AZ-500 -part2

You have an Azure subscription that contains two virtual machines named VM1 and VM2 that run Windows Server 2019. You are implementing Update Management in Azure Automation. You plan to create a new update deployment named Update1. You need to ensure that Update1 meets the following requirements:
✑ Automatically applies updates to VM1 and VM2.
✑ Automatically adds any new Windows Server 2019 virtual machines to Update1.
What should you include in Update1?
- a security group that has a Membership type of Assigned
- a security group that has a Membership type of Dynamic Device
- a dynamic group query
- a Kusto query language query

You have an Azure Kubernetes Service (AKS) cluster that will connect to an Azure Container Registry. You need to use the automatically generated service principal for the AKS cluster to authenticate to the Azure Container Registry. What should you create?
- a secret in Azure Key Vault
- a role assignment
- an Azure Active Directory (Azure AD) user
- an Azure Active Directory (Azure AD) user

You have the Azure virtual machines shown in the following table. For which virtual machine can you enable Update Management?
- VM2 and VM3 only
- VM2, VM3, and VM4 only
- VM1, VM2, and VM4 only
- VM1, VM2, VM3, and VM4
- VM1, VM2, and VM3 only

You have an Azure subscription named Sub1. You have an Azure Active Directory (Azure AD) group named Group1 that contains all the members of your IT team. You need to ensure that the members of Group1 can stop, start, and restart the Azure virtual machines in Sub1. The solution must use the principle of least privilege. Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order. Select and Place:
- Create a JSON file
- Run the Update-AzManagementGroup cmdlet
- Create an XML file
- Run the New-AzRoleDefinition cmdlet
- Run the New-AzRoleAssignment cmdlet

You have an Azure subscription that contains a user named User1 and an Azure Container Registry named ContReg1. You enable content trust for ContReg1. You need to ensure that User1 can create trusted images in ContReg1. The solution must use the principle of least privilege. Which two roles should you assign to User1? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.
- AcrQuarantineReader
- Contributor
- AcrPush
- AcrImageSigner
- AcrQuarantineWriter

You have an Azure Container Registry named ContReg1 that contains a container image named image1. You enable content trust for ContReg1. After content trust is enabled, you push two images to ContReg1 as shown in the following table. Which images are trusted images?
- image1 and image2 only
- image2 only
- image1, image2, and image3

DRAG DROP - You have an Azure subscription that contains the following resources:
✑ A virtual network named VNET1 that contains two subnets named Subnet1 and Subnet2.
✑ A virtual machine named VM1 that has only a private IP address and connects to Subnet1.
You need to ensure that Remote Desktop connections can be established to VM1 from the internet. Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order. Select and Place:
- Configure a network security group (NSG)
- Create a network rule collection
- Create a NAT rule collection
- Create a new subnet
- Deploy Azure Application Gateway
- Deploy Azure Firewall

HOTSPOT - You create resources in an Azure subscription as shown in the following table.

| NAME | TYPE | REGION |
|---|---|---|
| Rg1 | Resource Group | West Europe |
| VNET1 | Azure virtual network | West Europe |
| Contoso1901 | Azure Storage account | West Europe |

VNET1 contains two subnets named Subnet1 and Subnet2. Subnet1 has a network ID of 10.0.0.0/24. Subnet2 has a network ID of 10.1.1.0/24.
Contoso1901 is configured as shown in the exhibit. (Click the Exhibit tab.) For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point. Hot Area:
- An Azure VM on Subnet1 can access data in Contoso1901.
- An Azure VM on Subnet2 can access data in Contoso1901.
- A computer on the internet that has an IP address of 193.77.10.2 can access data in Contoso1901.

