Microsoft Certifications AZ-104 Questions & Answers
Question 671:
You have an Azure subscription that contains 20 virtual machines, a network security group (NSG) named NSG1, and two virtual networks named VNET1 and VNET2 that are peered.
You plan to deploy an Azure Bastion Basic SKU host named Bastion1 to VNET1.
You need to configure NSG1 to allow inbound access to the virtual machines via Bastion1.
Which port should you configure for the inbound security rule?
A. 22
B. 443
C. 389
D. 8080
Correct Answer: B
With Azure Bastion, your RDP/SSH session runs over TLS on port 443. https://learn.microsoft.com/en-us/azure/bastion/bastion-overview
Question 672:
You have an Azure subscription that contains the virtual networks shown in the following table.
You need to deploy an Azure firewall named AF1 to RG1 in the West US Azure region. To which virtual networks can you deploy AF1?
A. VNET1, VNET2, VNET3, and VNET4
B. VNET1 and VNET2 only
C. VNET1 only
D. VNET1, VNET2, and VNET4 only
E. VNET1 and VNET4 only
Correct Answer: C
Question 673:
You have two Azure subscriptions named Sub1 and Sub2.
Sub1 contains a virtual machine named VM1 and a storage account named storage1.
VM1 is associated to the resources shown in the following table.
You need to move VM1 to Sub2.
Which resources should you move to Sub2?
A. VM1, Disk1, and NetInt1 only
B. VM1, Disk1, and VNet1 only
C. VM1, Disk1, and storage1 only
D. VM1, Disk1, NetInt1, and VNet1
Correct Answer: D
When you move a virtual machine from one subscription to another, you need to ensure that all the dependent resources are also moved along with it.
In the given scenario, VM1 is associated with the resources Disk1 (OS Disk), NetInt1 (Network Interface), and VNet1 (Virtual Network), and the storage account named storage1 is not associated with VM1.
Therefore, to move VM1 to Sub2, you need to move the following resources:
VM1: This is the virtual machine that you want to move to Sub2.
Disk1: This is the OS disk for VM1, and it contains the operating system and boot files.
NetInt1: This is the network interface that is attached to VM1 and provides connectivity to the virtual network.
VNet1: This is the virtual network that is associated with VM1, and it provides the network connectivity to the virtual machine.
Question 674:
You have an Azure subscription. The subscription contains virtual machines that connect to a virtual network named VNet1.
You plan to configure Azure Monitor for VM Insights.
You need to ensure that all the virtual machines only communicate with Azure Monitor through VNet1.
You have an Azure subscription that contains an Azure Stream Analytics job named Job1.
You need to monitor input events for Job1 to identify the number of events that were NOT processed.
Which metric should you use?
A. Out-of-Order Events
B. Output Events
C. Late Input Events
D. Backlogged Input Events
Correct Answer: D
Question 676:
You have an Azure virtual machine named VM1 and an Azure key vault named Vault1.
On VM1, you plan to configure Azure Disk Encryption to use a key encryption key (KEK).
You need to prepare Vault1 for Azure Disk Encryption.
Which two actions should you perform on Vault1? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. Select Azure Virtual machines for deployment.
B. Create a new key.
C. Create a new secret.
D. Configure a key rotation policy.
E. Select Azure Disk Encryption for volume encryption.
Correct Answer: BE
Steps:
1. Creating a resource group, if needed.
2. Creating a key vault. (B)
3. Setting key vault advanced access policies. (E)
Set key vault advanced access policies
The Azure platform needs access to the encryption keys or secrets in your key vault to make them available to the VM for booting and decrypting the volumes.
If you didn't enable your key vault for disk encryption, deployment, or template deployment at the time of creation (as demonstrated in the previous step), you must update its advanced access policies.
1. Select your key vault and go to Access Policies.
2. Under "Enable Access to", select the box labeled Azure Disk Encryption for volume encryption. (E)
3. Select Azure Virtual Machines for deployment and/or Azure Resource Manager for template deployment, if needed.
You have an Azure subscription that contains a virtual machine named VM1 and an Azure key vault named KV1. You need to configure encryption for VM1. The solution must meet the following requirements:
1. Store and use the encryption key in KV1.
2. Maintain encryption if VM1 is downloaded from Azure.
3. Encrypt both the operating system disk and the data disks.
Which encryption method should you use?
A. customer-managed keys
B. Confidential disk encryption
C. Azure Disk Encryption
D. encryption at host
Correct Answer: C
Azure Disk Encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. ADE encrypts the OS and data disks of Azure virtual machines (VMs) inside your VMs by using the DM-Crypt feature of Linux or the BitLocker feature of Windows. ADE is integrated with Azure Key Vault to help you control and manage the disk encryption keys and secrets, with the option to encrypt with a key encryption key (KEK).
