AZ-104: Microsoft Azure Administrator


Question 31

You have an Azure subscription that contains a resource group named RG26.
RG26 is set to the West Europe location and is used to create temporary resources for a project. RG26 contains the resources shown in the following table.

SQLDB01 is backed up to RGV1.
When the project is complete, you attempt to delete RG26 from the Azure portal. The deletion fails.
You need to delete RG26.

What should you do first?
Delete VM1
Stop VM1
Stop the backup of SQLDB01
Delete sa001




Answer is Stop the backup of SQLDB01

When you delete a resource group, all resources in it are also deleted. Here, however, the resource group contains a Recovery Services vault with an active backup, and you can't delete a Recovery Services vault that has dependencies. So first you have to stop the backup. Then you have to delete the backup data in the Recovery Services vault, which puts it into the soft-deleted state. Soft-deleted items are permanently deleted only 14 days after the delete operation. Only after permanent deletion can you delete the Recovery Services vault or resource group RG26.

Here are the other possible dependencies that must be cleared before a Recovery Services vault can be deleted, which could be used to twist the question.
• You can't delete a vault that contains protected data sources (for example, IaaS VMs, SQL databases, Azure file shares).
• You can't delete a vault that contains backup data. Once backup data is deleted, it will go into the soft deleted state.
• You can't delete a vault that contains backup data in the soft deleted state.
• You can't delete a vault that has registered storage accounts.

Reference:
https://docs.microsoft.com/en-us/azure/backup/backup-azure-delete-vault

Question 32

You have an Azure Active Directory (Azure AD) tenant named contosocloud.onmicrosoft.com.
Your company has a public DNS zone for contoso.com.
You add contoso.com as a custom domain name to Azure AD.
You need to ensure that Azure can verify the domain name.

Which type of DNS record should you create?
MX
NSEC
PTR
RRSIG




Answer is MX

To verify your custom domain name (example):
1. Sign in to the Azure portal using a Global administrator account for the directory.
2. Select Azure Active Directory, and then select Custom domain names.
3. On the Fabrikam - Custom domain names page, select the custom domain name, Contoso.
4. On the Contoso page, select Verify to make sure your custom domain is properly registered and is valid for Azure AD. Use either the TXT or the MX record type.

Note:
There are several versions of this question in the exam. The question can have two correct answers:
1. MX
2. TXT
The question can also have other incorrect answer options, including the following:
1. SRV
2. NSEC3

Reference:
https://docs.microsoft.com/en-us/azure/dns/dns-web-sites-custom-domain

Question 33

You have an Azure subscription named Subscription1 that has a subscription ID of c276fc76-9cd4-44c9-99a7-4fd71546436e.

You need to create a custom RBAC role named CR1 that meets the following requirements:
- Can be assigned only to the resource groups in Subscription1
- Prevents the management of the access permissions for the resource groups
- Allows the viewing, creating, modifying, and deleting of resources within the resource groups

What should you specify in the assignable scopes and the permission elements of the definition of CR1?




First part is "/Subscription/subscription_id".
There is no scope called "resourceGroups" alone or "resourceGroups/*". You can specify a subscription, a specific resource group, a management group, or a specific resource. For example, a resource group scope would be "/subscription/subscription_id/resourceGroups/resource_group_name".

Second is Microsoft.Authorization/*
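
The role shape this answer implies, as an added example that is not part of the original page. It assumes `Actions` is `*` and that `Microsoft.Authorization/*` goes in `NotActions`, writes the scope in the ARM form `/subscriptions/<id>`, and evaluates operations the way a single role's effective permissions are computed (Actions minus NotActions); the helper names are illustrative.

```python
from fnmatch import fnmatchcase

# Assumed definition of CR1, derived from the question's three requirements.
CR1 = {
    "Name": "CR1",
    "Actions": ["*"],                             # view/create/modify/delete resources
    "NotActions": ["Microsoft.Authorization/*"],  # no management of access permissions
    "AssignableScopes": [
        "/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e",
    ],
}


def _matches(operation, patterns):
    """Case-insensitive wildcard match of an operation against a pattern list."""
    op = operation.lower()
    return any(fnmatchcase(op, pattern.lower()) for pattern in patterns)


def is_allowed(role, operation):
    """Effective control-plane permission of one role: Actions minus NotActions."""
    return _matches(operation, role["Actions"]) and not _matches(
        operation, role["NotActions"]
    )


def is_assignable(role, scope):
    """A role can be assigned at an assignable scope or at any scope beneath it."""
    target = scope.lower().rstrip("/")
    for root in role["AssignableScopes"]:
        root = root.lower().rstrip("/")
        if target == root or target.startswith(root + "/"):
            return True
    return False


if __name__ == "__main__":
    for op in (
        "Microsoft.Compute/virtualMachines/write",
        "Microsoft.Storage/storageAccounts/delete",
        "Microsoft.Authorization/roleAssignments/write",
    ):
        print(f"{op}: {'allowed' if is_allowed(CR1, op) else 'excluded'}")
```

`NotActions` only subtracts from this role's own `Actions`; it is not a deny rule, so a second role assignment that grants `Microsoft.Authorization` operations would still apply to the same principal.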

Reference:
https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/role-based-access-control/role-definitions.md#role-definition-structure
https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles
https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftresources

Question 34

You have an app named App1 that runs on an Azure web app named webapp1.
The developers at your company upload an update of App1 to a Git repository named Git1.
Webapp1 has the deployment slots shown in the following table.

You need to ensure that the App1 update is tested before the update is made available to users.

Which two actions should you perform? Each correct answer presents part of the solution.
Swap the slots
Deploy the App1 update to webapp1-test, and then test the update
Stop webapp1-prod
Deploy the App1 update to webapp1-prod, and then test the update
Stop webapp1-test




Answers are:
Swap the slots
Deploy the App1 update to webapp1-prod, and then test the update


Reference:
https://docs.microsoft.com/en-us/azure/app-service/deploy-staging-slots

Question 35

You have Azure virtual machines that run Windows Server 2019 and are configured as shown in the following table.

You create a private Azure DNS zone named adatum.com. You configure the adatum.com zone to allow auto registration from VNET1.
Which A records will be added to the adatum.com zone for each virtual machine?




Box 1: Private IP addresses only.
Box 2: Private IP addresses only.

The virtual machines are registered (added) to the private zone as A records pointing to their private IP addresses.

This applies because both VM1 and VM2 are in the same VNET1, and VNET1 is linked to the adatum.com zone (Private DNS Zone -> Settings -> Virtual network links).

Reference:
https://docs.microsoft.com/en-us/azure/dns/private-dns-overview
https://docs.microsoft.com/en-us/azure/dns/private-dns-scenarios

Question 36

You have the Azure virtual networks shown in the following table.

To which virtual networks can you establish a peering connection from VNet1?
VNet2 and VNet3 only
VNet2 only
VNet3 and VNet4 only
VNet2, VNet3, and VNet4




Answer is VNet3 and VNet4 only

VNet1 10.11.0.0/16 = 10.11.0.1 - 10.11.255.255 (overlap VNet2)
VNet2 10.11.0.0/17 = 10.11.0.1 - 10.11.127.254 (overlap VNet1)
VNet3 10.10.0.0/22 = 10.10.0.1 - 10.10.3.254 (no overlap)
VNet4 192.168.16.0/22 = 192.168.16.1 - 192.168.19.254 (no overlap)

Possible peerings are:
VNet1 -> VNet3
VNet1 -> VNet4

If a virtual network has address ranges that overlap with another virtual network or on-premises network, the two networks can't be connected.
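
The same overlap check done programmatically, as an added example that is not part of the original page. It uses the four address spaces listed above and generalizes to virtual networks with more than one address space; the function names are illustrative.

```python
import ipaddress

# Address spaces as listed in the explanation above.
VNETS = {
    "VNet1": ["10.11.0.0/16"],
    "VNet2": ["10.11.0.0/17"],
    "VNet3": ["10.10.0.0/22"],
    "VNet4": ["192.168.16.0/22"],
}


def overlapping_prefixes(a_prefixes, b_prefixes):
    """Return every (a, b) prefix pair whose address ranges intersect."""
    pairs = []
    for a in a_prefixes:
        net_a = ipaddress.ip_network(a, strict=True)
        for b in b_prefixes:
            net_b = ipaddress.ip_network(b, strict=True)
            # Networks of different IP versions can never overlap.
            if net_a.version == net_b.version and net_a.overlaps(net_b):
                pairs.append((a, b))
    return pairs


def peering_candidates(source, vnets):
    """Names of the virtual networks whose address space does not collide with source."""
    return sorted(
        name
        for name, prefixes in vnets.items()
        if name != source and not overlapping_prefixes(vnets[source], prefixes)
    )


if __name__ == "__main__":
    for name, prefixes in VNETS.items():
        if name == "VNet1":
            continue
        clash = overlapping_prefixes(VNETS["VNet1"], prefixes)
        print(f"VNet1 <-> {name}: {'overlap ' + str(clash) if clash else 'no overlap'}")
    print("Peering possible with:", peering_candidates("VNet1", VNETS))
```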

Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/tutorial-connect-virtual-networks-portal

Question 37

You have an Azure subscription that contains a virtual network named VNet1. VNet1 contains four subnets named Gateway, Perimeter, NVA, and Production.
The NVA subnet contains two network virtual appliances (NVAs) that will perform network traffic inspection between the Perimeter subnet and the Production subnet.

You need to implement an Azure load balancer for the NVAs. The solution must meet the following requirements:
- The NVAs must run in an active-active configuration that uses automatic failover.
- The load balancer must load balance traffic to two services on the Production subnet. The services have different IP addresses.

Which three actions should you perform?
Deploy a basic load balancer
Deploy a standard load balancer
Add two load balancing rules that have HA Ports and Floating IP enabled
Add two load balancing rules that have HA Ports enabled and Floating IP disabled
Add a frontend IP configuration, a backend pool, and a health probe
Add a frontend IP configuration, two backend pools, and a health probe




B: Deploy a standard load balancer
HA ports are not supported by a basic load balancer.

C: Add two load balancing rules that have HA Ports and Floating IP enabled
You need a Floating IP for the active-active configuration to switch over quickly.

F: Add a frontend IP configuration, two backend pools, and a health probe
You need 2 backend pools for the 2 different services.


A standard load balancer is required for the HA ports.
Two backend pools are needed as there are two services with different IP addresses.
Floating IP rule is used where backend ports are reused.

Incorrect Answers:
E: HA Ports are not available for the basic load balancer.

Reference:
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-standard-overview
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-multivip-overview

Question 38

You have an Azure subscription named Subscription1 that contains two Azure virtual networks named VNet1 and VNet2. VNet1 contains a VPN gateway named VPNGW1 that uses static routing. There is a site-to-site VPN connection between your on-premises network and VNet1.

On a computer named Client1 that runs Windows 10, you configure a point-to-site VPN connection to VNet1.

You configure virtual network peering between VNet1 and VNet2. You verify that you can connect to VNet2 from the on-premises network. Client1 is unable to connect to VNet2.

You need to ensure that you can connect Client1 to VNet2.

What should you do?
Download and re-install the VPN client configuration package on Client1.
Select Allow gateway transit on VNet1.
Select Allow gateway transit on VNet2.
Enable BGP on VPNGW1




Answer is Download and re-install the VPN client configuration package on Client1.

If you make a change to the topology of your network and have Windows VPN clients, the VPN client package for Windows clients must be downloaded and installed again.

Reference:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-point-to-site-routing

Question 39

You have an Azure web app named webapp1.

You have a virtual network named VNET1 and an Azure virtual machine named VM1 that hosts a MySQL database. VM1 connects to VNET1.

You need to ensure that webapp1 can access the data hosted on VM1.

What should you do?
Deploy an internal load balancer
Peer VNET1 to another virtual network
Connect webapp1 to VNET1
Deploy an Azure Application Gateway




Answer is Connect webapp1 to VNET1

The VNet Integration feature has two variations:
- Regional VNet Integration: When you connect to Azure Resource Manager virtual networks in the same region, you must have a dedicated subnet in the VNet you're integrating with.
- Gateway-required VNet Integration: When you connect to VNet in other regions or to a classic virtual network in the same region, you need an Azure Virtual Network gateway provisioned in the target VNet.

Note: If the VNet is in the same region, either create a new subnet or select an empty preexisting subnet.

The resources inside a VNet can communicate.

Reference:
https://docs.microsoft.com/en-us/azure/app-service/web-sites-integrate-with-vnet

Question 40

You have five Azure virtual machines that run Windows Server 2016. The virtual machines are configured as web servers.
You have an Azure load balancer named LB1 that provides load balancing services for the virtual machines.
You need to ensure that visitors are serviced by the same web server for each request.

What should you configure?
Floating IP (direct server return) to Disabled
Session persistence to None
Protocol to UDP
Session persistence to Client IP




Answer is Session persistence to Client IP

With sticky sessions, when a client starts a session on one of your web servers, the session stays on that specific server. To configure an Azure load balancer for sticky sessions, set Session persistence to Client IP or to Client IP and protocol.

Note:
- Client IP and protocol specifies that successive requests from the same client IP address and protocol combination will be handled by the same virtual machine.
- Client IP specifies that successive requests from the same client IP address will be handled by the same virtual machine.

Reference:
https://cloudopszone.com/configure-azure-load-balancer-for-sticky-sessions/
