Free SC-100 Exam Braindumps

Your company has an office in Seattle.
The company has two Azure virtual machine scale sets hosted on different virtual networks.
The company plans to contract developers in India.
You need to recommend a solution that provides the developers with the ability to connect to the virtual machines over SSL from the Azure portal. The solution must meet the following requirements:
-Prevent exposing the public IP addresses of the virtual machines.
-Provide the ability to connect without using a VPN.
-Minimize costs.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

  A. Create a hub and spoke network by using virtual network peering.
  B. Deploy Azure Bastion to each virtual network.
  C. Deploy Azure Bastion to one virtual network.
  D. Create NAT rules and network rules in Azure Firewall.
  E. Enable just-in-time VM access on the virtual machines.

Answer(s): A,C

Explanation:

Azure Bastion is deployed to a virtual network and supports virtual network peering. Specifically, Azure Bastion manages RDP/SSH connectivity to VMs created in the local or peered virtual networks.
Note: Azure Bastion is a service you deploy that lets you connect to a virtual machine using your browser and the Azure portal. The Azure Bastion service is a fully platform-managed PaaS service that you provision inside your virtual network. It provides secure and seamless RDP/SSH connectivity to your virtual machines directly from the Azure portal over TLS. When you connect via Azure Bastion, your virtual machines don't need a public IP address, agent, or special client software.
Incorrect:
Not B: Two Azure Bastions would increase the cost.


Reference:

https://docs.microsoft.com/en-us/azure/bastion/bastion-overview



Your company has an on-premises network and an Azure subscription.
The company does NOT have a Site-to-Site VPN or an ExpressRoute connection to Azure.
You are designing the security standards for Azure App Service web apps. The web apps will access Microsoft SQL Server databases on the network.
You need to recommend security standards that will allow the web apps to access the databases. The solution must minimize the number of open internet-accessible endpoints to the on-premises network.
What should you include in the recommendation?

  A. virtual network NAT gateway integration
  B. hybrid connections
  C. virtual network integration
  D. a private endpoint

Answer(s): B

Explanation:

Hybrid Connections can connect Azure App Service Web Apps to on-premises resources that use a static TCP port. Supported resources include Microsoft SQL Server, MySQL, HTTP Web APIs, Mobile Services, and most custom Web Services.

Note: You can use Azure App Service Hybrid Connections. To do this, you need to add and create Hybrid Connections in your app. You then download and install an agent (the Hybrid Connection Manager) on the database server or on another server in the same network as the on-premises database.
You configure a logical connection on your app service or web app.
A small agent, the Hybrid Connection Manager, is downloaded and installed on a Windows Server (2012 or later) running in the remote network (on-premises or anywhere) that you need to communicate with.
You log into your Azure subscription in the Hybrid Connection manager and select the logical connection in your app service.
The Hybrid Connection Manager will initiate a secure tunnel out (TCP 80/443) to your app service in Azure.
Your app service can now communicate with TCP-based services, on Windows or Linux, in the remote network via the Hybrid Connection Manager.
You could get more details on how to Connect Azure Web Apps To On-Premises.
Incorrect:
Not A: NAT gateway provides outbound internet connectivity for one or more subnets of a virtual network. Once NAT gateway is associated to a subnet, NAT provides source network address translation (SNAT) for that subnet. NAT gateway specifies which static IP addresses virtual machines use when creating outbound flows.
However, we need an inbound connection.
Not C: You can use Azure Web App VNet integration with Azure VPN Gateway to securely access resources in an Azure VNet or an on-premises network.
However, this would require a Site-to-Site VPN, as in the picture below.

Note: Virtual network integration gives your app access to resources in your virtual network, but it doesn't grant inbound private access to your app from the virtual network. Private site access refers to making an app accessible only from a private network, such as from within an Azure virtual network. Virtual network integration is used only to make outbound calls from your app into your virtual network. The virtual network integration feature behaves differently when it's used with virtual networks in the same region and with virtual networks in other regions. The virtual network integration feature has two variations:
Regional virtual network integration: When you connect to virtual networks in the same region, you must have a dedicated subnet in the virtual network you're integrating with.
Gateway-required virtual network integration: When you connect directly to virtual networks in other regions or to a classic virtual network in the same region, you need an Azure Virtual Network gateway created in the target virtual network.


