AZ-104

Question 1

You manage the Azure network for your company. The company on-premises network configuration consists of multiple subnets. Each branch office has a dedicated IP subnet.

A new branch office was recently added. The network devices in this office were assigned to a 192.168.22.0/24 subnet.

You need to reconfigure the existing Azure VPN Gateway to ensure that all network devices in the new branch office can be accessed from the Azure virtual network.

Which PowerShell cmdlet should you use?

Answer 1

You should use the Set-AzLocalNetworkGateway PowerShell cmdlet. To change the list of network prefixes that are routed to the on-premises location, you need to reconfigure the local network gateway. This list can be configured upon the creation of the local network gateway or later, using the Set-AzLocalNetworkGateway cmdlet.

Question 2

You have two Azure virtual machines (VMs) running Windows as shown in the first exhibit.

You create a virtual network (VNet) peering by executing the following PowerShell commands:

$vnet1 = Get-AzVirtualNetwork -Name ‘VNet1’ -ResourceGroupName ‘RG1’
$vnet2 = Get-AzVirtualNetwork -Name ‘VNet2’ -ResourceGroupName ‘RG2’
Add-AzVirtualNetworkPeering `
-Name ‘VNet1-VNet2’ `
-VirtualNetwork $vnet1 `
-RemoteVirtualNetworkId $vnet2.Id

The peering overview of VNet1 is shown in the second exhibit.

You open the local Windows firewalls by running the following PowerShell command on both VMs:

New-NetFirewallRule -DisplayName ‘Enable ping’ -Protocol ‘ICMPv4’

A ping from VM1 to the private IP address of VM2 fails.

You need to make sure that VM1 can connect to VM2.

What should you do?

Answer 2

You should add a VNet peering from VNet2 to VNet1. When peering two VNets, peering connections are required in both directions. The peering from VNet1 to VNet2 is already created, so now you need to create the reverse peering. As shown in the second exhibit, the peering status is Initiated. The peering status should be Connected. This will be the case when 2-way peering is created.

Question 3

Your company has an Azure subscription. You have a virtual network (VNet) hosted in the East US Azure region. The VNet includes a virtual machine (VM) named VM1 that runs Windows Server 2016.

You need to capture all network packets into and out of VM1 over a two-hour period. Captured packets should be stored in VM1’s storage.

What should you use?

Answer 3

You should use Azure Network Watcher. Network Watcher lets you monitor and view performance metrics and diagnose performance issues for an Azure network. Functionality includes the ability to capture packets into or out of a VM. You can store the captured packets in Azure Storage on a local disk on the VM.

Question 4

You have an Azure network, as shown in the exhibit. Your network consists of two virtual networks (VNets) and several servers. Server 2 has the Network Watcher Agent installed.

You have peered both VNets together, but Server 1 cannot communicate with Server 2 over HTTPS.

You need to find the fault that is preventing the servers from communicating.

What should you do first?

Answer 4

You should use the Network Watcher service to test the connection. The IP flow verify tool in Network Watcher can be used to discover network issues, such as misconfigured network security groups.

Question 5

Your company has an Azure subscription that includes a virtual machine (VM) named VM1. VM1 is backed up through Azure Backup using a custom backup policy that runs backups twice daily. You plan to create a new VM based on VM1. You plan to restore from the Azure portal and choose to Create a new VM as the restore type.

Can you specify the destination virtual network for the new VM?

Answer 5

Yes

Question 6

Your company has an Azure subscription that includes a virtual machine (VM) named VM1. VM1 is backed up through Azure Backup using a custom backup policy that runs backups twice daily. You plan to create a new VM based on VM1. You plan to restore from the Azure portal and choose to Create a new VM as the restore type.

Can you create a new VM in the same resource group as the source VM or specify a different resource group?

Answer 6

Yes

Question 7

Your company has an Azure subscription that includes a virtual machine (VM) named VM1. VM1 is backed up through Azure Backup using a custom backup policy that runs backups twice daily. You plan to create a new VM based on VM1. You plan to restore from the Azure portal and choose to Create a new VM as the restore type.

Can you create the new VM in a different region?

Answer 7

No

Question 8

Vilken enhet sätter man TTL för DNS i?

Answer 8

Sekunder

Question 9

You are asked to configure Azure DNS records for the root domain company1.com and add two records to that zone for independently hosted websites on different servers but using the same alias of “www”. These servers will round-robin the DNS requests for high availability of the service. The time to live for the records must also be set to 1 hour.

You need to configure Azure DNS to support the requirements.

