Question.21 You plan to deploy several Azure virtual machines that will run Windows Server 2019 in a virtual machine scale set by using an Azure Resource Manager template. You need to ensure that NGINX is available on all the virtual machines after they are deployed. What should you use? (A) The Publish-AzVMDscConfiguration cmdlet (B) Azure Application Insights (C) Azure Custom Script Extension (D) The New-AzConfigurationAssignment cmdlet
Answer is (C) Azure Custom Script Extension
Note: There are several versions of this question in the exam. The question has two correct answers:
1. a Desired State Configuration (DSC) extension
2. Azure Custom Script Extension
The question can have other incorrect answer options, including the following:
– the Publish-AzVMDscConfiguration cmdlet
– Azure Application Insights
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/dsc-overview
https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/tutorial-install-apps-template
https://docs.microsoft.com/en-us/samples/mspnp/samples/azure-well-architected-framework-sample-state-configuration
https://docs.microsoft.com/en-us/azure/architecture/framework/devops/automation-configuration
Question.22 You have an Azure subscription that contains the resources shown in the following table. VMSS1 is set to VM (virtual machines) orchestration mode. You need to deploy a new Azure virtual machine named VM1, and then add VM1 to VMSS1. Which resource group and location should you use to deploy VM1?
Box 1: RG1, RG2, or RG3
The resource group stores metadata about the resources. When you specify a location for the resource group, you're specifying where that metadata is stored. The location of the resource group doesn't influence the choice of location for the VM. Best practice would be to create VM1 in RG1 because the scale set is in RG1, and Microsoft recommends that resources contained in a resource group share the same resource lifecycle.
Box 2: West US only
You can add the virtual machine to a scale set in the same region, zone, and resource group.
Note: Virtual machine scale sets will support 2 distinct orchestration modes:
ScaleSetVM: Virtual machine instances added to the scale set are based on the scale set configuration model. The virtual machine instance lifecycle (creation, update, deletion) is managed by the scale set.
VM (virtual machines): Virtual machines created outside of the scale set can be explicitly added to the scale set.
Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/overview
https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-orchestration-modes
Question.23 You have an Azure subscription that contains the resource groups shown in the following table. RG1 contains the resources shown in the following table. You need to identify which resources you can move from RG1 to RG2, and which resources you can move from RG2 to RG1. Which resources should you identify?
Box 1: IP1, VNET2, and storage1
Box 2: IP2, VNET2, and storage2
Locks are designed for any update or removal. In this case we want to move only, we are not deleting, and we are not changing anything in the resource.
Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/move-support-resources
Question.24 You have an Azure subscription that contains the resources shown in the following table: You assign a policy to RG6 as shown in the following table: To RG6, you apply the tag: RGroup: RG6. You deploy a virtual network named VNET2 to RG6. Which tags apply to VNET1 and VNET2?
Box 1: Department: D1 only
The policy only affects resources that are created after the policy is enabled. There is a remediation option that can be used for resources created before the policy was applied, but the question does not mention a remediation task. VNET1 will have its original tag.
Box 2: Label: Value1 only
Tags are not inherited, so VNET2 will have the tag from the Policy.
Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/tag-policies
Question.25 You have an Azure subscription named Subscription1 that contains a virtual network named VNet1. VNet1 is in a resource group named RG1. Subscription1 has a user named User1. User1 has the following roles: Reader, Security Admin, Security Reader. You need to ensure that User1 can assign the Reader role for VNet1 to other users. What should you do? (A) Remove User1 from the Security Reader role for Subscription1. Assign User1 the Contributor role for RG1. (B) Assign User1 the Owner role for VNet1. (C) Remove User1 from the Security Reader and Reader roles for Subscription1. (D) Assign User1 the Network Contributor role for RG1.
Answer is (B) Assign User1 the Owner role for VNet1.
Owner role has full access to all resources including the right to delegate access to others.
Note: There are several versions of this question in the exam.
The question can have other incorrect answer options, including the following:
1. Name Server (NS)
2. Assign User1 the Contributor role for VNet1.
3. Remove User1 from the Security Reader and Reader roles for Subscription1. Assign User1 the Contributor role for Subscription1.
