
Copyright © 2026 Nxt Exam


Microsoft Certification

Microsoft Practice Questions, Discussions & Exam Topics by our Authors

HOTSPOT - You have an Azure subscription that contains a virtual machine named VM1 and a virtual network named Vnet1. Vnet1 contains three subnets named Subnet1, Subnet2, and GatewaySubnet. VM1 is connected to Subnet1. You plan to deploy a new virtual machine named VM2 that will perform network traffic routing and inspection. You need to ensure that all the traffic from VM1 to the in...

Author: Lucas · Last updated May 19, 2026

HOTSPOT - You have an on-premises network and an Azure virtual network named VNet1. You need to implement Azure Extended Network. The solution must minimize costs. Which type of virtual machine should you deploy to VNet1, and which tool should you use to configure Azure Extende...

Author: StarryEagle42 · Last updated May 19, 2026

Your company has a remote office that contains a macOS device named Device1. Device1 has an IKEv2 VPN client installed. You have an Azure subscription that contains the resources shown in the following table. You need to ensure that Device1 can access the resources on VNe...

Author: Michael · Last updated May 19, 2026

HOTSPOT - You have an Azure subscription that contains a virtual network named VNet1. VNet1 uses an IP address space of 192.168.0.0/24. You plan to deploy Azure virtual machines and Azure Bastion to VNet1. You need to recommend an IP subnetting configuration for VNet1. The solution must maximize the number of IP addresses that can be assigned to the virt...

Author: Sofia2021 · Last updated May 19, 2026

HOTSPOT - You have an on-premises network that includes the sites shown in the following table. Each site is connected to the Internet by a firewall. All sites are connected to an SD-WAN. Each site is configured to propagate routes by using BGP. You have an Azure subscription that includes a virtual network named Vnet1 that contains a Virtual Network Gateway named Gateway1. You create a local network gateway with the configuration shown in the gateway exhibit (Click the Gateway tab.) You create a Site-to-Site (S2S) connecti...

Author: Aria · Last updated May 19, 2026

HOTSPOT - You have an on-premises server named Server that is assigned a public IP address of 131.107.100.200. You have an Azure subscription that contains the resources shown in the following table. storage85347 has the Networking settings configured as shown in the following exhibit. From the Firewalls and virtual networks tab, you add Subnet1 to sto...

Author: Sophia · Last updated May 19, 2026

You have an on-premises datacenter in Seattle. You have an Azure subscription that contains an Azure Network Watcher resource in the West US 2 Azure region. You need to document network latency between the on-premises datacenter and the West US 2 region and between the on-premises dat...

To document network latency between your on-premises datacenter and the Azure regions (West US 2 and East US 2), the solution should minimize administrative effort while providing accurate latency measurements. The correct first step would be D) Create a Connection Monitor resource in the West US 2 region. Here's why: Key factors: 1. Connection Monitor (Option D): - Connection Monitor is a Network Watcher feature that helps you measure the connectivity and network latency between various endpoints, including on-premises and Azure resources. You can create a Connection Monitor in the Azure region where your Network Watcher resource is located (West US 2 in this case) to monitor network latency between your on-premises datacenter and both the West US 2 and East US 2 regions. - Why this is ideal: By creating the Connection Monitor in the West US 2 region (where you already have a Network Watcher resource), you can easily monitor both directions of network traffic: from your on-premises datacenter to West US 2 and from your on-premises datacenter to East US 2 (as long as you configure the East US 2 region as a destination within the same Connection Monitor configuration). 2. Get-AzNetworkWatcherConnectionMonitor Cmdlet (Option A): - This cmdlet is used to retrieve existing Connection Monitor data, not to set up new monitoring. You would use this cmdlet after you've created a Connection Monitor resource. - Rejecte...

Author: Madison · Last updated May 19, 2026

Case Study - This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided. To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other questions in this case study. At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section. To start the case study - To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. When you are ready to answer a question, click the Question button to return to the question. Overview - Proseware, Inc. is a fi...

Author: Emily · Last updated May 19, 2026

HOTSPOT - Case Study - This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided. To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other questions in this case study. At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section. To start the case study - To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. When you are ready to answer a question, click the Question button to return to the question. Overview - Pros...

Author: Abigail · Last updated May 19, 2026

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen. You have an Azure application gateway that has Azure Web Application Firewall (WAF) enabled. You configure the application gateway to direct traffic to the URL of the application gateway. You attempt to access the URL an...

