoft Authenticator app
Correct Answer: B
References:

App
passwords MFA only in certain cases
upvoted 1 times

Why
not D..Looks fine..Use a Password and then a MFA using Text and notification
using App password
upvoted 1 times

because
the Microsoft authenticator app has both notification and code
capability.
upvoted 1 times
HOTSPOT -
You have an Azure Active Directory (Azure AD) tenant that contains three global administrators named Admin1, Admin2, and Admin3.
The tenant is associated to an Azure subscription. Access control for the subscription is configured as shown in the Access control exhibit. (Click
the Exhibit tab.)
You sign in to the Azure portal as Admin1 and configure the tenant as shown in the Tenant exhibit. (Click the Exhibit tab.)
For each of the following statement, select Yes if the statement is true. Otherwise, select No.
Hot Area:
  anotherman88 4 months, 2 weeks ago

Options
and answers are: Admin 1 can add Admin 2 as owner of the subscription = YES
Admin 2 can add Admin 1 as owner of the subscription = NO Admin 2 can create a
resource group in the subscription = NO
upvoted 3 times

Only
admin3 is owner, then admin1 and 2 cannot add someone as owner. It seems nor
admin1 and 2 have rights on the subscription, then cannot even create a resource
group. Isn't it ? Then answer is 3 times NO.
upvoted 2 times

Options
and answers are: Admin 1 can add Admin 2 as owner of the subscription = No
Admin 2 can add Admin 1 as owner of the subscription = NO Admin 2 can create a
resource group in the subscription = yes
upvoted 3 times

I
mean to YES, NO, NO You are signed in as Admin1so only admin1 can perform
those
upvoted 2 times

Reference:
https://docs.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin
All global admin doesnt have default access to All Azure Subscriptions, but
they can get access using elevated access.
upvoted 2 times

This
article said: As a Global Administrator in Azure Active Directory (Azure AD),
you might not have access to all subscriptions and management groups in your
directory. Then, Admin1 can't add Admin2, and viceversa by default. So, It's
mean NO, NO, NO.
upvoted 3 times
  Lubomir 2 months, 2 weeks ago

Admin1
did elevate his access (has this option YES set on the picture). Therefore it
should be Yes, No, No. Elevate access for a Global Administrator - Under Access
management for Azure resources, set the toggle to Yes. When you set the toggle
to Yes, you are assigned the User Access Administrator role in Azure RBAC at
root scope (/). This grants you permission to assign roles in all Azure
subscriptions and management groups associated with this Azure AD directory.
This toggle is only available to users who are assigned the Global Administrator
role in Azure AD.
upvoted 3 times

Answer
is No, No Yes Here are the reasons, Admin 1 and 2 are not owner of the
subscription and therefore cannot add each other, only admin 3 can do that
Assign a subscription administrator "To make a user an administrator of an
Azure subscription, an existing administrator assigns them the Owner role (an
RBAC role) at the subscription scope. The Owner role gives the user full access
to all resources in the subscription, including the right to delegate access to
others."
https://docs.microsoft.com/en-us/azure/cost-management-billing/manage/add-change-subscription-administrator
upvoted 3 times

I
stand corrected to my previous answer. I would now say Yes, Yes, Yes based on
the exhibit shown and the passage relating to Elevated Privileges found in the
article below: "When you set the toggle to Yes, you are assigned the User
Access Administrator role in Azure RBAC at root scope (/). This grants you
permission to assign roles in all Azure subscriptions and management groups
associated with this Azure AD directory. This toggle is only available to users
who are assigned the Global Administrator role in Azure AD."
https://docs.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin
upvoted 2 times

Answer is Yes/No/No since only admin1 elevated its role
to /(root).
upvoted 5 times
  Corona_Virus 1 month, 1 week ago

Answer
Area
https://www.examtopics.com/discussions/microsoft/view/5902-exam-az-103-topic-1-question-9-discussion/
upvoted 3 times
  ArulLivingston 1 week, 6 days ago

Options
and answers are: Admin 1 can add Admin 2 as owner of the subscription = YES
Admin 2 can add Admin 1 as owner of the subscription = YES Admin 2 can create a
resource group in the subscription = NO
upvoted 3 times
  2cool2touch 1 week, 4 days ago

Upvoting
Global Admins can elevate themselves so Admin1 and Admin2 should be yes. Global
Admin (User Access Administrator) dont have rights to create
(https://docs.microsoft.com/en-us/azure/governance/management-groups/overview#management-group-access).
Admin2 cant create a resource group without getting additional rights which is
not mentioned in the scenario. so Y/Y/N
upvoted 2 times

All administrators must enter a verification code to access the Azure portal.
You need to ensure that the administrators can access the Azure portal only from your on-premises network.
What should you configure?
A. the default for all the roles in Azure AD Privileged Identity Management
B. an Azure AD Identity Protection user risk policy
C. an Azure AD Identity Protection sign-in risk policy
D. the multi-factor authentication service settings
Correct Answer: D
References:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings

I
don't think it's D. That applies to disabling MFA for connections from trusted
IPs, not to whitelisting access.
upvoted 1 times

correct.
i dont think right option is here
upvoted 1 times

Poorly
worded or incorrect? I don’t know if they are really meaning to ask about
trusted IPs or setting the portal ‘app’ to require MFA, etc.
upvoted 1 times

This
requires : location condition in Azure Active Directory Conditional Access , but
I don't see this option in the question!
upvoted 2 times

Answer
is C Administrators can also choose to create a custom Conditional Access policy
including sign-in risk as an assignment condition. Ref:
https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-policies
upvoted 13 times

Agree
with comments here suggesting none of the answers are technically correct. The
only way to implement this is to configure a Conditional Access Policy, but this
is none of the options listed. Also Risky sign-ins or Users only shows alerts,
and does not enforce anything.
upvoted 1 times

Apologies,
it seems Ekramy is right, option C - as you can in fact configure Sign-in Risk
policies that could apply to admins based on sign-in location, etc.
upvoted 1 times

Answer
is D. The Trusted IPs feature of Azure Multi-Factor Authentication is used by
administrators of a managed or federated tenant. The feature bypasses two-step
verification for users who sign in from the company intranet. Ref:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings
upvoted 6 times

D
is the right answer.
upvoted 2 times
  thirstylion 2 months, 1 week ago

There
are two ways of doing it, conditional access and service settings. Conitional
access is a premium feature. I think D is the correct answer.
upvoted 2 times

Answer is D: Azure added the public IP address as a port
of MFA, which is very weak.
upvoted 2 times
  SaurabhAzure 2 months ago

The
answer is certainly not D(multi factor authentication), because no where in the
question it is mentioned that we need MFA. All we need is to have a conditional
access policy. This can be achieved by option C
upvoted 4 times

that
can be done only with the conditional access policy
upvoted 1 times
  timguy 1 week, 2 days ago

also
exams in whizlab say D. Mut maybe they are copieng from here.
upvoted 1 times
You have an Azure subscription named Subscription1 that contains a virtual network named VNet1. VNet1 is in a resource group named RG1.
Subscription1 has a user named User1. User1 has the following roles:
✑ Reader
✑ Security Admin
✑ Security Reader
You need to ensure that User1 can assign the Reader role for VNet1 to other users.
What should you do?
A. Assign User1 the Owner role for VNet1.
B. Assign User1 the Network Contributor role for VNet1.
C. Remove User1 from the Security Reader and Reader roles for Subscription1. Assign User1 the Contributor role for Subscription1.
D. Remove User1 from the Security Reader and Reader roles for Subscription1.
Correct Answer: A

B
is currect.
upvoted 1 times

Wrong.
If you just give it Network Contributor role for Vnet1 the addrole / add co
administrator functionality is disabled.
upvoted 6 times

You
are right! Sorry my mistake
upvoted 2 times
HOTSPOT -
You are creating an app that uses Event Grid to connect with other services. Your app's event data will be sent to a serverless function that checks
compliance.
This function is maintained by your company.
You write a new event subscription at the scope of your resource. The event must be invalidated after a specific period of time.
You need to configure Event Grid to ensure security.
What should you implement? To answer, select the appropriate options in the answer area.
Hot Area:

References:
https://docs.microsoft.com/en-us/azure/event-grid/security-authentication
  anotherman88 4 months, 2 weeks ago

Options
and Solution: WebHook Event Delivery = SAS Tokens Topic Publishing = Validation
Code Handshake
upvoted 4 times

anotherman88
is correct Here is a brief explnanation SAS tokens Custom topics use either
Shared Access Signature (SAS) or key authentication. Microsoft recommends SAS,
but key authentication provides simple programming, and is compatible with many
existing webhook publishers. In this case we need the expiration time provided
by SAS tokens. ValidationCode handshake Event Grid supports two ways of
validating the subscription: ValidationCode handshake (programmatic) and
ValidationURL handshake (manual). If you control the source code for your
endpoint, this method is recommended References:
https://docs.microsoft.com/en-us/azure/event-grid/security-authentication
upvoted 7 times

Q#6 here is
the full question :
https://www.examtopics.com/exams/microsoft/az-202/view/7/
upvoted 5 times

Check
upvoted 1 times

Isn't
the other way around? WeHook uses ValidationCode handshake (programmatic) and
ValidationURL handshake (manual) ->
https://docs.microsoft.com/en-us/azure/event-grid/security-authentication#webhook-event-delivery
Custom Topic uses SAS and Key authentication -->
https://docs.microsoft.com/en-us/azure/event-grid/security-authentication#custom-topic-publishing
upvoted 4 times
You are building a custom Azure function app to connect to Azure Event Grid.
You need to ensure that resources are allocated dynamically to the function app. Billing must be based on the executions of the app.
What should you configure when you create the function app?
A. the Windows operating system and the App Service plan hosting plan
B. the Docker container and an App Service plan that uses the B1 pricing tier
C. the Windows operating system and the Consumption plan hosting plan
D. the Docker container and an App Service plan that uses the S1 pricing tier
Correct Answer: C
References:
https://docs.microsoft.com/en-us/azure/azure-functions/functions-scale

Answer
is C: The main word that gives it away is billing only based on function
execution. It is the consumption(dynamic) plan of function apps that gives you
that behavior.
upvoted 3 times

The
other options are based on an app service plan with a pre-warmed
instance
upvoted 1 times
  GCOz 3 weeks, 6 days ago

Would
there is a charge for Windows Server which will be recurring irrespective or
function being used? Please suggest.
upvoted 1 times

https://docs.microsoft.com/en-us/azure/azure-functions/functions-scale
"When you're using the Consumption plan, instances of the Azure Functions host
are dynamically added and removed based on the number of incoming events.
"
upvoted 1 times
You have an Azure Service Bus.

You need to implement a Service Bus queue that guarantees first-in-first-out (FIFO) delivery of messages.
What should you do?
A. Enable partitioning
B. Enable duplicate detection
C. Set the Lock Duration setting to 10 seconds
D. Enable sessions
E. Set the Max Size setting of the queue to 5 GB
Correct Answer: D
References:
https://docs.microsoft.com/en-us/azure/service-bus-messaging/service-bus-azure-and-service-bus-queues-compared-contrasted
  mihlo74 3 months, 1 week ago

it
would be "D" as in service bus queues, we can guarantee FIFO through the use of
messaging sessions). Reference:
https://docs.microsoft.com/en-us/azure/service-bus-messaging/service-bus-azure-and-service-bus-queues-compared-contrasted
upvoted 6 times

https://docs.microsoft.com/en-us/azure/service-bus-messaging/message-sessions
upvoted 1 times

You have an Azure subscription that contains a policy-based virtual network gateway named GW1 and a virtual network named VNet1.
You need to ensure that you can configure a point-to-site connection from VNet1 to an on-premises computer.
Which two actions should you perform? Each correct answer presents part of the solution.
A. Add a service endpoint to VNet1.
B. Add a public IP address space to VNet1.
C. Create a route-based virtual network gateway.
D. Reset GW1.
E. Delete GW1.
F. Add a connection to GW1.
Correct Answer: CE
  Babin 5 months ago

Listed
answers are wrong. Atleast option B is correct.
upvoted 1 times
  jesaca7 4 months, 4 weeks ago

From:
https://docs.microsoft.com/en-us/azure/vpn-gateway/point-to-site-about ***We do
not support Point-to-Site for static routing VPN gateways or PolicyBased VPN
gateways. As in the questions it says: policy-based virtual network gateway
named GW1 will not be valid with the config
upvoted 8 times

Agree
with jasaca7
upvoted 1 times

Correct.
And answer is correct as well:
https://www.linkedin.com/pulse/route-based-vpn-vs-policy-based-aka-dynamic-static-more-shawn-travers
upvoted 4 times

Can
I update my policy-based VPN gateway to route-based? No. An Azure Vnet gateway
type cannot be changed from policy-based to route-based or the other way. The
gateway must be deleted and recreated, a process taking around 60 minutes. The
IP address of the gateway will not be preserved nor will the Pre-Shared Key
(PSK). Delete any connections associated with the gateway to be deleted. Delete
the gateway: Azure portal Azure PowerShell Azure PowerShell - classic Create a
new gateway of the type you want and complete the VPN setup.
upvoted 2 times

Given
answer is correct.. You can't modify the policy based one to route, you need to
delete the gateway and create a new route based one.
upvoted 1 times

DRAG DROP -
You have an on-premises network that includes a Microsoft SQL Server instance named SQL1.
You create an Azure Logic App named App1.
You need to ensure that App1 can query a database on SQL1.
Select and Place:
Correct Answer:
References:
https://docs.microsoft.com/en-us/azure/logic-apps/logic-apps-gateway-connection
  evanadarsh 5 months, 2 weeks ago

https://docs.microsoft.com/en-us/azure/logic-apps/logic-apps-gateway-connection
upvoted 7 times
DRAG DROP -
You are designing a solution to secure a company's Azure resources. The environment hosts 10 teams. Each team manages a project and has a
project manager, a virtual machine (VM) operator, developers, and contractors.
Project managers must be able to manage everything except access and authentication for users. VM operators must be able to manage VMs, but
not the virtual network or storage account to which they are connected. Developers and contractors must be able to manage storage accounts.
You need to recommend roles for each member.
What should you recommend? To answer, drag the appropriate roles to the correct employee types. Each role may be used once, more than once,
or not at all.
You may need to drag the split bar between panes or scroll to view content.
Select and Place:
Correct Answer:
DRAG DROP -
You have an Azure subscription that contains an Azure Service Bus named Bus1.
Your company plans to deploy two Azure web apps named App1 and App2. The web app will create messages that have the following
requirements:
✑ Each message created by App1 must be consumed by only a single consumer.
✑ Each message created by App2 will consumed by multiple consumers.
Which resource should you create for each web app? To answer, drag the appropriate resources to the correct web apps. Each resource may be
used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
Select and Place:
Correct Answer:

Queue-Single Consumer Topics-Multiple Consumers
https://docs.microsoft.com/en-us/azure/service-bus-messaging/service-bus-queues-topics-subscriptions
upvoted 5 times
You have an Azure subscription that contains the resources shown in the following table.
Subnet1 is on VNET1. VM1 connects to Subnet1.

You plan to create a virtual network gateway on VNET1.
You need to prepare the environment for the planned virtual network gateway.
What are two ways to achieve this goal? Each correct answer presents a complete solution.
A. Modify the address space used by VNET1.
B. Modify the address space used by Subnet1.
C. Create a subnet named GatewaySubnet on VNET1.
D. Create a local network gateway.
E. Delete Subnet1.
Correct Answer: AE

maybe
A and B as we can change subnet size and add the GW
upvoted 6 times

As
it is two ways to achieve the goal assume A and B will be the correct
answer
upvoted 4 times
  DP80 3 weeks, 4 days ago

B
is wrong! You can't change the size of an existing subnet. Tried it out my self
on Azure portal.
upvoted 3 times
  pinox1 6 months, 2 weeks ago

A
and C
upvoted 19 times

Yes,
it's right, I did in Lab.
upvoted 2 times

yes,
We cannot delete Subnet1 not modify it if it has attached resources (VM1 in our
case) - I've tried local network gateways does't make sense. We do can modify
VNET address space (I've tried)
upvoted 3 times

you
can modify it to make it larger, i have tried that /16
upvoted 2 times

Wrong!
The answer is A & E. Read the question carefully - "Each correct answer
presents a complete solution". On the other hand, the question is about
preparing it but not adding the gateway - "You need to prepare the environment
for the planned virtual network gateway". Answer A & E are the two different
ways of preparation.
upvoted 4 times

C
is mandatory..
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-vpn-faq#do-i-need-a-gatewaysubnet
upvoted 3 times

No,
the question is about preparing it but not adding the gateway - "You need to
prepare the environment for the planned virtual network gateway". So, C is
wrong!
upvoted 1 times

A:
The whole Vnet address space is used for Subnet1, and we need to have an address
space for GatewaySubnet C: VPN Gateway nust have a GatewaySubnet
upvoted 2 times
  petermogaka91 1 week, 1 day ago

yeah,
but subnet1 takes all the address space, so no room to create a subnet. A and E
are correct. It's all about having space for the gateway subnet
upvoted 1 times
  ChinaBandit 5 months, 2 weeks ago

It's
B and C. VNET address space cannot be modified. Solution is to shrink existing
Subnet (B). And then create the GatewaySubnet in the saved space. (C)
upvoted 2 times
  cjsammaejs 5 months, 1 week ago

I
believe VNET address space can be modified after its creation.
upvoted 2 times

It
can be, only if there is no peering.
upvoted 1 times
  ChinaBandit 5 months ago

Thanks
for the replies. I have double checked this
https://docs.microsoft.com/en-us/azure/virtual-network/manage-virtual-network#add-or-remove-an-address-range
So i think the right answer would be to extend VNET1 by change the CIDR from
/24 to e.g. /16.
upvoted 2 times
  gemaad26 1 week, 2 days ago

with the given CIDR block that cannot be done. I tried
it.
upvoted 1 times

IMHO
the key piece in the question is that you are preparing the environment to
create the gateway. Not actually creating the gateway. Two ways to prepare the
environment are to either delete the subnet or to resize the subnet.
upvoted 5 times
  sigma 5 months ago

Agreed
upvoted 1 times

Answer
is correct [ A, E ] , will explain : A. Modify the address space used by VNET1
>>> an option B. Modify the address space used by Subnet1 >>>
not an option as you can't modify subnet address after creating it, you can only
delete the whole subnet. C. Create a subnet named GatewaySubnet on VNET1
>>> this is an implementation step for the GW and the question asking
for preparation steps, not implementation steps. D. Create a local network
gateway. >>> >> this is an implementation step for the GW and the
question asking for preparation steps, not implementation steps E. Delete
Subnet1. >> an option ( as then you have free space to create the
GatewaySubnet and also you can later create small subnet for the VMs )
upvoted 17 times

C
is preparation step (pre-requisite) for VNG. A & C
upvoted 2 times

onlyfunmails
is correct. Once subnet is deleted a new one can be created which takes less ips
and then there will be room for a GW
upvoted 1 times
  sameer2803 4 weeks ago

you
can perform the step C only when step B is done. and they are asking for first
two steps. so C is correct but stands as third step. so the first two is A and
E
upvoted 1 times
  Karls 4 months ago

A,
E are correct. Question says "Each correct answer presents a COMPLETE
solution".
upvoted 4 times

Sorry,
I don't sure about E is a correct solution. Question said: Each answer presents
a COMPLETE solution. A: It's correct because we can add new address space to a
subnet. => OK B: It's correct too if we think that VM is not associate with
subnet01 ("in table: address space - Not applicable"). If we think that it isn't
associate, we can modify subnet if it don't any any VM associate (I checked).
Then, we can modify 10.1.1.0/24 to a new subnet with less IPs, changing address
space to 10.1.1.0/25. In this way, we have subnet1 from 10.1.1.0 to 10.1.1.127
ip address. Then we will have an address space from 10.1.1.128 to 10.1.1.255
free. So, we can create GatewaySubnet for example with 10.1.1.128/28 address
space. E: Deleted Subnet1. We can do this solution only if subnet1 don't have
any VM associate, else we can't deleted. So, if there isn't a VM then is better
solution B and modify subnet, because if we deleted subnet1 we can create a
Gatewaysubnet but we already need subnet1 to attach the VM.
upvoted 1 times

B.
Modify the address space used by Subnet1 >>> not an option as it is
being used by VM1. In case subnet is not used by any resource, address range can
be changed.
upvoted 1 times

Assuming
that Subnet1 is already used by other resources like VMs, but if not used then
its address space can be modified easily . tricky question :)
upvoted 1 times

I
mean , there is VM1 in the exhibit , so assuming that VM1 has an IP from Subnet1
>> then you can't modify the address space of Subnet1 !
upvoted 1 times

VM1
address space is not applicable, so it is powered off. we can delete
subnet1
upvoted 2 times

So
thinking again, it should be [ A ,C ] LOL
upvoted 4 times
  tester18128075 4 months, 3 weeks ago

A
and C are correct. VNET address space can be updated. New ranges can also be
added.
upvoted 1 times

The
question says , two ways to prepare for the implementaion and each is a complete
solution. The problem here is that the subnet is cunsuming the whole adress
space. so the tow ways to solve the problem are: 1- modify the adress space to
have the space to be able to create gateway subnet afterwards 2- delete the
subnet, so we can create smaller subnet. please note that we cannot modify a
used subnet
upvoted 2 times

also,
we can delete the subnet as the VM is poweredoff as shown int table.
upvoted 1 times

A-E
is correct. Think issue is clear. We do not have an subnet for the gw. - A is
one way, so the address space could be extendend and we can create a new subnet
for the gw. - B can not be correct, because a subnet does not have an adress
space. it has an address range. - C can not be correct because we have not
subnet free in this virtual network. - D is the second way how we can handle
this issue. Because through the deletion we can create a new subnet with a
smaller ip range, so we have enough ip´s for the gw network.
upvoted 3 times

sorry
meant "e" is the seocnd way how we can handle this issue.
upvoted 1 times
  abcdefghijkl 3 months, 1 week ago

A
and D, First modify the Address Space of VNET1 (eg. /24 to /23) and then create
GW subnet on VNET1 (got available space from CIDR /23)
upvoted 1 times

Answer is A/E
upvoted 2 times

I was wrong. It's A/C. Once a VM is attached to a Vnet,
the Vnet cannot be either modified or deleted until the VM's interface gets
removed.
upvoted 3 times
  vrana 2 weeks, 6 days ago

it
is A & E. B not possible because a VM is attached to it. C will be needed
but that is second step and before that, either A or E has to be done. Since
question asks for 2 answers, hence A & E.
upvoted 2 times

The
only two things you can do from the list (Without extra un-listed steps) is: A -
Modify the address space used by VNET1. C - Create a subnet named GatewaySubnet
on VNET1. While agree with the logic of implementation vs prepare, this is a
Microsoft test and they like what can be done with the info given. So I have ti
dismiss the logic and go down this path of A & C Why are the other wrong? B
- " Modify the address space used by Subnet1." - Just not possible D - "Create a
local network gateway." - Not part of the solution E - "Delete Subnet1." - Would
require extra steps to handle the attached VM1
upvoted 1 times
  pieixoto 2 weeks, 1 day ago

By your own logic you are sunk on C as well. You cannot
create the gateway subnet on VNET1 while the entire address space of VNET1 is in
use by Subnet1. Each answer must be a COMPLETE solution to the
question.
upvoted 1 times

Right
ans A and C. because you can edit VNET address and just make it /16. You can not
delete subnet1 because VM is assigned to it. So 2nd correct option is create
Gateway subnet and you already created space in VNET by making it /16 so a new
subnet can be accomodated.
upvoted 2 times

you can delete a subnet. Question is - 2 ways to prep.
one way to modify the VNET address and other way to delete the subnet, so that
GW can be added.
upvoted 1 times
  BenDova 1 week, 3 days ago

You
need 2 complete solutions to accomodate the gateway subnet: Either increase the
vnet address space or delete subnet1.
upvoted 2 times
  kpham 1 week, 3 days ago

A&E
are the right answers. C - created subnet named "GatewaySubnet" and it's not
gateway subnet.
upvoted 1 times
A company hosts virtual machines (VMs) in an on-premises datacenter and in Azure. The on-premises and Azure-based VMs communicate using
ExpressRoute.
The company wants to be able to continue regular operations if the ExpressRoute connection fails. Failover connections must use the Internet and
must not require Multiprotocol Label Switching (MPLS) support.
You need to recommend a solution that provides continued operations.
What should you recommend?
A. Set up a second ExpressRoute connection.
B. Increase the bandwidth of the existing ExpressRoute connection.
C. Increase the bandwidth for the on-premises internet connection.
D. Set up a VPN connection.
Correct Answer: D
References:
https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/expressroute-vpn-failover

Why
not A?
upvoted 1 times

"Failover
connections must use the Internet" so VPN
upvoted 6 times
Failover
must not use MPLS, express route uses MPLS. So A is wrong. D is right
upvoted 4 times

Failover
connections must use the Internet and must not require Multiprotocol Label
Switching (MPLS) support, ExpressRoute requires MPLS from an ISP so A does not
work. D is the correct answer, you can set up site-to-site VPN between beween
azure and onpremise
upvoted 6 times
You have a web app named WebApp1 that uses an Azure App Service plan named Plan1. Plan1 uses the D1 pricing tier and has an instance count
of 1.
You need to ensure that all connections to WebApp1 use HTTPS.
A. Scale up Plan1.
B. Modify the connection strings for WebApp1.
C. Scale out Plan1.
D. Disable anonymous access to WebApp1.
Correct Answer: A
The D1 (Shared) pricing tier does not support HTTPS.

