- (Exam Topic 6)
You have an Azure virtual machine named VM1.
The network interface for VM1 is configured as shown in the exhibit. (Click the Exhibit tab.)
You deploy a web server on VM1, and then create a secure website that is accessible by using the HTTPS protocol. VM1 is used as a web server only.
You need to ensure that users can connect to the website from the internet. What should you do?
Correct Answer:
B
Rule 2 is blocking HTTPS access (port 443) and has a priority of 500.
Changing Rule 5 (ports 50-5000) and giving it a lower priority number will allow access on port 443.
Note: Rules are processed in priority order, with lower numbers processed before higher numbers, because lower numbers have higher priority. Once traffic matches a rule, processing stops.
References:
https://docs.microsoft.com/en-us/azure/virtual-network/security-overview
- (Exam Topic 6)
You have an Azure Active Directory (Azure AD) tenant.
All administrators must enter a verification code to access the Azure portal.
You need to ensure that the administrators can access the Azure portal only from your on-premises network.
What should you configure?
Correct Answer:
B
the multi-factor authentication service settings - Correct choice
There are two criteria mentioned in the question:
1. MFA required
2. Access from only a specific geographic region/IP range.
To satisfy both requirements, you need MFA with location-based conditional access. Note that this configuration requires an AD Premium account for the Conditional Access policy.
Navigate to Active Directory --> Security --> Conditional Access --> Named Location. Here you can create a policy with a location (on-premises IP range) and enable MFA. This will satisfy the requirements.
an Azure AD Identity Protection user risk policy - Incorrect choice
In Identity Protection, there are three (3) protection policies: User Risk, Sign-In Risk, and MFA Registration. None of them lets you enable a location (on-premises IP range) requirement in any blade.
the default for all the roles in Azure AD Privileged Identity Management - Incorrect choice
This option will not help you restrict users to access only from on-premises.
an Azure AD Identity Protection sign-in risk policy - Incorrect choice
In Identity Protection, there are three (3) protection policies: User Risk, Sign-In Risk, and MFA Registration. None of them lets you enable a location (on-premises IP range) requirement in any blade.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/location-condition
- (Exam Topic 6)
You create a Recovery Services vault backup policy named Policy1 as shown in the following exhibit.
Solution:
Does this meet the goal?
Correct Answer:
A
- (Exam Topic 6)
You have an Azure subscription that contains 10 virtual machines, a key vault named Vault1, and a network security group (NSG) named NSG1. All the resources are deployed to the East US Azure region.
The virtual machines are protected by using NSG1. NSG1 is configured to block all outbound traffic to the internet.
You need to ensure that the virtual machines can access Vault1. The solution must use the principle of least privilege and minimize administrative effort.
What should you configure as the destination of the outbound security rule for NSG1?
Correct Answer:
C
- (Exam Topic 4)
You have an Azure subscription named Subscription1 that contains the resources shown in the following table.
You create virtual machines in Subscription1 as shown in the following table.
You plan to use Vault1 for the backup of as many virtual machines as possible. Which virtual machines can be backed up to Vault1?
Correct Answer:
A
To create a vault to protect virtual machines, the vault must be in the same region as the virtual machines. If you have virtual machines in several regions, create a Recovery Services vault in each region.
References:
https://docs.microsoft.com/bs-cyrl-ba/azure/backup/backup-create-rs-vault