Microsoft Microsoft Certifications AZ-104 Questions & Answers

• Question 531:

  HOTSPOT

  You have an Azure subscription named Subscription1.

  In Subscription1, you create an Azure web app named WebApp1. WebApp1 will access an external service that requires certificate authentication.

  You plan to require the use of HTTPS to access WebApp1.

  You need to upload certificates to WebApp1.

  In which formats should you upload the certificate?

  To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  A PFX file contains the public key file (SSL Certificate) and its unique private key file. This is required for HTTPS access. The web app will distribute the public key (in a CER file) to clients that connect to the web app. The CER file is an SSL Certificate which has the public key of the external service. The external service will have the private key associated with the public key contained in the CER file.

• Question 532:

  HOTSPOT

  You are creating an Azure load balancer.

  You need to add an IPv6 load balancing rule to the load balancer.

  How should you complete the Azure PowerShell script? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Powershell command to create a load balancer rule (AzureRm module new version is AZ as given in below command): $lbrule1v6 = New-AzLoadBalancerRuleConfig -Name "HTTPv6" -FrontendIpConfiguration $FEIPConfigv6 -BackendAddressPool $backendpoolipv6 -Probe $healthProbe -Protocol Tcp -FrontendPort 80 -BackendPort 8080 Powershell command to create the load balancer using the previously created objects : New-AzLoadBalancer -ResourceGroupName NRP-RG -Name 'myNrpIPv6LB' -Location 'West US' -FrontendIpConfiguration $FEIPConfigv6 -InboundNatRule $inboundNATRule1v6 -BackendAddressPool $backendpoolipv6 -Probe $healthProbe -LoadBalancingRule $lbrule1v6

  References: https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-ipv6-internet-ps

• Question 533:

  HOTSPOT

  Your company has offices in New York and Los Angeles.

  You have an Azure subscription that contains an Azure virtual network named VNet1. Each office has a site-to-site VPN connection to VNet1.

  Each network uses the address spaces shown in the following table.

  

  You need to ensure that all Internet-bound traffic from VNet1 is routed through the New York office. What should you do? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Box 1 : Set-AzureRmVirtualNetworkGatewayDefaultSite

  The Set-AzureRmVirtualNetworkGatewayDefaultSite cmdlet assigns a forced tunneling default site to a virtual network gateway. Forced tunneling provides a way for you to redirect Internet-bound traffic from Azure virtual machines to your on-

  premises network; this enables you to inspect and audit traffic before releasing it. Forced tunneling is carried out by using a virtual private network (VPN) tunnel; this tunnel requires a default site, a local gateway where all the Azure Internet-

  bound traffic is redirected. Set-AzureRmVirtualNetworkGatewayDefaultSite provides a way to change the default site assigned to a gateway.

  Box 2 : 0.0.0.0/0

  Forced tunneling must be associated with a VNet that has a route-based VPN gateway. You need to set a "default site" among the cross-premises local sites connected to the virtual network. Also, the on-premises VPN device must be

  configured using 0.0.0.0/0 as traffic selectors.

  Forced Tunneling:

  The following diagram illustrates how forced tunneling works

  

  Reference: https://docs.microsoft.com/en-us/powershell/module/azurerm.network/set-azurermvirtualnetworkgatewaydefaultsite?view=azurermps-6.13.0 https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-forced-tunneling-rm

• Question 534:

  HOTSPOT

  You have an Azure web app named WebApp1 that runs in an Azure App Service plan named ASP1.

  ASP1 is based on the D1 pricing tier.

  You need to ensure that WebApp1 can be accessed only from computers on your on-premises network. The solution must minimize costs.

  What should you configure? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Box 1: B1

  B1 (Basic) would minimize cost compared P1v2 (premium) and S1 (standard).

  Box 2: Cross Origin Resource Sharing (CORS)

  Once you set the CORS rules for the service, then a properly authenticated request made against the service from a different domain will be evaluated to determine whether it is allowed according to the rules you have specified.

  Note: CORS (Cross Origin Resource Sharing) is an HTTP feature that enables a web application running under one domain to access resources in another domain. In order to reduce the possibility of cross-site scripting attacks, all modern

  web browsers implement a security restriction known as same-origin policy. This prevents a web page from calling APIs in a different domain. CORS provides a secure way to allow one origin (the origin domain) to call APIs in another origin.