Just
to use SSL, why can't D1 plan use SSL? Using the default azurewebsites.net
domain you can work with SSL.
https://azure.microsoft.com/en-us/pricing/details/app-service/windows/
upvoted 2 times

No,
because Shared plan don't include SSL
https://azure.microsoft.com/en-us/pricing/details/app-service/plans/ So
proposed solution is correct, you need to scale up to Basic
upvoted 4 times

A
is correct. Have to scale up plan
upvoted 4 times

You have an Azure subscription that contains an Azure Service Fabric cluster and a Service Fabric application named FabricApp.
You develop and package a Service Fabric application named AppPackage. AppPackage is saved in a compressed folder named AppPackage.zip.
You upload AppPackage.zip to an external store.
You need to register AppPackage in the Azure subscription.
A. Run the New-ServiceFabricApplication cmdlet.
B. Repackage the application in a file named App.sfpkg.
C. Create a new Service Fabric cluster.
D. Copy AppPackage.zip to a blob storage account.
Correct Answer: B
References:
https://docs.microsoft.com/en-us/azure/service-fabric/service-fabric-package-apps#create-an-sfpkg
HOTSPOT -
Your company runs several Windows and Linux virtual machines (VMs).
You must design a solution that implements data privacy, compliance, and data sovereignty for all storage uses in Azure. You plan to secure all
Azure storage accounts by using Role-Based Access Controls (RBAC) and Azure Active Directory (Azure AD).
You need to secure the data used by the VMs.
Which solution should you use? To answer, select the appropriate solutions in the answer area.
Hot Area:
Correct Answer:
References:
https://docs.microsoft.com/en-us/azure/security/security-storage-overview
You develop an entertainment application where users can buy and trade virtual real estate. The application must scale to support thousands of
users.
The current architecture includes five Azure virtual machines (VM) that connect to an Azure SQL Database for account information and Azure
Table Storage for backend services. A user interacts with these components in the cloud at any given time.
✑ Routing Service "" Routes a request to the appropriate service and must not persist data across sessions.
✑ Account Service "" Stores and manages all account information and authentication and requires data to persist across sessions
✑ User Service "" Stores and manages all user information and requires data to persist across sessions.
✑ Housing Network Service "" Stores and manages the current real-estate economy and requires data to persist across sessions.
✑ Trade Service "" Stores and manages virtual trade between accounts and requires data to persist across sessions.
Due to volatile user traffic, a microservices solution is selected for scale agility.
You need to migrate to a distributed microservices solution on Azure Service Fabric.
Solution: Create a Service Fabric Cluster with a stateful Reliable Service for each component.
A. Yes
B. No
Correct Answer: B
  Babin 3 months, 4 weeks ago

There
are no explanation or links references given. Why not option A?
upvoted 1 times
Because
the Routing service says it must be stateless therefore a stateful solution
won't work.
upvoted 11 times
users.
Trade Service "" Stores and manages virtual trade between accounts and requires data to persist across sessions.
Solution: Create a Service Fabric Cluster with a stateless Reliable Service for Routing Service. Create stateful Reliable Services for all other
components.
A. Yes
B. No
Correct Answer: A
users.
Solution: Create a Service Fabric Cluster with a stateful Reliable Service for Routing Service. Deploy a Guest Executable to Service Fabric for each
component.
A. Yes
B. No
Correct Answer: B

Routing
Service requirement = "must not persist data across sessions." Stateful would
keep that data
upvoted 2 times
DRAG DROP -
You are developing a web app that uses a REST interface to connect to Azure Storage with HTTPS. This app uploads and streams video content
that can be accessed from anywhere in the world.
You have different storage requirements for each part of the app. A hierarchical namespace must be created.
Which storage services should you implement? To answer, select the appropriate services to the correct actions. Each service may be used once,
more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
Select and Place:
Correct Answer:
Streaming video content
https://azure.microsoft.com/en-in/solutions/architecture/digital-media-video/
Random R/W - Page Blobs
https://docs.microsoft.com/en-us/rest/api/storageservices/understanding-block-blobs--append-blobs--and-page-blobs
Access application data from anywhere
https://docs.microsoft.com/en-us/azure/storage/common/storage-decide-blobs-files-disks
upvoted 7 times
You create an Azure Time Series Insights event handler. You need to send data over the network as efficiently as possible and optimize query
performance.
What should you do?
A. Create a query plan
B. Send all properties
C. Use a Tag ID
D. Use reference data
Correct Answer: D
References:
https://docs.microsoft.com/en-us/azure/time-series-insights/how-to-shape-query-json

Answer
D: see
https://docs.microsoft.com/en-us/azure/time-series-insights/time-series-insights-add-reference-data-set
upvoted 2 times

can
you explain, the link you mentioned does not explain the scenario, how creating
a reference data set , sends dat over the network??
upvoted 1 times

The
link describes reference data as a way to "reduce the number of bytes
transferred over the network" thus best answering the question's requirement
which is to "send data over the network as efficiently as possible". Also, in
the link for scenario one, it describes reference data as joining two attributes
(messageId and deviceLocation) which meets the question's requirement to
optimize query performance. The answer is D.
upvoted 4 times

I'd
say this reference:
https://docs.microsoft.com/en-us/azure/time-series-insights/how-to-shape-query-json
is more clear... it points best practices and why, for both, improve performance
and also Send data over the network as efficiently as possible, so D is
ok
upvoted 2 times

I
think this is from Azure IOT and this topic isn't included in AZ-300.
upvoted 3 times
You are creating an IoT solution using Azure Time Series Insights.
You configure the environment to ensure that all data for the current year is available.
What should you do?
A. Add a disaster recovery (DR) strategy.
B. Set a value for the Data retention time setting.
C. Change the pricing tier.
D. Create a reference data set.
Correct Answer: D

Answer:
B Set the data retention value
upvoted 11 times

Answer
is B Each of your Azure Time Series Insights environments has a setting that
controls Data retention time. The value spans from 1 to 400 days. The data is
deleted based on the environment storage capacity or retention duration,
whichever comes first. Ref:
https://docs.microsoft.com/en-us/azure/time-series-insights/time-series-insights-concepts-retention
upvoted 8 times

This
is difficult to answer based on the above because the answer could also be 'C'
depending on the existing plan (S1?). Depending on how much data is coming in,
the plan may need to be ugpraded to S2. Ref:
https://azure.microsoft.com/en-us/pricing/details/time-series-insights/
upvoted 1 times
  abcdefghijkl 3 months, 2 weeks ago

you
shouldn't consider that far as question is never mention about data size and
current plan.
upvoted 1 times

Answer
is B Data Retention Value
upvoted 1 times

Answer
is B, because, if we don't change the retention setting, default value is 30
days. ------------------------------------------------ Purge old data is the
default setting for Azure Time Series Insights environments. Purge old data is
preferred when users want to always have their most recent data in their Time
Series Insights environment. The Purge old data setting purges data once the
environment’s limits (retention time, size, or count, whichever comes first) are
reached. Retention is set to 30 days by default. The oldest ingested data is
purged first (the "First In First Out" approach).
upvoted 1 times
Azure
IOT isn't AZ-300 topic.
upvoted 2 times

I'd
also say answer is B. Documentation states default retention period is 30 days
with the purge data setting.
upvoted 1 times
DRAG DROP -
You have an Azure subscription that contains a storage account.
You have an on-premises server named Server1 that runs Windows Server 2016. Server1 has 2 TB of data.
You need to transfer the data to the storage account by using the Azure Import/Export service.
In which order should you perform the actions? To answer, move all actions form the list of actions to the answer area and arrange them in the
correct order.
Select and Place:
Correct Answer:
At a high level, an import job involves the following steps:

Step 1: Attach an external disk to Server1 and then run waimportexport.exe
Determine data to be imported, number of drives you need, destination blob location for your data in Azure storage.
Use the WAImportExport tool to copy data to disk drives. Encrypt the disk drives with BitLocker.
Step 2: From the Azure portal, create an import job.
Create an import job in your target storage account in Azure portal. Upload the drive journal files.
Step 3: Detach the external disks from Server1 and ship the disks to an Azure data center.
Provide the return address and carrier account number for shipping the drives back to you.
Ship the disk drives to the shipping address provided during job creation.
Step 4: From the Azure portal, update the import job
Update the delivery tracking number in the import job details and submit the import job.
The drives are received and processed at the Azure data center.
The drives are shipped using your carrier account to the return address provided in the import job.
References:
https://docs.microsoft.com/en-us/azure/storage/common/storage-import-export-service

You have 5 TB of data that you need to transfer to Subscription1.
You plan to use an Azure Import/Export job.
What can you use as the destination of the imported data?
A. an Azure Cosmos DB database
B. Azure SQL Database
C. Azure File Storage
D. Azure Data Lake Store
Correct Answer: C
Azure Import/Export service is used to securely import large amounts of data to Azure Blob storage and Azure Files by shipping disk drives to
an Azure datacenter.
References:
https://docs.microsoft.com/en-us/azure/storage/common/storage-import-export-service

Import
/Export job only covers for Blob and File Storage. Hence the answer is C .File
storage.
upvoted 2 times
You have an Azure subscription that contains the resources in the following table.
Store1 contains a file share named Data. Data contains 5,000 files.
You need to synchronize the files in Data to an on-premises server named Server1.
Which three actions should you perform? Each correct answer presents part of the solution.
A. Download an automation script
B. Create a sync group
C. Install the Azure File Sync agent on Server1
D. Create a container instance
E. Register Server1
Correct Answer: BCE

Step 1 (C): Install the Azure File Sync agent on Server1
The Azure File Sync agent is a downloadable package that enables Windows Server to be synced with an Azure file share
Step 2 (E): Register Server1.
Register Windows Server with Storage Sync Service
Registering your Windows Server with a Storage Sync Service establishes a trust relationship between your server (or cluster) and the Storage
Sync Service.
Step 3 (B): Create a sync group and a cloud endpoint.
A sync group defines the sync topology for a set of files. Endpoints within a sync group are kept in sync with each other. A sync group must
contain one cloud endpoint, which represents an Azure file share and one or more server endpoints. A server endpoint represents a path on
registered server.
References:
https://docs.microsoft.com/en-us/azure/storage/files/storage-sync-files-deployment-guide
HOTSPOT -
You have an Azure subscription named Subscription1. Subscription1 contains a virtual machine named VM1.
You install and configure a web server and a DNS server on VM1.
VM1 has the effective network security rules shown in the following exhibit.
Hot Area:
Correct Answer:
Box 1:
Rule2 blocks ports 50-60, which includes port 53, the DNS port. Internet users can reach to the Web server, since it uses port 80.
Box 2:
If Rule2 is removed internet users can reach the DNS server as well.
Note: Rules are processed in priority order, with lower numbers processed before higher numbers, because lower numbers have higher priority.
Processing stops once traffic matches a rule, as a result, any rules that exist with lower priorities (higher numbers) that have the same
attributes as rules with higher priorities are not processed.
References:
https://docs.microsoft.com/en-us/azure/virtual-network/security-overview
  bizie 7 months, 3 weeks ago

With
port 3389 open, wouldnt you be able to connect to both? With port 53 being
blocked the DNS services itself would be blocked, but connections to both would
be allowed as RDP?
upvoted 3 times

Wrong
- if you remove Rule2, users can still only access HTTP as there is no other
rule allowing UDP/53 (which is DNS). Only TCP/53 is then allowed but this is for
DNS zone transfers not queries.
upvoted 8 times

Yes,
You are right: https://support.microsoft.com/en-ie/help/556000
upvoted 1 times
  ChinaBandit 5 months, 2 weeks ago

DNS
port 53 is listed as 'TCP/UDP' here
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-ports
upvoted 4 times

Rule
2 says protocol - any, which means tcp and udp, so dns will work.
upvoted 7 times

The
answer is correct, if you delete rule1, both DNS port and internet will fall
within rule2
upvoted 2 times

The
answer is DNS is mostly UDP Port 53, but as time progresses, DNS will rely on
TCP Port 53 more heavily. DNS has always been designed to use both UDP and TCP
port 53 from the start1 , with UDP being the default, and fall back to using TCP
when it is unable to communicate on UDP, typically when the packet size is too
large to push through in a single UDP packet. So its depends how DNS configured
.. DNS should work
upvoted 2 times
  Bladiebla 1 month ago

I
Think "cannot connect to the web server and the DNS server on VM1" is the
correct anwer. Because the blocking rule 3. Web = 80 by default but also 443.
You can connect to port 80 but rule3 will block the port 80 traffic back to the
internet user. When the webserver use 443 the anwer is correct. I think it's a
crappy question with to few information.
upvoted 4 times
  SIDNEY1 6 days, 10 hours ago

Correct
me if I'm wrong. The first box should be neither DNS nor HTTP. The first inbound
rule stops DNS, that leaves us to check for HTTP. Inbound rule allows HTTP/S
request in, now I now these rules are stateful, but there's an explicit deny in
the outbound rule stopping port 80 going out - so the HTTP request will be
denied, I think? The answer to the second box is fine. What do you
think?
upvoted 1 times
You plan to back up an Azure virtual machine named VM1.

You discover that the Backup Pre-Check status displays a status of Warning.
What is a possible cause of the Warning status?
A. VM1 does not have the latest version of WaAppAgent.exe installed
B. A Recovery Services vault is unavailable
C. VM1 has an unmanaged disk
D. VM1 is stopped
Correct Answer: A
The Warning state indicates one or more issues in VM's configuration that might lead to backup failures and provides recommended steps to
ensure successful backups. Not having the latest VM Agent installed, for example, can cause backups to fail intermittently and falls in this
class of issues.
References:
https://azure.microsoft.com/en-us/blog/azure-vm-backup-pre-checks/
  Examtopicisawesome 3 months, 2 weeks ago

Warning:
This state indicates one or more issues in VM’s configuration that might lead to
backup failures and provides recommended steps to ensure successful backups. Not
having the latest VM Agent installed, for example, can cause backups to fail
intermittently and falls in this class of issues.
upvoted 2 times

A
is correct.
upvoted 2 times

You have an Azure subscription named Subscription1. Subscription1 contains a virtual machine named VM1. You have a computer Computer1
that runs Windows
10. Computer1 is connected to the Internet.
You add a network interface named Interface1 to VM1 as shown in the exhibit. (Click the Exhibit tab.)
From Computer1, you attempt to connect to VM1 by using Remote Desktop, but the connection fails.
You need to establish a Remote Desktop connection to VM1.
A. Attach a network interface
B. Start VM1
C. Delete the DenyAllOutBound outbound port rule
D. Delete the DenyAllInBound inbound port rule
Correct Answer: B
Incorrect Answers:
A: The network interface has already been added to VM.
C: The Outbound rules are fine.
D: The inbound rules are fine. Port 3389 is used for Remote Desktop.
Note: Rules are processed in priority order, with lower numbers processed before higher numbers, because lower numbers have higher priority.
Processing stops once traffic matches a rule. As a result, any rules that exist with lower priorities (higher numbers) that have the same
attributes as rules with higher priorities are not processed.
References:
https://docs.microsoft.com/en-us/azure/virtual-network/security-overview

B
correct, no public IP assigned in exhibit. It will assign when vm
starts
upvoted 8 times

how
do you know from the exhibit the VM is not started?
upvoted 1 times
  theoneandonly 3 months, 3 weeks ago

in
only shows Reference to "IP" under Public Address. If it's started, you schould
see the IP-Address X.X.X.X
upvoted 16 times
  Famous_Guy 4 weeks, 1 day ago

impressed.
upvoted 4 times
  tkr_Dhana 3 weeks, 2 days ago

Awesome
upvoted 2 times
  Dann1112 3 days, 13 hours ago

Amazed
upvoted 1 times

Brilliant
upvoted 2 times

Warning
symbol indicates the VM needs a restart.
upvoted 1 times

C
is correct
upvoted 1 times

sorry
B
upvoted 1 times
You are designing an Azure solution.

The solution must meet the following requirements:
Distribute traffic to different pools of dedicated virtual machines (VMs) based on rules
Provide SSL offloading capabilities
You need to recommend a solution to distribute network traffic.
Which technology should you recommend?
A. server-level firewall rules
B. Azure Application Gateway
C. Azure Traffic Manager
D. Azure Load Balancer
Correct Answer: B
If you require "SSL offloading", application layer treatment, or wish to delegate certificate management to Azure, you should use Azure's layer 7
load balancer
Application Gateway instead of the Load Balanacer.
Incorrect Answers:
D: Because Load Balancer is agnostic to the TCP payload and TLS offload ("SSL") is not provided.
References:
HOTSPOT -
In Subscription1, you create an alert rule named Alert1. The Alert1 action group is configured as shown in the following exhibit.
Alert1 alert criteria is triggered every minute.

Hot Area:
Correct Answer:
Box 1: 60 -
One alert per minute will trigger one email per minute.
Box 2: 12 -
No more than 1 SMS every 5 minutes can be send, which equals 12 per hour.
Note: Rate limiting is a suspension of notifications that occurs when too many are sent to a particular phone number, email address or device.
Rate limiting ensures that alerts are manageable and actionable.
The rate limit thresholds are:
✑ SMS: No more than 1 SMS every 5 minutes.
✑ Voice: No more than 1 Voice call every 5 minutes.
✑ Email: No more than 100 emails in an hour.
✑ Other actions are not rate limited.
References:
https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/azure-monitor/overview.md

https://docs.microsoft.com/en-us/azure/azure-monitor/platform/alerts-rate-limiting
upvoted 11 times
Answer
is correct
upvoted 1 times
HOTSPOT -
You have an Azure subscription named Subscription1 that contains the resources in the following table.
A web server runs on VM1 and VM2.

When you request a webpage named Page1.htm from the Internet, LB1 balances the web requests to VM1 and VM2., and you receive a response.
On LB1, you have a rule named Rule1 as shown in the Rule1 exhibit. (Click the Exhibit tab.)
You have a health probe named Probe1 as shown in the Probe1 exhibit. (Click the Exhibit tab.)
Hot Area:
Correct Answer:
Box 1: No -
Session Persistence is None.
Box 2: Yes -
Web requests uses the HTTP protocol, not the TCP protocol.
Box 3: No -
Note: Azure Load Balancer provides health probes for use with load-balancing rules. Health probe configuration and probe responses determine
which backend pool instances will receive new flows. You can use health probes to detect the failure of an application on a backend instance.
You can also generate a custom response to a health probe and use the health probe for flow control to manage load or planned downtime.
When a health probe fails, Load Balancer stops sending new flows to the respective unhealthy instance.
References:
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-custom-probe-overview
  cloudnoob19 6 months, 2 weeks ago

Box
2: No - Web requests uses the TCP protocol, not the UDP protocol. The question
asks about Rule1 and not Probe1. Box 3: Yes - VM2 will be deemed unhealthy which
means all traffic will be routed to VM1
upvoted 6 times

The
image appears to be changed since I commented. Box 2: Yes - Web requests uses
TCP protocol, not UDP
upvoted 5 times

Box
2: Yes Box 3: Yes. VM2 will be deemed unhealthy which means all traffic will be
routed to VM1
upvoted 4 times
  Karls 4 months ago

BOX
1: NO BOX 2: YES BOX 3: YES
upvoted 22 times

No
Yes No The probe isn't applied to a specific Vm but to the LB itself. so
doesn't make sence at all !
upvoted 1 times

sense*
upvoted 1 times

Box
3 is "No". The probe is probing the VM to make sure it's healthy. If the VM
doesn't respond back with a response code of 200, then it's deemed unhealthy and
the LB won't send traffic to it. It doesn't make sense that the probe points to
itself. Ref:
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-custom-probe-overview
upvoted 1 times
  decimusindi 3 months, 1 week ago

Probe
endpoint returns an HTTP response code other than 200 (for example, 403, 404, or
500). This will mark down the health probe immediately. 403 is file not found so
3) is YES.
upvoted 6 times

UDP (User Datagram Protocol) is an alternative
communications protocol to Transmission Control Protocol (TCP) used primarily
for establishing low-latency and loss-tolerating connections between
applications on the internet. so the answer is Box1: No Box 2: No Box 3:
Yes
upvoted 3 times

Box1:
No, Box2: No (TCP Port 80 is HTTP and the web request is not fail), Box3: Yes
(VM2 is unhealthy and the LB route all web request to VM1)
upvoted 1 times
  thala 2 months, 3 weeks ago

Http
is normaly transmitted over TCP but nothing precludes it from transit over
UDP.
upvoted 1 times

probe HTTP path configuration is wrong. It has to be "/"
only or "/api/infrastructure/healthprobe"/ (for example). Probe will work if
prob1.htm gets removed.
upvoted 1 times

really hope I
don't see this vague question when I sit the exam. 1) happy with this being NO
as persistence is not enabled 2) ridiculous question - how can we tell if UDP is
allowed on port 80 in the NSG? http over UDP is permissable 3) also ridiculous
- do we assume that /probe.htm (like the aforementioned page1.htm) relates to
files held on web1 or web2? or is the question here really that this probe is
not configured correctly, in which case will any of the load balancing work at
all??? If I see this question on the exam, I would say NO, NO, YES and ensure I
leave a comment stating my discontent!
upvoted 2 times
  thirstylion 1 month, 2 weeks ago

No,Yes,Yes
upvoted 1 times

no
no yes
upvoted 1 times

I
think this is a classic trick question. Read the question and settings
carefully. If you delete the HTML page on node 2, the LB will still send
another request to that resource. Why? Because the threshold is set to 2
before node 2 will be deemed unhealthy. So technically the answers provided are
correct.
upvoted 1 times
  Sun_mon 5 days, 15 hours ago

not
sure what is the correct answer, microsoft says first is no, yes, no
upvoted 1 times
users.
Solution: Deploy a Windows container to Azure Service Fabric for each component.
A. Yes
B. No
Correct Answer: B

What
is the issue? Service Fabric supports containers.
upvoted 2 times
  JatinA 5 months ago

I
guess we don't need a separate container for each component. We just need one
container. Thats why answer is NO.
upvoted 1 times

it
is mentioned "Due to volatile user traffic, a microservices solution is selected
for scale agility" , so we need to separate components as it might have
different scalability requirements , so I guess it is A not B
upvoted 4 times

I
think the reason the answer is NO is due to the routing service. It needs to be
stateless so the suggested solution does not natively meet this
requirement.
upvoted 8 times

B
is correct. Since routing service is stateless
upvoted 1 times

B
is correct. Since routing service is stateless
upvoted 2 times

answer
is YES because you need separate containers for Stateless Services and Stateful
Services
upvoted 3 times
  BeCalmAndSmile 3 weeks, 6 days ago

Should
be YES. You can deploy existing applications as guest executables, Service
Fabric stateless or stateful Reliable services or Reliable Actors in containers,
and you can mix services in processes and services in containers in the same
application.
upvoted 2 times
SIMULATION -
Overview -
possible by design.
To start the lab -

You plan to create several virtual machines in different availability zones, and then to configure the virtual machines to load balanced connections
from the internet.
You need to create an IP address resource named ip1006 to support the planned load balancing solution.
The solution must minimize costs.

We should create a public IP address.
Step 1: At the top, left corner of the portal, select + Create a resource.
Step 2: Enter public ip address in the Search the Marketplace box. When Public IP address appears in the search results, select it.
Step 3: Under Public IP address, select Create.
Step 4: Enter, or select values for the following settings, under Create public IP address, then select Create:
Name: ip1006
SKU: Basic SKU
IP Version: IPv6
IP address assignment: Dynamic
Subscription: Select appropriate
Resource group: Select appropriate
References:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-public-ip-address
  yazdan2905 6 months, 1 week ago

Why
IPv6 and not IPv4? and why not static IP?
upvoted 1 times
  sktiwari 6 months ago

can you please
explain why IPv6 not IPv4?
upvoted 1 times
  MGW 6 months ago

Think,
it deals with: While public IPv4 addresses can be assigned to several Azure
resources, an IPv6 public IP address can only be assigned to an Internet-facing
load balancer. The load balancer can load balance IPv6 traffic to Azure virtual
machines. Learn more about load balancing IPv6 traffic to virtual machines.
(https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-ipv6-overview?toc=%2fazure%2fvirtual-network%2ftoc.json)
upvoted 1 times

 dumpmaster 5 months, 3 weeks ago
You
can use Ipv4 or Ipv6, just needs to be Standart.
upvoted 3 times

IPv4
can be attached to both load balancers and network interfaces, whereas IPv6 can
be attached only to load balancers. As the question says, it need to be attached
to load balancers we can use anything. Doesn't matter.
upvoted 2 times

It just has be standard as SLA is 99.99 which can be
aith AZ only
upvoted 1 times

IPv4
only? "If you selected the Standard SKU, you do not have the option to select
IPv6. You can only create an IPv4 address when using the Standard SKU" And
according to a closed feedback, this is when the load balancer is Standard SKU.
It is possible to set IPv6 with Standard SKU when creating the IP address.
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-public-ip-address#
upvoted 1 times

Wrong, you can select standard with IPv4 only, just
tried it on my production.
upvoted 1 times

Sorry i meant IPv6
upvoted 1 times

Note:
Standard SKU addresses are Static for both IPv4 and IPv6.
upvoted 2 times
  Jesch75 4 months ago

Basic
SKU do not support Availability Zone scenarios. You need to use Standard SKU
public IP for Availability Zone scenarios
upvoted 5 times

The
solution must minimize costs. You will need to choose ipv6 and basic SKU and
yes ipv6 and basic SKU supports availability zones, availability zones are
created during VM deployment, not in public IP resource creation
upvoted 2 times
  escom123 3 months, 3 weeks ago

Jesch75 is correct: you must choose standard SKU. In
order to use availability zones in the load balancer you have to choose standard
SKU for the load balancer, which in turn has to match the SKU you chose for the
public ip
upvoted 2 times

Availability zone No This setting only appears if you select a supported
location. For a list of supported locations, see Availability zones overview. If
you selected the Basic SKU, None is automatically selected for you. If you
prefer to guarantee a specific zone, you may select a specific zone. Either
choice is not zone-redundant. If you selected the Standard SKU: Zone-redundant
is automatically selected for you and makes your data path resilient to zone
failure. If you prefer to guarantee a specific zone, which is not resilient to
zone failure, you may select a specific zone. Standard_LB and Standard Public_IP
would be a right choice.
upvoted 4 times

Have
just double-checked in Portal: Basic IPv6 doesn't provide
Zone-Redundancy
upvoted 1 times

What
I understand from this is that placing VMs in Availability Zones then using
Basic IPv6 and Basic LB will work -- but it just won't be Zone-redundant. The
published solution appears to confirm that scenario.
upvoted 1 times
  raju11 3 months, 1 week ago

its,
it should "Standard". Check the below link
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-ip-addresses-overview-arm
under "Basic" sku features, "Do not support Availability Zone scenarios. You
need to use Standard SKU public IP for Availability Zone scenarios. "
upvoted 2 times

I just did the practical and found that if the network
traffic from the internet is to be load balanced, we need to have the IPv4 and
not the IPv6. It will not work. From the SKU perspective it can be either Basic
or Standard. The only thing to keep in mind is that when you create the Load
Balancer, use the same SKU.
upvoted 1 times

One thing I just noticed is that we can use the IPv6 as
well for the Public IP and that will be used in addition to the IPv4 in the
LB
upvoted 1 times
  wigger 3 months, 1 week ago

"Basic
Public IPs do not support Availability zones."
upvoted 3 times

VMs
in availability zones are only supported with Standard SKU LBs. A Standard SKU
LB defaults the IP address to Standard as well. So in short, Standard all the
way.
upvoted 1 times
  Ansul 2 months, 1 week ago

It
should be standard .
upvoted 2 times

Only
Azure Standard Load Balancer supports availability zones scenarios. and IP
standard SKU is required if you associate the address to a Standard load
balancer.
upvoted 3 times
  thirstylion 1 month, 2 weeks ago

Check
this out:
https://docs.microsoft.com/en-us/azure/load-balancer/tutorial-load-balancer-standard-public-zone-redundant-portal
upvoted 1 times
  shyan391 1 month ago

Can basic
public IP be attached to load balancer, and behind load balancer, servers are in
different availability zone?
upvoted 1 times

Azure
"Standard" Load Balancer supports availability zones scenarios and Standard Load
balancer needs a public IP of sku "Standard". "Basic" sku public IP Do not
support Availability Zone scenarios. You need to use Standard SKU public IP for
Availability Zone scenarios. So you can create IPv4 standard public IP with
standard LB for zone redundancy.
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-standard-availability-zones
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-ip-addresses-overview-arm
upvoted 1 times

You
have to create a Standard because there are VMs in different zones. IPV4 can be
used for both Network Interface and also as a LB, IPV6 can only be used as a LB.
Selecting IPV4 or IPV6 doesn't impact the costs. I would pick IPV4.
upvoted 1 times
  hilmit 2 weeks, 2 days ago

The
"Availability Zone" feature is used to trick audience in this question. Because
solution do not ask for "End to end design should have %99.99 SLA", you can load
balance VMs with AZ from a basicSku Load Balancer. So, basic and Ipv6 (to
ensure only can be used by LoadBalancer) is correct
upvoted 2 times
  ReffG 5 days, 2 hours ago

Deploy
a Basic LB and try to create a BackendPool with VMs that are associated to
AZs...won't work. Therefore Standard LB SKU required.
upvoted 1 times
You have an Azure subscription that contains the storage accounts shown in the following table.
You enable Azure Advanced Threat Protection (ATP) for all the storage accounts.
You need to identify which storage accounts will generate Azure ATP alerts.
Which two storage accounts should you identify? Each correct answer presents part of the solution.
A. storagecontoso1
B. storagecontoso2
C. storagecontoso3
D. storagecontoso4
E. storagecontoso5
Correct Answer: AE
Example:
Storage Threat Detection is available for the Blob Service.
References:
https://azure.microsoft.com/en-us/blog/advanced-threat-protection-for-azure-storage-now-in-public-preview/

as
it's enabled only for blob service, should not the answers be AB?
upvoted 20 times

AB
should be the right answer
upvoted 13 times

From
MS: Advanced threat protection for Azure Storage is currently available only for
Blob storage.
upvoted 2 times

Advanced
threat protection for Azure Storage is currently available only for Blob storage
https://docs.microsoft.com/en-us/azure/storage/common/storage-advanced-threat-protection?tabs=azure-portal
upvoted 9 times
  kailash 1 month ago

correct
so Answer is A&B
upvoted 3 times

I
agree with AB, Dumps have errors
upvoted 4 times

Answer
should be A and B as ATP is applicable only for Blobs
upvoted 1 times
  victorin 1 week, 2 days ago

A&B are the correct answers... Advanced threat
protection for Azure Storage is currently available only for Blob Storage.
https://docs.microsoft.com/en-us/azure/storage/common/storage-advanced-threat-protection?tabs=azure-portal
upvoted 3 times
named
Solution: On Subscription1, you assign the DevTest Labs User role to the Developers group.
A. Yes
B. No
Correct Answer: B
The DevTest Labs User role lets you connect, start, restart, and shutdown your virtual machines in your Azure DevTest Labs.
References:
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#devtest-labs-user
named
Solution: On Dev, you assign the Logic App Contributor role to the Developers group.
A. Yes
B. No
Correct Answer: B
The Logic App Contributor role lets you read, enable and disable logic app.
References:
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#logic-app-contributor
Answer
A. Logic App Contributor: Lets you manage logic apps, but you can't change
access to them. Logic App Operator: Lets you read, enable, and disable logic
apps, but you can't edit or update them.
upvoted 22 times

Yes,
it's A
upvoted 4 times
  chris46 5 months ago

B,
the dev need the ability to create.
upvoted 5 times

Agree
with Chris46. Logic App Contributor: Lets you manage logic apps, but you can't
change access to them. Logic App Operator: Lets you read, enable, and disable
logic apps, but you can't edit or update them.
https://docs.microsoft.com/en-us/azure/logic-apps/logic-apps-securing-a-logic-app
upvoted 1 times

It
is A. Logic App Contributor gives permission to manage logic apps. it implies
permissiom to create logic apps. Evident by the permission included in the role
Microsoft.Logic/*. Also tested in the Azure port.
upvoted 10 times

Logic
app contributor allows you to create logic app - tested and verified. Answer is
A
upvoted 12 times
  Sean2020 2 months, 4 weeks ago

It is A. built-in-roles#contributor - "Create and manage
resources of all types"
upvoted 2 times
  agomes 2 months, 2 weeks ago

Answer
A. (2) This link says
< https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#logic-app-contributor>https://docs.microsoft.com/en-
us/azure/role-based-access-control/built-in-roles#logic-app-contributor
Logic App Contributor: Manages Logic Apps resources. We tested and Logic App
Contributor can create Logic App, so as per my understanding, 1st link content
should be changed.
upvoted 1 times

After
checking the access permissions of Logic App Contributor as bellow:
"Microsoft.Logic/*" means "Manages Logic Apps resources."
"Microsoft.Authorization/*/read" means "Read roles and role assignments" And
with the testing result of agomes, the correct answer should be A.
upvoted 1 times

Agree
it is A
upvoted 1 times
  victorin 1 week, 2 days ago
The answer is A. "Contributor: Lets you manage
everything except granting access to resources, Create and manage resources of
all types."
upvoted 1 times
  mashandpie 3 days, 17 hours ago

Agree
that this answer should be A as Logic App Contributor role includes -
Microsoft.Resources/deployments/* - meaning Create and manage a deployment -
upvoted 1 times
HOTSPOT -
You have an Azure Service Bus and a queue named Queue1. Queue1 is configured as shown in the following exhibit.
Hot Area:
Correct Answer:
  Krimish 7 months, 2 weeks ago

Once
message is expired after two hours , it will be moved to deal
lettering.
upvoted 5 times

message is dropped after 2 hrs unless set for dead
letter queue "Expired messages can optionally be moved to a dead-letter queue by
setting the EnableDeadLetteringOnMessageExpiration property, or checking the
respective box in the portal. If the option is left disabled, expired messages
are dropped" ... see
https://docs.microsoft.com/en-us/azure/service-bus-messaging/message-expiration
upvoted 2 times

