Practice Tests Flashcards

1
Q

Your company has a single on-premises datacenter in Washington DC. The East US Azure region has a peering location in Washington DC.
The company only has Azure resources in the East US region.
You need to implement ExpressRoute to support up to 1 Gbps. You must use only ExpressRoute Unlimited data plans. The solution must minimize costs.
Which type of ExpressRoute circuits should you create?

ExpressRoute Local
ExpressRoute Direct
ExpressRoute Premium
ExpressRoute Standard
A

Answer(s): A

Reference:

https://azure.microsoft.com/en-us/pricing/details/expressroute/

2
Q

You are planning an Azure Point-to-Site (P2S) VPN that will use OpenVPN.
Users will authenticate by an on-premises Active Directory domain.
Which additional service should you deploy to support the VPN authentication?

an Azure key vault
a RADIUS server
a certification authority
Azure Active Directory (Azure AD) Application Proxy
A

Answer(s): B

Reference:

https://docs.microsoft.com/en-us/azure/vpn-gateway/point-to-site-about

3
Q

You plan to configure BGP for a Site-to-Site VPN connection between a datacenter and Azure.
Which two Azure resources should you configure? Each correct answer presents a part of the solution. (Choose two.)

NOTE: Each correct selection is worth one point.

a virtual network gateway
Azure Application Gateway
Azure Firewall
a local network gateway
Azure Front Door
A

Answer(s): A,D

Reference:

https://docs.microsoft.com/en-us/azure/vpn-gateway/bgp-howto

4
Q

You fail to establish a Site-to-Site VPN connection between your company’s main office and an Azure virtual network.

You need to troubleshoot what prevents you from establishing the IPsec tunnel.
Which diagnostic log should you review?

IKEDiagnosticLog
RouteDiagnosticLog
GatewayDiagnosticLog
TunnelDiagnosticLog
A

Answer(s): A

Reference:

https://docs.microsoft.com/en-us/azure/vpn-gateway/troubleshoot-vpn-with-azure-diagnostics

5
Q

You have an Azure virtual network and an on-premises datacenter.
You are planning a Site-to-Site VPN connection between the datacenter and the virtual network.

Which two resources should you include in your plan? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

a user-defined route
a virtual network gateway
Azure Firewall
Azure Web Application Firewall (WAF)
an on-premises data gateway
an Azure application gateway
a local network gateway
A

Answer(s): B,G

Reference:

https://docs.microsoft.com/en-us/azure/vpn-gateway/tutorial-site-to-site-portal

6
Q

Your company has an on-premises network and three Azure subscriptions named Subscription1, Subscription2, and Subscription3.

The departments at the company use the Azure subscriptions as shown in the following table.

Department, Subscription
IT, Subscription1
Research, Subscription1
Development, Subscription2
Testing, Subscription2
Distribution, Subscription3

All the resources in the subscriptions are in either the West US Azure region or the West US 2 Azure region.

You plan to connect all the subscriptions to the on-premises network by using ExpressRoute.
What is the minimum number of ExpressRoute circuits required?

1
2
3
4
5
A

Answer(s): A

Reference:

https://docs.microsoft.com/en-us/azure/expressroute/expressroute-introduction

7
Q

Your company has offices in New York and Amsterdam. The company has an Azure subscription. Both offices connect to Azure by using a Site-to-Site VPN connection.

The office in Amsterdam uses resources in the North Europe Azure region. The office in New York uses resources in the East US Azure region.

You need to implement ExpressRoute circuits to connect each office to the nearest peering location. Once the ExpressRoute circuits are connected, the on-premises computers in the Amsterdam office must be able to connect to the on-premises servers in the New York office by using the ExpressRoute circuits.

Which ExpressRoute option should you use?

ExpressRoute FastPath
ExpressRoute Global Reach
ExpressRoute Direct
ExpressRoute Local
A

Answer(s): B

Reference:

https://docs.microsoft.com/en-us/azure/expressroute/expressroute-global-reach

8
Q

HOTSPOT (Drag and Drop is not supported)
You have an Azure subscription that contains a single virtual network and a virtual network gateway.

You need to ensure that administrators can use Point-to-Site (P2S) VPN connections to access resources in the virtual network. The connections must be authenticated by Azure Active Directory (Azure AD).

What should you configure? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Azure AD Configuration:
a) An access package
b) Conditional access policy
c) An enterprise application
d) A VPN certificate

P2S VPN tunnel type:
a) IKEv2
b) IKEv2 and SSTP (SSL)
c) OpenVPN (SSL)
d) SSTP (SSL)

A

Box 1: An enterprise application
Enable Azure AD authentication on the VPN gateway:
1. Locate the Directory ID of the directory that you want to use for authentication. It’s listed in the properties section of the Active Directory page.
2. Under your Azure AD, in Enterprise applications, you see Azure VPN listed.
Copy the Directory ID.
3. Sign in to the Azure portal as a user that is assigned the Global administrator role.
4. Next, give admin consent. Copy and paste the URL that pertains to your deployment location in the address bar of your browser.
5. Select the Global Admin account if prompted.
6. Select Accept when prompted.
7. Under your Azure AD, in Enterprise applications, you see Azure VPN listed.

Box 2: OpenVPN (SSL)
When you connect to your VNet using Point-to-Site, you have a choice of which protocol to use. The protocol you use determines the authentication options that are available to you. If you want to use Azure Active Directory authentication, you can do so when using the OpenVPN protocol.

