0% found this document useful (0 votes)

22 views839 pages

Microsoft AZ-104 Czesc 2 - ExamTopics

Uploaded by

slawomir.walesiak

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

22 views839 pages

Microsoft AZ-104 Czesc 2 - ExamTopics

Uploaded by

slawomir.walesiak

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 839

6/15/23, 7:05 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

- Expert Verified, Online, Free.

 Custom View Settings

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 1/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #9 Topic 4

You plan to automate the deployment of a virtual machine scale set that uses the Windows Server 2016 Datacenter image.
You need to ensure that when the scale set virtual machines are provisioned, they have web server components installed.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

A. Upload a configuration script

B. Create an automation account

C. Create an Azure policy

D. Modify the extensionProfile section of the Azure Resource Manager template

E. Create a new virtual machine scale set in the Azure portal

Correct Answer: DE
Virtual Machine Scale Sets can be used with the Azure Desired State Configuration (DSC) extension handler. Virtual machine scale sets provide
a way to deploy and manage large numbers of virtual machines, and can elastically scale in and out in response to load. DSC is used to
configure the VMs as they come online so they are running the production software.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-dsc

Community vote distribution

AD (81%) DE (19%)

  mlantonis Highly Voted  2 years ago

Correct Answer: A and D

The Custom Script Extension downloads and executes scripts on Azure VMs. This extension is useful for post deployment configuration, software
installation, or any other configuration / management task. Scripts can be downloaded from Azure storage or GitHub, or provided to the Azure
portal at extension run-time.

The Custom Script extension integrates with Azure Resource Manager templates, and can also be used with the Azure CLI, Azure PowerShell, Azure
portal, or the REST API
The following Custom Script Extension definition downloads a sample script from GitHub, installs the required packages, then writes the VM
instance hostname to a basic HTML page.

Reference:
https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/tutorial-install-apps-template
upvoted 175 times

  fishbonemsk 3 months, 1 week ago

Correct Answer: A and D
This link could be useful for explanation:
https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/template-tutorial-deploy-vm-extensions
upvoted 4 times

  SilverFox22 1 year, 9 months ago

For the first time, I disagree with @mlantonis answer, but not the explanation. The reference link is spot on, and it has you 1. Create Custom
Script Extension definition, which is editing the extensionProfile section So, D. Then 2. you create the Scale Set. That is E. So answer is D and E.
upvoted 11 times

  Netspud 1 year, 4 months ago

Using the page reference, the page states the following order:
Create/configure Custom Script extension
Add the script (in this case upload)
Create the scaleset
upvoted 6 times

  Netspud 1 year, 4 months ago

So A and D is correct
upvoted 7 times

  GD01 1 year, 8 months ago

As per question : "You plan to automate the deployment of a virtual machine scale".... so cannot be E and you require configuration script for
post deployment installation of web server components...
upvoted 7 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 2/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  Holydud 9 months, 4 weeks ago

Was on exam 19 Aug 2022. Scored 870. Answered A and D
upvoted 19 times

  AubinBakana 1 year, 9 months ago

I know this is 3 months ago & I gather you must have figured out this is not the correct answer.

You're talking about a custom script extension, NOT a configuration. And you have to actually create the VMSS - your choice misses that part
completely. This option appears to be false
upvoted 3 times

  boom666 1 year, 8 months ago

Actually I can't see "you have to to actually create the VMSS" in the question. I see "you plan to automate the deployment of the VMSS" and
"you have to ensure..." So if we plan to automate the deployment we need to upload a configuration script and update Resource Manager
Template. Then we can deploy the VMSS using those things today, tomorrow or someday else.
upvoted 6 times

  61Reasons 10 months, 1 week ago

hmmm. The question says "you plan to automate", which means he's not currently automating, thus no current configuration script, correct?
Seems he'd have to initially upload one.
upvoted 2 times

  MisterNobody Highly Voted  2 years, 8 months ago

A and D?
upvoted 56 times

  Dady9 2 years, 8 months ago

yes, AD works better here
upvoted 9 times

  somenick 2 years, 8 months ago

Agree. Here is the step by step guide how to do that: https://adamtheautomator.com/azure-dsc-arm-template/
upvoted 10 times

  juandsanchez666 2 years, 7 months ago

Agree, the correct answer are A and D.
upvoted 9 times

  marcellov 2 years, 1 month ago

Yes, because of the word "automate" you can't use the portal. So A and D should be the right answer.
upvoted 16 times

  Rams_84zO6n Most Recent  2 months, 2 weeks ago

Selected Answer: AD
Agree with mlantonis. Prepare a configuration script. https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/template-
tutorial-deploy-vm-extensions - store the script in GitHub, so you can access it with a URI. In the ARM template, edit the extension profile section
(a) fileURI (b) commandToExecute - so you can access the ARM template and execute the script to install the web server on the VM.
upvoted 2 times

  Confidence 3 months ago

A & D should be the answer
This question appeared in my exam 7th March 2023

Custom Script Extension is an effective way to auto install components (apps or features) on VMs without having to use manual methods.
upvoted 2 times

  Venuvgp 3 months, 1 week ago

A. Upload a configuration script: You can create a configuration script that installs the web server components and upload it to Azure. The script
can be in PowerShell or another scripting language.

D. Modify the extensionProfile section of the Azure Resource Manager template: You can modify the extensionProfile section of the Azure Resource
Manager template to specify the configuration script that installs the web server components. The extension can be the CustomScriptExtension or
the PowerShell DSC extension.

Option B is not required in this scenario, as you are not using Azure Automation to deploy and manage the scale set.

Option C is not required in this scenario, as you are not enforcing any policies related to the deployment of the scale set.

Option E is also not required, as you can modify an existing scale set template rather than creating a new one.
upvoted 4 times

  CommanderBigMac 4 months ago

Selected Answer: AD
For this question, you are still in the planning phase, so A. MS is tricksy, we need to read every word carefully.
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 3/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  zellck 4 months ago

Selected Answer: AD
AD is the answer.

https://learn.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-dsc
upvoted 1 times

  UmbongoDrink 4 months ago

Selected Answer: AD
A and D

Reference:
https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/tutorial-install-apps-template
upvoted 2 times

  Ashfaque_9x 4 months, 2 weeks ago

Selected Answer: AD
Passed today on 29Jan23 with a score of 970. This question was in the exam.
Correct Answer: A and D
upvoted 4 times

  gpCert 4 months ago

WOW..............
upvoted 1 times

  lombri 4 months, 2 weeks ago

Selected Answer: AD
Virtual machine extensions are small applications that automate the tasks of creating, maintaining, and removing virtual machines.
Implement Custom Script Extensions
You can install Custom Script Extensions from the Azure portal by accessing your virtual machine's Extensions page.
upvoted 1 times

  NaoVaz 9 months ago

Selected Answer: AD
A) "Upload a configuration script" & D) "Modify the extensionProfile section of the Azure Resource Manager template"
upvoted 5 times

  Mev4953 9 months ago

Selected Answer: AD
Correct answer
upvoted 3 times

  EmnCours 9 months, 2 weeks ago

Selected Answer: AD
Correct Answer: AD

Reference:
https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/tutorial-install-apps-template
upvoted 2 times

  anilagio 9 months, 3 weeks ago

Appeared on the exam 26/08/2022.
upvoted 6 times

  Socca 10 months, 1 week ago

E is not correct you need to automate this task you didnt need to create a new vm scale set I thik A and D are correct answer
upvoted 2 times
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 4/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  Lazylinux 12 months ago

Selected Answer: AD
I Would agree with AD and as per others comments
upvoted 1 times

  manalshowaei 1 year ago

Selected Answer: DE
D. Modify the extensionProfile section of the Azure Resource Manager template Most Voted
E. Create a new virtual machine scale set in the Azure portal
upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 5/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #10 Topic 4

HOTSPOT -
You have an Azure Kubernetes Service (AKS) cluster named AKS1 and a computer named Computer1 that runs Windows 10. Computer1 that has
the Azure CLI installed.
You need to install the kubectl client on Computer1.
Which command should you run? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

To install kubectl locally, use the az aks install-cli command: az aks install-cli
Reference:
https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough

  mlantonis Highly Voted  2 years ago

Correct Answer:

To install kubectl locally, use the az aks install-cli command.

Note: Azure cli commands start with az. We use Install-Module to install a Powershell module.

Reference:

https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough

https://docs.microsoft.com/en-us/cli/azure/reference-index?view=azure-cli-latest
upvoted 131 times

  Holydud 9 months, 4 weeks ago

Was on exam 19 Aug 2022. Scored 870. Answered:

az aks install-cli
upvoted 13 times

  fedztedz Highly Voted  2 years, 6 months ago

Answer correct
upvoted 27 times

  LalitMF Most Recent  5 months, 1 week ago

Install kubectl locally using the az aks install-cli command:

az aks install-cli
upvoted 3 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 6/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  NaoVaz 9 months ago

1) "az" & 2) "aks"

Reference: https://docs.microsoft.com/en-us/cli/azure/aks?view=azure-cli-latest#az-aks-install-cli
upvoted 1 times

  EmnCours 9 months, 2 weeks ago

Answer correct

https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough
upvoted 1 times

  JacquesV 10 months, 1 week ago

In exam on 10Aug2022
upvoted 2 times

  manalshowaei 1 year ago

To install kubectl locally, use the az aks install-cli command: az aks install-cli
upvoted 1 times

  Olram 1 year, 1 month ago

Passed today. this is part of the exam. 4/23/22
upvoted 4 times

  techie_11 1 year, 2 months ago

On exam 04/12/2022. answer correct
upvoted 2 times

  sabyasachide 1 year, 2 months ago

az aks install-cli
upvoted 1 times

  InvisibleShadow 1 year, 3 months ago

This question came in the exam today 8/Mar/2022.
I passed the exam, 95% questions came from here.
upvoted 1 times

  sid132 1 year, 3 months ago

On the exam today, 4.March.2022
upvoted 1 times

  nidhogg 1 year, 4 months ago

On the exam today, 1.feb.2022
Just 761/1000, but OK! :D
Thanks to ExamTopics and to you all!
upvoted 4 times

  im82 1 year, 6 months ago

Was on exam today 19.11.2021. Passed with 920
Correct answer: az aks install-cli
upvoted 5 times

  [Removed] 1 year, 6 months ago

Was in Exam 15/11/21
upvoted 2 times

  JohnPhan 1 year, 7 months ago

az aks install-cli
upvoted 2 times

  ohana 1 year, 8 months ago

Took the exam today on 17 Oct. This question came out. Ans: az ask
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 7/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #11 Topic 4

DRAG DROP -
You onboard 10 Azure virtual machines to Azure Automation State Configuration.
You need to use Azure Automation State Configuration to manage the ongoing consistency of the virtual machine configurations.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and
arrange them in the correct order.
NOTE: More than one order of answer choices is correct. You will receive credit for any of the correct orders you select.
Select and Place:

Correct Answer:

Step 1: Upload a configuration to Azure Automation State Configuration.

Import the configuration into the Automation account.
Step 2: Compile a configuration into a node configuration.
A DSC configuration defining that state must be compiled into one or more node configurations (MOF document), and placed on the Automation
DSC Pull Server.
Step 3: Assign the node configuration
Then: Check the compliance status of the node
Each time Azure Automation State Configuration performs a consistency check on a managed node, the node sends a status report back to the
pull server. You can view these reports on the page for that node.
On the blade for an individual report, you can see the following status information for the corresponding consistency check:
The report status ‫ג‬€" whether the node is "Compliant", the configuration "Failed", or the node is "Not Compliant"
Reference:
https://docs.microsoft.com/en-us/azure/automation/automation-dsc-getting-started

  fedztedz Highly Voted  2 years, 6 months ago

Not correct. The right order is:
1. Upload a configuration to Azure Automation State Configuration
2. Compile a configuration into a node configuration
3. Check the compliance status of the node.
upvoted 262 times

  tfktfk 2 months, 2 weeks ago

this is a demo tu better understand
https://www.youtube.com/watch?v=8plqKnxzDHA
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 8/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 7 times
  mlantonis Highly Voted  2 years ago
Correct Answer:

1: Upload a configuration to Azure Automation State Configuration

2: Compile a configuration into a node configuration
3: Check the compliance status of the node.

Step 1: Create and upload a configuration to Azure Automation

Step 2: Compile a configuration into a node configuration
Step 3: Register a VM to be managed by State Configuration
Step 4: Specify configuration mode settings
Step 5: Assign a node configuration to a managed node
Step 6: Check the compliance status of a managed node

Reference:

https://docs.microsoft.com/en-us/azure/automation/automation-dsc-getting-started

https://docs.microsoft.com/en-us/azure/automation/tutorial-configure-servers-desired-state
upvoted 180 times

  dotseree 3 months ago

You get it wrong. The answer provider by Exam Topics is rather right. The question present a a case that we have to deal with, note that the
question is not about listing the appropriate step per theory, but per the situation at hand here. Per your answer you have not yet registered the
nodes, you have not yet assigned node configuration to the nodes. Which compliance are you checking then? So per the case in the question
after Step 1 and 2, you have to register the VMs ( according to Azure steps). This is the case is not a single VM, so to easily locate and register
the VMs you need to assign tags to them in order to carry on the next step easily.
upvoted 2 times

  Dennis_SOn 11 months ago

Based on the 2nd link you provided, your answer is wrong
Configure machines to a desired state
Article
02/05/2022
4 minutes to read
11 contributors

Azure Automation State Configuration allows you to specify configurations for your servers and ensure that those servers are in the specified
state over time.

Onboard a VM to be managed by Azure Automation DSC

Upload a configuration to Azure Automation
Compile a configuration into a node configuration
Assign a node configuration to a managed node
Check the compliance status of a managed node
For this tutorial, we use a simple DSC configuration that ensures that IIS is installed on the VM.
upvoted 2 times

  Dennis_SOn 11 months ago

sorry the option is not assign tagged, i think you are correct
upvoted 3 times

  jassa012 Most Recent  1 month, 2 weeks ago

The answer provided is correct, just the visual is not. If you look at the steps they are right but if you look at the visual it is wrong.
Answer is :
1. Upload a configuration to Azure Automation State Configuration
2. Compile a configuration into a node configuration
3. Check the compliance status of the node.
upvoted 3 times

  habbey 1 month, 3 weeks ago

1. Upload a configuration to Azure Automation State Configuration 2: Compile a configuration into a node configuration 3: Check the compliance
status of the node.
upvoted 1 times

  Durden871 3 months ago

From Udemy:
Explanation
Create and Import the DSC configuration into the Automation account.

Before you can apply a desired state to a node, a DSC configuration defining that state must be compiled into one or more node configurations
(MOF document) and placed on the Automation DSC Pull Server.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 9/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Enable an Azure Resource Manager VM for management with State Configuration and assign the node configuration.

Each time State Configuration performs a consistency check on a managed node, the node sends a status report back to the pull server. You can
view these reports on the page for that node.

https://docs.microsoft.com/en-us/azure/automation/automation-dsc-getting-started
upvoted 1 times
  saf862 4 months, 2 weeks ago
1: Upload a configuration to Azure Automation State Configuration
2: Compile a configuration into a node configuration
3: Check the compliance status of the node.
upvoted 2 times

  NaoVaz 9 months ago

1) "Upload a configuration to Azure Automation State Configuration"
2) "Compile a configuration to Azure Automation State Configuration"
3) "Check the compliance status of the node"

Reference: https://docs.microsoft.com/en-us/azure/automation/tutorial-configure-servers-desired-state
upvoted 4 times

  EmnCours 9 months, 2 weeks ago

1: Upload a configuration to Azure Automation State Configuration
2: Compile a configuration into a node configuration
3: Check the compliance status of the node.
upvoted 2 times

  Lazylinux 11 months, 3 weeks ago

Given Answer is incorrect
Azure Automation State Configuration: is a configuration management solution built on top of PowerShell Desired State Configuration (DSC). State
configuration works with Azure virtual machines, on-premises machines, and machines in a cloud other than Azure. Using state configuration, you
can import PowerShell DSC resources and assign them to many virtual machines from a central location. Once each endpoint has evaluated and /
or applied the desired state, state compliance is reported to Azure and can be seen on a built-in dashboard
More Detailed Steps:

Step 1: Create and upload a configuration to Azure Automation

Step 2: Compile a configuration into a node configuration

Step 3: Register a VM to be managed by State Configuration

Step 4: Specify configuration mode settings

Step 5: Assign a node configuration to a managed node

Step 6: Check the compliance status of a managed node

upvoted 5 times

  manalshowaei 1 year ago

Step 1: Upload a configuration to Azure Automation State Configuration.
Import the configuration into the Automation account.
Step 2: Compile a configuration into a node configuration.
A DSC configuration defining that state must be compiled into one or more node configurations (MOF document), and placed on the Automation
DSC Pull Server.
Step 3: Assign the node configuration
Step 4: Check the compliance status of the node
upvoted 2 times

  sankhagg 1 year, 2 months ago

upload,compile and check
upvoted 6 times

  deadhead82 1 year, 5 months ago

Admin , please change the answer screenshot. The explanation provided however is accurate. tags make no sense.
upvoted 6 times

  Jonangar 1 year, 5 months ago

https://docs.microsoft.com/en-us/azure/automation/tutorial-configure-servers-desired-state

Azure Automation State Configuration allows you to specify configurations for your servers and ensure that those servers are in the specified state
over time.

Onboard a VM to be managed by Azure Automation DSC

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 10/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Upload a configuration to Azure Automation

Compile a configuration into a node configuration
Assign a node configuration to a managed node
Check the compliance status of a managed node
upvoted 3 times
  hanyahmed 1 year, 5 months ago
1: Upload a configuration to Azure Automation State Configuration.
2: Compile a configuration into a node configuration.
3: Check the compliance status of the node.
upvoted 3 times

  Sara_Mo 1 year, 5 months ago

Correct Answer:

1: Upload a configuration to Azure Automation State Configuration

2: Compile a configuration into a node configuration
3: Check the compliance status of the node.

Step 1: Create and upload a configuration to Azure Automation

  wacky 1 year, 8 months ago

Just curious, what if you got all the right answer in the wrong order? how was the pointing system for that?
upvoted 6 times

  carzehuknu 1 year, 3 months ago

This comment make me hate myself, world and the universe
upvoted 5 times

  mrZAID 2 weeks, 3 days ago

HAHAHAHAH
upvoted 1 times

  Mukesh_Aggarwal_07 1 year, 8 months ago

Step 1: Upload a configuration to Azure Automation State Configuration.
Step 2: Compiling a configuration into a node configuration
Step 3: Onboard the virtual machines to Azure State Configuration
Step 4: Assign the node configuration.
Step 5: Check the compliance status of the node.
upvoted 3 times

  Snownoodles 1 year, 6 months ago

"onboard the virtual machines to azure state configuration" should be the first step according to https://docs.microsoft.com/en-
us/azure/automation/tutorial-configure-servers-desired-state
Step 1: Onboard a VM to be managed by Azure Automation DSC
Step 2: Upload a configuration to Azure Automation
Step 3: Compile a configuration into a node configuration
Step 4: Assign a node configuration to a managed node
Step 5: Check the compliance status of a managed node
upvoted 4 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 11/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #12 Topic 4

You have an Azure Resource Manager template named Template1 that is used to deploy an Azure virtual machine.
Template1 contains the following text:

The variables section in Template1 contains the following text:

"location": "westeurope"
The resources section in Template1 contains the following text:

You need to deploy the virtual machine to the West US location by using Template1.
What should you do?

A. Modify the location in the resources section to westus

B. Select West US during the deployment

C. Modify the location in the variables section to westus

Correct Answer: A

Community vote distribution

A (100%)

  fedztedz Highly Voted  2 years, 6 months ago

Correct Answer A: You can change the location in resources. Parameters used to define the value of some variables to be able to use in different
places in the template resources.
Resources are used only for complicated expressions. In any case, RM will only deploy from resources. In case the value is not mentioned directly,
then it will check parameters if it is specified in the resources.
Based on this question, the value of location is defined directly in resources. so you change the resources location value
upvoted 94 times

  mlantonis Highly Voted  2 years ago

Correct Answer: A

You can change the location in resources. Parameters used to define the value of some variables to be able to use in different places in the
template resources. Resources are used only for complicated expressions. In any case, RM will only deploy from resources. In case the value is not
mentioned directly, then it will check parameters if it is specified in the resources. Based on this question, the value of location is defined directly in
resources. so you change the resources location value.

Use location parameter. To allow flexibility when deploying your template, use a parameter to specify the location for resources. Set the default
value of the parameter to resourceGroup().location.

Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/resource-location?tabs=azure-powershell
https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/template-syntax#resources
upvoted 85 times

  Juanchooo Most Recent  4 weeks ago

Came in my exam today 17/05/23
upvoted 2 times

  JunetGoyal 1 month, 2 weeks ago

Exact same Q came in my exam on 30 April2023. I got wrong ticked C
upvoted 1 times

  Aluksy 2 months, 1 week ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 12/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Correct Answer A, came out in my exam today 08 April 2023.

upvoted 4 times

  shadad 3 months, 2 weeks ago

I took Exam of Azure- 104 at 27/2/2023
I score 920 points out of 1000 points. This was on it and my answer was: A
upvoted 3 times

  Ashfaque_9x 4 months, 2 weeks ago

Selected Answer: A
Passed today on 29Jan23 with a score of 970. This question was in the exam.
upvoted 4 times

  Bigc0ck 5 months, 1 week ago

on the test, I selected B it was totally wrong lmao...
upvoted 1 times

  azaad_a 8 months, 1 week ago

Part of Exam Question
upvoted 5 times

  NaoVaz 9 months ago

Selected Answer: A
A) "Modify the location in the resources section to westus"

The variable is not used on the shown snippet.

Seeing that this is a ARM template there will be not possibility to select the region during the deployment.
upvoted 3 times

  EmnCours 9 months, 2 weeks ago

Selected Answer: A
Correct Answer: A
upvoted 2 times

  61Reasons 10 months, 1 week ago

I would have thought better to set the location variable to the desired region (and default was not mentioned).
upvoted 1 times

  Lazylinux 12 months ago

Selected Answer: A
A is correct..See others comments
upvoted 1 times

  manalshowaei 1 year ago

Selected Answer: A
A. Modify the location in the resources section to westu
upvoted 1 times

  epomatti 1 year, 1 month ago

Selected Answer: A
Not the best option in the real world but "A" is correct for this question.
upvoted 6 times

  Veks 1 year, 1 month ago

Yes, NOT the best option. I would never do that. Continue with using that template if u can fix it in two little steps :). I vote for option Y - change
resource file to use variable location and then modify variable location to westus.
Correct the mistakes of others and don't continue doing their mistakes on and on and on :).
upvoted 1 times

  Pramu 1 year, 2 months ago

Selected Answer: A
CORRECT
upvoted 2 times

  benvdw 1 year, 3 months ago

on exam 13/3/2022
upvoted 3 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 13/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #13 Topic 4

You create an App Service plan named Plan1 and an Azure web app named webapp1.
You discover that the option to create a staging slot is unavailable.
You need to create a staging slot for Plan1.
What should you do first?

A. From Plan1, scale up the App Service plan

B. From webapp1, modify the Application settings

C. From webapp1, add a custom domain

D. From Plan1, scale out the App Service plan

Correct Answer: A
The app must be running in the Standard, Premium, or Isolated tier in order for you to enable multiple deployment slots.
If the app isn't already in the Standard, Premium, or Isolated tier, you receive a message that indicates the supported tiers for enabling staged
publishing. At this point, you have the option to select Upgrade and go to the Scale tab of your app before continuing.
Scale up: Get more CPU, memory, disk space, and extra features like dedicated virtual machines (VMs), custom domains and certificates,
staging slots, autoscaling, and more.
Incorrect:
Scale out: Increase the number of VM instances that run your app. You can scale out to as many as 30 instances
Reference:
https://docs.microsoft.com/en-us/azure/app-service/deploy-staging-slots https://docs.microsoft.com/en-us/azure/app-service/manage-scale-
up

Community vote distribution

A (100%)

  mlantonis Highly Voted  2 years ago

Correct Answer: A

The app must be running in the Standard, Premium, or Isolated tier in order for you to enable multiple deployment slots. If the app isn't already in
the Standard, Premium, or Isolated tier, you receive a message that indicates the supported tiers for enabling staged publishing. At this point, you
have the option to select Upgrade and go to the Scale tab of your app before continuing.

Scale up: Get more CPU, memory, disk space, and extra features like dedicated virtual machines (VMs), custom domains and certificates, staging
slots, autoscaling, and more.

Scale out: Increase the number of VM instances that run your app. You can scale out to as many as 30 instances

Reference:
https://docs.microsoft.com/en-us/azure/app-service/deploy-staging-slots
https://docs.microsoft.com/en-us/azure/app-service/manage-scale-up
upvoted 130 times

  DA0410 Highly Voted  2 years, 8 months ago

correct . For more read https://docs.microsoft.com/en-us/azure/app-service/manage-scale-up
upvoted 21 times

  JayBee65 2 years ago

Yes A, and this is a better link: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/azure-subscription-service-
limits#app-service-limits
upvoted 7 times

  RougePotatoe 4 months, 2 weeks ago

Just incase you had no idea what you're looking for. The chart clearly states that only standard, premium and isolated provide staging slots.
(5,20,20) in that order.
upvoted 2 times

  wendywen Most Recent  2 months, 2 weeks ago

Selected Answer: A
correct
upvoted 2 times

  UmbongoDrink 4 months ago

Selected Answer: A

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 14/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

A) "From Plan1, scale up the App Service Plan"

"When you deploy your web app, web app on Linux, mobile back end, or API app to Azure App Service, you can use a separate deployment slot
instead of the default production slot when you're running in the Standard, Premium, or Isolated App Service plan tier. " -
https://docs.microsoft.com/en-us/azure/app-service/deploy-staging-slots
upvoted 2 times
  Cool_Z 7 months, 3 weeks ago
Selected Answer: A
A. is the right answer.
From Plan1, scale up the App Service plan
upvoted 1 times

  NaoVaz 9 months ago

Selected Answer: A
A) "From Plan1, scale up the App Service Plan"

  EmnCours 9 months, 2 weeks ago

Selected Answer: A
Correct Answer: A
upvoted 1 times

  Mokilsin 9 months, 3 weeks ago

A is correct
upvoted 1 times

  Lazylinux 12 months ago

Selected Answer: A
A is correct
app must be running in the Standard, Premium, or Isolated tier in order for you to enable multiple deployment slots that you can use to test app in
dev environment before deploy to production
upvoted 2 times

  manalshowaei 1 year ago

Selected Answer: A
A. From Plan1, scale up the App Service plan
upvoted 1 times

  epomatti 1 year, 1 month ago

Selected Answer: A
A is correct, need to use Standard or higher.
upvoted 2 times

  Pramu 1 year, 2 months ago

Selected Answer: A
Correct Answer
upvoted 2 times

  ajayasa 1 year, 3 months ago

this question was there on 16/03/2022 with same question and passed with 900 percent
upvoted 4 times

  Azure_daemon 1 year, 3 months ago

Scale up: Get more CPU, memory, disk space, and extra features like dedicated virtual machines (VMs), custom domains and certificates, ""staging
slots"", autoscaling, and more. You scale up by changing the pricing tier of the App Service plan that your app belongs to.
upvoted 1 times

  WS_21 1 year, 3 months ago

Selected Answer: A
https://docs.microsoft.com/en-us/azure/app-service/manage-scale-up
upvoted 2 times

  EleChie 1 year, 5 months ago

Changing your App Service plan (scale up)
Your App Service plan can be scaled up and down at any time. It is as simple as changing the pricing tier of the plan. You can choose a lower
pricing tier at first and scale up later when you need more App Service features.

For example, you can start testing your web app in a Free App Service plan and pay nothing. When you want to add your custom DNS name to the
web app, just scale your plan up to the Shared tier. Later, when you want to create an SSL binding, scale your plan up to Basic tier. When you want

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 15/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

to have staging environments, scale up to Standard tier. When you need more cores, memory, or storage, scale up to a bigger VM size in the same
tier.

The same works in the reverse. When you feel you no longer need the capabilities or features of a higher tier, you can scale down to a lower tier,
which saves you money.
upvoted 3 times

  EleChie 1 year, 5 months ago

Scale up. Get more CPU, memory, disk space, and extra features like dedicated virtual machines (VMs), custom domains and certificates, staging
slots, autoscaling, and more. You scale up by changing the pricing tier of the App Service plan that your app belongs to.

Scale out: Increase the number of VM instances that run your app. You can scale out to as many as 30 instances, depending on your pricing tier.
App Service Environments in Isolated tier further increases your scale-out count to 100 instances. The scale instance count can be configured
manually or automatically (autoscale). Autoscale is based on predefined rules and schedules.
upvoted 1 times

  AubinBakana 1 year, 9 months ago

They don't cover this section much in Az 104 Module for Apps. I struggled to understand this particular section. Still do but it's a little clearer now
that I've had to look it up. Answer is correct
upvoted 1 times

  zr79 1 year, 3 months ago

They do cover this one, though it says for you to use deployment slots you need to upgrade to the standard, premium, and isolated SKU which
is adding more CPU, memory which is scaling up
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 16/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #14 Topic 4

You plan to move a distributed on-premises app named App1 to an Azure subscription.
After the planned move, App1 will be hosted on several Azure virtual machines.
You need to ensure that App1 always runs on at least eight virtual machines during planned Azure maintenance.
What should you create?

A. one virtual machine scale set that has 10 virtual machines instances

B. one Availability Set that has three fault domains and one update domain

C. one Availability Set that has 10 update domains and one fault domain

D. one virtual machine scale set that has 12 virtual machines instances

Correct Answer: C
An update domain is a logical group of underlying hardware that can undergo maintenance or be rebooted at the same time. As you create VMs
within an availability set, the Azure platform automatically distributes your VMs across these update domains. This approach ensures that at
least one instance of your application always remains running as the Azure platform undergoes periodic maintenance.
Reference:
http://www.thatlazyadmin.com/azure-fault-update-domains/

Community vote distribution

A (52%) C (46%)

  fedztedz Highly Voted  2 years, 6 months ago

Answer is wrong. The correct Answer is A.
First: in case you created on fault domain, you are limited with one update domain. You can test this.
Second: By default, Azure uses 5 update domains and up to 3 fault domains. So, In case you created 10 vm in scale set. then you will have 2 vm in
each update domain. So once one update domain is not available, then you get 4 domains with 8 vms as required.
upvoted 195 times

  rupayan87 7 months ago

you can have up to 3FD and 20UD. It can be any combination. 1FD x 10UD is also perfectly fine. You need to create 10VM and put them in AV
Set. MS will distribute the VMs into UDs within the FD. During maintenance UDs are respected by MS
upvoted 6 times

  ZacAz104 9 months ago

Question says "during planned Azure maintenance" this has nothing to do with Scale set definition so i think C is correct we need Availability set
nor Scale set
upvoted 19 times

  kilowd 1 year ago

If A is correct why not D ..Atleast 8 means 8 or more..Even though 12 is an overkill the question does not specify any restriction with regards to
Cost
upvoted 5 times

  ConanBarb 3 months, 3 weeks ago

Incorrect. 12 VMs is not overkill - it will not meet the requirements of at least 8:
VM spread over 5 UDs in a VMSS: 3, 3, 2, 2, 2
upvoted 1 times

  Mr_Marcus 11 months, 1 week ago

Given that either 10 or 12 VMs will do the job, cost efficiency would be implied when coming up with an answer. Good old Microsoft...
upvoted 3 times

  ConanBarb 3 months, 3 weeks ago

Sorry but that is not a correct understanding of Update Domains.
12 VMs in a VMSS that will have 5 UDs by default will render the following VM spread over the UDs: 3, 3, 2, 2, 2. Hence when UD1 or UD2
is taken down for update there will only be 7 VMs running.
upvoted 2 times

  ericZX 1 month, 2 weeks ago

If there are 12 VMs in a VMSS, when UD1 or UD2 is taken down for update there will only be 3+2+2+2=9 VMs running......
upvoted 2 times

  ThatDowntownSmell 11 months, 3 weeks ago

Good point, either A or D would work. Make me wonder if this question is not copied or translated correctly.
upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 17/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  Dave03 7 months, 2 weeks ago

You are giving incorrect explanation. Each availability set can be configured with up to three fault domains and twenty update domains.
upvoted 7 times

  mlantonis Highly Voted  2 years ago

Correct Answer: A

VM Scale Set consists of a set of identically configured VMs.

Availability Set consists of a set of discrete VMs.

No more than 20% of the Scale Set upgrading at any time, then 2 machines out of 10 will have maintenance, the 8 remaining VMs will be up.

Virtual machine scale sets are created with five fault domains by default in Azure regions with no zones. For the regions that support zonal
deployment of virtual machine scale sets and this option is selected, the default value of the fault domain count is 1 for each of the zones. FD=1 in
this case implies that the VM instances belonging to the scale set will be spread across many racks on a best effort basis.

Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/manage-availability
https://docs.microsoft.com/en-us/learn/modules/build-app-with-scale-sets/2-features-benefits-virtual-machine-scale-sets
https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-automatic-upgrade
upvoted 186 times

  UWSFish 2 months ago

I agree with everyone here saying that answer C will do the job. I wouldn't get hunf up on that. The final line does not say, "which of these
choices will meet the requirements". it says, "What SHOULD you create" (emphasis mine). Which of the options is cleanest, most elegant, way
forward. Clearly A.
upvoted 1 times

  nightfxll 5 days, 21 hours ago

Try making it and you can't. Only 1 update domain can be made if there is 1 fault domain and vice versa.
upvoted 1 times

  garmatey 2 months, 1 week ago

What part of the question indicates if the VMs are identical or discrete?
upvoted 1 times

  morito 3 months ago

"Virtual machine scale sets are created with five fault domains by default in Azure regions" I believe you're speaking of update domains?
upvoted 3 times

  Exilic Most Recent  1 week, 1 day ago

Selected Answer: A
OpenAI

"To ensure that App1 always runs on at least eight virtual machines during planned Azure maintenance, the best option would be:

A. One virtual machine scale set that has 10 virtual machine instances.

By creating a virtual machine scale set with 10 instances, you have the flexibility to easily scale up or down the number of virtual machines based
on the demand and requirements of App1. This allows you to maintain a minimum of eight virtual machines during planned maintenance or if any
of the virtual machines fail. The scale set also provides automatic scaling and load balancing capabilities to distribute the workload efficiently."
upvoted 1 times

  Athul07 1 week, 3 days ago

To ensure that App1 always runs on at least eight virtual machines during planned Azure maintenance, you should create:

A. one virtual machine scale set that has 10 virtual machine instances.

A virtual machine scale set (VMSS) allows you to deploy and manage a set of identical virtual machines that can automatically scale up or down
based on demand. By creating a VMSS with 10 virtual machine instances, you ensure that there are always at least eight instances available even
during planned Azure maintenance events.

With a VMSS, Azure handles the maintenance operations by automatically distributing the updates across the virtual machine instances, ensuring
that a minimum number of instances are always available to serve your application.

Therefore, the correct answer is A. one virtual machine scale set that has 10 virtual machine instances.
upvoted 1 times

  itguyeu 1 month ago

Confusing, but should be C.
"By default, Azure will assign three fault domains and five update domains (which can be increased to a maximum of 20) to the Availability Set.
When spreading your VMs over fault domains, your VMs sit over three different racks in the Azure data center.

What is the default number of update domains for an availability set?

five update domains.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 18/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

When you create an availability set, Azure creates five update domains by default. These update domains are spread across the fault domains in the
availability set.
upvoted 1 times
  quocdunginfo2 1 month, 1 week ago
C is the answer
Keyword here is "at least 8 VMs during Azure maintenance", it should be "Avail Set" and "Update Domain"
VMs in differ update domain will not be reboot at the sametime. In that case, we need at least 9 update domain in order to ensure at least 8 VM
always running, so C is satisfied
upvoted 1 times

  JunetGoyal 1 month, 2 weeks ago

Exact same Q came in my exam on 30 April2023. My Ans A. as 20% goes at mainatnce if part of scaleset
upvoted 2 times

  margotfrpp 1 month, 3 weeks ago

Selected Answer: C
VM have to be on different update domain
upvoted 1 times

  Tinez 2 months, 2 weeks ago

Selected Answer: A
Answer is A.
upvoted 1 times

  JunetGoyal 2 months, 3 weeks ago

Create scale set, put initial count 10 vm, A is right
upvoted 1 times

  liza1234 2 months, 4 weeks ago

Very Correct Answer: D
If you have 3 default FDs and 12 VMs running, then if 1 FD is down, then 4 VMs are down, leaving you with at least 8 more running VM's at any
given time.
At any given time that a planned maintenance happens, you will always have at least 8 running VMs if 1 fault domain is down.
upvoted 1 times

  liza1234 2 months, 4 weeks ago

you can't go below 12 VMs. 12 VMs should be the minimum number if the default fault domain is 3 as that would take down 1/3 of the VMs
when 1 fault domain is down.
upvoted 1 times

  Tyrel 3 months ago

Selected Answer: A
mlantonis has it right, it's A.
upvoted 1 times

  GeeB1 3 months, 1 week ago

C is the one
upvoted 2 times

  Gzt 3 months, 1 week ago

Selected Answer: C
Answer C
upvoted 3 times

  Durden871 3 months, 1 week ago

For those struggling with the near 50/50 split. I myself said, "C"; however, I'm comparing ExamTopics with Udemy and Udemy disagrees with the
answer as well along with an explanation.
upvoted 2 times

  Durden871 3 months, 1 week ago

Explanation
Correct Answer(s):

one virtual machine scale set that has 10 virtual machines instances - A regional (non-zonal) scale set uses placement groups, which act as an
implicit availability set with five fault domains and five update domains. If you have 10 VMs spread across five update domains, the 8 VMs will
be available for any given Azure planned maintenance.

https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-faq#do-scale-sets-work-with-azure-availability-
sets

Wrong Answers:

one Availability Set that has three fault domains and one update domain – We cannot create with one update domain. It should be 2 or more.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 19/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

one Availability Set that has 10 update domains and one fault domain – We cannot create with one fault domain. It should be 2 or more.

one virtual machine scale set that has 12 virtual machines instances – This will create more VMs than required, thus increasing costs.
upvoted 4 times

  Durden871 3 months, 1 week ago

And, to end this debate once and for all. Try actually doing it. You don't even need to create the VM, just start the process. I just did.
"The update domain count must be 1 when fault domain count is 1."
upvoted 4 times

  marcusw526 1 month, 2 weeks ago

Who did you ask at Udemy for the answer? I signed up with udemy but honestly started to feel like the classes were bullshit. I bought a class
that said it was supposed to have labs included so I could get real practice but it ask to pay extra for them and my sponsor refuses to pay so I
decided to come here instead of wasting my time watching videos.
upvoted 1 times

  Doman01 3 months, 2 weeks ago

The correct Answer will be A (can be D if we are not looking on costs), tested it with the portal and when I set FD to 1 I could not change UD to
anything than 1 and got this message shown on screenshit

https://imgur.com/a/x0yyWlk
upvoted 3 times

  Doman01 3 months ago

I am taking back what I said here

There is no correct answer

"during planned Azure maintenance." means UPDATE DOMAIN, when MS says that in documentation or other questions they are alsawys
referring to UPDATE DOMAINS, if it would be "unplanned" it would be about FAULT DOMAINS, Scale Sets have nothing to do with it

C is the best option but is wrong cause when you have 1 FAULT DOMAIN you can have only 1 Update domain (attached screenshot) so:

A, D - WRONG, VMSS have nothing to do with this

B - WRONG, we are talking about planned maintaince which refers to UPDATE DOMAINS

C - BEST ASNWER BUT WRONG - 10 UPDATE DOMAINS would do the work but you cannot create them while having 1 FAULT DOMAIN

https://imgur.com/a/uDFzSnw
upvoted 2 times

  ConanBarb 3 months, 3 weeks ago

Selected Answer: C
Correct answer: C

This was actually one of the more interesting and intriguing question! It really makes you think.

First: Both A and C solve problem of guaranteeing 8 VMs running.

Not B: only one UD here, i.e. all could/will go down during planned host maintenance
Not D: 12 VMs over 5 UDs, means two UDs will have 3 VMs each hence 7 VMs could end up running.

So why C over A?
Well first the question actually says "App1 will be hosted on several Azure virtual machines."
This can be interpreted as several ("discrete") VMs, i.e. a VMAS and not VMSS which run the same VM in several instances.

But mostly C over A due to the fact this scenario is about availability, i.e. creating redundant resources when things go down, and not scalability, i.e.
creating redundant resources for performance reasons.
upvoted 4 times

  Durden871 3 months, 1 week ago

Have you tried this in a lab? I just did and the answer cannot be "C". The answer specifically states "1 fault domain". When you try to set it up in
a lab you get the following error message:
"The update domain count must be 1 when fault domain count is 1."

Thus, the answer is "A."

upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 20/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #15 Topic 4

A. Yes

B. No

Correct Answer: B
Instead: You create an Azure Log Analytics workspace and configure the data settings. You install the Microsoft Monitoring Agent on VM1. You
create an alert in
Azure Monitor and specify the Log Analytics workspace as the source.
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/agents-overview

Community vote distribution

B (100%)

  mlantonis Highly Voted  2 years ago

Correct Answer: B - No

You need to specify Log Analytics as the source for this alert, and not the VM as source for the alert.

1. You create an Azure Log Analytics workspace and configure the data settings.
2. You install the Microsoft Monitoring Agent on VM1.
3. You create an alert in Azure Monitor and specify the Log Analytics workspace as the source.

Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/agents-overview
upvoted 94 times

  Pniaq Highly Voted  2 years, 5 months ago

I can confirm, answer is correct.
upvoted 14 times

  UmbongoDrink Most Recent  4 months ago

Selected Answer: B
Correct Answer: B - No

You need to specify Log Analytics as the source for this alert, and not the VM as source for the alert.

Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/agents-overview
upvoted 1 times

  Ashfaque_9x 4 months, 2 weeks ago

Selected Answer: B
Passed today on 29Jan23 with a score of 970. This question was in the exam.
upvoted 1 times

  Bigc0ck 5 months, 1 week ago

was on my 2n test
upvoted 1 times

  NaoVaz 9 months ago

Selected Answer: B
B) "No"

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 21/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

You need to create a Log Analytics Workspace.

Reference: https://docs.microsoft.com/en-us/azure/azure-monitor/agents/agents-overview#install-the-agent-and-configure-data-collection
upvoted 3 times
  EmnCours 9 months, 2 weeks ago
Selected Answer: B
Correct Answer: B
upvoted 1 times

  Lazylinux 12 months ago

Selected Answer: B
l Luv Honey because it is B... comments as per others
upvoted 2 times

  manalshowaei 1 year ago

Selected Answer: B
B. No B. No
upvoted 1 times

  ajayasa 1 year, 3 months ago

this question was there on 16/03/2022 with same question and passed with 900 percent
upvoted 3 times

  atilla 1 year, 3 months ago

I just test, you cannot create an event subscription for a VM
upvoted 1 times

  anaphm 1 year, 5 months ago

Correct Answer: B - No

You need to specify Log Analytics as the source for this alert, and not the VM as source for the alert.

  ohana 1 year, 8 months ago

Took the exam today on 17 Oct. This question came out. Ans: No
upvoted 3 times

  AubinBakana 1 year, 8 months ago

What's an event subscription? :)
upvoted 3 times

  AubinBakana 1 year, 9 months ago

Haha... They should have kept these questions together.
upvoted 1 times

  mkoprivnj 2 years ago

No is correct!
upvoted 2 times

  nfett 2 years, 1 month ago

per https://docs.microsoft.com/en-us/azure/azure-monitor/platform/agents-overview answer is correct.
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 22/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #16 Topic 4

A. Yes

B. No

Correct Answer: B
You would need to redeploy the VM.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/redeploy-to-new-node

Community vote distribution

B (100%)

  mlantonis Highly Voted  2 years ago

Correct Answer: B - No

Changing Subscription won't affect the downtime, it will just you change the billing. You would need to redeploy the VM. After you redeploy a VM,
the temporary disk is lost, and dynamic IP addresses associated with virtual network interface are updated.

From Overview there is no option to move the VM to another hardware to skip the maintenance.

Ideally you need an Availability Set and defining the Update Domains.

Reference:

https://docs.microsoft.com/en-us/azure/virtual-machines/windows/redeploy-to-new-node
upvoted 98 times

  yangxs 1 year, 5 months ago

I hope MS can automatically move it to another hardware/ do maintenance once the VM is deallocated.
upvoted 2 times

  fedztedz Highly Voted  2 years, 6 months ago

Answer is correct . NO (B)
Changing Subscription won't change any change for the downtime, Just you change the billing
upvoted 29 times

  JunetGoyal Most Recent  2 months, 3 weeks ago

Goto VM> Redeploy: As you redeploy , Vm will be re-pervision to new node, but make sure you save all running apps work before deploying, as
you will loss that!!
upvoted 1 times

  shadad 3 months, 2 weeks ago

I took Exam of Azure- 104 at 27/2/2023
I score 920 points out of 1000 points. This was on it and my answer was: B
there are many version of this showing on the exam. the only right answer is Redeploy.
upvoted 4 times

  JayLearn2022 3 months, 3 weeks ago

There are several version of this question. The following are the valid and invalid solutions that may be presented.

Valid Solution: Meets the Goal

Solution: From the Redeploy blade, you click Redeploy.

Invalid Solutions: Does not Meet the Goal

-Solution: From the Update management blade, you click Enable.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 23/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

-Solution: From the Overview blade, you move the virtual machine to a different subscription.

-Solution: From the Overview blade, you move the virtual machine to a different resource group.
upvoted 1 times
  JayLearn2022 3 months, 4 weeks ago
There are several versions of this question. The Following are the correct and incorrect answers that will be presented.

Correct Answer: Meets the goal.

-Solution: From the Redeploy blade, you click Redeploy.

Incorrect Answers: Does not meet the goal.

-Solution: From the Overview blade, you move the virtual machine to a different subscription.

-Solution: From the Update management blade, you click Enable.

upvoted 1 times

  NaoVaz 9 months ago

Selected Answer: B
B) "No"

Moving a VM between subscriptions does not cause downtime neither changes on the underlying host where the VM is running.

Reference: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/move-vm
upvoted 2 times

  EmnCours 9 months, 2 weeks ago

Selected Answer: B
Correct Answer: B
upvoted 1 times

  Lazylinux 12 months ago

Selected Answer: B
I Luv honey because it is B
Changing Subscription or Resource group won't affect the downtime, it will just you change the billing. You would need to redeploy the VM.
Remember Sun and RG keep the Metadata of the VM and hence irrelevant in this case
upvoted 1 times

  manalshowaei 1 year ago

Selected Answer: B
B. No B. No
upvoted 1 times

  epomatti 1 year, 1 month ago

Selected Answer: B
Moving subscriptions will not have an effect on the hardware.
upvoted 1 times

  pappkarcsiii 1 year, 4 months ago

Selected Answer: B
hanging Subscription won't affect the downtime, it will just you change the billing.
upvoted 1 times

  AubinBakana 1 year, 9 months ago

You redeploy the machine. Azure fundamental question
upvoted 2 times

  mkoprivnj 2 years ago

No is correct!
upvoted 1 times

  mg 2 years, 3 months ago

No! changing the subscription is not the solution you need to redeploy the vm
upvoted 2 times

  ZUMY 2 years, 3 months ago

No is correct :
Can Redeploy
upvoted 2 times

  waterzhong 2 years, 3 months ago

Set-AzVM -Redeploy -ResourceGroupName "myResourceGroup" -Name "myVM"
upvoted 3 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 24/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #17 Topic 4

A. Yes

B. No

Correct Answer: A
When you redeploy a VM, it moves the VM to a new node within the Azure infrastructure and then powers it back on, retaining all your
configuration options and associated resources.
References:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/redeploy-to-new-node

Community vote distribution

A (100%)

  mlantonis Highly Voted  2 years ago

Correct Answer: A - Yes

When you redeploy a VM, it moves the VM to a new node within the Azure infrastructure and then powers it back on, retaining all your
configuration options and associated resources.

Use the Azure portal. Select the VM you wish to redeploy, then select the Redeploy button in the Settings blade. You may need to scroll down to
see the Support and Troubleshooting section that contains the 'Redeploy' button.

Reference:

https://docs.microsoft.com/en-us/azure/virtual-machines/windows/redeploy-to-new-node
upvoted 79 times

  meeko86 6 months ago

Agree answer is A.
From Azure Portal > Virtual Machine > Help > Redeploy + Reapply
Redeploy: Try redeploying your virtual machine, which will migrate it to a new Azure host. If you continue, the virtual machine will be restarted
and you will lose any data on the temporary drive. While the redeployment is in progress, the virtual machine will be unavailable.
upvoted 1 times

  fedztedz Highly Voted  2 years, 6 months ago

Answer Correct. YES (A)
The best solution , it will redeploy in a different location within Azure infrastructure in the same region
upvoted 19 times

  magichappens 1 year, 2 months ago

You mean a different host. Given that "location" is often used for region your answer is confusing.
upvoted 1 times

  Aluksy Most Recent  2 months, 1 week ago

Correct Answer: A - Yes, Came out in my exam today 8th April 2023.
upvoted 1 times

  shadad 3 months, 2 weeks ago

I took Exam of Azure- 104 at 27/2/2023
I score 920 points out of 1000 points. This was on it and my answer was: A
upvoted 2 times

  UmbongoDrink 4 months ago

Selected Answer: A
When you redeploy a VM, it moves the VM to a new node within the Azure infrastructure and then powers it back on, retaining all your
configuration options and associated resources.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 25/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 1 times
  NaoVaz 9 months ago
Selected Answer: A
A) "Yes"

Using the described steps the Vm will be re-deployed and will defnlty change the hosts where it is running.

Reference: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/redeploy-to-new-node
upvoted 1 times

  EmnCours 9 months, 2 weeks ago

Selected Answer: A
Correct Answer: A
upvoted 1 times

  Lazylinux 12 months ago

Selected Answer: A
A is correct
Yep Redeploy the VM will change the Host/Node/Hardware/Hypervisor
upvoted 1 times

  manalshowaei 1 year ago

A. Yes
upvoted 1 times

  epomatti 1 year, 1 month ago

Selected Answer: A
Perhaps "Disaster Recovery" replication would be a better option, but for this question the answer is "A" redeploy
upvoted 1 times

  Pramu 1 year, 2 months ago

Selected Answer: A
Correct Answer
upvoted 1 times

  shyams9977 1 year, 2 months ago

This question is came up today on 3/20/2022
upvoted 2 times

  atilla 1 year, 3 months ago

is it guaranteed that the vm is redeployed to a new node?
upvoted 1 times

  HenriKI2 1 year, 5 months ago

Selected Answer: A
From Azure Portal
Redeploy
Support+Troubleshoot > Redeploy + Reapply
Try redeploying your virtual machine, which will migrate it to a new Azure host. If you continue, the virtual machine will be restarted and you will
lose any data on the temporary drive. While the redeployment is in progress, the virtual machine will be unavailable.Learn more about Redeploy
upvoted 2 times

  anaphm 1 year, 5 months ago

The answer is Yes
upvoted 1 times

  JESUSBB 1 year, 6 months ago

In exam todas 11-DEC-2021.
Ans: A. Yes
upvoted 2 times

  zvasanth2 1 year, 9 months ago

If you have been facing difficulties troubleshooting Remote Desktop (RDP) connection or application access to Windows-based Azure virtual
machine (VM), redeploying the VM may help. When you redeploy a VM, Azure will shut down the VM, move the VM to a new node within the
Azure infrastructure, and then power it back on, retaining all your configuration options and associated resources. This article shows you how to
redeploy a VM using Azure PowerShell or the Azure portal.
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 26/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #18 Topic 4

A. Yes

B. No

Correct Answer: B
You would need to redeploy the VM.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/redeploy-to-new-node

Community vote distribution

B (100%)

  mlantonis Highly Voted  2 years ago

Correct Answer: B - No

You would need to redeploy the VM.

Reference:

https://docs.microsoft.com/en-us/azure/virtual-machines/windows/redeploy-to-new-node
upvoted 39 times

  fedztedz Highly Voted  2 years, 6 months ago

Answer is Correct. NO (B)
upvoted 22 times

  NJTH Most Recent  2 months, 1 week ago

Simular question set was on todays exam.
(7th April 2023)
upvoted 3 times

  UmbongoDrink 4 months ago

Selected Answer: B
You would need to redeploy the VM.
upvoted 2 times

  NaoVaz 9 months ago

Selected Answer: B
B) "No"

This action would not make the Vm be re-deployed in a new host.

Reference: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/redeploy-to-new-node
upvoted 1 times

  EmnCours 9 months, 2 weeks ago

Selected Answer: B
Correct Answer: B
upvoted 1 times

  Lazylinux 12 months ago

Selected Answer: B
I Luv Honey because it is B
You would need to redeploy the VM.
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 27/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  manalshowaei 1 year ago

Selected Answer: B
B. No .
upvoted 1 times

  Pramu 1 year, 2 months ago

Selected Answer: B
Correct Answer
upvoted 1 times

  AubinBakana 1 year, 9 months ago

Redeploying on the portal is very easy but you're using Powershell:

Set-AzVM -ResourceGroup MyResourcesGroup -Name MyVM -redeploy

upvoted 3 times

  mkoprivnj 2 years ago

No is correct!
upvoted 1 times

  nfett 2 years, 1 month ago

previous question answers this one. https://docs.microsoft.com/en-us/azure/virtual-machines/windows/redeploy-to-new-node. No it doesnt
resolve the issue.
upvoted 1 times

  mg 2 years, 3 months ago

Answer is correct - No.
upvoted 1 times

  ZUMY 2 years, 3 months ago

B :Is correct
upvoted 2 times

  toniiv 2 years, 3 months ago

Answer B. is correct. Only way is to re-deploy the VM. https://docs.microsoft.com/en-us/azure/virtual-machines/windows/redeploy-to-new-node
upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 28/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #19 Topic 4

You have an Azure subscription that contains a web app named webapp1.
You need to add a custom domain named www.contoso.com to webapp1.
What should you do first?

A. Create a DNS record

B. Add a connection string

C. Upload a certificate.

D. Stop webapp1.

Correct Answer: A
You can use either a CNAME record or an A record to map a custom DNS name to App Service.
Reference:
https://docs.microsoft.com/en-us/Azure/app-service/app-service-web-tutorial-custom-domain

Community vote distribution

A (100%)

  mlantonis Highly Voted  2 years ago

Correct Answer: A

You can use either a CNAME record or an A record to map a custom DNS name to App Service.
You should use CNAME records for all custom DNS names except root domains (for example, contoso.com). For root domains, use A records.

Reference:

https://docs.microsoft.com/en-us/Azure/app-service/app-service-web-tutorial-custom-domain
upvoted 94 times

  fedztedz Highly Voted  2 years, 6 months ago

Answer is correct. A.
upvoted 49 times

  algokhan Most Recent  3 months, 2 weeks ago

Selected Answer: A
A is correct
upvoted 2 times

  UmbongoDrink 4 months ago

Selected Answer: A
You can use either a CNAME record or an A record to map a custom DNS name to App Service.
upvoted 2 times

  Bigc0ck 5 months, 1 week ago

two tests I havent noticed any DNS questions
upvoted 3 times

  NaoVaz 9 months ago

Selected Answer: A
A) "Create a DNS record"

Reference: https://docs.microsoft.com/en-us/Azure/app-service/app-service-web-tutorial-custom-domain?tabs=a%2Cazurecli#3-create-the-dns-
records
upvoted 3 times

  EmnCours 9 months, 2 weeks ago

Selected Answer: A
Correct Answer: A
upvoted 1 times

  Lazylinux 12 months ago

Selected Answer: A
A is correct
U can use either a CNAME record or an A record to map a custom DNS name to App Service and as per traditional AD DS, always best use
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 29/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

CNAMEs for custom records except the root record

Also as NOTE: dont confuse this app service custom domain with Azure custom domains where the later requires either MX or TXT record
upvoted 5 times

  Vinod_Varma 10 months ago

Is it Worth to purchase Contributor access ?
upvoted 1 times

  manalshowaei 1 year ago

Selected Answer: A
A. Create a DNS record
upvoted 1 times

  techie_11 1 year, 2 months ago

On exam 04/12/2022. A answer correct
upvoted 5 times

  InvisibleShadow 1 year, 3 months ago

This question came in the exam today 8/Mar/2022.
I passed the exam, 95% questions came from here.
upvoted 4 times

  josevirtual 1 year, 3 months ago

Selected Answer: A
A is the correct answer.
upvoted 1 times

  nidhogg 1 year, 4 months ago

On the exam today, 1.feb.2022
Just 761/1000, but OK! :D
Thanks to ExamTopics and to you all!
upvoted 6 times

  AMT23 1 year, 6 months ago

Correct link: https://docs.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-custom-domain?tabs=cname
upvoted 1 times

  JESUSBB 1 year, 6 months ago

In exam today 11-DEC-2021.
Ans: A. Create a DNS record
upvoted 2 times

  im82 1 year, 6 months ago

Was on exam today 19.11.2021. Passed with 920.
Correct answer: A
upvoted 3 times

  [Removed] 1 year, 6 months ago

Was on my exam 15/11/2021
upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 30/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #20 Topic 4

VM1 connects to VNET1.

You need to connect VM1 to VNET2.
Solution: You move VM1 to RG2, and then you add a new network interface to VM1.
Does this meet the goal?

A. Yes

B. No

Correct Answer: B
Instead you should delete VM1. You recreate VM1, and then you add the network interface for VM1.
Note: When you create an Azure virtual machine (VM), you must create a virtual network (VNet) or use an existing VNet. You can change the
subnet a VM is connected to after it's created, but you cannot change the VNet.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/network-overview

Community vote distribution

B (100%)

  mlantonis Highly Voted  2 years ago

Correct Answer: B - No

Instead, you should delete VM1. Then recreate VM1 and add the network interface for VM1.

To migrate a VM from a VNET to another VNET. The only option is to delete the VM and redeploy it using a new NIC and NIC connected to VNET2.

Note: When you create an Azure Virtual Machine (VM), you must create a Virtual Network (VNet) or use an existing VNet. You can change the
subnet a VM is connected to after it's created, but you cannot change the VNet. You can also change the size of a VM.

Reference:

https://docs.microsoft.com/en-us/azure/virtual-machines/windows/network-overview
upvoted 79 times

  Narendragpt 1 year, 5 months ago

Questions Says Need to connect VM1 to VNET2 ......not saying to Move it . SO which answer is correct
upvoted 1 times

  mung 7 months ago

You are right, but the only way to connect VM1 to VNET2 is to delete VM1 and recreate it on RG2 and connect to VNET2.

Changing VNET is not an easy task once VM is deployed and running.

upvoted 1 times

  waterzhong Highly Voted  2 years, 5 months ago

If you create a VM and later want to migrate it into a VNet, it is not a simple configuration change. You must redeploy the VM into the VNet. The
easiest way to redeploy is to delete the VM, but not any disks attached to it, and then re-create the VM using the original disks in the VNet.
upvoted 58 times

  Andreas_Czech Most Recent  1 week, 1 day ago

Selected Answer: B

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 31/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

tested in LAB (2023-06-06)

created all Resources, moved VM1 to RG2, created a NetInterface in RG2.
tried to connect it to VM1 -> grayed out -> must be NO
upvoted 1 times
  obaali1990 3 months ago
Selected Answer: B
The answer is NO
upvoted 1 times

  UmbongoDrink 4 months ago

Selected Answer: B
Instead you should delete VM1. You recreate VM1, and then you add the network interface for VM1.
upvoted 1 times

  NaoVaz 9 months ago

Selected Answer: B
B) "No"

The only way to change the VNET from a VM is by re-creating the VM in the desired VNET.

Reference: https://docs.microsoft.com/en-us/answers/questions/130410/how-to-change-the-vnet-of-a-vm.html
upvoted 3 times

  EmnCours 9 months, 2 weeks ago

Selected Answer: B
Correct Answer: B
upvoted 1 times

  Lazylinux 12 months ago

Selected Answer: B
i Luv Honey because it is B
Remember this: Network interface ****(VM <--> VNET <---> NIC. All the three resources MUST be in the same location)***, so Before creating a
network interface, you must have an existing virtual network in the same location and subscription you create a network interface in.
upvoted 6 times

  manalshowaei 1 year ago

Selected Answer: B
B. No <
upvoted 1 times

  DrJoness 1 year, 2 months ago

Question appeared in exam today, April 7 2022
upvoted 2 times

  ajayasa 1 year, 3 months ago

this question was there on 16/03/2022 with same question and passed with 900 percent
upvoted 1 times

  Bere 1 year, 6 months ago

The solution says:
You delete VM1. You recreate VM1, and then you create a new network interface for VM1 and connect it to VNET2.

The right answer would be:

You delete VM1. You copy the disk from West US region to East Asia region. You recreate VM1 from the disk you have copied, and then you can
connect VM1 to VNET2.
upvoted 3 times

  Gumer 1 year, 7 months ago

I failed yesterday exam scored 697 and got this series of questions
upvoted 6 times

  sachin007 1 year, 6 months ago

So close , give it another shot .Sure pass all the best
upvoted 4 times

  orion1024 1 year, 8 months ago

It says "you need to connect" not "you need to move".
So setting up the VM as multihomed should be a valid answer, hence answer A ?

Besides, it seems possible to change the primary vNIC of a VM after deployment, so I'm not getting this whole "need to delete VM to change
VNET" thing. What am I missing ?
upvoted 1 times

  orion1024 1 year, 8 months ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 32/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

I found what I was missing, I mixed up VNIC and VNET. You can add multiple vNIC but they all belong to the VNET assigned to the VM at
creation, which can't be changed.
upvoted 4 times

  Kamex009 1 year, 9 months ago

This question was asked on exam taken on 08/22/2021
upvoted 4 times

  Shiven12 1 year, 11 months ago

This question came in the exam on 28/6/2021 - Passed the exam
upvoted 7 times

  mkoprivnj 2 years ago

No is correct!
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 33/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #21 Topic 4

VM1 connects to VNET1.

You need to connect VM1 to VNET2.
Solution: You delete VM1. You recreate VM1, and then you create a new network interface for VM1 and connect it to VNET2.
Does this meet the goal?

A. Yes

B. No

Correct Answer: A
You should delete VM1. You recreate VM1, and then you add the network interface for VM1.
Note: When you create an Azure virtual machine (VM), you must create a virtual network (VNet) or use an existing VNet. You can change the
subnet a VM is connected to after it's created, but you cannot change the VNet.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/network-overview

Community vote distribution

A (100%)

  mlantonis Highly Voted  2 years ago

Correct Answer: A - Yes

You should delete VM1. Then recreate VM1 and add the network interface for VM1.

To migrate a VM from a VNET to another VNET. The only option is to delete the VM and redeploy it using a new NIC and NIC connected to VNET2.

Reference:

https://docs.microsoft.com/en-us/azure/virtual-machines/windows/network-overview
upvoted 61 times

  panileka 1 year, 9 months ago

VNET1 and VNET2 are in two different regions.. I am not sure we can connect a VM to these two networks.
upvoted 3 times

  ShivaUdari 1 year, 5 months ago

We should move the OSdisk to destination region and then creating new VM will work.
upvoted 4 times

  fedztedz Highly Voted  2 years, 6 months ago

Answer is correct. YES (A). To migrate a VM from a VNET to another VNET. The only option is to delete the VM and redeploy it using a new NIC and
NIC connected to VNET2
upvoted 37 times

  UmbongoDrink Most Recent  4 months ago

Selected Answer: A

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 34/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

You should delete VM1. Then recreate VM1 and add the network interface for VM1.
upvoted 1 times
  NaoVaz 9 months ago
Selected Answer: A
A) "Yes"

The only way to change the VNET from a VM is by re-creating the VM in the desired VNET.

Reference: https://docs.microsoft.com/en-us/answers/questions/130410/how-to-change-the-vnet-of-a-vm.html
upvoted 1 times

  Mev4953 9 months ago

Redeployment :)
upvoted 1 times

  EmnCours 9 months, 2 weeks ago

Selected Answer: A
Correct Answer: A
upvoted 1 times

  Lazylinux 12 months ago

Selected Answer: A
Yep A is correct
upvoted 1 times

  manalshowaei 1 year ago

Selected Answer: A
A. Yes
upvoted 1 times

  techie_11 1 year, 2 months ago

On exam 04/12/2022. Answer correct A
upvoted 4 times

  ajayasa 1 year, 3 months ago

this question was there on 16/03/2022 with same question and passed with 900 percent
upvoted 4 times

  benvdw 1 year, 3 months ago

on exam 13/3/2022
upvoted 3 times

  josevirtual 1 year, 3 months ago

Selected Answer: A
YES - Answer is correct
upvoted 1 times

  InvisibleShadow 1 year, 3 months ago

This question came in the exam today 8/Mar/2022.
I passed the exam, 95% questions came from here.
upvoted 2 times

  Spandrop 1 year, 11 months ago

You delete and recreate, fine. But the question says: you delete and recreate, and then you connect ...... recreate where?! Same RG? Different one? ...
I think that the question is not clear, but the overall idea is if you have to move a VM, delete and recreate it.
upvoted 6 times

  dumz 1 year, 8 months ago

Yes, I have same concern as yours.
We should re-creare VM1 in same region as VNET2.
upvoted 2 times

  ranajoy97 1 year, 11 months ago

The correct answer is NO. In order to attach a VM to a VNET the VM and the VNET needs to be in the same zone. As VNET2 is in a separate zone it
won't work
upvoted 3 times

  Ahmed_Root 1 year, 2 months ago

I agree with you, I don't understand why all people here vote for YES !!!
upvoted 1 times

  Shiven12 1 year, 11 months ago

This question came in the exam on 28/6/2021 - Passed the exam

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 35/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 1 times
  RBV 2 years, 2 months ago
Is it possible to create a VM without a network interface?
I am pretty sure that you cannot create a VNIC without a VNET.
So, if you have recreated the VM the question is: Where did you create it? VNET1 ou VNET2?
upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 36/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #22 Topic 4

VM1 connects to VNET1.

You need to connect VM1 to VNET2.
Solution: You turn off VM1, and then you add a new network interface to VM1.
Does this meet the goal?

A. Yes

B. No

Community vote distribution

B (100%)

  mlantonis Highly Voted  2 years ago

Correct Answer: B - No

Instead, you should delete VM1. Then recreate VM1 and add the network interface for VM1.

To migrate a VM from a VNET to another VNET. The only option is to delete the VM and redeploy it using a new NIC and NIC connected to VNET2.

Reference:

https://docs.microsoft.com/en-us/azure/virtual-machines/windows/network-overview
upvoted 33 times

  klasbeatz 11 months, 3 weeks ago

Question...If you didn't want to worry about loosing content of the VM in the OS could you just re-attach the disk to the new VM after you
create it in the new desired VNET?
upvoted 1 times

  fedztedz Highly Voted  2 years, 6 months ago

The answer is correct . NO (B).
Even if you added a new network interface, this interface will be connected to the same VNET1.
upvoted 25 times

  Hibs2016 2 years, 6 months ago

Correct specified in the constraints page at the bottom of this link: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-
network-interface-vm
"You can connect network interfaces in the same VM to different subnets within a virtual network. However, the network interfaces must all be
connected to the same virtual network."

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 37/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 6 times
  panileka 1 year, 9 months ago
i am not sure if we can connect a VM to two networks that are not in the same region..
upvoted 1 times

  Kai_123 Most Recent  1 month, 3 weeks ago

Correct Answer: B- No
upvoted 1 times

  UmbongoDrink 4 months ago

Selected Answer: B
Instead you should delete VM1. You recreate VM1, and then you add the network interface for VM1.
upvoted 1 times

  NaoVaz 9 months ago

Selected Answer: B
B) "No"

The only way to change the VNET from a VM is by re-creating the VM in the desired VNET.

Reference: https://docs.microsoft.com/en-us/answers/questions/130410/how-to-change-the-vnet-of-a-vm.html
upvoted 1 times

  EmnCours 9 months, 2 weeks ago

Selected Answer: B
Correct Answer: B
upvoted 1 times

  Lazylinux 12 months ago

Selected Answer: B
I Luv Honey Because it is B
add new interface- dual homed VM maybe different subnets but still SAME VNET hence no way..Just delete VM and maintain the HD, create new
one in other region attach the HD and then create new NIC
upvoted 1 times

  klasbeatz 11 months, 3 weeks ago

So you can still attach the drive from the original VM to the new one right? So have the same content?
upvoted 1 times

  manalshowaei 1 year ago

Selected Answer: B
B. No <
upvoted 1 times

  dasEnder 1 year, 1 month ago

Selected Answer: B
Correct answer. NO.
upvoted 2 times

  techie_11 1 year, 2 months ago

On exam 4/12/2022. B correct answer
upvoted 2 times

  ajayasa 1 year, 3 months ago

this question was there on 16/03/2022 with same question and passed with 900 percent
upvoted 3 times

  Bere 1 year, 6 months ago

The solution says:
You delete VM1. You recreate VM1, and then you create a new network interface for VM1 and connect it to VNET2.

The right answer would be:

You delete VM1. You copy the disk from West US region to East Asia region. You recreate VM1 from the disk you have copied, and then you can
connect VM1 to VNET2.
upvoted 1 times

  joydeep1 1 year, 12 months ago

Correct. answered B. In exam today
upvoted 2 times

  ZUMY 2 years, 3 months ago

No is the answer : Can't attach a Network in a different Vnet ( Attach NIC option will not suggest)
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 38/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  toniiv 2 years, 3 months ago

Answer B. is correct. For two reasons: A VM cannot be connected to two different VNets, and second reason is VM cannot connect to a Vnet in
different region.
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 39/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #23 Topic 4

HOTSPOT -
You have an Azure subscription named Subscription1 that contains the quotas shown in the following table.

You deploy virtual machines to Subscription1 as shown in the following table.

You plan to deploy the virtual machines shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

The total regional vCPUs is 20 so that means a maximum total of 20 vCPUs across all the different VM sizes. The deallocated VM with 16
vCPUs counts towards the total. VM20 and VM1 are using 18 of the maximum 20 vCPUs leaving only two vCPUs available.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/quotas

  mlantonis Highly Voted  2 years ago

Correct Answer:

Total regional vCPUs = 20

2 vCPUs (VM1) + 16 vCPUs (VM20) = 18 vCPUs, which means that only 2 vCPUs left to exceed usage limit.

Box 1: Yes
We can add 1 vCPU. 2 vCPUs (VM1) + 16 vCPUs (VM20) + 1 vCPU (VM3) = 19 vCPUs
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 40/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Box 2: No
We cannot add 4 vCPUs. 2 vCPUs (VM1) + 16 vCPUs (VM20) + 4 vCPU (VM4) = 22 vCPUs

Box 3: No
We cannot add 16 vCPU. 2 vCPUs (VM1) + 16 vCPUs (VM20) + 16 vCPU (VM5) = 34 vCPUs

Reference:

https://docs.microsoft.com/en-us/azure/virtual-machines/windows/quota
upvoted 155 times
  fedztedz Highly Voted  2 years, 6 months ago
Correct YES NO NO
The deallocated VM are still using and reserving the used 16 vCPU + 2 vCPU ,so in total we only have 2 vCPU available in the region
upvoted 131 times

  656823 1 month, 2 weeks ago

Thank you! Was about to ask this.
upvoted 1 times

  walexkino 2 years, 1 month ago

it makes sense.. Thanks
upvoted 12 times

  SIAMIANJI Most Recent  2 weeks, 6 days ago

It is Yes, Yes, No.
VM4 is a D family and there is not any other D family before deploying VM4 and we have 20 quota. So the answer for VM4 is "YES"
upvoted 1 times

  xRiot007 1 week, 1 day ago

The 20 limit of vCPUs contains all categories. The table makes it confusing and gives the impression we have 20 for each, but it's 20 in total.
upvoted 1 times

  rmsdg 6 months, 2 weeks ago

Quota is calculated based on the total number of cores in use both allocated and deallocated. If you need additional cores, request a quota
increase or delete VMs that are no longer needed.
upvoted 1 times

  Backy 7 months, 3 weeks ago

B2ms has 2 vCPUs and not 1 as the table says
upvoted 2 times

  ZakySama 7 months, 3 weeks ago

Thank you...
upvoted 1 times

  NaoVaz 9 months ago

1) You can deploy VM3 to West US: "Yes"
2) You can deploy VM4 to West US: "No"
3) You can deploy VM5 to West US: "No"

Explanation:
Even though the VM2 is in a Stopped (Deallocated) Status and we do not get charged for the CPU\RAM resources, the quota will not have the
resources available to be consumed by other VM's.
Since the quota specifies a maximum of 20 Total regional vCPU's, we currently have 18 reserved by VM1 and VM2, so we can just deploy VM3. VM4
and VM5 surpass our budget.
upvoted 5 times

  EmnCours 9 months, 2 weeks ago

Correct YES NO NO
The total regional vCPUs is 20 so that means a maximum total of 20 vCPUs across all the different VM sizes. The deallocated VM with 16 vCPUs
counts towards the total. VM20 and VM1 are using 18 of the maximum 20 vCPUs leaving only two vCPUs available.
upvoted 4 times

  HorseradishWalrus 9 months, 3 weeks ago

Why is the total regional vCPUs quota set to 20? I only found: https://docs.microsoft.com/en-us/azure/azure-resource-
manager/management/azure-subscription-service-limits
But this is "Classic deployment model limits"
upvoted 1 times

  somshivam 11 months, 2 weeks ago

Main point to note is deallocated VM are still counted and the other details of location and
upvoted 2 times

  Lazylinux 12 months ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 41/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

YNN and hence answer is correct and explanation is correct

upvoted 1 times

  manalshowaei 1 year ago

yes No No
upvoted 1 times

  malcubierre 1 year ago

New link: https://docs.microsoft.com/en-us/azure/azure-portal/supportability/per-vm-quota-requests
upvoted 1 times

  Lazylinux 1 year ago

Answer is correct YNN - see below link of MS
The vCPU quotas for virtual machines and virtual machine scale sets are arranged in two tiers for each subscription, in each region. The first tier is
the Total Regional vCPUs, and the second tier is the various VM size family cores such as the D-series vCPUs. Any time a new VM is deployed the
vCPUs for the VM must not exceed the vCPU quota for the VM size family or the total regional vCPU quota. If either of those quotas are exceeded,
the VM deployment will not be allowed. There is also a quota for the overall number of virtual machines in the region.
Note:
Quota is calculated based on the total number of cores in use both allocated and deallocated. If you need additional cores, request a quota
increase or delete VMs that are no longer needed.
upvoted 3 times

  Lazylinux 1 year ago

link is here
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/quotas
upvoted 3 times

  michaelmorar 1 year, 1 month ago

Ah, so deallocated VMs count against the quota. Got it!
upvoted 3 times

  Dobby25 1 year, 2 months ago

Received this on my exam today 19/03/2022
upvoted 1 times

  cashey 1 year, 5 months ago

yes no no quick maths
upvoted 5 times

  hanyahmed 1 year, 5 months ago

YES
NO
NO
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 42/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #24 Topic 4

HOTSPOT -
You have an Azure subscription that contains an Azure Availability Set named WEBPROD-AS-USE2 as shown in the following exhibit.

You add 14 virtual machines to WEBPROD-AS-USE2.

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
NOTE: Each correct selection is worth one point.
Hot Area:

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 43/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Correct Answer:

Box 1: 2 -
There are 10 update domains. The 14 VMs are shared across the 10 update domains so four update domains will have two VMs and six update
domains will have one VM. Only one update domain is rebooted at a time. Therefore, a maximum of two VMs will be offline.

Box 2: 7 -
There are 2 fault domains. The 14 VMs are shared across the 2 fault domains, so 7 VMs in each fault domain. A rack failure will affect one fault
domain so 7 VMs will be offline.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/manage-availability

  mlantonis Highly Voted  2 years ago

Correct Answer:

Box 1: 2
There are 10 update domains. The 14 VMs are shared across the 10 update domains, so 4 update domains will have 2 VMs and 6 update domains
will have 1 VM. Only one update domain is rebooted at a time.

D1 D2 D3 D4 D5 D6 D7 D8 D9 D10
vm1 vm2 vm3 vm4 vm5 vm6 vm7 vm8 vm9 vm10
vm11 vm12 vm13 vm14

Maximum Down = 2
Minimum Down = 1
Box 2: 7
There are 2 fault domains. The 14 VMs are shared across the 2 fault domains, so 7 VMs in each fault domain. A rack failure will affect one fault
domain so 7 VMs will be offline.
14 VM in 2 Fault Domain

Rack 1 Rack 2
vm1 vm8
vm2 vm9
vm3 vm10
vm4 vm11
vm5 vm12
vm6 vm13
vm7 vm14

Maximum Down = 7
Minimum Down = 7
upvoted 465 times

  JohnnyChimpo 4 months, 3 weeks ago

You are a legend brother. I read their god damn documentation over and over and could not get it through my thick head. Thank you so very
much for your well explained, throughout and concise answers all over this course.
upvoted 20 times

  potasio101 4 days, 4 hours ago

Same or me I always look his explanation
upvoted 1 times

  studysmart 3 months, 3 weeks ago

Thanks. This explanation makes more sense.
upvoted 3 times

  SumanSaurabh 6 months, 1 week ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 44/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Superb
upvoted 3 times

  rupayan87 7 months ago

and how exactly are we ensuring there are 7 VMs in each FD with 10 UDs in all.
upvoted 2 times

  ZUMY Highly Voted  2 years, 3 months ago

Box 2: 7 -
There are 2 fault domains. The 14 VMs are shared across the 2 fault domains, so 7 VMs in each fault domain. A rack failure will affect one fault
domain so 7 VMs will be offline.
upvoted 55 times

  fimbulvetrk Most Recent  1 month, 4 weeks ago

i just gave up to understand this question/topic so I just hope this questions doesn't appear to me
upvoted 3 times

  Bigc0ck 5 months, 1 week ago

I remember this might be on my 2nd test
upvoted 1 times

  NaoVaz 9 months ago

1) "2"
2) "7"

Explanation:
We have 14 VM's and 10 Update Domains. this means that 6 VM's will each be in its isolated Update Domain and 8 VM's will share a Update
Domain with another VM.

UpdateDomain1: 2 VM's
UpdateDomain2: 2 VM's
UpdateDomain3: 2 VM's
UpdateDomain4: 2 VM's
UpdateDomain5: 1 VM's
UpdateDomain6: 1 VM's
UpdateDomain7: 1 VM's
UpdateDomain8: 1 VM's
UpdateDomain9: 1 VM's
UpdateDomain10: 1 VM's

This means that when a scheduled update occurs at maximum 2 VM's will be down.

We also have 2 Fault Domains, which means that each Fault Domain will have 7 VM's inside. When a disaster occurs, at most 7 VM's will be
impacted.
upvoted 18 times

  EmnCours 9 months, 2 weeks ago

  bassemmkh 10 months, 2 weeks ago

I didn't have a clear idea about update domains until I found Saravana12g' Comment, thank you :

UD1=VM1 and VM11

UD2=VM2 and VM12
UD3=VM3 and VM13
UD4=VM4 and VM14
UD5=VM5
UD6=VM6
UD7=VM7
UD8=VM8
UD9=VM9
UD10=VM10
4 UD's are having 2 VM's each
6 UD's are having 1 VM's each
=> Only one update domain is rebooted at a time. Therefore, a maximum of two VMs will be offline and a minimum of 1 VM will be offline.
upvoted 22 times

  obaali1990 2 months, 3 weeks ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 45/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Sure, this is cleaeeeer!!!!!!!

upvoted 1 times

  Jemo21 9 months, 2 weeks ago

Clear when you put it this way... Thanks buddy
upvoted 3 times

  Lazylinux 12 months ago

Yep answer is correct and explanation is correct - 2 and 7
upvoted 3 times

  manalshowaei 1 year ago

  Lazylinux 1 year ago

Answer is correct 2 and 7 and explanation as per mlantonis (no need for me to reinvent the wheel)
upvoted 1 times

  examsir 1 year ago

how about the 14 VMs are shared across the 10 update domain as below, then max down is 3
UD1=VM1 and VM11 and VM12
UD2=VM2 and VM13 and VM14
UD3=VM3
UD4=VM4
UD5=VM5
UD6=VM6
UD7=VM7
UD8=VM8
UD9=VM9
UD10=VM10
upvoted 1 times

  Dobby25 1 year, 2 months ago

Received this on my exam today 19/03/2022
upvoted 1 times

  marco_aimi 1 year, 5 months ago

#UPDATE DOMAIN (nr°10) & 14 VM
UD1 : VM1 & VM11
UD2 : VM2 & VM12
UD3 : VM3 & VM13
UD4 : VM4 & VM14
UD5 : VM5
UD6 : VM6
UD7 : VM7
UD8 : VM8
UD9 : VM9
UD10: VM10

Only one update domain is rebooted at a time.

so a maximum 2 VMs will be offline.
so a minimum 1 VMs will be offline.

#FAULT DOMAIN (nr°2) & 14 VM

Rack A Rack B
VM1 VM8
VM2 VM9
VM3 VM10
VM4 VM11
VM5 VM12
VM6 VM13
VM7 VM14

Fault RACK A: 14 VM -7VM OFF = 7 VM UP

Fault RACK B: 14 VM -7VM OFF = 7 VM UP

Maximum VM Down = 7
Minimum VM Down = 7
upvoted 23 times
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 46/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  mikextreme 1 year, 1 month ago

Best Explain
upvoted 3 times

  ScoutP 1 year, 8 months ago

This question was asked on exam taken on Sept 30, 2021
upvoted 5 times

  AubinBakana 1 year, 8 months ago

Rack 1 Rack 2
VM1 VM21 ---> UD1
VM2 VM22 ---> UD2
VM3 VM23 ---> UD3
VM4 VM24 ---> UD4
VM5 VM25 ---> UD5
VM6 VM26 ---> UD6
VM7 VM27 ---> UD7

During a routine maintenance the number of machines to go down: 2

If there's a fault, a rack goes down: 7 machines will remain
upvoted 4 times

  Invisired 1 year, 7 months ago

Nice example.
upvoted 2 times

  novac1111 1 year, 7 months ago

unfortunately your distribution for Update domains is wrong, check this: https://docs.microsoft.com/en-us/azure/virtual-machines/availability-
set-overview
upvoted 1 times

  Altera2k 1 year, 8 months ago

In exam 09/20/2021
upvoted 3 times

  udhdhhxhdhd 1 year, 9 months ago

Shouldn't the answer of the 2nd question be 9? As 7 vm's are down and a maximum of 2 vm's are updating making them also unavailable?
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 47/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #25 Topic 4

You deploy an Azure Kubernetes Service (AKS) cluster named Cluster1 that uses the IP addresses shown in the following table.

You need to provide internet users with access to the applications that run in Cluster1.
Which IP address should you include in the DNS record for Cluster1?

A. 131.107.2.1

B. 10.0.10.11

C. 172.17.7.1

D. 192.168.10.2

Correct Answer: A

Community vote distribution

A (100%)

  fedztedz Highly Voted  2 years, 6 months ago

Correct Answer. (A).
To be able to access applications on kubernetes , you need a application Load Balancer created by Azure which have public ip.
upvoted 124 times

  Holydud 9 months, 4 weeks ago

Was on exam 19 Aug 2022. Scored 870. Around 85% questions were also on ET. Answered A
upvoted 12 times

  juniorccs 1 year, 5 months ago

thanks for this
upvoted 2 times

  Zonci 1 year ago

youre my idol
upvoted 5 times

  vikki 2 years, 4 months ago

Appreciate! Help a lots.
upvoted 8 times

  mlantonis Highly Voted  2 years ago

Correct Answer: A

To be able to access applications on Kubernetes, you need an application Load Balancer created by Azure which have public IP.

Note: 10.X.X.X range is private.

Reference:

https://docs.microsoft.com/en-us/azure/aks/load-balancer-standard
upvoted 83 times

  prbandeira 6 months, 3 weeks ago

and 192.168... and 172.00 is private too,
RFC1918 Subnets
The RFC1918 address space includes the following networks:

10.0.0.0 – 10.255.255.255 (10/8 prefix)

172.16.0.0 – 172.31.255.255 (172.16/12 prefix)
192.168.0.0 – 192.168.255.255 (192.168/16 prefix)
upvoted 3 times

  JoeRogersHi 1 year, 12 months ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 48/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Plus, that’s what “front end” means.

upvoted 4 times

  shadad Most Recent  3 months, 2 weeks ago

I took Exam of Azure- 104 at 27/2/2023
I score 920 points out of 1000 points. This was on it and my answer was: A
upvoted 1 times

  UmbongoDrink 4 months ago

Selected Answer: A
To be able to access applications on Kubernetes, you need an application Load Balancer created by Azure which have public IP.
upvoted 1 times

  cnduknthm 7 months, 1 week ago

Selected Answer: A
To be able to access applications on kubernetes , you need a application Load Balancer created by Azure which have public ip.
upvoted 1 times

  NaoVaz 9 months ago

Selected Answer: A
A) " 131.107.2.1"

In Kubernetes when we expose apps we either expose them though Ingress using a single front-end loadbalancer IP, or we expose them using
Services like NodePort or LoadBalancer.

Based on the provided scenario we should map the DNS entry to the Load Balancer Front End Ip and expose applications using Ingress.
upvoted 3 times

  EmnCours 9 months, 2 weeks ago

Selected Answer: A
Correct Answer: A
upvoted 1 times

  Socca 10 months, 1 week ago

A is correct you need a proxy that is in the same time a load balancer such as nginix and haproxy the externel users from internet uses the public ip
adress of the proxy to access internal applications and the proxy knows the internals adresses and convert the ip packet and send them to the
destination.
upvoted 2 times

  GowthamNara 10 months, 3 weeks ago

Selected Answer: A
ddsfsfsd
upvoted 2 times

  Lazylinux 12 months ago

Selected Answer: A
A is correct
upvoted 1 times

  manalshowaei 1 year ago

Selected Answer: A
A. 131.107.2.1
upvoted 1 times

  Lazylinux 1 year ago

Selected Answer: A
A is correct... For me when It says Internet users/Access and I see load balancer with front IP that's mean it's the public IP and hence is the answer
but also the Cluster IP can be considered if public LD was not there
upvoted 2 times

  Ephert 1 year ago

This is the easiest of all if one is well versed with networking. Internet users will definitely require a public IP address to access the app and there is
only one public IP in the provided answers.
upvoted 1 times

  LHNing2 1 year, 4 months ago

Selected Answer: A
aaaaaaaaaaaaaaa
upvoted 3 times

  prince89 1 year, 5 months ago

Selected Answer: A
Correct Answer : A
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 49/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 2 times
  Microgen 1 year, 7 months ago
finally I answered correctly
upvoted 4 times

  Gumer 1 year, 7 months ago

Got this question in yesterday exam, failed by the way
upvoted 4 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 50/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #26 Topic 4

You have a deployment template named Template1 that is used to deploy 10 Azure web apps.
You need to identify what to deploy before you deploy Template1. The solution must minimize Azure costs.
What should you identify?

A. five Azure Application Gateways

B. one App Service plan

C. 10 App Service plans

D. one Azure Traffic Manager

E. one Azure Application Gateway

Correct Answer: B
You create Azure web apps in an App Service plan.
Reference:
https://docs.microsoft.com/en-us/azure/app-service/overview-hosting-plans

Community vote distribution

B (100%)

  mlantonis Highly Voted  2 years ago

Correct Answer: B

Creating one App Service Plan, you can support up to 10 Web Apps. Adding any of the other resources are pointless and not noted as a
requirement.

Reference:

https://docs.microsoft.com/en-us/azure/app-service/overview-hosting-plans
upvoted 121 times

  Shadoken 11 months ago

Yes, the correct is B. But i read in skillpipe that in an App Service plan:
Free: up 10
Shared: up 100
The rest plans unlimited web apps
upvoted 3 times

  Borowik9 10 months, 3 weeks ago

Looks like the number changed: It now ranges from 8 to 64: https://docs.microsoft.com/en-us/azure/app-service/overview-hosting-
plans#should-i-put-an-app-in-a-new-plan-or-an-existing-plan
upvoted 5 times

  MothePro 2 months, 2 weeks ago

Soo.. now we need TWO App Service plan? ... *16 max apps..
upvoted 1 times

  OmegaGeneral Highly Voted  2 years, 10 months ago

Correct: you only need a single App service plan, as your web apps will share the service plans resource availability.
Adding any of the other resources are pointless and not noted as a requirement.
upvoted 63 times

  gauravit43 Most Recent  3 months, 1 week ago

I passed exam on 4th March,2023 and this question appeared in the exam. Correct answer is B
upvoted 2 times

  UmbongoDrink 4 months ago

Selected Answer: B
You create Azure web apps in an App Service plan.
upvoted 1 times

  NaoVaz 9 months ago

Selected Answer: B
B) "one App Service Plan"

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 51/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

One App Service Plan can a lot of Web Apps based on the SKU chosen: https://docs.microsoft.com/en-us/azure/app-service/overview-hosting-
plans#should-i-put-an-app-in-a-new-plan-or-an-existing-plan
upvoted 4 times
  libran 9 months, 2 weeks ago
Selected Answer: B
Correct Answer: B
upvoted 1 times

  EmnCours 9 months, 2 weeks ago

Selected Answer: B
Correct Answer: B
upvoted 1 times

  JacquesV 10 months, 1 week ago

In exam on 10Aug2022
upvoted 4 times

  Lazylinux 12 months ago

Selected Answer: B
I Luv Honey Because it is B
Creating one App Service Plan should be your first priority and what type of Plan i.e. Basic, STD, premium, Isolated will depends on needs and once
done then you can support up to 10 Web Apps.
upvoted 3 times

  manalshowaei 1 year ago

Selected Answer: B
B. one App Service plan
upvoted 1 times

  shash_ank 1 year ago

Seeing all the jerky questions Microsoft asks, these types of questions bring surprise and joy lol!
upvoted 2 times

  dasEnder 1 year, 1 month ago

Selected Answer: B
Correct answer
upvoted 1 times

  benvdw 1 year, 3 months ago

on exam 13/3/2022
upvoted 5 times

  [Removed] 1 year, 6 months ago

Correct. One App Service plan as long as they can run on the same OS as eachother. This isn't specified in the question so we could assume it. It
would need to be a Standard plan which will allow for up to 10 instances.
upvoted 3 times

  JESUSBB 1 year, 6 months ago

In the exam today 11-DEC-2021.
Ans: B. one App Service plan
upvoted 8 times

  [Removed] 1 year, 6 months ago

Was in exam 15/11/2021
upvoted 6 times

  maziokey 1 year, 9 months ago

correct answer: B
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 52/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #27 Topic 4

HOTSPOT -
You plan to deploy an Azure container instance by using the following Azure Resource Manager template.

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the template.
NOTE: Each correct selection is worth one point.
Hot Area:

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 53/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Correct Answer:

  olsenOnS Highly Voted  1 year, 6 months ago

Correct.

Can connect from any dev.

Will restart autom.

upvoted 42 times

  NaoVaz Highly Voted  9 months ago

1) Internet users "can connect to the container from any device"
2) If Internet Information Services (IIS) in the container fails, "the container will restart automatically".

Explanation:
No Access restrictions are specified.
The "restartPolicy" is set as "OnFailure".
upvoted 32 times

  ZakySama 7 months, 3 weeks ago

Thank you. why we have Ostype: Windows ?
upvoted 6 times

  xRiot007 2 weeks ago

That is the OS of the container. The client can have any OS. Communication is done over the network through port 80
upvoted 1 times

  rqFamily 6 months, 1 week ago

because the os type is windows, if you create Linux container then the os type will be Linux
upvoted 11 times

  JunetGoyal Most Recent  1 month, 2 weeks ago

Whoever got confuse with windows os in template, please note:
That defines the Node OS where containers are deployed.
In real world example: Like we have whts app running either on underline OS IOS or android if you have apple or samsung phone respectively.
upvoted 1 times

  EmnCours 9 months, 2 weeks ago

Correct.

Can connect from any dev.

Will restart autom.

upvoted 3 times

  Olram 1 year, 1 month ago

Passed today. this is part of the exam. 4/23/22
upvoted 16 times

  mubba 1 year, 1 month ago

well done....
upvoted 1 times

  DrJoness 1 year, 2 months ago

Question appeared in exam today, April 7 2022
upvoted 4 times

  ajayasa 1 year, 3 months ago

this question was there on 16/03/2022 with same question and passed with 900 percent
upvoted 4 times
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 54/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  cirspass 1 year, 3 months ago

i have a question～，there is no fill network policy，why it can acces from user of any device？
upvoted 1 times

  Paulwryan 1 year, 5 months ago

In order to connect to the container wouldn't the RDP port 3389 need to be open?
upvoted 1 times

  Odysseas 1 year, 5 months ago

It will connect via http (port 80) and will get a response from the IIS
upvoted 5 times

  helpaws 1 year, 5 months ago

So does the "osType": "Windows" is there to throw you off?
upvoted 3 times

  oscarfernand 1 year, 4 months ago

yes, it's a trap
upvoted 6 times

  tmub47 1 year, 5 months ago

What is the practical scenario for a Public access with just one OS type?
upvoted 1 times

  Pear7777 6 months, 1 week ago

my question too
upvoted 1 times

  space2201 1 year, 4 months ago

The osType element has nothing to do with the clients connecting to the container. It specifies the container OS type.
upvoted 12 times

  testmobile18 1 year, 5 months ago

Correct answer.
https://docs.microsoft.com/en-us/azure/container-instances/container-instances-quickstart-template
"port": {
"type": "int",
"defaultValue": 80,
"metadata": {
"description": "Port to open on the container and the public IP address."
}
"restartPolicy": {
"type": "string",
"defaultValue": "Always",
"allowedValues": [
"Always",
"Never",
"OnFailure"
upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 55/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #28 Topic 4

You have an Azure subscription that contains a virtual machine named VM1. VM1 hosts a line-of-business application that is available 24 hours a
day. VM1 has one network interface and one managed disk. VM1 uses the D4s v3 size.
You plan to make the following changes to VM1:
✑ Change the size to D8s v3.
✑ Add a 500-GB managed disk.
✑ Add the Puppet Agent extension.
✑ Enable Desired State Configuration Management.
Which change will cause downtime for VM1?

A. Enable Desired State Configuration Management

B. Add a 500-GB managed disk

C. Change the size to D8s v3

D. Add the Puppet Agent extension

Correct Answer: C
While resizing the VM it must be in a stopped state.
Reference:
https://azure.microsoft.com/en-us/blog/resize-virtual-machines/

Community vote distribution

C (100%)

  mlantonis Highly Voted  2 years ago

Correct Answer: C

While resizing, the VM must be in a stopped state, therefore there will be a downtime.

Reference:

https://azure.microsoft.com/en-us/blog/resize-virtual-machines
upvoted 110 times

  Mahbus 4 days, 18 hours ago

Nowadays you don't need to stop the vm prior to resizing, even if the vm is running, you may resize, but it will restart the vm causing downtime
anyway. Also another advantage of stopping vm prior to resizing is that it gives more choices to choose from in the vm list.
upvoted 1 times

  multcloud Highly Voted  2 years, 9 months ago

Correct answer. Resizing VM will cause downtime.
upvoted 39 times

  FlowerChoc1 Most Recent  2 months ago

Got this question on today's exam. Yes, I passed. Thanks to you guys!
upvoted 5 times

  fimbulvetrk 1 month, 4 weeks ago

my exam is tomorrow and I hope this one appears to me haha
upvoted 1 times

  juanmpmx 2 months, 1 week ago

Correct Answer: C
upvoted 1 times

  UmbongoDrink 4 months ago

Selected Answer: C
While resizing the VM it must be in a stopped state.
upvoted 1 times

  omgMerrick 4 months, 1 week ago

Selected Answer: C
C. Change the size to D8s v3.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 56/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Changing the size of an Azure virtual machine involves a stop and restart of the virtual machine, which will cause downtime for the line-of-business
application hosted on VM1. This downtime can be minimized by using Azure Availability Sets or by taking appropriate steps to prepare for the
change, such as backing up data or moving the application to another virtual machine.

Adding a managed disk, installing the Puppet Agent extension, or enabling Desired State Configuration Management should not cause downtime
for VM1.
upvoted 3 times
  2cent2 5 months, 3 weeks ago
Selected Answer: C
...nothing to tell.
upvoted 1 times

  NaoVaz 9 months ago

Selected Answer: C
C) " Change the size to D8s v3"

Reference: https://azure.microsoft.com/en-us/blog/resize-virtual-machines/
upvoted 3 times

  EmnCours 9 months, 2 weeks ago

Selected Answer: C
Correct Answer: C 🗳️
While resizing the VM it must be in a stopped state.
Reference:
https://azure.microsoft.com/en-us/blog/resize-virtual-machines/
upvoted 2 times

  Lazylinux 12 months ago

Selected Answer: C
C is correct as resizing requires shutdown because of the hardware specs also because the current hardware cluster may not be able to support it
and hence VM will be moved to another one that have the resources to take on the new size
upvoted 2 times

  amunator 12 months ago

Selected Answer: C
Correct Answer: C
upvoted 1 times

  manalshowaei 1 year ago

Selected Answer: C
C. Change the size to D8s v3
upvoted 3 times

  Carai 1 year, 1 month ago

Selected Answer: C
correct
upvoted 1 times

  Azure_daemon 1 year, 3 months ago

C is the correct answer, I actually tested it in my subscription and as soon as I restarted the resizing it shutdown the running VM
upvoted 2 times

  Chole22 1 year, 3 months ago

https://docs.microsoft.com/en-us/azure/virtual-machines/resize-vm?tabs=portal

If the virtual machine is currently running, changing its size will cause it to be restarted.

If your VM is still running and you don't see the size you want in the list, stopping the virtual machine may reveal more sizes.
upvoted 1 times

  SanjSL 1 year, 7 months ago

If the virtual machine is currently running, changing its size will cause it to be restarted.

If your VM is still running and you don't see the size you want in the list, stopping the virtual machine may reveal more sizes.
https://docs.microsoft.com/en-us/azure/virtual-machines/resize-vm?tabs=portal
upvoted 4 times

  ScoutP 1 year, 8 months ago

This question was asked on exam taken on Sept 30, 2021
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 57/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #29 Topic 4

You have an app named App1 that runs on an Azure web app named webapp1.
The developers at your company upload an update of App1 to a Git repository named Git1.
Webapp1 has the deployment slots shown in the following table.

You need to ensure that the App1 update is tested before the update is made available to users.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

A. Swap the slots

B. Deploy the App1 update to webapp1-prod, and then test the update

C. Stop webapp1-prod

D. Deploy the App1 update to webapp1-test, and then test the update

E. Stop webapp1-test

Correct Answer: AD

Community vote distribution

AD (100%)

  sk1803 Highly Voted  1 year, 8 months ago

Answer is correct.
1.Deploy the App to “webapp1-test” which is staging environment and test it there.
2.Once the test is success swap the slots, so the new changes will be available under production.
upvoted 76 times

  Pear7777 6 months, 1 week ago

in that order, yes.
upvoted 3 times

  Takloy 1 year, 6 months ago

Thanks! straight to the point!
upvoted 3 times

  Shailesh866 Highly Voted  1 year, 8 months ago

The answer is correct.
- Deploying an app to a slot first(Test is this case) and swapping it into production makes sure that all instances of the slot are warmed up before
being swapped into production.
- After a swap, the slot with previously staged app now has the previous production app. If the changes swapped into the production slot aren't as
you expect, you can perform the same swap immediately to get your "last known good site" back.
upvoted 15 times

  jamess Most Recent  1 month, 1 week ago

If you swap the slots it puts the test into production. Question says to test before available to users.
upvoted 1 times

  jamess 1 month, 1 week ago

Sorry disregard.
upvoted 1 times

  NJTH 2 months, 1 week ago

Exactly the same question was on todays exam.
(7th April 2023)
upvoted 2 times

  AzZnLuVaBoI 2 months, 2 weeks ago

On the Exam 3/29/23.
upvoted 4 times

  GBAU 4 months ago

Ah, MS, where does it say the test passes? You might have just swapped a failed app into production according to this question/answer.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 58/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 2 times
  Irism 5 months ago
A & D, if you dont understand this question, dont even try the exam. just a tip
upvoted 1 times

  RougePotatoe 4 months, 2 weeks ago

Bruh chill not everyone has a app development background.
upvoted 6 times

  Bigc0ck 5 months, 1 week ago

This was on my 2nd test
upvoted 2 times

  majerly 8 months, 2 weeks ago

today in exam AD
upvoted 5 times

  NaoVaz 9 months ago

Selected Answer: AD
D) " Deploy the App1 update to webapp1-test, and then test the update" & A) " Swap the slots"

Reference: https://docs.microsoft.com/en-us/azure/app-service/deploy-staging-slots
upvoted 9 times

  EmnCours 9 months, 2 weeks ago

Selected Answer: AD
Correct Answer: AD
upvoted 1 times

  Olram 1 year, 1 month ago

Passed today. this is part of the exam. 4/23/22
upvoted 2 times

  Tinez 2 months, 2 weeks ago

Please I'd like to ask a few questions.
Did they change the alphabet where the answer is or is it still on ''AD'' as we saw in Exam topics?
upvoted 1 times

  mubba 1 year, 1 month ago

well done....
upvoted 1 times

  Carai 1 year, 1 month ago

Selected Answer: AD
it makes sense
upvoted 1 times

  techie_11 1 year, 2 months ago

On exam 04/12/2022. Answer is correct
upvoted 2 times

  willt 1 year, 2 months ago

Correct.
upvoted 1 times

  DrJoness 1 year, 2 months ago

Selected Answer: AD
Question appeared in exam today. The answer is correct.
upvoted 3 times

  azuresam 1 year, 2 months ago

Correct:
1. Deploy the update to the webapp1-test and testing it there
2. If test successful then swap the slot with webapp1-prod
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 59/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #30 Topic 4

You have an Azure subscription named Subscription1 that has the following providers registered:
✑ Authorization
✑ Automation
✑ Resources
✑ Compute
✑ KeyVault
✑ Network
✑ Storage
✑ Billing
✑ Web
Subscription1 contains an Azure virtual machine named VM1 that has the following configurations:
✑ Private IP address: 10.0.0.4 (dynamic)
✑ Network security group (NSG): NSG1
✑ Public IP address: None
✑ Availability set: AVSet
✑ Subnet: 10.0.0.0/24
✑ Managed disks: No
✑ Location: East US
You need to record all the successful and failed connection attempts to VM1.
Which three actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

A. Enable Azure Network Watcher in the East US Azure region.

B. Add an Azure Network Watcher connection monitor.

C. Register the MicrosoftLogAnalytics provider.

D. Create an Azure Storage account.

E. Register the Microsoft.Insights resource provider.

F. Enable Azure Network Watcher flow logs.

Correct Answer: AEF

You can log network traffic that flows through an NSG with Network Watcher's NSG flow log capability.
✑ In the Azure portal, enable Network Watcher
✑ Register Insights provider. NSG flow logging requires the Microsoft.Insights provider.
✑ Enable NSG flow log. NSG flow log data is written to an Azure Storage account, Subscription1 has storage.
Reference:
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-portal

Community vote distribution

DEF (55%) AEF (36%) 8%

  HenriKI2 Highly Voted  1 year, 5 months ago

Selected Answer: DEF
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview

When you create or update a virtual network in your subscription, Network Watcher will be enabled automatically in your Virtual Network's region.
There is no impact to your resources or associated charge for automatically enabling Network Watcher. For more information, see Network
Watcher create.

https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-portal
Create a VM with a network security group
Enable Network Watcher (done by default with the vnet/subnet creation)
-- and register the Microsoft.Insights provider ---------todo
Enable a traffic flow log for an NSG, using Network Watcher's NSG flow log capability --todo BUT !
NSG flow log data is written to an Azure Storage account. Complete the following steps to create a storage account for the log data.
So you need to create a storage account before enable the NSG flow
Download logged data
View logged data

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 60/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 49 times

  holytoni 2 months ago

I think its AEF. As the machine has an unmanaged disk, therefore a storage account should already be there.
upvoted 1 times

  cnduknthm 7 months, 2 weeks ago

you are right but in this scenario, there is no mention of Virtual Network creation or updation. It just said the subscription contains Network
Provider registered but not VNET created or updated. So, in that Network Watcher is yet to be enabled correct?
upvoted 2 times

  Marz 6 months, 1 week ago

It is mentioned that a VM is already created. You cannot create a VM when there is nog VNET. So my conclusion is that the VNET is there,
and so Network Watcher already enabled. leaves DEF for answer.
upvoted 4 times

  _punky_ 1 year, 4 months ago

Checked! This ans is correct.
upvoted 4 times

  jackAttew_1 Highly Voted  1 year, 5 months ago

Answer is correct so AEF.
1.Create a VM with a network security group
2.Enable Network Watcher and register the Microsoft.Insights provider
3.Enable a traffic flow log for an NSG, using Network Watcher's NSG flow log capability
4.Download logged data
5.View logged data

https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-portal
upvoted 35 times

  yeanlingmedal71 1 year, 2 months ago

D, E, F - options are changed
upvoted 5 times

  BowSec Most Recent  1 month, 2 weeks ago

Selected Answer: AEF
AEF is correct

https://www.linkedin.com/learning/exam-tips-azure-administrator-az-104/monitor-virtual-networking?
autoSkip=true&autoplay=true&resume=false&u=78730170
upvoted 4 times

  Exilic 1 month, 3 weeks ago

Selected Answer: ABF
The three actions that should be performed to record all the successful and failed connection attempts to VM1 are:

A. Enable Azure Network Watcher in the East US Azure region.

B. Add an Azure Network Watcher connection monitor.
F. Enable Azure Network Watcher flow logs.

Explanation:

A. Azure Network Watcher is a network monitoring and diagnostic service that provides tools to monitor, diagnose, and gain insights into your
network performance and health. By enabling Azure Network Watcher in the East US Azure region, you can monitor the traffic to and from VM1.

B. Adding an Azure Network Watcher connection monitor allows you to monitor the connectivity and latency between VM1 and a target IP address
or FQDN. This will enable you to track all the successful and failed connection attempts to VM1.

F. Enabling Azure Network Watcher flow logs will allow you to capture information about the IP traffic to and from VM1. This information can be
stored in a storage account or sent to a Log Analytics workspace for analysis and reporting.

The other options are not required for recording the successful and failed connection attempts to VM1.

Therefore, the correct answer is A, B, and F.

upvoted 4 times

  Bar_t 5 days, 20 hours ago

B is wrong !!!
Connection monitor perform tests and do not collect information about existing (TCP) failed or sucesfull network connection to or from VM:
"The connection monitor capability monitors communication at a regular interval and informs you of reachability, latency, and network topology
changes between the VM and the endpoint. For example, you might have a web server VM that communicates with a database server VM.
Someone in your organization may, unknown to you, apply a custom route or network security rule to the web server or database server VM or
subnet.

If an endpoint becomes unreachable, connection troubleshoot notifies you of the reason"

https://learn.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview#monitor-communication-between-a-virtual-
machine-and-an-endpoint
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 61/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 1 times
  Exilic 1 month, 3 weeks ago
ChatGPT response:

The three actions that should be performed to record all the successful and failed connection attempts to VM1 are:

A. Enable Azure Network Watcher in the East US Azure region.

B. Add an Azure Network Watcher connection monitor.
F. Enable Azure Network Watcher flow logs.

Explanation:

The other options are not required for recording the successful and failed connection attempts to VM1.

Therefore, the correct answer is A, B, and F.

upvoted 2 times

  vinsom 2 months, 3 weeks ago

Surprised, the reference link in the ET answer does point to the DEF steps explicitly, while the ET answer is AEF. Quite amused! How does ET work?
upvoted 1 times

  Slawekyo 2 months, 2 weeks ago

The answers were swapped at some point.
As of now DEF is correct
upvoted 2 times

  Spooky7 2 months, 3 weeks ago

So if storage account already exists since VM has unmanaged disc and Network Watcher is automatically created when you create VNET (which you
have because VM can't exist without it), then what is the 3rd answer except E and F?
upvoted 1 times

  kklohit 3 months ago

Selected Answer: ABF
To record all the successful and failed connection attempts to VM1, you need to:

A. Enable Azure Network Watcher in the East US Azure region.

B. Add an Azure Network Watcher connection monitor.
F. Enable Azure Network Watcher flow logs.

Registering the MicrosoftLogAnalytics provider (C) is not necessary for this specific requirement, and creating an Azure Storage account (D) is not
mentioned as a requirement. Registering the Microsoft.Insights resource provider (E) is also not needed for this specific scenario.
upvoted 4 times

  algokhan 3 months, 2 weeks ago

Selected Answer: DEF
https://learn.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-portal
upvoted 1 times

  DanSuaricius 4 months ago

AEF is the correct answer. The option D is dismissed because a Storage is created already. This is concluded because the VM1 has an unmanaged
disk.
upvoted 3 times

  shandorcoachman 3 months, 1 week ago

I don't see that a storage account has already been created. It is saying: "Subscription1 contains an Azure virtual machine named VM1 that has
the following configurations".
upvoted 1 times

  er101q 4 months, 1 week ago

The three essential steps to record all the successful and failed connection attempts to VM1 are:

E. Register the Microsoft.Insights resource provider

A. Enable Azure Network Watcher in the East US Azure region
F. Enable Azure Network Watcher flow logs

These three steps are required to enable the functionality to monitor and log network traffic to VM1. Additionally, creating an Azure Storage
account is recommended as it is where the flow logs will be stored.
upvoted 4 times
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 62/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  Mo22 4 months, 3 weeks ago

Selected Answer: ABF
A. Enable Azure Network Watcher in the East US Azure region.
B. Add an Azure Network Watcher connection monitor.
F. Enable Azure Network Watcher flow logs.

To record all the successful and failed connection attempts to VM1, you should perform the following actions:

Enable Azure Network Watcher in the East US Azure region by using the Azure portal, Azure CLI or Azure PowerShell.
Add an Azure Network Watcher connection monitor by providing the target resource, the source, and the protocol.
Enable Azure Network Watcher flow logs for NSG1, this will allow you to log all the traffic flow in and out of VM1.
Once the logs are captured, you can use Azure Log Analytics, Azure Monitor, or other tools to analyze the logs.
Note:

You don't need to register the Microsoft.Insights or the MicrosoftLogAnalytics provider, as they are already registered by default.
You don't need to create an Azure Storage account, as the logs are stored in Azure Monitor Logs.
upvoted 2 times

  AnKiLa 4 months, 3 weeks ago

Sorry, but tht's not correct. Microsoft.Insights is not registered per default. Please have a look at https://learn.microsoft.com/en-us/azure/azure-
resource-manager/management/azure-services-resource-providers
upvoted 2 times

  BShelat 5 months, 2 weeks ago

A, D, E, F are required steps. VM1 does not have managed disks i.e. it has it has it sown disk i.e. storage account already exists. So "D" is not
required, we can select existing storage account and hence answer is A, E and F.
upvoted 4 times

  rmsdg 6 months, 2 weeks ago

https://learn.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-
overview#:~:text=When%20you%20create%20or%20update%20a%20virtual%20network%20in%20your%20subscription%2C%20Network%20Watc
her%20will%20be%20enabled%20automatically%20in%20your%20Virtual%20Network%27s%20region.%20There%20is%20no%20impact%20on%2
0your%20resources%20or%20associated%20charge%20for%20automatically%20enabling%20Network%20Watcher.%20For%20more%20informati
on%2C%20see%20Network%20Watcher%20create.
upvoted 1 times

  cnduknthm 7 months, 1 week ago

Selected Answer: AEF
There is no mention of Virtual Network creation or updation. It just says that the subscription contains Network Provider registered but not VNET
created or updated. So, in that Network Watcher is yet to be enabled and as the managed disks is mentioned as NO. there should be a storage
account.
upvoted 1 times

  kf01234 7 months, 2 weeks ago

Selected Answer: AEF
Just completed the total re-cap AZ104 course, the answer from teacher is AEF
upvoted 3 times

  klexams 7 months, 2 weeks ago

Selected Answer: AEF
Just stick with the steps outlined here https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-portal
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 63/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #31 Topic 4

You need to deploy an Azure virtual machine scale set that contains five instances as quickly as possible.
What should you do?

A. Deploy five virtual machines. Modify the Availability Zones settings for each virtual machine.

B. Deploy five virtual machines. Modify the Size setting for each virtual machine.

C. Deploy one virtual machine scale set that is set to VM (virtual machines) orchestration mode.

D. Deploy one virtual machine scale set that is set to ScaleSetVM orchestration mode.

Correct Answer: D
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/orchestration-modes

Community vote distribution

D (95%) 5%

  fedztedz Highly Voted  2 years, 6 months ago

Answer is correct (D).
the main idea is to create 5 VMs asap. To do this you should let Azure do it for you with the least steps. either by using ARM template which is not
mentioned here or VM scale set. That leaves us with 2 options C or D. C is like unmanaged Scale set where you add the VMs manually to the scale
set as a unmanaged group. while D is managed scale set by Azure where it is based on configuration set during the setup of the VM Scale set
upvoted 167 times

  Shadoken 11 months ago

The oschestration mode have different names at the present:
In flexible orchestration mode, you manually create and add a virtual machine of any configuration to the scale set. In uniform orchestration
mode, you define a virtual machine model and Azure will generate identical instances based on that model.

https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-orchestration-modes
upvoted 18 times

  mlantonis Highly Voted  2 years ago

Correct Answer: D

ScaleSetVM orchestration mode: Virtual machine instances added to the scale set are based on the scale set configuration model. The virtual
machine instance lifecycle - creation, update, deletion - is managed by the scale set. It the current default VMSS behavior. (Scale set VMs are
created in a single shot).

VM (virtual machines) orchestration mode: Virtual machines created outside of the scale set can be explicitly added to the scale set. The
orchestration mode VM will only create an empty VMSS without any instances, and you will have to manually add new VMs into it by specifying the
VMSS ID during the creation of the VM. (Separately VMs are created and added to scale set later)

Reference:

https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/orchestration-modes
upvoted 119 times

  KingChuang 7 months ago

Out date question.
New Mode:
https://learn.microsoft.com/zh-tw/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-orchestration-modes
upvoted 4 times

  AubinBakana 1 year, 9 months ago

thank you for this. I wandered what the difference was between the 2. They sound the same. Never came across a situation where machines
were to be added manually, which in my opinion defeats the purpose of using a scale set unless you've got legacy equipment of something like
that. But hey, it must be there for a reason and at least I know. Again, thank you
upvoted 3 times

  UmbongoDrink Most Recent  4 months ago

Selected Answer: D
Correct Answer: D

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 64/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  alirasouli 7 months, 3 weeks ago

Selected Answer: D
This question is outdated. The two Orchestration Modes are:
- Uniform orchestration: Virtual machine scale sets with Uniform orchestration use a virtual machine profile or template to scale up to desired
capacity. While there is some ability to manage or customize individual virtual machine instances, Uniform uses identical VM instances.
- Flexible orchestration: With Flexible orchestration, Azure provides a unified experience across the Azure VM ecosystem. Flexible orchestration
offers high availability guarantees (up to 1000 VMs) by spreading VMs across fault domains in a region or within an Availability Zone.

I can say that Uniform orchestration superceded ScaleSetVM while Flexible orchestration superceded VM mode.

Reference:
https://learn.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-orchestration-modes
upvoted 7 times

  NaoVaz 9 months ago

Selected Answer: D
D) " Deploy one virtual machine scale set that is set to ScaleSetVM orchestration mode. "

Currently the correct option is the Uniform Orchestration Mode - https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-

machine-scale-sets-orchestration-modes#scale-sets-with-uniform-orchestration
upvoted 1 times

  EmnCours 9 months, 2 weeks ago

Selected Answer: D
Correct Answer: D 🗳️
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/orchestration-modes
upvoted 1 times

  Lazylinux 12 months ago

Selected Answer: D
Yep D
Optimized for large-scale stateless workloads with identical instances.
Virtual machine scale sets with Uniform orchestration use a virtual machine profile or template to scale up to desired capacity. While there is some
ability to manage or customize individual virtual machine instances, Uniform uses identical VM instances. Individual Uniform VM instances are
exposed via the virtual machine scale set VM API commands.
***NOTE***
You cannot add existing Machine to any type of VM scale set,
In Flexible Orchestration ScaleSet ONLY newly created VMs or VMS spawned by the Condition of the scaleset Can be added to scale set
Uniform Scaleset DO NOT allow of addition of newly created VM to the scale set
upvoted 2 times

  manalshowaei 1 year ago

Selected Answer: D
D. Deploy one virtual machine scale set that is set to ScaleSetVM orchestration mode
upvoted 1 times

  manalshowaei 1 year ago

Selected Answer: C
C. Change the size to D8s v3
upvoted 1 times

  HenriKI2 1 year, 5 months ago

Question is outdated.
https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-orchestration-modes
Now its UNIFORM mode and FLEXIBLE mode.
Uniform : Uniform uses identical VM instances. = ScaleSetVMs
Flexible : Achieve high availability at scale with identical or multiple virtual machine types. = VM orchestration
upvoted 16 times

  JESUSBB 1 year, 6 months ago

In the exam today 11-DEC-2021
Ans:D. Deploy one virtual machine scale set that is set to ScaleSetVM orchestration mode.
upvoted 1 times

  Snownoodles 1 year, 6 months ago

Selected Answer: D
The scalesetVM has new name 'uniform' orchestration mode, which create uniform VMs and uses VMSS API to manage.
Another orchestration mode is Flexible Orchestration mode, which uses VM API to individually manages VMs.
upvoted 6 times

  [Removed] 1 year, 6 months ago

Was on exam 15/11/2021
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 65/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  Omar_Aladdin 1 year, 8 months ago

Free Microsoft Learners, What's up :*
upvoted 3 times

  chaudha4 1 year, 9 months ago

Shouldn't option C and D be updated to something like this:
C. Deploy one virtual machine scale set that is set to “Flexible” orchestration mode.
D. Deploy one virtual machine scale set that is set to “Uniform” orchestration mode.

------------------
Description:
-------------------
Choose how virtual machines are managed by the scale set.

In flexible orchestration mode (preview), you manually create and add a virtual machine of any configuration to the scale set.

In uniform orchestration mode, you define a virtual machine model and Azure will generate identical instances based on that model.
upvoted 3 times

  JayBee65 1 year, 11 months ago

Hasn't this changed to Uniform orchestration or Flexible orchestration modes?
upvoted 3 times

  mg 2 years, 3 months ago

Answer is correct
ScaleSetVm orchestration mode
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 66/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #32 Topic 4

You plan to create the Azure web apps shown in the following table.

What is the minimum number of App Service plans you should create for the web apps?

A. 1

B. 2

C. 3

D. 4

Correct Answer: A

Community vote distribution

B (95%) 5%

  EleChie Highly Voted  9 months, 2 weeks ago

Correct Answer: B
.NET Core 3.0: Windows and Linux ASP
.NET V4.7: Windows only
PHP 7.3: Windows and Linux
Ruby 2.6: Linux only
Also, you can’t use Windows and Linux Apps in the same App Service Plan, because when you create a new App Service plan you have to choose
the OS type. You can't mix Windows and Linux apps in the same App Service plan. So, you need 2 ASPs.
Reference:
https://docs.microsoft.com/en-us/azure/app-service/overview
upvoted 59 times

  Ozzy3458 8 months, 1 week ago

Ruby 2.6 ca run on Windows. check it ! So the answer is correct. A is the correct answer.
RubyInstaller for Windows https://rubyinstaller.org
upvoted 4 times

  adeyhtech87 4 months, 2 weeks ago

Ruby 2.7 works with only the Linux App service plan, as I can check in Jan 2023. Not sure, if Ruby 2.6 would have ever supported Windows.
So the answer is B correct. We basically need 1 service plan for Linux App setup environment and one for windows based workload.
upvoted 5 times

  slovik 7 months, 4 weeks ago

Maybe it can but it's not listed as webapp runtime for windows:
$ az webapp list-runtimes --os windows
[
"dotnet:7",
"dotnet:6",
"DOTNETCORE:3.1",
"ASPNET:V4.8",
"ASPNET:V3.5",
"NODE:18LTS",
"NODE:16LTS",
"NODE:14LTS",
"PHP:7.4",
"java:1.8:Java SE:8",
"java:11:Java SE:11",
"java:17:Java SE:17",
"java:1.8:TOMCAT:10.0",
"java:11:TOMCAT:10.0",
"java:17:TOMCAT:10.0",
"java:1.8:TOMCAT:9.0",
"java:11:TOMCAT:9.0",
"java:17:TOMCAT:9.0",
"java:1.8:TOMCAT:8.5",
"java:11:TOMCAT:8.5",
"java:17:TOMCAT:8.5"
]

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 67/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 18 times
  simonseztech Highly Voted  8 months ago
Selected Answer: B
Tested on 2022-10-12 in the portal : PHP & Ruby are Linux only so the answer is 2
upvoted 11 times

  sankar07 Most Recent  2 months, 1 week ago

Selected Answer: B
2 is right. You need 1 for windows and 1 for linux. Because .Net 47 runs only on windows. Ruby runs only on linux. The other 2 can run on both.
upvoted 2 times

  macrawat 2 months, 3 weeks ago

This is a dumb question
upvoted 8 times

  kklohit 3 months ago

Selected Answer: B
The answer is B.

Each Azure App Service plan can host multiple web apps, but each plan is limited to a specific set of features and corresponding worker size. In this
case, .NET Core 3.1, ASP .NET V 4.8, PHP 7.3, and Ruby 2.6 are all different runtime stacks, so each web app must be hosted on a separate App
Service plan. Therefore, the minimum number of App Service plans required to host all four web apps is two.

You can host WebApp1 and WebApp2 on an App Service plan that supports .NET Core and ASP.NET, and you can host WebApp3 and WebApp4 on
another App Service plan that supports PHP and Ruby.
upvoted 1 times

  hfk2020 3 months, 1 week ago

The .NET Core 3.1, PHP 7.3, and Ruby 2.6 runtime stacks work on both Linux and Windows operating systems.

ASP.NET V4.8 is a Windows-specific runtime stack and does not work on Linux. If you want to run ASP.NET web applications on Linux, you can use
.NET Core runtime stack, which supports cross-platform development and can run ASP.NET Core web applications on Linux as well as Windows.
upvoted 1 times

  kilobaik 3 months, 2 weeks ago

Correct answer is B (2).
Because:
- ASP.Net can run only on Windows
- PHP, Ruby: can run only on Linux
upvoted 1 times

  psr83 3 months, 3 weeks ago

Selected Answer: B
az webapp list-runtimes
{
"linux": [
"DOTNETCORE:7.0",
"PYTHON:3.11",
"PHP:8.2",
"RUBY:2.7",
],
"windows": [
"dotnet:7",
"dotnet:6",
"ASPNET:V4.8",
"ASPNET:V3.5",
]
}
upvoted 2 times

  psr83 3 months, 3 weeks ago

Selected Answer: B
az webapp list-runtimes --os windows
[
"dotnet:7",
"ASPNET:V4.8",
]
$ az webapp list-runtimes --os linux
[
"DOTNETCORE:7.0",
"PHP:8.0",
"RUBY:2.7",
]
upvoted 2 times

  insanewriters 3 months, 3 weeks ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 68/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

The Azure Portal will at least not let you choose a Windows app service for Ruby 2.7. It will also warn you that Ruby 2.7 will no longer be supported
as of March 2023.
upvoted 2 times

  UmbongoDrink 4 months ago

Selected Answer: B
Correct Answer: B
.NET Core 3.0: Windows and Linux ASP
.NET V4.7: Windows only
PHP 7.3: Windows and Linux
Ruby 2.6: Linux only
upvoted 1 times

  alejox96 4 months, 2 weeks ago

I fully agree that the answer should be B, that is, 2. However, this question already came up in one of the cloudlabds training sessions (Sponsored
by Microsoft) and the answer in the test was 1, apparently it is their error, so Even though we know that the correct answer is 2, if you mark it that
way it will come out as wrong.
upvoted 1 times

  RougePotatoe 4 months, 2 weeks ago

Do they have any evidence to say that they haven't fixed it in the test?
upvoted 2 times

  reddy187 4 months, 3 weeks ago

Selected Answer: B
Correct Answer is B: As per https://docs.microsoft.com/en-us/azure/app-service/overview, 2 ASP are required.
upvoted 1 times

  Vitu 5 months, 3 weeks ago

Selected Answer: B
for windows and for linux
upvoted 1 times

  Imagar 7 months ago

Selected Answer: B
https://learn.microsoft.com/es-es/azure/app-service/quickstart-ruby?tabs=cli
upvoted 1 times

  BYNeo 7 months ago

Answer should be B, https://learn.microsoft.com/en-us/azure/app-service/quickstart-ruby?tabs=cli, and https://learn.microsoft.com/en-
us/azure/app-service/overview#app-service-on-linux
upvoted 1 times

  vaibhavs120 7 months, 1 week ago

The answer should be 2
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 69/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #33 Topic 4

HOTSPOT -
You have a pay-as-you-go Azure subscription that contains the virtual machines shown in the following table.

You create the budget shown in the following exhibit.

The AG1 action group contains a user named admin@contoso.com only.

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
Hot Area:

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 70/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Correct Answer:

Box 1: VM1 and VM2 continue to run

The budget alerts are for Resource Group RG1, which include VM1, but not VM2. However, when the budget thresholds you've created are
exceeded, only notifications are triggered. None of your resources are affected and your consumption isn't stopped.
Box 2: one email notification will be sent each month.
Budget alerts for Resource Group RG1, which include VM1, but not VM2.VM1 consumes 20 Euro/day. The 50%, 500 Euro limit, will be reached in
25 days, and an email will be sent.
The 70% and 100% alert conditions will not be reached within a month, and they don't trigger email actions anyway.
Credit alerts: Credit alerts are generated automatically at 90% and at 100% of your Azure credit balance. Whenever an alert is generated, it's
reflected in cost alerts and in the email sent to the account owners. 90% and 100% will not be reached though.
Reference:
https://docs.microsoft.com/en-us/azure/cost-management-billing/costs/cost-mgt-alerts-monitor-usage-spending
https://docs.microsoft.com/en-gb/azure/cost-management-billing/costs/tutorial-acm-create-budgets

  mlantonis Highly Voted  2 years ago

Correct Answer:

Box 1: VM1 and VM2 continue to run

The Budget’s scope is RG1, so only VM1 will be handled.
When the budget thresholds you've created are exceeded, only notifications are triggered.
To stop resources, you need to setup additional things, none of which are mentioned in the question.

Box 2: one email notification will be sent each month.

Budget alerts have scope in Resource Group RG1, which includes VM1, but not VM2.
VM1 consumes 20 Euro/day, so 20 euros * 30 days = 600 euros.
The 50%, 500 Euro limit, will be reached in 25 days (25*20 = 500), so an email will be sent.
The 70% and 100% alert conditions will not be reached within a month, and they don't trigger email actions anyway, because AG1 action group
contains a user.

Credit alerts: Credit alerts are generated automatically at 90% and at 100% of your Azure credit balance. Whenever an alert is generated, it's
reflected in cost alerts and in the email sent to the account owners. 90% and 100% will not be reached though.
upvoted 276 times

  cnduknthm 7 months, 1 week ago

Please provide clarity on Alert Recepient (email) : Admin@contoso.com..when the email will be triggered to his address?
upvoted 1 times

  cnduknthm 7 months, 1 week ago

typo - user1@contoso.com
upvoted 1 times

  cnduknthm 7 months, 1 week ago

sorry to trouble you. got the answer from https://www.codit.eu/blog/control-your-azure-costs-through-budget-alerts/
upvoted 1 times

  thuylevn 1 year, 10 months ago

policy apply only RG1 (VM1). so only VM1 stop
upvoted 2 times

  ivanp8571 1 year, 3 months ago

But it requires an additional configuration to shut down the VM. Budget alerts only trigger alerts

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 71/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 7 times
  Takloy 1 year, 6 months ago
Yo Da'man!
upvoted 4 times

  Hyrydar 1 year, 7 months ago

Sir, you are a rock star. I learn from you.
upvoted 9 times

  Hyrydar 1 year, 7 months ago

I hope addressing you as sir, is correct. If not, fill it in.
upvoted 5 times

  fedztedz Highly Voted  2 years, 6 months ago

Answer is Wrong. Correct is
- VM1 and VM2 continues to run. First the Alerts is managed only for VM1 in the scope of RG1. Second, when alert hits 100%, the action group is a
Azure app, which I assume a Azure logic App. It is not clear what this app does. accordingly, we can assume no action to stop the VM as a spending
limit. It is just an alert.
- The second answer is wrong. the alert will send an two email notification , one based on Action group AG1 and another based on the alert
recipients (the admin)
upvoted 97 times

  SnakePlissken 2 years, 1 month ago

- VM1 and VM2 continue to run. When the budget thresholds you've created are exceeded, only notifications are triggered. None of your
resources are affected and your consumption isn't stopped.
https://docs.microsoft.com/en-us/azure/cost-management-billing/costs/tutorial-acm-create-budgets
- Only one email will be sent each month. Only if you don’t specify a particular action group, an email is sent to the alert recipients.
https://www.codit.eu/blog/control-your-azure-costs-through-budget-alerts
upvoted 48 times

  joelabc1234 1 year, 6 months ago

This is the correct answer. As stated the thresholds only affect RG1 where VM1 is located and it is not scoped on RG2 where VM2 resides.
upvoted 2 times

  Takloy 1 year, 7 months ago

explain why there's only 1 email.
upvoted 1 times

  e_karma 1 year, 6 months ago

because if you see the daily consumption it is 20 usd.. multiply by 30 it comes around 600 usd..First alert is send around 500 usd.. Going
by the current consumption it wont reach 700 usd when the second alert is triggered.
upvoted 5 times

  Takloy 1 year, 6 months ago

Thank you @e_karma!
upvoted 2 times

  Junpeng 1 year, 10 months ago

Make more sense, upvoted.
upvoted 3 times

  cnduknthm 7 months, 1 week ago

If you don’t specify a particular action group, an email is sent to the alert recipients. so, as we have AG1 group already in place. Only single
email will be sent.
upvoted 2 times

  Hibs2016 2 years, 6 months ago

Do you have any links explaining your point on the email notifications? I think it would only be one email notification.
upvoted 5 times

  nzwasp 2 years, 6 months ago

I selected one email based on the math, AG1 is reached but AG2 is not reached because 30 days of 20 dollars a day is only $600. Also even if
AG2 was triggered it still wouldnt send out a 2nd email.
upvoted 12 times

  Lkk51 2 years ago

2nd mail is from "Alert recipient" to user1@contoso.com
upvoted 2 times

  e_karma 1 year, 6 months ago

the alert is for resoruce group AG1 only. So no need of looking to AG2
upvoted 2 times

  Lapiduse 2 years, 5 months ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 72/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Agree:
- the alert will send an two email notification:
one based on Action group AG1 (admin) 50% and another based on the alert recipients (user) 100% of the budget.
upvoted 5 times

  thuylevn 1 year, 10 months ago

what happened if they under budget ?
=> so answer 1 email is correct (policy apply only for RG1)
upvoted 2 times

  thuylevn 1 year, 10 months ago

when they 100% of budget will send SMS
upvoted 1 times

  harisavt47 Most Recent  3 months ago

These questions are phrased so bad...
upvoted 2 times

  zellck 4 months ago

1. VM1 and VM2 continue to run.
2. one email will be sent monthly.

https://learn.microsoft.com/en-us/azure/cost-management-billing/manage/cost-management-budget-scenario
Budgets are commonly used as part of cost control. Budgets can be scoped in Azure. For instance, you could narrow your budget view based on
subscription, resource groups, or a collection of resources. In addition to using the budgets API to notify you via email when a budget threshold is
reached, you can use Azure Monitor action groups to trigger an orchestrated set of actions resulting from a budget event.
upvoted 1 times

  klexams 8 months, 1 week ago

Box 2: 2 emails each month i.e. AG1 and Alert recipient.
Whenever an alert is generated, it's shown in cost alerts. An alert email is also sent to the people in the alert recipients list of the budget.
https://learn.microsoft.com/en-us/azure/cost-management-billing/costs/cost-mgt-alerts-monitor-usage-spending
upvoted 2 times

  GBAU 4 months ago

But is one email going to two recipients one email or two? i.e. is the question a poorly worded question of how many email notification triggers
will occur each month, or how many recipients will receive emails each month.

If I send an email to 20 recipients, I don't say I sent 20 emails...

upvoted 1 times

  NaoVaz 9 months ago

1) When the maximum amount in Budget1 is reached: "VM1 and VM2 continue to run".
2) Based on the current usage costs of the virtual machines: "one email notification will be sent each month".

Explanation:
Budgets don't by default interact with resources when thresholds are reached.
Only one email will be sent because on RG1 the VM1 will cost around 600€ (20€ per day).
upvoted 2 times

  vadi123 9 months, 1 week ago

appeared in exam 9/5/22
upvoted 1 times

  EmnCours 9 months, 2 weeks ago

Box 1: VM1 and VM2 continue to run
The budget alerts are for Resource Group RG1, which include VM1, but not VM2. However, when the budget thresholds you've created are
exceeded, only notifications are triggered. None of your resources are affected and your consumption isn't stopped.
Box 2: one email notification will be sent each month.
Budget alerts for Resource Group RG1, which include VM1, but not VM2.VM1 consumes 20 Euro/day. The 50%, 500 Euro limit, will be reached in 25
days, and an email will be sent.
The 70% and 100% alert conditions will not be reached within a month, and they don't trigger email actions anyway.
Credit alerts: Credit alerts are generated automatically at 90% and at 100% of your Azure credit balance. Whenever an alert is generated, it's
reflected in cost alerts and in the email sent to the account owners. 90% and 100% will not be reached though.
upvoted 1 times

  JacquesV 10 months, 1 week ago

In exam on 10Aug2022
upvoted 3 times

  Gino_Slim 11 months, 2 weeks ago

Ugh...more math (lol)
upvoted 2 times

  most_lenyora 10 months, 1 week ago

I feel you hahaha
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 73/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  Lazylinux 12 months ago

Given answer is WRONG correct is
Box 1: VM1 and VM2 continue to run => budget scope is for VM1 ONLY and hence consider it, so if another option said VM1 running and VM2 is
off then it can be correct but NOT other way round
Box 2: one email notification will be sent each month. as $600 is reached which is above 500 but below 700
upvoted 2 times

  manalshowaei 1 year ago

Box 1: VM1 is turned off, and VM2 continues to run
The budget alerts are for Resource Group RG1, which include VM1, but not VM2.
Box 2: one email notification will be sent each month.
Budget alerts for Resource Group RG1, which include VM1, but not VM2.VM1 consumes 20 Euro/day. The 50%, 500 Euro limit, will be reached in 25
days, and an email will be sent.
The 70% and 100% alert conditions will not be reached within a month, and they don't trigger email actions anyway.
Credit alerts: Credit alerts are generated automatically at 90% and at 100% of your Azure credit balance. Whenever an alert is generated, it's
reflected in cost alerts and in the email sent to the account owners. 90% and 100% will not be reached though.
upvoted 3 times

  Lazylinux 1 year ago

Correct answer is
Box 1: VM1 and VM2 continue to run => it costs 600 per month for VM1 to run and hence in 2 months will exceed the budget.
Box 2: one email notification will be sent each month. => because cost 600 per month and email alert is set to 500
upvoted 2 times

  IAGirl 1 year ago

Box 1:VM1 and VM2 continue to run.
When the budget thresholds you've created are exceeded, only notifications are triggered. None of your resources are affected and your
consumption isn't stopped
Box 2: one email notification will be sent each month
RG1 includes VM1-> 20 euro/day * 30 days = 600 Eur. So 50% os the budget will reached and an email will be sent.
https://docs.microsoft.com/en-us/azure/cost-management-billing/costs/tutorial-acm-create-budgets
upvoted 1 times

  Olram 1 year, 1 month ago

Passed today. this is part of the exam. 4/23/22
upvoted 3 times

  itguy2 1 year, 3 months ago

"pay as you go" kinda threw me off of thinking... but pay as you go means you will just have to pay monthly as you use the them... budget limit has
nothing to do with it!
So, Answer is VM1 and VM2 will continue to run and One email notification
upvoted 1 times

  zr79 1 year, 3 months ago

When a budget is reached, only notifications will be triggered and the VM will continue running unless other automation is specified in the
question like runbooks.
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 74/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #34 Topic 4

A. Yes

B. No

Correct Answer: B
From the RG1 blade, click Deployments. You see a history of deployment for the resource group.
Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/template-tutorial-create-first-template?tabs=azure-powershell

Community vote distribution

B (100%)

  mlantonis Highly Voted  2 years ago

Correct Answer: B - No

From the RG1 blade, click Deployments. You see a history of deployment for the resource group.

Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/template-tutorial-create-first-template?tabs=azure-powershell
upvoted 80 times

  bobbywilly Highly Voted  2 years, 9 months ago

No is the correct
upvoted 14 times

  UmbongoDrink Most Recent  4 months ago

Selected Answer: B
From the RG1 blade, click Deployments. You see a history of deployment for the resource group.
upvoted 1 times

  NaoVaz 9 months ago

Selected Answer: B
B) "No"

Reference: https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/template-tutorial-create-first-template?tabs=azure-
powershell#verify-deployment
upvoted 1 times

  EmnCours 9 months, 2 weeks ago

Selected Answer: B
Correct Answer: B
upvoted 1 times

  minix 11 months, 3 weeks ago

came in today's exam 25/6/2022
upvoted 2 times

  Lazylinux 12 months ago

Selected Answer: B
I Luv Honey because it is B => check from RG =>Deployment
upvoted 2 times

  manalshowaei 1 year ago

Selected Answer: B
B. No .

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 75/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 1 times
  Olram 1 year, 1 month ago
Passed today. this is part of the exam. 4/23/22
upvoted 3 times

  josevirtual 1 year, 3 months ago

Selected Answer: B
Correct: B (No)

You can find this information in the RG1 Blade - Deployments

upvoted 1 times

  AubinBakana 1 year, 9 months ago

Here's something I could only learn here. I often went to the Activity Log for the resource or in the Azure monitor. No wonder why it never found a
good answer. :)
upvoted 3 times

  zr79 1 year, 3 months ago

Technically you're correct. But azure does in its ways
upvoted 1 times

  mg 2 years, 3 months ago

Answer is correct
To find the details of resource deployment - deployment from RG1 blade
upvoted 2 times

  ZUMY 2 years, 3 months ago

B is the Answer
upvoted 4 times

  toniiv 2 years, 3 months ago

Answer B. is correct. You should use the Deployments blade.
upvoted 4 times

  fedztedz 2 years, 6 months ago

Answer is correct. NO
upvoted 9 times

  sanovi 2 years, 10 months ago

how to check the timing for the deployment ???
upvoted 2 times

  zyta 2 years, 10 months ago

select resource group you have, open blade "deployments", go through the list of the events. You will see there log of events with statuses and
timestamps of when the action was done
upvoted 9 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 76/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #35 Topic 4

VM1 connects to VNET1.

You need to connect VM1 to VNET2.
Solution: You create a new network interface, and then you add the network interface to VM1.
Does this meet the goal?

A. Yes

B. No

Correct Answer: B
You should delete VM1. You recreate VM1, and then you add the network interface for VM1.
Note: When you create an Azure virtual machine (VM), you must create a virtual network (VNet) or use an existing VNet. You can change the
subnet a VM is connected to after it's created, but you cannot change the VNet.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/network-overview

Community vote distribution

B (100%)

  mlantonis Highly Voted  2 years ago

Correct Answer: B - No

Instead, you should delete VM1. Then recreate VM1 and add the network interface for VM1.

To migrate a VM from a VNET to another VNET. The only option is to delete the VM and redeploy it using a new NIC and NIC connected to VNET2.

Reference:

https://docs.microsoft.com/en-us/azure/virtual-machines/windows/network-overview
upvoted 57 times

  fedztedz Highly Voted  2 years, 6 months ago

Answer is correct. NO (B)
upvoted 21 times

  UmbongoDrink Most Recent  4 months ago

Selected Answer: B
You should delete VM1. You recreate VM1, and then you add the network interface for VM1.
(repeated question!)
upvoted 1 times

  NaoVaz 9 months ago

Selected Answer: B
B) "No"

The only way to change a VNET on a VM pis by deleting and re-creating the VM.
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 77/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  EmnCours 9 months, 2 weeks ago

Selected Answer: B
Correct Answer: B
upvoted 1 times

  Lazylinux 12 months ago

Selected Answer: B
I Luv Honey Because it is B => VM=>VNET=>VNIC cannot migrate/move MUST all be in same region so either redeploy VM or create NEW one
and attach disk to it
upvoted 1 times

  manalshowaei 1 year ago

Selected Answer: B
B. No .
upvoted 1 times

  dasEnder 1 year, 1 month ago

Selected Answer: B
Correct answer
upvoted 2 times

  ajayasa 1 year, 3 months ago

this question was there on 16/03/2022 with same question and passed with 900 percent
upvoted 3 times

  Azure_daemon 1 year, 3 months ago

once you create a VM you can change the VNET unless redeploy the VM
upvoted 1 times

  deltarj 1 year, 4 months ago

q27, q28, q29 & q42 are in pack. [remember: Delete&Recreate!]
upvoted 3 times

  [Removed] 1 year, 6 months ago

Was on exam 15/11/2021
upvoted 5 times

  Khana 1 year, 7 months ago

repeated question
upvoted 2 times

  nfett 2 years ago

Answer is B. repeated question.
upvoted 2 times

  Sandroal29 2 years, 2 months ago

The provided answer is correct.
upvoted 1 times

  ZUMY 2 years, 3 months ago

No is correct
upvoted 2 times

  NickyDee 2 years, 5 months ago

Delete and recreate VM
upvoted 3 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 78/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #36 Topic 4

You have an Azure Active Directory (Azure AD) tenant named adatum.com that contains the users shown in the following table.

Adatum.com has the following configurations:

✑ Users may join devices to Azure AD is set to User1.
✑ Additional local administrators on Azure AD joined devices is set to None.
You deploy Windows 10 to a computer named Computer1. User1 joins Computer1 to adatum.com.
You need to identify the local Administrator group membership on Computer1.
Which users are members of the local Administrators group?

A. User1 only

B. User2 only

C. User1 and User2 only

D. User1, User2, and User3 only

E. User1, User2, User3, and User4

Correct Answer: C
Users may join devices to Azure AD - This setting enables you to select the users who can register their devices as Azure AD joined devices. The
default is All.
Additional local administrators on Azure AD joined devices - You can select the users that are granted local administrator rights on a device.
Users added here are added to the Device Administrators role in Azure AD. Global administrators, here User2, in Azure AD and device owners
are granted local administrator rights by default.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/devices/device-management-azure-portal

Community vote distribution

C (100%)

  fedztedz Highly Voted  2 years, 6 months ago

Answer is correct . User 1 and User 2 only.
First the only user who can join Azure AD devices is User 1 . since User1 is admin on machine. So, the machine can be added.
Second, the ones that can be local admins on Windows 10 are managed under "Additional local administrators" , since this is not mentioned, so we
can assume default.
By default, the ones are global administrator and device owners (device administrators). This lead us to User1 and User2 only
upvoted 187 times

  ik96 1 year, 8 months ago

correct answer
upvoted 13 times

  kt_tk_2020 Highly Voted  2 years, 6 months ago

ans : D,
https://docs.microsoft.com/en-us/azure/active-directory/devices/assign-local-admin
When you connect a Windows device with Azure AD using an Azure AD join, Azure AD adds the following security principals to the local
administrators group on the device:

The Azure AD global administrator role

The Azure AD device administrator role
The user performing the Azure AD join
upvoted 34 times

  akash2504 2 years, 1 month ago

When you connect a Windows device with Azure AD using an Azure AD join, Azure AD adds the following security principals to the local
administrators group on the device:

The Azure AD global administrator role

The Azure AD device administrator role
The user performing the Azure AD join

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 79/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

ans is D
upvoted 5 times
  Rob89435 1 year, 10 months ago
It's the 'Azure AD joined device local administrator role' not the 'Cloud Device Administrator'.
So C is correct.

When you connect a Windows device with Azure AD using an Azure AD join, Azure AD adds the following security principals to the local
administrators group on the device:
The Azure AD global administrator role
The Azure AD joined device local administrator role
The user performing the Azure AD join
upvoted 18 times

  Lkk51 2 years ago

Cloud Device Administrator

Users in this role can enable, disable, and delete devices in Azure AD and read Windows 10 BitLocker keys (if present) in the Azure portal. The
role does not grant permissions to manage any other properties on the device.

answer is C
upvoted 12 times

  lodo 2 years, 6 months ago

Ans C, cause the AZ AD device admin is added, not the AZ AD CLOUD device admin
upvoted 9 times

  Pukacz 2 years, 5 months ago

Yes, here are the role descriptions https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference
so the answer C is correct.
upvoted 4 times

  AZcheck Most Recent  4 weeks, 1 day ago

User 1 & 2 only
upvoted 1 times

  CommanderBigMac 3 months, 3 weeks ago

This question feels very badly worded
upvoted 3 times

  UmbongoDrink 4 months ago

Selected Answer: C
User1 and User2 only
upvoted 1 times

  LiamAzure 7 months, 1 week ago

Selected Answer: C
Global Admin, Azure AD joined device local administrator role, User joining the device. The additional local administrators box is for any addition
local admins you want to manually add, but default is set to none
upvoted 1 times

  NaoVaz 9 months ago

Selected Answer: C
C) " User1 and User2 only "

User1 because he joined the Device to the tenant so he must be Admin on the device.
By default, Local administrators on joined devices, are the device owners and Global Administrators, so User2 is also.

Reference: https://docs.microsoft.com/en-us/azure/active-directory/devices/assign-local-admin#how-it-works
upvoted 5 times

  EmnCours 9 months, 2 weeks ago

Selected Answer: C
Correct Answer: C 🗳️
Users may join devices to Azure AD - This setting enables you to select the users who can register their devices as Azure AD joined devices. The
default is All.
Additional local administrators on Azure AD joined devices - You can select the users that are granted local administrator rights on a device. Users
added here are added to the Device Administrators role in Azure AD. Global administrators, here User2, in Azure AD and device owners are granted
local administrator rights by default.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/devices/device-management-azure-portal
upvoted 1 times

  Lazylinux 12 months ago

Selected Answer: C

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 80/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

C is correct
When you connect a Windows device with Azure AD using an Azure AD join, Azure AD adds the following security principals to the local
administrators group on the device:
*The Azure AD global administrator role
*The Azure AD device administrator role
*The user performing the Azure AD join
*Users may join devices to Azure AD - This setting enables you to select the users who can register their devices as Azure AD joined devices. The
default is All.
*Azure AD Join enables users to join their devices to Active Directory from anywhere as long as they have connectivity with the Internet
*The Users may join devices to Azure AD setting enables you to select the users who can join devices to Azure AD. Options are All, Selected and
None. The default is All

**remember AZ AD device admin is NOT same as Cloud device admin, MS misleading here*
upvoted 9 times
  manalshowaei 1 year ago
Selected Answer: C
C. User1 and User2 only
upvoted 1 times

  scottims 1 year, 1 month ago

Ans. C
Tested this in lab
Azure Joined device with User1. Was presented with a box stating domain joining and User1 would be Administrator of device.

Added User2 to Cloud Device Administrator Role. Signed into the device and tried to run cmd as administrator. Result...UAC screen requesting
administrative credentials. Entered User1 credentials and administrative cmd opened.
upvoted 1 times

  josevirtual 1 year, 2 months ago

Selected Answer: C
C is correct
upvoted 1 times

  InvisibleShadow 1 year, 3 months ago

This question came in the exam today 8/Mar/2022.
I passed the exam, 95% questions came from here.
upvoted 2 times

  vineetkchauhan 1 year ago

you only put this comment to every question.. Are you a bot or trying to just creditibity of this source.
upvoted 4 times

  sid132 1 year, 3 months ago

On the exam today, 4.March.2022
upvoted 3 times

  nidhogg 1 year, 4 months ago

On the exam today, 1.feb.2022
Just 761/1000, but OK! :D
Thanks to ExamTopics and to you all!
upvoted 7 times

  HenriKI2 1 year, 5 months ago

https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference
For BuiltinRoles
upvoted 1 times

  AubinBakana 1 year, 9 months ago

(Updating my previous comment.)

- A cloud administrator is not a built-in A AD role. It's not RBAC either - probably a custom for cloud resources at best. I did a quick search but
found nothing in the built-in roles.

- Intune Administrator is an *AAD role but only applies to devices registered with Intune.

User1 is a local administrator

- When the device is joined to AAD the Global administrator is added to the device as a local and a domain admin - has access to everything

Revealed answer is correct.

upvoted 3 times

  AubinBakana 1 year, 9 months ago

apply to devices & *users...
upvoted 1 times

  AubinBakana 1 year, 8 months ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 81/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

How I wish I could delete this - coming back here after a month. I realise this is completely wrong. A Cloud Device Administrator is a built-in
Role. I was looking at the wrong thing somehow, I must have been tired. My apologies.
upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 82/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #37 Topic 4

HOTSPOT -
You have Azure subscriptions named Subscription1 and Subscription2.
Subscription1 has following resource groups:

RG1 includes a web app named App1 in the West Europe location.
Subscription2 contains the following resource groups:

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

Box 1: No -
RG2 is read only. ReadOnly means authorized users can read a resource, but they cannot delete or update the resource.

Box 2: Yes -

Box 3: Yes -
Note:
App Service resources are region-specific and cannot be moved directly across regions. You can move the App Service resource by creating a
copy of your existing App Service resource in the target region, then move your content over to the new app. You can then delete the source app
and App Service plan.
To make copying your app easier, you can clone an individual App Service app into an App Service plan in another region.
Reference:
https://docs.microsoft.com/en-us/azure/app-service/manage-move-across-regions https://docs.microsoft.com/en-us/azure/azure-resource-
manager/management/move-limitations/app-service-move-limitations

  fedztedz Highly Voted  2 years, 6 months ago

Answer is Correct. Yes Yes Yes
- the lock is only effecting the resources itself with edit/delete. Which means If the resource is in a resource group with no lock types then it is free
to move to any other group even if the other group has lock type read only or delete.
However if the resource is a RG with read-only lock , it can NOT be moved. In case of no delete lock , it can be moved.
upvoted 116 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 83/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  Slimus 1 week, 2 days ago

I guess 'edit' also includes moving the resource.
upvoted 1 times

  Gde360 1 year, 10 months ago

N,Y,Y.
The first question was tested on Azure.
Created RG1, RG2. both are in West Europe. RG2 has assigned READ-ONLY lock.
Created web-App name App11223344 (same location as RG1,RG2) in RG1.
Removing App11223344 to RG2 failed.
------------------------------
{"code":"ResourceMovePolicyValidationFailed","message":"Resource move policy validation failed. Please see details. Diagnostic information:
request correlation id 'fd5981c2-705b-4966-b438-cd760bd1a13f'.","details":
[{"code":"ResourceMovePolicyValidationFailed","target":"Microsoft.Web/Microsoft.Web/sites/App11223344","message":"{\"error\":
{\"code\":\"ScopeLocked\",\"message\":\"The scope '/subscriptions/2df00a78-a9c5-4c98-92ef-
aa1fbbb50e6f/resourcegroups/RG2/providers/Microsoft.Web/sites/App11223344' cannot perform write operation because following scope(s)
are locked: '/subscriptions/2df00a78-a9c5-4c98-92ef-aa1fbbb50e6f/resourceGroups/RG2'. Please remove the lock and try again.\"}}"}]}
upvoted 204 times

  pappkarcsiii 1 year, 4 months ago

Same here, can't move - N, Y, Y.
{"code":"ResourceMovePolicyValidationFailed","message":"Resource move policy validation failed. Please see details. Diagnostic information:
subscription id '082877ab-8970-41b0-8ba8-5246ccda0cbe', request correlation id 'eec62f30-ecd6-49b1-995c-e8efc3072e0a'.","details":
[{"code":"ResourceMovePolicyValidationFailed","target":"Microsoft.Network/Microsoft.Network/virtualNetworks/test1","message":"{\"error\":
{\"code\":\"ScopeLocked\",\"message\":\"The scope '/subscriptions/082877ab-8970-41b0-8ba8-
5246ccda0cbe/resourcegroups/pk_test_2/providers/Microsoft.Network/virtualNetworks/test1' cannot perform write operation because
following scope(s) are locked: '/subscriptions/082877ab-8970-41b0-8ba8-5246ccda0cbe/resourceGroups/pk_test_2'. Please remove the lock
and try again.\"}}"}]}
upvoted 30 times

  Asten 7 months, 1 week ago

Correct. I tested it also.
upvoted 9 times

  madao322 3 months ago

I am afraid you are wrong on this one. The answer should be NYY.
The source resource group and the destination resource group must be both editable to process the resources migration. As the destination
group is read only, you will not be able to move anything into it until the lock is lifted
upvoted 1 times

  ThatDowntownSmell 11 months, 3 weeks ago

Absolutely incorrect on the first answer. A simple test shows this when trying to move a resource into a resource group with a read-only lock:
...cannot perform write operation because the following scope(s) are locked: ...

The correct answers a N,Y,Y

upvoted 18 times

  mlantonis Highly Voted  2 years ago

Correct Answer:

Locks are designed for any update or removal. In this case we want to move only, we are not deleting, and we are not changing anything in the
resource. For this reason, all of them are 'Y'.

Box 1: Yes

Box 2: Yes

Box 3: Yes
upvoted 72 times

  sjb666 1 year, 1 month ago

Just tried this in the lab, copying a web app to a ReadOnly locked RG and go the following:
{"code":"ResourceMovePolicyValidationFailed","message":"Resource move policy validation failed. Please see details. Diagnostic information:
subscription id 'e37b5b3d-ffdd-48c0-9660-a7beaded46eb', request correlation id '2ff3ba94-5bde-474d-a119-955b8303e2c5'.","details":
[{"code":"ResourceMovePolicyValidationFailed","target":"Microsoft.Web/Microsoft.Web/sites/WebApp12345989","message":"{\"error\":
{\"code\":\"ScopeLocked\",\"message\":\"The scope '/subscriptions/e37b5b3d-ffdd-48c0-9660-
a7beaded46eb/resourcegroups/VM1_group/providers/Microsoft.Web/sites/WebApp12345989' cannot perform write operation because
following scope(s) are locked: '/subscriptions/e37b5b3d-ffdd-48c0-9660-a7beaded46eb/resourceGroups/VM1_group'. Please remove the lock
and try again.\"}}"}]}
So N,Y,Y.
upvoted 19 times

  ckanoz 1 year, 3 months ago

I tested this in a Lab. Yopu can not move to a Resource Group that has a Read-Only Lock

{"code":"ResourceMovePolicyValidationFailed","message":"Resource move policy validation failed. Please see details. Diagnostic information:
subscription id '6c099931-f171-414c-8134-bcf8ce904d1b', request correlation id 'c50cf950-4b83-47ba-8e4f-5ac3d978c334'.","details":
[{"code":"ResourceMovePolicyValidationFailed","target":"Microsoft.Web/Microsoft.Web/sites/aps1","message":"{\"error\":

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 84/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

{\"code\":\"ScopeLocked\",\"message\":\"The scope '/subscriptions/6c099931-f171-414c-8134-

bcf8ce904d1b/resourcegroups/HouseGreyjoy/providers/Microsoft.Web/sites/aps1' cannot perform write operation because following scope(s)
are locked: '/subscriptions/6c099931-f171-414c-8134-bcf8ce904d1b/resourceGroups/HouseGreyjoy'. Please remove the lock and try
again.\"}}"}]}
upvoted 9 times
  dotseree 3 months ago
In Box 1 case, it is the destination that is preventing the action not the source. The destination RG is Read-only, meaning you can add any
resource to it.
upvoted 1 times

  matejka 7 months, 2 weeks ago

You are not correct in this case. Box 1 = N. I tested in lab and you cannot move a resource to an RG that has a read-only lock.
upvoted 7 times

  Spooky7 Most Recent  2 months, 3 weeks ago

I think answer is NNN

App Service is region specific and cannot be moved acrossed regions. Reason behind it is most likely fact that App Service needs an App Service
Plan and both has to be in the same region. One App Service Plan can be attached to more than one App Service. You cannot move one without
another.
upvoted 5 times

  amiray 2 months, 3 weeks ago

Read the question well, no one is moving anything across regions, it's in a different Resource groups.
upvoted 4 times

  Doman01 3 months ago

Everyone seems to agree on

2. YES
3. YES

1. is NO - tested in lab, screenshot below

https://imgur.com/a/A3J3hEj
upvoted 3 times

  YL123 3 months, 1 week ago

Must be NNN
As the answer says, "App Service resources are region-specific and cannot be moved directly across regions."
And also read this:
https://learn.microsoft.com/en-us/azure/resource-mover/common-questions#what-resources-can-i-move-across-regions-using-resource-mover
Which means, web app cannot move to another region.
RG2 is locked.
upvoted 4 times

  Benzitho 1 month ago

Read the question properly we are not moving App1 to another region , we simply moving App1 to another RG . Remember you can have
resources from different regions in an RG .
upvoted 2 times

  ConanBarb 3 months, 3 weeks ago

Box 3 is Yes but not for the complex reason stated (that App Service cant be moved crossed regions, and thus need to be duplicated to its new
location):
The question is merely if App1 can be moved to another Resource Group, not moving the resource to be deployed in another region/location. You
can move between RGs without any impact on resource region deployment (just mind the resource locks).
upvoted 1 times

  curtmcgirt 3 months, 3 weeks ago

i know this question is testing our Lock knowledge, but. define "move."

this not-at-all contradictory article:

https://learn.microsoft.com/en-us/azure/app-service/manage-move-across-regions
1. is entitled "move an app service resource to another region"
2. clearly states that "App Service resources are region-specific and can't be moved across regions."
3. has a section entitled "move" that contains instructions to "move" an app service from one region to another. by backing it up and restoring it. is
backing it up in one region and restoring it in another still 'moving' it?
upvoted 6 times

  RougePotatoe 4 months, 1 week ago

Question is testing if you know how locks and Resource group / Resource location works.

