AZ 104 Practice Test 4072024 Flashcards
Your company has an Azure Active Directory (Azure AD) subscription. You need to deploy five virtual machines (VMs) to your company’s virtual network subnet.
The VMs will each have both a public and private IP address. Inbound and outbound security rules for all of these virtual machines must be identical. Which of the following is the least number of security groups needed for this configuration?
1, Single NSG can be applied to the subnet, and the rules within it would be applicable to all VMs within that subnet.
Which log tracks all control-plane operations that occur within the subscription, like stopping or restarting a virtual machine?
Activity Logs. The Azure Monitor activity log is a platform log in Azure that provides insight into subscription-level events. The activity log includes information like when a resource is modified or a virtual machine is started.
Which Azure CLI command will be required to create an Azure Key Vault?
az keyvault create
Your organization has hired a new cloud engineer and he should be able to manage cloud engineer’s access as well. You also need to follow Microsoft principle of least privilege.
Which role should be assigned to cloud engineer ?
User Access Administrator. Consider assigning the “User Access Administrator” role. This role enables members to handle user access for Azure resources efficiently.
Avoid assigning the “Owner” role. While it provides extensive access to Azure resources, it grants full control, which may exceed the principle of least privilege in this context.
Avoid assigning the “Contributor” role. Although it allows for the creation and management of various resources, it does not cover user access management for Azure resources within the subscription.
Avoid assigning the “User Administrator” role. This is an Azure AD role not a subscription RBAC role.
How can you successfully delete an Azure Recovery Services Vault that currently protects VM1 and VM2, given that you no longer need to maintain backups for these virtual machines and you are encountering error messages during the deletion process? Which three actions should you perform to delete the Azure recovery services vault?
a. Delete VM1 and VM2.
b. Stop the backup of VM1 and VM2.
c. Disable the soft delete feature and delete all the data.
d. Permanently remove any items in the soft delete state.
e. Delete the backup policy.
b, c, d. Soft delete is enabled by default on newly created vaults to protect backup data from accidental or malicious deletes. Backup data that exists in a soft deleted state before disabling this feature will remain in a soft deleted state for a period of 14 days. If you wish to permanently delete these immediately, then you need to undelete and delete them again to get them permanently deleted.
Which network watcher tool allows you to measure latency between Azure and on-premises resources?
The Connection Monitor monitors communication at regular intervals. It informs you of changes in reachability and latency.
What is the primary purpose of the Export-AzResourceGroup cmdlet in Azure PowerShell?
To export Azure resources from a resource group to a template file.
You have an administrative unit – Chicago. Below users and groups are added to administrative unit – Chicago.
You need to identify Which Azure AD objects can be administered by Admin of administrative unit.
Chris Green, john, group2. Adding a group to an administrative unit brings the group itself into the management scope of the administrative unit, but not the members of the group. In other words, an administrator scoped to the administrative unit can manage properties of the group, such as group name or membership, but they cannot manage properties of the users or devices within that group (unless those users and devices are separately added as members of the administrative unit). Since Godfred is part of group2, that means the admin won’t be able to manage the user Godfred as he is not the direct user added to the administrative unit.
You have two Azure virtual networks (VNet-A and VNet-B) connected via a virtual network peering configuration. You want resources in VNet-A to resolve Fully Qualified Domain Names (FQDNs) of resources in VNet-B. What Azure service can you use to achieve this?
Azure DNS Private Zones allows you to create a private DNS zone that can be associated with one or more virtual networks. By associating the private DNS zone with both VNet-A and VNet-B, resources in VNet-A can resolve the FQDNs of resources in VNet-B using the private DNS zone, ensuring secure and private name resolution within the connected virtual networks.
You are executing the below PowerShell cmdlet to enable encryption.
$RGName = “MyResourceGroup”
$VMName = “MyTestVM”
$VaultName= “MyKeyVault”
$KeyVault = Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $RGName
$DiskEncryptionKeyVaultUrl = $KeyVault.VaultUri
$KeyVaultResourceId = $KeyVault.ResourceId
$VolumeType = “All”
Set-AzVMDiskEncryptionExtension -ResourceGroupName $RGName -VMName $VMName -DiskEncryptionKeyVaultUrl $DiskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId -VolumeType $VolumeType
Is it required to stop the VM first before enabling encryption?
False. We can enable encryption on a running IaaS virtual machine in Azure.