Answer 9

You should complete the script as follows:

New-AzDnsRecordSet -Name “@” -RecordType A -ZoneName “company1.com” -ResourceGroupName “MyResourceGroup” -Ttl 3600 -DnsRecords `
(New-AzDnsRecordConfig -IPv4Address “1.2.3.4”)
$aRecords = @()
$aRecords += New-AzDnsRecordConfig -IPv4Address “2.3.4.5”
$aRecords += New-AzDnsRecordConfig -IPv4Address “3.4.5.6”
New-AzDnsRecordSet -Name “www” -ZoneName “company1.com” -ResourceGroupName MyResourceGroup -Ttl 3600 -RecordType A -DnsRecords $aRecords

When configuring the root of a new DNS zone, you first have to configure the root element at the apex of the zone. This is done by using the New-AzDnsRecordSet cmdlet with the name “@”. This completes the first part of the requirement.

The Time To Live (TTL) should be set to 1 hour in both places. With DNS entries this is configured in seconds, so 3600 seconds is used for this value.

Following the configuration of the zone apex, you need to set two aliases for “www”. These are both set using the New-AzRecordConfig cmdlet and assigning the two IP addresses as elements of an array.

Finally, you create a New-AzRecordSet using the same zone and declare the records in the record set as the array you created earlier.

Question 10

Your company’s Azure subscription includes the Azure virtual machines (VMs) shown in the exhibit. Your company wants to start using Azure Recovery Services vaults to protect all VMs and store backup data.

You need to create Recovery Services vaults to support Azure VM backups.

What is the minimum number of Recovery Services vaults required?

Answer 10

2

You should create two Recovery Service vaults. You are required to create a Recovery Services vault in each Azure geographic region containing VMs for which you want to configure backups. VMs that are being backed up can include a mix of operating systems and operating system versions.

Question 11

Your company has an Azure subscription. You create an Azure Log Analytics workspace (Azure Monitor log) to collect data from various data sources. You are configuring monitoring solutions to collect log data and provide queries and views to analyze collected data.

You need to determine if prerequisites are met for the monitoring solutions you plan to employ.

Which monitoring solution requires a connected Operations Manager management group?

Answer 11

Windows Alert Management requires a connected Operations Manager management group to enable the alerts created in System Center Operations Manager (SCOM) to be imported into Log Analytics.

Question 12

Your company is planning to move a large amount of data from its on-premises storage solution to Azure Blob Storage in an Azure Storage Account.

You decide to use the Azure Import/Export service to migrate the data.

You need to prepare the disks for copying the data that will be migrated to Azure.

Which four actions should you perform in sequence? To answer, move the appropriate actions from the list of possible actions to the answer area and arrange them in the correct order.

Answer 12

You should perform the following actions in order:
Purchase 2.5-inch SATA hard disk drives.
Connect the disks to a Windows machine.
Create a volume and encrypt it by using BitLocker.
Prepare the import by using the WaImportExportV1 tool.

Question 13

What version of WaImportExport tool should you use for Blob Storage?

Answer 13

You use V1 when you want to import/export the data into Azure Blob Storage.

Question 14

What version of WaImportExport tool should you use for Azure FIles?

Answer 14

You need to use the V2 version when you want to import the data into Azure Files.

Question 15

You are planning to leverage Azure File Sync to create a cloud-based file share for all on-premises files hosted on a server running Windows Server 2019.

You need to set up the synchronization. You open port 443 for outbound traffic in the on-premises server.

Which four actions should you perform in sequence? To answer, move the appropriate actions from the list of possible actions to the answer area and arrange them in order.

Answer 15

You should perform the following actions in order:
Create a File Sync service in Azure.
Install the Azure File Sync Agent on the server and register it with the Storage Sync Service.
Create a sync group and a cloud endpoint.
Register the server and create a server endpoint on the share.
You should first create a File Sync service. Next, install the Azure File Sync Agent and configure the endpoints on the server and Azure Storage file share to start the sync process.

Question 16

Your company has a web application deployed in Azure. This web application is distributed in three different layers with three virtual machines (VMs) in each layer. The web application also has a public IP address to allow customers to access the application.

You are implementing a business continuity and disaster recovery (BCDR) plan for this web application using Azure Site Recovery. You configure replication of the VMs in the Azure region that hosts your web application.

You need to minimize the recovery time objective (RTO).

Which four actions should you perform in sequence? To answer, move the appropriate actions from the list of possible actions to the answer area and arrange them in the correct order.

Answer 16

You should perform the following steps in order:
Configure Network Security Groups (NSGs) in the target region.
Create a recovery plan.
Customize the plan and add a step for attaching the public IP address.
Create a Traffic Manager profile.
First, you should configure NSGs in the target region. When you set up Azure Site Recovery, the service can automatically configure virtual networks and subnets that you have configured in your source site. Unfortunately, the Azure Site Recovery service does not automatically replicate any NSGs that you have set in your source site. You need to re-create in the target region any NSG that you configured in the source region. Once you configure replication of the VMs in the source region and perform the first replication, you can create the target NSG.

