Question.61 You have an Azure subscription that contains a virtual network named VNET1. VNET1 contains the subnets shown in the following table. Each virtual machine uses a static IP address. You need to create network security groups (NSGs) to meet the following requirements: -Allow web requests from the internet to VM3, VM4, VM5, and VM6. -Allow all connections between VM1 and VM2. -Allow Remote Desktop connections to VM1. -Prevent all other network traffic to VNET1. What is the minimum number of NSGs you should create? (A) 1 (B) 3 (C) 4 (D) 12
Answer is (A) 1
NSGs can be associated to subnets, individual VMs (classic), or individual network interfaces (NIC) attached to VMs (Resource Manager). You can associate zero, or one, NSG(s) to each VNet subnet and NIC in a virtual machine. The same NSG can be associated to as many subnets and NICs as you choose.
So you can create 1 NSG and associate it with all 3 subnets.
– Allow web requests from the Internet to VM3, VM4, VM5 and VM6: add an inbound rule that allows TCP 80 from the Internet to the static IP addresses of VM3, VM4, VM5 and VM6.
– Allow all connections between VM1 and VM2: no rule is needed, because communication within the same VNet is allowed by default, even without configuring an NSG.
– Allow Remote Desktop to VM1: add an inbound rule that allows RDP (TCP 3389) to VM1’s static IP address.
– Prevent all other network traffic to VNET1: no extra rule is needed, because every NSG contains an explicit default deny rule (DenyAllInbound).
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/security-overview#default-security-rules
Question.62 You have an Azure subscription that contains the resources in the following table. VM1 and VM2 are deployed from the same template and host line-of-business applications. You configure the network security group (NSG) shown in the exhibit. You need to prevent users of VM1 and VM2 from accessing websites on the Internet over TCP port 80. What should you do? (A) Disassociate the NSG from a network interface (B) Change the Port_80 inbound security rule. (C) Associate the NSG to Subnet1. (D) Change the DenyWebSites outbound security rule.
Answer is (C) Associate the NSG to Subnet1.
The outbound rule “DenyWebSites” is set up correctly to block outbound Internet traffic over port 80. However, the screenshot states “Associated with: 0 subnets, 0 NIC’s”, so the rule is not applied anywhere yet. You can associate or dissociate a network security group with a network interface or a subnet.
The NSG already has the appropriate rule to block users from accessing the Internet; you just need to associate it with Subnet1.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/manage-network-security-group
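To make the reasoning of questions 61 and 62 concrete, here is a small model of how an NSG decides a flow: rules are processed by ascending priority, the first match wins, and Azure's default rules (AllowVnetInBound, DenyAllInBound, and so on) always sit underneath at priority 65000 and above. This is an added example, not Azure code or code from the original page; the VNET1 address space (10.0.0.0/16), the VM IP addresses and the subnet name are assumed, because the question's table is not reproduced on the page.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# NSG rule: source/dest are "*", a service tag ("Internet"/"VirtualNetwork") or comma-separated CIDRs.
Rule = namedtuple("Rule", "name priority direction access protocol source dest port")
VNET1 = ip_network("10.0.0.0/16")  # assumed VNET1 address space (the question's table is not on the page)

def _addr_ok(spec, addr):
    a = ip_address(addr)
    if spec == "*":
        return True
    if spec == "VirtualNetwork":  # the VNet's own address space
        return a in VNET1
    if spec == "Internet":        # approximation: everything outside the VNet
        return a not in VNET1
    return any(a in ip_network(p, strict=False) for p in spec.split(","))
def _port_ok(spec, port):        # "*", "80" or a range such as "1-1024"
    lo, _, hi = spec.partition("-")
    return spec == "*" or int(lo) <= port <= int(hi or lo)
# Azure's built-in default rules (AllowAzureLoadBalancerInBound omitted: no tag model for it here).
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "Internet", "*"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*"),
]

def evaluate(nsg_rules, direction, proto, src, dst, port):
    """Decide one flow: the first matching rule by ascending priority wins; None = no NSG attached."""
    if nsg_rules is None:
        return "Allow"            # no NSG on the subnet or NIC: nothing is filtered
    for r in sorted(nsg_rules + DEFAULT_RULES, key=lambda r: r.priority):
        if (r.direction == direction and r.protocol in ("*", proto) and _addr_ok(r.source, src)
                and _addr_ok(r.dest, dst) and _port_ok(r.port, port)):
            return r.access
    return "Deny"                 # unreachable: the DenyAll defaults match everything
# Q61: a single NSG that can be associated with all three subnets. VM IPs are assumed.
WEB_VMS = "10.0.1.4,10.0.1.5,10.0.2.4,10.0.2.5"   # VM3..VM6
Q61_NSG = [
    Rule("Allow-Web-In", 100, "Inbound", "Allow", "Tcp", "Internet", WEB_VMS, "80"),
    Rule("Allow-RDP-VM1", 110, "Inbound", "Allow", "Tcp", "*", "10.0.0.4", "3389"),  # VM1
]
# Q62: DenyWebSites only takes effect once the NSG is associated with Subnet1.
Q62_NSG = [Rule("DenyWebSites", 100, "Outbound", "Deny", "Tcp", "*", "Internet", "80")]
def effective_rules(nsg_rules, associated_subnets, subnet):
    """'Associated with: 0 subnets, 0 NICs' means the NSG filters nothing for that subnet."""
    return nsg_rules if subnet in associated_subnets else None
```

Evaluating VM2 to VM1 shows the AllowVnetInBound default doing the work for the second requirement, and evaluating Subnet1 with an empty association set shows why the correctly written DenyWebSites rule has no effect in question 62.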
Question.63 You have the Azure virtual machines shown in the following table. A DNS service is installed on VM1. You configure the DNS server settings for each virtual network as shown in the following exhibit. You need to ensure that all the virtual machines can resolve DNS names by using the DNS service on VM1. What should you do? (A) Configure a conditional forwarder on VM1 (B) Add service endpoints on VNET1 (C) Add service endpoints on VNET2 and VNET3 (D) Configure peering between VNET1, VNET2, and VNET3
Answer is (D) Configure peering between VNET1, VNET2, and VNET3
Use virtual network peering so that VMs in different VNets can reach each other (here, so that VMs in VNET2 and VNET3 can reach the DNS service on VM1). Virtual network peering seamlessly connects networks in Azure Virtual Network: the peered virtual networks appear as one for connectivity purposes, and traffic between virtual machines travels over the Microsoft backbone infrastructure.
B, C are wrong: a Virtual Network (VNet) service endpoint provides secure and direct connectivity to Azure services over an optimized route on the Azure backbone network. Endpoints let you restrict your critical Azure service resources to your virtual networks only, and they enable private IP addresses in the VNet to reach the endpoint of an Azure service without needing a public IP address on the VNet. They do not connect VNets to each other.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview
Question.64 You have an Azure subscription named Subscription1 that contains an Azure virtual network named VNet1. VNet1 connects to your on-premises network by using Azure ExpressRoute. You plan to prepare the environment for automatic failover in case of ExpressRoute failure. You need to connect VNet1 to the on-premises network by using a site-to-site VPN. The solution must minimize cost. Which three actions should you perform? (A) Create a connection (B) Create a local site VPN gateway (C) Create a VPN gateway that uses the VpnGw1 SKU (D) Create a gateway subnet (E) Create a VPN gateway that uses the Basic SKU
Answer is A-B-C
For a site-to-site VPN, you need:
– a local gateway
– a gateway subnet
– a VPN gateway
– a connection to connect the local gateway and the VPN gateway
However, the question states that VNet1 already connects to your on-premises network by using Azure ExpressRoute. An ExpressRoute connection requires VNet1 to already have a gateway subnet, so we don’t need to create another one.
Note: The Basic SKU cannot coexist with ExpressRoute. You must use a non-Basic SKU gateway for both the ExpressRoute gateway and the VPN gateway, which is why VpnGw1 (C) rather than Basic (E) is the cheapest valid choice.
Reference:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-portal
https://azure.microsoft.com/es-es/pricing/details/vpn-gateway
Question.65 You have an Azure virtual machine named VM1 that connects to a virtual network named VNet1. VM1 has the following configurations: -Subnet: 10.0.0.0/24 -Availability set: AVSet -Network security group (NSG): None -Private IP address: 10.0.0.4 (dynamic) -Public IP address: 40.90.219.6 (dynamic) You deploy a standard, Internet-facing load balancer named slb1. You need to configure slb1 to allow connectivity to VM1. Which changes should you apply to VM1 as you configure slb1?
Box 1: Remove the public IP address from VM1
Note: A public load balancer can provide outbound connections for virtual machines (VMs) inside your virtual network. These connections are accomplished by translating the VMs’ private IP addresses to public IP addresses. Public load balancers are used to load balance Internet traffic to your VMs. The load balancer SKU and the public IP address SKU must match when you use them together: only Basic SKU IPs work with a Basic SKU load balancer, and only Standard SKU IPs work with a Standard SKU load balancer.
Box 2: Create and configure an NSG
With a Standard load balancer, NSGs are used to explicitly permit allowed traffic. If there is no NSG on the subnet or NIC of your virtual machine resource, traffic is not allowed to reach the resource.
Note: You can only add virtual machines that are in the same location and on the same virtual network as the load balancer. When adding them to a backend pool, the power state of the VMs does not matter.
Reference:
https://docs.microsoft.com/en-us/azure/aks/load-balancer-standard
https://docs.microsoft.com/en-us/azure/virtual-network/public-ip-addresses
https://stackoverflow.com/questions/52882024/cannot-add-vm-to-standard-azure-load-balancer
https://docs.microsoft.com/en-us/azure/load-balancer/skus
https://docs.microsoft.com/en-us/azure/load-balancer/backend-pool-management