Your organization has purchased a public domain: cloudportalfinance.com. You configured the cloudportalfinance.com Azure public DNS zone. You have already created an app service and deployed your application to the Azure app service. Your website is currently being accessed from cloudportal.azurewebsites.net. But you want users to be able to access it through the cloudportalfinance.com domain. You create two DNS records (txt and A) using the below PowerShell cmdlets.
Is this the correct method?
Yes
You have an Azure Key Vault in your subscription. You executed the below powershell cmdlet:
$vault = Get-AzKeyVault -ResourceGroupName ‘myrg1’
Below is the output of the cmdlet:
How would you retrieve only the resource ID property of the above-executed cmdlet?
$vault.ResourceID. The most common way to get the values of the properties of an object is to use the member access operator (.). Type a reference to the object, such as a variable that contains the object, or a command that gets the object. Then, type the operator (.) followed by the property name.
A storage account is “serverless storage” to store data. You can access the data without running a VM from the internet and/or VMs in Azure. Can we also access data on the data disk if the disk is not attached to the VM?
False. A storage account is “serverless storage” to store data. You are able to access the data without running a VM from the internet and/or VMs in Azure.
A storage account (fileshare or blob storage, for example) can be used by a VM like a “network share.”.
A data disk is always attached to a VM. You can’t access the data on the data disk directly from the internet.
You have an Azure File Share, Fileshare-01. You are checking the connectivity using the below PowerShell cmdlet.
$hostName = “mystorageaccount.file.core.windows.net”
Test-NetConnection -ComputerName $hostName -Port ___
Which port number should you use for connectivity?
445.
# Replace this value with the fully qualified domain name for your storage account.
Different storage accounts, especially in different Azure environments,
may have different suffixes than file.core.windows.net, so be sure to use the correct
suffix for your storage account.
$hostName = “mystorageaccount.file.core.windows.net”
Do the TCP connection test - see the above protocol/port table to figure out which
port to use for your test. This test uses port 445, the port used by SMB.
Test-NetConnection -ComputerName $hostName -Port 445
You have an Azure subscription, and below is the hub and spoke topology given.
HUB-VNET is connected to on-premises using a site-to-site VPN, and SPOKE-VNET is peering into HUB-VNET.
How VM1 can communicate with On-premises using the same HUB-VNET virtual network gateway.
Select yes if the statement is true. Otherwise, select no.
Statement: You are planning to use Gateway Transit.
Yes, Gatewaytransit is a peering property that lets one virtual network use the VPN gateway in the peered virtual network for cross-premises or VNet-to-VNet connectivity.
To add peering, you can go to HUB-VNET and configure the below settings.
checking the box: Allow traffic to be forwarded from the remote virtual network (allow gateway transit).
Once you enable peering after configuring the option, you will find the Gateway transit option is enabled on the HUB-VNET, which means your Spoke-VNET can use the remote virtual network gateway to communicate with the on-premises environment.
You need to create a Network Security group using the PowerShell cmdlet and configure NSG rules to allow RDP and HTTP traffic.
$rule1 = New-AzNetworkSecurityRuleConfig -Name rdp-rule -Description “Allow RDP” `
-Access Allow -Protocol Tcp -Direction Inbound -Priority 100 -SourceAddressPrefix `
Internet -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange 3389
$rule2 = New-AzNetworkSecurityRuleConfig -Name web-rule -Description “Allow HTTP” `
-Access Allow -Protocol Tcp -Direction Inbound -Priority 101 -SourceAddressPrefix `
Internet -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange 80
New-AzNetworkSecurityGroup -ResourceGroupName TestRG -Location westus -Name `
“NSG-FrontEnd” -SecurityRules $rule1, $rule2
You executed the above PowerShell cmdlet; is it correct?
Yes.
You have an Azure Storage account that contains a blob container – container4626.
You need to configure access to container4626.
Which authorization types can be used.
Azure AD, shared access signature (SAS) or storage key only.
Let’s examine the following situation:.
The resource group includes:
· Virtual Machine A
· Storage account B
· Virtual network C
You are trying to deploy the below resource using the ARM template:
· Network security group D
Below is the PowerShell cmdlet you are using to deploy the template.
New-AzResourceGroupDeployment -Mode Complete -Name ExampleDeployment `
-ResourceGroupName ExampleResourceGroup `
-TemplateFile c:\MyTemplates\storage.json
As you can see in the above cmdlet, we are using mode as complete. When deploying resources with Azure Resource Manager templates (ARM templates), you have two options for deployment mode: incremental or complete. What will happen if we use mode as complete?
