AZ-900

Choose all that apply: A. Data that is copied to an Azure Storage account is maintained automatically in at least three copies B. All data that is copied to an Azure Storage account is backed up automatically to another Azure data center C. An Azure Storage account can contain up to 2 TB of data and up to one million files

A

This question requires that you evaluate the UPPER-CASED text surrounded by *** to determine if it is correct. An Azure service is available to all Azure customers when it is in *** PUBLIC PREVIEW ***. A. No change is needed B. Private preview C. Development D. An Enterprise Agreement (EA) subscription

A

You have 1,000 virtual machines hosted on the Hyper-V hosts in a data center. You plan to migrate all the virtual machines to an Azure pay-as-you-go subscription. You need to identify which expenditure model to use for the planned Azure solution. Which expenditure model should you identify? A. Operational B. Elastic C. Capital D. Scalable

A

You plan to implement an Azure database solution. You need to implement a database solution that meets the following requirements: * Can add data concurrently from multiple regions * Can store JSON documents. Which database service should you deploy? A. Azure Cosmos DB B. Azure Database for MySQL servers C. SQL Servers D. SQL data warehouse E. Azure Database for PostgreSQL servers

A

Your company has 10 offices. You plan to generate several billing reports from the Azure portal. Each report will contain the Azure resource utilization of each office. Which Azure Resource Manager feature should you use before you generate the reports? A. Tags B. Templates C. Locks D. Policies

A

Mark correct statements: A. Azure provides flexibility between capital expenditure (CapEx) and operational expenditure (OpEx) B. If you create two Azure virtual machines that use the B2S size, each virtual machine will always generate the same monthly costs C. When an Azure virtual machine is stopped, you continue to pay storage costs associated to the virtual machine

A, C

Your company has an on-premises network that contains multiple servers. The company plans to reduce the following administrative responsibilities of network administrators: * Backing up application data * Replacing failed server hardware * Managing physical server security * Updating server operating systems * Managing permissions to shared documents The company plans to migrate several servers to Azure virtual machines. You need to identify which administrative responsibilities will be reduced after the planned migration. Which two responsibilities should you identify? Each correct answer presents a complete solution. A. Replacing failed server hardware B. Backing up application data C. Managing physical server security D. Updating server operating systems E. Managing permissions to shared documents

A, C

Which cloud deployment solution is used for Azure virtual machines and Azure SQL databases? Choose all that apply. A. Azure virtual machines: Infrastructure as a service (IaaS) B. Azure virtual machines: Platform as a service (PaaS) C. Azure virtual machines: Software as a service (SaaS) D. Azure SQL databases: Infrastructure as a service (IaaS) E. Azure SQL databases: Platform as a service (PaaS) F. Azure SQL databases: Software as a service (SaaS)

A, E

Choose all that apply: A. All the Azure resources deployed to a single resource group must share the same Azure region B. If you assign a tag to a resource group, all the Azure resources in that resource group are assigned to the same tag C. If you set permissions to a resource group, all the Azure resources in that resource group inherit the permissions

C

Choose all that apply. A. To achieve a hybrid cloud model, a company must always migrate from a private cloud model B. A company can extend the capacity of its internal network by using the public cloud C. In a public cloud model, only guest users at your company can access the resources in the cloud

B

Choose all that apply: A. Azure Advisor provides recommendations on how to improve the security of an Azure Active Directory (Azure AD) environment B. Azure Advisor provides recommendations on how to reduce the cost of running Azure virtual machines C. Azure Advisor provides recommendations on how to configure the network settings on Azure virtual machines

B

This question requires that you evaluate the UPPER-CASED text surrounded by *** to determine if it is correct. You can create an Azure support request from support.microsoft.com. A. No change is needed B. The Azure portal C. The Knowledge Center D. The Security & Compliance admin center

B

What is guaranteed in an Azure Service Level Agreement (SLA)? A. Uptime B. Feature availability C. Bandwidth D. Performance

B

Choose all that apply. A. Azure resources can only access other resources in the same resource group B. If you delete a resource group, all the resources in the resource group will be deleted C. A resource group can contain resources from multiple Azure regions

B, C

Mark correct statements: A. A platform as a service (PaaS) solution that hosts web apps in Azure provides full control of the operating systems that host applications B. A platform as a service (PaaS) solution that hosts web apps in Azure provides the ability to scale the platform automatically C. A platform as a service (PaaS) solution that hosts web apps in Azure provides professional development services to continuously add features to custom applications

B, C

You plan to deploy a critical line-of-business application to Azure. The application will run on an Azure virtual machine. You need to recommend a deployment solution for the application. The solution must provide a guaranteed availability of 99.99 percent. What is the minimum number of virtual machines and the minimum number of availability zones you should recommend for the deployment? A. Minimum number of virtual machines: 1 B. Minimum number of virtual machines: 2 C. Minimum number of virtual machines: 3 D. Minimum number of availability zones: 1 E. Minimum number of availability zones: 2 F. Minimum number of availability zones: 3

B, E

Match the Azure Cloud Services benefit to the correct description. Choose all that apply. A. Disaster recovery: A cloud service that remains available after it occurs B. Disaster recovery: A cloud service that can be recovered after it occurs C. Disaster recovery: A cloud service that performs quickly when it increases D. Disaster recovery: A cloud service that can be accessed quickly to the Internet E. Fault tolerance: A cloud service that remains available after it occurs F. Fault tolerance: A cloud service that can be recovered after it occurs G. Fault tolerance: A cloud service that performs quickly when it increases H. Fault tolerance: A cloud service that can be accessed quickly to the Internet I. Low latency: A cloud service that remains available after it occurs J. Low latency: A cloud service that can be recovered after it occurs K. Low latency: A cloud service that performs quickly when it increases L. Low latency: A cloud service that can be accessed quickly to the Internet M. Dynamic scalability: A cloud service that remains available after it occurs N. Dynamic scalability: A cloud service that can be recovered after it occurs O. Dynamic scalability: A cloud service that performs quickly when it increases P. Dynamic scalability: A cloud service that can be accessed quickly to the Internet

B, E, L, O

Choose all that apply: A. If you have Azure resources deployed to every region, you can implement availability zones in all regions B. Only virtual machines that run Windows Server can be created in availability zones C. Availability zones are used to replicate data and applications to multiple regions D. None of the above

D

You have an Azure environment that contains 10 web apps. To which URL should you connect to manage all the Azure resources? A. https://admin.azure.com B. https://admin.azurewebsites.com C. https://admin.microsoft.com D. https://portal.azure.com E. https://portal.azurewebsites.com F. https://portal.microsoft.com G. https://www.azure.com H. https://www.azurewebsites.com I. https://www.microsoft.com

D

You need to view a list of planned maintenance events that can affect the availability of an Azure subscription. Which blade should you use from the Azure portal? A. Advisor B. Security Center C. Cost Management + Billing D. Help + support

D

You plan to migrate several servers from an on-premises network to Azure. You need to identify the primary benefit of using a public cloud service for the servers. What should you identify? A. The public cloud is owned by the public, NOT a private corporation B. The public cloud is a crowd-sourcing solution that provides corporations with the ability to enhance the cloud C. All public cloud resources can be freely accessed by every member of the public D. The public cloud is a shared entity whereby multiple corporations each use a portion of the resources in the cloud

D

You have an Azure subscription named Subscription1 that contains two Azure virtual networks named VNet1 and VNet2. VNet1 contains a VPN gateway named VPNGW1 that uses static routing. There is a site-to-site VPN connection between your on-premises network and VNet1. On a computer named Client1 that runs Windows 10, you configure a point-to-site VPN connection to VNet1. You configure virtual network peering between VNet1 and VNet2. You verify that you can connect to VNet2 from the on-premises network. Client1 is unable to connect to VNet2. You need to ensure that you can connect Client1 to VNet2. What should you do? A. Select Allow gateway transit on VNet2 B. Enable BGP on VPNGW1 C. Select Allow gateway transit on VNet1 D. Download and re-install the VPN client configuration package on Client1

D Ans: P2S VPN routing behavior is dependent on the client OS, the protocol used for the VPN connection, and how the virtual networks (VNets) are connected to each other. Azure currently supports two protocols for remote access, IKEv2 and SSTP. IKEv2 is supported on many client operating systems including Windows, Linux, MacOS, Android, and iOS. SSTP is only supported on Windows. If you make a change to the topology of your network and have Windows VPN clients, the VPN client package for Windows clients must be downloaded and installed again in order for the changes to be applied to the client.

You have an Azure subscription that contains the resources in the following table. *** Name: VNet1, Type: Virtual network, Details: Not applicable; Name: Subnet1, Type: Subnet, Details: Hosted on VNet1; Name: VM1, Type: Virtual machine, Details: On Subnet1; Name: VM2, Type: Virtual machine, Details: On Subnet1 *** VM1 and VM2 are deployed from the same template and host line-of-business applications accessed by using Remote Desktop. You need to prevent users of VM2 and VM2 from accessing websites on the Internet over TCP port 80. What should you do? A. Change the DenyWebSites outbound security rule B. Change the Port_80 inbound security rule C. Disassociate the NSG from a network interface D. Associate the NSG to Subnet1

D Ans: You can associate or dissociate a network security group from a network interface or subnet. The NSG has the appropriate rule to block users from accessing the Internet. We just need to associate it with Subnet1.

You plan to extend your company's network to Azure. The network contains a VPN appliance that uses an IP address of 131.107.200.1. You need to create an Azure resource that identifies the VPN appliance. Which Azure resource should you create? A. Virtual networks B. Load balancers C. Virtual network gateways D. DNS zones E. Traffic Manager profiles F. Network Watcher G. Application network gateways H. CDN profiles I. ExpressRoute circuits

G

Several support engineers plan to manage Azure by using the computers shown in the following table: * Computer 1 - Windows 10 * Computer 2 - Ubuntu * Computer 3 - MacOS Mojave. You need to identify which Azure management tools can be used from each computer. Choose three: A. Computer 1 - The Azure CLI and Azure portal B. Computer 1 - The Azure portal and Azure PowerShell C. Computer 1 - The Azure CLI and Azure PowerShell D. Computer 1 - The Azure CLI, the Azure portal and Azure PowerShell E. Computer 2 - The Azure CLI and Azure portal F. Computer 2 - The Azure portal and Azure PowerShell G. Computer 2 - The Azure CLI and Azure PowerShell H. Computer 2 - The Azure CLI, the Azure portal and Azure PowerShell I. Computer 3 - The Azure CLI and Azure portal J. Computer 3 - The Azure portal and Azure PowerShell K. Computer 3 - The Azure CLI and Azure PowerShell L. Computer 3 - The Azure CLI, the Azure portal and Azure PowerShell

D, H, L

A company has just set up an Azure virtual private connection between its on-prem network and an Azure virtual network. Would the company need to pay additional costs to transfer several gigs of data from their on-prem network to Azure?

No

Your company plans to migrate all its data and resources to Azure. The company's migration plan states that only platform as a service (PaaS) solutions must be used in Azure. You need to deploy an Azure environment that supports the planned migration. Solution: You create an Azure App Service and Azure Storage accounts. Does this meet the goal? Yes/No

No

Your company plans to migrate all its data and resources to Azure. The company's migration plan states that only platform as a service (PaaS) solutions must be used in Azure. You need to deploy an Azure environment that supports the planned migration. Solution: You create an Azure App Service and Azure virtual machines that have Microsoft SQL Server installed. Does this meet the goal? Yes/No

No

Your company registers a domain name of contoso.com. You create an Azure DNS zone named contoso.com, and then you add an A record to the zone for a host named www that has an IP address of 131.107.1.10. You discover that Internet hosts are unable to resolve www.contoso.com to the 131.107.1.10 IP address. You need to resolve the name resolution issue. Solution: You create a PTR record for www in the contoso.com zone. Does this meet the goal? Yes/No

No Ans: The Domain Name System is a hierarchy of domains. The hierarchy starts from the 'root' domain, whose name is simply '.'. Below this come top-level domains, such as 'com', 'net', 'org', 'uk' or 'jp'. Below these are second-level domains, such as 'org.uk' or 'co.jp'. The domains in the DNS hierarchy are globally distributed, hosted by DNS name servers around the world. A domain name registrar is an organization that allows you to purchase a domain name, such as 'contoso.com'. Purchasing a domain name gives you the right to control the DNS hierarchy under that name, for example allowing you to direct the name www.contoso.com to your company web site. The registrar may host the domain in its own name servers on your behalf, or allow you to specify alternative name servers. Azure DNS provides a globally distributed, high-availability name server infrastructure, which you can use to host your domain. By hosting your domains in Azure DNS, you can manage your DNS records with the same credentials, APIs, tools, billing, and support as your other Azure services. The NS record set at the zone apex is automatically created with each DNS zone. It contains the names of the Azure DNS name servers assigned to the zone. You can add additional name servers to this NS record set, to support co-hosting domains with more than one DNS provider. You can also modify the TTL and metadata for this record set. However, you cannot remove or modify the pre-populated Azure DNS name servers. Modify the Name Server (NS) record.

You have an Azure environment. You need to create a new Azure virtual machine from an Android laptop. Solution: You use PowerShell in Azure Cloud Shell. Does this meet the goal? Yes/No

Yes Ans: PowerShell is a task-based command-line shell and scripting language built on .NET. PowerShell helps system administrators and power-users rapidly automate tasks that manage operating systems (Linux, macOS, and Windows) and processes. PowerShell commands let you manage computers from the command line. PowerShell providers let you access data stores, such as the registry and certificate store, as easily as you access the file system. PowerShell includes a rich expression parser and a fully developed scripting language.