Resources do not have to be in the same region as the Resource Groups.

So never assume a resource is based in a region mean all resources in the group is based in the same region.
upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 85/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  lingxian 4 months, 2 weeks ago

Web App can't be moved between different regions, you can only back up the web app and restore in another region.

So No, No, No
upvoted 5 times

  darthfodio 5 months, 1 week ago

I've seen a number of questions with posts that have wrong information from "Highly Voted" individuals. And people blindly upvote because of the
"Highly Voted" status, even if the answer doesn't quite add up. Think about it, a Read-Only lock means only read actions can occur. So, adding and
removing obviously won't work. That doesn't just apply to Azure, that is status quo pretty when applied in any platform or technology. Don't get
me wrong, "Highly Voted" individuals do provide mostly correct answers. But we have to validate these answers and stop blindly upvoting.
upvoted 8 times

  RougePotatoe 3 months, 3 weeks ago

Sounds like someone didn't try to move a read only resource in Azure. If you tried it you would know you can move read only resources in
azure.
upvoted 1 times

  RougePotatoe 3 months, 3 weeks ago

I was incorrect. While a lock emplaced on an individual resource such as a vNet would allow the resource to be moved a lock emplaced on a
RG would prevent the resource from being moved to that new resource group.
upvoted 1 times

  Sharing 5 months, 2 weeks ago

NNN

Reference - App Service resources are region-specific and can't be moved across regions. You must create a copy of your existing App Service
resources in the target region, then move your content over to the new app
upvoted 4 times

  meeko86 6 months ago

Answer: No Yes Yes
No: A read-only lock makes the RG read-only. You won´t be able to make ANY changes including moving resources into it. You will get error
"ResourceMovePolicyValidationFailed"
Yes: Delete lock allows resources to be moved into the RG.
Yes: The question is about moving to another RG not to another region. Resource group is only a registry and its region should be independent
from the region of resource under it.
upvoted 3 times

  NaoVaz 9 months ago

1) App1 can be moved to RG2: "No"
2) App1 can be moved to RG3: "Yes"
3) App1 can be moved to RG4: "Yes"

ReadOnly means authorized users can read from a resource, but they can't delete it or perform any actions on it. Since this is app+lied to a
Resource Group, we shouldn't be able to move resources inside this Resource Group.
upvoted 9 times

  David1990 9 months, 2 weeks ago

N Y Y correct answer
upvoted 2 times

  EmnCours 9 months, 2 weeks ago

No, Yes, Yes
ReadOnly means authorized users can read from a resource, but they can't delete it or perform any actions on it.
upvoted 1 times

  Jdrr 9 months, 4 weeks ago

A lot of answers in this discussion are based on the theory which can be found in different web sites. I also was convinced that first option would
be Y based on the theory and also what I learned in the PlurqaSight training. Therefore I tested in my lab and I could not move to RG2. All people
who say they tested in their lab say NYY. Everyone who based their answer on the theory (and do not provide info that they have tested it in a lab),
say YYY (or NNN or something else). So please, everybody who wants to contribute to this discussion, TEST before you answer here, and don't rely
on the theory alone.
upvoted 6 times

  Jdrr 9 months, 4 weeks ago

fedztedz and mlantonis are very good and provide reliable answers, but they don't convince me in this case and they don't say they have tested
it themself.
upvoted 4 times

  SGTAY 10 months ago

No, Yes, Yes
ReadOnly means authorized users can read from a resource, but they can't delete it or perform any actions on it.
upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 86/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #38 Topic 4

HOTSPOT -
You have an Azure subscription named Subscription1 that contains the following resource group:
✑ Name: RG1
✑ Region: West US
✑ Tag: `tag1`: `value1`
You assign an Azure policy named Policy1 to Subscription1 by using the following configurations:
✑ Exclusions: None
✑ Policy definition: Append a tag and its value to resources
✑ Assignment name: Policy1
✑ Parameters:
✑ Tag name: tag2

Tag value: value2 -

After Policy1 is assigned, you create a storage account that has the following configuration:
✑ Name: storage1
✑ Location: West US
✑ Resource group: RG1
✑ Tags: `tag3`: `value3`
You need to identify which tags are assigned to each resource.
What should you identify? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

Box 1: "tag1": "value1" only -

Box 2: "tag2": "value2" and "tag3": "value3" only

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 87/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Tags applied to the resource group are not inherited by the resources in that resource group.
Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags

  michaelmorar Highly Voted  1 year, 1 month ago

Tag assigned to RG1 - tag1: value1
Tag assigned to storage1: tag2: value2 and tag3: value3

RG1 already exists so does not receive tag2.

According to the documentation:

"Add a tag to resources"

Adds the specified tag and value when any resource missing this tag is created or updated. Existing resources can be remediated by triggering a
remediation task. If the tag exists with a different value it will not be changed. Does not modify tags on resource groups.
upvoted 68 times

  Lazylinux Highly Voted  12 months ago

I was not sure til i read the following, i think part important to pay attention to it the "Append a tag and its value to resources" and as per below

Append a tag and its value to resources Appends the specified tag and value when any resource which is missing this tag is created or updated.
Does not modify the tags of resources created before this policy was applied until those resources are changed. Does not apply to resource
groups. New 'modify' effect policies are available that support remediation of tags on existing resources (see https://aka.ms/modifydoc).

Ans is
Tag assigned to RG1 - tag1: value1
Tag assigned to storage1: tag2: value2 and tag3: value3

https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/tag-policies
upvoted 20 times

  NJTH Most Recent  2 months, 1 week ago

Simular question was on todays exam.
(7th April 2023)
upvoted 7 times

  TheUltimateGuru 3 months ago

This is 100% the correct answer to this question:
Tag assigned to RG1 - tag1: value1
Tag assigned to storage1: tag1: value1, tag2: value2 and tag3: value3

Storage1 inherits 'tag1: value1' from RG1 also as storage1 was created in this resource group after it's creation and tags are indeed inherited from
the resource group IF created after tags are applied to the resource group.

Slight technicality will catch many people out!

upvoted 2 times

  SimonSM178 2 months, 3 weeks ago

that's actually 100% wrong, no documentation states that resources inherit the resource group tag. as a matter of fact, it's the opposite:
resource DO NOT inherit the tag of the resource group they belong to.
upvoted 5 times

  Trevor_VT 3 months ago

The resources does not inherit tags from the resource groups, so please do not use words like "100% correct", not true.
upvoted 4 times

  JYKL88 6 months ago

The answer is correct. Need to follow the sequence
upvoted 1 times

  awssecuritynewbie 8 months ago

The resource group Tag does not pass down to the resources. so Tag1: value 1 will never make it to the storage account.
But the AZURE POLICY set at the SUB level will be passed down to the NEW RESOURCES ONLY. so it will be Tag2: value 2 and Tag 3
upvoted 6 times

  LiamAzure 7 months, 1 week ago

"The resource group Tag does not pass down to the resources", why not?
upvoted 1 times

  xRiot007 2 weeks ago

Because tags are not inherited. If you want a tag applied you need a policy or to run a remediation task
upvoted 1 times

  NaoVaz 9 months ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 88/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

1) Tags assigned to RG1: "'tag1': 'value1' only"

2) Tags assigned to storage1: "'tag2': 'value2' and 'tag3': 'value3' only"

The Resource Group already existed before the Policy was created. And the policy is for resources only not resource groups.

The storage account was created with tag3 and then gets appended the tag2 because the policy.
upvoted 10 times

  EmnCours 9 months, 2 weeks ago

Tag assigned to RG1 - tag1: value1
Tag assigned to storage1: tag2: value2 and tag3: value3
upvoted 4 times

  Jdrr 9 months, 4 weeks ago

New resources created in Subscription1 will receive tag2:value2 from policy. Additional, Storage will get tag3:value3 set on the storage account
itself. RG1 will only have tag1:value1. Confirmed in lab.
upvoted 4 times

  franekfranek 11 months ago

Resources don't inherit the tags you apply to a resource group or a subscription. To apply tags from a subscription or resource group to the
resources, see Azure Policies - tags.
That's why tags assigned to storage1: tag2: value2 and tag3: value3
upvoted 9 times

  manalshowaei 1 year ago

C. User1 and User2 only
upvoted 1 times

  bluefoot 1 year, 1 month ago

https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/tag-policies
upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 89/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #39 Topic 4

HOTSPOT -
You have an Azure subscription named Subscription1.
In Subscription1, you create an alert rule named Alert1.
The Alert1 action group is configured as shown in the following exhibit.

Alert1 alert criteria triggered every minute.

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

Box 1: 60 -
One alert per minute will trigger one email per minute.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 90/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

✑ Voice: No more than 1 Voice call every 5 minutes.

✑ Email: No more than 100 emails in an hour.
✑ Other actions are not rate limited.
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/alerts-rate-limiting

  mlantonis Highly Voted  2 years ago

Correct Answer:

Box 1: 60
One alert per minute will trigger one email per minute.
Box 2: 12 or 0
-If it’s a typo and it means Alert1, then Answer = 12 (60/5 = 12)
-If it is actually Alert2 then Answer = 0

No more than 1 SMS every 5 minutes can be send, which equals 12 per hour (60/5 = 12).
Note: Rate limiting is a suspension of notifications that occurs when too many are sent to a particular phone number, email address or device. Rate
limiting ensures that alerts are manageable and actionable.

The rate limit thresholds are:

✑ SMS: No more than 1 SMS every 5 minutes.
✑ Voice: No more than 1 Voice call every 5 minutes.
✑ Email: No more than 100 emails in an hour.
✑ Other actions are not rate limited.

Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/alerts-rate-limiting
upvoted 219 times

  GohanF2 2 months, 1 week ago

you are the best answering the questions.
upvoted 2 times

  Gadzee 1 year, 4 months ago

Alert 2 should be 0.
upvoted 6 times

  AubinBakana 1 year, 9 months ago

This is so much work you've done for us all. They probably meant alert1 in that next question
upvoted 21 times

  krisbla Highly Voted  2 years, 1 month ago

** Take another look *
BOX 1: 60
BOX 2: Not sure if its a typo.. but it says "Alert2" .. they do not mention Alert2 only Alert1.
-If they meant Alert1 then Answer = 12
-If they meant Alert2 then Answer = 0
upvoted 22 times

  JunetGoyal Most Recent  1 month, 2 weeks ago

Exact same Q came in my exam on 30 April2023.
A. 60
B.12
upvoted 2 times

  Hongzu13 4 months, 3 weeks ago

This was on the exam today!
upvoted 4 times

  Bigc0ck 5 months, 1 week ago

On the test, answered that SMS part wrong
upvoted 3 times

  Moradiya 5 months, 1 week ago

This was came in exam on 01/04/23
upvoted 4 times

  Lexxsuse 5 months, 3 weeks ago

Had this question in exam - box 2 mentions ALERT1, so the correct answer is 60/12
upvoted 15 times

  anurag1122 5 months, 3 weeks ago

damn, this question came in my exam yesterday. I just passed the exam though! but surely my answer for this question was wrong.
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 91/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  JYKL88 6 months ago

The answer shohld be

Box 1 : 60

Box 2 : 0 (since its for alert 2)

upvoted 1 times

  jaysonpro 8 months, 2 weeks ago

i dont get it it says Alert2 so it should be 0 for the sms?
upvoted 2 times

  NaoVaz 9 months ago

1) The number of email messages that Alert1 will send in an hour is: "60"
2) The number of SMS messages that Alert2 will send in an hour is: "12"

Reference: https://docs.microsoft.com/en-us/azure/azure-monitor/platform/alerts-rate-limiting
upvoted 1 times

  EmnCours 9 months, 2 weeks ago

Box 1: 60 -
One alert per minute will trigger one email per minute.

Box 2: 12 -
No more than 1 SMS every 5 minutes can be send, which equals 12 per hour.
Note: Rate limiting is a suspension of notifications that occurs when too many are sent to a particular phone number, email address or device. Rate
limiting ensures that alerts are manageable and actionable.
The rate limit thresholds are:
✑ SMS: No more than 1 SMS every 5 minutes.
✑ Voice: No more than 1 Voice call every 5 minutes.
✑ Email: No more than 100 emails in an hour.
✑ Other actions are not rate limited.
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/alerts-rate-limiting
upvoted 1 times

  minix 11 months, 3 weeks ago

came in today's exam 25/6/2022
upvoted 4 times

  Lazylinux 12 months ago

Box 1: 60
Box2: 12
see below guidelines and remember test environments are double that
Rate limiting is a suspension of notifications that occurs when too many are sent to a particular phone number, email address or device. Rate
limiting ensures that alerts are manageable and actionable.

The rate limit thresholds in production are:

SMS: No more than 1 SMS every 5 minutes.
Voice: No more than 1 Voice call every 5 minutes.
Email: No more than 100 emails in an hour.
Other actions are not rate limited.

The rate limit thresholds for test action group are:

SMS: No more than 1 SMS every 1 minute.
Voice: No more than 1 Voice call every 1 minute.
Email: No more than 2 emails in every 1 minute.
Other actions are not rate limited.

More info here: https://docs.microsoft.com/en-us/azure/azure-monitor/alerts/action-groups

upvoted 3 times

  manalshowaei 1 year ago

Box 1: 60 -
One alert per minute will trigger one email per minute.

Box 2: 12 -
No more than 1 SMS every 5 minutes can be send, which equals 12 per hour.
upvoted 1 times

  Olram 1 year, 1 month ago

Passed today. this is part of the exam. 4/23/22
upvoted 2 times

  Toastbroodjie 1 year, 2 months ago

MS expecting people to know the rate limit thresholds by heart, like if someone wakes you up at 2am to ask if how many sms alerts can they send
and hour.
upvoted 15 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 92/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 93/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #40 Topic 4

You have an Azure subscription named Subscription1 that contains the resources shown in the following table.

You create virtual machines in Subscription1 as shown in the following table.

You plan to use Vault1 for the backup of as many virtual machines as possible.
Which virtual machines can be backed up to Vault1?

A. VM1 only

B. VM3 and VMC only

C. VM1, VM2, VM3, VMA, VMB, and VMC

D. VM1, VM3, VMA, and VMC only

E. VM1 and VM3 only

Correct Answer: D
To create a vault to protect virtual machines, the vault must be in the same region as the virtual machines. If you have virtual machines in
several regions, create a
Recovery Services vault in each region.
Reference:
https://docs.microsoft.com/bs-cyrl-ba/azure/backup/backup-create-rs-vault

Community vote distribution

D (100%)

  fedztedz Highly Voted  2 years, 6 months ago

Answer is correct. D
The following criteria is important for vault backup, the data source (VM) must be in the same region and subscription. It works with any resource
group or any Operating system. Accordingly the answer is correct.
https://docs.microsoft.com/en-us/azure/backup/backup-azure-arm-vms-prepare
upvoted 94 times

  mlantonis Highly Voted  2 years ago

Correct Answer: D

To create a Recovery Services Vault to protect Virtual Machines, the vault must be in the same Region as the Virtual Machines. If you have Virtual
Machines in several Regions, create a
Recovery Services Vault in each Region. It works with any resource group or any Operating System.

Reference:
https://docs.microsoft.com/bs-cyrl-ba/azure/backup/backup-create-rs-vault
https://docs.microsoft.com/en-us/azure/backup/backup-azure-arm-vms-prepare
upvoted 87 times

  mythjava Most Recent  3 months, 3 weeks ago

Answer is D.
All the VMs in the same region and subscription as that of the vault are available to configure backup.
https://learn.microsoft.com/en-us/azure/backup/backup-azure-arm-vms-prepare
upvoted 1 times

  UmbongoDrink 4 months ago

Selected Answer: D
VM1, VM3, VMA, and VMC only
upvoted 1 times
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 94/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  raym1980 5 months, 1 week ago

Selected Answer: D
Came up in exam today, Answer: D
920/1000
upvoted 5 times

  WinaChang 6 months, 2 weeks ago

does anyone knows how to access page 20
the website block it likely...
upvoted 2 times

  vg123 3 months, 2 weeks ago

by purchasing contributor plan
upvoted 1 times

  NaoVaz 9 months ago

Selected Answer: D
D) " VM1, VM3, VMA, and VMC only "

"Region: Select the geographic region for the vault. For you to create a vault to help protect any data source, the vault must be in the same region
as the data source." - https://docs.microsoft.com/bs-latn-ba/azure/backup/backup-create-rs-vault
upvoted 2 times

  Davin0406 9 months, 1 week ago

So this is the last page of free AZ-104 dump...is there anyone who payed for contributor access? I read some reviews, and they say error comes out
after payment so I'm worried if it's safe to pay or not:(
upvoted 2 times

  Davin0406 9 months, 1 week ago

I payed 1 year contributor access haha Nothing bad happened! I hope to pass the exam this month:)
upvoted 3 times

  EmnCours 9 months, 2 weeks ago

Selected Answer: D
Correct Answer: D 🗳️
To create a vault to protect virtual machines, the vault must be in the same region as the virtual machines. If you have virtual machines in several
regions, create a
Recovery Services vault in each region.
Reference:
https://docs.microsoft.com/bs-cyrl-ba/azure/backup/backup-create-rs-vault
upvoted 2 times

  Socca 10 months ago

The vault must be in the same region as the VMs that you went to backup to this vault so correct answer is D
upvoted 1 times

  Raks06 10 months ago

Correct, the VM must be in the same region as the Vault.
upvoted 1 times

  M1M31l 10 months, 2 weeks ago

Answer is correct. D
upvoted 1 times

  tt2tt 10 months, 3 weeks ago

Selected Answer: D
Correct Answer D
VMs should be in same location with recovery services vault.

This is really sad as it's last available questions from this site on az104. Is there any other site you would recommend?
upvoted 2 times

  nkhan19 11 months ago

Selected Answer: D
They could have simply written VM1,VM2,VM3,VM4,VM5 but it seems they're more interested in in confusing a candidate than him/her passing
with proper logic.

Some questions seem to be purposefully written in this way.

upvoted 1 times

  knotty25 11 months, 1 week ago

DOES ANYONE HAS ACCESS TO ALL 250 QUESTIONS? after 150 questions, it says blocked further access.
upvoted 5 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 95/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  IRISone 11 months, 2 weeks ago

Selected Answer: D
D is correct as stated by others. Resource Group doesn't matter. Only region and subscription. Backup van be for any VM
upvoted 1 times

  aleksandarivanov 11 months, 3 weeks ago

Wow, this is the last available question here... this is unfortunate.
upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 96/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #41 Topic 4

You have an Azure Kubernetes Service (AKS) cluster named AKS1.

You need to configure cluster autoscaler for AKS1.
Which two tools should you use? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.

A. the kubectl command

B. the az aks command

C. the Set-AzVm cmdlet

D. the Azure portal

E. the Set-AzAks cmdlet

Correct Answer: AB
A: The following example uses the kubectl autoscale command to autoscale the number of pods in the azure-vote-front deployment. If average
CPU utilization across all pods exceeds 50% of their requested usage, the autoscaler increases the pods up to a maximum of 10 instances. A
minimum of 3 instances is then defined for the deployment: kubectl autoscale deployment azure-vote-front --cpu-percent=50 --min=3 --max=10
B: Use the az aks update command to enable and configure the cluster autoscaler on the node pool for the existing cluster.
Reference:
https://docs.microsoft.com/en-us/azure/aks/tutorial-kubernetes-scale https://docs.microsoft.com/en-us/azure/aks/cluster-autoscaler

Community vote distribution

BD (63%) AB (33%) 2%

  fedztedz Highly Voted  2 years, 6 months ago

The Answer is not correct. The right is B & D.
B is for az aks command , check https://docs.microsoft.com/en-us/azure/aks/cluster-autoscaler
D is for Azure portal. Under node pools, press scale, then choose auto scale.

The Answer A is not correct as it is confusing with Horizontal pod autoscale which is not asked here. The pod autoscale use kubectl.
upvoted 181 times

  diligent176 2 years, 5 months ago

The article does a good job explaining the difference of "cluster autoscaler" and "horizontal pod autoscaler"...
https://docs.microsoft.com/en-us/azure/aks/cluster-autoscaler
FYI also - the PowerShell command that can do this same task is "Set-AzAksCluster" (not Set-AzAks). B and D it is!
upvoted 12 times

  jantoniocesargatica 2 years, 1 month ago

There are 2 things to understand:
a) Are we talking about pods?
b) Are we talking about nodes?

The question is regarding how to autoscale the AKS, so it means that we are talking about the nodes. As we are talking how to scale the nodes:
a) az aks is neccesary
b) Then you scale the nodes in the portal.
The correct answers are B & D.

If we want to scale the pods, the options would be kubelet, but it is not the case. We are not talking about the containers, we are talking about
the infrastructure behind this.
upvoted 80 times

  mythjava 3 months, 3 weeks ago

Where is the option about D?
upvoted 1 times

  juniorccs 1 year, 5 months ago

thanks for the clarification
upvoted 5 times

  marcellov 2 years, 1 month ago

To corroborate with your answer, kubectl autoscale "creates an autoscaler that automatically chooses and sets the number of pods that run in a
kubernetes cluster":

https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#autoscale

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 97/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

According to Microsoft, this is a Horizontal pod autoscale, not a Cluster autoscale:

https://docs.microsoft.com/en-us/azure/aks/cluster-autoscaler#about-the-cluster-autoscaler
upvoted 5 times

  jantoniocesargatica 2 years, 1 month ago

But we are not talking about the pods, we are talinkg about the nodes, so is B and D. Think that this service is managed by Azure, and they
will not allow to do this by yourself, and this is the reason why you must choose the portal.
upvoted 5 times

  Hibs2016 2 years, 6 months ago

Do you have any links for doing the scaling in the portal?
upvoted 4 times

  mlantonis Highly Voted  2 years ago

Correct Answer: B and D

We need to configure autoscaler for the AKS cluster. We do not want to scale Kubernetes pods, so kubectl command is not needed.

A: kubectl command is used for configuring Kubernetes and not AKS cluster.
B: The az aks command is used for the AKS cluster configuration.
C: Set-AzVm cmdlet is used for VMs.
D: Azure portal, under node pools, press scale, then choose auto scale.
E: Set-AzAks, creates or updates an AKS cluster, the correct cmdlet is Set-AzAksCluster.

AKS clusters can scale in one of two ways:

- The cluster autoscaler watches for pods that can't be scheduled on nodes because of resource constraints. The cluster then automatically
increases the number of nodes.
- The horizontal pod autoscaler uses the Metrics Server in a Kubernetes cluster to monitor the resource demand of pods. If an application needs
more resources, the number of pods is automatically increased to meet the demand.

Reference:
https://docs.microsoft.com/en-us/azure/aks/cluster-autoscaler
upvoted 167 times

  klexams 7 months, 2 weeks ago

I agreed already but then you pointed out the two ways:
- The cluster autoscaler
- The horizontal pod autoscaler

The 2nd uses kubectl so the answer is A and B.

upvoted 1 times

  Mozbius_ 1 year, 4 months ago

Thank you for the very clear explanations!!!
upvoted 3 times

  JunetGoyal Most Recent  1 month, 2 weeks ago

Exact same Q came in my exam on 30 April2023.I choose A, B.
I want not sure between A,D. haahaahh
upvoted 4 times

  zzreflexzz 1 month, 2 weeks ago

on exam 4/29/23
upvoted 2 times

  Exilic 1 month, 3 weeks ago

Selected Answer: BE
ChatGPT response:

The two tools you should use to configure cluster autoscaler for AKS1 are:

B. the az aks command, which provides a command-line interface for managing AKS clusters, including the ability to enable and configure cluster
autoscaler.

E. the Set-AzAks cmdlet, which is a PowerShell cmdlet for managing AKS clusters. It can be used to enable and configure cluster autoscaler.

Therefore, options B and E are correct. Options A, C, and D are not required for this task.

"follow up question"
Will the answer be the same if I need to configure autoscaler for the AKS cluster. I do not want to scale Kubernetes pods

Yes, the answer would still be the same.

Configuring cluster autoscaler for an AKS cluster is independent of scaling Kubernetes pods. The purpose of cluster autoscaler is to automatically
adjust the size of the AKS cluster based on the resource demands of the workloads running on it, while scaling Kubernetes pods involves adjusting
the number of replicas for a specific deployment or replica set.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 98/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Therefore, to configure cluster autoscaler for an AKS cluster, you would still need to use the az aks command and the Set-AzAks cmdlet.
upvoted 1 times

  garmatey 2 weeks, 1 day ago

be more critical of chatgpt's answers....
upvoted 1 times

  mythjava 3 months, 3 weeks ago

Selected Answer: BD
B,D is correct, A,C,E is not.
upvoted 1 times

  UmbongoDrink 4 months ago

Selected Answer: BD
We need to configure autoscaler for the AKS cluster. We do not want to scale Kubernetes pods, so kubectl command is not needed.

Use Portal under Node Pools

upvoted 2 times

  typales2005 5 months ago

Selected Answer: BD
was in 09/01/2023 exam.
upvoted 5 times

  Bigc0ck 5 months, 1 week ago

definitly on the test I took
upvoted 3 times

  Moradiya 5 months, 1 week ago

This was came in exam on 01/04/23
upvoted 3 times

  typales2005 5 months, 1 week ago

What did you answer?
upvoted 1 times

  prem007 6 months ago

Selected Answer: BD
If you need to create an AKS cluster, use the az aks create command.
link :If you need to create an AKS cluster, use the az aks create command.
Deploy an AKS cluster using the Azure portal.
Run a sample multi-container application with a web front-end and a Redis instance in the cluster.

linkhttps://learn.microsoft.com/en-us/azure/aks/learn/quick-kubernetes-deploy-portal?tabs=azure-cli
upvoted 1 times

  anushak 6 months ago

the answer is A and B
upvoted 1 times

  Jamal786 6 months, 3 weeks ago

I have prepared myself from Microsoft partners SPEKTRA SYSTEMS and there I found this same question which was as below:
You have an Azure Kubernetes Service Cluster named AKS1. For configuring an Autoscaler in AKS1 what are the COMMANDS you need to execute?
So with only one word has changed which is commands and solution would also be change which is
1) the az aks command
2) Set-AzAks cmdlet

SO, be attentive in the exam. MICROSOFT is clever!

upvoted 4 times

  Jamal786 6 months, 3 weeks ago

B and D are the right answers to this question. But in the exam, if the question comes with COMMANDS instead of TOOLS?
then answers are:
1) the az aks command
2) Set-AzAks cmdlet
upvoted 2 times

  BYNeo 7 months ago

Why D? unless it mention Azure portal cloud shell
upvoted 1 times

  klexams 7 months, 2 weeks ago

Selected Answer: AB

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 99/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

The cluster autoscaler watches for pods that can't be scheduled on nodes because of resource constraints. The cluster then automatically increases
the number of nodes. - The horizontal pod autoscaler uses the Metrics Server in a Kubernetes cluster to monitor the resource demand of pods. If
an application needs more resources, the number of pods is automatically increased to meet the demand.

The 2nd way uses kubectl.

upvoted 1 times
  simonseztech 8 months ago
Selected Answer: BD
https://learn.microsoft.com/en-us/azure/aks/cluster-autoscaler
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 100/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #42 Topic 4

You create the following resources in an Azure subscription:

✑ An Azure Container Registry instance named Registry1
✑ An Azure Kubernetes Service (AKS) cluster named Cluster1
You create a container image named App1 on your administrative workstation.
You need to deploy App1 to Cluster1.
What should you do first?

A. Run the docker push command.

B. Create an App Service plan.

C. Run the az acr build command.

D. Run the az aks create command.

Correct Answer: C
You should sign in and push a container image to Container Registry.
Run the az acr build command to build and push the container image. az acr build \
--image contoso-website \
--registry $ACR_NAME \
--file Dockerfile .
Reference:
https://docs.microsoft.com/en-us/learn/modules/aks-deploy-container-app/5-exercise-deploy-app

Community vote distribution

A (77%) C (23%)

  VANSI Highly Voted  2 years, 1 month ago

I have this same question in the exam (passed) and does not have the option C.
So I choose the Docker push.
upvoted 137 times

  fedztedz Highly Voted  2 years, 6 months ago

Answer is Correct . C.
The question has a lot of missing steps.
If we go with Answer A. then we need the following:
- Make sure that ACR is integrated to AKS.
- docker tag has been run with the right ACR.
- docker push
- create kubectl apply with the right deployment and right ACR.
In case we go with Answer C.
- No need for docker push or tag.
- still need to make sure that ACR is integrated to AKS.
- then run kubectl apply
upvoted 86 times

  T0SHI 3 months, 2 weeks ago

C. Run the az acr build command.

ACR tasks automatically push successfully built images to your registry by default, allowing you to deploy them from your registry immediately.

Microsoft exam - Microsoft documentation ... If you are in doubt go to:

https://learn.microsoft.com/en-us/azure/container-registry/container-registry-tutorial-quick-task#deploy-to-azure-container-instances
upvoted 1 times

  djgodzilla Most Recent  2 months, 3 weeks ago

Selected Answer: C
C for question that include the Option . some don't have C option hence choose A: push
1. Create a new container registry
$ az acr create --resource-group $RG ..
2. create a dockerfile inside directory
echo "FROM hello-world" > Dockerfile
3. Build an Image and Push to ACR
run below command using the newly created Dockerfile
$ az acr build --image sample/hello-world:v1 --registry acrbuildcontainer11 --file Dockerfile .
- View the newly created container registry with the sample/hello-world repository.
Go to container registry>acrbuildcontainer11 >Services: Repositories>sample/hello/world > click v1

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 101/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 2 times

  djgodzilla 2 months, 3 weeks ago

In this specific case, the container image has already exists , hence might not need to rebuild and pushed using az acr build .
1. login to ACR registry
$ docker login $registryServer.azurecr.io --username UserDemo
2. Tag our container image:
$ docker tag containerdemo $registryServer.azurecr.io/Myimages/containerdemo/latest
3. Push image
$ docker push $registryServer.azurecr.io/Myimages/containerdemo/latest
📍 Check Repo: go To Container registry> Repositories
Check Myimages/containerdemo subfolder
upvoted 1 times

  Spooky7 2 months, 2 weeks ago

But docker image is build on your workstaition machine. It isn't registered in ACR yet.
upvoted 2 times

  fishbonemsk 3 months ago

Selected Answer: A
OpenAI answer:

To deploy App1 to Cluster1, you should first push the container image to the Azure Container Registry instance named Registry1.

Therefore, the correct answer is A. Run the docker push command.

The other answers are wrong because:

B. Creating an App Service plan is used for hosting web apps, not for deploying containerized applications to AKS.

C. Running the az acr build command is used to build and push a Docker container image to an Azure Container Registry (ACR), but in this case,
the container image has already been built, so it only needs to be pushed to the ACR.

D. Running the az aks create command is used to create a new AKS cluster, not to deploy a container image to an existing cluster.
upvoted 8 times

  Andy_S 2 weeks, 5 days ago

You are not able to deploy image from LOCAL (administrative) workstation.
upvoted 1 times

  hfk2020 3 months, 1 week ago

The first step to deploy the container image to the AKS cluster is to store the container image in the Azure Container Registry. Therefore, the
correct answer is:

C. Run the az acr build command.

The az acr build command builds a Docker container image using a Dockerfile in a specified build context and stores it in an Azure Container
Registry. Once the container image is stored in the registry, it can be deployed to an AKS cluster using a Kubernetes deployment manifest.

The docker push command is used to push a Docker container image to a registry. However, in this scenario, the registry is an Azure Container
Registry, and therefore, the az acr build command should be used instead.

Creating an App Service plan is not relevant to deploying a container image to an AKS cluster.

Creating an AKS cluster is also not relevant to deploying a container image to the cluster. The AKS cluster needs to be up and running before
deploying the container image, but it is not the first step.
upvoted 2 times

  Mazinger 3 months, 3 weeks ago

Selected Answer: A
To deploy the container image to the Azure Kubernetes Service (AKS) cluster, you first need to push the container image to the Azure Container
Registry (ACR) instance. Therefore, the correct answer is:
A. Run the docker push command.
The docker push command pushes the container image to the specified container registry, in this case, Registry1. After the image is pushed to the
registry, you can deploy the application to the AKS cluster using Kubernetes manifests or tools such as Helm.
Option B, "Create an App Service plan," is not applicable to AKS as it is used for Azure App Service. Option C, "Run the az acr build command," is
used to build and push container images to ACR but since the container image has already been created, it is not necessary. Option D, "Run the az
aks create command," is used to create a new AKS cluster, but it is not necessary in this case since Cluster1 has already been created.
upvoted 2 times

  Stevy_nash 4 months ago

Selected Answer: A
The az acr build command is used to build and push Docker images to an Azure Container Registry. It automates the build process and pushes the
resulting image directly to the registry, eliminating the need to run separate docker build and docker push commands.

However, in this scenario, the container image App1 has already been built on your administrative workstation, and you only need to push it to the
Azure Container Registry. Therefore, you don't need to use the az acr build command. Instead, you can simply use the docker push command to
push the existing App1 image to Registry1, as shown in the previous answer.
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 102/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 3 times
  sabsyed 4 months, 1 week ago
a is correct answer
upvoted 1 times

  Mo22 4 months, 3 weeks ago

Selected Answer: A
To deploy App1 to Cluster1, you should first run the "docker push" command to push the container image to the Registry1 container registry. This
will make the image available to the AKS cluster, so that it can be deployed.
upvoted 1 times

  Jamal786 6 months, 3 weeks ago

I have prepared myself from Microsoft partners SPEKTRA SYSTEMS and there I found the right solution: C. Please correct yourself!

Explanation
az acr build --registry $ACR_NAME --image helloacrtasks:v1 .
This will use to import and manage the image in a private Azure container registry, and update your Dockerfile to use your privately managed base
image

Reference link
https://learn.microsoft.com/en-us/azure/container-registry/container-registry-tutorial-quick-task
upvoted 1 times

  bdumois 8 months, 2 weeks ago

Both A and C are correct answers, this is one of those.
I have been using this command at work and it builds and pushes the image into the ACR (C) it is very simple, just one step.
If you have the image built, you could use docker push (A).
I picked C only because it's how we do it at work.
upvoted 3 times

  pkkalra 9 months, 1 week ago

Selected Answer: A
image is already created. You just need to push image to ACR via docker push command
upvoted 5 times

  EmnCours 9 months, 2 weeks ago

Selected Answer: C
Correct Answer: C 🗳️
You should sign in and push a container image to Container Registry.
Run the az acr build command to build and push the container image. az acr build \
--image contoso-website \
--registry $ACR_NAME \
--file Dockerfile .
Reference:
https://docs.microsoft.com/en-us/learn/modules/aks-deploy-container-app/5-exercise-deploy-app
upvoted 1 times

  EmnCours 9 months, 1 week ago

Correct answar is A
upvoted 2 times

  David1990 9 months, 2 weeks ago

Selected Answer: A
A is correct
upvoted 3 times

  MartyMart 9 months, 3 weeks ago

Selected Answer: A
Answer is docker push
upvoted 2 times

  klexams 10 months, 3 weeks ago

Answer is A. Here is why:
Push images to registry
With your image built and tagged, push the azure-vote-front image to your ACR instance. Use docker push and provide your own acrLoginServer
address for the image name as follows:
docker push <acrLoginServer>/azure-vote-front:v1
It may take a few minutes to complete the image push to ACR.

https://docs.microsoft.com/en-us/azure/aks/tutorial-kubernetes-prepare-acr?tabs=azure-cli
upvoted 4 times

  nkhan19 11 months ago

Selected Answer: A
I go with Vansi comment.
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 103/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 104/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #43 Topic 4

You have an Azure subscription that contains the resources shown in the following table.

You need to configure a proximity placement group for VMSS1.

Which proximity placement groups should you use?

A. Proximity2 only

B. Proximity1, Proximity2, and Proximity3

C. Proximity1 only

D. Proximity1 and Proximity3 only

Correct Answer: A
Resource Group location of VMSS1 is the RG2 location, which is West US.
Only Proximity2, which also in RG2, is location in West US
Reference:
https://azure.microsoft.com/en-us/blog/introducing-proximity-placement-groups/

Community vote distribution

A (88%) 13%

  mlantonis Highly Voted  2 years ago

Correct Answer: A

Placement Groups is a capability to achieve co-location of your Azure Infrastructure as a Service (IaaS) resources and low network latency among
them, for improved application performance.

Azure proximity placement groups represent a new logical grouping capability for your Azure Virtual Machines, which in turn is used as a
deployment constraint when selecting where to place your virtual machines. In fact, when you assign your virtual machines to a proximity
placement group, the virtual machines are placed in the same data center, resulting in lower and deterministic latency for your applications.

The VMSS should share the same region, even it should be the same zone as proximity groups are located in the same data center. Accordingly, it
should be proximity 2 only.

Reference:

https://azure.microsoft.com/en-us/blog/introducing-proximity-placement-groups
upvoted 101 times

  Throwitawaynow Highly Voted  2 years, 6 months ago

This should be proximity 1 only, proximity 2 is not in the same region as the VMSS
upvoted 41 times

  Ashfarqk 2 years ago

Did you understand the table properly???
Proximity 01 is in Central US
upvoted 7 times

  Kiano 2 years ago

They have changed the question and the table since the comment has been made. Basically the proximity group and the VMSS1 should be
in the same region.
upvoted 34 times

  AubinBakana 1 year, 9 months ago

Hahaha
upvoted 5 times

  NarenderSingh 1 year, 8 months ago

It should be Proximity 2 only as its in the same region.
upvoted 3 times
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 105/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  maloumba87 1 year, 2 months ago

Proximté 2 se trouve dans la même régions que VMSS
upvoted 1 times

  NJTH Most Recent  2 months, 1 week ago

Simular question was on todays exam.
(7th April 2023)
upvoted 1 times

  AzZnLuVaBoI 2 months, 2 weeks ago

On the Exam 3/29/23.
upvoted 3 times

  Tinez 2 months, 2 weeks ago

which one was the correct answer ?
upvoted 1 times

  Bigc0ck 5 months, 1 week ago

proximity questions were definitly on 2nd test
upvoted 3 times

  kenneth12 6 months, 3 weeks ago

Selected Answer: A
Correct Answer is A
upvoted 1 times

  majerly 8 months, 2 weeks ago

Today in exam, the key is region for vmss,
upvoted 3 times

  awssecuritynewbie 8 months, 4 weeks ago

Selected Answer: A
A - as the group is in the same region,
upvoted 1 times

  EmnCours 9 months, 4 weeks ago

Correct Answer : A
upvoted 1 times

  Lazylinux 12 months ago

Selected Answer: A
Answer is correct and so is explanation
upvoted 1 times

  manalshowaei 1 year ago

Selected Answer: A
A. Proximity2 only
upvoted 1 times

  michaelmorar 1 year, 1 month ago

Selected Answer: A
A - proximity 2 is the only one in the same region as VMSS
upvoted 3 times

  Pasmo 1 year, 1 month ago

Selected Answer: A
Correct Answer is A
upvoted 3 times

  wsrudmen 1 year, 2 months ago

Selected Answer: A
Correct answer 1.
If it's not in the same region it doesn't make sense regarding the purpose of a placement groups (colocate resource for performance improvement)
upvoted 2 times

  VinothKM 1 year, 2 months ago

Selected Answer: C
it should be c
upvoted 2 times

  ajayasa 1 year, 3 months ago

this question was there on 16/03/2022 with same question and passed with 900 percent

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 106/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 3 times
  josevirtual 1 year, 3 months ago
Selected Answer: A
Only Proximity 2
upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 107/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #44 Topic 4

A. Yes

B. No

Correct Answer: B

Community vote distribution

B (100%)

  mlantonis Highly Voted  2 years ago

Correct Answer: B - No

From the RG1 blade, click Deployments. You see a history of deployment for the resource group.

Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/template-tutorial-create-first-template?tabs=azure-powershell
upvoted 49 times

  Wizard69 Highly Voted  2 years, 3 months ago

I agree, you should look at the Deployments under the Resource Group
upvoted 16 times

  EmnCours Most Recent  9 months, 4 weeks ago

Selected Answer: B
Correct Answer: B
upvoted 2 times

  minix 11 months, 3 weeks ago

came in today's exam 25/6/2022
upvoted 1 times

  Lazylinux 12 months ago

Selected Answer: B
I Luv Honey because it is B,
Can be viewed via RG Blade => deployment
upvoted 1 times

  manalshowaei 1 year ago

Selected Answer: B
B. No <
upvoted 1 times

  Olram 1 year, 1 month ago

Passed today. this is part of the exam. 4/23/22
upvoted 1 times

  ajayasa 1 year, 3 months ago

similar question was there on 16/03/2022 with same question and passed with 900 percent
upvoted 1 times

  N4d114 1 year, 4 months ago

The correct answer is B - No.

To check date and time when RG1 create, u have to go at RG1 Resource, go to setting and click at deployment.
upvoted 1 times

  deltarj 1 year, 4 months ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 108/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Q41, 51, 52 & 53 [remember: RG1 blade-->deployment]

upvoted 3 times

  AbhiYad 1 year, 5 months ago

Selected Answer: B
From the RG1 blade, click Deployments. You see a history of deployment for the resource group.
upvoted 2 times

  Thanishn 2 years, 1 month ago

From the RG1 blade, click Deployments. You see a history of deployment for the resource group.
upvoted 1 times

  nikhilmehra 2 years, 1 month ago

deployments
upvoted 2 times

  ZUMY 2 years, 3 months ago

NO > RG1 -> Deployment
upvoted 2 times

  I 2 years, 3 months ago

RG1->Deployments
upvoted 3 times

  wendysgp 2 years, 5 months ago

to check go to deployments under GROUP
upvoted 2 times

  fedztedz 2 years, 6 months ago

Answer is correct . NO (B)
to check go to deployments under subscription
upvoted 5 times

  LexusNX425 2 years, 2 months ago

Or just go to deployments under RG1
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 109/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #45 Topic 4

A. Yes

B. No

Community vote distribution

B (100%)

  mlantonis Highly Voted  2 years ago

Correct Answer: B - No

From the RG1 blade, click Deployments. You see a history of deployment for the resource group.

Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/template-tutorial-create-first-template?tabs=azure-powershell
upvoted 36 times

  fedztedz Highly Voted  2 years, 6 months ago

correct. Programmatic deployment are used for API/CLI
upvoted 15 times

  RDIO Most Recent  1 month, 3 weeks ago

Selected Answer: B
It's "Deployments" on RG blade
upvoted 2 times

  _fkucuk 1 month, 3 weeks ago

Selected Answer: B
From the RG1 blade, click Deployments.
upvoted 1 times

  EmnCours 9 months, 4 weeks ago

Selected Answer: B
Correct Answer: B
upvoted 1 times

  minix 11 months, 3 weeks ago

came in today's exam 25/6/2022
upvoted 2 times

  Lazylinux 12 months ago

Selected Answer: B
I Luv Honey because it is B
From RG Blade => deployment
upvoted 1 times

  manalshowaei 1 year ago

Selected Answer: B
>B. No
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 110/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  ajayasa 1 year, 3 months ago

similar question was there on 16/03/2022 with same question and passed with 900 percent
upvoted 1 times

  AubinBakana 1 year, 9 months ago

There's not even an automatic script blade in RGs. Not that I am aware of
upvoted 1 times

  Ant0ny 2 years, 3 months ago

Correct, tested and comfirmed
upvoted 1 times

  Sandroal29 2 years, 3 months ago

The provided answer is correct.
upvoted 1 times

  ZUMY 2 years, 3 months ago

B. No - Bcoz it's under RG1 blade Settings ->Deployment
upvoted 2 times

  toniiv 2 years, 4 months ago

B. is correct. On Deployment blade you will find this information
upvoted 1 times

  TheOne1 2 years, 4 months ago

Correct.
upvoted 2 times

  NickyDee 2 years, 5 months ago

RG1 > Deployments
upvoted 10 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 111/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #46 Topic 4

A. Yes

B. No

Correct Answer: A
From the RG1 blade, click Deployments. You see a history of deployment for the resource group.
Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/template-tutorial-create-first-template?tabs=azure-powershell

Community vote distribution

A (100%)

  mlantonis Highly Voted  2 years ago

Correct Answer: A - Yes

From the RG1 blade, click Deployments. You see a history of deployment for the resource group.

Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/template-tutorial-create-first-template?tabs=azure-powershell
upvoted 40 times

  fedztedz Highly Voted  2 years, 6 months ago

correct
upvoted 27 times

  petrisorpaul Most Recent  5 months, 1 week ago

Selected Answer: A
A. correct
upvoted 2 times

  sujidurga 8 months ago

successfully achieved with 950 marks. Thanks mlantonis and fedztedz...Aprciate your continous support
upvoted 4 times

  charf94 8 months, 3 weeks ago

Selected Answer: A
A. correct
upvoted 1 times

  EmnCours 9 months, 4 weeks ago

Selected Answer: A
Correct Answer: A
upvoted 1 times

  Lazylinux 12 months ago

Selected Answer: A
yep correct way
upvoted 1 times

  manalshowaei 1 year ago

Selected Answer: A
A. Yes
upvoted 1 times

  ajayasa 1 year, 3 months ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 112/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

similar question was there on 16/03/2022 with same question and passed with 900 percent
upvoted 2 times

  zr79 1 year, 3 months ago

I see why they do not allow you to review a question after. makes sense with their options
upvoted 1 times

  deltarj 1 year, 4 months ago

I love these "clustered" questions, like these FOUR: 41, 51, 52 & 53 (remember the only positive ans: RG1 blade - Deployments)
Thanx mlantonis and fedztedz
upvoted 5 times

  MarxMazd 1 year, 11 months ago

There are multiple repeats of same question in previous 25 pages.
upvoted 4 times

  oriduri 2 years, 1 month ago

A is correct
upvoted 2 times

  Danny1 2 years, 2 months ago

This question came in the exam, all three versions of this..!! Best of luck
upvoted 6 times

  mg 2 years, 3 months ago

Correct
upvoted 2 times

  ZUMY 2 years, 3 months ago

Correct answer
upvoted 1 times

  Jacek_ 2 years, 3 months ago

correct
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 113/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #47 Topic 4

You have an Azure subscription named Subscription1.

You deploy a Linux virtual machine named VM1 to Subscription1.
You need to monitor the metrics and the logs of VM1.
What should you use?

A. Azure HDInsight

B. Linux Diagnostic Extension (LAD) 3.0

C. the AzurePerformanceDiagnostics extension

D. Azure Analysis Services

Correct Answer: B
The Linux Diagnostic Extension should be used which downloads the Diagnostic Extension (LAD) agent on Linux server.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/diagnostics-linux

Community vote distribution

B (89%) 11%

  mlantonis Highly Voted  2 years ago

Correct Answer: B

The Linux diagnostic extension helps a user monitor the health of a Linux VM running on Microsoft Azure. It has the following collection and
capabilities:
- Metrics
- Syslog
- Files

A: Azure HDInsight is a managed, full-spectrum, open-source analytics service in the cloud for enterprises. You can use open-source frameworks
such as Hadoop, Apache Spark, Apache Hive, LLAP, Apache Kafka, Apache Storm, R, and more.

C: Azure Performance Diagnostics VM Extension is used for Windows VM only.

D: Azure Analysis Services is a fully managed platform as a service (PaaS) that provides enterprise-grade data models in the cloud.
upvoted 110 times

  fedztedz Highly Voted  2 years, 6 months ago

Not correct. Answer is B. it is linux server accordingly Linux Diagnostic Extension should be used which download the Diagnostic Extension (LAD)
agent on Linux server.
upvoted 105 times

  RRRSSS 1 year, 11 months ago

Cool, but probably there is a trick with LAD version?
Question refers to LAD 3.0, However this article refers to v 4.0 version.
https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/diagnostics-linux?tabs=azcli
upvoted 2 times

  jimmyli 1 year, 10 months ago

no. It's actually in the link you provided, "Important
For information about version 3.x, see Use the Linux diagnostic extension 3.0 to monitor metrics and logs. For information about version 2.3
and earlier, see Monitor the performance and diagnostic data of a Linux VM."
so LAD version doesn't matter.
B is the right answer!
upvoted 4 times

  Sanin 2 years, 1 month ago

https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/diagnostics-linux?tabs=azcli
upvoted 5 times

  Mazinger Most Recent  3 months, 3 weeks ago

Selected Answer: B
To monitor the metrics and logs of a Linux virtual machine in Azure, you can use the Linux Diagnostic Extension (LAD) 3.0. Therefore, the correct
answer is:

B. Linux Diagnostic Extension (LAD) 3.0

LAD is a solution provided by Microsoft to collect diagnostic data, logs, and metrics from Linux virtual machines running in Azure. LAD can be used
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 114/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

to monitor key performance indicators (KPIs) such as CPU, memory, and disk usage, as well as collect system logs and custom logs.

Option A, Azure HDInsight, is a cloud-based service that provides Apache Hadoop and Spark clusters for big data processing. Option C, the
AzurePerformanceDiagnostics extension, is not a valid Azure service or feature. Option D, Azure Analysis Services, is a PaaS offering that provides
enterprise-grade analytics and BI services in the cloud. It is not designed for monitoring Linux virtual machines.
upvoted 2 times
  kenneth12 6 months, 3 weeks ago
Selected Answer: B
Correct Answer is B
upvoted 1 times

  EmnCours 9 months, 4 weeks ago

Selected Answer: B
https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/diagnostics-linux?tabs=azcli#supported-linux-distributions
upvoted 1 times

  NotMeAnyWay 11 months ago

Selected Answer: B
Answer B: Here's why...

Some of the feature in "the AzurePerformanceDiagnostics extension" do not work for Linux VMs: (https://docs.microsoft.com/en-
us/troubleshoot/azure/virtual-machines/performance-diagnostics#select-an-analysis-scenario-to-run)

Where as the "Linux Diagnostic Extension (LAD) 3.0" doc mentions the question's two requirements Metrics and Logs in the first two sentances of
the intoduction of this article:
https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/diagnostics-linux-v3
upvoted 1 times

  Lazylinux 12 months ago

Selected Answer: B
I Luv Honey Because it is B
For sure B
the Linux diagnostic extension helps a user monitor the health of a Linux VM running on Microsoft Azure, In summary is used to monitor metrics
and logs of Linux VM. It has the following collection and capabilities:
New in LAD 4.0
This extension works with both Azure deployment models (Azure Resource Manager and classic).
You can enable this extension for your VM and virtual machine scale set by using the Azure PowerShell cmdlets, Azure CLI scripts, Azure Resource
Manager templates (ARM templates), or the Azure portal.
upvoted 3 times

  manalshowaei 1 year ago

Selected Answer: C
C. the AzurePerformanceDiagnostics extension
upvoted 1 times

  Azurefox79 1 year ago

Answer is correct, supports both Linux and Windows
https://docs.microsoft.com/en-us/troubleshoot/azure/virtual-machines/performance-diagnostics
upvoted 2 times

  NotMeAnyWay 11 months ago

Answer B: Here's why...

Where as the "Linux Diagnostic Extension (LAD) 3.0" doc mentions the question's two requirements Metrics and Logs in the first two sentances
of the intoduction of this article:
https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/diagnostics-linux-v3
upvoted 1 times

  MikeyNg756 1 year, 1 month ago

https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/diagnostics-linux?tabs=azcli
upvoted 1 times

  albergd 1 year, 3 months ago

Selected Answer: B
Use the Linux diagnostic extension 4.0 to monitor metrics and logs:
https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/diagnostics-linux?tabs=azcli
Azure Performance Diagnostics VM Extension is for Windows:
https://docs.microsoft.com/en-us/troubleshoot/azure/virtual-machines/performance-diagnostics-vm-extension
upvoted 1 times

  G_unit_19 1 year, 3 months ago

Selected Answer: B

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 115/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

It is clearly B
upvoted 1 times
  EleChie 1 year, 4 months ago
Important

For information about version 3.x, see Use the Linux diagnostic extension 3.0 to monitor metrics and logs. For information about version 2.3 and
earlier, see Monitor the performance and diagnostic data of a Linux VM.

Ref: https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/diagnostics-linux?tabs=azcli

Azure Diagnostics extension overview

https://docs.microsoft.com/en-us/azure/azure-monitor/agents/diagnostics-extension-overview
upvoted 1 times

  never4baby777 1 year, 4 months ago

Selected Answer: B
B

The Linux diagnostic extension helps a user monitor the health of a Linux VM that runs on Microsoft Azure
upvoted 1 times

  Juli98 1 year, 5 months ago

Answer is B but question is outdated :
https://docs.microsoft.com/en-us/azure/azure-monitor/agents/agents-overview

Azure Monitor recently launched a new agent, the Azure Monitor agent, that provides all capabilities necessary to collect guest operating system
monitoring data. While there are multiple legacy agents that exist due to the consolidation of Azure Monitor and Log Analytics, each with their
unique capabilities with some overlap, we recommend that you use the new agent that aims to consolidate features from all existing agents, and
provide additional benefits. Learn More

The Azure Monitor agent is meant to replace the Log Analytics agent, Azure Diagnostic extension and Telegraf agent for both Windows and Linux
machines.
upvoted 8 times

  Mozbius_ 1 year, 4 months ago

Thank you! Much appreciated! I was getting confused as this is exactly what I have learned in the courses.
upvoted 1 times

  El_gatux 1 year, 5 months ago

Selected Answer: C
Linux Diagnostic is part or AzurePerformanceDiagnostics extension.
https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/diagnostics-linux?tabs=azcli
upvoted 1 times

  weril 1 year, 6 months ago

Okay my lads. It's LAD
upvoted 3 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 116/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #48 Topic 4

HOTSPOT -
You have an Azure subscription named Subscription1. Subscription1 contains a virtual machine named VM1.
You install and configure a web server and a DNS server on VM1.
VM1 has the effective network security rules shown in the following exhibit:

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 117/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Once traffic matches a rule, processing stops. As a result, any rules that exist with lower priorities (higher numbers) that have the same
attributes as rules with higher priorities are not processed.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/security-overview

  khengoolman Highly Voted  1 year, 8 months ago

Passed today with 947. This question appeared, correct Answer
upvoted 54 times

  nimeshabhinav 1 year, 5 months ago

It looks like all 300 questions appeared in your exam :D . I see your comments everywhere.
upvoted 56 times

  FlowerChoc1 2 months, 2 weeks ago

The dude is everywhere. What a loooooonnnng exam lol!
upvoted 3 times

  Whatsamattr81 4 months, 3 weeks ago

I was just thinking that... What an exam.
upvoted 1 times

  Kumud31 1 year, 4 months ago

YES,I bet
upvoted 1 times

  miloashis 1 year, 4 months ago

VERY TRUE BRO!!
upvoted 1 times

  subramani2018 1 year, 3 months ago

Is all questions with same pattermn come from here or any changes
upvoted 2 times

  Juli98 Highly Voted  1 year, 5 months ago

Correct.
Usually :
DNS = Port 53
WEB = Port 80 (http) or 443 (https).

Rule are processed by priority order

A number between 100 and 4096. Rules are processed in priority order, with lower numbers processed before higher numbers, because lower
numbers have higher priority. Once traffic matches a rule, processing stops. As a result, any rules that exist with lower priorities (higher numbers)
that have the same attributes as rules with higher priorities are not processed.
https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview

Rule 2 Blocked DNS (Range 50-60) First match > DNS Blocked
Rule 1 Allow http (Range 50-500) First Match > http Allow.

If we delete Rule 2, Rule 1 Allows http and DNS. First match > It works.
upvoted 28 times

  Bigc0ck Most Recent  5 months, 1 week ago

NO DNS questions have been showing up my past 2 tests, wierd
upvoted 4 times

  EmnCours 9 months, 2 weeks ago

correct Answer
upvoted 1 times

  EmnCours 9 months, 2 weeks ago

Box 1:
Rule2 blocks ports 50-60, which includes port 53, the DNS port. Internet users can reach to the Web server, since it uses port 80.
Box 2:
If Rule2 is removed internet users can reach the DNS server as well.
Note: Rules are processed in priority order, with lower numbers processed before higher numbers, because lower numbers have higher priority.
Once traffic matches a rule, processing stops. As a result, any rules that exist with lower priorities (higher numbers) that have the same attributes
as rules with higher priorities are not processed.
upvoted 7 times

  Pasmo 1 year, 1 month ago

Answer is correct

Rule 2 Blocked DNS (Range 50-60) First match > DNS Blocked. port 80 not affected

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 118/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

After deleting rule 2

Rule 1 Allow DNS (Range 50-500) First Match > port 53 and the port 80 and 443 is allowed.
upvoted 2 times
  DrJoness 1 year, 2 months ago
Question appeared in exam today. The answer is correct.
upvoted 1 times

  shyams9977 1 year, 2 months ago

This question was in exam on 20-03-2022
upvoted 1 times

  shyams9977 1 year, 2 months ago

This question on exam 20/3/2022
upvoted 1 times

  Dobby25 1 year, 2 months ago

Received this on my exam today 19/03/2022
upvoted 1 times

  benvdw 1 year, 3 months ago

on exam 13/3/2022
upvoted 1 times

  theorut 1 year, 3 months ago

keep also in mind dns uses UDP on port 53.
upvoted 2 times

  ahyaa 1 year, 3 months ago

This question appeared in my exam today Feb 26, 2022, and I got 784! yay!! I passed!!! thank you, review buddies!!
upvoted 4 times

  subramani2018 1 year, 3 months ago

Do we have voucher code to unlock all questions in az104..if 50percent off, please let me know
upvoted 2 times

  H3adcap 1 year, 3 months ago

Was in exam today 17/22/2022
upvoted 3 times

  Krypt11 1 year, 7 months ago

Correct
upvoted 1 times

  omw2wealth 1 year, 8 months ago

new question hehe, hopefully i find it later in my exam !
upvoted 3 times

  nsknexus478 1 year, 8 months ago

There was a similar question previously as well.
upvoted 2 times

  pakman 1 year, 8 months ago

Correct
upvoted 7 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 119/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #49 Topic 4

You plan to deploy three Azure virtual machines named VM1, VM2, and VM3. The virtual machines will host a web app named App1.
You need to ensure that at least two virtual machines are available if a single Azure datacenter becomes unavailable.
What should you deploy?

A. all three virtual machines in a single Availability Zone

B. all virtual machines in a single Availability Set

C. each virtual machine in a separate Availability Zone

D. each virtual machine in a separate Availability Set

Correct Answer: C
Use availability zones to protect from datacenter level failures.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/manage-availability https://docs.microsoft.com/en-us/azure/virtual-
machines/windows/tutorial-availability-sets

Community vote distribution

C (82%) A (18%)

  allray15 Highly Voted  2 years, 3 months ago

i always get nervous when the discussion count hits 30-50+ . You know something isn't right :D , if its just below 20, then i just skip and continue
upvoted 121 times

  sarpay784 2 years ago

:D :D :D :D me too
upvoted 2 times

  ciscogeek 2 years, 2 months ago

or, 30+
upvoted 4 times

  Izee24 1 year, 9 months ago

Me too.
upvoted 1 times

  Tarifa123 1 year, 1 month ago

Same :D
upvoted 1 times

  kt_tk_2020 Highly Voted  2 years, 6 months ago

C is the correct answer - if you want Datacenter level high availability - vms should be deployed in different zones.
upvoted 97 times

  Somewhatbusy 2 years, 5 months ago

Availability set - Within data centre - configure update domains and fault domains
Availability zone - Within region (usually three data centres per region)
upvoted 74 times

  walexkino 2 years, 1 month ago

your explanation was simple and precise unlike other sprouting nonsense here.
upvoted 11 times

  FitObelix 2 years ago

Simply adding that an availability zone can have only one datacenter. That´s why i think it can´t be option A. C option ensures the availability,
even if each zone is made of only one datacenter each
upvoted 7 times

  GokuSS Most Recent  1 month, 4 weeks ago

C is the correct answer. Availability sets are used to protect applications from hardware failures within an Azure data center, availability zones
protect applications from complete Azure data center failures.
upvoted 1 times

  NJTH 2 months, 1 week ago

Exactly the same question was on todays exam.
(7th April 2023)

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 120/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 5 times
  Jamal786 6 months, 3 weeks ago
ANSWER:C

Explanation: An Availability Zone in an Azure region is a combination of a fault domain and an update domain. For example, if you create three or
more VMs across three zones in an Azure region, your VMs are effectively distributed across three fault domains and three update domains. The
Azure platform recognizes this distribution across update domains to make sure that VMs in different zones are not updated at the same time.

Reference link
https://learn.microsoft.com/en-us/training/modules/configure-virtual-machine-availability/5-review-availability-zones
upvoted 2 times

  Asymptote 7 months, 2 weeks ago

Within each Azure region are 1 to three unique physical locations, referred to as availability zones.

as some AZ has only 1 datacenter,

C should be more accurate.
upvoted 1 times

  61Reasons 9 months, 4 weeks ago

A is tempting, but remember, according to MSFT an AZ "could" have just ONE data center, and if that failed then no redundancy. So the only
option that is 100% sure in all situations is C.
upvoted 3 times

  EmnCours 9 months, 4 weeks ago

Selected Answer: C
Correct Answer: C
upvoted 3 times

  klexams 11 months, 2 weeks ago

Your confusion stops here. Answer is A. This comment jrv116psu below led me to A.
jrv116psu 9 months ago
Mlantonis ... i completely agree about the AZ AS description.. but AZ's dont have limit of number of available machines do they? it says ensure that
at least 2 machines are available... if you ave VM1 in AZ1 vm2 in AZ2, vm3 in AZ3, there's nothing stopping AZ1 and 2 going offline... AZ3 wont
autocorrect and spinup new vms... thoughts?
upvoted 2 times

  Pravda 11 months, 2 weeks ago

Key phrase ".... if a single Azure datacenter becomes unavailable." Can't be A, B or D. Go with C
upvoted 3 times

  suryamk 12 months ago

Answer is C
You can think of each availability zone as a separate fault domain and update domain. So in a given azure region if you have 3 availability zones,
then it's like you have 3 fault domains and 3 update domains.

So, for example, if you create three VMs across three availability zones in an Azure region, your VMs are effectively distributed across three fault
domains and three update domains.
If one of the Availability Zones has gone down for some reason, we still have 2 VMs from the rest of the 2 availability zones. Similarly, if there is an
update or a patch to be applied, azure schedules these at different times for different availability zones. So this means, we have just one of the
availability zones affected while the update is being applied. The rest of the 2 zones are unaffected.
upvoted 3 times

  BorisBoef 1 year ago

Selected Answer: A
Placing in three seperate zones does not garantee availability over these zones
upvoted 2 times

  GregGG 1 year ago

Selected Answer: C
Put all VMs in "one" AZ will not guarantee redundancy.
upvoted 4 times

  Lazylinux 1 year ago

Selected Answer: C
C for me.. AV zone should be 3 as refers to 3 different Data centers, hence lose one 2 available
upvoted 3 times

  manalshowaei 1 year ago

Selected Answer: C
C. each virtual machine in a separate Availability Zone
upvoted 2 times

  epomatti 1 year ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 121/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Selected Answer: C
Correct answer: C - each virtual machine in a separate Availability Zone
upvoted 2 times

  adamp54 1 year ago

Selected Answer: C
Definitely C ... separate Availability Zones protect in case of datacenter failure
upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 122/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #50 Topic 4

You have an Azure virtual machine named VM1 that runs Windows Server 2019.
You save VM1 as a template named Template1 to the Azure Resource Manager library.
You plan to deploy a virtual machine named VM2 from Template1.
What can you configure during the deployment of VM2?

A. operating system

B. administrator username

C. virtual machine size

D. resource group

Correct Answer: B
When deploying a virtual machine from a template, you must specify:
✑ the Resource Group name and location for the VM
✑ the administrator username and password
✑ an unique DNS name for the public IP
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/ps-template

Community vote distribution

D (81%) Other

  fedztedz Highly Voted  2 years, 6 months ago

not correct. Answer is Resource Group. I tried the only ones that need to be updated manually are resource group and password.
upvoted 156 times

  Shailen 1 year, 11 months ago

yes D. Resource Group is the correct answer: Admin user, password, vm size and os are the part of ARM templates. But resource group is not
hence needs to be mentioned while deployment! Refer below sample ARM template for reference in which all above attributes passed in
parameter.
https://github.com/Azure/azure-quickstart-templates/blob/master/101-vm-simple-windows/azuredeploy.json
upvoted 11 times

  Max19 1 year, 2 months ago

The file is missing by the link, please send a new one.
upvoted 2 times

  rawrkadia 1 year, 11 months ago

Confirming RG.

Manual steps: log in, deploy VM1. Accept all defaults. Go to resource > template > save to library. View library > deploy template, It pre-
populates the subscription but you have to set an RG. VM Name can be customized, admin user/pass are pulled from template.

Costs about $.15 to verify and less than 5 minutes, if you're in doubt sign up for azure pass and do it yourself.
upvoted 38 times

  cmbkc88 1 year, 12 months ago

I go adm psw. We can configure the name of rg for vm, not rg itself.
upvoted 2 times

  itmp 1 year, 11 months ago

what "adm psw" ? maybe in another question ...
upvoted 2 times

  jecawi9630 1 year, 11 months ago

@itmp adm psw means administrator password
upvoted 2 times

  RoastChicken 1 year, 11 months ago

This is correct. Answer is Resource Group.
upvoted 4 times

  IvanDan Highly Voted  2 years, 6 months ago

"what can you configure"... you can't configure a resource group, but you can choose one. A resource group should be already configured. An
administrator username is not preconfigured, so you have to make a new one. I will go with B

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 123/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 45 times

  JayBee65 2 years ago

You can select a RG for a selection - so you are configuring which RG to use.
upvoted 5 times

  AubinBakana 1 year, 9 months ago

You are not paying attention to the fact that this was being created from an ARM template. All these can be specified in the template. It is not
however recommended to enter keys and secrets in plain text in your code.
upvoted 2 times

  xRiot007 Most Recent  2 weeks ago

Theoretically you can configure anything, just parametrize it in your template and then provide it in your deployment script :))
upvoted 1 times

  vinsom 1 month, 2 weeks ago

Answer: D
Reference: https://learn.microsoft.com/en-us/azure/virtual-machines/windows/ps-template
Here the .json parameters section contains VM size, Username, OS details etc, with no RG information embedded. RG is created using the CLI,
before New-AzResourceGroupDeployment, using the custom template
upvoted 1 times

  Balvosko 1 month, 3 weeks ago

Retarded question, both options are correct, you are providing both (admin password and rg ) during deployment.
upvoted 2 times

  djgodzilla 2 months, 3 weeks ago

This should be a multiple answers question
Both B and D (admin Username+RG) are valid here
upvoted 3 times

  shadad 3 months, 1 week ago

Selected Answer: D
I took Exam of Azure- 104 at 27/2/2023
I score 920 points out of 1000 points. This was on it and my answer was: D
upvoted 6 times

  AK4U 3 months, 1 week ago

When you save a template of an existing VM and then choose "Deploy a custom template" from "All services" you chose the saved template and
then you can only specify the RG.

Answer is D
upvoted 1 times

  BYNeo 7 months ago

I attended the couse before and always have to configure the Administrator Name and password first
upvoted 2 times

  compldc72 7 months, 1 week ago

During deployment you can configure the Username and resource group so the answer is B and D. the question asks what you can do , not chose
one.
upvoted 2 times

  majerly 8 months, 2 weeks ago

today in exam , is D
upvoted 2 times

  F117A_Stealth 9 months, 1 week ago

Selected Answer: D
D. Resource Group
upvoted 1 times

  EmnCours 9 months, 4 weeks ago

Selected Answer: D
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/ps-template
upvoted 3 times

  David1990 10 months, 1 week ago

Selected Answer: D
D is correct answer
upvoted 2 times

  nkhan19 11 months ago

Selected Answer: D

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 124/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

RG has to be mentioned
upvoted 2 times
  Lazylinux 12 months ago
Selected Answer: D
Correct answer is D:
When you deploy a template, you specify a resource group that will contain the resources. Before running the deployment command, create the
resource group or during deployment also we can create the resource group. If you try to deploy your own template in the portal, there are 3
available options - "Subscription", "Resource Group", "Location". Resource group is the only one of the three options available in this list of
answers.
upvoted 7 times

  manalshowaei 1 year ago

Selected Answer: C
C. each virtual machine in a separate Availability Zone
upvoted 2 times

  Deepakijzer 12 months ago

You are just ctrl c ctrl v the wrong answer in the wrong question.
upvoted 4 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 125/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #51 Topic 4

You have an Azure subscription that contains an Azure virtual machine named VM1. VM1 runs a financial reporting app named App1 that does not
support multiple active instances.
At the end of each month, CPU usage for VM1 peaks when App1 runs.
You need to create a scheduled runbook to increase the processor performance of VM1 at the end of each month.
What task should you include in the runbook?

A. Add the Azure Performance Diagnostics agent to VM1.

B. Modify the VM size property of VM1.

C. Add VM1 to a scale set.

D. Increase the vCPU quota for the subscription.

E. Add a Desired State Configuration (DSC) extension to VM1.

Correct Answer: E
Reference:
https://docs.microsoft.com/en-us/azure/automation/automation-quickstart-dsc-configuration

Community vote distribution

B (96%) 4%

  mlantonis Highly Voted  2 years ago

Correct Answer: B

Here we need to modify the size of the VM to increase the number of vCPU's assigned to the VM. This can be included as a task in the runbook.
The VM size property can be modified by a runbook that is triggered by metrics, but you can schedule it monthly.

C: Scheduled vertical scaling could be a solution, but then you don't need a scheduled runbook and it states that it does not support multiple
active instances. Scale Set is not a n option.

E: DSC is only useful to keep the resources on a VM (OS, File shares, etc.) in a consistent state, not to change VM properties.

Reference:

https://www.apress.com/us/blog/all-blog-posts/scale-up-azure-
vms/15823864#:~:text=If%20you%20select%20the%20option,to%20the%20next%20larger%20size
upvoted 169 times

  Holydud 9 months, 4 weeks ago

Was on exam 19 Aug 2022. Scored 870. Around 85% questions were also on ET. Answered B
upvoted 15 times

  Theguy97 4 months, 3 weeks ago

Your comments have no value , you comment on every question and we don't know which one will be on exam or not, please careful you
affect other people
upvoted 7 times

  Durden871 3 months ago

I appreciate knowing if a question has been literally on the exam recently.
upvoted 2 times

  garmatey 2 months, 1 week ago

There just isnt a reason to assume a question isnt on the test unless people are saying it isnt...
upvoted 1 times

  AK4U 3 months, 1 week ago

ET moderators modify comments on a regular basis
upvoted 1 times

  GenjamBhai 12 months ago

Agreed. Correct Answer: B
Refer to https://www.youtube.com/watch?v=pQ9dQ13B2vM
upvoted 4 times

  klasbeatz 11 months, 2 weeks ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 126/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

They only part that confuses me is that I didn't think size was a determining factor when increasing processor capacity / power? Unless this is a
different when referring to VM's? I figure the two are un-related
upvoted 1 times

  fedztedz Highly Voted  2 years, 6 months ago

not correct. Answer is B. Scale up the VM using Automation virtual scale set runbooks which trigger a webhook
upvoted 103 times

  ScreamingHand 1 year, 12 months ago

why not create a scale set and scale up?
upvoted 1 times

  T____T 1 year, 11 months ago

the question asks about runbook specifically so you have to go with that context
upvoted 7 times

  sandipk91 1 year, 9 months ago

this the reason why we can't use scale set - "App1 that does not support multiple active instances"
upvoted 15 times

  biglebowski 1 year, 12 months ago

Do you think it's a good job to be executed in runbook every month?
upvoted 1 times

  T____T 1 year, 11 months ago

you can scale up or down via the run book check the portal.
upvoted 1 times

  alex88andru 1 year, 5 months ago

I don t get it, B. Modify the VM size property of VM1. How is this a runbook? or any relation to your B answer? Thanks
upvoted 4 times

  ZhuBajie5953 Most Recent  3 months, 3 weeks ago

i think the question is asking after you change the VM size.....how do you ensure after reboot, all the service are running. Hence, DSC come into the
picture.
upvoted 2 times

  Mo22 4 months, 3 weeks ago

Selected Answer: B
B. Modify the VM size property of VM1.
upvoted 1 times

  raym1980 5 months, 1 week ago

Correct Answer B
Came up in exam today
920/1000
upvoted 6 times

  rajagopalanr 9 months ago

Today (13/04/2022) I Passed exam
upvoted 5 times

  F117A_Stealth 9 months, 1 week ago

Selected Answer: B
B. Modify the VM size property of VM1.
upvoted 1 times

  libran 9 months, 1 week ago

Selected Answer: B
Correct Answer: B
upvoted 1 times

  lebowski 9 months, 2 weeks ago

Selected Answer: B
It cannot be D: "Desired State Configuration (DSC) is a feature in PowerShell 4.0 and above that helps administrators to automate the configuration
of Windows and Linux operating systems (OSes)"
upvoted 1 times

  EmnCours 9 months, 4 weeks ago

Selected Answer: B
answer is B
upvoted 1 times

  Pravda 11 months, 2 weeks ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 127/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

I'm not so sure B is the correct answer. How does modifying the VM size property create a scheduled runbook to increase the processor
performance at the END OF THE MONTH? Modifying the VM size is what the script needs to do, but modifying the VM size doesn't have anything
to do with scheduling. I would choose answer E, only one that makes sense.
upvoted 1 times

  tweedo 10 months, 2 weeks ago

It makes perfect sense. This app can only be single-instanced, which rules out scaling out - we cannot use VMSS with load-balancers. What we
can do is only scale up. Changing VM size will increase the computing power (more available vCPUs, we assume that app is multithreaded) and
will reduce the processing time.
upvoted 3 times

  klexams 8 months, 1 week ago

it asks "what task should be included in the runbook". Not the other way around.
upvoted 1 times

  manalshowaei 1 year ago

Selected Answer: E
E. Add a Desired State Configuration (DSC) extension to VM1.
upvoted 1 times

  Lazylinux 1 year ago

Selected Answer: B
Definitely B
Azure Automation uses runbooks to run tasks such as:
Restart/Stop VM
Remove VM
Scale up or Scale Down VM
It adds New run as account as per following paragraph taken from azure
upvoted 3 times

  elhafdi 1 year ago

Selected Answer: B
B is correct
upvoted 2 times

  michaelmorar 1 year, 1 month ago

Selected Answer: B
B- increase VM size. The app heavily uses CPU during peak workloads and cannot scale laterally (it only supports one instance), so the only option
is to beef up the CPU.
upvoted 1 times

  Olram 1 year, 1 month ago

Passed today. this is part of the exam. 4/23/22
upvoted 1 times

  techie_11 1 year, 2 months ago

On exam 04/12/2022
upvoted 3 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 128/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #52 Topic 4

You plan to deploy several Azure virtual machines that will run Windows Server 2019 in a virtual machine scale set by using an Azure Resource
Manager template.
You need to ensure that NGINX is available on all the virtual machines after they are deployed.
What should you use?

A. Deployment Center in Azure App Service

B. A Desired State Configuration (DSC) extension

C. the New-AzConfigurationAssignment cmdlet

D. a Microsoft Intune device configuration profile

Correct Answer: B
Azure virtual machine extensions are small packages that run post-deployment configuration and automation on Azure virtual machines.
In the following example, the Azure CLI is used to deploy a custom script extension to an existing virtual machine, which installs a Nginx
webserver. az vm extension set \
--resource-group myResourceGroup \
--vm-name myVM --name customScript \
--publisher Microsoft.Azure.Extensions \
--settings '{"commandToExecute": "apt-get install -y nginx"}
Note:
There are several versions of this question in the exam. The question has two correct answers:
1. a Desired State Configuration (DSC) extension
2. Azure Custom Script Extension
The question can have other incorrect answer options, including the following:
✑ the Publish-AzVMDscConfiguration cmdlet
✑ Azure Application Insights
Reference:
https://docs.microsoft.com/en-us/azure/architecture/framework/devops/automation-configuration

Community vote distribution

B (100%)

  mlantonis Highly Voted  2 years ago

Correct Answer: B

Note: There are several versions of this question in the exam. The question has two correct answers:
1. a Desired State Configuration (DSC) extension
2. Azure Custom Script Extension
The question can have other incorrect answer options, including the following:
✑ the Publish-AzVMDscConfiguration cmdlet
✑ Azure Application Insights
upvoted 185 times

  ABhi101 1 year, 5 months ago

Thanks
upvoted 1 times

  Takloy 1 year, 7 months ago

Thanks!
upvoted 2 times

  Volh 12 months ago

thanks !
upvoted 2 times

  fedztedz Highly Voted  2 years, 4 months ago

Answer is correct "B" with ARM templates, DSC is used.
upvoted 20 times

  zellck Most Recent  4 months ago

Same as Question 67.
https://www.examtopics.com/discussions/microsoft/view/67546-exam-az-104-topic-4-question-67-discussion
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 129/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 1 times
  zellck 4 months ago
Selected Answer: B
B is the answer.

https://learn.microsoft.com/en-us/azure/virtual-machines/extensions/dsc-template
upvoted 2 times

  Jamal786 6 months, 3 weeks ago

During my training with MS, i had this question but solution B was not given there so in that case this is the solution below:

You are going to deploy multiple Virtual machines having Windows Server Operating System by using Azure Resource Manager Template. While
completing the Virtual machines deployment you need to make sure that NGINX should be available on all the Virtual machines. What should you
do?

Answer: Azure Custom Script Extension

Explanation
A Custom Script Extension(CSE) can be used to automatically launch and execute virtual machine customization tasks post configuration. Your
script extension may perform simple tasks such as stopping the virtual machine or installing a software component. However, the script could be
more complex and perform a series of tasks.

Reference link
https://learn.microsoft.com/en-us/training/modules/configure-virtual-machine-extensions/3-implement-custom-script-extensions
upvoted 4 times

  F117A_Stealth 9 months, 1 week ago

Selected Answer: B
B. A Desired State Configuration (DSC) extension
upvoted 1 times

  EmnCours 9 months, 4 weeks ago

Selected Answer: B
Correct Answer: B
upvoted 2 times

  devilcried 11 months, 3 weeks ago

Selected Answer: B
The Azure DSC extension uses the Azure VM Agent framework to deliver, enact, and report on DSC configurations running on Azure VMs.
https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/dsc-overview
upvoted 3 times

  Lazylinux 12 months ago

Selected Answer: B
I Luv Honey because it is B
Desired State Configuration (DSC) extension
upvoted 3 times

  manalshowaei 1 year ago

Selected Answer: B
B. A Desired State Configuration (DSC) extension
upvoted 2 times

  KIRANdxc 1 year, 1 month ago

Got his question in exam !!
upvoted 2 times

  Olram 1 year, 1 month ago

Passed today. this is part of the exam. 4/23/22
upvoted 4 times

  willt 1 year, 2 months ago

Correct
upvoted 1 times

  ahyaa 1 year, 3 months ago

This question appeared in my exam today Feb 26, 2022, and I got 784! yay!! I passed!!! thank you, review buddies!!
upvoted 6 times

  az4o2n 1 year, 4 months ago

Thank you so much, your contributions are highly valued
upvoted 1 times

  pappkarcsiii 1 year, 4 months ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 130/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Selected Answer: B
1. a Desired State Configuration (DSC) extension
upvoted 1 times

  N4d114 1 year, 4 months ago

Correct answer is B : Desired State Configuration (DSC) extension
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 131/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #53 Topic 4

HOTSPOT -
You deploy an Azure Kubernetes Service (AKS) cluster that has the network profile shown in the following exhibit.

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

Box 1: 10.244.0.0/16 -
The Pod CIDR.
Note: The --pod-cidr should be a large address space that isn't in use elsewhere in your network environment. This range includes any on-
premises network ranges if you connect, or plan to connect, your Azure virtual networks using Express Route or a Site-to-Site VPN connection.
This address range must be large enough to accommodate the number of nodes that you expect to scale up to. You can't change this address
range once the cluster is deployed if you need more addresses for additional nodes.

Box 2: 10.0.0.0/16 -
The --service-cidr is used to assign internal services in the AKS cluster an IP address.
Reference:
https://docs.microsoft.com/en-us/azure/aks/configure-kubenet

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 132/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  mlantonis Highly Voted  2 years ago

Correct Answer:

Box 1: 10.244.0.0/16
The Pod CIDR, because containers live inside Pods.
Note: You can't change this address range once the cluster is deployed, if you need more addresses for additional nodes.

Box 2: 10.0.0.0/16
The Service CIDR is used to assign internal services in the AKS cluster an IP address.

Reference:
https://docs.microsoft.com/en-us/azure/aks/configure-kubenet

https://docs.microsoft.com/en-us/azure/aks/configure-azure-cni#plan-ip-addressing-for-your-cluster
upvoted 119 times

  krisbla Highly Voted  2 years, 1 month ago

I'm writing the exam in 3 hours .. I'll go with the given selections - wish me luck!
upvoted 22 times

  JimBobSquare101 1 year, 10 months ago

Im guessing you passed as you havent been back...lol
upvoted 16 times

  kennynelcon 1 year, 1 month ago

The author won't get notification when one even replies, so it is tough to say
upvoted 3 times

  yellownikk 2 years ago

what was the result?
upvoted 4 times

  walexkino 2 years ago

lol witch
upvoted 2 times

  shnz03 2 years ago

Personally amazing for me and kind of funny also
upvoted 2 times

  garmatey Most Recent  2 months, 1 week ago

another question, another acronym ive never heard of
upvoted 1 times

  NJTH 2 months, 1 week ago

Exactly the same question was on todays exam.
(7th April 2023)
upvoted 1 times

  AzZnLuVaBoI 2 months, 2 weeks ago

On the Exam 3/29/23.
upvoted 2 times

  mohsanarfandanish 2 months, 3 weeks ago

Cleared Exam 930 was appeared in exam 18/3/2023 ANS most upvoted
upvoted 4 times

  shadad 3 months, 1 week ago

I took Exam of Azure- 104 at 27/2/2023
I score 920 points out of 1000 points. This was on it and my answer was:

Box 1: 10.244.0.0/16
you can create containers live inside Pods.

Box 2: 10.0.0.0/16
service CIDR is used to assign internal services in the AKS cluster an IP address.
upvoted 3 times

  Liriano 7 months, 2 weeks ago

In exam today, go with highly voted
upvoted 3 times

  majerly 8 months, 2 weeks ago

Today in exam, answer is correct
upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 133/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  EmnCours 9 months, 4 weeks ago

Given answer is correct
upvoted 1 times

  Lazylinux 12 months ago

Given answer is correct
upvoted 1 times

  manalshowaei 1 year ago

Box 1: 10.244.0.0/16 -
The Pod CIDR.
Note: The --pod-cidr should be a large address space that isn't in use elsewhere in your network environment. This range includes any on-premises
network ranges if you connect, or plan to connect, your Azure virtual networks using Express Route or a Site-to-Site VPN connection.
This address range must be large enough to accommodate the number of nodes that you expect to scale up to. You can't change this address
range once the cluster is deployed if you need more addresses for additional nodes.

Box 2: 10.0.0.0/16 -
The --service-cidr is used to assign internal services in the AKS cluster an IP address.
upvoted 1 times

  babzbabz 1 year ago

Came on exam today (24/05-2022)
upvoted 3 times

  fodocel235 1 year, 1 month ago

B1: 10.244.0.0/16
B2: 10.0.0.0/16
upvoted 1 times

  DrJoness 1 year, 2 months ago

Question appeared in exam today. The answer is correct.
upvoted 3 times

  Dobby25 1 year, 2 months ago

Received this on my exam today 19/03/2022
upvoted 4 times

  antivrillee 1 year, 3 months ago

Doing the exam tomorrow
upvoted 2 times

  soportepruebasnoc 1 year, 2 months ago

Good luck
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 134/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #54 Topic 4

HOTSPOT -
You have the App Service plan shown in the following exhibit.

The scale-in settings for the App Service plan are configured as shown in the following exhibit.

The scale out rule is configured with the same duration and cool down tile as the scale in rule.
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 135/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

Box 1: 5 -
The maximum 5 will kept as the CPU Usage >= 30.

Box 2: 3 -
As soon as the average CPU usage drops below 30%, the count will decrease by 1. After the 5 minute cool-down it will decrease by another 1,
reaching 3.
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/learn/tutorial-autoscale-performance-schedule

  mlantonis Highly Voted  2 years ago

Correct Answer:

Box 1: 2
70% for 1h, and then 90% for 5 minutes. So, from the default of 1 it will scale out out 1 more. So, 2 in total.

Box 2: 4
90% for 1h and then 25% for 9minutes. So, from the default of 1 it will it scale in to the max 5 (60/5 = 12, which means 6 times scale out, because
we have 5 minutes period of cool down). Then when it drops to 25% for 9 minutes and it will scale in once after 5 mins (since the average of the
last 5 minutes is under 30% ), so it will decrease by 1, so 4 in total. Then it will have a cooldown of 5 minutes before scaling in again, but since only
4 minutes left from 9 minutes (9-5 = 4), it won't scale in again. So, 4 in total.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 136/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/learn/tutorial-autoscale-performance-schedule
https://docs.microsoft.com/en-us/azure/azure-monitor/autoscale/autoscale-understanding-settings
upvoted 355 times

  Takloy 1 year, 6 months ago

I respect your answer mlantonis, but you explaination on box 2 confused me.
Can't we just say that while it was on 90% we all know that it stays at 5 instances. When the threshold dropped down to 25% for 9 minutes, the
count decreased by 1 only since it didn't reach 10 minutes.
Nonetheless, Mlantonis is correct and explanation is also correct.
upvoted 16 times

  Juli98 1 year, 5 months ago

it starts at 1. Scale out if CPU > 85% over 5 min and pause during 5 min (Cool Down).
Assuming instant scaling...and CPU still at 90% at all time (very simplified view).
If CPU is at 90% for one hour we have
0 min : 1 (default)
5 min : 2
5-10 min : Still 2 (Cooldown time)
10 min : 3 (average last 5 is still CPU>90%)
10 min-15 min : Still 3
15 min : 4
and so on until we reach 5 (maximum capacity).

The calculation provided by Fed seems not correct as it is assumed that after the cool down time, the system wait another 5 min to collect
metrics which seems not the case.
upvoted 8 times

  Exilic 1 year ago

Also came to the conclusion 2, 4 perhaps my math is wrong
upvoted 1 times

  klasbeatz 8 months, 1 week ago

There was no time frame specified in the question for the scale increase it only shows the threshold % at which it increases. These questions
don't give details. Do we just assume it follows the same time as the decreasing rule?
upvoted 3 times

  Chickpea2016 6 months, 1 week ago

"The scale out rule is configured with the same duration and cool down tile as the scale in rule."
upvoted 5 times

  klexams 8 months, 1 week ago

Correct!! Just to add: the last 4 mins is for the cooldown anyway so won't count regardless.
upvoted 5 times

  Holydud 9 months, 4 weeks ago

Was on exam 19 Aug 2022. Scored 870. Around 85% questions were also on ET. Answered:

Box1: 2
Box2: 4
upvoted 13 times

  Moyuihftg Highly Voted  2 years, 1 month ago

I think:
2
4
upvoted 123 times

  NJTH Most Recent  2 months, 1 week ago

Simular question was on todays exam.
(7th April 2023)
upvoted 4 times

  Rams_84zO6n 2 months, 2 weeks ago

mlantonis is right, i'm changing my answer to 2 and 4. I missed to notice "The scale out rule is configured with the same duration and cool down
tile as the scale in rule." Another observation i made is Max statistic works differently than Avg for the duration.
Box1: 2 - When CPU reaches 90%, Max doesn't need to wait for duration 5 min. to evaluate, so instance count goes to 2 right away. But
cooldown=5 min, so instance count stays at 2 after CPU holds at 90% for 5 minutes.
Box 2: 4 - When CPU goes below 25%, after 5 minutes count=4. Cool down 5 min, so instance count after CPU stays below 25% for 9 minutes is 4.
upvoted 1 times

  Rams_84zO6n 2 months, 3 weeks ago

Box 1: 2, Box 2: 3
Right after the 60th min, average CPU usage is below 25%. So at 60.01 min, CPU count is 4. Allowing 5 min cool down period, next check is at 65.1
min. CPU count will decrease by 1 again. So when you check CPU count at 69th minute, it would be 3
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 137/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  zellck 4 months ago

1. 2 (min 1 + 1 scale out)
2. 4 (max 5 - 1 scale in)
upvoted 1 times

  JackieTYF 7 months ago

Box 2 = 4
When it drops to 25% for 9 minutes and it will scale in once after 5 mins (since the average of the last 5 minutes is under 30% ), so it will decrease
by 1, so 4 in total. Then it will have a cooldown of 5 minutes before scaling in again, but since only 4 minutes left from 9 minutes (9-5 = 4), it won't
scale in again. So, 4 in total.
upvoted 1 times

  BYNeo 7 months ago

Base on the answer, Agree with answer 5 and 3.
Reason:
Box 1: CPU Usage >= 30 will increase 1 and scale out mention (Max) 85 increase 1
Base on question 70% will for 1 hour will reach 5 already (every 5 mins increase 1).

Box2: 90% for 1 hour will be 5

the moment it drop 25% it will reduce from 5 to 4
Then base on ever 5 mins will from 1, in 9 mins will be drop from 4 to 3
upvoted 2 times

  OrwellMB 7 months ago

Hey,
Box2:
for scale-in, (Average) Cpu% <30 for 5 minutes. So it needs 5 minutes constantly under 30% for the scale-in to take effect, not the moment it
drops!
Answer is 4 (from 5->4 at the 5th minute mark, then it will be 3 at the 10th minute, but after 9mins, it is 4)
upvoted 1 times

  bdumois 8 months, 2 weeks ago

Box 1: 5
If the scale out rule Tile is configured the same as the scale in tile, the CPU is set to 305 (regardless of the rule name [...(Maximum) CpuPercentage
> 85], one could presume the value is set to 30, because the instruction say "The scale out rule is configured with the same duration and cool down
tile as the scale in rule" .
With this setting scaling out starts right away with 70% CPU utilization and reaches 5.

Box 2-4
upvoted 1 times

  EmnCours 9 months, 4 weeks ago

I think:
2
4
upvoted 1 times

  Isacco 10 months, 2 weeks ago

incorrect answer, 1--> 2 and 2--> 4
upvoted 2 times

  Lazylinux 12 months ago

for sure 2 and 4
Box 1: is 2 start with 1 and adds 1 because threshold of 85% exceed ones
Box2: 4 because threshold 85% been exceed for 1hr hence total vms is max vms that is 5 then goes down below since threshold of 30% for only 9
minutes hence only scale in by 1 vm and hence total left is 4
upvoted 6 times

  manalshowaei 1 year ago

Box 1: 5 -
The maximum 5 will kept as the CPU Usage >= 30.

Box 2: 3 -
In 9 minutes the count will be decreased twice from 5 reaching 3.
upvoted 1 times

  waqarahmed78 12 months ago

For Box 2: it would be 4 as utilization at 25% was for 9 minutes.
Hence, after 1 hour of 90 % utilization of maximum, 5 -> will reduce to 4 after 5 minutes of utilization at 25%.
In the next 4 minutes, it will not scale in as cool down time is 5 minutes.
upvoted 1 times

  Chrys941 1 year ago

******The scale out rule is configured with the same duration and cool down tile as the scale in rule 5Min
70 %for 1 hour that mean
60 min - 1
65 min +1 = 2 total 2

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 138/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

box 2
90 % 60 min - 5 - which is the maximum
25 % 61 min - 5
25 % 62 min - 5
25 % 63 min - 5
25 % 64 min - 5
25 % 65 min - 5
25 % 66 min - 4
25 % 67 min - 4
25 % 68 min - 4
25 % 69 min - 4
25 % 66 min - 4
upvoted 5 times

  Rams_84zO6n 2 months, 3 weeks ago

25% 61 min - why the count stays at 5? shouldn't it be 4? cooldown: The amount of time to wait after a scale operation before scaling again
upvoted 2 times

  Olram 1 year, 1 month ago

Passed today. this is part of the exam. 4/23/22
upvoted 3 times

  Ahmed_Root 1 year, 2 months ago

actually it will scale out at the end of the first 5 minutes. So:
as a diagram
minutes-instance
0-1
5-2
10-2
15-3
20-3
25-4
30-4
35-5
40-5
45-5
50-5
and so on
upvoted 3 times

  Dhanya2022 1 year, 2 months ago

5 (no cooldown period),3( initially when <30, decreases 1 and after 5 min)
upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 139/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #55 Topic 4

You have an Azure virtual machine named VM1 that runs Windows Server 2019. The VM was deployed using default drive settings.
You sign in to VM1 as a user named User1 and perform the following actions:
✑ Create files on drive C.
✑ Create files on drive D.
✑ Modify the screen saver timeout.
✑ Change the desktop background.
You plan to redeploy VM1.
Which changes will be lost after you redeploy VM1?

A. the modified screen saver timeout

B. the new desktop background

C. the new files on drive D

D. the new files on drive C

Correct Answer: C

Community vote distribution

C (100%)

  mlantonis Highly Voted  2 years ago

Correct Answer: C

For Windows Server, the temporary disk is mounted as “D:\”.

For Linux based VM’s the temporary disk is mounted as “/dev/sdb1”.

Reference:

https://www.cloudelicious.net/azure-vms-and-their-temporary-storage
upvoted 134 times

  Holydud 9 months, 4 weeks ago

Was on exam 19 Aug 2022. Scored 870. Around 85% questions were also on ET. Answered C
upvoted 8 times

  ahyaa Highly Voted  1 year, 3 months ago

In the exam on Feb 26, 2022, I passed today's exam 784. happy weekend!!
upvoted 25 times

  General45 10 months ago

Yyyyghhhhhy
upvoted 1 times

  zr79 1 year, 3 months ago

You must have the great muscle memory to remember the questions that appeared. Congrats btw
upvoted 9 times

  Gino_Slim 11 months, 2 weeks ago

That's what I'm thinking. It's also weird to see people pass and then come all the way back here
upvoted 17 times

  yaguitoEC Most Recent  1 month ago

Why not all?
upvoted 1 times

  IBR 3 months, 3 weeks ago

T F are they calling this redeployment?
upvoted 2 times

  Mev4953 9 months ago

After you redeploy a VM, all the data that you saved on the temporary disk and Ephemeral disk is lost.

Ref:https://docs.microsoft.com/en-us/troubleshoot/azure/virtual-machines/redeploy-to-new-node-windows
upvoted 4 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 140/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  EmnCours 9 months, 4 weeks ago

Selected Answer: C
Correct Answer: C
upvoted 3 times

  manalshowaei 1 year ago

Selected Answer: C
C. the new files on drive D
upvoted 3 times

  Lazylinux 1 year ago

Selected Answer: C
C is correct D drive is temp and Microsoft warns about its usage i.e. temp storage and lost via reboot
upvoted 1 times

  Phani1701 1 year ago

Any data stored on D:\ will be gone after a reboot/redeployment therefore the answer is C:
upvoted 1 times

  Olram 1 year, 1 month ago

Passed today. this is part of the exam. 4/23/22
upvoted 3 times

  ajayasa 1 year, 3 months ago

this question was there on 16/03/2022 with same question and passed with 900 percent
upvoted 6 times

  ahyaa 1 year, 3 months ago

This question appeared in my exam today Feb 26, 2022, and I got 784! yay!! I passed!!! thank you, review buddies!!
upvoted 2 times

  ITprof99 1 year, 5 months ago

This question on exam 01.02.22
Answer: C
upvoted 5 times

  sanbt 1 year, 6 months ago

This question on 12/12/21.
Most of the questions from this dump.
upvoted 6 times

  fabylande 1 year, 7 months ago

In exam October 16, 2021
upvoted 7 times

  ScreamingHand 1 year, 11 months ago

C it's D
upvoted 3 times

  mhker 1 year, 12 months ago

Correct C:D
upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 141/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #56 Topic 4

You have an Azure subscription.

You have an on-premises virtual machine named VM1. The settings for VM1 are shown in the exhibit. (Click the Exhibit tab.)

You need to ensure that you can use the disks attached to VM1 as a template for Azure virtual machines.
What should you modify on VM1?

A. the memory

B. the network adapters

C. the hard drive

D. the processor

E. Integration Services

Correct Answer: C
From the exhibit we see that the disk is in the VHDX format.
Before you upload a Windows virtual machine (VM) from on-premises to Microsoft Azure, you must prepare the virtual hard disk (VHD or
VHDX). Azure supports only generation 1 VMs that are in the VHD file format and have a fixed sized disk. The maximum size allowed for the
VHD is 1,023 GB. You can convert a generation 1 VM from the VHDX file system to VHD and from a dynamically expanding disk to fixed-sized.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/prepare-for-upload-vhd-image

Community vote distribution

C (100%)

  mlantonis Highly Voted  2 years ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 142/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Correct Answer: C

The Virtual hard disk is VHDx, it should be formated to VHD before migration from on-premises to Azure. Azure supports only generation 1 VMs
that are in the VHD file format and have a fixed sized disk. The maximum size allowed for the VHD is 1,023 GB. You can convert a generation 1 VM
from the VHDX file system to VHD and from a dynamically expanding disk to fixed-sized.

Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/prepare-for-upload-vhd-image
upvoted 88 times

  fedztedz Highly Voted  2 years, 6 months ago

Correct. the VIrtual hard disk is VHDx, it should be format to VHD before migration from on-premis to Azure
upvoted 52 times

  Vgopi 2 years, 4 months ago

Correct
upvoted 7 times

  EmnCours Most Recent  9 months, 4 weeks ago

Selected Answer: C
Correct Answer: C
upvoted 3 times

  Lazylinux 12 months ago

Selected Answer: C
C is correct
the VIrtual hard disk is VHDx, it should be format to VHD before using it in Azure cloud environment as Azure VMs support only VHD format
upvoted 4 times

  manalshowaei 1 year ago

Selected Answer: C
C. the hard drive
upvoted 2 times

  babzbabz 1 year ago

Came on exam today (24/05-2022)
upvoted 3 times

  michaelmorar 1 year, 1 month ago

SO they've highlighted Integration Services simply to misdirect the candidates attention? Nefarious!
upvoted 4 times

  Olram 1 year, 1 month ago

Passed today. this is part of the exam. 4/23/22
upvoted 5 times

  yolap31172 1 year, 2 months ago

Not relevant to actual question, but how is that possible that this machine has two network interfaces connected to two different VNETs?
upvoted 2 times

  pr_cerda 10 months ago

on-prem VM, in thos case Hyper-V according to the picture, so it can have multiple VNETs.
upvoted 2 times

  Hemang_Vyas 1 year ago

Yes that is possible , Its a Hyper V VM & it can have multiple NIC which can be associated with the different VNET(different different networks)
upvoted 2 times

  DrJoness 1 year, 2 months ago

Selected Answer: C
Question appeared in exam today. The answer is correct. VHDx will not work
upvoted 2 times

  LuciosVanHatter 1 year, 2 months ago

wish me luck writing tomorrow and I am stressed
upvoted 2 times

  Dobby25 1 year, 2 months ago

Received this on my exam today 19/03/2022
upvoted 3 times

  ahyaa 1 year, 3 months ago

This question appeared in my exam today Feb 26, 2022, and I got 784! yay!! I passed!!! thank you, review buddies!!
upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 143/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  okeyken1 1 year, 5 months ago

Came out 29 Dec 2021 hard disk
upvoted 6 times

  exam999999999 1 year, 6 months ago

Good luck!!
upvoted 2 times

  rigonet 1 year, 8 months ago

Correct Answer: C
C. the hard drive
- The Virtual hard disk is VHDx, it should be formated to VHD before migration from on-premises to Azure.

Azure supports both generation 1 and generation 2 VMs that are in VHD file format and that have a fixed-size disk. The maximum size allowed for
the OS VHD on a generation 1 VM is 2 TB.

Before you upload a Windows virtual machine (VM) from on-premises to Azure, you must prepare the virtual hard disk (VHD or VHDX). You can
convert a VHDX file to VHD, convert a dynamically expanding disk to a fixed-size disk, but you can't change a VM's generation.
upvoted 3 times

  silver_bullet666 1 year, 9 months ago

Answer correct, convert HDD from VHDX to VHD however the explanation is not entirely correct as Gen2 VM's are also supported, with VHD disks
only; see https://docs.microsoft.com/en-us/azure/virtual-machines/windows/prepare-for-upload-vhd-image
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 144/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #57 Topic 4

HOTSPOT -
You have an Azure subscription that contains a virtual machine scale set. The scale set contains four instances that have the following
configurations:
✑ Operating system: Windows Server 2016
✑ Size: Standard_D1_v2
You run the get-azvmss cmdlet as shown in the following exhibit:

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
NOTE: Each correct selection is worth one point.
Hot Area:

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 145/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Correct Answer:

The Get-AzVmssVM cmdlet gets the model view and instance view of a Virtual Machine Scale Set (VMSS) virtual machine.

Box 1: 0 -
The enableAutomaticUpdates parameter is set to false. To update existing VMs, you must do a manual upgrade of each existing VM.

Box 2: 4 -
Enabling automatic OS image upgrades on your scale set helps ease update management by safely and automatically upgrading the OS disk for
all instances in the scale set.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-upgrade-scale-set
https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-automatic-upgrade

  mlantonis Highly Voted  2 years ago

Correct Answer:

Box 1: 4
If you resize the Scale Set all the VMs get resized at once, thus 4 is the correct answer.

Box 2: 1
Automatic OS updates update 20% of the VMs at once, with a minimum of 1 VM instance at a time. Also 20% of 4 = 0.8.

Reference:
https://docs.microsoft.com/en-us/learn/modules/build-app-with-scale-sets/2-features-benefits-virtual-machine-scale-sets
https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-automatic-upgrade
https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-upgrade-scale-set
upvoted 175 times

  yoelalan14 1 year, 6 months ago

For Box 2, what about the Automatic Updated feature that is turned "off"? Wouldn't the answer be 0?
upvoted 8 times

  e_karma 1 year, 6 months ago

That is patches where as this is os upgrades
upvoted 7 times

  solarwinds123 Highly Voted  2 years, 5 months ago

The question asks "if the administrator changes the size", not if it gets scaled up vertically. I tested this, and if you resize the scale set all the virtual
machines get resized at once, thus 4 is the correct answer. For the second part, automatic OS updates update 20% of the VMs at once, with a
minimum of 1 VM instance at a time.
upvoted 95 times

  ciscogeek 2 years, 3 months ago

Most trustworthy, and correct as per other explanations and references as well.
upvoted 10 times

  oshoparsi 2 years, 2 months ago

20% 4 = 0.8 but minimum would be 1 vm.
upvoted 3 times

  lulzsec2019 Most Recent  3 months ago

Guys, sorry for the noob question. where did you get the value "4"? I don't see any number 4 in the picture.
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 146/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 3 times

  redbull2023 2 months, 2 weeks ago

read the question again bro
upvoted 2 times

  yellowdot 3 months ago

Box1 - 4
This refers to the second PS cmdlt 'UpgradePolicy' which "determines what happens next after you change the scale set model" (ex. VM size, OS
ver, extensionPolicy). Box1 asks what happens when size of VM changes. Since it's set to 'automatic', the change will be applied to all the VMs in
the scale set at once

[ref: https://msftstack.wordpress.com/2016/11/15/azure-scale-set-upgrade-policy-explained/]

Box2 - 0
This refers to the first PS cmdlt 'UpgradePolicy' which "determines what happens when image publishers publishes the latest image OS image -
which in this case Microsoft released the Win Server 2016 image. Since it's set to 'false', there will be no changes made- u[dates will need to
happen manually with user intervention.

[ref: https://techcommunity.microsoft.com/t5/azure-paas-blog/azure-service-fabric-enableautomaticupdates/ba-p/834246]
upvoted 2 times

  Standa_82 3 months, 3 weeks ago

It seems to me that picture doesn't match questions.
upvoted 5 times

  dc2k79 7 months, 3 weeks ago

Box 1: 4
The first command has nothing to do with VM Resizing.

Box 2: 1
What's set to 'false' is Patch updates. This is recommended to be set to 'False' when Automatic OS upgrades are set to 'True'. What this means is
that the automatic rolling OS Upgrades will happen at 20%.
upvoted 7 times

  Bobby1977 9 months ago

WindowsConfiguration.EnableAutomaticUpdates PropertyGets or sets indicates whether Automatic Updates is enabled for the Windows virtual
machine. Default value is true. For virtual machine scale sets, this property can be updated and updates will take effect on OS reprovisioning.

Based on the above note, as EnableAutomaticUpdates = False the OS updates will not happen. So answers are Box1: 4 and Box 2: 0
upvoted 2 times

  tt2tt 10 months, 3 weeks ago

There're seven more confusing comments here, I am totally lost... as usual, I will follow the answer from mlantonis
upvoted 9 times

  Davin0406 9 months, 1 week ago

Me too bro
upvoted 6 times

  NotMeAnyWay 11 months ago

Part one: Answer 0
The Administrator is doing a manual change to the virtual machine scale set MODEL (AKA OS Build), however this model change does not take
immediate affect for the exsiting machines in the Scale Set, see this section of the doc:
Read Here:
(https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-upgrade-scale-set#how-to-update-global-scale-
set-properties)

Part 2: Answer 4
The Upgrade policy (Don't get confused with "Update" Policy, which is for OS Patches) is set to Automatic. When the Upgrade policy is set to
automatic, all the VMs may be taken down and upgraded at the same time, as per the MS docs:
Read Here:
(https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-upgrade-scale-set#how-to-bring-vms-up-to-date-
with-the-latest-scale-set-model)

NB: The 20% policy for upgrades mentioned in other comments is for Extensions in a VMSS, not the actual VM scale set.
upvoted 3 times

  manalshowaei 1 year ago

Box 1: 0 -
The enableAutomaticUpdates parameter is set to false. To update existing VMs, you must do a manual upgrade of each existing VM.

Box 2: 4 -
Enabling automatic OS image upgrades on your scale set helps ease update management by safely and automatically upgrading the OS disk for all
instances in the scale set.
upvoted 2 times

  Scoobysnaks86 1 year ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 147/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

I'm tired of these questions being more of tests of English comprehension than actually doing the job. Trick questions with diagrams that are
unimportant or intentionally misleading does not do anything to test knowledge.
upvoted 23 times

  EleChie 1 year, 4 months ago

Explanation
the Get-AzVmssVM cmdlet gets the model view and instance view of a Virtual Machine Scale Set (VMSS) virtual machine.
Box 1: 0
The enableAutomaticUpdates parameter is set to false. To update existing VMs, you must do a manual upgrade of each existing VM.
Box 2: 1
Below is clearly mentioned in the official Website
"The upgrade orchestrator identifies the batch of VM instances to upgrade, with any one batch having a maximum of 20% of the total instance
count, subject to a minimum batch size of one virtual machine." So, 20% from 4 ~1
upvoted 5 times

  c64basic 1 year, 4 months ago

So basically, what we are looking at here is the UpgradePolicy only, as neither of the two actions (resizing the VM and upGRADING the OS)
conern Windows settings. The top command (WindowsConfiguration) doesn't have anything to do with the questions.
upvoted 1 times

  Mozbius_ 1 year, 4 months ago

Box 1:
In case we want to disable the windows updates, we need to set “enableAutomaticUpdates” as false

https://techcommunity.microsoft.com/t5/azure-paas-blog/azure-service-fabric-enableautomaticupdates/ba-p/834246

This is not a windows update but a VM size change.

upvoted 4 times

  Juli98 1 year, 5 months ago

For Q2
https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-automatic-upgrade
For scale sets using Windows virtual machines, starting with Compute API version 2019-03-01, the property
virtualMachineProfile.osProfile.windowsConfiguration.enableAutomaticUpdates property must set to false in the scale set model definition. The
enableAutomaticUpdates property enables in-VM patching where "Windows Update" applies operating system patches without replacing the OS
disk. With automatic OS image upgrades enabled on your scale set, an extra patching process through Windows Update is not required.
So its not 0 but
An upgrade works by replacing the OS disk of a VM with a new disk created using the latest image version. Any configured extensions and custom
data scripts are run on the OS disk, while data disks are retained. To minimize the application downtime, upgrades take place in batches, with no
more than 20% of the scale set upgrading at any time.

Its 4x0,2 = 0,8 => 1 (minimum)

upvoted 4 times

  hanyahmed 1 year, 5 months ago

it should be 4 and 1
upvoted 3 times

  arkadius 1 year, 5 months ago

For scale sets using Windows virtual machines, starting with Compute API version 2019-03-01, the property
virtualMachineProfile.osProfile.windowsConfiguration.enableAutomaticUpdates property must set to false in the scale set model definition. The
enableAutomaticUpdates property enables in-VM patching where "Windows Update" applies operating system patches without replacing the OS
disk. With automatic OS image upgrades enabled on your scale set, an extra patching process through Windows Update is not required.
https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-automatic-upgrade
upvoted 2 times

  Sara_Mo 1 year, 6 months ago

Option1: 4
Option2: 1
upvoted 2 times

  [Removed] 1 year, 8 months ago

0 and 4
as nothing changes simultaneously
upvoted 4 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 148/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #58 Topic 4

You have an Azure subscription named Subscription1 that is used by several departments at your company. Subscription1 contains the resources
in the following table:

Another administrator deploys a virtual machine named VM1 and an Azure Storage account named storage2 by using a single Azure Resource
Manager template.
You need to view the template used for the deployment.
From which blade can you view the template that was used for the deployment?

A. VM1

B. RG1

C. storage2

D. container1

Correct Answer: B
View template from deployment history
1. Go to the resource group for your new resource group. Notice that the portal shows the result of the last deployment. Select this link.

2. You see a history of deployments for the group. In your case, the portal probably lists only one deployment. Select this deployment.

3. The portal displays a summary of the deployment. The summary includes the status of the deployment and its operations and the values that
you provided for parameters. To see the template that you used for the deployment, select View template.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 149/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-export-template

Community vote distribution

B (100%)

  fedztedz Highly Voted  2 years, 6 months ago

Correct answer B RG1. the only way to see both together storage and VM
upvoted 57 times

  Holydud 9 months, 4 weeks ago

Was on exam 19 Aug 2022. Scored 870. Around 85% questions were also on ET. Answered B
upvoted 4 times

  mlantonis Highly Voted  2 years ago

Correct Answer: B
upvoted 46 times

  raym1980 Most Recent  5 months, 1 week ago

Selected Answer: B
Correct Answer B
Came up in exam today
920/1000
upvoted 4 times

  mscbgslt 7 months ago

Same as " A colleague named Jon Ross makes use of a solitary Azure Resource Manager (ARM) template to deploy a virtual machine and an
additional Azure Storage account.
You want to review the ARM template that was used by Jon Ross. "
upvoted 2 times

  EmnCours 9 months, 4 weeks ago

Selected Answer: B
Correct Answer: B
upvoted 1 times

  Lazylinux 12 months ago

Selected Answer: B
I Luv Honey Because it is B
upvoted 2 times

  manalshowaei 1 year ago

Selected Answer: B
B. RG1
upvoted 1 times

  ajayasa 1 year, 3 months ago

this question was there on 16/03/2022 with same question and passed with 900 percent
upvoted 3 times

  sid132 1 year, 3 months ago

On the exam today, 4.March.2022

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 150/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 1 times
  Pasmo 1 year, 3 months ago
Selected Answer: B
Correct Answer: B
upvoted 1 times

  awssecuritynewbie 1 year, 3 months ago

you can only deploy resources into resource group so that is where you would see the the history of your deployments!
upvoted 1 times

  pappkarcsiii 1 year, 4 months ago

Selected Answer: B
Correct answer B RG1. the only way to see both together storage and VM
upvoted 2 times

  hanyahmed 1 year, 5 months ago

yes it should be visible from resource group
upvoted 2 times

  Krypt11 1 year, 7 months ago

Correct answer B RG1.
upvoted 2 times

  AubinBakana 1 year, 9 months ago

They really want to know that we know the portal inside out. And I'm definitely getting more practice. Easy, this one.
upvoted 1 times

  McRowdy 1 year, 12 months ago

The clue here is that it is in the same RG (RG1). Hence the answer is "B"
upvoted 1 times

  Tamilarasan 2 years ago

Correct answer is B
Automate deploying resources with Azure Resource Manager templates in a single, coordinated operation. Define resources and configurable input
parameters and deploy with script or code.
upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 151/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #59 Topic 4

You have an Azure web app named App1. App1 has the deployment slots shown in the following table:

In webapp1-test, you test several changes to App1.

You back up App1.
You swap webapp1-test for webapp1-prod and discover that App1 is experiencing performance issues.
You need to revert to the previous version of App1 as quickly as possible.
What should you do?

A. Redeploy App1

B. Swap the slots

C. Clone App1

D. Restore the backup of App1

Correct Answer: B
When you swap deployment slots, Azure swaps the Virtual IP addresses of the source and destination slots, thereby swapping the URLs of the
slots. We can easily revert the deployment by swapping back.
Reference:
https://docs.microsoft.com/en-us/azure/app-service/deploy-staging-slots

Community vote distribution

B (100%)

  fedztedz Highly Voted  2 years, 6 months ago

Correct Swap slots. this is advantage of using slots. where each slot has its own host name while the app content and configuration elements are
the one who are swapped. this is done seamlessly for traffic direction and no requests are dropped or downtime happens.
upvoted 58 times

  solomonmana 1 year, 5 months ago

Correct
upvoted 6 times

  mlantonis Highly Voted  2 years ago

Correct Answer: B

When you swap deployment slots, Azure swaps the Virtual IP addresses of the source and destination slots, thereby swapping the URLs of the slots.
We can easily revert the deployment by swapping back.

Deployment slots are live apps with their own host names. App content and configurations elements can be swapped between two deployment
slots, including the production slot.

Deploying your application to a non-production slot has the following benefits:

1. You can validate app changes in a staging deployment slot before swapping it with the production slot.
2. Deploying an app to a slot first and swapping it into production makes sure that all instances of the slot are warmed up before being swapped
into production.

Reference:

https://docs.microsoft.com/en-us/azure/app-service/deploy-staging-slots
upvoted 52 times

  AzZnLuVaBoI Most Recent  2 months, 2 weeks ago

On the Exam 3/29/23.
upvoted 4 times

  shadad 3 months, 1 week ago

Selected Answer: B
I took Exam of Azure- 104 at 27/2/2023
I score 920 points out of 1000 points. This was on it and my answer was: B

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 152/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 2 times
  zellck 4 months ago
Selected Answer: B
B is the answer.

https://learn.microsoft.com/en-us/azure/app-service/deploy-staging-slots#roll-back-a-swap
If any errors occur in the target slot (for example, the production slot) after a slot swap, restore the slots to their pre-swap states by swapping the
same two slots immediately.
upvoted 1 times

  RougePotatoe 4 months, 1 week ago

"If any errors occur in the target slot (for example, the production slot) after a slot swap, restore the slots to their pre-swap states by swapping the
same two slots immediately."
https://learn.microsoft.com/en-us/azure/app-service/deploy-staging-slots#roll-back-a-swap
upvoted 1 times

  majerly 8 months, 2 weeks ago

today in exam , is B
upvoted 1 times

  EmnCours 9 months, 4 weeks ago

Selected Answer: B
https://docs.microsoft.com/en-us/azure/app-service/deploy-staging-slots
upvoted 2 times

  Lazylinux 12 months ago

Selected Answer: B
I Luv Honey Because it is B

Swap slots, this is Beauty of using slots. you can test at ease and as please
upvoted 2 times

  manalshowaei 1 year ago

Selected Answer: B
B. Swap the slots
upvoted 2 times

  babzbabz 1 year ago

Came on exam today (24/05-2022)
upvoted 1 times

  dasEnder 1 year, 1 month ago

Selected Answer: B
Correct Answer
upvoted 2 times

  Dobby25 1 year, 2 months ago

Received this on my exam today 19/03/2022
upvoted 3 times

  InvisibleShadow 1 year, 3 months ago

This question came in the exam today 8/Mar/2022.
I passed the exam, 95% questions came from here.
upvoted 2 times

  kippp 1 year, 5 months ago

i took the exam on 2/1/2021.. overal 59 question..failed the exam 652.. not even 10 question come from this dump.. they change to new set
upvoted 3 times

  ABhi101 1 year, 5 months ago

I am depressed now, i have mine tomorrow :(
upvoted 1 times

  pmzone 1 year, 4 months ago

@ABhu101 - Did the questions come from this dump ?
upvoted 1 times

  zr79 1 year, 3 months ago

is it 2022 or 2021?
upvoted 1 times

  aliashif 1 year, 5 months ago

contributor access is mandatory to access content?

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 153/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 1 times

  Cloudpie 1 year, 5 months ago

Looks like it is mandatory because i am unable to browse beyond this page...Not sure if its worth it to buy the subscription as my exam is on 31-
Dec-21
upvoted 1 times

  [Removed] 1 year, 6 months ago

Was in exam on 15/11/2021
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 154/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #60 Topic 4

HOTSPOT -
You have an Azure subscription named Subscription1. Subscription1 contains two Azure virtual machines VM1 and VM2. VM1 and VM2 run
Windows Server
2016.
VM1 is backed up daily by Azure Backup without using the Azure Backup agent.
VM1 is affected by ransomware that encrypts data.
You need to restore the latest backup of VM1.
To which location can you restore the backup? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

Note: The new VM must be in the same region.

Reference:
https://docs.microsoft.com/en-us/azure/backup/backup-azure-arm-restore-vms

  mlantonis Highly Voted  2 years ago

Correct Answer:

Box 1: Any Windows computer that has Internet connectivity

For files recovery, you download and run a windows executable to map a network drive. It can only run when the OS meets the requirements. Any
computer running Windows Server 2016 or Windows 10 is suitable. File recovery can be done from any machine on the Internet.

Note: There might be compatibility issues with any Windows computer, so consider VM1 and VM2 only as an answer.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 155/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Box 2: VM1 or a new Azure virtual machine only

For restoring a VM, you can choose 'Create new' or 'Replace existing'.

Reference:

https://docs.microsoft.com/en-us/azure/backup/backup-azure-restore-files-from-vm

https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/backup/backup-azure-restore-files-from-vm.md#for-windows-os
upvoted 149 times

  GBAU 4 months ago

If you are going to read into the wording "Any" to mean literally any windows computer out there back to Windows 1, then you also need to
read into "only" in VMw and VM2 only to mean NO other computers anywhere. Its a crappy worded question, I think generalising Any is more
reasonable that generalising Only.
upvoted 3 times

  bartfto 1 month, 2 weeks ago

what is Windows 1?
upvoted 1 times

  Kizz 1 year, 7 months ago

Box 1 should be VM1 and VM2 only:
"Restoring files and folders is available only for Azure VMs deployed using the Resource Manager model and protected to a Recovery Services
vault."
https://docs.microsoft.com/en-us/azure/backup/backup-azure-restore-files-from-vm
Box 2: VM1 or New AZure VM only:
When restoring a VM, you can't use the replace existing VM option for ADE encrypted VMs. This option is only supported for unencrypted
managed disks.
https://docs.microsoft.com/en-us/azure/backup/restore-azure-encrypted-virtual-machines
upvoted 14 times

  DrMiyu 11 months, 3 weeks ago

Agree this should VM1 or VM2 as in the docs they wrote "Select Download Executable (for Windows Azure VMs) or Download Script (for
Linux Azure VMs, a Python script is generated) to download the software used to copy files from the recovery point."

So the scenario is made to run everything within azure. I'm expecting that this should be doable via another machine but then with
connection to the Azure / Account / configuration (that are not really specified here)
upvoted 1 times

  imartinez 1 year, 9 months ago

The provided answer from ETopics is correct
Box1: VM1 or a new Azure virtual machine only.
You and MS docs clearly says that Windows Server 2016 or Windows 10 are suitable, but these are not all OS Windows system on the internet.
Box2 it's correct
upvoted 7 times

  Lkk51 2 years ago

VM1 is affected by ransomware that encrypts data.
Can we use VM1 to recover file?
upvoted 5 times

  Herald3883 9 months, 1 week ago

The key phrase is "encrypts data", not the whole disk.
upvoted 1 times

  juniorccs 1 year, 1 month ago

exactly what I thought
upvoted 1 times

  fedztedz Highly Voted  2 years, 6 months ago

File recovery can be done from any machine on internet. for restoring the VM, you can restore the backed up disk and either restore the disk
before the malware (VM) or create a any virtual machine
upvoted 89 times

  Meesaw 2 years, 5 months ago

the question is file recovery to VM1 and not from any machine on internet.
upvoted 8 times

  Netspud 1 year, 4 months ago

Restore (Q2) is correct VM1 or new. But Q1, file recovery a little harder, After reading:
https://docs.microsoft.com/en-us/azure/backup/backup-azure-restore-files-from-vm
It constantly say VM, so they can only be restored to a VM. (Anyway the internet one says any windows PC, and support only goes back to 7, so
that not ANY windows PC).
Then there are some restrictions, that we have no idea if VM1 or WM2 comply with, along with recommendations if drivers are over a certain
size.
So assuming we can create a VM with the same OS (or client compatible OS) in the same region (which is a reasonable conclusion) we can only
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 156/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

recover to a New VM, because this is the only way we can be sure everything complies. But this question in my opinion is somewhat incomplete
with details.
My vote:
Q1 New Only
Q2 VM1 and New
(I am confident it is NOT internet PCs)
upvoted 1 times

  magichappens 1 year, 2 months ago

How can Q1 be not any? Every other answer excluded VM2 which does not make any sense. So only possible answer is any machine with
internet as you can mount the storage via script. Compatibility is not relevant for this question.
upvoted 4 times

  diligent176 2 years, 5 months ago

Yes, file recovery can be done from any computer with internet connection (provided it meets a few other compatibility requirements in this
article):
https://docs.microsoft.com/en-us/azure/backup/backup-azure-restore-files-from-vm
2nd part - the Restore can be done to the same VM1 or to a new VM
upvoted 7 times

  Miles19 2 years, 2 months ago

For file recovery, I wouldn't suggest going for the option "any computer with the internet connection" because of the OS compatibility
problem. When recovering files, you can't restore files to a previous or future operating system version. In this case, we need either Windows
Server 2016 machine or windows 10 client machines, not windows 8.1, or windows 8. Here is the link: https://docs.microsoft.com/en-
us/azure/backup/backup-azure-restore-files-from-vm#for-windows-os
Therefore, I suggest the option "VM1 and VM2 only" as we definitely know that their O.S. is compatible.
upvoted 11 times

  KOSACA 2 years, 5 months ago

If you read step 3 only Windows 10 PC can be used to restore the file from Windows Server 2016. So the "Any computer with internet
activity" is not correct. So I guess the answers are correct.
upvoted 11 times

  GenjamBhai 11 months, 3 weeks ago

Box 1 = VM1 and VM2 Only
"When recovering files, you can't restore files to a previous or future operating system version"
https://docs.microsoft.com/en-us/azure/backup/backup-azure-restore-files-from-vm#for-windows-os
upvoted 3 times

  oshoparsi 2 years, 2 months ago

the mars agent is for when we want to restore to the on-prem machine. and it says we don't have it so the option
of to any win computer is wrong .and to any new azure vm is also impossible because of the os type and region restriction concern on both
scenarios.on first it should be restored to just vms with os compatible not any new azure vm. and in second one it should be a vm in the same
azure region so again no all the new azure vms.
upvoted 5 times

  RandomNickname Most Recent  1 week, 3 days ago

For box 2 the answer looks correct, VM1 or a new Azure VM.

Box 1 is a little tricky as people are suggesting.

Provided the VM's are compatible as per below it could be, VM1 & VM2 only or VM1 and a new VM only but not sure I'm happy with the latter, I
guess it depends on what Microsoft are actually questioning us on.

However looking at the below URL and step 4, I'd be tempted to say, Any Windows that has internet connectivity. (Provided it's compatible)
https://learn.microsoft.com/en-us/azure/backup/backup-azure-restore-files-from-vm
upvoted 1 times

  Madbo 1 month, 3 weeks ago

In the first scenario, the correct answer is "VM1 and VM2 only" because the question asks where you can restore the latest backup of VM1, and
VM1 is not affected by ransomware. Therefore, you need to restore the backup to a compatible machine, which is either VM1 or VM2.

In the second scenario, the correct answer is "VM1 or a new Azure virtual machine only" because the question asks where you can restore the
entire VM, not just files. You can choose to create a new VM or replace the existing one, but the restore can only be done to VM1 or a new Azure
virtual machine.
upvoted 1 times

  Rams_84zO6n 2 months, 3 weeks ago

Assumption: The compromised VM must have been created using ARM deployment, and Un-encrypted.
Box 1: Any Windows computer that has Internet connectivity
Box 2: VM1 or new Azure VM only - referred as OLR - Original Location Recovery and ALR - Alternate location recovery -
https://learn.microsoft.com/en-us/azure/backup/about-azure-vm-restore#restore-scenarios
upvoted 1 times

  AK4U 3 months, 1 week ago

Yhttps://www.youtube.com/watch?v=1_P6sfB5vRA
You can restore VM1 to VM1 or a new Azure virtual machine only
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 157/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  zellck 4 months ago

1. Any Windows computer that has Internet
2. VM or new Azure VM only

https://learn.microsoft.com/en-us/azure/backup/backup-azure-restore-files-from-vm

https://learn.microsoft.com/en-us/azure/backup/backup-azure-arm-restore-vms#choose-a-vm-restore-configuration
- Create new: Use this option if you want to create a new VM. You can create a VM with simple settings, or restore a disk and create a customized
VM.
- Replace existing: Use this option if you want to replace disks on an existing VM.
upvoted 2 times

  SedateBloggs 4 months, 1 week ago

Whilst it sounds arcane, the answer to Box 1 is any computer that has internet connectivity. I have tested and can confirm I can restore files from a
Azure VM restore point that is in an Azure Recovery Vault to a physical windows 10 laptop connected to the internet . This laptop is non Hybrid,
non domain joined and happily recovered any files I chose to itself. Box2 is New or Replace existing - i also tested this and those were the two
options to fully restore VM1.
upvoted 3 times

  AzureG0d 7 months, 2 weeks ago

I could be wrong but when you look at the question and the answers. I legit think the answer is correct as stands (poorly worded question).
Therefore as long as it meets the requirements and as long as its ONLY a vm as outlined: "This feature is available for Azure VMs deployed using
the Resource Manager model and protected to a Recovery Services vault. File recovery from an encrypted VM backup isn't supported."

I could be wrong because the question is very very tricky, but i'm going to trust my guy here.

As much as we love mlantonis and by all mean's he's the G.O.A.T! But i do think he has it wrong here, because it specifically states VM's ONLY.
Therefore it cannot be Any pc that has internet connectivity even though in theory that makes sense but for microsoft that doesn't comply with
their article found in the link below.

https://learn.microsoft.com/en-us/azure/backup/backup-azure-restore-files-from-vm
upvoted 1 times

  Shivz81 8 months, 1 week ago

@mlantonis Box 1 which one did u choose? Any Windows computer that has Internet connectivity or VM1 and VM2 only as an answer. I am really
confused.
upvoted 1 times

  Mohd1899 4 months, 2 weeks ago

He chose VM1 VM2 because he mentioned that restore to any new machine may have compatibility issues
upvoted 1 times

  majerly 8 months, 2 weeks ago

Today in exam, answer correct by mlantonis
upvoted 2 times

  EmnCours 9 months, 4 weeks ago

Box 1: Any Windows computer that has Internet connectivity

VM1 or a new Azure virtual machine only

upvoted 3 times

  NotMeAnyWay 11 months ago

Part 1: Answer 3 - VM1 and VM2 only
The File Recovery needs to be on a VM with a compatible OS to the one where the backup orginated. From the question we know that VM2 is also
a Windows Server 2016, so that is the allowed. VM1 can also be used for the Recovery as it does not mention it contains "Storage Spaces" which is
one limitation of the using the origin VM.
Read Here:
(https://docs.microsoft.com/en-us/azure/backup/backup-azure-restore-files-from-vm#step-2-ensure-the-machine-meets-the-requirements-
before-executing-the-script)

Part 2: Answer 2 - VM1 or a new Azure virtual machine only

This is referring to the entire VM restore from a restore point, not the individual File Recovery. Entire VM1 restores can be to the origin VM (OLR) or
to a new Azure VM (ALR).
IT wouldnt make sense to restore to VM2 as that would overwrite the contents of VM2 and leave you with one less VM.
Read Here:
https://docs.microsoft.com/en-us/azure/backup/about-azure-vm-restore#concepts
upvoted 3 times

  Lazylinux 12 months ago

Given answer is incorrect as other also pointed out

Box 1: Any Windows computer that has Internet connectivity

Box 2: VM1 or a new Azure virtual machine only

For restoring a VM, you either options Create new vm or Replace existing one
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 158/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  VladanO 1 year ago

1.VM1and VM2 only
Without any another conditions, file recovery of VM1 can be done on "VM1and VM2 only".
2.VM1 or new Azure virtual machine only
This is better solution then "VM1 and VM2 only".
https://docs.microsoft.com/en-us/azure/backup/backup-azure-arm-restore-vms =>
Restore option:
Create a new VM
Replace existing
upvoted 1 times

  manalshowaei 1 year ago

Note: The new VM must be in the same region.
upvoted 1 times

  Armina 1 year, 1 month ago

Box 1: Any Windows computer that has Internet connectivity For files recovery, you download and run a windows executable to map a network
drive. It can only run when the OS meets the requirements. Any computer running Windows Server 2016 or Windows 10 is suitable. File recovery
can be done from any machine on the Internet. Note: There might be compatibility issues with any Windows computer, so consider VM1 and VM2
only as an answer.
Box 2: VM1 or a new Azure virtual machine only
For restoring a VM, you can choose 'Create new' or 'Replace existing'.
Reference:
ref1: https://docs.microsoft.com/en-us/azure/backup/backup-azure-restore-files-from-vm
ref2: https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/backup/backup-azure-restore-files-from-vm.md#for-windows-os
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 159/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #61 Topic 4

You plan to back up an Azure virtual machine named VM1.

You discover that the Backup Pre-Check status displays a status of Warning.
What is a possible cause of the Warning status?

A. VM1 is stopped.

B. VM1 does not have the latest version of the Azure VM Agent (WaAppAgent.exe) installed.

C. VM1 has an unmanaged disk.

D. A Recovery Services vault is unavailable.

Correct Answer: B
The Warning state indicates one or more issues in VM's configuration that might lead to backup failures and provides recommended steps to
ensure successful backups. Not having the latest VM Agent installed, for example, can cause backups to fail intermittently and falls in this
class of issues.
Reference:
https://azure.microsoft.com/en-us/blog/azure-vm-backup-pre-checks/

Community vote distribution

B (100%)

  Omar_Aladdin Highly Voted  1 year, 8 months ago

Answer is Correct,
Check the REF they provided, and this REF by Microsoft also, proves that:
https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/backup/backup-azure-manage-windows-server.md
upvoted 14 times

  Mozbius_ 1 year, 4 months ago

[Warning: This state indicates one or more issues in the VM's configuration that might lead to backup failures. It provides recommended steps
to ensure successful backups. For example, not having the latest VM Agent installed can cause backups to fail intermittently. This situation will
provide a warning state.]

https://github.com/MicrosoftDocs/azure-docs/blob/main/articles/backup/backup-azure-manage-windows-server.md
upvoted 4 times

  Mozbius_ 1 year, 4 months ago

Correct
upvoted 2 times

  JYKL88 Highly Voted  6 months ago

This came out in my exam
upvoted 7 times

  vbohr899 Most Recent  3 months, 2 weeks ago

Cleared Exam today 26 Feb, This question was there in exam.
upvoted 6 times

  zellck 4 months, 1 week ago

Selected Answer: B
B is the answer.

https://azure.microsoft.com/en-us/blog/azure-vm-backup-pre-checks
Warning: This state indicates one or more issues in VM’s configuration that might lead to backup failures and provides recommended steps to
ensure successful backups. Not having the latest VM Agent installed, for example, can cause backups to fail intermittently and falls in this class of
issues.
upvoted 4 times

  omgMerrick 4 months, 1 week ago

Selected Answer: B
Answer is correct, B: VM1 does not have the latest version of the Azure VM Agent (WaAppAgent.exe) installed.

The Azure VM Agent is required for managing virtual machines, and it provides the communication between the virtual machine and Azure. The
latest version of the Azure VM Agent is required for Azure Backup to work correctly. If the agent is not installed or is outdated, the Backup Pre-
Check status might display a warning.
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 160/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  klexams 7 months, 2 weeks ago

Selected Answer: B
B. VM1 does not have the latest version of the Azure VM Agent (WaAppAgent.exe) installed.
upvoted 1 times

  Mev4953 8 months, 3 weeks ago

Selected Answer: B
Correct answer B
https://github.com/MicrosoftDocs/azure-docs/blob/main/articles/backup/backup-azure-manage-windows-server.md#backup-pre-check-
status:~:text=Warning%3A%20This%20state,a%20warning%20state.
upvoted 3 times

  Dobby25 1 year, 2 months ago

Received this on my exam today 19/03/2022
upvoted 4 times

  Pasmo 1 year, 3 months ago

Selected Answer: B
Correct Answer: B
Warning indicates one or more issues in the VM's configuration that might lead to backup failures. It provides recommended steps to ensure
successful backups. For example, not having the latest VM Agent installed can cause backups to fail intermittently. This situation will provide a
warning state.

https://github.com/MicrosoftDocs/azure-docs/blob/main/articles/backup/backup-azure-manage-windows-server.md
upvoted 4 times

  JIGT 1 year, 5 months ago

vm is stopped
upvoted 2 times

  Netspud 1 year, 4 months ago

You can backup a stopped VM.
upvoted 7 times

  Gumer 1 year, 7 months ago

Got this on 27/10 exam
upvoted 2 times

  LeomHD 1 year, 8 months ago

correcto según la URL
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 161/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #62 Topic 4

A. Yes

B. No

Correct Answer: B
You would need to redeploy the VM.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/redeploy-to-new-node

Community vote distribution

B (100%)

  Omar_Aladdin Highly Voted  1 year, 8 months ago

Redeploy the machine, Reply If i was wrong
upvoted 11 times

  theOldOne 1 year, 8 months ago

As the other questions of this type have stated. Redeploy the machine.
upvoted 3 times

  garmatey Most Recent  2 weeks ago

What exactly does "host" mean here?
upvoted 1 times

  JayLearn2022 3 months, 4 weeks ago

There are several versions of this question. The following are the correct and incorrect answers that will be presented.

Correct Answer: Meets the goal.

-Solution: From the Redeploy blade, you click Redeploy.

Incorrect Answers: Does not meet the goal.

-Solution: From the Overview blade, you move the virtual machine to a different subscription.

-Solution: From the Update management blade, you click Enable.

-Solution: From the Overview blade, you move the virtual machine to a different resource group.
upvoted 4 times

  moshos 4 months, 3 weeks ago

Selected Answer: B
Correct Answer: B
upvoted 2 times

  EmnCours 9 months, 1 week ago

Selected Answer: B
Correct Answer: B
upvoted 1 times

  Dannxx 9 months, 2 weeks ago

The Q says "...move the virtual machine to a different resource group", which basically does not do anything, used just for management purposes.
upvoted 1 times

  j777 1 year, 4 months ago

So, what is the difference between move and redeploy? Because from what I read redeploy is actually turning off the machine. While moving is just
going to another location without powering down. I would think you would still have the same settings.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 162/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 1 times

  klexams 8 months, 1 week ago

redeploy mean it moves the VM to a different host.
upvoted 3 times

  Dannxx 9 months, 2 weeks ago

The Q says "...move the virtual machine to a different resource group", which basically does not do anything, used just for management
purposes.
upvoted 2 times

  JIGT 1 year, 5 months ago

Selected Answer: B
redeploy
upvoted 3 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 163/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #63 Topic 4

HOTSPOT -
You have an Azure subscription.
You plan to use Azure Resource Manager templates to deploy 50 Azure virtual machines that will be part of the same availability set.
You need to ensure that as many virtual machines as possible are available if the fabric fails or during servicing.
How should you configure the template? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

Box 1: 2 -
Use two fault domains.
2 or 3 is max, depending on which region you are in.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 164/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Box 2: 20 -
Use 20 for platformUpdateDomainCount
Increasing the update domain (platformUpdateDomainCount) helps with capacity and availability planning when the platform reboots nodes. A
higher number for the pool (20 is max) means that fewer of their nodes in any given availability set would be rebooted at once.
Reference:
https://www.itprotoday.com/microsoft-azure/check-if-azure-region-supports-2-or-3-fault-domains-managed-disks
https://github.com/Azure/acs-engine/issues/1030

  pakman Highly Voted  1 year, 8 months ago

first box: platformFaultDomainCount should be 3 (since its in East US)
ref: https://stackoverflow.com/questions/49779604/how-to-find-maximum-update-domains-fault-domains-available-in-an-azure-region

second box: platformUpdateDomainCount = 20

upvoted 76 times

  vijesh_shenoy 1 year, 8 months ago

Yes, but they have the below caveat:
"You need to ensure that as many virtual machines as possible are available if the fabric fails or during servicing.".

East US - you could have 2-3 fault domains.

So, Correct answer is 2 and 20
upvoted 4 times

  juniorccs 1 year, 1 month ago

if you can have 2 or 3 and it asks for the max of VM, why would you choose 2 fault domains ? if you have to and 50 VM, if you domain fails
you will lose 25, in the case of 3 fault domains you would loose only 18 or 18 or 14, because the 50 are split in the 3 domains...
upvoted 22 times

  Omar_Aladdin 1 year, 8 months ago

Yeah it is a trick; UpdateDomains are up to 20 Domains only,
there isn't 30/40 update domains available for a single availability-set, so far in azure
upvoted 4 times

  MahadevVasista 1 year, 7 months ago

I agree with 3 FD , since we have condition "You need to ensure that as many virtual machines needs to be available on failure"
Having 3 FD will ensure - 1FD: 17vM, 2FD : 17VM and 3FD : 16VM each.
If One FD goes down we will have max VM's available at any given time rather than choosing 2 FD 's of 25VM each.
upvoted 6 times

  EleChie Highly Voted  1 year, 4 months ago

Number of Fault Domains per region
Region Max # of Fault Domains
East US 3
East US 2 3
West US 3
West US 2 2
Central US 3
North Central US 3
South Central US 3
West Central US 2
Canada Central 3
Canada East 2
North Europe 3
West Europe 3
UK South 2
UK West 2
East Asia 2
South East Asia 2
Japan East 2
Japan West 2
South India 2
Central India 2
West India 2
Korea Central 2
Korea South 2
UAE North 2
China East 2
China East 2 2
China North 2
China North 2 2
Australia East 2
Australia Southeast 2
Australia Central 2
Australia Central 2 2
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 165/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Brazil South 2
US Gov Virginia 2
US Gov Texas 2
US Gov Arizona 2
US DoD Central 2
US DoD East 2
Ref: https://github.com/MicrosoftDocs/azure-docs/blob/master/includes/managed-disks-common-fault-domain-region-list.md#number-of-fault-
domains-per-region
upvoted 13 times

  xRiot007 2 weeks ago

And MS expects us to memorize this garbage ? Gimme a break
upvoted 2 times

  renzoku 9 months ago

oh god, I have to memorize that whole list
upvoted 26 times

  AzZnLuVaBoI Most Recent  2 months, 2 weeks ago

On the Exam 3/29/23.
upvoted 6 times

  Rams_84zO6n 2 months, 3 weeks ago

as many virtual machines as possible are available if the fabric fails or during servicing. - With FD=2, only 25 VMs will be available. With FD=3, you
get 33 VMs on fault. So FD=3 is better option than FD=2. As for UPD, UPD=max (UPD)=20.
upvoted 1 times

  GeeB1 3 months ago

3 FD 20 UD
upvoted 1 times

  shadad 3 months, 1 week ago

I took Exam of Azure- 104 at 27/2/2023
I score 920 points out of 1000 points. This was on it and my answer was:
Max. Fault domain=3
Max. Update domain =20
its none sense to remember and memorize the number of Fault Domains per region lol
upvoted 5 times

  obaali1990 2 months, 3 weeks ago

That is why we are topping up on this platform. Lol
upvoted 2 times

  Spam101198 3 months, 1 week ago

Max. Fault domain=3
Max. Update domain =20
upvoted 2 times

  zellck 4 months, 1 week ago

1. 3
2. 20

https://learn.microsoft.com/en-us/azure/virtual-machines/availability-set-overview#how-do-availability-sets-work
Each virtual machine in your availability set is assigned an update domain and a fault domain by the underlying Azure platform. Each availability set
can be configured with up to three fault domains and twenty update domains.
upvoted 4 times

  alirasouli 7 months, 3 weeks ago

In each availability set:
- Maximum platformFaultDomainCount is 2 or 3, depending on the region you are deploying in.\
- Maximum platformUpdateDomainCount is 20.

These regions have 3 Fault Domains:

* East US
* East US 2
* West US
* Central US
* North Central US
* South Central US
* Canada Central
* North Europe
* West Europe
The rest have 2 Fault Domains.
upvoted 5 times

  bdumois 8 months, 2 weeks ago

I say select the maximum number for both Fault domains and update domains.
Box1: 3
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 166/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Box2: 20
upvoted 5 times
  randy0077 8 months, 3 weeks ago
ans is 3 and 20. confirmed.
upvoted 3 times

  EmnCours 9 months, 1 week ago

Box 1: 2 -
Use two fault domains.
2 or 3 is max, depending on which region you are in.

  David1990 9 months, 1 week ago

3 20 correct answer
upvoted 2 times

  juniorccs 1 year, 1 month ago

I tested today, you can create 3 fault domains (max) in eastus, so the answer is 3and 20, because the update domain max is 20. Don't know why 2,
it's not right in my point of view
upvoted 2 times

  Armina 1 year, 1 month ago

update: eastUS -> 3 fault domains ( region dependent )
update domains is 20 everywhere
https://docs.microsoft.com/en-us/azure/virtual-machines/availability
upvoted 2 times

  Armina 1 year, 1 month ago

Explanations:
An availability group is a logical grouping feature that allows you to ensure in Azure that the VM resources it contains are isolated from each
other when they are deployed in an Azure data center. Azure ensures that the virtual machines within an availability group are distributed across
multiple physical servers, compute racks, storage units and network switches. If a hardware or software error occurs in Azure, only a part of your
VMs will be affected and the application as a whole remains operational and will remain available to your customers. Availability groups are an
important function for creating reliable cloud solutions.
upvoted 1 times

  Armina 1 year, 1 month ago

In a typical VM-based solution, there may be four front-end web servers and two back-end VMs. You can define two availability groups in
Azure before deploying your VMs: an availability group for the web level and an availability group for the back-end level. When creating a
new VM, you can then specify the availability group as a parameter for the "az vm create" command so that Azure automatically ensures that
the VMs created in the availability group are isolated across multiple physical hardware resources. If there is a problem with the physical
hardware running your web server or back-end VMs, you can be confident that the other instances of your web server and back-end VMs
will continue to run properly because they are on other hardware.
upvoted 1 times

  Armina 1 year, 1 month ago

Each virtual machine in the availability group is assigned to an update domain (UD) and an error domain (FD) of the underlying Azure
platform. For a specific availability group, five non-user-configurable update domains are assigned by default (Resource Manager
deployments can then be enlarged to provide up to 20 update domains) to identify the virtual machine groups and their physical
hardware elements that can be restarted at the same time. If more than five virtual machines are configured within an availability group,
the sixth virtual machine is stored in the same update domain as the first virtual machine, the seventh in the same update domain as the
second virtual machine, etc. During scheduled maintenance, the update domains may not be restarted in order, but only one update
domain will be restarted at a time. A newly started update domain waits 30 minutes before initiating maintenance for another update
domain.
upvoted 1 times

  Armina 1 year, 1 month ago

Moreover, Fault domains define the group of virtual machines that share a power source and a network switch. By default, the virtual
machines configured within your availability group are distributed over up to three error domains for Resource Manager deployments
(two error domains for classic deployments). Although availability groups cannot fully protect your application from operating system
or application failures itself, they reduce the impact of potential hardware failures, network failures or power interruptions.

The number of error domains for managed availability groups vary by region: two or three per region.
upvoted 1 times

  karrigen 1 year, 1 month ago

Another ridiculous question, how can we remember all the maximum number of fault domain for each region?
upvoted 9 times

  juniorccs 1 year, 1 month ago

agree with you
upvoted 3 times
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 167/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  Dobby25 1 year, 2 months ago

Received this on my exam today 19/03/2022
upvoted 3 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 168/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #64 Topic 4

A. Yes

B. No

Correct Answer: A
Alerts in Azure Monitor can identify important information in your Log Analytics repository. They are created by alert rules that automatically
run log searches at regular intervals, and if results of the log search match particular criteria, then an alert record is created and it can be
configured to perform an automated response.
The Log Analytics agent collects monitoring data from the guest operating system and workloads of virtual machines in Azure, other cloud
providers, and on- premises. It collects data into a Log Analytics workspace.
References:
https://docs.microsoft.com/en-us/azure/azure-monitor/learn/tutorial-response https://docs.microsoft.com/en-us/azure/azure-
monitor/platform/agents-overview

Community vote distribution

A (100%)

  odisor Highly Voted  1 year, 4 months ago

The answer is correct.
1. Log analytics agent - Install in VM.
2. Log analytics workspace - collect the log files from Log Analytics Agent.
3. Azure Monitor - Create alert based on logs read from Log Analytics Workspace.
upvoted 20 times

  ScoutP Highly Voted  1 year, 8 months ago

This question was asked on exam taken on Sept 30, 2021
upvoted 10 times

  Dat_doge Most Recent  3 months, 2 weeks ago

Selected Answer: A
correct
upvoted 1 times

  curtmcgirt 3 months, 3 weeks ago

did this question get reworded? all of the comments talk about "log analytics agent," but the question says to install "microsoft monitoring (scom)
agent". log analytics is being replaced by AZURE monitoring agent (not microsoft monitoring agent) in august 2024. are we all still sure 'microsoft
monitoring agent' is what needs to be installed here?
upvoted 1 times

  azaad_a 8 months, 1 week ago

Exam Question 08OCT2022
upvoted 5 times

  EmnCours 9 months, 1 week ago

Selected Answer: A
Correct Answer: A 🗳️
Alerts in Azure Monitor can identify important information in your Log Analytics repository. They are created by alert rules that automatically run
log searches at regular intervals, and if results of the log search match particular criteria, then an alert record is created and it can be configured to
perform an automated response.
The Log Analytics agent collects monitoring data from the guest operating system and workloads of virtual machines in Azure, other cloud
providers, and on- premises. It collects data into a Log Analytics workspace.
References:
https://docs.microsoft.com/en-us/azure/azure-monitor/learn/tutorial-response https://docs.microsoft.com/en-us/azure/azure-
monitor/platform/agents-overview
upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 169/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  EmnCours 9 months, 1 week ago

Correct Answer: A 🗳️
Alerts in Azure Monitor can identify important information in your Log Analytics repository. They are created by alert rules that automatically run
log searches at regular intervals, and if results of the log search match particular criteria, then an alert record is created and it can be configured to
perform an automated response.
The Log Analytics agent collects monitoring data from the guest operating system and workloads of virtual machines in Azure, other cloud
providers, and on- premises. It collects data into a Log Analytics workspace.
References:
https://docs.microsoft.com/en-us/azure/azure-monitor/learn/tutorial-response https://docs.microsoft.com/en-us/azure/azure-
monitor/platform/agents-overview
upvoted 1 times

  dasEnder 1 year, 1 month ago

Selected Answer: A
Correct.
upvoted 1 times

  ajayasa 1 year, 3 months ago

this question was there on 16/03/2022 with same question and passed with 900 percent
upvoted 2 times

  MentalG 1 year, 2 months ago

900 is a score not a percentage, but congrats on you passing mate :)
upvoted 3 times

  Pasmo 1 year, 3 months ago

Correct
upvoted 1 times

  pakman 1 year, 8 months ago

Correct.
upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 170/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #65 Topic 4

HOTSPOT -
You have an Azure subscription.
You deploy a virtual machine scale set that is configured as shown in the following exhibit.

Use the drop-down menus to select the answer choice that answers each question based on the information presented in the graphic

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 171/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

Reference:
https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-autoscale-portal

  shravan101 Highly Voted  1 year, 5 months ago

box-1 : 3
box-2: 1
upvoted 35 times

  mufflon 1 year, 4 months ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 172/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

why is it 1 on the second question, it decreases by 1 when CPU utilization goes below 25%, but there is no rule for when to count down again
and so on ? it only exist for the scale out rule.
upvoted 6 times

  xRiot007 2 weeks ago

The scale in rule applies each 10 minutes. it decreases VM count by 1, meaning -6 in 60 minutes. We can't have -1 VMs and we can't have 0
either, because the minimum is 1.
upvoted 1 times

  Mohd1899 4 months, 2 weeks ago

There must be duration otherwise it will not scale in properly ,
example , if it does not consider the duration for scale in , it will never go less than 4 vms
that's why I agree Box 2 should be 2 we should consider scale out duration for scale in too
upvoted 1 times

  Mohd1899 4 months, 2 weeks ago

sorry my typo mistake Box2 should be 1 scale in (-1) vm every 10 minutes.
upvoted 2 times

  Hyrydar 9 months, 1 week ago

I agree with you because it did not say when the duration for countdown starts..and by the way, the question states there are 5 instances to
start with. We must not assume what these questions are asking of us. go with the strict and stated meaning of the question. i say 3 for box1
and 4 for box2. please somebody correct if a am wrong.
upvoted 8 times

  buzzerboy 5 months, 1 week ago

wouldnt it scale in every 10 minutes and decrease count by 1 unit. From 10am to 11am there are 6 x 10 min slots. Each time it scales in, it
will bring the count down by 1 until it reaches minimum which is 1?
upvoted 1 times

  Hyrydar 9 months, 1 week ago

Mufflon, you did not say what your answer is.
upvoted 2 times

  JayLearn2022 Highly Voted  3 months, 3 weeks ago

Box-1 : 3
Initial starts 2 VM's 15 minutes have passed. at 10 minutes 1 VM was added we now have 3 VM's. Cool down is 5 Minutes before another 10
minute wait cycle starts so the answer is 3.

Box-2: 1
Initial 5 VM's 60 minutes Pass. 1 VM removed every 15 minute cycle. 10 minutes wait timer plus 5 minute cool down equals 15 minutes cycle. Four
15 minute cycles pass equaling 60 minutes removing 4 VM's. We have 1 VM left.

Default Scale in and Out Default Durations are 10 minutes with 5 minute cool down.

The default scale set settings in Azure are:

-Minimum number of instances 1
-Maximum number of instances 10
-Scale out CPU threshold (%) 75
-Duration in minutes10
-Number of instances to increase by 1
-Scale in CPU threshold (%) 25
-Number of instances to decrease by -1

https://learn.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-autoscale-portal#create-a-rule-to-automatically-
scale-in
upvoted 13 times

  kcanwi 2 months, 3 weeks ago

"1 VM removed every 15 minute cycle"

May I know how you got the value 15 mins?

upvoted 1 times

  mlooney 2 months, 1 week ago

"Default Scale in and Out Default Durations are 10 minutes with 5 minute cool down. "
upvoted 2 times

  Slimus 2 weeks, 4 days ago

I don't see 5 min cool down value anywhere. Is it a default value?
upvoted 2 times

  AzZnLuVaBoI Most Recent  2 months, 2 weeks ago

On the Exam 3/29/23.
upvoted 6 times

  Rams_84zO6n 2 months, 3 weeks ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 173/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

The autoscale job runs every 30 to 60 seconds, depending on the resource type. Until 9:10 AM, rules can't apply because granularity period not
reached. At 9:10 AM, count=3. It quickly jumps up every minute to max value in drop-down which is 5. Between 10-11 AM, the count starts
dropping from 5 to 1. So Box-1: 5, Box-2: 1
upvoted 3 times

  zellck 4 months ago

1. 3 (initial count for 2 + scale out 1)
2. 1 (scale in until min. 1 instance)
upvoted 1 times

  kameltz 5 months ago

Answers are box-1 : 3 and box-2: 1
for the second choice without any countdown duration, the default is 10 mins, so it will reach the minimum of VM.
upvoted 1 times

  Rizwannazirabbasi 6 months, 3 weeks ago

this is correct only .. at 10 am now VMs are it checks every ten minutes ..
utilization is down to 15 percent for 1 hour .. so it will be one for box no 2
upvoted 1 times

  Liriano 7 months, 2 weeks ago

In exam today, go with highly voted
upvoted 2 times

  majerly 8 months, 2 weeks ago

today in exam, box-1 : 3
box-2: 1
upvoted 7 times

  Bobby1977 9 months, 1 week ago

B1: 3 B2:4
upvoted 9 times

  herodes 3 months, 3 weeks ago

this is incorrect as it drops one VM per 15mins. Even though its start on 5VMs after 60 minutes it drops to 1VM. 60/15=4. 5-4=1
upvoted 1 times

  ZacAz104 9 months, 1 week ago

minimum VMs are 2 after 15 minutes 2 other should be added so it will be 4 i dont know why it says 3????!!!
upvoted 1 times

  Pieman125 9 months, 1 week ago

Because it scales up by one after 10 minutes. So after 10 minutes 1 is added, but it won't add another for another 10 minutes and only 5 more
minutes have passed, so the answer is 3.
upvoted 4 times

  EmnCours 9 months, 1 week ago

box-1 : 3
box-2: 1
upvoted 1 times

  MentalG 1 year, 1 month ago

Why is the second box not 3 aswell?
It starts with 5 instances at 10:00AM
10:25: After 25 minutes, it decreases by 1. =4
10:50: After 25 minutes, it decreases by 1. =3
10:50 - 11 - Not enough time to decrease again.

Can someone correct me on this?

upvoted 1 times

  MentalG 1 year, 1 month ago

My mistake, there is no duration in minutes for the scale in.
upvoted 3 times

  benvdw 1 year, 3 months ago

on exam 13/3/2022
upvoted 3 times

  InvisibleShadow 1 year, 3 months ago

This question came in the exam today 8/Mar/2022.
I passed the exam, 95% questions came from here.
upvoted 5 times

  Nichols 1 year, 4 months ago

Impossible to answer box-2, because we don't know the duration and cool down for scale in...

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 174/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 4 times

  webfunky 1 year, 3 months ago

The answer for box-2 is 1. After creating a scale set, go the the resource, click Scaling under Settings and open the scale in rule. You will find
Duration(minutes) is defaulted to 5. I tested this scenario just to check the default duration because at the time of creating the VMSS on the
portal you don't get an option to choose duration for Scal in.
upvoted 17 times

  HananS 1 year, 5 months ago

It says it is for 15 minute so the minimum is 1 and add one after 10 minute then it is 2
The answer is
box-1 : 2
box-2: 1
upvoted 3 times

  cjAzure 1 year, 5 months ago

I think you are mistaking the initial instance count (which is 2) as the minimum (which is the number of VMs to add when the threshold is
crossed).
upvoted 8 times

  slsl 1 year, 5 months ago

Agree, since it says that the scale set starts at 9:00, it means it starts with 2 instances.
upvoted 5 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 175/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #66 Topic 4

You have web apps in the West US, Central US and East US Azure regions.
You have the App Service plans shown in the following table.

You plan to create an additional App Service plan named ASP5 that will use the Linux operating system.
You need to identify in which of the currently used locations you can deploy ASP5.
What should you recommend?

A. West US, Central US, or East US

B. Central US only

C. East US only

D. West US only

Correct Answer: A
Reference:
https://docs.microsoft.com/en-us/azure/app-service/app-service-plan-manage

Community vote distribution

A (91%) 5%

  Snownoodles Highly Voted  1 year, 5 months ago

Hi guys:
What does this question want to test?
I couldn't get the point.
upvoted 25 times

  Spooky7 2 months, 1 week ago

There used to be a limitation in which you couldn't have Windows and Linux AppService Plan in the same RESOURCE GROUP. So most likely this
question is referencing that.
upvoted 2 times

  renzoku 9 months ago

it's a trap
upvoted 6 times

  Hyrydar 8 months ago

No. It is a dumb question..pointless.
upvoted 9 times

  Asymptote 7 months, 1 week ago

questions like this are intend to test the candidates and see how many they can fail and re-take the exam.
upvoted 15 times

  JohnCox 1 year, 5 months ago

I might be missing something but it seems to be an absolutely pointless question
upvoted 13 times

  JESUSBB Highly Voted  1 year, 6 months ago

In the exam today 11-DEC-2021.
Ans: A. West US, Central US, or East US
upvoted 23 times

  LeomHD 1 year, 5 months ago

how do you know?
upvoted 3 times

  AZ_Guru_Wannabe 1 year, 4 months ago

He took the exam, that's how he knows that question was in his exam

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 176/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 40 times
  Anthony053 8 months, 2 weeks ago
because web apps are in the West US, Central US and East US Azure regions.
upvoted 1 times

  Andreas_Czech Most Recent  1 day, 20 hours ago

Selected Answer: A
Service Plan Limits:
https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/azure-subscription-service-limits#app-service-limits
we have Standard and Premium Plans -> unlimited Plans per Region
upvoted 1 times

  dennysheng 1 month, 3 weeks ago

But since you have a Windows based App service plan on West US, how can a Linux app be deployed on that plan?
upvoted 1 times

  cloudbaron 1 month ago

I think they key lies here - "in which of the currently used ****locations***"
upvoted 1 times

  JayLearn2022 3 months, 3 weeks ago

The Answer is : A

This question is asking in which regional locations can a APP service plan be deployed to. It tells you it will be a Linux Plan to throw you off and
make you wonder if it matters. Which is does not.

