AZ-500 Microsoft Azure Security Technologies Exam Questions and Answers – 1 Part 1

The latest Microsoft AZ-500 Azure Security Technologies practice exam question and answer (Q&A) dumps are available free to help you pass the Microsoft AZ-500 Azure Security Technologies exam and earn the Microsoft AZ-500 Azure Security Technologies certification.

AZ-500 Question 21

Question

DRAG DROP –
You are configuring network connectivity for two Azure virtual networks named VNET1 and VNET2.
You need to implement VPN gateways for the virtual networks to meet the following requirements:

  • VNET1 must have six site-to-site connections that use BGP.
  • VNET2 must have 12 site-to-site connections that use BGP.
  • Costs must be minimized.

Which VPN gateway SKU should you use for each virtual network? To answer, drag the appropriate SKUs to the correct networks. Each SKU may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
Select and Place:

SKUs:

  • Basic
  • VpnGw1
  • VpnGw2
  • VpnGw3

Answer

VNET1: VpnGw1
VNET2: VpnGw1

AZ-500 Question 22

Question

You plan to deploy Azure container instances.
You have a containerized application that is comprised of two containers: an application container and a validation container. The application container is monitored by the validation container. The validation container performs security checks by making requests to the application container and waiting for responses after every transaction.
You need to ensure that the application container and the validation container are scheduled to be deployed together. The containers must communicate with each other only on ports that are not externally exposed.
What should you include in the deployment?

A. application security groups
B. network security groups (NSGs)
C. management groups
D. container groups

Answer

D. container groups

Explanation

Azure Container Instances supports the deployment of multiple containers onto a single host using a container group. A container group is useful when building an application sidecar for logging, monitoring, or any other configuration where a service needs a second attached process.

AZ-500 Question 23

Question

You have a web app hosted on an on-premises server that is accessed by using a URL of https://www.contoso.com.
You plan to migrate the web app to Azure. You will continue to use https://www.contoso.com.
You need to enable HTTPS for the Azure web app.
What should you do first?

A. Export the public key from the on-premises server and save the key as a P7b file.
B. Export the private key from the on-premises server and save the key as a PFX file that is encrypted by using TripleDES.
C. Export the public key from the on-premises server and save the key as a CER file.
D. Export the private key from the on-premises server and save the key as a PFX file that is encrypted by using AES256.

Answer

B. Export the private key from the on-premises server and save the key as a PFX file that is encrypted by using TripleDES.

AZ-500 Question 24

Question

You have 15 Azure virtual machines in a resource group named RG1.
All the virtual machines run identical applications.
You need to prevent unauthorized applications and malware from running on the virtual machines.
What should you do?

A. Apply an Azure policy to RG1.
B. From Azure Security Center, configure adaptive application controls.
C. Configure Azure Active Directory (Azure AD) Identity Protection.
D. Apply a resource lock to RG1.

Answer

B. From Azure Security Center, configure adaptive application controls.

Explanation

Adaptive application control is an intelligent, automated end-to-end application whitelisting solution from Azure Security Center. It helps you control which applications can run on your Azure and non-Azure VMs (Windows and Linux), which, among other benefits, helps harden your VMs against malware. Security Center uses machine learning to analyze the applications running on your VMs and helps you apply the specific whitelisting rules using this intelligence.

AZ-500 Question 25

Question

You have an Azure subscription that contains the virtual networks shown in the following table.

Name  | Region    | Subnet
VNET1 | West US   | Subnet11 and Subnet12
VNET2 | West US 2 | Subnet21
VNET3 | East US   | Subnet31

The subscription contains the virtual machines shown in the following table.

Name | Network interface | Connected to
VM1  | NIC1              | Subnet11
VM2  | NIC2              | Subnet11
VM3  | NIC3              | Subnet12
VM4  | NIC4              | Subnet21
VM5  | NIC5              | Subnet31

On NIC1, you configure an application security group named ASG1.
On which other network interfaces can you configure ASG1?

A. NIC2 only
B. NIC2, NIC3, NIC4, and NIC5
C. NIC2 and NIC3 only
D. NIC2, NIC3, and NIC4 only

Answer

C. NIC2 and NIC3 only

Explanation

Only network interfaces in VNET1, which consists of Subnet11 and Subnet12, can be configured in ASG1, because all network interfaces assigned to an application security group must exist in the same virtual network as the first network interface assigned to that application security group.

