Practice Tests Flashcards

1
Q

Why does Azure Bastion require a public IP address?

A

Traffic is first routed to the public IP of Bastion. Bastion then routes RDP or SSH connections to the private IP address associated with the virtual machine.

2
Q

Bastion subnet requirement

A

Azure Bastion requires a dedicated subnet: AzureBastionSubnet. You must create this subnet in the same virtual network that you want to deploy Azure Bastion to.

3
Q

What are the three scopes you can assign an Azure policy to?

A

management group
subscription
resource group.

4
Q

What are the three entities that an administrative unit can contain?

A

users
groups
devices

5
Q

True or false: service endpoints are enabled per service, per subnet.

A

True

6
Q

Network security groups limit access to all resources within a subnet.

A

True. But first the NSG has to be associated with the subnet.

7
Q

Smallest in size to largest: Account, Subscription, Department

A

Department, Account, Subscription
Departments help to segment costs into logical groupings and set a budget or quota at the department level. The quota isn’t firmly enforced; it’s used for reporting purposes.
Accounts are organizational units in the Azure EA portal. They can be used to manage subscriptions and access reports.
Subscriptions are the smallest units in the Azure EA portal. They’re containers for Azure services that are managed by a Service Administrator. This is where your organization deploys Azure services.

8
Q

True or false: Azure resources are deployed into Azure management groups.

A

False. Azure subscriptions.

9
Q

Azure backup and soft delete

A

With soft delete, even if a malicious actor deletes a backup (or backup data is accidentally deleted), the backup data is retained for 14 additional days, allowing the recovery of that backup item with no data loss. The additional 14 days of retention for backup data in the “soft delete” state don’t incur any cost to you.

10
Q

Limitations on deleting a recovery services vault

A

You can’t delete a vault that contains protected data sources (for example, IaaS VMs, SQL databases, Azure file shares).
You can’t delete a vault that contains backup data. Once backup data is deleted, it will go into the soft deleted state.
You can’t delete a vault that contains backup data in the soft deleted state.
You can’t delete a vault that has registered storage accounts.

11
Q

AAD joined device. Who can administer?

A

When you connect a Windows device with Azure AD using an Azure AD join, Azure AD adds the following security principals to the local administrators group on the device:
The Azure AD global administrator role
The Azure AD joined device local administrator role
The user performing the Azure AD join
By adding Azure AD roles to the local administrators group, you can update the users that can manage a device anytime in Azure AD without modifying anything on the device.

12
Q

What is the effect of moving a web app?

A

Moving the web app does not have an impact on the App Service plan. The App Service plan will remain in its source location or resource group. Since the web app is moved to a different resource group, the policies in the target resource group will be applied.

13
Q

What does Azure Traffic Manager do?

A

Distributes traffic across Azure regions

14
Q

Does changing a VM size require restart?

A

Yes. If the virtual machine is currently running, changing its size will cause it to be restarted.

15
Q

For load balancing, what is the difference between global vs. regional?

A

Global load-balancing services route end-user traffic to the closest available backend, so to the closest region.

Regional load-balancing services distribute traffic within virtual networks across virtual machines (VMs) or zonal and zone-redundant service endpoints within a region.

16
Q

Name the Azure load balancing options in terms of global and regional

A

Global: Azure Traffic Manager, Azure Front Door
Regional: Azure Load Balancer, Application Gateway

17
Q

What is the difference between Azure roles and Azure AD roles?

A

Separate.
Azure role assignments do not grant access to Azure AD. They grant access to Azure resources. However, the Global Admin role in AAD allows you to get the User Access Admin role in Azure at root scope.

18
Q

Azure Bastion setup

A

The Azure Bastion service is a fully platform-managed PaaS service that you provision inside your virtual network.

19
Q

How would you make Azure services available to private IP addresses in your VNet?

A

Virtual Network (VNet) service endpoint provides secure and direct connectivity to Azure services over an optimized route over the Azure backbone network. Endpoints allow you to secure your critical Azure service resources to only your virtual networks.

20
Q

Can a vm in one location connect to a virtual network in another location?

A

No. Everything has to be in the same location and subscription.
VM -> NIC -> VNet

21
Q

Can a vm move to a different subnet within a vnet?

A

Yes. Add a NIC. Multiple NICs allow a VM to connect to different subnets.

22
Q

If you host an app on two VMs, each in a different availability zone, and one zone has local failures, will you still be able to access the app?

A

Yes, because each vm is in a different zone.

Availability zones are designed so that if one zone is affected, regional services, capacity, and high availability are supported by the remaining two zones. Each Azure region usually consists of three availability zones.

23
Q

How would you identify underutilized resources?

A

Azure Advisor

24
Q

Name the authorization methods available for azcopy.

A

Blob storage: AAD or SAS token

File storage: a SAS token is the only authorization method that is supported

25
Q

What is the recommended way to enable Azure MFA?

A

The recommended way to enable and use Azure AD Multi-Factor Authentication is with Conditional Access policies. Conditional Access lets you create and define policies that react to sign-in events and that request additional actions before a user is granted access to an application or service.

26
Q

You need to create a conditional access policy that requires all users to use multi-factor authentication when they access the Azure portal.
Which three settings should you configure?