The
first box is correct because the message will be removed to the dead letter
queue, and messages in the dead letter queue should be deleted manually. Refer
to:
https://docs.microsoft.com/en-us/azure/service-bus-messaging/message-expiration
"Expired messages can optionally be moved to a dead-letter queue by setting the
EnableDeadLetteringOnMessageExpiration property," "Note that there is no
automatic cleanup of the DLQ. Messages remain in the DLQ until you explicitly
retrieve them from the DLQ and call Complete() on the dead-letter message." But
I don't agree to the second answer Because the message will be locked for max 5
minutes after read by a receiver, and deleted after completing process of the
receiver, not immediately.
upvoted 3 times
  Derek_O2018 1 month, 4 weeks ago

I
believe that the reasoning behind answer 2 is the fact that successful
processing of a message involves calling the complete method. This will remove
the lock and delete the message immediately.
upvoted 4 times
Question #1 Topic 3
You have an Azure App Service API that allows users to upload documents to the cloud with a mobile device. A mobile app connects to the service
by using
REST API calls.
When a new document is uploaded to the service, the service extracts the document metadata. Usage statistics for the app show significant
increases in app usage.
The extraction process is CPU-intensive. You plan to modify the API to use a queue.
You need to ensure that the solution scales, handles request spikes, and reduces costs between request spikes.
What should you do?
A. Configure a CPU Optimized virtual machine (VM) and install the Web App service on the new instance.
B. Configure a series of CPU Optimized virtual machine (VM) instances and install extraction logic to process a queue.
C. Move the extraction logic into an Azure Function. Create a queue triggered function to process the queue.
D. Configure Azure Container Service to retrieve items from a queue and run across a pool of virtual machine (VM) nodes using the extraction
logic.
Correct Answer: C

Explain
please
upvoted 2 times
  RegisK 3 days, 19 hours ago

Azure
function reduce costs as it is stateless
upvoted 1 times
Question #2 Topic 3
DRAG DROP -
Fourth Coffee has an ASP.Net Core web app that runs in Docker. The app is mapped to the www.fourthcoffee.com domain.
Fourth Coffee is migrating this application to Azure.
You need to provision an App Service Web App to host this docker image and map the custom domain to the App Service web app.
A resource group named FourthCofeePublicWebResourceGroup has been created in the WestUS region that contains an App Service Plan named
AppServiceLinuxDockerPlan.
Which order should the CLI commands be used to develop the solution? To answer, move all of the Azure CLI commands from the list of
commands to the answer area and arrange them in the correct order.
Select and Place:
Correct Answer:

Why does it matter the order of the last 2 items?
hostname or container can be put in place in any either sequence
upvoted 6 times

Agree
with ccarlton. Hostname can be created as the final step. It shouldn't
matter.
upvoted 3 times
Question #3 Topic 3
You create a social media application that users can use to upload images and other content.
Users report that adult content is being posted in an area of the site that is accessible to and intended for young children.
You need to automatically detect and flag potentially offensive content. The solution must not require any custom coding other than code to scan
and evaluate images.
What should you implement?
A. Bing Visual Search
B. Bing Image Search
C. Custom Vision Search
D. Computer Vision API
Correct Answer: D
https://docs.microsoft.com/en-au/azure/cognitive-services/computer-vision/home
upvoted 5 times

I
think Cognitive services are not part of AZ-300 syllabus.
upvoted 1 times
Question #4 Topic 3
DRAG DROP -
You plan to create a Docker image that runs an ASP.NET Core application named ContosoApp. You have a setup script named setupScript.ps1 and
a series of application files including ContosoApp.dll.
You need to create a Dockerfile document that meets the following requirements:
✑ Call setupScript.ps1 when the container is built.
✑ Run ContosoApp.dll when the container starts.
The Dockerfile document must be created in the same folder where ContosoApp.dll and setupScript.ps1 are stored.
Which four commands should you use to develop the solution? To answer, move the appropriate commands from the list of commands to the
answer area and arrange them in the correct order.
Select and Place:
Correct Answer:
  FailureIsnotAnOption 3 months, 2 weeks ago

I'm
no expert at this, for sure. But when I look up references to this that include
"dotnet" AND "contosoapp.dll" it seems that the last choice should be the
CMD/Entrypoint option. Please advise.
upvoted 1 times

https://docs.microsoft.com/en-us/azure/app-service/containers/tutorial-custom-docker-image
upvoted 1 times

The
only source I've found from MS:
https://docs.microsoft.com/en-us/aspnet/core/host-and-deploy/docker/building-net-docker-images?view=aspnetcore-3.1
For what i recall there are subtle differences between CMD and ENTRYPOINT, but
I'll choice RUN/CMD because RUN it's used to setup and executes things. This was
also useful https://goinbigdata.com/docker-run-vs-cmd-vs-entrypoint/
upvoted 5 times
Question #5 Topic 3
DRAG DROP -
You have a web app named MainApp. You are developing a triggered App Service background task by using the WebJobs SDK.
This task automatically invokes a function in the code whenever any new data is received in a queue.
You need to configure the services.
Which service should you use for each scenario? To answer, drag the appropriate services to the correct scenarios. Each service may be used
once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
Select and Place:
Correct Answer:
References:
https://docs.microsoft.com/en-us/azure/azure-functions/functions-compare-logic-apps-ms-flow-webjobs

Webjobs
and Flow
upvoted 1 times

It should be Webjobs and logic apps
upvoted 2 times
  RamanRaman 5 months, 2 weeks ago

From
the mentioned link, Here are two scenarios for which WebJobs may be the best
choice: You need more control over the code that listens for events, the
JobHost object. Functions offers a limited number of ways to customize JobHost
behavior in the host.json file. Sometimes you need to do things that can't be
specified by a string in a JSON file. For example, only the WebJobs SDK lets you
configure a custom retry policy for Azure Storage. You have an App Service
app for which you want to run code snippets, and you want to manage them
together in the same Azure DevOps environment.
upvoted 4 times

This
is the correct solution. WebJobs and WebJobs.
upvoted 1 times

WebJobs
and Logic Apps
Logic Apps --> Azure DevOps: source control, testing, support, automation,
and manageability in Azure Resource Manager
upvoted 1 times

Both
should be webjobs as per the reference link: ou have an App Service app for
which you want to run code snippets, and you want to manage them together in the
same Azure DevOps environment.
upvoted 6 times

upvoted 1 times

See
comparison table and summary
upvoted 1 times

regarding
Azure DevOps, and paraphrasing the Microsoft document... "Here are two
scenarios for which WebJobs may be the best choice: You need more control
over the code that listens for events, the JobHost object. Functions offers a
limited number of ways to customize JobHost behavior in the host.json file.
Sometimes you need to do things that can't be specified by a string in a JSON
file. For example, only the WebJobs SDK lets you configure a custom retry policy
for Azure Storage. You have an App Service app for which you want to run code
snippets, and you want to manage them together in the same Azure DevOps
environment." so... for option 2 -> Webjobs
upvoted 2 times

And
also I would add for option 1 -> Logic App, following this info:
https://docs.microsoft.com/en-us/azure/connectors/connectors-create-api-servicebus
upvoted 1 times
  sagnikmukh 2 months, 1 week ago

It
should be Webjobs and logic apps
upvoted 1 times

logic apps and webjobs
upvoted 2 times
Question #6 Topic 3
DRAG DROP -
You are developing Azure WebJobs.
You need to recommend a WebJob type for each scenario.
Which WebJob type should you recommend? To answer, drag the appropriate WebJob types to the correct scenarios. Each WebJob type may be
used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
Select and Place:
Correct Answer:
References:
https://docs.microsoft.com/en-us/azure/app-service/webjobs-create#webjob-types
Question #7 Topic 3
You have an Azure subscription named Subscription1. Subscription1 contains the resource groups in the following table.
RG1 has a web app named WebApp1. WebApp1 is located in West Europe.
You move WebApp1 to RG2.

What is the effect of the move?
A. The App Service plan for WebApp1 moves to North Europe. Policy1 applies to WebApp1.
B. The App Service plan for WebApp1 remains in West Europe. Policy1 applies to WebApp1.
C. The App Service plan for WebApp1 moves to North Europe. Policy2 applies to WebApp1.
D. The App Service plan for WebApp1 remains in West Europe. Policy2 applies to WebApp1.
Correct Answer: D
You can move an app to another App Service plan, as long as the source plan and the target plan are in the same resource group and
geographical region.
The region in which your app runs is the region of the App Service plan it's in. However, you cannot change an App Service plan's region.
References:
https://docs.microsoft.com/en-us/azure/app-service/app-service-plan-manage
Published
solution is wrong. Correct is: B: The App Service plan for WebApp1 remains in
West Europe. Policy2 applies to WebApp1.
upvoted 2 times
  tulpe123 1 month, 3 weeks ago

but thats answer D
upvoted 6 times
  Rafael1984 1 month, 2 weeks ago

answer
D
upvoted 4 times
  Famous_Guy 4 weeks ago

you
did Typo :)
upvoted 2 times
  bluecloudy 1 month ago

D:
correct answer
upvoted 2 times

App
servie plan is restricted to a geographical region and cannot move between
regions.Period.
upvoted 2 times

You can move an app to another App Service plan, as long
as the source plan and the target plan are in the same resource group and
geographical region. None of the options are right.
upvoted 2 times

yes
true!
upvoted 1 times
  rb09 1 week ago

So,
answer should be B
upvoted 1 times
  rb09 1 week ago

Reason
being - you don't mover both.. app service plan & App.
upvoted 1 times
Question #8 Topic 3
You create the following Azure role definition.

{
"Name": "Role1",
"Id": "80808080-8080-8080-8080-808080808080",
IsCustom : false,
"Description": "",
"Actions" : [
"Microsoft.Storage/*/read",
"Microsoft.Network/*/read",
"Microsoft.Compute/*/read",
"Microsoft.Compute/virtualMachines/start/action",
"Microsoft.Compute/virtualMachines/restart/action",
"Microsoft.Authorization/*/read"],
"NotActions": [],
"DataActions": [],
"NotDataActions": [],
"AssignableScopes": []
}
You need to create Role1 by using the role definition.
Which two values should you modify before you create Role1? Each correct answer presents part of solution.
A. IsCustom
B. DataActions
C. Id
D. AssignableScopes
E. Description
Correct Answer: AD
Part of example:
"IsCustom": true,
"AssignableScopes": [
"/subscriptions/{subscriptionId1}",
"/subscriptions/{subscriptionId3}"
The following shows what a custom role looks like as displayed in JSON format. This custom role can be used for monitoring and restarting
virtual machines.
{
"Name": "Virtual Machine Operator",
"Id": "88888888-8888-8888-8888-888888888888",
"IsCustom": true,
"Description": "Can monitor and restart virtual machines.",
"Actions": [
"Microsoft.Storage/*/read",
"Microsoft.Network/*/read",
"Microsoft.Compute/*/read",
"Microsoft.Compute/virtualMachines/start/action",
"Microsoft.Compute/virtualMachines/restart/action",
"Microsoft.Authorization/*/read",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Insights/diagnosticSettings/*",
"Microsoft.Support/*"
],
"NotActions": [],
"DataActions": [],
"NotDataActions": [],
"AssignableScopes": [
"/subscriptions/{subscriptionId3}"
]
}
References:
https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles

Not
ID because "The unique ID of the custom role. For Azure PowerShell and Azure
CLI, this ID is automatically generated when you create a new role." Not
DataActions because there are actions in the example Not Description because it
is set to NULL (I.E. "") Answers are: IsCustom because "Indicates whether this
is a custom role. Set to true for custom roles." and the question said it is a
custom role AssignableScopes because it is a required field and is
blank
upvoted 1 times
Question #9 Topic 3
You have an Azure App Service named WebApp1.

You plan to add a WebJob named WebJob1 to WebApp1.
You need to ensure that WebJob1 is triggered every 15 minutes.
What should you do?
A. Change the Web.config file to include the 1-31 1-12 1-7 0*/15* CRON expression
B. From the properties of WebJob1, change the CRON expression to 0*/15****.
C. Add a file named Settings.job to the ZIP file that contains the WebJob script. Add the CRON expression to the JOB file 1-31 1-12 1-7 0*/15*
D. Create an Azure Automation account and add a schedule to the account. Set the recurrence for the schedule
Correct Answer: B
You can enter a CRON expression in the portal or include a settings.job file at the root of your WebJob .zip file, as in the following example:
{
"schedule": "0 */15 * * * *"
}
References:
https://docs.microsoft.com/en-us/azure/app-service/webjobs-create

infp:
https://docs.microsoft.com/en-us/azure/azure-functions/functions-bindings-timer?tabs=csharp
upvoted 1 times

You have an on-premises virtual machine named VM1 configured as shown in the following exhibit.
VM is started.
You need to create a new virtual machine image in Azure from VM1.
Which three actions should you perform before you create the new image? Each correct answer presents part of the solution.
A. Remove the Backup (volume shadow copy) integration service
B. Generalize VM1
C. Run Add-AzureRmVhd and specify a blob service container as the destination
D. Run Add-AzureRmVhd and specify a file share as the destination
E. Reduce the amount of memory to 16 GB
Correct Answer: ABC

Sysprep removes all your personal account and security information, and then prepares the machine to be used as an image.
The Add-AzureRmVhd cmdlet uploads on-premises virtual hard disks, in .vhd file format, to a blob storage account as fixed virtual hard disks.
References:
https://docs.microsoft.com/en-us/powershell/module/azurerm.compute/add-azurermvhd?view=azurermps-6.13.0
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/capture-image-resource

Should
be B and C
upvoted 1 times

It
says which three?
upvoted 1 times

It
seems googleing' for similar questions, that there is an "F" option: A. Remove
the Backup (volume shadow copy) integration service B. Generalize VM1 C. Run
Add-AzureRmVhd and specify a blob service container as the destination D. Run
Add-AzureRmVhd and specify a file share as the destination E. Reduce the amount
of memory to 16 GB F. Convert the disk type to VHD in this case, it has sense
and it would be B, C ad F
upvoted 19 times

and
add that I didn't see any info in documentation about "shadow copies" removal as
a problem or other integration services like those in the exhibit... so it makes
sense F option as the disk appears as VHDX in the exhibit and it should be
converted to VHD before uploading to Azure
upvoted 3 times

Agree.
More details at this article -
upvoted 1 times

both bellow articles mention the F option convert to vhd
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/prepare-for-upload-vhd-image?toc=/azure/virtual-
machines/windows/toc.json
and
https://docs.microsoft.com/en-us/powershell/module/azurerm.compute/add-azurermvhd?view=azurermps-6.13.0
says The Add-AzureRmVhd cmdlet uploads on-premises virtual hard disks, in .vhd
file format, to a blob storage account >>>> so i´ll go with mihlo
options
upvoted 1 times
  MoniqueArduin 2 months, 3 weeks ago

ABC
is correct: Remove the Backup (volume shadow copy) integration service Refernce:
https://devblogs.microsoft.com/setup/delete-shadow-copies-to-compact-vhds-and-avhds/
upvoted 4 times

A is not correct. The existence of the backup
integration service does not imply that shadow copies exist or that the
existence of shadow copies is an issue for conversion of the VHDX to a VHD.
Compacting the disk is not a requirement for this task.
upvoted 1 times
  Happiman 2 months ago

Answer is BCF,
F. Convert the disk type to VHD
upvoted 3 times
DRAG DROP -
You need to use an Azure logic app to receive a notification when an administrator modifies the settings of a virtual machine in a resource group
named RG1.
Which three components should you create next in the Logic Apps Designer? To answer, move the appropriate components from the list of
components to the answer area and arrange them in the correct order.
Select and Place:
Correct Answer:
Step 1: an Azure Event Grid trigger

First add an Event grid trigger that monitors the resource group for your virtual machine.
Step 2: a conditional control -

To run your logic app workflow only when a specific event happens, add a condition that checks for virtual machine "write" operations.
Step 3: an action -
Now add an action so that you get an email when the specified condition is true.
References:
https://docs.microsoft.com/en-us/azure/event-grid/monitor-virtual-machine-changes-event-grid-logic-app
HOTSPOT -
You have an Azure subscription that contains the resources shown in the following table.
You need to deploy a load-balancing solution for two Azure web apps named App1 and App2 to meet the following requirements:
✑ App1 must support command injection protection.
✑ App2 must be able to use a static public IP address.
✑ App1 must have a Service Level Agreement (SLA) of 99.99 percent.
Which resource should you use as the load-balancing solution for each app? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Box 1: AGW1 -
Azure Application Gateway offers a web application firewall (WAF) that provides centralized protection of your web applications from common
exploits and vulnerabilities. Web applications are increasingly targeted by malicious attacks that exploit commonly known vulnerabilities. SQL
injection and cross-site scripting are among the most common attacks.
Box 2: ELB1 -
Public IP addresses allow Internet resources to communicate inbound to Azure resources. Public IP addresses also enable Azure resources to
communicate outbound to Internet and public-facing Azure services with an IP address assigned to the resource.
Note: In Azure Resource Manager, a public IP address is a resource that has its own properties. Some of the resources you can associate a
public IP address resource with are:
✑ Virtual machine network interfaces
✑ Internet-facing load balancers
✑ VPN gateways
✑ Application gateways
References:
https://docs.microsoft.com/en-us/azure/application-gateway/waf-overview https://docs.microsoft.com/en-us/azure/virtual-network/virtual-
network-ip-addresses-overview-arm

Application
Gateway is 99.95% SLA according o several Azure pages
upvoted 3 times

AG
V2 is zone-reduntant based with SLA 99.99% to be used for APP1.
upvoted 2 times

onlyfunmails
is right. question is redundant now:
https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-autoscaling-zone-redundant
upvoted 1 times

just
to update on this. correct answers would be Box 1 :AGW2 and Box 2: ELB(internet
facing -
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-ip-addresses-overview-arm#public-ip-addresses)
upvoted 1 times

AGW2
doesn't mention enabling WAF though?
upvoted 1 times

Why
is App2 ELB? App gateway also supports external IPs.
upvoted 1 times

Based
on SLA 99.95 for AG2, answer would be ELB1 ILB1
upvoted 1 times

I
think the question has a typo. The Application Gateway (even v2) only has an SLA
of 99.95 -
https://azure.microsoft.com/en-in/support/legal/sla/application-gateway/v1_2/
I'd suggest that the App Gateway with WAF meets App1 requirements (WAF gives
the SQL injection protection) and the App2 can be done with a public load
balancer. You wouldn't use an App Gateway for App2 alone as it would be more
costly than a public load balancer. Also you'd only use an internal load
balancer for connectivity between say some web apps and back-end
databases.
upvoted 16 times
HOTSPOT -
You have a task that includes a WebJob that should run continuously. The WebJob Log exhibit shows the text that is displayed when the WebJob
runs. (Click the WebJob Log tab.)
The WebJob is configured as shown in the WebJob Configuration exhibit. (Click the WebJob Configuration tab.)
The WebJob is not functioning as expected. The WebJob Code exhibit has a comment that shows where code should be added. (Click the WebJob
Code tab.)
You need to identify any issues with the WebJob. For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Hot Area:
  Oat 6 months ago

Which
is correct ?
upvoted 1 times
  Oat 5 months, 2 weeks ago

NO
NO YES YES
upvoted 1 times

-
The WebJob will run continuously as the code is written :
No - The text WebJob setup starting will output to the WebJob logs :
No - The timer-elapsed code will be invoked and run at least once:
Yes - The WebJob settings are properly configured in the Azure
portal: Yes
upvoted 13 times

No
- no while(true) ? No - the program will exit before the timer even executed
once. Timers are background threads Yes -
upvoted 2 times
should
be NO NO YES YES look at
https://vceguide.com/when-the-webjob-runs-click-the-webjob-log-tab/
upvoted 1 times
  ruiz 2 weeks, 5 days ago

NO,NO,NO,Yes
upvoted 1 times

because
the process will stop immediately
upvoted 2 times
Question #1 Topic 4
You have the Azure virtual machines shown in the following table.
You have a Recovery Services vault that protects VM1 and VM2.
You need to protect VM3 and VM4 by using Recovery Services.
A. Create a new backup policy
B. Create a new Recovery Services vault
C. Configure the extensions for VM3 and VM4
D. Create a storage account
Correct Answer: B
A Recovery Services vault is a storage entity in Azure that houses data. The data is typically copies of data, or configuration information for
virtual machines
(VMs), workloads, servers, or workstations. You can use Recovery Services vaults to hold backup data for various Azure services
References:
https://docs.microsoft.com/en-us/azure/site-recovery/azure-to-azure-tutorial-enable-replication

Location:
Select the geographic region for the vault. To create a vault to protect virtual
machines, the vault must be in the same region as the virtual machines. Ref:
https://docs.microsoft.com/en-us/azure/backup/backup-create-rs-vault
upvoted 16 times

This
is correct explanation!
upvoted 1 times
Question #2 Topic 4
You have an Azure Active Directory (Azure AD) domain that contains 5,000 user accounts. You create a new user account named AdminUser1.
You need to assign the User administrator administrative role to AdminUser1.
What should you do from the user account properties?
A. From the Directory role blade, modify the directory role
B. From the Licenses blade, assign a new license
C. From the Groups blade, invite the user account to a new group
Correct Answer: A
Assign a role to a user -
1. Sign in to the Azure portal with an account that's a global admin or privileged role admin for the directory.
2. Select Azure Active Directory, select Users, and then select a specific user from the list.
3. For the selected user, select Directory role, select Add role, and then pick the appropriate admin roles from the Directory roles list, such as
Conditional access administrator.
4. Press Select to save.
References:
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal
Question #3 Topic 4
SIMULATION -
Overview -
possible by design.
To start the lab -

You plan to prevent users from accidentally deleting blob data from Azure.
You need to ensure that administrators can recover any blob data that is deleted accidentally from the storagelod8322489 storage account for 14
days after the deletion occurred.

Task A: Create a Recovery Services vault (if a vault already exists skip this task, go to Task B below)
A1. From Azure Portal, On the Hub menu, click All services and in the list of resources, type Recovery Services and click Recovery Services
vaults.
If there are recovery services vaults in the subscription, the vaults are listed.
A2. On the Recovery Services vaults menu, click Add.
A3. The Recovery Services vault blade opens, prompting you to provide a Name, Subscription, Resource group, and Location
Task B. Create a backup goal -

B1. On the Recovery Services vault blade (for the vault you just created), in the Getting Started section, click Backup, then on the Getting Started
with Backup blade, select Backup goal.
The Backup Goal blade opens. If the Recovery Services vault has been previously configured, then the Backup Goal blades opens when you click
Backup on the
Recovery Services vault blade.
B2. From the Where is your workload running? drop-down menu, select Azure.
B3. From the What do you want to backup? menu, select Blob Storage, and click OK.
B4. Finish the Wizard.
Task C. create a backup schedule
C1. Open the Microsoft Azure Backup agent. You can find it by searching your machine for Microsoft Azure Backup.
C2. In the Backup agent's Actions pane, click Schedule Backup to launch the Schedule Backup Wizard.
C3. On the Getting started page of the Schedule Backup Wizard, click Next.
C4. On the Select Items to Backup page, click Add Items.
The Select Items dialog opens.
C5. Select Blob Storage you want to protect, and then click OK.
C6.In the Select Items to Backup page, click Next.
On the Specify Backup Schedule page, specify Schedule a backup every day, and click Next.
C7. On the Select Retention Policy page, set it to 14 days, and click Next.
C8. Finish the Wizard.

References:
https://docs.microsoft.com/en-us/azure/backup/backup-configure-vault

this
is wrong. recovery service cannot be used for blob db. for this case, we
should enable soft delete and set the retention days to 14.
upvoted 40 times
  mochi 4 months, 4 weeks ago

https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-soft-delete?tabs=azure-portal
1. In the Azure portal, select your storage account. 2. Navigate to the Data
Protection option under Blob Service. 3. Click Enabled under Blob soft delete
4. Enter the number of days you want to retain for under Retention policies
5. Choose the Save button to confirm your Data Protection settings
upvoted 37 times

you
Missed "You plan to prevent users from accidentally deleting blob data from
Azure." 1] under your storage account select 'LOCK' 2] Add new Lock Type =
DELETE
upvoted 3 times

@Famous_Guy
LOCK will lock the storage account for data deletion whether it is accidentally
or deliberatly. So Lock is not the right solution here. Just Soft delete should
be enabled.
upvoted 2 times

From
"Data Protection" > Enable "Blob soft delete" for 14 days
upvoted 7 times
  RazorCrest 3 months, 1 week ago

Agree.
This should be Soft Delete with 14 day retention.
upvoted 3 times

Should
enable soft delete with 14 days retain.
upvoted 2 times

Should
use Data protection -> "Blob soft delete"
upvoted 3 times
  CoolG 2 months ago

Agree
, this should be soft delete.
upvoted 2 times

Go
to your storage account, data protection, enable the blob soft delete and set it
to 14 days, you don't have to use the Recovery Services vault at all.
upvoted 3 times
Question #4 Topic 4
You have two Azure Active Directory (Azure AD) tenants named contoso.com and fabrikam.com.
You have a Microsoft account that you use to sign in to both tenants.
You need to configure the default sign-in tenant for the Azure portal.
What should you do?
A. From the Azure portal, configure the portal settings
B. From the Azure portal, change the directory
C. From Azure Cloud Shell, run Set-AzureRmContext
D. From Azure Cloud Shell, run Set-AzureRmSubscription
Correct Answer: B
Change the subscription directory in the Azure portal.
The classic portal feature Edit Directory, that allows you to associate an existing subscription to your Azure Active Directory (AAD), is now
available in Azure portal. It used to be available only to Service Admins with Microsoft accounts, but now it's available to users with AAD
accounts as well.
To get started:
1. Go to Subscriptions.
2. Select a subscription.
3. Select Change directory.
Incorrect Answers:
C: The Set-AzureRmContext cmdlet sets authentication information for cmdlets that you run in the current session. The context includes tenant,
subscription, and environment information.
References:
https://azure.microsoft.com/en-us/updates/edit-directory-now-in-new-portal/

C,
asked to set default, not to switch in between.
https://docs.microsoft.com/en-us/powershell/module/azurerm.profile/set-azurermcontext?view=azurermps-6.13.0
upvoted 3 times
  AWSAzureGCPArch 4 months, 2 weeks ago

Correct
answer is A. Click settings to see 'Portal Settings'. Look for ''Looking to
switch directories or filter subscriptions? 'Click here'.Select the default
Directory from the 'Set your default directory' dropdown.
upvoted 13 times

Correct
answer is A , the question is talking about Azure Portal not Azure PS.
upvoted 9 times

IMO
the answer is B. If you go to switch directory in the Portal, it allows you to
select the default directory (which is by default the last directory used).
Also, the Set-AzureRMContext only applies to the current PS session as far as I
know.
upvoted 2 times

Answer
is D C:\PS> Select-AzureSubscription -Default -SubscriptionName
ContosoFinance -SubscriptionDataFile "C:\subs\MySubscriptions.xml" This command
changes the default subscription to "ContosoFinance." It saves the setting in
the Subscriptions.xml subscription data file, instead of the default
subscription data file.
upvoted 1 times

AWSAzureGCPArch
is right
upvoted 1 times

Confirmed
that 'A' is correct by testing with my account against several different tenants
I have access too.
upvoted 2 times

Answer
C Set-AzContext -SubscriptionId
upvoted 1 times
  Strifelife 3 months ago

Actually
B seems to be right. It's feature that was requested.
https://feedback.azure.com/forums/223579-azure-portal/suggestions/6239996-choose-default-directory
upvoted 1 times
  ChePunk 2 months ago

Agree
with @AWSAzureGCPArch, the correct answer is "A". I try it on my Azure portal,
it works.
upvoted 1 times
  Russel 2 months ago

B
is correct switch directory will give the option of change default
directory.
upvoted 1 times

I
tested in my multi-tenant portal and found that "B" is correct. Go to portal
click on "Switch Directory" and here you will get list of all directories, just
click on "star" sign on directory name whom you want to set as
default.
upvoted 2 times
Question #5 Topic 4
HOTSPOT -
You network contains an Active Directory domain named adatum.com and an Azure Active Directory (Azure AD) tenant named
adatum.onmicrosoft.com.
Adatum.com contains the user accounts in the following table.
Adatum.onmicrosoft.com contains the user accounts in the following table.
You need to implement Azure AD Connect. The solution must follow the principle of least privilege.
Which user accounts should you use? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Box 1: User5 -
In Express settings, the installation wizard asks for the following:
AD DS Enterprise Administrator credentials
Azure AD Global Administrator credentials
The AD DS Enterprise Admin account is used to configure your on-premises Active Directory. These credentials are only used during the
installation and are not used after the installation has completed. The Enterprise Admin, not the Domain Admin should make sure the
permissions in Active Directory can be set in all domains.
Box 2: UserA -
Azure AD Global Admin credentials are only used during the installation and are not used after the installation has completed. It is used to
create the Azure AD
Connector account used for synchronizing changes to Azure AD. The account also enables sync as a feature in Azure AD.
References:
https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-accounts-permissions
Agree:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-install-prerequisites#before-you-install-azure-ad-connect
upvoted 5 times

Documentation
says "If you use Express settings" but if you want to follow the least
privileges principle you may need to follow the advanced setup path which allows
you to use a different level.
upvoted 2 times
Question #6 Topic 4
You sign up for Azure Active Directory (Azure AD) Premium.

