Microsoft AZ-700 Real Exam Questions
The questions for AZ-700 were last updated on Dec 18, 2024.
- Exam Code: AZ-700
- Exam Name: Designing and Implementing Microsoft Azure Networking Solutions
- Certification Provider: Microsoft
- Latest update: Dec 18, 2024
Topic 3, Mix Questions
You have an Azure virtual network that contains two subnets named Subnet1 and Subnet2. Subnet1 contains a virtual machine named VM1. Subnet2 contains a virtual machine named VM2.
You have two network security groups (NSGs) named NSG1 and NSG2. NSG1 has 100 inbound security rules and is associated to VM1. NSG2 has 200 inbound security rules and is associated to Subnet1.
VM2 cannot connect to VM1.
You suspect that an NSG rule blocks connectivity.
You need to identify which rule blocks the connection. The issue must be resolved as quickly as possible.
Which Azure Network Watcher feature should you use?
- A. Effective security rules
- B. Connection troubleshoot
- C. NSG diagnostic
- D. NSG flow logs
HOTSPOT
You have an Azure subscription.
You have the on-premises sites shown in the following table.
You plan to deploy Azure Virtual WAN.
You are evaluating Virtual WAN Basic and Virtual WAN Standard.
Which type of Virtual WAN can you use for each site? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Explanation:
Azure Virtual WAN offers a networking service that brings many networking, security, and routing functionalities together to provide a single operational interface. It supports various connection types like Site-to-Site VPN, Point-to-Site VPN, and ExpressRoute connections. Depending on the Virtual WAN tier (Basic or Standard), certain functionalities and connection types are supported.
Virtual WAN Basic typically supports basic VPN features and connectivity.
Virtual WAN Standard provides all the features of Basic and adds support for ExpressRoute, Point-to-Site (P2S) VPN, and more advanced features such as VPN and ExpressRoute (ER) connectivity, BGP routing, multiple connections, and custom BGP settings.
Given this:
Site1 with 500 users connected via ExpressRoute would require Virtual WAN Standard because Basic does not support ExpressRoute connections.
Site2 with 100 users connected via Site-to-Site VPN could be supported by either Virtual WAN Basic or Standard, as both support Site-to-Site VPN connections. However, considering the number of users and potential need for advanced features, Virtual WAN Standard might be more appropriate.
Site3 with 1 user connected via Point-to-Site VPN would typically only require Virtual WAN Basic, as it’s a single user and Basic supports P2S VPN. However, if advanced features of P2S VPN are required, such as Azure AD authentication, then Virtual WAN Standard would be necessary.
Based on these considerations, here are the selections:
Virtual WAN Basic: Can be used for Site2 and Site3 only.
Virtual WAN Standard: Can be used for Site1, Site2, and Site3.
The selection depends on the specific features and scalability requirements of each site’s connection to Azure. If the only consideration is the type of connectivity, then Basic could suffice for Site2 and Site3, while Standard is required for Site1. However, if advanced features are a consideration, Standard may be the appropriate choice across all sites.
You need to configure GW1 to meet the network security requirements for the P2S VPN users.
Which Tunnel type should you select in the Point-to-site configuration settings of GW1?
- A. IKEv2 and OpenVPN (SSL)
- B. IKEv2
- C. IKEv2 and SSTP (SSL)
- D. OpenVPN (SSL)
- E. SSTP (SSL)
D
Explanation:
Reference: https://docs.microsoft.com/en-us/azure/vpn-gateway/openvpn-azure-ad-tenant
HOTSPOT
You have an Azure subscription that contains a single virtual network and a virtual network gateway. You need to ensure that administrators can use Point-to-Site (P2S) VPN connections to access resources in the virtual network. The connections must be authenticated by Azure Active Directory (Azure AD).
What should you configure? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure application gateway that has Azure Web Application Firewall (WAF) enabled. You configure the application gateway to direct traffic to the URL of the application gateway.
You attempt to access the URL and receive an HTTP 403 error. You view the diagnostics log and discover the following error.
You need to ensure that the URL is accessible through the application gateway.
Solution: You disable the WAF rule that has a ruleId of 920300.
Does this meet the goal?
- A. Yes
- B. No
You plan to deploy an Azure virtual network.
You need to design the subnets.
Which three types of resources require a dedicated subnet? Each correct answer presents a complete solution. NOTE: Each correct selection is worth one point.
