Azure Certi 104-7 : 401 ~ 450

No.401

You have an Azure subscription that contains the resources shown in the following table.

img

You need to perform the tasks shown in the following table.

img

Which tasks can you perform by using Azure Storage Explorer?

A. Task1 and Task3 only

B. Task1, Task2, and Task3 only

C. Task1, Task3, and Task4 only

D. Task2, Task3, and Task4 only (Most Voted)

E. Task1, Task2, Task3, and Task4

Suggested Answer: D

Azure Storage Explorer does not have the ability to create a new storage account directly. Instead, you can use Azure Storage Explorer to connect to and manage existing storage accounts in Azure.

NO.402 *

You have an Azure subscription named Subscription1 that has a subscription ID of c276fc76-9cd4-44c9-99a7-4fd71546436e. You need to create a custom RBAC role named CR1 that meets the following requirements:

Can be assigned only to the resource groups in Subscription1
Prevents the management of the access permissions for the resource groups
Allows the viewing, creating, modifying, and deleting of resources within the resource groups

What should you specify in the assignable scopes and the permission elements of the definition of CR1?

To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Hot Area:

img


Suggested Answer:

img

Reference: https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftresources

NO.403

You have an Azure subscription that contains two virtual networks named VNET1 and VNET2 and the users shown in the following table:

img

You need to identify which users can configure peering between VNET1 and VNET2.

Which users should you identify?

Options

A. User1 only

B. User3 only

C. User1 and User2 only

D. User1 and User3 only

E. User1, User2 and User3

Answer: E
Explanation
Owner: An owner can configure peering.
A Global administrator can configure peering.
Network Contributor:
The accounts you use to work with virtual network peering must be assigned to the following roles:
Network Contributor: For a virtual network deployed through Resource Manager.
Classic Network Contributor: For a virtual network deployed through the classic deployment model.

https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/govern/resource-consistency/governance-multiple-teams

NO.404 *

You have an Azure subscription that contains the resource groups shown in the following table.

img

RG1 contains the resources shown in the following table.

img

RG2 contains the resources shown in the following table.

img

You need to identify which resources you can move from RG1 to RG2, and which resources you can move from RG2 to RG1. Which resources should you identify?

To answer, select the appropriate options in the answer area. Hot Area:

img

Tested it in Lab today. RO or Delete locks do not have any impact on the Move operation, and it doesn't matter if they come from the RG level or are directly attached to the resource. VNETs can be moved as well. The only limitation is that VNET Peering needs to be disabled first, but that is not the case for this question.

Correct Answer:

Box 1: IP1, VNET2, and storage1

Box 2: IP2, VNET2, and storage2

NO.405

You create the following resources in an Azure subscription:

✑ An Azure Container Registry instance named Registry1
✑ An Azure Kubernetes Service (AKS) cluster named Cluster1

You create a container image named App1 on your administrative workstation. You need to deploy App1 to Cluster1. What should you do first?

A. Run the docker push command.

B. Create an App Service plan.

C. Run the az acr build command.

D. Run the az aks create command.

Suggested Answer: C
You should sign in and push a container image to Container Registry. Run the az acr build command to build and push the container image.

    az acr build \
        --image contoso-website \
        --registry $ACR_NAME \
        --file Dockerfile .

Reference: https://docs.microsoft.com/en-us/learn/modules/aks-deploy-container-app/5-exercise-deploy-app

Community vote distribution

A (74%)

C (26%)

This is a really confusing question. It's just obvious enough that MS will never give you a chance to get full marks, because that would make Bill Gates look like a clown at a corporate dinner party!!

Anyway, the reason I chose A is that the image is already built and just needs to be pushed to ACR, backed up by this link: https://docs.microsoft.com/en-us/azure/container-registry/container-registry-get-started-docker-cli?tabs=azure-cli

The reason I did not choose C, which is also correct, is that if you choose it then you need to build the image and push it, but the image is already created, and this is proven by this useful link: https://markheath.net/post/build-container-images-with-acr

NO.406

You have several Azure virtual machines on a virtual network named VNet1.
You configure an Azure Storage account as shown in the following exhibit.

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
NOTE: Each correct selection is worth one point.
Hot Area:

Suggested Answer:

img

Box 1: never - The 10.2.9.0/24 subnet is not whitelisted.

Box 2: never - After you configure firewall and virtual network settings for your storage account, select Allow trusted Microsoft services to access this storage account as an exception to enable Azure Backup service to access the network restricted storage account.

img

NO.407

You have an Azure subscription that contains 10 virtual networks. The virtual networks are hosted in separate resource groups. Another administrator plans to create several network security groups (NSGs) in the subscription. You need to ensure that when an NSG is created, it automatically blocks TCP port 8080 between the virtual networks.

Solution: You configure a custom policy definition, and then you assign the policy to the subscription. Does this meet the goal?

A. Yes

B. No

Suggested Answer: A
Resource policy definition used by Azure Policy enables you to establish conventions for resources in your organization by describing when the policy is enforced and what effect to take. By defining conventions, you can control costs and more easily manage your resources.
Reference: https://docs.microsoft.com/en-us/azure/azure-policy/policy-definition

NO.408

You have an Azure subscription named Subscription1 that contains the resources in the following table.

img

VM1 and VM2 run the websites in the following table.

img

AppGW1 has the backend pools in the following table.

img

DNS resolves site1.contoso.com, site2.contoso.com, and site3.contoso.com to the IP address of AppGW1. AppGW1 has the listeners in the following table.

img

AppGW1 has the rules in the following table.

img

For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point. Hot Area:

img


Correct Answer:

img
img

VM1 is in Pool1. Rule2 applies to Pool1, Listener 2, and site2.contoso.com.

NO.409 *

You have an Azure subscription that contains an Azure Storage account named storageaccount1. You export storageaccount1 as an Azure Resource Manager template. The template contains the following sections.

img

For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point. Hot Area:

img


Suggested Answer:

img

Reference: https://docs.microsoft.com/en-us/azure/templates/microsoft.storage/storageaccounts?tabs=json

Box 1- Yes. VirtualNetworkRules & IpRules are blank, with the default action Allow.

