Azure Certi 104-8 : 451 ~ 496

NO.451

You have an Azure subscription named Subscription1. Subscription1 contains a resource group named RG1. RG1 contains resources that were deployed by using templates. You need to view the date and time when the resources were created in RG1.
Solution: From the Subscriptions blade, you select the subscription, and then click Programmatic deployment. Does this meet the goal?

A. Yes

B. No

Suggested Answer: B
From the RG1 blade, click Deployments. You see a history of deployment for the resource group.
Reference: https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/template-tutorial-create-first-template?tabs=azure-powershell

NO.452

You have a .NET Core application running in Azure App Services. You are expecting a huge influx of traffic to your application in the coming days. When your application experiences this spike in traffic, you want to detect any anomalies such as request errors or failed queries immediately. What service can you use to assure that you know about these types of errors related to your .NET application immediately?

A. Application Insights Search

B. Log analytics workspace

C. Client-side monitoring

D. Live Metrics Stream in Application Insights

Correct Answer: D

Explanation: Live Metrics Stream shows, in near real time, the number of incoming requests, the duration of those requests, and any failures that occur. You can also inspect critical performance metrics such as processor and memory.

NO.453

You have an Azure subscription that contains a storage account named account1. You plan to upload the disk files of a virtual machine to account1 from your on-premises network. The on-premises network uses a public IP address space of 131.107.1.0/24. You plan to use the disk files to provision an Azure virtual machine named VM1. VM1 will be attached to a virtual network named VNet1. VNet1 uses an IP address space of 192.168.0.0/24. You need to configure account1 to meet the following requirements:
✑ Ensure that you can upload the disk files to account1.
✑ Ensure that you can attach the disks to VM1.
✑ Prevent all other access to account1.
Which two actions should you perform? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.

A. From the Firewalls and virtual networks blade of account1, add VNet1.

B. From the Firewalls and virtual networks blade of account1, select Allow trusted Microsoft services to access this storage account.

C. From the Firewalls and virtual networks blade of account1, add the 131.107.1.0/24 IP address range.

D. From the Firewalls and virtual networks blade of account1, select Selected networks.

E. From the Service endpoints blade of VNet1, add a service endpoint.

Suggested Answer: CD
D: By default, storage accounts accept connections from clients on any network. To limit access to selected networks, you must first change the default action.

Azure portal -

  1. Navigate to the storage account you want to secure.
  2. Click on the settings menu called Firewalls and virtual networks.
  3. To deny access by default, choose to allow access from 'Selected networks'. To allow traffic from all networks, choose to allow access from 'All networks'.
  4. Click Save to apply your changes.

https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security

Option D switches the account from the default "All networks" to "Selected networks"; without that change an IP rule has no effect, because everything is already allowed. Option C then admits only the on-premises public range 131.107.1.0/24, which is all the upload needs. VNet1 does not have to be added (options A and E): virtual machine disk traffic, including mount, unmount and disk I/O, is not subject to storage network rules, so VM1 can attach the disks without a virtual network rule, and adding VNet1 would open REST access to the account from the VNet, which the third requirement forbids. "Allow trusted Microsoft services" (option B) is selected by default when you switch to Selected networks and is not part of the requirement. So D is performed first and C second.

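The two steps above as an added PowerShell example that is not part of the exam dump: it applies options D and C with the Az.Storage cmdlets and then reads the rule set back to confirm that nothing else is open. The resource group name RG1 is an assumption; the account name and the address range come from the question.

```powershell
# Added example, not from the exam dump. Assumes account1 lives in resource group "RG1"
# (assumed name) and that an Az context is already signed in. Requires Az.Storage.
$rg      = 'RG1'
$account = 'account1'

# Option D: change the default action to Deny (the "Selected networks" choice in the portal).
# -Bypass AzureServices is the "Allow trusted Microsoft services" exception, which the portal
# turns on by default; keeping it does not open the account to arbitrary Azure tenants.
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $account `
    -DefaultAction Deny -Bypass AzureServices

# Option C: admit only the on-premises public range so the disk files can be uploaded.
# IP rules take public IPv4 ranges only; RFC 1918 space is rejected by the service.
Add-AzStorageAccountNetworkRule -ResourceGroupName $rg -Name $account `
    -IPAddressOrRange '131.107.1.0/24'

# Deliberately no rule for VNet1 (options A and E): VM disk traffic, including mount, unmount
# and disk I/O, is not subject to storage network rules, so VM1 still attaches the disks,
# while a virtual network rule would open REST access from every host in the subnets added.

# Check the result: DefaultAction Deny, exactly one IP rule, no virtual network rules.
$ruleSet = Get-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $account
$ruleSet | Select-Object DefaultAction, Bypass,
    @{ n = 'IpRules';   e = { ($_.IpRules | ForEach-Object IPAddressOrRange) -join ', ' } },
    @{ n = 'VnetRules'; e = { @($_.VirtualNetworkRules).Count } }
```

Run the upload from a host inside 131.107.1.0/24 afterwards; a workstation elsewhere, including one inside VNet1, is refused, which is the intended outcome of the third requirement.
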
NO.454

You have an Azure subscription. The subscription contains virtual machines that run Windows Server 2016 and are configured as shown in the following table.

img

You create a public Azure DNS zone named adatum.com and a private Azure DNS zone named contoso.com. You create a virtual network link for contoso.com as shown in the following exhibit.

img

For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point. Hot Area:

img

Suggested Answer:

img

All three VMs are in VNET2. Auto registration is enabled on the link between the private DNS zone contoso.com and VNET2, so VM1, VM2 and VM3 auto-register their host (A) records in contoso.com. None of the VMs auto-registers in the public DNS zone adatum.com: auto registration exists only for private DNS zones, and a public zone never receives VM records automatically.

Box 1: Yes. Auto registration is enabled for the private Azure DNS zone contoso.com.
Box 2: Yes. Auto registration is enabled for the private Azure DNS zone contoso.com.
Box 3: No. None of the VMs auto-registers in the public Azure DNS zone adatum.com.

Reference: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances https://docs.microsoft.com/en-us/azure/dns/private-dns-autoregistration

NO.455

You have an Azure subscription named Subscription1. You deploy a Linux virtual machine named VM1 to Subscription1. You need to monitor the metrics and the logs of VM1. What should you use?

A. Azure HDInsight

B. Linux Diagnostic Extension (LAD) 3.0

C. the AzurePerformanceDiagnostics extension

D. Azure Analysis Services

Suggested Answer: B
The Linux Diagnostic Extension (LAD) installs the diagnostics agent on the Linux VM.

The Linux diagnostic extension helps a user monitor the health of a Linux VM running on Microsoft Azure. It can collect metrics, syslog events and log files.
A: Azure HDInsight is a managed, full-spectrum, open-source analytics service in the cloud for enterprises. You can use open-source frameworks such as Hadoop, Apache Spark, Apache Hive, LLAP, Apache Kafka, Apache Storm, R, and more.
C: Azure Performance Diagnostics VM Extension is used for Windows VM only.
D: Azure Analysis Services is a fully managed platform as a service (PaaS) that provides enterprise-grade data models in the cloud.


Reference: https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/diagnostics-linux

NO.456

You have an app named App1 that is installed on two Azure virtual machines named VM1 and VM2. Connections to App1 are managed by using an Azure Load Balancer. The effective network security configurations for VM2 are shown in the following exhibit.

img

You discover that connections to App1 from 131.107.100.50 over TCP port 443 fail. You verify that the Load Balancer rules are configured correctly. You need to ensure that connections to App1 can be established successfully from 131.107.100.50 over TCP port 443.
Solution: You create an inbound security rule that allows any traffic from the AzureLoadBalancer source and has a priority of 150. Does this meet the goal?

A. Yes

B. No

Suggested Answer: B
The AzureLoadBalancer service tag matches only the load balancer's health-probe source address, and the default rule at priority 65001 already allows that. Client connections that pass through the load balancer reach VM2 with the client's original source address (131.107.100.50), so a rule that allows the AzureLoadBalancer source changes nothing for them.
Reference: https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview

I am 100% sure the answer is No. If you check the picture you will see that you can attach a network interface (NIC), which means that VM2's status is stopped.

dimsok 3 weeks, 3 days ago

Selected Answer: B

The rule is there and it is correct. Something else is wrong (e.g. VM stopped?)

NO.457

You have an Azure subscription that contains the Azure virtual machines shown in the following table.

img

You add inbound security rules to a network security group (NSG) named NSG1 as shown in the following table.

img

You run Azure Network Watcher as shown in the following exhibit.

img

You run Network Watcher again as shown in the following exhibit.

img

For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point. Hot Area:

img

Suggested Answer:

img

Box 1: No. It limits traffic to VM2, but not VM1 traffic.

Box 2: Yes. The destination is VM2.

Box 3: No.
Reference: https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works

NO.458

You have a virtual network named VNet1 that has the configuration shown in the following exhibit.

img

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
NOTE: Each correct selection is worth one point. Hot Area:

img
  1. Add an address space
  2. Add a subnet

NO.459

You have an Azure subscription that contains two on-premises locations named site1 and site2. You need to connect site1 and site2 by using an Azure Virtual WAN. Which four actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order. Select and Place:

img

Suggested Answer:

img

Reference: https://docs.microsoft.com/en-us/azure/virtual-wan/virtual-wan-site-to-site-portal

NO.460

You need to configure Azure Backup to back up the file shares and virtual machines.

img
img

What is the minimum number of Recovery Services vaults and backup policies you should create? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Hot Area:

img

Suggested Answer:

img

Box 1: 3. A Recovery Services vault protects data sources in its own region, so with file shares and VMs spread over West US, East US and Central US you need one vault per region, three in total.

Box 2: 6. A backup policy is scoped to a vault and to one workload type, so each vault needs one policy for Azure file shares and one for VMs: 3 file share policies + 3 VM policies = 6. Note: Back up the Azure file shares and virtual machines by using Azure Backup.

Reference: https://docs.microsoft.com/en-us/azure/backup/backup-create-rs-vault https://docs.microsoft.com/en-us/azure/backup/guidance-best-practices

NO.461

You have an app named App1 that runs on two Azure virtual machines named VM1 and VM2. You plan to implement an Azure Availability Set for App1. The solution must ensure that App1 is available during planned maintenance of the hardware hosting VM1 and VM2. What should you include in the Availability Set?

A. one update domain

B. two fault domains

C. one fault domain

D. two update domains

Suggested Answer: D
Microsoft updates, which Microsoft refers to as planned maintenance events, sometimes require that VMs be rebooted to complete the update. To reduce the impact on VMs, the Azure fabric is divided into update domains to ensure that not all VMs are rebooted at the same time.
Incorrect Answers:A: An update domain is a group of VMs and underlying physical hardware that can be rebooted at the same time.
B, C: A fault domain shares common storage as well as a common power source and network switch. It is used to protect against unplanned system failure.
References: https://petri.com/understanding-azure-availability-sets https://docs.microsoft.com/en-us/azure/virtual-machines/windows/tutorial-availability-sets

NO.462

You have an Azure subscription that contains the following users in an Azure Active Directory tenant named contoso.onmicrosoft.com:

img

User1 creates a new Azure Active Directory tenant named external.contoso.onmicrosoft.com. You need to create new user accounts in external.contoso.onmicrosoft.com.
Solution: You instruct User2 to create the user accounts. Does that meet the goal?

A. Yes

B. No

Suggested Answer: B
Only a global administrator can add users to this tenant.
Reference: https://docs.microsoft.com/en-us/azure/devops/organizations/accounts/add-users-to-azure-ad

Answer is B.
Looks like the question was definitely reworded at some point, messing up the answer voting and comments. Global admins won't automatically get the global admin role in a newly created tenant; the owner needs to grant the permission anew.
https://learn.microsoft.com/en-us/answers/questions/1163804/need-clear-understanding-on-the-permissions-global

NO.463

You have an Azure virtual machine named VM1. The network interface for VM1 is configured as shown in the exhibit. (Click the Exhibit tab.)

img

You deploy a web server on VM1, and then create a secure website that is accessible by using the HTTPS protocol. VM1 is used as a web server only. You need to ensure that users can connect to the website from the Internet. What should you do?

A. Modify the protocol of Rule4

B. Delete Rule1

C. For Rule5, change the Action to Allow and change the priority to 401

D. Create a new inbound rule that allows TCP protocol 443 and configure the rule to have a priority of 501.

Suggested Answer: C
HTTPS uses TCP port 443. Rule2, with priority 500, denies HTTPS traffic. Rule5, with its priority changed from 2000 to 401, would allow HTTPS traffic before Rule2 is reached. Option D fails for the same reason: a new allow rule at priority 501 is evaluated after Rule2's deny at 500 and is never reached.
Note: Priority is a number between 100 and 4096. Rules are processed in priority order, with lower numbers processed before higher numbers, because lower numbers have higher priority. Once traffic matches a rule, processing stops. As a result, any rules with lower priority (higher numbers) that have the same attributes as rules with higher priority are never processed.
Note: There are several versions of this question in the exam. The question has two possible correct answers:

  1. Change the priority of Rule3 to 450.
  2. For Rule5, change the Action to Allow and change the priority to 401.

Other incorrect answer options you may see on the exam include the following:
✑ Modify the action of Rule1.
✑ Change the priority of Rule6 to 100.
✑ For Rule4, change the protocol from UDP to Any.
Reference: https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview

NO.464

You create the following resources in an Azure subscription:
✑ An Azure Container Registry instance named Registry1
✑ An Azure Kubernetes Service (AKS) cluster named Cluster1
You create a container image named App1 on your administrative workstation. You need to deploy App1 to Cluster1. What should you do first?

A. Run the docker push command.

B. Create an App Service plan.

C. Run the az acr build command.

D. Run the az aks create command.

Suggested Answer: A
An Azure container registry stores and manages private Docker container images, similar to the way Docker Hub stores public Docker images. You can use the Docker command-line interface (Docker CLI) for login, push, pull, and other operations on your container registry. After you log in to the registry you run the push command to upload the image; the image must be tagged with the registry's login server name, for example docker push myregistry.azurecr.io/samples/nginx. The deployment to Cluster1 then references that registry path.
Reference: https://docs.microsoft.com/en-us/azure/container-registry/container-registry-get-started-docker-cli

NO.465

You have an Azure subscription. The subscription contains a virtual machine that runs Windows 10. You need to join the virtual machine to an Active Directory domain. How should you complete the Azure Resource Manager (ARM) template? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Hot Area:

img

Suggested Answer:

img

Box 1: "Microsoft.Compute/virtualMachines/extensions". The JSON example uses the Microsoft.Compute/virtualMachines/extensions resource type to install the Active Directory domain join extension (publisher Microsoft.Compute, type JsonADDomainExtension). Parameters are used that you specify at deployment time. When the extension is deployed, the VM is joined to the specified domain.
Box 2: "ProtectedSettings": {. The join account's password belongs in protectedSettings rather than settings: protectedSettings is encrypted before it reaches the VM and is never returned when the extension resource is read, whereas settings is stored and returned in clear text.

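Q465's template as a complete deployment, added here as an example that is not from the exam dump: the extension resource is deployed from PowerShell with the password kept out of the template file and out of the shell history. The resource group RG1, the domain adatum.com, the join account adatum\joiner and the extension name joindomain are assumptions; the resource type and the settings/protectedSettings split are those of the question.

```powershell
# Added example, not from the exam dump. Assumed names: resource group RG1, domain adatum.com,
# join account adatum\joiner, extension name "joindomain". Requires Az.Resources and Az.Compute.
$template = @'
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "vmName":             { "type": "string" },
    "domainName":         { "type": "string" },
    "domainJoinUser":     { "type": "string" },
    "domainJoinPassword": { "type": "securestring" },
    "ouPath":             { "type": "string", "defaultValue": "" }
  },
  "resources": [
    {
      "type": "Microsoft.Compute/virtualMachines/extensions",
      "apiVersion": "2021-03-01",
      "name": "[concat(parameters('vmName'), '/joindomain')]",
      "location": "[resourceGroup().location]",
      "properties": {
        "publisher": "Microsoft.Compute",
        "type": "JsonADDomainExtension",
        "typeHandlerVersion": "1.3",
        "autoUpgradeMinorVersion": true,
        "settings": {
          "Name":    "[parameters('domainName')]",
          "OUPath":  "[parameters('ouPath')]",
          "User":    "[parameters('domainJoinUser')]",
          "Restart": "true",
          "Options": "3"
        },
        "protectedSettings": {
          "Password": "[parameters('domainJoinPassword')]"
        }
      }
    }
  ]
}
'@

# Write the template without a BOM so that any tooling reading it afterwards parses it cleanly.
$templatePath = Join-Path ([System.IO.Path]::GetTempPath()) 'joindomain.json'
[System.IO.File]::WriteAllText($templatePath, $template)

# Prompt for the password instead of placing it in the script, a parameter file or the history.
$password = Read-Host -Prompt 'Domain join password' -AsSecureString

# Template parameters become dynamic parameters of the cmdlet; securestring stays a SecureString.
New-AzResourceGroupDeployment -ResourceGroupName 'RG1' -TemplateFile $templatePath `
    -vmName 'VM1' -domainName 'adatum.com' -domainJoinUser 'adatum\joiner' `
    -domainJoinPassword $password

# Check: the extension reports Succeeded; ProtectedSettings comes back empty on a read.
Get-AzVMExtension -ResourceGroupName 'RG1' -VMName 'VM1' -Name 'joindomain' |
    Select-Object Name, ProvisioningState, Publisher, ExtensionType, TypeHandlerVersion
```

"Options": "3" is the join flag combination the extension documents for a plain join that creates the computer account if it is missing; the join account therefore only needs rights to create computer objects in the target OU, not domain admin.
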
NO.466

Your network contains an on-premises Active Directory domain named adatum.com. The domain contains an organizational unit (OU) named OU1. OU1 contains the objects shown in the following table.

You sync OU1 to Azure Active Directory (Azure AD) by using Azure AD Connect. You need to identify which objects are synced to Azure AD. Which objects should you identify?

(A). User1 and Group1 only

(B). User1, Group1, and Group2 only

(C). User1, Group1, Group2, and Computer1

(D). Computer1 only

Answer: B

Reference: https://docs.microsoft.com/en-us/azure/active-directory-domain-services/synchronization

NO.467

You have an Azure subscription that contains 10 virtual machines. You need to ensure that you receive an email message when any virtual machines are powered off, restarted, or deallocated. What is the minimum number of rules and action groups that you require?

A. three rules and three action groups

B. one rule and one action group

C. three rules and one action group

D. one rule and three action groups

Suggested Answer: C
We need a separate rule for each condition. We also need a separate action group for each action type that we want to fire when the rule is met. In this scenario we have three conditions (when any virtual machines are powered off, restarted, or deallocated) and one action type (you are sent an email message).
References: https://docs.microsoft.com/en-us/azure/azure-monitor/platform/alerts-action-rules https://docs.microsoft.com/en-us/azure/azure-monitor/platform/alerts-metric-overview https://docs.microsoft.com/en-us/azure/azure-monitor/platform/action-groups

NO.468

You have an Azure subscription. You are deploying an Azure Kubernetes Service (AKS) cluster that will contain multiple pods. The pods will use kubenet networking. You need to restrict network traffic between the pods. What should you configure on the AKS cluster?

A. the Azure network policy

B. the Calico network policy

C. pod security policies

D. an application security group

Suggested Answer: B
With kubenet, only the Calico network policy is available; the Azure network policy requires Azure CNI, while Calico works with either network plugin. Pod security policies control what a pod may do, not which pods may talk to each other, and application security groups apply to NSG rules on VM network interfaces, not to pods.
Reference: https://docs.microsoft.com/en-us/azure/aks/use-network-policies

NO.469

You have an Azure subscription named Subscription1. Subscription1 contains a virtual machine named VM1. You have a computer named Computer1 that runs Windows 10. Computer1 is connected to the Internet. You add a network interface named Interface1 to VM1 as shown in the exhibit. (Click the Exhibit tab.)

img

From Computer1, you attempt to connect to VM1 by using Remote Desktop, but the connection fails. You need to establish a Remote Desktop connection to VM1. What should you do first?

A. Change the priority of the RDP rule.

B. Attach a network interface.

C. Delete the DenyAllInBound rule.

D. Start VM1.

Suggested Answer: D
Incorrect Answers:
A: Rules are processed in priority order, with lower numbers processed before higher numbers, because lower numbers have higher priority. Once traffic matches a rule, processing stops. The RDP rule already has the lowest number and thus the highest priority.
B: The network interface has already been attached to VM1.
C: DenyAllInBound is a default rule. Default rules cannot be deleted, only outranked by a rule with a lower priority number, and the existing RDP allow rule already does that.
Reference: https://docs.microsoft.com/en-us/azure/virtual-network/security-overview

NO.470

You are configuring Azure Active Directory (Azure AD) authentication for an Azure Storage account named storage1. You need to ensure that the members of a group named Group1 can upload files by using the Azure portal. The solution must use the principle of least privilege. Which two roles should you configure for storage1? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.

A. Storage Account Contributor

B. Storage Blob Data Contributor

C. Reader

D. Contributor

E. Storage Blob Data Reader

Suggested Answer: BC
To access blob data in the Azure portal with Azure AD credentials, a user must have the following role assignments:
✑ A data access role, such as Storage Blob Data Reader or Storage Blob Data Contributor
✑ The Azure Resource Manager Reader role, at a minimum
The Reader role is an Azure Resource Manager role that permits users to view storage account resources, but not modify them. It does not provide read permissions to data in Azure Storage, but only to account management resources. The Reader role is necessary so that users can navigate to blob containers in the Azure portal.
Note: in order from least to greatest permissions:
✑ The Reader and Data Access role
✑ The Storage Account Contributor role
✑ The Azure Resource Manager Contributor role
✑ The Azure Resource Manager Owner role
Reference:https://docs.microsoft.com/en-us/azure/storage/blobs/assign-azure-role-data-access

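Q470's two assignments as an added PowerShell example, not part of the exam dump: Reader at the account, and the data role scoped as narrowly as the upload path allows. The resource group RG1 and the container name uploads are assumptions.

```powershell
# Added example, not from the exam dump. Assumes resource group RG1 and a container named
# "uploads" (both assumed). Requires Az.Resources and Az.Storage.
$storage = Get-AzStorageAccount -ResourceGroupName 'RG1' -Name 'storage1'
$group   = Get-AzADGroup -DisplayName 'Group1'

# Control-plane role: lets members find storage1 and browse its containers in the portal.
# Reader carries no data-plane actions and no listKeys, so it exposes neither blob contents
# nor the account keys.
New-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName 'Reader' -Scope $storage.Id

# Data-plane role, scoped to one container rather than the whole account. Widen the scope to
# $storage.Id only if Group1 really must write to every container.
$containerScope = "$($storage.Id)/blobServices/default/containers/uploads"
New-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName 'Storage Blob Data Contributor' `
    -Scope $containerScope

# Review what Group1 holds at or below the account.
Get-AzRoleAssignment -ObjectId $group.Id |
    Where-Object { $_.Scope -like "$($storage.Id)*" } |
    Select-Object RoleDefinitionName, Scope
```

Storage Account Contributor (option A) is not least privilege for this task: it includes the listKeys action, which hands the member the account keys and therefore full data access that bypasses Azure AD entirely. New role assignments can take a few minutes to take effect in the portal.
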
NO.471

You have an Azure subscription that contains the following resources:
✑ A virtual network that has a subnet named Subnet1
✑ Two network security groups (NSGs) named NSG-VM1 and NSG-Subnet1
✑ A virtual machine named VM1 that has the required Windows Server configurations to allow Remote Desktop connections
NSG-Subnet1 has the default inbound security rules only. NSG-VM1 has the default inbound security rules and the following custom inbound security rule:
✑ Priority: 100
✑ Source: Any
✑ Source port range: *
✑ Destination: *
✑ Destination port range: 3389
✑ Protocol: UDP
✑ Action: Allow
VM1 connects to Subnet1. NSG-VM1 is associated to the network interface of VM1. NSG-Subnet1 is associated to Subnet1. You need to be able to establish Remote Desktop connections from the internet to VM1.
Solution: You add an inbound security rule to NSG-Subnet1 and NSG-VM1 that allows connections from the internet source to the VirtualNetwork destination for port range 3389 and uses the TCP protocol. Does this meet the goal?

A. Yes

B. No

Suggested Answer: A
The default port for RDP is TCP 3389. For inbound traffic Azure evaluates the NSG on the subnet first and then the NSG on the network interface, so both NSG-Subnet1 and NSG-VM1 must allow TCP 3389 from the Internet: NSG-Subnet1 currently has only the default rules, under which DenyAllInBound drops the connection, and the custom rule in NSG-VM1 allows UDP only. Adding the TCP rule to both NSGs therefore meets the goal. Note on NSG-Subnet1: Azure routes network traffic between all subnets in a virtual network by default, so no routing change is needed.
References: https://docs.microsoft.com/en-us/azure/virtual-machines/troubleshooting/troubleshoot-rdp-connection

Solution: You add an inbound security rule to NSG-Subnet1 that allows connections from the Internet source to the VirtualNetwork destination for port range 3389 and uses the UDP protocol. Does this meet the goal?

A. Yes

B. No

Answer: B
The default port for RDP is TCP 3389, not UDP. NSGs deny all inbound traffic except from the virtual network or Azure load balancers. For inbound traffic, Azure processes the rules in the network security group associated to the subnet first, and then the rules in the network security group associated to the network interface.

By default, an NSG rule that allows traffic through RDP port 3389 is not created automatically when a VM is created unless you select it during creation. In this solution UDP traffic is allowed at the subnet level, which is not the TCP protocol RDP uses, so the goal is not met.
Reference: https://docs.microsoft.com/en-us/azure/virtual-machines/troubleshooting/troubleshoot-rdp-connection https://docs.microsoft.com/en-us/azure/virtual-network/security-overview#default-security-rules

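Q463, Q469 and Q471 all turn on the same two facts about NSG evaluation: the subnet NSG is checked before the NIC NSG, and inside an NSG the first match in ascending priority order decides. The following PowerShell model, added here and not part of the exam dump, replays those scenarios offline. The three default rules and their priorities are Azure's real ones; the custom rule names, addresses and packets are constructed for the demonstration, and the source-tag handling is a simplification (the real Internet and VirtualNetwork tags are address lists).

```powershell
# Added example, not from the exam dump: a model of inbound NSG evaluation.
# Runs offline in Windows PowerShell 5.1 or PowerShell 7; no Az module needed.
# Default rules and priorities are Azure's; custom rules, addresses and packets are constructed.

function New-NsgRule {
    param([int]$Priority, [string]$Name, [string]$Protocol, [string]$Source,
          [string]$DestPort, [ValidateSet('Allow', 'Deny')][string]$Action)
    [pscustomobject]@{
        Priority = $Priority; Name = $Name; Protocol = $Protocol
        Source = $Source; DestPort = $DestPort; Action = $Action
    }
}

# Present in every NSG. They cannot be deleted, only outranked by a lower-numbered rule.
$defaultInbound = @(
    New-NsgRule 65000 'AllowVnetInBound'              'Any' 'VirtualNetwork'    '*' 'Allow'
    New-NsgRule 65001 'AllowAzureLoadBalancerInBound' 'Any' 'AzureLoadBalancer' '*' 'Allow'
    New-NsgRule 65500 'DenyAllInBound'                'Any' '*'                 '*' 'Deny'
)

function Test-RuleMatch($Rule, $Packet) {
    $protocolOk = ($Rule.Protocol -eq 'Any') -or ($Rule.Protocol -eq $Packet.Protocol)
    $sourceOk = switch ($Rule.Source) {
        '*'                 { $true }
        'Internet'          { $Packet.FromInternet }
        'VirtualNetwork'    { -not $Packet.FromInternet }
        'AzureLoadBalancer' { $Packet.IsHealthProbe }   # probes only; client traffic keeps its own source IP (Q456)
        default             { $Rule.Source -eq $Packet.SourceIp }
    }
    $portOk = ($Rule.DestPort -eq '*') -or (($Rule.DestPort -split ',') -contains "$($Packet.DestPort)")
    return ($protocolOk -and $sourceOk -and $portOk)
}

# First match in ascending priority order wins; the default rules are always appended.
function Invoke-NsgEvaluation($Rules, $Packet) {
    foreach ($rule in ((@($Rules) + @($defaultInbound)) | Sort-Object Priority)) {
        if (Test-RuleMatch $rule $Packet) { return "$($rule.Action) by $($rule.Name) ($($rule.Priority))" }
    }
}

# Subnet NSG first, NIC NSG second; a deny at either level is final.
# Pass $null for an NSG that is not attached, @() for one that has only the default rules.
function Test-InboundPath($SubnetNsg, $NicNsg, $Packet) {
    $subnet = 'no NSG'
    if ($null -ne $SubnetNsg) {
        $subnet = Invoke-NsgEvaluation $SubnetNsg $Packet
        if ($subnet -like 'Deny*') { return "blocked at subnet NSG: $subnet" }
    }
    $nic = 'no NSG'
    if ($null -ne $NicNsg) {
        $nic = Invoke-NsgEvaluation $NicNsg $Packet
        if ($nic -like 'Deny*') { return "blocked at NIC NSG: $nic" }
    }
    return "allowed (subnet: $subnet; NIC: $nic)"
}

# Constructed packets from an Internet client.
$rdp   = [pscustomobject]@{ Protocol = 'TCP'; DestPort = 3389; SourceIp = '203.0.113.10'; FromInternet = $true; IsHealthProbe = $false }
$https = [pscustomobject]@{ Protocol = 'TCP'; DestPort = 443;  SourceIp = '203.0.113.10'; FromInternet = $true; IsHealthProbe = $false }

# Q471 as stated: NSG-VM1 allows UDP/3389 only, NSG-Subnet1 carries only the defaults.
$nsgVm1 = @( New-NsgRule 100 'rdp-udp' 'UDP' '*' '3389' 'Allow' )
Test-InboundPath @() $nsgVm1 $rdp

# Q471 proposed fix: TCP/3389 from Internet allowed on both NSGs.
$fix = New-NsgRule 110 'rdp-tcp' 'TCP' 'Internet' '3389' 'Allow'
Test-InboundPath @($fix) ($nsgVm1 + $fix) $rdp

# Q463 pattern, NIC NSG only: a deny at 500 outranks an allow at 2000; at 401 the allow wins.
$rule2 = New-NsgRule 500 'Rule2' 'TCP' '*' '443' 'Deny'
Test-InboundPath $null @($rule2, (New-NsgRule 2000 'Rule5' 'TCP' '*' '443' 'Allow')) $https
Test-InboundPath $null @($rule2, (New-NsgRule 401 'Rule5' 'TCP' '*' '443' 'Allow')) $https
```

The first call stops at DenyAllInBound in the subnet NSG before the NIC NSG is ever consulted, and the third stops at Rule2; the second and fourth report the connection as allowed. On a live VM the same merged view comes from Get-AzEffectiveNetworkSecurityGroup -NetworkInterfaceName <nic> -ResourceGroupName <rg> (the effective security rules blade in the portal), and Network Watcher's IP flow verify answers the question for one specific 5-tuple.
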
NO.472

You have an Azure subscription named Subscription1. Subscription1 contains the resources in the following table.

img

In Azure, you create a private DNS zone named adatum.com. You set the registration virtual networks to VNet2. The adatum.com zone is configured as shown in the following exhibit.

img

For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point. Hot Area:

img

Suggested Answer:

img

Box 1: No -Azure DNS provides automatic registration of virtual machines from a single virtual network that's linked to a private zone as a registration virtual network. VM5 does not belong to the registration virtual network though.

Box 2: No -Forward DNS resolution is supported across virtual networks that are linked to the private zone as resolution virtual networks. VM5 does belong to a resolution virtual network.

Box 3: Yes. VM6 belongs to the registration virtual network, and an A (host) record exists for VM9 in the DNS zone. By default, registration virtual networks also act as resolution virtual networks, in the sense that DNS resolution against the zone works from any of the virtual machines within the registration virtual network.
Reference: https://docs.microsoft.com/en-us/azure/dns/private-dns-overview

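Q454 and Q472 both depend on the difference between a registration link and a resolution-only link. As an added example, not from the exam dump, the following builds Q472's adatum.com private zone with VNet2 as the registration network, adds a resolution-only link for a second network, and lists the records that appeared. The resource group RG1 and the second network's name VNet1 are assumptions.

```powershell
# Added example, not from the exam dump. Assumes resource group RG1 holds VNet2 and a second
# network VNet1 (assumed name). Requires Az.PrivateDns and Az.Network.
$rg   = 'RG1'
$zone = New-AzPrivateDnsZone -ResourceGroupName $rg -Name 'adatum.com'

# Registration link: VMs in VNet2 auto-register A records and VNet2 can resolve the zone.
# A virtual network can be the registration network for only one private zone.
$vnet2 = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'VNet2'
New-AzPrivateDnsVirtualNetworkLink -ResourceGroupName $rg -ZoneName $zone.Name `
    -Name 'vnet2-registration' -VirtualNetworkId $vnet2.Id -EnableRegistration

# Resolution-only link: VMs in VNet1 can query adatum.com but are never registered,
# which is the Q472 Box 1 situation for a VM outside the registration network.
$vnet1 = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'VNet1'
New-AzPrivateDnsVirtualNetworkLink -ResourceGroupName $rg -ZoneName $zone.Name `
    -Name 'vnet1-resolution' -VirtualNetworkId $vnet1.Id

# Auto-registered records carry the VM hostnames. A public zone (the adatum.com of Q454)
# has no registration mechanism, so nothing is ever added there automatically.
Get-AzPrivateDnsRecordSet -ResourceGroupName $rg -ZoneName $zone.Name -RecordType A |
    Select-Object Name, Ttl, @{ n = 'Ip'; e = { ($_.Records | ForEach-Object Ipv4Address) -join ', ' } }
```

Auto-registration writes and removes records as VMs are created and deleted, so the record list is the quickest way to confirm which network a link actually registers; a VM in VNet1 that needs a name must be added as a manual record set.
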
NO.473

You have an Azure virtual machine named VM1 and a Recovery Services vault named Vault1. You create a backup policy named Policy1 as shown in the exhibit. (Click the Exhibit tab.)

img

You configure the backup of VM1 to use Policy1 on Thursday, January 1 at 1:00 AM. You need to identify the number of available recovery points for VM1. How many recovery points are available on January 8 and January 15? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Hot Area:

img

Suggested Answer:

img

Box 1: 6. The 5 latest daily recovery points, which include the weekly backup from the previous Sunday, plus the monthly recovery point.

Box 2: 8. The 5 latest daily recovery points, plus two weekly backups, plus the monthly recovery point.

1. 4 daily + 1 daily/weekly + 1 monthly = 6
2. 4 daily + 1 daily/weekly + 1 weekly + 1 monthly + 1 yearly = 8

Reference: https://social.technet.microsoft.com/Forums/en-US/854ab6ae-79aa-4bad-ac65-471c4d422e94/daily-monthly-yearly-recovery-points-and-storage-used?forum=windowsazureonlinebackup

Recalculate this later....

NO.474

You deploy an Azure Kubernetes Service (AKS) cluster named AKS1. You need to deploy a YAML file to AKS1.
Solution: From Azure Cloud Shell, you run az aks. Does this meet the goal?

A. Yes

B. No

Suggested Answer: B
To deploy a YAML file, the command is: kubectl apply -f <file_name>.yaml
Reference: https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough

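Q464, Q468 and Q474 are three steps of one workflow: push the image to Registry1, then apply manifests to Cluster1 with kubectl, here including the network policy that restricts pod-to-pod traffic. The following is an added example and not from the exam dump. It assumes resource group RG1, a local image tagged app1:1.0 that listens on port 8080, and that Cluster1 was created with the Calico network policy (the only choice with kubenet, since the Azure network policy requires Azure CNI).

```powershell
# Added example, not from the exam dump. Assumes resource group RG1, a local image app1:1.0
# listening on 8080, and Cluster1 created with the Calico network policy. Requires
# Az.ContainerRegistry, Az.Aks, docker and kubectl on the workstation.
$rg = 'RG1'

# 1. Authenticate docker to Registry1 with the signed-in Azure identity; the registry's
#    admin user can stay disabled.
$acr = Get-AzContainerRegistry -ResourceGroupName $rg -Name 'Registry1'
Connect-AzContainerRegistry -Name $acr.Name

# 2. Q464: tag with the login server and push. A bare "app1:1.0" would go to Docker Hub.
$image = "$($acr.LoginServer)/app1:1.0"
docker tag app1:1.0 $image
docker push $image

# 3. Q474: merge Cluster1's credentials into kubeconfig and apply the manifests with kubectl.
#    The cluster's kubelet identity needs AcrPull on Registry1 or the image pull fails.
Import-AzAksCredential -ResourceGroupName $rg -Name 'Cluster1' -Force

$manifest = @"
apiVersion: apps/v1
kind: Deployment
metadata: { name: app1, labels: { app: app1 } }
spec:
  replicas: 2
  selector: { matchLabels: { app: app1 } }
  template:
    metadata: { labels: { app: app1 } }
    spec:
      containers:
      - name: app1
        image: $image
        ports: [ { containerPort: 8080 } ]
---
# Q468: default deny, then one explicit allow. Without a policy every pod can reach every pod.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata: { name: default-deny-ingress }
spec:
  podSelector: {}
  policyTypes: [ Ingress ]
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata: { name: allow-frontend-to-app1 }
spec:
  podSelector: { matchLabels: { app: app1 } }
  policyTypes: [ Ingress ]
  ingress:
  - from:
    - podSelector: { matchLabels: { role: frontend } }
    ports: [ { protocol: TCP, port: 8080 } ]
"@

$manifest | kubectl apply -f -

# 4. Check the rollout and the policies that now govern the namespace.
kubectl rollout status deployment/app1
kubectl get networkpolicy
```

The two NetworkPolicy objects are ordinary Kubernetes resources; they are only enforced because the cluster has a policy engine. On a kubenet cluster created without --network-policy they apply cleanly and silently do nothing, which is the failure mode Q468 is about.
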
NO.475

You have an Azure virtual machine named VM1 that runs Windows Server 2016. You need to create an alert in Azure when more than two error events are logged to the System log on VM1 within an hour.
Solution: You create an Azure Log Analytics workspace and configure the data settings. You install the Microsoft Monitoring Agent on VM1. You create an alert in Azure Monitor and specify the Log Analytics workspace as the source.

Does this meet the goal?

(A). Yes

(B). No

Answer: A

Alerts in Azure Monitor can identify important information in your Log Analytics repository. They are created by alert rules that automatically run log searches at regular intervals; if the results of the log search match particular criteria, an alert record is created and it can be configured to perform an automated response. The Log Analytics agent collects monitoring data from the guest operating system and workloads of virtual machines in Azure, other cloud providers, and on-premises, and stores it in a Log Analytics workspace. For this goal the rule's log search is a query over the Event table, filtered to the System log and the Error level, evaluated over a 1-hour window with an alert threshold of more than 2 results.

Reference: https://docs.microsoft.com/en-us/azure/azure-monitor/learn/tutorial-response https://docs.microsoft.com/en-us/azure/azure-monitor/platform/agents-overview

NO.476

You have an Azure web app named App1. App1 runs in an Azure App Service plan named Plan1. Plan1 is associated to the Free pricing tier. You discover that App1 stops each day after running continuously for 60 minutes. You need to ensure that App1 can run continuously for the entire day.
Solution: You add a triggered WebJob to App1. Does this meet the goal?

A. Yes

B. No

Correct Answer: B
You need to change to the Basic pricing tier. Note: The Free tier provides 60 CPU minutes per day, which explains why App1 stops. A triggered WebJob runs inside the same App Service plan and counts against the same quota, so it does not help. The Basic tier has no such cap.
References: https://azure.microsoft.com/en-us/pricing/details/app-service/windows/

NO.477

You have an Azure subscription named Sub1 that contains the Azure resources shown in the following table.

img

You assign an Azure policy that has the following settings:
✑ Scope: Sub1
✑ Exclusions: Sub1/RG1/VNET1
✑ Policy definition: Append a tag and its value to resources
✑ Policy enforcement: Enabled
✑ Tag name: Tag4
✑ Tag value: value4
You assign tags to the resources as shown in the following table.

img

For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point. Hot Area:

img

Suggested Answer:

img

1st No:

The Azure policy was created before RG1 was assigned a tag, so when RG1 is manually tagged Tag2:IT the policy appends Tag4:value4 to RG1.

Note that the policy effect is "append", which means whatever other tags RG1 is given are not taken away.

As such RG1 will have two tags, Tag2:IT and Tag4:value4.

2nd No:

Remember that tags are not inherited: whatever tag is assigned to RG1 is not applied to the resources under it. As such Storage1 should have Tag3:value1 and Tag4:value4.

3rd No:

VNet1 is excluded from the Azure policy, so the policy does nothing to it. As such VNet1 should only have the tag manually assigned: Tag3:value2.

PS: I take "Exclusions: Sub1/RG1/VNET1" to mean that only VNet1 is excluded, not RG1 as well; Sub1/RG1/VNET1 is merely the path to the excluded object.
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources?tabs=json

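Q477's assignment as PowerShell, added here and not from the exam dump, followed by a read-back of the tags on Storage1 and VNET1. It assumes resource group RG1 contains a storage account named storage1 and a virtual network named VNET1, and takes the subscription from the current Az context.

```powershell
# Added example, not from the exam dump. Assumes RG1 holds a storage account "storage1" and
# a virtual network "VNET1" (assumed) and that an Az context is signed in. Requires Az.Resources.
$subId = (Get-AzContext).Subscription.Id
$scope = "/subscriptions/$subId"
$vnet1 = "$scope/resourceGroups/RG1/providers/Microsoft.Network/virtualNetworks/VNET1"
$stor1 = "$scope/resourceGroups/RG1/providers/Microsoft.Storage/storageAccounts/storage1"

# Built-in definition, found by display name rather than a hard-coded GUID. The filter copes
# with both the older (Properties.DisplayName) and newer (DisplayName) object shapes.
$def = Get-AzPolicyDefinition -Builtin |
    Where-Object { ($_.Properties.DisplayName, $_.DisplayName) -contains 'Append a tag and its value to resources' }

# "Exclusions: Sub1/RG1/VNET1" becomes a NotScope entry holding the full resource id of VNET1;
# RG1 itself stays in scope.
New-AzPolicyAssignment -Name 'append-tag4' -DisplayName 'Append Tag4=value4' `
    -Scope $scope -NotScope $vnet1 -PolicyDefinition $def `
    -PolicyParameterObject @{ tagName = 'Tag4'; tagValue = 'value4' }

# Append runs only when a resource is created or updated: this write on storage1 gets Tag4
# added to whatever tags the request carried. Resources that are never touched again are only
# reported as non-compliant, and the append effect cannot be remediated after the fact.
Set-AzStorageAccount -ResourceGroupName 'RG1' -Name 'storage1' -Tag @{ Tag3 = 'value1' }

# Read back: storage1 carries Tag3 and Tag4; VNET1, being excluded, keeps only what was set on it.
foreach ($id in $stor1, $vnet1) {
    $tags = (Get-AzTag -ResourceId $id).Properties.TagsProperty
    [pscustomobject]@{ Resource = $id.Split('/')[-1]; Tags = (@($tags.Keys) | Sort-Object) -join ', ' }
}
```

If a department-level label must reach existing resources without touching each one, the "Modify" effect with a remediation task is the tool; "Append" is a write-time guard, not a backfill.
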
NO.478

You have an Azure subscription. You plan to deploy an Azure Kubernetes Service (AKS) cluster to support an app named App1. On-premises clients connect to App1 by using the IP address of the pod. For the AKS cluster, you need to choose a network type that will support App1. What should you choose?

A. kubenet

B. Azure Container Networking Interface (CNI)

C. Hybrid Connection endpoints

D. Azure Private Link

Suggested Answer: B
With Azure CNI, every pod gets an IP address from the subnet and can be accessed directly. These IP addresses must be unique across your network space.
Incorrect Answers:
A: The kubenet networking option is the default configuration for AKS cluster creation. With kubenet, nodes get an IP address from the Azure virtual network subnet. Pods receive an IP address from a logically different address space to the Azure virtual network subnet of the nodes. Network address translation (NAT) is then configured so that the pods can reach resources on the Azure virtual network.
C, D: AKS supports only kubenet networking and Azure Container Networking Interface (CNI) networking as network types; Hybrid Connection endpoints and Azure Private Link are not pod network types.
Reference: https://docs.microsoft.com/en-us/azure/aks/concepts-network

NO.479

You have an Azure web app named WebApp1 that runs in an Azure App Service plan named ASP1. ASP1 is based on the D1 pricing tier. You need to ensure that WebApp1 can be accessed only from computers on your on-premises network. The solution must minimize costs. What should you configure?

To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Hot Area:

img

Correct Answer:

img

Box 1: B1
B1 (Basic) minimizes cost compared to P1v2 (Premium) and S1 (Standard).

Box 2: Cross Origin Resource Sharing (CORS)
Once you set the CORS rules for the service, a properly authenticated request made against the service from a different domain is evaluated to determine whether it is allowed according to the rules you have specified.
Note: CORS (Cross Origin Resource Sharing) is an HTTP feature that enables a web application running under one domain to access resources in another domain. To reduce the possibility of cross-site scripting attacks, all modern web browsers implement a security restriction known as the same-origin policy, which prevents a web page from calling APIs in a different domain. CORS provides a controlled way to allow one origin (the origin domain) to call APIs in another origin.
Caveat: CORS is enforced by the browser, not by App Service, and it does not restrict which networks can reach WebApp1; any client that ignores the CORS headers still connects. Limiting access to the on-premises network is done with App Service access restrictions (an allow list of source IP ranges on the app), so the CORS answer is what this exam version expects rather than a network control.
References: https://azure.microsoft.com/en-us/pricing/details/app-service/windows/ https://docs.microsoft.com/en-us/azure/cdn/cdn-cors

NO.480

Your company has several departments. Each department has a number of virtual machines (VMs). The company has an Azure subscription that contains a resource group named RG1. All VMs are located in RG1. You want to associate each VM with its respective department. What should you do?

A. Create Azure Management Groups for each department.

B. Create a resource group for each department.

C. Assign tags to the virtual machines. Most Voted

D. Modify the settings of the virtual machines.


Suggested Answer: C 🗳️
Reference: https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags

NO.481

You have an Azure Active Directory tenant named Contoso.com that includes the following users:

Contoso.com includes the following Windows 10 devices:

You create the following security groups in Contoso.com:

For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point. Hot Area:


Suggested Answer:

User1 can add Device2 to Group1: No
User2 can add Device1 to Group1: Yes
User2 can add Device2 to Group2: No
Explanation:
Groups can contain both registered and joined devices as members. As a global administrator or cloud device administrator, you can manage the registered or joined devices. Intune Service administrators can update and delete devices.
User administrator can manage users but not devices.

User1 is a cloud device administrator. Users in this role can enable, disable, and delete devices in Azure AD and read Windows 10 BitLocker keys (if present) in the Azure portal. The role does not grant permissions to manage any other properties on the device.

User2 is the owner of Group1. He can add Device1 to Group1.

Group2 is configured for dynamic membership. The properties on which the membership of a device in a group of the type dynamic device is defined cannot be changed by either an end user or a user administrator. User2 cannot add any device to Group2.
Reference: https://docs.microsoft.com/en-us/azure/active-directory/devices/device-management-azure-portal


-------------------

Box 1: Yes
User1 is a Cloud Device Administrator. Device2 is Azure AD joined. Group1 has the Assigned join type. User1 is the owner of Group1.
Note: Assigned groups - Manually add users or devices into a static group. Azure AD joined or hybrid Azure AD joined devices utilize an organizational account in Azure AD.

Box 2: No
User2 is a User Administrator. Device1 is Azure AD registered. Group1 has the Assigned join type, and the owner is User1.
Note: Azure AD registered devices utilize an account managed by the end user; this account is either a Microsoft account or another locally managed credential.

Box 3: Yes
User2 is a User Administrator. Device2 is Azure AD joined. Group2 has the Dynamic Device join type, and the owner is User2.
Reference: https://docs.microsoft.com/en-us/azure/active-directory/devices/overview

NO.482

You have an Azure virtual machine named VM1. VM1 was deployed by using a custom Azure Resource Manager template named ARM1.json. You receive a notification that VM1 will be affected by maintenance. You need to move VM1 to a different host immediately.
Solution: From the Overview blade, you move the virtual machine to a different subscription. Does this meet the goal?

A. Yes

B. No Most Voted


Suggested Answer: B 🗳️
You would need to redeploy the VM.
Reference: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/redeploy-to-new-node

NO.483

You have Azure virtual machines that run Windows Server 2019 and are configured as shown in the following table.

You create a private Azure DNS zone named adatum.com. You configure the adatum.com zone to allow auto registration from VNET1. Which A records will be added to the adatum.com zone for each virtual machine? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Hot Area:

Suggested Answer:

The virtual machines are registered (added) to the private zone as A records pointing to their private IP addresses.
Reference:
https://docs.microsoft.com/en-us/azure/dns/private-dns-overview
https://docs.microsoft.com/en-us/azure/dns/private-dns-scenarios

NO.484

You are creating an Azure load balancer. You need to add an IPv6 load balancing rule to the load balancer. How should you complete the Azure PowerShell script?

To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Hot Area:

Suggested Answer:

References: https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-ipv6-internet-ps

NO.485

You plan to use the Azure Import/Export service to copy files to a storage account. Which two files should you create before you prepare the drives for the import job?
Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

A. a driveset CSV file

B. a JSON configuration file

C. a PowerShell PS1 file

D. an XML manifest file

E. a dataset CSV file


Suggested Answer: AE 🗳️
A: Modify the driveset.csv file in the root folder where the tool resides.
E: Modify the dataset.csv file in the root folder where the tool resides.
Depending on whether you want to import a file or folder or both, add entries in the dataset.csv file.
References: https://docs.microsoft.com/en-us/azure/storage/common/storage-import-export-data-to-files

NO.486

You have an Azure subscription that has a Recovery Services vault named Vault1. The subscription contains the virtual machines shown in the following table:

You plan to schedule backups to occur every night at 23:00. Which virtual machines can you back up by using Azure Backup?

A. VM1 and VM3 only

B. VM1, VM2, VM3 and VM4 Most Voted

C. VM1 and VM2 only

D. VM1 only


Suggested Answer: B 🗳️
Azure Backup supports backup of 64-bit Windows Server operating systems from Windows Server 2008.
Azure Backup supports backup of the 64-bit Windows 10 operating system.
Azure Backup supports backup of 64-bit Ubuntu Server operating systems from Ubuntu 12.04.
Azure Backup supports backup of VMs that are shut down or offline.
Reference:
https://docs.microsoft.com/en-us/azure/backup/backup-support-matrix-iaas
https://docs.microsoft.com/en-us/azure/virtual-machines/linux/endorsed-distros

NO.487

You have an Azure subscription named Subscription1 that contains the storage accounts shown in the following table:


You plan to use the Azure Import/Export service to export data from Subscription1. You need to identify which storage account can be used to export the data. What should you identify?

A. storage1

B. storage2

C. storage3

D. storage4


Suggested Answer: D 🗳️
Azure Import/Export service supports the following types of storage accounts:
✑ Standard General Purpose v2 storage accounts (recommended for most scenarios)
✑ Blob Storage accounts
✑ General Purpose v1 storage accounts (both Classic and Azure Resource Manager deployments)
Azure Import/Export service supports the following storage types:
✑ Import supports Azure Blob storage and Azure File storage
✑ Export supports Azure Blob storage
Reference: https://docs.microsoft.com/en-us/azure/storage/common/storage-import-export-requirements

NO.488

You create the following resources in an Azure subscription:
✑ An Azure Container Registry instance named Registry1
✑ An Azure Kubernetes Service (AKS) cluster named Cluster1
You create a container image named App1 on your administrative workstation.
You need to deploy App1 to Cluster1. What should you do first?

A. Run the docker push command. Most Voted

B. Create an App Service plan.

C. Run the az acr build command.

D. Run the az aks create command.


Suggested Answer: A 🗳️

Selected Answer: A

The az acr build command is used to build and push Docker images to an Azure Container Registry. It automates the build process and pushes the resulting image directly to the registry, eliminating the need to run separate docker build and docker push commands. However, in this scenario, the container image App1 has already been built on your administrative workstation, and you only need to push it to the Azure Container Registry. Therefore, you don't need to use the az acr build command. Instead, you can simply use the docker push command to push the existing App1 image to Registry1, as shown in the previous answer.

You should sign in and push a container image to Container Registry. Run the az acr build command to build and push the container image.
az acr build --image contoso-website --registry $ACR_NAME --file Dockerfile .
Reference: https://docs.microsoft.com/en-us/learn/modules/aks-deploy-container-app/5-exercise-deploy-app


You need to deploy Application1 to Cluster1.

Which command should you run?

A. az acr build

B. az aks create

C. docker build

D. kubectl apply

Answer: A

NO.489

You have an existing Azure subscription that contains 10 virtual machines. You need to monitor the latency between your on-premises network and the virtual machines. What should you use?

A. Service Map

B. Connection troubleshoot

C. Network Performance Monitor

D. Effective routes


Suggested Answer: C 🗳️
Network Performance Monitor is a cloud-based hybrid network monitoring solution that helps you monitor network performance between various points in your network infrastructure. It also helps you monitor network connectivity to service and application endpoints and monitor the performance of Azure ExpressRoute. You can monitor network connectivity across cloud deployments and on-premises locations, multiple data centers, and branch offices and mission-critical multitier applications or microservices. With Performance Monitor, you can detect network issues before users complain.
Reference: https://docs.microsoft.com/en-us/azure/azure-monitor/insights/network-performance-monitor

NO.490

You have an Azure subscription that contains an Azure Storage account. You plan to create an Azure container instance named container1 that will use a Docker image named Image1. Image1 contains a Microsoft SQL Server instance that requires persistent storage. You need to configure a storage service for Container1. What should you use?

A. Azure Files Most Voted

B. Azure Blob storage

C. Azure Queue storage

D. Azure Table storage


Suggested Answer: A 🗳️
Reference:
https://azure.microsoft.com/en-us/blog/persistent-docker-volumes-with-azure-file-storage/
https://docs.microsoft.com/en-us/azure/aks/concepts-storage

Microsoft has a Docker Volume Plugin for Azure File Storage which provides exactly this, and it is used for Azure file shares. The Azure File Storage volume plugin is not limited to ease of container migration. It also allows a file share to be shared among multiple containers (even though they are on different hosts) to collaborate on workloads, or to share configuration or secrets of an application running on multiple hosts. Another use case is uploading metrics and diagnostics data, such as logs, from applications to a file share for further processing.

Reference:

https://azure.microsoft.com/en-gb/blog/persistent-docker-volumes-with-azure-file-storage/

Azure file shares can be used as persistent volumes for stateful containers. Containers deliver "build once, run anywhere" capabilities that enable developers to accelerate innovation. For the containers that access raw data at every start, a shared file system is required to allow these containers to access the file system no matter which instance they run on.

https://docs.microsoft.com/en-us/azure/storage/files/storage-files-introduction

NO.491

You have an Azure subscription that contains a virtual network named VNet1. VNet1 uses an IP address space of 10.0.0.0/16 and contains the VPN Gateway and subnets in the following table:


Subnet1 contains a virtual appliance named VM1 that operates as a router. You create a routing table named RT1. You need to route all inbound traffic from the VPN gateway to VNet1 through VM1. How should you configure RT1?

To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Hot Area:

Suggested Answer:

Box 1: 10.0.0.0/16

Address prefix (destination) -> VNet1 (the address space of VNet1).

Box 2: Virtual appliance

Next hop type -> Virtual appliance (VM1). You specify the IP address of VM1 when configuring the next hop as Virtual appliance.

Box 3: Gateway Subnet

Assigned to -> Gateway Subnet. This route is followed by the gateway subnet for the incoming traffic. You can associate the route table with the subnet from Route Table -> Subnets -> Associate.

Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/manage-route-table#create-a-route-table

https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-next-hop-overview

NO.492

You have an Azure subscription that includes data in the following locations:

You plan to export data by using an Azure Import/Export job named Export1. You need to identify the data that can be exported by using Export1. Which data should you identify?

A. DB1

B. container1

C. share1

D. Table1

Suggested Answer: B 🗳️

B) "container1". The following list of storage types is supported with Azure Import/Export service: Export: Azure Blob Storage -> block blobs, page blobs, and append blobs supported. Azure Files not supported, and export from the archive tier not supported.

Reference:

https://docs.microsoft.com/en-us/azure/import-export/storage-import-export-requirements#supported-storage-types

Export can be used only for Blob storage. Import is used for file and blob storage. Correct answer is B.


Azure Import/Export service is used to securely import large amounts of data to Azure Blob storage. Only the Blob service is supported with the Export job feature.
Reference: https://docs.microsoft.com/en-us/azure/storage/common/storage-import-export-requirements

NO.493

You have a sync group named Sync1 that has a cloud endpoint. The cloud endpoint includes a file named File1.txt. Your on-premises network contains servers that run Windows Server 2016. The servers are configured as shown in the following table.


You add Share1 as an endpoint for Sync1. One hour later, you add Share2 as an endpoint for Sync1. For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point. Hot Area:

Suggested Answer:

Box 1: Yes --> No
If you add an Azure file share that has an existing set of files as a cloud endpoint to a sync group, the existing files are merged with any other files that are already on other endpoints in the sync group.

Agree, files are never overwritten. If the file exists, it will get a new name on the endpoint (file1(1).txt)

I just tested in the lab and files are not overwritten. The file that is older will get the name of the hosting server added. For example: srv01 creates a new version of "file1", so the older version (hosted on srv02) gets renamed to "file1-srv02".

Box 2: No

Box 3: Yes
Reference: https://docs.microsoft.com/en-us/azure/storage/files/storage-sync-files-planning

NO.494

You have an Azure subscription that contains the resources in the following table.


Store1 contains a file share named data. Data contains 5,000 files. You need to synchronize the files in the file share named data to an on-premises server named Server1. Which three actions should you perform?

Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.

A. Create a container instance

B. Register Server1 Most Voted

C. Install the Azure File Sync agent on Server1 Most Voted

D. Download an automation script

E. Create a sync group Most Voted


Suggested Answer: BCE 🗳️
Step 1 (C): Install the Azure File Sync agent on Server1.
The Azure File Sync agent is a downloadable package that enables Windows Server to be synced with an Azure file share.
Step 2 (B): Register Server1.
Register Windows Server with the Storage Sync Service.
Registering your Windows Server with a Storage Sync Service establishes a trust relationship between your server (or cluster) and the Storage Sync Service.
Step 3 (E): Create a sync group and a cloud endpoint.
A sync group defines the sync topology for a set of files. Endpoints within a sync group are kept in sync with each other. A sync group must contain one cloud endpoint, which represents an Azure file share, and one or more server endpoints. A server endpoint represents a path on a registered server.
Reference: https://docs.microsoft.com/en-us/azure/storage/files/storage-sync-files-deployment-guide

NO.495

You create the following resources in an Azure subscription:
✑ An Azure Container Registry instance named Registry1
✑ An Azure Kubernetes Service (AKS) cluster named Cluster1
You create a container image named App1 on your administrative workstation.
You need to deploy App1 to Cluster1. What should you do first?

A. Run the docker push command. Most Voted

B. Create an App Service plan.

C. Run the az acr build command.

D. Run the az aks create command.

Selected Answer: A

The az acr build command is used to build and push Docker images to an Azure Container Registry. It automates the build process and pushes the resulting image directly to the registry, eliminating the need to run separate docker build and docker push commands. However, in this scenario, the container image App1 has already been built on your administrative workstation, and you only need to push it to the Azure Container Registry. Therefore, you don't need to use the az acr build command. Instead, you can simply use the docker push command to push the existing App1 image to Registry1, as shown in the previous answer.


NO.496

You have an Azure subscription named Subscription1. Subscription1 contains the virtual networks in the following table.


Subscription1 contains the virtual machines in the following table.


The firewalls on all the virtual machines are configured to allow all ICMP traffic. You add the peerings in the following table.


For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point. Hot Area:

Suggested Answer:

Box 1: Yes
VNet1 and VNet3 are peers.

Box 2: Yes
VNet2 and VNet3 are peers.

Box 3: No
Peering connections are non-transitive.
References: https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/hub-spoke
