Microsoft AZ-720 Exam Practice Test Instant Access

Question 1

A company uses an Azure Virtual Network (VNet) gateway named VNetGW1. VNetGW1 connects to a partner site by using a site-to-site VPN connection with dynamic routing.

The company observes that the VPN disconnects from time to time.

You need to troubleshoot the cause for the disconnections.

What should you verify?

AThe partner's VPN device and VNetGW1 are configured using the same shared key.

BThe partner's VPN device is configured for one VPN tunnel per subnet pair.

CThe public IP address of the partner's VPN device is configured in the local network gateway address space on VNetGW1.

DThe partner's VPN device and VNetGW1 are configured with the same virtual network address space.

Answer : B

To troubleshoot the cause for the VPN disconnections between VNetGW1 and the partner site, you should verify that the partner's VPN device is configured for one VPN tunnel per subnet pair.

Question 2

A company uses an Azure Virtual Network (VNet) gateway named VNetGW1. VNetGW1 connects to a partner site by using a site-to-site VPN connection with dynamic routing.

The company observes that the VPN disconnects from time to time.

You need to troubleshoot the cause for the disconnections.

What should you verify?

AThe partner's VPN device and VNetGW1 are configured using the same shared key.

BVNetGW1 has exceeded the subnet Security Association pairs.

CThe partner's VPN device and VNetGW1 are configured with the same virtual network address space.

DThe public IP address of the partner's VPN device is configured in the local network gateway address space on VNetGW1.

Answer : A

To troubleshoot the cause for the VPN disconnections between VNetGW1 and the partner site, you should verify that the partner's VPN device and VNetGW1 are configured using the same shared key.

Question 3

You need to resolve the issue repotted by Admin2.

What should you do?

AAdd a rule to N5G2 that allows outbound traffic to the internet over port 80.

BDisassociate NSG2 from Subnet12.

CConfigure a second network interface on VM4.

DDisassociate NSG5 from NIC4.

Answer : D

To resolve the issue reported by Admin2, you need to disassociate NSG5 from NIC4, which is the network interface of VM4. NSG5 is a network security group that has an inbound security rule that denies traffic from ASG2 to ASG5 over port 80. This rule prevents Admin2 from connecting to the web server public IP address on VM4 from VM2, as VM2 is in ASG2 and VM4 is in ASG5. By disassociating NSG5 from NIC4, you can remove the rule that blocks the traffic and allow Admin2 to access the web server on VM4. Alternatively, you could also modify or remove the rule in NSG5, but disassociating NSG5 from NIC4 is simpler and more effective.

Question 4

You need to resolve the issue with internet traffic from VM1 being routed directly to the internet.

What should you do?

AModify IP address prefix of RT12

BAssociate RT12 with Subnet1a.

CAssociate RT12 with Subnet2a.

DModify the next hop type of RT12.

Answer : B

This will ensure that the route table RT12, which has a route to direct internet traffic to the virtual network gateway VNG1, is applied to the subnet where VM1 is located. This will override the default route that sends internet traffic to the internet gateway.

Question 5

A company has an Azure tenant. The company deploys an Azure firewall named FW1 to control access from an on-premises datacenter to an Azure virtual machine named VM1.

The company troubleshoots ICMP connectivity from the on-premises datacenter to VM1. You are unable to ping VM1 from an on-premises server.

You need to determine if ICMP connectivity to VM1 is allow on FW1.

What should you do?

AUse the ping command targeting the IP address of VM1 and review the Infrastructure rules log of FW1.

BUse the ping command targeting the IP address of VM1 and review the command's response.

CUse the ping command targeting the IP address of VM1 and review the Network rules log of FW1.

DUse the ping command targeting the fully qualified domain name of VM1 and review the command's response.

Answer : C

According to Microsoft, the ICMP protocol is not permitted through the Azure load balancer. To test connectivity, Microsoft recommends that you do a port ping.While Ping.exe uses ICMP, you can use other tools, such as PSPing, Nmap, and telnet, to test connectivity to a specific TCP port1.

Question 6

You need to troubleshoot the CosmosDB1 issues from the on-premises environment. What should you use?

Aroute command

BNetwork Watcher next hop diagnostic tool

CNetwork Watcher Connection troubleshoot diagnostic tool

Dnslookup command

Answer : C

This tool helps you troubleshoot network connectivity issues from a virtual machine to a given endpoint.It tests for reachability from the virtual machine to the endpoint and provides information about why a connection fails1. In this case, you can use this tool to troubleshoot the connectivity issues from the on-premises environment to CosmosDB1.

Question 7

A company enables just-in-time (JIT) virtual machine (VM) access in Azure.

An administrator observes a list of VMs on the Unsupported tab of the JIT VM access page in the Microsoft Defender for Cloud portal.

You need to determine why some VMs are not supported for JIT VM access.

What should you conclude?

AThe administrator is using the Microsoft Defender for Cloud free tier.

BThe VMs were provisioned by using a classic deployment.

CThe VMs were recently provisioned by using an Azure Resource Manager deployment.

DThe administrator does not have the SecurityReader role.

Answer : B

The Unsupported tab on the Just-in-Time VM access page in the Microsoft Defender for Cloud portal indicates that the VMs were provisioned by using a classic deployment Classic deployments were used in Azure before the deployment model was updated to Azure Resource Manager, which is now the preferred model for deploying and managing resources in Azure.

Microsoft Troubleshooting Microsoft Azure Connectivity AZ-720 Exam Practice Test