Exam AZ-104 Microsoft Azure Administrator Questions and Answers – Page 2

The latest Exam AZ-104 Microsoft Azure Administrator certification practice exam question and answer (Q&A) dumps are available for free. They can help you pass the AZ-104 Microsoft Azure Administrator exam and earn the AZ-104 Microsoft Azure Administrator certification.

Exam Question 101

Your company has three offices. The offices are located in Miami, Los Angeles, and New York. Each office contains a datacenter.
You have an Azure subscription that contains resources in the East US and West US Azure regions. Each region contains a virtual network. The virtual networks are peered.
You need to connect the datacenters to the subscription. The solution must minimize network latency between the datacenters.
What should you create?
A. three Azure Application Gateways and one On-premises data gateway
B. three virtual hubs and one virtual WAN
C. three virtual WANs and one virtual hub
D. three On-premises data gateways and one Azure Application Gateway
Correct Answer:
B. three virtual hubs and one virtual WAN
Answer Description:
Azure Virtual WAN is a networking service that brings many networking, security, and routing functionalities together to provide a single operational interface. These functionalities include branch connectivity (via connectivity automation from Virtual WAN Partner devices such as SD-WAN or VPN CPE), Site-to-site VPN connectivity, remote user VPN (Point-to-site) connectivity, private (ExpressRoute) connectivity, intra-cloud connectivity (transitive connectivity for virtual networks), VPN ExpressRoute inter-connectivity, routing, Azure Firewall, and encryption for private connectivity. You do not have to have all of these use cases to start using Virtual WAN. You can simply get started with just one use case, and then adjust your network as it evolves.

The Virtual WAN architecture is a hub and spoke architecture with scale and performance built in for branches (VPN/SD-WAN devices), users (Azure VPN/OpenVPN/IKEv2 clients), ExpressRoute circuits, and virtual networks. It enables global transit network architecture, where the cloud hosted network ‘hub’ enables transitive connectivity between endpoints that may be distributed across different types of ‘spokes’.

Azure regions serve as hubs that you can choose to connect to. All hubs are connected in full mesh in a Standard Virtual WAN making it easy for the user to use the Microsoft backbone for any-to-any (any spoke) connectivity. For spoke connectivity with SD-WAN/VPN devices, users can either manually set it up in Azure Virtual WAN, or use the Virtual WAN CPE (SD-WAN/VPN) partner solution to set up connectivity to Azure. We have a list of partners that support connectivity automation (ability to export the device info into Azure, download the Azure configuration and establish connectivity) with Azure Virtual WAN.
References:
Microsoft Docs > What is Azure Virtual WAN?

Exam Question 102

You have the Azure virtual networks shown in the following table.

| Name | Address space | Subnet | Resource group Azure region |
|---|---|---|---|
| VNet1 | 10.11.0.0/16 | 10.11.0.0/17 | West US |
| VNet2 | 10.11.0.0/17 | 10.11.0.0/25 | West US |
| VNet3 | 10.10.0.0/22 | 10.10.1.0/24 | East US |
| VNet4 | 192.168.16.0/22 | 192.168.16.0/24 | North Europe |

To which virtual networks can you establish a peering connection from VNet1?
A. VNet2 and VNet3 only
B. VNet2 only
C. VNet3 and VNet4 only
D. VNet2, VNet3, and VNet4

Correct Answer:
C. VNet3 and VNet4 only
Incorrect Answers: A, B, C: The address space for VNet2 overlaps with VNet1. We therefore cannot establish a peering between VNet2 and VNet1.
References:
Microsoft Docs > Tutorial: Connect virtual networks with virtual network peering using the Azure portal

Exam Question 103

You have an Azure subscription that contains a virtual network named VNet1. VNet1 contains four subnets named Gateway, Perimeter, NVA, and Production.
The NVA subnet contains two network virtual appliances (NVAs) that will perform network traffic inspection between the Perimeter subnet and the Production subnet.
You need to implement an Azure load balancer for the NVAs. The solution must meet the following requirements:

  • The NVAs must run in an active-active configuration that uses automatic failover.
  • The NVA must load balance traffic to two services on the Production subnet. The services have different IP addresses.