You have an Azure Active Directory (Azure AD) tenant. All administrators must enter a verification code to access the Azure portal. You need to ensure that the administrators can access the Azure portal only from your on-premises network. What should you configure? A. An Azure AD Identity Protection user risk policy. B. The multi-factor authentication service settings. C. The default for all the roles in Azure AD Privileged Identity Management. D. An Azure AD Identity Protection sign-in risk policy.

B Ans: The security of two-step verification lies in its layered approach. Compromising multiple authentication factors presents a significant challenge for attackers. Even if an attacker manages to learn the user's password, it is useless without also having possession of the additional authentication method. It works by requiring two or more of the following authentication methods: Something you know (typically a password). Something you have (a trusted device that is not easily duplicated, like a phone). Something you are (biometrics).

Your company plans to request an architectural review of an Azure environment from Microsoft. The company currently has a Basic support plan. You need to recommend a new support plan for the company. The solution must minimize costs. Which support plan should you recommend? A. Premier B. Developer C. Professional Direct D. Standard

A Ans: Architecture Support for Premier Plan: Customer-specific architectural support such as design reviews, performance tuning, configuration and implementation assistance delivered by Microsoft Azure technical specialists. Operations Support for Premier Plan: Technical account manager-led service reviews and reporting. Training for Premier Plan: Azure Engineering-led web seminars, on-demand training. Proactive Guidance for Premier Plan: Designated Technical Account Manager.

Your company has several business units. Each business unit requires 20 different Azure resources for daily operation. All the business units require the same type of Azure resources. You need to recommend a solution to automate the creation of the Azure resources. What should you include in the recommendations? A. Azure Resource Manager templates B. Virtual machine scale sets C. The Azure API Management service D. Management groups

A Ans: An Azure Resource Manager template defines the resources you need to deploy for your solution. First of all, you must know that an Azure Resource Manager template is just a simple JSON file. JSON is an open-standard file format derived from JavaScript. Note that a JSON file is a collection of name/value pairs.

You need to move the blueprint files to Azure. What should you do? A. Use Azure Storage Explorer to copy the files B. Use the Azure Import/Export service C. Generate a shared access signature (SAS). Map a drive, and then copy the files by using File Explorer D. Generate an access key. Map a drive, and then copy the files by using File Explorer

A Ans: Azure Storage Explorer is a free tool from Microsoft that allows you to work with Azure Storage data on Windows, macOS, and Linux. You can use it to upload and download data from Azure blob storage.

This question requires that you evaluate the UPPER-CASED text surrounded by *** to determine if it is correct. When planning to migrate a public website to Azure, you must plan to *** PAY MONTHLY USAGE *** costs. A. No change is needed B. Deploy a VPN C. Pay to transfer all the website data to Azure D. Reduce the number of connections to the website

A Ans: Azure doesn't directly bill based on the resource cost. Charges for a resource are calculated by using one or more meters. Meters are used to track a resource's usage throughout its lifetime. These meters are then used to calculate the bill. For example, when you create a single Azure resource, like a virtual machine, it has one or more meter instances created. Meters are used to track the usage of the resource over time. Each meter emits usage records that are used by Azure to calculate the bill. For example, a single virtual machine (VM) created in Azure may have the following meters created to track its usage: Compute Hours, IP Address Hours, Data Transfer In, Data Transfer Out, Standard Managed Disk, Standard Managed Disk Operations, Standard IO-Disk, Standard IO-Block Blob Read, Standard IO-Block Blob Write, Standard IO-Block Blob Delete

You have an Azure Active Directory (Azure AD) tenant named contosocloud.onmicrosoft.com. Your company has a public DNS zone for contoso.com. You add contoso.com as a custom domain name to Azure AD. You need to ensure that Azure can verify the domain name. Which type of DNS record should you create? A. TXT B. SRV C. DNSKEY D. NSEC E. RRSIG F. PTR

A Ans: You can configure Azure DNS to host a custom domain for your web apps. For example, you can create an Azure web app and have your users access it using either www.contoso.com or contoso.com as a fully qualified domain name (FQDN). To do this, you have to create three records: * A root "A" record pointing to contoso.com * A root "TXT" record for verification * A "CNAME" record for the www name that points to the A record

Your company plans to deploy several web servers and several database servers to Azure. You need to recommend an Azure solution to limit the types of connections from the web servers to the database servers. What should you include in the recommendation? A. Network security groups (NSGs) B. Azure Service Bus C. A local network gateway D. A route filter

A Ans: You can filter network traffic to and from Azure resources in an Azure virtual network with a network security group. A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources. To learn about which Azure resources can be deployed into a virtual network and have network security groups associated to them, see Virtual network integration for Azure services. For each rule, you can specify source and destination, port, and protocol. Network security group security rules are evaluated by priority using the 5-tuple information (source, source port, destination, destination port, and protocol) to allow or deny the traffic. A flow record is created for existing connections. Communication is allowed or denied based on the connection state of the flow record. The flow record allows a network security group to be stateful. If you specify an outbound security rule to any address over port 80, for example, it's not necessary to specify an inbound security rule for the response to the outbound traffic. You only need to specify an inbound security rule if communication is initiated externally. The opposite is also true. If inbound traffic is allowed over a port, it's not necessary to specify an outbound security rule to respond to traffic over the port. Existing connections may not be interrupted when you remove a security rule that enabled the flow. Traffic flows are interrupted when connections are stopped and no traffic is flowing in either direction, for at least a few minutes.

You download an Azure Resource Manager template based on an existing virtual machine. The template will be used to deploy 100 virtual machines. You need to modify the template to reference an administrative password. You must prevent the password from being stored in plain text. What should you create to store the password? A. An Azure Key Vault and an access policy B. A Recovery Services vault and a backup policy C. Azure Active Directory (AD) Identity Protection and an Azure policy D. An Azure Storage account and an access policy

A Ans: You can use a template that allows you to deploy a simple Windows VM by retrieving the password that is stored in a Key Vault. Therefore, the password is never put in plain text in the template parameter file.

You have an Azure subscription named Subscription1. You deploy a Linux virtual machine named VM1 to Subscription1. You need to monitor the metrics and the logs of VM1. What should you use? A. The AzurePerformanceDiagnostics extension B. Azure HDInsight C. Linux Diagnostic Extension (LAD) 3.0 D. Azure Analysis Services

A Ans: You can use extensions to configure diagnostics on your VMs to collect additional metric data. The basic host metrics are available, but to see more granular and VM-specific metrics, you need to install the Azure diagnostics extension on the VM. The Azure diagnostics extension allows additional monitoring and diagnostics data to be retrieved from the VM.

You plan to use the Azure Import/Export service to copy files to a storage account. Which two files should you create before you prepare the drives for the import job? Each correct answer presents part of the solution. A. A driveset CSV file B. A JSON configuration file C. A PowerShell PS1 file D. An XML manifest file E. A dataset CSV file

A, E Ans: 1. Modify the driveset.csv file in the root folder where the tool resides. 2. Modify the dataset.csv file in the root folder where the tool resides. Depending on whether you want to import a file or folder or both, add entries in the dataset.csv file.

You have an on-premises network that contains several servers. You plan to migrate all the servers to Azure. You need to recommend a solution to ensure that some of the servers are available if a single Azure data center goes offline for an extended period. What should you include in the recommendation? A. Fault tolerance B. Elasticity C. Scalability D. Low latency

A Ans: A High Availability system is one that is designed to be available 99.999% of the time, or as close to it as possible. Usually this means configuring a failover system that can handle the same workloads as the primary system. A Fault Tolerant system is extremely similar to HA, but goes one step further by guaranteeing zero downtime. HA still comes with a small portion of downtime, hence the ideal of a perfect HA strategy reaching "five nines" rather than 100% uptime. The time it takes for the intermediary layer, like the load balancer or hypervisor, to detect a problem and restart the VM can add up to minutes or even hours over the course of yearly runtime. Disaster Recovery goes beyond FT or HA and consists of a complete plan to recover critical business systems and normal operations in the event of a catastrophic disaster like a major weather event (hurricane, flood, tornado, etc), a cyberattack, or any other cause of significant downtime. HA is often a major component of DR, which can also consist of an entirely separate physical infrastructure site with a 1:1 replacement for every critical infrastructure component, or at least as many as required to restore the most essential business functions.

Your company plans to migrate to Azure. The company has several departments. All the Azure resources used by each department will be managed by a department administrator. You need to recommend an Azure deployment that provides the ability to segment Azure for the departments. The solution must minimize administrative effort. What should you include in the recommendation? A. Multiple subscriptions B. Multiple Azure Active Directory (Azure AD) directories C. Multiple regions D. Multiple resource groups

A Ans: A subscription is an agreement with Microsoft to use one or more Microsoft cloud platforms or services, for which charges accrue based on either a per-user license fee or on cloud-based resource consumption. Microsoft's Software as a Service (SaaS)-based cloud offerings (Office 365, Intune/EMS, and Dynamics 365) charge per-user license fees. Microsoft's Platform as a Service (PaaS) and Infrastructure as a Service (IaaS) cloud offerings (Azure) charge based on cloud resource consumption. You can also use a trial subscription, but the subscription expires after a specific amount of time or consumption charges. You can convert a trial subscription to a paid subscription.

You have an Azure Active Directory (Azure AD) tenant that contains 5,000 user accounts. You create a new user account named AdminUser1. You need to assign the User administrator administrative role to AdminUser1. What should you do from the user account properties? A. From the Directory role blade, modify the directory role. B. From the Licenses blade, assign a new license. C. From the Groups blade, invite the user account to a new group.

A Ans: Assign a role to a user 1. Sign in to the Azure portal with an account that's a global admin or privileged role admin for the directory. 2. Select Azure Active Directory, select Users, and then select a specific user from the list. 3. For the selected user, select Directory role, select Add role, and then pick the appropriate admin roles from the Directory roles list, such as Conditional access administrator. 4. Press Select to save.

Your company plans to automate the deployment of servers to Azure. Your manager is concerned that you may expose administrative credentials during the deployment. You need to recommend an Azure solution that encrypts the administrative credentials during the deployment. What should you include in the recommendation? A. Azure Key Vault B. Azure Information Protection C. Azure Security Center D. Azure Multi-Factor Authentication (MFA)

A Ans: Azure Key Vault helps solve the following problems: Secrets Management - Azure Key Vault can be used to securely store and tightly control access to tokens, passwords, certificates, API keys, and other secrets. Key Management - Azure Key Vault can also be used as a Key Management solution. Azure Key Vault makes it easy to create and control the encryption keys used to encrypt your data. Certificate Management - Azure Key Vault is also a service that lets you easily provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with Azure and your internal connected resources. Store secrets backed by Hardware Security Modules - The secrets and keys can be protected either by software or by FIPS 140-2 Level 2 validated HSMs.

This question requires that you evaluate the UPPER-CASED text surrounded by *** to determine if it is correct. You plan to deploy 20 virtual machines to an Azure environment. To ensure that a virtual machine named VM1 cannot connect to the other virtual machines, VM1 must *** BE DEPLOYED TO A SEPARATE VIRTUAL NETWORK ***. A. No change is needed B. Run a different operating system than the other virtual machines C. Be deployed to a separate resource group D. Have two network interfaces

A Ans: Azure Virtual Network (VNet) is the fundamental building block for your private network in Azure. VNet enables many types of Azure resources, such as Azure Virtual Machines (VM), to securely communicate with each other, the internet, and on-premises networks. VNet is similar to a traditional network that you'd operate in your own data center, but brings with it additional benefits of Azure's infrastructure such as scale, availability, and isolation. VNet concepts: Address space: When creating a VNet, you must specify a custom private IP address space using public and private (RFC 1918) addresses. Azure assigns resources in a virtual network a private IP address from the address space that you assign. For example, if you deploy a VM in a VNet with address space, 10.0.0.0/16, the VM will be assigned a private IP like 10.0.0.4. Subnets: Subnets enable you to segment the virtual network into one or more sub-networks and allocate a portion of the virtual network's address space to each subnet. You can then deploy Azure resources in a specific subnet. Just like in a traditional network, subnets allow you to segment your VNet address space into segments that are appropriate for the organization's internal network. This also improves address allocation efficiency. You can secure resources within subnets using Network Security Groups. For more information, see Security groups. Regions: VNet is scoped to a single region/location; however, multiple virtual networks from different regions can be connected together using Virtual Network Peering. Subscription: VNet is scoped to a subscription. You can implement multiple virtual networks within each Azure subscription and Azure region.

You have a public load balancer that balances ports 80 and 443 across three virtual machines. You need to direct all the Remote Desktop Protocol (RDP) connections to VM3 only. What should you configure? A. An inbound NAT rule B. A load balancing rule C. A new public load balancer for VM3 D. A frontend IP configuration

A Ans: Create an inbound NAT port-forwarding rule: Create a load balancer inbound network address translation (NAT) rule to forward traffic from a specific port of the front-end IP address to a specific port of a back-end VM. 1. Select All resources in the left-hand menu, and then select MyLoadBalancer from the resource list. 2. Under Settings, select Inbound NAT rules, and then select Add. 3. On the Add inbound NAT rule page, type or select the following values: * Name: Type MyNATRuleVM1. * Port: Type 4221. * Target virtual machine: Select MyVM1 from the drop-down. * Port mapping: Select Custom. * Target port: Type 3389. 4. Select OK.