You need to add a user named admin1@contoso.com ad an administrator on all the computers that will be joined to the Azure AD domain.
What should you configure in Azure AD?
A. Providers from the MFA Server blade
B. General settings from the Groups blade
C. Device settings from the Devices blade
D. User settings from the Users blade
Correct Answer: D
When you connect a Windows device with Azure AD using an Azure AD join, Azure AD adds the following security principles to the local
administrators group on the device:
✑ The Azure AD global administrator role
✑ The Azure AD device administrator role
The user performing the Azure AD join
In the Azure portal, you can manage the device administrator role on the Devices page. To open the Devices page:
1. Sign in to your Azure portal as a global administrator or device administrator.
2. On the left navbar, click Azure Active Directory.
3. In the Manage section, click Devices.
4. On the Devices page, click Device settings.
5. To modify the device administrator role, configure Additional local administrators on Azure AD joined devices.
References:
https://docs.microsoft.com/en-us/azure/active-directory/devices/assign-local-admin

so
the correct answer is : C
upvoted 18 times

Agree,
as per the Devices blade under Device Settings, you can configure "Additional
local administrators on Azure AD joined devices" and select members.
upvoted 10 times

the
correct answer ( to my understanding) is D. The explanation given is just
unrelated and irrelevant to question asked. you assign admin role to users via
user setting and he/she assumes admin role .. simple as that. but I cant figure
out why the explanation talks about devices using AD join.
upvoted 2 times

The
answer is C. You must go to device settings to add additional local
administrators devices joining Azure AD.
upvoted 8 times
  Matt_t 5 months, 1 week ago

The
explanation talks about c but the answer is selected as D. Is this correct
?
upvoted 1 times

I
don’t see this option in device settings now. Does it require a different
license?
upvoted 1 times
  wigger 3 months, 1 week ago

"Requires
AD Premium tenant"
https://docs.microsoft.com/en-us/azure/active-directory/devices/assign-local-admin
upvoted 1 times

Correct
answer is C = Additional local administrators on Azure AD joined devices Change
to Selected and select the Users or Groups
upvoted 5 times

The
answer is C, under modify the device administrator role, configure Additional
local administrators on Azure AD joined devices.
upvoted 1 times

C
is correct:
http://www.rebeladmin.com/2017/12/step-step-guide-add-additional-local-administrators-azure-ad-joined-devices/
upvoted 3 times

Go
to Azure AD blade -> Devices -> Device Settings Here you will see option
of "Additional local Administrator on Azure AD joined devices", click on
selected and add the name of administrator whom you want to add. So option "C"
is correct. Tested in lab.
upvoted 4 times

However
if they ask to choose 2 answers then D is also correct as you can assign role
"Cloud Device Administrator" from "User"->"Assigned Roles" blade which will
also do the same job.
upvoted 1 times
Question #7 Topic 4
SIMULATION -
Overview -
possible by design.
To start the lab -

You plan to protect on-premises virtual machines and Azure virtual machines by using Azure Backup.
You need to prepare the backup infrastructure in Azure. The solution must minimize the cost of storing the backups in Azure.

First, create Recovery Services vault.
Step 1: On the left-hand menu, select All services and in the services list, type Recovery Services. As you type, the list of resources filters. When
you see
Recovery Services vaults in the list, select it to open the Recovery Services vaults menu.
Step 2: In the Recovery Services vaults menu, click Add to open the Recovery Services vault menu.
Step 3: In the Recovery Services vault menu, for example,
Type myRecoveryServicesVault in Name.
The current subscription ID appears in Subscription. If you have additional subscriptions, you could choose another subscription for the new
vault.
For Resource group select Use existing and choose myResourceGroup. If myResourceGroup doesn't exist, select Create new and type
myResourceGroup.
From the Location drop-down menu, choose West Europe.
Click Create to create your Recovery Services vault.
References:
https://docs.microsoft.com/en-us/azure/backup/tutorial-backup-vm-at-scale

"The
solution must minimize the cost of storing the backups in Azure." - Should the
Backup Configuration be changed to Locally-redundant replication to meet this
requirement?
upvoted 10 times

The
Services Recovery Vault needs to be edited, after being created, under Setings -
Properties - Backup Configuration - Update - LRS because we are asked to
minimize cost.
upvoted 22 times

LRS
should be configured for storage account to minimize cost.
upvoted 1 times
Question #8 Topic 4
You have an Azure virtual machine named VM1 that you use for testing. VM1 is protected by Azure Backup.
You delete VM1.
You need to remove the backup data stored for VM1.
A. Delete the storage account
B. Stop the backup
C. Modify the backup policy
D. Delete the Recovery Services vault
Correct Answer: C
Azure Backup provides backup for virtual machines "" created through both the classic deployment model and the Azure Resource Manager
deployment model "" by using custom-defined backup policies in a Recovery Services vault.
With the release of backup policy management, customers can manage backup policies and model them to meet their changing requirements
from a single window. Customers can edit a policy, associate more virtual machines to a policy, and delete unnecessary policies to meet their
compliance requirements.
Incorrect Answers:
D: You can't delete a Recovery Services vault if it is registered to a server and holds backup data. If you try to delete a vault, but can't, the vault
is still configured to receive backup data.
References:
https://azure.microsoft.com/en-in/updates/azure-vm-backup-policy-management/

I
think it is B. you need to stop backup and the you will be able to remove
it
upvoted 23 times

Yes,
even while stopping it will ask to retain/delete its backup also.
upvoted 2 times

Yes,
B is correct. Explenation for D is correct also. But you have to stop the backup
and have to choose what you want to do with the backup data. Here you choose
"delete". When you have soft delete enabled you have to wait for 14 days. If its
not enabled you can delete the recovery vault immeditly. hope it
helps.
upvoted 2 times

It
can't be C. A backup policy applies to multiple VMs, including the future ones
if that is the default policy. You don't need to edit any policy in order to
delete backups.
upvoted 2 times

I
beleive it is B. Stop backup and delete recovery services vault, if no other
backups.
https://docs.microsoft.com/en-us/azure/backup/tutorial-backup-vm-at-scale
upvoted 4 times
  Carlos 4 months, 2 weeks ago

The
right answer is B as seen on this link -
https://docs.microsoft.com/en-us/azure/backup/tutorial-backup-vm-at-scale.
@AnshMan is equally correct
upvoted 4 times

answer
is B
upvoted 1 times
  VivianZh 1 month ago

B is correct.
I tried out it on Azure portal.
upvoted 3 times

Answer
is B ..Stop the backup.
upvoted 1 times

"C"
is correct option. Verified at Lab. Since VM is deleted so you can not stop the
backup by going to VM. So you need to go to vault -> Backup policies ->
<choose the policy which is applied to your deleted VM> click on it ->
Now list of all VMs displayed which are being backup using this policy. Right
click on your deleted VM and "stop backup", once you stop backup now "delete
backup data" which was greyed out earlier will be available, just click and
delete backup data too.
upvoted 4 times
  ExamGuy01 6 days, 16 hours ago

Is
milind8451 correct? You can't really stop the backup from the VM backup blade
since the VM is already deleted... So i would agree with C as correct
answer.
upvoted 1 times
Question #9 Topic 4
You have an Azure subscription named Subscription1. You deploy a Linux virtual machine named VM1 to Subscription1.
You need to monitor the metrics and the logs of VM1.
What should you use?
A. the AzurePerformanceDiagnostics extension
B. Linux Diagnostic Extension (LAD) 3.0
C. Azure Analysis Services
D. Azure HDInsight
Correct Answer: A
You can use extensions to configure diagnostics on your VMs to collect additional metric data.
The basic host metrics are available, but to see more granular and VM-specific metrics, you need to install the Azure diagnostics extension on
the VM. The Azure diagnostics extension allows additional monitoring and diagnostics data to be retrieved from the VM.
References:
https://docs.microsoft.com/en-us/azure/virtual-machines/linux/tutorial-monitoring

to
me it's B Linux Diagnostic Extension LAD 3.0 - source
https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/diagnostics-linux
upvoted 16 times

Yes,
it appears to be B.
upvoted 5 times
Yes B, A only works on Windows computers.
upvoted 3 times

it
works for linux too
https://docs.microsoft.com/en-us/azure/virtual-machines/troubleshooting/performance-diagnostics
upvoted 2 times

maybe
you are right it's confusing, the extension is only for windows
https://docs.microsoft.com/en-us/azure/virtual-machines/troubleshooting/performance-diagnostics-vm-extension
but the Azure performance diagnostic service works in most VMs, so probably is
B
upvoted 1 times
  lalaala 3 months ago

lol.
no it doesn't..
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/diagnostics-extension-overview?toc=/azure/virtual-
machines/extensions/toc.json,
upvoted 1 times
  Tsachi 3 months, 3 weeks ago

this
is definitely B. Linux:
Windows:
upvoted 3 times

i
belive it is A ,if linux or win , the sys knows , which type
upvoted 1 times

Performance
diagnostics for Azure virtual machines. Supported operating systems Windows
Windows 10, Windows 8, Windows 8 Enterprise, Windows 8 Pro, Windows 8.1,
Windows Server 2016, Windows Server 2012, Windows Server 2012 Datacenter,
Windows Server 2012 R2, Windows Server 2012 R2 Datacenter, Windows Server 2012
R2 Standard, Windows Server 2012 Standard, Windows Server 2008 R2, Windows
Server 2008 R2 Datacenter, Windows Server 2008 R2 Enterprise, Windows Server
2008 R2 Foundation, Windows Server 2008 R2 SP1, Windows Server 2008 R2 Standard.
Linux Oracle Linux Server 6.10 [*], 7.3, 7.6, 7.5 (Oracle-Database-Ee 13.8
marketplace image), CentOS 6.5 [*], 7.6, RHEL 7.2, 7.5, 8.0 [*], Ubuntu 14.04,
16.04, 18.04, Debian 8, 9, 10 [*], SLES 12 SP4 [*]
upvoted 1 times
  Ansul 2 months, 1 week ago

Answer is B
upvoted 3 times

Answr is B:
LAD3.0 captures metrics and syslogs
upvoted 3 times

the
AzurePerformanceDiagnostics extension
upvoted 1 times
B
is correct.
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/diagnostics-extension-overview?toc=/azure/virtual-machines/extensions/toc.json
upvoted 1 times

Performance diagnostic is only specific to VM
performance -
Question is related to metrics and logs, which will be done by either win or
linux diagnostic extension -
(for linux)
(for windows)
upvoted 2 times
  ExamGuy01 2 days, 16 hours ago

Use
Linux Diagnostic Extension to monitor metrics and logs ref:
upvoted 1 times
You have two Azure virtual machines named VM1 and VM2.
You have two Recovery Services vaults named RSV1 and RSV2. VM2 is protected by RSV1.
You need to use RSV2 to protect VM2.
A. From the RSV2 blade, click Backup. From the Backup blade, select the backup for the virtual machine, and then click Backup
B. From the RSV1 blade, click Backup items and stop the VM2 backup
C. From the VM2 blade, click Disaster recovery, click Replication settings, and then select RSV2 as the Recovery Services vault
D. From the RSV1 blade, click Backup Jobs and export the VM2 job
Correct Answer: C
References:
https://docs.microsoft.com/en-us/azure/backup/backup-azure-vms-first-look-arm

not
sure if B is not a better option. You need to stop a backup and then you are
able to change the recovery vault.
upvoted 13 times

Agree,
First RSV1 backup need to be stopped.
upvoted 6 times

Agree
with the other comments here. First, you can't backup a VM that is already being
backed up by a RSV. Secondly, using the replication feature, without any further
detail (including whether the RSV2 is in the same region or not) doesn't really
fulfill the basic requirement. Admittedly, the question is worded rather
vaguely. I guess going by the exact wording, C is worded incorrectly as there
isn't "technically" a separate Replication Settings blade/tab as such but is
part of the Advanced settings under Disaster Recovery.
upvoted 3 times

C
is incorrect , you cannot replicate VM to the same rejoin
upvoted 2 times

There
is a comment in the article bellow: "Verify that another backup service is not
running"
https://docs.microsoft.com/en-us/azure/backup/backup-azure-vms-troubleshoot#basic-troubleshooting
So, I agree all of you, the correct answer is B.
upvoted 3 times

C: is correct.
You can use RSV2 under VM->Disaster Recovery->Advanced
setting->Replication settings.
upvoted 2 times
  tmurfet 1 month, 4 weeks ago

Was
this verified by testing?
upvoted 1 times

Yes,
verified with a test. C is correct.
upvoted 1 times
  Derek_O2018 1 month, 3 weeks ago

I
believe that the answer is B. The replication settings of a VM serve to create a
new environment in case of a disaster. This question is in the context of
backing up a VM.
upvoted 3 times
  mhkim91 1 month, 2 weeks ago

I
think the question is too vague to pick up an answer. But once you make RSV1 and
RSV2 in the different region and go on "C", it does work. I've tested it on my
Azure subscription.
upvoted 3 times
  Gjferweb 3 weeks ago

It seems C is
correct BUT the vault or resource group can NOT be in the same region of source
VM, which isn´t stated in the question.
upvoted 1 times
  frenzy 3 weeks, 4 days ago

The
question does not state VM2 is backed up by RSV1. It just states that it is
protected by RSV1. Therefore C is the correct answer.
upvoted 3 times

U
need to first stop the Backup before apply the change to Recovery
vault..
upvoted 1 times

"C"
is correct, verified in lab.
upvoted 1 times
You have a resource group named RG1. RG1 contains an Azure Storage account named storageaccount1 and a virtual machine named VM1 that
runs Windows
Server 2016.
Storageaccount1 contains the disk files for VM1.
You apply a ReadOnly lock to RG1.
What can you do from the Azure portal?
A. Start VM1
B. Upload a blob to storageaccount1
C. View the keys of storageaccount1
D. generate an automation script for RG1
Correct Answer: C
ReadOnly allows authorized users to read a resource, but they can't delete or update the resource. Applying this lock is similar to restricting all
authorized users to the permissions granted by the Reader role.
References:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-lock-resources

not
sure if viewing the keys and listing the keys are considered equivalent..
microsoft doc says this "A ReadOnly lock on a storage account prevents all
users from listing the keys." ( URL :
https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-lock-resources)
upvoted 8 times

It's
D, I did a lab for this question.
upvoted 23 times

Answer
is D, I have tried this on my subscription
upvoted 19 times
  Nilabh 2 months, 3 weeks ago

I
just checked It's D - "Access blocked The resource is locked Cannot access the
data plane because of a read lock on the resource or its parent."
upvoted 2 times

A/B/C
are excluded from docs,
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources#how-locks-are-applied
upvoted 3 times

I
tested is well. Its D
upvoted 3 times
  aydarsh 1 month ago

Answer
is B: Upload a blob to storageaccount1
upvoted 1 times

No,
you can't. Try in lab.
upvoted 2 times

Here
is a para from MS docs - A ReadOnly lock on a resource group that contains a
virtual machine prevents all users from starting or restarting the virtual
machine. These operations require a POST request
upvoted 1 times

When
you enable "Read only" lock on a RG , you can not see Access keys of all storage
account under that RG. Tried it in lab. So ans is "D".
upvoted 4 times

D
is correct. Tested on lab.
upvoted 1 times

SIMULATION -
Overview -
possible by design.
To start the lab -

You plan to grant the members of a new Azure AD group named corp8548987 the rights to delegate administrative access to any resource in the
resource group named corp8548987.
You need to create the Azure AD group, and then to assign the correct role to the group. The solution must use the principle of least privilege and
minimize the number of role assignments.

Step 1:
Click Resource groups from the menu of services to access the Resource Groups blade
Step 2:
Click Add (+) to create a new resource group. The Create Resource Group blade appears. Enter corp8548987 as the Resource group name, and
click the Create button.
Step 3:
Select Create.
Your group is created and ready for you to add members.
Now we need to assign a role to this resource group scope.
Step 4:
Choose the newly created Resource group, and Access control (IAM) to see the current list of role assignments at the resource group scope.
Click +Add to open the Add permissions pane.
Step 5:
In the Role drop-down list, select a role Delegate administration, and select Assign access to: resource group corp8548987
References:
https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal
https://www.juniper.net/documentation/en_US/vsrx/topics/task/multi-task/security-vsrx-azure-marketplace-resource-group.html

the
role is called User Access Administration
upvoted 15 times

There
is no role ''Delegated Admin..." available in azure
upvoted 1 times

1)
Create Security Group 2) On the RG Assign the "User Access Administrator" role
to the newly created group
upvoted 10 times

The
question said: " delegate administrative access to any resource in the resource
group named" The Permissions of "User Access Administrator" by example "Compute"
are READ access, so you don't have administrative access. In my opinion: 1)
Create Security Group corp8548987 2) Create AD group named corp8548987 3) In
corp8548987 select IAM / +Add / Add Role Assigment / Select Owner Role / Select
Now only corp8548987 resource group can be administrated by corp8548987
segurity groyp members.
upvoted 10 times
  raju11 3 months, 1 week ago

Create
a new AD group called corp8548987 in "azure AD portal" and switch to the
resource group page and in that under "AccessControl", do the role of assignment
of Owner/Contributor. I believe it should be "Owner" as the ask is to delegate
administrative access.
upvoted 2 times

let's
say that the lab is asking to provide LEAST (minimun) permission to a group and
that group could "delegate access" it means, they are able to provide
permissions to specific resources to any user... SO... IMHO... I think the role
should (RBAC) "User Access Administrator" -> Lets you manage user access to
Azure resources. This is more restrictive that owner in the sense that you are
not asked in the lab to allow full access but "delegate admin access" so, better
option is to choose "User Access Administrator" as the role. Make
sense?
upvoted 12 times

Yes,
"User Access Administrator" is a right answer
upvoted 1 times

Tested
in a lab. Azure AD User1 added to corp8548987 AD group. Assigned "User Access
Administrator" role to the group in IAM of the corp RG. Logon in-private with
User1 and assigned owner permission to corp RG using Azure AD User2. All
OK
upvoted 5 times
  PS36363 2 months, 1 week ago

You
need to create AD group named corp8548987 You also need to create resource group
named corp8548987. Then go to the IAM from RG corp8548987 and select role “User
Access Administrator” Under ‘Select’ your AD group corp8548987 will appear, now
select this and click on ‘Save’.
upvoted 11 times

it's
the contributor role
upvoted 1 times
https://docs.microsoft.com/en-us/azure/role-based-access-control/overview
Owner - Has full access to all resources including the right to delegate access
to others. Contributor - Can create and manage all types of Azure resources but
can't grant access to others. Reader - Can view existing Azure resources. User
Access Administrator - Lets you manage user access to Azure resources AD group
and "User Access Administrator" for me is the correct answer
upvoted 1 times

Least
privilege - User Access Admin to delegate access. That being said, you need to
create both RG and AD group. Then go to the RG, IAM then Click on Add, Add Role
Assignment where the Role will be User Access Administrator which lets you
manage the resources, select the AD group.
upvoted 1 times
You download an Azure Resource Manager template based on an existing virtual machine. The template will be used to deploy 100 virtual
machines.
You need to modify the template to reference an administrative password. You must prevent the password from being stored in plain text.
What should you create to store the password?
A. an Azure Key Vault and an access policy.
B. an Azure Storage account and an access policy.
C. Azure Active Directory (AD) Identity Protection and an Azure policy.
D. a Recovery Services vault and a backup policy.
Correct Answer: A

Azure
key vault will securely store your passwords which can be accessed by
applications without viewing it in plain text.
upvoted 3 times
DRAG DROP -
You maintain an existing Azure SQL Database instance. Management of the database is performed by an external party. All cryptographic keys are
stored in an
Azure Key Vault.
You must ensure that the external party cannot access the data in the SSN column of the Person Table.
Will each protection method meet the requirement? To answer, drag the appropriate responses to the correct protection methods.
Each response may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
Select and Place:
Correct Answer:
References:
https://docs.microsoft.com/en-us/azure/security/azure-database-security-overview
  Serena_C 3 months ago

I think this
should be cell-level encryption, according to MS doc below, Cell-level
encryption is available to encrypt specific columns or even cells of data with
different encryption keys.
https://docs.microsoft.com/en-us/azure/security/fundamentals/database-security-overview
upvoted 2 times
  Syd 2 months, 4 weeks ago

Correct.
Answer no,no,no,no Alwayson is for high availability and disaster recovery
solution introduced when SQL Server 2012 was launched and above
versions.
upvoted 1 times
  jcarlos 2 months, 3 weeks ago

Completely
agree unless there is typo in the answer and they mean always encrypted (there
is no such thing AlwaysOn Encryption). If there is an error in the wording then
it would be yes-no-no-no
upvoted 3 times

yep,
or a trap for alwayson availability groups? if a trap, kinda lame
upvoted 1 times

This
is certainly a typo in the question. It should be "Always encrypted"
https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/always-encrypted-database-engine?view=sql-server-ver15
upvoted 3 times
  AnilV 2 weeks, 1 day ago

it
should be always encrypted
upvoted 1 times

AlwaysOn
dosent exist... Always Encrypted does... All No.
upvoted 1 times
  Daltonic75 2 months ago

Same
question but different answer in
upvoted 3 times

agree with that Yes No Yes NO
https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/always-encrypted-database-engine?view=sql-server-ver15
In SQL Database, the VIEW permissions aren't granted by default to the public
fixed database role. This enables certain existing, legacy tools (using older
versions of DacFx) to work properly. Consequently, to work with encrypted
columns (even if not decrypting them) a database administrator must explicitly
grant the two VIEW permissions.
upvoted 2 times

You are correct but I am thinking each answer must be a
correct solution. If you assign the public fixed data base role, you cannot just
assume the column was encrypted. Therefore the only answer that presents a
correct solution to the question is always encrypted setting.
upvoted 1 times

YES/NO/NO/NO
upvoted 5 times

Always
Encrypted is a feature designed to protect sensitive data, such as credit card
numbers or national identification numbers (for example, U.S. social security
numbers), stored in Azure SQL Database or SQL Server databases. So it should be
"Always Encrypted" instead of "Always on Encryption". I think its a
ttypo.
upvoted 1 times
Your network contains an Active Directory forest named fabrikam.com. The forest contains two child domains named corp.fabrikam.com and
research.fabrikam.com.
You have an Azure subscription that contains an Azure Active Directory (Azure AD) tenant named contoso.com.
You install Azure AD Connect and sync all the on-premises user accounts to the Azure AD tenant. You implement seamless single sign-on (SSO).
You plan to change the source of authority for all the user accounts in research.fabrikam.com to Azure AD.
You need to prevent research.fabrikam.com from resyncing to Azure AD.
Solution: From the Azure Active Directory admin center, you delete a custom domain.
A. Yes
B. No
Correct Answer: B
Instead you should customize the default synchronization rule.
Note:
To delete a custom domain name, you must first ensure that no resources in your directory rely on the domain name. You can't delete a domain
name from your directory if:
✑ Any user has a user name, email address, or proxy address that includes the domain name.
✑ Any group has an email address or proxy address that includes the domain name.
✑ Any application in your Azure AD has an app ID URI that includes the domain name.
References:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-create-custom-sync-rule
Solution: You use the Synchronization Service Manager.
A. Yes
B. No
Correct Answer: B
Note: The Synchronization Service Manager UI is used to configure more advanced aspects of the sync engine and to see the operational
aspects of the service.
References:
You have an Azure solution that uses Multi-Factor Authentication for added security when users are outside of the office. The usage model has
been set to Per
Authentication.
Your company acquires another company and adds the new staff to Azure Active Directory (Azure AD). New staff members must use Multi-Factor
Authentication.
You need to change the usage model to Per Enabled User.
A. Create a new Multi-Factor Authentication provider and reconfigure the usage model.
B. Create a new Multi-Factor Authentication provider with a backup from the current Multi-Factor Authentication provider data.
C. Use the Azure portal to change the current usage model.
D. Use Azure CLI to change the current usage model.
Correct Answer: B
Since it is not possible to change the usage model of an existing provider as it is right now, you have to create a new one and reactivate your
existing server with activation credentials from the new provider.
References:
https://365lab.net/2015/04/11/switch-usage-model-in-azure-multi-factor-authentication-server/
  RazorCrest 3 months, 1 week ago

A
and B are not an option because you can no longer create MFA Provider
upvoted 5 times

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates
indicates that this can be done using Portal or PowerShell -- don't see Azure
CLI mentioned.
upvoted 1 times

Correction,
you have to first delete the existing MFA provider -- so this question is no
longer valid at all --
https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-authprovider
upvoted 2 times

Effective
September 1st, 2018 new auth providers may no longer be created. Existing auth
providers may continue to be used and updated, but migration is no longer
possible. Multi-factor authentication will continue to be available as a feature
in Azure AD Premium licenses.
upvoted 1 times

This
ques invalid as per current changes in Azure.
upvoted 1 times
Your network contains an on-premises Active Directory and an Azure Active Directory (Azure AD) tenant.
You deploy Azure AD Connect and configure pass-through authentication?
Your Azure subscription contains several web apps that are accessed from the Internet.
You plan to enable Azure Multi-Factor Authentication (MFA) for the Azure tenant.
You need to recommend a solution to prevent users from being prompted for Azure MFA when they access the web apps from the on-premises
network.
What should you include in the recommendation?
A. a site-to-site VPN between the on-premises network and Azure
B. an Azure policy
C. an Azure ExpressRoute circuit
D. trusted IPs
Correct Answer: D
The Trusted IPs feature of Azure Multi-Factor Authentication is used by administrators of a managed or federated tenant. The feature bypasses
two-step verification for users who sign in from the company intranet. The feature is available with the full version of Azure Multi-Factor
Authentication, and not the free version for administrators.
References:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings#trusted-ips

Answer is D
but using a trusted IP is the "WORST" MFA that any business has to
use.
upvoted 1 times
You are the global administrator for an Azure Active Directory (Azure AD) tenant named adatum.com.
You need to enable two-step verification for Azure users.
What should you do?
A. Create an Azure AD conditional access policy.
B. Configure a playbook in Azure Security Center.
C. Enable Azure AD Privileged Identity Management.
D. Install an MFA Server.
Correct Answer: A
References:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-getstarted
Solution: You use the Azure AD Connect wizard.
A. Yes
B. No
Correct Answer: B
Note: The Synchronization Service Manager UI is used to configure more advanced aspects of the sync engine and to see the operational
aspects of the service.
References:
  Adrian1405 5 months, 1 week ago

I
would choose Yes. From Azure AD Connect wizard reconfigure the entire
configuration and exclude research.fabrikam.com domain.
upvoted 17 times

I
agree, once you Clone the existing rule, you modified and exclude the child
domain from synching
upvoted 1 times

Using
Azure AD Connect Wizard doesn't seem appropriate for: "You plan to change the
source of authority for all the user accounts in research.fabrikam.com to Azure
AD."
upvoted 2 times
HOTSPOT -
You are developing an Azure Web App. You configure TLS mutual authentication for the web app.
You need to validate the client certificate in the web app. To answer, select the appropriate options in the answer area.
NOTE: Each correct selection s worth one point.
Hot Area:
Correct Answer:

https://docs.microsoft.com/en-us/azure/app-service/app-service-web-configure-tls-mutual-auth#enable-client-certificates
upvoted 5 times
You have a Recovery Service vault that you use to test backups. The test backups contain two protected virtual machines.
You need to delete the Recovery Services vault.
A. From the Recovery Service vault, delete the backup data
B. Modify the disaster recovery properties of each virtual machines
C. Modify the locks of each virtual machine
D. From the Recovery Service vault, stop the backup of each backup item
Correct Answer: D
You can't delete a Recovery Services vault if it is registered to a server and holds backup data. If you try to delete a vault, but can't, the vault is
still configured to receive backup data.
Remove vault dependencies and delete vault
In the vault dashboard menu, scroll down to the Protected Items section, and click Backup Items. In this menu, you can stop and delete Azure
File Servers, SQL
Servers in Azure VM, and Azure virtual machines.
References:
https://docs.microsoft.com/en-us/azure/backup/backup-azure-delete-vault

A.
You have to delete backup data before you can delete the recovery services
vault
upvoted 1 times

Misread,
the question asked "What should you do first?" D is correct
upvoted 17 times

We
are missing one thing here, while stop backup, there is an option to "delete
backup data". So answer would be "stop backup", for what we do first?.
upvoted 2 times

what
about the existing locks ? the question mentioned "protected VMs" and there is
an answer saying "stop locks on each VM"
upvoted 3 times

I
think here "protected" means they are being backed up. Also, I don't think the
backup entity is logically tied to the VM, so a VM RO lock probably wouldn't
prevent you from stopping a backup.
upvoted 7 times
Solution: You use Active Directory Domains and Trusts from a computer joined to fabrikam.com.
A. Yes
B. No
Correct Answer: B
Note:
To delete a custom domain name, you must first ensure that no resources in your directory rely on the domain name. You can't delete a domain
name from your directory if:
✑ Any user has a user name, email address, or proxy address that includes the domain name.
✑ Any group has an email address or proxy address that includes the domain name.
Any application in your Azure AD has an app ID URI that includes the domain name.
References:
HOTSPOT -
Your organization has developed and deployed several Azure App Service Web and API applications. The applications use Azure SQL Database to
store and retrieve data. Several departments have the following requests to support the applications:
You need to recommend the appropriate Azure service for each department request.
What should you recommend? To answer, configure the appropriate options in the dialog box in the answer area.
Hot Area:
Correct Answer:
References:
https://docs.microsoft.com/en-us/azure/sql-database/transparent-data-encryption-azure-sql
  Serena_C 3 months ago

Why Box 3 is
MSI? not key vault?
upvoted 1 times

I
think its because of this.
https://docs.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-connect-msi
Tutorial: Secure Azure SQL Database connection from App Service using a
managed identity
upvoted 3 times
  test777 19 hours, 21 minutes ago

In
the question it says "Protect Azure SQL Database connection strings" and link
that you've provided says "Secure Azure SQL Database connection". Connection and
connection string is not that same thing, MSI can not protect connection string,
so if question text is correct, I think Key Vault should be the answer
upvoted 1 times

I
think Key vault is for box 3 as well because They want to protect the connection
string which can be stored securely in a key vault. Managed identity can not
secure connection string.
upvoted 3 times
Question #1 Topic 5
SIMULATION -
Overview -
possible by design.
To start the lab -

You need to create a function app named corp8548987n1 that supports sticky sessions. The solution must minimize the Azure-related costs of
the App Service plan.

