Azure Certi 104-4 : 261 ~ 300

NO.261

You have an Azure subscription that contains an Azure Service Bus named Bus1. Your company plans to deploy two Azure web apps named App1 and App2. The web apps will create messages that have the following requirements:
✑ Each message created by App1 must be consumed by only a single consumer.
✑ Each message created by App2 will be consumed by multiple consumers.

Which resource should you create for each web app?
To answer, drag the appropriate resources to the correct web apps. Each resource may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
Select and Place:

Suggested Answer:

Queue: single consumer. Topics: multiple consumers.
Reference: https://docs.microsoft.com/en-us/azure/service-bus-messaging/service-bus-queues-topics-subscriptions

NO.262

You have an Azure subscription that contains a virtual machine named VM1. VM1 hosts a line-of-business application that is available 24 hours a day. VM1 has one network interface and one managed disk. VM1 uses the D4s v3 size. You plan to make the following changes to VM1:
✑ Change the size to D8s v3.
✑ Add a 500-GB managed disk.
✑ Add the Puppet Agent extension.
✑ Enable Desired State Configuration Management.
Which change will cause downtime for VM1?

A. Enable Desired State Configuration Management

B. Add a 500-GB managed disk

C. Change the size to D8s v3

D. Add the Puppet Agent extension

Suggested Answer: C
While resizing the VM it must be in a stopped state.
Reference: https://azure.microsoft.com/en-us/blog/resize-virtual-machines/

NO.263

You have an Azure subscription named Subscription1 that contains the quotas shown in the following table.

You deploy virtual machines to Subscription1 as shown in the following table.

You plan to deploy the virtual machines shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Suggested Answer:

The total regional vCPUs is 20 so that means a maximum total of 20 vCPUs across all the different VM sizes. The deallocated VM with 16 vCPUs counts towards the total. VM20 and VM1 are using 18 of the maximum 20 vCPUs leaving only two vCPUs available.
Reference: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/quotas

NO.264

You have an Azure subscription that contains three virtual networks named VNet1, VNet2, and VNet3. VNet2 contains a virtual appliance named VM2 that operates as a router. You are configuring the virtual networks in a hub and spoke topology that uses VNet2 as the hub network. You plan to configure peering between VNet1 and VNet2 and between VNet2 and VNet3. You need to provide connectivity between VNet1 and VNet3 through VNet2. Which two configurations should you perform?

Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.

A. On the peering connections, allow forwarded traffic

B. Create a route filter

C. On the peering connections, allow gateway transit

D. Create route tables and assign the table to subnets

E. On the peering, use remote gateways

Answer: A,D

Allow gateway transit: Check this box if you have a virtual network gateway attached to this virtual network and want to allow traffic from the peered virtual network to flow through the gateway.

The peered virtual network must have the Use remote gateways checkbox checked when setting up the peering from the other virtual network to this virtual network.

Reference: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-managepeering#requirements-andconstraints

NO.265 **

You have an on-premises file server named Server1 that runs Windows Server 2016. You have an Azure subscription that contains an Azure file share. You deploy an Azure File Sync Storage Sync Service, and you create a sync group. You need to synchronize files from Server1 to Azure. Which three actions should you perform in sequence?
To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Select and Place:

Answer:
1 - Install the Azure File Sync agent on Server1
2 - Register Server1.
3 - Add a server endpoint

Suggested Answer:
Step 1: Install the Azure File Sync agent on Server1
The Azure File Sync agent is a downloadable package that enables Windows Server to be synced with an Azure file share.
Step 2: Register Server1.
Register Windows Server with Storage Sync Service. Registering your Windows Server with a Storage Sync Service establishes a trust relationship between your server (or cluster) and the Storage Sync Service.

Step 3: Add a server endpoint
Create a sync group and a cloud endpoint. A sync group defines the sync topology for a set of files. Endpoints within a sync group are kept in sync with each other. A sync group must contain one cloud endpoint, which represents an Azure file share, and one or more server endpoints. A server endpoint represents a path on a registered server.
References: https://docs.microsoft.com/en-us/azure/storage/files/storage-sync-files-deployment-guide

NO.266

You have an Azure Active Directory (Azure AD) tenant named Contoso.com that is synced to an Active Directory domain. The tenant contains the users shown in the following table.

The users have the attributes shown in the following table.

You need to ensure that you can enable Azure Multi-Factor Authentication (MFA) for all four users. Solution: You create a new user account in Azure AD for User3. Does this meet the goal?