Next, you should create a recovery plan. When you design a business continuity and disaster recovery plan, you write the needed tasks for bringing your web application online in case there is a critical failure in the Azure region where you are hosting your application. An Azure Site Recovery plan is a list of tasks that allows you to automate the execution of all jobs in your plan. Before you can create a recovery plan, you need to configure the replication of your VMs.

Next, you should customize the plan and add a step for attaching the public IP address. By default, Azure Site Recovery does not migrate public IP addresses, and these types of addresses cannot be retained during failover. If you need your target site to have a public IP address, you need to add the IP address to the target region. You can do this manually or by adding a step to the recovery plan. You use an Azure Automation runbook to add this public IP address to the target region.

Finally, you should create a Traffic Manager profile. Traffic Manager allows you to monitor the status of the source and target sites. In case of a failure of the source site, Traffic Manager automatically redirects the traffic to the target site while Azure Site Recovery handles the failover to the target region, making your web application available again and minimizing downtime.

Question 17

You deploy a virtual network (VNet) named VNET01. You deploy several virtual machines (VMs) connected to VNET01.

You configure a new service on VM01, which is one of the VMs connected to VNET01.

You need to allow inbound traffic to TCP port 992 on VM01. You created a network security group named NSG01.

Which PowerShell cmdlet should you use to attach the network security group to VM01?

Answer 17

You should use the Set-AzNetworkInterface cmdlet. This cmdlet modifies the NIC configured for a VM. To make this association, you should use a script similar to the following:

$nic = Get-AzNetworkInterface -ResourceGroupName “RG01” -Name “primary NIC of VM01”
$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName “RG01” -Name “NSG01”
$nic.NetworkSecurityGroup = $nsg
$nic | Set-AzNetworkInterface

Question 18

You are planning to deploy a Line of Business (LOB) application in Azure. This LOB application needs to be distributed in three different layers: one for the frontend, one for the backend, and the last layer for data persistence. To ensure high availability of each layer, you deploy two virtual machines (VMs) per layer. You also plan to configure an internal load balancer for the backend and persistence layers.

The LOB application must have the following minimum required services running on each layer:

Frontend layer: An IIS listening on TCP port 80 and an internal health endpoint on TCP port 80
Backend layer: An IIS listening on TCP port 443 and an internal health endpoint on TCP port 80
Persistence layer: A SQL Server listening on TCP port 1433
You are configuring the VMs for the backend layer.

You need to configure an internal load balancer for the backend layer. You need to ensure that your solution is resilient to hardware and software failures. Your solution needs to be cost-effective.

Which four actions should you perform? To answer, move the appropriate actions from the list of possible actions to the answer area and arrange them in any order.

Answer 18

You should perform the following steps:
Create a Standard Load Balancer.
Create a backend pool using the availability set.
Create an HTTP health probe using port 80.
Create a load balancing rule using port 443.
You need to create a Standard Load Balancer. This SKU meets all of the scenario requirements.

Question 19

Can you apply a custom role to a management group?

Answer 19

No

Question 20

You are asked to configure a subnet named SUBNET1 that is part of a virtual network named VNET1. Hosts on SUBNET1 need to be able to reach resources on a virtual network named VNET2 and also reach a proxy server that scans all outbound internet requests being made by resources hosted on SUBNET1.

The proxy server is hosted on your on-premises network. You have an ExpressRoute circuit named EXP-ROUTE1 configured between VNET2 and your on-premises network.

You want VNET1 to use EXP-ROUTE1 to reach the proxy server. Your solution must not require the creation of additional resources to reduce cost.

Which two actions should you perform? Each correct answer presents part of the solution.

Answer 20

You should configure virtual network peering between VNET1 and VNET2. You should also set VNET1 to use the remote gateway. The peering will provide connectivity between VNET1 and VNET2 by internally sharing routes to the corresponding IP address ranges. For VNET1 to leverage the EXP-ROUTE1 to connect to on-premises, you would have to ensure that the peering connection on VNET1 uses the gateway device attached to VNET2. This gateway is what is used by the ExpressRoute EXP-ROUTE1 circuit.

Question 21

Your Azure subscription has the following resources:

three App Services
one backup vault
one Azure event hub
a virtual network (VNet) named VNET01
a VPN Gateway
You deploy a new storage account named storage1 in a resource group named RG01.

You need to ensure that the App Services, the backup vault, and the event hub can access the new storage account. Access should be enabled from within Azure only, and not via public internet.

You decide to use PowerShell to set up the new storage account.

How should you complete the command string? To answer, select the appropriate options from the drop-down menus.

