Microsoft Microsoft Certifications AZ-104 Questions & Answers

• Question 101:

  You have an Azure subscription named Subscription1 that has the following providers registered:

  1.

  Authorization

  2.

  Automation

  3.

  Resources

  4.

  Compute

  5.

  KeyVault

  6.

  Network

  7.

  Storage

  8.

  Billing

  9.

  Web

  Subscription1 contains an Azure virtual machine named VM1 that has the following configurations:

  1.

  Private IP address: 10.0.0.4 (dynamic)

  2.

  Network security group (NSG): NSG1

  3.

  Public IP address: None

  4.

  Availability set: AVSet

  5.

  Subnet: 10.0.0.0/24

  6.

  Managed disks: No

  7.

  Location: East US

  You need to record all the successful and failed connection attempts to VM1.

  Which three actions should you perform? Each correct answer presents part of the solution.

  NOTE: Each correct selection is worth one point.

  A. Register the Microsoft.Insights resource provider

  B. Add an Azure Network Watcher connection monitor

  C. Register the Microsoft.LogAnalytics provider

  D. Enable Azure Network Watcher in the East US Azure region

  E. Create an Azure Storage account

  F. Enable Azure Network Watcher flow logs

  Correct Answer: AEF

  When you create or update a virtual network in your subscription, Network Watcher will be enabled automatically in your Virtual Network's region. There is no impact to your resources or associated charge for automatically enabling Network Watcher. For more information, see Network Watcher create.

  Create a VM with a network security group Enable Network Watcher (done by default with the vnet/subnet creation) -- and register the Microsoft.Insights provider ---------todo Enable a traffic flow log for an NSG, using Network Watcher's NSG flow log capability --todo BUT ! NSG flow log data is written to an Azure Storage account. Complete the following steps to create a storage account for the log data. So you need to create a storage account before enable the NSG flow Download logged data View logged data

  References: https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-portal

• Question 102:

  You create the following resources in an subscription:

  1.

  An Azure Container Registry instance named Registry1

  2.

  An Azure Kubernetes Service (AKS) cluster named Cluster1

  You create a container image named App 1 on your administrative workstation.

  You need to deploy App1 to cluster 1. What should you do first?

  A. Create a host pool on Cluster1

  B. Run the docker push command.

  C. Run the kubect1 apply command.

  D. Run the az aks create command.

  Correct Answer: B

  An Azure container registry stores and manages private Docker container images, similar to the way Docker Hub stores public Docker images. You can use the Docker command-line interface (Docker CLI) for login, push, pull, and other

  operations on your container registry. After you login to the registry you can run push command to upload the image.

  Below is an sample of that command

  docker push myregistry.azurecr.io/samples/nginx

  Run the az acr build command : Correct Choice

  az acr build command queues a quick build, providing streaming logs for an Azure Container Registry

  az acr build --registry

  [--agent-pool]

  [--auth-mode {Default, None}]

  [--build-arg]

  [--file]

  [--image]

  [--no-format]

  [--no-logs]

  [--no-push]

  [--no-wait]

  [--platform]

  [--resource-group]

  [--secret-build-arg]

  [--subscription]

  [--target]

  [--timeout]

  []

  Create a host pool on Cluster1 : Incorrect Choice

  Host pools are a collection of one or more identical virtual machines (VMs) within Windows Virtual Desktop environments. It won't deploy the app to the cluster.

  Run the docker push command : Incorrect Choice

  Use docker push to share your images to the Docker Hub registry or to a self-hosted one. It won't deploy the app to the cluster.

  Run the docker build command : Incorrect Choice

  This command will build an image from a Dockerfile. But in the question it has been said that image file is already built and need to deploy. This command will not deploy the image.

  Reference:

  https://docs.microsoft.com/en-us/cli/azure/acr?view=azure-cli-latest#az-acr-build

  https://docs.docker.com/engine/reference/commandline/push/

  https://docs.microsoft.com/en-us/azure/virtual-desktop/create-host-pools-azure-marketplace

  https://docs.docker.com/engine/reference/commandline/build/

  https://docs.microsoft.com/en-us/azure/container-registry/container-registry-get-started-docker-cli

• Question 103:

  You have an Azure Kubernetes Service (AKS) cluster named AKS1.

  You need to configure cluster autoscaler for AKS1.

