HashiCorp Consul Associate Exam Actual Questions

Text Material Preview

Dumpsinfo is a good website providing the latest exams information and dumps
questions for all hot IT certification exams, such as Microsoft, Cisco, Huawei, 
IBM, VMware, Fortinet, and so on.
Features of Dumpsinfo’s products
Instant Download
Free Update in 3 Months
Money back guarantee
PDF and Software
24/7 Customer Support
Besides, Dumpsinfo also provides unlimited access. You can get all Dumpsinfo
files at lowest price.
HashiCorp Certified: Consul Associate Consul Associate exam free dumps
questions are available below for you to study. 
Full version: Consul Associate Exam Dumps Questions
1.Which token is always assigned the Accessor ID of 00000000-0000-0000-0000-000000000002,
regardless of what cluster you are working on?
A. anonymous token
B. Consul DNS token
C. master token
D. the second token created by the user
Answer: A
Explanation:
The anonymous token is used when a request is made to Consul without specifying a bearer token.
The anonymous token's description and policies may be updated but Consul will prevent this token's
deletion.
When created, it will be assigned 00000000-0000-0000-0000-000000000002 for its Accessor ID and
anonymous for its Secret ID.
https://www.consul.io/docs/acl/acl-system.html#builtin-tokens
 1 / 12
https://www.dumpsinfo.com/vendors/microsoft/
https://www.dumpsinfo.com/vendors/cisco/
https://www.dumpsinfo.com/vendors/huawei/
https://www.dumpsinfo.com/vendors/ibm/
https://www.dumpsinfo.com/vendors/vmware/
https://www.dumpsinfo.com/vendors/fortinet/
https://www.dumpsinfo.com/unlimited-access/
https://www.dumpsinfo.com/exam/consul-associate
2.True or False? Once created, the bootstrap token should be saved in a secure place, as it can
never be replaced without reinstalling the Consul server.
A. true
B. false
Answer: B
Explanation:
While the bootstrap token should be protected at all costs, it can actually be reset if the bootstrap
token is lost or misplaced. This is done by resetting the ACL system by updating the index.
https://learn.hashicorp.com/consul/security-networking/acl-troubleshooting#reset-the-acl-system
3.Based on the screenshot below, select the answers that are true: (select three)
A. Consul will continue to send traffic to this host since the host is healthy
B. although the host has registered, the health check is failing
C. there is a single node that has registered the counting service
D. Consul will not send traffic to this host since the health check is failing
Answer: B,C,D
Explanation:
In this screenshot, you are viewing the counting service, which displays all the nodes that have
registered the counting service. As you can see, there is only a single node hosting this service,
however, the health check on this node is failing. Consul will not send traffic to any node where the
health check is failing.
 2 / 12
4.Which of the following health checks can be defined as a TCP check?
A. { "check": { "id": "web-app", "name": "Web App Status", "ttl": "30s" } }
B. { "check": { "id": "web-alias", "alias_service": "web" }
C. { "check": { "id": "ssh", "name": "SSH TCP on port 22", "tcp": "localhost:22", "interval": "10s",
"timeout": "1s" } }
D. { "check": { "id": "mem-util", "name": "Service health status", "grpc": "127.0.0.1:12345/my_service",
"grpc_use_tls": true, "interval": "10s" } }
Answer: C
Explanation:
The ssh check is the only TCP check listed. The TCP port is defined by the tcp argument, in this
case,
localhost:22.
web-alias is an alias-check for a local service.
mem-util is a gRPC check for the specific service named my_service
web-app is a TTL health check
https://www.consul.io/docs/agent/checks.html#check-definition
5.Bob is responsible for a long-running application at Startup, Inc. Since the DevOps team has
selected Consul for service discovery features, Bob has registered the application with Consul so
microservices can discover and communicate with this legacy app. However, Bob needs to be able to
update the service configuration to add a health check to the service definition without restarting the
Consul client.
How can Bob add the health check without negatively impacting the local Consul agent?
