
You have an Azure subscription that contains the Azure App Service web apps shown in the following table. You need to deploy Azure Traffic Manager. The solution must meet the following requirements: * Traffic to https://www.fabrikam.com must be directed to App1eu. * If App1eu becomes unresponsive, all the traffic to https://www.fabrikam.com must be directed to App1us. You need to implement Traffic ...Author: RadiantPhoenixX · Last updated Jun 22, 2026 |
SNAPSHOT - You have an Azure subscription that contains an app named App1. App1 is deployed to the Azure App Service apps shown in the following table. You need to publish App1 by using Azure Front Door. The solution must ensure that all the requests to App1 are load balanced between all the available worker instances. What is the minimum number of origin...Author: John · Last updated Jun 22, 2026 |
You have an Azure subscription that contains a virtual network named VNet1. VNet1 contains a subnet named Subnet1. You deploy an instance of Azure Application Gateway v2 named AppGw1 to Subnet1. You create a network security group (NSG) named NSG1 and link NSG1 to Subnet1. You need to ensure that AppGw1 will only load bal...To ensure that Azure Application Gateway (AppGw1) only load balances traffic that originates from VNet1, the key is to control inbound traffic to the Application Gateway. Specifically, the traffic that reaches the Application Gateway should be from sources within the same VNet1, while blocking traffic from external sources (i.e., the internet). Let’s break down the options: Key Considerations: - NSG (Network Security Group): An NSG controls both inbound and outbound traffic at the subnet or network interface level. The priority of rules determines their order of evaluation (lower numbers have higher priority). - Inbound Traffic: The Application Gateway typically needs to allow incoming traffic, but we want to restrict it to only traffic coming from within VNet1 (traffic from the same virtual network). Therefore, we need to block traffic coming from outside the VNet. - Outbound Traffic: The traffic that AppGw1 sends out is typically handled differently. It is not directly relevant to restricting inbound access to the Application Gateway from external sources. Now, let’s evaluate the options: A) An outbound rule that has a priority of 4096 and blocks all internet traffic - Outbound rules control traffic leaving the subnet. However, since the goal is to control incoming traffic to AppGw1 (to only allow traffic from VNet1), this outbound rule will not have any impact on restricting traffic to the Application Gateway. - Reason for rejection: The issue is about inbound traffic control, and outbound rules do not affect that. B) An inbound rule that has a priority of 4096 and blocks all internet traffic - This inbound rule blocks all internet traffic (i.e., traffic from outside VNet1) from reaching Subnet1 (where AppGw1 resides). This rule will ensure that only traffic originating from VNet1 can reach A... Author: VenomousSerpent42 · Last updated Jun 22, 2026 |
You plan to implement an Azure virtual network that will contain 10 virtual subnets. The subnets will use IPv6 addresses. Each subnet will host up to 200 load-balanced virtual machines. You need to recommend a load balancing solution for the virtual network. The solution must meet the following requirements: * The virtual machines an...Key Considerations: - Virtual Network Accessibility: The virtual machines and the load balancer must be accessible only from within the virtual network, meaning no external access should be allowed. - Cost Minimization: You need to select a solution that keeps the costs low while still meeting the requirements for load balancing and IPv6 support. - Number of Virtual Machines: You plan to host 200 load-balanced virtual machines per subnet across 10 subnets. This implies a significant number of virtual machines that need to be efficiently distributed across load balancers. Evaluating Each Option: A) Basic Azure Load Balancer - The Basic Azure Load Balancer is an entry-level load balancing solution that is designed for basic scenarios. It supports both IPv4 and IPv6. - Accessibility from the Virtual Network: The Basic Load Balancer can be used to load balance virtual machines within a Virtual Network. It can be configured to ensure that it’s only accessible from the virtual network by using an internal load balancer (ILB). - Cost: The Basic Azure Load Balancer is the least expensive option because it doesn’t offer advanced features like high availability zones, automatic scaling, or advanced routing. - Limitation: The Basic Load Balancer lacks certain features like zone redundancy, auto-scaling, and more sophisticated traffic routing, which might be important as the number of virtual machines grows. However, it’s suitable for simple scenarios and meets the cost minimization requirement. Reason for selection: This is the most cost-effective solution for a simple internal load balancing scenario, especially when advanced features are not required. B) Azure Application Gateway v1 - Azure Application Gateway v1 is designed for more complex scenarios where you need to route HTTP/HTTPS traffic based on content (such as URL path-based routing or host-based routing). It provides features like web application firewall (WAF). - Accessibility from the Virtual Network: It can be set up as an internal gateway, ensuring that it’s only accessible from within the virtual network. - Cost: Azure Application Gateway v1 is more expensive than the Basic Load Balancer due to its advanced features, such as WAF and content-based routing. For 200 load-balanced virtual machines across 10 subnets, this could result in higher operational costs. - Limitation: It’s overkill for scenarios where HTTP/HTTPS-based load balancing is not required. This option also does not seem to align well with the requirement f... Author: RadiantPhoenixX · Last updated Jun 22, 2026 |
