Troubleshooting Microsoft Azure Connectivity v1.0 (AZ-720)

Page:    1 / 5   
Total 77 questions

A company implements self-service password reset (SSPR).
After a firewall upgrade at the company's datacenter, SSPR stops working.
You need to resolve the issue.
Which two URLs must be present on the firewalls to allow SSPR to connect? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

  • A. *.update.microsoft.com
  • B. *.servicebus.windows.net
  • C. *.passwordreset.microsoftonline.com
  • D. *.svc.ms
  • E. *.adl.windows.com


Answer : BC

A company has an Azure Active Directory (Azure AD) tenant. The company deploys Azure AD Connect to synchronize objects from their Active Directory Domain Services (AD DS) domain.
You observe that AD DS objects are not synchronizing to Azure AD.
You need to verify that the staging mode is enabled.
What should you do?

  • A. Review the history for the Azure AD Connect sync scheduled task.
  • B. Review the triggers for the Azure AD Connect sync scheduled task.
  • C. Run this PowerShell cmdlet: Get-ADSyncScheduler
  • D. Run this PowerShell cmdlet: Get-ADSyncConnectorRunStatus


Answer : C

A company has two virtual networks (VNets) that reside in the same Azure region.

An administrator reports that virtual machines (VMs) in each VNet are unable to connect to VMs in the other VNet.

You need to configure a connection between the two networks that maximizes throughput and minimizes latency.

What should you do?

  • A. Create a point-to-site VPN connection.
  • B. Configure a VPN gateway.
  • C. Create a site-to-site VPN connection.
  • D. Configure virtual network peering.


Answer : D

HOTSPOT -

Case study -
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other questions in this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.


Background -
Contoso, Ltd. is a financial services company based in Boston, MA, United States. Contoso hires you to manage their Azure environment and resolve several operational issues.

Current environment -

General -
Contoso's Azure environment contains the following resources. All resources are associated with the same subscription and are located in the East US region:

VPN users use Windows 10 computers with the built-in SSTP VPN client software.

Recent changes -
• You extend the IP address space of VNet1 and create subnets in the new IP address space.
• You allow users with computers that run the current version of macOS to use the built-in VPN client for connecting to the point-to-site VPN.
• You enable a service endpoint on contosostorage1 to provide direct access to the storage content from all subnets in VNet1.
• You configure all business critical VM workloads to use encryption keys stored in all five key vaults.
• You enable a private endpoint on CosmosDB1 to provide direct access to its content from VNet1.
• Contoso's data engineering team was recently tasked with using contosostorage1 blob storage to store database backups.
• You develop an automated process to deploy Azure VMs by using Azure Bicep. The passwords for the local administrator accounts are stored in the key vaults. You grant the team that initiates the deployment the Reader RBAC role to all key vaults.
• You deploy a multi-tier SharePoint Server environment into a subnet in VNet2. You implement network security groups (NSGs) to allow only specific ports between tiers in the subnet. You configure NSGs to use application security groups (ASGs) when designating the source and destination of cross-tier traffic.
• You deploy a secondary multi-tier SharePoint Server environment into a subnet in VNet3.
You create the following resources:


Issues -

DNS issues -

Reverse DNS lookup -
• Reverse DNS lookups from VNet1 return two records. One DNS record is in the format [vmname].contoso.com and the other DNS record is in the format [vmname].internal.cloudapp.net.
• Reverse DNS lookups from VNet2 and VNet3 return DNS names in the format [vmname].internal.cloudapp.net.
• VMs on each virtual network can only resolve reverse DNS lookup names of VMs on the same virtual network.

Public DNS lookup -
You are notified that name resolution requests for www.contoso.com are using the DNS zone hosted by the DNS registrar where the zone was originally created.

Connectivity and routing issues -

Windows VPN -
Windows VPN clients cannot connect to Azure VMs on the subnets recently added to VNet1.

Sales department VPN -
The sales department users cannot connect by using the macOS VPN client.

Azure Storage connectivity -
• Server Message Block (SMB) mounts from VMs on VNet2 and VNet3 to file shares in contosostorage1 are failing.
• Azure Storage Explorer connections using access keys from on-premises computers to contosostorage1 are failing.

Cosmos DB connectivity -
You observe that connections to CosmosDB1 from the on-premises environment are using the CosmosDB1 public endpoint. However, connections to CosmosDB1 from the on-premises environment should be using the private endpoint. You verify that connections to CosmosDB1 from VNet1 are using the private endpoint.

VM1 routing -
Internet traffic from VM1 is routed directly to the Internet.