Author: Ahmed97 · Last updated May 19, 2026

HOTSPOT - You have an Azure subscription that contains the route tables and routes shown in the following table. The subscription contains the subnets shown in the following table. The subscription contains the virtual machines shown in the following table. The subscription contains the local network gateways shown in the following table. There is a Site-to-Site VPN connection to each local ...

Author: Emma Brown · Last updated May 19, 2026

You have an Azure subscription that contains the public IP addresses shown in the following table. You plan to deploy a NAT gateway named NAT1. Which ...

Author: Aria · Last updated May 19, 2026

You have an Azure application gateway named AGW1 that has a routing rule named Rule1. Rule1 directs traffic for http://www.contoso.com to a backend pool named Pool1. Pool1 targets an Azure virtual machine scale set named VMSS1. You deploy another virtual machine scale set named VMSS2. You need to configure AGW1 to direct all traffic for http://www.adatum.com to VMSS2. The solution must ensure that requests to http://www.co...

To configure the Azure Application Gateway (AGW1) to direct traffic for http://www.adatum.com to the new virtual machine scale set VMSS2, while ensuring that traffic for http://www.contoso.com continues to go to the existing backend pool Pool1, here’s the logical breakdown and reasoning for each action: Required Actions: 1. Add a Backend Pool (A): Since you want to direct traffic for http://www.adatum.com to VMSS2, you need to configure a backend pool for VMSS2. This will allow AGW1 to know where to route the traffic for adatum.com. Without creating a backend pool for VMSS2, you won't have a target for the traffic to be routed to. Reason for Selection: A backend pool is needed for VMSS2 so the Application Gateway can forward traffic for adatum.com to the correct target. 2. Add an HTTP Setting (C): The HTTP setting defines how the Application Gateway interacts with the backend pool. In this case, you need to create an HTTP setting for the new backend pool (VMSS2) so that it can handle the traffic for adatum.com. HTTP settings include things like backend port, cookie-based affinity, and protocol (HTTP/HTTPS), which must be defined for the traffic to be properly handled. Reason for Selection: An HTTP setting is required to specify the configuration for routing traffic to VMSS2 from AGW1. 3. Add a Rule (E): The rule is what binds the traffic for http://www.adatum.com to the correct backend pool and HTTP setting. You already have Rule1 for contoso.com, but a new rule is necessary to create a new mapping for adatum.com. The rule specifies the domain and the ba...

Author: Liam123 · Last updated May 19, 2026

HOTSPOT - You have an Azure Traffic Manager parent profile named TM1. TM1 has two child profiles named TM2 and TM3. TM1 uses the performance traffic-routing method and has the endpoints shown in the following table. TM2 uses the weighted traffic-routing method with MinChildEndpoint = 2 and has the endpoints shown in the following table. TM3 uses priority traffic-routing method and has the endpoints shown in the following table. The App2, App4, and App6 end...

Author: Sofia · Last updated May 19, 2026

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen. You have an Azure application gateway that has Azure Web Application Firewall (WAF) enabled. You configure the application gateway to direct traffic to the URL of the application gateway. You attempt to access the ...

Author: IceDragon2023 · Last updated May 19, 2026

HOTSPOT - You have an Azure Front Door instance that provides access to a web app. The web app uses a hostname of www.contoso.com. You have the routing rules shown in the following table. Which rule will apply to each incoming request? To answer, s...

Author: Olivia · Last updated May 19, 2026

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen. You have an Azure application gateway that has Azure Web Application Firewall (WAF) enabled. You configure the application gateway to direct traffic to the URL of the application gateway. You attempt to ac...

Author: MoonlitPantherX · Last updated May 19, 2026

You have an Azure subscription that contains an Azure App Service app. The app uses a URL of https://www.contoso.com. You need to use a custom domain on Azure Front Door for www.contoso.com. The custom domain must use a cer...

To use a custom domain on Azure Front Door with a certificate from an allowed certification authority (CA) for www.contoso.com, the correct solution is to use C) Azure Key Vault. Here's why: Key Factors: 1. Azure Key Vault (Option C): - Why selected: Azure Front Door allows the use of custom domains with SSL/TLS certificates. To manage certificates, Azure Key Vault is the best choice because it securely stores and manages certificates. You can store the SSL certificate for www.contoso.com in Azure Key Vault and link it to Azure Front Door to provide secure communication. - Scenario: If you have an SSL certificate from a valid CA, you can import it into Azure Key Vault. Azure Front Door can then be configured to use this certificate for your custom domain, enabling secure traffic with HTTPS. 2. An enterprise application in Azure Active Directory (Azure AD) (Option A): - Why rejected: An enterprise application in Azure AD is used for identity and access management and has nothing to do with SSL certificates or custom domains. It’s typically used for managing users and applications, not for managing SSL certificates for web traffic. - Scenario: This option wouldn't apply to SSL certificate management or domain configuration. 3. Active Directory Certificate Services (AD CS) (Option ...

