
Microsoft Certification

Microsoft Practice Questions, Discussions & Exam Topics by our Authors

SIMULATION - Username and password - Use the following login credentials as needed: To enter your username, place your cursor in the Sign in box and click on the username below. To enter your password, place your cursor in the Enter password box and click on the password below. Azure Username: [email protected] Azure Password: xxxxxxxxxx - If the Azure portal does not load successfully in the browser, press CTRL-K to reload the portal in a new browser tab. The following information is for te...

Author: Noah · Last updated May 19, 2026

SIMULATION - Username and password - Use the following login credentials as needed: To enter your username, place your cursor in the Sign in box and click on the username below. To enter your password, place your cursor in the Enter password box and click on the password below. Azure Username: [email protected] Azure Password: xxxxxxxxxx - If the Azure portal does not load successfully in the browser, press CTRL-K to reload the portal in a new browser tab. The...

Author: Grace · Last updated May 19, 2026

SIMULATION - Username and password - Use the following login credentials as needed: To enter your username, place your cursor in the Sign in box and click on the username below. To enter your password, place your cursor in the Enter password box and click on the password below. Azure Username: [email protected] Azure Password: xxxxxxxxxx - If the Azure portal does not load successfully in the browser, press CTRL-K to reload the portal in a new browser tab. The following information is for technical support purposes only: Lab Instance: 12345678 - You are planning security for Azure Front Door. You...

Author: Maya2022 · Last updated May 19, 2026

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return it. As a result, these questions will not appear in the review screen. You have an Azure subscription that contains an Azure Virtual WAN named VWAN1. VWAN1 contains a...

To determine if implementing an Azure Front Door profile will ensure that the security status of Hub1 in Azure Virtual WAN (VWAN1) is marked as Secured, let’s break this down. --- 🔍 Key Concepts: - Azure Virtual WAN (VWAN) is a networking service that provides optimized and automated branch connectivity through Microsoft’s global network. - A VWAN hub is the core of the network, providing connectivity, routing, and integration with other services. - A hub's security status (e.g., Secured vs. Unsecured) is related to whether Azure Firewall or Network Virtual Appliances (NVAs) are deployed in the hub and integrated with the virtual WAN. - Azure marks a hub as Secured when security services like: - Azure Firewall - Partner NVAs are deployed and associated with the hub. --- ❌ Analysis of the Proposed Solution: - Azure Front Door is a glo...

Author: Victoria · Last updated May 19, 2026

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return it. As a result, these questions will not appear in the review screen. You have an Azure subscription that contains an Azure Virtual WAN named VWAN1. VWAN1 ...

To evaluate whether implementing Azure Firewall ensures that the security status of Hub1 in Azure Virtual WAN (VWAN1) is marked as Secured, we need to look at what affects the security posture of a VWAN hub. --- 🔍 Key Concepts: - In Azure Virtual WAN, a hub’s security status indicates whether the hub is protected by a security solution like: - Azure Firewall - A supported third-party Network Virtual Appliance (NVA) - A hub is marked as "Secured" when a managed security service is deployed and integrated into the hub's routing. --- ✅ Why This Solution Works: - Azure Firewall is a native security solution in Azure and is fully integrated...

Author: Sara · Last updated May 19, 2026

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return it. As a result, these questions will not appear in the review screen. You have an Azure subscription that contains an Azure Virtual WAN named VWAN1. VWAN1 con...

To determine whether implementing Azure NAT Gateway will ensure that the security status of Hub1 in Azure Virtual WAN (VWAN1) is marked as Secured, we need to examine what impacts the security status of a VWAN hub. --- 🔍 Key Concepts: - Security status of a VWAN hub: Azure marks a hub as "Secured" when it includes integrated security services such as: - Azure Firewall, or - A supported third-party Network Virtual Appliance (NVA) deployed and integrated with routing in the hub. - Azure NAT Gateway: - Provides outbound connectivity for virtual networks using static public IPs. - Its primary role is Network Address Translation (NAT) — not security enforcement. - It does not offer ...

Author: Sophia Clark · Last updated May 19, 2026

You have an Azure subscription. You plan to deploy Azure Firewall Premium, enable all the Premium features, and configure both network and applicat...