Box 2- Yes. Individual blobs can be set to the archive tier - ref. https://docs.microsoft.com/en-us/azure/storage/blobs/access-tiers-overview

Box 3- No. To access blob data in the Azure portal with Azure AD credentials, a user must have the following role assignments: a data access role, such as Storage Blob Data Contributor, and the Azure Resource Manager Reader role.

Ref. https://docs.microsoft.com/en-us/azure/storage/blobs/assign-azure-role-data-access?tabs=portal

Explanation:

  1. No IP access restrictions are specified in the json.
  2. The Storage Account is of kind general-purpose v2, so access tiers are supported.
  3. Azure AD roles like Global Administrator don't provide access to resources. For that, RBAC roles need to be applied to the users.

NO.410

You plan to move a distributed on-premises app named App1 to an Azure subscription. After the planned move, App1 will be hosted on several Azure virtual machines. You need to ensure that App1 always runs on at least eight virtual machines during planned Azure maintenance. What should you create?

A. one virtual machine scale set that has 10 virtual machines instances

B. one Availability Set that has three fault domains and one update domain

C. one Availability Set that has 10 update domains and one fault domain

D. one virtual machine scale set that has 12 virtual machines instances

Suggested Answer: C
An update domain is a logical group of underlying hardware that can undergo maintenance or be rebooted at the same time. As you create VMs within an availability set, the Azure platform automatically distributes your VMs across these update domains. This approach ensures that at least one instance of your application always remains running as the Azure platform undergoes periodic maintenance.
Reference: http://www.thatlazyadmin.com/azure-fault-update-domains/

NO.411

You have an Azure Active Directory (Azure AD) tenant. All administrators must enter a verification code to access the Azure portal. You need to ensure that the administrators can access the Azure portal without entering a verification code when they are connecting from your on-premises network. What should you configure?

A. an Azure AD Identity Protection user risk policy

B. the multi-factor authentication service settings.

C. the default for all the roles in Azure AD Privileged Identity Management

D. an Azure AD Identity Protection sign-in risk policy

Suggested Answer: B
Reference: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings

Answer is correct. In MFA service settings you can add the public IP/IPs of your corporate network with /32 CIDR and exclude from MFA verification. The trusted IP address ranges can be private or public.

Answer: B the multi-factor authentication service settings - Correct choice. There are two criteria mentioned in the question: 1. MFA required. 2. Access from only a specific geographic region/IP range. To satisfy both the requirements you need MFA with location conditional access. Please note that to achieve this configuration you need to have an AD Premium account for the Conditional Access policy. Navigate to Active Directory --> Security --> Conditional Access --> Named Location. Here you can create a policy with location (on-premise IP range) and enable MFA. This will satisfy the requirements.

an Azure AD Identity Protection user risk policy - Incorrect choice. In Identity Protection, there are three (3) protection policies: User Risk, Sign-In Risk & MFA Registration. None of those lets you enable a location (on-prem IP range) requirement in any blade.

the default for all the roles in Azure AD Privileged Identity Management - Incorrect choice. This option will not help you to restrict the users to access only from on-prem.

an Azure AD Identity Protection sign-in risk policy - Incorrect choice. In Identity Protection, there are three (3) protection policies: User Risk, Sign-In Risk & MFA Registration. None of those lets you enable a location (on-prem IP range) requirement in any blade.

Reference: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/location-condition

NO.412

You have an app named App1 that is installed on two Azure virtual machines named VM1 and VM2. Connections to App1 are managed by using an Azure LoadBalancer. The effective network security configurations for VM2 are shown in the following exhibit.

img

You discover that connections to App1 from 131.107.100.50 over TCP port 443 fail. You verify that the Load Balancer rules are configured correctly. You need to ensure that connections to App1 can be established successfully from 131.107.100.50 over TCP port 443.

Solution: You create an inbound security rule that allows any traffic from the AzureLoadBalancer source and has a cost of 150. Does this meet the goal?

A. Yes (Most Voted)

B. No (Most Voted)

Suggested Answer: A
Reference: https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview

Community vote distribution

B (57%)

A (43%)

NO.413

You have an availability set named AS1 that contains three virtual machines named VM1, VM2, and VM3. You attempt to reconfigure VM1 to use a larger size. The operation fails and you receive an allocation failure message. You need to ensure that the resize operation succeeds. Which three actions should you perform in sequence?  To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order. Select and Place:

img


Suggested Answer:

img

Step 1: Stop VM1, VM2, and VM3. If the VM you wish to resize is part of an availability set, then you must stop all VMs in the availability set before changing the size of any VM in the availability set. The reason all VMs in the availability set must be stopped before performing the resize operation to a size that requires different hardware is that all running VMs in the availability set must be using the same physical hardware cluster. Therefore, if a change of physical hardware cluster is required to change the VM size, then all VMs must first be stopped and then restarted one by one on a different physical hardware cluster.
Step 2: Resize VM1.
Step 3: Start VM1, VM2, and VM3.
References: https://azure.microsoft.com/es-es/blog/resize-virtual-machines/

NO.414

You plan to create an Azure Storage account in the Azure region of East US 2. You need to create a storage account that meets the following requirements:
✑ Replicates synchronously.
✑ Remains available if a single data center in the region fails.
How should you configure the storage account?
To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Hot Area:

img


Suggested Answer:

img

Box 1: Zone-redundant storage (ZRS)
Zone-redundant storage (ZRS) replicates your data synchronously across three storage clusters in a single region.
LRS would not remain available if a data center in the region fails.
GRS and RA-GRS use asynchronous replication.

Box 2: StorageV2 (general purpose V2)
ZRS only supports GPv2.

Reference: https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy-zrs

NO.415

You have an Azure Active Directory (Azure AD) tenant named adatum.com. Adatum.com contains the groups in the following table:

img

You create two user accounts that are configured as shown in the following table.

img

To which groups do User1 and User2 belong? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Hot Area:

img


Suggested Answer:

img

Box 1: Group 1 only
First rule applies.

Box 2: Group1 and Group2 only
Both membership rules apply.

References: https://docs.microsoft.com/en-us/sccm/core/clients/manage/collections/create-collections

Group types:

Security: Used to manage user and computer access to shared resources.

For example, you can create a security group so that all group members have the same set of security permissions. Members of a security group can include users, devices, other groups, and service principals, which define access policy and permissions. Owners of a security group can include users and service principals.