Author: Ella · Last updated May 19, 2026

You have an Azure application gateway for a web app named App1. The application gateway allows end-to-end encryption. You configure the listener for HTTPS by uploading an enterprise-signed certificate. You need to ensur...

To ensure that the Azure Application Gateway can provide end-to-end encryption for App1, the correct configuration must enable encrypted communication between both the client and the Application Gateway, as well as between the Application Gateway and the backend (App1) servers. Let's go through the options and evaluate them based on this goal: Option A: Increase the Unhealthy threshold setting in the custom probe - Reasoning: The "Unhealthy threshold" setting defines how many consecutive failed probe attempts are allowed before the backend is considered unhealthy. While this setting is relevant for health checks and backend availability, it does not directly impact the encryption or SSL/TLS communication. Increasing this threshold won't help in enabling end-to-end encryption. - Why rejected: This setting is used for backend health monitoring, not encryption. It doesn't relate to SSL/TLS settings or ensuring encrypted communication between the gateway and the app. Option B: Enable the SSL profile to the listener - Reasoning: Enabling an SSL profile for the listener would allow the Application Gateway to handle the SSL/TLS encryption from the client side. This is essential for end-to-end encryption because it ensures that the Application Gateway decrypts incoming HTTPS traffic and passes it securely to the backend. However, for end-to-end encryption, we need to ensure the communication between the Application Gateway and the backend is also encrypted. - Why selected: This option is part of enabling secure HTTPS communication on the frontend. However, for end-to-end encryption, it is not e...

Author: Chloe · Last updated May 19, 2026

You have an Azure application gateway named AppGW1 that balances requests to a web app named App1. You need to modify the server variables in the...

To modify the server variables in the response header of App1, we need to configure Azure Application Gateway (AppGW1) in a way that allows for response header manipulation. Let's evaluate each option based on this requirement: Option A: HTTP settings - Reasoning: HTTP settings in Azure Application Gateway define how the gateway communicates with backend servers. These settings include things like backend pooling, cookie-based affinity, and SSL settings. However, HTTP settings are not designed to modify response headers, such as altering server variables. - Why rejected: HTTP settings do not provide functionality for modifying response headers. Their primary role is to control how traffic is routed between the gateway and the backend servers, not to manipulate headers in responses. Option B: Rewrites - Reasoning: Response header rewrites are specifically designed to modify HTTP response headers as they pass through the Azure Application Gateway. You can configure rewrite rules to change headers, such as modifying or adding server variables to the response. This is the exact functionality needed to alter the server variables in the response header of App1. - Why selected: The "rewrites" feature directly addresses the requirement to modify response headers, making it the best choice. You can define rules that will modify headers in both the request and response, includin...

Author: Matthew · Last updated May 19, 2026

You have an Azure Virtual Desktop deployment that has 500 session hosts. All outbound traffic to the internet uses a NAT gateway. During peak business hours, some users report that they cannot access internet resources. In Azure Monitor, you disco...

In this scenario, the issue is related to failed SNAT (Source Network Address Translation) connections, which usually occur when there are more concurrent connections than the available SNAT ports from the NAT gateway. To resolve this, we need to increase the available SNAT connections to accommodate the outbound traffic from the 500 session hosts. Let's evaluate each option: Option A: Bind the NAT gateway to another subnet - Reasoning: Binding a NAT gateway to multiple subnets is possible in Azure to allow outbound traffic from resources in different subnets to route through the NAT gateway. However, simply adding another subnet to the NAT gateway does not increase the number of SNAT connections. The number of SNAT connections is more directly tied to the number of public IPs associated with the NAT gateway, not the subnets. - Why rejected: While this may be useful for expanding the scope of resources using the NAT gateway, it doesn't directly address the issue of increasing SNAT connections for outbound traffic. Adding another subnet won't increase the available SNAT ports or capacity. Option B: Add a public IP address - Reasoning: A NAT gateway's capacity for SNAT connections is directly influenced by the number of public IP addresses associated with it. Each public IP address provides a set of SNAT ports, and when the connection count exceeds the available SNAT ports, some connections fail. B...

