Practice Free AZ-104 Exam Online Questions
You deploy Azure virtual machines to three Azure regions.
Each region contains a virtual network. Each virtual network contains multiple subnets peered in a full mesh topology.
Each subnet contains a network security group (NSG) that has defined rules.
A user reports that he cannot use port 33000 to connect from a virtual machine in one region to a virtual machine in another region.
Which two options can you use to diagnose the issue? Each correct answer presents a complete solution. NOTE: Each correct selection is worth one point.
- A . Azure Virtual Network Manager
- B . IP flow verify
- C . Azure Monitor Network Insights
- D . Connection troubleshoot
- E . Effective security rules
B,D
Explanation:
https://learn.microsoft.com/en-us/azure/network-watcher/network-watcher-ip-flow-verify-overview
IP flow verify checks if a packet is allowed or denied to or from a virtual machine. The information consists of direction, protocol, local IP, remote IP, local port, and a remote port. If the packet is denied by a security group, the name of the rule that denied the packet is returned. While any source or destination IP can be chosen, IP flow verify helps administrators quickly diagnose connectivity issues from or to the internet and from or to the on-premises environment.
HOTSPOT
You have a virtual network named VNET1 that contains the subnets shown in the following table.
You have Azure virtual machines that have the network configurations shown in the following table.
For NSG2, you create the inbound security rule shown in the following table.
For NSG2, you create the inbound security rule shown in the following table.
For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.

HOTSPOT
You plan to use Azure Network Watcher to perform the following tasks:
Task1: Identify a security rule that prevents a network packet from reaching an Azure virtual machine
Task2: Validate outbound connectivity from an Azure virtual machine to an external host
Which feature should you use for each task? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Explanation:
Box 1: IP flow verify
At some point, a VM may become unable to communicate with other resources, because of a security rule. The IP flow verify capability enables you to specify a source and destination IPv4 address, port, protocol (TCP or UDP), and traffic direction (inbound or outbound). IP flow verify then tests the communication and informs you if the connection succeeds or fails. If the connection fails, IP flow verify tells you which.
Box 2: Connection troubleshoot
Diagnose outbound connections from a VM: The connection troubleshoot capability enables you to test a connection between a VM and another VM, an FQDN, a URI, or an IPv4 address. The test returns information similar to that returned by the connection monitor capability, but it tests the connection at a point in time rather than monitoring it over time, as connection monitor does. Learn more about how to troubleshoot connections using connection-troubleshoot.
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription that contains 10 virtual networks. The virtual networks are hosted in separate resource groups.
Another administrator plans to create several network security groups (NSGs) in the subscription. You need to ensure that when an NSG is created, it automatically blocks TCP port 8080 between the virtual networks.
Solution: You assign a built-in policy definition to the subscription.
Does this meet the goal?
- A . Yes
- B . No
B
Explanation:
No, this does not meet the goal. Assigning a built-in policy definition to the subscription is not enough to ensure that when an NSG is created, it automatically blocks TCP port 8080 between the virtual networks. This is because there is no built-in policy definition that matches this requirement. The closest built-in policy definition is “Network security groups should not allow unrestricted inbound traffic on well-known ports”, but this policy only blocks TCP port 80 and 443, not 8080.
To meet the goal, you need to create a custom policy definition that enforces a default security rule for NSGs. A policy definition is a set of rules and actions that Azure performs when evaluating your resources. You can use a policy definition to specify the required properties and values for NSGs, such as the direction, protocol, source, destination, and port of the security rule. You can then assign the policy definition to the subscription scope, so that it applies to all the resource groups and virtual networks in the subscription.
HOTSPOT
You have an Azure subscription that contains a storage account named contoso2023. The contoso2023 storage account contains the resources shown in the following table.
The contoso2023 storage account is configured as shown in the following exhibit.
You have a Microsoft Entra tenant that contains the users shown in the following table.
For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.

HOTSPOT
You have an Azure subscription that contains a storage account named storage1. The storage1 account contains a container named container1. You create a blob lifecycle rule named rule1.
You need to configure rule1 to automatically move blobs that were NOT updated for 45 days from container1 to the Cool access tier.
How should you complete the rule? To answer, select the appropriate options in the answer area. NOTE: Each correct answer is worth one point.

DRAG DROP
You have an Azure subscription that contains a storage account.
You have an on-premises server named Server1 that runs Windows Server 2016. Server1 has 2 TB of data.
You need to transfer the data to the storage account by using the Azure Import/Export service.
In which order should you perform the actions? To answer, move all actions from the list of actions to the answer area and arrange them in the correct order. NOTE: More than one order of answer choices is correct. You will receive credit for any of the correct orders you select.

Explanation:
At a high level, an import job involves the following steps:
Step 1: Attach an external disk to Server1 and then run waimportexport.exe
Determine data to be imported, number of drives you need, destination blob location for your data in Azure storage.
Use the WAImportExport tool to copy data to disk drives. Encrypt the disk drives with BitLocker.
Step 2: From the Azure portal, create an import job.
Create an import job in your target storage account in Azure portal. Upload the drive journal files.
Step 3: Detach the external disks from Server1 and ship the disks to an Azure data center.
Provide the return address and carrier account number for shipping the drives back to you.
Ship the disk drives to the shipping address provided during job creation.
Step 4: From the Azure portal, update the import job
Update the delivery tracking number in the import job details and submit the import job.
The drives are received and processed at the Azure data center.
The drives are shipped using your carrier account to the return address provided in the import job.
Reference: https://docs.microsoft.com/en-us/azure/storage/common/storage-import-export-service
You have an Azure virtual machine named VM1. VM1 was deployed by using a custom Azure Resource Manager template named ARM1.json.
You receive a notification that VM1 will be affected by maintenance.
You need to move VM1 to a different host immediately.
Solution: From the VM1 Redeploy + reapply blade, you select Redeploy.
Does this meet the goal?
- A . Yes
- B . No
HOTSPOT
You have an Azure subscription that contains a user named User1 and the resources shown in the following table.
NSG1 is associated to networkinterface1.
User1 has role assignments for NSG1 as shown in the following table.
For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.

You have a Microsoft 365 tenant and an Azure Active Directory (Azure AD) tenant named contoso.com.
You plan to grant three users named User1, User2, and User3 access to a temporary Microsoft SharePoint document library named Library1.
You need to create groups for the users. The solution must ensure that the groups are deleted automatically after 180 days.
Which two groups should you create? Each correct answer presents a complete solution. NOTE: Each correct selection is worth one point.
- A . a Security group that uses the Assigned membership type
- B . an Office 365 group that uses the Assigned membership type
- C . an Office 365 group that uses the Dynamic User membership type
- D . a Security group that uses the Dynamic User membership type
- E . a Security group that uses the Dynamic Device membership type
B,C
Explanation:
You can set expiration policy only for Office 365 groups in Azure Active Directory (Azure AD).
Note: With the increase in usage of Office 365 Groups, administrators and users need a way to clean up unused groups. Expiration policies can help remove inactive groups from the system and make things cleaner.
When a group expires, all of its associated services (the mailbox, Planner, SharePoint site, etc.) are also deleted.
You can set up a rule for dynamic membership on security groups or Office 365 groups.