Answer 21

You should run the following script to ensure that the backup vault and the event hub services have access to the storage account:

Get-AzVirtualNetwork -ResourceGroupName “RG01” -Name “VNET01” |
Set-AzVirtualNetworkSubnetConfig -Name “VSUBNET01”
-AddressPrefix “10.0.0.0/24” -ServiceEndpoint “Microsoft.Storage”
| Set-AzVirtualNetwork

$subnet = Get-AzVirtualNetwork -ResourceGroupName “RG01” -Name “VNET01” |
Get-AzVirtualNetworkSubnetConfig -Name “VSUBNET01”

Add-AzStorageAccountNetworkRule -ResourceGroupName “RG01”
-Name “ storage01” -VirtualNetworkResourceId $subnet.Id

Update-AzStorageAccountNetworkRuleSet -ResourceGroupName “RG01”
-Name “ storage01” -Bypass AzureServices

You should use Microsoft.Storage as the service endpoint. Using the Set-AzVirtualNetworkSubnetConfig cmdlet enables the service endpoint on the subnet VSUBNET01 for a storage account. This will allow connections to the virtual subnet from the storage account. This cmdlet makes modifications only to the memory representation of the virtual network. You need to run Set-AzVirtualNetwork to make the changes persistent.

You should use the Add-AzStorageAccountNetworkRule cmdlet to add a firewall exception on the NetworkRule property in the storage account. This will allow communication from the virtual subnet to the storage account.

You should use the Update-AzStorageAccountNetworkRuleSet cmdlet. This cmdlet also updates the NetworkRule property. This cmdlet allows you to modify the NetworkRule property to allow other Azure services, like Backup or Event Hub, to have access to the storage account.

You should use AzureServices for the -Bypass parameter. This way, you instruct the Update-AzStorageAccountNetworkRuleSet cmdlet to allow connections from other Azure services. Allowed values are AzureServices, Metrics, Logging, and None.

Question 22

You are asked to evaluate and solve an issue with network and application rules on an Azure Firewall named AZFW1 associated with your Hub virtual network. AZFW1 was configured to not allow outbound traffic to google.com, however, users are able to reach google.com websites.

AZFW1 is configured with the network and applications rules as shown in the exhibit.

You need to resolve the issue by modifying the rules defined for AZFW1.

What should you do?

Answer 22

You should delete the all-web rule and add an application rule with a 400 priority to allow all websites. Network rules on Azure Firewall are evaluated before application rules, no matter if the priority value is smaller at the application rule. Because the all-web network rule allows all requests to port 80 and 443 to succeed, the application rule that denies traffic to google.com does not take effect. You should also another application rule with 400 priority to allow traffic to websites different than google.com.

Question 23

You plan to deploy a new Azure web app. The deployment must support Autoscale and support up to 20 instances of the web app.

You need to create an App Service Plan that supports the deployment. You want to minimize the cost to deploy and maintain the web app.

Which pricing tier should you choose?

Answer 23

You should choose a Premium service plan. The Premium pricing tier supports Autoscale with up to 30 instances.

You should not choose a Standard service plan. The Standard pricing tier supports Autoscale, but it is limited to no more than 10 instances.

Question 24

You have an Azure virtual network (VNet) named VNet1. VNet1 contains a subnet named Sub1 that hosts three Windows Server 2019 virtual machines (VMs).

You need to design a network security group (NSG) that blocks inbound Remote Desktop Protocol (RDP) traffic from the Internet into Sub1.

How should you configure the NSG? To answer, drag the appropriate NSG configuration value to each NSG configuration property. A configuration value may be used once, more than once, or not at all.

Answer 24

Source: Service Tag
Source Data: Internet
Destination: Any
Destination Port: 3389

Question 25

our company has an application deployed on Azure Linux virtual machines (VMs). The application is distributed on three different layers using the following structure:

A VM named FRONT01 for the frontend layer
A VM named BACK01 for the backend layer
An Azure SQL Database instance for the data layer
All resources for this application are deployed in the resource group APP01-RG. All VMs have unmanaged VHDs attached.

You plan to deploy a new version of the application to provide high availability on the frontend and backend layers. You will deploy this new infrastructure in the resource group APP02-RG.

You need to create a VHD template for the frontend layer using the current application infrastructure. You can schedule a stop of the application as needed. The VMs only contain the user that was created during the initial deployment of the VM. You also need to ensure that you remove the last provisioned user on the VMs. You decide to use Azure CLI to accomplish this task.

Which four commands should you run in sequence? To answer, move the appropriate commands from the list of possible commands to the answer area and arrange them in the correct order.

Answer 25

You should run the following commands in order:
sudo waagent -deprovision+user
az vm deallocate –resource-group APP01-RG –name FRONT01
az vm generalize –resource-group APP01-RG –name FRONT01
az vm capture –resource-group APP01-RG –name FRONT01 –vhd-name-prefix TEMPLATE
First, you need to execute the sudo waagent -deprovision+user ssh command on the VM that you will use to create the template. This command will remove all SSH host keys, the nameserver configuration in /etc/resolv.conf, the root password from /etc/shadow, and the cached DHCP client leases. It also resets the hostname to localhost.localdomain. The +user part of the parameter deletes the last provisioned user account and its associated data. This command does not guarantee that any sensitive information on the VMs is cleared and ready for distribution.

