
You have 10 on-premises networks that are connected by using a 3rd party Software Defined Wide Area Network (SD-WAN) solution. You have an Azure subscription that contains five virtual networks. You plan to connect the Azure virtual networks and the on-premises networks by using an Azure Virtual WAN with a single virtual WAN hub. ...To allow Azure Virtual WAN to act as a node in a 3rd party SD-WAN solution, we need to look at integration capabilities between Azure and non-Microsoft SD-WAN solutions. --- Scenario Summary: - You have 10 on-premises networks connected using a 3rd party SD-WAN. - You want to connect them to Azure Virtual WAN, which includes 5 virtual networks. - Azure Virtual WAN will have a single hub, and needs to participate as a node in the SD-WAN fabric. --- Key Requirement: Azure must be able to interoperate with your 3rd party SD-WAN solution. That typically involves a virtual appliance or specific software provided by the SD-WAN vendor, deployed in Azure. --- Option Analysis: A) Azure Virtual WAN ExpressRoute Gateway - Purpose: Connects Azure Virtual WAN to on-premises environments using ExpressRoute (private WAN). - Use Case: For private MPLS circuits, not SD-WAN integration. - Rejection Reason: ❌ SD-WAN over IPsec/overlay — not ExpressRoute-based, so not applicable. --- B) Network Virtual Appliance (NVA) - Purpose: A vendor-provided VM (router/firewall/sd-wan edge device) deployed in Azure. - Use Case: Allows you to deploy the SD-WAN edge node inside Azure, so Azure becomes part of the SD-WAN mesh. ... Author: Noah · Last updated May 19, 2026 |
HOTSPOT - You have the Azure resources shown in the following table. You need to link VNet2 to Circuit1. What should you create in each subscription? To answer, select the appropr...Author: Ella · Last updated May 19, 2026 |
You have an on-premises datacenter and an Azure subscription. You plan to implement ExpressRoute FastPath. You need to create an ExpressRoute gateway. The solution must mini...To select the correct ExpressRoute gateway SKU for FastPath while ensuring high availability (minimizing downtime if a single Azure datacenter fails), we need to analyze the following: --- 🔍 Key Requirements: 1. Supports ExpressRoute FastPath – Only some SKUs support FastPath. 2. Supports Availability Zones (AZs) – Ensures redundancy across datacenters within a region to minimize downtime if one fails. --- ✅ D) ErGw3AZ - Supports FastPath: ✔️ Yes. ErGw3AZ supports FastPath. - High Availability: ✔️ Yes. The "AZ" suffix means it is deployed across three Availability Zones (if the region supports AZs), providing maximum redundancy. - Performance: This is the highest tier gateway SKU available for ExpressRoute in AZ-enabled configurations. - Best Fit: Meets both FastPath support and high availability with minimum downtime during a datacenter failure. --- ❌ A) ErGw1AZ - Supports FastPath: ❌ No. This is the most basic SKU and does not support FastPath. - Availability Zones: ✔️ Y... Author: Noah Williams · Last updated May 19, 2026 |
HOTSPOT - You have an Azure subscription that contains the resources shown in the following table. You establish BGP peering between NVA1 and Hub1. You need to implement transit connectivity between VNet1 and VNet3 via Hub1 by using BGP peering. The solution must minimize costs. What...Author: Emily · Last updated May 19, 2026 |
You have an Azure subscription that contains an ExpressRoute Standard gateway named GW1. You need to upgrade GW1 to support ExpressRoute FastPath. ...To upgrade GW1 (an ExpressRoute Standard gateway) to support ExpressRoute FastPath, with minimal downtime, we need to choose a gateway SKU that: 1. ✅ Supports FastPath 2. ✅ Allows seamless upgrade from Standard 3. ✅ Minimizes downtime (i.e., avoids the need to delete and recreate the gateway) --- 🔍 Key Facts About FastPath: - FastPath bypasses the gateway for private peering, reducing latency and improving performance. - It is supported only on specific SKUs: ErGw2AZ and ErGw3AZ. - You cannot upgrade from a non-AZ (availability zone) SKU (like "Standard") to an AZ-enabled SKU in-place. - To minimize downtime, you must select a SKU that supports FastPath and allows resizing from the current SKU. --- ❌ A) Ultra performance - Not an official Azure gateway SKU. - Possibly confused with ExpressRoute circuit tier (Ultra), but not a gateway SKU. - Conclusion: Invalid option. --- ✅ B) ErGw3AZ - Supports FastPath: ✔️ Yes. - High availability: ✔️ Deployed across Availability Zones. - Performance: Highest scale, ideal for large deployments. - Caveat: If you're currently using a non-AZ gateway (Standard), you cannot directly upgrade to ErGw3AZ. You must recreate the gateway, which introduces downtime. - Conclusion: Supports FastPath but does not meet the "minimize downtim... Author: Jack · Last updated May 19, 2026 |