A. simply update the file and Consul will automatically pick up the new changes
B. run a consul reload to pick up the new configuration
C. change the service configuration file to use -config-dir instead of config-file and restart the agent
D. run a consul watch command to push the new configuration to Consul
Answer: B
Explanation:
In this case, Bob can run a consul reload in order to trigger a reload of the configuration file.
Remember that not all configuration options are reloadable, but updating/adding a service
configuration change is supported by a consul reload.
More about consul reload can be found here.
More about the supported reloadable configurations can be found here.
6.Scenario: You are manually creating Consul snapshots in preparation for an upgrade.
You save two snapshots, as shown in the commands below:
After inspecting the snapshots, you have noticed that the version number of the snapshot is not
incrementing, and both snapshots display a value of 1.
Why is the value not incrementing?
 3 / 12
A. the version number does not correspond to the version of data, rather it is the snapshot format
version
B. since the snapshot name is different, the version indicates that it is the first version of a snapshot
with that particular name
C. the version is synonymous with the version of Consul, and this snapshot was created on a cluster
running Consul 1.x.x
D. the snapshot was not created with the proper flag to indicate it was not the first version of the
snapshot
Answer: A
Explanation:
The version field indicates the snapshot format version. This only refers to the structure of the
snapshot,
not the data contained within.
https://www.consul.io/docs/commands/snapshot/inspect.html#version
7.Sara has deployed a new application and has successfully registered the new service with Consul.
However, Sara needs to add health checks to the configuration to ensure the local agent understands
when the application is healthy or not.
How can Sara update the service definition without negatively impacting the Consul Agent or the
availability of the service itself? (select two)
A. update the service definition file and run a consul reload
B. update the service definition using the Consul API
C. deregister the service and re-register using the updated configuration definition file
D. update the service definition file and Consul will automatically pick up the changes
Answer: A,B
Explanation:
In this case, Sara can use the Consul API or update the configuration file and issue a consul reload
command so Consul will pick up the new service definition. Neither of these actions will negatively
impact the Consul agent nor the registered service.
https://www.consul.io/commands/reload
https://www.consul.io/api-docs/agent/service#register-service
 4 / 12
8.Select the following statements that are true in defining a prepared query: (select three)
A. used to filter the results of a service request
B. can only be used with the DNS interface
C. invoked by applications to retrieve results
D. objects that are defined at the data center level
Answer: A,C,D
Explanation:
Prepared queries are objects that are defined at the datacenter level. They only need to be created
once and are stored on the Consul servers. This method is similar to the values in Consul's KV store.
Once created, prepared queries can then be invoked by applications to perform the query and get the
latest results of the corresponding filter.
A policy could be used to control which version of an application should be used in a centralized way,
maybe by defining tags within the prepared query. This, of course, assumes that services were
registered with theproper tags as well.
While most folks will combine prepared queries with DNS, it's possible to read a prepared query using
Consul's API. See this page for more information about using the API.
https://learn.hashicorp.com/consul/developer-discovery/geo-failover
9.The LAN gossip pool provided by Serf requires that all cluster members (servers and clients) can
communicate over what tcp/udp port, by default?
A. 8301
B. 8300
C. 8500
D. 8600
Answer: A
Explanation:
LAN Serf: The Serf LAN port (TCP and UDP) requires port 8301. This port is used for all members of
the
datacenter to communicate.
https://www.consul.io/docs/install/ports
10.True or False? The Consul K/V should not be used to store sensitive data because it is not an
encrypted store.
A. False
B. True
Answer: B
Explanation:
This is true, the Consul K/V is NOT an encrypted store, nor does Consul have the ability to encrypt
data. If you want to store sensitive data, it is suggested you use Vault instead.
https://www.consul.io/docs/dynamic-app-config/kv
11.Which of the following is responsible for Consul functions such as leadership elections,
maintaining committed log entries, and establishing a quorum?
A. Serf
B. Raft
C. Connect
D. Network Coordinates
Answer: B
 5 / 12
Explanation:
Consul uses a consensus protocol to provide Consistency (as defined by CAP). The consensus
protocol is based on "Raft: In search of an Understandable Consensus Algorithm".
