33

Questions and Answers

What should you set Session persistence to when configuring an Azure Load Balancer for Sticky Sessions?

Idle Time-out (minutes) to 20

Session persistence to Source IP

Protocol to UDP

Session persistence to Client IP and Protocol (correct)

Which two additional load balancer resources should you create before you can create a load balancing rule for HTTPS traffic between VM1 and VM2?

An inbound NAT rule

A virtual network

A frontend IP address

A backend pool (correct)

A health probe (correct)

What type of public IP address SKU and assignment should you use for an Azure VPN gateway to connect to an on-premises database server?

A basic SKU and a static IP address assignment

A basic SKU and a dynamic IP address assignment (correct)

A standard SKU and a static IP address assignment

VM1 can resolve the address of Server1 in VNET1.

True

Fabrikam.com is a public DNS zone.

False

Which SKU of ExpressRoute gateway should you deploy to ensure support for up to 10 Gbps of traffic and FastPath?

ErGw3AZ

Which solution should you deploy to ensure that a web app can connect to an on-premises SMB share?

An Azure Virtual Network Gateway

What type of operating systems does Azure Backup support for backup?

Both A and B

What should you create for Azure Monitor to send an email when CPU usage on VM1 exceeds 80 percent?

An action group

What should you do first to protect VM3 and VM4 using Recovery Services?

Create a new Recovery Services vault

What is the minimum number of Bastion hosts required for secure RDP connections to the virtual machines?

3

What should you use to ensure NGINX is available on all the virtual machines after deployment?

a Desired State Configuration (DSC) extension

What should you configure for the Azure container instance to enable DNS name label scope reuse?

the public networking type

To which virtual machines can you connect through Bastion1?

VM1 and VM2 only

Which virtual networks can you peer with VNet1?

VNet2 only

What should you change to ensure cont1 can be configured to use private networking?

Networking type

Which virtual machines can you back up by using Azure Backup?

VM1, VM2, VM3, and VM4

From Azure Monitor, you create a metric on Network In and Network Out. Does this meet the goal of inspecting all the network traffic from VM1 to VM2 for a period of three hours?

No

You create an inbound security rule that denies all traffic from the 131.107.100.50 source with a priority of 64999. Does this meet the goal of allowing connections to App1 from 131.107.100.50 over TCP port 443?

No

You need to create the peering for VNet1 to another virtual network named VNet2 which has an address space of 10.2.0.0/16. What should you do first?

Modify the address space of VNet1

Which DNS names can you use to ping VM2 from VM1?

comp1.contoso.com, comp2.contoso.com, comp3.contoso.com, and comp4.contoso.com

On Computer2, you set the Startup type for the IPSec Policy Agent service to Automatic. Does this meet the goal of establishing a point-to-site VPN connection to VNet1?

No

What should you configure to ensure that visitors are serviced by the same web server for each request to your Azure load balancer?

Session persistence to Client IP and protocol

Which public IP addresses can you use to create a public Azure Standard Load Balancer?

IP3 only

What should you configure on the AKS cluster to restrict network traffic between the pods?

The Calico network policy

What should you configure to ensure that visitors are serviced by the same web server for each request?

Session persistence to Client IP and protocol

What should you do first to ensure Bastion1 can support 100 concurrent SSH users?

Upgrade Bastion1 to the Standard SKU

What should you configure to ensure that visitors are serviced by the same web server for each request?

Session persistence to Client IP and protocol

What should you do to enable Azure Remote Desktop connection from Device1?

Connect to VM1

Which IP addresses can you use for deploying an Azure Bastion Basic SKU host named Bastion1?

IP1 and IP2 only

What should you configure to ensure that visitors are serviced by the same web server for each request?

Session persistence to Client IP

What should you configure to ensure NGINX is available on all virtual machines after deployment?

A Desired State Configuration (DSC) extension

Which resource should you create first to enable multi-user authorization (MAU) for Vault1?

A resource guard

Creating an inbound security rule that allows any traffic from the Azure Load Balancer meets the goal of connecting to App1 over TCP port 443.

True

What should you configure to ensure that all traffic from VM1 to storage1 travels across the Microsoft backbone network?

Service endpoints

Which extensions are considered correct for describing Azure Custom Script Extension?

Desired State Configuration (DSC) extension

What should you configure to ensure that all traffic from VM1 to storage1 travels across the Microsoft backbone network?