SIMULATION - Username and password - Use the following login credentials as needed: To enter your username, place your cursor in the Sign in box and click on the username below. To enter your password, place your cursor in the Enter password box and click on the password below. Azure Username: [email protected] Azure Password: xxxxxxxxxx - If the Azure portal does not load successfully in the browser, press CTRL-K to reload the portal in a new browser tab. The following information is for technical support purposes only: Lab Instance: 12345678 - You have two servers that are each hosted by a separate service provider in New York and California. The server hosted in New York is acc...Author: William · Last updated May 19, 2026 |
HOTSPOT - You have an Azure subscription that contains a virtual network named VNet1. You need to implement hybrid connectivity between an on-premises network and VNet1. The solution must meet the following requirements: * All cross-premises network traffic must traverse an ExpressRoute circuit. * All cross-premises network traffic must be encrypted by using a Site-to-Site (...Author: Emma Brown · Last updated May 19, 2026 |
HOTSPOT - You have an Azure subscription that contains the virtual networks shown in the following table. You have devices that run either Windows or macOS. The devices connect to VGW1 by using the OpenVPN protocol. Which ...Author: VioletCheetah55 · Last updated May 19, 2026 |
You have an Azure subscription that contains the resources shown in the following table. You plan to deploy an Azure Virtual Network NAT gateway named Gateway1. The solution must meet the following requirements: * VM1 will access the internet by using its public IP address. * VM2 will access the internet by using its public IP address. * Administr...Author: Noah Williams · Last updated May 19, 2026 |
DRAG DROP - You have 100 on-premises servers with IP addresses from the 10.0.0.0/24 IP address space. You have an Azure subscription that contains a virtual network named VNet1, an Azure VPN gateway named VGW1, and 100 virtual machines. VNet1 has an IP address space of 10.0.0.0/22. VGW1 uses the VpnGw1 SKU. You need to ensure that the Azure virtual machines and the on-premises servers can communicate by using VGW1. The solution must minimize ad...Author: Akash · Last updated May 19, 2026 |
DRAG DROP - You have a computer named CLIENT1 that runs Windows 11 and has the Azure VPN Client installed. You have an Azure virtual network gateway named VPNGW1. You need to ensure that you can connect CLIENT1 to VPNGW1. The solution must support Microsoft Entra authentication. Which four actions should you pe...Author: Joseph · Last updated May 19, 2026 |
HOTSPOT - You have an on-premises server named Server1 that runs Windows Server and has the DNS Server role installed. You have an Azure subscription that contains two virtual networks named VNet1 and VNet2. VNet1 contains an Azure Firewall instance named FW1. VNet1 peers with VNet2. The on-premises network is connected to VNet1 by using ExpressRoute. The on-premises network is inaccessible from VNet2. You need to ensure that virtual machines connected to VNet2 use Server1 ...Author: Daniel · Last updated May 19, 2026 |
HOTSPOT - You create an ExpressRoute circuit named ERC1 that is enabled by your connectivity provider. You need to ensure that the routes for Azure Backup and Azure Cosmos DB are advertised to the on-premises network via ERC1. The solution must minimize administrative effort. What s...Author: Lucas · Last updated May 19, 2026 |
HOTSPOT - You plan to implement an Azure Virtual WAN named VWAN1 that will contain a hub named Hub1. VWAN1 will include the virtual networks shown in the following table. You need to ensure that hosts connected to VNet1 can communicate with hosts connected to VNet3. How should you configure the rout...Author: Harper · Last updated May 19, 2026 |
HOTSPOT - You have 50 on-premises networks. Each network contains a server that runs Windows Server. You have an Azure subscription that contains a virtual network named VNet1. VNet1 contains a database server named DB1. You plan to deploy an app named App1 that will be hosted on the on-premises servers and will connect to DB1 by using Azure Network Adapter. What should you use to...Author: Daniel · Last updated May 19, 2026 |
You have an on-premises network. You have an Azure subscription that contains a virtual network. You have an ExpressRoute service provider. You plan to connect the Azure virtual network and the on-premises network by using an ExpressRoute circuit. You create a new Expres...To provision the new ExpressRoute circuit and establish a connection between your Azure virtual network and your on-premises network via ExpressRoute, you will need to provide specific information to your ExpressRoute service provider. Here's a breakdown of the options you mentioned: A) IKEv2 shared key - Reasoning: The IKEv2 shared key is used for establishing a VPN connection with an IPsec tunnel. This key is used to secure communications over an encrypted VPN tunnel but is not needed for ExpressRoute provisioning. ExpressRoute doesn't use a traditional VPN setup or IPsec-based encryption as part of its core provisioning process. - Rejection Reason: This is not applicable for an ExpressRoute circuit setup. B) The certificate - Reasoning: A certificate is typically used for authentication in VPN connections, especially when establishing an IPsec/IKE VPN. However, in the case of ExpressRoute, certificates are generally not involved in the process of provisioning the circuit or establishing the connection. - Rejection Reason: This option does not apply to ExpressRoute provisioning. C) The public IP address - Reasoning: The public IP address refers to the IP address that is used for accessing services over the internet or in a hybrid environment. While public IP addresses are i... Author: Siddharth · Last updated May 19, 2026 |