A. Yes

B. No

Answer: A

User3 requires a user account in Azure AD.
Note: Your Azure AD password is considered an authentication method. It is the one method that cannot be disabled.
Reference: https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-authenticationmethods

NO.267 *

You have an Azure Active Directory (Azure AD) tenant named contoso.com. You have a CSV file that contains the names and email addresses of 500 external users. You need to create a guest user account in contoso.com for each of the 500 external users.
Solution: From Azure AD in the Azure portal, you use the Bulk create user operation. Does this meet the goal?

A. Yes

B. No

Suggested Answer: B
Instead use the New-AzureADMSInvitation cmdlet which is used to invite a new external user to your directory.
Reference: https://docs.microsoft.com/en-us/powershell/module/azuread/new-azureadmsinvitation

"Bulk Create" is for new Azure AD Users.
For Guests:
- Use "Bulk invite users" to prepare a comma-separated value (.csv) file with the user information and invitation preferences
- Upload the .csv file to Azure AD
- Verify the users were added to the directory

From ChatGPT

If the goal is to create guest user accounts in your Azure AD tenant for each of the 500 external users, then you can use the Bulk create user operation in Azure AD as described in my previous answer.

If the goal is to invite external users to your Azure AD tenant as guest users, then you can follow the steps I provided in my most recent answer.

It's important to note that creating a guest user account for an external user in your Azure AD tenant is different from inviting them as a guest user. Creating a guest user account will create a user object in your Azure AD tenant that can be assigned to groups and assigned access to resources, while inviting them as a guest user will only create a temporary access token that allows them to access resources that you have shared with them.

So, depending on your specific needs, you can choose to create guest user accounts or invite external users as guest users in your Azure AD tenant.

NO.268

You have an Azure subscription named Subscription1 that contains the resources shown in the following table.

Subscription1 also includes a virtual network named VNET2. VM1 connects to a virtual network named VNET2 by using a network interface named NIC1. You need to create a new network interface named NIC2 for VM1.
Solution: You create NIC2 in RG2 and Central US.
Does this meet the goal?

A. Yes

B. No

Suggested Answer: B
The virtual machine you attach a network interface to and the virtual network you connect it to must exist in the same location, here West US, also referred to as a region.
Reference: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface

NO.269 *

You have an Azure subscription linked to an Azure Active Directory tenant. The tenant includes a user account named User1. You need to ensure that User1 can assign a policy to the tenant root management group. What should you do?

A. Assign the Owner role for the Azure Subscription to User1, and then modify the default conditional access policies.

B. Assign the Owner role for the Azure subscription to User1, and then instruct User1 to configure access management for Azure resources.

C. Assign the Global administrator role to User1, and then instruct User1 to configure access management for Azure resources.

D. Create a new management group and delegate User1 as the owner of the new management group.

Suggested Answer: C
Correct Answer: C
No one is given default access to the root management group. Azure AD Global Administrators are the only users that can elevate themselves to gain access. Once they have access to the root management group, the global administrators can assign any Azure role to other users to manage it.
Reference: https://docs.microsoft.com/en-us/azure/governance/management-groups/overview#important-facts-about-the-root-management-group https://docs.microsoft.com/en-us/azure/governance/management-groups/overview

NO.270

You have an Azure web app named App1. App1 runs in an Azure App Service plan named Plan1. Plan1 is associated to the Free pricing tier. You discover that App1 stops each day after running continuously for 60 minutes. You need to ensure that App1 can run continuously for the entire day.
Solution: You add a continuous WebJob to App1. Does this meet the goal?

A. Yes

B. No

Answer: B

A web app can time out after 20 minutes of inactivity. Only requests to the actual web app reset the timer. Viewing the app's configuration in the Azure portal or making requests to the advanced tools site don't reset the timer.
If your app runs continuous or scheduled (Timer trigger) WebJobs, enable Always On to ensure that the WebJobs run reliably.
This feature is available only in the Basic, Standard, and Premium pricing tiers.
The App Service plan mentioned in the question is associated to the Free tier, so addition of a continuous WebJob to App1 is not possible.
So the proposed solution won't meet the goal.

Reference: https://docs.microsoft.com/en-us/azure/app-service/webjobs-creat

NO.271 *

You have Azure subscriptions named Subscription1 and Subscription2. Subscription1 has following resource groups:

RG1 includes a web app named App1 in the West Europe location. Subscription2 contains the following resource groups:

For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point. Hot Area:

Answer is Correct. Yes Yes Yes
- The lock only affects editing/deleting the resources themselves. This means that if the resource is in a resource group with no lock, it is free to move to any other group, even if the other group has a read-only or delete lock. However, if the resource is in an RG with a read-only lock, it can NOT be moved. In case of no delete lock, it can be moved.