SNAPSHOT - You have an Azure subscription that contains the virtual networks shown in the following table. The subscription contains the virtual machines shown in the following table. You create a load balancer named LB1 that has the following configurations: * SKU: Basic * Type: Internal * Subnet: Subnet12 * Virtual network: VNet...Author: Emma Brown · Last updated Jun 22, 2026 |
SNAPSHOT - You have an Azure subscription. The subscription contains an Azure application gateway that has the following configurations: * Name: AppGW1 * Tier: Standard V2 * Autoscaling: Disabled You create an Azure AD user named User1. You need to ensure that User1 can change the tier of AppGW1. The solution must use the principle of least privilege. Which role should you as...Author: Ava · Last updated Jun 22, 2026 |
DRAG DROP - You have an Azure subscription. You plan to deploy Azure Front Door with Azure Web Application Firewall (WAF). You plan to implement custom rules and managed rules that meet the following requirements: * Block malicious bots. * Throttle client IP addresses that exceed 100 connections per minute. You need to identify which Front Door SKU to configure, and which type of rule to configure for each requirement. The solution must minimize administrative effort and costs. What should you identify? To answer, drag t...Author: Michael · Last updated Jun 22, 2026 |
SNAPSHOT - You have an Azure application gateway. You need to create a rewrite rule that will remove the origin port from the HTTP header of incoming requests that are being forwarded to the backend pool. How should you configure each setting? To...Author: IronLion88 · Last updated Jun 22, 2026 |
SIMULATION - Username and password - Use the following login credentials as needed: To enter your username, place your cursor in the Sign in box and click on the username below. To enter your password, place your cursor in the Enter password box and click on the password below. Azure Username: [email protected] Azure Password: xxxxxxxxxx - If the Azure portal does not load successfully in the browser, press CTRL-K to reload the portal in a new browser tab. The following information is for technical support purposes only: Lab Instance: 12345678 - You have two servers that are each hosted by a separate service provider in New York and Germany. The server hosted in New York is accessible by using a host name of ny.contoso.com. The...Author: Leah Davis · Last updated Jun 22, 2026 |
SNAPSHOT - You have an on-premises web server that hosts a web app named App1 and has the following configurations: * IP address: 131.107.50.60 * FQDN: server1.contoso.com You have an Azure subscription. You need to publish App1 by using Azure Front Door. The solution must meet the following requirements: * Ensure that internet users can connect to App1 by using an FQDN of app1.contoso.com. * Minimize the changes required to the configuration of ...Author: Liam123 · Last updated Jun 22, 2026 |
SNAPSHOT - You have an Azure subscription that contains the resources shown in the following table. You plan to deploy an app named App1 to meet the following requirements: * External users must be able to access App1 from the internet. * App1 will be load balanced across all the virtual machines. * App1 will be hosted on VM1, VM2, VM3, and VM4. * App1 must be available if an Azure region fails. * Costs must be minimized. You need...Author: Sara · Last updated Jun 22, 2026 |
You have an Azure Front Door instance named FD that contains an origin group named OG1. You need to configure a health probe for OG1. The solution must minimize the amount of...In this scenario, you're tasked with configuring a health probe for an Azure Front Door origin group (OG1). The key requirement is to minimize the amount of traffic generated by the health probe. Let's break down each HTTP method: A) CONNECT The CONNECT method is used to establish a tunnel to the server, typically for protocols like HTTPS or when performing secure connections. It is not commonly used for checking the health of a service or resource. This method is also not ideal for health probes because it involves a more complex connection process and isn't suited to simply check the availability or responsiveness of a resource. CONNECT would generate unnecessary overhead for a health probe and is therefore not the best choice. B) HEAD The HEAD method is used to retrieve the headers of a resource without fetching the actual content (body). This method is designed to minimize the amount of traffic generated by a request because it does not download the body of the response, only the headers. Since health probes generally only need to check if a server is available (e.g., by checking if a response is returned), HEAD is ideal for minimizing traffic. It allows Azure Front Door to verify the status of the origin without incurring the additional data transfer costs that would come with downloading the... Author: Ahmed · Last updated Jun 22, 2026 |
You have an Azure subscription that contains the resources shown in the following table. You need to configure FW1 to filter traffic that originates from VNet...Author: Oliver · Last updated Jun 22, 2026 |