  References:

  https://azure.microsoft.com/en-us/pricing/details/app-service/windows/

  https://docs.microsoft.com/en-us/azure/cdn/cdn-cors

• Question 535:

  HOTSPOT

  You need to deploy two Azure web apps named WebApp1 and WebApp2. The web apps have the following requirements:

  1.

  WebApp1 must be able to use staging slots

  2.

  WebApp2 must be able to access the resources located on an Azure virtual network

  What is the least costly plan that you can use to deploy each web app? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  References: https://azure.microsoft.com/en-au/pricing/details/app-service/windows/ https://azure.microsoft.com/en-gb/pricing/details/app-service/plans/

• Question 536:

  HOTSPOT

  You have an Azure subscription named Subscription1. You have a virtualization environment that contains the virtualization server in the following table.

  

  The virtual machines are configured as shown on the following table.

  

  All the virtual machines use basic disks. VM1 is protected by using BitLocker Drive Encryption (BitLocker). You plan to use Azure Site Recovery to migrate the virtual machines to Azure. Which virtual machines can you migrate? To answer,

  select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Not VM1 because it has BitLocker enabled.

  Not VM2 because the OS disk is larger than 2TB.

  Not VMC because the Data disk is larger than 4TB.

  References:

  https://docs.microsoft.com/en-us/azure/site-recovery/hyper-v-azure-support-matrix#azure-vm- requirements

• Question 537:

  HOTSPOT

  You plan to deploy 20 Azure virtual machines by using an Azure Resource Manager template. The virtual machines will run the latest version of Windows Server 2016 Datacenter by using an Azure Marketplace image.

  You need to complete the storageProfile section of the template. How should you complete the storageProfile section? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  ..

  "storageProfile": {

  "imageReference": {

  "publisher": "MicrosoftWindowsServer",

  "offer": "WindowsServer",

  "sku": "2016-Datacenter",

  "version": "latest"

  },

  ...

  References:

  https://docs.microsoft.com/en-us/rest/api/compute/virtualmachines/createorupdate

• Question 538:

  HOTSPOT

  You plan to create a new Azure Active Directory (Azure AD) role. You need to ensure that the new role can view all the resources in the Azure subscription and issue support requests to Microsoft. The solution must use the principle of least

  privilege. How should you complete the JSON definition? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Box 1: "*/read",

  */read lets you view everything, but not make any changes.

  Box 2: " Microsoft.Support/*"

  The action Microsoft.Support/* enables creating and management of support tickets.

  References:

  https://docs.microsoft.com/en-us/azure/role-based-access-control/tutorial-custom-role-powershell

  https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-rolesg/details/app-service/windows/

  https://azure.microsoft.com/en-gb/pricing/details/app-service/plans/

• Question 539:

  HOTSPOT

  You have an Azure subscription.

  You need to implement a custom policy that meet the following requirements:

  *Ensures that each new resource group in the subscription has a tag named organization set to a value of Contoso.

  *Ensures that resource group can be created from the Azure portal. *Ensures that compliance reports in the Azure portal are accurate. How should you complete the policy? To answer, select the appropriate options in the answers area.

  Hot Area:

  

  Correct Answer:

  

  Box 1: "Microsoft.Resources/subscriptions/resourceGroups" To create a new resource group in a subscription, account have at least the this permission.

  Box 2: "Append" Append adds fields to the resource when the if condition of the policy rule is met. If the append effect would override a value in the original request with a different value, then it acts as a deny effect and rejects the request. To append a new value to an existing array, use the [*] version of the alias

  Reference: https://docs.microsoft.com/en-us/azure/governance/policy/concepts/definition-structure https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles https://docs.microsoft.com/en-us/azure/governance/policy/concepts/effects

• Question 540:

  HOTSPOT

  You have an Azure subscription named Subscription1.

  You plan to deploy an Ubuntu Server virtual machine named VM1 to Subscription1. You need to perform a custom deployment of the virtual machine. A specific trusted root certification authority (CA) must be added during the deployment.

  What should you do? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Box 1: Cloud-init.txt

  Cloud-init.txt is used to customize a Linux VM on first boot up. It can be used to install packages and write files, or to configure users and security. No additional steps or agents are required to apply your configuration.

  Box 2: The az vm create command

  Once Cloud-init.txt has been created, you can deploy the VM with az vm create cmdlet, sing the -- customdata parameter to provide the full path to the cloud-init.txt file.

  References:

  https://docs.microsoft.com/en-us/azure/virtual-machines/linux/tutorial-automate-vm-deployment