Leadership Elections:
Raft nodes are always in one of three states: follower, candidate, or leader. All nodes initially start out
as a follower. In this state, nodes can accept log entries from a leader and cast votes. If no entries are
received for some time, nodes self-promote to the candidate state. In the candidate state, nodes
request votes from their peers. If a candidate receives a quorum of votes, then it is promoted to a
leader.
Maintaining Committed Log Entries:
Once a cluster has a leader, it is able to accept new log entries. A client can request that a leader
append a new log entry (from Raft's perspective, a log entry is an opaque binary blob). The leader
then writes the entry to durable storage and attempts to replicate to a quorum of followers. Once the
log entry is considered committed, it can be applied to a finite state machine. The finite state machine
is application-specific; in Consul's case, we use MemDB to maintain cluster state. Consul's writes
block until it is both committed and applied. This achieves read after write semantics when used with
the consistent mode for queries.
Establishing a Quorum:
Consensus is fault-tolerant up to the point where a quorum is available. If a quorum of nodes is
unavailable, it is impossible to process log entries or reason about peer membership. More
information on the consensus protocol (Raft) can be found at this link.
12.Which nodes in a Consul datacenter participate in the WAN gossip pool? (select two)
A. Consul server nodes
B. Consul non-voting server nodes
C. Consul consumers (meaning any client accessing Consul - like a user desktop)
D. Consul client nodes
Answer: A,B
Explanation:
The WAN pool is globally unique, as all servers should participate in the WAN pool regardless of
datacenter. Membership information provided by the WAN pool allows servers to perform cross
datacenter requests. The integrated failure detection allows Consul to gracefully handle an entire
datacenter losing connectivity, or just a single server in a remote datacenter.
https://www.consul.io/docs/internals/gossip.html
13.You are using the Consul KV store and need to be able to easily list all of the keys in a given path.
What is the easiest way to do so?
A. consul kv read -recursive
B. consul kv get *.*
C. consul kv read
D. consul kv get -recurse
Answer: D
Explanation:
List all the keys in the store using the recurse options. Results are returned in lexicographical order.
https://learn.hashicorp.com/consul/getting-started/kv
14.The Consul KV store can be accessed by the following methods: (select three)
A. UI
B. CLI
 6 / 12
C. federated cluster
D. API
Answer: A,B,D
Explanation:
The KV store can be accessed by the consul kv CLI subcommands, HTTP API, and Consul UI.
https://www.consul.io/docs/agent/kv.html#accessing-the-kv-store
15.Select the benefits that the LAN gossip pool provides to a Consul datacenter (select three)
A. reliable and fast event broadcasts
B. failure detection work to be shared by the entire cluster
C. automatically discover servers, reducing the amount of configuration needed
D. perform cross datacenter requests
Answer: A,B,C
Explanation:
Consul makes use of two different gossip pools. We refer to each pool as the LAN or WAN pool
respectively. Each datacenter Consul operates in has a LAN gossip pool containing all members of
the datacenter, both clients and servers. The LAN pool is used for a few purposes. Membership
information allows clients to automatically discover servers, reducing the amount of configuration
needed. The distributed failure detection allows the work of failure detection to be shared by the entire
cluster instead
of concentrated on a few servers. Lastly, the gossip pool allows for reliable and fast event broadcasts.
https://www.consul.io/docs/internals/gossip.html#gossip-in-consul
16.When manually creating a Consul snapshot, which of the following commands creates a snapshot
and saves it to the local node?
A. consul snapshot create practice-exam.snap
B. consul initiate snapshot practice-exam.snap
C. consul snapshot save practice-exam.snap
D. consul save snapshot practice-exam.snap
Answer: C
Explanation:
The consul snapshot save command is used to retrieve an atomic, point-in-time snapshot of the state
of
the Consul servers which includes key/value entries, service catalog, prepared queries, sessions, and
ACLs. The snapshot is saved to the given file.
https://www.consul.io/docs/commands/snapshot/save
17.Your security team has established company policies that require encryption keys to be rotated at
least once a year for all applicable systems. Consul has been identified as an affected system, and
the encryption key for gossip must be rotated across the entire environment. However, you have
multiple Consul clusters, each consisting of five Consul nodes and hundreds of services registered
with Consul, each of which has the gossip key explicitly written to the configuration file.