Microsoft 365: Provides collaboration opportunities by giving group members access to a shared mailbox, calendar, files, SharePoint sites, and more.

This option also lets you give people outside of your organization access to the group. Members of a Microsoft 365 group can only include users. Owners of a Microsoft 365 group can include users and service principals. For more info about Microsoft 365 Groups, see Learn about Microsoft 365 Groups.

Membership types:

  • Assigned: Lets you add specific users as members of a group and have unique permissions.
  • Dynamic user: Lets you use dynamic membership rules to automatically add and remove members. If a member's attributes change, the system looks at your dynamic group rules for the directory to see if the member meets the rule requirements (is added), or no longer meets the rules requirements (is removed).
  • Dynamic device: Lets you use dynamic group rules to automatically add and remove devices. If a device's attributes change, the system looks at your dynamic group rules for the directory to see if the device meets the rule requirements (is added), or no longer meets the rules requirements (is removed).

Important

You can create a dynamic group for either devices or users, but not for both. You can't create a device group based on the device owners' attributes. Device membership rules can only reference device attributes. For more info about creating a dynamic group for users and devices, see Create a dynamic group and check status.

NO.416

You have an Azure web app named App1. App1 has the deployment slots shown in the following table:

img

In webapp1-test, you test several changes to App1. You back up App1. You swap webapp1-test for webapp1-prod and discover that App1 is experiencing performance issues. You need to revert to the previous version of App1 as quickly as possible. What should you do?

A. Redeploy App1

B. Swap the slots

C. Clone App1

D. Restore the backup of App1

Suggested Answer: B
When you swap deployment slots, Azure swaps the Virtual IP addresses of the source and destination slots, thereby swapping the URLs of the slots. We can easily revert the deployment by swapping back.
Reference: https://docs.microsoft.com/en-us/azure/app-service/deploy-staging-slots

NO.417 *

Your VMware vSphere on-premises infrastructure hosts 600 virtual machines (VMs). Your company is planning to move all of these VMs to Azure. You are asked to provide information about the resources that will be needed in Azure to host all of the VMs. All VMs hosted in your on-premises infrastructure are based on Windows Server 2012 R2 or newer and RedHat Enterprise Linux 7.0 or newer. You conduct the initial migration assessment and get a message that some virtual machines are conditionally ready for Azure. You need to find the cause of this message. What are two reasons why you might get this message on some VMs? (Choose two) Each correct answer presents part of the solution.

A. The vCenter user does not have enough permissions on affected VMs.

B. The operating system is configured as Windows Server 2003 in vCenter Server.

C. The operating system is configured as Others in vCenter Server.

D. The VMs are configured with the BIOS boot type.

E. The VMs are configured with the UEFI boot type.

Correct Answer: B,E

Explanation
To prepare for VMware VM assessment, you need to:

  • Verify VMware settings. Make sure that the vCenter Server and VMs you want to migrate meet requirements.
  • Set up permissions for assessment. Azure Migrate uses a vCenter account to access the vCenter Server, to discover and assess VMs.
  • Verify appliance requirements. Verify deployment requirements for the Azure Migrate appliance, before you deploy it in the next tutorial.

Reference: https://docs.microsoft.com/en-us/azure/migrate/tutorial-prepare-vmware

NO.418 *

You have an Azure subscription that contains the storage accounts shown in the following exhibit.

img

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic. NOTE: Each correct selection is worth one point. Hot Area:

img

Correct Answer:

Box 1: contoso104 only
Premium file shares are hosted in a special purpose storage account kind, called a FileStorage account.

Box 2: contoso101 and contoso103 only
Object storage data tiering between hot, cool, and archive is supported in Blob Storage and General Purpose v2 (GPv2) accounts.

General Purpose v1 (GPv1) accounts don't support tiering. The archive tier supports only LRS, GRS, and RA-GRS.

Reference:

https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview

https://docs.microsoft.com/en-us/azure/storage/files/storage-how-to-create-premium-fileshare?tabs=azure-portal

https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-storage-tiers

NO.419 *

You have an Azure virtual machine named VM1 that runs Windows Server 2016. You need to create an alert in Azure when more than two error events are logged to the System event log on VM1 within an hour.
Solution: You create an event subscription on VM1. You create an alert in Azure Monitor and specify VM1 as the source. Does this meet the goal?

A. Yes

B. No (Most Voted)

Suggested Answer: B
Instead:

You create an Azure Log Analytics workspace and configure the data settings.

You install the Microsoft Monitoring Agent on VM1.

You create an alert in Azure Monitor and specify the Log Analytics workspace as the source.
Reference: https://docs.microsoft.com/en-us/azure/azure-monitor/platform/agents-overview

NO.420

You have an Azure subscription named Subscription1. Subscription1 contains a resource group named RG1. RG1 contains resources that were deployed by using templates. You need to view the date and time when the resources were created in RG1.
Solution: From the Subscriptions blade, you select the subscription, and then click Programmatic deployment. Does this meet the goal?

A. Yes

B. No (Most Voted)

Suggested Answer: B
From the RG1 blade, click Deployments. You see a history of deployment for the resource group.
Reference: https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/template-tutorial-create-first-template?tabs=azure-powershell

NO.421

You have an Azure subscription that contains 10 virtual networks. The virtual networks are hosted in separate resource groups. Another administrator plans to create several network security groups (NSGs) in the subscription. You need to ensure that when an NSG is created, it automatically blocks TCP port 8080 between the virtual networks.
Solution: You configure a custom policy definition, and then you assign the policy to the subscription. Does this meet the goal?

A. Yes

B. No

Suggested Answer: A
Resource policy definition used by Azure Policy enables you to establish conventions for resources in your organization by describing when the policy is enforced and what effect to take. By defining conventions, you can control costs and more easily manage your resources.
Reference: https://docs.microsoft.com/en-us/azure/azure-policy/policy-definition

NO.422

You have an Azure subscription named Subscription1 that contains the storage accounts shown in the following table:

img

You plan to use the Azure Import/Export service to export data from Subscription1. You need to identify which storage account can be used to export the data. What should you identify?

