Microsoft Practice Questions, Discussions & Exam Topics by our Authors
SNAPSHOT -
You have an on-premises data center and an Azure subscription. The data center contains two VPN devices. The subscription contains an Azure virtual network named VNet1. VNet1 contains a gateway subnet.
You need to create a site-to-site VPN. The solution must ensure that if a single instance of an Azure VPN gateway fails, or a single on-premises VPN device fails, the failure will not cause an interruption that is longer than two minutes.
What is the minimum number of publ...
Author: GlowingTiger · Last updated Jun 25, 2026
You have an Azure subscription that contains two virtual machines as shown in the following table.
You perform a reverse DNS lo...
To answer this question, let's break down the process of reverse DNS lookup and examine each option in the context of the Azure environment.
Key Concepts:
- A reverse DNS lookup involves querying the DNS system to map an IP address (in this case, `10.0.0.4`) to a Fully Qualified Domain Name (FQDN).
- In Azure, the DNS name associated with a virtual machine depends on the configuration, whether it's in a public or private network, and the region in which the virtual machine resides.
The Scenario:
- The reverse DNS lookup is being performed from VM2 on the IP address `10.0.0.4`, which belongs to VM1. This suggests that VM1 is the target of the lookup.
- In a typical private network setup in Azure, VMs can communicate using private IP addresses and the Azure DNS system will resolve those addresses to internal FQDNs.
Now, let's analyze each of the provided options:
A) vm1.core.windows.net
- Explanation: This is a domain used for public DNS resolution by Azure resources, typically used for services like virtual machines in public IP configurations.
- Rejection: Since the reverse DNS lookup is happening in a private network, this domain (`core.windows.net`) would not be used for private internal IP addresses like `10.0.0.4`. This would be relevant only if the VM had a public IP.
B) vm1.azure.com
- Explanation: This domain is related to Azure public-facing services, but it's not used for internal Azure DNS resolution. The `.azure.com` domain is more commonly associa...
Author: Rohan · Last updated Jun 25, 2026
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an app named App1 that is installed on two Azure virtual machines named VM1 and VM2. Connections to App1 are managed by using an Azure Load
Balancer.
The effective network security configurations for VM2 are shown in the following exhibit.
You discover that connections to App1 from 131.107.100.50 over TCP port 443 fail.
Yo...
Let's break down the scenario and understand the problem to determine if the solution meets the goal.
Scenario Overview:
- App1 is installed on VM1 and VM2.
- Azure Load Balancer manages the connections to App1.
- TCP port 443 (typically HTTPS) is used for connections.
- The goal is to ensure that connections from IP address 131.107.100.50 over TCP port 443 can successfully establish a connection to App1 hosted on VM2.
- The Load Balancer rules are already configured correctly, so the issue likely lies in the network security rules.
- The exhibit likely shows the effective network security configurations for VM2, though it's not explicitly visible here, we can infer it refers to the NSG rules on VM2 or the subnet.
Solution Details:
- The solution suggests creating an inbound security rule that allows any traffic from the AzureLoadBalancer source and has a cost of 150.
Key Considerations:
1. Source of Traffic:
- The traffic from 131.107.100.50 needs to be allowed. However, the source being specified as AzureLoadBalancer is crucial.
- Azure Load Balancer uses a specific source called AzureLoadBalancer for its health checks and load balancing operations. When traffic is routed through the Load Balancer, the source IP is often AzureLoadBalancer, which is a special IP range used for Azure load balancing services.
2. Security Rule:
- Creating an inbound rule for AzureLoadBalanc...
Author: StarlightBear · Last updated Jun 25, 2026
You have an Azure subscription that contains a policy-based virtual network gateway named GW1 and a virtual network named VNet1.
You need to ensure that you can configure a point-to-site connection from an on-premises computer to VNet1.
Which two actions should...
To configure a point-to-site (P2S) connection from an on-premises computer to VNet1 via a virtual network gateway (GW1), let's go through the options carefully and identify the correct actions.
Key Concepts:
- Point-to-Site (P2S) VPN: A P2S connection allows individual client computers to connect securely to a virtual network (VNet) in Azure over the internet. This requires a VPN Gateway configured to support P2S connections.
- Policy-based VPN Gateway: A policy-based VPN gateway (like GW1 in this case) uses static routing and is generally limited to Site-to-Site (S2S) connections. For P2S, route-based gateways are typically required.
- Therefore, the solution likely involves converting the policy-based gateway to a route-based gateway, which supports P2S connections.
Now, let's evaluate each option:
A) Add a service endpoint to VNet1:
- Explanation: Service endpoints are used to connect Azure services to a virtual network over a private link (e.g., Azure Storage, Azure SQL). They allow direct access to certain Azure services from the VNet.
- Rejection: This action is not related to configuring a point-to-site VPN connection. Service endpoints are used for service connectivity, not for enabling P2S VPN connections.
B) Reset GW1:
- Explanation: Resetting the gateway might restart the gateway and potentially clear existing configurations. However, this action by itself does not convert the policy-based gateway to a route-based gateway.
- Rejection: Resetting the gateway won't convert it to a route-based gateway or enable the necessary configuration for P2S connections.
C) Create a route-based virtual network gateway:
- Explanation: A route-based gateway is required for Point-to-Site (P2S) VPN connections. A policy-based gateway (like GW1) doesn't support P2S connections, but a route-based gateway does. To enable P2S VPN, you need ...
Author: SolarFalcon11 · Last updated Jun 25, 2026
SNAPSHOT -
You have an Azure subscription that contains the resources in the following table:
In Azure, you create a private DNS zone named adatum.com. You set the registration virtual network to VNet2. The adatum.com zone is configured as shown in the following exhibit:
For each of the following ...
Author: GlowingTiger · Last updated Jun 25, 2026
SNAPSHOT -
You have an Azure subscription that contains the virtual networks shown in the following table.
The subscription contains the private DNS zones shown in the following table.
You add virtual network links to the private DNS zones as shown in the following table.
For each of the following...
Author: Amelia · Last updated Jun 25, 2026
SNAPSHOT -
You have an Azure subscription.
You plan to use an Azure Resource Manager template to deploy a virtual network named VNET1 that will use Azure Bastion.
How should you complete the template? To answer, select the ap...
Author: Lucas · Last updated Jun 25, 2026
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You manage a virtual network named VNet1 that is hosted in the West US Azure region.
