The latest Troubleshooting Microsoft Azure Connectivity AZ-720 certification actual practice exam question and answer (Q&A) dumps are available free; they can help you pass the Troubleshooting Microsoft Azure Connectivity AZ-720 exam and earn the Troubleshooting Microsoft Azure Connectivity AZ-720 certification.
Question 11
Exam Question
You need to resolve the issue with internet traffic from VM1 being routed directly to the internet.
What should you do?
A. Modify IP address prefix of RT12
B. Associate RT12 with Subnet1a.
C. Associate RT12 with Subnet2a.
D. Modify the next hop type of RT12.
Correct Answer
B. Associate RT12 with Subnet1a.
Explanation
This will ensure that the route table RT12, which has a route to direct internet traffic to the virtual network gateway VNG1, is applied to the subnet where VM1 is located. This will override the default route that sends internet traffic to the internet gateway.
Question 12
Exam Question
HOTSPOT –
A company named Contoso connects its on-premises resources to Azure by using ExpressRoute.
An administrator reports that the circuit is in a failed state.
You need to resolve the issue.
How should you complete the PowerShell commands? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Correct Answer
$var1 = Get-AzExpressRouteCircuit -Name "Contoso-Circuit" -ResourceGroupName "Contoso-Group"
Set-AzExpressRouteCircuit -ExpressRouteCircuit $var1
Question 13
Exam Question
You need to troubleshoot the Azure Key Vault issues.
What should you do? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Requirement: Identify the root cause of the issue.
Tool or action:
- Key Vault key size limit
- Network throughput limit
- Key Vault transaction limit
Requirement: Resolve the issue.
Tool or action:
- Increase the size of the Azure VMs.
- Distribute requests across additional Azure key vaults.
Correct Answer
Identify the root cause of the issue: Key Vault transaction limit
Resolve the issue: Distribute requests across additional Azure key vaults.
Explanation
Box 1: Key Vault transaction limit. Based on the given scenario, the issue is related to the number of transactions per second (TPS) being throttled. The Azure Key Vault has a transaction limit, which varies depending on the service tier. In the provided images, the error message states that the request rate is too large, indicating that the transaction limit has been reached. To resolve this issue, you can either distribute the transactions over a longer period, implement a retry policy, or consider upgrading to a higher service tier if the current tier’s transaction limit is insufficient for your needs.
Box 2: Distribute requests across additional Azure key vaults.
In the provided scenario, the issue is that the Azure Key Vault is experiencing throttling due to too many requests per second. Throttling occurs when the number of requests exceeds the allowed limits for a given time period. To resolve this issue, you should distribute the requests across additional Azure key vaults. By doing so, you can balance the load and prevent exceeding the request limits, thus avoiding throttling.
Reference
- Microsoft Learn > Azure > Security > Key Vault > General > Azure Key Vault service limits
- Microsoft Learn > Azure > Security > Key Vault > General > Azure Key Vault throttling guidance
Question 14
Exam Question
A company manages a solution that uses Azure Functions.
A function returns the following error. Azure Functions Runtime is unreachable.
You need to troubleshoot the issue.
What are two possible causes of the issue? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.
A. The function key was deleted.
B. The storage account application settings were deleted.
C. The execution quota is full.
D. The company did not configure a timer trigger.
E. The storage account for the function was deleted.
Correct Answer
B. The storage account application settings were deleted.
E. The storage account for the function was deleted.
Explanation
Two possible causes of the issue where a function returns the error “Azure Functions Runtime is unreachable” are:
B. The storage account application settings were deleted.
E. The storage account for the function was deleted.
According to Microsoft, this issue occurs when the Functions runtime can’t start. The most common reason for this is that the function app has lost access to its storage account. If that account is deleted or if the storage account application settings were deleted, your functions won’t work.
Reference
Microsoft Learn > Azure > Functions > Troubleshoot error: “Azure Functions Runtime is unreachable”
Question 15
Exam Question
You need to troubleshoot and resolve the public DNS lookup issues.