A. storage1

B. storage2

C. storage3

D. storage4

Suggested Answer: D
Azure Import/Export service supports the following types of storage accounts:
✑ Standard General Purpose v2 storage accounts (recommended for most scenarios)
✑ Blob Storage accounts
✑ General Purpose v1 storage accounts (both Classic or Azure Resource Manager deployments)

Azure Import/Export service supports the following storage types:
✑ Import supports Azure Blob storage and Azure File storage
✑ Export supports Azure Blob storage
Reference: https://docs.microsoft.com/en-us/azure/storage/common/storage-import-export-requirements

NO.423

You have an Azure subscription that contains two virtual networks named VNet1 and VNet2. Virtual machines connect to the virtual networks. The virtual networks have the address spaces and the subnets configured as shown in the following table.

img

You need to add the address space of 10.33.0.0/16 to VNet1. The solution must ensure that the hosts on VNet1 and VNet2 can communicate. Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.  

Select and Place:

img


Suggested Answer:

img

Step 1: Remove peering between VNet1 and VNet2.
You can't add address ranges to, or delete address ranges from a virtual network's address space once a virtual network is peered with another virtual network. To add or remove address ranges, delete the peering, add or remove the address ranges, then re-create the peering.
Step 2: Add the 10.44.0.0/16 address space to VNet1.
Step 3: Recreate peering between VNet1 and VNet2.
Reference: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-manage-peering

NO.424

You have an Azure subscription named Subscription1 that contains the following resource group:
✑ Name: RG1
✑ Region: West US
✑ Tag: "tag1": "value1"
You assign an Azure policy named Policy1 to Subscription1 by using the following configurations:
✑ Exclusions: None
✑ Policy definition: Append tag and its default value
✑ Assignment name: Policy1
✑ Parameters:
  - Tag name: Tag2
  - Tag value: Value2
After Policy1 is assigned, you create a storage account that has the following configurations:
✑ Name: storage1
✑ Location: West US
✑ Resource group: RG1
✑ Tags: "tag3": "value3"
You need to identify which tags are assigned to each resource. What should you identify? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Hot Area:

img


Suggested Answer:

img

Box 1: "tag1": "value1" only
Box 2: "tag2": "value2" and "tag3": "value3"
Tags applied to the resource group are not inherited by the resources in that resource group.
References: https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags

I also think it is important to point out "Appends the specified tag and value when any resource which is missing this tag is created or updated. Does not modify the tags of resources created before this policy was applied until those resources are changed. Does not apply to resource groups."

NO.425

You have an Azure Active Directory (Azure AD) tenant named Adatum and an Azure Subscription named Subscription1. Adatum contains a group named Developers. Subscription1 contains a resource group named Dev. You need to provide the Developers group with the ability to create Azure logic apps in the Dev resource group.
Solution: On Dev, you assign the Contributor role to the Developers group. Does this meet the goal?

A. Yes

B. No

Correct Answer: A
The Contributor role can manage all resources (and add resources) in a Resource Group.


Solution: On Subscription1, you assign the DevTest Labs User role to the Developers group.

Does this meet the goal?

(A). Yes

(B). No

Answer: B

DevTest Labs User role only lets you connect, start, restart, and shutdown virtual machines in your Azure DevTest Labs.

You would need the Logic App Contributor role.

Reference: https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles https://docs.microsoft.com/en-us/azure/logic-apps/logic-apps-securing-a-logic-app

NO.426 *

You have an Azure subscription that contains the resources in the following table.

img

Subnet1 is associated to VNet1. NIC1 attaches VM1 to Subnet1. You need to apply ASG1 to VM1. What should you do?

A. Associate NIC1 to ASG1

B. Modify the properties of ASG1

C. Modify the properties of NSG1

Suggested Answer: A
Application Security Group can be associated with NICs.
References: https://docs.microsoft.com/en-us/azure/virtual-network/security-overview#application-security-groups

NO.427

Your company has three offices. The offices are located in Miami, Los Angeles, and New York. Each office contains a datacenter. You have an Azure subscription that contains resources in the East US and West US Azure regions. Each region contains a virtual network. The virtual networks are peered. You need to connect the datacenters to the subscription. The solution must minimize network latency between the datacenters. What should you create?

A. three Azure Application Gateways and one On-premises data gateway

B. three virtual hubs and one virtual WAN

C. three virtual WANs and one virtual hub

D. three On-premises data gateways and one Azure Application Gateway

Suggested Answer: B
Reference: https://docs.microsoft.com/en-us/azure/virtual-wan/virtual-wan-about

Answer is B. You create 1 virtual WAN. In that WAN you create 3 virtual hubs for 3 DCs/Offices etc. The Azure region here is a moot point. You can create multiple virtual hubs in the same region hence 3 virtual hubs make sense. https://learn.microsoft.com/en-us/azure/virtual-wan/virtual-wan-about https://learn.microsoft.com/en-us/training/modules/introduction-azure-virtual-wan/2-what-is-azure-virtual-wan

It should be 2 hubs & 1 WAN. So, B is the closest: 3 VHubs & 1 WAN. This link explains the same example: https://docs.microsoft.com/en-us/azure/virtual-wan/migrate-from-hub-spoke-topology#architecture

NO.428 *

You have an Azure subscription named Subscription1. Subscription1 contains the resource groups in the following table.

img

RG1 has a web app named WebApp1. WebApp1 is located in West Europe. You move WebApp1 to RG2. What is the effect of the move?

A. The App Service plan for WebApp1 moves to North Europe. Policy2 applies to WebApp1.

B. The App Service plan for WebApp1 remains in West Europe. Policy2 applies to WebApp1.

C. The App Service plan for WebApp1 moves to North Europe. Policy1 applies to WebApp1.

D. The App Service plan for WebApp1 remains in West Europe. Policy1 applies to WebApp1.

Suggested Answer: B
You can move an app to another App Service plan, as long as the source plan and the target plan are in the same resource group and geographical region. The region in which your app runs is the region of the App Service plan it's in.

However, you cannot change an App Service plan's region.
References: https://docs.microsoft.com/en-us/azure/app-service/app-service-plan-manage

Azure App Service is an HTTP-based service for hosting web applications, REST APIs, and mobile back ends.

The compute resources you use are determined by the App Service plan that you run your apps on.

An Azure App Service plan provides the resources that an App Service app needs to run.

