The Rebirth Guide To AZ-104 Practice Exam

NEW QUESTION 1

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure virtual machine named VM1. VM1 was deployed by using a custom Azure Resource Manager template named ARM1.json.
You receive a notification that VM1 will be affected by maintenance. You need to move VM1 to a different host immediately.
Solution: From the Overview blade, you move the virtual machine to a different subscription.
Does this meet the goal?

• A. Yes
• B. No

Answer: B

Explanation:
Moving the virtual machine to a different subscription does not change the host that the virtual machine runs on. It only changes the billing and management of the resources. To move the virtual machine to a different host, you need to redeploy it or use Azure Site Recovery. Then, References: [Move resources to new resource group or subscription] [Redeploy Windows VM to new Azure node] [Use Azure Site Recovery to migrate Azure VMs between Azure regions]

NEW QUESTION 2

You have an Azure virtual network named VNet1 that contains a subnet named Subnet1. Subnet1 contains three Azure virtual machines. Each virtual machine has a public IP address.
The virtual machines host several applications that are accessible over port 443 to user on the Internet.
Your on-premises network has a site-to-site VPN connection to VNet1.
You discover that the virtual machines can be accessed by using the Remote Desktop Protocol (RDP) from the Internet and from the on-premises network.
You need to prevent RDP access to the virtual machines from the Internet, unless the RDP connection is established from the on-premises network. The solution must ensure that all the applications can still be accesses by the Internet users.
What should you do?

• A. Modify the address space of the local network gateway.
• B. Remove the public IP addresses from the virtual machines.
• C. Modify the address space of Subnet1.
• D. Create a deny rule in a network security group (NSG) that is linked to Subnet1.

Answer: D

Explanation:
You can filter network traffic to and from Azure resources in an Azure virtual network with a network security group. A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources.
You can use a site-to-site VPN to connect your on-premises network to an Azure virtual network. Users on your on-premises network connect by using the RDP or SSH protocol over the site-to-site VPN connection. You don't have to allow direct RDP or SSH access over the internet. And this can be achieved by configuring a deny rule in a network security group (NSG) that is linked to Subnet1 for RDP / SSH protocol coming from internet.
Modify the address space of Subnet1 : Incorrect choice
Modifying the address space of Subnet1 will have no impact on RDP traffic flow to the virtual network.
Modify the address space of the local network gateway : Incorrect choice
Modifying the address space of the local network gateway will have no impact on RDP traffic flow to the virtual network.
Remove the public IP addresses from the virtual machines : Incorrect choice
If you remove the public IP addresses from the virtual machines, none of the applications be accessible publicly by the Internet users.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/security-overview https://docs.microsoft.com/en-us/azure/security/fundamentals/network-best-practices

NEW QUESTION 3
HOTSPOT
You have an Azure AD tenant that is linked to the subscriptions shown in the following table.

You have the resource groups shown In the following table.

You assign roles to users as shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.

• A. Yes
• B. Not Mastered

Answer: A

NEW QUESTION 4

You have an Azure subscription that contains a virtual network named VNet1. VNet1 contains four subnets named Gateway, Perimeter. NVA and Production.
The NVA subnet contains two network virtual appliances (NVAs) that will perform network traffic inspection between the Perimeter subnet and the Production subnet.
You need to implement an Azure load balancer for the NVAs. The solution must meet the following requirements:
• The NVAs must run in an active-active configuration that uses automatic failover.
• The toad balancer must load balance traffic to two services on the Production subnet. The services have different IP addresses.
Which three actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

• A. Add two load balancing rules that have HA Ports enabled and Floating IP disabled.
• B. Deploy a basic load balancer.
• C. Add a frontend IP configuration, a backend pool, and a health probe.
• D. Add two load balancing rules that have HA Ports and Floating IP enabled.
• E. Deploy a standard load balancer.
• F. Add a frontend IP configuration, two backend pools, and a health probe.

Answer: DEF

NEW QUESTION 5
HOTSPOT
You are evaluating the connectivity between the virtual machines after the planned implementation of the Azure networking infrastructure.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.

• A. Yes
• B. Not Mastered

Answer: A

NEW QUESTION 6

You have an Azure virtual machine named VM1.
You use Azure Backup to create a backup of VM1 named Backup1. After creating Backup1, you perform the following changes to VM1:
✑ Modify the size of VM1.
✑ Copy a file named Budget.xls to a folder named Data.
✑ Reset the password for the built-in administrator account.
✑ Add a data disk to VM1.
An administrator uses the Replace existing option to restore VM1 from Backup1. You need to ensure that all the changes to VM1 are restored.
Which change should you perform again?

• A. Modify the size of VM1.
• B. Add a data disk.
• C. Reset the password for the built-in administrator account.
• D. Copy Budget.xls to Data.

Answer: D

Explanation:
The scenario mentioned in the question, we are using the replace option. So in this case we would lose the existing data written to the disk after the backup was taken. The file was copied to the disk after the backup was taken. Hence, we would need to copy the file once again.
References:
https://docs.microsoft.com/en-us/azure/backup/backup-azure-arm-restore-vms#replace- existing-disks

NEW QUESTION 7
DRAG DROP
You need to prepare the environment to ensure that the web administrators can deploy the web apps as quickly as possible.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

• A. Yes
• B. Not Mastered

Answer: A

NEW QUESTION 8

You have an Azure subscription that contains the resources shown in the following table.

LB1 is configured as shown in the following table.

You plan to create new inbound NAT rules that meet the following requirements: Provide Remote Desktop access to VM2 from the internet by using port 3389.

• A. A frontend IP address
• B. A health probe
• C. A load balancing rule
• D. A backend pool

Answer: A

Explanation:
To create an inbound NAT rule, you need to specify a frontend IP address and a frontend port for the load balancer to receive the traffic, and a backend IP address and a backend port for the load balancer to forward the traffic to1. According to the first table, LB1 has only one frontend IP address, which is 40.121.183.105. However, this frontend IP address is already used by the existing inbound NAT rule named rule1, which forwards port 80 to VM1 on port 802. Therefore, you cannot use the same frontend IP address and port for another inbound NAT rule.
To solve this problem, you need to create a new frontend IP address for LB1 before you can create the new inbound NAT rules. You can do this by using the Azure portal, PowerShell, or CLI3. After you create a new frontend IP address, you can use it to create the new inbound NAT rules that meet your requirements.

NEW QUESTION 9

Your on-premises network contains a VPN gateway.
You have an Azure subscription that contains the resources shown in the following table.

You need to ensure that all the traffic from VM1 to storage! travels across the Microsoft backbone network.
What should you configure?

• A. private endpoints
• B. Azure Firewall
• C. Azure AD Application Proxy
• D. Azure Peering Service

Answer: B

Explanation:
Per the MS documentation, private endpoint seems to be the proper choice: "You can use private endpoints for your Azure Storage accounts to allow clients on a virtual network (VNet) to securely access data over a Private Link. The private endpoint uses a separate IP address from the VNet address space for each storage account service. Network traffic between the clients on the VNet and the storage account traverses over the VNet and a private link on the Microsoft backbone network, eliminating exposure from the public internet." Link: https://learn.microsoft.com/en-us/azure/storage/common/storage-private- endpoints

NEW QUESTION 10
HOTSPOT
You have an Azure subscription that contains the container images shown in the following table.

You plan to use the following services:
• Azure Container Instances
• Azure Container Apps
• Azure App Service
In which services can you run the images? To answer, select the options in the answer area.
NOTE: Each correct answer is worth one point.

• A. Yes
• B. Not Mastered

Answer: A

NEW QUESTION 11
HOTSPOT
You have an Azure subscription named Subscription1 that has a subscription ID of c276fc76-9cd4-44c9-99a7-4fd71546436e.
You need to create a custom RBAC role named CR1 that meets the following requirements:
✑ Can be assigned only to the resource groups in Subscription1
✑ Prevents the management of the access permissions for the resource groups
✑ Allows the viewing, creating, modifying, and deleting of resource within the resource groups
What should you specify in the assignable scopes and the permission elements of the definition of CR1? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

• A. Yes
• B. Not Mastered

Answer: A

NEW QUESTION 12

You have an Azure subscription that contains an Azure Stream Analytics job named Job1.
You need to monitor input events for Job1 to identify the number of events that were NOT processed.
Which metric should you use?

• A. Output Events
• B. Backlogged Input Events
• C. Out-of-Order Events
• D. Late Input Events

Answer: B

Explanation:
Backlogged Input Events is a metric that shows the number of input events that are waiting to be processed by the Stream Analytics job1. This metric indicates the performance and health of the job, as well as the input data rate and latency. If the Backlogged Input Events metric is high or increasing, it means that the job is not able to keep up with the incoming events and some events are not processed in a timely manner2.
Output Events is a metric that shows the number of output events that are emitted by the Stream Analytics job1. This metric indicates the output data rate and throughput of the job. It does not show how many input events were not processed by the job.
Out-of-Order Events is a metric that shows the number of input events that arrive out of order based on their timestamp1. This metric indicates the quality and consistency of the input data source. It does not show how many input events were not processed by the job. Late Input Events is a metric that shows the number of input events that arrive after the late arrival window has expired1. This metric indicates the timeliness and reliability of the input data source. It does not show how many input events were not processed by the job.

NEW QUESTION 13
HOTSPOT
You have an Azure subscription that contains an Azure Storage account named storageaccount1.
You export storageaccount1 as an Azure Resource Manager template. The template contains the following sections.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.

• A. Yes
• B. Not Mastered

Answer: A

NEW QUESTION 14

You have an Azure App Services web app named App1. You plan to deploy App1 by using Web Deploy.
You need to ensure that the developers of App1 can use their Azure Active Directory (Azure AD) credentials to deploy content to App1. The solution must use the principle of least privilege.
What should you do?

• A. Configure app-level credentials for FTPS.
• B. Assign The Website Contributor role to the developers.
• C. Assign the Owner role to the developers.
• D. Configure user-level credentials for FTPS.

Answer: B

Explanation:
"To secure app deployment from a local computer, Azure App Service supports two types of credentials for local Git deployment and FTP/S deployment. These credentials are not the same as your Azure subscription credentials." https://learn.microsoft.com/en- us/azure/app-service/deploy-configure-credentials?tabs=cli

NEW QUESTION 15
HOTSPOT
You have an Azure subscription that contains the vaults shown in the following table.

You create a storage account that contains the resources shown in the following table.

To which vault can you back up cont1 and share1? To answer, select the appropriate options in the answer area. NOTE: Each correct answer is worth one point.

• A. Yes
• B. Not Mastered

Answer: A

NEW QUESTION 16

You have an Azur« subscription that contains a virtual machine named VM1 and an Azure key vault named KV1.
You need to configure encryption for VM1. The solution must meet the following requirements:
• Store and use the encryption key in KV1.
• Maintain encryption if VM1 is downloaded from Azure.
• Encrypt both the operating system disk and the data disks. Which encryption method should you use?

• A. encryption at host
• B. customer-managed keys
• C. Azure Disk Encryption
• D. Confidential disk encryption

Answer: C

Explanation:
Azure Disk Encryption is a service that helps you encrypt your Windows and Linux IaaS virtual machine disks1. It uses BitLocker for Windows and DM-Crypt for Linux to provide volume encryption for the OS and data disks2. Azure Disk Encryption requires that you use a key encryption key in Azure Key Vault to encrypt the volume encryption key, which is then stored on the disk. You can use either a service-managed key or a customer- managed key in Azure Key Vault3. Azure Disk Encryption also supports encrypting virtual machine disks that are downloaded from Azure4.

NEW QUESTION 17

You have an Azure virtual machine named VM1. Azure collects events from VM1.
You are creating an alert rule in Azure Monitor to notify an administrator when an error is logged in the System event log of VM1.
You need to specify which resource type to monitor. What should you specify?

• A. metric alert
• B. Azure Log Analytics workspace
• C. virtual machine
• D. virtual machine extension

Answer: B

Explanation:
Azure Monitor can collect data directly from your Azure virtual machines into a Log Analytics workspace for analysis of details and correlations. Installing the Log Analytics VM extension for Windows and Linux allows Azure Monitor to collect data from your Azure VMs.
Azure Log Analytics workspace is also used for on-premises computers monitored by System Center Operations Manager.
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/learn/quick-collect-azurevm

NEW QUESTION 18
......