This question requires that you evaluate the UPPER-CASED text surrounded by *** to determine if it is correct. One of the benefits of Azure SQL Data Warehouse is that *** HIGH AVAILABILITY *** is built into the platform. A. No change is needed B. Automatic scaling C. Data compression D. Versioning

A Ans: SQL Data Warehouse is supported by a broad ecosystem of partners, including data preparation, ingestion service and visualisation tool providers. Enjoy guaranteed 99.9 percent availability in 40 Azure regions worldwide. Service capabilities: * Massive query concurrency - Democratise data across your enterprise. * Integrated data processing - Ingest and query from multiple data types and sources within a single solution. * Quick and easy provisioning - Provision thousands of compute cores in less than five minutes and scale to a petabyte in hours. * Elastic design - Independently scale for performance or memory with separate compute and storage. * Advanced security - Help protect your data with virtual network service endpoints, advanced threat detection, always-on encryption, auditing and simplified secure access. * Fully managed infrastructure - Automate infrastructure allocation and workload optimisation to focus on data analysis and use the built-in advisor to optimise your cloud data warehouse. * Strong Ecosystem - Integrate with leading data preparation and visualisation vendors and get support from our partners to accelerate time to value. * Powerful SQL engine - Take advantage of Microsoft SQL Server, the industry's top-performing SQL engine, offering comprehensive support for SQL language. * Industry-leading compliance - Help ensure peace of mind with more than 50 government and industry compliance certifications, including HIPAA. * Global availability - Benefit from availability in 40 Azure regions, the most among all cloud-based data warehouse providers.

This question requires that you evaluate the UPPER-CASED text surrounded by *** to determine if it is correct. An Azure region *** CONTAINS ONE OR MORE DATA CENTERS *** that are connected by using a low-latency network. A. No change is needed B. Is found in each country where Microsoft has a subsidiary office C. Can be found in every country in Europe and the Americas only D. Contains one or more data centers that are connected by using a high-latency network

A Ans: Understand Azure global infrastructure: A region is a set of datacenters deployed within a latency-defined perimeter and connected through a dedicated regional low-latency network. With more global regions than any other cloud provider, Azure gives customers the flexibility to deploy applications where they need to. Azure is generally available in 46 regions around the world, with plans announced for 8 additional regions. A geography is a discrete market, typically containing two or more regions, that preserves data residency and compliance boundaries. Geographies allow customers with specific data-residency and compliance needs to keep their data and applications close. Geographies are fault-tolerant to withstand complete region failure through their connection to our dedicated high-capacity networking infrastructure. Availability Zones are physically separate locations within an Azure region. Each Availability Zone is made up of one or more datacenters equipped with independent power, cooling, and networking. Availability Zones allow customers to run mission-critical applications with high availability and low-latency replication.

You set the multi-factor authentication status for a user named Admin1 to Enabled. Admin1 accesses the Azure portal by using a web browser. Which additional security verifications can Admin1 use when accessing the Azure portal? A. A phone call, a text message that contains a verification code, and a notification or a verification code sent from the Microsoft Authenticator app. B. An app password, a text message that contains a verification code, and a notification sent from the Microsoft Authenticator app. C. An app password, a text message that contains a verification code, and a verification code sent from the Microsoft Authenticator app. D. A phone call, an email message that contains a verification code, and a text message that contains an app password.

A Ans: Verification methods: You can choose the verification methods that are available for your users. When your users enroll their accounts for Azure Multi-Factor Authentication, they choose their preferred verification method from the options that you have enabled. Guidance for the user enrollment process is provided in Set up my account for two-step verification. Call to phone: Places an automated voice call. The user answers the call and presses # in the phone keypad to authenticate. The phone number is not synchronized to on-premises Active Directory. Text message to phone: Sends a text message that contains a verification code. The user is prompted to enter the verification code into the sign-in interface. This process is called one-way SMS. Two-way SMS means that the user must text back a particular code. Two-way SMS is deprecated and not supported after November 14, 2018. Users who are configured for two-way SMS are automatically switched to call to phone verification at that time. Notification through mobile app: Sends a push notification to your phone or registered device. The user views the notification and selects Verify to complete verification. The Microsoft Authenticator app is available for Windows Phone, Android, and iOS. Verification code from mobile app or hardware token: The Microsoft Authenticator app generates a new OATH verification code every 30 seconds. The user enters the verification code into the sign-in interface. The Microsoft Authenticator app is available for Windows Phone, Android, and iOS.

You have an Azure subscription that contains three virtual networks named VNet1, VNet2, and VNet3. VNet2 contains a virtual appliance named VM2 that operates as a router. You are configuring the virtual networks in a hub and spoke topology that uses VNet2 as the hub network. You plan to configure peering between VNet1 and Vnet2 and between VNet2 and VNet3. You need to provide connectivity between VNet1 and VNet3 through VNet2. Which two configurations should you perform? Each correct answer presents part of the solution. A. On the peering connections, use remote gateways B. On the peering connections, allow forwarded traffic C. On the peering connections, allow gateway transit D. Create route tables and assign the table to subnets E. Create a route filter

A, C Ans: Allow gateway transit: Check this box if you have a virtual network gateway attached to this virtual network and want to allow traffic from the peered virtual network to flow through the gateway. For example, this virtual network may be attached to an on-premises network through a virtual network gateway. The gateway can be an ExpressRoute or VPN gateway. Checking this box allows traffic from the peered virtual network to flow through the gateway attached to this virtual network to the on-premises network. If you check this box, the peered virtual network cannot have a gateway configured. The peered virtual network must have the Use remote gateways checkbox checked when setting up the peering from the other virtual network to this virtual network. If you leave this box unchecked (default), traffic from the peered virtual network still flows to this virtual network, but cannot flow through a virtual network gateway attached to this virtual network. If the peering is between a virtual network (Resource Manager) and a virtual network (classic), the gateway must be in the virtual network (Resource Manager).

A support engineer plans to perform several Azure management tasks by using the Azure CLI. You install the CLI on a computer. You need to tell the support engineer which tools to use to run the CLI. Which two tools should you instruct the support engineer to use? Each correct answer presents a complete solution. NOTE: Each correct selection is worth one point. A. Command Prompt B. Azure Resource Explorer C. Windows PowerShell D. Windows Defender Firewall E. Network and Sharing Center

A, C Ans: For Windows the Azure CLI is installed via an MSI, which gives you access to the CLI through the Windows Command Prompt (CMD) or PowerShell. When installing for Windows Subsystem for Linux (WSL), packages are available for your Linux distribution. The Azure CLI is a command-line tool providing a great experience for managing Azure resources. The CLI is designed to make scripting easy, query data, support long-running operations, and more.

You plan to store 20 TB of data in Azure. The data will be accessed infrequently and visualized by using Microsoft Power BI. You need to recommend a storage solution for the data. Which two solutions should you recommend? Each correct answer presents a complete solution. NOTE: Each correct selection is worth one point. A. Azure Data Lake B. Azure Cosmos DB C. Azure SQL Data Warehouse D. Azure SQL Database E. Azure Database for PostgreSQL

A, C Ans: Azure Data Lake includes all the capabilities required to make it easy for developers, data scientists, and analysts to store data of any size, shape, and speed, and do all types of processing and analytics across platforms and languages. It removes the complexities of ingesting and storing all of your data while making it faster to get up and running with batch, streaming, and interactive analytics. Azure Data Lake works with existing IT investments for identity, management, and security for simplified data management and governance. It also integrates seamlessly with operational stores and data warehouses so you can extend current data applications. We've drawn on the experience of working with enterprise customers and running some of the largest scale processing and analytics in the world for Microsoft businesses like Office 365, Xbox Live, Azure, Windows, Bing, and Skype. Azure Data Lake solves many of the productivity and scalability challenges that prevent you from maximizing the value of your data assets with a service that's ready to meet your current and future business needs. Unlock new insights from your data with Azure SQL Data Warehouse, a fully managed cloud data warehouse for enterprises of any size that combines lightning-fast query performance with industry-leading data security. Optimise workloads by elastically scaling your resources in minutes. Get unlimited storage, automated administration and built-in auditing and threat detection. Integrate seamlessly with Azure Active Directory, Azure Data Factory, Azure Data Lake Storage, Azure Databricks and Microsoft Power BI to provide a single holistic modern data warehouse solution for all your analytical workloads.

You plan to automate the deployment of a virtual machine scale set that uses the Windows Server 2016 Datacenter image. You need to ensure that when the scale set virtual machines are provisioned, they have web server components installed. Which two actions should you perform? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point. A. Modify the extensionProfile section of the Azure Resource Manager template. B. Create an automation account C. Upload a configuration script D. Create a new virtual machine scale set in the Azure portal. E. Create an Azure policy

A, D Ans: Virtual Machine Scale Sets can be used with the Azure Desired State Configuration (DSC) extension handler. Virtual machine scale sets provide a way to deploy and manage large numbers of virtual machines, and can elastically scale in and out in response to load. DSC is used to configure the VMs as they come online so they are running the production software.

You have an Azure subscription named Subscription1 that contains the resource groups shown in the following table. *** Name: RG1, Region: East Asia; Name: RG2, Region: East US *** In RG1, you create a virtual machine named VM1 in the East Asia location. You plan to create a virtual network named VNET1. You need to create VNET1, and then connect VM1 to VNET1. What are two possible ways to achieve this goal? Each correct answer presents a complete solution. NOTE: Each correct selection is worth one point. A. Create VNET1 in RG2, and then set East Asia as the location B. Create VNET1 in a new resource group in the West US location, and then set West US as the location C. Create VNET1 in RG1, and then set East US as the location D. Create VNET1 in RG2, and then set East US as the location E. Create VNET1 in RG1, and then set East Asia as the location

A, E Ans: Resource group - A container that holds related resources for an Azure solution. The resource group includes those resources that you want to manage as a group. You decide which resources belong in a resource group based on what makes the most sense for your organization. There are some important factors to consider when defining your resource group: * A resource group can contain resources that are located in different regions. * All the resources in your group should share the same lifecycle. You deploy, update, and delete them together. If one resource, such as a database server, needs to exist on a different deployment cycle it should be in another resource group. * Each resource can only exist in one resource group. * You can add or remove a resource to a resource group at any time. * You can move a resource from one resource group to another group. * A resource group can be used to scope access control for administrative actions. * A resource can interact with resources in other resource groups. This interaction is common when the two resources are related but don't share the same lifecycle (for example, web apps connecting to a database).

You are troubleshooting a performance issue for an Azure Application Gateway. You need to compare the total requests to the failed requests during the past six hours. What should you use? A. NSG flow logs in Azure Network Watcher B. Metrics in Application Gateway C. Connection monitor in Azure Network Watcher D. Diagnostics logs in Application Gateway

B Ans: Azure Application Gateway is a web traffic load balancer that enables you to manage traffic to your web applications. Traditional load balancers operate at the transport layer (OSI layer 4 - TCP and UDP) and route traffic based on source IP address and port, to a destination IP address and port. With Application Gateway, you can make routing decisions based on additional attributes of an HTTP request, such as URI path or host headers. For example, you can route traffic based on the incoming URL. So if /images is in the incoming URL, you can route traffic to a specific set of servers (known as a pool) configured for images. If /video is in the URL, that traffic is routed to another pool that's optimized for videos. This type of routing is known as application layer (OSI layer 7) load balancing. Azure Application Gateway can do URL-based routing and more. By using Azure Application Gateway, you can monitor resources in the following ways: Back-end health: Application Gateway provides the capability to monitor the health of the servers in the back-end pools through the Azure portal and through PowerShell. You can also find the health of the back-end pools through the performance diagnostic logs. Logs: Logs allow for performance, access, and other data to be saved or consumed from a resource for monitoring purposes. Metrics: Application Gateway has several metrics which help you verify that your system is performing as expected.

You plan to migrate a web application to Azure. The web application is accessed by external users. You need to recommend a cloud deployment solution to minimize the amount of administrative effort used to manage the web application. What should you include in the recommendation? A. Software as a Service (SaaS) B. Platform as a Service (PaaS) C. Infrastructure as a Service (IaaS) D. Database as a Service (DaaS)

B Ans: IaaS (Infrastructure as a Service). IaaS is the most basic level of cloud-based solutions, which refers to renting an IT infrastructure as a fully outsourced service. In this category, the cloud provider lets you rent servers, VMs, storage, network and operating systems on a pay-as-you-go basis. Examples: Amazon EC2 and S3, Google Compute Engine, Windows Azure. PaaS (Platform as a Service). PaaS is the cloud solution where, apart from providing an infrastructure, cloud providers also issue an on-demand computing environment to develop, test, run and collaborate with components such as web servers, database management systems, and software development kits (SDKs) for various programming languages. Examples: AWS Elastic Beanstalk, Heroku, Windows Azure, Force.com, Google App Engine. SaaS (Software as a Service). SaaS providers offer fully functional web-based application software tailored to a variety of business needs such as project tracking, web conferencing, marketing automation or business analytics. Examples: Google Apps, Microsoft Office 365, Gmail, Yahoo and Facebook.

Your company has a main office in London that contains 100 client computers. Three years ago, you migrated to Azure Active Directory (Azure AD). The company's security policy states that all personal devices and corporate-owned devices must be registered or joined to Azure AD. A remote user named User1 is unable to join a personal device to Azure AD from a home network. You verify that other users can join their devices to Azure AD. You need to ensure that User1 can join the device to Azure AD. What should you do? A. From the Device settings blade, modify the Users may join devices to Azure AD setting. B. From the Device settings blade, modify the Maximum number of devices per user setting. C. Create a point-to-site VPN from the home network of User1 to Azure. D. Assign the User administrator role to User1.