NO.429 *

You have five Azure virtual machines that run Windows Server 2016. The virtual machines are configured as web servers. You have an Azure load balancer named LB1 that provides load balancing services for the virtual machines. You need to ensure that visitors are serviced by the same web server for each request. What should you configure?

A. Idle Time-out (minutes) to 20

B. Floating IP (direct server return) to Disabled

C. Floating IP (direct server return) to Enabled

D. Session persistence to Client IP and protocol

Suggested Answer: D
You can set the sticky session in load balancer rules by setting the session persistence to Client IP and protocol. Client IP and Protocol specifies that successive requests from the same client IP address and protocol combinations will be handled by the same VM.

References: https://cloudopszone.com/configure-azure-load-balancer-for-sticky-sessions/

NO.430

Note: The question is included in a number of questions that depicts the identical set-up. However, every question has a distinctive result. Establish if the solution satisfies the requirements.
Your company's Azure solution makes use of Multi-Factor Authentication for when users are not in the office. The Per Authentication option has been configured as the usage model. After the acquisition of a smaller business and the addition of the new staff to Azure Active Directory (Azure AD), you are informed that these employees should also make use of Multi-Factor Authentication. To achieve this, the Per Enabled User setting must be set for the usage model.
Solution: You create a new Multi-Factor Authentication provider with a backup from the existing Multi-Factor Authentication provider data. Does the solution meet the goal?

A. Yes

B. No

Answer: B

Since it is not possible to change the usage model of an existing provider as it is right now, you have to create a new one and reactivate your existing server with activation credentials from the new provider. Reference: https://365lab.net/2015/04/11/switch-usage-model-in-azure-multi-factor-authentication-server

Note


MFA provider

There are two types of Auth providers, and the distinction is around how your Azure subscription is charged. The per-authentication option calculates the number of authentications performed against your tenant in a month. This option is best if some users authenticate only occasionally. The per-user option calculates the number of users who are eligible to perform MFA, which is all users in Azure AD, and all enabled users in MFA Server. This option is best if some users have licenses but you need to extend MFA to more users beyond your licensing limits.

Manage your MFA provider

You can't change the usage model (per enabled user or per authentication) after an MFA provider is created.

If you purchased enough licenses to cover all users that are enabled for MFA, you can delete the MFA provider altogether.

Existing Azure MFA Servers need to be reactivated using activation credentials generated through the MFA Provider.

NO.431 *

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription that contains the following resources:
✑ A virtual network that has a subnet named Subnet1
✑ Two network security groups (NSGs) named NSG-VM1 and NSG-Subnet1
✑ A virtual machine named VM1 that has the required Windows Server configurations to allow Remote Desktop connections
NSG-Subnet1 has the default inbound security rules only.
NSG-VM1 has the default inbound security rules and the following custom inbound security rule:
✑ Priority: 100
✑ Source: Any
✑ Source port range: *
✑ Destination: *
✑ Destination port range: 3389
✑ Protocol: UDP
✑ Action: Allow
VM1 connects to Subnet1. NSG1-VM1 is associated to the network interface of VM1. NSG-Subnet1 is associated to Subnet1.
You need to be able to establish Remote Desktop connections from the internet to VM1.
Solution: You add an inbound security rule to NSG-Subnet1 and NSG-VM1 that allows connections from the internet source to the VirtualNetwork destination for port range 3389 and uses the TCP protocol. Does this meet the goal?

A. Yes

B. No

Suggested Answer: A 🗳️

https://docs.microsoft.com/en-us/azure/virtual-machines/troubleshooting/troubleshoot-rdp-connection


Solution: You modify the custom rule for NSG-VM1 to use the internet as a source and TCP as a protocol. Does this meet the goal?

(A). Yes

(B). No

Answer: B

NSGs deny all inbound traffic except from virtual network or load balancers. For inbound traffic, Azure processes the rules in a network security group associated to a subnet first, and then the rules in a network security group associated to the network interface.

By default, an NSG rule to allow traffic through RDP port 3389 is not created automatically during the creation of a VM, unless you change the setting during creation.

Subnets usually do not have any NSG associated unless you go out of your way to do so, which this scenario does. When you create that extra NSG, it won't have an RDP rule by default, thus blocking inbound connections. The request first goes to NSG-Subnet1, and as there is no allow rule for RDP, the request is blocked by default. Since the subnet NSG (the one with the default rules) is evaluated first, it blocks the inbound RDP connection.

Reference: https://docs.microsoft.com/en-us/azure/virtual-machines/troubleshooting/troubleshoot-rdpconnection https://docs.microsoft.com/en-us/azure/virtual-network/security-overview#default-security-rules

NO.432 *

You have an Azure subscription. Users access the resources in the subscription from either home or from customer sites. From home, users must establish a point-to-site VPN to access the Azure resources. The users on the customer sites access the Azure resources by using site-to-site VPNs. You have a line-of-business app named App1 that runs on several Azure virtual machines. The virtual machines run Windows Server 2016. You need to ensure that the connections to App1 are spread across all the virtual machines. What are two possible Azure services that you can use? Each correct answer presents a complete solution. NOTE: Each correct selection is worth one point.

A. an internal load balancer

B. a public load balancer

C. an Azure Content Delivery Network (CDN)

D. Traffic Manager

E. an Azure Application Gateway

Suggested Answer: AE 🗳️
Network traffic from the VPN gateway is routed to the cloud application through an internal load balancer. The load balancer is located in the front-end subnet of the application.
Reference: https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/vpn https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-overview https://docs.microsoft.com/en-us/azure/application-gateway/overview

Line-of-business apps means custom apps. Generally these are used by internal staff members of the company. Azure Application Gateway is a web traffic load balancer that enables you to manage traffic to your web applications. Internal Load Balancer provides a higher level of availability and scale by spreading incoming requests across virtual machines (VMs) within the virtual network. Reference: https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-overview https://docs.microsoft.com/en-us/azure/application-gateway/overview

NO.433

You need to create container1 and share1. Which storage accounts should you use for each resource? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Hot Area:

img

Suggested Answer:

img

Reference: https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-storage-tiers https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview

Objective: Create a blob container named container1 and a file share named share1 that will use the Cool storage tier.

Container1: Needs to be in a cool Storage Tier capable of supporting a container/vm.