VNet1 hosts two virtual ...
To determine if the solution meets the goal of inspecting all the network traffic from VM1 to VM2 for a period of three hours, let's break down the concept and examine the solution in detail.
Key Concepts:
1. Azure Network Watcher: It is a tool in Azure used for monitoring and diagnosing network issues in virtual networks. It provides several features, including Packet Capture, which allows you to capture and analyze network traffic between virtual machines or across subnets in a virtual network.
2. Packet Capture: This feature enables the capture of network traffic (packets) on a VM’s network interface, which can be used to inspect communication between two VMs (like VM1 and VM2).
Solution Analysis:
The solution involves creating a packet capture using Azure Network Watcher. This action allows you to capture the network traffic between VM1 and ...
Author: Victoria · Last updated Jun 25, 2026
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You manage a virtual network named VNet1 that is hosted in the West US Azure region.
VNet1 hosts two virtual mac...
Key Concepts:
1. Azure Network Watcher: It is a tool for monitoring and diagnosing networking issues in Azure. It provides several features, such as Packet Capture and Connection Monitor.
2. Connection Monitor: This feature allows you to monitor the connectivity between two endpoints (e.g., virtual machines or other resources) in real-time. It checks whether the connection is alive, its latency, and packet loss over a period of time. Connection Monitor is used primarily for monitoring connectivity health and performance, not for deep packet inspection.
3. Packet Capture: The Packet Capture feature in Azure Network Watcher allows you to capture network traffic, providing granular details about the traffic, such as protocols, ports, and the actual packet content. This is the feature best suited for inspecting all network traffic over a specified time period.
Solution Analysis:
The question asks whether creating...
Author: Ahmed97 · Last updated Jun 25, 2026
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You manage a virtual network named VNet1 that is hosted in the West US Azure region.
VNet1 hosts two virtual machin...
Key Concepts:
1. Performance Monitor: This is a Windows tool used to collect, analyze, and track performance data for various system metrics, such as CPU usage, disk I/O, memory usage, and network activity. It is typically used for monitoring the performance of a system or application at a higher level.
2. Data Collector Set (DCS): A Data Collector Set in Performance Monitor allows you to collect performance data from various sources (such as counters for network activity, disk usage, etc.) over a specified period of time. It is commonly used for tracking system performance but not for in-depth packet-level network traffic inspection.
3. Network Traffic Inspection: For inspecting detailed network traffic, such as monitoring the traffic between two virtual machines (VM1 and VM2) in a network, tools like Azure Network Watcher (specifically Packet Capture) are more appropriate than Performance Monitor. Performance Monitor can track basic network statistics (like bytes sent/received), but it does ...
Author: Victoria · Last updated Jun 25, 2026
DRAG DROP -
You have an Azure subscription that contains the resources shown in the following table.
You need to load balance HTTPS connections to vm1 and vm2 by using lb1.
Which three actions should you perform in sequence? To answer, move the appropria...
Author: Madison · Last updated Jun 25, 2026
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You manage a virtual network named VNet1 that is hosted in the West US Azure region.
VNet1 hosts two virtual machines n...
Key Concepts:
1. Azure Monitor: This is a comprehensive monitoring service in Azure that collects, analyzes, and acts on telemetry from your cloud and on-premises environments. It helps track resource performance, health, and logs but is not focused on detailed network traffic inspection.
2. Metrics (Network In/Network Out): Metrics in Azure Monitor can track high-level network statistics such as Network In (the amount of incoming network traffic) and Network Out (the amount of outgoing network traffic). These metrics give an overview of network activity but do not provide detailed packet-level information or allow for deep inspection of network traffic between VMs.
3. Detailed Network Traffic Inspection: For inspecting all network traffic between VM1 and VM2, a deeper level of inspection (such as packet-level capture) is required. Azure Network Watcher's Packet Capture tool would be suitable for this, as it allows you to capture detailed traffic between VMs over a period of time.
Solution Analysis:
The soluti...
Author: Chloe · Last updated Jun 25, 2026
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an app named App1 that is installed on two Azure virtual machines named VM1 and VM2. Connections to App1 are managed by using an Azure Load
Balancer.
The effective network security configurations for VM2 are shown in the following exhibit.
You discover that connections to App1 from 131.107.100.50 over TCP port 443 fail.
You ...
Key Concepts:
1. Azure Network Security Groups (NSGs): These are used to filter network traffic to and from Azure resources, such as virtual machines (VMs). NSGs allow inbound and outbound traffic based on rules defined by the administrator. Each rule includes a source, destination, protocol, port, and action (allow or deny).
2. Azure Load Balancer: The Azure Load Balancer distributes traffic to VMs based on the configured rules. If the rules are correctly set up, it ensures that traffic is properly routed to the backends (VMs) for the specified port and protocol.
3. Inbound Security Rule: An inbound rule in an NSG specifies what traffic is allowed or denied from external sources (like IP address `131.107.100.50`) into the virtual network.
Situation Overview:
- VM2 is the target of connections over TCP port 443 from IP address 131.107.100.50.
- Load Balancer rules have been verified as correct, so the issue likely lies in the NSG configur...
Author: IceDragon2023 · Last updated Jun 25, 2026
DRAG DROP -
You have an Azure subscription that contains two on-premises locations named site1 and site2.
You need to connect site1 and site2 by using an Azure Virtual WAN.
Which four actions should you perform in sequence? To answer, move the appropriat...
Author: Ravi Patel · Last updated Jun 25, 2026
SNAPSHOT -
You have an Azure subscription that contains the virtual networks shown in the following table.
You have the virtual machines shown in the following table.
You have the virtual network interfaces shown in the following table.
Server1 is a DNS server that contains the resources shown in the following table.
You have an Azure private DNS zone named contoso.com that has a virtual network link to VNET2 and the records ...
Author: FrostFalcon88 · Last updated Jun 25, 2026
You have a virtual network named VNet1 as shown in the exhibit. (Click the Exhibit tab.)
No devices are connected to VNet1.
You plan to peer VNet1 to another virtual network named VNet2. VNet2 has an a...
To peer two virtual networks (VNet1 and VNet2), the first step should be ensuring that both virtual networks have the proper address spaces, subnets, and configurations for peering. The options provided each address different aspects of networking.