DRAG DROP - You have an Azure subscription that contains two virtual networks named VNet1 and VNet2. You plan to deploy the resources shown in the following table. You need to deploy two load balancers to manage the traffic for VMSS1, VM1, and VM2. The solution must meet the following requirements: * Either VM1 or VM2 must inspect all the traffic from the internet to App1. * All user connections from the internet to App1 must be load balanced. * Costs must be minimized. Which load balancer SKU should you include in the solution? To ans...Author: Nia · Last updated Jun 22, 2026 |
You have an Azure subscription that contains the resources shown in the following table. You need to configure a solution to meet the following requirements: * App1 must be assigned a private endpoint. * ...Author: Lucas Carter · Last updated Jun 22, 2026 |
SNAPSHOT - You have an Azure subscription that contains a virtual machine scale set named VMSS1 and a public standard Azure load balancer named LB1. VMSS1 contains eight virtual machines that have private IP addresses only. VMSS1 is configured as a backend pool of LB1. LB1 has two frontend IP addresses and one outbound rule that provides internet connectivity to VMSS1. What is the maximum number of ports available to the virtual machines in VMSS1, and w...Author: Leah Davis · Last updated Jun 22, 2026 |
You have an Azure Web Application Firewall (WAF) policy in prevention mode that is associated to an Azure Front Door instance. You need to configure the policy to meet the following requirements: * Log all connections from Australia. * Deny all connections from New Zealand. * Deny all further connections from a net...To meet the requirements for configuring an Azure Web Application Firewall (WAF) policy in prevention mode for an Azure Front Door instance, we need to evaluate how to implement the required actions (logging, denying, and rate-limiting) through custom rules. Let's break down the requirements: 1. Log all connections from Australia: - This can be done using GeoMatch conditions, which allow filtering based on geographic locations (e.g., Australia). Logging is generally done by specifying an action of "Log" within a rule. 2. Deny all connections from New Zealand: - This also involves using a GeoMatch condition to filter for traffic from New Zealand and an action of "Deny." 3. Deny all further connections from a network of `131.107.100.0/24` if there are more than 100 connections during one minute: - This requires implementing rate-limiting using the RateLimit action, which can be applied based on the specific source IP (131.107.100.0/24) and a condition that checks if the number of requests exceeds a threshold within a given period (e.g., more than 100 requests in 1 minute). Let's review the options: A) Three custom rules that each has one condition This option requires three separate custom rules: - One rule for logging connections from Australia. - One rule for denying connections from New Zealand. - One rule for rate-limiting connections from the `131.107.100.0/24` network if more than 100 connections are made in one minute. This option is the most straightforward and adheres to the requirements because each rule focuses on a single condition. Three separate rules are necessary for these distinct actions. This would allow you to configure specific actions (log, deny, rate limit) for different conditions without overloading a single rule with multiple actions. While it results in multiple rules, it is the minimum number of rules to achieve the desired configuration. B) One custom rule that has three conditions This would involve combining all three requirements into a single rule, which is not ideal in this case because: - Logging connections from Australia... Author: Stella · Last updated Jun 22, 2026 |
You have an Azure subscription that contains multiple virtual machines in the West US Azure region. You need to use Traffic Analytics. Which two resources should you create? Each correct answer presents pa...To use Traffic Analytics in Azure, you need to set up resources that allow you to collect and analyze network traffic data. Traffic Analytics requires data from Network Security Group (NSG) flow logs, which is integrated with Log Analytics. Let's evaluate the options: A) An Azure Monitor workbook - Explanation: A workbook in Azure Monitor is a tool for visualizing and analyzing data, often used for creating dashboards. However, it does not provide the necessary infrastructure to collect traffic data for Traffic Analytics. It’s mainly for visualizing the data after it’s collected. - Reason: Not directly involved in the collection of traffic data. It’s more about visualization, not the backend setup for Traffic Analytics. B) A Log Analytics workspace - Explanation: A Log Analytics workspace is where data collected from various Azure resources (like NSG flow logs) is stored and analyzed. Traffic Analytics uses NSG flow logs, and these logs need to be sent to a Log Analytics workspace. The Traffic Analytics service uses the data stored in the Log Analytics workspace to provide insights and analytics. - Reason: This is required for Traffic Analytics because it holds the collected traffic data and allows you to run queries on it. C) A storage account - Explanation: A storage account could be used to store data like logs or backup files, but it is not necessary for Traffic Analytics. Traffic Analytics specifically requires data from Log Analytics, not a storage account. - Reason: Storage accounts are not used to directly collect... Author: Madison · Last updated Jun 22, 2026 |