Note: App Service resources are region-specific and cannot be moved directly across regions. You can move the App Service resource by creating a copy of your existing App Service resource in the target region, then move your content over to the new app. You can then delete the source app and App Service plan. To make copying your app easier, you can clone an individual App Service app into an App Service plan in another region.
Reference: https://docs.microsoft.com/en-us/azure/app-service/manage-move-across-regions https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/move-limitations/app-service-move-limitations

NO.272 *

You manage a virtual network named VNet1 that is hosted in the West US Azure region. VNet1 hosts two virtual machines named VM1 and VM2 that run Windows Server. You need to inspect all the network traffic from VM1 to VM2 for a period of three hours.
Solution: From Azure Network Watcher, you create a packet capture. Does this meet the goal?

A. Yes

B. No

Suggested Answer: A
Network Watcher variable packet capture allows you to create packet capture sessions to track traffic to and from a virtual machine. Packet capture helps to diagnose network anomalies both reactively and proactively. Other uses include gathering network statistics, gaining information on network intrusions, debugging client-server communications and much more.
Reference: https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-packet-capture-overview

NO.273

You have a general-purpose v1 Azure Storage account named storage1 that uses locally-redundant storage (LRS). You need to ensure that the data in the storage account is protected if a zone fails. The solution must minimize costs and administrative effort. What should you do first?

A. Create a new storage account.

B. Configure object replication rules.

C. Upgrade the account to general-purpose v2.

D. Modify the Replication setting of storage1.

Suggested Answer: C
Reference: https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy

Correct. v1 supports GRS/RA-GRS but question was about least cost. Least cost is ZRS which is only supported for v2 and premium file/block storage.
Source: https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy#supported-storage-account-types

NO.274

You have an Azure subscription that contains the following storage account:

You need to create a request to Microsoft Support to perform a live migration of storage1 to Zone Redundant Storage (ZRS) replication. How should you modify storage1 before the live migration?

A. Set the replication to Locally-redundant storage (LRS)

B. Disable Advanced threat protection

C. Remove the lock

D. Set the access tier to Hot

Answer: A
If you want to live migrate from RA-GRS to ZRS, you first have to switch the storage tier to LRS; only then can you request a live migration.

NO.275

You have two Azure virtual machines as shown in the following table.

You create the Azure DNS zones shown in the following table.

You perform the following actions:
✑ For fabrikam.com, you add a virtual network link to vnet1 and enable auto registration.
✑ For contoso.com, you assign vm1 and vm2 the Owner role.
For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.
Hot Area:

N = none of the actions in question added the VM1 record to contoso.com dns

Y = vnet1 is linked and auto-rego is enabled, records get added automatically.

Y = vnet1 is linked and auto-rego is enabled, records get added automatically.

NO.276

You have an Azure subscription named Subscription1 that contains the resource groups shown in the following table.

In RG1, you create a virtual machine named VM1 in the East Asia location. You plan to create a virtual network named VNET1. You need to create VNET1, and then connect VM1 to VNET1. What are two possible ways to achieve this goal? Each correct answer presents a complete solution. NOTE: Each correct selection is worth one point.

A. Create VNET1 in RG2, and then set East Asia as the location.

B. Create VNET1 in a new resource group in the West US location, and then set West US as the location.

C. Create VNET1 in RG1, and then set East US as the location.

D. Create VNET1 in RG2, and then set East US as the location.

E. Create VNET1 in RG1, and then set East Asia as the location.

Suggested Answer: AE

NO.277 **

You have an Azure subscription named Subscription1. You plan to deploy an Ubuntu Server virtual machine named VM1 to Subscription1. You need to perform a custom deployment of the virtual machine. A specific trusted root certification authority (CA) must be added during the deployment. What should you do?
To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

Explanation:
Box 1: Cloud-init.txt
Cloud-init.txt is used to customize a Linux VM on first boot up. It can be used to install packages and write files, or to configure users and security. No additional steps or agents are required to apply your configuration.
Box 2: The az vm create command
Once Cloud-init.txt has been created, you can deploy the VM with the az vm create command, using the --custom-data parameter to provide the full path to the cloud-init.txt file.
References: https://docs.microsoft.com/en-us/azure/virtual-machines/linux/tutorial-automate-vm-deployment

To create a custom CA, you can use the New-SelfSignedCertificate cmdlet in PowerShell. This cmdlet generates a self-signed certificate that can be used as a root CA for issuing certificates.

NO.278

You have an Azure Subscription that contains a storage account named storageacct1234 and two users named User1 and User2. You assign User1 the roles shown in the following exhibit.

Which two actions can User1 perform?
Each correct answer presents a complete solution. NOTE: Each correct selection is worth one point.

