Test Prep Flashcards
1
Q
Where can you obtain details about the personal data Microsoft processes, how Microsoft processes it, and for what purposes? A) Microsoft Privacy Statement B) Compliance Manager C) Azure Service Health D) Trust Center
A
A) Microsoft Privacy Statement
2
Q
What type of Virtual Network Gateways are available in Azure? A) Point-to-Site and ExpressRoute B) VPN and Express Route C) Site-to-Site and ExpressRoute D) Policy Based and Site-to-Site
A
B) VPN and ExpressRoute
3
Q
Which of the following is NOT a valid Azure Site Recovery migration option? A) Migrate on-premises VirtualBox Virtual machine to Azure B) Migrate physical on-premises server to Azure C) Migrate on-premises Hyper-V virtual machine to Azure D) Migrate Azure virtual machines to a different region
A
A) Migrate on-premises VirtualBox virtual machines to Azure
4
Q
Which PowerShell cmdlet and parameter create a virtual machine and assigns it to an existing Availability Set? A) New-AzureRmVM -Faultdomain B) New-AzureRmVM -Updatedomain C) New-AzureRmVM -ASName D) New-AzureRmVM -AvailabilitySetName
A
D) New-AzureRmVM -AvailabilitySetName
5
Q
A company has an Azure subscription. The Subscription contains a resource group names “demogroup”. Resources have been deployed to the resource group using templates. You need to see the data and time when the resources were created in the resource group. You decide to use the Subscriptions blade and then choose Programmatic deployment. Would this fulfil the requirement? A) Yes B) No
A
B) No
6
Q
A company has an Azure subscription. The Subscription contains a resource group named “demogroup” Resources have been deployed to the resource group using templates You need to see the data and time when the resources were created in the resource group You decide to choose the Deployments section from the Resource group “demogroup” Would this fulfill the requirement? A) Yes B) No
A
A) Yes
7
Q
A company has an Azure subscription. The Subscription contains a resource group named “demogroup” Resources have been deployed to the resource group using templates You need to see the data and time when the resources were created in the resource group You decide to use the Subscriptions bland and then choose Resource providers. Would this fulfill the requirement? A) Yes B) No
A
B) No
8
Q
You have the following resources as part of your Azure Subscription Name Type testcontainer Blob Container testdb SQL Database testtable Azure Table testshare Azure File Share Which of the following can be exported by using the Azure Import/Export service? A) testshare B) testdb C) testcontainer D) testable
A
C) testcontainer
9
Q
You are planning on hosting an application that will run on two Azure virtual machines named demovm1 and demovm2. You are planning on implementing and Availability set for the application. You have to ensure that the application is available during planned maintenance of the hardware that is hosting the two Azure virtual machines. A) One update domain B) One fault domain C) Two Update domains D) Two Fault domains
A
C) Two update domains
10
Q
You have an Azure Subscription that contains the following resource groups:
testgrp1 - WestUS
testgrp2 - EastUS
testgrp1 has the following resources
teststore1 - Storage Account - WestUS
vnet1 - Virtual Network - WestUS
nic1 - Network Interface - WestUS
disk1 - Disk - WestUS
testvm1 - Virtual Machine - WestUS
The testvm1 Virtual Machine connects to nic1 and disk1. nic1 connects to vnet1. The testgrp2 resource group contains a public IP address named testip2 in the East US Location. The IP address is not assigned to a virtual machine. Can you move nic1 to testgrp2?
a) Yes
b) No
A
a) Yes
11
Q
A company call T3P has an Azure subscription and an Azure tenant. The administrator has enabled multifactor authentication for all users. The administrator needs to ensure that users can lock out their own account if they receive an unsolicited MFA request from Azure. Which of the following needs to be configured for this requirement?
a) Configure Notifications
b) Configure Providers
c) Configure Fraud alerts
d) Configure Block/Unblock users
A
c) Configure Fraud Alerts
12
Q
You have to deploy a web application for your company by using the Azure Web App Service. The backup and restore options should be available for the web application. Costs should also be minimized for hosting the application. Which of the following would you choose as the underlying App Service Plan?
a) Shared
b) Standard
c) Basic
d) Premium
A
b) Standard
Shared does not provide backup and restore options
13
Q
A company T3P has setup a Load Balancer that load balances traffic on port 80 and 443 across 3 virtual machines. You have to ensure that all clients are serviced by the same web server for each request.
Which of the following would you configure for this requirement?
a) Floating IP
b) TCP Rest
c) Session Persistence
d) Health Probe
A
c) Session Persistence
14
Q
You plan to deploy five virtual machines to a virtual network subnet. Each virtual machine will have a public IP address and a private IP address. Each virtual machine requires the same inbound and outbound security rules.
What is the minimum number of network security groups that you require?
a) 2
b) 5
c) 1
d) 10
A
c) 1
15
Q
Which of the following rule would you apply to the Network Security Group for the Network interface attached to the Web server? Choose best possible answer?
a) An outbound rule allowing traffic on port 80
b) An outbound rule allowing traffic on port 443
c) An inbound rule allowing traffic on port 443
d) An inbound rule allowing traffic on port 80
A
c) An inbound rule allowing traffic on port 443
16
Q
You need to configure a VPN connection for T3P-net2. Which of the following would you need to configure in the virtual network?
a) A peering connection
b) An additional address space
c) A gateway subnet
d) An express route connection
A
c) A gateway subnet
17
Q
Your users want to sign in to devices, apps, and services from anywhere. They want to sign-in using organizational work or school account instead of a personal account. You must ensure corporate assets are protected and that devices meet standards for security and compliance. Specifically, you need to be able to enable or disable a device. What should you do? Select one.
a) Enable the device in Azure AD
b) Join the device to Azure AD
c) Connect the device to AzureAD
d) Register the device with AzureAD
A
b) Join the device to AzureAD
Join the device to Azure AD. Joining a device is an extension to registering a device. This means it provides you with all the benefits of registering a device, like being able to enable or disable the device. In addition, it also changes the local state of a device. Changing the local state enables your users to sign-in to a device using an organizational work or school account instead of a personal account.
18
Q
Identify three differences from the following list between Azure Active Directory (AD) and Active Directory Domain Services (AD DS). Select three
a) Azure AD uses HTTP and HTTPS communications
b) Azure AD uses Kerberos authentication
c) There are no Organizational Units (OUs) or Group Policy Objects (GPOs) in Azure AD
d) Azure AD includes Federation Services
e) Azure AD can be queried through LDAP
A
a) Azure AD uses HTTP and HTTPS
c) There are no Organizational Units (OUs) or Group Policy Objects (GPOs) in Azure AD
d) Azure AD includes Federation Services
19
Q
You are configuring Self-Service Password Reset. Which of the following is not a validation method? Select one
a) An email notification
b) A test or code sent to a user’s mobile or office phone
c) A paging services
d) A set of security questions
A
c) A paging service
20
Q
Your company financial comptroller wants to be notified whenever the company is half-way to spending the money allocated for cloud services. What should you do?
a) Create an Azure reservation
b) Create a budget and a spending threshold
c) Create a management group
d) Enter workloads in the Total Cost of Ownership calculator
A
b) Create a budget and a spending threshold
Create a budget and a spending threshold. Billing Alerts help you monitor and manage billing activity for your Azure accounts. You can set up a total of five billing alerts per subscription, with a different threshold and up to two email recipients for each alert. Monthly budgets are evaluated against spending every four hours. Budgets reset automatically at the end of a period.
21
Q
What tool can you use to gain greater visibility into your spending patterns? Select one
a) Cost Insights
b) Cost Analysis
c) Your invoice
A
b) Cost Analysis
Cost analysis. Cost analysis is one of Azure Cost Management’s primary tools to help you better understand costs.
22
Q
Your company is concerned about cost and provisioning too many virtual machines at once. What’s the best way to control resource provisioning? Select one.
a) Change your subscription to Pay As You Go
b) Apply spending limits to the development team’s Azure subscription
c) Verbally give the managers a budget and hold them accountable for overages
A
b) Apply spending limits to the development team’s Azure subscription
Apply spending limits to the development team’s Azure subscription. If you exceed your spending limit, active resources are deallocated. You can then decide whether to increase your limit or provision fewer resources.
23
Q
The leadership team wants information on resource costs by departments. What’s the best way to categorize costs by department? Select one.
a) Apply a tag to each resource that identifies the appropriate billing department
b) Split the cost evenly between departments
c) Keep a spreadsheet that lists each team’s resources
A
a) Apply a tag to each resource that identifies the appropriate billing department
Apply a tag to each resource that identifies the appropriate billing department. You can apply tags to groups of Azure resources to organize billing data.
24
Q
An Azure subscription … Select one
a) is a logical container used to provision resources in Azure
b) is associated with a single department or organization
c) represents a single domain
A
a) is a logical container used to provision resources in Azure
An Azure subscription is a logical container used to provision resources in Azure. A subscription might have one or more tenants, directories, and domains associated with it.
25
You are assigning Azure AD roles. Which role will allow the user to manage all the groups in your Teams tenants and be able to assign other administrator roles? Select one
a) Global Administrator
b) Password administrator
c) Security Administrator
d) User administrator
a) Global Administrator
Global administrator. Only the global administrator can manage groups across tenants and assign other administrator roles.
26
You would like to add a user who has a Microsoft account to your subscription. Which type of user account is this? Select one.
a) Cloud identity
b) Directory-Synchronized
c) Provider identity
d) Guest User
e) Hosted identity
d) Guest User
Guest user. Guest users are users added to Azure AD from a third party like Microsoft or Google.
27
If you delete a user account by mistake, can it be restored? Select one
a) When a user account is deleted, it's gone forever and can't be restored
b) The user account can be restored, but only when it's created within the last 30 days
c) The user account can be restored, but only when it's deleted within the last 30 days
c) The user account can be restored, but only when it's deleted within the last 30 days
The user account can be restored, but only when it's deleted within the last 30 days. A user account can be restored when it's deleted within the last 30 days.
28
Which of the following roles has full access to manage all resources but does not allow you to assign roles? Select one
a) Owner
b) Contributor
c) Reader
b) Contributor
Contributor. Grants full access to manage all resources, but does not allow you to assign roles.