HOTSPOT - You have an Azure subscription. The subscription contains 500 virtual machines that run either Windows 11 or Linux. You need to identify which Linux virtual machines are accessible from the internet. The solution must minimize administrative effort. What should you use, and what shou...Author: FrozenWolf2022 · Last updated May 19, 2026 |
DRAG DROP - Your on-premises network contains two subnets named Subnet and Subnet2. Subnet2 contains a Hyper-V host that contains two virtual machines named VM1 and VM2. VM1 and VM2 are connected to Subnet2. You have an Azure virtual network named VNet1 that contains GatewaySubnet and a subnet named VSubnet1. VNet1 is connected to the on-premises network by using a Site-to-Site (S2S) VPN connection. You plan to migrate VM1 to VNet1 and maintain the existing IP address of VM1. VM2 will remain on Subnet2. You need to prepare the environment to ensure...Author: Sara · Last updated May 19, 2026 |
You have an on-premises datacenter named Site1 that contains a firewall named FW1. FW1 connects to the internet. You have an Azure subscription that contains the resources shown in the following table. You plan to connect Site1 to Hub1 by using a site-to...Author: GlowingTiger · Last updated May 19, 2026 |
HOTSPOT - Case Study - This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided. To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other questions in this case study. At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section. To start the case study - To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. When you are ready to answer a question, click the Question button to return to the question. Overview - Pros...Author: Manish · Last updated May 19, 2026 |
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen. You have two Azure virtual networks named Vnet1 and Vnet2. You have a Windows 10 device named Client1 that connects to Vnet1 by using a Point-to-Site (P2S) IKEv2 VPN. You implement virtual network peering ...Scenario Analysis: You have two Azure virtual networks, Vnet1 and Vnet2, with a Windows 10 device (Client1) connecting to Vnet1 via Point-to-Site (P2S) IKEv2 VPN. The virtual network peering between Vnet1 and Vnet2 is configured such that: - Vnet1 allows gateway transit. - Vnet2 can use the remote gateway (Vnet1’s gateway). However, Client1 cannot communicate with Vnet2. The goal is to ensure that Client1 can communicate with Vnet2. Solution: Resetting the Gateway of Vnet1 Key Concepts: - Point-to-Site VPN (P2S): Client1 uses a VPN connection to access Vnet1, and Vnet1's gateway enables traffic to Vnet2 via peering. - Gateway Transit: Vnet1 allows other virtual networks (in this case, Vnet2) to use its gateway. This means that traffic from Vnet2 can flow through Vnet1's VPN gateway to reach Client1. - Virtual Network Peering: Peering establishes a direct connection between two virtual networks, allowing resources in each to communicate with each other. Analysis of the Proposed Solution (Resetting the Gateway): - Resetting the gateway of Vnet1 does not directly address the underlying issue, which likely involves configuration or routing problems in the peering between Vnet1 and Vnet2 or the VPN setup itself. - Gateway ... Author: Ahmed · Last updated May 19, 2026 |
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen. You have two Azure virtual networks named Vnet1 and Vnet2. You have a Windows 10 device named Client1 that connects to Vnet1 by using a Point-to-Site (P2S) IKEv2 VPN. You implement virtual network peering betwe...Scenario Analysis: You have two Azure virtual networks, Vnet1 and Vnet2. A Windows 10 device (Client1) connects to Vnet1 via a Point-to-Site (P2S) IKEv2 VPN. You've implemented virtual network peering between Vnet1 and Vnet2. In this setup: - Vnet1 allows gateway transit. - Vnet2 can use the remote gateway (Vnet1’s VPN gateway). However, Client1 is unable to communicate with Vnet2. The proposed solution is to enable BGP on the gateway of Vnet1. The goal is to determine whether enabling BGP will help ensure that Client1 can communicate with Vnet2. Key Concepts: 1. Virtual Network Peering: - Peering between Vnet1 and Vnet2 enables communication between the two networks. The gateway transit feature allows Vnet2 to use Vnet1’s gateway to route traffic to external networks. 2. Point-to-Site VPN (P2S): - Client1 is using a P2S IKEv2 VPN to connect to Vnet1, which implies that it’s accessing resources within Vnet1. The gateway transit feature allows Vnet1’s gateway to route traffic between Vnet1 and Vnet2. 3. BGP (Border Gateway Protocol): - BGP is a routing protocol used to exchange routing information between different networks. It can be used to automatically update routing tables and improve the routing of traffic between networks. 
