The latest Microsoft AZ-900 Azure Fundamentals certification actual real practice exam question and answer (Q&A) dumps are available free, which are helpful for you to pass the Microsoft AZ-900 Azure Fundamentals exam and earn Microsoft AZ-900 Azure Fundamentals certification.
Question 31
An Azure administrator plans to run a PowerShell script that creates Azure resources.
You need to recommend which computer configuration to use to run the script.
Solution: Run the script from a computer that runs macOS and has PowerShell Core 6.0 installed.
Does this meet the goal?
* A. Yes
B. No
Explanation
A PowerShell script is a file that contains PowerShell cmdlets and code. A PowerShell script needs to be run in PowerShell.
In this question, the computer has PowerShell Core 6.0 installed. Therefore, this solution does meet the goal.
Note: To create Azure resources using PowerShell, you would need to import the Azure PowerShell module which includes the PowerShell cmdlets required to create the resources.
Question 32
You have an Azure environment that contains 10 virtual networks and 100 virtual machines.
You need to limit the amount of inbound traffic to all the Azure virtual networks. What should you create?
A. one application security group (ASG)
B. 10 virtual network gateways
C. 10 Azure ExpressRoute circuits
* D. one Azure firewall
Explanation
You can restrict traffic to multiple virtual networks with a single Azure firewall.
Azure Firewall is a managed, cloud-based network security service that protects your Azure Virtual Network resources. It’s a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability.
You can centrally create, enforce, and log application and network connectivity policies across subscriptions and virtual networks. Azure Firewall uses a static public IP address for your virtual network resources allowing outside firewalls to identify traffic originating from your virtual network.
Azure Firewall: Cloud-native network security to protect your Azure Virtual Network resources.
Azure Firewall is a managed, cloud-based network security service that protects your Azure Virtual Network resources. It’s a fully stateful firewall-as-a-service with built-in high availability and unrestricted cloud scalability. You can centrally create, enforce, and log application and network connectivity policies across subscriptions and virtual networks.
Capabilities supported in Azure Firewall:
- Stateful firewall as a service
- Built-in high availability with unrestricted cloud scalability
- FQDN filtering
- FQDN tags
- Network traffic filtering rules
- Outbound SNAT support
- Inbound DNAT support
- Centrally create, enforce, and log application and network connectivity policies across Azure subscriptions and VNETs
- Fully integrated with Azure Monitor for logging and analytics
Question 33
You have an Azure environment that contains multiple Azure virtual machines.
You plan to implement a solution that enables the client computers on your on-premises network to communicate to the Azure virtual machines.
You need to recommend which Azure resources must be created for the planned solution.
Which two Azure resources should you include in the recommendation? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
* A. a virtual network gateway
B. a load balancer
C. an application gateway
D. a virtual network
* E. a gateway subnet
Explanation
To implement a solution that enables the client computers on your on-premises network to communicate to the Azure virtual machines, you need to configure a VPN (Virtual Private Network) to connect the on-premises network to the Azure virtual network.
The Azure VPN device is known as a Virtual Network Gateway. The virtual network gateway needs to be located in a dedicated subnet in the Azure virtual network. This dedicated subnet is known as a gateway subnet and must be named ‘GatewaySubnet’.
Note: a virtual network (answer D) is also required. However, as we already have virtual machines deployed in a Azure, we can assume that the virtual network is already in place.
A VPN gateway is a specific type of virtual network gateway that is used to send encrypted traffic between an Azure virtual network and an on-premises location over the public Internet. You can also use a VPN gateway to send encrypted traffic between Azure virtual networks over the Microsoft network. Each virtual network can have only one VPN gateway. However, you can create multiple connections to the same VPN gateway. When you create multiple connections to the same VPN gateway, all VPN tunnels share the available gateway bandwidth.
A virtual network gateway is composed of two or more virtual machines that are deployed to a specific subnet you create, which is called the gateway subnet. The VMs that are located in the gateway subnet are created when you create the virtual network gateway. Virtual network gateway VMs are configured to contain routing tables and gateway services specific to the gateway. You can’t directly configure the VMs that are part of the virtual network gateway and you should never deploy additional resources to the gateway subnet.
