AZ-104 Practice test with complete solutions

Document Content and Description Below

Q1. Your company is planning to use Azure Container Instances to deploy simple cloud applications. You are tasked with determining if multi-container groups hosting multiple container instances meet y... our solution requirements. You need to identify features and requirements for multi-container groups with each group hosting an application container, a logging container, and a monitoring container. For each of the following statements, select Yes if the statement is true. Otherwise, select No. Statement: 1-Multi-container groups support Linux containers only. 2-You can deploy a multi-container group from a Resource Manager template or a YAML file. 3-Container groups can scale up as necessary to create additional container instances as necessary. - ANSWER Answer: 1-Yes. 2-Yes. 3-No. Explanation: 1-Yes. Multi-container groups support Linux containers only. This is a current restriction for multi-container groups. Windows Containers are limited to Azure Container Instances that support deployment of a single container instance only. 2-Yes. You can deploy a multi-container group from a Resource Manager template or a YAML file. It is recommended that you use a Resource Manager template when you need to deploy additional Azure resources when deploying container instances, and this is the preferred method for deploying multi-container groups. 3-No. Container groups and container instances do not support scaling. If additional container groups or container instances are needed, they must be explicitly created. Q2. You create a FileStorage premium storage account and create a premium tier Azure file share. You plan to mount the file share directly on-premises using the Service Message Block (SMB) 3.0 protocol. You need to ensure that your network is configured to support mounting an Azure file share on-premises. You want to minimize the administrator effort necessary to accomplish this. What should you do? A-Create an ExpressRoute circuit. B-Install and configure Azure File Sync. C-Configure TCP port 445 as open in your on-premises internet firewall. D-Configure TCP port 443 as open in your on-premises internet firewall. - ANSWER Answer: C Explanation: You should configure TCP port 445 as open in your on-premises internet firewall. This is the only requirement for mounting an Azure file share as an on-premises SMB file share on your on-premises network. You should not configure TCP port 443 as open in your on-premises internet firewall. This would be a requirement if you were configuring Azure File Sync and not using ExpressRoute. You should not install and configure Azure File Sync. This is not a requirement for mounting a file share on-premises. You would use Azure File Sync if you wanted to cache several Azure file shares on-premises or in cloud VMs. You should not create an ExpressRoute circuit. An ExpressRoute circuit provides a private connection between your on-premises network and the Microsoft cloud. By using ExpressRoute you do not need to configure the on-premises firewall, but this solution requires more administrative effort to implement and maintain. Q3. You deploy a line of business (LOB) application. All resources that are part of the LOB application are deployed in a single resource group. The resources were added in different phases. You need to export the current configuration of the LOB application resources to an Azure Resource Manager (ARM) template. You will later use this template for deploying the LOB application infrastructure in different environments for testing or development purposes. For each of the following statements, select Yes if the statement is true. Otherwise, select No. Statement: 1-You need to export the ARM template from the latest deployment. 2-Each deployment contains only the resources that have been added in that deployment. 3-The parameters file contains the values used during the deployment. 4-The template contains the needed scripts for deploying the template. - ANSWER Answer: 1-No. 2-Yes. 3-Yes. 4-No. Explanation 1-No. You do not need to export the ARM template from the latest deployment. In this scenario, the LOB application was deployed in several phases. The latest deployment will export only the latest resources added to the application. If you want to export the ARM template with all the needed resources for the LOB application, you need to export the ARM template from the resource group. 