Step 1:
Select the New button found on the upper left-hand corner of the Azure portal, then select Compute > Function App.
Step 2:
Use the function app settings as listed below.
App name: corp8548987n1
Hosting plan: Azure App Service plan (required for sticky sessions)
Pricing tier of the App Service plan: Shared compute: Free
Step 3:
Select Create to provision and deploy the function app.
References:
https://docs.microsoft.com/en-us/azure/azure-functions/functions-create-function-app-portal

Sticky
sessions is on by default, so you just need to create a function app in a free
App Service plan. Setting can be viewed in configuration->general settings
of the function app. Setting name is ARR affinity.
upvoted 12 times

This
correct, you just need to make sure to select the App service plan during
deployment
upvoted 2 times
  megasema 5 months, 1 week ago

Free App service plan doesn't support functions, you
would need at least Basic one.
upvoted 2 times

Agree,
should be at least Basic plan for functions,
https://azure.microsoft.com/en-in/pricing/details/app-service/plans/
upvoted 1 times

I
think now is named Session affinity
upvoted 2 times

Free
service plan has "session affinity"
upvoted 2 times

ARR
Affinity option exist in the :F1: Free: ASP tier
upvoted 2 times

So,
"1) Create Function App 2) Hosting Plan: App Service Plan ( required for sticky
sessions ) 3) ASP pricing Tier : Free"
upvoted 13 times
  Mathew 4 months, 1 week ago

any
Runtime stack ?
upvoted 2 times

For
Operating System, you must select the Windows option otherwise you cannot modify
the Sku size to select the Free pricing tier.
upvoted 1 times

Using
Linux, you can have Free F1, I did a lab and verified.
upvoted 5 times
  sameer2803 3 weeks, 5 days ago

when
u create a function app in shared app service plan it gives a warning "
'AlwaysOn' is not enabled. Your app may not function properly". And 'AlwaysOn'
can only be enabled in basic app service plan. so they should not allow the
function app to be deployed in free tier at the first place. but I guess to
answer this question we are good with the answer displayed.
upvoted 1 times

Sticky
session is on by default as others mentioned. You just have to create a Function
App, select a run time stack (I choose .Net), Hosting plan should be App Service
Plan, OS - Linux/Windows, and select the Free plan. I found a free one in Linux
and click create.
upvoted 2 times
Question #2 Topic 5
SIMULATION -
Overview -
possible by design.
To start the lab -

You need to create a web app named corp8548987n2 than can be scaled horizontally. The solution must use the lowest possible pricing tier for
the App Service plan.

Step 1:
In the Azure Portal, click Create a resource > Web + Mobile > Web App.
Step 2:
Use the Webb app settings as listed below.
Web App name: corp8548987n2
Hosting plan: Azure App Service plan
Pricing tier of the Pricing Tier: Standard
Change your hosting plan to Standard, you can't setup auto-scaling below standard tier.
Step 3:
Select Create to provision and deploy the Web app.
References:
https://docs.microsoft.com/en-us/azure/app-service/environment/app-service-web-how-to-create-a-web-app-in-an-ase
https://azure.microsoft.com/en-us/pricing/details/app-service/plans/

Not
sure if standard plan is the right answer. Question doesn't specify autoscaling,
only scaling. If objective is lowest possible price then Basic plan also
supports manual scaling upto 3 instances.
upvoted 13 times

Question
also says "The solution must use the lowest possible pricing tier for the App
Service plan". So, I agree with you...Basic Service Plan seems more
appropriate.
upvoted 4 times

Agreed,
the question doesn't require autoscale but just the ability to scale. The Basic
plan allows for manual scaling and so I think Basic is correct.
upvoted 1 times

Maybe
we are supposed to notice that the name is prefixed "corp" and therefore a
production workload - and thus S1 is the right answer.
upvoted 1 times

B1 will do since it supports manual scaling.
upvoted 2 times
  Famous_Guy 3 weeks, 6 days ago

Horizontal
scaling is Adding more instances. I did lab and found that you need Minimum Plan
B1 to scale upto 3 instances. I don't know where do u see Basic / Standard
Service Plan ?
upvoted 1 times

It
doesn't say Auto scaling, so you can go with B1 which allows manual scaling up
to 3 instances to save costs. S1 is the easiest answer if it says anything about
autoscaling.
upvoted 1 times
Question #3 Topic 5
SIMULATION -
Overview -
possible by design.
To start the lab -

You need to deploy an application gateway named appgw1015 to meet the following requirements:
✑ Load balance internal IP traffic to the Azure virtual machines connected to subnet0.
✑ Provide a Service Level Agreement (SLA) of 99,99 percent availability for the Azure virtual machines.

Step 1:
Click New found on the upper left-hand corner of the Azure portal.
Step 2:
Select Networking and then select Application Gateway in the Featured list.
Step 3:
Enter these values for the application gateway:
appgw1015 - for the name of the application gateway.
SKU Size: Standard_V2 -

The new SKU [Standard_V2] offers autoscaling and other critical performance enhancements.
Step 4:
Accept the default values for the other settings and then click OK.
Step 5:
Click Choose a virtual network, and select subnet0.
References:
https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-create-gateway-portal

internal
IP is only supported by "standard" version. you need to have an empty subnet to
deploy AG (GW subnet is not supported)
upvoted 3 times

true
i agree
upvoted 1 times

and
you need to connect to particular VM/IP/etc. there is no option to connect to
subnet
upvoted 3 times

Couple
of questions: Since Vm are connected to Subnet0, how do you connect a AG to
Subnet0? AG requires empty subnet. How to achieve 99.99 SLA? AG only give
99.95.
upvoted 2 times

you
need to put your VM to AZ
upvoted 1 times

99.99%
SLA - sounds like Availablity Zone required so Standard V2 with 2 availability
zones connected?
upvoted 4 times

Yes,
you will need to pick 2 availability zone to get the 99.99% SLA, if I could
paste screenshot I would from my lab environment
upvoted 3 times
  PeterWL 2 months, 1 week ago

Can
anyone give me any MS Official articles to confirm that AG_V2 will be guaranteed
SLA 99.99%?
https://azure.microsoft.com/en-us/support/legal/sla/application-gateway/v1_2/
We can get the SLA of Backend Pool of VMs to 99.99%
https://azure.microsoft.com/en-us/support/legal/sla/virtual-machines/v1_9/
upvoted 1 times
  bhendi 3 weeks, 6 days ago

This
sheit should be the standard Load Balancer with Internal type which supports
99.99% availability . no need got AG.
upvoted 1 times
  bhendi 3 weeks, 6 days ago

This
should be the standard Load Balancer with Internal type which supports 99.99%
availability . no need got AG.
https://azure.microsoft.com/en-us/support/legal/sla/load-balancer/v1_0/
upvoted 1 times

You
need to deploy an application gateway named appgw1015
upvoted 1 times

In
Application Gateway create Tier: Standart v2 (It supports AZ) Enable
Auto-Scaling: False Scale Units: 2 Availability Zone: select 1-2 or 2-3 or 1-3..
Required for %99.99 SLA Fill up the rest Next Page - FrontEnds Frontend Ip
adress type: Both, because we are required to load internal ip traffic.. so we
need private ip address also. you will not be able choose Private only, because
Standart v2 requires public also. Fill the rest, done!
upvoted 6 times

This
looks correct. We need both public and private ips. Not sure if we have to
create those?
upvoted 1 times

Max
SLA for Application GW is 99.95% as per MS Docs. Internal IP can be load
balanced by V1 App GW too, tested in LAB.
https://azure.microsoft.com/en-us/support/legal/sla/application-gateway/v1_2/
upvoted 1 times
Question #4 Topic 5
SIMULATION -
Overview -
possible by design.
To start the lab -

You need to deploy an Azure load balancer named ib1016 to your Azure subscription. The solution must meet the following requirements:
✑ Support the load balancing of IP traffic from the Internet to Azure virtual machines connected to VNET1016\subnet0.
✑ Provide a Service Level Agreement (SLA) of 99,99 percent availability for the Azure virtual machines.
✑ Minimize Azure-related costs.
To complete this task, you do NOT need to wait for the deployment to complete. Once the deployment starts in Azure, you can move to the next
task.

Step 1:
On the top left-hand side of the screen, click Create a resource > Networking > Load Balancer.
Step 2:
In the Create a load balancer page enter these values for the load balancer: myLoadBalancer - for the name of the load balancer.
Internal - for the type of the load balancer.
Basic - for SKU version.
Microsoft guarantees that apps running in a customer subscription will be available 99.99% of the time.
VNET1016\subnet0 - for subnet that you choose from the list of existing subnets.
Step 3: Accept the default values for the other settings and click Create to create the load balancer.

SLA=99,99
is not equal to Basic: We guarantee that a Load Balanced Endpoint using Azure
Standard Load Balancer, serving two or more Healthy Virtual Machine Instances,
will be available 99.99% of the time. Basic Load Balancer is excluded from this
SLA.
upvoted 10 times

Type
has to be "Public" due to "Support the load balancing of IP traffic from the
Internet to Azure virtual machines connected to VNET1016\subnet0"
upvoted 8 times

AKU has to be Standard as they required 99.99% uptime
which can be achieve by AZ only which require standard SKU
upvoted 3 times
  justdoit 5 months, 1 week ago

SKU should be "Standard".
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-overview
upvoted 2 times

The
question states that the LB need to load balance traffic from the internet.
Where is the public IP set?
upvoted 1 times

1)
Create Azure Load Balancer 2) Type: Public 3) SKU: Standard 4) Public IP Address
: New one ( Standard ) 5) Availability zone: Zone-redundant
upvoted 29 times
  Deker 3 months, 1 week ago

would
you add the VNET1016\subnet0 to the backed pool of the public load
balancer?
upvoted 1 times
  terences 2 months, 2 weeks ago

remember to select "type" as internal then you can
specify the VNET and subnet
upvoted 3 times

No,
the type needs to be public. The question clearly says the traffic's from the
internet.
upvoted 1 times
  sameer2803 3 weeks, 5 days ago

to
add to this, after the LB is created add backend pool from the given
vnet/snet
upvoted 2 times

Basic Load Balancer does not provide 99.99 % uptime
guarantee. There is no MS Document or article referring to that. Rather it says
"No SLA is provided for Basic Load Balancer". So choose Standard for SKU.
upvoted 2 times

1)
Create Standard Sku LB 2) Assign subnet0 to the backend pool of the LB
upvoted 2 times

Create
a Load Balancer Standard Internal - so you can assign the VNET and Subnet Public
IP - New Availability Zone - Zone Redundant. If you select Public, then you can
go to backend pools and add the VNET but I don't see an option for adding a
Subnet to the LB in the back end pool.
upvoted 2 times

Agreed,
Basic SKU is excluded from 99.99% SLA commitment.
upvoted 1 times
  ReffG 4 days, 2 hours ago

It
mentions IP traffic form the Internet so it should be public, but for a public
LB you cannot select the VNET\Subnet0...what should one go for?? Basically a
public LB still can load balance the traffic to machines in that subnet but
backendpool config Looks different...
upvoted 1 times
Question #5 Topic 5
Your company is developing an e-commerce Azure App Service Web App to support hundreds of restaurant locations around the world.
You are designing the messaging solution architecture to support the e-commerce transactions and messages. The solution will include the
following features:
You need to design a solution for the Inventory Distribution feature.
A. Azure Service Bus
B. Azure Relay
C. Azure Event Grid
D. Azure Event Hub
Correct Answer: A
Microsoft Azure Service Bus is a fully managed enterprise integration message broker. Service Bus is most commonly used to decouple
applications and services from each other, and is a reliable and secure platform for asynchronous data and state transfer.
One common messaging scenario is Messaging: transfer business data, such as sales or purchase orders, journals, or inventory movements.
Incorrect Answers:
B: The Azure Relay service enables you to securely expose services that run in your corporate network to the public cloud.
References:
https://docs.microsoft.com/en-us/azure/service-bus-messaging/service-bus-messaging-overview
Question #6 Topic 5
You are responsible for mobile app development for a company. The company develops apps on Windows Mobile, IOS, and Android.
You plan to integrate push notifications into every app.
You need to be able to send users alerts from a backend server.
Which two options can you use to achieve this goal? Each correct answer presents a complete solution.
A. Azure Web App
B. Azure Mobile App Service
C. Azure SQL Database
D. Azure Notification Hubs
E. a virtual machine
Correct Answer: BD
The Mobile Apps client enables you to register for push notifications with Azure Notification Hubs.
The following platforms are supported:
✑ Xamarin Android releases for API 19 through 24 (KitKat through Nougat)
✑ Xamarin iOS releases for iOS versions 8.0 and later
Universal Windows Platform -
✑ Windows Phone 8.1

✑ Windows Phone 8.0 except for Silverlight applications
References:
https://docs.microsoft.com/en-us/azure/app-service-mobile/app-service-mobile-dotnet-how-to-use-client-library
  LaurN 1 week, 4 days ago

A
and D - > you will create Web App :
https://docs.microsoft.com/en-us/previous-versions/azure/app-service-mobile/app-service-mobile-android-get-started
you cre
upvoted 2 times
  FloJoe 1 day, 2 hours ago

Windows
Mobile - lol
upvoted 1 times
Question #7 Topic 5
HOTSPOT -
You are developing an Azure Function that will be triggered using a webhook from an external application. The Azure Function will receive JSON
data in the body of the request.
Calling applications send an account ID as part of the URL. The number at the end of the URL is an integer. The format for the URL resembles the
following: /api/ account/1
The Azure Function must accept all incoming requests without requiring keys or tokens.
You need to complete the attributes for the Azure Function.
How should you complete the code? To answer, select the appropriate options in the answer area.
Hot Area:

Maybe
is: Block 1: FunctionName Block 2: HttpTrigger Block 3: Anonymous Block 4:
/account/ Block 5: int accountId
upvoted 11 times
  InsomniumBR 3 months, 1 week ago

For
me it is a little bit wrong. The parameter account should be
"account/{accountId}" Source:
https://docs.microsoft.com/en-us/sandbox/functions-recipes/routes?tabs=csharp
upvoted 7 times

Explaining
better, the route should have the accountId parameter:
"account/{accountId}"
upvoted 3 times
  RegisK 2 days, 1 hour ago

According
to "Adding parameters to function routes" on page
https://docs.microsoft.com/en-us/sandbox/functions-recipes/routes?tabs=csharp :
Block 4 : ProcessItem/{accountId:int} because you rewrite the app function
name here Block 5 : string accountId
upvoted 1 times
Question #8 Topic 5
HOTSPOT -
You are developing a workflow solution using Azure technologies.
What should you implement to meet each requirement? To answer, select the appropriate options in the answer area.
Hot Area:

Box
1: Logic Apps only - You can manually trigger a logic app deployed in Azure from
Visual Studio. On the Logic App Designer toolbar, choose Run Trigger. To check
the status and diagnose problems with logic app runs, you can review the
details, such as inputs and outputs, for those runs in Visual Studio. Box 2:
Durable functions only - Box 3: Durable functions and Logic Apps References:
https://docs.microsoft.com/en-us/azure/logic-apps/manage-logic-apps-with-visual-studio
https://docs.microsoft.com/en-us/azure/azure-functions/durable/durable-functions-create-portal
upvoted 3 times
  misogsk 3 months, 1 week ago

Incorrect,
You can debug durable functions Durable functions does not have any ready
compopnents to be used Logic apps can't be deployed via Azure DevOps
upvoted 1 times

Durable
functions only Logic Apps only Durable functions only
upvoted 1 times

Bonna
is right if the explanation provided is correct for the same question under
AZ-202 on this site.
upvoted 1 times
Box
1: Durable functions only Box 2: Logic Apps only Box 3: Durable functions
only
upvoted 3 times

Shiuld
be the n.34 https://quizlet.com/ch/482793011/az300-flash-cards/
upvoted 2 times
Question #9 Topic 5
HOTSPOT -
You are developing a SMS-based testing solution. The solution sends users a question by using SMS. Early responders may qualify for prizes.
Users must respond with an answer choice within 90 seconds. You must be able to track how long it takes each user to respond. You create a
durable Azure
Function named SendSmsQuizQuestion that uses Twilio to send messages.
You need to write the code for MessageQuiz.
Hot Area:
  Atef 4 months ago

Box
1 should be DateTime expiration = context.CurrentUtcDateTime.AddSeconds(90); Box
2 Should be var timeoutTask = context.CreateTimer(expiration,
cts.Token);
upvoted 9 times
  simonxinyu 3 months, 2 weeks ago

upvoted 14 times
  DP80 1 month ago

The
following code implements a similar functionality =>
https://github.com/Azure/azure-functions-durable-extension/blob/master/samples/precompiled/PhoneVerification.cs
upvoted 1 times
  tboggie 2 weeks, 1 day ago

Would
this type of question come up in the exam? Doesn't look like an AZ-300
question.
upvoted 3 times
  cacasodo 2 days, 20 hours ago

This article provides some understanding as well:
https://docs.microsoft.com/en-us/azure/azure-functions/durable/durable-functions-timers?tabs=csharp
upvoted 1 times

HOTSPOT -
You are developing a solution that requires serverless code execution in Azure.
The solution has two functions that must run in a specific order.
You need to ensure that the second function can use the output from the first function.
Hot Area:
Correct Answer:
Is
this really in AZ300 or from another exam?
upvoted 10 times

I
believe it is in AZ-300, it's in 302 as well. We are expected to be able to read
the code well enough to deduce the answer -- the solution is found by noticing
the location of "try" so orchestrate is before "try" and the two "activity"s
follow. That's my theory anyway.
upvoted 3 times

This
is from DevOps
upvoted 2 times

So
we will not see this in AZ300?
upvoted 2 times

https://docs.microsoft.com/en-us/sandbox/functions-recipes/durable-setup
upvoted 1 times

This article might help understanding:
https://docs.microsoft.com/en-us/azure/azure-functions/durable/durable-functions-overview?tabs=csharp#chaining
upvoted 1 times
You are developing an app that references data which is sharded across multiple Azure SQL databases.
The app must guarantee transactional consistency for changes across several different sharding key values.
You need to manage the transactions.
A. Elastic database transactions with horizontal partitioning.
B. Distributed transactions coordinated by Microsoft Distributed Transaction Coordinator (MSDTC).
C. Server-coordinated transactions from .NET application.
D. Elastic database transactions with vertical partitioning.
Correct Answer: A
References:
https://docs.microsoft.com/mt-mt/azure/sql-database/sql-database-elastic-transactions-overview?view=azurermps-6.13.0

HOTSPOT -
You are creating a bot for a company by using QnA Maker.
You need to ensure that the company can update the bot without third-party assistance.
What should you use? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
References:
https://docs.microsoft.com/en-us/azure/cognitive-services/qnamaker/overview/overview
  cacasodo 1 day, 21 hours ago

I couldn't find good documentation on the difference
between QnA Maker runtime versus Management Service properties.
upvoted 1 times

You are developing a speech-enabled home automation control bot.
The bot interprets some spoken words incorrectly.
You need to improve the spoken word recognition for the bot.
A. The Skype for Business Channel and use scorable dialogs for improving conversation flow.
B. The Web Chat Channel and Speech priming using a Bing Speech Service and LUIS app.
C. The Skype Channel and use scorable dialogs for improving conversation flow.
D. The Cortana Channel and use scorable dialogs for improving conversation flow.
Correct Answer: B
  levm39 3 months, 3 weeks ago

correct
but confusing: Speech priming improves the recognition of spoken words and
phrases that are commonly used in your bot. For speech-enabled bots that use the
Web Chat and Cortana channels, speech priming uses examples specified in
Language Understanding (LUIS) apps to improve speech recognition accuracy for
important words
https://docs.microsoft.com/bs-latn-ba/azure/bot-service/bot-service-manage-speech-priming?view=azure-bot-service-3.0
upvoted 5 times

How
come this one is an AZ-300 ques?? Conginitive is not part of syllabus, cross
checked in MS docs.
upvoted 4 times

For
some reason, I feel that a lot of questions in Topic-5 seems to be not in scope
of the exam.
upvoted 3 times
DRAG DROP -
Your company develops a bot that uses QnA Maker knowledge bases and Language Understanding Intelligence Services (LUIS). You create the
QnA Maker service, knowledge bases, and the LUIS app.
The bot application must use LUIS to determine which QnA Maker knowledge base to use.
You need to integrate LUIS with the QnA Maker knowledge bases and maximize the effectiveness for selecting the QnA Maker knowledge bases
before testing the bot.
Select and Place:
Correct Answer:

I
think the answer is right. Ref:
https://docs.microsoft.com/en-us/azure/cognitive-services/qnamaker/tutorials/integrate-qnamaker-luis
upvoted 5 times

HOTSPOT -
You create a virtual machine scale set named Scale1. Scale1 is configured as shown in the following exhibit.
Hot Area:
Correct Answer:
Box 1:
The Autoscale scale out rule increases the number of VMs by 2 if the CPU threshold is 80% or higher. The initial instance count is 4 and rises to
6 when the 2 extra instances of VMs are added.
Box 2:
The Autoscale scale in rule decreases the number of VMs by 4 if the CPU threshold is 30% or lower. The initial instance count is 4 and thus
cannot be reduced to
0 as the minimum instances is set to 2. Instances are only added when the CPU threshold reaches 80%.
References:
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/autoscale-overview https://docs.microsoft.com/en-us/azure/azure-
monitor/platform/autoscale-best-practices https://docs.microsoft.com/en-us/azure/azure-monitor/platform/autoscale-common-scale-patterns
  theoneandonly 3 months, 3 weeks ago

Why
6 machines? We can't see the duration on the screenshots. Per default it's 10
minutes for autoscale to kick in.
upvoted 1 times

no
default is 5 minutes, I created a new scale set and the default duration was
5
upvoted 10 times

instance
count is 4 and scale is out increases by 2 that will give you 6
instances
upvoted 9 times
  Redsal 3 weeks ago

by
default the time duration is 10, i just created one on portal and
confirmed.
upvoted 2 times
  Redsal 3 weeks ago

Since
the default time is 10 so the correct answer should be 4,4
upvoted 1 times
  andy0983011 2 weeks, 4 days ago

Duration,
The amount of time monitored before the metric and threshold values are
compared. You can find that is 10 minutes.
https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-autoscale-portal
upvoted 2 times
  aimar047 2 weeks ago

Tricky
question as the default Duration value not mentioned in the question. The page
posted by andy0983011 is an example of 10 minutes. Scale set rule settings not
posted in the question.
upvoted 2 times

Very
tricky ques, since duration time is not mentioned and default amount of time
monitoring threshold values is 10 minutes and Since 6 minute time is mentioned
here so correct ans is 4 and 4. i.e. Vm count will remain same, no
changes.
upvoted 3 times
HOTSPOT -
Your company hosts multiple website by using Azure virtual machine scale sets (VMSS) that run Internet Information Server (IIS).
All network communications must be secured by using end to end Secure Socket Layer (SSL) encryption. User sessions must be routed to the
same server by using cookie-based session affinity.
The image shown depicts the network traffic flow for the web sites to the VMSS.
Use the drop-down menus to select the answer choice that answers each question.
Hot Area:
Box 1: Public -
The following example shows site traffic coming from both ports 8080 and 8081 and being directed to the same backend pools.
Box 2: Application Gateway -

You can create an application gateway with URL path-based redirection using Azure PowerShell.
Box 3: Path-based redirection and Websockets
References:
https://docs.microsoft.com/bs-latn-ba/azure//application-gateway/tutorial-url-redirect-powershell

this
is multiple web sites, not path based route. So I think "Routing Rule and
backend listeners" may be correct
https://docs.microsoft.com/en-us/azure/application-gateway/tutorial-multiple-sites-powershell
upvoted 12 times
  Daren 1 month, 3 weeks ago

that`s
my understanding as well
upvoted 1 times

I
think so
upvoted 1 times

For reference regarding websockets:
https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-websocket
upvoted 1 times

SIMULATION -
Overview -
possible by design.
To start the lab -

You need to create a virtual network named VNET1008 that contains three subnets named subnet0, subnet1, and subnet2. The solution must meet
the following requirements:
✑ Connections from any of the subnets to the Internet must be blocked
✑ Connections from the Internet to any of the subnets must be blocked
✑ The number of network security groups (NSGs) and NSG rules must be minimized

Step 1: Click Create a resource in the portal.
Step 2: Enter Virtual network in the Search the Marketplace box at the top of the New pane that appears. Click Virtual network when it appears
in the search results.
Step 3: Select Classic in the Select a deployment model box in the Virtual Network pane that appears, then click Create.
Step 4: Enter the following values on the Create virtual network (classic) pane and then click Create:
Name: VNET1008
Address space: 10.0.0.0/16
Subnet name: subnet0
Resource group: Create new
Subnet address range: 10.0.0.0/24
Subscription and location: Select your subscription and location.
Step 5: In the portal, you can create only one subnet when you create a virtual network. Click Subnets (in the SETTINGS section) on the Create
virtual network
(classic) pane that appears.
Click +Add on the VNET1008 - Subnets pane that appears.
Step 6: Enter subnet1 for Name on the Add subnet pane. Enter 10.0.1.0/24 for Address range. Click OK.
Step 7: Create the third subnet: Click +Add on the VNET1008 - Subnets pane that appears. Enter subnet2 for Name on the Add subnet pane.
Enter 10.0.2.0/24 for
Address range. Click OK.
References:
https://docs.microsoft.com/en-us/azure/virtual-network/create-virtual-network-classic
  Krimish 7 months, 2 weeks ago

create
a NSG and add inbound and outbound rule to block internet traffic. In NSG you
need to define port 80,443 and protocol TCP. Now associate this NSG to all
subnets.
upvoted 5 times

create
NSG and block the internet for outgoing connections. The incoming connections
always have internet blocked (unless someone will open some ports). If this is a
case you need to add incoming rule to block any traffic from internet. Then
assign it to subnet/VM
upvoted 7 times

default
NSG's security rules blocks internet connection, so i would say that creating
the NSG and assigned it to subnet is enough.
https://docs.microsoft.com/en-us/azure/virtual-network/security-overview#default-security-rules
upvoted 2 times

Connections
from any of the subnets to the Internet must be blocked so outbound need to add
deny internet
upvoted 1 times

But
how do you define internet, but 80,443 are not Internet. These are just
webpages.
upvoted 2 times

create
NSG and block allInbound traffic any port potocal and destination Internet.
https://www.petri.com/blocking-internet-access-azure-vms
upvoted 2 times

I've
found the NSG rules to be a bit random at times when creating/removing them, but
effectively you need to define a deny any inbound and outbound rule. Using the
source or destination "Service Tag" option and then selecting "Internet" allows
you to specify traffic to be blocked only to/from the internet, otherwise you
can end up preventing other traffic (e.g. inter-vnet) from working. Make sure
you associate the NSG with the vnet/subnets.
upvoted 3 times
  Ijaz 4 months ago

so
we will need to have 2 inbound and 2 outbound rules (port 80 & 443) with
service tag "internet"
upvoted 1 times

it
would be 1 inbound and 1 outbound rule to block all ports service tag internet?
- we are blocking all traffic to / from internet , not just http and
https
upvoted 5 times
  fda 3 months, 4 weeks ago

Need
to create an NSG and add an outbound rule to block the internet traffic. The
NSG default inbound rules block all inbound traffic except from Azure load
balancer and VNet traffic. So by default Internet traffic is not allowed. The
NGS contains by default a rue that allows Internet traffic. No add a rule to
deny the Internet traffic. Assign the NSG to the subnets.
upvoted 4 times

By
default the subnets are isolated from Internet, right? Do we really need a NSG?
"The number of network security groups (NSGs) and NSG rules must be
minimized"
upvoted 1 times

You need to create a NSG with outbout block using
service tag. How can we use service tags to block outbound traffic to the
Internet for our virtual machines now? It’s easy. First, you will create the
Deny-to-Internet rule: Source: Virtual Network Source Port Range: * Destination:
Service Tag Destination Service Tag: Internet Protocol: Any Action: Deny
Priority: 4096 Name: Deny-AllInternet
upvoted 13 times

Btw,
no need to use Ports... Just use Service Tags in the NSG Source and
Desntination
upvoted 2 times

Why
not create a NSG with one inbound rule and one outbound rule - Service Tag
Internet, ports - 0 to 65535 so there won't be any traffic to and fro from the
internet? Then associate this NSG with the subnets.
upvoted 1 times
  AmarKavita 11 hours, 56 minutes ago

THIS
IS INTERESTING...I FEEL the above answer does it if you do not create a public
ip for your machines then there is no inbound or outbound traffic allowed... i
mean why create NSG when they get blocked by default.
upvoted 1 times
A company is migrating an existing on-premises third-party website to Azure. The website is stateless.
The company does not have access to the source code for the website. They do not have the original installer.
The number of visitors at the website varies throughout the year. The on-premises infrastructure was resized to accommodate peaks but the extra
capacity was not used.
You need to implement a virtual machine scale set instance.
What should you do?
A. Use an autoscale setting to scale instances vertically
B. Create 100 autoscale settings per resource
C. Scale out by one instance when the average CPU usage of one of the instances is over 80 percent
D. Use Azure Monitor to create autoscale settings using custom metrics
E. Use an autoscale setting with unlimited maximum number of instances
F. Use a webhook to log autoscale failures
Correct Answer: D
References:
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/autoscale-custom-metric

it
could be C as well
upvoted 3 times

No
it couldn't, they said the extra capacity wasn't used, so it doesn't *look* like
the actual utilization was 80% or higher. Cryptic question, but I reckon the
only answer can be D.
upvoted 1 times
  PeterWL 2 months ago

The
D is correct, because Scale In is also needed.
upvoted 4 times
  AnujD 1 week, 2 days ago

The
ques is simple but demands well thoughts. Only scale out is not required. Since
the usage is unknown Scale in also needs to be considered. Hence Option D as
based on Metrics VMs will be set.
upvoted 1 times

For further knowledge:
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/autoscale-custom-metric
upvoted 1 times

You create several Azure virtual machines in Subscription1. All of the virtual machines belong to the same virtual network.
You have an on-premises Hyper-V server named Server1. Server1 hosts a virtual machine named VM1.
You plan to replicate VM1 to Azure.
You need to create additional objects in Subscription1 to support the planned deployment.
Which three objects should you create? Each correct answer presents part of the solution.
A. Hyper-V site
B. Azure Recovery Services Vault
C. storage account
D. replication policy
E. Azure Traffic Manager instance
F. endpoint
Correct Answer: ABD