You have an Azure subscription that contains the virtual machines shown in the following table. All the virtual networks are peered. You deploy Azure Bastion to VNET2. Which virtual machines can be protected by the bastion host?
- VM1, VM2, VM3, and VM4
- VM1, VM2, and VM3 only
- VM2 and VM4 only
- VM2 only

You have Azure Resource Manager templates that you use to deploy Azure virtual machines. You need to disable unused Windows features automatically as instances of the virtual machines are provisioned. What should you use?
- device configuration policies in Microsoft Intune
- Azure Automation State Configuration
- security policies in Azure Security Center
- device compliance policies in Microsoft Intune

You have an Azure subscription named Sub1. Sub1 contains a virtual network named VNet1 that contains one subnet named Subnet1. Subnet1 contains an Azure virtual machine named VM1 that runs Ubuntu Server 18.04. You create a service endpoint for MicrosoftStorage in Subnet1. You need to ensure that when you deploy Docker containers to VM1, the containers can access Azure Storage resources by using the service endpoint. What should you do on VM1 before you deploy the container?
- Create an application security group and a network security group (NSG)
- Edit the docker-compose.yml file
- Install the container network interface (CNI) plug-in

You have Azure Resource Manager templates that you use to deploy Azure virtual machines. You need to disable unused Windows features automatically as instances of the virtual machines are provisioned.
What should you use?
- device configuration policies in Microsoft Intune
- an Azure Desired State Configuration (DSC) virtual machine extension
- application security groups
- device compliance policies in Microsoft Intune

DRAG DROP - You have an Azure subscription that contains the virtual networks shown in the following table. The Azure virtual machines on SpokeVNetSubnet0 can communicate with the computers on the on-premises network. You plan to deploy an Azure firewall to HubVNet. You create the following two routing tables:
✑ RT1: Includes a user-defined route that points to the private IP address of the Azure firewall as a next hop address
✑ RT2: Disables BGP route propagation and defines the private IP address of the Azure firewall as the default gateway
You need to ensure that traffic between SpokeVNetSubnet0 and the on-premises network flows through the Azure firewall. To which subnet should you associate each route table? To answer, drag the appropriate subnets to the correct route tables. Each subnet may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content. NOTE: Each correct selection is worth one point. Select and Place:
- AzureFirewallSubnet
- GatewaySubnet
- SpokeVNetSubnet0

You are configuring an Azure Kubernetes Service (AKS) cluster that will connect to an Azure Container Registry. You need to use the auto-generated service principal to authenticate to the Azure Container Registry. What should you create?
- an Azure Active Directory (Azure AD) group
- an Azure Active Directory (Azure AD) role assignment
- an Azure Active Directory (Azure AD) user
- a secret in Azure Key Vault

You have an Azure subscription that contains the Azure virtual machines shown in the following table. You create an MDM Security Baseline profile named Profile1. You need to identify to which virtual machines Profile1 can be applied. Which virtual machines should you identify?
- VM1 only
- VM1, VM2, and VM3 only
- VM1 and VM3 only
- VM1, VM2, VM3, and VM4

You have Azure Resource Manager templates that you use to deploy Azure virtual machines. You need to disable unused Windows features automatically as instances of the virtual machines are provisioned. What should you use?
- device configuration policies in Microsoft Intune
- an Azure Desired State Configuration (DSC) virtual machine extension
- security policies in Azure Security Center
- Azure Logic Apps

HOTSPOT - You have an Azure subscription that contains the virtual machines shown in the following table.
- You can start VM1.
- You can start VM2.
- You can create a virtual machine in RG2.

You have an Azure virtual machine named VM1. From Azure Security Center, you get the following high-severity recommendation: "Install endpoint protection solutions on virtual machine". You need to resolve the issue causing the high-severity recommendation. What should you do?
- A. Add the Microsoft Antimalware extension to VM1.
- B. Install Microsoft System Center Security Management Pack for Endpoint Protection on VM1.
- C. Add the Network Watcher Agent for Windows extension to VM1.
- D. Onboard VM1 to Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP).