Let’s evaluate each option:
1. A) Modify the address space of VNet1:
- Reasoning: Virtual network peering requires that the address spaces of the two VNets do not overlap. If VNet1 and VNet2 are to be peered, you need to confirm that their address spaces are not conflicting.
- Scenario: If VNet1’s address space overlaps with VNet2’s address space, you may need to modify VNet1’s address space to avoid a conflict.
- Why this option is rejected: Since the exhibit doesn't indicate an address conflict or specify a requirement to change VNet1’s address space, modifying the address space may not be required at this stage.
2. B) Add a gateway subnet to VNet1:
- Reasoning: A gateway subnet is needed if you plan to connect VNet1 to an on-premises network or to enable VPN gateways between the VNets. However, peering between VNets does not require a gateway subnet unless you're planning to route traffic to on-premises networks or use VPN gateways.
- Scenario: This would be required if you were configuring a VPN or ExpressRoute connection, but it is not necessary for just peering.
- Why this option is rejected: Adding a gateway subnet is not required to create VNet peering unless the peering setup involves connecting to on-premises or other external networks.
3. C) Create a sub...
Author: Liam · Last updated Jun 25, 2026
You have the Azure virtual machines shown in the following table.
VNET1 is linked to a private DNS zone named contoso.com that contains the records shown in the following table...
To determine which DNS names can be used to ping VM2 from VM1, let's consider the setup and key factors involved in the resolution of DNS names within Azure:
Key Considerations:
1. Private DNS Zone and VNET:
- The virtual machines (VMs) in question are part of a VNET (VNET1), which is linked to a private DNS zone (`contoso.com`).
- The private DNS zone contains DNS records for these VMs. This implies that only VMs within this VNET will be able to resolve DNS names for the machines listed in the DNS zone (assuming the VMs are properly registered).
2. DNS Resolution:
- The DNS names can be resolved only if the DNS records exist in the private DNS zone linked to VNET1. For a machine to resolve a DNS name, that name must be present in the private DNS zone and be accessible from the same VNET or be part of the DNS configuration of that VNET.
3. The DNS Records for the Machines:
- Each VM will have a DNS record in the private DNS zone (`contoso.com`) for its respective name.
- From the provided information, we can assume that VM1 (being part of VNET1) can resolve the DNS names of the VMs listed in the DNS zone, based on the records shown in the table.
Options Review:
- A) comp2.contoso.com and comp4.contoso.com only:
- This option restricts the ping to only `comp2.contoso.com` and `comp4.contoso.com`. However, unless there is specific information stating that only these two names are resolvable from VM1, this option is incomplete. No such restriction is indicated, so it can't be the correct choice.
- B) comp1.contoso.com, comp2.contoso.com, comp3.contoso.com, and comp4.contoso.com:
- This option includes all the records from the private DNS z...
Author: Scarlett · Last updated Jun 25, 2026
SNAPSHOT -
You have a network security group (NSG) named NSG1 that has the rules defined in the exhibit. (Click the Exhibit tab.)
NSG1 is associated to a subnet named Subnet1. Subnet1 contains the virtual machines shown in the following table.
You need to add a rule to NSG1 to ensure that VM1 can ping VM2. The solution must use the principle of least privilege....
Author: Zara1234 · Last updated Jun 25, 2026
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have a computer named Computer1 that has a point-to-site VPN connection to an Azure virtual network named VNet1. The point-to-site connection uses a self-signed certificate.
From Azure, you download and install the VPN ...
To determine if the solution meets the goal of establishing a point-to-site VPN connection from Computer2 to VNet1, let's break down the question and the proposed solution:
Goal:
You need to ensure that Computer2 can establish a point-to-site VPN connection to VNet1. Computer2 has already downloaded and installed the VPN client configuration package from Azure.
Proposed Solution:
The solution suggests setting the Startup type for the IPSec Policy Agent service to Automatic on Computer2.
Key Considerations:
1. Point-to-Site VPN Setup:
- Point-to-site VPNs use client certificates (in this case, a self-signed certificate) for authentication. The connection to the Azure VNet is established by using the VPN client configuration package, which contains the necessary settings.
- The IPSec Policy Agent service is part of the configuration that manages IPsec connections, but its role is primarily for managing IPsec VPN configurations on Windows machines.
2. IPSec Policy Agent Service:
- The IPSec Policy Agent service is used for managing the configuration of IPsec policies and helps establish IPsec VPN connections on Windows computers.
- This service is relevant when using IPsec (e.g., in Site-to-Site VPNs) but is not required for Point-to-Site (P2S) VPNs that rely on...
Author: Zara · Last updated Jun 25, 2026
You have five Azure virtual machines that run Windows Server 2016. The virtual machines are configured as web servers.
You have an Azure load balancer named LB1 that provides load balancing services for the virtual machines.
You need to...
To ensure that visitors are serviced by the same web server for each request, you need to configure session persistence with the appropriate settings in the Azure load balancer. Let’s break down the options:
Key Considerations:
1. Session Persistence (Sticky Sessions):
- Session persistence ensures that once a user is directed to a specific backend server, they continue to interact with the same server for subsequent requests. This is important for scenarios like web applications that rely on user sessions (such as maintaining login states or session data).
2. Load Balancer Protocol:
- The Azure Load Balancer supports different types of persistence options depending on the protocol (TCP/UDP). For web servers, TCP is typically used, and session persistence (also known as sticky sessions) is the way to ensure traffic is directed to the same VM for the duration of a user's session.
Option Breakdown:
- A) Session persistence to Client IP and protocol:
- Explanation: This option configures the load balancer to direct requests from the same client IP address (and protocol) to the same backend server. This is exactly what you need, as it ensures that a user will always be directed to the same web server during their session based on their IP address and the protocol used.
- Why this option is selected: This is the correct configuration because it enables sticky sessions based on the client's IP and protocol, which is typically required for web applications where maintaining the session on the same server is critical.
- B) Protocol to UDP:
- Explanation: UDP is a connectionless protocol typically used for scenarios like DNS, streaming, or other real-time services. F...
Author: Rahul · Last updated Jun 25, 2026
You have an Azure subscription that uses the public IP addresses shown in the following table.
You need to create a public Azure Stan...
To determine which public IP addresses can be used with a Standard Azure Load Balancer, we need to understand the restrictions and requirements for assigning public IPs to a Standard Load Balancer.
Key Considerations:
1. Public IP Address Types: Azure has two types of public IP addresses:
- Static Public IP: These IPs are reserved and do not change over time.
