AZ-720Free trial

A company uses Azure Site Recovery (ASR) for a VMWare environment that includes the following virtual machines (VMs):

The company reports that they are unable to configure all of the servers for replication.
You need to evaluate the servers and server roles to determine which servers can be protected.
Which server can you protect by using ASR?

A company uses Azure Backup Server to back up SQL Server databases that are deployed in an availability group.

The company reports that a backup operation for a database fails. The following error message displays:

Unable to configure protection.

You need to ensure that the backup operation runs successfully.

What should you do?

A company uses Azure Site Recovery (ASR) to replicate and recover Azure virtual machines (VM) between Azure regions.
An administrator receives the following warning from ASR about a VM that uses P10 disks: Data change rate beyond supported limits
You add OS Disk Write Bytes/Sec and Data Disk Write Bytes/Sec to the list of metrics for monitoring. You discover that the VM consistently has a data churn of greater than 8 MB/s but less than 10 MB/s.
You need to resolve the issue.
What should you do?

A company has an on-premises application server that runs in System Center Virtual Machine Manager (SCVMM). The company configures Azure Site Recovery.
An administrator at the company reports that they receive an error message. The error message indicates that there are replication issues.
You need to troubleshoot the issue.
Which log should you review?

HOTSPOT -
A company uses Azure Backup Agent to back up specific files and folders from an on-premises virtual machine (VM).
An administrator reports that the backup job is transferring files slowly. You determine that the backup job is verifying changes in directories by scanning the entire volume.
You need to determine the state of the backup job.
In which state will the backups occur? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
A company migrates an on-premises Windows virtual machine (VM) to Azure. An administrator enables backups for the VM by using the Azure portal.
The company reports that the Azure VM backup job is failing.
You need to resolve the issue.
Solution: Install the VM guest agent by using administrative permissions.
Does the solution meet the goal?

HOTSPOT

A company uses an Azure Backup agent to back up specific files and folders from an Azure virtual machine (VM) and an on-premises VM.

An administrator reports that the backup job fails on both VMs. Errors are returned in Microsoft Azure Recovery Services (MARS).

You need to troubleshoot the backup issues.

Which troubleshooting solution should you use? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

HOTSPOT -

Case study -
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other questions in this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.

To start the case study -
To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. When you are ready to answer a question, click the Question button to return to the question.

Background -
Contoso, Ltd. is a financial services company based in Boston, MA, United States. Contoso hires you to manage their Azure environment and resolve several operational issues.

Current environment -

General -
Contoso's Azure environment contains the following resources. All resources are associated with the same subscription and are located in the East US region:

VPN users use Windows 10 computers with the built-in SSTP VPN client software.

Recent changes -
• You extend the IP address space of VNet1 and create subnets in the new IP address space.
• You allow users with computers that run the current version of MacOS to use the built-in VPN client for connecting to the point-to-site VPN.
• You enable a service endpoint on contosostorage1 to provide direct access to the storage content from all subnets in VNet1.
• You configure all business critical VM workloads to use encryption keys stored in all five key vaults.
• You enable a private endpoint on CosmosDB1 to provide direct access to its content from VNet1.
• The Contoso's data engineering team was recently tasked with using contosostorage1 blob storage to store database backups.
• You develop an automated process to deploy Azure VMs by using Azure Bicep. The passwords for the local administrator accounts are stored in the key vaults. You grant the team that initiates the deployment the Reader RBAC role to all key vaults.
• You deploy a multi-tier SharePoint Server environment into a subnet in VNet2. You implement network security groups (NSGs) to allow only specific ports between tiers in the subnet. You configure NSGs to use application security groups (ASGs) when designating the source and destination of cross-tier traffic.
• You deploy a secondary multi-tier SharePoint Server environment into a subnet in VNet3.
You create the following resources:

Issues -

DNS issues -

Reverse DNS lookup -
• Reverse DNS lookups from VNet1 return two records. One DNS record is in the format [vmname].contoso.com and the other DNS record is in the format [vmname].internal.cloudapp.net.
• Reverse DNS lookups from VNet2 and VNet3 return DNS names in the format [vmname].internal.cloudapp.net.
• VMs on each virtual network can only resolve reverse DNS lookup names of VMs on the same virtual network.

Public DNS lookup -
You are notified that name resolution requests for www.contoso.com are using the DNS zone hosted by the DNS registrar where the zone was originally created.

Connectivity and routing issues -

Windows VPN -
Windows VPN clients cannot connect to Azure VMs on the subnets recently added to VNet1.

Sales department VPN -
The sales department users cannot connect by using the MacOS VPN client.

Azure Storage connectivity -
• Server Message Block (SMB)-mounts from VMs on VNet2 and VNet3 to file shares in contosostorage1 are failing.
• Azure Storage Explorer connections using access keys from on-premises computers to contosostorage1 are failing.

Cosmos DB connectivity -
You observe that connections to CosmosDB1 from the on-premises environment are using the CosmosDB1 public endpoint. However, connections to CosmosDB1 from the on-premises environment should be using the private endpoint. You verify that connections to CosmosDB1 from VNet1 are using the private endpoint.

VM1 routing -
Internet traffic from VM1 is routed directly to the Internet.

VM2 routing -
After configuring RT12 to route internet traffic from VM1 through VM2, traffic reaches VM2 but then it is dropped. You verify that routing for VM2 is configured correctly.

Azure and SharePoint issues -

Azure Key Vault -
Access attempts to Azure Key Vault by VM workloads intermittently fail with the HTTP response code 429.

SharePoint in VNet2 -
SharePoint traffic between tiers is blocked by NSGs which is causing application failures.

