AZ-104: Microsoft Azure Administrator


Question 71

You plan to use Azure Network Watcher to perform the following tasks:
- Task1: Identify a security rule that prevents a network packet from reaching an Azure virtual machine.
- Task2: Validate outbound connectivity from an Azure virtual machine to an external host.
Which feature should you use for each task?




Box 1: IP flow verify
At some point, a VM may become unable to communicate with other resources, because of a security rule. The IP flow verify capability enables you to specify a source and destination IPv4 address, port, protocol (TCP or UDP), and traffic direction (inbound or outbound). IP flow verify then tests the communication and informs you if the connection succeeds or fails. If the connection fails, IP flow verify tells you which.

Box 2: Connection troubleshoot
The connection troubleshoot capability diagnoses outbound connections from a VM: it tests a connection between a VM and another VM, an FQDN, a URI, or an IPv4 address. The test returns information similar to the connection monitor capability, but it tests the connection at a point in time rather than monitoring it over time as connection monitor does.

Reference:
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview

Question 72

You have an Azure virtual machine named VM1.
The network interface for VM1 is configured as shown in the exhibit.

You deploy a web server on VM1, and then create a secure website that is accessible by using the HTTPS protocol. VM1 is used as a web server only.

You need to ensure that users can connect to the website from the Internet.

What should you do?
Modify the protocol of Rule4
Delete Rule1
For Rule5, change the Action to Allow and change the priority to 401
Create a new inbound rule that allows TCP protocol 443 and configure the rule to have a priority of 501.




Answer is For Rule5, change the Action to Allow and change the priority to 401

HTTPS uses TCP port 443.
Rule2, with priority 500, denies HTTPS traffic, and because rules are evaluated in priority order with first match wins, any allow rule that sits at a higher number than 500 (for example a new allow rule at priority 501) is never reached.
Rule5, with its action changed to Allow and its priority changed from 2000 to 401, is evaluated before Rule2 and therefore allows HTTPS traffic.

Note: Priority is a number between 100 and 4096. Rules are processed in priority order, with lower numbers processed before higher numbers, because lower numbers have higher priority. Once traffic matches a rule, processing stops. As a result, any rules that exist with lower priorities (higher numbers) that have the same attributes as rules with higher priorities are not processed.

Note: There are several versions of this question in the exam.
The question has two possible correct answers:
1. Change the priority of Rule3 to 450.
2. For Rule5, change the Action to Allow and change the priority to 401.

Other incorrect answer options you may see on the exam include the following:
- Modify the action of Rule1.
- Change the priority of Rule6 to 100.
- For Rule4, change the protocol from UDP to Any.
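The rule walk that both IP flow verify (Question 71) and this question depend on is short enough to model directly. The following is an added example, not code from the page or from Microsoft: it sorts a constructed NSG rule set by priority and reports the first rule that matches a packet, which is what IP flow verify shows you. Only Rule2 (priority 500, denies TCP 443) and Rule5 (priority 2000, deny, to be changed to Allow at 401) follow the question; the remaining attributes of Rule3 and Rule4, the source address used, and the name NewRule for option D are assumptions made for the example.

```python
"""Evaluate Azure NSG rules in priority order, first match wins (added example)."""
from dataclasses import dataclass, replace
import ipaddress


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # user rules 100-4096; Azure default rules use 65000+
    direction: str     # "Inbound" or "Outbound"
    protocol: str      # "Tcp", "Udp", "Icmp" or "*"
    source: str        # "*" or a CIDR (service tags are out of scope here)
    dest_ports: str    # "443", "80-443", "80,443" or "*"
    action: str        # "Allow" or "Deny"


@dataclass(frozen=True)
class Packet:
    direction: str
    protocol: str
    source_ip: str
    dest_port: int


def _port_ok(spec: str, port: int) -> bool:
    for part in spec.split(","):
        part = part.strip()
        if part == "*":
            return True
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if lo <= port <= hi:
                return True
        elif int(part) == port:
            return True
    return False


def _source_ok(spec: str, ip: str) -> bool:
    return spec == "*" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def first_match(rules, pkt):
    """Lowest priority number first; stop at the first rule whose attributes match."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.direction != pkt.direction:
            continue
        if rule.protocol != "*" and rule.protocol.lower() != pkt.protocol.lower():
            continue
        if not _port_ok(rule.dest_ports, pkt.dest_port) or not _source_ok(rule.source, pkt.source_ip):
            continue
        return rule
    return None


def verdict(rules, pkt):
    """(rule name, action), the same pair IP flow verify reports for a flow."""
    r = first_match(rules, pkt)
    return (r.name, r.action) if r else (None, "Deny")


def with_change(rules, name, **fields):
    """Copy of the rule set with the named rule altered."""
    return [replace(r, **fields) if r.name == name else r for r in rules]


# Constructed rule set: Rule2 and Rule5 as stated in the question, the rest assumed.
ORIGINAL = [
    Rule("Rule2", 500, "Inbound", "Tcp", "*", "443", "Deny"),
    Rule("Rule3", 600, "Inbound", "Tcp", "*", "443", "Allow"),   # assumed: allow 443, shadowed by Rule2
    Rule("Rule4", 700, "Inbound", "Udp", "*", "443", "Allow"),   # UDP, never matches HTTPS (TCP)
    Rule("Rule5", 2000, "Inbound", "Tcp", "*", "443", "Deny"),
    Rule("DenyAllInBound", 65500, "Inbound", "*", "*", "*", "Deny"),  # Azure default rule
]
HTTPS_FROM_INTERNET = Packet("Inbound", "Tcp", "198.51.100.7", 443)  # constructed source


def option_rule5_allow_401():
    return verdict(with_change(ORIGINAL, "Rule5", action="Allow", priority=401), HTTPS_FROM_INTERNET)


def option_rule3_450():
    return verdict(with_change(ORIGINAL, "Rule3", priority=450), HTTPS_FROM_INTERNET)


def option_new_rule_501():
    new_rule = Rule("NewRule", 501, "Inbound", "Tcp", "*", "443", "Allow")  # assumed name
    return verdict(ORIGINAL + [new_rule], HTTPS_FROM_INTERNET)


def option_rule4_any_protocol():
    return verdict(with_change(ORIGINAL, "Rule4", protocol="*"), HTTPS_FROM_INTERNET)


if __name__ == "__main__":
    print("unchanged        :", verdict(ORIGINAL, HTTPS_FROM_INTERNET))
    print("Rule5 Allow @401 :", option_rule5_allow_401())
    print("Rule3 @450       :", option_rule3_450())
    print("new Allow @501   :", option_new_rule_501())
    print("Rule4 -> Any     :", option_rule4_any_protocol())
```

The two correct options both work by placing an allow rule for TCP 443 at a number below 500; the new rule at 501 and the Rule4 protocol change both leave Rule2 as the first match, which is exactly what IP flow verify would name as the denying rule.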

Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview

Question 73

You create an Azure Storage account named contosostorage.
You plan to create a file share named data.
Users need to map a drive to the data file share from home computers that run Windows 10.

Which outbound port should you open between the home computers and the data file share?
80
443
445
3389




Answer is 445

Port 445 is used by the SMB (Server Message Block) protocol, which is what Windows uses for file sharing. Many consumer ISPs block outbound 445, so if the drive mapping fails from a home network, a VPN or an ExpressRoute connection into Azure may be necessary to carry the traffic. Azure Files also requires SMB 3.x with encryption in transit for connections from outside the Azure region, which Windows 10 supports. Opening 445 to the Internet is a common target for attackers, so keep the storage account firewall and share permissions as tight as the use case allows.

Incorrect:
Port 80: HTTP, this is for web
Port 443: HTTPS, for web too
Port 3389: Remote desktop protocol (RDP)
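A scripted equivalent of the port check an administrator would run from a home computer before blaming the share (Test-NetConnection with -Port 445 in PowerShell does the same), added here as an example rather than taken from the page. It tells a refused connection apart from a silent timeout, because a timeout from a home network almost always means the ISP drops 445 upstream. The storage account name contosostorage is the one from the question; the local listener is a constructed stand-in so the probe can be exercised offline.

```python
"""Probe TCP reachability of an Azure Files endpoint on port 445 (added example)."""
import socket

ADVICE = {
    "open": "port reachable; if mapping still fails, check share permissions and SMB 3.x encryption",
    "refused": "host answered with RST; nothing listening, re-check the endpoint name",
    "timeout": "no answer at all; typical of an ISP blocking 445, use VPN or ExpressRoute",
    "unresolved": "DNS lookup failed; check the account name and your resolver",
    "error": "other socket error; see the OS error text",
}


def file_share_endpoint(account: str) -> str:
    """Public SMB endpoint of an Azure Files account."""
    return f"{account}.file.core.windows.net"


def probe_tcp(host: str, port: int = 445, timeout: float = 3.0) -> str:
    """Return 'open', 'refused', 'timeout', 'unresolved' or 'error'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except socket.gaierror:
        return "unresolved"
    except OSError:
        return "error"


def open_local_listener():
    """Constructed stand-in for a reachable endpoint; returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    host = file_share_endpoint("contosostorage")
    status = probe_tcp(host)
    print(f"{host}:445 -> {status}: {ADVICE[status]}")
```

Run it from the home network that will map the drive, not from inside Azure, since the point is to find out what the path between the two drops.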

Reference:
https://learn.microsoft.com/en-us/azure/storage/files/storage-how-to-use-files-windows#prerequisites

Question 74

You have an Azure policy as shown in the following exhibit:

What is the effect of the policy?
You are prevented from creating Azure SQL servers anywhere in Subscription 1.
You can create Azure SQL servers in ContosoRG1 only.
You are prevented from creating Azure SQL Servers in ContosoRG1 only.
You can create Azure SQL servers in any resource group within Subscription 1.




Answer is You can create Azure SQL servers in ContosoRG1 only.

You are prevented from creating Azure SQL servers anywhere in Subscription 1 except in ContosoRG1, because the assignment has an exclusion (notScope) for ContosoRG1 and policy is not evaluated inside excluded scopes.
Not allowed resource types (Deny): Prevents a list of resource types from being deployed.

Reference:
https://docs.microsoft.com/en-us/azure/governance/policy/overview#policy-definition

Question 75

You have an on-premises server that contains a folder named D:\Folder1.
You need to copy the contents of D:\Folder1 to the public container in an Azure Storage account named contosodata.

Which command should you run?
https://contosodata.blob.core.windows.net/public
azcopy sync D:\folder1 https://contosodata.blob.core.windows.net/public --snapshot
azcopy copy D:\folder1 https://contosodata.blob.core.windows.net/public --recursive
az storage blob copy start-batch D:\Folder1 https://contosodata.blob.core.windows.net/public




Answer is azcopy copy D:\folder1 https://contosodata.blob.core.windows.net/public --recursive

The azcopy copy command with --recursive copies a directory (and all of the files in that directory and its subdirectories) to a blob container; without --recursive a directory source is rejected. The result is a directory in the container by the same name. AzCopy must also be authorized to write to the container, either by running azcopy login first (Azure AD) or by appending a SAS token to the destination URL.

Incorrect Answers:
B: The azcopy sync command replicates the source location to the destination location. However, the file is skipped if the last modified time in the destination is more recent.
D: The az storage blob copy start-batch command copies multiple blobs to a blob container.

Reference:
https://docs.microsoft.com/en-us/azure/storage/common/storage-use-azcopy-blobs
https://docs.microsoft.com/en-us/azure/storage/common/storage-ref-azcopy-copy

Question 76

You have an Azure subscription named Subscription1 that contains the storage accounts shown in the following table:

You plan to use the Azure Import/Export service to export data from Subscription1.
You need to identify which storage account can be used to export the data.

What should you identify?
storage1
storage2
storage3
storage4




Answer is storage4

Azure Import/Export service supports the following types of storage accounts:
- Standard General Purpose v2 storage accounts (recommended for most scenarios)
- Blob Storage accounts
- General Purpose v1 storage accounts (both classic and Azure Resource Manager deployments)

Azure Import/Export service supports the following storage types:
- Import supports Azure Blob storage and Azure File storage
- Export supports Azure Blob storage. Azure Files not supported.

Only storage4 can be exported.

Reference:
https://docs.microsoft.com/en-us/azure/storage/common/storage-import-export-requirements

Question 77

You have Azure Storage accounts as shown in the following exhibit.

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.




Box 1: storageaccount1 and storageaccount2 only

Box 2: All the storage accounts

Note: The three different storage account options are General-purpose v2 (GPv2) accounts, General-purpose v1 (GPv1) accounts, and Blob storage accounts.
- General-purpose v2 (GPv2) accounts are storage accounts that support all of the latest features for blobs, files, queues, and tables.
- Blob storage accounts support all the same block blob features as GPv2, but are limited to supporting only block blobs.
- General-purpose v1 (GPv1) accounts provide access to all Azure Storage services, but may not have the latest features or the lowest per gigabyte pricing.

Reference:
https://docs.microsoft.com/en-us/azure/storage/common/storage-account-options

Question 78

You have an Azure subscription that includes data in the following locations:

You plan to export data by using Azure import/export job named Export1.
You need to identify the data that can be exported by using Export1.

Which data should you identify?
DB1
container1
Share1
Table1




Answer is container1

Azure Import/Export service supports the following types of storage accounts:
- Standard General Purpose v2 storage accounts (recommended for most scenarios)
- Blob Storage accounts
- General Purpose v1 storage accounts (both classic and Azure Resource Manager deployments)

Azure Import/Export service supports the following storage types:
- Import supports Azure Blob storage and Azure File storage
- Export supports Azure Blob storage. Azure Files not supported.

Only container1 can be exported.

Reference:
https://docs.microsoft.com/en-us/azure/storage/common/storage-import-export-requirements

Question 79

You have an Azure Storage account named storage1.
You have an Azure App Service app named App1 and an app named App2 that runs in an Azure container instance. Each app uses a managed identity.
You need to ensure that App1 and App2 can read blobs from storage1. The solution must meet the following requirements:
- Minimize the number of secrets used.
- Ensure that App2 can only read from storage1 for the next 30 days.

What should you configure in storage1 for each app?



Box 1: Access Control (IAM)
Since App1 uses a managed identity, grant that identity a data-plane role on storage1 (for example Storage Blob Data Reader) under Access Control (IAM); no key or secret has to be stored or rotated. The requirement to minimize the number of secrets rules out handing App1 an account access key.

Box 2: Shared access signatures (SAS)
App2 needs access that is time-bound to 30 days, so issue it a SAS with read permission only and an expiry 30 days out. A SAS is itself a bearer secret: whoever holds it gets the access it grants until it expires, so keep it to the least permission and the shortest validity the requirement allows, and restrict it to HTTPS.
A shared access signature (SAS) provides secure delegated access to resources in your storage account without compromising the security of your data. With a SAS, you have granular control over how a client can access your data. You can control what resources the client may access, what permissions they have on those resources, and how long the SAS is valid, among other parameters.
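To make the SAS constraints concrete, here is an added example (not code from the page, and not the Azure SDK) that issues a read-only container SAS for storage1 expiring in 30 days, verifies a presented token by recomputing its signature, and audits a token against the question's requirement. The signing follows the documented service SAS string-to-sign layout for service version 2022-11-02 as reproduced from memory, so treat the exact field order as an assumption and use the SDK's generate_container_sas in production; the account key is a constructed dummy, the container name data and the fixed clock value are also assumptions.

```python
"""Issue, verify and audit a read-only, 30-day Azure Blob service SAS (added example)."""
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode

SAS_VERSION = "2022-11-02"
# Constructed dummy key; a real account key is 64 random bytes, base64-encoded.
DUMMY_KEY = base64.b64encode(bytes(range(64))).decode()
# Fixed clock so results are reproducible.
EXAMPLE_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def _string_to_sign(p: dict, account: str, container: str) -> str:
    """Service SAS string-to-sign, assumed field order for sv >= 2020-12-06."""
    fields = [
        p.get("sp", ""), p.get("st", ""), p.get("se", ""),
        f"/blob/{account}/{container}",                     # canonicalized resource
        p.get("si", ""), p.get("sip", ""), p.get("spr", ""), p.get("sv", ""),
        p.get("sr", ""), p.get("sst", ""), p.get("ses", ""),
        p.get("rscc", ""), p.get("rscd", ""), p.get("rsce", ""), p.get("rscl", ""), p.get("rsct", ""),
    ]
    return "\n".join(fields)


def _sign(string_to_sign: str, key_b64: str) -> str:
    mac = hmac.new(base64.b64decode(key_b64), string_to_sign.encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def container_sas(account: str, container: str, key_b64: str,
                  permissions: str = "r", days: int = 30, now: datetime = None) -> str:
    """Return the SAS query string: read-only by default, valid for `days` days."""
    now = now or datetime.now(timezone.utc)
    params = {
        "sv": SAS_VERSION,
        "st": (now - timedelta(minutes=5)).strftime(TIME_FMT),  # small clock-skew allowance
        "se": (now + timedelta(days=days)).strftime(TIME_FMT),
        "sr": "c",                                              # container-scoped
        "sp": permissions,
        "spr": "https",                                         # refuse plain HTTP
    }
    params["sig"] = _sign(_string_to_sign(params, account, container), key_b64)
    return urlencode(params)


def parse_sas(token: str) -> dict:
    return {k: v[0] for k, v in parse_qs(token, keep_blank_values=True).items()}


def verify_sas(token: str, account: str, container: str, key_b64: str) -> bool:
    """Recompute the HMAC over the presented parameters; any tampering breaks it."""
    p = parse_sas(token)
    expected = _sign(_string_to_sign(p, account, container), key_b64)
    return hmac.compare_digest(expected, p.get("sig", ""))


def audit_sas(token: str, max_days: int = 30, now: datetime = None) -> list:
    """Findings against the requirement 'read only, for at most max_days'."""
    now = now or datetime.now(timezone.utc)
    p = parse_sas(token)
    findings = []
    if set(p.get("sp", "")) - {"r", "l"}:          # read (and list) are the only acceptable permissions
        findings.append(f"permissions '{p.get('sp')}' go beyond read/list")
    if p.get("spr") != "https":
        findings.append("token usable over plain HTTP")
    if "se" not in p:
        findings.append("no expiry")
    else:
        expiry = datetime.strptime(p["se"], TIME_FMT).replace(tzinfo=timezone.utc)
        if expiry > now + timedelta(days=max_days):
            findings.append(f"expiry {p['se']} is more than {max_days} days out")
    return findings


if __name__ == "__main__":
    token = container_sas("storage1", "data", DUMMY_KEY, now=EXAMPLE_NOW)
    print(token)
    print("valid:", verify_sas(token, "storage1", "data", DUMMY_KEY))
    print("findings:", audit_sas(token, now=EXAMPLE_NOW))
```

The audit function is the part worth keeping around: run it over SAS tokens found in app settings or pipeline variables and it flags exactly the two things this question is testing, permission creep and open-ended expiry. Because the expiry is inside the signed string, App2 cannot extend its own window by editing se; the verification simply fails.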

Reference:
https://docs.microsoft.com/en-us/azure/storage/common/storage-sas-overview
https://docs.microsoft.com/en-us/azure/storage/common/storage-auth

Question 80

You need to create an Azure Storage account that meets the following requirements:
- Minimizes costs
- Supports hot, cool, and archive blob tiers
- Provides fault tolerance if a disaster affects the Azure region where the account resides

How should you complete the command?




Box 1: StorageV2
You may only tier your object storage data to hot, cool, or archive in Blob storage and General Purpose v2 (GPv2) accounts. General Purpose v1 (GPv1) accounts do not support tiering.
General-purpose v2 accounts deliver the lowest per-gigabyte capacity prices for Azure Storage, as well as industry-competitive transaction prices.

Box 2: Standard_GRS
Geo-redundant storage (GRS): Cross-regional replication to protect against region-wide unavailability.

Incorrect Answers:
Locally-redundant storage (LRS): A simple, low-cost replication strategy. Data is replicated within a single storage scale unit.
Read-access geo-redundant storage (RA-GRS): Cross-regional replication with read access to the replica. RA-GRS provides read-only access to the data in the secondary location, in addition to geo-replication across two regions, but is more expensive compared to GRS.

Reference:
https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy-grs
https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-storage-tiers
