 

Microsoft - AZ-104: Microsoft Azure Administrator

Sample Questions

Question: 706
Measured Skill: Monitor and maintain Azure resources (10–15%)

You have an Azure subscription that contains multiple virtual machines in the West US Azure region.

You need to use Traffic Analytics in Azure Network Watcher to monitor virtual machine traffic.

Which two resources should you create?

(Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.)

A A Log Analytics workspace
B An Azure Monitor workbook
C A storage account
D A Microsoft Sentinel workspace
E A Data Collection Rule (DCR) in Azure Monitor

Correct answer: A, E

Explanation:

Traffic analytics is a cloud-based solution that provides visibility into user and application activity in your cloud networks. Specifically, traffic analytics analyzes Azure Network Watcher flow logs to provide insights into traffic flow in your Azure cloud. With traffic analytics, you can:

  • Visualize network activity across your Azure subscriptions.

  • Identify hot spots.

  • Secure your network by using information about the following components to identify threats:

    • Open ports
    • Applications that attempt to access the internet
    • Virtual machines (VMs) that connect to rogue networks
  • Optimize your network deployment for performance and capacity by understanding traffic flow patterns across Azure regions and the internet.

  • Pinpoint network misconfigurations that can lead to failed connections in your network.

To use traffic analytics, you need the following components:

  • Network Watcher: A regional service that you can use to monitor and diagnose conditions at a network-scenario level in Azure. You can use Network Watcher to turn NSG flow logs on and off.

  • Log Analytics: A tool in the Azure portal that you use to work with Azure Monitor Logs data. Azure Monitor Logs is an Azure service that collects monitoring data and stores the data in a central repository. This data can include events, performance data, or custom data that's provided through the Azure API. After this data is collected, it's available for alerting, analysis, and export. Monitoring applications such as network performance monitor and traffic analytics use Azure Monitor Logs as a foundation. For more information, see Azure Monitor Logs. Log Analytics provides a way to edit and run queries on logs. You can also use this tool to analyze query results.

  • Log Analytics workspace: The environment that stores Azure Monitor log data that pertains to an Azure account.

  • Additionally, you need a network security group enabled for flow logging if you're using traffic analytics to analyze NSG flow logs or a virtual network enabled for flow logging if you're using traffic analytics to analyze VNet flow logs (preview):

    • Network security group (NSG): A resource that contains a list of security rules that allow or deny network traffic to or from resources that are connected to an Azure virtual network. Network security groups can be associated with subnets, network interfaces (NICs) that are attached to VMs (Resource Manager), or individual VMs (classic).

    • NSG flow logs: Recorded information about ingress and egress IP traffic through a network security group. NSG flow logs are written in JSON format and include:

      • Outbound and inbound flows on a per rule basis.
      • The NIC that the flow applies to.
      • Information about the flow, such as the source and destination IP addresses, the source and destination ports, and the protocol.
      • The status of the traffic, such as allowed or denied.
    • Virtual network (VNet): A resource that enables many types of Azure resources to securely communicate with each other, the internet, and on-premises networks.

    • VNet flow logs (preview): Recorded information about ingress and egress IP traffic through a virtual network. VNet flow logs are written in JSON format and include:

      • Outbound and inbound flows.
      • Information about the flow, such as the source and destination IP addresses, the source and destination ports, and the protocol.
      • The status of the traffic, such as allowed or denied.

Also, we need to create a Data Collection Rule within Azure Monitor to specify that the network traffic data for Traffic Analytics should be collected and sent to the Log Analytics workspace.

References:

Traffic analytics overview

Data collection rules in Azure Monitor



Question: 707
Measured Skill: Implement and manage storage (15–20%)

You have an Azure subscription that contains a storage account named storage1. The storage1 account contains blobs in a container named container1.

You plan to share access to storage1.

You need to generate a shared access signature (SAS). The solution must meet the following requirements:
  • Ensure that the SAS can only be used to enumerate and download blobs stored in container1.
  • Use the principle of least privilege.
Which three settings should you enable?

(To answer, select the appropriate settings in the answer area. NOTE: Each correct selection is worth one point.)


A Allowed resource types - Service
B Allowed resource types - Container
C Allowed resource types - Object
D Allowed permissions - Read
E Allowed permissions - List
F Allowed blob index permissions - Filter

Correct answer: B, D, E

Explanation:

A shared access signature (SAS) provides secure delegated access to resources in your storage account. With a SAS, you have granular control over how a client can access your data. For example:

  • What resources the client may access.