Network security group (NSG)

Which tunneling protocol should you use for route-based Site-to-Site VPN connections?

IKEv2

When performing a test failover of VM1 using Azure Site Recovery, to which subnet will the virtual machine be connected?

TestSubnet1

What should you configure on Azure load balancer LB1 to ensure that visitors are serviced by the same web server for each request?

Session persistence to Client IP

Which option should you use to ensure NGINX is available on all virtual machines after deployment in a scale set?

Desired State Configuration (DSC) extension

What port should you configure for NSG1 to allow inbound access to virtual machines via Bastion1?

443

What is the minimum number of connection monitors you should deploy to monitor connectivity between VMs and the on-premises network?

2

What should you configure to ensure inbound user traffic uses the Microsoft point-of-presence (POP) closest to the user's location?

Routing preference

How can you prevent VM1 from accessing VM2 on port 3389?

Create a network security group (NSG) that denies outward port 3389 and apply it to VM1.

What should you do first to manage outbound traffic from VNET1 using Firewall1?

Create a route table.

Which resources can be protected by using Bastion1?

VM1 only

Study Notes

Load Balancing and Security Groups

• Azure Load Balancer can manage HTTPS connections between virtual machines (VMs) for efficient load distribution.
• To troubleshoot connection failures to applications running on Azure VMs, review Network Security Group (NSG) rules, ensuring they allow necessary traffic.
• Adding an inbound security rule that denies certain traffic does not meet connection goals if ports needed for communication are blocked.

Virtual Network and Peering

• Virtual networks (VNets) must have non-overlapping IP address spaces to configure peering correctly.
• Azure Virtual WAN can connect multiple on-premises locations through defined configurations.

Network Monitoring and Traffic Inspection

• Azure Monitor can be used to create metrics, but it does not provide sufficient detail for inspecting all network traffic between VMs.
• Azure Network Watcher is a more suitable service for monitoring traffic flows and diagnosing connectivity issues.

Public DNS and Connectivity

• Azure Private DNS zones facilitate name resolution for VMs, allowing for the use of DNS names when pinging other VMs.
• Configurations on private DNS must include relevant records for effective communication between resources.

VPN Connectivity and Certificates

• Point-to-site VPN connections require client certificates installed on the client machines to authenticate successfully.
• Adjusting service settings on the client machines alone (like setting the IPSec Policy Agent to Automatic) will not enable VPN connectivity without the requisite certificates.

Session Persistence in Load Balancers

• Session persistence configurations for Azure Load Balancers ensure users are routed to the same server, facilitating a consistent experience.
• Essential settings include configuring session persistence to Client IP and protocol, ensuring session continuity.

Network Policies in Kubernetes

• Network policies, particularly the Calico network policy, are necessary to manage and restrict traffic among pods in an Azure Kubernetes Service (AKS) cluster.

Routing and Traffic Management

• Routing tables must be configured correctly to direct inbound traffic to appropriate resources, such as VM-based routers within a defined virtual network.

Summary of Key Solutions

• Ensure that security group rules are not overly restrictive when configuring traffic for applications like web servers.
• Use the correct address spaces when peering VNets to avoid conflicts.
• Employ Azure Network Watcher for traffic flow monitoring and diagnostics, rather than relying solely on Azure Monitor metrics.
• For VPN setups, ensure complete configuration, including client certificate installations, for successful connections.

This encapsulates crucial elements regarding Azure networking, load balancing, security configurations, and monitoring practices vital for an effective Azure environment management.### Network Security Groups (NSG) and Rules

• NSG2 has a custom incoming rule with priority 100, allowing TCP traffic on port 3389 from any source to any destination.
• NSG1 is linked to Subnet1, while NSG2 is associated with the network interface of VM2.

Azure Load Balancer Configuration

• To load balance HTTPS traffic between VM1 and VM2, create additional resources: a backend pool and a health probe.
• A frontend IP address and an inbound NAT rule are not mandatory for the load balancing rule.

Azure VPN Gateway Requirements

• For connecting an on-premises database server to Azure VM using a site-to-site VPN, configure the gateway with a basic SKU and dynamic IP assignment.
• VPN gateways require a public IP as the external connection point, which is dynamically assigned during creation.

