Exam AZ-104 Microsoft Azure Administrator Questions and Answers – Page 1 Part 2

The latest Microsoft AZ-104 Azure Administrator certification actual real practice exam question and answer (Q&A) dumps are available free, which are helpful for you to pass the Microsoft AZ-104 Azure Administrator exam and earn Microsoft AZ-104 Azure Administrator certification.

Question 81

You create the following resources in an Azure subscription:

  • An Azure Container Registry instance named Registry1
  • An Azure Kubernetes Service (AKS) cluster named Cluster1

You create a container image named App1 on your administrative workstation.
You need to deploy App1 to Cluster1.
What should you do first?

A. Run the docker push command.
B. Create an App Service plan.
*C. Run the az acr build command.
D. Run the az aks create command.

Explanation:

You should sign in and push a container image to Container Registry.
Run the az acr build command to build and push the container image.
az acr build \
  --image contoso-website \
  --registry $ACR_NAME \
  --file Dockerfile .

Question 82

You have an Azure subscription that contains the resources shown in the following table.

| Name | Type | Resource group | Location |
|---|---|---|---|
| RG1 | Resource group | Not applicable | Central US |
| RG2 | Resource group | Not applicable | West US |
| VMSS1 | Virtual machine scale set | RG2 | West US |
| Proximity1 | Proximity placement group | RG1 | West US |
| Proximity2 | Proximity placement group | RG2 | Central US |
| Proximity3 | Proximity placement group | RG1 | Central US |

You need to configure a proximity placement group for VMSS1.
Which proximity placement groups should you use?

*A. Proximity2 only
B. Proximity1, Proximity2, and Proximity3
C. Proximity1 only
D. Proximity1 and Proximity3 only

Explanation:

Resource Group location of VMSS1 is the RG2 location, which is West US.
Only Proximity2, which is also in RG2, is located in West US.

Question 83

You have an Azure subscription named Subscription1. Subscription1 contains a resource group named RG1. RG1 contains resources that were deployed by using templates.
You need to view the date and time when the resources were created in RG1.
Solution: From the Subscriptions blade, you select the subscription, and then click Resource providers.
Does this meet the goal?

A. Yes
*B. No

Deploy and manage Azure compute resources: Testlet 2

Overview

Litware, Inc. is a consulting company that has a main office in Montreal and two branch offices in Seattle and New York.

The Montreal office has 2,000 employees. The Seattle office has 1,000 employees. The New York office has 200 employees.
All the resources used by Litware are hosted on-premises.

Litware creates a new Azure subscription. The Azure Active Directory (Azure AD) tenant uses a domain named litware.onmicrosoft.com. The tenant uses the P1 pricing tier.

Existing Environment

The network contains an Active Directory forest named litware.com. All domain controllers are configured as DNS servers and host the litware.com DNS zone.

Litware has finance, human resources, sales, research, and information technology departments. Each department has an organizational unit (OU) that contains all the accounts of that respective department. All the user accounts have the department attribute set to their respective department. New users are added frequently.

Litware.com contains a user named User1.

All the offices connect by using private connections.

Litware has data centers in the Montreal and Seattle offices. Each office has a firewall that can be configured as a VPN device.

All infrastructure servers are virtualized. The virtualization environment contains the servers in the following table.

| Name | Role | Contains virtual machine |
|---|---|---|
| Server1 | VMware vCenter server | VM1 |
| Server2 | Hyper-V host | RVM2 |

Litware uses two web applications named App1 and App2. Each instance on each web application requires 1 GB of memory.

The Azure subscription contains the resources in the following table.

| Name | Type |
|---|---|
| VNet1 | Virtual network |
| VM3 | Virtual machine |
| VM4 | Virtual machine |

The network security team implements several network security groups (NSGs).

Requirements

Planned Changes

Litware plans to implement the following changes:

  • Deploy Azure ExpressRoute to the Montreal office.
  • Migrate the virtual machines hosted on Server1 and Server2 to Azure.
  • Synchronize on-premises Active Directory to Azure Active Directory (Azure AD).
  • Migrate App1 and App2 to two Azure web apps named WebApp1 and WebApp2.

Technical Requirements

Litware must meet the following technical requirements:

  • Ensure that WebApp1 can adjust the number of instances automatically based on the load and can scale up to five instances.
  • Ensure that VM3 can establish outbound connections over TCP port 8080 to the application servers in the Montreal office.
  • Ensure that routing information is exchanged automatically between Azure and the routers in the Montreal office.
  • Enable Azure Multi-Factor Authentication (MFA) for the users in the finance department only.
  • Ensure that webapp2.azurewebsites.net can be accessed by using the name app2.litware.com.
  • Connect the New York office to VNet1 over the Internet by using an encrypted connection.
  • Create a workflow to send an email message when the settings of VM4 are modified.
  • Create a custom Azure role named Role1 that is based on the Reader role.
  • Minimize costs whenever possible.

Question 84

You discover that VM3 does NOT meet the technical requirements.
You need to verify whether the issue relates to the NSGs.
What should you use?

A. Diagram in VNet1
B. Diagnostic settings in Azure Monitor
C. Diagnose and solve problems in Traffic Manager profiles
D. The security recommendations in Azure Advisor
*E. IP flow verify in Azure Network Watcher

Explanation:

Scenario: Contoso must meet technical requirements including:
Ensure that VM3 can establish outbound connections over TCP port 8080 to the application servers in the Montreal office.
IP flow verify checks if a packet is allowed or denied to or from a virtual machine. The information consists of direction, protocol, local IP, remote IP, local port, and remote port. If the packet is denied by a security group, the name of the rule that denied the packet is returned. While any source or destination IP can be chosen, IP flow verify helps administrators quickly diagnose connectivity issues from or to the internet and from or to the on-premises environment.

Configure and manage virtual networking: Question Set 1

Question 85

You have a computer named Computer1 that has a point-to-site VPN connection to an Azure virtual network named VNet1. The point-to-site connection uses a self-signed certificate.
From Azure, you download and install the VPN client configuration package on a computer named Computer2.
You need to ensure that you can establish a point-to-site VPN connection to VNet1 from Computer2.
Solution: You modify the Azure Active Directory (Azure AD) authentication policies.
Does this meet the goal?

A. Yes
*B. No

Explanation:

Instead export the client certificate from Computer1 and install the certificate on Computer2.
Note: Each client computer that connects to a VNet using Point-to-Site must have a client certificate installed. You generate a client certificate from the self-signed root certificate, and then export and install the client certificate. If the client certificate is not installed, authentication fails.

Question 86

You have a computer named Computer1 that has a point-to-site VPN connection to an Azure virtual network named VNet1. The point-to-site connection uses a self-signed certificate.
From Azure, you download and install the VPN client configuration package on a computer named Computer2.
You need to ensure that you can establish a point-to-site VPN connection to VNet1 from Computer2.
Solution: You join Computer2 to Azure Active Directory (Azure AD).
Does this meet the goal?

A. Yes
*B. No

A client computer that connects to a VNet using Point-to-Site must have a client certificate installed.

Question 87

You have an Azure subscription that contains 10 virtual networks. The virtual networks are hosted in separate resource groups.
Another administrator plans to create several network security groups (NSGs) in the subscription.
You need to ensure that when an NSG is created, it automatically blocks TCP port 8080 between the virtual networks.
Solution: You create a resource lock, and then you assign the lock to the subscription.
Does this meet the goal?

A. Yes
*B. No

Question 88

You have an Azure subscription named Subscription1. Subscription1 contains a virtual machine named VM1.
You have a computer named Computer1 that runs Windows 10. Computer1 is connected to the Internet.
You add a network interface named vm1173 to VM1 as shown in the exhibit. (Click the Exhibit tab.)

From Computer1, you attempt to connect to VM1 by using Remote Desktop, but the connection fails.
You need to establish a Remote Desktop connection to VM1.
What should you do first?

A. Change the priority of the RDP rule
B. Attach a network interface
C. Delete the DenyAllInBound rule
*D. Start VM1

Explanation:

Incorrect Answers:
A: Rules are processed in priority order, with lower numbers processed before higher numbers, because lower numbers have higher priority. Once traffic matches a rule, processing stops. RDP already has the lowest number and thus the highest priority.
B: The network interface has already been added to the VM.
C: The Outbound rules are fine.

Question 89

You have the Azure virtual machines shown in the following table.

| Name | IP address | Type |
|---|---|---|
| VM1 | 10.1.0.4 | VNET1/Subnet1 |
| VM2 | 10.1.10.4 | VNET1/Subnet2 |
| VM3 | 172.16.0.4 | VNET2/SubnetA |
| VM4 | 10.2.0.8 | VNET3/SubnetB |

A DNS service is installed on VM1.
You configure the DNS servers settings for each virtual network as shown in the following exhibit.

You need to ensure that all the virtual machines can resolve DNS names by using the DNS service on VM1.
What should you do?

A. Configure a conditional forwarder on VM1
B. Add service endpoints on VNET1
C. Add service endpoints on VNET2 and VNET3
*D. Configure peering between VNET1, VNET2, and VNET3

Explanation:

Virtual network peering enables you to seamlessly connect networks in Azure Virtual Network. The virtual networks appear as one for connectivity purposes. The traffic between virtual machines uses the Microsoft backbone infrastructure.
Incorrect Answers:
B, C: Virtual Network (VNet) service endpoint provides secure and direct connectivity to Azure services over an optimized route over the Azure backbone network. Endpoints allow you to secure your critical Azure service resources to only your virtual networks. Service Endpoints enables private IP addresses in the VNet to reach the endpoint of an Azure service without needing a public IP address on the VNet.

An Azure AD DS DNS zone should only contain the zone and records for the managed domain itself.
A conditional forwarder is a configuration option in a DNS server that lets you define a DNS domain, such as contoso.com, to forward queries to. Instead of the local DNS server trying to resolve queries for records in that domain, DNS queries are forwarded to the configured DNS for that domain. This configuration makes sure that the correct DNS records are returned, as you don’t create a local DNS zone with duplicate records in the managed domain to reflect those resources.
To create a conditional forwarder in your managed domain, complete the following steps:
1. Select your DNS zone, such as aaddscontoso.com.
2. Select Conditional Forwarders, then right-select and choose New Conditional Forwarder…
3. Enter your other DNS Domain, such as contoso.com, then enter the IP addresses of the DNS servers for that namespace, as shown in the following example:

4. Check the box for Store this conditional forwarder in Active Directory, and replicate it as follows, then select the option for All DNS servers in this domain, as shown in the following example:

5. To create the conditional forwarder, select OK.
Name resolution of the resources in other namespaces from VMs connected to the managed domain should now resolve correctly. Queries for the DNS domain configured in the conditional forwarder are passed to the relevant DNS servers.

Question 90

You have the Azure virtual network named VNet1 that contains a subnet named Subnet1. Subnet1 contains three Azure virtual machines. Each virtual machine has a public IP address.
The virtual machines host several applications that are accessible over port 443 to users on the Internet.
Your on-premises network has a site-to-site VPN connection to VNet1.
You discover that the virtual machines can be accessed by using the Remote Desktop Protocol (RDP) from the Internet and from the on-premises network.
You need to prevent RDP access to the virtual machines from the Internet, unless the RDP connection is established from the on-premises network. The solution must ensure that all the applications can still be accessed by the Internet users.
What should you do?

A. Modify the address space of the local network gateway
*B. Create a deny rule in a network security group (NSG) that is linked to Subnet1
C. Remove the public IP addresses from the virtual machines
D. Modify the address space of Subnet1

Explanation:

You don’t have to allow direct RDP or SSH access over the internet.
You can filter network traffic to and from Azure resources in an Azure virtual network with a network security group. A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources.
You can use a site-to-site VPN to connect your on-premises network to an Azure virtual network. Users on your on-premises network connect by using the RDP or SSH protocol over the site-to-site VPN connection. You don’t have to allow direct RDP or SSH access over the internet. This can be achieved by configuring a deny rule, in a network security group (NSG) that is linked to Subnet1, for RDP/SSH traffic coming from the internet.
Modify the address space of Subnet1: Incorrect choice
Modifying the address space of Subnet1 will have no impact on RDP traffic flow to the virtual network.
Modify the address space of the local network gateway: Incorrect choice
Modifying the address space of the local network gateway will have no impact on RDP traffic flow to the virtual network.
Remove the public IP addresses from the virtual machines: Incorrect choice
If you remove the public IP addresses from the virtual machines, none of the applications will be publicly accessible to the Internet users.
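
A small Python model of the evaluation order described in Questions 88 and 90, added here as an illustration and not part of the original explanations: rules are checked from the lowest priority number upward and the first match decides, so a deny for RDP from the Internet tag placed ahead of a broad allow closes Internet RDP while on-premises RDP over the VPN and Internet HTTPS keep working. The address ranges, the non-default rule names and the priorities 200/300/310 are constructed assumptions, and the service tags are simplified.

```python
import ipaddress
from dataclasses import dataclass

# Constructed address plan for the model (assumption, not from the page).
VNET = ipaddress.ip_network("10.0.0.0/16")       # VNet1
ONPREM = ipaddress.ip_network("192.168.0.0/16")  # behind the site-to-site VPN

def in_tag(ip, tag):
    """Simplified service-tag match: '*', 'VirtualNetwork' or 'Internet'."""
    addr = ipaddress.ip_address(ip)
    private = addr in VNET or addr in ONPREM
    if tag == "VirtualNetwork":  # covers VPN-connected on-premises space too
        return private
    if tag == "Internet":
        return not private
    return tag == "*"

@dataclass
class Rule:
    name: str
    priority: int
    source: str   # service tag
    port: str     # "*" or one port number
    access: str   # "Allow" or "Deny"

# Two of the default inbound rules every NSG carries.
DEFAULTS = [
    Rule("AllowVnetInBound", 65000, "VirtualNetwork", "*", "Allow"),
    Rule("DenyAllInBound", 65500, "*", "*", "Deny"),
]

def evaluate(rules, src_ip, dst_port):
    """Lowest priority number first; the first match decides and stops."""
    for r in sorted(rules + DEFAULTS, key=lambda r: r.priority):
        if in_tag(src_ip, r.source) and r.port in ("*", str(dst_port)):
            return r.access, r.name

# Constructed rule sets: "before" exposes RDP to any source.
before = [
    Rule("AllowRDP", 300, "*", "3389", "Allow"),
    Rule("AllowHTTPS", 310, "Internet", "443", "Allow"),
]
# "after" adds a deny with a lower number, so it is evaluated first.
after = before + [Rule("DenyRDPFromInternet", 200, "Internet", "3389", "Deny")]

if __name__ == "__main__":
    for label, ip, port in [("Internet RDP", "203.0.113.10", 3389),
                            ("On-prem RDP", "192.168.1.20", 3389),
                            ("Internet HTTPS", "203.0.113.10", 443)]:
        print(label, evaluate(before, ip, port), "->", evaluate(after, ip, port))
```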