- BGP can be enabled on VPN gateways in Azure to automatically exchange routes between the Azure network and on-premises or peered networks. Analysis of the Proposed Solution: - Enabling BGP on the gateway of Vnet1 can help propagate routing information for traffic flowing between Vnet1, Vnet2, and Client1. However, this solution alone might not be th... Author: Charlotte · Last updated May 19, 2026 |
HOTSPOT - You have the Azure environment shown in the following exhibit. Use the drop-down menus to select the answer choice that completes each statement based on the information prese...Author: Vivaan · Last updated May 19, 2026 |
You plan to deploy Azure virtual network. You need to design the subnets. Which three types of resources require a dedicated subnet? Each correct answer presents...To properly design subnets within an Azure Virtual Network (VNet), certain resources require a dedicated subnet. Let’s walk through the options and discuss the reasoning behind selecting and rejecting each one. A) Azure Bastion Azure Bastion is a fully managed platform that provides secure and seamless RDP and SSH connectivity to your virtual machines. For optimal performance and security, Azure Bastion must be deployed in a dedicated subnet (called the AzureBastionSubnet). This is because it requires specific network configurations and IP range settings that do not interfere with other services. - Reason: Dedicated subnet is required for Azure Bastion to isolate and control network traffic. - Scenario: Use Azure Bastion for RDP/SSH access to VMs without exposing them to the public internet. B) Azure Active Directory Domain Services (Azure AD DS) Azure AD DS provides managed domain services like domain join, group policy, and LDAP. While it needs a subnet to function, it does not need a dedicated subnet on its own, unlike Azure Bastion or other resources that are very specific in their requirements. - Reason: Azure AD DS doesn’t require a dedicated subnet, but it requires a subnet to be deployed. It can coexist in a general subnet with other services. - Scenario: Use Azure AD DS in an existing subnet for integrating on-premises and cloud resources. C) Azure Private Link Azure Private Link enables secure access to Azure services over a private endpoint in your VNet, but it does not require a dedicated subnet. Private Link endpoints can be placed in any subnet. ... Author: StarryEagle42 · Last updated May 19, 2026 |
HOTSPOT - You have an Azure private DNS zone named contoso.com that is linked to the virtual networks shown in the following table. The links have auto registration enabled. You create the virtual machines shown in the following table. You manually add the following entry to the contoso.com zone: * Name: VM1 IP address: 10.1.10.9 - For ...Author: Aarav2020 · Last updated May 19, 2026 |
HOTSPOT - Your company has an Azure virtual network named Vnet1 that uses an IP address space of 192.168.0.0/20. Vnet1 contains a subnet named Subnet1 that uses an IP address space of 192.168.0.0/24. You create an IPv6 address range to Vnet1 by using a CIDR suffix of /48. You need to enable the virtual machines on Subnet1 to communicate with each other by using IPv6 addresses assigned by the company. The solution must minimiz...Author: Elijah · Last updated May 19, 2026 |
DRAG DROP - You have an Azure subscription that contains the resources shown in the following table. The IP Addresses settings for Vnet1 are configured as shown in the exhibit. You need to ensure that you can integrate WebApp1 and Vnet1. Which three actions should you perform in sequence before you can integrate WebApp1 and Vne...Author: Sophia Clark · Last updated May 19, 2026 |
DRAG DROP - You have three on-premises sites. Each site has a third-party VPN device. You have an Azure virtual WAN named VWAN1 that has a hub named Hub1. Hub1 connects two of the three on-premises sites by using a Site-to-Site VPN connection. You need to connect the third site to the other two sites by using Hub1. Which four actions should you perform ...Author: Ravi Patel · Last updated May 19, 2026 |
HOTSPOT - You are planning an Azure solution that will contain the following types of resources in a single Azure region: * Virtual machine * Azure App Service * Virtual Network gateway * Azure SQL Managed Instance App Service and SQL Managed Instance will be delegated to create resources in virtual networks. You need to identify how many virtual networks and subnets are required for the solution. The solution must minimize costs...Author: Ethan Smith · Last updated May 19, 2026 |
