Correct Answer:

Correct Answer:

Box 1: 3 Subnets

*

One subnet for the three VMs

Virtual network and subnets

A subnet is a range of IP addresses in the virtual network. You can divide a virtual network into multiple subnets for organization and security. Each NIC in a VM is connected to one subnet in one virtual network. NICs connected to subnets

(same or different) within a virtual network can communicate with each other without any extra configuration.

*

One gateway subnet for the incoming VPN connection.

About the gateway subnet

The virtual network gateway uses specific subnet called the gateway subnet. The gateway subnet is part of the virtual network IP address range that you specify when configuring your virtual network. It contains the IP addresses that the

virtual network gateway resources and services use. The subnet must be named 'GatewaySubnet' in order for Azure to deploy the gateway resources.

*

One subnet for the two container groups

To deploy to a new virtual network and have Azure create the network resources for you automatically, specify the following when you execute az container create:

Virtual network name

Virtual network address prefix in CIDR format

Subnet name

Subnet address prefix in CIDR format

Once you've deployed your first container group with this method, you can deploy to the same subnet by specifying the virtual network and subnet names, or the network profile that Azure automatically creates for you. Because Azure

delegates the subnet to Azure Container Instances, you can deploy only container groups to the subnet.

Note:

Contoso has the following virtual network requirements:

Create a virtual network named Vnet6 in West US that will contain the following resources and configurations:

Two container groups that connect to Vnet6

Three virtual machines that connect to Vnet6

Allow VPN connections to be established to Vnet6

Allow the resources in Vnet6 to access KeyVault1, DB1, and Vnet1 over the Microsoft backbone network.

Box 2: 2

*

One Service Endpoint for the Azure KeyVault KeyVault1.

The virtual network service endpoints for Azure Key Vault allow you to restrict access to a specified virtual network.

*

One Service Endpoint for the Azure SQL Database DB1.

Service endpoints are a networking feature in Azure designed to help you better identify traffic coming into your Azure SQL Database as originating from one or more of your VNets.

Note: Service endpoints are a networking feature in Azure designed to help you better identify traffic coming into your Azure SQL Database as originating from one or more of your VNets.

Service endpoints are available for the following Azure services and regions.

Azure SQL Database

Azure Key Vault

Etc.

Reference: https://learn.microsoft.com/en-us/azure/virtual-network/network-overview

https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-create-site-to-site-rm-powershell

https://learn.microsoft.com/en-us/azure/container-instances/container-instances-vnet

https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview

https://learn.microsoft.com/en-us/azure/key-vault/general/overview-vnet-service-endpoints

Correct Answer: B

Correct Answer: B

Correct Answer: A

As an administrator, you can lock an Azure subscription, resource group, or resource to protect them from accidental user deletions and modifications. The lock overrides any user permissions.

Unlike role-based access control (RBAC), you use management locks to apply a restriction across all users and roles.

Who can create or delete locks

To create or delete management locks, you need access to Microsoft.Authorization/* or Microsoft.Authorization/locks/* actions. Only the Owner and the User Access Administrator built-in roles can create and delete management locks. You

can create a custom role with the required permissions.

Note: Azure Network Watcher provides tools to monitor, diagnose, view metrics, and enable or disable logs for resources in an Azure virtual network. Network Watcher is designed to monitor and repair the network health of IaaS

(Infrastructure-as-a-Service) products including Virtual Machines (VM), Virtual Networks, Application Gateways, Load balancers, etc.

Reference: https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources

Correct Answer: A

One SKU Premium required.

Azure ExpressRoute offers three different circuit SKUs, known as Local, Standard, and Premium, which provide varying degrees of connectivity scope.