A. Assign roles to User2 for storageacct1234.

B. Upload blob data to storageacct1234.

C. Modify the firewall of storageacct1234.

D. View blob data in storageacct1234.

E. View file shares in storageacct1234.

BD is the answer.

https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#reader
View all resources, but does not allow you to make any changes.
https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#storage-blob-data-contributor
Read, write, and delete Azure Storage containers and blobs.

NO.279

Your company has datacenters in Los Angeles and New York. The company has a Microsoft Azure subscription. You are configuring the two datacenters as geo-clustered sites for site resiliency. You need to recommend an Azure storage redundancy option. You have the following data storage requirements:
✑ Data must be stored on multiple nodes.
✑ Data must be stored on nodes in separate geographic locations.
✑ Data can be read from the secondary location as well as from the primary location.
Which of the following Azure storage redundancy options should you recommend?

A. Geo-redundant storage

B. Read-only geo-redundant storage

C. Zone-redundant storage

D. Locally redundant storage

Suggested Answer: B
RA-GRS allows you to have higher read availability for your storage account by providing "read only" access to the data replicated to the secondary location. Once you enable this feature, the secondary location may be used to achieve higher availability in the event the data is not available in the primary region. This is an "opt-in" feature which requires the storage account be geo-replicated.
References: https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy-grs#read-access-geo-redundant-storage

NO.280

Your on-premises network contains an Active Directory domain named adatum.com that is synced to Azure Active Directory (Azure AD). Password writeback is disabled. In adatum.com, you create the users shown in the following table.

Which users must sign in from a computer joined to adatum.com?

A. User2 only

B. User1 and User3 only

C. User1, User2, and User3

D. User2 and User3 only

E. User1 only

Correct Answer: E

Password writeback is a feature enabled with Azure AD Connect that allows password changes in the cloud to be written back to an existing on-premises directory in real time.
References: https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-writeback

NO.281 *

You have an Azure subscription that contains the resources shown in the following table.

In Azure Cloud Shell, you need to create a virtual machine by using an Azure Resource Manager (ARM) template. How should you complete the command?
To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Hot Area:

Suggested Answer:

Reference: https://docs.microsoft.com/en-us/powershell/module/az.resources/new-azresourcegroupdeployment?view=azps-6.6.0

Box 1: New-AzResourceGroupDeployment.
This cmdlet allows you to use a custom ARM template file to deploy resources to a resource group.

For example:
New-AzResourceGroup -Name $resourceGroupName -Location "$location"
New-AzResourceGroupDeployment `
    -ResourceGroupName $resourceGroupName `
    -TemplateUri "https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/quickstarts/microsoft.compute/vm-simple-windows/azuredeploy.json" `
    -adminUsername $adminUsername `
    -adminPassword $adminPassword `
    -dnsLabelPrefix $dnsLabelPrefix

Box 2: -ResourceGroupName RG1.
It is one of the parameters of New-AzResourceGroupDeployment; it specifies the resource group to which you want to deploy resources.

You could use New-AzVm to create a VM, but it doesn’t use a template. You would need to provide all parameters in the command line.

Reference: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/ps-template https://docs.microsoft.com/en-us/powershell/module/az.compute/new-azvm?view=azps-7.0.0

NO.282 **

You have an Azure subscription named AZPT1 that contains the resources shown in the following table:

You create a new Azure subscription named AZPT2. You need to identify which resources can be moved to AZPT2. Which resources should you identify?

A. VM1, storage1, VNET1, and VM1Managed only

B. VM1 and VM1Managed only

C. VM1, storage1, VNET1, VM1Managed, and RVAULT1

D. RVAULT1 only

Suggested Answer: C
You can move a VM and its associated resources to a different subscription by using the Azure portal. You can now move an Azure Recovery Service (ASR) Vault to either a new resource group within the current subscription or to a new subscription.
Reference: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/move-resource-group-and-subscription

NO.283 **

You have an Azure subscription that contains a virtual network named VNet1. VNet1 contains four subnets named Gateway, Perimeter, NVA, and Production. The NVA subnet contains two network virtual appliances (NVAs) that will perform network traffic inspection between the Perimeter subnet and the Production subnet. You need to implement an Azure load balancer for the NVAs.
The solution must meet the following requirements:
The NVAs must run in an active-active configuration that uses automatic failover.
The load balancer must load balance traffic to two services on the Production subnet. The services have different IP addresses.
Which three actions should you perform?
Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.

(A). Add two load balancing rules that have HA Ports enabled and Floating IP disabled.

(B). Deploy a standard load balancer.

(C). Add a frontend IP configuration, two backend pools, and a health probe.

(D). Add a frontend IP configuration, a backend pool, and a health probe.

