
Real Exam Final Version Summary

Topic 1

1 Question #1

  1. To implement MFA for Azure AD-joined devices, you need to create a Conditional Access policy.
  2. Microsoft Entra --> Protection --> Security Center --> Conditional Access page.
  3. To implement a conditional access policy:
    • Protection --> Security Center --> Conditional Access page --> modify Grant control (not Session control) --> Grant access
  4. You cannot change the usage model after an MFA provider is created.

    • New conditional access policy that applies to the new employees
  5. You access the Azure portal to alter the session control of the Azure AD conditional access policy. (No)

  6. You access the multi-factor authentication page to alter the user settings (No)
  7. You access the Azure portal to alter the grant control of the Azure AD conditional access policy. Does the solution meet the goal? (Yes)
  8. You reconfigure the existing usage model via the Azure portal. (No)
  9. You reconfigure the existing usage model via the Azure CLI (No)
  10. You create a new Multi-Factor Authentication provider with a backup from the existing Multi-Factor Authentication provider data. (No)
    • new auth providers may no longer be created.

You need to create a conditional access policy that requires all users to use multi-factor authentication when they access the Azure portal.

Which three settings should you configure?

  • Select Users & Groups : Where you have to choose all users.
  • Select Cloud apps or actions: to specify the Azure portal
  • Grant: to grant the MFA.

2 Question #2

  1. implement a custom deployment that includes adding a particular trusted root certification authority (CA).
    • The az vm create command
    • PowerShell cmdlets: creating a VM by passing custom data is not currently supported

3 Question #3

1. The Start-ADSyncSyncCycle -PolicyType Initial PowerShell cmdlet initiates an initial synchronization cycle for Azure AD Connect, the successor to DirSync.

This command triggers the synchronization process and replicates changes from the on-premises Active Directory to Azure AD immediately.

2. Forcing replication of the Global Catalog on a domain controller replicates the user information to other domain controllers in the same site, but it does not replicate the user information to Azure AD immediately.

3. Netlogon is a Local Security Authority service that runs in the background. It handles domain user login authentication.

If this service is stopped, the computer may not authenticate users and services, and the domain controller cannot register DNS records.

  • You run the Start-ADSyncSyncCycle -PolicyType Initial PowerShell cmdlet (A. Yes)
  • You use Active Directory Sites and Services to force replication of the Global Catalog on a domain controller. (No)
  • You restart the NetLogon service on a domain controller. (No)

4 Question #4

ARM templates for both the VM and the storage account can only be reviewed at the resource group (RG) level.

All templates deployed to a resource group are stored under Deployments at the resource group level.

Resource Group >> Deployment

  • You access the Virtual Machine blade (No)
  • You access the Resource Group blade. (Yes)
  • You access the Container blade. (No)

4 Question #5

Q: resize one of the VMs, which returns an allocation failure message.

If the VM you wish to resize is part of an availability set, then you must stop all VMs in the availability set before changing the size of any VM in the availability set.

The reason all VMs in the availability set must be stopped before performing the resize operation to a size that requires different hardware is that all running VMs in the availability set must be using the same physical hardware cluster

  • C. You should stop all three VMs.

5 Question #5

To minimize downtime when attaching a data disk from one Azure virtual machine (VM) to another

Once the data disk is detached from the source VM, you can then attach it to the destination VM.

This process typically involves stopping the destination VM briefly to attach the disk, but since the disk has already been detached from the source VM, downtime is minimized.

  • C. Detach the data disk.

6 Question #6

Each availability set can be configured with up to three fault domains and twenty update domains. (3 FD and 20 Update domains)

Q: configure for the platformFaultDomainCount property?

D. Max Value => FD (3)

2 or 3 is max for a region so answer should be Max.

Q: configure for the platformUpdateDomainCount property

B. 20

3 fault and 20 update domains.

7 Question #7

  1. The password can be stored as a secret in the Key Vault and then accessed by the ARM template using a reference to the Key Vault.
  2. An access policy, which is used to define who has permissions to access and manage the Key Vault
  3. Only authorized users can access the password stored in the Key Vault

  4. Key vault + access policy

8 Question #8

  1. After Windows is installed but before the logon screen appears, Windows Setup searches for the SetupComplete.cmd file in the %WINDIR%\Setup\Scripts\ directory.

Q: solution that ensures the scripts are run on the new VMs.

A. Configure a SetupComplete.cmd batch file in the %windir%\setup\scripts directory.

9 Question #9

Q: You need to upload the image to Azure to ensure that it is available for selection when you create the new Azure VMs

B. Add-AzVhd

  • The Add-AzVhd cmdlet uploads on-premises virtual hard disks, in .vhd file format, to a blob storage account as fixed virtual hard disks.
  • New-AzVM is for creating new VMs, not for uploading images.
  • Add-AzImage does not exist; the correct command is New-AzImage.
  • Add-AzImageDataDisk adds a data disk to an image object.

10 Question #10

Q: on-premises Hyper-V server that hosts a VM, named VM1, which must be replicated to Azure.

Set up disaster recovery to Azure for on-premises physical servers

  • Set up an Azure storage account (Storage Account)
  • Create a Recovery Services vault for Site Recovery
  • Create a replication policy
  • Enable replication for a server

11 Question #11

Q: You have to make sure that a connection to VirtualNetworkB can be established from the Windows 10 workstation.

  1. After configuring virtual network peering between VirtualNetworkA and VirtualNetworkB, you confirm that you are able to access VirtualNetworkB from the company's on-premises network.
    • This indicates that Allow/Use gateway transit is set up and working.
  2. The next step is to reinstall the VPN client configuration on the Windows 10 workstation.
  3. "Allow gateway transit" setting on VirtualNetworkA will not enable the Windows 10 workstation to connect to VirtualNetworkB.
  4. The "Allow gateway transit" setting is used to enable traffic to flow between virtual networks when they are connected through virtual network peering.
    • It allows a virtual network to use the VPN gateway in another virtual network to access remote networks
  5. To enable the Windows 10 workstation to connect to VirtualNetworkB, you need to configure point-to-site VPN connectivity between the Windows 10 workstation and VirtualNetworkB

  6. Solution: You choose the Allow gateway transit setting on VirtualNetworkA. (No)

  7. Solution: You choose the Allow gateway transit setting on VirtualNetworkB. (No)
  8. Solution: You download and re-install the VPN client configuration package on the Windows 10 workstation. (Yes)

After reconfiguring or creating peering, existing point-to-site VPN connections need to be recreated.

12 Question #12

  1. A Point-to-Site (P2S) VPN gateway connection lets you create a secure connection to your virtual network from an individual client computer.
  2. A Site-to-Site (S2S) VPN connection is used to connect one or more on-premises networks to an Azure virtual network (VNet), while a VNet-to-VNet VPN connection is used to connect two or more Azure virtual networks (VNets) together.

  3. C. Configure a Point-to-Site (P2S) VPN.

13 Question #13

1. To configure an Azure internal load balancer as a listener for the availability group, you need to create a TCP health probe on port 1433 (not HTTP), which is the default port for SQL Server.

Q: Your company has a Microsoft SQL Server Always On availability group configured on their Azure virtual machines (VMs).

  • Solution: You create an HTTP health probe on port 1433. (No)

14 Question #14

Q: You need to configure an Azure internal load balancer as a listener for the availability group.

  1. The key phrase is 'availability group', which means redundant servers that must talk to each other; this relies on a health probe, not session persistence, which is used for the communication between client and server.
  2. For this load balancer, you enable direct server return because only one of the two SQL Server instances owns the availability group listener resource at a time.

    • Therefore Floating IP (direct server return) is Enabled
    • By enabling Floating IP, the load balancer will use a floating IP address as the source IP address for outbound flows from the backend pool.
  3. Solution: You set Session persistence to Client IP. (No)

  4. Solution: You enable Floating IP. (Yes)

15 Question #15

Q: You have configured two VMs on a single subnet in an Azure virtual network.

  • E. Run the Set-AzureStaticVNetIP PowerShell cmdlet

  • The Set-AzureStaticVNetIP PowerShell cmdlet is used to set a static internal IP address for an Azure virtual machine.

  • Option A, New-AzureRMVMConfig, is used to create a new virtual machine configuration object.
  • Option B, Set-AzureSubnet, is used to modify the properties of an existing Azure subnet, not to set static IP addresses for virtual machines.
  • Option C, modifying VM properties in the Azure Management Portal, does not provide a way to set static IP addresses for virtual machines.

16 Question #16

Five virtual machines (VMs)

  • Which of the following is the fewest network interfaces needed for this configuration? (5)
    • 5 VMs, so 5 NICs.
  • Which of the following is the fewest security groups needed for this configuration?
    • All security groups are identical, so you only require 1 security group because all the settings are the same.

17 Question #17

  1. To restore data, you use the Recover Data wizard in the Microsoft Azure Recovery Services (MARS) Agent
  2. If you have Cross Region Restore enabled on your vault, you can restore the backup data from the secondary region.

  3. You can recover the files to any VM within the company's subscription.

  4. C. You should restore the VM to a new Azure VM.

18 Question #18

  • Azure Monitor is the tool used to collect and analyze performance metrics and logs in Azure.
  • It provides insights into the performance of Azure resources, applications, and workloads
  • Azure Traffic Analytics is used to monitor and analyze network traffic.
  • Azure Activity Log provides insights into activities performed on Azure resources.
  • Azure Advisor provides recommendations for improving the performance, security, and reliability of Azure resources

19 Question #19

Which of the following VMs can you back up?

  • A. VMs that run Windows 10.
  • B. VMs that run Windows Server 2012 or higher.
  • C. VMs that have NOT been shut down.
  • D. VMs that run Debian 8.2+.
  • E. VMs that have been shut down

20 Question #20

  1. New-AzureADUser is for creating new Azure AD users, not for inviting guests.
  2. To invite guests using PowerShell, use the New-AzureADMSInvitation cmdlet.
  3. The New-AzureADUser cmdlet creates a user in Azure Active Directory (Azure AD).
  4. "Bulk create" is for new Azure AD users.

    • Use "Bulk invite users" to prepare a comma-separated value (.csv) file with the user information and invitation preferences
    • Upload the .csv file to Azure AD
  5. Solution: You create a PowerShell script that runs the New-AzureADUser cmdlet for each user (No)

  6. Solution: From Azure AD in the Azure portal, you use the Bulk create user operation. (No)
  7. Solution: You create a PowerShell script that runs the New-AzureADMSInvitation cmdlet for each external user. (Yes)

The New-MgUser cmdlet is part of the Microsoft Graph PowerShell module, and it's used for creating new users in Azure AD.

Topic 2

1 Question #1

The Network Contributor role lets you manage networks, but not access them.

  • Network Contributor on LB1
  • Network Contributor on LB2

2 Question #2

You need to ensure that access to AKS1 can be granted to the contoso.com users.

  • B. From contoso.com, create an OAuth 2.0 authorization endpoint.

Azure AD authentication is provided to AKS clusters with OpenID Connect. OpenID Connect is an identity layer built on top of the OAuth 2.0 protocol. By modifying the Organization relationships settings in the contoso.com Azure AD tenant, you can establish the necessary trust relationship between the tenant and AKS.

3 Question #3

You need to create groups for the users. The solution must ensure that the groups are deleted automatically after 180 days.

  1. You can set expiration policy only for Office 365 groups in Azure Active Directory (Azure AD).
  2. You can set up a rule for dynamic membership on security groups or Office 365 groups

  3. A. a Microsoft 365 group that uses the Assigned membership type

  4. C. a Microsoft 365 group that uses the Dynamic User membership type

4 Question #4

Q: Ensure that Admin1 can deploy the Marketplace resource successfully.

C. From Azure PowerShell, run the Set-AzMarketplaceTerms cmdlet

5 Question #5

Q: You need to assign the User administrator administrative role to AdminUser1.

B. From the Directory role blade, modify the directory role

Active Directory -> Manage Section -> Roles and administrators-> Search for Admin and assign a user to it.

6 Question #6

Q: You need to ensure that 10 users can use all the Azure AD Premium features.

A. From the Licenses blade of Azure AD, assign a license

Active Directory-> Manage Section > Choose Licenses -> All Products -> Select Azure Active Directory Premium P2 -> Then assign a user to it.

7 Question #7

Q: You need to ensure that an alert is set in Service Manager when the amount of available memory on VM1 is below 10 percent.

C. Deploy the IT Service Management Connector (ITSM)

The IT Service Management Connector (ITSMC) allows you to connect Azure and a supported IT Service Management (ITSM) product/service, such as the Microsoft System Center Service Manager

8 Question #8

All the computers that will be joined to the Azure AD domain.

What should you configure in Azure AD?

A. Device settings from the Devices blade

  • When you connect a Windows device to Azure AD using an Azure AD join, Azure AD adds the following security principals to the local administrators group on the device:
    • Sign in to your Azure portal as a global administrator or device administrator.
    • Azure Active Directory. -> Devices -> Device settings.

9 Question #9

Q: User1 can assign the Reader role for VNet1 to other users.

The question has two possible correct answers:

  • Assign User1 the User Access Administrator role for VNet1.
  • Assign User1 the Owner role for VNet1.

The User Access Administrator role allows users to manage user access to Azure resources, but it does not provide the ability to assign roles to other users for that specific virtual network.

10 Question #10

Q: Which type of DNS record to Azure AD (custom domain name to Azure AD)

MX (correct)

11 Question #11

Q: You need to provide the Developers group with the ability to create Azure logic apps in the Dev resource group.

  • Solution: On Subscription1, you assign the DevTest Labs User role to the Developers group. (No)

    • The DevTest Labs User role is used for Azure DevTest Labs, not for Logic Apps.
    • The DevTest Labs User role only lets you connect, start, restart, and shut down virtual machines in your Azure DevTest Labs.
    • The Logic App Contributor role lets you manage logic apps, but not access to them. It provides access to view, edit, and update a logic app.
    • Azure DevTest Labs is a service that has nothing to do with Logic App
  • Solution: On Subscription1, you assign the Logic App Operator role to the Developers group.

    • Logic App Operator - Lets you read, enable, and disable logic apps, but not edit or update them
    • Logic App Contributor - Lets you create and manage logic apps, but not access to them
  • Solution: On Dev, you assign the Contributor role to the Developers group.

12 Question #12

A report to the finance department.

  • Box 1: Assign a tag to each resource
  • Box 2: From the Cost analysis blade, filter the view by tag
  • Box 3: Download the usage report

13 Question #13

Azure Log Analytics workspace named Workspace1.

You need to view the error events from a table named Event.

  • Event | search "error"
  • Event | where EventType == "error"
  • search in (Event) "error"
  • KQL: search in (Event) * | where EventType == "error"

14 Question #14

  • RG1 has a web app named WebApp1. WebApp1 is located in West Europe.
  • You move WebApp1 to RG2.

A. The App Service plan for WebApp1 remains in West Europe. Policy2 applies to WebApp1.

15 Question #15

Q1: RG1 has a web app named WebApp1. WebApp1 is located in West Europe. You move WebApp1 to RG

You can only move a resource to a Resource Group or Subscription, but the location stays the same.

When you move WebApp1 to RG2, the resource will be restricted based on the policy of the new Resource Group

A. The App Service plan for WebApp1 remains in West Europe. Policy2 applies to WebApp1.

16 Question #16

Q: You need to ensure that the connections to App1 are spread across all the virtual machines.

A. an internal load balancer:

An internal load balancer can be used to distribute traffic among the virtual machines running App1. It can distribute traffic based on various algorithms such as round-robin, least connections, and IP hash.

E. an Azure Application Gateway:

An Azure Application Gateway is a layer 7 (Application Layer) load balancer that can distribute traffic based on various criteria such as URL path, host headers, and cookie.

17 Question #17

Q: Less expensive offering.

Advisor helps you optimize and reduce your overall Azure spend by identifying idle and underutilized resources.

You can get cost recommendations from the Cost tab on the Advisor dashboard.

18 Question #18

Manage external collaboration settings

Q: You need to ensure that Admin1 can invite the external partner to sign in to the Azure AD tenant.

A. From the Users settings blade, modify the External collaboration settings.

Go to Azure AD --> Users --> User settings --> scroll down --> External users

19 Question #19

Q: User can assign a policy to the tenant root management group.

C. Assign the Global administrator role to User1, and then instruct User1 to configure access management for Azure resources.

  • Azure AD Global Administrators are the only users that can elevate themselves to gain access.

20 Question #20

  1. Your account must have any one of the following Azure roles at the subscription scope: Owner, Contributor, Reader, or Network Contributor.
  2. Network Contributor role - Lets you manage networks, but not access to them.

Q: user can assign the required role to enable Traffic Analytics for an Azure subscription.

  • Solution: You assign the Owner role at the subscription level to Admin1. (Y)
  • Solution: You assign the Reader role at the subscription level to Admin1. (N)

One of the following Azure built-in roles needs to be assigned to your account:

  • Assign Network Contributor role at subscription level to Admin1 (Yes)
  • Assign Monitor Contributor role at subscription level to Admin1 (Yes)
  • Assign Owner role at subscription level to Admin1 (Yes)
  • Assign Reader role at subscription level to Admin1 (No)
  • Assign Traffic Manager Contributor role at subscription level to Admin1 (No)

Q: least privilege to manage virtual networks

  • Contributor: Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC (Y)
  • Owner: Grants full access to manage all resources, including the ability to assign roles in Azure RBAC. (No)

20 Question #20

ensure that a service running on VM1 can manage the resources in RG1 by using the identity of VM1.

A. From the Azure portal, modify the Managed Identity settings of VM1

You can use this identity to authenticate to any service that supports Azure AD authentication, without having credentials in your code.

21 Question #21

You need to ensure that you can create Azure AD users that have names containing a suffix of @contoso.com

  • Add the custom domain name to your directory
  • Add a DNS entry for the domain name at the domain name registrar
  • Verify the custom domain name in Azure AD

Q: Public Azure DNS zone named contoso.com to registered DNS domain, resolvable from the internet.

D. Modify the NS records in the DNS domain registrar

When you delegate a domain to Azure DNS, you must use the name servers that Azure DNS provides.

22 Question #22

  • The Owner Role lets you manage everything, including access to resources.
  • The Network Contributor role lets you manage networks, including creating subnets.
  • The Security Admin role can view security policies, view security states, edit security policies, view alerts and recommendations, dismiss alerts and recommendations.

23 Question #23

Locks Box 1: Sub1, RG1, and VM1 only

You can lock a subscription, resource group, or resource to prevent other users in your organization from accidentally deleting or modifying critical resources.

Tags Box 1: Sub1, RG1, and VM1 only

You apply tags to your Azure resources, resource groups, and subscriptions.

24 Question #24

To perform a bulk delete of users in Azure Active Directory, you need to create and upload a CSV file that contains the list of users to be deleted

B. The user principal name of each user only

The file should include the user principal name (UPN) of each user only. Therefore, the answer is B.

UPN is the only mandatory attribute for the user account

24 Question #25

  • Tags are not inheritable
  • Policy: "Exclusions: Sub1/RG1/VNET1" does not mean both RG1 & vNet1 are excluded, only vNet1 is excluded, the Sub1/RG1/VNET1 is merely a path to the object that is excluded

26 Question #26

Q: grant user management permissions to a local administrator in each office.

B. administrative units

Administrative units restrict permissions in a role to any portion of your organization that you define

27 Question #27

Q: ensure that User1 can assign the Reader role for VNet1 to other users.

  • Has full access to all resources including the right to delegate access to others.

    • Assign User1 the User Access Administrator role for VNet1.
    • Assign User1 the Owner role for VNet1.
  • Owner = Grants full access to manage all resources, including the ability to assign roles in Azure RBAC.

  • Contributor = Grants full access to manage all resources, but does NOT allow you to assign roles in Azure RBAC. (you cannot add users or change their rights)
  • User Access Administrator = Lets you manage user access to Azure resources.
  • Reader = View all resources, but does not allow you to make any changes.
  • Security Admin = View and update permissions for Security Center. Same permissions as the Security Reader role and can also update the security policy and dismiss alerts and recommendations.
  • Network Contributor = Lets you manage networks, but not access to them. (so you can add VNET, subnet, etc)

28 Question #28

Q: User can sign in to VM

DataActions:

  • Microsoft.Compute/virtualMachines/login/action
  • Microsoft.Compute/virtualMachines/loginAsAdmin/action

Q: When you assign roles, you must specify a scope. Scope is the set of resources the access applies to

assignableScopes

Management group, subscription, resource group, and resource

29 Question #29

Before you enable Azure AD over SMB for Azure file shares, make sure you have completed the following prerequisites:

A. Enable Active Directory Domain Service (AD DS) authentication for storage1.

  • Select or create an Azure AD tenant
  • To support authentication with Azure AD credentials, you must enable Azure AD Domain Services for your Azure AD tenant. Etc.

Q: Assign User1 the Storage File Data SMB Share Contributor role for share1.

A. Enable identity-based data access for the file shares in storage1.

30 Question #30

Q: Ensure that Group1 can manage role assignments for the existing subscriptions and the planned subscriptions.

Use the principle of least privilege. / Minimize administrative effort.

B. Assign Group1 the User Access Administrator role for the root management group

  • The User Access Administrator role enables the user to grant other users access to Azure resources. This switch can be helpful to regain access to a subscription.
  • And because we should use the principle of least privilege, we should choose the User Access Administrator role instead of the Owner one.

31 Question #31

Policy can be assigned (Tenant Root Group, ManagementGroup1, Subscription1, and RG1)

Can't assign policy to a RESOURCE (VM)

Can exclude Policy1 from: (ManagementGroup1, Subscription1, RG1, and VM1)

Can't exclude policy from the Tenant Root Group

32 Question #32

  • Storage Blob Data Contributor --> Read, write, and delete Azure Storage containers and blobs
  • Reader --> View all resources, but does not allow you to make any changes

  • B. Upload blob data to storageacct1234.

  • D. View blob data in storageacct1234.

33 Question #33

To allow the developers of App1 to use their Azure AD credentials to deploy content to App1 using Web Deploy, you should assign the Website Contributor role to the developers.

This role provides the necessary permissions for developers to deploy content to the web app, but does not grant them excessive permissions that could be used to make unwanted changes

34 Question #34

Q: Create a guest user account in contoso.com for each of the 500 external users

Solution: From Azure AD in the Azure portal, you use the Bulk invite users operation.

In this question the .CSV file you have DOES NOT contain a redirection URL. Therefore, the answer is B: NO.

35 Question #35

Their cloning rules are not the same. While you can clone a built-in Azure role, you CANNOT clone a built-in Azure AD role. When creating a custom role in Azure AD, you can either choose a custom role already created OR start from scratch. So for the second item, the answer should be Role2 only.

"Reader and Data Access":

"Lets you view everything but will not let you delete or create a storage account or contained resource. It will also allow read/write access to all data contained in a storage account via access to storage account keys."

"Owner" is needed to manage permissions, as "User Access Administrator" is not offered as an option.

36 Question #36

You can use service tags to achieve network isolation and protect your Azure resources from the general Internet while accessing Azure services that have public endpoints.

37 Question #37

Ensure that all the traffic from VM1 to storage1 travels across the Microsoft backbone network.

B. private endpoints

To ensure that all the traffic from VM1 to storage1 travels across the Microsoft backbone network without going out to the public internet, you should use a private endpoint.

38 Question #38

  • Blob storage: Azure AD and shared access signatures (SAS)
  • File storage: Shared access signatures (SAS) only
  • Blob storage (hierarchical namespace): Microsoft Entra ID & SAS
  • File storage: SAS only

Both Azure Active Directory (AD) and Shared Access Signature (SAS) token are supported for Blob storage.

Only Shared Access Signature (SAS) token is supported for File storage.

  • Blob Storage: Support both Azure Active Directory (AD) and Shared Access Signature (SAS) token.
  • File Storage: Only Shared Access Signature (SAS) token is supported.

39 Question #39

Assign Workspace1 a role to allow read, write, and delete operations for the data stored in the containers of storage1.

  • Storage Blob Data Contributor Read, write, and delete Azure Storage containers and blobs.
  • Storage Account Contributor can't perform delete operation.

Option A, "Storage Account Contributor," grants permissions to manage the Azure Storage account itself, including its configuration and settings, but it doesn't provide the necessary permissions to perform read, write, and delete operations on the data stored within the containers of the storage account.

40 Question #40

  • Group1: Security group (Security Enabled) - You can assign licenses.
  • Group2: Mail-enabled security group (Security Enabled) - You cannot assign licenses to mail-enabled security groups.
  • Group3: Microsoft 365 group (Security Enabled) - You can assign licenses.
  • Group4: Microsoft 365 group (Security Disabled) - You cannot assign licenses to security-disabled groups.

41 Question #41

Q You need to create a Microsoft 365 group that contains only members of a marketing department in France.

(user.department -eq "Marketing") -and (user.country -eq "France")

42 Question #42

Q: Standard users must be prevented from creating new service principals

Register applications: (YES)

Setting this option to No prevents users from creating application registrations

Q: Standard users must only be able to use PowerShell or Microsoft Graph to manage their own Azure resources.

  • Yes: Restricts non-administrators from browsing the Azure AD administration portal.
  • Non-administrators who are owners of groups or applications are unable to use the Azure portal to manage their owned resources

43 Question #43

You can only add Admin1 as a co-administrator to the Sub1 subscription

You cannot add Admin1 as a co-administrator to the RG1 resource group, MG1 management group, or VM1 virtual machine.

Co-administrators have full access to all resources in a subscription, including the ability to create, read, update, and delete.

44 Question #44

  • You can delete all users, whether a license is assigned directly or via inheritance from a group membership.
  • Groups with active license assignments cannot be deleted

Topic 3

1 Question #1

Q: which storage account can be used to export the data.

Blob storage

  1. Standard General Purpose v2 storage accounts (recommended for most scenarios)
  2. Azure Import/Export service supports the following storage types:
    • Import supports Azure Blob storage and Azure File storage
    • Export supports Azure Blob storage. Azure Files not supported

The three different storage account options are: General-purpose v2 (GPv2) accounts, General-purpose v1 (GPv1) accounts, and Blob storage accounts.

  • General-purpose v2 (GPv2) accounts are storage accounts that support all of the latest features for blobs, files, queues, and tables.
  • Blob storage accounts support all the same block blob features as GPv2, but are limited to supporting only block blobs.
  • General-purpose v1 (GPv1) accounts provide access to all Azure Storage services, but may not have the latest features or the lowest per gigabyte pricing.

  • Azure Table Storage: Storage V1 & Storage V2

  • Blob Storage: Storage V1 & Storage V2 & Blob storage

2 Question #2

Q: identify the data that can be exported by using Export1.

  • Import and export support for blob storage.
  • Only import is supported for File storage; export is not supported.

container1: Blob containers like container1 are the primary data target for Azure Import/Export jobs.

Q: Plan to use an Azure Import/Export job. What can you use as the destination of the imported data

A. Azure Blob Storage

3 Question #3

  • Minimize the number of secrets used.

    • Access Control (IAM)
    • Shared access signatures (SAS)
  • Ensure that App2 can only read from storage1 for the next 30 days.

  • Since App1 uses a managed identity, App1 can access the storage account via IAM (no secret needed).

  • We need temp access for App2, so we need to use SAS.

4 Question #4

Tiering

  • Tier your object storage data to hot, cool, or archive in Blob storage and General Purpose v2 (GPv2) accounts.
  • General Purpose v1 (GPv1) accounts do not support tiering

Geo-redundant storage (GRS): Cross-regional replication to protect against region-wide

5 Question #5

Synchronize the files in the file share named data to an on-premises server

  1. Step 1: Install the Azure File Sync agent on Server1.
  2. Step 2: Register Server1. Register Windows Server with Storage Sync Service.
  3. Step 3: Create a sync group and a cloud endpoint.

6 Question #6

Transfer the data to the storage account by using the Azure Import/Export service.

  1. Step 1: Attach an external disk to Server1 and then run waimportexport.exe
  2. Step 2: From the Azure portal, create an import job.
  3. Step 3: Detach the external disks from Server1 and ship the disks to an Azure data center
  4. Step 4: From the Azure portal, update the import job

7 Question #7

Storage account named contosostorage, and then you create a file share named data.

[storageaccountname].file.core.windows.net/[FileShareName]

copy an on-premises virtual machine image to a container named vmimages

Q: You need to create the container for the planned image.

azcopy make 'https://mystorageaccount.blob.core.windows.net/vmimages'

azcopy make "https://[account-name].[blob,file,dfs].core.windows.net/[top-level-resource-name]"

8 Question #8

Azure File Sync uses a simple conflict-resolution strategy: we keep both changes to files that are changed in two endpoints at the same time.

The most recently written change keeps the original file name. The older file (determined by LastWriteTime) has the endpoint name and the conflict number appended to the filename.

  • For server endpoints, the endpoint name is the name of the server.
  • For cloud endpoints, the endpoint name is Cloud. The name follows this taxonomy:

(FileNameWithoutExtension)-(endpointName)[-#]

The older file gets the name of the hosting server appended. For example: srv01 creates a new version of "file1", so the older version (hosted on srv02) is renamed to "file1-srv02".

9 Question #9

ZRS currently supports standard general-purpose v2, FileStorage and BlockBlobStorage storage account types.

ZRS Supports the following Storage Account Types:

  • Standard GPv2 Accounts
  • Premium File Share Accounts
  • Premium Block Blob Accounts

Q: storage account (Remains available if a single data center in the region fails.)

  • Box 2: StorageV2 (general purpose V2)
  • ZRS supports only GPv2.

10 Question #10

Q: You plan to upload the disk files of a virtual machine to account1 from your on-premises network.

By default, Azure Storage accounts are accessible from everywhere.

  • A. From the Networking blade of account1, select Selected networks.
  • C. From the Networking blade of account1, add the 131.107.1.0/24 IP address range (on-premises network uses a public IP address space).

11 Question #11

Deploy an Azure File Sync Storage Sync Service, and you create a sync group.

  • Step 1: Install the Azure File Sync agent on Server1
  • Step 2: Register Server1. (Register Windows Server with Storage Sync Service)
  • Step 3: Add a server endpoint. (Create a sync group and a cloud endpoint)

12 Question #12

Azure Import/Export service to copy files to a storage account.

Q: Which two files should you create before you prepare the drives for the import job?

  • A dataset CSV file
  • A driveset CSV file

13 Question #13

Q: You need to delete the Recovery Services vault. What should you do first?

D. From the Recovery Service vault, stop the backup of each backup item

You can't delete a Recovery Services vault if it is registered to a server and holds backup data. If you try to delete a vault, but can't, the vault is still configured to receive backup data.

14 Question #14

  • To create a Vault to protect VMs, the Vault must be in the same Region as the VMs
  • Only VMs and file shares can be backed up.

File only except for vault backup

15 Question #15

Azure Import/Export service is used to securely import large amounts of data to Azure Blob storage and Azure Files by shipping disk drives to an Azure datacenter.

The maximum size of an Azure Files Resource of a file share is 5 TB.

  • Azure File Storage
  • Azure Blob Storage

16 Question #16

Locally Redundant Storage (LRS) provides highly durable and available storage within a single location (sub region). We maintain an equivalent of 3 copies

17 Question #17

AzCopy supports both Blob storage and Azure Files.

AzCopy is supported on all three operating systems (Windows 10, macOS, Linux).

18 Question #18

A server instance that requires persistent storage.

To mount file shares from within the Linux container, you need Azure file shares.

19 Question #19

The solution must ensure that App1 is available during planned maintenance of the hardware hosting VM1 and VM2.

D. two update domains

An update domain is a group of VMs and underlying physical hardware that can be rebooted at the same time.

20 Question #20

You plan to set up Azure File Sync between Server1 and the Azure file share.

  • First action: Create a Storage Sync Service
  • Second action: Create a sync group

  • Prepare Windows Server to use with Azure File Sync

    • Deploy the Storage Sync Service
    • Install the Azure File Sync agent
  • Register Windows Server with Storage Sync Service

  • Create a sync group and a cloud endpoint
  • Create a server endpoint
  • Configure firewall and virtual network settings

21 Question #21

  • Storage Account must be in the same Region as the Recovery Services Vault.
  • The location and subscription where this Log Analytics workspace can be created is independent of the location and subscription where your Vaults exist.

22 Question #22

Premium file shares are hosted in a special purpose storage account kind, called a FileStorage account.

  • Object storage data tiering between hot, cool, and archive is supported in Blob Storage and General Purpose v2 (GPv2) accounts.

Archive access tier is only supported by Blob Storage and General Purpose v2 (GPv2) accounts.

  • General Purpose v1 (GPv1) accounts don't support tiering
  • The archive tier supports only LRS, GRS, and RA-GRS.
  • The archive tier isn't supported for ZRS, GZRS, or RA-GZRS accounts

23 Question #23

Mounting an Azure file share with a SAS token is currently not supported; only the storage account key is supported.

Since "net use" mounts over SMB, and the SMB (Server Message Block) protocol does not support SAS, it still asks for a username/password. Accordingly, it will return a wrong username/password error and will not grant access.

24 Question #24

You need to ensure that the data in the storage account is protected if a zone fails.

Upgrade the account to general-purpose v2.

  • Standard general-purpose v1 = LRS/GRS/RA-GRS (No ZRS)
  • Blob Storage = LRS/GRS/RA-GRS(No ZRS)
  • Standard general-purpose v2 = LRS/ZRS/GRS/RA-GRS/GZRS/RA-GZRS

The lifecycle management feature is available in all Azure regions for general purpose v2 (GPv2) accounts, blob storage accounts, premium block blobs storage accounts, and Azure Data Lake Storage Gen2 accounts.

25 Question #25

Server Message Block (SMB) is used to connect to an Azure file share over the internet. The SMB protocol requires TCP port 445 to be open

26 Question #26

  1. VirtualNetworkRules & IpRules are blank, with the default action
    • Default action is allow. IP is allowed. (NetworkACLs are blank. Default Action Allow)
  2. Storagev2 allows tiering
  3. To access blob data in the Azure portal with Azure AD credentials, a user must have the following role assignments:
    • The Azure Resource Manager Reader role
    • A data access role, such as Storage Blob Data Contributor

27 Question #27

Q: Prevent new content added to container1 from being modified for one year.

B. an access policy

Time-based retention policies: With a time-based retention policy, users can set policies to store data for a specified interval.

When a time-based retention policy is set, objects can be created and read, but not modified or deleted.

After the retention period has expired, objects can be deleted but not overwritten.

Access policy can set retention policy.
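The Q27 answer in practice, as an added example that is not part of the original notes: a time-based retention policy of one year on container1, with the lock step left opt-in because locking cannot be undone. Assumed names: RG1, storage1, container1; it requires the Az.Storage module and a prior Connect-AzAccount.

```powershell
# Added example: one-year WORM retention on a container (Q27).
# Assumed names: RG1, storage1, container1 (placeholders for the notes' scenario).
$rg        = 'RG1'
$account   = 'storage1'
$container = 'container1'

# Unlocked policy: new blobs cannot be modified or deleted for 365 days,
# but the policy itself can still be changed or removed while you verify it.
Set-AzRmStorageContainerImmutabilityPolicy -ResourceGroupName $rg `
    -StorageAccountName $account -ContainerName $container `
    -ImmutabilityPeriod 365

# Read the policy back; its Etag is needed to lock it.
$policy = Get-AzRmStorageContainerImmutabilityPolicy -ResourceGroupName $rg `
    -StorageAccountName $account -ContainerName $container
$policy

# Locking is irreversible: afterwards the period can only be extended, never
# shortened, and the policy cannot be deleted. Flip this only once verified.
$lockPolicy = $false
if ($lockPolicy) {
    Lock-AzRmStorageContainerImmutabilityPolicy -ResourceGroupName $rg `
        -StorageAccountName $account -ContainerName $container `
        -Etag $policy.Etag -Force
}
```

A legal hold is the second policy type that counts toward the limit of two described in Q39; it is added separately with Add-AzRmStorageContainerLegalHold.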

28 Question #28

Files in the archive tier CANNOT be read as documented by Microsoft:

"While a blob is in archive storage, the blob data is offline and can't be read or modified. To read or download a blob in archive, you must first rehydrate it to an online tier."

29 Question #29

To access blob data in the Azure portal with Azure AD credentials, a user must have the following role assignments:

  • A data access role, such as Storage Blob Data Reader or Storage Blob Data Contributor
  • The Azure Resource Manager Reader role, at a minimum
    • The Reader role is an Azure Resource Manager role that permits users to view storage account resources, but not modify them

30 Question #30

Storage object replication

  • Account type: StorageV2 or BlobStorage only
  • Object type to create in the new account: Container
    • Object Replication supports General Purpose V2 and Premium Blob accounts.
    • Blob versioning should be enabled on both the source and destination storage account.
    • Change feed is enabled on the source storage account

31 Question #31

You need to copy the contents of D:\Folder1 to the public container in an Azure Storage account named contosodata.

azcopy copy D:\folder1 https://contosodata.blob.core.windows.net/public --recursive

32 Question #32

set Account kind for storage1 to BlockBlobStorage.

Which setting should you modify first?

A. Performance

Portal > Create a storage account > Basics > If you need to create a legacy storage account type, please click here > Performance = Premium > Account kind = BlockBlobStorage

33 Question #33

Q: one of the containers, you need to use a different key to encrypt data at rest.

D. Create an encryption scope.

Encryption scopes enable you to manage encryption with a key that is scoped to a container or an individual blob. You can use encryption scopes to create secure boundaries between data that resides in the same storage account but belongs to different customers

By creating an encryption scope, you can use a customer-managed key, stored in Azure Key Vault, to encrypt the data in that specific container

Q Storage1, you create an encryption scope named Scope1.

Which storage types can you encrypt by using Scope1?

containers only

  • Encryption scopes enable you to manage encryption with a key that is scoped to a container or an individual blob

34 Question #34

  • deleteRetentionPolicy is 7 days, so deleted blobs cannot be restored after 7 days; in other words, the soft-deleted copy is removed after 7 days.
  • allowBlobPublicAccess is true, so anyone can access the blob, not just on Azure.
  • kind is Standard_LRS, so 3 local copies are stored.

35 Question #35

  • tierToArchive because it's the lowest cost tier, and doesn't say anything about needing to read data after 90 days. However, rehydration costs will occur if they did need to read it.
  • prefixMatch because we only want the blob in the container1.

36 Question #36

  1. Create Recovery Services Vault,
  2. Set Replication Policy to ZRS (because of the requirement for having in three separate zones)
  3. For VM1, create a backup policy

37 Question #37

  • Upload an append blob to container1.
  • Create a file share in storage 1.
  • Add data to table1.

Azure Storage Explorer does not have the ability to create a new storage account directly. Instead, you can use Azure Storage Explorer to connect to and manage existing storage accounts in Azure.

38 Question #38

E. an RSA key type with a key size of 2048, 3072, or 4096 only

39 Question #39

Max stored access policies: 3, because max total of stored access policy is 5 and we already have 2, so additional 3 available.

Max immutable blob storage: 1, because max total of immutable blob storage policy is 2 - one Legal hold policy and one Time-based retention policy. We already have one, so additional 1 available.

40 Question #40

If you define more than one action on the same blob, lifecycle management applies the least expensive action to the blob.

For example, action delete is cheaper than action tierToArchive. Action tierToArchive is cheaper than action tierToCool.

41 Question #41

Lifecycle management policies are supported for

  • block blobs
  • append blobs in general-purpose v2,
  • premium block blob,
  • Blob Storage accounts.

The Archive access tier:

Only storage accounts that are configured for LRS, GRS, or RA-GRS support moving blobs to the archive tier.

No ZRS support for the archive access tier.

The archive tier isn't supported for ZRS, GZRS, or RA-GZRS accounts.

tierToCool: supported for blockBlob

42 Question #42

Q: Share1 must support SMB Multichannel (minimize costs).

A. Premium performance with locally-redundant storage (LRS)

43 Question #43

Q: You plan to use conditions when assigning role-based access control (RBAC) roles to storage1.

E. containers and queues only

44 Question #44

Azure CNI provides dedicated network interfaces for pods, integrating them with Azure VNets.

AKS and the CNI VNet must be in the same region.

Kubenet is an internal networking component that doesn't require VNets.

45 Question #45

Azure Resource Manager template ensure that NGINX is available on all the virtual machines after they are deployed.

  • C. a Desired State Configuration (DSC) extension

To ensure that NGINX is available on all the virtual machines in a virtual machine scale set, you can use the Desired State Configuration (DSC) extension

Correct Answers

  • a Desired State Configuration (DSC) extension
  • Azure Custom Script Extension

Q: To enable Desired State Configuration for VM1.

B. Start VM1.

The DSC extension for Windows requires that the target virtual machine is able to communicate with Azure.

46 Question #46

After a storage account is created, only the encryption type can be changed.

"Enabled support for customer-managed keys" and "Infrastructure Encryption" both cannot be changed.

47 Question #47

You need to configure encryption for the account. The solution must meet the following requirements:

  • Use a customer-managed key stored in a key vault.
  • Use the maximum supported bit length.

    • Key: RSA
    • Bit length: 4096

48 Question #48

Q: users can view only specific blobs based on blob index tags

A. a role assignment condition

An Azure role assignment condition is an optional check that you can add to your role assignment to provide more fine-grained access control. For example, you can add a condition that requires an object to have a specific tag to read the object.

49 Question #49

  • Configure Azure Disk Encryption to use a key encryption key (KEK).
  • You need to prepare Vault1 for Azure Disk Encryption.

  • Create a new key.

  • Select Azure Disk Encryption for volume encryption.

40 Question #40

Encrypt both the operating system disk and the data disks

C. Azure Disk Encryption

41 Question #41

To configure read access to a container in an Azure Storage account while allowing both HTTP and HTTPS protocols and applying access permissions to all the content in the container, you should use a Shared Access Signature (SAS).

Shared Access Signatures (SAS) are used to grant limited access to specific resources in your storage account while maintaining fine-grained control over the allowed operations, including read access.

42 Question #42

Rehydrated files (that were in the archive tier first and then returned to hot or cool) wouldn't necessarily be archived after 30 days - as there's a condition that the last tier change must be at least 7 days ago. (I'll leave it open how these files became archived in the first place, before 30 days after creation...)

43 Question #43

Azure Storage Explorer on Windows / macOS / Android

No Ubuntu Linux

44 Question #44

  • The minimum number of copies of the storage account will be Three
  • To reduce the cost of infrequently accessed data in the storage account, you must modify the "Access tier" setting.
    • Infrequently used data can be stored most cost-efficiently on the cold access tier

45 Question #45

SAS

  • Ensure that the SAS can only be used to enumerate and download blobs stored in container1.
  • Use the principle of least privilege.

Container:

  • "Grants access to the content and metadata of any blob in the container, and to the list of blobs in the container."
  • Specifying "Object" additionally would be redundant because it is a subset of "Container".

  • List: "List blobs non-recursively."

    • Satisfies the requirement of enumeration.

Read:

  • "Read the content, blocklist, properties, and metadata of any blob in the container or directory. Use a blob as the source of a copy operation."
  • Satisfies the requirement of download.
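The Q3 and Q45 answers carried through, as an added example that is not part of the original notes: App1 gets a data-plane role on its managed identity (no secret), and App2 gets a container SAS limited to read + list for 30 days. Assumed names: RG1, storage1, container1, and a placeholder object ID for App1's identity; it requires the Az.Accounts, Az.Resources and Az.Storage modules and a prior Connect-AzAccount.

```powershell
# Added example: least-privilege access to a container (Q3 and Q45).
# Assumed names: RG1, storage1, container1 (placeholders for the notes' scenario).
$rg        = 'RG1'
$account   = 'storage1'
$container = 'container1'

# --- App1: managed identity, no secret at all (IAM / RBAC) ---
# Placeholder: replace with the object ID of App1's managed identity.
$app1ObjectId = '00000000-0000-0000-0000-000000000000'
$accountId = (Get-AzStorageAccount -ResourceGroupName $rg -Name $account).Id

# Data-plane role scoped to the single container, not the whole account.
New-AzRoleAssignment -ObjectId $app1ObjectId `
    -RoleDefinitionName 'Storage Blob Data Reader' `
    -Scope "$accountId/blobServices/default/containers/$container"

# --- App2: no identity, so a time-boxed SAS ---
# The account key is used only here, to sign the token; App2 never sees it.
$key = (Get-AzStorageAccountKey -ResourceGroupName $rg -Name $account)[0].Value
$ctx = New-AzStorageContext -StorageAccountName $account -StorageAccountKey $key

# Container-level SAS (sr=c) with read + list only: enough to enumerate and
# download blobs (Q45), nothing else. Expiry is 30 days (Q3), HTTPS only,
# and a small clock-skew allowance on the start time.
$sas = New-AzStorageContainerSASToken -Name $container -Context $ctx `
    -Permission 'rl' `
    -StartTime (Get-Date).AddMinutes(-5) `
    -ExpiryTime (Get-Date).AddDays(30) `
    -Protocol HttpsOnly

# Sanity check before handing it out: permissions and resource type must be
# exactly read+list on a container (the cmdlet returns the token with a leading '?').
if ($sas -notmatch 'sp=rl' -or $sas -notmatch 'sr=c') {
    throw 'SAS is broader than read+list on the container'
}

# What App2 receives: a URL with the token, no key.
$app2Url = "https://$account.blob.core.windows.net/$container$sas"
$app2Url
```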

46 Question #46

  • Public Access is enabled for blob
  • Azure Storage Account Contributor role can't access the file share

Topic 4

1 Question #1

Q: Deploy a YAML file to AKS1.

  • Solution: From Azure CLI, you run az aks. (No)
  • Solution: From Azure CLI, you run the kubectl client. (Yes)
  • From Azure CLI, you run azcopy (No)

2 Question #2

You need to create an alert in Azure when more than two error events are logged to the System event log on VM1 within an hour.

Q: Solution: You create an Azure storage account and configure shared access signatures (SASs). You install the Microsoft Monitoring Agent on VM1. You create an alert in Azure Monitor and specify the storage account as the source.

No

You need to specify a Log Analytics workspace, not a storage account.

Q: Solution: You create an event subscription on VM1. You create an alert in Azure Monitor and specify VM1 as the source.

Correct Answer: B - No

  1. You create an Azure Log Analytics workspace and configure the data settings.
  2. You install the Microsoft Monitoring Agent on VM1.
  3. You create an alert in Azure Monitor and specify the Log Analytics workspace as the source

Q: Solution: You create an Azure Log Analytics workspace and configure the Agent configuration settings. You install the Microsoft Monitoring Agent on VM1. You create an alert in Azure Monitor and specify the Log Analytics workspace as the source. (Yes)

  • Log analytics agent - Install in VM.
  • Log analytics workspace - collect the log files from Log Analytics Agent.
  • Azure Monitor - Create alert based on logs read from Log Analytics Workspace

Q: Solution: You create an Azure Log Analytics workspace and configure the data settings. You add the Microsoft Monitoring Agent VM extension to VM1. You create an alert in Azure Monitor and specify the Log Analytics workspace as the source. (No)

  • You add the Microsoft Monitoring Agent VM extension to VM1 > This is WRONG
  • You Install the Microsoft Monitoring Agent VM agent to VM1 > This is Correct

Q: Solution: You create an Azure Log Analytics workspace and configure the data settings. You install the Microsoft Monitoring Agent on VM1. You create an alert in (Yes)

3 Question #3

Q: You need to move the custom application(VM1) to VNet2. The solution must minimize administrative effort.

  • First action: Delete VM1.
  • Second action: Create a new virtual machine.

We cannot just move a virtual machine between networks. What we need to do is identify the disk used by the VM, delete the VM itself while retaining the disk, and recreate the VM in the target virtual network and then attach the original disk to it.

Note: You can change the Subnet a VM is connected to after it's created, but you cannot change the VNet.

4 Question #4

Q: You need to modify the template to reference an administrative password. You must prevent the password from being stored in plain text.

A. an Azure Key Vault and an access policy

5 Question #5

ASP.NET Core apps can be hosted both on Windows or Linux

ASP.NET apps can be hosted on Windows only.

6 Question #6

When the scale set virtual machines are provisioned, they have web server components installed.

A. Upload a configuration script

D. Modify the extensionProfile section of the Azure Resource Manager template

7 Question #7

install the kubectl client on Computer1.

az aks install-cli command.

8 Question #8

You need to use Azure Automation State Configuration to manage the ongoing consistency of the virtual machine configurations

  1. Create and upload a configuration to Azure Automation
  2. Compile a configuration into a node configuration
  3. Check the compliance status of the node.

  • Step 1: Create and upload a configuration to Azure Automation
  • Step 2: Compile a configuration into a node configuration
  • Step 3: Register a VM to be managed by State Configuration
  • Step 4: Specify configuration mode settings
  • Step 5: Assign a node configuration to a managed node
  • Step 6: Check the compliance status of a managed node

9 Question #9

Ensure that App1 always runs on at least eight virtual machines during planned Azure maintenance.

A. one virtual machine scale set that has 10 virtual machines instances

No more than 20% of the Scale Set upgrading at any time, then 2 machines out of 10 will have maintenance, the 8 remaining VMs will be up.

10 Question #10

move VM1 to a different host immediately.

  • Solution: From the Redeploy blade, you click Redeploy.

A. Yes

When you redeploy a VM, it moves the VM to a new node within the Azure infrastructure and then powers it back on, retaining all your configuration options and associated resources

  • Solution: From the Update management blade, you click Enable

Correct Answer: B

You would need to redeploy the VM

11 Question #11

Q: VM1 connects to VNET1. You need to connect VM1 to VNET2.

  • Solution: You move VM1 to RG2, and then you add a new network interface to VM1. (No)

Instead, you should delete VM1. Then recreate VM1 and add the network interface for VM1

To migrate a VM from one VNet to another, the only option is to delete the VM and redeploy it using a new NIC connected to VNET2.

  • Solution: You delete VM1. You recreate VM1, and then you create a new network interface for VM1 and connect it to VNET2. (Yes)

  • Solution: You turn off VM1, and then you add a new network interface to VM1

Correct Answer: B - No

12 Question #12

There are 10 update domains.

  • The 14 VMs are shared across the 10 update domains so four update domains will have two VMs and six update domains will have one VM.
  • Only one update domain is rebooted at a time. Therefore, a maximum of two VMs will be offline.

14 VM in 2 Fault Domain

  • There are 2 fault domains.
  • The 14 VMs are shared across the 2 fault domains, so 7 VMs in each fault domain
  • A rack failure will affect one fault domain so 7 VMs will be offline.

13 Question #13

To be able to access applications on Kubernetes, you need an application load balancer created by Azure, which has a public IP.

Note: 10.X.X.X range is private

14 Question #14

  • 1) Internet users "can connect to the container from any device" (No Access restrictions are specified)
  • 2) If Internet Information Services (IIS) in the container fails, "the container will restart automatically". (The "restartPolicy" is set as "OnFailure".)

15 Question #15

Q Which change will cause downtime for VM1?

While resizing, the VM must be in a stopped state, therefore there will be a downtime.

C. Change the size to D8s v3

16 Question #16

You need to ensure that the App1 update is tested before the update is made available to users.

  • A. Swap the slots
  • D. Deploy the App1 update to webapp1-test, and then test the update

Deploying an app to a slot first (Test in this case) and swapping it into production makes sure that all instances of the slot are warmed up before being swapped into production.

17 Question #17

Record all the successful and failed connection attempts to VM1

  • A. Enable Azure Network Watcher in the East US Azure region.
  • E. Register the Microsoft.Insights resource provider.
  • F. Enable Azure Network Watcher flow logs.

18 Question #18

ScaleSetVM orchestration mode: Virtual machine instances added to the scale set are based on the scale set configuration model.

ScaleSetVM orchestration mode

ScaleSetVM orchestration mode (the default mode) treats the instances in the scale set as a set, making it easier to manage them as a group, which is ideal for deploying multiple instances quickly

VM (virtual machines) orchestration mode.

VM (virtual machines) orchestration mode allows you to manage each instance of a virtual machine as a separate entity. This is mainly used for situations where you want to customize the instances individually.

19 Question #19

Need to view the date and time when the resources were created in RG1.

Solution: From the Subscriptions blade, you select the subscription, and then click Programmatic deployment.

B. No

From the RG1 blade, click Deployments. You see a history of deployment for the resource group

Solution: From the RG1 blade, you click Automation script.

B. No

From the RG1 blade, click Deployments. You see a history of deployment for the resource group.

20 Question #20

A read-only lock on a resource group prevents you from moving existing resources in or out of the resource group.

21 Question #21

To create a vault to protect virtual machines, the vault must be in the same region as the virtual machines. If you have virtual machines in several regions, create a Recovery Services vault in each region

22 Question #22

Q configure cluster autoscaler for AKS1.

  • B: The az aks command is used for the AKS cluster configuration.
  • D: Azure portal, under node pools, press scale, then choose auto scale.

Q You need to deploy App1 to Cluster1.

  • B: You should sign in and push a container image to Container Registry.
  • Run the az acr build command to build and push the container image.

21 Question #21

  • Deploy a Linux virtual machine named VM1 to Subscription1.
  • need to monitor the metrics and the logs of VM1.

B. Linux Diagnostic Extension (LAD) 3.0

The Linux diagnostic extension helps a user monitor the health of a Linux VM running on Microsoft Azure. It has the following collection capabilities:

  • Metrics
  • Syslog
  • Files

22 Question #22

  • Go to resource > template > save to library.

View library > deploy template, It prepopulates the subscription but you have to set an RG. VM Name can be customized, admin user/pass are pulled from template.

  • view the template used for the deployment.

B. RG1

  1. Go to the resource group that contains your new resources.
  2. You see a history of deployments for the group.
  3. The portal displays a summary of the deployment. The summary includes the status of the deployment and its operations and the values that you provided for parameters

23 Question #23

We need to modify the size of the VM to increase the number of vCPU's assigned to the VM. This can be included as a task in the runbook.

The VM size property can be modified by a runbook that is triggered by metrics, but you can schedule it monthly.

E: DSC is only useful to keep the resources on a VM (OS, File shares, etc.) in a consistent state, not to change VM properties.

24 Question #24

  • Containers will be assigned an IP address in the subnet.

The Pod CIDR, because containers live inside Pods.

  • The Service CIDR is used to assign internal services in the AKS cluster an IP address.

25 Question #25

Q: Which changes will be lost after you redeploy VM1?

C. the new files on drive D

  • For Windows Server, the temporary disk is mounted as “D:\”.
  • For Linux based VM’s the temporary disk is mounted as “/dev/sdb1”.

26 Question #26

When you swap deployment slots, Azure swaps the Virtual IP addresses of the source and destination slots, thereby swapping the URLs of the slots. We can easily revert the deployment by swapping back.

27 Question #27

  • You can perform a file recovery of

Box 1: Any Windows computer that has Internet connectivity

  • You can restore VM1 to

VM1 or a new Azure virtual machine only

For restoring a VM, you can choose 'Create new' or 'Replace existing'.

28 Question #28

Q Backup Pre-Check status displays a status of Warning

B. VM1 does not have the latest version of the Azure VM Agent (WaAppAgent.exe) installed.

The Warning state indicates one or more issues in VM's configuration that might lead to backup failures and provides recommended steps to ensure successful backups.

Not having the latest VM Agent installed, for example, can cause backups to fail intermittently and falls in this class of issues.

29 Question #29

Q: VM1 will be affected by maintenance; you need to move VM1 to a different host immediately.

Solution: From the Overview blade, you move the virtual machine to a different resource group. B. No

You would need to redeploy the VM.

30 Question #30

  • first box: platformFaultDomainCount should be 3 (since it's in East US)
  • Use 20 for platformUpdateDomainCount

A higher number for the pool (20 is max) means that fewer of their nodes in any given availability set would be rebooted at once.

31 Question #31

The default scale-in and scale-out durations are 10 minutes, with a 5-minute cooldown.

32 Question #32

Create a virtual machine by using an Azure Resource Manager (ARM) template.

New-AzResourceGroupDeployment -ResourceGroupName RG1

33 Question #33

You need to restore the backup to VM2.

B. From VM2, install the Microsoft Azure Recovery Services Agent.

33 Question #33

  • Solution: You create NIC2 in RG1 and West US. A. Yes
  • Solution: You create NIC2 in RG2 and Central US. B. No
  • Solution: You create NIC2 in RG2 and West US. A. Yes

Resource Group doesn't matter in this question, as long as the NIC is in the same location as the VNET & VM

The virtual machine you attach a network interface to and the virtual network you connect it to must exist in the same location, here West US, also referred to as a region

  • Multiple NICs allow a VM to connect to different subnets
  • VM must have at least one NIC. A virtual machine can have more than one NIC, depending on the size of the VM you create
  • Each NIC attached to a VM must exist in the same location and subscription as the VM
  • Each NIC must be connected to a VNet that exists in the same Azure location and subscription as the NIC

34 Question #34

New-AzDeployment: adds a deployment at the current subscription scope.

New-AzResourceGroupDeployment: adds a deployment to an existing resource group.

  • Use New-AzDeployment for deploying resources at the subscription level.
  • Use New-AzResourceGroupDeployment for deploying resources within a specific resource group.

The arm template is creating a resource group. So the scope of deployment must be subscription level

By using New-AzResourceGroupDeployment command -> "Adds an Azure deployment to a resource group."

New-AzSubscriptionDeployment

This cmdlet is used to deploy resources at the subscription level, which is required when creating new resource groups, as they are a subscription-level resource.
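The Q32/Q34 scope distinction carried through, as an added example that is not part of the original notes: the resource group is created by a subscription-scope deployment, and a storage account is then placed into it by a resource-group-scope deployment. Assumed: resource group RG1, location eastus, a constructed storage account name, and a prior Connect-AzAccount with the Az.Resources module.

```powershell
# Added example: subscription-scope vs resource-group-scope deployments (Q32/Q34).
# Assumed names: RG1 and eastus (placeholders for the notes' scenario).
$location = 'eastus'
$rgName   = 'RG1'

# Subscription-scope template (note the schema): it creates RG1 itself, so it
# cannot be deployed with New-AzResourceGroupDeployment (no group exists yet).
$subTemplate = @{
    '$schema'      = 'https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#'
    contentVersion = '1.0.0.0'
    resources      = @(
        @{
            type       = 'Microsoft.Resources/resourceGroups'
            apiVersion = '2021-04-01'
            name       = $rgName
            location   = $location
        }
    )
}

# -Location is required here: it is where the deployment metadata is stored
# (Q43), independent of where the deployed resources end up.
New-AzDeployment -Name 'create-rg1' -Location $location -TemplateObject $subTemplate

# Resource-group-scope template that puts a hardened storage account into RG1:
# no anonymous blob access, HTTPS only, TLS 1.2 minimum.
$rgTemplate = @{
    '$schema'      = 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
    contentVersion = '1.0.0.0'
    parameters     = @{ accountName = @{ type = 'string' } }
    resources      = @(
        @{
            type       = 'Microsoft.Storage/storageAccounts'
            apiVersion = '2022-09-01'
            name       = "[parameters('accountName')]"
            location   = "[resourceGroup().location]"
            sku        = @{ name = 'Standard_LRS' }
            kind       = 'StorageV2'
            properties = @{
                allowBlobPublicAccess    = $false
                supportsHttpsTrafficOnly = $true
                minimumTlsVersion        = 'TLS1_2'
            }
        }
    )
}

# Constructed account name (must be globally unique, 3-24 lowercase alphanumerics).
$accountName = 'stg' + (Get-Random -Maximum 99999999)

New-AzResourceGroupDeployment -Name 'create-storage' -ResourceGroupName $rgName `
    -TemplateObject $rgTemplate `
    -TemplateParameterObject @{ accountName = $accountName }
```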

35 Question #35

Q: You need to configure a daily backup of WebApp1. The solution must ensure that Folder2 is excluded from the backup.

  • First create: an Azure Storage account (App Service backups are written to a blob container, not to a Recovery Services vault)
  • To exclude Folder2, use: a _backup.filter file placed in D:\home\site\wwwroot, listing one excluded path per line

You need a Recovery Services vault if you want to back up VMs, Azure file shares, SAP HANA in a VM or SQL Server in a VM.

  • App Service backs up to a storage account
  • Exclusions are defined in the _backup.filter file
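An added example (not part of the original notes) of the whole procedure for this question: a container and a scoped SAS on the storage account, the _backup.filter content, and the daily schedule. RG1, WebApp1, the storage account name stbackup1, the container name and the path of Folder2 are illustrative assumptions; the Kudu upload step is only described in a comment because it depends on whether basic-auth publishing credentials are enabled on the app.

```powershell
# Added example: daily App Service backup of WebApp1 to a storage account, excluding Folder2.
# Assumes RG1, WebApp1 (Standard tier or higher) and storage account stbackup1 already exist.
$rg = 'RG1'; $app = 'WebApp1'; $sa = 'stbackup1'

# 1. Storage target: a private container and a SAS limited to that container.
#    The backup service needs read/write/delete/list on the container only.
$ctx = (Get-AzStorageAccount -ResourceGroupName $rg -Name $sa).Context
New-AzStorageContainer -Name 'webapp1-backups' -Context $ctx -Permission Off | Out-Null
$sasUrl = New-AzStorageContainerSASToken -Name 'webapp1-backups' -Context $ctx `
    -Permission rwdl -ExpiryTime (Get-Date).AddYears(1) -FullUri

# 2. Exclusion list. _backup.filter lives in D:\home\site\wwwroot; each line is a path
#    relative to D:\home. Copy this file into the app via Kudu (https://<app>.scm.azurewebsites.net,
#    Debug console or the /api/vfs/ endpoint) or FTPS before the first scheduled run.
$filter = @'
\site\wwwroot\Folder2
'@
$filterFile = Join-Path ([System.IO.Path]::GetTempPath()) '_backup.filter'
Set-Content -Path $filterFile -Value $filter -Encoding ascii

# 3. Daily schedule starting tomorrow at 02:00 local time, 30-day retention,
#    never delete the last remaining backup.
Edit-AzWebAppBackupConfiguration -ResourceGroupName $rg -Name $app -StorageAccountUrl $sasUrl `
    -FrequencyInterval 1 -FrequencyUnit Day -RetentionPeriodInDays 30 `
    -StartTime (Get-Date).Date.AddDays(1).AddHours(2) -KeepAtLeastOneBackup

# 4. Checks: the schedule as stored, and the status of recent backups.
Get-AzWebAppBackupConfiguration -ResourceGroupName $rg -Name $app |
    Format-List Enabled, FrequencyInterval, FrequencyUnit, RetentionPeriodInDays, StartTime
Get-AzWebAppBackupList -ResourceGroupName $rg -Name $app |
    Select-Object -Last 3 Name, BackupStatus, Created
```

Rotate the SAS before it expires and re-run Edit-AzWebAppBackupConfiguration with the new URL; an expired SAS silently fails every scheduled backup.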

36 Question #36

Azure Resource Manager (ARM) template: you need to join the virtual machine to an Active Directory domain. The join is done with the JsonADDomainExtension VM extension:

  • Type: "Microsoft.Compute/virtualMachines/extensions"
  • "protectedSettings": "Password" (the domain-join account password belongs in protectedSettings, which are encrypted and decrypted only inside the VM; plain "settings" are stored and logged in clear text)

37 Question #37

To ensure that you can integrate AKS1 with an Azure container registry, you must modify the setting.

AKS-managed Azure Active Directory

38 Question #38

az aks nodepool update -n pool1 -g RG1 --cluster-name cluster1 --max-surge 2

  • az aks nodepool update --max-surge 2 sets the upgrade surge: during a node pool upgrade up to two extra nodes are added temporarily so that two existing nodes can be cordoned and drained at a time. It does not change the steady-state node count.
  • az aks nodepool scale --node-count 2 changes the number of running nodes from 4 to 2.

39 Question #39

Multi-container groups in Azure Container Instances currently support only Linux containers.

40 Question #40

You plan to deploy an Instance of Azure Firewall Premium named FW1.

Azure Firewall

  • Dynamic IPv4: No
  • Static IPv4: Yes
  • Dynamic IPv6: No
  • Static IPv6: No

Azure Firewall supports standard SKU public static IPv4 addresses.

41 Question #41

Deploy a virtual machine by using an Azure Resource Manager (ARM) template.

  • dependsOn: "[resourceId('Microsoft.Network/networkInterfaces', ...)]" so the NIC is created before the VM that references it
  • storageProfile: imageReference (publisher, offer, sku, version)
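An added example (not from the original notes) covering this question and Question #36 together: a resource-group-scoped template that creates the NIC, a VM that dependsOn it via resourceId() and is built from an imageReference, and a JsonADDomainExtension that joins the domain with the password in protectedSettings. VNet1/Subnet1 in RG1, the image, the domain name and the account names are illustrative assumptions.

```powershell
# Added example: NIC -> VM -> domain-join extension in one ARM template, deployed to RG1.
# Assumes RG1 with VNet1/Subnet1 already exists; names, image and domain are illustrative.
$template = @'
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "vmName":             { "type": "string" },
    "adminUsername":      { "type": "string" },
    "adminPassword":      { "type": "securestring" },
    "domainToJoin":       { "type": "string" },
    "domainJoinUser":     { "type": "string" },
    "domainJoinPassword": { "type": "securestring" },
    "subnetId":           { "type": "string" }
  },
  "variables": { "nicName": "[concat(parameters('vmName'), '-nic')]" },
  "resources": [
    {
      "type": "Microsoft.Network/networkInterfaces",
      "apiVersion": "2023-04-01",
      "name": "[variables('nicName')]",
      "location": "[resourceGroup().location]",
      "properties": { "ipConfigurations": [ { "name": "ipconfig1", "properties": {
        "privateIPAllocationMethod": "Dynamic", "subnet": { "id": "[parameters('subnetId')]" } } } ] }
    },
    {
      "type": "Microsoft.Compute/virtualMachines",
      "apiVersion": "2023-03-01",
      "name": "[parameters('vmName')]",
      "location": "[resourceGroup().location]",
      "dependsOn": [ "[resourceId('Microsoft.Network/networkInterfaces', variables('nicName'))]" ],
      "properties": {
        "hardwareProfile": { "vmSize": "Standard_B2s" },
        "osProfile": { "computerName": "[parameters('vmName')]",
                       "adminUsername": "[parameters('adminUsername')]",
                       "adminPassword": "[parameters('adminPassword')]" },
        "storageProfile": {
          "imageReference": { "publisher": "MicrosoftWindowsServer", "offer": "WindowsServer",
                              "sku": "2022-datacenter-azure-edition", "version": "latest" },
          "osDisk": { "createOption": "FromImage", "managedDisk": { "storageAccountType": "Standard_LRS" } }
        },
        "networkProfile": { "networkInterfaces": [
          { "id": "[resourceId('Microsoft.Network/networkInterfaces', variables('nicName'))]" } ] }
      }
    },
    {
      "type": "Microsoft.Compute/virtualMachines/extensions",
      "apiVersion": "2023-03-01",
      "name": "[concat(parameters('vmName'), '/joindomain')]",
      "location": "[resourceGroup().location]",
      "dependsOn": [ "[resourceId('Microsoft.Compute/virtualMachines', parameters('vmName'))]" ],
      "properties": {
        "publisher": "Microsoft.Compute",
        "type": "JsonADDomainExtension",
        "typeHandlerVersion": "1.3",
        "autoUpgradeMinorVersion": true,
        "settings": {
          "Name": "[parameters('domainToJoin')]",
          "User": "[concat(parameters('domainJoinUser'), '@', parameters('domainToJoin'))]",
          "Restart": "true",
          "Options": "3"
        },
        "protectedSettings": { "Password": "[parameters('domainJoinPassword')]" }
      }
    }
  ]
}
'@
$templateFile = Join-Path ([System.IO.Path]::GetTempPath()) 'vm-domainjoin.json'
Set-Content -Path $templateFile -Value $template -Encoding utf8

$subnetId = (Get-AzVirtualNetwork -ResourceGroupName 'RG1' -Name 'VNet1' |
             Get-AzVirtualNetworkSubnetConfig -Name 'Subnet1').Id

# securestring parameters are never written to deployment history or the activity log,
# and protectedSettings are encrypted at rest and decrypted only inside the VM.
$params = @{
    vmName             = 'VM1'
    adminUsername      = 'localadmin'
    adminPassword      = Read-Host -AsSecureString 'Local admin password'
    domainToJoin       = 'corp.contoso.com'
    domainJoinUser     = 'svc-domainjoin'     # least-privilege account delegated to join computers
    domainJoinPassword = Read-Host -AsSecureString 'Domain join password'
    subnetId           = $subnetId
}
New-AzResourceGroupDeployment -Name 'vm1-domainjoin' -ResourceGroupName 'RG1' `
    -TemplateFile $templateFile -TemplateParameterObject $params -Verbose
```

Options "3" is NETSETUP_JOIN_DOMAIN plus NETSETUP_ACCT_CREATE; the VM must be able to reach a domain controller over the VNet (DNS on VNet1 pointing at the domain) before the extension runs.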

42 Question #42

Pricing plan: given the requirements (auto-scaling plus a custom domain), the best option is the Standard tier.

It offers both autoscale and custom domains while being less expensive than the Premium or Isolated tiers.

The Basic tier supports custom domains but only manual scaling (no autoscale); the Free tier supports neither custom domains nor scaling, and the Shared tier has no autoscale either.

43 Question #43

  • The location of the deployment is separate from the location of the resources you deploy
  • For each deployment name, the location is immutable. You can't create a deployment in one location when there's an existing deployment with the same name in a different location.

44 Question #44

Start at 2 instances. After 15 minutes above 70% CPU, +1 instance (3).

  • 5-minute cool down, still above 70%, +1 instance (4)
  • 5-minute cool down, still above 70%, +1 instance (5)
  • 5-minute cool down, still above 70%, but the maximum is 5 instances, so it stays at 5

45 Question #45

Windows containers

Azure Container Instances / Azure App Service

Linux containers

Azure Container Instances / Azure Container Apps / Azure App Service (Azure Container Apps runs Linux containers only)

46 Question #46

The NIC acts as the bridge between the VM and the other network resources like the virtual network, public IP, and network security group. Hence, it's essential to ensure that NIC1 is deployed before VM1.

47 Question #47

The scope property explicitly targets the resource group the storage account is deployed to. It must match the intended target resource group, RG1 in this case. In Bicep, deploying a new resource into a resource group other than the one the file is deployed to is done through a module whose scope is set to resourceGroup('RG1').

The sku property defines the performance and redundancy tier; it has nothing to do with deployment targeting.

  • kind (required) - value: 'BlobStorage', 'BlockBlobStorage', 'FileStorage', 'Storage', 'StorageV2'
  • Bicep scope functions (resourceGroup(), subscription(), tenant()) return a scope object when used to set the scope property. scope is optional; when omitted the resource is deployed to the file's target scope.
  • sku (required) - value: 'Premium_LRS', 'Premium_ZRS', 'Standard_GRS', 'Standard_GZRS', 'Standard_LRS', 'Standard_RAGRS', 'Standard_RAGZRS', 'Standard_ZRS'

48 Question #48

A proximity placement group is a logical grouping used to make sure that Azure compute resources are physically located close to each other (same datacenter) to minimize latency between them.

Topic 5 - Question Set 5

1 Question #1

Q: Ensure that communication between the web servers and the business logic tier spreads equally across the virtual machines.

an internal load balancer

Azure Internal Load Balancer (ILB) provides network load balancing between virtual machines that reside inside a cloud service or a virtual network with a regional scope

Q: Protect the web servers from SQL injection attacks.

an application gateway that uses the WAF tier

Azure Web Application Firewall (WAF) on Azure Application Gateway provides centralized protection of your web applications from common exploits and vulnerabilities.

Web applications are increasingly targeted by malicious attacks that exploit commonly known vulnerabilities

2 Question #2

Q: Need to connect the datacenters to the subscription. The solution must minimize network latency between the datacenters.

B. three virtual hubs and one virtual WAN

3 Question #3

  • Each virtual machine will have a public IP address and a private IP address.
  • Each virtual machine requires the same inbound and outbound security rules

Minimum number of network interfaces: 5

A public and a private IP address can be assigned to a single network interface.

Minimum number of network security groups: 1

The same network security group can be associated to as many subnets and network interfaces as you choose

4 Question #4

Create a private Azure DNS zone.

Private IP addresses only (a private zone never resolves from the internet).

Private DNS zone -> Settings -> Virtual network links (link each VNet that must resolve the zone)

5 Question #5

In the Azure portal you can set up a Log Analytics workspace, which is a unique Log Analytics environment with its own data repository, data sources, and solutions

NSG flow logs allow viewing information about ingress and egress IP traffic through a Network security group.

Through this, the IP addresses that connect to the ILB can be monitored when the diagnostics are enabled on a Network Security Group.

6 Question #6

Virtual network peering connects VNets within a region; global virtual network peering connects VNets across regions.

7 Question #7

There is a site-to-site VPN connection between your on-premises network and VNet1

You configure virtual network peering between VNet1 and VNet2. You verify that you can connect to VNet2 from the on-premises network. Client1 is unable to connect to VNet2.

You need to ensure that you can connect Client1 to VNet2.

A. Download and re-install the VPN client configuration package on Client1.

8 Question #8

You can only associate an NSG with a subnet of a VNet that is in the same region as the NSG.

Summary: VM, NIC, VNet and NSG must all be in the same region.

9 Question #9

You need to add the address space 10.33.0.0/16 to VNet1. The solution must ensure that the hosts on VNet1 and VNet2 can still communicate over the peering afterwards.

  • Step 1: Remove the peering between VNet1 and VNet2.
  • Step 2: Add the 10.33.0.0/16 address space to VNet1.
  • Step 3: Recreate the peering between VNet1 and VNet2.

This is the classic answer. Newer deployments can instead keep the peering and use the Sync option on the peering after changing the address space, which avoids the connectivity gap while the peering is deleted and recreated.

10 Question #10

You can move resources (storage account and NIC, for example) to a different resource group, but the resource's location stays the same; a move never changes the region.

11 Question #11

Q: need to ensure that visitors are serviced by the same web server for each request

D. Session persistence to Client IP

With Sticky Sessions when a client starts a session on one of your web servers, session stays on that specific server.

To configure An Azure Load-Balancer For Sticky Sessions set Session persistence to Client IP or to Client IP and protocol

12 Question #12

Solution: You add an inbound security rule to NSG-Subnet1 that allows connections from the Any source to the destination for port range 3389 and uses the TCP protocol. You remove NSG-VM1 from the network interface of VM1. (Yes)

By adding the rule to NSG-Subnet1 you allow RDP at subnet level. Removing NSG-VM1 from the NIC means no NIC-level NSG can deny it, so RDP to VM1 works.

Solution: You add an inbound security rule to NSG-Subnet1 that allows connections from the Internet source to the VirtualNetwork destination for port range 3389 and uses the UDP protocol. (No, RDP uses TCP)

Solution: You add an inbound security rule to NSG-Subnet1 and NSG-VM1 that allows connections from the Internet source to the VirtualNetwork destination for port range 3389 and uses the TCP protocol. (Yes)

  • RDP over TCP is allowed by both the subnet-level and the NIC-level NSG, so both evaluations pass.
  • The default port for RDP is TCP 3389.
  • To enable RDP you need an Allow rule for port 3389 over TCP in every NSG on the path (subnet and NIC); a deny in either one blocks the traffic.

13 Question #13

Requirements:

  • ✑ Allow web requests from the internet to VM3, VM4, VM5, and VM6.
  • ✑ Allow all connections between VM1 and VM2.
  • ✑ Allow Remote Desktop connections to VM1.
  • ✑ Prevent all other network traffic to VNET1.

You can create one NSG and associate it with all three subnets.

  • Allow web requests from the internet to VM3, VM4, VM5 and VM6: add an inbound rule allowing TCP 80 (and 443 if HTTPS is served) from the Internet service tag to the static IP addresses of VM3 to VM6.
  • Allow all connections between VM1 and VM2: no rule is needed; the default AllowVnetInBound rule permits traffic inside the VNet.
  • Allow Remote Desktop to VM1: add an inbound rule allowing TCP 3389 to VM1's static IP address.
  • Prevent all other network traffic to VNET1: no rule is needed; every NSG ends with the default DenyAllInBound rule (priority 65500).
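An added example (not from the original notes) building the single NSG described above and attaching it to every subnet of VNET1, covering this question and the TCP 3389 rule of Question #12. RG1, VNET1, the region and the private IP addresses of the VMs are illustrative assumptions.

```powershell
# Added example: one NSG for the whole VNet with only the rules the defaults do not already give you.
# Assumes RG1/VNET1 exist and the VMs use the static private IPs below (illustrative).
$rg = 'RG1'; $loc = 'westus'
$webVmIps = @('10.0.2.4', '10.0.2.5', '10.0.3.4', '10.0.3.5')   # VM3..VM6
$vm1Ip    = '10.0.1.4'

$rules = @(
    # Web traffic from the Internet service tag, only to the four web servers.
    New-AzNetworkSecurityRuleConfig -Name 'Allow-Web-In' -Priority 100 -Direction Inbound `
        -Access Allow -Protocol Tcp -SourceAddressPrefix Internet -SourcePortRange '*' `
        -DestinationAddressPrefix $webVmIps -DestinationPortRange @('80', '443')

    # RDP only to VM1. The question allows any source; in practice narrow this to an
    # admin CIDR or remove it and use Azure Bastion instead.
    New-AzNetworkSecurityRuleConfig -Name 'Allow-RDP-VM1' -Priority 110 -Direction Inbound `
        -Access Allow -Protocol Tcp -SourceAddressPrefix Internet -SourcePortRange '*' `
        -DestinationAddressPrefix $vm1Ip -DestinationPortRange '3389'
)
# VM1 <-> VM2 is covered by the default AllowVnetInBound (65000) rule, and everything else
# from outside is dropped by the default DenyAllInBound (65500) rule.

$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location $loc -Name 'NSG1' -SecurityRules $rules

# Associate the same NSG with every subnet in VNET1 (snapshot the list before modifying it).
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'VNET1'
foreach ($subnet in @($vnet.Subnets)) {
    Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnet.Name `
        -AddressPrefix $subnet.AddressPrefix -NetworkSecurityGroup $nsg | Out-Null
}
$vnet | Set-AzVirtualNetwork | Out-Null

# Check: all rules, defaults included, in evaluation order.
$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $rg -Name 'NSG1'
($nsg.SecurityRules + $nsg.DefaultSecurityRules) | Sort-Object Direction, Priority |
    Format-Table Name, Direction, Priority, Access, Protocol, SourceAddressPrefix,
                 DestinationAddressPrefix, DestinationPortRange
```

Rules are evaluated by priority within each direction and the first match wins, so any custom deny must carry a lower priority number than the allow it is meant to override.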

14 Question #14

Move the adatum.com zone to an Azure DNS zone in Subscription1. The solution must minimize administrative effort.

The listed answer is incorrect; it should be A, Azure CLI.

Azure DNS supports importing and exporting zone files by using the Azure command-line interface (CLI). Zone file import is not currently supported via Azure PowerShell or the Azure portal, so the CLI is the only way to move the whole zone in one step.
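An added example (not from the original notes) of the move: a zone file imported with the Azure CLI (run from PowerShell), a round-trip export for verification, and the Azure name servers you then configure at the registrar (the step Question #23 asks about). The zone file content, Subscription1 and RG1 are constructed for illustration.

```powershell
# Added example: import adatum.com into Azure DNS with the CLI, then read the name servers
# to hand to the registrar. The zone file below is constructed sample data.
$zoneFile = Join-Path ([System.IO.Path]::GetTempPath()) 'adatum.com.zone'
@'
$ORIGIN adatum.com.
$TTL 3600
@       IN  SOA   ns1.adatum.com. hostmaster.adatum.com. (2024010101 3600 600 604800 300)
@       IN  NS    ns1.adatum.com.
@       IN  A     203.0.113.10
www     IN  CNAME adatum.com.
mail    IN  A     203.0.113.25
@       IN  MX 10 mail.adatum.com.
@       IN  TXT   "v=spf1 mx -all"
'@ | Set-Content -Path $zoneFile -Encoding ascii

az account set --subscription 'Subscription1'

# Creates the zone if needed and imports every record set. The SOA and the apex NS records
# in the file are ignored: Azure DNS always supplies its own.
az network dns zone import --resource-group RG1 --name adatum.com --file-name $zoneFile

# Round-trip check: export and compare with what was imported (expect only SOA/NS to differ).
$exported = "$zoneFile.exported"
az network dns zone export --resource-group RG1 --name adatum.com --file-name $exported
Compare-Object (Get-Content $zoneFile) (Get-Content $exported) | Format-Table -AutoSize

# The four ns*-xx.azure-dns.* hosts to configure at the registrar. Keep the old servers
# serving the zone until the delegation change has propagated.
az network dns zone show --resource-group RG1 --name adatum.com --query nameServers -o tsv
```

Lower the TTLs at the old provider before the cut-over so that resolvers pick up the new delegation quickly.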

15 Question #15

You can link VNets only to private DNS zones, and therefore auto-registration is available only with private DNS zones.

  • Private DNS zones can be linked to VNets (public zones cannot).
  • A VM auto-registers its A record in a private DNS zone that is linked to its VNet with the auto-registration option enabled (one auto-registration zone per VNet).

16 Question #16

Create a site-to-site VPN to Azure, in order:

  1. Create a gateway subnet (named GatewaySubnet). The subnet must exist before a VPN gateway can be placed in it.
  2. Create a VPN gateway and associate it with the gateway subnet (other steps are needed in practice, but among the listed answers this completes the Azure side).
  3. Create a local network gateway. It represents the on-premises VPN device and address space and is needed to complete the tunnel.
  4. Create the VPN connection between the VPN gateway and the local network gateway.

17 Question #17

If a virtual network has address ranges that overlap with another virtual network or on-premises network, the two networks can't be connected.

You can connect virtual networks (VNets) by using the VNet-to-VNet connection type. Virtual networks can be in different regions and from different subscriptions. When you connect VNets from different subscriptions, the subscriptions don't need to be associated with the same Active Directory tenant

18 Question #18

Q: The point-to-site connection uses a self-signed certificate.

  • Solution: You modify the Azure Active Directory (Azure AD) authentication policies. (No; certificate authentication does not involve Azure AD)
  • Solution: You join Computer2 to Azure Active Directory (Azure AD). (No)

Correct answer (meets the goal): You export the client certificate from Computer1 and install the certificate on Computer2.

19 Question #19

A dynamically assigned public IP address is released when the resource it is assigned to is deallocated, so the address field is empty (only the resource name is shown) while VM1 is stopped.

A static address is shown regardless of the resource state. With a dynamic address, VM1 has to be started before the address can be seen, and it may differ from the previous one.

20 Question #20

  • A Basic Load Balancer supports virtual machines in a single availability set or virtual machine scale set (VM1 and VM2 must be in the same one).
  • Otherwise there will be no load balancing between the VMs.
    • Basic Load Balancer: virtual machines in a single availability set or virtual machine scale set.
    • Standard Load Balancer: any virtual machines or virtual machine scale sets in a single virtual network.

21 Question #21

  • Box 1: Remove the public IP address from VM1 - You can only attach virtual machines in the backend pool that have a standard SKU public IP configuration or no public IP configuration.
  • Box 2: Create and configure an NSG - Standard load balancer is built on the zero trust network security model.

  • Standard load balancers and standard public IP addresses are closed to inbound connections unless opened by Network Security Groups.

  • NSGs are used to explicitly permit allowed traffic.

22 Question #22

Before creating a network interface, you must have an existing virtual network in the same location and subscription you create a network interface in.

VNET=>VNIC=>VM=>NSG=>AV set all MUST be in same location

23 Question #23

Q: You need to ensure that VM1 can resolve host names in adatum.com.

B. Configure the name servers for adatum.com at the domain registrar

adatum.com is a public DNS zone.

  • The internet's top-level-domain DNS servers need to know which name servers to direct queries for adatum.com to.
  • You configure this delegation by setting the Azure DNS name servers for adatum.com at the domain registrar.

24 Question #24

Azure Network Watcher

  • Identify a security rule that prevents a network packet from reaching an Azure virtual machine: IP flow verify
  • Validate outbound connectivity from an Azure virtual machine to an external host: Connection troubleshoot

Box 1: IP flow verify

When a VM becomes unable to communicate with other resources because of an NSG rule, IP flow verify reports whether the packet is allowed or denied and which rule is responsible.

Box 2: Connection troubleshoot

Diagnose outbound connections from a VM: connection troubleshoot tests a connection between a VM and another VM, an FQDN, a URI, or an IPv4 address and reports latency and hop-by-hop issues.
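The two checks above, as an added example (not from the original notes) run from PowerShell. It assumes VM1 in RG1 with private IP 10.0.0.4, Network Watcher enabled in the VM's region, and illustrative remote addresses.

```powershell
# Added example: IP flow verify and connection troubleshoot against VM1.
# Assumes RG1/VM1 exist, VM1 is running and Network Watcher is enabled for its region.
$vm = Get-AzVM -ResourceGroupName 'RG1' -Name 'VM1'
$nw = Get-AzNetworkWatcher -Location $vm.Location

# 1. IP flow verify: would an inbound RDP packet from 203.0.113.5 reach VM1, and if not,
#    which NSG rule drops it? Evaluates both NIC- and subnet-level NSGs.
$flow = Test-AzNetworkWatcherIPFlow -NetworkWatcher $nw -TargetVirtualMachineId $vm.Id `
    -Direction Inbound -Protocol TCP `
    -LocalIPAddress '10.0.0.4' -LocalPort '3389' `
    -RemoteIPAddress '203.0.113.5' -RemotePort '60000'
'{0} by rule {1}' -f $flow.Access, $flow.RuleName      # e.g. "Deny by rule DenyAllInBound"

# 2. Connection troubleshoot needs the Network Watcher agent extension on the source VM.
Set-AzVMExtension -ResourceGroupName 'RG1' -VMName 'VM1' -Name 'networkWatcherAgent' `
    -Publisher 'Microsoft.Azure.NetworkWatcher' -ExtensionType 'AzureNetworkWatcherExtension' `
    -TypeHandlerVersion '1.4' -Location $vm.Location | Out-Null

#    Outbound from VM1 to an external host on 443: status, latency and where it breaks.
$check = Test-AzNetworkWatcherConnectivity -NetworkWatcher $nw -SourceId $vm.Id `
    -DestinationAddress 'www.microsoft.com' -DestinationPort 443
$check.ConnectionStatus                                 # Reachable / Unreachable
$check.AvgLatencyInMs
$check.Hops | Format-Table Type, Address, Issues        # a hop with Issues shows the NSG/UDR/firewall at fault
```

Use the same IP flow verify call with -Direction Outbound to confirm that a custom outbound deny (for example the AzurePortal rule later in these notes) matches before the default AllowInternetOutBound rule.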

25 Question #25

A CanNotDelete lock only blocks deletion. Moving the resource is neither a delete nor a change to the resource itself, so the move succeeds. A ReadOnly lock, by contrast, blocks every write operation on the scope and would block the move.

26 Question #26

Q: Ensure that you can add VM1 and VM2 to the backend pool of LB1.

  • LB1: Standard SKU
  • VM1: Basic SKU public IP
  • VM2: Basic SKU public IP

You can only attach virtual machines that are in the same location and on the same virtual network as the load balancer. Virtual machines behind a Standard load balancer must have a Standard SKU public IP or no public IP at all.

The load balancer must be the Standard SKU to accept individual VMs that are not in an availability set or scale set.

VMs do not need public IPs, but if they have one it has to be Standard SKU, and all VMs must be in a single virtual network. A VM without a public IP is given an ephemeral IP for outbound connectivity.

Correct answer (meets the goal):

  • Solution: You create two Standard SKU public IP addresses and associate a Standard SKU public IP address to the network interface of each virtual machine.

Incorrect answers (do not meet the goal):

  • Solution: You disassociate the public IP address from the network interface of VM2. (No; VM1 still has a Basic IP)
  • Solution: You create a Basic SKU public IP address, associate the address to the network interface of VM1, and then start VM1. (No)
  • Solution: You create a Standard SKU public IP address, associate the address to the network interface of VM1, and then stop VM2. (No)

27 Question #27

Requirement: when an NSG is created, it automatically blocks TCP port 8080 between the virtual networks.

  • Solution: From the Resource providers blade, you unregister the Microsoft.ClassicNetwork provider. (No)
  • Solution: You assign a built-in policy definition to the subscription. (No; no built-in definition adds this rule)
  • Solution: You configure a custom policy definition (deployIfNotExists/modify effect that adds the deny rule), and then you assign the policy to the subscription. (Yes)

28 Question #28

Q: A site-to-site connection can be established between VNET1 and VNET2.

To create a VNet-to-VNet VPN you need a dedicated GatewaySubnet in each VNet. Here the VNet does not have enough free address space to create a gateway subnet, so a VNet-to-VNet VPN connection cannot be established.

Three ways to connect VNET1 to VNET2, across resource groups and even subscriptions:

  • i. VNet-to-VNet - similar to site-to-site (IPsec) but Azure configures the remote side for you; VPN gateway on both sides.
  • ii. Site-to-site (IPsec) - same tunnel, but the remote side is described manually as a local network gateway; VPN gateway on one side and a local network gateway on the other.
  • iii. VNet peering - does not use a VPN gateway and needs no gateway subnet.

29 Question #29

Deploy an Azure Kubernetes Service (AKS) cluster to support an app named App1. On-premises clients connect to App1 by using the IP address of the pod

Azure Container Networking Interface (CNI)

With Azure CNI, every pod gets an IP address from the subnet and can be accessed directly. These IP addresses must be unique across your network space.

Azure Container Networking Interface (CNI) networking - The AKS cluster is connected to existing virtual network resources and configurations.

30 Question #30

Basic LB

Virtual machines in a single availability set or virtual machine scale set.

Standard LB

Any virtual machines or virtual machine scale sets in a single virtual network.

31 Question #31

Need to create a site-to-site VPN.

The solution must ensure that if a single instance of an Azure VPN gateway fails, or a single on-premises VPN device fails, the failure will not cause an interruption that is longer than two minutes.

  • Two public IP addresses in the on-premises datacenter (two VPN devices) and two public IP addresses on the Azure VPN gateway (active-active mode).
  • Every Azure VPN gateway consists of two instances. In the default active-standby mode the standby takes over automatically for planned maintenance or an unplanned failure, but only one instance carries traffic and the failover briefly drops the tunnel; in active-active mode both instances have their own public IP and tunnel, so one failing leaves the other tunnel up.
  • Configure two local network gateways in Azure, each representing one on-premises VPN device, and create a connection from the active-active gateway to each of them. Each on-premises device in turn builds tunnels to both Azure public IPs.
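An added example (not from the original notes) that walks through the four site-to-site steps of Question #16 in the active-active form this question asks for: gateway subnet, VPN gateway with two Standard static public IPs, one local network gateway per on-premises device, and one IPsec connection per device. RG1/VNet1 in westus, the 10.1.0.0/16 and 192.168.0.0/16 address spaces, the device addresses 198.51.100.1/.2 and the VpnGw1 SKU are illustrative assumptions.

```powershell
# Added example: active-active site-to-site VPN with two on-premises devices.
# Assumes RG1/VNet1 (10.1.0.0/16) exist in westus; all addresses and names are illustrative.
$rg = 'RG1'; $loc = 'westus'

# 1. Gateway subnet: must be named exactly GatewaySubnet, /27 or larger.
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'VNet1'
Add-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix '10.1.255.0/27' -VirtualNetwork $vnet | Out-Null
$vnet     = Set-AzVirtualNetwork -VirtualNetwork $vnet
$gwSubnet = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet

# 2. VPN gateway in active-active mode: two Standard/static public IPs, two IP configurations.
#    Active-active needs a VpnGw SKU; Basic does not support it.
$pips = 1..2 | ForEach-Object {
    New-AzPublicIpAddress -ResourceGroupName $rg -Location $loc -Name "VNet1-gw-pip$_" `
        -Sku Standard -AllocationMethod Static
}
$ipconfs = 1..2 | ForEach-Object {
    New-AzVirtualNetworkGatewayIpConfig -Name "gwipconf$_" -SubnetId $gwSubnet.Id `
        -PublicIpAddressId $pips[$_ - 1].Id
}
$gw = New-AzVirtualNetworkGateway -ResourceGroupName $rg -Location $loc -Name 'VNet1-gw' `
    -IpConfigurations $ipconfs -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1 `
    -EnableActiveActiveFeature                       # takes roughly 30 to 45 minutes

# 3. One local network gateway per on-premises VPN device.
$deviceIps = @('198.51.100.1', '198.51.100.2')
$lngs = for ($i = 0; $i -lt $deviceIps.Count; $i++) {
    New-AzLocalNetworkGateway -ResourceGroupName $rg -Location $loc -Name "onprem-device$($i + 1)" `
        -GatewayIpAddress $deviceIps[$i] -AddressPrefix '192.168.0.0/16'
}

# 4. One IPsec connection per device. The same pre-shared key is configured on the devices;
#    it is read interactively so it never lands in the script or shell history.
$psk      = Read-Host -AsSecureString 'IPsec pre-shared key'
$pskPlain = [System.Net.NetworkCredential]::new('', $psk).Password
foreach ($lng in $lngs) {
    New-AzVirtualNetworkGatewayConnection -ResourceGroupName $rg -Location $loc `
        -Name "VNet1-to-$($lng.Name)" -VirtualNetworkGateway1 $gw -LocalNetworkGateway2 $lng `
        -ConnectionType IPsec -SharedKey $pskPlain | Out-Null
}

# Check: both connections should report Connected. Pull one device's cable and only its
# connection should drop; reboot one gateway instance and the other tunnel keeps passing traffic.
Get-AzVirtualNetworkGatewayConnection -ResourceGroupName $rg |
    Format-Table Name, ConnectionStatus, IngressBytesTransferred, EgressBytesTransferred
```

Without BGP, each on-premises device must also carry static routes for 10.1.0.0/16 towards both Azure gateway IPs; with BGP enabled on the gateway and both devices the failover is handled by route withdrawal instead.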

32 Question #32

You perform a reverse DNS lookup for 10.0.0.4 from VM2.

D. vm1.internal.cloudapp.net

33 Question #33

You need to ensure that you can configure a point-to-site connection from an on-premises computer to VNet1.

  • A VPN gateway is used for VPN connections to your on-premises network and for point-to-site clients.
  • Delete GW1: a policy-based VPN gateway does not support point-to-site. The VPN type cannot be changed in place, so GW1 must be deleted and recreated as a route-based gateway.

34 Question #34

Need to connect site1 and site2 by using an Azure Virtual WAN.

  1. Create a virtual WAN.
  2. Create a virtual hub (configure the hub basic settings and the site-to-site VPN gateway settings).
  3. Create the VPN sites (site1 and site2).
  4. Connect each VPN site to the virtual hub.

35 Question #35

You are deploying an Azure Kubernetes Service (AKS) cluster that will contain multiple pods. The pods will use kubenet networking.

You need to restrict network traffic between the pods.

B. the Calico network policy (Azure network policy requires Azure CNI; with kubenet, Calico is the only supported network policy engine)

36 Question #36

Q Need to ensure that visitors are serviced by the same web server for each request.

D. Session persistence to Client IP and Protocol

37 Question #37

  • The default NSG inbound rules allow traffic from the VirtualNetwork and AzureLoadBalancer tags and deny everything else (DenyAllInBound), so no port is open from the internet until an Allow rule is added.

38 Question #38

Azure VPN gateway for a site-to-site VPN

C. a Basic SKU and a dynamic IP address assignment

This is the answer for a Basic SKU gateway, which uses a Basic, dynamically allocated public IP. VpnGw (non-Basic) SKUs use a Standard SKU public IP with static allocation, and the zone-redundant SKUs require it, so check the SKU in the question before answering.

39 Question #39

Connection monitor resource: A region-specific Azure resource

40 Question #40

Ensure that inbound user traffic uses the Microsoft point-of-presence (POP) closest to the user's location.

C. Routing preference

Routing preference is a property of a public IP address. With the default "Microsoft network" option, inbound traffic enters the Microsoft global network at the POP closest to the user and travels the backbone to the resource; with the "Internet" option, traffic stays on the public internet (ISP networks) and enters at the POP closest to the Azure resource. It is not related to Traffic Manager routing methods.

41 Question #41

Prevent VM1 from accessing VM2 on port 3389.

A. Create a network security group (NSG) that has an outbound security rule to deny destination port 3389 and apply the NSG to the network interface of VM1.

42 Question #42

Q: You need to ensure that Bastion1 can support 100 concurrent SSH users.

D. Upgrade Bastion1 to the Standard SKU

When you configure Azure Bastion with the Basic SKU, two instances are created and the count cannot be changed.

With the Standard SKU you can specify the number of instances (2 to 50). This is called host scaling.

Each instance supports about 20 concurrent RDP connections and 40 concurrent SSH connections for medium workloads; 100 SSH sessions therefore need three instances, which only the Standard SKU allows.

43 Question #43

From Device1, you need to establish a Remote Desktop connection to VM1 through Bastion1 using the native RDP client.

  1. Upgrade Bastion1 to the Standard SKU.
  2. On Bastion1, enable Native client support (tunneling).
  3. From the Azure CLI on Device1, run az network bastion rdp --name Bastion1 --resource-group <rg> --target-resource-id <VM1 resource id>.

44 Question #44

Deploy an Azure Bastion Basic SKU host named Bastion1.

IP1 - IPv4 - Static - Standard - Regional - OK (Bastion requires a Standard SKU, statically allocated IPv4 public IP in the same region)

45 Question #45

You need to ensure that NGINX is available on all the virtual machines after they are deployed.

  • D. a Desired State Configuration (DSC) extension
  • A. the Custom Script Extension (runs an install script once at deployment; DSC additionally keeps the configuration enforced)

46 Question #46

Azure subscription that contains a Recovery Services vault named Vault1.

You need to enable multi-user authorization (MAU) for Vault1.

C. a resource guard

47 Question #47

Need to configure secure RDP connections to the virtual machines by using Azure Bastion.

What is the minimum number of Bastion hosts required?

A. 1

One Bastion host can reach VMs in other VNets over VNet peering, including global virtual network peering (VNets in different Azure regions).

48 Question #48

Need to be able to configure DNS name label scope reuse for container1.

B. the public networking type

The public networking type lets you assign a DNS name label to the container instance (a label that must be unique within Azure, with the scope-reuse setting controlling who may reuse the label), and the container is reachable from the internet.

This is used when you want to expose a service hosted in a container to the public.

49 Question #49

Specify resource dependencies in the ARM template so the resources deploy in the right order:

  • First, create the virtual network
  • 2nd, create the network interface
  • 3rd, create the VM
  • 4th, install the extension

To migrate 50 VMs to Azure using Azure Site Recovery, after the Recovery Services vault is created:

  • Recovery Services vault (already created)
  • Configure the virtual network the replicated VMs will fail over into
  • Configure the extended network (the step after that)

50 Question 50

The subnet for Azure Bastion must be named AzureBastionSubnet and be /26 or larger.

Public IP: Standard SKU with static allocation.

Only the Azure Bastion Standard SKU supports host scaling and file upload or download. The public IP Microsoft requires is Standard SKU and static.
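An added example (not from the original notes) that ties Questions #42, #43, #44 and #50 together: a /26 AzureBastionSubnet, a Standard static public IP, a Standard SKU host scaled to three instances for 100 SSH sessions, native-client tunneling, and the az network bastion rdp call from Device1. RG1/VNet1 in westus and the 10.1.254.0/26 prefix are illustrative; -ScaleUnit and -EnableTunneling are the parameter names in current Az.Network, so confirm them with Get-Help New-AzBastion if your module version differs.

```powershell
# Added example: Bastion Standard SKU sized for 100 concurrent SSH sessions with native client support.
# Assumes RG1/VNet1 exist in westus; names and the subnet prefix are illustrative.
$rg = 'RG1'; $loc = 'westus'; $vnetName = 'VNet1'

# Subnet: must be named AzureBastionSubnet and be /26 or larger. Do not attach a custom NSG or UDR.
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
Add-AzVirtualNetworkSubnetConfig -Name 'AzureBastionSubnet' -AddressPrefix '10.1.254.0/26' `
    -VirtualNetwork $vnet | Out-Null
$vnet = Set-AzVirtualNetwork -VirtualNetwork $vnet

# Public IP: Standard SKU, static allocation, regional (same region as the VNet).
$pip = New-AzPublicIpAddress -ResourceGroupName $rg -Location $loc -Name 'Bastion1-pip' `
    -Sku Standard -AllocationMethod Static

# 100 SSH sessions at ~40 per instance => 3 instances. Basic is fixed at 2, so Standard is required.
$bastion = New-AzBastion -ResourceGroupName $rg -Name 'Bastion1' `
    -PublicIpAddressRgName $rg -PublicIpAddressName $pip.Name `
    -VirtualNetworkRgName $rg -VirtualNetworkName $vnetName `
    -Sku Standard -ScaleUnit 3 -EnableTunneling:$true

# Upgrading an existing Basic host instead of creating one:
# Set-AzBastion -InputObject (Get-AzBastion -ResourceGroupName $rg -Name 'Bastion1') `
#     -Sku Standard -ScaleUnit 3 -EnableTunneling:$true

# Check the result before handing it to users.
Get-AzBastion -ResourceGroupName $rg -Name 'Bastion1' | Format-List Name, Sku, ScaleUnits, EnableTunneling

# Native-client RDP from Device1 (Azure CLI with the 'bastion' extension). The session is
# authenticated with the signed-in Azure identity, and RDP never leaves the Microsoft network.
$vmId = (Get-AzVM -ResourceGroupName $rg -Name 'VM1').Id
az network bastion rdp --name Bastion1 --resource-group $rg --target-resource-id $vmId
```

The caller of az network bastion rdp needs read access to the Bastion resource and the target VM's NIC as well as the VM; keep the VM free of any public IP so that Bastion is the only way in.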

51 Question 51

All the traffic between VNet1 and VNet2 traverses the Microsoft backbone network

B. peering

52 Question 52

You need to ensure that cont1 can be configured to use private networking.

Topic 6

1 Question 1

  • Azure Backup supports backup of VMs that are shut down or offline.
  • Supported guest operating systems include Windows Server 2012 and later, Windows 10, and Ubuntu.

2 Question 2

Q Deploy an Azure Monitor alert rule that will trigger an alert when CPU usage on VM1 exceeds 80 percent.

A. an action group

Alerts consist of:

  • Action groups
  • Alert conditions
  • User response
  • Alert processing rules

3 Question #3

VM3 and VM4 are in a different region from VM1 and VM2. So, we need to create a new Recovery Services Vault in the same region with VM3 and VM4.

4 Question #4

Q: You need to identify the minimum number of alert rules and action groups required for the planned monitoring.

  • Alert rules: you need one alert rule per signal (1 x ingress, 1 x egress, 1 x delete storage account, 1 x restore blob ranges), so 4.
  • Action groups: you need one action group per distinct set of recipients (1 x User1 and User3, 1 x User1 only, 1 x User1, User2 and User3), so 3. Check the "Users to notify" column.

5 Question #5

The "Email Azure Resource Manager role" action sends email only to Azure AD users who are directly assigned the selected role (Monitoring Reader in this question) on the subscription.

Email is not sent to Azure AD groups or service principals that hold the role.

6 Question #6

There are two ways to enable application monitoring for an on-premises server, a VM, or an App Service web app: instrument the code with the Application Insights SDK, or, without code changes,

install the Application Insights Agent (auto-instrumentation).

7 Question #7

User3 can add security questions to the password reset process. (No)

To add security questions to the SSPR process you need to be a Global Administrator. User3 is a User Administrator, so User3 cannot add security questions to the reset process. The User Administrator role also has no permission to manage MFA settings.

8 Question #8

The "Maximum number of devices per user" setting selects how many devices a user can have registered in Azure AD. If a user reaches this quota, they cannot add more devices until one or more existing devices are removed. By default, the maximum number of devices per user is 50.

  • Azure portal -> Azure Active Directory -> Devices -> Device settings (to change the limit)
  • Azure portal -> Azure Active Directory -> Users -> select a user -> Devices (to see and remove that user's devices)

9 Question #9

Q: Monitor the latency between your on-premises network and the virtual machines.

C. Network Performance Monitor

Network Performance Monitor measures latency and detects network issues across hybrid environments (on-premises to Azure). It has since been retired in favour of Connection Monitor in Network Watcher, which covers the same scenario.

10 Question #10

Q Need to restore the deleted files to an on-premises Windows Server 2016 computer as quickly as possible.

  • Step 1: From the Azure portal, open the vault's backup item and click File Recovery
  • Step 2: Select a restore point that contains the deleted files
  • Step 3: Download and run the generated script on the on-premises computer to mount the recovery point as a local drive
  • Step 4: Copy the files with File Explorer, then unmount the drive from the portal

9 Question #9

  • Location in which to store the backups: (A Recovery Services vault)

You can set up a Recovery Services vault and configure backup for multiple Azure VMs.

  • Object to use to config the protection for VM1: A backup policy

10 Question #10

Identify unattached disks that can be deleted.

D. From Azure Cost Management, view Advisor Recommendations

From Home -> Cost Management + Billing -> Cost Management, scroll down on the options and select View Recommendations

11 Question #11

Provide the developers of webapp1 with real-time access to the connection errors.

A. From webapp1, enable web server logging (then use log stream to follow it live)

Separate question on a data collection rule (DCR):

  • Data sources: VM1 only
  • Destinations: Workspace1 only

12 Question #12

  • 1- Create an Azure backup vault.
  • 2- Create a backup policy and configure the backup
  • 3- Configure a managed identity

Backup vault uses managed identity to access other Azure resources.

13 Question #13

Q: NSG1 only contains the default rules.

You need to create a rule in NSG1 to prevent the hosts on Subnet1 from connecting to the Azure portal.

The hosts must be able to connect to other internet hosts.

To what should you set Destination in the rule?

C. Service Tag (AzurePortal)

You can use service tags to achieve network isolation and protect your Azure resources from the general internet while still allowing access to Azure services that have public endpoints.

A service tag represents a group of IP address prefixes from a given Azure service. Microsoft manages the address prefixes encompassed by the service tag and automatically updates the service tag as addresses change, minimizing the complexity of frequent updates to network security rules.

Use service tags in place of specific IP addresses when you create security rules and routes. The deny rule must have a lower priority number than the default AllowInternetOutBound rule (65001) so that it is evaluated first, while all other internet traffic still matches the default allow.
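An added example (not from the original notes) of the outbound rule for this question, including the priority check against the default rules and a look at what the service tag currently resolves to. RG1/NSG1 and the region are illustrative assumptions.

```powershell
# Added example: deny Subnet1 hosts access to the Azure portal via the AzurePortal service tag,
# leaving all other internet egress on the default AllowInternetOutBound rule. Assumes RG1/NSG1 exist.
$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName 'RG1' -Name 'NSG1'

# Priority 100 is evaluated long before the default outbound rules (65000/65001/65500),
# so portal traffic is dropped while everything else still reaches the default Internet allow.
Add-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name 'Deny-AzurePortal-Out' `
    -Priority 100 -Direction Outbound -Access Deny -Protocol Tcp `
    -SourceAddressPrefix VirtualNetwork -SourcePortRange '*' `
    -DestinationAddressPrefix AzurePortal -DestinationPortRange '443' | Out-Null
$nsg = Set-AzNetworkSecurityGroup -NetworkSecurityGroup $nsg

# Sanity check on ordering: the custom deny must sit above the default allow.
($nsg.SecurityRules + $nsg.DefaultSecurityRules) |
    Where-Object Direction -eq 'Outbound' | Sort-Object Priority |
    Format-Table Name, Priority, Access, DestinationAddressPrefix, DestinationPortRange

# What the tag expands to today in this region. It changes over time, which is exactly why
# the rule references the tag rather than these prefixes.
$tags = Get-AzNetworkServiceTag -Location 'westus'
$portal = $tags.Values | Where-Object Name -eq 'AzurePortal'
'{0} prefixes, change number {1}' -f $portal.Properties.AddressPrefixes.Count, $portal.Properties.ChangeNumber
$portal.Properties.AddressPrefixes | Select-Object -First 5
```

Verify from a host in Subnet1 with Test-AzNetworkWatcherIPFlow -Direction Outbound (Topic 5, Question #24) against one of the listed prefixes on port 443: it should report Deny with rule Deny-AzurePortal-Out, while a non-Azure address on 443 reports Allow by AllowInternetOutBound.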

14 Question #14

Queries that find error entries in the Event table (note that == is case-sensitive; use =~ for a case-insensitive match):

  • Event | search "error"
  • Event | where EventType == "error"
  • search in (Event) "error"

15 Question #15

Collect performance traces for App1.

A. Azure Application Insights Profiler

"With Application Insights Profiler, you can capture and view performance traces for your application in all these dynamic situations, automatically at-scale, without negatively affecting your end users."

16 Question #16

For blob-only workloads, the BlobStorage account kind is cheaper than FileStorage and StorageV2 in this question's pricing comparison.

16 Question #16

To configure an Azure Monitor Network Insights alert that will be triggered when suspicious network traffic is detected, you should first configure NSG flow logs

  • NSG flow logs provide information about traffic that is allowed or denied by an NSG.
  • By configuring NSG flow logs, you will be able to monitor the traffic passing through your NSGs and detect any suspicious activity

17 Question #17

Collect performance data and events from the virtual machines.

A. the Azure Monitor agent

18 Question #18

Create a dashboard to display detailed metrics and a visual representation of the network topology.

A. Azure Monitor Network Insights

Network Insights can help you view your ExpressRoute metrics and configurations all in one place. Through Network Insights, you can view topological maps and health dashboards containing important ExpressRoute information without needing to complete any extra setup.

19 Question #19

Q: What should you use to create an activity log alert in Azure Monitor?

A. a resource, a condition, and an action group

You create an alert rule by combining:

  • The resources to be monitored.
  • The signal or telemetry from the resource.
  • Conditions.

20 Question #20

Azure Backup vaults do not support backing up Azure virtual machines; that needs a Recovery Services vault.

Backup vaults can protect the following datasource types:

  • 1- Azure Disks
  • 2- Azure Blobs (Azure Storage)
  • 3- Azure Database for PostgreSQL servers
  • 4- Azure Kubernetes Service clusters

21 Question #21

Q You need to ensure that all the virtual machines only communicate with Azure Monitor through VNet1.

C. an Azure Monitor Private Link Scope (AMPLS)

Q: You need to collect the IIS logs from each virtual machine and store them in a Log Analytics workspace.

A. a data collection endpoint

With Azure Private Link, you can securely link Azure platform as a service (PaaS) resources to your virtual network by using private endpoints. Azure Monitor is a constellation of different interconnected services that work together to monitor your workloads.

An Azure Monitor private link connects a private endpoint to a set of Azure Monitor resources to define the boundaries of your monitoring network. That set is called an Azure Monitor Private Link Scope (AMPLS)

Finally, you can create a data collection rule (DCR) to enable VM Insights on the virtual machines in VNet1. The DCR will tell Azure Monitor to collect data from the virtual machines and send it to the Log Analytics workspace.

22 Question #22

You need to monitor input events for Job1 to identify the number of events that were NOT processed.

D. Backlogged Input Events

23 Question #23

You have a data collection rule (DCR) named Rule1.

You plan to use the Azure Monitor Agent to collect events from Windows System event logs.

Which type of query should you use for the data source in Rule1?

B. XPath

Q: You need to use Connection Monitor to identify network latency between VM1 and DC1.

D. an Azure Monitor agent extension

24 Question #24

You need to use Traffic Analytics in Azure Network Watcher to monitor virtual machine traffic.

  • A. a Log Analytics workspace
  • E. a Data Collection Rule (DCR) in Azure Monitor

Listed answers. What Traffic Analytics actually needs:

  • A. A Log Analytics workspace - Traffic Analytics stores and analyzes the aggregated flow data in a workspace.
  • NSG (or VNet) flow logs written to a storage account, with Traffic Analytics enabled on the flow log and pointed at that workspace. The flow logs are the data source; Network Watcher must be enabled in the region.
  • A Data Collection Rule is what the Azure Monitor agent uses to collect guest data from VMs; it is not a Traffic Analytics prerequisite, so treat answer E with caution.

25 Question #25

What is the minimum number of Recovery Services vaults and backup policies you should create?

  • Recovery Services vaults: 3
    • If you have data sources in multiple regions, create a Recovery Services vault for each region.
    • The file shares and VMs are located in three regions: West US, East US, Central US, so one vault per region.
  • Backup policies: 6
    • A backup policy is scoped to a vault and to a workload type. For each vault you need one policy for file shares and one for VMs.
    • 3 file-share policies + 3 VM policies = 6

26 Question #26

  • Can create initiative definitions:
    • Resource Policy Contributor for Sub1
  • Can assign initiatives:
    • Resource Policy Contributor for RG2

Azure Files supports identity-based authentication over Server Message Block (SMB) through on-premises Active Directory Domain Services (AD DS) and Azure Active Directory Domain Services (Azure AD DS).

A. On storage2, enable identity-based access for the file shares.

  • Standard (general-purpose v2) supports access tiers for the Blob service and for Azure Files.
  • Legacy Standard BlobStorage supports access tiers.

Premium BlockBlobStorage doesn't support access tiers.

Premium FileStorage doesn't support access tiers.

Storage (general-purpose v1) doesn't support access tiers.

Only storage2 (general-purpose v2) can hold container1 blobs and share1 at the same time while letting you set the cool tier.

Storage V2 and storage2: we want to use replication for blobs, and only that storage type is available.

The other one is Premium, which should never apply to the exams.

Q: Need to add VM1 and VM2 to the backend pool of LB1.

C. Redeploy VM1 and VM2 to the same availability set.

You cannot use a Basic load balancer to balance between standalone VMs; they have to be in a scale set or an availability set.

27 Question #27

Implement a backup solution for App1 after the application is moved.

D. a Recovery Services vault

A Recovery Services vault is a logical container that stores the backup data for each protected resource, such as Azure VMs.

When the backup job for a protected resource runs, it creates a recovery point inside the Recovery Services vault.

You need to move the blueprint files to Azure.

B. Use Azure Storage Explorer to copy the files

28 Question #28

1. You need to verify whether the issue relates to the NSGs.

E. IP flow verify in Azure Network Watcher

2. You need to ensure that VM1 can communicate with VM4. The solution must minimize the administrative effort.

B. Establish peering between VNET1 and VNET3.

3. Which command should you run before you create Role1?

Get-AzRoleDefinition -Name "Reader" | ConvertTo-Json
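As an added example (not from the original page), here is the full clone-and-modify flow that the command above starts: export the built-in Reader definition, derive Role1 from it, restrict the assignable scope, and create the custom role with the Az PowerShell module. The subscription id is a placeholder and the extra `Microsoft.Support/*` action is an assumption about what Role1 needs beyond read access.

```powershell
# Added example, not part of the original page. Requires the Az module and an
# authenticated session (Connect-AzAccount). Placeholders: <subscription-id>.

# Step 1 (the page's command): export the Reader definition to JSON for review.
Get-AzRoleDefinition -Name "Reader" | ConvertTo-Json -Depth 5 | Out-File -FilePath .\Reader.json

# Step 2: build Role1 from the Reader object rather than hand-editing the JSON.
$role = Get-AzRoleDefinition -Name "Reader"
$role.Id          = $null     # a new role must not reuse Reader's Id
$role.IsCustom    = $true
$role.Name        = "Role1"
$role.Description = "Reader plus support-ticket management (assumed purpose)"

# Add only the extra permission Role1 needs on top of */read (assumption).
$role.Actions.Add("Microsoft.Support/*")

# Custom roles need explicit assignable scopes; limit Role1 to one subscription.
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add("/subscriptions/<subscription-id>")   # placeholder

# Step 3: create the role and confirm what was stored.
New-AzRoleDefinition -Role $role
Get-AzRoleDefinition -Name "Role1" | Select-Object Name, IsCustom, Actions, AssignableScopes
```

Keeping `AssignableScopes` to a single subscription (or resource group) is what stops Role1 from being assignable tenant-wide later; review the exported `Reader.json` first so you know exactly which `*/read` permissions the clone inherits.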

4. You need to recommend a solution to automate the configuration for the finance department users. The solution must meet the technical requirements.

B. dynamic groups and conditional access policies