Standard: a Standard SKU ExpressRoute circuit provides connectivity to resources in all Azure regions in a geopolitical area. Under this scenario, the on-premises network in London can connect to resources and access Azure's cloud

services hosted in regions such as West Europe (Amsterdam, Netherlands) and France Central (Paris, France) through ExpressRoute

Premium: a Premium SKU ExpressRoute circuit facilitates connectivity to resources and cloud services globally across all Azure regions. Specifically, this global connectivity is delivered over the Microsoft core network. In this case, the on-

premises network in London can link a virtual network created in West Europe (Amsterdam, Netherlands) to an Azure ExpressRoute circuit created in Japan East (Tokyo, Japan)

Reference: https://dgtlinfra.com/azure-expressroute-benefits-pricing-providers-locations/

Correct Answer: B

Correct Answer(s):

Add a public IP address - A single NAT gateway resource supports from 64,000 up to 1 million concurrent flows. Each IP address provides 64,000 SNAT ports to the available inventory. You can use up to 16 IP addresses per NAT gateway

resource.

Frequently the root cause of SNAT exhaustion is an anti-pattern for how outbound connectivity is established, managed, or configurable timers changed from their default values.

Steps

1.

Check if you have modified the default idle timeout to a value higher than 4 minutes.

2.

Investigate how your application is creating outbound connectivity (for example, code review or packet capture).

3.

Determine if this activity is expected behavior or whether the application is misbehaving. Use metrics in Azure Monitor to substantiate your findings. Use "Failed" category for SNAT Connections metric.

4.

Evaluate if appropriate patterns are followed.

5.

Evaluate if SNAT port exhaustion should be mitigated with additional IP addresses assigned to NAT gateway resource.

https://docs.microsoft.com/en-us/azure/virtual-network/nat-gateway/troubleshoot-nat#snat-exhaustion

Wrong Answers:

Bind the NAT gateway to another subnet Not a valid solution to mitigate the issue.

Deploy Azure Standard Load Balancer that has outbound rules This replaces the need for outbound rules for backend pool outbound SNAT.

Correct Answer: A

Correct Answer(s):

Network Virtual Appliance (NVA) - Azure Virtual WAN supports connections from networking partners, such as VMware SD-WAN. These types of devices are known as network virtual appliances (NVAs).

Wrong Answers:

Point-to-site VPN Gateway - A point-to-site VPN Gateway supports connections from individual computers.

Local network gateway - A local network gateway represents the on-premises network.

Correct Answer: BF

Virtual network peering is a non-transitive relationship between two virtual networks. You can configure spokes to use the hub gateway to communicate with remote networks. To allow gateway traffic to flow from spoke to hub and connect to

remote networks, you must:

Configure the peering connection in the hub to allow gateway transit.

Configure the peering connection in each spoke to use remote gateways.

Configure all peering connections to allow forwarded traffic.

Below is the sample code.

# Peer hub to spoke

Add-AzVirtualNetworkPeering -Name HubtoSpoke -VirtualNetwork $VNetHub -RemoteVirtualNetworkId $VNetSpoke.Id -AllowGatewayTransit

# Peer spoke to hub

Add-AzVirtualNetworkPeering -Name SpoketoHub -VirtualNetwork $VNetSpoke -RemoteVirtualNetworkId $VNetHub.Id -AllowForwardedTraffic UseRemoteGateways

https://docs.microsoft.com/en-us/azure/firewall/tutorial-hybrid-ps#peer-the-hub-and-spoke-virtual-networks https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/hub- spoke?tabs=cli#virtual-networkpeering

Wrong Answers:

Code Block1: -AllowForwardedTraffic and Code Block2: -AllowForwardedTraffic

Allow forwarded traffic is used if you require connectivity between spokes. You can create routes to forward traffic from the spoke to the firewall or network virtual appliance, which can then route to the second spoke.

Correct Answer: A

Peer virtual networks

Step 1: In the search box at the top of the Azure portal, look for VNet1. When VNET1 appears in the search results, select it.

Step 2: Under Settings, select Peerings, and then select + Add, as shown in the following picture:

Step 3: Enter or select the following information, accept the defaults for the remaining settings, and then select Add.

*

..

*

Virtual network

Select VNET2 for the name of the remote virtual network. The remote virtual network can be in the same region of VNET1 or in a different region.

Step 4: Click Add

In the Peerings page, the Peering status is Connected, as shown in the following picture:

Reference: https://learn.microsoft.com/en-us/azure/virtual-network/tutorial-connect-virtual-networks-portal