Question.66 You plan to use Azure Network Watcher to perform the following tasks: Task1: Identify a security rule that prevents a network packet from reaching an Azure virtual machine. Task2: Validate outbound connectivity from an Azure virtual machine to an external host. Which feature should you use for each task?
Box 1: IP flow verify
At some point, a VM may become unable to communicate with other resources because of a security rule. The IP flow verify capability lets you specify a source and destination IPv4 address, port, protocol (TCP or UDP), and traffic direction (inbound or outbound). IP flow verify then tests the communication and reports whether the connection succeeds or fails. If the connection fails, IP flow verify tells you which security rule denied the traffic.
Box 2: Connection troubleshoot
Diagnose outbound connections from a VM: The connection troubleshoot capability enables you to test a connection between a VM and another VM, an FQDN, a URI, or an IPv4 address. The test returns information similar to that returned by the connection monitor capability, but it tests the connection at a single point in time rather than monitoring it over time, as connection monitor does.
Reference:
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview
Question.67 You have an Azure virtual machine named VM1. The network interface for VM1 is configured as shown in the exhibit. You deploy a web server on VM1, and then create a secure website that is accessible by using the HTTPS protocol. VM1 is used as a web server only. You need to ensure that users can connect to the website from the Internet. What should you do? (A) Modify the protocol of Rule4 (B) Delete Rule1 (C) For Rule5, change the Action to Allow and change the priority to 401 (D) Create a new inbound rule that allows TCP protocol 443 and configure the rule to have a priority of 501.
Answer is (C) For Rule5, change the Action to Allow and change the priority to 401
HTTPS uses port 443.
Rule2, with priority 500, denies HTTPS traffic.
Rule5, with priority changed from 2000 to 401, would allow HTTPS traffic.
Note: Priority is a number between 100 and 4096. Rules are processed in priority order, with lower numbers processed before higher numbers, because lower numbers have higher priority. Once traffic matches a rule, processing stops. As a result, any rules that exist with lower priorities (higher numbers) that have the same attributes as rules with higher priorities are not processed.
Note: There are several versions of this question in the exam.
The question has two possible correct answers:
1. Change the priority of Rule3 to 450.
2. For Rule5, change the Action to Allow and change the priority to 401.
Other incorrect answer options you may see on the exam include the following:
– Modify the action of Rule1.
– Change the priority of Rule6 to 100.
– For Rule4, change the protocol from UDP to Any.
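To see why option C works and why adding a new allow rule at priority 501 would not, here is an added example (not from the exam page) that models how an NSG processes inbound rules: ascending priority, first match wins, nothing after the match is consulted. The rule table is constructed from the explanation above, since the exhibit is not on the page; Rule5's protocol and port are assumed to be TCP 443.

```python
from __future__ import annotations
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class NsgRule:
    name: str
    priority: int        # 100..4096; a lower number is processed first
    protocol: str        # "TCP", "UDP" or "Any"
    dest_port: str       # "443", "*", "80,8080" or a range like "1000-2000"
    action: str          # "Allow" or "Deny"


def port_matches(spec: str, port: int) -> bool:
    """Match a destination port against an NSG port specification."""
    if spec == "*":
        return True
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def evaluate(rules: list[NsgRule], protocol: str, port: int) -> tuple[str, str]:
    """Return (action, rule name) for inbound traffic to `port`/`protocol`.

    Rules are walked in ascending priority; the first rule whose protocol and
    port match decides, and every later rule is ignored.
    """
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.protocol in ("Any", protocol) and port_matches(rule.dest_port, port):
            return rule.action, rule.name
    return "Deny", "DenyAllInBound"   # built-in default inbound rule, priority 65500


# Constructed rule set for the scenario (only the rules the explanation names)
RULES = [
    NsgRule("Rule2", 500, "TCP", "443", "Deny"),
    NsgRule("Rule5", 2000, "TCP", "443", "Deny"),
]


def before_change() -> tuple[str, str]:
    return evaluate(RULES, "TCP", 443)            # Rule2 at 500 denies HTTPS


def option_c() -> tuple[str, str]:
    # Rule5 becomes Allow and moves to 401, so it is processed before Rule2
    fixed = [replace(r, action="Allow", priority=401) if r.name == "Rule5" else r
             for r in RULES]
    return evaluate(fixed, "TCP", 443)


def option_d() -> tuple[str, str]:
    # A new Allow rule at 501 still sits behind Rule2 at 500, so it never matches
    return evaluate(RULES + [NsgRule("AllowHTTPS", 501, "TCP", "443", "Allow")], "TCP", 443)
```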
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview
Question.68 You create an Azure Storage account named contosostorage. You plan to create a file share named data. Users need to map a drive to the data file share from home computers that run Windows 10. Which outbound port should you open between the home computers and the data file share? (A) 80 (B) 443 (C) 445 (D) 3389
Answer is (C) 445
Port 445 is used by the SMB (Server Message Block) protocol, which is what Windows uses for file sharing. Note that some ISPs block this port, so if you experience issues, a VPN or Azure ExpressRoute connection may be necessary to carry the traffic. Always ensure you are following security best practices when opening ports, especially when dealing with potentially sensitive data.
Incorrect:
Port 80: HTTP (unencrypted web traffic)
Port 443: HTTPS (encrypted web traffic)
Port 3389: Remote Desktop Protocol (RDP)
Reference:
https://learn.microsoft.com/en-us/azure/storage/files/storage-how-to-use-files-windows#prerequisites
Question.69 You have an Azure policy as shown in the following exhibit: What is the effect of the policy? (A) You are prevented from creating Azure SQL servers anywhere in Subscription 1. (B) You can create Azure SQL servers in ContosoRG1 only. (C) You are prevented from creating Azure SQL Servers in ContosoRG1 only. (D) You can create Azure SQL servers in any resource group within Subscription 1.
Answer is (B) You can create Azure SQL servers in ContosoRG1 only.
You are prevented from creating Azure SQL servers anywhere in Subscription 1, except in ContosoRG1, because ContosoRG1 is listed as an exclusion on the policy assignment.
Not allowed resource types (Deny): Prevents a list of resource types from being deployed.
Reference:
https://docs.microsoft.com/en-us/azure/governance/policy/overview#policy-definition
Question.70 You have an on-premises server that contains a folder named D:\Folder1. You need to copy the contents of D:\Folder1 to the public container in an Azure Storage account named contosodata. Which command should you run? (A) https://contosodata.blob.core.windows.net/public (B) AZ copy sync D:\folder1 https://contosodata.blob.core.windows.net/public --snapshot (C) AZ copy copy D:\folder1 https://contosodata.blob.core.windows.net/public --recursive (D) AZ storage blob copy start-batch D:\Folder1 https://contosodata.blob.core.windows.net/public
Answer is (C) AZ copy copy D:\folder1 https://contosodata.blob.core.windows.net/public --recursive
The azcopy copy command with --recursive copies a directory (and all of the files in that directory) to a blob container. The result is a directory in the container with the same name.
Incorrect Answers:
B: The azcopy sync command replicates the source location to the destination location. However, a file is skipped if the last modified time in the destination is more recent than in the source.
D: The az storage blob copy start-batch command copies multiple blobs to a blob container.
Reference:
https://docs.microsoft.com/en-us/azure/storage/common/storage-use-azcopy-blobs
https://docs.microsoft.com/en-us/azure/storage/common/storage-ref-azcopy-copy