Reference:

https://docs.microsoft.com/en-us/azure/vpn-gateway/openvpn-azure-ad-tenant

9
Q

You have a peering connection between Vnet1 and Vnet2 as shown in the Peering-Vnet1-Vnet2 exhibit.

You have a peering connection between Vnet1 and Vnet3 as shown in the Peering-Vnet1-Vnet3 exhibit.

vnet1
This virtual network

  • Traffic to remote virtual network: Allow (default)
  • Traffic forwarded from remote virtual network: Allow (default)
  • Virtual network gateway or Route Server: None (default)

Remote virtual network
vnet2

  • Traffic to remote virtual network: Allow (default)

###########

vnet3
This virtual network

  • Traffic to remote virtual network: Allow (default)
  • Traffic forwarded from remote virtual network: Allow (default)
  • Virtual network gateway or Route Server: None (default)

Remote virtual network
vnet1

  • Traffic to remote virtual network: Allow (default)
  • Traffic forwarded from remote virtual network: Allow (default)
  • Virtual network gateway or Route Server: None (default)

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.

a) The resources in vnet2 can communicate with the resources in vnet1 - Yes or No?
b) The resources in vnet2 can communicate with the resources in vnet3 - Yes or No?
c) The resources in vnet2 can communicate with the resources in the on-premises network - Yes or No?

A

Box 1: Yes
Virtual network peering seamlessly connects two Azure virtual networks, merging the two virtual networks into one for connectivity purposes.

Box 2: No
No Virtual Gateway is used.
Gateway transit is a peering property that lets one virtual network use the VPN gateway in the peered virtual network for cross-premises or VNet-to-VNet connectivity. The following diagram shows how gateway transit works with virtual network peering.

In the diagram, gateway transit allows the peered virtual networks to use the Azure VPN gateway in Hub-RM. Connectivity available on the VPN gateway, including S2S, P2S, and VNet-to-VNet connections, applies to all three virtual networks.

Box 3: No
No Virtual Gateway is used.

10
Q

You are planning the IP addressing for the subnets in Azure virtual networks.
Which type of resource requires IP addresses in the subnets?

internal load balancers
storage account
Azure Virtual Networks NAT
service endpoint policies
A

Answer(s): A

Reference:

https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-overview

11
Q

You have a hub-and-spoke topology. The topology includes multiple on-premises locations that connect to a hub virtual network in Azure via ExpressRoute circuits.

You have an Azure Application Gateway named GW1 that provides a single point of ingress from the internet.

You plan to migrate the hub-and-spoke topology to Azure Virtual WAN.
You need to identify which changes must be applied to the existing topology. The solution must ensure that you maintain a single point of ingress from the internet.

Which three changes should you include in the solution? Each correct answer presents part of the solution.

NOTE: Each correct selection is worth one point.

Add user-defined routes.
Add virtual network peerings.
Replace the user-defined routes used by the current topology.
Create virtual network connections.
Remove the existing virtual network peerings.
Redeploy GW1.
A

Answer(s): C,D,E
Explanation:

Transition connectivity to virtual WAN hub:
Step 1. (E) Delete the existing peering connections from Spoke virtual networks to the old customer-managed hub. Access to applications in spoke virtual networks is unavailable until steps 1-3 are complete.
Step 2. (D) Connect the spoke virtual networks to the Virtual WAN hub via VNet connections.
Step 3. (C) Remove any user-defined routes (UDR) previously used within spoke virtual networks for spoke-to-spoke communications. This path is now enabled by dynamic routing available within the Virtual WAN hub.

Reference:

https://docs.microsoft.com/en-us/azure/virtual-wan/migrate-from-hub-spoke-topology

12
Q

You have an application named App1 that listens for incoming requests on a preconfigured group of 50 TCP ports and UDP ports.

You install App1 on 10 Azure virtual machines.
You need to implement load balancing for App1 across all the virtual machines. The solution must minimize the number of load balancing rules.

What should you include in the solution?

Azure Application Gateway v2 that has multiple listeners
Azure Standard Load Balancer that has Floating IP enabled
Azure Standard Load Balancer that has high availability (HA) ports enabled
Azure Application Gateway v2 that has multiple site hosting enabled
A

Answer(s): A
Explanation:

Azure Application Gateway is limited to 100 active listeners that are routing traffic. Active listeners = total number of listeners - listeners not active.
If a default configuration inside a routing rule is set to route traffic (for example, it has a listener, a backend pool, and HTTP settings) then that also counts as a listener.

Note: Azure Application Gateway is a web traffic load balancer that enables you to manage traffic to your web applications.
Application Gateway can make routing decisions based on additional attributes of an HTTP request, for example URI path or host headers. This type of routing is known as application layer (OSI layer 7) load balancing.

Incorrect:
Not B: Floating IP. Some application scenarios prefer or require the same port to be used by multiple application instances on a single VM in the backend pool. Common examples of port reuse include:
clustering for high availability
network virtual appliances
exposing multiple TLS endpoints without re-encryption.

Not D: Multiple site hosting enables you to configure more than one web application on the same port of application gateways using public-facing listeners. It allows you to configure a more efficient topology for your deployments by adding up to 100+ websites to one application gateway. Each website can be directed to its own backend pool.

Reference:

https://github.com/MicrosoftDocs/azure-docs/blob/main/includes/application-gateway-limits.md