Author: Benjamin · Last updated May 19, 2026

You have an Azure subscription that contains the public IPv4 addresses shown in the following table. You plan to create a load balancer named LB1 that will have the following settings: * Name: LB1 * Location:...

Author: Leah · Last updated May 19, 2026

You have the Azure environment shown in the exhibit. VM1 is a virtual machine that has an instance-level public IP address (ILPIP). Basic Load Balancer uses a public IP address. VM1 and VM2 are in the backend pool. NAT Gateway uses a public IP address named IP3 that is associated to SubnetA. VNet1 has a virtual netwo...

Author: Ava · Last updated May 19, 2026

You are configuring two network virtual appliances (NVAs) in an Azure virtual network. The NVAs will be used to inspect all the traffic within the virtual network. You need to provide high availability for the NVAs...

To provide high availability for two network virtual appliances (NVAs) in an Azure virtual network, the solution must ensure that traffic is consistently routed to the available NVA in case one fails, while also minimizing administrative effort. Let's analyze each option: Option A: Azure Standard Load Balancer - Reasoning: Azure Standard Load Balancer is designed to distribute traffic across multiple backend instances, ensuring that traffic is routed to the available NVA in case one fails. It is ideal for scenarios where NVAs are deployed in active-active or active-passive configurations. This load balancer operates at the network layer (Layer 4) and can be used to distribute both inbound and outbound traffic, making it suitable for ensuring high availability with minimal administrative effort. - Why selected: The Standard Load Balancer is specifically designed for this use case: distributing traffic across NVAs and providing high availability. It is easy to configure and requires minimal administrative overhead. It is also optimized for internal network traffic, which is the type of traffic in this scenario (inside the virtual network). The Standard Load Balancer's failover and load-balancing capabilities are perfect for ensuring high availability for NVAs. Option B: Azure Application Gateway - Reasoning: Azure Application Gateway is a Layer 7 (application layer) load balancer that is typically used for HTTP/HTTPS traffic. It is primarily designed to distribute traffic to web servers and manage web traffic, providing features such as SSL termination and URL-based routing. While it provides high availability and advanced features for web applications, it is not ideal for non-HTTP(S) traffic inspection, such as traffic through NVAs that perform more generic network traffic inspection. - Why rejected: The Azure Application Gateway is not suited for ...

Author: Aarav · Last updated May 19, 2026

You have five virtual machines that run Windows Server. Each virtual machine hosts a different web app. You plan to use an Azure application gateway to provide access to each web app by using a hostname of www.contoso.com and a different URL path for each web app, for example: h...

In this scenario, the goal is to control the flow of traffic based on the URL path for multiple web apps hosted on different virtual machines. Let's evaluate each option and determine the most suitable configuration. Option A: HTTP settings - Reasoning: HTTP settings in Azure Application Gateway define how traffic should be routed to backend servers (e.g., virtual machines) and specify configurations like SSL certificates, cookie-based affinity, and connection draining. While HTTP settings are important for backend configuration, they do not control the routing based on URL paths. - Why rejected: HTTP settings are used to manage the connection between the application gateway and the backend servers, but they do not provide URL-based routing logic, which is what we need to control traffic based on the URL path. Option B: Listeners - Reasoning: A listener in an Azure Application Gateway listens for incoming traffic on a specific port (typically HTTP or HTTPS) and forwards it to the appropriate backend pool. While listeners are critical for handling incoming traffic, they alone do not provide the ability to control traffic routing based on URL paths. - Why rejected: Listeners handle the incoming connection but are not designed to perform URL-based routing or traffic distribution based on URL paths. You need additional logic to route traffic based on the path in the URL. Option C: Rules - Reasoning: URL-based routing (or path-based routing) is accomplished by defining routing rules in Azure A...

Author: Victoria · Last updated May 19, 2026

You plan to publish a website that will use an FQDN of www.contoso.com. The website will be hosted by using the Azure App Service apps shown in the following table. You plan to use Azure Traffic Manager to manage the routing of traffic for www.contoso.com between AS1 and AS2. You create a Traffic Manager profile named TMprofile1. TMprofile1 uses...

Author: Aarav2020 · Last updated May 19, 2026

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen. You have an Azure application gateway that has Azure Web Application Firewall (WAF) enabled. You configure the application gateway to direct traffic to the URL of the application gateway. You attempt to access the URL and receive an HTTP 403...

