HOTSPOT
-
You have an Azure virtual network and an on-premises datacenter that connect by using a Site-to-Site VPN tunnel.
You need to ensure that all traffic from the virtual network to the internet is routed through the datacenter.
How should you complete the PowerShell script to configure forced tunneling? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
 

You have an Azure virtual network named Vnet1 that has one subnet. Vnet1 is in the West Europe region.
You deploy an Azure App Service app named App1 to the West Europe region.
You need to provide App1 with access to the resources in Vnet1. The solution must minimize costs.
What should you do first?

A. Create a private link.

B. Create a new subnet.

C. Create a NAT gateway.

D. Create a gateway subnet and deploy a virtual network gateway.

SIMULATION
-
 
Username and password
-
Use the following login credentials as needed:
To enter your username, place your cursor in the Sign in box and click on the username below.
To enter your password, place your cursor in the Enter password box and click on the password below.
Azure Username:
User-12345678@cloudslice.onmicrosoft.com
Azure Password: xxxxxxxxxx
-
If the Azure portal does not load successfully in the browser, press CTRL-K to reload the portal in a new browser tab.
The following information is for technical support purposes only:
Lab Instance: 12345678
-
You need to block all outbound internet traffic for HTTP and HTTPS that originates from subnet1-1. All other traffic must be allowed.
To complete this task, sign in to the Azure portal.

SIMULATION
-
 
Username and password
-
Use the following login credentials as needed:
To enter your username, place your cursor in the Sign in box and click on the username below.
To enter your password, place your cursor in the Enter password box and click on the password below.
Azure Username:
User-12345678@cloudslice.onmicrosoft.com
Azure Password: xxxxxxxxxx
-
If the Azure portal does not load successfully in the browser, press CTRL-K to reload the
portal in a new browser tab.
The following information is for technical support purposes only:
Lab Instance: 12345678
-
You need to ensure that requests for www.relecloud.com from any of your Azure virtual networks resolve to frontdoor1.azurefd.net.
To complete this task, sign in to the Azure portal.

HOTSPOT -
You have an Azure subscription that contains the route tables and routes shown in the following table.
 
The subscription contains the subnets shown in the following table.
 
The subscription contains the virtual machines shown in the following table.
 
The subscription contains the local network gateways shown in the following table.
 
There is a Site-to-Site VPN connection to each local network gateway.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
 

HOTSPOT
-
You have an Azure application gateway.
You need to create a rewrite rule that will remove the origin port from the HTTP header of incoming requests that are being forwarded to the backend pool.
How should you configure each setting? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
 

HOTSPOT -
You have two Azure virtual networks named VNet1 and VNet2 in an Azure region that has three availability zones.
You deploy 12 virtual machines to each virtual network, deploying four virtual machines per zone. The virtual machines in VNet1 host an app named App1. The virtual machines in VNet2 host an app named App2.
You plan to use Azure Virtual Network NAT to implement outbound connectivity for App1 and App2.
You need to identify the minimum number of subnets and Virtual Network NAT instances required to meet the following requirements:
✑ A failure of two zones must NOT affect the availability of either App1 or App2.
✑ A failure of two zones must NOT affect the outbound connectivity of either App1 or App2.
What should you identify? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
 

You have an Azure subscription that contains a virtual network named Vnet1. Vnet1 contains a virtual machine named VM1 and an Azure firewall named FW1.
You have an Azure Firewall Policy named FP1 that is associated to FW1.
You need to ensure that RDP requests to the public IP address of FW1 route to VM1.
What should you configure on FP1?

A. a network rule

B. URL filtering

C. a DNAT rule

D. an application rule

HOTSPOT
-
You have an Azure subscription that contains an Azure Firewall policy named FWPolicy1.
You need to configure FWPolicy1 to meet the following requirements:
•	Allow traffic based on the FQDN of the destination.
•	Allow TCP traffic based on the source.
Which types of rules should you use for each requirement? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
 

HOTSPOT
-
You have an Azure subscription that contains a virtual network gateway named VNetGwy1. VNetGwy1 has a public IP address of 20.25.32.214.
You need to query the health probe of VNetGwy1.
How should you complete the URI? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
 

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription that contains the following resources:
✑ A virtual network named Vnet1
✑ A subnet named Subnet1 in Vnet1
✑ A virtual machine named VM1 that connects to Subnet1
✑ Three storage accounts named storage1, storage2, and storage3
You need to ensure that VM1 can access storage1. VM1 must be prevented from accessing any other storage accounts.
Solution: You create a network security group (NSG) and associate the NSG to Subnet1.
Does this meet the goal?

