|
|
|
|
Microsoft - AZ-104: Microsoft Azure AdministratorSample QuestionsQuestion: 423
Measured Skill: Configure and manage virtual networking (30-35%)
You manage two Azure subscriptions named Subscription1 and Subscription2.
Subscription1 has following virtual networks:
The virtual networks contain the following subnets:
Subscription2 contains the following virtual network:
- Name: VNETA
- Address space: 10.10.128.0/17
- Location: Canada Central
VNETA contains the following subnets:
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
(NOTE: Each correct selection is worth one point.) | A | A Site-to-Site connection can be established between VNET1 and VNET2: Yes
VNET1 and VNET2 can be peered: Yes
VNET1 and VNETA can be peered: Yes | | B | A Site-to-Site connection can be established between VNET1 and VNET2: Yes
VNET1 and VNET2 can be peered: Yes
VNET1 and VNETA can be peered: No | | C | A Site-to-Site connection can be established between VNET1 and VNET2: No
VNET1 and VNET2 can be peered: Yes
VNET1 and VNETA can be peered: No | | D | A Site-to-Site connection can be established between VNET1 and VNET2: Yes
VNET1 and VNET2 can be peered: No
VNET1 and VNETA can be peered: Yes | | E | A Site-to-Site connection can be established between VNET1 and VNET2: No
VNET1 and VNET2 can be peered: Yes
VNET1 and VNETA can be peered: Yes | | F | A Site-to-Site connection can be established between VNET1 and VNET2: No
VNET1 and VNET2 can be peered: No
VNET1 and VNETA can be peered: No |
Correct answer: EExplanation:
You can create a Site-to-Site connection to connect your VNET to your on-premises network or to connect a VNET to another VNET. Für connecting VNETs there is a special kind of Site-to-Site connection called VNET-to-VNET connection which simplifies the process in that the local network gateways gets established automatically. A Site-to-Site connection requires a gateway subnet to place the VPN gateway. Since the address space of VNET1 and VNET2 is already fully used by the existing subnets, a gateway subnet cannot be created in VNET1 or in VNET2. Hence, a Site-to-Site connection cannot bes established.
VNET peering enables you to seamlessly connect Azure virtual networks. Once peered, the VNETs appear as one, for connectivity purposes. The traffic between virtual machines in the peered virtual networks is routed through the Microsoft backbone infrastructure, much like traffic is routed between virtual machines in the same VNET, through private IP addresses only. No public internet is involved.
You can peer VNETs within the same Azure region, across different Azure regions, and across VNETs in different subscriptions. The only requirement is that the virtual networks you peer must have non-overlapping IP address spaces.
Note: VNETA uses the address space from 10.10.128.1 til10.10.255.254.
References:
Choosing between Azure VNet Peering and VNet Gateways
Tutorial: Create a Site-to-Site connection in the Azure portal
Create a virtual network peering - Resource Manager, different subscriptions and Azure Active Directory tenants
Question: 424
Measured Skill: Configure and manage virtual networking (30-35%)
Note: This question is part of a series of questions that present the same scenario. Each questions in the series contains a unique solution that might meet the stated goals. Some questions sets might have more than one correct solution, while others might not have a correct solution. Determine whether the solution meets the stated goals.
You have an app named App1 that is installed on two Azure virtual machines named VM1 and VM2. Connections to App1 are managed by using an Azure Load Balancer.
The effective network security configurations for VM2 are shown in the following exhibit.
You discover that connections to App1 from 131.107.100.50 over TCP port 443 fail. You verify that the Load Balancer rules are configured correctly.
You need to ensure that connections to App1 can be established successfully from 131.107.100.50 over TCP port 443.
Solution: You create an inbound security rule that denies all traffic from the 131.107.100.50 source and has a cost of 64999.
Does this meet the goal?Correct answer: BExplanation:
The network security group shown is connected to the subnet that contains VM2.
The incoming rule named Allow_131.107.100.50 allows a client having the IP address 131.107.100.50 to access the virtual network containing VM2 via port 443 TCP. A computer using this IP address can connect directly to App1.
However, App1 is accessed through an Azure Load Balancer. While the client can connect to the load balancer, the load balancer cannot connect to VM2 because access is blocked by the BlockAllOther443 rule.