Then it asks what should you recommend to make you think you are supposed to choose. The fact is you can recommend any region.

An APP service plan can be deployed in any region and multiple APP service plans can be deployed in a region.

The Plan type you choose depends on the APP's your going to deploy and whether the programing language can be run on Linux or Windows.

https://learn.microsoft.com/en-us/azure/app-service/overview-hosting-plans
upvoted 6 times

  zellck 4 months ago

Selected Answer: A
A is the answer.
upvoted 1 times

  CloudVillain 5 months ago

Selected Answer: D
How can you create a single ASP5 in multiple locations in the same time? surely it's West US since it's missing a Linux App service plan!!
upvoted 1 times

  RougePotatoe 3 months, 3 weeks ago

Consider the following. You have extra chromosomes Y or Y?
upvoted 3 times

  Bigc0ck 5 months, 1 week ago

Selected Answer: A
definitly on the test
upvoted 2 times

  Max_on_neptune 6 months, 1 week ago

Exam Question 01DEC22
upvoted 5 times

  rqFamily 6 months, 1 week ago

hello i planning to take the soon, are most of the question are similar to the one from this sample exam thanks
upvoted 1 times

  ALEX_PARIS 6 months, 2 weeks ago

For me the good answer is D because you already have Linux plan for Central and West US. If you want to spread your app workload across regions
for reduce latency, you actually miss a Linux plan in West US. After creating West US APP plan, you will be able to host app instances in all 3
regions.
upvoted 3 times

  SuganthM 6 months ago

We can host multiple apps in APP plan. They why create and pay for the same region again, its not cost effective, create in West US. Answer D
upvoted 2 times

  klexams 7 months, 2 weeks ago

A - just a trick question. you can deploy app svc plan in any locations.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 177/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 4 times

  GBAU 4 months ago

Yes, but the question is "What should you recommend?". You already have Linux App service plan in the other regions so you should
'recommend' West US as you can just use the Linux AS in the other regions. Having said that they have 2 ASPs in East US, so they clearly don't
care about having multiple....
Very poorly worded question
upvoted 1 times

  azaad_a 8 months, 1 week ago

Exam Question 08OCT22
upvoted 2 times

  whitezik 9 months ago

An App service plan could be any of the regions mentioned, if it was just the deploying the App based on the required OS then it could be
streamlined to the OS+region..so A makes sense
upvoted 2 times

  BD1988 9 months ago

This question is little tricky as it is asking where to deploy a new App Service Plan that will be based on Linux. It can be deployed anywhere and
whatever is mentioned in the table has no impact on new APPSERVICE PLAN. If it were an app to be deployed out of the 4 app service plans then
we would have to analyze the table data.
upvoted 6 times

  favela 9 months, 1 week ago

Yes it is answer A in my exam I choose east us only what mistake but anyways I passed with 900 score
upvoted 4 times

  EmnCours 9 months, 1 week ago

Selected Answer: A
Correct Answer: A
upvoted 1 times

  Mayurchati 9 months, 1 week ago

Team it is an application (ASP5) that runs on both windows and linux, that is why it can work across regions. ASP.net 4 does not work on linux
however ASP.Net Core works on windows and linux.
upvoted 1 times

  klexams 8 months, 1 week ago

ASP in here = App Service Plan. Not ASP.net you mentioned.
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 178/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #67 Topic 4

A. the New-AzConfigurationAssignment cmdlet

B. a Desired State Configuration (DSC) extension

C. Azure Active Directory (Azure AD) Application Proxy

D. Azure Application Insights

Correct Answer: B
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/dsc-overview

Community vote distribution

B (100%)

  reddragondms Highly Voted  1 year, 5 months ago

Correct Answer: B

  olsenOnS Highly Voted  1 year, 6 months ago

B. a Desired State Configuration (DSC) extension
upvoted 11 times

  fuchsm999 Most Recent  3 months, 1 week ago

Selected Answer: B
B is correct
upvoted 2 times

  vbohr899 3 months, 2 weeks ago

Cleared Exam today 26 Feb, This question was there in exam.
upvoted 2 times

  zellck 4 months, 1 week ago

Selected Answer: B
B is the answer.

https://learn.microsoft.com/en-us/azure/virtual-machines/extensions/dsc-template
upvoted 2 times

  omgMerrick 4 months, 1 week ago

Selected Answer: B
Answer is correct: B. a Desired State Configuration (DSC) extension

A Desired State Configuration (DSC) extension is a way to configure virtual machines in Azure using PowerShell DSC. You can use a DSC extension
to automate the installation of NGINX on the virtual machines in your scale set as part of the deployment process. This will ensure that NGINX is
available on all virtual machines after they are deployed, and it will also help you maintain consistency in your configuration. To use a DSC
extension, you would include the configuration in your Azure Resource Manager template and specify the extension in the deployment process.
upvoted 1 times

  meeko86 6 months ago

Selected Answer: B
Correct Answer: B
Azure virtual machine extensions are small packages that run post-deployment configuration and automation on Azure virtual machines. In the
following example, the Azure CLI is used to deploy a custom script extension to an existing virtual machine, which installs a Nginx webserver.
az vm extension set \
--resource-group myResourceGroup \
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 179/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

--vm-name myVM --name customScript \

--publisher Microsoft.Azure.Extensions \
--settings '{"commandToExecute": "apt-get install -y nginx"}
upvoted 1 times
  EmnCours 9 months, 1 week ago
Selected Answer: B
Correct Answer: B
upvoted 1 times

  InvisibleShadow 1 year, 3 months ago

This question came in the exam today 8/Mar/2022.
I passed the exam, 95% questions came from here.
upvoted 5 times

  Empel 1 year, 4 months ago

Question 59 was the same, is repeated. Desired State Configuration (DSC) extension by the way
upvoted 6 times

  JIGT 1 year, 5 months ago

Publish-AzVMDscConfiguration
upvoted 1 times

  blockhead72 1 year, 5 months ago

Correct. B.
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 180/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #68 Topic 4

HOTSPOT -
You have an Azure subscription that contains the resources shown in the following table.

In Azure Cloud Shell, you need to create a virtual machine by using an Azure Resource Manager (ARM) template.
How should you complete the command? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

Reference:
https://docs.microsoft.com/en-us/powershell/module/az.resources/new-azresourcegroupdeployment?view=azps-6.6.0

  ninjia Highly Voted  1 year, 5 months ago

Box 1: New-AzResourceGroupDeployment. This cmdlet allows you to use a custom ARM template file to deploy resources to a resource group. For
example:

New-AzResourceGroup -Name $resourceGroupName -Location "$location"

New-AzResourceGroupDeployment `
-ResourceGroupName $resourceGroupName `
-TemplateUri "https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/quickstarts/microsoft.compute/vm-simple-
windows/azuredeploy.json" `
-adminUsername $adminUsername `
-adminPassword $adminPassword `
-dnsLabelPrefix $dnsLabelPrefix

Box 2: -ResourceGroupName RG1. It’s one of parameters of New-AzResourceGroupDeployment to specify to which resource group you want to
deploy resources.

You could use New-AzVm to create a VM, but it doesn’t use a template. You would need to provide all parameters in the command line.

Reference: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/ps-template
https://docs.microsoft.com/en-us/powershell/module/az.compute/new-azvm?view=azps-7.0.0
upvoted 51 times

  sid132 Highly Voted  1 year, 3 months ago

On the exam today, 4.March.2022
upvoted 14 times

  zellck Most Recent  4 months, 1 week ago

1. New-AzResourceGroupDeployment
2. -ResourceGroupName RG1

https://learn.microsoft.com/en-us/powershell/module/az.resources/new-azresourcegroupdeployment
upvoted 4 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 181/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  husam421 1 year, 4 months ago

New-AzResourceGroupDeployment -ResourceGroupName myResourceGroup -TemplateFile

New-AzResourceGroupDeployment `
-Name ExampleDeployment `
-ResourceGroupName RG1 `
-TemplateFile

Answer is correct
upvoted 3 times

  MaximKotov 1 year, 5 months ago

The answer is correct! Don't take the command name literally. It's using for custom template deployment. We specify the name of an existing
group and the path to the template.
upvoted 1 times

  S3ktar 1 year, 5 months ago

The resource group is already created as per the question. It is asking for the command to deploy a vm, thus the answer is "New-AZvm".....second
part "-ResourceGroupName RG1"
upvoted 1 times

  MrBlueSky 1 year, 5 months ago

No. The fact that this is a VM is already specified in the ARM template. We only need to give it a command to deploy into a resource group, and
then specify which resource group.
upvoted 4 times

  adrian_borowski 1 year, 5 months ago

Lab thing guys before posting! You are wrong. New-AzVm does NOT accept argument TemplateUri
upvoted 6 times

  Yaydel 1 year, 6 months ago

Answer is correct.

https://docs.microsoft.com/ko-kr/powershell/module/az.resources/new-azresourcegroupdeployment?view=azps-0.10.0
upvoted 3 times

  hanahjane13 1 year, 6 months ago

New-AzVm `
-ResourceGroupName "myResourceGroup" `
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/quick-create-powershell
upvoted 1 times

  adrian_borowski 1 year, 5 months ago

You are wrong. New-AzVm does NOT accept argument TemplateUri
upvoted 3 times

  olsenOnS 1 year, 6 months ago

I think the answer is correct.

$resourceGroupName = Read-Host -Prompt "Enter the Resource Group name"

$location = Read-Host -Prompt "Enter the location (i.e. centralus)"
$adminUsername = Read-Host -Prompt "Enter the administrator username"
$adminPassword = Read-Host -Prompt "Enter the administrator password" -AsSecureString
$dnsLabelPrefix = Read-Host -Prompt "Enter an unique DNS name for the public IP"

New-AzResourceGroup -Name $resourceGroupName -Location "$location"

______________________________________________
New-AzResourceGroupDeployment `
-ResourceGroupName $resourceGroupName `
-TemplateUri "https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/quickstarts/microsoft.compute/vm-simple-
windows/azuredeploy.json" `
-adminUsername $adminUsername `
-adminPassword $adminPassword `
-dnsLabelPrefix $dnsLabelPrefix
-------------------------------------------------------------------------------

(Get-AzVm -ResourceGroupName $resourceGroupName).name

upvoted 7 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 182/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #69 Topic 4

A. Yes

B. No

Correct Answer: B
To deploy a YAML file, the command is:
kubectl apply -f <file_name>.yaml
Reference:
https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough

Community vote distribution

B (100%)

  j5y Highly Voted  1 year, 11 months ago

Answer: NO

To deploy a YAML file, the command is:

kubectl apply -f example.yaml

Src: https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough
upvoted 33 times

  Acai 1 year, 10 months ago

yep yep yep
upvoted 1 times

  melatocaroca 1 year, 8 months ago

https://docs.microsoft.com/en-us/azure/aks/concepts-clusters-workloads#deployments-and-yaml-manifests
upvoted 1 times

  achmadirvanp Highly Voted  1 year, 11 months ago

Answer is correct, Appear On Exam July 1 2021
upvoted 9 times

  JayLearn2022 Most Recent  3 months, 4 weeks ago

There are several versions of this question. The following are the correct and incorrect answers that can be presented.

Correct Answer: Meets the goal.

-Solution: From Azure Cloud Shell, you run the kubectl client.

Incorrect Answers: Does not meet the goal.

-Solution: From Azure Cloud Shell, you run az aks.

-Solution: From Azure CLI, you run azcopy

upvoted 2 times

  zellck 4 months, 1 week ago

Selected Answer: B
B is the answer.

https://learn.microsoft.com/en-us/azure/aks/concepts-clusters-workloads#deployments-and-yaml-manifests
Deployments are typically created and managed with kubectl create or kubectl apply. Create a deployment by defining a manifest file in the YAML
format.
upvoted 1 times

  spaceman12 4 months, 1 week ago

Besides the comments w/ answers here is a short summary I found useful from chatgpt:

az aks is a command-line interface (CLI) tool provided by Microsoft Azure to manage and deploy Kubernetes clusters on Azure, while kubectl is the
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 183/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

command-line tool for interacting with a Kubernetes cluster.

The main difference between the two is the scope of their functionality:

- az aks is focused on provisioning and managing AKS clusters, including creating and scaling the cluster, managing authentication and network
configurations, and upgrading the cluster.

- kubectl is focused on interacting with and managing the components running within a Kubernetes cluster, such as deploying and managing
applications, inspecting cluster state, and troubleshooting issues.

Both tools can be used together to effectively manage an AKS cluster, with az aks being used for cluster-level tasks and kubectl for workload-level
tasks.
upvoted 3 times
  ChakaZilly 4 months, 2 weeks ago
Yes: This is really a trick question, as Mangicurry points out you can embed kubectl-command in "az aks": az aks command invoke \
--resource-group myResourceGroup \
--name myAKSCluster \
--command "kubectl apply -f deployment.yaml -n default" \
--file deployment.yaml
upvoted 1 times

  Mangocurry 5 months ago

Well, technically you can do this with az aks command invoke so this is a bad question imo :( https://learn.microsoft.com/en-
us/azure/aks/command-invoke
upvoted 1 times

  EmnCours 9 months, 1 week ago

Selected Answer: B
Answer: NO
upvoted 1 times

  AubinBakana 1 year, 9 months ago

az aks? even if you didn't know the answer you gotta know this is wrong :)
upvoted 4 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 184/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #70 Topic 4

A. Yes

B. No

Correct Answer: B
You must install the Microsoft Monitoring Agent on VM1, and not the Microsoft Monitoring Agent VM extension.
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/agents-overview

Community vote distribution

B (86%) 14%

  mlantonis Highly Voted  2 years ago

Correct Answer:

You add the Microsoft Monitoring Agent VM extension to VM1 > This is WRONG
You Install the Microsoft Monitoring Agent VM agent to VM1 > This is Correct

1. Log analytics agent - Install in VM.

2. Log analytics workspace - collect the log files from Log Analytics Agent.
3. Azure Monitor - Create alert based on logs read from Log Analytics Workspace.

Reference:

https://docs.microsoft.com/en-us/azure/azure-monitor/platform/agents-overview
upvoted 116 times

  Goofer 2 months, 2 weeks ago

In 2023 you can add Microsoft Monitoring Agent VM extension to VM1

See: https://learn.microsoft.com/en-us/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal
upvoted 2 times

  magichappens 1 year, 2 months ago

That linked article from @mlantonis actually mentions that [...the Azure Monitor agent is meant to replace the Log Analytics agent, Azure
Diagnostic extension and Telegraf agent for both Windows and Linux machines...] and [...The Azure Monitor agent is only available as a virtual
machine extension...] so guess nowadays it would be rather "yes"?
upvoted 8 times

  klasbeatz 8 months, 1 week ago

Agreed

Virtual machines, scale sets Virtual machine extension Installs the agent by using Azure extension framework.

https://learn.microsoft.com/en-us/azure/azure-monitor/agents/agents-overview
upvoted 2 times

  Lapiduse Highly Voted  2 years, 5 months ago

I think the Answer should be - Yes.
You need to click the Add button on Portal-> Settings-> Extensions to Install the Extension on VM.
Azure Monitor currently has multiple agents because of recent consolidation of Azure Monitor and Log Analytics. The Azure Monitor Agent is
implemented as an Azure VM extension.
Windows/Linux name: Microsoft.Azure.Monitor
Windows type: AzureMonitorWindowsAgent
Linix type: AzureMonitorLinuxAgent
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/azure-monitor-agent-install?
tabs=ARMAgentPowerShell%2CPowerShellWindows%2CPowerShellWindowsArc%2CCLIWindows%2CCLIWindowsArc

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 185/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 32 times

  klexams 8 months, 1 week ago

The question is about MMA (microsoft monitoring agent) which is the legacy agent which needs to be installed on the VM.
upvoted 1 times

  YooOY 1 year, 8 months ago

The Azure Monitor agent is only available as a virtual machine extension. The Log Analytics extension for Windows and Linux install the Log
Analytics agent on Azure virtual machines. The Azure Monitor Dependency extension for Windows and Linux install the Dependency agent on
Azure virtual machines. These are the same agents described above but allow you to manage them through virtual machine extensions. You
should use extensions to install and manage the agents whenever possible.

https://docs.microsoft.com/en-us/azure/azure-monitor/agents/agents-overview#virtual-machine-extensions
upvoted 2 times

  YooOY 1 year, 8 months ago

so add extension does not mean the agent is installed, agent can still be missing.
upvoted 2 times

  spaceman12 4 months, 1 week ago

Not quite, it seems that installing the extension will also automatically install the agernt. See table where it says Agent Installed: Azure
Monitor Agent

Reference docs here:

https://learn.microsoft.com/en-us/azure/azure-monitor/agents/azure-monitor-agent-windows-client
upvoted 1 times

  QiangQiang 2 years, 4 months ago

agreed, should be yes
upvoted 3 times

  Muffay Most Recent  5 months, 1 week ago

Selected Answer: B
After some reasearch now I understand why it should be B:
https://learn.microsoft.com/en-us/azure/virtual-machines/extensions/features-linux?tabs=azure-cli#use-cases-and-samples

Note that the Monitoring extension is for *LINUX*, not for Windows.

I hope this question is replaced with a new one, as Azure Monitor Agent should replace the previous Microsoft Monitoring Agent, and then it
would be this extension:
https://learn.microsoft.com/en-us/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal#virtual-machine-extension-
details
upvoted 1 times

  EmnCours 9 months, 1 week ago

Selected Answer: B
Correct Answer: B
upvoted 2 times

  atilla 10 months ago

event should be logged to the System event log on the VM.. it says not that Log Analytics workspace should be used
upvoted 1 times

  sayedd 10 months, 3 weeks ago

So many errors in examtopics dumps and the support team is doing nothing..
What is the difference between this question and question next to this that is question 2 ??
upvoted 1 times

  lebowski 9 months, 1 week ago

This question: "You add the Microsoft Monitoring Agent VM extension to VM1"
Next question: "You install the Microsoft Monitoring Agent VM extension to VM1"
upvoted 2 times

  garmatey 2 weeks ago

next question isnt an extension
upvoted 1 times

  Jay1111 10 months, 3 weeks ago

Should be No. It talks about Microsoft Monitoring agent(MMA) and not Azure Monitor agent and MMA is not available as an extension but only as
installable.

https://docs.microsoft.com/en-us/services-hub/health/mma-setup
upvoted 1 times

  Dileep75 11 months, 1 week ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 186/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

I would go with yes. I dont think we have to worry about add and install.. for me both looks same.
upvoted 1 times

  Dileep75 11 months, 1 week ago

this is funny .. the next question , they are back with install word . :( . If it comes in exam , i will go with No.
upvoted 1 times

  ThatDowntownSmell 12 months ago

The key here ultimately is that there are two versions of this same question. Only one is going to be "yes", they aren't going to slightly word two
test questions differently and both come out as "yes". So "no" if it says add, "yes" if it says install.
upvoted 4 times

  manalshowaei 1 year ago

Selected Answer: B
B. NoB. No
upvoted 1 times

  manalshowaei 1 year ago

Selected Answer: B
B. No correct
upvoted 1 times

  Scoobysnaks86 1 year ago

add vs install??? really? In a field that we often use the two words interchangeably, THIS is the trick question they decided to ask. ffs
upvoted 5 times

  Def21 1 year ago

This is confusing. Azure Monitor agent is a replacement to old ones
"Eventually, the Azure Monitor agent will replace the following legacy monitoring agents that are currently used by Azure Monitor."
https://docs.microsoft.com/en-us/azure/azure-monitor/agents/azure-monitor-agent-overview

It is an extension which is "installed"

"The Azure Monitor agent is implemented as an Azure VM extension with the details in the following table. It can be installed using any of the
methods to install virtual machine extensions including those described in this article."
https://docs.microsoft.com/en-us/azure/azure-monitor/agents/azure-monitor-agent-manage
upvoted 1 times

  michaelmorar 1 year, 1 month ago

Selected Answer: B
Latest reading of this relates option B to 'Microsoft Monitoring Agent VM extension' which is wrong. So B is the correct answer
upvoted 1 times

  sjb666 1 year, 1 month ago

Selected Answer: A
A. It's not often I'm in disagreement with mlantonis but the docs talk about an extension and having just set this up in the lab, from the LAW, it
refers to installation of the 'extension'.
upvoted 1 times

  sjb666 1 year, 1 month ago

Sorry, I've changed my mind. I do however think this is an evil question and can be read two ways. 'Install log Analytics Agent' seems a little
more generic but prob right.
upvoted 2 times

  kakakayayaya 1 year, 2 months ago

You can add MMA agent
1) manual installation
2) extension
2.1) auto provisioning
2.2) policy (deploy)
2.3) manually from LAW
2.4) ARM
2.5) Powershell

So answer sould be Yes.

upvoted 1 times

  ajayasa 1 year, 3 months ago

this question was there on 16/03/2022 with same question and passed with 900 percent
upvoted 2 times

  kennynelcon 1 year, 1 month ago

Please what is the right answer ?
upvoted 1 times

  kennynelcon 1 year, 1 month ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 187/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

From next question and mlantonis answer, the right answer is B (NO)
upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 188/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #71 Topic 4

A. Yes

B. No

Correct Answer: A
Alerts in Azure Monitor can identify important information in your Log Analytics repository. They are created by alert rules that automatically
run log searches at regular intervals, and if results of the log search match particular criteria, then an alert record is created and it can be
configured to perform an automated response.
The Log Analytics agent collects monitoring data from the guest operating system and workloads of virtual machines in Azure, other cloud
providers, and on- premises. It collects data into a Log Analytics workspace.
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/learn/tutorial-response https://docs.microsoft.com/en-us/azure/azure-
monitor/platform/agents-overview

Community vote distribution

A (100%)

  mlantonis Highly Voted  2 years ago

Correct Answer: A - Yes

You add the Microsoft Monitoring Agent VM extension to VM1 > This is WRONG
You Install the Microsoft Monitoring Agent VM agent to VM1 > This is Correct

1. Log analytics agent - Install in VM.

2. Log analytics workspace - collect the log files from Log Analytics Agent.
3. Azure Monitor - Create alert based on logs read from Log Analytics Workspace.

Reference:

https://docs.microsoft.com/en-us/azure/azure-monitor/learn/tutorial-response
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/agents-overview
upvoted 70 times

  xRiot007 1 week, 6 days ago

I really think this question is one of those like 'can't see the forest from the trees'. "Adding" can mean any number of things, from selecting from
a list, uploading something or installing something. They should rephrase this to a clearer form or remove it altogether.
upvoted 1 times

  Panapi 3 months, 3 weeks ago

Answer valid! This question was on the exam 22/02/2023. Scored 920. Thanks guys!
upvoted 4 times

  JohnAvlakiotis Highly Voted  2 years, 6 months ago

I mean what's the difference with the above? The words "add" versus "install"? That would be ridiculous...
upvoted 34 times

  JohnnyChimpo 4 months, 3 weeks ago

Agent is installed directly in the host. Extension is added in the Azure portal
upvoted 2 times

  JohnAvlakiotis 2 years, 6 months ago

I saw the difference in the extension name. Anyway, it's correct.
upvoted 9 times

  Magis 8 months, 2 weeks ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 189/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

In my opinion both are correct as when you add extension it installs agent in a background anyway.
upvoted 1 times

  QiangQiang 2 years, 4 months ago

it's still ridiculous
upvoted 7 times

  j777 1 year, 4 months ago

I know it's over year since you answered, but if you look at both one said agent VM extension and the other just said agent.
upvoted 3 times

  AubinBakana 1 year, 9 months ago

Microsoft tries not to have everything installed for memory, storage, and performance. Installing and adding are 2 different things. This question
is important because if you're in a work environment and try to add and it's not there, you might not know what to do unless you know that the
extension need to be installed first, before it appears

It's not a trick.

upvoted 3 times

  JayLearn2022 Most Recent  3 months, 4 weeks ago

There are several different versions of this question. The following are the correct and incorrect solutions you might encounter.

Correct Solution:
-Solution: You create an Azure Log Analytics workspace and configure the data settings. You install the Microsoft Monitoring Agent on VM1. You
create an alert in Azure Monitor and specify the Log Analytics workspace as the source.

Incorrect Solutions:
-Solution: You create an Azure storage account and configure shared access signatures (SASs). You install the Microsoft Monitoring Agent on VM1.
You create an alert in Azure Monitor and specify the storage account as the source.

-Solution: You create an event subscription on VM1. You create an alert in Azure Monitor and specify VM1 as the source.
upvoted 1 times

  EmnCours 9 months, 1 week ago

Selected Answer: A
Correct Answer: A
upvoted 1 times

  manalshowaei 1 year ago

Selected Answer: A
A. Yes A. Yes
upvoted 2 times

  manalshowaei 1 year ago

Selected Answer: A
A. Yes
upvoted 2 times

  watermeloner 1 year, 1 month ago

should we use VM insight nowadays
?
upvoted 1 times

  josevirtual 1 year, 2 months ago

Selected Answer: A
A - Yes is correct
upvoted 2 times

  ajayasa 1 year, 3 months ago

this question was there on 16/03/2022 with same question and passed with 900 percent
upvoted 2 times

  pappkarcsiii 1 year, 4 months ago

You add the Microsoft Monitoring Agent VM extension to VM1 > This is WRONG
You Install the Microsoft Monitoring Agent VM agent to VM1 > This is Correct
upvoted 2 times

  JESUSBB 1 year, 6 months ago

In exam today 11-DEC-2021 Ans: Yes
upvoted 3 times

  ohana 1 year, 8 months ago

Took the exam today on 17 Oct. This question came out. Ans: Yes
upvoted 4 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 190/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  orion1024 1 year, 8 months ago

I'm confused. As per https://docs.microsoft.com/en-us/azure/azure-monitor/agents/agents-overview

"The Azure Monitor agent is only available as a virtual machine extension."

So it should be B right ? Or does Microsoft considers that adding an extension is the same as installing the agent ? They shouldn't since they clearly
differentiate between this question and the previous one.
upvoted 2 times

  AubinBakana 1 year, 9 months ago

Answer is correct.

Microsoft tries not to have everything installed for memory, storage, and performance. Installing and adding are 2 different things. This question is
important because if you're in a work environment and try to add and it's not there, you might not know what to do unless you know that the
extension need to be installed first before it appears

It's not a trick.

upvoted 1 times

  AubinBakana 1 year, 9 months ago

If you got the previous answer wrong, you definitely have a chance to get this one right because this question brings to your attention that the
extension is to be installed first.

Answer is correct
upvoted 1 times

  Jotess 1 year, 10 months ago

This question was on Jul 23, 2021 - passed the exam. Answers given by fedztedz and mlantonis are correct. Correct answer is Yes
upvoted 3 times

  mkoprivnj 2 years ago

A is correct!
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 191/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #72 Topic 4

You have an Azure subscription that contains the resources shown in the following table.

All virtual machines run Windows Server 2016.

On VM1, you back up a folder named Folder1 as shown in the following exhibit.

You plan to restore the backup to a different virtual machine.

You need to restore the backup to VM2.
What should you do first?

A. From VM1, install the Windows Server Backup feature.

B. From VM2, install the Microsoft Azure Recovery Services Agent.

C. From VM1, install the Microsoft Azure Recovery Services Agent.

D. From VM2, install the Windows Server Backup feature.

Correct Answer: B
Reference:
https://docs.microsoft.com/en-us/azure/backup/backup-azure-restore-windows-server

Community vote distribution

B (90%) 10%

  Asymptote Highly Voted  7 months, 1 week ago

Microsoft Azure Recovery Services Agent also known as MARS or Azure Backup Agent can be used to restore data for entire volume or just
individual folders and files.

reference:
https://learn.microsoft.com/en-us/azure/backup/restore-all-files-volume-mars
upvoted 8 times

  Kem81 Highly Voted  8 months, 4 weeks ago

A bit confused on this question. From my understanding, I thought RSV could only backup from resources located in the same region? VM2 is in a
different region here.
upvoted 6 times

  madao322 2 months, 3 weeks ago

MARS Agent can recover data without region restriction and that is why it exists on top of the normal RSV. correct me if i am wrong :)
upvoted 1 times

  JoshuaAlkar 5 months, 3 weeks ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 192/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

this is what I thought too

upvoted 1 times

  vinsom Most Recent  1 month, 2 weeks ago

Question looks dubious. Azure docs states 'The new VM must be created in the same region as the source VM'
Reference: https://learn.microsoft.com/en-us/azure/backup/backup-azure-arm-restore-vms
upvoted 1 times

  zellck 4 months, 1 week ago

Selected Answer: B
B is the answer.

https://learn.microsoft.com/en-us/azure/backup/backup-azure-about-mars#recovery-scenarios
upvoted 1 times

  BShelat 5 months, 2 weeks ago

I am puzzled. Even though installing MARS agent on VM2 how can we restore VM1 's backup on VM2? VM1 and RSV are sitting in EAST US and
VM2 is sitting west US. My understanding is that one can restore in the same region only. Let me know how my understanding is wrong.
upvoted 1 times

  vinsom 1 month, 2 weeks ago

Perfectly right. Azure docs states 'The new VM must be created in the same region as the source VM'
Reference: https://learn.microsoft.com/en-us/azure/backup/backup-azure-arm-restore-vms
upvoted 1 times

  UK7 5 months, 3 weeks ago

Selected Answer: B
Came on 21st Dec 2022 (score 930)
Answer B
upvoted 3 times

  awssecuritynewbie 8 months, 4 weeks ago

I thought it was Windows backup and recovery the image shown in the question so i would say D
upvoted 1 times

  klexams 8 months, 1 week ago

no. the screenshot is from MARS agent. So it's B.
upvoted 2 times

  Burnie 9 months ago

Tested in lab: B
upvoted 2 times

  NassimB 9 months, 1 week ago

Selected Answer: B
you recover from the target
upvoted 2 times

  Lu5ck 9 months, 1 week ago

Selected Answer: C
nope, i think it's C because there is no Indication that VM1 is already backing up to the vault. What we see here is the local window server backup
features.
upvoted 1 times

  EmnCours 9 months, 1 week ago

Selected Answer: B
B. From VM2, install the Microsoft Azure Recovery Services Agent.
upvoted 2 times

  virgilpza 9 months, 1 week ago

Selected Answer: B
correct ans: B
upvoted 1 times

  WISSYWISE 9 months, 2 weeks ago

The answer is correct:B
upvoted 1 times

  Jenny2021 1 year, 8 months ago

The answer is correct
upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 193/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #73 Topic 4

HOTSPOT -
You have an Azure subscription.
You need to use an Azure Resource Manager (ARM) template to create a virtual machine that will have multiple data disks.
How should you complete the template? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 194/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Correct Answer:

  ppp131176 Highly Voted  1 year, 11 months ago

Is correct: https://docs.microsoft.com/nl-nl/azure/azure-resource-manager/templates/copy-properties
upvoted 35 times

  chaudha4 1 year, 10 months ago

https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/copy-properties
upvoted 11 times

  Asymptote 7 months, 1 week ago

Hi....Aanmelden
upvoted 1 times

  achmadirvanp Highly Voted  1 year, 11 months ago

Answer is correct, Appear On Exam July 1 2021
upvoted 19 times

  VVR141 1 year, 11 months ago

came across any LABS ?
upvoted 3 times

  zellck Most Recent  4 months, 1 week ago

1. copy
2. copyIndex

https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/copy-properties#syntax
Add the copy element to the resources section of your template to set the number of items for a property. The copy element has the following
general format:
- The count property specifies the number of iterations you want for the property

https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/copy-properties#property-iteration
Use the length function on the array to specify the count for iterations, and copyIndex to retrieve the current index in the array.
upvoted 6 times

  klexams 7 months, 2 weeks ago

i didnt know. but yeah copy - copyindex
By adding copy loop to the properties section of a resource in your template, you can dynamically set the number of items for a property during
deployment
and copyIndex to retrieve the current index in the array.
upvoted 3 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 195/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  EmnCours 9 months, 1 week ago

Box1: Copy
Box2: copyIndex
upvoted 2 times

  Armina 1 year, 1 month ago

Box1: Copy
Box2: copyIndex
https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/copy-resources

By adding the copy loop to the resource section of your template, you can dynamically set the number of resources to be deployed. In addition,
you avoid the repetition of template syntax.

The copy loop can also be used with properties, variables and output.

Fügen Sie das copy-Element dem Ressourcenabschnitt ihrer Vorlage hinzu, um mehrere Instanzen der Ressource bereitzustellen. Das copy-Element
hat das folgende allgemeine Format:

"copy"
:{
"name": "<name-of-loop>",
"count": <number-of-iterations>,
"mode": "serial" <or> "parallel",
"batchSize": <number-to-deploy-serially>
}
The copyIndex() function returns the current iteration of the loop. copyIndex() is zero-based.
By default, Resource Manager creates the resources simultaneously. There is no limit to the number of resources provided in parallel, except for
limiting the total number to 800 resources in the template. The order in which they are created is not guaranteed.
upvoted 4 times

  epomatti 1 year, 1 month ago

Copy, copyIndex

Provided answer is correct.

upvoted 2 times

  DrJoness 1 year, 2 months ago

Question appeared on my exam today. April 7 2022
upvoted 5 times

  Dobby25 1 year, 2 months ago

Received this on my exam today 19/03/2022
upvoted 6 times

  sabyasachide 1 year, 2 months ago

How to recall this answer
upvoted 3 times

  zr79 1 year, 3 months ago

https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/copy-properties
upvoted 1 times

  WS_21 1 year, 3 months ago

"copy": [
"[copyIndex

https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/copy-properties
upvoted 1 times

  _punky_ 1 year, 5 months ago

LUN - is associated with index
upvoted 3 times

  deadhead82 1 year, 5 months ago

On a lighter note , you have to have a sharp memory to pass these certs.
upvoted 7 times

  zr79 1 year, 3 months ago

Yes, for Cringy Microsoft
upvoted 4 times

  Karthik3498 1 year, 5 months ago

memory is definitely required, but I don't think it should be sharp as you mean I think if we understand concepts it will be registered in our
brain
upvoted 6 times

  JESUSBB 1 year, 6 months ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 196/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

In the exam today 11-DEC-2021 Ans: Copy - CopyIndex

upvoted 9 times

  Takloy 1 year, 7 months ago

Copy
CopyIndex
https://docs.microsoft.com/nl-nl/azure/azure-resource-manager/templates/copy-properties
upvoted 1 times

  ohana 1 year, 8 months ago

Took the exam today on 17 Oct. This question came out. Ans: copy, copyIndex
upvoted 6 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 197/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #74 Topic 4

Subscription1 also includes a virtual network named VNET2. VM1 connects to a virtual network named VNET2 by using a network interface
named NIC1.
You need to create a new network interface named NIC2 for VM1.
Solution: You create NIC2 in RG1 and West US.
Does this meet the goal?

A. Yes

B. No

Correct Answer: A
The virtual machine you attach a network interface to and the virtual network you connect it to must exist in the same location, here West US,
also referred to as a region.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface

Community vote distribution

A (83%) B (17%)

  Asymptote Highly Voted  7 months, 1 week ago

Multiple NICs allow a VM to connect to different subnets.

VM must have at least one NIC. A virtual machine can have more than one NIC, depending on the size of the VM you create.

Each NIC attached to a VM must exist in the same location and subscription as the VM.

Each NIC must be connected to a VNet that exists in the same Azure location and subscription as the NIC.

Reference:

https://learn.microsoft.com/en-us/azure/virtual-network/network-overview
upvoted 15 times

  RougePotatoe 4 months, 1 week ago

Yes. Remember you goal! "You need to create a new network interface named NIC2 for VM1." You can pretty much ignore everything expect for
the location of VM1. The question only asked if you can create a new NIC for VM1 in westus not if you can connect it to any subnets or vNets.

"Each NIC attached to a VM must exist in the same location and subscription as the VM. Each NIC must be connected to a VNet that exists in
the same Azure location and subscription as the NIC. You can change the subnet a VM is connected to after it's created. You can't change the
virtual network. Each NIC attached to a VM is assigned a MAC address that doesn't change until the VM is deleted."

https://learn.microsoft.com/en-us/azure/virtual-network/network-overview#network-interfaces
upvoted 4 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 198/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  RougePotatoe 4 months, 1 week ago

I've also tested it in a lab to see if NIC 2 being in a different resource group will affect the ability of a VM to use that NIC. VMs can use NICs
in another RG without any issues.
upvoted 1 times

  JayLearn2022 Most Recent  3 months, 4 weeks ago

Answer: A

The resource group the NIC is created in does not matter. What matters is the region the NIC is connected to. NIC's attached to VM's must be
located in the same region as the VNET/Subnet it is connected to. The NIC must also be created in the same subscription.

Multiple NICs allow a VM to connect to different subnets.

VM must have at least one NIC. A virtual machine can have more than one NIC, depending on the size of the VM you create.

Each NIC attached to a VM must exist in the same Region and belong to the same subscription as the VM.

Each NIC must be connected to a VNet that exists in the same Azure Region and belong to the same Subscription as the NIC.
upvoted 4 times

  JayLearn2022 3 months, 4 weeks ago

Answer: A

Multiple NICs allow a VM to connect to different subnets.

VM must have at least one NIC. A virtual machine can have more than one NIC, depending on the size of the VM you create.

Each NIC attached to a VM must exist in the same Region and belong to the same subscription as the VM.

Each NIC must be connected to a VNet that exists in the same Azure Region and belong to the same Subscription as the NIC.
upvoted 1 times

  Reviewer 4 months ago

Why A? the question does not show the location for VNET2 is.
upvoted 2 times

  zellck 4 months, 1 week ago

Selected Answer: A
A is the answer.

https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface?tabs=network-interface-portal#create-a-network-
interface
- A network interface can exist in the same, or different resource group, than the virtual machine you attach it to, or the virtual network you
connect it to.
- The virtual machine you add the network interface to must also exist in the same location and subscription as the network interface.
upvoted 1 times

  dagomo 4 months, 2 weeks ago

Selected Answer: A
Hello guys,
in this kind of questions I guess the clue is the following:
VM1 connected to VNET2 with NIC1 on location West US.
Then VNET2 location is West US and only the NICs on West US locations will be ok for the answers.
upvoted 1 times

  CloudVillain 5 months ago

Selected Answer: B
RG2 and WestUS
upvoted 1 times

  klexams 7 months, 2 weeks ago

A.
NIC2 needs to be in the same location as VM which is west us. RG can be anywhere.
upvoted 2 times

  LiamAzure 7 months, 2 weeks ago

Makes no sense at all, what region is NIC 1 in? A vm can only have 1 NIC at a time I thought!?
upvoted 2 times

  Asymptote 7 months, 1 week ago

must have at least one NIC. A virtual machine can have more than one NIC, depending on the size of the VM you create.

Reference:
https://learn.microsoft.com/en-us/azure/virtual-network/network-overview
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 199/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 1 times
  rocroberto 8 months, 2 weeks ago
I believe the answer wants to stress that they belong to the same region (and the fact the Resource Group is different is irrelevant)
upvoted 1 times

  nox2447 9 months, 1 week ago

So the question is basically:
You need to create X in Y.
Solution: You create X in Y, does this meet your goal?
...um yeah?
upvoted 3 times

  Magis 8 months, 2 weeks ago

What you need to remind in this type of questions that resource group is global resource and doesn`t belong to any region even if it is getting
region tag where it was created :) It is one of the most confusing things in Azure and this is why you will see a lot of questions about it :)
upvoted 5 times

  shadad 4 months, 1 week ago

am getting confuse always by the resource group on the question. thanks for pointing to this.
upvoted 1 times

  EmnCours 9 months, 1 week ago

Selected Answer: A
Correct Answer: A
upvoted 1 times

  WISSYWISE 9 months, 2 weeks ago

The answer is correct:A
upvoted 1 times

  ExamTopicsTST 9 months, 2 weeks ago

Selected Answer: A
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-network-
interface#:~:text=Before%20creating%20a%20network%20interface%2C%20you%20must%20have%20an%20existing%20virtual%20network%20in
%20the%20same%20location%20and%20subscription%20you%20create%20a%20network%20interface%20in
upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 200/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #75 Topic 4

A. Yes

B. No

Correct Answer: B
The virtual machine you attach a network interface to and the virtual network you connect it to must exist in the same location, here West US,
also referred to as a region.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface

Community vote distribution

B (100%)

  Slimus 2 weeks, 4 days ago

Selected Answer: B
B - No. NIC2 must be in the same location as VM1
upvoted 1 times

  zellck 4 months, 1 week ago

Selected Answer: B
B is the answer.

  zellck 4 months, 1 week ago

Selected Answer: B
B is the answer.

A is the answer.

  dagomo 4 months, 2 weeks ago

Selected Answer: B

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 201/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Hello guys,
in this kind of questions I guess the clue is the following:
VM1 connected to VNET2 with NIC1 on location West US.
Then VNET2 location is West US and only the NICs on West US locations will be ok for the answers.
upvoted 1 times
  Asymptote 7 months, 1 week ago
B
Multiple NICs allow a VM to connect to different subnets.

VM must have at least one NIC. A virtual machine can have more than one NIC, depending on the size of the VM you create.

Each NIC attached to a VM must exist in the same location and subscription as the VM.

Each NIC must be connected to a VNet that exists in the same Azure location and subscription as the NIC.

Reference:
https://learn.microsoft.com/en-us/azure/virtual-network/network-overview
upvoted 3 times

  EmnCours 9 months, 1 week ago

Selected Answer: B
Correct Answer: B
upvoted 1 times

  ExamTopicsTST 9 months, 2 weeks ago

Selected Answer: B
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-network-
interface#:~:text=Before%20creating%20a%20network%20interface%2C%20you%20must%20have%20an%20existing%20virtual%20network%20in
%20the%20same%20location%20and%20subscription%20you%20create%20a%20network%20interface%20in
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 202/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #76 Topic 4

A. Yes

B. No

Community vote distribution

A (100%)

  Mat_m0381 Highly Voted  9 months ago

Selected Answer: A
Correct Answer: A

Resource Group doesn't matter in this question, as long as the NIC is in the same location as the VNET & VM
upvoted 17 times

  zellck Most Recent  4 months, 1 week ago

Selected Answer: A
A is the answer.

  dagomo 4 months, 2 weeks ago

  Asymptote 7 months, 1 week ago

Multiple NICs allow a VM to connect to different subnets.

VM must have at least one NIC. A virtual machine can have more than one NIC, depending on the size of the VM you create.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 203/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Each NIC attached to a VM must exist in the same location and subscription as the VM.

Each NIC must be connected to a VNet that exists in the same Azure location and subscription as the NIC.

Reference:
https://learn.microsoft.com/en-us/azure/virtual-network/network-overview
upvoted 2 times
  informix 9 months ago
compare with Q74, have not idea which one is correct.
upvoted 4 times

  lucy3246 9 months ago

location
upvoted 2 times

  BaldFury401 8 months, 2 weeks ago

Please explain further. How is this different than Q 74?
upvoted 1 times

  Imy 9 months ago

This doesn’t make sense should be B
upvoted 2 times

  maverick2223 9 months, 1 week ago

Correct Answer: A
upvoted 1 times

  EmnCours 9 months, 1 week ago

Selected Answer: A
Correct Answer: A
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 204/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #77 Topic 4

You develop the following Azure Resource Manager (ARM) template to create a resource group and deploy an Azure Storage account to the
resource group.

Which cmdlet should you run to deploy the template?

A. New-AzResource

B. New-AzResourceGroupDeployment

C. New-AzTenantDeployment

D. New-AzDeployment

Correct Answer: B
Deployment scope.
You can target your deployment to a resource group, subscription, management group, or tenant. Depending on the scope of the deployment,
you use different commands.
To deploy to a resource group, use New-AzResourceGroupDeployment.
Incorrect:
Not C: To deploy to a tenant, use New-AzTenantDeployment.
Not D: To deploy to a subscription, use New-AzSubscriptionDeployment which is an alias of the New-AzDeployment cmdlet.
To deploy to a management group, use New-AzManagementGroupDeployment.
Not A: The New-AzResource cmdlet creates an Azure resource, such as a website, Azure SQL Database server, or Azure SQL Database, in a
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 205/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

resource group.
Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/deploy-powershell

Community vote distribution

D (78%) B (22%)

  Tinkers69 Highly Voted  9 months ago

Selected Answer: D
D is correct here.

We are creating RG and storage acc. in this RG.

By using New-AzResourceGroupDeployment command -> "Adds an Azure deployment to a resource group."
upvoted 26 times

  skydivex 3 months, 2 weeks ago

agreed..... To add resources to a resource group, use the New-AzResourceGroupDeployment which creates a deployment at a resource group.
The New-AzDeployment cmdlet creates a deployment at the current subscription scope, which deploys subscription level resources.
upvoted 2 times

  Tarni 8 months, 3 weeks ago

Agree Answer should be D
1. The New-AzDeployment cmdlet adds a deployment at the current subscription scope. This includes the resources that the deployment
requires.

https://learn.microsoft.com/en-us/powershell/module/az.resources/new-azdeployment?view=azps-8.3.0
upvoted 4 times

  Asymptote Highly Voted  7 months, 1 week ago

Selected Answer: D
D

New-AzResource -
creates an Azure resource, such as a website, Azure SQL Database server, or Azure SQL Database, in a resource group.

Reference:
https://learn.microsoft.com/en-us/powershell/module/az.resources/new-azresource

New-AzResourceGroupDeployment -
adds a deployment to an existing resource group.

Reference:
https://learn.microsoft.com/en-us/powershell/module/az.resources/new-azresourcegroupdeployment

New-AzDeployment -
The New-AzDeployment cmdlet adds a deployment at the current subscription scope. This includes the resources that the deployment requires.

Reference:
https://learn.microsoft.com/en-us/powershell/module/az.resources/new-azdeployment

Ner-AzTenanDeployment just exceeded the scope.

upvoted 14 times

  RandomNickname Most Recent  1 week, 2 days ago

Selected Answer: D
I'm with D as per below URL.

https://learn.microsoft.com/en-us/powershell/module/az.resources/new-azdeployment?view=azps-10.0.0&viewFallbackFrom=azps-9.7.0

You're adding RG and Storage not resources.

From URL;
The New-AzDeployment cmdlet adds a deployment at the current subscription scope. This includes the resources that the deployment requires.

An Azure resource is a user-managed Azure entity. A resource can live in a resource group, like database server, database, website, virtual machine,
or Storage account. Or, it can be a subscription level resource, like role definition, policy definition, etc.

To add resources to a resource group, use the New-AzResourceGroupDeployment which creates a deployment at a resource group. The New-
AzDeployment cmdlet creates a deployment at the current subscription scope, which deploys subscription level resources.
upvoted 1 times

  maxustermann 3 weeks, 4 days ago

Selected Answer: B
Answers have been switched, its B now:
New-AzResourceGroupDeployment

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 206/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 1 times
  vinsom 1 month, 2 weeks ago
Answer: D. New-AzDeployment

  Exilic 1 month, 2 weeks ago

Selected Answer: D
OpenAI

The cmdlet you should run to deploy the ARM template is D. New-AzDeployment.

The New-AzDeployment cmdlet is used to deploy resources to an Azure resource group. It takes an ARM template as input and creates the
resources defined in the template.

The other cmdlets listed are also used to create Azure resources, but they are not specifically designed to deploy ARM templates.

New-AzResource: This cmdlet is used to create a new Azure resource in a resource group, but it does not take an ARM template as input.
New-AzResourceGroupDeployment: This cmdlet is specifically used to deploy an ARM template to a resource group, but it has been deprecated
and replaced by the New-AzDeployment cmdlet.
New-AzTenantDeployment: This cmdlet is used to deploy an ARM template to a tenant, which is a collection of subscriptions, rather than a specific
resource group. However, it is also being deprecated and replaced by the New-AzDeployment cmdlet.
upvoted 1 times

  ArronGC 1 month, 3 weeks ago

https://github.com/MicrosoftDocs/azure-docs/blob/main/articles/azure-resource-manager/templates/quickstart-create-template-specs.md

Answer is B
upvoted 1 times

  LogoHogo 2 months, 2 weeks ago

Selected Answer: B
Answers and their letters have been switched... Answer is now B which was D...
New-AzResourceGroupDeployment
upvoted 3 times

  lulzsec2019 2 months, 4 weeks ago

I'm confused. so which letter is the answer? B or D?
B. New-AzResourceGroupDeployment
D. New-AzDeployment
From the comments, it seems Examtopics edited the choices and interchanged B and D.
upvoted 5 times

  LogoHogo 2 months, 2 weeks ago

^^^THIS^^^
upvoted 2 times

  curtmcgirt 3 months, 3 weeks ago

Selected Answer: D
New-AzResourceGroupDeployment adds an Azure deployment to a resource group.
upvoted 1 times

  SedateBloggs 4 months, 1 week ago

Answer is D. This site explains it well. https://samcogan.com/deploying-resource-groups-with-arm-templates/
Answer B would not work here
upvoted 1 times

  MeysamBayani 4 months, 1 week ago

D is Correct
The New-AzResourceGroupDeployment cmdlet adds a deployment to an existing resource group
https://learn.microsoft.com/en-us/powershell/module/az.resources/new-azresourcegroupdeployment?view=azps-8.3.0
upvoted 1 times

  zellck 4 months, 1 week ago

Selected Answer: D
D is the answer.

https://learn.microsoft.com/en-us/powershell/module/az.resources/new-azdeployment?view=azps-9.3.0
Create a deployment at the current subscription scope.
upvoted 1 times

  khaled_razouk 5 months, 1 week ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 207/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Selected Answer: D
D is correct here.
upvoted 1 times

  olandese 5 months, 2 weeks ago

Selected Answer: D
this template needs to be deployed at subscription level: a RG is create in the template and the a inner template deployment is executed.
To create a deployment at subscription level use New-AzDeployment
See:
https://learn.microsoft.com/en-us/powershell/module/az.resources/new-azdeployment?view=azps-9.2.0
upvoted 1 times

  dagomo 6 months ago

D is correct here. We are creating RG and storage.

Description
The New-AzDeployment cmdlet adds a deployment at the current subscription scope. This includes the resources that the deployment requires.

  rqFamily 6 months, 3 weeks ago

The answer is B:
they are asking to deploy at the resource group level, and New-AzResourceGroupDeployment takes a resource group as a parameter.
New-AzDeployment doesn't take resource group as a parameter and only relay on what's inside your template, and that does not guarantee that
such resource is at the resource group level
upvoted 1 times

  rqFamily 6 months, 1 week ago

i stand to be corrected, the answer is D, since the template is deploying the resource group and the storage account, hence new-AsDeployment
doesnt take resource group as a parameter
upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 208/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #78 Topic 4

HOTSPOT -
You have an Azure App Service app named WebApp1 that contains two folders named Folder1 and Folder2.
You need to configure a daily backup of WebApp1. The solution must ensure that Folder2 is excluded from the backup.
What should you create first, and what should you use to exclude Folder2? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

Box 1: An Azure Storage account -

App Service can back up the following information to an Azure storage account and container that you have configured your app to use.

App configuration -

File content -

Database connected to your app -

Note: Choose your backup destination by selecting a Storage Account and Container. The storage account must belong to the same
subscription as the app you want to back up. If you wish, you can create a new storage account or a new container in the respective pages.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 209/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Box 2: A _backup.filter file -

Exclude files from your backup.
Suppose you have an app that contains log files and static images that have been backup once and are not going to change. In such cases, you
can exclude those folders and files from being stored in your future backups. To exclude files and folders from your backups, create a
_backup.filter file in the D:\home\site
\wwwroot folder of your app. Specify the list of files and folders you want to exclude in this file.
Reference:
https://docs.microsoft.com/en-us/azure/app-service/manage-backup

  Muffay Highly Voted  5 months, 1 week ago

Yes, the given answer is correct.

As I was quite confused, let me add some more details:

You need a Recovery service vault if you want to backup VMs, File Shares, SAP HANA in a VM or SQL Server in a VM.

You need a Backup vault if you want to backup Azure Disks, Azure Blobs or Azure Database for PostgreSQL Server.

The question asks about an App Service, this one backs up to a storage account.
upvoted 31 times

  vinsom 1 month, 2 weeks ago

Insightful! Thanks for sharing this
upvoted 1 times

  CK9797 Highly Voted  8 months, 2 weeks ago

Given answer correct.
This question was in the exam today. layout slightly different.
70-75% of the questions are from ET
I passed today 800
upvoted 22 times

  wpestan 6 months ago

Hi, i doubt. To configure a daily backup, we don´t need a Recovery service vault?
upvoted 2 times

  Muffay 5 months, 1 week ago

I got into this trap as well.

You need a Recovery service vault if you want to backup VMs, File Shares, SAP HANA in a VM or SQL Server in a VM.

The question asks about an App Service, this one backs up to a storage account.
upvoted 17 times

  jcallahan9 3 months ago

Microsoft really needs to consolidate things. They have made things way too complicated with "gotcha" knowledge. Unbelievable they
have RSV but don't back everything up to it.
upvoted 3 times

  zellck Most Recent  4 months, 1 week ago

1. Azure Storage Account
2. _backup.filter file

https://learn.microsoft.com/en-us/azure/app-service/manage-backup?tabs=portal#create-a-custom-backup
In Storage account, select an existing storage account (in the same subscription) or select Create new. Do the same with Container.

https://learn.microsoft.com/en-us/azure/app-service/manage-backup?tabs=portal#configure-partial-backups
Partial backups are supported for custom backups (not for automatic backups). Sometimes you don't want to back up everything on your app.

To exclude folders and files from being stored in your future backups, create a _backup.filter file in the %HOME%\site\wwwroot folder of your app.
Specify the list of files and folders you want to exclude in this file.
upvoted 11 times

  Asymptote 7 months, 1 week ago

Given ET answers are correct.

1.In your app management page in the Azure portal, in the left menu, select Backups.

2. At the top of the Backups page, select Configure custom backups.

3. In Storage account, select an existing storage account (in the same subscription) or select Create new. Do the same with Container.

4. To back up the linked database(s), select Next: Advanced > Include database, and select the database(s) to back up.

Partial backups are supported for custom backups (not for automatic backups).

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 210/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Reference:
https://learn.microsoft.com/en-us/azure/app-service/manage-backup?tabs=portal
upvoted 7 times
  Mev4953 9 months ago
First create: Azure Storage Account

To exclude Folder 2: _backup.filter

https://docs.microsoft.com/en-us/azure/app-service/manage-backup?tabs=portal#:~:text=Create%20a%20file,is%20(not%20deleted).
upvoted 3 times

  favela 9 months, 1 week ago

Passed today and this question came I almost forgot and choose another answer but at the end I decide to choose this answer I was confused with
others question but finally I decide to choose these answer and my score was 900
upvoted 12 times

  EmnCours 9 months, 1 week ago

Answer is correct!
upvoted 2 times

  qwerty100 9 months, 2 weeks ago

Correct Answer:

- An Azure Storage account

- a backup.filter file

https://docs.microsoft.com/en-us/azure/app-service/manage-backup?tabs=portal#create-a-custom-backup
https://docs.microsoft.com/en-us/azure/app-service/manage-backup?tabs=portal#configure-partial-backups
upvoted 1 times

  F117A_Stealth 9 months, 2 weeks ago

Answer is correct!

"To exclude folders and files from being stored in your future backups, create a _backup.filter file in the %HOME%\site\wwwroot folder of your app.
Specify the list of files and folders you want to exclude in this file."

https://docs.microsoft.com/en-us/azure/app-service/manage-backup?tabs=portal
upvoted 5 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 211/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #79 Topic 4

A. the Publish-AzVMDscConfiguration cmdlet

B. Azure Application Insights

C. Azure Custom Script Extension

D. a Microsoft Endpoint Manager device configuration profile

Correct Answer: C
Use Azure Resource Manager templates to install applications into virtual machine scale sets with the Custom Script Extension.
Note: The Custom Script Extension downloads and executes scripts on Azure VMs. This extension is useful for post deployment configuration,
software installation, or any other configuration / management task.
To see the Custom Script Extension in action, create a scale set that installs the NGINX web server and outputs the hostname of the scale set
VM instance.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/tutorial-install-apps-template

Community vote distribution

C (93%) 7%

  Mev4953 Highly Voted  9 months ago

There are several versions of this question in the exam. The question has two correct answers:
1. A Desired State Configuration (DSC) extension
2. Azure Custom Script Extension
upvoted 29 times

  zellck Most Recent  4 months, 1 week ago

Same as Question 89.
https://www.examtopics.com/discussions/microsoft/view/95713-exam-az-104-topic-4-question-89-discussion
upvoted 2 times

  zellck 4 months, 1 week ago

Selected Answer: C
C is the answer.

  Bigc0ck 5 months, 1 week ago

I dint see any NGINX questions on my previous tests
upvoted 2 times

  BShelat 5 months, 2 weeks ago

Selected Answer: C
There are several versions of this question in the exam. The question has two correct answers:
1. A Desired State Configuration (DSC) extension
2. Azure Custom Script Extension
upvoted 2 times

  Asymptote 7 months, 1 week ago

Selected Answer: C
C

The Custom Script Extension downloads and runs scripts on Azure virtual machines (VMs). This extension is useful for post-deployment
configuration, software installation, or any other configuration or management task. You can download scripts from Azure Storage or GitHub

Reference:
https://learn.microsoft.com/en-us/azure/virtual-machines/extensions/custom-script-windows

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 212/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

For DSC extension, as im not a server expert,

it might be able to use for Microsoft IIS which is a native role and feature but not for the NGNIX.

Hope other can give an proper conclusion..

upvoted 3 times
  LiamAzure 7 months, 2 weeks ago
Selected Answer: C
Correct Answer
upvoted 1 times

  matix781 8 months ago

Selected Answer: C
C for sure
upvoted 1 times

  Imy 9 months ago

Why is one person voting thrice and scewing the results
upvoted 2 times

  EmnCours 9 months, 1 week ago

Selected Answer: C
Correct Answer: C
upvoted 2 times

  EmnCours 9 months, 1 week ago

Selected Answer: C
Correct Answer: C
upvoted 2 times

  EmnCours 9 months, 1 week ago

Selected Answer: B
Correct Answer: C
upvoted 1 times

  ExamTopicsTST 9 months, 2 weeks ago

Selected Answer: C
https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/custom-script-
windows#:~:text=This%20extension%20is%20useful%20for%20post%2Ddeployment%20configuration%2C%20software%20installation%2C%20or
%20any%20other%20configuration%20or%20management%20task.
upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 213/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #80 Topic 4

HOTSPOT -
You have an Azure subscription. The subscription contains a virtual machine that runs Windows 10.
You need to join the virtual machine to an Active Directory domain.
How should you complete the Azure Resource Manager (ARM) template? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 214/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Correct Answer:

Box 1: "Microsoft.Compute/VirtualMachines/extensions",
The following JSON example uses the Microsoft.Compute/virtualMachines/extensions resource type to install the Active Directory domain join
extension.
Parameters are used that you specify at deployment time. When the extension is deployed, the VM is joined to the specified managed domain.
Box 2: "ProtectedSettings":{
Example:
{
"apiVersion": "2015-06-15",
"type": "Microsoft.Compute/virtualMachines/extensions",
"name": "[concat(parameters('dnsLabelPrefix'),'/joindomain')]",
"location": "[parameters('location')]",
"dependsOn": [
"[concat('Microsoft.Compute/virtualMachines/', parameters('dnsLabelPrefix'))]"
],
"properties": {
"publisher": "Microsoft.Compute",
"type": "JsonADDomainExtension",
"typeHandlerVersion": "1.3",
"autoUpgradeMinorVersion": true,
"settings": {
"Name": "[parameters('domainToJoin')]",
"OUPath": "[parameters('ouPath')]",
"User": "[concat(parameters('domainToJoin'), '\\', parameters('domainUsername'))]",
"Restart": "true",

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 215/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

"Options": "[parameters('domainJoinOptions')]"
},
"protectedSettings": {
"Password": "[parameters('domainPassword')]"
}
}
}
Reference:
https://docs.microsoft.com/en-us/azure/active-directory-domain-services/join-windows-vm-template

  ExamTopicsTST Highly Voted  9 months, 2 weeks ago

Answer is correct.

https://docs.microsoft.com/en-us/azure/active-directory-domain-services/join-windows-vm-template
upvoted 26 times

  EmnCours Highly Voted  9 months, 1 week ago

Correct Answer:

box1: Microsoft.Compute/virtualMachines/extensions
box2: protectedSettings

https://docs.microsoft.com/en-us/azure/active-directory-domain-services/join-windows-vm-template#azure-resource-manager-template-overview
upvoted 9 times

  zellck Most Recent  4 months, 1 week ago

1. Microsoft.Compute/virtualMachines/extensions
2. ProtectedSettings

https://learn.microsoft.com/en-us/azure/active-directory-domain-services/join-windows-vm-template#azure-resource-manager-template-overview
The following JSON example uses the Microsoft.Compute/virtualMachines/extensions resource type to install the Active Directory domain join
extension.
upvoted 1 times

  UK7 5 months, 3 weeks ago

Came on 21st Dec 2022 Exam
Answer is correct
upvoted 6 times

  Mev4953 9 months ago

https://docs.microsoft.com/en-us/azure/active-directory-domain-services/join-windows-vm-
template#:~:text=example%20uses%20the-,Microsoft.Compute/virtualMachines/extensions,-resource%20type%20to
upvoted 2 times

  qwerty100 9 months, 2 weeks ago

Correct Answer:

box1: Microsoft.Compute/virtualMachines/extensions
box2: protectedSettings

https://docs.microsoft.com/en-us/azure/active-directory-domain-services/join-windows-vm-template#azure-resource-manager-template-overview
upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 216/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #82 Topic 4

HOTSPOT
-

You are creating an Azure Kubernetes Services (AKS) cluster as shown in the following exhibit.

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 217/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

NOTE: Each correct selection is worth one point.

Correct Answer:

  Alex2022_31 Highly Voted  5 months, 1 week ago

1) Modify the Network configuration setting
"To run an AKS cluster that supports node pools for Windows Server containers, your cluster needs to use a network policy that uses Azure CNI
(advanced) network plugin."

Ref: https://learn.microsoft.com/en-us/azure/aks/learn/quick-windows-container-deploy-cli

2) AKS-Managed Azure Active Directory

Ref: https://learn.microsoft.com/en-us/azure/aks/cluster-container-registry-integration?tabs=azure-cli
upvoted 31 times

  zellck Highly Voted  4 months, 1 week ago

1. modify the Network configuration setting
2. AKS-managed Azure AD

https://learn.microsoft.com/en-us/azure/aks/learn/quick-windows-container-deploy-cli#create-an-aks-cluster
To run an AKS cluster that supports node pools for Windows Server containers, your cluster needs to use a network policy that uses Azure CNI
(advanced) network plugin.

https://learn.microsoft.com/en-us/azure/aks/cluster-container-registry-integration?tabs=azure-cli
The AKS to ACR integration assigns the AcrPull role to the Azure Active Directory (Azure AD) managed identity associated with your AKS cluster.
upvoted 8 times

  ericZX Most Recent  1 month, 2 weeks ago

(1) Modify the Network configuration setting
Tested in lab, if the Network configuration is Kubenet, you will not be able to add a windows node pool, you have to change it from Kubenet to
Azure CNI first.

Next step, you need to add a new node pool

All AKS clusters are created with a default first node pool, which is Linux-based. This node pool contains system services that are needed for the
cluster to function. ...The first Linux-based node pool can't be deleted unless the AKS cluster itself is deleted.
https://learn.microsoft.com/en-us/azure/aks/windows-faq?tabs=azure-cli
upvoted 2 times

  ChakaZilly 4 months, 2 weeks ago

Increase the number of node pools (First node is linux only)
AKS-managed Azure Active Directory (Needs the ACR-Pull role)
upvoted 3 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 218/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  examtopics999 4 months, 2 weeks ago

https://learn.microsoft.com/en-us/azure/aks/learn/quick-windows-container-deploy-cli

"To run an AKS cluster that supports node pools for Windows Server containers, your cluster needs to use a network policy that uses Azure CNI
(advanced) network plugin."

Above diagram uses Kubenet Network configuration - That needs to be modified to Azure CNI. Hence firt box answer is "modify the network
configuration setting"

To use Windows Server node pools, you must use Azure CNI. The use of kubenet as the network model is not available for Windows Server
containers.

Also, Windows Containers need their own Node pool as default AKS configuration is for Linux containers. There is a possibility of "increase the
number of node pools" as well - as current node pool count is 1. However, first step would be to fix Network configuration.
upvoted 5 times

  yaboo1617 2 months, 1 week ago

If first node is for Linux, then CNI is only required for the second pool. So first step would be to add a pool.
upvoted 1 times

  1475 5 months, 1 week ago

By default, an AKS cluster is created with a node pool that can run Linux containers. Use az aks nodepool add command to add an additional node
pool that can run Windows Server containers alongside the Linux node pool.

https://learn.microsoft.com/en-us/azure/aks/learn/quick-windows-container-deploy-cli
upvoted 7 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 219/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #83 Topic 4

HOTSPOT
-

You have an Azure subscription that contains an Azure Kubernetes Service (AKS) cluster named Cluster1. Cluster1 hosts a node pool named
Pool1 that has four nodes.

You need to perform a coordinated upgrade of Cluster1. The solution must meet the following requirements:

• Deploy two new nodes to perform the upgrade.

• Minimize costs.

How should you complete the command? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Correct Answer:

  Muffay Highly Voted  5 months, 1 week ago

Answer is WRONG.

I assume there is a typo, where it says "updates" it should be "update".

az aks nodepool **update** -n pool1 -g RG1 --cluster-name cluster1 **max-surge 2**

https://learn.microsoft.com/en-us/cli/azure/aks/nodepool?view=azure-cli-latest
We want to edit an existing node pool, so we cannot use "add":
"Add a node pool to the managed Kubernetes cluster."

We want to update the properties of the node pool, so we need to use:

az aks nodepool update
"Update a node pool properties."

We want to set it up to use more nodes during an update, so this one is right:
--max-surge
"Extra nodes used to speed upgrade. When specified, it represents the number or percent used, eg. 5 or 33%."
upvoted 27 times

  BooMz Highly Voted  3 months, 3 weeks ago

Based on document, it is
Box 1: Update
Box 2: --max-surge

I'm very new here, and I could be wrong. Here is the link. Please verify and don't take my word for it.
https://learn.microsoft.com/en-us/azure/aks/upgrade-cluster?tabs=azure-cli
upvoted 12 times

  RandomNickname Most Recent  1 week, 2 days ago

Agree with others for update.

I don't believe it's scale since this is referring to low resource as per below;

https://learn.microsoft.com/en-us/azure/aks/scale-cluster?tabs=azure-cli

And the question doesn't mention the need for a new pool, since we need to minimise costs and use existing pool to to do so, I'd have to presume
to use existing so;
1: Update
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 220/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

2: Max surge

See:
https://learn.microsoft.com/en-us/azure/aks/upgrade-cluster?tabs=azure-cli#upgrade-an-aks-cluster
upvoted 1 times
  FreeSwan 1 month, 3 weeks ago
It's already existing cluster, So "update" an "max-surge 2" is fit in...
upvoted 2 times

  ericZX 2 months, 1 week ago

az aks nodepool update --max-surge 2 will add two new nodes
az aks nodepool scale --node-count 2 Running nodes will change from 4 to 2
so
box 1: Update
box 2: --max-surge

https://learn.microsoft.com/en-us/azure/aks/upgrade-cluster?tabs=azure-cli
https://learn.microsoft.com/en-us/azure/aks/scale-cluster?tabs=azure-cli
upvoted 1 times

  ericZX 2 months, 1 week ago

az aks nodepool add
Add a node pool to the managed Kubernetes cluster

Can't find az aks nodepool get-updates

az aks nodepool get-upgrades

Get the available upgrade versions for an agent pool of the managed Kubernetes cluster.
https://learn.microsoft.com/en-us/cli/azure/aks/nodepool?view=azure-cli-latest
upvoted 1 times

  Slawekyo 2 months, 2 weeks ago

Since they are not asking us to update but to DEPLOY
I think the answer should be

1.Scale

2.Node count
upvoted 2 times

  Fedele 2 months, 3 weeks ago

https://learn.microsoft.com/en-us/azure/aks/upgrade-cluster?tabs=azure-cli

1: Add
2: max-surge
upvoted 1 times

  Gzt 3 months, 1 week ago

No necessary to scale a pool because we are asked to minimize costs, so we need to use "update" with "max-surge" parameter to have additional
nodes (buffer nodes) only during upgrade https://learn.microsoft.com/en-us/azure/aks/upgrade-cluster?tabs=azure-cli#upgrade-an-aks-cluster
upvoted 2 times

  CloudEnth 3 months, 2 weeks ago

It is clearly stated on the doc 1st Box) scale 2nd Box ) --node-count
az aks nodepool scale \
--resource-group myResourceGroup \
--cluster-name myAKSCluster \
--name mynodepool \
--node-count 5 \
--no-wait
https://learn.microsoft.com/en-us/azure/aks/use-multiple-node-pools
upvoted 1 times

  ukivanlamlpi 4 months ago

question is to ask add new node not nodepool, should be 'scale' instead of update:
az aks nodepool scale --cluster-name
--name
--resource-group
[--no-wait]
[--node-count]
upvoted 2 times

  ukivanlamlpi 4 months ago

Box 2 answer is node count
upvoted 1 times

  zellck 4 months, 1 week ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 221/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

1. updates
2. --max-surge 2

https://learn.microsoft.com/en-us/cli/azure/aks/nodepool?view=azure-cli-latest#az-aks-nodepool-update
Update a node pool properties.

https://learn.microsoft.com/en-us/cli/azure/aks/nodepool?view=azure-cli-latest#az-aks-nodepool-update-optional-parameters
max-surge
- Extra nodes used to speed upgrade. When specified, it represents the number or percent used, eg. 5 or 33%.
upvoted 3 times

  lombri 4 months, 2 weeks ago

Update min-count or max-count for cluster autoscaler.
Azure CLI

az aks nodepool update --update-cluster-autoscaler

--max-surge

Extra nodes used to speed upgrade. When specified, it represents the number or percent used, eg. 5 or 33%.
upvoted 3 times

  Notteb 4 months, 3 weeks ago

Summary of the comments:
1. Update (misspelled)
2. Max Surge 2
upvoted 3 times

  Mo22 4 months, 3 weeks ago

az aks nodepool updates -n pool1 -g rg1 --cluster-name cluster --max-surge2
upvoted 1 times

  CloudVillain 5 months ago

Box1: Update
Box2:
--max-count
Maximum nodes count used for autoscaler, when "--enable-cluster-autoscaler" specified. Please specify the value in the range of [0, 1000] for user
nodepool, and [1,1000] for system nodepool.

--max-surge
Extra nodes used to speed upgrade. When specified, it represents the number or percent used, eg. 5 or 33%.

According to the explanation above, it should be max-Surge 2

https://learn.microsoft.com/en-us/cli/azure/aks/nodepool?view=azure-cli-latest#az-aks-nodepool-update-required-parameters
upvoted 1 times

  dagomo 5 months ago

Hi guys,
I guess the answer is wrong and should be scale & node-count2

Explanation:
Scale a node pool manually
As your application workload demands change, you may need to scale the number of nodes in a node pool. The number of nodes can be scaled up
or down.

To scale the number of nodes in a node pool, use the az aks node pool scale command. The following example scales the number of nodes in
mynodepool to 5:

az aks nodepool scale \

--resource-group myResourceGroup \
--cluster-name myAKSCluster \
--name mynodepool \
--node-count 5 \
--no-wait

https://learn.microsoft.com/en-us/azure/aks/use-multiple-node-pools
upvoted 3 times

  insanewriters 3 months, 3 weeks ago

Agree. Read the documentation carefully. I have no idea why everybody is saying "update" can be used to add nodes to a pool.
upvoted 1 times

  insanewriters 3 months, 3 weeks ago

I stand corrected - it is "update" since we're upgrading the node pool. a max-surge of 2 gives two extra temp nodes to perform the upgrade.
upvoted 1 times

  sss123412 5 months, 1 week ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 222/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Should be a wrong answer?

According to: https://learn.microsoft.com/en-us/cli/azure/aks/nodepool?view=azure-cli-latest

"add" command aim to add new node pools instead of adding nodes to an existing one, however the question has already show that we are
adding to pool1 as specified in the command.

I'm assuming the answer would be update + max-count?

update: Update a node pool properties.

Update a node pool to enable/disable cluster-autoscaler or change min-count or max-count. When called with no optional arguments this
attempts to move the node pool to its goal state without changing the current node pool configuration. This can be used to move out of a non
succeeded state.

max-count: Maximum nodes count used for autoscaler, when "--enable-cluster-autoscaler" specified. Please specify the value in the range of [0,
1000] for user nodepool, and [1,1000] for system nodepool
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 223/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #84 Topic 4

HOTSPOT
-

You have an Azure subscription.

You create the following file named Deploy.json.

You connect to the subscription and run the following commands.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 224/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Correct Answer:

  Alex2022_31 Highly Voted  5 months, 1 week ago

Answers: Yes / No / Yes

Y: The 4 resources created are the RG1 resource group + the 3 storage accounts
N: the location of the storage accounts is defined by the parameter "location" in the "resources" item that has the value of the Resource Group
(stated by the "resourceGroup().location" function that returns the location of the resource group RG1 which is in Central US)
Y: the names of the storages account have the prefix given by the copyIndex() function in "name": "
[concat(copyIndex(),'storage',uniqueString(resourceGroup().id))]", which starts at the position 0
upvoted 36 times

  garmatey 1 week, 6 days ago

how do you know central US?
upvoted 1 times

  garmatey 1 week, 6 days ago

nvm my b
upvoted 1 times

  tEaMpRaEn 1 month, 2 weeks ago

YNY is correct.
Resource groups, subscriptions, management groups, and tags are also examples of resources.
https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/overview
upvoted 2 times

  Bayer2517 3 months, 3 weeks ago

A resource group is a container that holds related resources for an Azure solution. The resource group can include all the resources for the
solution, or only those resources that you want to manage as a group.
upvoted 1 times

  pramodk78 5 months, 1 week ago

resource - A manageable item that is available through Azure. Virtual machines, storage accounts, web apps, databases, and virtual networks are
examples of resources. Resource groups, subscriptions, management groups, and tags are also examples of resources.
-- https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/overview
upvoted 11 times

  RandomNickname Most Recent  1 week, 2 days ago

The links in the comments helped understand this.

Y,N,Y
upvoted 1 times

  zellck 4 months, 1 week ago

YNY is the answer.

https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/copy-resources#resource-iteration
Notice that the name of each resource includes the copyIndex() function, which returns the current iteration in the loop. copyIndex() is zero-based.
upvoted 3 times

  Muffay 5 months, 1 week ago

The commands will create four new resources - NO. A Resource Group is not a resource, so it will only create 3 storage accounts as resources.
The commands will create storage accounts in the West US Azure region - NO. Note the "location": "[resourceGroup().location]". This will set the
location to the location of the resource group, which is Central US.
"The first storage account that is create will have a prefix of 0": YES. As the name is concated starting with the copyIndex(), that is true.
upvoted 3 times

  Muffay 5 months, 1 week ago

I was incorrect. A Resource Group *is* a resource, so the first answer is YES.
https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/overview#terminology
resource - A manageable item that is available through Azure. Virtual machines, storage accounts, web apps, databases, and virtual networks are
examples of resources. Resource groups, subscriptions, management groups, and tags are also examples of resources.
upvoted 7 times

  sharkzor 5 months, 1 week ago

N - RG != resource
Y - Westus is in the template. no parameter override given

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 225/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Y
upvoted 3 times

  djgodzilla 5 months, 1 week ago

can't speak about the override . but for
1. you already have RG1 created and it was specified in the command New-AzResourceGroupDeployment hence it adds a deployment to an
existing resource group.
and 1. = is NO ( 3 resources only)
upvoted 2 times

  djgodzilla 5 months, 1 week ago

EDIT: the override is "location": "[resourceGroup().location]"
so :
N- 3 storage accounts
N- central us
Y- count iteration always starts with 0
Y
upvoted 2 times

  sandorh 5 months, 1 week ago

This is wrong, a resource group is a resource.
https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/overview
"Virtual machines, storage accounts, web apps, databases, and virtual networks are examples of resources. Resource groups, subscriptions,
management groups, and tags are also examples of resources."
upvoted 3 times

  buzzerboy 5 months, 1 week ago

the location is set to read from the resource groups location, and the resource group location is specified to central in the New-
AzResourceGroup command
upvoted 1 times

  Muffay 5 months, 1 week ago

For your second Y - in the template the location is calculated using the Resource Group location. So, it actually is N - it will be the location of
the RG, which is Central US.

Combining your answer with Alexs answer will give you the correct responses then :D
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 226/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #85 Topic 4

You plan to deploy several Azure virtual machines that will run Windows Server 2019 in a virtual machine scale set by using an Azure Resource
Manager template.

You need to ensure that NGINX is available on all the virtual machines after they are deployed.

What should you use?

A. Azure Custom Script Extension

B. Deployment Center in Azure App Service

C. the Publish-AzVMDscConfiguration cmdlet

D. the New-AzConfigurationAssignment cmdlet

Correct Answer: A

Community vote distribution

A (100%)

  Naywonni 3 months, 3 weeks ago

I think A is the answer
upvoted 1 times

  zellck 4 months, 1 week ago

Same as Question 89.
https://www.examtopics.com/discussions/microsoft/view/95713-exam-az-104-topic-4-question-89-discussion
upvoted 2 times

  zellck 4 months, 1 week ago

Selected Answer: A
A is the answer.

  DeBoer 4 months, 1 week ago

Selected Answer: A
funny enough, in the first part of the set, the answer often was DSC for similar questions. Makes you wonder.
upvoted 1 times

  xRiot007 1 week, 6 days ago

It can be any of the 2. Either use a an Azure custom script or a desired configuration script extension.
upvoted 1 times

  Tim_May_88 4 months, 2 weeks ago

Same as question 79. Duplication in the questions is unfortunate. We paid to see a variety of different questions across all the subject matter
domain. Please remove the duplicates.
upvoted 1 times

  Notteb 4 months, 3 weeks ago

Selected Answer: A
A. Azure Custom Script Extension
upvoted 1 times

  Ashfaque_9x 5 months ago

Selected Answer: A
A. Azure Custom Script Extension
upvoted 1 times

  khaled_razouk 5 months, 1 week ago

A. Azure Custom Script Extension
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 227/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  buzzerboy 5 months, 1 week ago

There are two ways to ensure specific things are installed. One is by using DesiredStateConfiguration extension, and the other is by running a
custom script along with a custom script extension. In this case the only available option is custom script. So A)
upvoted 2 times

  buzzerboy 5 months, 1 week ago

It is not the *Publish-AzVMDscConfiguration cmdlet* because that cmdlet just "uploads a Desired State Configuration (DSC) script to Azure blob
storage, which later can be applied to Azure virtual machines using the Set-AzVMDscExtension cmdlet."
https://learn.microsoft.com/en-us/powershell/module/az.compute/publish-azvmdscconfiguration?view=azps-9.2.0
upvoted 2 times

  Muffay 5 months, 1 week ago

On a second thought, it might also be "the Publish-AzVMDscConfiguration cmdlet".

We can publish a DSC configuration with that one - but what is missing here is assigning the DSC configuration to the VMs. So I think A is still the
more complete solution.
upvoted 1 times

  Muffay 5 months, 1 week ago

Selected Answer: A
A is correct, a Custom Script extension can be used to install custom resources after a deployment.
upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 228/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #86 Topic 4

HOTSPOT
-

You have an Azure subscription that contains a resource group named RG1.

You plan to use an Azure Resource Manager (ARM) template named template1 to deploy resources. The solution must meet the following
requirements:

• Deploy new resources to RG1.

• Remove all the existing resources from RG1 before deploying the new resources.

How should you complete the command? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Correct Answer:

  sss123412 Highly Voted  5 months, 1 week ago

correct answer

-Mode
Specifies the deployment mode. The acceptable values for this parameter are:

Complete: In complete mode, Resource Manager deletes resources that exist in the resource group but are not specified in the template.
Incremental: In incremental mode, Resource Manager leaves unchanged resources that exist in the resource group but are not specified in the
template.

https://learn.microsoft.com/en-us/powershell/module/az.resources/new-azresourcegroupdeployment?view=azps-9.2.0

There is no such mode called "All"

upvoted 23 times

  Ashfaque_9x Highly Voted  4 months, 2 weeks ago

Passed today on 29Jan23 with a score of 970. This question was in the exam.
The provided answer is correct. "-ResourceGroupName" and "Complete".
upvoted 12 times

  zellck Most Recent  4 months, 1 week ago

1. -ResourceGroupName
2. Complete

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 229/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

https://learn.microsoft.com/en-us/powershell/module/az.resources/new-azresourcegroupdeployment?view=azps-9.3.0#-resourcegroupname
Specifies the name of the resource group to deploy.

https://learn.microsoft.com/en-us/powershell/module/az.resources/new-azresourcegroupdeployment?view=azps-9.3.0#-mode
Specifies the deployment mode. The acceptable values for this parameter are:
-Complete: In complete mode, Resource Manager deletes resources that exist in the resource group but are not specified in the template.
- Incremental: In incremental mode, Resource Manager leaves unchanged resources that exist in the resource group but are not specified in the
template.
upvoted 8 times

  zellck 3 months, 4 weeks ago

Got this in Feb 2023 exam.
upvoted 7 times

  Paul_white 3 months, 3 weeks ago

WOULD BE WRITING MINE ON THE 25 :)
upvoted 1 times

  Onobhas01 5 months ago

- ResourceGroupName
- Complete Mode
upvoted 1 times

  Muffay 5 months, 1 week ago

Answer is correct.
"In complete mode, Resource Manager deletes resources that exist in the resource group but are not specified in the template."
https://learn.microsoft.com/en-us/powershell/module/az.resources/new-azresourcegroupdeployment?view=azps-9.2.0#-mode
upvoted 5 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 230/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #87 Topic 4

HOTSPOT
-

You have an Azure App Service web app named app1.

You configure autoscaling as shown in following exhibit.

You configure the autoscale rule criteria as shown in the following exhibit.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 231/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Use the drop-down menus to select the answer choice that answers each question based on the information presented in the graphic.

NOTE: Each correct selection is worth one point.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 232/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Correct Answer:

  sss123412 Highly Voted  5 months, 1 week ago

2, 15
Initial instance is 1 as specified in first figure.
80% for 15 minutes reaches 10 minutes duration, but haven't reached second turn of scale out, so only one new instance is created.
Since cool down time is 5 minutes, which means after one scale happens, it will count 5 minutes before counting a new 10 minutes, so 15 minutes
total.
upvoted 39 times

  zellck 4 months, 1 week ago

The counting of 10 mins starts from last scale out, not from after cool down timer.

https://learn.microsoft.com/en-us/azure/azure-monitor/autoscale/autoscale-understanding-settings#autoscale-setting-schema
Cool down (minutes)
- The amount of time to wait after a scale operation before scaling again. For example, if cooldown = “PT10M”, autoscale doesn't attempt to
scale again for another 10 minutes. The cooldown is to allow the metrics to stabilize after the addition or removal of instances.
upvoted 2 times

  SimonSM178 2 months, 3 weeks ago

but the trigger to scale out says "if CPU use is greater than 75% for 10 minutes". shouldn't you interpret it is as 5 minutes cooldown = 5
minutes for which no scaling action will be performed. after 5 minutes, Azure can scale again, but it needs 10 minutes of CPU higher than
75% to perform another scale out, right? so 5 cooldown + 10 minutes (according to the rule) should be 15 minutes. please correct me if I'm
wrong
upvoted 1 times

  Rams_84zO6n 2 months, 2 weeks ago

shouldn't the second answer be 5 minutes? First time the stats are not available, so it has to wait 10 min for stats, increase instance count,
cool down for 5 minutes. Now it has stats that goes back to 10 minutes, so there is no need to wait for another 10 minutes to compute
stats. So min. time to wait before additional instance creation must be 5 minutes. Do you agree?
upvoted 2 times

  SimonSM178 2 months, 2 weeks ago

I don't think so, the action trigger is CPU usage greater than 70% for 10 minutes. It doesn't say "as soon as CPU usage is greater than
70%". In my opinion, there are 5 minutes cooldown since the last scale-out, if after the scale-out CPU still is at 70%, then you need 10
minutes more.
upvoted 1 times

  zellck Highly Voted  4 months, 1 week ago

1. 2 instances
2. 10 minutes

https://learn.microsoft.com/en-us/azure/azure-monitor/autoscale/autoscale-get-started#create-your-first-autoscale-setting

https://learn.microsoft.com/en-us/azure/azure-monitor/autoscale/autoscale-understanding-settings#autoscale-setting-schema
Cool down (minutes)
- The amount of time to wait after a scale operation before scaling again. For example, if cooldown = “PT10M”, autoscale doesn't attempt to scale
again for another 10 minutes. The cooldown is to allow the metrics to stabilize after the addition or removal of instances.
upvoted 12 times

  Spooky7 2 months, 2 weeks ago

But cooldown is 5 minutes here, not 10. So why 10 minutes?
upvoted 1 times

  RougePotatoe 3 months, 3 weeks ago

In support of this answer read through the comments on this link.
https://github.com/MicrosoftDocs/azure-docs/issues/17169
upvoted 4 times

  RandomNickname Most Recent  1 week, 2 days ago

Q1 is straight forward
Q2, From what I understand and reading the URL
https://learn.microsoft.com/en-us/azure/azure-monitor/autoscale/autoscale-understanding-settings#autoscale-evaluation

Duration. The amount of time to look back for metrics. For example, timeWindow = "PT10M" means that every time autoscale runs, it queries
metrics for the past 10 minutes. The time window allows your metrics to be normalized and avoids reacting to transient spikes.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 233/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Cool down (minutes). The amount of time to wait after a scale operation before scaling again. For example, if cooldown = "PT10M", autoscale
doesn't attempt to scale again for another 10 minutes. The cooldown is to allow the metrics to stabilize after the addition or removal of instances.

So should be 5min for Q2

upvoted 1 times
  ppolychron 1 month ago
3 instances , 5 minutes

Explanation:
Lets say that the process starts at 00:00
a) At 00:10 we have enough metrics so an evaluation is performed.
Average is above 70% so increase instance by 1. Now we have 2 instances
b)Cool down is 5 minutes, so next evaluation is AT 00:15 and it checks the metrics from 00:05-00:15. Average is above 70% so increase instance by
1. Now we have 3 instances
b)Cool down is 5 minutes, so next evaluation is AT 00:20 and it checks the metrics from 00:10-00:20 and so on.....

I was very confused from all the comments so I checked this in my LAB. The only difference is that I used a cool down of 2 minutes. I generated
traffic using apache benchmark tool (https://www.apachelounge.com/download/). After the first scale out, every 2 minutes another scale-out would
happen.

Note: CMD for Apache Tool: abs -n 15000 -c 100 https://<youapp>.azurewebsites.net/

upvoted 6 times

  Ccastan1 2 weeks, 3 days ago

I agree with you
upvoted 1 times

  msxdan 1 month, 1 week ago

2, 10
I see a lot of people here stating different results, but to be honest, the cooldown is used to avoid scaling before the metrics are stable

What would happen if the condition is evaluated every 1 minute? it will wait for cooldown before scaling even if the condition is met

So if cooldown is 5 minutes and the evaluation is 10, when it's checking the condition the cooldown is over, so it will scale

I use a lot of AppServices with auto scaling and that's how it works, as a real example I could say that in one AppService it scales every 5 mins when
there's load, the condition is checked every minute and the cooldown is 5 minutes, if people that thinks that is time + cooldown it would be 6 mins,
but it's not

Would be something like this (triggered when duration time occurs):

if (conditionIsMet) {
if (elapsedTime >= cooldown)
scale();
}
else { /**/ }
}

https://learn.microsoft.com/en-us/azure/azure-monitor/autoscale/autoscale-get-started?toc=%2Fazure%2Fapp-service%2Ftoc.json#cool-down-
period-effects
upvoted 1 times

  ericZX 2 months, 1 week ago

I will go 2 & 15
“The short answer is that the metric duration does not include the cool down period.”
from
https://github.com/MicrosoftDocs/azure-docs/issues/56120
upvoted 1 times

  Spooky7 2 months, 2 weeks ago

I don't know why but it seems that majority of people commenting here don't know exactly how autoscaling works. So let me explain few things.
Duration value is only used for data range - how much data autoscaling system has to aggregate to determine if rule applies or not. Cooldown -
how much time has to pass before next autoscale operation to trigger. So once you start you app the first autoscale may happen not earlier than
after duration value (because you need specific data range). Each next will happen every cooldown value. So:
- first scale out will happen after 10 minutes (duration value)
- next scale out will happen after 15 minutes (+5 minutes of cooldown)
Therefore answer for first question is 3 instances

Second one is simpler. Scaling operation just happened. So next scaling may happen after cooldown time which is 5 minutes.
upvoted 11 times

  Rams_84zO6n 2 months, 3 weeks ago

one small correction. It should be at t+14 (not t+4), instance count is 4. apologies.
upvoted 1 times

  Rams_84zO6n 2 months, 3 weeks ago

The answer must be: instance count=4, time=5 min. Here is why.
At some time t-1, 80% cpu reached. The instance count is 1. After a minute(at time t), Max(last 1 min CPU %)= 80%, so instance count increments
to 2. At t+5 (cooldown time), cont is 3. At t+10, count=4. At t+4, the CPU has be holding steady at 80% for 15 minutes. So the instance count=4.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 234/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

There is still 1 minute cool down time left. For the second question, since cooldown time=5 min, it should allow 5 minutes before evaluate
TimeAggregation rule again.
upvoted 1 times
  OscarAlvAzure 3 months, 1 week ago
3/4, 5min
Initial instance = 1, so after 15min it can scalate 3 times, the first one could match or not depending on the metrics before the first scalate runs (we
know that 5min before it was 85% CPU but we don't know metrics about 10min to 5min, the duration is set to 10min so the first one could not
match)
After a scale out triggers the next one will be 5min later because of the cooldown (duration only is the amount of time to look back for metrics)
https://learn.microsoft.com/en-us/azure/azure-monitor/autoscale/autoscale-understanding-settings#autoscale-setting-schema
upvoted 1 times

  Yey1236 3 months, 2 weeks ago

3 instances, 5 minutes
Cool down is used to not increase (decrease) too quickly, so at this time no adding/removing happen. But average is taken from last 10 minutes.
So CPU is reaching 80% at 0:00 then at 0:10 (or earlier but probably here is "average CPU usage" not usage) will add one instance, then system will
wait 5 minutes (cool down) and at 00:15 will check again utilization and, as it is still above 80%, it will add another instance.
upvoted 9 times

  aksuxin 1 week, 1 day ago

Unfortunately, the correct answer is embedded here and nobody would notice.
upvoted 1 times

  NItesh 3 months, 3 weeks ago

I think the answer should be 2 and 5 minutes.
Explanation of point 2:
Suppose Matrix data pooling start at 2AM. This will fetch data from 1:50 AM to 2:00AM to check the average in last 10 minutes. If the condition
matches, scale out will happen.
So the first scale happened on 2:00AM
Now since we have cool down period. It will wait till 2:05 AM before it scan the matrix data again to verify scale condition. Now the data which will
be fetched would be from 1:55 AM to 2:05AM. If the avg CPU is till higher, then again the second scale will happen. which will result in second scale
up.
so second scale up would be at 2:05AM.
This gives a
minimum duration between 2 scales = 5 minutes
upvoted 3 times

  RougePotatoe 3 months, 3 weeks ago

Bruh according to that logic, without cool down configured then VMs will scale until it hits the cap without pausing because it has collected the
data from 10 minutes ago. Which is simply ridiculous. The scale out rule is pretty simple... You need usage of 70% or higher lasting for at least
10 minutes. The cool down runs parallel to the rule and it only prevents another scale out for 5 minutes after the last scale out.
upvoted 3 times

  Stevy_nash 4 months ago

If you have an auto-scaling rule configured with a scale-out duration of 10 minutes and a cool-down period of 5 minutes, then the minimum time
before an additional instance will be created is 15 minutes.

Here's how it works:

When the auto-scaling rule is triggered, it will initiate the scale-out process and create a new instance.
Once the new instance is created, the cool-down period of 5 minutes starts. During this period, the auto-scaling system will not initiate any further
scale-out operations, even if the triggering conditions are still met.
After the cool-down period of 5 minutes has passed, the auto-scaling system will start monitoring the triggering conditions again.
If the triggering conditions are still met, the auto-scaling system will initiate another scale-out operation, creating a new instance.
So, in total, the minimum time between two scale-out operations is 10 minutes (scale-out duration) + 5 minutes (cool-down period) = 15 minutes.
upvoted 3 times

  Spooky7 2 months, 2 weeks ago

No, that's now how it works! Why would you have 2 separate values (cooldown and duration) if they would do almost same thing? The only
thing which prevents from scaling out/in to quickly is cooldown. Duration is just a data range to build your metric on. So first scale in/out
operation may happen not sooner than duration value (because you need a data set), but each next one can happen after cooldown period (so
every 5 minutes in this example) and that's what cooldown is for
upvoted 2 times

  ChakaZilly 4 months, 2 weeks ago

2,
10: After cool-down period the scale-out is evaluated using all available metrics since last scale-out
upvoted 3 times

  AbleApe 5 months ago

Initial instance is 1 (default instance). After 10 min instance is increased by 1. 5 min cool down time. Leaves us with 2 instances.

After 2nd instance is created (t+10 min NOT 15), we have a 5 min cool down, then another 10 min of high usage will yield another instance. 15 min
total.
upvoted 4 times

  Alex2022_31 5 months, 1 week ago

Correct Answers
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 235/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 2 times
  sandorh 5 months, 1 week ago
How is 2 and 15 the answers? Shouldn't it be 4 and 10??
upvoted 1 times

  FabrityDev 5 months, 1 week ago

sss123412 explained it very well
upvoted 2 times

  zellck 4 months, 1 week ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 236/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #88 Topic 4

You have an Azure subscription.

You plan to deploy the Azure container instances shown in the following table.

Which instances can you deploy to a container group?

A. Instance1 only

B. Instance2 only

C. Instance1 and Instance2 only

D. Instance3 and Instance4 only

Correct Answer: C

Community vote distribution

D (92%) 8%

  Notteb Highly Voted  4 months, 3 weeks ago

Selected Answer: D
Answer is D.
https://learn.microsoft.com/en-us/azure/container-instances/container-instances-container-groups
Multi-container groups currently support only Linux containers. For Windows containers, Azure Container Instances only supports deployment of a
single container instance. While we are working to bring all features to Windows containers, you can find current platform differences in the service
upvoted 24 times

  Mebyxu Most Recent  3 months ago

Selected Answer: C
https://learn.microsoft.com/en-us/azure/container-instances/container-instances-overview#linux-and-windows-containers
upvoted 3 times

  vldt 1 month, 3 weeks ago

actually the link you have provided is supporting the D option, not C:
"Some features are currently restricted to Linux containers: Multiple containers per container group"
upvoted 1 times

  kilobaik 3 months, 2 weeks ago

Selected Answer: D
Multi-container groups currently support only Linux containers. For Windows containers, Azure Container Instances only supports deployment of a
single container instance. While we are working to bring all features to Windows containers, you can find current platform differences in the service
upvoted 2 times

  zellck 4 months, 1 week ago

Selected Answer: D
D is the answer.

https://learn.microsoft.com/en-us/azure/container-instances/container-instances-container-groups#what-is-a-container-group
Multi-container groups currently support only Linux containers. For Windows containers, Azure Container Instances only supports deployment of a
single container instance.
upvoted 3 times

  DeBoer 4 months, 1 week ago

Selected Answer: D
Since the question states "... deploy to a container group?" I'd also go for D here
upvoted 2 times

  equipowindows 4 months, 3 weeks ago

Answer is C, is a single container (just Windows), not a multigroup container (just linux).
Multi-container groups currently support only Linux containers.
For Windows containers, Azure Container Instances only supports deployment of a single container instance.
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 237/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 1 times

  Notteb 4 months, 2 weeks ago

so...D then, if we're following your explanation
upvoted 2 times

  moshos 4 months, 3 weeks ago

Selected Answer: D
Correct answer:D
upvoted 3 times

  Henryjb3 4 months, 3 weeks ago

Answer is D.
https://learn.microsoft.com/en-us/azure/container-instances/container-instances-container-groups
Multi-container groups currently support only Linux containers. For Windows containers, Azure Container Instances only supports deployment of a
single container instance. While we are working to bring all features to Windows containers, you can find current platform differences in the service
upvoted 3 times

  AzureJobsTillRetire 4 months, 4 weeks ago

I agree. I think there is no docker image for core service installation of windows server 2019
upvoted 1 times

  DeBoer 4 months, 1 week ago

yes - there is a core image (ltsc2019): https://learn.microsoft.com/en-us/virtualization/windowscontainers/manage-containers/container-base-
images
upvoted 1 times

  uise 4 months, 4 weeks ago

I think the correct answer is D
upvoted 3 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 238/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #89 Topic 4

You plan to deploy several Azure virtual machines that will run Windows Server 2019 in a virtual machine scale set by using an Azure Resource
Manager template.

You need to ensure that NGINX is available on all the virtual machines after they are deployed.

What should you use?

A. Azure Custom Script Extension

B. Deployment Center in Azure App Service

C. the New-AzConfigurationAssignment cmdlet

D. Azure AD Application Proxy

Correct Answer: A

Community vote distribution

A (100%)

  thelukas1997 Highly Voted  4 months ago

Key word 'NGINX' always will be '...extension'. It was in all of this questions.
upvoted 6 times

  zellck Most Recent  4 months, 1 week ago

Selected Answer: A
A is the answer.

  Tim_May_88 4 months, 2 weeks ago

I have seen this question no less than 3 times in the different question sets. Please, remove the duplicates.
upvoted 2 times

  Ashfaque_9x 4 months, 2 weeks ago

Selected Answer: A
A. Azure Custom Script Extension
upvoted 1 times

  Notteb 4 months, 3 weeks ago

Selected Answer: A
This question comes up maybe 4 times in this dump, answer is still A
upvoted 4 times

  GeoPoi 4 months, 4 weeks ago

Selected Answer: A
As per previous questions, look for the extension key in the answer
upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 239/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #90 Topic 4

You have an Azure subscription that has the public IP addresses shown in the following table.

You plan to deploy an Instance of Azure Firewall Premium named FW1.

Which IP addresses can you use?

A. IP2 only

B. IP1 and IP2 only

C. IP1, IP2, and IP5 only

D. IP1, IP2, IP4, and IP5 only

Correct Answer: D

Community vote distribution

B (88%) 12%

  zellck Highly Voted  4 months ago

Selected Answer: B
B should be the correct answer instead.

https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/public-ip-addresses#at-a-glance
Azure Firewall
- Dynamic IPv4: No
- Static IPv4: Yes
- Dynamic IPv6: No
- Static IPv6: No

https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/configure-public-ip-firewall
Azure Firewall is a cloud-based network security service that protects your Azure Virtual Network resources. Azure Firewall requires at least one
public static IP address to be configured. This IP or set of IPs are used as the external connection point to the firewall. Azure Firewall supports
standard SKU public IP addresses. Basic SKU public IP address and public IP prefixes aren't supported.
upvoted 29 times

  ericZX Most Recent  1 month, 2 weeks ago

Selected Answer: B
Azure Firewall doesn't currently support IPv6. It can operate in a dual stack VNet using only IPv4, but the firewall subnet must be IPv4-only.
upvoted 4 times

  hfk2020 1 month, 4 weeks ago

Answer is C
When deploying an Azure Firewall Premium instance, you can choose from two types of public IP addresses: Standard SKU and Global SKU.

The Standard SKU public IP address is assigned to a specific region and can be used for Azure Firewall instances deployed within that region only.

The Global SKU public IP address, as the name suggests, is a globally unique IP address that can be used for Azure Firewall instances deployed in
any region around the world.

In general, if you plan to deploy Azure Firewall instances in multiple regions, it is recommended to use the Global SKU. However, if you only plan to
deploy Azure Firewall instances in a single region, the Standard SKU may be more cost-effective.
upvoted 2 times

  mscert2023 3 months ago

Selected Answer: B
B = C - IPv6
https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/ipv6-overview
upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 240/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  AzureMasterChamp 3 months, 1 week ago

Answer should be "IP1, IP2, and IP5" as Azure firewall supports standard SKU, static public IP addresses.
upvoted 1 times

  amiray 3 months, 1 week ago

IP5 is in IPv6 Static which isn't supported link bellow date of 08 Feb 2023
https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/public-ip-addresses#at-a-glance
upvoted 3 times

  kilobaik 3 months, 2 weeks ago

Selected Answer: B
Azure Firewall supports standard SKU public static IPv4 addresses.

https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/public-ip-addresses#at-a-glance
https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/configure-public-ip-firewall
upvoted 3 times

  ktrfrnd26 3 months, 3 weeks ago

IPv6 not currently supported If you add an IPv6 address to a rule, the firewall fails. Use only IPv4 addresses. IPv6 support is under investigation.
https://learn.microsoft.com/en-us/azure/firewall/overview
upvoted 3 times

  skydivex 4 months ago

B is the correct answer…… Firewall supports only IPv4, Standard and Static
upvoted 4 times

  keszi 4 months ago

https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/ipv6-overview
Azure Firewall doesn't currently support IPv6. It can operate in a dual stack VNet using only IPv4, but the firewall subnet must be IPv4-only.
upvoted 1 times

  infinity1989 4 months ago

C as it requires public static and stand sku ip address.
upvoted 1 times

  infinity1989 4 months ago

Answer should be B as it does not support IPv6
upvoted 2 times

  lkjsatlwjwwge 4 months ago

Selected Answer: B
Just to change the most voted answer which now shows as C. r3nenge explains why B is the answer.
upvoted 4 times

  GBAU 4 months ago

Selected Answer: B
Answer: B. IP1 and IP2 only

Azure Firewall Front-end configuration currently only supports Static IPv4

Tier is not important in this question.

https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/public-ip-addresses#at-a-glance
upvoted 3 times

  zellck 4 months ago

Selected Answer: C
C is the answer.

  zellck 4 months ago

B should be the correct answer instead.

https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/public-ip-addresses#at-a-glance
Azure Firewall
- Dynamic IPv4: No
- Static IPv4: Yes
- Dynamic IPv6: No
- Static IPv6: No

https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/configure-public-ip-firewall
Azure Firewall is a cloud-based network security service that protects your Azure Virtual Network resources. Azure Firewall requires at least one
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 241/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

public static IP address to be configured. This IP or set of IPs are used as the external connection point to the firewall. Azure Firewall supports
standard SKU public IP addresses. Basic SKU public IP address and public IP prefixes aren't supported.
upvoted 2 times
  Texas_Tigger 4 months ago
Given the link that cofx provided the only right answer would be IP1, IP2, and IP4 but that is not an option so I would default to B because IPV6 is
not supported based on the table in the link
upvoted 1 times

  elior19940 4 months ago

why 1pv6 is not supported?
upvoted 1 times

  sd9876 4 months ago

Need Public IP with static option. Standard SKU. So IP1, IP2, and IP5 only
https://learn.microsoft.com/en-us/azure/firewall/quick-create-multiple-ip-template
upvoted 1 times

  sd9876 4 months ago

Need Public IP with static option
https://learn.microsoft.com/en-us/azure/firewall/quick-create-multiple-ip-template
upvoted 1 times

  biscaldis 4 months ago

Selected Answer: C
1, 2, 5

"Azure Firewall is a cloud-based network security service that protects your Azure Virtual Network resources. Azure Firewall requires at least one
public static IP address to be configured. This IP or set of IPs are used as the external connection point to the firewall. Azure Firewall supports
standard SKU public IP addresses. Basic SKU public IP address and public IP prefixes aren't supported."

https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/configure-public-ip-firewall
upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 242/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #91 Topic 4

HOTSPOT
-

You have an Azure subscription.

You need to deploy a virtual machine by using an Azure Resource Manager (ARM) template.

How should you complete the template? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Correct Answer:

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 243/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  crymo99 Highly Voted  1 month, 1 week ago

- dependsON: resoureceID
- storageProfile: ImageReference

ref: https://learn.microsoft.com/en-us/azure/virtual-machines/windows/ps-template
upvoted 14 times

  chiquito Most Recent  1 month ago

- dependsON: resoureceID
- storageProfile: ImageReference
Reference :
https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/resource-dependency#dependson
https://learn.microsoft.com/en-us/javascript/api/@azure/arm-compute/storageprofile?view=azure-node-latest
upvoted 3 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 244/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Topic 5 - Question Set 5

Question #1 Topic 5

HOTSPOT -
You have an Azure subscription named Sub1.
You plan to deploy a multi-tiered application that will contain the tiers shown in the following table.

You need to recommend a networking solution to meet the following requirements:

✑ Ensure that communication between the web servers and the business logic tier spreads equally across the virtual machines.
✑ Protect the web servers from SQL injection attacks.
Which Azure resource should you recommend for each requirement? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

Box 1: an internal load balancer

Azure Internal Load Balancer (ILB) provides network load balancing between virtual machines that reside inside a cloud service or a virtual
network with a regional scope.
Box 2: an application gateway that uses the WAF tier
Azure Web Application Firewall (WAF) on Azure Application Gateway provides centralized protection of your web applications from common

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 245/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

exploits and vulnerabilities. Web applications are increasingly targeted by malicious attacks that exploit commonly known vulnerabilities.
Reference:
https://docs.microsoft.com/en-us/azure/web-application-firewall/ag/ag-overview

  mlantonis Highly Voted  2 years ago

Correct Answer:

Box 1: an internal load balancer

Azure Internal Load Balancer (ILB) provides network load balancing between virtual machines that reside inside a cloud service or a virtual network
with a regional scope.

Box 2: an application gateway that uses the WAF tier

Azure Web Application Firewall (WAF) on Azure Application Gateway provides centralized protection of your web applications from common
exploits and vulnerabilities. Web applications are increasingly targeted by malicious attacks that exploit commonly known vulnerabilities.
Application gateway which uses WAF tier.
upvoted 130 times

  zvasanth2 1 year, 9 months ago

Azure Web Application Firewall (WAF) on Azure Application Gateway provides centralized protection of your web applications from common
exploits and vulnerabilities. Web applications are increasingly targeted by malicious attacks that exploit commonly known vulnerabilities. SQL
injection and cross-site scripting are among the most common attacks
upvoted 6 times

  fedztedz Highly Voted  2 years, 5 months ago

Answer is correct.
- Internal Load Balancer. check the example in https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-overview
- Application gateway which uses WAF tier.
upvoted 59 times

  Georges_Hawat_2000 Most Recent  2 months ago

But doesn’t the application gateway provide some load balancing features?
upvoted 1 times

  Ashfaque_9x 4 months, 2 weeks ago

Passed today on 29Jan23 with a score of 970. This question was in the exam.
Correct Answer:
Box 1: an internal load balancer
Box 2: an application gateway that uses the WAF tier
upvoted 6 times

  EmnCours 9 months, 3 weeks ago

Given Answer is correct
upvoted 1 times

  Lazylinux 11 months, 3 weeks ago

Given Answer is correct
Answer is correct.

- Internal Load Balancer

- Application gateway which uses WAF tier.
Web Application Firewall (WAF)

Provides centralized protection of your web applications from common exploits and vulnerabilities. Web applications are increasingly targeted by
malicious attacks that exploit commonly known vulnerabilities. SQL injection and cross-site scripting are among the most common attacks. A WAF
solution can react to a security threat faster by centrally patching a known vulnerability, instead of securing each individual web application. WAF
can be deployed with Azure Application Gateway, Azure Front Door, and Azure Content Delivery Network (CDN) service from Microsoft. WAF on
Azure CDN is currently under public preview. WAF has features that are customized for each specific service. For more information about WAF
features for each service, see the overview for each service.
upvoted 4 times

  Lazylinux 11 months, 3 weeks ago

Protects against malicious attacks such as:
*SQL Injection
*Cross-site scripting
*Broken Authentication
*Sensitive data exposure
*XML External entities
*Broken Access control
*Security misconfiguration
*Insecure deserialization
*Vulnerable components
*Insufficient logging
More info here:
https://docs.microsoft.com/en-us/azure/web-application-firewall/ag/ag-overview
upvoted 4 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 246/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  InvisibleShadow 1 year, 3 months ago

This question came in the exam today 8/Mar/2022.
I passed the exam, 95% questions came from here.
upvoted 2 times

  nidhogg 1 year, 4 months ago

On the exam today, 1.feb.2022
Just 761/1000, but OK! :D
Thanks to ExamTopics and to you all!
upvoted 3 times

  im82 1 year, 6 months ago

Was on exam today 19.11.2021. Passed with 920.
Correct answer:
- Internal Load Balancer
- Application gateway which uses WAF tier
upvoted 10 times

  AubinBakana 1 year, 9 months ago

This one is super tough. I have not worked with Logic Apps that much, so I had to do some research here. But it's pretty interesting.
upvoted 1 times

  AubinBakana 1 year, 9 months ago

correct answer
upvoted 1 times

  achmadirvanp 1 year, 11 months ago

Answer is correct, Appear On Exam July 1 2021
upvoted 5 times

  inemumoren 1 year, 11 months ago

Answer is correct.
An internal load balancer to spread the traffic and
an application gateway with WAF tier to prevent malicious attacks.
upvoted 1 times

  ScreamingHand 1 year, 12 months ago

Always nice to see a straight forward question
upvoted 5 times

  ZUMY 2 years, 3 months ago

- for RG1, nothing is changed as the policy is only applied on resources not resource groups. So, the answer is tag1: value1
- for storage account, the policy is applied as a new resource is created. Also, nothing mentioned about inheritance from RG. accordingly, the
answer is tag2:value2 from policy1 and tag3: value3 as applied directly.
upvoted 4 times

  AlexLiourtas 2 years, 2 months ago

what the...?
upvoted 6 times

  3abmula 2 years, 1 month ago

Might be a correct answer, but to the wrong question :D
upvoted 9 times

  Santy7 1 year, 10 months ago

ha ha ha
upvoted 2 times

  ZUMY 2 years, 3 months ago

  toniiv 2 years, 3 months ago

Answers and explanations are correct.
upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 247/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #2 Topic 5

Your company has three offices. The offices are located in Miami, Los Angeles, and New York. Each office contains datacenter.
You have an Azure subscription that contains resources in the East US and West US Azure regions. Each region contains a virtual network. The
virtual networks are peered.
You need to connect the datacenters to the subscription. The solution must minimize network latency between the datacenters.
What should you create?

A. three Azure Application Gateways and one On-premises data gateway

B. three virtual hubs and one virtual WAN

C. three virtual WANs and one virtual hub

D. three On-premises data gateways and one Azure Application Gateway

Correct Answer: C
Reference:
https://docs.microsoft.com/en-us/azure/virtual-wan/virtual-wan-about

Community vote distribution

B (86%) 14%

  mlantonis Highly Voted  2 years ago

Correct Answer: C

There can only be one hub per Azure region.

It should be 2 Virtual Hubs and 1 WAN.
Since we have just two region, it may be impossible to have 3 hubs.

Reference:
https://docs.microsoft.com/en-us/azure/virtual-wan/virtual-wan-about
upvoted 68 times

  Milan1988 3 months ago

you are right.
three virtual hubs and one virtual WAN) would also not be the best solution as it would require multiple virtual hubs to be set up, which would
again add complexity to the network architecture.
upvoted 1 times

  usamnkkid 3 months ago

No you are wrong you can create two hubs in the same region. tested in lab created two hubs in central India.
upvoted 2 times

  alejox96 4 months, 2 weeks ago

This time you were wrong friend, 100% sure, this question came up in a Cloudlabs mock exam, Correct answer: B.
upvoted 4 times

  rupayan87 6 months, 4 weeks ago

agree, as a matter of fact we create a WAN first and then create HUBs under it. So the ideal answer will be 2 hubs and 1 wan but here we have
option 3 hubs 1 wan so that is the closest right
upvoted 1 times

  zeal0 Highly Voted  2 years, 9 months ago

They're all wrong because the question says there are 2 Azure regions, and the below documentation says each region only has a single hub...
Should be 2 hubs and one WAN.
https://docs.microsoft.com/en-us/azure/virtual-wan/virtual-wan-about

"Hub: A virtual hub is a Microsoft-managed virtual network. The hub contains various service endpoints to enable connectivity. From your on-
premises network (vpnsite), you can connect to a VPN Gateway inside the virtual hub, connect ExpressRoute circuits to a virtual hub, or even
connect mobile users to a Point-to-site gateway in the virtual hub. The hub is the core of your network in a region. There can only be one hub per
Azure region."
upvoted 49 times

  PriyankaSmriti 5 months, 2 weeks ago

Microsoft has removed the limitation of having only 1 hub per region.
"A virtual hub is a Microsoft-managed virtual network. The hub contains various service endpoints to enable connectivity. From your on-
premises network (vpnsite), you can connect to a VPN gateway inside the virtual hub, connect ExpressRoute circuits to a virtual hub, or even
connect mobile users to a point-to-site gateway in the virtual hub. The hub is the core of your network in a region. Multiple virtual hubs can be
created in the same region."

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 248/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Reference - https://learn.microsoft.com/en-us/azure/virtual-wan/virtual-wan-about
upvoted 10 times
  marcellov 2 years, 1 month ago
Agree. In the link below there is a very good architecture that shows almost the same example as in the question, and we can see 1 virtual WAN
and 2 hubs:
https://docs.microsoft.com/en-us/azure/virtual-wan/migrate-from-hub-spoke-topology#architecture
The closest answer would be 'B', 3 hubs and 1 WAN. Even if we don´t have 3 regions being used, we can still create 3 hubs in 3 different regions.
upvoted 20 times

  imartinez 1 year, 9 months ago

They are rigth,
The question mentions than regions are peered, so you just need to connect one region to the hub.
"Each region contains a virtual network. The virtual networks are peered"
upvoted 7 times

  rusll 2 years, 6 months ago

agree with you
upvoted 2 times

  Rwj Most Recent  1 month ago

On Exam, 04/22/2023
upvoted 2 times

  Exilic 1 month, 2 weeks ago

Selected Answer: B
OpenAI

"The best solution to connect the three datacenters to the Azure subscription while minimizing network latency is to use a virtual WAN with three
virtual hubs, one for each datacenter. This would allow for centralized management of the network and optimized routing between the virtual
networks in the East and West Azure regions. Option B, "three virtual hubs and one virtual WAN," is the correct choice for this scenario."
upvoted 1 times

  Durden871 3 months ago

From Udemy:
Explanation
A virtual hub is a Microsoft-managed virtual network. The hub contains various service endpoints to enable connectivity. From your on-premises
network (vpnsite), you can connect to a VPN Gateway inside the virtual hub, connect ExpressRoute circuits to a virtual hub, or even connect mobile
users to a Point-to-site gateway in the virtual hub. The hub is the core of your network in a region. There can only be one hub per Azure region.

The virtualWAN resource represents a virtual overlay of your Azure network and is a collection of multiple resources. It contains links to all your
virtual hubs that you would like to have within the virtual WAN. Virtual WAN resources are isolated from each other and cannot contain a common
hub. Virtual hubs across Virtual WAN do not communicate with each other.

There are two regions in this question, so two virtual hubs and one virtual WAN.

https://docs.microsoft.com/en-us/azure/virtual-wan/virtual-wan-about
upvoted 1 times

  usamnkkid 3 months ago

Selected Answer: B
B is correct
upvoted 1 times

  msingh20 3 months, 1 week ago

Selected Answer: B
B:

"Hub: A virtual hub is a Microsoft-managed virtual network. The hub contains various service endpoints to enable connectivity. From your on-
premises network (vpnsite), you can connect to a VPN gateway inside the virtual hub, connect ExpressRoute circuits to a virtual hub, or even
connect mobile users to a point-to-site gateway in the virtual hub. The hub is the core of your network in a region. Multiple virtual hubs can be
created in the same region."
https://learn.microsoft.com/en-us/azure/virtual-wan/virtual-wan-about
upvoted 1 times

  AzureMasterChamp 3 months, 1 week ago

Should be: B
upvoted 1 times

  Nyll 3 months, 2 weeks ago

Selected Answer: B

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 249/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

When multiple hubs are enabled in a single virtual WAN, the hubs are automatically interconnected via hub-to-hub links, thus enabling global
connectivity between branches and Vnets that are distributed across multiple regions.

Reference:
https://learn.microsoft.com/en-us/azure/virtual-wan/virtual-wan-global-transit-network-architecture
upvoted 2 times
  skydivex 4 months ago
Correct Answer: C
There can only be one hub per Azure region. The best answer would have been two virtual hubs and 3 virtual WANs, one per each data center.
https://www.azure-heros.com/blog/azure-virtual-wan-
network#:~:text=There%20can%20only%20be%20one,for%20ExpressRoute%20and%20VPN%20Gateway.
upvoted 2 times

  zellck 4 months ago

Selected Answer: B
B is the answer.

https://learn.microsoft.com/en-us/azure/virtual-wan/virtual-wan-about#resources
Virtual WAN: The virtualWAN resource represents a virtual overlay of your Azure network and is a collection of multiple resources. It contains links
to all your virtual hubs that you would like to have within the virtual WAN. Virtual WANs are isolated from each other and can't contain a common
hub. Virtual hubs in different virtual WANs don't communicate with each other.

https://learn.microsoft.com/en-us/azure/virtual-wan/virtual-wan-about#transit-vnet
Virtual WAN allows transit connectivity between VNets. VNets connect to a virtual hub via a virtual network connection. Transit connectivity
between the VNets in Standard Virtual WAN is enabled due to the presence of a router in every virtual hub. This router is instantiated when the
virtual hub is first created.
upvoted 1 times

  SedateBloggs 4 months ago

Answer B. Ignore the very old comments (dating back 2 years). I have designed this before in production. 1 vWAN and multiple hubs.
https://learn.microsoft.com/en-us/azure/virtual-wan/virtual-wan-about
upvoted 2 times

  Stevy_nash 4 months ago

Selected Answer: B
The correct answer is B. three virtual hubs and one virtual WAN.

A Virtual WAN is a networking service that enables you to connect your on-premises infrastructure to Azure over a secure, encrypted connection.
With a virtual WAN, you can create hub-spoke network topologies to route network traffic between multiple sites, such as remote offices, branches,
and data centers, over a single connection.

Each datacenter can be connected to a virtual hub in the nearest Azure region to minimize network latency. The virtual hubs can then be connected
to the virtual WAN to create a single, secure connection between the datacenters and the Azure subscription.

Azure Application Gateways and On-premises data gateways are used for different purposes and do not minimize network latency between
datacenters.
upvoted 1 times

  khaled_razouk 5 months, 1 week ago

Selected Answer: C
The correct answer is C: three virtual WANs and one virtual hub.

Virtual WAN (wide area network) is a networking service that simplifies the creation and management of branch-to-branch network connections. It
provides a high-bandwidth, low-latency network connection between multiple locations, such as datacenters, remote offices, and cloud resources.
By creating three virtual WANs in the East US and West US regions and peering them with the virtual networks in the subscription, you can
minimize network latency between the datacenters and the subscription
upvoted 3 times

  khaled_razouk 5 months, 1 week ago

Selected Answer: C
There can only be one hub per Azure region.
upvoted 1 times

  spike15_mk 6 months, 1 week ago

Selected Answer: B
For example, a branch office in an Azure region in the UK can connect to a region in the USA. They connect using hub-to-hub connectivity through
the Azure global network.
In a single virtual WAN that spans multiple regions, with multiple hubs deployed, the hubs are automatically interconnected by hub-to-hub links.
These interconnections enable the global connectivity to branches and virtual networks.
upvoted 2 times

  spike15_mk 6 months, 1 week ago

Correct Answer is B
For example, a branch office in an Azure region in the UK can connect to a region in the USA. They connect using hub-to-hub connectivity through
the Azure global network.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 250/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

In a single virtual WAN that spans multiple regions, with multiple hubs deployed, the hubs are automatically interconnected by hub-to-hub links.
These interconnections enable the global connectivity to branches and virtual networks.
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 251/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #3 Topic 5

HOTSPOT -
You plan to deploy five virtual machines to a virtual network subnet.
Each virtual machine will have a public IP address and a private IP address.
Each virtual machine requires the same inbound and outbound security rules.
What is the minimum number of network interfaces and network security groups that you require? To answer, select the appropriate options in the
answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

Box 1: 5 -
A public and a private IP address can be assigned to a single network interface.

Box 2: 1 -
You can associate zero, or one, network security group to each virtual network subnet and network interface in a virtual machine. The same
network security group can be associated to as many subnets and network interfaces as you choose.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface-addresses

  fedztedz Highly Voted  2 years, 5 months ago

Answer should be : 5 Network interfaces and 1 Network security group
upvoted 101 times

  Rain_walker_6ix 1 year ago

Nice !
upvoted 2 times

  mlantonis Highly Voted  2 years ago

Box 1: 5
A public and a private IP address can be assigned to a single network interface.
By default a NIC is associated to one IP address. Anyway nothing prevents a NIC to have MORE THAN ONE IP address. So to the VM's NIC, you can

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 252/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

associate the public and the private IP at the same time. You are not forced to have one NIC for the public IP and one NIC for the private IP.

Box 2: 1
You can associate zero, or one, network security group to each virtual network subnet and network interface in a virtual machine. The same
network security group can be associated to as many subnets and network interfaces as you choose.

Reference:

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface-addresses
upvoted 78 times
  shadad Most Recent  3 months, 1 week ago
I took Exam of Azure- 104 at 27/2/2023
I score 920 points out of 1000 points. This was on it and my answer was:
Box 1: 5
Box 2: 1
upvoted 2 times

  Bigc0ck 5 months, 1 week ago

on the test, easiest question
upvoted 1 times

  SumanSaurabh 6 months ago

I know Mlantonis is giving best answer with detail explanation but this guy fedztedz is also good and giving correct answers in most of the
question. You both are amazing :)
upvoted 2 times

  fabras 7 months, 2 weeks ago

nic 5
nsg 1
correct answer
upvoted 3 times

  mercuryit 8 months, 1 week ago

Correct answer
nic 5
nsg 1
upvoted 1 times

  EmnCours 9 months, 3 weeks ago

Given answer is correct.
Both Private and Public IP addresses can be assigned to a virtual machine's network interface controller (NIC)
upvoted 1 times

  Lazylinux 11 months, 4 weeks ago

Given answer is correct
upvoted 1 times

  [Removed] 1 year, 6 months ago

Was on exam dated 15/11/2021
upvoted 3 times

  ScoutP 1 year, 8 months ago

This question was asked on exam taken on Sept 30, 2021
upvoted 2 times

  joydeep1 1 year, 12 months ago

Answers correct. Ques was in exam today.
upvoted 5 times

  KenDo 2 years, 1 month ago

This is more of an English test than a technical question!
upvoted 4 times

  aboelnaga 2 years, 1 month ago

the answer should be 10 Network interfaces and 1 network security group
upvoted 1 times

  3abmula 2 years, 1 month ago

You can test deploy a VM with both private and public IP address and you'll figure that out. It only requires 1 NIC to have private and public IP
address.
upvoted 1 times

  JimBobSquare101 1 year, 10 months ago

Lol...where do you get the amount of 10 NI's from?
upvoted 2 times
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 253/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  ASIMIS 1 year, 11 months ago

With all due respect, Please stop giving answers for the sake of posting on the chat, you are misleading people to fail. You clearly just guessed
without even research or testing it yourself. Its better to keep quiet, and I dont mean this out of dis but please respect peoples time and stop
posting just for fun.
upvoted 8 times

  ZetaZeti 2 years, 2 months ago

5-1

By default a NIC is associated to one IP address. Anyway nothing prevents a NIC to have MORE THAN ONE IP address. So to the VM's NIC, you can
associate the public and the private IP at the same time. You are not forced to have one NIC for the public IP and one NIC for the private IP. So 5
NICs.
https://www.loadtestingtool.com/help/how-setup-ip.shtml

Since the five VMs require the same rules you can define just one NSG and apply that SAME NSG to the 5 NICs. So 1 NSG.
https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works
upvoted 4 times

  allray15 2 years, 2 months ago

Are these guys purposely higlithing the incorrect answers??
upvoted 5 times

  ASIMIS 1 year, 11 months ago

This is exactly what i mean. People have nothing better to do, its very childish and selfish. This is meant to help people not to confuse and
mislead.
upvoted 1 times

  mg 2 years, 3 months ago

5 NIC
1 NSG
upvoted 3 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 254/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #4 Topic 5

You have an Azure subscription that contains the resources shown in the following table.

LB1 is configured as shown in the following table.

You plan to create new inbound NAT rules that meet the following requirements:
✑ Provide Remote Desktop access to VM1 from the internet by using port 3389.
✑ Provide Remote Desktop access to VM2 from the internet by using port 3389.
What should you create on LB1 before you can create the new inbound NAT rules?

A. a frontend IP address

B. a load balancing rule

C. a health probe

D. a backend pool

Correct Answer: A

Community vote distribution

A (70%) B (30%)

  Mercator Highly Voted  1 year, 10 months ago

I think the answer is correct. Key is port 3389 from the internet for both VMs. If we want to connect to two different machines on the same port we
need to have two different frontend IPs for the port forwarding.
upvoted 58 times

  lebowski 9 months, 1 week ago

That's right, you need to know the specific IP address of the VM, otherwise, you will randomly access any VM in the LB. It is A
upvoted 3 times

  Vlako Highly Voted  1 year, 11 months ago

This does not make sense. On existing LB, you can create NAT rule right away. The frontend IP address is already there.
Imho maybe B is right, you need to set the load balancing rule for port 3389.
upvoted 35 times

  joergsi 1 year, 5 months ago

Yes, the LB has one public IP assigned, but this is used for the Web-Server (Port 80 is in use), now we are adding a new service on port 3389
which needs a dedicated external IP.
upvoted 2 times

  kmaneith 7 months, 1 week ago

impossible
IP1:3389 -> vm1:3389
IP1:3389 -> vm2:3389 ???

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 255/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

possible
IP1:3389 -> vm1:3389
IP2:3389 -> vm2:3389
or
IP1:3389 -> vm1:3389
IP1:3388 -> vm2:3389
upvoted 4 times

  mung 6 months, 3 weeks ago

Load balancer has a feature called 'Floating IP' that enables to reuse the backend ports with same Loadbalancer's FronendIP.
So you are wrong.
upvoted 1 times

  kmaneith 7 months, 1 week ago

https://learn.microsoft.com/en-us/azure/load-balancer/manage-inbound-nat-rules?tabs=inbound-nat-rule-portal
upvoted 1 times

  awssecuritynewbie 8 months, 4 weeks ago

it does not make sense they have listed the Fronted IP address as being "public" so it is there why we need it again.
upvoted 1 times

  fazedenk 1 year, 11 months ago

Wouldn't you need a health probe first before defining a load balancing rule?
upvoted 3 times

  fazedenk 1 year, 11 months ago

You can try this out yourself; when creating a new load balancing rule; you have to add a health probe inside the rule. Unless you are going
to re-use the port 80 health probe which doesnt make sense.
upvoted 3 times

  Rick2022 Most Recent  6 days, 13 hours ago

Answer is B Tested.
You can use the same public ip with 2 rules balancing different ports for the same backend pool.
upvoted 1 times

  Exilic 1 month, 2 weeks ago

Selected Answer: A
OpenAI

"Before creating the new inbound NAT rules, you need to create a frontend IP address on LB1. The frontend IP address will be used to map the
incoming traffic to the backend pool and backend VMs. Once you have created the frontend IP address, you can then create the new inbound NAT
rules for port 3389 to provide Remote Desktop access to VM1 and VM2 from the internet.

So the correct answer is A. a frontend IP address."

upvoted 2 times

  margotfrpp 1 month, 3 weeks ago

Selected Answer: B
90% sure
upvoted 1 times

  dennysheng 1 month, 3 weeks ago

Weird question. What is the topic exactly willing to ask? Access RDP via LB? Attach LB a Public IP first? Whats is the point???
upvoted 1 times

  hfk2020 1 month, 4 weeks ago

Before you can create the new inbound NAT rules to provide Remote Desktop access to VM1 and VM2, you need to create a frontend IP address
on LB1. Therefore, the answer is option A.

A frontend IP address is required to receive traffic from the internet and map it to the appropriate backend pool and VMs. After you create the
frontend IP address, you can create the inbound NAT rules to provide Remote Desktop access to VM1 and VM2 on port 3389.
upvoted 1 times

  FlowerChoc1 2 months ago

Cleared the exam on 04/12/2023. This question came and my answer was A.
upvoted 2 times

  vbohr899 3 months, 2 weeks ago

Cleared Exam today 26 Feb, This question was there in exam.
upvoted 5 times

  CyberKelev 3 months, 2 weeks ago

Selected Answer: A
Before creating new inbound NAT rules on LB1, you need to create a frontend IP address.
Creating a frontend IP address is necessary because it is the public IP address that external clients use to connect to the load balancer. Without a
frontend IP address, the load balancer cannot receive incoming traffic from the internet.
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 256/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

To enable Remote Desktop access to VM1 and VM2 from the internet using port 3389, you need to create two new inbound NAT rules on LB1. Each
NAT rule maps an external port on the frontend IP address to an internal port on a specific virtual machine's IP address and port number.
Therefore, you need to create a frontend IP address first so that the NAT rules can use it to receive external traffic.
upvoted 3 times
  msingh20 3 months, 4 weeks ago
Selected Answer: A
A: We can setup a floating IP for the frontend.

"If you want to reuse the backend port across multiple rules, you must enable Floating IP in the rule definition.When Floating IP is enabled, Azure
changes the IP address mapping to the Frontend IP address of the Load Balancer frontend instead of backend instance's IP."

https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-floating-ip
upvoted 2 times

  morito 3 months ago

Are you certain? The way I understand it, floating IPs are great if the backend pool is full of servers that provide the same service. But what if
you want to explictly connect to either one of the hosts for management? Floating IP will just drop you on a random host, will it not?
upvoted 1 times

  zellck 4 months ago

Selected Answer: A
A is the answer.

https://learn.microsoft.com/en-us/azure/load-balancer/manage-inbound-nat-rules
upvoted 1 times

  GBAU 4 months ago

Selected Answer: A
You can't use one single public IP & port combination to decidedly connect to two different systems based on readying your mind.

Something has to tell the Firewall which VM you want to connect too. With the options provided, the only way is adding an additional frontend IP
address.

Hit one IP on 3389 you go to VM1

Hit the other IP on 3389 you go to VM2
upvoted 4 times

  AliRi 2 months, 1 week ago

Yup, you are right. This question is stupid as hell.
But this is not about stupidity here, it's about the functionality we need to understand.
And, at the end, we will have it on exam and we will need to answer it.
upvoted 1 times

  kanag1 4 months, 1 week ago

Selected Answer: A
Key is port 3389 from the internet for both VMs
upvoted 2 times

  ChakaZilly 4 months, 2 weeks ago

B: We already have a public-ip, now with option B, use the port ip:3389... It will be a random outcome on which machine you'll wind up, however
machine selection is not a requirement.
upvoted 4 times

  Ashfaque_9x 4 months, 2 weeks ago

Selected Answer: A
A. a frontend IP address
Passed today on 29Jan23 with a score of 970. This question was in the exam.
upvoted 12 times

  dimsok 5 months ago

Selected Answer: A
Without a public ip, nothing can happem
upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 257/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #5 Topic 5

HOTSPOT -
You have Azure virtual machines that run Windows Server 2019 and are configured as shown in the following table.

You create a private Azure DNS zone named adatum.com. You configure the adatum.com zone to allow auto registration from VNET1.
Which A records will be added to the adatum.com zone for each virtual machine? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

The virtual machines are registered (added) to the private zone as A records pointing to their private IP addresses.
Reference:
https://docs.microsoft.com/en-us/azure/dns/private-dns-overview https://docs.microsoft.com/en-us/azure/dns/private-dns-scenarios

  mlantonis Highly Voted  2 years ago

Correct Answer:

The virtual machines are registered (added) to the private zone as A records pointing to their private IP addresses.

Since both VM1 & VM2 are in same Vnet1 and the Vnet1 is liked under adatum.com domain (Private DNS Zone->Setting->virtual network links).

Reference:

https://docs.microsoft.com/en-us/azure/dns/private-dns-overview

https://docs.microsoft.com/en-us/azure/dns/private-dns-scenarios
upvoted 86 times

  mlantonis 2 years ago

Box 1: Private
Box 2: Private

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 258/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 35 times
  fedztedz Highly Voted  2 years, 5 months ago
Answer is correct. Private/Private
check https://docs.microsoft.com/en-us/azure/dns/private-dns-scenarios#scenario-split-horizon-functionality
upvoted 56 times

  SScott 2 years, 2 months ago

That's it, good reference
upvoted 5 times

  CyberKelev Most Recent  3 months, 2 weeks ago

For VM1, the A record added to the adatum.com zone will be the Private IP address only (10.1.0.4), since the DNS suffix configured in Windows
Server is Adatum.com and auto-registration is enabled in VNET1.

For VM2, no A record will be added to the adatum.com zone, since the DNS suffix configured in Windows Server is Contoso.com and auto-
registration is not enabled in VNET1 for the Contoso.com DNS zone.
upvoted 2 times

  CyberKelev 3 months, 2 weeks ago

Answer is : Private Ip address only and none
upvoted 3 times

  DeBoer 4 months, 1 week ago

Checked in lab; the DNS records in the private zone are created using the " Virtual network links" to the VNet. The DNS name in the VM itself has
no impact on this. So yes, Both "Private" is correct.
upvoted 4 times

  Max_on_neptune 6 months, 1 week ago

Exam Question on 01DEC2022
upvoted 6 times

  arifi 5 months, 3 weeks ago

did u pass?
upvoted 1 times

  EmnCours 9 months, 3 weeks ago

Answer is correct. Private/Private
upvoted 1 times

  vsharma041990 10 months, 3 weeks ago

The virtual machines are registered (added) to the private zone as A records pointing to their private IP addresses.

Since both VM1 & VM2 are in same Vnet1 and the Vnet1 is liked under adatum.com domain (Private DNS Zone->Setting->virtual network links).
upvoted 2 times

  Lazylinux 11 months, 4 weeks ago

Yep given answer is correct Private/Private
VNET and Private DNS:

You can only link VNETs to private DNS zones only and accordingly auto register a VNET only to a private DNS zones. Private DNS zones can be
linked with VNETs (not public ones). And VM can auto-register to any private DNS zone linked with the Vnet and with auto-registration option set.
upvoted 4 times

  benvdw 1 year, 3 months ago

on exam 13/3/2022
upvoted 3 times

  atilla 1 year, 3 months ago

both private because of same vnet1, you add vnet in private dns zone...
upvoted 1 times

  khengoolman 1 year, 8 months ago

Passed 11 Oct 2021 with 947. This question appeared, correct Answer is private, private.
upvoted 9 times

  AubinBakana 1 year, 9 months ago

The question is confusing because VM2 has a different DNS connection suffix. But because they are both part of the VNet1, they'd both be
exposed to the internal DNS zone at 168.63.129.16.

-Private IP for VM1

-Private IP for VM2
upvoted 4 times

  ZUMY 2 years, 3 months ago

01.Private IP Address only
02.Private IP Address only
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 259/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Since both VM1 & VM2 are in same Vnet1 and the Vnet1 is liked under adatum.com domain (Private DNS Zone->Setting->virtual network links)
upvoted 6 times
  PektoTheGreat 2 years, 3 months ago
The keyword is "auto-registration from VNET1".

VM1 and VM2 belongs to the same VNET. So upon VM1 and VM2 creation they will be auto registered on adatum Private DNS Zone having A
Record as their Private IPs. Cheeers yo!
upvoted 8 times

  toniiv 2 years, 3 months ago

Correct, both private addresses since auto registration from VNET1 has been enabled on the Azure Private DNS zone.
upvoted 3 times

  mikl 2 years, 4 months ago

Can anyone please explain to me why a VM2 that belongs to contoso.com is registered in adatum.com ?
upvoted 7 times

  ScreamingHand 1 year, 12 months ago

adatum.com is a private DNS zone which has been 'linked' to VNET1 with autoregistration, therefore, ever VM which resides in VNET1 will have
an A name record in adatum.com
upvoted 2 times

  AlexJacobson 2 years ago

OS DNS suffix has no affect on this. Private subnet is applicable to both VM1 and VM2.
upvoted 2 times

  waterzhong 2 years, 4 months ago

Virtual Network named "A" contains two VMs (VNETA-VM1 and VNETA-VM2). Each of these have Private IPs associated. Once you create a Private
Zone named contoso.com and link this virtual network as a Registration virtual network, Azure DNS will automatically create two A records in the
zone as depicted. Now, DNS queries from VNETA-VM1 to resolve VNETA-VM2.contoso.com will receive a DNS response that contains the Private IP
of VNETA-VM2. Furthermore, a Reverse DNS query (PTR) for the Private IP of VNETA-VM1 (10.0.0.1) issued from VNETA-VM2 will receive a DNS
response that contains the name of VNETA-VM1, as expected.
upvoted 4 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 260/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #6 Topic 5

HOTSPOT -
You have an Azure virtual network named VNet1 that connects to your on-premises network by using a site-to-site VPN. VNet1 contains one
subnet named
Sunet1.
Subnet1 is associated to a network security group (NSG) named NSG1. Subnet1 contains a basic internal load balancer named ILB1. ILB1 has
three Azure virtual machines in the backend pool.
You need to collect data about the IP addresses that connects to ILB1. You must be able to run interactive queries from the Azure portal against
the collected data.
What should you do? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

Box 1: An Azure Log Analytics workspace

In the Azure portal you can set up a Log Analytics workspace, which is a unique Log Analytics environment with its own data repository, data
sources, and solutions

Box 2: ILB1 -
Reference:
https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-quick-create-workspace https://docs.microsoft.com/en-us/azure/load-
balancer/load-balancer-standard-diagnostics

  mlantonis Highly Voted  2 years ago

Correct Answer:

Box 1: An Azure Log Analytics workspace

In the Azure portal you can set up a Log Analytics workspace, which is a unique Log Analytics environment with its own data repository, data
sources, and solutions.

Box 2: NSG1
NSG flow logs allow viewing information about ingress and egress IP traffic through a Network security group. Through this, the IP addresses that
connect to the ILB can be monitored when the diagnostics are enabled on a Network Security Group.

We cannot enable diagnostics on an internal load balancer to check for the IP addresses.
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 261/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

As for Internal LB, it is basic one. Basic can only connect to storage account. Also, Basic LB has only activity logs, which doesn't include the
connectivity workflow. So, we need to use NSG to meet the mentioned requirements.
upvoted 182 times

  awssecuritynewbie 8 months, 4 weeks ago

very good catch! Because yes you are right after looking at the link : https://learn.microsoft.com/en-gb/azure/load-balancer/skus#skus
you cannot do diagnostics for the load balancer you know, which is crazy i would of picked that over the NSG.
Box 2: NSG1
upvoted 5 times

  elrizos 2 months ago

you r my hero
upvoted 1 times

  mlantonis 2 years ago

Reference:
https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-quick-create-workspace
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-standard-diagnostics
upvoted 22 times

  fedztedz Highly Voted  2 years, 5 months ago

Answer is not correct. The correct answer is
- Create a Log Analytics Workspace
- NSG
As for Internal LB, it is basic one. Basic can only connect to storage account. Also Basic LB has only activity logs which doesn't include the
connectivity workflow. So, we need to use NSG to meet the mentioned requirements.
upvoted 92 times

  Alvaroll 2 years, 5 months ago

I think the answer given is correct.
- Azure Log Analytics workspace
- ILB1 (Standard Load Balance)
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-monitor-log
upvoted 3 times

  Alvaroll 2 years, 5 months ago

sorry, it's basic LB
upvoted 5 times

  YooOY 1 year, 8 months ago

Basic LB no diagnositcs
https://docs.microsoft.com/en-us/azure/load-balancer/skus
upvoted 3 times

  s9p3r7 1 year, 11 months ago

but you can't enable NSG flow logs with Log Analytics Workspace, you need a storage account.
answer: storage acc and nsg
ref: https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-portal#enable-nsg-flow-log
upvoted 4 times

  s9p3r7 1 year, 11 months ago

ignore my previous comment as Traffic Analytics can be integrated with Log Analytics Workspace,,
upvoted 6 times

  shadad Most Recent  3 months, 1 week ago

I took Exam of Azure- 104 at 27/2/2023
I score 920 points out of 1000 points. This was on it and my answer was:

Box1: An Azure Log Analytics workspace

Box2: Box 2: NSG1
upvoted 4 times

  vbohr899 3 months, 2 weeks ago

Cleared Exam today 26 Feb, This question was there in exam.
upvoted 3 times

  CyberKelev 3 months, 2 weeks ago

To collect data about the IP addresses that connect to ILB1 and run interactive queries from the Azure portal against the collected data,
you should create an Azure Log Analytics workspace.
You should enable diagnostic settings on ILB1. This will allow you to collect data about the IP addresses that connect to ILB1 and run interactive
queries from the Azure portal against the collected data.
upvoted 1 times

  Ashfaque_9x 4 months, 2 weeks ago

Passed today on 29Jan23 with a score of 970. This question was in the exam.
Correct Answer:

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 262/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Box 1: An Azure Log Analytics workspace

Box 2: NSG1
upvoted 4 times
  djgodzilla 5 months, 1 week ago
I think it's good to pause and watch a video describing the available monitoring service for standard Load balancer (classic metrics view vs load
balancer insights). It'll allow you to understand instead of just picking an answer .
guess basic has no monitoring feature satisfying the question's requirement.
https://www.youtube.com/watch?v=qfzOTNKYTgU&ab_channel=MicrosoftAzure
upvoted 2 times

  Liriano 7 months, 2 weeks ago

In exam today, go with highly voted
upvoted 3 times

  EmnCours 9 months, 3 weeks ago

An azure log analytics workspace
NSG1
upvoted 1 times

  Lazylinux 11 months, 4 weeks ago

given answer not correct
Box 1: An Azure Log Analytics workspace
use Log Analytics workspace, which sets Log Analytics environment with its own data repository, data sources, and solutions.

Box 2: NSG1
NSG flow logs, which provide you information about ingress and egress IP traffic through a Network Security Group associated to individual
network interfaces, VMs, or subnets. By analyzing raw NSG flow logs, and inserting intelligence of security, topology, and geography, traffic
analytics can provide you with insights into traffic flow in your environment. Traffic Analytics provides information such as most communicating
hosts, most communicating application protocols, most conversing host pairs, allowed/blocked traffic, inbound/outbound traffic, open internet
ports, most blocking rules, traffic distribution per Azure datacenter, virtual network, subnets, or, rogue networks.
upvoted 3 times

  Akman 1 year, 7 months ago

I'm tired of entering capcha in every page turn
upvoted 5 times

  verifedtomic 1 year, 7 months ago

Just sign-up for free account. Then you'll have to enter captcha every three or so pages.
upvoted 2 times

  nzmike 1 year, 7 months ago

that's why they have the subscription...
upvoted 8 times

  khengoolman 1 year, 8 months ago

Passed 11 Oct 2021 with 947. This question appeared, correct Answer is LAW, NSG
upvoted 11 times

  [Removed] 1 year, 8 months ago

The question states that you must be able to run interactive queries from
the Azure portal against the collected data.
The Azure portal exposes the load balancer metrics via the Metrics page, which is available on both the load balancer resource page for a particular
resource and the Azure Monitor page.

To view the metrics for your Standard Load Balancer resources:

Go to the Metrics page and do either of the following:
On the load balancer resource page, select the metric type in the drop-down list.
On the Azure Monitor page, select the load balancer resource.
Hence my guess is
Log Analytics
ILB1
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-standard-diagnostics
upvoted 1 times

  Mukesh_Aggarwal_07 1 year, 8 months ago

- Create a Log Analytics Workspace
- NSG
upvoted 1 times

  AubinBakana 1 year, 9 months ago

Correct. Thank you
upvoted 1 times

  jsexamprep 1 year, 9 months ago

Box 1: An Azure Storage account. "Flow data is sent to Azure Storage accounts from where you can access it as well as export it to any visualization
tool, SIEM, or IDS of your choice. ... While flow logs target NSGs, they are not displayed the same as the other logs. Flow logs are stored only within
a storage account..."
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 263/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Box 2: NSG1

See this link for both of the above: https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-overview

Logs can be exported to Traffic Analytics, not to be confused with Azure Log Analytics.
upvoted 6 times
  bacana 1 year, 10 months ago
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-overview
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 264/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #7 Topic 5

You have the Azure virtual networks shown in the following table.

To which virtual networks can you establish a peering connection from VNet1?

A. VNet2 andVNet3 only

B. VNet2 only

C. VNet3 and VNet4 only

D. VNet2, VNet3, and VNet4

Correct Answer: C
Address spaces must not overlap to enable VNet Peering.
Incorrect Answers:
A, B, D: The address space for VNet2 overlaps with VNet1. We therefore cannot establish a peering between VNet2 and VNet1.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/tutorial-connect-virtual-networks-portal https://docs.microsoft.com/en-
us/azure/virtual-network/virtual-networks-faq#vnet-peering

Community vote distribution

C (100%)

  mlantonis Highly Voted  2 years ago

Correct Answer: C

VNet1 10.11.0.0/16 = 10.11.0.1 - 10.11.255.255 (overlap VNet2)

VNet2 10.11.0.0/17 = 10.11.0.1 - 10.11.127.254 (overlap VNet1)
VNet3 10.10.0.0/22 = 10.10.0.1 - 10.10.3.254 (no overlap)
VNet4 192.168.16.0/22 = 192.168.16.1 - 192.168.19.254 (no overlap)

Possible peerings are:

VNet1 -> Vnet3
VNet1 -> Vnet4

If a virtual network has address ranges that overlap with another virtual network or on-premises network, the two networks can't be connected.
upvoted 90 times

  bogdan89 Highly Voted  2 years, 6 months ago

Tested, in this context answer is correct. Vnet 2 and Vnet 1 can not be peered and also Vnet 2 and vnet3 or vnet 4 can not be peered.

But tested more and discovered that Vnet1 can make a peering with Vnet 3 and Vnet4. Pay attention if there will be a modification in the answer.
The strange way of Microshit qestions.
upvoted 33 times

  Kopy 1 year, 10 months ago

"also Vnet 2 and vnet3 or vnet 4 can not be peered." WHY?
upvoted 1 times

  Kopy 1 year, 10 months ago

ignore
upvoted 2 times

  Notteb Most Recent  4 months, 3 weeks ago

Selected Answer: C
Correct Answer:C
upvoted 1 times

  swetha_2022 6 months ago

Selected Answer: C
Correct Answer:C
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 265/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 1 times
  EmnCours 9 months, 3 weeks ago
Selected Answer: C
Correct Answer: C
upvoted 1 times

  NotMeAnyWay 11 months ago

Selected Answer: C
Virtual Peering Requirements:
• Virtual Peering comes in two forms: Virtual Peering for within a Region and Global Virtual Peering for across regions. The question does not limit
the peering to one region. So peering permitted to VNET3 and VNET4
• Virtual Peering cannot have overlapping address spaces so no peering can be had with VNET2 until there is an address space change (requires
recreation of the VNET).

Therefore only logical answer is C: VNET3 & VNET4:

Read Here:
(https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview)
upvoted 4 times

  Lazylinux 11 months, 4 weeks ago

Selected Answer: C
Given answer is correct... Peering should NOT have overlapping Address Space/subnets
upvoted 3 times

  pappkarcsiii 1 year, 4 months ago

Selected Answer: C
Possible peerings are:
VNet1 -> Vnet3
VNet1 -> Vnet4
upvoted 3 times

  _punky_ 1 year, 5 months ago

FYI: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-manage-peering#requirements-and-constraints
upvoted 1 times

  hanyahmed 1 year, 5 months ago

VNet1 -> Vnet3
VNet1 -> Vnet4
upvoted 1 times

  [Removed] 1 year, 6 months ago

Was on exam dated 15/11/2021
upvoted 3 times

  DevOpposite 1 year, 8 months ago

how do you work this out without pen and paper?
upvoted 3 times

  AubinBakana 1 year, 9 months ago

Correct. Thank you
upvoted 1 times

  Kopy 1 year, 10 months ago

why not 2,3, and 4, the last option?
upvoted 1 times

  pakman 1 year, 8 months ago

VNET 1 and VNET2 have an IP address overlap.
upvoted 1 times

  ScreamingHand 2 years ago

Given that VNET1's subnet is the same space as VNET2's address space, it was an obvious overlap, - and answer C was the only one which didn't
feature VNET2, the answer popped out pretty quickly
upvoted 2 times

  boozy 2 years, 2 months ago

VNet1 10.11.0.0/16 = 10.11.0.1 - 10.11.255.255 (overlap VNet2)
VNet2 10.11.0.0/17 = 10.11.0.1 - 10.11.127.254 (overlap VNet1)
VNet3 10.10.0.0/22 = 10.10.0.1 - 10.10.3.254 (no overlap)
VNet4 192.168.16.0/22 = 192.168.16.1 - 192.168.19.254 (no overlap)
Possible peerings are
VNet1 -> Vnet3
VNet1 -> Vnet4
Correct answer is C
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 266/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 9 times
  wesleyzhong 2 years, 2 months ago
If a virtual network has address ranges that overlap with another virtual network or on-premises network, the two networks can't be connected.
Before you define an address range, consider whether you might want to connect the virtual network to other virtual networks or on-premises
networks in the future. Microsoft recommends configuring virtual network address ranges with private address space or public address space
owned by your organization.
https://docs.microsoft.com/en-us/azure/virtual-network/manage-virtual-network
upvoted 3 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 267/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #8 Topic 5

You have an Azure subscription that contains a virtual network named VNet1. VNet1 contains four subnets named Gateway, Perimeter, NVA, and
Production.
The NVA subnet contains two network virtual appliances (NVAs) that will perform network traffic inspection between the Perimeter subnet and the
Production subnet.
You need to implement an Azure load balancer for the NVAs. The solution must meet the following requirements:
✑ The NVAs must run in an active-active configuration that uses automatic failover.
✑ The load balancer must load balance traffic to two services on the Production subnet. The services have different IP addresses.
Which three actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

A. Deploy a basic load balancer

B. Deploy a standard load balancer

C. Add two load balancing rules that have HA Ports and Floating IP enabled

D. Add two load balancing rules that have HA Ports enabled and Floating IP disabled

E. Add a frontend IP configuration, a backend pool, and a health probe

F. Add a frontend IP configuration, two backend pools, and a health probe

Correct Answer: BCF

A standard load balancer is required for the HA ports.
Two backend pools are needed as there are two services with different IP addresses.
Floating IP rule is used where backend ports are reused.
Incorrect Answers:
E: HA Ports are not available for the basic load balancer.
Reference:
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-standard-overview https://docs.microsoft.com/en-us/azure/load-
balancer/load-balancer-multivip-overview

Community vote distribution

BDE (49%) BCF (32%) Other

  xagiter622 Highly Voted  2 years, 7 months ago

The given answer is correct:
B - HA ports need are not supported by a basic loadbalancer
C - You need a floating ip for the active-active configuration to switch over quickly
F - You need 2 backend pools for the 2 different services
upvoted 115 times

  jsexamprep 1 year, 9 months ago

Correct, this link clears up the HA ports and floating IP being enabled: https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-ha-
ports-overview

For Floating IP…This configuration does not allow any other load-balancing rule configuration on the current load balancer resource. It also
allows no other internal load balancer resource configuration for the given set of back-end instances.
upvoted 3 times

  djgodzilla 5 months, 1 week ago

you're maybe right BCF:
Rule type #2: backend port reuse by using Floating IP
Azure Load Balancer provides the flexibility to reuse the frontend port across multiple frontends configurations. Additionally, some application
scenarios prefer or require the same port to be used by multiple application instances on a single VM in the backend pool. Common examples
of port reuse include
"clustering for high availability, --Network virtual appliances, and exposing multiple TLS endpoints without re-encryption.
upvoted 1 times

  flurgen248 8 months ago

It shouldn't be C, since HA ports are also active-active. Also we don't need to reuse a backend port, so floating IP isn't needed.

If you want to reuse the backend port across multiple rules, you must enable Floating IP in the rule definition.
https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-floating-ip#floating-ip
HA ports are recommended for NVAs.
https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-ha-ports-overview#why-use-ha-ports

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 268/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Not sure about the other answers though.

upvoted 2 times
  tsss 2 years, 7 months ago
F: 1 service are the NVAs. the other service is for backend servers
upvoted 5 times

  JayBee65 2 years ago

Why do you say that? It just states 2 services, e.g. web and email
upvoted 3 times

  fedztedz Highly Voted  2 years, 5 months ago

The Answer is not correct. It should be BDE. Why?
- Basically we are just want to load balance the NVM , that's all. So, we will need HA ports for HA and failover. But since we don't want to balance
the services themselves , so we go with disabled IP floating and one backend service for NVM. check https://docs.microsoft.com/en-us/azure/load-
balancer/load-balancer-ha-ports-overview#a-single-non-floating-ip-non-direct-server-return-ha-ports-configuration-on-an-internal-standard-
load-balancer
However, if we need to also Load Balance the production two services using the same LB, then we would need Floating IP and also another
backend pool for those 2 services. then the answer would be BCF.
But the question here, can LB send balance traffic to those production services. I think it can by using the health probe and some monitoring to
balance the requests sent to IPs.
upvoted 55 times

  jimmyli 2 years, 4 months ago

I think it should be BCF.
The original link that examtopics provided in its answer area has made it clear floating IP is needed: https://docs.microsoft.com/en-
us/azure/load-balancer/load-balancer-multivip-overview, under Rule type #2: backend port reuse by using Floating IP section.
upvoted 4 times

  Lkk51 2 years ago

If you want to reuse the backend port across multiple rules, you must enable Floating IP in the rule definition.

https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-multivip-overview#rule-type-2-backend-port-reuse-by-using-floating-ip
upvoted 1 times

  cloudbaron 3 weeks, 5 days ago

True about Floating IP and backend port reusability.
However, in this scenario, we do not need to reuse the backend port across multiple rules. We only need to create one rule that points to the
backend pool containing the NVAs. So there is no need to enable Floating IP
upvoted 1 times

  HaoHu 2 years, 4 months ago

Just think about that LB traffic will ‘passthrough’ two NVA……
upvoted 1 times

  PeterTest 2 years, 5 months ago

The question is clear about that LBs need to be able to failover, so we need to make sure 2 services can still working while only 1 LB is available
which means in the same LB, so BCF?
upvoted 5 times

  SIAMIANJI Most Recent  1 month ago

Selected Answer: BDE
ChatGPT: BDE
To implement an Azure load balancer for the NVAs that meet the requirements specified, you should perform the following three actions:

Deploy a standard load balancer:

You need a standard load balancer to support active-active configuration and automatic failover.

Add a frontend IP configuration, a backend pool, and a health probe:

You need to add a frontend IP configuration that includes a public IP address, a backend pool that includes the two NVAs in the NVA subnet, and a
health probe to monitor the health of the services on the Production subnet.

Add two load balancing rules that have HA Ports enabled and Floating IP disabled:
You need to add two load balancing rules that map the frontend IP address to the backend pool and health probe. Each rule should have HA Ports
enabled and Floating IP disabled to load balance traffic to the two services on the Production subnet that have different IP addresses.
upvoted 1 times

  Exilic 1 month, 2 weeks ago

Interesting answer from openAI

"To implement an Azure load balancer for the NVAs that meet the requirements, you should perform the following three actions:

A. Deploy a basic load balancer. Basic load balancer is sufficient for this scenario, as it supports automatic failover for active-active scenarios.

C. Add two load balancing rules that have HA Ports and Floating IP enabled. HA ports are required for active-active failover, and Floating IP is
required to maintain the same IP address during failover.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 269/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

E. Add a frontend IP configuration, a backend pool, and a health probe. The frontend IP configuration is used to receive incoming traffic, the
backend pool is used to route traffic to the services in the Production subnet, and the health probe is used to monitor the health of the NVAs and
remove them from the load balancer if they are not responding.

Therefore, the correct options are A, C, and E. Option B is not necessary as a basic load balancer meets the requirements. Option D is incorrect as
Floating IP is required for maintaining the same IP address during failover. Option F is incorrect as only one backend pool is required to route
traffic to the services in the Production subnet."
upvoted 1 times
  Madbo 1 month, 3 weeks ago
The correct answers are BDE.

