AZ-104 exam question analysis: Implement and manage virtual networking
Q1.You need to configure an Azure web app named contoso.azurewebsites.net to host www.contoso.com.
What should you do first?
○ Create a TXT record named asuid that contains the domain verification ID.
○ Create a TXT record named www.contoso.com that has a value of contoso.azurewebsites.net.
○ Create a CNAME record named asuid that contains the domain verification ID.
○ Create A records named www.contoso.com and asuid.contoso.com.
To add www.contoso.com to the Azure App Service (contoso.azurewebsites.net) as a custom domain, the first step must be to verify domain ownership.
To associate a custom domain (such as www.contoso.com) with an Azure App Service (such as contoso.azurewebsites.net), Azure needs to verify that you own or control that custom domain.
The standard, recommended first step of this verification process is to create a specific TXT record containing the unique domain verification ID that Azure provides (asuid stands for Azure Service Unique ID or Azure Site Unique ID).
DNS Record types
- A Record: maps domain name to IPv4 address
- AAAA Record: maps domain name to IPv6 address
- CNAME: Canonical Name. Defines an alias for a domain name, pointing it to another domain. For example, www.contoso.com might point to contoso.azurewebsites.net
- NS: Name Server. Lists the authoritative name servers for a domain
- TXT: Text record. Stores text-based information; often used for domain verification and email security
Only after verification passes is the next step to create the corresponding DNS pointer; that is when the CNAME record is created.
A CNAME record maps one domain name to another domain name (for example, mapping www.contoso.com to contoso.azurewebsites.net).
========================================================================
Q2.You have a Microsoft Entra tenant that has the contoso.onmicrosoft.com domain name.
You have a domain name of contoso.com registered at a third-party registrar.
You need to ensure that you can create Microsoft Entra users that have names containing a suffix of @contoso.com.
Which three actions should you perform in sequence?
ACTIONS
- Verify the domain.
- Add a record to the public contoso.com DNS zone.
- Create an Azure DNS zone.
- Configure company branding.
- Add a Microsoft Entra tenant.
- Add a custom domain name.
OPTIONS:
○ 2-3-6
○ 6-2-1
○ 3-2-6
○ 6-1-2
6. Add a custom domain name.
First, contoso.com must be added as a custom domain in the Microsoft Entra tenant.
2. Add a record to the public contoso.com DNS zone.
Adding a record to the public contoso.com DNS zone is correct. To prove that you own the domain, Microsoft Entra ID provides a TXT or MX record that must be added to the public DNS zone hosting the domain.
1. Verify the domain.
After the DNS record has been added, the verification process is completed in Microsoft Entra ID. Once verification succeeds, the domain can be used to create user accounts with UPNs such as user@contoso.com.
Add your custom domain name to your tenant
Create DNS records in a custom domain for a web app
Other options
3. Create an Azure DNS zone. => Not required
Creating an Azure DNS zone is wrong, because it is only needed when DNS is hosted in Azure; verifying an externally registered domain does not require it. It is only needed if you plan to move DNS to Azure DNS (and you would also have to delegate the NS records at the registrar); the scenario states that DNS is at a third-party registrar, so it is unnecessary.
4. Configure company branding. => Not required
Configuring company branding is wrong, because it is not a prerequisite for setting up user accounts with a custom domain.
5. Add a Microsoft Entra tenant. => Not required
It does not appear in any of the answer options; the question states at the outset that an Entra tenant already exists.
========================================================================
Q3.You have an Azure subscription that contains the resources in the following table.
In Azure, you create a private DNS zone named adatum.com, add virtual network link to VNet2, and enable auto registration.
The adatum.com zone is configured as shown in the following exhibit.
For the following statement, select Yes if the statement is true. Otherwise, select No.
“The A record for VM5 will be registered automatically in the adatum.com zone.”
○ Yes
○ No
The question states that the private DNS zone (adatum.com) is linked only to VNet2, with auto-registration enabled on that link.
But VM5 is connected to VNet1, not VNet2, so VM5's A record will not appear automatically in adatum.com.
Which VNet is linked? Which VNet is the VM in? The two must be the same for an A record to be generated automatically.
Auto-registration applies only to the linked VNet.
========================================================================
Q4&Q5. You have an Azure subscription.
You plan to use an Azure Resource Manager template to deploy a virtual network named VNET1 that will use Azure Bastion.
You must complete the following template.
Q4.What should you choose for Placeholder 1?
○ AzureBastionSubnet
○ AzureFirewallSubnet
○ LAN01
○ RemoteAccessSubnet
https://learn.microsoft.com/en-us/azure/bastion/bastion-faq#why-do-i-get-a-failed-to-add-subnet-error-when-using-deploy-bastion-in-the-portal
Why do I get a "Failed to add subnet" error when using "Deploy Bastion" in the portal?
At this time, for most address spaces, you must add a subnet named AzureBastionSubnet to your virtual network before you select Deploy Bastion.
Q5.What should you choose for Placeholder 2?
○ 10.10.10.0/26
○ 10.10.10.0/28
○ 10.10.10.0/30
Analysis
172.16.10.0/25
1010 1100.0001 0000.0000 1010.0 (the 25-bit network prefix)
In an ordinary network calculation there are 128 IP addresses (2^(32−25) = 128); subtracting the 2 end addresses leaves 126.
1010 1100.0001 0000.0000 1010.0 0000000
1010 1100.0001 0000.0000 1010.0 1111111
172.16.10.0 => Network address
172.16.10.1~172.16.10.126
172.16.10.127 => Network broadcast address
In Azure, of the same 128 IP addresses (2^(32−25) = 128),
5 IP addresses must be subtracted; only the remainder is the usable quota.
The first four and the last one are removed:
172.16.10.0 => Network address
172.16.10.1 => Reserved by Azure for the default gateway
172.16.10.2 => Reserved by Azure to map the Azure DNS IP addresses
172.16.10.3 => Reserved by Azure to map the Azure DNS IP addresses
172.16.10.4~172.16.10.126 (Available) => 123 addresses
172.16.10.127 => Network broadcast address
Ref:
https://learn.microsoft.com/en-us/azure/bastion/bastion-faq#subnet
Can I have an Azure Bastion subnet of size /27 or smaller (/28, /29, etc.)?
For Azure Bastion resources deployed on or after November 2, 2021,
the minimum AzureBastionSubnet size is /26 or larger (/25, /24, etc.).
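The reserved-address layout and the Bastion minimum above can be checked mechanically. The following Python script is an added example (not part of the original article) that uses only the standard library `ipaddress` module; the five reserved positions (network, gateway, two Azure DNS mappings, broadcast) and the /26 Bastion minimum are taken from the text above, and the function names are my own.

```python
import ipaddress

# Azure reserves five addresses in every IPv4 subnet: the network address,
# the default gateway (.1), two addresses mapped to Azure DNS (.2 and .3)
# and the last address (broadcast). Everything in between is assignable.
AZURE_RESERVED = 5
# AzureBastionSubnet must be /26 or larger (/25, /24, ...), i.e. prefixlen <= 26.
BASTION_MIN_PREFIXLEN = 26


def azure_subnet_layout(cidr):
    """Describe an Azure IPv4 subnet: reserved addresses and the usable range."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4:
        raise ValueError(f"{cidr}: this helper handles IPv4 subnets only")
    if net.prefixlen > 29:
        # /29 (8 addresses, 3 usable) is the smallest subnet Azure accepts
        raise ValueError(f"{cidr}: Azure subnets must be /29 or larger")
    # Index into the network instead of materialising it; /16 and larger
    # blocks would otherwise allocate tens of thousands of objects.
    return {
        "total": net.num_addresses,
        "network": str(net[0]),
        "gateway": str(net[1]),        # reserved for the default gateway
        "dns": [str(net[2]), str(net[3])],  # reserved for Azure DNS mapping
        "broadcast": str(net[-1]),
        "first_usable": str(net[4]),
        "last_usable": str(net[-2]),
        "usable": net.num_addresses - AZURE_RESERVED,
    }


def bastion_subnet_ok(cidr):
    """True when the prefix is /26 or larger, the AzureBastionSubnet minimum."""
    return ipaddress.ip_network(cidr, strict=True).prefixlen <= BASTION_MIN_PREFIXLEN


if __name__ == "__main__":
    layout = azure_subnet_layout("172.16.10.0/25")
    print(f"172.16.10.0/25: {layout['total']} addresses, {layout['usable']} usable "
          f"({layout['first_usable']} - {layout['last_usable']})")
    # The three Placeholder 2 candidates from Q5 (constructed check list)
    for candidate in ("10.10.10.0/26", "10.10.10.0/28", "10.10.10.0/30"):
        print(f"{candidate}: Bastion subnet OK = {bastion_subnet_ok(candidate)}")
```

Running the script prints the same 123 usable addresses (172.16.10.4 to 172.16.10.126) derived by hand above, and flags only 10.10.10.0/26 as an acceptable AzureBastionSubnet.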
========================================================================
Q6.You have several Azure virtual machines on a virtual network named VNet1.
You configure an Azure Storage account as shown below.
Based on the information presented in the graphic, select the answer choice that completes the following statement.
"The virtual machines on the 10.2.9.0/24 subnet will have network connectivity to the file shares in the storage account ________________________________."
○ always
○ Never
○ during a backup
Analysis
The storage account's public network access is restricted to the VNet1 subnet range 10.2.0.0/24; in other words, only addresses from 10.2.0.0 to 10.2.0.255 are allowed.
Because the storage account's network access control is configured at the subnet level,
and the subnet these VMs reside in has not been explicitly allowed, under the current configuration they can never establish network connectivity to the file shares in the storage account.
As for the "during a backup" option, backup operations are subject to the same network access restrictions. Unless the backup service originates from, or uses an IP address within, the allowed production subnet (10.2.0.0/24), virtual machines in the 10.2.9.0/24 subnet still cannot connect.
Azure Backup now supports storage accounts secured with Azure Storage Firewalls and Virtual Networks
========================================================================
Q7.You have several Azure virtual machines on a virtual network named VNet1.
You configure an Azure Storage account as shown below.
Based on the information presented in the graphic, select the answer choice that completes the following statement.
"Azure Backup will be able to back up the unmanaged disks of the virtual machines in the storage account ________________________________."
○ Never
○ always
○ during a backup
When you enable virtual networks in the Azure Storage firewall settings, access is by default restricted to resources inside that specific virtual network. For other Azure services (including Azure Backup) to keep accessing the storage account after the VNet firewall is enabled, you must explicitly allow the Azure services on the trusted services list to access this storage account in the firewall exceptions.
If this exception is not enabled, then even though Azure Backup is a trusted Azure service, it is still blocked by the firewall, because the storage account is configured to allow only traffic originating from within the specified virtual network.
========================================================================
Q8.You have an Azure subscription that contains the virtual networks shown in the following table.
Each virtual machine contains only a private IP address.
You create an Azure bastion for VNet1 as shown below.
For the following statement, select Yes if the statement is true. Otherwise, select No.
"The Azure portal can use SSH to connect to VM2 through Bastion1."
○ Yes
○ No
Virtual Network Peering
Peering enables seamless connectivity between virtual networks, allowing resources in peered VNets to communicate with each other using their private IP addresses.
Because VM2 is in VNet2, and VNet2 is directly peered with VNet1, network traffic can flow directly between the two over the Azure private network.
Unless specific network security group (NSG) rules are configured to block the traffic, this communication works by default. Since the question mentions no blocking rules, the peering enables direct communication.
========================================================================
Q9.You have an Azure subscription that contains the virtual networks shown in the following table.
You need to create a container app environment named con-env1 that meets the following requirements:
- Uses its own (and existing) virtual network.
- Uses its own (and new) subnet.
- Is connected to the smallest possible subnet.
To which virtual networks can you connect con-env1?
○ VNet1 only
○ VNet2 only
○ VNet3 only
○ VNet1 or VNet2 only
○ VNet2 or VNet3 only
○ VNet1, VNet2, or VNet3
Analysis:
The requirements for deploying the container app environment (con-env1) are:
- The subnet must be the smallest possible range that can host the environment.
- The subnet must have a CIDR range of at least /23, which provides 512 IP addresses.
VNet1 => /23 gives 2^(32-23) = 2^9 = 512 IPs, and its Subnet1 => /24 => 256 IPs already exists.
Creating another new /23 subnet (in other words, 512 IPs) inside VNet1 is impossible, because that virtual network has a quota of only 512 IPs, of which 256 are already occupied.
VNet2 => /16 gives 2^(32-16) = 2^16 = 65536 IPs.
Its /17 subnets are two, Subnet21 and Subnet22, with 32768 addresses each, so 32768*2 = 65536: the entire address space is already consumed.
VNet3 => /16 gives 2^(32-16) = 65536 IPs; only Subnet3 (/24 -> 2^(32-24) = 2^8 = 256 IPs) exists so far.
Because VNet3 has a much larger IP space, of which only a small part is occupied, a new /23 subnet can be created there.
Provide a virtual network to an Azure Container Apps environment
To use a VNet with Container Apps, the VNet must have a dedicated subnet with a CIDR range of /23 or larger when using the Consumption only environment
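The "is there room for a /23?" reasoning above generalises to any VNet and any required prefix: subtract the existing subnets from the VNet address space and look for a free block at least as large as the one required. The Python below is an added example, not code from the original article or from Azure; the VNet and subnet addresses are constructed (the question's table only gives prefix lengths), and the function names are my own. Only the standard library `ipaddress` module is used.

```python
import ipaddress

# Consumption-only Container Apps environments need a dedicated /23 or larger.
CONTAINER_APPS_MIN_PREFIXLEN = 23

# Constructed sample data modelled on the Q9 table (only the prefix lengths
# come from the question; the actual address ranges are invented here).
VNETS = {
    "VNet1": ("10.1.0.0/23", ["10.1.0.0/24"]),
    "VNet2": ("10.2.0.0/16", ["10.2.0.0/17", "10.2.128.0/17"]),
    "VNet3": ("10.3.0.0/16", ["10.3.0.0/24"]),
}


def free_blocks(vnet_cidr, subnet_cidrs):
    """Return the unallocated parts of a VNet as a sorted list of networks."""
    free = [ipaddress.ip_network(vnet_cidr, strict=True)]
    for s in subnet_cidrs:
        sub = ipaddress.ip_network(s, strict=True)
        remaining = []
        for block in free:
            if sub.subnet_of(block):
                # Carve the subnet out; address_exclude yields the leftover
                # CIDR blocks (nothing if sub == block, i.e. fully consumed).
                remaining.extend(block.address_exclude(sub))
            elif block.subnet_of(sub):
                continue  # block lies entirely inside this subnet: not free
            else:
                remaining.append(block)  # disjoint, untouched
        free = remaining
    return sorted(free)


def can_host_subnet(vnet_cidr, subnet_cidrs, needed_prefixlen):
    """True if some free block is large enough for a /needed_prefixlen subnet."""
    return any(b.prefixlen <= needed_prefixlen
               for b in free_blocks(vnet_cidr, subnet_cidrs))


def first_fit_subnet(vnet_cidr, subnet_cidrs, needed_prefixlen):
    """Lowest-addressed free /needed_prefixlen subnet as a string, or None."""
    for block in free_blocks(vnet_cidr, subnet_cidrs):
        if block.prefixlen <= needed_prefixlen:
            return str(next(block.subnets(new_prefix=needed_prefixlen)))
    return None


def eligible_vnets(vnets, needed_prefixlen=CONTAINER_APPS_MIN_PREFIXLEN):
    """Names of the VNets that can still take a new subnet of the given size."""
    return [name for name, (cidr, subs) in vnets.items()
            if can_host_subnet(cidr, subs, needed_prefixlen)]


if __name__ == "__main__":
    for name, (cidr, subs) in VNETS.items():
        print(name, "free:", [str(b) for b in free_blocks(cidr, subs)],
              "/23 fit:", first_fit_subnet(cidr, subs, 23))
    print("Can host con-env1:", eligible_vnets(VNETS))
```

With the constructed data the script reports that VNet1 has only a single /24 left, VNet2 has no free space at all, and VNet3 can take 10.3.2.0/23, matching the "VNet3 only" conclusion. Changing `needed_prefixlen` lets the same helper answer the equivalent question for other services with their own minimum subnet sizes.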
========================================================================
Q10.You have an Azure subscription that has the public IP addresses shown in the following table.
You plan to deploy an Instance of Azure Firewall Premium named FW1.
Which IP addresses can you use?
○ IP1 and IP2 only
○ IP2 only
○ IP1, IP2, and IP5 only
○ IP1, IP2, IP4, and IP5 only
Azure Firewall has specific requirements for the public IP addresses it uses. These requirements are:
- SKU: The public IP addresses must be of the Standard SKU.
- Assignment: The public IP addresses must have a Static assignment.
- Protocol: Azure Firewall currently only supports IPv4 addresses.
IP1: Standard SKU and a static IPv4 address; meets the requirements.
IP2: likewise Standard SKU and a static IPv4 address; meets the requirements.
IP3 and IP4: both use the Basic SKU, which Azure Firewall does not support.
IP5: this is an IPv6 address, and Azure Firewall does not currently support the IPv6 protocol.
========================================================================
Q11.You have the Azure virtual machines shown in the following table.
VNET1, VNET2, and VNET3 are peered.
VM4 has a DNS server that is authoritative for a zone named contoso.com and contains the records shown in the following table.
VNET1 and VNET2 are linked to an Azure private DNS zone named contoso.com that contains the records shown in the following table.
The virtual networks are configured to use the DNS servers shown in the following table.
For the statement below, select Yes if the statement is true. Otherwise select No.
"From VM3, server2.contoso.com resolves to 131.107.2.4."
○ Yes
○ No
VM3 is connected to VNet3.
VNet3 is configured to use VM4 as its DNS server. The description states that the DNS server running on VM4 holds an A record that resolves server2.contoso.com to the IP address 131.107.2.4.
When VM3 tries to resolve the hostname server2.contoso.com, its DNS query is sent to the DNS server on VM4. Because VM4 holds the required A record, it resolves the hostname to 131.107.2.4. VM3 can therefore use the hostname server2.contoso.com to connect to the service at that IP address.
What is a virtual network link?
Private DNS vs Custom DNS for one VNET
========================================================================
Q12.You have an Azure subscription that contains the virtual networks shown in the following table.
The subscription contains the virtual machines shown in the following table.
The subscription contains the Azure App Service web apps shown in the following table.
"WebApp1 can communicate with VM2."
○ Yes
○ No
WebApp1 has virtual network integration with VNet1 enabled. VNet1 is peered with VNet2. VM2 is deployed in VNet2. Azure virtual network peering provides seamless network connectivity between virtual networks, allowing resources in peered VNets to communicate with each other over private IP addresses.
Because VNet1 and VNet2 are peered, WebApp1, which is integrated with VNet1, can communicate with VM2 in VNet2 over the Azure private network.
Unless a network security group (NSG) rule on Subnet2, where VM2 resides, explicitly blocks inbound traffic from the VNet1 IP address range or from the specific private IP addresses of the App Service instances, the communication succeeds. Since no such blocking rule is mentioned, the default behaviour of allowing traffic within and between peered VNets applies.
========================================================================
Q13.You have an Azure subscription that contains the virtual networks shown in the following table.
"NSG1 controls inbound traffic to WebApp1."
○ Yes
○ No
When a user holds the Global Administrator role in Azure Active Directory, that is a tenant-wide administrative role that grants broad permissions across the entire Azure AD tenant. However, it does not automatically grant access to data stored inside Azure services such as Azure Storage.
Data access in Azure Storage (including file shares) is governed by Azure role-based access control (RBAC) at the storage account, container, or file share level. To access file share data, the user must be explicitly assigned a specific data-access role (for example Storage File Data Contributor, Storage File Data Reader, or Storage File Data SMB Share Contributor) on the storage account or the specific file share through the storage resource's Access control (IAM) settings.
Holding the Global Administrator role alone grants administrative control over the Azure AD tenant and the ability to manage Azure subscriptions and services, but it does not remove the need for explicit data-access permissions on storage resources.
========================================================================
Q14.You have an Azure subscription that contains 10 virtual machines and the resources shown in the following table.
You need to ensure that Bastion1 can support 100 concurrent SSH users. The solution must minimize administrative effort.
What should you do first?
○ Configure host scaling.
○ Upgrade Bastion1 to the standard SKU.
○ Create a network security group (NSG).
○ Resize the subnet of Bastion1.
○ Deploy and manage Azure compute resources
The Azure Bastion service currently in use is the Basic SKU, which has the following limits:
Instance Count: the Basic SKU allows a maximum of 2 instances.
Concurrent SSH Users per Instance: each Basic SKU instance supports up to 40 concurrent SSH users.
To support 100 concurrent SSH connections, the Basic SKU is insufficient. Even with the maximum of 2 instances, the service supports only 80 concurrent connections (2 instances * 40 users/instance).
Therefore, the correct approach is to upgrade the Bastion service SKU to Standard. The Standard SKU lets you configure the required number of instances. To support 100 concurrent connections with a reasonable buffer, you need to deploy and manage more than 2 instances. For example, with 3 instances the service can theoretically support 120 concurrent connections (3 instances * 40 users/instance). Meeting this requirement therefore means deploying and managing the Azure compute resources underlying the Bastion service (by upgrading the SKU and, if needed, increasing the instance count).