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen. You have two Azure virtual networks named Vnet1 and Vnet2. You have a Windows 10 device named Client1 that connects to Vnet1 by using a Point-to-Site (P2S) IKEv2 VPN. You implement virtual network peering between Vnet1 and...Problem Breakdown: - Scenario Overview: - Vnet1 and Vnet2 are peered. - Vnet1 allows gateway transit, meaning traffic from Vnet2 can use the VPN gateway in Vnet1. - Client1 is connected to Vnet1 via a P2S VPN (IKEv2) but cannot communicate with Vnet2. - Key Points: - Virtual Network Peering is set up between Vnet1 and Vnet2. - Gateway transit is enabled in Vnet1, allowing Vnet2 to route traffic via the Vnet1 VPN gateway. - Client1 can access Vnet1 but cannot reach Vnet2. - The issue likely lies in routing or the VPN client configuration. --- Solution Analysis: Option: Reinstalling the VPN Client Configuration (Downloading and Reinstalling) - What does this solve? - Downloading and reinstalling the VPN client configuration typically ensures that the client’s VPN settings are up-to-date with the latest configuration, particularly for P2S connections. - This can refresh the VPN connection and might fix certain issues, especially if there were changes made to the VPN settings or network configuration. - Does this solve the issue of communication between Client1 and Vnet2? - No, simply reinstalling the VPN client configuration will not directly address the routing issue betw... Author: Nia · Last updated May 19, 2026 |
You have an Azure virtual network named Vnet1 that hosts an Azure firewall named FW1 and 150 virtual machines. Vnet1 is linked to a private DNS zone named contoso.com. All the virtual machines have their name registered in the contoso.com zone. Vnet1 connects to an on-premises datacenter by using ExpressRoute. You need to ensure that on-premises DNS servers can resolve the names...Scenario Recap: You have an Azure virtual network (Vnet1) hosting an Azure firewall (FW1) and 150 virtual machines (VMs). These VMs are registered in a private DNS zone (contoso.com), and Vnet1 connects to an on-premises datacenter via ExpressRoute. You need to ensure that the on-premises DNS servers can resolve the names in the contoso.com private DNS zone. Key Factors: - DNS Resolution for Private Zones: For on-premises servers to resolve names in an Azure private DNS zone, you need to enable DNS forwarding from on-premises DNS servers to Azure DNS or configure a DNS proxy. - Azure Firewall: The Azure Firewall (FW1) is in place, so it may play a role in handling DNS traffic between on-premises networks and Azure resources. - ExpressRoute: The ExpressRoute connection provides a private link to Azure, so you can configure DNS settings for communication between on-premises and Azure resources. Option Assessment: A) Modify the DNS server settings of Vnet1 - This option suggests modifying the DNS server settings in Vnet1, but it's more of a general network configuration and doesn't specifically address the DNS resolution for on-premises servers. You would typically configure Vnet1’s DNS settings for Azure-based resources to use Azure DNS or a custom DNS server. - Reason Rejected: This doesn't directly help with enabling the on-premises DNS servers to resolve names in the private DNS zone. It's more relevant for configuring DNS within Azure. 
B) For FW1, configure custom DNS server - If you configure FW1 with a custom DNS server, you could potentially enable it to forward DNS requests from on-premises to the appropriate DNS service. However, the main focus here is not on just configuring a DNS server on the firewall but ensuring proper DNS forwarding for on-premises queries. - Reason Rejected: Configuring a custom DNS server on the firewall alone doesn’t solve the problem of forwarding DNS requests from on-premises servers to the correct Azure DNS service or proxy. C) For FW1, enable DNS proxy - DNS Proxy on Azure Firewall allows DNS requests from Azure resources to be forwarded and resolved via an external DNS server. This feature is ... Author: Stella · Last updated May 19, 2026 |
You are planning the IP addressing for the subnets in Azure virtual networks. Which type of resourc...When planning IP addressing for subnets in Azure Virtual Networks (VNets), it’s important to understand the role each resource plays and whether it requires IP addresses from the subnets. Let's go through the options and analyze them: A) Internal Load Balancers Internal Load Balancers (ILBs) are used within an Azure VNet to distribute traffic between virtual machines or services. They require IP addresses from the subnet to function. The ILB will have a private IP address that resides within the subnet, and this IP address is used for routing traffic to the backend pool of virtual machines. Why Selected: - ILBs require IP addresses from the subnet to assign