  • What permissions they have to those resources.

  • How long the SAS is valid.

We should ensure that the SAS can only be used to enumerate and download blobs stored in container1. For this purpose, List (enumerate) and Read (Download) permissions are required on the Container resource type.

Reference: Grant limited access to Azure Storage resources using shared access signatures (SAS)



Question: 708
Measured Skill: Deploy and manage Azure compute resources (20–25%)

You have an Azure subscription.

You create the following Azure Resource Manager (ARM) template named Template.json.



You need to deploy Template.json.

Which PowerShell cmdlet should you run from Azure Cloud Shell?

A New-AzSubscriptionDeployment
B New-AzManagementGroupDeployment
C New-AzResourceGroupDeployment
D New-AzTenantDeployment

Correct answer: A

Explanation:

To simplify the management of resources, you can use an Azure Resource Manager template (ARM template) to deploy resources at the level of your Azure subscription. For example, you can deploy policies and Azure role-based access control (Azure RBAC) to your subscription, which applies them across your subscription. You can also create resource groups within the subscription and deploy resources to resource groups in the subscription.

For the PowerShell deployment command, use New-AzDeployment or its alias New-AzSubscriptionDeployment. The following example deploys a template to create a resource group:

New-AzSubscriptionDeployment `
  -Name demoSubDeployment `
  -Location centralus `
  -TemplateUri "https://raw.githubusercontent.com/Azure/azure-docs-json-samples/master/azure-resource-manager/emptyrg.json" `
  -rgName demoResourceGroup `
  -rgLocation centralus

Reference: Subscription deployments with ARM templates



Question: 709
Measured Skill: Deploy and manage Azure compute resources (20–25%)

You have an Azure subscription.

You plan to migrate 50 virtual machines from VMware vSphere to the subscription.

You create a Recovery Services vault.

What should you do next?

A Configure an extended network.
B Create a recovery plan.
C Deploy an Open Virtualization Application (OVA) template to vSphere.
D Configure a virtual network.

Correct answer: D

Explanation:

On-premises machines are replicated to Azure managed disks. When a failover occurs, Azure VMs are created from these managed disks and joined to the Azure network that you specify in this procedure. The next step after creating the Recovery Services vault is therefore to create a virtual network.

The following Microsoft Learn article contains more information on the topic:

Prepare Azure for on-premises disaster recovery to Azure



Question: 710
Measured Skill: Implement and manage virtual networking (15–20%)

You have an Azure subscription that contains the virtual networks shown in the following table.



Each virtual network has 50 connected virtual machines.

You need to implement Azure Bastion. The solution must meet the following requirements:
  • Support host scaling.
  • Support uploading and downloading files.
  • Support the virtual machines on both VNet1 and VNet2.
  • Minimize the number of addresses on the Azure Bastion subnet.
How should you configure Azure Bastion?

(To answer, select the options in the answer area. NOTE: Each correct answer is worth one point.)


A Subnet size: /24
Public IP: Basic SKU with a dynamic allocation
B Subnet size: /29
Public IP: Basic SKU with a dynamic allocation
C Subnet size: /28
Public IP: Basic SKU with a static allocation
D Subnet size: /24
Public IP: Basic SKU with a static allocation
E Subnet size: /28
Public IP: Standard SKU with a static allocation
F Subnet size: /26
Public IP: Standard SKU with a static allocation

Correct answer: F

Explanation:

Azure Bastion supports multiple SKU tiers. When you configure Bastion, you select the SKU tier. You decide the SKU tier based on the features that you want to use. The following table shows the availability of features per corresponding SKU.

To allow for host scaling, the AzureBastionSubnet should be /26 or larger. Using a smaller subnet limits the number of instances you can create.

Azure Bastion deployments require a Public IP address, except Developer SKU deployments. The Public IP must have the following configuration:

  • The Public IP address SKU must be Standard.
  • The Public IP address assignment/allocation method must be Static.
  • The Public IP address name is the resource name by which you want to refer to this public IP address.
  • You can choose to use a public IP address that you already created, as long as it meets the criteria required by Azure Bastion and isn't already in use.

Reference: About Bastion configuration settings





 
 
 

© Copyright 2014 - 2024 by cert2brain.com