You have an Azure subscription that contains a virtual network. The virtual network contains the subnets shown in the following table. The subscription contains the virtual machines shown in the following table. You enable just in time (JIT) VM access for all the virtual machines. You need to identify which virtual machines are protected by JIT. Which virtual machines should you identify?
- VM4 only
- VM1 and VM3 only
- VM1, VM3 and VM4 only
- VM1, VM2, VM3, and VM4

HOTSPOT - You have an Azure subscription that contains the virtual machines shown in the following table.

| NAME | Connected to | Private IP Address | Public IP Address |
|---|---|---|---|
| VM1 | VNET1/Subnet1 | 10.1.1.4 | 13.80.73.97 |
| VM2 | VNET2/Subnet2 | 10.2.1.4 | 213.199.133.190 |
| VM3 | VNET2/Subnet2 | 10.2.1.5 | none |

Subnet1 and Subnet2 have a Microsoft.Storage service endpoint configured. You have an Azure Storage account named storageacc1 that is configured as shown in the following exhibit. For each of the following statements, select Yes if the statement is true. Otherwise, select No. Hot Area:
- From VM1, you can upload a blob to storageacc1.
- From VM2, you can upload a blob to storageacc1.
- From VM3, you can upload a blob to storageacc1.

You have Azure Resource Manager templates that you use to deploy Azure virtual machines. You need to disable unused Windows features automatically as instances of the virtual machines are provisioned. What should you use?
- device compliance policies in Microsoft Intune
- Azure Automation State Configuration
- application security groups
- Azure Advisor

From Azure Security Center, you enable Azure Container Registry vulnerability scanning of the images in Registry1. You perform the following actions:
✑ Push a Windows image named Image1 to Registry1.
✑ Push a Linux image named Image2 to Registry1.
✑ Push a Windows image named Image3 to Registry1.
✑ Modify Image1 and push the new image as Image4 to Registry1.
✑ Modify Image2 and push the new image as Image5 to Registry1.
Which two images will be scanned for vulnerabilities? Each correct answer presents a complete solution. NOTE: Each correct selection is worth one point.
- Image4
- Image2
- Image1
- Image3
- Image5

You have the Azure virtual machines shown in the following table. You create an Azure Log Analytics workspace named Analytics1 in RG1 in the East US region. Which virtual machines can be enrolled in Analytics1?
- VM1 only
- VM1, VM2, and VM3 only
- VM1, VM2, VM3, and VM4
- VM1 and VM4 only

You are testing an Azure Kubernetes Service (AKS) cluster.
The cluster is configured as shown in the exhibit. (Click the Exhibit tab.) You plan to deploy the cluster to production. You disable HTTP application routing. You need to implement application routing that will provide reverse proxy and TLS termination for AKS services by using a single IP address. What should you do?
- A. Create an AKS Ingress controller.
- B. Install the container network interface (CNI) plug-in.
- C. Create an Azure Standard Load Balancer.
- D. Create an Azure Basic Load Balancer.

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen. You have an Azure subscription. The subscription contains 50 virtual machines that run Windows Server 2012 R2 or Windows Server 2016. You need to deploy Microsoft Antimalware to the virtual machines. Solution: You add an extension to each virtual machine. Does this meet the goal?
- Yes
- No

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen. You have an Azure subscription. The subscription contains 50 virtual machines that run Windows Server 2012 R2 or Windows Server 2016. You need to deploy Microsoft Antimalware to the virtual machines. Solution: You connect to each virtual machine and add a Windows feature. Does this meet the goal?
- Yes
- No

You have an Azure Active Directory (Azure AD) tenant named Contoso.com and an Azure Kubernetes Service (AKS) cluster AKS1. You discover that AKS1 cannot be accessed by using accounts from Contoso.com. You need to ensure AKS1 can be accessed by using accounts from Contoso.com. The solution must minimize administrative effort. What should you do first?
- A. From Azure, recreate AKS1.
- B. From AKS1, upgrade the version of Kubernetes.
- C. From Azure AD, implement Azure AD Premium.
- D. From Azure AD, configure the User settings.

You have an Azure subscription that contains an Azure Container Registry named Registry1. The subscription uses the Standard use tier of Azure Security Center. You upload several container images to Registry1. You discover that vulnerability security scans were not performed. You need to ensure that the images are scanned for vulnerabilities when they are uploaded to Registry1. What should you do?
- A. From the Azure portal, modify the Pricing tier settings.
- B. From Azure CLI, lock the container images.
- C. Upload the container images by using AzCopy.
- D. Push the container images to Registry1 by using Docker.

