D084 - general study
Account Portal
Available for all subscriptions and accessible by Account Owners. It is used to manage subscriptions, payment methods, and spending limits.
You are working for a large company that has multiple business units. All the business units are using the same Azure account. What should be used to monitor the cost across multiple subscriptions within an organization? A Azure Monitor B Azure Advisor C Azure CDN D Azure Enterprise Agreements portal
Azure Enterprise Agreements portal
Which component should be used to capture the events that are generated from resource creation or deletion? A Azure Subscription Log B Azure Alert Log C Azure Monitoring Log D Azure Activity Log
Azure Activity Log
Which Azure service provides personalized recommendations regarding unused resources? A Azure Repos B Azure Advisor C Azure Alert D Azure DevOps
Azure Advisor
A VMWare Virtual Machine is deployed on the Azure platform. It is required to store the backed-up data to the Azure Recovery Vault. Which service should be used to accomplish this task? A Azure App Services B Azure Windows Virtual Desktop C Azure Backup Server D Azure Service Fabric
Azure Backup Server
By default at which scope are budgets created?
By default, you will be creating a budget at the subscription scope, but budgets can also be created at the resource group scope as well if necessary. You must select the desired scope before clicking the +Add button.
describe The Effective Security Rules view
It allows you to drill into each NSG rule and see the exact list of source and destination IP prefixes that have been applied, regardless of how the NSG rule was defined. To access the Effective Security Rules view, your virtual machine must be running. This is because the data is taken directly from the configuration of the running VM.
What is the purpose of a flowTuple?
It describes how a security rule was applied to a network flow.
describe the default RBAC role Contributor
Lets you manage everything except granting access to resources.
describe the default RBAC role Owner
Lets you manage everything, including access to resources.
describe the default RBAC role Reader
Lets you view everything, but not make any changes.
caveat regarding the NSG Load Balancer security rule
The Load Balancer default rule uses the AzureLoadBalancer service tag. This applies only to Azure load balancer health probes, which originate at the load balancer. It does not apply to traffic received through the load balancer, which retains its original source IP address and port.
What is the Service Map in Microsoft Azure?
The Service Map is a Log Analytics solution. It helps you document the network flows from a running application. It works by installing two agents on each server: the Microsoft Monitoring Agent (MMA) and the Dependency Agent. Both agents are available for Windows and Linux. There is no requirement that the application be running in Azure; it can also be used for on-premises applications.
When applying NSGs to Virtual Networks, what does the destination IP range refer to?
The destination IP range refers to the VirtualNetwork. This allows the NSG to be applied to any subnet in any VNet, and avoids coupling the NSG to a specific IP range. Traffic will only be permitted to those subnets where the NSG is applied.
The Azure CLI command __________ should be used to list a single role. A retrieve role definition with the name parameter B retrieve role definition C az role definition list with the name parameter D az role definition list
You can use the command az role definition list with the name parameter to list a single role.
Enabling Azure AD Identity Protection requires __________ to onboard the service
a global administrator. After the service has been on-boarded into an Azure AD tenant, it can be managed by users with the global administrator and security administrator roles in Azure AD.
what is a gateway subnet?
a special type of subnet that can only be used for virtual network gateways. Under the hood, the VPN gateway is implemented using Azure virtual machines (these are not directly accessible and are managed for you). While the minimum size for the gateway subnet is a CIDR /29, the Microsoft-recommended best practice is to use a CIDR /27 address block to allow for future expansion.
what is an ExpressRoute circuit?
an Azure resource used to represent the logical connection between your on-premises network and Microsoft. Each circuit is identified by a GUID called a service key (s-key), which is shared with your connectivity provider.
hybrid Azure AD Join is applicable to devices that
are joined to an on-premises directory. For hybrid Azure AD Join, an IT administrator must perform the join to Azure AD. ---- For hybrid Azure AD Join scenarios, you can join current Windows devices such as Windows 10 and Windows Server 2016. There is support for a hybrid join with down-level devices as well, including Windows 7, Windows 8.1, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2.