What should you do? To answer, select the appropriate option in the answer area. NOTE: Each correct selection is worth one point.
Requirement: Verify if the Azure public DNS zone is configured according to the requirements.
Action:
- Run the command: nslookup -type=a www.contoso.com 8.8.8.8.
- Run the command: nslookup -recurse www.contoso.com 8.8.8.8.
- Run the command: nslookup -type=soa www.contoso.com 8.8.8.8.
Requirement: Resolve the public DNS lookup issue.
Action:
- Create NS records.
- Create SRV records.
- Create SOA records.
Correct Answer
Verify if the Azure public DNS zone is configured according to the requirements: Run the command: nslookup -type=a www.contoso.com 8.8.8.8.
Resolve the public DNS lookup issue: Create NS records.
Explanation
Box 1: Run the command: nslookup -type=a www.contoso.com 8.8.8.8
nslookup is a command-line tool that queries DNS servers for information about domain names and IP addresses. It can be used to troubleshoot DNS issues and verify DNS configurations.
The -type option specifies the type of DNS record to query. The -type=a option queries for A records, which map domain names to IPv4 addresses. The www.contoso.com argument specifies the domain name to query. The 8.8.8.8 argument specifies the DNS server to use for the query, which is a public DNS server provided by Google.
By running this command, you can verify if the Azure public DNS zone is configured according to the requirements by checking if the A record for www.contoso.com matches the expected IPv4 address. If the A record is missing or incorrect, you can use the Azure portal, PowerShell, or Azure CLI to create or update it in your DNS zone.
Box 2: Create NS records
NS (Name Server) records are used to delegate a domain or subdomain name to a set of authoritative DNS servers, which can provide information about that domain. In this scenario, there appears to be an issue with resolving the domain in question via public DNS lookup, since it’s only resolving locally on one server and not across all networks. By creating NS records for the domain, authoritative name servers will be identified and designated as responsible for providing accurate information about the specific zone. This will ensure your domain is properly distributed across different network zones and help users globally reach your website without any delays or connectivity problems.
Alternatively, an SRV (Service locator) record is used when you have multiple servers offering similar services such as email or SIP but want to use a weighting system that indicates the greater trustworthiness or proximity of datacenters within the provider’s DNS infrastructure. An SOA (Start of Authority) record indicates who is in control of the DNS zone and provides other related information such as the serial number and default TTL values.
Therefore, option A. Create NS records would be the best solution for resolving public DNS lookup issues in this scenario.
References
- “NS record,” Microsoft Docs, accessed March 27, 2023. [Online]
- “SRV record,” Cloudflare Help Center, accessed March 27, 2023. [Online]
- “SOA record,” DigitalOcean Product Documentation, accessed March 27, 2023. [Online]
Question 16
Exam Question
HOTSPOT –
A company creates an Azure resource group named RG1. RG1 has an Azure SQL Database logical server named sqlsvr1 that hosts the following resources:
Resource | Description |
---|---|
VM1 | Virtual machine |
SQLDB1 | Azure SQL database |
SQLDB2 | Azure SQL database |
An administrator grants a user named User1 the Reader RBAC role in RG1. The administrator grants User2 the Contributor role in sqlsvr1.
User1 reports that they can connect to SQLDB1 from the IP address 155.127.95.212. User1 cannot connect to SQLDB2. User2 can connect to both SQLDB1 and SQLDB2 from the IP address 121.19.27.18. Both users can successfully connect to SQLDB1 and SQLDB2 from VM1.
You are helping the administrator troubleshoot the issue. You run the following PowerShell command:
Get-AzSqlServerFirewallRule -ResourceGroupName 'RG1' -ServerName 'sqlsvr1'
The following output displays:
ResourceGroupName: RG1
ServerName: sqlsvr1
StartIpAddress: 0.0.0.0
EndIpAddress: 0.0.0.0
FirewallRuleName: Rule01
ResourceGroupName: RG1
ServerName: sqlsvr1
StartIpAddress: 72.225.0.0
EndIpAddress: 72.225.255.255
FirewallRuleName: Rule02
You need to identify the cause for the reported issue and resolve User1’s issues. The solution must satisfy the principle of least privilege.
