NEW QUESTION 1
You have the Azure virtual networks shown in the following table.

To which virtual networks can you establish a peering connection from VNet1?

• A. VNet2 and VNet3 only
• B. VNet2 only
• C. VNet3 and VNet4 only
• D. VNet2, VNet3, and VNet4

Answer: C

Explanation: The virtual networks you peer must have non-overlapping IP address spaces. The VNet1 and VNhet2 address spaces overlap. The range of VNet2 is contained inside the range of VNet1.
References:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-managepeering# requirements-and-constraints

NEW QUESTION 2
You need to deploy an Azure load balancer named Ib 1015 to your Azure subscription. The solution must meet the following requirements:
-Support the load balancing of IP traffic from the Internet to Azure virtual machines connected to VNET1016 subnet0.
-Prov.de 4 Service level Agreement (SWJ of 99.99 percent ability for the Azure virtual machines.
-Minimize Azure-related costs.
What should you do from the Azure portal?
To complete this task, you do NOT need to wait for the deployment to complete. Once the deployment start in Azure, you can move to the next task.

Answer:

Explanation: Step 1:
On the top left-hand side of the screen, click Create a resource > Networking > Load Balancer. Step 2:
In the Create a load balancer page enter these values for the load balancer: myLoadBalancer - for the name of the load balancer.
Internal - for the type of the load balancer. Basic - for SKU version.
Microsoft guarantees that apps running in a customer subscription will be available 99.99% of the time.
VNET1016subnet0 - for subnet that you choose from the list of existing subnets.
Step 3: Accept the default values for the other settings and click Create to create the load balancer.

NEW QUESTION 3
You have an Azure subscription that contains a policy-based virtual network gateway named GW1 and a virtual network named VNet1. You need to ensure that you can configure a point-to-site connection from VNet1 to an on-premises computer. Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

• A. Reset GW1.
• B. Add a service endpoint to VNet1.
• C. Add a connection to GW1.
• D. Add a public IP address space to VNet1.
• E. Delete GWL
• F. Create a route-based virtual network gatewa

Answer: EF

Explanation: E: Policy-based VPN devices use the combinations of prefixes from both networks to define how traffic is encrypted/decrypted through IPsec tunnels. It is typically built on firewall devices that perform packet filtering. IPsec tunnel encryption and decryption are added to the packet filtering and processing engine.
F: A VPN gateway is used when creating a VPN connection to your on-premises network.
Route-based VPN devices use any-to-any (wildcard) traffic selectors, and let routing/forwarding tables direct traffic to different IPsec tunnels. It is typically built on router platforms where each IPsec tunnel is modeled as a network interface or VTI (virtual tunnel interface).
Incorrect Answers:
D: Point-to-Site connections do not require a VPN device or a public-facing IP address. References:
https://docs.microsoft.com/en-us/azure/vpn-gateway/create-routebased-vpn-gateway-portal https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-connect-multiple-policybasedrm- ps

Case Study: 10
Lab 2 Overview
This is a lab or performance-based testing (PBT) section.
The following section of the exam is a lab. In this section, you will perform a set of tasks m a live environment. While most liable to you as it would be m a live environment, some functionality (e g, copy and paste, ability to having sites) will not be possible by design.
Scoring is based on the outcome of performing the tasks stated in the lab. In other words, it doesn't matter how you accomplish the lab9s0 and all other sections of the exam in the time provided.
Please note that once you submit your work by clicking the Next button within a lab. you will NOT be able to return to the tab.



To connect to Azure portal, type https://portal.azure.com in te browser address bar.

NEW QUESTION 4
You have an Azure subscription that contains the resources in the following table.

To which subnets can you apply NSG1?

• A. the subnets on VNet2 only
• B. the subnets on VNet1 only
• C. the subnets on VNet2 and VNet3 only
• D. the subnets on VNet1, VNet2, and VNet3
• E. the subnets on VNet3 only

Answer: E

Explanation: All Azure resources are created in an Azure region and subscription. A resource can only be created in a virtual network that exists in the same region and subscription as the resource.
References: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-vnet-plandesign- arm

NEW QUESTION 5
You need to implement a backup solution for App1 after the application is moved. What should you create first?