29
Your organization has several Azure policies that they would like to create and enforce for a new branch office. What should you do? Select one.
a) Create a policy initiative
b) Create a management group
c) Create a resource group
d) Create a new subscription
a) Create a policy initiative
Create a policy initiative. A policy initiative would include all the policies of interest. Once your initiative is created, you can assign the definition to establish its scope. A scope determines what resources or grouping of resources the policy assignment gets enforced on.
30
You would like to categorize resources and billing for different departments like IT and HR. The billing needs to be consolidated across multiple resource groups and you need to ensure everyone complied with the solution. What should you do? Choose two to complete a solution.
a) Create tags for each department
b) Create a billing group for each department
c) Create an Azure policy
d) Add the groups into a single resource group
e) Create a subscription account rule
a) Create tags for each department
c) Create an Azure policy
Create tags for each department and create an Azure policy. You should create a tag with a key:value pair like department:HR. You can then create an Azure policy which requires the tag be applied before a resource is created.
31
Your company wants to ensure that only cost-effective virtual machine SKU sizes are deployed. What should you do? Select one
a) Periodically inspect the deployment to see which SKU sizes are used
b) Create an Azure RBAC role that defines the allowed virtual machine SKU sizes
c) Create a policy in Azure Policy that specifies the allowed SKU sizes
c) Create a policy in Azure Policy that specifies the allowed SKU sizes
Create a policy in Azure Policy that specifies the allowed SKU sizes. After you enable this policy, that policy is applied when you create new virtual machines or resize existing ones.
32
Which of the following can be used to manage governance across multiple Azure subscriptions?
a) Azure initiatives
b) Resource Groups
c) Management Groups
c) Management Groups
Management groups. Management groups facilitate the hierarchical ordering of Azure resources into collections, at a level of scope above subscriptions. Distinct governance conditions can be applied to each management group, with Azure Policy and Azure role-based access controls, to manage Azure subscriptions effectively. The resources and subscriptions assigned to a management group automatically inherit the conditions applied to the management group.
33
Your company hires a new IT Administrator. She needs to manage a resource group with first-tier web servers including assigning permissions. However, she should not have access to other resource groups inside the subscription. You need to configure role-based access. What should you do? Select one.
a) Assign her as a Subscription Contributor
b) Assign her as a Resource Group Owner
c) Assign her as a Resource Group Contributor
b) Assign her as a Resource Group Owner
Assign her as a Resource Group owner. The new IT administrator needs to be able to assign permissions.
34
You have three virtual machines (VM1, VM2, and VM3) in a resource group. The Helpdesk hires a new employee. The new employee must be able to modify the settings on VM3, but not on VM1 and VM2. Your solution must minimize administrative overhead. What should you do? Select one
a) Assign the user to the Contributor role on the resource group
b) Assign the user the Contributor role on VM3
c) Move VM3 to a new resource group and assign the user to the Contributor role on VM3
b) Assign the user the Contributor role on VM3
Assign the user to the Contributor role on VM3. This means the user will not have access to VM1 or VM2. The Contributor role will allow the user to change the settings on VM1.
35
Your company wants to allow some users to control the virtual machines in each environment. These users should be prevented from modifying networking and other resources in the same resource group or Azure subscription. What should you do? Select one
a) Create a policy in Azure Policy that audits resource usage
b) Split the environment into separate resource groups
c) Create a role assignment through Azure RBAC
c) Create a role assignment through Azure RBAC
Create a role assignment through Azure RBAC. Azure RBAC enables you to create roles that define access permissions. You might create one role that limits access only to virtual machines and a second role that provides administrators with access to everything.
36
Suppose a team member can't view resources in a resource group. Where would the administrator go to check the team member's access? Select one
a) Check the team member's permissions by going to their Azure profile \> My Permissions
b) Go to the resources group and select Access Control (IAM) \> Role Assignments
c) Go to one of the resources in the resource group and select Role Assignments
b) Go to the resource group and select Access control (IAM) \> Role Assignments
Go to the resource group and select Access control (IAM) \> Role assignments. Find the list of role of assignments on the resource group.
37
A user who had Owner access to a subscription is leaving the company. No one else has access to this subscription. How can you grant another employee access to this subscription? Select one
a) Use the Azure portal to elevate your own access
b) Ask the former employee for their password
c) Ask the former employee to sign in and select a different employee to grant their permission to
a) Use the Azure portal to elevate your own access
Use the Azure portal to elevate your own access. Temporarily elevate your own access to assign the Owner role to another user.
38
What's included in a custom Azure role definition? Select one.
a) The assignment of the custom role
b) Operations allowed for Azure resources and the scope of permissions
c) Actions and DataActions operations that you can scope to the tenant level
b) Operations allowed for Azure resources and the scope of permissions
Operations allowed for Azure resources and the scope of permissions. A custom role definition includes the operations allowed such as read, write, and delete for Azure resources and the scope of those permissions.
39
What information does an Action provide in a role definition? Select one.
a) An Action provides the allowed management capabilities for the role
b) An Action determines what data the role can manipulate
c) An Action decides what resource the role is applied to
a) An Action provides the allowed management capabilities for the role
An Action provides the allowed management capabilities for the role. The Action provides what the role can do.
40
How are NotActions used in a role definition? Select one.
a) NotActions are subtracted from the Actions to define the list of permissible operations
b) NotActions are consulted after Actions to deny access to a specific operation
c) NotActions allow you to specify a single operation that is not allowed
a) NotActions are subtracted from the Actions to define the list of permissible operations
NotActions are subtracted from the Actions to define the list of permissible operations.
41
You are creating a new resource group to use for testing. Which two of the following parameters are required when you create a resource group with PowerShell of the CLI? Select two.
a) Location
b) Name
c) Region
d) Subscription
e) Tag
a) Location
b) Name
Location and Name are required by PowerShell (New-AzResourceGroup) and the CLI (az group create).
42
You have a new Azure subscription and need to move resources to that subscription. Which of the following resources cannot be moved? Select One.
a) Key Vault
b) Storage Account
c) Tenant
c) Tenant
A Tenant cannot be moved between subscriptions
43
You are reviewing your virtual machine usage. You notice that you have reached the limit for virtual machines in the US East region. Which of the following provides the easier solution? Select One.
a) Add another resource group
b) Change your subscription plan
c) Request support to increase your limit
c) Request support to increase your limit
Request support increase your limit. If you need to increase a default limit, there is a Request Increase link. You will complete and submit the support request.
44
Which of the following would be a good example of when to use a resource lock? Select one.
a) A ExpressRoute circuit with connectivity back to your on-premises network
b) A non-production virtual machine used to test occasional application builds
c) A storage account used to temporarily store images processed in a development environment.
a) A ExpressRoute circuit with connectivity back to your on-premises network
An ExpressRoute circuit with connectivity back to your on-premises network. Resource locks prevent other users in your organization from accidentally deleting or modifying critical resources.
45
Your manager asks you to explain how Azure uses resource groups. You provide all of the following information, except? Select one
a) Resources can be in only one resource group
b) Resources can be moved from one resource group to another resource group
c) Resources groups can be nested
c) Resource groups can be nested
Resource groups cannot be nested. You should carefully plan your resource group deployments.
46
Which of the following is not true about the Cloud Shell?
a) Authenticates automatically for instant access to your resources
b) Cloud Shell is assigned multiple machines per user account
c) Provides both Bash and PowerShell sessions
b) Cloud Shell is assigned multiple machines per user account
Cloud Shell is assigned multiple machines per user account, is not true. The cloud shell is assigned one machine per user account.
47
You are managing Azure locally using PowerShell. You have launched the app as an Administrator. Which of the following commands would you do first?
a) Connect-AzAccount
b) Get-AzResourceGroup
c) Get-AzSubscription
a) Connect-AzAccount
Connect-AzAccount. When you are working locally you are not automatically logged in to Azure. So, the first thing you should do is to connect to Azure and provide your credentials.
48
What do you need to install on your machine so you can execute Azure CLI commands locally? Select one
a) The Azure cloud shell
b) The Azure CLI and Azure PowerShell
c) Only the Azure CLI
c) Only the Azure CLI
Only the Azure CLI. You only need to install the Azure CLI. You will use a shell to issue the CLI commands, but every platform has at least one built-in shell.
49
Which parameter can you add to most CLI commands to get concise, formatted output? Select One
a) list
b) table
c) group
b) table
Table. The table parameter formats the output as a table. This can make things much more readable for commands that produce a large amount of output.
50
What needs to be installed on your machine to let you execute Azure PowerShell cmdlets locally? Select one
a) The Azure cloud shell
b) The Azure CLI and Azure PowerShell
c) The base PowerShell product and the Az module
c) The base PowerShell product and the Az module
You need both the base PowerShell product and the Az module. The base product gives you the shell itself, a few core commands, and programming constructs like loops, variables, etc. The Az modules adds the cmdlets you need to work with Azure resources
51
Suppose you are building a video-editing application that will offer online storage for user-generated video content. You will store the videos in Azure Blobs, so you need to create an Azure storage account to contain the blobs. Once the storage account is in place, it is unlikely you would remove and recreate it because this would delete all the user videos. Which tool is likely to offer the quickest and easiest way to create the storage account? Select one.
a) Azure Portal
b) Azure CLI
c) Azure PowerShell
a) Azure Portal
The portal is a good choice for one-off operations like creating a long-lived storage account. The portal gives you a GUI containing all the storage-account properties and provides tool tips to help you select the right options for your needs.
52
Which of the following is not an element in the template schema? Select one
a) Functions
b) Inputs
c) Outputs
d) Parameters
b) Inputs
Inputs is not a part of the template schema. The elements of an Azure Resource Manager template are schema, contentVersion, apiProfile, parameters, variables, functions, resources, and output.
53
Which of the following best describes the formate of an Azure Resource Manager template? Select one.
a) A Markdown document with a pointer table
b) A JSON document with key-value pairs
c) A TXT document with key-value pairs
d) An XML document with element-value pairs
b) A JSON document with key-value pairs
A JSON document with key-value pairs. An Azure Resource Template is a JSON document with key-value pairs.