to the load balancer for routing traffic internally. - This makes it a valid choice for IP addressing planning. B) Storage Account Azure Storage accounts are globally accessible and do not need to be assigned specific private IP addresses within the VNet. They are accessed using DNS names (e.g., `mystorageaccount.blob.core.windows.net`) over the public internet, unless configured to be accessed privately via a service endpoint or a private endpoint. Why Rejected: - A Storage account does not require an IP address from the subnet unless it is configured to use a private endpoint. Even then, the private endpoint would use its own address, separate from the subnet’s IP addressing. C) Azure Virtual Network NAT Azure Virtual Network ... Author: Emily · Last updated May 19, 2026 |
HOTSPOT - You have an Azure subscription. You have the on-premises sites shown in the following table. You plan to deploy Azure Virtual WAN. You are evaluating Virtual WAN Basic and Virtual WAN Standard. Which type of Virtual WAN can you use for each site? To answ...Author: Amira99 · Last updated May 19, 2026 |
HOTSPOT - You have an Azure subscription that contains two virtual networks named Vnet1 and Vnet2. You register a public DNS zone named fabrikam.com. The zone is configured as shown in the Public DNS Zone exhibit. You have a private DNS zone named fabrikam.com. The zone is configured as shown in the Private DNS Zone exhibit. You have a virtual network link configured as shown in the Virtual Networ...Author: Ming · Last updated May 19, 2026 |
HOTSPOT - You have two Azure virtual networks named VNet1 and VNet2 in an Azure region that has three availability zones. You deploy 12 virtual machines to each virtual network, deploying four virtual machines per zone. The virtual machines in VNet1 host an app named App1. The virtual machines in VNet2 host an app named App2. You plan to use Azure Virtual Network NAT to implement outbound connectivity for App1 and App2. You need to identify the minimum number of subnets and Virtual Network NAT instances required to meet the following requirements: * A failure of two zones must NOT affect the availability o...Author: Scarlett · Last updated May 19, 2026 |
HOTSPOT - You have the Azure resources shown in the following table. WebApp1 uses the Standard pricing tier. You need to ensure that WebApp1 can access the virtual machines deployed to Vnet1Subnet1 and Vnet2Subnet1. The solution must minimize costs. What sh...Author: RadiantJaguar56 · Last updated May 19, 2026 |
HOTSPOT - You have the Azure App Service app shown in the App Service exhibit. The VNet Integration settings for as12 are configured as shown in the Vnet Integration exhibit. The Private Endpoint connections settings for as12 are configured as shown in the Private Endpoint connections exhibit. For each of the fo...Author: Ryan · Last updated May 19, 2026 |
You have a hub-and-spoke topology. The topology includes multiple on-premises locations that connect to a hub virtual network in Azure via ExpressRoute circuits. You have an Azure Application Gateway named GW1 that provides a single point of ingress from the internet. You plan to migrate the hub-and-spoke topology to Azure Virtual WAN. You need to identify which changes must be applied to the existing topology. The solution must ensure that you maintain a s...In this scenario, we are migrating a hub-and-spoke topology to an Azure Virtual WAN (vWAN), while ensuring that a single point of ingress for internet traffic (via the Azure Application Gateway named GW1) is maintained. Let's go through each option, considering the requirements and the architecture changes: A) Add User-Defined Routes (UDRs) In Azure, User-Defined Routes (UDRs) are used to control the routing of traffic within a VNet. Since you're migrating to Azure Virtual WAN, the routing architecture will change, and UDRs may need to be adjusted to ensure proper routing across the hub and spoke VNets. However, since Virtual WAN abstracts some of the routing mechanisms, you may not need to add UDRs in the traditional sense but need to configure routing in the Virtual WAN hub instead. Why Rejected: - Azure Virtual WAN typically handles routing automatically between connected VNets and ExpressRoute circuits. In most cases, specific user-defined routes might not be necessary because of the default routing provided by Virtual WAN. However, for advanced cases, you might still need to add or adjust them, but this option is not a key change in the migration. B) Add Virtual Network Peerings Virtual Network Peerings are used to connect VNets in Azure so that traffic can flow between them. In a hub-and-spoke topology, you might have VNets connected to the hub via peering. 