SNAPSHOT - You have an Azure subscription that contains the virtual machines shown in the following table. Subnet1 and Subnet2 are associated to a network security group (NSG) named NSG1 that has the following outbound rule: * Priority: 100 * Port: Any * Protocol: Any * Source: Any * Destination: Storage * Action: Deny You create a private endpoint that has the following settings: * Name: Private1 * Resource type: Microsoft.Storage/storageAccounts * Resource: storage1 * Target sub...Author: FrozenWolf2022 · Last updated Jun 22, 2026 |
SNAPSHOT - You have an Azure firewall shown in the following exhibit. Use the drop-down menus to select the answer choice that completes each statement based on the information prese...Author: Noah · Last updated Jun 22, 2026 |
You have a hybrid environment that uses ExpressRoute to connect an on-premises network and Azure. You need to log the uptime and the latency of the connection periodically by using an...In this scenario, you are tasked with logging the uptime and latency of a connection between an on-premises network and Azure using ExpressRoute. You want to monitor the connection periodically using both an Azure virtual machine (VM) and an on-premises VM. Let's go over each option and evaluate them: A) Azure Monitor - Rejected: Azure Monitor is a broad monitoring service that collects, analyzes, and acts on telemetry data from various resources in Azure. While it can monitor various performance metrics and logs, it is not specifically designed for tracking the uptime and latency of an ExpressRoute connection between on-premises and Azure. Azure Monitor can help you track overall VM performance or app insights but not specific network metrics like latency and uptime for a hybrid connection. B) IP flow verify - Rejected: IP flow verify is used to troubleshoot and verify the flow of traffic through network security groups (NSGs) in Azure. It helps verify if traffic is allowed or denied based on NSG rules, but it is not intended for logging the uptime and latency of a network connection like ExpressRoute. Therefore, it's not a suitable option for your needs. C) Connection Monitor - Selected: Connection Monitor is a network monitoring tool tha... Author: William · Last updated Jun 22, 2026 |
SNAPSHOT - You have an Azure application gateway named AppGW1 that provides access to the following hosts: * www.adatum.com * www.contoso.com * www.fabrikam.com AppGW1 has the listeners shown in the following table. You create Azure Web Application Firewall (WAF) policies for AppGW1 as shown in the following table. For each ...Author: Emily · Last updated Jun 22, 2026 |
You have an Azure virtual network that contains a subnet named Subnet1. Subnet1 is associated to a network security group (NSG) named NSG1. NSG1 blocks all outbound traffic that is not allowed explicitly. Subnet1 contains virtual machines that must communicate with the Azure Cosmos DB service. You need to create a...In this scenario, you have an Azure virtual network (VNet) with a subnet named Subnet1 that is associated with a Network Security Group (NSG), NSG1, which blocks all outbound traffic that isn't explicitly allowed. Your task is to allow the virtual machines (VMs) in Subnet1 to communicate with Azure Cosmos DB. Let's evaluate the options: A) A service tag - Selected: Service tags are predefined identifiers in Azure that represent a group of IP addresses from specific Azure services or regions. In this case, there is a predefined service tag for Azure Cosmos DB (known as `CosmosDB`). When you use a service tag in your NSG rule, it allows traffic to flow to Azure Cosmos DB without needing to explicitly manage IP ranges. - Using the `CosmosDB` service tag in the outbound rule ensures that the traffic from Subnet1 to Azure Cosmos DB is allowed, without manually defining the IP addresses of Cosmos DB endpoints. - This is the recommended and easiest way to create a rule to allow communication between your VMs and Azure Cosmos DB. B) A service endpoint policy - Rejected: A service endpoint policy is used to configure specific network security and routing policies for Azure service endpoints. However, a service endpoint allows you to connect directly to Azure services like Cosmos DB over a private IP in your virtual network. While service endpoints can help control traffic to specific Azure services, it doesn’t directly address outbound traffic blocking in NSG... Author: Sara · Last updated Jun 22, 2026 |
Your company has offices in Montreal, Seattle, and Paris. The outbound traffic from each office originates from a specific public IP address. You create an Azure Front Door instance named FD1 that has Azure Web Application Firewall (WAF) enabled. You configure a WAF policy named Policy1 that has a rule named Rule1. Rule1 applies a rate limit of 100 requests for traffic...In this scenario, you need to apply a rate limit of 100 requests for traffic originating from each office (Montreal, Seattle, Paris) using Azure Front Door and Web Application Firewall (WAF). You already have a WAF policy with a rule that applies a rate limit for the Montreal office. The task is to extend this rule to apply the same rate limit for the traffic from the other two offices (Seattle and Paris). Let’s break down each option: A) Modify the rate limit threshold of Rule1 - Rejected: Modifying the rate limit threshold of Rule1 will only change the rate limit (i.e., the number of requests allowed) but will not address the core issue, which is that the rule should apply the rate limit for each office. Changing the threshold would affect only the current rule (which applies to Montreal), and does not help you configure rate limits for Seattle and Paris. You need a way to define the rule separately for each office. B) Create two additional associations - Rejected: Associations in Azure WAF policies are used to apply a WAF policy to a specific resource, such as an Azure Front Door. However, creating additional associations does not address the need to apply specific rate limits for each office (Montreal, Seattle, Paris). What you need is to define distinct conditions based on the origin of the traffic (the office's public IP), not just creating new associations for the existing policy. C) Modify the con... Author: Emma · Last updated Jun 22, 2026 |