- Dynamic Public IP: These IPs may change if the associated resource is stopped and restarted.
2. Standard Load Balancer and Public IPs:
- A Standard Load Balancer requires Static Public IPs. You cannot use a Dynamic Public IP for a Standard Load Balancer.
3. Public IP SKU: Azure has two SKUs for public IPs:
- Basic SKU: Works with Basic Load Balancers.
- Standard SKU: Works with Standard Load Balancers.
- For a Standard Load Balancer, you must have Standard SKU public IPs.
Scenario Breakdown:
1. IP1: Could be either Sta...
Author: Ethan · Last updated Jun 25, 2026
You have an Azure subscription.
You are deploying an Azure Kubernetes Service (AKS) cluster that will contain multiple pods. The pods will use kubernet networking.
You need to restrict...
To restrict network traffic between pods in an Azure Kubernetes Service (AKS) cluster, the most appropriate option involves controlling network-level interactions between the pods. Here’s a breakdown of the available options and their relevance:
Key Considerations:
1. Network Policies: Network policies allow you to control the communication between pods. These policies can define which pods can communicate with other pods, effectively restricting network traffic. The control happens at the IP address or port level.
2. Pod Security Policies: Pod Security Policies (PSPs) are used to define security-related configurations for pods, such as preventing privileged containers or restricting access to host resources. They do not control networking or traffic restrictions.
3. Application Security Groups (ASGs): ASGs are used to control network security at the Azure level, primarily in Virtual Networks (VNets) or between virtual machines. They cannot be used to restrict communication at the pod level in AKS.
4. Calico Network Policy: Calico is a powerful network plugin for Kubernetes that supports network policies. It can be used to enforce fine-grained control over traffic between pods, including allowing or denying traffic based on labels or selectors.
5. Azure Network Policy: Azure Network Policy is a Kubernetes network policy plugin that provides network traffic restrictions similar to Calic...
Author: Oliver · Last updated Jun 25, 2026
SNAPSHOT -
You have an Azure subscription that contains a virtual network named VNet1. VNet1 uses an IP address space of 10.0.0.0/16 and contains the VPN Gateway and subnets in the following table:
Subnet1 contains a virtual appliance named VM1 that operates as a router.
You create a routing table named RT1.
You need to route all inbound traffic from the VPN gateway to VNet1 t...
Author: Harper · Last updated Jun 25, 2026
You have five Azure virtual machines that run Windows Server 2016. The virtual machines are configured as web servers.
You have an Azure load balancer named LB1 that provides load balancing services for the virtual machines.
You need to...
To ensure that visitors are serviced by the same web server for each request in an Azure environment with an Azure Load Balancer, you need to configure session persistence. Here’s the reasoning behind each option and its relevance:
Key Considerations:
1. Session Persistence: Also known as sticky sessions, session persistence ensures that once a client establishes a connection with a particular server (in this case, a virtual machine), all subsequent requests from that client are routed to the same server. This is especially important for web applications where maintaining state between requests (such as user sessions) is critical.
2. Floating IP (Direct Server Return): Floating IP allows the load balancer to forward traffic to back-end servers in certain configurations. Direct server return (DSR) refers to the server returning traffic directly to the client without passing through the load balancer after the initial request. This is typically used in scenarios where the client does not need to know about the load balancer after the initial connection is made. DSR does not guarantee that the same server will handle future requests from the same client.
3. Health Probe: A health probe is used by the Azure Load Balancer to determine whether a virtual machine is healthy and able to handle traffic. While important for routing traffic only to healthy VMs, it does not ensure that a client is directed to the same VM for every request.
4. Session Persistence to Client IP and Protocol: This option enables session persistence based on the client's IP...
Author: Sophia · Last updated Jun 25, 2026
SNAPSHOT -
You have an Azure subscription that contains the virtual machines shown in the following table:
VM1 and VM2 use public IP addresses. From Windows Server 2019 on VM1 and VM2, you allow inbound Remote Desktop connections.
Subnet1 and Subnet2 are in a virtual network named VNET1.
The subscription contains two network security groups (NSGs) named NSG1 and NSG2. NSG1 uses only the default rules.
NSG2 uses the default rules and the following custom incoming rule:
* Priority: 100
* Name: Rule1
* Port: 3389
* Protocol: TCP
* Source: Any
* Destination: Any
* ...
Author: Siddharth · Last updated Jun 25, 2026
You have an Azure subscription that contains two virtual machines named VM1 and VM2.
You create an Azure load balancer.
You plan to create a load balancing rule that will load balance HTTPS traffic between VM1 and VM2.
Which two additional load balancer resources should you create before you can cr...
To create a load balancing rule for HTTPS traffic between VM1 and VM2 using an Azure load balancer, you need to set up certain prerequisites. Let's go through each option:
A) a frontend IP address
- Explanation: A frontend IP address is necessary for the load balancer to receive traffic from clients and direct it to the appropriate backend pool. The frontend IP address is associated with the load balancer and serves as the entry point for external traffic (in this case, HTTPS traffic). Without a frontend IP address, the load balancer won't be able to receive traffic to distribute.
- Why this is needed: It's critical to have a frontend IP to route the incoming traffic to the appropriate backend pool. For a load balancing rule to work, you need an IP address that clients can access.
B) an inbound NAT rule
- Explanation: Inbound NAT rules are used to map specific ports on the load balancer to virtual machine ports. These are typically used for scenarios where individual VMs are exposed via a public IP address and need direct access to specific services like RDP or SSH. However, this is not needed for the general load balancing of traffic between VMs. The use of NAT rules would interfere with the load balancing itself.
- Why this is not needed: NAT rules are typically used for management or diagnostic purposes, not for load balancing HTTPS traffic. Since we're aiming to balance traffic across multiple VMs, the NAT rule doesn't apply.
C) a virtual network
- Explanation: A virtual network (VNet) is essential for the communication between the load balancer and the virtual machines. The VNet ensures that VM1 and VM2, as well as the load balancer, can communicate with each other. Without a VNet, there would be no net...
Author: Alexander · Last updated Jun 25, 2026
You have an on-premises network that contains a database server named dbserver1.
You have an Azure subscription.
You plan to deploy three Azure virtual machines. Each virtual machine will be deployed to a separate availability zone.
You need to configure an Azure VPN gateway for a site-to-site VPN. The solution must ens...
