Microsoft Microsoft Certifications AZ-104 Questions & Answers

• Question 51:

  You have a subnet named Subnet1 that contains Azure virtual machines. A network security group (NSG) named NSG1 is associated to Subnet1. NSG1 only contains the default rules.

  You need to create a rule in NSG1 to prevent the hosts on Subnet1 form connecting to the Azure portal. The hosts must be able to connect to other internet hosts.

  To what should you set Destination in the rule?

  A. Application security group

  B. IP Addresses

  C. Service Tag

  D. Any

  Correct Answer: C

  A service tag represents a group of IP address prefixes from a given Azure service. Microsoft manages the address prefixes encompassed by the service tag and automatically updates the service tag as addresses change, minimizing the complexity of frequent updates to network security rules. You can use service tags to define network access controls on network security groups, Azure Firewall, and user-defined routes. Use service tags in place of specific IP addresses when you create security rules and routes

  Reference Virtual network service tags https://learn.microsoft.com/en-us/azure/virtual-network/service-tags-overview

• Question 52:

  You have an Azure subscription that contains two Log Analytics workspaces named Workspace1 and Workspace2 and 100 virtual machines that run Windows Server. You need to collect performance data and events from the virtual machines. The solution must meet the following requirements:

  1.

  Logs must be sent to Workspace1 and Workspace 2.

  2.

  All Windows events must be captured.

  3.

  All security events must be captured.

  What should you install and configure on each virtual machine?

  A. the Azure Monitor agent

  B. the Windows Azure diagnostics extension (WAD)

  C. the Windows VM agent

  D. object replication

  Correct Answer: A

  Azure Monitor Agent (AMA) collects monitoring data from the guest operating system of Azure and hybrid virtual machines and delivers it to Azure Monitor for use by features, insights, and other services, such as Microsoft Sentinel and

  Microsoft Defender for Cloud. Azure Monitor Agent replaces all of Azure Monitor's legacy monitoring agents.

  Azure Monitor Agent replaces the Azure Monitor legacy monitoring agents:

  Log Analytics Agent: Sends data to a Log Analytics workspace and supports monitoring solutions. This is fully consolidated into Azure Monitor agent.

  Telegraf agent

  Diagnostics extension: Sends data to Azure Monitor Metrics (Windows only), Azure Event Hubs, and Azure Storage. This is not consolidated yet.

  Reference:

  https://learn.microsoft.com/en-us/azure/azure-monitor/agents/agents-overview

• Question 53:

  You have an Azure subscription that contains a virtual network named VNet1.

  VNet1 uses two ExpressRoute circuits that connect to two separate on-premises datacenters.

  You need to create a dashboard to display detailed metrics and a visual representation of the network topology.

  What should you use?

  A. Azure Monitor Network Insights

  B. a Data Collection Rule (DCR)

  C. Azure Virtual Network Watcher

  D. Log Analytics

  Correct Answer: A

  Through Network Insights, you can view topological maps and health dashboards containing important ExpressRoute information without needing to complete any extra setup.

  Reference: https://learn.microsoft.com/en-us/azure/expressroute/expressroute-network-insights

• Question 54:

  You have an Azure subscription that contains a virtual machine named VM1 and an Azure function named App1.

  You need to create an alert rule that will run App1 if VM1 stops.

  What should you create for the alert rule?

  A. an application security group

  B. a security group that has dynamic device membership

  C. an action group

  D. an application group

  Correct Answer: C

  One of the most common monitoring requirements for a virtual machine is to create an alert if it stops running. The best method for this is to create a metric alert rule in Azure Monitor using the VM availability metric which is currently in public

  preview.

  Configure action group

  The Actions page allows you to add one or more action groups to the alert rule. Action groups define a set of actions to take when an alert is fired such as sending an email or an SMS message.

  Incorrect:

  * Application group

  An Application group is a collection of remote applications that you published within the Azure Virtual Desktop environment. You must associate the application group with a pooled host pool only.

  Reference:

  https://learn.microsoft.com/en-us/azure/azure-monitor/vm/tutorial-monitor-vm-alert-availability

• Question 55:

  You have an Azure subscription named Subscription1.

  You have 5 TB of data that you need to transfer to Subscription1.

  You plan to use an Azure Import/Export job.

  What can you use as the destination of the imported data?

  A. an Azure Cosmos DB database

  B. Azure Data Lake Store

  C. Azure Blob storage

  D. Azure Data Factory

  Correct Answer: C

  Supported storage accounts

  Azure Import/Export service supports the following types of storage accounts:

  Standard General Purpose v2 storage accounts (recommended for most scenarios)

  Blob Storage accounts

  General Purpose v1 storage accounts (both Classic or Azure Resource Manager deployments)

  Reference:

  https://learn.microsoft.com/en-us/azure/import-export/storage-import-export-requirements

• Question 56:

  You deploy Azure virtual machines to three Azure regions

  Each region contains a virtual network. Each virtual network contains multiple subnets peered in a full mesh topology.