You have an Azure virtual network named Vnet1. You need to ensure that the virtual machines in Vnet1 can access only the Azure SQL resources in the East US Azure region. The virtual machines must be prevented from accessing any Azure Storage resources. Which two outbound network security group (N...To answer this question correctly, let's break down the requirements and examine each option to see how they apply to the scenario. Scenario Breakdown: - The virtual machines in Vnet1 should be able to access only Azure SQL resources in the East US Azure region. - The virtual machines in Vnet1 must not be able to access any Azure Storage resources. - You need to configure outbound Network Security Group (NSG) rules to meet these requirements. Understanding the Key Components: 1. Azure SQL: This refers to Azure SQL Database or any SQL-related services, which can be accessed through the public endpoint or private endpoint (if using private endpoints). 2. Azure Storage: Refers to Azure storage resources, such as Blob storage, Queue storage, etc. 3. Outbound NSG Rules: You want to create outbound rules, meaning the rules will apply to traffic leaving Vnet1. Key Considerations: - Denying Azure Storage access: You need to deny traffic to Azure Storage resources (e.g., IP ranges associated with Azure Storage) while allowing traffic to Azure SQL resources in the East US. - Allowing access to Azure SQL: The virtual machines should be allowed to connect to SQL resources in the East US Azure region. - NSG Rules: You will configure both Allow and Deny outbound rules to meet the specific access requirements. Option Evaluation: A) A deny rule that has a source of VirtualNetwork and a destination of Sql - Explanation: This rule denies traffic from the Virtual Network (Vnet1) to any SQL resources. However, this rule would block all SQL access, which is contradictory to the requirement, as the VMs in Vnet1 should be able to access SQL resources in East US. - Rejection Reason: This rule would block the required access to SQL resources, which is not the intended result. B) A... Author: Sophia · Last updated Jun 22, 2026 |
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen. You have an Azure subscription that contains the following resources: * A virtual network named Vnet1 * A subnet named Subnet1 in Vnet1 * A virtual machine named VM1 that connects to Subnet1 * Three stora...Let's break down the solution and the goal: Scenario: - You have an Azure virtual machine (VM1) that is connected to Subnet1 in Vnet1. - There are three storage accounts: storage1, storage2, and storage3. - The goal is to ensure that VM1 can access storage1 but is prevented from accessing storage2 and storage3. Solution: - You configure the firewall on storage1 to only accept connections from Vnet1. Key Reasoning: - Azure Storage Account Firewalls can restrict access to a storage account based on the virtual network (VNet) and specific subnets within that VNet. - By allowing access from Vnet1 to storage1 through the firewall, you are ensuring that VM1 (which is in Vnet1) can access storage1. - However, this does not automatically prev... Author: Noah · Last updated Jun 22, 2026 |
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen. You have an Azure subscription that contains the following resources: * A virtual network named Vnet1 * A subnet named Subnet1 in Vnet1 * A virtual machine named VM1 that connects to Subnet1 * Three stor...The goal is to ensure that VM1 can access storage1, but prevent it from accessing the other storage accounts, and you're asked whether creating a network security group (NSG) and associating it with Subnet1 meets this goal. Key Considerations: 1. Network Security Group (NSG): - NSGs are used to control inbound and outbound traffic to and from Azure resources, such as virtual machines, based on rules (IP addresses, ports, etc.). - An NSG can be associated with either a subnet or a network interface to control traffic. - An NSG controls traffic at the network level—it does not have direct control over access to Azure resources like storage accounts. 2. Azure Storage Access: - To control access to storage accounts, you generally use storage account firewalls and virtual networks (VNet rules). - You can specify which VNets or subnets are allowed to access a storage account by configuring the firewall rules for the storage account itself. - An NSG does not have the ability to control which storage accounts VM1 can access based on specific resources like a storage account. Why this Solution Does... Author: Lucas · Last updated Jun 22, 2026 |
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen. You have an Azure subscription that contains the following resources: * A virtual network named Vnet1 A subnet named Subnet1 in Vnet1 - * A virtual machine named VM1 that connects to Subnet1 * Three storage accounts named storage1, st...Author: NebulaEagle11 · Last updated Jun 22, 2026 |