In Azure Firewall Premium, the order in which rules are processed is critical for ensuring proper traffic filtering and threat protection. Here's the breakdown of how rule processing works and the reasoning behind the correct selection: --- Understanding the Rule Types: 1. A) Network Rules: - These match traffic based on IP addresses, ports, and protocols (TCP/UDP). - Used for low-level, layer 3 and 4 filtering. - Examples: Allowing RDP access from a specific IP range. 2. B) Application Rules: - Match based on fully qualified domain names (FQDNs) and HTTP/S traffic. - Used for layer 7 filtering. - Examples: Allowing access to `www.microsoft.com`. 3. C) Threat Intelligence: - A security feature, not a traffic rule per se. - Detects and blocks traffic to/from known malicious IPs or domains, based on Microsoft Threat Intelligence. - It acts before custom rules and can block traffic before other evaluations. 4. D) Infrastructure Rules: - This is not an actual rule type in Azure Firewall. - Possibly a distractor or refers loosely to internal Azure-managed rules, but not configurable or user-defined. --- Rule Processing Order in Azure Firewall Pre...

Author: Mia · Last updated May 19, 2026

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return it. As a result, these questions will not appear in the review screen. You have an Azure subscription that contains an Azure Virtual WAN named VWAN1. VWAN1 contains a hub n...

Scenario Recap: You have: - An Azure Virtual WAN (VWAN1) with a hub (Hub1). - The hub's security status is currently "Unsecured". - You want the hub’s status to become "Secured". - Proposed solution: Implement Azure Web Application Firewall (WAF). --- Understanding Key Components: 1. Azure Virtual WAN Security Status: - A hub in Virtual WAN is marked as "Secured" only when it integrates with Azure Firewall or a supported Network Virtual Appliance (NVA). - This security status reflects whether the hub has network-level threat protection, traffic inspection, and governance. 2. Azure Web Application Firewall (WAF): - WAF protects web applications from common exploits and vulnerabilities like SQL injection, XSS, etc. - It works at layer 7 (application layer). - Typically deployed on Application Gateway, Azure ...

Author: John · Last updated May 19, 2026

You have an Azure subscription that contains an Azure App Service web app named WebApp1 and an Azure Front Door profile named FDProfile1. FDProfile1 forwards requests addressed to https://www.contoso.com to WebApp1. You need to ensure that only requests ...

Scenario Summary: - You have: - An Azure App Service web app named WebApp1. - An Azure Front Door profile (FDProfile1) that currently forwards all requests to WebApp1. - The domain used is `https://www.contoso.com`. - Goal: Forward only requests to `/users/` path to WebApp1. --- Key Requirement: You want to filter requests so that only specific paths (`/users/`) are forwarded to your backend (WebApp1). --- Understanding Front Door Components: 1. A) Routes ✅ - Routes define how Front Door matches incoming requests (e.g., domain + path pattern) and which backend it forwards them to. - This is where you configure path-based routing, such as allowing only `/users/`. - You can set rules like: `Path pattern: /users/ → Backend: WebApp1`. 2. B) Origin Group - Defines a set of backend origins, including health probe settings and load balancing. - It doesn’t control which requests are forwarded — only how and where requests are balanced after routing. - Not used for pat...

Author: Isabella · Last updated May 19, 2026

DRAG DROP - Your on-premises network uses an IP address space of 10.0.0.0/20. You have an Azure subscription that contains the resources shown in the following table. The on-premises network is connected to HubVnet by using a Site-to-Site (S2S) VPN. You deploy an Azure firewall named AZFW1 to HubVNet. You need to ensure that AZFW1 can inspect all the traffic between the on-premises network and SpokeVNet. What should you do in RT1? To answer, drag the appropriate destinati...

Author: Lucas Carter · Last updated May 19, 2026

You purchase an Azure subscription. You plan to deploy resources shown in the following table to the subscription. You need to create a NSG1 rule named Rule1 to meet the following requirements: * Enable the search servers of App1 to establish outbound HTTP connections to internet services. * Minimize administrat...

Author: Elijah · Last updated May 19, 2026

You have an Azure subscription that contains a virtual machine named VM1 and a network security group (NSG) named NSG1. NSG1 has the default rules configured. VM1 runs Windows Server 2022 and contains a single NIC named NIC1. NIC1 is associated with NSG1. You need to prevent access to the Azure In...

To prevent access to the Azure Instance Metadata Service (IMDS) REST API on VM1, the appropriate solution is to configure a network security group (NSG) rule that specifically blocks traffic to the IMDS endpoint. Let's evaluate the options: A) An outbound rule that blocks traffic to an IP address. - Reasoning: The IMDS API is accessible via a specific IP range, which is reserved for the metadata service. Blocking outbound traffic to the specific IP address of the IMDS service would effectively prevent VM1 from accessing IMDS. - Why it works: The IMDS endpoint uses the IP address `169.254.169.254`. By blocking outbound traffic to this IP address, the VM will not be able to access the metadata service. - Considerations: The outbound rule is appropriate because the IMDS is accessed over HTTP (or HTTPS) from the VM to the IP address `169.254.169.254`, which is an external address from the perspective of the VM. B) An inbound rule that blocks traffic to an IP address. - Reasoning: The IMDS API is accessed via outbound traffic, not inbound. The VM sends HTTP requests to the IP address `169.254.169.254` to reach the IMDS API. - Why it doesn’t work: An inbound rule blocking traffic to an IP address would not prevent the VM from sending outbound requests to the IMDS service. This would only affect incoming traffic to the VM, which is irrelevant in this case. C) An inbound and outbound rule that blocks traffic to an application security group. - Reasoning: An a...