54
Azure Resource Manager templates are idempotent. This means if you run a template with no changes a second time ... Select one.
a) Azure Resource Manager will deploy new resources as copies of the previously deployed resources
b) Azure Resource Manager won't make any changes to the deployed resources
c) Azure Resource Manager will delete the previously deployed resources and redeploy them
b) Azure Resource Manager won't make any changes to the deployed resources
If the resource already exists and no change is detected in the properties, no action is taken. If the resource already exists and a property has changed, the resource is updated. If the resource doesn't exist, it's created.
55
You are planning to configure networking Microsoft Azure. Your company has a new Microsoft Azure presence with the following network characteristics:
* 1 Virtual Network
* 1 subnet using 192.168.0.0/23 (does not have existing resources)
Your on-premises data center has the following network characteristics:
* 10 subnets using 102.168.1.0/24 through 192.168.10.0/24
The company intends to use 192.168.1.0/24 on-premises and 192.168.0.0/24 in Azure. You need to update your company's environment to enable the needed functionality. What should you do? Each answer represents part of the solution. Choose two.
a) Delete 192.168.0.0/23 from Azure
b) Delete 192.168.1.0/24 from the on-premises environment
c) Create a matching public subnet in Azure and in the on-premises environment
d) Create a subnet for 192.168.0.0/23 in the on-premises environment
e) Create a subnet for 192.168.0.0/24 in Azure
a) Delete 192.168.0.0/23 from Azure
e) Create a subnet for 192.168.0.0/24 in Azure
First, you need to delete 192.168.0.0/23 from Azure. It overlaps with 192.168.1.0/24, which you intend to use for on-premises. Second, you need to create a subnet for 192.168.0.0/24 in Azure to enable usage in Azure.
56
You are planning your Azure network implementation to support your company's migration to Azure. Your first task is to prepare for the deployment of the first set of VMs. The first set of VMs that you are deploying has the following requirements:
* Consumers on the internet must be able to communicate directly with the web application on the VMs
* The IP configuration must be zone redundant
You need to configure the environment to prepare for the first VM. Additionally, you need to minimize costs, whenever possible, while still meeting the requirements. What should you do? Select one
a) Create a standard public IP address. During the creation of the first VM, associate the public IP address with the VM's NIC
b) Create a standard public IP address. After the first VM is created, remove the private IP address and assign the public IP address to the NIC.
c) Create a basic public IP address. During the creation of the first VM, associate the public IP address with the VM
d) Create a basic public IP address. After the first VM is created, remove the private IP address and assign the public IP address to the NIC
a) Create a standard public IP address. During the creation of the first VM, associate the public IP address with the VM's NIC
To meet the requirement of communicating directly with consumers on the internet, you must use a public IP address. To meet the requirement of having a zone redundant configuration, you must use a standard public IP address. Of the answer choices, only the answer that creates the standard public IP address first, then associates it during VM creation, functions and meets the requirements. You cannot configure a VM with only a public IP address. Instead, all VMs have a private IP address and can optionally have one or more public IP addresses.
57
You have a VM with two NICs named NIC1 and NIC2. NIC1 is connected to 10.10.8.0/24 subnet. NIC2 is connected to 10.20.8.0/24 subnet. You plan to update the VM configuration to provide the following functionality.
* Enable direct communication from the internet to TCP port 443
* Maintain existing communication across the 10.10.8.0/24 and 10.20.8.0/24 subnets
* Maintain a simple configuration whenever possible
You need to update the VM configuration to support the new functionality. What should you do? select one.
a) Remove the private IP address from NIC2 and then assign a public IP address to it. Then, create an inbound security rule
b) Add a third NIC and associate a public IP address to it. Then, create an inbound security rule
c) Associate a public IP address to NIC2 and create an inbound security rule
d) Create an inbound security rule for TCP port 443
c) Associate a public IP address to NIC2 and create an inbound security rule
To enable direct communication from the internet to the VM, you must have a public IP address. You also need an inbound security rule. You can associate the public IP address with NIC1 or NIC2, although this scenario only presents an option to associate it with NIC2 so that is the correct answer.
58
You're currently using Network Security Groups (NSGs) to control how your network traffic flows in and out of your virtual network subnets and network interface. You want to customize how your NSGs work. For all incoming traffic, you need to apply your security rules to both the virtual machine and subnet level.
Which of the following options will let you accomplish this? (Choose two)
a) Configure the AllowVNetInBound security rule for all new NSGs
b) Create rules for both NICs and subnets with an allow action
c) Delete the default rules
d) Add rules with a higher priority than the default rules
b) Create rules for both NICs and subnets with an allow actions
d) Add rules with a higher priority than the default rules
You should add rules with a higher priority than the default rules if needed, as you cannot delete the default rules. Also, in order to meet the requirement to apply security rules to both VM and subnet level, you should create rules with an allow action for both. There is no need to configure the AllowVnetInBound rule as it as a default rule for any new security group you create.
59
Your company has two NSG security rules for inbound traffic to your web servers. There is an allow rule with a priority of 200. And, there is a deny rule with a priority of 150. Which rule takes precedence?
Select one
a) The allow rule takes precedence
b) The deny rule takes precedence
c) The rule that was created first takes precedence
b) The deny rule takes precedence
The deny rule takes precedence because it's processed first. The rule with priority 150 is processed before the rule with priority 200
60
Which of the following is a default inbound security rule? Select one
a) Allow inbound coming from any VM to any other VM within the subnet
b) Allow inbound coming from any VM to any other VM within the same virtual network
c) Allow traffic from any external source to any of the VMs
a) Allow inbound coming from any VM to any other VM within the subnet
By default, inbound security rules allow traffic from any VM to any other VM within the subnet.
61
Your company wants to simplify network security group rules by using service tags. Which of the following is a valid service tag? Select one
a) VirtualNetwork
b) VPNGateway
c) Database
a) VirtualNetwork
VirtualNetwork. Service tags represent a group of IP addresses. For resources that you can specify by using a tag, you don't need to know the IP address or port details. Other valid service tags are Internet, SQL, Storage, AzureLoadBalancer, and AzureTrafficManager.
62
You are configuring the Azure Firewall. You need to allow Windows Update network traffic through the firewall. Which of the following should you use? Select one.
a) Application Rules
b) Destination inbound rules
c) NAT Rules
d) Network rules
a) Application rules
Application rules. Application rules define fully qualified domain names (FQDNs) that can be accessed from a subnet. That would be appropriate to allow Windows Update network traffic.
63
Your company wants to allow external users to access an Azure virtual server with a remote desktop connection. Which one of the following items would you implement on Azure Firewall to allow these connections? Select one.
a) Service Tag
b) Source network address translation
c) Destination network address translation
c) Destination Network Address translation
Destination network address translation (DNAT). You use DNAT to translate Azure Firewall's public IP address to the private IP address of the virtual server.
64
Your company wants to allow access to an Azure SQL database instance. Which of the following network rules types should they use to configure Azure Firewall?
a) Application
b) Network
c) NAT
a) Application
Application. You use an application rule to filter traffic based on an FQDN such as server1.database.windows.net.
65
Your company has an existing Azure tenant named aplineskihouse.onmicrosoft.com. The company wants to start using alpineskihouse.com for their Azure resources. You add a custom domain to Azure.
Now you need to add a DNS record to prepare for verifying the custom domain. Which two of the following record types would you create?
a) Add a PTR record to the DNS Zone
b) Add a TXT record to the DNS Zone
c) Add an MX record to the DNS Zone
d) Add an SRV record to the DNS Zone
e) Add a CNAME record to the DNS Zone
b) Add a TXT record to the DNS Zone
c) Add an MX record to the DNS Zone
By default, Azure will prompt you to create a custom TXT record in your DNS zone to verify a custom domain. Optionally, you can use an MX record instead. The result is the same. Other record types are not supported.
66
You deploy a new domain named contoso.com to domain controllers in Azure. You have the following domain-joined VMs in Azure:
* VM1 at 10.20.30.10
* VM2 at 10.20.30.11
* VM3 at 10.20.30.12
* VM99 at 10.20.40.101
You need to add DNS records so that the hostnames resolve to their respective IP Addresses. Additionally, you need to add a DNS record so that intranet.contoso.com resolved to VM99. What should you do? (Each answer presents part of the solution. Choose two)
a) Add AAAA records for each VM
b) Add A records for each VM
c) Add a TXT record for intranet.contoosl.com with the text of VM99.contoso.com
d) Add an SRV record for intranet.contoso.com with the target pointing at VM99.contoso.com
e) Add a CNAME record for intranet.contoso.com with a value of VM99.contoso.com
b) Add A records for each VM
e) Add a CNAME record for intranet.contoso.com with a value of VM99.contoso.com
In this scenario, the hostnames have IPv4 IP addresses. Thus, to resolve those hostnames, you must add A records for each of the VMs. To enable intranet.contoso.com to resolve to VM99.contoso.com, you need to add a CNAME record. A CNAME record is often referred to as an “alias”.
67
Your company is preparing to move some services and VMs to Microsoft Azure. The company has opted to use Azure DNS to provide name resolution. A project begins to configure the name resolution. The project identifies the following requirements:
* A new domain will be used
* The domain will have DNS records for internal and external resources
* Minimize ongoing administrative overhead
you need to prepare and configure the environment with a new domain name and a test hostname of WWW. Which of the following steps should you perform? (Each answer presents part of the solution. Choose three)
a) Register a domain name with a domain registrar
b) Register a domain name with Microsoft Azure
c) Delegate the new domain name to Azure DNS
d) Add an Address (A) record for Azure name servers in the Zone
e) Add DNS glue records to point to the Azure name servers
f) Add a record for WWW
a) Register a domain name with a domain registrar
c) Delegate the new domain name to Azure DNS
f) Add a record for WWW
For private domain names, you must register with a registrar because Azure isn't a registrar. Thereafter, you need to delegate the new domain name to Azure DNS, which enables Azure DNS to be authoritative for the domain. After delegation, you should add a test hostname of WWW and test name resolution.