You need to use Traffic Analytics to monitor the usage of applications deployed to Azure virtual machines. Which Azure...To monitor the usage of applications deployed to Azure virtual machines using Traffic Analytics, the key feature you should implement first is NSG flow logs. Here’s why: Key Considerations: 1. Traffic Analytics: - Traffic Analytics is part of Azure Network Watcher and provides insights into traffic patterns and network usage. It helps in understanding traffic flow, application usage, and overall network performance. - Traffic Analytics relies on NSG flow logs to gather data about traffic that is flowing through a network security group (NSG). 2. NSG Flow Logs: - NSG flow logs capture information about inbound and outbound IP traffic to network interfaces in your virtual machines. These logs include information like source and destination IPs, ports, protocols, and whether the traffic was allowed or denied by the NSG rules. - These flow logs are essential for Traffic Analytics to analyze traffic patterns, which is necessary for monitoring the usage of applications. 3. Other Options: - IP Flow Verify: This feature... Author: Aria · Last updated Jun 22, 2026 |
SNAPSHOT - You have an Azure subscription that contains the virtual machines shown in the following table. VNet1 and VNet2 are NOT connected to each other. You need to block traffic from SQL Server 2019 to IIS by using application security groups. The solution must minimize administrative effort. How should you configure the appli...Author: Zara · Last updated Jun 22, 2026 |
SNAPSHOT - You have an Azure virtual network that contains the subnets shown in the following table. In.NSG1, you create inbound rules as shown in the following table. NSG2 has only the default rules configured. You have the Azure virtual machines shown in the following table. For each of the followi...Author: NightmareDragon2025 · Last updated Jun 22, 2026 |
You have the Azure virtual networks shown in the following table. You have the Azure resources shown in the following table. You need to check latency between the resources by using connection monitors in Azu...Author: Daniel · Last updated Jun 22, 2026 |
You have an Azure subscription that contains a virtual network named Vnet1. Vnet1 contains a virtual machine named VM1 and an Azure firewall named FW1. You have an Azure Firewall Policy named FP1 that is associated to FW1. You need to en...To ensure that RDP (Remote Desktop Protocol) requests to the public IP address of the Azure Firewall (FW1) are routed to VM1, the configuration you need is a DNAT rule within the Azure Firewall policy (FP1). Here’s why: Key Considerations: 1. Azure Firewall and DNAT: - Azure Firewall can perform Destination Network Address Translation (DNAT) to forward incoming traffic from the internet to an internal resource (such as a virtual machine). DNAT rules are used to map a public IP address to a private IP address and specific port (like RDP on port 3389). - By creating a DNAT rule in FP1, you are instructing the firewall to forward RDP traffic from the public IP of FW1 to VM1, which is in the private network. 2. Why DNAT is the correct choice: - DNAT rules enable the firewall to forward incoming requests (like RDP traffic) on specific ports to an internal IP address (VM1 in this case). In this scenario, you need to configure a DNAT rule that listens on the public IP of FW1 and forwards traffic on port 3389 (RDP) to the private IP of VM1. 3. Other Options: - ... Author: Carlos Garcia · Last updated Jun 22, 2026 |
SIMULATION - Username and password - Use the following login credentials as needed: To enter your username, place your cursor in the Sign in box and click on the username below. To enter your password, place your cursor in the Enter password box and click on the password below. Azure Username: [email protected] Azure Password: xxxxxxxxxx - If the Azure portal does not load successfully in the browser, press CTRL-K to reload the portal in a new browser tab. The following information is for technical support purposes only: Lab Instance: 12345678 - You need to create an Azure Fire...Author: VioletCheetah55 · Last updated Jun 22, 2026 |
SIMULATION - Username and password - Use the following login credentials as needed: To enter your username, place your cursor in the Sign in box and click on the username below. To enter your password, place your cursor in the Enter password box and click on the password below. Azure Username: [email protected] Azure Password: xxxxxxxxxx - If the Azure portal does not load successfully in the browser, press CTRL-K to reload the portal in a new browser tab. The following information is for technical support purposes only: Lab Instance: 12345678 - You plan to implement an Azure application gateway in the East US Azure region. The application gateway will have Web Application Fi...Author: MysticJaguar44 · Last updated Jun 22, 2026 |
SIMULATION - Username and password - Use the following login credentials as needed: To enter your username, place your cursor in the Sign in box and click on the username below. To enter your password, place your cursor in the Enter password box and click on the password below. Azure Username: [email protected] Azure Password: xxxxxxxxxx - If the Azure portal does not load successfully in the browser, press CTRL-K to reload the portal in a new browser tab. The following information is for technical support purposes only: L...Author: FrostFalcon88 · Last updated Jun 22, 2026 |
