 

Microsoft - AZ-104: Microsoft Azure Administrator

Sample Questions

Question: 811
Measured Skill: Implement and manage virtual networking (15–20%)

You have an Azure subscription that contains the virtual networks shown in the following table.



You add a service endpoint to each subnet as shown in the following table.



You create the service endpoint policies shown in the following table.



For each of the following statements, select Yes if the statement is true. Otherwise, select No.

(NOTE: Each correct selection is worth one point.)


A Policy1 can be associated to Subnet2: Yes
Policy2 can be associated to Subnet1: Yes
Policy2 can be associated to Subnet3: Yes
B Policy1 can be associated to Subnet2: Yes
Policy2 can be associated to Subnet1: Yes
Policy2 can be associated to Subnet3: No
C Policy1 can be associated to Subnet2: Yes
Policy2 can be associated to Subnet1: No
Policy2 can be associated to Subnet3: Yes
D Policy1 can be associated to Subnet2: No
Policy2 can be associated to Subnet1: Yes
Policy2 can be associated to Subnet3: No
E Policy1 can be associated to Subnet2: No
Policy2 can be associated to Subnet1: No
Policy2 can be associated to Subnet3: Yes
F Policy1 can be associated to Subnet2: No
Policy2 can be associated to Subnet1: No
Policy2 can be associated to Subnet3: No

Correct answer: C

Explanation:

Azure virtual network service endpoints provide secure and direct connectivity to Azure services over an optimized route through the Azure backbone network. These endpoints allow you to secure critical Azure service resources exclusively to your virtual networks, enabling private IP addresses to reach Azure services without requiring public IP addresses.

Virtual network service endpoint policies let you filter egress virtual network traffic to Azure Storage accounts over a service endpoint and allow data exfiltration to only specific Azure Storage accounts. Endpoint policies provide granular access control for virtual network traffic to Azure Storage when connecting over a service endpoint.

By default, if no policies are attached to a subnet with endpoints, you can access all storage accounts in the service. Once a policy is configured on that subnet, only the resources specified in the policy can be accessed from compute instances in that subnet. Access to all other storage accounts is denied.

You can apply multiple policies to a subnet. When multiple policies are associated with the subnet, virtual network traffic to resources specified in any of these policies is allowed. Access to all other service resources, not specified in any of the policies, is denied.

Virtual networks must be in the same region and subscription as the service endpoint policy.

You can only apply a service endpoint policy to a subnet if service endpoints are configured for the Azure services listed in the policy.

References:

Azure virtual network service endpoints

Virtual network service endpoint policies for Azure Storage



Question: 812
Measured Skill: Deploy and manage Azure compute resources (20–25%)

You have an Azure subscription that contains the resources shown in the following table.



You need to automate the creation of private endpoints for Vault1 by using an Azure Resource Manager (ARM) template.

How should you complete the template?

(To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.)


A P1: deployer
P2: Subnet1
B P1: objectKeys
P2: VNet1
C P1: parameters
P2: privatelink.vaultcore.azure.net
D P1: parameters
P2: Vault1
E P1: resourceId
P2: VNet1
F P1: resourceId
P2: privatelink.vaultcore.azure.net

Correct answer: E

Explanation:

An Azure Private Endpoint is a network interface that connects you privately and securely to a service powered by Azure Private Link. The private endpoint uses a private IP address from your VNet, effectively bringing the service into your VNet. All traffic to the service can be routed through the private endpoint, so no gateways, NAT devices, ExpressRoute or VPN connections, or public IP addresses are needed. Traffic between your virtual network and the service traverses the Microsoft backbone network, eliminating exposure to the public Internet. You can connect to an instance of an Azure resource, giving you the highest level of granularity in access control.

The first drop-down must specify the Key Vault to which the private endpoint will be added. This is done using its resource ID.

The second drop-down specifies the virtual network and the subnet to which the private endpoint will be added.

References:

Integrate Key Vault with Azure Private Link

Link private endpoint connection with Azure Keyvault using ARM template



Question: 813
Measured Skill: Implement and manage virtual networking (15–20%)

You have an Azure subscription.

You plan to create the resources shown in the following table.



VMSS1 will use Prefix1.

How many IP addresses will be available to VMSS1?

A 8
B 11
C 16
D 28
E 32

Correct answer: C

Explanation:

A public IP address prefix is a reserved range of public IP addresses in Azure. Public IP prefixes are assigned from a pool of addresses in each Azure region. You create a public IP address prefix in an Azure region and subscription by specifying a name and prefix size. The prefix size is the number of addresses available for use. Public IP address prefixes consist of IPv4 or IPv6 addresses. In regions with Availability Zones, Public IP address prefixes can be created as zone-redundant or associated with a specific availability zone. After the public IP prefix is created, you can create public IP addresses.