Author: Michael · Last updated May 19, 2026

HOTSPOT - Your company has 10 instances of a web service. Each instance is hosted in a different Azure region and is accessible through a public endpoint. The development department at the company is creating an application named App1. Every 10 minutes, App1 will use a list of endpoints and connect to the first available endpoint. You plan to use Azure Traffic Manager to maintain the list of endpoints. You need to configure a Traffic Manager profile...

Author: Isabella1 · Last updated May 19, 2026

DRAG DROP - You have an Azure Front Door instance named FrontDoor1. You deploy two instances of an Azure web app to different Azure regions. You plan to provide access to the web app through FrontDoor1 by using the name app1.contoso.com. You need to ensure that FrontDoor1 is the entry point for requests that use app1.contoso.com. Which three actions should you per...

Author: William · Last updated May 19, 2026

You have a website that uses an FQDN of www.contoso.com. The DNS record for www.contoso.com resolves to an on-premises web server. You plan to migrate the website to an Azure web app named Web1. The website on Web1 will be published by using an Azure Front Door instance named ContosoFD1. You build the website on Web1. You plan to configure ContosoFD1 to publish the website for testing. When you attempt to configure a custom domain for www.contoso.com on ContosoFD1, you receive the error message ...

Author: Kai99 · Last updated May 19, 2026

You have the Azure load balancer shown in the Load Balancer exhibit. LB2 has the backend pools shown in the Backend Pools exhibit. You need to ensure that LB2 distributes traffic to all the members of VMSS1. Which two actions should you per...

Author: Liam · Last updated May 19, 2026

You have an Azure subscription that contains the following resources: * A virtual network named Vnet1 * Two subnets named subnet1 and AzureFirewallSubnet * A public Azure Firewall named FW1 * A route table named RT1 that is associated to Subnet 1 * A rule routing of 0.0.0.0/0 to FW1 in RT1 After deploying 10 servers that run Windows Server to S...

In this scenario, the virtual machines (VMs) are not activated because they are unable to reach the Microsoft Key Management Service (KMS) for activation. Since the traffic is routed through Azure Firewall (FW1) via the route table (RT1) and the firewall is likely blocking certain outbound traffic, we need to allow the required activation traffic through the firewall. Let's evaluate each option: Option A: On FW1, configure a DNAT rule for port 1688 - Reasoning: DNAT (Destination Network Address Translation) rules are used for inbound traffic, redirecting external traffic to an internal resource. However, KMS activation traffic is outbound from the virtual machines to the KMS server, not inbound. Therefore, DNAT is not suitable for enabling outbound communication for KMS activation. - Why rejected: Since KMS activation traffic is outbound, DNAT does not apply to this scenario, and setting up DNAT would not solve the problem. Option B: Deploy an application security group that allows outbound traffic to 1688 - Reasoning: While application security groups are helpful for controlling inbound and outbound traffic within a virtual network, outbound traffic control for specific ports (like port 1688 for KMS activation) is typically managed through network security groups (NSGs) or firewalls, not application security groups. An application security group by itself does not configure outbound access rules for specific ports at the firewall level. - Why rejected: Application security groups are not the correct tool for handling specific outbound port access through Azure Firewall. They cannot configure the firewall to allow outbound traffic to the required KMS service. Option C: On FW1, create an outbound network rule that allows tra...

Author: James · Last updated May 19, 2026

You have an Azure Front Door instance that has a single frontend named Frontend1 and an Azure Web Application Firewall (WAF) policy named Policy1. Policy1 redirects requests that have a header containing "string1" to https://www.contoso.com/redirect1. Policy1 is associated to Frontend1. You need to configure additional redirection settings. Requests to Frontend1 that have a header containing "string2" must be redirecte...

To solve the problem, you need to configure Azure Front Door to redirect requests based on specific header content (i.e., "string2"). The key action is to create a rule that triggers the desired redirection. Let's walk through each option to determine the best approach: 1. A) Create a custom rule. - This is the correct action. You need to create a custom rule that checks for the header containing "string2" and performs the redirect to `https://www.contoso.com/redirect2`. Custom rules allow you to define conditions, such as header values, and specify actions like redirection. - Why selected: Custom rules are the mechanism used to define custom redirect behaviors based on header values. - Why not other options: Creating a policy or frontend host does not directly relate to the redirection based on header values. 2. B) Create a policy. - This option is incorrect in this context because you already have an existing WAF policy (Policy1). Creating a new policy is unnecessary; instead, you need to modify the existing policy or add rules to it. 3. C) Create a frontend host. - A frontend host is already configured as `Frontend...