When migrating to Azure Virtual WAN, the peering mechanism will likely change, as the connectivity model of Virtual WAN is different from traditional peering. Why Rejected: - With Virtual WAN, virtual network peerings are not necessary because the Virtual WAN hub itself handles the connectivity between VNets. The migration will involve connecting the VNets to the Virtual WAN hub instead of configuring peerings directly between VNets. C) Replace the User-Defined Routes Used by the Current Topology Since you're migrating to Azure Virtual WAN, the existing UDRs designed for a traditional hub-and-spoke topology may no longer be applicable, as the Virtual WAN hub will handle routing automatically. You'll likely need to replace the current UD... Author: Aria · Last updated May 19, 2026 |
You have an application named App1 that listens for incoming requests on a preconfigured group of 50 TCP ports and UDP ports. You install App1 on 10 Azure virtual machines. You need to implement load balancing for App1 across all the virtual machin...To load balance App1 installed on 10 Azure VMs, which listens on a preconfigured group of 50 TCP and UDP ports, and to minimize the number of load balancing rules, we need a solution that supports broad port ranges efficiently. Let’s analyze each option: --- A) Azure Application Gateway v2 that has multiple listeners Azure Application Gateway is a Layer 7 (HTTP/HTTPS) load balancer used for web-based traffic. It supports features like SSL termination, cookie-based affinity, and URL-based routing. Why Rejected: - App1 is using TCP and UDP, not HTTP/S traffic. - Application Gateway does not support UDP or arbitrary TCP ports — it's not designed for non-web protocols. - Multiple listeners are only useful for routing based on host headers or paths for web traffic. Scenario: Use when balancing HTTP(S) traffic across apps with different URLs or domains. --- B) Azure Standard Load Balancer that has Floating IP enabled Floating IP is a feature that allows port reuse across multiple load balancing rules, which is useful for SQL AlwaysOn or NAT scenarios. Why Rejected: - Floating IP enables direct server return, not necessarily minimizing the number of rules. - It’s not designed to simplify rule creation for multiple port mappings across a wide range. Scenario: Use when high-performance or low-latency scenarios require same ports on mu... Author: Maya · Last updated May 19, 2026 |
DRAG DROP - You register a DNS domain with a third-party registrar. You need to host the DNS zone on Azure. Which three actions should you perform in sequence? To answer, move the appropriate actions from the ...Author: Mia · Last updated May 19, 2026 |
HOTSPOT - You have the network topology shown in the Topology exhibit. (Click the Topology tab.) You have the Azure firewall shown in the Firewall1 exhibit. (Click the Firewall1 tab.) You have the route table shown in the RouteTable1 exhibit. (Click the RouteTable1 tab.) For each of the following...Author: RadiantJaguar56 · Last updated May 19, 2026 |
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen. You have two Azure virtual networks named Vnet1 and Vnet2. You have a Windows 10 device named Client1 that connects to Vnet1 by using a Point-to-Site (P2S) IKEv2 VPN. You implement virtual network peering between Vnet...Answer: B) No Reasoning: You are trying to allow Client1, which connects to Vnet1 via a P2S IKEv2 VPN, to access resources in Vnet2, which is peered with Vnet1. The peering is correctly configured: - Vnet1 allows gateway transit, and - Vnet2 is configured to use the remote gateway. This setup should theoretically allow Client1 to reach Vnet2 via gateway transit—if all other configurations are correctly done. Now, let’s evaluate the proposed solution: ✅ Why resizing the gateway might seem helpful (but isn’t in this case): - Resizing a gateway can help if: - You need more throughput or connections (e.g., for performance/scalability). - You're enabling features that require a higher SKU, like BGP or certain types of VPNs. - However, resizing alone doesn’t fix routing or forwarding issues. --- ❌ Why resizing the gateway does not meet the goal: - The problem is not performance-related... Author: Ming · Last updated May 19, 2026 |
You have an Azure subscription that contains the virtual networks shown in the following table. You plan to deploy an Azure firewall named AF1 to RG1 in the...Author: Olivia Johnson · Last updated May 19, 2026 |
HOTSPOT - You have two Azure App Service instances that host the web apps shown in the following table. You deploy an Azure 2 that has one public frontend IP address and two backend pools. You need to publish all the web apps to the application gateway. Requests must be routed based on the HTTP host headers. What is the minimum number of listene...Author: CrimsonViperX · Last updated May 19, 2026 |
Your company has four branch offices and an Azure subscription. The subscription contains an Azure VPN gateway named GW1. The branch offices are configured as shown in the following table. The branch office routers provide internet connectivity and Site-to-Site VPN connections to GW1. The users in Branch1 report that they can connect to internet resources, but cannot access Azure resources. You need to ensure that the Branch1 us...Author: Deepak · Last updated May 19, 2026 |
DRAG DROP - You have an Azure subscription that contains a virtual network named Vnet1 and an Azure SQL database named SQL1. SQL1 has a private endpoint on Vnet1. You have a partner company named Fabrikam, Inc. Fabrikam has an Azure subscription that contains a virtual network named Vnet2 and a virtual machine named VM1. VM1 is connected to Vnet2. You need to provide VM1 with access to SQL1 by using an Azure Private Link service. What should you implement on each virtual network? To answer, drag the appropriate reso...Author: John · Last updated May 19, 2026 |