The following public IP prefix sizes are available:

  • /28 (IPv4) or /124 (IPv6) = 16 addresses

  • /29 (IPv4) or /125 (IPv6) = 8 addresses

  • /30 (IPv4) or /126 (IPv6) = 4 addresses

  • /31 (IPv4) or /127 (IPv6) = 2 addresses

Prefix size is specified as a Classless Inter-Domain Routing (CIDR) mask size.

Reference: Public IP address prefix



Question: 814
Measured Skill: Implement and manage virtual networking (15–20%)

You have an Azure subscription named Sub1 that contains the resources shown in the following table.



The subscription contains the users shown in the following table.



You have the following Bicep file named Deploy.bicep.



You run the following command.



For each of the following statements, select Yes if the statement is true. Otherwise, select No.

(NOTE: Each correct selection is worth one point.)


A Admin1 can delete VNet2: Yes
Admin2 can add a subnet to VNet1: Yes
Admin1 can add a subnet to VNet2: Yes
B Admin1 can delete VNet2: Yes
Admin2 can add a subnet to VNet1: Yes
Admin1 can add a subnet to VNet2: No
C Admin1 can delete VNet2: Yes
Admin2 can add a subnet to VNet1: No
Admin1 can add a subnet to VNet2: Yes
D Admin1 can delete VNet2: No
Admin2 can add a subnet to VNet1: Yes
Admin1 can add a subnet to VNet2: No
E Admin1 can delete VNet2: No
Admin2 can add a subnet to VNet1: No
Admin1 can add a subnet to VNet2: Yes
F Admin1 can delete VNet2: No
Admin2 can add a subnet to VNet1: No
Admin1 can add a subnet to VNet2: No

Correct answer: D

Explanation:

VNet2, including Subnet1, is deployed to RG1. Admin1 has Owner permissions for the resources in RG1 and Admin2 has Contributor permissions for the resources in RG1. Even though Admin1 and Admin2 have the required permissions to delete the virtual network or add a subnet, these operations are prohibited by the deny assignment created by the deployment of VNet2. The deny assignment affects VNet2 only. VNet1 is not affected by the deny assignment.

The DenySettingsMode parameter of the New-AzResourceGroupDeploymentStack cmdlet defines the operations that are prohibited on the managed resources to safeguard against unauthorized security principals attempting to delete or update them. This restriction applies to everyone unless you explicitly grant access. The values include: None, DenyDelete, and DenyWriteAndDelete.

References:

New-AzResourceGroupDeploymentStack

Create and deploy Azure deployment stacks in Bicep



Question: 815
Measured Skill: Implement and manage virtual networking (15–20%)

You have an on-premises network.

You have an Azure subscription that contains two virtual networks named VNet1 and VNet2. VNet1 uses an IP address space of 192.168.8.0/24. VNet2 uses an IP address space of 192.168.9.0/24.

You need to configure the virtual networks. The solution must meet the following requirements:
  • Ensure that the resources on VNet1 can communicate with the resources on VNet2.
  • Ensure that the resources on the on-premises network can communicate with Azure resources.
  • Minimize costs.
What should you include in the solution?

(To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.)


A Ensure communication between VNet1 and VNet2: Network peering
Ensure communication between the on-premises network and Azure: An ExpressRoute circuit
B Ensure communication between VNet1 and VNet2: Network peering
Ensure communication between the on-premises network and Azure: Azure VPN Gateway
C Ensure communication between VNet1 and VNet2: A private endpoint
Ensure communication between the on-premises network and Azure: Azure Private Link
D Ensure communication between VNet1 and VNet2: A private endpoint
Ensure communication between the on-premises network and Azure: An ExpressRoute circuit
E Ensure communication between VNet1 and VNet2: A static route
Ensure communication between the on-premises network and Azure: Azure VPN Gateway
F Ensure communication between VNet1 and VNet2: A static route
Ensure communication between the on-premises network and Azure: Azure Private Link

Correct answer: B

Explanation:

Azure Virtual Network peering enables you to seamlessly connect two or more virtual networks in Azure, making them appear as one for connectivity purposes. This powerful feature allows you to create secure, high-performance connections between virtual networks while keeping all traffic on Microsoft's private backbone infrastructure, eliminating the need for public internet routing.

Both Azure ExpressRoute and an Azure VPN Gateway can be used to send encrypted traffic between an Azure virtual network and on-premises locations over the public Internet. Implementing an Azure VPN Gateway is significantly cheaper than implementing Azure ExpressRoute.

References:

Azure virtual network peering

What is Azure VPN Gateway?





 
 
 

© Copyright 2014 - 2025 by cert2brain.com