Author: RadiantPhoenixX · Last updated May 19, 2026

Your company has offices in London, Tokyo, and New York. The company has a web app named App1 that has the Azure Traffic Manager profile shown in the following table. In Asia, you plan to deploy an additional endpoint that will host an updated version of App1. You need to route 10 pe...

Author: IronLion88 · Last updated May 19, 2026

HOTSPOT - You configure a route table named RT1 that has the routes shown in the following table. You have an Azure virtual network named Vnet1 that has the subnets shown in the following table. You have the resources shown in the following table. Vnet1 connects to an ExpressRoute circuit. The on-premises router advertises the following routes: * 0.0.0.0/0 * 10.0....

Author: Maya2022 · Last updated May 19, 2026

HOTSPOT - You have an Azure subscription. The subscription contains virtual machines that host websites as shown in the following table. You have the Azure Traffic Manager profiles shown in the following table. You have the endpoints shown in the following table. For each of the following s...

Author: Sophia Clark · Last updated May 19, 2026

You have an Azure application gateway configured for a single website that is available at https://www.contoso.com. The application gateway contains one backend pool and one rule. The backend pool contains two backend servers. Each backend server has an additional website that is available on port 8080. You need to ensure that if port 8...

To solve this issue, we need to ensure that traffic is properly redirected when one of the backend servers has port 8080 unavailable. Let’s break down each of the options:

A) Create a health probe

A health probe is used by Azure Application Gateway to monitor the health of backend servers. When the probe detects that a server or service is unavailable, it stops sending traffic to that server, ensuring high availability by routing traffic to healthy backend servers. In this case, creating a health probe specifically for port 8080 would allow the Application Gateway to monitor the availability of port 8080 on the backend servers. If one of the backend servers fails to respond on port 8080, the traffic can be rerouted to the other backend server. This is exactly what we need to achieve the goal.

B) Add a new rule

A new rule typically defines how traffic should be routed based on certain conditions (like URL paths, hostnames, etc.). However, this doesn't address the problem of monitoring or handling backend availability for specific ports. A rule would not help with the issue of one server’s port being unavailable—it’s meant more for directing traffic based on routing criteria, not availability. Therefore, adding a new rule wouldn't solve the problem of handling traffic whe...

Author: Emma · Last updated May 19, 2026

You have an Azure subscription that contains the following resources:

* A virtual network named Vnet1
* Two subnets named subnet1 and AzureFirewallSubnet
* A public Azure Firewall named FW1
* A route table named RT1 that is associated to Subnet1
* A rule routing of 0.0.0.0/0 to FW1 in RT1

After deploying 10 servers that run Windows Server to Subne...

To ensure that the virtual machines (VMs) in Subnet1 can be activated, we need to consider how activation works in Azure and the potential issues that may arise when routing traffic through an Azure Firewall (FW1). Specifically, Windows Activation typically requires communication with the Key Management Service (KMS), which is an internet-based service. Here's a breakdown of the options:

Key Factors:
- Virtual Machine Activation: Windows Server VMs generally use KMS (Key Management Service) for activation. This requires access to the KMS service over the internet.
- Outbound traffic via Azure Firewall: Since traffic is routed via FW1 (due to the rule routing 0.0.0.0/0 to FW1), FW1 needs to allow traffic to the internet, including the traffic to Microsoft's KMS servers.

Now, let’s evaluate each option:

A) On FW1, create an outbound service tag rule for AzureCloud
- AzureCloud is a service tag used to represent a set of IPs that cover Azure's public services, including services like Azure KMS (Key Management Service).
- By creating an outbound rule with the AzureCloud service tag on FW1, you can allow traffic to reach various Azure services, including KMS servers required for activation.

Reason for Selection: Allowing outbound traffic for AzureCloud ensures that traffic from the VMs can reach Azure services, including KMS, to complete activation. This is a straightforward and effective approach.

B) Add an internet route to RT1 for the Azure Key Management Service (KMS)
- This option suggests modifying the route table to route traffic specifically to KMS. However, Azure's KMS service is part of a large range of IP addresses managed by Azure, which can change dynamically. Therefore, specifically routing to Azure KMS is not a practical or sustainable solution. Routes would need to be continuously updated and managed, which is not ideal.

Reason for Rejection: It’s impractical to add a specific route fo...

Author: Ahmed97 · Last updated May 19, 2026

You have an Azure subscription. You plan to implement Azure Virtual WAN as shown in the following exhibit. What is the...

