NEW QUESTION 1
DRAG DROP
You have an Azure subscription that contains the following resources:
• a virtual network named VNet1
• a replication policy named ReplPolicy1
• a Recovery Services vault named Vault1
• an Azure Storage account named Storage1
You have an Amazon Web Services (AWS) EC2 virtual machine named VM1 that runs Windows Server
You need to migrate VM1 to VNet1 by using Azure Site Recovery.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

Answer:

Explanation: Step 1: Deploy an EC2 virtual machine as a configuration server Prepare source include:
Use an EC2 instance that's running Windows Server 2012 R2 to create a configuration server and register it with your recovery vault.
Configure the proxy on the EC2 instance VM you're using as the configuration server so that it can access the service URLs.
Step 2: Install Azure Site Recovery Unified Setup.
Download Microsoft Azure Site Recovery Unified Setup. You can download it to your local machine and then copy it to the VM you're using as the configuration server.
Step 3: Enable replication for VM1.
Enable replication for each VM that you want to migrate. When replication is enabled, Site Recovery automatically installs the Mobility service.
References:
https://docs.microsoft.com/en-us/azure/site-recovery/migrate-tutorial-aws-azure

NEW QUESTION 2
You have an on-premises network that contains a Hyper-V host named Host1. Host1 runs Windows Server 2021 and hosts 10 virtual machines that run Windows Server 2021.
You plan to replicate the virtual machines to Azure by using Azure Site Recovery. You create a Recovery Services vault named ASR1 and a Hyper-V site named
Site1.
You need to add Host1 to ASR1. What should you do?

• A. Download the installation file for the Azure Site Recovery Provide
• B. Download the vault registration key.Install the Azure Site Recovery Provider on Host1 and register the server.
• C. Download the installation file for the Azure Site Recovery Provide
• D. Download the storage account key.Install the Azure Site Recovery Provider on Host1 and register the server.
• E. Download the installation file for the Azure Site Recovery Provide
• F. Download the vault registration key.Install the Azure Site Recovery Provider on each virtual machine and register the virtual machines.
• G. Download the installation file for the Azure Site Recovery Provide
• H. Download the storage account key.Install the Azure Site Recovery Provider on each virtual machine and register the virtual machines.

Answer: A

Explanation: Download the Vault registration key. You need this when you install the Provider. The key is valid for five days after you generate it.
Install the Provider on each VMM server. You don't need to explicitly install anything on Hyper-V hosts.
Incorrect Answers:
B, D: Use the Vault Registration Key, not the storage account key. References:
https://docs.microsoft.com/en-us/azure/site-recovery/migrate-tutorial-on-premises-azure

NEW QUESTION 3
You are the global administrator for an Azure Active Directory (Azure AD) tenant named adatum.com. From the Azure Active Directory blade, you assign the Conditional Access Administrator role to a user You need to ensure that Admin1 has just-in-time access as a conditional access administrator.
What should you do next?

• A. Enable Azure AD Multi-Factor Authentication (MFA).
• B. Set Admin1 as Eligible for the Privileged Role Administrator role.
• C. Admin1 as Eligible for the Conditional Access Administrator role.
• D. Enable Azure AD Identity Protection.

Answer: A

Explanation: Require MFA for admins is a baseline policy that requires MFA for the following directory roles:
Global administrator 
SharePoint administrator 
Exchange administrator 
Conditional access administrator 
Security administrator References:
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/baseline-protection

NEW QUESTION 4
You have a public load balancer that balancer ports 80 and 443 across three virtual machines.
You need to direct all the Remote Desktop protocol (RDP) to VM3 only. What should you configure?

• A. an inbound NAT rule
• B. a load public balancing rule
• C. a new public load balancer for VM3
• D. a new IP configuration

Answer: A

Explanation: To port forward traffic to a specific port on specific VMs use an inbound network address translation (NAT) rule.
Incorrect Answers:
B: Load-balancing rule to distribute traffic that arrives at frontend to backend pool instances. References:
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-overview

NEW QUESTION 5
You plan to connect a virtual network named VNET1017 to your on-premises network by using both an Azure ExpressRoute and a site-to-site VPN connection.
You need to prepare the Azure environment for the planned deployment. The solution must maximize the IP address space available to Azure virtual machines.
What should you do from the Azure portal before you create the ExpressRoute are the VPN gateway?

Answer:

Explanation: We need to create a Gateway subnet Step 1:
Go to More Services > Virtual Networks Step 2:
Then click on the VNET1017, and click on subnets. Then click on gateway subnet.
Step 3:
In the next window define the subnet for the gateway and click OK

It is recommended to use /28 or /27 for gateway subnet.
As we want to maximize the IP address space we should use /27. References:
https://blogs.technet.microsoft.com/canitpro/2021/06/28/step-by-step-configuring-a-site-to-site-vpn- gateway-between-azure-and-on-premise/

NEW QUESTION 6
DRAG DROP
You have an Azure subscription that contains an Azure Service Bus named Bus1.
Your company plans to deploy two Azure web apps named App1 and App2. The web apps will create messages that have the following requirements:
Each message created by App1 must be consumed by only a single consumer
Each message created by App2 will be consumed by multiple consumers.
Which resource should you create for each web app? To answer, drag the appropriate resources to the correct web apps. Each resource may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.