B. Deploy a standard load balancer: As per the requirements mentioned in the question, we need to implement an Azure load balancer for the
NVAs. A standard load balancer provides the option to use HA Ports and Floating IP, which is required to meet the active-active configuration and
automatic failover requirements.

D. Add two load balancing rules that have HA Ports enabled and Floating IP disabled: Since the two services on the Production subnet have
different IP addresses, we do not need to balance traffic to them. We only need to load balance traffic to the NVAs. Therefore, we only need to
create a load balancing rule for the NVAs, with HA Ports enabled for active-active configuration and Floating IP disabled.

E. Add a frontend IP configuration, a backend pool, and a health probe: This is required to set up the Azure load balancer. The frontend IP
configuration specifies the IP address that clients will use to access the load balancer. The backend pool contains the network interfaces of the two
NVAs. The health probe monitors the health of the NVAs and ensures that traffic is only sent to healthy NVAs.
upvoted 2 times

  levan1988 2 months ago

chat GPT say " To implement an Azure load balancer for the NVAs that meets the requirements, you should perform the following three actions:

A. Deploy a basic load balancer: Basic load balancers support active-active configurations, which are required in this scenario.

E. Add a frontend IP configuration, a backend pool, and a health probe: This step is required to configure the load balancer with the IP address for
the frontend, the backend pool with the IP addresses of the services to load balance, and the health probe to monitor the availability of the
services.

C. Add two load balancing rules that have HA Ports and Floating IP enabled: The load balancing rules are required to specify how the traffic is
distributed among the services in the backend pool. In this scenario, the rules should have HA Ports enabled for high availability and Floating IP
enabled for faster failover.

Therefore, the correct actions are A, E, and C. Options B, D, and F are not required or do not meet the requirements of the scenario. "
upvoted 1 times

  Durden871 3 months ago

From Udemy:
1. A standard load balancer is required for the HA ports.

2. Floating IP must be enabled if you need more than one HA port front end for the same back-end pool.

3. Two backend pools are needed since there are two services.

https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-standard-overview

https://docs.microsoft.com/en-us/azure/load-balancer/backend-pool-management

https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-ha-ports-overview
upvoted 2 times

  Nitestorm 3 months ago

I believe a more straight forward reasoning for option "C" (floating IP enabled) is simply from the link: https://docs.microsoft.com/en-
us/azure/load-balancer/load-balancer-ha-ports-overview

If you don't enable floating IP with HA ports, then the load balancer simply won't support more than 1 load balancing rule, so "D" isn't a
possible option at all.

I also agree the correct answer is "B", "C", and "F".

upvoted 1 times

  Durden871 3 months ago

Which comes out to B, C, F

The exam prep I use tend to disagree with ET often so I trust this answer while WW3 is being raged on this topic.
upvoted 1 times

  hfk2020 3 months, 1 week ago

When FIP is enabled, the load balancer assigns a single IP address as the source IP address for outbound traffic from the VMs and as the
destination IP address for inbound traffic to the VMs. This IP address is known as the Floating IP address, and it is assigned to the load balancer.
When a client sends a request to the load balancer, the load balancer selects one of the backend VMs based on its algorithm and forwards the
request to the selected VM using the Floating IP address as the source IP address.

Enabling FIP can actually be useful for network traffic inspection, because it ensures that the NVAs receive the original packets with their original
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 270/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

source and destination IP addresses, so that they can perform their inspection functions accurately. The load balancer will redirect the traffic to one
of the NVAs using the Floating IP address as the source IP address, but the NVAs will still be able to see the original source and destination IP
addresses of the packets, which is important for network traffic inspection.
upvoted 1 times
  ozlaoliu 3 months, 2 weeks ago
Selected Answer: BCF
Asked the question to Bing AI and ChatGPT, both gave BCF
upvoted 1 times

  MrBlueSky 3 months, 1 week ago

It's literally just reading the comments on here though.
upvoted 7 times

  CyberKelev 3 months, 2 weeks ago

Selected Answer: BCE
The correct actions to perform are:

B. Deploy a standard load balancer: Since you need to implement an active-active configuration with automatic failover, you should deploy a
Standard Load Balancer. The Standard Load Balancer supports active-active scenarios and provides automatic failover between multiple instances.

C. Add two load balancing rules that have HA Ports and Floating IP enabled: You need to add two load balancing rules that use HA Ports and
Floating IP enabled. This ensures that the traffic is distributed evenly across the two services and that automatic failover is enabled.

E. Add a frontend IP configuration, a backend pool, and a health probe: You need to add a frontend IP configuration that contains the IP address
that the clients will use to access the NVAs. You also need to create a backend pool that contains the IP addresses of the two services running on
the Production subnet. Finally, you need to create a health probe to ensure that the services are available.

Therefore, the correct answers are B, C, and E.

upvoted 3 times

  ConanBarb 3 months, 2 weeks ago

Selected Answer: BCF
Tricky indeed! BCF is definitely the most likely answer

There will probably be two LBs in the deployed LB service - one in front of the NVAs and one between the NVAs and the B-E services (perhaps the
same can be accomplished with one LB in the LB service). The NVAs inspect packages and forwards to next LB.
See this diagram:
https://azure.microsoft.com/en-us/blog/best-practices-to-consider-before-deploying-a-network-virtual-appliance/

Important to note is that both C and D propose TWO rules. I.e one rule for health checking the NVAs and one to load balance the B-E services as
per requirement. Makes sense, right?

B. Deploy a standard load balancer

Yes - for HA Ports etc

C. Add two load balancing rules that have HA Ports and Floating IP enabled
Yes - HA Ports to cover all ports TCP and UDP. Floating IP to send the NVAs untranslated packages for their inspection.

F. Add a frontend IP configuration, two backend pools, and a health probe

Yes - one pool for the NVAs (health check) and one for the services (load balancing)
upvoted 2 times

  rhaseeb1 4 months ago

Deploy a standard load balancer (B): Create a Standard Load Balancer in the same virtual network as the NVAs, in the NVA subnet.

Add a frontend IP configuration, two backend pools, and a health probe (F): Create a frontend IP configuration that specifies the public IP address
used to access the Load Balancer, two backend pools in the Load Balancer, each pool will contain one of the two NVAs, and a health probe to
monitor the health of the NVAs.

Add two load balancing rules that have HA Ports enabled and Floating IP disabled (D): Create two Load Balancer rules, each rule will map a
different IP address of the two services on the Production subnet to a different backend pool. The load balancer will use these rules to load balance
traffic to the two services. Enable HA Ports for automatic failover and disable Floating IP for active-active configuration
upvoted 1 times

  rhaseeb1 4 months ago

According to chatGBT it is BDF
upvoted 3 times

  orionduo 4 months, 2 weeks ago

Selected Answer: BCF
A standard load balancer is required for the HA ports.

Two backend pools are needed as there are two services with different IP addresses.

Floating IP rule is used where backend ports are reused.

upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 271/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  khaled_razouk 5 months, 1 week ago

Selected Answer: BCF
The given answer is correct:
upvoted 1 times

  spike15_mk 6 months, 1 week ago

Selected Answer: BCF
B- Standard Load Balancer support High Availability
C- We need 2 High availability ports Rules ( backend pools ) and Float IP enabled. The HA ports load-balancing rules help you with scenarios, such
as high availability and scale for network virtual appliances (NVAs) inside virtual networks.
F- For the 2 High availability ports Rules need to set 1 Front IP of LB and 2 backend pool (2 services) and health probe
upvoted 5 times

  spike15_mk 6 months, 1 week ago

Additional Explanation:
1st High availability ports Rule: Front End IP (LB) , backend1(service1),health probe, HA port selected and Float IP selected
2nd High availability ports Rule: Front End IP (LB) , backend2(service2),health probe, HA port selected and Float IP selected
upvoted 2 times

  klexams 8 months ago

Selected Answer: BCE
so many different opinions here.. im gonna give it a try:
must admin the question is ambiguous which does not help! e.g. two services - does it use 2 different ports or same ports? etc etc
Anywho.. let's get to work:
- Multiple frontends can be used but the answers only say "a" frontend IP. So one frontend IP.
- It clearly says the LB is for the NVAs. So it is one backend which is for NVAs. The services in the production is a moot point because the LB is not
for it. But I agree it gets confusing when it says the LB must load-balance traffic to the two services on the Prod subnet but at the same time we
must stick with the requirement of "You need to implement an Azure load balancer for the NVAs" ; and since it says "traffic" NVA will load-balance
the traffic.
So we have "E" as definite answer here: one frontend IP, one backend pool.
upvoted 1 times

  klexams 8 months ago

- HA means Standard LB must be used.
so we have "B" as the answer.

Now, the last action is where the confusion strikes!

- the remaining options of the answer say: two LB rules and HA ports. So the question is now whether it needs Floating IP or not? Again,
nothing is clear here. The only thing that makes me choose to use Floating IP is this statement "Common examples of port reuse include
clustering for high availability, network virtual appliances, and exposing multiple TLS endpoints without re-encryption." NVAs commonly use
port reuse and to reuse port you must enable Floating IP.
Hope this will help someone out there :-).
upvoted 3 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 272/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #9 Topic 5

You have an Azure subscription named Subscription1 that contains two Azure virtual networks named VNet1 and VNet2. VNet1 contains a VPN
gateway named
VPNGW1 that uses static routing. There is a site-to-site VPN connection between your on-premises network and VNet1.
On a computer named Client1 that runs Windows 10, you configure a point-to-site VPN connection to VNet1.
You configure virtual network peering between VNet1 and VNet2. You verify that you can connect to VNet2 from the on-premises network. Client1
is unable to connect to VNet2.
You need to ensure that you can connect Client1 to VNet2.
What should you do?

A. Download and re-install the VPN client configuration package on Client1.

B. Select Allow gateway transit on VNet1.

C. Select Allow gateway transit on VNet2.

D. Enable BGP on VPNGW1

Correct Answer: A
Reference:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-point-to-site-routing

Community vote distribution

A (89%) 11%

  Coldriver Highly Voted  2 years, 9 months ago

"If you make a change to the topology of your network and have Windows VPN clients, the VPN client package for Windows clients must be
downloaded and installed again"

I would go with `A` is the correct option as the S2S config has been changed AFTER the P2S client installation was performed. Installation of the
client software package needs installing again post S2S config changes.
upvoted 93 times

  Sacs 2 years, 8 months ago

I agree, This is the exact verbiage from Microsoft: If you make a change to the topology of your network and have Windows VPN clients, the
VPN client package for Windows clients must be downloaded and installed again in order for the changes to be applied to the client.
upvoted 8 times

  Bl4ck 2 years, 9 months ago

I think this is correct: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-point-to-site-routing#multipeered
upvoted 6 times

  bleepbl0p 2 years, 6 months ago

100% correct. https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-point-to-site-routing
upvoted 7 times

  mlantonis Highly Voted  2 years ago

Correct Answer: A

If you make a change to the topology of your network and have Windows VPN clients, the VPN client package for Windows clients must be
downloaded and installed again.

Reference:

https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-point-to-site-routing
upvoted 48 times

  Bur_Han Most Recent  2 months, 3 weeks ago

A. Download and re-install the VPN client configuration package on Client1.
B. Select Allow gateway transit on VNet1.
C. Select Allow gateway transit on VNet2.
D. Enable BGP on VPNGW1
upvoted 1 times

  Bur_Han 2 months, 3 weeks ago

B. Select Allow gateway transit on VNet1.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 273/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Explanation:

The issue here is that Client1 is not able to connect to VNet2. This is because VNet2 is not connected to the VPN gateway and doesn't have a
gateway of its own. To enable traffic from Client1 to VNet2, we need to enable gateway transit on VNet1.

Gateway transit allows a virtual network to use the VPN gateway in another virtual network to access resources in that network. In this case,
enabling gateway transit on VNet1 will allow Client1 to access resources in VNet2 using the VPN gateway in VNet1.

Enabling gateway transit on VNet2 (option C) is not needed in this scenario because VNet2 doesn't have a VPN gateway. Enabling BGP on
VPNGW1 (option D) is not required because the scenario mentions that static routing is being used.

Downloading and re-installing the VPN client configuration package (option A) is not required as the point-to-site VPN connection from Client1
to VNet1 is already established and working. The issue is with accessing resources in VNet2, which can be resolved by enabling gateway transit
on VNet1.
upvoted 1 times
  vbohr899 3 months, 2 weeks ago
Cleared Exam today 26 Feb, This question was there in exam.
upvoted 3 times

  CyberKelev 3 months, 2 weeks ago

Selected Answer: C
The issue is that the point-to-site VPN connection from Client1 is not able to connect to VNet2. This is because virtual network peering in Azure
does not propagate gateway transit. Therefore, the VPN gateway (VPNGW1) in VNet1 cannot be used to reach VNet2. To allow Client1 to connect
to VNet2, we need to enable gateway transit on VNet2 so that the traffic from VNet1 can flow through VNet2 to reach Client1.

Therefore, the correct answer is:

C. Select Allow gateway transit on VNet2.
upvoted 1 times

  EmnCours 9 months, 3 weeks ago

Selected Answer: A
Correct Answer: A
upvoted 2 times

  Lazylinux 11 months, 4 weeks ago

Selected Answer: A
A is correct
If you make a change to the topology of your network and have Windows VPN clients, the VPN client package for Windows clients must be
downloaded and installed again and also ensure you use the same certificate and if other scenario i.e. new workstation Pt - Site vpn then download
and install client and export certificate from other workstation that is already got working connection and import into new workstation
upvoted 4 times

  dasEnder 1 year, 1 month ago

Selected Answer: A
Correct
upvoted 2 times

  Dobby25 1 year, 2 months ago

Received this on my exam today 19/03/2022
upvoted 2 times

  AubinBakana 1 year, 9 months ago

Answer is correct. The VPN client on the PC is no longer valid because the network topology has changed
upvoted 3 times

  Adebowale 1 year, 10 months ago

100% correct
upvoted 2 times

  McRowdy 1 year, 12 months ago

"A" is the correct answer. The trick here is "You verify that you can connect to VNet2 from the on-premises network. Client1 is unable to connect to
VNet2.". - This tells us the network is actually connected fine, it is just the client (in this scenario the Win10 PC) that cannot connect to VNet2.
upvoted 2 times

  sargis1177 2 years, 2 months ago

Actually in this case both A and B are correct answers
upvoted 3 times

  JayBee65 2 years ago

No B is not correct. "You verify that you can connect to VNet2 from the on-premises network" suggests gateway transit is already configured
correctly, so B is not required.
upvoted 6 times

  NeerajY 2 years, 2 months ago

Without allowing gateway transit, can client1 connect to vnet2 even after re-installing package?

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 274/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 2 times

  JayBee65 2 years ago

"You verify that you can connect to VNet2 from the on-premises network" suggests it is already configured
upvoted 2 times

  ZUMY 2 years, 3 months ago

A is correct
upvoted 3 times

  toniiv 2 years, 3 months ago

Answer A. is the good one. VPN clien re-installation is the key here.
upvoted 3 times

  waterzhong 2 years, 4 months ago

Multiple peered VNets
In this example, the Point-to-Site VPN gateway connection is for VNet1. VNet1 is peered with VNet2. VNet 2 is peered with VNet3. VNet1 is peered
with VNet4. There is no direct peering between VNet1 and VNet3. VNet1 has “Allow gateway transit” and VNet2 and VNet4 have “Use remote
gateways” enabled.

Clients using Windows can access directly peered VNets, but the VPN client must be downloaded again if any changes are made to VNet peering
or the network topology. Non-Windows clients can access directly peered VNets. Access is not transitive and is limited to only directly peered
VNets.
upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 275/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #10 Topic 5

HOTSPOT -
You have an Azure subscription. The subscription contains virtual machines that run Windows Server 2016 and are configured as shown in the
following table.

You create a public Azure DNS zone named adatum.com and a private Azure DNS zone named contoso.com.
You create a virtual network link for contoso.com as shown in the following exhibit.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 276/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Correct Answer:

Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances
https://docs.microsoft.com/en-us/azure/dns/private-dns-autoregistration

  mlantonis Highly Voted  2 years ago

Correct Answer:

All three VMs are in VNET2. Auto registration is enabled for private Azure DNS zone named contoso.com, which is linked to VNET2. So, VM1, VM2
and VM3 will auto-register their host records to contoso.com.

None of the VM will auto-register to the public Azure DNS zone named adatum.com. You cannot register private IPs on the internet (adatum.com)

Box 1: Yes
Auto registration is enabled for private Azure DNS zone named contoso.com.

Box 2: Yes
Auto registration is enabled for private Azure DNS zone named contoso.com.

Box 3: No
None of the VM will auto-register to the public Azure DNS zone named adatum.com

Reference:

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances

https://docs.microsoft.com/en-us/azure/dns/private-dns-autoregistration

https://docs.microsoft.com/en-us/azure/dns/private-dns-virtual-network-links
upvoted 108 times

  NickyDee Highly Voted  2 years, 5 months ago

1. The PRIVATE zone contoso.com is linked to VNET1
2. All three VMs are in VNET1
3. All of the VMs will auto-register their host records to contoso.com
4. None of the VMs will auto-register to a public DNS zone. You cannot register private IPs on the internet (adatum)

The answer given is correct

Yes, Yes, No
upvoted 66 times

  cruisey 2 years, 1 month ago

You mean VNET 2 nor VNET 1
upvoted 17 times

  edengoforit 11 months, 3 weeks ago

Probably he meant VNET2 in 2.
upvoted 1 times

  Aluksy Most Recent  2 months, 1 week ago

Valid came out in my exam today 08 April 2023.
upvoted 3 times

  Bigc0ck 5 months, 1 week ago

on the test
upvoted 1 times

  azaad_a 8 months, 1 week ago

Exam Question 08OCT22
upvoted 3 times
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 277/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  favela 9 months, 1 week ago

Correct answer
upvoted 1 times

  EmnCours 9 months, 3 weeks ago

YES
YES
NO
upvoted 1 times

  Lazylinux 11 months, 4 weeks ago

Given answer is correct YYN.. as for N VNET1 is linked to Private DNS and hence will register there due to fact auto-register is enabled
upvoted 1 times

  Lazylinux 1 year ago

Agree with YYN
upvoted 1 times

  benvdw 1 year, 3 months ago

YYN - on exam 13/3/2022
upvoted 3 times

  hanyahmed 1 year, 5 months ago

YES
YES
NO
upvoted 1 times

  khengoolman 1 year, 8 months ago

Passed 11 Oct 2021 with 947. This question appeared, correct Answer is Y Y N
upvoted 7 times

  AubinBakana 1 year, 9 months ago

VM3 will be added to contoso.com, the connection suffix will change to contoso.com
upvoted 2 times

  AubinBakana 1 year, 9 months ago

Correct. Thank you
upvoted 2 times

  sandipk91 1 year, 9 months ago

I think it should be Y-Y-Y

ref: https://docs.microsoft.com/en-us/azure/dns/dns-faq-private#i-have-configured-a-preferred-dns-suffix-in-my-windows-virtual-machine--why-
are-my-records-still-registered-in-the-zone-linked-to-the-virtual-network-
upvoted 1 times

  maxmarco71 1 year, 10 months ago

answer is
yes
yes
yes
Why? solution below
I have configured a preferred DNS suffix in my Windows virtual machine. Why are my records still registered in the zone linked to the virtual
network?
The Azure DHCP service ignores any DNS suffix when it registers the private DNS zone. For example, if your virtual machine is configured for
contoso.com as the primary DNS suffix, but the virtual network is linked to the fabrikam.com private DNS zone, the virtual machine's registration
appears in the fabrikam.com private DNS zone.
https://docs.microsoft.com/en-us/azure/dns/dns-faq-private
upvoted 3 times

  Empel 1 year, 4 months ago

Wrong! On the last one they are asking if it will register in adatum. If they where asking about contoso then it will be Yes
upvoted 2 times

  wsscool 1 year, 11 months ago

in exam 7/3/2021
upvoted 5 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 278/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #11 Topic 5

You have an Azure subscription that contains the resources in the following table.

To which subnets can you apply NSG1?

A. the subnets on VNet1 only

B. the subnets on VNet2 and VNet3 only

C. the subnets on VNet2 only

D. the subnets on VNet3 only

E. the subnets on VNet1, VNet2, and VNet3

Correct Answer: D
All Azure resources are created in an Azure region and subscription. A resource can only be created in a virtual network that exists in the same
region and subscription as the resource.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-vnet-plan-design-arm

Community vote distribution

D (100%)

  mlantonis Highly Voted  2 years ago

Correct Answer: D

You can assign NSG to the Subnet of the VNet in the same region where NSG is.
NSG1 is in East US and only VNet3 Subnets are in East US.
upvoted 64 times

  fedztedz Highly Voted  2 years, 5 months ago

Answer is correct. "D". VNET3 only
upvoted 32 times

  Vitu Most Recent  5 months, 4 weeks ago

Selected Answer: D
its ok
upvoted 1 times

  klexams 7 months, 2 weeks ago

Selected Answer: D
same region
upvoted 3 times

  Mev4953 9 months ago

Because, Vnet3 and NSG are in the same region (EAST US)
upvoted 1 times

  Mev4953 9 months ago

I tried it on the portal. Only VNet3 is shown under the drop down menu, when i associate to other subnets.
upvoted 4 times

  Mev4953 9 months ago

Because, Vnet3 and NSG are in the same region (EAST US)
upvoted 1 times

  EmnCours 9 months, 3 weeks ago

Selected Answer: D
Correct Answer: D
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 279/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  Lazylinux 1 year ago

Selected Answer: D
D is correct = Summary VM-VNIC-VNET-NSG MUST ALL be in same region
upvoted 4 times

  bur88 1 year, 3 months ago

Answer D
on exam 04.03.2022. Passed 761 points.
Thank you, dear commenters!
upvoted 2 times

  pappkarcsiii 1 year, 4 months ago

Selected Answer: D
Correct Answer: D

You can assign NSG to the Subnet of the VNet in the same region where NSG is.
NSG1 is in East US and only VNet3 Subnets are in East US.
upvoted 2 times

  Redimido 1 year, 4 months ago

Selected Answer: D
Azure network security groups can't be moved between regions. You'll have to associate the new NSG to resources in the target region.
https://docs.microsoft.com/en-us/azure/virtual-network/move-across-regions-nsg-portal
upvoted 3 times

  AubinBakana 1 year, 9 months ago

Region boundary. Answer is correct.
upvoted 2 times

  villanz 1 year, 10 months ago

628/1000 23/07/21 failed :(
upvoted 10 times

  lucy3246 9 months, 3 weeks ago

try again
upvoted 1 times

  JimBobSquare101 1 year, 10 months ago

I also failed first time...thought I could just wing it and get by..I got 567...
Rewrite tomorrow....
upvoted 6 times

  Bertleman 1 year, 7 months ago

Same! Taking it 2nd time on Friday
upvoted 3 times

  pakman 1 year, 8 months ago

did you pass?
upvoted 1 times

  wsscool 1 year, 11 months ago

in exam 7/3/2021
upvoted 6 times

  acmaws 1 year, 11 months ago

Correct is D:
Azure network security groups can't be moved between regions
upvoted 4 times

  McRowdy 1 year, 12 months ago

"D" is correct. Easiest way to remember is NSG must follow region AND subscription.
upvoted 7 times

  BinSelman 2 years ago

the given answer is correct.
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 280/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #12 Topic 5

DRAG DROP -
You have an Azure subscription that contains two virtual networks named VNet1 and VNet2. Virtual machines connect to the virtual networks.
The virtual networks have the address spaces and the subnets configured as shown in the following table.

You need to add the address space of 10.33.0.0/16 to VNet1. The solution must ensure that the hosts on VNet1 and VNet2 can communicate.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and
arrange them in the correct order.
Select and Place:

Correct Answer:

Step 1: Remove peering between Vnet1 and VNet2.

You can't add address ranges to, or delete address ranges from a virtual network's address space once a virtual network is peered with another
virtual network.
To add or remove address ranges, delete the peering, add or remove the address ranges, then re-create the peering.
Step 2: Add the 10.44.0.0/16 address space to VNet1.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 281/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Step 3: Recreate peering between VNet1 and VNet2

Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-manage-peering

  mlantonis Highly Voted  2 years ago

COrrect Answer:

Step 1: Remove peering between Vnet1 and VNet2

You can't add address ranges to or delete address ranges from a virtual network's address space once a virtual network is peered with another
virtual network. To add or remove address ranges, delete the peering, add or remove the address ranges, then re-create the peering.

Step 2: Add the 10.33.0.0/16 address space to VNet1

Step 3: Recreate peering between VNet1 and VNet2

Reference:

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-manage-peering
upvoted 120 times

  dagomo 6 months ago

Correct Answer but this is the best reference:
https://learn.microsoft.com/en-us/windows-server/networking/sdn/vnet-peering/sdn-vnet-peering

Once you peer a virtual network with another virtual network, you cannot add or delete address ranges in the address space.

Tip

If you need to add address ranges:

Remove the peering.

Add the address space.
Add the peering again.
upvoted 3 times

  WindowAFX 1 year, 1 month ago

Agreed but it doesn't state the current ones are peered?
upvoted 2 times

  WindowAFX 1 year, 1 month ago

ignore me - is correct
upvoted 5 times

  shoutiv Highly Voted  7 months, 1 week ago

Since September 2022 you can update the address space for peered virtual networks without removing the peering.

"Updating the address space for peered virtual networks now is now generally available. This feature allows you to update the address space or
resize for a peered virtual network without removing the peering."

Source:
https://azure.microsoft.com/en-us/updates/resizing-of-peered-virtual-networks-is-now-generally-available/

https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview#resize-the-address-space-of-azure-virtual-networks-
that-are-peered
upvoted 18 times

  Mev4953 Most Recent  9 months ago

Tested in Lab
1.Remove peering between Vnet1 and VNet2
2.Add 10.33.0.0/16
3.Recreate peering between VNet1 and VNet2
upvoted 2 times

  EmnCours 9 months, 3 weeks ago

Answer is correct.
upvoted 1 times

  Bartol0 10 months ago

I see one problem. You can't add subnet 10.33.0.0/16 to vnet 10.1.0.0/16. It is out of range.
Error: The subnet address range "10.33.0.0/16" is not contained in this virtual network's address spaces.
upvoted 2 times

  Bartol0 10 months ago

Edit: I see my mistake, you need to add address space not subnet. Mlantonis answer is correct. Tested in lab.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 282/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 1 times
  Lazylinux 11 months, 4 weeks ago
Given answer is correct
upvoted 1 times

  InvisibleShadow 1 year, 3 months ago

This question came in the exam today 8/Mar/2022.
I passed the exam, 95% questions came from here.
upvoted 2 times

  sid132 1 year, 3 months ago

On the exam today, 4.March.2022
upvoted 2 times

  husam421 1 year, 4 months ago

You can't add address ranges to, or delete address ranges from a virtual network's address space once a virtual network is peered with another
virtual network. To add or remove address ranges, delete the peering, add or remove the address ranges, then re-create the peering. To add
address ranges to, or remove address ranges from virtual networks
upvoted 1 times

  nidhogg 1 year, 4 months ago

On the exam today, 1.feb.2022
Just 761/1000, but OK! :D
Thanks to ExamTopics and to you all!
upvoted 2 times

  ahmedageba 1 year, 4 months ago

How many questions from this dumb
upvoted 1 times

  Redimido 1 year, 4 months ago

The answer is correct, although there's a new way of the things happening now:

"Updating the address space of a virtual network that has peers will cause the peered virtual networks to not be able to connect to this new
address space until you perform a sync operation on the peerings. You can sync the peered virtual networks in the peerings tab, but requires you
have contributor permissions on the peered virtual networks."

https://azure.microsoft.com/en-us/blog/how-to-resize-azure-virtual-networks-that-are-peered-now-in-preview/

So now, it would be:

1. Change the address range
2. ReSync the Peerings
upvoted 3 times

  Redimido 1 year, 4 months ago

You can check it yourself in the portal. This is the exact message it shows, once you change the address space.
upvoted 2 times

  im82 1 year, 6 months ago

Was on exam today 19.11.2021. Passed with 920.
Correct answer:
- Remove peering between Vnet1 and VNet2
- Add the 10.33.0.0/16 address space to VNet1
- Recreate peering between VNet1 and VNet2
upvoted 6 times

  AubinBakana 1 year, 9 months ago

The only problem with this answer is that peering is set from both sides. While this answer is correct in the selection, It neglects what the impact
will be on the peer from VNet2.
upvoted 2 times

  1Sri 1 year, 11 months ago

Received this question on 4th July exam.
There were many other questions from this list(around 16). I could clear the exam.
Thanks :-)
upvoted 6 times

  ScreamingHand 1 year, 12 months ago

Many organizations deploy a virtual networking architecture that follows the Hub and Spoke model. At some point, the hub virtual network might
require additional IP address spaces. However, address ranges can't be added or deleted from a virtual network's address space once it's peered
with another virtual network.
To add or remove address ranges, delete the peering, add or remove the address ranges, then re-create the peering manually.
https://docs.microsoft.com/en-us/azure/architecture/networking/prefixes/add-ip-space-peered-vnet
upvoted 2 times

  jitkv20 2 years, 2 months ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 283/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

But it doesnt say peering exist already to remove one? Please correct me if im wrong.
upvoted 5 times

  oshoparsi 2 years, 2 months ago

in the table peering column.
upvoted 6 times

  allray15 2 years, 2 months ago

Tested! Correct answer
upvoted 3 times

  ciscogeek 2 years, 2 months ago

Is Gateway Peering required to be enabled ?
upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 284/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #13 Topic 5

HOTSPOT -
You have an Azure subscription that contains the resource groups shown in the following table.

RG1 contains the resources shown in the following table.

VM1 is running and connects to NIC1 and Disk1. NIC1 connects to VNET1.
RG2 contains a public IP address named IP2 that is in the East US location. IP2 is not assigned to a virtual machine.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

Box 1: Yes -

You can move storage -

Box 2: No -
You can't move to a new resource group a NIC that is attached to a virtual machine.

Box 3: No -
Azure Public IPs are region specific and can't be moved from one region to another.
Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/move-support-resources https://docs.microsoft.com/en-
us/azure/virtual-network/move-across-regions-publicip-powershell

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 285/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  NickyDee Highly Voted  2 years, 5 months ago

Tested this in an identical lab:

1. YES. I was able to move the storage from RG1 to RG2, however it stayed in the West US region.

2. YES. I was able to move NIC1 from RG1 to RG2 which was associated with VM1 and VNET1 subnet1, however it stayed in the West US region.

3. NO. The location of IP2 did not change. However I was able to move LP2 from RG2 to RG1 as it isn't associated with any other resource, however
it stayed in the East US region.

All resources moved to the new resource groups, but the region did not change
upvoted 193 times

  rgullini 2 years, 2 months ago

Also tested, you are correct.
upvoted 16 times

  silver_bullet666 1 year, 8 months ago

I also tested and was able to move the NIC attached to a running VM to a different RG. Took a while though!
upvoted 4 times

  itgg11 1 year, 4 months ago

YYN. tested in lab
upvoted 8 times

  mlantonis Highly Voted  2 years ago

Correct Answer:

Box 1: Yes
You can move the Storage Account to RG2, however it stayed in the West US region. You cannot change the Region, you need to recreate the
Storage Account.

Box 2: Yes
You can move move NIC1 to RG2 which was associated with VM1 and VNET1 subnet1, however it stayed in the West US region. You can move a
NIC to a different RG or Subscription by selecting (change) next to the RG or Subscription name. If you move the NIC to a new Subscription, you
must move all resources related to the NIC with it. If the network interface is attached to a virtual machine, for example, you must also move the
virtual machine, and other virtual machine-related resources.

Box 3: No
You can move IP2 to RG1, as it isn't associated with any other resource, however it stayed in the East US region. The location will not change.
upvoted 114 times

  mlantonis 2 years ago

Note: Resources can be everywhere regardless of the resource group they belong to. The resource group is only a collection of metadata
relative to the resources defined inside it. You can move a resource from one resource group to another group. The resources in a resource
group can be located in different regions than the resource group.

Reference:

https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/overview
upvoted 33 times

  manortmar 1 year, 10 months ago

"as it isn't associated with any other resource" really? According to the above explanation being associated shouldn't be a problem to move
between RGs.
upvoted 2 times

  AzureCrawler001 12 months ago

mlantonis - can I buy you a beer or coffee?
upvoted 20 times

  JohnnyChimpo 4 months, 3 weeks ago

Y-N
Mlantonis' answer
upvoted 3 times

  Georgego 5 months ago

machine learning Antonis is a gun!
upvoted 1 times

  Durden871 Most Recent  3 months, 1 week ago

Literally just tested this albeit backwards.
RG1 - US East
RG2 - US West
Created Linux VM in RG1

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 286/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

My VM is up and running with the auto-created NIC attached, all in RG1. Validating....Taking awhile. This really does take awhile.

It moved to the US West located RG2 without turning off or decommissioning the VM. The location of the NIC is in US East still. The correct answer
is YYN.
upvoted 1 times
  orionduo 4 months, 2 weeks ago
YYN
You can move move NIC1 to RG2 which was associated with VM1 and VNET1 subnet1, however it stayed in the West US region. You can move a
NIC to a different RG or Subscription by selecting (change) next to the RG or Subscription name. If you move the NIC to a new Subscription, you
must move all resources related to the NIC with it. If the network interface is attached to a virtual machine, for example, you must also move the
virtual machine, and other virtual machine-related resources.
upvoted 1 times

  hitit 8 months ago

Y-Y-N
This is my test result.
upvoted 1 times

  EmnCours 9 months, 1 week ago

Answer Y-Y-N
upvoted 1 times

  Jayad 1 year, 2 months ago

I know many of you have tested moving the NIC to a different RG, but, is it a supported configuration ?
upvoted 1 times

  Redimido 1 year, 4 months ago

1. YES -
2. YES - I tested it personally. It will work, although you will have to update your scripts (if you have any associated with the moved NIC) to use the
new NIC's resourceID, as this one will change also.
3. NO
upvoted 1 times

  JohnPhan 1 year, 7 months ago

Yes
No - You can move HDInsight clusters to a new subscription or resource group. However, you can't move across subscriptions the networking
resources linked to the HDInsight cluster (such as the virtual network, NIC, or load balancer). In addition, you can't move to a new resource group a
NIC that is attached to a virtual machine for the cluster.
No
upvoted 2 times

  AubinBakana 1 year, 9 months ago

You can't just move the NIC, it's part of the VM.
upvoted 2 times

  AubinBakana 1 year, 9 months ago

I am referring to NIC1 in RG1.
upvoted 1 times

  Kamex009 1 year, 9 months ago

This question was asked on exam taken on 8/22/2021
upvoted 5 times

  Kopy 1 year, 10 months ago

"In addition, you can't move to a new resource group a NIC that is attached to a virtual machine for the cluster."
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/move-support-resources
upvoted 2 times

  slsl 1 year, 5 months ago

Apply only to Microsoft.HDInsight no VMs
upvoted 1 times

  guptavishal7982 2 years, 1 month ago

YYN - Tested!
upvoted 2 times

  ashishg2105 2 years, 1 month ago

YES - You can move resources across resource groups
YES- Even though NIC1 is connected to demovm1 and vnet1, you can still change the resource group for the resource
NO- When you change the resource group for the resource , the location of the resource does not change.
upvoted 2 times

  AlexLiourtas 2 years, 2 months ago

Y-Y-N tested in labs
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 287/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  Ant0ny 2 years, 2 months ago

There's really no argument here, you just need to test. box two is YES. I have tested and moved the NIC from one RG to another without issue while
attached to a VM. The NIC stays in the same region, but it still successfully moves across resource groups
YYN
upvoted 1 times

  ZetaZeti 2 years, 2 months ago

Resources can be everywhere regardless of the resource group they belong to. The resource group is only a collection of metadata relative to the
resources defined inside it.
"You can move a resource from one resource group to another group. " "The resources in a resource group can be located in different regions than
the resource group." https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/overview
Yes: you are moving storage1 from RG1 to RG2 so you are modifying metadata inside RG1 and RG2 to reflect the group resource moving but
storage1 doesn't move physically from where it is
Yes: same as above this time for NIC1
No: again IP2 doesn't physically move and there is only a modification in the metadata of RG1 and RG2 to accomodate the resource group moving.
upvoted 4 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 288/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #14 Topic 5

You have an Azure web app named webapp1.

You have a virtual network named VNET1 and an Azure virtual machine named VM1 that hosts a MySQL database. VM1 connects to VNET1.
You need to ensure that webapp1 can access the data hosted on VM1.
What should you do?

A. Deploy an internal load balancer

B. Peer VNET1 to another virtual network

C. Connect webapp1 to VNET1

D. Deploy an Azure Application Gateway

Correct Answer: D

Community vote distribution

C (100%)

  Az209co Highly Voted  2 years, 8 months ago

I think the answer should be C.
<https://docs.microsoft.com/en-us/azure/app-service/web-sites-integrate-with-vnet>
upvoted 85 times

  jantoniocesargatica 2 years, 1 month ago

You are unable to connect a Webapp to a Vnet, if the Vnet is not empty. In this case there is a VM.
upvoted 4 times

  slimjago 2 years ago

based on that, webapp needs it's own VNET, right? which could be peered with VNET1. what do you think?
upvoted 2 times

  a4andrew 1 year, 7 months ago

webapp only needs it own empty(not delegated nor has any resources within) subnet, not VNET (which can contain many subnets) and a
/29 subnet is the smallest you can use for such a service.
upvoted 9 times

  tita_tovenaar 1 year, 11 months ago

correct but the network integrator in app service lets you create a subnet in the same vnet, precisely for this scenario.. check the ref above ;-)
upvoted 4 times

  luxaflow 1 year, 8 months ago

This is correct, tested in Lab:
Was able to connect webapp to a VNet containing a VM. During connection creation, was requested to create a new subnet.
upvoted 7 times

  fedztedz Highly Voted  2 years, 5 months ago

Answer is wrong. It should be "C"
Connect the webapp to VNET using webapp VNET integration. where webapp can access the resources in the VNET.
upvoted 77 times

  itgg11 1 year, 4 months ago

Answer is C. tested in the lab. web app pricing plan needed to be upgraded to Standard. There must be a vnet with a subnet that is not being
used. If the subnet is used, you can create a new one.
upvoted 4 times

  PersonT 1 year, 10 months ago

True
https://docs.microsoft.com/nl-nl/azure/application-gateway/overview
upvoted 3 times

  sabin001 1 year, 7 months ago

Correct! VNet integration feature enables your apps to access resources in or through a VNet.
upvoted 1 times

  Appu008 1 year, 6 months ago

Wrong, the answer is D only. Because there is no mention that VM1 is in Vnet1, its is said that VM1 only connects to Vnet1 (it is mentioned to
distract students towards wrong answer)
upvoted 4 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 289/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  shash_ank 1 year ago

Once a VM is connected to a VNET, it is part of that VNET, it is inside that VNET.

VM connecting to VNET and VM being inside a VNET is one and the same. Don't overthink, it induces wrong answers
upvoted 6 times

  dasEnder 1 year, 1 month ago

What is the difference if a VM?? A VM cannot be in two VNets so, if has a NIC in the VNet is in it. Only if you consider that the VM connects
using a VPN or peered or any networking. I think this is not what it means here. Also if is not in VNet1, where?
upvoted 1 times

  medaziz Most Recent  1 week ago

I think the web app is a PaaS service so it has a public IP so either we use private link or Azure Application Gateway
upvoted 1 times

  Kimoz 3 months ago

c is the correct answer
upvoted 1 times

  skydivex 3 months, 2 weeks ago

the best answer is D.... application gateway would provide a perfect option for webapp to connect to your resources, such as virtual machines or
storage accounts.
Connecting web app to a VNET requires specific subnet creation and few other items and consideration. It would not be my first choice if it is my
own network. but it would definitely doable.
https://learn.microsoft.com/en-us/azure/application-gateway/overview
upvoted 1 times

  CyberKelev 3 months, 2 weeks ago

Selected Answer: C
The correct answer is C. Connect webapp1 to VNET1.
By connecting the web app to the virtual network, you can enable access from the web app to resources on the virtual network, including the
MySQL database hosted on VM1. This can be done by enabling VNet Integration for the web app and then selecting VNET1 as the virtual network
to integrate with. Once the integration is set up, the web app will be able to communicate with VM1 on VNET1 as if it were on the same network.

Option A, deploying an internal load balancer, is not necessary in this scenario, as load balancing is not required.

Option B, peering VNET1 to another virtual network, is also not necessary for this scenario, as it does not address the requirement to enable
communication between the web app and the MySQL database hosted on VM1.

Option D, deploying an Azure Application Gateway, is not necessary for this scenario, as it is primarily used for load balancing and routing of
HTTP/HTTPS traffic. It does not address the requirement to enable communication between the web app and the MySQL database hosted on VM1.
upvoted 4 times

  ConanBarb 3 months, 2 weeks ago

Selected Answer: C
C
"Azure Application Gateway is a web traffic load balancer that enables you to manage traffic to your web applications."
upvoted 1 times

  omgMerrick 4 months, 1 week ago

Selected Answer: C
C is the correct answer.

By connecting webapp1 to VNET1 (answer C), the web app will be able to access the data hosted on VM1 through the virtual network. The other
options do not directly address the requirement to allow webapp1 access to the data hosted on VM1. An internal load balancer and a peered
virtual network may provide other benefits, but they would not by themselves ensure that webapp1 can access the data hosted on VM1. An Azure
Application Gateway is a reverse proxy that is often used for load balancing, SSL termination, and URL-based routing, but it would not directly
allow webapp1 to access the data hosted on VM1.
upvoted 2 times

  jp_mcgee 6 months, 3 weeks ago

Corect Answer C:

C. Connect webapp1 to VNET1

"The App Service virtual network integration feature enables your apps to access resources in or through a virtual network."
https://learn.microsoft.com/en-us/azure/app-service/overview-vnet-integration

D. Deploy an Azure Application Gateway

"Azure Application Gateway is a web traffic load balancer that enables you to manage traffic to your web applications." see here:
https://learn.microsoft.com/en-us/azure/application-gateway/overview
upvoted 4 times

  EmnCours 9 months, 3 weeks ago

Selected Answer: C
Correct Answer: C
upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 290/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  nkhan19 11 months ago

Selected Answer: C
VNet Integration can be used
upvoted 2 times

  Lazylinux 11 months, 4 weeks ago

Selected Answer: C
C is correct and means is VNET integration
upvoted 2 times

  Lazylinux 11 months, 4 weeks ago

More info
Azure Web App – VNET Integration
Since we know that Azure Web App is predominately for public access and that is does NOT have Internal IP address therefore it is NOT possible
for either the Azure Web App or internal Apps or DBS to communicate with each other and this is where VNET INTEGRATION comes into play. It
Allows App Service to access the resources within the VNET
VNET Integration allows ONLY the Azure Web App to communicate internally and NOT other way round I.e. internal Apps cannot communicate
directly with Azure Web APP. Example => lets say we have Azure Web App called AppDB and this App needs to communicate with internal
Database VM in order to process requests, this can only be done via VNET Integration where AppDB initiates the contact with DB VM and the
DB VM will pass back the required information in order to satisfy the request BUT DB VM or any other internal VM can NEVER make direct
communication with AppDB I.e. IT DOES NOT allow private inbound access to your Web App (AppDB) from the virtual Network. As per diagram
below
upvoted 8 times

  EleChie 1 year ago

I think answer is "C"
Virtual network integration gives your app access to resources in your virtual network, but it doesn't grant inbound private access to your app from
the virtual network. Private site access refers to making an app accessible only from a private network, such as from within an Azure virtual network.
Virtual network integration is used only to make outbound calls from your app into your virtual network. The virtual network integration feature
behaves differently when it's used with virtual networks in the same region and with virtual networks in other regions.

https://docs.microsoft.com/en-us/azure/app-service/overview-vnet-integration
upvoted 2 times

  Bellonaire 1 year, 1 month ago

I think the answer should be C , utilizing web app VNET integration. https://docs.microsoft.com/en-us/azure/app-service/web-sites-integrate-with-
vnet
upvoted 1 times

  yangxs 1 year, 4 months ago

Selected Answer: C
D is wrong. App Gateway cannot pass SQL traffic
upvoted 2 times

  vihanga93 1 year, 5 months ago

Selected Answer: C
I think the answer should be C.
upvoted 1 times

  Sara_Mo 1 year, 5 months ago

C. Connect webapp1 to VNET1
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 291/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #15 Topic 5

You create an Azure VM named VM1 that runs Windows Server 2019.
VM1 is configured as shown in the exhibit. (Click the Exhibit tab.)

You need to enable Desired State Configuration for VM1.

What should you do first?

A. Connect to VM1.

B. Start VM1.

C. Capture a snapshot of VM1.

D. Configure a DNS name for VM1.

Correct Answer: B
Status is Stopped (Deallocated).
The DSC extension for Windows requires that the target virtual machine is able to communicate with Azure.
The VM needs to be started.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/dsc-windows

Community vote distribution

B (100%)

  mlantonis Highly Voted  2 years ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 292/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Correct Answer: B

Status is Stopped (Deallocated). The DSC extension for Windows requires that the target Virtual Machine is able to communicate with Azure. First
you start the VM, because you need VM online to deploy DSC Extension.

Reference:

https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/dsc-windows
upvoted 68 times

  sri1972 Highly Voted  2 years, 5 months ago

Came in 01/09/21 exam. Passed exam with 906 marks. 98% of the questions are from this dump.
upvoted 65 times

  AlexJacobson 2 years ago

I don't consider this "a dump", actually. I believe the vast majority of people here (me included) are actually studying for the exam hard (reading
online documentation, experimenting in their Azure subscription, etc.) and using this just as a way to plug the holes in their knowledge (as one
simply can't know every single detail and possible scenario regarding Azure).
upvoted 153 times

  greeklover84 3 months, 1 week ago

exactly.....plugging holes in our knowledge..... and get a feedback from people tried the exam !!!
upvoted 1 times

  StreetRat 1 year, 3 months ago

100$ agreed Alex. Secondly I dont understand why is Microsoft testing this kind of stupidity? They should give us simulations and ask to
solve the problems, make the exam 2 Hours - 10 - 15 simulations and 10 - 15 straight forward questions based on what they have actually
published rather than wondering all the time what are they going to ask.
upvoted 14 times

  Asymptote 7 months, 1 week ago

Agree,
here all we can get is how Microsoft structured their exam,
and we do not get absolute ansers from here,
it require candidates have the knowledge to make extra effort for securing the exam.
upvoted 2 times

  dimsok 5 months ago

This is obviously far away from the truth
upvoted 2 times

  smaa 1 year, 6 months ago

Hi, is it 98% from the whole set? Or 98 % from topic5 questions? Thanks.
upvoted 1 times

  zzreflexzz Most Recent  1 month, 2 weeks ago

on exam 4/29/23
upvoted 1 times

  Rwj 1 month ago

how many from this dump? are these legit? taking exam next week
upvoted 1 times

  vbohr899 3 months, 2 weeks ago

Cleared Exam today 26 Feb, This question was there in exam.
upvoted 4 times

  EmnCours 9 months, 3 weeks ago

Selected Answer: B
Correct Answer: B
upvoted 1 times

  Gino_Slim 11 months, 2 weeks ago

I'm starting not to believe all of these "This was on my test"...then why are you here if you passed...?
upvoted 11 times

  KrisDeb 10 months, 3 weeks ago

B-O-T-S
upvoted 6 times

  Lazylinux 11 months, 4 weeks ago

Selected Answer: B
i Luv Honey Because it is B

Start the VM as it is deallocated

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 293/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 2 times
  josevirtual 1 year, 2 months ago
Selected Answer: B
Start the VM, correct
upvoted 1 times

  InvisibleShadow 1 year, 3 months ago

This question came in the exam today 8/Mar/2022.
I passed the exam, 95% questions came from here.
upvoted 2 times

  sid132 1 year, 3 months ago

On the exam today, 4.March.2022
upvoted 2 times

  im82 1 year, 6 months ago

Was on exam today 19.11.2021. Passed with 920.
Correct answer: B
upvoted 6 times

  rohitmedi 1 year, 9 months ago

Correct..
upvoted 1 times

  AubinBakana 1 year, 9 months ago

I can't believe I read you need to disable the DSC. Haha... Answer is correct
upvoted 1 times

  ZUMY 2 years, 3 months ago

B is correct!
upvoted 4 times

  toniiv 2 years, 3 months ago

Answer B. is correct. First you start the VM. You need VM online to deploy DSC Extension
upvoted 4 times

  waterzhong 2 years, 4 months ago

The extension uploads and applies a PowerShell DSC Configuration on an Azure VM. The DSC Extension calls into PowerShell DSC to enact the
received DSC configuration on the VM.
upvoted 5 times

  dadageer 2 years, 5 months ago

Answer correct! you cannot apply DSC if VM is shut.
upvoted 4 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 294/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #16 Topic 5

You have five Azure virtual machines that run Windows Server 2016. The virtual machines are configured as web servers.
You have an Azure load balancer named LB1 that provides load balancing services for the virtual machines.
You need to ensure that visitors are serviced by the same web server for each request.
What should you configure?

A. Floating IP (direct server return) to Disabled

B. Session persistence to None

C. Floating IP (direct server return) to Enabled

D. Session persistence to Client IP

Correct Answer: D
With Sticky Sessions when a client starts a session on one of your web servers, session stays on that specific server. To configure An Azure
Load-Balancer For
Sticky Sessions set Session persistence to Client IP or to Client IP and protocol.
On the following image you can see sticky session configuration:
Note:
✑ Client IP and protocol specifies that successive requests from the same client IP address and protocol combination will be handled by the
same virtual machine.
✑ Client IP specifies that successive requests from the same client IP address will be handled by the same virtual machine.
Reference:
https://cloudopszone.com/configure-azure-load-balancer-for-sticky-sessions/

Community vote distribution

D (100%)

  mtec2017 Highly Voted  1 year, 11 months ago

This is correct
upvoted 9 times

  nicktco Highly Voted  2 months, 2 weeks ago

from now on, you will see this question appears 10 times, good luck:)
upvoted 8 times

  Juanchooo Most Recent  4 weeks ago

Came in my exam today 17/05/23
upvoted 1 times

  vbohr899 3 months, 2 weeks ago

Cleared Exam today 26 Feb, This question was there in exam.
upvoted 3 times

  CyberKelev 3 months, 2 weeks ago

Selected Answer: D
D. Session persistence to Client IP.

To ensure that visitors are serviced by the same web server for each request, you need to enable session persistence, which maps a client's session
to a specific server. In this case, you would want to use Client IP session persistence so that subsequent requests from the same client are sent to
the same web server.

Floating IP (direct server return) is an option that enables traffic to bypass the load balancer and go directly to the backend servers. This is typically
used for scenarios where the backend servers need to return traffic directly to the client, such as for media streaming or UDP-based protocols.
However, it is not relevant for ensuring session persistence.
upvoted 3 times

  Bigc0ck 5 months, 1 week ago

This was on my 2nd test
upvoted 2 times

  meeko86 6 months ago

Selected Answer: D
Answer D: Session persistence to Client IP
https://learn.microsoft.com/en-us/azure/load-balancer/distribution-mode-concepts

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 295/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Session persistence mode has two configuration types:

Client IP (2-tuple) - Specifies that successive requests from the same client IP address will be handled by the same backend instance.
Client IP and protocol (3-tuple) - Specifies that successive requests from the same client IP address and protocol combination will be handled by
the same backend instance.
upvoted 6 times
  favela 9 months, 1 week ago
Correct passed with 900 score
upvoted 4 times

  EmnCours 9 months, 1 week ago

Selected Answer: D
D. Session persistence to Client IP
upvoted 1 times

  virgilpza 9 months, 1 week ago

Selected Answer: D
this is correct - sticky/ persistent sessions to the client ip
upvoted 1 times

  pappkarcsiii 1 year, 4 months ago

Selected Answer: D
Ans: D. Session persistence to Client IP
upvoted 2 times

  JESUSBB 1 year, 6 months ago

In the exam today 11-DEC-2021
Ans: D. Session persistence to Client IP
upvoted 4 times

  stevhas 1 year, 6 months ago

Passed exam today 11/19/21 only about 25-30% of the question are in this dump. Suggestion, do not rely solely on dumps. MS learn, udemy etc.
had like 5 different case scenarios where they throw a lot of white noise in to confuse.
upvoted 4 times

  rohitmedi 1 year, 9 months ago

Correct D
upvoted 2 times

  [Removed] 1 year, 9 months ago

This is correct answer. What we have to do after Topic4 Q-30 ? Does anyone has valid discount code to unlock next set of questions ?
upvoted 2 times

  Kamex009 1 year, 9 months ago

This question was asked on exam taken on 8/22/2021
upvoted 4 times

  Dajmahn 1 year, 11 months ago

On exam 7/13/21
upvoted 7 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 296/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #17 Topic 5

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that
might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription that contains the following resources:
✑ A virtual network that has a subnet named Subnet1
✑ Two network security groups (NSGs) named NSG-VM1 and NSG-Subnet1
✑ A virtual machine named VM1 that has the required Windows Server configurations to allow Remote Desktop connections
NSG-Subnet1 has the default inbound security rules only.
NSG-VM1 has the default inbound security rules and the following custom inbound security rule:
✑ Priority: 100
✑ Source: Any
✑ Source port range: *
✑ Destination: *
✑ Destination port range: 3389
✑ Protocol: UDP
✑ Action: Allow
VM1 has a public IP address and is connected to Subnet1. NSG-VM1 is associated to the network interface of VM1. NSG-Subnet1 is associated to
Subnet1.
You need to be able to establish Remote Desktop connections from the internet to VM1.
Solution: You add an inbound security rule to NSG-Subnet1 that allows connections from the Any source to the *destination for port range 3389
and uses the TCP protocol. You remove NSG-VM1 from the network interface of VM1.
Does this meet the goal?

A. Yes

B. No

Correct Answer: B
The default port for RDP is TCP port 3389. A rule to permit RDP traffic must be created automatically when you create your VM.
Note on NSG-Subnet1: Azure routes network traffic between all subnets in a virtual network, by default.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/troubleshooting/troubleshoot-rdp-connection

Community vote distribution

A (68%) B (32%)

  ihavespoken Highly Voted  2 years, 6 months ago

My comments were incorrect, late night study :-). The answer is Yes. The main point i miss was that NSG-Subnet 1 is correctly modified with TCP
3389 and NSG-VM1 is removed. In this case you should be able to connect.
- "Solution: You add an inbound security rule to NSG-Subnet1 that allows connections from the Any source to the *destination for port range 3389
and uses the TCP protocol. You remove NSG-VM1 from the network interface of VM1."
upvoted 99 times

  joergsi 1 year, 5 months ago

we only want to have RDP to VM1, but with this rule, we would allow RDP to all VMs in the Network, because of this I would go for No (B)
upvoted 6 times

  bartfto 1 month, 2 weeks ago

Nowhere does it say it has to be exclusive to VM1.
upvoted 1 times

  itguy2 1 year, 3 months ago

the question was specific to VM1.. didn't mention anything about all VMs so answer is A
upvoted 4 times

  Junhui74 1 year, 10 months ago

reference to https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works , answer is yes
upvoted 1 times

  Hibs2016 2 years, 6 months ago

Agreed answer is incorrect. The answer should be Yes.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 297/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 12 times
  al2 2 years, 1 month ago
Then how come this Q has two correct answers? both this one here and the one on the next page are correct? I assume if this one is partly
correct, then I'll go with NO for this one and YES for the one next page which is "more" correct. wdyt?
upvoted 1 times

  RamanAgarwal 2 years ago

On next question the protocol used for subnet nsg is UDP which is wrong hence the answer is No.
upvoted 2 times

  rdsserrao 1 year, 11 months ago

It works with both TCP and UDP protocols
upvoted 2 times

  mlantonis 2 years ago

Some question sets might have more than one correct solution, while others might not have a correct solution.
upvoted 6 times

  mlantonis Highly Voted  2 years ago

Correct Answer: A - Yes

By adding the rule to NSG-Subnet1 you are allowing RDP on Subnet level. Then you delete NSG-VM1, so you are able to RDP.
Note: A rule to permit RDP traffic may not be created automatically when you create your VM.

Reference:
https://docs.microsoft.com/en-us/troubleshoot/azure/virtual-machines/troubleshoot-rdp-connection
upvoted 61 times

  Slimus 2 weeks, 3 days ago

Agree! there is only one NSG on sub-net level remain.
upvoted 1 times

  lafegob 5 months, 2 weeks ago

yep agree , we need to remove NSG-VM1 because it has already a rule to allow UDP. And the RDP connection will use tcp but will try to make
use of udp too in order to improve the connection delay.
upvoted 1 times

  meeko86 6 months, 2 weeks ago

Answer Yes.
Remote Desktop Protocol (RDP) is a Microsoft proprietary protocol that enables remote connections to other computers, typically over TCP port
3389. It provides network access for a remote user over an encrypted channel.
https://www.cisecurity.org/insights/white-papers/security-primer-remote-desktop-
protocol#:~:text=Overview,user%20over%20an%20encrypted%20channel.
upvoted 1 times

  ivan0590 Most Recent  1 month ago

Selected Answer: A
Answer is A.
The question clearly states ‘You need to be able to establish Remote Desktop connections from the internet to VM1’.
It says nothing about restricting RDP traffic in the subnet.
The proposed solution is not the best possible solution, but it would work. You would be able to establish an RDP connection to VM1 and the rest
of the VMs in the subnet.
upvoted 1 times

  Exilic 1 month, 2 weeks ago

Selected Answer: B
OpenAI

"B. No.

The solution provided is not correct as it adds an inbound security rule for TCP protocol to NSG-Subnet1 and removes NSG-VM1 from the network
interface of VM1. However, the custom inbound security rule in NSG-VM1 is for UDP protocol, not TCP, and removing NSG-VM1 from the network
interface of VM1 would also remove the custom inbound security rule that allows Remote Desktop connections.

To meet the goal of establishing Remote Desktop connections from the internet to VM1, you should add a custom inbound security rule to NSG-
VM1 that allows connections from the internet to the public IP address of VM1 for port 3389 using the TCP protocol. The rule should have a lower
priority than the existing custom inbound security rule in NSG-VM1 to ensure that it is evaluated first."
upvoted 2 times

  morito 3 months ago

Selected Answer: A
Answer is Yes, albeit its a really weird way to solve this. From applying the same NSG to an interface and a Vnet, to allowing RDP into a whole
network instead of scoping it to a single server.
upvoted 2 times

  CyberKelev 3 months, 2 weeks ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 298/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Selected Answer: B
No, this does not meet the goal because the NSG-VM1 has a custom inbound security rule that allows connections on UDP protocol to port 3389,
which is required for Remote Desktop Protocol (RDP) on Windows. By removing NSG-VM1 from the network interface of VM1, this rule would be
deleted, and RDP connections would not be allowed. The correct solution would be to add an inbound security rule to NSG-VM1 that allows
connections from the Internet to the *destination for port range 3389 and uses the TCP protocol. This would allow RDP connections to VM1 from
the Internet while still maintaining the security of the subnet using NSG-Subnet1.
upvoted 2 times

  loner_123 3 months, 1 week ago

"and RDP connections would not be allowed."
Who is there to deny the RDP connections? There is no NSG assigned to the VM to do this.
upvoted 1 times

  khaled_razouk 5 months, 1 week ago

Selected Answer: B
No
The custom inbound security rule in NSG-VM1 allows connections from Any source to the destination for port range 3389 using the UDP protocol,
which is required for Remote Desktop connections. Removing NSG-VM1 from the network interface of VM1 will remove this security rule and
prevent Remote Desktop connections to VM1. To allow Remote Desktop connections from the internet to VM1, you should keep NSG-VM1
associated to the network interface of VM1 and add the necessary inbound security rule to NSG-Subnet1.
upvoted 1 times

  GBAU 4 months ago

" You remove NSG-VM1 from the network interface of VM1"
All rules in NSG-VM1 are now irrelevant.
Answer is A (Yes)
upvoted 2 times

  BYNeo 7 months ago

Selected Answer: B
It menton that "You need to be able to establish Remote Desktop connections from the internet to VM1", if we choose A, mean allow connections
from the Any source to the *destination for port range 3389 and uses the TCP protocol which I do not agree.
upvoted 1 times

  Pear7777 6 months, 1 week ago

B, the snagg is in the *destination .. there's no designated destination
upvoted 1 times

  GBAU 4 months ago

"VM1 has a public IP address"
Connect to this public IP on 3389 which NSG-Subnet1 allows through (You add an inbound security rule to NSG-Subnet1 that allows
connections from the Any source to the *destination for port range 3389 and uses the TCP protocol).
NSG-VM1 is irrelevant as it is removed from VM1s NIC

Answer is A: Yes
upvoted 1 times

  matejka 7 months, 2 weeks ago

Selected Answer: A
Definitely yes. Add a rule to subnet which allows the connection and remove the rule on VM-NIC level that denies the connection.
upvoted 2 times

  CJWit 7 months, 2 weeks ago

the big clue is UDP..... lol
upvoted 1 times

  GBAU 4 months ago

Nope, the big clue is "You remove NSG-VM1 from the network interface of VM1"
upvoted 1 times

  hitit 8 months ago

Yes
RDP version 8 use UDP 3389 but the later version RDP is not use UDP3389 no more.
Condition show the usp 3390 allow rule, to enable RDS, create new rule for TCP 3389
upvoted 2 times

  Jeff8989 8 months, 1 week ago

Selected Answer: A
This is a poorly worded question. RDP protocol can work on both TCP and UDP. Microsoft recommends adding NSG groups at the subnet level as
adding NSG at the NIC level can be complex when it comes to troubleshooting and management. Therefore I lean towards answer A. But
technically having a NSG attached to a subnet and another attached to the NIC at the same time works as long as the NSG rules on both subnet
and NIC level allow the same kind of traffic (with ports, protocols etc.)
upvoted 3 times

  awssecuritynewbie 8 months, 4 weeks ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 299/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Selected Answer: A
Yes! the reason is because a SUBNET OR NIC that has no NSG will allow all traffic. The current NSG only applies to UDP 3389, which the question
states and also we know that RDP (3389) is actually TCP. So therefore by removing the NSG the traffic will flow.
upvoted 2 times

  MartyMart 9 months, 3 weeks ago

Selected Answer: A
Correct answer is A. Note: NSG-VM1 was removed.
upvoted 1 times

  EmnCours 9 months, 3 weeks ago

Selected Answer: A
Correct Answer: A
upvoted 1 times

  regazzi 10 months, 2 weeks ago

Selected Answer: A
tested
upvoted 2 times

  pkg007 11 months ago

Answer is Yes
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 300/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #18 Topic 5

Protocol: UDP -

✑ Action: Allow
VM1 has a public IP address and is connected to Subnet1. NSG-VM1 is associated to the network interface of VM1. NSG-Subnet1 is associated to
Subnet1.
You need to be able to establish Remote Desktop connections from the internet to VM1.
Solution: You add an inbound security rule to NSG-Subnet1 that allows connections from the internet source to the VirtualNetwork destination for
port range 3389 and uses the UDP protocol.
Does this meet the goal?

A. Yes

B. No

Community vote distribution

B (77%) A (23%)

  mlantonis Highly Voted  2 years ago

Correct Answer: B - No

The default port for RDP is TCP port 3389.

Reference:

https://docs.microsoft.com/en-us/troubleshoot/azure/virtual-machines/troubleshoot-rdp-connection
upvoted 51 times

  aMiPL Highly Voted  2 years, 4 months ago

Such a silly question :).
By default it will not work but you can make it work so there isn't really a good answer xD.

By default servers accepts on both TCP and UDP.

UDP will work as long as client machine(the one you are connecting from) will have registry updated to use UDP by default :>

So the answer is "No" in but you can actually make it work if you change settings outside of azure.
upvoted 15 times

  Exilic Most Recent  1 month, 2 weeks ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 301/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Selected Answer: B
OpenAI

"No, this solution will not meet the goal. The current inbound security rule in NSG-VM1 allows Remote Desktop connections using the TCP
protocol on port 3389. The proposed inbound security rule in NSG-Subnet1 allows connections using the UDP protocol, which is not used for
Remote Desktop connections. Therefore, you should add an inbound security rule to NSG-VM1 that allows connections from the internet source to
the VirtualNetwork destination for port range 3389 and uses the TCP protocol."
upvoted 1 times

  CyberKelev 3 months, 2 weeks ago

Selected Answer: B
No, this solution will not meet the goal as Remote Desktop Protocol (RDP) uses TCP, not UDP. The inbound security rule should be configured to
allow connections from the internet source to the VirtualNetwork destination for port range 3389 and use the TCP protocol, not UDP. Additionally,
the NSG-VM1 should remain associated with the network interface of VM1 as it allows the RDP traffic to reach the virtual machine.
upvoted 1 times

  Bigc0ck 5 months, 1 week ago

On my 2nd test
upvoted 1 times

  EmnCours 9 months, 3 weeks ago

Selected Answer: B
Correct Answer: B
The default port for RDP is TCP port 3389
upvoted 1 times

  pkg007 11 months ago

I just tested - Crated an Azure VM ( windows Server ) with RDP coonections it showing RDP connection on TCP protocol port 3389. When you try to
add an inbound rule and select "RDP" - it will automatically select "TCP" protocol and Destination port range " 3389" connection Answer is B
upvoted 2 times

  nkhan19 11 months ago

Selected Answer: B
RDP works on TCP 3389
upvoted 2 times

  minix 11 months, 3 weeks ago

came in today's exam 25/6/2022
upvoted 2 times

  Lazylinux 11 months, 4 weeks ago

Selected Answer: B
No for sure 3389 is TCP not UDP
upvoted 2 times

  amunator 1 year ago

Selected Answer: B
RDP use TCP protocol, not UDP.
upvoted 1 times

  sjb666 1 year, 1 month ago

Selected Answer: B
Answer is B. Have also tested in lab, definitely can't connect to UDP 3389 alone (although it is cited on several sites that it improves the experience
in some cases).
upvoted 3 times

  InvisibleShadow 1 year, 3 months ago

This question came in the exam today 8/Mar/2022.
I passed the exam, 95% questions came from here.
upvoted 1 times

  carmash 1 year, 3 months ago

Selected Answer: B
B. RDP uses TCP
upvoted 4 times

  hm67 1 year, 4 months ago

Selected Answer: A
RDP default TCP not UDP. Traffic is denied by the DenyAllInbound default security rule.
upvoted 4 times

  hm67 1 year, 4 months ago

Click the wrong answer, should be B.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 302/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 1 times
  csgx 1 year, 4 months ago
Selected Answer: B
UDP is the key to choose B..
upvoted 2 times

  yangxs 1 year, 4 months ago

Selected Answer: A
Should be Yes. There is nothing block the traffic.
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 303/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #19 Topic 5

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that
might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription that contains the following resources:
✑ A virtual network that has a subnet named Subnet1
✑ Two network security groups (NSGs) named NSG-VM1 and NSG-Subnet1
✑ A virtual machine named VM1 that has the required Windows Server configurations to allow Remote Desktop connections
NSG-Subnet1 has the default inbound security rules only.
NSG-VM1 has the default inbound security rules and the following custom inbound security rule:
✑ Priority: 100
✑ Source: Any
✑ Source port range: *
✑ Destination: *
✑ Destination port range: 3389
✑ Protocol: UDP
✑ Action: Allow
VM1 has a public IP address and is connected to Subnet1. NSG-VM1 is associated to the network interface of VM1. NSG-Subnet1 is associated to
Subnet1.
You need to be able to establish Remote Desktop connections from the internet to VM1.
Solution: You add an inbound security rule to NSG-Subnet1 and NSG-VM1 that allows connections from the internet source to the VirtualNetwork
destination for port range 3389 and uses the TCP protocol.
Does this meet the goal?

A. Yes

B. No

Correct Answer: A
The default port for RDP is TCP port 3389. A rule to permit RDP traffic must be created automatically when you create your VM.
Note on NSG-Subnet1: Azure routes network traffic between all subnets in a virtual network, by default.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/troubleshooting/troubleshoot-rdp-connection

Community vote distribution

A (57%) B (43%)

  fedztedz Highly Voted  2 years, 5 months ago

Answer is correct. YES.
To enable RDP, you need to add "Allow" rule for 3389 port on TCP protocol. this is matches the given suggested solution.
For the existing custom rule, priority doesn't matter if it is 100 or not. As "Network security group security rules are evaluated by priority using the
5-tuple information (source, source port, destination, destination port, and protocol) to allow or deny the traffic." So Azure checks the first rule, it
finds that it has UDP. then It will check the second rule, it will find allow TCP on port 3389. So it will allow. Since the protocols are different, so those
are totally different rules.
Please read the page https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview
upvoted 61 times

  jam7272 2 years, 2 months ago

Exactly this! The rule is evaluated, if the rule is not matched it moves on to the next rule. So in this case the UDP rule is effectively ignored
because the traffic is TCP. The TCP rule then permits the traffic.
upvoted 1 times

  lcdr_scl 2 years ago

Agree!! Yes and tested
upvoted 4 times

  Kopy 1 year, 9 months ago

Once traffic matches a rule, processing stops. As a result, any rules that exist with lower priorities (higher numbers) that have the same attributes
as rules with higher priorities are not processed.
upvoted 1 times

  Kopy 1 year, 9 months ago

but what the guy is saying is valid as they are both different rules (protocols)
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 304/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 2 times
  boozy 2 years, 2 months ago
Agree! YES!
Because RDP TCP is allowed at subnet and on VM level NSGs.
"You add an inbound security rule to NSG-Subnet1 and NSG-VM1 that allows connections from the internet source to the VirtualNetwork
destination for port range 3389 and uses the TCP protocol."
upvoted 3 times

  mlantonis Highly Voted  2 years ago

Correct Answer: A - Yes

RDP TCP is allowed at Subnet and on VM level NSGs.

The default port for RDP is TCP port 3389.
To enable RDP, you need to add "Allow" rule for 3389 port on TCP protocol.

Reference:

https://docs.microsoft.com/en-us/troubleshoot/azure/virtual-machines/troubleshoot-rdp-connection
upvoted 33 times

  isijama Most Recent  6 days, 7 hours ago

Selected Answer: A
"To allow port x to the virtual machine, both NSG1 and NSG2 must have a rule that allows port x from the internet." Or, in this scenario the port
would be 3389, so the answer is YES.
upvoted 1 times

  isijama 6 days, 7 hours ago

reference:
https://learn.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works
upvoted 1 times

  RandomNickname 1 week ago

Selected Answer: A
Agree with existing comments, RDP doesn't explicitly require UDP, so TCP will work.

Answer should be correct.

upvoted 1 times

  picho707 1 week, 5 days ago

Correct. It is "YES" because the two NSG are allowing TCP and UDP 3389 to the subnet and VM.
upvoted 1 times

  Exilic 1 month, 2 weeks ago

Selected Answer: B
OpenAI

"No, the proposed solution is not correct.

The existing custom inbound security rule on NSG-VM1 is already allowing inbound traffic on port 3389 using the UDP protocol. However, Remote
Desktop Protocol (RDP) uses TCP protocol, not UDP.

To meet the goal of being able to establish Remote Desktop connections from the internet to VM1, you need to modify the existing custom
inbound security rule on NSG-VM1 to use the TCP protocol instead of UDP.

Adding an inbound security rule to NSG-Subnet1 is not necessary as it only affects inbound traffic to resources within the subnet and does not
have any impact on inbound traffic to VM1."
upvoted 1 times

  djgodzilla 2 months, 2 weeks ago

even ChatGPT pleads the fifth:
"In your specific case, if you have an inbound NSG rule that allows traffic on port 3389 using TCP protocol and another inbound rule that allows
traffic on port 3389 using UDP protocol, both rules will be evaluated in the order described above. If there are no default rules in the NSG, the rule
with the lowest priority number will be evaluated first.

Assuming the priority numbers are the same for both rules, the next evaluation will be based on the traffic direction. Inbound rules are evaluated
first, so both rules will be evaluated. Finally, the rules will be evaluated based on their rule type. In this case, both rules are Allow rules, so the order
of evaluation does not matter."
upvoted 1 times

  CyberKelev 3 months, 2 weeks ago

Selected Answer: B
B. No.

The proposed solution is not correct because it adds a new inbound security rule that allows TCP protocol on port 3389 to both NSG-Subnet1 and
NSG-VM1, but the existing inbound security rule on NSG-VM1 allows UDP protocol on port 3389, not TCP. Therefore, the proposed solution does

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 305/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

not meet the goal of allowing Remote Desktop connections to VM1 from the internet.

To meet the goal, a new inbound security rule should be added to NSG-VM1 that allows TCP protocol on port 3389, in addition to the existing
inbound security rule that allows UDP protocol on port 3389. The inbound security rule on NSG-Subnet1 can remain as the default rule.
upvoted 3 times

  MrBlueSky 3 months, 1 week ago

This is wrong.

The existing NSG rule that allows UDP over 3389 can be ignored. RDP uses TCP, so it needs to allow TCP over port 3389. It also allowing UDP
over port 3389 doesn't break anything, even though it's not helping.
upvoted 1 times

  EmnCours 9 months, 3 weeks ago

Selected Answer: A
Correct Answer: A
upvoted 1 times

  Lu5ck 10 months, 3 weeks ago

Selected Answer: A
Removing NSG-VM1 simply means VM is no longer regulated by any NSG.
Adding rules that allow 3389 which is RDP port and on TCP protocol to NSG-Subnet means the subnet now allow RDP connections.
upvoted 1 times

  Dumber 10 months, 4 weeks ago

Selected Answer: A
after re-reading the solution multiple times... The anser is yes.
You add an inbound security rule to NSG-Subnet1 AND NSG-VM1.....

So both NSG's will have the TCP rule and hence it will be allowed.
upvoted 1 times

  pkg007 11 months ago

Tested in lab - Answer is Yes
upvoted 1 times

  nkhan19 11 months ago

Selected Answer: B
This wont work.

Remember there are 2 NSGs, one is assigned on NIC of the VM which has a UDP protocol and another on the Subnet which now is added with TCP
3389.

Both the NSG-VM1 and NSG-Subnet1 are evaluated one after the other and both the rules should allow this traffic.

Either remove the NSG-VM1 or change UDP to TCP.

upvoted 2 times

  trackstar 10 months, 3 weeks ago

The question clearly states: You add an inbound security rule to NSG-Subnet1 and NSG-VM1

The TCP rule allowing TCP 3389 (RDP) is created on BOTH NSGs.
Therefore the answer is yes.
upvoted 1 times

  minix 11 months, 3 weeks ago

came in today's exam 25/6/2022
upvoted 2 times

  Lazylinux 11 months, 4 weeks ago

Selected Answer: A
Yes both Subnet and NIC level rules are set to allow
upvoted 1 times

  fonte 1 year ago

Selected Answer: A
Allowing RDP in both NSG will do the trick.
upvoted 1 times

  TechIsi 1 year ago

Please ignor my last comment, answer is Yes
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 306/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #20 Topic 5

HOTSPOT -
You have a virtual network named VNet1 that has the configuration shown in the following exhibit.

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
NOTE: Each correct selection is worth one point.
Hot Area:

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 307/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Correct Answer:

Box 1: add an address space -

Your IaaS virtual machines (VMs) and PaaS role instances in a virtual network automatically receive a private IP address from a range that you
specify, based on the address space of the subnet they are connected to. We need to add the 192.168.1.0/24 address space.

Box 2: add a network interface -

The 10.2.1.0/24 network exists. We need to add a network interface.
Reference:
https://docs.microsoft.com/en-us/office365/enterprise/designing-networking-for-microsoft-azure-iaas

  vojehol452 Highly Voted  2 years, 6 months ago

- Add an address space
- Add a subnet
upvoted 200 times

  usamnkkid 2 months, 4 weeks ago

No you can't add 10.2.1.0/24 because it overlaps with 10.2.0.0/16. Check on Lab
upvoted 2 times

  usamnkkid 2 months, 4 weeks ago

No, I am wrong I am adding 10.2.1.0/24 in address space however it already exists. I need to add a subnet. I get confuse between address
spaces and subnets.
upvoted 4 times

  Alex2022_31 5 months, 1 week ago

Agree: Add an Address Space and then Add a subnet. Just tested it on the Portal and worked :)
upvoted 4 times

  Throwitawaynow Highly Voted  2 years, 6 months ago

Also wrong, the subnet range being created is 10.2.0.0 - 10.2.0.255 . So if you want to add an IP address from 10.2.1.0/24 you need to add a new
subnet.

Why are so many of these wrong?

upvoted 167 times

  AbleApe 4 months, 4 weeks ago

There are other similar dumps on the internet which have incorrect answers. My best guess is the base for these questions come from what the
Exam Topics team was able to find online. From that base their moderators can update the questions and community can vote on what looks
like the best option. Personally, I like to be able to read everyone's comments and read through the additional information and viewpoints.
Some of the questions are just bad in general and I like knowing I'm not the only one who thinks they're bad.
upvoted 4 times

  izzotop 8 months, 1 week ago

Some of them are obviously wrong and not getting corrected. It looks like this service is intentionally kind of paired with MS behind the scenes,
to force us learn on dumps instead of us trying to learn dumps answers by hard.
upvoted 1 times

  zewenwu 2 years, 4 months ago

don't you mean that the vnet range originally created is 10.2.0.0 - 10.2.255.255?
upvoted 5 times

  JamesDC 2 years, 4 months ago

so what?... if you don't have any subnet how can you use those IPs?... Throw is correct!
upvoted 8 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 308/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  tom999 2 years, 3 months ago

There is no dissent. Throw says the initial _subnet_ is 10.2.0.0 - 10.2.0.255. You say the initial vnet _address space_ is 10.2.0.0 - 10.2.255.255.
Both is true.

However, in the first question you have to _first_ add an address space. (and then a subnet)
In the second question you only have to add a subnet as 10.2.1.0/24 is within the vnet's address range 10.2.0.0/16
upvoted 10 times

  Nicksin 1 year, 11 months ago

Yeah there's tons, dunno how anyone is passing, lol.
upvoted 14 times

  jecawi9630 1 year, 11 months ago

You can almost ignore the answers / look at the questions, discussions, do your own research, and at the end if you didn’t already lose your
mind, then pass the exam 🤦🏻‍♂️
upvoted 37 times

  WindowAFX 1 year ago

I assume like most, people use this for study and if not clear research the answer. NOT just memorise the Qs and answers given on these
cheat sheets.
upvoted 4 times

  tita_tovenaar 1 year, 11 months ago

start to like this place. Tried some other sites with “correct” answers without comments and didn’t trust it, lol.
upvoted 9 times

  Exilic Most Recent  1 month, 2 weeks ago

OpenAI

"Before a virtual machine on VNet1 can receive an IP address from 192.168.1.0/24, you must first add a subnet. This is because the current address
space of VNet1 is 10.2.0.0/16, which does not include the 192.168.1.0/24 address range.

Before a virtual machine on VNet1 can receive an IP address from 10.2.1.0/24, no further action is required as this address range falls within the
existing address space of VNet1 (10.2.0.0/16) and a subnet with the required address prefix can be created within this address space."
upvoted 1 times

  habbey 1 month ago

In don't even know what to believe anymore
upvoted 2 times

  CyberKelev 3 months, 2 weeks ago

To allow a virtual machine on VNet1 to receive an IP address from 192.168.110/24, you must first add a network interface.

To allow a virtual machine on VNet1 to receive an IP address from 10.2.1.0/24, you must first add a subnet.
upvoted 2 times

  isaugar 4 months, 2 weeks ago

1. Add an address space
2. Add a subnet

Laboratory tested 100%

upvoted 4 times

  CloudNov 5 months ago

Please correct me if I am wrong. Box 1 should be "Delete Subnet". Without that not possible to edit the address space. Tested in lab
upvoted 1 times

  Bigc0ck 5 months, 1 week ago

definitly on test, i missed the first one. put delete a subnet by mistake
upvoted 5 times

  Georgego 5 months ago

Have been seeing you comment quite a bit on here, thanks for the heads up! Hopefully you have picked up your certificate by now.
upvoted 2 times

  spike15_mk 6 months, 1 week ago

First Answer: delete subnet
Explanation: Current IP Address Range of VNET1 is 10.2.0.0/16 with subnet 10.2.0.0/24. We want VM1 to get IP from 192.168.1.0/24. In order to do
that we need to change the IP address range of VNET1. We can not add a new IP address range on existing one. I see so many comments add an
address space.
1.Delete Subnet 10.2.0.0/24
2.Change the IP range Address Range in Address Space from 10.2.0.0/16 to 192.168.0.0/16
3.Add Subnet with 192.168.1.0/24
Second Answer: Add Subnet
The new Subnet with address10.2.1.0/24 is in the range of IP Address range of VNET1 10.2.0.0/16(10.2.0.0 to 10.2.255.255)
upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 309/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  Lexxsuse 5 months, 4 weeks ago

1 is wrong. One CAN add/remove/update address ranges. https://learn.microsoft.com/en-us/azure/virtual-network/manage-virtual-
network#add-or-remove-an-address-range
upvoted 1 times

  rupayan87 6 months, 3 weeks ago

The only subnet in the vnet is of address range 10.2.0.0/24
So address range usable for any VM is 10.2.0.4 to 10.2.0.254
For assigning the IP from the space 10.2.1.0/24 you need a subnet with that IP range.
upvoted 3 times

  ZakySama 7 months, 2 weeks ago

- Add an address space
- Add a subnet
upvoted 2 times

  micropbl4 8 months ago

ANS1: add an address space
ANS2: add a subnet
upvoted 1 times

  EmnCours 9 months, 1 week ago

ANS1: add an address space
ANS2: add a subnet
upvoted 3 times

  cypherx 9 months, 3 weeks ago

Add Address Space
Add Subnet
is correct imo, question specify 10.2.1.0/24 which is separate subnet to 10.2.0.0/24, if it was a /16 ET answer would be correct
upvoted 1 times

  MartyMart 9 months, 3 weeks ago

ANS1: add an address space
ANS2: add a subnet
upvoted 1 times

  EmnCours 9 months, 3 weeks ago

1.add an address space
2.add a subnet
upvoted 1 times

  David1990 9 months, 3 weeks ago

Box 1: add an address space –
Your IaaS virtual machines (VMs) and PaaS role instances in a virtual network automatically receive a private IP address from a range that you
specify, based on the address space of the subnet they are connected to. We need to add the 192.168.1.0/24 address space.

Box 2: add a subnet –

The 10.2.1.0/24 network exists. We need to add a network interface.
upvoted 3 times

  David1990 9 months, 3 weeks ago

Box 2: add a subnet –

The 10.2.1.0/24 network exists. We need to add a network interface.
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 310/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #21 Topic 5

You have an Azure subscription that contains a virtual network named VNET1. VNET1 contains the subnets shown in the following table.

Each virtual machine uses a static IP address.

You need to create network security groups (NSGs) to meet following requirements:
✑ Allow web requests from the internet to VM3, VM4, VM5, and VM6.
✑ Allow all connections between VM1 and VM2.
✑ Allow Remote Desktop connections to VM1.
✑ Prevent all other network traffic to VNET1.
What is the minimum number of NSGs you should create?

A. 1

B. 3

C. 4

D. 12

Correct Answer: C
Each network security group also contains default security rules.
Note: A network security group (NSG) contains a list of security rules that allow or deny network traffic to resources connected to Azure Virtual
Networks (VNet).
NSGs can be associated to subnets, individual VMs (classic), or individual network interfaces (NIC) attached to VMs (Resource Manager).
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/security-overview#default-security-rules

Community vote distribution

A (71%) B (29%)

  mlantonis Highly Voted  2 years ago

Correct Answer: A

NSGs can be associated to subnets, individual VMs (classic), or individual network interfaces (NIC) attached to VMs (Resource Manager). You can
associate zero, or one, NSG(s) to each VNet subnet and NIC in a virtual machine. The same NSG can be associated to as many subnets and NICs as
you choose.

So, you can create 1 NSG and associate it with all 3 Subnets.

- Allow web requests from internet to VM3, VM4, VM5 and VM 6: You need to add an inbound rule to allow Internet TCP 80 to VM3, VM4, VM5 and
VM6 static IP addresses.
- Allow all connections between VM1 & VM2: You do not need an NSG as communication in the same VNet is allowed by default, without even
configuring NSG.
- Allow remote desktop to VM1: You need to add an inbound rule to allow RDP 3389 in VM1’s static IP address .
- Prevent all other network traffic to VNET1: You do not need to configure any NSG as the there is explicit deny rule (DenyAllInbound) in every NSG.
upvoted 301 times

  Panapi 3 months, 3 weeks ago

Answer valid! This question was on the exam 22/02/2023. Scored 920. Thanks guys!
upvoted 9 times

  Durden871 3 months ago

There is no way you need 4. Congrats on the 920, but this might have been one of the few you got wrong.

From Udemy:
Explanation
Each VM has a static IP address. So, we can create multiple rules with in NSG to allow or block traffic based on IP address.

https://docs.microsoft.com/en-us/azure/virtual-network/security-overview
upvoted 1 times

  Slawekyo 2 months, 2 weeks ago

I think he meant that mlantonis's answer was valid

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 311/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 2 times
  usamnkkid 2 months, 4 weeks ago
The keyword here is each VM use a static IP.
upvoted 1 times

  Holydud 9 months, 4 weeks ago

Was on exam 19 Aug 2022. Scored 870. Around 85% questions were also on ET. Answered A
upvoted 15 times

  itgg11 1 year, 4 months ago

A is correct. Initially, I thought 3 NSGs were needed . but I was mixed up rules with NSGs. Only 1 NGS needed
upvoted 9 times

  JohnAvlakiotis Highly Voted  2 years, 6 months ago

I believe it's wrong. I would go with 1 NSG only. NSGs can associate to multiple subnets. There is no conflict in rules so all can be in 1 NSG. My
penny.
upvoted 103 times

  djgodzilla 5 months ago

You guys seriously think a decent admin would allow such a mess in his network?
let's put one NSG for the whole sub while we're at it .
if MSFT really put answer A as valid in the exam . Then their sending their certified folks right to the cliff.
so much for best practices smh!
upvoted 1 times

  MrBlueSky 3 months, 1 week ago

The knowledge it's testing here is "How many NSGs are needed to accomplish the below?"

Not "What is the best practice?"

It's gauging your understanding of NSGs

upvoted 2 times

  djgodzilla 5 months ago

*Subscription
upvoted 1 times

  djgodzilla 5 months ago

*they're
upvoted 1 times

  JohnAvlakiotis 2 years, 6 months ago

Hmm... now that I think of it, the last prereq of deny all other traffic makes it to go for 4.
upvoted 2 times

  JohnAvlakiotis 2 years, 6 months ago

Damn!.. I think I will choose 1 NSG, because based on priorities I believe you can answer all the requirements.
upvoted 11 times

  canbe20 2 years, 6 months ago

How it's possible with 1 NSG? Web requests for those 4 VMs require 1 NSG and RDP for VM1 requires 1 NSG, so at least 2 are required.
upvoted 1 times

  JulienYork 2 years, 6 months ago

They have the STATIC IP,
So you will provide the static ips of the vms as destinations and create rules per vm on ONE NSG
upvoted 15 times

  RoastChicken 1 year, 11 months ago

You attach a single NSG to each subnet.
upvoted 1 times

  ASIMIS 1 year, 11 months ago

NO NO NO, by default there will be a deny all at the bottom of all the rules. You dont need to create any deny traffic after adding allow
statements. By default there is an implicit deny all at the end. So JohnAvlakiotis is correct.
upvoted 3 times

  ASIMIS 1 year, 11 months ago

Sorry i meant to say that your first statement was correct. You only need one NSG with several allow rules.
upvoted 1 times

  d0bermannn 1 year, 11 months ago

as one time solution agreed, 1 nsg will work,
but in enterprise network rules better to implement: 1 rule =1 service
upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 312/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  Hafeezzahidi 2 years, 4 months ago

keyword to this question is "Minimum NSG", so you are right
upvoted 6 times

  zzreflexzz Most Recent  1 month, 2 weeks ago

on exam 4/29/23
upvoted 1 times

  Durden871 3 months ago

lol 4?! ET really wants you to get this question wrong. You need 1. I understand people saying 3. The 4th ask applies to all VMs, so why even have a
separate policy for it?
upvoted 1 times

  GBAU 4 months ago

Depends on how many NSGs already existed? Assuming ZERO

Answer A (1)

Lets call it NSG1

-Add Rule Priority 100 ANY-> 80/443 to IPs of VM3,4,5,6 Allow
-Add Rule Priority 101 ANY-> 3389 to IP of VM1 Allow
-Default Rule Deny Prevents all other inbound connections
Apply it to all Subnets

Job Done
upvoted 1 times

  Mo22 4 months, 1 week ago

Selected Answer: B
One NSG for the web requests from the internet to VM3, VM4, VM5, and VM6.
One NSG for the connections between VM1 and VM2.
One NSG for the Remote Desktop connections to VM1.
By configuring these NSGs, you can allow the required traffic and prevent all other network traffic to VNET1.
upvoted 2 times

  MrBlueSky 3 months, 1 week ago

Wrong.

There's nothing stopping you from putting all the rules into a single NSG and then attaching the one NSG to every subnet.
upvoted 2 times

  CloudNov 4 months, 4 weeks ago

Should be A: 1, tested in Lab
upvoted 1 times

  darthfodio 5 months, 2 weeks ago

The correct answer should include more than 1 NSG. MeasureUp practice questions for this exam include a question with this exact scenario but
with 7 VMs. I chose 1 NSG as my answer and got the question wrong. The answer was 3 NSGs. Microsoft also throws a hint in the wording of the
question that their expecting more than 1 NSG, by stating "network security groups (NSGs)."
upvoted 1 times

  darthfodio 5 months, 2 weeks ago

Here is the solution explanation by Measure up:

You need to create at least three security groups (NSGs). These would include:

- One NSG assigned to Subnet(x) and Subnet(y) to allow connections from the internet and deny any other connections.
- One NSG assigned to Subnet(n) to allow connections between virtual machines (VMs) and deny any other connections.
- One NSG assigned to VM to Deny (or Allow for this scenario) Remote Desktop connections.
You can assign the same NSG to multiple subnets.

The recommended method to manage network security through NSGs is to use NSGs assigned at the subnet level whenever possible. NSGs
should be assigned directly to VMs only as necessary to handle exceptions.
upvoted 1 times

  darthfodio 5 months, 2 weeks ago

References:

Create, change, or delete a network security group - https://learn.microsoft.com/en-us/azure/virtual-network/manage-network-security-

group?tabs=network-security-group-portal

Create, change, or delete a network interface - https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface?

tabs=network-interface-portal

Network security groups - https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview

upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 313/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  spike15_mk 5 months, 3 weeks ago

Correct Answer is 4 NSGs

Explanation:
You can not associate multiple Subnet to 1 NSG (Subnet Level)
1. NSG1-Subnet2 (VM3 and VM4 Allow web request)
2. NSG2-Subnet3 (VM5 and VM6 Allow web request)
3. NSG3-Subnet1 (VM1 and VM2 Prevent all other network traffic to VNET1)
4.NSG4-NICVM1 (Allow Remote Desktop connections to VM1 not VM2 we must set on NIC)
upvoted 1 times

  chikorita 4 months, 1 week ago

i wish there was a DOWNVOTE option
upvoted 2 times

  cassucena 7 months, 1 week ago

I would go for 01 NSG but at the simulated test by Microsoft (enterprise Skills) the answer is B, 03 NSGs.
upvoted 2 times

  shoutiv 6 months, 4 weeks ago

Agree, 3 NSGs. There was explanation if I remember correctly:
- First NSG assigned to Subnet 2 and Subnet3 to allow connections from internet and deny other traffic
- Second NSG assigned to Subnet1 to allow connections between Vms (1 and 2) and deny other traffic
- Third NSG assigned to VM1 to allow RDP
upvoted 1 times

  obatunde 8 months, 2 weeks ago

Selected Answer: A
You only need to create one NSG and you can associate it with all the three subnets
upvoted 1 times

  EmnCours 9 months, 3 weeks ago

Selected Answer: A
Correct Answer: A
upvoted 1 times

  King4o 10 months, 1 week ago

every fucking question is wrong ,I am really pissed off
upvoted 3 times

  nkhan19 11 months ago

Selected Answer: B
Answer is 3 NSGs.

NSG can be associated with Subnet or NIC of the VMs,

Look at first condition, VM3,VM4 (1 NSG on subnet) & VM5, VM6 (1 NSG on subnet). there goes your A into trash.

One more is needed for RDP and block other traffic. 3 NSG it is!
upvoted 2 times

  MarkMac 11 months, 4 weeks ago

I was looking for "2" as that seems to be the best answer. Having an NSG associated to each subnet per protocol, allows it to managed much easier
than having to maintain a rule list of IPs. Just wondering what MS is actually encouraging Admins to do. :-/
upvoted 1 times

  Lazylinux 11 months, 4 weeks ago

Selected Answer: A
A is correct..Silly me i mixed up rules with NSG!! luckily no answer shows 2 as this is number of rules needed and because of that i rethink the
answer and yes it is 1 NSG..
1NSG can be linked to multiple subnets and can have a number of rules and based on the requirement ONLY 2 Inbound rules are needed as other
2 requirement are defaults hence no action is required
needed rules are
1- Allow web requests from internet to VM3, VM4, VM5 and VM 6
2- Allow remote desktop to VM1
upvoted 1 times

  Lazylinux 1 year ago

Selected Answer: A
A=1 for Sure as per others explanation..in Summary Subnet => 1 NSG and NSG can be applied to multiple subnets and can be applied to vNIC
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 314/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #22 Topic 5

You have an Azure subscription that contains the resources shown in the following table.

The Not allowed resource types Azure policy that has policy enforcement enabled is assigned to RG1 and uses the following parameters:
Microsoft.Network/virtualNetworks
Microsoft.Compute/virtualMachines
In RG1, you need to create a new virtual machine named VM2, and then connect VM2 to VNET1.
What should you do first?

A. Remove Microsoft.Compute/virtualMachines from the policy.

B. Create an Azure Resource Manager template

C. Add a subnet to VNET1.

D. Remove Microsoft.Network/virtualNetworks from the policy.

Correct Answer: A
The Not allowed resource types Azure policy prohibits the deployment of specified resource types. You specify an array of the resource types to
block.
Virtual Networks and Virtual Machines are prohibited.
Reference:
https://docs.microsoft.com/en-us/azure/governance/policy/samples/not-allowed-resource-types

Community vote distribution

A (100%)

  khengoolman Highly Voted  1 year, 8 months ago

Passed 11 Oct 2021 with 947. This question appeared, correct Answer is A
upvoted 28 times

  nidhogg Highly Voted  1 year, 4 months ago

On the exam today, 1.feb.2022
Just 761/1000, but OK! :D
Thanks to ExamTopics and to you all!
upvoted 12 times

  zellck Most Recent  4 months ago

Selected Answer: A
A is the answer.

https://learn.microsoft.com/en-us/azure/governance/policy/overview#azure-policy-objects
Not allowed resource types (Deny): Prevents a list of resource types from being deployed.
upvoted 1 times

  Notteb 4 months, 3 weeks ago

Selected Answer: A
Correct Answer: A
upvoted 1 times

  Max_on_neptune 6 months, 1 week ago

Exam Question on 01DEC 2022
upvoted 6 times

  Manu_0502 6 months ago

Hi max, how many questions came from ExamTopics?
upvoted 1 times

  Magis 8 months, 2 weeks ago

Selected Answer: A
Correct Answer A. Tested in LAB
upvoted 3 times

  EmnCours 9 months, 1 week ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 315/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Selected Answer: A
Correct Answer: A
upvoted 1 times

  rasmart 1 year, 2 months ago

Selected Answer: A
check comment
upvoted 1 times

  sid132 1 year, 3 months ago

On the exam today, 4.March.2022
upvoted 1 times

  hanahjane13 1 year, 6 months ago

A, no need to add the vnet
upvoted 3 times

  yoelalan14 1 year, 6 months ago

Answer is A because we already have the VNET in place, so the only thing that would get blocked by this policy would be the NEW vm we are
creating
upvoted 10 times

  filipov1 1 year, 6 months ago

so dump question
upvoted 3 times

  binq 1 year, 6 months ago

Love what you did here : )
upvoted 4 times

  JayJay22215 1 year, 3 months ago

If it was intentional, yes :D
upvoted 1 times

  ScoutP 1 year, 8 months ago

This question was asked on exam taken on Sept 30, 2021
upvoted 3 times

  Beng_ali 1 year, 8 months ago

Correct answer, asked on my exam today 02/10/21
upvoted 3 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 316/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #23 Topic 5

Your company has an Azure subscription named Subscription1.

The company also has two on-premises servers named Server1 and Server2 that run Windows Server 2016. Server1 is configured as a DNS server
that has a primary DNS zone named adatum.com. Adatum.com contains 1,000 DNS records.
You manage Server1 and Subscription1 from Server2. Server2 has the following tools installed:
✑ The DNS Manager console
✑ Azure PowerShell
✑ Azure CLI 2.0
You need to move the adatum.com zone to an Azure DNS zone in Subscription1. The solution must minimize administrative effort.
What should you use?

A. Azure CLI

B. Azure PowerShell

C. the Azure portal

D. the DNS Manager console

Correct Answer: B
Step 1: Installing the DNS migration script
Open an elevated PowerShell window (Administrative mode) and run following command install-script PrivateDnsMigrationScript

Step 2: Running the script -

Execute following command to run the script

PrivateDnsMigrationScript.ps1 -
Reference:
https://docs.microsoft.com/en-us/azure/dns/private-dns-migration-guide

Community vote distribution

A (83%) B (17%)

  asdf12345a Highly Voted  2 years, 6 months ago

Answer is incorrect, it should be A - Azure CLI.
https://docs.microsoft.com/en-us/azure/dns/dns-import-export
- Azure DNS supports importing and exporting zone files by using the Azure command-line interface (CLI). Zone file import is not currently
supported via Azure PowerShell or the Azure portal.

PrivateDNSMigrationScript is for migrating legacy Azure DNS private zones to the new Azure DNS private zone resource.
upvoted 124 times

  AubinBakana 1 year, 9 months ago

Windows Server 2016 is a legacy server, isn't it? :)
upvoted 1 times

  vikki 2 years, 4 months ago

Agree. Besides, prerequisites of using PrivateDNSMigrationScript were lack to provide in the question:
1. Make sure you have installed latest version of Azure PowerShell.
2. Make sure that you've Az.PrivateDns module for the Azure PowerShell installed.

I think the point of this question is "The solution must minimize administrative effort." without proper scenario.
upvoted 2 times

  vikki 2 years, 4 months ago

Due to the statements in the document: The migration process is simple, and we've provided a PowerShell script to automate this process.
https://docs.microsoft.com/en-us/azure/dns/private-dns-migration-guide
upvoted 3 times

  Anurag_Azure Highly Voted  2 years, 1 month ago

so basically we are just paying for a collection of questions and ability to ask others for answers....EXAMTOPICS has no responsibility to at least
mark right answers...otherwise give that access to us so that as community we correct answers too
upvoted 92 times

  theorut 1 year, 3 months ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 317/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

In my opinion Examtopic does a great job and I like to pay for this service. Incorrect answers are no problem for me and I learn a lot from these
discussions.
upvoted 22 times

  hanosh 10 months, 1 week ago

u work for them? lol
upvoted 11 times

  Durden871 3 months ago

Blatantly wrong answers makes me lose faith in their services. The comments are a wonderful edition, but even then sometimes the back and
forth creates a popsicle headache.
upvoted 3 times

  61Reasons 10 months, 1 week ago

And how would ET confirm the real answer? Ask MSFT? Not. And, don't forget even MSFT can write an ambiguous question, which means ET
would have to say "Exam answer according to MSFT is B, but really it's A. So I don't share your concern, I think doing it the way they did was
best for all of us.
upvoted 7 times

  GBAU 4 months ago

Well they could pay someone to go through and assess/fix all the oblivious wrong answers listed on questions as the answers.
upvoted 4 times

  ScreamingHand 1 year, 12 months ago

Yes, - and I am very happy with that, I enjoy reading the discussions
upvoted 30 times

  onincasimiro 1 year, 11 months ago

I agree which is very much exciting. ExamTopics already provided their answers and almost of their explanations
upvoted 6 times

  Makkee 1 year, 9 months ago

You're not paying anything...
upvoted 5 times

  rockhound 1 year, 9 months ago

i did pay 15 euros...
upvoted 16 times

  orion1024 1 year, 8 months ago

Access to information is free though
upvoted 1 times

  VM090 1 year, 4 months ago

Not 100%, only 70% access for free and remaining 30% requires sub
upvoted 17 times

  Gino_Slim 11 months, 2 weeks ago

Yep, that's where they got me. I take the test tomorrow and I got hit with the remaining piece costs.
upvoted 8 times

  safwansalama 1 year, 6 months ago

Me too
upvoted 3 times

  kengy Most Recent  1 week, 6 days ago

Selected Answer: A
Azure CLI
https://learn.microsoft.com/en-us/azure/dns/dns-import-export#introduction-to-dns-zone-migration
upvoted 1 times

  zambonini 2 weeks, 5 days ago

Answer is Azure CLI

Azure DNS supports importing and exporting zone files by using the Azure command-line interface (CLI). Zone file import is not currently
supported via Azure PowerShell or the Azure portal.

PrivateDNSMigrationScript is for migrating legacy Azure DNS private zones to the new Azure DNS private zone resource.

Reference:
https://docs.microsoft.com/en-us/azure/dns/dns-import-export https://docs.microsoft.com/en-us/azure/dns/private-dns-migration-guide
upvoted 1 times

  SIAMIANJI 3 weeks, 1 day ago

Selected Answer: A

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 318/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

I changed my mind. A is correct:

Azure DNS supports importing and exporting zone files via the Azure CLI. Importing zone files via Azure PowerShell or the Azure portal is not
supported currently.

https://learn.microsoft.com/en-us/azure/dns/dns-import-export
upvoted 1 times
  SIAMIANJI 3 weeks, 1 day ago
Selected Answer: B
To move the adatum.com zone to an Azure DNS zone in Subscription1 while minimizing administrative effort, you should use Azure PowerShell.

Azure PowerShell provides a comprehensive set of cmdlets specifically designed for managing Azure resources and services, including Azure DNS.
Using Azure PowerShell, you can easily automate the process of creating an Azure DNS zone, importing the existing DNS records from Server1, and
configuring the necessary settings.
upvoted 1 times

  JustGotMacki 3 weeks, 3 days ago

Answer is A. Azure CLI

Azure DNS supports importing and exporting zone files via the Azure CLI. Importing zone files via Azure PowerShell or the Azure portal is not
supported currently.

https://learn.microsoft.com/en-us/azure/dns/dns-import-export#introduction-to-dns-zone-migration
upvoted 1 times

  SIAMIANJI 1 month ago

Selected Answer: B
B is correct.
ChatGPT:
Steps:

Export the DNS zone file from Server1 using the DNS Manager console or PowerShell.
Modify the zone file to remove any unsupported DNS record types and ensure that it is in a compatible format for Azure DNS.
Use Azure PowerShell to create a new Azure DNS zone in Subscription1.
Use Azure PowerShell to import the modified zone file into the new Azure DNS zone.
Using Azure PowerShell can help automate the process and reduce manual effort. With the appropriate PowerShell cmdlets, the entire process can
be scripted and run in a repeatable, consistent manner. The DNS Manager console is a GUI-based tool and may be more time-consuming for a
large number of DNS records. The Azure portal can also be used, but PowerShell provides more flexibility and automation capabilities. The Azure
CLI can also be used, but PowerShell has better support for Azure DNS cmdlets.
upvoted 1 times

  SimoneP 1 month, 2 weeks ago

Selected Answer: A
Azure DNS supports importing and exporting zone files via the Azure CLI. Importing zone files via Azure PowerShell or the Azure portal is not
supported currently.

https://learn.microsoft.com/en-us/azure/dns/dns-import-export
upvoted 2 times

  Exilic 1 month, 2 weeks ago

Selected Answer: B
OpenAI

"The correct option to move the adatum.com zone to an Azure DNS zone in Subscription1 while minimizing administrative effort is B. Azure
PowerShell.

Using Azure PowerShell, you can create a new Azure DNS zone in Subscription1 and then import the DNS records from the adatum.com zone on
Server1 to the new Azure DNS zone. This can be achieved using the following high-level steps:

Install the Azure PowerShell module on Server2 if it is not already installed.

Create a new Azure DNS zone in Subscription1 using the New-AzDnsZone cmdlet.
Export the adatum.com zone file from Server1 using the Export-DnsServerZone cmdlet.
Convert the adatum.com zone file to an Azure DNS zone file using the ConvertTo-AzDnsZoneFile cmdlet.
Import the converted Azure DNS zone file to the new Azure DNS zone in Subscription1 using the Set-AzDnsRecordSet cmdlet.

Option A (Azure CLI), Option C (the Azure portal), and Option D (the DNS Manager console) can also be used to manage Azure DNS, but they may
require more administrative effort than using Azure PowerShell for this specific task."
upvoted 2 times

  Pscor33 2 months, 2 weeks ago

Hello all, I just passed with an 870. Thanks for all your inputs. You can pass with these questions and explanations
upvoted 2 times

  Rams_84zO6n 2 months, 2 weeks ago

Selected Answer: A
In general, Microsoft says whatever workflow you trying to implement with azure CLI, you can do them using PS and azure portal. But there are
always exceptions and this is one of those.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 319/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 1 times
  CyberKelev 3 months, 2 weeks ago
Selected Answer: B
B. Azure PowerShell

Using Azure PowerShell, you can export the DNS zone from Server1 to a file, and then use Azure PowerShell to create an Azure DNS zone in
Subscription1 and import the DNS zone file. This approach minimizes administrative effort and avoids manual entry of DNS records. The DNS
Manager console is not used for managing Azure DNS zones. The Azure portal could be used, but Azure PowerShell is a more efficient tool for this
task. Azure CLI 2.0 is also an option, but Azure PowerShell provides a more seamless and consistent experience for managing Azure resources.
upvoted 2 times

  Muffay 5 months, 1 week ago

Selected Answer: A
How should anyone know that out of the back of his mind?
Thanks guys, I will go with Azure CLI as it was pointed out that this is the only one supporting importing and exporting zone files.
upvoted 6 times

  BYNeo 7 months ago

Selected Answer: A
Found this on one of the website "Azure DNS supports importing and exporting zone files by using the Azure command-line interface (CLI). Zone
file import is not currently supported via Azure PowerShell or the Azure portal."
upvoted 8 times

  HMO 8 months, 3 weeks ago

Correct answer A --- Azure DNS supports importing and exporting zone files via the Azure CLI.
upvoted 3 times

  EmnCours 9 months, 1 week ago

Selected Answer: A
Correct answer : A
upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 320/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #24 Topic 5

You have a public load balancer that balances ports 80 and 443 across three virtual machines named VM1, VM2, and VM3.
You need to direct all the Remote Desktop Protocol (RDP) connections to VM3 only.
What should you configure?

A. an inbound NAT rule

B. a new public load balancer for VM3

C. a frontend IP configuration

D. a load balancing rule

Correct Answer: A
Reference:
https://docs.microsoft.com/en-us/azure/load-balancer/tutorial-load-balancer-port-forwarding-portal https://pixelrobots.co.uk/2017/08/azure-
load-balancer-for-rds/

Community vote distribution

A (100%)

  [Removed] Highly Voted  1 year, 8 months ago

An inbound NAT rule forwards incoming traffic to a specific virtual machine
Service: RDP
Protocol: TCP
Port: 3389
Target VM =VM3
upvoted 37 times

  Panapi 3 months, 3 weeks ago

Answer valid! This question was on the exam 22/02/2023. Scored 920.
upvoted 3 times

  natka1130 Highly Voted  1 year, 8 months ago

The difference between inbound NAT rules and port mapping in load balancer rules is that inbound NAT rules apply to direct forwarding to a VM,
whereas load balancer rules forward traffic to a backend pool.
upvoted 20 times

  tomasek88 Most Recent  2 months, 2 weeks ago

Selected Answer: A
A is correct
upvoted 1 times

  CyberKelev 3 months, 2 weeks ago

Selected Answer: A
A. an inbound NAT rule.

To direct all RDP connections to VM3 only, you need to create an inbound NAT rule that maps the RDP port (3389) to the RDP port of VM3. You
can do this by specifying the frontend IP configuration of the public load balancer, the protocol (TCP), the frontend port (3389), and the backend
port (3389) of VM3 in the inbound NAT rule. This will route all incoming RDP traffic to VM3 only, regardless of the load balancing configuration.
upvoted 1 times

  sourabhg 7 months ago

Selected Answer: A
An inbound NAT rule forwards incoming traffic to a specific virtual machine
Service: RDP
Protocol: TCP
Port: 3389
Target VM =VM3
upvoted 4 times

  Mev4953 9 months ago

See this, 11:22
https://www.youtube.com/watch?v=ow5fZM6abtA&ab_channel=TeachMeCloud
upvoted 2 times

  EmnCours 9 months, 1 week ago

Selected Answer: A

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 321/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Correct Answer: A
upvoted 2 times
  Dobby25 1 year, 2 months ago
Received this on my exam today 19/03/2022
upvoted 2 times

  pappkarcsiii 1 year, 4 months ago

Selected Answer: A
An inbound NAT rule forwards incoming traffic to a specific virtual machine
upvoted 2 times

  GD01 1 year, 8 months ago

A is correct .... An inbound NAT rule forwards incoming traffic sent to frontend IP address and port combination. The traffic is sent to a specific
virtual machine or instance in the backend pool.

https://docs.microsoft.com/en-us/azure/load-balancer/components
upvoted 9 times

  Waltwhiteman 1 year, 8 months ago

Correct.
Inbound Network Address Translation (NAT) rules are an optional setting in Azure Load Balancer. These rules essentially create another port
mapping from the frontend to the backend, forwarding traffic from a specific port on the frontend to a specific port in the backend.
upvoted 5 times

  omaro 1 year, 8 months ago

Discussion button says: Exam AZ-104 topic 5 question 31 discussion.
But I see nothing
upvoted 1 times

  ScoutP 1 year, 8 months ago

Because there is no discussion for this question yet
upvoted 3 times

  omaro 1 year, 8 months ago

????????????????????????????
upvoted 4 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 322/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #25 Topic 5

HOTSPOT -
You have an Azure subscription named Subscription1 that contains the virtual networks in the following table.

Subscription1 contains the virtual machines in the following table.

In Subscription1, you create a load balancer that has the following configurations:
✑ Name: LB1
✑ SKU: Basic
✑ Type: Internal
✑ Subnet: Subnet12
✑ Virtual network: VNET1
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

Reference:
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-standard-overview

  mlantonis Highly Voted  2 years ago

Correct Answer:

Basic Load Balancer: Backend pool endpoints for Virtual machines in a single availability set or virtual machine scale set.

Subnet12 association will be used to assign an IP for the internal load balancer, not to load balance the VMs in the Subnet.

Box 1: Yes
VM1 and VM are in the Availability Set.
Box 2: No
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 323/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Both VMs are not part of any Availability Set or Scale Set.
Box 3: No
Both VMs are not part of any Availability Set or Scale Set.

Reference:
https://docs.microsoft.com/en-us/azure/load-balancer/skus
upvoted 138 times

  nkhan19 11 months ago

BASIC SKU : Virtual machines in a single availability set or virtual machine scale set
upvoted 4 times

  Aghora Highly Voted  2 years, 6 months ago

answer is correct
y: vm1 and vm2 is same scale set
no : both vms are in single VMs not in scale set or Av set
no: same as 2

you can not use basic load balancer to balance between single VMs . the have to be in a scale set or availability set
https://docs.microsoft.com/en-us/azure/load-balancer/skus
upvoted 59 times

  Steve1983 1 year, 11 months ago

Correct my friend!

"They are the machines or services that create a backend pool. The Basic Tier is quite limiting. It can only have a single availability set, virtual
machine scale set or a single machine. The Standard Tier can span any virtual machine in a single virtual network which includes blends of scale
sets, availability sets, and machines."
upvoted 12 times

  BShelat Most Recent  5 months, 2 weeks ago

LB1 is in subnet 12 NOT in subnet 11. Now VM1 & 2 are in single availability set but they are in subnet 11 So how can LB1 sitting in subnet 12 can
balance the traffic among VM1 & 2 ? VM3 & 4 are in subnet 11 with no availability set. VM5 & 6 are in subnet 12 but without availability set. So in
my opinion answer is "No" for all 3 conditions. Where am I wrong and why?
upvoted 4 times

  Muffay 5 months, 1 week ago

An internal load balancer enables the following types of load balancing:
Within a virtual network. Load balancing from VMs in the virtual network to a set of VMs that reside within the same virtual network.
https://learn.microsoft.com/en-us/training/modules/configure-azure-load-balancer/4-implement-internal

Note that it mentions *within the same virtual network*, not *within the same subnet*.
upvoted 2 times

  ZakySama 7 months, 2 weeks ago

Basic SKU: Virtual machines in a single availability set or virtual machine scale set
Standard SKU: Any virtual machines or virtual machine scale sets in a single virtual network
upvoted 3 times

  klexams 7 months, 2 weeks ago

Y - same vnet1
N - basic LB needs VMs in AS
N - different vnet and VMs not in AS
upvoted 2 times

  qwerty100 8 months ago

The questions posted by @observador081 aren't included in the "examtopics AZ-104". I think that can be posibles questions
(You can check below in the comments)
upvoted 1 times

  EmnCours 9 months, 3 weeks ago

answer is correct
upvoted 1 times

  Lazylinux 11 months, 4 weeks ago

YES NO NO
YES both VMs are are in Av set
Both NOs because all VMs are not part of the AV set
upvoted 3 times

  Lazylinux 1 year ago

I agree with answer and mlantonis explained it really well
upvoted 3 times

  observador081 1 year ago

You have an Azure subscription that contains a user called User1, a resource group called RG1, and a virtual machine called VM1.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 324/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

You enable a system-assigned managed identity for VM1.

Which identities can you assign the Report Reader role to?

Please select only one answer.

A-User1 only

B-Only User1 and RG1

C-Only User1 and VM1

D-User1, RG1 and VM1

upvoted 1 times

  GenjamBhai 12 months ago

A = User1 only.
Ref: https://docs.microsoft.com/en-us/answers/questions/598795/reports-reader-role.html
upvoted 1 times

  observador081 1 year ago

You have an Azure Active Directory tenant that contains the following identities:

User1, a user in Azure Active Directory

Group1, a security group that uses dynamic user membership

Group2, a Microsoft 365 group that uses assigned membership

Group3, a security group that uses assigned membership

Which identity or identities can be added as members of Group3?

Please select only one answer.

A-User1 only

B-Only User1 and Group1

C-Only User1 and Group2

D-User1, Group1 and Group2

upvoted 1 times

  GenjamBhai 11 months, 4 weeks ago

B - User1 and Group1
upvoted 1 times

  observador081 1 year ago

You have an Azure Kubernetes Service (AKS) cluster named AKS1 that runs Kubernetes version 1.21.9.

You need to ensure that you can run a Windows Server container in AKS1.

What should you do first?

Please select only one answer.

A-Add a node pool to AKS1.

B-Modify the AKS1 network settings.

C-Integrate AKS1 and Azure Container Registry.

D-Upgrade AKS1 to a newer version of Kubernetes.

upvoted 1 times

  GenjamBhai 11 months, 4 weeks ago

B - Win Srv container needs CNI
upvoted 1 times

  GenjamBhai 11 months, 4 weeks ago

https://docs.microsoft.com/en-us/azure/aks/learn/quick-windows-container-deploy-cli#create-an-aks-cluster
upvoted 1 times

  observador081 1 year ago

You plan to create an Azure Kubernetes cluster that will use the following settings:

Kubernetes cluster name: Kubernetes1

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 325/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Cluster preset configuration: Standard ($$)

Kubernetes version: 1.22.6

Enable virtual nodes: Off

Network configuration: Kubenet

You need to add a Windows Server node pool to Kubernetes1.

Which setting should you modify?

Please select only one answer.

A-Default cluster configuration

B-Kubernetes version

C-Enable Virtual Nodes

D-network configuration
upvoted 1 times

  GenjamBhai 11 months, 4 weeks ago

D - network config, needs CNI
https://docs.microsoft.com/en-us/azure/aks/learn/quick-windows-container-deploy-cli#create-an-aks-cluster
upvoted 1 times

  observador081 1 year ago

You have an Azure subscription that contains the following features:

VM1: A virtual machine that runs Microsoft SQL Server and is deployed in the US West location
VM2: A virtual machine that runs Microsoft SQL Server and is deployed in the US East location
SQL1: An Azure SQL Server deployed in the US West location
Vault1: A Recovery Services vault deployed in the US West location
What resources can you back up to Vault1?

Please select only one answer.

A-VM1 only

B-VM1 and VM2 only

C-VM1 and SQL1 only

D-VM1, VM2 and SQL1

upvoted 1 times

  GenjamBhai 11 months, 4 weeks ago

C - VM1 and SQL1, protected resource needs to be in same region as vault
upvoted 2 times

  observador081 1 year ago

You have the following Azure resources:

a virtual machine called VM1

a Recovery Services vault named Vault1
On January 1, you configure backups for VM1 using the following backup policy:

Frequency: daily
Time: 23:00
Time Zone: UTC (Coordinated Universal Time)
Retain Instant Recovery snapshots for: 2 days
Daily backup point retention: 7 days
Azure Backup resource group: Backup1RG
How many restore points from collections of restore points will be stored on Backup1RG on January 10th?

Please select only one answer.

A-2

B-7

C-9

D-10
upvoted 1 times

  GenjamBhai 11 months, 4 weeks ago

B - 7, includes the 2 Instant Recovery Snapshots along with Daily Backup points
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 326/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 2 times

  AzureJobsTillRetire 6 months, 2 weeks ago

Sorry I'm confused. Would it be 9 if we add 2 instant recovery snapshots to 7 daily backups that are still retained?
upvoted 1 times

  observador081 1 year ago

You have a Windows Server Azure virtual machine named VM1.

You need to back up two folders in VM1 by using Azure Backup. The solution should minimize administrative effort.

What should you deploy first?

Please select only one answer.

A-Azure Backup Server

B-Recovery Services Agent

C-Microsoft Monitoring Agent

D-Windows Server Backup Function

upvoted 2 times

  GenjamBhai 11 months, 4 weeks ago

B - Microsoft Azure Recovery Services (MARS) agent
https://docs.microsoft.com/en-us/azure/backup/install-mars-agent
upvoted 2 times

  observador081 1 year ago

You have a Recovery Services vault called Recovery1 that includes a backup policy called Policy1.

You back up multiple Azure virtual machines to Recovery1 using Policy1.

Also, you need to see the Azure Backup reports.

What should you do first?

A-Please select only one answer.

B-Create an Azure Log Analytics workspace.

C-Modify the Recovery1 backup configuration settings.

D-Configure Recovery1 diagnostic settings.

upvoted 2 times

  GenjamBhai 11 months, 4 weeks ago

B - Create an Azure Log Analytics workspace.
https://docs.microsoft.com/en-us/azure/backup/configure-reports
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 327/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #26 Topic 5

HOTSPOT -
You have an Azure virtual machine that runs Windows Server 2019 and has the following configurations:
✑ Name: VM1
✑ Location: West US
✑ Connected to: VNET1
✑ Private IP address: 10.1.0.4
✑ Public IP addresses: 52.186.85.63
✑ DNS suffix in Windows Server: Adatum.com
You create the Azure DNS zones shown in the following table.

You need to identify which DNS zones you can link to VNET1 and the DNS zones to which VM1 can automatically register.
Which zones should you identify? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

Reference:
https://docs.microsoft.com/en-us/azure/dns/private-dns-overview

  mlantonis Highly Voted  2 years ago

Correct Answer:

Box 1: Private
Box 2: Private

You can only link VNETs to private DNS zones only and accordingly auto register a VNET only to a private DNS zones. Private DNS zones can be

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 328/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

linked with VNETs (not public ones). And VM can auto-register to any private DNS zone linked with the Vnet and with auto-registration option set.
To resolve the records of a private DNS zone from your virtual network, you must link the virtual network with the zone. Linked virtual networks
have full access and can resolve all DNS records published in the private zone.
upvoted 118 times
  fedztedz Highly Voted  2 years, 5 months ago
Answer is correct. Private zones only / Private zones only.
You can only link Virtual networks to private DNS zones only and accordingly auto register a VNET only to a private DNS zones.
check https://docs.microsoft.com/en-us/azure/dns/dns-zones-records
https://docs.microsoft.com/en-us/azure/dns/private-dns-virtual-network-links
upvoted 65 times

  EmnCours Most Recent  9 months, 3 weeks ago

Answer is correct. Private zones only / Private zones only.
You can only link Virtual networks to private DNS zones only and accordingly auto register a VNET only to a private DNS zones.
check https://docs.microsoft.com/en-us/azure/dns/dns-zones-records
https://docs.microsoft.com/en-us/azure/dns/private-dns-virtual-network-links
upvoted 3 times

  Bhuw 10 months, 1 week ago

IS private DNS not required to be in the region of VNET/VM ?
upvoted 2 times

  Muffay 5 months, 1 week ago

Just tested it in my Azure environment - no, it is not required to be in the same region, I can add VNets from different regions.
upvoted 1 times

  atilla 1 year, 3 months ago

tested and verified
upvoted 1 times

  atilla 1 year, 3 months ago

answer is correct
upvoted 1 times

  JIGT 1 year, 5 months ago

Box 1: Private
Box 2: Private

You can only link VNETs to private DNS zones only and accordingly auto register a VNET only to a private DNS zones.
upvoted 2 times

  PBA1211 2 years, 3 months ago

I think it is not correcxt
1 = Private zones
2 = Adatum.com since it is set to the server , thus the nic
that takes precedent over other dns settings.
If the settings did not sauy adatum.com on the server lver, than it was both private dns
upvoted 2 times

  Ario 2 years, 1 month ago

well Adatum.com could be correct if mention auto register is enabled.
upvoted 1 times

  ZUMY 2 years, 3 months ago

  toniiv 2 years, 3 months ago

Both answers are correct. Private DNS zones can be linked with Vnets (not public ones). And VM can auto-register to any private DNS zone linked
with the Vnet and with auto-registration option set.
upvoted 9 times

  waterzhong 2 years, 4 months ago

Azure Private DNS provides a reliable, secure DNS service to manage and resolve domain names in a virtual network without the need to add a
custom DNS solution.
upvoted 2 times

  nasa1515 2 years, 5 months ago

Is this the right answer?
upvoted 1 times

  waterzhong 2 years, 5 months ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 329/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

To resolve the records of a private DNS zone from your virtual network, you must link the virtual network with the zone. Linked virtual networks
have full access and can resolve all DNS records published in the private zone.
upvoted 3 times

  waterzhong 2 years, 6 months ago

If you enable autoregistration on a virtual network link, the DNS records for the virtual machines on that virtual network are registered in the
private zone. When autoregistration is enabled, Azure DNS also updates the zone records whenever a virtual machine is created, changes its' IP
address, or is deleted.
upvoted 5 times

  Hibs2016 2 years, 6 months ago

Anyone got an explantion for this?
upvoted 4 times

  VipinP 2 years, 6 months ago

Auto registration happen only on private DNS and specific to region.
upvoted 9 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 330/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #27 Topic 5

DRAG DROP -
You have an on-premises network that you plan to connect to Azure by using a site-so-site VPN.
In Azure, you have an Azure virtual network named VNet1 that uses an address space of 10.0.0.0/16 VNet1 contains a subnet named Subnet1 that
uses an address space of 10.0.0.0/24.
You need to create a site-to-site VPN to Azure.
Which four actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and
arrange them in the correct order.
NOTE: More than one order of answer choice is correct. You will receive credit for any of the correct orders you select.
Select and Place:

Correct Answer:

  ZUMY Highly Voted  2 years, 3 months ago

The answers are in order and are correct.

Always work from the Azure side first, it's a dependency. Dependency is the key to all order obviously...

1 - Start with a Gateway subnet. You need the subnet in place first before you can associate a VPN gateway with it, which is what is created next.

2 - Create a VPN gateway. Associate the VPN gateway with the gateway subnet you created (there are other steps but for the sake of what is
available for answers, the prem side is now configured)

Now for the premice side.

3. Create a local gateway. You need the local gateway in order to complete the tunnel, then you can create a VPN connection
upvoted 251 times

  ErenYeager 2 years, 1 month ago

I hereby declare this answer fit for viewership🙃
upvoted 47 times

  LeomHD 1 year, 8 months ago

according this url, a vpn gateway is created first and then the subnet gateway, could you help me to clarify it?
https://docs.microsoft.com/en-us/azure/vpn-gateway/tutorial-site-to-site-portal

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 331/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 1 times

  magichappens 1 year, 2 months ago

Doesn't matter. If you don't have a gateway subnet, one will be created during gateway setup.
upvoted 3 times

  ShaulS 1 year, 7 months ago

What's the fourth answer?
upvoted 1 times

  pappkarcsiii 1 year, 4 months ago

4. then you can create a VPN connection
upvoted 2 times

  mlantonis Highly Voted  2 years ago

Correct Answer:
As per documentation:
1. Create a virtual network
2. Create a VPN gateway
3. Create a local network gateway
4. Create a VPN connection
5. Verify the connection
6. Connect to a virtual machine

Reference:
https://docs.microsoft.com/en-us/azure/vpn-gateway/tutorial-site-to-site-portal
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-classic-portal
upvoted 94 times

  CyberKelev Most Recent  3 months, 2 weeks ago

The correct order of actions to create a site-to-site VPN to Azure from an on-premises network is as follows:

Create a local network gateway in Azure that represents the on-premises network, specify the public IP address of the VPN device, and define the
address space of the on-premises network.
Create a VPN gateway in Azure and configure the gateway type, VPN type, and SKU.
Create a gateway subnet in VNet1 to host the VPN gateway.
Create a VPN connection between the on-premises VPN device and the Azure VPN gateway, specify the shared key, and select the local network
gateway and the VPN gateway.
Note: Creating a custom DNS server is not necessary for creating a site-to-site VPN connection.
upvoted 1 times

  CyberKelev 3 months, 2 weeks ago

The correct order of actions to create a site-to-site VPN to Azure from an on-premises network is as follows:

Create a local network gateway in Azure that represents the on-premises network, specify the public IP address of the VPN device, and define the
address space of the on-premises network.
Create a VPN gateway in Azure and configure the gateway type, VPN type, and SKU.
Create a connection between the on-premises VPN device and the Azure VPN gateway, specify the shared key, and select the local network
gateway and the VPN gateway.
Configure the on-premises VPN device to connect to the Azure VPN gateway, specify the public IP address of the Azure VPN gateway, and
configure the necessary settings, such as the authentication method, encryption algorithm, and IKE version
upvoted 1 times

  klexams 7 months, 2 weeks ago

create gateway subnet part of creating vpn gateway
create virtual network gateway / vpn gatewat
create local gw
create vpn connection
upvoted 2 times

  Seb 8 months, 3 weeks ago

Answers are in order and are Correct, more info: https://learn.microsoft.com/en-us/azure/vpn-gateway/tutorial-site-to-site-portal
upvoted 1 times

  libran 9 months, 1 week ago

Given Answer is Correct
1. Gateway subnet
2. VPN Gateway
3. Local Gateway
4. Create VPN Connection
upvoted 5 times

  EmnCours 9 months, 3 weeks ago

The answers are in order and are correct.
upvoted 2 times

  Lazylinux 11 months, 4 weeks ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 332/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

The requirements are as per below

Create a virtual network ( That is the Gateway Subnet)

Create a VPN gateway, A resource that provides a virtual VPN appliance for the VNet. It is responsible for routing traffic from the on-premises
network to the VNet

Create a local network gateway ** The purpose for this GW is to have replica information about the on-prem VPN GW and provides it to the Azure
VPN GW*** such info is Public IP and the private IP address pool. An abstraction of the on-premises VPN appliance. Network traffic from the cloud
application to the on-premises network is routed through this gateway.

Create a VPN connection, The connection has properties that specify the connection type (IPSec) and the key shared with the on-premises VPN
appliance to encrypt traffic

Verify the connection

Connect to a virtual machine

upvoted 7 times

  cloudera 1 year ago

1. Gateway subnet
2. VPN Gateway
3. Local Network Gateway
4. Create VPN Connection
upvoted 2 times

  cloudera 1 year ago

You could start from VPN Gateway but will require you to create a subnet first before your can progress with creating VPN Gateway. This mean
creating a subnet is the first step.
upvoted 1 times

  benvdw 1 year, 3 months ago

on exam 13/3/2022
upvoted 1 times

  FabioVi 1 year, 4 months ago

Creating the gateway subnet is not mandatory, because if you go straight to create the VPN gateway and you have not previously created the
gateway subnet, Azure suggests a range for creating the gateway subnet on the fly along with VPN gateway creation... But as the questions
requires 4 responses, and there are 2 that does not make sense, so creating a gateway subnet is the first in order, and the following 3 are OK, so
answer is correct :-)
upvoted 3 times

  khengoolman 1 year, 8 months ago

Passed 11 Oct 2021 with 947. This question appeared, correct Answer
upvoted 8 times

  AubinBakana 1 year, 9 months ago

Easy! :)
upvoted 1 times

  Adebowale 1 year, 10 months ago

Good work guys on this discussions. Very very educator and enlightening
upvoted 5 times

  wsscool 1 year, 11 months ago

in exam 7/3/2021
upvoted 5 times

  lucky_18 1 year, 11 months ago

came in exam on June 28 2021
upvoted 6 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 333/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #28 Topic 5

You have an Azure subscription that contains the resources in the following table.

VM1 and VM2 are deployed from the same template and host line-of-business applications.
You configure the network security group (NSG) shown in the exhibit. (Click the Exhibit tab.)

You need to prevent users of VM1 and VM2 from accessing websites on the Internet over TCP port 80.
What should you do?

A. Disassociate the NSG from a network interface

B. Change the Port_80 inbound security rule.

C. Associate the NSG to Subnet1.

D. Change the DenyWebSites outbound security rule.

Correct Answer: C
You can associate or dissociate a network security group from a network interface or subnet.
The NSG has the appropriate rule to block users from accessing the Internet. We just need to associate it with Subnet1.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/manage-network-security-group

Community vote distribution

C (100%)

  mlantonis Highly Voted  2 years ago

Correct Answer: C

Outbound rule “DenyWebSites” is setup correctly to block outbound internet traffic over port 80. In the screenshot it states, "Associated with: 0
subnets, 0 NIC's", so you need to associate the NSG to Subnet1.You can associate or dissociate a network security group from a NIC or Subnet.

Reference:

https://docs.microsoft.com/en-us/azure/virtual-network/manage-network-security-group
upvoted 95 times

  RougePotatoe 4 months, 1 week ago

Check top-right corner of image. Notice associated with 0 subnets and 0 network interfaces.
upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 334/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  Hibs2016 Highly Voted  2 years, 6 months ago

Answer is correct - C. Outbound rule: DenyWebSites is setup correctly to block outbound internet traffic over port 80.
upvoted 20 times

  Hyrydar 9 months, 3 weeks ago

I agree with the answer given and all the replies, but someone correct me if i am wrong. Shouldn't the proper choice given be "associate the
NSG rule with network interface" because network interface has priority over subnet in outbound flow
upvoted 1 times

  Skankhunt 2 years, 5 months ago

Agreed, in screenshot it states "Associated with: 0 subnets, 0 NIC's" ;)
upvoted 10 times

  EmnCours Most Recent  9 months, 3 weeks ago

Selected Answer: C
Correct Answer: C
upvoted 1 times

  Lazylinux 11 months, 4 weeks ago

Selected Answer: C
Given answer is correct
Associated with: 0 subnets, 0 NIC's and hence need to associate with Subnet1
upvoted 2 times

  rasmart 1 year, 2 months ago

Selected Answer: C
check mlantonis
upvoted 5 times

  AzureG0d 7 months, 2 weeks ago

LOL!! its sad how true this is, along with fedztez and lazylinux. thank God for them
upvoted 2 times

  benvdw 1 year, 3 months ago

on exam 13/3/2022
upvoted 1 times

  ScoutP 1 year, 8 months ago

This question was asked on exam taken on Sept 30, 2021
upvoted 5 times

  AubinBakana 1 year, 9 months ago

Easy :)
upvoted 1 times

  sourav4312 1 year, 10 months ago

Probably the easiest answer in the series.
upvoted 1 times

  Chief 2 years, 1 month ago

One of the easiest question I guess. Associate the NSG to subnet1
upvoted 4 times

  ZUMY 2 years, 3 months ago

C is correct
Oubound rule blocking port 80 is configured correctly
upvoted 5 times

  toniiv 2 years, 3 months ago

Answer C. is correct. Outbound rule is right, you only need to associate the NSG to the Subnet to apply the rules.
upvoted 2 times

  mikl 2 years, 4 months ago

Valid question - answer is correct.
Microsoft just wants us to know that a NSG has to be associated with something, to actually work.

Associated with : 0 subnets, 0 nic interfaces.

upvoted 3 times

  kannan8685 2 years, 5 months ago

yes i agree
upvoted 2 times

  fedztedz 2 years, 5 months ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 335/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Answer is correct. "C"

upvoted 10 times

  rusll 2 years, 6 months ago

is this the type of questions that will come up in the exam (hopefully) ? i feel like im wasting my time
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 336/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #29 Topic 5

You have two subscriptions named Subscription1 and Subscription2. Each subscription is associated to a different Azure AD tenant.
Subscription1 contains a virtual network named VNet1. VNet1 contains an Azure virtual machine named VM1 and has an IP address space of
10.0.0.0/16.
Subscription2 contains a virtual network named VNet2. VNet2 contains an Azure virtual machine named VM2 and has an IP address space of
10.10.0.0/24.
You need to connect VNet1 to VNet2.
What should you do first?

A. Move VM1 to Subscription2.

B. Move VNet1 to Subscription2.

C. Modify the IP address space of VNet2.

D. Provision virtual network gateways.

Correct Answer: D
The virtual networks can be in the same or different regions, and from the same or different subscriptions. When connecting VNets from
different subscriptions, the subscriptions do not need to be associated with the same Active Directory tenant.
Configuring a VNet-to-VNet connection is a good way to easily connect VNets. Connecting a virtual network to another virtual network using the
VNet-to-VNet connection type (VNet2VNet) is similar to creating a Site-to-Site IPsec connection to an on-premises location. Both connectivity
types use a VPN gateway to provide a secure tunnel using IPsec/IKE, and both function the same way when communicating.
The local network gateway for each VNet treats the other VNet as a local site. This lets you specify additional address space for the local
network gateway in order to route traffic.
Reference:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-vnet-vnet-resource-manager-portal

Community vote distribution

D (80%) C (20%)

  mlantonis Highly Voted  2 years ago

Correct Answer: D

There is no overlap between the VNets:

VNet1: 10.0.0.0/16 - CIDR IP Range 10.0.0.0 - 10.0.255.255
VNet2: 10.10.0.0/24 - CIDR IP Range 10.10.0.0 - 10.0.0.255

Note: If a virtual network has address ranges that overlap with another virtual network or on-premises network, the two networks can't be
connected.

You can connect virtual networks (VNets) by using the VNet-to-VNet connection type. Virtual networks can be in different regions and from
different subscriptions. When you connect VNets from different subscriptions, the subscriptions don't need to be associated with the same Active
Directory tenant.

Reference:

https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-vnet-vnet-resource-manager-portal
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways
upvoted 102 times

  Alex2022_31 5 months, 1 week ago

Correct answer and well explained
There is a typo in your VNet2 CIDR IP Rage : 10.10.0.0 - 10.10.0.255 (instead of 10.0.0.255)
:)
upvoted 4 times

  cassucena 7 months, 2 weeks ago

a peering is not possible in this situation? tks
upvoted 2 times

  Jayad 1 year, 2 months ago

Nicely explained
upvoted 3 times

  fedztedz Highly Voted  2 years, 5 months ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 337/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Answer is correct. "D" . It is a VNET to VNET connection where there is no IP overlap exists. Also, No need to have the same Azure AD. They just
need to have a Virtual network gateway to communicate using Public IP where it is secured using SSTP or IKEv2
upvoted 67 times

  magichappens 1 year, 2 months ago

I found answer D is the only one that makes sense as well but I actually miss "peering" here as this would be a way better way of connecting
both VNET´s. Its supported for cross tenant and cross subscription connections so it would be more accurate.
upvoted 4 times

  CyberKelev Most Recent  3 months, 2 weeks ago

Selected Answer: D
To connect VNet1 to VNet2, you need to create a site-to-site VPN connection between the two virtual networks. The first step to accomplish this is
to provision virtual network gateways in both subscriptions. Therefore, the correct answer is:

D. Provision virtual network gateways.

Once the virtual network gateways are provisioned, you can configure the VPN connection between them to enable traffic to flow between VNet1
and VNet2. Moving VM1 to Subscription2 or modifying the IP address space of VNet2 is not required to establish the VPN connection between the
two virtual networks. Similarly, moving VNet1 to Subscription2 is not required, but you may need to create a peering connection between the
virtual networks after the VPN connection is established to enable communication between the virtual machines.
upvoted 2 times

  EmnCours 9 months, 3 weeks ago

Selected Answer: D
Correct Answer: D
upvoted 1 times

  El7arani 10 months, 3 weeks ago

Selected Answer: D
D is correct
upvoted 1 times

  nkhan19 11 months ago

Selected Answer: C
C. Modify the IP address space of VNet2.
B/C you have 10.10.0.0/24 , no space for GatewaySubnet

only after modifying address space, you can create Gw Subnet and then add gw for VNet-VNet
upvoted 2 times

  Lazylinux 11 months, 4 weeks ago

Selected Answer: D
D is correct
Create a virtual network ***( That is the Gateway Subnet)***
Create a VPN gateway, A resource that provides a virtual VPN appliance for the VNet. It is responsible for routing traffic from the on-premises
network to the VNet
upvoted 3 times

  Tyy27 11 months ago

good man for commenting the correct answers recently in these discussions
upvoted 1 times

  EleChie 1 year ago

Answer is correct: (the VNets IP ranges are confusing many of you)
VNet1: 10.0.0.0/16 - CIDR IP Range 10.0.0.0 - 10.0.255.255
VNet2: 10.10.0.0/24 - CIDR IP Range 10.10.0.0 - 10.0.0.255
As we see the VNet2 range is not part of the VNet1 IP range, So there is no overlap between these two VNets. and therefore no need to modify the
IP address space of VNet2
upvoted 1 times

  pappkarcsiii 1 year, 4 months ago

Selected Answer: D
Answer is correct. "D" . It is a VNET to VNET connection where there is no IP overlap exists.
upvoted 1 times

  Barrie 1 year, 7 months ago

Got to think this question is out of date.
I wouldn't do any of the provided options. A global VNET peer achieves the required outcome, without the need for additional infrastructure.
upvoted 9 times

  maxmarco71 1 year, 8 months ago

ANSWER IS "D" CORRECT
NO Overlapping. Proof using
https://network00.com/NetworkTools/IPv4CheckOverlappingNetworks/
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 338/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  AubinBakana 1 year, 9 months ago

They should have asked - what's the best way. Because top 2 options do lead to the solution, with a little more effort.

Answer is correct
upvoted 1 times

  riccardo 1 year, 11 months ago

sorry but in order to create an vpn gateway subnet should be bigger, not /24 but at least /27. because you have to create the gateway subnet. so I
would modify the address space of vnet 2 and answer C
upvoted 2 times

  GuyForget 1 year, 9 months ago

It doesn't say anything about the subnet taking up the entire /24 address space.
upvoted 1 times

  Cosy 1 year, 11 months ago

/24 is actually bigger than /27
upvoted 4 times

  AubinBakana 1 year, 9 months ago

Haha... I guess he worked out that 27 is bigger than 24 and therefore... haha. Good call. I hope he reads your comment.
upvoted 1 times

  JayBee65 1 year, 11 months ago

and you would get it wrong. The question doesn't mention subnets that the VNETs contain, so they may already have vpn gateway subnets.
There is no need at all to modify the VNETs unless you are guessing that they contain no space for a vpn gateway subnet. There is nothing in
the question to suggest this is the case.
upvoted 1 times

  AubinBakana 1 year, 9 months ago

The smallest peering size is actually /29. Largest /2
upvoted 1 times

  Wizard69 2 years, 3 months ago

There is no overlap here:
10.0.0.0/16 - 10.0 is the network
10.10.0.0/24 - 10.10.0 is the network

Since there is no option to do a straight peering, gateway must be correct

upvoted 8 times

  ZUMY 2 years, 3 months ago

Answer given is correct
if you want to connect two vnets, you have two options: peering and vpn,
Virtual network gateway is required to establish vpn on this case
upvoted 7 times

  Merma 2 years, 3 months ago

The answer is "C. Modify the IP address space of VNet2." You can modify the address space of VNet2 by adding an address space that does not
have IP overlap. Lets say 13.0.0.0/16, adding a new subnet 13.0.0.0/24 and then attaching the resources to the new subnet and finally delete the old
subnet and VNet with the overlapping IP range.
upvoted 1 times

  Merma 2 years, 3 months ago

Oops, I was so wrong. 10.0 vs. 10.10 No overlap. D. Correct answer.
upvoted 3 times

  Merma 2 years, 3 months ago

Overlap?
10.0.0.0/16 - CIDR IP Range 10.0.0.0 - 10.0.255.255, Subnet mask 255.255.0.0
10.0.0.0/24 - CIDR IP Range 10.0.0.0 - 10.0.0.255, Subnet mask 255.255.255.0
upvoted 1 times

  Rambogan12 1 year, 11 months ago

10.10.0.0/24 *
upvoted 1 times

  AubinBakana 1 year, 9 months ago

They're in entirely different regions and have different subscriptions. And they are not overlapping it's 10.0.0.0/16 vs 10.10.0.0/24( not
10.>0<.0.0/24)
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 339/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #30 Topic 5

You plan to create an Azure virtual machine named VM1 that will be configured as shown in the following exhibit.

The planned disk configurations for VM1 are shown in the following exhibit.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 340/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

You need to ensure that VM1 can be created in an Availability Zone.

Which two settings should you modify? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

A. Use managed disks

B. OS disk type

C. Availability options

D. Size

E. Image

Correct Answer: AC
A: Your VMs should use managed disks if you want to move them to an Availability Zone by using Site Recovery.
C: When you create a VM for an Availability Zone, Under Settings > High availability, select one of the numbered zones from the Availability zone
dropdown.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 341/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Reference:
https://docs.microsoft.com/en-us/azure/site-recovery/move-azure-vms-avset-azone https://docs.microsoft.com/en-us/azure/virtual-
machines/windows/create-portal-availability-zone

Community vote distribution

AC (100%)

  mlantonis Highly Voted  2 years ago

Correct Answer: A and C

A: Your VMs should use managed disks if you want to move them to an Availability Zone by using Site Recovery.

C: When you create a VM for an Availability Zone, Under Settings > High availability, select one of the numbered zones from the Availability zone
dropdown.

Reference:
https://docs.microsoft.com/en-us/azure/site-recovery/move-azure-vms-avset-azone
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/create-portal-availability-zone
https://docs.microsoft.com/en-us/azure/virtual-machines/manage-availability
https://docs.microsoft.com/en-us/azure/availability-zones/az-overview#availability-zones
upvoted 88 times

  MicroJ Highly Voted  2 years, 6 months ago

Explanation is correct but marked answer is wrong. should be Availability Zones and Managed Disks
upvoted 51 times

  Max_on_neptune Most Recent  6 months, 1 week ago

Exam Question 01DEC22
upvoted 4 times

  azaad_a 8 months, 1 week ago

Exam Question 08OCT22
upvoted 9 times

  EmnCours 9 months, 3 weeks ago

Selected Answer: AC
Correct Answer: A and C
upvoted 1 times

  nkhan19 11 months ago

Selected Answer: AC
Explanation is correct but marked answer is wrong. should be Availability Zones and Managed Disks
upvoted 2 times

  ScarfaceRecords 11 months, 2 weeks ago

AC is the correct one.
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 342/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  minix 11 months, 3 weeks ago

came in today's exam 25/6/2022
upvoted 3 times

  Lazylinux 1 year ago

Selected Answer: AC
AC is correct
upvoted 2 times

  MikeHuang 1 year ago

Selected Answer: AC
Should be A, C
upvoted 1 times

  Niraj22 1 year ago

Correct Answer: A and C
upvoted 1 times

  pappkarcsiii 1 year, 4 months ago

Selected Answer: AC
A and C are correct answer.
upvoted 1 times

  khengoolman 1 year, 8 months ago

Passed 11 Oct 2021 with 947. This question appeared, correct Answer is A C
upvoted 8 times

  DevOpposite 1 year, 8 months ago

so I am drunk and I am not reading whole questions, but only reading last 3-4 lines of questions, answering questions and getting them right. Am I
ready to take exam?
upvoted 8 times

  michaelknight 1 year, 7 months ago

Absolutely, you just need to make sure that you are also drunk during the exam.
upvoted 37 times

  obaali1990 3 months ago

You made me laugh to release stress
upvoted 1 times

  nimeshabhinav 1 year, 5 months ago

Buddy , have you cleared the exam ? As I am doing the same , so asking you the same :P
upvoted 4 times

  AubinBakana 1 year, 9 months ago

Ease :)
upvoted 1 times

  wsscool 1 year, 11 months ago

in exam 7/3/2021
upvoted 5 times

  lucky_18 1 year, 11 months ago

came in exam on June 28 2021
upvoted 5 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 343/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #31 Topic 5

HOTSPOT -
You have an Azure subscription that contains the resources shown in the following table.

VMSS1 is set to VM (virtual machines) orchestration mode.

You need to deploy a new Azure virtual machine named VM1, and then add VM1 to VMSS1.
Which resource group and location should you use to deploy VM1? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

Box 1: RG1, RG2, or RG3 -

The resource group stores metadata about the resources. When you specify a location for the resource group, you're specifying where that
metadata is stored.

Box 2: West US only -

Note: Virtual machine scale sets will support 2 distinct orchestration modes:
ScaleSetVM ‫ג‬€" Virtual machine instances added to the scale set are based on the scale set configuration model. The virtual machine instance
lifecycle - creation, update, deletion - is managed by the scale set.
VM (virtual machines) ‫ג‬€" Virtual machines created outside of the scale set can be explicitly added to the scaleset.
Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/overview

  mlantonis Highly Voted  2 years ago

Correct Answer:

Box 1: RG1, RG2, or RG3

The resource group stores metadata about the resources. When you specify a location for the resource group, you're specifying where that
metadata is stored. The location of the RG doesn't influence the choice of the location of VM. best practice would be to create the VM1 in the RG1
because the scale set is in RG1. And Microsoft recommends that resources contained in a Resource Group share the same resource lifecycle.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 344/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Box 2: West US only

You can add the virtual machine to a scale set in the same region, zone, and resource group.

Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/overview
https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-orchestration-modes
upvoted 92 times

  maria_saprykina 6 months, 2 weeks ago

Yes you can use any RG, but here it asks what RG you SHOULD use? That sounds like by this question Microsoft encourages us to follow their
recommendations, and the answer should be RG1 only.
upvoted 4 times

  DrMiyu 11 months, 3 weeks ago

Completely agree even if it say "Should" you use. TO be honest, I wanted to asnwer different because I think I should use "RG1 only" except if
there is a good reason behind (cost / department / etc) and so to have all my VM in the same RG for easier management.
upvoted 5 times

  SumanSaurabh 6 months, 1 week ago

superb
upvoted 1 times

  fedztedz Highly Voted  2 years, 5 months ago

Answer is correct. The location of the RG doesn't influence the choice of the location of VM. The location of the VM should be the same like the VM
Scale set (single zone or zone redundant )
upvoted 62 times

  itgg11 1 year, 3 months ago

Answer is not correct. I just tested it in the lab and a new VM needed to be in the SAME resource group and region. Otherwise, a given VMSS
was not available.
upvoted 7 times

  Lazylinux 11 months, 4 weeks ago

Not sure how you tested it...Did you consult Bill Gates!!
Anyway the VMSS set should and would be available as long as you are in the right subscription, it will give you option to chose the resource
group then you can chose the VMSS.
Just remember this RG and Subscriptions ONLY hold the meta data of the resources, what matters is the region
upvoted 3 times

  RandomNickname Most Recent  6 days, 12 hours ago

Focus on the "should" like others have.
Following MS url below;

https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/overview

So for Box 1;
It can be R1, RG2, RG3, but should be RG1.

For Box 2;

Should be in West US.

upvoted 1 times

  xRiot007 1 week, 5 days ago

The question is poorly written. "Should" is a very ambiguous term. The VM can be created in any RG, but best practices tell us that it should be
done in RG1 to have similar lifecycle. So, in theory, both RG1 only and R1,2,3 should be correct answers.
upvoted 1 times

  manthlan 7 months ago

Question asks,"Which resource group and location should you use to deploy VM1? " not "can". So it should be RG1.Isn't it?
upvoted 3 times

  Liriano 7 months, 2 weeks ago

In exam today, go with highly voted
upvoted 1 times

  qwerty100 7 months, 3 weeks ago

Tested in lab with this result:
Resource group: RG1 only
Location: West US Only

When you are going to create de vm1 you can read this:

You can add your virtual machine to a virtual machine scale set to design highly available and scalable application architecture. Virtual machines
inside a scale set can be deployed into fault domains or Availability zones. The scale set must be set to flexible orchestration mode, and in the same
region and resource group.
upvoted 5 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 345/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  EmnCours 9 months, 1 week ago

Correct Answer:

Box 1: RG1, RG2, or RG3

Box 2: West US only

You can add the virtual machine to a scale set in the same region, zone, and resource group.

  61Reasons 10 months, 1 week ago

I can see it both ways. But they gave us all three RGs as a choice together. Tough call, and for MSFT's part not "fair". They need more context or a
better word.
upvoted 1 times

  pingpongset 11 months ago

If the location is "West US", should not it also determine the resource group, which is RG2, and not RG1, RG2, or RG3? Because a resource group
uses a location too.
upvoted 1 times

  Lazylinux 11 months, 4 weeks ago

Given answer is correct..
RG holds the meta data of resources and hence its location dont matter but Resources should mostly be in same region and in this case the VM
and the VMSS MUST be in same region
upvoted 2 times

  rafacazus 1 year ago

Creating virtual machines in virtual machine scale set is only allowed for scale sets with flexible orchestration mode. When you create a VM, you
can optionally specify that it is added to a virtual machine scale set. A VM can only be added to a scale set at time of VM creation. The newly
created VM must be in the same resource group as the Flexible scale set regardless of deployment methods.
Tested in the lab.
https://docs.microsoft.com/en-us/azure/virtual-machines/flexible-virtual-machine-scale-sets
upvoted 1 times

  Scoobysnaks86 1 year ago

"should" is the word. Not "can". Best practice is to put the VM in a scale set in the same resource group.
Answer is A and C
upvoted 4 times

  itgg11 1 year, 3 months ago

Answer is not correct.
Resource groups should be RG1
"The newly created VM must be in the same resource group as the Flexible scale set regardless of deployment methods."
source https://docs.microsoft.com/en-us/azure/virtual-machines/flexible-virtual-machine-scale-sets
upvoted 13 times

  Snownoodles 1 year, 5 months ago

The first answer is not correct, it should be RG1 - same resource group as VMSS:
https://docs.microsoft.com/en-us/azure/virtual-machines/flexible-virtual-machine-scale-sets
"When you create a VM, you can optionally specify that it is added to a virtual machine scale set. A VM can only be added to a scale set at time of
VM creation. The newly created VM must be in the same resource group as the Flexible scale set regardless of deployment methods"
So the VM should be in same RG, same location
upvoted 8 times

  Snownoodles 1 year, 5 months ago

BTW "Flexible scale set" should be the new name of "VM orchestration mode"
upvoted 3 times

  AubinBakana 1 year, 9 months ago

The few times RGs affect each content is when there's a lock on it. It's usually safe to ignore its location.
upvoted 2 times

  Harishsk 2 years ago

we have flexible mode.
Before you can deploy virtual machine scale sets in Flexible orchestration mode, you must first register your subscription for the preview feature.
The registration may take several minutes to complete. You can use the following Azure PowerShell or Azure CLI commands to register.
https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-orchestration-modes#register-for-flexible-
orchestration-mode
upvoted 2 times

  Harishsk 2 years ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 346/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-orchestration-modes#get-started-with-flexible-
orchestration-mode

Add your VM to the scale set in Flexible orchestration mode by selecting the scale set in the Availability options. You can add the virtual
machine to a scale set in the same region, zone, and resource group.
upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 347/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #32 Topic 5

HOTSPOT -
You have an Azure subscription that contains three virtual networks named VNET1, VNET2, and VNET3.
Peering for VNET1 is configured as shown in the following exhibit.

Peering for VNET2 is configured as shown in the following exhibit.

Peering for VNET3 is configured as shown in the following exhibit.

How can packets be routed between the virtual networks? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 348/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Correct Answer:

Box 1. VNET2 and VNET3 -

Box 2: VNET1 -
Gateway transit is disabled.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview

  mlantonis Highly Voted  2 years ago

Correct Answer:

VNet1: Peered with VNet2 and VNet3

VNet2: Peered with VNet1
VNet3: Peered with VNet1

Box 1. VNET2 and VNET3

VNet1 is peered with VNet2 and VNet3. Also Gateway transit is disabled.

Box 2: VNET1 only

Gateway transit is disabled, so it can only communicate with the connected VNET1.

Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-peering-gateway-transit
upvoted 95 times

  mdyck Highly Voted  2 years, 1 month ago

Answer Correct. Gateway transit is disabled so they can only communicate with VNET1.

https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-peering-gateway-transit
upvoted 20 times

  Devgela 2 years, 1 month ago

Agree with mdyck
upvoted 4 times

  verifedtomic 1 year, 7 months ago

If Gateway Transit was enabled, then they all would be able to communicate between eachother, since VNET1 is Peering with both VNET2 and
VNET3?
upvoted 1 times

  magichappens 1 year, 2 months ago

No, for this to work you need use defined routes and either Azure Firewall or an NVA. mdyck is wrong. https://docs.microsoft.com/en-
us/azure/architecture/reference-architectures/hybrid-networking/hub-spoke?tabs=cli#virtual-network-peering
upvoted 5 times

  fedev21 1 year, 4 months ago

As far as I know virtual peering is not transitive and Spoke-to-Spoke traffic is not allowed. Enabling Gateway transit allows for cross-premises
communication but not for Spoke-to-Spoke traffic. The only way to make possible spoke-to-spoke traffic is to use an NVA in the HUB VNet
upvoted 7 times

  shadad Most Recent  3 months, 1 week ago

I took Exam of Azure- 104 at 27/2/2023
I score 920 points out of 1000 points. This was on it and my answer was:

Box 1. VNET2 and VNET3

VNet1 is peered with VNet2 and VNet3

Box 2: VNET1 only

Gateway transit is disabled
upvoted 3 times
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 349/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  UK7 5 months, 3 weeks ago

Came on 21st Dec 2022
Answer is correct
upvoted 1 times

  Liriano 7 months, 2 weeks ago

In exam today, go with highly voted
upvoted 1 times

  majerly 8 months, 2 weeks ago

today in exam, answer is correct
upvoted 3 times

  EmnCours 9 months, 3 weeks ago

Answer Correct
upvoted 1 times

  Lazylinux 11 months, 4 weeks ago

Given answer is correct but explanation for part 2 is not

Gateway transit only applies when there is a VPN gateway created and Gateway transit is a peering property that lets one virtual network use the
VPN gateway in the peered virtual network for cross-premises or VNet-to-VNet connectivity hence really allows for reduced cost and
administrative effort since only one VPN GW to manage and pay for

So in summary the Gateway transit option that you enable allows you to use the VPN GW for rooting, Now assuming the VPN GW has all necessary
routes then yes communication between VNET2 and VNET3 is possible but if for argument sake that the VPN GW dont have routes of VNET2 and
VNET3 then both VNETs will NOT be able to communicate
upvoted 7 times

  vaisat 1 year, 5 months ago

Second port is INCORRECT -
1. Packets from VNET1 can be forwarded VNET2 and VNET3.
2. Packets from VNET2 can be routed to BOTH VNET1 and VNET3.
This is insured by default parameter "Traffic forwarded from remote virtual network".
Please note, "Gateway Transit" parameter has nothing to do with this. Gateway might not even exist in this example.
upvoted 1 times

  itgg11 1 year, 3 months ago

Your 2nd answer is not correct.
upvoted 1 times

  itgg11 1 year, 3 months ago

tested in the lab. GW transit must be enabled to allow for routing packets between vnet3 and vnet2
upvoted 1 times

  im82 1 year, 6 months ago

Was on exam today 19.11.2021. Passed with 920.
Correct answer:
-VNET2 and VNET3
- VNET1 only
upvoted 4 times

  Takloy 1 year, 6 months ago

If we were to enable GW Transit, which VNET? Is it VNET1?
upvoted 1 times

  a4andrew 1 year, 7 months ago

What would happen if Gateway Transit was enabled?
upvoted 1 times

  walkwolf3 1 year, 7 months ago

Then all three vnets can talk to each other.
upvoted 1 times

  ScoutP 1 year, 8 months ago

This question was asked on exam taken on Sept 30, 2021
upvoted 3 times

  AubinBakana 1 year, 9 months ago

Easy :)
upvoted 1 times

  rdsserrao 1 year, 11 months ago

Answer is correct, but explanation is not.
Gateway transit only applies when there is a VPN gateway created.
Since there is no mention of that, all that matters are the peerings between the Vnets.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 350/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Vnet1 -> Vnet2 and Vnet3

Vnet2 -> Vnet1
Vnet3 -> Vnet1
This means that Vnet2 cannot see Vnet3.
Am I wrong?
upvoted 4 times

  amf 1 year, 10 months ago

You are right. Gateway transit only applies when there is a VPN gateway created. So the explanation given is not correct.
upvoted 1 times

  Lazylinux 11 months, 4 weeks ago

You are absolutely right..
Gateway transit only applies when there is a VPN gateway created and Gateway transit is a peering property that lets one virtual network use
the VPN gateway in the peered virtual network for cross-premises or VNet-to-VNet connectivity hence really allows for reduced cost and
administrative effort since only one VPN GW to manage
upvoted 3 times

  Chief 2 years, 1 month ago

Correct answer. Gateway transit is disabled so they only communicate with the connected VNETs
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-peering-gateway-transit
upvoted 3 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 351/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #33 Topic 5

A. Yes

B. No

Correct Answer: B
Instead export the client certificate from Computer1 and install the certificate on Computer2.
Note:
Each client computer that connects to a VNet using Point-to-Site must have a client certificate installed. You generate a client certificate from
the self-signed root certificate, and then export and install the client certificate. If the client certificate is not installed, authentication fails.
Reference:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-certificates-point-to-site

Community vote distribution

B (100%)

  mlantonis Highly Voted  2 years ago

Correct Answer: B

Instead export the client certificate from Computer1 and install the certificate on Computer2.

