Question.46 You have the Azure virtual network named VNet1 that contains a subnet named Subnet1. Subnet1 contains three Azure virtual machines. Each virtual machine has a public IP address. The virtual machines host several applications that are accessible over port 443 to users on the Internet. Your on-premises network has a site-to-site VPN connection to VNet1. You discover that the virtual machines can be accessed by using the Remote Desktop Protocol (RDP) from the Internet and from the on-premises network. You need to prevent RDP access to the virtual machines from the Internet, unless the RDP connection is established from the on-premises network. The solution must ensure that all the applications can still be accessed by the Internet users. What should you do? (A) Modify the address space of the local network gateway (B) Create a deny rule in a network security group (NSG) that is linked to Subnet1 (C) Remove the public IP addresses from the virtual machines (D) Modify the address space of Subnet1
Answer is (B) Create a deny rule in a network security group (NSG) that is linked to Subnet1
You can use a site-to-site VPN to connect your on-premises network to an Azure virtual network. Users on your on-premises network connect by using the RDP or SSH protocol over the site-to-site VPN connection. You have to deny direct RDP or SSH access over the internet through an NSG.
Reference:
https://docs.microsoft.com/en-us/azure/security/fundamentals/network-best-practices
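To make the mechanics behind answer (B) concrete, here is an added Python model (not part of the original question bank) of how an NSG evaluates inbound rules: lowest priority number first, first match wins, and Azure's built-in rules sit behind every custom rule. The VNet1 prefix, the on-premises prefix and the sample client addresses are constructed for the example; the question does not give them. The model also shows the pitfall of writing the deny rule with source Any instead of the Internet service tag, which would lock out the on-premises administrators too.

```python
import ipaddress
from dataclasses import dataclass

# Assumed address spaces: the question names VNet1 and an on-premises network but
# gives no prefixes, so these are constructed for the example.
VNET1_PREFIX = ipaddress.ip_network("10.0.0.0/16")
ON_PREM_PREFIX = ipaddress.ip_network("192.168.0.0/16")   # reachable over the site-to-site VPN
AZURE_LB_PROBE_IP = ipaddress.ip_address("168.63.129.16")  # source of Azure load balancer health probes


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int    # 100..4096 for custom rules; lowest number is evaluated first, first match wins
    access: str      # "Allow" or "Deny"
    source: str      # CIDR, or a service tag: Any, Internet, VirtualNetwork, AzureLoadBalancer
    dest_ports: str  # "443", "3389", "22,3389" or "*"


def source_matches(source, src_ip):
    """Does an inbound packet from src_ip match the rule's source prefix or service tag?"""
    if source == "Any":
        return True
    if source == "VirtualNetwork":
        # The VirtualNetwork tag covers the VNet's own address space *and* the
        # on-premises prefixes that are connected through a VPN gateway.
        return src_ip in VNET1_PREFIX or src_ip in ON_PREM_PREFIX
    if source == "Internet":
        # Everything that is not part of the virtual network.
        return not source_matches("VirtualNetwork", src_ip)
    if source == "AzureLoadBalancer":
        return src_ip == AZURE_LB_PROBE_IP
    return src_ip in ipaddress.ip_network(source)


def port_matches(dest_ports, port):
    return dest_ports == "*" or port in {int(p) for p in dest_ports.split(",")}


# Azure's built-in inbound rules; custom rules always sit in front of them.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "AzureLoadBalancer", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "Any", "*"),
]

# NSG on Subnet1: the allow rule the applications already need, plus the deny rule from answer (B).
SUBNET1_INBOUND = [
    Rule("Allow-HTTPS-Internet", 100, "Allow", "Internet", "443"),
    Rule("Deny-RDP-Internet", 200, "Deny", "Internet", "3389"),
] + DEFAULT_INBOUND

# A common mistake: denying RDP from Any also blocks the on-premises administrators,
# because it is matched before the default AllowVnetInBound rule.
TOO_BROAD_INBOUND = [
    Rule("Allow-HTTPS-Internet", 100, "Allow", "Internet", "443"),
    Rule("Deny-RDP-Any", 200, "Deny", "Any", "3389"),
] + DEFAULT_INBOUND


def evaluate(rules, src_ip, dest_port):
    """Return (access, rule name) for an inbound TCP flow, the way an NSG would decide it."""
    ip = ipaddress.ip_address(src_ip)
    for rule in sorted(rules, key=lambda r: r.priority):
        if source_matches(rule.source, ip) and port_matches(rule.dest_ports, dest_port):
            return rule.access, rule.name
    return "Deny", "<no matching rule>"  # unreachable while the default rules are present


if __name__ == "__main__":
    # Constructed sample flows: an Internet client and an on-premises workstation.
    for src, port in [("198.51.100.7", 443), ("198.51.100.7", 3389), ("192.168.5.20", 3389)]:
        print(src, port, evaluate(SUBNET1_INBOUND, src, port), evaluate(TOO_BROAD_INBOUND, src, port))
```

The real rule is created with `az network nsg rule create --direction Inbound --protocol Tcp --source-address-prefixes Internet --destination-port-ranges 3389 --access Deny --priority 200` against the NSG associated with Subnet1; the on-premises prefixes that the VirtualNetwork tag covers come from the local network gateway's address space, which is why that space must already be correct even though changing it (option A) is not the answer.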
Question.47 You have Azure virtual machines that run Windows Server 2019 and are configured as shown in the following table. You create a public Azure DNS zone named adatum.com and a private Azure DNS zone named contoso.com. For contoso.com, you create a virtual network link named link1 as shown in the exhibit. You discover that VM1 can resolve names in contoso.com but cannot resolve names in adatum.com. VM1 can resolve other hosts on the Internet. You need to ensure that VM1 can resolve host names in adatum.com. What should you do? (A) Update the DNS suffix on VM1 to be adatum.com (B) Configure the name servers for adatum.com at the domain registrar (C) Create an SRV record in the contoso.com zone (D) Modify the Access control (IAM) settings for link1
Answer is (B) Configure the name servers for adatum.com at the domain registrar
Adatum.com is a public DNS zone. The top-level domain (.com) DNS servers need to know which name servers to refer queries for adatum.com to, and that referral only exists once the name servers for adatum.com are configured at the domain registrar.
Wrong answers:
A. This would only change the DNS suffix of VM1, which does not help.
C. SRV records tie a service to a host; they do not affect how adatum.com is resolved.
D. Link1 is only for contoso.com and would not help our case.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances
Question.48 You have an Azure subscription. Users access the resources in the subscription from either home or from customer sites. From home, users must establish a point-to-site VPN to access the Azure resources. The users on the customer sites access the Azure resources by using site-to-site VPNs. You have a line-of-business app named App1 that runs on several Azure virtual machines. The virtual machines run Windows Server 2016. You need to ensure that the connections to App1 are spread across all the virtual machines. What are two possible Azure services that you can use? (A) An internal load balancer (B) A public load balancer (C) An Azure Content Delivery Network (CDN) (D) Traffic Manager (E) An Azure Application Gateway
Answer is (A) and (E)
Network traffic from the VPN gateway is routed to the cloud application through an internal load balancer. The load balancer is located in the front-end subnet of the application.
A: The users reach App1 only over VPN connections, so an internal load balancer is sufficient.
B: Because all access arrives over VPNs, there is no need for a public load balancer; an internal load balancer is enough.
C: A CDN does not provide load balancing for applications, so it is not relevant for this situation.
D: Traffic Manager is a DNS-based solution that directs users' requests to the (typically) nearest instance; it does not provide the per-connection load balancing needed here.
E: Azure Application Gateway is a valid option, as it provides load balancing in addition to routing and security functions.
Reference:
https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/vpn
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-overview
https://docs.microsoft.com/en-us/azure/application-gateway/overview
Question.49 You have an Azure DNS zone named adatum.com. You need to delegate a subdomain named research.adatum.com to a different DNS server in Azure. What should you do? (A) Create an NS record named research in the adatum.com zone. (B) Create a PTR record named research in the adatum.com zone. (C) Modify the SOA record of adatum.com. (D) Create an A record named *.research in the adatum.com zone.
Answer is (A) Create an NS record named research in the adatum.com zone.
An NS (name server) record tells recursive name servers which name servers are authoritative for a zone. You can have as many NS records as you like in a zone; the benefit of multiple NS records is redundancy of your DNS service.
To delegate research.adatum.com, you create a name server (NS) record set named research in the parent zone adatum.com that points at the name servers of the child zone.
Reference:
https://docs.microsoft.com/en-us/azure/dns/delegate-subdomain
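Questions 47 and 49 are the same mechanism at two levels of the tree: the registrar publishes NS records for adatum.com in the .com zone, and you publish NS records for research in the adatum.com zone. The following added Python (not part of the original question bank) models a resolver that starts at the .com registry zone and follows NS referrals downward, so you can see both the delegation working and the question 47 failure mode where the registrar has not published any name servers. Every zone, name server name and address in it is constructed for the example; the private contoso.com path through a virtual network link is outside this public-DNS model.

```python
# Minimal model of public DNS delegation: zones are dicts of owner name -> [(type, rdata)].


def build_zones(registrar_published_ns=True):
    """Construct the zones involved. All name server names and addresses are made up."""
    com_zone = {}
    if registrar_published_ns:
        # What appears in the .com zone once the name servers for adatum.com are
        # configured at the registrar (question 47).
        com_zone["adatum.com."] = [("NS", "ns1.example.")]
    return {
        "com.": com_zone,
        "adatum.com.": {
            "adatum.com.": [("SOA", "ns1.example. hostmaster.adatum.com."),
                            ("NS", "ns1.example.")],
            "www.adatum.com.": [("A", "203.0.113.10")],
            # The NS record set named 'research' in adatum.com (question 49): it delegates
            # research.adatum.com and everything below it to the child zone's servers.
            "research.adatum.com.": [("NS", "ns1.research.example.")],
        },
        "research.adatum.com.": {
            "research.adatum.com.": [("SOA", "ns1.research.example. hostmaster.adatum.com."),
                                     ("NS", "ns1.research.example.")],
            "lab1.research.adatum.com.": [("A", "198.51.100.5")],
        },
    }


def _suffixes(name):
    """'lab1.research.adatum.com.' -> that name, then each parent, ending at the root '.'"""
    labels = name.rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels))] + ["."]


def lookup(zones, qname, qtype="A", start_zone="com.", max_referrals=8):
    """Follow delegations from start_zone; return (answering zone, rdata list) or raise LookupError."""
    zone = start_zone
    for _ in range(max_referrals):
        records = zones[zone]
        referral = None
        # Find the closest enclosing delegation point below this zone's apex.
        for candidate in _suffixes(qname):
            if candidate == zone:
                break  # reached the apex with no delegation below it: this zone answers
            ns = [rdata for rtype, rdata in records.get(candidate, []) if rtype == "NS"]
            if ns:
                referral = (candidate, ns)
                break
        else:
            raise LookupError(f"{qname} is not below {zone}")
        if referral is not None:
            child, ns = referral
            if child not in zones:
                raise LookupError(f"{child} is delegated to {ns} but that zone is not reachable")
            zone = child
            continue
        answer = [rdata for rtype, rdata in records.get(qname, []) if rtype == qtype]
        if answer:
            return zone, answer
        # Nothing delegated and nothing held here: the query dies in this zone.
        raise LookupError(f"no {qtype} record for {qname} in zone {zone}")
    raise LookupError("too many referrals")


if __name__ == "__main__":
    print(lookup(build_zones(), "www.adatum.com."))
    print(lookup(build_zones(), "lab1.research.adatum.com."))
    try:
        lookup(build_zones(registrar_published_ns=False), "www.adatum.com.")
    except LookupError as err:
        print("registrar NS missing:", err)
```

With the registrar's NS records absent, the query for www.adatum.com. never leaves the .com zone, which is exactly why VM1 in question 47 can resolve everything else on the Internet but nothing in adatum.com. Note also that an A record named *.research in adatum.com (option D of question 49) would be answered from the parent zone and never hand the subdomain to the other servers, and that PTR and SOA records carry no referral at all.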
Question.50 You deploy an Azure Kubernetes Service (AKS) cluster named Cluster1 that uses the IP addresses shown in the following table. You need to provide internet users with access to the applications that run in Cluster1. Which IP address should you include in the DNS record for Cluster1? (A) 131.107.2.1 (B) 10.0.10.11 (C) 172.17.7.1 (D) 192.168.10.2
Answer is (A) 131.107.2.1
To expose applications running in AKS to Internet users, Azure creates a load balancer with a public IP address in front of the cluster; that public IP address is the one to publish in the DNS record.
Note: the 10.x.x.x, 172.16.x.x to 172.31.x.x and 192.168.x.x ranges are private (RFC 1918), so options B, C and D cannot be reached from the Internet.
Reference:
https://docs.microsoft.com/en-us/azure/aks/load-balancer-standard