B Ans: Maximum number of devices - This setting enables you to select the maximum number of devices that a user can have in Azure AD. If a user reaches this quota, they are not able to add additional devices until one or more of the existing devices are removed. The device quota is counted for all devices that are either Azure AD joined or Azure AD registered today. The default value is 20. The Maximum number of devices setting does not apply to hybrid Azure AD joined devices.

You have two Azure Active Directory (Azure AD) tenants named contoso.com and fabrikam.com. You have a Microsoft account that you use to sign in to both tenants. You need to configure the default sign-in tenant for the Azure portal. What should you do? A. From Azure Cloud Shell, run Set-AzureRmSubscription. B. From Azure Cloud Shell, run Set-AzureRmContext. C. From the Azure portal, configure the portal settings. D. From the Azure portal, change the directory.

B Ans: The Set-AzureRmContext cmdlet sets authentication information for cmdlets that you run in the current session. The context includes tenant, subscription, and environment information. Example: PS C:\>Set-AzureRmContext -SubscriptionId "xxxx-xxxx-xxxx-xxxx"

You plan to back up an Azure virtual machine named VM1. You discover that the Backup Pre-Check status displays a status of Warning. What is a possible cause of the Warning status? A. VM1 is stopped B. VM1 does not have the latest version of WaAppAgent.exe installed C. VM1 has an unmanaged disk D. A Recovery Services vault is unavailable

B Ans: The WARNING state indicates one or more issues in the VM's configuration that might lead to backup failures and provides recommended steps to ensure successful backups. Not having the latest VM Agent installed, for example, can cause backups to fail intermittently and falls in this class of issues. The PASSED state indicates that your VM's configuration is conducive for successful backups and no corrective action needs to be taken. The CRITICAL state indicates one or more critical issues in the VM's configuration that will lead to backup failures and provides required steps to ensure successful backups. A network issue caused by an update to the NSG rules of a VM, for example, will fail backups as it prevents the VM from communicating with the Azure Backup service and falls in this class of issues.

You have an Azure subscription named Subscription1 that is used by several departments at your company. Subscription1 contains the resources in the following table: *** Name: Storage1, Type: Storage account; Name: RG1, Type: Resource group; Name: Container1, Type: Blob container; Name: Share1, Type: File share *** Another administrator deploys a virtual machine named VM1 and an Azure Storage account named Storage2 by using a single Azure Resource Manager template. You need to view the template used for the deployment. From which blade can you view the template that was used for the deployment? A. Container1 B. RG1 C. Share1 D. Storage1

B Ans: View template from deployment history 1. Go to the resource group for your new resource group. Notice that the portal shows the result of the last deployment. Select this link. 2. You see a history of deployments for the group. In your case, the portal probably lists only one deployment. Select this deployment. 3. The portal displays a summary of the deployment. The summary includes the status of the deployment and its operations and the values that you provided for parameters. To see the template that you used for the deployment, select View template.

You have an Azure subscription that contains a virtual machine named VM1. VM1 hosts a line-of-business application that is available 24 hours a day. VM1 has one network interface and one managed disk. VM1 uses the D4s v3 size. You plan to make the following changes to VM1: * Change the size to D8s v3. * Add a 500-GB managed disk. * Add the Puppet Agent extension. * Attach an additional network interface. Which change will cause downtime for VM1? A. Add the Puppet Agent extension B. Change the size to D8s v3 C. Add a 500GB managed disk D. Attach an additional network interface

B Ans: While resizing the VM it must be in a stopped state.

This question requires that you evaluate the UPPER-CASED text surrounded by *** to determine if it is correct. *** AUTHORIZATION *** is the process of verifying a user's credentials. A. No change is needed B. Authentication C. Federation D. Ticketing

B Ans: Authentication is the process of determining whether someone or something is, in fact, who or what it declares itself to be. Authentication technology provides access control for systems by checking to see if a user's credentials match the credentials in a database of authorized users or in a data authentication server. Users are usually identified with a user ID, and authentication is accomplished when the user provides a credential, for example a password, that matches with that user ID. Most users are most familiar with using a password, which, as a piece of information that should be known only to the user, is called a knowledge authentication factor. Authorization is a security mechanism used to determine user/client privileges or access levels related to system resources, including computer programs, files, services, data and application features. Authorization is normally preceded by authentication for user identity verification. System administrators (SA) are typically assigned permission levels covering all system and user resources. During authorization, a system verifies an authenticated user's access rules and either grants or refuses resource access.

Your network contains an Active Directory forest. The forest contains 5,000 user accounts. Your company plans to migrate all network resources to Azure and to decommission the on-premises data center. You need to recommend a solution to minimize the impact on users after the planned migration. What should you recommend? A. Implement Azure Multi-Factor Authentication (MFA) B. Sync all the Active Directory user accounts to Azure Active Directory (Azure AD). C. Instruct all users to change their password. D. Create a guest user account in Azure Active Directory (Azure AD) for each user.

B Ans: Azure Active Directory (Azure AD) is Microsoft's cloud-based identity and access management service, which helps your employees sign in and access resources in: External resources, such as Microsoft Office 365, the Azure portal, and thousands of other SaaS applications. Internal resources, such as apps on your corporate network and intranet, along with any cloud apps developed by your own organization.

What can Azure Information Protection encrypt? A. Network traffic B. Documents and email messages C. An Azure Storage account D. An Azure SQL database

B Ans: Azure Information Protection (sometimes referred to as AIP) is a cloud-based solution that helps an organization to classify and optionally, protect its documents and emails by applying labels. Labels can be applied automatically by administrators who define rules and conditions, manually by users, or a combination where users are given recommendations. After your content is classified (and optionally protected), you can then track and control how it is used. You can analyze data flows to gain insight into your business, detect risky behaviors and take corrective measures, track access to documents, prevent data leakage or misuse, and so on.

What should the company use to build, test, and deploy predictive analytics solutions? A. Azure Logic Apps B. Azure Machine Learning Studio C. Azure Batch D. Azure Cosmos DB

B Ans: Azure Machine Learning Studio gives you an interactive, visual workspace to easily build, test, and iterate on a predictive analysis model. Microsoft Azure Machine Learning Studio is a collaborative, drag-and-drop tool you can use to build, test, and deploy predictive analytics solutions on your data. Machine Learning Studio publishes models as web services that can easily be consumed by custom apps or BI tools such as Excel. Machine Learning Studio is where data science, predictive analytics, cloud resources, and your data meet. To develop a predictive analysis model, you typically use data from one or more sources, transform, and analyze that data through various data manipulation and statistical functions, and generate a set of results. Developing a model like this is an iterative process. As you modify the various functions and their parameters, your results converge until you are satisfied that you have a trained, effective model.

You have a virtual machine named VM1 that runs Windows Server 2016. VM1 is in the East US Azure region. Which Azure service should you use from the Azure portal to view service failure notifications that can affect the availability of VM1? A. Azure Service Fabric B. Azure Monitor C. Azure virtual machines D. Azure Advisor

B Ans: Azure Monitor maximizes the availability and performance of your applications by delivering a comprehensive solution for collecting, analyzing, and acting on telemetry from your cloud and on-premises environments. It helps you understand how your applications are performing and proactively identifies issues affecting them and the resources they depend on. All data collected by Azure Monitor fits into one of two fundamental types, metrics and logs. Metrics are numerical values that describe some aspect of a system at a particular point in time. They are lightweight and capable of supporting near real-time scenarios. Logs contain different kinds of data organized into records with different sets of properties for each type. Telemetry such as events and traces are stored as logs in addition to performance data so that it can all be combined for analysis.

Your company has an Azure environment that contains resources in several regions. A company policy states that administrators must only be allowed to create additional Azure resources in a region in the country where their office is located. You need to create the Azure resource that must be used to meet the policy requirement. What should you create? A. A read-only lock B. An Azure policy C. A management group D. A reservation

B Ans: Azure Policy is a service in Azure that you use to create, assign, and manage policies. These policies enforce different rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements. Azure Policy meets this need by evaluating your resources for non-compliance with assigned policies. For example, you can have a policy to allow only a certain SKU size of virtual machines in your environment. Once this policy is implemented, new and existing resources are evaluated for compliance. With the right type of policy, existing resources can be brought into compliance. There are a few key differences between Azure Policy and role-based access control (RBAC). RBAC focuses on user actions at different scopes. You might be added to the contributor role for a resource group, allowing you to make changes to that resource group. Azure Policy focuses on resource properties during deployment and for already existing resources. Azure Policy controls properties such as the types or locations of resources. Unlike RBAC, Azure Policy is a default allow and explicit deny system.

This question requires that you evaluate the UPPER-CASED text surrounded by *** to determine if it is correct. If a resource group named RG1 has a delete lock, *** ONLY A MEMBER OF THE GLOBAL ADMINISTRATORS GROUP *** can delete RG1. A. No change is needed B. The delete lock must be removed before an administrator C. An Azure policy must be modified before an administrator D. An Azure tag must be added before an administrator

B Ans: Lock resources to prevent unexpected changes! As an administrator, you may need to lock a subscription, resource group, or resource to prevent other users in your organization from accidentally deleting or modifying critical resources. You can set the lock level to CanNotDelete or ReadOnly. In the portal, the locks are called Delete and Read-only respectively. CanNotDelete means authorized users can still read and modify a resource, but they can't delete the resource. ReadOnly means authorized users can read a resource, but they can't delete or update the resource. Applying this lock is similar to restricting all authorized users to the permissions granted by the Reader role.

Your company plans to deploy an Artificial Intelligence (AI) solution in Azure. What should the company use to build, test, and deploy predictive analytics solutions? A. Azure Logic Apps B. Azure Machine Learning Studio C. Azure Batch D. Azure Cosmos DB

B Ans: Machine Learning Studio is a powerfully simple browser-based, visual drag-and-drop authoring environment where no coding is necessary. Go from idea to deployment in a matter of clicks. Azure Machine Learning is designed for applied machine learning. Use best-in-class algorithms and a simple drag-and-drop interface, and go from idea to deployment in a matter of clicks.

To what should an application connect to retrieve security tokens? A. An Azure Storage account B. Azure Active Directory (Azure AD) C. A certificate store D. An Azure key vault

B Ans: Microsoft identity platform is an evolution of the Azure Active Directory (Azure AD) developer platform. It allows developers to build applications that sign in all Microsoft identities and get tokens to call Microsoft APIs such as Microsoft Graph or APIs that developers have built. It's a full-featured platform that consists of an OAuth 2.0 and OpenID Connect standard-compliant authentication service, open-source libraries, application registration and configuration, robust conceptual and reference documentation, quickstart samples, code samples, tutorials, and how-to guides.

This question requires that you evaluate the UPPER-CASED text surrounded by *** to determine if it is correct. You have several virtual machines in an Azure subscription. You create a new subscription. *** THE VIRTUAL MACHINES CANNOT BE MOVED TO THE NEW SUBSCRIPTION ***. A. No change is needed B. The virtual machines can be moved to the new subscription C. The virtual machines can be moved to the new subscription only if they are all in the same resource group D. The virtual machines can be moved to the new subscription only if they run Windows Server 2016.

B Ans: Moving between subscriptions can be handy if you originally created a VM in a personal subscription and now want to move it to your company's subscription to continue your work. You do not need to start the VM in order to move it and it should continue to run during the move. New resource IDs are created as part of the move. After the VM has been moved, you will need to update your tools and scripts to use the new resource IDs.

You have an Azure subscription named Subscription1. Subscription1 contains the resource groups in the following table. *** Name: RG1, Azure region: West Europe, Policy: Policy1; Name: RG2, Azure region: North Europe, Policy: Policy2; Name: RG3, Azure region: France Central, Policy: Policy3 *** RG1 has a web app named WebApp1. WebApp1 is located in West Europe. You move WebApp1 to RG2. What is the effect of the move? A. The App Service plan for WebApp1 moves to North Europe. Policy2 applies to WebApp1. B. The App Service plan for WebApp1 remains in West Europe. Policy2 applies to WebApp1. C. The App Service plan for WebApp1 moves to North Europe. Policy1 applies to WebApp1. D. The App Service plan for WebApp1 remains in West Europe. Policy1 applies to WebApp1.

B Ans: You can move an app to another App Service plan, as long as the source plan and the target plan are in the same resource group and geographical region. The region in which your app runs is the region of the App Service plan it's in. However, you cannot change an App Service plan's region.

Your company plans to move several servers to Azure. The company's compliance policy states that a server named FinServer must be on a separate network segment. You are evaluating which Azure services can be used to meet the compliance policy requirements. Which Azure solution should you recommend? A. A resource group for FinServer and another resource group for all the other servers. B. A virtual network for FinServer and another virtual network for all the other servers. C. A VPN for FinServer and a virtual network gateway for each other server. D. One resource group for all the servers and a resource lock for FinServer.

