Microsoft AZ-720 Practice Test - Questions Answers, Page 5

A company plans to use an Azure PaaS service by using Azure Private Link service. The Azure Private Link service and an endpoint have been configured. The company reports that the endpoint is unable to connect to the service.

You need to resolve the connectivity issue.

What should you do?

A. Disable the endpoint network policies.
B. Validate the VPN device.
C. Approve the connection state.
D. Disable the service network policies.

Suggested answer: C

Explanation:

To resolve the connectivity issue, you should approve the connection state. According to 1, Azure Private Link service requires manual approval of connection requests from private endpoints by default. You can approve or reject a connection request by using PowerShell cmdlets or Azure portal.

A company deploys the Azure Application Gateway Web Application Firewall (WAF) to protect their web applications. Users in a remote office location report the following issues:

Unable to access part of a web application.

Part of the web application is failing to load.

Parts of the web application have activities that are not performing as expected.

You need to troubleshoot the issue.

Which diagnostic log should you review?

A. Performance
B. Firewall
C. Access
D. Azure Activity

Suggested answer: B

Explanation:

To troubleshoot the issue, you should review the Firewall diagnostic log. According to 2, Azure Application Gateway Web Application Firewall (WAF) logs requests that are logged through either detection or prevention mode of an application gateway that is configured with WAF. You can use this log to view and analyze blocked requests and identify false positives or false negatives.

A company has an Azure tenant. The company deploys an Azure Firewall named FW1 using the Standard SKU. You configure FW1 using classic firewall rules. The company creates an application rule collection with the following settings:

Priority: 100

Action: Deny

Rule type: FQDN

Source type: IP address

Source: *

Protocol: http:80,https:443

Target FQDN: *.cloud.contoso.com

An engineer observes that traffic to console.cloud.contoso.com is still allowed by FW1.

You need to determine why the traffic is allowed.

What should you review?

A. Network rules
B. Web categories
C. Infrastructure rules
D. Application rules

Suggested answer: A

Explanation:

To determine why the traffic is allowed, you should review network rules. According to 3, Azure Firewall uses network rules to allow or deny traffic based on source and destination IP address, port, and protocol. Network rules are applied before application rules and have higher priority than application rules. Therefore, if there is a network rule that allows traffic to console.cloud.contoso.com on port 80 or 443, it will override the application rule that denies traffic based on FQDN.

A company configures an Azure site-to-site VPN between an on-premises network and an Azure virtual network. The company reports that after completing the configuration, the VPN connection cannot be established. You need to troubleshoot the connection issue.

What should you do first?

A. Identify the shared key by running this PowerShell cmdlet: Get-AzVirtualNetworkGatewayConnectionSharedKey.
B. Identify the shared key by running this PowerShell cmdlet: Get-AzVirtualNetworkGatewayConnectionVpnDeviceConfigScript.
C. Verify the AzureRoot.cer file exists.
D. Verify the AzureClient.pfx file exists.

Suggested answer: A

Explanation:

To troubleshoot the connection issue, you should first identify the shared key by running this PowerShell cmdlet: Get-AzVirtualNetworkGatewayConnectionSharedKey. According to 1, this cmdlet returns the shared key that is used for authentication between an Azure virtual network gateway and a local network gateway. You can use this cmdlet to verify that the shared key matches on both sides of the VPN connection. Therefore, you should choose A: identify the shared key by running the PowerShell cmdlet Get-AzVirtualNetworkGatewayConnectionSharedKey.

A company has an Azure Virtual Network gateway named VNetGW1. The company enables point-to-site connectivity on VNetGW1. An administrator configures VNetGW1 for the following:

OpenVPN for the tunnel type.

Azure certificate for the authentication type.

Users receive a certificate mismatch error when connecting by using a VPN client.

You need to resolve the certificate mismatch error.

What should you do?

A. Reissue the client certificate with client authentication enabled.
B. Create a profile manually, add the server FQDN and reissue the client certificate.
C. Reissue the client certificate with server authentication enabled.
D. Install an IKEv2 VPN client on the user's computers.

Suggested answer: A

Explanation:

To resolve the certificate mismatch error, you should reissue the client certificate with client authentication enabled. According to 2, when you use Azure certificate for authentication type on point-to-site VPN connections, you need to ensure that your client certificates have client authentication as one of their enhanced key usage attributes. Otherwise, you will receive a certificate mismatch error when connecting by using a VPN client.

A company has an Azure Virtual Network gateway named VNetGW1. The company enables point-to-site connectivity on VNetGW1. An administrator configures VNetGW1 for the following:

OpenVPN for the tunnel type.

Azure certificate for the authentication type.

Users receive a certificate mismatch error when connecting by using a VPN client.