To configure an Azure VPN gateway for a site-to-site VPN that ensures the virtual machines (VMs) in Azure can connect to the on-premises database server (dbserver1), you need to carefully select the appropriate public IP address SKU and assignment for the gateway. Let's break down each option and explain which one is correct.
A) a basic SKU and a static IP address assignment
- Explanation: A basic SKU for public IP addresses is typically used for scenarios with less critical applications and lower performance requirements. It has limited features compared to the standard SKU, such as lower availability and reliability. Also, a static IP address ensures that the public IP address does not change, which is necessary for a site-to-site VPN connection because the on-premises network needs a fixed IP address to establish the VPN tunnel.
- Why this is not ideal: While a static IP is necessary, the basic SKU has limitations in terms of scalability, performance, and availability. Azure recommends using the standard SKU for production-level VPN gateways as it offers higher reliability, availability, and features suited for business-critical applications, including site-to-site VPN configurations.
B) a standard SKU and a static IP address assignment
- Explanation: The standard SKU for public IP addresses offers enhanced features such as better performance, higher availability, and support for advanced networking configurations like VPN gateways. It also provides better redundancy and can handle more traffic compared to the basic SKU. A static IP assignment ensures that the IP address remains ...
Author: Ryan · Last updated Jun 25, 2026
SNAPSHOT -
You have two Azure virtual machines as shown in the following table.
You create the Azure DNS zones shown in the following table.
You perform the following actions:
* =D7=80=C2=A2=D7=80=C2=BE fabrikam.com, you add a virtual network link to vnet1 and enable auto registration.
* For contoso.com, you assign vm1 and vm2 the Owner role.
Fo...
Author: David · Last updated Jun 25, 2026
You have an on-premises datacenter and an Azure subscription.
You plan to connect the datacenter to Azure by using ExpressRoute.
You need to deploy an ExpressRoute gateway. The solution must meet the following requirements:
* Support up to 10 Gbps of tra...
When choosing an ExpressRoute gateway SKU to meet the given requirements, we need to carefully consider the specifications for each option. Let's analyze the requirements and then evaluate each SKU.
Requirements:
1. Support up to 10 Gbps of traffic: This means we need a SKU that supports high throughput.
2. Support availability zones: The solution must support deployment across multiple availability zones for high availability and resilience.
3. Support FastPath: FastPath is a feature that provides faster routing of traffic by bypassing some of the standard gateway processing, which can reduce latency.
4. Minimize costs: We want to choose the SKU that satisfies the requirements but also ensures cost efficiency.
Evaluation of Each SKU:
A) ERGw1AZ
- Support up to 10 Gbps: The ERGw1AZ SKU supports up to 2 Gbps, so it does not meet the requirement for 10 Gbps.
- Support availability zones: This SKU does support availability zones, as indicated by "AZ" in the name.
- Support FastPath: ERGw1AZ supports FastPath.
- Minimize costs: While it might be cheaper, it doesn't meet the 10 Gbps requirement, making it unsuitable for this case.
- Why this option is rejected: While it supports availability zones and FastPath, it doesn’t meet the traffic throughput requirement of 10 Gbps.
B) ERGw2
- Support up to 10 Gbps: The ERGw2 SKU supports up to 10 Gbps of throughput, so it meets this requirement.
- Support availability zones: ERGw2 does not support availability zones. This means it can't fulfill the requirement for zone redundancy.
- Support FastPath: ERGw2 does ...
Author: ElectricLionX · Last updated Jun 25, 2026
SNAPSHOT -
You have a virtual network named VNET1 that contains the subnets shown in the following table:
You have Azure virtual machines that have the network configurations shown in the following table:
For NSG1, you create the inbound security rule shown in the following table:
For NSG2, you create the inbound security rule shown in the following table:
...
Author: Matthew · Last updated Jun 25, 2026
SNAPSHOT -
You have an Azure subscription named Subscription1.
Subscription1 contains the virtual machines in the following table:
Subscription1 contains a virtual network named VNet1 that has the subnets in the following table:
VM3 has multiple network adapters, including a network adapter named NIC3. IP forwarding is enabled on NIC3. Routing is enabled on VM3.
You create a route table named RT1 that contains the routes in the following table:
...
Author: Victoria · Last updated Jun 25, 2026
Your on-premises network contains an SMB share named Share1.
You have an Azure subscription that contains the following resources:
* A web app named webapp1
* A virtual network named VNE...
To ensure that webapp1 in your Azure subscription can connect to Share1 (the SMB share on your on-premises network), you need to establish a secure connection between your Azure resources (webapp1) and the on-premises network where the SMB share resides. Let’s evaluate the options to find the most appropriate solution.
A) An Azure Application Gateway
- Explanation: The Azure Application Gateway is a web traffic load balancer that enables you to manage traffic to your web applications. It is designed for HTTP/HTTPS traffic and provides features such as SSL termination, web application firewall (WAF), and URL-based routing.
- Why this is not ideal: Since SMB (Server Message Block) is a protocol used for file sharing, not HTTP/HTTPS, the Application Gateway won't work for connecting webapp1 to Share1. Application Gateway is not designed to handle SMB traffic.
B) An Azure Active Directory (Azure AD) Application Proxy
- Explanation: Azure AD Application Proxy is a solution that provides secure remote access to internal applications. It allows users to access on-premises applications over the internet through Azure AD.
- Why this is not ideal: The Azure AD Application Proxy is designed to enable access to web applications and HTTP-b...
Author: Zara1234 · Last updated Jun 25, 2026
You have an Azure subscription that contains the resources shown in the following table.
You create a public IP address named IP1.
Which two resources can you associate to IP1? Each correct a...
To determine which resources can be associated with the public IP address (IP1), we need to understand the types of resources that can support public IP associations in Azure. Here’s an analysis of each option:
A) VM1
- Why it's rejected:
- A VM (Virtual Machine) in Azure can be associated with a public IP address, but the public IP must be assigned to the network interface (NIC) of the VM, not the VM itself.
- The public IP is typically assigned to the NIC to allow internet communication directly with the VM, not to the VM as a resource.
- Scenario it can be used: If a public IP is needed for a VM, the IP would be associated with the VM’s NIC, not the VM resource itself.
B) LB1 (Load Balancer)
- Why it's selected:
- A Load Balancer (LB1) can be associated with a public IP in order to distribute traffic to the backend VMs or services. Azure Public Load Balancers are associated with public IP addresses to route external traffic to internal resources.