68
You want to connect different VNets in the same region as well as different regions and decide to use VNet peering to accomplish this. Which of the following statements is not true about VNet peering? Select one.
a) The virtual networks can only exist in the same Azure cloud region
b) Network traffic between peered virtual networks is private
c) Peering is easy to configure and manage, requiring little to no downtime
d) Gateway transit can be configured regionally or globally
a) The virtual networks can only exist in the same Azure cloud region
The virtual networks can exist in any Azure cloud region.
69
You are configuring VNet Peering across two Azure two virtual networks, VNET1 and VNET2. You are configuring the VPN Gateways. You want VNET2 to be able to use VNET1's gateway to get to resources outside the peering. What should you do? Select one
a) Select allow gateway transit on VNET1 and use remote gateways on VNET2
b) Select allow gateway transit on VNET2 and use remote gateways on VNET1
c) Select allow gateway transit and use remote gateways on both VNET1 and VNET2
d) Do not select allow gateway transit or use remote gateways on either VNET1 or VNET2
a) Select allow gateway transit on VNET1 and use remote gateways on VNET2
Select allow gateway transit on VNET1 and use remote gateways on VNET2. VNET1 will allow VNET2 to transit external resources, and VNET2 will expect to use a remote gateway.
70
The traffic between virtual machines in peered virtual networks is routed ... Select one
a) directly through Microsoft backbone infrastructure
b) through a VPN gateway
c) through the public internet
a) directly through Microsoft backbone infrastructure
The traffic between virtual machines in peered virtual networks is routed directly through the Microsoft backbone infrastructure.
71
Your company is preparing to implement a Site-To-Site VPN to Microsoft Azure. You do all the following except? Select one
a) Obtain a VPN device for the onpreises environment
b) Obtain a VPN device for the Azure environment
c) Create a virtual network gateway (VPN) and the local network gateway in Azure
d) Obtain a public IPv4 IP address without NAT for the VPN device
b) Obtain a VPN device for the Azure environment
Obtain a VPN device for the Azure environment. Azure does not require a VPN device.
72
Your company is preparing to implement persistent connectivity to Microsoft Azure. The company has a single site, headquarters, which has an on-premises data center. The company establishes the following requirements for the connectivity:
* Connectivity must be persistent
* Connectivity must provide for the entire on-premises site
You need to implement a connectivity solution to meet the requirements. What should you do? Select one
a) Implement a Site-To-Site VPN
b) Implement a Virtual Private Cloud (VPC)
c) Implement a VNet-toVNet VPN
d) Implement a Point-to-Site VPN
a) Implement a Site-To-Site VPN
73
You are configuring a site-to-site VPN connection between your on-premises network and your Azure network. The on-premises network uses a Cisco ASA VPN device. Before starting the configuration, you ensure you have all the following, except? Select one
a) The shared access signature key for the recovery services vault
b) The shared key you provided when you create your site-to-site VPN connection
c) The public IP address of your Virtual Network gateway
a) The shared access signature key for the recovery services vault
The shared access signature key for the recovery services vault. You only need the shared key and public IP address of the gateway.
74
Your VPN gateway works with ExpressRoute. Which VPN type should you select? Select one
a) Path-based
b) Route-based
c) SKU-based
b) Route-Based
Route-based. Typical route-based gateway scenarios include point-to-site, inter-virtual network, or multiple site-to-site connections. Route-based is also selected when you coexist with an ExpressRoute gateway or if you need to use IKEv2.
75
Your company is preparing to implement a Site-To-Site VPN to Microsoft Azure. You are selected to plan and implement the VPN. Currently, you have an Azure subscription, an Azure virtual network, and an Azure gateway subnet. You need to prepare the on-premises environment and Microsoft Azure to meet the prerequisites of the Site-To-Site VPN. Later, you will create the VPN connection and test it. What should you do? Each answer presents part of the solution. Select three
a) Obtain a VPN device for the on-premises environment
b) Obtain a VPN device for the Azure Environment
c) Create a virtual network gateway (VPN) and the local network gateway in Azure
d) Create a virtual network gateway (ExpressRoute) in Azure
e) Obtain a public IPv4 IP Address without NAT for the VPN device
a) Obtain a VPN device for the on-premises environment
c) Create a virtual network gateway (VPN) and the local network gateway in Azure
e) Obtain a public IPv4 address without NAT for the VPN device
Obtain a VPN device for the on-premises environment. Create a VPN and the local network gateway in Azure. Obtain a public IPv4 IP address without NAT for the VPN device.
76
You are creating a connection between two virtual networks. Performance is a key concern. Which of the following will most influence performance? Select One
a) Ensuring you select a route-based VPN
b) Ensuring you select a policy-based VPN
c) Ensuring you specify a DNS server
d) Ensuring you select an appropriate Gateway SKU
d) Ensuring you select an appropriate Gateway SKU
Select the appropriate Gateway SKU to ensure performance.
77
What is the Azure ExpressRoute service? Select one
a) It's a service that provides a VPN connection between on-premises and the Microsoft cloud
b) It's a service that encrypts your data in transit
c) It's a service that provides a direct connection from your on-premises datacenter to the Microsoft cloud
d) It's a service that provides a site-to-site VPN connection between your on-premises network and the Microsoft cloud
c) It's a service that provides a direct connection from your on-premises datacenter to the Microsoft Cloud
78
Who manages and maintains the components of an Azure Virtual WAN? Select One
a) The customer
b) Microsoft
c) Both the customer and Microsoft
b) Microsoft
Microsoft. Azure Virtual WAN is managed and maintained by Microsoft.
79
What Microsoft service helps to simplify a hub-and-spoke virtual network WAN deployment? Select one
a) Azure Virtual WAN
b) ExpressRoute
c) Virtual network peering
a) Azure Virtual WAN
Azure Virtual WAN. Azure Virtual WAN with Virtual WAN hubs simplifies a complex virtual network WAN.
80
What Azure component is used to secure a Virtual WAN Hub? Select one
a) Network Security Groups (NSG)
b) Azure Active Directory
c) Azure Firewall and Azure Firewall Manager
c) Azure Firewall and Azure Firewall Manager
81
Which of the following is not a benefit of ExpressRoute? Select one
a) Redundant connectivity
b) Consistent network throughput
c) Encrypted network communication
d) Access to Microsoft Cloud Services
c) Encrypted network communication
82
Your company wants to redirect Internet traffic to your company's on premises servers for packet inspection. Which of the following is not used for this? Select one.
a) User defined routes
b) Forced Tunneling
c) System Routes
c) system Routes
System routes. Forced tunneling can redirect internet bound traffic back to the company's on-premises infrastructure. The redirection can be used to implement packet inspection or corporate audits. Forced tunneling in Azure is configured via virtual network user defined routes.
83
Why would you use a custom route in a virtual network? Select one
a) To load balance the traffic within your virtual network
b) To connect to your Azure virtual machines using RDP or SSH
c) To connect to resources in another virtual network hosted in Azure
d) To control the flow of traffic within your Azure virtual network
d) To control the flow of traffic within your Azure virtual network
To control the flow of traffic within your Azure virtual network. Custom routes are used to override the default Azure routing so that you can route traffic through a network virtual appliance.
84
When creating user-defined routes, you can specify any of these next hop types, except? select one
a) Internet
b) Load Balancer
c) Virtual appliance
d) Virtual Network Gateway
b) Load Balancer
Load balancer. The valid next hop choices are virtual appliance. virtual network gateway, virtual network, internet, and none.
85
Your company needs to extend their private address space in Azure by providing a direct connection to your Azure resources. They implement which of the following? Select one
a) User-defined route
b) Virtual appliance
c) Virtual Network Endpoint
c) Virtual Network Endpoint
Virtual network endpoint. Virtual network endpoints extend your private address space in Azure. Endpoints restrict the flow of traffic. As you enable service endpoints, Azure creates routes in the route table to direct this traffic.
86
What is the main benefit of using a network virtual appliance?
a) To control outbound access to the internet
b) To load balance incoming traffic from the internet across multiple Azure Virtual machines and across two regions for DR purpose
c) To control incoming traffic from the perimeter network and allow only traffic that meets security requirements to pass-through
d) To control who can access Azure resources from the perimeter network
c) To control incoming traffic from the perimeter network and allow only traffic that meets security requirements to pass through.
To control incoming traffic from the perimeter network and allow only traffic that meets security requirements to pass through. A network virtual appliance acts like a firewall. It checks all inbound and outbound traffic, and it secures your environment by allowing or denying the traffic.
87
Your company provides customers a virtual network in the cloud. You have dozens of Linux virtual machines in another virtual network. You need to install an Azure load balancer to direct traffic between the virtual networks. What should you do? Select one.
a) Install a private load balancer
b) Install a public load balancer
c) Install an external load balancer
d) Install an internal load balancer
e) Install a network load balancer
d) Install an internal load balancer
Install an internal load balancer. Azure has two types of load balancers: public and internal. An internal load balancer directs traffic only to resources that are inside a virtual network or that use a VPN to access Azure infrastructure.
88
Your company has a popular regional web site. The company plans to move it to Microsoft Azure and hose it in the Canada East region. The web team has established the following requirements for managing the web traffic:
* Evenly distribute incoming web requests across a farm of 10 Azure VMs
* Support many incoming requests including spikes during peak times
* Minimize complexity
* Minimize ongoing costs
Which of the following would you select for this scenario? Select one.
a) Azure Traffic Manager
b) Azure Load Balancer
c) Azure Application Gateway
d) Azure Cloud Services
b) Azure Load Balancer
Azure Load Balancer. In this scenario, the requirements call for load balancing of a web site with minimal complexity and costs. The web site is in a single region, which rules out Azure Traffic Manager (which is geared toward a distributed web application). Azure CDN is complex and expensive, and it best suited for delivering static web content at various locations worldwide (with maximum performance). Azure Cloud Services are suited for applications and APIs, not for this scenario.
89
You deploy an internal load balancer between your web tier and app tier servers. You configure a custom HTTP health probe. Which two of the following are not true?
a) The load balancer manages the health probe
b) By default, the health probe checks the endpoint every 30 seconds
c) The instance is healthy if it responds within an HTTP 200 error
d) You can change the amount of time between health probe checks
e) You can change the number of failures within a time period
b) By default the health probe checks the endpoint every 30 seconds
e) You can change the number of failures within a time period
By default, the health probe checks the endpoints every 15 seconds, not 30 seconds. You can change the number of consecutive failures, but you cannot specify a time period for the failures.
