Microsoft AZ-720 Practice Test - Questions Answers, Page 12

To resolve the issue where the application on VM1 is unable to send email to recipients outside the company, you should modify the NSG1 rule with a priority of 100 to allow outbound traffic on TCP port 587. The correct answer is therefore:

1. Configure the source and destination ports for the NSG1 rule with a priority of 100 to 587.

The NSG1 rule with priority 100 currently allows all outbound traffic (source: any, destination: any, protocol: any). To restrict the outbound traffic to only TCP port 587, modify the rule to use the following configuration:

Name: Allow_Outbound_Email

Priority: 100

Source: Any

Destination: Any

Protocol: TCP

Source Port Range: *

Destination Port Range: 587

Action: Allow

Once you have updated the NSG1 rule, the application on VM1 should be able to send email to recipients outside the company.

Reference: https://docs.microsoft.com/en-us/azure/virtual-network/manage-network-securitygroup#managing-rules-in-an-nsg

To allow the on-premises environment to access the Azure SQL Database named SQL1 over a site-tosite (S2S) VPN in SubnetB, you should deploy a private endpoint for SQL1. A private endpoint is a network interface that connects you privately and securely to a service powered by Azure Private Link. Private Link allows you to access Azure PaaS services (for example, Azure Storage and SQL Database) and Azure-hosted customer/partner services over a private endpoint in your virtual network. So the correct answer is D. Deploy a private endpoint for SQL1.

You can find more information about private endpoints in the official Microsoft documentation.

Explanation: To use FQDN filtering in network rules, you must enable DNS Proxy on the firewall policy and configure the virtual machines to use the Azure Firewall as their DNS server1. This way, the firewall can resolve the FQDNs and apply the appropriate network rules based on the IP addresses returned by the DNS server2. Upgrading to the Azure Firewall Premium SKU, creating a DNAT rule, or configuring the firewall for a negative cache are not required for FQDN filtering in network rules.

1: Azure Firewall policy DNS settings 2: Azure Firewall FQDN filtering in network rules

In Azure Monitor you create a graph and select (Used SNAT ports) and (Allocated SNAT ports) as the metric type and Average as the aggregation.

The Used SNAT ports metric reports the number of outbound flows that are masqueraded to the public IP address frontend1. The Allocated SNAT ports metric reports the number of SNAT ports allocated to the load balancer1. These metrics can help you monitor the outbound port exhaustion issue and see if adding additional front-end IPs to the load balancer has resolved it. The other metrics are not relevant for this scenario.

1: Standard load balancer diagnostics with metrics, alerts, and resource health

Domain: Contoso.com

Rule: NetRC1

Explanation: The NetRC1 rule has a higher priority (lower number) than the NetRC2 rule, so it is processed first. The NetRC1 rule allows outbound connections to Contoso.com on ports 80 and 443,

so it overrides the NetRC2 rule that blocks them. To block the connections, you need to review the NetRC1 rule and either change its action to deny, change its priority to a lower value, or remove Contoso.com from its destination FQDNs.

Domain: Adatum.com Rule: NetRC1

Explanation: The NetRC1 rule also blocks outbound connections to Adatum.com on ports 80 and 443, regardless of the AppRC2 rule that allows them. This is because network rules are always processed before application rules1, and network rules do not support FQDN filtering based on the SNI header2. To allow the connections, you need to review the NetRC1 rule and either change its action to allow, change its priority to a lower value, or remove Adatum.com from its destination FQDNs.

1: Azure Firewall policy rule sets

2: Azure Firewall FQDN filtering in network rules

Permission: JIT Network Access Policies permission

Operation: Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action

Explanation: To request JIT access to a VM, the user needs the

Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action permission. This permission allows the user to initiate a JIT request on a specific VM1. The other permissions are not sufficient for

requesting JIT access.

Permission: Virtual machine permission Operation: Microsoft.Compute/virtualMachines/read Explanation: To request JIT access to a VM, the user also needs the

Microsoft.Compute/virtualMachines/read permission. This permission allows the user to view the details of the VM, such as its name, location, and status2. The other permissions are not necessary

for requesting JIT access.

1: Enable just-in-time access on VMs - Microsoft Defender for Cloud 2: Built-in roles for Azure

resources - Azure RBAC

Explanation: The Update-MSOLFederatedDomain cmdlet updates the settings in Azure AD for a federated domain. This cmdlet is useful when the AD FS certificate is updated, and the federation

metadata needs to be refreshed in Azure AD1. The other cmdlets are not relevant for this scenario:

Redo-MsolProvisionUser cmdlet retries the provisioning of a user object in Azure AD that previously failed or was canceled2.

Convert-MsolDomainToFederated cmdlet converts a standard domain to a federated domain3.

Set-MsolDomainFederationSettings cmdlet modifies the settings of an existing federated domain4.

Confirm-MsolDomain cmdlet confirms ownership of a domain after it has been added to Azure AD.

1: Update-MSOLFederatedDomain (MSOnline) 2: Redo-MsolProvisionUser (MSOnline) 3: ConvertMsolDomainToFederated (MSOnline) 4: Set-MsolDomainFederationSettings (MSOnline) : [ConfirmMsolDomain

(MSOnline)]

Requirement: Clients that resolve malicious domain names.

Query: DNS Security

Explanation: The DNS Security query shows the DNS clients that have attempted to resolve malicious domain names, such as those associated with malware, phishing, or crypto mining. The query also shows the number of malicious queries, the threat type, and the threat level for each client1.

Requirement: Clients that exceed threshold for lookup requests.

Query: DNS Clients

Explanation: The DNS Clients query shows the DNS clients that have sent queries to the DNS servers, along with the number of queries, the average response time, and the percentage of failed queries. The query can be filtered by a threshold value to show only the clients that exceed a certain number of queries2.

Requirement: Changes made to the DNS servers.

Query: Configuration Events

Explanation: The Configuration Events query shows the changes made to the DNS servers, such as adding or deleting zones, records, or forwarders. The query also shows the user who made the change, the time of the change, and the event ID3.