Author: Emma Brown · Last updated May 19, 2026

You have an Azure subscription that contains the resources shown in the following table. NSG1 is associated to the NIC of VM1 and contains the rules shown in the following table. You collect NSG flow logs for five minutes for the following activities: * Two RDP sessions from VM1 to VM2, each initiated from a different TCP port * Three SSH sessions from VM2 to VM1, each initiated...

Author: GlowingTiger · Last updated May 19, 2026

HOTSPOT - You have an Azure subscription that contains 1,000 virtual machines. You collect network security group (NSG) flow logs. You need to identify all the virtual machines that have interacted with non-Azure public IP addresses during the last 30 days. How should you complet...

Author: Leah · Last updated May 19, 2026

HOTSPOT - You have an Azure subscription that contains the resources shown in the following table: Each quarter, you deploy five new virtual machines to host App1. You need to add a rule to NSG1 to ensure that the virtual machines that host App1 can connect to SQL1 and SQL2. The solution must follow the principle of least privilege and minimize administrative effort. How should you configure...

Author: Amira · Last updated May 19, 2026

You have an Azure subscription that contains an Azure Front Door named FD1. FD1 is configured as shown in the following exhibit. You need to...

Author: Isabella1 · Last updated May 19, 2026

You have an Azure subscription that contains an instance of Azure Firewall Standard named AzFW1. You plan to enable the following: * TLS inspection * Threat intelligence * A network int...

Let's break down the available options and analyze each feature's support in Azure Firewall Standard (AzFW1): Available Features in Azure Firewall Standard (AzFW1): 1. TLS Inspection: Azure Firewall Standard supports TLS inspection, which allows it to decrypt and inspect TLS-encrypted traffic for threats before re-encrypting it. 2. Threat Intelligence: Azure Firewall Standard can utilize threat intelligence to provide real-time protection based on threat data from Microsoft’s global intelligence network. It can be used to block traffic to and from known malicious IP addresses or domains. 3. Intrusion Detection and Prevention System (IDPS): Azure Firewall Standard includes network intrusion detection and prevention system (IDPS) capabilities. It can detect and block known attack signatures and patterns, similar to other firewall solutions. Evaluating the Options: A) TLS inspection only: - Reasoning: TLS inspection is supported in AzFW1, so this option is valid for TLS inspection. However, this option excludes both threat intelligence and IDPS, which are also supported in Azure Firewall Standard. - Why rejected: Although TLS inspection can be enabled, the other features (threat intelligence and IDPS) can also be enabled simultaneously with TLS inspection in Azure Firewall Standard. So, choosing this option means missing out on these additional capabilities. B) Threat intelligence only: - Reasoning: Azure Firewall Standard supports threat intelligence. It allows blocking traffic based on intelligence feeds, but TLS inspection and IDPS are separate features. - Why rejected: By selecting this option, you would be missing out on the benefits of TLS inspection and IDPS, which are also available with AzFW1. C) TL...

Author: Emily · Last updated May 19, 2026

DRAG DROP - You have an Azure Web Application Firewall (WAF) v2 tier named AG1 on an Azure application gateway. AG1 has a policy named Policy1. You need to add a custom rule to Policy1. The rule must block all requests from IP addresses in a specific IP address range. Which four PowerShell cmdlets should you r...

Author: Madison · Last updated May 19, 2026

You have an Azure subscription that contains a resource group named RG1 and a virtual network named VNet1. You need to deploy Azure Firewall to RG1. The solut...

To determine the correct answer, let’s walk through what’s required to deploy Azure Firewall and how to minimize administrative effort. --- 🔍 Scenario Breakdown - You already have: - A resource group named RG1. - A virtual network named VNet1. - You need to deploy Azure Firewall to RG1. - Goal: Minimize administrative effort (i.e., reuse existing resources where possible and avoid unnecessary setup). --- 🔥 Azure Firewall Requirements When deploying Azure Firewall into a virtual network, it must be placed in a dedicated subnet named `AzureFirewallSubnet`. This is a mandatory requirement, and Azure will not allow deployment without it. - The subnet must: - Be named exactly `AzureFirewallSubnet`. - Have a minimum subnet size of /26. --- 🔎 Option Analysis A) Create a secured virtual hub named AzureFirewallHub - ❌ Incorrect. - This relates to Azure Firewall in Virtual WAN (vWAN) architecture, which is different from deploying into a standard VNet like VNet1. - You’re using a regular VNet, not Virtual WAN, so this is not needed and adds complexity. --- B) Create a n...

