Microsoft Certified: Azure Solutions Architect Expert Certification Questions and Answer (Dumps and Practice Questions)
Question : You have created a Virtual Network in Azure named QuickNet,
You design the virtual network to include two subnets, one named Quick1-subnet and one named Quick2-subnet.
Quick1-subnet : (Starting IP : 10.0.0.0, CIDR Address Count : /27(32) , Usable Address Range : 10.0.0.0-10.0.0.31)
Quick2-subnet : (Starting IP : 10.0.0.32, CIDR Address Count : /29(8) , Usable Address Range : 10.0.0.32-10.0.0.39)
identify the number of IP addresses that will be available for virtual machines (VMs) or cloud services in each subnet.
1. 3 for Quick1-subnet and 3 for Quick2-subnet
2. 3 for Quick1-subnet and 27 for Quick2-subnet
3. Access Mostly Uused Products by 50000+ Subscribers
4. 31 for Quick1-subnet and 3 for Quick2-subnet
5. 27 for Quick1-subnet and 3 for Quick2-subnet
Correct Answer : Get Lastest Questions and Answer :
Explanation: Quick2-subnet 32-39 = 7 (AZure reserve first 4 IPs) = 3 available IPs
Quick1-subnet 0-31 = 31 (AZure reserve first 4 IPs) = 27 available
Within each subnet, the first three IP addresses and the last IP address are reserved, and you cannot use them for VMs or cloud services. The smallest subnets that are supported use
a 29-bit subnet mask. VMs that are configured with IP addresses from one subnet can be moved to another subnet of the same virtual network and receive different IP configurations.
Question : You administer an Azure solution that uses a virtual network named QuickVNet. QuickVNet has a single subnet named QuickSubnet-.
You discover a high volume of network traffic among four virtual machines (VMs) that are part of QuickSubnet-1.
You need to isolate the network traffic among the four VMs. You want to achieve this goal with the least amount of downtime and impact on users.
What should you do?
1. Create a new subnet in the existing virtual network and move the four VMs to the new subnet.
2. Create a site-to-site virtual network and move the four VMs to your datacenter.
3. Access Mostly Uused Products by 50000+ Subscribers
4. Create an availability set and associate the four VMs with that availability set.
Correct Answer : Get Lastest Questions and Answer :
Explanation: You want to achieve this goal with the least amount of downtime and impact on users". That's why not B. And the cost of that wouldn't make sense. By moving
them to a separate subnet in the same VNet you *can* isolate them. I say *can* because you'd still have to configure the Windows firewall to block/allow traffic on the machines in
the new subnet.
Currently, Windows Azure provides routing across subnets within a single virtual network, but does not provide any type of network ACL capability with respect to internal DIP
addresses. So in order to restrict access to machines within a single virtual network, those machines must leverage Windows Firewall with Advanced Security"
Machine Isolation Options
There are three basic options to be discussed in this paper where machine isolation may be implemented on the Windows Azure platform:
Between machines deployed to a single virtual network
Between machines deployed to distinct virtual networks
Between machines deployed to distinct virtual networks where a VPN connection has been established from on-premises with both virtual networks
These options will be detailed in the sections that follow.
By default, Windows Server virtual machines created from the gallery will have two public endpoints, specifically RDP and Remote PowerShell connections. There will be no other
public endpoints except additional endpoints that are added by the administrator. These endpoints and any others created by the administrator may be secured with access control
lists (ACLs) on any given IaaS virtual machine. As of this writing ACLs are available for IaaS virtual machines, but not for PaaS web or worker roles.
How Network ACLs Work
An ACL is an object that contains a list of rules. When you create an ACL and apply it to a virtual machine endpoint, packet filtering takes place on the host node of your virtual
machine. This means the traffic from remote IP addresses is filtered by the host node for matching ACL rules instead of on your virtual machine. This prevents your virtual machine
from spending the precious CPU cycles on packet filtering.
When a virtual machine is created, a default ACL is put in place to block all incoming traffic. However, if an input endpoint is created (for example, port 3389), then the default
ACL is modified to allow all inbound traffic for that endpoint. As discussed above, when a virtual machine is created from the Azure gallery, a PowerShell endpoint and an RDP
endpoint are created using standard private ports but randomly generated public ports, as seen in the portal below. Inbound traffic from any remote subnet is then restricted to
those endpoints and no firewall provisioning is required. All other ports are blocked for inbound traffic unless endpoints are created for those ports. Outbound traffic is allowed by default.
