AZ-900 Microsoft Azure Fundamentals Exam Questions and Answers – Page 8 Part 2

The latest Microsoft AZ-900 Azure Fundamentals certification practice exam question and answer (Q&A) dumps are available free to help you pass the Microsoft AZ-900 Azure Fundamentals exam and earn the Microsoft AZ-900 Azure Fundamentals certification.

Question 791

To complete the sentence, select the appropriate option in the answer area.

You can enable just in time (JIT) VM access by using __________.

Answer Area:

A. Azure Bastion
B. Azure Firewall
C. Azure Front Door
*D. Azure Security Center

Explanation

The just-in-time (JIT) virtual machine (VM) access feature in Azure Security Center allows you to lock down inbound traffic to your Azure Virtual Machines. This reduces exposure to attacks while providing easy access when you need to connect to a VM.

Question 792

Your Azure environment contains multiple Azure virtual machines.

You need to ensure that a virtual machine named VM1 is accessible from the Internet over HTTP.

What are two possible solutions?

A. Modify an Azure Traffic Manager profile
*B. Modify a network security group (NSG)
C. Modify a DDoS protection plan
D. Modify an Azure firewall

Explanation

A network security group works like a firewall. You can attach a network security group to a virtual network and/or individual subnets within the virtual network. You can also attach a network security group to a network interface assigned to a virtual machine. You can use multiple network security groups within a virtual network to restrict traffic between resources such as virtual machines and subnets.

You can filter network traffic to and from Azure resources in an Azure virtual network with a network security group. A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources.

In this question, we need to add a rule to the network security group to allow the connection to the virtual machine on port 80 (HTTP).

Question 793

To answer, select the appropriate options in the answer area.

You plan to implement several security services for an Azure environment. You need to identify which Azure services must be used to meet the following security requirements:

  • Monitor threats by using sensors
  • Enforce Azure Multi-Factor Authentication (MFA) based on a condition

Which Azure service should you identify for each requirement?

Monitor threats by using sensors: __________

Answer Area:

  • Azure Monitor
  • Azure Security Center
  • Azure Active Directory (Azure AD) Identity Protection
  • Azure Advanced Threat Protection (ATP)

Enforce Azure Multi-Factor Authentication (MFA) based on a condition: __________

Answer Area:

  • Azure Monitor
  • Azure Security Center
  • Azure Active Directory (Azure AD) Identity Protection
  • Azure Advanced Threat Protection (ATP)

Answer:
Monitor threats by using sensors: Azure Advanced Threat Protection (ATP)

Enforce Azure Multi-Factor Authentication (MFA) based on a condition: Azure Active Directory (Azure AD) Identity Protection

Explanation

Monitor threats by using sensors: Azure Advanced Threat Protection (ATP)

To monitor threats by using sensors, you would use Azure Advanced Threat Protection (ATP).

Azure Advanced Threat Protection (ATP) is a cloud-based security solution that leverages your on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization.

Sensors are software packages you install on your servers to upload information to Azure ATP.

Enforce Azure Multi-Factor Authentication (MFA) based on a condition: Azure Active Directory (Azure AD) Identity Protection

To enforce MFA based on a condition, you would use Azure Active Directory Identity Protection.

Azure AD Identity Protection helps you manage the roll-out of Azure Multi-Factor Authentication (MFA) registration by configuring a Conditional Access policy to require MFA registration no matter what modern authentication app you are signing in to.

Question 794

You need to configure an Azure solution that meets the following requirements:

  • Secures websites from attacks
  • Generates reports that contain details of attempted attacks

What should you include in the solution?

A. Azure Firewall
B. a network security group (NSG)
C. Azure Information Protection
*D. DDoS protection

Explanation

DDoS is a type of attack that tries to exhaust application resources. The goal is to affect the application’s availability and its ability to handle legitimate requests. DDoS attacks can be targeted at any endpoint that is publicly reachable through the internet.

Azure has two DDoS service offerings that provide protection from network attacks: DDoS Protection Basic and DDoS Protection Standard.

DDoS Basic protection is integrated into the Azure platform by default and at no extra cost.

You have the option of paying for DDoS Standard. It has several advantages over the basic service, including logging, alerting, and telemetry. DDoS Standard can generate reports that contain details of attempted attacks as required in this question.

Question 795

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

Statement 1: Azure Security Center can monitor Azure resources and on-premises resources: Yes
Statement 2: All Azure Security Center features are free: No
Statement 3: From Azure Security Center, you can download a Regulatory Compliance report: Yes

Explanation

Statement 1: Azure Security Center can monitor Azure resources and on-premises resources: Yes
Azure Security Center is a unified infrastructure security management system that strengthens the security posture of your data centers, and provides advanced threat protection across your hybrid workloads in the cloud — whether they’re in Azure or not — as well as on premises.

Statement 2: All Azure Security Center features are free: No
Only two features are free: continuous assessment and security recommendations, and Azure secure score.