Non-hybrid Azure AD Join is applicable to devices that
are not joined to an on-premises Active Directory. --- For non-hybrid Azure AD Join, Windows 10 Professional and Windows 10 Enterprise devices can be joined to a directory.
Each Azure AD tenant (or directory) is managed _______.
as an independent resource. There is no parent-child relation between directories, although users from one directory can be invited to another directory through Azure AD B2B features.
what is the policy assignment scope when applied to resource groups?
assignments scoped to a resource group apply to all child resources in the resource group.
What is the correct command to delete a resource group without a confirmation message? A az group delete --name groupname --yes B az group delete --name groupname C az group delete --groupname --enforce D az group remove --groupname --rmd
az group delete --name groupname --yes
The __________ command is used to retrieve the existing tags for a resource group. A az group read -n group_name --query tags B az group review -n group_name --query tags C az group display tag D az group show -n group_name --query tags
az group show -n group_name --query tags
You need to add a tag to a resource group without existing tags. What is the correct command? A az group append -n group_name --set tags B az group modify -n group_name --set tags C az group insert --set tags D az group update -n group_name --set tags
az group update -n group_name --set tags
You are planning to enable debugging logs from Azure CLI. What is the correct command? A az monitor diagnostic setting-enabled B az diagnostic enable monitoring C az monitor diagnostic-settings create D az monitor create setting-enabled
az monitor diagnostic-settings create
Deny assignments are evaluated ______ role assignments and can be used to _______ service principals from accessing child scopes
before, exclude
The ________ role is similar to the role that allows you to manage a subscription, but it cannot change the association of subscriptions to Azure directories. A co-administrator B account administrator C service administrator
co-administrator
simplified process to add a custom domain
1. Add the custom domain name to your directory. 2. Add a DNS entry for the domain name at the domain name registrar. 3. Verify the custom domain name in Azure AD.
the three ways in which an express route can be established
1. If your network already has a presence at a co-location facility with a cloud exchange, your co-location provider can establish a virtual cross-connection with the Microsoft Cloud. This provides either a layer 2 or a managed layer 3 connection. 2. Your connectivity provider may be able to provide a point-to-point Ethernet connection from their network to your on-premises network. Again, this approach offers either a layer 2 or managed layer 3 connection. 3. Your existing IPVPN WAN provider may be able to integrate ExpressRoute into your WAN, if they are registered as an ExpressRoute provider. In this case, your provider will typically offer managed layer 3 connectivity.
A metric inside Azure contains a maximum of ______ dimension(s).
10
When creating a new alert rule based on a metric signal, it can take up to ___ ___ for the alert rule to become active.
10 minutes
A resource or resource group is limited to ___ tags. Each resource can have different tags.
15
You can have up to ________ role assignments in each subscription.
2000
what port does the Azure Log Analytics (OMS) agent operate on?
443 (requires inbound and outbound communication)
Events in the Activity Log are retained for ___ days
90. You can retain the data for a longer period by enabling archival and sending the logs to Azure Storage and/or a Log Analytics workspace.
what is the policy assignment scope when applied to the management group?
Assignments scoped at the Management Group (either the Tenant Root Group or a child group) apply to all child resources in the Management Group: subscriptions, resource groups, and resources.
describe a point to site VPN
A Point-to-Site (P2S) VPN gateway connection lets you create a secure connection to your virtual network from an individual client computer. A P2S connection is established by starting it from the client computer. This solution is useful for telecommuters who want to connect to Azure VNets from a remote location, such as from home or a conference. P2S VPN is also a useful solution to use instead of S2S VPN when you have only a few clients that need to connect to a VNet.
Components of alert rules on the Azure cloud
A name and description of the alert rule; the severity of the alert rule; a target resource; a signal emitted by the target; an action group.
what is the policy assignment scope when applied to the Subscription?
Assignments scoped to a subscription apply to all child resources in the subscription: resource groups and resources.