Reference:
https://docs.microsoft.com/en-us/azure/role-based-access-control/overview
Question.26 You have an Azure subscription that contains the resources in the following table. To which subnets can you apply NSG1? (A) The subnets on VNet1 only (B) The subnets on VNet2 and VNet3 only (C) The subnets on VNet2 only (D) The subnets on VNet3 only (E) The subnets on VNet1, VNet2, and VNet3
Answer is (D) The subnets on VNet3 only
You can assign an NSG only to a subnet of a VNet that is in the same region as the NSG.
NSG1 is in East US and only VNet3 Subnets are in East US.
All Azure resources are created in an Azure region and subscription. A resource can only be created in a virtual network that exists in the same region and subscription as the resource.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-vnet-plan-design-arm
Question.27 You have a virtual network named VNet1 that has the configuration shown in the following exhibit. Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
Box 1: add an address space
You can add and remove address ranges for a virtual network. An address range must be specified in CIDR notation and cannot overlap with other address ranges within the same virtual network. We need to add the 192.168.1.0/24 CIDR (192.168.1.0 – 192.168.1.255) to the address space.
Box 2: add a subnet
The default subnet range is 10.2.0.0 – 10.2.0.255. So, if you want to add an IP address from 10.2.1.0/24, you need to add a new subnet. When you assign an IP address range to a VNet (in this case from 10.2.0.0 to 10.2.255.255), you are reserving that IP address range. So, 10.2.1.0 to 10.2.1.255 are not currently used. You must create another subnet to use them.
Reference:
https://docs.microsoft.com/en-us/office365/enterprise/designing-networking-for-microsoft-azure-iaas
Question.28 You have two subscriptions named Subscription1 and Subscription2. Each subscription is associated to a different Azure AD tenant. Subscription1 contains a virtual network named VNet1. VNet1 contains an Azure virtual machine named VM1 and has an IP address space of 10.0.0.0/16. Subscription2 contains a virtual network named VNet2. VNet2 contains an Azure virtual machine named VM2 and has an IP address space of 10.10.0.0/24. You need to connect VNet1 to VNet2. What should you do first? (A) Move VM1 to Subscription2. (B) Move VNet1 to Subscription2. (C) Modify the IP address space of VNet2. (D) Provision virtual network gateways.
Answer is (D) Provision virtual network gateways.
There is no overlap between the VNets:
VNet1: 10.0.0.0/16 – CIDR IP Range 10.0.0.0 – 10.0.255.255
VNet2: 10.10.0.0/24 – CIDR IP Range 10.10.0.0 – 10.10.0.255
Note: If a virtual network has address ranges that overlap with another virtual network or on-premises network, the two networks can’t be connected.
You can connect virtual networks (VNets) by using the VNet-to-VNet connection type. Virtual networks can be in different regions and from different subscriptions. When you connect VNets from different subscriptions, the subscriptions don’t need to be associated with the same Active Directory tenant.
Reference:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-vnet-vnet-resource-manager-portal
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways
Question.29 You have an Azure subscription that contains three virtual networks named VNET1, VNET2, and VNET3. Peering for VNET1 is configured as shown in the following exhibit. Peering for VNET2 is configured as shown in the following exhibit. Peering for VNET3 is configured as shown in the following exhibit. How can packets be routed between the virtual networks?
VNet1: Peered with VNet2 and VNet3
VNet2: Peered with VNet1
VNet3: Peered with VNet1
Box 1. VNET2 and VNET3
VNet1 is peered with VNet2 and VNet3. Also Gateway transit is disabled.
Box 2: VNET1 only
Gateway transit is disabled, so it can only communicate with the connected VNET1.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-peering-gateway-transit
Question.30 You have an Azure subscription that contains the resources shown in the following table. You need to create a network interface named NIC1. In which location can you create NIC1? (A) East US and North Europe only (B) East US only (C) East US, West Europe, and North Europe (D) East US and West Europe only
Answer is (B) East US only
Before creating a network interface, you must have an existing virtual network in the same location and subscription you create a network interface in.
If you try to create a NIC in a location that does not have any VNets, you will get the following error: “The currently selected subscription and location lack any existing virtual networks. Create a virtual network first.”
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface