Microsoft Microsoft Certifications AZ-104 Questions & Answers

• Question 581:

  HOTSPOT

  You have an Azure subscription named Subscription1.

  Subscription1 contains the virtual machines in the following table:

  

  Subscription1 contains a virtual network named VNet1 that has the subnets in the following table:

  

  VM3 has multiple network adapters, including a network adapter named NIC3. IP forwarding is enabled on NIC3. Routing is enabled on VM3. You create a route table named RT1 that contains the routes in the following table:

  

  You apply RT1 to Subnet1 and Subnet2.

  For each of the following statements, select Yes if the statement is true. Otherwise, select No.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  IP forwarding enables the virtual machine a network interface is attached to:

  Receive network traffic not destined for one of the IP addresses assigned to any of the IP configurations assigned to the network interface.

  Send network traffic with a different source IP address than the one assigned to one of a network interface's IP configurations.

  The setting must be enabled for every network interface that is attached to the virtual machine that receives traffic that the virtual machine needs to forward. A virtual machine can forward traffic whether it has multiple network interfaces or a

  single network interface attached to it.

  Box 1: Yes

  The routing table allows connections from VM3 to VM1 and VM2. And as IP forwarding is enabled on VM3, VM3 can connect to VM1.

  Box 2: No

  VM3, which has IP forwarding, must be turned on, in order for VM2 to connect to VM1.

  Box 3: Yes

  The routing table allows connections from VM1 and VM2 to VM3. IP forwarding on VM3 allows VM1 to connect to VM2 via VM3.

  Reference:

  https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview https://www.quora.com/What-is-IP-forwarding

• Question 582:

  HOTSPOT

  

  You have a virtual network named VNET1 that contains the subnets shown in the following table:

  You have two Azure virtual machines that have the network configurations shown in the following table:

  

  For NSG1, you create the inbound security rule shown in the following table:

  

  For NSG2, you create the inbound security rule shown in the following table:

  

  For each of the following statements, select Yes if the statement is true. Otherwise, select No.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Box 1: Yes

  The inbound security rule for NSG1 allows TCP port 1433 from 10.10.2.0/24 (or Subnet2 where VM2 and VM3 are located) to 10.10.1.0/24 (or Subnet1 where VM1 is located) while the inbound security rule for NSG2 blocks TCP port 1433

  from 10.10.2.5 (or VM2) to 10.10.1.5 (or VM1). However, the NSG1 rule has a higher priority (or lower value) than the NSG2 rule.

  Box 2: Yes

  No rule explicitly blocks communication from VM1. The default rules, which allow communication, are thus applied.

  Box 3: Yes

  No rule explicitly blocks communication between VM2 and VM3 which are both on Subnet2. The default rules, which allow communication, are thus applied.

  Reference:

  https://docs.microsoft.com/en-us/azure/virtual-network/security-overview

• Question 583:

  HOTSPOT

  You have an Azure subscription that contains a virtual network named VNet1. VNet1 uses an IP address space of 10.0.0.0/16 and contains the subnets in the following table:

  

  Subnet1 contains a virtual appliance named VM1 that operates as a router.

  You create a routing table named RT1.

  You need to route all inbound traffic from the VPN gateway to VNet1 through VM1.

  How should you configure RT1? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Box1 : 10.0.0.0/16

  Address prefix in networking refer to the destination IP address range. In this scenario, destination is Vnet1 , hence Address prefix will be the address space of Vnet1.

  Box 2 : Virtual appliance

  Next hop gets the next hop type and IP address of a packet from a specific VM and NIC. Knowing the next hop helps you determine if traffic is being directed to the intended destination, or whether the traffic is being sent nowhere Next Hop -> VM1 --> Virtual Appliance (You can specify IP address of VM 1 when configuring next hop as virtual appliance)

  Box 3 : GatewaySubnet

  In the scenario it is asked for all the inbound traffic to Vnet1. Inbound traffic is flowing through SubnetGW. You need to route all inbound traffic from the VPN gateway to VNet1 through VM1.So its traffic from Gateway subnet only.

  Reference:

  https://docs.microsoft.com/en-us/azure/virtual-network/manage-route-table#create-a-route-table

  https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-next-hop-overview

• Question 584:

  HOTSPOT

  You have an Azure subscription that contains the resources in the following table:

  

  In Azure, you create a private DNS zone named adatum.com. You set the registration virtual network to VNet2. The adatum.com zone is configured as shown in the following exhibit:

  

  For each of the following statements, select Yes if the statement is true. Otherwise, select No.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Box 1: No

  Azure DNS provides automatic registration of virtual machines from a single virtual network that's linked to a private zone as a registration virtual network. VM5 does not belong to the registration virtual network though.

  Box 2: No

  Forward DNS resolution is supported across virtual networks that are linked to the private zone as resolution virtual networks. VM5 does belong to a resolution virtual network.

  Box 3: Yes

  VM6 belongs to registration virtual network, and an A (Host) record exists for VM9 in the DNS zone.

  By default, registration virtual networks also act as resolution virtual networks, in the sense that DNS resolution against the zone works from any of the virtual machines within the registration virtual network.

  Reference:

  https://docs.microsoft.com/en-us/azure/dns/private-dns-overview

• Question 585:

  HOTSPOT

  You have an Azure subscription that contains a virtual machine scale set. The scale set contains four instances that have the following configurations:

  1.