(E). Add two load balancing rules that have HA Ports and Floating IP enabled.

(F). Deploy a basic load balancer.

Answer: B,C,E

  • A standard load balancer is required for the HA ports.
  • Two backend pools are needed as there are two services with different IP addresses.
  • Floating IP rule is used where backend ports are reused.

Incorrect Answers: F: HA Ports are not available for the basic load balancer.

Reference: https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-standard-overview
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-multivip-overview

Frontend IP vs Floating IP (from ChatGPT)

In Azure Load Balancer, a frontend IP address and a floating IP address are two different concepts that serve different purposes.

A frontend IP address is an IP address that is assigned to the load balancer and used to receive traffic from clients. When you create a load balancer, you can specify one or more frontend IP addresses, which can be either a public IP address or an internal IP address. The frontend IP addresses are associated with frontend configurations, which define how traffic is received and distributed by the load balancer.

A floating IP address, on the other hand, is a secondary IP address that can be assigned to the load balancer and used to maintain connectivity to backend instances in a backend pool. When a floating IP address is assigned to a load balancer, it is associated with a backend pool and can be moved between instances in the pool as needed.

The main difference between a frontend IP address and a floating IP address is that the frontend IP address is used to receive traffic from clients, while the floating IP address is used to maintain connectivity to backend instances. The frontend IP address is typically a public IP address that is accessible from the internet, while the floating IP address is typically an internal IP address that is used only within the Azure Virtual Network.

It's worth noting that while a frontend IP address is required for a load balancer to function, a floating IP address is optional. You can use a load balancer without a floating IP address, but adding a floating IP address can provide additional benefits, such as maintaining connectivity to backend instances during failover scenarios.

HA port Overview
High availability ports overview in Azure - Azure Load Balancer | Microsoft Learn

The following diagram presents a hub-and-spoke virtual network deployment. The spokes force-tunnel their traffic to the hub virtual network and through the NVA, before leaving the trusted space. The NVAs are behind an internal Standard Load Balancer with an HA ports configuration. All traffic can be processed and forwarded accordingly. When configured as shown in the following diagram, an HA Ports load-balancing rule additionally provides flow symmetry for ingress and egress traffic. (ref. High availability ports overview in Azure - Azure Load Balancer | Microsoft Learn)

Azure Standard Load Balancer helps you load-balance all protocol flows on all ports simultaneously when you're using an internal load balancer via HA Ports.

High availability (HA) ports are a type of load balancing rule that provides an easy way to load-balance all flows that arrive on all ports of an internal standard load balancer. The load-balancing decision is made per flow. This action is based on the following five-tuple connection: source IP address, source port, destination IP address, destination port, and protocol.

The HA ports load-balancing rules help you with critical scenarios, such as high availability and scale for network virtual appliances (NVAs) inside virtual networks. The feature can also help when a large number of ports must be load-balanced.

The HA ports load-balancing rules are configured when you set the front-end and back-end ports to 0 and the protocol to All. The internal load balancer resource then balances all TCP and UDP flows, regardless of port number.

NO.284 *

You have a deployment template named Template1 that is used to deploy 10 Azure web apps. You need to identify what to deploy before you deploy Template1. The solution must minimize Azure costs. What should you identify?

A. five Azure Application Gateways

B. one App Service plan

C. 10 App Service plans

D. one Azure Traffic Manager

E. one Azure Application Gateway

Suggested Answer: B
You create Azure web apps in an App Service plan.
Reference: https://docs.microsoft.com/en-us/azure/app-service/overview-hosting-plans

In App Service (Web Apps, API Apps, or Mobile Apps), an app always runs in an App Service plan. An App Service plan defines a set of compute resources for a web app to run.
One App Service Plan : Correct Choice

For an Azure Web App, you need to have an Azure App Service Plan in place.
You can associate multiple Azure Web Apps with the same App Service Plan. Hence to save on costs, you can just have one Azure App Service Plan in place.

An Azure Load Balancer : Incorrect Choice
An Azure load balancer is a Layer-4 (TCP, UDP) load balancer that provides high availability by distributing incoming traffic among healthy VMs. A load balancer health probe monitors a given port on each VM and only distributes traffic to an operational VM

An Application Gateway : Incorrect Choice
Azure Application Gateway is a web traffic load balancer that enables you to manage traffic to your web applications. Traditional load balancers operate at the transport layer (OSI layer 4 - TCP and UDP) and route traffic based on source IP address and port, to a destination IP address and port.

10 Azure App Service Plans : Incorrect Choice
For an Azure Web App, you need to have an Azure App Service Plan in place. You can associate multiple Azure Web Apps with the same App Service Plan. Hence to save on costs, you can just have one Azure App Service Plan in place. So there is no need for 10 App Service Plans.