2-Yes. Each deployment contains only the resources that have been added in that deployment. When you export an ARM template from a deployment, the template only contains the resources created during that deployment. 3-Yes. The parameters file contains the values used during the deployment. The parameters file is a JSON file that stores all the parameters used in the ARM template. You can use this file to reuse the template in different deployments, just changing the values of the parameters file. If you use this file in templates created from resource groups, you need to make significant edits to the template before you can effectively use the parameters file. 4-No. The template does not contain the needed scripts for deploying the template. When you download an ARM template from a deployment or a resource group, the downloaded package contains only the ARM template and the parameters file. You can reference Azure CLI scripts or a PowerShell script in the Azure docs linked in the export template pane. Q4. You use taxonomic tags to logically organize resources and to make billing reporting easier. You use Azure PowerShell to append an additional tag on a storage account named corpstorage99. The code is as follows: $r = Get-AzResource --ResourceName "corpstorage99" --ResourceGroupName "prod-rg" Set-AzResource --Tag --Resourceld $r.ResourceId --Force The code returns unexpected results. You need to append the additional tag as quickly as possible. What should you do? A-Refactor the code by using the Azure Command-Line Interface (CLI). B-Deploy the tag by using an Azure Resource Manager template. C-Edit the script to call the Add() method after getting the resource to append the new tag. D-Assign the Enforce tag and its value Azure Policy to the resource group. - ANSWER Answer: C Explanation: You should edit the script to call the Add() method after getting the resource to append the new tag as shown in the second line of this refactored Azure PowerShell code: $r = Get-AzResource --ResourceName "corpstorage99" --ResourceGroupName "prod-rg" $r.Tags.Add ( " Dept " , "IT") Set-AzResource --Tag $r.Tags --ResourceId $r.Resourceld --Force Unless you call the Add() method, the Set-AzResource cmdlet will overwrite any existing taxonomic tags on the resource. The Add() method preserves existing tags and includes one or more tags to the resource tag list. You should not deploy the tag by using an Azure Resource Manager template. Doing so is unnecessary in this case because the Azure PowerShell is mostly complete as-is. Furthermore, you must find the solution as quickly as possible. You should not assign the Enforce tag and its value Azure Policy to the resource group. Azure Policy is a governance feature that helps businesses enforce compliance in resource creation. In this case, the solution involves too much administrative overhead to be a viable option. Moreover, the scenario makes no mention of the need for governance policy in specific terms. You should not refactor the code by using the Azure Command-Line Interface (CLI). Either Azure PowerShell or Azure CLI can be used to institute this solution. It makes no sense to change the development language given since you have already completed most of the code in PowerShell. Q5. You manage an ASP.Net Core application that runs in an Azure App Service named app1. The app connects to a storage account named storage1 that uses an access key stored in an app setting. Both app1 and storage1 are provisioned in a resource group named rg1. For security reasons, you need to regenerate the storage1 access keys without interrupting the connection with app1. How should you complete the command? To answer, select the appropriate options from the drop-down menus. Key=$(az az storage account keys list -resource-group rg1 -account-name storage1 (1) ) az webapp config appsettings set -resource-group rg1 -name app1 -settings STORAGE_ACCOUNT_KEY=$key az storage account keys renew -resource-group rg1 -account-name storage1 -account-name storage1 (2) Key=$(az az storage account keys list -resource-group rg1 -account-name storage1 (3) ) az webapp config appsettings set -resource-group rg1 -name app1 -settings STORAGE_ACCOUNT_KEY=$key az storage account keys renew --resource-group rg1 -account-name storage1 -account-name storage1 (4) Choose the correct options for (1) (2) (3) (4): A--key primary B--key secondary C--query[0].value D--query[1].value - ANSWER Answer: (1) D (2) A (3) C (4) B Explanation: To retrieve the primary key, use -query[0].value. To