You have an Azure subscription that contains a virtual network named Vnet1. Vnet1 contains 20 subnets and 500 virtual machines. Each subnet contains a virtual machine that runs network monitoring software. You have a network security group (NSG) named NSG1 associated to each subnet. When a new subnet is created in Vnet1 an automated process creates an additional network monitoring virtual machine in the subnet and links the subnet to NSG1. You need to create an inbound security rule in NSG1 that will allow connections to the network monitoring virtual machines from an IP address of 131.107.1.15. The sol...To address the given scenario, we need to create an inbound security rule in NSG1 to allow connections to the network monitoring virtual machines (VMs) from a specific IP address (131.107.1.15). The rule must be configured to ensure only the monitoring VMs receive the connection while minimizing changes to NSG1 when new subnets are created. Let's break down each option: A) Application Security Group - What it is: An Application Security Group (ASG) is a way to group virtual machines based on their application roles, irrespective of their IP addresses. This allows for more granular control over security rules by grouping VMs that share common characteristics or functions. - Why it's a good option: By using an ASG, you can group all network monitoring VMs together and reference this group in your NSG rule. This approach would ensure that only the monitoring VMs receive the connection from 131.107.1.15. The advantage is that you can easily update or expand the group as new monitoring VMs are created without needing to modify the NSG rules frequently. - Why it's better: This option meets the requirement to minimize changes to NSG1 when new subnets are created, as the automated process that creates monitoring VMs can be configured to add those VMs to the ASG, ensuring they automatically fall under the same security rule. B) Service Tag - What it is: A Service Tag is a label representing a group of IP address prefixes from specific Microsoft services (e.g., Azure infrastructure, Azure services). Service tags allow you to allow or deny traffic to/from services like AzureLoadBalancer or specific regions. - Why it's not ideal: Service tags are useful for specifying broad access to Azure services, but they wouldn't allow you to specifically target the network monitoring VMs unless they were using a specific Azure service, which is not mentioned in this scenario. It also doesn't provide a way to control ... Author: Daniel · Last updated Jun 22, 2026 |
You have an Azure subscription that contains the resources shown in the following table. Subnet1 contains three virtual machines that host an app named App1. App1 is accessed by using the SFTP protocol. From NSG1, you configure an inbound security rule named Rule2 that allows inbound SFTP connections to ASG1. You need ...Author: Scarlett · Last updated Jun 22, 2026 |
You have an Azure subscription that contains the resources shown in the following table. Users on HP1 connect to App1 by using a URL of https://app1.contoso.com. You need to ensure that the IDPS on FW1 can identify security threats in the connections from HP1 to Server1. Which two ac...Author: Emma · Last updated Jun 22, 2026 |
SNAPSHOT - Case Study - This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided. To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other questions in this case study. At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section. To start the case study - To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. When you are ready to answer a question, click the Question button to return to the question. Overview - Con...Author: Deepak · Last updated Jun 22, 2026 |
SNAPSHOT - You have the Azure firewall shown in the following exhibit. Use the drop-down menus to select the answer choice that completes each statement based on the informati...Author: Stella · Last updated Jun 22, 2026 |
SNAPSHOT - You have an Azure subscription that contains 10 virtual machines. The virtual machines are assigned private IP addresses. The subscription contains the resources shown in the following table. You need to configure FWPolicy1 to meet the following requirements: * Allow incoming connections to the virtual machines from the internet on port 4567. * Block outbound connections from the virtual machines to...Author: Matthew · Last updated Jun 22, 2026 |
DRAG DROP - You have an Azure subscription that contains an Azure VPN gateway named GW1. GW1 provides Point-to-Site (P2S) VPN connectivity. Users connect to GW1 from a Windows 11 device by using an SSTP connection. You need to ensure that the P2S VPN connections support Azure AD authentication. Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions...Author: Suresh · Last updated Jun 22, 2026 |
DRAG DROP - You have an Azure subscription that contains an Azure Firewall Premium policy named FWP1. To FWP1, you plan to add the rule collections shown in the following table. Which priority should you assign to each rule collection? To answer, drag the appropriate priority values to the correct rule collections. Each value may be used once, mo...Author: Kai99 · Last updated Jun 22, 2026 |
