- (Exam Topic 3)
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure application gateway that has Azure Web Application Firewall (WAF) enabled.
You configure the application gateway to direct traffic to the URL of the application gateway.
You attempt to access the URL and receive an HTTP 403 error. You view the diagnostics log and discover the following error.

You need to ensure that the URL is accessible through the application gateway.
Solution: You create a WAF policy exclusion request headers that contain 137.135.10.24. Does this meet the goat?

1. A. Yes
2. B. No

Correct Answer: B

- (Exam Topic 3)
Your company has an on-premises network and three Azure subscriptions named Subscription1, Subscription2, and Subscription3.
The departments at the company use the Azure subscriptions as shown in the following table.

All the resources in the subscriptions are in either the West US Azure region or the West US 2 Azure region. You plan to connect all the subscriptions to the on-premises network by using ExpressRoute.
What is the minimum number of ExpressRoute circuits required?

1. A. 1
2. B. 2
3. C. 3
4. D. 4
5. E. 5

Correct Answer: A
Reference:
https://docs.microsoft.com/en-us/azure/expressroute/expressroute-introduction

- (Exam Topic 3)
You have an Azure virtual network named Vnet1 that hosts an Azure firewall named FW1 and 150 virtual machines. Vnet1 is linked to a private DNS zone named contoso.com. All the virtual machines have their name registered in the contoso.com zone.
Vnet1 connects to an on-premises datacenter by using ExpressRoute.
You need to ensure that on-premises DNS servers can resolve the names in the contoso.com zone. Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

1. A. On the on-premises DNS servers, configure forwarders that point to the frontend IP address of FW1.
2. B. On the on-premises DNS servers, configure forwarders that point to the Azure provided DNS service at 168.63.129.16.
3. C. Modify the DNS server settings of Vnet1.
4. D. For FW1, enable DNS proxy.
5. E. For FW1, configure a custom DNS server.

Correct Answer: AD
Reference:
https://docs.microsoft.com/en-us/azure/private-link/private-endpoint-dns#on-premises-workloads-using-a-dns-fo https://azure.microsoft.com/en-gb/blog/new-enhanced-dns-features-in-azure-firewall-now-generally-available/

- (Exam Topic 3)
You have an Azure subscription that contains the following resources:
A virtual network named Vnet1
Two subnets named subnet1 and AzureFirewallSubnet
A public Azure Firewall named FW1
A route table named RT1 that is associated to Subnet1
A rule routing of 0.0.0.0/0 to FW1 in RT1
After deploying 10 servers that run Windows Server to Subnet1, you discover that none of the virtual machines were activated.
You need to ensure that the virtual machines can be activated. What should you do?

1. A. On FW1, create an outbound service tag rule for AzureCloud.
2. B. On FW1, create an outbound network rule that allows traffic to the Azure Key Management Service (KMS).
3. C. Deploy a NAT gateway.
4. D. To Subnetl, associate a network security group (NSG) that allows outbound access to port 1688.

Correct Answer: B
Reference:
https://ryanmangansitblog.com/2020/05/11/firewall-considerations-windows-virtual-desktop-wvd/