Author: David · Last updated May 19, 2026

HOTSPOT - You have an Azure subscription that contains two virtual machines. You monitor traffic between the virtual machines by using NSG flow logs. You have a network security group (NSG) flow log that has the following entries. 1493763938,185.170.185.105,10.2.0.4,35370,23,T,I,A,B,,,, 1493695838,185.170.185.105,10.2.0.4,35370,23,T,I,A,C,200,500,100,300 1493696138,185.170.185.105,10.2.0.4,35370,23,T,I,A,E,1000,6000,500,1200 You need to identify the following metrics from the log entries: * The total number of packets transferred b...

Author: Noah · Last updated May 19, 2026

HOTSPOT - You have an Azure subscription. You plan to implement an Azure application gateway named AGW1. You need to implement an external TLS certificate store for AGW1. The solution must meet the following requirements: * Keys must be stored by using the highest possible security. * Administrative effort must be minimized. Which type of certificate store should you use, an...

Author: VioletCheetah55 · Last updated May 19, 2026

HOTSPOT - You have an on-premises VPN appliance named GW1. You have an Azure subscription that contains an Azure VPN gateway named VPNGW1. VPNGW1 connects to GW1. You need to modify the IKEv2 encryption algorithm used by VPNGW1 and GW1. Which PowerShell cmdlet should y...

Author: Nia · Last updated May 19, 2026

You have an Azure subscription that contains a virtual network named VNet1. VNet1 contains an Azure Virtual Desktop host pool named Pool1. You need to implement Azure Firewall and TLS inspection for all the outbound traffic from Pool1. Which two resources shoul...

Let's analyze the question and options carefully, as we need to implement Azure Firewall and TLS inspection for all outbound traffic from an Azure Virtual Desktop (AVD) host pool. Key Requirements: - Outbound traffic inspection: The goal is to inspect outbound traffic for TLS inspection. This implies the use of Azure Firewall to manage and inspect the traffic. - Traffic routing: Outbound traffic needs to be routed through the Azure Firewall to ensure that it is inspected. This typically requires configuring the virtual network in a way that routes traffic through the firewall. Now, let's go through the available options. A) An Azure Private DNS zone: - Reasoning: A private DNS zone is typically used to manage DNS resolution for resources within a virtual network. While it's crucial for scenarios where DNS resolution needs to be handled internally (such as for private IP addresses), it is not relevant to traffic routing or TLS inspection. - Why rejected: This does not directly help with implementing Azure Firewall or TLS inspection for outbound traffic from Pool1. B) A private endpoint: - Reasoning: Private endpoints are used to connect services privately to your virtual network, enabling traffic to flow over a private IP rather than the public internet. However, private endpoints are not specifically designed for routing outbound traffic through Azure Firewall. - Why rejected: While private endpoints are useful for accessing specific Azure services privately, they do not facilitate routing general outbound traffic (from Pool1 in this case) through Azure Firewall for inspection. C) An Azure Key Vault: - Reasoning: Azure Key Vault is a service for managing secrets, keys, and certificates. It is important for security purposes, but it is not relevant for traffic inspection or routing. - Why rejected: This option does not help with the task of routing or inspecting outbound traffic from an Azure Virtual ...

Author: Ahmed97 · Last updated May 19, 2026

You have an Azure virtual machine named VM1. You need to capture all the network traffic of VM1 by using Azure Network Wat...

When using Azure Network Watcher to capture network traffic from a virtual machine (VM), the captured network traffic can be written to specific storage locations. The key here is to understand where Azure Network Watcher can write the captured traffic data. Key Points: 1. Network Watcher Packet Capture: Azure Network Watcher enables packet captures from a virtual machine, and the captured packets are written to Azure storage accounts or file paths. 2. Capture Locations: The captured traffic can be written to: - Blob storage (general-purpose storage accounts or premium block blob storage) - File path on VM1, but this is typically less preferred as it may impact performance on the VM. Let's analyze the options: A) A file path on VM1 only: - Reasoning: Capturing traffic to a file path on VM1 is possible, but it's not the recommended method for long-term or scalable capture. Writing to a local file on the VM could result in performance degradation and potential data loss if the VM is stopped or crashes. - Why rejected: While it's technically possible, it doesn't provide the scalability, reliability, and convenience of using Azure storage. This option is not ideal for large-scale or persistent captures. B) General purpose v2 standard only: - Reasoning: General-purpose v2 (GPv2) storage accounts support blob storage, which is the most suitable place for storing large amounts of capture data. This storage type can be used to store captured network traffic efficiently. - Why selected: GPv2 accounts are flexible, scalable, and cost-effective, making them the best choice for storing network capture data over extended periods. C) A Block blob premium account only: - Reasoning: A premium block blob account provides high-performance, low-latency storage, but it is usually intended for workloads requiring high IOPS or throughput. While it can store capture data, it’s generally overkill for most packet capture scenarios ...