A. Yes

B. No

You have an Azure virtual network named VNet1 that contains the subnets shown in the following table.
 
You need to deploy an Azure application gateway named AppGW1 to VNet1.
To where can you deploy AppGW1?

A. GatewaySubnet only

B. Subnet2 only

C. Subnet1 or Subnet2 only

D. Subnet2 or GatewaySubnet only

E. Subnet1, Subnet2, and GatewaySubnet

HOTSPOT -
You have on-premises datacenters in New York and Seattle.
You have an Azure subscription that contains the ExpressRoute circuits shown in the following table.
 
You need to ensure that all the data sent between the datacenters is routed via the ExpressRoute circuits. The solution must minimize costs.
How should you configure the network? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
 

You need to configure GW1 to meet the network security requirements for the P2S VPN users.
Which Tunnel type should you select in the Point-to-site configuration settings of GW1?

A. IKEv2 and OpenVPN (SSL)

B. IKEv2

C. IKEv2 and SSTP (SSL)

D. OpenVPN (SSL)

E. SSTP (SSL)

HOTSPOT -
You have an Azure private DNS zone named contoso.com that is linked to the virtual networks shown in the following table.
 
The links have auto registration enabled.
You create the virtual machines shown in the following table.
 
You manually add the following entry to the contoso.com zone:
✑ Name: VM1
IP address: 10.1.10.9 -
 
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
 

You have an Azure subscription that contains the public IPv4 addresses shown in the following table.
 
You plan to create a load balancer named LB1 that will have the following settings:
✑ Name: LB1
✑ Location: West US
✑ Type: Public
✑ SKU: Standard
Which public IPv4 addresses can be used by LB1?

A. IP1, IP3, IP4, and IP5 only

B. IP3 only

C. IP1 and IP3 only

D. IP2 only

E. IP1, IP2, IP3, IP4, and IP5

F. IP3 and IP5 only

HOTSPOT
-
Your on-premises network contains a server named DNS1 that runs Windows Server 2022. DNS1 has the DNS server role and an IP address of 10.1.0.1. The network contains computers that use DNS1 for name resolution.
You have an Azure subscription that contains the resources shown in the following table.
 
The on-premises network connects to Vnet1 by using a Site-to-Site VPN.
You need to ensure that the computers on the on-premises network can resolve the IP address for sql1.private.fabrikam.com.
What should you do on DNS1 and DNS2? To answer, drag the appropriate actions to the correct servers. Each action may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
 

HOTSPOT
-
You have an Azure subscription that contains the resource groups shown in the following table.
 
You have the virtual networks shown in the following table.
 
Vnet1 contains two virtual machines named VM1 and VM2. Vnet2 contains two virtual machines named VM3 and VM4.
You have the network security groups (NSGs) shown in the following table that include only default rules.
 
You have the Azure load balancers shown in the following table.
 
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
 

DRAG DROP
-
You have an Azure subscription that contains an Azure VPN gateway named GW1. GW1 provides Point-to-Site (P2S) VPN connectivity.
Users connect to GW1 from a Windows 11 device by using an SSTP connection.
You need to ensure that the P2S VPN connections support Azure AD authentication.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
NOTE: More than one order of answer choices is correct. You will receive credit for any of the correct orders you select.
 

You have three on-premises networks.
You have an Azure subscription that contains a Basic Azure virtual WAN. The virtual WAN contains a single virtual hub and a virtual network gateway that is limited to a throughput of 1 Gbps.
The on-premises networks connect to the virtual WAN by using Site-to-Site (S2S) VPN connections.
You need to increase the throughput of the virtual WAN to 3 Gbps. The solution must minimize administrative effort.
What should you do?

A. Upgrade the virtual WAN to the Standard SKU.

B. Add an additional VPN gateway to the Azure subscription.

C. Create an additional virtual hub.

D. Increase the number of gateway scale units.

HOTSPOT
-
You have two Azure subscriptions named Subscription1 and Subscription2.
There are no connections between the virtual networks in the two subscriptions.
You configure a private link service as shown in the privatelinkservice1 exhibit. (Click the privatelinkservice1 tab.)
 
You create a load balancer name in Subscription1 and configure the backend pool shown in the lb1 exhibit. (Click the lb1 tab.)
 
You create a private endpoint in Subscription2 as shown in the privateendpoint4 exhibit. (Click the privateendpoint4 tab.)
 