B Ans: Azure virtual networks are similar to LANs on your on-premises network. The idea behind an Azure virtual network is that you create a network, based on a single private IP address space, on which you can place all your Azure virtual machines. The private IP address spaces available are in the Class A (10.0.0.0/8), Class B (172.16.0.0/12), and Class C (192.168.0.0/16) ranges. Best practice: Create network access controls between subnets. Routing between subnets happens automatically, and you don't need to manually configure routing tables. By default, there are no network access controls between the subnets that you create on an Azure virtual network. Detail: Use a network security group to protect against unsolicited traffic into Azure subnets. Network security groups are simple, stateful packet inspection devices that use the 5-tuple approach (source IP, source port, destination IP, destination port, and layer 4 protocol) to create allow/deny rules for network traffic. You allow or deny traffic to and from a single IP address, to and from multiple IP addresses, or to and from entire subnets. When you use network security groups for network access control between subnets, you can put resources that belong to the same security zone or role in their own subnets.

You have an Azure subscription that contains a policy-based virtual network gateway named GW1 and a virtual network named VNet1. You need to ensure that you can configure a point-to-site connection from VNet1 to an on-premises computer. Which two actions should you perform? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point. A. Reset GW1 B. Create a route-based virtual network gateway C. Delete GW1 D. Add a public IP address space to VNet1 E. Add a connection to GW1 F. Add a service endpoint to VNet1

B, C Ans: A VPN gateway is used when creating a VPN connection to your on-premises network. Route-based VPN devices use any-to-any (wildcard) traffic selectors, and let routing/forwarding tables direct traffic to different IPsec tunnels. It is typically built on router platforms where each IPsec tunnel is modeled as a network interface or VTI (virtual tunnel interface). Policy-based VPN devices use the combinations of prefixes from both networks to define how traffic is encrypted/decrypted through IPsec tunnels. It is typically built on firewall devices that perform packet filtering. IPsec tunnel encryption and decryption are added to the packet filtering and processing engine. Point-to-Site connections do not require a VPN device or a public-facing IP address.

You have an Azure subscription that contains a virtual network named VNet1. VNet1 contains four subnets named Gateway, Perimeter, NVA, and Production. The NVA subnet contains two network virtual appliances (NVAs) that will perform network traffic inspection between the Perimeter subnet and the Production subnet. You need to implement an Azure load balancer for the NVAs. The solution must meet the following requirements: * The NVAs must run in an active-active configuration that uses automatic failover. * The NVAs must load balance traffic to two services on the Production subnet. The services have different IP addresses. Which three actions should you perform? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point. A. Add two load balancing rules that have HA Ports enabled and Floating IP disabled B. Add a frontend IP configuration, two backend pools, and a health probe C. Add two load balancing rules that have HA Ports and Floating IP enabled D. Deploy a standard load balancer E. Deploy a basic load balancer F. Add a frontend IP configuration, a backend pool, and a health probe

B, C, D Ans: A standard load balancer is required for the HA ports. Two backend pools are needed as there are two services with different IP addresses. Floating IP rule is used where backend ports are reused. HA Ports are not available for the basic load balancer.

You have an Azure subscription that contains the resources in the following table. *** Name: RG1, Type: Resource group; Name: Store1, Type: Azure Storage Account; Name: Sync1, Type: Azure File Sync *** Store1 contains a file share named Data. Data contains 5,000 files. You need to synchronize the files in Data to an on-premises server named Server1. Which three actions should you perform? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point. A. Download an automation script B. Register Server1 C. Create a sync group D. Create a container instance E. Install the Azure File Sync agent on Server1

B, C, E Ans: Use Azure File Sync to centralize your organization's file shares in Azure Files, while keeping the flexibility, performance, and compatibility of an on-premises file server. Azure File Sync transforms Windows Server into a quick cache of your Azure file share. You can use any protocol that's available on Windows Server to access your data locally, including SMB, NFS, and FTPS. You can have as many caches as you need across the world. Step 1: Install the Azure File Sync agent on Server1. The Azure File Sync agent is a downloadable package that enables Windows Server to be synced with an Azure file share. Step 2: Register Server1. Register Windows Server with Storage Sync Service. Registering your Windows Server with a Storage Sync Service establishes a trust relationship between your server (or cluster) and the Storage Sync Service. Step 3: Create a sync group and a cloud endpoint. A sync group defines the sync topology for a set of files. Endpoints within a sync group are kept in sync with each other. A sync group must contain one cloud endpoint, which represents an Azure file share, and one or more server endpoints. A server endpoint represents a path on a registered server.

You create an Azure Storage account named contosostorage. You plan to create a file share named data. Users need to map a drive to the data file share from home computers that run Windows 10. Which outbound port should you open between the home computers and the data file share? A. 80 B. 443 C. 445 D. 3389

C Ans: Azure Files is Microsoft's easy-to-use cloud file system. Azure file shares can be seamlessly used in Windows and Windows Server. Prerequisites: Storage account name: To mount an Azure file share, you will need the name of the storage account. Storage account key: To mount an Azure file share, you will need the primary (or secondary) storage key. SAS keys are not currently supported for mounting. Ensure port 445 is open: The SMB protocol requires TCP port 445 to be open; connections will fail if port 445 is blocked. You can check to see if your firewall is blocking port 445 with the Test-NetConnection cmdlet.

You plan to map a network drive from several computers that run Windows 10 to Azure Storage. You need to create a storage solution in Azure for the planned mapped drive. What should you create? A. An Azure SQL database B. A virtual machine data disk C. A Files service in a storage account D. A Blobs service in a storage account

C Ans: Azure Files offers fully managed file shares in the cloud that are accessible via the industry standard Server Message Block (SMB) protocol. Azure file shares can be mounted concurrently by cloud or on-premises deployments of Windows, Linux, and macOS. Additionally, Azure file shares can be cached on Windows Servers with Azure File Sync for fast access near where the data is being used. Azure Files: Extend your servers to Azure with Sync for on-premises performance and capability. Secure data at rest and in-transit using SMB 3.0 and HTTPS. Simplify cloud file share management using familiar tools. Create high-performance file shares using the Premium Files storage tier.

This question requires that you evaluate the UPPER-CASED text surrounded by *** to determine if it is correct. You have an Azure virtual network named VNET1 in a resource group named RG1. You assign an Azure policy specifying that virtual networks are not an allowed resource type in RG1. VNET1 *** IS DELETED AUTOMATICALLY ***. A. No change is needed B. Is moved automatically to another resource group C. Continues to function normally D. Is now a read-only object

C Ans: The journey of creating and implementing a policy in Azure Policy begins with creating a policy definition. Every policy definition has conditions under which it's enforced. And, it has a defined effect that takes place if the conditions are met. In Azure Policy, we offer several built-in policies that are available by default. For example: Allowed Resource Type: Defines the resource types that you can deploy. Its effect is to deny all resources that aren't part of this defined list. Not allowed resource types: Prevents a list of resource types from being deployed.

You have two subscriptions named Subscription1 and Subscription2. Each subscription is associated to a different Azure AD tenant. Subscription1 contains a virtual network named VNet1. VNet1 contains an Azure virtual machine named VM1 and has an IP address space of 10.0.0.0/16. Subscription2 contains a virtual network named VNet2. VNet2 contains an Azure virtual machine named VM2 and has an IP address space of 10.10.0.0/24. You need to connect VNet1 to VNet2. What should you do first? A. Move VM1 to Subscription2 B. Modify the IP address space of VNet2 C. Provision virtual network gateways D. Move VNet1 to Subscription2

C Ans: The virtual networks can be in the same or different regions, and from the same or different subscriptions. When connecting VNets from different subscriptions, the subscriptions do not need to be associated with the same Active Directory tenant. Configuring a VNet-to-VNet connection is a good way to easily connect VNets. Connecting a virtual network to another virtual network using the VNet-to-VNet connection type (VNet2VNet) is similar to creating a Site-to-Site IPsec connection to an on-premises location. Both connectivity types use a VPN gateway to provide a secure tunnel using IPsec/IKE, and both function the same way when communicating. The local network gateway for each VNet treats the other VNet as a local site. This lets you specify additional address space for the local network gateway in order to route traffic.

You have five Azure virtual machines that run Windows Server 2016. The virtual machines are configured as web servers. You have an Azure load balancer named LB1 that provides load balancing services for the virtual machines. You need to ensure that visitors are serviced by the same web server for each request. What should you configure? A. Protocol to UDP B. Session persistence to None C. Session persistence to Client IP D. Idle Time-out (minutes) to 20

C Ans: You can configure sticky sessions in load balancer rules by setting the session persistence to Client IP.

This question requires that you evaluate the UPPER-CASED text surrounded by *** to determine if it is correct. When you need to delegate permissions to several Azure virtual machines simultaneously, you must deploy the Azure virtual machines *** TO THE SAME AZURE REGION ***. A. No change is needed B. By using the same Azure Resource Manager template C. To the same resource group D. To the same availability zone

C Ans: Access management for cloud resources is a critical function for any organization that is using the cloud. Role-based access control (RBAC) helps you manage who has access to Azure resources, what they can do with those resources, and what areas they have access to. Here are some examples of what you can do with RBAC: * Allow one user to manage virtual machines in a subscription and another user to manage virtual networks. * Allow a DBA group to manage SQL databases in a subscription * Allow a user to manage all resources in a resource group, such as virtual machines, websites, and subnets * Allow an application to access all resources in a resource group

This question requires that you evaluate the UPPER-CASED text surrounded by *** to determine if it is correct. An organization that hosts its infrastructure *** IN A PRIVATE CLOUD *** can decommission its data center. A. No change is needed B. In a hybrid cloud C. In the public cloud D. On a Hyper-V host

C Ans: After a workload is promoted to production, the assets that previously hosted the production workload are no longer required to support business operations. At that point, the older assets are considered retired. Retired assets can then be decommissioned, reducing operational costs. Decommissioning a resource can be as simple as turning off the power to the asset and disposing of the asset responsibly. Unfortunately, decommissioning resources can sometimes have undesired consequences. The following guidance can aid in properly decommissioning retired resources, with minimal business interruptions.

This question requires that you evaluate the UPPER-CASED text surrounded by *** to determine if it is correct. Your company implements *** AZURE POLICIES *** to automatically add a watermark to Microsoft Word documents that contain credit card information. Instructions: Review the UPPER-CASED text surrounded by ***. If it makes the statement correct, select "No change is needed". If the statement is incorrect, select the answer choice that makes the statement correct. A. No change is needed B. DDoS protection C. Azure Information Protection D. Azure Active Directory (Azure AD) Identity Protection

C Ans: An Azure Information Protection policy contains the following elements that you can configure: * Which labels are included that let administrators and users classify (and optionally, protect) documents and emails. * Title and tooltip for the Information Protection bar that users see in their Office applications. * The option to set a default label as a starting point for classifying documents and emails. * The option to enforce classification when users save documents and send emails. * The option to prompt users to provide a reason when they select a label that has a lower sensitivity level than the original. * The option to automatically label an email message, based on its attachments. * The option to control whether the Information Protection bar is displayed in Office applications. * The option to control whether the Do Not Forward button is displayed in Outlook. * The option to let users specify their own permissions for documents. * The option to provide a custom help link for users.

Which Azure service should you use to store certificates? A. Azure Security Center B. An Azure Storage account C. Azure Key Vault D. Azure Information Protection

C Ans: Azure Key Vault enables Microsoft Azure applications and users to store and use several types of secret/key data: Cryptographic keys: Supports multiple key types and algorithms, and enables the use of Hardware Security Modules (HSM) for high value keys. Secrets: Provides secure storage of secrets, such as passwords and database connection strings. Certificates: Supports certificates, which are built on top of keys and secrets and add an automated renewal feature. Azure Storage: Can manage keys of an Azure Storage account for you. Internally, Key Vault can list (sync) keys with an Azure Storage Account, and regenerate (rotate) the keys periodically.

This question requires that you evaluate the UPPER-CASED text surrounded by *** to determine if it is correct. *** RESOURCE GROUPS *** provide organizations with the ability to manage the compliance of Azure resources across multiple subscriptions. A. No change is needed B. Management groups C. Azure policies D. Azure App Service plans

C Ans: Azure Policy is a service in Azure that you use to create, assign, and manage policies. These policies enforce different rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements. Azure Policy meets this need by evaluating your resources for non-compliance with assigned policies. For example, you can have a policy to allow only a certain SKU size of virtual machines in your environment. Once this policy is implemented, new and existing resources are evaluated for compliance. With the right type of policy, existing resources can be brought into compliance. There are a few key differences between Azure Policy and role-based access control (RBAC). RBAC focuses on user actions at different scopes. You might be added to the contributor role for a resource group, allowing you to make changes to that resource group. Azure Policy focuses on resource properties during deployment and for already existing resources. Azure Policy controls properties such as the types or locations of resources. Unlike RBAC, Azure Policy is a default allow and explicit deny system.

This question requires that you evaluate the UPPER-CASED text surrounded by *** to determine if it is correct. *** AZURE POLICIES PROVIDE *** a common platform for deploying objects to a cloud infrastructure and for implementing consistency across the Azure environment. A. No change is needed B. Resource groups provide C. Azure Resource Manager provides D. Management groups provide

C Ans: Azure Resource Manager is the deployment and management service for Azure. It provides a consistent management layer that enables you to create, update, and delete resources in your Azure subscription. You can use its access control, auditing, and tagging features to secure and organize your resources after deployment. When you take actions through the portal, PowerShell, Azure CLI, REST APIs, or client SDKs, the Azure Resource Manager API handles your request. Because all requests are handled through the same API, you see consistent results and capabilities in all the different tools. All capabilities that are available in the portal are also available through PowerShell, Azure CLI, REST APIs, and client SDKs.

