AZ-300 Microsoft Azure Architect Practice Exam Questions NEW Set 4

You need to ensure that production SQL servers in subnet1 cannot talk to DMZ webservers in subnet 2. What is the most cost-effective solution to meet this requirement?


Options are :

  • Configure route tables on each VM to block traffic between subnet1 and subnet 2
  • Configure a Firewall Appliance to block traffic between subnet1 and subnet 2
  • Configure NSGs to block traffic between subnet1 and subnet 2 (Correct)
  • Configure an Application Gateway to block traffic between subnet1 and subnet 2

Answer : Configure NSGs to block traffic between subnet1 and subnet 2


Apply your knowledge of Azure Route Tables to answer the following question. When adding a Route to an Azure Route Table, which of the following are available Next Hop Types? (Select all that apply.) Virtual Network Gateway, Virtual Network, Storage Account, Internet, Virtual Appliance, Network Security Gateway


Options are :

  • Virtual Network (Correct)
  • Network Security Gateway
  • Storage Account
  • Virtual Appliance (Correct)
  • Virtual Network Gateway (Correct)
  • Internet (Correct)

Answer : Virtual Network, Virtual Appliance, Virtual Network Gateway, Internet

The business has a requirement to allow a remote office to write file data to a Storage Account called "azsaeastcore" during a two-week project. It is essential that you set this up quickly but in the most secure manner. Apply your knowledge of Storage Accounts to select the correct answer that meets the requirements.


Options are :

  • Configure Shared access signature in "azsaeastcore" with the following settings: Allowed permissions = "Write" and "List". Set the "Allowed IP addresses" to include the remote office's IP address. Set an expiry date of two weeks' time.
  • Configure Shared access signature in "azsaeastcore" with the following settings: Allowed permissions = "Write". Set the "Allowed IP addresses" to include the remote office's IP address. Set an expiry date of two weeks' time. (Correct)
  • Give the remote office the second shared access key that is configured when the storage account is set up but not the first one.
  • Give the remote office the second shared access key that is configured when the storage account is set up but not the first one. Configure Shared access signature in "azsaeastcore" with the following settings: Allowed permissions = Write. Set an expiry date of two weeks.

Answer : Configure Shared access signature in "azsaeastcore" with the following settings: Allowed permissions = "Write". Set the "Allowed IP addresses" to include the remote office's IP address. Set an expiry date of two weeks' time.

When configuring an Azure Application Gateway, which criteria are supported for the configuration of custom Health probes? Select all that apply. Port listening success, HTTP response status code match, Ping reply success, HTTP response body match, SSH response status code match


Options are :

  • Ping reply success
  • Port listening success
  • SSH response status code match
  • HTTP response status code match (Correct)
  • HTTP response body match (Correct)

Answer : HTTP response status code match, HTTP response body match

To ensure the maximum level of security your Security Manager has asked you to enable disk encryption for a VM. You are planning the configuration of this VM disk encryption. What should you configure in the Azure Key Vault to encrypt a VM disk?


Options are :

  • Access Policies
  • Certificates
  • Secrets
  • Keys (Correct)

Answer : Keys

Examine the following PowerShell statement and choose the missing PowerShell cmdlet that is the best fit.

    $keyVault = Get-AzKeyVault -VaultName $keyVaultName -ResourceGroupName $rgName;
    $diskEncryptionKeyVaultUrl = $keyVault.VaultUri;
    $keyVaultResourceId = $keyVault.ResourceId;
    $keyEncryptionKeyUrl = (Get-AzKeyVaultKey -VaultName $keyVaultName -Name myKey).Key.kid;
    MISSINGPOWERSHELL CMDLET -ResourceGroupName $rgName `
        -VMName "myVM" `
        -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl `
        -DiskEncryptionKeyVaultId $keyVaultResourceId `
        -KeyEncryptionKeyUrl $keyEncryptionKeyUrl `
        -KeyEncryptionKeyVaultId $keyVaultResourceId

Set-AzVMDiskEncryptionExtension, Set-AzVMDiskEncryption, Get-AzVmDiskEncryptionStatus, New-AzVM


Options are :

  • Set-AzVMDiskEncryption
  • Get-AzVmDiskEncryptionStatus
  • New-AzVM
  • Set-AzVMDiskEncryptionExtension (Correct)

Answer : Set-AzVMDiskEncryptionExtension

You are tasked with adding Virtual Machines to a resource group called "projectesp01". You decide to complete this task by creating a Resource Manager template. The resource group already contains 12 VMs. You do not want to modify or change the existing VMs. What deployment method should you use?