In addition to storing Azure file shares, GPv2 storage accounts can store other storage resources such as blob containers, queues, or tables. File shares can be deployed into the transaction optimized (default), hot, or cool tiers.

Storage accounts that support tiering: Object storage data tiering between hot, cool, and archive is supported in Blob storage and GPv2 accounts. General Purpose v1 (GPv1) accounts don't support tiering. Customers can, however, easily convert their existing GPv1 or Blob storage accounts into GPv2 accounts through the Azure portal.

Storage1: No: Although GPv1 can do fileshares it cannot be used for tiering.

Storage2: Yes: Blob containers can be stored in GPv2 and tiering is supported

Storage3: Yes: This is literally blob storage and a blob container and supports tiering.

Storage4: No: Can only be used to store Azure file shares.

Note


Azure Storage access tiers include:

  • Hot tier - An online tier optimized for storing data that is accessed or modified frequently. The hot tier has the highest storage costs, but the lowest access costs.
  • Cool tier - An online tier optimized for storing data that is infrequently accessed or modified. Data in the cool tier should be stored for a minimum of 30 days. The cool tier has lower storage costs and higher access costs compared to the hot tier.
  • Archive tier - An offline tier optimized for storing data that is rarely accessed, and that has flexible latency requirements, on the order of hours. Data in the archive tier should be stored for a minimum of 180 days.

NO.434

You have an Azure subscription that contains 10 virtual networks. The virtual networks are hosted in separate resource groups. Another administrator plans to create several network security groups (NSGs) in the subscription. You need to ensure that when an NSG is created, it automatically blocks TCP port 8080 between the virtual networks.
Solution: You configure a custom policy definition, and then you assign the policy to the subscription.
Does this meet the goal?

A. Yes

B. No

Suggested Answer: A 🗳️
Resource policy definition used by Azure Policy enables you to establish conventions for resources in your organization by describing when the policy is enforced and what effect to take. By defining conventions, you can control costs and more easily manage your resources.
Reference: https://docs.microsoft.com/en-us/azure/azure-policy/policy-definition


Solution: You assign a built-in policy definition to the subscription.

Does this meet the goal?

(A). Yes

(B). No

Answer: B

Resource policy definition used by Azure Policy enables you to establish conventions for resources in your organization by describing when the policy is enforced and what effect to take. However, there are no built-in policy definitions, though there are sample policy definitions.

Reference: https://docs.microsoft.com/en-us/azure/azure-policy/policy-definition

Note


While the type property can't be set, there are three values that are returned by SDK and visible in the portal:

  • Builtin: These policy definitions are provided and maintained by Microsoft.
  • Custom: All policy definitions created by customers have this value.
  • Static: Indicates a Regulatory Compliance policy definition with Microsoft Ownership. The compliance results for these policy definitions are the results of third-party audits on Microsoft infrastructure. In the Azure portal, this value is sometimes displayed as Microsoft managed. For more information, see Shared responsibility in the cloud.

NO.435

You have an Azure virtual machine named VM1. VM1 was deployed by using a custom Azure Resource Manager template named ARM1.json. You receive a notification that VM1 will be affected by maintenance. You need to move VM1 to a different host immediately.
Solution: From the Overview blade, you move the virtual machine to a different subscription.
Does this meet the goal?

A. Yes

B. No

Suggested Answer: B 🗳️
You would need to redeploy the VM.
Reference: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/redeploy-to-new-node

NO.436 *

You have an Azure subscription named Subscription1. Subscription1 contains a virtual machine named VM1. You install and configure a web server and a DNS server on VM1. VM1 has the effective network security rules shown in the following exhibit.

img

Use the drop-down menus to select the answer choice that completes each statement based on the information presented. NOTE: Each correct selection is worth one point.
Hot Area:

img

Suggested Answer:

img

Box 1: Rule2 blocks ports 50-60, which includes port 53, the DNS port. Internet users can reach the Web server, since it uses port 80.

Box 2: If Rule2 is removed, internet users can reach the DNS server as well.

Note: Rules are processed in priority order, with lower numbers processed before higher numbers, because lower numbers have higher priority. Once traffic matches a rule, processing stops. As a result, any rules that exist with lower priorities (higher numbers) that have the same attributes as rules with higher priorities are not processed.

References: https://docs.microsoft.com/en-us/azure/virtual-network/security-overview

NO.437

You have an Azure web app named App1 that streams video content to users. App1 is located in the East US Azure region. Users in North America stream the video content without any interruption. Users in Asia and Europe report that the videos buffer often and do not play back smoothly. You need to recommend a solution to improve video streaming to the European and Asian users. What should you recommend?

A. Scale out the App Service plan.

B. Scale up the App Service plan.

C. Configure an Azure Content Delivery Network (CDN) endpoint.

D. Configure Azure File Sync.

Correct Answer: C 🗳️

A content delivery network (CDN) is a distributed network of servers that can efficiently deliver web content to users. CDNs store cached content on edge servers in point-of-presence (POP) locations that are close to end users, to minimize latency. Azure Content Delivery Network (CDN) offers developers a global solution for rapidly delivering high-bandwidth content to users by caching their content at strategically placed physical nodes across the world.

NO.438

You have an Azure Active Directory (Azure AD) tenant named contoso.onmicrosoft.com that contains the users shown in the following table.

img

You enable password reset for contoso.onmicrosoft.com as shown in the Password Reset exhibit. (Click the Password Reset tab.)

img

You configure the authentication methods for password reset as shown in the Authentication Methods exhibit. (Click the Authentication Methods tab.)

img

For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.
Hot Area:

img

Suggested Answer:

img

Box 1: No - Two methods are required.

Box 2: No - Self-service password reset is only enabled for Group2, and User1 is not a member of Group2.

Box 3: Yes - As a User Administrator, User3 can add security questions to the reset process.

Reference: https://docs.microsoft.com/en-us/azure/active-directory/authentication/quickstart-sspr https://docs.microsoft.com/en-us/azure/active-directory/authentication/active-directory-passwords-faq

NO.439

You have an Azure subscription. You have an on-premises virtual machine named VM1. The settings for VM1 are shown in the exhibit. (Click the Exhibit tab.)

img

You need to ensure that you can use the disks attached to VM1 as a template for Azure virtual machines. What should you modify on VM1?

