Practice Free AZ-104 Exam Online Questions
DRAG DROP
You have an Azure subscription that contains the resources shown in the following table.
You need to load balance HTTPS connections to vm1 and vm2 by using Ib1.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Explanation:
https://learn.microsoft.com/en-us/azure/load-balancer/quickstart-load-balancer-standard-public-portal
HOTSPOT
You have two Azure subscriptions named Sub1 and Sub2. Sub1 is in a management group named MG1. Sub2 is in a management group named MG2.
You have the resource groups shown in the following table.
You have the virtual machines shown in the following table.
You assign roles to users as shown in the following table.
For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.
Explanation:
User 1 can sign in to VMI. = YES
User 1 has the Virtual Machine User Login role assigned at the scope of RG1. This role allows the user to sign in to virtual machines in the resource group using Azure AD credentials. VMI is a virtual machine in RG1, so User 1 can sign in to it.
User 2 can manage disks and disk snapshots of VMI. = NO
User 2 has the Disk Snapshot Contributor role assigned at the scope of MG2. This role allows the user to manage disk snapshots in the management group. However, VMI is not in MG2, but in RG1, which is in MG1. Therefore, User 2 does not have the permission to manage disks and disk snapshots of VMI.
User 2 can manage disks and disk snapshots of VM3. = YES
User 2 has the Disk Snapshot Contributor role assigned at the scope of MG2. This role allows the user to manage disk snapshots in the management group. VM3 is a virtual machine in RG3, which is in Sub2, which is in MG2. Therefore, User 2 has the permission to manage disks and disk snapshots of VM3.
HOTSPOT
You have an Azure subscription named Subscription1 that has a subscription ID of c276fc76-9cd4-44c9-99a7-4fd71546436e.
You need to create a custom RBAC role named CR1 that meets the following requirements:
Can be assigned only to the resource groups in Subscription1
Prevents the management of the access permissions for the resource groups
Allows the viewing, creating, modifying, and deleting of resource within the resource groups
What should you specify in the assignable scopes and the permission elements of the definition of CR1? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Explanation:
Box 1: "/subscription/c276fc76-9cd4-44c9-99a7-4fd71546436e"
In the assignableScopes you need to mention the subscription ID where you want to implement the
RBAC
Box 2: "Microsoft.Authorization/*"
Microsoft.Authorization/* is used to Manage authorization
Reference:
https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftauthorization
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
Reference:
https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles
https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftresources
You have an Azure subscription that contains.
The storage accounts shown in the following table.
You deploy a web app named Appl to the West US Azure region.
You need to back up Appl. The solution must minimize costs.
Which storage account should you use as the target for the backup?
- A . storage1
- B . storage2
- C . storage3
- D . storage4
A
Explanation:
To back up a web app, you need to configure a custom backup that specifies a storage account and a container as the target for the backup1. The storage account must be in the same subscription as the web app, and the container must be accessible by the web app2. The backup size is limited to 10 GB, and the backup frequency can be configured to minimize costs.
According to the table, storage1 is the only storage account that meets these requirements. Storage1 is in the same subscription and region as the web app, and it is a general-purpose v2 account that supports custom backups. Storage2 and storage3 are in a different region than the web app, which may incur additional costs for data transfer. Storage4 is a FilesStorage account, which does not support custom backups.
Therefore, you should use storage1 as the target for the backup of your web app. To configure a custom backup, you can follow these steps:
In your app management page in the Azure portal, in the left menu, select Backups.
At the top of the Backups page, select Configure custom backups.
In Storage account, select storage1. Do the same with Container.
Specify the backup frequency, retention period, and database settings as needed.
Click Configure.
At the top of the Backups page, select Backup Now.
You need to implement a backup solution for App1 after the application is moved.
What should you create first?
- A . a recovery plan
- B . an Azure Backup Server
- C . a backup policy
- D . a Recovery Services vault
D
Explanation:
A Recovery Services vault is a logical container that stores the backup data for each protected resource, such as Azure VMs. When the backup job for a protected resource runs, it creates a recovery point inside the Recovery Services vault.