  Operating system: Windows Server 2016

  2.

  Size: Standard_D1_v2

  You run the get-azvmss cmdlet as shown in the following exhibit:

  

  Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  The Get-AzVmssVM cmdlet gets the model view and instance view of a Virtual Machine Scale Set (VMSS) virtual machine. Box 1: 0 The enableAutomaticUpdates parameter is set to false. To update existing VMs, you must do a manual upgrade of each existing VM. Box 2: 1 Below is clearly mentioned in the official Website "The upgrade orchestrator identifies the batch of VM instances to upgrade, with any one batch having a maximum of 20% of the total instance count, subject to a minimum batch size of one virtual machine."So, 20% from 4 ~1

  Reference: https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-upgrade-scale-set https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-automatic-upgrade

• Question 586:

  HOTSPOT

  You have an Azure subscription named Subscription1. Subscription1 contains a virtual machine named VM1.

  You install and configure a web server and a DNS server on VM1.

  VM1 has the effective network security rules shown in the following exhibit:

  

  Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Box 1:

  Rule2 blocks ports 50-60, which includes port 53, the DNS port. Internet users can reach the Web server, since it uses port 80.

  Box 2:

  If Rule2 is removed internet users can reach the DNS server as well. Note: Rules are processed in priority order, with lower numbers processed before higher numbers, because lower numbers have higher priority. Once traffic matches a rule,

  processing stops. As a result, any rules that exist with lower priorities (higher numbers) that have the same attributes as rules with higher priorities are not processed.

  References:

  https://docs.microsoft.com/en-us/azure/virtual-network/security-overview

• Question 587:

  HOTSPOT

  You have an Azure Storage account named storage1 that uses Azure Blob storage and Azure File storage.

  You need to use AzCopy to copy data to the blob storage and file storage in storage1.

  Which authentication method should you use for each type of storage? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  You can provide authorization credentials by using Azure Active Directory (AD), or by using a Shared Access Signature (SAS) token.

  Box 1:

  Both Azure Active Directory (AD) and Shared Access Signature (SAS) token are supported for Blob storage.

  Box 2:

  Only Shared Access Signature (SAS) token is supported for File storage.

  Reference:

  https://docs.microsoft.com/en-us/azure/storage/common/storage-use-azcopy-v10

• Question 588:

  HOTSPOT

  You plan to create an Azure Storage account in the Azure region of East US 2.

  You need to create a storage account that meets the following requirements:

  1.

  Replicates synchronously.

  2.

  Remains available if a single data center in the region fails.

  How should you configure the storage account? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Box 1: Zone-redundant storage (ZRS)

  Zone-redundant storage (ZRS) replicates your data synchronously across three storage clusters in a single region.

  LRS would not remain available if a data center in the region fails

  GRS and RA GRS use asynchronous replication.

  Box 2: StorageV2 (general purpose V2)

  ZRS only support GPv2.

  Reference:

  https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy

  https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy-zrs

• Question 589:

  HOTSPOT

  You have an Azure subscription named Subscription1.

  In Subscription1, you create an Azure file share named share1.

  You create a shared access signature (SAS) named SAS1 as shown in the following exhibit:

  

  To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Box 1: will have no access

  The IP 193.77.134.1 does not have access on the SAS since this IP falls outside of the allowed IP address range for SAS. Hence "will have no access" is correct.

  Box 2: will be prompted for credentials

  The net use command is used to connect to file shares.To mount an Azure file share, you will need the primary (or secondary) storage key. SAS keys are not currently supported for mounting. Based on the provided SAS exhibit, IP address is

  an allowed IP and also on given date SAS is active, but account storage key is must to have to run the "net use" command , which is not provided in the question. Hence "will be prompted for credentials" is correct option for this. net use R:

  \rebelsa1.file.core.windows.net\rebelshare /user:Azure\rebelsa1

  References:

  https://docs.microsoft.com/en-us/azure/vs-azure-tools-storage-manage-with-storage- explorer?tabs=windows

  https://feedback.azure.com/forums/217298-storage/suggestions/14498352-allow-azure-files-shares-to-be-mounted-using-sas-s

  https://docs.microsoft.com/en-us/azure/storage/common/storage-sas-overview

  https://docs.microsoft.com/en-us/azure/storage/files/storage-how-to-use-files-windows

  http://www.rebeladmin.com/2018/03/step-step-guide-create-azure-file-share-map-windows-10/

• Question 590:

  HOTSPOT

  You have an Azure subscription that contains the resources shown in the following table:

  

  You assign a policy to RG6 as shown in the following table:

  

  To RG6, you apply the tag: RGroup: RG6.

  You deploy a virtual network named VNET2 to RG6.

  Which tags apply to VNET1 and VNET2? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  VNET1: Department: D1, and Label:Value1 only.

  Tags applied to the resource group or subscription are not inherited by the resources.

  Note: Azure Policy allows you to use either built-in or custom-defined policy definitions and assign them to either a specific resource group or across a whole Azure subscription.

  VNET2: Label:Value1 only.

  Incorrect Answers:

  RGROUP: RG6

  Tags applied to the resource group or subscription are not inherited by the resources.

  Reference:

  https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/tag-policies