Practice Free AZ-104 Exam Online Questions
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an app named App1 that is installed on two Azure virtual machines named VM1 and VM2.
Connections to App1 are managed by using an Azure Load Balancer.
The effective network security configurations for VM2 are shown in the following exhibit.
You discover that connections to App1 from 131.107.100.50 over TCP port 443 fail. You verify that the Load Balancer rules are configured correctly.
You need to ensure that connections to App1 can be established successfully from 131.107.100.50 over TCP port 443.
Solution: You modify the priority of the Allow_131.107.100.50 inbound security rule.
Does this meet the goal?
- A . Yes
- B . No
HOTSPOT
You have an Azure subscription named Subscription1. Subscription1 contains a virtual machine named VM1.
You install and configure a web server and a DNS server on VM1.
VM1 has the effective network security rules shown in the following exhibit.
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic. NOTE: Each correct selection is worth one point.
Explanation:
A number between 100 and 4096. Rules are processed in priority order, with lower numbers processed before higher numbers, because lower numbers have higher priority. Once traffic matches a rule, processing stops. As a result, any rules that exist with lower priorities (higher numbers) that have the same attributes as rules with higher priorities are not processed. https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview
HOTSPOT
You need to implement the planned changes for User1.
Which roles should you assign to User1, and for which resources? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You need to ensure that an Azure Active Directory (Azure AD) user named Admin1 is assigned the required role to enable Traffic Analytics for an Azure subscription.
Solution: You assign the Owner role at the subscription level to Admin1.
Does this meet the goal?
- A . Yes
- B . No
B
Explanation:
The Owner role is a very high-level role that grants full access to manage all resources in the scope, including the ability to assign roles to other users. This role does not follow the principle of least privilege, which means that you should only grant the minimum level of access required to accomplish the goal.
To enable Traffic Analytics for an Azure subscription, you need to have a role that grants you the following permissions at the subscription level:
Microsoft.Network/applicationGateways/read
Microsoft.Network/connections/read
Microsoft.Network/loadBalancers/read
Microsoft.Network/localNetworkGateways/read
Microsoft.Network/networkInterfaces/read
Microsoft.Network/networkSecurityGroups/read
Microsoft.Network/publicIPAddresses/read
Microsoft.Network/routeTables/read
Microsoft.Network/virtualNetworkGateways/read
Microsoft.Network/virtualNetworks/read
Microsoft.OperationalInsights/workspaces/*
Some of the built-in roles that have these permissions are Owner, Contributor, or Network Contributor1. However, these roles also grant other permissions that may not be necessary or desirable for enabling Traffic Analytics. Therefore, the best practice is to use the principle of least privilege and create a custom role that only has the required permissions for enabling Traffic Analytics2.
Therefore, to meet the goal of ensuring that an Azure AD user named Admin1 is assigned the required role to enable Traffic Analytics for an Azure subscription, you should create a custom role with the required permissions and assign it to Admin1 at the subscription level.
HOTSPOT
You have an Azure subscription named Sub1 that contains the resources shown in the following table.
Sub1 contains the following alert rule:
• Name: Alert1
• Scope: All resource groups in Sub1 o Include all future resources
• Condition: All administrative operations
• Actions: Action1
Sub1 contains the following alert processing rule:
• Name: Rule1
• Scope: Sub1
• Rule type: Suppress notifications
• Apply the rule: On a specific time
o Stan: August 10. 2022
o End: August 13. 2022
For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.
Explanation:
https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/alerts-processing-rules?tabs=portal#what-should-this-rule-do Suppression: This action removes all the action groups from the affected fired alerts. So, the fired alerts won’t invoke any of their action groups, not even at the end of the maintenance window. Those fired alerts will still be visible when you list your alerts in the portal, Azure Resource Graph, API, or PowerShell.
The alert rule named Alert1 has a scope of all resource groups in Sub1 and includes all future resources. This means that any administrative operation performed on any resource group in Sub1 will trigger the alert rule. The condition of the alert rule is all administrative operations, which includes creating a resource group1. Therefore, if you create a resource group in Sub1 on August 11, 2022, Alert1 will be fired and listed in the Azure portal.
