Microsoft Microsoft Certified: Azure Support Engineer for Connectivity Specialty AZ-720 Questions & Answers

• Question 41:

  A company has an ExpressRoute gateway between their on-premises site and Azure. The ExpressRoute gateway is on a virtual network named VNet1. The company enables FastPath on the gateway. You associate a network security group

  (NSG) with all of the subnets.

  Users report issues connecting to VM1 from the on-premises environment. VM1 is on a virtual network named VNet2. Virtual network peering is enabled between VNet1 and VNet2.

  You create a flow log named FlowLog1 and enable it on the NSG associated with the gateway subnet.

  You discover that FlowLog1 is not reporting outbound flow traffic.

  You need to resolve the issue with FlowLog1.

  What should you do?

  A. Create the storage account for FlowLog1 as a premium block blob.

  B. Create the storage account for FlowLog1 as a premium page blob.

  C. Enable FlowLog1 in a network security group associated with the subnet of VM1.

  D. Configure the FlowTimeoutInMinutes property on VNet1 to a non-null value.

  Correct Answer: C

  when FastPath is enabled on an ExpressRoute gateway, network traffic between your on-premises network and your virtual network bypasses the gateway and goes directly to virtual machines in the virtual network. Therefore, if you want to capture outbound flow traffic from VM1, you need to enable flow logging on an NSG associated with the subnet of VM1.

• Question 42:

  A company has an Azure Active Directory (Azure AD) tenant. The company deploys Azure AD Connect to synchronize objects from their Active Directory Domain Services (AD DS) domain.

  You observe that AD DS objects are not synchronizing to Azure AD.

  You need to verify that the staging mode is enabled.

  What should you do?

  A. Review the history for the Azure AD Connect sync scheduled task.

  B. Run this PowerShell cmdlet: Get-ADSyncScheduler

  C. Review the triggers for the Azure AD Connect sync scheduled task.

  D. Run this PowerShell cmdlet: Get-ADSyncConnetorRunStatus

  Correct Answer: B

  Azure AD Connect has a staging mode feature that allows you to install multiple sync servers for high availability or disaster recovery purposes. When staging mode is enabled on a sync server, it doesn't export any changes to Azure AD or

  your on- premises AD DS environment.

  To verify that staging mode is enabled on a sync server, you can run the Get- ADSyncScheduler PowerShell cmdlet and check the value of StagingModeEnabled property. If it is True, then staging mode is enabled and no synchronization will

  occur.

• Question 43:

  A company has two virtual networks (VNets) that are configured to use peering. Several Azure virtual machines are connected to each network. An on-premises network is connected to one of the VNets by using Azure VPN Gateway.

  An administrator reports that communication between applications across the VNets is failing.

  You need to troubleshoot the issue.

  Which two features can you use to achieve the goal?

  A. IP flow verify

  B. AzureNetworkWatchExtension

  C. Next hop

  D. Network Watcher topology

  E. NSG flow logs

  Correct Answer: AC

  According to Microsoft, you can use Network Watcher IP Flow Verify and NSG Flow Logging to determine whether there is a Network Security Group (NSG) or User- Defined Route (UDR) that is interfering with traffic flow1.

• Question 44:

  A company enables just-in-time (JIT) virtual machine (VM) access in Azure.

  An administrator observes a list of VMs on the Unsupported tab of the JIT VM access page in the Microsoft Defender for Cloud portal.

  You need to determine why some VMs are not supported for JIT VM access.

  What should you conclude?

  A. The administrator is using the Microsoft Defender for Cloud free tier.

  B. The VMs were provisioned by using a classic deployment.

  C. The VMs were recently provisioned by using an Azure Resource Manager deployment.

  D. The administrator does not have the SecurityReader role.

  Correct Answer: B

  The Unsupported tab on the Just-in-Time VM access page in the Microsoft Defender for Cloud portal indicates that the VMs were provisioned by using a classic deployment Classic deployments were used in Azure before the deployment model was updated to Azure Resource Manager, which is now the preferred model for deploying and managing resources in Azure.

• Question 45:

  A company uses Azure AD Connect. The company plans to implement self-service password reset (SSPR).

