- (Exam Topic 5)
You have two subscriptions named Subscription1 and Subscription2. Each subscription is associated with a different Azure AD tenant.
Subscription1 contains a virtual network named VNet1. VNet1 contains an Azure virtual machine named VM1 and has an IP address space of 10.0.0.0/16.
Subscription2 contains a virtual network named VNet2. VNet2 contains an Azure virtual machine named VM2 and has an IP address space of 10.10.0.0/24.
You need to connect VNet1 to VNet2. What should you do first?
Correct Answer:
C
The virtual networks can be in the same or different regions, and from the same or different subscriptions. When connecting VNets from different subscriptions, the subscriptions do not need to be associated with the same Azure AD tenant. The address spaces of the two VNets must not overlap; here 10.0.0.0/16 and 10.10.0.0/24 do not.
Configuring a VNet-to-VNet connection is a simple way to connect VNets. Connecting a virtual network to another virtual network with the VNet-to-VNet connection type (VNet2VNet) is similar to creating a Site-to-Site IPsec connection to an on-premises location. Both connection types use a VPN gateway to provide a secure tunnel using IPsec/IKE, and both function the same way when communicating. Either way, each VNet needs its own virtual network gateway (in a subnet named GatewaySubnet) before a connection can be created.
The two types differ in how the local network gateway is configured. With a VNet-to-VNet connection, the local network gateway address space is created and populated automatically, and an update to one VNet's address space is routed by the other automatically. If you instead connect the VNets with a Site-to-Site connection, the local network gateway for each VNet treats the other VNet as a local site; this lets you specify additional address space for the local network gateway in order to route traffic.
References:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-vnet-vnet-resource-manager-portal
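The procedure above carried out with Az PowerShell, as an added example that is not part of the original page or Microsoft's documentation. Resource group names (RG1, RG2), the region, gateway names, GatewaySubnet prefixes and the tenant/subscription IDs are placeholders, and the script assumes a single account that can sign in to both tenants (for example as a guest user) with Network Contributor on both VNets.

```powershell
# Added example: VNet-to-VNet connection between VNet1 (Subscription1, tenant A) and
# VNet2 (Subscription2, tenant B). All names and IDs below are assumptions.
$Tenant1 = '<tenant-1-id>'; $Sub1 = '<subscription-1-id>'
$Tenant2 = '<tenant-2-id>'; $Sub2 = '<subscription-2-id>'
$Location = 'eastus'

# IPsec/IKE pre-shared key: generate it, do not hard-code one in a script you commit.
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$SharedKey = ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''

function New-VpnGatewayForVnet {
    param($VnetName, $ResourceGroup, $GatewaySubnetPrefix, $GatewayName)
    # A VPN gateway must live in a subnet literally named GatewaySubnet (/27 or larger recommended).
    $vnet = Get-AzVirtualNetwork -Name $VnetName -ResourceGroupName $ResourceGroup
    if (-not ($vnet.Subnets | Where-Object Name -eq 'GatewaySubnet')) {
        Add-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix $GatewaySubnetPrefix -VirtualNetwork $vnet | Out-Null
        $vnet = Set-AzVirtualNetwork -VirtualNetwork $vnet
    }
    $gwSubnet = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet
    $pip = New-AzPublicIpAddress -Name "$GatewayName-pip" -ResourceGroupName $ResourceGroup -Location $Location `
        -AllocationMethod Static -Sku Standard
    $ipConf = New-AzVirtualNetworkGatewayIpConfig -Name 'gwipconfig1' -SubnetId $gwSubnet.Id -PublicIpAddressId $pip.Id
    # Route-based VPN gateway; provisioning typically takes 30-45 minutes.
    New-AzVirtualNetworkGateway -Name $GatewayName -ResourceGroupName $ResourceGroup -Location $Location `
        -IpConfigurations $ipConf -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1
}

Connect-AzAccount | Out-Null   # assumption: this account is present in both tenants

# Step 1: provision a virtual network gateway in each VNet. The GatewaySubnet prefixes
# are carved out of each VNet's own range (10.0.0.0/16 and 10.10.0.0/24), which do not overlap.
Set-AzContext -Tenant $Tenant1 -Subscription $Sub1 | Out-Null
$gw1 = New-VpnGatewayForVnet -VnetName 'VNet1' -ResourceGroup 'RG1' -GatewaySubnetPrefix '10.0.255.0/27' -GatewayName 'VNet1GW'

Set-AzContext -Tenant $Tenant2 -Subscription $Sub2 | Out-Null
$gw2 = New-VpnGatewayForVnet -VnetName 'VNet2' -ResourceGroup 'RG2' -GatewaySubnetPrefix '10.10.0.224/27' -GatewayName 'VNet2GW'

# Step 2: one connection per side, each referencing the other gateway by its resource ID,
# with the same shared key on both sides. The cross-tenant gateway object must be readable
# by the signed-in account or the request is rejected.
New-AzVirtualNetworkGatewayConnection -Name 'VNet2toVNet1' -ResourceGroupName 'RG2' -Location $Location `
    -VirtualNetworkGateway1 $gw2 -VirtualNetworkGateway2 $gw1 -ConnectionType Vnet2Vnet -SharedKey $SharedKey | Out-Null

Set-AzContext -Tenant $Tenant1 -Subscription $Sub1 | Out-Null
New-AzVirtualNetworkGatewayConnection -Name 'VNet1toVNet2' -ResourceGroupName 'RG1' -Location $Location `
    -VirtualNetworkGateway1 $gw1 -VirtualNetworkGateway2 $gw2 -ConnectionType Vnet2Vnet -SharedKey $SharedKey | Out-Null

# Check: ConnectionStatus should read 'Connected' once IKE negotiation completes (it starts as 'Unknown').
Get-AzVirtualNetworkGatewayConnection -Name 'VNet1toVNet2' -ResourceGroupName 'RG1' |
    Select-Object Name, ConnectionType, ConnectionStatus
```

Both connections must exist before the tunnel comes up; creating only one side leaves the status at NotConnected. After the tunnel is up, the VMs still need NSG rules that permit the cross-VNet traffic, since the gateway only provides the path.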
- (Exam Topic 5)
You have a public load balancer that balances ports 80 and 443 across three virtual machines. You need to direct all the Remote Desktop Protocol (RDP) connections to VM3 only. What should you configure?
Correct Answer:
C
To port forward traffic to a specific port on specific VMs, use an inbound network address translation (NAT) rule.
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-overview
an inbound NAT rule : Correct Choice
Create a load balancer inbound network address translation (NAT) rule to forward traffic from a specific port of the front-end IP address to a specific port of a back-end VM. Here that means frontend TCP port 3389 mapped to port 3389 on VM3, which leaves the existing load balancing rules for ports 80 and 443 untouched. The NAT rule only decides where the load balancer sends the packets; the network security group on VM3's subnet or NIC must still allow TCP 3389 from the intended sources.
Hence this option is correct.
a load balancing rule : Incorrect Choice
A load balancing rule defines how traffic is distributed to the VMs. The rule defines the front-end IP configuration for incoming traffic, the back-end IP pool to receive the traffic, and the required source and destination ports. It spreads connections across the pool rather than sending them to a single VM.
a new public load balancer for VM3 : Incorrect Choice
This option will not help you, since a second load balancer would route all of its traffic to VM3 only.
a frontend IP configuration : Incorrect Choice
When you define an Azure Load Balancer, a frontend and a backend pool configuration are connected with rules. The health probe referenced by the rule is used to determine how new flows are sent to a node in the backend pool. The frontend (aka VIP) is defined by a 3-tuple comprised of an IP address (public or internal), a transport protocol (UDP or TCP), and a port number from the load balancing rule. The backend pool is a collection of virtual machine IP configurations (part of the NIC resource) which reference the load balancer backend pool. A frontend IP configuration on its own does not select a backend VM.
References:
https://docs.microsoft.com/en-us/azure/load-balancer/tutorial-load-balancer-port-forwarding-portal
https://pixelrobots.co.uk/2017/08/azure-load-balancer-for-rds/
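The inbound NAT rule from the explanation above, created and bound to VM3 with Az PowerShell, as an added example that is not part of the original page. The resource group (RG1), load balancer name (LB1), VM3's NIC name (vm3-nic) and its IP configuration name (ipconfig1) are assumptions.

```powershell
# Added example: forward RDP arriving on the public load balancer to VM3 only.
# Names below are assumptions.
$rg = 'RG1'
$lb = Get-AzLoadBalancer -Name 'LB1' -ResourceGroupName $rg

# An inbound NAT rule maps one frontend port to one backend port on one VM. It is separate
# from the load balancing rules, so the existing 80/443 distribution across the pool is untouched.
Add-AzLoadBalancerInboundNatRuleConfig -LoadBalancer $lb -Name 'RDP-VM3' `
    -FrontendIpConfiguration $lb.FrontendIpConfigurations[0] `
    -Protocol Tcp -FrontendPort 3389 -BackendPort 3389 | Out-Null
$lb = Set-AzLoadBalancer -LoadBalancer $lb

# The rule only takes effect once a backend NIC IP configuration references it; bind it to VM3's NIC.
$natRule  = Get-AzLoadBalancerInboundNatRuleConfig -LoadBalancer $lb -Name 'RDP-VM3'
$nic      = Get-AzNetworkInterface -Name 'vm3-nic' -ResourceGroupName $rg
$ipConfig = $nic.IpConfigurations | Where-Object Name -eq 'ipconfig1'
$ipConfig.LoadBalancerInboundNatRules.Add($natRule)
Set-AzNetworkInterface -NetworkInterface $nic | Out-Null

# Check 1: VM3's NIC now lists the NAT rule (and no other NIC does).
(Get-AzNetworkInterface -Name 'vm3-nic' -ResourceGroupName $rg).IpConfigurations |
    ForEach-Object { $_.LoadBalancerInboundNatRules.Id }

# Check 2: the public IP that RDP clients must target is the load balancer's frontend.
$frontendPipId = $lb.FrontendIpConfigurations[0].PublicIpAddress.Id
(Get-AzPublicIpAddress -ResourceGroupName $rg | Where-Object Id -eq $frontendPipId).IpAddress
```

The NSG on VM3's subnet or NIC must permit TCP 3389 from the administrators' source ranges for the forwarded session to reach the VM. Exposing RDP on a public frontend is a standing attack surface; restricting the NSG source prefix to known management addresses, or fronting RDP with Azure Bastion instead, is the usual hardening step once the port forwarding itself is in place.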
- (Exam Topic 6)
You create the following resources in an Azure subscription:
• An Azure Container Registry instance named Registry1.
• An Azure Kubernetes Service (AKS) cluster named Cluster1.
You create a container image named App1 on your administrative workstation. You need to deploy App1 to Cluster1. What should you do first?
Correct Answer:
B
Run the az acr build command : Correct Choice
The az acr build command queues a quick build, providing streaming logs for an Azure Container Registry. Its usage is:
    az acr build --registry
                 [--agent-pool]
                 [--auth-mode {Default, None}]
                 [--build-arg]
                 [--file]
                 [--image]
                 [--no-format]
                 [--no-logs]
                 [--no-push]
                 [--no-wait]
                 [--platform]
                 [--resource-group]
                 [--secret-build-arg]
                 [--subscription]
                 [--target]
                 [--timeout] [
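The full path from the workstation to Cluster1, as an added example that is not from the original page: build App1 in Registry1 with az acr build, give the cluster pull rights on the registry, and deploy the image pinned by digest. It assumes a resource group RG1, a Dockerfile in the current directory, the tag app1:v1, an image that listens on port 8080 and runs as a non-root user, and az CLI plus kubectl installed in the PowerShell session.

```powershell
# Added example: build App1 into Registry1 and deploy it to Cluster1. Names are assumptions.
$rg = 'RG1'; $registry = 'Registry1'; $cluster = 'Cluster1'
$image = 'app1:v1'

# 1. Build inside the registry (no local Docker daemon needed) and push the result.
#    The build context is the current directory; --file selects the Dockerfile.
az acr build --registry $registry --resource-group $rg --image $image --file Dockerfile .
if ($LASTEXITCODE -ne 0) { throw 'az acr build failed' }

# 2. Grant the cluster's kubelet identity AcrPull on Registry1, so no imagePullSecret
#    (that is, no stored registry password) is needed in the cluster.
az aks update --name $cluster --resource-group $rg --attach-acr $registry
if ($LASTEXITCODE -ne 0) { throw 'attaching the registry to the cluster failed' }

# 3. Resolve the immutable digest and deploy by digest rather than by mutable tag,
#    so a later push of the same tag cannot silently change what the cluster runs.
$loginServer = az acr show --name $registry --query loginServer -o tsv
$digest      = az acr repository show --name $registry --image $image --query digest -o tsv
$ref         = "$loginServer/app1@$digest"

az aks get-credentials --name $cluster --resource-group $rg --overwrite-existing
@"
apiVersion: apps/v1
kind: Deployment
metadata:
  name: app1
spec:
  replicas: 2
  selector:
    matchLabels: { app: app1 }
  template:
    metadata:
      labels: { app: app1 }
    spec:
      securityContext:
        runAsNonRoot: true          # assumption: the image defines a non-root USER
      containers:
      - name: app1
        image: $ref
        ports:
        - containerPort: 8080
        securityContext:
          allowPrivilegeEscalation: false
"@ | kubectl apply -f -

# Check: pods should reach Running. ImagePullBackOff here usually means step 2 did not
# apply (or the kubelet identity lacks AcrPull); CreateContainerConfigError with runAsNonRoot
# means the image runs as root and the assumption above does not hold.
kubectl rollout status deployment/app1
kubectl get pods -l app=app1 -o wide
```

az acr build pushes the image as part of the build, which is why a separate docker push is not required; --no-push would skip that and leave nothing for the cluster to pull.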
- (Exam Topic 6)
You have an Azure virtual machine named VM1.
The network interface for VM1 is configured as shown in the exhibit. (Click the Exhibit tab.)
You deploy a web server on VM1, and then create a secure website that is accessible by using the HTTPS protocol. VM1 is used as a web server only.
You need to ensure that users can connect to the website from the internet. What should you do?
Correct Answer:
B
Rule 2 is blocking HTTPS access (port 443) and has a priority of 500.
Changing Rule 5 (ports 50-5000) so that it has a lower priority number than 500 will allow access on port 443. Note: rules are processed in priority order, with lower numbers processed before higher numbers, because lower numbers have higher priority. Once traffic matches a rule, processing stops. Priorities must be between 100 and 4096 and unique within the NSG.
Because VM1 is a web server only, the least-privilege way to meet the requirement is an allow rule for TCP 443 alone with a priority number below 500; reordering a rule that spans ports 50-5000 opens far more than the website needs.
References:
https://docs.microsoft.com/en-us/azure/virtual-network/security-overview
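The dedicated allow rule described above, placed ahead of the deny at priority 500 and verified from VM1's effective rules, as an added example that is not part of the original page. The resource group (RG1), the NSG name (VM1-nsg) and the NIC name (vm1-nic) are assumptions; the deny rule's priority of 500 comes from the explanation.

```powershell
# Added example: allow HTTPS to VM1 with a dedicated NSG rule evaluated before the deny at 500.
# Names are assumptions.
$rg  = 'RG1'
$nsg = Get-AzNetworkSecurityGroup -Name 'VM1-nsg' -ResourceGroupName $rg

# Priority must be 100-4096 and unique per direction; take the lowest free value below 500
# so the new allow is evaluated before Rule 2 and processing stops there for port 443.
$used     = $nsg.SecurityRules | Where-Object Direction -eq 'Inbound' | ForEach-Object Priority
$priority = (100..499 | Where-Object { $_ -notin $used })[0]
if ($null -eq $priority) { throw 'No free inbound priority below 500' }

Add-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name 'Allow-HTTPS-Internet' `
    -Description 'Public HTTPS to the web server; nothing else is opened' `
    -Direction Inbound -Access Allow -Priority $priority -Protocol Tcp `
    -SourceAddressPrefix Internet -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange 443 | Out-Null
$nsg = Set-AzNetworkSecurityGroup -NetworkSecurityGroup $nsg

# Check 1: inbound rules in evaluation order; the new allow must appear above the port-443 deny.
$nsg.SecurityRules | Where-Object Direction -eq 'Inbound' | Sort-Object Priority |
    Select-Object Priority, Name, Access, Protocol, DestinationPortRange | Format-Table -AutoSize

# Check 2: effective rules as the VM's NIC sees them (subnet-level and NIC-level NSGs combined).
# A subnet NSG that still denies 443 would show up here even though the NIC NSG now allows it.
Get-AzEffectiveNetworkSecurityGroup -NetworkInterfaceName 'vm1-nic' -ResourceGroupName $rg |
    ForEach-Object { $_.EffectiveSecurityRules } |
    Where-Object Direction -eq 'Inbound' | Sort-Object Priority |
    Select-Object Priority, Name, Access, DestinationPortRange | Format-Table -AutoSize
```

The second check matters because an NSG can be attached at the subnet and at the NIC; traffic must be allowed by both, so fixing one and not the other still leaves the site unreachable.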
- (Exam Topic 6)
You have an Azure Active Directory (Azure AD) tenant.
All administrators must enter a verification code to access the Azure portal.
You need to ensure that the administrators can access the Azure portal only from your on-premises network.
What should you configure?
Correct Answer:
B
Correct choice: a Conditional Access policy that uses a named location for the on-premises network. There are two criteria in the question:
* 1. MFA required
* 2. Access only from a specific geographic region/IP range.
To satisfy both requirements you need MFA together with a location-based Conditional Access policy. Note that Conditional Access requires an Azure AD Premium P1 (or P2) license. The trusted IPs feature in the multi-factor authentication service settings is not sufficient on its own: it only exempts sign-ins from the listed on-premises ranges from MFA, it does not block sign-ins from anywhere else.
Navigate to Azure Active Directory --> Security --> Conditional Access --> Named locations and define the on-premises public IP range as a named location. Then create a policy that targets the administrators and the Azure portal, blocks access from all locations except that named location, and requires MFA. This satisfies both requirements.
an Azure AD Identity Protection user risk policy - Incorrect choice
Identity Protection has three policies: user risk, sign-in risk and MFA registration. None of them lets you set a location (on-premises IP range) requirement.
the default for all the roles in Azure AD Privileged Identity Management - Incorrect choice
This option will not help you restrict administrators to accessing the portal only from on-premises.
an Azure AD Identity Protection sign-in risk policy - Incorrect choice
Identity Protection has three policies: user risk, sign-in risk and MFA registration. None of them lets you set a location (on-premises IP range) requirement.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/location-condition
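The named location and the two policies described above, created with the Microsoft Graph PowerShell SDK, as an added example that is not part of the original page. The on-premises egress range 203.0.113.0/24 and the emergency-access account's object ID are placeholders; "administrators" is taken to mean every directory role whose name ends in "Administrator", which is an assumption; the signed-in admin needs the Graph permissions requested in the first line and the tenant needs Azure AD Premium P1. The application ID used is Microsoft Azure Management, the cloud app that covers the Azure portal.

```powershell
# Added example: restrict admins' Azure portal access to the on-premises range and require MFA.
# Placeholders and assumptions are marked inline.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Directory.Read.All'

$onPremCidr     = '203.0.113.0/24'                          # placeholder: on-premises public egress range
$breakGlassId   = '<object-id-of-emergency-access-account>' # placeholder; always excluded from a block policy
$azureMgmtAppId = '797f4846-ba00-4fd7-ba43-dac1f8f63013'    # Microsoft Azure Management (Azure portal / ARM)

# Assumption: "administrators" = all directory roles named *Administrator (Global, User, Security, ...).
$adminRoleIds = Get-MgDirectoryRoleTemplate | Where-Object DisplayName -like '*Administrator' | ForEach-Object Id

# 1. Named location for the on-premises IP range(s).
$loc = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type' = '#microsoft.graph.ipNamedLocation'
    displayName   = 'On-premises network'
    isTrusted     = $true
    ipRanges      = @(@{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = $onPremCidr })
}

# 2. Block admins from the Azure portal everywhere except that location.
#    Report-only first: a block policy that misfires locks the admins out, so watch the
#    sign-in log for an off-network test session before switching state to 'enabled'.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = 'Admins: block Azure portal outside on-premises'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users        = @{ includeRoles = $adminRoleIds; excludeUsers = @($breakGlassId) }
        applications = @{ includeApplications = @($azureMgmtAppId) }
        locations    = @{ includeLocations = @('All'); excludeLocations = @($loc.Id) }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
} | Out-Null

# 3. Require MFA for the same admins on the same app (the verification-code requirement).
#    Kept as a separate policy so the MFA requirement does not depend on location.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = 'Admins: require MFA for Azure portal'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users        = @{ includeRoles = $adminRoleIds; excludeUsers = @($breakGlassId) }
        applications = @{ includeApplications = @($azureMgmtAppId) }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
} | Out-Null

# Check: both policies exist in report-only state; flip them to 'enabled' only after the
# sign-in log shows the expected "would block" / "would require MFA" results.
Get-MgIdentityConditionalAccessPolicy | Select-Object DisplayName, State
```

The exclusion of the emergency-access account from the block policy is deliberate: if the on-premises egress IP changes, every administrator would otherwise be locked out of the portal with no in-band way to edit the policy.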