AZ-500 Question 26

Question

HOTSPOT –
You have a network security group (NSG) bound to an Azure subnet.
You run Get-AzNetworkSecurityRuleConfig and receive the output shown in the following exhibit.

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
NOTE: Each correct selection is worth one point.
Hot Area:

Traffic destined for an Azure Storage account is [answer choice]:

  • able to connect to East US
  • able to connect to East US 2
  • able to connect to West Europe
  • prevented from connecting to all regions

FTP connections from 1.2.3.4 to 10.0.0.10/32 are [answer choice]:

  • allowed
  • dropped
  • forwarded

Answer

Traffic destined for an Azure Storage account is able to connect to East US 2.
FTP connections from 1.2.3.4 to 10.0.0.10/32 are allowed.

Explanation

Box 1: able to connect to East US 2
The StorageEA2Allow has DestinationAddressPrefix {Storage/EastUS2}

Box 2: allowed –
TCP Port 21 controls the FTP session. Contoso_FTP has SourceAddressPrefix {1.2.3.4/32} and DestinationAddressPrefix {10.0.0.5/32}
Note:
The Get-AzureRmNetworkSecurityRuleConfig cmdlet gets a network security rule configuration for an Azure network security group.
Security rules in network security groups enable you to filter the type of network traffic that can flow in and out of virtual network subnets and network interfaces.

AZ-500 Question 27

Question

You are configuring and securing a network environment.
You deploy an Azure virtual machine named VM1 that is configured to analyze network traffic.
You need to ensure that all network traffic is routed through VM1.
What should you configure?

A. a system route
B. a network security group (NSG)
C. a user-defined route

Answer

C. a user-defined route

Explanation

Although the use of system routes facilitates traffic automatically for your deployment, there are cases in which you want to control the routing of packets through a virtual appliance. You can do so by creating user defined routes that specify the next hop for packets flowing to a specific subnet to go to your virtual appliance instead, and enabling IP forwarding for the VM running as the virtual appliance.

Note: User Defined Routes –
For most environments you will only need the system routes already defined by Azure. However, you may need to create a route table and add one or more routes in specific cases, such as:

  • Force tunneling to the Internet via your on-premises network.
  • Use of virtual appliances in your Azure environment.

In the scenarios above, you will have to create a route table and add user defined routes to it.

AZ-500 Question 28

Question

From Azure Security Center, you create a custom alert rule.
You need to configure which users will receive an email message when the alert is triggered.
What should you do?

A. From Azure Monitor, create an action group.
B. From Security Center, modify the Security policy settings of the Azure subscription.
C. From Azure Active Directory (Azure AD), modify the members of the Security Reader role group.
D. From Security Center, modify the alert rule.

Answer

A. From Azure Monitor, create an action group.

AZ-500 Question 29

Question

You have an Azure subscription that contains an Azure Container Registry named Registry1. Azure Defender is enabled in the subscription.
You upload several container images to Registry1.
You discover that vulnerability security scans were not performed.
You need to ensure that the container images are scanned for vulnerabilities when they are uploaded to Registry1.
What should you do?

A. From the Azure portal, modify the Pricing tier settings.
B. From Azure CLI, lock the container images.
C. Upload the container images by using AzCopy.
D. Push the container images to Registry1 by using Docker.

Answer

A. From the Azure portal, modify the Pricing tier settings.

AZ-500 Question 30

Question

You have an Azure Active Directory (Azure AD) tenant named Contoso.com and an Azure Kubernetes Service (AKS) cluster AKS1.
You discover that AKS1 cannot be accessed by using accounts from Contoso.com.
You need to ensure AKS1 can be accessed by using accounts from Contoso.com. The solution must minimize administrative effort.
What should you do first?

A. From Azure, recreate AKS1.
B. From AKS1, upgrade the version of Kubernetes.
C. From Azure AD, implement Azure AD Premium P2.
D. From Azure AD, configure the User settings.

Answer

A. From Azure, recreate AKS1.