Which three actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. Deploy a basic load balancer
B. Deploy a standard load balancer
C. Add two load balancing rules that have HA Ports and Floating IP enabled
D. Add two load balancing rules that have HA Ports enabled and Floating IP disabled
E. Add a frontend IP configuration, a backend pool, and a health probe
F. Add a frontend IP configuration, two backend pools, and a health probe
Correct Answer:
B. Deploy a standard load balancer
C. Add two load balancing rules that have HA Ports and Floating IP enabled
F. Add a frontend IP configuration, two backend pools, and a health probe
Answer Description:
A standard load balancer is required for the HA ports.
Two backend pools are needed as there are two services with different IP addresses.
Floating IP rule is used where backend ports are reused.
Incorrect Answers:
E: HA Ports are not available for the basic load balancer.
References:
Microsoft Docs > What is Azure Load Balancer?
Microsoft Docs > Multiple frontends for Azure Load Balancer

Exam Question 104

You have an Azure subscription named Subscription1 that contains two Azure virtual networks named VNet1 and VNet2. VNet1 contains a VPN gateway named VPNGW1 that uses static routing. There is a site-to-site VPN connection between your on-premises network and VNet1.
On a computer named Client1 that runs Windows 10, you configure a point-to-site VPN connection to VNet1.
You configure virtual network peering between VNet1 and VNet2. You verify that you can connect to VNet2 from the on-premises network. Client1 is unable to connect to VNet2.
You need to ensure that you can connect Client1 to VNet2.
What should you do?
A. Download and re-install the VPN client configuration package on Client1.
B. Select Allow gateway transit on VNet1.
C. Select Allow gateway transit on VNet2.
D. Enable BGP on VPNGW1

Correct Answer:
A. Download and re-install the VPN client configuration package on Client1.
References:
Microsoft Docs > About Point-to-Site VPN routing

Exam Question 105

You have an Azure subscription that contains the resources in the following table.

| Name | Type | Azure region | Resource group |
|---|---|---|---|
| VNet1 | Virtual network | West US | RG2 |
| VNet2 | Virtual network | West US | RG1 |
| VNet3 | Virtual network | East US | RG1 |
| NSG1 | Network security group (NSG) | East US | RG2 |

To which subnets can you apply NSG1?
A. the subnets on VNet1 only
B. the subnets on VNet2 and VNet3 only
C. the subnets on VNet2 only
D. the subnets on VNet3 only
E. the subnets on VNet1, VNet2, and VNet3

Correct Answer:
D. the subnets on VNet3 only
Answer Description:
All Azure resources are created in an Azure region and subscription. A resource can only be created in a virtual network that exists in the same region and subscription as the resource.
References:
Microsoft Docs > Plan virtual networks
Microsoft Docs > Move Azure network security group (NSG) to another region using the Azure portal

Exam Question 106

You have an Azure web app named webapp1.
You have a virtual network named VNET1 and an Azure virtual machine named VM1 that hosts a MySQL database. VM1 connects to VNET1.
You need to ensure that webapp1 can access the data hosted on VM1.
What should you do?
A. Deploy an internal load balancer
B. Peer VNET1 to another virtual network
C. Connect webapp1 to VNET1
D. Deploy an Azure Application Gateway

Correct Answer:
D. Deploy an Azure Application Gateway

Exam Question 107

You create an Azure VM named VM1 that runs Windows Server 2019.
VM1 is configured as shown in the exhibit. (Click the Exhibit tab.)

You need to enable Desired State Configuration for VM1.
What should you do first?
A. Connect to VM1.
B. Start VM1.
C. Capture a snapshot of VM1.
D. Configure a DNS name for VM1.