Author: Emma · Last updated May 19, 2026

You have an internal Basic Azure Load Balancer named LB1 that has two frontend IP addresses. The backend pool of LB1 contains two Azure virtual machines named VM1 and VM2. You need to configure the...

Author: Akash · Last updated May 19, 2026

Your company has 40 branch offices that are linked by using a Software-Defined Wide Area Network (SD-WAN). The SD-WAN uses BGP. You have an Azure subscription that contains 20 virtual networks configured as a hub and spoke topology. The topology contains a hub virtual network named Vnet1. The virtual networks connect to the SD-WAN by using a network virtual appliance (NVA) in Vnet1. You need to e...

To address the need to propagate BGP routes between the virtual networks (VNet1 and the SD-WAN), we need to focus on a solution that facilitates the exchange of routing information (specifically BGP advertisements) between the Azure virtual networks and the SD-WAN while minimizing administrative effort. Let's evaluate each of the options:

A) An Azure VPN Gateway that has BGP enabled

Azure VPN Gateway supports BGP (Border Gateway Protocol) to exchange routing information between an on-premises network (in this case, the SD-WAN) and Azure virtual networks. However, a VPN Gateway would require you to configure a separate VPN connection for each of your branch offices or VNet-to-SDWAN connection. While it supports BGP, it would likely involve higher administrative overhead due to the individual VPN connections that would need to be maintained, especially with 40 branch offices and 20 virtual networks. While it could technically solve the problem, it doesn’t minimize administrative effort.

B) A NAT gateway

A NAT (Network Address Translation) gateway is used to allow resources in a virtual network to access the internet with a public IP address, particularly for outbound connections. It does not have any capabilities related to BGP or propagating routing information. Therefore, this is not a relevant solution for propagating BGP route advertisements between the virtual networks and SD-WAN.

C) Azure Traffic Manager

Azure Traffic Manager is a global DNS-based traffic distribution service that allows...

Author: ThunderBear · Last updated May 19, 2026

HOTSPOT - You have an Azure load balancer that has the following configurations:

* Name: LB1
* Location: East US 2
* SKU: Standard
* Private IP address: 10.3.0.7
* Load balancing rule: rule1 (Tcp/80)
* Health probe: probe1 (Http:80)
* NAT rules: 0 inbound

The backend pool of LB1 has the following configurations:

* Name: backend1
* Virtual network: Vnet2
* Backend pool configuration: NIC
* IP version: IPv4
* Virtual machines: VM1, VM2, VM3

You have an Azure virtual machine named VM4 that has the following network configurations:

* Network interface: vm4981
* Vir...

Author: Kai · Last updated May 19, 2026

DRAG DROP - Your company, named Contoso, Ltd., has an Azure subscription that contains the resources shown in the following table. You plan to deploy Azure Front Door. The solution must meet the following requirements:

* Requests to a URL of https://contoso.azurefd.net/uk must be routed to App1uk.
* Requests to a URL of https://contoso.azurefd.net/us must be routed to App1us.
* Requests to a URL of https://contoso.azurefd.net/images must be routed to the storage account closest to the user.

What is the minimum number of backend pools and routing rules you should create?...

Author: Ryan · Last updated May 19, 2026

You have an Azure subscription that contains the resources shown in the following table. Gateway1 provides access to App1 by using a URL of https://app1.contoso.com. You create a new web app named App2. You need to configure Gateway1 to enable access to App2 by using a U...

Author: Vivaan · Last updated May 19, 2026

SIMULATION - Username and password - Use the following login credentials as needed: To enter your username, place your cursor in the Sign in box and click on the username below. To enter your password, place your cursor in the Enter password box and click on the password below. Azure Username: [email protected] Azure Password: xxxxxxxxxx - If the Azure portal does not load successfully in the browser, press CTRL-K to reload the portal in a new browser tab. The following information is for technical support purposes only: Lab Instance: 12345678 - You plan to deploy a firewall to subnet1-2. The firewall will have an IP address ...

Author: Olivia Johnson · Last updated May 19, 2026

You have two Azure virtual networks in the East US Azure region as shown in the following table. The virtual networks are peered to one another. Each virtual network contains four subnets. You plan to deploy a virtual machine named VM1 that will inspect and route traffic betwe...

Author: James · Last updated May 19, 2026

You have an Azure subscription that contains the following resources:

* A virtual network named Vnet1
* Two subnets named subnet1 and AzureFirewallSubnet
* A public Azure Firewall named FW1
* A route table named RT1 that is associated to Subnet1
* A rule routing of 0.0.0.0/0 to FW1 in RT1

After deploying 10 servers that run Windows Server to Subne...

