
Examtopics Microsoft's AZ-500 Topic6

The document contains a series of actual exam questions from Microsoft's AZ-500 certification, focusing on Azure services, configurations, and best practices. Each question includes a topic number, suggested answers, and community vote distributions for selected answers. The questions cover various Azure components such as virtual networks, firewalls, storage accounts, and application gateways, emphasizing practical scenarios and decision-making in Azure environments.

Uploaded by

gharbiabdo2608

Actual exam question from Microsoft's AZ-500

Question #: 1 Topic #: 6 Missed

Question #: 2 Topic #: 6 Missed

Question #: 3 Topic #: 6

HOTSPOT -
You have an Azure subscription that contains the resources shown in the following table.

VNet1 contains the subnets shown in the following table.

You plan to use the Azure portal to deploy an Azure firewall named AzFW1 to VNet1.
Which resource group and subnet can you use to deploy AzFW1? To answer, select the
appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Suggested Answer:

Question #: 4 Topic #: 6

You have an Azure subscription that contains a storage account named storage1 and a
virtual machine named VM1.
VM1 is connected to a virtual network named VNet1 that contains one subnet and uses
Azure DNS.
You need to ensure that VM1 connects to storage1 by using a private IP address. The
solution must minimize administrative effort.
What should you do?
 A. For storage1, disable public network access.
 B. On VNet1, create a new subnet.
 C. For storage1, create a new private endpoint.
 D. Create an Azure Private DNS zone.

Suggested Answer: C
Reference: https://docs.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview
Community vote distribution
C (100%)

Question #: 5 Topic #: 6

You have an Azure subscription that contains a web app named App1. App1 provides users
with product images and videos. Users access App1 by using a URL of
HTTPS://app1.contoso.com.
You deploy two server pools named Pool1 and Pool2. Pool1 hosts product images. Pool2
hosts product videos.
You need to optimize the performance of App1. The solution must meet the following
requirements:
• Minimize the performance impact of TLS connections on Pool1 and Pool2.
• Route user requests to the server pools based on the requested URL path.
What should you include in the solution?
 A. Azure Bastion
 B. Azure Front Door
 C. Azure Traffic Manager
 D. Azure Application Gateway

Correct Answer: D
Reference: https://docs.microsoft.com/en-us/azure/databricks/security/credential-passthrough/adls-passthrough
Community vote distribution
D (52%)
B (48%)

Question #: 6 Topic #: 6

HOTSPOT -
You have an Azure subscription that is linked to an Azure AD tenant and contains the virtual
machines shown in the following table.
The subnets of the virtual networks have the service endpoints shown in the following
table.

You create the resources shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select
No.
NOTE: Each correct selection is worth one point.

Suggested Answer:

Question #: 7 Topic #: 6

You have an Azure subscription that contains an instance of Azure Firewall Standard named
AzFW1.
You need to identify whether you can use the following features with AzFW1:
• TLS inspection
• Threat intelligence
• The network intrusion detection and prevention systems (IDPS)
What can you use?
 A. TLS inspection only
 B. threat intelligence only
 C. TLS inspection and the IDPS only
 D. threat intelligence and the IDPS only
 E. TLS inspection, threat intelligence, and the IDPS

Suggested Answer: B
Reference: https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-ip-flow-verify-overview
Community vote distribution
B (100%)

Question #: 8 Topic #: 6

SIMULATION -
Use the following login credentials as needed:
To enter your username, place your cursor in the Sign in box and click on the username
below.
To enter your password, place your cursor in the Enter password box and click on the
password below.
Azure Username: [email protected]
Azure Password: Gp0Ae4@!Dg
-
If the Azure portal does not load successfully in the browser, press CTRL-K to reload the
portal in a new browser tab.
The following information is for technical support purposes only:
Lab Instance: 28681041
-
You need to configure Azure to allow RDP connections from the Internet to a virtual
machine named VM1. The solution must minimize the attack surface of VM1.
To complete this task, sign in to the Azure portal.

Suggested Answer:

Question #: 9 Topic #: 6

SIMULATION -
You need to ensure that only devices connected to a 131.107.0.0/16 subnet can access
data in the rg1lod28681041 Azure Storage account.
To complete this task, sign in to the Azure portal.

Suggested Answer:

Question #: 10 Topic #: 6

HOTSPOT -
You have an Azure Subscription that is connected to an on-premises datacenter and
contains the resources shown in the following table.

You need to configure virtual network service endpoints for VNet1 and VNet2. The solution
must meet the following requirements:
• The virtual machines that connect to the subnet of VNet1 must access storage1,
storage2, and Azure AD by using the Microsoft backbone network.
• The virtual machines that connect to the subnet of VNet2 must access storage1 and
KeyVault1 by using the Microsoft backbone network.
• The virtual machines must use the Microsoft backbone network to communicate between
VNet1 and VNet2.
How many service endpoints should you configure for each virtual network?
To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Suggested Answer:

Question #: 11 Topic #: 6

You have an Azure subscription that contains the resources shown in the following table.

You plan to deploy an Azure Private Link service named APL1.


