Topic 3, Mix Questions

Task 8

You need to ensure that the storage34280945 storage account will only accept connections from hosts on VNET1.


Answer: See the Explanation below for step by step instructions.


Explanation:

Here are the steps and explanations for ensuring that the storage34280945 storage account will only accept connections from hosts on VNET1:
To restrict network access to your storage account, you need to configure the Azure Storage firewall and virtual network settings for your storage account. You can do this in the Azure portal by selecting your storage account and then selecting Networking under Settings.
On the Networking page, select Firewalls and virtual networks, and then select Selected networks under Allow access from. This will block all access to your storage account except from the networks or resources that you specify.
Under Virtual networks, select + Add existing virtual network. Then select VNET1 from the list of virtual networks and select the subnet that contains the hosts that you want to allow access to your storage account. This will enable a service endpoint for Storage in the subnet and configure a virtual network rule for that subnet through the Azure storage firewall.
Select Add to add the virtual network and subnet to your storage account. Select Save to apply your changes.

You have an Azure subscription that contains a virtual network named VNet1. VNet1 contains a subnet named Subnet1. You deploy an instance of Azure Application Gateway v2 named AppGw1 to Subnet1. You create a network security group (NSG) named NSG1 and link NSG1 to Subnet1.
You need to ensure that AppGw1 will only load balance traffic that originates from VNet1. The solution must minimize the impact on the functionality of AppGw1.
What should you add to NSG1?

A. an outbound rule that has a priority of 100 and blocks all internet traffic
B. an outbound rule that has a priority of 4096 and blocks all internet traffic
C. an inbound rule that has a priority of 4096 and blocks all internet traffic
D. an inbound rule that has a priority of 100 and blocks all internet traffic

C. an inbound rule that has a priority of 4096 and blocks all internet traffic



Task 5

You need to ensure that requests for wwwjelecloud.com from any of your Azure virtual networks resolve to frontdoor1.azurefd.net.


Answer: See the Explanation below for step by step instructions.


Explanation:

Here are the steps and explanations for ensuring that requests for wwwjelecloud.com from any of your Azure virtual networks resolve to frontdoor1.azurefd.net:
To use a custom domain with your Azure Front Door, you need to create a CNAME record with your domain provider that points to the Front Door default frontend host. A CNAME record is a type of DNS record that maps a source domain name to a destination domain name.
To create a CNAME record, you need to sign in to your domain registrar’s website and go to the page for managing DNS settings.
Create a CNAME record with the following information:
Save your changes and wait for the DNS propagation to take effect.
To verify the custom domain, you need to go to the Azure portal and select your Front Door profile. Then select Domains under Settings and select Add.
On the Add a domain page, select Non-Azure validated domain as the Domain type and enter wwwjelecloud.com as the Domain name. Then select Add.
On the Domains page, select wwwjelecloud.com and select Verify. This will check if the CNAME record is correctly configured.
Once the domain is verified, you can associate it with your Front Door endpoint.
On the Domains page, select wwwjelecloud.com and select Associate endpoint. Then select your Front Door endpoint from the drop-down list and select Associate.

Task 2

You need to create an Azure Firewall instance named FW1 that meets the following requirements:
• Has an IP address from the address range of 10.1.255.0/24
• Uses a new Premium firewall policy named FW-policy1
• Routes traffic directly to the internet


See the Explanation below for step by step instructions.

Explanation:

To create an Azure Firewall instance, you need to go to the Azure portal and select Create a resource. Type firewall in the search box and press Enter. Select Firewall and then select Create.
To assign an IP address from the address range of 10.1.255.0/24 to the firewall, you need to select a public IP address that belongs to that range. You can either create a new public IP address or use an existing one.
To use a new Premium firewall policy named FW-policy1, you need to select Premium as the Firewall tier and create a new policy with the name FW-policy1. A Premium firewall policy allows you to configure advanced features such as TLS Inspection, IDPS, URL Filtering, and Web Categories.
To route traffic directly to the internet, you need to enable SNAT (Source Network Address Translation) for the firewall. SNAT allows the firewall to use its public IP address as the source address for outbound traffic.

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription that contains the following resources:

* A virtual network named Vnet1
* A subnet named Subnet1 in Vnet1
* A virtual machine named VM1 that connects to Subnet1
* Three storage accounts named storage1, storage2, and storage3

You need to ensure that VM1 can access storage1. VM1 must be prevented from accessing any other storage accounts.
Solution: You create a network security group (NSG) and associate the NSG to Subnet1. Does this meet the goal?

A. Yes
B. No

B. No



You plan to implement an Azure virtual network that will contain 10 virtual subnets. The subnets will use IPv6 addresses. Each subnet will host up to 200 load-balanced virtual machines.
You need to recommend a load balancing solution for the virtual network. The solution must meet the following requirements:
• The virtual machines and the load balancer must be accessible only from the virtual network.
• Costs must be minimized.

What should you include in the recommendation?

A. Basic Azure Load Balancer
B. Azure Application Gateway v1 Azure Application Gateway v2
C. Azure Standard Load Balancer
D. Azure Application Gateway v2

C. Azure Standard Load Balancer



You have an Azure Front Door instance named FD1 that is protected by using Azure Web Application Firewall (WAF).
FD1 uses a frontend host named app1.contoso.com to provide access to Azure web apps hosted in the East US Azure region and the West US Azure region.
You need to configure FD1 to block requests to app1.contoso.com from all countries other than the United States.
What should you include in the WAF policy?

A. a frontend host association
B. a managed rule set
C. a custom rule that uses a rate limit rule
D. a custom rule that uses a match rule

D. a custom rule that uses a match rule



You have an Azure subscription that contains the following resources:

* A virtual network named Vnet1
* Two subnets named subnet1 and AzureFirewallSubnet
* A public Azure Firewall named FW1
* A route table named RT1 that is associated to Subnet1
* A rule routing of 0.0.0.0/0 to FW1 in RT1

After deploying 10 servers that run Windows Server to Subnet1, you discover that none of the virtual machines were activated.
You need to ensure that the virtual machines can be activated. What should you do?

A. Deploy an application security group that allows outbound traffic to 1688.
B. Deploy an Azure Standard Load Balancer that has an outbound NAT rule.
C. On FW1, configure a DNAT rule for port 1688.
D. Add an internet route to RT1 for the Azure Key Management Service (KMS).

D. Add an internet route to RT1 for the Azure Key Management Service (KMS).



You have 10 Azure App Service instances. Each instance hosts the same web app. Each instance is in a different Azure region.
You need to configure Azure Traffic Manager to direct users to the instance that has the lowest latency.
Which routing method should you use?

A. geographic
B. weighted
C. performance
D. priority

D. priority



You fail to establish a Site-to-Site VPN connection between your company's main office and an Azure virtual network.
You need to troubleshoot what prevents you from establishing the IPsec tunnel.
Which diagnostic log should you review?

A. IKEDiagnosticLog
B. GatewayDiagnosticLog
C. TunnelDiagnosticLog
D. RouteDiagnosticLog

A. IKEDiagnosticLog