Options are :

  • Complete mode
  • Additional mode
  • Incremental mode (Correct)
  • Update mode

Answer : Incremental mode


The production Data VNet "Data1-vnet" is connected via two VNet peer connections to the production application VNet "App1-vnet" called "Data2App-peer" and "App2Data-peer". The application VNet "App1-vnet" is connected via two VNet peer connections to the Web DMZ VNet "Web1-vnet" called "App2Web-peer" and "Web2App-peer". It is discovered that the VMs in the Production Data VNet "data1-vnet" can communicate with the VMs in the Web DMZ VNet "Web1-vnet" but there is no peering configured between "Data1-vnet" and "Web1-vnet". Apply your knowledge of VNet peering to ensure services and VMs in the production Data VNet "data1-vnet" cannot communicate with VMs in the Web DMZ VNet "Web1-vnet".


Options are :

  • Uncheck the "Allow forwarded traffic" from the configuration of the vnet "Data1-vnet".
  • Uncheck the "Allow gateway transit" from configuration of the "App2Web-peer" and "Web2App-peer" peering connections.
  • Uncheck the "Allow forwarded traffic" in the configuration of the "App2Web-peer" and "Web2App-peer" peering connections. (Correct)
  • Uncheck the "Allow gateway transit" from configuration of the vnet "App1-vnet".

Answer : Uncheck the "Allow forwarded traffic" in the configuration of the "App2Web-peer" and "Web2App-peer" peering connections.

You want to delete the certificate "EnAppCert" from the "EnAppVault". What is the correct REST API call that will perform this task successfully?


Options are :

  • DELETE EnAppVault.vault.azure.net/certificates/EnAppCert?api-version=7.0
  • DELETE http://EnAppVault.vault.azure.net/certificates/EnAppCert?api-version=7.0
  • DELETE HTTPS://EnAppVault.vault.azure.net/certificates/EnAppCert?api-version=7.0 (Correct)
  • DELETE HTTPS://EnAppVault.vault.azure.net/removecertificates/EnAppCert?api-version=7.0

Answer : DELETE HTTPS://EnAppVault.vault.azure.net/certificates/EnAppCert?api-version=7.0

You have a VM called 'Webapp01' and you want to view resource usage for the VM for the last week. What should you configure to show you this? Select all that apply. Azure Monitoring Metrics, Azure Monitoring Alerts, Azure Monitoring Insights, Azure Crash dump Logger, Azure VM boot Diagnostics


Options are :

  • Azure Monitoring Alerts
  • Azure Monitoring Metrics (Correct)
  • Azure VM boot Diagnostics
  • Azure Crash dump Logger
  • Azure Monitoring Insights (Correct)

Answer : Azure Monitoring Metrics, Azure Monitoring Insights

You are the Cloud Administrator of CycleShare.com, a large organisation with multiple sites across the world. The Sales Director asks if there is any way her team can reset passwords without using the service desk (who are only available during US business hours). You decide to implement Azure Active Directory Self-Service Password Reset. However, your Security Manager has concerns that this will introduce a security weakness into the environment. What approach should you use that will enable the Sales Team to reset their passwords while travelling and ensure that it is the most secure method?


Options are :

  • Configure Self-Service Password Reset with the following settings: The number of methods required to reset are set to two. The methods used to reset are Mobile App code and text. This is enabled for the All users.
  • Configure Self-Service Password Reset with the following settings: The number of methods required to reset are set to one. The methods used to reset are Mobile App code and Security Questions. This is enabled for "Sales group" only.
  • Configure Self-Service Password Reset with the following settings: The number of methods required to reset are set to three. The methods used to reset are Mobile App code, Email and text. This is enabled for the All users.
  • Configure Self-Service Password Reset with the following settings: The number of methods required to reset are set to two. The methods used to reset are Mobile App code and Security Questions. This is enabled for "Sales group" only. (Correct)

Answer : Configure Self-Service Password Reset with the following settings: The number of methods required to reset are set to two. The methods used to reset are Mobile App code and Security Questions. This is enabled for "Sales group" only.

