A network team wants all routers to send log messages to a centralized server at 192.0.2.50. Which command should be added to the router configuration?
Exhibit
Goal: Centralized logging server = 192.0.2.50
AZ-104 Implement and Manage Virtual Networking • Complete Question Bank
collector: 10.10.10.50
subscription: interface-counters
mode: periodic 1000ms
encoding: GPB

Storage account: reportsa
Public network access: Enabled
Selected networks: none
VM subnet: app-subnet
Requirement notes:
- Keep the storage account on its public endpoint.
- Permit only workloads in app-subnet to reach the account.
- Do not assign static public IP addresses to the VMs.

vm-app01 in subnet appsubnet
nslookup mystorageacct.blob.core.windows.net
  Server: 168.63.129.16
  Name: mystorageacct.blob.core.windows.net
  Address: 20.62.14.8
Storage account settings:
  Public network access: Disabled
  Private endpoint connections: None
Business requirement: the VM must reach the blob service over a private IP address.
Drag a concept onto its matching description — or click a concept then click the description.
The priority 100 rule is evaluated first, so it wins if both rules match the same traffic.
It controls traffic entering the subnet or NIC from another network location.
It filters traffic for a single VM and can be used in addition to a subnet NSG.
It matches any ephemeral source port and does not limit the sender's port selection.
It allows only HTTPS traffic that uses TCP and the specified destination port.
Inbound NSG rules on AppSubnet:
  Priority 200 | Deny-All-Inbound | Any | Any | Any | Any | Deny
  Priority 250 | Allow-HTTPS-Admin | TCP | 203.0.113.20/32 | Any | 443 | Allow
  Priority 300 | Allow-HTTPS-Internet | TCP | Internet | Any | 443 | Allow
Test source IP: 203.0.113.20
Observed result: TCP 443 denied

Branch office details:
- One edge firewall/router with public IP 203.0.113.50
- Users must reach private Azure VMs and internal services
- Traffic must be encrypted over the internet
- No per-user tunnel setup is desired

Hub VNet address space: 10.20.0.0/16
Spoke VNet address space: 10.20.1.0/24
Planned action: Create VNet peering between Hub and Spoke
Portal message: The address spaces overlap and cannot be peered.

Application security groups:
- WebASG contains the web VM NICs
- AppASG contains the app VM NICs
App subnet NSG rules:
- Priority 300: Deny-All-Inbound | Source: Any | Destination: Any | Port: Any | Action: Deny
No allow rule exists for web-to-app traffic.

Planned VNet address space: 10.70.0.0/16
Subnet A requirement: about 30 VM NICs
Subnet B requirement: about 8 VM NICs and one future jump box
Azure reserves 5 IP addresses in each subnet

HubVNet address space: 10.40.0.0/16
SpokeVNet address space: 10.40.1.0/24
Peering status: Failed
Error: Virtual network address space overlaps with another peered network
Based on the exhibit, what should the administrator configure so the VM in the spoke VNet can resolve internal hostnames that are hosted on the DNS server in the hub VNet?
The team has already verified that IP connectivity between the spoke VM and the hub VM works.
Topology summary:
- HubVNet: 10.40.0.0/16
  - VM dns01: 10.40.0.4
  - DNS service on dns01 hosts the zone corp.contoso.local
  - HubVNet DNS servers: 10.40.0.4
- SpokeVNet: 10.41.0.0/16
  - Peered with HubVNet
  - Allow virtual network access: Enabled
  - Allow forwarded traffic: Enabled
  - DNS servers: Azure-provided
- Test results from app01 in SpokeVNet:
  - ping 10.40.1.10 => success
  - nslookup web01.corp.contoso.local => NXDOMAIN
  - nslookup www.microsoft.com => success

Inbound NSG rules for Subnet-Prod:
  Priority 200: Deny-HTTPS-Internet | Source: Internet | Destination: Any | Port: 443 | Action: Deny
  Priority 250: Allow-HTTPS-Admin | Source: 203.0.113.20/32 | Destination: Any | Port: 443 | Action: Allow
Observed result: Traffic from 203.0.113.20 to the VM on TCP 443 is blocked.

Requirement summary:
- Storage account: contosostore
- Public network access: Disabled
- AppSubnet VMs must reach the storage account by private IP
- DNS for privatelink.blob.core.windows.net is already configured

Hub VNet DNS server: 10.20.0.4
Spoke VNet DNS server setting: Azure-provided
Test from spoke VM:
  ping 10.20.0.4
    Success
  nslookup app01.corp.local
    Server failed to find app01.corp.local: NXDOMAIN
Hub and spoke are already peered.

