Question.56 You have five Azure virtual machines that run Windows Server 2016. The virtual machines are configured as web servers. You have an Azure load balancer named LB1 that provides load balancing services for the virtual machines. You need to ensure that visitors are serviced by the same web server for each request. What should you configure?
(A) Floating IP (direct server return) to Enabled
(B) Floating IP (direct server return) to Disabled
(C) A health probe
(D) Session persistence to Client IP and Protocol
Answer is (D) Session persistence to Client IP and Protocol
With sticky sessions, when a client starts a session on one of your web servers, the session stays on that specific server. To configure an Azure load balancer for sticky sessions, set Session persistence to Client IP.
Note:
There are several versions of this question in the exam. The question can have other incorrect answer options, including the following:
1. Idle Time-out (minutes) to 20
2. Protocol to UDP
Reference:
https://cloudopszone.com/configure-azure-load-balancer-for-sticky-sessions/
Question.57 Your on-premises network contains an SMB share named Share1. You have an Azure subscription that contains the following resources:
- A web app named webapp1
- A virtual network named VNET1
You need to ensure that webapp1 can connect to Share1. What should you deploy?
(A) An Azure Application Gateway
(B) An Azure Active Directory (Azure AD) Application Proxy
(C) An Azure Virtual Network Gateway
(D) None of these
Answer is (C) An Azure Virtual Network Gateway
A Site-to-Site VPN gateway connection can be used to connect your on-premises network to an Azure virtual network over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel. This type of connection requires a VPN device, a VPN gateway, located on-premises that has an externally facing public IP address assigned to it.
A: Application Gateway is for HTTP, HTTPS and WebSocket – Not SMB
B: Application Proxy is also for accessing web applications on-prem – Not SMB. Application Proxy is a feature of Azure AD that enables users to access on-premises web applications from a remote client.
Reference:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-portal
Question.58 You have an Azure subscription named Sub1. You plan to deploy a multi-tiered application that will contain the tiers shown in the following table. You need to recommend a networking solution to meet the following requirements:
- Ensure that communication between the web servers and the business logic tier spreads equally across the virtual machines.
- Protect the web servers from SQL injection attacks.
Which Azure resource should you recommend for each requirement?
Box 1: an internal load balancer
Azure Internal Load Balancer (ILB) provides network load balancing between virtual machines that reside inside a cloud service or a virtual network with a regional scope.
Box 2: an application gateway that uses the WAF tier
Azure Web Application Firewall (WAF) on Azure Application Gateway provides centralized protection of your web applications from common exploits and vulnerabilities. Web applications are increasingly targeted by malicious attacks that exploit commonly known vulnerabilities. Use an application gateway that uses the WAF tier.
Reference:
https://docs.microsoft.com/en-us/azure/web-application-firewall/ag/ag-overview
Question.59 You plan to deploy five virtual machines to a virtual network subnet. Each virtual machine will have a public IP address and a private IP address. Each virtual machine requires the same inbound and outbound security rules. What is the minimum number of network interfaces and network security groups that you require?
Box 1: 5
A public and a private IP address can be assigned to a single network interface.
By default, a NIC is associated with one IP address, but nothing prevents a NIC from having more than one IP address. So you can associate both the public and the private IP address with the VM's NIC at the same time. You are not forced to have one NIC for the public IP and one NIC for the private IP.
Box 2: 1
You can associate zero, or one, network security group to each virtual network subnet and network interface in a virtual machine. The same network security group can be associated to as many subnets and network interfaces as you choose.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface-addresses
Question.60 You have an Azure virtual network named VNet1 that connects to your on-premises network by using a site-to-site VPN. VNet1 contains one subnet named Subnet1. Subnet1 is associated to a network security group (NSG) named NSG1. Subnet1 contains a basic internal load balancer named ILB1. ILB1 has three Azure virtual machines in the backend pool. You need to collect data about the IP addresses that connect to ILB1. You must be able to run interactive queries from the Azure portal against the collected data. What should you do?
Box 1: An Azure Log Analytics workspace
In the Azure portal you can set up a Log Analytics workspace, which is a unique Log Analytics environment with its own data repository, data sources, and solutions.
Box 2: NSG1
NSG flow logs allow viewing information about ingress and egress IP traffic through a network security group. Through this, the IP addresses that connect to the ILB can be monitored when diagnostics are enabled on the network security group.
We cannot enable diagnostics on an internal load balancer to check for the IP addresses.
The internal load balancer here is a Basic one. Basic can only connect to a storage account. Also, a Basic LB has only activity logs, which don't include the connectivity workflow. So, we need to use the NSG to meet the mentioned requirements.
Reference:
https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-quick-create-workspace
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-standard-diagnostics