In Active Directory you want to ensure users see relevant disclaimers for legal or compliance requirements. Where should you configure this information?


Options are :

  • Azure Active Directory > Identity Governance, then Create an 'Access review'
  • Azure Active Directory > Properties, then Create a 'Company legal policy'
  • Azure Active Directory > Properties, then Create and enable a 'Terms / disclaimer'
  • Azure Active Directory > Identity Governance, then Publish a 'Terms of use' (Correct)

Answer : Azure Active Directory > Identity Governance, then Publish a 'Terms of use'

Which script languages can you run to deploy ARM templates? Select all that apply. .NET, JavaScript, C++, Pascal, Ruby


Options are :

  • C++
  • Ruby (Correct)
  • Pascal
  • .NET (Correct)
  • JavaScript

Answer : Ruby, .NET

You are required to configure hybrid configuration between an on-premises environment and Azure Active Directory to leverage the benefits of the Microsoft Cloud. Which solution would meet the following criteria? Ensure no password hashes are stored in the cloud; enable my users to sign in and access cloud services using their on-premises password; ensure no new on-premises servers are created.


Options are :

  • Azure AD Connect with Connect Health
  • Password hash synchronization with single sign-on
  • Federated single sign-on with AD FS
  • Pass-through authentication and single sign-on (Correct)

Answer : Pass-through authentication and single sign-on


Which of the following cannot be configured as a valid IP address range in VNets? Choose one, many, or none of the following: 224.0.0.0/4, 10.2.0.0/16, 127.0.0.0/8, 169.254.0.0/16, 168.63.129.16/32


Options are :

  • 224.0.0.0/4 (Correct)
  • 10.2.0.0/16
  • 168.63.129.16/32 (Correct)
  • 127.0.0.0/8 (Correct)
  • 255.255.255.255/32 (Correct)
  • 169.254.0.0/16 (Correct)

Answer : 224.0.0.0/4, 168.63.129.16/32, 127.0.0.0/8, 255.255.255.255/32, 169.254.0.0/16

You have a Windows 2019 VM called ITVM01 which is stored in the North Europe region in a resource group called "potel01RG". It has an additional two data disks that are both 6TB in size. There is an existing Key Vault in the tenancy called "azspokeyv1" in the East US region. The VM does not have any ports or Network Security Gateways configured. When you try to encrypt the VM disks it fails. What could be the reason for this failure?


Options are :

  • You need to open port 443 between the VM and the keyVault
  • Windows Server 2019 cannot be encrypted with KeyVault
  • The VM disks are over the 2TB limit for encryption
  • The VM and KeyVault are in a different region (Correct)

Answer : The VM and KeyVault are in a different region

Answer whether the following statement is true, or false. "You can connect Virtual Networks that are in two different subscriptions."


Options are :

  • FALSE
  • TRUE (Correct)

Answer : TRUE

In defining autoscaling rule sets what is the "cooldown" parameter?


Options are :

  • The amount of time to wait before the rule is applied again so that the autoscale actions have time to take effect. (Correct)
  • How often the metrics are collected for analysis.
  • The operator used to compare the metric data against the threshold.
  • The amount of time monitored before the metric and threshold values are compared.

Answer : The amount of time to wait before the rule is applied again so that the autoscale actions have time to take effect.