90
What is the default distribution type for traffic through a load balancer? Select one
a) Source IP affinity
b) Five-tuple hash
c) Three-tuple hash
b) Five-tuple hash
Five-tuple hash. The hash includes Source IP, Source port, Destination IP, Destination port, and Protocol type
91
Which configuration is required to configure an internal load balancer?
a) Virtual machines should be in the same virtual network
b) Virtual machines must be publicly accessible
c) Virtual machines must be in an availability set
a) Virtual machines should be in the same virtual network
Virtual machines should be in the same virtual network. The virtual machines that you use a load balancer to distribute a load to must be in the same virtual network.
92
Which of the following statement about external load balancers is correct?
a) They have a private, front-facing IP address
b) They don't have a listener IP address
c) They have a public IP address
c) They have a public IP address
They have a public IP address. External load balancers have public IP addresses.
93
Which criteria does Application Gateway use to route requests to a web server? Select one
a) The hostname, port, and path in the URL of the request
b) The IP address of the web server that is the target of the request
c) The region in which the servers hosting the web application is located
d) The user's authentication information.
a) The hostname, port, and path in the URL of the request
94
Which load balancing strategy does the Application Gateway implement? Select one
a) Distributes requests to each available server in a backend pool in turn, round-robin
b) Distributes requests to the server in the backend pool with the lightest load
c) Polls each server in the backend pool in turn, and sends the request to the first server that responds
d) Uses one server in the backend pool until that server reaches 50% load, then moves to the next server
a) Distributes requests to each available server in a backend pool, in turn, round-robin
The Application Gateway distributes requests to each available server in the backend pool using the round-robin method.
95
Your company has a website that allows users to customize their experience by downloading an app. Demand for the app has increased so you have added another virtual network with two virtual machines. These machines are dedicated to serving the app downloads. You need to ensure the additional download request do not affect the website performance. Your solution must route all download requests to the two news servers you have installed. What action will you recommend? Select one.
a) Add a user-defined route
b) Create a local network gateway
c) Configure a new routing table
d) Add an application gateway
d) Add an application gateway
Application gateway. Application Gateway lets you control the distribution of user traffic to your endpoints running in different datacenters around the world.
96
You are deploying the Application Gateway and want to ensure incoming requests are checked for common security threats like cross-site scripting and crawlers. To address your concerns what should you do? Select one.
a) Install an external load balancer
b) Install an internal load balancer
c) Install Azure Firewall
d) Install the Web Application Firewall
d) Install the Web Application Firewall
Install the Web Application Firewall. The web application firewall (WAF) is an optional component that handles incoming requests before they reach a listener. The web application firewall checks each request for many common threats, based on the Open Web Application Security Project (OWASP).
97
Which of the following replicates your data to a secondary region, maintains six copies of your data, and is the default replication option? Select one.
a) Locally-redundant storage
b) Geo-redundant storage
c) Read-access geo-redundant storage
d) Zone-redundant storage
c) Read-access geo-redundant storage
Read-access geo-redundant storage (GRS) is the default replication option.
98
You have two video files store as blobs. One of the videos is business-critical and requires a replication policy that creates multiple copies across geographically diverse datacenters. The other video is non-critical, and a local replication policy is sufficient. Which of the following options would satisfy both data diversity and cost sensitivity consideration?
a) Create a single storage account that makes use of Local-redundant storage (LRS) and host both videos from here
b) Create a single storage account that makes use of Geo-Redundant storage (GRS) and host both videos from here
c) Create two storage accounts. The first account makes use of Geo-Redundant Storage (GRS) and hosts the business-critical video content. The second account makes use of Local-Redundant Storage (LRS) and hosts the non-critical video content
c) Create two storage accounts. The first account makes use of Geo-Redundant Storage (GRS) and hosts the business-critical video content. The second account makes use of local-redundant storage (LRS) and hosts the non-critical video content.
Create two storage accounts. The first account makes use of Geo-redundant storage (GRS) and hosts the business-critical video content. The second account makes use of Local-redundant storage (LRS) and hosts the non-critical video content. In general, increased diversity means an increased number of storage accounts. A storage account by itself has no financial cost. However, the settings you choose for the account do influence the cost of services in the account. Use multiple storage accounts to reduce costs.
99
The name of a storage account must be:
a) Unique within the containing resource group
b) Unique within your Azure subscription
c) Globally unique
c) Globally Unique
Globally unique. The storage account name is used as part of the URI for API access, so it must be globally unique.
100
In a typical project, when would you create your storage account(s)?
a) At the beginning, during project setup
b) After deployment, when the project is running
c) At the end, during resource cleanup
a) At the beginning, during project setup
At the beginning, during project setup. Storage accounts are stable for the lifetime of a project. It's common to create them at the start of a project.
101
A manufacturing company has several sensors that record time-relative data. Only the most recent data is useful. The company wants the lowest cost storage for this data. What is the best kind of storage account for them?
a) LRS
b) GRS
c) ZRS
a) LRS
LRS. This option is the best because it's the lowest cost, the data is being continuously created, and data loss isn't an issue.
102
Which of the following is not a valid blob storage access tier?
a) Archive
b) Hot
c) Standard
d) Cool
c) Standard
Standard. Standard is a storage performance tier, but not an access tier.
103
What of these changes between access tiers will happen immediately?
a) Hot to Cool
b) Archive to Cool
c) Archive to Hot
a) Hot to cool
Hot to Cool. Changes between Hot and Cool, and to Archive, happen immediately.
104
You work for an open-source development company. You use Microsoft Azure for a variety of storage needs. Up to now, all the storage was used for internal purposes only. It is organized in block blobs. Each block blob is in its own container. Each container is set to default settings. In total, you have 50 block blobs. The company has decided to provide read access to the data in the block blobs, as part of releasing more information about their open-source development efforts. You need to reconfigure the storage to meet the following requirements:
* All block blobs must be readable by anonymous internet users
You need to configure the storage to meet the requirements. What should you do? Select one
a) Create a new container, move all the blobs to the new container, and then set the public access level to blob
b) Set the public access level to Blob on all existing containers
c) Create a new shared access signature for the storage account and then set the allowed permissions to Read, set the allowed resource types to Object, and set the allowed services to Blob
d) Create a new access key for the storage account and then provide the connection string in the storage connectivity information to the public.
a) Create a new container, move all the blobs to the new container, and then set the public access level to blob.
Create a new container, move all the blobs to the new container, and then set the public access level to Blob. You should create a new container, move the existing blobs, and then set the public access level to Blob. In the future, when access changes are required, you can configure the single container (which would contain all blobs).
105
Your company provides cloud software to audit administrative access in Microsoft Azure resources. The software logs all administrative actions (including all clicks and test input) to log files. The software is about to be released from beta and the company is concerned about storage performance. You need to deploy a storage solution for the log files to maximize performance. What should you do? Select one
a) Deploy Azure Files using SMB 3.0
b) Deploy Azure Table Storage
c) Deploy Azure Queues Storage
d) Deploy blob storage using block blobs
e) Deploy blob storage using append blobs
e) Deploy blob storage using append blobs
Deploy blob storage using append blobs. Append blobs optimize append operations (writes adding onto a log file, for example). The company needs to write data to log files, most often appending data (until a new log file is generated).
106
Your company is building an app in Azure. The app has the following requirements:
* Storage must be reachable programmatically through a REST API
* Storage must be globally redundant
* Storage must be accessible privately within the company's Azure environment
* Storage must be optimal for unstructured data
What type of Azure storage should you use for the app? Select on
a) Azure Data Lake store
b) Azure Table Storage
c) Azure Blob Storage
d) Azure File Storage
c) Azure Blob Storage
Azure Blob Storage. Azure Blob Storage is optimal for unstructured data and meets the requirements for the company's app.
107
You are using blob storage. Which of the following is true? Select one
a) The cool access tier is for frequent access of objects in the storage account
b) The hot access tier is for storing large amounts of data that is infrequently accessed
c) The performance tier you select does not affect pricing
d) You can switch between hot and cool performance tiers at any time.
d) You can switch between hot and cool performance tiers at any time
You can switch between peformance tiers at any time. Changing the account storage tier from cool to hot incurs a charge equal to reading all the data existing in the storage account. However, changing the account storage tier from hot to cool incurs a charge equal to writing all the data into the cool tier (GPv2 accounts only).
108
You use a Microsoft Azure storage account for storing large number of video and audio files. You create containers to store each type of file and want to limit access to those files for specific periods. Additionally, the files can only be accessed through shared access signatures (SAS). You need the ability to revoke access to the files and to change the period for which user can access the files. What should you do to accomplish this in the most simple and effective way? Select one
a) Create an SAS for each user and delete the SAS when you want to prevent access
b) Use Azure Rights Management Service (RMS) to control access to each file
c) Implement stored access policies for each container to enable revocation of access or change duration.
d) Periodically regenerate the account key to control access to the files
c) Implement stored access policies for each container to enable revocation of access or change of duration
You should implement stored access policies which will let you change access based on permissions or duration by replacing the policy with a new one or deleting it altogether to revoke access. While Azure RMS would protect the files, there would be administrative complexity involved whereas stored access policies achieve the goal in the simplest way. Creating a SAS for each user would also involve a great amount of administrative overhead. Regenerating keys would prevent all users from accessing all files at the same time.
109
You need to provide a contingent staff employee temporary read-only access to the contents of an Azure storage account container named media. It is important that you grant access while adhering to the security principle of least-privilege. What should you do? Select one
a) Set the public access level to Container
b) Generate a shared access signature (SAS) token for the container
c) Share the container entity tag (Etag) with the contingent staff member
d) Configure a Cross-Origin Resource Sharing (CORS) rule for the storage account
b) Generate a shared access signature (SAS) token for the container
You should generate a SAS token for the container which provides access either to entire containers or blobs. You should not share the Etag with the contingent staff member. Azure uses Etags to control concurrent access to resources and do not deliver the appropriate security controls. Setting the public access level to Container would not conform to the principle of least privilege as the container now becomes open to public connections with no time limitation. CORS is a Hypertest Transfer Protocol (HTTP) mechanism that enables cross-domain resource access but does not provide security-based resource access control.