Author: Madison · Last updated May 19, 2026

You have an Azure subscription that contains the following resources: * A virtual network named Vnet1 * Two subnets named subnet1 and AzureFirewallSubnet * A public Azure Firewall named FW1 * A route table named RT1 that is associated to Subnet1 * A rule routing of 0.0.0.0/0 to FW1 in RT1 After deploying 10 servers that run Windows Server to Subnet1, you disc...

To resolve the issue of virtual machines (VMs) not being activated in Subnet1, it's important to understand why the VMs are unable to activate their operating systems. Windows Server activation often relies on connecting to the Key Management Service (KMS) server, which uses port 1688. If the network traffic is being blocked (especially outbound traffic), the VMs cannot reach the KMS server and therefore cannot activate. Given the scenario, let's analyze the options provided: A) Deploy a NAT gateway: - Reasoning: A NAT gateway allows virtual machines in a subnet to access the internet with a public IP for outbound traffic. However, the issue here is not related to the ability to route traffic to the internet but specifically about reaching the KMS service on port 1688. A NAT gateway on its own doesn’t provide granular control over specific ports like 1688, which is required for KMS activation. - Why rejected: While a NAT gateway is useful for providing outbound internet access, it doesn't solve the specific problem of routing traffic on port 1688 to the KMS server. It is not sufficient to ensure the activation of the VMs without additional rules. B) On FW1, create an outbound network rule that allows traffic to the Azure Key Management Service (KMS): - Reasoning: Azure Firewall (FW1) is managing the network traffic, and creating an outbound rule that allows traffic to the Azure KMS server is a very effective way to ensure that the VMs can communicate with the KMS server. This rule can specifically allow outbound traffic on port 1688, which is used for the Windows Server activation process. - Why selected: This option directly addresses the issue by allowing traffic to the KMS server on the required port. It ensures that activation requests from the VMs can reach the KMS server and complete the activation process. This approach is more specific and controlled than simply opening up broader outbound access. ...

Author: Krishna · Last updated May 19, 2026

HOTSPOT - You have an Azure subscription that contains 200 virtual machines. You need to use Azure Network Watcher to identify which virtual machines generate the most network traffic. The solution must minimize administrative effort. Which prerequisites should you deploy for Network Watcher, and which Network Watcher feature should you u...

Author: Sofia · Last updated May 19, 2026

You have the Azure resources shown in the following table. You configure storage1 to provide access to the subnet in Vnet1 by using a service endpoint. You need to ensure that you can use the service endpoint to conne...

Author: Suresh · Last updated May 19, 2026

HOTSPOT - You have the Azure App Service app shown in the App Service exhibit. The VNet Integration settings for as12 are configured as shown in the Vnet Integration exhibit. The Private Endpoint connections settings for as12 are configured as shown in the Private Endpoint connections exhibit. For each of the fo...

Author: Leo · Last updated May 19, 2026

DRAG DROP - You have an Azure virtual network named Vnet1 that connects to an on-premises network. You have an Azure Storage account named storageaccount1 that contains blob storage. You need to configure a private endpoint for the blob storage. The solution must meet the following requirements: * Ensure that all on-premises users can access storageaccount1 through the private endpoint. * Prevent access to storageaccount1 from being interrupte...

Author: Siddharth · Last updated May 19, 2026

You have an Azure virtual network named Vnet1 that has one subnet. Vnet1 is in the West Europe region. You deploy an Azure App Service app named App1 to the West Europe region. You need to provide App1 with acc...