*** AZURE POLICIES PROVIDE *** a common platform for deploying objects to a cloud infrastructure and for implementing consistency across the Azure environment. A. No change is needed B. Resource groups provide C. Azure Resource Manager provides D. Management groups provide

C Ans: Azure Resource Manager is the deployment and management service for Azure. It provides a management layer that enables you to create, update, and delete resources in your Azure subscription. You use management features, like access control, locks, and tags, to secure and organize your resources after deployment. When a user sends a request from any of the Azure tools, APIs, or SDKs, Resource Manager receives the request. It authenticates and authorizes the request. Resource Manager sends the request to the Azure service, which takes the requested action. Because all requests are handled through the same API, you see consistent results and capabilities in all the different tools. Terminology: resource - A manageable item that is available through Azure. Virtual machines, storage accounts, web apps, databases, and virtual networks are examples of resources. resource group - A container that holds related resources for an Azure solution. The resource group includes those resources that you want to manage as a group. You decide which resources belong in a resource group based on what makes the most sense for your organization. resource provider - A service that supplies Azure resources. For example, a common resource provider is Microsoft.Compute, which supplies the virtual machine resource. Microsoft.Storage is another common resource provider. Resource Manager template - A JavaScript Object Notation (JSON) file that defines one or more resources to deploy to a resource group or subscription. The template can be used to deploy the resources consistently and repeatedly. declarative syntax - Syntax that lets you state "Here is what I intend to create" without having to write the sequence of programming commands to create it. The Resource Manager template is an example of declarative syntax. In the file, you define the properties for the infrastructure to deploy to Azure.

You have an Azure subscription that contains a resource group named RG1. RG1 contains 100 virtual machines. Your company has three cost centers named Manufacturing, Sales, and Finance. You need to associate each virtual machine to a specific cost center. What should you do? A. Configure locks for the virtual machine B. Add an extension to the virtual machines C. Assign tags to the virtual machines D. Modify the inventory settings of the virtual machine

C Ans: Billing Tags Policy Initiative: Requires specified tag values for cost center and product name. Uses built-in policies to apply and enforce required tags. You specify the required values for the tags.

Your company hosts an accounting application named App1 that is used by all the customers of the company. App1 has low usage during the first three weeks of each month and very high usage during the last week of each month. Which benefit of Azure Cloud Services supports cost management for this type of usage pattern? A. High availability B. High latency C. Elasticity D. Load balancing

C Ans: Elastic computing is the ability to quickly expand or decrease computer processing, memory, and storage resources to meet changing demands without worrying about capacity planning and engineering for peak usage. Typically controlled by system monitoring tools, elastic computing matches the amount of resources allocated to the amount of resources actually needed without disrupting operations. With cloud elasticity, a company avoids paying for unused capacity or idle resources and doesn't have to worry about investing in the purchase or maintenance of additional resources and equipment. While security and limited control are concerns to take into account when considering elastic cloud computing, it has many benefits. Elastic computing is more efficient than your typical IT infrastructure, is typically automated so it doesn't have to rely on human administrators around the clock, and offers continuous availability of services by avoiding unnecessary slowdowns or service interruptions.

This question requires that you evaluate the UPPER-CASED text surrounded by *** to determine if it is correct. You deploy an Azure resource. The resource becomes unavailable for an extended period due to a service outage. Microsoft will *** AUTOMATICALLY REFUND YOUR BANK ACCOUNT ***. A. No change is needed B. Automatically migrate the resource to another subscription. C. Automatically credit your account D. Send you a coupon code that you can redeem for Azure credits

C Ans: If we do not achieve and maintain the Service Levels for each Service as described in this SLA, then you may be eligible for a credit towards a portion of your monthly service fees. We will not modify the terms of your SLA during the initial term of your subscription; however, if you renew your subscription, the version of this SLA that is current at the time of renewal will apply throughout your renewal term. We will provide at least 90 days' notice for adverse material changes to this SLA.

This question requires that you evaluate the UPPER-CASED text surrounded by *** to determine if it is correct. From *** AZURE MONITOR ***, you can view which user turned off a specific virtual machine during the last 14 days. A. No change is needed B. Azure Event Hubs C. Azure Activity Log D. Azure Service Health

C Ans: The Azure Activity Log provides insight into subscription-level events that have occurred in Azure. This includes a range of data, from Azure Resource Manager operational data to updates on Service Health events. The Activity Log was previously known as Audit Logs or Operational Logs, since the Administrative category reports control-plane events for your subscriptions. Use the Activity Log to determine the what, who, and when for any write operations (PUT, POST, DELETE) taken on the resources in your subscription. You can also understand the status of the operation and other relevant properties. The Activity Log does not include read (GET) operations or operations for resources that use the Classic/RDFE model. There is a single Activity Log for each Azure subscription. It provides data about the operations on a resource from the outside (the "control plane"). Diagnostic Logs are emitted by a resource and provide information about the operation of that resource (the "data plane"). You must enable diagnostic settings for each resource.

This question requires that you evaluate the UPPER-CASED text surrounded by *** to determine if it is correct. Your Azure trial account expired last week. You are now unable to *** CREATE ADDITIONAL AZURE ACTIVE DIRECTORY (AZURE AD) USER ACCOUNTS ***. A. No change is needed B. Start an existing Azure virtual machine C. Access your data stored in Azure D. Access the Azure portal

C Ans: Your credit is expired: When you sign up for an Azure free account, you get a Free Trial subscription, which provides you $200 in Azure credits for 30 days and 12 months of free services. At the end of 30 days, Azure disables your subscription. Your subscription is disabled to protect you from accidentally incurring charges for usage beyond the credit and free services included with your subscription. To continue using Azure services, you must upgrade your subscription. After you upgrade, your subscription still has access to free services for 12 months. You only get charged for usage beyond the free services and quantities. You reached your spending limit: Azure subscriptions with credit such as Free Trial and Visual Studio Enterprise have spending limits on them. This means you can only use services up to the included credit. When your usage reaches the spending limit, Azure disables your subscription for the remainder of that billing period. Your subscription is disabled to protect you from accidentally incurring charges for usage beyond the credit included with your subscription. To remove your spending limit, see Remove the spending limit in Account Center.

What is required to use Azure Cost Management? A. A Dev/Test subscription B. Software Assurance C. An Enterprise Agreement (EA) D. A pay-as-you-go subscription

C,D Ans: As enterprises accelerate cloud adoption, it is becoming increasingly important to manage cloud costs across the organization. Last September, we announced the public preview of a comprehensive native cost management solution for enterprise customers. We are now excited to announce the general availability (GA) of Azure Cost Management experience that helps organizations visualize, manage, and optimize costs across Azure. In addition, we are excited to announce the public preview for web direct Pay-As-You-Go customers and Azure Government cloud. With the addition of the Azure Cost Management, customers now have an always-on, low-latency solution to understand and visualize costs with the following features available in Cost Management:

Which two types of customers are eligible to use Azure Government to develop a cloud solution? Each correct answer presents a complete solution. NOTE: Each correct selection is worth one point. A. A Canadian government contractor B. A European government contractor C. A United States government entity D. A United States government contractor E. A European government entity

C,D Ans: Microsoft Azure Government delivers a cloud platform built upon the foundational principles of security, privacy and control, compliance, and transparency. Public Sector entities receive a physically isolated instance of Microsoft Azure that employs world-class security and compliance services critical to U.S. government for all systems and applications built on its architecture. US government agencies or their partners interested in cloud services that meet government security and compliance requirements, can be confident that Microsoft Azure Government provides world-class security, protection, and compliance services. Azure Government delivers a dedicated cloud enabling government agencies and their partners to transform mission-critical workloads to the cloud. Azure Government services handle data that is subject to certain government regulations and requirements, such as FedRAMP, NIST 800.171 (DIB), ITAR, IRS 1075, DoD L4, and CJIS. In order to provide you with the highest level of security and compliance, Azure Government uses physically isolated datacenters and networks (located in U.S. only). Azure Government customers (US federal, state, and local government or their partners) are subject to validation of eligibility. If there is a question about eligibility for Azure Government, you should consult your account team.

You have an Azure virtual machine named VM1 that you use for testing. VM1 is protected by Azure Backup. You delete VM1. You need to remove the backup data stored for VM1. What should you do first? A. Delete the Recovery Services vault B. Delete the storage account C. Stop the backup D. Modify the backup policy

D Ans: Azure Backup provides backup for virtual machines - created through both the classic deployment model and the Azure Resource Manager deployment model - by using custom-defined backup policies in a Recovery Services vault. With the release of backup policy management, customers can manage backup policies and model them to meet their changing requirements from a single window. Customers can edit a policy, associate more virtual machines to a policy, and delete unnecessary policies to meet their compliance requirements. You can't delete a Recovery Services vault if it is registered to a server and holds backup data. If you try to delete a vault, but can't, the vault is still configured to receive backup data.

Which Azure service should you use to correlate events from multiple resources into a centralized repository? A. Azure Event Hubs B. Azure Analysis Services C. Azure Monitor D. Azure Log Analytics

D Ans: Log Analytics is a web tool used to write and execute Azure Monitor log queries. Open it by selecting Logs in the Azure Monitor menu. It starts with a new blank query.

You have an Azure Active Directory (Azure AD) tenant named contoso.onmicrosoft.com. You hire a temporary vendor. The vendor uses a Microsoft account that has a sign-in of [email protected]. You need to ensure that the vendor can authenticate to the tenant by using [email protected]. What should you do? A. From the Azure portal, add a custom domain name, create a new Azure AD user, and then specify [email protected] as the username. B. From Azure Cloud Shell, run the New-AzureADUser cmdlet and specify the "-UserPrincipalName [email protected]" parameter. C. From the Azure portal, add a new guest user, and then specify [email protected] as the email address. D. From Windows PowerShell, run the New-AzureADUser cmdlet and specify the "-UserPrincipalName [email protected]" parameter.

D Ans: UserPrincipalName - contains the UserPrincipalName (UPN) of this user. The UPN is what the user will use when they sign in to Azure AD. The common structure is @, so for Abby Brown in Contoso.com, the UPN would be [email protected]. To create the user, call the New-AzureADUser cmdlet with the parameter values: New-AzureADUser -AccountEnabled $True -DisplayName "Abby Brown" -PasswordProfile $PasswordProfile -MailNickName "AbbyB" -UserPrincipalName "[email protected]"

You have the Azure virtual networks shown in the following table.
***
Name: VNet1, Address space: 10.11.0.0/16, Subnet: 10.11.0.0/17, Azure Region: West US
Name: VNet2, Address space: 10.11.0.0/17, Subnet: 10.11.0.0/25, Azure Region: West US
Name: VNet3, Address space: 10.10.0.0/22, Subnet: 10.10.1.0/24, Azure Region: East US
Name: VNet4, Address space: 192.168.16.0/22, Subnet: 192.168.16.0/24, Azure Region: North Europe
***
To which virtual networks can you establish a peering connection from VNet1? A. VNet2 and VNet3 only B. VNet2 only C. VNet3 and VNet4 only D. VNet2, VNet3, and VNet4

D Ans: You can connect virtual networks to each other with virtual network peering. These virtual networks can be in the same region or different regions (also known as Global VNet peering). Once virtual networks are peered, resources in both virtual networks are able to communicate with each other, with the same latency and bandwidth as if the resources were in the same virtual network.

You have the Azure virtual machines shown in the following table.
***
Name: VM1, Azure Region: West Europe
Name: VM2, Azure Region: West Europe
Name: VM3, Azure Region: North Europe
Name: VM4, Azure Region: North Europe
***
You have a Recovery Services vault that protects VM1 and VM2. You need to protect VM3 and VM4 by using Recovery Services. What should you do first? A. Create a new backup policy B. Configure the extensions for VM3 and VM4 C. Create a storage account D. Create a new Recovery Services vault

D Ans: A Recovery Services vault is a storage entity in Azure that houses data. The data is typically copies of data, or configuration information for virtual machines (VMs), workloads, servers, or workstations. You can use Recovery Services vaults to hold backup data for various Azure services.

You need to identify the type of failure for which an Azure availability zone can be used to protect access to Azure services. What should you identify? A. A physical server failure B. An Azure region failure C. A storage failure D. An Azure data center failure

D Ans: Availability Zones is a high-availability offering that protects your applications and data from datacenter failures. Availability Zones are unique physical locations within an Azure region. Each zone is made up of one or more datacenters equipped with independent power, cooling, and networking. To ensure resiliency, there's a minimum of three separate zones in all enabled regions. The physical separation of Availability Zones within a region protects applications and data from datacenter failures. Zone-redundant services replicate your applications and data across Availability Zones to protect from single-points-of-failure. With Availability Zones, Azure offers industry best 99.99% VM uptime SLA. The full Azure SLA explains the guaranteed availability of Azure as a whole. An Availability Zone in an Azure region is a combination of a fault domain and an update domain. For example, if you create three or more VMs across three zones in an Azure region, your VMs are effectively distributed across three fault domains and three update domains. The Azure platform recognizes this distribution across update domains to make sure that VMs in different zones are not updated at the same time. Build high-availability into your application architecture by co-locating your compute, storage, networking, and data resources within a zone and replicating in other zones. Azure services that support Availability Zones fall into two categories: Zonal services - you pin the resource to a specific zone (for example, virtual machines, managed disks, Standard IP addresses), or Zone-redundant services - platform replicates automatically across zones (for example, zone-redundant storage, SQL Database).