What should you do? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Requirement: Tool to use to determine the reason for the connection failure.
Action:
- Transact-SQL stored procedure
- Azure CLI command
- Azure PowerShell cmdlet
Requirement: Resolve the issue.
Action:
- Modify the RBAC assignment for User2.
- Modify the firewall rules of sqlsvr1.
- Modify the firewall rules of SQLDB2.
Correct Answer
Tool to use to determine the reason for the connection failure: Transact-SQL stored procedure
Resolve the issue: Modify the firewall rules of SQLDB2.
Question 17
Exam Question
HOTSPOT
You need to resolve the Azure virtual machine (VM) deployment issues.
What should you do? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Requirement: Configure an Azure Key Vault access policy setting.
Action:
- Enable access to Azure virtual machines for deployment.
- Enable access to Azure Disk Encryption for volume encryption.
- Enable access to Azure Resource Manager for template deployment.
Requirement: Configure RBAC Key Vault permissions.
Action:
- Grant the Microsoft.KeyVault/operations/read permission.
- Grant the Microsoft.KeyVault/vaults/keys/read permission.
- Grant the Microsoft.KeyVault/vaults/deploy/action permission.
Correct Answer
Configure an Azure Key Vault access policy setting: Enable access to Azure Resource Manager for template deployment.
Configure RBAC Key Vault permissions: Grant the Microsoft.KeyVault/vaults/deploy/action permission.
Explanation
Box 1: Enable access to Azure Resource Manager for template deployment. In the given scenario, you are trying to resolve Azure VM deployment issues. To configure an Azure Key Vault access policy setting for VM deployment, you need to enable access to Azure Resource Manager for template deployment. This will allow the VM deployment process to access the secrets and certificates stored in the Key Vault during the deployment of the VM using an ARM (Azure Resource Manager) template.
Box 2: Grant the Microsoft.KeyVault/vaults/deploy/action permission
This is the permission that you should configure on an RBAC Key Vault role to resolve the Azure virtual machine (VM) deployment issues. This permission allows Azure Resource Manager to retrieve secrets from the key vault when deploying resources using an ARM template. Therefore, option C is correct.
A detailed explanation with references is as follows:
As mentioned in the scenario, the Azure virtual machine (VM) deployment issues are caused by the inability of Azure Resource Manager to retrieve secrets from the key vault when deploying resources using an ARM template. To resolve this issue, you need to configure an RBAC Key Vault role that grants Azure Resource Manager the permission to access the key vault.
RBAC Key Vault roles are roles that can be assigned to users, groups, or applications to manage access to key vault secrets, keys, and certificates. RBAC Key Vault roles are based on Azure role-based access control (Azure RBAC), which is an authorization system that provides fine-grained access management of Azure resources.
With Azure RBAC, you can control access to resources by creating role assignments, which consist of three elements:
- The security principal: The user, group, or application that you want to grant or deny access to the resource.
- The role definition: The predefined or custom set of permissions that you want to grant or deny on the resource. For example, read, write, delete, backup, restore, etc.
- The scope: The level at which you want to apply the role assignment. For example, at the management group, subscription, resource group, or individual resource level.
To configure a role assignment that allows Azure Resource Manager to retrieve secrets from the key vault when deploying resources using an ARM template, you need to grant the Microsoft.KeyVault/vaults/deploy/action permission. This is a special permission that grants Azure Resource Manager a limited permission to get secrets from the key vault during resource deployment. This permission does not grant any other permissions to Azure Resource Manager on the key vault or its contents.
To grant the Microsoft.KeyVault/vaults/deploy/action permission using the Azure portal, follow these steps:
- In the Azure portal, navigate to the Key Vault resource.