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
 

HOTSPOT -
Your company has 10 instances of a web service. Each instance is hosted in a different Azure region and is accessible through a public endpoint.
The development department at the company is creating an application named App1. Every 10 minutes, App1 will use a list of endpoints and connect to the first available endpoint.
You plan to use Azure Traffic Manager to maintain the list of endpoints.
You need to configure a Traffic Manager profile that will minimize the impact of DNS caching.
What should you configure? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
 

You have 10 Azure App Service instances. Each instance hosts the same web app. Each instance is in a different Azure region.
You need to configure Azure Traffic Manager to direct users to the instance that has the lowest latency.
Which routing method should you use?

A. geographic

B. weighted

C. priority

D. performance

SIMULATION
-
 
Username and password
-
Use the following login credentials as needed:
To enter your username, place your cursor in the Sign in box and click on the username below.
To enter your password, place your cursor in the Enter password box and click on the password below.
Azure Username:
User-12345678@cloudslice.onmicrosoft.com
Azure Password: xxxxxxxxxx
-
If the Azure portal does not load successfully in the browser, press CTRL-K to reload the
portal in a new browser tab.
The following information is for technical support purposes only:
Lab Instance: 12345678
-
You need to ensure that connections to the storage12345678 storage account can be made by using an IP address in the 10.1.1.0/24 range and the name storage12345678.privatelink.blob.core.windows.net.
To complete this task, sign in to the Azure portal.

You have an Azure application gateway configured for a single website that is available at https://www.contoso.com.
The application gateway contains one backend pool and one rule. The backend pool contains two backend servers. Each backend server has an additional website that is available on port 8080.
You need to ensure that if port 8080 is unavailable on a backend server, all the traffic for https://www.contoso.com is redirected to the other backend server.
What should you do?

A. Create a health probe

B. Add a new rule

C. Change the port on the listener

D. Add a new listener

HOTSPOT
-
You have an Azure subscription that contain a storage account named st1 in the East US Azure region.
You have the virtual networks shown in the following table.
 
You have the subnets shown in the following table.
 
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
 

SIMULATION
-
 
Username and password
-
Use the following login credentials as needed:
To enter your username, place your cursor in the Sign in box and click on the username below.
To enter your password, place your cursor in the Enter password box and click on the password below.
Azure Username:
User-12345678@cloudslice.onmicrosoft.com
Azure Password: xxxxxxxxxx
-
If the Azure portal does not load successfully in the browser, press CTRL-K to reload the
portal in a new browser tab.
The following information is for technical support purposes only:
Lab Instance: 12345678
-
You plan to use VNET4 for an Azure API Management implementation.
You need to configure a policy that can be used by an Azure application gateway to protect against known web attack vectors. The policy must only allow requests that originate from IP addresses in Canada. You do NOT need to create the application gateway to complete this task.
To complete this task, sign in to the Azure portal.

HOTSPOT -
You need to connect an on-premises network and an Azure environment. The solution must use ExpressRoute and support failing over to a Site-to-Site VPN connection if there is an ExpressRoute failure.
What should you configure? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
 

HOTSPOT
-
You have an on-premises datacenter.
You have an Azure subscription that contains 10 virtual machines and a virtual network named VNet1 in the East US Azure region. The virtual machines are connected to VNet1 and replicate across three availability zones.
You need to connect the datacenter to VNet1 by using ExpressRoute. The solution must meet the following requirements:
•	Maintain connectivity to the virtual machines if two availability zones fail.
•	Support 1000-Mbps connections.
•	Minimize costs.
What should you include in the solution? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
 

HOTSPOT -
You have an Azure firewall shown in the following exhibit.
 
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
NOTE: Each correct selection is worth one point.
Hot Area:
 

You have an on-premises network named Site1.
You have an Azure subscription that contains a virtual network named VNet1 and a storage account named storage1.
Site1 and VNet1 are connected by using a Site-to-Site (S2S) VPN.
You need to ensure that the servers in Site1 can connect to storage1 by using the S2S VPN. The solution must minimize administrative effort.
What should you create on VNet1?

A. an Azure application gateway

B. an Azure Private Link service

C. a service endpoint

D. a private endpoint

SIMULATION
-
 
Username and password
-
Use the following login credentials as needed:
To enter your username, place your cursor in the Sign in box and click on the username below.
To enter your password, place your cursor in the Enter password box and click on the password below.
Azure Username:
User-12345678@cloudslice.onmicrosoft.com
Azure Password: xxxxxxxxxx
-
If the Azure portal does not load successfully in the browser, press CTRL-K to reload the
portal in a new browser tab.
The following information is for technical support purposes only:
Lab Instance: 12345678
-
You need to ensure that subnet 4-3 can accommodate 507 hosts.
To complete this task, sign in to the Azure portal.