To allow App1 (Azure App Service app) to access resources in Vnet1, we need to establish network connectivity between the App Service and the virtual network. The solution should also minimize costs, which means selecting the option that provides the required functionality without unnecessary additional infrastructure. --- 🔍 Understanding the App Service Integration with a VNet: Azure App Service (App1) can be integrated with a VNet to allow access to resources within that VNet. There are a few different options to achieve this, depending on the type of connectivity required and the cost considerations. 1. Private Link: - Provides private connectivity to Azure services (like Azure App Service) over a private IP. - This option is more suitable when you're connecting Azure resources like App Service to services that support Private Link, but it’s more expensive and may not be necessary for simple VNet access. 2. New Subnet: - A subnet in a VNet is necessary for integration if you're planning to connect an App Service to the VNet via a VNet Integration feature. But it doesn't make sense to create a new subnet unless you're specifically trying to organize resources differently. If there's already a subnet in Vnet1, you can use it. 3. NAT Gateway: - A NAT Gateway provides outbound internet access for resources in a private subnet. It’s generally used when you have private VMs or resources in the subnet and need outbound access to the internet. - Not necessary for App Service VNet integration, as App Service doesn’t require a NAT gateway for access to VNet resources. 4. Gateway Subnet and Virtual Network Gateway: - This is used for VPN connections or ExpressRoute to provide private connectivity between on-premises networks and Azure VNets. - It's generally used for hybrid cloud scenarios and incurs significant cost due to the infrastructure and bandwidth involved. - Not necessary for VNet integration with an A...

Author: Maya · Last updated May 19, 2026

You have an Azure subscription that is linked to an Azure Active Directory (Azure AD) tenant named contoso.onmicrosoft.com. The subscription contains the following resources: * An Azure App Service app named App1 * An Azure DNS zone named contoso.com * An Azure private DNS zone named private.contoso.com * A virtual network named Vnet1 You create a private endpoint for App1. The record for the endp...

To provide the developer with the correct DNS name for the private endpoint of App1, let's evaluate each option in the context of your Azure setup:

1. Option A: app1.contoso.onmicrosoft.com
   - This domain is typically used for Azure Active Directory-associated resources (like applications registered in Azure AD).
   - It is not related to private endpoints in Azure DNS, so this option does not match the requirements.

2. Option B: app1.private.contoso.com
   - This DNS name suggests it is from a private DNS zone. However, Azure private DNS zones are configured to allow resources within a virtual network to resolve private IPs, and the name would typically be part of the private DNS zone (i.e., the zone you set for the private endpoint, like `private.contoso.com`).
   - This is a plausible option if the private DNS zone for the endpoint was specifically set up to use this subdomain.

3. Option C: app1.privatelink.azurewebsites.net
   - This is the typical DNS name format for private endpoints associated with Azure App Service. Private endpoints are automatically assigned a name in the `privatelink.azurewebsites.net` domain, which is ...

Author: Chloe · Last updated May 19, 2026

You have Azure App Service apps in the West US Azure region as shown in the following table. You need to ensure that all the apps can access the resources in a virtual network named VNet1 without fo...

Author: Mia · Last updated May 19, 2026

HOTSPOT - You have the Azure environment shown in the Azure Environment exhibit. The settings for each subnet are shown in the following table. The Firewalls and virtual networks settings for storage1 are configured as shown in the Storage1 exhibit. For each of the following state...

Author: Oliver · Last updated May 19, 2026

DRAG DROP - You have two Azure subscriptions named Subscription1 and Subscription2. Subscription1 contains a virtual network named Vnet1. Vnet1 contains an application server. Subscription2 contains a virtual network named Vnet2. You need to provide the virtual machines in Vnet2 with access to the application server in Vnet1 by using a private endpoint. Which four actions should ...

Author: Sara · Last updated May 19, 2026

You have an Azure subscription that is linked to an Azure Active Directory (Azure AD) tenant named contoso.onmicrosoft.com. The subscription contains the following resources:

* A virtual network named Vnet1
* An App Service plan named ASP1
* An Azure App Service named webapp1
* An Azure private DNS zone named private.contoso.com
* Virtual machines on Vnet1 that cannot communicate outside the virtual network

You need to ensure that the virtual machines on Vnet1 ca...

Author: Amira99 · Last updated May 19, 2026

You have an Azure Front Door instance named FD1 that is protected by using Azure Web Application Firewall (WAF). FD1 uses a frontend host named app1.contoso.com to provide access to Azure web apps hosted in the East US Azure region and the West US Azure region. You need to configure FD1 to b...

To configure Azure Front Door (FD1) to block requests to the domain `app1.contoso.com` from all countries except the United States, you need to create a Web Application Firewall (WAF) policy that inspects the incoming traffic and applies a rule to block requests based on the country of origin.

Option A: A custom rule that uses a match rule

This option is correct. A custom rule using a match rule allows you to specify criteria based on properties like IP addresses, HTTP headers, and geographic location. In this case, the match rule would be configured to inspect the "Country" field from the incoming request, and block any traffic that originates from countries other than the United States. This solution is the most appropriate because:

- Geographic filtering: It can specifically match and filter requests based on geographic location (e.g., countries).
- Customizability: You can set conditions for your match rule to allow or block traffic from specific countries, giving you control over the rule.

