Exam AZ-104 Microsoft Azure Administrator Questions and Answers – Page 1

The latest Exam AZ-104 Microsoft Azure Administrator certification practice exam question and answer (Q&A) dumps are available free. They can help you pass the AZ-104 Microsoft Azure Administrator exam and earn the AZ-104 Microsoft Azure Administrator certification.

Exam Question 91

You have an Azure subscription that contains the resources in the following table.

| Name | Type |
| --- | --- |
| ASG1 | Application security group |
| NSG1 | Network security group (NSG) |
| Subnet1 | Subnet |
| VNet1 | Virtual network |
| NIC1 | Network interface |
| VM1 | Virtual machine |

Subnet1 is associated to VNet1. NIC1 attaches VM1 to Subnet1.
You need to apply ASG1 to VM1.
What should you do?
A. Associate NIC1 to ASG1
B. Modify the properties of ASG1
C. Modify the properties of NSG1

Correct Answer:
A. Associate NIC1 to ASG1
Answer Description:
An application security group can be associated with NICs.

Exam Question 92

You have an Azure subscription named Subscription1 that contains an Azure virtual network named VNet1.
VNet1 connects to your on-premises network by using Azure ExpressRoute.
You plan to prepare the environment for automatic failover in case of ExpressRoute failure.
You need to connect VNet1 to the on-premises network by using a site-to-site VPN. The solution must minimize cost.
Which three actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. Create a connection
B. Create a local site VPN gateway
C. Create a VPN gateway that uses the VpnGw1 SKU
D. Create a gateway subnet
E. Create a VPN gateway that uses the Basic SKU
Correct Answer:
A. Create a connection
D. Create a gateway subnet
E. Create a VPN gateway that uses the Basic SKU

Exam Question 93

You have an Azure subscription that contains 10 virtual networks. The virtual networks are hosted in separate resource groups.
Another administrator plans to create several network security groups (NSGs) in the subscription.
You need to ensure that when an NSG is created, it automatically blocks TCP port 8080 between the virtual networks.
Solution: From the Resource providers blade, you unregister the Microsoft.ClassicNetwork provider.
Does this meet the goal?
A. Yes
B. No

Correct Answer:
B. No
Answer Description:
You should use a policy definition.
Resource policy definition used by Azure Policy enables you to establish conventions for resources in your organization by describing when the policy is enforced and what effect to take. By defining conventions, you can control costs and more easily manage your resources.
References:
Microsoft Docs > Azure Policy definition structure

Exam Question 94

You have an Azure subscription that contains 10 virtual networks. The virtual networks are hosted in separate resource groups.
Another administrator plans to create several network security groups (NSGs) in the subscription.
You need to ensure that when an NSG is created, it automatically blocks TCP port 8080 between the virtual networks.
Solution: You assign a built-in policy definition to the subscription.
Does this meet the goal?
A. Yes
B. No

Correct Answer:
B. No
Answer Description:
Resource policy definition used by Azure Policy enables you to establish conventions for resources in your organization by describing when the policy is enforced and what effect to take. By defining conventions, you can control costs and more easily manage your resources.
References:
Microsoft Docs > Azure Policy definition structure

Exam Question 95

You have an Azure subscription that contains 10 virtual networks. The virtual networks are hosted in separate resource groups.
Another administrator plans to create several network security groups (NSGs) in the subscription.
You need to ensure that when an NSG is created, it automatically blocks TCP port 8080 between the virtual networks.
Solution: You configure a custom policy definition, and then you assign the policy to the subscription.
Does this meet the goal?
A. Yes
B. No

Correct Answer:
A. Yes
Answer Description:
Resource policy definition used by Azure Policy enables you to establish conventions for resources in your organization by describing when the policy is enforced and what effect to take. By defining conventions, you can control costs and more easily manage your resources.
References:
Microsoft Docs > Azure Policy definition structure

Exam Question 96

You have two Azure virtual networks named VNet1 and VNet2. VNet1 contains an Azure virtual machine named VM1. VNet2 contains an Azure virtual machine named VM2.
VM1 hosts a frontend application that connects to VM2 to retrieve data.
Users report that the frontend application is slower than usual.
You need to view the average round-trip time (RTT) of the packets from VM1 to VM2.
Which Azure Network Watcher feature should you use?
A. IP flow verify
B. Connection troubleshoot
C. Connection monitor
D. NSG flow logs

Correct Answer:
C. Connection monitor
Answer Description:
The connection monitor capability monitors communication at a regular interval and informs you of reachability, latency, and network topology changes between the VM and the endpoint.

The Connection Monitor feature in Azure Network Watcher is now generally available in all public regions. Connection Monitor provides RTT values at per-minute granularity. You can monitor a direct TCP connection from a virtual machine to a virtual machine, FQDN, URI, or IPv4 address.