  Each subnet contains a network security group (NSG) that has defined rules.

  A user reports that he cannot use port 33000 to connect from a virtual machine in one region to a virtual machine in another region.

  Which two options can you use to diagnose the issue? Each correct answer presents a complete solution.

  NOTE: Each correct selection is worth one point.

  A. Azure Virtual Network Manager

  B. IP flow verify

  C. Azure Monitor Network Insights

  D. Connection troubleshoot

  E. elective security rules

  Correct Answer: BD

  https://learn.microsoft.com/en-us/azure/network-watcher/network-watcher-ip-flow-verify-overview IP flow verify checks if a packet is allowed or denied to or from a virtual machine. The information consists of direction, protocol, local IP, remote IP, local port, and a remote port. If the packet is denied by a security group, the name of the rule that denied the packet is returned. While any source or destination IP can be chosen, IP flow verify helps administrators quickly diagnose connectivity issues from or to the internet and from or to the on-premises environment.

• Question 57:

  You have an Azure subscription named Subscription1 that contains a virtual network named VNet1. VNet1 is in a resource group named RG1. Subscription1 has a user named User1. User1 has the following roles:

  1.

  Reader

  2.

  Security Admin

  3.

  Security Reader

  You need to ensure that User1 can assign the Reader role for VNet1 to other users.

  What should you do?

  A. Assign User1 the Network Contributor role for VNet1.

  B. Remove User1 from the Security Reader role for Subscription1. Assign User1 the Contributor role for RG1.

  C. Assign User1 the Owner role for VNet1.

  D. Assign User1 the Network Contributor role for RG1.

  Correct Answer: C

  Owner role - Grants full access to manage all resources, including the ability to assign roles in Azure RBAC.

  Incorrect:

  Not A, Not D:

  Network Contributor

  Lets you manage networks, but not access to them.

  Actions:

  Microsoft.Authorization/*/read - Read roles and role assignments

  Microsoft.Insights/alertRules/*- Create and manage a classic metric alert

  Microsoft.Network/* - Create and manage networks

  Microsoft.ResourceHealth/availabilityStatuses/read - Gets the availability statuses for all resources in the specified scope

  Microsoft.Resources/deployments/* - Create and manage a deployment

  Microsoft.Resources/subscriptions/resourceGroups/read - Gets or lists resource groups.

  Microsoft.Support/*- Create and update a support ticket

  Not B:

  Contributor role - Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries.

  Reference:

  https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles

• Question 58:

  You have an Azure subscription that contains the resources shown in the following table.

  

  All the resources connect to a virtual network named VNet1.

  You plan to deploy an Azure Bastion host named Bastion1 to VNet1.

  Which resources can be protected by using Bastion1?

  A. VM1 only

  B. contoso.com only

  C. App1 and contoso.com only

  D. VM1 and contoso.com only

  E. VM1, App1, and contoso.com

  Correct Answer: A

  https://learn.microsoft.com/en-us/azure/bastion/bastion-overview

  Azure Bastion is a service you deploy that lets you connect to a virtual machine using your browser and the Azure portal, or via the native SSH or RDP client already installed on your local computer. The Azure Bastion service is a fully

  platform-managed PaaS service that you provision inside your virtual network. It provides secure and seamless RDP/SSH connectivity to your virtual machines directly from the Azure portal over TLS. When you connect via Azure Bastion,

  your virtual machines don't need a public IP address, agent, or special client software.

• Question 59:

  You have an Azure subscription. The subscription contains a storage account named storage1 that has the lifecycle management rules shown in the following table.

  

  On June 1, you store a blob named File1 in the Hot access tier of storage1. What is the state of File1 on June 7?

  A. stored in the Cool access tier

  B. stored in the Archive access tier

  C. stored in the Hot access tier

  D. deleted

  Correct Answer: D

  If you define more than one action on the same blob, lifecycle management applies the least expensive action to the blob. For example, action delete is cheaper than action tierToArchive. Action tierToArchive is cheaper than action tierToCool.

  Reference: https://learn.microsoft.com/en-us/azure/storage/blobs/lifecycle-management-overview

• Question 60:

  You have five Azure virtual machines that run Windows Server 2016. The virtual machines are configured as web servers.

  You have an Azure load balancer named LB1 that provides load balancing services for the virtual machines.

  You need to ensure that visitors are serviced by the same web server for each request.

  What should you configure?

  A. a health probe

  B. Floating IP (direct server return) to Enabled

  C. Session persistence to Client IP and protocol

  D. Protocol to UDP

  Correct Answer: C

  With Sticky Sessions when a client starts a session on one of your web servers, session stays on that specific server. To configure An Azure Load-Balancer For Sticky Sessions set Session persistence to Client IP or to Client IP and protocol.

  Note:

  Client IP and protocol specifies that successive requests from the same client IP address and protocol combination will be handled by the same virtual machine.

  Client IP specifies that successive requests from the same client IP address will be handled by the same virtual machine.

  https://cloudopszone.com/configure-azure-load-balancer-for-sticky-sessions/