You need to ensure that when Azure Active Directory (Azure AD) users connect to Azure AD from the Internet by using an anonymous IP address, the users are prompted automatically to change their password. Which Azure service should you use? A. Azure AD Connect Health B. Azure AD Privileged Identity Management C. Azure Advanced Threat Protection (ATP) D. Azure AD Identity Protection

D Ans: Azure Active Directory Identity Protection enables organizations to configure automated responses to detected suspicious actions related to user identities. Microsoft has secured cloud-based identities for more than a decade. With Azure Active Directory Identity Protection, in your environment, you can use the same protection systems Microsoft uses to secure identities.

You need to limit the amount of inbound traffic to all the Azure virtual networks. What should you create? A. One network security group (NSG) B. 10 virtual network gateways C. 10 Azure ExpressRoute circuits D. One Azure firewall

D Ans: Azure Firewall is a managed, cloud-based network security service that protects your Azure Virtual Network resources. It's a fully stateful firewall-as-a-service with built-in high availability and unrestricted cloud scalability. You can centrally create, enforce, and log application and network connectivity policies across subscriptions and virtual networks. Capabilities supported in Azure Firewall: Stateful firewall as a service; Built-in high availability with unrestricted cloud scalability; FQDN filtering; FQDN tags; Network traffic filtering rules; Outbound SNAT support; Inbound DNAT support; Centrally create, enforce, and log application and network connectivity policies across Azure subscriptions and VNETs; Fully integrated with Azure Monitor for logging and analytics.

You have an Azure environment that contains 10 virtual networks and 100 virtual machines. You need to limit the amount of inbound traffic to all the Azure virtual networks. What should you create? A. One network security group (NSG) B. 10 virtual network gateways C. 10 Azure ExpressRoute circuits D. One Azure firewall

D Ans: Azure Firewall: Cloud-native network security to protect your Azure Virtual Network resources

What should you use to evaluate whether your company's Azure environment meets regulatory requirements? A. The Knowledge Center website B. The Advisor blade from the Azure portal C. Compliance Manager from the Security Trust Portal D. The Security Center blade from the Azure portal

D Ans: Azure Security Center helps you prevent, detect, and respond to threats with increased visibility into and control over the security of your Azure resources. It provides integrated security monitoring and policy management across your subscriptions, helps detect threats that might otherwise go unnoticed, and works with a broad ecosystem of security solutions. Azure Security Center is enabled with your Microsoft Azure subscription and accessed from the Azure portal. (Sign in to the portal, select Browse, and scroll to Security Center).

You need to configure an Azure solution that meets the following requirements: Secures websites from attacks. Generates reports that contain details of attempted attacks. What should you include in the solution? A. Azure Firewall B. A network security group (NSG) C. Azure Information Protection D. DDoS protection

D Ans: Distributed denial of service (DDoS) attacks are some of the largest availability and security concerns facing customers that are moving their applications to the cloud. A DDoS attack attempts to exhaust an application's resources, making the application unavailable to legitimate users. DDoS attacks can be targeted at any endpoint that is publicly reachable through the internet. Product features: Always-on monitoring and automatic network attack mitigation; Adaptive tuning based on platform insights in Azure; Application layer protection with Azure Application Gateway Web Application Firewall; Integration with Azure Monitor for analytics and insights; Protection against the unforeseen costs of a DDoS attack.

You attempt to create several managed Microsoft SQL Server instances in an Azure environment and receive a message that you must increase your Azure Subscription Limits. What should you do to increase the limits? A. Create a service health alert B. Upgrade your support plan C. Modify an Azure policy D. Create a new support request

D Ans: If you want to raise the limit or quota above the default limit, open an online customer support request at no charge. Free Trial subscriptions aren't eligible for limit or quota increases. If you have a Free Trial subscription, you can upgrade to a Pay-As-You-Go subscription. For more information, see Upgrade your Azure Free Trial subscription to a Pay-As-You-Go subscription and the Free Trial subscription FAQ. Quotas for resources in Azure resource groups are per-region accessible by your subscription, not per-subscription as the service management quotas are. Let's use vCPU quotas as an example. To request a quota increase with support for vCPUs, you must decide how many vCPUs you want to use in which regions. You then make a specific request for Azure resource group vCPU quotas for the amounts and regions that you want. If you need to use 30 vCPUs in West Europe to run your application there, you specifically request 30 vCPUs in West Europe. Your vCPU quota isn't increased in any other region--only West Europe has the 30-vCPU quota. As a result, decide what your Azure resource group quotas must be for your workload in any one region. Then request that amount in each region into which you want to deploy. For help in how to determine your current quotas for specific regions, see Troubleshoot deployment issues.

This question requires that you evaluate the UPPER-CASED text surrounded by *** to determine if it is correct. Azure Germany can be used by *** LEGAL RESIDENTS OF GERMANY ONLY ***. A. No change is needed B. Only enterprises that are registered in Germany C. Only enterprises that purchase their Azure licenses from a partner based in Germany. D. Any user or enterprise that requires its data to reside in Germany.

D Ans: Microsoft Azure Germany delivers a cloud platform built on the foundational principles of security, privacy, compliance, and transparency. Azure Germany is a physically isolated instance of Microsoft Azure. It uses world-class security and compliance services that are critical to German data privacy regulations for all systems and applications built on its architecture. Operated by a data trustee, Azure Germany supports multiple hybrid scenarios for building and deploying solutions on-premises or in the cloud. You can also take advantage of the instant scalability and guaranteed uptime of a hyperscale cloud service. Azure Germany includes the core components of infrastructure as a service (IaaS), platform as a service (PaaS), and software as a service (SaaS). These components include infrastructure, network, storage, data management, identity management, and many other services. Azure Germany supports most of the same great features that global Azure customers have used, like geosynchronous data replication and autoscaling.

You have an on-premises network that contains 100 servers. You need to recommend a solution that provides additional resources to your users. The solution must minimize capital and operational expenditure costs. What should you include in the recommendation? A. A complete migration to the public cloud B. An additional data center C. A private cloud D. A hybrid cloud

D Ans: Private cloud is a type of cloud computing that delivers similar advantages to public cloud, including scalability and self-service, but through a proprietary architecture. Unlike public clouds, which deliver services to multiple organizations, a private cloud is dedicated to the needs and goals of a single organization. As a result, private cloud is best for businesses with dynamic or unpredictable computing needs that require direct control over their environments, typically to meet security, business governance or regulatory compliance requirements. There are three general cloud deployment models: public, private and hybrid. A public cloud is where an independent, third-party provider, such as Amazon Web Services (AWS) or Microsoft Azure, owns and maintains compute resources that customers can access over the internet. Public cloud users share these resources, a model known as a multi-tenant environment. By comparison, a private cloud is created and maintained by an individual enterprise. The private cloud might be based on resources and infrastructure already present in an organization's on-premises data center or on new, separate infrastructure. In both cases, the enterprise itself owns and operates the private cloud. A hybrid cloud is a model in which a private cloud connects with public cloud infrastructure, allowing an organization to orchestrate workloads across the two environments. In this model, the public cloud effectively becomes an extension of the private cloud to form a single, uniform cloud. A hybrid cloud deployment requires a high level of compatibility between the underlying software and services used by both the public and private clouds. 
When an organization properly architects and implements a private cloud, it can provide most of the same benefits found in public clouds, such as user self-service and scalability, as well as the ability to provision and configure virtual machines (VMs) and change or optimize computing resources on demand. An organization can also implement chargeback tools to track computing usage and ensure business units pay only for the resources or services they use. Private clouds are often deployed when public clouds are deemed inappropriate or inadequate for the needs of a business. For example, a public cloud might not provide the level of service availability or uptime that an organization needs. In other cases, the risk of hosting a mission-critical workload in the public cloud might exceed an organization's risk tolerance, or there might be security or regulatory concerns related to the use of a multi-tenant environment. In these cases, an enterprise might opt to invest in a private cloud to realize the benefits of cloud computing, while maintaining total control and ownership of its environment. However, private clouds also have some disadvantages. First, private cloud technologies, such as increased automation and user self-service, can bring some complexity into an enterprise. These technologies typically require an IT team to rearchitect some of its data center infrastructure, as well as adopt additional management tools. As a result, an organization might have to adjust or even increase its IT staff to successfully implement a private cloud. This is different than public cloud, where most of the underlying complexity is handled by the cloud provider. Another potential disadvantage of private clouds is cost. A benefit of public cloud is cost mitigation through the use of computing as a "utility" -- customers only pay for the resources they use. 
When a business owns its private cloud, however, it bears all of the acquisition, deployment, support and maintenance costs involved.

When you are implementing a software as a service (SaaS) solution, you are responsible for *** CONFIGURING HIGH AVAILABILITY ***. A. No change is needed B. Defining scalability rules C. Installing the SaaS solution D. Configuring the SaaS solution

D Ans: Software as a service (SaaS) allows users to connect to and use cloud-based apps over the Internet. Common examples are email, calendaring, and office tools (such as Microsoft Office 365). SaaS provides a complete software solution that you purchase on a pay-as-you-go basis from a cloud service provider. You rent the use of an app for your organization, and your users connect to it over the Internet, usually with a web browser. All of the underlying infrastructure, middleware, app software, and app data are located in the service provider's data center. The service provider manages the hardware and software, and with the appropriate service agreement, will ensure the availability and the security of the app and your data as well. SaaS allows your organization to get quickly up and running with an app at minimal upfront cost.

You have an Active Directory forest named contoso.com. You install and configure Azure AD Connect to use password hash synchronization as the single sign-on (SSO) method. Staging mode is enabled. You review the synchronization results and discover that the Synchronization Service Manager does not display any sync jobs. You need to ensure that the synchronization completes successfully. What should you do? A. Run Azure AD Connect and set the SSO method to Pass-through Authentication. B. From Synchronization Service Manager, run a full import. C. From Azure PowerShell, run Start-AdSyncSyncCycle -PolicyType Initial. D. Run Azure AD Connect and disable staging mode.

D Ans: Staging mode must be disabled. If the Azure AD Connect server is in staging mode, password hash synchronization is temporarily disabled. Azure AD Connect is the Microsoft tool designed to meet and accomplish your hybrid identity goals. It provides the following features: Password hash synchronization - A sign-in method that synchronizes a hash of a user's on-premises AD password with Azure AD. Pass-through authentication - A sign-in method that allows users to use the same password on-premises and in the cloud, but doesn't require the additional infrastructure of a federated environment. Federation integration - Federation is an optional part of Azure AD Connect and can be used to configure a hybrid environment using an on-premises AD FS infrastructure. It also provides AD FS management capabilities such as certificate renewal and additional AD FS server deployments. Synchronization - Responsible for creating users, groups, and other objects, as well as making sure identity information for your on-premises users and groups matches the cloud. This synchronization also includes password hashes. Health Monitoring - Azure AD Connect Health can provide robust monitoring and provide a central location in the Azure portal to view this activity.

You have an Azure subscription named Subscription1 that contains an Azure Log Analytics workspace named Workspace1. You need to view the error events from a table named Event. Which query should you run in Workspace1? A. Get-Event Event | where ($_.EventType -eq "error"). B. Get-Event Event | where ($_.EventType == "error"). C. Search in (Event) * | where EventType -eq "error". D. Search in (Event) "error". E. Select * from Event where EventType == "error". F. Event | where EventType is "error".

D Ans: Table scoping: To search a term in a specific table, add in (table-name) just after the search operator.
Search in table Event: search in (Event) "error" | take 100
Search in multiple tables: search in (Event, SecurityEvent) "error" | take 100

Your company plans to migrate all on-premises data to Azure. You need to identify whether Azure complies with the company's regional requirements. What should you use? A. The Knowledge Center B. Azure Marketplace C. The Azure portal D. The Trust Center

D Ans: The Azure Security Information site on Azure.com gives you the information you need to plan, design, deploy, configure, and manage your cloud solutions securely. With the Microsoft Trust center, you also have the information you need to be confident that the Azure platform on which you run your services is secure. Compliance: Microsoft helps organizations comply with national, regional, and industry-specific requirements governing the collection and use of individuals' data.

Your company has an Azure Active Directory (Azure AD) tenant named contoso.com that is configured for hybrid coexistence with the on-premises Active Directory Domain. The tenant contains the users shown in the following table. User1: User Type - Member, Source - AzureAD, Sign-in - [email protected]. User2: User Type - Member, Source - Windows Server Active Directory, Sign-in - [email protected]. User3: User Type - Guest, Source - Multiple, Sign-in - [email protected]. User4: User Type - Guest, Source - Multiple, Sign-in - [email protected]. Whenever possible, you need to enable Azure Multi-Factor Authentication (MFA) for the users in contoso.com. Which users should you enable for Azure MFA? A. User 1 only B. User 1, User 2, User 3 only C. User 1 and User 2 only D. User 1, User 2, User 3, and User 4 E. User 2 only

D Ans: The security of two-step verification lies in its layered approach. Compromising multiple authentication factors presents a significant challenge for attackers. Even if an attacker manages to learn the user's password, it is useless without also having possession of the additional authentication method. It works by requiring two or more of the following authentication methods: Something you know (typically a password); Something you have (a trusted device that is not easily duplicated, like a phone); Something you are (biometrics). Multi-Factor Authentication comes as part of the following offerings: Azure Active Directory Premium or Microsoft 365 Business - Full featured use of Azure Multi-Factor Authentication using Conditional Access policies to require multi-factor authentication. Azure AD Free or standalone Office 365 licenses - Use pre-created Conditional Access baseline protection policies to require multi-factor authentication for your users and administrators. Azure Active Directory Global Administrators - A subset of Azure Multi-Factor Authentication capabilities are available as a means to protect global administrator accounts.