VM2 routing -
After configuring RT12 to route internet traffic from VM1 through VM2, traffic reaches VM2 but is then dropped. You verify that routing for VM2 is configured correctly.

Azure and SharePoint issues -

Azure Key Vault -
Access attempts to Azure Key Vault by VM workloads intermittently fail with the HTTP response code 429.

SharePoint in VNet2 -
SharePoint traffic between tiers is blocked by NSGs, which causes application failures.

SharePoint in VNet3 -
ASGs used in the NSG rules associated with the VNet2 subnet are not visible when configuring NSG rules in VNet3.

Permission issues -

Data engineering team -
The Contoso data engineering team is unable to view the contosostorage1 account in the Azure portal.

Azure VM deployment -
Azure VM deployments that use Azure Bicep are failing with an authorization error. The error indicates there are insufficient access permissions to retrieve the password of the local administrator account in the key vault.

Requirements -

DNS requirements -

Reverse DNS lookup -
You must identify the reason for the differences between reverse DNS lookup results in the hub and the spoke networks and recommend a solution that provides the reverse DNS lookup in the format [vmname].contoso.com for all three virtual networks.

Public DNS lookup -
You must verify that the Azure public DNS zone is currently used to resolve DNS name requests for www.contoso.com and recommend a solution that uses the Azure public DNS zone.

Connectivity and routing requirements -

Windows VPN -
You must verify if VPN client connectivity issues are related to routing and recommend a solution.

macOS VPN -
You must verify if the Remote ID and Local ID VPN client settings on the macOS devices are properly configured.

Azure Storage connectivity -
You must resolve the issues with the SMB mounts from VNet2 and VNet3 as well as ensure that on-premises connections to contosostorage1 are successful. Your solution must ensure that, whenever possible, network traffic does not traverse the public internet.

Cosmos DB connectivity -
You must verify if on-premises connections to CosmosDB1 are using the CosmosDB1 public endpoint. You need to recommend a solution if connections are not using private endpoints.

VM1 routing -
RT12 must be configured to route internet traffic from VM1 through VM2.

VM2 routing -
VM2 must be configured to route internet traffic from VM1.

Azure and SharePoint requirements -

Azure Key Vault -
You must identify the reason for the failures and recommend a solution.

SharePoint in VNet2 -
You need to identify the NSG rules that are blocking traffic. You also need to collect the data that is blocked by the NSG rules. The solution must minimize administrative effort.

SharePoint in VNet3 -
You need to create NSG rules for VNet3 with the same name, source, and destination settings that are configured for the NSG associated with VNet2. The solution must minimize administrative effort.

Permission requirements -

Azure Bicep -
You must identify the minimum privileges required to provision Azure VMs using Azure Bicep.

Data engineering team -
You must identify the role-based access control (RBAC) roles required by the data engineering team to access the storage account by using the Azure portal. They also require permission to back up and restore blobs in contosostorage1.

You need to troubleshoot the issues with the SharePoint workload in VNet2.
What should you do? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.



Answer :

HOTSPOT -
A company deploys a new application and places the application behind an Azure Application Gateway Web Application Firewall (WAF).
A user with the client IP 203.0.113.26 reports that they cannot access the application.
You need to troubleshoot the issue.
How should you complete the query? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.



Answer :

HOTSPOT -
A company deploys Azure Traffic Manager load balancing for an Azure App Service solution.
Load balancing performance is showing a degraded status after deployment, and new HTTPS probes are failing to reach the Traffic Manager endpoints.
You need to troubleshoot the probe failure.
How should you complete the PowerShell script? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.



Answer :

A company has an Azure tenant. The company deploys an Azure Firewall named FW1 using the Standard SKU. You configure FW1 using classic firewall rules.
The company creates an application rule collection with the following settings:
• Priority: 100
• Action: Deny
• Rule type: FQDN
• Source type: IP address
• Source: *
• Protocol: http:80,https:443
• Target FQDN: *.cloud.contoso.com
An engineer observes that traffic to console.cloud.contoso.com is still allowed by FW1.
You need to determine why the traffic is allowed.
What should you review?

  • A. Network rules
  • B. Application rules
  • C. Infrastructure rules
  • D. Web categories


Answer : A

HOTSPOT -
A company implements Azure Firewall and deploys an Azure Firewall policy.
The policy includes multiple application and network rules for the company's infrastructure. After deployment, an application is not accessible from on-premises computers.
You need to enable diagnostic logging for the following settings:
• AzureFirewallApplicationRule
• AzureFirewallNetworkRule
• AzureFirewallDnsProxy
How should you complete the PowerShell cmdlet? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.