Key Considerations: The issue here is that Windows Server activation requires connectivity to Microsoft's Key Management Service (KMS), which typically uses port 1688. The virtual machines (VMs) are not able to activate because their traffic is likely being blocked or misrouted due to the Azure Firewall (FW1) and the associated route table (RT1). The goal is to ensure that the VMs in Subnet1 can reach the KMS service to complete their activation. Let’s evaluate each option in the context of the setup:

A) On FW1, configure a DNAT rule for port 1688
- DNAT (Destination Network Address Translation) rules are typically used to forward inbound traffic to a specific backend server in a network. This is more suited for scenarios where external clients need to reach a service inside your network, such as a web server or a database server.
- Windows activation, however, requires outbound traffic from the VMs to the internet, specifically to port 1688 for KMS. Since DNAT is for inbound traffic, it would not be appropriate here.

Reason for rejection: DNAT is used for inbound traffic, but activation requires outbound traffic to the KMS service, making this solution inappropriate.

B) Deploy a NAT gateway
- A NAT gateway provides outbound internet connectivity for resources in a subnet without requiring a public IP on each individual resource. It is typically used for providing internet access to VMs that do not have direct internet access (i.e., no public IPs).
- While a NAT gateway could help with outbound internet connectivity, the real issue in this scenario is making sure that the Azure Firewall (FW1) allows the necessary traffic to pass through. The firewall may be blocking outbound traffic to port 1688 required for Windows activation.

Reason for rejection: The NAT gateway alone does not resolve the issue because the firewall (FW1) may still be blocking access to port 1688. Therefore, the solution should focus on ensuring the firewall allows the necessar...

Author: Ming88 · Last updated May 19, 2026

You have an on-premises network. You have an Azure subscription that includes a virtual network named VNet1 and a private Azure Kubernetes Service (AKS) cluster named AKS1. VNet1 is connected to your on-premises environment via an Azure ExpressRoute circuit. AKS1 is connected to VNet1. You need to implement an off-cluster ingress controller for AKS1....

To implement an off-cluster ingress controller for an Azure Kubernetes Service (AKS) cluster, we need to provide a solution that allows external connectivity to the containerized workloads hosted on AKS1 while considering the existing network setup (which includes an on-premises network connected to the Azure virtual network via ExpressRoute). Let's analyze the options:

A) Azure Application Gateway

Azure Application Gateway is a Layer 7 load balancer, which means it operates at the application layer (HTTP/HTTPS). It is well-suited for handling ingress traffic, particularly when you need more advanced features like URL-based routing, SSL termination, and Web Application Firewall (WAF) capabilities. Application Gateway can be configured as an ingress controller in AKS, and it integrates well with Azure Kubernetes Service (AKS) to manage ingress traffic for containerized workloads. Since your on-premises network is connected to Azure via ExpressRoute, Application Gateway can route the external traffic from the on-premises environment to AKS1 without issues. Application Gateway is a highly suitable choice here because it works well as an off-cluster ingress controller and can seamlessly provide connectivity from your on-premises environment to your containerized workloads hosted on AKS1.

B) Azure Front Door

Azure Front Door is a global load balancer primarily designed to handle HTTP/HTTPS traffic and provide high availability, global load balancing, and improved performance through routing to the nearest Azure region. It’s often used for public-facing applications and can route traffic to various services across regions. While Azure Front Door could be used for routing traffic to AKS, it is generally used for external public-facing services with global distribution needs. Since you are dealing with an on-premises network connected via...

Author: Sofia · Last updated May 19, 2026

HOTSPOT - You are planning an Azure Front Door deployment that will contain the resources shown in the following table. Users will connect to the App Service through Front Door by using a URL of https://www.fabrikam.com. You obtain a certificate for the host name of www.fabrikam.com. You need to configure a DNS record for www.fabrikam.com and upload th...

Author: Siddharth · Last updated May 19, 2026

HOTSPOT - You have an Azure subscription that contains an app named App1. App1 is hosted on the Azure App Service instances shown in the following table. You need to implement Azure Traffic Manager to meet the following requirements:

* App1 traffic must be assigned equally to each App Service instance in each Azure region.
* App1 traffic from North Europe must be routed to the App1 instances in the North Europe region.
* App1 traffic from North America must be routed to the App1 instances in the East US Azure region.
* If an App Service instance fails, all the traffi...

Author: Evelyn · Last updated May 19, 2026