Answer:

Explanation:

NEW QUESTION 7
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You manage a virtual network named VNet1 that is hosted in the West US Azure region. VNet1 hosts two virtual machines named VM1 and VM2 that run Windows Server.
You need to inspect all the network traffic from VM1 to VM2 for a period of three hours. Solution: From Azure Monitor, you create a metric on Network In and Network Out. Does this meet the goal?

• A. Yes
• B. No

Answer: B

Explanation: You should use Azure Network Watcher. References:
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview

Case Study: 2
Mix Questions Set B (Implement advanced networking)

NEW QUESTION 8
You need to deploy an application gateway named appgwl015 to meet the following requirements: Load balance internal IP traffic to the Azure virtual machines connected to subnet0.
Provide a Service Level Agreement (SLA) of 99.99 percent availability for the Azure virtual machines.
What should you do from the Azure portal?

Answer:

Explanation: Step 1:
Click New found on the upper left-hand corner of the Azure portal.
Step 2:
Select Networking and then select Application Gateway in the Featured list.
Step 3:
Enter these values for the application gateway: appgw1015 - for the name of the application gateway. SKU Size: Standard_V2
The new SKU [Standard_V2] offers autoscaling and other critical performance enhancements.

Step 4:
Accept the default values for the other settings and then click OK.
Step 5:
Click Choose a virtual network, and select subnet0. References:
https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-create-gateway- portal

NEW QUESTION 9
You have an Azure subscription that contains a policy-based virtual network gateway named GW1 and a virtual network named VNet1. You need to ensure that you can configure a point-to-site connection from VNet1 to an on-premises computer. Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

• A. Reset GW1.
• B. Add a service endpoint to VNet1.
• C. Add a connection to GW1.
• D. Add a public IP address space to VNet1.
• E. Delete GWL
• F. Create a route-based virtual network gateway.

Answer: EF

Explanation: E: Policy-based VPN devices use the combinations of prefixes from both networks to define how traffic is encrypted/decrypted through IPsec tunnels. It is typically built on firewall devices that perform packet filtering. IPsec tunnel encryption and decryption are added to the packet filtering and processing engine.
F: A VPN gateway is used when creating a VPN connection to your on-premises network.
Route-based VPN devices use any-to-any (wildcard) traffic selectors, and let routing/forwarding tables direct traffic to different IPsec tunnels. It is typically built on router platforms where each IPsec tunnel is modeled as a network interface or VTI (virtual tunnel interface).
Incorrect Answers:
D: Point-to-Site connections do not require a VPN device or a public-facing IP address. References:
https://docs.microsoft.com/en-us/azure/vpn-gateway/create-routebased-vpn-gateway-portal https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-connect-multiple-policybased-rm- ps

Case Study: 7
Lab 2
Overview
This is a lab or performance-based testing (PBT) section.
The following section of the exam is a lab. In this section, you will perform a set of tasks m a live environment. While most liable to you as it would be m a live environment, some functionality (e g, copy and paste, ability to having sites) will not be possible by design.
Scoring is based on the outcome of performing the tasks stated in the lab. In other words, it doesn't matter how you accomplish the lab9s0 and all other sections of the
exam in the time provided.
Please note that once you submit your work by clicking the Next button within a lab. you will NOT be able to return to the tab.



To connect to Azure portal, type https://portal.azure.com in te browser address bar.

NEW QUESTION 10
Another administrator reports that she is unable to configure a web app named
corplod7509086n3 to prevent all connections from an IP address of 11.0.0.11.
You need to modify corplod7509086n3 to successfully prevent the connections from the IP address. The solution must minimize Azure-related costs.
What should you do from the Azure portal?

Answer:

Explanation: Step 1:
Find and select application corplod7509086n3:
1. In the Azure portal, on the left navigation panel, click Azure Active Directory.
2. In the Azure Active Directory blade, click Enterprise applications. Step 2:
To add an IP restriction rule to your app, use the menu to open Network>IP Restrictions and click on Configure IP Restrictions

Step 3:
Click Add rule
You can click on [+] Add to add a new IP restriction rule. Once you add a rule, it will become effective immediately.

Step 4:
Add name, IP address of 11.0.0.11, select Deny, and click Add Rule

References:
https://docs.microsoft.com/en-us/azure/app-service/app-service-ip-restrictions

NEW QUESTION 11
From the MFA Server blade, you open the Block/unblock users blade as shown in the exhibit.

What caused AlexW to be blocked?

• A. An administrator manually blocked the user.
• B. The user reports a fraud alert when prompted for additional authentication.
• C. The user account password expired.
• D. The user entered an incorrect PIN four times within 10 minutes.