A Point-to-Site (P2S) VPN gateway connection lets you create a secure connection to your virtual network from an individual client computer. A
P2S connection is established by starting it from the client computer. This solution is useful for telecommuters who want to connect to Azure VNets
from a remote location, such as from home or a conference. P2S VPN is also a useful solution to use instead of S2S VPN when you have only a few
clients that need to connect to a VNet. This article applies to the Resource Manager deployment model.
upvoted 76 times

  SumanSaurabh 6 months, 1 week ago

Mlantonis if you are alive, God Bless You !!
upvoted 9 times

  mlantonis 2 years ago

Reference:
https://docs.microsoft.com/en-us/azure/vpn-gateway/point-to-site-about
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-certificates-point-to-site
upvoted 11 times

  Asymptote 7 months, 1 week ago

Mlantonis, pls make a cloud training platform,
you are really good at passing knowledge.
upvoted 7 times

  SumanSaurabh 6 months, 1 week ago

I second, I took course from Cloud academy but was useless.
upvoted 3 times

  Slawekyo 2 months, 2 weeks ago

Sounds about right huh
upvoted 1 times

  ZUMY Highly Voted  2 years, 3 months ago

B is correct:
Each client computer that connects to a VNet using Point-to-Site must have a client certificate installed. You generate a client certificate from the
self-signed root certificate, and then export and install the client certificate. If the client certificate is not installed, authentication fails.
upvoted 19 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 352/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  margotfrpp Most Recent  1 month, 3 weeks ago

Selected Answer: B
Solution: You export the client certificate from Computer1 and install the certificate on Computer2.
upvoted 1 times

  EmnCours 9 months, 3 weeks ago

Selected Answer: B
Correct Answer: B
upvoted 1 times

  Lazylinux 11 months, 4 weeks ago

Selected Answer: B
I Luv Honey Because it is B

Given answer is correct and explanation correct as Certificate is needed

upvoted 1 times

  InvisibleShadow 1 year, 3 months ago

This question came in the exam today 8/Mar/2022.
I passed the exam, 95% questions came from here.
upvoted 3 times

  AubinBakana 1 year, 9 months ago

The solution was so dull I got confused for a moment. Who would think of that? haha...
upvoted 2 times

  JayBee65 2 years ago

"A client certificate that is generated from the root certificate. The client certificate installed on each client computer that will connect to the VNet.
This certificate is used for client authentication." - see https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-
resource-manager-portal
upvoted 2 times

  toniiv 2 years, 3 months ago

Answer B. is correct as well as the explanation.
upvoted 3 times

  NickyDee 2 years, 5 months ago

Copy the cert from the first computer and install it on the 2nd
upvoted 2 times

  fedztedz 2 years, 5 months ago

Answer is correct. B
upvoted 7 times

  waterzhong 2 years, 5 months ago

Create a self-signed root certificate
Use the New-SelfSignedCertificate cmdlet to create a self-signed root certificate. For additional parameter information, see New-
SelfSignedCertificate.
upvoted 5 times

  DA0410 2 years, 8 months ago

B is correct
upvoted 10 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 353/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #34 Topic 5

A. Yes

B. No

Correct Answer: B
A client computer that connects to a VNet using Point-to-Site must have a client certificate installed.
Reference:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-certificates-point-to-site

Community vote distribution

B (100%)

  mlantonis Highly Voted  2 years ago

Correct Answer: B

A client computer that connects to a VNet using Point-to-Site must have a client certificate installed. Instead export the client certificate from
Computer1 and install the certificate on Computer2.

  mlantonis 2 years ago

Reference:
https://docs.microsoft.com/en-us/azure/vpn-gateway/point-to-site-about
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-certificates-point-to-site
upvoted 10 times

  fedztedz Highly Voted  2 years, 5 months ago

Answer is correct No
upvoted 13 times

  JayLearn2022 Most Recent  3 months, 4 weeks ago

There are several versions of this question. The following are the correct and incorrect answers that can be presented.

Correct Answer: Meets the goal.

-Solution: You export the client certificate from Computer1 and install the certificate on Computer2.

Incorrect Answers: Does not meet the goal.

-Solution: You join Computer2 to Azure Active Directory (Azure AD).

-Solution: You modify the Azure Active Directory (Azure AD) authentication policies.
upvoted 2 times

  EmnCours 9 months, 3 weeks ago

Selected Answer: B
Correct Answer: B
upvoted 2 times

  Lazylinux 11 months, 4 weeks ago

Selected Answer: B
I Luv Honey Because it is B

Given answer is correct and explanation correct as Certificate is needed

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 354/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 2 times
  Olami2021 1 year ago
Answer is No
upvoted 1 times

  InvisibleShadow 1 year, 3 months ago

This question came in the exam today 8/Mar/2022.
I passed the exam, 95% questions came from here.
upvoted 3 times

  im82 1 year, 6 months ago

Was on exam today 19.11.2021. Passed with 920.
Correct answer: B
upvoted 1 times

  AubinBakana 1 year, 9 months ago

Haha... Easy
upvoted 1 times

  anoj_cha 1 year, 8 months ago

What's the point of these comments in all these questions?
upvoted 6 times

  oriduri 2 years, 1 month ago

B is Correct
upvoted 1 times

  ZUMY 2 years, 3 months ago

B is Correct
A client computer that connects to a VNet using Point-to-Site must have a client certificate installed.
upvoted 2 times

  toniiv 2 years, 3 months ago

Answer B. is correct as well as the explanation.
upvoted 2 times

  Hibs2016 2 years, 6 months ago

B is correct. You need to install the certificate on computer2.
upvoted 5 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 355/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #35 Topic 5

A. Yes

B. No

Correct Answer: B

Community vote distribution

B (75%) A (25%)

  mlantonis Highly Voted  2 years ago

Correct Answer: B - No

You need to use a custom policy definition, because there is not a built-in policy and Resource Lock is an irrelevant solution.

Reference:
https://docs.microsoft.com/en-us/azure/azure-policy/policy-definition
https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources?tabs=json
upvoted 75 times

  arseyam Highly Voted  2 years, 8 months ago

An example of such policy is found here
https://markgossa.blogspot.com/2018/11/azure-policy-deny-inbound-rdp-from.html
upvoted 18 times

  d0bermannn 1 year, 11 months ago

as they said there is more than one way to skin a cat, that is a developer style)
upvoted 1 times

  CyberKelev Most Recent  3 months, 2 weeks ago

No, creating a resource lock and assigning it to the subscription will not meet the goal of automatically blocking TCP port 8080 between virtual
networks when an NSG is created.

To achieve this goal, you can create an Azure Policy that enforces the required network security rule across all the virtual networks in the
subscription. The policy should specify the rule that blocks TCP port 8080 traffic between the virtual networks. When a new NSG is created, it will
automatically be associated with the policy, and the required network security rule will be enforced.

Resource locks are used to prevent accidental deletion or modification of Azure resources. They do not affect the behavior or configuration of
resources such as NSGs.
upvoted 2 times

  cambis 3 months, 2 weeks ago

Selected Answer: B
Correct Answer: B
upvoted 1 times

  sourabhg 7 months ago

Selected Answer: A
correct
upvoted 1 times

  EmnCours 9 months, 3 weeks ago

Selected Answer: B
Correct Answer: B
upvoted 1 times

  Lazylinux 11 months, 4 weeks ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 356/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Selected Answer: B
I Luv Honey Because it is B
Lock has nothing to do with this situation, it is used on RG and resources
upvoted 1 times

  AubinBakana 1 year, 9 months ago

haha... Common, please!
upvoted 2 times

  ZUMY 2 years, 3 months ago

No is answer
upvoted 3 times

  Aniruddha_dravyakar 2 years, 3 months ago

Lock is used to restrict creattion or accidental deletion of any resource. .. I dont think it is used for blocking traffic
upvoted 3 times

  StixxNSnares 2 years, 3 months ago

Correct - B
upvoted 3 times

  I 2 years, 3 months ago

In NSG, create a inbound security rule that set TCP8080 -> Deny and the priority number should be smaller.
upvoted 4 times

  toniiv 2 years, 3 months ago

Answer B. is correct. Nothing to do with RG locks
upvoted 5 times

  macross 2 years, 4 months ago

Allow-Deny 8080 (NSG) answer is correct
upvoted 2 times

  asaz 2 years, 5 months ago

by default NSG blocks all the ports. it has to be explicitly defined which port to open.
upvoted 3 times

  janshal 2 years, 5 months ago

There is no Connectivity Between different Vent so unless you connect them trough VPN Gatway or Vnet Peering there will be No access from any
Ports so i say A

Tricky One
upvoted 1 times

  janshal 2 years, 5 months ago

There is no Connectivity Between different Vent so unless you connect them trough VPN Gateway or VNet Peering there will be No access from any
Ports so i say A

Tricky One
upvoted 2 times

  Acai 1 year, 10 months ago

I hate you
upvoted 3 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 357/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #36 Topic 5

You have an Azure subscription named Subscription1. Subscription1 contains a virtual machine named VM1.
You have a computer named Computer1 that runs Windows 10. Computer1 is connected to the Internet.
You add a network interface named vm1173 to VM1 as shown in the exhibit. (Click the Exhibit tab.)

From Computer1, you attempt to connect to VM1 by using Remote Desktop, but the connection fails.
You need to establish a Remote Desktop connection to VM1.
What should you do first?

A. Change the priority of the RDP rule

B. Attach a network interface

C. Delete the DenyAllInBound rule

D. Start VM1

Correct Answer: D
Incorrect Answers:
A: Rules are processed in priority order, with lower numbers processed before higher numbers, because lower numbers have higher priority.
Once traffic matches a rule, processing stops. RDP already has the lowest number and thus the highest priority.
B: The network interface has already been added to VM.
C: The Outbound rules are fine.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/security-overview

Community vote distribution

D (100%)

  prashantjoge Highly Voted  2 years, 6 months ago

nevertheless a stupid question
upvoted 154 times

  j777 1 year, 3 months ago

So, if you're so smart what are you doing on this site?
upvoted 26 times

  rupayan87 6 months, 4 weeks ago

I wonder how moderators approve these comments in the first place that has no value to add
upvoted 10 times

  Takloy 1 year, 6 months ago

The more stupid questions they give, the higher chances of passing the exam!
upvoted 37 times
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 358/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  mlantonis Highly Voted  2 years ago

Correct Answer: D

Αny resource with a dynamically assigned public IP address will display the 'name' you gave it when the resource it is assigned to is offline. A static
address will be shown regardless of the resource state. This means that we need to start the VM1.

A: RDP rule has the highest priority. priority.

B: The network interface has already been added to VM1.
C: DenyAllInBound has really low priority.

Reference:

https://docs.microsoft.com/en-us/azure/virtual-network/security-overview
upvoted 122 times

  klasbeatz 11 months ago

Wouldn't you need to configure a public IP in order to RDP from the other computer to the VM? Or are you saying its only showing an internal
IP because the VM is not started?
upvoted 2 times

  bur4an 6 months ago

Azure GOD!
upvoted 7 times

  Allfreen 1 year, 4 months ago

Good Explanation
upvoted 3 times

  nkhan19 11 months ago

Excellent observation !
upvoted 2 times

  NaniCynic Most Recent  1 week, 1 day ago

VM does not work in O-F-F mode:

Agree with answer D

upvoted 1 times

  garmatey 1 month, 3 weeks ago

So what exactly is the "DenyAllInBound" rule doing?
upvoted 1 times

  Rams_84zO6n 2 months, 2 weeks ago

Selected Answer: D
"Computer1 is connected to the Internet." - that threw me off a bit. So it is configured to connect to internet but at this point is not actually
connected to internet because it is not running? never mind. Only D seems the be best option compared to other options.
upvoted 1 times

  morito 3 months ago

Selected Answer: D
This question can be answered by rule of elimination:

A. Change the priority of the RDP rule --> Priority is already lowest so no need
B. Attach a network interface --> Question states its already attached so no need
C. Delete the DenyAllInBound rule --> Obviously never to that, but it would also not solve this because it has lowest priority by default
D. Start VM1 --> Remains as the only viable option
upvoted 3 times

  _fvt 5 months, 2 weeks ago

Selected Answer: D
Correct Answer: D

You need to stop the VM before attaching a network interface, so starting the VM is the first you should do after attaching it:
https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface-vm

And anyways the other proposed answers are wrong:

A: wrong: RDP rule is correct and have Higher Priority than the Deny one.
B: wrong: We already have a network interface with a public IP attached and the correct NSG allowing RDP, adding another one will not solve our
issue.
C: wrong: You cannot delete a default rule, and this rule is a default one. And in all cases this rule have lower priority than the RDP one so not an
issue.
upvoted 4 times

  matejka 7 months, 2 weeks ago

It's really important to know that IP address is displayed as a name rather than numerical representation for a not running machine. A funny
question indeed.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 359/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 6 times
  EmnCours 9 months, 3 weeks ago
Selected Answer: D
Correct Answer: D
upvoted 1 times

  Lazylinux 11 months, 4 weeks ago

Selected Answer: D
D is correct
upvoted 1 times

  atilla 1 year, 3 months ago

Selected Answer: D
for C , you cannot delete the given rules
D is correct
upvoted 1 times

  ron_azenkot 1 year, 4 months ago

look i am no expert but i am pretty sure that to use something you need to start it
answer is d
upvoted 2 times

  Sharathjogi 1 year, 5 months ago

Wow...common..question has to be like this :)
upvoted 1 times

  TheBody 1 year, 6 months ago

This is not a question about knowing an obscure fact about whether a public IP address shows when a VM is on or off, it's a pure problem solving
question.
The RDP rule already has the highest priority so it can't be A or C.
The question states the network interface has been added and that's shown in the exhibit so it can't be B.
That leaves D. And if the virtual machine is not switched on then the symptom described(can't connect via RDP) would be present.
Even in Azure checking that stuff is plugged in and turned on is a good first troubleshooting step.
upvoted 7 times

  ShockWaveSix 1 year, 7 months ago

Even in Azure... "Is it plugged in? Is it turned on?"
upvoted 7 times

  AubinBakana 1 year, 9 months ago

Haha... You know they never even said that the machine was off.
upvoted 5 times

  pakman 1 year, 8 months ago

accelerated networking is disabled
upvoted 1 times

  matapolillas 1 year, 7 months ago

you can tell the VM is off by looking at the public IP address field of the machine. When the VM is offline/powered off it displays the name of
the public IP resource
upvoted 8 times

  matapolillas 1 year, 7 months ago

and what that does have to do with anything?
upvoted 1 times

  Adebowale 1 year, 10 months ago

A really trickish question though
upvoted 3 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 360/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #37 Topic 5

You have the Azure virtual machines shown in the following table.

A DNS service is installed on VM1.

You configure the DNS servers settings for each virtual network as shown in the following exhibit.

You need to ensure that all the virtual machines can resolve DNS names by using the DNS service on VM1.
What should you do?

A. Configure a conditional forwarder on VM1

B. Add service endpoints on VNET1

C. Add service endpoints on VNET2 and VNET3

D. Configure peering between VNET1, VNET2, and VNET3

Correct Answer: D
Virtual network peering enables you to seamlessly connect networks in Azure Virtual Network. The virtual networks appear as one for
connectivity purposes. The traffic between virtual machines uses the Microsoft backbone infrastructure.
Incorrect Answers:
B, C: Virtual Network (VNet) service endpoint provides secure and direct connectivity to Azure services over an optimized route over the Azure
backbone network.
Endpoints allow you to secure your critical Azure service resources to only your virtual networks. Service Endpoints enables private IP
addresses in the VNet to reach the endpoint of an Azure service without needing a public IP address on the VNet.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview https://docs.microsoft.com/en-
us/azure/virtual-network/virtual-network-peering-overview

Community vote distribution

D (100%)

  mlantonis Highly Voted  2 years ago

Correct Answer: D

Use Virtual network peering to connect virtual networks to be able to connect to other VMs in different VNETs. Virtual network peering enables you
to seamlessly connect networks in Azure Virtual Network. The virtual networks appear as one for connectivity purposes. The traffic between virtual
machines uses the Microsoft backbone infrastructure.

B, C: Virtual Network (VNet) service endpoint provides secure and direct connectivity to Azure services over an optimized route over the Azure
backbone network. Endpoints allow you to secure your critical Azure service resources to only your virtual networks. Service Endpoints enables
private IP addresses in the VNet to reach the endpoint of an Azure service without needing a public IP address on the VNet.
upvoted 79 times

  fedztedz Highly Voted  2 years, 5 months ago

Answer is correct. D.
Use Virtual network peering to connect virtual networks to be able to connect to other VMs in different VNETs
upvoted 75 times

  EmnCours Most Recent  9 months, 3 weeks ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 361/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Selected Answer: D
Correct Answer: D
upvoted 2 times

  Lazylinux 11 months, 4 weeks ago

Selected Answer: D
D is correct and peering is required to reach the DNS
upvoted 1 times

  EleChie 1 year ago

Answer is correct D
But FYI ___ conditional forwarder is for external DNS not for internal (local) one " VM1 is Confiured as Internal DNS Server"
upvoted 3 times

  valkyrieShadow 1 year, 2 months ago

This article explains why connecting two networks using either S2S or Peering utilizes custom DNS configured on either the VNET or VNIC. And
explains precedence and how forwarding and recursive queries work in Azure networks. Link: https://docs.microsoft.com/en-us/azure/virtual-
network/virtual-networks-name-resolution-for-vms-and-role-instances#specify-dns-servers
upvoted 2 times

  ra_aly 1 year, 2 months ago

Selected Answer: D
[D]- it's saying local DNS on VM1, conditional forwarder is external DNS not local so answer is D.
upvoted 1 times

  ajayasa 1 year, 3 months ago

this question was there on 16/03/2022 with same question and passed with 900 percent
upvoted 2 times

  pappkarcsiii 1 year, 4 months ago

Selected Answer: D
Answer is correct. D.
a: A conditional forwarder is a configuration option in a DNS server that lets you define a DNS domain, such as contoso.com, to forward queries to.
b-c no
upvoted 3 times

  fabylande 1 year, 8 months ago

In exam today! October 16, 2021
upvoted 6 times

  AubinBakana 1 year, 9 months ago

D does look like the best answer but there's a lot more to do after the peering.

Answer is correct
upvoted 3 times

  bsdhjbfu3423asdfd 1 year, 11 months ago

Correct answer is A. Configure a conditional forwarder on VM1
Virtual Peering doesn't help to resolve DNS
upvoted 3 times

  Mack279 1 year, 9 months ago

It does help, in what sense that you set the DNS server if you cant reach that virtual server hosting the dns server role in the first place? So
Peering is needed before everything else works for VM1 as the dns server.
upvoted 1 times

  CloudyTech 1 year, 11 months ago

Answer is A
upvoted 1 times

  ykmoh 2 years ago

Correct answer is A. Configure a conditional forwarder on VM1
Virtual Peering doesn't help to resolve DNS
A conditional forwarder is a configuration option in a DNS server that lets you define a DNS domain, such
as contoso.com, to forward queries to. Instead of the local DNS server trying to resolve queries for records
in that domain, DNS queries are forwarded to the configured DNS for that domain
upvoted 3 times

  ScreamingHand 1 year, 12 months ago

You would use a conditional forwarder to forward requests from one DNS server to another DNS server in a another namespace.
upvoted 4 times

  d0bermannn 1 year, 11 months ago

but the devices can't reach the DNS server, so peering between vnets must be first
upvoted 5 times
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 362/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  armandolubaba 2 years ago

Answer is correct. D.
upvoted 1 times

  Aniruddha_dravyakar 2 years, 2 months ago

Enabling peering is must
upvoted 4 times

  mg 2 years, 3 months ago

Answer is correct
peering enables connectivity between Vnets with different subnets
upvoted 5 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 363/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #38 Topic 5

HOTSPOT -
You have an Azure subscription that contains the Azure virtual machines shown in the following table.

You add inbound security rules to a network security group (NSG) named NSG1 as shown in the following table.

You run Azure Network Watcher as shown in the following exhibit.

You run Network Watcher again as shown in the following exhibit.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 364/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

Box 1: No -
It limits traffic to VM2, but not VM1 traffic.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 365/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Box 2: Yes -
Yes, the destination is VM2.

Box 3: No -
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works

  mlantonis Highly Voted  2 years ago

Correct Answer:

Box 1: No
NSG1 limits the traffic that is flowing into 172.16.2.0/24 (Subnet2), which host VM2.

Box 2: Yes
Since Network Watcher is showing that traffic from VM1 to VM2 is not reaching on the TCP port, that means that NSG1 is applied to VM2. We can
understand for sure, that it is not applied to VM1.

Box 3: Yes
In Network Watcher, you can see that the next hop is the destination VM2. This means that they are part of the same virtual network.
upvoted 173 times

  Dunkelheit 7 months, 2 weeks ago

Box 1: Agree
Box 2: No - The TCP rule is an inbound rule which states that traffic is allowed to VM2 if it comes from VM1. It has higher priority than the TCP -
Deny rule. So if the rule would apply to VM2, the traffic via port 8080 should succeed, IF there is something on VM2 using Port 8080.
upvoted 14 times

  deepeshukla 3 months, 3 weeks ago

Agree with this. It should be NNY
upvoted 5 times

  Penguinyo 1 year, 4 months ago

Box 2 - what if the 8080 port on VM2 was not open on any service ?
upvoted 6 times

  dave160222 1 year, 1 month ago

We can't say for sure if VM2 is listening on tcp port 8080. But if you ignore rule 100, and pretend you did not see it, then you can still answer
the question. VM1 can ping VM2 and rule 101 would block ICMP from vm1 to vm2. So the NSG is not applied (and it does not matter what
TCP ports VM2 is listening on)
upvoted 2 times

  Guest 7 months, 1 week ago

No, rule 101 only applies to tcp traffic, it would not block icmp traffic
upvoted 3 times

  matt_dns 1 year, 5 months ago

I agree box 2 is Yes but not because of anything network watcher is showing, network watcher contradicts the NSG. Rather I read this as another
cruel question that simply means the NSG would affect routing for VM2 were it applied, it clearing hasn’t been applied here (unless there’s a
subnet NSG we know nothing about which we have to assume there isn’t).
upvoted 6 times

  _punky_ 1 year, 5 months ago

Ans: NNY. Box 2: yes the NSG1 should be applied to VM2 to allow correct communication as it is in exhibit2. But there is problem the VM1
cannot connect to VM2. On last image we can see that VM1 is reachable from VM2.
Therefore the conclusion of this is NSG1 hasn't been applied yet.
upvoted 16 times

  NalChi 1 year, 3 months ago

I Agree his opinion. NGS1 only allows TCP traffic but its ICMP commnication was succeed : it means VM2 does not applies to NGS1
upvoted 8 times

  GenjamBhai 12 months ago

YYY

NSG is limiting/blocking VM1 traffic to VM2

VM1 traffic cannot reach VM2 so NSG inbound rules applied on VM2
VMs in vnet can communicate by default i.e. ICMP working
upvoted 3 times

  Andersonalm Highly Voted  2 years, 6 months ago

N-Y-Y
upvoted 42 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 366/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  JayBee65 2 years ago

Please explain why you say this.
upvoted 2 times

  signalincode 1 year, 9 months ago

This answer is wrong.
upvoted 3 times

  signalincode 1 year, 9 months ago

2nd question asks if NSG is applied to VM2. The NSG allows all TCP traffic from VM1 subnet to VM2 subnet, yet TCP connectivity test on port
8080 is showing unreachable from VM1. The image also shows ICMP traffic is reaching and returning from VM2 to VM1. Therefore, the NSG
is not applied to VM2.
upvoted 9 times

  Ali1982 1 year, 4 months ago

icmp is not the tcp/udp
upvoted 3 times

  garmatey Most Recent  1 month, 3 weeks ago

ok so based on this comment section I will be purely guessing on this question...
upvoted 10 times

  ericZX 2 months ago

my thinking:
NSG1 is working on subnet level.
Box1: No, NSG1 is not limiting Subnet1 or VM1's traffic
Box2: Yes, VM2's IP is in 172.16.2.0/24 (Subnet2). Regarding the unreachable TCP test, I am assuming there is another Nic level NSG on VM2
(blocking TCP traffic)
upvoted 1 times

  Goofer 2 months, 2 weeks ago

NNY

As per first Network Watcher test, TCP connection from VM1 to VM2 did not succeed. NSG1 specifically allows VM1 subnet to connect to VM2
subnet on TCP.
As per second Network Watcher test is working but NSG1 blocks ICMP
So NSG1 was NOT applied to VM2 or its subnet.

1) NSG1 if applied to VM1 or its subnet will limit VM1 traffic. It will allow TCP traffic only to VM2 subnet, rest is denied.(ICMP also)

2) NSG1 was not applied to VM2 as per second Network Watcher test, ICMP connection from VM1 to VM2 did succeed.

3) Next hop is VM2 IP which implies they are part of the same vnet.
upvoted 3 times

  liza1234 2 months, 3 weeks ago

box1: Yes
NSG1 limits the traffic to only TCP that's why network watcher status is UNREACHABLE.
ICMP is not a TCP traffic. It is also not UDP.
Thus, protocol should be set to ANY.
ANY basically means allowing ALL traffic.
box2: Yes
box3: Yes
upvoted 1 times

  liza1234 2 months, 3 weeks ago

correct answer: Y-Y-Y

box2: Yes

box3: Yes
upvoted 1 times

  msingh20 3 months, 3 weeks ago

No - NSG1 only limits traffic to subnet 2 (which vm2 is on)
No - If it did apply the connection would succeed as the rule allows the subnet of VM1 to reach the subnet of VM2.
No- net watcher confirms this
No
upvoted 1 times

  GBAU 4 months ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 367/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Here is my take:

Box 1: No
Neither of the Inbound rules in the NSG limit traffic to 172.16.1.0/24 subnet where VM1 lives.

Box 2: No*
Actually not enough information to know either way. Both tests are from Subnet 172.16.1.0/24 to 172.16.2.0/24. Nothing in the NSG1 blocks traffic
between the two subnets (given the Allow has a higher priority to the Deny and they are both scoped for the same Ports/Protocol), which is also
the same result as if they were in the same VNET with no NSG applied to anything anyway.

*I would say No though because the rule is defined to the Subnet, not the IP of the VM, which implies it's designed to apply at the Subnet level. It
is grasping at straws but that's all we have. There is no other way to answer this question.

Box 3: Yes
I don't think anyone disagrees on this.
upvoted 3 times

  JDWaters 4 months, 2 weeks ago

Box 1: interesting wording. note that it doesn’t say NGS1 limits traffic “To” VM1 or “From” VM1. It just says “NGS1 limits VM1 Traffic”. I gotta go
with YES on this one, but I question whether the folks that came up with this question were more interested in playing word games, than testing
our knowledge of Azure.

Box 2: Yes

Box 3: Yes, I gotta agree with mlantonis. In Network Watcher you can see that the next hop from VM1 is VM2, so…….
upvoted 2 times

  klexams 7 months, 2 weeks ago

N
NSG is inbound and destination is VM2/subnet2. So doesnt apply to vm1 but does it limit the traffic? No coz the nsg does not apply to anywhere.
N. VM1 should reach VM2 if the nsg applies.
Y. Next hop reachable is the proof
upvoted 7 times

  bdumois 8 months, 2 weeks ago

YYY
1) NSG1 limits traffic from VM1 to VM2 subnet, so it applies to VM1.
2) NSG1 limits traffic VM1 to VM2 subnet, so it applies to VM2.
3) successful ping implies they are part of the same vnet, different subnets.
upvoted 2 times

  pkkalra 9 months, 1 week ago

YNY

As per first Network Watcher test, TCP connection from VM1 to VM2 did not succeed. NSG1 specifically allows VM1 subnet to connect to VM2
subnet on TCP.
So NSG1 was NOT applied to VM2 or its subnet.

1) NSG1 if applied to VM1 or its subnet will limit VM1 traffic. It will allow TCP traffic only to VM2 subnet, rest is denied.

2) NSG1 was not applied to VM2 as per first Network Watcher test, TCP connection from VM1 to VM2 did not succeed. It should have if NSG1 was
applied to VM2.

3) Next hop is VM2 IP which implies they are part of the same vnet.
upvoted 6 times

  EmnCours 9 months, 1 week ago

Correct Answer:

Box 1: No
NSG1 limits the traffic that is flowing into 172.16.2.0/24 (Subnet2), which host VM2.

Box 3: Yes
In Network Watcher, you can see that the next hop is the destination VM2. This means that they are part of the same virtual network.
upvoted 1 times

  robin1337 10 months ago

Worst question. You have to implicitly guess where the NSG is attached. This makes me automatically think which other NSG/Rules could implicitly
be in this scenario. Unnecessary confusion. NYY makes under Micro$oft logic sense though.
upvoted 1 times

  klexams 10 months, 1 week ago

I'm with pingpongset YNY.
upvoted 3 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 368/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  pingpongset 11 months ago

I think the correct answers are below:

Box 1 - Yes
If the NSG applies to VM2, the first test via TCP should pass (because the source is from vm1's subnet, and the destination is from vm2's subnet),
but it failed.

Thus, the NSG applies to VM1. Because when the source is from vm1's subnet, and the destination is from vm2's subnet, the setting is strange
resulting in failure.

ICMP is reachable because of the default AllowVnetInBound.

Box 2 - No
See the reasoning above.

Box 3 - Yes
Both are in the same VNET. Otherwise, the ping would have failed.
upvoted 6 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 369/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #39 Topic 5

You have the Azure virtual network named VNet1 that contains a subnet named Subnet1. Subnet1 contains three Azure virtual machines. Each
virtual machine has a public IP address.
The virtual machines host several applications that are accessible over port 443 to users on the Internet.
Your on-premises network has a site-to-site VPN connection to VNet1.
You discover that the virtual machines can be accessed by using the Remote Desktop Protocol (RDP) from the Internet and from the on-premises
network.
You need to prevent RDP access to the virtual machines from the Internet, unless the RDP connection is established from the on-premises
network. The solution must ensure that all the applications can still be accessed by the Internet users.
What should you do?

A. Modify the address space of the local network gateway

B. Create a deny rule in a network security group (NSG) that is linked to Subnet1

C. Remove the public IP addresses from the virtual machines

D. Modify the address space of Subnet1

Correct Answer: B
You can use a site-to-site VPN to connect your on-premises network to an Azure virtual network. Users on your on-premises network connect by
using the RDP or
SSH protocol over the site-to-site VPN connection. You don't have to allow direct RDP or SSH access over the internet.
Reference:
https://docs.microsoft.com/en-us/azure/security/fundamentals/network-best-practices

Community vote distribution

B (100%)

  mlantonis Highly Voted  2 years ago

Correct Answer: B

You can use a site-to-site VPN to connect your on-premises network to an Azure virtual network. Users on your on-premises network connect by
using the RDP or
SSH protocol over the site-to-site VPN connection. You have to deny direct RDP or SSH access over the internet through an NSG.

Reference:

https://docs.microsoft.com/en-us/azure/security/fundamentals/network-best-practices
upvoted 83 times

  jmartinezm Highly Voted  2 years, 8 months ago

Definitely B. A makes no sense
upvoted 35 times

  FlowerChoc1 Most Recent  2 months ago

Cleared the exam on 04/12/2023. This question came up. Make sure to read the comments in the discussion. It's really helpful.
upvoted 1 times

  djgodzilla 2 months, 2 weeks ago

Selected Answer: B
exp: removing Public IPs will prevent the applications access on port 443 to users on the internet which is a requirement. Deny rule is a more
appropriate solution
upvoted 1 times

  DeBoer 4 months, 1 week ago

Selected Answer: B
Yes, it's B. Obviously.

But these MS answers re: NSGs are seriously leading newer folks into dangerous territory: you DO NOT create Deny rules for specific ports. Instead,
DENY everything - and only open what you NEED.

Anything else is a disaster waiting to happen - especially in this scenario with machines directly facing the internet...

TL/DR: answer B for the test but do the right thing in a real environment
upvoted 3 times
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 370/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  djgodzilla 5 months ago

B - but I don't think it's that straightforward.
I might be wrong , but I see it more like : adding 2 rules
1. high prio allow RDP from gateway CIDR
2. (above prio -1 )deny RDP from internet.
upvoted 2 times

  EmnCours 9 months, 3 weeks ago

Selected Answer: B
Correct Answer: B
upvoted 1 times

  Jey117 11 months, 2 weeks ago

Selected Answer: B
- You wake up.
- VNet1 contains a subnet named Subnet1.
- Subnet1 contains three Azure virtual machines.
- Each virtual machine has a public IP address.
- You drink some coffee.
- The virtual machines host several applications that are accessible over port 443 to users on the Internet.
- You make a sandwidch.
- Your on-premises network has a site-to-site VPN connection to VNet1.
- You discover that the virtual machines can be accessed by using the Remote Desktop Protocol (RDP) from the Internet and from the on-premises
network.
- You travel to the moon for vacations.
- You need to prevent RDP access to the virtual machines from the Internet, unless the RDP connection is established from the on-premises
network.
- When you are back you receive a medall.
- You figure out how to overcome speed of light.
- The solution must ensure that all the applications can still be accessed by the Internet users.
upvoted 7 times

  Lazylinux 11 months, 4 weeks ago

Selected Answer: B
I Luv Honey Because it is B
upvoted 3 times

  cloudera 12 months ago

Selected Answer: B
Correct answer is: Deny direct RDP or SSH access through an NSG.

You do need public IPs for the VMs mainly because internet users need to be able to reach the VM via TCP 443. If LB is in place/mentioned, the VM
won't necessarily need public IP.
upvoted 3 times

  patoalcorta 1 year, 12 months ago

Definitely B. Why would anyone think of A?
upvoted 4 times

  raulgar 2 years, 2 months ago

B is correct, configure a nsg rule.C can't be because vm need access through internet
upvoted 2 times

  tux_alket 2 years, 2 months ago

I would say B is the correct Answer
upvoted 3 times

  allray15 2 years, 2 months ago

Tested - B correct and only place where you can allow source which can connect to RDP.
upvoted 2 times

  mg 2 years, 3 months ago

Answer is correct.
Create a deny rule in NSG connected to subnet1
upvoted 2 times

  ZUMY 2 years, 3 months ago

B is correct.
add a port 3389 blocking rule to NSG in Vnet
upvoted 3 times

  toniiv 2 years, 3 months ago

Answer B. is correct
upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 371/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 372/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #40 Topic 5

You have an Azure subscription that contains the resources in the following table.

Subnet1 is associated to VNet1. NIC1 attaches VM1 to Subnet1.

You need to apply ASG1 to VM1.
What should you do?

A. Associate NIC1 to ASG1

B. Modify the properties of ASG1

C. Modify the properties of NSG1

Correct Answer: A
Application Security Group can be associated with NICs.
References:
https://docs.microsoft.com/en-us/azure/virtual-network/security-overview#application-security-groups

Community vote distribution

A (100%)

  bogdan89 Highly Voted  2 years, 6 months ago

Full explanation:
Correct Answer is A:

Associate Virtual Machines

An application security group is a logical collection of virtual machines (NICs). You join virtual machines to the application security group, and then
use the application security group as a source or destination in NSG rules.

The Networking blade of virtual machine properties has a new button called Configure The Application Security Groups for each NIC in the virtual
machine. If you click this button, a pop-up blade will appear and you can select which (none, one, many) application security groups that this NIC
should join, and then click Save to commit the change.

https://petri.com/understanding-application-security-groups-in-the-azure-
portal#:~:text=You%20can%20start%20the%20process,Application%20Security%20Group%20blade%20appears.
upvoted 104 times

  mlantonis Highly Voted  2 years ago

Correct Answer: A

Application security groups enable you to configure network security as a natural extension of an application's structure, allowing you to group
virtual machines and define network security policies based on those groups. You can reuse your security policy at scale without manual
maintenance of explicit IP addresses. The platform handles the complexity of explicit IP addresses and multiple rule sets, allowing you to focus on
your business logic.

Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/application-security-groups
https://tutorialsdojo.com/network-security-group-nsg-vs-application-security-group
upvoted 66 times

  DeBoer Most Recent  4 months, 1 week ago

Selected Answer: A
You can use the Tthe Networking blade of virtual machine to add a machine to one or more ASGs
upvoted 1 times

  EmnCours 9 months, 3 weeks ago

Selected Answer: A
Correct Answer: A

https://docs.microsoft.com/en-us/azure/virtual-network/application-security-groups
upvoted 3 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 373/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  Lazylinux 11 months, 4 weeks ago

Selected Answer: A
A is correct
An application security group is a logical collection of virtual machines (NICs). You join virtual machines to the application security group, and then
use the application security group as a source or destination in NSG rules.
upvoted 3 times

  AubinBakana 1 year, 9 months ago

ASG are not much covered in the Learn module, not that I remember. Answer is correct
upvoted 5 times

  mg 2 years, 3 months ago

Answer is correct.
Application security group ASG can be associated with NIC
upvoted 4 times

  ZUMY 2 years, 3 months ago

A is answer
Associate Virtual Machines
An application security group is a logical collection of virtual machines (NICs). You join virtual machines to the application security group, and then
use the application security group as a source or destination in NSG rules.

https://petri.com/understanding-application-security-groups-in-the-azure-
portal#:~:text=You%20can%20start%20the%20process,Application%20Security%20Group%20blade%20appears.
upvoted 5 times

  aMiPL 2 years, 4 months ago

ASG cannot only be added to NIC so the only option according to MS docs.
upvoted 2 times

  ckyap 2 years, 4 months ago

Came in exam 1st Feb 2021. Selected A
upvoted 5 times

  waterzhong 2 years, 4 months ago

All network interfaces assigned to an application security group have to exist in the same virtual network that the first network interface assigned
to the application security group is in. For example, if the first network interface assigned to an application security group named AsgWeb is in the
virtual network named VNet1, then all subsequent network interfaces assigned to ASGWeb must exist in VNet1. You cannot add network interfaces
from different virtual networks to the same application security group.
upvoted 4 times

  macross 2 years, 4 months ago

Good explanation - thank you.
upvoted 1 times

  Hardikm007 2 years, 5 months ago

ASG are NOT in exams. Check on site.
upvoted 4 times

  fedztedz 2 years, 5 months ago

Answer is correct. "A"
ASG is a virtual grouping of VMs through their NIC. Accordingly, you need to connect NIC to ASG.
upvoted 18 times

  waterzhong 2 years, 5 months ago

  chenmat 2 years, 6 months ago

Answer: A

Refer https://tutorialsdojo.com/network-security-group-nsg-vs-application-security-group/
upvoted 5 times

  Andersonalm 2 years, 6 months ago

Answer C
upvoted 1 times

  jelly_baby 2 years, 6 months ago

Don't spam answers without an explanation. Everyone's saying A but you say C but don't explain why? Shut up.
upvoted 61 times
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 374/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  az104bd 2 years, 3 months ago

I can feel that brother !!!!! :D
upvoted 3 times

  antonio_ferraz 2 years, 6 months ago

Answer A.
In the previous picture, NIC1 and NIC2 are members of the AsgWeb application security group. NIC3 is a member of the AsgLogic application
security group. NIC4 is a member of the AsgDb application security group. Though each network interface in this example is a member of only one
network security group, a network interface can be a member of multiple application security groups, up to the Azure limits. None of the network
interfaces have an associated network security group. NSG1 is associated to both subnets and contains the following rules:
https://docs.microsoft.com/en-us/azure/virtual-network/application-security-groups
upvoted 3 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 375/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #41 Topic 5

You have an Azure subscription named Subscription1 that contains an Azure virtual network named VNet1. VNet1 connects to your on-premises
network by using
Azure ExpressRoute.
You plan to prepare the environment for automatic failover in case of ExpressRoute failure.
You need to connect VNet1 to the on-premises network by using a site-to-site VPN. The solution must minimize cost.
Which three actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

A. Create a connection

B. Create a local site VPN gateway

C. Create a VPN gateway that uses the VpnGw1 SKU

D. Create a gateway subnet

E. Create a VPN gateway that uses the Basic SKU

Correct Answer: ADE

Reference:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-portal

Community vote distribution

ABC (83%) Other

  mlantonis Highly Voted  2 years ago

Correct Answer: A, B and C

For a site to site VPN, you need:

- a local gateway
- a gateway subnet
- a VPN gateway
- a connection to connect the local gateway and the VPN gateway

However, the question states that VNet1 connects to your on-premises network by using Azure ExpressRoute. For an ExpressRoute connection,
VNET1 must already be configured with a gateway subnet so we don't need another one.

Note: BasicSKU cannot coexist with ExpressRoute. You must use a non-Basic SKU gateway for both the ExpressRoute gateway and the VPN
gateway.
upvoted 151 times

  mlantonis 2 years ago

Reference:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-portal
https://azure.microsoft.com/es-es/pricing/details/vpn-gateway
upvoted 17 times

  cloudera 1 year ago

Th question asked to pick 3 options. I believe a correct answer can also be BCD as well.
upvoted 2 times

  Leandroalonso Highly Voted  2 years, 6 months ago

Vnet1 is already connected by ExpressRoute, wich we presume that the subnet gateway was already created.
SKU need to be VpnGw1 because Basic does not coexist with ExpressRoute.

So, answers should be A, B and C.

upvoted 133 times

  Hibs2016 2 years, 6 months ago

Do you have a link for Basic not working with ExpressRoute?
upvoted 1 times

  jimmyli 2 years, 5 months ago

here: https://docs.microsoft.com/en-us/azure/expressroute/expressroute-howto-coexist-resource-manager
in which it reads, "Next, create your Site-to-Site VPN gateway. For more information about the VPN gateway configuration, see Configure a
VNet with a Site-to-Site connection. The "GatewaySku is only supported for VpnGw1, VpnGw2, VpnGw3, Standard, and HighPerformance
VPN gateways. ExpressRoute-VPN Gateway coexist configurations are not supported on the Basic SKU. The VpnType must be RouteBased."
upvoted 17 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 376/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  irosh412 2 years, 1 month ago

https://docs.microsoft.com/en-us/azure/expressroute/expressroute-howto-coexist-resource-manager#add
upvoted 2 times

  QiangQiang 2 years, 4 months ago

I think you are 100% right
upvoted 6 times

  VladanO 1 year ago

You right.
answer: A,B,C
See link https://docs.microsoft.com/en-us/azure/expressroute/expressroute-howto-coexist-resource-manager
"ExpressRoute-VPN Gateway coexist configurations are not supported on the Basic SKU."
upvoted 2 times

  Exilic Most Recent  6 days, 19 hours ago

Selected Answer: BDE
OpenAI

"To connect VNet1 to the on-premises network using a site-to-site VPN while minimizing cost, you should perform the following three actions:

B. Create a local site VPN gateway: A local site VPN gateway represents the on-premises VPN device. By creating a local site VPN gateway, you can
establish a connection between your on-premises network and Azure.

D. Create a gateway subnet: The gateway subnet is a subnet dedicated to hosting the VPN gateway. You need to create a gateway subnet within
VNet1 to deploy the VPN gateway.

E. Create a VPN gateway that uses the Basic SKU: The Basic SKU is the most cost-effective option for a VPN gateway. It provides the necessary
functionality for site-to-site connectivity between your on-premises network and Azure.

So, the correct actions to perform are B, D, and E."

upvoted 1 times

  Exilic 6 days, 19 hours ago

Me
Does basic SKU support express route

ChatGPT

I apologize for the confusion in my previous response. The Basic SKU does not support ExpressRoute connectivity. It only supports site-to-site
VPN connectivity.

If you want to prepare the environment for automatic failover in case of ExpressRoute failure, you would need to use the High Performance or
Ultra Performance SKU for the VPN gateway.

Therefore, the correct actions to perform in this scenario would be:

A. Create a connection: This refers to creating a connection object that represents the link between your virtual network and the on-premises
network.

C. Create a VPN gateway that uses the VpnGw1 SKU: This SKU supports ExpressRoute connectivity and provides the necessary performance and
capabilities for automatic failover in case of ExpressRoute failure.

D. Create a gateway subnet: A gateway subnet is required to host the VPN gateway.

So, the correct actions to perform are A, C, and D.

upvoted 1 times

  Rams_84zO6n 2 months, 2 weeks ago

Selected Answer: ABC
It can't be D or E. Since express route exist already, it must have a gateway subnet. BasicSKUs can't co-exist with express route gateway.
https://learn.microsoft.com/en-us/azure/expressroute/expressroute-howto-coexist-resource-manager
upvoted 1 times

  wolf13 3 months, 3 weeks ago

Create a local site VPN gateway
This will allow you to provide the local gateway settings, for example public IP and the on-premises address space, so that the Azure VPN gateway
can connect to it.
Create a Connection
You need to link the ExpressRoute gateway to the ExpressRoute circuit. After this step has been completed, the connection between your on-
premises network and Azure through
ExpressRoute will be established.
Create a VPN gateway that uses the VpnGw1 SKU
The GatewaySku is only supported for VpnGw1, VpnGw2, VpnGw3, Standard, and HighPerformance VPN gateways. ExpressRoute-VPN Gateway
coexist configurations are not supported on the Basic SKU. The VpnType must be RouteBased.
upvoted 1 times

  Notteb 4 months, 3 weeks ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 377/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Selected Answer: ABC

Following mIantonis, seems logical.
Just maybe not in the ABC order, rather CBA i believe
upvoted 1 times

  sourabhg 7 months ago

Selected Answer: ABC
Vnet1 is already connected by ExpressRoute, wich we presume that the subnet gateway was already created.
SKU need to be VpnGw1 because Basic does not coexist with ExpressRoute.

So, answers should be A, B and C.

upvoted 1 times

  Babushka 7 months ago

Selected Answer: ABC
Come on folks, should know your ABC
upvoted 1 times

  klexams 7 months, 2 weeks ago

Selected Answer: ABC
co-exist with expressroute so must use VpnGw1. the rest is just standard vpn gateway setup steps.
upvoted 1 times

  EmnCours 9 months, 3 weeks ago

Selected Answer: ABC
ExpressRoute-VPN Gateway coexist configurations are not supported on the Basic SKU. The VpnType must be RouteBased.

https://docs.microsoft.com/en-us/azure/expressroute/expressroute-howto-coexist-resource-manager
upvoted 3 times

  nkhan19 11 months ago

Selected Answer: ABC
Gateway subnet is already there with ER on VNet1
Basic VNG does not support coexistence
upvoted 3 times

  Gino_Slim 11 months, 2 weeks ago

Just here to let everyone know it's not E at all. Express doesn't support Basic SKU
upvoted 2 times

  Lazylinux 11 months, 4 weeks ago

Selected Answer: ABC
ABC is correct
Subnet GW already exist (catchy one)
Basic GW will not work with expressroute
upvoted 2 times

  Cyberjunky 1 year ago

Selected Answer: ADE
Because you are setting up a site-to-site VPN connection the Basic SKU will work in this case, see the link below.
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings
upvoted 1 times

  tdienst 1 year, 2 months ago

Create the site-to-site VPN gateway and local network gateway. For more information about the VPN gateway configuration, see Configure a VNet
with a Site-to-Site connection. The GatewaySku is only supported for VpnGw1, VpnGw2, VpnGw3, Standard, and HighPerformance VPN gateways.
ExpressRoute-VPN Gateway coexist configurations aren't supported on the Basic SKU. The VpnType must be RouteBased.

https://docs.microsoft.com/en-us/azure/expressroute/how-to-configure-coexisting-gateway-portal?toc=/azure/vpn-gateway/toc.json
upvoted 1 times

  InvisibleShadow 1 year, 3 months ago

This question came in the exam today 8/Mar/2022.
I passed the exam, 95% questions came from here.
upvoted 1 times

  sid132 1 year, 3 months ago

On the exam today, 4.March.2022
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 378/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #42 Topic 5

HOTSPOT -
You have peering configured as shown in the following exhibit.

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

Box 1: vNET6 only -

Peering status to both VNet1 and Vnet2 are disconnected.

Box 2: delete peering1 -

Peering to Vnet1 is Enabled but disconnected. We need to update or re-create the remote peering to get it back to Initiated state.
Reference:
https://blog.kloud.com.au/2018/10/19/address-space-maintenance-with-vnet-peering/

  mlantonis Highly Voted  2 years ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 379/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Correct Answer:

Box 1: vNET6 only

Peering status to both VNet1 and Vnet2 are disconnected. So, only communication inside vNET6.

Box 2: delete peering1

Peering to vNET1 is enabled but disconnected. We need to delete the peering from both virtual networks, and then re-create them. You can't add
address ranges to or delete address ranges from a virtual network's address space once a virtual network is peered with another virtual network. To
add or remove address ranges, delete the peering, add or remove the address ranges, then re-create the peering.

Reference:

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-troubleshoot-peering-issues#the-peering-status-is-disconnected
upvoted 86 times

  Rams_84zO6n 2 months, 2 weeks ago

mlantonis - while i agree with your answer for Box2, one of the statement is incorrect. https://learn.microsoft.com/en-us/azure/virtual-
network/virtual-network-peering-overview#resize-the-address-space-of-azure-virtual-networks-that-are-peered . You can change address
space of peered network. You need to sync the networks after peering
upvoted 1 times

  fedztedz Highly Voted  2 years, 5 months ago

The Answer is correct.
- Since both peerings are disconnected. then only communication inside VNet6
- It should be to create peerings on Vnet1 to enable. However, since it is an option here. Then the nearest one is to delete the peering also on
Vnet6 then recreate again.
upvoted 72 times

  marcellov 2 years, 1 month ago

Confirmed.
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-troubleshoot-peering-issues#the-peering-status-is-disconnected
upvoted 15 times

  Bigc0ck Most Recent  5 months, 1 week ago

I remember a similar question like this, might be it on 2nd test
upvoted 4 times

  obaali1990 2 months, 3 weeks ago

Sorry for writing twice
upvoted 2 times

  EmnCours 9 months, 3 weeks ago

Correct Answer:

Box 1: vNET6 only

Peering status to both VNet1 and Vnet2 are disconnected. So, only communication inside vNET6.

Box 2: delete peering1

Reference:

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-troubleshoot-peering-issues#the-peering-status-is-disconnected
upvoted 1 times

  Lazylinux 11 months, 4 weeks ago

Given answer is correct
Box 1: vNET6 only it is default behavior
Box 2: delete peering1 and redo it to establish connection state up
upvoted 2 times

  techie_11 1 year, 2 months ago

On exam 4/12/2022. answer correct
upvoted 1 times

  sid132 1 year, 3 months ago

On the exam today, 4.March.2022
upvoted 2 times

  Appu008 1 year, 6 months ago

most dumb options for second question
upvoted 2 times

  im82 1 year, 6 months ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 380/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Was on exam today 19.11.2021. Passed with 920.

Correct answer:
- VNET6 only
- Delete peering 1
upvoted 2 times

  _cube_ 1 year, 8 months ago

Box 1: vNET6 only is not correct imho.
The NSG default rules allow communication in between the virtual networks within the same subscription and I just tested it so the last option (all
vnets in the same subscription) is in my opinion the correct one.
upvoted 1 times

  AubinBakana 1 year, 9 months ago

Honestly, I didn't even notice that the peerings were disconnected because it seemed too easy.
upvoted 1 times

  MrBlueSky 3 months, 1 week ago

You seeing that and understanding what it means is the entire point of this question
upvoted 1 times

  JayBee65 2 years ago

"The peering status is "Disconnected"
To resolve this issue, delete the peering from both virtual networks, and then re-create them." - https://docs.microsoft.com/en-us/azure/virtual-
network/virtual-network-troubleshoot-peering-issues#the-peering-status-is-disconnected
upvoted 2 times

  Crhistian 2 years, 1 month ago

Why they dont include the complete answer...
delete and recreate the peering.
upvoted 4 times

  Sandroal29 2 years, 2 months ago

The provided answer is correct.
upvoted 1 times

  ZUMY 2 years, 3 months ago

Given answers are correct
1.peering status disconnected so connection with other VNETs
upvoted 3 times

  toniiv 2 years, 3 months ago

Both answers are correct. To re-create peering first you need to delete current one.
upvoted 5 times

  mikl 2 years, 4 months ago

peering1/2 shows "disconnected" so only VNet6.

Other options are not valid - so delete, and re-create.

upvoted 4 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 381/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #43 Topic 5

HOTSPOT -
You have an Azure subscription that contains the resources in the following table.

You install the Web Server server role (IIS) on VM1 and VM2, and then add VM1 and VM2 to LB1.
LB1 is configured as shown in the LB1 exhibit. (Click the LB1 tab.)

Rule1 is configured as shown in the Rule1 exhibit. (Click the Rule1 tab.)

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 382/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

Box 1: Yes -
A Basic Load Balancer supports virtual machines in a single availability set or virtual machine scale set.

Box 2: Yes -
When using load-balancing rules with Azure Load Balancer, you need to specify health probes to allow Load Balancer to detect the backend
endpoint status. The configuration of the health probe and probe responses determine which backend pool instances will receive new flows.
You can use health probes to detect the failure of an application on a backend endpoint. You can also generate a custom response to a health
probe and use the health probe for flow control to manage load or planned downtime. When a health probe fails, Load Balancer will stop
sending new flows to the respective unhealthy instance. Outbound connectivity is not impacted, only inbound connectivity is impacted.

Box 3: No -
Reference:
https://docs.microsoft.com/en-us/azure/load-balancer/skus
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-custom-probe-overview

  mlantonis Highly Voted  2 years ago

Correct Answer:

Box 1: Yes
A Basic Load Balancer supports virtual machines in a single availability set or virtual machine scale set.

Box 2: Yes
When using load-balancing rules with Azure Load Balancer, you need to specify health probes to allow Load Balancer to detect the backend
endpoint status. The configuration of the health probe and probe responses determine which backend pool instances will receive new flows. You
can use health probes to detect the failure of an application on a backend endpoint. You can also generate a custom response to a health probe
and use the health probe for flow control to manage load or planned downtime. When a health probe fails, Load Balancer will stop sending new
flows to the respective unhealthy instance. Outbound connectivity is not impacted, only inbound connectivity is impacted.

Box 3: No
There will be no loadbalancing between the VMs.

Basic Load Balancer: Virtual machines in a single availability set or virtual machine scale set.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 383/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Standard Load Balancer: Any virtual machines or virtual machine scale sets in a single virtual network.
upvoted 126 times

  mlantonis 2 years ago

Reference:

https://docs.microsoft.com/en-us/azure/load-balancer/skus

https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-custom-probe-overview
upvoted 14 times

  morito 3 months ago

I'm a bit torn on the first answer, couldn't they both technically be in the same scale set, therefore the answer could also be no?
upvoted 1 times

  Paul_white 3 months, 3 weeks ago

Azure GOD!!!!!!
upvoted 3 times

  techrat 1 year, 2 months ago

agreed. it's on my exam yesterday and I passed it with 923.
upvoted 17 times

  denccc Highly Voted  2 years, 1 month ago

Answer seems correct to me:
- For Basic Sku load balancer, network interface and load balancer have to be in the same availability set. (Y)
- Principal of LB (Y)
- Deletion of rule: there will no loadbalancing to the VM's (N)
upvoted 13 times

  EmnCours Most Recent  9 months, 3 weeks ago

  Lazylinux 11 months, 4 weeks ago

YYN..given answer is correct and as per other comments
upvoted 2 times

  Lazylinux 11 months, 4 weeks ago

More info
Load Balancing rules: Determines how inbound traffic gets disturbed to the backend pool instances – example - incoming request on Port 80
can be either redirected to backend pool instances on different port or can be same port 80 ..so means you remove the rule then LB1 will NOT
load balance

Backend pool endpoints

STD LB: Any virtual machines or virtual machine scale sets in a single virtual network Basic LB: Virtual machines in a single availability set or
virtual machine scale set
upvoted 2 times

  Snownoodles 1 year, 10 months ago

I think Box 1 should be 'No'. Basic Load Balancer supports "Virtual machines in a single availability set or virtual machine scale set", so availability
set is not the only option to Basic LB.
I just did a test, if you put 2 VMs in a VMSS that in a single placement group, you can add this VMSS into Basic LB's backend pool.
https://docs.microsoft.com/en-us/azure/load-balancer/skus

Any suggestions?
upvoted 2 times

  Mozbius_ 1 year, 2 months ago

True. The question should have been formulated as [VM1 is in the same SET as VM2]. That being said in the context of the question I believe the
intent of the question is to test if you are aware that a basic load balancer doesn't work with individual VMS and only supports AVAILABILITY &
SCALE sets. In such context availability set is an ok answer. If I see that exact formulation in the exam I will let the testers know how badly is that
question formulated.
upvoted 1 times

  J_Dawg 2 years ago

Y-Y-Y
Check the link provided in the answer: LB Basic SKU is "Open by default. Network security group optional."
upvoted 4 times

  JayBee65 1 year, 12 months ago

How will it know what to load-balance? :)
upvoted 4 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 384/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  imartinez 1 year, 11 months ago

I checked based on your comment. You are totally wrong and misreading the documentation .
"TCP connections stay alive on an instance probe down. All TCP connections end when all probes are down."
What you find is related to NSGs protecting the LB!!
upvoted 2 times

  mashk19 2 years ago

Am I missing something here? If you delete the load balancing rule, surely you'd still have the load balancer? And the Load Balancer's job is to
spread traffic between the machines sitting behind it?
upvoted 3 times

  nzmike 1 year, 7 months ago

You've got the load balancer still sure, but what's telling it what to do? No rule(s), no balancing.
upvoted 3 times

  Moyuihftg 2 years, 1 month ago

Answer is correct
upvoted 2 times

  fdelacortina 2 years, 1 month ago

I would say that is Y, Y, Y. Because if you delete rule 1, LB would not balance traffic from port 80 to port 80.
upvoted 1 times

  hamzajeljeli 2 years, 1 month ago

Any confirmation that this is a correct answer ?
upvoted 1 times

  Ario 2 years, 1 month ago

yes answer is correct
upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 385/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #44 Topic 5

HOTSPOT -
You have an Azure virtual machine named VM1 that connects to a virtual network named VNet1. VM1 has the following configurations:
✑ Subnet: 10.0.0.0/24
✑ Availability set: AVSet
✑ Network security group (NSG): None
✑ Private IP address: 10.0.0.4 (dynamic)
✑ Public IP address: 40.90.219.6 (dynamic)
You deploy a standard, Internet-facing load balancer named slb1.
You need to configure slb1 to allow connectivity to VM1.
Which changes should you apply to VM1 as you configure slb1? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

Change the private IP address of VM1 to static

Box 1: Remove the public IP address from VM1
Note: A public load balancer can provide outbound connections for virtual machines (VMs) inside your virtual network. These connections are
accomplished by translating their private IP addresses to public IP addresses. Public Load Balancers are used to load balance internet traffic to
your VMs.
Box 2: Create and configure an NSG
NSGs are used to explicitly permit allowed traffic. If you do not have an NSG on a subnet or NIC of your virtual machine resource, traffic is not
allowed to reach this resource.
Reference:
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-overview

  mlantonis Highly Voted  2 years ago

Correct Answer:

Box 1: Remove the public IP address from VM1

Note: A public load balancer can provide outbound connections for virtual machines (VMs) inside your virtual network. These connections are
accomplished by translating their private IP addresses to public IP addresses. Public Load Balancers are used to load balance internet traffic to your
VMs. Load balancer and the public IP address SKU must match when you use them with public IP addresses. Only Basic SKU IPs work with the Basic
SKU load balancer and only Standard SKU IPs work with Standard SKU load balancers.

Box 2: Create and configure an NSG

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 386/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

NSGs are used to explicitly permit allowed traffic. If you do not have an NSG on a subnet or NIC of your virtual machine resource, traffic is not
allowed to reach this resource.
upvoted 133 times

  ConanBarb 3 months, 2 weeks ago

mlantonis is correct as always.

Tested in lab. If the VM has a dynamic (hence basic) public IP it cannot be chosen to the B-E pool with the following error msg:
"The SKU of the resource's IP address is different from the SKU of the load balancer."
upvoted 3 times

  Holydud 9 months, 4 weeks ago

Was on exam 19 Aug 2022. Scored 870. Around 85% questions were also on ET. Answered:

Box1: Remove the public IP address from VM1

Box2: Create and configure an NSG
upvoted 11 times

  nkhan19 11 months ago

the only reason to remove public IP is due to its nature (dynamic)

only Basic SKU Public IP can be Dynamic or Static

Standard SKU public IP can only be STATIC

Standard SKU LB needs Standard SKU public IP or else remove it.

upvoted 8 times

  Netspud 1 year, 4 months ago

Box 1: Remove Publilc IP.
But not seen anything that was forcing this as the option. Found this "The default outbound access IP is disabled when a public IP address is
assigned to the virtual machine, or the virtual machine is placed in the backend pool of a Standard Load Balancer with or without outbound
rules. If a Azure Virtual Network NAT gateway resource is assigned to the subnet of the virtual machine, the default outbound access IP is
disabled." here : https://docs.microsoft.com/en-us/azure/load-balancer/quickstart-load-balancer-standard-public-portal?tabs=option-1-create-
load-balancer-standard.
My big issues is I don't see any of the answers as a "MUST". Typical MS question.
upvoted 2 times

  Pradh Highly Voted  1 year, 5 months ago

Guys !! its simple! Don't get confused with complicated text book explanation in comment section .

1) Remove Public IP address from VM1 --> Reason being when you create a LB and add VM to backend pool make sure VM doesn't have a Public
IP assigned to it .

2) Create and configure an NSG . --> key thing to notice in question is "STANDAR LB " . Backend pool VM in standard LB should compulsorily have
NSG associated to it and configured with required port to be allowed.

I created an LB with Basic sku and not standard..

Example :

With basic sku LB i was able to connect vm via rdp without any nsg..

Now when I tested with standard LB I had to configure and NSG for the vm nic and allow port 3389 to rdp it.. Without nsg it won't allow to connect
upvoted 29 times

  vbohr899 Most Recent  3 months, 2 weeks ago

Cleared Exam today 26 Feb, This question was there in exam.
upvoted 3 times

  GBAU 4 months ago

Summary: There is no correct answer for Box 1 or 2
Maybe historically there were limitations but as Feb 2023, they do not apply.

Justification:

Lab Test Results (Feb '23):

Created Standard SKU LB

Created VM (FreeBSD) with :

-Basic PIP
-Dynamic LIP
-In an Availability Set
-NO Network Security Group

Attempted to create a Backend Pool in the LB:

-I could create a BackEnd pool (IP Configuration) on the LB and add this VM above to the Backend pool of the LB.

So there is actually NOTHING you MUST do to CREATE the backend pool.

There is no correct answer for Box 1

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 387/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

I created a new load balancing rule for TCP22 on the LB to the backend pool with the VM in it. Succeeded no problem

Attempted Connection to FrontEnd PIP of LB on TCP22 in Putty and got the certificate pop up you would accept. Accepted the certificate and got
the login prompt

So there is actually NOTHING you MUST do to CONNECT to VM1 from the LB

There is no correct answer for Box 2

It was all good practice for me for my exam anyway :)

upvoted 2 times
  klexams 7 months, 2 weeks ago
box1: remove IP because dynamic IP is not compatible with standard LB.
box2: NSG because Standard load balancer is built on the zero trust network security model. Standard load balancers and standard public IP
addresses are closed to inbound connections unless opened by Network Security Groups.
upvoted 4 times

  EmnCours 9 months, 3 weeks ago

Given Answer
upvoted 1 times

  Dumber 10 months, 4 weeks ago

please see:
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-overview#securebydefault

- Standard load balancer is built on the zero trust network security model.

- Standard Load Balancer is secure by default and part of your virtual network. The virtual network is a private and isolated network.

- Standard load balancers and standard public IP addresses are closed to inbound connections unless opened by Network Security Groups. NSGs
are used to explicitly permit allowed traffic. If you don't have an NSG on a subnet or NIC of your virtual machine resource, traffic isn't allowed to
reach this resource. To learn about NSGs and how to apply them to your scenario, see Network Security Groups.

- Basic load balancer is open to the internet by default.

- Load balancer doesn't store customer data.

upvoted 3 times

  Lazylinux 11 months, 4 weeks ago

Given Answer is correct and mlantonis is well explained
upvoted 2 times

  Scoobysnaks86 1 year ago

Just tested in the Azure portal. I was able to put the VM in the backend pool WITHOUT a NSG. The dynamic IP addresses are not compatible with a
standard load balancer, as those IP's are basic. Basic Ip's cannot be mixed and used with a standard LB. The dynamic addresses had to be deleted
from the NIC, and a static one created. mlantonis actually wrong on this one. Also, front facing LB's do not need Vms with public IP addresses as
they have one themselves. Delete it
Box 1: Remove the public IP address from VM1
Box2: Change Private IP address to static
again, you do not need a NSG to connect a VM to a backend pool
upvoted 2 times

  vinsom 1 month, 2 weeks ago

Pls check this -
For a standard load balancer, the VMs in the backend pool are required to have network interfaces that belong to a network security group.
Link: https://learn.microsoft.com/en-us/azure/load-balancer/quickstart-load-balancer-standard-public-cli
upvoted 1 times

  Dobby25 1 year, 2 months ago

Received this on my exam today 19/03/2022
upvoted 1 times

  josevirtual 1 year, 3 months ago

I think that Box1 should be to change the private IP to static. If I understood well the documentation, you need both a static private IP address and
a NSG. Box 1 asks what you "must" do. I don't think you "must" delete the public IP address, it just won't work.
upvoted 1 times

  FabioVi 1 year, 4 months ago

Correct. Regarding box 2, reason is because Standard Load Balancer is "Closed to inbound flows unless allowed by a network security group"

https://docs.microsoft.com/en-us/azure/load-balancer/skus#skus
upvoted 2 times

  marco_aimi 1 year, 5 months ago

guys, joke? Dinamic for LB??????????????
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 388/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 3 times
  chaudha4 1 year, 9 months ago
Verified it in Azure by setting this up.

Box 1: Remove the public IP address from VM1 - You can only attach virtual machines in the backend pool that have a standard SKU public IP
configuration or no public IP configuration. Since the Public IP of VM is dynamic, the IP must be a Basic SKU IP. You cannot add such a VM (with
Basic SKU IP) to a standard SKU load balancer. The VM does not even show up in the backend pool portal for selection unless you remove the
public IP or convert it to a Standard SKU IP.

Box 2: Create and configure an NSG - Standard load balancer is built on the zero trust network security model. Standard load balancers and
standard public IP addresses are closed to inbound connections unless opened by Network Security Groups. NSGs are used to explicitly permit
allowed traffic.
upvoted 11 times

  Mozbius_ 1 year, 2 months ago

Thank you for the precision / explanation.
upvoted 1 times

  ScreamingHand 1 year, 12 months ago

Why not:
Create and assign an NSG to VM1
Change the private IP address of VM1 to static
?
upvoted 5 times

  JayBee65 1 year, 12 months ago

Before you can create the backend pool you must set the private IP to static, otherwise this may change on reboot, and the backend pool would
not be valid..

Before you connect as many people have called out - "Basic SKU Load Balancers use Basic SKU IP Addresses, which aren't compatible with Standard
SKU Load Balancers as they require Standard SKU IP Addresses" The IP Addresses are Dynamically assigned, therefore making them, "Basic SKU.".
So remove the public IP address.

You don't NEED a NSG.

upvoted 3 times

  JayBee65 1 year, 12 months ago

Actually you do :) "Standard load balancers and standard public IP addresses are closed to inbound connections unless opened by Network
Security Groups. NSGs are used to explicitly permit allowed traffic. If you don't have an NSG on a subnet or NIC of your virtual machine
resource, traffic isn't allowed to reach this resource. "
So answer must be 1) Change private IP 2) Create NSG
upvoted 3 times

  Scoobysnaks86 1 year ago

Just tested in the Azure portal. I was able to put the VM in the backend pool WITHOUT a NSG. The dynamic IP addresses are not compatible
with a standard load balancer, as those IP's are basic. Basic Ip's cannot be mixed and used with a standard LB. The dynamic addresses had to
be deleted from the NIC, and a static one created. mlantonis actually wrong on this one. Also, front facing LB's do not need Vms with public
IP addresses as they have one themselves. Delete it
Box 1: Remove the public IP address from VM1
Box2: Change Private IP address to static
again, you do not need a NSG to connect a VM to a backend pool
upvoted 2 times

  ranbhule 2 years ago

Answer is correct,

https://docs.microsoft.com/en-us/azure/load-balancer/quickstart-load-balancer-standard-public-portal?tabs=option-1-create-load-balancer-
standard
upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 389/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #45 Topic 5

You have an Azure subscription that contains the resources shown in the following table.

You need to create a network interface named NIC1.

In which location can you create NIC1?

A. East US and North Europe only

B. East US only

C. East US, West Europe, and North Europe

D. East US and West Europe only

Correct Answer: B
Before creating a network interface, you must have an existing virtual network in the same location and subscription you create a network
interface in.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface

Community vote distribution

B (100%)

  mlantonis Highly Voted  2 years ago

Correct Answer: B

Before creating a network interface, you must have an existing virtual network in the same location and subscription you create a network interface
in.

If you try to create a NIC on a location that does not have any Vnets you will get the following error: "The currently selected subscription and
location lack any existing virtual networks. Create a virtual network first."

Reference:

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface
upvoted 86 times

  buzzerboy 5 months, 1 week ago

It doesnt say what purpose we want the NIC for, so we're assuming it needs to connect to VNET1? If we assume this, then yes it needs to be in
USEAST1.

But it doesnt say what the plan is for the NIC, so wouldnt that mean we can put it anywhere?
upvoted 2 times

  Slimus 1 month, 1 week ago

pay attention to what mlantonis saying. In order to create a NIC you must have/attach it to existing VNET.
upvoted 2 times

  farasatkhan Highly Voted  2 years, 1 month ago

Correct.
"Before creating a network interface, you must have an existing virtual network in the same location and subscription you create a network
interface in."
upvoted 20 times

  shadad Most Recent  3 months, 1 week ago

Selected Answer: B
I took Exam of Azure- 104 at 27/2/2023
I score 920 points out of 1000 points. This was on it and my answer was: B
upvoted 3 times

  DagoMad 6 months, 2 weeks ago

Selected Answer: B
Correct Answer: B

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 390/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 1 times
  EmnCours 9 months, 3 weeks ago
Selected Answer: B
Correct Answer: B
upvoted 3 times

  EmnCours 9 months, 3 weeks ago

"Before creating a network interface, you must have an existing virtual network in the same location and subscription you create a network
interface in."
upvoted 1 times

  atilla 9 months, 3 weeks ago

it doesnt say ithat it is for vnet1
upvoted 2 times

  Lazylinux 11 months, 4 weeks ago

Selected Answer: B
I Luv Honey Because it is B

Here is summary .. VNET=>VNIC=>VM=>NSG=>AV set all MUST be in same location

upvoted 4 times

  djhyfdgjk 10 months, 3 weeks ago

Such an idiot ..
upvoted 2 times

  sid132 1 year, 3 months ago

On the exam today, 4.March.2022
upvoted 2 times

  nidhogg 1 year, 4 months ago

On the exam today, 1.feb.2022
Just 761/1000, but OK! :D
Thanks to ExamTopics and to you all!
upvoted 5 times

  areza 1 year, 5 months ago

passed 902. in exam 29.12.21 - answer B
upvoted 2 times

  JohnPhan 1 year, 7 months ago

The correct answer is B
upvoted 1 times

  AubinBakana 1 year, 9 months ago

Can only create a NIC in a region that has a VNet. Since we've only been told of 1 VNet, that will be the only option.
upvoted 3 times

  joydeep1 1 year, 12 months ago

Correct answer. Ques was in exam today
upvoted 4 times

  ScreamingHand 1 year, 12 months ago

How did you find the exam overall?
upvoted 1 times

  Davar39 2 years, 1 month ago

Correct answer. If you try to create a NIC on a location that does not have any Vnets you will get the following error :
"The currently selected subscription and location lack any existing virtual networks. Create a virtual network first."
upvoted 11 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 391/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #46 Topic 5

You have Azure virtual machines that run Windows Server 2019 and are configured as shown in the following table.

You create a public Azure DNS zone named adatum.com and a private Azure DNS zone named contoso.com.
For controso.com, you create a virtual network link named link1 as shown in the exhibit. (Click the Exhibit tab.)

You discover that VM1 can resolve names in contoso.com but cannot resolve names in adatum.com. VM1 can resolve other hosts on the Internet.
You need to ensure that VM1 can resolve host names in adatum.com.
What should you do?

A. Update the DNS suffix on VM1 to be adatum.com

B. Configure the name servers for adatum.com at the domain registrar

C. Create an SRV record in the contoso.com zone

D. Modify the Access control (IAM) settings for link1

Correct Answer: A
If you use Azure Provided DNS then appropriate DNS suffix will be automatically applied to your virtual machines. For all other options you must
either use Fully
Qualified Domain Names (FQDN) or manually apply appropriate DNS suffix to your virtual machines.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances

Community vote distribution

B (100%)

  mlantonis Highly Voted  2 years ago

Correct Answer: B

Adatum.com is a public DNS zone. The Internet top level domain DNS servers need to know which DNS servers to direct DNS queries for
adatum.com to. You configure this by configuring the name servers for adatum.com at the domain registrar.
upvoted 176 times

  Slimus 1 month, 1 week ago

Answer is correct: B. However How do you know it's a public DNS zone? I can be private DNS too.
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 392/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  ivan0590 1 month ago

The question crearly states that adatum.com is a PUBLIC Azure DNS zone, while contoso.com is a PRIVATE Azure DNS zone.
And the question is only asking about adatum.com, so it can't be a private DNS zone.
upvoted 1 times

  Moyuihftg Highly Voted  2 years, 1 month ago

I think the answer should be B
upvoted 32 times

  d0bermannn 1 year, 11 months ago

you are absolutely right
upvoted 3 times

  Kimoz Most Recent  3 months ago

B is correct --A is not the correct answer because updating the DNS suffix on VM1 to adatum.com only affects the hostname resolution for that
specific suffix, and it will not help to resolve names in the adatum.com zone.
upvoted 1 times

  Blippen 5 months ago

Selected Answer: B
Correct Answer: B
upvoted 1 times

  HMO 9 months, 1 week ago

"For all other options you must either use Fully Qualified Domain Names (FQDN) or manually apply appropriate DNS suffix to your virtual
machines" This one is for private DNS not for public DNS
upvoted 3 times

  EmnCours 9 months, 3 weeks ago

Selected Answer: B
Correct Answer: B
upvoted 1 times

  Lazylinux 11 months, 4 weeks ago

Selected Answer: B
I Luv Honey Because it is B
Public DNS..you need create record for it @ your Domain Registrar..this is really NOT Azure question more of generic networking question
upvoted 5 times

  Sheriff_of_beacon 10 months, 3 weeks ago

That joke never gets old :)
upvoted 2 times

  Jaydude 1 month, 2 weeks ago

Oh yes it does!
upvoted 1 times

  AzureCrawler001 12 months ago

Selected Answer: B
create DNS records for the domain name
upvoted 1 times

  josevirtual 1 year, 3 months ago

Selected Answer: B
You still need to register the domain. B is correct.
upvoted 2 times

  theorut 1 year, 3 months ago

You need a DNS forwarder to accomplish this but since there's no option given for that you need to choose for A - update the DNS suffix in VM1.
Question is still vage.
upvoted 2 times

  pappkarcsiii 1 year, 4 months ago

Selected Answer: B
Correct Answer: B
upvoted 3 times

  kyu1979 1 year, 4 months ago

the answer is b
upvoted 1 times

  Redimido 1 year, 4 months ago

Selected Answer: B

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 393/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

You have to register your public DNS zone.

upvoted 3 times
  pooya2008 1 year, 4 months ago
Correct answer is B.
upvoted 1 times

  [Removed] 1 year, 5 months ago

Selected Answer: B
The correct answer is B.
Documentation: https://docs.microsoft.com/en-us/azure/dns/dns-delegate-domain-azure-dns
upvoted 4 times

  Vatz 1 year, 5 months ago

Selected Answer: B
Correct answer:B
upvoted 3 times

  helpaws 1 year, 5 months ago

Selected Answer: B
Correct Answer: B
upvoted 3 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 394/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #47 Topic 5

HOTSPOT -
You plan to use Azure Network Watcher to perform the following tasks:
✑ Task1: Identify a security rule that prevents a network packet from reaching an Azure virtual machine.
✑ Task2: Validate outbound connectivity from an Azure virtual machine to an external host.
Which feature should you use for each task? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

Box 1: IP flow verify -

At some point, a VM may become unable to communicate with other resources, because of a security rule. The IP flow verify capability enables
you to specify a source and destination IPv4 address, port, protocol (TCP or UDP), and traffic direction (inbound or outbound). IP flow verify
then tests the communication and informs you if the connection succeeds or fails. If the connection fails, IP flow verify tells you which.

Box 2: Connection troubleshoot -

Diagnose outbound connections from a VM: The connection troubleshoot capability enables you to test a connection between a VM and
another VM, an FQDN, a
URI, or an IPv4 address. The test returns similar information returned when using the connection monitor capability, but tests the connection at
a point in time, rather than monitoring it over time, as connection monitor does. Learn more about how to troubleshoot connections using
connection-troubleshoot.
Reference:
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview

  mlantonis Highly Voted  2 years ago

Correct Answer:

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 395/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Box 1: IP flow verify

At some point, a VM may become unable to communicate with other resources, because of a security rule. The IP flow verify capability enables you
to specify a source and destination IPv4 address, port, protocol (TCP or UDP), and traffic direction (inbound or outbound). IP flow verify then tests
the communication and informs you if the connection succeeds or fails. If the connection fails, IP flow verify tells you which.

Box 2: Connection troubleshoot

Diagnose outbound connections from a VM: The connection troubleshoot capability enables you to test a connection between a VM and another
VM, an FQDN, a
URI, or an IPv4 address. The test returns similar information returned when using the connection monitor capability, but tests the connection at a
point in time, rather than monitoring it over time, as connection monitor does. Learn more about how to troubleshoot connections using
connection-troubleshoot.
upvoted 121 times

  Holydud 9 months, 4 weeks ago

Was on exam 19 Aug 2022. Scored 870. Around 85% questions were also on ET. Answered:

Box1: IP flow verify

Box2: Connection troubleshoot
upvoted 11 times

  Kem81 8 months, 2 weeks ago

thanks for confirming. I'll be sitting the exam at the end of October.
upvoted 5 times

  Babushka 7 months, 2 weeks ago

How did it go?
upvoted 2 times

  mdyck Highly Voted  2 years, 1 month ago

IP Flow Verify
"You might override Azure's default rules, or create additional rules. At some point, a VM may become unable to communicate with other
resources, because of a security rule. IP flow verify then tests the communication and informs you if the connection succeeds or fails."

https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview#diagnose-network-traffic-filtering-problems-to-
or-from-a-vm

Connection Troubleshoot
"The connection troubleshoot capability enables you to test a connection between a VM and another VM, an FQDN, a URI, or an IPv4 address"

https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview#connection-troubleshoot
upvoted 18 times

  zellck Most Recent  4 months ago

1. IP flow verify
2. Connection troubleshoot

https://learn.microsoft.com/en-us/azure/network-watcher/network-watcher-ip-flow-verify-overview
IP flow verify checks if a packet is allowed or denied to or from a virtual machine. The information consists of direction, protocol, local IP, remote IP,
local port, and a remote port. If the packet is denied by a security group, the name of the rule that denied the packet is returned. While any source
or destination IP can be chosen, IP flow verify helps administrators quickly diagnose connectivity issues from or to the internet and from or to the
on-premises environment.
upvoted 3 times

  zellck 4 months ago

https://learn.microsoft.com/en-us/azure/network-watcher/network-watcher-connectivity-overview
The connection troubleshoot feature of Network Watcher provides the capability to check a direct TCP connection from a virtual machine to a
virtual machine (VM), fully qualified domain name (FQDN), URI, or IPv4 address. Network scenarios are complex, they're implemented using
network security groups, firewalls, user-defined routes, and resources provided by Azure. Complex configurations make troubleshooting
connectivity issues challenging. Network Watcher helps reduce the amount of time to find and detect connectivity issues. The results returned
can provide insights into whether a connectivity issue is due to a platform or a user configuration issue. Connectivity can be checked with
PowerShell, Azure CLI, and REST API.
upvoted 3 times

  Bigc0ck 5 months, 1 week ago

Here 1/5/23
upvoted 3 times

  kf01234 7 months, 2 weeks ago

A & C (from teacher and slide)
Today just finished the total summary of AZ104 extended course (before the exam)
upvoted 1 times

  favela 9 months, 1 week ago

Correct today came this question and I choose IP flow and troubleshoot passed 900 score
upvoted 3 times

  EmnCours 9 months, 3 weeks ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 396/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Box1: IP flow verify

Box2: Connection troubleshoot
upvoted 1 times

  Lazylinux 11 months, 4 weeks ago

Given Answer is correct

IP Flow Verify: This can used to check if packet is allowed or denied to or from a virtual machine. If a packet is being denied by security group, you
can see which rule is denying the packet

Connection Troubleshoot: Check the connection from a virtual machine to virtual machine, fully qualified domain name, URI or IPv4 address. The
test returns similar information returned when using the connection monitor capability, but tests the connection at a point in time, rather than
monitoring it over time.
upvoted 2 times

  ajayasa 1 year, 3 months ago

this question was there on 16/03/2022 with same question and passed with 900 percent
upvoted 1 times

  ITprof99 1 year, 5 months ago

On exam 01.02.22
Answer:
Box 1: IP Flow Verify
Box 2: Connection Troubleshoot
upvoted 3 times

  Tshetu 1 year, 6 months ago

The question came in the exam today 03/12/21.
upvoted 2 times

  fabylande 1 year, 8 months ago

In exam today! October 16, 2021
upvoted 1 times

  Adebowale 1 year, 10 months ago

Nice Explanation, Well done Guys!!!
upvoted 1 times

  chaewon 2 years ago

What is the difference between NSG diagnostic and IP flow verify?
upvoted 1 times

  Lkk51 2 years ago

I guess you mean NSG flow logs and IP Flow Verify

NSG flow logs is to show the actual traffic that happens from/to VM.
For IP flow verify is more on testing. You can validate and see if the connection between each resources. If the connection fails, IP flow verify
tells you which security rule allowed or denied the communication
upvoted 3 times

  Kiano 2 years, 1 month ago

The answer is correct:
Explanation/Reference: Task 1: IP flow verify IP flow verify checks if a packet is allowed or denied to or from a virtual machine. The information
consists of direction, protocol, local IP, remote IP, local port, and remote port. If the packet is denied by a security group, the name of the rule that
denied the packet is returned. While any source or destination IP can be chosen, IP flow verify helps administrators quickly diagnose connectivity
issues from or to the internet and from or to the on-premises environment.
Task 2: With the addition of Connection Troubleshoot, Network Watcher will see an incremental increase in its capabilities and ways for you to
utilize it in your day to day operations. You can now, for example, check connectivity between source (VM) and destination (VM, URI, FQDN, IP
Address). References: https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-ip-flow-verify-overview
https://azure.microsoft.com/en-us/blog/networkwatcher- connection-troubleshoot-now-generally-available/
upvoted 6 times

  fdelacortina 2 years, 1 month ago

I think it is correct.
upvoted 3 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 397/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #48 Topic 5

HOTSPOT -
You have an Azure subscription that contains the Azure virtual machines shown in the following table.

You configure the network interfaces of the virtual machines to use the settings shown in the following table.

From the settings of VNET1 you configure the DNS servers shown in the following exhibit.

The virtual machines can successfully connect to the DNS server that has an IP address of 192.168.10.15 and the DNS server that has an IP
address of
193.77.134.10.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

Box 1: Yes -
You can specify DNS server IP addresses in the VNet settings. The setting is applied as the default DNS server(s) for all VMs in the VNet.

Box 2: No -
You can set DNS servers per VM or cloud service to override the default network settings.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 398/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Box 3: Yes -
You can set DNS servers per VM or cloud service to override the default network settings.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-faq#name-resolution-dns

  mlantonis Highly Voted  2 years ago

Correct Answer:

NIC configured DNS servers takes precedence over VNET configured DNS servers.

Box 1: Yes
VM1 uses the VNET configured DNS 193.77.134.10.
You can specify DNS server IP addresses in the VNet settings. The setting is applied as the default DNS server(s) for all VMs in the VNet.
The DNS is set on the VNET level.

Box 2: No
VM2 uses the NIC configured DNS 192.168.10.15.
You can set DNS servers per VM or cloud service to override the default network settings.
This VM has 192.168.10.5 set as DNS server, so it overrides the default DNS set on VNET1.

Box 3: Yes
VM3 uses the NIC configured DNS 192.168.10.15
You can set DNS servers per VM or cloud service to override the default network settings.
This VM has 192.168.10.5 set as DNS server, so it overrides the default DNS set on VNET1.
upvoted 120 times

  lisley 6 months, 2 weeks ago

why are Box 2 and 3 different (Yes and No) but with the same explanation?
upvoted 5 times

  Muffay 5 months, 1 week ago

Because the IP addresses in the question are different ;)
upvoted 6 times

  Voldemort 1 year, 8 months ago

Great Explanation Buddy!
upvoted 7 times

  Kent_020 1 year, 7 months ago

Where did you get the '192.168.10.5' from the info given?
----------------
VM1 uses the VNET configured DNS 193.77.134.10
VM2 uses the NIC configured DNS 192.168.10.15
VM3 uses the NIC configured DNS 192.168.10.15
upvoted 3 times

  odisor 1 year, 4 months ago

Both VMs have 192.168.10.15 assigned to their NICs
upvoted 2 times

  Alses1970 Highly Voted  2 years, 1 month ago

1. Yes - as per link the DNS is set on the VNET level
2. No - this VM has 192.168.10.5 set as DNS server so it overrides the default DNS set on VNET1
3. Yes - this VM has 192.168.10.5 set as DNS server so it overrides the default DNS set on VNET1
upvoted 28 times

  vbohr899 Most Recent  3 months, 2 weeks ago

Cleared Exam today 26 Feb, This question was there in exam.
upvoted 2 times

  GBAU 4 months ago

Here is my problem with this question. It is not possible to set a NICs DNS to "None".
The question is invalid.

It is either set to "Inherit from virtual network" or "Custom", in which case you must provide a DNS Server address.

I think they wanted to test your knowledge on default DNS assignments for a NIC but couldn't bring themselves to basically put the answer to part
of the question in the question as that is the way the option is worded in the portal, so they throw a "None" in. VERY POOR, it should be "Default
Setting" or "Unchanged".
upvoted 1 times

  GBAU 4 months ago

PS: From my experience trying to set DNS servers using the VMs internal DNS setting can seriously screw up your VM and prevent it from
getting network access. You have to change the DNS settings in Azure to reset them back to Azure managed (DHCP locally on host) to fix.
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 399/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 1 times
  Mat_m0381 8 months, 3 weeks ago
The answer is YNY
Others comment is correct, please find the link below

https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-faq#can-i-override-my-dns-settings-on-a-per-vm-or-cloud-service-basis
upvoted 1 times

  EmnCours 9 months, 3 weeks ago

answer y/n/y
upvoted 1 times

  minix 11 months, 3 weeks ago

came in today's exam 25/6/2022
upvoted 2 times

  Lazylinux 11 months, 4 weeks ago

YES NO YES as per others comments
upvoted 1 times

  TtotheA2021 1 year, 4 months ago

Common guys thi question is so easy. you have too look right to the DNS, see explanation MLANTONIS he is 100% correct.

most of you are confusing on the NIC and DNS, the dns ip of vm2 192.168.10.15 overrules custom ip.

YNY
upvoted 2 times

  pappkarcsiii 1 year, 4 months ago

VM1 uses the VNET configured DNS 193.77.134.10
VM2 uses the NIC configured DNS 192.168.10.15
VM3 uses the NIC configured DNS 192.168.10.15
upvoted 2 times

  areza 1 year, 5 months ago

passed 902. in exam 29.12.21 - answer y/n/y
upvoted 4 times

  ScoutP 1 year, 8 months ago

This question was asked on exam taken on Sept 30, 2021
upvoted 2 times

  joydeep1 1 year, 12 months ago

Andwer correct . Ques in exam today
upvoted 4 times

  riri5678 2 years ago

Am I missing something? VM 2 and VM 3 have the exact same info, so how can VM2 be no and VM3 be yes?
upvoted 1 times

  riri5678 2 years ago

*Same info DNS serverwise
upvoted 2 times

  ScreamingHand 2 years ago

Different question, different answer
upvoted 1 times

  Franpb90 2 years ago

Different IP in the question.
upvoted 1 times

  Devgela 2 years, 1 month ago

YNY from me
upvoted 1 times

  denccc 2 years, 1 month ago

The network interface can inherit the setting from the virtual network the network interface is assigned to, or have a custom setting that overrides
the setting for the virtual network it's assigned to (https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface) so Y-
N-Y seems correct to me
upvoted 2 times

  Moyuihftg 2 years, 1 month ago

Answer seems correct. Y-N-Y
NIC configured DNS servers takes precedence over VNET configured DNS servers

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 400/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

VM1 uses the VNET configured DNS 193.77.134.10

VM2 uses the NIC configured DNS 192.168.10.15
VM3 uses the NIC configured DNS 192.168.10.15
upvoted 13 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 401/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #49 Topic 5

HOTSPOT -
You have an Azure subscription that contains the resource groups shown in the following table.

RG1 contains the resources shown in the following table.

You need to identify which resources you can move from RG1 to RG2, and which resources you can move from RG2 to RG1.
Which resources should you identify? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

Box 1: IP1, Storage1 -

IP addresses and storage accounts can be moved.
Virtual networks cannot be moved.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 402/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

There is no lock on RG1.

Box 2: None -
There is a delete lock on RG2.
Note: When you apply a lock at a parent scope, all resources within that scope inherit the same lock. Even resources you add later inherit the
lock from the parent.
The most restrictive lock in the inheritance takes precedence.
CanNotDelete means authorized users can still read and modify a resource, but they can't delete the resource.
ReadOnly means authorized users can read a resource, but they can't delete or update the resource. Applying this lock is similar to restricting all
authorized users to the permissions granted by the Reader role.
Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources https://docs.microsoft.com/en-us/azure/azure-
resource-manager/management/move-support-resources

  mlantonis Highly Voted  2 years ago

Correct Answer:

Box 1: IP1, VNET2, and storage1

Box 2: IP2, VNET2, and storage2

Locks are designed for any update or removal. In this case we want to move only, we are not deleting, and we are not changing anything in the
resource.
upvoted 155 times

  habbey 1 month ago

You got box 1 wrong because any resource that has a resource lock cannot be modified in any way and that includes moving said resource to
another resource group
upvoted 2 times

  habbey 3 weeks, 2 days ago

...any resource that has a read-only lock cannot be modified in any way**
upvoted 1 times

  ivan0590 1 month ago

I think you are wrong.

As far as I know, having a lock of any type on a resource won't stop you from moving the resource to another RG.

Now, if the lock is not on the resource, but on the target RG, then you would only be able to move the resource if the lock type is Delete. A
Delete lock on the RG doesn't restrict the addition of new resources to the RG, it only restricts the deletion of the resources already present
in the RG.
On the other hand, you won't be able to move the resource if the target RG has a Read-only lock.
upvoted 1 times

  abdelmim 4 weeks, 1 day ago

correct and tested
upvoted 3 times

  Abubaker3030 1 year ago

The question should specify the resources are available in RG2, because if not there's nothing to move from RG2 to RG1. Its a misleading
question
upvoted 19 times

  awssecuritynewbie 8 months, 2 weeks ago

i think the question is missing some tables and resources lol
upvoted 11 times

  Magis 8 months, 2 weeks ago

Tested it in Lab today. RO or Delete locks does not have any impact for Move operation and it doesn`t matter if it comes from RG level or are
directly attached to the resource.

VNETS can be moved as well. Only limitation is VNET Peering needs to be disabled first. But is is not a case for this question.

Correct Answer:

Box 1: IP1, VNET2, and storage1

Box 2: IP2, VNET2, and storage2
upvoted 10 times

  Moyuihftg Highly Voted  2 years, 1 month ago

Don't see a table with IP1, storage1 and VNET1. To test anyway, I created storage2, VNET2 and IP2 in RG1. Then I applied the locks as stated in the
tables. I was able to move all resources from RG1 to RG2. After that I could also move all resources from RG2 back to RG1.
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 403/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

So based on the current information, I go for answer:

IP1, VNET2, and storage1
IP2, VNET2, and storage2
upvoted 87 times

  lksilesian 1 year, 7 months ago

This is the first question I tested in lab - because I could not find a definitive answer and could not take it on faith. But you are right, no matter
what lock is set - I was able to move resources. The -> ONLY <- situation where I was NOT able to MOVE resources is when i set READ-ONLY
lock on the DESTINATION resource group.
upvoted 18 times

  pmzone 1 year, 4 months ago

If the Read-only Lock is applied on either Source or target RG, the movement of resources won't happen.
upvoted 9 times

  Vad133 5 months, 2 weeks ago

Agree! Tested in Azure today. Moving a resource = changing its property (RG). If resource is read-only then no property can be changed
and moving fails.
upvoted 2 times

  Devgela 2 years, 1 month ago

I made some tests too and I can move VNET from 1 RG to another RG even there is lock.
upvoted 7 times

  GiJoe1987 1 year, 3 months ago

The vet has a read only lock on it in rg1 so it can't be moved. Thou as you said I thought we would be able to move all resources for rg2 as it is
only a delete lock not a read-only lock.
upvoted 1 times

  cyna58 2 years, 1 month ago

Your answer is correct. We can move all resources
upvoted 6 times

  garmatey Most Recent  1 month, 2 weeks ago

Is this a trick question or just containing typos....
upvoted 1 times

  ivan0590 1 month, 3 weeks ago

To me, this question is wrong and incomplete, both in the question text itself and in the solution. I know this because I saw this question in another
website (paid).

First of all, the RG1 resources listed are not in fact in RG1, but in RG2. Notice that all of their names end with a 2.

Second of all, the real RG1 resources are the same as the resources in RG2, but they all end with a 1 instead of a 2, and they have no locks at all.
So, based on all this, the solutions would be:

Box 1: IP1, VNET1 and storage 1

I know that the question shows VNET2 instead of VNET1, but I think that is a typo. These 3 resources could be moved since they have no locks and
RG2 has a delete lock, not a read-only lock. Also, the solution is lying, Virtual Networks can be moved. The only thing is that all their associated
resources will also be moved.

Box 2: IP2 and storage only

Delete locks do not interfere with moving resources from an RG to another RG, so storage2 could be moved. IP2 has no locks, it can be moved.
And finally, VNET2 cannot be moved because it has a read-only lock.
upvoted 3 times

  bevissthet 2 months ago

Answer is: Box 1: None, Box 2: None.
None of the resources listed in Box 1 is present on the RG1.
Each of the resources from RG2 would have the name/type conflict with ones from RG1
upvoted 1 times

  bloodtech 3 months, 4 weeks ago

I've just tested this in a lab. You cannot move a resource which have a read-only lock. You also cannot move a resource to a resource group which
have read-only lock.

So storage and IP only.

Delete locks are no issue when moving resources.

upvoted 3 times

  GBAU 4 months ago

Clearly this question is incorrectly replicated. Nothing said about anything being in RG2. IP1 and Storage1 doesn't even exist in the question.
upvoted 1 times

  Aanandan 5 months, 2 weeks ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 404/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

I feel the question is in-complete because they have mentioned what all resources available in the RG2.
upvoted 3 times

  darthfodio 5 months, 2 weeks ago

Is it just me or is there an exhibit missing? Heading says resources for RG1 are shown in the table however there is only a table for RG2 resources. I
guess I have to take everyone's word for the correct answer.
upvoted 2 times

  matejka 7 months, 2 weeks ago

Not enough information in the question. Nothing about storage1 and IP1. Impossible to answer.
upvoted 3 times

  rocroberto 8 months ago

The way I see it: You would be able to move everything from RG1 to RG2 were it not for the fact the VNET has got a read only (it cannot be
deleted). So, Storage and IP can be moved RG1 ==>>> RG2
As RG2 has a lock (delete) nothing can be deleted RG2 ===>> RG1
upvoted 2 times

  majerly 8 months, 2 weeks ago

today in exam,
Box 1: IP1, VNET2, and storage1
Box 2: IP2, VNET2, and storage2
upvoted 2 times

  NotMeAnyWay 11 months ago

• The question is missing the RG2 contents table!
• Plus the RG1 resource numbers do not match the answer options for part one.
• So this question is a bit messed up.

But based on the question being in the MS practise questions for AZ-104:
• A Delete Lock allows you to move a resource.
• Read only lock prevents the move, the lock needs to be removed first
Read Here:
(https://docs.microsoft.com/en-us/certifications/resources/az-104-sample-questions#question--15-multiple-choice)
upvoted 7 times

  Lu5ck 11 months ago

1. You can only move resources that do not have any forms of locks.
2. You can still move resources even if resource group has a delete lock.

Therefore, vnet and ip cannot be moved.

We can also assume RG2 has no resource as the question didn't say it has any.
upvoted 1 times

  Lu5ck 11 months ago

Ignore this, I have doubts and I can't test it. Sadge
upvoted 1 times

  devilcried 11 months ago

Tested in my lab.
Box 1: IP1, VNET2, and storage1
Box 2: IP2, VNET2, and storage2
upvoted 2 times

  Frost312321 11 months, 3 weeks ago

According to Microsoft itself, from Sample Question #15: "To move a resource between resource groups, you need to first remove any locks
associated with the resource. Disk1 has an inherited lock from ResourceGroup1. To move Disk1 you must first remove the lock.
ResourceGroup2 has a Delete lock. However, this will not affect the ability to move or create resources in this resource group."

https://docs.microsoft.com/en-us/learn/certifications/resources/az-104-sample-questions

And we see that both RG1 and RG2 have the same resources with the same locks as shown here:
https://vceguide.com/which-resources-should-you-identify/

Also when you apply a lock at a parent scope, all resources within that scope inherit the same lock, threfore all the resources from RG2 will have the
RG2's lock as well.

Therefore the correct answers should be:

Box1 : IP1 only

Box2 : None
upvoted 5 times

  Dunkelheit 7 months, 4 weeks ago

The big discussion is if Read-Only Lock is a factor in moves. Some guys here claim that they tested this in the lab and read-only did not work in
a move. Incidently, the microsoft sample questions that you linked have a read-only lock as well. Maybe this is why they are protecting the
move?
upvoted 1 times
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 405/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  VladanO 1 year ago

Are you sure that the above question is complete or maybe an additional table and / or text is missing ?!
The data for RG2, IP2, storage1, VNET1 are not mentioned
upvoted 3 times

  VladanO 12 months ago

I just passed the exam and I had this question on the exam. As I suspected, this question is not completely presented here. There were 2 x tables
for RG1 and RG2.
RG1: storage1, VNET1 and IP1
RG2: storage2, VNET2 and IP2
The rest of the text of the question is identical
upvoted 11 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 406/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #50 Topic 5

You deploy a load balancer that has the following configurations:

✑ Name: LB1
✑ Type: Internal
✑ SKU: Standard
✑ Virtual network: VNET1
You need to ensure that you can add VM1 and VM2 to the backend pool of LB1.
Solution: You create a Basic SKU public IP address, associate the address to the network interface of VM1, and then start VM1.
Does this meet the goal?

A. Yes

B. No

Correct Answer: B
A Backend Pool configured by IP address has the following limitations:
✑ Standard load balancer only
Reference:
https://docs.microsoft.com/en-us/azure/load-balancer/backend-pool-management

Community vote distribution

B (100%)

  mlantonis Highly Voted  2 years ago

Correct Answer: B - No

You can only attach virtual machines that are in the same location and on the same virtual network as the LB. Virtual machines must have a
standard SKU public IP or no public IP.

The LB needs to be a standard SKU to accept individual VMs outside an availability set or vmss. VMs do not need to have public IPs but if they do
have them they have to be standard SKU. Vms can only be from a single network. When they don’t have a public IP they are assigned an ephemeral
IP.

Also, when adding them to a backend pool, it doesn’t matter in which status are the VMs.

Note: Load balancer and the public IP address SKU must match when you use them with public IP addresses.
upvoted 58 times

  klexams 7 months, 2 weeks ago

Also the LB is internal so no public IP.
upvoted 3 times

  Holydud 9 months, 4 weeks ago

Was on exam 19 Aug 2022. Scored 870. Around 85% questions were also on ET. Answered B
upvoted 6 times

  mlantonis 2 years ago

It's not valid, because:
LB1: Standard SKU
VM1: Basic SKU public IP
VM2: Basic SKU public IP
upvoted 16 times

  Pear7777 6 months ago

The thing is this is a STANDARD, LB which can not work with BASIC ip's.
upvoted 3 times

  GBAU 4 months ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 407/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

I lab tested it, they can. Lab was with a Public LB though. It just didn't care the VM had a basic dynamic LIP and a basic dynamic PIP, I
could still attach it to the backend pool, create a rule to LB a port and connect to it through the LB's PIP.
upvoted 1 times

  Abubaker3030 1 year ago

Basic SKU: If you are creating a public IP address in a region that supports availability zones, the Availability zone setting is set to None by
default. Basic Public IPs do not support Availability zones. Standard SKU: A Standard SKU public IP can be associated to a virtual machine or a
load balancer front end
upvoted 1 times

  mdyck Highly Voted  2 years, 1 month ago

B. No

Tested this and as you are creating the back end it says:
"You can only attach virtual machines that are in the same location and on the same virtual network as the loadbalancer. Virtual machines must
have a standard SKU public IP or no public IP."

-It does not matter if the VM is stopped or started.

-The LB needs to be a standard SKU to accept individual VMs outside an availability set or vmss. VMs do not need to have public IPs but if they do
have them they have to be standard SKU. Vms can only be from a single network.
https://docs.microsoft.com/en-us/azure/load-balancer/backend-pool-management
-When they dont have a public IP they are assigned an ephemeral IP.
https://docs.microsoft.com/en-us/azure/load-balancer/quickstart-load-balancer-standard-internal-portal?tabs=option-1-create-internal-load-
balancer-standard#create-virtual-machines
upvoted 25 times

  Eugene77 Most Recent  1 month ago

The question and discussions are not very clear. What is a problem with adding VM1 and VM2 by private IP addresses? Internal LB will work.
upvoted 1 times

  Spam101198 3 months, 1 week ago

as LB is standard then IP should be standard only.
upvoted 1 times

  zellck 4 months ago

Selected Answer: B
B is the answer.

https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/public-ip-addresses#sku
Matching SKUs are required for load balancer and public IP resources. You can't have a mixture of basic SKU resources and standard SKU resources.
upvoted 1 times

  EmnCours 9 months, 3 weeks ago

Selected Answer: B
Correct Answer: B - No
upvoted 1 times

  NotMeAnyWay 11 months ago

Simply put you cannot mix the SKU type for a Load Balancer and a Public IP. Both in this case should be Standard SKUs:

Read Here (Under the important section as the bottom of the SKU section):
(https://docs.microsoft.com/en-us/azure/virtual-network/ip-services/public-ip-addresses#sku)
upvoted 2 times

  InvisibleShadow 1 year, 3 months ago

This question came in the exam today 8/Mar/2022.
I passed the exam, 95% questions came from here.
upvoted 1 times

  sid132 1 year, 3 months ago

On the exam today, 4.March.2022
upvoted 1 times

  Takloy 1 year, 6 months ago

The moment I saw Basic SKU for the Public IP, I know it's a NO straight away.
upvoted 2 times

  NareshNK 2 years, 1 month ago

So you need a standard sku public IP address and not basic Sku.
upvoted 1 times

  stepient 2 years, 1 month ago

Tested, you can't add a VM with a public IP address to an internal LB backend pool.
upvoted 7 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 408/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  mdyck 2 years, 1 month ago

I would say yes you can connect the VM. The actions will put the VM1 into the same state as VM2.

The LB needs to be a standard SKU to accept individual VMs outside an availability set or vmss. VMs do not need to have public IPs. Vms can only
be from a single network.

https://docs.microsoft.com/en-us/azure/load-balancer/backend-pool-management

When they dont have a public IP they are assigned an ephemeral IP.

https://docs.microsoft.com/en-us/azure/load-balancer/quickstart-load-balancer-standard-internal-portal?tabs=option-1-create-internal-load-
balancer-standard#create-virtual-machines
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 409/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #51 Topic 5

You deploy a load balancer that has the following configurations:

✑ Name: LB1
✑ Type: Internal
✑ SKU: Standard
✑ Virtual network: VNET1
You need to ensure that you can add VM1 and VM2 to the backend pool of LB1.
Solution: You create a Standard SKU public IP address, associate the address to the network interface of VM1, and then stop VM2.
Does this meet the goal?

A. Yes

B. No

Community vote distribution

B (100%)

  mlantonis Highly Voted  2 years ago

Correct Answer: B - No

You can only attach virtual machines that are in the same location and on the same virtual network as the LB. Virtual machines must have a
standard SKU public IP or no public IP.

Also, when adding them to a backend pool, it doesn’t matter in which status are the VMs.

Note: Load balancer and the public IP address SKU must match when you use them with public IP addresses.
upvoted 32 times

  Holydud 9 months, 4 weeks ago

Was on exam 19 Aug 2022. Scored 870. Around 85% questions were also on ET. Answered B
upvoted 5 times

  mlantonis 2 years ago

It's not valid, because:
LB1: Standard SKU
VM1: Standard SKU public IP
VM2: Basic SKU public IP
upvoted 26 times

  NareshNK Highly Voted  2 years, 1 month ago

Both Vm should have standard sku ip address.
upvoted 8 times

  ojogbon Most Recent  2 months, 1 week ago

On the exam Apr 2nd, 2023
upvoted 3 times

  JayLearn2022 3 months, 4 weeks ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 410/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

There are several versions of this question. The following are the correct and incorrect answers that can be presented.

Correct Answer: Meets the goal.

-Solution: You create two Standard SKU public IP addresses and associate a Standard SKU public IP address to the network interface of each virtual
machine.

Incorrect Answers: Does not meet the goal.

-Solution: You disassociate the public IP address from the network interface of VM2.

-Solution: You create a Basic SKU public IP address, associate the address to the network interface of VM1, and then start VM1.

-Solution: You create a Standard SKU public IP address, associate the address to the network interface of VM1, and then stop VM2.
upvoted 2 times

  EmnCours 9 months, 3 weeks ago

Selected Answer: B
Correct Answer: B - No
upvoted 1 times

  benvdw 1 year, 3 months ago

on exam 13/3/2022
upvoted 1 times

  InvisibleShadow 1 year, 3 months ago

This question came in the exam today 8/Mar/2022.
I passed the exam, 95% questions came from here.
upvoted 1 times

  sid132 1 year, 3 months ago

On the exam today, 4.March.2022
upvoted 1 times

  cowboy 2 years, 1 month ago

Tested only Standard sku public IP can be added to backend pool.
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 411/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #52 Topic 5

You deploy a load balancer that has the following configurations:

✑ Name: LB1
✑ Type: Internal
✑ SKU: Standard
✑ Virtual network: VNET1
You need to ensure that you can add VM1 and VM2 to the backend pool of LB1.
Solution: You create two Standard SKU public IP addresses and associate a Standard SKU public IP address to the network interface of each
virtual machine.
Does this meet the goal?

A. Yes

B. No

Correct Answer: A
A Backend Pool configured by IP address has the following limitations:
✑ Standard load balancer only
Reference:
https://docs.microsoft.com/en-us/azure/load-balancer/backend-pool-management

Community vote distribution

A (82%) B (18%)

  mlantonis Highly Voted  2 years ago

Correct Answer: A - Yes

You can only attach virtual machines that are in the same location and on the same virtual network as the LB. Virtual machines must have a
standard SKU public IP or no public IP.

Also, when adding them to a backend pool, it doesn’t matter in which status are the VMs.

Note: Load balancer and the public IP address SKU must match when you use them with public IP addresses.
upvoted 62 times

  Holydud 9 months, 4 weeks ago

Was on exam 19 Aug 2022. Scored 870. Around 85% questions were also on ET. Answered A
upvoted 4 times

  Acai 1 year, 10 months ago

One of the few slip-ups from Azure Jesus. The provided answer is correct, the reasoning is correct but missed that VM1 has a basic SKU.
upvoted 3 times

  Acai 1 year, 10 months ago

Nope AJ is correct, thought it was the other question.
upvoted 2 times

  stdevops 1 year, 7 months ago

you need to start VM also
upvoted 3 times

  xRiot007 1 week, 5 days ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 412/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

No, the VM can remain stopped.

upvoted 1 times

  mlantonis 2 years ago

It's valid, because:
LB1: Standard SKU
VM1: Standard SKU public IP
VM2: Standard SKU public IP
upvoted 15 times

  Moyuihftg Highly Voted  2 years, 1 month ago

Answer correct.
You can only attach virtual machines that are in the same location and on the same virtual network as the loadbalancer. Virtual machines must have
a standard SKU public IP or no public IP.
upvoted 11 times

  ojogbon Most Recent  2 months, 1 week ago

On the exam Apr 2nd, 2023
upvoted 1 times

  JayLearn2022 3 months, 4 weeks ago

There are several versions of this question. The following are the correct and incorrect answers that can be presented.

Correct Answer: Meets the goal.

-Solution: You create two Standard SKU public IP addresses and associate a Standard SKU public IP address to the network interface of each virtual
machine.

Incorrect Answers: Does not meet the goal.

-Solution: You disassociate the public IP address from the network interface of VM2.

-Solution: You create a Basic SKU public IP address, associate the address to the network interface of VM1, and then start VM1.

-Solution: You create a Standard SKU public IP address, associate the address to the network interface of VM1, and then stop VM2.
upvoted 4 times

  meeko86 5 months, 4 weeks ago

Selected Answer: A
For this series question, there are two possible answers:
1. You create two Standard public IP addresses and associate a Standard SKU public IP address to the network interface of each virtual machine.
2. You disassociate the public IP address from the network interface of VM2.
upvoted 2 times

  kusucu 8 months ago

Selected Answer: A
mlatonis is right
upvoted 1 times

  EmnCours 9 months, 3 weeks ago

Selected Answer: A
Answer correct.
You can only attach virtual machines that are in the same location and on the same virtual network as the loadbalancer. Virtual machines must have
a standard SKU public IP or no public IP.
upvoted 1 times

  DragonDagger 10 months, 1 week ago

Selected Answer: A
A is correct
upvoted 1 times

  benvdw 1 year, 3 months ago

A- on exam 13/3/2022 (the one above as well)
upvoted 3 times

  InvisibleShadow 1 year, 3 months ago

This question came in the exam today 8/Mar/2022.
I passed the exam, 95% questions came from here.
upvoted 1 times

  sid132 1 year, 3 months ago

On the exam today, 4.March.2022
upvoted 1 times

  FDZ83 1 year, 3 months ago

Correct: YES
Tested in lab:
no matter LB internal o public, vm in backend can keep their public ip (even if it's no sense in load balancing env...). The only requirement is SKU of
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 413/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

public ip:
LB standard=>standard PIP
LB Basic=>basic PIP
Stopped Vm can be added to backend pool
The answers to this question could be:
-add standard public ip to vm
-remove public ip from vm
upvoted 3 times
  G_unit_19 1 year, 3 months ago
Selected Answer: A
mlantonis has the correct answer
upvoted 1 times

  Oskarma 1 year, 4 months ago

Selected Answer: A
Tested in Lab:
Correct: A. Yes
You can only attach virtual machines in same location that have a standard SKU public IP configuration or no public IP configuration. All IP
configurations must be on the same virtual network.
upvoted 3 times

  nidhogg 1 year, 4 months ago

On the exam today, 1.feb.2022
Just 761/1000, but OK! :D
Thanks to ExamTopics and to you all!
upvoted 6 times

  wafferrr 1 year, 4 months ago

Selected Answer: B
VM is off so answer is B
upvoted 2 times

  asmi3342344 1 year, 9 months ago

what about starting the VM1, that is not mentioned in the steps so the answer is No.
upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 414/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #53 Topic 5

A. Yes

B. No

Correct Answer: A
Each client computer that connects to a VNet using Point-to-Site must have a client certificate installed. You generate a client certificate from
the self-signed root certificate, and then export and install the client certificate. If the client certificate is not installed, authentication fails.
Reference:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-certificates-point-to-site

Community vote distribution

A (100%)

  mlantonis Highly Voted  2 years ago

Correct Answer: A - Yes

Export the client certificate from Computer1 and install the certificate on Computer2.

Each client computer that connects to a VNet using Point-to-Site must have a client certificate installed. You generate a client certificate from the
self-signed root certificate, and then export and install the client certificate. If the client certificate is not installed, authentication fails.
upvoted 65 times

  RamanAgarwal 2 years ago

Same certificate can be used on multiple client machines ?
upvoted 10 times

  Rayane 5 months, 3 weeks ago

Yes, because this is a root certificate that you will export, if I'm not wrong
upvoted 3 times

  achmadirvanp Highly Voted  1 year, 11 months ago

Answer is correct, Appear On Exam July 1 2021
upvoted 9 times

  lss83 Most Recent  7 months ago

AAAAAAAAAAAAAAAAAAAAAAAAAAAAA
upvoted 1 times

  kusucu 8 months ago

Selected Answer: A
mlatonis is right
upvoted 2 times

  Mev4953 9 months ago

There is a good explanation, if you want to dive in
https://www.youtube.com/watch?v=uN0Daq77nQc&ab_channel=ROHITTECH
upvoted 1 times

  EmnCours 9 months, 3 weeks ago

Selected Answer: A
Correct Answer: A
upvoted 1 times

  InvisibleShadow 1 year, 3 months ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 415/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

This question came in the exam today 8/Mar/2022.

I passed the exam, 95% questions came from here.
upvoted 5 times

  michaeltheknight 1 year, 2 months ago

taking mine tomorrow. finding this site was a blessing. it's great to not have to betate with myself whether an approach is correct or not and to
see how others go about it :)
upvoted 1 times

  michaeltheknight 1 year, 2 months ago

*debate
upvoted 1 times

  Teringzooi 1 year, 3 months ago

Selected Answer: A
Correct Answer: A - Yes
upvoted 1 times

  ExameHero 1 year, 4 months ago

ExamTopics is the Best!!!
upvoted 1 times

  im82 1 year, 6 months ago

Was on exam today 19.11.2021. Passed with 920.
Correct answer: A
upvoted 5 times

  sachin007 1 year, 6 months ago

Good Job , best wishes :)
upvoted 1 times

  ScoutP 1 year, 8 months ago

This question was asked on exam taken on Sept 30, 2021
upvoted 2 times

  MrJR 1 year, 10 months ago

Answer seems correct "If you want to install a client certificate on another client computer, you can export the certificate."
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-certificates-point-to-site
upvoted 4 times

  Devgela 2 years, 1 month ago

Correct
upvoted 3 times

  lock12333 2 years, 1 month ago

aaaaaaaaaaaaaaaaaaaaaaaaaaaa
upvoted 4 times

  d0bermannn 1 year, 11 months ago

you jammed a finger in keyboard, so pity)
upvoted 1 times

  denccc 2 years, 1 month ago

Correct
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 416/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #54 Topic 5

You have an Azure virtual machine named VM1.

The network interface for VM1 is configured as shown in the exhibit. (Click the Exhibit tab.)

You deploy a web server on VM1, and then create a secure website that is accessible by using the HTTPS protocol. VM1 is used as a web server
only.
You need to ensure that users can connect to the website from the Internet.
What should you do?

A. Modify the protocol of Rule4

B. Delete Rule1

C. For Rule5, change the Action to Allow and change the priority to 401

D. Create a new inbound rule that allows TCP protocol 443 and configure the rule to have a priority of 501.

Correct Answer: C
HTTPS uses port 443.
Rule2, with priority 500, denies HTTPS traffic.
Rule5, with priority changed from 2000 to 401, would allow HTTPS traffic.
Note: Priority is a number between 100 and 4096. Rules are processed in priority order, with lower numbers processed before higher numbers,
because lower numbers have higher priority. Once traffic matches a rule, processing stops. As a result, any rules that exist with lower priorities
(higher numbers) that have the same attributes as rules with higher priorities are not processed.
Note:
There are several versions of this question in the exam. The question has two possible correct answers:
1. Change the priority of Rule3 to 450.
2. For Rule5, change the Action to Allow and change the priority to 401.
Other incorrect answer options you may see on the exam include the following:
✑ Modify the action of Rule1.
✑ Change the priority of Rule6 to 100.
✑ For Rule4, change the protocol from UDP to Any.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview

Community vote distribution

C (93%) 7%

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 417/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  mlantonis Highly Voted  2 years ago

Correct Answer: C

HTTPS uses port 443.

Rule2, with priority 500, denies HTTPS traffic.
Rule5, with priority changed from 2000 to 401, would allow HTTPS traffic.

Note: Priority is a number between 100 and 4096. Rules are processed in priority order, with lower numbers processed before higher numbers,
because lower numbers have higher priority. Once traffic matches a rule, processing stops. As a result, any rules that exist with lower priorities
(higher numbers) that have the same attributes as rules with higher priorities are not processed.
upvoted 84 times

  mlantonis 2 years ago

Note: There are several versions of this question in the exam.
The question has two possible correct answers:
1. Change the priority of Rule3 to 450.
2. For Rule5, change the Action to Allow and change the priority to 401.
Other incorrect answer options you may see on the exam include the following:
✑ Modify the action of Rule1.
✑ Change the priority of Rule6 to 100.
✑ For Rule4, change the protocol from UDP to Any.

Reference:

https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview
upvoted 36 times

  YooOY 1 year, 8 months ago

Why it works with destination set to Virtualnetwork not the PublicIP ?
upvoted 2 times

  aner 6 months, 3 weeks ago

It works because Source (users on the Internet) is set to Any. The destination (web server) is ok to be VirtualNetwork because the web
server's VM is a part of Virtual network.
upvoted 1 times

  Moyuihftg Highly Voted  2 years, 1 month ago

Answer C is correct

Although not the best solution (opening range 50-5000, when you only whant to allow https/443)
upvoted 33 times

  Sharathjogi 1 year, 5 months ago

Absolutely agree...that's what I am thinking, we are unnecessarily opening lot of ports here, instead of allowing just 443.
upvoted 2 times

  ppuff 11 months, 1 week ago

microsoft testing logic lol
upvoted 3 times

  UWSFish Most Recent  1 month, 1 week ago

It does not speak well for Micosoft that their correct answer is very shitty IT.
upvoted 1 times

  Phlogiston 4 months ago

Yes, as many have commented, the correct answer is also a stupid answer that you would, if you were halfway competent, never implement in the
real world. It is a poorly designed question that aspires to meet the goal of testing your ability to synthesis and analyze information, rather than
simply regurgitate facts from memory. The best designed questions will require that you not only be able to recall facts but that you be able to use
those facts to troubleshoot, resolve problems, or create solutions. However, the correct responses to the questions should not be bonkers stupid as
this one is.
upvoted 1 times

  MightyMonarch74 4 months ago

Another terrible question with a ridiculous answer that does not reflect the real world!
upvoted 2 times

  Mohd1899 4 months, 2 weeks ago

Microsoft want to tell us, this is not security exam so do not expect the best secured answer is the correct one,
do n't expect the best practice has been implemented for each question
this is a way to stop you for a simple question thinking about which answer you should select here.
upvoted 2 times

  chikorita 4 months, 1 week ago

he works for microsoft
upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 418/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  lombri 4 months, 2 weeks ago

Selected Answer: D
No, it is not a good practice to open a range of ports from 400 to 500 for security reasons. In general, it is recommended to only open the specific
ports that are required for a particular service to function, and to limit access to only the minimum set of IP addresses that need it.

For example, in the scenario described, you only need to open port 443 to allow incoming HTTPS traffic to the web server. Opening a wider range
of ports could expose the system to unnecessary security risks, as it increases the attack surface of the system.

https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview

https://learn.microsoft.com/en-us/azure/virtual-machines/windows/nsg-quickstart-portal

https://learn.microsoft.com/en-us/azure/virtual-network/manage-network-security-group?tabs=network-security-group-portal
upvoted 1 times

  Mohd1899 4 months, 2 weeks ago

I would agree with you if the priority for answer D is set to 499 or below
in fact 501 priority eliminate this option completely because of Rule2
so the answer is C
upvoted 1 times

  hubble13 4 months, 3 weeks ago

I want an option for this question as "non of the above" lol!!! Really? Are we going to get such kind of option in the exam?
upvoted 1 times

  Asymptote 7 months ago

Selected Answer: C
This is why Microsoft always get hacked.
BRAVO
upvoted 3 times

  kusucu 8 months ago

Selected Answer: C
mlantonis is right
upvoted 1 times

  Kem81 8 months, 2 weeks ago

The correct answer for this is madness. As other users have commented, if any IT engineer left all those ports open, they would get fired lol. I know
this isn't an option but surely you would just delete Rule 1 and set Rule 2 to priority 400 and allow? What is MS trying to do!? get us fired? just
wow
upvoted 2 times

  JohnnyChimpo 4 months, 2 weeks ago

My boss would fire my ass
upvoted 1 times

  Kem81 8 months, 2 weeks ago

upon further investigation, you would also need to modify the rule to only allow internet traffic to the VM ofc. This is a really bad question and
not something anyone should do in real world scenario.
upvoted 1 times

  EmnCours 9 months, 3 weeks ago

Selected Answer: C
Correct Answer: C
upvoted 1 times

  blasdelezo 10 months ago

Selected Answer: C
Once traffic matches a rule, processing stops
upvoted 1 times

  justjeroen 11 months, 2 weeks ago

C will only work for virtualnetwork, not for traffic from Internet
upvoted 1 times

  Amrx 11 months, 3 weeks ago

Selected Answer: C
C is the right answer but damn those are a lot of ports left open lol.
upvoted 2 times

  Lazylinux 11 months, 4 weeks ago

Selected Answer: C

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 419/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

C is correct and as per other comments

upvoted 1 times
  G_unit_19 1 year, 3 months ago
Selected Answer: C
mlantonis is yet again correct
upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 420/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #55 Topic 5

A. Yes

B. No

Correct Answer: B
You should use a policy definition.
Resource policy definition used by Azure Policy enables you to establish conventions for resources in your organization by describing when the
policy is enforced and what effect to take. By defining conventions, you can control costs and more easily manage your resources.
Reference:
https://docs.microsoft.com/en-us/azure/azure-policy/policy-definition

Community vote distribution

B (100%)

  mlantonis Highly Voted  2 years ago

Correct Answer: B - No

You need to use a custom policy definition, because there is not a built-in policy.

Resource policy definition used by Azure Policy enables you to establish conventions for resources in your organization by describing when the
policy is enforced and what effect to take. By defining conventions, you can control costs and more easily manage your resources.

Reference:

https://docs.microsoft.com/en-us/azure/azure-policy/policy-definition

https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies
upvoted 52 times

  dasnc Highly Voted  2 years, 9 months ago

Answer is correct
upvoted 13 times

  EmnCours Most Recent  9 months, 3 weeks ago

Selected Answer: B
Correct Answer: B
upvoted 1 times

  G_unit_19 1 year, 3 months ago

Selected Answer: B
B is clearly the correct answer
upvoted 2 times

  AubinBakana 1 year, 9 months ago

haha... sorry I couldn't help it :)
upvoted 1 times

  Devgela 2 years, 1 month ago

Answer is No
upvoted 1 times

  tg01234 2 years, 3 months ago

Answer is No.
upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 421/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  ZUMY 2 years, 3 months ago

NO is the answer
upvoted 3 times

  toniiv 2 years, 3 months ago

Answer B. is correct, this is more related to Policies
upvoted 2 times

  waterzhong 2 years, 4 months ago

Policy assignments are inherited by child resources. If a policy assignment is applied to a resource group, it's applicable to all the resources in that
resource group.
upvoted 3 times

  janshal 2 years, 5 months ago

Tricky one but Vnets cannot communicate with other Vnets by default....
upvoted 4 times

  waterzhong 2 years, 5 months ago

Azure Policy establishes conventions for resources. Policy definitions describe resource compliance conditions and the effect to take if a condition
is met. A condition compares a resource property field or a value to a required value. Resource property fields are accessed by using aliases. When
a resource property field is an array, a special array alias can be used to select values from all array members and apply a condition to each one.
Learn more about conditions.
upvoted 4 times

  Akanyang 2 years, 7 months ago

what is the answer yes or no?
upvoted 1 times

  raBLar 2 years, 6 months ago

answer: no
upvoted 2 times

  Bhaskardegala 2 years, 6 months ago

Answer is No
upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 422/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #56 Topic 5

HOTSPOT -
You manage two Azure subscriptions named Subscription1 and Subscription2.
Subscription1 has following virtual networks:

The virtual networks contain the following subnets:

Subscription2 contains the following virtual network:

✑ Name: VNETA
✑ Address space: 10.10.128.0/17
✑ Location: Canada Central
VNETA contains the following subnets:

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

Box 1: Yes -
With VNet-to-VNet you can connect Virtual Networks in Azure across different regions.

Box 2: Yes -
Azure supports the following types of peering:
✑ Virtual network peering: Connect virtual networks within the same Azure region.
✑ Global virtual network peering: Connecting virtual networks across Azure regions.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 423/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Box 3: No -
The virtual networks you peer must have non-overlapping IP address spaces.
Reference:
https://azure.microsoft.com/en-us/blog/vnet-to-vnet-connecting-virtual-networks-in-azure-across-different-regions/
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-manage-peering#requirements-and-constraints

  mlantonis Highly Voted  2 years ago

Correct Answer:

VNET1: 10.10.10.0 - 10.10.10.255

VNET2: 172.16.0.0 - 172.16.255.255
VNETA: 10.10.128.0 - 10.10.255.255

Box 1: No
To create a VNet to VNet VPN you need to have a special Gateway Subnet. Here, the VNet has no sufficient address space to create a Gateway
Subnet and thus to establish a VNet to VNet VPN connection.

Box 2: Yes
For VNet peering the only consideration is that the VNets do not overlap. VNET1 and VNET2 do not overlap.

Box 3: Yes
For VNet peering the only consideration is that the VNets do not overlap. VNET1 and VNETA do not overlap.
upvoted 181 times

  Slimus 1 week, 1 day ago

Box 3: NO - "You have two subscriptions named Subscription1 and Subscription2". How are you going to do VNET peering for two different
subscriptions? Also consider same scenario from the question below:
https://www.examtopics.com/discussions/microsoft/view/39450-exam-az-104-topic-5-question-29-discussion/
upvoted 1 times

  piotrekpal 1 year ago

About Box 1: Site-to-Site connection is dedicated to Azure - On Premise connection NOT Azure-Azure.
upvoted 4 times

  Lazylinux 11 months, 3 weeks ago

Not entirely true, i though so myself but then realized can be done with some difference here is link you can read..MS is so confusing
sh*t...Make it simple Stupid
I just dont see why not keep it peering for vnet-vnet and S-S for Azure and On-prem
Hope this helps
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-vnet-vnet-resource-manager-portal
upvoted 7 times

  skydivex 3 months, 2 weeks ago

you are correct... nice findings.... as the link explains, VNET to VNET is the same as S2S, but the IP settings are done automatically. you do
not need to create gateway subnet.... the correct answers is YES, Yes, Yes
upvoted 1 times

  David1123 10 months, 2 weeks ago

We can modify the subnet11 and add Gatewaysubnet, thus YES, a site-to-site connection can be established between VNET1 and VNET2
upvoted 3 times

  rupayan87 6 months, 4 weeks ago

that way every question in the exam will have a yes answer... you are not asked to modify address range here.
upvoted 5 times

  przema86 6 months ago

I am also choosing Yes, Yes, Yes,
Box1: - they are not asking "do you have all required elements to establish site-to-site VPN". Question is only if that "...can be
established between VNET1 and VNET2?" (assume that all required technical missing you can arrange in some way). I would guess
that question is to check if we understand subnetting etc.
upvoted 3 times

  Thuncroow Highly Voted  2 years, 1 month ago

The answer should be N-Y-Y :
1: No because to create a Vnet to Vnet VPN you need to have a special gateway subnet. Here the Vnet has only /24 CIDR blocks of address space
and this space is already taken by its Subnet. Hence there is no sufficient address space to create a gateway subnet and thus to establish a Vnet to
Vnet VPN connection.
For 2 & 3 : They address spaces for the Virtual network don't overlap, we can thus establish a peering connection between the Virtuals Networks.
upvoted 83 times

  shnz03 2 years ago

I disagree. Address space /24 can create /27 or /28 for gateway subnet which btw is the recommended prefix by MS. Also I have tested it. So Y Y
Y
upvoted 11 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 424/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  JayBee65 1 year, 11 months ago

That's nonesense.
If you did what you are suggesting you would have, for example:
subnet1: 10.10.10.0 - 10.10.10.255
gateway subnet: 10.10.10.0/27 which would be 10.10.10.0 - 10.10.10.31 which would clearly overlap with subnet1
upvoted 7 times

  ASIMIS 1 year, 11 months ago

In theory yes you can break down the /24 subnet into smaller subnets, then use one of the subnets as Gateway subnet, but in reality you will
not have enough addresses left to use for users and devices. Besides the question does NOT mention subnetting the addresses. The key to
answering questions is to use only what is mentioned in the question. So no, you cant use that subnet.
Box 1 - NO
Box 2 - Yes
Box 3 - Yes
upvoted 5 times

  Bon_ 1 year, 9 months ago

You didn't look at the subnet breakdown for VNet1 close enough. Subnet11 takes up the entire address space provided by VNet1, so there's
no room to add a gateway subnet. Therefore, the first answer is NO.
upvoted 9 times

  imartinez 1 year, 11 months ago

First box is Yes:
"Configuring a VNet-to-VNet connection is a simple way to connect VNets. When you connect a virtual network to another virtual network with
a VNet-to-VNet connection type (VNet2VNet), it's similar to creating a Site-to-Site IPsec connection to an on-premises location"
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-vnet-vnet-resource-manager-portal
upvoted 3 times

  Moyuihftg 2 years, 1 month ago

Yes, good observation!
upvoted 7 times

  MrJR 1 year, 10 months ago

Well you could create the gateway subnet in VNET2 but would that be a S2S connection between VNET2 and VNET1 instead of VNET1 and
VNET2. Is the question saying that the connection must be established from VNET1. That's tricky.
upvoted 1 times

  vbohr899 Most Recent  3 months, 2 weeks ago

Cleared Exam today 26 Feb, This question was there in exam.
upvoted 6 times

  zellck 4 months ago

NYY is the answer.

https://learn.microsoft.com/en-us/azure/vpn-gateway/tutorial-site-to-site-portal#about-the-gateway-subnet
The virtual network gateway uses specific subnet called the gateway subnet. The gateway subnet is part of the virtual network IP address range that
you specify when configuring your virtual network. It contains the IP addresses that the virtual network gateway resources and services use.

When you create the gateway subnet, you specify the number of IP addresses that the subnet contains. The number of IP addresses needed
depends on the VPN gateway configuration that you want to create. Some configurations require more IP addresses than others. We recommend
that you create a gateway subnet that uses a /27 or /28.

https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-manage-peering?tabs=peering-portal#requirements-and-constraints
The virtual networks you peer must have non-overlapping IP address spaces.
upvoted 2 times

  medijv 7 months ago

Y,Y,Y
https://stackoverflow.com/questions/62307832/site-2-site-between-2-azure-vnets
upvoted 4 times

  alirasouli 7 months, 2 weeks ago

Box 1 is also Yes.
Quote from Microsoft:
While you can create a gateway subnet as small as /29, we recommend that you create a gateway subnet of /27 or larger (/27, /26 etc.) if you have
the available address space to do so. This will accommodate most configurations.

My final answer is YYY.

Reference:
https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings
upvoted 3 times

  majerly 8 months, 2 weeks ago

today in exam , NNY
upvoted 3 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 425/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  EmnCours 9 months, 3 weeks ago

Box 2: Yes
For VNet peering the only consideration is that the VNets do not overlap. VNET1 and VNET2 do not overlap.

Box 3: Yes
For VNet peering the only consideration is that the VNets do not overlap. VNET1 and VNETA do not overlap.
upvoted 1 times

  King4o 10 months, 1 week ago

Honestly ,Sick and tired of Exam Topics ,NYY
upvoted 4 times

  Mohd1899 4 months, 2 weeks ago

To be honest we should say Microsoft not exam topic,
there are many questions that have not enough details to select the best correct answer among 2-3 correct options !
upvoted 1 times

  QulFi 11 months, 2 weeks ago

However, I think that:
Box1: NO
You cannot create an additional subnet for VPN, because there is already a network that fills the entire VNET1 address space.

VNET1 10.10.10.0/24
Subnet11 10.10.10.0/24
Box2: Yes
Box3: Yes
upvoted 2 times

  EleChie 1 year ago

Correct Answer are:

BOX 1: YES
This is possible. You can connect 2 Azure VNETS using a S2S VPN, VNET to VNET connection (which is just a azure managed S2S VPN), or VNET
Peering. It is a best practice to use VNET to VNET connections for Azure VNETs, and then S2S for other connections.

You could make a S2S connection between 2 VNets with 2 VPN gateways or deploy a VPN software device in one VNet and VPN gateway in
another.
Reference:
Connect Vnet to Vnet usins S2S VPN
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-vnet-vnet-resource-manager-portal
About Highly Available gateway configurations - Azure VPN Gateway
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-highlyavailable

BOX 2: YES
BOX 3: YES
There are no overlapping between networks where:
VNETA 10.10.128.0/17 has IP range (10.10.128.1 - 10.10.255.254) and
VNET1 10.10.10.0/24 has IP range (10.10.10.1 - 10.10.10.254)
upvoted 1 times

  klexams 7 months, 3 weeks ago

Your answer on box1 would be correct had the address space was bigger than /24, as it needs another subnet for the gateway address. So the
answer is No.
upvoted 1 times

  rmadana 1 year, 1 month ago

I have exam on 16th may 2022 ..Pls wish me :)
upvoted 6 times

  ajayasa 1 year, 3 months ago

this question was there on 16/03/2022 with same question and passed with 900 percent
upvoted 2 times

  Sara_Mo 1 year, 5 months ago

Correct Answer: VNET1: 10.10.10.0 - 10.10.10.255 VNET2: 172.16.0.0 - 172.16.255.255 VNETA: 10.10.128.0 - 10.10.255.255
Box 1: No To create a VNet to VNet VPN you need to have a special Gateway Subnet. Here, the VNet has no sufficient address space to create a
Gateway Subnet and thus to establish a VNet to VNet VPN connection.
Box 2: Yes For VNet peering the only consideration is that the VNets do not overlap. VNET1 and VNET2 do not overlap.
Box 3: Yes For VNet peering the only consideration is that the VNets do not overlap. VNET1 and VNETA do not overlap.
upvoted 2 times

  Plextor 1 year, 6 months ago

On exam Today 17 Dec 21
upvoted 2 times
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 426/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  fabylande 1 year, 8 months ago

In exam today! October 16, 2021
upvoted 7 times

  silver_bullet666 1 year, 8 months ago

I tested and confirmed you cannot create a subnet that overlaps with another subnet address space in the same VNET.
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 427/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #57 Topic 5

You discover that connections to App1 from 131.107.100.50 over TCP port 443 fail.
You verify that the Load Balancer rules are configured correctly.
You need to ensure that connections to App1 can be established successfully from 131.107.100.50 over TCP port 443.
Solution: You create an inbound security rule that denies all traffic from the 131.107.100.50 source and has a cost of 64999.
Does this meet the goal?

A. Yes

B. No

Correct Answer: B
Reference:
https://fastreroute.com/azure-network-security-groups-explained/

Community vote distribution

B (100%)

  IHensch Highly Voted  2 years ago

"Attach network interface" Button is enabeld! That means, VM is Stopped and deallocated!
upvoted 71 times

  sztiki 1 year ago

Reading all the other options in this case, probably that's the answer. Pretty annoying though...
upvoted 3 times

  nNeo 1 year, 12 months ago

Very good observation !!!
upvoted 11 times

  suryamk 11 months, 3 weeks ago

even public IP is not visible in network interface!!
upvoted 1 times

  mlantonis Highly Voted  2 years ago

Correct Answer: B - No

You want to establish a successful connection from 131.107.100.50 over TCP port 43, and the solution suggests to create a deny inbound rule with
low priority. It doesn’t make any sense.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 428/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Virtual machines in load-balanced pools: The source port and address range applied are from the originating computer, not the load balancer. The
destination port and address range are for the destination computer, not the load balancer.

AllowAzureLoadBalancerInBound: The AzureLoadBalancer service tag translates to the virtual IP address of the host, 168.63.129.16 where the Azure
health probe originates. Actual traffic does not travel through here, and if you don’t use Azure Load Balancing, this rule can be overridden.
upvoted 48 times

  mlantonis 2 years ago

Reference:

https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview#azure-platform-considerations

https://msazure.club/addendum-of-azure-load-balancer-and-nsg-rules

http://gowie.eu/index.php/azure/best-practice/23-nsg-best-practice
upvoted 9 times

  mlantonis 2 years ago

The Load Balancer backend pool VMs may not be responding to the probes due to any of the following reasons:
- Load Balancer backend pool VM is unhealthy.
- Load Balancer backend pool VM is not listening on the probe port.
- Firewall, or a network security group is blocking the port on the Load Balancer backend pool VMs.
- Other misconfigurations in Load Balancer.

Note: Check if a Deny All network security groups rule on the NIC of the VM or the subnet that has a higher priority than the default rule that
allows LB probes & traffic (network security groups must allow Load Balancer IP of 168.63.129.16).

Reference:
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-troubleshoot-health-probe-status
upvoted 12 times

  dimsok Most Recent  4 months, 4 weeks ago

a cost of 64999???????
upvoted 1 times

  Bigc0ck 5 months, 1 week ago

Was on my 2nd test
upvoted 1 times

  Bigc0ck 5 months, 1 week ago

Here 1/5/23
upvoted 1 times

  Liriano 7 months, 2 weeks ago

In exam today, go with highly voted
upvoted 1 times

  klexams 7 months, 2 weeks ago

Selected Answer: B
this is to ensure connections to App1 can be established successfully from 131.107.100.50 over TCP port 443, not denying.
upvoted 1 times

  libran 9 months, 2 weeks ago

Selected Answer: B
B is the Answer..!
upvoted 1 times

  EmnCours 9 months, 3 weeks ago

Selected Answer: B
Correct Answer: B
upvoted 1 times

  minix 11 months, 3 weeks ago

came in today's exam 25/6/2022
upvoted 4 times

  EleChie 12 months ago

Correct answer: B

After considering the issue a bit more I've realized that AllowAzureLoadBalancerInBound security rule only applies to the traffic originated by the
Load Balancer - health probes, etc.

So rule 200 is blocking the LB Probe traffic which in its turn let LB knows that VM2 (or pool members) is alive/working and hence deleting this rule
will solve the issue.
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 429/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  szabi777 1 year, 3 months ago

The VM is turned off as the Attach network interface option is avalilable. The solution is to turn on the VM.

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface-vm#add-a-network-interface-to-an-existing-vm
upvoted 4 times

  AbhiYad 1 year, 5 months ago

There is no Public IP for VM2 to establish connection from external computer.
As rule already allows inbound connection, need to create Public IP for VM2 to facilitate connections.
upvoted 2 times

  im82 1 year, 6 months ago

Was on exam today 19.11.2021. Passed with 920.
Correct answer: B
upvoted 2 times

  Saravana12g 1 year, 9 months ago

No.
Rule BlockAllOther441 is blocking all the Inbound Traffic including Load Balancer traffic and hence the Load Balancer traffic is also not reaching to
access the App.
upvoted 1 times

  qyy 1 year, 10 months ago

ALB forwarded the request to VM1. VM1 should have a similar inbound rule configured.
upvoted 1 times

  RMJ21 1 year, 12 months ago

answer it would B for me. There is no Public IP address assigned, that means the VM is stopped and deallocated. We have to start first the VM
upvoted 3 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 430/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #58 Topic 5

You discover that connections to App1 from 131.107.100.50 over TCP port 443 fail.
You verify that the Load Balancer rules are configured correctly.
You need to ensure that connections to App1 can be established successfully from 131.107.100.50 over TCP port 443.
Solution: You delete the BlockAllOther443 inbound security rule.
Does this meet the goal?

A. Yes

B. No

Correct Answer: B
Reference:
https://fastreroute.com/azure-network-security-groups-explained/

Community vote distribution

B (67%) A (33%)

  mlantonis Highly Voted  2 years ago

Correct Answer: B - No

Allow_131.107.100.50 rule has a higher priority (100) than BlockAllOther441 (200) and it allows inbound traffic over TCP 443 from source
131.107.100.50. App1 (VM1 and VM2) is in a VNet, so this rule applies. Unfortunately, we still cannot access App1, so the issue is somewhere else,
maybe the VMs are off, or the firewall is blocking it.
upvoted 61 times

  Goofer 2 months, 2 weeks ago

Answer should be A (yes) I think. Because deleting rule BlockAllOther443, would cause default rule 65001 to allow the traffic from the
loadbalancer reach VM1/VM2
upvoted 1 times

  mlantonis 2 years ago

It's a tricky question. It might also be YES.

Note: Check if a Deny All network security groups rule on the NIC of the VM or the subnet that has a higher priority than the default rule that
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 431/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

allows LB probes & traffic (network security groups must allow Load Balancer IP of 168.63.129.16).

Reference:
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-troubleshoot-health-probe-status
upvoted 25 times

  alexander_890512 1 week, 6 days ago

Hello guys, the NIC is not attached to any vm, look at the attach options.
upvoted 2 times

  klexams 7 months, 2 weeks ago

The communication on these ports with 168.63.129.16 is not subject to the configured network security groups. So answer is No. Dont worry
about 168.63.129.16.
https://learn.microsoft.com/en-us/azure/virtual-network/what-is-ip-address-168-63-129-16
upvoted 3 times

  kansaj 1 year, 8 months ago

also the destination is for virtual network only so its doesn't matter still wouldn't work
upvoted 2 times

  Moyuihftg Highly Voted  2 years, 1 month ago

Answer should be A (yes) I think. Because deleting rule BlockAllOther441, would cause default rule 65001 to allow the traffic from the loadbalancer
reach VM1/VM2
upvoted 41 times

  MichalGr 1 year, 10 months ago

you could be right... I just wonder if there's a typo...
BlockAllOther441 [screen] / BlockAllOther443 [ans.]
upvoted 4 times

  ScreamingHand 2 years ago

An active "Attach network interface" suggests that VM2 is not running.
upvoted 6 times

  garmatey 1 month, 2 weeks ago

omg thank you, ive been looking through the comments of all three of these questions looking for this answer
upvoted 1 times

  itgg11 1 year, 3 months ago

I think you are spot on. the VM is off. Answer: B
upvoted 2 times

  rupayan87 6 months, 3 weeks ago

but VM1 may be running. The NSG is tied to subnet
upvoted 1 times

  FDZ83 1 year, 3 months ago

Correct: yes
Traffic come from LB, not directly from internet (vm has not public ip). So the rule that permits connection is 65001, we have only to remove the
rule that blocks 443.
upvoted 2 times

  Lkk51 2 years ago

Question is ensure that connections to App1 can be established successfully from 131.107.100.50 over TCP port 443.
upvoted 1 times

  krzysiekr Most Recent  1 month, 2 weeks ago

"Attach network interface" Button is enabled! That means, VM is Stopped and deallocated!"
Copied from another.
upvoted 1 times

  bsaksham 2 months, 2 weeks ago

Azure evaluates network security group (NSG) rules in ascending order by priority value, with lower numbers taking precedence over higher
numbers. When a traffic flow matches a rule with a deny action, the traffic is blocked and the NSG evaluation stops. Therefore, the allow rule with a
priority of 100 will not be applied if there is a matching deny rule with a higher priority of 200.

so First is Yes!!
upvoted 1 times

  Dimedrol1 3 months, 1 week ago

Selected Answer: B
I believe that answer should be - "B".
My logic is:
Our VM is working behind the LoadBalancer, which means, when client from 131.107.100.50 connects to our Application, in fact he's connecting to
our LoadBalancer, which forwards the request further, but this "second hop" will be from our LoadBalancer's internal address (e.g. 10.0.1.3), not
from 131.107.100.50.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 432/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

So - adding or removing the "Allow_131.107.100.50" gives nothing. No connection could be made directly from 131.107.100.50. (BTW - check, the
VM's got only internal IP)
upvoted 2 times
  ChakaZilly 3 months, 4 weeks ago
Correct answer Yes: Rule 100 is not relevant. Rule 200 blocks on the NIC-level. When you delete Rule 200 "the allow rule" of 65001 kicks in.
upvoted 1 times

  MeysamBayani 4 months, 1 week ago

I think so we have to assign network security group to subnet. right now it assign to NIC
upvoted 1 times

  MeysamBayani 4 months, 1 week ago

and Also I think the NIC not Attached to any WM
upvoted 1 times

  MeysamBayani 4 months, 1 week ago

I test in lab when in network blade statues of Attach network interface is not gray out it is mean the VM is stope
upvoted 1 times

  JoshuaAlkar 6 months ago

why ya all confusing other students with your comments? its the same question as above, the VM is powered off as no NetWork interface attached
as mentioned in the last question's discussion
upvoted 1 times

  Liriano 7 months, 2 weeks ago

In exam today, go with highly voted
upvoted 3 times

  matejka 7 months, 2 weeks ago

If the connection to VM fails the reason is somewhere else than in the NSG as the very first rule allows the connection on port 443 from the
131.107.100.50 IP address. So answer for all three questions in this section are NO.
upvoted 1 times

  EmnCours 9 months, 3 weeks ago

Selected Answer: A
Answer should be A (yes) I think. Because deleting rule BlockAllOther441, would cause default rule 65001 to allow the traffic from the loadbalancer
reach VM1/VM2
upvoted 2 times

  cypherx 9 months, 3 weeks ago

Selected Answer: A
Rule one Apply to Virtual network, NSG assigned to NIC
upvoted 1 times

  Lu5ck 11 months ago

Selected Answer: A
Loan balancer is active, the traffic source is load balancer and not some IP.
upvoted 1 times

  nkhan19 11 months ago

Selected Answer: A
we need to allow probes on 443, hence deleting this rule will help.
upvoted 1 times

  Durden871 3 months ago

You're allowing 443 through that IP address though. It has a higher priority. Why would this be the answer?
upvoted 1 times

  Lazylinux 11 months, 4 weeks ago

Selected Answer: B
I Luv Honey Because it is B

Allow_131.107.100.50 rule has a higher priority (100) than BlockAllOther441 (200) which means traffic for port 443 is allowed

Guys pay attention to the NIC interface of VM2.. it is currently NOT attached to VM2 because the unattached option is grayed out and the attach is
Blue hence it is NOT attached otherwise it will be the other way round.
upvoted 9 times

  EleChie 12 months ago

Correct answer should be: A

After considering the issue a bit more I've realized that AllowAzureLoadBalancerInBound security rule only applies to the traffic originated by the
Load Balancer - health probes, etc.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 433/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

So rule 200 is blocking the LB Probe traffic which in its turn let LB knows that VM2 (or pool members) is alive/working and hence deleting this rule
will solve the issue.
upvoted 2 times
  Pousko 1 year ago
The rule 'BlockAllOther443' do not exist here. Correct answer is B
upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 434/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #59 Topic 5

You discover that connections to App1 from 131.107.100.50 over TCP port 443 fail.
You verify that the Load Balancer rules are configured correctly.
You need to ensure that connections to App1 can be established successfully from 131.107.100.50 over TCP port 443.
Solution: You modify the priority of the Allow_131.107.100.50 inbound security rule.
Does this meet the goal?

A. Yes

B. No

Correct Answer: B
The rule currently has the highest priority.
Reference:
https://fastreroute.com/azure-network-security-groups-explained/

Community vote distribution

B (86%) 14%

  mlantonis Highly Voted  2 years ago

Correct Answer: B - No

Allow_131.107.100.50 rule has a higher priority (100). The issue is not related with the priority of the rule.
upvoted 38 times

  Dalias Highly Voted  2 years, 1 month ago

Answer is correct.
Current rule is already at the highest priority.. i hope such questions appear in the exams to take away some of the stress.
upvoted 16 times

  Liriano Most Recent  7 months, 2 weeks ago

In exam today, go with highly voted
upvoted 1 times

  mung 6 months, 4 weeks ago

Stop commenting like that dude..
Most Highly voted answers are still wrong on ET.
upvoted 2 times

  kf01234 7 months, 3 weeks ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 435/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Selected Answer: A
Delete 200 makes 65501 workable
upvoted 1 times

  chikorita 4 months, 1 week ago

no dude
upvoted 1 times

  reagan3698 7 months, 4 weeks ago

Selected Answer: B
Just checked in Azure. The Attach Network Interface icon is lit, this means the VM is powered off.
upvoted 5 times

  JoshuaAlkar 6 months ago

It's mentioned in previous discussion, Its clear that VM is powered off
upvoted 1 times

  garmatey 1 month, 2 weeks ago

why are you upset it is being mentioned here as well?
upvoted 1 times

  EmnCours 9 months, 3 weeks ago

Selected Answer: B
Correct Answer: B
upvoted 1 times

  EleChie 12 months ago

Correct Answer is B:
But the solution is -
After considering the issue a bit more I've realized that AllowAzureLoadBalancerInBound security rule only applies to the traffic originated by the
Load Balancer - health probes, etc.

So rule 200 is blocking the LB Probe traffic which in its turn let LB knows that VM2 (or pool members) is alive/working and hence deleting this rule
will solve the issue.
upvoted 1 times

  suryamk 1 year ago

rule name allow_131.107.100.50 has to be updated the destination to “any” will solve this issue>??
upvoted 1 times

  szabi777 1 year, 3 months ago

The VM is turned off as the Attach network interface option is avalilable. The solution is to turn on the VM.

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface-vm#add-a-network-interface-to-an-existing-vm
upvoted 3 times

  MrAzureGuru 1 year, 7 months ago

Beware that "You modify the priority" can also mean increasing the number, not just decreasing (as other questions usually demand you do).
upvoted 2 times

  orion1024 1 year, 8 months ago

As observed by IHensch in the 2 previous questions, the VM is stopped ("Attach network interface" is enabled). So unless the VM is started nothing
will change.
upvoted 4 times

  Saravana12g 1 year, 9 months ago

No.
Rule BlockAllOther441 is blocking all the Inbound Traffic including Load Balancer traffic and hence the LoadBalancer traffic is also not reaching to
access the App.
upvoted 3 times

  kerker 1 year, 11 months ago

VM is not running
So Start the vM
:))
upvoted 9 times

  JayBee65 1 year, 11 months ago

Allow_131.107.100.50 already has the highest priority so making this higher will have zero effect.
upvoted 1 times

  ScreamingHand 1 year, 11 months ago

An active "Attach network interface" suggests that VM2 is not running.
upvoted 4 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 436/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  RMJ21 1 year, 12 months ago

answer is correct.
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 437/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #60 Topic 5

A. Yes

B. No

Correct Answer: B
Resource policy definition used by Azure Policy enables you to establish conventions for resources in your organization by describing when the
policy is enforced and what effect to take. By defining conventions, you can control costs and more easily manage your resources.
Reference:
https://docs.microsoft.com/en-us/azure/azure-policy/policy-definition

Community vote distribution

B (100%)

  STH Highly Voted  2 years, 11 months ago

there is no such built-in policy (yet), that is why we need a custom one
upvoted 72 times

  ScreamingHand 2 years ago

Exactly. I will memorise ALL of the built-in policies to ensure I am well prepared for the MS exam.
upvoted 74 times

  Lazylinux 11 months, 4 weeks ago

I can lend U the Blue Book Bill Gates gave me, it contains Summary bullet points style of All MS Technologies
upvoted 13 times

  MrMacro 1 year, 6 months ago

lol... too funny.
upvoted 6 times

  zzzzzz12345 1 year, 9 months ago

MS almost leads everyone to cheating with exam-dumps, I see no other reasonable way of understanding questions like this :)
upvoted 31 times

  Def21 1 year ago

It might be intentional that they have ~10-20% of very detailed questions. You get most of them wrong, but you still easily succeed (I
think you need to have 70% score). However, if you happen to have expertise on a specific topic, it benefits you.
upvoted 2 times

  Lazylinux 11 months, 4 weeks ago

This is How Microsoft was Built on theft of other technologies and label it Windows logo..So old habits die hard
upvoted 8 times

  DodgyD 2 years, 5 months ago

Not sure what you are referring to ..There are many Built-in Policy Definitions for you to choose from. Sorting by Category will help you locate
what you need..
https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies

I'd say ans: B, too - as a custom policy would be required for specific ports.
upvoted 5 times

  d0bermannn 1 year, 11 months ago

agreed, if there is no device drivers [for winmodem for example], write it yourself [true unixway] ))
upvoted 1 times

  I 2 years, 3 months ago

I cannot agree you more!

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 438/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 4 times
  mlantonis Highly Voted  2 years ago
Correct Answer: B - No

You need to use a custom policy definition, because there is not a built-in policy.

Reference:

https://docs.microsoft.com/en-us/azure/azure-policy/policy-definition

https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies
upvoted 43 times

  majerly Most Recent  8 months, 2 weeks ago

Today in exam , is B
upvoted 3 times

  favela 9 months, 1 week ago

Answer is B passed today score 900
upvoted 5 times

  EmnCours 9 months, 3 weeks ago

Selected Answer: B
there is no such built-in policy (yet), that is why we need a custom one
upvoted 2 times

  Lazylinux 11 months, 4 weeks ago

Selected Answer: B
I Luv Honey Because it is B

Nothing relates to the solution no such thing in NSG

upvoted 2 times

  EleChie 12 months ago

Correct Answer B: NO

We need to use a custom policy definition, because there is no such a built-in policy.
upvoted 1 times

  AubinBakana 1 year, 9 months ago

I would have answered A here. Thank heavens I have spent time going through these. So there's no such a built-in role huh?! :)
upvoted 4 times

  Sharathjogi 1 year, 5 months ago

Me too...
upvoted 2 times

  Adebowale 1 year, 10 months ago

Hello STH, Well done for the clarification
upvoted 1 times

  ZUMY 2 years, 3 months ago

Sorry ignore previous
No is answer
when NSG is created the default NSG rule will NOT permit any traffic between 2 different VNETs . unless you peer the networks or create VPN
gateway
upvoted 3 times

  ZUMY 2 years, 3 months ago

No is correct!
when NSG is created the default NSG rule will NOT permit any traffic between 2 different VNETs So i think that the answer to All Q in this series is
YES. unless you peer the networks or create VPN gateway
upvoted 2 times

  toniiv 2 years, 3 months ago

Answer B. is correct. You need to create a custom policy
upvoted 4 times

  janshal 2 years, 5 months ago

again, when NSG is created the default NSG rule will NOT permit any traffic between 2 different VNETs So i think that the answer to All Q in this
series is YES. unless you peer the networks or create VPN gateway between them, they will NOT be able to Talk to each other

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 439/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 3 times

  Laurent_Byanjira 2 years, 4 months ago

AllowVNetInBound
ALLOWVNETINBOUND
Priority Source Source ports Destination Destination ports Protocol Access
65000 VirtualNetwork 0-65535 VirtualNetwork 0-65535 Any Allow

I think you are not right. This default rule will allow Vnet to communicate by default
upvoted 1 times

  oooMooo 2 years, 5 months ago

You need to use a custom policy definition.
upvoted 11 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 440/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #61 Topic 5

You have an Azure subscription.

You plan to deploy an Azure Kubernetes Service (AKS) cluster to support an app named App1. On-premises clients connect to App1 by using the
IP address of the pod.
For the AKS cluster, you need to choose a network type that will support App1.
What should you choose?