You are working for a retail company. Your company is planning to migrate all resources to Azure cloud. The company already provided Azure access. Your manager wants you to create subscriptions for other developers. Which role is required to perform this task? A Azure user role B Account administrator C Service administrator
Account administrator
You have an on-premises network that contains a Hyper-V host named Host1. Host1 runs Windows Server 2016 and hosts 10 virtual machines that run Windows Server 2016. You plan to replicate the virtual machines to Azure by using Azure Site Recovery. You create a Recovery Services vault named ASR1 and a Hyper-V site named Site1. You need to add Host1 to ASR1. What should you do? A. Download the installation file for the Azure Site Recovery Provider. Download the vault registration key. Install the Azure Site Recovery Provider on Host1 and register the server. B. Download the installation file for the Azure Site Recovery Provider. Download the storage account key. Install the Azure Site Recovery Provider on Host1 and register the server. C. Download the installation file for the Azure Site Recovery Provider. Download the vault registration key. Install the Azure Site Recovery Provider on each virtual machine and register the
Answer: A Explanation: Download the Vault registration key. You need this when you install the Provider. The key is valid for five days after you generate it. Install the Provider on each VMM server. You don't need to explicitly install anything on Hyper-V hosts. Incorrect: Not B, D: Use the Vault Registration Key, not the storage account key. https://docs.microsoft.com/en-us/azure/site-recovery/migrate-tutorial-on-premises-azure
You have an Azure Active Directory (Azure AD) tenant. All administrators must enter a verification code to access the Azure portal. You need to ensure that the administrators can access the Azure portal only from your on-premises network. What should you configure? A. an Azure AD Identity Protection user risk policy B. the multi-factor authentication service settings C. the default for all the roles in Azure AD Privileged Identity Management D. an Azure AD Identity Protection sign-in risk policy
Answer: B
You have an Azure virtual machine named VM1. Azure collects events from VM1. You are creating an alert rule in Azure Monitor to notify an administrator when an error is logged in the System event log of VM1. You need to specify which resource type to monitor. What should you specify? A. metric alert B. Azure Log Analytics workspace C. virtual machine D. virtual machine extension
Answer: D Explanation: Azure Monitor can collect data directly from your Azure virtual machines into a Log Analytics workspace for detailed analysis and correlation. Installing the Log Analytics VM extension for Windows and Linux allows Azure Monitor to collect data from your Azure VMs. Incorrect: Not B: Azure Log Analytics workspace is used for on-premises computers monitored by System Center Operations Manager. https://docs.microsoft.com/en-us/azure/azure-monitor/learn/quick-collect-azurevm
What is an application security group (ASG)?
Application security groups enable you to configure network security as a natural extension of an application's structure, allowing you to group virtual machines and define network security policies based on those groups. You can reuse your security policy at scale without the manual maintenance of explicit IP addresses. The platform handles the complexity of explicit IP addresses and multiple rule sets, allowing you to focus on your business logic. NSGs can be applied at the ASG level.
designed to monitor and repair the network health of IaaS (Infrastructure-as-a-Service) products, which include Virtual Machines, Virtual Networks, Application Gateways, and Load Balancers
Azure Network Watcher
Question: The Azure Virtual Machines are deployed on a virtual network. The hostname is defined for all the virtual machines. It is required to perform a DNS query to find the virtual machine as it resolves the hostname to IP. DNS queries should be internal to the virtual network. Which component should be used?
Azure Provided DNS
One security requirement is to document a network flow from the applications that are running on the Azure cloud. Which service on the Azure cloud provides reporting and network flow, and also includes traffic volumes?
Azure Service Map documents a network and provides reporting. It displays the network and also includes traffic volumes.
What acts as the shortcut that maps to IP ranges of various Azure services and will ease the task when creating security rules?
Azure Service tags
Which domain name system (DNS)-related service provides a DNS response based on which service endpoint is currently available?
Azure Traffic Manager
which routing protocol can optionally be enabled on the VPN Gateway?
BGP can be optionally enabled on your VPN gateway, if the on-premises gateway also supports it. If used, it enables the VPN gateway and the on-premises gateway to exchange routing information automatically, avoiding the need to configure routes manually.