retrieve the secondary key, use -query[1].value To generate key, use -key primary or -key secondary Q6. You have a virtual machine (VM) named VM1 in the West Europe region. VM1 has a network interface named NIC1. NIC1 is attached to a VNet named VNet1. VM1 has one managed disk (OS disk). You need to move VM1 to VNet2. VNet2 is located in the West Europe region. Which two actions should you perform? Each correct answer presents part of the solution. A-Delete VM1. B-Create VNet peering between VNet1 and VNet2. C-Create a new VM using the existing disk from VM1. D-Deallocate VM1. - ANSWER Answer: A, C Explanation: You should delete VMI. This is necessary because the VNet of a VM cannot be changed. When deleting the VM, the associated disk will not be deleted. You should then create a new VM using the existing disk from VMI. You should use the same settings, but the VM should be connected to VNet2. You should not deallocate VMI. This will shut down the VM and release the compute resources. The VM should be deleted. Redeploy the VM into the virtual network. The easiest way to redeploy is to delete the VM, but not any disks attached to it, and then re-create the VM using the original disks in the virtual network. Virtual networks and virtual machines in Azure | Microsoft Docs Q7. Your on-premises datacenter has a mixture of servers running Windows Server 2012 R2 Datacenter edition and Windows Server 2016 Datacenter edition. You need to configure Azure Sync Service between the Azure Files service and the servers in the datacenter. Which two activities must you complete to ensure that the service will operate successfully on your servers? Each correct answer presents part of the solution. A-Ensure that the PowerShell version deployed to the servers is at minimum version 5.1. B-Ensure that Active Directory Federation Services (ADFS) is deployed to all servers. C-Disable Internet Explorer Enhanced Security for Admins and Users. D-Ensure that for fileserver clusters, Azure Active Directory Connect is deployed to at least one server in the cluster. E-Disable Internet Explorer Enhanced Security for Admins only. - ANSWER Answer: A, C Explanation: To enable Azure File Sync, you must disable Internet Explorer Enhanced Security for all admin and user accounts. Azure File Sync requires a minimum PowerShell version of 5.1. Windows Server 2016 supports that as the minimum default version, but it may have to be installed on Windows Server 2012 R2 servers. Active Directory Federation Services (ADFS) and Azure Active directory connect do not need to be installed on the file servers in the environment. Azure Active Directory Connect is used to synchronize on-premises identities to Azure Active Directory (Azure AD) and so is needed in the overall environment, but not on the file servers. Q8. You are configuring storage for an Azure Kubernetes Service (AKS) cluster. You want to create a custom StorageClass. You use the kubectl command to apply the following YAML file: kind: StorageC1ass apiVersion: storage. k8s.io/v1 metadata: name: managed-disk-forapp provisioner: kubernetes.io/azure-disk reclaimPolicy: Retain parameters: storageaccounttype: Default kind: Managed You need to determine the impact of using this storage class when configuring persistent volumes. For each of the following statements, select Yes if the statement is true. Otherwise, select No Statement: 1-Managed disks use Azure Premium storage. 2-When the pod claiming a disk is deleted, the underlying Azure Disk is maintained. 3-A configured Managed Disk can be shared by multiple pods. - ANSWER Answer: 1-No. 2-Yes. 3-No. Explanation: 1-No. Managed disks configured using this storage group use Standard storage rather than Premium storage. This is specified by the storageaccounttype parameter. For Premium storage, this line would read: storageaccounttype: Premium LRS 2-Yes. When the pod claiming a disk is deleted, the underlying Azure Disk is maintained, retaining its data, and it can be reused. This is because the reclaimPolicy is specified as Retain. 