Using Network ACLs, you can do the following:
Selectively permit or deny incoming traffic based on remote subnet IPv4 address range to a virtual machine input endpoint.
Blacklist IP addresses
Create multiple rules per virtual machine endpoint
Specify up to 50 ACL rules per virtual machine endpoint
Use rule ordering to ensure the correct set of rules are applied on a given virtual machine endpoint (lowest to highest)
Specify an ACL for a specific remote subnet IPv4 address.
So network ACLs are the key to protecting virtual machine public endpoints and controlling that type of access to them. Currently, you can specify network ACLs for IaaS virtual
machines input endpoints, which allow you to control access from the internet to each virtual machine. Unless you specify endpoints, the virtual machines in a virtual network do not
get incoming traffic and this is equivalent to having a default deny ACL at the network level which you can override on a per virtual machine basis. You cannot currently specify an
ACL on a specific subnet contained in a virtual network, and we are looking into this for the future.
Option 1: Subnets within a Single Virtual Network
Currently, Windows Azure provides routing across subnets within a single virtual network, but does not provide any type of network ACL capability with respect to internal DIP
addresses. So in order to restrict access to machines within a single virtual network, those machines must leverage Windows Firewall with Advanced Security, as depicted simply in
the diagram below.
In order to secure the server, Windows Firewall could be configured to block all inbound connections, and inbound rules would be setup to determine:
1) what local ports will accept connections,
2) what remote ports from which connections will be accepted,
3) what remote IP addresses will be accepted,
4) what authorized users can make connections, and
5) what authorized computers can make connections
In this case, the firewall exceptions would include local Dynamic IP (DIP) addresses within its own subnet and across other subnets configured for the virtual network. Any public
endpoints would be secured with network ACLs. Firewall exceptions should, of course, include the private ports for public endpoints established with network ACLS.
Option 2: Subnets in Different Virtual Networks
In order to protect virtual machines from other machines deployed in other Azure virtual networks, or machines in other Azure cloud services not associated with a virtual network, or
machines outside the Windows Azure platform, the Windows Azure network ACL feature would be used to provide access control to virtual machines. This is the most natural scenario in
Windows Azure for application isolation, since by default the only access allowed on virtual machines are the default provided RDP and Remote PowerShell public endpoints. For any
Azure virtual machine (PaaS or IaaS) that wishes to access another virtual machine in a different virtual network, its virtual IP (VIP) address will be considered as opposed to its
DIP addresses within a single virtual network. So when a permit ACL is set on a given virtual machine endpoint, that ACL will consider the public VIP of the machine that desires to
make a connection. We can see this in the diagram below.
We can selectively permit or deny network traffic (in the management portal or from PowerShell) for a virtual machine input endpoint by creating rules that specify "permit" or
"deny". By default, when an endpoint is created, all traffic is permitted to the endpoint. So for that reason, it's important to understand how to create permit/deny rules and place
them in the proper order of precedence to gain granular control over the network traffic that you choose to allow to reach the virtual machine endpoint. Note that at the instant you
add one or more "permit" ranges, you aredenying all other ranges by default.
If you need to isolate resources further by preventing unauthorized communications between the subnets, you can use network security groups. (NSG)
Question : You maintain a virtual network named QuickVMNet , now you want to deploy a virtual machine and make sure that it is part of QuickVMNet , how can you do that?
1. Run the New-AzureVM Power Shell cmdlet.
2. Run the New-AzureQuickVM Power Shell cmdlet.
3. Access Mostly Uused Products by 50000+ Subscribers
4. Update fabrikamVNet's existing Availability Set.
Correct Answer : Get Lastest Questions and Answer :
Explanation: New-AzureQuickVM
Creates and provisions a new Azure virtual machine.
New-AzureQuickVM -ImageName
[-EnableWinRMHttp] [-HostCaching
[-NoExportPrivateKey] [-NoWinRMEndpoint] [-Password
[-VNetName
The New-AzureQuickVM cmdlet sets the configuration for a new virtual machine and creates the virtual machine. You can create a new Azure service for the virtual machine by specifying
either the Location or AffinityGroup parameters, or deploy the new virtual machine into an existing service.