Select which statements are true in regard to VM disk encryption. Select all that are TRUE: Disk encryption can be applied to a custom Linux image; Azure created Key encryption is supported; Boot and Data volumes can be encrypted; On-premises Key Management Systems are supported; Restoring an encrypted VM to a different region is supported


Options are :

  • Disk encryption can be applied to a custom Linux image
  • Boot and Data volumes can be encrypted (Correct)
  • On-premises Key Management Systems are supported
  • Restoring an encrypted VM to a different region is supported
  • Azure created Key encryption is supported (Correct)

Answer : Boot and Data volumes can be encrypted, Azure created Key encryption is supported

Your DevOps Manager wants the team to deploy code to Azure. She asks you which of the following are viable platforms to do this. Choose all that apply. Github, CloudForge, Bitbucket, SourceForge, LaunchPad


Options are :

  • CloudForge
  • Github (Correct)
  • Bitbucket (Correct)
  • SourceForge
  • LaunchPad

Answer : Github, Bitbucket

You need to check on the encryption status of an IaaS VM called "VMApp01" in a resource group called "VMResourceGroup".  What Azure CLI statement will successfully achieve this?


Options are :

  • az vm encryption show --name "VMApp01" --resource-group "VMResourceGroup" (Correct)
  • az vm diskencrypt status --name "VMApp01" --resource-group "VMResourceGroup"
  • az vm diskencryption display --name "VMApp01" --resource-group "VMResourceGroup"
  • az vm encryption display --name "VMApp01" --resource-group "VMResourceGroup"

Answer : az vm encryption show --name "VMApp01" --resource-group "VMResourceGroup"

The Dev Ops Manager has tasked you with deploying a Linux VM. You decide to use an ARM template to achieve this. What value in the JSON template would you configure to lock down SSH access to the VM?


Options are :

  • keySafe
  • adminPublicKey (Correct)
  • sshLockdown
  • variables

Answer : adminPublicKey

Examine the following PowerShell statement. Choose the option that completes the statement to configure Diagnostic Logs to stream to the Event Hub. Set-AzDiagnosticSetting -ResourceId logsbapp01 -ServiceBusRuleId serbuazh740


Options are :

  • -Begin
  • -Start
  • -Enabled
  • -Enabled $true (Correct)

Answer : -Enabled $true

You need to create a Storage Account called "azsamp3we" in the West European region. This Storage Account will contain audio files of recorded customer service calls. The audio files are required for streaming to a browser application. You are required to add some Storage redundancy but the compliance officer needs this data to be stored inside the Western European region. Which is the best answer that will meet the requirements?


Options are :

  • Select Azure File Storage Then choose GRS (Geo-Redundant Storage)
  • Select Azure Blob Storage. Then choose LRS (Locally-Redundant Storage) (Correct)
  • Select Azure Blob Storage. Then choose ZRS (Zone-Redundant Storage)
  • Select Azure File Storage. Then choose RA-GRS (Read-Access Geo-Redundant Storage)

Answer : Select Azure Blob Storage. Then choose LRS (Locally-Redundant Storage)

You have created a Storage Account called "storlid265" in the East US region. You have configured it to use ZRS redundancy. Which statement best describes the outcome if the East US region suffers an outage? Choose the statement that best fits the outcome.


Options are :

  • The Storage Account will be available if the region suffers an outage, but you will be required to failover to secondary zone
  • The Storage Account will be unavailable if the region suffers an outage
  • The Storage Account will be available if the region suffers an outage (Correct)
  • The Storage Account will be available if the region suffers an outage, but you will be required to failover to secondary region

Answer : The Storage Account will be available if the region suffers an outage

Which of the following would be the best option for deploying a Standard SKU Public IP address?


Options are :

  • Standard Back-end Load-balancer
  • Basic Internet-facing Load-balancer
  • Standard Internet-facing Load-balancer (Correct)
  • Basic Back-end Load-balancer

Answer : Standard Internet-facing Load-balancer

You need to select a Storage Account type to store addresses of US sales leads. The data will be structured and will need a key attribute. Choose what Storage Account type best fits the solution.


Options are :

  • File Storage
  • Table Storage (Correct)
  • Blob Storage
  • Queue Storage

Answer : Table Storage


You are the Cloud Administrator of CycleShare.com, a large organisation with multiple sites across the world. You have created an Azure tenant and want to add your company's domain name "CycleShare.com" as your primary domain. Select the options that are required to add this custom domain.


