Below is our sixth free AZ-500 Practice Test. This final test in our 8-part series is designed to help you review advanced Azure security topics and assess your readiness for the Microsoft Azure Security Engineer Associate certification. Use it as a final step in your exam preparation journey.
Question 1 of 20
A security team is testing Azure Front Door’s Web Application Firewall (WAF) rules. During the test, they want to log all matching requests without blocking them. Later, in production, they need WAF to block matching requests immediately and stop checking lower-priority rules.
Which WAF modes should they use for the testing and production phases, respectively?
Question 2 of 20
A company uses Azure Application Gateway to host multiple applications. They need to:
Apply a single WAF configuration to all applications hosted behind the gateway.
Apply different WAF settings to specific sites.
Customize WAF rules for specific URLs within a site.
Which type of WAF policy association should they use for each requirement, respectively?
Question 3 of 20
Which of the following is the most important initial step in preparing an effective DDoS response strategy within an organization?
Question 4 of 20
You have integrated Azure DDoS Protection with Azure Monitor. Which resource types allow you to view DDoS telemetry for a protected public IP address? (Choose three.)
Question 5 of 20
A company wants to use Azure Bastion to secure the RDP and SSH connections to the VMs. Which of the following role assignments are required to connect to a VM using Azure Bastion? (Choose two.)
Question 6 of 20
An administrator is requesting access to a Just-in-Time (JIT) enabled Azure virtual machine from the Connect page in the Azure portal. Which action should they take to gain access?
Question 7 of 20
John is creating a network-isolated Azure Kubernetes Service (AKS) cluster in the company’s Azure portal. A common approach to restrict outbound traffic is to use a firewall device with egress rules and FQDNs, but this is cumbersome if the only requirement is to create an isolated cluster with no outbound dependencies for bootstrapping. Which alternative solution should John use?
Question 8 of 20
An organization has two Azure Kubernetes Service (AKS) clusters in different virtual networks (VNets). Both clusters are restricted to internal access within their respective security zones, and the company needs the source AKS cluster to communicate with an internal load balancer in the destination AKS cluster without traversing the internet. Which solution should they implement?
Question 9 of 20
Your organization is securing an Azure Kubernetes Service (AKS) cluster in accordance with Azure’s best security practices. Which of the following represent some of the most significant security risks facing AKS deployments? (Choose two.)
Question 10 of 20
Jane creates a custom log format to enable log collection in an Azure Kubernetes Service deployment. She defines the following custom log format using Azure Log Analytics’ Common Event Format (CEF).
[Version]
CEF:0|AzureLogAnalytics|AKS|1.0|AKSLog|1.0|AKS Log|
[Event]
name=AKS Log
timestamp=2024-07-20T16:30:00.0000000Z
severity=INFO
category=AKS
data=AKS Log Data
[Product]
Event Source=AKS
Which annotation should be added to the Azure deployment to finalize the log collection?
Question 11 of 20
You’re configuring Azure AD pod identity to manage pods running in an Azure Container Instance. Which Azure CLI command allows you to view the AzureIdentityBinding resource that connects AzureIdentity to a selector?
Question 12 of 20
Which configuration steps are necessary to create the Azure Kubernetes Service RBAC read and writer role assignments scoped to a particular namespace within the cluster? (Choose two.)
Question 13 of 20
Which Azure Kubernetes Service plugin enables non-interactive logins, supports older kubectl versions, and leverages SSO across multiple clusters without requiring sign-in to a new cluster?
Question 14 of 20
Which of the following pieces of information should be specified to enable Azure Container Instances (ACI) to send data to your Log Analytics workspace and enable logging?
Question 15 of 20
You run Azure Container Instances that pull images from a private Azure Container Registry. You need to detect vulnerabilities in those images and prove that scanning is actually happening, without changing how ACI runs. Microsoft Defender for Cloud is enabled at the subscription level. Your ACR has diagnostic settings that send logs to a Log Analytics workspace. A recent query returned entries like:
Category: ContainerRegistryLoginEvents
OperationName: LoggedIn
Subject: b21cb118-5a59-4628-bab0-3c3f0e434cg6
and
Category: ContainerRegistryRepositoryEvents
OperationName: Pull
Subject: b21cb118-5a59-4628-bab0-3c3f0e434cg6
Repository: contoso/app:1.4.2
Which two actions together provide image vulnerability scanning for ACI-used images and verifiable audit evidence that Defender performed the scans? (Choose two.)
Question 16 of 20
You are auditing Azure Container Apps (ACA) using Azure policy. Which policy ensures that inbound communication for Container Apps is limited to callers within the Container Apps environment?
Question 17 of 20
You manage a Kubernetes cluster hosted in Azure and want to use Azure Security Center (ASC) to detect threats in real time. Based on ASC’s capabilities, which two of the following scenarios will ASC detect and alert you to, assuming appropriate monitoring (e.g., auditd) is enabled? (Choose two.)
Question 18 of 20
You’re configuring geo-replications to manage access to Azure Container Registry (ACR). How does Azure Traffic Manager maintain network latency for every push or pull image operation on a geo-replicated registry?
Question 19 of 20
You are designing a solution on Azure Confidential VMs (DCasv5 series) to meet strict compliance requirements. The organization requires that:
The OS disk must only be accessible by the virtual machine it belongs to.
Disk encryption keys must be tied to the VM’s Trusted Platform Module (TPM) and released only through an attested secure protocol that bypasses the hypervisor and host OS.
Data disks must also be encrypted, but binding their keys to the VM’s TPM is not a requirement.
Which configuration best meets these requirements?
Question 20 of 20
You are designing a rate-limiting strategy for a system with 10 APIs, where the overall throughput limit is 1000 requests per second (RPS) per IP. If you choose an even distribution strategy across all APIs, what is the maximum RPS allowed for each individual API before throttling occurs?