A. the processor

B. the memory

C. Integration Services

D. the hard drive

E. the network adapters

Suggested Answer: D 🗳️
From the exhibit we see that the disk is in the VHDX format. Before you upload a Windows virtual machine (VM) from on-premises to Microsoft Azure, you must prepare the virtual hard disk (VHD or VHDX). Azure supports only generation 1 VMs that are in the VHD file format and have a fixed-size disk. The maximum size allowed for the VHD is 1,023 GB. You can convert a generation 1 VM from the VHDX file system to VHD and from a dynamically expanding disk to a fixed-size disk.

Azure supports both generation 1 and generation 2 VMs that are in VHD file format and that have a fixed-size disk. The maximum size allowed for the OS VHD on a generation 1 VM is 2 TB.

You can convert a VHDX file to VHD, convert a dynamically expanding disk to a fixed-size disk, but you can't change a VM's generation.

References: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/prepare-for-upload-vhd-image

Azure supports only VHD, so if the on-premises VM disk is VHDX, it must be converted to VHD.

NO.440 *

You have an Azure subscription that contains a virtual network named VNET1. VNET1 contains the subnets shown in the following table.

img

Each virtual machine uses a static IP address. You need to create network security groups (NSGs) to meet the following requirements:
✑ Allow web requests from the internet to VM3, VM4, VM5, and VM6.
✑ Allow all connections between VM1 and VM2.
✑ Allow Remote Desktop connections to VM1.
✑ Prevent all other network traffic to VNET1.
What is the minimum number of NSGs you should create?

A. 1 Most Voted

B. 3

C. 4

D. 12

Suggested Answer: *A 🗳️
Each network security group also contains default security rules.

Note: A network security group (NSG) contains a list of security rules that allow or deny network traffic to resources connected to Azure Virtual Networks (VNet). NSGs can be associated to subnets, individual VMs (classic), or individual network interfaces (NIC) attached to VMs (Resource Manager).
Reference: https://docs.microsoft.com/en-us/azure/virtual-network/security-overview#default-security-rules

Correct Answer: A

NSGs can be associated to subnets, individual VMs (classic), or individual network interfaces (NIC) attached to VMs (Resource Manager). You can associate zero, or one, NSG(s) to each VNet subnet and NIC in a virtual machine. The same NSG can be associated to as many subnets and NICs as you choose.

So, you can create 1 NSG and associate it with all 3 Subnets.

  • Allow web requests from internet to VM3, VM4, VM5 and VM6: You need to add an inbound rule to allow Internet TCP 80 to the static IP addresses of VM3, VM4, VM5 and VM6.
  • Allow all connections between VM1 and VM2: You do not need an NSG rule, as communication within the same VNet is allowed by default, even without configuring an NSG.
  • Allow remote desktop to VM1: You need to add an inbound rule to allow RDP 3389 to VM1's static IP address.
  • Prevent all other network traffic to VNET1: You do not need to configure any NSG rule, as there is an explicit deny rule (DenyAllInbound) in every NSG.

NO.441

Note: The question is included in a number of questions that depicts the identical set-up. However, every question has a distinctive result. Establish if the solution satisfies the requirements. Your company has an Azure Active Directory (Azure AD) tenant named weyland.com that is configured for hybrid coexistence with the on-premises Active Directory domain. You have a server named DirSync1 that is configured as a DirSync server. You create a new user account in the on-premises Active Directory. You now need to replicate the user information to Azure AD immediately.
Solution: You run the Start-ADSyncSyncCycle -PolicyType Initial PowerShell cmdlet. Does the solution meet the goal?

A. Yes

B. No Most Voted

Suggested Answer: B 🗳️

Answer is B (No). Initial will perform a full sync and add the user account created, but it will take time. Delta will kick off a delta sync and bring only the last change, so it will be "immediately" and will fulfill the requirements.

Reference: https://blog.kloud.com.au/2016/03/08/azure-ad-connect-manual-sync-cycle-with-powershell-start-adsyncsynccycle/

NO.442

You have an Azure subscription named Subscription1 that contains a resource group named RG1. In RG1, you create an internal load balancer named LB1 and a public load balancer named LB2. You need to ensure that an administrator named Admin1 can manage LB1 and LB2. The solution must follow the principle of least privilege. Which role should you assign to Admin1 for each task? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Hot Area:

img

Suggested Answer:

img

NO.443

You have the Azure virtual network named VNet1 that contains a subnet named Subnet1. Subnet1 contains three Azure virtual machines. Each virtual machine has a public IP address. The virtual machines host several applications that are accessible over port 443 to users on the Internet. Your on-premises network has a site-to-site VPN connection to VNet1. You discover that the virtual machines can be accessed by using the Remote Desktop Protocol (RDP) from the Internet and from the on-premises network. You need to prevent RDP access to the virtual machines from the Internet, unless the RDP connection is established from the on-premises network. The solution must ensure that all the applications can still be accessed by the Internet users. What should you do?

A. Modify the address space of the local network gateway

B. Create a deny rule in a network security group (NSG) that is linked to Subnet1 Most Voted

C. Remove the public IP addresses from the virtual machines

D. Modify the address space of Subnet1

Suggested Answer: B 🗳️
You can use a site-to-site VPN to connect your on-premises network to an Azure virtual network. Users on your on-premises network connect by using the RDP or SSH protocol over the site-to-site VPN connection. You don't have to allow direct RDP or SSH access over the internet.
Reference: https://docs.microsoft.com/en-us/azure/security/fundamentals/network-best-practices

NO.444

You plan to create the Azure web apps shown in the following table.

img

What is the minimum number of App Service plans you should create for the web apps?

A. 1

B. 2

C. 3

D. 4

Suggested Answer: B 🗳️

Correct Answer: B

  • .NET Core 3.0: Windows and Linux
  • ASP .NET V4.7: Windows only
  • PHP 7.3: Windows and Linux
  • Ruby 2.6: Linux only

Also, you can't use Windows and Linux apps in the same App Service plan, because when you create a new App Service plan you have to choose the OS type. So, you need 2 ASPs. Reference: https://docs.microsoft.com/en-us/azure/app-service/overview

NO.445

You have an Azure subscription that contains a policy-based virtual network gateway named GW1 and a virtual network named VNet1. You need to ensure that you can configure a point-to-site connection from an on-premises computer to VNet1. Which two actions should you perform? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.