You need to resolve the certificate mismatch error.

What should you do?

A. Configure the tunnel type for IKEv2 and OpenVPN on VNetGW1.
B. Create a profile manually, add the server FQDN and reissue the client certificate.
C. Install a Secure Socket Tunneling Protocol (SSTP) VPN client on the user's computers.
D. Configure preshared key for authentication on the VPN profile.

Suggested answer: B

Explanation:

To resolve the certificate mismatch error, you should create a profile manually, add the server FQDN and reissue the client certificate. According to 1, when you use OpenVPN for tunnel type on point-to-site VPN connections, you need to ensure that your client certificates have the correct server FQDN as one of their subject alternative names (SANs). Otherwise, you will receive a certificate mismatch error when connecting by using a VPN client.

A company has an Azure Virtual Network gateway named VNetGW1. The company enables point-to-site connectivity on VNetGW1. An administrator configures VNetGW1 for the following:

OpenVPN for the tunnel type.

Azure certificate for the authentication type.

Users receive a certificate mismatch error when connecting by using a VPN client.

You need to resolve the certificate mismatch error.

What should you do?

A. Install an IKEv2 VPN client on the user's computers.
B. Reissue the client certificate with client authentication enabled.
C. Create a profile manually, add the server FQDN and reissue the client certificate.
D. Configure the tunnel type for IKEv2 and OpenVPN on VNetGW1.

Suggested answer: B

Explanation:

To resolve the certificate mismatch error, you should reissue the client certificate with client authentication enabled. According to 1, when you use Azure certificate for authentication type on point-to-site VPN connections, you need to ensure that your client certificates have client authentication as one of their enhanced key usage attributes. Otherwise, you will receive a certificate mismatch error when connecting by using a VPN client.

A company has an Azure Virtual Network gateway named VNetGW1. The company enables point-to-site connectivity on VNetGW1. An administrator configures VNetGW1 for the following:

OpenVPN for the tunnel type.

Azure certificate for the authentication type.

Users receive a certificate mismatch error when connecting by using a VPN client.

You need to resolve the certificate mismatch error.

What should you do?

A. Reissue the client certificate with client authentication enabled.
B. Configure preshared key for authentication on the VPN profile.
C. Install an IKEv2 VPN client on the user's computers.
D. Reissue the client certificate with server authentication enabled.

Suggested answer: A

Explanation:

According to 1, when using certificate authentication for P2S VPN, you need to generate a root certificate and then install a client certificate on each device that connects to the VPN gateway. The client certificate must have client authentication as one of its purposes.

If you use a self-signed certificate, you can use PowerShell commands to create a root certificate and a client certificate with the correct settings. For more information, see 1.

A company hosts a network virtual appliance (NVA) and Azure Route Server in different virtual networks (VNets). Border Gateway Protocol (BGP) peering is enabled between the NVA and the route server. The NVA loses internet connectivity after it advertises the default route to the route server.

You need to resolve the problem with the NVA.

What should you do?

A. Configure a user-defined route on the NVA subnet.
B. Move the route server to the same VNet as the NVA.
C. Configure a unique autonomous system number (ASN) on the NVA.
D. Configure a public IP address on the route server.

Suggested answer: C

Explanation:

According to 2, when using Azure Route Server with network virtual appliances (NVAs), you need to ensure that each NVA has a unique ASN that is different from the route server’s ASN and any other BGP peer’s ASN. Otherwise, there will be routing issues due to BGP loop prevention mechanisms.

You can configure the ASN on the NVA by using its own configuration tools or commands. For more information, see 2.

A company has an ExpressRoute gateway between their on-premises site and Azure. The ExpressRoute gateway is on a virtual network named VNet1. The company enables FastPath on the gateway. You associate a network security group (NSG) with all of the subnets.

Users report issues connecting to VM1 from the on-premises environment. VM1 is on a virtual network named VNet2. Virtual network peering is enabled between VNet1 and VNet2. You create a flow log named FlowLog1 and enable it on the NSG associated with the gateway subnet.

You discover that FlowLog1 is not reporting outbound flow traffic.

You need to resolve the issue with FlowLog1.

What should you do?

A. Configure FlowLog1 for version 2.
B. Create the storage account for FlowLog1 as a premium block blob.
C. Configure the FlowTimeoutInMinutes property on VNet2 to a non-null value.
D. Enable FlowLog1 in a network security group associated with the network interface of VM1.

Suggested answer: A

Explanation:

According to 1, flow logging using ExpressRoute Traffic Collector requires version 2 of flow logs.

Version 1 of flow logs does not support ExpressRoute Traffic Collector. You can configure the version of flow logs when you enable them on a network security group (NSG).

Total 119 questions