From Azure Security Center, you create a custom alert rule. You need to configure which users will receive an email message when the alert is triggered. What should you do?
- A. From Azure Monitor, create an action group.
- B. From Security Center, modify the Security policy settings of the Azure subscription.
- C. From Azure Active Directory (Azure AD), modify the members of the Security Reader role group.
- D. From Security Center, modify the alert rule.

You are configuring and securing a network environment. You deploy an Azure virtual machine named VM1 that is configured to analyze network traffic. You need to ensure that all network traffic is routed through VM1. What should you configure?
- A. a system route.
- B. a network security group (NSG).
- C. a user-defined route.

You have an Azure subscription that contains the virtual networks shown in the following table. The subscription contains the virtual machines shown in the following table. On NIC1, you configure an application security group named ASG1. On which other network interfaces can you configure ASG1?
- A. NIC2 only.
- B. NIC2, NIC3, NIC4, and NIC5.
- C. NIC2 and NIC3 only.
- D. NIC2, NIC3, and NIC4 only.

You have 15 Azure virtual machines in a resource group named RG1. All the virtual machines run identical applications. You need to prevent unauthorized applications and malware from running on the virtual machines. What should you do?
- A. Apply an Azure policy to RG1.
- B. From Azure Security Center, configure adaptive application controls.
- C. Configure Azure Active Directory (Azure AD) Identity Protection.
- D. Apply a resource lock to RG1.

You have a web app hosted on an on-premises server that is accessed by using a URL of https://www.contoso.com. You plan to migrate the web app to Azure. You will continue to use https://www.contoso.com. You need to enable HTTPS for the Azure web app. What should you do first?
- A. Export the public key from the on-premises server and save the key as a P7b file.
- B. Export the private key from the on-premises server and save the key as a PFX file that is encrypted by using TripleDES.
- C. Export the public key from the on-premises server and save the key as a CER file.
- D. Export the private key from the on-premises server and save the key as a PFX file that is encrypted by using AES256.

You plan to deploy Azure container instances. You have a containerized application that validates credit cards. The application is comprised of two containers: an application container and a validation container. The application container is monitored by the validation container. The validation container performs security checks by making requests to the application container and waiting for responses after every transaction.
You need to ensure that the application container and the validation container are scheduled to be deployed together. The containers must communicate to each other only on ports that are not externally exposed. What should you include in the deployment?
- A. application security groups.
- B. network security groups (NSGs).
- C. management groups.
- D. container groups.

DRAG DROP - You are configuring network connectivity for two Azure virtual networks named VNET1 and VNET2. You need to implement VPN gateways for the virtual networks to meet the following requirements:
✑ VNET1 must have six site-to-site connections that use BGP.
✑ VNET2 must have 12 site-to-site connections that use BGP.
✑ Costs must be minimized.
Which VPN gateway SKU should you use for each virtual network? To answer, drag the appropriate SKUs to the correct networks. Each SKU may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content. NOTE: Each correct selection is worth one point. Select and Place:
- BASIC
- VpnGw1
- VpnGw2
- VpnGw3

You are securing access to the resources in an Azure subscription. A new company policy states that all the Azure virtual machines in the subscription must use managed disks. You need to prevent users from creating virtual machines that use unmanaged disks. What should you use?
- A. Azure Monitor.
- B. Azure Policy.
- C. Azure Security Center.
- D. Azure Service Health.

HOTSPOT - You have an Azure subscription that contains a storage account named storage1 and several virtual machines. The storage account and virtual machines are in the same Azure region. The network configurations of the virtual machines are shown in the following table. The virtual network subnets have service endpoints defined as shown in the following table.
You configure the following Firewall and virtual networks settings for storage1:
✑ Allow access from: Selected networks
✑ Virtual networks: VNET3\Subnet3
Firewall - Address range: 52.233.129.0/24
For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point. Hot Area:
- VM1 can connect to storage1.
- VM2 can connect to storage1.
- VM3 can connect to storage1.

