- (Topic 5)
You have two Azure virtual networks named VNet1 and VNet2. VNet1 contains an Azure virtual machine named VM1. VNet2 contains an Azure virtual machine named VM2.
VM1 hosts a frontend application that connects to VM2 to retrieve data.
Users report that the frontend application is slower than usual.
You need to view the average round-trip time (RTT) of the packets from VM1 to VM2. Which Azure Network Watcher feature should you use?

1. A. NSG flow logs
2. B. Connection troubleshoot
3. C. IP flow verify
4. D. Connection monitor

Correct Answer: D
https://learn.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview#monitoring
The connection monitor capability monitors communication at a regular interval and informs you of reachability, latency, and network topology changes between the VM and the endpoint.
Connection monitor also provides the minimum, average, and maximum latency observed over time. After learning the latency for a connection, you may find that you can decrease the latency by moving your Azure resources to different Azure regions.

HOTSPOT - (Topic 3)
You need to configure the Device settings to meet the technical requirements and the user requirements.
Which two settings should you modify? To answer, select the appropriate settings in the answer area.


Solution:


Box 1: Selected
Only selected users should be able to join devices
Box 2: Yes
Require Multi-Factor Auth to join devices.
From scenario:
✑ Ensure that only users who are part of a group named Pilot can join devices to Azure AD
✑ Ensure that when users join devices to Azure Active Directory (Azure AD), the users use a mobile phone to verify their identity.

Does this meet the goal?

1. A. Yes
2. B. No

Correct Answer: A

- (Topic 5)
You deploy Azure virtual machines to three Azure regions.
Each region contains a virtual network. Each virtual network contains multiple subnets peered in a full mesh topology.
Each subnet contains a network security group (NSG) that has defined rules.
A user reports that he cannot use port 33000 to connect from a virtual machine in one region to a virtual machine in another region.
Which two options can you use to diagnose the issue? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.

1. A. Azure Virtual Network Manager
2. B. IP flow verify
3. C. Azure Monitor Network Insights
4. D. Connection troubleshoot
5. E. elective security rules

Correct Answer: BD
https://learn.microsoft.com/en-us/azure/network-watcher/network-watcher-ip- flow-verify-overview
IP flow verify checks if a packet is allowed or denied to or from a virtual machine. The information consists of direction, protocol, local IP, remote IP, local port, and a remote port. If the packet is denied by a security group, the name of the rule that denied the packet is returned. While any source or destination IP can be chosen, IP flow verify helps administrators quickly diagnose connectivity issues from or to the internet and from or to the on-premises environment.

- (Topic 5)
You have two Azure virtual machines named VM1 and VM2 that run Windows Server. The virtual machines are in a subnet named Subnet1. Subnet1 is in a virtual network named VNet1. You need to prevent VM1 from accessing VM2 on port 3389.
What should you do?

1. A. Create a network security group (NSG) that has an outbound security rule to deny destination port 3389 and apply the NSG to the network interface of VM1.
2. B. Create a network security group (NSG) that has an inbound security rule to deny source port 3389 and apply the NSG to Subnet1.
3. C. Create a network security group (NSG) that has an outbound security rule to deny source port 3389 and apply the NSG to Subnet1.
4. D. Configure Azure Bastion in VNet1.

Correct Answer: A

HOTSPOT - (Topic 5)
You plan to deploy the following Azure Resource Manager (ARM) template.


For each of the following statements, select Yes . Otherwise, select No. NOTE: Each correct selection is worth one point.

Answer:

Solution:
✑ LB1 will be connected to a subnet named LB1 in VNET1. Yes, this is correct. The template specifies that the load balancer resource named LB1 has a property called frontendIPConfigurations, which defines the subnet where the load balancer is located. The value of this property is a reference to the resource ID of the subnet named LB1 in VNET1. You can see this reference in line 38 of the template1.
✑ LB1 can be deployed only to the resource group that contains VNET1. No, this is
not correct. The template does not specify a resource group for the load balancer resource, which means it can be deployed to any resource group in the same subscription as VNET1. However, if you want to deploy the load balancer to a specific resource group, you can add a property called resourceGroup to the reference of the subnet in line 382.
✑ The value of the sku variable can be provided as a parameter when the template is
deployed. No, this is not correct. The template defines the sku variable as a constant value of “Standard” in line 9. This means that the value cannot be changed or overridden by a parameter when the template is deployed. If you want to make the sku value configurable, you need to change the variable definition to a parameter definition, and use the parameter reference instead of the variable reference in line 363.

Does this meet the goal?

1. A. Yes
2. B. No

Correct Answer: A