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen. You have an Azure subscription that contains an Azure Front Door Premium profile named AFD1 and an Az...In this scenario, the goal is to configure a rate limit for incoming requests to Azure Front Door Premium (AFD1). This rate limiting configuration needs to be implemented in a way that controls the number of requests based on specific thresholds. Let's break down the provided solution: Solution: You configure a managed rule for WAF1. - What is a Managed Rule in WAF? A managed rule set in Azure Web Application Firewall (WAF) provides predefined rules that are designed to protect applications from common web vulnerabilities like SQL injection, cross-site scripting (XSS), and other OWASP Top 10 threats. It generally focuses on blocking malicious requests based on known attack patterns, but rate limiting (i.e., controlling the number of requests over time) is not typically part of the managed rule sets. - Rate Limiting in WAF: While Azure WAF is highly effective at mitigating threats like DDoS attacks, the rate limiting feature is not something that is directly configured through managed rule sets. Rate limiting, in this context, w... Author: Amira99 · Last updated Jun 22, 2026 |
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen. You have an Azure subscription that contains an Azure Front Door Premium profile named AFD1 and an Az...To answer this question, let's evaluate whether modifying the policy settings of WAF1 can configure a rate limit for incoming requests to Azure Front Door Premium (AFD1). Key Concepts: - Azure Front Door Premium (AFD1): This is a global, scalable entry point for fast and secure delivery of applications and content. It provides features like traffic routing, caching, and security integrations with services like Azure Web Application Firewall (WAF). - Azure Web Application Firewall (WAF): WAF provides centralized protection to applications from common threats and vulnerabilities. It can be associated with Azure Front Door, Azure Application Gateway, and Azure CDN. - WAF Policy Settings: These are configurations within the WAF that define security rules, such as the management of attack surface, blocking malicious traffic, and enforcing various protection mechanisms. The Problem: You need to configure a rate limit for incoming requests to AFD1. The question is whether modifying WAF1 policy settings will allow you to configure rate limiting. Explanation: - Rate Limiting: Typically, rate limiting is a mechanism used to control the number of requests an entity (like an IP address or a client) can make to a service in a specific period (e.g., requests per second or minute). While WA... Author: Lucas · Last updated Jun 22, 2026 |
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen. You have an Azure subscription that contains an Azure Front Door Premium profile named AFD1 and an A...To determine if the solution meets the goal, we need to assess the requirements and the solution provided. Key Factors to Consider: - Azure Front Door Premium: Azure Front Door provides load balancing, global traffic management, and security features. The integration with a WAF policy allows for the application of security measures like rate limiting. - Azure Web Application Firewall (WAF): WAF policies are used to protect applications from threats and attacks, and custom rules can be created within WAF to apply specific security measures. - Rate Limiting: Rate limiting is the process of controlling the rate of incoming traffic or requests to protect a system from being overwhelmed or attacked. Azure Front Door provides this functionality, but it is typically implemented either by the WAF or directly through Front Door settings. Analyzing the Solution: - The question asks about configuring a rate limit for incoming requests to AFD1 (Azure Front Door Premium profile). The solution suggests configuring a custom rule in WAF1. Custom rules... Author: Suresh · Last updated Jun 22, 2026 |
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen. You have an Azure subscription that contains an Azure Front Door Premium profile named AFD1 and an Az...To assess whether the solution meets the goal, let’s break down the key elements and the solution provided. Key Factors to Consider: 1. Azure Front Door Premium: AFD1 is an Azure Front Door Premium profile, which supports features like load balancing, traffic management, and security capabilities, including rate-limiting. 2. Azure Web Application Firewall (WAF): WAF1 is a WAF policy associated with AFD1. The WAF is responsible for protecting your applications from security threats such as SQL injection, cross-site scripting, and other vulnerabilities. 3. Rate Limiting: Rate limiting controls the number of requests a client can make within a certain time period to prevent overload or abuse. Azure Front Door Premium supports rate-limiting features, and it can be configured as part of Front Door’s built-in functionality. Rate limiting can be applied directly through Front Door rather than only through WAF custom rules. 4. Rule Set in Azure Front Door: A rule set refers to a collection of rul... Author: Leo · Last updated Jun 22, 2026 |
SNAPSHOT - You have an Azure subscription that contains an Azure Firewall policy named FWPolicy1. You need to configure FWPolicy1 to meet the following requirements: * Allow traffic based on the FQDN of the destination. * Allow TCP traffic based on the source. Which types of rules should you use f...Author: Isabella · Last updated Jun 22, 2026 |
SIMULATION - Username and password - Use the following login credentials as needed: To enter your username, place your cursor in the Sign in box and click on the username below. To enter your password, place your cursor in the Enter password box and click on the password below. Azure Username: [email protected] Azure Password: xxxxxxxxxx - If the Azure portal does not load successfully in the browser, press CTRL-K to reload the portal in a new browser tab. The following information is for technical su...Author: Abigail · Last updated Jun 22, 2026 |