What built-in Consul feature allows you to distribute a new encryption key to all the servers and nodes
and remove the old one?
A. use the consul keyring command
B. use the consul keygen command
C. use consul exec command
D. use consul maint command
Answer: A
 7 / 12
Explanation:
The keyring command is used to examine and modify the encryption keys used in Consul's Gossip
Pools. It is capable of distributing new encryption keys to the cluster, retiring old encryption keys, and
changing the keys used by the Consul cluster to encrypt messages.
Steps to swap out the encryption key and satisfy the security team's requirements:
1) Create a new key - consul keygen
2) Install the new key - consul keyring -install <key>
3) Configure Consul to use the new key - consul keyring -use <key>
4) Remove the old key - consul keyring -remove <old key>
https://www.consul.io/docs/commands/keyring.html
18.True or False? When joining a new Consul agent to a cluster, the consul join command must
include all the server nodes that make up the cluster.
A. False
B. True
Answer: A
Explanation:
A new Consul agent may join any node in the existing cluster. After joining with one member, the
gossip communication will propagate the updated membership state across the cluster.
Therefore, you can type consul join <hostname> for a single Consul server node, and Consul will take
care of the rest.
19.Assuming Consul default configurations, which of thefollowing DNS records would be used to
access the service referenced by the following configuration:
{
"Name": "retail-app",
"Service": {
"Service": "inventory-app",
"Tags": ["v1.2.3"],
"Failover": {
"Datacenters": ["dc2", "dc3"]
}
}
}
A. retail-app.service.consul
B. inventory-app.query.consul
C. inventory-app.query.service.consul
D. retail-app.query.consul
Answer: D
Explanation:
The configuration provided in the question is a prepared query. The name of the prepared query is
retail-app, therefore the DNS record used to query this prepared query is retail-app.query.consul
since all prepared queries use the query namespace.
Technically, you could access the service directly by using inventory-app.service.consul and it would
connect the user directly to the inventory-app without taking the prepared query into account.
https://www.consul.io/api-docs/query
20.Scenario: You have a Consul cluster running in production, with multiple production workloads
using Consul for service discovery. Currently, there is an issue with registering a new service to
 8 / 12
Consul, so you want to modify the Consul log level to help troubleshoot the problem. After adjusting
the configuration file and changing the LOG_LEVEL parameter, the change hasn't taken place, and
you can't restart the Consul service due to fear of causing an outage.
How can you instruct Consul to update the configuration without restarting the service, so the new log
level is applied?
A. disable and reenable logging for Consul, thus forcing Consul to read the logging configuration
B. place the Consul node in maintenance mode
C. using the service manager such as systemctl, issue an update command
D. issue a consul reload command so Consul reads the configuration file again and applies the
changes
Answer: D
Explanation:
The consul reload command triggers a reload of configuration files for the agent. Not all configuration
options are reloadable. To see what configuration options are reloaded when a reload command is
issued, check out this link here.
https://www.consul.io/docs/commands/reload
21.What are two ways that a client or service can programmatically discover healthy nodes for a
service registered in a local Consul cluster? (select two)
A. User Interface (UI)
B. HTTP API
C. federation
D. DNS
Answer: B,D
Explanation:
Applications can discover healthy nodes of a particular service by accessing the DNS name of the
service (e.g., website.service.consul) or by making the request via Consul's HTTP API.
https://learn.hashicorp.com/consul/getting-started/services#query-services
22.You manage a Consul environment and have enabled Consul ACLs. Your co-worker needs
access to Consul for administrative tasks, so you provide them an ACL token. When the user runs a
command on the CLI, they get an access denied message in return.