Next, you need to deallocate the VM using the az vm deallocate –resource-group APP01-RG –name FRONT01 command. This command will shut down the VM and release any compute resource associated with it. You are not billed for deallocated VMs.

Next, you need to generalize the VM using the az vm generalize –resource-group APP01-RG –name FRONT01 command. By marking a VM as generalized, you are marking the VM to be used as the source for new VM images or copies of its disks to be used as VHD templates.

Finally, you need to copy the VM disks using the az vm capture –resource-group APP01-RG –name FRONT01 –vhd-name-prefix TEMPLATE command. Because you did not set the location for the storage container, the command will copy the VM disks in the vhd container.

Question 26

You have a virtual machine (VM) named VM1 in the West Europe region. VM1 has a network interface named NIC1. NIC1 is attached to a VNet named VNet1. VM1 has one managed disk (OS disk).

You need to move VM1 to VNet2. VNet2 is located in the West Europe region.

Which two actions should you perform? Each correct answer presents part of the solution.

Answer 26

You should delete VM1. This is necessary because the VNet of a VM cannot be changed. When deleting the VM, the associated disk will not be deleted.

You should then create a new VM using the existing disk from VM1. You should use the same settings, but the VM should be connected to VNet2.

Question 27

You create a new storage account named DevStore for Azure Blob storage and Azure File storage. You plan to use AzCopy to copy data from blob storage and file storage in other storage accounts to DevStore. You have access to the storage account access keys for the source storage accounts and for DevStore. You also have valid Azure Active Directory (Azure AD) user accounts and shared access signatures (SAS) with access to the source data.

You need to identify the authorization methods you can use to copy data to DevStore.

Which authorization methods can you use to copy each storage type? To answer, select the appropriate options from the drop-down menus.

Answer 27

Only Azure AD and SAS authorization are supported with blob storage to copy data to DevStore.

Only SAS is supported for file storage authorization. When copying from multiple source URLs, you need to append a SAS token to each source URL.

Access keys, which are generated by Azure when you create a storage account, are not used for copy authorization with AzCopy.

Question 28

You have a subscription named SubscriptionA that hosts the following resources:

A key vault named mySecureVault in a resource group named myKeyVaultResourceGroup.
A virtual machine (VM) named mySecureVM in a resource group named myVirtualMachineResourceGroup.
You need to write a PowerShell script that will encrypt the disk for mySecureVM using the keys stored in the mySecureVault.

How should you complete the script? To answer, select the appropriate options from the drop-down menus.

Answer 28

You should complete the script as follows:

$keyVaultRG= 'myKeyVaultResourceGroup';
$vmRG= 'myVirtualMachineResourceGroup';
$vmName = 'mySecureVM';
$keyVaultName = 'mySecureVault';

$keyVault = Get-AzKeyVault -VaultName $keyVaultName -ResourceGroupName $keyVaultRG;
$diskEncryptionKeyVaultUrl = $keyVault.VaultUri;
$keyVaultId = $keyVault.ResourceId;
Set-AzVMDiskEncryptionExtension -ResourceGroupName $vmRG -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $keyVaultId -VMName $vmName;

The Get-AzKeyVault cmdlet does not have a parameter called Name. You have to provide the key vault name using the -VaultName parameter.

The VaultUri property will provide the Uri to the vault. The Path and Uri properties are not supported by the key vault object.

You should use ResourceId to retrieve the ID for the key vault. You should not use Id. Id is not a supported property for the key vault object.

Question 29

You have a Microsoft Azure subscription named Sub1. Your company has 120 terabytes (TB) in its on-premises data center.

You need to use Azure Import/Export Service to transfer the data into a storage account in Sub1.

Which five actions should you perform in sequence? To answer, move the appropriate actions from the list of possible actions to the answer area and arrange them in the correct order.

Answer 29

You should perform the following actions in order:

1. Prepare the hard drives.
2. Create an import job.
3. Ship the drives to an Azure datacenter.
4. Update the job with the tracking information.
5. Verify the data upload to Azure.

Question 30

You are asked to configure an Azure storage account to be accessible from only one specific Virtual Network in an Azure Virtual Network (VNet). It must not be accessible from any other network or region in use across your company’s Azure subscription.

You need to implement this requirement.

What should you do?

Answer 30

You should implement a VNet service endpoint. Service endpoints are used to limit network access to a specific set of resources. To meet the requirement, you can implement a storage endpoint on an Azure Resource Manager deployed storage account to restrict access to a specific VNet and exclude access from all other resources including the Internet and on-premises connected resources.

Question 31

You configure the companycs.com zone in Azure DNS. You have an A record set named app that points to an App Service that hosts a web application.

