AZ-104 : Microsoft Azure Administrator : Part 09

  1. HOTSPOT

    You have an Azure subscription that contains the virtual machines shown in the following table:

    AZ-104 Part 09 Q01 158

    VM1 and VM2 use public IP addresses. From Windows Server 2019 on VM1 and VM2, you allow inbound Remote Desktop connections.

    Subnet1 and Subnet2 are in a virtual network named VNET1.

    The subscription contains two network security groups (NSGs) named NSG1 and NSG2. NSG1 uses only the default rules.

    NSG2 uses the default rules and the following custom incoming rule:

    – Priority: 100
    – Name: Rule1
    – Port: 3389
    – Protocol: TCP
    – Source: Any
    – Destination: Any
    – Action: Allow

    NSG1 is associated to Subnet1. NSG2 is associated to the network interface of VM2.

    For each of the following statements, select Yes if the statement is true. Otherwise, select No.

    NOTE: Each correct selection is worth one point.

    AZ-104 Part 09 Q01 159 Question

    AZ-104 Part 09 Q01 159 Answer
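
An added example (not part of the original question set) that models how Azure evaluates inbound traffic against the NSGs described in question 1: the subnet NSG is processed first, then the NIC NSG, and each NSG stops at its first matching rule by priority. The VM table is not in the page text, so the placements below are hypothetical, and the traffic source is simplified to a service-tag string.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    priority: int
    name: str
    port: str       # "*" or one port number as text
    protocol: str   # "*", "TCP" or "UDP"
    source: str     # "*" or a service tag such as "VirtualNetwork"
    action: str     # "Allow" or "Deny"

# Default inbound rules present in every NSG.
DEFAULT_INBOUND = (
    Rule(65000, "AllowVNetInBound", "*", "*", "VirtualNetwork", "Allow"),
    Rule(65001, "AllowAzureLoadBalancerInBound", "*", "*", "AzureLoadBalancer", "Allow"),
    Rule(65500, "DenyAllInBound", "*", "*", "*", "Deny"),
)

def first_match(custom_rules, port, protocol, source_tag):
    """Return the lowest-priority-number rule in one NSG that matches the flow."""
    for rule in sorted(tuple(custom_rules) + DEFAULT_INBOUND, key=lambda r: r.priority):
        if (rule.port in ("*", str(port))
                and rule.protocol in ("*", protocol)
                and rule.source in ("*", source_tag)):
            return rule
    raise RuntimeError("unreachable: DenyAllInBound matches every flow")

def inbound_allowed(subnet_nsg, nic_nsg, port, protocol, source_tag):
    """Evaluate the subnet NSG, then the NIC NSG; None means no NSG at that level.

    Returns (allowed, trace) where trace lists (level, rule name, action).
    """
    trace = []
    for level, rules in (("subnet", subnet_nsg), ("nic", nic_nsg)):
        if rules is None:
            continue
        hit = first_match(rules, port, protocol, source_tag)
        trace.append((level, hit.name, hit.action))
        if hit.action == "Deny":
            return False, trace
    return True, trace

# NSGs as described in question 1.
NSG1 = ()                                                  # default rules only
NSG2 = (Rule(100, "Rule1", "3389", "TCP", "*", "Allow"),)  # custom RDP allow

def scenarios():
    """Hypothetical placements (the VM table is not in the page text)."""
    return {
        # NIC carries NSG2, subnet has no NSG: Rule1 admits internet RDP.
        "nic_nsg2_only": inbound_allowed(None, NSG2, 3389, "TCP", "Internet"),
        # NIC carries NSG2 but its subnet carries NSG1: dropped at the subnet.
        "nsg1_then_nsg2": inbound_allowed(NSG1, NSG2, 3389, "TCP", "Internet"),
        # Only NSG1 on the subnet, source inside the VNet: default rule allows.
        "nsg1_from_vnet": inbound_allowed(NSG1, None, 3389, "TCP", "VirtualNetwork"),
    }

if __name__ == "__main__":
    for name, (allowed, trace) in scenarios().items():
        print(name, "ALLOW" if allowed else "DENY", trace)
```

The trace shows which NSG made the decision, which is the detail to check when reviewing a rule such as Rule1 whose source is Any on port 3389.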
  2. HOTSPOT

    You have a virtual network named VNET1 that contains the subnets shown in the following table:

    AZ-104 Part 09 Q02 160

    You have two Azure virtual machines that have the network configurations shown in the following table:

    AZ-104 Part 09 Q02 161

    For NSG1, you create the inbound security rule shown in the following table:

    AZ-104 Part 09 Q02 162

    For NSG2, you create the inbound security rule shown in the following table:

    AZ-104 Part 09 Q02 163

    For each of the following statements, select Yes if the statement is true. Otherwise, select No.

    NOTE: Each correct selection is worth one point.

    AZ-104 Part 09 Q02 164 Question
    AZ-104 Part 09 Q02 164 Answer

    Explanation:

    Box 1: Yes
    The inbound security rule for NSG1 allows TCP port 1433 from 10.10.2.0/24 (or Subnet2 where VM2 and VM3 are located) to 10.10.1.0/24 (or Subnet1 where VM1 is located) while the inbound security rule for NSG2 blocks TCP port 1433 from 10.10.2.5 (or VM2) to 10.10.1.5 (or VM1). However, the NSG1 rule has a higher priority (or lower value) than the NSG2 rule.

    Box 2: Yes
    No rule explicitly blocks communication from VM1. The default rules, which allow communication, are thus applied.

    Box 3: Yes
    No rule explicitly blocks communication between VM2 and VM3 which are both on Subnet2. The default rules, which allow communication, are thus applied.

  3. HOTSPOT

    You have an Azure subscription named Subscription1.

    Subscription1 contains the virtual machines in the following table:

    AZ-104 Part 09 Q03 165

    Subscription1 contains a virtual network named VNet1 that has the subnets in the following table:

    AZ-104 Part 09 Q03 166

    VM3 has multiple network adapters, including a network adapter named NIC3. IP forwarding is enabled on NIC3. Routing is enabled on VM3.

    You create a route table named RT1 that contains the routes in the following table:

    AZ-104 Part 09 Q03 167

    You apply RT1 to Subnet1 and Subnet2.

    For each of the following statements, select Yes if the statement is true. Otherwise, select No.

    NOTE: Each correct selection is worth one point.

    AZ-104 Part 09 Q03 168 Question
    AZ-104 Part 09 Q03 168 Answer

    Explanation:

    IP forwarding enables the virtual machine a network interface is attached to:

    – Receive network traffic not destined for one of the IP addresses assigned to any of the IP configurations assigned to the network interface.
    – Send network traffic with a different source IP address than the one assigned to one of a network interface’s IP configurations.

    The setting must be enabled for every network interface that is attached to the virtual machine that receives traffic that the virtual machine needs to forward. A virtual machine can forward traffic whether it has multiple network interfaces or a single network interface attached to it.

    Box 1: Yes
    The routing table allows connections from VM3 to VM1 and VM2. And as IP forwarding is enabled on VM3, VM3 can connect to VM1.

    Box 2: No
    VM3, which has IP forwarding, must be turned on, in order for VM2 to connect to VM1.

    Box 3: Yes
    The routing table allows connections from VM1 and VM2 to VM3. IP forwarding on VM3 allows VM1 to connect to VM2 via VM3.

  4. Your on-premises network contains an SMB share named Share1.

    You have an Azure subscription that contains the following resources:

    – A web app named webapp1
    – A virtual network named VNET1

    You need to ensure that webapp1 can connect to Share1.

    What should you deploy?

    • an Azure Application Gateway
    • an Azure Active Directory (Azure AD) Application Proxy
    • an Azure Virtual Network Gateway
    Explanation:
    A Site-to-Site VPN gateway connection can be used to connect your on-premises network to an Azure virtual network over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel.
    This type of connection requires a VPN device, a VPN gateway, located on-premises that has an externally facing public IP address assigned to it.

    Incorrect Answers:
    B: Application Proxy is a feature of Azure AD that enables users to access on-premises web applications from a remote client.

  5. You plan to deploy several Azure virtual machines that will run Windows Server 2019 in a virtual machine scale set by using an Azure Resource Manager template.

    You need to ensure that NGINX is available on all the virtual machines after they are deployed.

    What should you use?

    • the Publish-AzVMDscConfiguration cmdlet
    • Azure Application Insights
    • Azure Custom Script Extension
    • the New-AzConfigurationAssignement cmdlet
    Explanation:
    Note:
    There are several versions of this question in the exam. The question has two correct answers:
    1. a Desired State Configuration (DSC) extension
    2. Azure Custom Script Extension

    The question can have other incorrect answer options, including the following:
    – Deployment Center in Azure App Service
    – a Microsoft Intune device configuration profile

  6. HOTSPOT

    You have an Azure subscription named Sub1.

    You plan to deploy a multi-tiered application that will contain the tiers shown in the following table.

    AZ-104 Part 09 Q06 169

    You need to recommend a networking solution to meet the following requirements:

    – Ensure that communication between the web servers and the business logic tier spreads equally across the virtual machines.
    – Protect the web servers from SQL injection attacks.

    Which Azure resource should you recommend for each requirement? To answer, select the appropriate options in the answer area.

    NOTE: Each correct selection is worth one point.

    AZ-104 Part 09 Q06 170 Question

    Explanation:

    Box 1: an internal load balancer
    Azure Internal Load Balancer (ILB) provides network load balancing between virtual machines that reside inside a cloud service or a virtual network with a regional scope.

    Box 2: an application gateway that uses the WAF tier
    Azure Web Application Firewall (WAF) on Azure Application Gateway provides centralized protection of your web applications from common exploits and vulnerabilities. Web applications are increasingly targeted by malicious attacks that exploit commonly known vulnerabilities.

  7. Your company has three offices. The offices are located in Miami, Los Angeles, and New York. Each office contains a datacenter.

    You have an Azure subscription that contains resources in the East US and West US Azure regions. Each region contains a virtual network. The virtual networks are peered.

    You need to connect the datacenters to the subscription. The solution must minimize network latency between the datacenters.

    What should you create?

    • three Azure Application Gateways and one On-premises data gateway
    • three virtual hubs and one virtual WAN
    • three virtual WANs and one virtual hub
    • three On-premises data gateways and one Azure Application Gateway
  8. HOTSPOT

    You plan to deploy five virtual machines to a virtual network subnet.

    Each virtual machine will have a public IP address and a private IP address.

    Each virtual machine requires the same inbound and outbound security rules.

    What is the minimum number of network interfaces and network security groups that you require? To answer, select the appropriate options in the answer area.

    NOTE: Each correct selection is worth one point.

    AZ-104 Part 09 Q08 171 Question
    AZ-104 Part 09 Q08 171 Answer

    Explanation:

    Box 1: 5
    A public and a private IP address can be assigned to a single network interface.

    Box 2: 1
    You can associate zero, or one, network security group to each virtual network subnet and network interface in a virtual machine. The same network security group can be associated to as many subnets and network interfaces as you choose.

  9. You have an Azure subscription that contains the resources shown in the following table.

    AZ-104 Part 09 Q09 172

    LB1 is configured as shown in the following table.

    AZ-104 Part 09 Q09 173

    You plan to create new inbound NAT rules that meet the following requirements:

    – Provide Remote Desktop access to VM1 from the internet by using port 3389.
    – Provide Remote Desktop access to VM2 from the internet by using port 3389.

    What should you create on LB1 before you can create the new inbound NAT rules?

    • a frontend IP address
    • a load balancing rule
    • a health probe
    • a backend pool
  10. HOTSPOT

    You have Azure virtual machines that run Windows Server 2019 and are configured as shown in the following table.

    AZ-104 Part 09 Q10 174

    You create a private Azure DNS zone named adatum.com. You configure the adatum.com zone to allow auto registration from VNET1.

    Which A records will be added to the adatum.com zone for each virtual machine? To answer, select the appropriate options in the answer area.

    NOTE: Each correct selection is worth one point.

    AZ-104 Part 09 Q10 175 Question
    AZ-104 Part 09 Q10 175 Answer

    Explanation:

    The virtual machines are registered (added) to the private zone as A records pointing to their private IP addresses.

  11. HOTSPOT

    You have an Azure virtual network named VNet1 that connects to your on-premises network by using a site-to-site VPN. VNet1 contains one subnet named Subnet1.

    Subnet1 is associated to a network security group (NSG) named NSG1. Subnet1 contains a basic internal load balancer named ILB1. ILB1 has three Azure virtual machines in the backend pool.

    You need to collect data about the IP addresses that connect to ILB1. You must be able to run interactive queries from the Azure portal against the collected data.

    What should you do? To answer, select the appropriate options in the answer area.

    NOTE: Each correct selection is worth one point.

    AZ-104 Part 09 Q11 176 Question
    AZ-104 Part 09 Q11 176 Answer

    Explanation:

    Box 1: An Azure Log Analytics workspace
    In the Azure portal you can set up a Log Analytics workspace, which is a unique Log Analytics environment with its own data repository, data sources, and solutions.

    Box 2: ILB1

  12. You have the Azure virtual networks shown in the following table.

    AZ-104 Part 09 Q12 177

    To which virtual networks can you establish a peering connection from VNet1?

    • VNet2 and VNet3 only
    • VNet2 only
    • VNet3 and VNet4 only
    • VNet2, VNet3, and VNet4
    Explanation:

    Incorrect Answers:
    A, B, C: The address space for VNet2 overlaps with VNet1. We therefore cannot establish a peering between VNet2 and VNet1.

  13. You have an Azure subscription that contains a virtual network named VNet1. VNet1 contains four subnets named Gateway, Perimeter, NVA, and Production.

    The NVA subnet contains two network virtual appliances (NVAs) that will perform network traffic inspection between the Perimeter subnet and the Production subnet.

    You need to implement an Azure load balancer for the NVAs. The solution must meet the following requirements:

    – The NVAs must run in an active-active configuration that uses automatic failover.
    – The load balancer must load balance traffic to two services on the Production subnet. The services have different IP addresses.

    Which three actions should you perform? Each correct answer presents part of the solution.

    NOTE: Each correct selection is worth one point.

    • Deploy a basic load balancer
    • Deploy a standard load balancer
    • Add two load balancing rules that have HA Ports and Floating IP enabled
    • Add two load balancing rules that have HA Ports enabled and Floating IP disabled
    • Add a frontend IP configuration, a backend pool, and a health probe
    • Add a frontend IP configuration, two backend pools, and a health probe
    Explanation:
    A standard load balancer is required for the HA ports.
    Two backend pools are needed as there are two services with different IP addresses.
    Floating IP rule is used where backend ports are reused.

    Incorrect Answers:
    E: HA Ports are not available for the basic load balancer.

  14. You have an Azure subscription named Subscription1 that contains two Azure virtual networks named VNet1 and VNet2. VNet1 contains a VPN gateway named VPNGW1 that uses static routing. There is a site-to-site VPN connection between your on-premises network and VNet1.

    On a computer named Client1 that runs Windows 10, you configure a point-to-site VPN connection to VNet1.

    You configure virtual network peering between VNet1 and VNet2. You verify that you can connect to VNet2 from the on-premises network. Client1 is unable to connect to VNet2.

    You need to ensure that you can connect Client1 to VNet2.

    What should you do?

    • Download and re-install the VPN client configuration package on Client1.
    • Select Allow gateway transit on VNet1.
    • Select Allow gateway transit on VNet2.
    • Enable BGP on VPNGW1.
  15. HOTSPOT

    You have an Azure subscription. The subscription contains virtual machines that run Windows Server 2016 and are configured as shown in the following table.

    AZ-104 Part 09 Q15 178

    You create a public Azure DNS zone named adatum.com and a private Azure DNS zone named contoso.com.

    You create a virtual network link for contoso.com as shown in the following exhibit.

    AZ-104 Part 09 Q15 179

    For each of the following statements, select Yes if the statement is true. Otherwise, select No.

    NOTE: Each correct selection is worth one point.

    AZ-104 Part 09 Q15 180 Question

    AZ-104 Part 09 Q15 180 Answer
  16. You have an Azure subscription that contains the resources in the following table.

    AZ-104 Part 09 Q16 181

    To which subnets can you apply NSG1?

    • the subnets on VNet1 only
    • the subnets on VNet2 and VNet3 only
    • the subnets on VNet2 only
    • the subnets on VNet3 only
    • the subnets on VNet1, VNet2, and VNet3
    Explanation:

    All Azure resources are created in an Azure region and subscription. A resource can only be created in a virtual network that exists in the same region and subscription as the resource.

  17. DRAG DROP

    You have an Azure subscription that contains two virtual networks named VNet1 and VNet2. Virtual machines connect to the virtual networks.

    The virtual networks have the address spaces and the subnets configured as shown in the following table.

    AZ-104 Part 09 Q17 182

    You need to add the address space of 10.33.0.0/16 to VNet1. The solution must ensure that the hosts on VNet1 and VNet2 can communicate.

    Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

    AZ-104 Part 09 Q17 183 Question
    AZ-104 Part 09 Q17 183 Answer

    Explanation:

    Step 1: Remove peering between VNet1 and VNet2.
    You can’t add address ranges to, or delete address ranges from a virtual network’s address space once a virtual network is peered with another virtual network. To add or remove address ranges, delete the peering, add or remove the address ranges, then re-create the peering.

    Step 2: Add the 10.44.0.0/16 address space to VNet1.

    Step 3: Recreate peering between VNet1 and VNet2.

  18. HOTSPOT

    You have an Azure subscription that contains the resource groups shown in the following table.

    AZ-104 Part 09 Q18 184

    RG1 contains the resources shown in the following table.

    AZ-104 Part 09 Q18 185

    VM1 is running and connects to NIC1 and Disk1. NIC1 connects to VNET1.

    RG2 contains a public IP address named IP2 that is in the East US location. IP2 is not assigned to a virtual machine.

    For each of the following statements, select Yes if the statement is true. Otherwise, select No.

    NOTE: Each correct selection is worth one point.

    AZ-104 Part 09 Q18 186 Question
    AZ-104 Part 09 Q18 186 Answer

    Explanation:

    Box 1: Yes
    You can move storage

    Box 2: No
    You can’t move a NIC that is attached to a virtual machine to a new resource group.

    Box 3: No
    Azure Public IPs are region specific and can’t be moved from one region to another.

  19. You have an Azure web app named webapp1.

    You have a virtual network named VNET1 and an Azure virtual machine named VM1 that hosts a MySQL database. VM1 connects to VNET1.

    You need to ensure that webapp1 can access the data hosted on VM1.

    What should you do?

    • Deploy an internal load balancer
    • Peer VNET1 to another virtual network
    • Connect webapp1 to VNET1
    • Deploy an Azure Application Gateway
  20. You create an Azure VM named VM1 that runs Windows Server 2019. VM1 is configured as shown in the exhibit. (Click the Exhibit tab.)

    AZ-104 Part 09 Q20 187

    You need to enable Desired State Configuration for VM1.

    What should you do first?

    • Connect to VM1.
    • Start VM1.
    • Capture a snapshot of VM1.
    • Configure a DNS name for VM1.
    Explanation:
    Status is Stopped (Deallocated).
    The DSC extension for Windows requires that the target virtual machine is able to communicate with Azure.
    The VM needs to be started.