Microsoft Practice Questions, Discussions & Exam Topics by our Authors
SIMULATION -
You need to configure Azure to allow RDP connections from the Internet to a virtual machine named VM1. The solution must minimize the attack s...
To allow RDP (Remote Desktop Protocol) connections from the Internet to a virtual machine (VM1) in Azure, while minimizing the attack surface, we need to ensure that the solution is secure yet functional. Let’s evaluate the available methods in the context of Azure's capabilities:
Options for RDP Connections:
1. Enable a Public IP for VM1 and open the RDP port (3389) on the network security group (NSG):
- This is the simplest solution, where you assign a public IP to the virtual machine and open port 3389 in the Network Security Group (NSG) to allow RDP connections. However, this is not the most secure approach because exposing RDP directly to the Internet increases the attack surface. Attackers can potentially exploit weaknesses in the RDP protocol or brute-force login attempts.
2. Use a Bastion Host to RDP into VM1:
- Azure Bastion is the most secure solution. It provides a jump server that allows you to RDP into VM1 without exposing RDP ports directly to the Internet. This approach minimizes the attack surface by using Azure's internal network to access the VM and eliminates the need to open ports directly to the Internet. Azure Bastion provides a secure way to c...
Author: Sara · Last updated May 18, 2026
SIMULATION -
You need to add the network interface of a virtual machine named VM1 to an application security group named ASG...
To add the network interface of a virtual machine (VM1) to an Application Security Group (ASG1), we need to go through the correct steps in the Azure portal. Let’s review the options and identify the most appropriate solution:
Key Considerations:
- Application Security Groups (ASG) are used to group network interfaces (NICs) of virtual machines based on application needs for easier security management.
- VM1's network interface must be added to the correct ASG, which can help control network traffic based on application-level security needs.
Options:
1. Navigate to VM1’s network interface and associate it with ASG1:
- This is the correct solution. You can directly associate a VM’s network interface with an existing Application Security Group by going to the Network Interface configuration in the Azure portal. In the NIC settings, there will be an option to add the NIC to an Application Security Group (ASG). This approach correctly links the NIC to the ASG, ensuring that network security policies based on ASGs can be applied to that NIC.
2. Create a new network interface and associate it with ASG1:
- While creating a new network interface and associating it with ASG1 is a valid approach for adding new interfaces to ASGs, it does not address the specific task of adding VM1's existing network interface to ASG1. This step involv...
Author: Liam123 · Last updated May 18, 2026
SIMULATION -
You need to perform a full malware scan every Sunday at 02:00 on a virtual machine named VM1 by using Microsoft Antimalware for Virtua...
To perform a full malware scan on a virtual machine (VM1) every Sunday at 02:00 using Microsoft Antimalware for Virtual Machines in Azure, you need to configure a scheduled scan.
Let’s break down the steps and options to accomplish this task:
Key Considerations:
- Microsoft Antimalware for Virtual Machines provides real-time protection against malware on Azure VMs.
- You need to schedule the scan to run weekly on Sundays at 02:00. This can be accomplished by configuring Azure Automation with Runbooks to schedule the scan at the desired time.
- You would also need to ensure that Microsoft Antimalware is installed and enabled on VM1 to ensure the scanning functionality is available.
Options:
1. Configure a custom Azure Automation Runbook to schedule the scan:
- Correct Solution: You can create a custom Runbook in Azure Automation that executes a PowerShell or Azure CLI script to trigger a full malware scan using Microsoft Antimalware for Virtual Machines. The Runbook can be scheduled to run every Sunday at 02:00 AM. This option gives you full control over the timing and execution of the scan and allows you to integrate additional functionality if needed.
2. Use the Azure Security Center to configure the scan schedule:
- Incorrect Solution: While Azure Security Center can be used for monitoring and recommending security improvements, it does not provide the direct capability to schedule and trigger full malware scans on a recurring basis. Secur...
Author: CrystalWolfX · Last updated May 18, 2026
SIMULATION -
You need to prevent administrative users from accidentally deleting a virtual network named VNET1. The administrative users must be allowed to modify the...
To prevent administrative users from accidentally deleting a virtual network named VNET1 while still allowing them to modify its settings, you can use Azure role-based access control (RBAC) and implement Azure Locks. Specifically, Resource Locks can be applied to the virtual network to prevent deletion while still allowing modifications.
Here's how the options break down:
1. RBAC (Role-Based Access Control):
- Role Assignment: Administrators can be assigned a role like Contributor or Owner for the virtual network, which allows them to modify the settings.
- However, the Contributor or Owner role would typically allow users to delete the resource, which is not what you want.
- Why it’s rejected: While it allows modification, it doesn’t prevent accidental deletion. RBAC alone cannot prevent deletion of resources.
2. Azure Resource Lock:
- Read-only Lock: This lock prevents any modifications to the resource, meaning users can't change settings or configurations. This doesn't meet the requirement since administrative users must be allowed to modify the settings.
- Delete Lock: This lock prevents the resource from being deleted but still allows modifications to the resource. This is the most suitable option, as it ensures that administrators cannot delete the vir...
Author: NebulaEagle11 · Last updated May 18, 2026
SIMULATION -
You need to grant the required permissions to a user named User2-1234578 to manage the virtual networks in the RG1lod1234578 resource group. The solution must use the pri...
To grant the required permissions to User2-1234578 for managing the virtual networks in the RG1lod1234578 resource group while adhering to the principle of least privilege, we need to assign a role that provides the minimum necessary permissions to manage virtual networks, but not more.
Options Breakdown:
1. Owner Role:
- The Owner role gives full access to manage everything in the resource group, including the ability to assign roles to other users. This is not aligned with the principle of least privilege, as it grants more permissions than required.
- Why it’s rejected: The Owner role provides broad permissions (full control over all resources), which violates the principle of least privilege, as User2-1234578 only needs to manage virtual networks.
2. Contributor Role:
- The Contributor role allows a user to manage all resources in the resource group, but it doesn't grant the ability to assign roles or manage access. While this might seem appropriate, it grants more permissions than needed since we only need to focus on virtual networks.
- Why it’s rejected: It gives broad permissions for all resources in the resource group, which exceeds the specific need to manage virtual networks.
3. Network Contributor Role:
- The Network Contributor role is designed specifically for managing network resources (like virtual networks) but does not grant permissions to manage other types of resources within the resource group. It allows the user to create, upd...
Author: Amelia · Last updated May 18, 2026
SIMULATION -
You need to ensure that only devices connected to a 131.107.0.0/16 subnet can access data in the rg1lod1234578 Azure Storage a...
To ensure that only devices connected to the 131.107.0.0/16 subnet can access data in the rg1lod1234578 Azure Storage account, we need to configure network-level access restrictions. Specifically, the best solution is to use Azure Storage Account Firewall and Virtual Networks to allow access only from the specific subnet.
Options Breakdown:
1. Allow Trusted Microsoft Services:
- This option allows access to the storage account from trusted Microsoft services, such as Azure Backup or Azure Site Recovery, regardless of the IP address.
- Why it’s rejected: This does not restrict access to a specific subnet or range of IP addresses. It provides broader access for Microsoft services, which is not what is required here.
2. IP-Based Firewall Rules:
- You can configure the storage account firewall to allow traffic only from specific IP address ranges, such as 131.107.0.0/16. This option allows you to set network-level restrictions on who can access the storage account based on IP address.
- Why it’s selected: The IP-Based Firewall Rules option allows you to restrict access to a specific IP range or subnet, which is exactly what is required in this scenario. It ensures that only devices in the 131.107.0.0/16 subnet can access the storage account.
3. Virtual Network Service Endpoints:
- Virtual Network Service Endpoints allow you to extend your virtual network’s private address space to the Azure Storage account, securing access from only the specified virtual network.
- Why it’s rejected: While Service Endpoints ensure secure access to res...
Author: Noah · Last updated May 18, 2026
HOTSPOT -
You create resources in an Azure subscription as shown in the following table.
VNET1 contains two subnets named Subnet1 and Subnet2. Subnet1 has a network ID of 10.0.0.0/24. Subnet2 has a network ID of 10.1.1.0/24.
Contoso1901 is configured as shown in the exhibit. (Click the Exhibit tab.)
For each of the f...
Author: Sofia · Last updated May 18, 2026
You have an Azure subscription that contains the virtual machines shown in the following table.
All the virtual networks are peered.
You deploy Azure Bastion t...
To determine which virtual machines (VMs) can be protected by Azure Bastion deployed in VNET2, we need to consider the following:
Key Factors:
1. Azure Bastion is deployed in VNET2, so it can only directly protect VMs that are within VNET2 or VMs that can be accessed through peering from VNET2. The Bastion host allows secure RDP and SSH access to VMs over the Azure Portal, without needing a public IP.
2. Virtual Network Peering allows traffic between peered virtual networks. However, just because VNETs are peered doesn’t automatically mean that Bastion in one VNET can manage or access all VMs in other VNETs. Bastion can access VMs in a peered VNET only if proper routing and network security rules (like NSGs) allow for traffic between the VNETs.
Scenarios for Each Option:
- VM1 (VNET1): If VM1 is in VNET1 and VNET1 is peered with VNET2, Bastion in VNET2 might be able to access VM1. However, the access still depends on specific settings like network security group (NSG) rules and routing between the peered VNETs. If VNET1 is properly peered with VNET2 and NSGs permit traffic, then Bastion in VNET2 can protect VM1.
- VM2 (VNET2): VM2 is in the same VNET2 as the Bastion host. Therefore, Bastion in VNET2 can directly access VM2 without any issues.
- VM3 (VNET3): If VM3 is in VNET3 and VNET3 is peered with VNET2, Bastion in VNET2 can access VM3, provided the network security rules and routing allow traffic between these two VNETs.
- VM4 (VNET4): Similarly, VM4 is in VNET4, and if V...
Author: Suresh · Last updated May 18, 2026
SIMULATION -
You need to prevent administrative users from accidentally deleting a virtual network named VNET1. The administrative users must be allowed to modify the...
To prevent administrative users from accidentally deleting a virtual network (VNET1) while still allowing them to modify its settings, the most effective option in Azure would be "Locking the resource".
Reasoning:
1. Azure Resource Locks:
- Can’t Delete Lock: This lock prevents the deletion of a resource, such as VNET1, but still allows administrative users to modify the settings and configurations of the resource. This ensures that VNET1 cannot be accidentally deleted, fulfilling the primary requirement.
- Can Delete Lock: This would allow the resource to be deleted and is not suitable for preventing accidental deletion.
2. Role-Based Access Control (RBAC):
- Owner Role: The Owner role gives full control over the resource, including deletion, which is contrary to the goal of preventing deletion.
...
Author: Emma · Last updated May 18, 2026
You have an Azure subscription named Sub1. Sub1 contains a virtual network named VNet1 that contains one subnet named Subnet1.
Subnet1 contains an Azure virtual machine named VM1 that runs Ubuntu Server 18.04.
You create a service endpoint for Microsoft.Storage in Subnet1.
You need to ensure that when you deploy Docker containers to ...
To ensure that Docker containers on VM1 can access Azure Storage resources using the service endpoint, the correct solution is to install the container network interface (CNI) plug-in.
Reasoning:
1. Container Network Interface (CNI) Plug-in:
- The CNI plug-in allows Docker containers to use the virtual network of the underlying host (VM1 in this case). In this scenario, the containers need to be able to access resources like Azure Storage using the service endpoint configured on Subnet1.
- The CNI plug-in ensures that Docker containers are able to use the network configuration of Subnet1, including the service endpoint for Microsoft.Storage, so they can communicate with Azure Storage resources over the virtual network.
- Without the CNI plug-in, containers would not be able to fully integrate with the Azure Virtual Network, including service endpoints.
2. Application Security Group and Network Security Group (NSG):
- Application Security Group (ASG) and Network Security Group (NSG) are network security mechanisms that control inbound and outbound traffic based on rules. However, they are more relevant for controlling traffic flow to and from VM1, and not directly related to enabling containers to u...
Author: GlowingTiger · Last updated May 18, 2026
You have Azure Resource Manager templates that you use to deploy Azure virtual machines.
You need to disable unused Windows features automatically as insta...
To automatically disable unused Windows features when instances of virtual machines (VMs) are provisioned, the correct solution is to use an Azure Desired State Configuration (DSC) virtual machine extension.
Reasoning:
1. Azure Desired State Configuration (DSC) VM Extension:
- DSC is a configuration management tool in Azure that ensures the desired configuration of VMs is maintained. Using DSC, you can specify configurations (including disabling specific Windows features) and enforce them on the VM as it is provisioned or during ongoing management.
- The DSC virtual machine extension allows you to apply configuration scripts (e.g., PowerShell scripts) to manage Windows features and settings on a VM. It is ideal for tasks like disabling unused Windows features because it can automatically enforce these settings when the VM is provisioned and as part of ongoing configuration management.
- DSC is specifically designed for managing configurations across VMs and ensures that the VM's state aligns with the defined configuration, which is exactly what is needed in this scenario.
2. Device Configuration Policies in Microsoft Intune:
- Device configuration policies in Intune are used primarily for managing the settings on devices like laptops and mobile phones. These policies focus more on device security and user settings, rather than managing server-side features like Windows features on VMs.
- Intune is generally not used for managing virtual m...
Author: SolarFalcon11 · Last updated May 18, 2026
DRAG DROP -
You have an Azure subscription that contains the virtual networks shown in the following table.
The Azure virtual machines on SpokeVNetSubnet0 can communicate with the computers on the on-premises network.
You plan to deploy an Azure firewall to HubVNet.
You create the following two routing tables:
* RT1: Includes a user-defined route that points to the private IP address of the Azure firewall as a next hop address
* RT2: Disables BGP route propagation and defines the private IP address of the Azure firewall as the default gateway
You need to ensure that traffic between SpokeVNetSubnet0 and the on-premises network flows through the Azure firewall.
To which subnet should yo...
Author: Michael · Last updated May 18, 2026
You are troubleshooting a security issue for an Azure Storage account.
You enable the diagnostic logs for the storage account....
To retrieve the diagnostic logs for an Azure Storage account, the correct option is Azure Security Center.
Reasoning:
1. Azure Security Center:
- Azure Security Center provides centralized security management and advanced threat protection across all Azure services, including Azure Storage. When diagnostic logging is enabled on an Azure Storage account, Security Center can provide insights and access to security logs.
- Azure Security Center integrates with Azure Monitor and can collect security-related logs from various services, including Storage, and present them in a centralized view for troubleshooting security issues.
- It is the appropriate tool for retrieving and analyzing diagnostic logs related to security events in Azure Storage.
2. Security & Compliance Admin Center:
- The Security & Compliance Admin Center (also known as the Microsoft 365 Security & Compliance Center) is primarily used for managing compliance, security, and auditing features for Microsoft 365 services like Exchange, SharePoint, and OneDrive. It does not focus on Azure Storage diagnostic logs and is not the correct tool for this task.
- This tool is more suited for compliance and auditing...
Author: Harper · Last updated May 18, 2026
You are configuring an Azure Kubernetes Service (AKS) cluster that will connect to an Azure Container Registry.
You need to use the auto-generated service principal t...
To configure an Azure Kubernetes Service (AKS) cluster to authenticate to an Azure Container Registry (ACR) using the auto-generated service principal, the correct option is B) an Azure Active Directory (Azure AD) role assignment.
Reasoning:
1. Azure Active Directory (Azure AD) Group:
- An Azure AD group is typically used for managing access to resources for multiple users or entities collectively. It does not directly facilitate the specific authentication process between AKS and ACR. In this scenario, the AKS cluster itself is what needs to authenticate to the ACR, and a group does not provide the necessary access control for this direct authentication.
2. Azure Active Directory (Azure AD) Role Assignment:
- An Azure AD role assignment is used to grant permissions to users, groups, or service principals in Azure resources. The auto-generated service principal in AKS requires a role assignment to authenticate to ACR. Specifically, assigning the "AcrPull" role to the AKS service principal at the ACR ...
Author: Lina Zhang · Last updated May 18, 2026
You have an Azure subscription that contains the Azure virtual machines shown in the following table.
You create an MDM Security Baseline profile named Profile1.
You need to identify to which v...
To determine which virtual machines Profile1 (MDM Security Baseline profile) can be applied to, we need to consider which virtual machines are Azure AD-joined or Hybrid Azure AD-joined since MDM security baseline profiles are typically applied to devices that are managed through Azure AD or Intune.
Reasoning for each option:
1. VM1 only:
- If VM1 is the only machine that is Azure AD-joined or Hybrid Azure AD-joined, then Profile1 can only be applied to this machine. In this case, it would be the correct option.
- This would be true if VM1 is specifically configured to be Azure AD-joined or Hybrid Azure AD-joined and the others are either not connected to Azure AD or are unmanaged.
2. VM1, VM2, and VM3 only:
- If VM1, VM2, and VM3 are all Azure AD-joined or Hybrid Azure AD-joined, Profile1 could be applied to these virtual machines, assuming that VM4 is not Azure AD-joined.
- This option is possible if VM4, for example, is either not conne...
Author: Ryan · Last updated May 18, 2026
SIMULATION -
You need to ensure that connections from the Internet to VNET1subnet0 are allowed only over TCP port 7777. The solution must use only currently dep...
To ensure that connections from the Internet to `VNET1subnet0` are allowed only over TCP port 7777 using only currently deployed resources, we need to implement an appropriate Network Security Group (NSG) rule. Here's a step-by-step explanation of why the selected option is correct and why others would be rejected.
Reasoning:
1. Network Security Group (NSG):
- NSGs are used to control inbound and outbound traffic to Azure resources, such as virtual machines (VMs) or subnets, based on specific rules (protocol, port, and IP address).
- We can create a custom inbound rule in the NSG associated with the subnet (`VNET1subnet0`) to allow only TCP port 7777 from the Internet.
- An NSG rule will allow us to define port-based access, protocol (TCP), and source (Internet).
- The NSG would have the allow rule for TCP port 7777 and then a deny-all rule for any other ports or protocols.
2. Why NSG is the correct option:
- NSGs are specifically designed for controlling traffic to Azure resources and are already a deployed resource in most Azure environments.
- They are applicable at both the VM level and the subnet level, meaning they can enforce the port restr...
Author: Aditya · Last updated May 18, 2026
SIMULATION -
You need to prevent administrators from performing accidental changes to the Homepage app service plan.
...
To prevent administrators from performing accidental changes to the Homepage app service plan, the most appropriate approach would be to implement Azure Resource Locks. Here's an explanation of why this option is the best choice and why others are rejected.
Reasoning:
1. Azure Resource Locks:
- Resource locks allow you to lock Azure resources so that no accidental or unauthorized changes can be made. There are two types of locks:
  - Read-only lock: Prevents any modifications to the resource but allows read access.
  - CanNotDelete lock: Allows modifications to the resource but prevents the resource from being deleted.
- By applying a Read-only lock on the Homepage app service plan, administrators will be able to view the resource but will not be able to modify or make changes to it, thus preventing accidental changes.
- Resource locks are simple to implement via the Azure portal, ensuring that administrators cannot inadvertently change the configuration of the app service plan.
2. Why other options are rejected:
- Role-Based Access Control (RBAC):
  - While RBAC can be used to limit administrative access by controlling permissions, it does not fully prevent changes once the administrator has permissions to manage the resource. RBAC is more about permissions, whereas a resource lock ensures that even if someone has administrative permissions, they c...
Author: Michael · Last updated May 18, 2026
SIMULATION -
You need to ensure that a user named Danny1234578 can sign in to any SQL database on a Microsoft SQL server named web1234578 by using SQL Server Management Studio (SSMS) and Azure Active...
To ensure that Danny1234578 can sign in to any SQL database on the Microsoft SQL Server named web1234578 using SQL Server Management Studio (SSMS) and Azure Active Directory (Azure AD) credentials, the correct option would involve configuring Azure Active Directory authentication for the SQL server and assigning the necessary permissions to the user.
Reasoning:
1. Azure Active Directory Authentication for SQL Server:
- To allow a user to sign in using Azure AD credentials, Azure Active Directory authentication must be enabled for the SQL server. This will allow users to authenticate via their Azure AD identities, enabling them to sign in to SQL databases on that server using their Azure AD credentials.
- You need to ensure that the Azure AD admin for the SQL server is properly set up so that Azure AD users (like Danny1234578) can authenticate. Once this is done, the user can connect to the SQL server and access databases via SQL Server Management Studio (SSMS).
2. Why other options are rejected:
- SQL Server Authentication:
  - This option requires setting up specific SQL logins for the user (like Danny1234578), which would require storing credentials (username and password...
Author: Julian · Last updated May 18, 2026
SIMULATION -
You need to configure a Microsoft SQL server named Web1234578 only to accept connections from the Subnet0 subnet on the VNET01 virtua...
To configure a Microsoft SQL server named Web1234578 to accept connections only from the Subnet0 subnet on the VNET01 virtual network in Azure, you would configure Network Security settings in the Azure portal using a Virtual Network Service Endpoint or Virtual Network Firewall Rules. Let’s analyze the options and reject others based on the requirements:
1. Allow connections from specific IP addresses (Firewall Rules):
- Reasoning: This option would allow you to restrict access by specifying IP addresses, but it requires you to know the exact IP addresses for Subnet0. While this approach can work, it's more difficult to manage in dynamic cloud environments, as IP addresses can change.
- Rejection: This is not the best option since managing IP addresses is less efficient than using virtual network-specific access controls. The exact IP addresses of Subnet0 are not always static, so this option could be less reliable for subnet-specific controls.
2. Allow connections from specific subnets (VNET and subnet-based rules):
- Reasoning: This option involves configuring the SQL server’s firewall to accept traffic from specific subnets within a virtual network. By selecting the VNET01 and Subnet0, we ensure that only resources within this subnet are allowed to connect, making it the most efficient and secure way to control access.
- Selected Option: This is the most suitable and straightforward option because it provides more precise control over which network resources (in this case, Subnet0) can communicate with the SQL server.
3. Allow connections from all networks (Default):
- Reasoning: This option would allow the SQL server to accept connections from any IP address or network, ...
Author: Charlotte · Last updated May 18, 2026
You have Azure Resource Manager templates that you use to deploy Azure virtual machines.
You need to disable unused Windows features automatically as insta...
To automatically disable unused Windows features as instances of virtual machines are provisioned in Azure, you need a solution that can be applied during the provisioning process and will allow you to configure the virtual machines' operating system settings (such as disabling features). Let’s analyze the options:
A) Device configuration policies in Microsoft Intune:
- Reasoning: Intune device configuration policies are primarily used for managing settings on devices, such as mobile phones, tablets, and desktops. While it is great for managing users' devices and enforcing security policies, it’s not directly suitable for virtual machine provisioning and operating system configuration in Azure.
- Rejection: This solution is not appropriate because Intune is typically used for managing personal or company-owned devices, not for controlling the features of virtual machines in Azure during provisioning.
B) An Azure Desired State Configuration (DSC) virtual machine extension:
- Reasoning: Azure DSC (Desired State Configuration) is a powerful tool for managing and enforcing configurations on virtual machines. You can use DSC to apply configuration settings, such as enabling or disabling Windows features, directly to virtual machines as they are provisioned. DSC scripts can be executed as part of the VM deployment process, making it the best option for automatically disabling unused features.
- Selected Option: This is the best solution because DSC allows you to define the exact state you want your VMs to be in, including disabling unused fea...
Author: Oliver · Last updated May 18, 2026
HOTSPOT -
You have an Azure subscription that contains the virtual machines shown in the following table.
You create the Azure policies shown in the following table.
You create the resource locks shown in the following table.
For each of the following statements, s...
Author: RadiantPhoenixX · Last updated May 18, 2026
HOTSPOT -
You have an Azure subscription that contains an Azure Active Directory (Azure AD) tenant named contoso.com. The tenant contains the users shown in the following table.
You create a resource group named RG1.
Which users can modify the permissions for RG1 and which users can create virtual networ...
Author: Daniel · Last updated May 18, 2026
SIMULATION -
You need to configure network connectivity between a virtual network named VNET1 and a virtual network named VNET2. The solution must ensure that virtual machines connected to VNET1 can communicate with virtual machines c...
To enable network connectivity between two virtual networks, VNET1 and VNET2, in Azure, the goal is to allow communication between virtual machines (VMs) connected to both virtual networks. Let's analyze the available options and determine the best approach to achieve this connectivity.
1. VNet Peering:
- Reasoning: VNet Peering connects two virtual networks in Azure, allowing resources (like virtual machines) in each network to communicate with each other using private IP addresses. With VNet Peering, you can enable communication between VMs in VNET1 and VNET2, regardless of whether the virtual networks are in the same or different regions.
- Selected Option: VNet Peering is the most appropriate option for this scenario because it directly allows network connectivity between the two virtual networks and ensures that virtual machines can communicate with each other over private IP addresses.
- Scenario Use: This is ideal for situations where you need to connect two virtual networks to enable seamless communication between resources in each network.
2. VPN Gateway:
- Reasoning: A VPN Gateway allows you to connect an Azure virtual network to on-premises networks or to other Azure virtual networks over a VPN connection. This could be used for cross-premises or inter-region communication but is more suited for hybrid cloud scenarios rather than intra-Azure network communication.
- Rejection: While this option can be used to connect VNET1 and VNET2, it’s more complex and typically used for connecting on-premises networks to Azure or for connecting virtual networks across regions. It introduces overhead with VPN configurations, making it less efficient than VNet Peering for communication between two Azure virtual networks.
3. VNet-to-VNet Connection using ExpressRoute:
- Reasoning: ExpressRoute provides a private, dedicated connection between Azure and on-premises infrastructure, bypassing the public int...
Author: Elijah · Last updated May 18, 2026
SIMULATION -
You need to deploy an Azure firewall to a virtual network named VNET3.
To complete this task, sign in to the Azure portal and modify the Azure resources.
This task might take ...
To deploy an Azure Firewall to a virtual network (VNET3), let's evaluate the available options and the reasoning behind selecting one.
Key Considerations:
1. Azure Firewall Deployment Options:
- Using the Azure Portal: This is often the preferred method for most users because it is interactive, user-friendly, and doesn't require command-line skills. In this case, we will perform the task directly through the Azure portal.
- Using ARM Templates or Bicep: These are great for automating deployment at scale or deploying infrastructure as code, but they are more complex and require familiarity with JSON or Bicep.
- Using Azure CLI or PowerShell: While these methods provide flexibility and can be scripted, they are more suitable for users familiar with command-line tools. However, they would be overkill for a task that can be completed in the Azure portal with ease.
- Using Azure Resource Manager (ARM) via API: This is typically used for programmatic deployment at a scale, but it’s more advanced and not as intuitive as using the portal.
Step-by-Step Reasoning:
1. Scenario: The task asks to deploy an Azure Firewall to VNET3, which means setting up ...
Author: Layla · Last updated May 18, 2026
SIMULATION -
You need to configure a virtual network named VNET2 to meet the following requirements:
* Administrators must be prevented from deleting VNET2 accidentally.
* Administrators must be able to add subnets to VN...
To configure a virtual network (VNET2) to meet the specified requirements, let’s break down the key factors and options available.
Key Requirements:
1. Prevent accidental deletion of VNET2: This requires setting up a protection mechanism to ensure VNET2 cannot be deleted unintentionally.
2. Allow administrators to add subnets: This requires the flexibility to modify the VNET by adding new subnets without restrictions.
Options to Consider:
1. Enable Resource Locks:
- Read-Only Lock: This will prevent any modifications to the VNET, including adding subnets, so it does not meet the requirement that administrators must be able to add subnets.
- Delete Lock: This is the most appropriate option because it will prevent accidental deletion of the virtual network, but still allow administrators to perform changes like adding subnets or modifying settings.
- Selected Option: This option is best suited because it directly meets both requirements: preventing deletion while still allowing changes such as subnet additions.
2. Role-Based Access Control (RBAC):
- RBAC could restrict permissions for certain users, but it doesn't directly address preventing deletion of resources unless combined with specific roles and custom policies. While it’s useful for man...
Author: ShadowWolf101 · Last updated May 18, 2026
You have an Azure virtual machine named VM1.
From Microsoft Defender for Cloud, you get the following high-severity recommendation: `Install endpoint protection solutions on virtual machine`.
You ne...
To resolve the high-severity recommendation from Microsoft Defender for Cloud regarding the need to "Install endpoint protection solutions on virtual machine," we need to focus on the correct solution that addresses endpoint protection directly.
Key Considerations:
1. Microsoft Defender for Cloud's Recommendation: The recommendation indicates a need for endpoint protection. Endpoint protection typically involves software that monitors and defends against malware, threats, and vulnerabilities at the level of the virtual machine itself.
2. Microsoft Defender for Endpoint: This is Microsoft's advanced endpoint security solution designed specifically to provide protection against a wide range of threats on endpoints, including virtual machines.
Evaluation of Options:
A) Add the Microsoft Antimalware extension to VM1:
- Reasoning: This is a good option because the Microsoft Antimalware extension provides endpoint protection on Azure virtual machines. It helps detect and respond to threats like malware, which aligns with the need for "endpoint protection" mentioned in the recommendation.
- Why this is selected: It directly addresses the issue by adding endpoint protection through the Microsoft Antimalware extension, fulfilling the requirement from Defender for Cloud.
B) Install Microsoft System Center Security Management Pack for Endpoint Protection on VM1:
- Reasoning: This option is more suitable for integrating and managing endpoint protection via System Center Configuration Manager (SCCM). It is not a direct solution for Azure virtual machines but rather for on-premises infrastruc...
Author: Maya · Last updated May 18, 2026
HOTSPOT -
You have a file named File1.yaml that contains the following contents.
You create an Azure container instance named container1 by using File1.yaml.
You need to identify where you can access the values of Variable1 and Variable2.
What should you identify? To a...
Author: Liam · Last updated May 18, 2026
You have an Azure subscription that contains a virtual network. The virtual network contains the subnets shown in the following table.
The subscription contains the virtual machines shown in the following table.
You enable just in time (JIT) VM access for all the virtual m...
To determine which virtual machines (VMs) are protected by Just-in-Time (JIT) access, we need to focus on how JIT VM access works in Azure and how it is applied to specific virtual machines.
Key Points:
1. JIT VM Access: Just-in-Time VM access is a security feature that controls when and how users can access virtual machines. It helps minimize the exposure of VMs by only allowing access for a specified period when requested. For JIT to be active on a VM, it must be enabled for that VM in Azure Security Center (now part of Microsoft Defender for Cloud).
2. Access Scope: JIT access is typically configured to be applied to virtual machines in specific subnets, and not all VMs in a subscription might necessarily have JIT enabled, depending on their network configuration, the policy applied, or whether the VM has been registered with JIT.
Evaluation of Options:
We are told that JIT VM access is enabled for all the virtual machines in the subscription. Based on that, we need to identify which VMs are actually "protected" by JIT access. Protection in this context means that JIT has been enabled and is actively controlling access to the VM.
Now, let’s review the provided options based on the assumption that ...
Author: FrozenWolf2022 · Last updated May 18, 2026
HOTSPOT -
You have an Azure subscription that contains the virtual machines shown in the following table.
Subnet1 and Subnet2 have a Microsoft.Storage service endpoint configured.
You have an Azure Storage account named storageacc1 that is configured as shown in the followin...
Author: Maya · Last updated May 18, 2026
HOTSPOT -
You have Azure virtual machines that have Update Management enabled. The virtual machines are configured as shown in the following table.
You schedule two update deployments named Update1 and Update2. Update1 updates VM3. Update2 updates VM6.
Which additional virtual machines can be updated by using Updat...
Author: StarryEagle42 · Last updated May 18, 2026
HOTSPOT -
You have an Azure subscription named Sub1.
You create a virtual network that contains one subnet. On the subnet, you provision the virtual machines shown in the following table.
Currently, you have not provisioned any network security groups (NSGs).
You need to implement network security to meet the following requirements:
* Allow traffic to VM4 from VM3 only.
* Allow traffic from the Internet to VM1 and VM2 only.
* Minimize the number of NSGs and n...
Author: Akash · Last updated May 18, 2026
HOTSPOT -
You have an Azure key vault.
You need to delegate administrative access to the key vault to meet the following requirements:
* Provide a user named User1 with the ability to set advanced access policies for the key vault.
* Provide a user named User2 with the ability to add and delete certificates in the key vault.
* Use the principle of least privilege.
What sh...
Author: Isabella · Last updated May 18, 2026
You have Azure Resource Manager templates that you use to deploy Azure virtual machines.
You need to disable unused Windows features automatically as insta...
To disable unused Windows features automatically as instances of the virtual machines are provisioned, we need to look for a solution that can manage and automate the configuration of the virtual machines, specifically for disabling features on Windows VMs.
Key Considerations:
1. The goal is to disable unused Windows features: This requires an automation tool or configuration management solution that can apply settings to virtual machines once they are provisioned.
2. Windows VM Configuration: We need to focus on automating the configuration of Windows settings, such as enabling/disabling features, once the VM is provisioned, and applying those settings consistently.
Evaluation of Options:
A) Device Compliance Policies in Microsoft Intune:
- Reasoning: Microsoft Intune is primarily used for managing and securing devices in an enterprise environment, especially for mobile devices, laptops, and desktops. It can enforce compliance policies but is not designed to automate the disabling of Windows features on Azure virtual machines.
- Why rejected: While Intune is powerful for device management, it doesn't fit the scenario of automating the disabling of Windows features on Azure virtual machines during deployment. Intune is more about ensuring compliance and security, not VM configuration.
B) Azure Automation State Configuration:
- Reasoning: Azure Automation State Configuration uses Desired State Configuration (DSC) to automatically configure and maintain the state of resources, including virtual machines. You can use DSC to ensure specific Windows features are disabled on virtual machines as they are provisioned.
- Why this is selected: This is the best option. Azure Automation ...
Author: Chloe · Last updated May 18, 2026
You have an Azure Container Registry named Registry1.
From Azure Security Center, you enable Azure Container Registry vulnerability scanning of the images in Registry1.
You perform the following actions:
* Push a Windows image named Image1 to Registry1.
* Push a Linux image named Image2 to Registry1.
* Push a Windows image named Image3 to Registry1.
* Modify Image1 and push the new image as Image4 to Registry1.
Modify Image2 and push...
To answer this question, let's break down the scenario and the relevant details:
Key points to consider:
1. Azure Security Center Vulnerability Scanning:
- When you enable vulnerability scanning in Azure Security Center for Azure Container Registry (ACR), it scans the images in the registry.
- The scanning process depends on the image push and whether the image has been modified.
2. Image Modifications:
- Image1 and Image2 were modified and pushed again as Image4 and Image5, respectively.
- The new images (Image4 and Image5) would be the ones that get scanned because they represent updated versions of Image1 and Image2.
3. Scanning Logic:
- Initial push: When an image is initially pushed (like Image1, Image2, or Image3), it will be scanned if vulnerability scanning is enabled at the time.
- Modified images: Modified images (like Image4 and Image5) will also be scanned, as they are essentially new versions of the original images.
Let's review each image:
- Image4: Since Image1 was modified and pushed as Image4, I...
Author: Ethan Smith · Last updated May 18, 2026
HOTSPOT -
You have two Azure virtual machines in the East US 2 region as shown in the following table.
You deploy and configure an Azure Key vault.
You need to ensure that you can enable Azure Disk Encryption on VM1 and VM2.
What should you modify on each virtual machine? T...
Author: Ryan · Last updated May 18, 2026
You have the Azure virtual machines shown in the following table.
You create an Azure Log Analytics workspace named Analytics1 in RG1 in the East ...
To determine which virtual machines can be enrolled in an Azure Log Analytics workspace, we need to consider a few factors:
Key Factors:
1. Log Analytics Workspace Location:
- Analytics1 is located in the East US region. A Log Analytics workspace can only enroll virtual machines (VMs) that are either in the same region or in regions that support cross-region management.
2. VM Location:
- The location of each virtual machine (VM) will play a significant role in whether it can be enrolled in Analytics1.
- Virtual machines in different regions from the Log Analytics workspace are typically not directly enrolled unless there is specific support for cross-region management, but most common scenarios restrict VM enrollment to the same region as the workspace.
Analysis of VM Enrollment Possibilities:
- VM1: If VM1 is located in the East US reg...
Author: Ming88 · Last updated May 18, 2026
You are testing an Azure Kubernetes Service (AKS) cluster. The cluster is configured as shown in the exhibit. (Click the Exhibit tab.)
You plan to deploy the cluster to production. You disable HTTP application routing.
You need to implement application routing tha...
To implement application routing that provides reverse proxy and TLS termination for AKS services using a single IP address, let’s evaluate the options:
Key Requirements:
1. Reverse Proxy: A reverse proxy is required to route incoming traffic to different services in the AKS cluster. This would allow you to manage traffic to different applications or services running within your cluster.
2. TLS Termination: TLS termination is required to offload the SSL/TLS decryption from the backend services, meaning the traffic from external clients is encrypted, and the encryption is terminated at the load balancer or proxy.
Evaluation of Each Option:
A) Create an AKS Ingress controller
- Explanation: An Ingress controller in Kubernetes is used to manage external HTTP(S) access to the services within a cluster. It can provide both reverse proxy functionality and TLS termination for Kubernetes services. The Ingress controller will allow you to route traffic based on hostnames, paths, and protocols. TLS termination can be configured on the Ingress controller, which satisfies both the reverse proxy and TLS termination requirements.
- Reason for selection: An Ingress controller is specifically designed for managing external access to AKS services, providing reverse proxy functionality and TLS termination in a Kubernetes-native way. This is the best fit for the requirements.
B) Install the container network interface (CNI) plug-in
- Explanation: The CNI plug-in is used to manage networking between containers in the cluster. It handles networking, such as assigning IP addre...
Author: StarryEagle42 · Last updated May 18, 2026
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription. The subscription contains 50 virtua...
To determine if the solution meets the goal of deploying Microsoft Antimalware to the virtual machines (VMs) in your Azure subscription, let's break down the question and the solution provided.
Key Points:
- Microsoft Antimalware is a service that helps protect your virtual machines against malware, and it can be deployed via extensions in Azure.
- The virtual machines in question are running Windows Server 2012 R2 or Windows Server 2016.
Solution: Add an extension to each virtual machine.
- Extensions in Azure are lightweight, small applications that provide post-deployment configuration and automation on Azure virtual machines.
- The Microsoft Antimalware extension is available for both Windo...
Author: Carlos Garcia · Last updated May 18, 2026
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription. The subscription contains 50 virtual machines t...
To determine whether the solution meets the goal of deploying Microsoft Antimalware to the virtual machines, let's break down the scenario and solution.
Scenario Overview:
- The goal is to deploy Microsoft Antimalware to 50 virtual machines running Windows Server 2012 R2 or Windows Server 2016.
- The proposed solution is to connect to each virtual machine and add a Windows feature.
Analyzing the Solution:
- Windows Antimalware (also known as Windows Defender Antivirus) is part of the Windows Server operating system and typically needs to be enabled or configured properly.
- For Windows Server 2012 R2 and Windows Server 2016, Microsoft Antimalware (Windows Defender) can be enabled by adding the relevant Windows feature (e.g., Windows Defender Antivirus).
However, manually connecting to each virtual machine to add a Windows feature may not be the most efficient way to deploy antimalware across all 50 VMs.
1. Connecting to each virtual machine and adding the ...
Author: Matthew · Last updated May 18, 2026
You have an Azure Active Directory (Azure AD) tenant named Contoso.com and an Azure Kubernetes Service (AKS) cluster AKS1.
You discover that AKS1 cannot be accessed by using accounts from Contoso.com.
You need to ensure AKS1 can be accessed by us...
Scenario Overview:
- You have an Azure Active Directory (Azure AD) tenant named Contoso.com and an Azure Kubernetes Service (AKS) cluster named AKS1.
- You are unable to access AKS1 using accounts from Contoso.com.
- The solution must minimize administrative effort, and the goal is to ensure that AKS1 can be accessed by accounts from Contoso.com.
Analyzing the Options:
Option A: From Azure, recreate AKS1.
- Recreating the AKS cluster would likely involve a complete teardown and recreation of the cluster, which is unnecessary and inefficient. This approach would not address the core issue and would result in significant downtime and effort.
- It's a very disruptive approach and is not the best solution for the scenario as it involves unnecessary steps when a simpler solution might exist.
Option B: From AKS1, upgrade the version of Kubernetes.
- Upgrading the Kubernetes version may address compatibility or feature-related issues but does not directly solve the issue of authentication with Azure AD accounts. The issue seems to be related to authentication integration rather than Kubernetes versioning.
- Upgrading Kubernetes does not seem relevant to the problem of enabling access for Azure AD accounts.
Option C: From Azure AD, implement Azure AD Premium P2.
- Azure AD Premium P2 includes additional features for identity and access management, such as conditional access, identity protection, and...
Author: Olivia · Last updated May 18, 2026
You have an Azure subscription that contains an Azure Container Registry named Registry1. Microsoft Defender for Cloud is enabled in the subscription.
You upload several container images to Registry1.
You discover that vulnerability security scans were not performed.
You need to ...
Scenario Overview:
- You have an Azure subscription that contains an Azure Container Registry (ACR) named Registry1.
- Microsoft Defender for Cloud is enabled in the subscription.
- After uploading several container images to Registry1, you discover that vulnerability scans were not performed on these images.
- The goal is to ensure that container images are scanned for vulnerabilities when they are uploaded to Registry1.
Analyzing the Options:
Option A: From the Azure portal, modify the Pricing tier settings.
- Microsoft Defender for Cloud provides security features, but for container image vulnerability scanning to work in Azure Container Registry, you must be on the Premium tier of the Azure Container Registry. The vulnerability scanning feature is not available in the Basic or Standard tiers.
- Modifying the pricing tier is necessary if your current tier doesn't support the vulnerability scanning feature, as the Premium tier is required for this functionality. This step ensures that vulnerability scans are enabled when images are pushed to the registry.
- This is the correct solution if you're currently using a lower-tier pricing option and need the Premium tier for vulnerability scanning.
Option B: From Azure CLI, lock the container images.
- Locking container images via the Azure CLI refers to a feature that protects images from accidental deletion or modification, not vulnerability scanning.
- This option does not address vulnerability scanning, so it does not meet the goal of ensuring scans are performed on uploaded images.
Option C: Upload th...
Author: Liam123 · Last updated May 18, 2026
From Azure Security Center, you create a custom alert rule.
You need to configure which users will receive an email mess...
Scenario Overview:
- You have created a custom alert rule in Azure Security Center.
- You need to configure which users will receive an email when the alert is triggered.
Analyzing the Options:
Option A: From Azure Monitor, create an action group.
- Action groups are the mechanism used to define who gets notified when an alert is triggered. In Azure, Azure Monitor is the service responsible for monitoring and alerting. To configure notifications like emails, you would use action groups in Azure Monitor to specify the recipients, such as individual users or groups, and set up the alerting action (such as sending an email).
- When you create an alert in Azure Security Center, you can configure it to use an action group for notifications. Action groups allow you to specify who should receive notifications (e.g., by email, SMS, etc.).
- This is the correct solution, as it is the right way to configure who will receive notifications for alerts in Azure Security Center.
Option B: From Security Center, modify the Security policy settings of the Azure subscription.
- Security policy settings in Azure Security Center are used to configure and enforce security controls across your Azure subscription, such as policies for monitoring, compliance, and governance.
- However, security policy settings do not control who receives notifications for alerts triggered by custom alert rules. They are focused on defining security configurations and policies, not on configuring notification recipients.
- This option is incorrect, as it does not address...
Author: Liam · Last updated May 18, 2026
You are configuring and securing a network environment.
You deploy an Azure virtual machine named VM1 that is configured to analyze network traffic.
You need to ensure t...
Scenario Overview:
- You have an Azure virtual machine (VM1) that is configured to analyze network traffic.
- You need to ensure that all network traffic is routed through VM1.
Analyzing the Options:
Option A: A system route
- System routes are automatically created by Azure to ensure traffic flows between Azure resources (such as virtual machines, subnets, and virtual networks) within the same region. These routes are not user-configurable and will generally define routes for internal traffic within the Azure network.
- System routes will not help in routing traffic through a specific VM for analysis, as system routes are designed for basic internal traffic routing and cannot be customized to route traffic through a specific VM.
- This option is not suitable for the scenario of routing traffic through VM1 for analysis.
Option B: A network security group (NSG)
- Network security groups (NSGs) are used to control inbound and outbound traffic to Azure resources based on security rules. NSGs are primarily used for filtering traffic based on source/destination IPs, ports, and protocols.
- While NSGs play a critical role in securing the network, they do not directly control routing. NSGs are designed fo...
Author: Abigail · Last updated May 18, 2026
HOTSPOT -
You have a network security group (NSG) bound to an Azure subnet.
You run Get-AzNetworkSecurityRuleConfig and receive the output shown in the following exhibit.
Use the drop-down menus to select the answer choice that completes each statement ...
Author: Carlos Garcia · Last updated May 18, 2026
You have an Azure subscription that contains the virtual networks shown in the following table.
The subscription contains the virtual machines shown in the following table.
On NIC1, you configure an applic...
To answer this question, we need to consider how Application Security Groups (ASGs) work in Azure and how they relate to network interfaces (NICs) and virtual networks.
Key Points to Consider:
1. ASG Configuration: ASGs are used to group and apply network security rules to network interfaces or virtual machines. Once an ASG is created, it can be associated with multiple network interfaces in the same virtual network.
2. Virtual Networks and NICs: The NICs associated with a virtual machine must belong to the same virtual network for an ASG to be applied across those NICs.
3. Same Virtual Network Requirement: You cannot assign an ASG to NICs that reside in different virtual networks. The NICs must be in the same virtual network as the one where the ASG is initially configured.
Analyzing the Options:
Option A: NIC2 only
- This option suggests that ASG1 could only be assigned to NIC2.
- For this to be correct, NIC2 would have to be in the same virtual network as NIC1 (since ASG1 was initially configured on NIC1).
- If NIC2 is in a different virtual network from NIC1, ASG1 cannot be applied to NIC2.
- This option is incorrect if other NICs in the same virtual network should also be considered.
Option B: NIC2, NIC3, NIC4, and NIC5
- If NIC2, NIC3, NIC4, and NIC5 all belong to the same virtual network as ...
Author: Ava · Last updated May 18, 2026
You have 15 Azure virtual machines in a resource group named RG1.
All the virtual machines run identical applications.
You need to prevent unauthorized application...
Scenario Overview:
- You have 15 Azure virtual machines in a resource group named RG1.
- The virtual machines run identical applications.
- The goal is to prevent unauthorized applications and malware from running on these virtual machines.
Analyzing the Options:
Option A: Apply an Azure policy to RG1.
- Azure Policy helps enforce rules and compliance across resources in Azure, such as ensuring that specific configurations or settings are applied. However, Azure Policy is more focused on ensuring resource configurations (e.g., resource types, location restrictions, or naming conventions), not on controlling what applications are running on the virtual machines.
- While Azure Policy can be used to manage various resources, it does not specifically protect virtual machines from unauthorized applications or malware.
- This option is not suitable for preventing unauthorized applications from running on the VMs.
Option B: From Azure Security Center, configure adaptive application controls.
- Adaptive application controls in Azure Security Center are designed to help protect Azure virtual machines by allowlisting approved applications and blocking unauthorized applications.
- It works by analyzing the application behavior on virtual machines, then recommending and enforcing policies to allow only known good applications to run. This directly addresses the goal of preventing unauthorized applications and malware from running on the virtual machines.
- This is the c...
Author: Joseph · Last updated May 18, 2026
You have a web app hosted on an on-premises server that is accessed by using a URL of https://www.contoso.com.
You plan to migrate the web app to Azure. You will continue to use https://www.cont...
Scenario Overview:
- You have a web app hosted on an on-premises server that is accessed using the URL https://www.contoso.com.
- You plan to migrate the web app to Azure but continue to use https://www.contoso.com.
- The goal is to enable HTTPS for the Azure web app.
Key Considerations:
1. HTTPS requires an SSL/TLS certificate, which includes a public key and a private key.
2. The certificate needs to be imported into Azure to enable HTTPS for the web app.
3. To migrate to Azure and keep using https://www.contoso.com, you would typically need to migrate the SSL certificate from the on-premises server to Azure, ensuring the private key is securely transferred.
Analyzing the Options:
Option A: Export the public key from the on-premises server and save the key as a P7b file.
- A P7b file (PKCS7) contains the certificate (with its public key) and the certificate chain, but it does not contain the private key.
- While the public key is part of the SSL/TLS certificate, you cannot enable HTTPS without the private key. You need the private key to bind the SSL certificate to the web app in Azure, and this option does not provide it.
- This option is not suitable because it only provides the public key, not the private key needed for HTTPS.
Option B: Export the private key from the on-premises server and save the key as a PFX file that is encrypted by using TripleDES.
- A PFX file (PKCS12) contains both the private key and the public key (certificate), which are required to enable HTTPS.
- While this option provides the correct file format (PF...
Author: ElectricLionX · Last updated May 18, 2026
You plan to deploy Azure container instances.
You have a containerized application that consists of two containers: an application container and a validation container. The application container is monitored by the validation container. The validation container performs security checks by making requests to the application container and waiting for responses after every transaction.
You need to ensure that the application container and the va...
Scenario Overview:
- You are planning to deploy Azure container instances.
- You have a containerized application made up of two containers:
1. Application container: Runs the application.
2. Validation container: Monitors the application container and performs security checks by making requests to the application container.
- The containers must communicate with each other on ports that are not externally exposed.
- The goal is to ensure that these containers are deployed together and can only communicate internally.
Key Considerations:
1. Container Groups: Azure Container Instances (ACI) support deploying multiple containers together in a container group, which allows the containers to share the same network, storage, and IP address. This setup is perfect for scenarios where containers need to interact closely, such as your use case where the validation container needs to monitor the application container.
2. Communication on Internal Ports: The containers within the same container group can communicate with each other on internal ports without exposing those ports externally. This is important for your requirement to have communication that is not externally exposed.
3. Security Groups and Networking: While network security groups (NSGs) and application security groups can be used to control traffic at the network level, they are not directly related to the deployment and grouping of containers in a container instance. NSGs control traffic to/from Azure resources at the network interface level, but they are not used to deploy containers together.
Analyzing the Options:
Option A: Application security groups
- Application Security Groups (ASGs) are used to group resources for the purpose of applying security policies, particularly in network security groups (NSGs). ASGs help control traffic between resources within a virtual network based on application-specific groupings, but they are not a tool for deploying containers together or ensuring containers are grouped in the same deployment.
- This option is not suitable for grouping containers and ensuring they com...
Author: Ryan · Last updated May 18, 2026
DRAG DROP -
You are configuring network connectivity for two Azure virtual networks named VNET1 and VNET2.
You need to implement VPN gateways for the virtual networks to meet the following requirements:
* VNET1 must have six site-to-site connections that use BGP.
* VNET2 must have 12 site-to-site connections that use BGP.
* Costs must be minimized.
Which VPN gateway SKU should you use for each virtual network? To answer, drag the appropriate SKUs to the correct netw...
Author: Zara1234 · Last updated May 18, 2026
You are securing access to the resources in an Azure subscription.
A new company policy states that all the Azure virtual machines in the subscription must use managed disks.
You need to prevent...
Scenario Overview:
- A new company policy requires that all Azure virtual machines in the subscription must use managed disks.
- The goal is to prevent users from creating virtual machines that use unmanaged disks.
Key Considerations:
- Managed disks in Azure are easier to manage because Azure handles the storage account, scalability, and performance optimization.
- To ensure compliance with the policy, you need to restrict the creation of virtual machines using unmanaged disks at the resource management level.
- This means that you need to apply a mechanism that can enforce rules around resource creation, such as prohibiting certain disk types for virtual machines.
Analyzing the Options:
Option A: Azure Monitor
- Azure Monitor is a tool used for collecting, analyzing, and acting on telemetry data from Azure resources. It provides insights into the performance and health of resources, but it does not have capabilities to enforce policies or restrict resource creation.
- Azure Monitor cannot be used to prevent users from creating VMs with unmanaged disks.
- This option is not suitable for the scenario.
Option B: Azure Policy
- Azure Policy allows you to define rules and enforce compliance on resources within your Azure subscription. It can be used to prevent users from creating virtual machines that use unmanaged disks by creating a policy that explicitly enforces the use of managed disks.
- You can use an Azure Policy definition to restrict th...
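As an added example (not from the original answer and not Azure's built-in definition), the following Python builds an Azure Policy definition that denies virtual machines whose OS disk is an unmanaged VHD, then applies the rule to constructed sample resources with a small evaluator so the allOf / equals / exists semantics can be seen working. The alias `Microsoft.Compute/virtualMachines/storageProfile.osDisk.uri` is the field the built-in "Audit VMs that do not use managed disks" policy checks; the alias-to-JSON-path table, the sample resources and the "deny" effect are this example's own choices.

```python
"""Added example, not code from the original answer: an Azure Policy definition
that denies virtual machines whose OS disk is an unmanaged VHD, and a small
evaluator that applies the rule to sample resource descriptions.

The alias Microsoft.Compute/virtualMachines/storageProfile.osDisk.uri is the
field Azure's built-in "Audit VMs that do not use managed disks" policy checks;
the effect here is "deny" so non-compliant VMs are blocked at creation time.
The alias-to-JSON-path table and the sample resources are constructed for this
example, and the evaluator covers only the subset of the policy language this
rule uses (allOf, anyOf, not, field, equals, exists), not the full engine.
"""
import json
from typing import Any, Dict, Iterable, Tuple

UNMANAGED_DISK_ALIAS = "Microsoft.Compute/virtualMachines/storageProfile.osDisk.uri"

POLICY_DEFINITION = {
    "properties": {
        "displayName": "Deny VMs that do not use managed disks (example)",
        "description": "Blocks creation of VMs whose OS disk is a VHD in a storage account.",
        "mode": "All",
        "policyRule": {
            "if": {
                "allOf": [
                    {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
                    {"field": UNMANAGED_DISK_ALIAS, "exists": "true"},
                ]
            },
            "then": {"effect": "deny"},
        },
    }
}

# Assumed mapping from policy alias to the resource JSON path (example only).
ALIASES = {
    UNMANAGED_DISK_ALIAS: ("properties", "storageProfile", "osDisk", "vhd", "uri"),
}

# Constructed sample resources shaped like ARM resource payloads.
SAMPLE_VM_MANAGED = {
    "type": "Microsoft.Compute/virtualMachines",
    "name": "vm-managed",
    "properties": {"storageProfile": {"osDisk": {
        "createOption": "FromImage",
        "managedDisk": {"storageAccountType": "Premium_LRS"}}}},
}
SAMPLE_VM_UNMANAGED = {
    "type": "Microsoft.Compute/virtualMachines",
    "name": "vm-unmanaged",
    "properties": {"storageProfile": {"osDisk": {
        "createOption": "FromImage",
        "vhd": {"uri": "https://examplestorage.blob.core.windows.net/vhds/osdisk.vhd"}}}},
}
SAMPLE_STORAGE_ACCOUNT = {
    "type": "Microsoft.Storage/storageAccounts",
    "name": "examplestorage",
    "properties": {},
}


def _walk(obj: Any, path: Tuple[str, ...]) -> Tuple[Any, bool]:
    """Follow a key path; return (value, present)."""
    for key in path:
        if not isinstance(obj, dict) or key not in obj:
            return None, False
        obj = obj[key]
    return obj, True


def resolve_field(resource: Dict, field: str) -> Tuple[Any, bool]:
    """Resolve 'type' or a known alias against the resource payload."""
    if field == "type":
        return resource.get("type"), "type" in resource
    if field in ALIASES:
        return _walk(resource, ALIASES[field])
    raise KeyError(f"unsupported field/alias in this example: {field}")


def evaluate_condition(cond: Dict, resource: Dict) -> bool:
    """Evaluate one policy condition (logical operators or a field test)."""
    if "allOf" in cond:
        return all(evaluate_condition(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate_condition(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not evaluate_condition(cond["not"], resource)
    value, present = resolve_field(resource, cond["field"])
    if "equals" in cond:  # Azure Policy string comparison is case-insensitive
        return present and str(value).lower() == str(cond["equals"]).lower()
    if "exists" in cond:
        return present == (str(cond["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(policy: Dict, resource: Dict) -> str:
    """Return the effect the policy applies to the resource, or 'allow'."""
    rule = policy["properties"]["policyRule"]
    return rule["then"]["effect"] if evaluate_condition(rule["if"], resource) else "allow"


def evaluate_all(policy: Dict, resources: Iterable[Dict]) -> Dict[str, str]:
    return {r["name"]: evaluate(policy, r) for r in resources}


if __name__ == "__main__":
    print(json.dumps(POLICY_DEFINITION["properties"]["policyRule"], indent=2))
    print(evaluate_all(POLICY_DEFINITION,
                       [SAMPLE_VM_MANAGED, SAMPLE_VM_UNMANAGED, SAMPLE_STORAGE_ACCOUNT]))
```

To use the definition for real, write the `policyRule` object to a file and create it with `az policy definition create --name <name> --rules <file> --mode All`, then assign it to the subscription with `az policy assignment create`; with the "deny" effect, a VM whose OS disk points at a VHD URI is rejected by Resource Manager before it is created, whereas "audit" would only flag it afterwards.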