Technical Lab: Associate public IP addresses to resources
Questionsβ
Question 1 β Multiple Choiceβ
An operations team needs to ensure that a virtual machine in Azure always maintains the same public IP address, even after reboots or reallocations by the platform. The address will be registered in external DNS and used by partners for inbound connections.
Which SKU and allocation method configuration adequately meets this requirement?
A) Basic SKU with Static allocation
B) Standard SKU with Dynamic allocation
C) Standard SKU with Static allocation
D) Basic SKU with Dynamic allocation, since the IP only changes when the resource is deallocated
Question 2 β Technical Scenarioβ
An engineer creates a Standard Load Balancer public and tries to associate it with a Basic SKU public IP address previously existing in the subscription. The operation fails with an incompatibility error.
Error: PublicIPAddressSkuMismatch
The public IP address SKU must match the load balancer SKU.
What is the root cause and the correct action to solve this problem?
A) The Basic IP address needs to be converted to Standard SKU directly through the Azure portal
B) The Standard Load Balancer requires Standard SKU public IPs; the Basic IP must be replaced with a new Standard SKU one
C) The error occurs because the IP is associated with another NIC; just disassociate it before linking to the Load Balancer
D) Just change the Basic IP allocation method from Dynamic to Static to make it compatible with the Standard Load Balancer
Question 3 β True or Falseβ
A Standard SKU public IP address with Static allocation, when disassociated from all resources and maintained as a standalone resource in the subscription, continues to generate charges.
Question 4 β Technical Scenarioβ
An architect is designing a solution with an Azure Firewall in a hub VNet. She needs to associate multiple public IP addresses to the firewall to support different SNAT ranges for distinct workloads. When trying to configure, she notices that the portal requests a specific resource in addition to individual public IPs.
Which resource should be created and associated with Azure Firewall to efficiently group and manage multiple public IP addresses?
A) A Network Security Group with outbound rules for each public IP
B) A public IP prefix (Public IP Prefix), which ensures contiguous IPs and facilitates external firewall rule configuration
C) An additional Basic SKU public IP for each workload, associated individually
D) A user-defined route (UDR) pointing each destination prefix to the corresponding public IP
Question 5 β Multiple Choiceβ
An organization associated a Standard SKU public IP address directly to a virtual machine's NIC. Subsequently, the security team requires that all outbound traffic from this VM go through inspection before leaving to the internet.
What is the default behavior of Standard SKU that most impacts this architectural decision compared to Basic SKU?
A) Standard SKU blocks all inbound traffic by default, requiring explicit NSG rules for release
B) Standard SKU does not allow direct association to VM NICs, being restricted to Load Balancers and Application Gateways
C) Standard SKU uses Dynamic allocation by default, changing the IP after each VM reboot
D) Standard SKU applies zone redundancy automatically, which prevents association with NICs in specific availability zones
Answer Key and Explanationsβ
Answer Key β Question 1β
Answer: C
The Standard SKU with Static allocation is the only one that guarantees the two required properties: IP address permanence even in deallocations and support for production scenarios with reliable connectivity. Basic SKU with Static allocation (alternative A) maintains the fixed IP while the resource exists, but Basic SKU is being discontinued and doesn't offer the zone redundancy and security by default guarantees of Standard. Alternative D is incorrect because, even with Dynamic allocation in Basic SKU, the IP can change after a complete VM deallocation, which would break the external DNS record. Standard SKU with Dynamic allocation (alternative B) doesn't exist: Standard IPs are always Static.
Answer Key β Question 2β
Answer: B
Azure enforces that the public IP SKU must match the Load Balancer SKU. A Standard Load Balancer only accepts Standard SKU public IPs. There is no native mechanism to convert a Basic SKU public IP to Standard; the resource needs to be recreated. Alternative A is incorrect because this direct conversion is not supported by the platform. Alternative C describes a different problem (association conflict), not the cause of the SKU error. Alternative D is incorrect because the allocation method (Dynamic or Static) is independent of the SKU and doesn't resolve the incompatibility between Basic and Standard.
Answer Key β Question 3β
True
Standard SKU public IP addresses generate charges based on resource existence, regardless of whether they are associated with any resource. Unlike some Azure resources that only charge during active use, Standard public IP starts accumulating cost from the moment it is provisioned. This represents a relevant behavioral difference compared to Basic SKU, where unassociated IPs also generate charges, but the pricing model differs. The practical implication is that idle Standard public IPs should be deleted, not just disassociated, to avoid unnecessary costs.
Answer Key β Question 4β
Answer: B
The Public IP Prefix is an Azure resource that reserves a contiguous block of Standard SKU public IP addresses. For Azure Firewall, it allows associating multiple public IPs in an organized way and also facilitates creating release rules in external firewalls or partners, since all IPs belong to the same CIDR range. Alternative A is incorrect because NSGs control traffic, they don't group public IPs. Alternative C uses Basic SKU, incompatible with Azure Firewall. Alternative D describes UDRs, which control VNet internal routing and have no relation to grouping public IPs in the firewall.
Answer Key β Question 5β
Answer: A
The most relevant security behavior of Standard SKU is that it is secure by default: all inbound traffic is denied until explicit NSG rules are created. This contrasts directly with Basic SKU, which allows inbound traffic by default. For the described architectural decision, this means the security team already has a mandatory control layer, but it should be complemented with routes and policies to ensure outbound traffic inspection. Alternative B is incorrect because Standard IPs can indeed be associated with VM NICs. Alternative C is incorrect because Standard IPs are always Static. Alternative D is incorrect because zone redundancy doesn't prevent association with NICs in specific zones.