Microsoft AZ-720 Exam Practice Test Instant Access

Question 1

A company migrates an on-premises Windows virtual machine (VM) to Azure. An administrator enables backups for the VM by using the Azure portal.

The company reports that the Azure VM backup job is failing.

You need to troubleshoot the issue.

Solution: Enable replication and create a recovery plan for the backup vault.

Does the solution meet the goal?

AYes

BNo

Answer : B

Question 2

A company hosts a network virtual appliance (VNA) and Azure Route Server in different virtual networks (VNets). Border Gateway Protocol (BGP) peering is enabled between the NVA loses internet connectivity after it advertises the default route to the route server.

You need to resolve the problem with the NVA.

What should you do?

AConfigure a user-defined route on the NVA subnet.

BMove the route server to the same VNet as the NVA.

CConfigure a unique autonomous system number (ASN) on the NVA.

DConfigure a public IP address on the route server.

Answer : C

According to2, when using Azure Route Server with network virtual appliances (NVAs), you need to ensure that each NVA has a unique ASN that is different from the route server's ASN and any other BGP peer's ASN. Otherwise, there will be routing issues due to BGP loop prevention mechanisms.

You can configure the ASN on the NVA by using its own configuration tools or commands.For more information, see2.

Question 3

A company connects their on-premises network by using Azure VPN Gateway. The on-premises environment includes three VPN devices that separately tunnel to the gateway by using Border Gateway Protocol (BGP).

A new subnet should be unreachable from the on-premises network.

You need to implement a solution.

Solution: Scale the gateway to Generation2.

Does the solution meet the goal?

AYes

BNo

Answer : B

Scaling the gateway to Generation2 will not prevent the on-premises network from reaching the new subnet. Scaling the gateway changes the hardware configuration of the VPN gateway, but it does not affect the routing or connectivity between the on-premises network and the virtual network.

A better solution would be to create a network security group (NSG) and associate it with the new subnet. The NSG can be configured to deny traffic from the on-premises network to the new subnet. This way, the new subnet will be isolated from the on-premises network.

VPN Gateway Generation 2: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways#gwgen2

Question 4

A company deploys a new file sharing application on four Standard_D2_v3 virtual machines (VMs) behind an Azure Load Balancer. The company implements Azure Firewall.

Users report that the application is slow during peak usage periods. An engineer reports that the peak usage for each VM is approximately 1 Gbps.

You need to implement a solution that support a minimum of 10 Gbps.

What should you do to increase the throughput?

ARequest an increase in networking quotas.

BIncrease the size of the VM instance.

CDisable the Azure Firewall and implement network security groups in its place.

DMove two of the servers behind a separate load balancer and configure round robin routing in Traffic Manager.

Answer : B

To achieve this goal, the best option is to increase the size of the VM instance. The Standard_D2_v3 virtual machine size has a maximum network bandwidth of 1 Gbps, so increasing the size of the VM instance to a higher tier, such as Standard_D8_v3 or higher, will provide more network bandwidth and improve the application's performance.

Option A, requesting an increase in networking quotas, may not be sufficient to achieve the required network bandwidth.

Option C, disabling the Azure Firewall and implementing network security groups, may not have a significant impact on the network bandwidth.

Option D, moving two of the servers behind a separate load balancer and configuring round-robin routing in Traffic Manager, may improve availability and performance but will not increase the network bandwidth.

Source: [1]https://docs.microsoft.com/en-us/azure/virtual-machines/windows/sizes-general[2]https://docs.microsoft.com/en-us/azure/virtual-network/designing-hub-spoke-topologies#optimize-data-transfer-between-hub-and-spoke-vnets

Question 5

A customer has an Azure Virtual Network named VNet1 that contains an internal standard SKU load balancer named LB1. The backend pool for LB1 includes the following virtual machines: VM1, VM2.

The customer configures a rule named Rul1 to load balance incoming HTTPS requests for VM1 and VM2. Rule1 is associated with an HTTPS health probe. The path for the probe is set to /.

The network adapters of VM1 and VM2 are associated with a network security named NSG1 that contains the following rules:

You connect to https://VM1 and https://VM2 from VNet1. Attempts to connect using the front-end IP address of LB1 are failing.

You need to resolve the issue.

What should you do?

AChange the health probe associated with Rule1 to use HTTP.

BAdd an NSG1 rule with the source set to VirtualNetwork.

CChange the health probe associated with Rule1 to use TCP.

DAdd an NSG1 rule with the source set to AzureLoadBalancer.

