Cert Prep: Microsoft Azure Administrator (AZ-104) - Cloud Academy - Try 2


The following is a subsection of an ARM template to deploy a Windows VM. In order to create the network interface you need a public IP Address and a Virtual Network. Which of the answers below belong in the dependsOn array to accomplish that objective?
    ...
    {
      "apiVersion": "2016-03-30",
      "type": "Microsoft.Network/networkInterfaces",
      "name": "[variables('nicName')]",
      "location": "[resourceGroup().location]",
      "dependsOn": [
        ____FILL_IN_THE_BLANK____
        "[resourceId('Microsoft.Network/virtualNetworks/', variables('virtualNetworkName'))]"
      ],
    ...

"[resourceId('Microsoft.Network/publicIPAddresses/', variables('publicIPAddressName'))]",

Your company is migrating to the cloud and wants to replicate its on-premises network in Azure. The company plans to use Azure Virtual Networks to place resources in virtual networks and subnets. You are working on the design for the company IP address schema and need to map out which ranges can be assigned to the HR department. The HR department has a subnet with an address range of 10.3.0.0/16. Which IP addresses can be dynamically assigned to the HR department? Select three choices. 10.3.0.2 10.3.255.254 10.3.255.255 10.3.0.1

10.3.0.2 10.3.255.254 10.3.0.1

You are building a group of 10 virtual machines and putting them into an availability set to ensure high availability. You configure the maximum number of fault domains available in your desired region, which is three. How many of your virtual machines will end up in the first fault domain?

4

You want to provide a third party temporary access to a single file, and only this file, stored in Azure Storage's Azure Files. Which type of shared access signature (SAS) should you provide?

A service SAS

You must give an external contractor at least 6-hour read/write access to the only file stored in an Azure Storage blob container. Ideally, you want to revoke access when the contractor no longer needs the file. Which of the following authentication and access methods are suitable?

A service-level SAS on the file, using an access policy on the container to specify the read/write permission and the 6-hour timeframe allowed to access the file.

You need to cut your product development and product resource budget by a significant amount in the next fiscal quarter. You think there are ways to save by terminating underutilized resources, or reducing costs for heavily-used resource types. You do not currently have the time or resources to dedicate to a substantial cost analysis project. You need to obtain intelligent insights related to your historic budget allocations in a very short window of time with minimal administration required. To analyze your resource spend automatically for potential cost-saving opportunities, what Azure tool or service should you use?

Azure Advisor

A client has an Azure Site-to-Site (S2S) connection between an on-premises location and an Azure virtual network (VNet) using a RouteBased Azure VPN gateway. This client has a requirement for all Internet-bound traffic from virtual machines (VMs) on their Azure VNet to be routed back to the on-premises location for auditing. Which of the following solutions would best meet the requirement?

Configure forced tunneling to route Internet-bound traffic from the VMs to the on-premises location

You have begun migrating your existing applications from on-premise servers to resources on an Azure Virtual Network. The on-premise network and Azure are currently connected via ExpressRoute. You need to ensure the ExpressRoute connection is healthy at all times. What Network Watcher service can you utilize to monitor the connection?

Connection Monitor (formerly Network Performance Monitor)

A company needs to connect their on-premise data centers to Azure. They have huge workloads that need to regularly transfer between on premise data centers and Azure. The company wants to avoid sending data over the public internet for security reasons. Which of the following connections should the company opt for to establish this connection?

Create an ExpressRoute connection

A company wants to use Azure blob storage. For disaster recovery purposes, data copies should be maintained in different regions. In the event of heavy traffic, the company would like to partially offload read requests to a secondary region. As an Azure administrator, what can you do to achieve this requirement?

Create the Azure Storage account with the replication attribute set to read-access geo-redundant storage (RA-GRS).

An Azure Storage account contains a very large amount of data and needs a data archival policy that meets the following requirements: New data will be requested and updated thousands of times in the first 30 days. After 30 days, data will be accessed occasionally and should be available immediately. After 180 days data will be accessed very infrequently if at all. Which actions should be taken to meet these requirements in the most cost-effective way?

Data will first be stored in the hot tier for the first 30 days, move to the cool tier after 30 days, and move to the archive tier after 180 days. Data will be stored in the hot tier for the first 30 days, move to the cool tier after 30 days, and stored offline after 180 days.

There are three members of the 1st line support team that have the Password Administrator role, User Administrator role, and Security Administrator role respectively. A new 1st line support team member has no administrator roles configured and needs his password reset. Which role(s) are required to reset the new team member's password?

Either the Password Administrator role or the User Administrator role

A company needs to connect their on-premise data center to Azure. They want to have a dedicated connection and at the same time want to have a failover connection. They don't mind having a drop in latency when it comes to the failover connection. They also have around 500+ employees who will need to use this connection. Which of the following connection types would you use?

ExpressRoute for the main connection and Site-to-Site for the failover connection.

There are several virtual machines (VMs) deployed in your Azure subscription. The VMs are connected to different virtual networks (VNets). You have configured custom filtering rules on the VNets. You deploy an additional VM named VM02 in a new VNet named VNet02. VM02 is experiencing connectivity issues. You use Network Watcher to troubleshoot connectivity. Which cmdlets should you use to determine which filtering rule is causing the issue? (Choose 2 answers)

Get-AzEffectiveNetworkSecurityGroup Test-AzNetworkWatcherIPFlow

A company plans to test new app functionality with a canary deployment model in Azure App Service. A system administrator must configure experimental settings for a test deployment slot and make sure they are not cloned to other deployment slots. What step will most effectively prevent the experimental settings from being cloned to other slots?

Mark the test settings as deployment slot settings

You are an IT Administrator for an organization with an existing Microsoft 365 tenant. Your organization would like to utilize SharePoint Online to allow users in different teams and countries within the company to collaborate on work projects. Which Entra ID Group (formerly Azure AD Group) would you recommend?

Microsoft 365 groups

What Azure network resource can allow or deny layer-3 traffic based on a series of security rules, and can also be directly applied to virtual machines, subnets, or network interface cards attached to virtual machines?

Network Security Groups

What Azure PowerShell command creates an Azure virtual machine?

New-AzVM

Your company is being audited, and an external accountant needs access to review a blob container in the Blob service within one specific Azure storage account. You currently use Azure Active Directory to control access to the blob storage resources in question. However, you have been told you need to provide the accountant with immediate access to review the blob container in the storage account without any further information. How can you provide necessary access, but also limit it to the container in question?

Provide the accountant with read-only access to the specific Azure Blob container with a service-level shared access signature token to expire at the end of the business day. Specify the HTTPS protocol is required to accept requests.

A system administrator needs to adjust a scaling rule for a deployed app on Azure Container app. Currently, the container deploys a replica for every 10 messages it receives within an Azure Queue Service queue, and its maximum replica count allows the container app to process up to 150 messages at once. Now the scaling rule should deploy a replica for every 5 messages, and still allow the container app to process up to 150 messages at once. Which rule parameters would the system administrator need to update to achieve this objective? (Choose 2 answers)

Scale rule metadata Max replicas

A system administrator must encrypt a new Azure Storage data disk. The disk is added to an existing VM with disk storage configured for Azure Disk Encryption. The administrator is using the same key vault and resource groups that have successfully encrypted disks on other VMs. The administrator executes a Set-AzVMDiskEncryptionExtension Azure PowerShell command. After running the command, the administrator sees the new disk is not encrypted. What is a potential reason the command did not take effect?

The admin did not generate a GUID for the new sequence version

Your IT landscape in Azure consists of both Linux and Windows virtual machines. You configured consistent backup of Windows VMs with Azure Backup using Volume Shadow Copy Service (VSS). Now you want to configure application consistent backup on the Azure Linux virtual machines. What statement below about Azure Backup on Linux virtual machines is correct?

Using Azure Backup on Linux requires custom pre- and post-scripts to complete application consistent backup.

Which of the following statements about Azure VPN Gateways and subnets is false?

When creating VNet-to-VNet connections there can be overlapping subnet address ranges

You need to configure Network Watcher's Network Performance Manager to monitor a hybrid network connection via ExpressRoute. Several steps are listed below. Which choice lists the required configuration steps in the correct order? (Note that all steps listed below are not necessary to configure an ExpressRoute Monitor.)
1. Configure to use ICMP
2. Configure to use TCP
3. Select ExpressRoute Peerings to Monitor
4. Run "EnableRules" PowerShell script on all VMs with installed Log Analytics Agent
5. Run "EnableRules" PowerShell script on NPM Monitoring VM
6. Connect or create an Azure Log Analytics workspace
7. Select related ExpressRoute Subscription and Initiate discovery
8. Install Azure Log Analytics agent on one or more VMs in each related subnet
9. Select related networks and nodes
10. Add Network Performance Monitor rules

6 - 8 - 4 - 2 - 7 - 3

Five developers in your company need to be able to connect to several application tier VMs. Your management team is concerned about security and doesn't want everyone to have access to all of the VMs. Which of the following network connections would be best in this scenario?