DNS Configuration in Azure

• Virtual networks VNET1, VNET2, and VNET3 are peered and linked to a private DNS zone named contoso.com.
• VM1 resolves to a specific IP address (131.107.3.3) while VM2 uses a custom DNS server (192.168.0.5).

Azure DNS Zones Management

• Adding virtual network links to a private DNS zone enables auto-registration of DNS records for virtual machines in that network.
• A record and a PTR record are automatically created for each VM with DNS settings enabled.

ExpressRoute Gateway Selection

• Use the ErGw3Az SKU for an ExpressRoute gateway to support up to 10 Gbps of traffic, availability zones, and FastPath, which helps minimize costs.

Networking and Forwarding

• IP forwarding on VM3 allows it to send traffic with different source IPs and facilitates connection between network interfaces.
• Route tables can enable connections from one VM to another, leveraging IP forwarding if it is enabled on the VM.

Connecting On-Premises SMB Share to Azure

• Use an Azure Virtual Network Gateway to ensure that a web app can connect to an on-premises SMB share through a site-to-site VPN.

Deployment of Applications on Azure VMs

• Utilize the Azure Custom Script Extension to ensure NGINX is available on all VMs in a scale set after deployment.

Ensuring Traffic Flow Across Microsoft Backbone

• Configure a network security group (NSG) to ensure all traffic from a VM to an Azure storage account traverses the Microsoft backbone network.

VPN Connection Protocol

• For route-based Site-to-Site VPN connections between multiple locations and Azure, use the IKEv2 protocol, which supports multiple connections and higher security than IKEv1.

Azure Site Recovery Test Failover

• During a test failover of VM1, specify the target virtual network (VNET2) to determine the subnet for the connection (specific options not provided in the content).### Azure Load Balancers
• To ensure that visitors are consistently served by the same web server, configure Session persistence to Client IP.
• Valid configurations for Azure load balancers include options like Idle Time-out and health probes, but session persistence is critical in maintaining user sessions.
• Floating IP (direct server return) can be configured to improve performance but is not the primary setting for persistent sessions.

Desired State Configuration (DSC)

• Deploying NGINX on multiple Azure Virtual Machines can be achieved using the Desired State Configuration (DSC) extension in Azure.
• DSC enables consistent configuration across virtual machines efficiently and maintains state over time.

Azure Bastion Configuration

• When deploying Azure Bastion, inbound access to virtual machines is enabled over port 443 for secure communication.
• The configuration of a Network Security Group (NSG) is essential for allowing or denying traffic to Azure virtual machines via Bastion.

Azure Virtual Networks and Firewalls

• Azure firewalls can only be deployed in networks that meet certain criteria, including appropriate region settings. Specific virtual networks may limit deployment options.
• VM connectivity monitoring can be achieved with Connection Monitor, requiring at least two monitors if tracking connectivity between multiple VMs and an on-premises network.

Security Group Policies

• To prevent a virtual machine (e.g., VM1) from accessing another (e.g., VM2), create an NSG with an outbound rule to deny traffic on port 3389 (commonly used for Remote Desktop Protocol).
• NSGs help manage both inbound and outbound traffic and are essential in maintaining network security in Azure environments.

Azure Resource Manager (ARM) Templates

• Understanding how to utilize ARM templates is crucial for deploying resources systematically in Azure, ensuring proper configuration and resource allocation.

Traffic Management and Routing

• Routing preference must be configured to leverage Microsoft’s closest point-of-presence (POP) for user inbound traffic, enhancing speed and reliability.
• Load balancing through Azure can also be adjusted based on specific requirements, including session persistence settings and health probes.

Azure Bastion Performance

• Upgrading Bastion to Standard SKU is necessary to support higher concurrent SSH connections, minimizing administrative overhead for more extensive operations.
• The scaling capabilities of Azure Bastion allow for enhanced user experience through improved resource management.

Key Azure Services

• Familiarity with services such as Microsoft Endpoint Manager, Deployment Center in Azure App Service, and Azure Network Watcher is crucial for effective Azure implementation and management.
• Key components like Azure CLI and Azure PowerShell are useful tools for managing and deploying Azure resources efficiently.

In summary, understanding these elements about Azure services, load balancing, and network security will reinforce effective deployment and management strategies for Azure environments.

Description

Test your knowledge with our AZ-104 exam practice questions. This quiz covers various topics related to Azure, including load balancing HTTPS connections. Prepare yourself for the certification exam by practicing with real questions.