Reference: https://docs.microsoft.com/en-us/azure/app-service/overview-hosting-plans https://docs.microsoft.com/en-us/azure/virtual-machines/windows/tutorial-load-balancer
https://docs.microsoft.com/en-us/azure/application-gateway/overview

NO.285

You have an Azure Active Directory (Azure AD) tenant named Adatum and an Azure Subscription named Subscription1. Adatum contains a group named Developers. Subscription1 contains a resource group named Dev. You need to provide the Developers group with the ability to create Azure logic apps in the Dev resource group.
Solution: On Dev, you assign the Contributor role to the Developers group. Does this meet the goal?

A. Yes

B. No

Correct Answer: A
The Contributor role can manage all resources (and add resources) in a Resource Group.

NO.286 *

You have an Azure App Service plan that hosts an Azure App Service named App1. You configure one production slot and four staging slots for App1. You need to allocate 10 percent of the traffic to each staging slot and 60 percent of the traffic to the production slot. What should you add to App1?

A. slots to the Testing in production blade

B. a performance test

C. a WebJob

D. templates to the Automation script blade

Correct Answer: A
Besides swapping, deployment slots offer another killer feature: testing in production. Just like the name suggests, using this, you can actually test in production. This means that you can route a specific percentage of user traffic to one or more of your deployment slots.

Azure Deployment Slots: Benefits and How to Use Them (stackify.com)

NO.287

You have an on-premises data center and an Azure subscription. The data center contains two VPN devices. The subscription contains an Azure virtual network named VNet1. VNet1 contains a gateway subnet. You need to create a site-to-site VPN. The solution must ensure that if a single instance of an Azure VPN gateway fails, or a single on-premises VPN device fails, the failure will not cause an interruption that is longer than two minutes. What is the minimum number of public IP addresses, virtual network gateways, and local network gateways required in Azure?
To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Hot Area:

img

Suggested Answer:

img

Box 1: 4 - Two public IP addresses in the on-premises data center, and two public IP addresses in the VNET. The most reliable option is to combine the active-active gateways on both your network and Azure, as shown in the diagram below.

img

Here you create and set up the Azure VPN gateway in an active-active configuration, and create two local network gateways and two connections for your two on-premises VPN devices as described above. The result is a full mesh connectivity of 4 IPsec tunnels between your Azure virtual network and your on-premises network.

Box 2: 2 - Every Azure VPN gateway consists of two instances in an active-standby configuration. For any planned maintenance or unplanned disruption that happens to the active instance, the standby instance would take over (failover) automatically, and resume the S2S VPN or VNet-to-VNet connections.

Box 3: 2 - Dual-redundancy: active-active VPN gateways for both Azure and on-premises networks
Reference: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-highlyavailable

You need to create one local network gateway for each VPN device, and one connection from your Azure VPN gateway to each local network gateway.

NO.288

Your company registers a domain name of contoso.com. You create an Azure DNS zone named contoso.com, and then you add an A record to the zone for a host named www that has an IP address of 131.107.1.10. You discover that Internet hosts are unable to resolve www.contoso.com to the 131.107.1.10 IP address. You need to resolve the name resolution issue.
Solution: You modify the name servers at the domain registrar. Does this meet the goal?

A. Yes

B. No

Suggested Answer: A
Modify the Name Server (NS) record.

Suppose you buy the domain contoso.com from a domain name registrar and then create a zone with the name contoso.com in Azure DNS. Since you're the owner of the domain, your registrar offers you the option to configure the name server (NS) records for your domain. The registrar stores the NS records in the .com parent zone. Internet users around the world are then directed to your domain in your Azure DNS zone when they try to resolve DNS records in contoso.com.
References: https://docs.microsoft.com/en-us/azure/dns/dns-delegate-domain-azure-dns

NO.289 **

You are planning to deploy an Ubuntu Server virtual machine to your company's Azure subscription. You are required to implement a custom deployment that includes adding a particular trusted root certification authority (CA). Which of the following should you use to create the virtual machine?

A. The New-AzureRmVm cmdlet.

B. The New-AzVM cmdlet.

C. The Create-AzVM cmdlet.

D. The az vm create command.

Suggested Answer: D
The Azure cloud-init documentation (https://learn.microsoft.com/en-us/azure/virtual-machines/linux/using-cloud-init) includes a direct reference to the cloud-init documentation site, which shows several cloud-init configuration examples, like "Configure an instance’s trusted CA certificates" (https://cloudinit.readthedocs.io/en/latest/reference/examples.html#configure-an-instance-s-trusted-ca-certificates). D should be the correct answer.