Answer : D

According to Microsoft, Azure Load Balancer health probes originate from the IP address 168.63.129.16 and must not be blocked for probes to mark your instance as up.The AzureLoadBalancer service tag identifies this source IP address in your network security groups and permits health probe traffic by default1. https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-custom-probe-overview

Question 6

A company configures an Azure site-to-site VPN between an on-premises network and an Azure virtual network.

The company reports that after completing the configuration, the VPN connection cannot be established.

You need to troubleshoot the connection issue.

What should you do first?

AIdentify the shared key by running this PowerShell cmdlet: Get-AzVirtualNetworkGatewayConnectionSharedKey.

BIdentify the shared key by running this PowerShell cmdlet: Get-AzVirtualNetworkGatewayConnectionVpnDeviceConfigScript.

CVerify the AzureRoot.cer file exists.

DVerify the AzureClient.pfx file exists.

Answer : A

To troubleshoot the connection issue, you should do first identify the shared key by running this PowerShell cmdlet: Get-AzVirtualNetworkGatewayConnectionSharedKey.According to1, this cmdlet returns the shared key that is used for authentication between an Azure virtual network gateway and a local network gateway. You can use this cmdlet to verify that the shared key matches on both sides of the VPN connection.

Therefore, you should choose A. Identify the shared key by running this PowerShell cmdlet: Get-AzVirtualNetworkGatewayConnectionSharedKey.

Question 7

You need to resolve the VM2 routing issue.

What should you do?

AModify the IP configuration setting of the Azure network interface resource of VM1.

BAdd a network interface to VM1.

CAdd a network interface to VM2.

DModify the IP configuration setting of the Azure network interface resource of VM2.

Answer : D

To resolve the VM2 routing issue, you should modify the IP configuration setting of the Azure network interface resource of VM2. This will ensure that VM2 can communicate with other resources in the virtual network.

Troubleshooting connectivity problems between Azure VMs involves several steps such as checking whether NIC is misconfigured, whether network traffic is blocked by NSG or UDR, whether network traffic is blocked by VM firewall, whether VM app or service is listening on the port and whether the problem is caused by SNAT1.

Fabrikam Inc. runs an online reservation service that allows agents to manage online registrations for various hotels, vacation rentals, and customers.

The company has on-premises infrastructure and services that are hosted in Azure. The on-premises infrastructure includes servers that run Active Directory Domain Services (AD DS). Azure services include virtual machines (VMs) that are in one subscription and the following environments: development, testing, and production. Each environment is located in a different virtual network (VNet).

The company has a perimeter network that supports connections to the internet. The perimeter network is also hosted in a separate VNet All of the VNets are

connected by using virtual network peering.

The company's subscription contains the following Azure virtual machines (VMs):

The Web Server (IIS) role is installed on VM4 The operating system firewall for each VM allows inbound ping requests.

The company's subscription includes the following network security groups (NSGs):

NSG1, NSG2. NSG3, and NSG5 use the default inbound security rules. NSG4. NSG5. and NSG10 use the default outbound security rules. NSG4 has the following inbound security rule:

NSG10 has the following inbound security rules:

Network Policy Server (NPS) is installed on an on-premises server named SRV2. The NPS extension for Azure AD multi-factor authentication (MFA) is configured on the server as well.

The virtual network peering connections are in the following table.

You provision a virtual network gateway named VNetGW in the perimeter network. The virtual network gateway uses SKU VpnGw1 and the public IP address 16.4.4.4 The virtual network gateway will provide:

* Network routing to customer data centers using site-to-site VPN connections.

* Network routing to Azure for the scheduling agents and sales employees using a point-to-site VPN connection.

The company's site-to-site VPN connections with customers are shown in the following table.

The point-to-site VPN is configured as shown in the following table;

The company's user and group memberships are shown in the following table:

The scheduling agents, warehouse, and sales groups are members of the self-service password reset (SSPR) group named SSPR-group.

Azure AD Connect is installed on an on-premises server named SRV1. In addition;

* The server uses a pass-through authentication agent.

* The SSPR feature is enabled

* The SSPR feature is applied only to a group named SSPR-group

* The scheduling agents' internet connectivity must be blocked when connected to the point-to-site VPN.

* Sales employees must use the default VPN client on MacOS computers to connect to Azure.

* Azure AD Connect must synchronize all user accounts from AD DS to Azure AD.

* Pass-through authentication is required for all users.

* Azure AD multi-factor authentication (MFA) is requited for all users.

* All admin user accounts must be in an organizational unit (OU) named Admins.

Microsoft Troubleshooting Microsoft Azure Connectivity AZ-720 Exam Practice Test