- A public load balancer is specifically designed to handle traffic from the internet and distribute it to resources within the virtual network.
- Scenario it fits: When you need to expose multiple services to the internet via a load balancer, you would assign a public IP to the load balancer to handle traffic routing.
C) NIC1 (Network Interface Card)
- Why it's selected:
- A Network Interface Card (NIC) can be directly associated with a public IP address to allow the associated virtual machine or service to be accessible from the internet.
- The NIC serves as the interface for VM1 or other resources to communicate with external networks, and public IPs are associated directly with NICs to ...
Author: Vikram · Last updated Jun 25, 2026
Your on-premises network contains a VPN gateway.
You have an Azure subscription that contains the resources shown in the following table.
You need to ensure that all the traffic from VM1 to...
To ensure that all traffic from VM1 to Storage1 travels across the Microsoft backbone network, we need to focus on options that enable private, direct, and optimized routing within Azure's network infrastructure. Let's analyze each option based on the requirement:
A) Network Security Group (NSG)
- NSGs are used to control inbound and outbound traffic to and from resources within a virtual network. They are primarily used for traffic filtering and security, not for controlling routing paths. While an NSG can restrict access to resources, it doesn't specifically influence how traffic between VM1 and Storage1 travels across the network.
- Rejection Reason: NSGs do not control traffic routing over the backbone network; they only manage security policies.
B) Service Endpoints
- Service Endpoints allow resources within a virtual network (such as VMs) to securely connect to Azure services (like Storage, SQL, etc.) over the Azure backbone network. With service endpoints, traffic between the VM and the storage account is directed over the Microsoft backbone network, bypassing the public internet.
- Key Factor: This option explicitly ensures that traffic between VM1 and Storage1 will flow over the Microsoft backbone network, as it enables secure connectivity to Azure services.
- Selected Option: Service Endpoints are the most appropriate solution for ensuring that traffic travels across the Microsoft backbone ...
Author: NebulaEagle11 · Last updated Jun 25, 2026
You plan to deploy route-based Site-to-Site VPN connections between several on-premises locations and an Azure virtual...
To deploy route-based Site-to-Site VPN connections between several on-premises locations and an Azure virtual network, you need to choose a tunneling protocol that is both secure and reliable for this type of deployment. Let's evaluate each option:
A) IKEv1:
- Explanation: IKEv1 (Internet Key Exchange version 1) is an older protocol used to establish secure communication between devices.
- Reasons for rejection: While IKEv1 is supported, it is considered less secure and less efficient compared to newer protocols. It has vulnerabilities and lacks some of the advanced security features found in IKEv2.
- Scenarios for Use: IKEv1 is still supported for backward compatibility in environments with legacy systems that don’t support IKEv2, but it is not the best choice for modern deployments.
B) PPTP:
- Explanation: PPTP (Point-to-Point Tunneling Protocol) is an older VPN protocol primarily used for remote access VPNs.
- Reasons for rejection: PPTP is highly insecure and vulnerable to attacks. It is considered obsolete and unsuitable for production environments requiring robust security.
- Scenarios for Use: It’s not recommended for any production-level Site-to-Site or secure communications in modern networks.
C) IKEv2:
- Explanation: IKEv2 (Internet Key Exchange version 2) is a modern and secure tunneling protocol that provides several improvements o...
Author: Lucas Carter · Last updated Jun 25, 2026
You have an Azure subscription that contains the resources shown in the following table.
You configure Azure Site Recovery to replicate VM1 between the US East and West US regions.
You perform a test failover of VM1 and specify VNET2 as the target vir...
When performing a test failover with Azure Site Recovery (ASR), the test version of the VM will be deployed in the specified target virtual network (VNET2), and it will be connected to a subnet within that network. The key factor to understand here is that Azure Site Recovery creates a test VM that simulates a failover but does not affect the production resources. Let's analyze each option based on the provided information.
Given Information:
- The target virtual network for the test failover is VNET2.
- A test failover of VM1 is performed from US East to US West regions.
- The test version of VM1 will be connected to a subnet in VNET2.
Options Analysis:
A) TestSubnet1:
- Explanation: This subnet could potentially be associated with VNET2, but there's no indication in the question that this subnet is specifically designed for failovers or recovery purposes. It might be a test network, but this option lacks the specific context that makes it the correct subnet for a recovery scenario.
B) DemoSubnet1:
- Explanation: This subnet might be used for other demo or non-production purposes, but there's no indication in the question that this subnet is the designated recovery subnet. It does not appear relevant to the failover setup.
...
Author: Matthew · Last updated Jun 25, 2026
You have five Azure virtual machines that run Windows Server 2016. The virtual machines are configured as web servers.
You have an Azure load balancer named LB1 that provides load balancing services for the virtual machines.
You need to...
To ensure that visitors are serviced by the same web server for each request when using an Azure load balancer, the key feature you need to configure is session persistence. Session persistence ensures that once a client connects to a particular server, subsequent requests from the same client are routed to the same server, creating a sticky session.
Let's analyze the options one by one:
A) Protocol to UDP:
- Explanation: UDP (User Datagram Protocol) is used for stateless protocols, such as streaming services or DNS queries, where session persistence is typically not needed.
- Reason for rejection: Since this scenario involves web servers (which use HTTP/HTTPS), TCP is the more appropriate protocol for maintaining a persistent connection, and UDP would not be ideal for maintaining sticky sessions. Therefore, this option does not address the session persistence requirement for web traffic.
B) Session persistence to None:
- Explanation: If session persistence is set to None, there will be no persistence between requests from the same client. This means that the load balancer will distribute requests without any consideration for which server the client is connected to, potentially routing requests to different servers.
- Reason for rejection: This is the opposite of what is needed in this scenario, where you want to ensure the same server is used for each request from a client. Therefore, setting session persis...
Author: Jack · Last updated Jun 25, 2026
SNAPSHOT -
You have an Azure subscription that contains the virtual networks shown in the following table.
You have the peering options shown in the following exhibit.
You need to design a communication strategy for the resources on the virtual networks.
For each of the follo...
Author: Amira · Last updated Jun 25, 2026
You have five Azure virtual machines that run Windows Server 2016. The virtual machines are configured as web servers.
You have an Azure load balancer named LB1 that provides load balancing services for the virtual machines.