A,
B, And C is the answer. Storage account needed.
upvoted 1 times

Storage
account is not explicity created.. its all handled internally while creating
recovery service vault. So A, B & D Is correct "There's no need to specify
storage accounts to store the backup data. The Recovery Services vault and the
Azure Backup service handle that automatically." (Source:
https://docs.microsoft.com/en-us/azure/backup/backup-create-rs-vault)
upvoted 14 times
VK
is correct, storage is not created explicitly Answers are ABD
upvoted 2 times

BCD
https://docs.microsoft.com/en-us/azure/site-recovery/tutorial-prepare-azure-for-hyperv
you only have to prepare the azure side
upvoted 21 times

I
agree!
upvoted 1 times
  haim 2 months, 3 weeks ago

question
specifically asks for what needs to be created in subscription1? In that case
BCD would be correct.
upvoted 3 times

Why
three objects should you create, not four? Please refer to:
https://docs.microsoft.com/en-us/azure/site-recovery/tutorial-prepare-azure-for-hyperv
Create a storage account and a recovery services vault
https://docs.microsoft.com/en-us/azure/site-recovery/hyper-v-azure-tutorial
Create Hyper-V site and set up a replication policy. So A, B, C, D are the
answers.
upvoted 1 times
  AlexFromGalax 2 months, 1 week ago

Because
it is asked for 3 only
upvoted 3 times

There.
is no need to create Hyper V site ..
upvoted 1 times

Incorrect
…Answer should be BCD
upvoted 1 times

Question
should ask for 4 options instead of 3 as A,B,C and D are correct.
upvoted 1 times
  FloJoe 1 day, 1 hour ago

I
am no nowhere near to be an expert for Hyper-V but I think Hyper-V is running
on-premis and not in azure right? I cannot find a "Hyper V site" in Azure
portal. Hence I recon the answer should be BCD, same as mmo states.
upvoted 1 times
Topic 6 - Testlet 1
Question #1 Topic 6
Introductory Info
Case Study -
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However,
there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions
included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might
contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is
independent of the other questions in this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to
the next section of the exam. After you begin a new section, you cannot return to this section.
To start the case study -

To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study
before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem
statements. If the case study has an All Information tab, note that the information displayed is identical to the information displayed on the
subsequent tabs. When you are ready to answer a question, click the Question button to return to the question.
Overview -
Humongous Insurance is an insurance company that has three offices in Miami, Tokyo and Bangkok. Each office has 5.000 users.
Existing Environment -
Active Directory Environment -

Humongous Insurance has a single-domain Active Directory forest named humongousinsurance.com. The functional level of the forest is
Windows Server 2012.
You recently provisioned an Azure Active Directory (Azure AD) tenant.
Network Infrastructure -
Each office has a local data center that contains all the servers for that office. Each office has a dedicated connection to the Internet.
Each office has several link load balancers that provide access to the servers.
Active Directory Issue -

Several users in humongousinsurance.com have UPNs that contain special characters.
You suspect that some of the characters are unsupported in Azure AD.
Licensing Issue -
You attempt to assign a license in Azure to several users and receive the following error message: "Licenses not assigned. License agreement
failed for one user."
You verify that the Azure subscription has the available licenses.
Requirements -
Planned Changes -
Humongous Insurance plans to open a new office in Paris. The Paris office will contain 1,000 users who will be hired during the next 12 months.
All the resources used by the Paris office users will be hosted in Azure.
Planned Azure AD Infrastructure -

The on-premises Active Directory domain will be synchronized to Azure AD.
All client computers in the Paris office will be joined to an Azure AD domain.
Planned Azure Networking Infrastructure
You plan to create the following networking resources in a resource group named All_Resources:
- Default Azure system routes that will be the only routes used to route traffic
- A virtual network named Paris-VNet that will contain two subnets named Subnet1 and Subnet2
- A virtual network named ClientResources-VNet that will contain one subnet named ClientSubnet
- A virtual network named AllOffices-VNet that will contain two subnets named Subnet3 and Subnet4
You plan to enable peering between Paris-VNet and AllOffices-VNet. You will enable the Use remote gateways setting for the Paris-VNet peerings.
You plan to create a private DNS zone named humongousinsurance.local and set the registration network to the ClientResources-VNet virtual
network.
Planned Azure Computer Infrastructure
Each subnet will contain several virtual machines that will run either Windows Server 2012 R2, Windows Server 2016, or Red Hat Linux.
Department Requirements -
Humongous Insurance identifies the following requirements for the company's departments:
- Web administrators will deploy Azure web apps for the marketing department. Each web app will be added to a separate resource group. The
initial configuration of the web apps will be identical. The web administrators have permission to deploy web apps to resource groups.
- During the testing phase, auditors in the finance department must be able to review all Azure costs from the past week.
Authentication Requirements -
Users in the Miami office must use Azure Active Directory Seamless Single Sign-on (Azure AD Seamless SSO) when accessing resources in Azure.
Question
HOTSPOT -
You are evaluating the connectivity between the virtual machines after the planned implementation of the Azure networking infrastructure.
Hot Area:
Correct Answer:
Once the VNets are peered, all resources on one VNet can communicate with resources on the other peered VNets. You plan to enable peering
between Paris-
VNet and AllOffices-VNet. Therefore VMs on Subnet1, which is on Paris-VNet and VMs on Subnet3, which is on AllOffices-VNet will be able to
connect to each other.
All Azure resources connected to a VNet have outbound connectivity to the Internet by default. Therefore VMs on ClientSubnet, which is on
ClientResources-VNet will have access to the Internet; and VMs on Subnet3 and Subnet4, which are on AllOffices-VNet will have access to the
Internet.
References:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview https://docs.microsoft.com/en-
us/azure/networking/networking-overview#internet-connectivity

Question
and Explanations are not related. Find the proper questions, What should you do?
A. From the Directory role blade, modify the directory role B. From the Groups
blade, invite the user accounts to a new group C. From the Profile blade, modify
the usage location Correct Answer: C
upvoted 1 times

Ignore
this
upvoted 3 times

This
explanation doesn't explain anything related to internet connectivity and then
question related to internet connectivity asked. Not relevant information
provided so ignore this question.
upvoted 1 times

Well
you're right there isn't a lotta explicit information provided but I think the
question's asking if people know that by default subnets have internet
connectivity or not. They do, in Azure so the answers are Yes, Yes and
Yes.
upvoted 1 times
Question #2 Topic 6
Introductory Info
Case Study -

Overview -

Licensing Issue -
Requirements -
Planned Changes -

network.
Question
DRAG DROP -
You need to prepare the environment to ensure that the web administrators can deploy the web apps as quickly as possible.
Select and Place:
Correct Answer:
Step 1:
First you create a storage account using the Azure portal.
Step 2:
Select Automation options at the bottom of the screen. The portal shows the template on the Template tab.
Add the storage account to the library.
Step 3:
Share the template.
Scenario: Web administrators will deploy Azure web apps for the marketing department. Each web app will be added to a separate resource
group. The initial configuration of the web apps will be identical. The web administrators have permission to deploy web apps to resource
groups.
References:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-quickstart-create-templates-use-the-portal
Why
to create an automation account? it should be create resource group and web as
the first choice
upvoted 6 times

Again,
question and explanation are not related at all: You need to define a custom
domain name for Azure AD to support the planned infrastructure. Which domain
name should you use? A. ad.humongousinsurance.com B. humongousinsurance.local C.
humongousinsurance.com D. humongousinsurance.onmicrosoft.com Correct Answer:
C
upvoted 1 times

ignore
this
upvoted 2 times

Bhenchod
upvoted 3 times

1)
Create RG , and then deploy a web app to the RG 2) From the Automation script
blade of the RG , click "Add to Library" 3) From the Templates service, select
the template, and then share the template to the web admins
upvoted 32 times

Agree
with Ekramy, this is the only logical sequence.
upvoted 1 times

Ekramy
is right but Q is outdated. If anyones wondering where it is, it is in RG ->
Settings bllade -> Export Template -> Add to library
upvoted 2 times
Question #3 Topic 6
Introductory Info
Case Study -

Overview -


Licensing Issue -
Requirements -
Planned Changes -

network.
Question
You need to resolve the licensing issue before you attempt to assign the license again.
What should you do?
A. From the Directory role blade, modify the directory role
B. From the Groups blade, invite the user accounts to a new group
C. From the Profile blade, modify the usage location
Correct Answer: C
License cannot be assigned to a user without a usage location specified.
Scenario: Licensing Issue -

  Dann1112 1 day, 19 hours ago

Not all Microsoft services are available in all
locations. Before a license can be assigned to a user, you must specify the
Usage location. You can set this value in the Azure Active Directory > Users
> Profile > Settings area in Azure AD. Any user whose usage location is
not specified inherits the location of the Azure AD organization. Source:
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/license-users-groups#assign-licenses-to-users-or-groups
upvoted 1 times
Question #4 Topic 6
Introductory Info
Case Study -

Overview -


Licensing Issue -
Requirements -
Planned Changes -

network.
Question
You need to define a custom domain name for Azure AD to support the planned infrastructure.
Which domain name should you use?
A. ad.humongousinsurance.com
B. humongousinsurance.local
C. humongousinsurance.com
D. humongousinsurance.onmicrosoft.com
Correct Answer: C
Every Azure AD directory comes with an initial domain name in the form of domainname.onmicrosoft.com. The initial domain name cannot be
changed or deleted, but you can add your corporate domain name to Azure AD as well. For example, your organization probably has other
domain names used to do business and users who sign in using your corporate domain name. Adding custom domain names to Azure AD
allows you to assign user names in the directory that are familiar to your users, such as "ãlice@contoso.com.' instead of 'alice@domain
name.onmicrosoft.com'.
Scenario:
Network Infrastructure: Each office has a local data center that contains all the servers for that office. Each office has a dedicated connection to
the Internet.
Humongous Insurance has a single-domain Active Directory forest named humongousinsurance.com
Planned Azure AD Infrastructure: The on-premises Active Directory domain will be synchronized to Azure AD.
References:
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/add-custom-domain

can
the on-premise ad have the same domain name with the azure ad?
upvoted 1 times
Topic 7 - Testlet 10
Question #1 Topic 7
Introductory Info
Case Study -
Background -
Best For You Organics Company is a global restaurant franchise that has multiple locations. The company wants to enhance user experiences and
vendor integrations. The company plans to implement automated mobile ordering and delivery services.
Best For You Organics hosts an Azure web app at the URL https://www.bestforyouorganics.com. Users can use the web app to browse restaurant
location, menu items, nutritional information, and company information. The company developed and deployed a cross-platform mobile app.
Requirements -
Chatbot -
You must develop a chatbot by using the Bot Builder SDK and Language Understanding Intelligence Service (LUIS). The chatbot must allow users
to order food for pickup or delivery.
The chatbot must meet the following requirements:
Ensure that chatbot is secure by using the Bot Framework connector.
Use natural language processing and speech recognition so that users can interact with the chatbot by using text and voice. Processing must be
server-based.
Alert users about promotions at local restaurants.
Enable users to place an order for delivery or pickup by using their voice.
Greet the user upon sign-in by displaying a graphical interface that contains action buttons.
The chatbot greeting interface must match the formatting of the following example:
Vendor API -
Vendors receive and provide updates for the restaurant inventory and delivery services by using Azure API Management hosted APIs. Each vendor
uses their own subscription to access each of the APIs.
APIs must meet the following conditions:
API usage must not exceed 5,000 calls and 50,000 kilobytes of bandwidth per hour per vendor.
If a vendor is nearing the number of calls or bandwidth limit, the API must trigger email notifications to the vendor.
API must prevent API usage spikes on a per-subscription basis by limiting the call rate to 100 calls per minute.
The Inventory API must be written by using ASP.NET Core and Node.js.
The API must be updated to provide an interface to Azure SQL Database objects must be managed by using code.
The Delivery API must be protected by using the OAuth 2.0 protocol with Azure Active Directory (Azure AD) when called from the Azure web app.
You register the Delivery API and web app in Azure AD. You enable OAuth 2.0 in the web app.
The delivery API must update the Products table, the Vendor transactions table, and the Billing table in a single transaction.
The Best For You Organics Company architecture team has created the following diagram depicting the expected deployments into Azure:
Architecture -
Issues -
Delivery API -
The Delivery API intermittently throws the following exception:
"System.Data.Entity.Core.EntityCommandExecutionException: An error occurred while executing the command definition. See the inner exception
for details. -->System.Data.SqlClient.SqlException: A transport-level error has occurred when receiving results from the server. (provider: Session
Provider, error: 19 "" Physical connection is not usable)"
Chatbot greeting -
The chatbot's greeting does not show the user's name. You need to debug the chatbot locally.
Language processing -
Users report that the bot fails to understand when a customer attempts to order dishes that use Italian names.
App code -
Relevant portions of the app files are shown below. Line numbers are included for reference only and include a two-character prefix that denotes
the specific file to which they belong.
Question
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution.
Determine whether the solution meets the stated goals.
You need to meet the vendor notification requirement.
Solution: Update the Delivery API to send emails by using a Microsoft Office 365 SMTP server.
A. Yes
B. No
Correct Answer: B
References:
https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-configure-notifications

Chatbot
is not in Az-300 syllabus.
upvoted 2 times
  AnilV 2 weeks, 1 day ago
Why
it does not work ? An API integration should work right ?
upvoted 1 times
Question #2 Topic 7
Introductory Info
Case Study -
Background -
Requirements -
Chatbot -
server-based.
Vendor API -
Architecture -
Issues -
Delivery API -
Chatbot greeting -
App code -
Question
Solution: Configure notifications in the Azure API Management instance.
A. Yes
B. No
Correct Answer: A
References:
Question #3 Topic 7
Introductory Info
Case Study -
Background -
Requirements -
Chatbot -
server-based.
Vendor API -
Architecture -
Issues -
Delivery API -
Chatbot greeting -
App code -
Question
Solution: Update the Delivery API to send emails by using a cloud-based email service.
A. Yes
B. No
Correct Answer: B
References:
Question #4 Topic 7
Introductory Info
Case Study -
Background -
Requirements -
Chatbot -
server-based.
Vendor API -
Architecture -
Issues -
Delivery API -
Chatbot greeting -
App code -
Question
Solution: Create and apply a custom outbound Azure API Management policy.
A. Yes
B. No
Correct Answer: B
References:
Question #5 Topic 7
Introductory Info
Case Study -
Background -
Requirements -
Chatbot -
server-based.
Vendor API -
Architecture -
Issues -
Delivery API -
Chatbot greeting -
App code -
Question
You need to resolve the delivery API error.
What should you do?
A. Implement simple retry by using the EnableRetryOnFailure feature of Entity Framework.
B. Implement exponential backoff by using the EnableRetryOnFailure feature of Entity Framework.
C. Implement a Circuit Breaker pattern by using the EnableRetryOnFailure feature of Entity Framework.
D. Invoke a custom execution strategy in Entity Framework.
Correct Answer: B
References:
https://docs.microsoft.com/en-us/azure/sql-database/sql-database-develop-error-messages
  Gjferweb 1 month ago

Don´t now why
B and not A.
https://social.technet.microsoft.com/Forums/en-US/209e6f88-8ac9-4bff-a898-323ac2f1f6e5/a-transport-level-level-error-has-occurred-when-
receiving-results-from-the-server-error-19-?forum=ssdsgetstarted
Another useful method to get rid of this error is to use RETRY LOGIC of Entity
Framework 1.1.0 services.AddDbContext<DbContext>(options =>
options.UseSqlServer('yourconnectionstring',
sqlServerOptionsAction: sqlOptions => {
sqlOptions.EnableRetryOnFailure( maxRetryCount: 5,
maxRetryDelay: TimeSpan.FromSeconds(30),
errorNumbersToAdd: new List<int>() { 19 }); })); This is
way to elevate I think
upvoted 2 times

Given
answer is CORRECT. Use - ExponentialBackoff class We recommend that you wait for
5 seconds before your first retry. Retrying after a delay shorter than 5 seconds
risks overwhelming the cloud service. For each subsequent retry, the delay
should grow exponentially, up to a maximum of 60 seconds.
upvoted 3 times
Question #6 Topic 7
Introductory Info
Case Study -
Background -
Requirements -
Chatbot -
server-based.
Vendor API -
Architecture -
Issues -
Delivery API -
Chatbot greeting -
App code -
Question
You need to implement the purchase requirement.
What should you do?
A. Use the Bot Framework REST API conversation operations to send the user's voice and the Speech Service API to recognize intents.
B. Use the Direct Line REST API to send the user's voice and the Speech Service API to recognize intents.
C. Use the Speech Service API to send the user's voice and the Bot Framework REST API conversation operations to recognize intents.
D. Use the Bot Framework REST API attachment operations to send the user's voice and the Speech Service API to recognize intents.
Correct Answer: A

I
think the answer should be C. The speech audio should be processed by the Speech
service API using speech to text
(https://docs.microsoft.com/en-us/azure/cognitive-services/speech-service/overview),
then processed via the Bot framework conversations to recognize the users intent
(https://docs.microsoft.com/en-us/azure/bot-service/bot-builder-conversations?view=azure-bot-service-4.0).
upvoted 2 times
No,
this is correct Enable users to place an order for delivery or pickup by using
their voice. You must develop a chatbot by using the Bot Builder SDK and
Language Understanding Intelligence Service (LUIS). The chatbot must allow users
to order food for pickup or delivery. The Bot Framework REST APIs enable you to
build bots that exchange messages with channels configured in the Bot Framework
Portal, store and retrieve state data, and connect your own client applications
to your bots. All Bot Framework services use industry-standard REST and JSON
over HTTPS. The Speech Service API is used to recognize intents. References:
https://docs.microsoft.com/en-us/azure/bot-service/rest-api/bot-framework-rest-connector-concepts?
view=azure-bot-service-4.0
https://docs.microsoft.com/en-us/azure/cognitive-services/speech-service/how-to-recognize-intents-from-
speech-cpp
upvoted 4 times

Additional info:
https://docs.microsoft.com/en-us/azure/cognitive-services/speech-service/overview
upvoted 1 times
  sagnikmukh 2 months ago

It
can be B,
https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/cognitive-services/Speech-Service/tutorial-voice-enable-your-bot-speech-
sdk.md
upvoted 3 times

Answer is A:
https://docs.microsoft.com/en-us/azure/bot-service/rest-api/bot-framework-rest-connector-api-reference?view=azure-bot-service-4.0
upvoted 4 times
Question #7 Topic 7
Introductory Info
Case Study -
Background -
Requirements -
Chatbot -
server-based.
Vendor API -
Architecture -
Issues -
Delivery API -
Chatbot greeting -
App code -
Question
You need to meet the security requirements.
A. HTTP Strict Transport Security (HSTS)
B. Direct Line API
C. Multi-Factor Authentication (MFA)
D. Bot Framework Portal
E. Bot Framework authentication
Correct Answer: E

Answer
is E .
upvoted 1 times

More info:
https://docs.microsoft.com/en-us/azure/bot-service/dotnet/bot-builder-dotnet-security?view=azure-bot-service-3.0
upvoted 1 times
Topic 8 - Testlet 2
Question #1 Topic 8
Introductory Info
Case study -

Overview -
Contoso, Ltd. is a consulting company that has a main office in Montreal and two branch offices in Seattle and New York.
The Montreal office has 2,000 employees. The Seattle office has 1,000 employees. The New York office has 200 employees.
All the resources used by Contoso are hosted on-premises.
Contoso creates a new Azure subscription. The Azure Active Directory (Azure AD) tenant uses a domain named contoso.onmicrosoft.com. The
tenant uses the
P1 pricing tier.
The network contains an Active Directory forest named contoso.com. All domain controllers are configured as DNS servers and host the
contoso.com DNS zone.
Contoso has finance, human resources, sales, research, and information technology departments. Each department has an organizational unit
(OU) that contains all the accounts of that respective department. All the user accounts have the department attribute set to their respective
department. New users are added frequently.
Contoso.com contains a user named User1.
All the offices connect by using private links.
Contoso has data centers in the Montreal and Seattle offices. Each data center has a firewall that can be configured as a VPN device.
All infrastructure servers are virtualized. The virtualization environment contains the servers in the following table.
Contoso uses two web applications named App1 and App2. Each instance on each web application requires 1GB of memory.
The Azure subscription contains the resources in the following table.
The network security team implements several network security groups (NSGs).
Planned Changes -
Contoso plans to implement the following changes:
- Deploy Azure ExpressRoute to the Montreal office.
- Migrate the virtual machines hosted on Server1 and Server2 to Azure.
- Synchronize on-premises Active Directory to Azure Active Directory (Azure AD).
- Migrate App1 and App2 to two Azure web apps named WebApp1 and WebApp2.
Technical requirements -
Contoso must meet the following technical requirements:
- Ensure that WebApp1 can adjust the number of instances automatically based on the load and can scale up to five instances.
- Ensure that VM3 can establish outbound connections over TCP port 8080 to the applications servers in the Montreal office.
- Ensure that routing information is exchanged automatically between Azure and the routers in the Montreal office.
- Ensure Azure Multi-Factor Authentication (MFA) for the users in the finance department only.
- Ensure that webapp2.azurewebsites.net can be accessed by using the name app2.contoso.com
- Connect the New York office to VNet1 over the Internet by using an encrypted connection.
- Create a workflow to send an email message when the settings of VM4 are modified.
- Create a custom Azure role named Role1 that is based on the Reader role.
- Minimize costs whenever possible.
Question
HOTSPOT -
You need to meet the connection requirements for the New York office.
Hot Area:
Correct Answer:
Box 1: Create a virtual network gateway and a local network gateway.

Azure VPN gateway. The VPN gateway service enables you to connect the VNet to the on-premises network through a VPN appliance. For more
information, see
Connect an on-premises network to a Microsoft Azure virtual network. The VPN gateway includes the following elements:
✑ Virtual network gateway. A resource that provides a virtual VPN appliance for the VNet. It is responsible for routing traffic from the on-
premises network to the
VNet.
✑ Local network gateway. An abstraction of the on-premises VPN appliance. Network traffic from the cloud application to the on-premises
network is routed through this gateway.
✑ Connection. The connection has properties that specify the connection type (IPSec) and the key shared with the on-premises VPN appliance
to encrypt traffic.
✑ Gateway subnet. The virtual network gateway is held in its own subnet, which is subject to various requirements, described in the
Recommendations section below.
Box 2: Configure a site-to-site VPN connection
On premises create a site-to-site connection for the virtual network gateway and the local network gateway.
Scenario: Connect the New York office to VNet1 over the Internet by using an encrypted connection.
Incorrect Answers:
Azure ExpressRoute: Established between your network and Azure, through an ExpressRoute partner. This connection is private. Traffic does not
go over the internet.
References:
https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/vpn
Topic 9 - Testlet 3
Question #1 Topic 9
Introductory Info
Case Study -

Overview -
ADatum Corporation is a financial company that has two main offices in New York and Los Angeles. ADatum has a subsidiary named Fabrikam,
Inc. that shares the Los Angeles office.
ADatum is conducting an initial deployment of Azure services to host new line-of-business applications and is preparing to migrate its existing on-
premises workloads to Azure.
ADatum uses Microsoft Exchange Online for email.
On-Premises Environment -
The on-premises workloads run on virtual machines hosted in a VMware vSphere 6 infrastructure. All the virtual machines are members of an
Active Directory forest named adatum.com and run Windows Server 2016.
The New York office uses an IP address space of 10.0.0.0/16. The Los Angeles office uses an IP address space of 10.10.0.0/16.
The offices connect by using a VPN provided by an ISP. Each office has one Azure ExpressRoute circuit that provides access to Azure services and
Microsoft
Online Services. Routing is implemented by using Microsoft peering.
The New York office has a virtual machine named VM1 that has the vSphere console installed.
Azure Environment -
You provision the Azure infrastructure by using the Azure portal. The infrastructure contains the resources shown in the following table.
AG1 has two backend pools named Pool11 and Pool12. AG2 has two backend pools named Pool21 and Pool22.
Requirements -
Planned Changes -
ADatum plans to migrate the virtual machines from the New York office to the East US Azure region by using Azure Site Recovery.
Infrastructure Requirements -
ADatum identifies the following infrastructure requirements:
- A new web app named App1 that will access third-parties for credit card processing must be deployed.
- A newly developed API must be implemented as an Azure function named App2. App2 will use a blob storage trigger. App2 must process new
blobs immediately.
- The Azure infrastructure and the on-premises infrastructure must be prepared for the migration of the VMware virtual machines to Azure.
- The sizes of the Azure virtual machines that will be used to migrate the on-premises workloads must be identified.
- All migrated and newly deployed Azure virtual machines must be joined to the adatum.com domain.
- AG1 must load balance incoming traffic in the following manner:
- http://corporate.adatum.com/video/* will be load balanced across Pool11.
- http://corporate.adatum.com/images/* will be load balanced across Pool12.
- http://www.adatum.com will be load balanced across Pool21.
- http://fabrikam.com will be load balanced across Pool22.
- ER1 must route traffic between the New York office and platform as a service (PaaS) services in the East US Azure region, as long as ER1 is
available.
- ER1 must route traffic between the Los Angeles office and the PaaS services in the West US region, as long as ER2 is available.
- ER1 and ER2 must be configured to fail over automatically.
Application Requirements -
App2 must be available to connect directly to the private IP addresses of the Azure virtual machines. App2 will be deployed directly to an Azure
virtual network.
Inbound and outbound communications to App1 must be controlled by using NSGs.
Pricing Requirements -
ADatum identifies the following pricing requirements:
- The cost of App1 and App2 must be minimized
- The transactional charges of Azure Storage accounts must be minimized
Question
What should you create to configure AG2?
A. multi-site listeners
B. URL path-based routing rules
C. basic routing rules
D. an additional public IP address
E. basic listeners
Correct Answer: A
- http://www.adatum.com will be load balanced across Pool21.
- http://fabrikam.com will be load balanced across Pool22.
You need to configure an Azure Application Gateway with multi-site listeners to direct different URLs to different pools.
References:
https://docs.microsoft.com/en-us/azure/application-gateway/multiple-site-overview
Introductory Info
Case study -
Overview -
Microsoft
Azure Environment -
Requirements -
Planned Changes -
A new web app named App1 that will access third-parties for credit card processing must be deployed
A newly developed API must be implemented as an Azure function named App2. App2 will use a blob storage trigger. App2 must process new
blobs immediately.
The Azure infrastructure and the on-premises infrastructure must be prepared for the migration of the VMware virtual machines to Azure.
The sizes of the Azure virtual machines that will be used to migrate the on-premises workloads must be identified.
All migrated and newly deployed Azure virtual machines must be joined to the adatum.com domain.
AG1 must load balance incoming traffic in the following manner:
1. http://corporate.adatum.com/video/* will be load balanced across Pool11
2. http://corporate.adatum.com/images/* will be load balanced across Pool12
1. http://www.adatum.com will be load balanced across Pool21
2. http://www.fabrikam.com will be load balanced across Pool22
ER1 must route traffic between the New York office and the platform as a service (PaaS) services in the East US Azure region, as long as ER1 is
available.
ER2 must route traffic between the Los Angeles office and the PaaS services in the West US region, as long as ER2 is available.
ER1 and ER2 must be configured to fail over automatically.
App2 must be able to connect directly to the private IP addresses of the Azure virtual machines. App2 will be deployed directly to an Azure virtual
network.
The cost of App1 and App2 must be minimized.
The transactional charges of Azure Storage accounts must be minimized.
Question
You need to configure AG1.
What should you create?
A. a multi-site listener
B. a basic routing rule
C. a URL path-based routing rule
D. a basic listener
Correct Answer: C
References:
https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-create-url-route-portal
Introductory Info
Case study -
Overview -
Microsoft
Azure Environment -
Requirements -
Planned Changes -
blobs immediately.
available.
network.
Question
DRAG DROP -
You need to configure the Azure ExpressRoute circuits.
How should you configure Azure ExpressRoute routing? To answer, drag the appropriate configurations to the correct locations. Each configuration
may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
Select and Place:
Correct Answer:
Azure compute services, namely virtual machines (IaaS) and cloud services (PaaS), that are deployed within a virtual network can be connected
through the private peering domain. The private peering domain is considered to be a trusted extension of your core network into Microsoft
Azure.
Services such as Azure Storage, SQL databases, and Websites are offered on public IP addresses. You can privately connect to services hosted
on public IP addresses, including VIPs of your cloud services, through the public peering routing domain. You can connect the public peering
domain to your DMZ and connect to all Azure services on their public IP addresses from your WAN without having to connect through the
internet.
References:
https://docs.microsoft.com/en-us/azure/expressroute/expressroute-circuit-peerings

Box
2 is incorrect, should be BGP comminities
upvoted 7 times

Yes.
I think your right.
https://docs.microsoft.com/en-us/azure/expressroute/expressroute-optimize-routing
upvoted 3 times

Yes,
agree with you.
upvoted 1 times

Incorrect.
From the link @Myk posted: Customer to MS - BGP communities MS to customer -
*public* AS PATH prepending
upvoted 1 times

I
agree with MYK for the first bit -> customer to microsoft (i.e. ADdatum to
msft)should always be bgp communities. 2. from msft to addatum would is public
AS
upvoted 2 times

https://docs.microsoft.com/en-us/azure/expressroute/expressroute-optimize-routing
upvoted 1 times

Box
1 is BGP Communities: Reffer to:
https://docs.microsoft.com/en-us/azure/expressroute/expressroute-optimize-routing#suboptimal-routing-from-customer-to-microsoft
Box 2 is public AS numbers (correct):
https://docs.microsoft.com/en-us/azure/expressroute/expressroute-optimize-routing#suboptimal-routing-from-microsoft-to-customer
*Important: "We remove private AS numbers in the AS PATH for the prefixes
received on Microsoft Peering when peering using a private AS number. You need
to peer with a public AS and append public AS numbers in the AS PATH to
influence routing for Microsoft Peering."
upvoted 6 times