  Which two tools should you use? Each correct answer presents a complete solution.

  NOTE: Each correct selection is worth one point.

  A. the set-AzAKs cmdlet

  B. the Azure portal

  C. The az aks command

  D. the kubect1 command

  E. the set Azvm cmdlet

  Correct Answer: BC

  AKS clusters can scale in one of two ways:

  The cluster autoscaler watches for pods that can't be scheduled on nodes because of resource constraints. The cluster then automatically increases the number of nodes. The horizontal pod autoscaler uses the Metrics Server in a

  Kubernetes cluster to monitor the resource demand of pods. If an application needs more resources, the number of pods is automatically increased to meet the demand.

  Reference:

  https://docs.microsoft.com/en-us/azure/aks/cluster-autoscaler

• Question 104:

  You plan to deploy several Azure virtual machines that will run Windows Server 2019 in a virtual machine scale set by using an Azure Resource Manager template.

  You need to ensure that NGINX is available on all the virtual machines after they are deployed.

  What should you use?

  A. a Desired State Configuration (DSC) extension

  B. the Publish-AzVMDscConfigurationCmdlet

  C. a Microsoft Intune device configuration profile

  D. Deployment Center in Azure App Service

  Correct Answer: A

  The primary use case for the Azure Desired State Configuration (DSC) extension is to bootstrap a VM to the Azure Automation State Configuration (DSC) service. The service provides benefits that include ongoing management of the VM

  configuration and integration with other operational tools, such as Azure Monitoring. Using the extension to register VM's to the service provides a flexible solution that even works across Azure subscriptions.

  You can use the DSC extension independently of the Automation DSC service.

  In the following example, the Azure CLI is used to deploy a custom script extension to an existing virtual machine, which installs a Nginx webserver.

  az vm extension set \

  --resource-group myResourceGroup \

  --vm-name myVM --name customScript \

  --publisher Microsoft.Azure.Extensions \

  --settings '{"commandToExecute": "apt-get install -y nginx"}

  Reference:

  https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/dsc-overview

• Question 105:

  You have an Azure subscription that contains the resources shown in the following table.

  

  You need to configure a proximity placement group for VMSS1.

  Which proximity placement groups should you use?

  A. Proximity2 only

  B. Proximity 1, Proximity2, and Proximity3

  C. Proximity 1 and Proximity3 only

  D. Proximity1 only

  Correct Answer: A

  Placement Groups is a capability to achieve co-location of your Azure Infrastructure as a Service (IaaS) resources and low network latency among them, for improved application performance.

  Azure proximity placement groups represent a new logical grouping capability for your Azure Virtual Machines, which in turn is used as a deployment constraint when selecting where to place your virtual machines. In fact, when you assign your virtual machines to a proximity placement group, the virtual machines are placed in the same data center, resulting in lower and deterministic latency for your applications.

  The VMSS should share the same region, even it should be the same zone as proximity groups are located in the same data center. Accordingly, it should be proximity 2 only.

  Reference: https://azure.microsoft.com/en-us/blog/introducing-proximity-placement-groups

• Question 106:

  You have an Azure subscription named Subscription1. Subscription1 contains a virtual machine named VM1. You have a computer named Computer1 that runs Windows 10. Computer1 is connected to the Internet. You add a network interface named Interface1 to VM1 as shown in the exhibit (Click the Exhibit button.)

  

  From Computer1, you attempt to connect to VM1 by using Remote Desktop, but the connection fails. You need to establish a Remote Desktop connection to VM1. What should you do first?

  A. Start VM1.

  B. Attach a network interface.

  C. Delete the DenyAllOutBound outbound port rule.

  D. Delete the DenyAllInBound inbound port rule.

  Correct Answer: A

  Note: Rules are processed in priority order, with lower numbers processed before higher numbers, because lower numbers have higher priority. Once traffic matches a rule, processing stops. As a result, any rules that exist with lower

  priorities (higher numbers) that have the same attributes as rules with higher priorities are not processed.

  References:

  https://docs.microsoft.com/en-us/azure/virtual-network/security-overview

• Question 107:

  You have an app named App1 that runs on an Azure web app named webapp1.

  The developers at your company upload an update of App1 to a Git repository named Git1.

  Webapp1 has the deployment slots shown in the following table.

