AZ-104: Microsoft Azure Administrator


Question 41

You have an Azure subscription that contains a virtual network named VNet1. VNet1 contains four subnets named Gateway, Perimeter, NVA, and Production.
The NVA subnet contains two network virtual appliances (NVAs) that will perform network traffic inspection between the Perimeter subnet and the Production subnet.

You need to implement an Azure load balancer for the NVAs. The solution must meet the following requirements:
- The NVAs must run in an active-active configuration that uses automatic failover.
- The load balancer must load balance traffic to two services on the Production subnet. The services have different IP addresses.

Which three actions should you perform?
A. Deploy a basic load balancer
B. Deploy a standard load balancer
C. Add two load balancing rules that have HA Ports and Floating IP enabled
D. Add two load balancing rules that have HA Ports enabled and Floating IP disabled
E. Add a frontend IP configuration, a backend pool, and a health probe
F. Add a frontend IP configuration, two backend pools, and a health probe




B: Deploy a standard load balancer
HA Ports load-balancing rules are only available on the Standard SKU, and only on an internal load balancer; the Basic SKU does not support them.

C: Add two load balancing rules that have HA Ports and Floating IP enabled
An HA Ports rule (protocol All, frontend port 0, backend port 0) sends every TCP and UDP flow to whichever NVAs are healthy, which is what an active-active pair with probe-driven failover needs. Floating IP has to be enabled when more than one HA Ports rule targets the same NVA instances; it also preserves the frontend IP as the packet's destination, so each NVA must be configured to accept that address.

F: Add a frontend IP configuration, two backend pools, and a health probe
Two backend pools are needed because the two Production services have different IP addresses. The health probe is what removes a failed NVA from rotation, so failover happens without operator action.

Incorrect Answers:
A: HA Ports are not available on the Basic load balancer.

Reference:
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-standard-overview
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-multivip-overview
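The following is an added Azure PowerShell example, not part of the exam page, showing how the pieces in the answer are expressed: an internal Standard load balancer in the NVA subnet, two backend pools, a health probe, and an HA Ports rule with Floating IP enabled. It builds the rule for the first service; the rule for the second service is created the same way against the second pool. The resource group RG1, the location, the NIC names nva1-nic and nva2-nic, and the probe port 22 are assumptions; VNet1 and its NVA subnet come from the question.

```powershell
# Added example (not from the exam page). Assumed names: RG1, westus, nva1-nic, nva2-nic, probe port 22.
$rg       = 'RG1'
$location = 'westus'

$vnet      = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'VNet1'
$nvaSubnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'NVA'

# Frontend with a private IP in the NVA subnet: HA Ports requires an internal Standard load balancer
$frontend = New-AzLoadBalancerFrontendIpConfig -Name 'nva-frontend' -Subnet $nvaSubnet

# One backend pool per Production service; both will contain the same two NVAs
$pool1 = New-AzLoadBalancerBackendAddressPoolConfig -Name 'service1-pool'
$pool2 = New-AzLoadBalancerBackendAddressPoolConfig -Name 'service2-pool'

# The probe is what gives automatic failover: an NVA that stops answering is pulled from rotation.
# Probe whatever the appliance exposes as a health endpoint; port 22 is only an assumption here.
$probe = New-AzLoadBalancerProbeConfig -Name 'nva-probe' -Protocol Tcp -Port 22 -IntervalInSeconds 5 -ProbeCount 2

# HA Ports = protocol All with frontend and backend port 0. Floating IP keeps the frontend IP as the
# destination address on the wire, so the NVAs must be configured to accept that address.
$rule1 = New-AzLoadBalancerRuleConfig -Name 'service1-haports' `
    -FrontendIpConfiguration $frontend -BackendAddressPool $pool1 -Probe $probe `
    -Protocol All -FrontendPort 0 -BackendPort 0 -EnableFloatingIP

$lb = New-AzLoadBalancer -ResourceGroupName $rg -Name 'nva-ilb' -Location $location -Sku Standard `
    -FrontendIpConfiguration $frontend -BackendAddressPool $pool1, $pool2 `
    -Probe $probe -LoadBalancingRule $rule1

# Put both NVA NICs in the pool so the appliances run active-active
$lbPool1 = Get-AzLoadBalancerBackendAddressPoolConfig -LoadBalancer $lb -Name 'service1-pool'
foreach ($nicName in 'nva1-nic', 'nva2-nic') {
    $nic = Get-AzNetworkInterface -ResourceGroupName $rg -Name $nicName
    $nic.IpConfigurations[0].LoadBalancerBackendAddressPools.Add($lbPool1)
    Set-AzNetworkInterface -NetworkInterface $nic | Out-Null
}
```

Two things to check after deployment: the probe must succeed from the load balancer's probe source (168.63.129.16 must be allowed by the NVAs' NSG and host firewall), and with Floating IP the frontend address has to exist on a loopback or secondary interface inside each appliance or the forwarded packets will be dropped.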

Question 42

You have an Azure subscription named Subscription1 that contains two Azure virtual networks named VNet1 and VNet2. VNet1 contains a VPN gateway named VPNGW1 that uses static routing. There is a site-to-site VPN connection between your on-premises network and VNet1.

On a computer named Client1 that runs Windows 10, you configure a point-to-site VPN connection to VNet1.

You configure virtual network peering between VNet1 and VNet2. You verify that you can connect to VNet2 from the on-premises network. Client1 is unable to connect to VNet2.

You need to ensure that you can connect Client1 to VNet2.

What should you do?
Download and re-install the VPN client configuration package on Client1.
Select Allow gateway transit on VNet1.
Select Allow gateway transit on VNet2.
Enable BGP on VPNGW1




Answer is Download and re-install the VPN client configuration package on Client1.

The routes a point-to-site client uses are embedded in the VPN client configuration package at the time it is generated. Peering VNet1 with VNet2 changes the network topology, so existing Windows clients keep routing only to VNet1 until the package is downloaded and installed again. The gateway transit settings on the peering are not the missing piece here: the question states that the on-premises network already reaches VNet2 through VPNGW1, so VNet2 is already using the gateway.

Reference:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-point-to-site-routing
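As an added example, not taken from the exam page, the script below regenerates the point-to-site profile for VPNGW1 with Azure PowerShell and fetches it for installation on Client1. The resource group name RG1, certificate (EAPTLS) authentication, and the VNet2 test address 10.2.0.4 are assumptions.

```powershell
# Added example (not from the exam page). Assumed: RG1, EAPTLS authentication, VNet2 host 10.2.0.4.
$rg = 'RG1'
$gw = 'VPNGW1'

# Generate a fresh profile: the route list it embeds now includes VNet2's address space
$profile = New-AzVpnClientConfiguration -ResourceGroupName $rg -Name $gw -AuthenticationMethod 'EAPTLS'

$zip = Join-Path $env:TEMP "$gw-client.zip"
$dir = Join-Path $env:TEMP "$gw-client"
Invoke-WebRequest -Uri $profile.VPNProfileSASUrl -OutFile $zip
Expand-Archive -Path $zip -DestinationPath $dir -Force

# The package contains per-architecture installers for the native Windows client;
# run the one under WindowsAmd64 on a 64-bit Client1 (this reinstalls the connection and its routes)
Get-ChildItem (Join-Path $dir 'WindowsAmd64') -Filter '*.exe' | Select-Object FullName

# After reconnecting, confirm the new route is present and that VNet2 answers
Get-NetRoute -AddressFamily IPv4 | Where-Object DestinationPrefix -like '10.2.*'
Test-NetConnection -ComputerName '10.2.0.4' -Port 3389
```

The SAS URL returned by New-AzVpnClientConfiguration is short-lived, so download the package in the same session. The same regeneration step is needed whenever the gateway's routes change, for example after adding another peering or a new site-to-site connection.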

Question 43

You have an Azure web app named webapp1.

You have a virtual network named VNET1 and an Azure virtual machine named VM1 that hosts a MySQL database. VM1 connects to VNET1.

You need to ensure that webapp1 can access the data hosted on VM1.

What should you do?
Deploy an internal load balancer
Peer VNET1 to another virtual network
Connect webapp1 to VNET1
Deploy an Azure Application Gateway




Answer is Connect webapp1 to VNET1

App Service VNet Integration lets the app reach private IP addresses inside a virtual network, which is what is needed to talk to MySQL on VM1. The feature has two variations:
- Regional VNet Integration: when you connect to an Azure Resource Manager virtual network in the same region, you need a dedicated subnet in the VNet you are integrating with; the subnet is delegated to App Service and cannot host anything else.
- Gateway-required VNet Integration: when you connect to a VNet in another region or to a classic virtual network in the same region, you need an Azure Virtual Network gateway provisioned in the target VNet.

Note: if the VNet is in the same region, either create a new subnet or select an empty pre-existing subnet.

Once integrated, the app's outbound traffic to VNET1 originates from the integration subnet, so resources inside the VNet (VM1 included) can be reached on their private addresses. None of the other options gives webapp1 a path into the VNet: an internal load balancer or Application Gateway would sit in front of VM1, and peering VNET1 to another VNet does not involve the web app at all.

Reference:
https://docs.microsoft.com/en-us/azure/app-service/web-sites-integrate-with-vnet
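The following added Azure PowerShell example, not from the exam page, performs a regional VNet Integration of webapp1 into VNET1: it creates the dedicated subnet, delegates it to Microsoft.Web/serverFarms, and points the app at it. The resource group RG1, the subnet name and prefix 10.0.2.0/24, and the MySQL port 3306 are assumptions.

```powershell
# Added example (not from the exam page). Assumed: RG1, subnet webapp-integration with prefix 10.0.2.0/24.
$rg = 'RG1'

$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'VNET1'

# Regional integration needs its own subnet, delegated to App Service
Add-AzVirtualNetworkSubnetConfig -Name 'webapp-integration' -AddressPrefix '10.0.2.0/24' -VirtualNetwork $vnet | Out-Null
$vnet   = Set-AzVirtualNetwork -VirtualNetwork $vnet
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'webapp-integration'
Add-AzDelegation -Name 'webapp-delegation' -ServiceName 'Microsoft.Web/serverFarms' -Subnet $subnet | Out-Null
$vnet   = Set-AzVirtualNetwork -VirtualNetwork $vnet
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'webapp-integration'

# Point the web app at that subnet; this is the property the portal's VNet integration blade writes
$webApp = Get-AzResource -ResourceType 'Microsoft.Web/sites' -ResourceGroupName $rg -ResourceName 'webapp1'
$webApp.Properties.virtualNetworkSubnetId = $subnet.Id
$webApp | Set-AzResource -Force | Out-Null

# Confirm the binding took effect
(Get-AzResource -ResourceType 'Microsoft.Web/sites' -ResourceGroupName $rg -ResourceName 'webapp1').Properties.virtualNetworkSubnetId
```

After this, the connection string in webapp1 should use VM1's private IP or its private DNS name on port 3306, and VM1's NSG should allow 3306 only from the integration subnet prefix rather than from the whole VNet; the MySQL port should not be exposed on any public IP VM1 may have.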

Question 44

You have five Azure virtual machines that run Windows Server 2016. The virtual machines are configured as web servers.
You have an Azure load balancer named LB1 that provides load balancing services for the virtual machines.
You need to ensure that visitors are serviced by the same web server for each request.

What should you configure?
Floating IP (direct server return) to Disabled
Session persistence to None
Protocol to UDP
Session persistence to Client IP




Answer is Session persistence to Client IP

With sticky sessions, once a client starts a session on one of your web servers, subsequent requests from that client keep going to the same server. To configure an Azure load balancer for sticky sessions, set Session persistence on the load-balancing rule to Client IP or to Client IP and protocol.

Note:
- Client IP and protocol specifies that successive requests from the same client IP address and protocol combination will be handled by the same virtual machine.
- Client IP specifies that successive requests from the same client IP address will be handled by the same virtual machine.

Because the affinity is keyed on the source address, many users behind one NAT or proxy all land on the same server, so distribution can become uneven; it also stops being sticky if a client's address changes mid-session.

Reference:
https://cloudopszone.com/configure-azure-load-balancer-for-sticky-sessions/
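An added Azure PowerShell example, not from the exam page, that switches every load-balancing rule on LB1 to client-IP affinity and reads the setting back. The resource group name RG1 is an assumption; LB1 is from the question.

```powershell
# Added example (not from the exam page). Assumed: resource group RG1.
$rg = 'RG1'
$lb = Get-AzLoadBalancer -ResourceGroupName $rg -Name 'LB1'

# LoadDistribution values: Default (5-tuple hash, no affinity), SourceIP (Client IP),
# SourceIPProtocol (Client IP and protocol)
foreach ($rule in $lb.LoadBalancingRules) {
    $rule.LoadDistribution = 'SourceIP'
}
Set-AzLoadBalancer -LoadBalancer $lb | Out-Null

# Verify each rule now carries the affinity setting
(Get-AzLoadBalancer -ResourceGroupName $rg -Name 'LB1').LoadBalancingRules |
    Select-Object Name, Protocol, FrontendPort, LoadDistribution
```

Floating IP is left untouched on purpose: it controls whether the backend sees the frontend address as the destination and has nothing to do with which backend a client is mapped to.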

Question 45

You have an Azure subscription that contains the resources shown in the following table.

The Not allowed resource types Azure policy is assigned to RG1 and uses the following parameters:
Microsoft.Network/virtualNetworks
Microsoft.Compute/virtualMachines

In RG1, you need to create a new virtual machine named VM2, and then connect VM2 to VNET1.

What should you do first?
Remove Microsoft.Compute/virtualMachines from the policy.
Create an Azure Resource Manager template
Add a subnet to VNET1.
Remove Microsoft.Network/virtualNetworks from the policy.




Answer is Remove Microsoft.Compute/virtualMachines from the policy.

The Not allowed resource types Azure policy prohibits the deployment of the resource types you list in its parameter; you specify an array of resource types to block.
As assigned, the policy blocks creating virtual networks and virtual machines in RG1.
The policy is evaluated when a resource is created or updated, so VNET1, which already exists, is not the obstacle: creating VM2 is what the policy denies. Removing Microsoft.Compute/virtualMachines from the parameter lets you create VM2 in RG1 and attach its network interface to the existing VNET1 without touching the virtual network entry.

Reference:
https://docs.microsoft.com/en-us/azure/governance/policy/samples/not-allowed-resource-types
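An added Azure PowerShell example, not from the exam page, that updates the assignment's parameter so it still blocks virtual networks but no longer blocks virtual machines. The assignment name not-allowed-resource-types is an assumption; the parameter name listOfResourceTypesNotAllowed is the one used by the built-in Not allowed resource types definition.

```powershell
# Added example (not from the exam page). Assumed: the assignment is named not-allowed-resource-types.
$scope = (Get-AzResourceGroup -Name 'RG1').ResourceId
$assignmentName = 'not-allowed-resource-types'

# Current parameter value (shows both types before the change)
$current = Get-AzPolicyAssignment -Name $assignmentName -Scope $scope
$current.Properties.Parameters.listOfResourceTypesNotAllowed.value

# Keep only the virtual network entry. In Az.Resources 7 and later this cmdlet is named
# Update-AzPolicyAssignment; Set-AzPolicyAssignment remains as an alias.
Set-AzPolicyAssignment -Name $assignmentName -Scope $scope -PolicyParameterObject @{
    listOfResourceTypesNotAllowed = @('Microsoft.Network/virtualNetworks')
} | Out-Null

# Read the parameter back before trying to create VM2
(Get-AzPolicyAssignment -Name $assignmentName -Scope $scope).Properties.Parameters.listOfResourceTypesNotAllowed.value
```

If VM2 must also get a new public IP or a new NSG, check that those types are not on the list either; the assignment denies any listed type, not only the one named in the question.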

Question 46

Your company has an Azure subscription named Subscription1.
The company also has two on-premises servers named Server1 and Server2 that run Windows Server 2016. Server1 is configured as a DNS server that has a primary DNS zone named adatum.com. Adatum.com contains 1,000 DNS records.
You manage Server1 and Subscription1 from Server2. Server2 has the following tools installed:
- The DNS Manager console
- Azure PowerShell
- Azure CLI 2.0

You need to move the adatum.com zone to an Azure DNS zone in Subscription1. The solution must minimize administrative effort.

What should you use?
Azure CLI
Azure PowerShell
the Azure portal
the DNS Manager console




Answer is Azure CLI

Azure DNS supports importing and exporting zone files by using the Azure command-line interface (CLI). Zone file import is not supported through Azure PowerShell or the Azure portal, so with 1,000 records the CLI import is the only option that avoids recreating the records one by one. The zone file itself is exported from Server1 with the DNS Manager console (or the DnsServer PowerShell module that ships with it).

PrivateDNSMigrationScript is unrelated to this scenario: it migrates legacy Azure DNS private zones to the current Azure DNS private zone resource.

Reference:
https://docs.microsoft.com/en-us/azure/dns/dns-import-export
https://docs.microsoft.com/en-us/azure/dns/private-dns-migration-guide
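The following added example, not from the exam page, is the sequence as run from a PowerShell session on Server2: export the zone from Server1 with the DnsServer module, copy the file over, then call the Azure CLI (az) to import it. The resource group RG1 and the temporary file path are assumptions; Export-DnsServerZone writes the file into the DNS server's own System32\dns folder, which is why the copy step is needed.

```powershell
# Added example (not from the exam page). Assumed: resource group RG1, file staged under $env:TEMP.
$zone = 'adatum.com'
$rg   = 'RG1'

# Export from Server1 (RSAT DNS tools on Server2). The file lands in Server1's %SystemRoot%\System32\dns.
Export-DnsServerZone -Name $zone -FileName "$zone.txt" -ComputerName 'Server1'

$local = Join-Path $env:TEMP "$zone.txt"
Copy-Item -Path "\\Server1\C$\Windows\System32\dns\$zone.txt" -Destination $local

# Azure CLI is the only tool that imports a zone file; it creates the zone if it does not exist yet
az login
az network dns zone import --resource-group $rg --name $zone --file-name $local

# Compare the record count with the source before cutting over
az network dns record-set list --resource-group $rg --zone-name $zone --query 'length(@)'

# These are the name servers to set at the registrar for adatum.com once the import is verified
az network dns zone show --resource-group $rg --name $zone --query nameServers --output tsv
```

The import replaces the SOA and apex NS records with Azure's; until the registrar delegation is changed, the authoritative zone is still Server1, so both copies should be kept in sync during the cutover window.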

Question 47

You have a public load balancer that balances ports 80 and 443 across three virtual machines.
You need to direct all the Remote Desktop Protocol (RDP) connections to VM3 only.

What should you configure?
an inbound NAT rule
a new public load balancer for VM3
a frontend IP configuration
a load balancing rule




Answer is an inbound NAT rule

Create an inbound NAT rule on the load balancer's frontend that forwards RDP to VM3. A load balancer inbound network address translation (NAT) rule forwards traffic that arrives on a specific port of the frontend IP address to a specific port of a single backend VM, which is exactly the one-to-one mapping needed here; a load-balancing rule would spread the connections across all three VMs instead.

Reference:
https://docs.microsoft.com/en-us/azure/load-balancer/tutorial-load-balancer-port-forwarding-portal
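The following added Azure PowerShell example, not from the exam page, creates the inbound NAT rule on the existing public load balancer and binds it to VM3's network interface. The load balancer name LB1, resource group RG1, the NIC name vm3-nic, and the frontend port 50003 are assumptions.

```powershell
# Added example (not from the exam page). Assumed: LB1, RG1, vm3-nic, frontend port 50003.
$rg = 'RG1'
$lb = Get-AzLoadBalancer -ResourceGroupName $rg -Name 'LB1'
$frontend = $lb.FrontendIpConfigurations[0]

# Frontend port 50003 -> backend port 3389 on VM3 only. A non-default frontend port keeps the
# service off the 3389 scanners; the NSG still has to restrict who may connect.
$lb | Add-AzLoadBalancerInboundNatRuleConfig -Name 'rdp-vm3' -FrontendIpConfiguration $frontend `
    -Protocol Tcp -FrontendPort 50003 -BackendPort 3389 | Out-Null
$lb = Set-AzLoadBalancer -LoadBalancer $lb

# The rule only takes effect once a NIC IP configuration references it
$natRule = Get-AzLoadBalancerInboundNatRuleConfig -LoadBalancer $lb -Name 'rdp-vm3'
$nic = Get-AzNetworkInterface -ResourceGroupName $rg -Name 'vm3-nic'
$nic.IpConfigurations[0].LoadBalancerInboundNatRules.Add($natRule)
Set-AzNetworkInterface -NetworkInterface $nic | Out-Null

# Verify which backend the rule now maps to
(Get-AzLoadBalancer -ResourceGroupName $rg -Name 'LB1').InboundNatRules |
    Select-Object Name, FrontendPort, BackendPort, @{n='BackendIpConfig'; e={ $_.BackendIPConfiguration.Id }}
```

Existing load-balancing rules for 80 and 443 are untouched; the NAT rule uses its own frontend port, and the two kinds of rule cannot share a frontend port on the same frontend IP.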

Question 48

You have an Azure virtual machine that runs Windows Server 2019 and has the following configurations:
- Name: VM1
- Location: West US
- Connected to: VNET1
- Private IP address: 10.1.0.4
- Public IP addresses: 52.186.85.63
- DNS suffix in Windows Server: Adatum.com

You create the Azure DNS zones shown in the following table.

You need to identify which DNS zones you can link to VNET1 and the DNS zones to which VM1 can automatically register.

Which zones should you identify?




Box 1: The private zones only
Box 2: The private zones only

Only private DNS zones can be linked to a virtual network; public zones are served from the Internet-facing name servers and have no concept of a VNet link. Auto-registration is a property of that link, so a VM can register its records only in a private zone that is linked to its VNet with auto-registration enabled, and a VNet may have at most one link with auto-registration. The DNS suffix configured inside Windows (Adatum.com) does not decide where VM1 registers; the linked zone does. To resolve the records of a private DNS zone from a virtual network, the network must be linked to the zone; linked virtual networks can then resolve all records published in the private zone.

Reference:
https://docs.microsoft.com/en-us/azure/dns/private-dns-overview
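An added Azure PowerShell example, not from the exam page, that links VNET1 to a private zone with auto-registration enabled and then checks that VM1's A record appeared. The zone table from the question is not reproduced on the page, so the private zone name adatum.com, the resource group RG1, and the link name are assumptions.

```powershell
# Added example (not from the exam page). Assumed: RG1, private zone adatum.com, link name vnet1-link.
$rg   = 'RG1'
$zone = 'adatum.com'

$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'VNET1'

# Registration link: VMs in VNET1 register their hostnames in this zone automatically.
# Only one link per virtual network may have -EnableRegistration; further zones are linked without it.
New-AzPrivateDnsVirtualNetworkLink -ResourceGroupName $rg -ZoneName $zone -Name 'vnet1-link' `
    -VirtualNetworkId $vnet.Id -EnableRegistration | Out-Null

# Registration happens on VM start or NIC update; the record is keyed on the VM's hostname
Get-AzPrivateDnsRecordSet -ResourceGroupName $rg -ZoneName $zone -RecordType A |
    Where-Object Name -eq 'vm1' |
    Select-Object Name, Ttl, @{n='Address'; e={ $_.Records.Ipv4Address }}
```

The private zone resolves only for linked networks; a public zone with the same name, if one exists, is not consulted for those queries, so split-horizon names should be planned deliberately.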

Question 49

You plan to create an Azure virtual machine named VM1 that will be configured as shown in the following exhibit.

The planned disk configurations for VM1 are shown in the following exhibit.

You need to ensure that VM1 can be created in an Availability Zone.
Which two settings should you modify?
A. Use managed disks
B. OS disk type
C. Availability options
D. Size
E. Image




Answer is A and C

A: A VM deployed into an Availability Zone must use managed disks; unmanaged disks in a storage account are not supported for zonal VMs. The Site Recovery guidance for moving VMs into a zone states the same requirement.

C: Availability options is where the zone is chosen. When you create a VM for an Availability Zone, under Settings, High availability, select one of the numbered zones from the Availability zone drop-down instead of an availability set or no redundancy.

Reference:
https://docs.microsoft.com/en-us/azure/site-recovery/move-azure-vms-avset-azone
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/create-portal-availability-zone
https://docs.microsoft.com/en-us/azure/virtual-machines/manage-availability
https://docs.microsoft.com/en-us/azure/availability-zones/az-overview#availability-zones
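As an added Azure PowerShell example, not from the exam page, the script below creates VM1 in zone 1 with a managed OS disk, after first checking that the chosen size is offered in that zone (a size not available in the zone is the other common reason a zonal deployment fails). The resource group RG1, the size Standard_D2s_v3, the Windows Server 2019 image, and the NIC name vm1-nic are assumptions.

```powershell
# Added example (not from the exam page). Assumed: RG1, Standard_D2s_v3, vm1-nic, West US.
$rg       = 'RG1'
$location = 'westus'
$size     = 'Standard_D2s_v3'
$zone     = '1'

# Check the size is available in the requested zone before building the VM
$sku = Get-AzComputeResourceSku -Location $location |
    Where-Object { $_.ResourceType -eq 'virtualMachines' -and $_.Name -eq $size }
$zonesForSize = $sku.LocationInfo | ForEach-Object { $_.Zones }
if ($zonesForSize -notcontains $zone) {
    throw "$size is not offered in zone $zone of $location; zones available: $($zonesForSize -join ', ')"
}

$cred = Get-Credential -Message 'Local administrator for VM1'
$nic  = Get-AzNetworkInterface -ResourceGroupName $rg -Name 'vm1-nic'

# -Zone on the VM config is the Availability options setting; Set-AzVMOSDisk with a storage
# account type and no VHD URI yields a managed disk.
$vm = New-AzVMConfig -VMName 'VM1' -VMSize $size -Zone $zone |
    Set-AzVMOperatingSystem -Windows -ComputerName 'VM1' -Credential $cred |
    Set-AzVMSourceImage -PublisherName 'MicrosoftWindowsServer' -Offer 'WindowsServer' -Skus '2019-Datacenter' -Version 'latest' |
    Set-AzVMOSDisk -Name 'VM1-osdisk' -CreateOption FromImage -StorageAccountType 'Premium_LRS' |
    Add-AzVMNetworkInterface -Id $nic.Id

New-AzVM -ResourceGroupName $rg -Location $location -VM $vm | Out-Null
(Get-AzVM -ResourceGroupName $rg -Name 'VM1').Zones
```

Any data disks and any Standard-SKU public IP attached to a zonal VM must be created in the same zone; a zonal VM cannot be placed in an availability set, which is why the two options are mutually exclusive in the portal.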

Question 50

You have the Azure virtual network named VNet1 that contains a subnet named Subnet1. Subnet1 contains three Azure virtual machines. Each virtual machine has a public IP address.
The virtual machines host several applications that are accessible over port 443 to users on the Internet.
Your on-premises network has a site-to-site VPN connection to VNet1.
You discover that the virtual machines can be accessed by using the Remote Desktop Protocol (RDP) from the Internet and from the on-premises network.

You need to prevent RDP access to the virtual machines from the Internet, unless the RDP connection is established from the on-premises network. The solution must ensure that all the applications can still be accessed by the Internet users.

What should you do?
Modify the address space of the local network gateway
Create a deny rule in a network security group (NSG) that is linked to Subnet1
Remove the public IP addresses from the virtual machines
Modify the address space of Subnet1




Answer is Create a deny rule in a network security group (NSG) that is linked to Subnet1

You can use a site-to-site VPN to connect your on-premises network to an Azure virtual network. Users on your on-premises network then connect with RDP or SSH over the VPN, and direct RDP or SSH access from the Internet is denied with an NSG. A deny rule whose source is the Internet service tag and whose destination port is 3389 blocks RDP arriving on the public IP addresses, while traffic from the on-premises network arrives through the gateway and matches the VirtualNetwork service tag, which covers the address prefixes connected over the VPN. Removing the public IP addresses would also stop RDP from the Internet, but it would break the applications on port 443, and changing address spaces does not filter anything.

Reference:
https://docs.microsoft.com/en-us/azure/security/fundamentals/network-best-practices
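The following added Azure PowerShell example, not from the exam page, builds the NSG for Subnet1. It denies RDP from the Internet, keeps RDP open from the on-premises prefix, and explicitly allows 443 from the Internet: associating a new NSG brings the default DenyAllInBound rule with it, so the 443 allow rule is required or the applications stop working. The resource group RG1, the location, the NSG name, and the on-premises prefix 192.168.0.0/16 are assumptions.

```powershell
# Added example (not from the exam page). Assumed: RG1, westus, subnet1-nsg, on-premises prefix 192.168.0.0/16.
$rg       = 'RG1'
$location = 'westus'
$onPrem   = '192.168.0.0/16'   # the address space declared on the local network gateway

$rules = @(
    # Explicit allow for RDP from on-premises. The default AllowVnetInBound rule (VirtualNetwork tag
    # includes prefixes connected through the VPN gateway) would also match, but an explicit rule
    # documents the intent and survives if someone later adds a broader deny.
    New-AzNetworkSecurityRuleConfig -Name 'allow-rdp-from-onprem' -Priority 100 -Direction Inbound -Access Allow `
        -Protocol Tcp -SourceAddressPrefix $onPrem -SourcePortRange '*' -DestinationAddressPrefix '*' -DestinationPortRange 3389

    # RDP from the Internet is denied; the Internet tag does not cover on-premises traffic arriving via the VPN
    New-AzNetworkSecurityRuleConfig -Name 'deny-rdp-from-internet' -Priority 110 -Direction Inbound -Access Deny `
        -Protocol Tcp -SourceAddressPrefix 'Internet' -SourcePortRange '*' -DestinationAddressPrefix '*' -DestinationPortRange 3389

    # Required: without it the default DenyAllInBound rule would block the applications on 443
    New-AzNetworkSecurityRuleConfig -Name 'allow-https-from-internet' -Priority 120 -Direction Inbound -Access Allow `
        -Protocol Tcp -SourceAddressPrefix 'Internet' -SourcePortRange '*' -DestinationAddressPrefix '*' -DestinationPortRange 443
)

$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Name 'subnet1-nsg' -Location $location -SecurityRules $rules

# Associate with Subnet1 (the subnet's existing prefix must be passed back unchanged)
$vnet   = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'VNet1'
$prefix = ($vnet.Subnets | Where-Object Name -eq 'Subnet1').AddressPrefix
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'Subnet1' -AddressPrefix $prefix -NetworkSecurityGroup $nsg | Out-Null
Set-AzVirtualNetwork -VirtualNetwork $vnet | Out-Null

# Review the effective rule order on one of the VMs (assumed NIC name vm1-nic)
Get-AzEffectiveNetworkSecurityGroup -ResourceGroupName $rg -NetworkInterfaceName 'vm1-nic' |
    Select-Object -ExpandProperty EffectiveSecurityRules |
    Where-Object { $_.DestinationPortRange -contains '3389' -or $_.DestinationPortRange -contains '443' } |
    Select-Object Name, Priority, Direction, Access, SourceAddressPrefix, DestinationPortRange
```

If any of the VMs already has an NSG on its network interface, both NSGs are evaluated in sequence for inbound traffic; a NIC-level allow for 3389 from Any would undo the subnet-level rule only if it were evaluated first, which it is not, but it is still worth removing so the intent is unambiguous.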