You have an Azure DNS zone named adatum.com. You need to delegate a subdomain named research.adatum.com to a different DNS server in Azure. What should you do? A. Create an A record named *.research in the adatum.com zone. B. Create a PTR record named research in the adatum.com zone. C. Modify the SOA record of adatum.com. D. Create an NS record named research in the adatum.com zone.

D Ans: You need to create a name server (NS) record for the zone. The A record points your hostname to an IP address: it specifies the IPv4 address for a given host. This is one of the most frequently used records in DNS zones. PTR records are used for reverse DNS (Domain Name System) lookup. Using the IP address, you can get the associated domain/hostname. An A record should exist for every PTR record. The usage of a reverse DNS setup for a mail server is a good solution. SOA means Start of Authority. The SOA record defines the beginning of the authority DNS zone and specifies the global parameters for the zone. The SOA record has the following structure: "Serial number", "Primary name server (NS)", "DNS admin e-mail", "Refresh Rate", "Retry Rate", "Expire time" and "Default TTL". The NS records identify the name servers responsible for your DNS zone. In order to have a valid DNS configuration, the NS records configured in the DNS zone must be exactly the same as those configured as name servers at your domain name provider.

You have an Azure environment that contains multiple Azure virtual machines. You plan to implement a solution that enables the client computers on your on-premises network to communicate to the Azure virtual machines. You need to recommend which Azure resources must be created for the planned solution. Which two Azure resources should you include in the recommendation? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point. A. A virtual network gateway B. A load balancer C. An application gateway D. A virtual network E. A gateway subnet

D, E Ans: A VPN gateway is a specific type of virtual network gateway that is used to send encrypted traffic between an Azure virtual network and an on-premises location over the public Internet. You can also use a VPN gateway to send encrypted traffic between Azure virtual networks over the Microsoft network. Each virtual network can have only one VPN gateway. However, you can create multiple connections to the same VPN gateway. When you create multiple connections to the same VPN gateway, all VPN tunnels share the available gateway bandwidth. A virtual network gateway is composed of two or more virtual machines that are deployed to a specific subnet you create, which is called the gateway subnet. The VMs that are located in the gateway subnet are created when you create the virtual network gateway. Virtual network gateway VMs are configured to contain routing tables and gateway services specific to the gateway. You can't directly configure the VMs that are part of the virtual network gateway and you should never deploy additional resources to the gateway subnet. VPN gateways can be deployed in Azure Availability Zones. This brings resiliency, scalability, and higher availability to virtual network gateways. Deploying gateways in Azure Availability Zones physically and logically separates gateways within a region, while protecting your on-premises network connectivity to Azure from zone-level failures.

What are two characteristics of the public cloud? Each correct answer presents a complete solution. A. Dedicated hardware B. Unsecured connections C. Limited storage D. Metered pricing E. Self-service management

D,E Ans: Advantages of public clouds: Lower costs: no need to purchase hardware or software, and you pay only for the service you use. No maintenance: your service provider provides the maintenance. Near-unlimited scalability: on-demand resources are available to meet your business needs. High reliability: a vast network of servers ensures against failure.

You have an Azure Active Directory (Azure AD) tenant named contoso.onmicrosoft.com. The User administrator role is assigned to a user named Admin1. An external partner has a Microsoft account that uses the [email protected] sign in. Admin1 attempts to invite the external partner to sign in to the Azure AD tenant and receives the following error message: "Unable to invite user. [email protected] - Generic authorization exception." You need to ensure that Admin1 can invite the external partner to sign in to the Azure AD tenant. What should you do? A. From the Roles and administrators blade, assign the Security administrator role to Admin1. B. From the Organizational relationships blade, add an identity provider. C. From the Custom domain names blade, add a custom domain. D. From the Users blade, modify the External collaboration settings.

D. Ans: By default, all users and guests in your directory can invite guests even if they're not assigned to an admin role. External collaboration settings let you turn guest invitations on or off for different types of users in your organization. You can also delegate invitations to individual users by assigning roles that allow them to invite guests. With Azure AD B2B collaboration, a tenant admin can set the following invitation policies: Turn off invitations; Only admins and users in the Guest Inviter role can invite; Admins, the Guest Inviter role, and members can invite; All users, including guests, can invite.

You have an Azure subscription that contains the resources in the following table.
***
Name: VNet1, Type: virtual network, Azure region: West US, Resource group: RG2
Name: VNet2, Type: virtual network, Azure region: West US, Resource group: RG1
Name: VNet3, Type: virtual network, Azure region: East US, Resource group: RG1
Name: NSG1, Type: Network security group (NSG), Azure region: East US, Resource group: RG2
***
To which subnets can you apply NSG1? A. The subnets on VNet2 only B. The subnets on VNet2 and VNet3 only C. The subnets on VNet1, VNet2, and VNet3 D. The subnets on VNet1 only E. The subnets on VNet3 only

E Ans: All Azure resources are created in an Azure region and subscription. A resource can only be created in a virtual network that exists in the same region and subscription as the resource. You can, however, connect virtual networks that exist in different subscriptions and regions. For more information, see connectivity. When deciding which region(s) to deploy resources in, consider where consumers of the resources are physically located: Consumers of resources typically want the lowest network latency to their resources. To determine relative latencies between a specified location and Azure regions, see View relative latencies. Do you have data residency, sovereignty, compliance, or resiliency requirements? If so, choosing the region that aligns to the requirements is critical. Do you require resiliency across Azure Availability Zones within the same Azure region for the resources you deploy? You can deploy resources, such as virtual machines (VMs), to different availability zones within the same virtual network. Not all Azure regions support availability zones, however.

You plan to deploy several Azure virtual machines. You need to ensure that the services running on the virtual machines are available if a single data center fails. Solution: You deploy the virtual machines to two or more scale sets. Does this meet the goal? Yes/No

No Ans: Azure virtual machine scale sets let you create and manage a group of identical, load balanced VMs. The number of VM instances can automatically increase or decrease in response to demand or a defined schedule. Scale sets provide high availability to your applications, and allow you to centrally manage, configure, and update a large number of VMs. With virtual machine scale sets, you can build large-scale services for areas such as compute, big data, and container workloads. To provide redundancy and improved performance, applications are typically distributed across multiple instances. Customers may access your application through a load balancer that distributes requests to one of the application instances. If you need to perform maintenance or update an application instance, your customers must be distributed to another available application instance. To keep up with additional customer demand, you may need to increase the number of application instances that run your application. A region is a set of datacenters deployed within a latency-defined perimeter and connected through a dedicated regional low-latency network. With more global regions than any other cloud provider, Azure gives customers the flexibility to deploy applications where they need to. Azure is generally available in 46 regions around the world, with plans announced for 8 additional regions.

An Azure administrator plans to run a PowerShell script that creates Azure resources. You need to recommend which computer configuration to use to run the script. Solution: Run the script from a computer that runs Linux and has the Azure CLI tools installed. Does this meet the goal? Yes/No

No Ans: Install Azure CLI on Linux manually: If there's no package for the Azure CLI for your distribution, install the CLI manually by running a script.

You have an Azure subscription named Subscription1. Subscription1 contains a resource group named RG1. RG1 contains resources that were deployed by using templates. You need to view the date and time when the resources were created in RG1. Solution: From the Subscriptions blade, you select the subscription, and then click Programmatic deployment. Does this meet the goal? Yes/No

No Ans: The Azure Activity Log provides insight into subscription-level events that have occurred in Azure. This includes a range of data, from Azure Resource Manager operational data to updates on Service Health events. The Activity Log was previously known as Audit Logs or Operational Logs, since the Administrative category reports control-plane events for your subscriptions. Use the Activity Log to determine the what, who, and when for any write operations (PUT, POST, DELETE) taken on the resources in your subscription. You can also understand the status of the operation and other relevant properties. The Activity Log does not include read (GET) operations or operations for resources that use the Classic/RDFE model.

You manage a virtual network named VNet1 that is hosted in the West US Azure region. VNet1 hosts two virtual machines named VM1 and VM2 that run Windows Server. You need to inspect all the network traffic from VM1 to VM2 for a period of three hours. Solution: From Azure Network Watcher, you create a packet capture. Does this meet the goal? Yes/No

No Ans: Use the Connection Monitor feature of Azure Network Watcher. Network Watcher packet capture allows you to create capture sessions to track traffic to and from a virtual machine. Filters are provided for the capture session to ensure you capture only the traffic you want. Packet capture helps to diagnose network anomalies, both reactively and proactively. Other uses include gathering network statistics, gaining information on network intrusions, debugging client-server communication, and much more. Being able to remotely trigger packet captures eases the burden of running a packet capture manually on a desired virtual machine, which saves valuable time.

Your company has an Azure subscription that contains the following unused resources: 20 user accounts in Azure Active Directory (Azure AD). Five groups in Azure AD. 10 public IP addresses. 10 network interfaces. You need to reduce the Azure costs for the company. Solution: You remove the unused network interfaces. Does this meet the goal? Yes/No

No Ans: When creating a virtual machine using the Azure portal, the portal creates a network interface with default settings for you. If you'd rather specify all your network interface settings, you can create a network interface with custom settings and attach the network interface to a virtual machine when creating the virtual machine (using PowerShell or the Azure CLI). You can also create a network interface and add it to an existing virtual machine (using PowerShell or the Azure CLI). To learn how to create a virtual machine with an existing network interface or to add to, or remove network interfaces from existing virtual machines, see Add or remove network interfaces. Before creating a network interface, you must have an existing virtual network in the same location and subscription you create a network interface in.

Your company plans to purchase Azure. The company's support policy states that the Azure environment must provide an option to access support engineers by phone or email. You need to recommend which support plan meets the support policy requirement. Solution: Recommend a Basic support plan. Does this meet the goal? Yes/No

No Ans: BASIC: No Technical Support. DEVELOPER: Business hours access to Support Engineers via email. STANDARD, PROFESSIONAL DIRECT, PREMIER: 24x7 access to Support Engineers via email and phone.

Your Azure environment contains multiple Azure virtual machines. You need to ensure that a virtual machine named VM1 is accessible from the Internet over HTTP. Solution: You modify a DDoS protection plan. Does this meet the goal? Yes/No

No Ans: You open a port, or create an endpoint, to a virtual machine (VM) in Azure by creating a network filter on a subnet or a VM network interface. You place these filters, which control both inbound and outbound traffic, on a network security group attached to the resource that receives the traffic. The example in this article demonstrates how to create a network filter that uses the standard TCP port 80 (it's assumed you've already started the appropriate services and opened any OS firewall rules on the VM). After you've created a VM that's configured to serve web requests on the standard TCP port 80, you can: 1. Create a network security group. 2. Create an inbound security rule allowing traffic and assign values to the following settings: a. Destination port ranges: 80. b. Source port ranges: * (allows any source port). c. Priority value: Enter a value that is less than 65,500 and higher in priority than the default catch-all deny inbound rule. 3. Associate the network security group with the VM network interface or subnet.

You have an Azure virtual machine named VM1. VM1 was deployed by using a custom Azure Resource Manager template named ARM1.json. You receive a notification that VM1 will be affected by maintenance. You need to move VM1 to a different host immediately. Solution: From the Redeploy blade, you click Redeploy. Does this meet the goal? Yes/No

Yes Ans: When you redeploy a VM, it moves the VM to a new node within the Azure infrastructure and then powers it back on, retaining all your configuration options and associated resources.

You have an Azure Active Directory (Azure AD) tenant named Adatum and an Azure Subscription named Subscription1. Adatum contains a group named Developers. Subscription1 contains a resource group named Dev. You need to provide the Developers group with the ability to create Azure logic apps in the Dev resource group. Solution: On Dev, you assign the Logic App Contributor role to the Developers group. Does this meet the goal? Yes/No

Yes Ans: You can permit only specific users or groups to run specific operations, such as managing, editing, and viewing logic apps. To control their permissions, use Azure Role-Based Access Control (RBAC) to assign customized or built-in roles to members in your Azure subscription: Logic App Contributor: Lets you manage logic apps, but you can't change access to them. Logic App Operator: Lets you read, enable, and disable logic apps, but you can't edit or update them. To prevent others from changing or deleting your logic app, you can use Azure Resource Lock, which prevents others from changing or deleting production resources.

Your company plans to migrate all its data and resources to Azure. The company's migration plan states that only platform as a service (PaaS) solutions must be used in Azure. You need to deploy an Azure environment that supports the planned migration. Solution: You create an Azure App Service and Azure SQL databases. Does this meet the goal? Yes/No

Yes Ans: Platform as a service (PaaS) is a complete development and deployment environment in the cloud, with resources that enable you to deliver everything from simple cloud-based apps to sophisticated, cloud-enabled enterprise applications. You purchase the resources you need from a cloud service provider on a pay-as-you-go basis and access them over a secure Internet connection. Like IaaS, PaaS includes infrastructure (servers, storage and networking) but also middleware, development tools, business intelligence (BI) services, database management systems and more. PaaS is designed to support the complete web application lifecycle: building, testing, deploying, managing and updating. PaaS allows you to avoid the expense and complexity of buying and managing software licenses, the underlying application infrastructure and middleware, container orchestrators such as Kubernetes or the development tools and other resources. You manage the applications and services you develop and the cloud service provider typically manages everything else.