Option B: A frontend host association

This option is not relevant. A frontend host association is used to associate the WAF policy with a specific frontend host (e.g., `app1.contoso.com`), but it does not provide functionality for geographic blocking. The frontend host association is needed to ensure the WA...

Author: Suresh · Last updated May 19, 2026

You are planning the IP addressing for the subnets in Azure virtual networks. Which type of resou...

When planning the IP addressing for the subnets in an Azure Virtual Network, you need to identify which resources within the subnets require IP addresses. Let’s review the options provided to determine which resource requires IP addresses and explain why the others are not applicable.

Option A: Azure DDoS Protection for Virtual Networks

Azure DDoS Protection is a service that helps protect your virtual network resources from Distributed Denial of Service (DDoS) attacks. It is a layer of security that monitors and mitigates traffic in the Azure environment. However, Azure DDoS Protection itself does not require IP addresses within the subnet. It works at the network perimeter, providing protection for any IP addresses that may be targeted by malicious traffic. Since it doesn’t consume any IP addresses within the subnet itself, this option is not applicable.

Option B: Private Endpoints

A private endpoint is a network interface connected to an Azure service, such as Azure Storage or SQL Database, and it allows access to these services over a private IP address within your virtual network. Private endpoints do require IP addresses in the subnets because they represent a network interface that is assigned an IP address within the subnet. This makes the private endpoint accessible only within the virtual network, ensuring secure, private communication with Azure services. Therefore, Private Endpoints do require IP address...

Author: Rahul · Last updated May 19, 2026

You have an Azure subscription that contains the resources shown in the following table. You need to ensure that VM1 and VM2 can connect only to storage1. The solution must meet the following requirements: * Prevent VM1 and VM2 from accessin...

Author: FrozenWolf2022 · Last updated May 19, 2026

SIMULATION - Username and password - Use the following login credentials as needed: To enter your username, place your cursor in the Sign in box and click on the username below. To enter your password, place your cursor in the Enter password box and click on the password below. Azure Username: [email protected] Azure Password: xxxxxxxxxx - If the Azure portal does not load successfully in the browser, press CTRL-K to reload the portal in a new browser tab. The following information is for technical support purposes only: Lab Instance: 1234567...

Author: Ava · Last updated May 19, 2026

SIMULATION - Username and password - Use the following login credentials as needed: To enter your username, place your cursor in the Sign in box and click on the username below. To enter your password, place your cursor in the Enter password box and click on the password below. Azure Username: [email protected] Azure Password: xxxxxxxxxx - If the Azure portal does not load successfully in the browser, press CTRL-K to reload the portal in a new browser tab. The following information is for technical...

Author: Daniel · Last updated May 19, 2026

SIMULATION - Username and password - Use the following login credentials as needed: To enter your username, place your cursor in the Sign in box and click on the username below. To enter your password, place your cursor in the Enter password box and click on the password below. Azure Username: [email protected] Azure Password: xxxxxxxxxx - If the Azure portal does not load successfully in the browser, press CTRL-K to reload the portal in a new browser tab. The following information is f...

Author: Manish · Last updated May 19, 2026

HOTSPOT - You have two Azure subscriptions named Subscription1 and Subscription2. There are no connections between the virtual networks in the two subscriptions. You configure a private link service as shown in the privatelinkservice1 exhibit. (Click the privatelinkservice1 tab.) You create a load balancer name in Subscription1 and configure the backend pool shown in the lb1 exhibit. (Click the lb1 tab.) You create a private endpoint in Subscription2 as shown in the p...

Author: Rohan · Last updated May 19, 2026

You have an Azure subscription that contains an Azure Front Door named FD1. You plan to deploy an app named App1 by using Azure App Service. Users will access App1 by using FD1. You need to provide FD1 with access to App1. The solution must meet the following requirements: * Ensure that users can o...

To meet the requirements that users can only access App1 through Azure Front Door (FD1) and cannot access it directly from the internet, the solution must enforce that App1 is accessible only via FD1, with no direct access. Let's analyze each option:

A) An Access Restriction

- Access restrictions allow you to define rules to control which IP addresses can access an Azure App Service. This would typically be used to block or allow access based on specific IP ranges.
- However, access restrictions do not directly prevent internet access but only restrict it by IP. While you could potentially configure FD1’s IP ranges to allow access to App1, access restrictions alone wouldn't ensure that only FD1 can reach the app, as the app would still be accessible through other means if misconfigured.
- This option doesn't meet the need to restrict access purely to FD1 and prevent direct internet access.

