- (Exam Topic 6)
You have an Azure subscription named Subscription1 that contains the resources in the following table.
VM1 and VM2 run the websites in the following table.
AppGW1 has the backend pools in the following table.
DNS resolves site1.contoso.com, site2.contoso.com, and site3.contoso.com to the IP address of AppGW1. AppGW1 has the listeners in the following table.
AppGW1 has the rules in the following table.
For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.
Solution:
Vm1 is in Pool1. Rule2 applies to Pool1, Listener 2, and site2.contoso.com
Does this meet the goal?
Correct Answer:
A
- (Exam Topic 6)
You have an Azure subscription named Subscription1 that contains the resources shown in the following table.
The status of VM1 is Running.
You assign an Azure policy as shown in the exhibit. (Click the Exhibit tab.)
You assign the policy by using the following parameters:
For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.
Solution:
Not allowed resource types (Deny): Prevents a list of resource types from being deployed. This means this policy specifically prevents a list of resource types from being deployed. So that refers that except deployment all the other operations like start/stop or move etc. are not prevented. But to be noted if the resource already exists, it just marks it as non-compliant.
Replicated this scenario in LAB keeping VM running and below are the outcome :
· VM is not deallocated
· Able to stop and start VM successfully.
· Not able to create new virtual network or VM.
· Not able to modify VM size.
· Not able change the address space of the virtual network.
· Successfully moved virtual network and VM in another resource group. Statement 1 : Yes
Based on above experiment the policy will mark the VNET1 as non-compliant but it can be moved to RG2 . Hence this statement is true.
Statement 2 : No
Based on above experiment the policy will mark the VM as non-compliant but it will still be running, not deallocated. Hence this statement is False.
Statement 3 : No
Based on above experiment the address space for VNET2 can not be modified. Hence this statement is False.
Reference:
https://docs.microsoft.com/en-us/azure/governance/policy/assign-policy-portal
Does this meet the goal?
Correct Answer:
A
- (Exam Topic 4)
You plan to deploy an Azure container instance by using the following Azure Resource Manager template.
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the template.
Solution:
Box 1: can connect to the container from any device
In the policy "osType": "window" refer that it will create a container in a container group that runs Windows but it won't block access depending on device type.
Box 2: the container will restart automatically
Docker provides restart policies to control whether your containers start automatically when they exit, or wh Docker restarts. Restart policies ensure that linked containers are started in the correct order. Docker recommends that you use restart policies, and avoid using process managers to start containers.
on-failure : Restart the container if it exits due to an error, which manifests as a non-zero exit code. As the flag is mentioned as "on-failure" in the policy, so it will restart automatically
Reference:
https://docs.microsoft.com/en-us/cli/azure/container?view=azure-cli-latest https://docs.docker.com/config/containers/start-containers-automatically/
Does this meet the goal?
Correct Answer:
A
- (Exam Topic 4)
You have an Azure subscription that contains an Azure Active Directory (Azure AD) tenant named contoso.com and an Azure Kubernetes Service (AKS) cluster named AKS1.
An administrator reports that she is unable to grant access to AKS1 to the users in contoso.com. You need to ensure that access to AKS1 can be granted to the contoso.com users.
What should you do first?
Correct Answer:
B
With Azure AD-integrated AKS clusters, you can grant users or groups access to Kubernetes resources within a namespace or across the cluster. To obtain a kubectl configuration context, a user can run the az aks get-credentials command. When a user then interacts with the AKS cluster with kubectl, they're prompted to sign in with their Azure AD credentials. This approach provides a single source for user account management and password credentials. The user can only access the resources as defined by the cluster administrator.
Azure AD authentication is provided to AKS clusters with OpenID Connect. OpenID Connect is an identity layer built on top of the OAuth 2.0 protocol. For more information on OpenID Connect, see the Open ID connect documentation. From inside of the Kubernetes cluster, Webhook Token Authentication is used to verify authentication tokens. Webhook token authentication is configured and managed as part of the AKS cluster.
Reference:
https://kubernetes.io/docs/reference/access-authn-authz/authentication/ https://docs.microsoft.com/en-us/azure/aks/concepts-identity
- (Exam Topic 4)
You have an Azure subscription that contains an Azure Active Directory (Azure AD) tenant named adatum.com. The tenant contains 500 user accounts.
You deploy Microsoft Office 365. You configure Office 365 to use the user accounts in adatum.com. You configure 60 users to connect to mailboxes in Microsoft Exchange Online.
You need to ensure that the 60 users use Azure Multi-Factor Authentication (MFA) to connect to the Exchange Online mailboxes. The solution must only affect connections to the Exchange Online mailboxes.
What should you do?
Correct Answer:
A
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates
