Microsoft Certifications AZ-104 Questions & Answers
Question 451:
You have a public load balancer that balances ports 80 and 443 across three virtual machines.
You need to direct all the Remote Desktop Protocol (RDP) connections to VM3 only.
What should you configure?
A. a load balancing rule
B. a new public load balancer for VM3
C. an inbound NAT rule
D. a frontend IP configuration
Correct Answer: C
To port forward traffic to a specific port on specific VMs, use an inbound network address translation (NAT) rule.
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-overview
an inbound NAT rule :
Create a load balancer inbound network address translation (NAT) rule to forward traffic from a specific port of the front-end IP address to a specific port of a back-end VM.
Hence this option is correct.
a load balancing rule : Incorrect Choice
A load balancer rule defines how traffic is distributed to the VMs. The rule defines the front-end IP configuration for incoming traffic, the back-end IP pool to receive the traffic, and the required source and destination ports.
a new public load balancer for VM3 : Incorrect Choice
This option will not help you since this will route all traffic to VM3 only.
a frontend IP configuration : Incorrect Choice
When you define an Azure Load Balancer, a frontend and a backend pool configuration are connected with rules. The health probe referenced by the rule is used to determine how new flows are sent to a node in the backend pool. The frontend (aka VIP) is defined by a 3-tuple comprised of an IP address (public or internal), a transport protocol (UDP or TCP), and a port number from the load balancing rule. The backend pool is a collection of Virtual Machine IP configurations (part of the NIC resource) which reference the Load Balancer backend pool.
You have two subscriptions named Subscription1 and Subscription2. Each subscription is associated to a different Azure AD tenant.
Subscription1 contains a virtual network named VNet1. VNet1 contains an Azure virtual machine named VM1 and has an IP address space of 10.0.0.0/16.
Subscription2 contains a virtual network named VNet2. VNet2 contains an Azure virtual machine named VM2 and has an IP address space of 10.10.0.0/24.
You need to connect VNet1 to VNet2.
What should you do first?
A. Move VNet1 to Subscription2.
B. Modify the IP address space of VNet2.
C. Provision virtual network gateways.
D. Move VM1 to Subscription2.
Correct Answer: C
There is no overlap between the VNets:
VNet1: 10.0.0.0/16 - CIDR IP range 10.0.0.0 - 10.0.255.255
VNet2: 10.10.0.0/24 - CIDR IP range 10.10.0.0 - 10.10.0.255
Note: If a virtual network has address ranges that overlap with another virtual network or on-premises network, the two networks can't be connected.
You can connect virtual networks (VNets) by using the VNet-to-VNet connection type. Virtual networks can be in different regions and from different subscriptions. When you connect VNets from different subscriptions, the subscriptions don't need to be associated with the same Active Directory tenant.
You have an Azure subscription named Subscription1 that contains an Azure virtual network named VNet1. VNet1 connects to your on-premises network by using Azure ExpressRoute.
You plan to prepare the environment for automatic failover in case of ExpressRoute failure.
You need to connect VNet1 to the on-premises network by using a site-to-site VPN. The solution must minimize cost.
Which three actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. Create a local site VPN gateway.
B. Create a VPN gateway that uses the VpnGw1 SKU.
C. Create a VPN gateway that uses the Basic SKU.
D. Create a gateway subnet.
E. Create a connection.
Correct Answer: ABE
Create a Connection: You need to link the ExpressRoute gateway to the ExpressRoute circuit. After this step has been completed, the connection between your on-premises network and Azure through ExpressRoute will be established. Hence this is a correct option.
Create a local site VPN gateway: This will allow you to provide the local gateway settings, for example public IP and the on-premises address space, so that the Azure VPN gateway can connect to it. Hence this is a correct option.
Create a VPN gateway that uses the VpnGw1 SKU: The GatewaySku is only supported for VpnGw1, VpnGw2, VpnGw3, Standard, and HighPerformance VPN gateways. ExpressRoute-VPN Gateway coexist configurations are not supported on the Basic SKU. The VpnType must be RouteBased. Hence this is a correct option.
You have an Azure subscription that contains a storage account named storage1. The storage1 account contains a container named container1.
You create a blob lifecycle rule named rule1.
You need to configure rule1 to automatically move blobs that were NOT updated for 45 days from container1 to the Cool access tier.
How should you complete the rule? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Box 1: daysAfterModificationGreaterThan
Box 2: Blockblob
Use a block blob.
Example: The following sample JSON defines a lifecycle policy that moves a block blob whose name begins with log to the cool tier if it has been more than 30 days since the blob was modified.
You have an Azure subscription that contains the storage account shown in the following exhibit.
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Box 1: 3
You can set a maximum of five access policies on a container, table, queue, or share at a time. Each SignedIdentifier field, with its unique Id field, corresponds to one access policy. Trying to set more than five access policies at one time causes the service to return status code 400 (Bad Request).
Box 2: 1
We see one unlocked Time-based retention container scoped immutable blob storage policy.
Container-level scope
When support for version-level immutability policies has not been enabled for a storage account or a container, then any immutability policies are scoped to the container. A container supports one immutability policy and one legal hold.
Policies apply to all objects within the container.
You have an Azure subscription that contains the storage accounts shown in the following table.
You need to identify which storage accounts support lifecycle management, and which storage accounts support moving data to the Archive access tier.
Which storage accounts should you use? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Box 1: storage1, storage2, and storage3
Azure Storage lifecycle management offers a rule-based policy that you can use to transition blob data to the appropriate access tiers or to expire data at the end of the data lifecycle.
Lifecycle management policies are supported for block blobs and append blobs in general-purpose v2, premium block blob, and Blob Storage accounts.
Box 2: storage2
The Archive tier for Blob Storage is currently supported for LRS, GRS, and RA-GRS accounts.
Incorrect:
* not storage1, not storage3
The Archive tier for Blob Storage isn't currently supported for ZRS, GZRS, or RA-GZRS accounts.
The first command gets a network interface named NetworkInterface1 that exists within resource group ResourceGroup1. The second command adds DNS server 192.168.1.100 to this interface. The third command applies these changes to the network interface. To remove a DNS server, follow the commands listed above, but replace ".Add" with ".Remove" in the second command.
Box 3: Yes
User1 is a Contributor of NSG1. Networkinterface1 is in NSG1.
Contributor - Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries.
Actions include:
* Create and manage resources of all types
Note: You can use an Azure network security group to filter network traffic between Azure resources in an Azure virtual network. A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources. For each rule, you can specify source and destination, port, and protocol.
You have an Azure subscription that contains a user named User1 and a storage account named storage1. The storage1 account contains the resources shown in the following table.
User1 is assigned the following roles for storage1:
1. Storage Blob Data Reader
2. Storage Table Data Contributor
3. Storage File Data SMB Share Contributor
For storage1, you create a shared access signature (SAS) named SAS1 that has the settings shown in the following exhibit. (Click the Exhibit tab.)
To which resources can User1 write by using SAS1 and key1? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Box 1: folder1 and Table1 only
With key1.
User1 is assigned the following roles for storage1: Storage Blob Data Reader, Storage Table Data Contributor, and Storage File Data SMB Share Contributor.
* Storage Table Data Contributor: Allows for read, write and delete access to Azure Storage tables and entities. Can write to Table1.
* Storage File Data SMB Share Contributor: Allows for read, write, and delete access on files and directories in Azure file shares. Can write to folder1.
Box 2: Table1 and container1 only
With SAS1.
For key1 we see:
Allowed services: Table only. Not File, so not folder1.
A shared access signature is a signed URI that points to one or more storage resources. The URI includes a token that contains a special set of query parameters. The token indicates how the resources may be accessed by the client. One of the query parameters, the signature, is constructed from the SAS parameters and signed with the key that was used to create the SAS. This signature is used by Azure Storage to authorize access to the storage resource.
You have an Azure AD user named User1 and a read-access geo-redundant storage (RA-GRS) account named contoso2023.
You need to meet the following requirements:
User1 must be able to write blob data to contoso2023.
The contoso2023 account must fail over to its secondary endpoint.
Which two settings should you configure? To answer, select the appropriate settings in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Explanation:
Box 1: Access control (IAM)
User1 must be able to write blob data to contoso2023.
Assign an Azure role for access to blob data (see step 4 below):
1. Sign in to the Azure portal.
2. In the Search box at the top, search for the scope you want to grant access to. For example, search for Management groups, Subscriptions, Resource groups, or a specific resource.
3. Click the specific resource for that scope. (Steps 1-3 already done)
4. Click Access control (IAM). The following shows an example of the Access control (IAM) page for a resource group.
5. Click the Role assignments tab to view the role assignments at this scope.
6. Click Add > Add role assignment.
7. Select the appropriate Role.
Note: Azure Storage supports using Azure Active Directory (Azure AD) to authorize requests to blob data. With Azure AD, you can use Azure role-based access control (Azure RBAC) to grant permissions to a security principal, which may be a user, group, or application service principal. The security principal is authenticated by Azure AD to return an OAuth 2.0 token. The token can then be used to authorize a request against the Blob service.
Box 2: Geo-replication
The contoso2023 account must fail over to its secondary endpoint.
To initiate an account failover from the Azure portal, follow these steps (See step 3 below):
Navigate to your storage account.
Under Settings, select Geo-replication. The following image shows the geo-replication and failover status of a storage account.
Verify that your storage account is configured for geo-redundant storage (GRS) or read-access geo-redundant storage (RA-GRS). If it's not, then select Configuration under Settings to update your account to be geo-redundant.