You have an Azure subscription that contains the resources shown in the following table.
You need to create a network interface named NIC1. In which location can you create NIC1?
Before creating a network interface, you must have an existing virtual network in the same location and subscription in which you create the network interface. Reference: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface
Question 372
You have Azure virtual machines that run Windows Server 2019 and are configured as shown in the following table.
You create a public Azure DNS zone named adatum.com and a private Azure DNS zone named contoso.com. For contoso.com, you create a virtual network link named link1 as shown in the exhibit.
You discover that VM1 can resolve names in contoso.com but cannot resolve names in adatum.com. VM1 can resolve other hosts on the Internet. You need to ensure that VM1 can resolve host names in adatum.com. What should you do?
If you use Azure-provided DNS, the appropriate DNS suffix is automatically applied to your virtual machines. For all other options, you must either use fully qualified domain names (FQDNs) or manually apply the appropriate DNS suffix to your virtual machines. Reference: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances
Question 373
HOTSPOT - You plan to use Azure Network Watcher to perform the following tasks:
- Task1: Identify a security rule that prevents a network packet from reaching an Azure virtual machine.
- Task2: Validate outbound connectivity from an Azure virtual machine to an external host.
Which feature should you use for each task? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Box 1: IP flow verify - At some point, a VM may become unable to communicate with other resources because of a security rule. The IP flow verify capability enables you to specify a source and destination IPv4 address, port, protocol (TCP or UDP), and traffic direction (inbound or outbound). IP flow verify then tests the communication and informs you if the connection succeeds or fails. If the connection fails, IP flow verify tells you which security rule denied the communication.
Box 2: Connection troubleshoot - Diagnose outbound connections from a VM: The connection troubleshoot capability enables you to test a connection between a VM and another VM, an FQDN, a URI, or an IPv4 address. The test returns information similar to that returned by the connection monitor capability, but it tests the connection at a point in time rather than monitoring it over time, as connection monitor does.
Reference: https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview
Question 374
HOTSPOT - You have an Azure subscription that contains the Azure virtual machines shown in the following table.
You configure the network interfaces of the virtual machines to use the settings shown in the following table.
From the settings of VNET1 you configure the DNS servers shown in the following exhibit.
The virtual machines can successfully connect to the DNS server that has an IP address of 192.168.10.15 and the DNS server that has an IP address of 193.77.134.10. For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.
Box 1: Yes - You can specify DNS server IP addresses in the VNet settings. The setting is applied as the default DNS server(s) for all VMs in the VNet.
Box 2: No - You can set DNS servers per VM or cloud service to override the default network settings.
Box 3: Yes - You can set DNS servers per VM or cloud service to override the default network settings.
Reference: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-faq#name-resolution-dns
Question 375
HOTSPOT - You have an Azure subscription that contains the resource groups shown in the following table.
RG1 contains the resources shown in the following table.
You need to identify which resources you can move from RG1 to RG2, and which resources you can move from RG2 to RG1. Which resources should you identify? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Box 1: IP1, Storage1 - IP addresses and storage accounts can be moved. Virtual networks cannot be moved. There is no lock on RG1.
Box 2: None - There is a delete lock on RG2.
Note: When you apply a lock at a parent scope, all resources within that scope inherit the same lock. Even resources you add later inherit the lock from the parent. The most restrictive lock in the inheritance takes precedence.
- CanNotDelete means authorized users can still read and modify a resource, but they can't delete the resource.
- ReadOnly means authorized users can read a resource, but they can't delete or update the resource. Applying this lock is similar to restricting all authorized users to the permissions granted by the Reader role.
Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/move-support-resources
Question 376
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen. You have an Azure subscription that contains the virtual machines shown in the following table.
You deploy a load balancer that has the following configurations:
- Name: LB1
- Type: Internal
- SKU: Standard
- Virtual network: VNET1
You need to ensure that you can add VM1 and VM2 to the backend pool of LB1. Solution: You create a Basic SKU public IP address, associate the address to the network interface of VM1, and then start VM1. Does this meet the goal?
A Backend Pool configured by IP address has the following limitations: - Standard load balancer only Reference: https://docs.microsoft.com/en-us/azure/load-balancer/backend-pool-management
Question 377
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen. You have an Azure subscription that contains the virtual machines shown in the following table.
You deploy a load balancer that has the following configurations:
- Name: LB1
- Type: Internal
- SKU: Standard
- Virtual network: VNET1
You need to ensure that you can add VM1 and VM2 to the backend pool of LB1. Solution: You create a Standard SKU public IP address, associate the address to the network interface of VM1, and then stop VM2. Does this meet the goal?
A Backend Pool configured by IP address has the following limitations: - Standard load balancer only Reference: https://docs.microsoft.com/en-us/azure/load-balancer/backend-pool-management
Question 378
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen. You have an Azure subscription that contains the virtual machines shown in the following table.
You deploy a load balancer that has the following configurations:
- Name: LB1
- Type: Internal
- SKU: Standard
- Virtual network: VNET1
You need to ensure that you can add VM1 and VM2 to the backend pool of LB1. Solution: You create two Standard SKU public IP addresses and associate a Standard SKU public IP address to the network interface of each virtual machine. Does this meet the goal?
A Backend Pool configured by IP address has the following limitations: - Standard load balancer only Reference: https://docs.microsoft.com/en-us/azure/load-balancer/backend-pool-management
Question 379
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen. You have a computer named Computer1 that has a point-to-site VPN connection to an Azure virtual network named VNet1. The point-to-site connection uses a self-signed certificate. From Azure, you download and install the VPN client configuration package on a computer named Computer2. You need to ensure that you can establish a point-to-site VPN connection to VNet1 from Computer2. Solution: You export the client certificate from Computer1 and install the certificate on Computer2. Does this meet the goal?
Each client computer that connects to a VNet using Point-to-Site must have a client certificate installed. You generate a client certificate from the self-signed root certificate, and then export and install the client certificate. If the client certificate is not installed, authentication fails. Reference: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-certificates-point-to-site
Question 380
You have an Azure virtual machine named VM1. The network interface for VM1 is configured as shown in the exhibit.
You deploy a web server on VM1, and then create a secure website that is accessible by using the HTTPS protocol. VM1 is used as a web server only. You need to ensure that users can connect to the website from the Internet. What should you do?
HTTPS uses port 443. Rule2, with priority 500, denies HTTPS traffic. Rule5, with priority changed from 2000 to 401, would allow HTTPS traffic.
Note: Priority is a number between 100 and 4096. Rules are processed in priority order, with lower numbers processed before higher numbers, because lower numbers have higher priority. Once traffic matches a rule, processing stops. As a result, any rules that exist with lower priorities (higher numbers) that have the same attributes as rules with higher priorities are not processed.
Note: There are several versions of this question in the exam. The question has two possible correct answers:
1. Change the priority of Rule3 to 450.
2. For Rule5, change the Action to Allow and change the priority to 401.
Other incorrect answer options you may see on the exam include the following:
- Modify the action of Rule1.
- Change the priority of Rule6 to 100.
- For Rule4, change the protocol from UDP to Any.
Reference: https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview
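The first-match priority processing described above, as an added example (not part of the original question and not Microsoft's code): a small Python model of inbound NSG evaluation showing why changing Rule5 to Allow only helps once its priority number is below Rule2's. Only Rule2's priority 500 and deny of HTTPS and Rule5's priority 2000 come from the page; the port ranges, Rule5's original action and the helper names are assumptions.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int   # lower number = higher priority, evaluated first
    protocol: str   # "Tcp", "Udp" or "*"
    ports: range    # destination ports covered by the rule
    action: str     # "Allow" or "Deny"

# Azure's built-in catch-all inbound rule; user rules must use 100-4096.
DEFAULT_DENY = Rule("DenyAllInBound", 65500, "*", range(0, 65536), "Deny")

def validate(rules):
    """Return problems Azure would reject: out-of-range or duplicate priorities."""
    problems, seen = [], {}
    for r in rules:
        if not 100 <= r.priority <= 4096:
            problems.append(f"{r.name}: priority {r.priority} outside 100-4096")
        if r.priority in seen:
            problems.append(f"{r.name}: priority {r.priority} already used by {seen[r.priority]}")
        seen.setdefault(r.priority, r.name)
    return problems

def evaluate(rules, protocol, port):
    """First match in ascending priority order decides; later rules are never read."""
    for r in sorted(list(rules) + [DEFAULT_DENY], key=lambda r: r.priority):
        if r.protocol in ("*", protocol) and port in r.ports:
            return r.name, r.action
    raise AssertionError("unreachable: DEFAULT_DENY matches everything")

# Constructed inbound rules. Only Rule2 (500, denies HTTPS) and Rule5 (2000) come
# from the page; Rule5's port range and original action are assumptions.
BEFORE = [
    Rule("Rule2", 500, "Tcp", range(443, 444), "Deny"),
    Rule("Rule5", 2000, "Tcp", range(443, 444), "Deny"),
]
# The page's second answer: Rule5 -> Action Allow, priority 401.
AFTER = [BEFORE[0], replace(BEFORE[1], action="Allow", priority=401)]
# Allow alone is not enough: at priority 2000 Rule5 is still shadowed by Rule2.
ALLOW_ONLY = [BEFORE[0], replace(BEFORE[1], action="Allow")]

if __name__ == "__main__":
    for label, rules in (("before", BEFORE), ("allow only", ALLOW_ONLY), ("after", AFTER)):
        print(label, validate(rules), evaluate(rules, "Tcp", 443))
```

Running the same evaluation over an exported rule list is a quick way to spot shadowed rules before a change is applied.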