Question.51 You have an Azure subscription named Subscription1 that has the following providers registered:
- Authorization
- Automation
- Resources
- Compute
- KeyVault
- Network
- Storage
- Billing
- Web
Subscription1 contains an Azure virtual machine named VM1 that has the following configurations:
- Private IP address: 10.0.0.4 (dynamic)
- Network security group (NSG): NSG1
- Public IP address: None
- Availability set: AVSet
- Subnet: 10.0.0.0/24
- Managed disks: No
- Location: East US
You need to record all the successful and failed connection attempts to VM1. Which three actions should you perform?
(A) Enable Azure Network Watcher in the East US Azure region.
(B) Add an Azure Network Watcher connection monitor.
(C) Register the MicrosoftLogAnalytics provider.
(D) Create an Azure Storage account.
(E) Register the Microsoft.Insights resource provider.
(F) Enable Azure Network Watcher flow logs.
Answer is A – E – F
A network security group (NSG) enables you to filter inbound traffic to, and outbound traffic from, a virtual machine (VM). You can log network traffic that flows through an NSG with Network Watcher’s NSG flow log capability.
1. Create a VM with a network security group
2. Enable Network Watcher and register the Microsoft.Insights provider
3. Enable a traffic flow log for an NSG, using Network Watcher’s NSG flow log capability
4. Download logged data
5. View logged data
Note: "Managed disks: No" means VM1 uses unmanaged disks, and unmanaged disks are VHD files stored in a storage account. A storage account therefore already exists in the subscription, so option D (create an Azure Storage account) is not required; the existing account can be used as the flow log destination.
Reference:
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-portal
https://docs.microsoft.com/en-us/answers/questions/3619/what-is-the-difference-between-managed-disk-and-un.html
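NSG flow logs are what actually records "successful and failed connection attempts": every flow tuple carries an A (allowed) or D (denied) decision together with the rule that made it. The following Python script is an added example, not code from the Microsoft documentation referenced above. It parses the documented flow log JSON schema (version 2 tuples: time, source IP, destination IP, source port, destination port, protocol, direction, decision, flow state, and four traffic counters) and lists the inbound attempts to VM1's private IP 10.0.0.4. The JSON record, the NSG rule names and the client addresses are constructed for the example.

```python
"""Parse Azure NSG flow log records and list connection attempts to one VM.

Added example, not from the referenced Microsoft docs. The JSON below is a
constructed sample in the documented NSG flow log schema; the resource ID,
client addresses and rule names are made up for illustration.
"""
import json
from collections import Counter
from typing import Dict, List

# Constructed sample: one record block as Network Watcher writes it to the
# storage account (insights-logs-networksecuritygroupflowevent container).
SAMPLE_FLOW_LOG = r'''{"records": [{
  "time": "2023-05-01T10:00:00.0000000Z",
  "systemId": "00000000-0000-0000-0000-000000000000",
  "category": "NetworkSecurityGroupFlowEvent",
  "resourceId": "/SUBSCRIPTIONS/SUB1/RESOURCEGROUPS/RG1/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/NSG1",
  "operationName": "NetworkSecurityGroupFlowEvents",
  "properties": {"Version": 2, "flows": [
    {"rule": "UserRule_Allow-RDP", "flows": [{"mac": "000D3AF87856", "flowTuples": [
      "1682935200,203.0.113.10,10.0.0.4,51234,3389,T,I,A,B,,,,",
      "1682935260,203.0.113.10,10.0.0.4,51234,3389,T,I,A,C,12,1500,10,900"]}]},
    {"rule": "DefaultRule_DenyAllInBound", "flows": [{"mac": "000D3AF87856", "flowTuples": [
      "1682935210,198.51.100.7,10.0.0.4,44000,22,T,I,D,B,,,,",
      "1682935211,198.51.100.7,10.0.0.4,44001,445,T,I,D,B,,,,"]}]},
    {"rule": "DefaultRule_AllowInternetOutBound", "flows": [{"mac": "000D3AF87856", "flowTuples": [
      "1682935220,10.0.0.4,93.184.216.34,50000,443,T,O,A,B,,,,"]}]}
  ]}}]}'''


def parse_flow_tuple(raw: str, version: int) -> Dict:
    """Split one comma-separated flow tuple into named fields.

    Version 1 tuples stop after the decision; version 2 adds the flow state
    and four traffic counters (empty on a 'B' begin tuple)."""
    f = raw.split(",")
    rec = {
        "time": int(f[0]),
        "src_ip": f[1], "dst_ip": f[2],
        "src_port": int(f[3]), "dst_port": int(f[4]),
        "protocol": {"T": "TCP", "U": "UDP"}[f[5]],
        "direction": {"I": "inbound", "O": "outbound"}[f[6]],
        "decision": {"A": "allowed", "D": "denied"}[f[7]],
    }
    if version >= 2:
        rec["state"] = f[8]  # B = flow begin, C = continuing, E = end
        rec["bytes_src_to_dst"] = int(f[10]) if f[10] else 0
    return rec


def connection_attempts(flow_log_json: str, vm_ip: str) -> List[Dict]:
    """Inbound flows whose destination is vm_ip, tagged with the NSG rule
    that made the allow/deny decision.

    In version 2 logs only 'B' tuples are new attempts; 'C' and 'E' tuples
    are updates to a flow already counted, so they are skipped to avoid
    double counting."""
    attempts = []
    for record in json.loads(flow_log_json)["records"]:
        props = record["properties"]
        version = int(props.get("Version", 1))
        for rule_block in props["flows"]:
            for flow in rule_block["flows"]:
                for raw in flow["flowTuples"]:
                    t = parse_flow_tuple(raw, version)
                    if t["dst_ip"] != vm_ip or t["direction"] != "inbound":
                        continue
                    if version >= 2 and t["state"] != "B":
                        continue
                    t["rule"] = rule_block["rule"]
                    attempts.append(t)
    return attempts


def summarize(attempts: List[Dict]) -> Dict[str, int]:
    """Count successful (allowed) and failed (denied) attempts."""
    return dict(Counter(a["decision"] for a in attempts))


if __name__ == "__main__":
    vm1 = connection_attempts(SAMPLE_FLOW_LOG, "10.0.0.4")
    for a in vm1:
        print(f'{a["src_ip"]:>15} -> :{a["dst_port"]:<5} {a["protocol"]} '
              f'{a["decision"]:<7} ({a["rule"]})')
    print(summarize(vm1))
```

Because flow logs are written per NSG rather than per VM, the filter on destination IP and inbound direction is what scopes the result to VM1; the outbound HTTPS flow in the sample is correctly left out.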
Question.52 You have an Azure subscription named Subscription1. Subscription1 contains a virtual machine named VM1. You install and configure a web server and a DNS server on VM1. VM1 has the effective network security rules shown in the following exhibit: Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
Box 1: B
Rule2 blocks destination ports 50-60, a range that includes port 53, the DNS port. Internet users can still reach the web server, because it listens on port 80, which is outside that range.
Box 2: C
If Rule2 is removed, internet users can reach the DNS server as well, because the lower-priority rule that allows the traffic is no longer shadowed.
Note: Rules are processed in priority order, with lower numbers processed before higher numbers, because lower numbers have higher priority. Once traffic matches a rule, processing stops. As a result, any rules that exist with lower priorities (higher numbers) that have the same attributes as rules with higher priorities are not processed.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/security-overview
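The first-match processing described in the note above is easy to get wrong when a deny rule with a lower priority number sits in front of an allow rule, so here is an added Python example that is not from the exam or from the Microsoft documentation. The exhibit for this question is not reproduced on the page, so the rule set below is constructed to match the answer text: Rule1 (priority 100) allows TCP 80 from the Internet, Rule2 (priority 200) denies ports 50-60 from anywhere, Rule3 (priority 300) allows port 53 from the Internet, followed by the three default inbound rules. The `evaluate` function walks the rules in priority order and stops at the first match; `shadowed_rules` reports rules that can never be hit because a higher-priority rule covers everything they would match.

```python
"""First-match evaluation of Azure NSG inbound rules.

Added example. Rule names, priorities and port ranges are assumptions chosen
to match the answer text; the real exhibit is not reproduced on this page.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

PortRange = Tuple[int, int]


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int          # lower number = processed first (100-4096 for custom rules)
    access: str            # "Allow" or "Deny"
    protocol: str          # "Tcp", "Udp" or "*"
    source: str            # "Internet", "VirtualNetwork", "AzureLoadBalancer" or "*"
    dest_ports: PortRange  # inclusive range; (0, 65535) stands for "*"


@dataclass(frozen=True)
class Packet:
    source: str     # service tag the source falls under, simplified
    protocol: str   # "Tcp" or "Udp"
    dest_port: int


# Constructed effective rule set (assumption, see module docstring).
EFFECTIVE_RULES: List[Rule] = [
    Rule("Rule1", 100, "Allow", "Tcp", "Internet", (80, 80)),
    Rule("Rule2", 200, "Deny", "*", "*", (50, 60)),
    Rule("Rule3", 300, "Allow", "*", "Internet", (53, 53)),
    # Azure default inbound rules, always present at priorities 65000+.
    Rule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", (0, 65535)),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "AzureLoadBalancer", (0, 65535)),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", (0, 65535)),
]


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches when protocol, source and destination port all match."""
    proto_ok = rule.protocol == "*" or rule.protocol == pkt.protocol
    src_ok = rule.source == "*" or rule.source == pkt.source
    lo, hi = rule.dest_ports
    return proto_ok and src_ok and lo <= pkt.dest_port <= hi


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[str]]:
    """Return (access, rule name) of the first matching rule in priority order.

    Processing stops at the first match, so a lower-priority rule with the
    same attributes is never consulted, exactly as the NSG engine behaves."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule_matches(rule, pkt):
            return rule.access, rule.name
    return "Deny", None  # unreachable while DenyAllInBound is present


def shadowed_rules(rules: List[Rule]) -> List[str]:
    """Names of rules that can never fire because a rule with a lower
    priority number covers every packet they would match."""
    ordered = sorted(rules, key=lambda r: r.priority)
    shadowed = []
    for i, low in enumerate(ordered):
        for high in ordered[:i]:
            proto_cov = high.protocol == "*" or high.protocol == low.protocol
            src_cov = high.source == "*" or high.source == low.source
            port_cov = (high.dest_ports[0] <= low.dest_ports[0]
                        and low.dest_ports[1] <= high.dest_ports[1])
            if proto_cov and src_cov and port_cov:
                shadowed.append(low.name)
                break
    return shadowed


if __name__ == "__main__":
    web = Packet("Internet", "Tcp", 80)
    dns = Packet("Internet", "Udp", 53)
    print("HTTP from Internet:", evaluate(EFFECTIVE_RULES, web))
    print("DNS from Internet: ", evaluate(EFFECTIVE_RULES, dns))
    without_rule2 = [r for r in EFFECTIVE_RULES if r.name != "Rule2"]
    print("DNS without Rule2: ", evaluate(without_rule2, dns))
    print("Shadowed rules:    ", shadowed_rules(EFFECTIVE_RULES))
```

Running it shows port 80 allowed by Rule1, port 53 denied by Rule2, port 53 allowed by Rule3 once Rule2 is removed, and Rule3 reported as shadowed while Rule2 is present. The shadow check is the audit a practitioner wants before trusting an allow rule that sits behind a broader deny.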
Question.53 You plan to deploy several Azure virtual machines that will run Windows Server 2019 in a virtual machine scale set by using an Azure Resource Manager template. You need to ensure that NGINX is available on all the virtual machines after they are deployed. What should you use?
(A) Deployment Center in Azure App Service
(B) A Desired State Configuration (DSC) extension
(C) The New-AzConfigurationAssignment cmdlet
(D) A Microsoft Intune device configuration profile
Answer is (B) A Desired State Configuration (DSC) extension
Azure virtual machine extensions are small packages that run post-deployment configuration and automation on Azure virtual machines.
In the following example, the Azure CLI is used to deploy the Custom Script Extension to an existing Linux virtual machine, which installs an NGINX web server. (The question targets Windows Server 2019; the equivalent Windows extension is published by Microsoft.Compute under the name CustomScriptExtension and runs a PowerShell command instead of apt-get.)
az vm extension set \
  --resource-group myResourceGroup \
  --vm-name myVM \
  --name customScript \
  --publisher Microsoft.Azure.Extensions \
  --settings '{"commandToExecute": "apt-get install -y nginx"}'
Note:
There are several versions of this question in the exam. The question has two correct answers:
1. a Desired State Configuration (DSC) extension
2. Azure Custom Script Extension
The question can have other incorrect answer options, including the following:
– the Publish-AzVMDscConfiguration cmdlet
– Azure Application Insights
Reference:
https://docs.microsoft.com/en-us/azure/architecture/framework/devops/automation-configuration
Question.54 You deploy an Azure Kubernetes Service (AKS) cluster that has the network profile shown in the following exhibit. Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
Box 1: 10.244.0.0/16
The Pod CIDR, because containers live inside Pods.
Note: The pod address range cannot be changed after the cluster is deployed, so it must be sized up front to leave room for any nodes that will be added later.
Box 2: 10.0.0.0/16
The Service CIDR is used to assign internal services in the AKS cluster an IP address.
Reference:
https://docs.microsoft.com/en-us/azure/aks/configure-kubenet
https://docs.microsoft.com/en-us/azure/aks/configure-azure-cni#plan-ip-addressing-for-your-cluster
Question.55 You have an Azure subscription that contains a virtual network named VNet1. VNet1 uses an IP address space of 10.0.0.0/16 and contains the subnets in the following table: Subnet1 contains a virtual appliance named VM1 that operates as a router. You create a routing table named RT1. You need to route all inbound traffic from the VPN gateway to VNet1 through VM1. How should you configure RT1?
Box 1: 10.0.0.0/16
Address prefix
The destination is VNet1, so the route covers the whole address space of VNet1.
Box 2: Virtual appliance
Next hop type
VM1 is a network virtual appliance. When the next hop type is Virtual appliance, you specify the private IP address of VM1 as the next hop address. VM1's network interface must also have IP forwarding enabled, otherwise Azure drops traffic that is not addressed to VM1 itself.
Box 3: GatewaySubnet
Assigned to
The route must apply to traffic entering VNet1 from the VPN gateway, so RT1 is associated with the GatewaySubnet. You can associate a route table with a subnet from Route table -> Subnets -> Associate.