VNet-A address space: 10.0.0.0/16
VNet-B address space: 10.0.1.0/24
Attempt to peer VNet-A and VNet-B:
  Status: Failed
  Error: Address space overlap detected
Requirement: Both VNets must remain connected, but the address spaces must not overlap.

Storage account: stprod01
Networking:
- Public network access: Disabled
- Private endpoint connections: None
- Allowed virtual networks: None
VNet: AppVNet
Subnet: AppSubnet 10.50.1.0/24
Requirement: "Azure VMs in AppSubnet must reach the storage account without using the public endpoint."

Hub VNet:
- DNS server VM: 10.50.0.4
Spoke VNet:
- Default DNS setting: Azure-provided
Observed behavior:
- VM in spoke can ping hub VM by IP address
- nslookup app01.corp.local returns NXDOMAIN

Subnet-Web configuration:
- NAT gateway: nat-web
- Route table association: rt-web
Route table rt-web:
- 0.0.0.0/0 -> Virtual appliance 10.1.0.4
- 10.1.0.0/16 -> Virtual network
Observed issue: Internet-bound traffic still exits through the virtual appliance.
Subnet design notes: 28 VM NICs; 4 private endpoints; 2 internal load balancer frontend IP configurations; 5 additional IPs reserved for short-term growth.
Effective routes on NIC vm-app01:
  Address prefix | Next hop type | Source
  10.20.0.0/16 | Virtual network | System
  10.30.0.0/16 | Virtual network gateway | BGP
  0.0.0.0/0 | Virtual appliance | User
The VM is in 10.20.0.0/16 and is connected to a VPN gateway that advertises 10.30.0.0/16.
Troubleshooting summary: VM1 to VM2 on TCP 1433 shows Status = Blocked; connection troubleshooting reports that the destination is reachable at the route level; the administrator needs the specific allow or deny rule name.
NSG: nsg-app
Inbound security rules:
- Priority 100 Deny TCP 8443 Source: VirtualNetwork Destination: AppTier-ASG
- Priority 200 Allow TCP 8443 Source: WebTier-ASG Destination: AppTier-ASG
- Priority 300 Allow TCP 443 Source: VirtualNetwork Destination: AppTier-ASG
ASG membership:
- VM-Web1 is in WebTier-ASG
- VM-App1 is in AppTier-ASG
Observed result:
- VM-Web1 cannot connect to VM-App1 on TCP 8443

Existing address spaces:
- Hub virtual network: 10.50.0.0/16
- On-premises network: 10.51.0.0/16
New spoke virtual network requirements:
- Must be peered to the hub
- May later connect to on-premises through VPN
- Must not overlap with any existing network range
From VM-B in VNet-B: nslookup mystorage.blob.core.windows.net returns 20.52.10.7; the storage account has a private endpoint in VNet-A at 10.4.1.5; the private DNS zone privatelink.blob.core.windows.net is linked only to VNet-A.
Inbound NSG rules on the app subnet:
  Priority 100 Deny TCP 8443 Source: VirtualNetwork Destination: Any
  Priority 110 Allow TCP 8443 Source: AzureLoadBalancer Destination: Any
  Priority 200 Deny Any Source: Any Destination: Any
The web tier and app tier are in the same virtual network. The app tier uses application security group ASG-App. The web tier uses application security group ASG-Web.
Storage access requirement: the public endpoint must stay enabled; access must be limited to one Azure subnet; no private IP should be created in the virtual network; administrators do not want a private DNS zone.
Topology:
- Internet users sign in to the Azure portal
- Management connection must be initiated from a browser
- The target Windows VM has no public IP address
- The security team does not allow a VPN client on administrator laptops
- RDP must remain off the public Internet
NSG: App-NSG inbound rules; Priority 100: Deny TCP 443, Source=VirtualNetwork, Destination=Any; Priority 110: Allow TCP 443, Source=WebTierASG, Destination=DbTierASG; Priority 200: Allow TCP 443, Source=AzureLoadBalancer, Destination=Any; Default rule: DenyAllInBound.
Storage account access requirements:
- Access should be limited to subnet AppSubnet
- The storage account should keep using its public endpoint
- No private endpoint should be created
- No private DNS zone should be managed
- The workload is allowed to use Azure platform integration features

Workload subnet requirements:
- 41 VM NICs
- 2 internal load balancer frontend IP configurations
- 3 private endpoint IPs
- 1 Azure Bastion host
- Azure reserves 5 IP addresses in every subnet
Planned subnet must be a single subnet in one virtual network.