Answer: B

NEW QUESTION 12
You have an Azure Active Directory (Azure AD) tenant named Tenant1 and an Azure subscription named You enable Azure AD Privileged Identity Management.
You need to secure the members of the Lab Creator role. The solution must ensure that the lab creators request access when they create labs.
What should you do first?

• A. From Azure AD Privileged Identity Management, edit the role settings for Lab Creator.
• B. From Subscription1 edit the members of the Lab Creator role.
• C. From Azure AD Identity Protection, creates a user risk policy.
• D. From Azure AD Privileged Identity Management, discover the Azure resources of Conscription.

Answer: A

Explanation: As a Privileged Role Administrator you can:
Enable approval for specific roles
Specify approver users and/or groups to approve requests
View request and approval history for all privileged roles References:
https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure

NEW QUESTION 13
HOTSPOT
You have an on-premises data center and an Azure subscription. The data center contains two VPN devices. The subscription contains an Azure virtual network named VNet1. VNet1 contains a gateway subnet.
You need to create a site-to-site VPN. The solution must ensure that is a single instance of an Azure VPN gateway fails, or a single on-premises VPN device fails, the failure will not cause an interruption that is longer than two minutes.
What is the minimum number of public IP addresses, virtual network gateways, and local network gateways required in Azure? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Answer:

Explanation: Box 1: 4
Two public IP addresses in the on-premises data center, and two public IP addresses in the VNET. The most reliable option is to combine the active-active gateways on both your network and Azure, as shown in the diagram below.

Box 2: 2
Every Azure VPN gateway consists of two instances in an active-standby configuration. For any planned maintenance or unplanned disruption that happens to the active instance, the standby instance would take over (failover) automatically, and resume the S2S VPN or VNet-to-VNet connections.
Box 3: 2
Dual-redundancy: active-active VPN gateways for both Azure and on-premises networks References:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-highlyavailable

NEW QUESTION 14
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure Active Directory (Azure AD) tenant named Adatum and an Azure Subscription named Subscription1. Adatum contains a group named Developers. Subscription1 contains a resource group named Dev.
You need to provide the Developers group with the ability to create Azure logic apps in the Dev resource group.
Solution: On Subscription1, you assign the DevTest Labs User role to the Developers group. Does this meet the goal?

• A. Yes
• B. No

Answer: B

Explanation: DevTest Labs User role only lets you connect, start, restart, and shutdown virtual machines in your Azure DevTest Labs.
You would need the Logic App Contributor role. References:
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles https://docs.microsoft.com/en-us/azure/logic-apps/logic-apps-securing-a-logic-app

NEW QUESTION 15
You need to create a function app named corp7509086nl that supports sticky sessions. The solution must minimize the Azure-related costs of the App Service plan.
What should you do from the Azure portal?

Answer:

Explanation: Step 1:
Select the New button found on the upper left-hand corner of the Azure portal, then select Compute > Function App.
Step 2:
Use the function app settings as listed below. App name: corp7509086n1
Hosting plan: Azure App Service plan
(need this for the sticky sessions)
Pricing tier of the the App Service plan: Shared compute: Free Step 3:
Select Create to provision and deploy the function app. References:
https://docs.microsoft.com/en-us/azure/azure-functions/functions-create-function-app-portal

NEW QUESTION 16
HOTSPOT
You need to prepare the environment to implement the planned changes for Server2.
What should you do? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Answer:

Explanation: Box 1: Create a Recovery Services vault
Create a Recovery Services vault on the Azure Portal. Box 2: Install the Azure Site Recovery Provider
Azure Site Recovery can be used to manage migration of on-premises machines to Azure. Scenario: Migrate the virtual machines hosted on Server1 and Server2 to Azure.
Server2 has the Hyper-V host role. References:
https://docs.microsoft.com/en-us/azure/site-recovery/migrate-tutorial-on-premises-azure

Case Study: 5
Mix Questions Set C (Evaluate and perform server migration to Azure)

NEW QUESTION 17
DRAG DROP
You are developing an Azure web app named WebApp1. WebApp1 uses an Azure App Service plan named Plan1 that uses the B1 pricing tier.
You need to configure WebApp1 to add additional instances of the app when CPU usage exceeds 70 percent for 10 minutes.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

Answer:

Explanation: Box 1: From the Scale out (App Service Plan) settings blade, change the pricing tier The B1 pricing tier only allows for 1 core. We must choose another pricing tier.
Box 2: From the Scale out (App Service Plan) settings blade, enable autoscale
Log in to the Azure portal at http://portal.azure.com
Navigate to the App Service you would like to autoscale.
Select Scale out (App Service plan) from the menu
Click on Enable autoscale. This activates the editor for scaling rules.

Box 3: From the Scale mode to Scale based on metric, add a rule, and set the instance limits.
Click on Add a rule. This shows a form where you can create a rule and specify details of the scaling. References:
https://azure.microsoft.com/en-us/pricing/details/app-service/windows/ https://blogs.msdn.microsoft.com/hsirtl/2021/07/03/autoscaling-azure-web-apps/