DRAG DROP - You have three on-premises sites. Each site has a third-party VPN device. You have an Azure virtual WAN named VWAN1 that has a hub named Hub1. Hub1 connects two of the three on-premises sites by using a Site-to-Site VPN connection. You need to connect the third site to the other two sites by using Hub1. Which four actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order. Select and Place:
HOTSPOT - You are planning an Azure solution that will contain the following types of resources in a single Azure region: - Virtual machine - Azure App Service - Virtual Network gateway - Azure SQL Managed Instance App Service and SQL Managed Instance will be delegated to create resources in virtual networks. You need to identify how many virtual networks and subnets are required for the solution. The solution must minimize costs to transfer data between virtual networks. What should you identify? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Hot Area:
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen. You have two Azure virtual networks named Vnet1 and Vnet2. You have a Windows 10 device named Client1 that connects to Vnet1 by using a Point-to-Site (P2S) IKEv2 VPN. You implement virtual network peering between Vnet1 and Vnet2. Vnet1 allows gateway transit. Vnet2 can use the remote gateway. You discover that Client1 cannot communicate with Vnet2. You need to ensure that Client1 can communicate with Vnet2. Solution: You download and reinstall the VPN client configuration. Does this meet the goal?
The VPN client must be downloaded again if any changes are made to VNet peering or the network topology. Reference: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-point-to-site-routing
Question 44
You have an Azure virtual network named Vnet1 that hosts an Azure firewall named FW1 and 150 virtual machines. Vnet1 is linked to a private DNS zone named contoso.com. All the virtual machines have their name registered in the contoso.com zone. Vnet1 connects to an on-premises datacenter by using ExpressRoute. You need to ensure that on-premises DNS servers can resolve the names in the contoso.com zone. Which two actions should you perform? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.
HOTSPOT - You have an Azure subscription. You have the on-premises sites shown the following table. You plan to deploy Azure Virtual WAN. You are evaluating Virtual WAN Basic and Virtual WAN Standard. Which type of Virtual WAN can you use for each site? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Hot Area:
HOTSPOT - You create NSG10 and NSG11 to meet the network security requirements. For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point. Hot Area:
Box 1: No - NSG10 which is attached to VM1's subnet blocks RDP (port TCP 3389) to 'Any' which means the port is blocked to all destinations. Box 2: Yes - NSG10 blocks ICMP from VNet4 (source 10.10.0.0/16) but it is not blocked from VM2's subnet (VNet1/Subnet2). Box 3: No - NSG11 blocks RDP (port TCP 3389) destined for 'VirtualNetwork'. VirtualNetwork is a service tag and means the address space of the virtual network (VNet1) which in this case is 10.1.0.0/16. Therefore, RDP traffic from subnet2 to anywhere else in VNet1 is blocked.
Question 48
HOTSPOT - You have an Azure subscription that contains two virtual networks named Vnet1 and Vnet2. You register a public DNS zone named fabrikam.com. The zone is configured as shown in the Public DNS Zone exhibit. You have a private DNS zone named fabrikam.com. The zone is configured as shown in the Private DNS Zone exhibit. You have a virtual network link configured as shown in the Virtual Network Link exhibit. For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point. Hot Area:
Box 1: Yes - DNS queries from the internet use the public DNS zone. In the public DNS zone, www.fabrikam.com is a CNAME record that resolves to appservice1.fabrikam.com which resolves to 131.107.1.1. Box 2: No - DNS queries from the internet use the public DNS zone. There is no DNS record for server1.fabrikam.com in the public DNS zone. Box 3: No - The private DNS zone is linked to VNet1, not VNet2. Therefore, resources in VNet2 cannot query the private DNS zone.
Question 49
HOTSPOT - You have two Azure virtual networks named VNet1 and VNet2 in an Azure region that has three availability zones. You deploy 12 virtual machines to each virtual network, deploying four virtual machines per zone. The virtual machines in VNet1 host an app named App1. The virtual machines in VNet2 host an app named App2. You plan to use Azure Virtual Network NAT to implement outbound connectivity for App1 and App2. You need to identify the minimum number of subnets and Virtual Network NAT instances required to meet the following requirements: - A failure of two zones must NOT affect the availability of either App1 or App2. - A failure of two zones must NOT affect the outbound connectivity of either App1 or App2. What should you identify? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Hot Area:
HOTSPOT - You have the Azure resources shown in the following table. WebApp1 uses the Standard pricing tier. You need to ensure that WebApp1 can access the virtual machines deployed to Vnet1\Subnet1 and Vnet2\Subnet1. The solution must minimize costs. What should you create in each virtual network? To answer, select the appropriate options in the answer area. Hot Area:
Box 1: An additional subnet - Regional virtual network integration: When you connect to virtual networks in the same region, you must have a dedicated subnet in the virtual network you're integrating with. Box 2: A VPN gateway - Gateway-required virtual network integration: When you connect directly to virtual networks in other regions or to a classic virtual network in the same region, you need an Azure Virtual Network gateway created in the target virtual network. Note: If your app is in an App Service Environment, it's already in a virtual network and doesn't require use of the VNet integration feature to reach resources in the same virtual network. Reference: https://docs.microsoft.com/en-us/azure/app-service/overview-vnet-integration