Correct Answer:
B. Start VM1.
Answer Description:
Status is Stopped (Deallocated).
The DSC extension for Windows requires that the target virtual machine is able to communicate with Azure.
The VM needs to be started.

Exam Question 108

You have five Azure virtual machines that run Windows Server 2016. The virtual machines are configured as web servers.
You have an Azure load balancer named LB1 that provides load balancing services for the virtual machines.
You need to ensure that visitors are serviced by the same web server for each request.
What should you configure?
A. Floating IP (direct server return) to Disabled
B. Idle Time-out (minutes) to 20
C. Protocol to UDP
D. Session persistence to Client IP

Correct Answer:
D. Session persistence to Client IP
Answer Description:

With sticky sessions, when a client starts a session on one of your web servers, the session stays on that specific server. To configure an Azure load balancer for sticky sessions, set Session persistence to Client IP or to Client IP and protocol.
In the following image you can see the sticky session configuration:
Note:

  • Client IP and protocol specifies that successive requests from the same client IP address and protocol combination will be handled by the same virtual machine.
  • Client IP specifies that successive requests from the same client IP address will be handled by the same virtual machine.

References:
Configure Azure Load Balancer For Sticky Sessions

Exam Question 109

You have an Azure subscription that contains the following resources:

  • A virtual network that has a subnet named Subnet1
  • Two network security groups (NSGs) named NSG-VM1 and NSG-Subnet1
  • A virtual machine named VM1 that has the required Windows Server configurations to allow Remote Desktop connections

NSG-Subnet1 has the default inbound security rules only.
NSG-VM1 has the default inbound security rules and the following custom inbound security rule:

  • Priority: 100
  • Source: Any
  • Source port range: *
  • Destination: *
  • Destination port range: 3389
  • Protocol: UDP
  • Action: Allow

VM1 has a public IP address and is connected to Subnet1. NSG-VM1 is associated to the network interface of VM1. NSG-Subnet1 is associated to Subnet1.
You need to be able to establish Remote Desktop connections from the internet to VM1.
Solution: You add an inbound security rule to NSG-Subnet1 that allows connections from the Any source to the * destination for port range 3389 and uses the TCP protocol. You remove NSG-VM1 from the network interface of VM1.
Does this meet the goal?
A. Yes
B. No

Correct Answer:
B. No
Answer Description:
The default port for RDP is TCP port 3389. A rule to permit RDP traffic must be created automatically when you create your VM.
Note on NSG-Subnet1: Azure routes network traffic between all subnets in a virtual network, by default.

Exam Question 110

You have an Azure subscription that contains the following resources:

  • A virtual network that has a subnet named Subnet1
  • Two network security groups (NSGs) named NSG-VM1 and NSG-Subnet1
  • A virtual machine named VM1 that has the required Windows Server configurations to allow Remote Desktop connections

NSG-Subnet1 has the default inbound security rules only.
NSG-VM1 has the default inbound security rules and the following custom inbound security rule:

  • Priority: 100
  • Source: Any
  • Source port range: *
  • Destination: *
  • Destination port range: 3389
  • Protocol: UDP
  • Action: Allow

VM1 has a public IP address and is connected to Subnet1. NSG-VM1 is associated to the network interface of VM1. NSG-Subnet1 is associated to Subnet1.
You need to be able to establish Remote Desktop connections from the internet to VM1.
Solution: You add an inbound security rule to NSG-Subnet1 that allows connections from the internet source to the VirtualNetwork destination for port range 3389 and uses the UDP protocol.
Does this meet the goal?
A. Yes
B. No

Correct Answer:
B. No
Answer Description:
The default port for RDP is TCP port 3389. A rule to permit RDP traffic must be created automatically when you create your VM.
Note on NSG-Subnet1: Azure routes network traffic between all subnets in a virtual network, by default.