You are building a group of 10 virtual machines and putting them into an availability
set to ensure high availability. You configure the maximum number of fault domains
available in your desired region, which is three. How many of your virtual machines
will end up in the first fault domain?
a. 4
b. 3
c. 5
d. 10
a. 4
The maximum number of fault domains available is 3, but this depends on the
region. When the number of virtual machines exceeds the number of fault
domains, and their number is for example 3, the 4th VM will be placed into
the first fault domain, while the 5th VM will be placed into the second
domain, etc. Hence the 10th VM will end up in the first fault domain.
https://docs.microsoft.com/en-us/azure/virtual-machines/availability
You would like to implement a hub-and-spoke VNet peering connection between two
of your virtual networks, VNet1 in the East US region and VNet2 in the East US-2
region, using a network virtual appliance (NVA). You have deployed VNet3 to serve as
the network hub, and a custom Linux virtual machine in VNet3 to serve as the
NVA. How should you configure the peering connections between the VNets with this
particular hub-and-spoke architecture?
a. Configure all peering connections to allow forwarded traffic.
b. Configure peering connections directed to the hub network (VNet3) to allow
gateway transit.
c. Configure peering connections directed to the hub network (VNet3) to allow
gateway transit.
d. Configure peering connections directed to the hub network (VNet3) to use remote
gateways. Configure all other peering connections to allow gateway transit.
a. Configure all peering connections to allow forwarded traffic.
If you require connectivity between spokes, consider deploying an Azure
Firewall or other network virtual appliance. Then create routes to forward
traffic from the spoke to the firewall or network virtual appliance, which can
then route to the second spoke. In this scenario, you must configure the
peering connections to allow forwarded traffic.
You are the owner of a resource group that contains the following Azure
resources: VNet1, which contains Subnet1. Subnet1 is assigned a routing table, and a
network security group named NSG-1. Subnet1 contains an ARM virtual machine with a
private IP address only. VM-Database1 needs to connect to an on-premises static IP
address (216.3.128.12) to request software updates. You do not want to reveal the IP
address of the virtual machine. All inbound traffic aside from the software updates
should be blocked. Which steps should you take to allow the database to connect
successfully for updates while limiting threats? (Choose 2 answers.)
a. Deploy a private load balancer associated with the ARM virtual machine
b. Deploy a NAT gateway associated with Subnet1.
c. Update NSG-1 to allow outbound traffic to and from 216.3.128.12 over port 443.
Include no other rules allowing traffic.
d. Update NSG-1 to allow outbound traffic to
b. Deploy a NAT gateway associated with Subnet1.
d. Update NSG-1 to allow outbound traffic to 216.3.128.12 over port 443.
Include no other rules allowing traffic.
Network security group security rules are evaluated by priority using the
5-tuple information (source, source port, destination, destination port, and
protocol) to allow or deny the traffic. A flow record is created for existing
connections. Communication is allowed or denied based on the
connection state of the flow record. The flow record allows a network
security group to be stateful.
Deploy a Network Address Translation or NAT gateway to enable Source
Network Address Translation (SNAT). As Microsoft explains in its
documentation:
Source Network Address Translation (SNAT) rewrites the source of a flow
to originate from a different IP address and/or port. Typically, SNAT is used
when a private network needs to connect to a public host over the internet.
SNAT allows multiple compute resources within the private VNet to use the
same single Public IP address or set of IP addresses (prefix) to connect to
the internet.
You would like to implement a hub-and-spoke VNet peering connection between
two existing VNets in the East US region (VNet1 and VNet2), without using a network
virtual appliance. You want resources in VNet1 and VNet2 to be able to communicate.
You have deployed VNet3 in the East US region that will serve as a hub between the
other VNets. VNet1 and VNet2 should be able to communicate with each other
through VNet3 using a VPN virtual network gateway. Which VNet peering connections
should be configured to use remote gateways?
a. All peering connections between the hub and spokes
b. No peering connections
c. Only peering connections directed to VNet3 as the hub
d. Only peering connections directed to VNet1 and VNet2 as the spokes
c. Only peering connections directed to VNet3 as the hub
Suppose you have several spokes that need to connect with each other. In
that case, you'll run out of possible peering connections quickly, because
the number of virtual network peerings per virtual network is limited. (For
more information, see Networking limits.) In this scenario, consider using
user-defined routes (UDRs) to force traffic destined to a spoke to be sent
to Azure Firewall or a network virtual appliance acting as a router at the
hub. This change will allow the spokes to connect to each other.
You can also configure spokes to use the hub gateway to communicate
with remote networks. To allow gateway traffic to flow from spoke to hub
and connect to remote networks, you must:
Configure the peering connection in the hub to allow gateway transit.
Configure the peering connection in each spoke to use remote gateways.
Configure all peering connections to allow forwarded traffic.
Your company is being audited, and an external accountant needs access to review a
blob container in the Blob service within one specific Azure storage account. You
currently use Azure Active Directory to control access to the blob storage resources
in question. However, you have been told you need to provide the accountant with
immediate access to review the blob container in the storage account without any