• A. a recovery plan
• B. an Azure Backup Server
• C. a backup policy
• D. a Recovery Services vault

Answer: D

Explanation: A Recovery Services vault is a logical container that stores the backup data for each protected resource, such as Azure VMs. When the backup job for a protected resource runs, it creates a recovery point inside the Recovery Services vault.
Scenario:
There are three application tiers, each with five virtual machines.
Move all the virtual machines for App1 to Azure.
Ensure that all the virtual machines for App1 are protected by backups.
References: https://docs.microsoft.com/en-us/azure/backup/quick-backup-vm-portal

NEW QUESTION 6
HOT SPOT
You plan to create an Azure Storage account in the Azure region of East US 2. You need to create a storage account that meets the following requirements: Replicates synchronously
Remains available if a single data center in the region fails
How should you configure the storage account? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Answer:

Explanation: Box 1: Zone-redundant storage (ZRS)
Zone-redundant storage (ZRS) replicates your data synchronously across three storage clusters in a single region.
LRS would not remain available if a data center in the region fails GRS and RA GRS use asynchronous replication.
Box 2: StorageV2 (general purpose V2) ZRS only support GPv2.
References:
https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy-zrs

NEW QUESTION 7
SIMULATION
Click to expand each objective. To connect to the Azure portal, type https://portal.azure.com in the browser address bar.



When you are finished performing all the tasks, click the ‘Next’ button.
Note that you cannot return to the lab once you click the ‘Next’ button. Scoring occur in the background while you complete the rest of the exam.
Overview
The following section of the exam is a lab. In this section, you will perform a set of tasks in a live environment. While most functionality will be available to you as it would be in a live environment, some functionality (e.g., copy and paste, ability to navigate to external websites) will not be possible by design. Scoring is based on the outcome of performing the tasks stated in the lab. In other words, it doesn’t matter how you accomplish the task, if you successfully perform it, you will earn credit for that task.
Labs are not timed separately, and this exam may have more than one lab that you must complete. You can use as much time as you would like to complete each lab. But, you should manage your time appropriately to ensure that you are able to complete the lab(s) and all other sections of the exam in the time provided.
Please note that once you submit your work by clicking the Next button within a lab, you will NOT be able to return to the lab.
To start the lab
You may start the lab by clicking the Next button.
You need to allow RDP connections over TCP port 3389 to VM1 from the internet. The solution must prevent connections from the Internet over all other TCP ports.
What should you do from the Azure portal?

Answer:

Explanation: Step 1: Create a new network security group Step 2: Select your new network security group.

Step 3: Select Inbound security rules, . Under Add inbound security rule, enter the following Destination: Select Network security group, and then select the security group you created previously.
Destination port ranges: 3389 Protocol: Select TCP

References: https://docs.microsoft.com/en-us/azure/virtual-network/tutorial-filter-network-traffic

NEW QUESTION 8
You have an Azure subscription that contains 10 virtual machines.
You need to ensure that you receive an email message when any virtual machines are powered off, restarted, or deallocated.
What is the minimum number of rules and action groups that you require?

• A. three rules and three action groups
• B. one rule and one action group
• C. three rules and one action group
• D. one rule and three action groups

Answer: C

Explanation: An action group is a collection of notification preferences defined by the user. Azure Monitor and Service
Health alerts are configured to use a specific action group when the alert is triggered. Various alerts may use the same action group or different action groups depending on the user's requirements. References: https://docs.microsoft.com/en-us/azure/monitoring-and-diagnostics/monitoring-actiongroups

NEW QUESTION 9
DRAG DROP
You create an Azure Migrate project named TestMig in a resource group named test-migration. You need to discover which on-premises virtual machines to assess for migration.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

Answer:

Explanation: Step 1: Download the OVA file for the collection appliance
Azure Migrate uses an on-premises VM called the collector appliance, to discover information about your on-premises machines. To create the appliance, you download a setup file in Open Virtualization Appliance (.ova) format, and import it as a VM on your on-premises vCenter Server. Step 2: Create a migration group in the project
For the purposes of assessment, you gather the discovered VMs into groups. For example, you might group VMs that run the same application. For more precise grouping, you can use dependency visualization to view dependencies of a specific machine, or for all machines in a group and refine the group.
Step 3: Create an assessment in the project
After a group is defined, you create an assessment for it. References:
https://docs.microsoft.com/en-us/azure/migrate/migrate-overview

Case Study: 9
Mix Questions Set D (Implement advanced networking)

NEW QUESTION 10
You have an Azure Active Directory (Azure AD) tenant named Tenant1 and an Azure subscription named You enable Azure AD Privileged Identity Management.
You need to secure the members of the Lab Creator role. The solution must ensure that the lab creators request access when they create labs.
What should you do first?