Question: You have an existing system on-premises that generates the encryption keys for your application. You are planning to deploy your applications to the cloud but do not want to use cloud-based services to generate the keys. What do you use to import the keys in Azure? A Security Center B Azure Information Protection C Azure Active Directory D BYOK
BYOK
Your organization created a single account that is shared with multiple business units. What should be a condition for every business unit's Azure resource to track the cost? A Disk attachment B Security group attachment C Firewall rules D Tag resources
Tag resources
____ an Azure service that is related to Cost Management, which can track resource cost for Azure resources
Cloudyn. Cloudyn can also track resource usage for AWS and Google. Cloudyn also supports non-EA accounts, including Pay-As-You-Go and Cloud Solution Provider. Cloudyn can be used to monitor usage and spending after it has been configured by the tenant owner.
You need to enforce a rule that any virtual machine created in your Azure account should have a tag associated with it. Which of the following is the way to fulfill this requirement? A Review every resource in the Azure account manually. B Create a policy script. C Update subscription. D Use Azure Active Directory.
Create a policy script.
describe a multi-site VPN
Each VPN gateway can support multiple Site-to-Site VPN connections. This is called a multi-site connection. Multi-site connections are commonly used to connect an Azure virtual network to multiple on-premises sites. They can also be used to create VPN connections to other Azure virtual networks in cases where VNet peering is not available.
describe enterprise state roaming
Enterprise State Roaming is available for Windows 10 devices and allows users to synchronize user settings and application data through Azure AD. When Enterprise State Roaming is enabled, Azure Rights Management (Azure RMS) is used to encrypt the data before it leaves the device, and all data is encrypted in transit and at rest.
What is the correct CLI command to view DNS records? A az dns record-set list --zone-name sampleref.com network B az dns network record-set list --zone-name sampleref.com C az record- dns network set list --zone-name sampleref.com D az network dns record-set list --zone-name sampleref.com
D az network dns record-set list --zone-name sampleref.com
You are monitoring a resource on Azure cloud. You need to collect additional telemetry from every Azure resource. Which type of log needs to be enabled? A Monitoring log B Debugging log C Diagnostic log D Subscription log
Diagnostic log
describe a highly redundant VPN gateway configuration
Dual on-premises VPN endpoints. This requires BGP to be enabled, and works with both active-standby and active-active VPN gateways. Combining dual on-premises endpoints with active-active VPN gateways provides a fully redundant configuration, avoiding single points of failure. Traffic will be distributed over all four VPN tunnels.
describe Azure ExpressRoute
ExpressRoute is a secure and reliable private connection between your on-premises network and the Microsoft cloud. The connection is provided by a third-party network provider who has partnered with Microsoft to offer ExpressRoute services. This third party is known as the ExpressRoute provider. Unlike a Site-to-Site VPN, network traffic using ExpressRoute travels over your provider's network, which gives more predictable latency. Site-to-Site VPN connections only provide connectivity to your Azure VNet, whereas ExpressRoute provides connectivity to all Microsoft cloud services. This includes Azure VNets, Azure platform services (such as Cosmos DB), and Microsoft services outside of Azure such as Office 365 and Dynamics 365.
A virtual machine is backed-up using Azure Backup service. Due to some issue in the virtual machine, the entire VM failed. The only option is to restore the VM. The requirement is to restore only files without recreating the entire virtual machine. What option will you choose to solve this issue? A Data recovery B File recovery C Disk recovery D VM recovery
File recovery
If separate NSGs are applied at the subnet and VM NIC level, what is the order of precedence?
For inbound traffic, first the NSG at the subnet is applied, followed by the NSG at the NIC. Traffic only flows if both NSGs allow the traffic to pass. For outbound traffic, the sequence is reverse. First the NSG at the NIC is applied, followed by the NSG at the subnet. Again, traffic only flows if both NSGs allow the traffic to pass. In all cases, rules within each NSG are applied in priority order, with the first matching rule being effective.
