The latest Microsoft AZ-104 Azure Administrator certification practice exam question and answer (Q&A) dumps are available free. They can help you pass the Microsoft AZ-104 Azure Administrator exam and earn the Microsoft AZ-104 Azure Administrator certification.
Question 301
You have an Azure subscription that contains the virtual machines shown in the following table:
Name | Operating system | Connect to |
---|---|---|
VM1 | Windows Server 2019 | Subnet1 |
VM2 | Windows Server 2019 | Subnet2 |
VM1 and VM2 use public IP addresses. From Windows Server 2019 on VM1 and VM2, you allow inbound Remote Desktop connections.
Subnet1 and Subnet2 are in a virtual network named VNET1.
The subscription contains two network security groups (NSGs) named NSG1 and NSG2. NSG1 uses only the default rules.
NSG2 uses the default rules and the following custom incoming rule:
- Priority: 100
- Name: Rule1
- Port: 3389
- Protocol: TCP
- Source: Any
- Destination: Any
- Action: Allow
NSG1 is associated to Subnet1. NSG2 is associated to the network interface of VM2.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
- From the Internet, you can connect to VM1 by using Remote Desktop: No
- From the Internet, you can connect to VM2 by using Remote Desktop: Yes
- From VM1, you can connect to VM2 by using Remote Desktop: Yes
Explanation:
Default security rules
Azure creates the following default rules in each network security group that you create:
Inbound
Name | Priority | Source | Source ports | Destination | Destination ports | Protocol | Access |
---|---|---|---|---|---|---|---|
AllowVNetInBound | 65000 | VirtualNetwork | 0-65535 | VirtualNetwork | 0-65535 | Any | Allow |
AllowAzureLoadBalancerInBound | 65001 | AzureLoadBalancer | 0-65535 | 0.0.0.0/0 | 0-65535 | Any | Allow |
DenyAllInbound | 65500 | 0.0.0.0/0 | 0-65535 | 0.0.0.0/0 | 0-65535 | Any | Deny |
Outbound
Name | Priority | Source | Source ports | Destination | Destination ports | Protocol | Access |
---|---|---|---|---|---|---|---|
AllowVnetOutBound | 65000 | VirtualNetwork | 0-65535 | VirtualNetwork | 0-65535 | Any | Allow |
AllowInternetOutBound | 65001 | 0.0.0.0/0 | 0-65535 | Internet | 0-65535 | Any | Allow |
DenyAllOutBound | 65500 | 0.0.0.0/0 | 0-65535 | 0.0.0.0/0 | 0-65535 | Any | Deny |
Box 1: No. The default port for RDP is TCP port 3389. A rule to permit RDP traffic must be created automatically when you create your VM.
Box 2: Yes. NSG2 will allow this.
Box 3: Yes. NSG2 will allow this. Note on NSG-Subnet1: Azure routes network traffic between all subnets in a virtual network, by default.
Question 302
You have an Azure subscription that contains three virtual networks named VNet1, VNet2, VNet3.
VNet2 contains a virtual appliance named VM2 that operates as a router. You are configuring the virtual networks in a hub and spoke topology that uses VNet2 as the hub network.
You plan to configure peering between VNet1 and VNet2 and between VNet2 and VNet3.
You need to provide connectivity between VNet1 and VNet3 through VNet2.
Which two configurations should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
*A. On the peering connections, allow forwarded traffic.
B. On the peering connections, allow gateway transit.
*C. Create route tables and assign the table to subnets.
D. Create a route filter.
E. On the peering connections, use remote gateways.
Explanation:
The requirement is “You need to provide connectivity between VNet1 and VNet3 through VNet2.” It’s not about remote gateways or connectivity outside the VNets. So the answers are A (to forward traffic from one spoke VNet to another spoke) and C (without a UDR and the NVA as the next hop, IP traffic won’t flow between the spokes).
Question 303
You have an Azure Logic App named App1. App1 provides a response when an HTTP POST request or an HTTP GET request is received.
During peak periods, App1 is expected to receive up to 200,000 requests in a five-minute period.
You need to ensure that App1 can handle the expected load.
What should you configure?
A. Access control (IAM)
B. API connections
*C. Workflow settings
D. Access keys
Question 304
You have an Azure App Service plan named AdatumASP1 that hosts several Azure web apps.
You discover that the web apps respond slowly.
You need to provide additional memory and CPU resources to each instance of the web app.
What should you do?
A. Scale out AdatumASP1.
B. Add continuous WebJobs that use the multi-instance scale.
*C. Scale up AdatumASP1.
D. Add a virtual machine scale set.
Question 305
You have an Azure web app named App1 that streams video content to users. App1 is located in the East US Azure region.
Users in North America stream the video content without any interruption.
Users in Asia and Europe report that the video buffers often and does not play back smoothly.
You need to recommend a solution to improve video streaming to the European and Asian users.
What should you recommend?
A. Scale out the App Service plan.
B. Scale up the App Service plan.
*C. Configure an Azure Content Delivery Network (CDN) endpoint.
D. Configure Azure File Sync.
Question 306
You manage a virtual network named VNet1 that is hosted in the West US Azure region.
VNet1 hosts two virtual machines named VM1 and VM2 that run Windows Server.
You need to inspect all the network traffic from VM1 to VM2 for a period of three hours.
Solution: From Azure Network Watcher, you create a connection monitor.
Does this meet the goal?
A. Yes
*B. No
Question 307
You are troubleshooting a performance issue for an Azure Application Gateway.
You need to compare the total requests to the failed requests during the past six hours.
What should you use?
A. Connection monitor in Azure Network Watcher.
*B. Metrics in Application Gateway
C. Diagnostics logs in Application Gateway
D. NSG flow logs in Azure Network Watcher
Question 308
You deploy an Azure Application Gateway.
You need to ensure that all the traffic requesting https://adatum.com/internal resources is directed to an internal server pool and all the traffic requesting https://adatum.com/external resources is directed to an external server pool.
What should you configure on the Application Gateway?
*A. URL path-based routing
B. multi-site listeners
C. basic routing
D. SSL termination
Question 309
You have an Azure Active Directory (Azure AD) tenant that has Azure AD Privileged Identity Management configured.
You have 10 users who are assigned the Security Administrator role for the tenant.
You need the users to verify whether they still require the Security Administrator role.
What should you do?
A. From Azure AD Identity Protection, configure a user risk policy.
*B. From Azure AD Privileged Identity Management, create an access review.
C. From Azure AD Identity Protection, configure the Weekly Digest.
D. From Azure AD Privileged Identity Management, create a conditional access policy.
Question 310
You have an Azure subscription.
You plan to deploy an Azure Kubernetes Service (AKS) cluster to support an app named App1. On-premises clients connect to App1 by using the IP address of the pod.
For the AKS cluster, you need to choose a network type that will support App1.
What should you choose?
A. kubenet
*B. Azure Container Networking Interface (CNI)
C. Hybrid Connection endpoints
D. Azure Private Link
Explanation:
With Azure CNI, every pod gets an IP address from the subnet and can be accessed directly. These IP addresses must be unique across your network space.
Incorrect Answers:
A: The kubenet networking option is the default configuration for AKS cluster creation. With kubenet, nodes get an IP address from the Azure virtual network subnet. Pods receive an IP address from a logically different address space to the Azure virtual network subnet of the nodes. Network address translation (NAT) is then configured so that the pods can reach resources on the Azure virtual network.
C, D: AKS only supports kubenet networking and Azure Container Networking Interface (CNI) networking.