You need to make this application available by using the webapp.companycs.com domain name. This new domain name needs to point to the public IP address of the App Service.

You need to ensure that the DNS record for this new domain name is updated or deleted automatically in case the app.companycs.com DNS record is modified or deleted.

Which type of record set should you create?

Answer 31

You should create an A alias record set. An A alias record set is a special type of record set that allows you to create an alternative name for a record set in your domain zone or for resources in your subscription. This is different from a CNAME record type because the alias record set will be updated or deleted in case the target record set is modified or deleted. You can only create an A alias record set that points to A, AAAA or CNAME record types in an Azure DNS zone.

Question 32

Your company has an Azure subscription that hosts all services that the company uses in production. The Finance department notices that the bills related to Azure are increasing. The company wants to keep the costs of this Azure subscription under control.

After reviewing the cost analysis reports, you realize that there are several virtual machines (VMs) consuming more resources than expected.

You need to inform management when the VMs consume unexpected amounts of resources.

What should you do?

Answer 32

You should configure a report schedule in the Cost Management portal. The Cost Management portal allows you to perform a detailed cost analysis of your resources. When running a cost report, you can set the filter for the virtual machines that are consuming more resources than expected. Then you can schedule that report to run periodically and send it to a list of recipients. You can also save it to a JSON or CSV report in a Storage Account. Then you can set three different alert levels for the report, one for the green level, one for the yellow level, and one for the red level. You need to set the cost thresholds for levels yellow and red.

Question 33

You plan to use Azure Storage Explorer to manage Azure cloud storage resources. You download and install Azure Storage Explorer on a computer running Windows 10.

You need to identify the resources to which you can connect using your Azure Active Directory (Azure AD) identity.

Which three resources support an Azure AD connection? Each correct answer presents part of the solution.

Answer 33

Azure Active Directory (Azure AD) connection with individual resources is supported for:
Blob containers
Gen2 containers
Gen2 directories
Queues
Storage accounts

(Azure AD connections are not supported for File shares or Tables.)

Question 34

For how long is Virtual Machine backups retained by default with Recovery Services?

Answer 34

30 days

Question 35

How long can it take for an archived blob to be rehydrated?

Answer 35

No more than 15 hours

Question 36

Your company has an Azure DNS zone named company.com. You create a new subdomain named development.company.com. The new domain should be delegated to a different DNS server in Azure than the company.com domain.

You need to configure delegation for the domain.

What should you do?

Answer 36

You should create a DNS NS record set named development in the company.com zone. The NS must be created at the apex of the zone name, the top-level zone name. The NS record identifies the Azure DNS name server assigned to the zone. The top-level NS record set is created automatically and cannot be deleted. You can create, modify, and delete NS record sets for delegated zones.

Question 37

You deploy an Azure web app named MyApp. MyApps runs in a Free pricing tier service plan named MyPlan. During testing, you discover that MyApp stops after 60 minutes and that it cannot be restarted until the next day.

You need to ensure that MyApp can run eight hours each day during the testing period. You want to keep the additional costs incurred to a minimum.

Solution: You change the pricing tier for MyPlan to Shared D1.

Does this solution meet the goal?

Answer 37

No, You should not change the pricing tier for MyPlan to Shared D1. This plan allows only 240 minutes of CPU time per day.

Question 38

You have two Azure virtual machines (VMs) named VM1 and VM2 running Windows Server 2019. The VMs are backed up by a Recovery Services vault. A daily backup is scheduled.

A configuration file on VM1 was updated, and you need to restore it to a version of 6 days ago. You need to perform this action as quickly as possible without affecting other system files.

Which four actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

Answer 38

You should perform the following actions in order:
Start the file recovery process and select the recovery point of 6 days ago.
Download and execute a PowerShell script to browse and recover files on VM1.
Copy the file from the mounted volume to the VM.
Unmount the volumes.

Question 39

You are asked to configure an Azure storage account to be accessible from only one specific Virtual Network in an Azure Virtual Network (VNet). It must not be accessible from any other network or region in use across your company’s Azure subscription.

You need to implement this requirement.

What should you do?

Answer 39

You should implement a VNet service endpoint. Service endpoints are used to limit network access to a specific set of resources. To meet the requirement, you can implement a storage endpoint on an Azure Resource Manager deployed storage account to restrict access to a specific VNet and exclude access from all other resources including the Internet and on-premises connected resources.

Question 40

You have an Azure virtual network (VNet) named vnet1 with a network address space of 10.2.0.0/22. Vnet1 contains a subnet named subnet1 with a network address range of 10.2.0.0/24. Subnet1 contains an Azure virtual machine (VM) named vm1 running Windows 10. The network interface of vm1 does not have a public IP address.

You need to implement the Azure Bastion service and connect to vm1 using the Remote Desktop Protocol (RDP) from the internet.