References:
Network security groups
How network security groups filter network traffic
Question: 425
Measured Skill: Configure and manage virtual networking (30-35%)
Note: This question is part of a series of questions that present the same scenario. Each questions in the series contains a unique solution that might meet the stated goals. Some questions sets might have more than one correct solution, while others might not have a correct solution. Determine whether the solution meets the stated goals.
You have an app named App1 that is installed on two Azure virtual machines named VM1 and VM2. Connections to App1 are managed by using an Azure Load Balancer.
The effective network security configurations for VM2 are shown in the following exhibit.
You discover that connections to App1 from 131.107.100.50 over TCP port 443 fail. You verify that the Load Balancer rules are configured correctly.
You need to ensure that connections to App1 can be established successfully from 131.107.100.50 over TCP port 443.
Solution: You delete the BlockAllOther443 inbound security rule.
Does this meet the goal?Correct answer: AExplanation:
The network security group shown is connected to the subnet that contains VM2.
The incoming rule named Allow_131.107.100.50 allows a client having the IP address 131.107.100.50 to access the virtual network containing VM2 via port 443 TCP. A computer using this IP address can connect directly to App1.
However, App1 is accessed through an Azure Load Balancer. While the client can connect to the load balancer, the load balancer cannot connect to VM2 because access is blocked by the BlockAllOther443 rule.
References:
Network security groups
How network security groups filter network traffic
Question: 426
Measured Skill: Configure and manage virtual networking (30-35%)
Note: This question is part of a series of questions that present the same scenario. Each questions in the series contains a unique solution that might meet the stated goals. Some questions sets might have more than one correct solution, while others might not have a correct solution. Determine whether the solution meets the stated goals.
You have an app named App1 that is installed on two Azure virtual machines named VM1 and VM2. Connections to App1 are managed by using an Azure Load Balancer.
The effective network security configurations for VM2 are shown in the following exhibit.
You discover that connections to App1 from 131.107.100.50 over TCP port 443 fail. You verify that the Load Balancer rules are configured correctly.
You need to ensure that connections to App1 can be established successfully from 131.107.100.50 over TCP port 443.
Solution: You modify the priority of the Allow_131.107.100.50 inbound security rule.
Does this meet the goal?Correct answer: BExplanation:
The network security group shown is connected to the subnet that contains VM2.
The incoming rule named Allow_131.107.100.50 allows a client having the IP address 131.107.100.50 to access the virtual network containing VM2 via port 443 TCP. A computer using this IP address can connect directly to App1.
However, App1 is accessed through an Azure Load Balancer. While the client can connect to the load balancer, the load balancer cannot connect to VM2 because access is blocked by the BlockAllOther443 rule.
References:
Network security groups
How network security groups filter network traffic
Question: 427
Measured Skill: Configure and manage virtual networking (30-35%)
Note: This question is part of a series of questions that present the same scenario. Each questions in the series contains a unique solution that might meet the stated goals. Some questions sets might have more than one correct solution, while others might not have a correct solution. Determine whether the solution meets the stated goals.
You have an app named App1 that is installed on two Azure virtual machines named VM1 and VM2. Connections to App1 are managed by using an Azure Load Balancer.
The effective network security configurations for VM2 are shown in the following exhibit.
You discover that connections to App1 from 131.107.100.50 over TCP port 443 fail. You verify that the Load Balancer rules are configured correctly.
You need to ensure that connections to App1 can be established successfully from 131.107.100.50 over TCP port 443.
Solution: You modify the Allow_131.107.100.50 inbound rule and set Source to Any.
Does this meet the goal?Correct answer: AExplanation:
The network security group shown is connected to the subnet that contains VM2.
The incoming rule named Allow_131.107.100.50 allows a client having the IP address 131.107.100.50 to access the virtual network containing VM2 via port 443 TCP. A computer using this IP address can connect directly to App1.
However, App1 is accessed through an Azure Load Balancer. While the client can connect to the load balancer, the load balancer cannot connect to VM2 because access is blocked by the BlockAllOther443 rule.
References:
Network security groups
How network security groups filter network traffic
|
|
|
Tags: exam, examcollection, exam simulation, exam questions, questions & answers, training course, study guide, vce, braindumps, practice test
|
|
|
|
|
|
|
|
|