NO.290

You deploy an Azure Kubernetes Service (AKS) cluster named AKS1. You need to deploy a YAML file to AKS1.
Solution: From Azure Cloud Shell, you run az aks. Does this meet the goal?

A. Yes

B. No

Suggested Answer: B
To deploy a YAML file, the command is: kubectl apply -f <file_name>.yaml
Reference: https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough

Kubectl is not installed by installing Azure CLI. As stated, Azure CLI is already available, but installing Azure CLI doesn't mean that the Azure Kubernetes client is also installed.
So before running any aks command, we have to install kubectl, the Kubernetes command-line client.

az aks install-cli

Reference: https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough#connect-to-the-cluster

NO.291 **

You plan to create an Azure virtual machine named VM1 that will be configured as shown in the following exhibit.

img

The planned disk configurations for VM1 are shown in the following exhibit.

img

You need to ensure that VM1 can be created in an Availability Zone. Which two settings should you modify?
Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.

A. Use managed disks

B. OS disk type

C. Availability options

D. Size

E. Image

Suggested Answer: AC
A: Your VMs should use managed disks if you want to move them to an Availability Zone by using Site Recovery.


C: When you create a VM for an Availability Zone, under Settings > High availability, select one of the numbered zones from the Availability zone dropdown.

NO.292

You need to create storage5. The solution must support the planned changes. Which type of storage account should you use, and which account should you configure as the destination storage account? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Hot Area:

img

Suggested Answer:

img

Reference: https://docs.microsoft.com/en-us/azure/storage/blobs/object-replication-configure?tabs=portal

We want to use replication for blobs and only that storage type is available. The other one is in Premium, which should never apply to the exams. Quoting from https://docs.microsoft.com/en-us/azure/storage/blobs/object-replication-configure?tabs=portal: "Before you configure object replication, create the source and destination storage accounts if they do not already exist. The source and destination accounts can be either general-purpose v2 storage accounts or premium block blob accounts (preview)."

NO.293

You manage two Azure subscriptions named Subscription1 and Subscription2. Subscription1 has the following virtual networks:

img

The virtual networks contain the following subnets:

img

Subscription2 contains the following virtual network:
✑ Name: VNETA
✑ Address space: 10.10.128.0/17
✑ Location: Canada Central
VNETA contains the following subnets:

img

For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point. Hot Area:

img

Correct Answers are:

BOX 1: YES

This is possible. You can connect 2 Azure VNETs using a S2S VPN, a VNET-to-VNET connection (which is just an Azure-managed S2S VPN), or VNET Peering. It is a best practice to use VNET-to-VNET connections for Azure VNETs, and then S2S for other connections. You could make a S2S connection between 2 VNets with 2 VPN gateways or deploy a VPN software device in one VNet and a VPN gateway in another.

Reference: Connect VNet to VNet using S2S VPN https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-vnet-vnet-resource-manager-portal About Highly Available gateway configurations - Azure VPN Gateway https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-highlyavailable

BOX 2: YES

BOX 3: YES

There is no overlap between the networks: VNETA 10.10.128.0/17 has IP range (10.10.128.1 - 10.10.255.254) and VNET1 10.10.10.0/24 has IP range (10.10.10.1 - 10.10.10.254).

NO.294

You have an Azure subscription linked to an Azure Active Directory tenant. The tenant includes a user account named User1. You need to ensure that User1 can assign a policy to the tenant root management group. What should you do?
(A). Assign the Global administrator role to User1, and then instruct User1 to configure access management for Azure resources.

(B). Assign the Global administrator role to User1, and then modify the default conditional access policies.

(C). Assign the Owner role to User1, and then modify the default conditional access policies.

(D). Assign the Owner role to User1, and then instruct User1 to configure access management for Azure resources.

Answer: B

No one is given default access to the root management group. Azure AD Global Administrators are the only users that can elevate themselves to gain access.

Once they have access to the root management group, the global administrators can assign any Azure role to other users to manage it.

Reference: https://docs.microsoft.com/en-us/azure/governance/management-groups/overview#important-facts-about-the-root-management-group https://docs.microsoft.com/en-us/azure/governance/management-groups/overview

NO.295

You have an Azure subscription named Subscription1. Subscription1 contains the virtual machines in the following table:

img

Subscription1 contains a virtual network named VNet1 that has the subnets in the following table.

img

VM3 has multiple network adapters, including a network adapter named NIC3. IP forwarding is enabled on NIC3. Routing is enabled on VM3. You create a route table named RT1 that contains the routes in the following table.

img

You apply RT1 to Subnet1 and Subnet2. For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point. Hot Area:

img

Suggested Answer:

img

IP forwarding enables the virtual machine a network interface is attached to:
✑ Receive network traffic not destined for one of the IP addresses assigned to any of the IP configurations assigned to the network interface.
✑ Send network traffic with a different source IP address than the one assigned to one of a network interface's IP configurations.
The setting must be enabled for every network interface that is attached to the virtual machine that receives traffic that the virtual machine needs to forward. A virtual machine can forward traffic whether it has multiple network interfaces or a single network interface attached to it.