A. kubenet

B. Azure Container Networking Interface (CNI)

C. Hybrid Connection endpoints

D. Azure Private Link

Correct Answer: B
With Azure CNI, every pod gets an IP address from the subnet and can be accessed directly. These IP addresses must be unique across your
network space.
Incorrect Answers:
A: The kubenet networking option is the default configuration for AKS cluster creation. With kubenet, nodes get an IP address from the Azure
virtual network subnet. Pods receive an IP address from a logically different address space to the Azure virtual network subnet of the nodes.
Network address translation (NAT) is then configured so that the pods can reach resources on the Azure virtual network.
C, D: AKS only supports Kubenet networking and Azure Container Networking Interface (CNI) networking
Reference:
https://docs.microsoft.com/en-us/azure/aks/concepts-network

Community vote distribution

B (100%)

  fedztedz Highly Voted  2 years, 4 months ago

Answer is correct "B". To have previously reserved IP address for a certain Pod, you should use Azure Container Networking Interface (CNI)
upvoted 62 times

  zzzzzz12345 1 year, 9 months ago

The answer for this question is "B", correct.
However, in real world, this is many times seen as a bad-practice: in k8s you should prefer connect to "services" instead of "pods-ips". Very bad
practice...
upvoted 13 times

  Panapi 3 months, 3 weeks ago

Answer valid! This question was on the exam 22/02/2023. Scored 920.
upvoted 7 times

  mlantonis Highly Voted  2 years ago

Correct Answer: B
upvoted 40 times

  EmnCours Most Recent  9 months, 3 weeks ago

Selected Answer: B
Correct Answer: B

Nodes = Kubenete
Pods = CNI
upvoted 10 times

  robin1337 10 months ago

"On-premises clients connect to App1 by using the IP address of the pod." - seriously, who connects to an App by providing the ClusterIP of a Pod?
Pods are ephemeral and get a new IP assigned when they restart. Asking a question in that way is like MS encourages bad practices.
upvoted 5 times

  klasbeatz 7 months, 2 weeks ago

I noticed this too and kind of thought why are they connecting to a POD? no Load balancer or anything just strait to the pod IP address. LOL
upvoted 2 times

  alen995454 11 months, 3 weeks ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 441/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Nodes = Kubenete
Pods = CNI
upvoted 10 times

  Lazylinux 11 months, 4 weeks ago

Selected Answer: B
I Luv Honey Because it is B

If using Kubnetes Networking then receive an IP address from logically different address space to Azure Virtual Network Subnet and NAT is then
used to translate IPs from the PODs to the Azure virtual Network and vice versa

If using Azure Container Networking Interface (ACNI): then All PODs get IP from the subnet and can be accessed directly, the ONLY problem with
such method is that it could lead to IP address exhaustion
upvoted 6 times

  techie_11 1 year, 2 months ago

On exam 4/12/2022. correct answer
upvoted 3 times

  InvisibleShadow 1 year, 3 months ago

This question came in the exam today 8/Mar/2022.
I passed the exam, 95% questions came from here.
upvoted 2 times

  MMsdk 1 year, 2 months ago

Did you have over 200 questions in your exam?
upvoted 9 times

  sid132 1 year, 3 months ago

On the exam today, 4.March.2022
upvoted 3 times

  nidhogg 1 year, 4 months ago

On the exam today, 1.feb.2022
Just 761/1000, but OK! :D
Thanks to ExamTopics and to you all!
upvoted 4 times

  im82 1 year, 6 months ago

Was on exam today 19.11.2021. Passed with 920.
Correct answer: B
upvoted 8 times

  ZUMY 2 years, 3 months ago

B is correct
upvoted 2 times

  waterzhong 2 years, 3 months ago

With Azure CNI, every pod gets an IP address from the subnet and can be accessed directly.
upvoted 5 times

  toniiv 2 years, 3 months ago

CNI is correct
upvoted 2 times

  emv 2 years, 4 months ago

In AKS, you can deploy a cluster that uses one of the following two network models:

Kubenet networking - The network resources are typically created and configured as the AKS cluster is deployed.
Azure Container Networking Interface (CNI) networking - The AKS cluster is connected to existing virtual network resources and configurations.
upvoted 12 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 442/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #62 Topic 5

You deploy a load balancer that has the following configurations:

✑ Name: LB1
✑ Type: Internal
✑ SKU: Standard
✑ Virtual network: VNET1
You need to ensure that you can add VM1 and VM2 to the backend pool of LB1.
Solution: You disassociate the public IP address from the network interface of VM2.
Does this meet the goal?

A. Yes

B. No

Correct Answer: B

Community vote distribution

A (100%)

  Moyuihftg Highly Voted  2 years, 1 month ago

You can only attach virtual machines that have a standard SKU public IP configuration or no public IP configuration. All IP configurations must be
on the same virtual network.

ALso, VMs do not have to be powered on when adding them to a backend pool.

So answer should be A (Yes)

upvoted 86 times

  GenjamBhai 11 months, 3 weeks ago

2 possible ways - either no Public IPs on BE VMs or Std Public IPs on both VMs matching Std LB SKU
upvoted 7 times

  GBAU 4 months ago

Tested in a Lab Feb '23. Standard SKU LB had ZERO problems using VMs with basic PIPs and LIPs in the backend pool.
upvoted 2 times

  Holydud 9 months, 4 weeks ago

Was on exam 19 Aug 2022. Scored 870. Around 85% questions were also on ET. Answered A
upvoted 8 times

  Takloy 1 year, 6 months ago

That's what I thought!
upvoted 4 times

  mlantonis Highly Voted  2 years ago

Correct Answer: A - Yes

You can only attach virtual machines that are in the same location and on the same virtual network as the LB. Virtual machines must have a
standard SKU public IP or no public IP.

Also, when adding them to a backend pool, it doesn’t matter in which status are the VMs.

Note: Load balancer and the public IP address SKU must match when you use them with public IP addresses.
upvoted 77 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 443/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  andrew_ura 6 months, 2 weeks ago

Public IP of the VM is basic SKU, not standad. And if "The LB needs to be a standard SKU to accept individual VMs outside an availability set or
vmss. VMs do not need to have public IPs but if they do have them they have to be standard SKU. ", then it will fail!?
B - No is correct
upvoted 1 times

  curtmcgirt 3 months, 3 weeks ago

-we're _removing_ the public IP from vm2, so it doesn't matter anymore if the public IP sku is basic or standard.
-the lb _IS_ a standard SKU, so it can accept these individual VMs that have no public IPs.
upvoted 1 times

  mlantonis 2 years ago

It's valid, because:
LB1: Standard SKU
VM1: No public IP
VM2: No public IP
upvoted 31 times

  KelvinTan 1 year, 10 months ago

disassociate the public IP address from the network interface of VM2
upvoted 2 times

  kennynelcon 1 year, 1 month ago

Mlantonis oil dey your head
upvoted 2 times

  haazybanj 11 months, 2 weeks ago

Baba werey. Dis one no be Naija o.Answer is right
upvoted 2 times

  fastlearner21 Most Recent  1 month, 2 weeks ago

Can someone explain why ET has answer B. How is this answer selected on ET platform?
upvoted 1 times

  JayLearn2022 3 months, 4 weeks ago

There are several versions of this question. The following are the correct and incorrect answers that can be presented.

Correct Answer: Meets the goal.

-Solution: You create two Standard SKU public IP addresses and associate a Standard SKU public IP address to the network interface of each virtual
machine.

Incorrect Answers: Does not meet the goal.

-Solution: You disassociate the public IP address from the network interface of VM2.

-Solution: You create a Basic SKU public IP address, associate the address to the network interface of VM1, and then start VM1.

-Solution: You create a Standard SKU public IP address, associate the address to the network interface of VM1, and then stop VM2.
upvoted 2 times

  garmatey 1 week, 4 days ago

why post all this on multiple different questions and not make sure its correct...
upvoted 1 times

  obaali1990 2 months, 3 weeks ago

Your provided guidelines for option 2 is not valid
upvoted 1 times

  meeko86 5 months, 4 weeks ago

  EmnCours 9 months, 3 weeks ago

Selected Answer: A
Correct Answer: A

You can only attach virtual machines that are in the same location and on the same virtual network as the LB. Virtual machines must have a
standard SKU public IP or no public IP.
upvoted 1 times

  Gino_Slim 11 months, 2 weeks ago

Selected Answer: A
It's A....they need to update this.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 444/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 1 times
  Pramodswagh 11 months, 3 weeks ago
Selected Answer: A
Need is to have either standard sku public ip or no public ip so answer is yes.
upvoted 1 times

  Lazylinux 11 months, 4 weeks ago

Selected Answer: A
A for sure
As the Basic Public IP SKU had been removed and the LB is STD which means can support singles VMs to be added and dont need be in AV set or
VM scale set and all are in same region
upvoted 2 times

  cloudera 12 months ago

Selected Answer: A
VM1 has no public IP, VM2 has public IP.

To add VM1 and VM2 as LB back-end pools - you can either remove the public IP of VM2 or assign standard SKU public IP to both the VMs.
upvoted 1 times

  ajayasa 1 year, 3 months ago

this question was there on 16/03/2022 with same question and passed with 900 percent
upvoted 1 times

  Jeo007 1 year, 3 months ago

Selected Answer: A
I have chosen also the A, but it shows me that B is the correct answer.
do anybody knows why?
upvoted 1 times

  InvisibleShadow 1 year, 3 months ago

This question came in the exam today 8/Mar/2022.
I passed the exam, 95% questions came from here.
upvoted 1 times

  Teringzooi 1 year, 3 months ago

Selected Answer: A
Answer: A
You can only attach virtual machines that have a standard SKU public IP configuration or no public IP configuration. All IP configurations must be
on the same virtual network.
upvoted 1 times

  _punky_ 1 year, 5 months ago

Selected Answer: A
My ans
upvoted 1 times

  [Removed] 1 year, 5 months ago

Selected Answer: A
Correct answer is A. VM2 is using a Basic SKU public IP address which is not compatible with a Standard ILB. Therefore you must remove the public
IP.
upvoted 1 times

  Takloy 1 year, 5 months ago

Selected Answer: A
love this voting comment feature.
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 445/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #63 Topic 5

A. Yes

B. No

Correct Answer: A
Resource policy definition used by Azure Policy enables you to establish conventions for resources in your organization by describing when the
policy is enforced and what effect to take. By defining conventions, you can control costs and more easily manage your resources.
Reference:
https://docs.microsoft.com/en-us/azure/azure-policy/policy-definition

Community vote distribution

A (100%)

  mlantonis Highly Voted  2 years ago

Correct Answer: A - Yes

You need to use a custom policy definition, because there is not a built-in policy.

Reference:

https://docs.microsoft.com/en-us/azure/azure-policy/policy-definition

https://docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies
upvoted 50 times

  tuta Highly Voted  2 years, 6 months ago

given answer is correct
upvoted 15 times

  JayLearn2022 Most Recent  3 months, 4 weeks ago

There are several versions of this question. The following are the correct and incorrect answers that can be presented.

Correct Answer: Meets the goal.

-Solution: You configure a custom policy definition, and then you assign the policy to the subscription.

Incorrect Answers: Does not meet the goal.

-Solution: You create a resource lock, and then you assign the lock to the subscription.

-Solution: From the Resource providers blade, you unregister the Microsoft.ClassicNetwork provider

-Solution: You assign a built-in policy definition to the subscription.

upvoted 2 times

  majerly 8 months, 2 weeks ago

Today in exam , is A
upvoted 2 times

  favela 9 months, 1 week ago

Yes custom policy not built
upvoted 1 times

  EmnCours 9 months, 3 weeks ago

Selected Answer: A

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 446/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Correct Answer: A

You need to use a custom policy definition, because there is not a built-in policy
upvoted 2 times
  ajayasa 1 year, 3 months ago
this question was there on 16/03/2022 with same question and passed with 900 percent
upvoted 2 times

  G_unit_19 1 year, 3 months ago

Selected Answer: A
A is the correct answer
upvoted 1 times

  AubinBakana 1 year, 9 months ago

I sure won't forget this one, ha!
upvoted 7 times

  ZUMY 2 years, 3 months ago

A is correct!
upvoted 8 times

  toniiv 2 years, 3 months ago

Answer A. is correct. Custom policy is the key
upvoted 4 times

  TheOne1 2 years, 4 months ago

Correct
upvoted 3 times

  Hibs2016 2 years, 6 months ago

Answer is correct
upvoted 3 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 447/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #64 Topic 5

You have two Azure virtual networks named VNet1 and VNet2. VNet1 contains an Azure virtual machine named VM1. VNet2 contains an Azure
virtual machine named VM2.
VM1 hosts a frontend application that connects to VM2 to retrieve data.
Users report that the frontend application is slower than usual.
You need to view the average round-trip time (RTT) of the packets from VM1 to VM2.
Which Azure Network Watcher feature should you use?

A. IP flow verify

B. Connection troubleshoot

C. Connection monitor

D. NSG flow logs

Correct Answer: C
The connection monitor capability monitors communication at a regular interval and informs you of reachability, latency, and network topology
changes between the VM and the endpoint
Incorrect Answers:
A: The IP flow verify capability enables you to specify a source and destination IPv4 address, port, protocol (TCP or UDP), and traffic direction
(inbound or outbound). IP flow verify then tests the communication and informs you if the connection succeeds or fails. If the connection fails,
IP flow verify tells you which security rule allowed or denied the communication, so that you can resolve the problem.
B: The connection troubleshoot capability enables you to test a connection between a VM and another VM, an FQDN, a URI, or an IPv4 address.
The test returns similar information returned when using the connection monitor capability, but tests the connection at a point in time, rather
than monitoring it over time, as connection monitor does.
D: The NSG flow log capability allows you to log the source and destination IP address, port, protocol, and whether traffic was allowed or denied
by an NSG.
Reference:
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview

Community vote distribution

C (100%)

  mlantonis Highly Voted  2 years ago

Correct Answer: C

Connection monitor lets you know the round-trip time to make the connection, in milliseconds. Connection monitor probes the connection every
60 seconds, so you can monitor latency over time.

Reference:
https://docs.microsoft.com/en-us/azure/network-watcher/connection-monitor
https://docs.microsoft.com/en-us/azure/network-watcher/connection-monitor-overview
upvoted 74 times

  hstorm Highly Voted  2 years, 9 months ago

I was really not sure, but found this about connection monitor:
"Lets you know the round-trip time to make the connection, in milliseconds. Connection monitor probes the connection every 60 seconds, so you
can monitor latency over time."

So guess answer is right

upvoted 39 times

  shadad Most Recent  3 months, 1 week ago

Selected Answer: C
I took Exam of Azure- 104 at 27/2/2023
I score 920 points out of 1000 points. This was on it and my answer was: C
upvoted 5 times

  zellck 4 months ago

Selected Answer: C
C is the answer.

https://learn.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview#monitoring
The connection monitor capability monitors communication at a regular interval and informs you of reachability, latency, and network topology

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 448/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

changes between the VM and the endpoint.

Connection monitor also provides the minimum, average, and maximum latency observed over time. After learning the latency for a connection,
you may find that you can decrease the latency by moving your Azure resources to different Azure regions.
upvoted 1 times
  lombri 4 months, 2 weeks ago
Connection Monitor is a feature of Azure Network Watcher that enables you to monitor network connectivity between virtual machines within or
across virtual networks, and on-premises resources. It helps you diagnose and resolve connectivity issues by providing real-time insights into the
health of your network connections, including RTT, jitter, and packet loss metrics.
upvoted 1 times

  klexams 7 months, 2 weeks ago

Selected Answer: C
The key is the word “average” which needs to run for a period of time which is what connection monitor does. If it is a one time only then it would
be connection troubleshoot
upvoted 3 times

  tahirMScert 8 months, 2 weeks ago

this was on exam 03oct2022 , I scored 870 and answered as Examtopics answer
upvoted 3 times

  majerly 8 months, 2 weeks ago

Today in exam is C
upvoted 2 times

  EmnCours 9 months, 3 weeks ago

Selected Answer: C
Correct Answer: C
upvoted 1 times

  minix 11 months, 3 weeks ago

came in today's exam 25/6/2022
upvoted 5 times

  Lazylinux 11 months, 4 weeks ago

Selected Answer: C
Actually B is correct answer too, the only reason i Chose C is because of this statement

You need to view the ***average round-trip time (RTT)*** of the packets from VM1 to VM2

Average RTT which means overtime and NOT one time result which Connection troubleshoot does, so because it said average then had to be
connection monitor,
Just note: Connection Monitor is New replacing the Network Performance Monitor
upvoted 2 times

  Teringzooi 1 year, 3 months ago

Selected Answer: C
Correct Answer: C

Connection monitor lets you know the round-trip time to make the connection, in milliseconds. Connection monitor probes the connection every
60 seconds, so you can monitor latency over time.

Reference:
https://docs.microsoft.com/en-us/azure/network-watcher/connection-monitor
https://docs.microsoft.com/en-us/azure/network-watcher/connection-monitor-overview
upvoted 2 times

  areza 1 year, 5 months ago

passed 902. this question in exam 29.12.21 - answer C
upvoted 3 times

  jantoniocesargatica 2 years, 1 month ago

Connection Monitor.
Please check this link:
https://docs.microsoft.com/en-us/azure/network-watcher/connection-monitor-overview
upvoted 2 times

  ddb116 2 years, 2 months ago

Answer is C
https://docs.microsoft.com/en-us/azure/network-watcher/connection-monitor-create-using-portal

The monitoring data includes the percentage of checks that failed and the round-trip time (RTT).
upvoted 2 times

  ZUMY 2 years, 3 months ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 449/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

C answer
upvoted 5 times

  StixxNSnares 2 years, 3 months ago

C
Ref: https://docs.microsoft.com/en-us/azure/network-watcher/connection-monitor-overview
Jump to Create a connection monitor - Test section
upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 450/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #65 Topic 5

HOTSPOT -
You have an Azure subscription that contains the public load balancers shown in the following table.

You plan to create six virtual machines and to load balance requests to the virtual machines. Each load balancer will load balance three virtual
machines.
You need to create the virtual machines for the planned solution.
How should you create the virtual machines? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

Box 1: be created in the same availability set or virtual machine scale set.
The Basic tier is quite restrictive. A load balancer is restricted to a single availability set, virtual machine scale set, or a single machine.
Box 2: be connected to the same virtual network
The Standard tier can span any virtual machine in a single virtual network, including blends of scale sets, availability sets, and machines.
Reference:
https://www.petri.com/comparing-basic-standard-azure-load-balancers

  HGD545 Highly Voted  1 year, 7 months ago

Correct:
Standard SKU: any virtual machines or virtual machine scale sets in a single virtual network.
Basic SKU: Virtual machines in a single availability set or virtual machine scale set.

https://docs.microsoft.com/en-us/azure/load-balancer/skus>
upvoted 32 times

  pakman Highly Voted  1 year, 8 months ago

Correct.
upvoted 17 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 451/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  garmatey Most Recent  1 week, 4 days ago

I really hate how the words "basic" and "standard" are pretty close to synonyms. It'd be like a restaurant having two sizes of drink: Regular or
Medium.
upvoted 2 times

  googlearch 1 year, 5 months ago

The VMs should be in same VNet is applicable for both cases Basic nd standard LB, what a crap question
upvoted 9 times

  areza 1 year, 5 months ago

passed 902. this question in exam 29.12.21 - answer C
upvoted 7 times

  cktck 1 year, 5 months ago

XD??????
upvoted 18 times

  kaloszertest 1 year, 5 months ago

What's the point of load balancing a single machine?
upvoted 2 times

  [Removed] 1 year, 5 months ago

There is no point which is why you wouldn't. But for a basic SKU load balancer it can only be attached to a single availability set. So you would
create an availability set, then when you create your VMs add them to that availability set. At which point, you can now load balance multiple
VMs with a Basic SKU availability set.
upvoted 2 times

  adrian_borowski 1 year, 5 months ago

You are NOT LOAD balancing single machine but a set of same machines that were created by scaling out due to LOAD. Just sayin'
upvoted 3 times

  klexams 7 months, 3 weeks ago

he's referring to this:
The Basic tier is quite restrictive. A load balancer is restricted to a single availability set, virtual machine scale set, or a single machine.
upvoted 3 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 452/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #66 Topic 5

HOTSPOT -
You have an on-premises data center and an Azure subscription. The data center contains two VPN devices. The subscription contains an Azure
virtual network named VNet1. VNet1 contains a gateway subnet.
You need to create a site-to-site VPN. The solution must ensure that if a single instance of an Azure VPN gateway fails, or a single on-premises
VPN device fails, the failure will not cause an interruption that is longer than two minutes.
What is the minimum number of public IP addresses, virtual network gateways, and local network gateways required in Azure? To answer, select
the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

Box 1: 4 -
Two public IP addresses in the on-premises data center, and two public IP addresses in the VNET.
The most reliable option is to combine the active-active gateways on both your network and Azure, as shown in the diagram below.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 453/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Box 2: 2 -
Every Azure VPN gateway consists of two instances in an active-standby configuration. For any planned maintenance or unplanned disruption
that happens to the active instance, the standby instance would take over (failover) automatically, and resume the S2S VPN or VNet-to-VNet
connections.

Box 3: 2 -
Dual-redundancy: active-active VPN gateways for both Azure and on-premises networks
Reference:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-highlyavailable

  Darkren4eveR Highly Voted  2 years ago

2
2
2
Appear in the Microsoft Exam Test Prep
upvoted 98 times

  joergsi 1 year, 5 months ago

How could this be, if I have 2 times 2 Gateways I would need 4 public IP-Addresses, correct?
upvoted 1 times

  tyohaina 7 months, 1 week ago

But not in Azure. The question specifies, how many of these are required in AZURE.
upvoted 7 times

  skydivex 4 months ago

with that logic, how do you explain "local network gateways required in Azure"?
When local network gateway refers to the on-premise network..... the correct answer is 4-2-2..... you need 4 public IP to setup redundant
S2S VPN.
upvoted 1 times

  ConanBarb 3 months, 2 weeks ago

The "local network gateway" IS an azure resource (the on-prem VPN thing is called "VPN Device" in Microsoft Azure terminology)
(Hence correct answer is: 2-1-2)
You can try to create a "Local NW GW" yourself in Portal "Create a local network gateway to represent the on-premises site that you
want to connect to a virtual network. The local network gateway specifies the public IP address of the VPN device and IP address
ranges located on the on-premises site. Later, create a VPN gateway connection between the virtual network gateway for the virtual
network, and the local network gateway for the on-premises site."

And if you try to create a VPN Gateway Standard in Active-Active mode you will see that only one VNet is required. The A-A config
takes care of the rest.

Hence the following _in Azure_:

2 Public IPs (assuming Active-Active, which comes from <2 minutes requirement)
1 VNet (see config of VPN GW in Azure)
2 Local Gateways (as you have 2 "VPN Devices" on-prem)
upvoted 5 times

  holytoni 2 months, 1 week ago

Yes you're right.
1 x virtual network gateway resource in azure always represents two actual virtual gateways. In an active active solution both are up
at the same time. In active passive only one.
https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-activeactive-rm-powershell#step-2---create-the-vpn-gateway-
for-testvnet1-with-active-active-mode
Therefore the right solution is 2-1-2.
upvoted 1 times

  albertozgz 1 year, 8 months ago

" longer than two minutes", Thus, we dont need Active - Active, we are in "Multiple on-premises VPN devices", thus 2-2-2 is the correct

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 454/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 4 times

  rigonet 1 year, 7 months ago

As you can read at https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-highlyavailable:

"For planned maintenance, the connectivity should be restored within 10 to 15 seconds. For unplanned issues, the connection recovery will
be longer, about 1 to 3 minutes in the worst case."

So, with active/passive the connection recovery can take up to 3 minutes. We need and active/active scenario.
· 2 Public IPs
· 2 Virtual Gateways
· 2 Local Gateways
upvoted 7 times

  Hyrydar 7 months, 3 weeks ago

Hey fellow study buddies, there can be only ONE virtual network gateway in a Virtual network.
But when you create one, it spuns two instances in an active-standby configuration.
upvoted 3 times

  magichappens 1 year, 4 months ago

I also got these answers in my exam prep but I don´t get it. As you only need to deploy one virtual network gateway instance this is very
misleading. You even can´t deploy more that one per virtual network if I am not mistaken.
upvoted 2 times

  magichappens 1 year, 3 months ago

Just got the question again in MeasureUp and this time they changed it. So correct answer is:
- 2 Public IP´s
- 2 Local network gateways
- 1 Virtual network gateway
And that finally makes sense to me. However I am struggling with MeasureUp question quality as this is misleading exam preperations.
upvoted 11 times

  Netspud 1 year, 4 months ago

I agree mostly, 2,2,2.
Details are here:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-highlyavailable

But the questions state failure of a single azure or local gateway. So we need to use "Dual-redundancy: active-active VPN gateways for both
Azure and on-premises networks". As best I can tell (because it is not explicit), we only need two public IP's on the premises gateways. The
reason for this being Azure will "dial out" or "connect" to the premises gateways, thus Azure not needing public IPs to create the circuit. This
should also be OK for the other requirements too.
upvoted 2 times

  Netspud 1 year, 4 months ago

CHANGE MY MIND
Although after seeing this: https://azure.microsoft.com/en-gb/blog/vnet-peering-and-vpn-gateways/, which even for a vnet to vnet vpn
requires 2 ips (for a single ipsec gateway).
I am going to switch to 4,2,2
upvoted 4 times

  Gadzee 1 year, 4 months ago

4,2,2
Here you create and set up the Azure VPN gateway in an active-active configuration, and create two local network gateways and two
connections for your two on-premises VPN devices as described above. The result is a full mesh connectivity of 4 IPsec tunnels between
your Azure virtual network and your on-premises network.

All gateways and tunnels are active from the Azure side, so the traffic will be spread among all 4 tunnels simultaneously,
upvoted 1 times

  hm67 1 year, 4 months ago

What is the minimum number of public IP addresses, virtual network gateways, and local network gateways "required in Azure"?
Only 2 in Azure.
upvoted 4 times

  mlantonis Highly Voted  2 years ago

Correct Answer:

The questions asks how many are required in Azure, so the on-premise ones should not be counted.

Box 1: 2
2 public IP addresses in the on-premises data center, and 2 public IP addresses in the VNET for the active-active. The most reliable option is to
combine the active-active gateways on both your network and Azure, as shown in the diagram below.

Box 2: 1
Every Azure VPN gateway consists of two instances in an active-standby configuration. For any planned maintenance or unplanned disruption that
happens to the active instance, the standby instance would take over (failover) automatically, and resume the S2S VPN or VNet-to-VNet
connections.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 455/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Box 3: 1
Dual-redundancy: active-active VPN gateways for both Azure and on-premises networks
upvoted 89 times

  Hyrydar 7 months, 3 weeks ago

I disagree with your box 3 answer. It should be 2. Every VPN device in the data center must have a local network gateway by which the VPN
gateway can connect to. There are two on-prem devices, so two local network gateways
upvoted 6 times

  ConanBarb 3 months, 2 weeks ago

Correct. Assuming that you have two VPN Devices on-prem in Active-Active mode.
The "local network gateway" is an azure resource (the on-prem VPN thing is called "VPN Device" in Microsoft Azure terminology)
You can try to create a "Local NW GW" yourself in Portal "Create a local network gateway to represent the on-premises site that you want to
connect to a virtual network. The local network gateway specifies the public IP address of the VPN device and IP address ranges located on
the on-premises site. Later, create a VPN gateway connection between the virtual network gateway for the virtual network, and the local
network gateway for the on-premises site."

And if you try to create a VPN Gateway Standard in Active-Active mode you will see that only one VNet is required. The A-A config takes care
of the rest.

Hence the following _in Azure_:

2 Public IPs (assuming Active-Active, which comes from <2 minutes requirement)
1 VNet (see config of VPN GW in Azure)
2 Local Gateways (as you have 2 "VPN Devices" on-prem)
upvoted 1 times

  darsy2001 2 years ago

you are mixing active-active with active-standby in your explanation
upvoted 3 times

  ConanBarb 3 months, 2 weeks ago

Yes, but actually there are two configurations to talk about.
The Azure VPN GW config and the on-prem VPN Devices config.

You can have Azure GW config in A-A (requiring 1 GW Vnet and 2 PIPs), and the on-prem VPN Devices in Active-Passive (requiring only one
public ip and thus 1 Local Network Gateway)
Active-Passive for on-prem could have explained why Mlantonis answers 1 on box 3. But doesnät rhyme with his own motivation " active-
active VPN gateways for both Azure and on-premises network"
upvoted 1 times

  tweedo 1 year, 10 months ago

2-1-2:
2 Public IP addresses (each Azure VPN gateway spawns 2 VPN endpoints, each with its own IP

1 - single Azure VPN gateway is redundant by default

2= two on-premise VPN devices are mentioned, and single local network gateway can only be set up with a SINGLE ip for on-premise VPN
device, two local network gateway are needed for redundancy.
upvoted 24 times

  yangxs 1 year, 4 months ago

I totally agree with you that "The questions asks how many are required in Azure, so the on-premise ones should not be counted."
Base on this box 3 should be 0 since it is not in Azure, but there is no such choice.
They should make the question/answer more clear.
upvoted 1 times

  Ashfaque_9x 5 months, 4 weeks ago

Local Network Gateway in S2S VPN is created at the Azure end.
upvoted 3 times

  Andy_S Most Recent  2 weeks, 1 day ago

Answer is wrong:
Q1 - 1
Q2 - 1
Q3 - 2
You can deploy ONLY ONE Virtual Network Gateway per network. It could be Active-Standby or Active-Active. In requirements mentioned 2
minutes for failover which is Ok for Active-Standby (90 seconds during unplanned outages). For such kind of configuration, we have to add 1 Public
IP address. From on-premises side we have to add 2 Devices (Local gateways) and BGP configuration to support auto switchover. As a result, the
MINIMUM requirements are 1 Virtual Network Gateway, 1 Public IP Address and 2 Local Gateways.
upvoted 1 times

  Andy_S 2 weeks, 1 day ago

Reference: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-highlyavailable
upvoted 1 times

  ericZX 1 month, 2 weeks ago

(1)In active-standby mode, unplanned issues' recovery time is 1 to 3 minutes, so we need to enable active-active mode
(2)Every VPN gateway consists of two instances, in active-standby mode, we just need one IP,when the active instance fails, the standby instance

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 456/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

will take over the IP; in active-active mode, each instance has its own IP.
(3)one local network gateway represents one on-premise Device
(4)One VPN gateway can connect more than one local network gateway
So the Answer is 2, 1, 2
1 VPN gateway(2 active VM instances=2IP) <--> 2 local network gateway <--> 2 on-premise devices
upvoted 1 times

  ericZX 1 month, 2 weeks ago

Dual-redundancy Graph
https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-highlyavailable#dual-redundancy-active-active-vpn-gateways-for-both-
azure-and-on-premises-networks
Here you create and set up the Azure VPN gateway in an active-active configuration, and create two local network gateways and two
connections for your two on-premises VPN devices as described above.
upvoted 1 times

  Exilic 1 month, 2 weeks ago

OpenAI

"To achieve high availability, you can create two Azure virtual network gateways (active-standby) and two on-premises local network gateways
(active-active). Each Azure virtual network gateway requires two public IP addresses. Therefore, the minimum number of public IP addresses
required is four.

Minimum number of resources required:

Azure virtual network gateways: 2

Local network gateways: 2
Public IP addresses: 4"
upvoted 1 times

  FreeSwan 1 month, 3 weeks ago

Supporting Info: Every Azure VPN gateway consists of two instances in an active-standby configuration. For any planned maintenance or
unplanned disruption that happens to the active instance, the standby instance would take over (failover) automatically, and resume the S2S VPN
or VNet-to-VNet connections. The switch over will cause a brief interruption. For planned maintenance, the connectivity should be restored within
10 to 15 seconds. For unplanned issues, the connection recovery will be longer, about 1 to 3 minutes in the worst case. For P2S VPN client
connections to the gateway, the P2S connections will be disconnected and the users will need to reconnect from the client machines.

https://learn.microsoft.com/en-us/azure/vpn-gateway/media/vpn-gateway-highlyavailable/multiple-onprem-vpns.png
upvoted 1 times

  FreeSwan 1 month, 3 weeks ago

IMO, 2 local VPN devices connected to one VPN gateway will suffice as per description to recover within 2min.

1. 3 Public IPs (2 for Local Network GW and 1 for VPN GW )

2. 1 Virtual GW
3. 2 local network GW
upvoted 1 times

  Rams_84zO6n 2 months, 2 weeks ago

4,2,2 - The answer is in the 3 bullets of https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-highlyavailable#multiple-on-premises-
vpn-devices
2 GatewayIpAddress, 2 BgpPeerIpAddress = 4 IP address
create one local network gateway for each VPN device - 2 local network gateways
Need 2 Azure VPN gateway - for failover.
upvoted 1 times

  bsaksham 2 months, 2 weeks ago

2 public IP addresses: Two public IP addresses are required for two Azure VPN gateways to be deployed in an active-standby configuration.
2 virtual network gateways: Two virtual network gateways are required to be created in VNet1, with one gateway attached to each of the two VPN
devices in the on-premises data center. Each gateway should be configured with a public IP address and an SKU that supports high availability and
active-standby configuration, such as VpnGw1 or VpnGw2.
2 local network gateways: Two local network gateways are required to be created in Azure, one for each of the two VPN devices in the on-premises
data center. The local network gateways should be configured with the public IP addresses of the VPN devices and their corresponding on-
premises subnets.
With this configuration, if a single instance of an Azure VPN gateway fails or a single on-premises VPN device fails, the other instance/gateway will
take over and ensure continuous VPN connectivity. The maximum downtime in such a scenario would be around 2 minutes.
upvoted 2 times

  [Removed] 3 months, 3 weeks ago

ITTCA) IT TRAINING AND CERTIFICATION AGENCY

NO UFRONT PAYMENT!!

GET CERTIFIED.
100%PASS GUARANTEED.

WhatsApp +1(409)223 7790

1. COMPTIA (network+ security+)

2: GMAT,GRE exams

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 457/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

3: IAPP Certifications
(CIPP/ CIPM, CIPT)

4: ISACA certifications (CISA,CISM/ CRISC)

5: EC-COUNCIL Certification (CEH , CCISO )

6: PMI (PMP/CAPM/ACP/PBA ,RMP)

7: IMA (CMA certification)

8: CIA,IFRS, CERTIFICATIONS

9: ACCA,CFA,ICAEW certifications

10: ISO certification

11 PASS CISSP EXAM

12. CSCP CERTIFICATION

Book for online proctor exam and we’ll remotely take the exam for you. Pay us after confirmation of results
ITTCA.org

WhatsApp +1(409)223 7790

upvoted 2 times
  msingh20 3 months, 3 weeks ago
2 in azure
2 as "The switch over will cause a brief interruption. For planned maintenance, the connectivity should be restored within 10 to 15 seconds. For
unplanned issues, the connection recovery will be longer, about 1 to 3 minutes in the worst case. "
Since, It should not be down longer than 2 minutes we cannot guarantee this with a single gateway. So provisioning two gateways make sense.
2 - two gateways on azure so we need two on prem as well
upvoted 1 times

  skydivex 4 months ago

made a commen a bit early but put wrong answers.... my apologies.
the correct answer is:
4 Public IPs
1 Azure Gateway in active\active mode which creates 2 nodes for redundant VPN setup.
2 Local Gateways for on-premise network.
Please refer to the following link for detailed lab steps:
https://www.cloudcorner.gr/microsoft/azure/create-an-ultra-high-available-on-prem-azure-vpn-connection/
upvoted 1 times

  DeBoer 4 months, 1 week ago

The answer is:
2 PiPs
1 VPN gateway (active/active)
2 Local gateways

It makes sense if you follow the tutorial at https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-activeactive-rm-powershell#part-2--

-establish-an-active-active-cross-premises-connection ...

The Virtual / VPN gateway in active/active mode can have one of the instances fail without any problems - but needs 2 pIPs to work.

To create connections to the 2 onprem devices you need a representation of each in Azure - so 2 local gateways.

Obviously you'll need to get tourintg and/or BGP set up as well, but that's not part of this question.
upvoted 2 times

  dagomo 5 months ago

Hello guys, from my point of view the answer is correct.
4
2
2
On azure side you will need 2 virtual network gateways, 2 local network gateways and 4 public IPs for those 4 resources in Azure side.
2 public IPs from Azure and 2 public IPs from on-premises.
Then you will need 4 Public IPs to configure all the environment on Azure side.
upvoted 1 times

  dagomo 4 months, 2 weeks ago

SORRY GUYS,
should be the following:
- 1 Public Ip
- 1 Virtual Gateway
- 2 Local Gateways
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 458/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  bur4an 6 months ago

read the very end of this Learn article, you cant create more then 1 gateway in vnet. Also check this out for an answer
https://learn.microsoft.com/en-us/training/modules/configure-vpn-gateway/11-determine-high-availability-scenarios

I think its
2, 1, 2
upvoted 2 times

  bur4an 6 months ago

sorry first missing link of Learn article here https://learn.microsoft.com/en-us/training/modules/configure-vpn-gateway/5-create
upvoted 1 times

  GauravRahi 6 months, 2 weeks ago

My answer is
1
1
2
upvoted 1 times

  GauravRahi 6 months, 2 weeks ago

I change my mind : it should be 2/2/2
upvoted 1 times

  klexams 7 months, 2 weeks ago

if it says only for Azure then:
2 PIP as for 2 VPN GW
2 VPN / virtual network GW
2 local network GW
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 459/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #67 Topic 5

You have an Azure subscription that contains two virtual machines as shown in the following table.

You perform a reverse DNS lookup for 10.0.0.4 from VM2.

Which FQDN will be returned?

A. vm1.core.windows.net

B. vm1.azure.com

C. vm1.westeurope.cloudapp.azure.com

D. vm1.internal.cloudapp.net

Correct Answer: B

Community vote distribution

D (100%)

  Moyuihftg Highly Voted  2 years, 1 month ago

Answer D
Tested in lab, and got vm1.internal.cloudapp.net.
upvoted 89 times

  t1ck3ts Highly Voted  2 years ago

Correct Answer: D

testadmin1@VMTEST1:~$ ping -c 5 VMTEST1

PING VMTEST1.qb3monnoaiyubgstehdkra0paa.ax.internal.cloudapp.net (10.0.0.4) 56(84) bytes of data.
64 bytes from vmtest1.internal.cloudapp.net (10.0.0.4): icmp_seq=1 ttl=64 time=0.013 ms
64 bytes from vmtest1.internal.cloudapp.net (10.0.0.4): icmp_seq=2 ttl=64 time=0.042 ms
64 bytes from vmtest1.internal.cloudapp.net (10.0.0.4): icmp_seq=3 ttl=64 time=0.040 ms
64 bytes from vmtest1.internal.cloudapp.net (10.0.0.4): icmp_seq=4 ttl=64 time=0.042 ms
64 bytes from vmtest1.internal.cloudapp.net (10.0.0.4): icmp_seq=5 ttl=64 time=0.044 ms

--- VMTEST1.qb3monnoaiyubgstehdkra0paa.ax.internal.cloudapp.net ping statistics ---

5 packets transmitted, 5 received, 0% packet loss, time 4073ms
rtt min/avg/max/mdev = 0.013/0.036/0.044/0.012 ms
testadmin1@VMTEST1:~$
upvoted 58 times

  Jitu1989 1 year, 6 months ago

Thanks for response. Do you all use PAYG service or is there service provided like AWS for a year.
upvoted 3 times

  beem84 1 year, 6 months ago

Look up Azure pass or you can get a free account with 200USD credit which you can convert to PAYG after 30 days.Free account has some
restrictions but should be fine for labs.
upvoted 4 times

  kennynelcon 1 year, 1 month ago

For me Azure Pass is pretty pricy as it gets used up very fast
upvoted 2 times

  Blippen Most Recent  5 months ago

Selected Answer: D
Answer is D:
https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances#reverse-dns-considerations
upvoted 1 times

  alikhan1234 6 months, 2 weeks ago

Selected Answer: D
D 100% is correct
upvoted 1 times

  Zordrak 7 months, 3 weeks ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 460/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Selected Answer: D
Answer D, can test and prove.
upvoted 3 times

  David1990 9 months ago

Selected Answer: D
d correct
upvoted 1 times

  EmnCours 9 months, 3 weeks ago

Selected Answer: D
Correct Answer: D
upvoted 1 times

  Lazylinux 11 months, 4 weeks ago

Selected Answer: D
internal.cloudapp.net is default DNS suffix for Azure provisioned DNS if no specific DNS is configured in the network
upvoted 7 times

  Lazylinux 1 year ago

Selected Answer: D
D for Sure..
Reverse DNS is supported in all ARM based virtual networks. You can issue reverse DNS queries (PTR queries) to map IP addresses of virtual
machines to FQDNs of virtual machines.

All PTR queries for IP addresses of virtual machines will return FQDNs of form [vmname].internal.cloudapp.net

Forward lookup on FQDNs of form [vmname].internal.cloudapp.net will resolve to IP address assigned to the virtual machine.

If the virtual network is linked to an Azure DNS private zones as a registration virtual network, the reverse DNS queries will return two records. One
record will be of the form [vmname].[privatednszonename] and the other will be of the form [vmname].internal.cloudapp.net
upvoted 10 times

  Pasmo 1 year, 1 month ago

Selected Answer: D
Correct answer is D
upvoted 1 times

  ajayasa 1 year, 3 months ago

this question was there on 16/03/2022 with same question and passed with 900 percent
upvoted 3 times

  azay 1 year, 3 months ago

Selected Answer: D
Correct extension
upvoted 1 times

  Teringzooi 1 year, 3 months ago

Selected Answer: D
Correct Answer: D
internal.cloudapp.net is correct extension.
upvoted 1 times

  JudeSharp 1 year, 4 months ago

Answer should be D
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances#reverse-dns-considerations
All PTR queries for IP addresses of virtual machines will return FQDNs of form [vmname].internal.cloudapp.net
upvoted 1 times

  fumeta 1 year, 4 months ago

tem cenário na prova para testar isso ?
upvoted 1 times

  [Removed] 1 year, 5 months ago

Selected Answer: D
Correct answer D
upvoted 1 times

  shumin_00 1 year, 5 months ago

Selected Answer: D
Answer is D
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 461/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 462/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #68 Topic 5

You discover that connections to App1 from 131.107.100.50 over TCP port 443 fail.
You verify that the Load Balancer rules are configured correctly.
You need to ensure that connections to App1 can be established successfully from 131.107.100.50 over TCP port 443.
Solution: You create an inbound security rule that allows any traffic from the AzureLoadBalancer source and has a cost of 150.
Does this meet the goal?

A. Yes

B. No

Correct Answer: A
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview

Community vote distribution

B (54%) A (46%)

  Bursuc03 Highly Voted  2 years ago

The rule with priority 200 blocks all inbound trafic. That involves the Azure Load Balancer health probe directed to the VM. That results in VM2
being considered unhealthy and the LB does not route traffic to it (hence the issue). By placing a rule with the priority 150 that allows the
AzureLoadBalancer traffic tag, VM2 is discovered as functional/healthy, the LB directs traffic to it => problem solved.
upvoted 134 times

  rupayan87 6 months, 3 weeks ago

agree, the NSG is attached to subnet as can be seen in exhibit, hence either of the VMs are unhealthy for the LB due to rule 200.
upvoted 3 times

  nzalex1 1 year, 7 months ago

Thanks, true. The issue here is deeper than it looks and the issue is broken health probes by rule 200, you are right
upvoted 4 times

  suryamk 1 year ago

rule with priority 200 is only blocking 442 inbound connection and not all the traffic.
upvoted 4 times

  Durden871 3 months ago

Health probes can be port 80 or 443. I'm not overly experienced in this field (hence why I'm using this after using labs and courses), but my
presumption here is that we're making the assumption the probe is using port 443. 443 is allowed from the public IP of the client, but it's not
going to be the IP of the load balancer. The load balancer will show up as unhealthy and fail if it can't communicate.
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 463/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 2 times
  JayBee65 1 year, 11 months ago
Very good, the first answer that explains the correct reason for the failure
upvoted 8 times

  biglebowski 1 year, 11 months ago

The question is about connections "from 131.107.100.50". Why do you try to fix it by adding LB traffic? We don't know the IP of LB. Let's
focus on 131.107.100.50 only.
upvoted 4 times

  rawrkadia 1 year, 11 months ago

The load balancer is the reason the traffic is being blocked. Read the OP this chain replies to it explains it about as simply and clearly as
possible.
upvoted 3 times

  GabeCanada 1 year, 11 months ago

The answer is correct. 1- The fact the VM2 is offline does not mean anything, question states App1 is hosted on VM1 too so we can't
assume both are offline (that's the exact reason a LB is deployed in the first place so you can shut down one VM and keep services
running). 2- The question is displaying the NSG (required if using LB) so we can verify the rules, it will show up the same way if looked
from VM1 so offline VM is irrelevant. 3- Rule 1 allows 443 from an specific IP, rule 2 deny all including LB 4- its suggested by the
question a new rule that will allow LB traffic on 443 as well, before the deny which makes the answer correct. This could be done by
moving rule 2 down just below the LB allow any rule.
upvoted 10 times

  garmatey 1 month, 2 weeks ago

"Rule 1 allows 443 from an specific IP"

Yea, and that specific IP is failing to connect to App1, even though the highest priority rule is supposed to be specifically allowing it.
So it seems like the issue is with something else besides the rules since the highest priority rule is specifically allowing a connection
that is failing.

What am I missing?
upvoted 2 times

  darsy2001 Highly Voted  2 years ago

the "attach network interface" button is available. I have tested this in lab and this button only appears clikable when the vm is stopped. Should this
be the problem in the whole series of questions?
upvoted 31 times

  ukivanlamlpi 4 months ago

i don't think a VM can create without network interface
upvoted 1 times

  mbravo 2 years ago

"The effective network security configurations for VM2 are shown" - this doesn't mean that the NSG is attached to the VM. From the show
exhibit, it is clear that this NSG is attached to a subnet which renders your comment obsolete.
upvoted 2 times

  orion1024 1 year, 8 months ago

why ? if VM is off no traffic is ever going to get there.
upvoted 3 times

  boyzz 1 year, 1 month ago

doesn't mean that the "other" VM (VM1) also has the same attach network interface option enabled as it is off.. the screenshot clearly
shows only VM2 and not VM1 and we definitely cannot afford to think VM1 is off too. So the AzLB rule in NSG takes precedence
upvoted 1 times

  s9p3r7 1 year, 12 months ago

how so?! if the VM is powered off that mean the whole NSG rules stuff is misleading, the admin should start the VM before even begin to
start NSG rules evaluation
upvoted 7 times

  pri32 Most Recent  2 weeks, 5 days ago

Selected Answer: B
Don't able to find any concept of setting up the cost to set the priority. If the statement is re[laced with the priority of 150 then it can be yes but in
current scenario it is no.
upvoted 1 times

  lulek 2 weeks, 6 days ago

fact1: Traffic arrives to VMs from LB with LB IP address (not the end client ip) (not 131.107.100.50)
fact2: LB lives in it's own subnet, so in order to communicate with any VM it has to cross subnets => the NSG rules kick in:
The first rule is always skipped as the source is never: 131.107.100.50, but IP of LB
The second rule kicks in and denies the access.
So, if we add the suggested rule in between it will work => traffic from LB IP will be allowed on 443
Answer: A
The VM2 might be actually stopped. The connection should work anyway, because VM1 might be UP (we don't know the actual state of it, so
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 464/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

assuming that both VMs are down is an unjustified assumption)

The bottom line is that the existing rules block traffic for LB IP.
upvoted 1 times
  Eugene77 1 month ago
Very tricky question that cannot have correct answer at all. With knowing nothing about LB, another VMs, subnets and all NSG used in this
configuration nobody can ensure that required connection will work.
upvoted 1 times

  Goofer 2 months, 2 weeks ago

Selected Answer: B
Answer is no
'Allows any traffic FROM the AzureLoadBalancer'. Wrong way.
You need traffic TO the loadbalancer
BlockAlltOher443 blocks traffic to the loadbalancer
upvoted 1 times

  djgodzilla 2 months, 2 weeks ago

Selected Answer: B
Guys, wake up . The network interface is detached (see top left options of the page).
this is why the VM isn't reachable
upvoted 5 times

  monroesteffie 1 month, 1 week ago

what is the correct ans yes or no
upvoted 1 times

  bsaksham 2 months, 2 weeks ago

So NO!!
upvoted 1 times

  cillo2000 3 months ago

It has to be B: "You verify that the Load Balancer rules are configured correctly." Why would you need another rule if the rules are verified as
correct?
Anyway:

Adding the rule of priority of 150 just removes the effectiveness of the "BlockAllOther443" rule.

There is some other issue causing the problem - maybe the "attach network interface" option being available, as mentioned by others.
upvoted 1 times

  ukivanlamlpi 4 months ago

I don't think VM can create without network interface (but i can explain why add network interface button is enable), the VM2 is associated to
VM2-NIC1. i also don't think the NIC public IP can be blank. another problem is the NSG link to another network interface subnet11. all above can't
re-produce, the only thing to look at is the inbound port rules, but it is nothing wrong. such a question, i always rate 'B'
upvoted 1 times

  ukivanlamlpi 4 months ago

I don't think VM can create without network interface (but i can't explain why add network interface button is enable), the VM2 is associated to
VM2-NIC1. i also don't think the NIC public IP can be blank. another problem is the NSG link to another network interface subnet11. all above
can't re-produce, the only thing to look at is the inbound port rules, but it is nothing wrong. such a question, i always rate 'B'
upvoted 1 times

  zellck 4 months ago

Selected Answer: A
A is the answer.

https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-custom-probe-overview#design-guidance
For Load Balancer's health probe to mark up your instance, you must allow this IP address in any Azure network security groups and local firewall
policies. By default, every network security group includes the service tag AzureLoadBalancer to permit health probe traffic.
upvoted 1 times

  GBAU 4 months ago

Selected Answer: B
Answer A (Yes)

When an Azure Load Balancer get created, it will probe backend to detect if the backend service is healthy or not, the probe packet is sent from
source address "AzureLoadBalancer", the IP address of "AzureLoadBalancer" is always 168.63.129.16.
https://msazure.club/addendum-of-azure-load-balancer-and-nsg-rules/

What is happening here is the LB Health Probe of TCP 443 to VM1 & VM2 are getting blocked by Rule 200 so it thinks both VM1 and VM2 are
down. Hence App1 is failing as the LB won't direct any 443 traffic anywhere as it considers all Hosts are down.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 465/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

This proposed solution is really the same as moving the existing rule 65001 up to 150, so the Health Probe will start working again, it will find a
health host and start to direct 443 traffic from 131.107.100.50 to it.
App1 is alive!
upvoted 3 times

  herodes 3 months, 3 weeks ago

Answer is Yes and then selected B, wtf
upvoted 6 times

  MeysamBayani 4 months, 1 week ago

I am 100% sure answer is No, if you check the picture you will see you can attach network interface (NIC) it is mean that VM2's status is stop
upvoted 2 times

  GBAU 4 months ago

But there is also VM1 so VM2 being down means nothing towards the answer.
upvoted 2 times

  dimsok 4 months, 4 weeks ago

Selected Answer: B
The rule is there and it is correct. Something else is wrong (e.g. VM stopped?)
upvoted 5 times

  shadad 5 months ago

The network security configurations for VM2 was showing, the rules are correct, but the "Attach network interface" is enabled = mean the VM is
off. if its not off then the public IP will be shown. no matter what rule you create it will not help since the VM is off.

beside what is this cost of 150? there is no such thing called cost. priority yes but cost no.

Answer is B . NO
upvoted 3 times

  Bigc0ck 5 months, 1 week ago

Here 01/05/23 present on test
upvoted 6 times

  Abhi3956 5 months, 2 weeks ago

This question has multiple answers
Solution: You create an inbound security rule that denies all traffic from the 131.107.100.50 source and has a priority of 64999
Answer: NO

Solution: You create an inbound security rule that allows any traffic from the AzureLoadBalancer source and has a cost of 150.
Answer: Yes

Solution: You create an inbound security rule that denies all traffic from the 131.107.100.50 source and has a cost of 64999.
Answer: No

Solution: You delete the BlockAllOther443 inbound security rule.

Answer: No

Solution: You modify the priority of the Allow_131.107.100.50 inbound security rule.
Answer: No
upvoted 8 times

  ericZX 1 month, 2 weeks ago

Solution: You delete the BlockAllOther443 inbound security rule.
Answer: Yes ??
Because deleting rule BlockAllOther443, would cause default rule 65001 to allow the traffic from the load balancer reach VM1/VM2
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 466/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #69 Topic 5

You have an Azure subscription that contains a policy-based virtual network gateway named GW1 and a virtual network named VNet1.
You need to ensure that you can configure a point-to-site connection from an on-premises computer to VNet1.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

A. Add a service endpoint to VNet1

B. Reset GW1

C. Create a route-based virtual network gateway

D. Add a connection to GW1

E. Delete GW1

F. Add a public IP address space to VNet1

Correct Answer: CE
C: A VPN gateway is used when creating a VPN connection to your on-premises network.
Route-based VPN devices use any-to-any (wildcard) traffic selectors, and let routing/forwarding tables direct traffic to different IPsec tunnels. It
is typically built on router platforms where each IPsec tunnel is modeled as a network interface or VTI (virtual tunnel interface).
E: Policy-based VPN devices use the combinations of prefixes from both networks to define how traffic is encrypted/decrypted through IPsec
tunnels. It is typically built on firewall devices that perform packet filtering. IPsec tunnel encryption and decryption are added to the packet
filtering and processing engine.
Incorrect Answers:
F: Point-to-Site connections do not require a VPN device or a public-facing IP address.
Reference:
https://docs.microsoft.com/en-us/azure/vpn-gateway/create-routebased-vpn-gateway-portal https://docs.microsoft.com/en-us/azure/vpn-
gateway/vpn-gateway-connect-multiple-policybased-rm-ps

Community vote distribution

CE (88%) 8%

  MikeHugeNerd Highly Voted  2 years, 10 months ago

Answer in proper order: E, C
upvoted 46 times

  mlantonis Highly Voted  2 years ago

Correct Answer: C and E
upvoted 42 times

  lulzsec2019 3 months, 1 week ago

First time seeing your answer very short without explanation :(.
upvoted 4 times

  Teringzooi 1 year, 3 months ago

Which order? E and C?
upvoted 1 times

  cloudbaron Most Recent  1 week, 1 day ago

Selected Answer: CD
Policy-based virtual network gateways are typically used with certain firewall devices and support a specific type of VPN configuration. They do not
support point-to-site connections.

Wouldnt we need a point-to-site connection from an on-premises computer to VNet1, and so we will need to use a route-based virtual network
gateway instead.

So C and D
upvoted 1 times

  Exilic 1 month, 2 weeks ago

Selected Answer: CD
OpenAI

"To configure a point-to-site connection from an on-premises computer to VNet1, you need to perform the following two actions:
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 467/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

D. Add a connection to GW1: You need to add a point-to-site connection to GW1. This will allow the on-premises computer to connect to VNet1
via GW1.

C. Create a route-based virtual network gateway: You need to create a route-based virtual network gateway to ensure that the point-to-site
connection can be established from the on-premises computer to VNet1.

Therefore, the correct answers are D and C.

The other options are not required for setting up a point-to-site connection from an on-premises computer to VNet1.

A. Adding a service endpoint to VNet1 is used for enabling the traffic from the subnet to use the service provided by Azure services privately.

B. Resetting GW1 is not required for this task.

E. Deleting GW1 would remove the virtual network gateway, which is not required.

F. Adding a public IP address space to VNet1 would not be required for a point-to-site connection."
upvoted 1 times
  FreeSwan 1 month, 3 weeks ago
CE

--VPN types--
When you create the virtual network gateway for a VPN gateway configuration, you must specify a VPN type. The VPN type that you choose
depends on the connection topology that you want to create. For example, a P2S connection requires a RouteBased VPN type.
upvoted 3 times

  P123123 5 months ago

"you would use VPN type RouteBased because P2S requires a RouteBased VPN type."

https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#vpntype
upvoted 4 times

  klexams 7 months, 2 weeks ago

Selected Answer: CE
E then C. point to site is only supported by route-based vpn gateway.
upvoted 5 times

  klexams 7 months, 2 weeks ago

Policy-based VPN: (IKEv1): 1 S2S/connection tunnel; no P2S
https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings
upvoted 1 times

  EmnCours 9 months, 1 week ago

Selected Answer: CE
or establishing point-to-
site
connectivity,
you need a route-based
VPN type
upvoted 3 times

  EmnCours 9 months, 1 week ago

For establishing point-to-site connectivity, you need a route-based VPN type
upvoted 2 times

  libran 9 months, 1 week ago

Selected Answer: C
Correct Answer: C and E
upvoted 1 times

  minix 11 months, 3 weeks ago

came in today's exam 25/6/2022
upvoted 5 times

  Lazylinux 11 months, 4 weeks ago

Selected Answer: CE
Yep Delete Existing GW and create New route-based GW

When you create the virtual network gateway for a VPN gateway configuration, you must specify a VPN type. The VPN type that you choose
depends on the connection topology that you want to create. For example, a P2S connection requires a RouteBased VPN type. A VPN type can also
depend on the hardware that you're using. S2S configurations require a VPN device. Some VPN devices only support a certain VPN type

PolicyBased VPNs can only be used on the Basic gateway SKU. This VPN type is not compatible with other gateway SKUs.
upvoted 10 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 468/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  Lazylinux 11 months, 4 weeks ago

You can have only 1 tunnel when using a PolicyBased VPN.

You can only use PolicyBased VPNs for S2S connections, and only for certain configurations. Most VPN Gateway configurations require a
RouteBased VPN.

RouteBased: RouteBased VPNs were previously called dynamic routing gateways in the classic deployment model. RouteBased VPNs use
"routes" in the IP forwarding or routing table to direct packets into their corresponding tunnel interfaces. The tunnel interfaces then encrypt or
decrypt the packets in and out of the tunnels. The policy (or traffic selector) for RouteBased VPNs are configured as any-to-any (or wild cards).
The value for a RouteBased VPN type is RouteBased.
upvoted 3 times

  Lazylinux 1 year ago

Selected Answer: CE
C and E is correct
upvoted 2 times

  Pasmo 1 year, 1 month ago

Selected Answer: CE
Correct Answer is C,E
C. Create a route-based virtual network gateway
E - Delete GW (policy based)
upvoted 2 times

  Dobby25 1 year, 2 months ago

Received this on my exam today 19/03/2022
upvoted 1 times

  areza 1 year, 5 months ago

passed 902. this question in exam 29.12.21
upvoted 5 times

  Eltooth 1 year, 6 months ago

Answer C + E.
Policy based VPN Gateway do not support P2S connections.
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-skus-legacy#config
upvoted 11 times

  diotmac 1 year, 8 months ago

Answer is C and E. "You can only use PolicyBased VPNs for S2S connections, and only for certain configurations. Most VPN Gateway configurations
require a RouteBased VPN." https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings
upvoted 7 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 469/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #70 Topic 5

HOTSPOT -
You have an Azure subscription that contains the resources in the following table:

In Azure, you create a private DNS zone named adatum.com. You set the registration virtual network to VNet2. The adatum.com zone is configured
as shown in the following exhibit:

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 470/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Correct Answer:

Box 1: No -
Azure DNS provides automatic registration of virtual machines from a single virtual network that's linked to a private zone as a registration
virtual network. VM5 does not belong to the registration virtual network though.

Box 2: No -
Forward DNS resolution is supported across virtual networks that are linked to the private zone as resolution virtual networks. VM5 does belong
to a resolution virtual network.

Box 3: Yes -
VM6 belongs to registration virtual network, and an A (Host) record exists for VM9 in the DNS zone.
By default, registration virtual networks also act as resolution virtual networks, in the sense that DNS resolution against the zone works from
any of the virtual machines within the registration virtual network.
Reference:
https://docs.microsoft.com/en-us/azure/dns/private-dns-overview

  mlantonis Highly Voted  2 years ago

Correct Answer:

VNet1 (NOT A Registration Netvork) : VM5

VNet2 (IS A Registration Netvork) : VM1, VM6 and VM9

So here we go:

1. VM5 is in VNet1 - answer is NO.

2. VM5 is in VNet1 - answer is NO.
3. VM6 is in VNet2 - answer is YES.
upvoted 104 times

  Borbz Highly Voted  2 years, 6 months ago

I think the Answer is correct.
NO, NO, YES.
the second answer is NO because VM5 belongs to Vnet1 and the DNS is registered to Vnet2 therefore VM5 cannot reach the DNS service.
upvoted 89 times

  Holydud 9 months, 4 weeks ago

Was on exam 19 Aug 2022. Scored 870. Around 85% questions were also on ET. Answered:

NNY
upvoted 11 times

  Skankhunt 2 years, 5 months ago

Agreed, there is no mention of Vnet peering, thus we can assume the two Vnet's is not connected.
upvoted 14 times

  vbohr899 Most Recent  3 months, 2 weeks ago

Cleared Exam today 26 Feb, This question was there in exam.
upvoted 5 times

  klexams 7 months, 2 weeks ago

N coz vm5 = vnet1
N coz vm5 = vnet1
Y coz vm6 = vnet2 which is linked to the private dns zone.
upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 471/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  tahirMScert 8 months, 2 weeks ago

this was on exam 03oct2022 , I scored 870 and answered as Examtopics answer
upvoted 5 times

  EmnCours 9 months, 2 weeks ago

Box 1: No -
Azure DNS provides automatic registration of virtual machines from a single virtual network that's linked to a private zone as a registration virtual
network. VM5 does not belong to the registration virtual network though.

Box 2: No -
Forward DNS resolution is supported across virtual networks that are linked to the private zone as resolution virtual networks. VM5 does belong to
a resolution virtual network.

Box 3: Yes -
VM6 belongs to registration virtual network, and an A (Host) record exists for VM9 in the DNS zone.
By default, registration virtual networks also act as resolution virtual networks, in the sense that DNS resolution against the zone works from any of
the virtual machines within the registration virtual network.
Reference:
https://docs.microsoft.com/en-us/azure/dns/private-dns-overview
upvoted 4 times

  Lazylinux 11 months, 4 weeks ago

NO NO YES
VM5 is on VNET1 which is not associated with private DNS, where is VM6 is in VNET2 which is linked to private DNS and hence can resolve
upvoted 3 times

  Teringzooi 1 year, 3 months ago

1. VM5 is in VNet1 - answer is NO.
2. VM5 is in VNet1 - answer is NO.
3. VM6 is in VNet2 - answer is YES.

VNet1 (NOT A Registration Netvork) : VM5

VNet2 (IS A Registration Netvork) : VM1, VM6 and VM9
upvoted 1 times

  spoondev1 1 year, 7 months ago

Is this not a AZ303 question?
upvoted 3 times

  AKAKAKAK 1 year, 7 months ago

In my opinion Answer is:
NO: Since no mention that the private DNS zone is connected to VNET1. Thus VM5 will not be registered automatically in the adatum.com zone.
NO: Same rationale. Since it's not mentioned the VNET1 is linked to private zone, hence VM5 will not be able to ressolve VM9.adatum.com
YES: Since VM6 is part of VNET2 and VNET has auto-registeration of DNS enabled on this zone which means VNET2 is linked to this private Zone,
hence it can ressolve all the records populated in this zone.
upvoted 3 times

  ScoutP 1 year, 8 months ago

This question was asked on exam taken on Sept 30, 2021
upvoted 4 times

  CARIOCA 2 years ago

This question is very divided in the feedback, after all what would be the answer and which justified it?

After a debate of 14 comments, is the final answer to the question the same or not?

My humble suggestion for the Exam Topics would be to have an official moderator who, depending on the debate on the issues, should be
responsible for changing the submitted template.

I think the debate is healthy, but a better organization is needed following an established pattern because in some issues they get very confused
and generate more doubts than clarifications.
upvoted 5 times

  ScreamingHand 1 year, 11 months ago

Why don't you appoint yourself as official moderator?
upvoted 7 times

  Veronika1989 2 years ago

I think No, No, No
1. VM5 is in Vnet1
2. VM2 is in Vnet1
3. V9 record already exists
upvoted 1 times

  JayBee65 2 years ago

So why does that make 3 No? Please explain your logic
upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 472/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  RhinoMan 11 months, 1 week ago

The question is whether it can resolve it or not. Its registered and with the same suffix and the source vnet for vm5 is registered with the zone so
it will be able to resolve it hence the answer is Y
upvoted 1 times

  ZUMY 2 years, 3 months ago

NO,NO,YES
Answers are correct: To resolve the records of a private DNS zone from your virtual network, you must link the virtual network with the zone. Linked
virtual networks have full access and can resolve all DNS records published in the private zone. VNet1 is not linked to the Private DNS, so cannot
resolve
upvoted 9 times

  johanc68 1 year, 11 months ago

How do you know that VNET1 is not linked as a resolution virtual network only? It's not stated in the question I believe.
upvoted 1 times

  ddb116 2 years, 2 months ago

ZUMY is correct have a look at this link below
https://docs.microsoft.com/en-us/azure/dns/private-dns-getstarted-portal
upvoted 2 times

  toniiv 2 years, 3 months ago

Answers are correct: To resolve the records of a private DNS zone from your virtual network, you must link the virtual network with the zone. Linked
virtual networks have full access and can resolve all DNS records published in the private zone. VNet1 is not linked to the Private DNS, so cannot
resolve
upvoted 2 times

  mikl 2 years, 4 months ago

This seems pretty simple.
How I see it.

VNet1 (NOT A - Registration Netvork) : VM5

VNet2 (IS A - Registration Netvork) : VM1, VM6 and VM9

So here we go:

1. VM5 is in VNet1 - answer is NO.

2. VM5 is in VNet1 - answer is NO.
3. VM6 is in VNet2 - answer is YES.
upvoted 25 times

  mhmyz 2 years, 4 months ago

No,Yes,Yes
Hostname resolution between virtual networks. Unlike Azure-provided host names, private DNS zones can be shared between virtual networks. This
capability simplifies cross-network and service-discovery scenarios, such as virtual network peering.
https://docs.microsoft.com/en-us/azure/dns/private-dns-overview
upvoted 1 times

  leaderbud 2 years, 4 months ago

For the second answer, VM5 does not connect to the VNET2 where the DNS is registered. As per your link: 'To resolve the records of a private
DNS zone from your virtual network, you must link the virtual network with the zone.' So, you must have a connection to the Private DNS Zone
still to resolve hostname. The line you highlighted just mentioned that it is possible to share a Private DNS zone among VNETs so in case of
VNET peering (which is NOT the case here), you can use that Private DNS Zone for resolution with VNETs being peered (but at least one
connected to the Private DNS Zone). Again, here no VNET peering.
upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 473/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #71 Topic 5

HOTSPOT -
You have an Azure subscription that contains the virtual networks shown in the following table.

The subscription contains the private DNS zones shown in the following table.

You add virtual network links to the private DNS zones as shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

Reference:
https://docs.microsoft.com/en-us/azure/dns/private-dns-virtual-network-links https://docs.microsoft.com/en-us/azure/dns/private-dns-
autoregistration

  az_21 Highly Voted  1 year, 11 months ago

https://docs.microsoft.com/en-us/azure/dns/private-dns-virtual-network-links

A virtual network can be linked to private DNS zone as a registration or as a resolution virtual network.

Registration virtual network:

A private DNS zone can have multiple registration virtual networks. However, every virtual network can only have one registration zone associated
with it.

Resolution virtual network:

One private DNS zone can have multiple resolution virtual networks and a virtual network can have multiple resolution zones associated to it.

1. Yes
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 474/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

No registration zone for VNET2.

2. Yes
A virtual network can have multiple resolution zones associated to it.

3.Yes
No registration zone for VNET2.
upvoted 121 times

  Netspud 1 year, 4 months ago

Sorry I don't agree.
ref: https://docs.microsoft.com/en-us/azure/dns/private-dns-autoregistration
1. Yes - "When you link a virtual network with a private DNS zone with this setting enabled", suggested is needs to be done when created, but
you could recreate the link to do it.
2. No - "A specific virtual network can be linked to only one private DNS zone when automatic VM DNS registration is enabled", so if auto VM
enabled only one zone.
3. No - as above, only one zone with Auto VM, although technically you could delete the other link and it would then work, but that seems out
the scope of the question.
Again another somewhat poorly written question. But I would say Yes, No, No.
upvoted 26 times

  ConanBarb 3 months, 2 weeks ago

Please test and verify before you make certain claims.
In my understanding verified by tests:
Y-Y-Y

"You can enable auto registration for Link2": Yes

This setting can be changed on an already existing link (provided that the change doesn't yield two VNET links with both auto registration on
them, that will fail).

"You can add a virtual network link for VNET1 to Zone3.com": Yes
One private DNS zone can have multiple resolution virtual networks and a virtual network can have multiple resolution zones associated to it.
https://learn.microsoft.com/en-us/azure/dns/private-dns-virtual-network-links

"You can add a virtual network link for VNET2 to Zone1.com and enable auto registration": Yes
The current link(s) for VNET2 does not have auto registration, so a new link with auto. reg. can be added.
upvoted 4 times

  JimmyYop 4 months, 1 week ago

Tested in Lab, above answer is correct YES YES YES
upvoted 3 times

  piotrekpal 1 year ago

About second and third question not agree with you because "However, every virtual network can only have one registration zone
associated with it." So it could have many zones but only one with registration enabled.
upvoted 4 times

  piotrekpal 1 year ago

https://docs.microsoft.com/en-us/azure/dns/private-dns-virtual-network-links
upvoted 2 times

  GenjamBhai 11 months, 3 weeks ago

Yes - zone can only have one reg network (auto-reg enabled), currently none

Yes - zone can have 1 reg network and multiple resolution networks (auto-reg not enabled)

No - Zone1 already has a reg nw (vnet1)

upvoted 8 times

  Hyrydar 7 months, 2 weeks ago

OK this is the rule...a private dns zone can have multiple vnets linked to it...BUT, a vnet can be linked to only ONE private zone.
Answer Y N N.
upvoted 2 times

  moshos 4 months, 3 weeks ago

https://learn.microsoft.com/en-us/azure/dns/private-dns-virtual-network-links
"A private DNS zone can have multiple registration virtual networks. However, every virtual network can only have one registration zone
associated with it."
"One private DNS zone can have multiple resolution virtual networks and a virtual network can have multiple resolution zones associated to it."
upvoted 3 times

  SumanSaurabh 6 months ago

Does location between zone and link doesn't matter here ?
upvoted 2 times

  nkhan19 11 months ago

Number of private DNS zones a virtual network can get linked to with auto-registration enabled = 1
upvoted 1 times
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 475/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  mashk19 Highly Voted  2 years ago

1. Yes

2. Yes. You can link VNET1 to Zone3.com A private DNS zone can have multiple registration virtual networks. However, every virtual network can
only have one registration zone associated with it.

3. No. Auto registration is already enabled on Zone 1. When you add a link from VNET2 to Zone
upvoted 61 times

  dc2k79 7 months, 3 weeks ago

Auto Registration is a Zone-to-VNet mapping. If one VNet is auto-registered with a Private Zone, that does not mean another VNet cannot be
Auto-Registered with it.

A private DNS zone can have multiple registration virtual networks. However, every virtual network can only have one registration zone
associated with it.

https://learn.microsoft.com/en-us/azure/dns/private-dns-virtual-network-links
upvoted 3 times

  ppp131176 1 year, 11 months ago

For 2. are you sure? shouldn't this be no? Wouldn't zone3 be the second registration zone?
upvoted 8 times

  JayBee65 1 year, 11 months ago

No, because zone 3 does not have autoregistration enabled, so this would be a resolution zone not a registration zone
upvoted 4 times

  zvasanth2 1 year, 9 months ago

The 3rd question must be yes. after adding the 3rd question to the existing list looks below:
Link1 - Zone1 - VNET1 - Yes
Link2 - Zone2 - VNET2 - No
Link3 - Zone3 - VNET3 - No
Link4 - Zone1 - VNET2 - Yes

This is the definition for "Registration virtual network"

point 1- A private DNS zone can have multiple registration virtual networks.
point 2- However, every virtual network can only have one registration zone associated with it.

Link1 and Link4 satisfies the point1 and point2

point1 - Zone is having multiple registration virtual networks like VNET1, VNET2
point2 - VNET2 is not associated with any other zone registered.
Link2 has VNET2 but that is a resolution not a registration

So answer must be Y Y Y
upvoted 12 times

  J4U 1 year, 9 months ago

3. Yes. Going by (2), a zone can have multiple registrations while a VNET can have only one. So VNET2 can register to Zone 1.
upvoted 6 times

  ostych 1 year, 2 months ago

Correct, tested in the LAB.
Y
Y
N - Error in azure: Failed to create virtual network link 'link5'. Error: A virtual network can only be linked to 1 Private DNS zone(s) with auto-
registration enabled; conflicting Private DNS zone is ...
upvoted 11 times

  ostych 1 year, 2 months ago

Update:
Y
Y
Y
There was leftover of wrong config in third one.
upvoted 9 times

  lancegong 11 months, 1 week ago

Yes. I am agree with you. Tested and the correct answer should be YYY. It is true that if vnet2 has auto-registration enabled in zone2, you
won't be able to enable auto-registration for vnet2 to add another zone. But the Box 1 simply asks you if you can enable auto-registration
or not which doesn't mean vnet2 has auto-registration enabled when you answer the Box 3.
upvoted 2 times

  Zonci Most Recent  3 weeks, 3 days ago

Y Y N is the correct answer guys
upvoted 3 times

  SimoneP 3 weeks, 4 days ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 476/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

https://learn.microsoft.com/en-us/azure/dns/private-dns-autoregistration
A specific virtual network can be linked to only one private DNS zone when automatic VM DNS registration is enabled. You can, however, link
multiple virtual networks to a single DNS zone.
upvoted 1 times

  ericZX 1 month, 2 weeks ago

Number of private DNS zones a virtual network can get linked to with auto-registration enabled=1
Number of private DNS zones a virtual network can get linked=1000
https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/azure-subscription-service-limits#azure-dns-limits
upvoted 1 times

  Sumit_Kumar 1 month, 2 weeks ago

https://dev.to/kaiwalter/using-azure-private-links-and-private-dns-zones-with-globally-distributed-resources-4ce3
upvoted 1 times

  FreeSwan 1 month, 3 weeks ago

auto registration could be enabled even after private DNS zone created.
1. Yes
2. No (since another zone)
3. No (since another zone)
upvoted 1 times

  mfalkjunk 2 months, 1 week ago

Yes
Yes
No

https://www.youtube.com/watch?v=Hiohn35DIqA
Great explanation of Azure DNS, zones, registrations and links.
upvoted 1 times

  Doman01 2 months, 2 weeks ago

I think it should be YNN

2. ADD network link VNET1-Zone3

Vnet1 is linked to Zone1 with autoregistration and MS says:

"A specific virtual network can be linked to only one private DNS zone when automatic VM DNS registration is enabled. You can, however, link
multiple virtual networks to a single DNS zone."

3. add link VNET2-Zone1 and auto registration

VNET2 has link to Zone2 without autoregistration
Zone1 has autoregistration enabled

As pasted above, vnet can be connected to only one private dns zone when auto registration is connected so we technically can do it BUT we
would have to delete link VNET2-Zone2 to be able to do that
upvoted 1 times

  Doman01 2 months, 2 weeks ago

I made Typo

1. is NO - you cannot enable auto registration when link is already created, we would have to delete and recreate the link
upvoted 1 times

  Rams_84zO6n 2 months, 2 weeks ago

- Yes - In the case you are converting VNET2 to a registration VNET with zone2.com
- Yes - In this case you are creating VNET1 as a resolution VNET with zone zone3.com
- Yes - In this case, you are creating VNET2 as registration VNET with zone zone1.com
upvoted 2 times

  sjb666 2 months, 3 weeks ago

To settle any argument I just lab'd this:
Y
Y
N
The Auto registration gives the following error:
Failed to create virtual network link 'Link5'. Error: A virtual network can only be linked to 1 Private DNS zone(s) with auto-registration enabled;
conflicting Private DNS zone is 'defaultresourcegroup-eus/providers/microsoft.network/privatednszones/zone2.com'>zone2.com'.
upvoted 1 times

  lkjsatlwjwwge 4 months ago

Correct answer:
1. Yes
2. Yes
3. Yes
4. 42
5. Black please, thank you
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 477/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  MeysamBayani 4 months, 1 week ago

Y: test in lab
N: A virtual network can only be linked to 1 Private DNS zone(s) with auto-registration enable
N: different Location
upvoted 2 times

  kamlau 4 months, 3 weeks ago

https://learn.microsoft.com/zh-tw/azure/azure-resource-manager/management/azure-subscription-service-limits#azure-dns-limits

It should be YYN

The limit of Number of private DNS zones a virtual network can get linked to with auto-registration enabled is 1. Box 3 should be N as Zone1.com
is linked to VNet1 with auto-registration enabled.
upvoted 2 times

  LauLauLauw 4 months, 3 weeks ago

answer should be YNN

Yes - you can enable auto registration as long as VNET2 is the only zone connected to Link2
No - VNET1 already has auto registration enabled on Link1 and therefore cant have a second zone linked.
No - same reason as above, if the question was only to add VNET3 to zone1 it would have been possible but not able to enable auto registration.
upvoted 2 times

  Mo22 4 months, 3 weeks ago

Y;Y;N
A specific virtual network can be linked to multiple private DNS zones when automatic VM DNS registration is enabled.
upvoted 1 times

  spike15_mk 6 months, 1 week ago

VNET1 is registered to Zone1.com and it can be considered as registered Virtual Network
VNET2 is not registered to Zone2.com and it can be considered as resolution Virtual Network
VNET3 is not registered to Zone3.com and it can be considered as resolution Virtual Network

YES we can change the status of Enable Auto Registration tested

YES VNET1 can be considered as Resolution Virtual Network in Zore3.com
YES VNET2 is note registered to Zone2.com we can add link for VNET2 to Zone1.com and to registered VNET2.
upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 478/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #72 Topic 5

HOTSPOT -
You have an Azure subscription.
You plan to use an Azure Resource Manager template to deploy a virtual network named VNET1 that will use Azure Bastion.
How should you complete the template? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 479/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Correct Answer:

Reference:
https://medium.com/charot/deploy-azure-bastion-preview-using-an-arm-template-15e3010767d6

  dookiecloud Highly Voted  2 years ago

answer is correct
+ Subnet Name AzureBastionSubnet
AzureBastionSubnet addresses A subnet within your VNet address space with a /27 subnet mask. For example, 10.1.1.0/27.

https://docs.microsoft.com/en-us/azure/bastion/quickstart-host-portal
upvoted 45 times

  rigonet Highly Voted  1 year, 7 months ago

This question is outdated.
At this very moment you can read at documentation:
+ Subnet Name | AzureBastionSubnet
AzureBastionSubnet addresses | A subnet within your VNet address space with a subnet mask /26 or larger.
For example, 10.1.1.0/26.
upvoted 32 times

  [Removed] 1 year, 5 months ago

Correct. Have just gone to create a new Bastion resource in my lab. This info message is given:
To associate a virtual network with a Bastion, it must contain a subnet with name AzureBastionSubnet and a prefix of at least /26.

Also see documentation here:

https://docs.microsoft.com/en-gb/azure/bastion/quickstart-host-portal

For Azure Bastion resources deployed on or after November 2, 2021, the minimum AzureBastionSubnet size is /26 or larger (/25, /24, etc.). All
Azure Bastion resources deployed in subnets of size /27 prior to this date are unaffected by this change and will continue to work, but we highly
recommend increasing the size of any existing AzureBastionSubnet to /26 in case you choose to take advantage of host scaling in the future.
upvoted 19 times

  kennynelcon 1 year, 1 month ago

Thank you
upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 480/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  shadad Most Recent  3 months, 1 week ago

I took Exam of Azure- 104 at 27/2/2023
I score 920 points out of 1000 points. This was on it and my answer was:

1. AzureBastionSubnet
2. 10.10.10.0/27
upvoted 8 times

  zellck 4 months ago

1. AzureBastionSubnet
2. 10.10.10.0/27

https://learn.microsoft.com/en-us/azure/bastion/configuration-settings#subnet
Azure Bastion requires a dedicated subnet: AzureBastionSubnet. You must create this subnet in the same virtual network that you want to deploy
Azure Bastion to.

For Azure Bastion resources deployed on or after November 2, 2021, the minimum AzureBastionSubnet size is /26 or larger (/25, /24, etc.). All Azure
Bastion resources deployed in subnets of size /27 prior to this date are unaffected by this change and will continue to work, but we highly
recommend increasing the size of any existing AzureBastionSubnet to /26 in case you choose to take advantage of host scaling in the future.
upvoted 3 times

  UK7 5 months, 3 weeks ago

Came on 21st Dec 2022
Answer is correct
upvoted 4 times

  mung 6 months, 4 weeks ago

When creating Azure Bastion, it requires some configuration,
1. Subnet name must be "AzureBastionSubnet".
2. Subnet size must be /26 or larger.
3.For host scaling /26 is recommended
4.etc.

https://learn.microsoft.com/en-us/azure/bastion/configuration-settings
upvoted 2 times

  Liriano 7 months, 2 weeks ago

In exam today, go with highly voted
upvoted 2 times

  klexams 7 months, 2 weeks ago

/26 or larger (/25 /24 etc) is now the recommended. /27 is the closest in this case.
upvoted 1 times

  tahirMScert 8 months, 2 weeks ago

this was on exam 03oct2022 , I scored 870 and answered as Examtopics answer
upvoted 5 times

  majerly 8 months, 2 weeks ago

Today in exam, answer is correct
upvoted 3 times

  kukeleku 8 months, 4 weeks ago

Had this question on my exam today(19-09-2022), I answered AzureBastionSubnet 10.10.10.0/27.
upvoted 6 times

  favela 9 months, 1 week ago

The only question that came today on my exam was so different the scenario was 10 vents but all vents peer so the question was how many azure
bastion requires I choose only one as all vents is peering. Passed today with score 900
upvoted 2 times

  EmnCours 9 months, 2 weeks ago

answer is correct*

https://docs.microsoft.com/en-us/azure/bastion/quickstart-host-portal
upvoted 1 times

  anantasthana2002 10 months ago

Answer is correct
upvoted 1 times

  Lazylinux 11 months, 4 weeks ago

Given answer is correct
upvoted 3 times

  Armina 1 year, 1 month ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 481/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Answer is correct
zure Bastion is a service you provide that allows you to connect to a virtual machine using your browser and the Azure portal. Azure Bastion is a
fully managed PaaS service that you can deploy to your virtual network. This service enables secure and seamless RDP and SSH connections to your
virtual machines via TLS directly in the Azure portal. When connecting through Azure Bastion, your virtual machines do not require a public IP
address, agent, or special client software.

Bastion provides secure RDP and SSH connections to all virtual machines in the virtual network where the service is deployed. Using Azure Bastion
prevents your virtual machines from making RDP and SSH ports publicly available. At the same time, we continue to enable secure access via
RDP/SSH.

Azure Bastion requires a subnet called AzureBastionSubnet within your virtual network. The subnet must have at least the subnet mask /27, or be
larger.

The following Microsoft Docs articles contain more information on the topic:
https://docs.microsoft.com/en-us/azure/bastion/tutorial-create-host-portal
https://docs.microsoft.com/en-us/azure/bastion/tutorial-create-host-portal
upvoted 1 times

  cirspass 1 year, 3 months ago

why subnet is /27，30 I think it so! Someone can help me understand this ?
upvoted 1 times

  GGbis 1 year ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 482/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #73 Topic 5

A. Yes

B. No

Correct Answer: A
Network Watcher variable packet capture allows you to create packet capture sessions to track traffic to and from a virtual machine. Packet
capture helps to diagnose network anomalies both reactively and proactively. Other uses include gathering network statistics, gaining
information on network intrusions, to debug client-server communications and much more.
Reference:
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-packet-capture-overview

Community vote distribution

A (81%) B (19%)

  mashk19 Highly Voted  2 years ago

If you initiated a packet capture from VM1 to VM2 and ran a capture for three hours, wouldn't you have file which contained all traffic between
VM1 and VM2?
upvoted 22 times

  JayBee65 1 year, 11 months ago

Yes exactly
upvoted 2 times

  s9p3r7 1 year, 11 months ago

yes you would, considering you didn't specify any filtering which is optional.
upvoted 4 times

  omw2wealth 1 year, 8 months ago

Ans is YES.
upvoted 1 times

  kilowd 1 year ago

Answer is YES
Packet capture is a computer networking term for intercepting a data packet that is crossing or moving over a specific computer network.

Once a packet is captured, it is stored temporarily so that it can be analyzed. The packet is inspected to help diagnose and solve network
problems and determine whether network security policies are being followed.
upvoted 3 times

  dookiecloud Highly Voted  2 years ago

Should use connection monitor for a period of time

https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview
upvoted 13 times

  erenklclar 1 year ago

Tested in the lab. A is correct.
upvoted 1 times

  loganharris 1 year, 11 months ago

this link supports yes. links to more information about packet capture
upvoted 4 times

  Luke7389 1 year, 2 months ago

Connection monitor doesn't capture packets, Network Watcher does therefore A is correct

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 483/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-packet-capture-overview
upvoted 3 times
  JayLearn2022 Most Recent  3 months, 4 weeks ago
There are several versions of this question. The following are the possible Correct and Incorrect solutions.

Correct solution: Meets the goal.

-Solution: From Azure Network Watcher, you create a packet capture.

Incorrect solution: Does not meet the goal.

-Solution: From Azure Monitor, you create a metric on Network In and Network Out.

-Solution: From Azure Network Watcher, you create a connection monitor.

-Solution: From Performance Monitor, you create a Data Collector Set (DCS).
upvoted 7 times

  zellck 4 months ago

Selected Answer: A
A is the answer.

https://learn.microsoft.com/en-us/azure/network-watcher/network-watcher-packet-capture-overview
Network Watcher variable packet capture allows you to create packet capture sessions to track traffic to and from a virtual machine. Packet capture
helps to diagnose network anomalies both reactively and proactively. Other uses include gathering network statistics, gaining information on
network intrusions, to debug client-server communications and much more.
upvoted 2 times

  zellck 3 months, 4 weeks ago

Got this in Feb 2023 exam.
upvoted 3 times

  Bigc0ck 5 months, 1 week ago

Still on test 01/05/2023
upvoted 5 times

  klexams 7 months, 2 weeks ago

Selected Answer: B
it specifically says from VM1 to VM2. Nature of packet capture is to run the capture in a VM/machine, it does not matter where the traffic is sent to.
You use filter if you want to see certain packets including where it goes, type of traffic etc etc. Yes you can use this tool for VM to VM but it is not
the best tool to use it. For the purpose, I'd got with Connection Monitor.
upvoted 2 times

  klexams 7 months, 2 weeks ago

OK I have to change it to A now - I saw this one "Packet Capture enables you to capture all traffic on a VM in your virtual network." from here
https://learn.microsoft.com/en-us/azure/network-watcher/frequently-asked-questions#what-tools-does-network-watcher-provide-
upvoted 4 times

  EmnCours 9 months, 2 weeks ago

Selected Answer: A
Answer is YES
upvoted 1 times

  kay000001 10 months ago

Answer is yes. This is a copy and paste straight from exam-104 text book:

The Packet Capture tool allows you to capture network packets entering or leaving your virtual machines. It is a powerful tool for deep network
diagnostics. You can capture all packets, or a filtered subset based on the protocol and local and remote IP addresses and ports. You can also
specify the maximum packet and overall capture size, and a time limit (captures start almost immediately once configured).
Packet captures are stored as a file on the VM or in an Azure storage account, in which case NSGs must allow access from the VM to Azure storage.
These captures are in a standard format and can be analyzed off-line using common tools such as WireShark or Microsoft Message Analyzer.

**Also, if you go into Network Watcher, you will see under diagnostic tools - Packet Capture.
upvoted 6 times

  David1990 10 months, 3 weeks ago

Selected Answer: A
I will go A
upvoted 1 times

  NotMeAnyWay 11 months ago

Selected Answer: B
Answer B - No

• **Packet Capture**: Is run on a VM to monitor the in and out flows of IP traffic. It is not used to monitor traffic BETWEEN two VMs.
MS Docs: ("Packet Capture enables you to capture all traffic on a VM in your virtual network.")

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 484/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

• **Connection Monitor**: Is used to monitor connectivity and latency between VMs over a period of time.
MS Docs: ("Connection Monitor allows you to monitor connectivity and latency between a VM and another network resource.")

Read Here:
https://docs.microsoft.com/en-us/azure/network-watcher/frequently-asked-questions#what-tools-does-network-watcher-provide-
upvoted 3 times

  NotMeAnyWay 11 months ago

IGNORE the above, as the question states all traffic: Answer A - Yes
"You need to inspect **all** the network traffic from VM1 to VM2 for a period of three hours."

You will need Packet Capture. as it has an option to specify ALL protocols
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-packet-capture-overview

NB: (exam-topics, needs an option to delete your own comment).

upvoted 2 times

  Traian 9 months ago

It is better this way I was wondering why packet capture and not connection monitor myself.Your wrong answer and the follow up were really
helpful
upvoted 1 times

  nkhan19 11 months ago

Selected Answer: A
Connection monitor doesn't capture packets, Network Watcher does therefore A is correct
upvoted 1 times

  EleChie 11 months, 3 weeks ago

Should be A:
Azure Network Watcher provides tools to monitor, diagnose, view metrics, and enable or disable logs for resources in an Azure virtual network.

Capture packets to and from a VM

Network Watcher variable packet capture allows you to create packet capture sessions to track traffic to and from a virtual machine. Packet capture
helps to diagnose network anomalies both reactively and proactivity.

References:
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview
upvoted 1 times

  Lazylinux 1 year ago

Selected Answer: A
Packet capture is correct similar to wireshark, it allows for Sources/Des IP, Ports and times allocation and can be triggered automatically via VMs
alert
upvoted 3 times

  rafacazus 1 year ago

Selected Answer: A
It should be the packet capture as we've got in the configuration 'Time limit' field - the duration of the capture session to the file. Connection
monitor has got the 'Test frequency' setting - how frequently sources will ping destinations, we're not collecting the traffic for the future inspection.
The idea in the Connection monitor is to pass a test.
upvoted 2 times

  ostych 1 year, 2 months ago

Selected Answer: A
Packet capture can be set to specified interval and connection monitor is for end-to-end monitoring specific connections. Here you have to capture
all network traffic.
upvoted 2 times

  Jayad 1 year, 2 months ago

You can use the Network Watcher for packet capturing :
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-packet-capture-overview
upvoted 1 times

  knoonan 1 year, 2 months ago

It's says inspect Traffic, not Data, I'm going with Connection Monitor.
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 485/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #74 Topic 5

A. Yes

B. No

Correct Answer: A
Reference:
https://azure.microsoft.com/en-us/updates/general-availability-azure-network-watcher-connection-monitor-in-all-public-regions/

Community vote distribution

B (87%) 13%

  Deevine78 Highly Voted  1 year, 12 months ago

No.

We need to inspect all the network traffic "from" VM1 "to" VM2 and not between the 2 VMs.
Even if we were using Connection monitor, this one would inspect only network traffic over a specific port.
And for a period of 3 hours, packet capture session time limit default value is 18000 seconds or 5 hours.
upvoted 42 times

  ShaulSi 1 year, 6 months ago

I have checked this and indeed connection monitor setup asks you for port and indeed the question asks you for all traffic.
upvoted 9 times

  azslayer 1 year ago

No
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-packet-capture-overview
upvoted 2 times

  skydivex 4 months ago

packet capture definitely makes more sense since connection monitor only inspects TCP traffic. I think you are correct. :)
upvoted 2 times

  dookiecloud Highly Voted  2 years ago

Yes
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview
upvoted 6 times

  [Removed] 1 year, 5 months ago

It's no, the question says that we need to inspect all the network traffic. This doesn't allow for that. Packet Capture does however.
upvoted 3 times

  JayLearn2022 Most Recent  3 months, 4 weeks ago

There are several versions of this question. The following are the possible Correct and Incorrect solutions.

Correct solution: Meets the goal.

-Solution: From Azure Network Watcher, you create a packet capture.

Incorrect solution: Does not meet the goal.

-Solution: From Azure Monitor, you create a metric on Network In and Network Out.

-Solution: From Azure Network Watcher, you create a connection monitor.

-Solution: From Performance Monitor, you create a Data Collector Set (DCS).
upvoted 4 times

  zellck 4 months ago

Selected Answer: B

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 486/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

B is the answer.

https://learn.microsoft.com/en-us/azure/network-watcher/connection-monitor-overview
Connection Monitor provides unified, end-to-end connection monitoring in Azure Network Watcher. The Connection Monitor feature supports
hybrid and Azure cloud deployments. Network Watcher provides tools to monitor, diagnose, and view connectivity-related metrics for your Azure
deployments.

Connection monitors:

Provide ongoing monitoring of connectivity between two resources

Can alert you if connectivity is lost or degraded
Do not capture the actual packets, so you cannot view the contents of the traffic
Packet captures:

Allow you to view the contents of the traffic

Can be useful for analyzing specific issues or problems
Require you to manually start and stop the capture
upvoted 1 times

  Bigc0ck 5 months, 1 week ago

still on test
upvoted 3 times

  klexams 7 months, 2 weeks ago

Selected Answer: A
"Packet Capture enables you to capture all traffic on a VM in your virtual network."
https://learn.microsoft.com/en-us/azure/network-watcher/frequently-asked-questions#what-tools-does-network-watcher-provide-
upvoted 1 times

  tahirMScert 8 months, 2 weeks ago

this was on exam 03oct2022 , I scored 870 and answered as Examtopics answer
upvoted 3 times

  EmnCours 9 months, 2 weeks ago

Selected Answer: B
B. No - With Packet capture, You can Set a time constraint on the packet capture session. The default value is 18000 seconds or 5 hours.
upvoted 2 times

  NotMeAnyWay 11 months ago

Answer A - Yes

Read Here:
https://docs.microsoft.com/en-us/azure/network-watcher/frequently-asked-questions#what-tools-does-network-watcher-provide-
upvoted 3 times

  NotMeAnyWay 11 months ago

IGNORE the above, as the question states all traffic: Answer B - No
"You need to inspect **all** the network traffic from VM1 to VM2 for a period of three hours."

You will need Packet Capture. as it has an option to specify ALL protocols
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-packet-capture-overview

NB: (exam-topics, needs an option to delete your own comment).

upvoted 2 times

  RhinoMan 11 months, 1 week ago

Selected Answer: B
A connection is not traffic its a to a specific port not all
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 487/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  EleChie 11 months, 3 weeks ago

Monitor communication between a virtual machine and an endpoint

The connection monitor capability monitors communication at a regular interval and informs you of reachability, latency, and network topology
changes between the VM and the endpoint.

Connection monitor also provides the minimum, average, and maximum latency observed over time. After learning the latency for a connection,
you may find that you're able to decrease the latency by moving your Azure resources to different Azure regions.

Capture packets to and from a VM

Advanced filtering options and fine-tuned controls, such as the ability to set time and size limitations, provide versatility. The capture can be stored
in Azure Storage, on the VM's disk, or both. You can then analyze the capture file using several standard network capture analysis tools.
Packet capture helps to diagnose network anomalies both reactively and proactively. Other uses include gathering network statistics, gaining
information on network intrusions, to debug client-server communications and much more.
upvoted 1 times

  Jayad 1 year, 2 months ago

I would go with Yes based on the following guide from Microsoft:
https://docs.microsoft.com/en-us/azure/network-watcher/connection-monitor
upvoted 1 times

  josevirtual 1 year, 2 months ago

Selected Answer: B
The answer should be NO
upvoted 2 times

  Teringzooi 1 year, 3 months ago

Selected Answer: B
No
The connection monitor capability monitors communication at a regular interval and informs you of reachability, latency, and network topology
changes between the VM and the endpoint.
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview
upvoted 1 times

  [Removed] 1 year, 5 months ago

Selected Answer: B
Incorrect. Question specifies that you need to inspect the packets. Correct Answer B
upvoted 3 times

  NinjaPenguin 1 year, 5 months ago

It's NO. Question is "You need to inspect all the network traffic from VM1 to VM2 for a period of three hours." per https://docs.microsoft.com/en-
us/azure/network-watcher/network-watcher-monitoring-overview "he connection monitor capability monitors communication at a regular interval
and informs you of reachability, latency, and network topology changes between the VM and the endpoint." This does NOT capture all traffic, just
checks it at intervals.
upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 488/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #75 Topic 5

A. Yes

B. No

Correct Answer: B
Use the Connection Monitor feature of Azure Network Watcher.
Reference:
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview

Community vote distribution

B (100%)

  SilverFox22 Highly Voted  1 year, 8 months ago

At least we can agree that this one is No :)
upvoted 30 times

  skydivex 4 months ago

A Data Collector Set organizes data collection points, such as performance counters and event trace data, into a single collection. Data Collector
Sets enable you to schedule data collection, so that you can analyze the results and view reports later.
upvoted 1 times

  bur88 1 year, 3 months ago

I agree Answer is: No.
Correct answer is packet capture in Azure Network Watcher.
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-packet-capture-overview
upvoted 5 times

  AzureG0d 7 months, 2 weeks ago

right lol love after war
upvoted 1 times

  Abubaker3030 1 year ago

well played haha
upvoted 2 times

  ScreamingHand Highly Voted  2 years ago

Nice try, but no banana. You need the trusty Connection Monitor in this scenario
upvoted 6 times

  ScreamingHand 1 year, 11 months ago

Sorry, my cocky answer above is incorrect, - Connection Monitor will only inspect traffic on a specific port, - we need Packet Capture, - which
will capture all traffic
upvoted 35 times

  Slimus Most Recent  1 month, 1 week ago

No, there is no such thing as "Data Collector Set (DCS)" in the Network Watcher
upvoted 1 times

  JayLearn2022 3 months, 4 weeks ago

There are several versions of this question. The following are the possible Correct and Incorrect solutions.

Correct solution: Meets the goal.

-Solution: From Azure Network Watcher, you create a packet capture.

Incorrect solution: Does not meet the goal.

-Solution: From Azure Monitor, you create a metric on Network In and Network Out.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 489/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

-Solution: From Azure Network Watcher, you create a connection monitor.

-Solution: From Performance Monitor, you create a Data Collector Set (DCS).
upvoted 5 times

  obaali1990 3 months ago

Good, keep up the good work
upvoted 1 times

  EmnCours 9 months, 2 weeks ago

Selected Answer: B
I agree Answer is: No.
upvoted 1 times

  techie_11 1 year, 2 months ago

On exam 4/12/2022. B correct answer
upvoted 2 times

  ajayasa 1 year, 3 months ago

this question was there on 16/03/2022 with same question and passed with 900 percent
upvoted 2 times

  Redimido 1 year, 4 months ago

Selected Answer: B
Here it is a definitive NO! ... hopefully :)
upvoted 1 times

  fabylande 1 year, 8 months ago

In exam today! October 16, 2021
upvoted 2 times

  Acai 1 year, 10 months ago

Performance Monitor and a Data Collector Set huh. RIP Windows Server 70-410.
upvoted 5 times

  AravindITGuy 2 years ago

Answer No - Connection monitor is used for packets, RTT, etc
upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 490/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #76 Topic 5

DRAG DROP -
You have an Azure subscription that contains the resources shown in the following table.

You need to load balance HTTPS connections to vm1 and vm2 by using lb1.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and
arrange them in the correct order.
Select and Place:

Correct Answer:

Reference:
https://docs.microsoft.com/en-us/azure/load-balancer/tutorial-load-balancer-standard-public-zone-redundant-portal

  [Removed] Highly Voted  1 year, 5 months ago

Answer is correct:
1) Remove the Public IP addresses. They are basic Public IPs and we're using a Standard Load Balancer which aren't compatible.
2) Create a backend pool and health probes.
3) Create a load balancer rule.
upvoted 57 times

  Allfreen 1 year, 3 months ago

This is correct Answer
Remove NSG1
Remove Public IP

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 491/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

create Health Probe

what if NSG blocks port 80 for health prob ?

upvoted 1 times

  tyohaina 7 months, 1 week ago

It does not mention NSG being associated with those VMs or Vnet. Its in the subscription but we don't know if its in use at all or in use for
different resources.
upvoted 3 times

  magichappens 1 year, 2 months ago

What if the machines are actually off? Seriously, just read the information that are given. NSG is not blocking port 80 by default so it is
irrelevant.
upvoted 11 times

  Aymenwerg Highly Voted  1 year, 8 months ago

The Answer is correct :
Create a backend pool.
Create health probes.
Create a load balancer rule.
upvoted 13 times

  Netspud 1 year, 4 months ago

That is not the answer provided, and your answer is wrong (the one provided is correct).
1 is remove the Public IPs (basic IP's can't be used with a standard LB). Also a pool is only NEEDED for a basic LB.
2. and 3. are correct.
2. Create a health probe
3. Create a lb rule.
upvoted 8 times

  Zippy12 1 year, 2 months ago

How is this highly voted? Two of the steps you've listed (creating a backend pool and health probe) aren't even separate steps in the answer
options.
upvoted 11 times

  Rams_84zO6n Most Recent  2 months, 2 weeks ago

Answer is correct.
- [ ] Remove the public IP addresses from vm1 and 2 - SLB can’t work with basic sku IP addresses
- [ ] Create health probe and backend pool on lb1 - Need health probe and back-end pool for the LB
- [ ] Create a LB rule on LB1 - need a load balancing rule for LB
upvoted 7 times

  CyberKelev 3 months, 1 week ago

Basic Public IPs are compatible with both Basic and Standard Load Balancers in Azure. However, Standard Public IPs can only be used with Standard
Load Balancers.
upvoted 1 times

  CyberKelev 3 months, 2 weeks ago

Availability set
Health probe
Load balancing rule
upvoted 1 times

  xRiot007 5 days, 21 hours ago

No need for an AS for Standard LB, only Basic
upvoted 1 times

  GBAU 4 months ago

Funny fact: Feb 2023, I created a standard LB and had no issues creating a backend pool and adding a VM that had basic PIP and dynamic LIP (and
no NSG at all). Added a LB rules and could connect to it through the LB.
Don't believe me? Try it yourself.
upvoted 3 times

  klexams 7 months, 2 weeks ago

correct:
1. remove public ip
2. create hp and be pool
3. create lb rule
upvoted 3 times

  tahirMScert 8 months, 2 weeks ago

this was on exam 03oct2022 , I scored 870 and answered as Examtopics answer
upvoted 5 times

  F117A_Stealth 9 months, 2 weeks ago

Answer is correct
upvoted 1 times
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 492/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  MitchelLauwers1993 1 year, 3 months ago

came in exam today
upvoted 2 times

  hanyahmed 1 year, 5 months ago

Answer is correct
upvoted 2 times

  Snownoodles 1 year, 6 months ago

The answer is correct.
Regarding availability set - you can only add a VM into an availability set when the VM is being created, you cannot add a VM into an availability
set after the VM is created.
upvoted 2 times

  gbgmail 1 year, 3 months ago

You can use the Add-AzureRmAvSetVmToAvailabilitySet powershell command to add an existing VM to an availability set. That being said, the
original answer is correct.
upvoted 1 times

  Snownoodles 1 year, 6 months ago

I forgot to post the link:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/change-availability-
set#:~:text=A%20VM%20can%20only%20be,both%20Linux%20and%20Windows%20VMs.&text=If%20your%20VM%20is%20attached,script%2
0to%20handle%20that%20case.
upvoted 1 times

  Invisired 1 year, 7 months ago

Create Availability Set - to acomotade vms
Health probes
Load Balancer rule
upvoted 1 times

  verifedtomic 1 year, 7 months ago

The given answer is correct. No need for Availability Set since LB1 is a Standard Load Balancer, and Standard LBs can balance traffice to VMs
that are in the same vNET. Availability Set is needed only for Basic Load Balancers
upvoted 4 times

  ppavank06 1 year, 7 months ago

correct
upvoted 1 times

  nirujogi 1 year, 8 months ago

Correct
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 493/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #77 Topic 5

A. Yes

B. No

Correct Answer: B
Reference:
https://azure.microsoft.com/en-us/updates/general-availability-azure-network-watcher-connection-monitor-in-all-public-regions/

Community vote distribution

B (100%)

  MrBlueSky Highly Voted  1 year, 5 months ago

God bless all you people putting the wrong answers on these so we can have people confidently correct you.
upvoted 12 times

  pappkarcsiii Highly Voted  1 year, 4 months ago

Selected Answer: B
You use the Packet Capture, not Connection Monitor nor Network watcher
upvoted 11 times

  pmsiva 8 months, 1 week ago

https://learn.microsoft.com/en-us/azure/network-watcher/frequently-asked-questions
upvoted 1 times

  Bigc0ck Most Recent  5 months, 1 week ago

still test
upvoted 1 times

  klexams 7 months, 2 weeks ago

No. Azure Monitor does not even inspect traffic.
upvoted 2 times

  EmnCours 9 months, 1 week ago

Selected Answer: B
Correct Answer: B
upvoted 2 times

  ajayasa 1 year, 3 months ago

this question was there on 16/03/2022 with same question and passed with 900 percent
upvoted 4 times

  Teringzooi 1 year, 3 months ago

Selected Answer: B
Answer is B: No
You use the Packet Capture, not Connection Monitor nor Network watcher
upvoted 3 times

  Lincoln01 1 year, 4 months ago

This is not right. Should be the connection Monitor feature of the Network watcher.
upvoted 1 times

  Bere 1 year, 7 months ago

As described here:
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-packet-capture-manage-portal
Network Watcher packet capture allows you to create capture sessions to track traffic to and from a virtual machine.
upvoted 6 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 494/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  Aymenwerg 1 year, 8 months ago

Need to use connection monitor
upvoted 3 times

  omw2wealth 1 year, 8 months ago

nope, you create a packet capture.
upvoted 35 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 495/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #78 Topic 5

A. Yes

B. No

Correct Answer: B
Reference:
https://fastreroute.com/azure-network-security-groups-explained/

Community vote distribution

B (100%)

  Zarzi Highly Voted  1 year, 7 months ago

i'm not a robot
upvoted 29 times

  im82 Highly Voted  1 year, 6 months ago

Was on exam today 19.11.2021. Passed with 920.
Correct answer: B
upvoted 11 times

  GBAU Most Recent  4 months ago

Selected Answer: B
Answer B (No)

Make a new rule above 200 or move rule 65001 up to <200, so the Health Probe will start working again, it will find a health host and start to direct

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 496/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

443 traffic from 131.107.100.50 to it.

App1 is alive!
upvoted 6 times

  Student2023 2 months, 2 weeks ago

For this question (and other questions with similar context) this is the first time the explanation made total sense.

Thank you!
upvoted 1 times

  Bigc0ck 5 months, 1 week ago

still on test
upvoted 2 times

  klexams 7 months, 3 weeks ago

Selected Answer: B
as rule 200 will still block port 443.
upvoted 2 times

  klexams 7 months, 2 weeks ago

and we want to allow traffic from 131.107.100.50 over TCP port 443, not deny it.
upvoted 1 times

  tahirMScert 8 months, 2 weeks ago

this was on exam 03oct2022 , I scored 870 and answered as Examtopics answer
upvoted 3 times

  EmnCours 9 months, 1 week ago

Selected Answer: B
Correct Answer: B
upvoted 1 times

  ajayasa 1 year, 3 months ago

this question was there on 16/03/2022 with same question and passed with 900 percent
upvoted 1 times

  theorut 1 year, 3 months ago

You need to start the VM - check Attach Network which is available. This happens only when VM is turned off.
upvoted 5 times

  JJoh 1 year, 4 months ago

The screen cap already work, you do not need to do anythings
upvoted 1 times

  hberesford 1 year, 5 months ago

you need to change the priority of the inbound rule
upvoted 2 times

  hberesford 1 year, 5 months ago

I mean the priority should not be 6995
upvoted 1 times

  hberesford 1 year, 5 months ago

64999 it should be 150
upvoted 2 times

  SK_2_SK 1 year, 6 months ago

Answer is No. You need to start VM.
upvoted 2 times

  omw2wealth 1 year, 8 months ago

Answer is correct :
No.
upvoted 3 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 497/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #79 Topic 5

DRAG DROP -
You have an Azure subscription that contains two on-premises locations named site1 and site2.
You need to connect site1 and site2 by using an Azure Virtual WAN.
Which four actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and
arrange them in the correct order.
Select and Place:

Correct Answer:

Reference:
https://docs.microsoft.com/en-us/azure/virtual-wan/virtual-wan-site-to-site-portal

  Sirkhunz Highly Voted  1 year, 8 months ago

Doing my AZ-104 this month, please pray for me
upvoted 50 times

  GepeNova 1 year, 8 months ago

good look for me tomorrow
upvoted 5 times

  GepeNova 1 year, 8 months ago

**luck
upvoted 4 times

  bogard 1 year, 7 months ago

did you pass?
upvoted 2 times

  gregigitty 1 year, 6 months ago

We need to know! :-)
upvoted 3 times

  nimeshabhinav 1 year, 5 months ago

If he is not back to this site, he passed the exam 😊
upvoted 54 times

  shadad 3 months, 4 weeks ago

LOL come on.
i returned after i passed TEAMS administrator :)
upvoted 3 times

  im82 Highly Voted  1 year, 6 months ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 498/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Was on exam today 19.11.2021. Passed with 920.

Correct answer:
1. Create Azure Virtual WAN
2. Create Virtual Hub
3. Create VPN sites
4. Connect VPN sites to virtual hub
upvoted 46 times

  xRiot007 Most Recent  5 days, 21 hours ago

Create Virtual WAN > Create Hub > Create VPN Sites > Connect VPN sites to Hub
upvoted 1 times

  CyberKelev 3 months, 2 weeks ago

Answe is correct
upvoted 2 times

  zellck 4 months ago

1. Create Virtual WAN
2. Create Virtual Hub
3. Create VPN sites
4. Connect VPN sites to hub

https://learn.microsoft.com/en-us/azure/virtual-wan/virtual-wan-site-to-site-portal
upvoted 4 times

  sabsyed 4 months ago

Correct answer 👍
upvoted 1 times

  GBAU 4 months ago

Even if you didn't know for sure you can kinda fake it till you make it with something like this:

You need to pick 4/5 so only one has to go

2 options are about creating virtual wan+hub resources and 3 of them are about connecting.
There has to only be one way to connect in the answer (virtual network or VPN site) (so both wan+hub are needed either way to get to 4) but we
have two apparent processes

Either you
-"Connect the virtual networks to the hub"
or
-"Create VPN Sites" &
-"Connect VPN site to the hub" (what VPN sites, you have to create them, bingo, above option)

Go with the one that gives you 4 steps :)

upvoted 4 times

  klexams 7 months, 2 weeks ago

correct:
Create a virtual WAN
Configure virtual hub Basic settings
Configure site-to-site VPN gateway settings
Create a site
Connect a site to a virtual hub
Connect a VPN site to a virtual hub
upvoted 2 times

  perko28 9 months ago

Wish me luck. Exam in 4 hours....
upvoted 3 times

  Kem81 7 months, 2 weeks ago

how did it go? My exam is next week...
upvoted 1 times

  ZakySama 7 months, 2 weeks ago

mine it is next week 11/11/2022
upvoted 1 times

  MoSea 7 months, 1 week ago

mine is on the same day! Good luck to you!!
upvoted 1 times

  EmnCours 9 months, 1 week ago

Correct answer:
1. Create Azure Virtual WAN
2. Create Virtual Hub

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 499/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

3. Create VPN sites

4. Connect VPN sites to virtual hub
upvoted 3 times

  Davin0406 9 months, 1 week ago

I can see your comments all over the questions haha
So helpful, thank you!
upvoted 1 times

  techie_11 1 year, 2 months ago

On exam 4/12/2022. correct answer
upvoted 2 times

  nipi 1 year, 2 months ago

Create a virtual WAN
Configure hub Basic settings
Configure site-to-site VPN gateway settings
Create a site
Connect a site to a hub
Connect a VPN site to a hub
Connect a VNet to a hub
Download a configuration file
View or edit your VPN gateway
https://docs.microsoft.com/en-us/azure/virtual-wan/virtual-wan-site-to-site-portal
upvoted 4 times

  ajayasa 1 year, 3 months ago

this question was there on 16/03/2022 with same question and passed with 900 percent
upvoted 1 times

  InvisibleShadow 1 year, 3 months ago

This question came in the exam today 8/Mar/2022.
I passed the exam, 95% questions came from here.
upvoted 2 times

  sid132 1 year, 3 months ago

On the exam today, 4.March.2022
upvoted 1 times

  nidhogg 1 year, 4 months ago

On the exam today, 1.feb.2022
Just 761/1000, but OK! :D
Thanks to ExamTopics and to you all!
upvoted 3 times

  practical_93 1 year, 4 months ago

Looks like you got all the 341 questions on your exam. I see your comment on every single question lol
upvoted 12 times

  FabioVi 1 year, 4 months ago

Correct Answer.
Kind of tricky is that the remaining action "Connect a VNet to a hub" is also part of the Azure Virtual WAN setup, but it would definitely go after the
others, and question asks for the first four...
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 500/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #80 Topic 5

HOTSPOT -
You have an Azure subscription that contains the virtual networks shown in the following table.

You have the virtual machines shown in the following table.

You have the virtual network interfaces shown in the following table.

Server1 is a DNS server that contains the resources shown in the following table.

You have an Azure private DNS zone named contoso.com that has a virtual network link to VNET2 and the records shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

  speed2fast Highly Voted  1 year, 8 months ago

Solution seems wrong. Should be No/Yes/No (not tested)

No: Server2 uses Server1 for DNS. Server1 has no host2.contoso.com record for 131.107.50.50. It would work if VNET1 hat a virtual network link to
the private zone contoso.com.
Yes: Server2 uses Server1 for DNS. Server1 has a host1.contoso.com record for 131.107.10.15
No: Server3 uses 10.10.0.4 as DNS (inherited from VNET2). 10.10.0.4 (Server1) has no record for host2.contoso.com. The virtual network link for the
private zone contoso.com on VNET2 won't be used since the DNS from VNET1 is set on VNET2. VNET1 DNS is not aware of the private zone
contoso.com. It would work if VNET1 had a virtual network link to the private zone contoso.com.
upvoted 88 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 501/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  przema86 6 months ago

I agree with this answers N/Y/N
I hate such questions, such scenarios doesn't exist in real life. If I would see such thing in production I would shout on engineers.
upvoted 9 times

  itgg11 1 year, 3 months ago

Answer 3 is not correct.
I had to test in the lab to make sure.
Answer 3 is YES.
Server3 is able to resolve host2.contoso.com
Reason:
Server3 is connected to VNET2 which is linked to a private DNS zone containing an "A" record for host2.contoso.com 131.107.50.50.
upvoted 14 times

  magichappens 1 year, 2 months ago

Are you really sure you also setup the peering in your lab? Server3 would actually reach the DNS Server1 and would resolve to a different IP.
I think it´s No/Yes/No
upvoted 2 times

  [Removed] 1 year, 5 months ago

I agree with this. The answer should be No, Yes, No.
upvoted 2 times

  theOldOne 1 year, 8 months ago

I got the same thing
upvoted 3 times

  alex_p 1 year, 8 months ago

How Server3 uses 10.10.0.4 for DNS Server!? Could you explain, please? For NIC3 we have DNS settings "Inherit from virtual network". In
addition Server3 is in VNET2. VNET2 is linked to the private zone contoso.com which has a record for host2.contoso.com. So Server3 would
be able to resove it. I think the 3th is YES!
N-Y-Y
upvoted 26 times

  theOldOne 1 year, 8 months ago

Alex-p I can see where you are coming from
upvoted 1 times

  nzalex1 1 year, 7 months ago

Vnet2 has DNS 10.10.10.4 configured. Unless forwarder on this DNS configured to Azure (and we don't have this info), the linked private
zone will not have an effect
upvoted 4 times

  Sharathjogi 1 year, 5 months ago

VNET2 don't have 10.10.10.4 as DNS server. That DNS server is of NIC2, which belong to VNET1. VNET2 is linked to
private.contoso.com, which as a record for host2.contoso.com. Hence it should resolve.
upvoted 2 times

  Sharathjogi 1 year, 2 months ago

I take my words back, NIC configured DNS takes precedence over VNET configured DNS.
upvoted 4 times

  slimshady Highly Voted  1 year, 8 months ago

I just tested this for myself, results were:
server 2 resolve host2.contoso.com - NO - only host1 exists in the server1-hosted DNS zone, so cannot resolve - and setting server2 to use server1
as a DNS server means it does not use any other DNS servers.
server 2 resolve host1.contoso.com - YES to the server1 hosted DNS address ie. 131.107.10.15
server3 resolve host2.contoso.com - YES to the Azure hosted DNS address ie. 131.107.50.50.
server3 can also resolve host1.contoso.com to the Azure hosted DNS address (of course).
hope this helps :)
upvoted 41 times

  mdwSysOps 3 months, 1 week ago

This is the right answer!!
upvoted 1 times

  ejml 1 year, 8 months ago

slimshady, in your test, have you peered the vnet's?. Thanks
upvoted 1 times

  slimshady 1 year, 8 months ago

actually I just noticed after reading the comments again that i forgot to set the server1 DNS server on VNET2 - when i did this and updated the
servers, server3 could no longer resolve host2.contoso.com as it was using the server1 hosted DNS server. so i say the answer is NO-YES-NO
upvoted 34 times

  picho707 Most Recent  1 week, 2 days ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 502/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

I see it this way.

Server2 => NIC2 => NIC2 DNS 10.0.0.4 = YES
Server2 => NIC2 => NIC2 DNS 10.0.0.4 = YES
Server3 => NIC3 => VNET2 DNS Provided 10.0.0.4 = YES
upvoted 1 times

  SIAMIANJI 3 weeks ago

The correct answer is No/Yes/No
upvoted 1 times

  FreeSwan 1 month, 3 weeks ago

1. No (Server 2 – NIC2 resolves based on Server 1 DNS)
2. Yes (Server 2 – NIC2 resolves based on Server 1 DNS)
3. Yes (Server 2 – NIC3 resolved inherit VNET2)
upvoted 2 times

  Goofer 2 months, 1 week ago

Server2 = Nic2 - DNS server 10.10.0.4 = A-Record Host2.contoso.com = Not available
Server2 = Nic2 - DNS server 10.10.0.4 = A-Record Host1.contoso.com = 131.107.10.15
Server3 = Nic3 - Azure private DNS = A-Record Host2.contoso.com = 131.107.50.50
Answers are: N-Y-Y
upvoted 5 times

  Rams_84zO6n 2 months, 2 weeks ago

- [ ] No - Host2 is A record on private zone. Server2 is on VNET1 which is not attached to the private zone
- [ ] Yes - host1 is both on private and public zone. Server2 can access public zone and resolves host1 to the 131.107.10.15 IP
- [ ] Yes. - host2 is only on private zone. VNET2 attached to private zone. Server3 is on VNET2 and resolves host2 to 131.107.50.50
upvoted 1 times

  curtmcgirt 3 months, 3 weeks ago

vnet1 uses azure dns.
vnet2 is linked to azure private zone contoso.com, but
vnet2 uses 10.0.0.4 server1 dns.
.
server2 nic 2 is in vnet1, but nic specifies 10.0.0.4 dns.
server3 nic 3 is in vnet2, and uses 10.0.0.4 dns inherited from vnet2.
.
10.0.0.4 server1 dns has no host2 record.
10.0.0.4 server1 dns says host1 is at the .15 address.
.
no, server2 can't resolve host2.
yes, server2 resolves host1 to the .15 address.
no, server3 can't resolve host2.
upvoted 4 times

  zellck 4 months ago

NYN is the answer.

1. No resolution on custom DNS server1

2. Resolved on custom DNS server1
3. No resolution on custom DNS server1
upvoted 3 times

  GBAU 4 months ago

No
Yes
No

Key: Server1 considers itself authoritive for contoso.com (its a Primary DNS zone)
If it doesn't have a record, that's game over man

Server2 gets a DNS server of Server 1 (NIC2 is hard set to Server1's IP)
Server2 can not resolve host2.contoso.com as Server1 has no record for it
Server2 resolve host1.contoso.com as 131.107.10.15 as that's Server1's record for it

Server3 (NIC3) inherits from it VNET (VNET2) which is also Server1

Server3 resolves host2.contoso.com the same as Server2 with NO resolution

No
Yes
No
upvoted 3 times

  hepgvm 4 months ago

server 3 is connect to VNET2 so he can resolve host2 (n/y/y)
upvoted 1 times

  curtmcgirt 3 months, 3 weeks ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 503/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

vnet2 specifies 10.0.0.4 for dns, and there is no host2 in 10.0.0.4 dns.
upvoted 1 times

  dc2k79 7 months, 3 weeks ago

No/Yes/No
upvoted 1 times

  klexams 7 months, 3 weeks ago

NYY
1. Server2 > NIC2 > VNET1. NIC2 has DNS 10.0.0.4 which has no host2 record.
2. Server2 > NIC2 > VNET1. NIC2 has DNS 10.0.0.4 which has host1 record.
3. Server3 > NIC3 > VNET2. VNET3 has Azure private DNS which has host2 record.
upvoted 7 times

  klexams 7 months, 2 weeks ago

sorry should be N Y N
3. Server3 > NIC3 > VNET2. VNET2 has DNS 10.0.0.4 which has host2 record.
upvoted 4 times

  hitit 7 months, 4 weeks ago

N.Y.N
Server3's DNS is 10.10.0.4, so Server3 can resolve it.
upvoted 1 times

  Kem81 8 months, 2 weeks ago

So for me, it seems that almost everyone is in agreement for the first two boxes, No, Yes. However, the last box is causing some confusion...
Server 3/NIC3 is set to use the VNET preference for DNS and the question clearly states above the final box, VNET2 is set to use Azure Private DNS
linked to VNET2. So the last box is clearly YES it can resolve the host.
upvoted 1 times

  Kem81 7 months, 2 weeks ago

I want to correct myself here, my final answer is, NYN.

The first table clearly states DNS server is configured to user server1 located in VNET1 and server3 NIC is set to use vnet configured dns. so the
last box is No. hope that helps anyone that was confused as I was :D
upvoted 3 times

  David1990 8 months, 3 weeks ago

N Y Y is correct
upvoted 1 times

  randy0077 8 months, 3 weeks ago

its NYY. NIC configured DNS takes precedence
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 504/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #81 Topic 5

You have a virtual network named VNet1 as shown in the exhibit. (Click the Exhibit tab.)

No devices are connected to VNet1.

You plan to peer VNet1 to another virtual network named VNet2. VNet2 has an address space of 10.2.0.0/16.
You need to create the peering.
What should you do first?

A. Modify the address space of VNet1.

B. Add a gateway subnet to VNet1.

C. Create a subnet on VNet1 and VNet2.

D. Configure a service endpoint on VNet2.

Correct Answer: A
The virtual networks you peer must have non-overlapping IP address spaces. The exhibit indicates that VNet1 has an address space of
10.2.0.0/16, which is the same as VNet2, and thus overlaps. We need to change the address space for VNet1.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-manage-peering#requirements-and-constraints
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-faq

Community vote distribution

A (100%)

  pakman Highly Voted  1 year, 8 months ago

Correct. Modify the address space of VNET1, since it'd be overlapping with the one of VNET2 if you don't.
upvoted 28 times

  xRiot007 Most Recent  1 week ago

A - modify the address space of VNET1
You have to do this because to eliminate the overlap between VNET1 and VNET2
upvoted 1 times

  zellck 4 months ago

Selected Answer: A
A is the answer.

  klexams 7 months, 2 weeks ago

A as the only correct option. addresses cannot overlap for peering to happen.
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 505/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 2 times
  EmnCours 9 months, 1 week ago
Selected Answer: A
Correct Answer: A
upvoted 1 times

  libran 9 months, 1 week ago

Selected Answer: A
Correct Answer: A
upvoted 1 times

  Teringzooi 1 year, 3 months ago

Selected Answer: A
Correct. Modify the address space of VNET1, since it'd be overlapping with the one of VNET2 if you don't.
upvoted 1 times

  Efficia 1 year, 4 months ago

Selected Answer: A
Correct Answer: A
The virtual networks you peer must have non-overlapping IP address spaces.

Reference: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-manage-peering#requirements-and-constraints
upvoted 4 times

  fabylande 1 year, 8 months ago

In exam today! October 16, 2021
upvoted 3 times

  GepeNova 1 year, 8 months ago

Correct A
Both VNETs have the same address space
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 506/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #82 Topic 5

You have the Azure virtual machines shown in the following table.

VNET1 is linked to a private DNS zone named contoso.com that contains the records shown in the following table.

You need to ping VM2 from VM1.

Which DNS names can you use to ping VM2?

A. comp2.contoso.com and comp4.contoso.com only

B. comp1.contoso.com, comp2.contoso.com, comp3.contoso.com, and comp4.contoso.com

C. comp2.contoso.com only

D. comp1.contoso.com and comp2.contoso.com only

E. comp1.contoso.com, comp2.contoso.com, and comp4.contoso.com only

Correct Answer: B
Reference:
https://medium.com/azure-architects/exploring-azure-private-dns-be65de08f780 https://simpledns.plus/help/dns-record-types

Community vote distribution

C (96%) 4%

  Quantigo Highly Voted  1 year, 8 months ago

Correct Answer C: comp2.contoso.com only
A record: Is used to map a DNS/domain name to an IP
Ref:https://www.cloudflare.com/learning/dns/dns-records/dns-a-record/
TXT records in a lot of cases get used to prove ownership of a domain, it has other purposes too.
Reference:
https://support.google.com/a/answer/2716800?hl=en#:~:text=TXT%20records%20are%20a%20type,and%20to%20ensure%20email%20security.
PTR: A Reverse DNS lookup is used by remote hosts to determine who 'owns' an IP address.
Reference:
https://www.mailenable.com/kb/content/article.asp?ID=ME020206
CNAME records get used to redirect a DNS name or subdomain name to another DNS name or domain name or subdomain name.
reference: https://support.dnsimple.com/articles/cname-record/
It would do good to read up on DNS record types and what they are used for, you will be lost if you don't have a basic understanding of it.
https://ns1.com/resources/dns-types-records-servers-and-queries
DNS is a key component In the IT field.
I hope this info will help.
upvoted 86 times

  Takloy 1 year, 6 months ago

So agree man! you just reminded me to review DNS and DNS alone.
upvoted 3 times

  slimshady Highly Voted  1 year, 8 months ago

tested this, i say it is C - comp2.contoso.com ONLY. i created each of the records in my Azure DNS zone, a TXT record is not resolvable, an A record
is resolvable, the CNAME is pointing to comp1 which again is not resolvable, and the PTR record should be an IP to a name, when i created the PTR
record it wanted me to enter a domain name eg. contoso.com, not an IP address but i put the IP address in anyway, and it did not resolve. So i say
it is C - comp2 ONLY
upvoted 30 times

  AZ_Guru_Wannabe 1 year, 3 months ago

good testing thx
upvoted 1 times

  friendlyvlad Most Recent  2 weeks, 3 days ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 507/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

C must be correct. When you ping an IP address, the DNS resolver is not involved. The rest of the choices will require the DNS resolver. BTW the
PTR record is wrong. Its value must be domain and not IP.
upvoted 1 times

  habbey 1 month, 2 weeks ago

anybody know why we cant use comp3 ?
upvoted 1 times

  Rams_84zO6n 2 months, 2 weeks ago

Selected Answer: C
A record resolves ip address 10.0.0.5 to comp2.contoso.com. The only other name we could find is a alias name (CNAME) record. But there is no
CNAME entries listed for comp2 so C is the answer
upvoted 1 times

  zellck 4 months ago

Selected Answer: C
C is the answer.

https://learn.microsoft.com/en-us/azure/dns/dns-zones-records#record-types
Each DNS record has a name and a type. Records are organized into various types according to the data they contain. The most common type is an
'A' record, which maps a name to an IPv4 address.
upvoted 4 times

  zellck 3 months, 4 weeks ago

Got this in Feb 2023 exam.
upvoted 7 times

  GBAU 4 months ago

You can't ping a txt record even if the text in the record is formatted as an IP address
Pinging a CNAME that points to a text record has the same result.
You can't ping a PTR record

Basically you can only ping an A record or a CNAME pointing to an A record (ignoring IP6)
upvoted 3 times

  typales2005 5 months ago

Selected Answer: C
Was in the 09/01/2023 exam
upvoted 4 times

  Pear7777 6 months ago

Correct answer schould be Comp2.contoso.com AND Comp3.contoso,com, because comp in the end also resolves to wanted IP. but that aswwr is
not there, so only C
upvoted 2 times

  andi_y 6 months ago

This is not correct. COMP3.contoso.oom redirects to COMP1.contoso.com BUT COMP1.contoso.com is a TXT RECORD and so not pingable. So
the only correct answer is C (COMP2.contoso.com)
upvoted 2 times

  klexams 7 months, 2 weeks ago

C. comp2 only. A record resolves fwd lookup.
upvoted 1 times

  sesky 7 months, 2 weeks ago

Who creates these sorts of answers? Can't get any more wrong!
upvoted 2 times

  dc2k79 7 months, 3 weeks ago

C
Comp 1 - TXT - it's just a text record used for domain validation, and is not used for resolving address
Comp2 - A Record - the actual record for IPv4-to-Domain resolution (others are CNAME and AAAA).
Comp 3 - CNAME - This is CNAMing to another computer and not Comp2
Comp4 - PTR - this record does not resolve to an IP. It resolves to a domain name.

Only correct choice is 'C'

upvoted 2 times

  crazyrobban 7 months, 3 weeks ago

Selected Answer: C
So many people saying B? The question clearly states what you can -ping- VM2 with.
Answer is C.
upvoted 1 times

  LUISCA2021 7 months, 3 weeks ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 508/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Selected Answer: B
nslookup working in any DNS
upvoted 1 times

  LUISCA2021 7 months, 3 weeks ago

The correct option is B. nslookup working in all DNS , this question in the exam 20 oct 22.
upvoted 1 times

  curtmcgirt 3 months, 3 weeks ago

who said anything about nslookup? the question says "ping," so the txt and ptr records, and a cname pointing at a txt record, don't do us any
good.
upvoted 1 times

  EmnCours 9 months, 1 week ago

Selected Answer: C
Correct Answer: C
upvoted 1 times

  EleChie 9 months, 2 weeks ago

You can lookup for any DNS records by using command line cmd:
1. nslookup -q=ptr google.com "PTR record"
2. nslookup -q=a google.com "A record" "IP address"
3. nslookup -q=mx google.com "Mail exchange record "
4. nslookup -q=cname google.com "Alias name"
5. nslookup -q=txt google.com "info"
6. nslookup -q=ns google.com "Identify DNS servers"
7. nslookup -q=dchid google.com "Inormation related to DHCP"
upvoted 4 times

  curtmcgirt 3 months, 3 weeks ago

now do 'ping' like the question says.
upvoted 1 times

  Hyrydar 7 months, 3 weeks ago

Your point being!!
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 509/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #83 Topic 5

HOTSPOT -
You have a network security group (NSG) named NSG1 that has the rules defined in the exhibit. (Click the Exhibit tab.)

NSG1 is associated to a subnet named Subnet1. Subnet1 contains the virtual machines shown in the following table.

You need to add a rule to NSG1 to ensure that VM1 can ping VM2. The solution must use the principle of least privilege.
How should you configure the rule? To answer, select the appropriate options in the answer area.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 510/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

Reference:
https://www.thomasmaurer.ch/2019/09/how-to-enable-ping-icmp-echo-on-an-azure-vm/

  speed2fast Highly Voted  1 year, 8 months ago

Answer is wrong. We need to undo the DENY_PING rule with the principle of least privilege.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 511/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Direction: Outbound
Source 10.1.0.10 (VM1)
Destination: 10.1.0.11 (VM2)
Priority: 110
upvoted 300 times

  Takloy 1 year, 6 months ago

This is what I had in mind. I thought I'm going nuts when I saw the answer. Admin should change it.
upvoted 23 times

  mdwSysOps 3 months, 3 weeks ago

this is the correct answer
upvoted 1 times

  Fananico 1 year, 7 months ago

I test it your answer is current
upvoted 7 times

  techrat 1 year, 2 months ago

I can confirm it's speed2fast is correct. it's on my exam yesterday, I passed with score 923 and got 100% correct on all of the network related
questions.
upvoted 15 times

  Quantigo Highly Voted  1 year, 8 months ago

Correct answer:
Direction: Outbound
Source 10.1.0.10 (VM1)
Destination: 10.1.0.11 (VM2)
Priority: 110
the given solution is not correct.
upvoted 33 times

  theOldOne 1 year, 8 months ago

What about inbound? Keep the rest the same.
upvoted 2 times

  yolap31172 1 year, 4 months ago

Since VM1 and VM2 are in the same subnet, NSG would apply both inbound and outbound rules to traffic. Your inbound rule could let the
ICMP request reach VM2, but existing outbound rule would prevent it from going out of VM1 in the first place.

Having an outbound rule with priority 110 overrides the existing Deny rule.
upvoted 11 times

  Jzx Most Recent  2 months, 1 week ago

Ping doest work if you mention only one direction.. ie VM1-->VM2

ping contains icmp echo request VM1---->VM2 & ICMP echo response VM2----> VM1 so its biderectional.. the given answer makes more sense...
upvoted 1 times

  Andrew04 2 months, 4 weeks ago

I've tested on my tenant:
Outbound rule
Source 10.0.0.10 (VM1)
Dest 10.0.0.11 (VM2)
Priority 110
Protocol ICMP

it works!
upvoted 2 times

  vbohr899 3 months, 2 weeks ago

Cleared Exam today 26 Feb, This question was there in exam.
upvoted 7 times

  Zeppoonstream 5 months, 2 weeks ago

Why is source and destination not 10.1.0.10; 10.1.0.11 ? Dont you need the rule to be vice versa?
upvoted 1 times

  Zeppoonstream 5 months ago

Edit: Ok got it. Its about the handshake. Only one connection is needed. You dont need to ensure that a inbound rule exists, because the traffic
is already allowed by the outbound rule.
upvoted 1 times

  Archie1206 7 months, 1 week ago

ping need to be two way, so the source and destination should both be 10.1.0.10/10.1.0.11. and direction outbound
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 512/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  klexams 7 months, 2 weeks ago

to override the existing rule DENY_PING:
Inbound
10.1.0.10
10.1.0.11
110
upvoted 2 times

  klexams 7 months, 3 weeks ago

inbound/outbound is allowed within VNET, BUT rule 111 stop the outbound. So we need a higher priority rule to allow this outbound for VM1 ping
to VM2. And with principle of least privilege in mind. Answer is:
Outbound
10.1.0.10
10.1.0.11
110
upvoted 5 times

  pkkalra 9 months, 1 week ago

as speed2fast said.

Direction: Outbound
Source 10.1.0.10 (VM1)
Destination: 10.1.0.11 (VM2)
Priority: 110

Please note that the rule won't block outbound response from VM2.
NSGs allow or deny the establishment of a TCP connection. Once a connection is established, traffic can flow both ways as needed without
obstruction. NSGs will not end active TCP connections either.
upvoted 2 times

  ZacAz104 9 months, 1 week ago

cant believe they got this wrong sounds stupid you have to mention source ip destination less priority
Direction: Outbound
Source 10.1.0.10 (VM1)
Destination: 10.1.0.11 (VM2)
Priority: 110
upvoted 1 times

  EmnCours 9 months, 1 week ago

Direction: Outbound
Source 10.1.0.10 (VM1)
Destination: 10.1.0.11 (VM2)
Priority: 110
upvoted 1 times

  F117A_Stealth 9 months, 2 weeks ago

Correct answer:
Direction: Outbound
Source 10.1.0.10 (VM1)
Destination: 10.1.0.11 (VM2)
Priority: 110
upvoted 2 times

  gg905 1 year, 1 month ago

If you do Priority 111, will it overwrite the existing deny rule?
upvoted 1 times

  Dobby25 1 year, 2 months ago

Received this on my exam today 19/03/2022
upvoted 3 times

  ajayasa 1 year, 3 months ago

this question was there on 16/03/2022 with same question and passed with 900 percent
upvoted 3 times

  benvdw 1 year, 3 months ago

on exam 13/3/2022
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 513/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #84 Topic 5

A. Yes

B. No

Correct Answer: B
Each client computer that connects to a VNet using Point-to-Site must have a client certificate installed. You generate a client certificate from
the self-signed root certificate, and then export and install the client certificate. If the client certificate is not installed, authentication fails.
Reference:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-certificates-point-to-site

Community vote distribution

B (100%)

  Quantigo Highly Voted  1 year, 8 months ago

Correct Answer: B
the certificate needs to be installed on the machine you are counting from.
upvoted 30 times

  zellck Most Recent  4 months ago

Selected Answer: B
B is the answer.

https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-certificates-point-to-site#clientcert
Each client computer that connects to a VNet using Point-to-Site must have a client certificate installed. You generate a client certificate from the
self-signed root certificate, and then export and install the client certificate. If the client certificate isn't installed, authentication fails.
upvoted 1 times

  mung 6 months, 4 weeks ago

You have to export a self signed certificate from the root certificate and install it in the machine.
upvoted 1 times

  klexams 7 months, 2 weeks ago

No. You need the cert on comp2.
upvoted 1 times

  Oualy 8 months, 3 weeks ago

Correct Answer: B
You must export the client certificate from Computer1 and install the certificate on Computer2.
The point-to-site connection uses a self-signed certificate.
upvoted 2 times

  EmnCours 9 months, 1 week ago

Selected Answer: B
Correct Answer: B
upvoted 2 times

  bduhamel 1 year, 3 months ago

Selected Answer: B
Answer is B
upvoted 1 times

  Teringzooi 1 year, 3 months ago

Selected Answer: B

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 514/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Correct Answer: B

you need to install certificate on the machine you are counting from.
upvoted 1 times
  JayJay22215 1 year, 3 months ago
Selected Answer: B
Correct approach would be to export Cert from Computer1 and install it on Computer2
upvoted 1 times

  nileshlg 1 year, 5 months ago

Selected Answer: B
Answer is B
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 515/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #85 Topic 5

A. Session persistence to Client IP and protocol

B. Protocol to UDP

C. Session persistence to None

D. Floating IP (direct server return) to Enabled

Correct Answer: A
Reference:
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-distribution-mode?tabs=azure-portal

Community vote distribution

A (100%)

  HananS Highly Voted  1 year, 5 months ago

The following options are available:

None (hash-based) - Specifies that successive requests from the same client may be handled by any virtual machine.
Client IP (source IP affinity two-tuple) - Specifies that successive requests from the same client IP address will be handled by the same virtual
machine.
Client IP and protocol (source IP affinity three-tuple) - Specifies that successive requests from the same client IP address and protocol combination
will be handled by the same virtual machine.
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-distribution-mode?tabs=azure-portal
The answer is A
upvoted 8 times

  zellck Most Recent  4 months ago

Selected Answer: A
A is the answer.

  Manu_0502 5 months, 3 weeks ago

Selected Answer: A
A. Session persistence to Client IP and protocol
upvoted 1 times

  klexams 7 months, 2 weeks ago

Selected Answer: A
A. Session persistence to Client IP and protocol
upvoted 1 times

  tahirMScert 8 months, 2 weeks ago

this was on exam 03oct2022 , I scored 870 and answered as Examtopics answer
upvoted 3 times

  EmnCours 9 months, 1 week ago

Selected Answer: A
Correct Answer: A
upvoted 1 times

  benvdw 1 year, 3 months ago

on exam 13/3/2022
upvoted 1 times

  G_unit_19 1 year, 3 months ago

Selected Answer: A
Straight forward easy question
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 516/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 2 times
  Teringzooi 1 year, 3 months ago
Selected Answer: A
Answer is correct: A

Session persistence!
upvoted 2 times

  Sukorak 1 year, 6 months ago

Anser is correct :A
upvoted 4 times

  Sukorak 1 year, 6 months ago

Answer is correct: A
upvoted 3 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 517/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #86 Topic 5

You have an Azure subscription that uses the public IP addresses shown in the following table.

You need to create a public Azure Standard Load Balancer.

Which public IP addresses can you use?

A. IP1, IP2, and IP3

B. IP2 only

C. IP3 only

D. IP1 and IP3 only

Correct Answer: C
Matching SKUs are required for load balancer and public IP resources. You can't have a mixture of Basic SKU resources and standard SKU
resources.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/ip-services/public-ip-addresses

Community vote distribution

C (100%)

  Sukorak Highly Voted  1 year, 6 months ago

Answer is correct: C
upvoted 13 times

  shadad Highly Voted  3 months, 1 week ago

Selected Answer: C
I took Exam of Azure- 104 at 27/2/2023
I score 920 points out of 1000 points. This was on it and my answer was: C
upvoted 9 times

  JayLearn2022 Most Recent  3 months, 3 weeks ago

Answer: C
A Basic Load Balancer can use the Basic SKU Public IP address's, but a Standard load balancer requires a Standard SKU Public IP address.

Excerpt from link below:

The standard SKU is required if you associate the address to a standard load balancer. For more information about standard load balancers, see
Azure load balancer standard SKU.

https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/virtual-network-public-ip-address

Excerpt from link below:

Key scenarios that you can accomplish using Azure Standard Load Balancer include:
-Enable support for load-balancing of IPv6.

https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-overview#why-use-azure-load-balancer
upvoted 3 times

  zellck 4 months ago

Selected Answer: C
C is the answer.

  GBAU 4 months ago

C is the most correct. I don't think you can currently use IP6 for load balances yet. Needs to be IPv4 but all IPs are listed as 6 and there is no "None"
option so just roll with it.
upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 518/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  GBAU 4 months ago

My bad, seems they can. (I was sure I read a few hours ago they couldn't)
https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-overview
upvoted 3 times

  meeko86 5 months, 4 weeks ago

Selected Answer: C
Matching SKUs are required for load balancer and public IP resources. You can't have a mixture of Basic SKU resources and standard SKU resources.
upvoted 1 times

  klexams 7 months, 2 weeks ago

IP3 as both SKUs of IL and PIP have to be the same i.e. Standard
upvoted 2 times

  tahirMScert 8 months, 2 weeks ago

this was on exam 03oct2022 , I scored 870 and answered as Examtopics answer
upvoted 4 times

  majerly 8 months, 2 weeks ago

today in exam is C
upvoted 2 times

  EmnCours 9 months, 1 week ago

Selected Answer: C
Correct Answer: C
upvoted 1 times

  Teringzooi 1 year, 3 months ago

Selected Answer: C
Answer is correct: C
Basic SKU IP can not be combined with standard LB.
upvoted 2 times

  JayJay22215 1 year, 3 months ago

None of the given, because noone is using ipv6!
All jokes aside, its C
upvoted 2 times

  Redimido 1 year, 4 months ago

Selected Answer: C
BASIC SKU not an option here.
upvoted 2 times

  amiri7171 1 year, 4 months ago

Selected Answer: C
Answer is correct: C
upvoted 2 times

  [Removed] 1 year, 5 months ago

Weird question this one, because IP1 is an iPv6 Basic address but it says that it's Static. That is not supported as part of the Basic SKU. But
regardless, the answer is correct: C. Because you can't mix SKUs with Load Balancers.
upvoted 2 times

  blockhead72 1 year, 5 months ago

Selected Answer: C
C is correct
upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 519/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #87 Topic 5

You have an Azure subscription.

You are deploying an Azure Kubernetes Service (AKS) cluster that will contain multiple pods. The pods will use kubernet networking.
You need to restrict network traffic between the pods.
What should you configure on the AKS cluster?

A. the Azure network policy

B. the Calico network policy

C. pod security policies

D. an application security group

Correct Answer: B
Reference:
https://docs.microsoft.com/en-us/azure/aks/use-network-policies

Community vote distribution

B (98%)

  ninjia Highly Voted  1 year, 5 months ago

Selected Answer: B
I think the correct answer is B.
The question describes “the pods will use kubernet networking.”

To provide network connectivity, AKS clusters can use kubenet (basic networking) or Azure CNI (advanced networking).

Azure Network Policies supports Azure CNI only. Calico Network Policies supports both Azure CNI (Windows Server 2019 and Linux) and kubenet
(Linux).

Hence, the correct answer is B.

Reference
https://docs.microsoft.com/en-us/azure/aks/use-network-policies
https://docs.microsoft.com/en-us/azure/aks/configure-kubenet
upvoted 30 times

  RougePotatoe 4 months ago

To summarize. You need calico network policy because this question explicitly stated "pods will use kubernet networking." which means you
need a policy that can support kubernet networking.

Look at supported networking options of the following link.

https://learn.microsoft.com/en-us/azure/aks/use-network-policies#differences-between-azure-network-policy-manager-and-calico-network-
policy-and-their-capabilities
upvoted 1 times

  ITprof99 Highly Voted  1 year, 5 months ago

On exam 01.02.22
Answer: B
upvoted 16 times

  ojogbon Most Recent  2 months, 1 week ago

On the exam Apr 2nd, 2023
upvoted 6 times

  CyberKelev 3 months, 2 weeks ago

Selected Answer: A
To restrict network traffic between pods in an Azure Kubernetes Service (AKS) cluster, you should configure the Azure network policy.
upvoted 1 times

  zellck 4 months ago

Selected Answer: B
B is the answer.

https://learn.microsoft.com/en-us/azure/aks/use-network-policies#differences-between-azure-network-policy-manager-and-calico-network-
policy-and-their-capabilities
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 520/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  zellck 3 months, 4 weeks ago

Got this in Feb 2023 exam.
upvoted 2 times

  zellck 4 months ago

Calico Network Policy Supported networking options
- Azure CNI (Linux, Windows Server 2019 and 2022) and kubenet (Linux)
upvoted 1 times

  typales2005 5 months ago

Selected Answer: B
was in the 09/01/2023 exam
upvoted 7 times

  klexams 7 months, 2 weeks ago

B for kubenet.
Azure NPM:
Linux, Windows Server 2022
Azure CNI

Calico Network Policy:

Linux, Windows Server 2019 and 2022
Azure CNI (Linux, Windows Server 2019 and 2022) and kubenet (Linux)
upvoted 2 times

  Makarand123 7 months, 2 weeks ago

There's other way also using 'linkered' service mesh but not given here
upvoted 1 times

  EmnCours 9 months, 1 week ago

Selected Answer: B
B. the Calico network policy Most Voted
upvoted 1 times

  ajayasa 1 year, 3 months ago

this question was there on 16/03/2022 with same question and passed with 900 percent
upvoted 1 times

  mmtechsolutionsinc 1 year, 3 months ago

Selected Answer: B
I think the correct answer is B.
The question describes “the pods will use kubernet networking.”

To provide network connectivity, AKS clusters can use kubenet (basic networking) or Azure CNI (advanced networking).

Azure Network Policies supports Azure CNI only. Calico Network Policies supports both Azure CNI (Windows Server 2019 and Linux) and kubenet
(Linux).

Hence, the correct answer is B.

Reference
https://docs.microsoft.com/en-us/azure/aks/use-network-policies
https://docs.microsoft.com/en-us/azure/aks/configure-kubenet
upvoted 2 times

  theorut 1 year, 3 months ago

Caligula policy.
upvoted 3 times

  daniel1ionut 1 year, 4 months ago

On exam 05/02/22
Asnwer:B
upvoted 4 times

  amiri7171 1 year, 4 months ago

Answer: B

" The Network Policy feature in Kubernetes lets you define rules for ingress and egress traffic between pods in a cluster."

reference: https://docs.microsoft.com/en-us/azure/aks/use-network-policies
upvoted 2 times

  deltarj 1 year, 4 months ago

Where are mlantonis and fedztedz? ...demo version ended? :(
upvoted 11 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 521/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  AzureG0d 7 months, 2 weeks ago

lmfao right! I promise i keep thinking the same thing. Who are these new faces i see!
upvoted 1 times

  Gadzee 1 year, 4 months ago

Hahahahaha, very few comments now.
upvoted 4 times

  _punky_ 1 year, 5 months ago

Hey, but in Kub u can get rid off Calico and use alternative networking solution. So idk
upvoted 1 times

  _punky_ 1 year, 5 months ago

https://docs.microsoft.com/en-us/azure/aks/use-network-policies#network-policy-options-in-aks
upvoted 1 times

  HananS 1 year, 5 months ago

The answer is correct because azure kubernates network policy works only in Linux so calico is the one who works in Linux or windows
https://docs.microsoft.com/en-us/azure/aks/use-network-policies
upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 522/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #88 Topic 5

HOTSPOT -
You have an Azure subscription that contains a virtual network named VNet1. VNet1 uses an IP address space of 10.0.0.0/16 and contains the
VPN Gateway and subnets in the following table:

Subnet1 contains a virtual appliance named VM1 that operates as a router.

You create a routing table named RT1.
You need to route all inbound traffic from the VPN gateway to VNet1 through VM1.
How should you configure RT1? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

  mlantonis Highly Voted  2 years ago

Correct Answer:

Box 1: 10.0.0.0/16
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 523/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Address prefix
destination-> Vnet 1 (Address space of Vnet1)

Box 2: Virtual appliance

Next hop type
VM1 ->Virtual Appliance. You can specify IP address of VM 1 when configuring next hop as Virtual appliance.

Box 3: Gateway Subnet

Assigned to
This route is to be followed by Gateway Subnet for the incoming traffic. You can associate routing table to the Subnet from Rout Table -> subnet -
>Associate.
upvoted 135 times

  AzureG0d 7 months, 2 weeks ago

finally he's back lol
upvoted 33 times

  Holydud 9 months, 4 weeks ago

Was on exam 19 Aug 2022. Scored 870. Around 85% questions were also on ET. Answered:

Box1: 10.0.0.0/16
Box2: Virtual appliance
Box3: GatewaySubnet
upvoted 15 times

  Tom900 Highly Voted  2 years, 6 months ago

Answer is correct.

See the explanation below from AZ-103 source.

Address prefix- destination-> Vnet 1 (Address space of Vnet1)

2. Next Hop - VM1 ->Virtual Appliance (You can specify IP address of VM 1 when configuring next hop as virtual appliance)
3.Assignment - This route is to be followed by Gateway Subnet for the incoming traffic. You can associate routing table to the Subnet from Rout
Table -> subnet ->Associate
upvoted 56 times

  mikl 2 years, 4 months ago

Agree!
upvoted 2 times

  picho707 Most Recent  1 week, 2 days ago

Microsoft naming convention drives me nuts!!!.
upvoted 1 times

  yaboo1617 2 months ago

ROUTE Address prefix = TO
ROUTE Next Hop = THROUGH
ROUTE Assignment = FROM
upvoted 3 times

  zellck 4 months ago

1. 10.0.0.0/16
2. Virtual appliance
3. GatewaySubnet

https://learn.microsoft.com/en-us/azure/virtual-network/tutorial-create-route-table-portal
upvoted 3 times

  klexams 7 months, 2 weeks ago

traffic to vnet1 addresses 10.0.0.0/16
VM1 as the next hop as router is a Virtual Appliance
outside traffic comes through GatewaySubnet
upvoted 2 times

  EmnCours 9 months, 3 weeks ago

Answer is correct.
upvoted 2 times

  manalshowaei 1 year ago

See the explanation below from AZ-103 source.

Address prefix- destination-> Vnet 1 (Address space of Vnet1)

  babzbabz 1 year ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 524/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Came on exam today (24/05-2022)

upvoted 1 times

  Dobby25 1 year, 2 months ago

Received this on my exam today 19/03/2022
upvoted 3 times

  Tokawa 1 year, 8 months ago

Why is this not an IP address for Subnet1?
upvoted 1 times

  AubinBakana 1 year, 8 months ago

Answer is correct:

- Source: 10.0.254.0
- Next Hop: NVA
- Assigned to 10.0.0.0/16. This covers 10.0.0.0/24, 10.0.1.0/24, 10.0.2.0/24
upvoted 2 times

  AubinBakana 1 year, 9 months ago

I can picture this question coming in every single test. Answer is correct
upvoted 2 times

  JimBobSquare101 1 year, 10 months ago

In 30 July 2021
upvoted 5 times

  _UNA_ 1 year, 11 months ago

You can watch this video for more clarity https://www.youtube.com/watch?v=sBII38Fngmk
upvoted 5 times

  MimeTalk 1 year, 10 months ago

thanks for sharing
upvoted 2 times

  Shiven12 1 year, 11 months ago

This question came in Exam
upvoted 2 times

  Raj_az104 2 years, 2 months ago

How did we get 10.0.0.0/16
upvoted 3 times

  ddb116 2 years, 2 months ago

Because we want all data from the /16 to go to the router.
upvoted 6 times

  SnakePlissken 2 years, 1 month ago

10.0.0.0/16 is the IP address space of VNET1.
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 525/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #89 Topic 5

A. Floating IP (direct server return) to Enabled

B. Floating IP (direct server return) to Disabled

C. a health probe

D. Session persistence to Client IP and Protocol

Note:
There are several versions of this question in the exam. The question can have other incorrect answer options, including the following:
1. Idle Time-out (minutes) to 20
2. Protocol to UDP
Reference:
https://cloudopszone.com/configure-azure-load-balancer-for-sticky-sessions/

Community vote distribution

D (100%)

  mlantonis Highly Voted  2 years ago

Correct Answer: D

With Sticky Sessions when a client starts a session on one of your web servers, session stays on that specific server. To configure An Azure Load-
Balancer for Sticky Sessions set Session persistence to Client IP.
upvoted 49 times

  Hibs2016 Highly Voted  2 years, 6 months ago

Answer is correct, D - Session Persistence to Client IP and Protocol
upvoted 34 times

  zellck Most Recent  4 months ago

Selected Answer: D
D is the answer.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 526/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

https://learn.microsoft.com/en-us/azure/load-balancer/distribution-mode-concepts
Session persistence: Client IP and protocol
- Traffic from the same client IP and protocol is routed to the same backend instance
upvoted 1 times
  klexams 7 months, 2 weeks ago
Selected Answer: D
D. Session persistence to Client IP and Protocol
upvoted 2 times

  tahirMScert 8 months, 2 weeks ago

this was on exam 03oct2022 , I scored 870 and answered as Examtopics answer
upvoted 3 times

  EmnCours 9 months, 3 weeks ago

Selected Answer: D
Correct Answer: D
upvoted 1 times

  Lazylinux 12 months ago

Selected Answer: D
D is correct and is called Sticky Sessions like Microsoft ones sticks never let go!!
upvoted 3 times

  manalshowaei 1 year ago

Selected Answer: D
D. Session persistence to Client IP and Protocol
upvoted 2 times

  amunator 1 year ago

Selected Answer: D
Correct answer.
upvoted 1 times

  josevirtual 1 year, 3 months ago

Selected Answer: D
Session Persistence is correct
upvoted 3 times

  hanyahmed 1 year, 5 months ago

it is right answer "Session persistence"
upvoted 1 times

  khengoolman 1 year, 8 months ago

Passed 11 Oct 2021 with 947. This question appeared, correct Answer is D
upvoted 7 times

  kashi1983 1 year, 10 months ago

Answer is D.
upvoted 2 times

  nimz77 1 year, 10 months ago

came in 8.8.2021 exam.
upvoted 4 times

  nimz77 1 year, 10 months ago

Same in 8.8.2021 exam.
upvoted 2 times

  wsscool 1 year, 11 months ago

in exam 7/3/2021
upvoted 3 times

  lucky_18 1 year, 11 months ago

came in exam on June 28 2021
upvoted 3 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 527/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #90 Topic 5

HOTSPOT -
You have an Azure subscription that contains the virtual machines shown in the following table:

VM1 and VM2 use public IP addresses. From Windows Server 2019 on VM1 and VM2, you allow inbound Remote Desktop connections.
Subnet1 and Subnet2 are in a virtual network named VNET1.
The subscription contains two network security groups (NSGs) named NSG1 and NSG2. NSG1 uses only the default rules.
NSG2 uses the default rules and the following custom incoming rule:
✑ Priority: 100
✑ Name: Rule1
✑ Port: 3389
✑ Protocol: TCP
✑ Source: Any
✑ Destination: Any
✑ Action: Allow
NSG1 is associated to Subnet1. NSG2 is associated to the network interface of VM2.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

  fedztedz Highly Voted  2 years, 5 months ago

Answer is correct . No, Yes, Yes.
No: VM1 has default rules which denies any port open for inbound rules
Yes: VM2 has custom rule allowing RDP port
Yes: VM1 and VM2 are in the same Vnet. by default, communication are allowed
upvoted 160 times

  namkio0o 8 months, 2 weeks ago

Not agree. NO, NO, Yes.
for the second NO: NSG1 is associated with subnet which blocks RDP and in order for RDP to work, both the subnet and the NIC NSGs need to
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 528/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

allow RDP in.

upvoted 12 times

  Slimus 1 week, 1 day ago

Box 2: YES - "NSG1 is associated to Subnet1" - VM2 is in Subnet2
upvoted 1 times

  otonx 6 months, 3 weeks ago

read again the question \, you are misleading
upvoted 2 times

  crazyrobban 7 months, 3 weeks ago

VM2 is associated with NSG2, not NSG1. So the answer is yes.
upvoted 1 times

  Pwnisnoob 2 years, 5 months ago

No yes no. With nsg rdp ports need to be open in both
upvoted 7 times

  Durden871 3 months ago

N, Y, Y. You opened inbound traffic from literally anywhere on VM2. Why would it work on the internet, but not VM1? There's no mention of
them being on a different network. Outbound is allow all by default. Inbound is the opposite.
upvoted 1 times

  mung 6 months, 4 weeks ago

defualt NSG allows all traffic for inbound which means rdp is allowed as well.
upvoted 3 times

  Julie444 2 years ago

Exactly no one pays attention to the Q! RDP people, RDP.
upvoted 1 times

  Lkk51 2 years ago

Subnet1 and Subnet2 are in a virtual network named VNET1.

check default NSG rule https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview

upvoted 3 times

  DodgyD 2 years, 5 months ago

I would suggest Yes to box 3 because
Yes: NSG2 is using the default rules - deny all - but has a higher priority rule allowing RDP protocol from anywhere on the NIC, so RDP access
from VM1 is permitted. Without this rule, if a default rule NSG was applied to the NIC, RDP would fail regardless of VMs being in same subnet.
upvoted 5 times

  DodgyD 2 years, 5 months ago

Intra-Subnet traffic
It's important to note that security rules in an NSG associated to a subnet can affect connectivity between VM's within it. For example, if a
rule is added to NSG1 which denies all inbound and outbound traffic, VM1 and VM2 will no longer be able to communicate with each other.
Another rule would have to be added specifically to allow this.
upvoted 5 times

  Lapiduse 2 years, 4 months ago

Agree, nothing to add
No, Yes, Yes.
upvoted 4 times

  mlantonis Highly Voted  2 years ago

Correct Answer:

Box 1: No
NSG1 has default rules, which denies any port open for inbound rules

Box 2: Yes
NSG2 has custom Rule1, allowing RDP port 3389 with TCP.