Which three actions should you perform in sequence?

Answer 40

ou should perform the following actions in order:
Create a subnet with name AzureBastionSubnet and an address range of 10.2.1.0/27.
Create a bastion.
Connect to vm1 using the Azure portal in a web browser.
You should first create a subnet named AzureBastionSubnet and an address range of 10.2.1.0/27. The Bastion service needs a dedicated subnet. The name of the subnet must be AzureBastionSubnet. The size of the subnet should be /27 or larger. An address range of 10.2.1.0/27 means a range of IP addresses 10.2.1.0 to 10.2.1.31.

You should then create a bastion. Azure Bastion is a platform service that provides secure RDP access to VMs.

Finally, you should connect to vm1 using the Azure portal in a web browser. Azure Bastion can only provide RDP access to VMs by using a web browser.

Question 41

You are creating a new Azure Storage account named mystorageaccount in the resource group named MyResourceGroup. The storage account should meet the following requirements:

Support hot, cool, and archive storage tiers
Support automated blob lifecycle
Provide fault tolerance in case of an Azure region-wide failure
Minimize costs

az storage account create -n mystorageaccount -g MyResourceGroup
–kind –sku

Answer 41

az storage account create -n mystorageaccount -g MyResourceGroup
–kind StorageV2 –sku Standard_GRS

You should use StorageV2.

BlockBlobStorage is only supported for Premium accounts and would not minimize costs.

Question 42

You want to install SQL Server 2019 on an Azure Windows virtual machine (VM).

You need to ensure that the VM has a Service Level Agreement (SLA) of 99.9 percent. Your solution must minimize costs.

Which value should you choose for each configuration option? To answer, drag the appropriate value to each configuration property. A value may be used once, more than once or not at all.

Answer 42

Size: Standard_DS4_v2
OS disk type: Premium SSD
Data storage type: Premium SSD

You should set the size to Standard_DS4_v2. For an Azure single instance VM, an SLA of 99.9 percent connectivity will only be guaranteed if all disks are premium SSD or Ultra Disk. Not all Azure VM sizes support premium storage. The Standard_DS4_v2 VM size supports premium storage.

You should set the OS disk type and the data storage type to Premium SSD. If all disks are premium SSD, an SLA of 99.9 percent connectivity will be guaranteed.

Question 43

Can you add more than one Azure File Share to the same Sync Group?

Answer 43

No

Question 44

Can a server sync with multiple sync groups?

Answer 44

Yes

Question 45

How long can changes made to a file share take to be synced?

Answer 45

Up to 24 hours

Question 46

Is pre-seeding the best approach for doing the first sync with Azure File Sync?

Answer 46

No.

Question 47

How many email alert can be sent per hour in Azure Monitor?

Answer 47

60

Question 48

How many voice alerts can be sent per hour in Azure Monitor?

Answer 48

12 (every five minutes)

Question 49

How many SMS alert can be sent per hour in Azure Monitor?

Answer 49

12 (every 5 minutes)

Question 50

What replication types for Azure File Shares are available?

Answer 50

Locally Redundant Storage (LRS)

Zone-redundant storage (ZRS)

Question 51

Is Geo / Region redundant storage available for Azure File Shares?

Answer 51

No

Question 52

You have been asked to move 10 TB of data from an Azure Storage Account Blob container to a server located in your on-premises data center. All data resides in one storage account on Microsoft Azure.

You have a site-to-site VPN connection from Microsoft Azure to your on-premises data center. Since the connectivity to your on-premises server is over the internet and does not provide a high bandwidth connection, you decide to leverage the Import/Export service provided by Microsoft to move the data.

Which five actions should you perform in sequence to perform the requested action? To answer, move the appropriate actions from the list of possible actions to the answer area and arrange them in order.

Answer 52

You should perform the following actions in the order:
On the Azure portal create an export job specifying the containers to export.
Check the number of drives required for export using the WaImportExport.exe tool.
Ship the empty drives to Microsoft noting the carrier shipment tracking number.
Update the tracking number on the export job.
Receive the drives and unlock them using the Import/Export Job provided BitLocker keys.

Question 53

When exporting data from Azure to On-prem with an Import / Export job, do you need to prepare the drives?

Answer 53

No. That is only needed when you export data from On-prem to Azure.

Question 54

Your company has an Azure Subscription with several resources deployed. The subscription is managed by a Cloud Service Provider.

The accounting department is currently granted the billing reader role, so they are able to see cost-related information. They need to get a better understanding of the costs so they can assign them to the correct cost center.

You need to provide cost center information. Your solution should minimize administrative effort.

What two actions should you perform? Each correct answer presents part of the solution.

Answer 54

Apply CostCenter tag to both Resource and Resource Group.