Note: There are several types of encryption available for your managed disks, including Azure Disk Encryption (ADE), Server-Side Encryption (SSE) and encryption at host.
Incorrect:
* Confidential disk encryption
Confidential disk encryption binds disk encryption keys to the virtual machine's TPM and makes the protected disk content accessible only to the VM. The TPM and VM guest state is always encrypted in attested code using keys released by a secure protocol that bypasses the hypervisor and host operating system. Currently only available for the OS disk.
* Encryption at host
Encryption at host is a Virtual Machine option that enhances Azure Disk Storage Server-Side Encryption to ensure that all temp disks and disk caches are encrypted at rest and flow encrypted to the Storage clusters.
When you enable encryption at host, that encryption starts on the VM host itself, the Azure server that your VM is allocated to. The data for your temporary disk and OS/data disk caches are stored on that VM host. After enabling encryption at host, all this data is encrypted at rest and flows encrypted to the Storage service, where it is persisted. Essentially, encryption at host encrypts your data from end-to-end. Encryption at host does not use your VM's CPU and doesn't impact
You have an Azure subscription that contains a storage account named storage1. The storage1 account contains a container named container1. You need to configure access to container1. The solution must meet the following requirements:
1. Only allow read access.
2. Allow both HTTP and HTTPS protocols.
3. Apply access permissions to all the content in the container.
What should you use?
A. an access policy
B. a shared access signature (SAS)
C. Azure Content Delivery Network (CDN)
D. access keys
Correct Answer: B
Create SAS tokens for your storage containers
User delegation SAS tokens are secured with Azure AD credentials. SAS tokens provide secure, delegated access to resources in your Azure storage account.
SAS tokens support HTTP, but it is recommended to require HTTPS.
Note: Azure Blob Storage offers three resource types:
Storage accounts provide a unique namespace in Azure for your data.
Data storage containers are located in storage accounts and organize sets of blobs (files, text, or images).
Blobs are located in containers and store text and binary data such as files, text, and images.
Incorrect:
* an access policy
A stored access policy provides an additional level of control over service-level shared access signatures (SASs) on the server side. Establishing a stored access policy serves to group shared access signatures and to provide additional restrictions for signatures that are bound by the policy.
You can use a stored access policy to change the start time, expiry time, or permissions for a signature. You can also use a stored access policy to revoke a signature after it has been issued.
* Azure Content Delivery Network (CDN)
A content delivery network (CDN) is a distributed network of servers that can efficiently deliver web content to users. A CDN stores cached content on edge servers in point-of-presence (POP) locations that are close to end users, to minimize latency.
* access keys
When you create a storage account, Azure generates two 512-bit storage account access keys for that account. These keys can be used to authorize access to data in your storage account via Shared Key authorization, or via SAS tokens
You need to create an Azure Storage account named storage1. The solution must meet the following requirements:
1. Support Azure Data Lake Storage.
2. Minimize costs for infrequently accessed data.
3. Automatically replicate data to a secondary Azure region.
Which three options should you configure for storage1? Each correct answer presents part of the solution.
NOTE: Each correct answer is worth one point.
A. zone-redundant storage (ZRS)
B. the Cool access tier
C. geo-redundant storage (GRS)
D. the Hot access tier
E. hierarchical namespace
Correct Answer: BCE
The Cool access tier: The Cool access tier is suitable for infrequently accessed data, as it offers lower storage costs compared to the Hot access tier. This option helps minimize costs for infrequently accessed data.
Geo-redundant storage (GRS): GRS provides data replication to a secondary Azure region, ensuring data durability and availability in case of a regional outage. This option automatically replicates data to a secondary Azure region.
Hierarchical namespace: Azure Data Lake Storage requires a hierarchical namespace to support its features. By enabling the hierarchical namespace, you can use Azure Data Lake Storage capabilities with the storage account.
Question 680:
You have an Azure subscription.
You plan to deploy the resources shown in the following table.
You need to create a single Azure Resource Manager (ARM) template that will be used to deploy the resources.
Which resource should be added to the dependsOn section for VM1?
A. VNET1
B. NIC1
C. IP1
D. NSG1
Correct Answer: B
Define the order for deploying resources in ARM templates.
When deploying resources, you may need to make sure some resources exist before other resources. For example, you need a logical SQL server before deploying a database. You establish this relationship by marking one resource as dependent on the other resource. Use the dependsOn element to define an explicit dependency. Use the reference or list functions to define an implicit dependency.
Azure Resource Manager evaluates the dependencies between resources, and deploys them in their dependent order. When resources aren't dependent on each other, Resource Manager deploys them in parallel. You only need to define dependencies for resources that are deployed in the same template.
Example:
The following example shows how to deploy multiple virtual machines. The template creates the same number of network interfaces. Each virtual machine is dependent on one network interface, rather than the whole loop.