AZ-700: Designing and Implementing Microsoft Azure Networking Solutions
Page 4 out of 12 pages Questions 31-40 out of 116 questions
Question#31

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure application gateway that has Azure Web Application Firewall (WAF) enabled.
You configure the application gateway to direct traffic to the URL of the application gateway.
You attempt to access the URL and receive an HTTP 403 error. You view the diagnostics log and discover the following error.

You need to ensure that the URL is accessible through the application gateway from any IP address.
Solution: You create a WAF policy exclusion for request headers that contain 137.135.10.24.
Does this meet the goal?

  • A. Yes
  • B. No

Answer: B
The log shows that the WAF rule with ruleId 920300 was triggered. Instead, we should disable the WAF rule that has ruleId 920300.
Reference:
https://docs.microsoft.com/en-us/azure/web-application-firewall/ag/web-application-firewall-troubleshoot

Question#32

HOTSPOT -
Your company has 10 instances of a web service. Each instance is hosted in a different Azure region and is accessible through a public endpoint.
The development department at the company is creating an application named App1. Every 10 minutes, App1 will use a list of endpoints and connect to the first available endpoint.
You plan to use Azure Traffic Manager to maintain the list of endpoints.
You need to configure a Traffic Manager profile that will minimize the impact of DNS caching.
What should you configure? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:


Answer:
Reference:
https://docs.microsoft.com/en-us/azure/traffic-manager/traffic-manager-routing-methods
https://docs.microsoft.com/en-us/azure/traffic-manager/traffic-manager-endpoint-types

Question#33

DRAG DROP -
You have an Azure Front Door instance named FrontDoor1.
You deploy two instances of an Azure web app to different Azure regions.
You plan to provide access to the web app through FrontDoor1 by using the name app1.contoso.com.
You need to ensure that FrontDoor1 is the entry point for requests that use app1.contoso.com.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Select and Place:


Answer:
Reference:
https://docs.microsoft.com/en-us/azure/frontdoor/front-door-custom-domain#associate-the-custom-domain-with-your-front-door
https://docs.microsoft.com/en-us/azure/frontdoor/quickstart-create-front-door

Question#34

You have a website that uses an FQDN of www.contoso.com. The DNS record for www.contoso.com resolves to an on-premises web server.
You plan to migrate the website to an Azure web app named Web1. The website on Web1 will be published by using an Azure Front Door instance named ContosoFD1.
You build the website on Web1.
You plan to configure ContosoFD1 to publish the website for testing.
When you attempt to configure a custom domain for www.contoso.com on ContosoFD1, you receive the error message shown in the exhibit. (Click the Exhibit tab.)

You need to test the website and ContosoFD1 without affecting user access to the on-premises web server.
Which record should you create in the contoso.com DNS domain?

  • A. a CNAME record that maps afdverify.www.contoso.com to ContosoFD1.azurefd.net
  • B. a CNAME record that maps www.contoso.com to ContosoFD1.azurefd.net
  • C. a CNAME record that maps afdverify.www.contoso.com to afdverify.ContosoFD1.azurefd.net
  • D. a CNAME record that maps www.contoso.com to Web1.contoso.com

Answer: C
Reference:
https://docs.microsoft.com/en-us/azure/frontdoor/front-door-custom-domain#map-the-temporary-afdverify-subdomain

Question#35

You have the Azure load balancer shown in the Load Balancer exhibit.

LB2 has the backend pools shown in the Backend Pools exhibit.

You need to ensure that LB2 distributes traffic to all the members of VMSS1.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

  • A. Add a network interface to VMSS1.
  • B. Add a load balancing rule.
  • C. Configure a health probe.
  • D. Add a public IP address to each member of VMSS1.

Answer: BC
Reference:
https://docs.microsoft.com/en-us/azure/load-balancer/quickstart-load-balancer-standard-public-portal?tabs=option-1-create-load-balancer-standard

Question#36

You have an Azure subscription that contains the following resources:
✑ A virtual network named Vnet1
✑ Two subnets named subnet1 and AzureFirewallSubnet
✑ A public Azure Firewall named FW1
✑ A route table named RT1 that is associated to Subnet 1
✑ A route in RT1 that routes 0.0.0.0/0 to FW1
After deploying 10 servers that run Windows Server to Subnet 1, you discover that none of the virtual machines were activated.
You need to ensure that the virtual machines can be activated.
What should you do?

  • A. On FW1, configure a DNAT rule for port 1688.
  • B. Deploy an application security group that allows outbound traffic to 1688.
  • C. On FW1, create an outbound network rule that allows traffic to the Azure Key Management Service (KMS).
  • D. On FW1, create an outbound service tag rule for Azure Cloud.