You need to...
To ensure that visitors are serviced by the same web server for each request in an Azure load balancing scenario, session persistence (also known as sticky sessions) is required. Session persistence guarantees that subsequent requests from the same client are routed to the same backend server, ensuring a consistent experience.
Let's analyze each option in the context of your requirement:
A) Floating IP (direct server return) to Disabled:
- Explanation: The Floating IP setting is related to how traffic is handled once it reaches the backend server. It allows the load balancer to bypass itself and direct traffic straight to the backend server. This is typically used in scenarios with direct server return (DSR) setups for performance optimization.
- Reason for rejection: Disabling Floating IP does not directly address the need for session persistence. While it can impact how traffic is routed after the initial connection, it does not ensure that subsequent requests from the same client are sent to the same server. Therefore, this option is not relevant to ensuring sticky sessions.
B) Session persistence to Client IP:
- Explanation: Session persistence to Client IP ensures that requests from the same client IP address are routed to the same backend server. This is the key feature needed for the requirement of servicing visitors with the same web server for each request.
- Reason for selection: This option directly addresses the need for sticky sessions, which is exactly what is required in this scenario. By configuring session persistence to Client IP, you ensure that each visitor’s requests are consistently handled by the same web server, impr...
Author: Aria · Last updated Jun 25, 2026
You have an Azure subscription that contains 20 virtual machines, a network security group (NSG) named NSG1, and two virtual networks named VNET1 and VNET2 that are peered.
You plan to deploy an Azure Bastion Basic SKU host named Bastion1 to VNET1.
You need to configure NSG1 to a...
To allow inbound access to the virtual machines via Azure Bastion, the correct port that needs to be configured in the inbound security rule is 443.
Reasoning:
1. Azure Bastion uses the TLS (Transport Layer Security) protocol on port 443 for secure, encrypted RDP (Remote Desktop Protocol) and SSH (Secure Shell) connections to virtual machines. This is the standard port for HTTPS traffic, and it is used by Azure Bastion to access VMs securely without exposing the VMs directly to the public internet.
2. Why other options are rejected:
- A) Port 22: Port 22 is typically used for SSH access directly to Linux-based virtual machines. However, when using Azure Bastion, you don't need to expose SSH directly. Azure Bastion provides a secure connection through port 443.
...
Author: Ming · Last updated Jun 25, 2026
SNAPSHOT
-
Your network contains an on-premises Active Directory Domain Services (AD DS) domain named contoso.com. The domain contains the servers shown in the following table.
You plan to migrate contoso.com to Azure.
You create an Azure virtual network named VNET1 that has the following settings:
* Address space: 10.0.0.0/16
* Subnet:
o Name: Subnet1
o IPv4: 10.0.1.0/24
You need to move DC1 to VNET1. The solution must ensure that the mem...
Author: Ravi Patel · Last updated Jun 25, 2026
You have five Azure virtual machines that run Windows Server 2016. The virtual machines are configured as web servers.
You have an Azure load balancer named LB1 that provides load balancing services for the virtual machines.
You need to...
To ensure that visitors are serviced by the same web server for each request, you should configure Session persistence to Client IP on your Azure load balancer.
Reasoning:
1. Session Persistence (also known as Sticky Sessions):
- Session persistence ensures that once a client is connected to a specific web server, subsequent requests from that client are directed to the same server, instead of being load-balanced to any of the available VMs.
- Client IP session persistence ties a user's session to a specific virtual machine based on their IP address. This ensures that all requests from the same client (based on their IP) go to the same VM for the duration of the session.
This is important for applications like web servers where session data may be stored locally on the server, and it would be inefficient or problematic for requests to be distributed to different servers.
2. Why other options are rejected:
- A) Session persistence to None: If you set session persistence to None, the load balancer will route each request independently to different VMs, without ensuring that subsequent requests from the same client go to the same VM. This would not meet the requirement to keep users on the same server....
Author: Matthew · Last updated Jun 25, 2026
You have an Azure subscription that contains the virtual networks shown in the following table.
You need to deploy an Azure firewall named AF1 to RG1 in the...
To determine which virtual networks can be used to deploy the Azure firewall (AF1), we need to understand how Azure firewall deployment works and consider the region and resource group requirements for deployment.
Key Points for Deployment:
- Azure Firewall can only be deployed in a region and resource group that supports it.
- Azure Firewall requires a virtual network (VNet) that is in the same region as the firewall itself.
- The virtual network used for the deployment should be in the same region as the Azure firewall (West US in this case) and can either be peered or directly connected to other VNets if needed.
Given:
- The firewall AF1 needs to be deployed in RG1 in the West US region.
- Virtual networks in the table should be checked to ensure they align with these requirements.
Explanation:
- VNET1: If VNET1 is in the West US region, it can host the Azure firewall.
- VNET2: If VNET2 is in the West US region, it can also host the Azure firewall.
- VNET3: If VNET3 is not in the West US region, it cannot h...
Author: Emma Brown · Last updated Jun 25, 2026
You have an on-premises network.
You have an Azure subscription that contains three virtual networks named VNET1. VNET2. and VNET3. The virtual networks are peered and connected to the on-premises network. The subscription contains the virtual machines shown in the following table.
You need to monitor connectivity between the ...
Reasoning:
To determine the minimum number of Connection Monitors to deploy, we need to understand how Connection Monitor works and the requirements of monitoring connectivity between virtual machines (VMs) and the on-premises network. Here are the key factors:
1. Connection Monitor allows you to track the connectivity between various network resources, such as virtual machines, virtual networks, and on-premises networks. It works by monitoring the connection between the source (e.g., VM) and a destination (e.g., on-premises network or another VM).
2. Virtual Network Peering: In your scenario, VNET1, VNET2, and VNET3 are peered. This means that, depending on the routing and the network configuration, a connection between a VM in VNET1 and a VM in VNET2 or VNET3 might need monitoring for connectivity. Additionally, monitoring should include the connection from these VMs to the on-premises network.
3. Minimum Number of Connection Monitors:
- You need to monitor the connectivity from each VM to the on-premises network. If you have multiple VMs in different VNets, ideally, you should deploy a separate Connection Monitor for each connection path to the on-premises network.
- If VMs in VNET1, VNET2, and VNET3 are all located on different virtual networks, you need at least one Connection Monitor in each VNet to ensure connectivity is verified be...