A

Users and groups
Cloud apps
Grant

27
Q

What do the External Collaboration settings do?

A

Determine scope of guest user access
Specify who can invite guests
Enable guest self-service sign-up via user flows
Allow or block domains

28
Q

Can you roll back a slot swap in Azure App Service?

A

If any errors occur in the target slot (for example, the production slot) after a slot swap, restore the slots to their pre-swap states by swapping the same two slots immediately.

29
Q

How can you log network traffic that flows through an NSG with Network Watcher’s NSG flow log capability?

A

Enable Network Watcher and register the Microsoft.Insights provider
Enable a traffic flow log for an NSG, using Network Watcher’s NSG flow log capability. This requires an Azure storage account.

30
Q

True or false: an App Service Plan can have more than one web app?

A

True. However, the App Service plan should be either Windows or Linux based.

31
Q

What are the three types of cost alerts?

A

budget alerts, credit alerts, and department spending quota alerts.

32
Q

What is the turnaround time for cost and usage data and how often are budgets evaluated against these costs?

A

Cost and usage data is typically available within 8-24 hours and budgets are evaluated against these costs every 24 hours.

33
Q

Update domains indicate groups of virtual machines and underlying physical hardware that can be…

A

Rebooted at the same time.

34
Q

Fault domains define the group of virtual machines that share a common…

A

Power source and network switch.

35
Q

Can a vnet span regions?

A

No. A VNet is limited to a single region. A virtual network does, however, span availability zones. You can connect virtual networks in different regions with virtual network peering.

36
Q

Name the steps to set up Azure File Sync

A

The steps are as follows.
Install the Azure File Sync agent
Register Windows Server with Storage Sync Service
Create a sync group and a cloud endpoint

37
Q

A network security group (NSG) enables you to filter inbound traffic to, and outbound traffic from, a virtual machine (VM). How can you log network traffic that flows through an NSG?

A

Use Network Watcher’s NSG flow log capability

38
Q

What provider must you register to use Network Watcher’s NSG flow logs?

A

Microsoft.Insights provider

39
Q

What does Azure Network Watcher allow you to do?

A

Gain insight into your Azure Virtual Network with tools like packet capture and NSG flow logs, to diagnose problems with traffic filtering and routing, and to monitor connections.

40
Q

What does IP flow verify in Azure Network Watcher allow you to do?

A

IP flow verify checks if a packet is allowed or denied to or from a virtual machine. IP flow verify helps administrators quickly diagnose connectivity issues from or to the internet and from or to the on-premises environment.

41
Q

What are placement groups?

A

A regional (non-zonal) scale set uses placement groups, which act as an implicit availability set with five fault domains and five update domains. If you have 10 VMs spread across five update domains, 8 VMs will be available for any given Azure planned maintenance.

42
Q

True or false: scale sets can be deployed regionally or they can be zonal.

A

True

43
Q

What is the difference between an availability set and a scale set?

A

An availability set is for redundancy and for promoting business continuity in the face of an outage.
A scale set is a group of load-balanced VMs that can scale in response to increased demand or a schedule.

44
Q

When changing the size (SKU) of a VM scale set, what is necessary?

A

Some properties of VM scale sets can only be changed to certain values if the VMs in the scale set are deallocated. These properties include:
· SKU Name: If the new VM SKU is not supported on the hardware the scale set is currently on, you need to deallocate the VMs in the scale set before you modify the SKU name.

45
Q

In terms of a user profile in AAD, what does usage location attribute hold?

A

Not all Microsoft services are available in all locations. Before a license can be assigned to a user, you must specify the Usage location. You can set this value in the Azure Active Directory > Users > Profile > Settings area in Azure AD. Any user whose usage location is not specified inherits the location of the Azure AD organization.

46
Q

What are the steps to create a site-to-site VPN connection?

A

Create a virtual network
Create a VPN gateway
Create a local network gateway (in Azure)
Create a VPN connection
Verify the connection
Connect to a virtual machine

47
Q

Azure Import/Export service

A

Data from external data disk drives can be:
Imported from disk to Azure Blob Storage or Azure File Storage
Exported from Azure Blob Storage to disk drive

48
Q

General purpose v1 and v2 storage accounts support what services?

A

They both support blob, file, queue, table, and disk.

v2 supports Data Lake Gen2 in addition.

49
Q

How many cloud endpoints can an Azure File Sync group have?

A

One

50
Q

Describe vCPU quotas for vms.

A

The vCPU quotas for virtual machines and virtual machine scale sets are arranged in two tiers for each subscription, in each region.

The first tier is the Total Regional vCPUs, and the second tier is the various VM size family cores such as the D-series vCPUs. Any time a new VM is deployed, the vCPUs for the VM must not exceed the vCPU quota for the VM size family or the total regional vCPU quota.

51
Q

What is a local network gateway in terms of Azure site-to-site VPN?

A

The local network gateway (LNG) typically refers to your on-premises location. It is not the same as a virtual network gateway. You give the site a name by which Azure can refer to it, then specify the IP address of the on-premises VPN device to which you will create a connection.

52
Q

What are the two types of locks?

A

Delete lock

Read-only lock