Box 3: Yes
VM1 and VM2 are in the same Vnet. By default, communication is allowed.
upvoted 118 times

  RougePotatoe 4 months ago

Box3 is questionable. The question asked specifically on if VM1 can RDP into VM2.

The VMs are on azure. The only ways I can think of that will allow you to RDP into the other server are through RDP or bastion which will require
the use of RDP on the first server. Nested RDP is not supported.

"Only one level of nested Remote Desktop connection is supported. Establishing a Remote Desktop connection from inside a nested Remote

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 529/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Desktop connection isn't supported."

https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/run-remote-desktop-connection-session
upvoted 2 times

  RougePotatoe 4 months ago

In theory, if you ignore the fact that you probably RDP'd into VM1, you could RDP into VM2. Unless someone can come up with a way that
would allow you to connect to VM1 that doesn't use bastion or RDP i'm going to say you can't RDP into VM2 because nested RDP is not
supported.
upvoted 1 times

  RougePotatoe 3 months, 4 weeks ago

Well I just tested in azure with RDP (downloaded file) then from VM1 tried RDC (remote desktop connection app) into vm2 over public IP
and it worked so you can RDP then RDC into another vm. Both uses port 3389
upvoted 2 times

  Benzitho Most Recent  1 month ago

Correct Answer : Yes, Yes , Yes
Box1: The default inbound rule allows traffic from all sources to all destinations on all ports and protocols, unless a more specific rule is defined
that overrides this rule. This means that if you create a new VM and associate it with an NSG that has only the default inbound rule, the VM will be
accessible from anywhere on the internet.
Box 2: NSG2 has custom Rule1, allowing RDP port 3389 with TCP.
Box 3:VM1 and VM2 are in the same Vnet. By default, communication is allowed.
upvoted 1 times

  zellck 4 months ago

NYY is the answer.

https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview#default-security-rules
upvoted 1 times

  adeyhtech87 4 months, 2 weeks ago

The correct answer is NO -> Yes -> Yes.

1. VM1 is in subnet 1 which has default Inbound rules. SO traffic is blocked from the internet.
2. As VM2 is in SUbnet 2 and NSG 2 with Custom RDP port allow rule on NSG2 is attached to VM2's NIC level and as Subnet 2 doesn't have any
NSG attached, so any traffic from internet will reach the NSG2 from VNET -> SUbnet2 -> NSG2. And on NSG2, due to custom allowed rule of 3389,
RDP will work from the internet over VM's public IP.
3. Azure routes traffic within a VNET automatically. As NSG2 has RDP port allowed from any source, so VM1 can connect to VM2 over it's private IP.
upvoted 2 times

  adeyhtech87 4 months, 2 weeks ago

I think the answer is No -> No -> Yes.

NSG1 is attached to Subnet1 which is with the default rule. In the Default rule, there's no allowance of RDP from Internet.Hence, RDP won't work on
VM1 from the internet.

For second box, the VM2 has NSG2 attached on it’s NIC and VM2 is attached to Subnet 2, which doesn’t seem to have any Security rule / separate
custom NSG attached (at least didn’t see in the question), so I presume that Subnet 2 has Default NSG rule whereas VM2’s NIC has allowance for
RDP. But since the Vm2 inbound traffic on port 3389 is blocked at Subnet 2 level due to default rule, so Internet to VM2 is ‘No’.

Since within VNET / Subnet all traffic allowed, so RDP is allowed by default. Hence, it’s ‘Yes’.
upvoted 1 times

  perix 5 months ago

Did test in the lab.
n, n, y
When I removed nsg1 or added rdp rule to nsg1 only then vm2 could be connected from the internet with RDP.
upvoted 1 times

  perix 5 months ago

It is N, Y, Y I tested wrong.
My bad.
upvoted 4 times

  Bigc0ck 5 months, 1 week ago

similar question on the test! makee sure to understand this as they wills withc it up
upvoted 2 times

  klexams 7 months, 2 weeks ago

N VM1 > subnet1 > NSG1 applies = no rdp allowed.
Y VM2 > subnet2 > NIC > NSG2 applies = rdp allowed.
Y same VNET = no restriction between subnets by default. RDP is allowed on both VMs themselves.
upvoted 3 times

  EmnCours 9 months, 3 weeks ago

Answer is correct . No, Yes, Yes.
No: VM1 has default rules which. Inbound rules: By default, there will be three inbound security rules (allow virtual network traffic, allow load
balancer traffic, deny all other traffic) added to an NSG when you create NSG. All inbound traffic except the traffic from virtual network and Azure
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 530/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

load balancer is not allowed.

Yes: VM2 has custom rule allowing RDP port
Yes: VM1 and VM2 are in the same Vnet. by default, communication are allowed
upvoted 5 times
  Lazylinux 11 months, 4 weeks ago
NYY and as per others comments
upvoted 2 times

  Lazylinux 1 year ago

NO YES YES
Here it is described the default security rules:
https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview#default-security-rules

As you can see, by default, it allows:

AllowVNetInBound
AllowAzureLoadBalancerInBound
AllowVnetOutBound
AllowInternetOutBound
upvoted 1 times

  mbaybarsk 1 year ago

NNY, not even debatable.

NSG1 is associated with subnet which blocks RDP and in order for RDP to work, both the subnet and the NIC NSGs need to allow RDP in.

https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works#inbound-traffic
"For inbound traffic, Azure processes the rules in a network security group associated to a subnet first, if there is one, and then the rules in a
network security group associated to the network interface, if there is one."
upvoted 4 times

  mbaybarsk 1 year ago

I'm apparently wrong. NSG1 is only associated with one of the subnets.
upvoted 3 times

  juniorccs 1 year, 1 month ago

I tested it today. The answers are

No: VM1 has default rules which deny any port open for inbound rules (YES)
Yes: VM2 has custom rule allowing RDP port (it's possible)
Yes: VM1 and VM2 are in the same Vnet. by default, communication are allowed and The Windows firewall by default opens the 3389 in the
Windows. I am not sure why in the question it says that you enabled the RDP from VM1 to VM2, it's by default enabled
upvoted 2 times

  ajayasa 1 year, 3 months ago

this question was there on 16/03/2022 with same question and passed with 900 percent
upvoted 3 times

  DES123 1 year, 3 months ago

For inbound traffic, Azure processes the rules in a network security group associated to a subnet first, if there is one, and then the rules in a
network security group associated to the network interface, if there is one.

VM1: The security rules in NSG1 are processed, since it is associated to Subnet1 and VM1 is in Subnet1. Unless you've created a rule that allows
port 80 inbound, the traffic is denied by the DenyAllInbound default security rule, and never evaluated by NSG2, since NSG2 is associated to the
network interface. If NSG1 has a security rule that allows port 80, the traffic is then processed by NSG2. To allow port 80 to the virtual machine,
both NSG1 and NSG2 must have a rule that allows port 80 from the internet.
https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works

After checking this example from Microsoft, NSG1 will block RDP by deafult therefore, it is not processed by NSG2. so RDP is not allow to vm1 and
2 from the internet.
Since nsg2 allow rdp on interface level, vm1 can rdp to vm2 so the answer is:
NNY
upvoted 5 times

  Pak149 1 year, 4 months ago

No, No Yes
https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works
upvoted 3 times

  Pak149 1 year, 3 months ago

NO, Yes, Yes - since the NSG1 is assigned to subnet 1 only.
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 531/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #91 Topic 5

You have an Azure subscription that contains two virtual machines named VM1 and VM2.
You create an Azure load balancer.
You plan to create a load balancing rule that will load balance HTTPS traffic between VM1 and VM2.
Which two additional load balancer resources should you create before you can create the load balancing rule? Each correct answer presents part
of the solution.
NOTE: Each correct selection is worth one point.

A. a frontend IP address

B. an inbound NAT rule

C. a virtual network

D. a backend pool

E. a health probe

Correct Answer: DE
Reference:
https://docs.microsoft.com/en-us/azure/load-balancer/components

Community vote distribution

DE (88%) 10%

  tp42 Highly Voted  1 year, 1 month ago

Selected Answer: DE
D and E.
You can't create a LB without FrontEnd IP, so if we have a LB we also have a FrontEnd IP already. You can however create a LB without a backend
pool and without any rules. If you want to add a rule to your LB later you have to create a backend pool and health probe first. Those are
mandatory properties for a rule. I also tested it in my lab to be sure.
upvoted 40 times

  Jayz5436 1 year, 1 month ago

Tried in my lab as well this is correct. You need a frontend ip to create an empty load balancer which in this case the question says that it's
created. adding a load balancing rule requires you to specify backend pool and health probe
upvoted 4 times

  Mev4953 9 months ago

Yes, you`re right. It says LB is created already og ask about LB rule. To get created the LB requires frontend IP must first be created , which is
not issue in this case
upvoted 1 times

  kennynelcon Highly Voted  1 year, 1 month ago

Selected Answer: AD
Answer ; A and D
Select; Frontend IP
When done with configuration steps.

Select Next: Backend pools

https://docs.microsoft.com/en-us/azure/load-balancer/quickstart-load-balancer-standard-public-portal
upvoted 5 times

  zellck Most Recent  4 months ago

Selected Answer: DE
DE is the answer.

https://learn.microsoft.com/en-us/azure/load-balancer/components
upvoted 1 times

  FindOcult 7 months ago

I don't think that options A, B, and C are Load Balancer resources. Am I right?
upvoted 1 times

  awssecuritynewbie 8 months, 2 weeks ago

Selected Answer: DE

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 532/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

this makes sense, you would need a frontendip but the LB has been created so to have a rule for the LB you would need the backend pool and
health probe
upvoted 1 times
  EmnCours 9 months, 1 week ago
Selected Answer: DE
Correct Answer: DE
upvoted 1 times

  sjb666 1 year, 1 month ago

Selected Answer: DE
D & E. I have just double checked this in the portal, mandatory fields are Health Probe and Backend Pool.
upvoted 2 times

  michaelmorar 1 year, 1 month ago

Selected Answer: DE
DE seems correct - I might be wrong but if you have an LB, it follows that you already have a Frontend IP?

So you need a Backend Pool and Health Probe

Experts, please jump in and correct me!

upvoted 1 times

  mikextreme 1 year, 1 month ago

Selected Answer: AB
Should be A,B

Get an Frontend IP
Get an Backend Pool

Then we will be able to set up load balancing rules

upvoted 1 times

  MentalG 1 year, 1 month ago

Do you mean A,D?
upvoted 2 times

  mikextreme 1 year, 1 month ago

Sorry Im wrong
https://docs.microsoft.com/en-us/azure/load-balancer/manage-rules-how-to
According to this Article,
We need

A. Get an Frontend IP
D. Get an Backend Pool
E. Health Probe

B and C apparently is wrong.

Since D. Get an Backend Pool - This is mentioned and we know it's VM1 and VM2 but never saying a pool has been created

So it left us A D and E

But D Option got mentioned and test asks for 2 answers, I would choose A and E, but Assume that all combinations btw those 3 might be
considered as correct.
upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 533/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #92 Topic 5

You have an on-premises network that contains a database server named dbserver1.
You have an Azure subscription.
You plan to deploy three Azure virtual machines. Each virtual machine will be deployed to a separate availability zone.
You need to configure an Azure VPN gateway for a site-to-site VPN. The solution must ensure that the virtual machines can connect to dbserver1.
Which type of public IP address SKU and assignment should you use for the gateway?

A. a basic SKU and a static IP address assignment

B. a standard SKU and a static IP address assignment

C. a basic SKU and a dynamic IP address assignment

Correct Answer: C
VPN gateway supports only Dynamic.
Note: VPN gateway requires a public IP address for its configuration. A public IP address is used as the external connection point of the VPN.
Specify in the values for Public IP address. These settings specify the public IP address object that gets associated to the VPN gateway. The
public IP address is dynamically assigned to this object when the VPN gateway is created. The only time the Public IP address changes is when
the gateway is deleted and recreated.
Reference:
https://docs.microsoft.com/en-us/azure/vpn-gateway/tutorial-site-to-site-portal

Community vote distribution

B (81%) C (19%)

  RichardBill Highly Voted  9 months, 2 weeks ago

Selected Answer: B
Ok this one is new but Lets talk about it: So this would be a "Zonal Gateway at least right"? Theres no talk about the gateway being Zoneredundant
but for it to be even Zonal it needs to be an AZ-SKU Tier right? And those always come with a Standard Public IP SKU which is Static? So B? Heres
my source https://docs.microsoft.com/en-us/azure/vpn-gateway/about-zone-redundant-vnet-gateways The explanation given here is definitley
rubbish
upvoted 19 times

  mung 6 months, 4 weeks ago

It's c.
VPN Gateway supports only "dynamic".
https://learn.microsoft.com/en-us/azure/vpn-gateway/tutorial-site-to-site-portal
upvoted 2 times

  rqFamily 6 months, 2 weeks ago

no dynamic type only supported under basic ip address type , and we need to create standard ip address type to support zonal so ip address
must be static
upvoted 2 times

  klexams Highly Voted  7 months, 2 weeks ago

Selected Answer: B
Answer is B. since the VMs are in AZ then VPN gateway will have to on AZ which will rely on Azure public IP resource Standard SKU. And must be
Static as Dynamic is only for non-AZ. See links below.
https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/public-ip-addresses#at-a-glance
https://learn.microsoft.com/en-us/azure/vpn-gateway/about-zone-redundant-vnet-gateways
upvoted 9 times

  margotfrpp Most Recent  1 month, 3 weeks ago

Selected Answer: B
Focus on this part of the question: " Each virtual machine will be deployed to a separate availability zone."
ALWAYS REMENBER THAT :
- Basic Load Balancer: Virtual machines in a single availability set or virtual machine scale set.
- Standard Load Balancer: Any virtual machines or virtual machine scale sets in a single virtual network.
So in this case it's Standart
upvoted 7 times

  CyberKelev 3 months, 1 week ago

Selected Answer: B
The correct answer is B. a standard SKU and a static IP address assignment
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 534/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  yana_b 3 months, 1 week ago

Correct answer is B
Open your portal -> Create new resource -> in Market place type in 'Virtual network gateway' => create new
-> make a note that the IP SKU is fixed text, no option to change it at all and is set to 'Standard'
-> Assignment is set to 'static' and greyed out (can not be changed at all)
upvoted 1 times

  ozlaoliu 3 months, 1 week ago

Selected Answer: B
Both Bing AI and ChatGPG chose B. a standard SKU and a static IP address assignment
upvoted 3 times

  GBAU 4 months ago

Answer is B as Microsoft never ask an exam question where the answer for a solution is one of their basic offerings.😂
upvoted 4 times

  Phlogiston 4 months ago

Please do not make this assumption on the exams as a go-to solution. It is not as if the exam authors sit around a table and say to one another
that they should design questions that only have higher priced SKUs as the correct answer. That said, a lot of the exam content will likely test
"marketing and sales" knowledge. So, you should know your SKUs.
upvoted 1 times

  zellck 4 months ago

Selected Answer: B
B is the answer.

https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/public-ip-addresses#sku
Standard IPs can be non-zonal, zonal, or zone-redundant. Zone redundant IPs can only be created in regions where 3 availability zones are live. IPs
created before zones are live won't be zone redundant.
upvoted 1 times

  Irism 5 months ago

still not clear if B or C for me
upvoted 2 times

  BShelat 5 months, 2 weeks ago

Standard SKU supports availability zones but basic SKU does not. For VPN, Dynamic IPv4 is supported only in non availability zones. Static IPv4 is
supported for both AZ and non-AZ. So for this particular scenario it has to be standard SKU since VPN will need to be in AZ and since VPN is in AZ
only static IP can be assigned. So answer is "B".

https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/public-ip-addresses
upvoted 5 times

  cwamboo 5 months, 4 weeks ago

Selected Answer: B
B
"Zone-redundant gateways and zonal gateways both rely on the Azure public IP resource Standard SKU. The configuration of the Azure public IP
resource determines whether the gateway that you deploy is zone-redundant, or zonal. If you create a public IP resource with a Basic SKU, the
gateway will not have any zone redundancy, and the gateway resources will be regional."
https://learn.microsoft.com/en-us/azure/vpn-gateway/about-zone-redundant-vnet-gateways
upvoted 1 times

  MrJJ10 6 months ago

Selected Answer: C
I'm going with C.
Check out section "Can I get my VPN gateway IP address before I create it?"
https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-vpn-faq

"Zone-redundant and zonal gateways (gateway SKUs that have AZ in the name) both rely on a Standard SKU Azure public IP resource. Azure
Standard SKU public IP resources must use a static allocation method."
upvoted 2 times

  MrJJ10 6 months ago

My Apologies, I Meant Anserr "B" not C.
Clicking to fast
upvoted 3 times

  darren888 6 months, 1 week ago

Selected Answer: B
Basic public IPs can be assigned to any Azure resource that can be assigned a public IP address, such as network interfaces, VPN gateways,
application gateways, and internet-facing load balancers. They do not support availability zone scenarios. You must use a Standard SKU public IP
for an availability zone scenario.
upvoted 2 times

  mung 6 months, 3 weeks ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 535/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Selected Answer: C
The official Microsoft docs says "VPN gateway supports only Dynamic.".
So i guess i will go with C..
upvoted 1 times

  mung 6 months, 4 weeks ago

It's c.
VPN Gateway supports only "dynamic".
https://learn.microsoft.com/en-us/azure/vpn-gateway/tutorial-site-to-site-portal
upvoted 3 times

  Asten 7 months ago

C is correct. VPN gateway supports only Dynamic IP address
upvoted 3 times

  YUNITO 7 months ago

C is correct check this link: https://learn.microsoft.com/en-us/azure/vpn-gateway/tutorial-site-to-site-portal
When you create a vpn gw, the public ip assignement is dynamic and the public ip is basic
upvoted 3 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 536/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #93 Topic 5

HOTSPOT -
You have the Azure virtual machines shown in the following table.

VNET1, VNET2, and VNET3 are peered.

VNET1 and VNET2 are linked to an Azure private DNS zone named contoso.com that contains the records shown in the following table.

The virtual networks are configured to use the DNS servers shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

Box 1: Yes -
VM1 is in VNET1. In VNET1 Server1 resolves to 131.107.3.3

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 537/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Box 2: No -
VM2 is in VNET2. VNET2 uses custom DNS server 192.168.05
Box 3: Yes

  randy0077 Highly Voted  9 months ago

Hi Admin,

This looks like incomplete question or something is missing. Could you please correct this and add more discussion?
upvoted 53 times

  ivan0590 1 month ago

With some deduction, you can complete the question yourself.
The IP of VM4 is used as custom DNS in VNET2 and VNET3. Therefore, VM4 is a DNS server.
The table shown after ‘VNET1, VNET2, and VNET3 are peered’ is just displaying the records for the custom DNS server.
So, some VMs use the private Azure DNS Zone and others use the custom DNS server. And both DNSs have server1 and server2 records.
Knowing all that, you can now figure out what IP will be resolved in each case.
upvoted 1 times

  spike15_mk Highly Voted  6 months, 1 week ago

CORRECT ANSWER
YES
NO
YES

YES -For VM1,server1.contoso.com resolves to 131.107.3.3

VM1 is connected to VNET1 which has Default(Azure-Provided) DNS Server and linked to Azure Private DNS Server contoso.com (131.107.3.3 and
131.107.3.4 DNS Servers). That means VM1 has these 2 DNS servers for resloving.
DNS Servers for VNET1
server1.contoso.com = 131.107.3.3
server2.contoso.com = 131.107.3.4

NO-For VM2,server1.contoso.com resolves to 131.107.3.3

VM2 belongs to VNET2 has Custom DNS:192.168.0.5 IP of VM4 ( not takes from dedault Azure: the server1.contoso.com = 131.107.3.4 and
server2.contoso.com = 131.107.3.4) -NO
VM2 will resolve from VM4 (DNS Server1.contoso.com=131.107.2.3 and Server2.contoso.com=131.107.2.4)

YES- For VM3,server2.contoso.com resolves to 131.107.2.4

VM3 belongs to VNET3 has Custom DNS:192.168.0.5 IP of VM4 ( not takes from default Azure: the server1.contoso.com = 131.107.3.4 and
server2.contoso.com = 131.107.3.4)
VM3 will resolve from VM4 (DNS Server1.contoso.com=131.107.2.3 and Server2.contoso.com=131.107.2.4)
upvoted 25 times

  Benzitho 1 month ago

Sport On .. Well done
upvoted 1 times

  Brockssn 2 months, 1 week ago

Y, Y, Y.
VM2 is resolving a FQDN of server 1. The vnet DNS does not state it is contoso.com, so therefore resolving the FQDN would resolve correctly.
upvoted 1 times

  yaboo1617 Most Recent  1 month, 3 weeks ago

Another fucked-up question, still there untouched after months... They should really add a REPORT button instead of new SALES each week :)
upvoted 4 times

  Rams_84zO6n 2 months, 2 weeks ago

Two Observations from given information:
- [ ] VNET1 has default DNS server so it will be resolved by the private zone.
- [ ] VNET2 and VNET3 has DNS servers listed to IP address of VM4, which is in VNET3. So VMs on VNET2 and VNET3 will be resolved by the DNS
server in VM4.

Based on those observations:

- [ ] Yes - Is VM1 resolved by private zone? Yes. So it resolves name to 137.107.3.3
- [ ] No - Is VM2 also resolve by private zone? No, It is resolved by VM4. Why? VM2 in VNET2. VNET2 has DNS server that points to VM4, which is
in VNET3. So VM2 uses dns zone in VM4 to resolve the name.
- [ ] Yes - Is VM3 resolved by dns zone in VM4? Yes. VM3 in VNET3. VNET3 has DNS server that points to VM4. So it will resolve name to IP address
131.107.2.4
upvoted 2 times

  Trevor_VT 2 months, 3 weeks ago

This is one of the several questions asking which one has higher priority - the (custom) DNS bound to a VNET or the private DNS zone linked to the
same VNET. According to my test (and also the answer from chatGPT), the private DNS zone has priority. It is the only one which is used if the

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 538/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

request is going to a domain hosted by the private DNS zone. If the request is going to a domain which is not in the provate DNS zone, then the
default or custom DNS for the VNET is used.

Based on this, the answers are Y-Y-Y

Why - because both VM1 and VM2 are linked to the private DNS zone, where we have the record for server1.contoso.com -> 131.107.3.3
Also, asuming that the missing explanation of the second table says "VM4 is DNS server and it has the following records", and VM3 points to this
DNS server, it will see and resolve the server2.contoso.com -> 131.107.2.4. Note that VNET3 (where VM3 is) is not linked to the private DNS zone.
upvoted 5 times

  Zemar 2 months, 3 weeks ago

I am betting on your explanation as it makes good sense. Thanks for this
upvoted 4 times

  msingh20 3 months, 1 week ago

Im assuming we are missing a line above the table saying "VM4 is a DNS server that contains the following records". If that is the case the answer is
YNY

Server 1 , A , 131.107.2.3
Server 2 , A, 131.107.2.3
upvoted 2 times

  curtmcgirt 3 months, 3 weeks ago

i think this question has been edited.

vnet1 uses azure dns.

vnet2-3 use 192.168.0.5 vm4 for dns (which we can assume is what the unlabeled 2nd table contains).
all vnets are peered so all could use 192.168.0.5 vm4 dns if they wanted.
.
vm1 is in vnet1, so vm1 uses azure dns.
vm2-4 are in vnet3, so vm2-4 use 192.168.0.5 vm4 dns.
.
yes, vm1 resolves 'server1' to the 3.3 address via azure dns.
no, vm2 resolves 'server1' to the 2.3 address via 192.168.0.5 vm4 dns. (not 3.3 via azure dns)
yes, vm3 resolves 'server2' to the 2.4 address via 192.168.0.5 vm4 dns.
upvoted 2 times

  zellck 4 months ago

YNY is the answer.

1. Resolved using Azure Private DNS.

2. Resolved using custom DNS server.
3. Resolved using custom DNS server.
upvoted 2 times

  shadad 3 months, 3 weeks ago

You mean YNN
if 2 and 3 can resolve the custom DNS then both should have the same answer NN
upvoted 2 times

  curtmcgirt 3 months, 3 weeks ago

in the question, the ip addresses resolved are different for the "from vm2" and "from vm3" parts. that's why vm2 is N and vm3 is Y.
upvoted 2 times

  shadad 3 months, 2 weeks ago

holly! how did i miss this part? now i see this and it is resolve the table above it :(
you are right YNY.
upvoted 1 times

  dagomo 4 months, 2 weeks ago

Hello guys,
the answer should be YNN.
Explanation:
When you set custom DNS servers you are specifying the list of DNS servers to be given to VMs via DHCP, which means they will not be querying
the Azure private DNS.

https://learn.microsoft.com/en-us/answers/questions/1150496/private-dns-vs-custom-dns-for-one-vnet
upvoted 3 times

  picho707 1 week, 2 days ago

You are correct. The information in question does not say anything about the custom DNS servers being setup as forwarders of the Azure
private DNS zone either. This should be Y/N/N.
upvoted 1 times

  RougePotatoe 3 months, 4 weeks ago

There are 3 questions which question is your statement an answer to?

VM2/3 (vNet 3/4) both use VM4 as the DNS server.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 539/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

VM4's DNS entries are:

server1: 131.107.2.3 doesn't match question 2
server2: 131.107.2.4 match question 3
upvoted 1 times
  jp_mcgee 6 months, 3 weeks ago
After: "VNET1, VNET2, and VNET3 are peered."
Missing Line: "VM4 has a DNS server that is authoritative for a zone named Contoso.com and contains the records shown in the following table."
upvoted 15 times

  mung 6 months, 4 weeks ago

They are all peered so i guess YYY?
upvoted 2 times

  klexams 7 months, 2 weeks ago

who can find the official link on which DNS takes precedence: vnet linked DNS or vnet DNS?
anyhow this is incomplete question but im gonna assume 192.168.0.5 is the DNS for the 131.107.2.0 records. so answer is

Y = VM1 > VNET1 > Azure priv DNS > server1 is 131.107.3.3
Y = VM2 > VNET2 > Azure priv DNS and Custom DNS > I'm gonna say Azure priv will resolve this because of contoso.com,192.168.0.5 does not
have contoso.com zone > server1 is 131.107.3.3
N = VM3 > VNET3 > Custom DNS > server2 is 131.107.3.4 for the same reason as above.
upvoted 5 times

  SandCloud 1 month, 3 weeks ago

this is the right anwser, custom dns override
upvoted 1 times

  qwerty100 7 months, 3 weeks ago

Tested in lab with peered VNET and a Local DNS server:

- From VM1, server1.contoso.com resolves to 131.107.3.3: yes

VNET1 has linked private DNS zone constoso.com and it uses Default (Azure-provided) DNS
(VM1 is on VNET1)

-From VM2, server1.contoso.com resolves to 131.107.3.3: no

VNET2 has linked private DNS zone constoso.com, but it uses 192.168.0.5 DNS
(VM2 is on VNET2)

-From VM3, server2.constoso.com resolves to 131.107.2.4: Yes

No private dns zone linked

(VM3 is on VNET3)
upvoted 11 times

  dc2k79 7 months, 3 weeks ago

Default DNS won't resolve the private Zone.
upvoted 1 times

  randy0077 8 months, 3 weeks ago

considering 192.168.0.5 is DNS server. ans should be YNY.
upvoted 1 times

  ZacAz104 9 months ago

I think it is YNN
VM3 is part of VNET3 which has 192.168.0.5 as dns server this is the ip of VM4 which is in VNET3 and doesnt have any record of server 2 so the
correct anwer would be No for the last one
upvoted 17 times

  chvz 8 months ago

I agree
VMNameVNET DNS Server Peering Azure Private DNS Zone(Linked)
VM1 VNET1 Default (Azure-Provided) VNET2, VNET3 contoso.com
VM2 VNET2 Custom:192.168.0.5 VNET1, VNET3 contoso.com
VM3 VNET3 Custom:192.168.0.5 VNET2, VNET3 N/A
VM4 VNET3 Custom:192.168.0.5 VNET2, VNET3 N/A
upvoted 4 times

  JonM93 9 months, 2 weeks ago

Question is incomplete.
Mu guess is that just before the first set of DNS records there is : "VM4 has a DNS server configured with a zone named contoso.com that contains
the following records"
In that case the answer is correct
upvoted 3 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 540/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  DeltaSM 9 months, 2 weeks ago

Please ignore my previous answer:
I would say Y - N - Y.
I think the first table is linked to DNS Server 192.168.0.5 but info is missing.
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 541/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #94 Topic 5

HOTSPOT -
You have two Azure virtual machines as shown in the following table.

You create the Azure DNS zones shown in the following table.

You perform the following actions:

✑ ‫׀‬¢‫ ¾׀‬fabrikam.com, you add a virtual network link to vnet1 and enable auto registration.
✑ For contoso.com, you assign vm1 and vm2 the Owner role.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

Box 1: Yes -
The DNS zone uses the Public IP address of vm1.

Box 2: Yes -
Fabrikam.com is a Private DNS zone. The private IP address is used.
Note: The Azure DNS private zones auto registration feature manages DNS records for virtual machines deployed in a virtual network. When you
link a virtual network with a private DNS zone with this setting enabled, a DNS record gets created for each virtual machine deployed in the
virtual network.
For each virtual machine, an A record and a PTR record are created. DNS records for newly deployed virtual machines are also automatically
created in the linked private DNS zone.
Note: If you use Azure Provided DNS then appropriate DNS suffix will be automatically applied to your virtual machines. For all other options you
must either use
Fully Qualified Domain Names (FQDN) or manually apply appropriate DNS suffix to your virtual machines.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 542/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Box 3: Yes -
Reference:
https://docs.microsoft.com/en-us/azure/dns/dns-zones-records
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances

  RichardBill Highly Voted  9 months, 2 weeks ago

N Y Y? Only private AZ DNS Zones can use auto registration. The set DNS search suffix in the client changes nothing about that
https://docs.microsoft.com/en-us/azure/dns/private-dns-autoregistration
upvoted 49 times

  qwerty100 9 months, 1 week ago

I agree whit you
upvoted 3 times

  klexams Highly Voted  7 months, 2 weeks ago

N = none of the actions in question added the VM1 record to contoso.com dns
Y = vnet1 is linked and auto-rego is enabled, records get added automatically.
Y = vnet1 is linked and auto-rego is enabled, records get added automatically.
upvoted 12 times

  FasterN8 Most Recent  2 months, 2 weeks ago

I'm trying to figure out the effects of VM1 and VM2 being owner of contoso.com. Wouldn't that automatically add them to the DNS zone? Maybe
as a SRV record and not an A record though...
upvoted 1 times

  zellck 4 months ago

NYY is the answer.

https://learn.microsoft.com/en-us/azure/dns/private-dns-autoregistration
upvoted 4 times

  dc2k79 7 months, 3 weeks ago

No/Yes/Yes
upvoted 3 times

  atspace 7 months, 3 weeks ago

N - Public Ips wont auto register DNS
Y - Auto registration is enabled
N - Linux won't do auto registration
upvoted 9 times

  Slimus 1 month, 1 week ago

The MS doc doesn't say anything about Linux VMs anymore, just...
The Azure DNS private zones auto registration feature manages DNS records for virtual machines deployed in a virtual network.
upvoted 1 times

  [Removed] 7 months, 3 weeks ago

Linux does auto register.
upvoted 5 times

  moshos 4 months, 3 weeks ago

Where has it been stated that Linux does not support auto-registration?
According to this link there the restrictions don't include OS type:
https://learn.microsoft.com/en-us/azure/dns/private-dns-autoregistration
upvoted 1 times

  crazyrobban 7 months, 3 weeks ago

Good catch with the Linux VM. This is the correct answer.
upvoted 1 times

  Al007 7 months, 3 weeks ago

Checked in lab environment - Linus does auto register
upvoted 10 times

  adrianspa 8 months ago

NYY. Adding a VM with the OWNER role does not change anything in the name resolution process
upvoted 4 times

  awssecuritynewbie 8 months, 2 weeks ago

so the contoso.com is public DNS and you cannot auto registration. but it just says if it would have the record but it does it has that value in the
box at the top right?
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 543/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  JoeGV 8 months, 2 weeks ago

DNS records are created automatically only for the primary virtual machine NIC. If your virtual machines have more than one NIC, you can manually
create the DNS records for other network interfaces.
DNS records are created automatically only if the primary virtual machine NIC is using DHCP. If you're using static IPs, such as a configuration with
multiple IP addresses in Azure, auto registration doesn't create records for that virtual machine.
Answer should be YNN Based on the above restrictions.
upvoted 1 times

  mung 6 months, 4 weeks ago

Did the question mentioned anything about static? No it doesn't. Don't go too deep
upvoted 2 times

  ETokLayaa 8 months, 3 weeks ago

I think it should be N N Y
upvoted 1 times

  kukeleku 8 months, 4 weeks ago

I agree on N Y Y, based on auto registration on public DNS is not possible!
upvoted 2 times

  ZacAz104 9 months, 1 week ago

i think you only manualy add public ips in public dns
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 544/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #95 Topic 5

You have an on-premises datacenter and an Azure subscription.

You plan to connect the datacenter to Azure by using ExpressRoute.
You need to deploy an ExpressRoute gateway. The solution must meet the following requirements:
✑ Support up to 10 Gbps of traffic.
✑ Support availability zones.
✑ Support FastPath.
✑ Minimize costs.
Which SKU should you deploy?

A. ERGw1AZ

B. ERGw2

C. ErGw3

D. ErGw3AZ

Correct Answer: D
ErGw3Az supports FastPath.
The following table shows the features supported across each gateway type.

Note: ExpressRoute virtual network gateways can use the following SKUs:

Standard -

HighPerformance -

UltraPerformance -

ErGw1Az -

ErGw2Az -

ErGw3Az -
Reference:
https://docs.microsoft.com/en-us/azure/expressroute/expressroute-about-virtual-network-gateways

Community vote distribution

D (65%) A (35%)

  GaneshPP Highly Voted  8 months, 3 weeks ago

Cant believe Azure expects us to memorize these abbreviations!
upvoted 68 times

  JohnnyChimpo 4 months, 2 weeks ago

Its all about marketing. It benefits them in the long run if all the certified admins have sku features memorized. We are most likely to gravitate
towards their solutions as opposed to 3rd parties if we already memorized their offerings
upvoted 7 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 545/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  DaviZZZZ 1 week, 1 day ago

Jejeje that is true....
upvoted 1 times

  curtmcgirt Highly Voted  3 months, 3 weeks ago

final answer: GTFOHms
upvoted 19 times

  ivan0590 Most Recent  1 month ago

Questions like these are what make me hate Azure certifications so much.

They ask super specific questions that you have to learn by heart, when you shouldn't, and nobody in real life does.
Also, they don't allow brain dumps. Instead, they want you to rely on their terrible documentation and only use tests officially supported by
Microsoft.
Try passing the exam using only that. Yes, you can do it, but seriously, good luck...

Perhaps the reason people resort to brain dumps has to do with all that nonsense?
I understand they ask complex questions to test your knowledge, but questions like this one are not complex, they are just pure evil.
upvoted 3 times

  Balvosko 1 month, 2 weeks ago

This is a joke, right ? This question is just first april joke.
upvoted 4 times

  Phil_Spencer 3 months ago

As head of Xbox Game Studios i think this question is pretty dumb. A better question would have being "What's the price of Xbox Game Pass
Ultimate".
upvoted 7 times

  zellck 4 months ago

Selected Answer: D
D is the answer.

https://learn.microsoft.com/en-us/azure/expressroute/expressroute-about-virtual-network-gateways#gatewayfeaturesupport
upvoted 2 times

  SKR94 4 months, 2 weeks ago

No comment...
upvoted 3 times

  Mugamed 4 months, 2 weeks ago

How random :-o
upvoted 2 times

  darthfodio 5 months, 2 weeks ago

I will most certainly leave feedback on the exam if I have this or similar type of questions. It's ridiculous.
upvoted 5 times

  ageorgieva 6 months, 1 week ago

Selected Answer: A
came here for the comments :D
upvoted 6 times

  Mohaamed 6 months, 4 weeks ago

daaamn so now we have to memorize these ridicules abbreviations!!!!!
upvoted 5 times

  Maython20 7 months, 4 weeks ago

Selected Answer: D
ErGw3Az supports FastPath.

https://learn.microsoft.com/en-us/azure/expressroute/expressroute-about-virtual-network-gateways#gatewayfeaturesupport
upvoted 4 times

  Oualy 8 months, 3 weeks ago

ErGw3AZ support fastpath
Answer : D
https://learn.microsoft.com/en-us/azure/expressroute/expressroute-about-virtual-network-gateways
upvoted 8 times

  RougePotatoe 4 months ago

More specifically

Ultra Performance SKU/ErGw3Az

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 546/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

https://learn.microsoft.com/en-us/azure/expressroute/expressroute-about-virtual-network-gateways#gatewayfeaturesupport
upvoted 1 times
  DeltaSM 9 months, 2 weeks ago
Selected Answer: D
ErGw3AZ seem to be the answer.
Answer: D
upvoted 5 times

  Jaydude 1 month, 2 weeks ago

Question #96 Topic 5

HOTSPOT -
You have a virtual network named VNET1 that contains the subnets shown in the following table:

You have Azure virtual machines that have the network configurations shown in the following table:

For NSG1, you create the inbound security rule shown in the following table:

For NSG2, you create the inbound security rule shown in the following table:

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

Box 1: Yes -
The inbound security rule for NSG1 allows TCP port 1433 from 10.10.2.0/24 (or Subnet2 where VM2 and VM3 are located) to 10.10.1.0/24 (or
Subnet1 where
VM1 is located) while the inbound security rule for NSG2 blocks TCP port 1433 from 10.10.2.5 (or VM2) to 10.10.1.5 (or VM1). However, the
NSG1 rule has a higher priority (or lower value) than the NSG2 rule.

Box 2: Yes -
No rule explicitly blocks communication from VM1. The default rules, which allow communication, are thus applied.

Box 3: Yes -
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 548/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

No rule explicitly blocks communication between VM2 and VM3 which are both on Subnet2. The default rules, which allow communication, are
thus applied.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/security-overview

  JohnAvlakiotis Highly Voted  2 years, 6 months ago

I believe it should be No, Yes, Yes. The NSG2 on the NIC of VM1 blocks the request that passes through NSG1 which is attached on the subnet.
There is no priority bypass between NSGs. Traffic is filtered independently between NSGs.
upvoted 246 times

  darthfodio 5 months ago

This is a bit confusing but remember, NSGs attached at the subnet level get priority. Since NSG1 is attached to VNET1- Subnet1, it takes priority
over NSG2, which is attached to VM1(this would have to be attached to the NIC).
upvoted 2 times

  BJack 5 months ago

Subnet attached NSGs don't have priority over NIC attached NSGs. It depends of whether he traffic is inbound or outbound -
https://learn.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works
upvoted 9 times

  darthfodio 5 months ago

NSG1 also has a lower priority (101) as well so it would take priority based on the rule priority.
upvoted 1 times

  rusll 2 years, 6 months ago

I agree, mixing the rules would create a problem : in case we have two rules with the same priority, how would we decide ...
upvoted 5 times

  rcdumps 2 years, 5 months ago

The NSG2 blocks INBOUND requests, not OUTBOUND, hence VM2 can reach VM1.
upvoted 10 times

  klexams 7 months, 3 weeks ago

NSG2 is on VM1 so it block inbound to VM1.
upvoted 2 times

  tita_tovenaar 1 year, 11 months ago

thought so too but it is wrong. Look at the destination addresses.
Basically you can imagine that NSG1 covers subnet 1 and NSG2 covers VM1 specifically. Tricky question, but answer is No. VM3 could RDP
into VM1, if that makes it more clear.
upvoted 5 times

  JamesDC 2 years, 4 months ago

Oh Dear!... do you understand VM2 and VM is on different subnets and both NSGs are applicable on subnet1 resources... so, there's no
concept of outbound rule... Agree with Jhon, NSG1 is on subnet and NSG2 is on NIC, even VM2 can enter to the sunbet1 but NSG2 will block
while going to VM1.
upvoted 18 times

  Bhuw 10 months, 3 weeks ago

Think you're correct
https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works#inbound-traffic
upvoted 1 times

  aaa112 Highly Voted  2 years, 5 months ago

1. NO - VM1 has the NSG1 on Subnet1, which allows traffic over port 1433 between Subnet2 and Subnet1. BUT NSG2 also applied on NIC level for
VM1 that blocks the traffic on port 1433. Hence No traffic allowed. Answer is NO.

2. YES - For VM2 there are no NSGs applied neither on subnet or NIC level hence all traffic is allowed.

3. YES - For VM3 there are no NSGs applied neither on subnet or NIC level hence all traffic is allowed.
upvoted 150 times

  RogerDingo 2 years, 5 months ago

thanks for confirming.. i came to the same conclusion as you.
upvoted 8 times

  LeomHD 1 year, 9 months ago

Here explanation priority Subnet over NIC: https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works
upvoted 2 times

  monus 1 year, 8 months ago

yes, NSG at subnet as well as VM has to be open in order to allow traffic
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 549/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  subramani2018 1 year, 3 months ago

but by default tcp3389 blocked in nsg for vm3 right..
upvoted 1 times

  pgazure Most Recent  1 month, 2 weeks ago

Unless you have a specific reason to, we recommend that you associate a network security group to a subnet, or a network interface, but not both.
Since rules in a network security group associated to a subnet can conflict with rules in a network security group associated to a network interface,
you can have unexpected communication problems that require troubleshooting.
upvoted 1 times

  RDIO 1 month, 2 weeks ago

First box is easy to understand why is "No". Think about the traffic flow and the direction to where it will go... The traffic reaches NSG1 on the
subnet and it says.. "OK you may go", then the next step is the VM and it will reaches the VM NIC and have NSG2 attached that says "No way, this
traffic is blocked".
upvoted 1 times

  Goofer 2 months, 1 week ago

No: NSG2 block
Yes: default rules NSG1 + NSG2
Yes: traffic in subnet
upvoted 1 times

  sjb666 2 months, 2 weeks ago

Hopefully to settle an argument, I lab'd this and tested with IP flow verify:
Y
N
Y
There!
upvoted 1 times

  Doman01 2 months, 3 weeks ago

According to this article
https://learn.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works#inbound-traffic

When you look at the specific scenario they created there and this line "To allow port 80 to the virtual machine, both NSG1 and NSG2 must have a
rule that allows port 80 from the internet." it is clear that both NSGs would have to allow inboud over TCP 1433 to VM1 for first box to be YES
upvoted 1 times

  ktrfrnd26 3 months, 1 week ago

For outbound traffic, Azure processes the rules in a network security group associated to a network interface first, if there is one, and then the rules
in a network security group associated to the subnet, if there is one.
Per below - https://learn.microsoft.com/en-us/answers/questions/44091/which-will-override-the-other-azure-nsg-on-the-sub
upvoted 2 times

  hfk2020 3 months, 1 week ago

When a network security group (NSG) is applied to a subnet and to a network interface card (NIC) of a virtual machine (VM), the rules of both NSGs
are evaluated in the following order:

Inbound traffic from the internet or other subnets is evaluated against the rules of the NSG applied to the subnet.

If the traffic is allowed by the subnet NSG, the inbound traffic is then evaluated against the rules of the NSG applied to the NIC.

If the traffic is allowed by both the subnet NSG and the NIC NSG, the traffic is allowed to the virtual machine.

If the traffic is denied by either the subnet NSG or the NIC NSG, the traffic is blocked and not allowed to the virtual machine.
upvoted 2 times

  lkjsatlwjwwge 4 months ago

Y-Y-Y. Regarding the first one, the allow rule takes precedence because subnet NSGs are evaluated before NIC NSGs for inbound traffic (and vice
versa). Nothing to do with cross rule priority numbers.
upvoted 2 times

  zellck 4 months ago

For statement 1, after NSG2 is evaluated, NSG1 is evaluated which will block the traffic.
upvoted 3 times

  zellck 4 months ago

NYY is the answer.

https://learn.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works#inbound-traffic
For inbound traffic, Azure processes the rules in a network security group associated to a subnet first, if there's one, and then the rules in a network
security group associated to the network interface, if there's one. This includes intra-subnet traffic as well.
upvoted 4 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 550/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  zellck 3 months, 4 weeks ago

Got this in Feb 2023 exam.
upvoted 1 times

  DeBoer 4 months, 1 week ago

2nd one might be "NO" since it's between VNets and the question doesn't state that peering is on... but then 1st one would be "NO" as well.
upvoted 1 times

  msingh20 3 months, 1 week ago

They are under the same VNET just different subnets.. as long as they are in the same subnet the allow virtual network inbound rule would set
on vm2 and vm3 by default on all ports.
upvoted 1 times

  dagomo 4 months, 2 weeks ago

NO - VM1 is linked to NSG2 that blocks TCP/1433 from 10.10.2.5 (VM2) to 10.10.1.5 (VM1). Subnet 1 allows the communication but it is blocked on
VM1 NIC.

NO - VM2 (the target machine) has no NSG neigther on NIC nor on Subnet 2 - all incoming requests are blocked.

NO - VM3 (the target machine) has no NSG neigther on NIC nor on Subnet 2 - all incoming requests are blocked.
upvoted 2 times

  chikorita 4 months, 1 week ago

brother, if no NSG is associated then ALL TRAFFIC IS ALLOWED (default config unlike you come from AWS background)
NSGs are put in place to restrict traffic
upvoted 1 times

  KingChuang 6 months, 3 weeks ago

According thie doc.
https://learn.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works

You can associate zero, or one, network security group to each virtual network subnet and network interface in a virtual machine.

So in box1, the traffic flow is VM2→NSG1→NSG2→VM1

NSG2 will deny it.

Box1 : N

Therefore, it is not that NSG1 Priority is greater than NSG2 as others have said.
That refers to the order of RULE in NSG. It does not mean that the NSGs in the whole process are mixed together to compare Priority.
upvoted 6 times

  Alex2022_31 5 months, 1 week ago

Completely agree: the link you provide is very clear on that.

For inbound trafic from VM2 to VM1:

VM1: The security rules in NSG1 are processed, since it's associated to Subnet1 and VM1 is in Subnet1.
The rule created allows port 1433 inbound, so the traffic is allowed by the security rule
The traffic is then processed by NSG2 which denied access to the virtual machine VM1 from VM2.
Both NSG1 and NSG2 must have a rule that allows port 1433 from the VM2 subnet or VM2 to allow the connection.

Box 1: NO
upvoted 1 times

  YUNITO 7 months ago

for me is: nyy
upvoted 1 times

  klexams 7 months, 2 weeks ago

N = VM2 > no NSG | VM1 > NSG2 inbound > block 10.10.2.0 to 10.10.1.0
Y = VM1 > no NSG outbound | VM2 > no NSG > allowed between subnets by default
Y = VM2 > no NSG | VM3 > no NSG > allowed between subnets by default
upvoted 5 times

  matejka 7 months, 2 weeks ago

NO - VM1 is linked to NSG2 that blocks TCP/1433 from 10.10.2.5 (VM2) to 10.10.1.5 (VM1). Subnet 1 allows the communication but it is blocked on
VM1 NIC.

NO - VM2 (the target machine) has no NSG neigther on NIC nor on Subnet 2 - all incoming requests are blocked.

NO - VM3 (the target machine) has no NSG neigther on NIC nor on Subnet 2 - all incoming requests are blocked.
upvoted 8 times

  rupayan87 6 months, 4 weeks ago

Resources within the virtual network can communicate with each other privately,
https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-for-azure-service

here all Vms are in same Vnet so traffic is open by default. Only Vm1 has a deny rule over NSG which is blocking Vm2 to Vm1 TCP connection
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 551/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 552/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #97 Topic 5

HOTSPOT -
You have an Azure subscription named Subscription1.
Subscription1 contains the virtual machines in the following table:

Subscription1 contains a virtual network named VNet1 that has the subnets in the following table:

VM3 has multiple network adapters, including a network adapter named NIC3. IP forwarding is enabled on NIC3. Routing is enabled on VM3.
You create a route table named RT1 that contains the routes in the following table:

You apply RT1 to Subnet1 and Subnet2.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

IP forwarding enables the virtual machine a network interface is attached to:

✑ Receive network traffic not destined for one of the IP addresses assigned to any of the IP configurations assigned to the network interface.
Send network traffic with a different source IP address than the one assigned to one of a network interface's IP configurations.

The setting must be enabled for every network interface that is attached to the virtual machine that receives traffic that the virtual machine
needs to forward. A virtual machine can forward traffic whether it has multiple network interfaces or a single network interface attached to it.

Box 1: Yes -

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 553/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

The routing table allows connections from VM3 to VM1 and VM2. And as IP forwarding is enabled on VM3, VM3 can connect to VM1.

Box 2: No -
VM3, which has IP forwarding, must be turned on, in order for VM2 to connect to VM1.

Box 3: Yes -
The routing table allows connections from VM1 and VM2 to VM3. IP forwarding on VM3 allows VM1 to connect to VM2 via VM3.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview https://www.quora.com/What-is-IP-forwarding

  klexams Highly Voted  7 months, 2 weeks ago

Y = RT is not applied to VM3. VM3 will have the default route between subnets in a vnet.
N = VM2 > Subnet2 has RT applied to it. VM3 is the next hop which is turned off.
Y = VM3 has has IP forwarding enabled which can fwd traffic from VM1 to VM2.
upvoted 25 times

  martin_k1 Highly Voted  8 months, 2 weeks ago

YNY

if UDR was not set, connectivity between three VMs would work by default.
1) With UDR, it still works, but return traffic from VM1 and VM2 to VM3 goes straight to VM3 instead of subnet gateway (which is one of reserverd
subnet IPs)

2) and 3) are clear.

upvoted 12 times

  zellck Most Recent  4 months ago

YNY is the answer.

https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface?tabs=network-interface-portal#enable-or-disable-ip-
forwarding
upvoted 5 times

  mbaybarsk 1 year, 1 month ago

N/N/Y

VM3 subnet does not have a route for VM1 subnet. The default route drops packets that belong to 10.0.0.0/8 -> No

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview

VM2 cannot connect to VM1 because the router (VM3) is offline -> No

VM1 can connect to VM2 as there's a routing table -> Yes

upvoted 4 times

  Babushka 7 months, 2 weeks ago

What pythonier said, because UDR is only applied to subnet 1 & 2.
upvoted 1 times

  pythonier 9 months, 2 weeks ago

Y/N/Y - VM3 is on the same VNET as VM2 and VM1, therefore, no routes are needed
upvoted 13 times

  sjb666 1 year, 1 month ago

I believe this is correct. Ordinarily all three should be able to speak to each other as they're all subnets within the same VNet. However, the route
table directs them to the machine that is switched off, thus breaking contact. Answer is correct
upvoted 7 times

  Mev4953 9 months ago

Agree.
upvoted 2 times

  WindowAFX 1 year, 1 month ago

Correct
I believe this to be correct
upvoted 5 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 554/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #98 Topic 5

Your on-premises network contains an SMB share named Share1.

You have an Azure subscription that contains the following resources:
✑ A web app named webapp1
✑ A virtual network named VNET1
You need to ensure that webapp1 can connect to Share1.
What should you deploy?

A. an Azure Application Gateway

B. an Azure Active Directory (Azure AD) Application Proxy

C. an Azure Virtual Network Gateway

Correct Answer: C
A Site-to-Site VPN gateway connection can be used to connect your on-premises network to an Azure virtual network over an IPsec/IKE (IKEv1
or IKEv2) VPN tunnel.
This type of connection requires a VPN device, a VPN gateway, located on-premises that has an externally facing public IP address assigned to
it.
Incorrect Answers:
B: Application Proxy is a feature of Azure AD that enables users to access on-premises web applications from a remote client.
Reference:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-portal

Community vote distribution

C (100%)

  mlantonis Highly Voted  2 years ago

Correct Answer: C

A Site-to-Site VPN gateway connection can be used to connect your on-premises network to an Azure virtual network over an IPsec/IKE (IKEv1 or
IKEv2) VPN tunnel. This type of connection requires a VPN device, a VPN gateway, located on-premises that has an externally facing public IP
address assigned to it.

A: Application Gateway is for http, https and Websocket - Not SMB

B: Application Proxy is also for accessing web applications on-prem - Not SMB. Application Proxy is a feature of Azure AD that enables users to
access on-premises web applications from a remote client.

Reference:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-portal
upvoted 93 times

  SumanSaurabh 6 months, 1 week ago

you were missed until now , welcome back
upvoted 10 times

  KingChuang 6 months, 3 weeks ago

Better Ref:
https://learn.microsoft.com/en-us/azure/storage/files/storage-files-configure-s2s-vpn
upvoted 1 times

  AzureG0d 7 months, 2 weeks ago

welcome back lol
upvoted 3 times

  Wizard69 Highly Voted  2 years, 3 months ago

With the answers that we have:
Application Gateway is for http, https and Websocket - Not SMB
Application Proxy is also for accessing web applications on-prem - Not SMB
So the only answer can be VPN Gateway
upvoted 35 times

  zellck Most Recent  4 months ago

Selected Answer: C
C is the answer.

https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 555/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Azure VPN Gateway is a service that uses a specific type of virtual network gateway to send encrypted traffic between an Azure virtual network and
on-premises locations over the public Internet. You can also use VPN Gateway to send encrypted traffic between Azure virtual networks over the
Microsoft network. Multiple connections can be created to the same VPN gateway. When you create multiple connections, all VPN tunnels share
the available gateway bandwidth.
upvoted 3 times
  moshos 4 months, 3 weeks ago
Selected Answer: C
Correct answer: C
upvoted 1 times

  Bigc0ck 5 months, 1 week ago

This was on the test
upvoted 1 times

  rocroberto 7 months, 2 weeks ago

This question appeared today in my exam. I answered C. Passed with 810 :-)
60/70% of questions are from here. Thanks guys!!!
Keep up the good work
upvoted 4 times

  EmnCours 9 months, 3 weeks ago

Selected Answer: C
Correct Answer: C
upvoted 1 times

  Lazylinux 11 months, 4 weeks ago

Selected Answer: C
Given answer is correct..comments as per others
upvoted 1 times

  benvdw 1 year, 3 months ago

C - on exam 13/3/2022
upvoted 2 times

  Snownoodles 1 year, 5 months ago

Selected Answer: C
C is correct.
To achieve the goal, the web app needs to integrate with Vnet so that web app can get an IP from vnet.
https://docs.microsoft.com/en-us/azure/app-service/overview-vnet-integration
upvoted 1 times

  Kamex009 1 year, 9 months ago

This question was asked on exam taken on 8/22/2021
upvoted 5 times

  lucky_18 1 year, 11 months ago

came in exam on June 28 2021
upvoted 5 times

  ZUMY 2 years, 3 months ago

C is correct
upvoted 3 times

  PektoTheGreat 2 years, 3 months ago

Keyword is "On-Premise" so the answer is C. VNG. Isn't it amazing? ^_^
upvoted 4 times

  toniiv 2 years, 3 months ago

Answer C. is correct, you need a Virtual Network Gateway to create a site-to-site VPN connection to on-prem
upvoted 3 times

  fedztedz 2 years, 5 months ago

Answer is correct. "C" Virtual Network Gateway"
upvoted 13 times

  Lbaz 2 years, 8 months ago

sorry did't understand well, answer is C or A??
upvoted 2 times

  kvnpri 2 years, 7 months ago

Answer is C Virtual Network gateway
upvoted 11 times

  finolweb 2 years, 5 months ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 556/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Azure Application Gateway gives you application-level routing and load balancing services that let you build a scalable and highly-available web
front end in Azure.
upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 557/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #99 Topic 5

A. the Publish-AzVMDscConfiguration cmdlet

B. Azure Application Insights

C. Azure Custom Script Extension

D. the New-AzConfigurationAssignement cmdlet

Correct Answer: C
Note:
There are several versions of this question in the exam. The question has two correct answers:
1. a Desired State Configuration (DSC) extension
2. Azure Custom Script Extension
The question can have other incorrect answer options, including the following:
✑ Deployment Center in Azure App Service
✑ a Microsoft Intune device configuration profile
Reference:
https://docs.microsoft.com/en-us/azure/architecture/framework/devops/automation-configuration

Community vote distribution

C (92%) 8%

  mlantonis Highly Voted  2 years ago

Correct Answer: C

  mlantonis 2 years ago

Reference:

https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/dsc-overview

https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/tutorial-install-apps-template

https://docs.microsoft.com/en-us/samples/mspnp/samples/azure-well-architected-framework-sample-state-configuration

https://docs.microsoft.com/en-us/azure/architecture/framework/devops/automation-configuration
upvoted 13 times

  waterzhong Highly Voted  2 years, 6 months ago

C. Azure Custom Script Extension
upvoted 17 times

  curtmcgirt Most Recent  3 months, 3 weeks ago

i hope i get this question half as many times on the exam as it appears here.
upvoted 3 times

  zellck 4 months ago

Same as Question 89.
https://www.examtopics.com/discussions/microsoft/view/95713-exam-az-104-topic-4-question-89-discussion
upvoted 1 times

  zellck 4 months ago

Selected Answer: C
C is the answer.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 558/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

https://learn.microsoft.com/en-us/azure/virtual-machines/extensions/custom-script-windows
The Custom Script Extension downloads and runs scripts on Azure virtual machines (VMs). This extension is useful for post-deployment
configuration, software installation, or any other configuration or management task. You can download scripts from Azure Storage or GitHub, or
provide them to the Azure portal at extension runtime.
upvoted 2 times
  Ashfaque_9x 4 months, 2 weeks ago
Passed today on 29Jan23 with a score of 970. This question was in the exam.
Correct answers for this question:
1. a Desired State Configuration (DSC) extension
2. Azure Custom Script Extension
upvoted 3 times

  EmnCours 9 months, 3 weeks ago

Selected Answer: C
Correct Answer: C
upvoted 1 times

  Lazylinux 11 months, 4 weeks ago

Selected Answer: C
C is correct..see below
A Desired State Configuration (DSC) extension

Azure virtual machine extensions are small packages that run post-deployment configuration and automation on Azure virtual machines.

In the following example, the Azure CLI is used to deploy a custom script extension to an existing virtual machine, which installs a Nginx webserver.

az vm extension set \

--resource-group myResourceGroup \

--vm-name myVM --name customScript \

--publisher Microsoft.Azure.Extensions \

--settings '{"commandToExecute": "apt-get install -y nginx"}

upvoted 2 times

  elmertar 1 year, 4 months ago

Selected Answer: C
C. Azure Custom Script Extension
upvoted 1 times

  peymani 1 year, 4 months ago

support the correct answer "C"
https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/custom-script-windows
upvoted 1 times

  peymani 1 year, 4 months ago

Selected Answer: C
The Publish-DscConfiguration cmdlet publishes a Windows PowerShell Desired State Configuration (DSC) configuration document on set of
computers. This cmdlet does not apply the configuration. Configurations are applied by either the Start-DscConfiguration cmdlet when it is used
with the UseExisting parameter or when the DSC engine runs its consistency cycle.
https://docs.microsoft.com/en-us/powershell/module/psdesiredstateconfiguration/publish-dscconfiguration?view=dsc-1.1
upvoted 3 times

  deltarj 1 year, 4 months ago

Selected Answer: C
I will go with ans C.
upvoted 2 times

  deltarj 1 year, 4 months ago

if no DSC is offered than it is azCSE... right? (see Q59T4 and Q74T4)
upvoted 1 times

  johnseong97 1 year, 4 months ago

Selected Answer: C
Correct Answer: C
Note: There are several versions of this question in the exam. The question has two correct answers:
1. a Desired State Configuration (DSC) extension
2. Azure Custom Script Extension
The question can have other incorrect answer options, including the following:
✑ the Publish-AzVMDscConfiguration cmdlet
✑ Azure Application Insights
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 559/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  JIGT 1 year, 5 months ago

Selected Answer: A
Publish-AzVMDscConfiguration cmdlet
upvoted 1 times

  brunomd 1 year, 6 months ago

Correct is C.

I thought that the correct was A, but does not, because of this:

"The Publish-AzVMDscConfiguration cmdlet uploads a Desired State Configuration (DSC) script to Azure blob storage, which later can be applied
to Azure virtual machines using the Set-AzVMDscExtension cmdlet."
upvoted 1 times

  mdmdmdmd 1 year, 9 months ago

This question is in the wrong topic, should be topic 3 "Deploy and manage Azure compute resources". It's also repeated in some form there.
upvoted 1 times

  AubinBakana 1 year, 9 months ago

pretty sure this question was already asked.
upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 560/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #100 Topic 5

Your on-premises network contains a VPN gateway.

You have an Azure subscription that contains the resources shown in the following table.

You need to ensure that all the traffic from VM1 to storage1 travels across the Microsoft backbone network.
What should you configure?

A. a network security group (NSG)

B. service endpoints

C. Azure Peering Service

D. Azure Firewall

Correct Answer: A

Community vote distribution

B (100%)

  additionalpylons Highly Voted  9 months, 2 weeks ago

Selected Answer: B
I believe it should be B

"Virtual Network (VNet) service endpoint provides secure and direct connectivity to Azure services over an optimized route over the Azure
backbone network. "

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview
upvoted 33 times

  johnboy222 Highly Voted  7 months, 2 weeks ago

Admin, Let’s get this fixed please. The correct answer is B.
upvoted 10 times

  SimoneP Most Recent  3 weeks, 4 days ago

Selected Answer: B
B service endpoint
upvoted 1 times

  5864619 1 month, 3 weeks ago

Why is every question on this ETE wrong and the community is discussing over what is right. This brings confusion as there are multiple options:
Microsoft wrong Community right - Results in Wrong answer while being right

Community wrong, Micrsoft right - Results in wrong answer

Community right - Results in Unreliable questions
upvoted 1 times

  ivan0590 1 month ago

I think that Exam Topics don't get the questions an their answers, they just get the questions and then they try to answer them. That would
explain why they fail so much.
Microsoft has nothing to do with it.
upvoted 1 times

  zellck 4 months ago

Selected Answer: B
B is the answer.

https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview
Virtual Network (VNet) service endpoint provides secure and direct connectivity to Azure services over an optimized route over the Azure
backbone network. Endpoints allow you to secure your critical Azure service resources to only your virtual networks. Service Endpoints enables
private IP addresses in the VNet to reach the endpoint of an Azure service without needing a public IP address on the VNet.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 561/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 4 times
  meeko86 6 months, 1 week ago
Answer should be B
https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview
"Virtual Network (VNet) service endpoint provides secure and direct connectivity to Azure services over an optimized route over the Azure
backbone network. "
"Keeping traffic on the Azure backbone network allows you to continue auditing and monitoring outbound Internet traffic from your virtual
networks, through forced-tunneling, without impacting service traffic."
upvoted 3 times

  klexams 7 months, 2 weeks ago

Selected Answer: B
service endpoints to ensure traffic uses ms backbone network, it does not go out to the internet.
upvoted 2 times

  sujidurga 8 months, 1 week ago

https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview Check Limititations. So Ans is NSG
upvoted 4 times

  engnr2000 2 months ago

The mention of the "on-premises network" is a distraction. Both resources are part of an AZ Subscription.
upvoted 1 times

  Andrew04 3 months ago

but the traffic is from VM1 to storage1, not from on-prem, so endpoint should be the good answer
upvoted 2 times

  sujidurga 8 months, 1 week ago

Endpoints can't be used for traffic from your premises to Azure services. For more information, see Secure Azure service access from on-premises
upvoted 3 times

  engnr2000 2 months ago

You're correct, however, the mentioned "on-premises network" is a distraction. Both resources are part of an AZ Subscription.
upvoted 1 times

  Mev4953 9 months ago

https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-
overview#:~:text=Virtual%20Network%20(VNet)%20service%20endpoint%20provides%20secure%20and%20direct%20connectivity%20to%20Azure
%20services%20over%20an%20optimized%20route%20over%20the%20Azure%20backbone%20network.
upvoted 2 times

  pythonier 9 months, 1 week ago

Selected Answer: B
Service endpoints and Private endpoints are the services that allows you to use MSFT backbone to communicate with Azure services
upvoted 2 times

  DanishHassan 9 months, 1 week ago

Selected Answer: B
Correct Answer is B
upvoted 1 times

  EmnCours 9 months, 1 week ago

Selected Answer: B
Correct Answer: B
upvoted 4 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 562/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #101 Topic 5

You plan to deploy route-based Site-to-Site VPN connections between several on-premises locations and an Azure virtual network.
Which tunneling protocol should you use?

A. IKEv1

B. PPTP

C. IKEv2

D. L2TP

Correct Answer: C
A Site-to-Site (S2S) VPN gateway connection is used to connect your on-premises network to an Azure virtual network over an IPsec/IKE (IKEv1
or IKEv2) VPN tunnel.
IKEv2 supports 10 S2S connections, while IKEv1 only supports 1.
Reference:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-classic-portal https://docs.microsoft.com/en-
us/azure/vpn-gateway/vpn-gateway-connect-multiple-policybased-rm-ps

Community vote distribution

C (100%)

  klexams Highly Voted  7 months, 2 weeks ago

C. IKEv2 IPsec
keyword is "Route-Based" coz "Policy-based" only supports IKEv1.
upvoted 14 times

  zellck Most Recent  4 months ago

Selected Answer: C
C is the answer.

https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-connect-multiple-policybased-rm-ps#azure-support-for-policy-based-vpn
upvoted 4 times

  EmnCours 9 months, 1 week ago

Selected Answer: C
Correct Answer: C
upvoted 2 times

  qwerty100 9 months, 1 week ago

Selected Answer: C
Correct Answer: C
upvoted 2 times

  DeltaSM 9 months, 2 weeks ago

Selected Answer: C
Answer: C
upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 563/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #102 Topic 5

You have an Azure subscription that contains the resources shown in the following table.

You configure Azure Site Recovery to replicate VM1 between the US East and West US regions.

You perform a test failover of VM1 and specify VNET2 as the target virtual network.

When the test version of VM1 is created, to which subnet will the virtual machine be connected?

A. TestSubnet1

B. DemoSubnet1

C. RecoverySubnetA

D. RecoverySubnetB

Correct Answer: A

Community vote distribution

B (85%) A (15%)

  zellck Highly Voted  4 months ago

Selected Answer: B
B is the answer.

https://learn.microsoft.com/en-us/azure/site-recovery/azure-to-azure-network-mapping
The subnet of the target VM is selected based on the name of the subnet of the source VM.
- If a subnet with the same name as the source VM subnet is available in the target network, that subnet is set for the target VM.
- If a subnet with the same name doesn't exist in the target network, the first subnet in the alphabetical order is set as the target subnet.
upvoted 25 times

  Rams_84zO6n Highly Voted  2 months, 2 weeks ago

Selected Answer: B
LOL, alphabetical order my a.... Never would have guessed
upvoted 8 times

  xRiot007 1 week, 4 days ago

It''s pretty silly. Should be done using CIDR match, but hey "lOgeec" :))
upvoted 1 times

  Atul_0902 Most Recent  3 months, 1 week ago

Source subnet name is Subnet2, so A is correct
upvoted 1 times

  Jared144 3 months, 2 weeks ago

Selected Answer: B
https://learn.microsoft.com/en-us/azure/site-recovery/azure-to-azure-network-mapping
upvoted 1 times

  djgodzilla 3 months, 2 weeks ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 564/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Selected Answer: A
logically when you failover same subnet CIDR means less work to do.
upvoted 1 times

  djgodzilla 3 months, 2 weeks ago

but obviously Azure doesn't follow logic by default . Answer is B .
"Specify a subnet
The subnet of the target VM is selected based on the name of the subnet of the source VM.
- If a subnet with the same name as the source VM subnet is available in the target network, that subnet is set for the target VM.
- If a subnet with the same name doesn't exist in the target network, the first subnet in the alphabetical order is set as the target subnet.
You can modify the target subnet in the Network settings for the VM.
2. IP address assignment during failover
- Same address space: IP address of the source VM NIC is set as the target VM NIC IP @.If the address isn't available, the next available IP is set
as the target.
- Different address space: The next available IP address in the target subnet is set as the target VM NIC address. <<-- this means it can be a
different IP CIDR. "
https://learn.microsoft.com/en-us/azure/site-recovery/azure-to-azure-network-mapping#set-up-ip-addressing-for-target-vms
upvoted 3 times

  SedateBloggs 4 months ago

I also think A. https://learn.microsoft.com/en-us/azure/site-recovery/azure-to-azure-architecture
upvoted 1 times

  SedateBloggs 4 months ago

and this https://learn.microsoft.com/en-us/azure/site-recovery/concepts-network-security-group-with-site-recovery#azure-to-azure-
replication-with-nsg which states "Site Recovery can create replicas of Contoso VNet and Contoso Subnet on the target Azure region when
replication is enabled for the VM."
upvoted 1 times

  Ashfaque_9x 5 months, 1 week ago

Selected Answer: A
A. TestSubnet1
https://learn.microsoft.com/en-us/azure/site-recovery/concepts-network-security-group-with-site-recovery
upvoted 5 times

  sss123412 5 months, 1 week ago

A is correct.

If no specific subnet is specified, VM1's test version would be deployed to the same subnet in VNET2, same subnet refers to the same address .
upvoted 4 times

  zellck 4 months ago

  azhunter 5 months, 1 week ago

Correct answer A
https://learn.microsoft.com/en-us/azure/site-recovery/concepts-network-security-group-with-site-recovery
upvoted 3 times

  wpestan 5 months, 1 week ago

all networks is in overlap exception RecoverySubnetA, are there any problem?
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 565/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #103 Topic 5

You have five Azure virtual machines that run Windows Server 2016. The virtual machines are configured as web servers.

You have an Azure load balancer named LB1 that provides load balancing services for the virtual machines.

You need to ensure that visitors are serviced by the same web server for each request.

What should you configure?

A. Protocol to UDP

B. Session persistence to None

C. Floating IP (direct server return) to Disabled

D. Session persistence to Client IP

Correct Answer: D

Community vote distribution

D (86%) 14%

  krzychuPl89 1 month, 3 weeks ago

Somebody realy wants us to remember this ...
upvoted 2 times

  lulzsec2019 3 months ago

This question appeared at least 5 times.
upvoted 3 times

  zellck 4 months ago

Same as Question 108.
https://www.examtopics.com/discussions/microsoft/view/94077-exam-az-104-topic-5-question-108-discussion
upvoted 2 times

  zellck 4 months ago

Selected Answer: D
D is the answer.

https://learn.microsoft.com/en-us/azure/load-balancer/distribution-mode-concepts
Session persistence: Client IP
- Traffic from the same client IP is routed to the same backend instance
upvoted 3 times

  omgMerrick 4 months, 2 weeks ago

Selected Answer: C
Correct answer: C

Session persistence to Client IP

Reference: https://learn.microsoft.com/en-us/azure/load-balancer/distribution-mode-concepts
upvoted 1 times

  omgMerrick 4 months, 2 weeks ago

I meant to select D. :)

Reference is still correct.

upvoted 1 times

  Ashfaque_9x 5 months, 1 week ago

Selected Answer: D
Correct Answer
D. Session persistence to Client IP
upvoted 1 times

  azhunter 5 months, 1 week ago

Correct Answer
upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 566/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  khaled_razouk 5 months, 1 week ago

Selected Answer: D
To ensure that visitors are serviced by the same web server for each request, you should configure session persistence to "Client IP" on the Azure
load balancer.
upvoted 2 times

Question #104 Topic 5

You plan to deploy several Azure virtual machines that will run Windows Server 2019 in a virtual machine scale set by using an Azure Resource
Manager template.

You need to ensure that NGINX is available on all the virtual machines after they are deployed.

What should you use?

A. the Publish-AzVMDscConfiguration cmdlet

B. a Microsoft Endpoint Manager device configuration profile

C. Deployment Center in Azure App Service

D. a Desired State Configuration (DSC) extension

Correct Answer: D

Community vote distribution

D (100%)

  Ashfaque_9x 5 months, 1 week ago

Selected Answer: D
Correct Answer
D. a Desired State Configuration (DSC) extension
upvoted 3 times

  khaled_razouk 5 months, 1 week ago

Selected Answer: D
D. a Desired State Configuration (DSC) extension
upvoted 3 times

  Ras_Al_Ghul 5 months, 1 week ago

Selected Answer: D
correct answer D
upvoted 3 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 567/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #105 Topic 5

You have five Azure virtual machines that run Windows Server 2016. The virtual machines are configured as web servers.

You have an Azure load balancer named LB1 that provides load balancing services for the virtual machines.

You need to ensure that visitors are serviced by the same web server for each request.

What should you configure?

A. Floating IP (direct server return) to Disabled

B. Session persistence to Client IP

C. Protocol to UDP

D. Idle Time-out (minutes) to 20

Correct Answer: B

Community vote distribution

B (100%)

  curtmcgirt Highly Voted  3 months, 3 weeks ago

i hope i get this question on the exam half as often as it appears here.
upvoted 11 times

  loic90 Most Recent  2 months, 1 week ago

La réponse est la B
upvoted 1 times

  zellck 4 months ago

Same as Question 108.
https://www.examtopics.com/discussions/microsoft/view/94077-exam-az-104-topic-5-question-108-discussion
upvoted 2 times

  zellck 4 months ago

Selected Answer: B
B is the answer.

  omgMerrick 4 months, 2 weeks ago

Selected Answer: B
Correct answer: B
Session persistence to Client IP

Reference: https://learn.microsoft.com/en-us/azure/load-balancer/distribution-mode-concepts
upvoted 1 times

  Ashfaque_9x 5 months, 1 week ago

Selected Answer: B
Correct Answer
B. Session persistence to Client IP
upvoted 1 times

  khaled_razouk 5 months, 1 week ago

Selected Answer: B
correct
B. Session persistence to Client IP
upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 568/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #106 Topic 5

You have an Azure subscription that contains 20 virtual machines, a network security group (NSG) named NSG1, and two virtual networks named
VNET1 and VNET2 that are peered.

You plan to deploy an Azure Bastion Basic SKU host named Bastion1 to VNET1.

You need to configure NSG1 to allow inbound access to the virtual machines via Bastion1.

Which port should you configure for the inbound security rule?

A. 22

B. 443

C. 389

D. 8080

Correct Answer: B

Community vote distribution

B (74%) A (26%)

  Ashfaque_9x Highly Voted  5 months, 1 week ago

Selected Answer: B
Correct Answer
B. 443

Using Bastion your RDP/SSH session is over TLS on port 443.

https://learn.microsoft.com/en-us/azure/bastion/bastion-overview

If you say port 22 then what about windows VM as it is not mentioned that the VM is windows or Linux? You will have to allow port 443 in NSG.
upvoted 13 times

  bajjiteam Highly Voted  5 months, 1 week ago

Correct answer A....As Bastion connects to VM via port 22/3389..Azure portal connects to Bastion via port 443..as the question is to inbound rule for
vm from Bastion...Correct answer is PORT 22...option A
upvoted 11 times

  hbor 2 months, 2 weeks ago

Correct Answer is B. The Azure Bastion will create a public IP that needs port 443 enabled on the public IP for ingress traffic. Port 3389/22 are
NOT required to be opened on the AzureBastionSubnet https://learn.microsoft.com/en-us/azure/bastion/bastion-nsg
upvoted 1 times

  rugoki Most Recent  2 days, 13 hours ago

look at first picture internet port 443 -> bastion ports 3389/22 -> VM, answer A.
https://learn.microsoft.com/en-us/azure/bastion/tutorial-create-host-portal
upvoted 1 times

  testtaker13 1 month, 3 weeks ago

Selected Answer: A
Based on the provided link by other fellows in the comments I choose SSH as well. Although the whole answer seems a bit incomplete. Maybe the
idea is to confuse you. But It is clearly explained that the second part of the connectivity from Bastion to the backend subnet/resources uses the
actual RDP/SSH ports. NSG on BastionSubnet is Egress and NSG on backend services should be Inbound!

https://learn.microsoft.com/en-us/azure/bastion/bastion-nsg
upvoted 1 times

  iamweasel 2 months, 2 weeks ago

Azure Bastion uses an HTML5 based web client that is automatically streamed to your local device, so that you get your RDP/SSH session over SSL
on port 443 enabling you to traverse corporate firewalls securely.
upvoted 1 times

  Slawekyo 2 months, 2 weeks ago

Selected Answer: A
I believe that you need port 443 for you to connect to bastion (aka azure portal)
But for the bastion to connect to the VM you need port 22/3389 therefore I am willing to go with answer: A
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 569/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  Pexonian 2 months, 2 weeks ago

Selected Answer: A
Correct Answer is A
Reference: https://learn.microsoft.com/en-us/azure/bastion/bastion-nsg
upvoted 1 times

  flaviobrf 2 months, 3 weeks ago

Selected Answer: A
This question is terrible, the worst of all… I believe tha is A because, there is no information about the VMs OS, we can’t figure out if are Windows,
Linux or both… and where is the nsg, based on those seems to be A, but that is true that it’s used port 443 until the bastion and then 22/3389
upvoted 1 times

  flaviobrf 2 months, 3 weeks ago

I said A but I meant B, sorry
upvoted 1 times

  ktrfrnd26 3 months, 1 week ago

Selected Answer: B
Answer B: https://learn.microsoft.com/en-us/azure/bastion/bastion-nsg
Ingress Traffic:
Ingress Traffic from public internet: The Azure Bastion will create a public IP that needs port 443 enabled on the public IP for ingress traffic. Port
3389/22 are NOT required to be opened on the AzureBastionSubnet. Note that the source can be either the Internet or a set of public IP addresses
that you specify.

Egress Traffic:
Egress Traffic to target VMs: Azure Bastion will reach the target VMs over private IP. The NSGs need to allow egress traffic to other target VM
subnets for port 3389 and 22. If you are using the custom port feature as part of Standard SKU, the NSGs will instead need to allow egress traffic to
other target VM subnets for the custom value(s) you have opened on your target VMs.
upvoted 4 times

  vbohr899 3 months, 2 weeks ago

Cleared Exam today 26 Feb, This question was there in exam.
upvoted 3 times

  RougePotatoe 3 months, 2 weeks ago

Selected Answer: A
Bastion connections to the VM via RDP (3389) or SSH(22)

Azure portal connects to Bastion via port 443

"Using Bastion your RDP/SSH session is over TLS on port 443."

https://learn.microsoft.com/en-us/azure/bastion/bastion-overview

If you're not convinced take a look at this picture.

https://learn.microsoft.com/en-us/azure/bastion/media/bastion-nsg/figure-1.png
upvoted 5 times

  RougePotatoe 3 months, 2 weeks ago

Read the question very carefully.

"You need to configure NSG1 to allow inbound access to the virtual machines via Bastion1."

You need to configure a NSG that allows bastion to connect to the VMs, not you need to allow yourself access to bastion.
upvoted 3 times

  zellck 4 months ago

Selected Answer: B
B is the answer.

https://learn.microsoft.com/en-us/azure/bastion/bastion-nsg
upvoted 2 times

  RougePotatoe 3 months, 2 weeks ago

B is not the answer.

Bastion connects to VMs via port 22/3389 (ssh/RDP).

You connect from portal to bastion via port 443.
Bastion does not interact with the VMs with 443. You talk to bastion on 443.
https://learn.microsoft.com/en-us/azure/bastion/media/bastion-nsg/figure-1.png

Question: "You need to configure NSG1 to allow inbound access to the virtual machines via Bastion1."

Configure NSG1 to allow bastion access to vms.

upvoted 1 times

  AndreaStack 4 months ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 570/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Selected Answer: B
If you look in the pic, you'll notice that Azure Bastion uses an HTML5 based web client that is automatically streamed to your local device. Your
RDP/SSH session is over TLS on port 443. Pic reference:
https://learn.microsoft.com/en-us/azure/bastion/media/bastion-overview/architecture.png
upvoted 1 times

  RougePotatoe 3 months, 2 weeks ago

B is not the answer.

Bastion connects to VMs via port 22/3389 (ssh/RDP).

Question: "You need to configure NSG1 to allow inbound access to the virtual machines via Bastion1."

Configure NSG1 to allow bastion access to vms.

upvoted 2 times

  lkjsatlwjwwge 4 months, 1 week ago

Yet another ambigous question? According to https://learn.microsoft.com/en-us/azure/bastion/bastion-nsg, if using NSGs, the bastion subnet
should allow incoming 443, and the VMs subnets should allow incoming ssh/RDP... So both A and B seem to be valid. How can we tell if we're not
told to which subnet NSG1 is linked? However, inbound 443 from Internet is not a default NSG rule, while intra-vnet traffic is. So it shouldn't be
necessary to explicitly allow inbound 22/3389 to the VMs, whereas without allowing 443 you shouldn't be able to reach the bastion. I guess I'd go
with B.
Side note, I'd gladly pay good money to have a private word with whoever makes this exam questions...
upvoted 5 times

  JDWaters 4 months, 2 weeks ago

Selected Answer: B
From Learn.Microsoft.com. “Ingress Traffic from public internet: The Azure Bastion will create a public IP that needs port 443 enabled on the public
IP for ingress traffic. Port 3389/22 are NOT required to be opened on the AzureBastionSubnet. Note that the source can be either the Internet or a
set of public IP addresses that you specify.“
upvoted 1 times

  DeBoer 4 months, 1 week ago

Problem is that the question doesn't really specify to which subnet the NSG is linked - so we don't know if they're talking about traffic from
outside to Bastion (443) or from Bastion to the VM (22 on Linux or 3389 on Windows)
upvoted 2 times

  azhunter 5 months, 1 week ago

Correct answer A either SSH/RDP 22/3389
upvoted 3 times

  Afsan 5 months, 1 week ago

Inbound (ingress) traffic from Azure Bastion on ports 3389 (RDP) or 22 (SSH). This because Azure Bastion will reach the targeted VM over its private
IP and depending on the type of VM (Windows or Linux) port 3389 or 22 will be used.
upvoted 4 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 571/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #107 Topic 5

HOTSPOT
-

Your network contains an on-premises Active Directory Domain Services (AD DS) domain named contoso.com. The domain contains the servers
shown in the following table.

You plan to migrate contoso.com to Azure.

You create an Azure virtual network named VNET1 that has the following settings:

• Address space: 10.0.0.0/16

• Subnet:
o Name: Subnet1
o IPv4: 10.0.1.0/24

You need to move DC1 to VNET1. The solution must ensure that the member servers in contoso.com can resolve AD DS DNS names.

How should you configure DC1? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 572/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Correct Answer:

  tunaparker Highly Voted  5 months ago

I think the answers should be:

1) Obtain an IP address automatically

The first 4 IP addresses within a subnet space are getting reserved for Azure automatically. Thus, 10.0.1.3 can't be the right answer. 10.0.2.1 is in the
VNET space but falls out of the subnet space. 192.168.2.1 is just out of the VNET.

2) Configure VNET1 to use a custom DNS server

This VNET1 should use our pre-created DNS server as its DNS server so tahat the member servers in contoso.com can resolve AD DS DNS names.

Pls do not hesitate to correct me if I am wrong :)

upvoted 20 times

  zellck 4 months ago

https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances
Azure DNS private zones is the preferred solution and gives you flexibility in managing your DNS zones and records.
upvoted 1 times

  GBAU 4 months ago

https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances#name-resolution-
that-uses-your-own-dns-server

VMs and role instances

Your name resolution needs might go beyond the features provided by Azure. For example, you might need to use Microsoft Windows
Server Active Directory domains, resolve DNS names between virtual networks. To cover these scenarios, Azure enables you to use your own
DNS servers.

Private DNS Zones do not support Active Directory Integration

upvoted 2 times

  AX341 4 months, 1 week ago

Reading this, makes me think you are right: https://social.technet.microsoft.com/wiki/contents/articles/23377.how-to-manage-your-dcdns-
servers-with-dynamic-ips-in-azure.aspx
upvoted 1 times

  SKR94 4 months, 2 weeks ago

IDK...
1) ok
2) if you set IP address automatically, what do you set in custom DNS? I think is better create a private DNS...
upvoted 4 times

  Phlogiston Highly Voted  4 months ago

Another dumb correct response. The only correct responses appear to be to use a dynamic IP address and custom DNS. But, in the real world, you
would never configure a DC to use a dynamic IP address. Imagine the chaos if it is rebooted and acquires a different IP address and the SRV
records are possibly not updated, not to mention the fact that now the client DNS configurations are pointing to an incorrect DNS address and
won't be able to resolve A and SRV records for the domain. Madness.
upvoted 10 times

  djgodzilla Most Recent  2 months, 2 weeks ago

not sure , I can understand what is the right answer here.
"For environments where name resolution across Azure and on-premises is required, it is recommended to use DNS Private Resolver service along
with Azure Private DNS Zones. It offers many benefits over virtual machines based DNS solution, including cost reduction, built-in high availability,
scalability, and flexibility.

If you need to use existing DNS infrastructure (for example, Active Directory integrated DNS), ensure that the DNS server role is deployed onto at
least two VMs and configure DNS settings in virtual networks to use those custom DNS servers."

https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/dns-for-on-premises-and-azure-resources

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 573/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 1 times

  djgodzilla 2 months, 2 weeks ago

2) Custom DNS zone
Deploy ADDS in Azure VNET:
If the new deployed Domain Controllers (DC) VMs will have also the role of DNS servers, it's recommended to configure them as custom DNS
server at the Azure Virtual Network level.
https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/identity/adds-extend-domain
not sure about the IP
upvoted 1 times

  CyberKelev 3 months, 2 weeks ago

Answer is 10.1.0.3 and configure Vnet1 to use a custom DNS server
upvoted 3 times

  Goofer 2 months, 1 week ago

10.1.0.3 is not possible. you can use 10.1.0.4 and higher.
upvoted 1 times

  GBAU 4 months ago

IP: Automatic
Name Resolution: Custom

1: As soon as you move DC1 to VNET1, irrespective of the DNS/IP config, Server1 can not resolve AD DS DNS names as there is ZERO mention of a
P2P VPN between onsite where Server1 still is and the VNET...

however
2: Lets assume the question means if Server 2 is also moved as well, or if there is a VPN\Express Route:

You don't want to give a DC a DHCP IP but you are going to have too!:
-10.0.2.1 and 192.168.2.1 are not in any defined subnet in the vNET.
-10.0.1.3 is a reserved IP in a /24 network and can not be assigned
https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-faq

You need to point DNS for any domain members to the DC for AD DNS resolution so it has to be a Custom IP (of whatever gets assigned to DC1).
(Private DNS zones don't support Active Directory DNS Zone Integration).

Just pray no one shuts down DC1 and it gets a different IP when it starts up.

Who decides the answers to these questions? This one couldn't be more wrong.
upvoted 2 times

  SimoneP 1 month, 2 weeks ago

I like your answer but:
For environments where name resolution across Azure and on-premises is required, it is recommended to use DNS Private Resolver service
along with Azure Private DNS Zones. It offers many benefits over virtual machines based DNS solution, including cost reduction, built-in high
availability, scalability, and flexibility. so I go with "Create an Azure Private DNS zone"
upvoted 1 times

  SimoneP 1 month, 2 weeks ago

Ref: https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/dns-for-on-premises-and-azure-
resources
upvoted 1 times

  zellck 4 months ago

1. Obtain an IP address automatically
2. Create an Azure Private DNS zone named contoso.com

https://learn.microsoft.com/en-us/azure/dns/private-dns-overview
Azure Private DNS provides a reliable and secure DNS service for your virtual network. Azure Private DNS manages and resolves domain names in
the virtual network without the need to configure a custom DNS solution. By using private DNS zones, you can use your own custom domain name
instead of the Azure-provided names during deployment. Using a custom domain name helps you tailor your virtual network architecture to best
suit your organization's needs. It provides a naming resolution for virtual machines (VMs) within a virtual network and connected virtual networks.
upvoted 3 times

  GBAU 4 months ago

https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances#name-resolution-that-
uses-your-own-dns-server

VMs and role instances

Your name resolution needs might go beyond the features provided by Azure. For example, you might need to use Microsoft Windows Server
Active Directory domains, resolve DNS names between virtual networks. To cover these scenarios, Azure enables you to use your own DNS
servers.

Private DNS Zones do not support Active Directory Integration

upvoted 2 times

  zellck 4 months ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 574/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  SedateBloggs 3 months, 3 weeks ago

you dont use private DNS zones for AD DS: https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-name-resolution-for-
vms-and-role-instances and quoting "Your name resolution needs might go beyond the features provided by Azure. For example, you might
need to use Microsoft Windows Server Active Directory domains, resolve DNS names between virtual networks. To cover these scenarios,
Azure enables you to use your own DNS servers.". This would lend itself to Auto IP and using custom DNS - NOT private zones
upvoted 2 times

  DeBoer 4 months, 1 week ago

Best practise is to always have VMs in Azure assigned automatically. For a DC it makes sense to reserve the address in the "sort of DHCP" Azure
does so it always gets the same one ;-)

You can also eliminate the answers quite easily:

Azure reserves the first four and last IP address for a total of 5 IP addresses within each subnet. So 10.0.1.3/24 can't be used;
10.0.2.1 is also in the first 5 of another subnet - so can't use that either.
192.168.2.1 isn't even in the address space...

As to the custom DNS, yes, point the VNET at the custom DNS server (the DC). Bonus points of you point the DNS settings op de DC's VM to
Azure's DNS servers in the VM's properties (saves you a lot of work in resolving private DNS zones of e.g. Private Endpoints ;-) )
upvoted 4 times

  ant650 4 months, 2 weeks ago

Should be obtain automatically. x.x.x.1 is reserved for gateway, x.x.x.2-3 reserved for Azure DNS
upvoted 1 times

  bouk75 5 months ago

IP address: 10.0.1.3 shouldn't able to be use
Azure reserves the first four and last IP address for a total of 5 IP addresses within each subnet.

For example, the IP address range of 192.168.1.0/24 has the following reserved addresses:

192.168.1.0 : Network address

192.168.1.1 : Reserved by Azure for the default gateway
192.168.1.2, 192.168.1.3 : Reserved by Azure to map the Azure DNS IPs to the VNet space
192.168.1.255 : Network broadcast address.
upvoted 9 times

  elrizos 2 months, 2 weeks ago

Correct
https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-faq#are-there-any-restrictions-on-using-ip-addresses-within-these-
subnets
upvoted 1 times

  Ashfaque_9x 5 months, 1 week ago

I feel the correct answers are
IP address: 10.0.1.3
Name Resolution: Configure VNET1 to use a custom DNS server
upvoted 6 times

  lulzsec2019 1 week, 1 day ago

I see you posted you got very high score in this exam. So this is one of the questions you got the wrong answer? hehe
upvoted 1 times

  wpestan 5 months, 1 week ago

i believe is correct
-IP 10.0.1.3 same range new network o IPv4: 10.0.1.0/24
-create a private dns contoso.com
upvoted 1 times

  wpestan 5 months, 1 week ago

- create can be wrong, its better use a custon dns
upvoted 3 times

  zellck 4 months ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 575/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #108 Topic 5

You have five Azure virtual machines that run Windows Server 2016. The virtual machines are configured as web servers.

You have an Azure load balancer named LB1 that provides load balancing services for the virtual machines.

You need to ensure that visitors are serviced by the same web server for each request.

What should you configure?

A. Session persistence to None

B. a health probe

C. Session persistence to Client IP

D. Idle Time-out (minutes) to 20

Correct Answer: C

Community vote distribution

C (100%)

  curtmcgirt Highly Voted  3 months, 3 weeks ago

i hope i get this question on the exam half as often as it appears here.
upvoted 5 times

  lulek Most Recent  2 weeks, 2 days ago

My favourite question - I always get it right! ;)
upvoted 3 times

  SIAMIANJI 1 month, 1 week ago

Selected Answer: C
C is correct.
upvoted 1 times

  zellck 4 months ago

Same as Question 116.
https://www.examtopics.com/discussions/microsoft/view/95628-exam-az-104-topic-5-question-116-discussion
upvoted 1 times

  zellck 4 months ago

Selected Answer: C
C is the answer.

  B0SS930 4 months, 1 week ago

Imagine this question not to be asked in the exam itself.
upvoted 3 times

  Notteb 4 months, 3 weeks ago

Selected Answer: C
this question is maybe 10 times in this dump.
upvoted 4 times

  Ashfaque_9x 5 months, 1 week ago

Selected Answer: C
Correct Answer
C. Session persistence to Client IP
upvoted 4 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 576/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  Bigc0ck 5 months, 1 week ago

Similar question on the test
upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 577/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #109 Topic 5

You have an Azure subscription that contains the virtual networks shown in the following table.

You need to deploy an Azure firewall named AF1 to RG1 in the West US Azure region.

To which virtual networks can you deploy AF1?

A. VNET1, VNET2, VNET3, and VNET4

B. VNET1 and VNET2 only

C. VNET1 only

D. VNET1, VNET2, and VNET4 only

E. VNET1 and VNET4 only

Correct Answer: C

Community vote distribution

C (68%) E (30%)

  Ashfaque_9x Highly Voted  5 months, 1 week ago

Selected Answer: C
C. VNET1 only

No idea why people are saying option E as the question clearly states that "You need to deploy an Azure firewall named AF1 to RG1 in the West
US", so RG1 in the West US region means the correct answer is C(VNET1).
upvoted 28 times

  garmatey 1 month, 2 weeks ago

But it says which virtual networks *can* you deploy AF1....
upvoted 2 times

  kilobaik 3 months, 1 week ago

You right

"Are there any firewall resource group restrictions? Yes. The firewall, VNet, and the public IP address all must be in the same resource group."

https://learn.microsoft.com/en-us/azure/firewall/firewall-faq#are-there-any-firewall-resource-group-restrictions
upvoted 5 times

  biscaldis 4 months ago

That's correct. This is the only case in which the resource group must be the same
https://learn.microsoft.com/en-us/azure/firewall/firewall-faq#are-there-any-firewall-resource-group-restrictions
upvoted 3 times

  r3nenge 4 months ago

Are there any firewall resource group restrictions?
Yes. The firewall, VNet, and the public IP address all must be in the same resource group.
https://learn.microsoft.com/en-us/azure/firewall/firewall-faq
upvoted 9 times

  AK4U 3 months, 1 week ago

THANK YOU!
upvoted 2 times

  Muffay Highly Voted  5 months, 1 week ago

Selected Answer: E
Should be E - Vnet 1 and Vnet 4.

As all resources, the resource group is just a logical grouping and the real limitations do come from the region. An Azure Firewall can be used with
peered networks, but as the question does not mention peering the firewall cannot be applied to networks in another region.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 578/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

"You can deploy Azure Firewall on any virtual network, but customers typically deploy it on a central virtual network and peer other virtual networks
to it in a hub-and-spoke model. You can then set the default route from the peered virtual networks to point to this central firewall virtual network.
Global VNet peering is supported, but it isn't recommended because of potential performance and latency issues across regions. For best
performance, deploy one firewall per region."

I also just tried it out, I cannot connect an Azure Firewall to a VNET which is in another region.
upvoted 11 times

  RougePotatoe 4 months ago

Are there any firewall resource group restrictions?
Yes. The firewall, VNet, and the public IP address all must be in the same resource group.

https://learn.microsoft.com/en-us/azure/firewall/firewall-faq#are-there-any-firewall-resource-group-restrictions
upvoted 4 times

  Rwj Most Recent  2 weeks, 3 days ago

VNET 1 Only
Yes. The firewall, VNet, and the public IP address all must be in the same resource group.
upvoted 1 times

  SIAMIANJI 1 month, 1 week ago

Selected Answer: C
C is correct.
upvoted 1 times

  RDIO 1 month, 2 weeks ago

Selected Answer: C
https://learn.microsoft.com/en-us/azure/firewall/firewall-faq#are-there-any-firewall-resource-group-
restrictions:~:text=Yes.%20The%20firewall%2C%20VNet%2C%20and%20the%20public%20IP%20address%20all%20must%20be%20in%20the%20sa
me%20resource%20group.
upvoted 2 times

  madao322 3 months ago

Selected Answer: C
Firewall must be in the same RG with other needed resources. MS allows you to allocate resources in different RG/location/VNet but many of them
just dont work. Additionally, moving resources will also casuse undesible system error as well. TBH, that is not understandable
upvoted 1 times

  AK4U 3 months, 1 week ago

Microsoft's words: "Are there any firewall resource group restrictions?
Yes. The firewall, VNet, and the public IP address all must be in the same resource group."

Source:
https://learn.microsoft.com/en-us/azure/firewall/firewall-faq#are-there-any-firewall-resource-group-restrictions
upvoted 1 times

  CyberKelev 3 months, 2 weeks ago

Selected Answer: B
Same region and resource group as af1
upvoted 1 times

  NIOBruno 3 months, 4 weeks ago

Selected Answer: C
C: Is correct
upvoted 1 times

  herodes 3 months, 4 weeks ago

Selected Answer: C
Its states you need to deploy to RG1 and West US, based on this there is only one solution and its VNET1
upvoted 1 times

  RougePotatoe 4 months ago

Here's a funny thing. The Faqs page I've been posting is incorrect. I was able to create a firewall with the public IP address in another RG but in the
same region.

The firewall must be in the same region and RG as the vNet.

The firewall does not need to be in the same RG as the public ip address.
The firewall does need to be in the same region as the public ip address.
upvoted 3 times

  r3nenge 4 months ago

Selected Answer: C
Are there any firewall resource group restrictions?
Yes. The firewall, VNet, and the public IP address all must be in the same resource group.
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 579/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

https://learn.microsoft.com/en-us/azure/firewall/firewall-faq
upvoted 3 times
  zellck 4 months ago
C is the answer.

"RG1 in the West US Azure region"

upvoted 2 times

  RougePotatoe 4 months ago

Are there any firewall resource group restrictions?
Yes. The firewall, VNet, and the public IP address all must be in the same resource group.

https://learn.microsoft.com/en-us/azure/firewall/firewall-faq#are-there-any-firewall-resource-group-restrictions
upvoted 2 times

  zellck 4 months ago

Isn't C the answer then? =)
upvoted 1 times

  chikorita 4 months, 1 week ago

Mlantonis resurfaced as Muffay
god bless both
upvoted 1 times

  lkjsatlwjwwge 4 months, 1 week ago

Selected Answer: C
Muffay's reasoning is flawless, but there's a gotcha pointed out by Alexander K.
upvoted 2 times

  Kirucha 4 months, 2 weeks ago

Selected Answer: C
Are there any firewall resource group restrictions?
Yes. The firewall, VNet, and the public IP address all must be in the same resource group.

https://learn.microsoft.com/en-us/azure/firewall/firewall-faq#are-there-any-firewall-resource-group-restrictions
upvoted 2 times

  LauLauLauw 4 months, 2 weeks ago

Selected Answer: C
Answer is C.
The FW needs to be in the same resourcegroup as the VNET as stated here:
https://learn.microsoft.com/en-us/azure/firewall/firewall-faq#are-there-any-firewall-resource-group-restrictions
upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 580/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #110 Topic 5

You have an on-premises network.

You have an Azure subscription that contains three virtual networks named VNET1. VNET2. and VNET3. The virtual networks are peered and
connected to the on-premises network. The subscription contains the virtual machines shown in the following table.

You need to monitor connectivity between the virtual machines and the on-premises network by using Connection Monitor.

What is the minimum number of connection monitors you should deploy?

A. 1

B. 2

C. 3

D. 4

Correct Answer: B

Community vote distribution

B (71%) A (27%)

  dagomo Highly Voted  4 months, 2 weeks ago

Selected Answer: B
Connection monitor resource: A region-specific Azure resource.

https://learn.microsoft.com/en-us/azure/network-watcher/connection-monitor-create-using-portal#before-you-begin
upvoted 14 times

  vbohr899 Highly Voted  3 months, 2 weeks ago

Cleared Exam today 26 Feb, This question was there in exam.
upvoted 7 times

  werdy92 3 months, 2 weeks ago

So you came back, scrolled through all of the ~450 questions until you found the ones which where in your exam and posted this because of
altruism? I dont think so.
upvoted 20 times

  rugoki 2 days, 12 hours ago

good notice my loyal minion!

that creature has posted same message on 34 questions I have used the power of google to track it! Its a marketing bot. or a very strange
being
upvoted 1 times

  AK4U 3 months, 1 week ago

Why wouldn't you believe that? This is a great deed from someone who just took the exam and is back to help the others. I appreciate this.
upvoted 10 times

  alexander_890512 Most Recent  1 week, 3 days ago

Answer: B

Select a region for your connection monitor. You can select only the source VMs that are created in this region.

As we have two regions, we need to create to connection monitors.

https://learn.microsoft.com/en-us/azure/network-watcher/connection-monitor-create-using-portal#create-a-connection-monitor
upvoted 1 times

  kalyan1986 1 month ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 581/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

I checked the portal https://learn.microsoft.com/en-us/azure/network-watcher/connection-monitor-create-using-portal

The unique parameter is the "region" while creating a connection monitor and nothing else.
Since we have 2 regions in this question, the answer shud be 2
upvoted 1 times

  Goofer 2 months, 1 week ago

Selected Answer: B
2 regions = 2 connection monitors
upvoted 2 times

  Rams_84zO6n 2 months, 2 weeks ago

Selected Answer: A
For sure. https://learn.microsoft.com/en-us/azure/network-watcher/connection-monitor-overview . One connection monitor instance can connect
(a) on-premise network (b) VMs, VMSS (with NW extensions). I don't think region would matter given VNETs are peered and have on-premise
connectivity.
upvoted 1 times

  Leunis 2 months, 2 weeks ago

Selected Answer: A
The key is in the VNET peering. Only 1 monitor is required technically.
upvoted 1 times

  bsaksham 2 months, 2 weeks ago

You should deploy at least 2 connection monitors: one to monitor connectivity between the virtual machines in VNET1 and the on-premises
network, and another one to monitor connectivity between the virtual machine in VNET2 and the on-premises network. The virtual machine in
VNET3 is not connected to the on-premises network, so it does not need to be monitored for connectivity to it.

Therefore, the answer is B. 2.

upvoted 1 times

  CyberKelev 3 months, 2 weeks ago

Selected Answer: C
Because Vnet1,VNET2, vnet3
upvoted 1 times

  djgodzilla 3 months, 2 weeks ago

B likely but the Doc sucks nonethless
Connection monitor resource: A region-specific Azure resource. All the following entities are properties of a connection monitor resource.
https://learn.microsoft.com/en-us/azure/network-watcher/connection-monitor-overview
upvoted 1 times

  not_mlantonis 3 months, 3 weeks ago

Answer is B, 2.

Network Watcher can monitor cross-region traffic, but it is enabled on a regional basis.

https://learn.microsoft.com/en-us/azure/network-watcher/connection-monitor-overview

All subscriptions that have a virtual network are enabled with Network Watcher. When you create a virtual network in your subscription, Network
Watcher is automatically enabled in the virtual network's region and subscription. This automatic enabling doesn't affect your resources or incur a
charge. Ensure that Network Watcher isn't explicitly disabled on your subscription.
upvoted 4 times

  zellck 4 months ago

Selected Answer: B
B is the answer.

https://learn.microsoft.com/en-us/azure/network-watcher/connection-monitor-overview#create-a-connection-monitor-1
Connection monitor resource: A region-specific Azure resource. All the following entities are properties of a connection monitor resource.
upvoted 3 times

  MahendraC 4 months, 1 week ago

Selected Answer: B
You will need 2 connection monitors as per the microsoft documentation

https://learn.microsoft.com/en-us/azure/network-watcher/connection-monitor-create-using-portal#create-test-groups-in-a-connection-monitor

It clearly states here "To choose Azure agents, select the Azure endpoints tab. Here you see only VMs or Virtual Machine Scale Sets that are bound
to the region that you specified when you created the connection monitor."
upvoted 2 times

  lkjsatlwjwwge 4 months, 1 week ago

Selected Answer: B
I failed to find any reference that would answer the global vs. regional dilemma (MLANTONIS, why have you forsaken us?), so I tried the Azure
Portal and here's my humble contribution: when creating a Connection Monitor resource, you must first choose a region. After that, when defining

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 582/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

your test groups, you are requested to add sources and destinations. For the destinations, you can pick any region you like. However, the source
endpoints are limited to the region you chose for the CM resource (the region is grayed out). So to monitor the connection from Azure VMs to
your on-prem network, you'd need one CM in each region, to be able to choose the VMs in the region as the source, and your on-prem endpoints
as the destination. Therefore, you'd need 2 CM instances. To use just one CM, I guess you'd have to pick your on-prem network as the source, and
then add all the Azure VMs as destinations. However, I'm not sure that's the solution they had in mind with this question.
What do you think?
upvoted 5 times
  hjou 4 months, 2 weeks ago
Selected Answer: A
A. 1

https://learn.microsoft.com/en-us/azure/network-watcher/connection-monitor-overview
"Here are some benefits of Connection Monitor:

- Unified, intuitive experience for Azure and hybrid monitoring needs

- Cross-region, cross-workspace connectivity monitoring
"

"
Here are some use cases for Connection Monitor:

You want VMs/scale sets in, for example, the East US region to ping VMs/scale sets in the Central US region, and you want to compare cross-region
network latencies.
You have multiple on-premises office sites, one in Seattle, Washington, for example, and another in Ashburn, Virginia. Your office sites connect to
Microsoft 365 URLs. For your users of Microsoft 365 URLs, you want to compare the latencies between Seattle and Ashburn."
upvoted 3 times

  Ashfaque_9x 5 months, 1 week ago

Selected Answer: A
A. 1

all the VNets are peered and have connectivity with on-premise endpoints.
https://learn.microsoft.com/en-us/azure/network-watcher/connection-monitor-create-using-portal
upvoted 3 times

  vitodobra 5 months, 1 week ago

Selected Answer: B
Connection monitor resource: A region-specific Azure resource.
https://learn.microsoft.com/en-us/azure/network-watcher/connection-monitor-overview
upvoted 3 times

  KennethLZK 4 months, 4 weeks ago

On-premises network
upvoted 1 times

  dimsok 4 months, 4 weeks ago

Cross-region, cross-workspace connectivity monitoring
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 583/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #111 Topic 5

HOTSPOT
-

You plan to deploy the following Azure Resource Manager (ARM) template.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 584/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 585/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

NOTE: Each correct selection is worth one point.

Correct Answer:

  FabrityDev Highly Voted  5 months, 1 week ago

I would say that the correct answer is NO NO NO.

Box 1: instead of "netname" there should be the value of netname variable

Box 2: I don't see Resource Group mentioned anywhere in the template
Box 3: I don't see parameters being referred anywhere in the template, only variables are referred, e.g. "sku" variable.
upvoted 15 times

  VinayV 2 months, 2 weeks ago

You have posted the question with wrong answer?
upvoted 1 times

  pino1 5 months ago

Box 1: No - "netname" is the name of the variable
Box 2: No - the LB must be in the same region as the virtual network, but the Resource group can be anywhere
Box 3: No - There are no parameter defined in the template
upvoted 5 times

  DeBoer Highly Voted  4 months, 1 week ago

It's NO - YES - NO

Box 1: NO - the value of 'netname' is 'App1', so it's created in the App1 subnet (not netname)
Box 2: YES - There's no OTHER resource groups specified so it assumes it needs to find the resource in the one you're deploying to. reference:
https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/template-functions-resource#remarks-3
Box 3: NO - 'sku' is a variable, not a parameter - so you can't use it as a parameter.
upvoted 6 times

  Doman01 Most Recent  2 months, 1 week ago

NO-YES-NO

Yes, Azure Load Balancer must be in the same resource group as the virtual network (vnet) it is being used with. This is because Load Balancer is a
resource that is used to distribute incoming network traffic across multiple virtual machines (VMs) in a backend pool. The VMs in the backend pool
must also be in the same resource group as the Load Balancer and vnet.

When you create a Load Balancer, you must specify the vnet it will be used with, and the resource group that both the Load Balancer and vnet
belong to. If you try to create a Load Balancer in a different resource group than the vnet, you will receive an error message.

It's important to note that while the Load Balancer and vnet must be in the same resource group, they can be in different regions. However, for
optimal performance, it's recommended to keep them in the same region to minimize latency.
upvoted 4 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 586/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  werdy92 3 months, 2 weeks ago

N - netname will be resolved to App1
Y - the answer uses incorrectly "the resource group" when "a resource group" was meant. It is obvious that a VNET with name VNET1 is needed
here since it is the value of the variable. So this VNET must be present in whatever RG this will be deployed to. It does not matter that there is no
mention of resource groups.
N - sku is not a parameter
upvoted 5 times

  CyberKelev 3 months, 2 weeks ago

Yes, no, yes
upvoted 1 times

  ChakaZilly 3 months, 3 weeks ago

Second box, Yes: if question is read as: "LB1 can be deployed only to a resource group that contains a VNET named VNET1" because ARM-
templates requires a VNET named VNET1.
upvoted 2 times

  zellck 4 months ago

NNN is the answer.

https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/variables
https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/parameters
upvoted 3 times

  zellck 4 months ago

1. subnet name is "APP1".
2. no RG defined.
3. sku is a variable and fixed as "Standard" already.
upvoted 1 times

  Mo22 4 months, 1 week ago

No;No;Yes
upvoted 2 times

  DanSuaricius 5 months ago

Answer are: NO NO NO
Box 1: No - The name of the subnet indicated in the template is APP1
Box 2: No - No reference about the Resource Group
Box 3: No - The label "Parameters" is empty so there are no parameter defined for this template.
upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 587/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #112 Topic 5

You have an Azure subscription that contains a storage account. The account stores website data.

You need to ensure that inbound user traffic uses the Microsoft point-of-presence (POP) closest to the user's location.

What should you configure?

A. private endpoints

B. Azure Firewall rules

C. Routing preference

D. load balancing

Correct Answer: C

Community vote distribution

C (91%) 9%

  Muffay Highly Voted  5 months, 1 week ago

Selected Answer: C
C is correct.
https://learn.microsoft.com/en-us/azure/storage/common/network-routing-preference#microsoft-global-network-versus-internet-routing
upvoted 14 times

  FabrityDev 5 months, 1 week ago

I agree, the source provided justifies this choice in my opinion.
upvoted 2 times

  banton442 Most Recent  2 months, 1 week ago

Selected Answer: C
The correct option to configure for ensuring inbound user traffic uses the Microsoft point-of-presence (POP) closest to the user's location is option
C, Routing preference.

Routing preference in Azure Traffic Manager allows you to specify how to route traffic to your Azure service endpoints based on various criteria,
such as the geographic location of the client or the endpoint, the performance of the endpoint, or the priority of the endpoint.

By configuring routing preference, you can direct incoming user traffic to the Microsoft point-of-presence (POP) closest to the user's location,
ensuring the best possible user experience. This can be achieved by selecting the "Performance" routing method in Azure Traffic Manager, which
uses DNS-based traffic routing to direct users to the endpoint that offers the best performance from the user's location.
upvoted 2 times

  djgodzilla 3 months, 2 weeks ago

https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/routing-preference-overview
upvoted 1 times

  djgodzilla 3 months, 2 weeks ago

C obviously.
upvoted 2 times

  zellck 4 months ago

Selected Answer: C
C is the answer.

https://learn.microsoft.com/en-us/azure/storage/common/network-routing-preference#microsoft-global-network-versus-internet-routing
By default, clients outside of the Azure environment access your storage account over the Microsoft global network. The Microsoft global network
is optimized for low-latency path selection to deliver premium network performance with high reliability. Both inbound and outbound traffic are
routed through the point of presence (POP) that is closest to the client. This default routing configuration ensures that traffic to and from your
storage account traverses over the Microsoft global network for the bulk of its path, maximizing network performance.
upvoted 2 times

  er101q 4 months, 1 week ago

D. load balancing.

To ensure that inbound user traffic uses the Microsoft point-of-presence (POP) closest to the user's location, you should configure load balancing.
Azure Traffic Manager provides global load balancing for the endpoint for the storage account, routing traffic to the closest Microsoft POP based
on the lowest latency.
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 588/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  DeBoer 4 months, 1 week ago

you're right in that an LB will use the closest POP. But: you can't put a storage account behind a LB (okay, you can, if you use the SA as a static
website, but that's pretty out of scope here, I think - and you'd better use CDN for that anyways)
upvoted 1 times

  FabrityDev 5 months, 1 week ago

Selected Answer: C
The article linked by Muffray explains it well enough why it should be C.
upvoted 3 times

  Ashfaque_9x 5 months, 1 week ago

Selected Answer: A
A. Private endpoints
https://intellipaat.com/blog/how-to-use-azure-cdn/#no5
upvoted 1 times

  khaled_razouk 5 months, 1 week ago

Selected Answer: A
A. private endpoints
To ensure that inbound user traffic uses the Microsoft point-of-presence (POP) closest to the user's location, you should configure Azure Traffic
Manager for your storage account
Routing preference is not a valid option for ensuring that inbound user traffic uses the Microsoft point-of-presence (POP) closest to the user's
location.
upvoted 1 times

  FabrityDev 5 months, 1 week ago

I don't agree. Private endpoints are used to limit exposure to to public internet. If you check
https://learn.microsoft.com/en-us/azure/storage/common/storage-private-endpoints
you will see that POP is not mentioned anywhere in the article. On the other hand, network routing preference is related directly to POP used.
upvoted 1 times

  Muffay 5 months, 1 week ago

Can you provide a source for that statement?
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 589/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #113 Topic 5

You have two Azure virtual machines named VM1 and VM2 that run Windows Server. The virtual machines are in a subnet named Subnet1.
Subnet1 is in a virtual network named VNet1.

You need to prevent VM1 from accessing VM2 on port 3389.

What should you do?

A. Create a network security group (NSG) that has an outbound security rule to deny destination port 3389 and apply the NSG to the network
interface of VM1.

B. Configure Azure Bastion in VNet1.

C. Create a network security group (NSG) that has an outbound security rule to deny source port 3389 and apply the NSG to Subnet1.

D. Create a network security group (NSG) that has an inbound security rule to deny source port 3389 and apply the NSG to Subnet1.

Correct Answer: A

Community vote distribution

A (88%) 13%

  AK4U Highly Voted  3 months, 1 week ago

Answer is correct. However, it will prevent VM1 from connecting to any machine using 3389, not just VM2
upvoted 6 times

  Rams_84zO6n 2 months, 2 weeks ago

The rule could be further tightened by specifying both source and destination in the rule. That would address your concern.
upvoted 1 times

  CyberKelev Most Recent  3 months, 2 weeks ago

Selected Answer: D
D. Create a network security group (NSG) that has an inbound security rule to deny source port 3389 and apply the NSG to Subnet1.
upvoted 1 times

  Elm2021 2 weeks, 1 day ago

I thought the same but it is just that, with D, Both Devices (VM1 And VM2) will be restricted to access the same Port.
upvoted 1 times

  mdwSysOps 3 months, 3 weeks ago

Correct Answer is A, however it will prevent VM1 from connecting using RDP not only to VM2 but to any other VM created...to my understanding is
a poorly designed rule, but it will work.
upvoted 1 times

  djgodzilla 3 months, 2 weeks ago

which is crazy . what are they tying to teach people. "How to lock yourself up"?
upvoted 2 times

  GBAU 4 months ago

A: The rule works although it will prevent VM1 from connecting to anything on 3389 they way it is described in the question (no limit to the
destination IP detailed).

Configuring a Bastion will do nothing to prevent VM1 from accessing VM2 in anyway.

C & D are wrong as they are SOURCE port Deny not destination port Deny.
A connection to remote port of 3389 is not going to be from a source port of 3389 (especially if RDP is already listening on these VMs as that port
will be unavailable as a source port), it could be any port in 1024-65535.
upvoted 4 times

  zellck 4 months ago

Selected Answer: A
A is the answer.
upvoted 1 times

  zellck 4 months ago

We need to deny destination port 3389, not source port 3389, hence A.
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 590/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  AndreaStack 4 months ago

Selected Answer: A
Correct Answer: A
A. Create a network security group (NSG) that has an outbound security rule to deny destination port 3389 and apply the NSG to the network
interface of VM1.

By creating an outbound security rule in a network security group (NSG) to deny destination port 3389, you can prevent VM1 from accessing port
3389 on VM2. By applying the NSG to the network interface of VM1, you can enforce the security rule specifically for VM1.

This solution provides a centralized way to manage and enforce network security for VM1, and it helps to prevent unwanted access to port 3389 on
VM2 from VM1.

***If it was D. "Create a network security group (NSG) that has an inbound security rule to deny source port 3389 and apply the NSG to Subnet1"
you could prevent access to port 3389 on VM2 from ANY SOURCE (including VM1). By applying the NSG to Subnet1, you can apply the security
rule to both VM1 and VM2.
The question asked "to prevent VM1 from accessing VM2 on port 3389", not from any source.
upvoted 1 times

  AndreaStack 4 months ago

Anyway, missing the "least privilege" requirement, both two answers (A&D) could be good.
But I choose A, for above explained reason!
upvoted 1 times

  zellck 4 months ago

D is not an answer because it is referring to source port 3389, not destination port 3389.
upvoted 1 times

  Kimoz 4 months, 1 week ago

A is correct , if you appied NSG on the inbound ov VM2 no other vms will access it also as well , and here in the question he mentioned that you
want to prevent VM1 means the action should be taken in VM1
upvoted 2 times

  er101q 4 months, 1 week ago

D. Create a network security group (NSG) that has an inbound security rule to deny source port 3389 and apply the NSG to Subnet1.

To prevent VM1 from accessing VM2 on port 3389, you need to create an NSG with an inbound security rule that denies traffic from the source
port 3389. Then you need to apply the NSG to Subnet1, which will block the traffic to all the virtual machines in the subnet.
upvoted 1 times

  FabrityDev 5 months, 1 week ago

Selected Answer: A
A is correct. It will prevent connections from VM1 on port 3389 to any destination, including the other VM. Question does not say that VM1 should
be able to access other VMs on this port so it's fine to block all outgoing connections.
upvoted 4 times

  Ashfaque_9x 5 months, 1 week ago

Selected Answer: A
A. Create a network security group (NSG) that has an outbound security rule to deny destination port 3389 and apply the NSG to the network
interface of VM1.
upvoted 1 times

  azhunter 5 months, 1 week ago

Correct answer A
upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 591/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #114 Topic 5

You have an Azure subscription that contains the resources shown in the following table.

You need to manage outbound traffic from VNET1 by using Firewall1.

What should you do first?

A. Configure the Hybrid Connection Manager.

B. Upgrade ASP1 to the Premium SKU.

C. Create a route table.

D. Create an Azure Network Watcher.

Correct Answer: C

Community vote distribution

C (100%)

  fatihaxi Highly Voted  5 months, 1 week ago

Route all traffic to the firewall
When you create a virtual network, Azure automatically creates a default route table for each of its subnets and adds system default routes to the
table. In this step, you create a user-defined route table that routes all traffic to the firewall, and then associate it with the App Service subnet in the
integrated virtual network.
Section3 in document.
https://learn.microsoft.com/en-us/azure/app-service/network-secure-outbound-traffic-azure-firewall
upvoted 21 times

  DeBoer 4 months, 1 week ago

I have to (reluctantly) agree; normally I'd say RTs are for IaaS resources only and ASPs are a PaaS resource. However - all other answers make
even less sense. IF we assume that the ASP has VNet integration and the switch to send all traffic across the VNet has been toggled then yes, a
RT would work to force the traffic to the AF.
upvoted 1 times

  FabrityDev 5 months, 1 week ago

Agree with that
upvoted 1 times

  zellck Most Recent  4 months ago

Selected Answer: C
C is the answer.

https://learn.microsoft.com/en-us/azure/app-service/network-secure-outbound-traffic-azure-firewall#3-route-all-traffic-to-the-firewall
When you create a virtual network, Azure automatically creates a default route table for each of its subnets and adds system default routes to the
table. In this step, you create a user-defined route table that routes all traffic to the firewall, and then associate it with the App Service subnet in the
integrated virtual network.
upvoted 3 times

  er101q 4 months, 1 week ago

A. Configure the Hybrid Connection Manager.

Before you can manage outbound traffic from VNET1 using Firewall1, you need to have the Hybrid Connection Manager configured. The Hybrid
Connection Manager is required for Firewall1 to function as an outbound-only firewall. Once the Hybrid Connection Manager is configured, you
can manage outbound traffic from VNET1 using Firewall1.
upvoted 1 times

  GBAU 4 months ago

No mention of Firewall to function as an outbound-only firewall.
No mention of needing to ensure App1 goes through the firewall (App1 is a red herring)

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 592/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

The ONLY thing you need to do is "manage outbound traffic from VNET1 by using Firewall1"

Hence C: Create a route table.

upvoted 2 times
  KingChuang 5 months, 1 week ago
Selected Answer: C
C. Create a route table.

Step 3. Route all traffic to the firewall

https://learn.microsoft.com/en-us/azure/app-service/network-secure-outbound-traffic-azure-firewall
upvoted 1 times

  FabrityDev 5 months, 1 week ago

Selected Answer: C
As described by fatihaxi and the source
https://learn.microsoft.com/en-us/azure/app-service/overview-vnet-integration
it is the route table creation
upvoted 1 times

  Ashfaque_9x 5 months, 1 week ago

Selected Answer: C
C. Create a route table.
upvoted 1 times

  sss123412 5 months, 1 week ago

Correct answer B.

Outbound traffic management using Azure Firewall is only available for App Service apps or function apps that are hosted on an App Service plan
in the Premium SKU
upvoted 1 times

  GBAU 4 months ago

The question is not asking how to get APP1 to connect through the firewall, its asking how to get VNET1 to connect through the Firewall (so
you can manage its traffic). APP1 is a red herring in this question.
upvoted 1 times

  FabrityDev 5 months, 1 week ago

Where did you get that information from? I looked into
https://learn.microsoft.com/en-us/azure/app-service/overview-vnet-integration
as well as source provided by fatihaxi and didn't find such information. On the other hand, creating a route table is explicitly described.
upvoted 1 times

  Bigc0ck 5 months, 1 week ago

Definitly on the test and I answered it wrong lmao
upvoted 1 times

  FabrityDev 5 months, 1 week ago

No one asked. If you want to comment then give some details. Which answer did you pick? Which answer is correct in your opinion?
upvoted 1 times

  Onobhas01 5 months ago

Dude mind your business. Though you don't care, some people actually care if a question has been in the exams recently.
upvoted 2 times

  RougePotatoe 4 months ago

Spend more time learning less time worrying about which questions are going to be on the test ROFL.
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 593/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #115 Topic 5

You have an Azure subscription that contains the resources shown in the following table.

All the resources connect to a virtual network named VNet1.

You plan to deploy an Azure Bastion host named Bastion1 to VNet1.

Which resources can be protected by using Bastion1?

A. VM1 only

B. contoso.com only

C. App1 and contoso.com only

D. VM1 and contoso.com only

E. VM1, App1, and contoso.com

Correct Answer: A

Community vote distribution

A (95%) 5%

  martin_k1 Highly Voted  1 month, 3 weeks ago

Be aware when checking CyberKelev comments - I think he is a troll as most of the time he posts wrong answers. Always verify with other
comments
upvoted 15 times

  zellck Highly Voted  4 months ago

Selected Answer: A
A is the answer.

https://learn.microsoft.com/en-us/azure/bastion/bastion-overview
Azure Bastion is a service you deploy that lets you connect to a virtual machine using your browser and the Azure portal, or via the native SSH or
RDP client already installed on your local computer. The Azure Bastion service is a fully platform-managed PaaS service that you provision inside
your virtual network. It provides secure and seamless RDP/SSH connectivity to your virtual machines directly from the Azure portal over TLS. When
you connect via Azure Bastion, your virtual machines don't need a public IP address, agent, or special client software.
upvoted 9 times

  CyberKelev Most Recent  3 months, 2 weeks ago

Selected Answer: E
E. VM1, App1, and contoso.com can all be protected by using Bastion1.
upvoted 1 times

  AndreaStack 4 months ago

Selected Answer: A
Bastion provides secure RDP and SSH connectivity to all of the VMs in the virtual network in which it is provisioned.
Using Azure Bastion protects your virtual machines from exposing RDP/SSH ports to the out-side world, while still providing secure access using
RDP/SSH.

"Protection against port scanning : Your VMs are protected against port scanning by rogue and malicious users because you don't need to expose
the VMs to the internet."

https://learn.microsoft.com/en-us/azure/bastion/bastion-overview
upvoted 1 times

  Notteb 4 months, 1 week ago

Selected Answer: A
Bastion provides secure RDP and SSH connectivity to all of the VMs in the virtual network in which it is provisioned. Using Azure Bastion protects
your virtual machines from exposing RDP/SSH ports to the outside world, while still providing secure access using RDP/SSH.
upvoted 3 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 594/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  er101q 4 months, 1 week ago

E. VM1, App1, and contoso.com.

Azure Bastion is a fully managed PaaS service that provides secure and seamless RDP/SSH connectivity to the virtual machines within a virtual
network. By deploying Bastion1 to VNet1, you can protect the access to all the resources connected to the virtual network, including VM1, App1,
and contoso.com. Bastion1 provides a secure and streamlined way to access the virtual machines within VNet1 without the need to configure a
public IP address or a VPN.
upvoted 1 times

  GBAU 4 months ago

Bastion only connects to RDP and SSH in the back end. Neither a WebApp and a AD DS listen on 3389 or 22 (i.e. provide no services on these
ports) so Bastion can't even connect to them, let alone protect them.

Bastions protect VMs by allowing you to connect to them to manage them in a more secure way (i.e. RDP to Windows and SSH to Linux)
upvoted 3 times

  pramodk78 4 months, 4 weeks ago

Selected Answer: A
correct answer A -- https://learn.microsoft.com/en-us/azure/bastion/bastion-overview
upvoted 5 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 595/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #116 Topic 5

You have five Azure virtual machines that run Windows Server 2016. The virtual machines are configured as web servers.

You have an Azure load balancer named LB1 that provides load balancing services for the virtual machines.

You need to ensure that visitors are serviced by the same web server for each request.

What should you configure?

A. Session persistence to None

B. a health probe

C. Session persistence to Client IP and protocol

D. Idle Time-out (minutes) to 20

Correct Answer: C

Community vote distribution

C (100%)

  Mugamed Highly Voted  4 months, 3 weeks ago

Selected Answer: C
For the hundredth time, it's ,C.
upvoted 17 times

  curtmcgirt Highly Voted  3 months, 3 weeks ago

i hope i get this question on the exam half as often as it appears here.
upvoted 8 times

  Pakawat 1 day, 20 hours ago

i hope so
upvoted 1 times

  zellck Most Recent  4 months ago

Selected Answer: C
C is the answer.

  Gardener01 4 months, 4 weeks ago

Correct - Answer C
upvoted 4 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 596/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #117 Topic 5

You have five Azure virtual machines that run Windows Server 2016. The virtual machines are configured as web servers.

You have an Azure load balancer named LB1 that provides load balancing services for the virtual machines.

You need to ensure that visitors are serviced by the same web server for each request.

What should you configure?

A. a health probe

B. Floating IP (direct server return) to Enabled

C. Session persistence to Client IP and protocol

D. Protocol to UDP

Correct Answer: C

  amar_dhillon Highly Voted  3 months, 3 weeks ago

lol, everyone is so fed up seeing this question again and again that no one commented on this one. This is the comment no one will read,
hopefully, 😂
upvoted 26 times

  brucespr 1 month, 3 weeks ago

Sorry you failed ... I read it :D
upvoted 1 times

  curtmcgirt 3 months, 3 weeks ago

they keep adding more new copies of it.
upvoted 2 times

  Jared144 Highly Voted  3 months, 2 weeks ago

I love seeing this one, one less question to learn out of the 43,356 questions we have to get through
upvoted 8 times

  obaali1990 3 months ago

The az-104 exams itself is repetition of questions and so this is normal
upvoted 1 times

  lulzsec2019 Most Recent  1 week, 1 day ago

Kagebunshin no jutsu!
upvoted 1 times

  SimoneP 1 month, 2 weeks ago

i hope I will find the same occurrences of this question during my exam
upvoted 2 times

  Rachy 1 month, 3 weeks ago

This question is always a breeze :)
upvoted 1 times

  brucespr 1 month, 3 weeks ago

Hope to get this question 7 times on my exam 😂
upvoted 1 times

  zone9gardening 2 months ago

You know what!! I will vote B this time.
upvoted 1 times

  Naebun 2 weeks, 2 days ago

hhahaha
upvoted 1 times

  AK4U 3 months, 1 week ago

This better be on the exam
upvoted 4 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 597/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  vg123 3 months, 2 weeks ago

this makes me happy in the tiring revision
upvoted 4 times

  Paul_white 3 months, 2 weeks ago

C IS THE CORRECT ANSWER!!!!
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 598/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #118 Topic 5

You have an Azure subscription that contains 10 virtual machines and the resources shown in the following table.

You need to ensure that Bastion1 can support 100 concurrent SSH users. The solution must minimize administrative effort.

What should you do first?

A. Resize the subnet of Bastion1

B. Configure host scaling.

C. Create a network security group (NSG)

D. Upgrade Bastion1 to the Standard SKU

Correct Answer: D

Community vote distribution

D (72%) A (28%)

  zellck Highly Voted  4 months ago

Selected Answer: D
D is the answer.

https://learn.microsoft.com/en-us/azure/bastion/configuration-settings#instance
When you configure Azure Bastion using the Basic SKU, two instances are created. If you use the Standard SKU, you can specify the number of
instances. This is called host scaling.

Each instance can support 20 concurrent RDP connections and 40 concurrent SSH connections for medium workloads. Once the concurrent
sessions are exceeded, an additional scale unit (instance) is required.
upvoted 9 times

  GBAU 4 months ago

Agreed, going by that page, a Basic Bastion can only support up to 80 concurrent SSH connections as it is deployed with 2 instances/scale units
and you can't add more to a Basic SKU).
upvoted 2 times

  alexander_890512 Most Recent  1 week, 3 days ago

Answer: D

Basic SKU: 2 instances (50 connections at most)

Standart SKU: you can specify the number of instances between 2-50 (25 connections by instance at most).

https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/azure-subscription-service-limits#azure-bastion-limits
upvoted 2 times

  gshzwi 1 week, 5 days ago

i think subnet can`t be resize? need to re-create the Bastion to others larger subnet?
upvoted 1 times

  SIAMIANJI 3 weeks, 2 days ago

Selected Answer: A
/26 just support 64ip. We need 100 concurrent connections.
upvoted 1 times

  _fkucuk 1 month, 1 week ago

Selected Answer: D
D. Upgrade Bastion1 to the Standard SKU.

To support 100 concurrent SSH users, you need to upgrade the Basic SKU Azure Bastion to the Standard SKU. The Basic SKU only supports 10
concurrent SSH users, while the Standard SKU supports up to 100 concurrent SSH users.

Resizing the subnet of Bastion1 or creating an NSG would not directly address the need to support more concurrent SSH users, and host scaling is
not applicable in this scenario.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 599/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 1 times
  CyberKelev 3 months, 2 weeks ago
Selected Answer: A
/26 just support 64ip. We need 100
upvoted 4 times

  elior19940 4 months ago

is it new question?
upvoted 3 times

  yousseftn 4 months, 1 week ago

Selected Answer: D
In general when you deploy the Azure Bastion Basic SKU Microsoft deploys two instances which supports 20-24 concurrent sessions which means
each instance support 10-12 sessions.

https://reimling.eu/2021/07/azure-bastion-supports-scalability-for-ssh-rdp-connections-with-the-new-standard-sku/
upvoted 3 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 600/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #119 Topic 5

You have five Azure virtual machines that run Windows Server 2016. The virtual machines are configured as web servers.

You have an Azure load balancer named LB1 that provides load balancing services for the virtual machines.

You need to ensure that visitors are serviced by the same web server for each request.

What should you configure?

A. Session persistence to Client IP and protocol

B. Protocol to UDP

C. Session persistence to None

D. Floating IP (direct server return) to Disabled

Correct Answer: A

  Jared144 Highly Voted  3 months, 2 weeks ago

I'm never going to remember this one :(
upvoted 12 times

  ivan0590 4 weeks, 1 day ago

Hahaha, I see where you are going :)
upvoted 1 times

  StevieTests Highly Voted  3 months, 3 weeks ago

this is a joke at this point
upvoted 8 times

  curtmcgirt 3 months, 3 weeks ago

they keep adding more new copies of it
upvoted 3 times

  NJTH Most Recent  2 months, 1 week ago

Well, it was on todays exam, and I'm pretty sure I got it right ;-)
upvoted 3 times

  puyas 3 months ago

Guys I think a question about Session persistence to Client IP and protocol might be in the exam
upvoted 5 times

  ruqing888 2 months, 3 weeks ago

it better be in the exam
upvoted 3 times

  Andreew883 3 months, 1 week ago

The response is A.
upvoted 1 times

  joykdutta 3 months, 3 weeks ago

Same question 10 times
upvoted 3 times

  studysmart 3 months, 3 weeks ago

You again....
Give a thumb up if you're curious on what has been discussed on this question.
upvoted 5 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 601/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #120 Topic 5

DRAG DROP
-

You have a Windows 11 device named Device and an Azure subscription that contains the resources shown in the following table.

Device1 has Azure PowerShell and Azure Command-Line Interface (CLI) installed.

From Device1, you need to establish a Remote Desktop connection to VM1.

Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and
arrange them in the correct order.

Correct Answer:

  bsaksham Highly Voted  2 months, 3 weeks ago

Correct Answer!
Nobrainer :)
Just learn from ET, no need for another study material. I passed the exam yesterday with 930 out of 1000. Best of luck guys
upvoted 9 times

  voraciousreader 2 months, 2 weeks ago

is that true, does most the questions came from ET?
upvoted 1 times

  lombri Highly Voted  3 months ago

Navigate to the Configuration page for your Bastion resource. Verify that the SKU Tier is Standard. If it isn't, select Standard.

Select the box for Native Client Support, then apply your changes.

To connect via RDP, use the following command (az network bastion rdp --name "<BastionName>" --resource-group "<ResourceGroupName>" --
target-resource-id "<VMResourceId>")

https://learn.microsoft.com/en-us/azure/bastion/connect-native-client-windows
upvoted 6 times

  garmatey Most Recent  1 month, 2 weeks ago

Why does it need to be standard?

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 602/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 2 times

  SimoneP 1 month ago

https://learn.microsoft.com/en-us/azure/bastion/connect-native-client-windows
This configuration requires the Standard SKU tier for Azure Bastion.
upvoted 2 times

  djgodzilla 2 months, 2 weeks ago

*) Select native client support
The native client feature lets you connect to your target VMs via Bastion using Azure CLI, and expands your sign-in options to include local SSH key
pair and Azure Active Directory (Azure AD). Additionally with this feature, you can now also upload or download files, depending on the connection
type and client.

https://learn.microsoft.com/en-us/azure/bastion/connect-native-client-windows

3) From Azure CLI on device1 run: az network bastion rdp

https://learn.microsoft.com/en-us/cli/azure/network/bastion?view=azure-cli-latest#az-network-bastion-rdp
upvoted 1 times

  pramodk78 3 months ago

Answer seems ok as per link https://learn.microsoft.com/en-us/azure/bastion/connect-native-client-windows
upvoted 6 times

  Kimoz 3 months ago

new question :(
upvoted 3 times

  voraciousreader 3 months ago

Will we get questions exactly from ET? does ET alone is enough to clear the exam? please guide.
upvoted 3 times

  KingChuang 1 month, 3 weeks ago

ET enough~
Passed. Score 9xx
upvoted 2 times

  obaali1990 2 months, 3 weeks ago

Nope, learn MS Learn in addition and Youtube. But it all depends on you. Follow the discussions too
upvoted 1 times

  voraciousreader 3 months ago

yay, first comment
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 603/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #121 Topic 5

You have five Azure virtual machines that run Windows Server 2016. The virtual machines are configured as web servers.

You have an Azure load balancer named LB1 that provides load balancing services for the virtual machines.

You need to ensure that visitors are serviced by the same web server for each request.

What should you configure?

A. Floating IP (direct server return) to Enabled

B. Session persistence to Client IP

C. Protocol to UDP

D. Idle Time-out (minutes) to 20

Correct Answer: B

  bec123123 Highly Voted  2 months, 3 weeks ago

I'm just mad now
upvoted 10 times

  ivan0590 Highly Voted  4 weeks, 1 day ago

If I continue to see this question, I'm pretty sure I will have a nightmare in which someone kills me while continuously screaming "Session
persistence to Client IP!"
upvoted 5 times

  Chris2603 6 days, 19 hours ago

at least we all know the answer now lol
upvoted 1 times

  Pakawat Most Recent  1 day, 20 hours ago

again and again
upvoted 2 times

  joykdutta 1 month, 1 week ago

It is the way or trick to increase the total number of questions
upvoted 1 times

  Madbo 2 months ago

The correct option is B. Session persistence to Client IP.
To ensure that visitors are serviced by the same web server for each request, we need to configure session persistence on the Azure load balancer.
Session persistence is also known as affinity, and it ensures that all requests from a client are sent to the same backend server. This is important for
applications that maintain session state, such as web applications that require authentication or shopping carts.
upvoted 3 times

  ozlaoliu 3 months ago

I don't understand what is the point to add this question again since it has already appeared more than 10 times.
upvoted 4 times

  obaali1990 3 months ago

Take it easy, that is the beauty of the game. Life itself is full of repetition. Repetition makes life easier and enjoyable.
upvoted 8 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 604/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #122 Topic 5

You have an Azure subscription that has the public IP addresses shown in the following table.

You plan to deploy an Azure Bastion Basic SKU host named Bastion1.

Which IP addresses can you use?

A. IP1 only

B. IP1 and IP2 only

C. IP3, IP4, and IP5 only

D. IP1, IP2, IP4, and IP5 only

E. IP1, IP2, IP3, IP4, and IP5

Correct Answer: B

Community vote distribution

B (100%)

  jupi17 Highly Voted  1 month, 1 week ago

The answer is correct: B
Azure Bastion supports standard SKU public IP addresses:
https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/configure-public-ip-bastion
upvoted 6 times

  xRiot007 1 week ago

From your link : "Public IP addresses are available in two SKUs; standard, and basic. The selection of SKU determines the features of the IP
address. The SKU determines the resources that the IP address can be associated with." - Can a BASIC Bastion support STANDARD IPs ?
upvoted 1 times

  lulzsec2019 Most Recent  1 week, 1 day ago

It mentioned in the question as "Azure Bastion Basic SKU", why not choose ip3?
upvoted 1 times

  jwu2023 1 month ago

https://learn.microsoft.com/en-us/azure/bastion/configuration-settings
Azure Bastion requires a Public IP address. The Public IP must have the following: configuration:
The Public IP address SKU must be Standard.
The Public IP address assignment/allocation method must be Static.
upvoted 2 times

  SimoneP 1 month ago

Selected Answer: B
https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/configure-public-ip-bastion
Azure Bastion supports standard SKU public IP addresses.
upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 605/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #123 Topic 5

You have five Azure virtual machines that run Windows Server 2016. The virtual machines are configured as web servers.

You have an Azure load balancer named LB1 that provides load balancing services for the virtual machines.

You need to ensure that visitors are serviced by the same web server for each request.

What should you configure?

A. Floating IP (direct server return) to Disabled

B. Floating IP (direct server return) to Enabled

C. a health probe

D. Session persistence to Client IP

Correct Answer: D

  lulzsec2019 1 week, 1 day ago

wow new question! :P
upvoted 2 times

  johan13 1 month, 1 week ago

I bet this is not the last time I see this question before I reach the end :)
upvoted 4 times

  ivan0590 4 weeks, 1 day ago

If I were to bet against you, I would probably lose with a 99.99% chance...
upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 606/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #124 Topic 5

You have five Azure virtual machines that run Windows Server 2016. The virtual machines are configured as web servers.

You have an Azure load balancer named LB1 that provides load balancing services for the virtual machines.

You need to ensure that visitors are serviced by the same web server for each request.

What should you configure?

A. Floating IP (direct server return) to Enabled

B. Idle Time-out (minutes) to 20

C. a health probe

D. Session persistence to Client IP

Correct Answer: D

Community vote distribution

D (100%)

  johan13 Highly Voted  1 month, 1 week ago

Haha like I said in the previous question's comment ;)
upvoted 6 times

  ivan0590 4 weeks, 1 day ago

LOL!
In the previous question, I replied to you that if I were to bet against you, I would lose. I said that without knowing that this was the next
question.
Sadly, I was right...
upvoted 4 times

  lulzsec2019 Most Recent  1 week, 1 day ago

Wow another new question! ;P
upvoted 1 times

  kengy 1 week, 6 days ago

Selected Answer: D
Pehaps the right answer - Session persistence to Client IP
But I'm not 100% sure :) LOL
upvoted 1 times

  Naebun 2 weeks, 2 days ago

HAHAHAHAHAH
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 607/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #125 Topic 5

You have two Azure subscriptions named Sub1 and Sub2.

Sub1 contains a virtual machine named VM1 and a storage account named storage1.

VM1 is associated to the resources shown in the following table.

You need to move VM1 to Sub2.

Which resources should you move to Sub2?

A. VM1, Disk1, and NetInt1 only

B. VM1, Disk1, and VNet1 only

C. VM1, Disk1, and storage1 only

D. VM1, Disk1, NetInt1, and VNet1

Correct Answer: D

Community vote distribution

D (100%)

  _fkucuk Highly Voted  1 month, 1 week ago

Selected Answer: D
When you move a virtual machine from one subscription to another, you need to ensure that all the dependent resources are also moved along
with it.

In the given scenario, VM1 is associated with the resources Disk1 (OS Disk), NetInt1 (Network Interface), and VNet1 (Virtual Network), and the
storage account named storage1 is not associated with VM1.

Therefore, to move VM1 to Sub2, you need to move the following resources:

VM1: This is the virtual machine that you want to move to Sub2.
Disk1: This is the OS disk for VM1, and it contains the operating system and boot files.
NetInt1: This is the network interface that is attached to VM1 and provides connectivity to the virtual network.
VNet1: This is the virtual network that is associated with VM1, and it provides the network connectivity to the virtual machine.
upvoted 6 times

  chiquito Most Recent  1 week, 4 days ago

Provided answer D is correct.
We should move VM1, Disk1, NetInt1, and VNet1 to sub2. The only resource that could cause an issue was NetInt1 if it was associated to a Public IP
Standard sku address.

There is a limitation with moving Public IPs between subscriptions:

Public IPs with Basic SKU could be moved between subscriptions

Public IPs with Standard SKU can't be moved between subscriptions
You will need to Disassociate it first.
As there is no such info in the question, all the resources can be moved to sub2.
Ref: https://learn.microsoft.com/en-us/answers/questions/559276/move-virtual-machines-to-a-new-subscription-within
upvoted 1 times

  SIAMIANJI 1 month, 1 week ago

Selected Answer: D
D is correct.
upvoted 3 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 608/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Topic 6 - Question Set 6

Question #1 Topic 6

You have an Azure subscription that has a Recovery Services vault named Vault1. The subscription contains the virtual machines shown in the
following table:

You plan to schedule backups to occur every night at 23:00.

Which virtual machines can you back up by using Azure Backup?

A. VM1 and VM3 only

B. VM1, VM2, VM3 and VM4

C. VM1 and VM2 only

D. VM1 only

Correct Answer: B
Azure Backup supports backup of 64-bit Windows server operating system from Windows Server 2008.
Azure Backup supports backup of 64-bit Windows 10 operating system.
Azure Backup supports backup of 64-bit Ubuntu Server operating system from Ubuntu 12.04.
Azure Backup supports backup of VM that are shutdown or offline.
Reference:
https://docs.microsoft.com/en-us/azure/backup/backup-support-matrix-iaas https://docs.microsoft.com/en-us/azure/virtual-
machines/linux/endorsed-distros

Community vote distribution

B (100%)

  mlantonis Highly Voted  2 years ago

Correct Answer: B

Azure Backup supports backup of 64-bit Windows server operating system from Windows Server 2008.
Azure Backup supports backup of 64-bit Windows 10 operating system.
Azure Backup supports backup of 64-bit Ubuntu Server operating system from Ubuntu 12.04.
Azure Backup supports backup of VM that are shutdown or offline.

The Backup service installs the backup extension whether or not the VM is running.
upvoted 87 times

  laszeklsz 7 months, 1 week ago

good to see you, old friend
upvoted 13 times

  fedztedz Highly Voted  2 years, 5 months ago

Answer is Correct. "B". Backup is supported for the whole VM for all the OS types mentioned. Also, backup operation can be done while VM is
offline or shutdown
upvoted 67 times

  Madbo Most Recent  2 months ago

Azure Backup can back up the following operating systems:

Windows Server
Windows client operating systems (Windows 7 and later)
Linux

Based on this, you can back up VM1, VM2, and VM4 using Azure Backup, as they are running Windows Server 2012 R2, Windows Server 2016, and
Windows 10 (a Windows client operating system) respectively. VM3 cannot be backed up using Azure Backup as it is running Ubuntu Server.

Therefore, the answer is B. VM1, VM2, VM4, and VM3.

upvoted 1 times
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 609/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  CyberKelev 3 months, 2 weeks ago

Selected Answer: B
According to Microsoft's official documentation on Azure Backup, the supported operating systems for VM backup using Azure Backup are:

Windows Server 2019, 2016, 2012 R2, and 2012

Windows Server Essentials
Windows 10 (64-bit)
Ubuntu 20.04 LTS, 18.04 LTS, and 16.04 LTS
Based on this information, we can conclude that the answer is B. VM1, VM2, VM3, and VM4 can all be backed up using Azure Backup.
upvoted 1 times

  AndreaStack 4 months ago

Selected Answer: B
B.
All OSs are supported.
Shutdown or not, VMs can still be backed up.

You don’t have to stop your virtual machines (VMs) in order to backup them in Azure. You can backup your VMs while they are running or while
they are in a deallocated state.

However, No, you cannot delete a virtual machine (VM) while it is being backed up. The backup process requires the virtual machine to be available
and running so that the backup data can be captured. If you try to delete a VM while it is being backed up, the deletion process will be blocked
until the backup is complete.
upvoted 1 times

  er101q 4 months, 1 week ago

B. VM1, VM2, VM3, and VM4.

Azure Backup can be used to back up Windows and Linux virtual machines that are running in Azure. All four virtual machines in the table, VM1,
VM2, VM3, and VM4, are Azure virtual machines, which means they can be backed up by using Azure Backup. You can schedule backups to occur
at a specific time every day, including 23:00, by using the Recovery Services vault, Vault1.
upvoted 1 times

  klexams 7 months, 2 weeks ago

B. VM1, VM2, VM3 and VM4
All OSes listed are supported. shutdown or not, VMs can still be backed up.
upvoted 2 times

  EmnCours 9 months, 2 weeks ago

Selected Answer: B
Correct B
upvoted 1 times

  Lazylinux 11 months, 4 weeks ago

Selected Answer: B
I luv Honey Because it is B
Here is Summary:

**Azure Backup supports backup of 64-bit Windows server operating system from Windows Server 2008.

**Azure Backup supports backup of 64-bit Windows 10 operating system.

**Azure Backup supports backup of 64-bit Debian operating system from Debian 7.9+.

**Azure Backup supports backup of VM that are shutdown or offline or online

upvoted 3 times

  benvdw 1 year, 3 months ago

on exam 13/3/2022
upvoted 3 times

  stormshaun 1 year, 3 months ago

Selected Answer: B
You can back all types of OSes and even those that are shutdown.
upvoted 2 times

  Fusionaddware 1 year, 3 months ago

Selected Answer: B
Correct B
upvoted 1 times

  Netspud 1 year, 4 months ago

Selected Answer: B
I agree, all of them
upvoted 1 times
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 610/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  hosseny 1 year, 10 months ago

Azure Backup supports backup of VM that are shutdown or offline.
upvoted 3 times

  wsscool 1 year, 11 months ago

in exam 7/3/2021
upvoted 5 times

  Devgela 2 years, 1 month ago

This is a logical problem.
upvoted 3 times

  ZUMY 2 years, 3 months ago

"B". Backup is supported for the whole VM for all the OS types mentioned. Also, backup operation can be done while VM is offline or shutdown
upvoted 4 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 611/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #2 Topic 6

HOTSPOT -
You create a Recovery Services vault backup policy named Policy1 as shown in the following exhibit:

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
NOTE: Each correct selection is worth one point.
Hot Area:

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 612/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Correct Answer:

Box 1: 10 years -
The yearly backup point occurs to 1 March and its retention period is 10 years.

Box 2: 36 months -
The monthly backup point occurs on the 1
of every month and its retention period is 36 months.
st

  fedztedz Highly Voted  2 years, 5 months ago

Answer is correct. 10 years and 36 months.
Azure retention policy takes the longest period of retention for each backup. In case of conflict between 2 different policies.
upvoted 84 times

  Holydud 9 months, 4 weeks ago

Was on exam 19 Aug 2022. Scored 870. Around 85% questions were also on ET. Answered:

Box1: 10y
Box2: 36mo
upvoted 7 times

  mikl 2 years, 3 months ago

Please do explain the difference between these two jobs then?

1 March
1 November
upvoted 2 times

  Nilf 2 years, 2 months ago

All 1-st of each Month will be store for 35 weeks like monthly backup. Only -1st March will be stored like Years backup for 10 years
upvoted 8 times

  Nilf 2 years, 2 months ago

36 weeks*
upvoted 6 times

  mlantonis Highly Voted  2 years ago

Correct Answer:

Box 1: 10 years
The yearly backup point occurs to 1 March and its retention period is 10 years.

Box 2: 36 months
The monthly backup point occurs on the 1
of every month and its retention period is 36 months.

Note: Azure retention policy takes the longest period of retention for each backup. In case of conflict between 2 different policies.

Reference:

https://docs.microsoft.com/en-us/microsoft-365/compliance/retention?view=o365-worldwide
upvoted 75 times

  bassmonster Most Recent  1 month, 3 weeks ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 613/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

This question is just pathetic..it's testing to see if you can read properly and select the required table....
upvoted 1 times

  klexams 7 months, 2 weeks ago

The longest retention takes precedence.
March 1 = Yearly backup = 10 years
Nov 1 = Monthly = 36 months
upvoted 2 times

  EmnCours 9 months, 2 weeks ago

Box 1: 10 years -
The yearly backup point occurs to 1 March and its retention period is 10 years.

Box 2: 36 months -
The monthly backup point occurs on the 1
of every month and its retention period is 36 months.
upvoted 1 times

  minix 11 months, 3 weeks ago

came in today's exam 25/6/2022
upvoted 4 times

  Lazylinux 11 months, 4 weeks ago

Given answer is correct
upvoted 1 times

  ajayasa 1 year, 3 months ago

similar question was there on 16/03/2022 with same question and passed with 900 percent
upvoted 2 times

  areza 1 year, 5 months ago

in exam 29.12.21 - answer 10 years, 36 months
upvoted 5 times

  Takloy 1 year, 6 months ago

Got it! 10 years and 36 months!
Azure retention policy takes the longest period of retention for each backup. In case of conflict between 2 different policies.
Thanks fedztedz and mlantonis.
upvoted 2 times

  ScoutP 1 year, 8 months ago

This question was asked on exam taken on Sept 30, 2021
upvoted 5 times

  Altera2k 1 year, 8 months ago

In exam 09/20/2021 - Answer 100% correct. (Got 100% in this part)
upvoted 5 times

  nasraaqan 2 years, 2 months ago

in exam 21 of march 2021 the answer was right
upvoted 4 times

  Raj_az104 2 years, 2 months ago

Where do we see the second date as Nov 1. It screen shot it just says '1'. How do you know month as Nov.
upvoted 5 times

  3abmula 2 years, 1 month ago

It doesn't matter. The monthly backup is taken on 1st day of each month and it's retained for 36 months, so whether it's November, December
or whatever, as long it's 1st of the month, the answer would be 36 months. And the "Sunday" was just to add more confusion as well.
upvoted 4 times

  allray15 2 years, 2 months ago

The answer is correct, you will get confused if you just read on the wordings ''Sunday" , "November" , March 1st. The answer is easy if you read and
understood the question well.
upvoted 2 times

  ZUMY 2 years, 3 months ago

10 Y
36 M Retention occurs on 1st day of every month ( So it could be a November +a Sunday)
upvoted 3 times

  TheOGMrBee 2 years, 3 months ago

Ok, Maybe I'm missing something, and if I am, please correct me. If the Azure retention uses the longer retention period to store the backup, then
surely both would be 10 years? The reason I say this, is because the backups all occur on the first. The retention policy for the Yearly backup, stored
for 10 years occurs on the 1st of March. If the system is creating and keeping all the backups created on that day, then the question is not specific

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 614/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

enough to be answered with any certainty. This is not the case as the Azure retention policy takes the longes rentention period the 'winning'
retention, in the event of a conflict, which makes sense else you will fail audits or compliance checks.
upvoted 1 times

  LexusNX425 2 years, 2 months ago

The 10 year retention period is specifically set for March 1st, not any other 1st day of the month. It's like an extra factor to check for when
setting a retention period (I.e. for the 10 year retention, is it the first day of the month, and is that day in March?). It must qualify for both criteria
before the retention period is applied to it.
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 615/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #3 Topic 6

You have the Azure virtual machines shown in the following table:

You have a Recovery Services vault that protects VM1 and VM2.
You need to protect VM3 and VM4 by using Recovery Services.
What should you do first?

A. Create a new Recovery Services vault

B. Create a storage account

C. Configure the extensions for VM3 and VM4

D. Create a new backup policy

Correct Answer: A
A Recovery Services vault is a storage entity in Azure that houses data. The data is typically copies of data, or configuration information for
virtual machines
(VMs), workloads, servers, or workstations. You can use Recovery Services vaults to hold backup data for various Azure services
Reference:
https://docs.microsoft.com/en-us/azure/site-recovery/azure-to-azure-tutorial-enable-replicatio

Community vote distribution

A (100%)

  mlantonis Highly Voted  2 years ago

Correct Answer: A

VM3 and VM4 are in a different region from VM1 and VM2. So, we need to create a new Recovery Services Vault in the same region with VM3 and
VM4.
For storage account, it is created automatically by Azure.

A Recovery Services vault is a storage entity in Azure that houses data. The data is typically copies of data, or configuration information for virtual
machines (VMs), workloads, servers, or workstations. You can use Recovery Services vaults to hold backup data for various Azure services.

Reference:

https://docs.microsoft.com/en-us/azure/site-recovery/azure-to-azure-tutorial-enable-replication
upvoted 74 times

  fedztedz Highly Voted  2 years, 5 months ago

Answer is correct. "A" Create a new Recovery Services Vault. As the VM3 and VM4 are in a different region. then we need to create a new one in the
same region of VM3 and VM4 (data source). For storage account, it is created automatically by Azure.
for more details checl https://docs.microsoft.com/bs-cyrl-ba/azure/backup/backup-create-rs-vault#create-a-recovery-services-vault
upvoted 73 times

  petersoliman Most Recent  3 months ago

Selected Answer: A
Correct Answer: A
upvoted 1 times

  Spam101198 3 months, 1 week ago

Steps: 1) Create Recovery Service vault
2) Create Backup Policy
3) Select Azure Resources
4) Schedule Backup
upvoted 1 times

  klexams 7 months, 2 weeks ago

vault and vm have to be in the same region. in this case, the current vault is in west europe.
vm3 and vm4 is in north europe, so answer is A. Create a new Recovery Services vault

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 616/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 2 times
  EmnCours 9 months, 2 weeks ago
Selected Answer: A
Correct Answer: A

  Lazylinux 11 months, 4 weeks ago

Selected Answer: A
VM3 and VM4 need their own ARSV as are in different region to VM1 and VM2
upvoted 3 times

  techie_11 1 year, 2 months ago

On exam 4/12/2022. Correct answer A
upvoted 3 times

  sid132 1 year, 3 months ago

On the exam today, 4.March.2022
upvoted 2 times

  nidhogg 1 year, 4 months ago

On the exam today, 1.feb.2022
Just 761/1000, but OK! :D
Thanks to ExamTopics and to you all!
upvoted 4 times

  ITprof99 1 year, 5 months ago

On exam 01.02.22
Answer: Create a new Recovery Services Vault
upvoted 4 times

  MaxToRo 1 year, 6 months ago

Is right!
upvoted 1 times

  barcellos 1 year, 10 months ago

A - Vm3 and vm4 are in a different region.
upvoted 1 times

  Merkur76 1 year, 10 months ago

came in exam 07/30/2021 - passed
A my answer
upvoted 3 times

  ScreamingHand 2 years ago

Recovery Services Vault and the VMs need to be in the same Region and Subscription for backups.
The Storage account must be in the same region as the Recovery Services vault to store the reports.
The Log Analytics workspace can be in any region. It does not need to be in the same region as the recovery services vault.
Blobs cannot be backed up to service vaults.
upvoted 2 times

  ZUMY 2 years, 3 months ago

A is correct- A recovery service vault from the same Region
upvoted 2 times

  toniiv 2 years, 3 months ago

Answer is correct. Recovery Services Vault should be available on the same region as target VMs to be protected.
upvoted 3 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 617/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #4 Topic 6

HOTSPOT -
You have an Azure subscription that contains an Azure Storage account named storage1 and the users shown in the following table.