Which resource should you reference during the creation of APL1?
 A. LB1
 B. SQL1
 C. VMSS1
 D. VM1

Suggested Answer: A
Reference: https://docs.microsoft.com/en-us/azure/governance/policy/overview
Community vote distribution
A (100%)

Question #: 12 Topic #: 6

DRAG DROP -
You have an on-premises datacenter.
You have an Azure subscription that contains a virtual machine named VM1. VM1 is
connected to a virtual network named VNet1. VNet1 is connected to the on-premises
datacenter by using a Site-to-Site (S2S) VPN.
You plan to create an Azure storage account named storage1 and deploy an Azure web app
named App1.
You need to ensure that network communication to each resource meets the following
requirements:
• Connections to App1 must be allowed only from corporate network NAT addresses.
• Connections from VNet1 to storage1 must use the Microsoft backbone network.
• The solution must minimize costs.
What should you configure for each resource? To answer, drag the appropriate components
to the correct resources. Each component may be used once, more than once, or not at all.
You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.

Suggested Answer:

Question #: 13 Topic #: 6

You have an Azure subscription that contains the subnets shown in the following table.

The subscription contains an Azure web app named WebApp1 that has the following
configurations:
• Region: West US
• Virtual network: VNet1
• VNet integration: Enabled
• Outbound subnet: Subnet11
• Windows plan (West US): ASP1
You plan to deploy an Azure web app named WebApp2 that will have the following settings:
• Region: West US
• VNet integration: Enabled
• Windows plan (West US): ASP1
To which subnets can you integrate WebApp2?
 A. Subnet11 only
 B. Subnet12 only
 C. Subnet11 or Subnet12 only
 D. Subnet12 or Subnet21 only
 E. Subnet11, Subnet12, or Subnet21

Suggested Answer: D
Reference: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/view-activity-logs
Community vote distribution
D (46%)
E (37%)

Question #: 14 Topic #: 6

You have an Azure subscription.


You need to deploy an Azure virtual WAN to meet the following requirements:
• Create three secured virtual hubs located in the East US, West US, and North Europe
Azure regions.
• Ensure that security rules sync between the regions.
What should you use?
 A. Azure Virtual Network Manager
 B. Azure Front Door
 C. Azure Network Function Manager
 D. Azure Firewall Manager

Suggested Answer: D
Reference: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/view-activity-logs
Community vote distribution
D (66%)
A (34%)

Question #: 15 Topic #: 6

HOTSPOT -
You have an Azure subscription that contains the resources shown in the following table.

VNet1 connects to a remote site by using a Site-to-Site (S2S) VPN that uses forced
tunneling.
VNet1 contains the subnets shown in the following table.

The SQL subnet contains SQL1.


For each of the following statements, select Yes if the statement is true. Otherwise, select
No.
NOTE: Each correct selection is worth one point.

Suggested Answer:

Question #: 16 Topic #: 6

You have an Azure subscription that contains an Azure web app named App1 and a virtual
machine named VM1. VM1 runs Microsoft SQL Server and is connected to a virtual network
named VNet1. App1, VM1, and VNet1 are in the US Central Azure region. You need to
ensure that App1 can connect to VM1. The solution must minimize costs.
What should you include in the solution?
 A. regional virtual network integration
 B. gateway-required virtual network integration
 C. Azure Front Door
 D. Azure Application Gateway integration
 E. NAT gateway integration

Suggested Answer: A
Reference: https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-oauth2
Community vote distribution
A (100%)

Question #: 17 Topic #: 6

HOTSPOT -
You have an Azure subscription that contains the virtual networks shown in the following
table.

The subscription contains the subnets shown in the following table.

You plan to create an Azure web app named WebApp2 that will have the following
configurations:
• Region: East US
• VNet integration: Enabled
• Scale out: Autoscale to up to 10 instances
For each of the following statements, select Yes if the statement is true. Otherwise, select
No.
NOTE: Each correct selection is worth one point.

Suggested Answer:

Question #: 18 Topic #: 6

DRAG DROP -
You have an Azure subscription.
You plan to implement Azure DDoS Protection. The solution must meet the following
requirements:
• Provide access to DDoS rapid response support during active attacks.
• Protect Basic SKU public IP addresses.
You need to recommend which type of DDoS Protection to use for each requirement.
What should you recommend? To answer, drag the appropriate DDoS Protection types to
the correct requirements. Each DDoS Protection type may be used once, more than once,
or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.

Suggested Answer:

Question #: 19 Topic #: 6

You have an Azure subscription that contains a virtual network named VNet1. VNet1
contains a single subnet. The subscription contains a virtual machine named VM1 that is
connected to VNet1.
You plan to deploy an Azure SQL managed instance named SQL1.
You need to ensure that VM1 can access SQL1.
Which three components should you create? Each correct answer presents part of the
solution.
NOTE: Each correct selection is worth one point.
 A. a subnet
 B. a network security perimeter
 C. a virtual network gateway
 D. a network security group (NSG)
 E. a route table

Suggested Answer: ADE
Reference: https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-oauth2
Community vote distribution
ADE (100%)

Question #: 20 Topic #: 6

HOTSPOT -
You are implementing an Azure Application Gateway web application firewall (WAF) named
WAF1.
You have the following Bicep code snippet.