Resource Manager deletes resources in the resource group that aren’t specified in the template. -that means virtual machine A, Storage account B, Virtual Network C will be deleted since these are not defined in ARM template. In complete mode, the Resource Manager deletes resources in the resource group that aren’t specified in the template.
A company is looking to amend its security policy to enhance security by reducing the exposure of certain ports—3389 and 22—on its Azure virtual machines (VMs). They want to achieve this while maintaining secure remote access options. Which Azure service can help them achieve this goal?
Azure Bastion is the Azure service that enables secure remote access to Azure VMs while reducing the exposure of ports. It allows users to connect to VMs over RDP and SSH without the need for public IP addresses or direct internet exposure. You require access to the Azure portal to use this service.
You have a virtual machine, and Network Security Groups (NSGs) are configured at both the subnet level and NIC level. For inbound traffic, which NSG will be evaluated first?
Subnet Level. For inbound traffic, Azure processes the rules in a network security group associated to a subnet first, if there’s one, and then the rules in a network security group associated to the network interface.
In the Azure Recovery Services vault, if you delete any data mistakenly, it goes to soft delete to protect your data and recover backups. For how many days is the data retained before being permanently deleted?
14 days.
Your organization wants to start using Azure premium file shares to replace on-premises file servers.
You have the storage account in your Azure Subscription as shown below.
Select Yes if the statement is True. Otherwise select No.
Statement: You should create a new premium storage account since existing storage accounts will not allow you to create premium file share
Yes.
To provision an Azure premium file share, creating a new storage account is required even though it incurs additional costs. Converting an existing General-Purpose storage V2 account to Azure premium file share is not feasible.
In the below screenshot provided, you’ll notice that to create a premium file share, you must choose “Premium” as the storage account performance level and set the account type to “File Share.”
You have the below NSG configured in your Azure environment.
At the destination, we are directly providing the names of the services. What are these called?
Service tags.
You have an Azure subscription that contains a resource group named Prod-RG1 in the West Europe location.
Prod-RG1 contains the resources shown in the following table:
Prod-SQLDB01 is a backup to Prod-RGV1.
This entire setup was part of a testing project. Your testing is done, and you are trying to delete the resource group, Prod-RG1, but deletion fails.
What should you do first?
Stop the backup of Prod-SQLDB01.
You can’t delete a vault that contains protected data sources (for example, IaaS VMs, SQL databases, or Azure file shares).
You can’t delete a vault that contains backup data. Once backup data is deleted, it will go into the soft deleted state.
You can’t delete a vault that contains backup data in the soft deleted state.
You can’t delete a vault that has registered storage accounts.
So, before you can delete a recovery services vault, you need to stop the backup and delete the backup data.
You want to implement Azure file share on your on-premises Windows server. What is the recommended Windows OS required?
Windows server 2019 and above.
You need to create a DNS record set with the relative name www in DNS Zone contoso.com. Fully qualified domain name of the record set will be www.contoso.com.
Record Type is ‘A’ and TTL is 3600 seconds. Record set contains a single record set with IP Address ‘1.2.3.4’.
Complete the PowerShell cmdlet.
A = “1.2.3.4”, B = New-AzDnsRecordSet
The following sample rule filters the Storage account to run the actions on objects that exist inside sample-container and start with blob1.
{
“rules”: [
{
“enabled”: true,
“name”: “sample-rule”,
“type”: “Lifecycle”,
“definition”: {
“actions”: {
“version”: {
“delete”: {
“daysAfterCreationGreaterThan”: 90
}
},
“baseBlob”: {
“tierToCool”: {
“daysAfterModificationGreaterThan”: 30
},
“tierToArchive”: {
“daysAfterModificationGreaterThan”: 90,
“daysAfterLastTierChangeGreaterThan”: 7
},
“delete”: {
“daysAfterModificationGreaterThan”: 2555
}
}
},
“filters”: {
“blobTypes”: [
“blockBlob”
],
“prefixMatch”: [
“sample-container/blob1”
]
}
}
}
]
}
Select Yes if the statements are true. Otherwise, Select No.
Delete previous Blob versions 90 days after creation.
Tier blob to cool tier 30 days after last modification.
Yes, Yes.
Previous blob versions are deleted automatically 90 days after creation.
It will tier blob to cool tier 30 days after last modification.
You have below Azure VM in your subscription.
You need to create 10 more VMs based on the same configuration. Which blade will you use so that you can use the existing ARM template and modify it according to your requirements?
A. You need to click on Export Template to download the ARM template.