B) A Private Endpoint

- A private endpoint allows you to access Azure App Service via a private IP address within your virtual network. By using a private endpoint, App1 would no longer be accessible over the public internet directly but would be accessible within a private network.
- This option meets the requirement because it ensures that users can only access App1 through FD1, as FD1 can be configured to route traffic to the private endpoint of App1. Since App1 is only accessible through a private IP, no one can access it directly from the internet unless they are connected to the virtual network with the private endpoint.
- This is ...

Author: John · Last updated May 19, 2026

HOTSPOT - You have an Azure subscription that contains the resources shown in the following table. You purchase a certificate for app1.contoso.com from a public certification authority (CA) and install the certificate on appservice1. You need to ensure that App1 can be accessed by using a URL of https://app1.contoso.com. The solution must ensure that all the traffic for App1 is routed via FD1. Which type of DN...

Author: Siddharth · Last updated May 19, 2026

You have an Azure subscription that contains four virtual machines. The virtual machines host an app named App1. You deploy an Azure Standard Load Balancer named LB1 to load balance incoming HTTPS requests to App1. You need to reduce how long it takes for LB1 to stop...

To address the issue of reducing how long it takes for the Azure Load Balancer (LB1) to stop sending traffic to failed virtual machines (VMs) running App1, you need to modify the settings related to health probes. Here's a detailed explanation of each option and why it is selected or rejected:

A) Backend pools settings

- Reasoning: The backend pool defines which virtual machines (VMs) are part of the load balancer's pool for traffic distribution. However, adjusting the backend pool does not directly affect how quickly LB1 stops sending traffic to failed servers. It’s more about which VMs are included in the load balancing pool, not how quickly LB1 detects failures.
- Rejected: This option does not impact failure detection or response time to unhealthy VMs.

B) Diagnostic settings

- Reasoning: Diagnostic settings allow you to monitor and collect data about the load balancer’s operations, such as metrics and logs. While they are useful for understanding load balancer performance and troubleshooting, they do not influence the speed or behavior of failure detection and traffic redirection.
- Rejected: These settings don’t directly affect the time it takes for LB1 to stop sending traffic to failed VMs.

C) Load-balancing rules

- Reasoning: Load balancing rules define how the load balancer distributes traffic to the VMs. These rules determine how traffic is balanced but do not direct...

Author: Zain · Last updated May 19, 2026

You have an Azure virtual network named VNet1 that contains the subnets shown in the following table. You need to deploy an Azure application ...

Author: Isabella1 · Last updated May 19, 2026

HOTSPOT - You have an Azure subscription that contains multiple virtual machine scale sets and multiple Azure load balancers. The load balancers balance traffic across the scale sets. You plan to deploy Azure Front Door to load balance traffic across the load balancers. You need to identify which Front Door SKU to configure, and what to use to route the traffic to the load balancers. The ...

Author: Noah Williams · Last updated May 19, 2026

DRAG DROP - You have an Azure subscription that contains the resources shown in the following table. You discover that users connect directly to App1. You need to meet the following requirements:

* Administrators must only access App1 by using a private endpoint.
* All user connections to App1 must be routed through FD1.
* The downtime of connections to App1 must be minimized.

W...

Author: Isabella · Last updated May 19, 2026

Your on-premises network contains a DNS server named Server1. You have an Azure subscription that contains the resources shown in the following table. The on-premises network is connected to VNet1 by using a Site-to-Site (S2S) VPN. You need to ensure that Server1 c...

Author: StarryEagle42 · Last updated May 19, 2026

You have an Azure Private Link service named PL1 that uses an Azure load balancer named LB1. You need to ensure that PL1 can support ...

To ensure that PL1 (Azure Private Link service) can support a higher volume of outbound traffic, the solution must address the limitations of the Azure load balancer (LB1) that PL1 uses for outbound traffic. Let's go through the options one by one:

A) Increase the number of frontend IP configurations for LB1

- Frontend IP configurations for an Azure load balancer specify the public or private IP addresses that are used to route incoming traffic. However, increasing the number of frontend IP configurations does not directly affect the load balancer’s ability to handle a higher volume of outbound traffic.
- The number of frontend IPs primarily affects incoming traffic, not outbound traffic. So, this option is not suitable for supporting higher outbound traffic for PL1.

B) Increase the number of NAT IP addresses assigned to PL1

- NAT IP addresses are used in scenarios where outbound traffic needs to be translated through specific public or private IP addresses. Increasing the number of NAT IP addresses can help distribute outbound traffic more efficiently across different IP addresses.
- This option directly addresses the need to scale outbound traffic by adding more IPs for the traffic to be routed through, thereby increasing the volume of traffic PL1 can handle.
- This is a viable option for scaling outbound traffic.

C) Deploy an Azure Application Gateway v2 instance to the source NAT subnet ...

Author: RadiantPhoenixX · Last updated May 19, 2026