Troubleshooting notes:
- Source VM: vm-app01
- Destination VM: vm-sql01
- Port: TCP 1433
- Symptom: Connection times out
- Goal: Verify whether the packet is allowed or denied by NSG rules and identify the rule name
- Need a point-in-time check from the VM NIC perspective

NSG rule summary:
  Rule 1: Allow-Web-To-Api, Source=ASG-Web, Destination=ASG-Api, Port=8443, Action=Allow, Priority=300
ASG membership:
- WebVM01 NIC = ASG-Web
- WebVM02 NIC = ASG-Web
- ApiVM01 NIC = none
- ApiVM02 NIC = none
Observed result: Connections from WebVM01 to ApiVM01 on TCP 8443 fail.

Gateway deployment validation output:
  GatewaySubnet: Present
  Gateway type: VPN
  VPN type: Route-based
  Validation error: A public IP address resource must be specified for the gateway.
  Current gateway configuration: No public IP attached.

Subnet NSG inbound rules:
  Priority 100 Deny-RDP-All Source: Any Destination: Any Protocol: TCP Port: 3389
  Priority 200 Allow-RDP-Admin Source: 192.168.10.0/24 Destination: Any Protocol: TCP Port: 3389
  Priority 65000 AllowVNetInBound Source: VirtualNetwork Destination: VirtualNetwork Protocol: Any Port: *
Client IP: 192.168.10.25
Symptom: RDP times out before the logon prompt appears.

Inbound NSG rules on subnet AppSubnet:
1. Priority 100: Deny-HTTPS, Source=Any, Destination=Any, Port=443, Action=Deny
2. Priority 200: Allow-HTTPS-Admins, Source=10.10.1.0/24, Destination=Any, Port=443, Action=Allow
Observed result: Admins from 10.10.1.25 cannot open the site on TCP 443.

Effective routes for Subnet-Apps:
  0.0.0.0/0 -> Virtual appliance 10.1.1.4
  10.50.1.0/24 -> Internet
  10.0.0.0/8 -> Virtual network
Observed destination: 10.50.1.20

NSG rule on ApiSubnet:
  Priority 200 Allow-WebToApi Source: ASG-Web Destination: ASG-Api Protocol: TCP Port: 8443
  Priority 300 Deny-All-Other Source: Any Destination: Any Protocol: Any Port: *
VM inventory:
  web01 NIC: Member of ASG-Web
  api01 NIC: Not a member of ASG-Api
Symptom: TCP 8443 connections from web01 to api01 are denied.

VNet-DevA address space: 10.20.0.0/16
VNet-DevB address space: 10.20.128.0/17
Peering status: Not created
Deployment note: The peering wizard returns an address space overlap error.

Azure portal validation output:
  Resource group: rg-network
  Virtual network: vnet-hub
  Subnet: GatewaySubnet exists
  Error: The virtual network gateway requires a public IP address to terminate VPN connections.

Hub-and-spoke topology:
- Hub VNet contains an active VPN gateway.
- Spoke VNet has no gateway.
- Requirement: Spoke resources must route on-premises traffic through the hub gateway.
- Current spoke-to-hub peering settings: Allow virtual network access = Enabled, Use remote gateways = Disabled.
Drag a concept onto its matching description — or click a concept then click the description.
The address spaces overlap, so one range must be changed before peering can be created.
Create VNet peering; it provides private connectivity without a VPN gateway.
Enable gateway transit on the hub peering and use remote gateways on the spoke peering.
VNet peering is not transitive, so A must be connected to C directly or routed through an appliance.
Create a new non-overlapping address space and migrate workloads before removing the old range.
Drag a concept onto its matching description — or click a concept then click the description.
The priority 200 deny is evaluated first and blocks the flow.
The destination NIC must be added to ASG-Api for the rule to match.
The service tag does not represent the workstation's IP; a rule for the real source or a VPN path is needed.
NSGs are stateful, so the return traffic is allowed automatically.
The lower-number deny rule wins because NSGs stop at the first matching rule.
VNet-Prod address space: 10.40.0.0/16
VNet-Shared address space: 10.40.128.0/17
Operation result: Create peering failed
Error: Address space overlap detected between the selected virtual networks.
Drag a concept onto its matching description — or click a concept then click the description.
Add a more specific /32 UDR for that public IP with next hop Internet.
The system route for the peered VNet prefix is more specific than the /8 UDR, so it wins unless a longer UDR is added.
The /24 route wins because Azure chooses the longest matching prefix.
Only resources in Subnet-A are affected; other subnets keep their own system or custom routes.
The /32 host route takes precedence over the broader prefix.
Drag a concept onto its matching description — or click a concept then click the description.
Create a private endpoint and link the correct private DNS zone to the VNet.
Use a service endpoint on the subnet and allow that subnet in the storage account network rules.
The private DNS zone is missing, not linked to the VNet, or the record has not been populated.
Use a service endpoint with a network rule on the SQL server.
Use the storage firewall with a virtual network rule for AppSubnet; if the on-premises source also needs access, allow its public IP separately. No private endpoint is required.