You have created a role that should be available to all resources in subscription groups A and B. Subscription groups A and B are child groups of the management group. What is the correct way to apply RBAC so that all the resources within subscriptions A and B get it? A Grant user access to the owner role at the resource group level. B Grant user access to the owner role of subscription B. C Grant user access to the owner role of subscription A. D Grant user access to the owner role of the management group.
Grant user access to the owner role of the management group.
what is the underlying encryption standard for site-to-site VPN connections?
IPsec IKEv2
what must be enabled and configured before insights can be extracted or visualizations can be created that are dependent on that data
Log Analytics
describe the scope hierarchy within Azure
Management Group > Subscription > Resource Group > Resource
are tags inherited by child resources?
No. Tags are not inherited by child resources. Tags applied to a resource group are not applied to resources in that resource group.
what are NSG flow logs
NSG flow logs are a form of Azure diagnostic logs. They record both allowed and denied network flows in and out of an NSG. By analyzing NSG flow logs, you can understand which traffic flows your application is using, and which flows are being requested by an application, but blocked by your NSG. You can then review if the NSG rules should be updated to allow or deny these flows.
current rules regarding NSG associations, subnets, and VM NICs
NSGs can be associated with network interfaces (NICs) which are associated to the VMs, or they can be associated with a subnet. Each NIC or subnet can only be associated with a single NSG. However, a single NSG can be associated with multiple NICs and/or subnets.
Azure Active Directory Identity Protection is a feature of the Azure AD ______ edition that enables you to:
Premium P2. - Detect potential vulnerabilities affecting your organization's identities - Configure automated responses to detected suspicious actions that are related to your organization's identities - Investigate suspicious incidents and take appropriate action to resolve them
NSG Rule priority ranges
Priority values start from 100 and go to 4096 (and from 65001 to 65003 for default rules).
When plotting metrics in Azure Monitor, which axis represents resources and which axis represents metrics?
Resources are on the X axis; metrics are on the Y axis.
In regard to NSGs, what are service tags?
Service tags are used in NSG rules as a quick and reliable way of creating rules that control traffic to each service. Typically, they are used in outbound rules to control which other Azure services the VMs in a VNet can or cannot access.
You are working as an Azure administrator and do not want to allow any single user to create more than 30 virtual machines. What is the way to fulfill this requirement? A Set up spending quotas. B Set up resource quotas. C Set resource tagging. D Set up consumption quotas.
Set up resource quotas.
describe a site-to-site VPN
Site-to-site VPNs enable on-premises networks to be connected to an Azure virtual network. This connection enables on-premises servers and Azure VMs to communicate over their private network space, without being exposed to the Internet.
Which property is changeable for a virtual machine (VM) managed data disk using the Set-AzVMDataDisk PowerShell cmdlet?
Storage account type
you can verify your custom domains with either a ___ or ___ record
TXT or MX
When creating the gateway subnet, what special parameter or cmdlet name is used to denote that the resource is a gateway subnet rather than a normal subnet?
There isn't one, just the subnet name of GatewaySubnet. When creating the gateway subnet, there is no special parameter or cmdlet name to denote that this is a gateway subnet rather than a normal subnet. The only distinction that identifies a gateway subnet is the subnet name, GatewaySubnet.
Properties of a metric
Time it was collected; value; type of measurement the value represents; resource the value is associated with.
An on-premises data center is required along with the Azure data center. The on-premises data center contains a database for the web application. A web server is deployed on an Azure virtual machine within the Azure data center. A web application needs to access a database from the on-premises data center. What is one way to handle connectivity between on-premises and Azure cloud? A Use VPN Traffic Manager. B Use Application Gateway. C Use site-to-site VPN. D Use Virtual Network.
Use site-to-site VPN.
Public load balancer
Used to load-balance traffic for Internet-facing applications. The frontend IP configuration references a separate public IP address resource, which is used to receive inbound traffic.
Internal load balancer
Used to load-balance traffic for Intranet-facing applications, or between application tiers. The frontend IP configuration references a subnet, and an IP address from that subnet is allocated to the load balancer using either dynamic or static assignment.