VPN gateways can be deployed in Azure Availability Zones. This brings resiliency, scalability, and higher availability to virtual network gateways. Deploying gateways in Azure Availability Zones physically and logically separates gateways within a region, while protecting your on-premises network connectivity to Azure from zone-level failures.
Question 34
You have an Azure environment.
You need to create a new Azure virtual machine from a tablet that runs the Android operating system.
Solution: You use Bash in Azure Cloud Shell.
Does this meet the goal?
* A. Yes
B. No
Explanation
With Azure Cloud Shell, you can create virtual machines using Bash or PowerShell.
Azure Cloud Shell is an interactive, authenticated, browser-accessible shell for managing Azure resources. It provides the flexibility of choosing the shell experience that best suits the way you work, either Bash or PowerShell.
Question 35
Your company plans to move several servers to Azure.
The company’s compliance policy states that a server named FinServer must be on a separate network segment.
You are evaluating which Azure services can be used to meet the compliance policy requirements.
Which Azure solution should you recommend?
A. a resource group for FinServer and another resource group for all the other servers
* B. a virtual network for FinServer and another virtual network for all the other servers
C. a VPN for FinServer and a virtual network gateway for each other server
D. one resource group for all the servers and a resource lock for FinServer
Explanation
Networks in Azure are known as virtual networks. A virtual network can have multiple IP address spaces and multiple subnets. Azure automatically routes traffic between different subnets within a virtual network.
The question states that FinServer must be on a separate network segment. The only way to separate FinServer from the other servers in networking terms is to place the server in a different virtual network to the other servers.
Azure virtual networks are similar to LANs on your on-premises network. The idea behind an Azure virtual network is that you create a network, based on a single private IP address space, on which you can place all your Azure virtual machines. The private IP address spaces available are in the Class A (10.0.0.0/8), Class B (172.16.0.0/12), and Class C (192.168.0.0/16) ranges.
Best practice: Create network access controls between subnets. Routing between subnets happens automatically, and you don’t need to manually configure routing tables. By default, there are no network access controls between the subnets that you create on an Azure virtual network.
Detail: Use a network security group to protect against unsolicited traffic into Azure subnets. Network security groups are simple, stateful packet inspection devices that use the 5-tuple approach (source IP, source port, destination IP, destination port, and layer 4 protocol) to create allow/deny rules for network traffic. You allow or deny traffic to and from a single IP address, to and from multiple IP addresses, or to and from entire subnets.
When you use network security groups for network access control between subnets, you can put resources that belong to the same security zone or role in their own subnets.
Question 36
You plan to map a network drive from several computers that run Windows 10 to Azure Storage.
You need to create a storage solution in Azure for the planned mapped drive.
What should you create?
A. an Azure SQL database
B. a virtual machine data disk
* C. a Files service in a storage account
D. a Blobs service in a storage account
Explanation
Azure Files is Microsoft’s easy-to-use cloud file system. Azure file shares can be seamlessly used in Windows and Windows Server.
To use an Azure file share with Windows, you must either mount it, which means assigning it a drive letter or mount point path, or access it via its UNC path.
Unlike other SMB shares you may have interacted with, such as those hosted on a Windows Server, Linux Samba server, or NAS device, Azure file shares do not currently support Kerberos authentication with your Active Directory (AD) or Azure Active Directory (AAD) identity, although this is a feature we are working on.
Instead, you must access your Azure file share with the storage account key for the storage account containing your Azure file share. A storage account key is an administrator key for a storage account, including administrator permissions to all files and folders within the file share you’re accessing, and for all file shares and other storage resources (blobs, queues, tables, etc) contained within your storage account.
Azure Files offers fully managed file shares in the cloud that are accessible via the industry standard Server Message Block (SMB) protocol. Azure file shares can be mounted concurrently by cloud or on-premises deployments of Windows, Linux, and macOS. Additionally, Azure file shares can be cached on Windows Servers with Azure File Sync for fast access near where the data is being used.
Azure Files:
- Extend your servers to Azure with Sync for on-premises performance and capability.
- Secure data at rest and in-transit using SMB 3.0 and HTTPS.
- Simplify cloud file share management using familiar tools.
- Create high-performance file shares using the Premium Files storage tier.
Question 37
Your company plans to migrate all its network resources to Azure.
You need to start the planning process by exploring Azure.
What should you create first?