110
You are planning a delegation model for your Azure storage. The company has issued the following requirements for Azure storage access:
* Apps in the non-production environment must have automated time-limited access
* Apps in the production environment must have unrestricted access to storage resources
You need to configure storage access to meet the requirements. What should you do? (Each answer presents part of the solution. Select two)
a) Use shared access signatures for non-production apps
b) Use shared access signatures for the production apps
c) Use access keys for the non-production apps
d) Use access keys for the production apps
e) Use Stored Access Policies for the production apps
f) Use Cross Origin Resource Sharing for the non-production apps
a) Use shared access signatures for the non-production apps
d) Use access keys for the production apps
Shared access signatures provide a way to provide more granular storage access than access keys. For example, you can limit access to “read only” and you can limit the services and types of resources. Shared access signatures can be configured for a specified amount of time, which meets the scenario’s requirements. Access keys provide unrestricted access to the storage resources, which is the requirement for production apps in this scenario.
111
When configuring network access to your Azure Storage Account, what is the default network rule?
a) To allow all connections from all networks
b) To allow all connections from a private IP address range
c) To deny all connections from all networks
a) To allow all connections from all networks
To allow all connections from all networks. The default network rule is to allow all connections from all networks.
112
Your organization has data stored in hard drives. It wants to move this data into a secure Azure storage solution. What solution would allow you to encrypt this data with minimal effort.
a) Azure Disk Encryption
b) Azure Storage Service Encryption
c) Client-site encryption with Azure
b) Azure Storage Service Encryption
Azure Storage Service Encryption. Storage Service Encryption allows encryption on all data stored on storage accounts. Encryption is enabled by default.
113
Your company is planning to store log data, crash dump files, and other diagnostic data for Azure VMs in Azure. The company has issued the following requirements for the storage:
* Administrators must be able to browse to the data in File Explore
* Access over SMB 3.0 must be supported
* The storage must support quotas
You need to choose the storage type to meet the requirements. Which storage type should you use? Select one.
a) Azure Files
b) Table Storage
c) Blob Storage
d) Queue Storage
a) Azure Files
Azure Files supports SMB 3.0, is reachable via File Explorer, and supports quotas. The other storage types do not support the requirements. While blob storage is good for unstructured data, it cannot be accessed over SMB 3.0.
114
Your company has a file server named FS01. The server has a single shared folder that users' access to shared files. The company wants to make the same files available from Microsoft Azure. The company has the following requirements:
* Microsoft Azure should maintain the exact same data as the shared folder on FS01
* Files deleted on either side (on-premises or cloud) shall be subsequently and automatically deleted from the other side (on-premises or cloud).
You need to implement a solution to meet the requirements. What should you do? Select one
a) Deploy DFS Namespaces
b) Install and use AZCopy
c) Deploy Azure File Sync
d) Install and use Azure Storage Explorer
e) Deploy storage tiering
c) Deploy Azure File Sync
In this scenario, only Azure File sync can keep FS01 and Azure synced up and maintaining the same data. While AZCopy can copy data, it isn't a sync solution to have both sources maintain the exact same files. Storage tiering is used for internal tiering (SSD and HDD, for example). While DFS Replication could fit here, DFS Namespace doesn't offer the replication component. Storage Explorer is a tool for managing different storage platforms.
115
You've been asked by a local manufacturing company that runs dedicated software in their warehouse to keep track of stock. The software needs to run on machines in the warehouse, but the management team wants to access the output from the head office. The limited bandwidth available in the warehouse caused them problems in the past when they tried to use cloud-based solutions. You recommend that they use Azure Files. Which is the best method to sync the files with the cloud?
a) Create an Azure Files share and directly mount shares on the machines in the warehouse
b) Use a machine in the warehouse to host a file share, install Azure File Sync, and share a drive with the rest of the warehouse
c) Install Azure File Sync on every machine in the warehouse and head office
b) Use a machine in the warehouse to host a file share, install Azure File Sync, and share a drive with the rest of the warehouse
Use a machine in the warehouse to host a file share, install Azure File Sync, and share a drive with the rest of the warehouse. This answer is the best because the low bandwidth means Azure File Sync will handle the updating and syncing of files efficiently over the low-bandwidth network.
116
What is the Azure File Sync Agent?
a) It's installed on a server to enable Azure File Sync replication between the local file share and an Azure File Share
b) It's installed on a server to set NTFS permissions on files and folders
c) It's installed on an Azure File Share to control on-premises file and folder replication traffic
a) It's installed on a server to enable Azure File Sync replication between the local file share and an Azure File Share
It's installed on a server to enable Azure File Sync replication between the local file share and an Azure file share. Azure File Sync agent is a downloadable package that enables a Windows Server file share to be synced with an Azure file share.
117
In what order do you create the Azure resources needed to support Azure File Sync?
a) Storage Sync Service, Storage Account, File Share, and then the Sync Group
b) Storage Account, File share, Storage Sync Service, and then Sync Group
c) Storage Account, Files Share, Sync Group, and then Storage Sync Service
b) Storage Account, File share, Storage Sync Service, and then Sync Group
Storage account, file share, Storage Sync Service, and then the sync group. Create the storage account, and then create a file share within the storage account. Create the Storage Sync Service, and then create the sync group within the Storage Sync Service.
118
what is cloud tiering in Azure File Sync?
a) It's a feature that archives infrequently accessed files to free up space on the local file share
b) It's a policy you create that prioritizes the sync order of files shares
c) It's a policy that set the frequency at which the sync job runs
a) It's a feature that archives infrequently accessed files to free up space on the local file share
It's a feature that archives infrequently accessed files to free up space on the local file share. Cloud tiering allows frequently accessed files to be cached on the local server. Infrequently accessed files are tiered, or archived, to the Azure file share according to the policy you create.
119
What's the deployment process for Azure File Sync?
a) Evaluate your on-premises system, create the Azure resources, install the Azure File Sync agent, register the on-premises server, and create the server endpoint
b) Create the Azure resources, install the Azure File Sync agent, register the on-premises server, and create the server endpoint
c) Evaluate your on-premises system, create the Azure resources, install the Azure File Sync agent on a virtual machine, register the on-premises server, and create the server endpoint.
a) Evaluate your on-premises system, create the Azure resources, install the Azure File Sync agent, register the on-premises server, and create the server endpoint.
Evaluate your on-premises system, create the Azure resources, install the Azure File Sync agent, register the on-premises server, and create the server endpoint. Verify that your on-premises server's OS and file system are supported. Then create the required resources in Azure. On the local server, install the Azure File Sync agent and register the server. Finally, create the server endpoint in Azure.
120
The manufacturing company's finance department wants to control how the data is being transferred to Azure Files. They want a graphical tool to manage the process, but they don't want to use the Azure Portal. What tool do you recommend they use?
a) Azure Data Box
b) Robocopy
c) Azure Storage Explorer
c) Azure Storage Explorer
Azure Storage Explorer. This option is the best if the finance department doesn't want to use the Azure portal.
121
You have an existing storage account in Microsoft Azure. It stores unstructured data. You create a new storage account. You need to move half of the data from the existing storage account to the new storage account. What tool should you use? Select one
a) Use the Azure Portal
b) Use File Server Resource Manager
c) Use the Robocopy command-line tool
d) Use the AzCopy command-like tool
d) Use the AzCopy command-line tool
Use the AzCopy command-line tool. The key in this scenario is that you need to move data between storage accounts. The AzCopy tool can work with two different storage accounts. The other tools do not copy data between storage accounts. Alternatively, although not one of the answer choices, you can use Storage Explorer to copy data between storage accounts.
122
You want to quickly upload the data in a collection of small files held in a local folder to blob storage. You don't want to overwrite blobs that have been modified in the last two days. Which tool should you use?
a) Azure CLI
b) AzCopy
c) Azure Storage Explorer
a) Azure CLI
Azure CLI. The Azure CLI is great choice for one-off file transfers and can be used to check the last modified date.
123
You want to transfer a series of large files to blob storage. It may take several hours to upload each file, and you're concerned that if a transfer fails, it shouldn't have to restart from the beginning. Which tool is the most appropriate to do this task?
a) Azure CLI
b) AzCopy
c) Azure Storage Explorer
b) AzCopy
AzCopy. AzCopy is ideal for transferring large files as it can run in the background, and you can monitor the status AzCopy jobs.
124
You are researching Microsoft Azure for your company. The company is considering deploying Windows-based VMs in Azure. However, before moving forward, the management team has asked you to research the costs associated with Azure VMs. You need to document the configuration options that are likely to save the company money on their Azure VMs. Which options should you document? Each answer presents part of the solution. Select four.
a) Use HDD instead of SSD for VM storage
b) Use unmanaged premium storage instead of managed standard storage
c) Bring your own Windows custom images
d) Use different Azure regions
e) Use the least powerful VMs that meet your requirements
f) Place all VMs in the same resource group
g) Bring your own Windows license for each VM
a) Use HDD instead of SSD for VM storage
d) Use different Azure regions
e) Use the least powerful VMs that meet your requirements
g) Bring your own Windows license for each VM
In this scenario, you need to document which of the options presented are likely to save the company money for their Azure VMs. While this isn’t an exhaustive list, the correct money-saving configuration options are: Use HDD instead of SSD, use different Azure regions, use the least powerful VMs that meet your requirements, and bring your own Windows license (instead of paying for a license with the VM). The other options usually increase cost.
125
You are planning to deploy several Linux VMs in Azure. The security team issues a policy that Linux VMs must use an authentication system other than passwords. You need to deploy an authenatication method for Linux VMs to meet the requirement. Which authentication method should you use? Select one
a) SSH Key pair
b) Azure multi-factor authentication
c) Access Keys
d) Shared Access signatures
e) Security Vault Cerficiate
a) SSH Key pair
Azure supports two authentication methods for Linux VMs - passwords and SSH (via an SSH key pair). Access keys and shared access signatures are access methods for Azure storage, not for Azure VMs. In this scenario, you need to use an SSH key pair to meet the requirement.