A point-to-site VPN

Your company would like your physical on-premise OLTP and OLAP database servers to fail over to ARM virtual machines in the event of a disaster. All servers must have managed disks. OLTP servers require premium SSD disks, while OLAP servers require standard SSD disks. They have drawn up the following requirements: OLTP databases require a minimal RTO. OLAP databases require a minimal RPO. The ARM virtual machines would need to be entirely replicated on Azure before failback to on-premise servers is initiated. The ARM virtual machine backups would need to be able to survive a regional outage. Which Azure services will you need to configure to correctly implement this disaster recovery plan? (Choose 3 answers)

Azure Site Recovery Azure Storage Azure Backup

Your organization's expenses have increased as operations have expanded. You need to identify expenses for Azure resources used by the IT and Development departments of your organization. Which Azure service or tool should you use to better understand your organization's resource expenses by department?

Azure resource tags

Your IT consulting business has recently partnered with two other businesses in different regions of the country. Each of your three offices has resources deployed in Microsoft Azure cloud. Although you plan to eventually merge your separate offices into a single Azure AD tenant, you would like to connect several VNets in your separate subscriptions beforehand with your existing, separate Azure AD tenants in place. What Azure solution is the easiest way to accomplish this?

Create VNet peering connection

You want your application tier to automatically scale based on changes in demand. After reviewing usage reports with your historic CPU metrics, you know your baseline traffic will require three VM instances. However, the workload can randomly spike to triple the baseline amount. You want to configure auto scaling to respond quickly to increases in traffic and respond gradually to decreases. The application tier is the only tier that needs to auto scale. You would like to ensure your instances remain available in the event of data center maintenance or a data center outage. How can you accomplish this?

Create a Virtual Machine Scale Set and set the "Limit to Single Placement Group" to 'true,' and enable Auto Scaling. Set your minimum number of instances to '3', and your maximum to '9'. Set your scale-out rate to '2', and scale-in rate to '1'.

You must deploy a simple three-tier application in two different regions, US Central and US East. Each region will include two Azure VMs as the web tier, two VMs as the business logic tier, and an Azure SQL Database as the data tier. Using Azure Monitor, you will monitor the following metrics for all VMs in both regions: Percentage CPU, Disk Writes per Second, and Disk Reads per Second. You want to track performance closely. If a VM exceeds its threshold for a single metric, you want to receive an alert. How should you configure your Azure Monitor metric alert rules to meet this requirement?

Create a rule set of three alert rules for each region. Each rule will monitor one specific metric. Apply the rule set to all VMs in its specific region.

A company hosts a web-based .Net application in Azure. They require that whenever an abnormal activity occurs, such as high page request rate, a custom application is notified so that it can be handled accordingly. Which option below meets this requirement?

Create an alert and use the Webhook functionality to send the notification to the custom application.

A system administrator is configuring blob versioning for a general-purpose v2 storage account and must control the costs of versioning blobs as much as possible. How can the system administrator limit the increased storage costs by enabling blob versioning? (Choose 2 answers)

Create lifecycle management policies to transition blob versions to a cooler storage tier if they are not accessed for 90 days. Create lifecycle management policies to delete blob versions that have not been read or updated in 365 days.

You would like to implement a hub-and-spoke VNet peering connection between two of your virtual networks, VNet1 in the East US region and VNet2 in the East US-2 region, using a network virtual appliance (NVA). You have deployed VNet3 to serve as the network hub, and a custom Linux virtual machine in VNet3 to serve as the NVA. How should you configure route tables to support communication between the VNets with this particular hub-and-spoke architecture?

Create route tables with user-defined routes in VNet1 and VNet2 listing the Linux VM router as a next hop.

You have deployed a new virtual machine (VM1) to availability Set 1 (AS1) in VNet1. After the deployment, you realize you deployed it to the wrong availability set and VNet. You need the VM to be located in a different availability set named AS2. How can you fix this issue?

Delete VM1 and recreate it to deploy within AS2.

You are deploying Azure Virtual Machines within a single datacenter, but want the VMs to remain available when any server within the data center is offline for maintenance. How can you deploy your virtual machines to accomplish this?

Deploy the virtual machines in separate update domains.