HOTSPOT - You have an Azure subscription that contains the virtual networks shown in the following table. You have a virtual machine named VM5 that has the following IP address configurations: * IP address: 10.4.0.5 * Subnet mask: 255.255.255.0 * Default gateway: 10.4.0.1 * DNS server: 168.63.129.16 You have an Azure Private DNS zone named fabrikam.com that contains the records shown in the following table. The virtual network links in the fabrikam.com DNS zone are configured as shown in the exhibit. (Click the...Author: Liam · Last updated May 19, 2026 |
Your company has five offices. Each office has a firewall device and a local internet connection. The offices connect to a third-party SD-WAN. You have an Azure subscription that contains a virtual network named Vnet1. Vnet1 contains a virtual network gateway named Gateway1. Each office connects to Gateway1 by using a Site...Correct answer: A) Delete Gateway1 --- Scenario Summary: - You have five offices, each with firewalls and internet, connected through a third-party SD-WAN. - Each office also uses a Site-to-Site VPN to connect to Gateway1 in Vnet1 (Azure). - You want to replace the third-party SD-WAN with Azure Virtual WAN (VWAN). --- What is Azure Virtual WAN? Azure Virtual WAN is a networking service that provides: - Centralized connectivity to Azure via hub-and-spoke architecture - Simplified site-to-site VPN, ExpressRoute, and point-to-site VPN - Built-in SD-WAN integration, optimized routing, and global transit network Virtual WAN replaces the need for traditional VPN gateways like Gateway1 by centralizing and managing all VPN/site connectivity. --- ✅ Option A - Delete Gateway1 - Correct: When migrating from a traditional virtual network gateway (like Gateway1) to Azure Virtual WAN, Gateway1 is no longer needed. - VWAN uses its own virtual hub and hub gateway, so retaining the old Gateway1 causes redundancy and possibly routing conflicts. - Deleting Gateway1 is part of the transition to Virtual WAN. ... Author: Lina Zhang · Last updated May 19, 2026 |
You are planning the IP addressing for the subnets in Azure virtual networks. Which type of resou...Correct answer: A) internal load balancers --- Question Summary: You're planning IP addressing for Azure subnets and need to determine which resource type consumes IP addresses within those subnets. --- ✅ Option A – Internal Load Balancers - Correct: Internal Load Balancers (ILBs) are deployed inside virtual networks and are assigned a private IP address from the subnet where they are placed. - This private IP is used as the frontend for the load balancer, meaning it reserves an IP from the subnet address space, just like virtual machines or NICs. - ILBs are used for load balancing within a virtual network (e.g., between backend services). ✔ Key factor: > ILBs consume IP addresses from the subnet—they require you to plan for IP usage in subnet design. --- ❌ Why the other options are rejected: B) Azure DDoS Protection for virtual networks - Incorrect: DDoS Protection is a network-level security service that is enabled at the virtual network level. - It doesn’t require or consume IP addresses from subnets. - It monitors and protects existing IPs, but does not allocate new ones. ... Author: Oliver · Last updated May 19, 2026 |
You have an Azure subscription that contains four virtual networks named VNet1, VNet2, VNet3, and VNet4. You plan to deploy a hub and spoke topology by using virtual network peering. You need to configure VNet1 as the hub network. The solution must meet the following requirements: ...Problem Breakdown: - Scenario: You need to set up a hub and spoke topology with VNet1 as the hub network and VNet2, VNet3, and VNet4 as spoke networks. - Requirements: - Transitive routing between spokes: This means that traffic from one spoke (e.g., VNet2) should be able to reach other spokes (e.g., VNet3 and VNet4) via the hub (VNet1). - Maximize network throughput: This requirement aims to ensure that the solution is scalable and efficient in terms of network performance. --- Option Analysis: A) Azure VPN Gateway - Role: Azure VPN Gateway provides Site-to-Site VPN, Point-to-Site VPN, and ExpressRoute connectivity. - Transitive Routing: VPN Gateway does not support transitive routing by default. If you were to use VPN Gateway in a hub and spoke topology, you would need to rely on manual route configuration and route propagation, but VPN Gateway is not inherently designed for efficient transitive routing. - Maximizing Throughput: The throughput of VPN Gateway is limited by the SKU of the gateway, and VPNs are typically less efficient compared to other internal Azure networking solutions in terms of throughput. - Conclusion: While VPN Gateway can be part of a hub and spoke topology, it does not meet the transitive routing requirement efficiently and would likely reduce throughput due to the VPN overhead. B) Azure Route Server - Role: Azure Route Server is designed to simplify route propagation between network virtual appliances (NVAs) and Azure VNets. It provides dynamic routing capabilities by integrating with BGP (Border Gateway Protocol). 
- Transitive Routing: Azure Route Server allows automatic route propagation between VNets and enables transitive routing in a hub and spoke topology by working with NVAs that advertise routes dynamically. This is especially useful in hub-and-spoke architectures where multiple VNets need to communicate via a central hub. - Maximizing Throughput: By using dynamic routing and eliminating static route management, Route Server provides more efficient routing and better throughput compared to VPN Gateway. It ensures tha... Author: David · Last updated May 19, 2026 |