Reference:

https://github.com/uglide/azure-content/blob/master/articles/app-service-web/web-sites-hybrid-connection-connect-on-premises-sql-server.md
https://docs.microsoft.com/en-us/answers/questions/701793/connecting-to-azure-app-to-onprem-datbase.html



You need to recommend a solution for securing the landing zones. The solution must meet the landing zone requirements and the business requirements.
What should you configure for each landing zone?

  A. an ExpressRoute gateway
  B. Microsoft Defender for Cloud
  C. an Azure Private DNS zone
  D. Azure DDoS Protection Standard

Answer(s): B

Explanation:

ExpressRoute provides direct connectivity to Azure cloud services by connecting to Microsoft's global network. Transferred data is not encrypted and does not go over the public Internet. VPN Gateway provides secured connectivity to Azure cloud services over the public Internet.
Note:
Litware identifies the following landing zone requirements:
• Route all internet-bound traffic from landing zones through Azure Firewall in a dedicated Azure subscription.
• Provide a secure score scoped to the landing zone.
• Ensure that the Azure virtual machines in each landing zone communicate with Azure App Service web apps in the same zone over the Microsoft backbone network, rather than over public endpoints.
• Minimize the possibility of data exfiltration.
• Maximize network bandwidth.
Litware identifies the following business requirements:
• Minimize any additional on-premises infrastructure.
• Minimize the operational costs associated with administrative overhead.


Reference:

https://medium.com/awesome-azure/azure-difference-between-azure-expressroute-and-azure-vpn-gateway-comparison-azure-hybrid-connectivity-5f7ce02044f3



HOTSPOT (Drag and Drop is not supported)
You need to recommend a solution to meet the compliance requirements.
What should you include in the recommendation? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

  A. See Explanation section for answer.

Answer(s): A

Explanation:


Box 1: A blueprint
Scenario: Requirements. Compliance Requirements
Fabrikam wants to automatically remediate the virtual machines in Sub1 to be compliant with the HIPAA HITRUST standard.
Microsoft releases automation for HIPAA/HITRUST compliance
I am excited to share our new Azure Security and Compliance Blueprint for HIPAA/HITRUST - Health Data & AI. Microsoft's Azure Blueprints are resources to help build and launch cloud-powered applications that comply with stringent regulations and standards. Included in the blueprints are reference architectures, compliance guidance and deployment scripts.
An Azure Blueprint is a package for creating specific sets of standards and requirements that govern the implementation of Azure services, security, and design.
Such packages are reusable so that consistency and compliance among resources can be maintained.
Incorrect:
* not Workflow automation
Workflow automation is an approach to making the flow of tasks, documents and information across work-related activities perform independently in accordance with defined business rules.
Box 2: Modify an Azure policy definition
Scenario: The virtual machines in TestRG must be excluded from the compliance assessment.
Use a Policy definition to exclude the TestRG virtual machines from the Blueprint's compliance assessment.
Note: Azure Policy establishes conventions for resources. Policy definitions describe resource compliance conditions and the effect to take if a condition is met. A condition compares a resource property field or a value to a required value. Resource property fields are accessed by using aliases. When a resource property field is an array, a special array alias can be used to select values from all array members and apply a condition to each one.
By defining conventions, you can control costs and more easily manage your resources. For example, you can specify that only certain types of virtual machines are allowed. Or, you can require that resources have a particular tag. Policy assignments are inherited by child resources. If a policy assignment is applied to a resource group, it's applicable to all the resources in that resource group.
Incorrect:
* Not Update a policy assignment
A policy assignment assigns a Blueprint to a subscription. The scope is at the subscription level.
Note: Policy Assignments provide a means for applying policy to a subscription to which a blueprint is assigned. That said, the policy must be within the scope of the blueprint containing the policy. Parameters defined with a policy are assigned during blueprint creation or during blueprint assignment.


Reference:

https://azure.microsoft.com/en-us/blog/microsoft-releases-automation-for-hipaa-hitrust-compliance/
https://cloudacademy.com/blog/what-are-azure-blueprints/
https://k21academy.com/microsoft-azure/azure-rbac-vs-azure-policies-vs-azure-blueprints/