The alert processing rule named Rule1 has a scope of Sub1 and a rule type of suppress notifications. This means that any alert fired in Sub1 will have its notifications suppressed by the rule. The rule applies on a specific time range from August 10, 2022 to August 13, 2022. Therefore, if you create a resource group in Sub1 on August 12, 2022, Alert1 will be fired but no email message will be sent to [email protected] because of Rule1.
The alert processing rule named Rule1 does not apply after August 13, 2022. Therefore, if you add a tag to RG1 on August 15, 2022, Alert1 will be fired and an email message will be sent to [email protected] as specified by the action group Action1.
You have an Azure web app named webapp1.
You have a virtual network named VNET1 and an Azure virtual machine named VM1 that hosts a MySQL database. VM1 connects to VNET1.
You need to ensure that webapp1 can access the data hosted on VM1.
What should you do?
- A . Connect webapp1 to VNET1.
- B . Deploy an internal load balancer.
- C . Deploy an Azure Application Gateway,
- D . Peer VNET1 to another virtual network.
You have an app named App1 that runs on an Azure web app named webapp1.
The developers at your company upload an update of App1 to a Git repository named GUI.
Webapp1 has the deployment slots shown in the following table.
You need to ensure that the App1 update is tested before the update is made available to users.
Which two actions should you perform? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.
- A . Swap the slots
- B . Deploy the App1 update to webapp1-prod, and then test the update
- C . Stop webapp1-prod
- D . Deploy the App1 update to webapp1-test, and then test the update
- E . Stop webapp1-test
AD
Explanation:
https://docs.microsoft.com/en-us/azure/app-service/deploy-staging-slots
You have an Azure subscription that has a Recovery Services vault named Vault 1.
The subscription contains the virtual machines shown in the following table.
You plan to schedule backups to occur every night at 23:00.
Which virtual machines can you back up by using Azure Backup?
- A . VM1 only
- B . VM1 and VM2 only
- C . VM1 and VM3 only
- D . VM1, VM2, VM3 and VM4
You plan to create an Azure virtual machine named VM1 that will be configured as shown in the following exhibit.
The planned disk configurations for VM1 are shown in the following exhibit.
You need to ensure that VM1 can be created in an Availability Zone.
Which two settings should you modify? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.
- A . Use managed disks
- B . Availability options
- C . OS disk type
- D . Size
- E . Image
A, B
Explanation:
https://docs.microsoft.com/en-us/azure/site-recovery/move-azure-vms-avset-azone
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/create-portal-availability-zone
https://docs.microsoft.com/en-us/azure/virtual-machines/manage-availability
https://docs.microsoft.com/en-us/azure/availability-zones/az-overview#availability-zones
HOTSPOT
You have an Azure subscription that contains the virtual networks shown in the following table.
The subnets have the IP address spaces shown in the following table.
You plan to create a container app named contapp1 in the East US Azure region.
You need to create a container app environment named con-env1 that meets the following requirements:
• Uses its own virtual network.
• Uses its own subnet.
• Is connected to the smallest possible subnet.
To which virtual networks can you connect con-env1, and which subnet mask should you use? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Explanation:
Virtual Network: You can connect con-env1 to VNet2 and VNet3 only. This is because VNet1 is in a different region than the container app, which is East US. According to the web search results, you can only connect a container app environment to a virtual network that is in the same region as the container app1. Therefore, VNet1 is not a valid option. VNet2 and VNet3 are both in the same region as the container app, and they have enough available IP addresses to support a container app environment.
Subnet mask: You should use /28 as the subnet mask for con-env1. This is because /28 is the smallest possible subnet mask that can accommodate a container app environment. According to the web search results, a container app environment requires a minimum of 16 IP addresses in a subnet2. A /28 subnet mask provides 16 IP addresses, while a /26 subnet mask provides 64 IP addresses, a /24 subnet mask provides 256 IP addresses, a /23 subnet mask provides 512 IP addresses, and a /16 subnet mask provides 65,536 IP addresses. Therefore, /28 is the most efficient choice for minimizing the subnet size.