How can this co-worker provide the ACL token for authentication to successfully run the desired
commands? (select four)
A. pass the token using the -token argument
B. place the token in a file and reference the file using -token-file argument
C. save the token in a file named token in the current working directory and Consul will automatically
use it for authentication
D. set the CONSUL_HTTP_TOKEN environment variable
E. set the CONSUL_HTTP_TOKEN_FILE environment variable referencing a file containing the token
F. use consul exec and provide the ACL token
Answer: A,B,D,E
Explanation:
There are multiple ways to provide the ACL token when using the CLI, including setting the
CONSUL_HTTP_TOKEN environment variable or using the -token argument. If you want to save the
token to a file, you can reference that file by setting the CONSUL_HTTP_TOKEN_FILE environment
variable or passing the file path using the -token-file argument.
https://www.consul.io/commands/acl/set-agent-token#token
https://www.consul.io/commands/acl/set-agent-token#token-file
https://www.consul.io/commands#environment-variables
 9 / 12
23.You need to determine the leader node for the Consul cluster.
What command allows you to quickly identify the nodes and their current roles within the cluster?
Example of the command's output:
A. consul operator raft list-peers
B. consul members
C. consul raft- list
D. consul nodes -leader
Answer: A
Explanation:
The Raft operator command is used to interact with Consul's Raft subsystem. Specifically, the list-
peers command will display the current Raft peer configuration, which shows the state of each node,
being either a leader or a follower.
https://www.consul.io/docs/commands/operator/raft.html#list-peers
24.You have successfully configured a watch using the agent configuration but need to add a second
watch to monitor additional services. You update and save the agent configuration, but the new watch
isn't working.
What must be done for the new watch to take effect?
{
"type": "key",
"key": "app1/config/database",
"args": ["/usr/bin/update-database.sh", "-webapp1"]
}
A. reload the configuration using consul reload
B. wait for raft to replicate the changes to all the other nodes
C. restart the Consul service as a consul reload won't read the entire configuration
D. you can only configure a single watch in the configuration file, all others must be done via
command
line using the consul watch command
Answer: A
Explanation:
Watches can be configured as part of the agent's configuration, causing them to run once the agent is
initialized. Reloading the agent configuration allows for adding or removing watches dynamically.
https://www.consul.io/docs/agent/watches.html
25.1.Based upon the DNS query output below, select the answers below which are true statements.
(select three)
 10 / 12
A. the retail service is currently unhealthy and no nodes are available
B. the retail service is running on the same host that has been queried
C. the retail service is running and is available
D. there is a single, healthy host running the retail service
E. the retail service is running on port 8600
Answer: B,C,D
Explanation:
The dig command, which is a DNS query tool, was executed on a local Consul server, hence the
127.0.0.1 in the initial command executed. The command was run against port 8600, since that is the
default port that Consul listens to for DNS queries.
Based on the answer section, you can see that a single response, which indicates that the retail
service is running on 127.0.0.1 - the same host as the dig command was run against. In addition, the
fact that an answer was returned indicates that the service is up and running and passing any
associated health checks since Consul will not return unhealthy hosts to a DNS query.
https://learn.hashicorp.com/consul/getting-started/services#dns-interface
26.There are several ways to register services in Consul. Select the valid options below: (select four)
A. through the UI for a visual configuration
B. using the API to register them with a JSON or HCL specification
C. using configuration files that are loaded at node startup
D. using the CLI to simplify this submission process
E. directly from a Consul-aware application
Answer: B,C,D,E
Explanation:
All of the above ways are valid options to register a service with Consul except for the Consul UI,
which does not provide an option to register a service with Consul.
https://learn.hashicorp.com/consul/developer-mesh/connect-services#register-the-services-and-
sidecar-proxies
 11 / 12
27.In order to provide high availability and ensure that Consul's state is preserved even if a server
fails, HashiCorp suggests that Consul should be configured to run __________.
A. on a public cloud platform that can provide hardware redundancy
B. only Kubernetes to provide scheduling for new Consul nodes
C. on as many servers as needed to scale for performance
D. in a cluster made up of three to five serversAnswer: D
Explanation:
In order to make sure that Consul's state is preserved even if a server fails, you should always run
either three or five servers in production. The odd number of servers (and no more than five of them)
strikes a balance between performance and failure tolerance. When scaled beyond (7) servers, the
network requirements needed to maintain replication between the clusters may negatively impact the
performance of Consul.
Additionally, Consul is a platform and cloud-agnostic solution, meaning that it doesn't have to be run
on specific technology for customers to reap the benefits of using Consul.
 12 / 12