Box 1: Yes - The routing table allows connections from VM3 to VM1 and VM2. And as IP forwarding is enabled on VM3, VM3 can connect to VM1.

Box 2: No - VM3, which has IP forwarding, must be turned on, in order for VM2 to connect to VM1.

Box 3: Yes - The routing table allows connections from VM1 and VM2 to VM3. IP forwarding on VM3 allows VM1 to connect to VM2 via VM3.
References: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview https://www.quora.com/What-is-IP-forwarding

NO.296

You have an Azure subscription named Subscription1 that contains the resources shown in the following table.

img

Subscription1 also includes a virtual network named VNET2. VM1 connects to a virtual network named VNET2 by using a network interface named NIC1. You need to create a new network interface named NIC2 for VM1.
Solution: You create NIC2 in RG1 and West US. Does this meet the goal?

A. Yes

B. No

Suggested Answer: A
The virtual machine you attach a network interface to and the virtual network you connect it to must exist in the same location, here West US, also referred to as a region.
Reference: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface

NO.297 **

You need to create an Azure virtual machine named VM1 that requires a static private IP address configured inside the IP address space for the VNet in which the VM resides. How do you configure a static IP address for this Azure VM?

(A). After the VM has been created, create a new network interface and configure a static IP address for that network interface

(B). When creating a VM in the portal, select New next to private IP address and choose static after assigning the correct IP address

(C). When creating the VM in the portal, change the setting from dynamic to static on the networking tab under private IP address

(D). After the VM has been created, go to the network interface attached to the VM and change the IP configuration to static assignment

Answer: D

Changing the IP configuration on the network interface will achieve the requirement.

NO.298 *

You have an Azure Migrate project that has the following assessment properties:
✑ Target location: East US
✑ Storage redundancy: Locally redundant.
✑ Comfort factor: 2.0
✑ Performance history: 1 month
✑ Percentile utilization: 95th
✑ Pricing tier: Standard
✑ Offer: Pay as you go
You discover the following two virtual machines:
✑ A virtual machine named VM1 that runs Windows Server 2016 and has 10 CPU cores at 20 percent utilization
✑ A virtual machine named VM2 that runs Windows Server 2012 and has 4 CPU cores at 50 percent utilization
How many CPU cores will Azure Migrate recommend for each virtual machine?
To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Hot Area:

img

Suggested Answer:

img

Equation is: ‘core usage x comfort factor’. The comfort factor is 2.0. So VM1 is 10 cores at 20% utilization, which equals 2 cores. Multiply that by the comfort factor and you get 4 cores. VM2 is 4 cores at 50% utilization, which equals 2 cores. Multiply that by the comfort factor and you get 4 cores.

Box 2: 4 - 4 * 0.50 * 0.95 * 2 = 3.8
Note: The number of cores in the machines must be equal to or less than the maximum number of cores (128 cores) supported for an Azure VM. If performance history is available, Azure Migrate considers the utilized cores for comparison. If a comfort factor is specified in the assessment settings, the number of utilized cores is multiplied by the comfort factor. If there's no performance history, Azure Migrate uses the allocated cores, without applying the comfort factor.
References: https://docs.microsoft.com/en-us/azure/migrate/concepts-assessment-calculation

NO.299 **

You have an on-premises network that includes a Microsoft SQL Server instance named SQL1. You create an Azure Logic App named App1. You need to ensure that App1 can query a database on SQL1. Which three actions should you perform in sequence?
To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order. Select and Place:

img

Suggested Answer:

img

References: https://docs.microsoft.com/en-us/azure/logic-apps/logic-apps-gateway-connection

1 - From an on-premises computer, install an on-premises data gateway.
2 - From the Azure portal, create an on-premises data gateway
3 - From the Logic Apps Designer in the Azure portal, add a connector

NO.300 *

You have an Azure Active Directory (Azure AD) tenant. You plan to delete multiple users by using Bulk delete in the Azure Active Directory admin center. You need to create and upload a file for the bulk delete. Which user attributes should you include in the file?

A. The user principal name and usage location of each user only

B. The user principal name of each user only

C. The display name of each user only

D. The display name and usage location of each user only

E. The display name and user principal name of each user only

Suggested Answer: B
Reference: https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/users-bulk-delete