126
Your organization has a security policy that prohibits exposing SSH ports to the outside world. You need to connect to an Azure Linux virtual machine to install software. What should you do? Select one
a) Configure the Bastion service
b) Configure a guest configuration on the Virtual Machine
c) Create a custom script extension
d) Work offline and then reimage the virtual machine
a) Configure the Bastion service
Configure the Bastion service. The Azure Bastion service is a new fully platform-managed PaaS service that you provision inside your virtual network. It provides secure and seamless RDP and SSH connectivity to your virtual machines directly in the Azure portal over SSL. When you connect via Azure Bastion, your virtual machines do not need a public IP address. Bastion provides secure RDP and SSH connectivity to all VMs in the virtual network in which it is provisioned. Using Azure Bastion protects your virtual machines from exposing RDP and SSH ports to the outside world while still providing secure access using RDP and SSH. With Azure Bastion, you connect to the virtual machine directly from the Azure portal. You don't need an additional client, agent, or piece of software.
127
What is the effect of the default network security settings for a new virtual machine?
a) Neither outbound nor inbound requests are allowed
b) Outbound request is allowed. Inbound traffic is only allowed from within the virtual network
c) There are no restrictions: all outbound and inbound requests are allowed
b) Outbound request is allowed: Inbound traffic is only allowed from within the virtual network
Outbound request is allowed. Inbound traffic is only allowed from within the virtual network. Outbound requests are considered low risk, so they are allowed by default. Inbound traffic from within the virtual network is allowed. By placing a VM in a virtual network, the VM owner is implicitly opting-in to communication among the resources in the virtual network.
128
You have several Linux virtual machines hosted in Azure. You will administer these VMs remotely over SSH from three dedicated machines in your corporate headquarters. Which of the following authentication methods would typically be considered best-practice for this situation
a) Username and password
b) Private key
c) Private key with passphrase
c) Private key with passphrase
Private key with passphrase. Private key access with a passphrase is the most secure option. Even if an attacker acquires your private key, they will be unable to use it without the passphrase.
129
You want to run a network appliance on a virtual machine. Which workload options should you choose?
a) General Purpose
b) Compute optimized
c) Memory optimized
d) Storage optimized
b) Compute optimized
Compute optimized. Compute optimized virtual machines are designed to have a high CPU-to-memory ratio. Suitable for medium traffic web servers, network appliances, batch processes, and application servers.
130
You host a service with two Azure virtual machines. You discover that occasional outages cause your service to fail. What two actions can you do to minimize the impact of the outage? Select two
a) Add a load balancer
b) Put the virtual machines in an availability set
c) Put the virtual machines in a scale set
d) Add a network gateway
e) Add a third instance of the virtual machines
a) Add a load balancer
b) Put the virtual machines in an availability set
To minimize the impact put the virtual machines in an availability set and add a load balancer.
131
Another IT administrator creates an Azure virtual machine scale set with 5 VMs. Later, you notice that the VMs are all running at max capactiy with the CPU being fully consumed. However, additional VMs ar enot deploying in the scale set. You need to ensure that additional VMs are deployed when the CPU is 75% consumed. What should you do? Select one
a) Enable the autoscale option
b) Increate the instance count
c) Add the scale set automation script to the library
d) Deploy the scale set automation script
a) Enable the autoscale option
When you have a scale set, you can enable automatic scaling with the autoscale option. When you enable the option, you define the parameters for when to scale. To meet the requirements of this scenario, you need to enable the autoscale option so that additional VMs are created when the CPU is 75% consumed. Note that the automation script is used to automate the deployment of scale sets and not related to automating the building of additional VMs in the scale set.
132
You're part of the DevOps team for a large food delivery company. Friday night is typically your busiest time. Conversely, 7am on Wednesday is generally your quietest time. What should you implement? Select one
a) autoscale
b) Metric-based rules
c) schedule-based rules
c) schedule-based rules
Schedule-based rules. You can proactively schedule the scale set to deploy one or N number of additional instances to accommodate a spike in traffic and then scale back down when the spike ends.
133
Your company is preparing to deploy an application to Microsoft Azure. The app is a self-contained unit that runs independently on several servers. The company is moving the app to the cloud to provide better performance. To get better performance, the team has the following requirements:
* If the CPU across the servers goes above 85%, a new VM should be deployed to provide additional resources
* If the CPU across the servers drops below 15%, an Azure VM running the app should be decommissioned to reduce costs.
You need to deploy a solution to meet the requirements while minimizing the administrative overhead to implement and manage the solution. What should you do?
a) Deploy the app in a virtual machine scale set
b) Deploy the app in a virtual machine availability set
c) Deploy the app by using a resource manager template
d) Deploy the app and use PowerShell Desired State Configuration (DSC)
a) Deploy the app in a virtual machine scale set
In this scenario, you should use a scale set for the VMs. Scale sets can scale up or down, based on defined criteria (such as the existing set of VMs using a large percentage of the available CPU). This meets the scenario’s requirements.
134
Your company is deploying a critical business application to Microsoft Azure. The uptime of the application is of utmost importance. The application has the following components.
* 2 Web servers
* 2 application servers
* 2 database servers
You need to design the layout of the VMs to meet the following requirements:
* Each VM in a tier must run on different hardware
* Uptime for the application must be maximized
You need to deploy the VMs to meet the requirements. What should you do? Select one
a) Deploy 1 VM from each tier into one availability set and the remaining VMs into a separate availability set
b) Deploy the VMs from each tier into a dedicated availability set for the tier
c) Deploy the application and database VMs in one availability set and the web VMs into a separate availability set
d) Deploy a load balancer for the web VMs and an availability set to hold the application and database VMs
b) Deploy the VMs from each tier into a dedicated availability set for the tier.
An availability set should hold VMs in the same tier because that ensures that the VMs are not dependent on the same physical hardware. If you deploy VMs in a single tier across multiple availability sets, then you have a chance of a tier becoming unavailable due to a hardware issue. In this scenario, each tier should have a dedicated availability set (Web availability set, app availability set, database availability set).
135
Your company has Windows Server VMs and Ubuntu Linux VMs in Microsoft Azure. The company has a new project to standardize the configuration of servers across the Azure environment. The company opts to use Desired State Configuration (DSC) across all VMs. You need to ensure that DSC can be used across all the VMs. What two things should you do? Select two.
a) Replace the Ubuntu VMs with Red Hat Enterprise Linux VMs
b) Deploy the DSC extensions for Windows Server VMs
c) Deploy the DSC extensions for Linux VMs
d) Use an automation script to install the DSC agent on both VMs
b) Deploy the DSC extension for Windows Server VMs
c) Deploy the DSC extension for Linux VMs
Desired State Configuration (DSC) is available for Windows Server and Linux-based VMs. In this scenario, you just need to deploy the extensions to the existing VMs to start using DSC.
136
What is Azure Automation State Configuration?
a) A declarative management platform to configure, deploy, and control systems
b) A service used to write, manage, and compile PowerShell Desired State Configuration (DSC) configurations, import DSC resources, and assign configurations.
c) A service that manages the state configuration on each destination, or node
b) A service used to write, manage, and compile PowerShell Desired State Configuration (DSC) configurations, import DSC resources, and assign configurations to target nodes
A service used to write, manage, and compile PowerShell Desired State Configuration (DSC) configurations, import DSC resources, and assign configurations to target nodes.
137
A PowerShell DSC Script \_\_\_\_\_\_\_\_\_\_\_
a) contains the steps required to configure a virtual machine to get it into a specified state
b) can only be run in push mode
c) describes the desired state
c) Describes the desired state
Describes the desired state. A PowerShell DSC script is declarative. It describes the desired state but doesn't include the steps necessary to achieve that state.
138
Why should you use pull mode instead of push mode for DSC?
a) Pull mode is best for complex environments that need redundancy and scale
b) Pull mode is easy to set up and doesn't need its own dedicated infrastructure
c) Pull mode uses the local configuration manager (LCM) to make sure that the state on each node matches the state specified in the configuration
a) Pull mode is best for complex environments that need redundancy and scale
Pull mode is best for complex environments that need redundancy and scale. Each node automatically polls the pull server at regular intervals to get the latest configuration details. In push mode, an administrator manually sends the configurations toward the nodes.
139
You are administering a production web app The app requires scaling to five instances, 40GB of storage, and a custom domain name. Which App Service Plan should you select.
a) Free
b) Shared
c) Basic
d) Standard
e) Premium
d) Standard
Standard. The Standard App Service Plan meets the requirements at the least cost.
140
Which of the following is not true of the App Service Plan? select one
a) The app service plan is a set of virtual server resources that run App Service apps
b) The app service plan determines the performance characteristics of the Virtual Servers
c) The app service plan hosts a single app service web app
c) The App Service plan hosts a single App Service Web App
The App Service plan hosts a single App Service web app. A single App Service plan can host multiple App Service web apps. In most cases, the number of apps you can run on a single plan will be limited by the performance characteristics of the apps and the resource limitations of the plan.
141
To get more CPU, Memory, or disk you should? Select one
a) Scale Up
b) Scale out
a) Scale Up
Scale up. Scale up gives you more CPU, memory, disk space, and more. You scale up by changing the pricing tier of the App Service plan that your app belongs to.
142
To configure an autoscale trigger based on average response time, you should select ... Select one
a) Metric-based
b) Time-based
c) User-based
a) Metric-based
Metric-based. Metric-based rules measure application load and add or remove VMs based on that load. For example, do this action when CPU usage is above 50%. Examples of metrics are CPU time, Average response time, and Requests.
143
Which of the following settings is not swapped when you swap an app? Select One
a) Framework version
b) Public certificates
c) Scale settings
c) Scale settings
Scale settings. Scale settings are not swapped.
144
Which of the following is not true about App Service backups? Select one
a) Incremental backups are the default
b) You can configure backups manually or on a schedule
c) You can exclude files and folder you do not want in the backup
a) Incremental backups are the default
Incremental backups are the default. Full backups are the default.
