Microsoft - AZ-104: Microsoft Azure Administrator

Sample Questions

Explanation:

A Recovery Services vault is a management entity that stores recovery points created over time and provides an interface to perform backup related operations. These include taking on-demand backups, performing restores, and creating backup policies.

A virtual machine can be backed up by a single Recovery Services vault only. Prior to enable the backup for VM2 to RSV2, we have to stop the backup of VM2 to RSV1.

Reference: Back up Azure VMs in a Recovery Services vault

Explanation:

Data sets have unique lifecycles. Early in the lifecycle, people access some data often. But the need for access drops drastically as the data ages. Some data stays idle in the cloud and is rarely accessed once stored. Some data expires days or months after creation, while other data sets are actively read and modified throughout their lifetimes. Azure Blob Storage lifecycle management offers a rich, rule-based policy for GPv2 and blob storage accounts. Use the policy to transition your data to the appropriate access tiers or expire at the end of the data's lifecycle.

The lifecycle management policy lets you:

• Transition blobs from cool to hot immediately if accessed to optimize for performance
• Transition blobs, blob versions, and blob snapshots to a cooler storage tier (hot to cool, hot to archive, or cool to archive) if not accessed or modified for a period of time to optimize for cost
• Delete blobs, blob versions, and blob snapshots at the end of their lifecycles
• Define rules to be run once per day at the storage account level
• Apply rules to containers or a subset of blobs (using name prefixes or blob index tags as filters)

Consider a scenario where data gets frequent access during the early stages of the lifecycle, but only occasionally after two weeks. Beyond the first month, the data set is rarely accessed. In this scenario, hot storage is best during the early stages. Cool storage is most appropriate for occasional access. Archive storage is the best tier option after the data ages over a month. By adjusting storage tiers in respect to the age of data, you can design the least expensive storage options for your needs. To achieve this transition, lifecycle management policy rules are available to move aging data to cooler tiers.

Availability and pricing

The lifecycle management feature is available in all Azure regions for general purpose v2 (GPv2) accounts, blob storage accounts, premium block blobs storage accounts, and Azure Data Lake Storage Gen2 accounts. In the Azure portal, you can upgrade an existing general purpose (GPv1) account to a GPv2 account.

The lifecycle management feature is free of charge. Customers are charged the regular operation cost for the Set Blob Tier API calls. Delete operation is free.

Reference: Optimize costs by automating Azure Blob Storage access tiers

Explanation:

By adding copy loop to the resources section of your template, you can dynamically set the number of resources to deploy. You also avoid having to repeat template syntax.

You can also use copy loop with properties, variables, and outputs.

Add the copy element to the resources section of your template to deploy multiple instances of the resource. The copy element has the following general format:

"copy"

: {
  "name": "<name-of-loop>",
  "count": <number-of-iterations>,
  "mode": "serial" <or> "parallel",
  "batchSize": <number-to-deploy-serially>
}

The name property is any value that identifies the loop. The count property specifies the number of iterations you want for the resource type.

Use the mode and batchSize properties to specify if the resources are deployed in parallel or in sequence. 

The copyIndex() function returns the current iteration in the loop. copyIndex() is zero-based. 

By default, Resource Manager creates the resources in parallel. It applies no limit to the number of resources deployed in parallel, other than the total limit of 800 resources in the template. The order in which they're created isn't guaranteed.

Reference: Resource iteration in ARM templates

Explanation:

The Azure DNS private zones auto registration feature manages DNS records for virtual machines deployed in a virtual network. When you link a virtual network with a private DNS zone with this setting enabled. A DNS record gets created for each virtual machine deployed in the virtual network.

A private DNS zone can be linked to multiple virtual networks and the automatic registration can basically be activated for each of the linked virtual networks. Vice versa, a virtual network can be linked to several private DNS zones.

However, automatic registration can only be activated once for a virtual network. Each virtual network can have automatic registration activated for a single private DNS zone.

Note: The Private DNS zone service is global and not bound to a location. However, you must specify a location for the resource group where the metadata associated with the Private DNS zone will reside. 

Reference: LinkTWhat is the auto registration feature in Azure DNS private zones?

Explanation:

Azure Bastion is deployed to a virtual network and supports virtual network peering. Specifically, Azure Bastion manages RDP/SSH connectivity to VMs created in the local or peered virtual networks.

RDP and SSH are some of the fundamental means through which you can connect to your workloads running in Azure. Exposing RDP/SSH ports over the Internet isn't desired and is seen as a significant threat surface. This is often due to protocol vulnerabilities. To contain this threat surface, you can deploy bastion hosts (also known as jump-servers) at the public side of your perimeter network. Bastion host servers are designed and configured to withstand attacks. Bastion servers also provide RDP and SSH connectivity to the workloads sitting behind the bastion, as well as further inside the network.

Azure Bastion requires a subnet named AzureBastionSubnet within your VNet address space with a subnet mask /27 or larger.

References:

What is Azure Bastion?

Tutorial: Configure Bastion and connect to a Windows VM