Answer :

HOTSPOT -
A company uses an Azure blob container.
The IT department has a service-level agreement (SLA) that states the average request latency cannot exceed 20 milliseconds.
You need to implement a log analytics query to generate the SLA report.
How should you complete the query? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.



Answer :

A company deploys the Azure Application Gateway Web Application Firewall (WAF) to protect their web applications.
Users in a remote office location report the following issues:
• Unable to access part of a web application.
• Part of the web application is failing to load.
• Parts of the web application have activities that are not performing as expected.
You need to troubleshoot the issue.
Which diagnostic log should you review?

  • A. Azure Activity
  • B. Access
  • C. Performance
  • D. Firewall


Answer : B

A company has an ExpressRoute gateway between their on-premises site and Azure. The ExpressRoute gateway is on a virtual network named VNet1. The company enables FastPath on the gateway. You associate a network security group (NSG) with all of the subnets.
Users report issues connecting to VM1 from the on-premises environment. VM1 is on a virtual network named VNet2. Virtual network peering is enabled between VNet1 and VNet2.
You create a flow log named FlowLog1 and enable it on the NSG associated with the gateway subnet.
You discover that FlowLog1 is not reporting outbound flow traffic.
You need to resolve the issue with FlowLog1.
What should you do?

  • A. Enable the public endpoint for the FlowLog1 storage account.
  • B. Configure the FlowTimeoutInMinutes property on VNet1 to a non-null value.
  • C. Enable FlowLog1 in a network security group associated with the network interface of VM1.
  • D. Configure the FlowTimeoutInMinutes property on VNet2 to a non-null value.


Answer : C

A company has virtual machines (VMs) in the following Azure regions:
• West Central US
• Australia East
The company uses ExpressRoute private peering to provide connectivity between VMs hosted in each region and on-premises services.
The company implements global VNet peering between a VNet in each region. After configuring VNet peering, VM traffic attempts to use ExpressRoute private peering.
You need to ensure that traffic uses global VNet peering instead of ExpressRoute private peering. The solution must preserve existing on-premises connectivity to Azure VNets.
What should you do?

  • A. Add a user-defined route to the subnet's route table.
  • B. Add a filter to the on-premises routers.
  • C. Disable the ExpressRoute peering connections for one of the regions.
  • D. Add a second VNet to the virtual machines and configure VNet peering between the VNets.


Answer : A

A company uses Azure virtual machines (VMs) in multiple regions. The VMs have the following configuration:

The backend pool of an internal Azure Load Balancer (ILB) named ILB1 contains VM1 and VM2. The ILB uses the Basic SKU and is in a resource group named RG2.
Virtual network peering has been configured between VNet1 and VNet2.
Users report that they are unable to connect to resources on VM1 and VM2 by using ILB1 from VM3.
You need to resolve the connectivity issues.
What should you do?

  • A. Move ILB1 to RG1.
  • B. Redeploy the ILB using the Standard SKU.
  • C. Redeploy VM1 and VM2 into availability zones.
  • D. Move VM1 and VM2 into RG3.


Answer : A

DRAG DROP -
A customer has an Azure subscription. Microsoft Defender for Servers is enabled for the subscription. The customer has not configured network security groups.
The customer configures a resource group named RG1 that contains the following resources:
• A virtual machine named VM1.
• A network interface named NIC1 that is attached to VM1.
The customer grants a user named Admin1 the following permission for RG1: Microsoft.Security/locations/jitNetworkAccessPolicies/write.
Admin1 reports that the JIT VM access pane in the Azure portal does not show any entries. When you view the same pane, VM1 appears on the Unsupported tab.
You need to ensure that Admin1 can enable just-in-time (JIT) VM access for VM1. The solution must adhere to the principle of least privilege.
Which three actions should you recommend be performed in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.



Answer :

A company has a virtual machine (VM) named VM1 in a virtual network. The company also uses Azure Firewall Standard.

An administrator creates application rules to filter outbound traffic from VM1 and configures fully qualified domain names (FQDNs) on the application rules.

The administrator discovers that outbound traffic from VM1 to the FQDNs is not being filtered by the firewall.

You need to resolve the issue with filtering.

What should you do first?

  • A. Create a CNAME type DNS record that references the firewall.
  • B. Upgrade to the Azure Firewall Premium SKU.
  • C. Configure the firewall for a negative cache.
  • D. Configure VM1 to use Azure Firewall as its DNS server.


Answer : D