You plan to create an Azure Kubernetes Service (AKS) cluster in an Azure subscription. The manifest of the registered server application is shown in the following exhibit. You need to ensure that the AKS cluster and Azure Active Directory (Azure AD) are integrated. Which property should you modify in the manifest?
- A. accessTokenAcceptedVersion.
- B. keyCredentials.
- C. groupMembershipClaims.
- D. acceptMappedClaims.

You have an Azure Active Directory (Azure AD) tenant that contains the resources shown in the following table.

| NAME | TYPE |
|---|---|
| User1 | User |
| User2 | User |
| User3 | User |
| Group1 | Security Group |
| Group2 | Security Group |
| App1 | Enterprise application |

User2 is the owner of Group2. The user and group settings for App1 are configured as shown in the following exhibit. User3 is configured to approve access to App1. You need to identify the owners of Group2 and the users of App1. What should you identify? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Hot Area:

Group2 Owners:
- User2 only
- User3 only
- User1 and User2 only
- User2 and User3 only
- User1, User2 and User3 only

App1 Users:
- Group1 members only
- Group2 members only
- Group1 and Group2 members only
- Group1 and Group2 members and User1 only
- Group1 and Group2 members, User1 and User3 only

Answer fields:
- Group2 Owners
- App1 Users

HOTSPOT - You have an Azure subscription. The subscription contains Azure virtual machines that run Windows Server 2016.
You need to implement a policy to ensure that each virtual machine has a custom antimalware virtual machine extension installed. How should you complete the policy? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Hot Area:
- effect
- parameters

HOTSPOT - You have an Azure subscription that contains an Azure Active Directory (Azure AD) tenant named contoso.com. The tenant contains the users shown in the following table.

| NAME | SUBSCRIPTION ROLE | AZURE AD USER ROLE |
|---|---|---|
| User1 | Owner | None |
| User2 | Contributor | None |
| User3 | Security Admin | None |
| User4 | None | Service Administrator |

You create a resource group named RG1. Which users can modify the permissions for RG1 and which users can create virtual networks in RG1? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Hot Area:
- User who can modify the permissions for RG1
- User who can create virtual networks in RG1

HOTSPOT - You have a file named File1.yaml that contains the following contents. You create an Azure container instance named container1 by using File1.yaml. You need to identify where you can access the values of Variable1 and Variable2. What should you identify? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Hot Area:
- Variable1
- Variable2

HOTSPOT - You have Azure virtual machines that have Update Management enabled. The virtual machines are configured as shown in the following table. You schedule two update deployments named Update1 and Update2. Update1 updates VM3. Update2 updates VM6. Which additional virtual machines can be updated by using Update1 and Update2? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Hot Area:
- Update1
- Update2

HOTSPOT - You have an Azure subscription named Sub1.
You create a virtual network that contains one subnet. On the subnet, you provision the virtual machines shown in the following table. Currently, you have not provisioned any network security groups (NSGs). You need to implement network security to meet the following requirements:
✑ Allow traffic to VM4 from VM3 only.
✑ Allow traffic from the Internet to VM1 and VM2 only.
✑ Minimize the number of NSGs and network security rules.
How many NSGs and network security rules should you create? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Hot Area:
- NSGs
- Network Security rules

HOTSPOT - You have an Azure key vault. You need to delegate administrative access to the key vault to meet the following requirements:
✑ Provide a user named User1 with the ability to set advanced access policies for the key vault.
✑ Provide a user named User2 with the ability to add and delete certificates in the key vault.
✑ Use the principle of least privilege.
What should you use to assign access to each user? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Hot Area:
- User1
- User2

HOTSPOT - You have two Azure virtual machines in the East US 2 region as shown in the following table. You deploy and configure an Azure Key vault. You need to ensure that you can enable Azure Disk Encryption on VM1 and VM2. What should you modify on each virtual machine? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Hot Area:
- VM1
- VM2