Which element of an Azure Resource Manager (ARM) template defines values used as JavaScript Object Notation (JSON) fragments to simplify template language expressions?
Variables
What are the default NSG rules and their priorities?
Virtual network: Traffic originating and ending in a virtual network is allowed in both inbound and outbound directions. Internet: Outbound traffic is allowed, but inbound traffic is blocked. Load balancer: Allows Azure load balancer to probe the health of your VMs and role instances. If you are not using a load balanced set, you can override this rule. Inbound: AllowVNetInBound (65000), AllowAzureLoadBalancerInBound (65001), DenyAllInBound (65500). Outbound: AllowVNetOutBound (65000), AllowInternetOutBound (65001), DenyAllOutBound (65500).
Your group creates a virtual machine in a particular subscription account. You need to verify that all virtual machines are in the A-series. What is the best way to resolve this? A Create Azure policies for resource group within the subscription B Create an Azure Alert and monitor all the virtual machines C Use Azure Advisor to get the guidelines D Build Azure dashboards to review instance type for all virtual machines
You can create an Azure policy for a resource group within the subscription. You can set the policy effect to "deny." If a virtual machine is not in the A-series, this policy will prevent its creation.
You have deployed a web site on Azure Virtual Machine. The virtual machine is costing a lot of money to your organization. You can use the ________ section of Azure Advisor to get a recommendation regarding virtual machine possible downgrade. A performance B cost C high availability D security
cost. Azure Advisor provides a cost section that displays recommendations related to overall Azure spending by identifying ideal resources.
Adding ________ to Azure AD allows you to assign user names familiar to users
custom domain names. This means they can log in by using their email address, like [email protected], instead of [email protected].
The default policy accomplishes a ______ backup at _______ and retains backups for _______
daily, 06:00am, 30 days
A VPN connection between an on-premises network and an Azure VNet can only be established if the network ranges ____________________
do not overlap.
Creating an Azure AD requires an initial domain name in the form of _____
domainname.onmicrosoft.com
Describe an Azure Load Balancer
Azure Load Balancer is a fully managed load-balancing service, used to distribute inbound traffic across a pool of backend servers running in an Azure virtual network. It can receive traffic on either Internet-facing or Intranet-facing endpoints, and supports both UDP and TCP traffic. It operates at the transport layer (OSI layer 4), routing inbound and outbound connections at the packet level. It does not terminate TCP connections, and thus does not have visibility into application-level constructs. For example, it cannot support SSL offloading, URL path-based routing, or cookie-based session affinity (for these, see "Application Gateway").
The query language used by Log Analytics is called _______
Kusto
storage account sku that provides fault tolerance if a disaster affects the Azure region where the account resides
requires a storage account type of standardV2 and a sku of standard_GRS
a _______ is required to use a multi-site connection.
route-based VPN
Custom DNS settings can be configured at the VNet level, and the network interface level, but not at the ________ level.
subnet level. To use specific settings for an individual subnet, you must configure those settings on each network interface in the subnet.
For machines to report telemetry to Log Analytics, they must be running ____
the Azure Log Analytics (OMS) agent. This agent was previously referred to as the Microsoft Monitoring Agent (MMA) or the OMS Linux agent. The agent binds to a workspace to collect the data defined in the workspace settings or any installed solutions.
where must tags be applied to be visible in detailed usage exports
the resource scope. Tags applied at the resource group scope are not inherited by child resources. This means that as you are applying tags to your resources in Azure, you should think about applying tags to each individual resource to have the clearest line of sight into your usage based on your organizational tags.
By default, each VPN gateway is deployed as __________
two VMs in an active-standby configuration. To reduce downtime in the event the active instance fails, an active-active configuration can also be used (not supported for Basic SKU gateways). In this mode, both gateway instances have their own public IP addresses, and two connections are made to the on-premises VPN endpoint.
Each ExpressRoute circuit has ____ connections from your network edge to ____ Microsoft edge routers, configured using ___
two, two, BGP