Statement 3: From Azure Security Center, you can download a Regulatory Compliance report: Yes
The advanced monitoring capabilities in Security Center also let you track and manage compliance and governance over time. The overall compliance provides you with a measure of how much your subscriptions are compliant with policies associated with your workload.

Question 796

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

Statement 1: Azure Firewall will encrypt all the network traffic sent from Azure to the Internet: No
Statement 2: A network security group (NSG) will encrypt all the network traffic sent from Azure to the Internet: No
Statement 3: Azure virtual machines that run Windows Server 2016 can encrypt network traffic sent to the Internet: No

Explanation

Statement 1: Azure Firewall will encrypt all the network traffic sent from Azure to the Internet: No
Azure Firewall does not encrypt network traffic. It is used to block or allow traffic based on source/destination IP address, source/destination ports and protocol.

Statement 2: A network security group (NSG) will encrypt all the network traffic sent from Azure to the Internet: No
A network security group does not encrypt network traffic. It works in a similar way to a firewall in that it is used to block or allow traffic based on source/destination IP address, source/destination ports and protocol.

Statement 3: Azure virtual machines that run Windows Server 2016 can encrypt network traffic sent to the Internet: No
The question is rather vague, as it would depend on the configuration of the host on the Internet. Windows Server does come with a VPN client, and it also supports other encryption methods such as IPSec encryption or SSL/TLS, so it could encrypt the traffic if the Internet host was configured to require or accept the encryption. However, the VM could not encrypt the traffic to an Internet host that is not configured to require the encryption.

Question 797

An Azure administrator plans to run a PowerShell script that creates Azure resources.

You need to recommend which computer configuration to use to run the script.

Which three computers can run the script?

*A. a computer that runs macOS and has PowerShell Core 6.0 installed.
B. a computer that runs Windows 10 and has the Azure PowerShell module installed.
C. a computer that runs Linux and has the Azure PowerShell module installed.
D. a computer that runs Linux and has the Azure CLI tools installed.
E. a computer that runs Chrome OS and uses Azure Cloud Shell.

Answer:

A. a computer that runs macOS and has PowerShell Core 6.0 installed.
B. a computer that runs Windows 10 and has the Azure PowerShell module installed.
E. a computer that runs Chrome OS and uses Azure Cloud Shell.

Question 798

Which service provides serverless computing in Azure?

A. Azure Virtual Machines
*B. Azure Functions
C. Azure storage account
D. Azure dedicated hosts

Explanation

Azure Functions provide a platform for serverless code.

Azure Functions is a serverless compute service that lets you run event-triggered code without having to explicitly provision or manage infrastructure.

Question 799

Match the Azure services to the correct description. Each service may be used once, more than once, or not at all.

Azure Services:

  • Azure Functions
  • Azure App Service
  • Azure virtual machines
  • Azure Container Instances

Descriptions:

  • Provide operating system virtualization
  • Provide portable environment for virtualized applications
  • Used to build, deploy, and scale web apps
  • Provide a platform for serverless code

Answer:

  • Azure virtual machines: Provide operating system virtualization
  • Azure Container Instances: Provide portable environment for virtualized applications
  • Azure App Service: Used to build, deploy, and scale web apps
  • Azure Functions: Provide a platform for serverless code

Explanation

Azure virtual machines: Provide operating system virtualization
Azure Virtual Machines (VM) is one of several types of on-demand, scalable computing resources that Azure offers. Typically, you choose a VM when you need more control over the computing environment than the other choices offer.

Azure Container Instances: Provide portable environment for virtualized applications
Containers are becoming the preferred way to package, deploy, and manage cloud applications. Azure Container Instances offers the fastest and simplest way to run a container in Azure, without having to manage any virtual machines and without having to adopt a higher-level service.

Containers offer significant startup benefits over virtual machines (VMs). Azure Container Instances can start containers in Azure in seconds, without the need to provision and manage VMs.

Azure App Service: Used to build, deploy, and scale web apps
Azure App Service is a platform-as-a-service (PaaS) offering that lets you create web and mobile apps for any platform or device and connect to data anywhere, in the cloud or on-premises. App Service includes the web and mobile capabilities that were previously delivered separately as Azure Websites and Azure Mobile Services.

Azure Functions: Provide a platform for serverless code
Azure Functions is a serverless compute service that lets you run event-triggered code without having to explicitly provision or manage infrastructure.

Question 800

An Azure administrator plans to run a PowerShell script that creates Azure resources.

You need to recommend which computer configuration to use to run the script.

Solution: Run the script from a computer that runs Windows 10 and has the Azure PowerShell module installed.

Does this meet the goal?

*A. Yes
B. No

Explanation

A PowerShell script is a file that contains PowerShell cmdlets and code. A PowerShell script needs to be run in PowerShell.

In this question, the computer has the Azure PowerShell module installed. Therefore, this solution does meet the goal.