HOTSPOT - You have a virtual network named VNET1 that contains the subnets shown in the following table: You have Azure virtual machines that have the network configurations shown in the following table: For NSG1, you create the inbound security rule shown in the following table: For NSG2, you create the inbound security rule shown in the following table: For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point. Hot Area:
Box 1: Yes - The inbound security rule for NSG1 allows TCP port 1433 from 10.10.2.0/24 (or Subnet2 where VM2 and VM3 are located) to 10.10.1.0/24 (or Subnet1 where VM1 is located) while the inbound security rule for NSG2 blocks TCP port 1433 from 10.10.2.5 (or VM2) to 10.10.1.5 (or VM1). However, the NSG1 rule has a higher priority (or lower value) than the NSG2 rule. Box 2: Yes - No rule explicitly blocks communication from VM1. The default rules, which allow communication, are thus applied. Box 3: Yes - No rule explicitly blocks communication between VM2 and VM3 which are both on Subnet2. The default rules, which allow communication, are thus applied. Reference: https://docs.microsoft.com/en-us/azure/virtual-network/security-overview
Question 422
HOTSPOT - You have an Azure subscription named Subscription1. Subscription1 contains the virtual machines in the following table: Subscription1 contains a virtual network named VNet1 that has the subnets in the following table: VM3 has multiple network adapters, including a network adapter named NIC3. IP forwarding is enabled on NIC3. Routing is enabled on VM3. You create a route table named RT1 that contains the routes in the following table: You apply RT1 to Subnet1 and Subnet2. For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point. Hot Area:
IP forwarding enables the virtual machine a network interface is attached to: - Receive network traffic not destined for one of the IP addresses assigned to any of the IP configurations assigned to the network interface. Send network traffic with a different source IP address than the one assigned to one of a network interface's IP configurations. The setting must be enabled for every network interface that is attached to the virtual machine that receives traffic that the virtual machine needs to forward. A virtual machine can forward traffic whether it has multiple network interfaces or a single network interface attached to it. Box 1: Yes - The routing table allows connections from VM3 to VM1 and VM2. And as IP forwarding is enabled on VM3, VM3 can connect to VM1. Box 2: No - VM3, which has IP forwarding, must be turned on, in order for VM2 to connect to VM1. Box 3: Yes - The routing table allows connections from VM1 and VM2 to VM3. IP forwarding on VM3 allows VM1 to connect to VM2 via VM3. Reference: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview https://www.quora.com/What-is-IP-forwarding
Question 423
Your on-premises network contains an SMB share named Share1. You have an Azure subscription that contains the following resources: - A web app named webapp1 - A virtual network named VNET1 You need to ensure that webapp1 can connect to Share1. What should you deploy?
A. an Azure Application Gateway
B. an Azure Active Directory (Azure AD) Application Proxy
C. an Azure Virtual Network Gateway
A Site-to-Site VPN gateway connection can be used to connect your on-premises network to an Azure virtual network over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel. This type of connection requires a VPN device, a VPN gateway, located on-premises that has an externally facing public IP address assigned to it. Incorrect Answers: B: Application Proxy is a feature of Azure AD that enables users to access on-premises web applications from a remote client. Reference: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-portal
Question 424
Your on-premises network contains a VPN gateway. You have an Azure subscription that contains the resources shown in the following table. You need to ensure that all the traffic from VM1 to storage1 travels across the Microsoft backbone network. What should you configure?
A. a network security group (NSG)
B. service endpoints
C. Azure Peering Service
D. Azure Firewall
Question 425
You plan to deploy route-based Site-to-Site VPN connections between several on-premises locations and an Azure virtual network. Which tunneling protocol should you use?
A. IKEv1
B. PPTP
C. IKEv2
D. L2TP
A Site-to-Site (S2S) VPN gateway connection is used to connect your on-premises network to an Azure virtual network over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel. IKEv2 supports 10 S2S connections, while IKEv1 only supports 1. Reference: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-classic-portal https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-connect-multiple-policybased-rm-ps
Question 426
You have an Azure subscription that contains the resources shown in the following table. You configure Azure Site Recovery to replicate VM1 between the US East and West US regions. You perform a test failover of VM1 and specify VNET2 as the target virtual network. When the test version of VM1 is created, to which subnet will the virtual machine be connected?
A. TestSubnet1
B. DemoSubnet1
C. RecoverySubnetA
D. RecoverySubnetB
Question 427
You have five Azure virtual machines that run Windows Server 2016. The virtual machines are configured as web servers. You have an Azure load balancer named LB1 that provides load balancing services for the virtual machines. You need to ensure that visitors are serviced by the same web server for each request. What should you configure?
A. Protocol to UDP
B. Session persistence to None
C. Floating IP (direct server return) to Disabled
D. Session persistence to Client IP
Question 428
You plan to deploy several Azure virtual machines that will run Windows Server 2019 in a virtual machine scale set by using an Azure Resource Manager template. You need to ensure that NGINX is available on all the virtual machines after they are deployed. What should you use?
A. the Publish-AzVMDscConfiguration cmdlet
B. a Microsoft Endpoint Manager device configuration profile
C. Deployment Center in Azure App Service
D. a Desired State Configuration (DSC) extension
Question 429
You have five Azure virtual machines that run Windows Server 2016. The virtual machines are configured as web servers. You have an Azure load balancer named LB1 that provides load balancing services for the virtual machines. You need to ensure that visitors are serviced by the same web server for each request. What should you configure?
A. Floating IP (direct server return) to Disabled
B. Session persistence to Client IP
C. Protocol to UDP
D. Idle Time-out (minutes) to 20
Question 430
HOTSPOT - Your network contains an on-premises Active Directory Domain Services (AD DS) domain named contoso.com. The domain contains the servers shown in the following table. You plan to migrate contoso.com to Azure. You create an Azure virtual network named VNET1 that has the following settings: • Address space: 10.0.0.0/16 • Subnet: o Name: Subnet1 o IPv4: 10.0.1.0/24 You need to move DC1 to VNET1. The solution must ensure that the member servers in contoso.com can resolve AD DS DNS names. How should you configure DC1? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