Scenario:
There are three application tiers, each with five virtual machines.
Move all the virtual machines for App1 to Azure.
Ensure that all the virtual machines for App1 are protected by backups.
Reference: https://docs.microsoft.com/en-us/azure/backup/quick-backup-vm-portal
You have an Azure subscription that contains a storage account named account1.
You plan to upload the disk files of a virtual machine to account! from your on-premises network.
The on-premises network uses a public IP address space of 131.107.1.0/24.
You plan to use the disk files to provision an Azure virtual machine named VM1. VM1 will be attached to a virtual network named VNet1. VNet1 uses an IP address space of 192.168.0.0/24.
You need to configure account1 to meet the following requirements:
• Ensure that you can upload the disk files to account1.
• Ensure that you can attach the disks to VM1.
• Prevent all other access to account1.
Which two actions should you perform? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.
- A . From the Networking blade of account1, select Selected networks
- B . From the Service endpoints blade of VNet1, add a service endpoint.
- C . From the Networking blade of account11, add the 131.107.1.0/24 IP address range.
- D . From the Networking blade of account1. select Allow trusted Microsoft services to access this storage account
- E . From the Networking blade of account1, add VNet1.
A, E
Explanation:
To restrict access to account1, you need to enable the firewall and virtual network settings on the storage account. This allows you to specify which networks can access the storage account. By selecting Selected networks, you can block all access from the public internet and only allow access from the specified networks. By adding VNet1, you can allow access from the virtual network that contains VM1. You do not need to add the on-premises IP address range or enable the service endpoint option, as these are not required for uploading the disk files to the storage account. You do not need to allow trusted Microsoft services, as this is not relevant for the scenario. Then,
Reference: [Configure Azure Storage firewalls and virtual networks] [Upload a generalized VHD to Azure]
HOTSPOT
You have an Azure subscription that contains the resources shown in the following table.
NSG1 is configured as shown in the following exhibit.
For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.
Explanation:
Yes – VM1 can access the Storage account because there is nothing blocking it the on the virtual network. There is a rule that actually allows outbound access to storage.
Yes- VM2 is on the Same VNET there is nothing blocking access to it from VM1 on the Virtual network. The Deny rule for HTTPS_VM1_Deny is for inbound connections from the internet.
No- You have a Inbound deny rule for VM1 from the the internet with a destination of the 10.3.0.15 which is in Subnet1. This proves the NSG is associated to Subnet1 and only subnet one because the image shows it is connected to only 1 subnet. VM2 is on Subnet2 which you can determined by its IP address. This means that NSG1 does not apply to VM2.
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure virtual machine named VM1. VM1 was deployed by using a custom Azure Resource Manager template named ARM1.json.
You receive a notification that VM1 will be affected by maintenance.
You need to move VM1 to a different host immediately.
Solution: From the Redeploy blade, you click Redeploy.
Does this meet the goal?
- A . Yes
- B . No
A
Explanation:
Redeploying the virtual machine moves it to a new host within the same region and availability set. This can help resolve any underlying issues with the current host. Redeploying the virtual machine does not affect the configuration or data on the virtual machine. Then,
Reference: [Redeploy Windows VM to new Azure node]
You have an Azure subscription that contains the resources shown in the following table.
You need to create a network interface named NIC1.
In which location can you create NIC1?
- A . East US and North Europe only.
- B . East US and West Europe only.
- C . East US, West Europe, and North Europe.
- D . East US only.
D
Explanation:
Before creating a network interface, you must have an existing virtual network in the same location and subscription you create a network interface in.
If you try to create a NIC on a location that does not have any Vnets you will get the following error:
"The currently selected subscription and location lack any existing virtual networks. Create a virtual network first."
Reference: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface
You need to add VM1 and VM2 to the backend poo! of LB1.
What should you do first?
- A . Create a new NSG and associate the NSG to VNET1/Subnet1.
- B . Connect VM2 to VNET1/Subnet1.
- C . Redeploy VM1 and VM2 to the same availability zone.
- D . Redeploy VM1 and VM2 to the same availability set.