You have an Azure subscription that contains the following resources:
✑ A virtual network named Vnet1
✑ Two subnets named subnet1 and AzureFirewallSubnet
✑ A public Azure Firewall named FW1
✑ A route table named RT1 that is associated to Subnet1
✑ A rule routing of 0.0.0.0/0 to FW1 in RT1
After deploying 10 servers that run Windows Server to Subnet1, you discover that none of the virtual machines were activated.
You need to ensure that the virtual machines can be activated.
What should you do?

A. On FW1, create an outbound service tag rule for AzureCloud.

B. On FW1, create an outbound network rule that allows traffic to the Azure Key Management Service (KMS).

C. Deploy a NAT gateway.

D. To Subnet1, associate a network security group (NSG) that allows outbound access to port 1688.

Your on-premises network contains a DNS server named Server1.
You have an Azure subscription that contains the resources shown in the following table.
 
The on-premises network is connected to VNet1 by using a Site-to-Site (S2S) VPN.
You need to ensure that Server1 can resolve the DNS name of storage1. The solution must minimize costs and administrative effort.
What should you use?

A. Azure DNS Private Resolver

B. an Azure public DNS zone

C. an Azure Private DNS zone

D. an Azure virtual machine that hosts a DNS service

You have an Azure subscription that contains a virtual network named VNet1. VNet1 contains the following subnets:
•	AzureFirewallSubnet
•	GatewaySubnet
•	Subnet1
•	Subnet2
•	Subnet3
Subnet2 has a delegation to the Microsoft.Web/serverfarms service.
The subscription contains the resources shown in the following table.
 
You need to implement an Azure application gateway named AG1 that will be integrated with an Azure Web Application Firewall (WAF). AG1 will be used to publish VMSS1.
To which subnet should you connect AG1?

A. GatewaySubnet

B. AzureFirewallSubnet

C. Subnet2

D. Subnet1

E. Subnet3

You have an Azure Private Link service named PL1 that uses an Azure load balancer named LB1.
You need to ensure that PL1 can support a higher volume of outbound traffic.
What should you do?

A. Increase the number of frontend IP configurations for LB1.

B. Increase the number of NAT IP addresses assigned to PL1.

C. Deploy an Azure Application Gateway v2 instance to the source NAT subnet.

D. Redeploy LB1 with a different SKU.

You have the Azure resources shown in the following table.
 
You configure storage1 to provide access to the subnet in Vnet1 by using a service endpoint.
You need to ensure that you can use the service endpoint to connect to the read-only endpoint of storage1 in the paired Azure region.
What should you do first?

A. Fail over storage1 to the paired Azure region.

B. Configure the firewall settings for storage1.

C. Create a virtual network in the paired Azure region.

D. Create another service endpoint.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription that contains an Azure Front Door Premium profile named AFD1 and an Azure Web Application Firewall (WAF) policy named WAF1. AFD1 is associated with WAF1.
You need to configure a rate limit for incoming requests to AFD1.
Solution: You add a rule to the rule set of AFD1.
Does this meet the goal?

A. Yes

B. No

You have a website that uses an FQDN of www.contoso.com. The DNS record for www. contoso.com resolves to an on-premises web server.
You plan to migrate the website to an Azure web app named Web1. The website on Web1 will be published by using an Azure Front Door instance named
ContosoFD1.
You build the website on Web1.
You plan to configure ContosoFD1 to publish the website for testing.
When you attempt to configure a custom domain for www.contoso.com on ContosoFD1, you receive the error message shown in the exhibit. (Click the Exhibit tab.)
 
You need to test the website and ContosoFD1 without affecting user access to the on-premises web server.
Which record should you create in the contoso.com DNS domain?

A. a CNAME record that maps afdverify.www.contoso.com to ContosoFD1.azurefd.net

B. a CNAME record that maps www.contoso.com to ContosoFD1.azurefd.net

C. a CNAME record that maps afdverify.www.contoso.com to afdverify.ContosoFD1.azurefd.net

D. a CNAME record that maps www.contoso.com to Web1.contoso.com

HOTSPOT -
You have an Azure subscription that contains a single virtual network and a virtual network gateway.
You need to ensure that administrators can use Point-to-Site (P2S) VPN connections to access resources in the virtual network. The connections must be authenticated by Azure Active Directory (Azure AD).
What should you configure? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
 

HOTSPOT -
You have the Azure environment shown in the exhibit.
 