A. Add a service endpoint to VNet1

B. Reset GW1

C. Create a route-based virtual network gateway

D. Add a connection to GW1

E. Delete GW1

F. Add a public IP address space to VNet1

Suggested Answer: CE 🗳️

C: A VPN gateway is used when creating a VPN connection to your on-premises network. Route-based VPN devices use any-to-any (wildcard) traffic selectors, and let routing/forwarding tables direct traffic to different IPsec tunnels. It is typically built on router platforms where each IPsec tunnel is modeled as a network interface or VTI (virtual tunnel interface).

E: Policy-based VPN devices use the combinations of prefixes from both networks to define how traffic is encrypted/decrypted through IPsec tunnels. It is typically built on firewall devices that perform packet filtering. IPsec tunnel encryption and decryption are added to the packet filtering and processing engine.

Incorrect Answers:
F: Point-to-Site connections do not require a VPN device or a public-facing IP address.

Reference: https://docs.microsoft.com/en-us/azure/vpn-gateway/create-routebased-vpn-gateway-portal https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-connect-multiple-policybased-rm-ps

NO.446

Your company registers a domain name of contoso.com. You create an Azure DNS zone named contoso.com, and then you add an A record to the zone for a host named www that has an IP address of 131.107.1.10. You discover that Internet hosts are unable to resolve www.contoso.com to the 131.107.1.10 IP address. You need to resolve the name resolution issue.
Solution: You create a PTR record for www in the contoso.com zone. Does this meet the goal?

A. Yes

B. No

Suggested Answer: B 🗳️
Modify the Name Server (NS) record.
References: https://docs.microsoft.com/en-us/azure/dns/dns-delegate-domain-azure-dns

NO.447

You plan to deploy several Azure virtual machines that will run Windows Server 2019 in a virtual machine scale set by using an Azure Resource Manager template. You need to ensure that NGINX is available on all the virtual machines after they are deployed. What should you use?

A. Deployment Center in Azure App Service

B. A Desired State Configuration (DSC) extension Most Voted

C. the New-AzConfigurationAssignment cmdlet

D. a Microsoft Intune device configuration profile

Suggested Answer: B 🗳️
Azure virtual machine extensions are small packages that run post-deployment configuration and automation on Azure virtual machines. In the following example, the Azure CLI is used to deploy a custom script extension to an existing virtual machine, which installs an Nginx web server.

    az vm extension set \
      --resource-group myResourceGroup \
      --vm-name myVM \
      --name customScript \
      --publisher Microsoft.Azure.Extensions \
      --settings '{"commandToExecute": "apt-get install -y nginx"}'

Note: There are several versions of this question in the exam. The question has two correct answers:

  1. a Desired State Configuration (DSC) extension
  2. Azure Custom Script Extension

The question can have other incorrect answer options, including the following:
✑ the Publish-AzVMDscConfiguration cmdlet
✑ Azure Application Insights
Reference: https://docs.microsoft.com/en-us/azure/architecture/framework/devops/automation-configuration

The primary use case for the Azure Desired State Configuration (DSC) extension is to bootstrap a VM to the Azure Automation State Configuration (DSC) service. The service provides benefits that include ongoing management of the VM configuration and integration with other operational tools, such as Azure Monitoring. Using the extension to register VMs to the service provides a flexible solution that even works across Azure subscriptions. You can use the DSC extension independently of the Automation DSC service. Reference: https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/dsc-overvie

NO.448

HOTSPOT - You have a pay-as-you-go Azure subscription that contains the virtual machines shown in the following table.

img

You create the budget shown in the following exhibit.

img

The AG1 action group contains a user named [email protected] only. Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
Hot Area:

img

Suggested Answer:

img

Box 1: VM1 and VM2 continue to run
The budget alerts are for Resource Group RG1, which includes VM1, but not VM2. However, when the budget thresholds you've created are exceeded, only notifications are triggered. None of your resources are affected and your consumption isn't stopped.

Box 2: one email notification will be sent each month.
Budget alerts are for Resource Group RG1, which includes VM1, but not VM2. VM1 consumes 20 Euro/day. The 50%, 500 Euro limit, will be reached in 25 days, and an email will be sent. The 70% and 100% alert conditions will not be reached within a month, and they don't trigger email actions anyway.
Credit alerts: Credit alerts are generated automatically at 90% and at 100% of your Azure credit balance. Whenever an alert is generated, it's reflected in cost alerts and in the email sent to the account owners. 90% and 100% will not be reached though.

Reference: https://docs.microsoft.com/en-us/azure/cost-management-billing/costs/cost-mgt-alerts-monitor-usage-spending https://docs.microsoft.com/en-gb/azure/cost-management-billing/costs/tutorial-acm-create-budgets

NO.449

You have an Azure subscription that contains the resources shown in the following table.

You need to create a network interface named NIC1.
In which location can you create NIC1?

A. East US and North Europe only
B. East US only
C. East US, West Europe, and North Europe
D. East US and West Europe only

Suggested Answer: B 🗳️
Before creating a network interface, you must have an existing virtual network in the same location and subscription you create a network interface in.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface

NO.450

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription that contains the virtual machines shown in the following table.

img

You deploy a load balancer that has the following configurations:
✑ Name: LB1
✑ Type: Internal
✑ SKU: Standard
✑ Virtual network: VNET1
You need to ensure that you can add VM1 and VM2 to the backend pool of LB1.
Solution: You disassociate the public IP address from the network interface of VM2. Does this meet the goal?

(A). Yes

(B). No

Answer: A

You can only attach virtual machines in the same region and that have a standard SKU public IP configuration or no public IP configuration. All IP configurations must be on the same virtual network.


Solution: You create two Standard SKU public IP addresses and associate a Standard SKU public IP address to the network interface of each virtual machine. Does this meet the goal?

A. Yes Most Voted

B. No

Suggested Answer: A 🗳️
A Backend Pool configured by IP address has the following limitations:
✑ Standard load balancer only
Reference: https://docs.microsoft.com/en-us/azure/load-balancer/backend-pool-management

igotoo