SharePoint in VNet3 -
ASGs used in the NSG rules associated with the VNet2 subnet are not visible when configuring NSG rules in VNet3.

Permission issues -

Data engineering team -
The Contoso data engineering team is unable to view the contosostorage1 account in the Azure portal.

Azure VM deployment -
Azure VM deployments that use Azure Bicep are failing with an authorization error. The error indicates there are insufficient access permissions to retrieve the password of the local administrator account in the key vault.

Requirements -

DNS requirements -

Reverse DNS lookup -
You must identify the reason for the differences between reverse DNS lookup results in the hub and the spoke networks and recommend a solution that provides the reverse DNS lookup in the format [vmname].contoso.com for all three virtual networks.

Public DNS lookup -
You must verify that the Azure public DNS zone is currently used to resolve DNS name requests for www.contoso.com and recommend a solution that uses the Azure public DNS zone.
Connectivity and routing requirements

Windows VPN -
You must verify if VPN client connectivity issues are related to routing and recommend a solution.

MacOS VPN -
You must verify if Remote ID and Local ID VPN client settings on the MacOS devices are properly configured.

Azure Storage connectivity -
You must resolve the issues with the SMB-mounts from VNet2 and VNet3 as well as ensure that on-premises connections to contosostorage1 are successful. Your solution must ensure that, whenever possible, network traffic does not traverse public internet.

Cosmos DB connectivity -
You must verify if on-premises connections to CosmosDB1 are using the CosmosDB1 public endpoint. You need to recommend a solution if connections are not using private endpoints.

VM1 routing -
RT12 must be configured to route internet traffic from VM1 through VM2.

VM2 routing -
VM2 must be configured to route internet traffic from VM1.
Azure and SharePoint requirements

Azure Key Vault -
You must identify the reason for the failures and recommend a solution.

SharePoint in VNet2 -
You need to identify the NSG rules that are blocking traffic. You also need to collect the data that is blocked by the NSG rules. The solution must minimize administrative effort.

SharePoint in VNet3 -
You need to create NSG rules for VNet3 with the same name, source and destination settings that are configured for the NSG associated with VNet2. The solution must minimize administrative effort.

Permission requirements -

Azure Bicep -
You must identify the minimum privileges required to provision Azure VMs using Azure Bicep.

Data engineering team -
You must identify the role-based access control (RBAC) roles required by the data engineering team to access the storage account by using Azure portal. They also require permission to backup and restore blobs in contosostorage1.

You need to troubleshoot the sales department issues.
How should you configure the system? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

HOTSPOT -
A company deploys an Azure Firewall. The company reports the following log entry:

For each of the following questions, select Yes or No.
NOTE: Each correct selection is worth one point.

A company hosts a network virtual appliance (NVA) and Azure Route Server in different virtual networks (VNets). Border Gateway Protocol (BGP) peering is enabled between the NVA and the route server.
The company discovers that the NVA loses internet connectivity after it advertises the default route to the route server.
You need to resolve the problem with the NVA.
What should you do?

HOTSPOT -
A company implements Windows and Linux VMs in an Azure Virtual Network. The company plans to apply routing changes to the virtual network.
You need to determine the impact of these changes on network latency affecting applications that use TCP and UDP traffic. The solution must provide the highest level of accuracy.
Which tools should you use? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

HOTSPOT -
A company creates an Azure resource group named RG1. RG1 has an Azure SQL Database logical server named sqlsvr1 that hosts the following resources:

An administrator grants a user named User1 the Reader RBAC role in RG1. The administrator grants User2 the Contributor role in sqlsvr1.
User1 reports that they can connect to SQLDB1 from the IP address 155.127.95.212. User1 cannot connect to SQLDB2. User2 can connect to both SQLDB1 and SQLDB2 from the IP address 121.19.27.18. Both users can successfully connect to SQLDB1 and SQLDB2 from VM1.
You are helping the administrator troubleshoot the issue. You run the following PowerShell command:
Get-AzSqlServerFirewallRule -ResourceGroupName 'RG1' -ServerName 'sqlsvr1'
The following output displays:

ResourceGroupName: RG1 -

ServerName: sqlsvr1 -

StartIpAddress: 0.0.0.0 -

EndIpAddress: 0.0.0.0 -

FirewallRuleName: Rule01 -

ResourceGroupName: RG1 -

ServerName: sqlsvr1 -

StartIpAddress: 72.225.0.0 -

EndIpAddress: 72.225.255.255 -

FirewallRuleName: Rule02 -
You need to identify the cause for the reported issue and resolve User1’s issues. The solution must satisfy the principle of least privilege.
What should you do? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point. A company manages a solution that uses Azure Functions.

A company manages a solution that uses Azure Functions.
A function returns the following error. Azure Functions Runtime is unreachable.
You need to troubleshoot the issue.
What are two possible causes of the issue? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.

HOTSPOT -
A company named Contoso connects its on-premises resources to Azure by using ExpressRoute.
An administrator reports that the circuit is in a failed state.
You need to resolve the issue.
How should you complete the PowerShell commands? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

A company uses an Azure VPN gateway to connect to their on-premises environment.
The company's on-premises VPN gateway is used by several services. One service is experiencing connectivity issues.
You need to minimize downtime for all services and resolve the connectivity issue.
Which three actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

A company has two virtual networks (VNets) that are configured to use peering. Several Azure virtual machines are connected to each network. An on-premises network is connected to one of the VNets by using Azure VPN Gateway.
An administrator reports that communication between applications across the VNets is failing.
You need to troubleshoot the issue.
Which two features can you use to achieve the goal? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.