For each of the following statements, select Yes if the statement is true. Otherwise, select
No.
NOTE: Each correct selection is worth one point.

Suggested Answer:

Question #: 21 Topic #: 6

HOTSPOT -
You have an Azure subscription that contains the virtual networks shown in the following
table.

NSG1 and NSG2 both have default rules only.


The subscription contains the virtual machines shown in the following table.

The subscription contains the web apps shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select
No.
NOTE: Each correct selection is worth one point.

Suggested Answer:

Question #: 22 Topic #: 6

DRAG DROP -
You have an Azure subscription.
You create an Azure Firewall policy that has the rules shown in the following table.

In which order should the rules be processed? To answer, move all rules from the list of
rules to the answer area and arrange them in the correct order.

Suggested Answer:

Question #: 23 Topic #: 6

You have an Azure subscription that contains the resources shown in the following table.

You create an Azure DDoS Protection plan named DDoS1 in the West US Azure region.
Which resources can you add to DDoS1?
 A. VNet1 only
 B. WebApp1 only
 C. VNet1 and VNet2 only
 D. VNet1 and WebApp1 only
 E. VNet1, VNet2, and WebApp1

Suggested Answer: C
Reference: https://docs.microsoft.com/en-us/azure/storage/common/storage-service-encryption
Community vote distribution
C (87%)

Question #: 24 Topic #: 6

DRAG DROP -
You have an Azure subscription that contains the resources shown in the following table.

You need to configure network connectivity to meet the following requirements:


• Communication from VM1 to storage1 must traverse an optimized Microsoft backbone
network.
• All the outbound traffic from VM1 to the internet must be denied.
• The solution must minimize costs and administrative effort.
What should you configure for VNet1 and NSG1? To answer, drag the appropriate
components to the correct resources. Each component may be used once, more than once,
or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.

Suggested Answer:

Question #: 25 Topic #: 6

HOTSPOT -
You have an Azure subscription that contains an Azure firewall named AzFW1. AzFW1 has a
firewall policy named FWPolicy1.
You need to add rule collections to FWPolicy1 to meet the following requirements:
• Allow traffic based on the FQDN of the destination.
• Allow TCP traffic.
Which types of rule collections should you add for each requirement? To answer, select the
appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Suggested Answer:

Question #: 26 Topic #: 6

HOTSPOT -
You have an Azure subscription that contains the virtual networks shown in the following
table.

The subscription contains the virtual machines shown in the following table.

All the virtual machines have only private IP addresses.


You deploy Azure Bastion to VNet1 as shown in the following exhibit.
For each of the following statements, select Yes if the statement is true. Otherwise, select
No.
NOTE: Each correct selection is worth one point.

Suggested Answer:

Question #: 27 Topic #: 6

HOTSPOT -
You have an Azure subscription that contains the resources shown in the following table.

You plan to use service endpoints and service endpoint policies.


Which resources can be accessed by using a service endpoint, and which resources support
service endpoint policies? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Suggested Answer:

Question #: 28 Topic #: 6

HOTSPOT -
You have an Azure App Service web app named App1 as shown in the following exhibit.
Subnet 2 contains a virtual machine named VM1.
Use the drop-down menus to select the answer choice that completes each statement
based on the information presented in the graphic.
NOTE: Each correct selection is worth one point.

Suggested Answer:

Question #: 29 Topic #: 6

HOTSPOT -
You have an Azure subscription that contains a virtual machine named VM1.
You have a network security group (NSG) named NSG1 that is associated to the network
interface of VM1 and is configured as shown in the following exhibit.
Just-in-time (JIT) VM access is enabled on VM1 and has the following configurations:
• Management ports: 3389, 22
• Maximum time range: 3 hours
• Allowed source IP addresses: Any
You activate the JIT rule and connect to VM1 by using SSH.
For each of the following statements, select Yes if the statement is true, otherwise select
No.
NOTE: Each correct selection is worth one point.

Suggested Answer:

Question #: 30 Topic #: 6

You have an on-premises network.


You have an Azure subscription that contains the resources shown in the following table.

You plan to deploy a Site-to-Site (S2S) VPN between the on-premises network and VNet1.
You need to recommend an Azure VPN Gateway SKU that meets the following
requirements:
• Supports 1-Gbps throughput
• Minimizes costs
What should you recommend?
 A. VpnGw1
 B. VpnGw2
 C. VpnGw1AZ
 D. VpnGw2AZ

Correct Answer: B
Reference: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/tag-policies
Community vote distribution
B (100%)

Question #: 31 Topic #: 6

HOTSPOT -
You have an Azure subscription that contains a virtual network named VNet1. VNet1
contains the subnets shown in the following table.

The subscription contains the virtual machines shown in the following table.

VM3 contains a service that listens for connections on port 8080.


For VM1, you configure just-in-time (JIT) VM access as shown in the following exhibit.

For each of the following statements, select Yes if the statement is true. Otherwise, select
No.
NOTE: Each correct selection is worth one point.

Suggested Answer:
