- (Exam Topic 6)
You deploy an Azure Kubernetes Service (AKS) cluster named Cluster1 that uses the IP addresses shown in the following table.

You need to provide internet users with access to the applications that run in Cluster1. Which IP address should you include in the DNS record for Ousted?

1. A. 172.17.7.1
2. B. 131.107.2.1
3. C. 192.168.10.2
4. D. 10.0.10.11

Correct Answer: B
When any internet user will try to access the cluster which is behind a load balancer, traffic will first hit to load balancer front end IP. So in the DNS configuration you have to provide the IP address of the load balancer.
Reference:
https://stackoverflow.com/questions/43660490/giving-a-dns-name-to-azure-load-balancer

- (Exam Topic 5)
You have an Azure virtual network named VNet1 that contains a subnet named Subnet1. Subnet1 contains three Azure virtual machines. Each virtual machine has a public IP address.
The virtual machines host several applications that are accessible over port 443 to user on the Internet. Your on-premises network has a site-to-site VPN connection to VNet1.
You discover that the virtual machines can be accessed by using the Remote Desktop Protocol (RDP) from the Internet and from the on-premises network.
You need to prevent RDP access to the virtual machines from the Internet, unless the RDP connection is established from the on-premises network. The solution must ensure that all the applications can still be accesses by the Internet users.
What should you do?

1. A. Modify the address space of the local network gateway.
2. B. Remove the public IP addresses from the virtual machines.
3. C. Modify the address space of Subnet1.
4. D. Create a deny rule in a network security group (NSG) that is linked to Subnet1.

Correct Answer: D
You can filter network traffic to and from Azure resources in an Azure virtual network with a network security group. A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources.
You can use a site-to-site VPN to connect your on-premises network to an Azure virtual network. Users on your on-premises network connect by using the RDP or SSH protocol over the site-to-site VPN connection. You don't have to allow direct RDP or SSH access over the internet. And this can be achieved by configuring a deny rule in a network security group (NSG) that is linked to Subnet1 for RDP / SSH protocol coming from internet.
Modify the address space of Subnet1 : Incorrect choice
Modifying the address space of Subnet1 will have no impact on RDP traffic flow to the virtual network. Modify the address space of the local network gateway : Incorrect choice
Modifying the address space of the local network gateway will have no impact on RDP traffic flow to the virtual network.
Remove the public IP addresses from the virtual machines : Incorrect choice
If you remove the public IP addresses from the virtual machines, none of the applications be accessible publicly by the Internet users.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/security-overview https://docs.microsoft.com/en-us/azure/security/fundamentals/network-best-practices

- (Exam Topic 5)
You have an Azure subscription that contains the resources in the following table.

Store1 contains a Tile share named data. Data contains 5,000 files.
You need to synchronize the files in the file share named data to an on-premises server named Server1. Which three actions should you perform? Each correct answer presents part of the solution.

1. A. Download an automation script.
2. B. Create a container instance.
3. C. Create a sync group.
4. D. Register Server1.
5. E. Install the Azure File Sync agent on Server1.

Correct Answer: CDE
Step 1 (E): Install the Azure File Sync agent on Server1
The Azure File Sync agent is a downloadable package that enables Windows Server to be synced with an Azure file share
Step 2 (D): Register Server1.
Register Windows Server with Storage Sync Service
Registering your Windows Server with a Storage Sync Service establishes a trust relationship between your server (or cluster) and the Storage Sync Service.
Step 3 (C): Create a sync group and a cloud endpoint.
A sync group defines the sync topology for a set of files. Endpoints within a sync group are kept in sync with each other. A sync group must contain one cloud endpoint, which represents an Azure file share and one or more server endpoints. A server endpoint represents a path on registered server.
References: https://docs.microsoft.com/en-us/azure/storage/files/storage-sync-files-deployment-guide

- (Exam Topic 6)
Your VMware vSphere on-premises infrastructure hosts 600 virtual machines (VMs).
Your company is planning to move all of these VMs to Azure. You are asked to provide information about the resources that will be needed in Azure to host all of the VMs.
All VMs hosted in your on-premise infrastructure are based on Windows Server 2012 R2 or newer and RedHat Enterprise Linux 7.0 or newer.
You conduct the initial migration assessment and get a message that some virtual machines are conditionally ready for Azure.
You need to find the cause of this message.
What are two reasons why are you might get this message on some VMs? (Choose two) Each correct answer presents part of the solution.

1. A. The vCenter user does not have enough permissions on affected VMs.
2. B. The operating system is configured as Windows Server 2003 in vCenter Server.
3. C. The operating system is configured as Others in vCenter Server.
4. D. The VMs are configured with the BIOS boot type.
5. E. The VMs are configured with the UEFI boot type.

Correct Answer: BE
To prepare for VMware VM assessment, you need to:
Verify VMware settings. Make sure that the vCenter Server and VMs you want to migrate meet requirements.
Set up permissions for assessment. Azure Migrate uses a vCenter account to access the vCenter Server, to discover and assess VMs.
Verify appliance requirements. Verify deployment requirements for the Azure Migrate appliance, before you deploy it in the next tutorial.
Reference:
https://docs.microsoft.com/en-us/azure/migrate/tutorial-prepare-vmware

- (Exam Topic 4)
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription that contains the following resources:
A virtual network that has a subnet named Subnet1
Two network security groups (NSGs) named NSG-VM1 and NSG-Subnet1
A virtual machine named VM1 that has the required Windows Server configurations to allow Remote Desktop connections
NSG-Subnet1 has the default inbound security rules only.
NSG-VM1 has the default inbound security rules and the following custom inbound security rule:
Priority: 100
Source: Any
Source port range: *
Destination: *
Destination port range: 3389
Protocol: UDP
Action: Allow
VM1 connects to Subnet1. NSG1-VM1 is associated to the network interface of VM1. NSG-Subnet1 is associated to Subnet1.
You need to be able to establish Remote Desktop connections from the internet to VM1.
Solution: You add an inbound security rule to NSG-Subnet1 and NSG-VM1 that allows connections from the internet source to the VirtualNetwork destination for port range 3389 and uses the TCP protocol.
Does this meet the goal?

1. A. Yes
2. B. No

Correct Answer: A
The default port for RDP is TCP port 3389. A rule to permit RDP traffic must be created automatically when you create your VM.
Note on NSG-Subnet1: Azure routes network traffic between all subnets in a virtual network, by default. References:
https://docs.microsoft.com/en-us/azure/virtual-machines/troubleshooting/troubleshoot-rdp-connection