AZ-900 Microsoft Azure Fundamentals Exam Questions and Answers – Page 3

The latest Microsoft AZ-900 Azure Fundamentals certification practice exam question and answer (Q&A) dumps are available free and can help you pass the Microsoft AZ-900 Azure Fundamentals exam and earn the Microsoft AZ-900 Azure Fundamentals certification.

Exam Question 251

You have two subscriptions named Subscription1 and Subscription2.
Each subscription is associated with a different Azure AD tenant.
Subscription1 contains a virtual network named VNet1.
VNet1 contains an Azure virtual machine named VM1 and has an IP address space of 10.0.0.0/16.
Subscription2 contains a virtual network named VNet2.
VNet2 contains an Azure virtual machine named VM2 and has an IP address space of 10.10.0.0/24.
You need to connect VNet1 to VNet2.
What should you do first?

A. Move VM1 to Subscription2.
B. Modify the IP address space of VNet2.
C. Provision virtual network gateways.
D. Move VNet1 to Subscription2.
Correct Answer:
C. Provision virtual network gateways.
Answer Description:
The virtual networks can be in the same or different regions, and from the same or different subscriptions. When connecting VNets from different subscriptions, the subscriptions do not need to be associated with the same Active Directory tenant.
Configuring a VNet-to-VNet connection is a good way to easily connect VNets. Connecting a virtual network to another virtual network using the VNet-to-VNet connection type (VNet2VNet) is similar to creating a Site-to-Site IPsec connection to an on-premises location. Both connectivity types use a VPN gateway to provide a secure tunnel using IPsec/IKE, and both function the same way when communicating.
The local network gateway for each VNet treats the other VNet as a local site. This lets you specify additional address space for the local network gateway in order to route traffic.
References:
Microsoft Docs > Configure a VNet-to-VNet VPN gateway connection by using the Azure portal

Exam Question 252

You have an Azure subscription that contains the resources in the following table.
***
Name: VNet1, Type: virtual network, Azure region: West US, Resource group: RG2
Name: VNet2, Type: virtual network, Azure region: West US, Resource group: RG1
Name: VNet3, Type: virtual network, Azure region: East US, Resource group: RG1
Name: NSG1, Type: Network security group (NSG), Azure region: East US, Resource group: RG2
***
To which subnets can you apply NSG1?

A. The subnets on VNet2 only.
B. The subnets on VNet2 and VNet3 only.
C. The subnets on VNet1, VNet2, and VNet3.
D. The subnets on VNet1 only.
E. The subnets on VNet3 only.
Correct Answer:
E. The subnets on VNet3 only.
Answer Description:
All Azure resources are created in an Azure region and subscription. A resource can only be created in a virtual network that exists in the same region and subscription as the resource. You can, however, connect virtual networks that exist in different subscriptions and regions. For more information, see connectivity. When deciding which region(s) to deploy resources in, consider where consumers of the resources are physically located. Consumers of resources typically want the lowest network latency to their resources. To determine relative latencies between a specified location and Azure regions, see View relative latencies. Do you have data residency, sovereignty, compliance, or resiliency requirements? If so, choosing the region that aligns to the requirements is critical. Do you require resiliency across Azure Availability Zones within the same Azure region for the resources you deploy? You can deploy resources, such as virtual machines (VMs), to different availability zones within the same virtual network. However, not all Azure regions support availability zones.
References:
Microsoft Docs > Plan virtual networks

Exam Question 253

You have five Azure virtual machines that run Windows Server 2016.
The virtual machines are configured as web servers.
You have an Azure load balancer named LB1 that provides load balancing services for the virtual machines.
You need to ensure that visitors are serviced by the same web server for each request.
What should you configure?

A. Protocol to UDP.
B. Session persistence to None.
C. Session persistence to Client IP.
D. Idle Time-out (minutes) to 20.
Correct Answer:
C. Session persistence to Client IP.
Answer Description:
You can configure sticky sessions in a load balancer rule by setting session persistence to Client IP.
References:
Microsoft Docs > Configure Azure Load Balancer For Sticky Sessions

Exam Question 254

You have the Azure virtual networks shown in the following table.
***
Name: VNet1, Address space: 10.11.0.0/16, Subnet: 10.11.0.0/17, Azure Region: West US
Name: VNet2, Address space: 10.11.0.0/17, Subnet: 10.11.0.0/25, Azure Region: West US
Name: VNet3, Address space: 10.10.0.0/22, Subnet: 10.10.1.0/24, Azure Region: East US
Name: VNet4, Address space: 192.168.16.0/22, Subnet: 192.168.16.0/24, Azure Region: North Europe
***
To which virtual networks can you establish a peering connection from VNet1?

A. VNet2 and VNet3 only.
B. VNet2 only.
C. VNet3 and VNet4 only.
D. VNet2, VNet3, and VNet4.
Correct Answer:
D. VNet2, VNet3, and VNet4.
Answer Description:
You can connect virtual networks to each other with virtual network peering. These virtual networks can be in the same region or different regions (also known as Global VNet peering). Once virtual networks are peered, resources in both virtual networks are able to communicate with each other, with the same latency and bandwidth as if the resources were in the same virtual network.
References:
Microsoft Docs > Tutorial: Connect virtual networks with virtual network peering using the Azure portal

Exam Question 255

Azure Multi-Factor Authentication (MFA) can be required for administrative and non-administrative user accounts.