• A. From Azure AD Privileged Identity Management, edit the role settings for Lab Creator.
• B. From Subscription1 edit the members of the Lab Creator role.
• C. From Azure AD Identity Protection, creates a user risk policy.
• D. From Azure AD Privileged Identity Management, discover the Azure resources of Conscriptio

Answer: A

Explanation: As a Privileged Role Administrator you can: Enable approval for specific roles
Specify approver users and/or groups to approve requests View request and approval history for all privileged roles References:
https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pimconfigure

NEW QUESTION 11
You create an Azure subscription that is associated to a basic Azure Active Directory (Azure AD) tenant. You need to receive an email notification when any user activates an administrative role. What should you do?

• A. Purchase Azure AD Premium 92 and configure Azure AD Privileged Identity Management,
• B. Purchase Enterprise Mobility + Security E3 and configure conditional access policies.
• C. Purchase Enterprise Mobility + Security E5 and create a custom alert rule in Azure Security Center.
• D. Purchase Azure AD Premium PI and enable Azure AD Identity Protectio

Answer: A

Explanation: When key events occur in Azure AD Privileged Identity Management (PIM), email notifications are sent. For example, PIM sends emails for the following events:
When a privileged role activation is pending approval When a privileged role activation request is completed When a privileged role is activated
When a privileged role is assigned When Azure AD PIM is enabled References:
https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pimemail- notifications

NEW QUESTION 12
HOT SPOT
You have an Azure subscription.
You need to implement a custom policy that meet the following requirements:
*Ensures that each new resource group in the subscription has a tag named organization set to a value of Contoso.
*Ensures that resource group can be created from the Azure portal.
*Ensures that compliance reports in the Azure portal are accurate.
How should you complete the policy? To answer, select the appropriate options in the answers area.

Answer:

Explanation: References: https://docs.microsoft.com/en-us/azure/governance/policy/concepts/definitionstructure

NEW QUESTION 13
You need to meet the technical requirement for VM4. What should you create and configure?

• A. an Azure Notification Hub
• B. an Azure Event Hub
• C. an Azure Logic App
• D. an Azure services Bus

Answer: B

Explanation: Scenario: Create a workflow to send an email message when the settings of VM4 are modified. You can start an automated logic app workflow when specific events happen in Azure resources or third-party resources. These resources can publish those events to an Azure event grid. In turn, the event grid pushes those events to subscribers that have queues, webhooks, or event hubs as endpoints. As a subscriber, your logic app can wait for those events from the event grid before running automated workflows to perform tasks - without you writing any code.
References:
https://docs.microsoft.com/en-us/azure/event-grid/monitor-virtual-machine-changes-event-gridlogic- app

NEW QUESTION 14
You need to recommend an identify solution that meets the technical requirements. What should you recommend?

• A. federated single-on (SSO) and Active Directory Federation Services (AD FS)
• B. password hash synchronization and single sign-on (SSO)
• C. cloud-only user accounts
• D. Pass-through Authentication and single sign-on (SSO)

Answer: A

Explanation: Active Directory Federation Services is a feature and web service in the Windows Server Operating System that allows sharing of identity information outside a company’s network.
Scenario: Technical Requirements include:
Prevent user passwords or hashes of passwords from being stored in Azure.
References: https://www.sherweb.com/blog/active-directory-federation-services/

NEW QUESTION 15
HOT SPOT
You plan to create a new Azure Active Directory (Azure AD) role.
You need to ensure that the new role can view all the resources in the Azure subscription and issue support requests to Microsoft. The solution must use the principle of least privilege.
How should you complete the JSON definition? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Answer:

Explanation: Box 1: "*/read",
*/read lets you view everything, but not make any changes. Box 2: " Microsoft.Support/*"
The action Microsoft.Support/* enables creating and management of support tickets. References:
https://docs.microsoft.com/en-us/azure/role-based-access-control/tutorial-custom-role-powershell https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles

NEW QUESTION 16
You have an Azure subscription that contains 100 virtual machines. You regularly create and delete virtual machines.
You need to identify unused disks that can be deleted. What should you do?

• A. From Microsoft Azure Storage Explorer, view the Account Management properties.
• B. From the Azure portal, configure the Advisor recommendations.
• C. From Cloudyn, open the Optimizer tab and create a report.
• D. From Cloudyn, create a Cost Management repor

Answer: A

Explanation: You can find unused disks in the Azure Storage Explorer console. Once you drill down to the Blob containers under a storage account, you can see the lease state of the residing VHD (the lease state determines if the VHD is being used by any resource) and the VM to which it is leased out. If you find that the lease state and the VM fields are blank, it means that the VHD in question is unused.
Note: The ManagedBy property stores the Id of the VM to which Managed Disk is attached to. If the ManagedBy property is $null then it means that the Managed Disk is not attached to a VM References:
https://cloud.netapp.com/blog/reduce-azure-storage-costs