- A. VPN gateway
- B. Azure Bastion
- C. Azure Active Directory Domain Services (Azure AD DS)
- D. Azure Application Gateway v2
- E. Azure Private Link
ABD
Explanation:
Reference: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-for-azure-services
Topic 2, Contoso Case Study 2
Overview
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other questions in this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.
To start the case study
To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. If the case study has an All Information tab, note that the information displayed is identical to the information displayed on the subsequent tabs. When you are ready to answer a question, click the Question button to return to the question.
Existing Environment:
Azure Network Infrastructure
Contoso has an Azure Active Directory (Azure AD) tenant named contoso.com.
The Azure subscription contains the virtual networks shown in the following table.
Vnet1 contains a virtual network gateway named GW1.
Azure Virtual Machines
The Azure subscription contains virtual machines that run Windows Server 2019 as shown in the following table.
The NSGs are associated to the network interfaces on the virtual machines. Each NSG has one custom security rule that allows RDP connections from the internet. The firewall on each virtual machine allows ICMP traffic.
An application security group named ASG1 is associated to the network interface of VM1.
Azure Private DNS Zones
The Azure subscription contains the Azure private DNS zones shown in the following table.
Zone1.contoso.com has the virtual network links shown in the following table.
Other Azure Resources
The Azure subscription contains additional resources as shown in the following table.
Requirements:
Virtual Network Requirements
Contoso has the following virtual network requirements:
* Create a virtual network named Vnet6 in West US that will contain the following resources and configurations:
  * Two container groups that connect to Vnet6
  * Three virtual machines that connect to Vnet6
  * Allow VPN connections to be established to Vnet6
  * Allow the resources in Vnet6 to access KeyVault1, DB1, and Vnet1 over the Microsoft backbone network
* The virtual machines in Vnet4 and Vnet5 must be able to communicate over the Microsoft backbone network.
* A virtual machine named VM-Analyze will be deployed to Subnet1. VM-Analyze must inspect the outbound network traffic from Subnet2 to the internet.
Network Security Requirements
Contoso has the following network security requirements:
* Configure Azure Active Directory (Azure AD) authentication for Point-to-Site (P2S) VPN users.
* Enable NSG flow logs for NSG3 and NSG4.
* Create an NSG named NSG10 that will be associated to Vnet1/Subnet1 and will have the custom inbound security rules shown in the following table.
* Create an NSG named NSG11 that will be associated to Vnet1/Subnet2 and will have the custom outbound security rules shown in the following table.
HOTSPOT
You need to meet the network security requirements for the NSG flow logs.
Which type of resource do you need, and how many instances should you create? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
You have 10 Azure App Service instances. Each instance hosts the same web app. Each instance is in a different Azure region.
You need to configure Azure Traffic Manager to direct users to the instance that has the lowest latency.
Which routing method should you use?
- A. geographic
- B. weighted
- C. performance
- D. priority
You have the Azure load balancer shown in the Load Balancer exhibit.
LB2 has the backend pools shown in the Backend Pools exhibit.
You need to ensure that LB2 distributes traffic to all the members of VMSS1.
Which two actions should you perform? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.
- A. Add a network interface to VMSS1.
- B. Configure a health probe.
- C. Add a public IP address to each member of VMSS1.
- D. Add a load balancing rule.
BD
Explanation:
Reference: https://docs.microsoft.com/en-us/azure/load-balancer/quickstart-load-balancer-standard-public-portal?tabs=option-1-create-load-balancer-standard
You fail to establish a Site-to-Site VPN connection between your company’s main office and an Azure virtual network.
You need to troubleshoot what prevents you from establishing the IPsec tunnel.
Which diagnostic log should you review?
- A. IKEDiagnosticLog
- B. GatewayDiagnosticLog
- C. TunnelDiagnosticLog
- D. RouteDiagnosticLog
A
Explanation:
Reference: https://docs.microsoft.com/en-us/azure/vpn-gateway/troubleshoot-vpn-with-azure-diagnostics
IKEDiagnosticLog = The IKEDiagnosticLog table offers verbose debug logging for IKE/IPsec. This is very useful to review when troubleshooting disconnections or failure-to-connect VPN scenarios.
GatewayDiagnosticLog = Configuration changes are audited in the GatewayDiagnosticLog table.
TunnelDiagnosticLog = The TunnelDiagnosticLog table is very useful to inspect the historical connectivity statuses of the tunnel.
RouteDiagnosticLog = The RouteDiagnosticLog table traces the activity for statically modified routes or routes received via BGP.
P2SDiagnosticLog = The last available table for VPN diagnostics is P2SDiagnosticLog. This table traces the activity for Point-to-Site.