Box1: BGP Community Box2: BGP AS Prepending
upvoted 3 times
Introductory Info
Case study -
Overview -
Microsoft
Azure Environment -
Requirements -
Planned Changes -
blobs immediately.
available.
network.
Question
DRAG DROP -
You need to prepare the New York office infrastructure for the migration of the on-premises virtual machines to Azure.
Select and Place:

References:
https://docs.microsoft.com/en-us/azure/site-recovery/vmware-azure-tutorial

https://docs.microsoft.com/en-us/azure/site-recovery/vmware-azure-tutorial-prepare-on-premises
upvoted 1 times
  Rajkumaryadav 3 months ago

Set
up the source replication settings, and an on-premises Site Recovery
configuration server. Set up the replication target settings. Create a
replication policy. Enable replication for a VMware VM.
upvoted 1 times

1)
From the Azure Portal download the OVF file 2) From VM1, connect to the
COLLECTOR virtual machine 3) From the ASRV1 blade in the Azure portal, select a
protection goal 4) From VM1, register the configuration server.
upvoted 1 times

1)
From the Azure Portal download the OVF file 2) From VM1, connect to the
COLLECTOR virtual machine 3) From the ASRV1 blade in the Azure portal, select a
protection goal 4) From VM1, register the configuration server.
upvoted 1 times

upvoted 7 times

really wish the question area was visible :(
upvoted 1 times

The
answer should be follows: 1) From the ASRV1 blade in the Azure portal, select a
protection goal 2) From the Azure Portal download the OVF file 3) From VM1,
Deploy a virtual machine 4) From VM1, register the configuration server. Reffer
to:
https://docs.microsoft.com/en-us/azure/site-recovery/vmware-azure-tutorial
upvoted 10 times
  Daren 1 month, 3 weeks ago

The
question is ridiculous. I`ve done this process from scratch: all options could
be part of the answer and the order is absolutely irrelevant. 1. Set the
protection goal (who stops you to set it after you download the OVF file?!? ) 2.
Download the OVF file (you can dwd it, do the next 2 steps, then come back to
the portal and set the protection goal). 3.Deploy a VM (if importing the
template in vCenter is considered a VM deployment, yes, why not?!? ) 4.Connect
to the collector VM (Once you have this VM up and running, you have to actually
connect to it, right? So why not this option too? ) 5. Register the
configuration server.
upvoted 4 times

should
be this one https://www.examtopics.com/exams/microsoft/az-102/view/18/
upvoted 2 times
Introductory Info
Case study -
Overview -
Microsoft
Azure Environment -
Requirements -
Planned Changes -
blobs immediately.
available.
network.
Question
HOTSPOT -
You need to provision the resources in Azure to support the virtual machine that will be migrated from the New York office.
What should you include in the solution? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Why
address space should be 10.20.0.0/16 ?
upvoted 1 times

Azure
address space shoudn't overlaps with on-premises networks.
upvoted 12 times
  gomateus 5 months, 3 weeks ago

The New York office uses an IP address space of
10.0.0.0/16. The Los Angeles office uses an IP address space of
10.10.0.0/16.
upvoted 9 times

Why
use StorageV1? Microsoft states that V2 should be used whenever
possible.
upvoted 15 times

General-purpose v2 storage accounts support the latest Azure Storage features
and incorporate all of the functionality of general-purpose v1 and Blob storage
accounts. General-purpose v2 accounts deliver the lowest per-gigabyte capacity
prices for Azure Storage, as well as industry-competitive transaction prices.
General-purpose v2 storage accounts support these Azure Storage
services:
upvoted 9 times

So
StorageV2 should be the answer, right?
upvoted 7 times
  vrana 2 days, 19 hours ago

since
it says The transactional charges of Azure Storage accounts must be minimized.
so storage of V1 type is correct answer
upvoted 1 times
  tjuchniewicz 2 months, 1 week ago

Your
applications are transaction-intensive or use significant geo-replication
bandwidth, but don't require large capacity. In this case, general-purpose v1
may be the most economical choice.
upvoted 3 times

You
are right. From official documentation; You can use general-purpose v1 accounts
for these scenarios: Your applications require the Azure classic deployment
model. General-purpose v2 accounts and Blob storage accounts support only the
Azure Resource Manager deployment model. Your applications are
transaction-intensive or use significant geo-replication bandwidth, but don't
require large capacity. In this case, general-purpose v1 may be the most
economical choice. You use a version of the Storage Services REST API that is
earlier than 2014-02-14 or a client library with a version lower than 4.x. You
can't upgrade your application.
upvoted 2 times

Always
V2 storage should be used.
upvoted 1 times
As
per the recommendation from MS, V2 should be used instead of V1 and prices
aren't different too.
upvoted 1 times
Introductory Info
Case study -
Overview -
Microsoft
Azure Environment -
Requirements -
Planned Changes -
blobs immediately.
available.
network.
Question
DRAG DROP -
You need to identify the appropriate sizes for the Azure virtual machines.
Which five actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and
Select and Place:
Correct Answer:
References:
https://docs.microsoft.com/en-us/azure/migrate/tutorial-assessment-vmware

• From
the Azure Portal, create an Azure Migration project • From the Azure Portal,
create an Azure Migration Assessment • From the Azure Portal. Download an OVA
file • From VM1, run the Deploy OVF template wizard • From VM1, connect to the
collector virtual machine and run the Azure Migration Collector
upvoted 3 times
  PeterWL 2 months ago

Reffer
to: https://docs.microsoft.com/en-us/azure/migrate/tutorial-assessment-vmware
the "From the Azure Portal, create an Azure Migration Assessment" should be
last action.
upvoted 5 times

Answer is: 1) From the Azure Portal, create an Azure
Migration project 2) From the Azure Portal. Download an OVA file 3) From VM1,
run the Deploy OVF template wizard 4) From VM1, connect to the collector virtual
machine and run the Azure Migration Collector 5) From the Azure Portal, create
an Azure Migration Assessment
upvoted 2 times
Introductory Info
Case study -

Overview -
tenant uses the
P1 pricing tier.
Planned Changes -
Deploy Azure ExpressRoute to the Montreal office.
Migrate the virtual machines hosted on Server1 and Server2 to Azure.
Synchronize on-premises Active Directory to Azure Active Directory (Azure AD).
Migrate App1 and App2 to two Azure web apps named WebApp1 and WebApp2.
Ensure that WebApp1 can adjust the number of instances automatically based on the load and can scale up to five instances.
Ensure that VM3 can establish outbound connections over TCP port 8080 to the applications servers in the Montreal office.
Ensure that routing information is exchanged automatically between Azure and the routers in the Montreal office.
Ensure Azure Multi-Factor Authentication (MFA) for the users in the finance department only.
Ensure that webapp2.azurewebsites.net can be accessed by using the name app2.contoso.com
Connect the New York office to VNet1 over the Internet by using an encrypted connection.
Create a workflow to send an email message when the settings of VM4 are modified.
Create a custom Azure role named Role1 that is based on the Reader role.
Minimize costs whenever possible.
Question
You need to meet the technical requirement for VM4.
What should you create and configure?
A. an Azure Logic App
B. an Azure Service Bus
C. an Azure Notification Hub
D. an Azure Event Hub
Correct Answer: D
Scenario: Create a workflow to send an email message when the settings of VM4 are modified.
You can start an automated logic app workflow when specific events happen in Azure resources or third-party resources. These resources can
publish those events to an Azure event grid. In turn, the event grid pushes those events to subscribers that have queues, webhooks, or event
hubs as endpoints. As a subscriber, your logic app can wait for those events from the event grid before running automated workflows to
perform tasks - without you writing any code.
References:
  pinox1 6 months, 1 week ago

I
think the answer is A: Azure logic app + event grid
upvoted 17 times

Thats
incorrect, what is your connector for receieving those changed events of
vm4?
upvoted 1 times

To
my understanding, event grid is connected to almost all the services of Azure.
Whenever there is change in VM4, event grid will trigger an event, logic app
will be executed and send the email.
upvoted 4 times

That
connector should be Event Grid, not Event Hub. Event Hub is for big
data...
upvoted 1 times

A:
upvoted 1 times

Agree
with Pinox1, the answer is A. A logic app must be created to trigger an event
like this. An Event Hub is used to ingest streaming data and process it, not for
generating event-based triggers like this scenario.
upvoted 2 times

A
is the right asnwer. Even the expalation said so !
upvoted 3 times

Exactly
upvoted 1 times

Source:
Prerequisites An Azure subscription. If you don't have an Azure
subscription, sign up for a free Azure account. An email account from an
email provider supported by Logic Apps for sending notifications, such as Office
365 Outlook, Outlook.com, or Gmail. For other providers, review the connectors
list here. This tutorial uses an Office 365 Outlook account. If you use a
different email account, the general steps stay the same, but your UI might
appear slightly different. A virtual machine that's alone in its own Azure
resource group. If you haven't already done so, create a virtual machine through
the Create a VM tutorial. To make the virtual machine publish events, you don't
need to do anything else. For me this last statement says everything. On the
exam I will go on A.
upvoted 3 times

Answre is A:
upvoted 1 times

Event
Hub is for Ingestion of streaming or Large data volume ..Hence answer is
incorrect.LogicApp is correct answer.
upvoted 1 times

A-Logic
App is the right answer as event grid is a connector but logic app is flow
orchestrator which fulfills the need.
upvoted 1 times

As
ques says "Create a workflow". You can not create a workflow in Event grid so
Logic App I will choose in exam.
upvoted 1 times
Introductory Info
Case study -
Overview -
Microsoft
Azure Environment -
Requirements -
Planned Changes -
blobs immediately.
available.
network.
Question
HOTSPOT -
You need to implement App2 to meet the application requirements. What should you include in the implementation? To answer, select the
appropriate options in the answer area.
Hot Area:
Correct Answer:
References:
https://azure.microsoft.com/en-us/pricing/details/app-service/plans/ https://docs.microsoft.com/en-us/azure/azure-functions/functions-
scale

Standard don't deploy in Vnet. Only Isolated can be
deployed in Vnet
upvoted 1 times

not
true; Vnet integration requires Standard or Premium plan:
https://docs.microsoft.com/en-us/azure/app-service/web-sites-integrate-with-vnet
upvoted 3 times

VNET
integration is different than putting the App itself inside a VNET from the
beginning, this can be achieved only by ASE ( ie./ Isolated tier )
upvoted 9 times

So
the correct answer is ( Isolated & Always ON )
upvoted 11 times
  iselectkane321 4 months ago

Always
ON only available on Basic and Standard service plan
upvoted 2 times

not
true:
https://azure.microsoft.com/en-gb/pricing/details/app-service/plans/
upvoted 2 times
  mahazona 2 months, 3 weeks ago

standard service plan is correct..
https://docs.microsoft.com/en-us/azure/app-service/web-sites-integrate-with-vnet
upvoted 3 times

Isolated
is correct Ref: This tier runs dedicated Azure VMs on dedicated Azure Virtual
Networks.
https://docs.microsoft.com/en-us/azure/app-service/overview-hosting-plans
upvoted 1 times
  Rishabhjain 2 weeks, 1 day ago

you
have to minimize the cost as well.
upvoted 2 times

Isolated
and Standard both support Always On feature but, in order to fulfil the
requirement - "The cost of App1 and App2 must be minimized", the choice has to
be Standard. Isolated app service tier is the most expensive!
upvoted 4 times
Introductory Info
Case Study -

Overview -
Contoso created a new Azure subscription. The Azure Active Directory (Azure AD) tenant uses a domain named contoso.onmicrosoft.com. The
tenant uses the
P1 pricing tier.
Contoso uses two web applications named App1 and App2. Each instance on each web application requires 1 GB of memory.
Requirements -
Planned Changes -
Deploy Azure ExpressRoute to the Montreal office
Migrate the virtual machine hosted on Server1 and Server2 to Azure
Synchronize on-premises Active Directory to Azure Active Directory (Azure AD)
Technical Requirements -
Ensure that WebApp1 can adjust the number of instances automatically based on the load and can scale up to five instances
Ensure that VM3 can establish outbound connections over TCP port 8080 to the applications servers in the Montreal office
Ensure that routing information is exchanged automatically between Azure and the routers in the Montreal office
Enable Azure Multi-Factor Authentication (MFA) for the users in the finance department only
Connect the New York office to VNet1 over the Internet by using an encrypted connection
Create a workflow to send an email message when the settings of VM4 are modified
Create a custom Azure role named Role1 that is based on the Reader role
Minimize costs whenever possible
Question
You need to configure a host name for WebApp2.
A. In Azure AD, add contoso.com as a custom domain name
B. In the public DNS zone of contoso.onmicrosoft.com, add an NS record
C. In Azure AD, add webapp2.azurewebsites.net as a custom domain name
D. In the public DNS zone of contoso.com, add a CNAME record

Correct Answer: C
Scenario: Ensure that webapp2.azurewebsites.net can be accessed by using the name app2.contoso.com
When you create a Cloud Service, Azure assigns it to a subdomain of cloudapp.net. For example, if your Cloud Service is named "contoso", your
users will be able to access your application on a URL like http://contoso.cloudapp.net. Azure also assigns a virtual IP address.
However, you can also expose your application on your own domain name, such as contoso.com.
References:
https://docs.microsoft.com/en-us/azure/cloud-services/cloud-services-custom-domain-name-portal

Shouldn't
it be D. In the public DNS zone of contoso.com, add a CNAME record of
app2.contoso.com to webapp2.azurewebsites.net
upvoted 26 times

its
already exist as per Existing Environment - The network contains an Active
Directory forest named contoso.com. All domain controllers are configured as DNS
servers and host the contoso.com DNS zone.
upvoted 1 times

existing
environment here means the Onpremise environment, not Azure
Environment
upvoted 2 times

Correct
upvoted 2 times
  RPAL 4 months, 2 weeks ago

Nothing
to do with AD here.. Map a wildcard domain (for contoso.com) by using a CNAME
record. Option D is correct
upvoted 1 times

answer
is D - the requirement is to access via apps.contoso.com and the on premises AD
manages the DNS for contoso.com so it can only be in there that the records are
set and it would require a cname as it needs to map to webapp2.azurewebsites.net
- azurewebsites.net is a domain controlled by azure and assigned to
webapps
upvoted 1 times

so
you could not as azurewebsites.net as a custom domain name as it would be
imposible to verify as it is owned by MS
upvoted 1 times
  NeerajKS 3 months, 2 weeks ago

Option D is the correct answer.
upvoted 3 times

Should
be D.
upvoted 1 times

Answer
is D =>
https://docs.microsoft.com/en-us/azure/cloud-services/cloud-services-custom-domain-name-portal
upvoted 1 times

I'm
thinking it is D also. That is the only solution I see working.
upvoted 1 times
Introductory Info
Case Study -

Overview -
Contoso created a new Azure subscription. The Azure Active Directory (Azure AD) tenant uses a domain named contoso.onmicrosoft.com. The
tenant uses the
P1 pricing tier.
Contoso uses two web applications named App1 and App2. Each instance on each web application requires 1 GB of memory.
Requirements -
Planned Changes -
Deploy Azure ExpressRoute to the Montreal office
Migrate the virtual machine hosted on Server1 and Server2 to Azure
Synchronize on-premises Active Directory to Azure Active Directory (Azure AD)
Ensure that WebApp1 can adjust the number of instances automatically based on the load and can scale up to five instances
Ensure that VM3 can establish outbound connections over TCP port 8080 to the applications servers in the Montreal office
Ensure that routing information is exchanged automatically between Azure and the routers in the Montreal office
Enable Azure Multi-Factor Authentication (MFA) for the users in the finance department only
Connect the New York office to VNet1 over the Internet by using an encrypted connection
Create a workflow to send an email message when the settings of VM4 are modified
Create a custom Azure role named Role1 that is based on the Reader role
Minimize costs whenever possible
Question
Which pricing tier should you recommend for WebApp1?
A. D1
B. P1v2
C. S1
D. B1
Correct Answer: C
Standard supports up to 10 instances, and would be enough as the Standard plan includes auto scale that can automatically adjust the number
of virtual machine instances running to match your traffic needs.
Scenario: Ensure that WebApp1 can adjust the number of instances automatically based on the load and can scale up to five instances
Incorrect Answers:
D: Basic supports only up to 3 instances.
References:
https://azure.microsoft.com/en-us/pricing/details/app-service/windows/
  tish123 3 months, 2 weeks ago

S1
is correct , since can host 10 instance and auto scaling is possible . "Ensure
that WebApp1 can adjust the number of instances automatically based on the load
and can scale up to five instances" - This is the requirement and Basic plan
dosen't support autoscaling thats the reason for it to be a not a valid option.
The justification given in the answer is wrong for the basic plan.
upvoted 4 times

10
Instance is supported by S1 Standard application.
upvoted 1 times
Introductory Info
Case Study -

Overview -


Licensing Issue -
Requirements -
Planned Changes -

Default Azure system routes that will be the only routes used to route traffic
A virtual network named Paris-VNet that will contain two subnets named Subnet1 and Subnet2
A virtual network named ClientResources-VNet that will contain one subnet named ClientSubnet
A virtual network named AllOffices-VNet that will contain two subnets named Subnet3 and Subnet4
network.
Web administrators will deploy Azure web apps for the marketing department. Each web app will be added to a separate resource group. The
During the testing phase, auditors in the finance department must be able to review all Azure costs from the past week.
Question
You need to prepare the environment to meet the authentication requirements.
Which two actions should you perform? Each correct answer presents part of the solution
A. Allow inbound TCP port 8080 to the domain controllers in the Miami office
B. Install Azure AD Connect on a server in the Miami office and enable Pass-through Authentication
C. Install the Active Directory Federation Services (AD FS) role on a domain controller in the Miami office
D. Join the client computers in the Miami office to Azure AD
E. Add http://autologon.microsoftazuread-sso.com to the intranet zone of each client computer in the Miami office.
Correct Answer: BE
B: Seamless SSO works with any method of cloud authentication - Password Hash Synchronization or Pass-through Authentication, and can be
enabled via Azure
AD Connect.
E: You can gradually roll out Seamless SSO to your users. You start by adding the following Azure AD URL to all or selected users' Intranet zone
settings by using
Group Policy in Active Directory: https://autologon.microsoftazuread-sso.com
Incorrect Answers:
A: Azure AD connect does not port 8080. It uses port 443.
C: Seamless SSO is not applicable to Active Directory Federation Services (ADFS).
D: Seamless SSO needs the user's device to be domain-joined, but doesn't need for the device to be Azure AD Joined.
Scenario: Users in the Miami office must use Azure Active Directory Seamless Single Sign-on (Azure AD Seamless SSO) when accessing
resources in Azure.
Planned Azure AD Infrastructure include: The on-premises Active Directory domain will be synchronized to Azure AD.
References:
https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-sso-quick-start
  microant 2 weeks, 4 days ago

question says:
http://autologon.microsoftazuread-sso.com"" http must be https
upvoted 1 times
Introductory Info
Case Study -

Overview -


Licensing Issue -
Requirements -
Planned Changes -

Default Azure system routes that will be the only routes used to route traffic
A virtual network named Paris-VNet that will contain two subnets named Subnet1 and Subnet2
A virtual network named ClientResources-VNet that will contain one subnet named ClientSubnet
A virtual network named AllOffices-VNet that will contain two subnets named Subnet3 and Subnet4
network.
Web administrators will deploy Azure web apps for the marketing department. Each web app will be added to a separate resource group. The
During the testing phase, auditors in the finance department must be able to review all Azure costs from the past week.
Question
Which blade should you instruct the finance department auditors to use?
A. Partner information
B. Cost analysis
C. Resource providers
D. Invoices
Correct Answer: D
You can opt in and configure additional recipients to receive your Azure invoice in an email. This feature may not be available for certain
subscriptions such as support offers, Enterprise Agreements, or Azure in Open.
1. Select your subscription from the Subscriptions page. Opt-in for each subscription you own. Click Invoices then Email my invoice.
2. Click Opt in and accept the terms.
Scenario: During the testing phase, auditors in the finance department must be able to review all Azure costs from the past week.
References:
https://docs.microsoft.com/en-us/azure/billing/billing-download-azure-invoice-daily-usage-date

I
think the correct answer is B. Cost Analysis. Invoices are available for a
billing period and auditors may not be able to review Azure costs if the bill
hasn't been generated yet.
upvoted 15 times

Cost
Analysis --> Accumulated costs --> Select time period.
upvoted 8 times

It's
a bit of a trick question to be fair, however I would say "Cost Analysis".
Namely because when you eventually navigate to Invoices, it directs you to an
Invoices view within Cost Analysis, so one would argue Cost Analysis is the
overall tool.
upvoted 1 times

Just
to add to gurbys comment, it's probably better to select "Invoice details" from
the built-in views rather than "Accumulated costs".
upvoted 1 times

Answer
is B The key word here is " to review the invoices from the past week" the
invoice might be not generated though
upvoted 1 times

"Past
week" is in the past, so the invoice will be available, then D is the
answer.
upvoted 1 times
  Gjferweb 1 month ago

Not
necesarily: Why don't I see an invoice for the last billing period? There could
be several reasons that you don't see an invoice: It's less than 30 days from
the day you subscribed to Azure.
upvoted 1 times
  IonutB 1 month, 2 weeks ago

It
should be Cost analysis - Correct answer B. I've tried to put last 7 days using
Custom timespan from Invoices but there was no result.
upvoted 1 times
  kuome 1 week, 6 days ago

Scenario
snippet: 'review all Azure costs from the past week.' - an invoice is only
generated after 30 days Why don't I see an invoice for the last billing period?
There could be several reasons that you don't see an invoice: -It's less than
30 days from the day you subscribed to Azure. -The invoice isn't generated yet.
Wait until the end of the billing period. B. is the correct answer in this
case
upvoted 1 times
Introductory Info
Case study -

Overview -
tenant uses the
P1 pricing tier.
Planned Changes -
Question
You need to recommend a solution to automate the configuration for the finance department users. The solution must meet the technical
requirements.
What should you include in the recommendation?
A. an Azure logic app and the Microsoft Identity Management (MIM) client
B. Azure AD Identity Protection
C. dynamic groups and conditional access policies
D. Azure AD B2C
Correct Answer: C
Scenario: Ensure Azure Multi-Factor Authentication (MFA) for the users in the finance department only.
The recommendation is to use conditional access policies that can then be targeted to groups of users, specific applications, or other
conditions.
References:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates
Conditional
access policy enable one to configure the MFA.
upvoted 2 times

Question
asked doesn't makes sense with options.
upvoted 1 times
  AnujD 1 week, 1 day ago

MFA
criteria makes Option C (conditional access policy) qualified as an
answer.
upvoted 2 times
Introductory Info
Case study -

Overview -
tenant uses the
P1 pricing tier.
Planned Changes -
Question
HOTSPOT -
You need to prepare the environment to implement the planned changes for Server2.
Hot Area:

Box 1: Create a Recovery Services vault
Create a Recovery Services vault on the Azure Portal.
Box 2: Install the Azure Site Recovery Provider
Azure Site Recovery can be used to manage migration of on-premises machines to Azure.
Scenario: Migrate the virtual machines hosted on Server1 and Server2 to Azure.
Server2 has the Hyper-V host role.
References:
https://docs.microsoft.com/en-us/azure/site-recovery/migrate-tutorial-on-premises-azure
  Russel 2 months ago

below
for the view
upvoted 9 times
Introductory Info
Case study -

Overview -
tenant uses the
P1 pricing tier.
Planned Changes -
Question
You discover that VM3 does NOT meet the technical requirements.
You need to verify whether the issue relates to the NSGs.
A. Diagram in VNet1
B. Diagnostic settings in Azure Monitor
C. IP flow verify in Azure Network Watcher
D. Diagnose and solve problems in Traffic Manager profiles
E. the security recommendations in Azure Advisor
Correct Answer: C
Scenario: Contoso must meet technical requirements including:
IP flow verify checks if a packet is allowed or denied to or from a virtual machine. The information consists of direction, protocol, local IP,
remote IP, local port, and remote port. If the packet is denied by a security group, the name of the rule that denied the packet is returned. While
any source or destination IP can be chosen,
IP flow verify helps administrators quickly diagnose connectivity issues from or to the internet and from or to the on-premises environment.
References:
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-ip-flow-verify-overview
Introductory Info
Case study -

Overview -
tenant uses the
P1 pricing tier.
Planned Changes -
Question
HOTSPOT -
You need to implement Role1.
Which command should you run before you create Role1? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Topic 16 - More Questions.
You create an Azure virtual machine named VM1 in a resource group named RG1.
You discover that VM1 performs slower than expected.
You need to capture a network trace on VM1.
What should you do?
A. From Diagnostic settings for VM1, configure the performance counters to include network counters.
B. From the VM1 blade, configure Connection troubleshoot.
C. From the VM1 blade, install performance diagnostics and run advanced performance analysis
D. From Diagnostic settings for VM1, configure the log level of the diagnostic agent.
Correct Answer: C
The performance diagnostics tool helps you troubleshoot performance issues that can affect a Windows or Linux virtual machine (VM).
Supported troubleshooting scenarios include quick checks on known issues and best practices, and complex problems that involve slow VM
performance or high usage of CPU, disk space, or memory.
Advanced performance analysis, included in the performance diagnostics tool, includes all checks in the performance analysis, and collects
one or more of the traces, as listed in the following sections. Use this scenario to troubleshoot complex issues that require additional traces.
Running this scenario for longer periods will increase the overall size of diagnostics output, depending on the size of the VM and the trace
options that are selected.
References:
  nicky717 2 months, 2 weeks ago

I think it should be A. Drill down to VM resource,
Diagnostic Settings > Enable guest-OS level logging > From Performance
counters, include network (options also include CPU, memory, disk along with
app/SQL related logs).
upvoted 2 times

to
me it's B. With Network Watcher and a StorageAccount you could trace and review
the logs in SA.
upvoted 1 times

Its
C. Azure Performance Diagnostics VM Extension helps collect performance
diagnostic data from Windows VMs. The extension performs analysis, and provides
a report of findings and recommendations to identify and resolve performance
issues on the virtual machine. This extension installs a troubleshooting tool
called PerfInsights.
upvoted 4 times
  Ahmed911 6 days, 9 hours ago

But it's not capturing Network traces. and this is what
the question asked, Azure PD is just finding issues in CPU , memory and Disks
but not Network
upvoted 1 times

It's
A
upvoted 1 times

It's C: for sure. network "trace" or any other
performance "trace" is done by C:.
upvoted 2 times

Go
to VM blade -> "Diagnose and solve problems" -> "troubleshooting Tools"
-> "Performance diagnostics". Just Click on it and install. So option "C" is
100% right answer.
upvoted 2 times
A company plans to use third-party application software to perform complex data analysis processes. The software will use up to 500 identical
virtual machines
(VMs) based on an Azure Marketplace VM image.
You need to design the infrastructure for the third-party application server. The solution must meet the following requirements:
✑ The number of VMs that are running at any given point in time must change when the user workload changes.
✑ When a new version of the application is available in Azure Marketplace it must be deployed without causing application downtime.
✑ Use VM scale sets.
✑ Minimize the need for ongoing maintenance.
Which two technologies should you recommend? Each correct answer presents part of the solution.
A. single storage account
B. autoscale
C. single placement group
D. managed disks
Correct Answer: BD

B
and C Placement Group And Autoscale is the correct answer
upvoted 3 times
  kimiura 5 months, 3 weeks ago

B
and C
upvoted 1 times

C
is incorrect. Single placement group has a maximum of 100VM.
upvoted 5 times

It
is no 100 but 1000. So, C is correct
https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-placement-groups
upvoted 1 times

With
Single placement group, max VMs are limited to 100. To have > 100 and <
1000, have to set singlePlacementGroup to false to use multiple placement
groups. So B and D are correct.
https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-placement-groups
By default, a scale set consists of a single placement group with a maximum
size of 100 VMs. If a scale set property called singlePlacementGroup is set to
false, the scale set can be composed of multiple placement groups and has a
range of 0-1,000 VMs. Large scale sets require Azure Managed Disks. Scale sets
that are not created with Managed Disks require multiple storage accounts (one
for every 20 VMs). Large scale sets are designed to work exclusively with
Managed Disks to reduce your storage management overhead, and to avoid the risk
of running into subscription limits for storage accounts.
upvoted 15 times

Good
point.Thanks!
upvoted 1 times
  gbabes 5 months ago

B
and D Introduction to Azure managed disks
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/managed-disks-overview
"Using managed disks, you can create up to 50,000 VM disks of a type in a
subscription per region, allowing you to create thousands of VMs in a single
subscription. This feature also further increases the scalability of virtual
machine scale sets by allowing you to create up to 1,000 VMs in a virtual
machine scale set using a Marketplace image."
upvoted 12 times

B
and D are right. Placement group are proximity group who ensure that VMs are as
close as possible in datacenter to reduce latency. Question ask about minimum
maintainence so managed disk is a right choice. Don't know why people choosing
"C" here.
upvoted 1 times

B
and D is the correct answer. Although Placement group does provide reduced
latency, fault tolerance, it is not a specific requirement here. The requirement
is to reduce management. For large number of VMs, that can be done through
managed disks.
upvoted 1 times
Your company has an Azure subscription.