Incorrect Answers:
A: The IP flow verify capability enables you to specify a source and destination IPv4 address, port, protocol (TCP or UDP), and traffic direction (inbound or outbound). IP flow verify then tests the communication and informs you if the connection succeeds or fails. If the connection fails, IP flow verify tells you which security rule allowed or denied the communication, so that you can resolve the problem.
B: The connection troubleshoot capability enables you to test a connection between a VM and another VM, an FQDN, a URI, or an IPv4 address. The test returns information similar to that returned by the connection monitor capability, but it tests the connection at a point in time rather than monitoring it over time, as connection monitor does.
D: The NSG flow log capability allows you to log the source and destination IP address, port, protocol, and whether traffic was allowed or denied by an NSG.
References:
Microsoft Docs > What is Azure Network Watcher?

Exam Question 97

You have an Azure subscription that contains a policy-based virtual network gateway named GW1 and a virtual network named VNet1.
You need to ensure that you can configure a point-to-site connection from an on-premises computer to VNet1.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. Add a service endpoint to VNet1
B. Reset GW1
C. Create a route-based virtual network gateway
D. Add a connection to GW1
E. Delete GW1
F. Add a public IP address space to VNet1
Correct Answer:
C. Create a route-based virtual network gateway
E. Delete GW1
Answer Description:
C: A VPN gateway is used when creating a VPN connection to your on-premises network. Route-based VPN devices use any-to-any (wildcard) traffic selectors, and let routing/forwarding tables direct traffic to different IPsec tunnels. It is typically built on router platforms where each IPsec tunnel is modeled as a network interface or VTI (virtual tunnel interface).
E: Policy-based VPN devices use the combinations of prefixes from both networks to define how traffic is encrypted/decrypted through IPsec tunnels. It is typically built on firewall devices that perform packet filtering. IPsec tunnel encryption and decryption are added to the packet filtering and processing engine.
Incorrect Answers:
F: Point-to-Site connections do not require a VPN device or a public-facing IP address.
References:
Microsoft Docs > Connect Azure VPN gateways to multiple on-premises policy-based VPN devices using PowerShell

Exam Question 98

You have five Azure virtual machines that run Windows Server 2016. The virtual machines are configured as web servers.
You have an Azure load balancer named LB1 that provides load balancing services for the virtual machines.
You need to ensure that visitors are serviced by the same web server for each request.
What should you configure?
A. Floating IP (direct server return) to Enabled
B. Floating IP (direct server return) to Disabled
C. a health probe
D. Session persistence to Client IP and Protocol

Correct Answer:
D. Session persistence to Client IP and Protocol
Answer Description:
With sticky sessions, when a client starts a session on one of your web servers, the session stays on that specific server. To configure an Azure load balancer for sticky sessions, set Session persistence to Client IP.

Note: There are several versions of this question in the exam. The question can have other incorrect answer options, including the following:

  • Idle Time-out (minutes) to 20
  • Protocol to UDP

References:
Configure Azure Load Balancer For Sticky Sessions

Exam Question 99

Your on-premises network contains an SMB share named Share1.
You have an Azure subscription that contains the following resources:

  • A web app named webapp1
  • A virtual network named VNET1

You need to ensure that webapp1 can connect to Share1.
What should you deploy?
A. an Azure Application Gateway
B. an Azure Active Directory (Azure AD) Application Proxy
C. an Azure Virtual Network Gateway

Correct Answer:
C. an Azure Virtual Network Gateway
Answer Description:
A Site-to-Site VPN gateway connection can be used to connect your on-premises network to an Azure virtual network over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel.
This type of connection requires a VPN device, a VPN gateway, located on-premises that has an externally facing public IP address assigned to it.
Incorrect Answers:
B: Application Proxy is a feature of Azure AD that enables users to access on-premises web applications from a remote client.
References:
Microsoft Docs > Create a Site-to-Site connection in the Azure portal

Exam Question 100

You plan to deploy several Azure virtual machines that will run Windows Server 2019 in a virtual machine scale set by using an Azure Resource Manager template.
You need to ensure that NGINX is available on all the virtual machines after they are deployed.
What should you use?

A. Deployment Center in Azure App Service
B. A Desired State Configuration (DSC) extension/Azure Custom Script Extension
C. the New-AzConfigurationAssignement cmdlet
D. a Microsoft Intune device configuration profile
E. the Publish-AzVMDscConfiguration cmdlet
F. Azure Application Insights
Correct Answer:
B. A Desired State Configuration (DSC) extension/Azure Custom Script Extension
Answer Description:
The primary use case for the Azure Desired State Configuration (DSC) extension is to bootstrap a VM to the Azure Automation State Configuration (DSC) service. The service provides benefits that include ongoing management of the VM configuration and integration with other operational tools, such as Azure Monitoring.
Using the extension to register VMs to the service provides a flexible solution that even works across Azure subscriptions.
You can use the DSC extension independently of the Automation DSC service.
Azure virtual machine extensions are small packages that run post-deployment configuration and automation on Azure virtual machines.
In the following example, the Azure CLI is used to deploy a custom script extension to an existing virtual machine, which installs an NGINX web server.

# Custom Script Extension for Linux VMs; the apt-get command assumes a Debian/Ubuntu image.
az vm extension set \
  --resource-group myResourceGroup \
  --vm-name myVM --name customScript \
  --publisher Microsoft.Azure.Extensions \
  --settings '{"commandToExecute": "apt-get install -y nginx"}'