Author: Isabella · Last updated Jun 25, 2026
SNAPSHOT
-
You plan to deploy the following Azure Resource Manager (ARM) template.
For each of the following statements, select Yes if the statement is true. ...
Author: Deepak · Last updated Jun 25, 2026
You have an Azure subscription that contains a storage account. The account stores website data.
You need to ensure that inbound user traffic uses the Microsoft point-of-p...
To ensure that inbound user traffic uses the Microsoft point-of-presence (POP) closest to the user's location, the correct solution is C) Routing preference.
Reasoning:
1. Routing Preference in Azure refers to the feature that allows you to configure the traffic routing to use the closest point of presence (POP) when accessing services like storage accounts. This ensures that users' requests are directed to the nearest regional entry point for the service, reducing latency and improving performance.
- Microsoft Point-of-Presence (POP): When a user requests content from your storage account, Azure can route the request to the nearest POP (typically located in the region closest to the user) for faster access. This is especially important for global applications to ensure minimal latency for users from different regions.
Why other options are rejected:
- A) Private endpoints: Private endpoints are used for securely connecting to Azure resources over a private IP address within a virtual network. While they enhance security, they do not help with routing user traffic to the nearest POP. They are typically use...
Author: Andrew · Last updated Jun 25, 2026
You have two Azure virtual machines named VM1 and VM2 that run Windows Server. The virtual machines are in a subnet named Subnet1. Subnet1 is in a virtual network named VNet1.
Y...
To prevent VM1 from accessing VM2 on port 3389, the correct option is A) Create a network security group (NSG) that has an outbound security rule to deny destination port 3389 and apply the NSG to the network interface of VM1.
Explanation:
1. Network Security Groups (NSGs) control inbound and outbound traffic to network interfaces (NICs) and subnets in Azure. You can use NSGs to define rules that allow or deny traffic based on source IP, destination IP, ports, and protocols.
2. The requirement is to prevent VM1 from accessing VM2 on port 3389.
- Port 3389 is used for Remote Desktop Protocol (RDP), which allows access to virtual machines running Windows.
- If you want to prevent VM1 from initiating traffic to VM2 on port 3389, you would need to deny outbound traffic from VM1 to VM2 on that port.
- Option A:
- Create an NSG with an outbound rule that denies traffic on destination port 3389.
- Apply this NSG to VM1's network interface.
- This would stop VM1 from reaching VM2 on port 3389, as the outbound traffic from VM1 to VM2 on port 3389 would be blocked.
Why other options are rejected:
- Option B (Configure Azure Bastion in VNet1):
- Azure Bastion is a service that allows secure and seamless RDP or SSH co...
Author: Jack · Last updated Jun 25, 2026
You have an Azure subscription that contains the resources shown in the following table.
You need to manage outbound traffic f...
To manage outbound traffic from VNET1 using Firewall1, the first step is to C) Create a route table.
Reasoning:
1. Managing Outbound Traffic with Azure Firewall:
- Azure Firewall is a stateful network security service that monitors and controls outbound and inbound traffic. To use Firewall1 for managing outbound traffic from VNET1, you need to ensure that VNET1's outbound traffic is routed through Firewall1. This is done by creating a route table with a route that points to Firewall1 as the next hop for outbound traffic.
- A route table allows you to control the flow of traffic and ensures that traffic from VNET1 is directed to Azure Firewall for inspection and filtering before reaching the internet or other destinations.
2. Why Other Options Are Rejected:
- Option A (Configure the Hybrid Connection Manager):
- The Hybrid Connection Manager is part of Azure App Service and is used for connecting on-premises systems to Azure App Service resources. It is not related to managing network traffic through Azure Fire...
Author: Charlotte · Last updated Jun 25, 2026
You have an Azure subscription that contains the resources shown in the following table.
All the resources connect to a virtual network named VNet1.
You plan to deploy an Azure Bastion ...
To determine which resources can be protected by Azure Bastion (Bastion1), it's important to understand the capabilities and usage of Azure Bastion.
Key Concepts:
- Azure Bastion is a fully managed service that provides secure and seamless RDP (Remote Desktop Protocol) and SSH (Secure Shell) access to virtual machines (VMs) in a virtual network without exposing the VMs to the public internet.
- Azure Bastion works by providing a secure jump server inside the same virtual network (VNet1) where the resources (VMs) are located. Therefore, Bastion1 will provide access to virtual machines (VMs) and other resources within the same VNet.
Breakdown of the Options:
1. VM1:
- VM1 is a virtual machine. Azure Bastion is primarily designed to provide secure RDP and SSH access to virtual machines. So, VM1 can be protected using Bastion1.
2. contoso.com:
- contoso.com appears to be a domain or a web application (not a virtual machine), and Azure Bastion is not designed to secure access to domain names or web applications. Instead, it is used to secure access to virtual machines within the VNet.
3. App1:
- App1 likely refers to an application or service within the network. Azure Bastion does not provide access or protection to applications or services (like web apps, etc.)—...
Author: BlazingPhoenix22 · Last updated Jun 25, 2026
You have five Azure virtual machines that run Windows Server 2016. The virtual machines are configured as web servers.
You have an Azure load balancer named LB1 that provides load balancing services for the virtual machines.
You need to...
To ensure that visitors are serviced by the same web server for each request, the primary goal is to maintain session persistence. This ensures that once a user connects to a particular server, subsequent requests from that user are always routed to the same server for the duration of their session.
Let's evaluate each option:
A) Session persistence to None:
- Explanation: This setting disables session persistence, meaning each request could be directed to any available server, without considering which server was previously handling the user's requests.
- Why it's rejected: This does not satisfy the requirement of ensuring that visitors are serviced by the same web server for each request.
- Scenario: It would be useful in cases where load balancing should be completely random, such as in stateless applications.
B) A health probe:
- Explanation: A health probe is used by the Azure load balancer to check the health of the backend virtual machines. If a machine is healthy, traffic can be routed to it; if unhealthy, traffic is redirected to another healthy VM.
- Why it's rejected: Health probes are primarily for ensuring that only healthy VMs receive traffic. While important for availability, this does not enforce session persistence, which is the specific requirement here.
- Scenario: Health probes are critical for ensuring high availability and resilience in case of failures but don't maintain consistent session routing.
C) Session persistence to Client IP and protocol:
- Explanation: This configuration ensures that traffic from the same clien...