A. Yes
B. No

Correct Answer:
A. Yes

Exam Question 256

You have an Azure subscription that contains a policy-based virtual network gateway named GW1 and a virtual network named VNet1.
You need to ensure that you can configure a point-to-site connection from VNet1 to an on-premises computer.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

A. Reset GW1.
B. Create a route-based virtual network gateway.
C. Delete GW1.
D. Add a public IP address space to VNet1.
E. Add a connection to GW1.
F. Add a service endpoint to VNet1.
Correct Answer:
B. Create a route-based virtual network gateway.
C. Delete GW1.
Answer Description:
A VPN gateway is used when creating a VPN connection to your on-premises network. Route-based VPN devices use any-to-any (wildcard) traffic selectors, and let routing/forwarding tables direct traffic to different IPsec tunnels. It is typically built on router platforms where each IPsec tunnel is modeled as a network interface or VTI (virtual tunnel interface). Policy-based VPN devices use the combinations of prefixes from both networks to define how traffic is encrypted/decrypted through IPsec tunnels. It is typically built on firewall devices that perform packet filtering. IPsec tunnel encryption and decryption are added to the packet filtering and processing engine. Point-to-Site connections do not require a VPN device or a public-facing IP address.
References:
Microsoft Docs > Create a route-based VPN gateway using the Azure portal
Microsoft Docs > Connect Azure VPN gateways to multiple on-premises policy-based VPN devices using PowerShell

Exam Question 257

You have an Azure subscription named Subscription1 that contains the resource groups shown in the following table.
***
Name: RG1, Region: East Asia
Name: RG2, Region: East US
***
In RG1, you create a virtual machine named VM1 in the East Asia location.
You plan to create a virtual network named VNET1.
You need to create VNET1, and then connect VM1 to VNET1.
What are two possible ways to achieve this goal? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.

A. Create VNET1 in RG2, and then set East Asia as the location.
B. Create VNET1 in a new resource group in the West US location, and then set West US as the location.
C. Create VNET1 in RG1, and then set East US as the location.
D. Create VNET1 in RG2, and then set East US as the location.
E. Create VNET1 in RG1, and then set East Asia as the location.
Correct Answer:
A. Create VNET1 in RG2, and then set East Asia as the location.
E. Create VNET1 in RG1, and then set East Asia as the location.
Answer Description:
Resource group – A container that holds related resources for an Azure solution. The resource group includes those resources that you want to manage as a group. You decide which resources belong in a resource group based on what makes the most sense for your organization.
There are some important factors to consider when defining your resource group:

  • A resource group can contain resources that are located in different regions.
  • All the resources in your group should share the same lifecycle. You deploy, update, and delete them together. If one resource, such as a database server, needs to exist on a different deployment cycle it should be in another resource group.
  • Each resource can only exist in one resource group.
  • You can add or remove a resource to a resource group at any time.
  • You can move a resource from one resource group to another group.
  • A resource group can be used to scope access control for administrative actions.
  • A resource can interact with resources in other resource groups. This interaction is common when the two resources are related but don’t share the same lifecycle (for example, web apps connecting to a database).

References:
Microsoft Docs > Azure Resource Manager overview

Exam Question 258

You have an Azure subscription that contains a virtual network named VNet1.
VNet1 contains four subnets named Gateway, Perimeter, NVA, and Production.
The NVA subnet contains two network virtual appliances (NVAs) that will perform network traffic inspection between the Perimeter subnet and the Production subnet.
You need to implement an Azure load balancer for the NVAs. The solution must meet the following requirements:

  • The NVAs must run in an active-active configuration that uses automatic failover.
  • The NVAs must load balance traffic to two services on the Production subnet. The services have different IP addresses.

Which three actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

A. Add two load balancing rules that have HA Ports enabled and Floating IP disabled.
B. Add a frontend IP configuration, two backend pools, and a health probe.
C. Add two load balancing rules that have HA Ports and Floating IP enabled.
D. Deploy a standard load balancer.
E. Deploy a basic load balancer.
F. Add a frontend IP configuration, a backend pool, and a health probe.
Correct Answer:
B. Add a frontend IP configuration, two backend pools, and a health probe.
C. Add two load balancing rules that have HA Ports and Floating IP enabled.
D. Deploy a standard load balancer.
Answer Description:
A standard load balancer is required for the HA ports.
Two backend pools are needed as there are two services with different IP addresses.
Floating IP rule is used where backend ports are reused.
HA Ports are not available for the basic load balancer.
References:
Microsoft Docs > Azure Standard Load Balancer overview
Microsoft Docs > Multiple Frontends for Azure Load Balancer

Exam Question 259

You manage a virtual network named VNet1 that is hosted in the West US Azure region.
VNet1 hosts two virtual machines named VM1 and VM2 that run Windows Server.
You need to inspect all the network traffic from VM1 to VM2 for a period of three hours.
Solution: From Azure Network Watcher, you create a packet capture.
Does this meet the goal?

A. Yes
B. No
Correct Answer:
B. No
Answer Description:
Use the Connection Monitor feature of Azure Network Watcher.
Network Watcher packet capture allows you to create capture sessions to track traffic to and from a virtual machine. Filters are provided for the capture session to ensure you capture only the traffic you want. Packet capture helps to diagnose network anomalies, both reactively and proactively. Other uses include gathering network statistics, gaining information on network intrusions, debugging client-server communication, and much more. Being able to remotely trigger packet captures eases the burden of running a packet capture manually on a desired virtual machine, which saves valuable time.
References:
Microsoft Docs > Tutorial: Monitor network communication between two virtual machines using the Azure portal

Exam Question 260

Authorization to access Azure resources can be provided only to Azure Active Directory (Azure AD) users.

A. Yes
B. No
Correct Answer:
B. No