- Select Access control (IAM), then select Add > Add role assignment.
- Under Role, select a built-in or custom role that includes the Microsoft.KeyVault/vaults/deploy/action permission. For example, you can select Key Vault Administrator or Key Vault Secrets User.
- Under Assign access to, select Azure AD user, group, or service principal.
- Under Select, enter Azure Resource Manager in the search field and select it.
- Select Save to create the role assignment.
To grant the Microsoft.KeyVault/vaults/deploy/action permission using the Azure CLI or PowerShell, see Grant permissions for template deployment.
Reference
Microsoft Learn > Azure > Security > Key Vault > General > Tutorial: Use a managed identity to connect Key Vault to an Azure web app in .NET
Question 18
Exam Question
HOTSPOT –
A company implements Windows and Linux VMs in an Azure Virtual Network. The company plans to apply routing changes to the virtual network.
You need to determine the impact of these changes on network latency affecting applications that use TCP and UDP traffic. The solution must provide the highest level of accuracy.
Which tools should you use? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Operating system: Windows
Tool:
- ping
- latte
- tracert
Operating system: Linux
Tool:
- SockPerf
- nttcp
Correct Answer
Windows: latte
Linux: SockPerf
Question 19
Exam Question
You need to resolve the connectivity issue with the on-premises database named CosmosDB1.
What should you do? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Requirement: CosmosDB1 must be accessible by host name by using VNet1.
Action:
- Deploy an Azure virtual machine (VM) that hosts a DNS service.
- Configure a user-defined route (UDR) on the GatewaySubnet of VNet1.
- Configure a network security group (NSG) on the GatewaySubnet on VNet1.
Requirement: CosmosDB1 must be accessible by host name from the on-premises environment.
Action:
- Configure DNS conditional forwarding in the on-premises DNS infrastructure.
- Configure a DNS secondary zone in the on-premises DNS infrastructure.
- Configure custom routes in the on-premises routers.
Correct Answer
CosmosDB1 must be accessible by host name by using VNet1: Deploy an Azure virtual machine (VM) that hosts a DNS service.
CosmosDB1 must be accessible by host name from the on-premises environment: Configure DNS conditional forwarding in the on-premises DNS infrastructure.
Explanation
Box 1: Deploy an Azure virtual machine (VM) that hosts a DNS service.
In the given scenario, CosmosDB1 is an on-premises database, and you need to make it accessible by host name using VNet1. To achieve this, you should deploy an Azure virtual machine that hosts a DNS service. This will allow you to configure custom DNS settings for VNet1, enabling the resolution of the on-premises database’s host name.
Box 2: Configure DNS conditional forwarding in the on-premises DNS infrastructure.
In the given scenario, you need to resolve the connectivity issue with the on-premises database named CosmosDB1, and it must be accessible by hostname from the on-premises environment. To achieve this, you should configure DNS conditional forwarding in the on-premises DNS infrastructure. DNS conditional forwarding allows you to specify that DNS queries for a specific domain (in this case, the Azure Cosmos DB) are forwarded to a specific DNS server or set of servers. This ensures that the on-premises environment can resolve the hostname of CosmosDB1 by forwarding the DNS queries to the appropriate DNS server responsible for that domain.
Reference
Microsoft Learn > Azure > Networking > Virtual Network > Name resolution for resources in Azure virtual networks
Question 20
Exam Question
A company hosts a network virtual appliance (NVA) and Azure Route Server in different virtual networks (VNets). Border Gateway Protocol (BGP) peering is enabled between the NVA and the route server.
The company discovers that the NVA loses internet connectivity after it advertises the default route to the route server.
You need to resolve the problem with the NVA.
What should you do?
A. Configure a unique autonomous system number (ASN) on the NVA.
B. Configure a user-defined route on the NVA subnet.
C. Move the route server to the same VNet as the NVA.
D. Configure a public IP address on the route server.
Correct Answer
B. Configure a user-defined route on the NVA subnet.