New-AzureVM
Creates a new Azure virtual machine.
Parameter Set: ExistingService
New-AzureVM -ServiceName
[-InternalLoadBalancerConfig
Parameter Set: CreateService
New-AzureVM -ServiceName
[-DnsSettings
[-ReverseDnsFqdn
The New-AzureVM cmdlet adds a new virtual machine to an existing Azure cloud service, or creates a new virtual machine and a new cloud service in the current subscription if either
the Location or AffinityGroup parameter is specified.
You can use the New-AzureQuickVM syntax, New-AzureVM or New-AzureVMConfig syntax, The New-AzureQuickVM automatically creates and provisions the VM which does not require any
additional steps.
New-AzureQuickVM -Windows -ServiceName "
-ImageName "b83b3509582419d99629ce476bcb5c8__Microsoft-SQL-Server-2012-
Evaluation-CY13Feb-SQL11-SP1-CU2-11.0.3339.0" -Password
-InstanceSize "ExtraLarge"
New-AzureVM
Creates a new Azure virtual machine.
New-AzureQuickVM
Creates and provisions a new Azure virtual machine.
Related Questions
Question : You manage a software-as-a-service application named SaasApp that provides
user management features in a multi-directory environment. You plan to offer SaasApp1 to
other organizations that use Azure Active Directory. You need to ensure that SaasApp1
can access directory objects. What should you do?
1. Configure the Federation Metadata URL
2. Register SaasApp1 as a native client application.
3. Access Mostly Uused Products by 50000+ Subscribers
4. Configure the Graph API.
Question : You administer an Azure Active Directory (Azure AD) tenant where Box is configured for: Application Access
Password Single Sign-on An employee moves to an organizational unit that does not require access to Box through the Access Panel.
You need to remove only Box from the list of applications only for this user.
What should you do?
1. Delete the user from the Azure AD tenant.
2. Delete the Box Application definition from the Azure AD tenant.
3. Access Mostly Uused Products by 50000+ Subscribers
4. Disable the user's account in Windows AD.
Question : You administer an Azure Active Directory (Azure AD) tenant that has a SharePoint web application named TeamSite. TeamSite accesses your Azure AD tenant for user
information. The application access key for TeamSite1 has been compromised. You need to ensure that users can continue to use TeamSite1 and that the compromised
key does not allow access to the data in your Azure AD tenant. Which two actions should you perform? Each correct answer presents part of the solution.
A. Remove the compromised key from the application definition for TeamSite1.
B. Delete the application definition for TeamSite1.
C. Generate a new application key for TeamSite1.
D. Generate a new application definition for TeamSite1.
E. Update the existing application key.
1. A,B
2. B,C
3. Access Mostly Uused Products by 50000+ Subscribers
4. D,E
5. C,E
Question : You administer a DirSync server configured with Azure Active Directory (Azure AD).
You need to provision a user in Azure AD without waiting for the default DirSync
synchronization interval. What are two possible ways to achieve this goal?
Each correct answer presents a complete solution.
A. Restart the DirSync server.
B. Run the Start-OnlineCoexistenceSync PowerShell cmdlet.
C. Run the Enable-SyncShare PowerShell cmdlet.
D. Run the Azure AD Sync tool Configuration Wizard.
E. Replicate the Directory in Active Directory Sites and Services.
1. A,B
2. B,C
3. Access Mostly Uused Products by 50000+ Subscribers
4. D,E
5. B,D
Question : You administer an Azure Web Site named contosoweb that is used to sell various products. Contosoweb experiences heavy traffic during weekends.
You need to analyze the response time of the product catalog page during peak times, from different locations. What should you do?
1. Configure endpoint monitoring.
2. Add the Requests metric.
3. Access Mostly Uused Products by 50000+ Subscribers
4. Turn on Detailed Error Messages.
Question : Your company has a subscription to Azure. You configure your contoso.com domain to use a private Certificate Authority. You deploy a
web site named MyApp by using the Shared (Preview) web hosting plan. You need to ensure that clients are able to access the MyApp website by using https.
What should you do?
1. Back up the Site and import into a new website.
2. Use the internal Certificate Authority and ensure that clients download the certificate chain.
3. Access Mostly Uused Products by 50000+ Subscribers
4. Change the web hosting plan to Standard.