  

  You need to ensure that the App1 update is tested before the update is made available to users. Which two actions should you perform? Each correct answer presents part of the solution.

  A. Stop webapp1 prod.

  B. Stop webapp1-test

  C. Deploy the App1 update to webapp1-test, and then test the update.

  D. Deploy the App1 update to webapp1-prod, and then test the update.

  E. Swap the slots.

  Correct Answer: CE

  You can validate web app changes in a staging deployment slot before swapping it with the production slot. Deploying an app to a slot first and swapping it into production makes sure that all instances of the slot are warmed up before being swapped into production. This eliminates downtime when you deploy your app. The traffic redirection is seamless, and no requests are dropped because of swap operations. You can automate this entire workflow by configuring auto swap when pre-swap validation isn't needed. After the swap you can deploy the App1 update to webapp1-test, and then test the update. If the changes swapped into the production slot aren't as per your expectation then you can perform the same swap immediately to get your "last known good site" back.

  Reference: https://docs.microsoft.com/en-us/azure/app-service/deploy-staging-slots

• Question 108:

  You have an Azure subscription that contains the resources shown in the following table.

  

  The Not allowed resource types Azure policy is assigned to RG1 and uses the following parameters:

  Microsoft.Network/virtualNetworks

  Microsoft.Compute/virtualMachines

  In RG1, you need to create a new virtual machine named VM2, and then connect VM2 to VNET1.

  What should you do first?

  A. Remove Microsoft.Network/virtualNetworks from the policy.

  B. Create an Azure Resource Manager template.

  C. Remove Microsoft.Compute/virtualMachines from the policy.

  D. Add a subnet to VNET1.

  Correct Answer: C

  The Not allowed resource types Azure policy prohibits the deployment of specified resource types.

  You specify an array of the resource types to block.

  Virtual Networks and Virtual Machines are prohibited.

  Reference:

  https://docs.microsoft.com/en-us/azure/governance/policy/samples/not-allowed-resource-types

• Question 109:

  You have an Azure web app named webapp1.

  You have a virtual network named VNET1 and an Azure virtual machine named VM1 that hosts a MySQL database. VM1 connects to VNET1.

  You need to ensure that webapp1 can access the data hosted on VM1.

  What should you do?

  A. Connect webapp1 to VNET1.

  B. Peer VNET1 to another virtual network.

  C. Deploy an Azure Application Gateway.

  D. Deploy an internal load balancer

  Correct Answer: C

  By connecting webapp1 to VNET1, the web app will be able to access the data hosted on VM1 through the virtual network. The other options do not directly address the requirement to allow webapp1 access to the data hosted on VM1. An internal load balancer and a peered virtual network may provide other benefits, but they would not by themselves ensure that webapp1 can access the data hosted on VM1. An Azure Application Gateway is a reverse proxy that is often used for load balancing, SSL termination, and URL-based routing, but it would not directly allow webapp1 to access the data hosted on VM1.

• Question 110:

  Your company has three offices. The offices are located in Miami, Los Angeles, and New York. Each office contains datacenter.

  You have an Azure subscription that contains resources in the East US and West US Azure regions. Each region contains a virtual network. The virtual networks are peered.

  You need to connect the datacenters to the subscription. The solution must minimize network latency between the datacenters.

  What should you create?

  A. three virtual WANs and one virtual hub

  B. three virtual hubs and one virtual WAN

  C. three On-premises data gateways and one Azure Application Gateway

  D. three Azure Application Gateways and one On-premises data gateway

  Correct Answer: B

  Virtual WAN: The virtualWAN resource represents a virtual overlay of your Azure network and is a collection of multiple resources. It contains links to all your virtual hubs that you would like to have within the virtual WAN. Virtual WANs are isolated from each other and can't contain a common hub. Virtual hubs in different virtual WANs don't communicate with each other.

  Hub: A virtual hub is a Microsoft-managed virtual network. The hub contains various service endpoints to enable connectivity. From your on-premises network (vpnsite), you can connect to a VPN gateway inside the virtual hub, connect ExpressRoute circuits to a virtual hub, or even connect mobile users to a point-to-site gateway in the virtual hub. The hub is the core of your network in a region. Multiple virtual hubs can be created in the same region.

  Reference: https://learn.microsoft.com/en-us/azure/virtual-wan/virtual-wan-about