Options are :

  • Log in to Azure as a Global Administrator. Go to custom domains. Type in "CycleShare.com". Copy the DNS csv file record. Add this as a CSV DNS record with your domain registrar. Click Verify within the custom domains section of Azure. Mark the "CycleShare.com" domain as primary.
  • Log in to Azure as a Global Administrator. Go to custom domains. Type in "CycleShare.com". Copy the DNS SRV file record. Add this as a SRV DNS record with your domain registrar. Click Verify within the custom domains section of Azure.
  • Log in to Azure as a Global Administrator. Go to custom domains. Type in "CycleShare.com". Click on sync with registrar. Click Verify within the custom domains section of Azure. Mark the "CycleShare.com" domain as primary.
  • Log in to Azure as a Global Administrator. Go to custom domains. Type in "CycleShare.com". Copy the DNS txt file record. Add this as a txt DNS record with your domain registrar. Click Verify within the custom domains section of Azure. Mark the "CycleShare.com" domain as primary. (Correct)

Answer : Log in to Azure as a Global Administrator. Go to custom domains. Type in "CycleShare.com". Copy the DNS txt file record. Add this as a txt DNS record with your domain registrar. Click Verify within the custom domains section of Azure. Mark the "CycleShare.com" domain as primary.

Which feature allows you to keep on-premises Active Directory passwords in sync with passwords in the cloud?


Options are :

  • Password Writeback (Correct)
  • Password Synchronisation feature
  • ADFS
  • Seamless SSO

Answer : Password Writeback

CycleShare.com is set up in a Hybrid cloud configuration to synchronize on-premises user accounts to Azure Active Directory. You are required to make a change to the filtering settings in Azure AD Connect. Before you amend the filtering settings you are required to disable the AD Connect synchronisation schedule. Choose the correct PowerShell syntax to do this.


Options are :

  • Disable-ADSyncScheduler -SyncCycleEnabled $false
  • Set-ADConnectSync -SyncCycleEnabled $stop
  • Set-ADSyncScheduler -SyncCycleEnabled $false (Correct)
  • Set-ADSyncScheduler -SyncCycleDisabled $true

Answer : Set-ADSyncScheduler -SyncCycleEnabled $false


What PowerShell command would you execute to deploy a Virtual Machine from the Azure Marketplace?


Options are :

  • New-AzVm
  • New-AzResourceDeployment
  • New-AzResourceGroupDeployment (Correct)
  • Create-AzResourceDeployment

Answer : New-AzResourceGroupDeployment

Which of the following are valid Azure Private IP addresses in the following two networks 10.20.0.0/16 and 10.100.26.0/24? Select all that apply. 10.20.0.2, 10.100.26.255, 10.20.0.50, 10.100.0.3, 10.100.26.242


Options are :

  • 10.100.0.3
  • 10.20.0.50 (Correct)
  • 10.20.0.2
  • 10.100.26.242 (Correct)
  • 10.100.0.255

Answer : 10.20.0.50, 10.100.26.242

Examine the following PowerShell syntax below, then Choose the option that best describes the outcome of running the PowerShell script: Set-AzStorageAccount -Name "blobssa1" -ResourceGroupName "Store2RG" -EnableHttpsTrafficOnly $True


Options are :

  • Enable "Only HTTP traffic" setting for the Storage Account named "blobssa1"
  • Enable "Secure transfer required" setting for the Storage Account named "blobssa1" (Correct)
  • Applies a client-side certificate for the Storage Account named "blobssa1"
  • Enable "encryption-at-rest" setting for the Storage Account named "blobssa1"

Answer : Enable "Secure transfer required" setting for the Storage Account named "blobssa1"

What do you need to configure in Azure MFA to set a time period to allow authentication attempts after a user is authenticated?


Options are :

  • Authentication timeouts
  • App Password
  • Authentication Methods
  • Caching Rule (Correct)

Answer : Caching Rule

What is the true constraint of a globally peered virtual network?


Options are :

  • Resources in one virtual network cannot communicate with the front-end IP address of a Basic internal load balancer
  • Resources in one virtual network cannot communicate with the back-end IP address of a Standard internal load balancer
  • Resources in one virtual network cannot communicate with the front-end IP address of a Standard internal load balancer (Correct)
  • Resources in one virtual network cannot communicate with the back-end IP address of a Basic internal load balancer

Answer : Resources in one virtual network cannot communicate with the front-end IP address of a Standard internal load balancer