Answer: C
Cause -
The Azure Windows VMs need to connect to the Azure KMS server for Windows activation. The activation requires that the activation request come from an Azure public IP address.
To resolve this problem, use the Azure custom route to route activation traffic to the Azure KMS server.
Reference:
https://docs.microsoft.com/en-us/troubleshoot/azure/virtual-machines/custom-routes-enable-kms-activation

Question#37

You have an Azure Front Door instance that has a single frontend named Frontend1 and an Azure Web Application Firewall (WAF) policy named Policy1. Policy1 redirects requests that have a header containing "string1" to https://www.contoso.com/redirect1. Policy1 is associated to Frontend1.
You need to configure additional redirection settings. Requests to Frontend1 that have a header containing "string2" must be redirected to https://www.contoso.com/redirect2.
Which three actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

  • A. Create a custom rule.
  • B. Create a policy.
  • C. Create a frontend host.
  • D. Configure a managed rule.
  • E. Add a custom rule to Policy1.
  • F. Create an association.

Answer: CEF
E: A WAF policy consists of two types of security rules:
✑ Custom rules, which are authored by the customer.
✑ Managed rule sets, which are collections of Azure-managed, pre-configured rules.
You can create a fully customized policy that meets your specific application protection requirements by combining managed and custom rules.
A web application delivered by Front Door can have only one WAF policy associated with it at a time.
CF: We create a frontend host and associate it with the policy.
In the Association tab of the Create a WAF policy page, select + Associate a Front Door profile, enter the following settings, and then select Add:

Reference:
https://docs.microsoft.com/en-us/azure/web-application-firewall/afds/afds-overview
https://docs.microsoft.com/en-us/azure/web-application-firewall/afds/waf-front-door-create-portal

Question#38

You have 10 Azure App Service instances. Each instance hosts the same web app. Each instance is in a different Azure region.
You need to configure Azure Traffic Manager to direct users to the instance that has the lowest latency.
Which routing method should you use?

  • A. geographic
  • B. weighted
  • C. priority
  • D. performance

Answer: D
Select Performance routing when you have endpoints in different geographic locations and you want end users to use the "closest" endpoint for the lowest network latency.
Reference:
https://docs.microsoft.com/en-us/azure/traffic-manager/traffic-manager-routing-methods

Question#39

Your company has offices in London, Tokyo, and New York.
The company has a web app named App1 that has the Azure Traffic Manager profile shown in the following table.

In Asia, you plan to deploy an additional endpoint that will host an updated version of App1.
You need to route 10 percent of the traffic from the Tokyo office to the new endpoint during testing.
What should you configure in Traffic Manager?

  • A. two profiles and five endpoints
  • B. two profiles and four endpoints
  • C. three profiles and four endpoints
  • D. one profile and five endpoints

Answer: B
Two profiles are needed. Add one child profile that uses Weighted routing. One additional trial endpoint, on top of the existing three, is needed for the child profile.
Note 1: Each Traffic Manager profile specifies a single traffic-routing method. However, there are scenarios that require more sophisticated traffic routing than the routing provided by a single Traffic Manager profile. You can nest Traffic Manager profiles to combine the benefits of more than one traffic-routing method.
Note 2: Weighted routing: Select Weighted routing when you want to distribute traffic across a set of endpoints based on their weight. Set the weight the same to distribute evenly across all endpoints.
Reference:
https://docs.microsoft.com/en-us/azure/traffic-manager/traffic-manager-nested-profiles
https://docs.microsoft.com/en-us/azure/traffic-manager/traffic-manager-routing-methods

Question#40

HOTSPOT -
You configure a route table named RT1 that has the routes shown in the following table.

You have an Azure virtual network named Vnet1 that has the subnets shown in the following table.

You have the resources shown in the following table.

Vnet1 connects to an ExpressRoute circuit. The on-premises router advertises the following routes:
✑ 0.0.0.0/0
✑ 10.0.0.0/16
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:


Answer:
Box 1: Yes -
NVA1 (NVA: network virtual appliance) with IP address 192.168.0.4 is on the DMZ subnet. It will use route 10.0.0.0/16 to the on-premises network.

Box 2: No -
VM2 has IP address 192.168.2.4 and is on the BackEnd subnet. VM2 will not use the RT1 route table, and will not reach the on-premises network through NVA1.

Box 3: Yes -
VM1 with IP address 192.168.1.4 is on the FrontEnd subnet, and will use the RT1 route table. It will use Route2 and next hop IP address 192.168.0.4, the IP address of NVA1, to reach VM2.
