Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription that contains 10 virtual networks. The virtual networks are hosted in separate resource groups. Another administrator plans to create several network security groups (NSGs) in the subscription. You need to ensure that when an NSG is created, it automatically blocks TCP port 8080 between the virtual networks.
Solution: You create a resource lock, and then you assign the lock to the subscription.
Does this meet the goal?
A. Yes
B. No
Question 362
You have an Azure subscription named Subscription1. Subscription1 contains a virtual machine named VM1. You have a computer named Computer1 that runs Windows 10. Computer1 is connected to the Internet. You add a network interface named vm1173 to VM1 as shown in the exhibit. (Click the Exhibit tab.)
From Computer1, you attempt to connect to VM1 by using Remote Desktop, but the connection fails. You need to establish a Remote Desktop connection to VM1. What should you do first?
A. Change the priority of the RDP rule
B. Attach a network interface
C. Delete the DenyAllInBound rule
D. Start VM1
Incorrect Answers:
A: Rules are processed in priority order, with lower numbers processed before higher numbers, because lower numbers have higher priority. Once traffic matches a rule, processing stops. RDP already has the lowest number and thus the highest priority.
B: The network interface has already been added to VM.
C: The Outbound rules are fine.
Reference: https://docs.microsoft.com/en-us/azure/virtual-network/security-overview
Question 363
You have the Azure virtual machines shown in the following table.
A DNS service is installed on VM1. You configure the DNS servers settings for each virtual network as shown in the following exhibit.
You need to ensure that all the virtual machines can resolve DNS names by using the DNS service on VM1. What should you do?
A. Configure a conditional forwarder on VM1
B. Add service endpoints on VNET1
C. Add service endpoints on VNET2 and VNET3
D. Configure peering between VNET1, VNET2, and VNET3
Virtual network peering enables you to seamlessly connect networks in Azure Virtual Network. The virtual networks appear as one for connectivity purposes. The traffic between virtual machines uses the Microsoft backbone infrastructure.
Incorrect Answers:
B, C: A Virtual Network (VNet) service endpoint provides secure and direct connectivity to Azure services over an optimized route over the Azure backbone network. Endpoints allow you to secure your critical Azure service resources to only your virtual networks. Service endpoints enable private IP addresses in the VNet to reach the endpoint of an Azure service without needing a public IP address on the VNet.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview
Question 364
HOTSPOT - You have an Azure subscription that contains the Azure virtual machines shown in the following table.
You add inbound security rules to a network security group (NSG) named NSG1 as shown in the following table.
You run Azure Network Watcher as shown in the following exhibit.
You run Network Watcher again as shown in the following exhibit.
For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point. Hot Area:
Box 1: No - It limits traffic to VM2, but not VM1 traffic.
Box 2: Yes - Yes, the destination is VM2.
Box 3: No
Reference: https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works
Question 365
You have the Azure virtual network named VNet1 that contains a subnet named Subnet1. Subnet1 contains three Azure virtual machines. Each virtual machine has a public IP address. The virtual machines host several applications that are accessible over port 443 to users on the Internet. Your on-premises network has a site-to-site VPN connection to VNet1. You discover that the virtual machines can be accessed by using the Remote Desktop Protocol (RDP) from the Internet and from the on-premises network. You need to prevent RDP access to the virtual machines from the Internet, unless the RDP connection is established from the on-premises network. The solution must ensure that all the applications can still be accessed by the Internet users. What should you do?
A. Modify the address space of the local network gateway
B. Create a deny rule in a network security group (NSG) that is linked to Subnet1
C. Remove the public IP addresses from the virtual machines
D. Modify the address space of Subnet1
You can use a site-to-site VPN to connect your on-premises network to an Azure virtual network. Users on your on-premises network connect by using the RDP or SSH protocol over the site-to-site VPN connection. You don't have to allow direct RDP or SSH access over the internet. Reference: https://docs.microsoft.com/en-us/azure/security/fundamentals/network-best-practices
Question 366
You have an Azure subscription that contains the resources in the following table.
Subnet1 is associated to VNet1. NIC1 attaches VM1 to Subnet1. You need to apply ASG1 to VM1. What should you do?
A. Associate NIC1 to ASG1
B. Modify the properties of ASG1
C. Modify the properties of NSG1
An application security group can be associated with NICs.
References: https://docs.microsoft.com/en-us/azure/virtual-network/security-overview#application-security-groups
Question 367
You have an Azure subscription named Subscription1 that contains an Azure virtual network named VNet1. VNet1 connects to your on-premises network by using Azure ExpressRoute. You plan to prepare the environment for automatic failover in case of ExpressRoute failure. You need to connect VNet1 to the on-premises network by using a site-to-site VPN. The solution must minimize cost. Which three actions should you perform? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.
HOTSPOT - You have peering configured as shown in the following exhibit.
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic. NOTE: Each correct selection is worth one point. Hot Area:
Box 1: vNET6 only - The peering status to both VNet1 and VNet2 is disconnected.
Box 2: delete peering1 - Peering to VNet1 is Enabled but disconnected. We need to update or re-create the remote peering to get it back to the Initiated state.
Reference: https://blog.kloud.com.au/2018/10/19/address-space-maintenance-with-vnet-peering/
Question 369
HOTSPOT - You have an Azure subscription that contains the resources in the following table.
You install the Web Server server role (IIS) on VM1 and VM2, and then add VM1 and VM2 to LB1. LB1 is configured as shown in the LB1 exhibit. (Click the LB1 tab.)
Rule1 is configured as shown in the Rule1 exhibit. (Click the Rule1 tab.)
For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point. Hot Area:
Box 1: Yes - A Basic Load Balancer supports virtual machines in a single availability set or virtual machine scale set.
Box 2: Yes - When using load-balancing rules with Azure Load Balancer, you need to specify health probes to allow Load Balancer to detect the backend endpoint status. The configuration of the health probe and probe responses determine which backend pool instances will receive new flows. You can use health probes to detect the failure of an application on a backend endpoint. You can also generate a custom response to a health probe and use the health probe for flow control to manage load or planned downtime. When a health probe fails, Load Balancer will stop sending new flows to the respective unhealthy instance. Outbound connectivity is not impacted, only inbound connectivity is impacted.
Box 3: No
Reference:
https://docs.microsoft.com/en-us/azure/load-balancer/skus
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-custom-probe-overview
Question 370
HOTSPOT - You have an Azure virtual machine named VM1 that connects to a virtual network named VNet1. VM1 has the following configurations:
- Subnet: 10.0.0.0/24
- Availability set: AVSet
- Network security group (NSG): None
- Private IP address: 10.0.0.4 (dynamic)
- Public IP address: 40.90.219.6 (dynamic)
You deploy a standard, Internet-facing load balancer named slb1. You need to configure slb1 to allow connectivity to VM1. Which changes should you apply to VM1 as you configure slb1? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Hot Area:
Change the private IP address of VM1 to static
Box 1: Remove the public IP address from VM1
Note: A public load balancer can provide outbound connections for virtual machines (VMs) inside your virtual network. These connections are accomplished by translating their private IP addresses to public IP addresses. Public Load Balancers are used to load balance internet traffic to your VMs.
Box 2: Create and configure an NSG
NSGs are used to explicitly permit allowed traffic. If you do not have an NSG on a subnet or NIC of your virtual machine resource, traffic is not allowed to reach this resource.
Reference: https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-overview