3-No. A configured Managed Disk cannot be shared by multiple pods. Azure Disk storage cannot be shared between multiple pods or nodes. You must use Azure Files to support shared data access instead. Q9. You administer an Azure environment at Company1. You are requested to restrict access for the administrator Admin1 to a portion of Azure Active Directory (Azure AD). You create the administrative unit AdminUnit1 and configure it as shown in the exhibits Administrative unit users, Administrative unit groups, and Administrative unit admin. The configuration of the security group Group1 is shown in the exhibit Security group. You need to identify the Azure AD objects that can be administered by Admin1. Which Azure AD objects should you identify? Exhibit: User Administrator "Admin1" is assigned to be responsible for the scope Administrative unit "AdminUnit1". Security Group "Group1" has 3 direct members: User1, User2, User3 Administrative unit "AdminUnit1" has user User1, User2 added directly. Administrative unit "AdminUnit1" has group Group1 added directly. A-User 1, and User2 only B-User 1, User2, and Group1 only C-Group1 only D-User 1, User2, and User3 only - ANSWER Answer: B Explanation: Admin1 can administer User1, User2, and Group1 only. With Azure administrative units, you can restrict access to any portion of Azure AD. In this way, it is possible to restrict Admin1's administrative access to the user and group objects that Admin1 is responsible for. Administrative units can only contain users and groups. Adding a security group to an administrative unit does not allow the administrative unit administrator to manage properties for individual members of that group. To allow the administrative unit administrator to manage individual members of the group, each group member must be added directly as a user to the administrative unit. In this scenario, Group1 and its members User1 and User2 are added directly to AdminUnit1. Therefore, only these Azure AD objects can be administered by Admin1. Admin1 cannot administer User1, User2, and User3 only. Although Admin1 can modify properties of User1 and User2, User3 is out of the administrative scope of AdminUnit1 and, as such, out of the administrative scope of Admin1. To allow Admin1 to modify User3, this user must be added directly as a user of the AdminUnit1. Admin1 cannot administer Group1 only. Although properties of Group1 can be modified by Admin1, it is not the only Azure AD object that can be modified by Admin1 in this scenario. Admin1 cannot administer User1 and User2 only. Although the properties of User1 and User2 can be modified by Admin1, they are not the only Azure AD objects that can be modified by Admin1 in this scenario. Q10. You need to create an Azure Availability Set in Central US named AS1. You are planning to deploy eight virtual machines (VMs) to AS1 to run an IIS web application. You need to configure AS1. You have the following requirements: • During planned maintenance of the VM hosts, at least six VMs must be available at all time. The VMs must be restarted in groups of two. • The VMS must be physically separated from each other as much as possible. How should you configure the Availability Set? To answer, select the appropriate options from the drop-down menus. Fault domains: ? Update domains: ? - ANSWER Answer: Fault domains: 3, Update domains: 4 Explanation: You should set fault domains to 3. This is the maximum number of fault domains in the Central US region. VMs in the same fault domain share hardware like power sources and physical network switches. VMs in a different fault domain are physically separated. By setting the fault domains to the maximum value, the VMS are physically separated as much as possible. You should set update domains to 4. The VMs will be divided among these four update domains, so each update domain will contain two VMs. Azure performs planned maintenance of the hypervisors for one update domain at a time. In this case, two VMs will be restarted at the same time. Q11. Your company plans to release a new web application. This application is deployed by using an App Service in Azure and will be available to users of the company1.com domain. You have already purchased the company1.com domain name. You configure the company1.com Azure DNS zone and delegate it to Azure DNS. You need to ensure that web application can be accessed by using the company1.com domain name. You decide to use PowerShell to accomplish this task. How should you complete the command? To answer, select the appropriate options from the drop-down menus. New-AzDnsRecordSet -Name (1) -RecordType (2) ` -ZoneName "company1.com" -ResourceGroupName "APP-RG" -Ttl 600 ` -DnsRecords (New-AzDnsRecordConfig -IPv4Address "<IP address>") New-AzDnsRecordSet -ZoneName company1.com -ResourceGroupName APP-RG ` -Name (3) -RecordType (4) -Ttl 600 ` -DnsRecords (New-AzDnsRecordConfig -Value "applicationcs.azurewebsites.net") Choose the correct options: (1) A-"company1.com", B-"www.company1.com", C-"@" (2) A-"A", B-"AAAA", C-"CNAME", D-"TXT" (3) A-"company1.com", B-"www.company1.com", C-"@" (4) A-"A", B-"AAAA", C-"CNAME", D-"TXT" - ANSWER Answer: (1) C-"@" (2) A-"A" (3) C-"@" (4) D-"TXT" Explanation: You need to create an A record that points to the IP address of the App Service that hosts the web application. Because you need your application to be accessed by using the company1.com domain name, you need to use the special name that represents the root of the domain. You need to use an A record type because the public IP address of the App Service is an IPv4 address. You need to create an additional TXT record that points to applicationscs.azurewebsites.net. This record is needed by the App Service to verify the custom domain name for the App Service. Because you want your application to be accessed by the company1.com domain name, you need to use the special name that represents the root of the domain. You should not use "company1.com", "www.company1.com" or "applicationcs.azurewebsites.net" values for the Name parameter. You need to configure a DNS record for the root of the domain. If you use any of these values, you will get a DNS record similar to company1.com.company1.com. You should not use an AAAA record type. This record type is used for IPv6 addresses. You need to create a record for an IPv4 address. You should not use a CNAME record type. In the first step, you used an IPv4 address. CNAME cannot contain an IPv4 address as the value for the DNS record. This record type only allows fully qualified domain names. Also, you need to create a DNS record to verify the App Service custom domain. You are required to use a TXT record for this verification, not a CNAME. Q12. Your company has an Azure subscription with one virtual network (VNet) named VNet1. Vnet1 includes the subnets and virtual machines (VMS) shown in the Subnets exhibit. You create and associate the network security groups (NSGs) shown in the Security Groups exhibit. You need to determine how the security rules in the NSGs are processed. For each of the following statements, select Yes if the statement is true. Otherwise, select No. Exhibit: Subnet - Connected virtual machines: Subnet1 - VM1, VM2, VM3 Subnet2 - VM4, VM5 Subnet3 - VM6, VM7 Network security group - Connected virtual machines: NGS1 - Subnet1 NGS2 - VM1 NGS3 - Subnet3 Statement: 1-For incoming traffic to VMI, NSG1 applies before NSG2. 2-For traffic between VM1 and VM2, only NSG2 applies. 3-For traffic between VM6 and VM7, NSG3 applies. - ANSWER Answer: 1-Yes. 2-No. 3-Yes. Explanation: 1-Yes. For incoming traffic to VM1, NSG1 applies before NSG2. Incoming traffic rules in NSG1 are processed before the incoming traffic rules for NSG2 because NSGI is associated at the subnet level. For inbound traffic, the rules are processed in the NSG associated with the subnet first, and then the rules in an NSG associated with the network interface. For outgoing traffic, the rules in NSGs associated with the VM network interface are processed before the NSGs associated in the subnet level. 2-No. For traffic between VM1 and VM2, both NSG1 and NSG2 apply. NSG2 applies for any traffic into or out of VM1. NSG1 applies for any traffic between the VMs in Subnet1. 3-Yes. For traffic between VM6 and VM7, NSG3 applies. NSG rules apply for traffic into or out of a subnet and between VMs in a subnet. Q13.You host a line-of-business (LOB) web application in a virtual network (VNet) in Azure. A site-to-site virtual private network (S2S VPN) connection links your on-premises environment with the Azure VNet. You plan to use a network security group (NSG) to restrict inbound traffic into the VNet to the following IPv4 address ranges: • 192.168.2.0/24 • 192.168.4.0/24 • 192.168.8.0/24 Your solution must meet the following technical requirements: • Limit rule scope only to the three IPv4 address ranges. • Minimize the number of NSG rules. • Minimize future administrative maintenance efforts. What should you do? A-Define three NSG rules (one per IPv4 address range). B-Pass the IPv4 address range 192.168.0.0/22 into the NSG rule. C-Define an NSG rule that includes the VirtualNetwork service tag. D-Pass the three IPv4 address ranges into the NSG rule as a comma-separated list. - ANSWER Answer: D Explanation: You should pass the three IPv4 address ranges into the NSG rule as a comma-separated list. NSGs in Azure allows you to specify individu [Show More]

Last updated: 2 years ago

Preview 1 out of 59 pages