  An administrator receives an error that password writeback cloud not be enabled during the Azure AD Connect configuration. The administrator observes the following event log error:

  Error getting auth token

  You need to resolve the issue.

  Solution: Restart the Azure AD Connect service.

  Does the solution meet the goal?

  A. Yes

  B. No

  Correct Answer: A

• Question 46:

  A company has an ExpressRoute gateway between their on-premises site and Azure. The ExpressRoute gateway is on a virtual network named VNet1. The company enables FastPath on the gateway. You associate a network security group

  (NSG) with all of the subnets.

  Users report issues connecting to VM1 from the on-premises environment. VM1 is on a virtual network named VNet2. Virtual network peering is enabled between VNet1 and VNet2.

  You create a flow log named FlowLog1 and enable it on the NSG associated with the gateway subnet.

  You discover that FlowLog1 is not reporting outbound flow traffic.

  You need to resolve the issue with FlowLog1.

  What should you do?

  A. Configure FlowLog1 for version 2.

  B. Create the storage account for FlowLog1 as a premium block blob.

  C. Configure the FlowTimeoutInMinutes property on VNet2 to a non-null value.

  D. Enable FlowLog1 in a network security group associated with the network interface of VM1.

  Correct Answer: A

  According to 1, flow logging using ExpressRoute Traffic Collector requires version 2 of flow logs. Version 1 of flow logs does not support ExpressRoute Traffic Collector. You can configure the version of flow logs when you enable them on a network security group (NSG).

• Question 47:

  A company has an Azure Virtual Network gateway named VNetGW1. The company enables point-to-site connectivity on VNetGW1. An administrator configures VNetGW1 for the following:

  1.

  OpenVPN for the tunnel type.

  2.

  Azure certificate for the authentication type.

  Users receive a certificate mismatch error when connecting by using a VPN client.

  You need to resolve the certificate mismatch error.

  What should you do?

  A. Reissue the client certificate with client authentication enabled.

  B. Create a profile manually, add the server FQDN and reissue the client certificate.

  C. Reissue the client certificate with server authentication enabled.

  D. Install an IKEv2 VPN client on the user's computers.

  Correct Answer: A

• Question 48:

  A company has on-premises application server that runs in System Center Virtual Machine Manager (SCVMM). The company configures Azure Site Recovery.

  An administrator at the company reports that they receive an error message. The error message indicates that there are replication issues.

  You need to troubleshoot the issue.

  Which log should you review?

  A. Network Security Group flow log

  B. Azure Monitor log

  C. Network Watcher diagnostic log

  D. SCVMM debug log

  Correct Answer: A

  Flow logs are a very good way of checking what happens at L4 level. https://learn.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-overview#why-use-flow-logs

• Question 49:

  A customer has an Azure Virtual Network named VNet1 that contains an internal standard SKU load balancer named LB1. The backend pool for LB1 includes the following virtual machines: VM1, VM2.

  The customer configures a rule named Rul1 to load balance incoming HTTPS requests for VM1 and VM2. Rule1 is associated with an HTTPS health probe. The path for the probe is set to /. The network adapters of VM1 and VM2 are associated with a network security named NSG1 that contains the following rules:

  

  You connect to https://VM1 and https://VM2 from VNet1. Attempts to connect using the front-end IP address of LB1 are failing.

  You need to resolve the issue.

  What should you do?

  A. Change the health probe associated with Rule1 to use HTTP.

  B. Add an NSG1 rule with the source set to VirtualNetwork.

  C. Change the health probe associated with Rule1 to use TCP.

  D. Add an NSG1 rule with the source set to AzureLoadBalancer.

  Correct Answer: B

• Question 50:

  A company connects their on-premises network by using Azure VPN Gateway. The on- premises environment includes three VPN devices that separately tunnel to the gateway by using Border Gateway Protocol (BGP).

  A new subnet should be unreachable from the on-premises network.

  You need to implement a solution.

  Solution: Disable peering on the virtual network.

  Does the solution meet the goal?

  A. Yes

  B. No

  Correct Answer: A