You should create a tag named CostCenter and assign it to each resource group. Creating a tag and assigning it to each resource group allows you to easily identify the cost center associated with each resource group. When you associate a tag with a resource or resource group, you need to provide a value to that tag. You can instruct the accounting department to use the Azure Cost Management tool to review the costs associated with each cost center by filtering by the newly created tag.

You should also create a tag named CostCenter and assign it to each resource. If you apply a tag to a resource group, that tag is not inherited by the resources in the resource group. You need to manually configure the tag for each resource that you want to include in the cost center. You can automate this action by using a PowerShell or Azure CLI script.

Question 55

You have storage accounts in your Azure subscription for different purposes. The storage accounts have blob containers and file shares configured.

Some users access these storage accounts by using the Microsoft Azure Storage Explorer desktop application. They are reporting that they get the error message shown in the exhibit when they try to browse the contents of the storage account.

You need to resolve the issue.

What are two possible reasons why users are getting this error message? Each correct answer presents a complete solution.

Answer 55

There’s a ReadOnly lock
Users have Read Role assign in the storage account

Your users are getting the error shown in the exhibit because there is a ReadOnly resource lock configured or your users have the Read role assigned in the storage accounts. When a user or process needs to list the contents of a storage account, Azure needs to read the access keys of the storage account before listing the contents of the containers. Because the access keys of a storage account provide write access to the data and there is no read-only access key available in the storage account, you need read-write permissions to list the contents of a storage account. Neither the ReadOnly or Read role grants the Microsoft.Storage/storageAccounts/listKeys/action permission that allows Azure to list the access keys.

Question 56

You are asked by your application team to provide a website hosting environment that meets the following scalability and security requirements.

You have to provide a website hosting environment that meets the following scalability and security requirements:

At peak loads, the web application should be able to scale up to 10 host instances.
The web application storage requirements are minimal and will not exceed 5 GB.
The web application will perform complex calculations and will require enhanced compute capabilities.
The virtual machines where the web applications are hosted should be dedicated to your company only.
You need to propose an Azure App Service to host the application. The solution must ensure minimal costs.

Which Azure App Service Plan should you use?

Answer 56

PremiumV2 has required features and is less expensive than Isolated.

Question 57

You need to create an Azure Availability Set named AS1. You are planning to deploy eight virtual machines (VMs) to AS1 to run an IIS web application.

You need to configure AS1. You have the following requirements:

During planned maintenance of the VM hosts, at least six VMs must be available at all time. The VMs must be restarted in groups of two.
The VMs must be physically separated from each other as much as possible.
How should you configure the Availability Set?

How many Fault domains are needed?
How many Update domains are needed?

Answer 57

3 fault domains (max for the region)
4 update domains

You should set fault domains to 3. This is the maximum number of fault domains in the Central US region. VMs in the same fault domain share hardware like power sources and physical network switches. VMs in a different fault domain are physically separated. By setting the fault domains to the maximum value, the VMs are physically separated as much as possible.

You should set update domains to 4. The VMs will be divided among these four update domains, so each update domain will contain two VMs. Azure performs planned maintenance of the hypervisors for one update domain at a time. In this case, two VMs will be restarted at the same time.

Question 58

Your company has a Windows Server 2012 R2 Standard Edition file server that stores important information. The information is stored in a separate volume from the system volume. To improve security, the volume that stores corporate information is encrypted using BitLocker.

Your company wants to centralize the storage of information and improve flexibility accessing the information. You decide to use Azure File Sync to achieve this goal.

You configure an Azure File share and the appropriate firewall rules at the file server to allow access from your company offices.

After configuring the Sync group, you receive an error about the cloud endpoint creation.

What is the most likely cause of the error?

Answer 58

You are getting the error while creating the cloud endpoint because you are using firewall rules in the storage account. To make it work you need to ensure that you list the IP addresses of the relevant servers in the Storage Account firewall and virtual networks configuration and enable the Allow trusted Microsoft services to access this storage account feature.

Question 59

What will happen to the Actions of this rule?

"Actions": [
     "Microsoft.Network/*/read",
     "Microsoft.Support/*",
     "Microsoft.Authorization/*/read"
]
"NotActions": [
     "*"
]

Answer 59

They will be denied due to the * in NotActions.

Question 60

Your company is planning to use Azure Container Instances to deploy simple cloud applications. You are tasked with determining if multi-container groups hosting multiple container instances meet your solution requirements.

You need to identify features and requirements for multi-container groups with each group hosting an application container, a logging container, and a monitoring container.

Multi-container groups support Linux containers only?
You can deploy a multi-container group from ARM Templates or a YAML file?
Container groups can scale up as necessary to create additional container instances as necessary?

Answer 60

Yes
Yes
No

Question 61

Are WebJobs allowed in the Basic App Service Plan?

Answer 61

Yes

Question 62

Do you have to link webjobs to a web project to run the webjob in the context of a web app?

Answer 62

Yes