Practice Free AZ-104 Exam Online Questions
HOTSPOT
You have an Azure subscription named Subscription1 that contains the following resource group:
– Name: RG1
– Region: West US
– Tag: "tag1": "value1"
You assign an Azure policy named Policy1 to Subscription1 by using the following configurations:
– Exclusions: None
– Policy definition: Append a tag and its value to resources
– Assignment name: Policy1
– Parameters:
– Tag name: Tag2
– Tag value: Value2
After Policy1 is assigned, you create a storage account that has the following configuration:
– Name: storage1
– Location: West US
– Resource group: RG1
– Tags: "tag3": "value3"
You need to identify which tags are assigned to each resource.
What should you identify? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Explanation:
Box 1: "tag1": "value1" only
Box 2: "tag2": "value2" and "tag3": "value3"
Tags applied to the resource group are not inherited by the resources in that resource group.
Reference: https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You manage a virtual network named VNet1 that is hosted in the West US Azure region.
VNet1 hosts two virtual machines named VM1 and VM2 that run Windows Server.
You need to inspect all the network traffic from VM1 to VM2 for a period of three hours.
Solution: From Performance Monitor, you create a Data Collector Set (DCS).
Does this meet the goal?
- A . Yes
- B . No
B
Explanation:
Correct answer is packet capture in Azure Network Watcher. https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-packet-capture-overview
You have an Azure Storage account named storage1.
You need to enable a user named User1 to list and regenerate storage account keys for storage1.
Solution: You assign the Storage Account Key Operator Service Role to User1.
Does this meet the goal?
- A . Yes
- B . No
You have an Azure subscription that contains the virtual machines shown in the following table.
You deploy a load balancer that has the following configurations:
• Name: LB1
• Type: internal
• SKU: Standard
• Virtual network: VNET1
You need to ensure that you can add VM1 and VM2 to the backend pool of LB1.
Solution: You create a Basic SKU public IP address, associate the address to the network interface of VM1, and then start VM1.
Does this meet the goal?
- A . Yes
- B . No
B
Explanation:
You can only attach virtual machines that are in the same location and on the same virtual network as the LB. Virtual machines must have a standard SKU public IP or no public IP.
The LB needs to be a standard SKU to accept individual VMs outside an availability set or VMSS. VMs do not need to have public IPs, but if they do have them, they have to be standard SKU. VMs can only be from a single network. When they don’t have a public IP, they are assigned an ephemeral IP.
Also, when adding them to a backend pool, it doesn’t matter what state the VMs are in.
Note: Load balancer and the public IP address SKU must match when you use them with public IP addresses.
HOTSPOT
You have an Azure subscription.
You plan to create a role definition to meet the following requirements:
• Users must be able to view the configuration data of a storage account.
• Users must be able to perform all actions on a virtual network.
• The solution must use the principle of least privilege.
What should you include in the role definition for each requirement? To answer, select the appropriate options in the answer area.

Explanation:
Perform all actions on a virtual network:
“Microsoft.Network/virtualNetworks/*”
View the configuration data of a storage account:
“Microsoft.Storage/StorageAccounts/read”
To perform all actions on a virtual network, you need to use the wildcard (*) character in the action string, which grants access to all actions that match the string. The action string for virtual networks is “Microsoft.Network/virtualNetworks/*”. To view the configuration data of a storage account, you need to use the read action substring in the action string, which enables read actions (GET). The action string for storage accounts is “Microsoft.Storage/StorageAccounts/read”.
Reference:
https://learn.microsoft.com/en-us/azure/role-based-access-control/role-definitions
https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
HOTSPOT
You have an Azure subscription that contains the virtual networks shown in the following table.
Each virtual network has 50 connected virtual machines.
You need to implement Azure Bastion.
The solution must meet the following requirements:
• Support host scaling.
• Support uploading and downloading files.
• Support the virtual machines on both VNet1 and VNet2.
• Minimize the number of addresses on the Azure Bastion subnet.
How should you configure Azure Bastion? To answer, select the options in the answer area. NOTE: Each correct answer is worth one point.

HOTSPOT
You plan to use Azure Network Watcher to perform the following tasks:
Task1: Identify a security rule that prevents a network packet from reaching an Azure virtual machine
Task2: Validate outbound connectivity from an Azure virtual machine to an external host
Which feature should you use for each task? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Explanation:
Box 1: IP flow verify
At some point, a VM may become unable to communicate with other resources, because of a security rule. The IP flow verify capability enables you to specify a source and destination IPv4 address, port, protocol (TCP or UDP), and traffic direction (inbound or outbound). IP flow verify then tests the communication and informs you if the connection succeeds or fails. If the connection fails, IP flow verify tells you which.
Box 2: Connection troubleshoot
Diagnose outbound connections from a VM: The connection troubleshoot capability enables you to test a connection between a VM and another VM, an FQDN, a URI, or an IPv4 address. The test returns information similar to that returned by the connection monitor capability, but it tests the connection at a point in time rather than monitoring it over time, as connection monitor does.
You create an Azure Storage account named Contoso storage.
You plan to create a file share named data.
Users need to map a drive to the data file share from home computers that run Windows 10.
Which outbound port should be open between the home computers and the data file share?
- A . 80
- B . 443
- C . 445
- D . 3389
C
Explanation:
Ensure port 445 is open: The SMB protocol requires TCP port 445 to be open; connections will fail if port 445 is blocked.
Reference: https://docs.microsoft.com/en-us/azure/storage/files/storage-how-to-use-files-windows
You have an Azure subscription that contains a storage account named storage1.
You need to allow access to storage1 from selected networks and your home office. The solution must minimize administrative effort.
What should you do first for storage1?
- A . Add a private endpoint.
- B . Modify the Public network access settings.
- C . Select Internet routing.
- D . Modify the Access Control (IAM) settings.