AZ-104 Practice Test Questions

366 Questions


Topic 5: Mix Questions

You are configuring Azure AD authentication for an Azure Storage account named storage1.
You need to ensure that the members of a group named Group1 can upload files by using the Azure portal. The solution must use the principle of least privilege.
Which two roles should you assign to Group1? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.


A. Storage Blob Data Contributor


B. Reader


C. Storage Blob Data Reader


D. Contributor


E. Storage Account Contributor





A.
  Storage Blob Data Contributor

B.
  Reader

Explanation:
To ensure that the members of Group1 can upload files by using the Azure portal, they need to have both data access and management access to the storage account. Data access refers to the ability to read, write, or delete blob data in the storage account. Management access refers to the ability to view the storage account resources in the Azure portal, but not modify them. The Azure role-based access control (Azure RBAC) system provides built-in roles that encompass common sets of permissions for data access and management access. The Storage Blob Data Contributor role grants read, write, and delete access to blob data in the storage account. The Reader role grants view access to the storage account resources in the Azure portal. Therefore, by assigning both roles to Group1, the members of the group can upload files by using the Azure portal. This solution also follows the principle of least privilege, as the group members are only granted the minimum permissions required to perform the task.

References:
Assign an Azure role for access to blob data
Data access from the Azure portal

You have an Azure subscription that contains a user named User1 and the resources shown in the following table.






You have an Azure subscription that contains two virtual machines named VM1 and VM2.
You create an Azure load balancer.
You plan to create a load balancing rule that will load balance HTTPS traffic between VM1 and VM2.
Which two additional load balancer resources should you create before you can create the load balancing rule? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.


A. a frontend IP address


B. a backend pool


C. a health probe


D. an inbound NAT rule


E. a virtual network





A.
  a frontend IP address

C.
  a health probe

Explanation:
To create a load balancing rule that will load balance HTTPS traffic between VM1 and VM2, you need to create two additional load balancer resources: a frontend IP address and a health probe.

A frontend IP address is the IP address that the clients use to access the load balancer. It can be either public or private, depending on the type of load balancer. A frontend IP address is required for any load balancing rule.

A health probe is used to monitor the health and availability of the backend instances. It can be either TCP, HTTP, or HTTPS, depending on the protocol of the load balancing rule. A health probe is required for any load balancing rule.

A backend pool is a group of backend instances that receive the traffic from the load balancer. You already have a backend pool that contains VM1 and VM2, so you don’t need to create another one.

An inbound NAT rule is used to forward traffic from a specific port on the frontend IP address to a specific port on a backend instance. It’s not required for a load balancing rule, but it can be used to access individual instances for troubleshooting or maintenance purposes.

A virtual network is a logical isolation of Azure resources within a region. It’s not a load balancer resource, but it’s required for creating an internal load balancer or connecting virtual machines to a load balancer.

You have an Azure subscription. The subscription contains a virtual machine that runs Windows 10.
You need to join the virtual machine to an Active Directory domain.
How should you complete the Azure Resource Manager (ARM) template? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.






You have an Azure subscription that contains a virtual network named VNet1. VNet1 contains four subnets named Gateway, Perimeter, NVA, and Production.
The NVA subnet contains two network virtual appliances (NVAs) that will perform network traffic inspection between the Perimeter subnet and the Production subnet.
You need to implement an Azure load balancer for the NVAs. The solution must meet the following requirements:
• The NVAs must run in an active-active configuration that uses automatic failover.
• The load balancer must load balance traffic to two services on the Production subnet. The services have different IP addresses.
Which three actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.


A. Add two load balancing rules that have HA Ports enabled and Floating IP disabled.


B. Deploy a basic load balancer.


C. Add a frontend IP configuration, a backend pool, and a health probe.


D. Add two load balancing rules that have HA Ports and Floating IP enabled.


E. Deploy a standard load balancer.


F. Add a frontend IP configuration, two backend pools, and a health probe.





D.
  Add two load balancing rules that have HA Ports and Floating IP enabled.

E.
  Deploy a standard load balancer.

F.
  Add a frontend IP configuration, two backend pools, and a health probe.

You have the role assignment file shown in the following exhibit.






You plan to create the Azure web apps shown in the following Table.

What is the minimum number of App Service plans you should create for the web apps?


A. 1


B. 2


C. 3


D. 4





B.
  2

Explanation:
• .NET Core 3.0: Windows and Linux
• ASP.NET V4.7: Windows only
• PHP 7.3: Windows and Linux
• Ruby 2.6: Linux only
You can't mix Windows and Linux apps in the same App Service plan, because when you create a new App Service plan you have to choose the OS type. So, you need 2 App Service plans.
Reference: https://docs.microsoft.com/en-us/azure/app-service/overview

You have an Azure subscription that contains a virtual network named VNET in the East US 2 region. A network interface named VM1-NI is connected to VNET1.
You successfully deploy the following Azure Resource Manager template.






You have an Azure virtual machine named VM1 and a Recovery Services vault named Vault1.
You create a backup policy named Policy1 as shown in the exhibit. (Click the Exhibit tab.)






You have an Azure policy as shown in the following exhibit.

What is the effect of the policy?


A. You are prevented from creating Azure SQL servers anywhere in Subscription1.


B. You can create Azure SQL servers in ContosoRG1 only.


C. You can create Azure SQL servers in any resource group within Subscription1.


D. You are prevented from creating Azure SQL Servers in ContosoRG1 only.





B.
  You can create Azure SQL servers in ContosoRG1 only.

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription that contains 10 virtual networks. The virtual networks are hosted in separate resource groups.
Another administrator plans to create several network security groups (NSGs) in the subscription.
You need to ensure that when an NSG is created, it automatically blocks TCP port 8080 between the virtual networks.
Solution: You create a resource lock, and then you assign the lock to the subscription.
Does this meet the goal?


A. Yes


B. No





B.
  No

Explanation:
No, this does not meet the goal. Creating a resource lock and assigning it to the subscription is not enough to ensure that when an NSG is created, it automatically blocks TCP port 8080 between the virtual networks. This is because a resource lock does not affect the configuration or functionality of a resource, but only prevents it from being deleted or modified. A resource lock does not apply any security rules to an NSG or a virtual network.

To meet the goal, you need to create a custom policy definition that enforces a default security rule for NSGs. A policy definition is a set of rules and actions that Azure performs when evaluating your resources. You can use a policy definition to specify the required properties and values for NSGs, such as the direction, protocol, source, destination, and port of the security rule. You can then assign the policy definition to the subscription scope, so that it applies to all the resource groups and virtual networks in the subscription.
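
An audit for the rule this scenario requires, as an added Python example that is not part of the original page: it checks an NSG in ARM JSON shape for a Deny rule covering TCP 8080 between the VirtualNetwork service tags, and treats a higher-priority Allow rule as a failure. The sample NSGs and helper names are constructed for illustration, and only the singular address-prefix fields are evaluated.

```python
# Added example: audits ARM-shaped NSG JSON for the rule the scenario requires.
VNET = "VirtualNetwork"  # Azure service tag for virtual network address space

def port_covered(spec, port):
    """True if an NSG port spec ('*', '8080', '8000-9000') includes port."""
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def rule_matches(props, port=8080):
    """True if the rule applies to TCP traffic to `port` between virtual networks."""
    ports = props.get("destinationPortRanges") or [props.get("destinationPortRange", "")]
    return (
        props.get("protocol", "").lower() in ("tcp", "*")
        and props.get("sourceAddressPrefix") in (VNET, "*")
        and props.get("destinationAddressPrefix") in (VNET, "*")
        and any(p and port_covered(p, port) for p in ports)
    )

def blocks_8080(nsg, direction="Inbound"):
    """True when the matching custom rule with the lowest priority number is a Deny."""
    rules = [r["properties"] for r in nsg["properties"].get("securityRules", [])]
    rules = [r for r in rules if r["direction"] == direction and rule_matches(r)]
    if not rules:
        return False  # the default AllowVnetInBound/AllowVnetOutBound rules permit it
    return min(rules, key=lambda r: r["priority"])["access"] == "Deny"

def _rule(priority, access, port):
    # Constructed sample rule in the shape ARM returns for a securityRules entry.
    return {"properties": {
        "priority": priority, "access": access, "direction": "Inbound",
        "protocol": "Tcp", "sourceAddressPrefix": VNET,
        "destinationAddressPrefix": VNET, "sourcePortRange": "*",
        "destinationPortRange": port}}

# Constructed NSGs: compliant, Deny shadowed by a broader Allow, and no custom rules.
COMPLIANT = {"properties": {"securityRules": [_rule(100, "Deny", "8080")]}}
SHADOWED = {"properties": {"securityRules": [
    _rule(100, "Allow", "8000-9000"), _rule(200, "Deny", "8080")]}}
EMPTY = {"properties": {"securityRules": []}}

if __name__ == "__main__":
    for name, nsg in (("compliant", COMPLIANT), ("shadowed", SHADOWED), ("empty", EMPTY)):
        print(name, blocks_8080(nsg))
```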

You have an Azure subscription that has Traffic Analytics configured.
You deploy a new virtual machine named VM1 that has the following settings:
• Region: East US
• Virtual network: VNet1
• NIC network security group: NSG1
You need to monitor VM1 traffic by using Traffic Analytics.
Which settings should you configure?


A. Diagnostic settings for VM1


B. Insights for VM1


C. NSG flow logs for NSG1


D. Diagnostic settings for NSG1





C.
  NSG flow logs for NSG1

Explanation:
Traffic Analytics analyzes the network security group (NSG) flow logs to provide insights into traffic flow in your Azure cloud. NSG flow logs are a feature of Network Watcher that allows you to view information about ingress and egress IP traffic through an NSG. To use Traffic Analytics, you need to enable NSG flow logs for the network security groups you want to monitor.

Diagnostic settings for VM1 or NSG1 are not required for Traffic Analytics. Diagnostic settings are used to stream log data from an Azure resource to different destinations such as Log Analytics workspace, Event Hubs, or Storage account. Insights for VM1 are also not required for Traffic Analytics. Insights are a feature of Azure Monitor that provide analysis of the performance and health of an Azure resource.
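
To show what the NSG flow logs for NSG1 contain once enabled, here is an added Python example (not part of the original page) that parses version 2 flow tuples and counts denied inbound flows per source IP. The sample record, rule names, MAC address and documentation-range IPs are constructed, and the resource ID uses a placeholder subscription.

```python
import json
from collections import Counter

# Field order of a version 2 NSG flow tuple (comma-separated string).
FIELDS = ("time", "src_ip", "dst_ip", "src_port", "dst_port", "protocol",
          "direction", "decision", "state", "pkts_s2d", "bytes_s2d",
          "pkts_d2s", "bytes_d2s")

# Constructed sample record (not real traffic).
SAMPLE = json.dumps({"records": [{
    "time": "2024-01-01T00:00:00Z",
    "category": "NetworkSecurityGroupFlowEvent",
    "resourceId": "/SUBSCRIPTIONS/<sub-id>/RESOURCEGROUPS/RG1/PROVIDERS/"
                  "MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/NSG1",
    "properties": {"Version": 2, "flows": [
        {"rule": "DefaultRule_DenyAllInBound", "flows": [
            {"mac": "000D3A000001", "flowTuples": [
                "1704067200,203.0.113.7,10.0.0.4,50122,8080,T,I,D,B,,,,",
                "1704067201,203.0.113.7,10.0.0.4,50123,3389,T,I,D,B,,,,"]}]},
        {"rule": "UserRule_AllowHttps", "flows": [
            {"mac": "000D3A000001", "flowTuples": [
                "1704067202,198.51.100.9,10.0.0.4,44000,443,T,I,A,E,12,3400,10,9100"]}]},
    ]}}]})

def parse_flows(raw):
    """Yield one dict per flow tuple, tagged with the NSG rule that matched."""
    for record in json.loads(raw)["records"]:
        for rule_group in record["properties"]["flows"]:
            for flow in rule_group["flows"]:
                for line in flow["flowTuples"]:
                    parts = line.split(",")
                    if len(parts) != len(FIELDS):
                        continue  # skip version 1 or malformed tuples
                    yield dict(zip(FIELDS, parts), rule=rule_group["rule"])

def denied_inbound_by_source(raw):
    """Count denied inbound flows per source IP (direction I, decision D)."""
    return Counter(r["src_ip"] for r in parse_flows(raw)
                   if r["direction"] == "I" and r["decision"] == "D")

if __name__ == "__main__":
    for src, count in denied_inbound_by_source(SAMPLE).most_common():
        print(src, count)
```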