* A. a subscription
B. a resource group
C. a virtual network
D. a management group
Explanation
The first thing you create in Azure is a subscription. You can think of an Azure subscription as an ‘Azure account’. You get billed per subscription.
A subscription is an agreement with Microsoft to use one or more Microsoft cloud platforms or services, for which charges accrue based on either a per-user license fee or on cloud-based resource consumption.
- Microsoft’s Software as a Service (SaaS)-based cloud offerings (Office 365, Intune/EMS, and Dynamics 365) charge per-user license fees.
- Microsoft’s Platform as a Service (PaaS) and Infrastructure as a Service (IaaS) cloud offerings (Azure) charge based on cloud resource consumption.
You can also use a trial subscription, but the subscription expires after a specific amount of time or consumption charges. You can convert a trial subscription to a paid subscription.
Organizations can have multiple subscriptions for Microsoft’s cloud offerings.
Question 38
You have an on-premises application that sends email notifications automatically based on a rule.
You plan to migrate the application to Azure.
You need to recommend a serverless computing solution for the application.
What should you include in the recommendation?
A. a web app
B. a server image in Azure Marketplace
* C. a logic app
D. an API app
Explanation
Azure Logic Apps is a cloud service that helps you schedule, automate, and orchestrate tasks, business processes, and workflows when you need to integrate apps, data, systems, and services across enterprises or organizations. Logic Apps simplifies how you design and build scalable solutions for app integration, data integration, system integration, enterprise application integration (EAI), and business-to-business (B2B) communication, whether in the cloud, on premises, or both.
For example, here are just a few workloads you can automate with logic apps:
- Process and route orders across on-premises systems and cloud services.
- Send email notifications with Office 365 when events happen in various systems, apps, and services.
- Move uploaded files from an SFTP or FTP server to Azure Storage.
- Monitor tweets for a specific subject, analyze the sentiment, and create alerts or tasks for items that need review.
Question 39
You plan to deploy a website to Azure.
The website will be accessed by users worldwide and will host large video files.
You need to recommend which Azure feature must be used to provide the best video playback experience.
What should you recommend?
A. an application gateway
B. an Azure ExpressRoute circuit
* C. a content delivery network (CDN)
D. an Azure Traffic Manager profile
Explanation
The question states that users are located worldwide and will be downloading large video files. The video playback experience would be improved if they can download the video from servers in the same region as the users. We can achieve this by using a content deliver network.
A content delivery network (CDN) is a distributed network of servers that can efficiently deliver web content to users. CDNs store cached content on edge servers in point-of-presence (POP) locations that are close to end users, to minimize latency.
Azure Content Delivery Network (CDN) offers developers a global solution for rapidly delivering highbandwidth content to users by caching their content at strategically placed physical nodes across the world.
Azure CDN can also accelerate dynamic content, which cannot be cached, by leveraging various network optimizations using CDN POPs. For example, route optimization to bypass Border Gateway Protocol (BGP).
The benefits of using Azure CDN to deliver web site assets include:
- Better performance and improved user experience for end users, especially when using applications in which multiple round-trips are required to load content.
- Large scaling to better handle instantaneous high loads, such as the start of a product launch event.
- Distribution of user requests and serving of content directly from edge servers so that less traffic is sent to the origin server.
Question 40
Your company plans to deploy several million sensors that will upload data to Azure.
You need to identify which Azure resources must be created to support the planned solution.
Which two Azure resources should you identify? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
* A. Azure Data Lake
B. Azure Queue storage
C. Azure File Storage
* D. Azure IoT Hub
E. Azure Notification Hubs
Explanation
IoT Hub (Internet of things Hub) provides data from millions of sensors.
IoT Hub is a managed service, hosted in the cloud, that acts as a central message hub for bi-directional communication between your IoT application and the devices it manages. You can use Azure IoT Hub to build IoT solutions with reliable and secure communications between millions of IoT devices and a cloudhosted solution backend. You can connect virtually any device to IoT Hub.
There are two storage services IoT Hub can route messages to — Azure Blob Storage and Azure Data Lake Storage Gen2 (ADLS Gen2) accounts. Azure Data Lake Storage accounts are hierarchical namespace-enabled storage accounts built on top of blob storage. Both of these use blobs for their storage.