145
What method does Microsoft Azure App Service use to obtain credentials for users attempting to access an app? Select one
a) Credentials that are stored in the browser
b) Pass-through authentication
c) Redirection to provider endpoint
d) Synchronization of accounts across providers
c) Redirection to a provider endpoint
Redirection to a provider endpoint. Microsoft Azure App Service apps redirect requests to an endpoint that signs in users for that provider. The App Service can automatically direct all unauthenticated users to the endpoint that signs in users. Course: Module 4
146
Which of the following isn't a valid automated deployment source?
a) Azure DevOps
b) GitHub
c) SharePoint
c) SharePoint
SharePoint. Azure currently supports Azure DevOps, GitHub, Bitbucket, OneDrive, Dropbox, and external Git repositories.
147
Which of the following is not true about container groups? Select one.
a) Are scheduled on multiple host machines
b) Consists of two containers
c) Exposes a single public IP address, with one exposed port
d) Includes two Azure file shares as volume mounts
a) Are scheduled on multiple host machines
Are scheduled on multiple host machines. A container group is scheduled on a single host machine.
148
Which restart policy is typically the best choice for long-running tasks that service requests? Select one
a) Always
b) OnFailure
c) Never
a) Always
The restart policy Always will ensure needed processes continue to be available even if a restart is required.
149
All the following are true about Azure Container Instances except? Select one
a) Billing only when the container is in use
b) Launch containers in seconds
c) Storage using Azure Blobs
c) Storage using Azure Blobs
Storage using Azure Blobs. ACI uses persistent storage. You can mount Azure Files shares directly to a container to retrieve and persist state.
150
You decide to move all your services to Azure Kubernetes service. Which of the following components will contribute to your monthly Azure charge? Select one
a) Azure managed node
b) Pods
c) Customer node virtual machines
d) Tables
c) Customer node virtual machines
Customer node virtual machines. You only pay for the virtual machines instances, storage, and networking resources consumed by your Kubernetes cluster.
151
Which of the following is the Kubernetes agent that processes the orchestration requests and schedules running the requested containers? Select one
a) controller
b) container runtime
c) kube-proxy
d) kubelet
d) kublet
kubelet. The kubelet process the orchestration requests and schedules running the requested containers.
152
You are configuring networking for Azure Kubernetes service. Which of the following maps incoming direct traffic to the pods? Select one
a) AKS node
b) ClusterIP
c) Load Balancer
d) NodePort
d) NodePort
NodePort. NodePort maps incoming direct traffic to the pods.
153
You need to backup files and folders to Azure. Which three steps must you perform?
a) Download, install and register the backup agent
b) Synchronize configuration
c) Back up files and folders
d) Create a backup services vault
e) Create a recovery services vault
a) Download, install and register the backup agent
c) Back up files and folders
e) Create a recovery services vault
First, create a recovery services vault. Second, download, install and register the backup agent. Lastly, backup your files and folders.
154
You are responsible for implementing server workload backups. You need to implement on-premises backups to an Azure Recovery Vault service. What should you do?
a) Download and install the MARS agent, and then register the server by installing the vault credentials
b) Just download and install the MARS agent
c) Don't do anything. Windows Servers contain the required agent for inclusion in the Recover Vault Service
a) Download and install the MARS agent, and then register the server by installing the vault credentials
Download and install the MARS agent, and then register the server by installing the vault credentials. You can download all the required components direct from the Azure portal.
155
You have created the Recovery Vault service. Now you decide to change the storage replication type to locally redundant. In which situations can Larissa change the storage replication type?
a) You can change this setting at any time
b) You can change this setting, but only before a Recovery Vault service starts providing protection for items
c) You cannot change this setting at any time
b) You can change this setting, but only before a Recovery Vault service starts providing protection for items
You can change this setting, but only before a Recovery Vault service starts providing protection for items.
156
You are responsible for creating a disaster recovery plan for your data center. You must be able to recreate virtual machines from scratch. This includes the Operating System, its configuration/settings, and patches. Which of the following will provide a bare metal backup of your machines? Select one
a) Azure Backup (MARS) agent
b) Enable disk snapshots
c) Azure Site Recovery
d) Azure Backup Server
d) Azure Backup server
Azure Backup Server provides a bare metal backup capability.
157
You have several Azure VMs that are currently running production workloads. You have a mix of Windows Server and Linux servers and you need to implement a backup strategy for your production workloads. Which feature should you use in this case? Select one
a) Managed Snapshots
b) Azure Backup
c) Azure Site Recovery
d) Azure Migrate
b) Azure Backup
Azure Backup is the best option for your production workloads.
158
You plan to use Azure Backup to protect your virtual machines and data and are ready to create a backup. What is the first thing you need to do? Select one
a) Define Recovery points
b) Create a Recovery Services Vault
c) Create a Backup Policy
d) Install the Azure VM Agent
b) Create a Recovery Services vault
Create Recovery Services vault. When performing a virtual machine backup, you must first create a Recovery Services vault in the region where you want to store the data. Recovery points are stored in the Recovery Services vault. While creating a backup policy is a good practice, it is not a dependency to creating a backup. The Azure VM agent is required on an Azure virtual machine for the Backup extension to work. However, if the VM was created from the Azure gallery, then the VM Agent is already present on the virtual machine.
159
You deploy several Virtual Machines (VMs) to Azure. You are responsible for backing up all data processed by the VMs. In the event of a failure, you need to restore the data as quickly as possible. Which of these options would you recommend to restore a database used for development on a data disk? Select one.
a) Virtual Machine Backup
b) Azure Site Recovery
c) Disk Image Backup
d) Disk Snapshot
d) Disk Snapshot
Disk snapshot. You can use snapshots to quickly restore the database data disks.
160
You deploy several Virtual Machines (VMs) to Azure. You are responsible for backing up all data processed by the VMs. In the event of a failure, you need to restore the data as quickly as possible. Which of these options would you recommend to restore the entire virtual machine or files on the virtual machine? Select One)
a) Virtual Machine Backup
b) Azure Site Recovery
c) Disk image backup
d) Disk Snapshot
a) Virtual Machine Backup
Use Azure Backup to restore a VM to a specific point in time, and to restore individual files. Azure Backup supports application-consistent backups for both Windows and Linux VMs.
161
Your organization needs a way to create application-aware snapshots, and backup Linux virtual machines and VMWare virtual machines. You have files, folders, volumes, and workloads to protect. You recommend which of the following solutions? Select one
a) Azure Backup (MARS) agent
b) Azure Backup Server
c) Enable disk snapshots
d) Enable backup for individual Azure VMs
b) Azure Backup Server
Azure backup server provides app aware snapshots, support for Linux virtual machines and VMware virtual machines. Backup server can protect files, folders, volumes, and workloads.
162
You plan to use virtual machine soft delete. Which of the following statements are true? Select two
a) Soft delete provides 20 days extended retention of data
b) If you delete a backup, soft delete still provides recovery data
c) Soft delete is built-in protection at no additional cost
d) Soft delete items are stored in archive storage
e) A recovery service vault can be deleted if it only has soft-deleted backup items
b) If you delete a backup, soft delete still provides recovery data
c) Soft delete is built-in protection at no additional cost
If you delete a backup, soft delete still provides recovery of data. Soft delete is built-in protection at no additional cost.
163
You need to determine who deleted a network security group through Resource Manager. You are viewing the Activity Log when another Azure Administrator says you should use this event category to narrow your search. Select one.
a) Administrative
b) Service Health
c) Alert
d) Recommendation
e) Policy
a) Administrative
Administrative. This category contains the record of all create, update, delete, and action operations performed through Resource Manager. Examples of the types of events you would observe in this category include "create virtual machine" and "delete network security group". The Administrative category also includes any changes to role-based access control in a subscription.
164
What is the shared underlying logging data platform for Azure Sentinel and Azure Security Center?
a) Activity Logs
b) Azure Monitor Logs
c) Diagnostic Settings
b) Azure Monitor Logs
Azure Monitor Logs. Several services in Azure including Sentinel and Security Center use Azure Monitor Logs as their underlying logging data platform.
165
What data does Azure Monitor collect?
a) Data from a variety of sources, such as application event log, the operating system (Windows and Linux), Azure resources, and custom data sources
b) Azure billing details
c) Backups of database transaction logs
a) Data from a variety of sources, such as the application event log, the operating system (Windows and Linux), Azure resources, and custom data sources.
166
What two fundamental types of data does Azure Monitor collect?
a) Metrics and logs
b) Username and password
c) Email notifications and errors
a) Metrics and Logs
Metrics and logs. Azure Monitor collects two types of data: metrics and logs. Metrics are numerical values that describe some aspect of a system at a particular time. Logs contain different kinds of data, such as event information, organized into records.
167
Your organization has an app that is used across the business. The performance of this app is critical to day-to-day operations. Because the app is so important, four IT administrators have been identified to address any issues. You have configured an alert and need to ensure the administrators are notified if there is a problem. In which area of the portal will you provide the administrator email addresses? Select one
a) Activity Log
b) Performance Group
c) Signal Type
d) Action Group
d) Action Group
Action Group. When creating the alert, you will select Email as the Action Type. You will then be able to provide the administrator email addresses as part of the Action Group.
168
You are reviewing the Alerts page and notice an alert has been Acknowledged. What does this mean? Select one
a) The issue has just been detected and has not yet been reviewed
b) An administrator has reviewed the alert and started working on it
c) The issue has been resolved
d) The issue has been closed
b) An administrator has reviewed the alert and started working on it
An administrator has reviewed the alert and started working on it. An alert status of Acknowledged means an administrator has reviewed the alert and started working on it. Alert state is different and independent of the monitor condition. Alert state is set by the user. Monitor condition is set by the system.
169
What's the composition of an alert rule? Select one
a) Resource, condition, log, alert type
b) Metrics, logs, application, Operating System
c) Resource, condition, actions, alert details
c) Resource, condition, actions, alert details
Resource, condition, actions, alert details. These elements make up an alert rule
170
Which of the following is an example of a log data type?
a) Database tables
b) HTTP response records
c) Percentage of CPU over time
d) Website requests per hour
b) HTTP response records
HTTP response records. HTTP response records are examples of log data types.