You have a two-tier application hosted within VNet-01 with an IP address range of 10.0.1.0/16 and the following resource configurations: A web application front end hosted on an IaaS virtual machine named VM_Front within a public subnet with an IP address range of 10.0.2.0/24. VM_Front has a private IP address of 10.0.2.5, and a public IP address of 192.168.50.2. A web application backend hosted on a second IaaS virtual machine named VM_Back within a private subnet with an IP address range of 10.0.3.0/24. VM_Back has a private IP address of 10.0.3.4. A public-facing load balancer with a private IP address of 10.0.1.6 and a public IP address of 172.16.50.35. You are configuring the network security group for VM_Front, and want it to receive encrypted HTTP traffic from the load balancer, and want this to be one of the first rules the NSG processes against all incoming traffic. How would you configure a rule to allow this?

Inbound Rule Source: 10.0.1.6 Source Port: * Destination: 10.0.2.5 Destination Port: 443 Protocol: TCP Priority: 100 Action: Allow

You are a start-up company currently hosting two small web applications, Web App 1 and Web App 2, on Azure Web Apps. Your Web Apps run on three instances on a Basic app service plan. You need to manage both web apps to meet the following requirements: Allow Web App 1 to scale from 5-8 instances based on application workload, as traffic for this web app is growing. Maintain Web App 2 on three separate instances, as this application is also growing more popular. However, Web App 2 does not require scaling capabilities yet. What steps would be most cost-effective and meet your application requirements?

Move Web App 1 to a separate Standard app service plan. Configure auto scaling for Web App 1 between a range of 5 to 8 instances based on application metrics. Keep your existing Basic app service plan for Web App 2.

An IT administrator manages a subscription (ID 11223344-1111-2222-3333-555666777888) that contains two resource groups (RG1, RG2). RG1 contains a test environment including three Azure virtual machines (TestVM1, TestVM2, TestVM3) within a virtual network (TestVnet1). The admin must provide a developer ([email protected]) with contributor access to the entire test environment. Which Azure PowerShell command will accomplish this?

New-AZRoleAssignment -ResourceGroupName rg1 -SignInName john.doe.contoso.com -RoleDefinitionName Contributor

You are a systems technician for a company that has an existing Azure AD tenant. You have a new requirement to allow guests from outside your organization to access your company's resources in Azure and Microsoft 365. Your manager wants you to test adding guest users via PowerShell before allowing them access. Which PowerShell command should you use to invite guest users into your Azure AD tenant?

New-MgInvitation

You need a Hub-and-Spoke network between two existing virtual networks in the US East region, VNet1 and VNet2, to allow resources within the two networks to communicate. You cannot use a network virtual appliance. You deploy VNet3 in the East US region to be the network hub. VNet1 and VNet2 should be able to communicate with each other through VNet3 using virtual network gateways. Which VNet peering connections should be configured to allow gateway transit?

Only peering connections directed to VNet3 as the hub

A system administrator has updated an App Service plan from shared to premium tier, and now must update the DNS mapping for the apps within the plan. The administrator must configure the DNS mapping to allow multiple TLS/SSL certificates to secure multiple domains on the same IP address. Which setting meets this requirement when configuring the App Service DNS mapping?

Select an SNI SSL under the TLS/SSL type

You are a Systems Engineer for an organization that utilizes Microsoft Entra ID (formerly Azure AD) to facilitate identity management for its user base. You have multiple custom domains in your tenant. Your company is going through a re-brand exercise; therefore, you add a new domain called iamitgeek.com and change all existing UPN addresses so this is the primary address. The 1st line support team has reported that when they add new users to the Microsoft Entra tenant, they are still automatically assigned the old domain. You have been asked to investigate why this is happening and resolve the issue. You need to ensure the minimum amount of administrative overhead. What do you need to do to resolve this issue?

Set the domain to primary under the custom domains blade.

A system administrator needs to move a set of Azure Virtual Machines (VMs) from its current availability zone to a new AZ in a target region. The VMs include the following configurations:
- An OS and managed disks with Server-Side Encryption (SSE) enabled
- The VMs are registered with a public load balancer
- The VMs have existing RBAC policies assigned
The system administrator is orchestrating the move using Azure Resource Mover. What steps will the administrator need to complete to replicate these VM configurations once the move to the target region is complete?

Specify an existing load balancer in the target region to replace the existing one. Replace the RBAC policies manually once the move is complete. The VM storage disks were unchanged during the move.

A customer team needs immediate access to a legacy application's documentation in order to assist a large customer. The files are currently stored as an archived blob in an Azure Storage general-purpose v2 storage account. The archived blob's storage tier needs to be changed to hot, and the change needs to be implemented as quickly as possible. It is not clear how long the legacy documentation blob has been stored in the archive tier. What is the most effective way to provide immediate, frequent access to the archived blob?

Use a copy operation to copy the archived blob and create a new hot blob.

Which Azure CLI command creates an App Service plan?

az appservice plan create