You have virtual network peering between Vnet1 and Vnet2. You have virtual network peering between Vnet4 and Vnet5. The virtual network peering is configured as shown in the following table.
 
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Hot Area:
 

HOTSPOT
-
You have an Azure application gateway named AppGw1.
You need to create a rewrite rule for AppGw1. The solution must rewrite the URL of requests from https://www.contoso.com/fashion/shirts to https://www.contoso.com/buy.aspx?category=fashion&product=shirts.
How should you complete the rule? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
 

HOTSPOT -
You have an Azure Front Door instance that provides access to a web app. The web app uses a hostname of www.contoso.com.
You have the routing rules shown in the following table.
 
Which rule will apply to each incoming request? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point
Hot Area:
 

HOTSPOT
-
You have an Azure subscription that contains 10 virtual machines. The virtual machines are assigned private IP addresses. The subscription contains the resources shown in the following table.
 
You need to configure FWPolicy1 to meet the following requirements:
•	Allow incoming connections to the virtual machines from the internet on port 4567.
•	Block outbound connections from the virtual machines to an FQDN of *.fabrikam.com.
What should you configure in FWPolicy1? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
 

SIMULATION
-
 
Username and password
-
Use the following login credentials as needed:
To enter your username, place your cursor in the Sign in box and click on the username below.
To enter your password, place your cursor in the Enter password box and click on the password below.
Azure Username:
User-12345678@cloudslice.onmicrosoft.com
Azure Password: xxxxxxxxxx
-
If the Azure portal does not load successfully in the browser, press CTRL-K to reload the
portal in a new browser tab.
The following information is for technical support purposes only:
Lab Instance: 12345678
-
You plan to deploy 100 virtual machines to subnet-1. The virtual machines will NOT be assigned a public IP address. The virtual machines will call the same API which is hosted by a third party. The virtual machines will make more than 10,000 calls per minute to the API.
You need to minimize the risk of SNAT port exhaustion. The solution must minimize administrative effort.
To complete this task, sign in to the Azure portal.

HOTSPOT
-
You have an Azure subscription that contains the resources shown in the following table.
 
You need to restrict access to storage1 and sql1 by using service endpoints. The solution must meet the following requirements:
•	Allow access from Subnet1 to SQLDB1.
•	Implement service endpoint policies to restrict access to supported resources.
•	Allow access from Subnet1 to storage1 and the read-only replica of storage1 in the paired Azure region.
What is the minimum number of service endpoints and service endpoint policies you should create? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
 

HOTSPOT
-
You have an Azure subscription.
You plan to use Azure Virtual WAN.
You need to deploy a virtual WAN hub that meets the following requirements:
•	Supports 4 Gbps of Site-to-Site (S2S) VPN traffic
•	Supports 8 Gbps of ExpressRoute traffic
•	Minimizes costs
How many scale units should you configure? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
 

You have an Azure virtual network that contains the subnets shown in the following table.
 
You deploy an Azure firewall to AzureFirewallSubnet. You route all traffic from Subnet2 through the firewall.
You need to ensure that all the hosts on Subnet2 can access an external site located at https://*.contoso.com.
What should you do?

A. In a firewall policy, create a DNAT rule.

B. Create a network security group (NSG) and associate the NSG to Subnet2.

C. In a firewall policy, create a network rule.

D. In a firewall policy, create an application rule.

You have an Azure Web Application Firewall (WAF) policy in prevention mode that is associated to an Azure Front Door instance.
You need to configure the policy to meet the following requirements:
✑ Log all connections from Australia.
✑ Deny all connections from New Zealand.
✑ Deny all further connections from a network of 131.107.100.0/24 if there are more than 100 connections during one minute.
What is the minimum number of objects you should create?

A. three custom rules that each has one condition

B. one custom rule that has three conditions

C. one custom rule that has one condition

D. one rule that has two conditions and another rule that has one condition

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription that contains an Azure Front Door Premium profile named AFD1 and an Azure Web Application Firewall (WAF) policy named WAF1. AFD1 is associated with WAF1.
You need to configure a rate limit for incoming requests to AFD1.
Solution: You modify the policy settings of WAF1.
Does this meet the goal?

A. Yes

B. No