You enable multi-factor authentication (MFA) for all users.
The company's help desk reports an increase in calls from users who receive MFA requests while they work from the company's main office.
You need to prevent the users from receiving MFA requests when they sign in from the main office.
What should you do?
A. From Azure Active Directory (Azure AD), configure organizational relationships.
B. From the MFA service settings, create a trusted IP range.
C. From Conditional access in Azure Active Directory (Azure AD), create a custom control.
D. From Conditional access in Azure Active Directory (Azure AD), create a named location.
Correct Answer: B
The first thing you may want to do, before enabling Multi-Factor Authentication for any users, is to consider configuring some of the available
settings. One of the most important features is a trusted IPs list. This will allow you to whitelist a range of IPs for your network. This way, when
users are in the office, they will not get prompted with MFA, and when they take their devices elsewhere, they will. Here's how to do it:
Log in to your Azure Portal.
Navigate to Azure AD > Conditional Access > Named locations.
From the top toolbar select Configure MFA trusted IPs.
References:
https://www.kraftkennedy.com/implementing-azure-multi-factor-authentication/
  rogerchen 3 months, 3 weeks ago

shouldn't
it be named location?
upvoted 1 times
  blitz 2 months, 2 weeks ago

it
will be D D. From Conditional access in Azure Active Directory (Azure AD),
create a named location.
upvoted 1 times
  thirstylion 2 months, 2 weeks ago

There
are two ways of doing it. The suggested answer is the basic way. To do the named
location way we need premium P1 sku.
upvoted 1 times

You
don't need Premium sku to use Conditional Access! MFA menu is accessed from the
conditional access plane. The proper answer is D.
upvoted 1 times

The
answer is D!!! It's funny that the explanation in the answer suggests Azure AD
> Conditional Access > Named locations but, points to the wrong answer
B.
upvoted 1 times

Its
"D", This question rephrased and repeated and last time it was "named location"
in other ques. Anyways Named location is the right way to do it.
upvoted 1 times
  tboggie 2 weeks, 1 day ago

The
answer is D
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/location-condition
upvoted 1 times
You have an Azure Active Directory (Azure AD) tenant named contoso.com.
A user named Admin1 attempts to create an access review from the Azure Active Directory admin center and discovers that the Access reviews
settings are unavailable. Admin1 discovers that all the other Identity Governance settings are available.
Admin1 is assigned the User administrator, Compliance administrator, and Security administrator roles.
You need to ensure that the Admin1 can create access reviews in contoso.com.
Solution: You consent to Azure AD Privileged Identity Management (PIM).
A. Yes
B. No
Correct Answer: A
PIM essentially helps you manage the who, what, when, where, and why for resources that you care about. Key features of PIM include:
✑ Conduct access reviews to ensure users still need roles
Note: Azure Active Directory (Azure AD) Privileged Identity Management (PIM) is a service that enables you to manage, control, and monitor
access to important resources in your organization. This includes access to resources in Azure AD, Azure resources, and other Microsoft Online
Services like Office 365 or Microsoft
Intune.
References:
https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure
'Consent to PIM' does not enable access review
feature.
upvoted 5 times
  SaurabhAzure 1 month, 2 weeks ago

thats
true...
upvoted 1 times
  kishoreg 1 month, 1 week ago

"Conduct access reviews to ensure users still need
roles" its clearly written
upvoted 2 times
  babacandy 4 days, 15 hours ago

Solution
Answer is confusing. To create access review a user should be in "Privileged
Role Administrator" role. Reference :
https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-start-security-review
upvoted 1 times
Solution: You assign the Global administrator role to Admin1.
A. Yes
B. No
Correct Answer: B
Instead use Azure AD Privileged Identity Management.
Note: PIM essentially helps you manage the who, what, when, where, and why for resources that you care about. Key features of PIM include:
References:
  turtle666 3 months, 2 weeks ago

Azure
AD Premium P2 licenses are not required for the following tasks: No licenses are
required for the users with the Global Administrator or User Administrator roles
that set up access reviews, configure settings, or apply the decisions from the
reviews.
https://docs.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview
upvoted 3 times

turtle666
copied the text straight from the referenced link
upvoted 1 times
  Bluediamond 2 months ago

https://docs.microsoft.com/en-us/azure/active-directory/governance/create-access-review
upvoted 1 times
  SaurabhAzure 1 month, 1 week ago

the
answer should be yes. As because global administrators can perform access
review. We do not need P2 license for global administrators
upvoted 2 times

prerequisites
for access review are: Azure AD Premium P2 Global administrator or User
administrator ref :
https://docs.microsoft.com/en-us/azure/active-directory/governance/create-access-review
upvoted 1 times
  Pigi_102 4 days, 1 hour ago

From:
https://azure.microsoft.com/en-us/pricing/details/active-directory/ Premium P2
is the only license with Access Review Option. Moreover, from
, License Requirement: "Using this feature requires an Azure AD Premium P2
license." So the answer is NO.
upvoted 1 times
Solution: You purchase an Azure Directory Premium P2 license for contoso.com.
A. Yes
B. No
Correct Answer: B
Instead use Azure AD Privileged Identity Management.
Note: PIM essentially helps you manage the who, what, when, where, and why for resources that you care about. Key features of PIM include:
References:

I
think yes, because the requirement for access review is AD Premium 2.
upvoted 2 times

I
guess, just by upgrading to premium 2 will not help. Further steps are
required.
upvoted 1 times

Stupid
question. PIM required, which itself requires P2. Hope they don’t ask this one
as it’s a bogus question.
upvoted 4 times
  RPAL 4 months, 2 weeks ago

PIM
and Access Reviews are two different things.. but yes, if you need to review for
PIM access, you would need PIM
https://azure.microsoft.com/en-us/pricing/details/active-directory/
upvoted 1 times

agree
this question / series of questions is a bit stupid. Access reviews & PIM
both require P2 but there is no mention of which licence level there is so you
cannot know for the the other question so impossible to answer really. Of course
just buying the licence isnt going to configure itself but how are supposed to
know what it is implying
upvoted 1 times

This
is a poorly worded and misleading question. One needs Azure AD Premium 2 in
order to access PIM so the answer seems like it should be "yes" but I don't
think that's the intent of the question. If anyone gets this question on the
test, I think the answer to give is "no".
upvoted 1 times

Yes,
PIM requires AD P2
upvoted 1 times

Preimum
P1 is 1 pre-requisite, other requirement is to elevate user1 to Global admin
else he won't be able to create "Access Reviews" under "Identity Givernance".
"NO" is right answer.
upvoted 1 times
  vic88sanchez 2 weeks ago

This
is a very tricky question and i played in the azure portal with this and
thinking thru it all. I think the answer is no to all the questions because you
dont know if a license exists or consent was executed. The only one that could
have an answer of Yes is " you need to consent" and this is only doable if you
have a P2 license.
upvoted 1 times
  DeepuDN 4 days, 23 hours ago

It
states that "Admin1 discovers that all the other Identity Governance settings
are available.", means the Licence is already P2. In addition to P2, User needs
to be a Global Admin or User Admin. I think, given answer is correct.
upvoted 1 times
You have a resource group named RG1 that contains the following:
✑ A virtual network that contains two subnets named Subnet1 and Subnet2
✑ An Azure Storage account named contososa1
✑ An Azure firewall deployed to Subnet2
You need to ensure that contososa1 is accessible from Subnet1 over the Azure backbone network.
What should you do?
A. Deploy an Azure firewall to Subnet1.
B. Remove the Azure firewall.
C. Implement a virtual network service endpoint.
D. Create a stored access policy for contososa1.
Correct Answer: C
Virtual Network (VNet) service endpoints extend your virtual network private address space and the identity of your VNet to the Azure services,
over a direct connection. Endpoints allow you to secure your critical Azure service resources to only your virtual networks. Traffic from your
VNet to the Azure service always remains on the Microsoft Azure backbone network.
References:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview

correct
upvoted 1 times

yes
true. Azure backbone network = service endpoint
upvoted 1 times
You manage Server1 by using Windows Admin Center.
You need to ensure that if Server1 fails, you can recover the data from Azure.
Solution: From the Azure portal, you create a Recovery Services vault. On VM1, you install the Azure Backup agent and you schedule a backup.
A. Yes
B. No
Correct Answer: B
Instead use Azure Storage Sync service and configure Azure File.
Use Azure File Sync to centralize your organization's file shares in Azure Files, while keeping the flexibility, performance, and compatibility of an
on-premises file server. Azure File Sync transforms Windows Server into a quick cache of your Azure file share.
References:
https://docs.microsoft.com/en-us/azure/storage/files/storage-files-introduction

A
(yes) should be good also, because the question says that you need to recover
data from Azure.
upvoted 1 times

The
question asks about Server1 (on prem) and not the VM1 in azure, so the ASR
answer is incorrect. Hence B.
upvoted 4 times

agreed
, answer is B because as Benkyoujin says it states VM1 is server with the backup
agent installed and does not mention Server1. It would only be A if the question
has a typo and it it should be written Server1 where it states VM1, but it
doesnt , so in this form it is B
upvoted 1 times

Shouldn't
the answer be "yes"? The question says that if Server1 fails, "you can recover
the data from Azure." The keyword there is "data" and not the whole server. If
we're backing up VM1 then that doesn't that mean we're capturing the data as
well?
upvoted 1 times

The
Keyword are: Windows Admin Center. You dont need to download the Backup Agent,
you can configure this in the Windows Admin Center. All three Question are
NO!
upvoted 1 times
  thirstylion 2 months, 2 weeks ago

"
file server named Server1"...that means they want to extend their on-prem file
server to Azure. Best way to do it is using Azure File Sync service.
upvoted 1 times
  Gjferweb 2 weeks, 2 days ago

If it is a typo? instead of VM1 should be server1? in
that case I think the answer is yes
upvoted 1 times

I
think A should be good, because
https://azure.microsoft.com/en-in/solutions/architecture/backup-archive-on-premises-applications/
upvoted 1 times

Could
be a word play from
https://docs.microsoft.com/en-us/azure/backup/backup-windows-with-mars-agent
MARS Agent vs Azure backup Agent. I vote B-No
upvoted 1 times
Solution: You create a Recovery Services vault and configure a backup by using Windows Server Backup.
A. Yes
B. No
Correct Answer: B
Instead use Azure Storage Sync service and configure Azure File.
References:
https://docs.microsoft.com/en-us/azure/storage/files/storage-files-introduction

YES!
The Admin Center need an Schedular Backup Policy
upvoted 1 times
Solution: You create an Azure Storage account and an Azure Storage Sync service. You configure Azure File Sync for Server1.
A. Yes
B. No
Correct Answer: A
Azure Files offers fully managed file shares in the cloud that are accessible via the industry standard Server Message Block (SMB) protocol.
Azure file shares can be mounted concurrently by cloud or on-premises deployments of Windows, Linux, and macOS. Additionally, Azure file
shares can be cached on Windows
Servers with Azure File Sync for fast access near where the data is being used.
Azure file shares can be used to:
Replace or supplement on-premises file servers:
Azure Files can be used to completely replace or supplement traditional on-premises file servers or NAS devices. Popular operating systems
such as Windows, macOS, and Linux can directly mount Azure file shares wherever they are in the world. Azure file shares can also be replicated
with Azure File Sync to Windows
Servers, either on-premises or in the cloud, for performance and distributed caching of the data where it's being used.
References:
https://docs.microsoft.com/en-us/azure/storage/files/storage-files-introduction https://docs.microsoft.com/en-
us/azure/storage/files/storage-sync-files-deployment-guide?tabs=azure-portal

Azure
File Sync Services is not a Backup!
upvoted 1 times

Azure
File Sync Services storage sync service resource will allow you to transform
your Windows Server into a quick cache for Azure file shares with optional cloud
tiering and multi-server sync functionality.
upvoted 1 times
  kishoreg 1 month, 1 week ago

True. But explanation mentions about azure file sync, is
there any alternate answer?
upvoted 1 times
  Santosh43 3 weeks ago

Answer
is definatley Yes, Below confirms that. Ouestion is only about recovering the
data. Azure Files offers fully managed file shares in the cloud that are
accessible via the industry standard Server Message Block (SMB) protocol. Azure
file shares can be mounted concurrently by cloud or on-premises deployments of
Windows, Linux, and macOS. Additionally, Azure file shares can be cached on
Windows Servers with Azure File Sync for fast access near where the data is
being used.
upvoted 1 times
The company does not have access to the source code for the website. They have the original installer.
What should you do -
A. Use a webhook to log autoscale failures.
B. Use an autoscale setting to scale instances vertically.
C. Use only default diagnostics metrics to trigger autoscaling
D. Use an autoscale setting to define more profiles that have one or more autoscale rules.
Correct Answer: C
In-guest VM metrics with the Azure diagnostics extension
The Azure diagnostics extension is an agent that runs inside a VM instance. The agent monitors and saves performance metrics to Azure
storage. These performance metrics contain more detailed information about the status of the VM, such as AverageReadTime for disks or
PercentIdleTime for CPU. You can create autoscale rules based on a more detailed awareness of the VM performance, not just the percentage
of CPU usage or memory consumption.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-autoscale-overview
  fp76 1 month, 2 weeks ago

Should
be D?
upvoted 1 times

C
is correct. You can create an autoscale setting on a VM to use host-level
metrics or guest OS-based metrics. ref :
upvoted 1 times
  jcarlos 1 week ago

I
would go for D. Although using simple autoscale can be a solution for most of
the scenarios, the fact that workload varies along the year makes the use of
different autoscale profiles (each profile "tuned" for each situation) a more
appropriate solution From
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/autoscale-overview
You can have multiple profiles, which allow you to take care of different
overlapping requirements. You can have different autoscale profiles for
different times of day or days of the week, for example.
upvoted 1 times
You are responsible for mobile app development for a company. The company develops apps on Windows Mobile, IOS, and Android.
You plan to integrate push notifications into every app.
You need to be able to send users alerts from a backend server.
Which two options can you use to achieve this goal? Each correct answer presents a complete solution.
A. Azure Web App
B. Azure Mobile App Service
C. Azure SQL Database
D. Azure Notification Hubs
E. a virtual machine
Correct Answer: BD
The Mobile Apps client enables you to register for push notifications with Azure Notification Hubs.
The following platforms are supported:
✑ Xamarin Android releases for API 19 through 24 (KitKat through Nougat)
✑ Xamarin iOS releases for iOS versions 8.0 and later

✑ Universal Windows Platform
✑ Windows Phone 8.1
✑ Windows Phone 8.0 except for Silverlight applications
References:
https://docs.microsoft.com/en-us/azure/app-service-mobile/app-service-mobile-dotnet-how-to-use-client-library

Well
I don't think the the published answers "represent a complete solution" --
Notification Hubs are not used on their own.
upvoted 1 times
Correct Answer: C
Reference:

Correct Answer: C
Reference:
  poxbottle 1 month, 1 week ago

Duplicate
upvoted 1 times

shouldn't
it be D?
upvoted 1 times
You have an Azure subscription named Subscription1 that contains an Azure virtual network named VNet1. VNet1 connects to your on-premises
network by using
Azure ExpressRoute.
You need to connect VNet1 to the on-premises network by using a site-to-site VPN. The solution must minimize cost.
Which three actions should you perform? Each correct answer presents part of the solution.
A. Create a VPN gateway that uses the VpnGw1 SKU.
B. Create a connection.
C. Create a local site VPN gateway.
D. Create a gateway subnet.
E. Create a VPN gateway that uses the Basic SKU.
Correct Answer: D
References:
https://docs.microsoft.com/en-za/archive/blogs/canitpro/step-by-step-configuring-a-site-to-site-vpn-gateway-between-azure-and-on-premise

A.
Create a VPN gateway that uses the VpnGw1 SKU. B. Create a connection. C. Create
a local site VPN gateway. We need to Gateway subnet also but since already Vnet1
is connecting to OnPrem via ExpressRoute so gateway subnet would already be
existing. My answer is ABC
upvoted 3 times
  jcarlos 1 week ago
i
would say you are right. Only thing is that C Create a local site VPN gateway
should be Create "local network gateway".
https://docs.microsoft.com/en-us/azure/expressroute/expressroute-howto-coexist-resource-manager
upvoted 1 times

More info on VPN gateway SKUs:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways
upvoted 1 times
  Jetmahanakorn 4 days, 5 hours ago

A,
C, D
upvoted 1 times
You have an Azure web app named App1 that is configured to run between two and five instances. There are currently three instances of App1
running.
App1 has the following autoscale rules:
✑ Increase the instance count by one when the CPU percentage is greater or equal to 80.
✑ Decrease the instance count by one when the CPU percentage is less than or equal to 60.
You are evaluating the following CPU percentage of utilization for App1:
✑ 60%
✑ 55%
✑ 50%
✑ 45%
You need to identify which utilizations will cause App1 to scale in.
A. 45% only
B. 45% and 50% only
C. 50% and 55% only
D. 45%, 50%, and 55% only
Correct Answer: D
Azure Monitor autoscaling allows you to scale the number of running instances up or down, based on telemetry data (metrics). Scale-in occurs
when the instances are decrease. For this rule the instances are decreased when the CPU usage is 60% or lower.
References:
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/autoscale-custom-metric https://docs.microsoft.com/en-us/azure/azure-
monitor/platform/autoscale-common-metrics

D
is right. As it considers the avergae CPU utilization post scale down. Check
this:
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/autoscale-best-practices
Assume there are 2 instances to start with. If the average CPU% across
instances goes to 80, autoscale scales out adding a third instance. Now assume
that over time the CPU% falls to 60. Autoscale's scale-in rule estimates the
final state if it were to scale-in. For example, 60 x 3 (current instance count)
= 180 / 2 (final number of instances when scaled down) = 90. So autoscale does
not scale-in because it would have to scale-out again immediately. Instead, it
skips scaling down. The next time autoscale checks, the CPU continues to fall to
50. It estimates again - 50 x 3 instance = 150 / 2 instances = 75, which is
below the scale-out threshold of 80, so it scales in successfully to 2
instances.
upvoted 2 times
  aperez1979 2 days, 14 hours ago

C
is right. there are 3 instances to start.
upvoted 1 times
  aperez1979 2 days, 14 hours ago

B
i want to say.
upvoted 1 times

I believe B is correct for the following: 45*3=135,
135/2=67.5, 67.5 < scale out threshold of 80, so Azure WILL scale in
50*3=150, 150/2=75.0, 75.0 < below scale out threshold of 80, so Azure WILL
scale in 55*3=165, 165/2=82.5, 82.5 > scale out threshold of 80, so Azure
WILL NOT scale in
upvoted 2 times
You monitor Azure virtual machines by using Azure Monitor.

You plan to restart the virtual machines when CPU usage exceeds 95 percent for more than 30 minutes.
You need to create an alert in Azure Monitor to restart the virtual machines. The solution must minimize administrative effort.
Which type of action should you use in the alert?
A. ITSM
B. Webhook
C. Automation Runbook
D. Logic App
Correct Answer: C
Automation runbooks allows you to automatically perform standard remediations in response to VM alerts, like restarting or stopping the VM.
Previously, during VM alert rule creation you were able to specify an Automation webhook to a runbook in order to run the runbook whenever the
alert triggered.
However, this required you to do the work of creating the runbook, creating the webhook for the runbook, and then copying and pasting the
webhook during alert rule creation. With this new release, the process is much easier because you can directly choose a runbook from a list
during alert rule creation, and you can choose an Automation account which will run the runbook or easily create an account.
Reference:
https://azure.microsoft.com/en-us/blog/automatically-remediate-azure-vm-alerts-with-automation-runbooks/
You have a server named Server1 that runs Windows Server 2019. Server1 is a container host.
You plan to create a container image.
You create the following instructions in a text editor.
FROM mcr.microsoft.com/windows/servercore:lts2019
LABEL maintainer="User1@contoso.com"
RUN dism.exe /online /enable-feature /all /featurename:iis-webserver /NoRestart
RUN echo "Hello World!" > c:\inetpub\wwwroot\index.html
You need to be able to automate the container image creation by using the instructions.
To which file should you save the instructions?
A. dockerconfig.json
B. Dockerfile
C. daemon.json
D. Build.ini
Correct Answer: B
The Dockerfile is a text file that contains the instructions needed to create a new container image.
Reference:
https://docs.microsoft.com/en-us/virtualization/windowscontainers/manage-docker/manage-windows-dockerfile
Deploy and Configure Infrastructure

upvoted 1 times
You create a container image named Image1 on a developer workstation.

You plan to create an Azure Web App for Containers named WebAppContainer that will use Image1.
You need to upload Image1 to Azure. The solution must ensure that WebAppContainer can use Image1.
To which storage type should you upload Image1?
A. Azure Container Registry
B. an Azure Storage account that contains a blob container
C. an Azure Storage account that contains a file share
D. Azure Container Instances
Correct Answer: A
Configure registry credentials in web app.
App Service needs information about your registry and image to pull the private image. In the Azure portal, go to Container settings from the
web app and update the Image source, Registry and save.
References:
https://docs.microsoft.com/en-us/azure/devops/pipelines/targets/webapp-on-container-linux
You are creating a Dockerfile to build a container image.
You need to add a file named File1.txt from Server1 to a folder named C:\Folder1 in the container image.
Solution: You add the following line to the Dockerfile.
Copy-Item File1.txt C:\Folder1\File1.txt
You then build the container image.
A. Yes
B. No
Correct Answer: B
Copy-Item is not supported. Copy is the correct command to copy a file to the container image.
References:
https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#add-or-copy https://docs.docker.com/engine/reference/builder/

Reference:
upvoted 1 times
COPY File1.txt /Folder1/
A. Yes
B. No
Correct Answer: A
Copy is the correct command to copy a file to the container image.
References:

Reference:
upvoted 1 times
COPY File1.txt C:/Folder1/
A. Yes
B. No
Correct Answer: B
Copy is the correct command to copy a file to the container image but the root directory is specified as '/' and not as 'C:/'.
References:
  anderhong 1 week ago

This
should be Yes. Correctly copy file to c:/Folder/
upvoted 5 times
  PierroD 1 day, 21 hours ago

Copy
is the correct command to copy a file to the container image. But "C:/Folder1"
instead of "C:\Folder1".
upvoted 1 times
ADD File1.txt C:/Folder1/
A. Yes
B. No
Correct Answer: B
Copy is the correct command to copy a file to the container image. The ADD command can also be used. However, the root directory is
specified as '/' and not as
'C:/'.
Reference:
  xxhermitsxx 5 days, 14 hours ago

Shouldn;t
this also be Yes then?
upvoted 3 times
XCOPY File1.txt C:\Folder1\
A. Yes
B. No
Correct Answer: B
Copy is the correct command to copy a file to the container image. Furthermore, the root directory is specified as '/' and not as 'C:/'.
References:
Create and Deploy Apps
You have an Azure SQL database named Db1 that runs on an Azure SQL server named SQLserver1.
You need to ensure that you can use the query editor on the Azure portal to query Db1.
What should you do?
A. Modify the Advanced Data Security settings of Db1
B. Configure the Firewalls and virtual networks settings for SQLserver1
C. Copy the ADO.NET connection string of Db1 and paste the string to the query editor
D. Approve private endpoint connections for SQLserver1

Correct Answer: B
Reference:
https://docs.microsoft.com/en-us/azure/sql-database/sql-database-connect-query-portal
Implement Authentication and Secure Data
Introductory Info
Case study -

Overview -
Contoso, Ltd. is a manufacturing company that has offices worldwide. Contoso works with partner organizations to bring products to market.
Contoso products are manufactured by using blueprint files that the company authors and maintains.
Currently, Contoso uses multiple types of servers for business operations, including the following:
File servers
Domain controllers
Microsoft SQL Server servers
Your network contains an Active Directory forest named contoso.com. All servers and client computers are joined to Active Directory.
You have a public-facing application named App1. App1 is comprised of the following three tiers:
A SQL database
A web front end
A processing middle tier
Each tier is comprised of five virtual machines. Users access the web front end by using HTTPS only.
Requirements -
Planned Changes -
Contoso plans to implement the following changes to the infrastructure:
Move all the tiers of App1 to Azure.
Move the existing product blueprint files to Azure Blob storage.
Create a hybrid directory to support an upcoming Microsoft Office 365 migration project.
Move all the virtual machines for App1 to Azure.
Minimize the number of open ports between the App1 tiers.
Ensure that all the virtual machines for App1 are protected by backups.
Copy the blueprint files to Azure over the Internet.
Ensure that the blueprint files are stored in the archive storage tier.
Ensure that partner access to the blueprint files is secured and temporary.
Prevent user passwords or hashes of passwords from being stored in Azure.
Use unmanaged standard storage for the hard disks of the virtual machines.
Ensure that when users join devices to Azure Active Directory (Azure AD), the users use a mobile phone to verify their identity.
Minimize administrative effort whenever possible.
User Requirements -
Contoso identifies the following requirements for users:
Ensure that only users who are part of a group named Pilot can join devices to Azure AD.
Designate a new user named Admin1 as the service admin for the Azure subscription.
Admin1 must receive email alerts regarding service outages.
Ensure that a new user named User3 can create network objects for the Azure subscription.
Question
You need to recommend an identity solution that meets the technical requirements.
A. cloud-only user accounts
B. password hash synchronization and single sign-on (SSO)
C. Pass-through Authentication and single sign-on (SSO)
D. federated single sign-on (SSO) and Active Directory Federation Services (AD FS)
Correct Answer: C
With Pass-through Authentication the on-premises passwords are never stored in the cloud in any form.
Scenario:
✑ Prevent user passwords or hashes of passwords from being stored in Azure.
✑ Ensure that when users join devices to Azure Active Directory (Azure AD), the users use a mobile phone to verify their identity.
✑ Minimize administrative effort whenever possible.
References:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-pta
Develop for the Cloud
Introductory Info
Case study -

Overview -
File servers
Domain controllers
A SQL database
A web front end
Requirements -
Planned Changes -
User Requirements -
Question
You need to implement a backup solution for App1 after the application is moved.
What should you create first?
A. an Azure Backup Server
B. a Recovery Services vault
C. a backup policy
D. a recovery plan
Correct Answer: B
Scenario: Ensure that all the virtual machines for App1 are protected by backups.
You can back up Azure VMs using a couple of methods:
✑ Single Azure VM: You can back up an Azure VM directly from the VM settings.
✑ Multiple Azure VMs: You can set up a Recovery Services vault and configure backup for multiple Azure VMs.
References:
https://docs.microsoft.com/en-us/azure/backup/backup-azure-vms-first-look-arm
Introductory Info
Case study -

Overview -
File servers
Domain controllers
A SQL database
A web front end
Requirements -
Planned Changes -
User Requirements -
Question
You need to move the blueprint files to Azure.
What should you do?
A. Use the Azure Import/Export service.
B. Use Azure Storage Explorer to copy the files.
C. Generate a shared access signature (SAS). Map a drive, and then copy the files by using File Explorer.
D. Generate an access key. Map a drive, and then copy the files by using File Explorer.
Correct Answer: D
Scenario: Copy the blueprint files to Azure over the Internet.
To mount an Azure file share, you will need the primary (or secondary) storage key. SAS keys are not currently supported for mounting.
Incorrect Answers:
A: Azure Import/Export service is used to securely import large amounts of data to Azure Blob storage and Azure Files by shipping disk drives
to an Azure datacenter.
References:
https://docs.microsoft.com/en-us/azure/storage/files/storage-how-to-use-files-windows
  jcarlos 6 days, 20 hours ago

I
would say B. Technical Requirements: Ensure that the blueprint files are stored
in the archive storage tier. Storage tier in storage accounts is only supported
by BLOB service. You can't access blob service maping a drive. Thus, from all
the options present in the answer, file storage explorer is the only you can use
to copy files to blob service trough Internet
upvoted 6 times

Examtopic AZ300

Загружено:

Сведения о документе

Оригинальное название

Авторское право

Доступные форматы

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Авторское право:

Доступные форматы

Examtopic AZ300

Загружено:

Авторское право:

Доступные форматы

- Expert Verified, Online, Free.

 Custom View Settings

Topic 1 - Question Set 1

Correct Answer: Explanation

  Cern77 7 months, 1 week ago

  JasonYin 6 months, 1 week ago

  NoNotSpam 6 months, 1 week ago

  bolbol 5 months, 3 weeks ago

  Bonna 5 months, 2 weeks ago

  Bonna 5 months, 2 weeks ago

  onlyfunmails 5 months, 1 week ago

  AnshMan 4 months, 3 weeks ago

  Ekramy_Elnaggar 5 months, 1 week ago

  Andy001 3 months, 1 week ago

  Ekramy_Elnaggar 5 months, 1 week ago

  Carlos 4 months, 3 weeks ago

  Stan007 4 months, 3 weeks ago

  Ekramy_Elnaggar 4 months, 2 weeks ago

  lorimer1 4 months, 1 week ago

  Ekramy_Elnaggar 4 months, 1 week ago

  Sweb 3 months, 2 weeks ago

  AS007 3 months, 3 weeks ago

  SilentH 3 months, 3 weeks ago

  anagar 3 months, 1 week ago

  Shiven 3 months ago

  Shiven 2 months, 1 week ago

  sivak 1 month, 2 weeks ago

  Famous_Guy 1 month ago

  Noor001 3 weeks, 5 days ago

  Derektx 3 weeks, 5 days ago

  xpuneet 2 days, 2 hours ago

  tubadc 5 months, 1 week ago

  Musk 5 months ago

  Jt909 5 months ago

  lorimer1 4 months, 1 week ago

  anagar 3 months, 1 week ago

  Samin 2 months, 4 weeks ago

  TYT 1 month ago

  Pankaj7121 1 week, 5 days ago

A. Modify the IP address space of VNet2.

B. Move VM1 to Subscription2.

C. Provision virtual network gateways.

D. Move VNet1 to Subscription2.

  tubadc 5 months, 1 week ago

  cacasodo 21 hours, 26 minutes ago

  lorimer1 4 months, 1 week ago

  Srini300 3 months, 3 weeks ago

  SilentH 3 months, 3 weeks ago

  Srini300 3 months, 3 weeks ago

  starnb 2 months, 1 week ago

  TYT 1 month ago

  Pankaj7121 1 week, 5 days ago

You have an Azure Active Directory (Azure AD) tenant.

A. From the Azure portal, modify session control of Policy1.

B. From multi-factor authentication page, modify the user settings.

C. From multi-factor authentication page, modify the service settings.

D. From the Azure portal, modify grant control of Policy1.

  cjsammaejs 5 months, 2 weeks ago

  Protonenpaule 1 month, 2 weeks ago

  TYT 1 month ago

  milind8451 1 week, 6 days ago

Correct Answer: Explanation

  Cern77 7 months, 1 week ago