You plan to monitor storage1 and to configure email notifications for the signals shown in the following table.

You need to identify the minimum number of alert rules and action groups required for the planned monitoring.
How many alert rules and action groups should you identify? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

  mlantonis Highly Voted  2 years ago

Correct Answer:

You can define only one activity log signal per alert rule. To alert on more signals, create another alert rule.

Box 1: 4
You need 1 alert rule per 1 signal (1xIngress, 1xEgress, 1xDelete storage account, 1xRestore blob ranges).

Box 2: 3
You need 3 Action Groups (1xUser1 and User3, 1xUser1 only, 1xUser1 User2 and User3). Check ‘Users to notify’ column.
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 618/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 178 times

  Panapi 3 months, 3 weeks ago

Answer valid! This question was on the exam 22/02/2023. Scored 920.
upvoted 3 times

  skydivex 3 months, 2 weeks ago

User 1 already has a group name Group1... the correct answer is as follow:
Box 1: 4
You need 1 alert rule per 1 signal (1xIngress, 1xEgress, 1xDelete storage account, 1xRestore blob ranges).

Box 2: 2
You need 2 Additional Action Groups (1xUser1 and User3, 1xUser1 User2 and User3). Check ‘Users to notify’ column.

Check the question again..... it is asking how many new alerts and groups.
upvoted 1 times

  Katlegobogosi 1 month, 1 week ago

where do you see "new" in the question?
upvoted 1 times

  KrisJin 1 month, 2 weeks ago

Don't mess things up if you do not know anything
upvoted 1 times

  Holydud 9 months, 4 weeks ago

Was on exam 19 Aug 2022. Scored 870. Around 85% questions were also on ET. Answered:

Box1: 4
Box2: 3
upvoted 12 times

  Chisom_J 2 years ago

thanks for the explanation
upvoted 14 times

  fedztedz Highly Voted  2 years, 5 months ago

Answer is correct. 4 Alert rules and 3 action groups
upvoted 44 times

  SIAMIANJI Most Recent  1 month, 1 week ago

You can define only one activity log signal per alert rule. To alert on more signals, create another alert rule.

Box 1: 4
You need 1 alert rule per 1 signal (1xIngress, 1xEgress, 1xDelete storage account, 1xRestore blob ranges).

Box 2: 3
You need 3 Action Groups (1xUser1 and User3, 1xUser1 only, 1xUser1 User2 and User3).
upvoted 2 times

  zzreflexzz 1 month, 2 weeks ago

on exam 4/29/23
upvoted 3 times

  FlowerChoc1 2 months ago

Cleared the exam on 04/12/2023. This question came.
Box 1: 4
Box 2:3
upvoted 2 times

  djgodzilla 2 months, 2 weeks ago

exp: You can define only one activity log signal per alert rule. To alert on more signals, create another alert rule.
Storage Metrics :
- Used Capacity - Ingress/Egress - transactions
- Transactions -Availability
- Success Server Latency - Success E2E Latency
Storage:
StorageDelete - StorageRead - StorageWrite
https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/metrics-supported#microsoftclassicstoragestorageaccounts
https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/resource-logs-categories#microsoftstoragestorageaccountsblobservices
upvoted 1 times

  vbohr899 3 months, 2 weeks ago

Cleared Exam today 26 Feb, This question was there in exam.
upvoted 2 times

  zellck 4 months ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 619/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Got this in Feb 2023 exam.

upvoted 4 times

  klexams 7 months, 2 weeks ago

rules are 4 as quite obvious.
AG are 3:
user1 n 3
user1
user1 , 2 n 3
upvoted 3 times

  tahirMScert 8 months, 2 weeks ago

this was on exam 03oct2022 , I scored 870 and answered as Examtopics answer
upvoted 4 times

  majerly 8 months, 2 weeks ago

Today in exam, 4 and 3
upvoted 1 times

  EmnCours 9 months, 2 weeks ago

Correct Answer:

You can define only one activity log signal per alert rule. To alert on more signals, create another alert rule.

Box 1: 4
You need 1 alert rule per 1 signal (1xIngress, 1xEgress, 1xDelete storage account, 1xRestore blob ranges).

Box 2: 3
You need 3 Action Groups (1xUser1 and User3, 1xUser1 only, 1xUser1 User2 and User3). Check ‘Users to notify’ column.
upvoted 1 times

  Lazylinux 11 months, 4 weeks ago

given answer is correct
upvoted 1 times

  cloudera 12 months ago

Box 1: 4 1xIngress, 1xEgress, 1xDelete storage account, 1xRestore blob ranges

Box 2: 4 As appose to others' comments below, my answer is 4.

'Activity Log' for restored required two action groups - one for Delete x 1 and Restore x1.Otherwise, when the storage account is restored User2
will get notified, we don't want that based on the table.
upvoted 1 times

  techie_11 1 year, 2 months ago

On exam 4/12/2022. Correct answer 4 and 3
upvoted 4 times

  InvisibleShadow 1 year, 3 months ago

This question came in the exam today 8/Mar/2022.
I passed the exam, 95% questions came from here.
upvoted 1 times

  sid132 1 year, 3 months ago

On the exam today, 4.March.2022
upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 620/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #5 Topic 6

You have an Azure subscription that contains the identities shown in the following table.

User1, Principal1, and Group1 are assigned the Monitoring Reader role.
An action group named AG1 has the Email Azure Resource Manager Role notification type and is configured to email the Monitoring Reader role.
You create an alert rule named Alert1 that uses AG1.
You need to identity who will receive an email notification when Alert1 is triggered.
Who should you identify?

A. User1 and Principal1 only

B. User1, User2, Principal1, and Principal2

C. User1 only

D. User1 and User2 only

Correct Answer: C
Email will only be sent to Azure AD user members of the Monitoring Reader role. Email will not be sent to Azure AD groups or service principals.
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/action-groups

Community vote distribution

D (63%) C (37%)

  mlantonis Highly Voted  2 years ago

Correct Answer: C

Email will only be sent to Azure AD user members of the Monitoring Reader role. Email will not be sent to Azure AD groups or service principals.

Reference:

https://docs.microsoft.com/en-us/azure/azure-monitor/platform/action-groups

https://docs.microsoft.com/en-us/azure/azure-monitor/alerts/action-groups#email-azure-resource-manager-role
upvoted 122 times

  yaboo1617 1 month, 3 weeks ago

When you set up the Resource Manager role:

Assign an entity of type User to the role.

Make the assignment at the subscription level.
Make sure an email address is configured for the user in their Azure AD profile.
upvoted 1 times

  wsrudmen 1 year, 2 months ago

Yes it's not sent to a group. But User2 inherits of the Monitoring Reader role.
So he will receive also the notification
upvoted 17 times

  rawrkadia 1 year, 11 months ago

Did you actually test this? The question doesn't involve sending an email to a group but is instead concerned with role assignment inheritance
from the group. The link you're all posting isn't necessarily relevant. User 2 should inherit the role assignment from the group, you can easily
validate that in the portal.

I am waiting out the 24hr lag period before testing. Alert group scoped to email on VM creation or deletion, one user assigned role directly and
one via group. Will report back.
upvoted 12 times

  panjie_s 1 year, 8 months ago

result?
upvoted 7 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 621/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  suriyaswamy 1 year, 10 months ago

Thanks for this Info
upvoted 2 times

  complexxL9 Highly Voted  2 years ago

Answer is D.
AG sends to users that have 'reader' role, User2 inherits that role through Group1 membership.
upvoted 49 times

  green_arrow 1 year, 11 months ago

I'm agree
upvoted 5 times

  NotMeAnyWay 11 months ago

Anwser c: User1 only
Can't be true, just send 10 seconds reading this from MS Docs:
https://docs.microsoft.com/en-us/azure/azure-monitor/alerts/action-groups#email-azure-resource-manager-role
Only the users in the Manager Role receive the email alert, not the group members or Principals.
upvoted 5 times

  Babushka 7 months ago

Folks that do say it's D are saying that's the answer because User 2 inherits Manager Role through Group 1. The AG is configured to send
alert on the role which User 2 will have.
upvoted 2 times

  Razvan123 10 months ago

You should not confuse group email (generated on group creation) with individual emails for group members.
upvoted 2 times

  SIAMIANJI Most Recent  3 weeks, 2 days ago

Selected Answer: D
User1 and User2 only
upvoted 1 times

  SedateBloggs 3 months, 1 week ago

I Lab'd this by creating a test user account and adding that test user to an azure group that had an Azure Role assignment setup against it (i
happened to use the Contributor role, but it can be any role). The test user did NOT have any direct azure role assigned it it. I then setup an action
group with the action to email the azure resource manager role (and selected contributor). I then tested the action group and a few minutes later
the test email popped into the test users mailbox. This to me indicates that even though the role assignment is to a group, the users nested in that
group would receive the alert from the action group. I would therefore suggest it is User 1 and User 2 in this scenario
upvoted 10 times

  lombri 3 months, 2 weeks ago

Selected Answer: D
in this scenario, User2 is a member of Group1, which is assigned the Monitoring Reader role. As a result, User2 will inherit the Monitoring Reader
role from the group and will be able to receive email notifications when the alert rule named Alert1 is triggered.
upvoted 2 times

  manthlan 4 months ago

If an email is not going to be sent to group1 in the first place ,so how is user2 as a member of the group going to receive the email?
upvoted 2 times

  GBAU 4 months ago

Everyone be like "Email will not be sent to Azure AD groups or service principals."
I be like, "What about Azure AD groups MEMBERS"

Mail enabled groups exist, so they definitely wouldn't get any notification email from the above, but what about the members of the group, they
inherit the assignment that would qualify them for the email?

I think I have to assume it means both, the Group and its members leaving C the answer.
upvoted 1 times

  GBAU 4 months ago

As in, when MS coded it, they only parse the Role Membership for Users and they ignore Groups and Principals. They do not traverse Groups
(and possibly sub-groups) in the role looking for more Users. They shortcutted their coding, maybe to reduce load and latency on the actions
process.
upvoted 2 times

  AndreaStack 4 months ago

Correct Answer: D

User1 and User2 only.

To be precise, Managed Identities (Principal1 and Principal2)DO NOT HAVE an email address associated with them and therefore CANNOT receive
email notifications from Azure Alerts. In this scenario, only User1 and User2 (as members of Group1) will receive email notifications when the Alert1
is triggered.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 622/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

User2 inherits the Monitoring Reader role from his group, Group1. In Azure Active Directory (Azure AD), you can assign roles to groups, and then
add users as members to those groups. Members of a group will inherit the role assignments of the group, allowing you to manage role
assignments for multiple users in a centralized way.

So, in this scenario, User2 is a member of Group1, which is assigned the Monitoring Reader role. As a result, User2 will inherit the Monitoring
Reader role from the group and will be able to receive email notifications when the alert rule named Alert1 is triggered.
upvoted 5 times
  lkjsatlwjwwge 4 months, 1 week ago
Both supporters of C and D make sense, and there's no intrinsic argument in favor of any answer. The problem is the documentation is ambiguous.
If MS meant to say that the email ARM role notification only worked for direct members of the role they could have certainly done a better job. I
guess the only way to know is to test this, I'm surprised no one did that yet...
upvoted 2 times

  er101q 4 months, 1 week ago

The correct answer is D. User1 and User2 only.

When Alert1 is triggered, an email notification will be sent to the recipients who are assigned the Monitoring Reader role. In this case, User1 and
Principal1 are assigned the Monitoring Reader role and will receive an email notification. User2 and Principal2 are not assigned the Monitoring
Reader role and will not receive an email notification.
upvoted 1 times

  MacGyver83 4 months, 3 weeks ago

Selected Answer: D
User2 Inherits the role, and receives the e-mail too.
upvoted 1 times

  otonx 6 months, 3 weeks ago

Selected Answer: D
i choose D
upvoted 1 times

  OrwellMB 6 months, 4 weeks ago

So basically if the Alert would be configured to mail a "group", none of the group members would get mail, right?
But if a Group gets assigned a role, all members of the group got this role (Monitoring Reader), so emailing Monitoring Readers would send an
email to the group members, individually.
upvoted 1 times

  Babushka 7 months ago

Selected Answer: D
D - i agree with folks about User 2 inheriting the role from the Group. The alert is sending to a role, and user 2 will have that role.
upvoted 2 times

  car10589 7 months ago

Selected Answer: C
Correct answer: C
upvoted 1 times

  compldc72 7 months, 1 week ago

https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/action-groups
The Above states that:
When you use this type of notification, you can send email to the members of a subscription's role. Email is only sent to Azure Active Directory
(Azure AD) user members of the role. Email isn't sent to Azure AD groups or service principals.

The below mentions that "Managed identity" is a service principal

https://learn.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals

Therefore the Answer is C as User1 is Not in a Group is not a Managed identity

User2 and Principal1 are members of a Group

Principal1 and Principal2 are of type Managed identity
upvoted 4 times

  klexams 7 months, 2 weeks ago

AG1 to email Monitoring reader. Monitoring reader are User1, Principal1, and Group1.
It can only email user object. so answer is:
C. User1 only
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 623/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #6 Topic 6

HOTSPOT -
You have an Azure virtual machine named VM1 and a Recovery Services vault named Vault1.
You create a backup policy named Policy1 as shown in the exhibit. (Click the Exhibit tab.)

You configure the backup of VM1 to use Policy1 on Thursday, January 1 at 1:00 AM.
You need to identify the number of available recovery points for VM1.
How many recovery points are available on January 8 and January 15? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 624/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Correct Answer:

Box 1: 6 -
5 latest daily recovery points, which includes the weekly backup from the previous Sunday, plus the monthly recovery point.

Box 2: 8 -
5 latest daily recovery points, plus two weekly backups, plus the monthly recovery point.
Reference:
https://social.technet.microsoft.com/Forums/en-US/854ab6ae-79aa-4bad-ac65-471c4d422e94/daily-monthly-yearly-recovery-points-and-
storage-used? forum=windowsazureonlinebackup

  fedztedz Highly Voted  2 years, 5 months ago

Answer is correct in case yearly backup is also in the question.
If we assumed we have yearly, then the answer will be:
- @8 JAN: 5 daily backups ( 1 weekly backup included) + 1 monthly = 6
- @ 15 JAN: 5 daily backups ( 1 weekly backup included) + 1 weekly + 1 monthly +1 yearly = 8 backups
upvoted 119 times

  jimmyli 2 years, 2 months ago

in other words, 2nd box should be 7 which is not included in the four choices. because yearly backup is not mentioned, the correct answer
should be 5 daily backups including the latest weekly backup + 1 weekly for the previous weekend + 1 monthly backup
upvoted 9 times

  Thomas_L 2 years, 1 month ago

its 6. We retain the 5 daily backups from January 4th - January 8th. There is a weekly backup on the 4th that we do NOT include in the count
because it's already backed up by the 5-day retention period of the daily backups.
Then we have a monthly backup on the 2nd, that is outside the 5-day retention period.
5 daily backups + 1 monthly backup = 6 backup points.
upvoted 29 times

  MrJJ10 6 months, 2 weeks ago

I understand this explanation very good, however Weeklys started on the 1st @ 1400, and yes you only retain 5 Daily backups, which
would be the 4th-8th. The monthly is scheduled to take place on the 2nd and Retain
for 20 weeks. Not understanding why would you count a Weekly Back (Sunday at 2pm) as part of the Daily when Weekly's are maintained
for 20 weeks. I think the count would be 7 (5 Daily(4th-8th) + 1 Weekly(Sunday) +
1 monthly(2nd which is a Friday)). I understand that 7 is not part of the presented answers so you would have to go with 6. My real world
Weekly backups run seperately from the Daily.
upvoted 2 times

  kerimnl 9 months, 1 week ago

This comment is PERFECT to understand.
upvoted 1 times

  Miles19 2 years, 2 months ago

correct.
upvoted 2 times

  PRabiu 2 years, 5 months ago

15th Jan is a Friday = 5 daily backups (Monday - Friday) + 2 Weekly (2 sundays) + 1 Monthly = 8 backups
upvoted 12 times

  Franpb90 2 years ago

15th Jan is a Thursday, and 1 weekly backup is the same that 1 daily backup. It should be 7 the second answer.
upvoted 4 times

  learning23497 12 months ago

How do you know it is Thursday? No year is mentioned. Also - 8 is the closest answer to 7, so in that case i would also go with 8 :-)
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 625/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 2 times

  Grimstad 11 months, 2 weeks ago

It says January 1st is a Thursday, which would make the 15th also a Thursday.
upvoted 4 times

  Turbosco 3 weeks, 6 days ago

Box 1 is 6: 5 Daily backups (4 Jan - 8 Jan including weekly backup at 4 Jan ) + Monthly backup (2 Jan)

Box 2 is 8: 5 Daily backups (11 Jan - 15 Jan including weekly backup at 11 Jan) + 1 Weekly backup (4 Jan) + 1 Monthly backup (2
Jan) + 1 Yearly backup (9 Jan)
upvoted 1 times

  XolexHp 1 year, 9 months ago

I totally dont understand why only 6 - 8 recovery point??? Why we have daily backup, it means that everyday, each day has a point
=> Then means, from 1 JAN to 8 JAN we had 8 days <=> 8 points?!?!
Please help meeeeee
upvoted 6 times

  imartinez 1 year, 9 months ago

Check for retention of daily backup point, in the daily case is set to 5, that means that every daily BK, called recovery points by Azure, oldest
than 5 days will be deleted.

https://docs.microsoft.com/en-us/azure/backup/backup-azure-vm-backup-faq
upvoted 18 times

  XolexHp 1 year, 9 months ago

Thank you, imartinez, understood
upvoted 5 times

  mlantonis Highly Voted  2 years ago

Correct Answer:

Box 2: 8
5 latest daily recovery points, plus two weekly backups, plus the monthly recovery point.
15th January is a Friday = 5 daily backups (Monday - Friday) + 2 Weekly (2 Sundays) + 1 Monthly = 8 backups
upvoted 67 times

  jose 1 year, 8 months ago

The answer is correct, but the explanation is not because 15th January is Thursday. So:
5 daily backups (11th Sunday weekly backup included) + 1 weekly backup (4th Sunday) + 1 Monthly + 1 Yearly = 8 backups

Box 2: 8.
upvoted 25 times

  itgg11 1 year, 3 months ago

Jose you are spot on. mlantonis missed a yearly backup on 09.01. 6 and 8 recovery points still.
upvoted 6 times

  Henryjb3 4 months, 2 weeks ago

Why is the 1 weekly backup included in box 1 then not included in box 2?
upvoted 2 times

  cloudera 1 year ago

8th January = 5 daily backups. How did we come up with 5 days?

On the question, I can't see any description that says backups only happen on the weekdays. So backups Mon-Sunday be 7 backups + 1 weekly
+ 1 Monthly = 9 backups. What am I missing here? Can someone explain to me? Thanks
upvoted 1 times

  Grimstad 11 months, 2 weeks ago

Daily backups are only retained for 5 days, so you will only have a maximum of 5 daily backups. Monday-Friday doesn't make any sense to
me - whether it's a weekday or not is irrelevant.
upvoted 1 times

  MonkeyIntelligence Most Recent  5 days, 7 hours ago

you need to be an effin mathematician to solve this. why is this even a question?
upvoted 1 times

  Frank_2022 3 weeks, 5 days ago

Box 1: 6
5 latest daily recovery points, which includes the weekly backup from the previous Sunday, plus the monthly recovery point.
8th January = 5 daily backups (1 weekly backup included) + 1 Monthly = 6 backups
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 626/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Box 2: 8

5 daily backups (11th Sunday weekly backup included) + 1 weekly backup (4th Sunday) + 1 Monthly + 1 Yearly = 8 backups
upvoted 1 times
  brucespr 1 month, 3 weeks ago
It probably doesnt count the yearly backup, as it just started 9 days after creation of that job, so it doesnt count as a complete yearly backup for
now ...
upvoted 1 times

  shadad 3 months, 1 week ago

I took Exam of Azure- 104 at 27/2/2023
I score 920 points out of 1000 points. This was on it and my answer was:
Box 1: 6
Box 2: 8
That is the only question i had to memorize it answer just in case. My exam machine was bad and i lost time on it before they let me proceed the
exam on another one. i had to do what i had to do :( . its still better to know the calculation of the backups as explained by mlantonis .
upvoted 4 times

  AK4U 3 months, 1 week ago

I am blind, or can someone please explain to me why for Box 1 there wouldn't be 7 (even though there is no 7 in the answer)??

5 daily
1 weekly
and the monthly update happens on the 2nd day of every month. so why wouldn't we have also 1 monthly if the policy is applied on January 1st?
upvoted 1 times

  AK4U 3 months, 1 week ago

Ahh i just read the explanation "5 latest daily recovery points, which includes the weekly backup from the previous Sunday, plus the monthly
recovery point". Thats a bit tricky
upvoted 1 times

  Dat_doge 3 months, 2 weeks ago

answer1: 5 daily backups (including weekly backup sunday 4th) + 1 monthly backup (friday 2nd) = 6

answer2: 5 daily backups (including weekly backup sunday 11th) + 1 weekly backup (sunday 4th) + 1 monthly backup (friday 2nd) + 1 yearly
backup (friday 9th) = 8
I guess the question has changed over the years thats why there is this confusion.
upvoted 1 times

  zellck 4 months ago

1. 5 daily + 1 weekly = 6
2. 5 daily + 2 weekly + 1 yearly = 8
upvoted 1 times

  zellck 4 months ago

Correction.

1. 4 daily + 1 daily/weekly + 1 monthly = 6

2. 4 daily + 1 daily/weekly + 1 weekly + 1 monthly + 1 yearly = 8
upvoted 3 times

  RougePotatoe 4 months ago

6
8
Number is constant count.
jan 1 (thrusday) +1
2 fri +1
3 sat +1
4 sun +1
5 mon +1
6 tue +1 -1
7 wed +1 jan 2 available for 24; no -1
8 thr +1 -1
9 fri +1 jan 5 available for 20 weeks
10 sat +1 -1
11 sun +1 -1
12 mon +1 -1
13 tue +1 -1
14 wed +1 jan 9 available for 5 years; no -1
15 thr +1 -1
upvoted 2 times

  RougePotatoe 3 months, 3 weeks ago

Essentially after the first 4 days (IE on the 5th day) you will always have 5 consistent backups. What you are looking for here is when would it not
lose a backup due to the 5 day daily backup rule because another rule replaced it such as the weekly or yearly.
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 627/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 1 times
  spike15_mk 6 months ago
CORRECT ANSWER:

Janyary 8 at 02:00 PM [answer choice]: 6

Daily Backups : 5 backups (from 4th to 8th of January)

Weeky Backups : 0 backup (Sunday 04th of January) .04th of January is included in retention daily. Next day on 09th of January the backup for 04th
January will be kept as monthly recovery point
Monthly Backups: 1 backup (2nd of January)

Totally: 6 backups (There are diffrent recovery points for daily,weekly,monthly and yearly)

Janyary 15 at 02:00 PM [answer choice]: 8

Daily Backups : 5 backups (from 11th to 15th of January)

Weeky Backups : 1 backup (Sunday 04th and 11th of January) 11th of January is exist in Daily retention(last 5 days) and for weekly will have only 1
from 04th of January
Monthly backup : 1 backup (2nd of January)
Yearly Backup : 1 backup (9th of January)

Totally: 8 backups (There are diffrent recovery points for daily,weekly,monthly and yearly)
upvoted 2 times

  spike15_mk 6 months ago

Please Note: All the backups are set on 02:00 AM so if the backup time matches between for example daily and monthly (2nd of every month )
Recovery service Vault will do only once backup an it will keep as daily retention in the next 5 days and the next 6th day will move as monthly
recovery point.
If the backups are set with different times then if the date matches but times not (different time for backup) Recovery service Vault will do
backup separately
upvoted 2 times

  mung 6 months, 3 weeks ago

It looks like yearly was added later so the current answer should be 7 and 9
upvoted 1 times

  Liriano 7 months, 2 weeks ago

In exam today, go with highly voted
upvoted 1 times

  klexams 7 months, 2 weeks ago

Jan 1 2am = thur
Jan 8 2pm = thur
there is 1 sunday in between which is Jan 4 > 1 RP
Jan 8 minus 5day = Jan 3 > 5 RPs which includes Jan 4
Jan 2 > 1 RP
Box1 = 6 RPs

Jan 8 = thur
Jan 15 2pm = thur
there is 1 sunday in between which is Jan 11 > 1 RP
Jan 15 minus 5day = Jan 10 > 5 RPs which includes Jan 11
Jan 4 as kept for 2 weeks > 1 RP
Jan 2 as kept for 24 months > 1 RP
Jan 9 > 1 RP
Box 2 = 8 RPs
upvoted 1 times

  tahirMScert 8 months, 2 weeks ago

this was on exam 03oct2022 , I scored 870 and answered as Examtopics answer
upvoted 2 times

  majerly 8 months, 2 weeks ago

today in exam, 6 and 8
upvoted 1 times

  renzoku 8 months, 4 weeks ago

Care, only 1 backup could do on a day
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 628/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #7 Topic 6

HOTSPOT -
You have the web apps shown in the following table.

You need to monitor the performance and usage of the apps by using Azure Application Insights. The solution must minimize modifications to the
application code.
What should you do on each app? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 629/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Correct Answer:

Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/app/azure-web-apps

  ShanYuen Highly Voted  1 year, 6 months ago

Correct.
Application Insights Agent (formerly named Status Monitor V2) is a PowerShell module published to the PowerShell Gallery. It replaces Status
Monitor.

https://docs.microsoft.com/en-us/azure/azure-monitor/app/status-monitor-v2-overview
https://docs.microsoft.com/en-us/azure/azure-monitor/app/status-monitor-v2-detailed-instructions
upvoted 23 times

  wsrudmen Highly Voted  1 year, 2 months ago

Correct
There are two ways to enable application monitoring for OnPrem, VM or App Services Web APP:
- Auto-instrumentation by using Application Insight Agent
Manual instrumentation by installing the Application Insight SDK through code

So as it's mentioned the solution must minimize the modification then it's Application Insight Agent
upvoted 17 times

  djgodzilla Most Recent  2 months, 2 weeks ago

old school video explaining how app insight agent works.
https://youtu.be/2grHLBHpdG0
upvoted 2 times

  mung 6 months, 4 weeks ago

Both C, D can be used for Application Insights.
But Application insights SDK requires editing your application code so answer should be D which doesn't requires code editing.
upvoted 5 times

  klexams 7 months, 2 weeks ago

Auto-instrumentation application monitoring (ApplicationInsightsAgent).
This method is the easiest to enable, and no code change or advanced configurations are required. It's often referred to as "runtime" monitoring.
For App Service, we recommend that at a minimum you enable this level of monitoring. Based on your specific scenario, you can evaluate whether
more advanced monitoring through manual instrumentation is needed.

Manually instrumenting the application through code by installing the Application Insights SDK.
upvoted 5 times

  Timock 1 year, 4 months ago

Application Insights Agent (formerly named Status Monitor V2) is a PowerShell module published to the PowerShell Gallery. It replaces Status
Monitor. Telemetry is sent to the Azure portal, where you can monitor your app.

Note:
The module currently supports codeless instrumentation of .NET and .NET Core web apps hosted with IIS. Use an SDK to instrument Java and
Node.js applications.

https://docs.microsoft.com/en-us/azure/azure-monitor/app/status-monitor-v2-overview
upvoted 8 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 630/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  haitao1234 1 year, 6 months ago

Correct, key is to minimize code change to application.

https://docs.microsoft.com/en-us/azure/azure-monitor/app/azure-web-apps
upvoted 1 times

  MrMacro 1 year, 6 months ago

Answer looks correct based on the link provided.

Agent-based application monitoring (ApplicationInsightsAgent).

This method is the easiest to enable, and no code change or advanced configurations are required. It is often referred to as "runtime" monitoring.
For Azure App Services we recommend at a minimum enabling this level of monitoring, and then based on your specific scenario you can evaluate
whether more advanced monitoring through manual instrumentation is needed.

The following are support for agent-based monitoring:

.NET Core
.NET
Java
Nodejs
upvoted 6 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 631/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #8 Topic 6

You have an Azure virtual machine named VM1.

You use Azure Backup to create a backup of VM1 named Backup1.
After creating Backup1, you perform the following changes to VM1:
✑ Modify the size of VM1.
✑ Copy a file named Budget.xls to a folder named Data.
✑ Reset the password for the built-in administrator account.
✑ Add a data disk to VM1.
An administrator uses the Replace existing option to restore VM1 from Backup1.
You need to ensure that all the changes to VM1 are restored.
Which change should you perform again?

A. Modify the size of VM1.

B. Reset the password for the built-in administrator account.

C. Add a data disk.

D. Copy Budget.xls to Data.

Correct Answer: D
Reference:
https://docs.microsoft.com/en-us/azure/backup/about-azure-vm-restore

Community vote distribution

D (73%) C (27%)

  ninjia Highly Voted  1 year, 5 months ago

If it's a single selection, I would select D. However, the test result reveals it should be two (C and D).

I have tested this in Azure.

Prepare
1. Create a Windows VM with size D2S_v3.
2. Backup the VM.
Made changes after the backup.
1. Modify the VM size to DS1_v2.
2. RDP to the VM and create a new file.
3. Reset the password for the built-in administrator.
4. Add a data disk to the VM.

Restore the VM from the backup. Here are the results:

1. VM size remains as DS1_v2.
2. RDP to VM with the changed password.
3. Data disk is gone.
4. A new file is gone.

Conclusion, VM size and password will not be overridden by the restore process.
You will need to perform the changes again:
1. Add a data disk
2. Copy the file.
upvoted 50 times

  Baconrind 7 months ago

Data disk is not gone, it just becomes unattached, as there is no option to re-attach disk, the only "change to perform again" is Copy Budget.xls
to Data. No need to add/create a data disk again it already exists.
upvoted 9 times

  Dhanishetty 5 months, 3 weeks ago

If it already exists, then why copy Budget.xls again. ?
Just simply Attaching will be enough.?
upvoted 4 times

  rugoki 2 days, 9 hours ago

case file might be in a different disk saved
upvoted 1 times

  klexams 7 months, 3 weeks ago

Answer is C.
The new file is not gone. It said "copy file to a folder named Data". It never said "copy to the data disk".
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 632/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 4 times

  klexams 7 months, 3 weeks ago

Also, if wanna be a bit more pedantic :-). The data disk was added AFTER the file copy, so this proves the files was NOT copied to the data
disk.
upvoted 2 times

  klexams 7 months, 3 weeks ago

oppss.. Correction: yes the file IS gone. So agreed answer is:
1. Add a data disk.
2. Copy the file.
upvoted 3 times

  Netspud 1 year, 4 months ago

Sadly I agree.
Ref: https://docs.microsoft.com/en-us/azure/backup/backup-azure-arm-restore-vms#replace-existing-disks-from-a-restore-point
Suggest all disks are replaced by the ones in the snapshot.
ALTHOUGH the disk is not deleted, and still available in the RG (but you have to assume it needs added back).
For me the safest answer is D, that file is defo gone.
upvoted 6 times

  Nilvam 1 year, 4 months ago

Data disk will not gone (deleted). It will be unmapped.
upvoted 5 times

  sourabhg Highly Voted  7 months ago

Selected Answer: D
The correct answer is D, i.e., copy the file again.
a. You don't need to resize the VM after backup. The latest size will be applicable.
b. The latest credentials will work.
c. This one is a bit ambiguous. The additional data disk will not be deleted after the restoration. However, you will have to attach it again to the VM.
D. The file will be lost and needs to be created again.
upvoted 7 times

  SIAMIANJI Most Recent  3 weeks, 2 days ago

Selected Answer: D
Copy Budget.xls to Data.
upvoted 1 times

  Madbo 2 months ago

The correct answer is C. Add a data disk.

When you use the "Replace existing" option to restore a virtual machine from an Azure Backup, the entire virtual machine is replaced with the
backup data, including the operating system disk and all data disks that were attached to the virtual machine at the time the backup was taken.
upvoted 1 times

  CyberKelev 3 months, 2 weeks ago

Selected Answer: C
In Backup does not exist new added Disk in meanwhile. We should add this Disk again
upvoted 1 times

  zellck 4 months ago

Selected Answer: D
D is the answer.

https://learn.microsoft.com/en-us/azure/backup/backup-azure-arm-restore-vms#restore-options
upvoted 2 times

  Phlogiston 4 months ago

Stupid, ambiguous question that should not have made it past QA. Assuming that events are described in order, the file is copied to a folder
named Data, which must exist on C:. That said, we do not know with any certainty where this folder resides because there is no explicit indication. It
could reside on the C: drive but this is based on an inference that the question posits the activities in the order they were performed. However, the
similarity between the folder name (Data) and the "data" disk in the question also causes the reader to make an inference about the location of the
folder. The best answer is, therefore, C because you will always have to attach the additional drives after a restoration. D: is also valid if the Data
folder is on the data drive, but we have no way of knowing this with any certainty. /rant off
upvoted 2 times

  er101q 4 months, 1 week ago

B. Reset the password for the built-in administrator account.

This change should be performed again because restoring a virtual machine from a backup using the "Replace existing" option will restore the
virtual machine to its state at the time the backup was created. Any changes made after the backup was created will be lost and will need to be
performed again. In this case, resetting the password for the built-in administrator account is a change that was made after the backup was
created, so it will need to be performed again after restoring the virtual machine from the backup.
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 633/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  spike15_mk 6 months ago

Correct Answer is C
Explanation:
When we create Backup1 we create backup with Size of VM1, folder Data as mention (without Budget.xls inside) and password for the built-in
administrator account.
After creating Backup1, you perform the following changes to VM1:
✑ Modify the size of VM1.(size of VM exist in backup)
✑ Copy a file named Budget.xls to a folder named Data.(Data folder exist in backup without Budget.xls)
✑ Reset the password for the built-in administrator account.(Old Password exist on Backup)
✑ Add a data disk to VM1. (Not Exist in Backup)

When we do Replace Existing Option restore VM1 from Bakup1:

✑ Modify Size of VM1 will be replaced with old one
✑ All the matched Files in Data Folder will be replaced from Backup1 and new ones which exist in our case Bidget.xls will remain
✑ Password for build-in Administrator Account will replaced from the Backup1
✑ In Backup does not exist new added Disk in meanwhile. We should add this Disk again
upvoted 1 times

  tyohaina 7 months, 1 week ago

Selected Answer: D
I overthought this initially. The correct answer imo is D (not tested).
What 'Replace existing' restore does is restore the data disk from the backup. This means the following things will remain unchanged:
✑ Modified size of VM1.
✑ Reset the password for the built-in administrator account.
✑ Added data disk to VM1. (It might get unmapped, and can simply be mapped) The option says 'add'.

The only thing that changes is a copy of the file to 'Data' folder. Given that 'Data' folder is located in the same disk, the copied file will disappear
upon restore. Hence, D. Copy Budget.xls to Data.

"If the restore point has more or less disks than the current VM, then the number of disks in the restore point will only reflect the VM
configuration."
https://learn.microsoft.com/en-us/azure/backup/backup-azure-arm-restore-vms
upvoted 5 times

  majerly 8 months, 2 weeks ago

today in exam is C
upvoted 2 times

  Wonkas 8 months, 3 weeks ago

Which answer should go for C OR D in exam ? 83 % voted D ? But Examtopics Answer is C , still we believe on ET Answer?
upvoted 3 times

  Wonkas 8 months, 3 weeks ago

Correction : Which answer should go for C OR D in exam ? 83 % voted C ? But Examtopics Answer is D, still we believe on ET Answer?
upvoted 2 times

  etwykolpmwaf 8 months, 3 weeks ago

C. Add a data disk.

The question itself is (as usual) tricky, but Microsoft probably wants to test if you are aware about the Data Disk not being mapped anymore.
The question also states "Changes made to VM1", to me it seems they refer to any change relevant to the VM (or the system) itself. The File is gone
indeed, but the changes made to vm, given the other options implicating changes to the VM or System, leaving the only obvious one (the file) as
"trap" (other that trying to point that the file is on the Data disk, when it's just in in a "Data Folder", that could be on System drive as well.
C. Add a Data disk is probably the right one.
upvoted 3 times

  Marz 7 months, 1 week ago

totally agree to this logic
upvoted 1 times

  ZacAz104 9 months, 1 week ago

In real world when i restore a full backup of a VM all changes before that goes away i havent tried in Azure
upvoted 1 times

  EmnCours 9 months, 1 week ago

Selected Answer: C
C. Add a data disk.
upvoted 1 times

  NStarker 1 year, 1 month ago

i think its C
the file is copied to data disk, so why should I do this again? the data disk is not deleted and must be attached again, so the file is already on the
data disk
upvoted 2 times

  wsrudmen 1 year, 2 months ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 634/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Selected Answer: C
After a restore, the VM size remain, the admin password remains. The the OS disk are well backuped.
The mapping of the data disk is lost but not the data disk. We just need to map again the disk.
Regarding the file the location is not mentioned. If it was on the OS disk it would have been present.
Then better answer is C
upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 635/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #9 Topic 6

HOTSPOT -
You have an Azure Active Directory (Azure AD) tenant named contoso.onmicrosoft.com that contains the users shown in the following table.

You enable password reset for contoso.onmicrosoft.com as shown in the Password Reset exhibit. (Click the Password Reset tab.)

You configure the authentication methods for password reset as shown in the Authentication Methods exhibit. (Click the Authentication Methods
tab.)

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 636/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

Box 1: No -
Two methods are required.

Box 2: No -
Self-service password reset is only enabled for Group2, and User1 is not a member of Group2.

Box 3: Yes -
As a User Administrator, User3 can add security questions to the reset process.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/quickstart-sspr https://docs.microsoft.com/en-us/azure/active-
directory/authentication/active-directory-passwords-faq

  fedztedz Highly Voted  2 years, 5 months ago

Answer is not correct. It should be
- NO: User2 needs 2 authentication methods. Security questions are not enough to reset password
- NO: User1 is not part of the SSPR Group1
- NO: to be able to add security questions to the process. you need Global admin role
https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-sspr#prerequisites
& https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#user-administrator-permissions
upvoted 120 times

  picho707 1 week, 1 day ago

See below what MS Chat AI has to say about this:
Stop Responding
Yes, user administrators can manage self-service password reset policies. By default, administrator accounts are enabled for self-service
password reset, and a strong default two-gate password reset policy is enforced. This policy may be different from the one you have defined for
your users, and this policy can’t be changed
upvoted 1 times

  mrshegz 1 year, 10 months ago

what is SSPR

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 637/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 1 times

  Takloy 1 year, 6 months ago

Sometimes, Some People Remember...
upvoted 67 times

  mdmahanti 10 months, 3 weeks ago

Sometime, Silly Points Resurface
upvoted 8 times

  raydel92 1 year, 9 months ago

Self Service Password Reset
upvoted 40 times

  DodgyD 2 years, 4 months ago

Agree: User administrator role do not have permissions to manage MFA.
upvoted 2 times

  vikki 2 years, 4 months ago

Did not see exactly the information regarding to add security questions to the process, however I do find that User Administrator permission is
able to reset password from the link.
https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#user-administrator
https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#password-reset-permissions
upvoted 2 times

  mlantonis Highly Voted  2 years ago

C0rrect Answer:

Box 1: No
Two methods are required (Mobile phone and Security questions).

Box 2: No
Self-service password reset is only enabled for Group2, and User1 is not a member of Group2.

Box 3: No
To be able to add Security questions to the process, you need to be a Global Administrator. User3 is User Administrator, so User3 cannot add
security questions to the reset process. User Administrator doesn’t have MFA permissions.

Reference:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/quickstart-sspr
https://docs.microsoft.com/en-us/azure/active-directory/authentication/active-directory-passwords-faq
https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-sspr#prerequisites
https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#user-administrator
upvoted 93 times

  morito Most Recent  3 months ago

Took a bit of digging, but here are my answers:

- NO: User2 must provide two authentication methods before they can reset their password
- NO: User 1 is not enabled for SSPR
- NO: A User must have the role of global Administrator or Authentication Policy Administrator to change SSPR (https://learn.microsoft.com/en-
us/azure/active-directory/authentication/tutorial-enable-sspr).
upvoted 2 times

  djgodzilla 3 months, 1 week ago

Box 1: No
Two methods are required (Mobile / Security questions).

Box 2: No
Self-service password reset is only enabled for Group2, and User1 is not a member of Group2.

Box 3: No
User3 is User Administrator, With a two-gate policy, administrators don't have the ability to use security questions.
Admin users cannot do the following:
- Cannot manage MFA.
- Cannot change the credentials or reset MFA for members and owners of a role-assignable group.
https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-policy#administrator-reset-policy-differences
https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#user-administrator
upvoted 1 times

  djgodzilla 3 months, 1 week ago

Only Authentication administrators can do so not global globa can give authentication admin role to someone though).
upvoted 1 times

  zellck 4 months ago

NNN is the answer.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 638/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#user-administrator
upvoted 1 times

  zellck 4 months ago

Got this in Feb 2023 exam.
upvoted 3 times

  typales2005 5 months ago

Was on the 09/01/2023 exam.
upvoted 3 times

  RKETBO 6 months, 1 week ago

The Number of methods required to reset option determines the minimum number of available authentication methods or gates a user must go
through to reset or unlock his password. It can be set to either 1 or 2. Since this option is set to 2, user2 will not be able to reset his password after
only one method has been run.

User1 is a member of group1. Self-service password reset is enabled only for group2.

As a user administrator, user3 cannot add security questions to the reset process.

The following Technet articles contain more information about the topic

https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-howitworks
upvoted 1 times

  klexams 7 months, 2 weeks ago

N - need mobile phone too
N - user2 is not in the group1
N - apparently it needs GA
upvoted 3 times

  EmnCours 9 months, 2 weeks ago

Box 1: No
Two methods are required (Mobile phone and Security questions).

Box 2: No
Self-service password reset is only enabled for Group2, and User1 is not a member of Group2.

  dani12 10 months ago

SSP stands for Self Service Password reset.
upvoted 2 times

  Lazylinux 1 year ago

For sure NO NO NO and as per others comments - read mlantonis
upvoted 3 times

  ra_aly 1 year, 2 months ago

why azure exams are so confusing and there is a lack of knowledge, there are conflicting opinions and unclear direction.
upvoted 4 times

  Lazylinux 11 months, 3 weeks ago

It is Microsoft my friend..Tell me anything about Microsoft that makes sense..yet people buy it!! Linux is the King Kong of the Universe
upvoted 1 times

  benvdw 1 year, 3 months ago

on exam 13/3/2022
upvoted 5 times

  ZacAz104 1 year, 4 months ago

correct answer i think is Yes-No-No because user2 is only member of Group2
upvoted 1 times

  ravi000001 1 year, 9 months ago

NO
NO
NO

Reference: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#user-administrator
upvoted 2 times

  Kpup 1 year, 10 months ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 639/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Still learning azure so excuse the lack of knowledge but the sspr is targetted at group 2, user 1 is not a member, so could they not reset using the
mobile app?
upvoted 2 times

  CloudyTech 1 year, 11 months ago

NoNoNo , User admin cannot add
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 640/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #10 Topic 6

Your company has a main office in London that contains 100 client computers.
Three years ago, you migrated to Azure Active Directory (Azure AD).
The company's security policy states that all personal devices and corporate-owned devices must be registered or joined to Azure AD.
A remote user named User1 is unable to join a personal device to Azure AD from a home network.
You verify that User1 was able to join devices to Azure AD in the past.
You need to ensure that User1 can join the device to Azure AD.
What should you do?

A. Assign the User administrator role to User1.

B. From the Device settings blade, modify the Maximum number of devices per user setting.

C. Create a point-to-site VPN from the home network of User1 to Azure.

D. From the Device settings blade, modify the Users may join devices to Azure AD setting.

Correct Answer: B
The Maximum number of devices setting enables you to select the maximum number of devices that a user can have in Azure AD. If a user
reaches this quota, they will not be able to add additional devices until one or more of the existing devices are removed.
Incorrect Answers:
C: Azure AD Join enables users to join their devices to Active Directory from anywhere as long as they have connectivity with the Internet.
D: The Users may join devices to Azure AD setting enables you to select the users who can join devices to Azure AD. Options are All, Selected
and None. The default is All.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/devices/device-management-azure-portal http://techgenix.com/pros-and-cons-azure-
ad-join/

Community vote distribution

B (92%) 8%

  mlantonis Highly Voted  2 years ago

Correct Answer: B

Keyword: "user was able to connect the device in the past".

The Maximum number of devices setting enables you to select the maximum number of devices that a user can have in Azure AD. If a user reaches
this quota, they will not be able to add additional devices until one or more of the existing devices are removed. By default, the maximum number
of devices per user is 50.

Azure portal -> Azure Active Directory -> Devices

Azure portal -> Azure Active Directory -> Users > Select a user > Devices
upvoted 75 times

  CyberKelev 3 months, 2 weeks ago

Or maybe he has changed of home network and in that case is answer C
upvoted 1 times

  KingChuang 6 months, 3 weeks ago

Ref:
https://learn.microsoft.com/zh-tw/azure/active-directory/devices/device-management-azure-portal

https://learn.microsoft.com/zh-tw/troubleshoot/azure/active-directory/maximum-number-of-devices-joined-workplace
upvoted 1 times

  balflearchen Highly Voted  2 years, 4 months ago

For those who choose D, please read the question carefully, "You verify that User1 was able to join devices to Azure AD in the past." So the join
device setting should be ok, but he already reach the maximum number of devices per user. Answer B is correct.
upvoted 65 times

  mikl 2 years, 4 months ago

Agree.
upvoted 2 times

  Sam2969 2 years, 1 month ago

agree.
by default the maximum number of devices per user is 50
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 641/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 3 times
  Madbo Most Recent  2 months ago
Yes, option B is the correct answer. By modifying the "Maximum number of devices per user" setting, you can allow User1 to join the personal
device to Azure AD. The default value for this setting is 20 devices per user, so if User1 has already reached this limit, they will be unable to join
additional devices to Azure AD.
upvoted 2 times

  CyberKelev 3 months, 2 weeks ago

Selected Answer: C
Answer C make the most sense
upvoted 1 times

  vbohr899 3 months, 2 weeks ago

Cleared Exam today 26 Feb, This question was there in exam.
upvoted 3 times

  er101q 4 months, 1 week ago

D. From the Device settings blade, modify the Users may join devices to Azure AD setting.

The reason for this is that if the "Users may join devices to Azure AD" setting is set to "No", then even if a user has the necessary permissions to
join a device to Azure AD, they will be unable to do so. By modifying this setting to "Yes", you are allowing User1 to join their personal device to
Azure AD from their home network. The other options, such as assigning the User administrator role to User1 or modifying the maximum number
of devices per user setting, would not necessarily resolve the issue with User1's ability to join their device to Azure AD. A point-to-site VPN from
the home network of User1 to Azure may or may not be necessary, depending on the specific network configuration and security requirements.
upvoted 1 times

  klexams 7 months, 2 weeks ago

Selected Answer: B
user1 was able in the past and is no longer, so he maxed out the number of devices he's allowed to join.
upvoted 2 times

  EmnCours 9 months, 2 weeks ago

Selected Answer: B
Correct Answer: B
upvoted 1 times

  Gino_Slim 11 months, 2 weeks ago

Selected Answer: B
If you picked A....you're the reason breaches happen.
upvoted 5 times

  chikorita 4 months, 2 weeks ago

*nods*
upvoted 1 times

  Lazylinux 11 months, 4 weeks ago

Selected Answer: B
I Luv Honey Because it is B
User did add devices in past
3 years ago migration took place hence user properly during that time been adding devices and hence run out of quota
upvoted 3 times

  dasEnder 1 year, 1 month ago

I think B and C are valid. I don't have to explain B. But if there is a conditional access policy C will be correct. This is an assumption, but I have seen
question were wilder assumptions need to be made.
upvoted 2 times

  Teringzooi 1 year, 3 months ago

Selected Answer: B
Correct Answer: B

Key: "user was able to connect the device in the past".

upvoted 1 times

  Takloy 1 year, 6 months ago

Damn! keep forgetting this one. Answer is B!
upvoted 2 times

  wsscool 1 year, 11 months ago

in exam 7/3/2021
upvoted 4 times

  toniiv 2 years, 3 months ago

Answer B is correct. Nothing has changed, so max devices user quota has reached.
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 642/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 2 times
  waterzhong 2 years, 4 months ago
Manage devices
There are two locations to manage devices in Azure AD:

Azure portal > Azure Active Directory > Devices

Azure portal > Azure Active Directory > Users > Select a user > Devices
upvoted 2 times

  shankatna 2 years, 4 months ago

I believe D is the answer. Reason "user was able to connect the device in the past", probably the setting have changed recently and he is not able
to connect now.
for B to be the answer, question would have been like, the user was able to connected his computer and now trying to connect his mobile etc.
hinting for max number of devices settings
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 643/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #11 Topic 6

HOTSPOT -
You have two Azure App Service app named App1 and App2. Each app has a production deployment slot and a test deployment slot.
The Backup Configuration settings for the production slots are shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

  Mozbius_ Highly Voted  1 year, 1 month ago

NNY

On January 15th you will have 9 backups as 0 day retention is defined as indefinite.

[How many days to keep a backup before automatically deleting it. Set to 0 for indefinite retention.]

https://docs.microsoft.com/en-us/cli/azure/webapp/config/backup?view=azure-cli-latest

The DevOps / Web apps backup in the questions only includes the production slot. One cannot restore a test slot from a production slot backup.

[If a slot is not specified, the API will create a backup for the production slot.]

https://docs.microsoft.com/en-us/rest/api/appservice/web-apps/backup-slot

January 6th backup will still be within the 30 days retention as of January 15th.
upvoted 44 times

  garmatey 1 month, 1 week ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 644/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

great, i love when they use zero and don't mean zero...
upvoted 4 times

  Citmerian 7 months, 2 weeks ago

app1 dont' have a retention configured but option " keep at least one backup" is yes. on 15th have one backup.
Y,N,Y
upvoted 6 times

  Benzitho 1 month ago

Well sported ...Well done ..I totally missed it .
upvoted 1 times

  MrJJ10 5 months, 1 week ago

Question States, "Will have ONLY ONE backup in storage" because retention is set to "0" for indefinite, you will have more than ONLY ONE
upvoted 1 times

  tyohaina 7 months, 1 week ago

That's 'at least'. Not 'at most'
upvoted 2 times

  bluefoot Highly Voted  1 year, 1 month ago

NNY
1. https://docs.microsoft.com/en-us/cli/azure/webapp/config/backup?view=azure-cli-latest
--retention
How many days to keep a backup before automatically deleting it. Set to 0 for indefinite retention.
2. didn't mention test slot backup at all
3. https://docs.microsoft.com/en-us/rest/api/appservice/web-apps/restore-slot
we can restore a specific backup to another app (or deployment slot, if specified).
upvoted 22 times

  DanishHassan 9 months, 1 week ago

It is mentioned in a Question:
Each app has a production deployment slot and a test deployment slot.
upvoted 1 times

  DanishHassan 9 months, 1 week ago

However, The Backup Configuration settings is provided for the production slots so answer is NO.
upvoted 5 times

  xRiot007 Most Recent  1 week ago

N - 0 means indefinite days, not zero days.
N - test slots are not backed up
N - test slots are not backed up.
upvoted 2 times

  xRiot007 1 week ago

Correction. Last Box is Yes : you can restore a production backup to the test slot.
upvoted 2 times

  Reddy9874 2 months ago

For custom backups, the retention period can be "0-30 days or indefinite" (selecting 0 doesn't mean indefinite)

https://learn.microsoft.com/en-us/azure/app-service/manage-backup?tabs=portal

Answer is YNY
upvoted 2 times

  xRiot007 1 week, 4 days ago

"selecting 0 doesn't mean indefinite" - it actually does. "--retention
How many days to keep a backup before automatically deleting it. Set to 0 for indefinite retention." https://learn.microsoft.com/en-
us/cli/azure/webapp/config/backup?view=azure-cli-latest&viewFallbackFrom=azure-cli-latest--retention
upvoted 1 times

  macrawat 2 months, 2 weeks ago

Actually, the question is vague, the tier of the app service is not provided.
For Basic tier, only the production slot can be backed up and restored.
source :
https://learn.microsoft.com/en-us/azure/app-service/manage-backup?tabs=portal
upvoted 1 times

  zellck 4 months ago

NNY is the answer.

https://learn.microsoft.com/en-us/cli/azure/webapp/config/backup?view=azure-cli-latest#az-webapp-config-backup-update-optional-parameters
--retention
How many days to keep a backup before automatically deleting it. Set to 0 for indefinite retention.
upvoted 4 times
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 645/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  kameltz 5 months, 1 week ago

NNY
N, --retention (How many days to keep a backup before automatically deleting it. Set to 0 for indefinite retention.)
upvoted 1 times

  Vitu 5 months, 4 weeks ago

I think tha one backup of production and nothing for test. My answer is YNY
upvoted 2 times

  MyZ 6 months, 2 weeks ago

You cannot backup and restore test slot

Backup and restore are supported in Basic, Standard, Premium, and Isolated tiers. For Basic tier, only the production slot can be backed up and
restored.

https://learn.microsoft.com/en-us/azure/app-service/manage-backup?tabs=portal
upvoted 1 times

  shoutiv 7 months ago

NNY

N - If you go to Azure Portal -> App Service -> Backups then Set Schedule -> Retention you have information "Keep your backup files for up to 30
days, or enter 0 to keep them indefinitely", so there will be 9 backups
N - Test slot doesnt have any backups configured
Y - From Azure Portal -> Backups -> Select backup and click 'Restore' -> You have "Choose destination" where you can choose App Service and
Deployment slot (new or existing)
upvoted 11 times

  Babushka 7 months, 2 weeks ago

No
Yes "Each app has a production deployment slot and a test deployment slot."
Yes
upvoted 2 times

  xRiot007 1 week ago

Probably there variants of these questions where only one of the slots appear or both, in which case the asnwers would look differently for each
of the variants.
upvoted 1 times

  Babushka 7 months ago

After looking at the question again. Thinking it's actually N N Y as mentioned above only production slots shown so not entirely sure what the
test slots are configured like.
upvoted 2 times

  Nzudin 3 months, 3 weeks ago

yes you are correct
upvoted 1 times

  klexams 7 months, 2 weeks ago

N - app1's retention is indefinite. so "only 1" is a bit under estimate :-).
N - no backup for test slot, only prod slot.
Y - can restore to a specific slot, OR restore to prod then swap to test slot.
upvoted 3 times

  rocroberto 7 months, 3 weeks ago

or is it the opposite retention days = 0 means keep everything ?
upvoted 2 times

  shoutiv 7 months ago

In Azure Portal it says "Keep your backup files for up to 30 days, or enter 0 to keep them indefinitely"
upvoted 1 times

  rocroberto 7 months, 3 weeks ago

Retention days 0 means that daily backup are not kept except, as there is the condition of retaining at least one backup ===>>> only 1 back up
available
upvoted 1 times

  JayLearn2022 3 months, 3 weeks ago

Your Wrong! A setting of 0 means indefinite storage.
In Azure Portal it says "Keep your backup files for up to 30 days, or enter 0 to keep them indefinitely"

Excerpt from the following Link:

--retention
How many days to keep a backup before automatically deleting it. Set to 0 for indefinite retention.

https://learn.microsoft.com/en-us/cli/azure/webapp/config/backup?view=azure-cli-latest#az-webapp-config-backup-update-optional-
parameters%20--retention
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 646/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 1 times
  pmsiva 8 months, 1 week ago
No - On January 15, 2021, App1 will have only one backup in storage
On January 15th you will have 9 backups as 0 day retention is defined as indefinite.
Retention: Set to 0 for indefinite retention.

No - On Febraury 6, 2021, you can access the backup of the App2 test slot from January 15, 2021
Backup in the questions only includes the production slot. So no backup policy for test slots.

Yes - On January 15, 2021, you can restore the App2 production slot backup from January 6 to the App2 test slot
You can restore the production backup to any slot or new deployment slot
https://learn.microsoft.com/en-us/azure/app-service/manage-backup?tabs=portal
upvoted 5 times

  awssecuritynewbie 8 months, 2 weeks ago

I am a bit confused if someone can help me out i would appreciate it.
So the "backup retention" set to 0 means it is retained indefinite?
upvoted 1 times

  charf94 8 months, 3 weeks ago

YNY
- "keep at least 1 backup" If on january 15th you don't have any backup why is schedule the backup? For me the first box is Yes, don't have at least
one back up in storage has no sense for me.
upvoted 4 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 647/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #12 Topic 6

HOTSPOT -
You have an Azure subscription that contains an Azure Active Directory (Azure AD) tenant named contoso.com. The tenant is synced to the on-
premises Active
Directory domain. The domain contains the users shown in the following table.

You enable self-service password reset (SSPR) for all users and configure SSPR to have the following authentication methods:
✑ Number of methods required to reset: 2
✑ Methods available to users: Mobile phone, Security questions
✑ Number of questions required to register: 3
✑ Number of questions required to reset: 3
You select the following security questions:
✑ What is your favorite food?
✑ In what city was your first job?
✑ What was the name of your first pet?
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

Box 1: No -
Administrator accounts are special accounts with elevated permissions. To secure them, the following restrictions apply to changing
passwords of administrators:
On-premises enterprise administrators or domain administrators cannot reset their password through Self-service password reset (SSPR). They
can only change their password in their on-premises environment. Thus, we recommend not syncing on-prem AD admin accounts to Azure AD.
An administrator cannot use secret
Questions & Answers as a method to reset password.

Box 2: Yes -
Self-service password reset (SSPR) is an Azure Active Directory feature that enables employees to reset their passwords without needing to

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 648/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

contact IT staff.

Box 3: Yes -
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-sspr-deployment

  Mozbius_ Highly Voted  1 year, 1 month ago

By default, administrator accounts are enabled for self-service password reset, and a strong default two-gate password reset policy is enforced. This
policy may be different from the one you have defined for your users, and this policy can't be changed. You should always test password reset
functionality as a user without any Azure administrator roles assigned.

With a two-gate policy, administrators don't have the ability to use security questions.

The two-gate policy requires two pieces of authentication data, such as an email address, authenticator app, or a phone number.

https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-policy#administrator-password-policy-differences

Therefore I would say N N Y as SecAdmin1 and BillAdmin1 are both administrators.

NOTE: I have tried to test in lab but was unsuccessful (somehow SSPR isn't even recognized as being enabled, hell one of the user is taking forever
to show an updated assigned role).
upvoted 45 times

  Citmerian 7 months, 3 weeks ago

Answer: NO, NO, YES
https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-policy
By default, administrator accounts are enabled for self-service password reset, and a strong default two-gate password reset policy is enforced.
This policy may be different from the one you have defined for your users, and this policy can't be changed. You should always test password
reset functionality as a user without any Azure administrator roles assigned.

With a two-gate policy, administrators don't have the ability to use security questions.

The two-gate policy requires two pieces of authentication data, such as an email address, authenticator app, or a phone number.
upvoted 12 times

  AzureMasterChamp 3 months, 1 week ago

https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-policy
upvoted 1 times

  Mtijnz0r 1 year, 1 month ago

SSPR for Administrators isn't enabled on the tenant. SSPR for Administrators (SSPR-A) was the first implementation of SSPR. After SSPR for
Users (SSPR-U) was introduced, users could have two separate configurations.

The old SSPR-A implementation is used when an Azure AD account has an admin role, such as Global Administrator or Billing Administrator.
However, the SSPR management on the Azure portal is for SSPR-U only. Therefore, SSPR-A might not be enabled on the tenant.

https://docs.microsoft.com/en-us/troubleshoot/azure/active-directory/password-writeback-error-code-sspr-009
upvoted 4 times

  awssecuritynewbie Highly Voted  8 months, 2 weeks ago

So after some research it does look like "Security questions aren't used as an authentication method during a sign-in event. Instead, security
questions can be used during the self-service password reset (SSPR) process to confirm who you are. Administrator accounts can't use security
questions as verification method with SSPR."
so it means the administrator cannot use security questions as verification method for SSPR. so it would be N N Y . check the link the first line of
the link. PLEASE LIKE THIS COMMENT

Ref https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-security-questions
upvoted 32 times

  DonVish 6 months ago

So it SSPR is not used for any kind of administrator ? Global , Local ..etc. ?
upvoted 1 times

  Lexxsuse 5 months, 3 weeks ago

Admins CAN use SSPR. But they can not use security questions to reset passwords.
upvoted 2 times

  kmsalman Most Recent  1 month, 2 weeks ago

Number of security questions required to reset password is 3. My opinion is that user can also not self reset the password by answering just one
question. So the Answer should be N, N, N
upvoted 2 times

  zellck 4 months ago

NNY is the answer.

https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-policy#administrator-reset-policy-differences
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 649/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

With a two-gate policy, administrators don't have the ability to use security questions.

All the following Azure administrator roles are affected:

- Billing administrator
- Security administrator
upvoted 5 times
  RougePotatoe 4 months ago
N
N
Y

"Administrator accounts can't use security questions as verification method with SSPR."
https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-security-questions
upvoted 3 times

  LauLauLauw 4 months, 2 weeks ago

NNY

https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-policy#administrator-reset-policy-differences
This link shows the list of administrators that arre not able to use security questions.
upvoted 2 times

  azhunter 5 months, 1 week ago

Answer is NNY
upvoted 1 times

  omerco61 5 months, 4 weeks ago

NNY
"Administrator accounts can't use security questions as verification method with SSPR."
Quote from microsoft
Link:

https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-security-questions
upvoted 1 times

  compldc72 7 months, 1 week ago

Agree with N N Y
upvoted 2 times

  klexams 7 months, 2 weeks ago

NNY
All the following Azure administrator roles are affected:
Application administrator
Application proxy service administrator
Authentication administrator
Azure AD Joined Device Local Administrator
Billing administrator
Compliance administrator
Device administrators
Directory synchronization accounts
Directory writers
Dynamics 365 administrator
Exchange administrator
Global administrator or company administrator
Helpdesk administrator
Intune administrator
Mailbox Administrator
Partner Tier1 Support
Partner Tier2 Support
Password administrator
Power BI service administrator
Privileged Authentication administrator
Privileged role administrator
Security administrator
Service support administrator
SharePoint administrator
Skype for Business administrator
User administrator
upvoted 10 times

  aye_kyaw 7 months, 3 weeks ago

NNY
With a two-gate policy, administrators don't have the ability to use security questions.
The two-gate policy requires two pieces of authentication data, such as an email address, authenticator app, or a phone number
https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-policy#administrator-reset-policy-differences
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 650/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 1 times
  adrianspa 8 months ago
YYN, check https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-policy
upvoted 2 times

  majerly 8 months, 2 weeks ago

NNY, With a two-gate policy, administrators don't have the ability to use security questions.
Billing administrator and security administrator, don´t have ability to use security questions, view ling for mozbius
upvoted 1 times

  Stanly_Az 9 months ago

9/16/2022
upvoted 3 times

  dominko 1 year, 1 month ago

I agree, N-N-Y

By default, administrator accounts are enabled for self-service password reset, and a "strong default two-gate password reset policy is enforced. [...]
With a two-gate policy, administrators don't have the ability to use security questions.
The two-gate policy requires two pieces of authentication data, such as an email address, authenticator app, or a phone number. A two-gate policy
applies in the following circumstances:

All the following Azure administrator roles are affected:

[...]
Billing administrator
[...]
Security administrator
[...]

https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-policy
upvoted 6 times

  Ewong 1 year, 1 month ago

NO
NO
YES

Administrator reset policy differences

https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-policy#administrator-password-policy-differences
upvoted 4 times

  northstar88 9 months, 2 weeks ago

Agree. In the link provided, it's stated that "With a two-gate policy, administrators don't have the ability to use security questions.".
Below that is a list of affected administrator roles, which includes Billing Administrator and Security Administrator
upvoted 1 times

  ert13 1 year, 1 month ago

I think Y-Y-Y. It says all users in the question. Security admin is a user too and the question is in the list.
upvoted 5 times

  ert13 1 year, 1 month ago

And Admins can reset their password too. (Set Notify all admins when other admins reset their password? to Yes.)
https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-sspr
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 651/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #13 Topic 6

User1 creates a new Azure Active Directory tenant named external.contoso.onmicrosoft.com.

You need to create new user accounts in external.contoso.onmicrosoft.com.
Solution: You instruct User1 to create the user accounts.
Does that meet the goal?

A. Yes

B. No

Correct Answer: A
Only a global administrator can add users to this tenant.
Reference:
https://docs.microsoft.com/en-us/azure/devops/organizations/accounts/add-users-to-azure-ad

Community vote distribution

A (84%) B (16%)

  awssecuritynewbie Highly Voted  8 months, 2 weeks ago

Selected Answer: A
ARE YOU GUYS HIGH?? IT SAYS
User1 creates a new Azure Active Directory tenant named external.contoso.onmicrosoft.com."

SO IF USER 1 has created the new tenant then obv it can create users within it as well and it is GA.
upvoted 76 times

  Durden871 3 months ago

It's crazy that so many people voted no and it's honestly kind of depressing. I know these exam dumps are broken so the comments are super
helpful. With that said, seeing 29 people vote "no" means it's hard to know who to trust, which I guess is good because I sometimes go back
and test for myself. You can create a whole new directory, but you can't edit its contents? Wut.
upvoted 4 times

  Dat_doge 3 months, 2 weeks ago

I usually don't get high like one month before an exam.
upvoted 6 times

  RougePotatoe 4 months ago

Man that was a chuckle
upvoted 2 times

  Kem81 8 months, 2 weeks ago

I was literally thinking the same thing. User1 has created the new tenant so he is also the owner of that tenant. User1 can do anything in the
new tenant.
upvoted 4 times

  ltkiller Highly Voted  1 year ago

Selected Answer: B
B:No, when you create a new tenant, the creator is the only global admin and owner, he must first give access to others to allow anything.
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-access-create-new-tenant#your-user-account-in-the-new-
tenant
upvoted 14 times

  LiamAzure 7 months, 2 weeks ago

Yes, but User 1 created the Tenant..
upvoted 15 times
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 652/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  Manual_Override 6 months, 2 weeks ago

Damn I didn't notice that detail....
upvoted 3 times

  shadad 3 months, 1 week ago

Its OK. there are many version of this Q here and the exam on my case was showing the right input on the Question which is the user1. i
wont blame you.
upvoted 1 times

  Lexxsuse 5 months, 3 weeks ago

There's a different flavor of this question, where it's being asked whether User2-3-4 can create new users in the new tenant
upvoted 3 times

  Citmerian 7 months, 3 weeks ago

User1 create a New Tenant. When you create a new Azure AD tenant, you become the first user of that tenant ad the Owner. As the first user,
you're automatically assigned the Global Admin role.
ANSWER: Yes
upvoted 12 times

  klexams 7 months, 3 weeks ago

your explanation means the answer is A. User1 is the tenant creator who is then the global admin and owner. So User1 can create user accounts.
upvoted 3 times

  Magis 8 months, 2 weeks ago

So why Solution: You instruct User1 to create the user accounts if User1 is mentioned tenant creator ?
upvoted 2 times

  klexams 7 months, 2 weeks ago

the same reason why we have to sit this exam at all.
upvoted 5 times

  Angurajesh Most Recent  2 days, 1 hour ago

Selected Answer: A
In the given scenario, User1, who is a Global Administrator, creates a new Azure Active Directory tenant named external.contoso.onmicrosoft.com.
As a Global Administrator, User1 has the necessary permissions to create new user accounts in the Azure AD tenant.

Therefore, instructing User1 to create the user accounts in the new external.contoso.onmicrosoft.com tenant is a valid and appropriate solution.
User1 has the required privileges and can perform the necessary administrative actions to create new user accounts within the newly created Azure
AD tenant.
upvoted 1 times

  Angurajesh 2 days, 1 hour ago

In the given scenario, User1, who is a Global Administrator, creates a new Azure Active Directory tenant named external.contoso.onmicrosoft.com.
As a Global Administrator, User1 has the necessary permissions to create new user accounts in the Azure AD tenant.

  xRiot007 1 week, 4 days ago

Answer is A, User 1 is the OWNER of the tenant.
upvoted 1 times

  Naebun 2 weeks, 2 days ago

Selected Answer: A
Think this is the first time i've seen a Yes to this question, all the others were no.
upvoted 1 times

  SIAMIANJI 1 month, 1 week ago

Selected Answer: A
A is correct.
upvoted 1 times

  sofunny 2 months ago

Selected Answer: A
Chosen Answer is A
upvoted 1 times

  Rams_84zO6n 2 months, 2 weeks ago

Selected Answer: A
It is A not because User1 is GA but because User1 is owner of the account (implicitly granted because User1 created the AD tenant). As a owner,
User1 can create user accounts.
upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 653/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  Charithcool 2 months, 2 weeks ago

Selected Answer: A
Let's get votes up for Answer A. The only answer possible without a question.
upvoted 1 times

  madao322 3 months ago

Selected Answer: A
The one who created the AD will always be the domain admin(owner). It shows so many ppl dont really know the fundation of Windows
server/Domain system.
upvoted 2 times

  Gzt 3 months, 1 week ago

Selected Answer: A
If a non-administrative user of organization 'Contoso' creates a test organization 'Test,' then:
By default, the user who creates a organization is added as an external user in that new organization, and assigned the global administrator role in
that organization.
The administrators of organization 'Contoso' have no direct administrative privileges to organization 'Test,' unless an administrator of 'Test'
specifically grants them these privileges. However, administrators of 'Contoso' can control access to organization 'Test' if they sign in to the user
account that created 'Test.'
If you add or remove an Azure AD role for a user in one organization, the change does not affect the roles that the user is assigned in any other
Azure AD organization.
https://learn.microsoft.com/en-us/azure/active-directory/enterprise-users/licensing-directory-independence#administrative-independence
upvoted 2 times

  shadad 3 months, 1 week ago

I took Exam of Azure- 104 at 27/2/2023
I score 920 points out of 1000 points. This was on it and my answer was: A

User1 create a New Tenant. When you create a new Azure AD tenant, you become the first user of that tenant ad the Owner.

there are many version of this Q . User2 , User 3 and User 4 all are wrong. only user 1 as he is the creator of this Tenant.
upvoted 2 times

  AK4U 3 months, 1 week ago

NO ONE CAN CREATE A TENANT external.contoso.onmicrosoft.com
there's no tenant inside of another tenant.
upvoted 1 times

  curtmcgirt 3 months, 3 weeks ago

Selected Answer: A
will this let me vote twice? A
upvoted 2 times

  herodes 3 months, 3 weeks ago

Selected Answer: A
Its A) Yes
Its related to questions from beginning of dumps where it asks for U2, U3 and U4 all with answer NO
upvoted 4 times

  curtmcgirt 3 months, 3 weeks ago

Selected Answer: A
user1 created the tenant, user1 can do whatever in that tenant.
upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 654/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #14 Topic 6

You have an existing Azure subscription that contains 10 virtual machines.

You need to monitor the latency between your on-premises network and the virtual machines.
What should you use?

A. Service Map

B. Connection troubleshoot

C. Network Performance Monitor

D. Effective routes

Correct Answer: C
Network Performance Monitor is a cloud-based hybrid network monitoring solution that helps you monitor network performance between
various points in your network infrastructure. It also helps you monitor network connectivity to service and application endpoints and monitor
the performance of Azure ExpressRoute.
You can monitor network connectivity across cloud deployments and on-premises locations, multiple data centers, and branch offices and
mission-critical multitier applications or microservices. With Performance Monitor, you can detect network issues before users complain.
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/insights/network-performance-monitor

Community vote distribution

C (100%)

  NickyDee Highly Voted  2 years, 5 months ago

Network Watcher - a Suite of tools offering but not limited to the following
* Connection Monitor - latency and network issues with IaaS devices over a PERIOD OF TIME
* Connection troubleshoot - latency and network issues with IaaS devices ONE-TIME
* IP Flow - latency and network issues at the VM LEVEL
* Network Performance Monitor - latency and network issues in hybrid, ON-PREM, across environments
upvoted 160 times

  jimmyli 2 years, 2 months ago

great summary, thank you!
upvoted 4 times

  magichappens 1 year, 2 months ago

Should be updated to "Connection Monitor" as Network Performance Monitor is deprecated.
upvoted 7 times

  kennynelcon 1 year, 1 month ago

Connection Monitor in Azure Network Watcher true
upvoted 2 times

  mlantonis Highly Voted  2 years ago

Correct Answer: C

Network Watcher is a Suite of tools offering but not limited to the following:
- Connection Monitor - latency and network issues with IaaS devices over a PERIOD OF TIME
- Connection troubleshoot - latency and network issues with IaaS devices ONE-TIME
- IP Flow - latency and network issues at the VM LEVEL
- Network Performance Monitor - latency and network issues in hybrid, ON-PREM, across environments.

Reference:

https://docs.microsoft.com/en-us/azure/azure-monitor/insights/network-performance-monitor

https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview
upvoted 70 times

  Madbo Most Recent  2 months ago

C. Network Performance Monitor is the correct option in this scenario. It provides monitoring and diagnostics tools to help you optimize the
performance and availability of your network infrastructure. It can be used to monitor the network connectivity and latency between your on-
premises network and Azure resources, including virtual machines. Service Map provides a visual representation of your application and server
dependencies, Connection troubleshoot is used for identifying and resolving connection issues, and Effective routes is used to verify the effective
routes of a virtual machine's network interface.
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 655/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  zellck 4 months ago

Selected Answer: C
C is the answer.

https://learn.microsoft.com/en-us/azure/azure-monitor/insights/network-performance-monitor
Network Performance Monitor is a cloud-based hybrid network monitoring solution that helps you monitor network performance between various
points in your network infrastructure. It also helps you monitor network connectivity to service and application endpoints and monitor the
performance of Azure ExpressRoute.
upvoted 2 times

  klexams 7 months, 2 weeks ago

Selected Answer: C
monitoring latency between on-prem and vms - NPM is your friend. But NPM has retired.
upvoted 1 times

  EmnCours 9 months, 2 weeks ago

Selected Answer: C
Network Watcher - a Suite of tools offering but not limited to the following
* Connection Monitor - latency and network issues with IaaS devices over a PERIOD OF TIME
* Connection troubleshoot - latency and network issues with IaaS devices ONE-TIME
* IP Flow - latency and network issues at the VM LEVEL
* Network Performance Monitor - latency and network issues in hybrid, ON-PREM, across environments
upvoted 1 times

  Lazylinux 11 months, 4 weeks ago

Selected Answer: C
Network Performance Monitor is correct however it is been replaced with Connection Monitor which is part of Network watcher tool set
upvoted 2 times

  dasEnder 1 year, 1 month ago

Selected Answer: C
Correct. See comments of magichappens about the deprecated name
upvoted 1 times

  josevirtual 1 year, 3 months ago

Selected Answer: C
Network Performance Monitor is correct
upvoted 1 times

  Adebowale 1 year, 10 months ago

@NickyDee Thank you for the Summary
upvoted 1 times

  CloudyTech 1 year, 11 months ago

Network Performance Monitor is correct
upvoted 1 times

  ZUMY 2 years, 3 months ago

C is okay
upvoted 4 times

  toniiv 2 years, 3 months ago

Answer is correct. Network Performance Monitor is the tool: https://docs.microsoft.com/fr-fr/azure/network-watcher/migrate-to-connection-
monitor-from-network-performance-monitor
upvoted 3 times

  waterzhong 2 years, 4 months ago

Configure the solution
Add the Network Performance Monitor solution to your workspace from the Azure marketplace. You also can use the process described in Add
Azure Monitor solutions from the Solutions Gallery.

Open your Log Analytics workspace, and select the Overview tile.

Select the Network Performance Monitor tile with the message Solution requires additional configuration.
upvoted 2 times

  tinyflame 2 years, 5 months ago

Network monitoring is out of scope for the exam, is this still a question?
upvoted 2 times

  DodgyD 2 years, 4 months ago

I believe network monitoring is included in exam per the exam guide.
upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 656/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  balflearchen 2 years, 4 months ago

Ha ha, funny, if this happened in your exam session, can you ignore it and say it should not be in my exam?
upvoted 3 times

  fedztedz 2 years, 5 months ago

Answer is correct. "C" Network Performance Network
upvoted 6 times

  NickyDee 2 years, 5 months ago

Connection Troubleshoot from Network Watcher can monitor latency. you can test all 10 VMs from one place in Azure, and its minimal effort.
upvoted 1 times

  balflearchen 2 years, 4 months ago

In question, you need to monitor the latency between your "ON-PREMISES" network and the virtual machines. So connection troubleshooting is
wrong.
upvoted 3 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 657/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #15 Topic 6

HOTSPOT -
You have an Azure App Service plan named ASP1.
CPU usage for ASP1 is shown in the following exhibit.

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
NOTE: Each correct selection is worth one point.
Hot Area:

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 658/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Correct Answer:

Box 1: four times -

From the exhibit we see that the time granularity is 6 hours: Last 30 days (Automatic - 6 hours).
CPU Percentage Last days Automatic - hours

Box 2: scaled up -
Scale up when:
* You see that your workloads are hitting some performance limit such as CPU or I/O limits.
* You need to quickly react to fix performance issues that can't be solved with classic database optimization.
* You need a solution that allows you to change service tiers to adapt to changing latency requirements.
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/metrics-troubleshoot https://azure.microsoft.com/en-us/overview/scaling-
out-vs-scaling-up

  awssecuritynewbie Highly Voted  8 months ago

so to just explain a bit better hopefully :)

look at the top right you can see it is auto updated every 6 hours so within 24hours it is checked 4 times (4*6=24h) .
It would need to scale up to have a bigger CPU to support the load that is getting as it is currently 100%
upvoted 40 times

  DeBoer 4 months, 1 week ago

Agree with the first answer, disgress on the second. Scaling up will incur the new, higher, cost at all times. You can alsow get more power into
the app by scaling OUT; if you automate with autoscaling you can get the costs much lower. The AVERAGE usage is pretty low - so this app
should scale out/in pretty well https://learn.microsoft.com/en-us/azure/architecture/best-practices/auto-scaling
upvoted 5 times

  Mohaamed Highly Voted  6 months, 1 week ago

Answer is correct

Box 1 : look at the top right of the picture it says 6 hours so 24hours/6hours = 4 times
box2: this is app plan and VM so you scale up only
upvoted 9 times

  Rams_84zO6n Most Recent  2 months, 2 weeks ago

Four times, scaled up -
First observation - 30 days - 30 peaks (roughly) in average graph. So focus on a single day - how max cpu graph can be averaged over a time
window to get the average graph. A 1 hr window would vary rapidly, a 24 hour window would be smooth as silk - a 6 hr window would give the
current smoothness of the average graph - so average CPU calculated 4 times per day.
From max graph, it looks like the web app is going through CPU deprivation so a scale up would definitely help alleviate the current issues with
performance.
Honestly - a 6 hour moving window for average graph would be calculated much more than 4 times a day, but it is the best answer from given
data.
upvoted 2 times

  ChakaZilly 3 months, 1 week ago

The second box, I would say: scale down: Avg CPU is only 4% (occasional spikes of 100% don' t matter that much).
upvoted 4 times

  Gzt 3 months, 1 week ago

Agree. Especially who works with SCOM is understanding it ;)

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 659/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 1 times
  jp_mcgee 6 months, 3 weeks ago
Box2 should be Scaled Out.

The average CPU is <10%, and we see occasional and continuous spikes over 70%. This says that most of the time the hardware is barely used
(<10%), and we need to autoscale when there is a heavy load (>70%). Scaling up to a new SKU (scaling vertically) has a limit and is kind of old
school and a waste of money during inactivity (<10%). Azure gives us the ability to scale out to more infrastructure when needed and scale in when
the infrastructure is not in demand.
upvoted 2 times

  djgodzilla 3 months, 1 week ago

the problem with scaling out is out is that everything is doubled not just CPU ( RAM, bandwidth , network..). So you burn money on either
(up/out)
upvoted 1 times

  JimmyYop 4 months ago

If you scale out, you are increasing the instance count by using Custom OR Manual autoscaling. With the Scale up, you are changing the App
Tier to a higher tier with more processing power 'awssecuritynewbie' answer is correct.
upvoted 1 times

  Lexxsuse 5 months, 3 weeks ago

I would agree that scaling out seems a better idea, since the instance is already underutilized most of the time.
upvoted 1 times

  mung 6 months, 3 weeks ago

Scale out = Add more CPU to the VM
Scale up = Reduce CPU from the VM

Your explanation is correct though.

upvoted 1 times

  PCG1 6 months, 2 weeks ago

No.
"You scale up by changing the pricing tier of the App Service plan that your app belongs to.
Scale out: Increase the number of VM instances that run your app."
upvoted 3 times

  jp_mcgee 6 months, 2 weeks ago

Scale-up by changing the pricing tier is manual unless you build something to scale-up and hopefully scale-down.

Scale-up means your employer/customer is paying for worst-case scenario all of the time.....OUCH!!! This works, technically, but is a waste
of money and resources.

Scale-out with auto-scaling means your employer/customer only pays for the additional CPU when it's needed.

https://techcommunity.microsoft.com/t5/apps-on-azure-blog/azure-app-service-automatic-scaling/ba-p/2983300
upvoted 3 times

  xRiot007 1 week, 4 days ago

You need to optimize CPU usage, not cost, so a scale up will solve your spike problems. Depending on the business requirements, your
client might be willing to pay for the "worst-case" scenario all the time, if that scenario happens 100 times a day and the app needs to
always perform well.
upvoted 1 times

  jp_mcgee 6 months, 2 weeks ago

Read the auto-scaling section here for why vertical/scale-up is a bad idea for this scenario: https://azure.microsoft.com/en-
us/resources/cloud-computing-dictionary/scaling-out-vs-scaling-up/#autoscaling
upvoted 1 times

  chikorita 4 months ago

funniest answer i've ever seen
upvoted 3 times

  klexams 7 months, 2 weeks ago

- the chart shows 6 hrs interval. so 24/6 = 4 times.
- for CPU you need to scale UP.
upvoted 3 times

  todorov 9 months, 1 week ago

The average CPU is only around 4%
upvoted 3 times

  EmnCours 9 months, 1 week ago

Answer is correct.
upvoted 4 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 660/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  DeltaSM 9 months, 2 weeks ago

Based on graphics I would answer:
- 4 times
- scaled out (scale up / down is for App Plans)
upvoted 3 times

  humnahibataynge 9 months, 2 weeks ago

"You have an Azure App Service plan named ASP1."

This is App service plan only so it should be scale up.

upvoted 4 times

  Magis 8 months, 2 weeks ago

Nope. App services plans support both options - Scale UP and Scale Out. Scale up will give you more powerful single instance and Scale Out
will distribute your load on multiple instances of the same size.
https://learn.microsoft.com/en-us/azure/app-service/manage-scale-up
upvoted 3 times

  F117A_Stealth 9 months, 2 weeks ago

Answer is correct.

24hrs/6hrs = 4 times...
upvoted 4 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 661/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #16 Topic 6

DRAG DROP -
You have an Azure Linux virtual machine that is protected by Azure Backup.
One week ago, two files were deleted from the virtual machine.
You need to restore the deleted files to an on-premises Windows Server 2016 computer as quickly as possible.
Which four actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and
arrange them in the correct order.
Select and Place:

Correct Answer:

Step 1: From the Azure portal, click File Recovery from the vault
Step 2. Select a restore point that contains the deleted files
Step 3: Download and run the script to mount a drive on the local computer
Generate and download script to browse and recover files:
Step 4: Copy the files using File Explorer!
After the disks are attached, use Windows File Explorer to browse the new volumes and files. The restore files functionality provides access to

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 662/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

all files in a recovery point. Manage the files via File Explorer as you would for normal files.
Step 1-3 below:
To restore files or folders from the recovery point, go to the virtual machine and perform the following steps:
1. Sign in to the Azure portal and in the left pane, select Virtual machines. From the list of virtual machines, select the virtual machine to open
that virtual machine's dashboard.
2. In the virtual machine's menu, select Backup to open the Backup dashboard.
3. In the Backup dashboard menu, select File Recovery.

The File Recovery menu opens.

4. From the Select recovery point drop-down menu, select the recovery point that holds the files you want. By default, the latest recovery point is
already selected.
5. Select Download Executable (for Windows Azure VMs) or Download Script (for Linux Azure VMs, a python script is generated) to download
the software used to copy files from the recovery point.
Running the script and identifying volumes:
For Linux machines, a python script is generated. Download the script and copy it to the relevant/compatible Linux server.
Reference:
https://docs.microsoft.com/en-us/azure/backup/backup-azure-restore-files-from-vm https://docs.microsoft.com/en-us/azure/backup/backup-
azure-vms-automation#restore-files-from-an-azure-vm-backup

  biglebowski Highly Voted  1 year, 11 months ago

Restore of Linux VM can be only performed on compatiblie Linux client.
In my opinion correct order is:
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 663/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Step 1: From the Azure portal, click File Recovery from the vault
Step 2. Select a restore point that contains the deleted files
Step 3: Download and run the script to mount a drive on the local computer (LINUX!!!)
Step 4. Copy the files by using AZCopy (yes, to blob storage and next to Windows 2016)
upvoted 56 times

  bur88 1 year, 3 months ago

we should restore As soon as possible. File explorer will be faster than AZCopy to blob storage and next to Windows 2016.
I would select Step 1: From the Azure portal, click File Recovery from the vault
Step 2. Select a restore point that contains the deleted files
Step 3: Download and run the script to mount a drive on the local computer (Windows scripts can be created aswell)
Step 4. Copy the files by using File explorer
upvoted 25 times

  Lexxsuse 5 months, 3 weeks ago

It's only there's no File Explorer on Linux. And since we are required to restore Linux backup we seem to do that on Linux machine only.
So I believe we should go with some console option. Like AZCopy.
upvoted 5 times

  Magis 8 months, 2 weeks ago

Agree with bur88 and magichappens. Completed this procedure multiple times in practice and you can use File Explore for sure.
upvoted 6 times

  magichappens 1 year, 2 months ago

It's an on-premise Windows Server. AzCopy will take way to long. Assuming that I have access to the server anyhow I can just copy files using
File Explorer.
upvoted 9 times

  onincasimiro Highly Voted  1 year, 11 months ago

Watch out for below context:

"You need to restore the deleted files to an on-premises Windows Server 2016 computer"
Answer would be: Copy the files by using File Explorer.

"You need to restore the deleted files to an on-premises computer"

Answer would be: Copy the files by using AZ Copy.
upvoted 31 times

  djgodzilla Most Recent  3 months, 1 week ago

Correct Answer . see link
https://learn.microsoft.com/en-us/azure/backup/backup-azure-restore-files-from-vm
upvoted 1 times

  SedateBloggs 3 months, 3 weeks ago

Answer is that it can only be run on a linux client. You cant run the downloaded linux script on a windows system. Ive lab'd this and looked at the
python scirpt this would download in this specific example and the python script that downloads refers to os.getuid() and this method is available
only on UNIX platforms. In addtion, the script that downloads states in the script itself "print("This script can be run on a machine with below
operation systems.")
print("Ubuntu 12.04 and above")
print("CentOS 6.5 and above")
print("RHEL 6.7 and above")
print("Debian 7 and above")
print("Oracle Linux 6.4 and above")
print("SLES 12 and above")
print("OpenSUSE 42.2 and above")
upvoted 1 times

  Bigc0ck 5 months, 1 week ago

On the test!
upvoted 6 times

  klexams 7 months, 2 weeks ago

this one is misleading coz "In Linux, the OS of the computer used to restore files must support the file system of the protected virtual machine" so
you cannot restore it to Windows machine.
https://learn.microsoft.com/en-us/azure/backup/backup-azure-restore-files-from-vm#for-linux-os
BUT for the sake of answering:
- click File recovery
- select restore point
- download and run script
- copy files using file explorer
upvoted 2 times

  Herald3883 9 months, 1 week ago

Linux VM to Windows VM restore won't work as this is what the documentation says, In Linux, the OS of the computer used to restore files must
support the file system of the protected virtual machine. Windows doesn't support Linux filesystems natively at least.
upvoted 1 times

  EmnCours 9 months, 2 weeks ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 664/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  Lazylinux 11 months, 4 weeks ago

Given Answer is correct as you are restoring on Windows system

Step 1: From the Azure portal, click File Recovery from the vault
Step 2. Select a restore point that contains the deleted files
Step 3: Download and run the script to mount a drive on the local computer -Windows 2016, when you run it it will download VHD and
automatically mount it then you just need explorer to find the files
Step 4. Copy the files by using Explorer
upvoted 6 times

  justauser 1 year, 2 months ago

Answer is CORRECT

https://docs.microsoft.com/en-us/azure/backup/backup-azure-restore-files-from-vm

Scroll about halfway and see red box highlighting "1 Recovery volumes attached" in screencap, immediately followed by "OPEN EXPLORER TO
BROWSE FOR FILES" - nowhere does it suggest azcopy, even for Linux.
upvoted 3 times

  Dobby25 1 year, 2 months ago

Received this on my exam today 19/03/2022
upvoted 3 times

  DES123 1 year, 3 months ago

The provided answer is correct, as per the link below, azcopy was used on windows and compatible file explorer on Linux in order to copy the
backup.

https://docs.microsoft.com/en-us/azure/backup/backup-azure-restore-files-from-vm
upvoted 1 times

  theorut 1 year, 3 months ago

This is not possible must be a typo - Windows instead of Linux restore.
upvoted 1 times

  rustamsariyev94 1 year, 6 months ago

To restore files or folders from the recovery point, go to the virtual machine and choose the desired recovery point.
Step 0. In the virtual machine’s menu, click Backup to open the Backup dashboard.
Step 1. In the Backup dashboard menu, click File Recovery.
Step 2. From the Select recovery point drop-down menu, select the recovery point that holds the files you want. By default, the latest recovery
point is already selected.
Step 3: To download the software used to copy files from the recovery point, click Download Executable (for Windows Azure VM) or Download
Script (for Linux
Azure VM, a python script is generated).
Step 4: Copy the files by using AzCopy
AzCopy is a command-line utility designed for copying data to/from Microsoft Azure Blob, File, and Table storage, using simple commands
designed for optimal performance. You can copy data between a file system and a storage account, or between storage accounts.
References:
https://docs.microsoft.com/en-us/azure/backup/backup-azure-restore-files-from-vm
https://docs.microsoft.com/en-us/azure/storage/common/storage-use-azcopy
upvoted 7 times

  MrAzureGuru 1 year, 7 months ago

The file provided to download is a Python script - it won't run on Windows?
upvoted 1 times

  theOldOne 1 year, 8 months ago

Seems many people commenting are confused as to the difference between restoring a VM and restoring some files from a backed up VM. In this
instance we are only interested in the files that were stored during the backup. The original OS requirements are handled by Azure and the script.
The OS used for recovery here is a Windows machine. The steps shown are correct
upvoted 4 times

  JirkaM 1 year, 8 months ago

And what about

restore VM (disk)
select restore point
map VHD (to existing linux)
AZcopy (twice)

Nice Microsoft adventure game. But no sense in test without question study.
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 665/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 666/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #17 Topic 6

HOTSPOT -
You purchase a new Azure subscription named Subscription1.
You create a virtual machine named VM1 in Subscription1. VM1 is not protected by Azure Backup.
You need to protect VM1 by using Azure Backup. Backups must be created at 01:00 and stored for 30 days.
What should you do? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

Box 1: A Recovery Services vault

You can set up a Recovery Services vault and configure backup for multiple Azure VMs.

Box 2: A backup policy -

In Choose backup policy, do one of the following:
✑ Leave the default policy. This backs up the VM once a day at the time specified, and retains backups in the vault for 30 days.
✑ Select an existing backup policy if you have one.
✑ Create a new policy, and define the policy settings.
Reference:
https://docs.microsoft.com/en-us/azure/backup/backup-azure-vms-first-look-arm

  mlantonis Highly Voted  2 years ago

Correct Answer:

Box 1: A Recovery Services vault

You can set up a Recovery Services vault and configure backup for multiple Azure VMs.

Box 2: A backup policy

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 667/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Reference:

https://docs.microsoft.com/en-us/azure/backup/backup-azure-vms-first-look-arm
upvoted 108 times

  vinsom 1 month, 2 weeks ago

@mlantonis - are you the ET admin as well? How come the ET suggested answer matches every letter of yours
upvoted 1 times

  Naebun 2 weeks, 2 days ago

Admins sometimes change the answers of incorrect ones, to the top voted ones.
upvoted 1 times

  Katlegobogosi 1 month, 1 week ago

Not all the answer match @mlantonis.
congragulations on your pass yesterday
upvoted 1 times

  denccc Highly Voted  2 years, 1 month ago

Answers are correct
upvoted 10 times

  djgodzilla Most Recent  2 months, 2 weeks ago

Box1: Recovery service vault
Azure Backup uses Recovery Services vaults to orchestrate and manage backups for the following workload types - Azure VMs, SQL in Azure VMs,
SAP HANA in Azure VMs, Azure File shares and on-premises workloads using Azure Backup Agent, Azure Backup Server and System Center DPM

https://learn.microsoft.com/en-us/azure/backup/backup-support-matrix#supported-operations

Azure Recovery Services vaults protects

Azure Virtual machines
SQL in Azure VM/SAP HANA in Azure VM
Azure Files (Azure Storage)
Azure Backup Server (MABS)
Azure Backup Agent DPM
on-premises workloads using Azure Backup Agent
Azure Backup Vault : uses Recovery Services vaults to backup
Azure Database for PostgreSQL servers
Azure Blobs (Azure Storage)
Azure Disks
Kubernetes Service
AVS Virtual machines (via MABS)

https://learn.microsoft.com/en-us/azure/backup/media/backup-vault-overview/datasource-types.png
upvoted 1 times

  mohsanarfandanish 2 months, 3 weeks ago

Cleared Exam 930 was appeared in exam 18/3/2023 ANS most upvoted
upvoted 5 times

  obaali1990 2 months, 3 weeks ago

Congratulations!!!
upvoted 1 times

  zellck 4 months ago

Got this in Feb 2023 exam.
upvoted 5 times

  Bigc0ck 5 months, 1 week ago

Definitly on the test
upvoted 2 times

  destrophy 6 months, 3 weeks ago

took exam today, 24.11.2022 - this question shows up, passed with 900/1000
upvoted 4 times

  klexams 7 months, 2 weeks ago

location: vault
configure: backup policy
upvoted 1 times

  EmnCours 9 months, 2 weeks ago

Given answer is correct
Box 1: A Recovery Services vault
Box 2: A backup policy
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 668/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  Lazylinux 11 months, 4 weeks ago

Given answer is correct
Box 1: A Recovery Services vault
Box 2: A backup policy
upvoted 3 times

  Dobby25 1 year, 2 months ago

Received this on my exam today 19/03/2022
upvoted 3 times

  JimBobSquare101 1 year, 10 months ago

In 30 July 2021
upvoted 3 times

  Devgela 2 years, 1 month ago

Answers are correct to me
upvoted 3 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 669/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #18 Topic 6

You have an Azure virtual machine named VM1.

Azure collects events from VM1.
You are creating an alert rule in Azure Monitor to notify an administrator when an error is logged in the System event log of VM1.
Which target resource should you monitor in the alert rule?

A. virtual machine extension

B. virtual machine

C. metric alert

D. Azure Log Analytics workspace

Correct Answer: D
For the first step to create the new alert tule, under the Create Alert section, you are going to select your Log Analytics workspace as the
resource, since this is a log based alert signal.
Reference:
https://docs.microsoft.com/en-us/windows-server/storage/storage-spaces/configure-azure-monitor

Community vote distribution

D (89%) 11%

  mlantonis Highly Voted  2 years ago

Correct Anser: D

For the first step to create the new alert tule, under the Create Alert section, you are going to select your Log Analytics workspace as the resource,
since this is a log based alert signal.

The log data goes to the analytics workspace and it is from there that the alert is triggered.

Reference:

https://docs.microsoft.com/en-us/windows-server/storage/storage-spaces/configure-azure-monitor
upvoted 68 times

  Hims001 3 months, 1 week ago

Where have you selected the source(VM) in the process?
upvoted 1 times

  ppolychron 4 weeks, 1 day ago

First you enable the Azure Monitor Agent (Not the Log Analytics agent since it will be deprecated by August 2024) for the VM you want
(VM->Monitoring->Logs).

Then Create Data collection rule:

-Data sources : Select the Windows Event Logs you want. Destination, the log analytics workspace you want
-Resources: Select resource types, Virtual Machines
upvoted 1 times

  fedztedz Highly Voted  2 years, 4 months ago

Answer is correct D
upvoted 39 times

  Madbo Most Recent  2 months ago

B. Virtual machine.

Since the goal is to monitor the System event log of VM1, the target resource that should be monitored in the alert rule is the virtual machine itself
(option B). This will enable Azure Monitor to continuously monitor the event logs on the virtual machine and trigger the alert rule when an error is
detected. Option A (virtual machine extension) is incorrect as it is used to configure additional features or settings on the virtual machine. Option C
(metric alert) is incorrect as it is used to monitor performance metrics of Azure resources, such as CPU utilization, and not event logs. Option D
(Azure Log Analytics workspace) is also incorrect as it is used for collecting, analyzing, and visualizing data from multiple sources, including Azure
resources and other log sources, but it is not used for setting up alert rules on a specific virtual machine.
upvoted 2 times

  Hims001 3 months, 1 week ago

If we create an Alert Rule under a resource, target resource type becomes the type of the resource. If we create an Alert Rule from Azure Monitor,
Azure provides option to select a Target resource. As question says to create an Alert Rule for VM1, Target resource type becomes "Virtual
Machine". Hence. answer is "B".
Try creating one from Azure portal to get correct answer on your own.
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 670/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 3 times
  CyberKelev 3 months, 2 weeks ago
Selected Answer: B
the correct answer is B. virtual machine.
upvoted 1 times

  AndreaStack 4 months ago

Selected Answer: D
D correct!
upvoted 2 times

  er101q 4 months, 1 week ago

B. virtual machine. You should monitor the virtual machine because it is the source of the events being collected by Azure, specifically the System
event log of VM1. By creating an alert rule on the virtual machine, you can be notified when an error is logged in the System event log, allowing
you to take appropriate action.
upvoted 3 times

  bsaksham 2 months, 2 weeks ago

correct i agree!!!
upvoted 1 times

  klexams 7 months, 2 weeks ago

VM's event log sends data to LA workspace. Alert is created based on LAW as the source.
D. Azure Log Analytics workspace
upvoted 3 times

  Stanly_Az 9 months ago

This question was there on 09/16/2022
upvoted 2 times

  EmnCours 9 months, 2 weeks ago

Selected Answer: D
Correct Answer: D
upvoted 1 times

  Gino_Slim 11 months, 2 weeks ago

Selected Answer: D
Verifying that I went with D too (that's what she said)
upvoted 3 times

  Lazylinux 11 months, 4 weeks ago

Selected Answer: D
D is correct
upvoted 2 times

  techie_11 1 year, 2 months ago

On exam 4/12/2022. correct answer D
upvoted 3 times

  ajayasa 1 year, 3 months ago

this question was there on 16/03/2022 with same question and passed with 900 percent
upvoted 1 times

  MMsdk 1 year, 2 months ago

All 341questions?🙄
upvoted 6 times

  ajayasa 1 year, 3 months ago

this question was on 16/03/2022 and answered what mentioned in the answer section
upvoted 1 times

  nidhogg 1 year, 4 months ago

On the exam today, 1.feb.2022
Just 761/1000, but OK! :D
Thanks to ExamTopics and to you all!
upvoted 6 times

  [Removed] 1 year, 6 months ago

Was in exam dated 15/11/2021
upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 671/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #19 Topic 6

You have an Azure subscription that contains 100 virtual machines.

You regularly create and delete virtual machines.
You need to identify unattached disks that can be deleted.
What should you do?

A. From Azure Cost Management, view Cost Analysis

B. From Azure Advisor, modify the Advisor configuration

C. From Microsoft Azure Storage Explorer, view the Account Management properties

D. From Azure Cost Management, view Advisor Recommendations

Correct Answer: D
From Home ‫ג‬€"> Cost Management + Billing ‫ג‬€"> Cost Management, scroll down on the options and select View Recommendations:

Azure Cost Management / Advisor -

From here you will see the recommendations for your subscription, if you have orphaned disks, they will be listed.
Reference:
https://codeserendipity.com/2020/07/08/microsoft-azure-find-unattached-disks-that-can-be-deleted-and-other-recommendations/

Community vote distribution

D (82%) C (18%)

  mlantonis Highly Voted  2 years ago

Correct Answer: D

From Home -> Cost Management + Billing -> Cost Management, scroll down on the options and select View Recommendations
upvoted 76 times

  raulgar Highly Voted  2 years, 1 month ago

I think the answer is correct, azure panel recommend you delete resources that are'nt in use, and if you have a lot of vm's it could be the easiest
way
upvoted 16 times

  Madbo Most Recent  2 months ago

The answer is D. From Azure Cost Management, view Advisor Recommendations. Azure Cost Management provides cost analysis and
recommendations, and one of the recommendations that it provides is to identify unattached disks that can be deleted. These recommendations
are generated by Azure Advisor, which uses machine learning to analyze your usage and provide recommendations for optimizing your resources.
upvoted 1 times

  CyberKelev 3 months, 2 weeks ago

Selected Answer: C

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 672/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Microsoft Azure Storage Explorer

upvoted 1 times

  Durden871 3 months ago

Udemy course I'm using also agrees with D.
Explanation
Correct Answer(s):

You use Azure Cost Management + Billing features to:

Conduct billing administrative tasks such as paying your bill

Manage billing access to costs

Download cost and usage data that was used to generate your monthly invoice

Proactively apply data analysis to your costs

Set spending thresholds

Identify opportunities for workload changes that can optimize your spending

https://docs.microsoft.com/en-us/azure/cost-management-billing/cost-management-billing-overview

Wrong Answers:

From Azure Cost Management, view Cost Analysis – Cost analysis provides current and future costs for Azure resources.

From Azure Advisor, modify the Advisor configuration – No need to modify Advisor configuration, instead look for Advisor recommendations.

From Microsoft Azure Storage Explorer, view the Account Management properties – Technically you can achieve the requirement, but with
hectic manual work.
upvoted 1 times

  klexams 7 months, 2 weeks ago

this would do it for you:
D. From Azure Cost Management, view Advisor Recommendations
upvoted 3 times

  EmnCours 9 months, 2 weeks ago

Selected Answer: D
Answer D is correct
upvoted 1 times

  Lazylinux 11 months, 4 weeks ago

Selected Answer: D
D is correct
upvoted 2 times

  Neska 1 year, 2 months ago

Selected Answer: D
D is correct
upvoted 2 times

  InvisibleShadow 1 year, 3 months ago

Selected Answer: D
D is the answer
upvoted 2 times

  Ken88 1 year, 3 months ago

Selected Answer: D
D is correct.
upvoted 2 times

  TtotheA2021 1 year, 4 months ago

if it is related to costs saving > it is C
the question is only asking what you can identify and the simple method > it is D

so it is for this question answer D

upvoted 2 times

  oskirch 1 year, 6 months ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 673/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Selected Answer: C
I think is C
upvoted 1 times

  PRM 1 year, 8 months ago

"C"
https://docs.microsoft.com/pt-br/azure/virtual-machines/disks-find-unattached-portal
upvoted 1 times

  Bere 1 year, 6 months ago

The link you have provided doesn't even mention Storage Explorer.
By the way, the Account Management properties doesnt give the info we want in Storage Explorer:
https://docs.microsoft.com/en-us/azure/vs-azure-tools-storage-manage-with-storage-explorer?tabs=windows
upvoted 2 times

  chaudha4 1 year, 9 months ago

It is a trick question. Most people will know that you have to use Advisor. I picked B without reading all other options. That is obviously wrong since
there is no option to modify Advisor configuration. The correct answer would be:
1) From Azure Advisor, view the Cost Recommendations
2) From Azure Cost Management, view Advisor Recommendations
upvoted 10 times

  Vadlamua 1 year, 4 months ago

The question only talks about identifying only. So option D
upvoted 2 times

  Moyuihftg 2 years, 1 month ago

Answer D is correct
upvoted 1 times

  nguyenhung1121990 2 years, 1 month ago

It should C - From Microsoft Azure Storage Explorer, view the Account Management properties
upvoted 3 times

  KhaledMaster 1 year, 7 months ago

The URL is irrelevant!!!
upvoted 1 times

  JayBee65 1 year, 11 months ago

No, it should be D, see https://feedback.azure.com/forums/919474-azure-advisor/suggestions/18963412-have-azure-advisor-show-up-unused-
disks-resources
upvoted 2 times

  SumanKumarP 1 year, 10 months ago

Correct - Advisor for some reason doesn't give recommendations for unused disks.
Through Storage Explorer we can look for the disk state i.e. if its left unattached.
upvoted 1 times

  jantoniocesargatica 2 years, 1 month ago

Azure Storage Explorer does not provide any information about unused disks. You can test it downloading the software and connecting to your
account. Create a virtual machine and stop it. The go to Storage Explorer. You will see the the disk, but this is all. There is no information
regarding unused.
upvoted 3 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 674/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #20 Topic 6

You have an Azure web app named webapp1.

Users report that they often experience HTTP 500 errors when they connect to webapp1.
You need to provide the developers of webapp1 with real-time access to the connection errors. The solution must provide all the connection error
details.
What should you do first?

A. From webapp1, enable Web server logging

B. From Azure Monitor, create a workbook

C. From Azure Monitor, create a Service Health alert

D. From webapp1, turn on Application Logging

Correct Answer: A

Community vote distribution

A (100%)

  mlantonis Highly Voted  2 years ago

Correct Answer: A

Raw HTTP request data is provided by Web server logging and the question mentions 500 error codes.

You need to catch connection error. When the connection fails it happens on web server, not within application. You can do it opening the web
application -> Application Service logs -> Web server logging (there are multiple switches there).

You can also see the errors live going to "Log stream" pane.

Web server logging Windows App Service file system or Azure Storage blobs Raw HTTP request data in the W3C extended log file format. Each log
message includes data such as the HTTP method, resource URI, client IP, client port, user agent, response code, and so on.
upvoted 100 times

  Spooky7 2 months, 1 week ago

No, 500 error code means "Internal Server Error" and usually is caused by the application itself. So application logging seems right here and will
provide more useful information to developers than web server logs
upvoted 4 times

  zyta Highly Voted  2 years, 10 months ago

I think A as well. You need to catch connection error. When the connection fails it happens on web server, not within application. You can do it
openining the web application >> Application Service logs >> Web server logging (there are multiple switches there)
You can also see the errors live going to "Log stream" pane
upvoted 48 times

  er101q Most Recent  4 months, 1 week ago

D. From webapp1, turn on Application Logging.

To provide the developers with real-time access to the connection errors, you should first enable Application Logging for the web app. This will
enable the logging of detailed information about the application, including any connection errors, to the file system, which the developers can then
access to troubleshoot the issue. After Application Logging has been enabled, you may also consider additional monitoring and alerting solutions,
such as Azure Monitor or Service Health alerts, to provide ongoing visibility into the health and performance of the web app.
upvoted 2 times

  Muffay 5 months, 1 week ago

I don't like this question.

HTTP 500 is an internal server error, not really a connection error. In my world this is mostly caused by the application code, so I would look into
the application logs first. But as this question explicitly asks about connection errors, I am just confused.
upvoted 3 times

  Muffay 5 months, 1 week ago

Second thought:
Application logging here means *Windows Application Logs*. Ok, those do not contain the logging from my custom application code - thus,
WebServer logging is correct.
upvoted 2 times

  AbleApe 4 months, 2 weeks ago

Since they're using an Azure Web App those logs are stored on the Web App platform. I don't think they mean Windows application logs
here. 500 errors you can find in an IIS application log.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 675/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 1 times
  SGKN 5 months, 2 weeks ago
i think answer should be "D" 'Application Log'
How do I check my 500 error in Azure portal?
Check logs
Open your bot in the Azure portal.
Open the App Service Settings / All App service settings page to see all service settings.
Open the Monitoring / Diagnostics Logs page for the app service. Ensure that Application Logging (Filesystem) is enabled. ...
Switch to the Monitoring / Log Stream page.
upvoted 1 times

  Aanandan 5 months, 3 weeks ago

Answer is D.. Application logging... have checked there is no option like web server logging in the application service..
upvoted 2 times

  _fvt 5 months, 2 weeks ago

Here it is: https://learn.microsoft.com/en-us/azure/app-service/troubleshoot-diagnostic-logs
upvoted 1 times

  klexams 7 months, 2 weeks ago

out of the four options, realtime error details will be:
A. From webapp1, enable Web server logging
upvoted 2 times

  matejka 7 months, 2 weeks ago

500 error can be pretty much anything either on a webserver or within the app itself. Webserver logs are good to investigate but definitely does
not provide all error logs that are needed. There is no correct answer here, but A + D is the closest.
upvoted 2 times

  Raj70 7 months, 3 weeks ago

Think D is right. HTTP 500 is more of an application error than a web server connectivity error
upvoted 1 times

  dc2k79 7 months, 3 weeks ago

HTTP 500 is a Layer 7 (Application Layer) error. Should be checked at Web Server level.
upvoted 2 times

  EmnCours 9 months, 2 weeks ago

Selected Answer: A
Correct Answer: A
upvoted 1 times

  Lazylinux 11 months, 4 weeks ago

Selected Answer: A
Web server logging is correct
upvoted 2 times

  dasEnder 1 year, 1 month ago

Selected Answer: A
Correct
upvoted 1 times

  barcellos 1 year, 10 months ago

Correct Answer: A

Raw HTTP request data is provided by Web server logging and the question mentions 500 error codes.
the error 500 is proved form web server,
The error 500 is proved from web server. the application do not response.
Error 500 is an Internal Server Error (HTTP) status. It indicates that some type of issue is affecting the performance of the server of the site you are
trying to access.

does not mention for windows or linux. however Correct Answer A

upvoted 4 times

  ZUMY 2 years, 3 months ago

A is correct
upvoted 6 times

  Merma 2 years, 3 months ago

Final answer A is correct. For more insight on web server logging vs. application logging:
https://stackify.com/azure-app-service-log-files/
upvoted 4 times

  barry12 2 years, 3 months ago

indeed, this explanation shows that weblogging is more or less the only option to help with real-time troubleshooting
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 676/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 2 times
  toniiv 2 years, 3 months ago
Answer is correct. Web server logging to see HTTP logs, App logging if it were App logs
upvoted 3 times

  waterzhong 2 years, 4 months ago

Web server logging
Raw HTTP request data in the W3C extended log file format. Each log message includes data such as the HTTP method, resource URI, client IP,
client port, user agent, response code, and so on.
upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 677/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #21 Topic 6

You have an Azure web app named App1.

You need to monitor the availability of App1 by using a multi-step web test.
What should you use in Azure Monitor?

A. Azure Service Health

B. Azure Application Insights

C. the Diagnostic settings

D. metrics

Correct Answer: B
Upload the web test -
1. In the Application Insights portal on the Availability pane select Add Classic test, then select Multi-step as the SKU.
2. Upload your multi-step web test.
3. Set the test locations, frequency, and alert parameters.
4. Select Create.
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/app/availability-multistep

Community vote distribution

B (100%)

  Kem81 Highly Voted  7 months, 2 weeks ago

Selected Answer: B
this must be a new question...?
upvoted 7 times

  obaali1990 2 months, 3 weeks ago

Yep, that is correct
upvoted 1 times

  ZakySama 7 months, 2 weeks ago

New question
upvoted 2 times

  mivalsten Highly Voted  9 months, 1 week ago

Selected Answer: B
Correct, naswer is B
upvoted 7 times

  zellck Most Recent  4 months ago

Selected Answer: B
B is the answer.

https://learn.microsoft.com/en-us/azure/azure-monitor/app/availability-multistep
upvoted 2 times

  er101q 4 months, 1 week ago

B. Azure Application Insights.

Azure Application Insights is a performance monitoring solution for web applications that allows you to monitor the availability of your application
by using a multi-step web test. With Application Insights, you can create a web test that specifies a series of HTTP requests to your web app and
defines the expected responses. The web test will then periodically send requests to your app and verify that the responses match the expected
results, providing you with real-time visibility into the availability of your app. Additionally, Application Insights provides a wealth of other
monitoring and diagnostic capabilities, such as performance analysis, exception tracking, and logging, making it a comprehensive solution for
monitoring the health and performance of your web app in Azure.
upvoted 3 times

  KingChuang 6 months, 3 weeks ago

Selected Answer: B
Correct answer:B
Ref:
https://learn.microsoft.com/en-us/azure/azure-monitor/app/availability-overview?source=recommendations
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 678/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  klexams 7 months, 2 weeks ago

this is only my guess:
B. Azure Application Insights
upvoted 3 times

  ddu 7 months, 3 weeks ago

Multi-step web tests are deprecated

https://learn.microsoft.com/en-us/azure/azure-monitor/app/availability-multistep
upvoted 3 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 679/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #22 Topic 6

HOTSPOT -
You have an Azure subscription that has diagnostic logging enabled and is configured to send logs to a Log Analytics workspace.
You are investigating a service outage.
You need to view the event time, the event name, and the affected resources.
How should you complete the query? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

Box 1: AzureActivity -
The AzureActivity table has entries from the Azure activity log, which provides insight into subscription-level or management group-level events
occuring in Azure.
Let's see only Critical entries during a specific week.
The where operator is common in the Kusto Query Language. where filters a table to rows that match specific criteria. The following example
uses multiple commands. First, the query retrieves all records for the table. Then, it filters the data for only records that are in the time range.
Finally, it filters those results for only records that have a Critical level.

AzureActivity -
| where TimeGenerated > datetime(10-01-2020) and TimeGenerated < datetime(10-07-2020)
| where Level == 'Critical'

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 680/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Incorrect:
not Perf: The Perf table has performance data that's collected from virtual machines that run the Log Analytics agent.

Box 2: | project -
Select a subset of columns: project.
Use project to include only the columns you want. Building on the preceding example, let's limit the output to certain columns:

AzureActivity -
| where TimeGenerated > datetime(10-01-2020) and TimeGenerated < datetime(10-07-2020)
| where Level == 'Critical'
| project TimeGenerated, Level, OperationNameValue, ResourceGroup, _ResourceId
Reference:
https://github.com/MicrosoftDocs/dataexplorer-docs/blob/main/data-explorer/kusto/query/tutorial.md

  ExamTopicsTST Highly Voted  9 months, 2 weeks ago

answer is correct

https://www.shudnow.io/2020/03/06/retrieving-activity-log-data-from-azure-log-analytics-part-2/
upvoted 25 times

  kukeleku 8 months, 4 weeks ago

I agree!
upvoted 1 times

  meeko86 Highly Voted  5 months, 4 weeks ago

Box 1: AzureActivity
The AzureActivity table has entries from the Azure activity log, which provides insight into subscription-level or management group-level events
occuring in Azure. Let's see only Critical entries during a specific week.
Box 2: | project
Use project to include only the columns you want. Building on the preceding example, let's limit the output to certain columns
upvoted 10 times

  Balvosko Most Recent  1 month, 2 weeks ago

First part:
AzureActivity - This table contains the activity logs from your Azure subscription, including information about the events, their time, and the
affected resources.

Second part:
| where Level == 'critical' - This filters the logs to only show critical events.

Third part:
| project TimeGenerated, OperationNameValue, ResourceId - This projects the required columns: the event time (TimeGenerated), the event name
(OperationNameValue), and the affected resources (ResourceId).
upvoted 1 times

  zellck 4 months ago

1. AzureActivity
2. project

https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log?tabs=powershell#send-to-log-analytics-workspace
Activity log data in a Log Analytics workspace is stored in a table called AzureActivity that you can retrieve with a log query in Log Analytics.

https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/projectoperator
Select the columns to include, rename or drop, and insert new computed columns.
upvoted 3 times

  obaali1990 2 months, 3 weeks ago

Did you pass your exams?
upvoted 1 times

  klexams 7 months, 2 weeks ago

AzureActivity
| project
upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 681/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #23 Topic 6

You have a Recovery Services vault named RSV1. RSV1 has a backup policy that retains instant snapshots for five days and daily backup for 14
days.
RSV1 performs daily backups of VM1. VM1 hosts a static website that was updated eight days ago.
You need to recover VM1 to a point eight days ago. The solution must minimize downtime.
What should you do first?

A. Deallocate VM1.

B. Restore VM1 by using the Replace existing restore configuration option.

C. Delete VM1.

D. Restore VM1 by using the Create new restore configuration option.

Correct Answer: B
Replace existing:
You can restore a disk, and use it to replace a disk on the existing VM.
The current VM must exist. If it's been deleted, this option can't be used.
Azure Backup takes a snapshot of the existing VM before replacing the disk, and stores it in the staging location you specify. Existing disks
connected to the VM are replaced with the selected restore point.
The snapshot is copied to the vault, and retained in accordance with the retention policy.
After the replace disk operation, the original disk is retained in the resource group. You can choose to manually delete the original disks if they
aren't needed.
Reference:
https://docs.microsoft.com/en-us/azure/backup/backup-azure-arm-restore-vms

Community vote distribution

D (57%) B (43%)

  Sileymane Highly Voted  3 months, 2 weeks ago

J'ai passé mon examen le 24/02/2023 avec une réussite de 810 points.
Je vous conseille de faire tous les exercices, car il y a 70% de questions d'examen ici.
upvoted 12 times

  Marz Highly Voted  7 months, 1 week ago

I think its D. the B options needs you to shutdown the VM first, causing downtime. We must minimize downtime. Ref: https://petri.com/restore-an-
azure-virtual-machines-disks-from-backup/
upvoted 11 times

  er101q 4 months, 1 week ago

NOT Option D, "Restore VM1 by using the Create new restore configuration option," may not be the best option because it creates a new virtual
machine, which means you will have to recreate the virtual machine's configuration and re-provision resources. This can result in longer
downtime and more complex configurations.

In contrast, the Replace existing restore configuration option allows you to restore the virtual machine to a specific point in time while
preserving the existing virtual machine configuration and resources. This minimizes downtime and eliminates the need to recreate the virtual
machine's configuration, making it a more efficient solution for recovery.
upvoted 4 times

  Rams_84zO6n 2 months, 2 weeks ago

I think option D is correct - Even if it takes longer to create new VM the question only asks to "minimize downtime". Creating a new VM lets
you to not touch the production website while still enables you to restore from backup and test the website independently. Once you are
satisfied, it would be a simple switch that result in close to 0 downtime.
upvoted 5 times

  SIAMIANJI Most Recent  1 month, 1 week ago

Selected Answer: D
D is correct.
upvoted 1 times

  Exilic 1 month, 1 week ago

Selected Answer: B
OpenAI

"To recover VM1 to a point eight days ago with minimal downtime, you should restore VM1 using the "Replace existing restore configuration"

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 682/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

option.

Option A (Deallocate VM1) is not necessary as the restore process can be performed without deallocating the VM.

Option B (Restore VM1 by using the Replace existing restore configuration option) is the correct option. This option will restore the VM to the
specified restore point and replace the existing VM with the restored version. This will minimize downtime as the restored VM will take the place of
the original VM, so no additional configuration is needed.

Option C (Delete VM1) is not necessary as deleting the VM would result in data loss and is not relevant to the scenario.

Option D (Restore VM1 by using the Create new restore configuration option) would create a new VM, which would require additional
configuration and result in more downtime compared to using the "Replace existing restore configuration" option."
upvoted 2 times
  Balvosko 1 month, 2 weeks ago
Option B: Restore VM1 by using the Replace existing restore configuration option.
This option will restore VM1 directly to the specified point in time, overwriting the current VM1. This will cause downtime during the restore
process, as the current VM1 will be unavailable.

Option D: Restore VM1 by using the Create new restore configuration option.
This option creates a new virtual machine from the backup at the specified point in time without affecting the existing VM1. This minimizes
downtime, as you can continue running the current VM1 while the new one is being restored. Once the new VM is ready and tested, you can switch
over to it and minimize the downtime of the website.

In general, option D is considered better if you prioritize minimizing downtime and want to ensure a smooth transition between the current VM1
and the restored version.
upvoted 2 times

  SimonSM178 2 months, 2 weeks ago

Selected Answer: D
It is not mentioned that the website is currently offline, so it is still hosted on the VM1. Choosing B. means that you would create downtime,
because restoring to the same VM requires the VM to be allocated
On the contrary, if you select D., while it is true that you may need to redeploy configurations etc., but the website would still be online because it's
still hosted on B (so no downtime).
B. would be correct if the question asked a solution to minimize administrative effort.
Answer is D.
upvoted 2 times

  mdwSysOps 3 months, 1 week ago

Selected Answer: B
B. Restore VM1 by using the Replace existing restore configuration option.

To recover VM1 to a point eight days ago, you need to restore a backup from that time. However, since the backup policy for RSV1 retains only
daily backups for 14 days and instant snapshots for five days, the only backup available for a recovery point eight days ago is a daily backup.

To minimize downtime during the recovery process, you can use the Replace existing restore configuration option. This option restores the VM to
the same resource group and virtual network as the original VM, so you do not need to create a new VM.

Therefore, you should choose option B to restore VM1 by using the Replace existing restore configuration option.
upvoted 3 times

  skydivex 3 months, 3 weeks ago

i used the https://chat.openai.com/chat for testing the AI... put the whole question, without the answeres....here is what I got...... Here are the steps
you should follow:

Go to the Azure portal and select the Recovery Services vault named RSV1.
In the left-hand menu, select "Backup items" and then select "Azure Virtual Machines."
Find VM1 in the list of virtual machines and select it.
In the "Backup items" menu for VM1, select "Restore VM."
In the "Restore configuration" blade, select the restore point that is eight days old.
Choose the restore type, which can be "Create new virtual machine" or "Restore disks."
Provide the required details and then start the restore process.
upvoted 1 times

  zellck 4 months ago

Selected Answer: D
D is the answer.

https://learn.microsoft.com/en-us/azure/backup/backup-azure-arm-restore-vms#restore-options
Create a new VM
- Quickly creates and gets a basic VM up and running from a restore point.
upvoted 3 times

  AndreaStack 4 months ago

Selected Answer: B
Option B "Restore VM1 by using the Replace existing restore configuration" might be a better choice in this case.
This option would restore the virtual machine and replace the existing one, keeping the same IP configuration and other network settings, which
would minimize downtime. The downside of this option is that it requires you to stop the existing virtual machine before you can restore the new

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 683/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

one, which could cause a brief interruption in service.

So to summarize, either option B or option D could be a valid solution depending on the specific requirements and trade-offs.
Option B minimizes downtime but requires a brief interruption in service, while option D allows the original virtual machine to continue serving
visitors but requires more steps to set up the new virtual machine and transfer data.
upvoted 3 times
  LindyLou 4 months, 1 week ago
Selected Answer: D
B requires VM to be stopped during restore.
upvoted 3 times

  lkjsatlwjwwge 4 months, 1 week ago

It all comes down to whether your app is still functional or not. If it´s out of service, naturally you should replace the existing one. However, if you
need to restore it to a point in the past, it should probably be working with some problems. In this case, you might be better off keeping the
current VM up until you have restored to a new one. Another tricky and ambiguous riddle from our beloved MS friends...
upvoted 2 times

  er101q 4 months, 1 week ago

In contrast, the Replace existing restore configuration option allows you to restore the virtual machine to a specific point in time while preserving
the existing virtual machine configuration and resources. This minimizes downtime and eliminates the need to recreate the virtual machine's
configuration, making it a more efficient solution for recovery.
upvoted 1 times

  er101q 4 months, 1 week ago

B. Restore VM1 by using the Replace existing restore configuration option.

To recover VM1 to a point eight days ago and minimize downtime, you can restore the VM by using the Replace existing restore configuration
option in the Recovery Services vault. This will allow you to restore the VM to the point in time eight days ago while keeping the existing network
configuration, disk configuration, and virtual machine properties intact. Once the restore is complete, you can start the restored VM and ensure
that it is running as expected, with minimal disruption to the static website hosted on VM1
upvoted 4 times

  LauLauLauw 4 months, 2 weeks ago

Selected Answer: B
D is wrong here, if we restore to a new VM we have aftercare like fixing the ip adress and more unknown stuff what also result in downtime and
increases the complexity.

B gives the least ammount of downtime

upvoted 3 times

  mung 6 months, 3 weeks ago

Answer should be D

Restore option Details

Create a new VM Quickly creates and gets a basic VM up and running from a restore point.
https://learn.microsoft.com/en-us/azure/backup/backup-azure-arm-restore-vms
upvoted 3 times

  MyZ 6 months, 3 weeks ago

It's "B"
https://azure.microsoft.com/en-us/blog/an-easy-way-to-bring-back-your-azure-vm-with-in-place-restore/
upvoted 4 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 684/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #24 Topic 6

HOTSPOT -
You have an Azure subscription that contains the resources shown in the following table.

You plan to create a data collection rule named DCR1 in Azure Monitor.
Which resources can you set as data sources in DCR1, and which resources can you set as destinations in DCR1? To answer, select the
appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 685/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Correct Answer:

Box 1: VM1 only -

A virtual machine may have an association to multiple DCRs, and a DCR may have multiple virtual machines associated to it.
In the Resources tab, add the resources (virtual machines, virtual machine scale sets, Arc for servers) that should have the Data Collection Rule
applied.

Box 2: Workspace1 only -

On the Destination tab, add one or more destinations for the data source. You can select multiple destinations of same of different types, for
instance multiple Log
Analytics workspaces (i.e. "multi-homing").
Note: The Data Collection Rules (or DCR) improve on a few key areas of data collection from VMs including like better control and scoping of
data collection (e.g. collect from a subset of VMs for a single workspace), collect once and send to both Log Analytics and Azure Monitor
Metrics, send to multiple workspaces (multi- homing for Linux), improved Windows event filtering, and improved extension management.
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/agents/data-collection-rule-azure-monitor-agent

  Mev4953 Highly Voted  8 months, 4 weeks ago

Correct answer. Tested in Lab.
First: You can only choose VM
Second: Only Workspace
upvoted 30 times

  KingChuang 6 months, 3 weeks ago

Agree.

Ref:
https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/data-collection
upvoted 2 times

  KingChuang 6 months, 3 weeks ago

In ref doc.
Source from Azure Monitor Agent(VM)、REST API and Azure Resource.

Confused about other items.

But your LAB test has only VM.
upvoted 1 times

  KingChuang 6 months, 3 weeks ago

I understand, it must be LOG-related REST API and Azure resources
upvoted 1 times

  Anarchira 8 months, 3 weeks ago

i found this reference, https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/data-collection-rule-overview
I think that only VM could be use too
upvoted 4 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 686/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  klexams Highly Voted  7 months, 2 weeks ago

1. VM only.
it uses Azure monitor agent which needs to be installed on a VM.
2. Workspace1 only.
Data then gets sent to Workspace.
upvoted 6 times

  Procurement Most Recent  1 month, 1 week ago

When you create the rule in the azure portal you get the following info message:
Pick a set of machines to collect data from. The Azure Monitor Agent will be automatically installed on virtual machines, scale sets, and Arc-enabled
servers.
upvoted 1 times

  zellck 4 months ago

1. VM1 only
2. Workspace1 only

https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/data-collection-rule-structure#datasources

https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/data-collection-rule-structure#destinations
This section contains a declaration of all the destinations where the data will be sent. Only Log Analytics is currently supported as a destination.
Each Log Analytics destination will require the full Workspace Resource ID, as well as a friendly name that will be used elsewhere in the DCR to refer
to this workspace.
upvoted 3 times

  DeBoer 4 months, 1 week ago

Source needs to be either a VM or "something" that can send its logs to a REST API. A storage account or SQL database will not do that (AFAIK)
https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/data-collection-rule-overview

Target needs to be a LA Workspace indeed, so that's an easy choice.

upvoted 1 times

  dc2k79 7 months, 3 weeks ago

VM1 only
Workspace1 only
upvoted 1 times

  northstar88 9 months, 2 weeks ago

The destination is correct based on the following doc:
https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/data-collection-rule-
structure#:~:text=Only%20Log%20Analytics%20is%20currently%20supported%20as%20a%20destination.
upvoted 4 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 687/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #25 Topic 6

HOTSPOT -
You have the role assignment file shown in the following exhibit.

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
NOTE: Each correct selection is worth one point.
Hot Area:

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 688/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Correct Answer:

  humnahibataynge Highly Voted  9 months, 2 weeks ago

Answers are correct:

User1 - Owner of the subscription. (He can manage any resources in the subscription.)
User 2 - Owner of RG2(He can manage any resources in the RG2.)
User 3 - Owner of a single VM that is VM1.(he can manage VM1 only)
User 4 - Contributor of RG1.(He can manage everything in RG1, even he can delete VMs in RG1. But cannot change RABC)

Box1: Owner of VM1 - User1, User3

Box2 : Create VM in RG1 - User1,User4
upvoted 68 times

  JayLearn2022 3 months, 3 weeks ago

Correct. You should note that User 1 being owner of the Subscription is the Owner of every resource under it. He has Full power to do anything
under the Subscription.
upvoted 1 times

  RougePotatoe 3 months, 3 weeks ago

The question is more down to if user 1 is "assigned" as a owner . Yes user 1 is an owner of VM1 but their role is inherited. Only User 3 is
explicitly assigned the owner role for VM1. So it really depends on what the hell they mean by "assigned".
upvoted 4 times

  noppy 5 months ago

Box1 : User3 is
Box2 : User1 and User4
Is User1 assigned to Owner role for VM1 only? User1 is owner of all resources in the subscription. I think that User1 has rights of owner with
VM1 but it's not "assigned". It's "inherited".

So
upvoted 3 times

  FabrityDev 5 months ago

One correction, it's RBAC (Role Based Access Control) not RABC. But I guess it's just a typo
upvoted 1 times

  Bigc0ck Highly Voted  5 months, 1 week ago

very annoying ass question its on the test
upvoted 8 times

  SedateBloggs Most Recent  3 months, 3 weeks ago

The answer provided is correct. Box 1 User1 and User3. Box 2 is User 1 and User 4. Labbed Box 1 and confirmed
upvoted 1 times

  Mohaamed 6 months, 1 week ago

user 1 : subscription owner
User 2 - Owner of RG2
User 3 - Owner of a single VM1
User 4 - Contributor of RG1

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 689/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

user 1 have the assigned role of subscription owner which inherrtly only owns resources under him
user 3 is the only one with assigned role as owner

Box 1 : user 3 only

box 2 : user 1 and user 4
upvoted 5 times
  MyZ 6 months, 2 weeks ago
Box 1: is User 3 - the question is asking "assigned the owner role for VM1"
there is a difference between "inherited" and "assigned". They don't ask "who is the owner"
upvoted 4 times

  awssecuritynewbie 8 months, 2 weeks ago

It is a very simple question that makes it a bit tricky is that USER 3 has a different Resource group! If you are a owner at the subscription you can be
a owner at everything within that subscription,
if you are a owner at resource group you can do whatever within that resource group.
If you are contributor then you can also create resources but you cannot modify permissions!
upvoted 1 times

  Hyrydar 8 months, 1 week ago

user`3 is in RG1 and owns VM1 only. Why isn't user3 in the given answers?
upvoted 1 times

  Tarni 8 months, 3 weeks ago

Question asked is "assigned owner role for VM1" User1 is owner at RG level, that makes him owner of VM ultimately. question is bit confusing. I
would still go with user3 only.
upvoted 1 times

  kayyaly 8 months, 4 weeks ago

Answer is correct
Box1: user1 and user 3
Box2:user1 and user 4
upvoted 1 times

  northstar88 9 months, 2 weeks ago

I think it should be
User 1 and User 3 assigned the Owner role for VM1
User1, User3, and User4 can create virtual machine in RG1

User 4 is a contributor, and contributor is able to create and manage resources of all types but not delete.
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#contributor
upvoted 4 times

  awssecuritynewbie 8 months, 2 weeks ago

user 3 is the owner of that single VM nothing anything else
upvoted 2 times

  humnahibataynge 9 months, 2 weeks ago

But User3 is the owner of only VM1, he can not create new VMs.
upvoted 5 times

  northstar88 9 months, 2 weeks ago

My bad. You are correct. User 3 cannot create new VMs.
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 690/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #26 Topic 6

HOTSPOT -
You have the following custom role-based access control (RBAC) role.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 691/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Correct Answer:

  fabio79 Highly Voted  9 months, 2 weeks ago

For Me N,Y,Y.
Microsoft.Compute/virtualMachines/* Perform all virtual machine actions including create, update, delete, start, restart, and power off virtual
machines. Execute scripts on virtual machines.
upvoted 90 times

  Alex2022_31 5 months, 1 week ago

The "resourceGroups/read" permission means that the user with that role can't create/modify/delete resource groups BUT if you have an
existing RG, you can create a VM in it as you have the "Microsoft.Compute/VirtualMachines/*" permission that includes all the actions on VMs

Correct answer imo would be N, Y, Y

upvoted 7 times

  Dhanishetty 5 months, 3 weeks ago

How about permissions regarding resource groups. I guess user has only read permission for resource groups
upvoted 1 times

  KingChuang 6 months, 3 weeks ago

Agree!
upvoted 1 times

  Dunkelheit 7 months, 3 weeks ago

All those permissions are happening in the "actions" section though. Isn't the appropriate sections for VM permissions the "dataActions"
section?
upvoted 1 times

  Dunkelheit 7 months, 3 weeks ago

Need to correct myself, here is a JSON for Virtual Machine Contributor:
https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#virtual-machine-contributor
upvoted 1 times

  klexams Highly Voted  7 months, 2 weeks ago

N - ms.auth/*/write is NOT allowed.
Y - ms.comp/vm/* is allowed.
Y - ms.net/netint/* is allowed.
upvoted 31 times

  friendlyvlad Most Recent  2 weeks, 2 days ago

I think it should be NNY. The user cannot assign to the role1 other users since ms.auth/*/write is not allowed. The user cannot create a VM since
she is a reader at the RG level. The user with the Reader role on a resource group does not have permission to create a virtual machine (VM) within
that resource group. The Reader role is a read-only role that only allows the user to view the resources and their configurations within the resource
group. However, she can modify the IP address of the existing VM because she is a VM Contributor.
upvoted 2 times

  SIAMIANJI 3 weeks, 1 day ago

Correct answer is N, Y, Y
upvoted 1 times

  SIAMIANJI 1 month, 1 week ago

The correct answer is N, Y, Y
upvoted 1 times

  yaboo1617 1 month, 3 weeks ago

isn't dataactions needed to create virtualmachines ?
upvoted 1 times

  Phlogiston 4 months ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 692/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

A misleading question that tests your ability to parse JSON more than anything else. The JSON value "Microsoft.Compute/virtualMachines/* gives
the user with role1 the ability to perform all actions, including the ability create virtual machines. Any actions that are described by this wildcard,
including /start, /deallocate, etc are not necessary to add the role. They are simply noise that is deliberately inserted to confuse the reader.
Inserting noise in exhibits is a favourite tactic to lead people to an incorrect response.
upvoted 4 times

  er101q 4 months, 1 week ago

N,Y,N
The "permissions" property of the custom RBAC role "Role1" specifies a list of actions that the users assigned this role are allowed to perform
within the specified "assignableScopes". The actions in the "notAction" list are explicitly excluded from the allowed actions, meaning that users with
this role cannot perform these actions.

Based on this information, we can conclude that:

Users assigned Role1 cannot assign Role1 to other users because the "Microsoft.Authorization/*/Write" action is in the "notAction" list.
Users assigned Role1 can deploy new virtual machines because the "Microsoft.Resources/deployments/*" action is in the "actions" list.
Users assigned Role1 cannot set a static IP address on a virtual machine because there is no mention of the action
"Microsoft.Network/networkinterfaces/*/write" or similar in the "actions" or "notAction" list.
upvoted 2 times

  xRiot007 1 week, 4 days ago

Last one is a YES. networkinterfaces/* means ALL actions below that, including /*/write
upvoted 1 times

  azhunter 5 months, 1 week ago

Answer is NYY
upvoted 1 times

  _fvt 5 months, 2 weeks ago

N,Y,Y.
If you look at the virtual machine contributor built-in role which allows you to "Create and manage virtual machines, ..."
(https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#virtual-machine-contributor), you'll see that it does only have
"resourceGroups/read" permission.
upvoted 2 times

  lss83 5 months, 3 weeks ago

This question in 19/12/2022 exam, 90% of the questions coming from here. I scored 950. So happy
upvoted 12 times

  Robert69 6 months, 3 weeks ago

Microsoft.Compute/virtualMachines/* grants access to all operations of virtual machines and its child resource types. So the answer must be N,Y,Y.
upvoted 1 times

  Liriano 7 months, 2 weeks ago

In exam today, go with highly voted
upvoted 5 times

  Gilad 7 months, 2 weeks ago

Was on exam 28 Oct 2022. 90% questions from examtopics. I answer N Y Y
upvoted 7 times

  rqFamily 6 months, 1 week ago

Hello, did you get any lab hands-on questions where you have to setup or configure anything or just multiple choice questions
upvoted 1 times

  Sukkelaar 7 months, 3 weeks ago

What about action line 5, "Microsoft.Compute/*/read", isnt that blocking the creation of vm's altogether?
upvoted 1 times

  Sukkelaar 7 months, 3 weeks ago

found out, ignore the question..:-)
upvoted 1 times

  polred 8 months ago

Agree. N, Y, Y should be the correct answer.
Box 1: Authorization actions are explicitly prohibit in the "NotAction" section.
For Box 2 and 3. In case of wildcards:
"Azure Resource Manager determines if the action in the API call is included in the roles the user has for this resource. If the roles include Actions
that have a wildcard (*), the effective permissions are computed by subtracting the NotActions from the allowed Actions."
Since there are no actions relating to VMs or network interfaces in the "NotAction" section and the user has the wildcard(*) permission for both, it
should be possible to deploy VM and set static IP addresses.
Ref: https://learn.microsoft.com/en-us/azure/role-based-access-control/overview
upvoted 6 times

  awssecuritynewbie 8 months, 2 weeks ago

I agree it is N, Y, Y
The Assigning of role is actually under the "NOT ACTIONS" so yeah it self explains lol
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 693/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Microsoft.Compute/virtualMachines/* / you are able to perform all actions under the authorization resource provider.
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 694/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #27 Topic 6

HOTSPOT -
You have an Azure subscription that contains the resources shown in the following table.

NSG1 is configured as shown in the following exhibit.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 695/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Correct Answer:

  qwerty100 Highly Voted  9 months, 1 week ago

I think is :

Yes
Yes
No
upvoted 39 times

  metafaim 9 months ago

I'm assuming that the NSG is applied to Subnet1.

Y. Outbound rules have 145 priority for allow storage1 access

Y. Inbound rules has default Vnet to Vnet allow so VM2 can access VM1. The deny rule 110 is for Internet traffic coming in.

N. We can see the NSG is associated to 1 subnet from the image.

upvoted 23 times

  yellowdot 3 months ago

Yes
No - since it's saying it's using the HTTPS protocol
"HTTPS ports are dedicated network ports that allow internet users to transmit data via a secure connection encrypted using an SSL/TLS
certificate. The most common examples are ports 443 and 8443."

No
upvoted 2 times

  klexams 7 months, 3 weeks ago

yep seems incomplete. it says it applies to 1 subnet but did not say which subnet.
upvoted 5 times

  alirasouli Highly Voted  7 months, 2 weeks ago

The question is incomplete. With some assumptions, we can answer the question.
Assumptions:
* VM1 is tied with subnet1
* VM2 is tied with subnet2
* NSG1 associated with subnet1
* storage1 is associated with VNet1

VM1 can access storage1. In addition to the "Storage_Access" outbound policy, we have "AllowVnetOutBound", which means all the traffic can be
safely exchanged from VM1 to storage1.

VM2 can access VM1 over the VNet. However, VM1 is banned from getting accessed through the internet because of the "HTTPS_VM1_Deny"
Inbound Policy. Thus VM2 cannot access VM1 by using the HTTPS protocol.

Based on the exhibit figure, NSG1 is just associated with one subnet.

So the answer is Yes-No-No.

upvoted 15 times

  FabrityDev 5 months ago

You are wrong, answer is Yes-Yes-No. Your explanation of Box 1 and Box3 is correct but for Box2 it is incorrect. You assumed that VM1 is in
Subnet1 and VM2 is in Subnet2 and you don't even have to assume that, just look at the IP addresses, they fit within subnets ranges.

So if both VMs are in the same VNET, why would you assume that "HTTPS_VM1_Deny" would block the connection, if it clearly says that it
blocks connections from Internet, not from inside the VNET?
upvoted 7 times

  BigLao 3 months ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 696/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

He's not assuming. we have been given the address spaces for each subnet and we also have ip addresses for each vm. this tells us which
subnet the vms belong
upvoted 1 times

  Rwj Most Recent  3 weeks, 4 days ago

YNN
@nd question asking for conncetion thru HTTPS, Port 443 is blocked, its not just saying can connect to VM1. in that case it will connect since in the
same Vnet but not thru internet.
upvoted 1 times

  yaboo1617 1 month, 3 weeks ago

yet another shitty question
upvoted 4 times

  Rams_84zO6n 2 months, 2 weeks ago

Observation: The rule name - HTTPS_VM1_Deny indicates it is intended to deny HTTPS access from internet to VM1 and has to be attached to
subnet1 on which VM1 resides. “1 subnets, 0 NICs” indicates that NSG1 is attached to subnet1 and not subnet2

First yes - storage1, by default allow all access. NSG1 outbound rule allows 443 access to storage from VNETs
Second Yes - VM2 on VNET2 outbound access to another VNET - no restriction. VM1 inbound access on 443 only restricted for internet sources,
not from VNET source
Third No - NSG1 is not applied to VM2 which is on subnet2. Both the VM2 NIC and subnet2 uses default rules and not NSG1 rules.
upvoted 6 times

  BigLao 3 months ago

The NSG is applied to subnet 1 alone.
based on the IP address spaces and IP addresses of VMs 1 and 2, they belong to subnets 1and 2 respectively.
my answer to this question is YYN
Y: an outbound rule clearly allows this
Y: an inbound rule clearly refuses https into VM1 but the source is the internet
N: NSG is applied to subnet one no the entire vnet

i stand to ne corrected
upvoted 3 times

  scomma 3 months ago

Y - NSG outbound 145 allows vnet resources to reach storage over 443
Y - VM1 443 port only blocked for internet
N - NSG config does not specify
upvoted 2 times

  SedateBloggs 3 months, 3 weeks ago

Factual: VM1 in Subnet1. VM2 in Subnet 2.
Surmised: NSG applies to Subnet 1 (due to the inbound rule 110 listing destination 10.3.0.15)
VM1 can access storage1 Yes. outbound rule 145 showing destination as storage (not sure why it lists port 443 for it)
VM2 can access VM1 using https. Yes . Outbound default rule 65000.
NSG1 apply to any VM in VNet1. No as applies to subnet 1 only.
upvoted 1 times

  curtmcgirt 3 months, 3 weeks ago

how can you mention "inbound rule 110 listing destination 10.3.0.15" in the same comment as "vm2 can access vm1 using https?"
upvoted 1 times

  JayLearn2022 3 months, 4 weeks ago

I see people saying the question is incomplete but the point of the question is to see if you are paying attention enough to know what you think is
missing.

Note:
NSG1 Applies to Subnet1 only.

Yes - VM1 can access the Storage account because there is nothing blocking it the on the virtual network. There is a rule that actually allows
outbound access to storage.

Yes- VM2 is on the Same VNET there is nothing blocking access to it from VM1 on the Virtual network. The Deny rule for HTTPS_VM1_Deny is for
inbound connections from the internet.

No- You have a Inbound deny rule for VM1 from the the internet with a destination of the 10.3.0.15 which is in Subnet1. This proves the NSG is
associated to Subnet1 and only subnet one because the image shows it is connected to only 1 subnet. VM2 is on Subnet2 which you can
determined by its IP address. This means that NSG1 does not apply to VM2.
upvoted 12 times

  Rams_84zO6n 2 months, 2 weeks ago

You explained everything. Thank you.
upvoted 1 times

  zellck 4 months ago

YYN is the answer.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 697/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview#default-security-rules
upvoted 2 times
  rpalanivel83 5 months ago
Since there is no information on subnet mapping in this question, we have to consider the IP address. IP address for VM1 is 10.3.0.15 which is
assigned to destination of Inbound rule. So, the NSG1 is assigned to subnet1.

If so, the answer would be Yes; Yes; No

upvoted 2 times

  Aanandan 5 months, 3 weeks ago

In question they didn't mentioned for which subnet NSG is associated.. We cant able to assume whether is associate to subnet 1 or subnet.. How
we find that.. please anyone suggest
upvoted 1 times

  P123123 5 months ago

- The image shows that the NSG is associated with 1 subnet.
- The NSG inbound rule "HTTPS_VM1_Deny" has a destination of 10.3.0.15, which is the IP address of VM1, which is within Subnet1

=> Combined, these imply that the NSG is associated with Subnet1 only
upvoted 4 times

  spike15_mk 6 months ago

Correct Answer:
YES - VM1 can access to storage1 with the rule 145 from Outbound Security Rules
YES - When traffic is outbound from VMs, always we are checking Outbound Rules not Inbound Security Rules. Default rule 65000 allow that
NO- this NSG1 is associated with 1 subnet in our case Subnet 1 because there are rules for VM1
upvoted 5 times

  awssecuritynewbie 8 months, 2 weeks ago

Yes , No , no

You can access the storage account as you can see the first outbound rule is allowing it on port 443

the traffic for inbound from vm1 to vm2 you can see vm1 inbound traffic is denying anything from the internet to the source IP of Vm1.. on port
443. we do not know if VM2 is part of the same VNET! so if anyone can tell me if vm2 is actually part of the same VNET or we just assuming?

Any VM associated with the VNET would get the same NSG is not true as it is associated with only ONE SUBNET
upvoted 6 times

  klexams 7 months, 2 weeks ago

the 2nd is YES regardless, the block is for Source: Internet, not VM2.
upvoted 2 times

  awssecuritynewbie 8 months, 2 weeks ago

so yeah the subnet 2 is part of vnet1 which it means the second option is Yes!! because the inbound rule only deny applies to internet coming
into Vm1. VM2 would access vm1 without following under the internet as source.
upvoted 2 times

  FabrityDev 5 months ago

I don't they would go as far as giving VMs IP addresses that fit within subnets IP ranges only to trick us.
upvoted 1 times

  gonzalobd 8 months, 3 weeks ago

IMPORTANT DETAIL: destination of first inbound rule is an ip of subnet 1. So no need to specify that nsg1 applies to subnet 1
upvoted 5 times

  kayyaly 8 months, 4 weeks ago

Yes
Yes
No
upvoted 3 times

  randy0077 9 months ago

Hi Admin, Could you please verify if this question is complete?
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 698/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #28 Topic 6

A. Select Use the remote virtual network's gateway or Route Server on VNet1 to VNet2 peering.

B. Select Use the remote virtual network s gateway or Route Server on VNet2 to VNet1 peering.

C. Download and re-install the VPN client configuration package on Client1.

D. Enable BGP on VPNGW1.

Correct Answer: C

Community vote distribution

C (100%)

  JN62 Highly Voted  9 months ago

After changes in topology it is needed to re-install the VPN client
Answer is C
upvoted 13 times

  humnahibataynge Highly Voted  9 months, 2 weeks ago

Selected Answer: C
correct answer C
upvoted 8 times

  Pakawat Most Recent  23 hours, 42 minutes ago

Again question
upvoted 1 times

  zellck 4 months ago

Selected Answer: C
C is the answer.

https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-point-to-site-routing
If you make a change to the topology of your network and have Windows VPN clients, the VPN client package for Windows clients must be
downloaded and installed again in order for the changes to be applied to the client.
upvoted 2 times

  er101q 4 months, 1 week ago

B. Select Use the remote virtual network's gateway or Route Server on VNet2 to VNet1 peering.

This option allows communication between VNet1 and VNet2 through the VPN gateway in VNet1. With this configuration, Client1 can connect to
VNet2 through the VPN connection to VNet1. It's important to select this option on the VNet2 to VNet1 peering to ensure that the traffic flows
properly between the two virtual networks.
Option C (Download and re-install the VPN client configuration package on Client1) is not relevant to the issue of connecting Client1 to VNet2. The
issue is related to the virtual network peering configuration between VNet1 and VNet2, and downloading and re-installing the VPN client
configuration package on Client1 is unlikely to resolve the issue. Option B (Select Use the remote virtual network's gateway or Route Server on
VNet2 to VNet1 peering) addresses the root cause of the issue by allowing traffic to flow between the two virtual networks through the VPN
gateway in VNet1.
upvoted 1 times

  meeko86 5 months, 4 weeks ago

Selected Answer: C
Answer C: Download and re-install the VPN client configuration package on Client1.
If you make a change to the topology of your network and have Windows VPN clients, the VPN client package for Windows clients must be
downloaded and installed again.
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-point-to-site-routing
upvoted 2 times

  chostes 7 months ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 699/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Same question as Topic5 Question9 Nov2022

upvoted 2 times

  LiamAzure 7 months, 2 weeks ago

Selected Answer: C
Peering was made after the VPN client was already installed. Re-install the vpn client due to the changes
upvoted 1 times

  klexams 7 months, 2 weeks ago

C - need to reinstall vpn config again if you make changes on the vpn.
upvoted 1 times

  kayyaly 9 months, 1 week ago

Selected Answer: C
C correct
upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 700/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #29 Topic 6

HOTSPOT -
You have two Azure subscriptions named Sub1 and Sub2. Sub1 is in a management group named MG1. Sub2 is in a management group named
MG2.
You have the resource groups shown in the following table.

You have the virtual machines shown in the following table.

You assign roles to users as shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

  James3958904 Highly Voted  9 months, 2 weeks ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 701/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

I think the answers should be: N N N

1. User1 can sign in to VM1
No
User1 is assigned as Virtual Machine Contributor in MG1.
And Virtual Machine Contributor can't log in to VM as a regular user.

2. User2 can manage disks and disk snapshots of VM1

No
Since User2 only has Virtual Machine User in Sub1, so he can log in to VM1 but can't manage disks or snapshots

3. User2 can manage disks and disk snapshots of VM3

No
Virtual Machine Contributor only has permission to manage disks, but not disk snapshots (Disk Snapshot Contributor permission)
upvoted 54 times

  daws08322 4 months, 1 week ago

What is Virtual Machine Contributor role good for in Azure?
Experience Level: Senior
Tags: Azure CloudAzure Virtual Machines
Answer
Create and manage virtual machines,
manage disks and disk snapshots,
install and run software,
reset password of the root user of the virtual machine using VM extensions,
and manage local user accounts using VM extensions.
This role does not grant you management access to the virtual network or storage account the virtual machines are connected to.

This role does not allow you to assign roles in Azure RBAC.
upvoted 2 times

  flurgen248 7 months, 4 weeks ago

I think you're right. Virtual Machine contributor does have some Recovery Services permissions, but none for SnapShots.

NNN

https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#virtual-machine-contributor
upvoted 4 times

  Ravi1383 8 months ago

User1 can sign in to VM1
No - Only for classic VM contributor!

Classic Virtual Machine Contributor Lets you manage classic virtual machines, but not access to them, and not the virtual network or storage
account they're connected to.

Virtual Machine Contributor Create and manage virtual machines, manage disks, install and run software, reset password of the root user of the
virtual machine using VM extensions, and manage local user accounts using VM extensions. This role does not grant you management access to
the virtual network or storage account the virtual machines are connected to. This role does not allow you to assign roles in Azure RBAC.
upvoted 2 times

  yfontana 7 months, 3 weeks ago

Virtual Machine Contributor doesn't include the data action Microsoft.Compute/virtualMachines/login/action, which is what's required to
login to a VM.

Compare https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#virtual-machine-contributor and

https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#virtual-machine-user-login
upvoted 2 times

  James3958904 9 months, 2 weeks ago

refer:
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
upvoted 4 times

  jellybiscuit Highly Voted  8 months, 3 weeks ago

N - effective rights are virtual machine contributor. This doesn't grant login.
N - effective rights are virtual machine login. This doesn't grant disk management.
N - effective rights are virtual machine contributor. This does not grant snapshot access.
upvoted 17 times

  airmancompsci 7 months, 1 week ago

What about the Virtual Machine User Login role that User1 is granted through Sub1? Since VM1 is in Sub1, won't User1 be able to access it
since it is in the same subscription? I see everyone putting "No" for the first one, and I just want to know why the Virtual Machine User Login
doesn't work.
upvoted 1 times

  Lexxsuse 5 months, 3 weeks ago

User1 is granted login through Sub2, not Sub1
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 702/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  Doman01 Most Recent  2 months, 3 weeks ago

https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#virtual-machine-contributor

Compare those rights with https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#disk-snapshot-contributor for answer

3 - NO VM contributor does not have snapshots/ rights

And with https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#virtual-machine-user-login for Answer 1 VM

Contributor does not have login/ in data actions

So answers:

NO
NO
NO
upvoted 1 times

  gunHO 3 months ago

Virtual machine contributor Role:
Create and manage virtual machines,
manage disks and disk snapshots,
install and run software,
reset password of the root user of the virtual machine using VM extensions,
and manage local user accounts using VM extensions.
This role does not grant you management access to the virtual network or storage account the virtual machines are connected to.
Based on the above user 2 can manage disks and disk snapshots on VM3. The key is ON vm 3, not the storage account, which user 3 does not have
permissions for.

This role does not allow you to assign roles in Azure RBAC.
upvoted 2 times

  User 3 months, 3 weeks ago

I've just completed the test 23/02/2023. Scored 930/1000. Thanks to Exam Topics site. Prepare all the questions from this site including discussions
and spend much time to study about the similar questions well. Best of luck!!
upvoted 4 times

  zellck 4 months ago

NNN is the answer.

https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#virtual-machine-contributor
upvoted 2 times

  Bigc0ck 5 months, 1 week ago

Very similar question on the test, make sure to remember it
upvoted 3 times

  BShelat 5 months, 1 week ago

N, N, N
upvoted 1 times

  spike15_mk 6 months ago

CORRECT ANSWER

YES - User1 is Virtual Machine Contributor on MG1. That means he has this role on every VMs under MG1. In our case it is MG1/Sub1/RG1/VM1.
Virtual Machine Contributor- Create and manage virtual machines, manage disks, install and run software, reset password of the root user of the
virtual machine using VM extensions, and manage local user accounts using VM extensions. This role does not grant you management access to
the virtual network or storage account the virtual machines are connected to. This role does not allow you to assign roles in Azure RBAC.

NO- User2 has only Virtual Machine User Login on Sub1( Sub1/RG1/VM1).
Virtual Machine User Login- View Virtual Machines in the portal and login as a regular user. Only read the Public IP addresses ,Virtual Networks,
LoadBalancers, Network Interfaces, VMs,
Hybrid Compute/machines and list credentials for endpoints. Also can Login to Virtual Machine and Hybrid Compute Machines.

YES- User2 has Virtual Machine Contributor on MG2 (MG2/Sub2/RG2/VM2 and VM3) .
upvoted 7 times

  FabrityDev 5 months ago

You are wrong, Contributor cannot log in to VM so the first is NO.
upvoted 1 times

  avicrj 4 months, 2 weeks ago

How can a contributor install apps and manage vms without login ?
https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
upvoted 4 times

  RougePotatoe 4 months ago

Well if you actually looked at your own link you would know.

Virtual machine contributor

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 703/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

"Lets you manage virtual machines, but not access to them, and not the virtual network or storage account they're connected to."
dataActions": [],

https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#virtual-machine-user-login

Virtual machine user login

"View Virtual Machines in the portal and login as a regular user.",
"dataActions": [
"Microsoft.Compute/virtualMachines/login/action",
"Microsoft.HybridCompute/machines/login/action"
],

https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#virtual-machine-user-login
upvoted 2 times

  Benzitho 1 month, 1 week ago

Classic Virtual Machine Contributor :" Lets you manage VMs, but not access them..." That's the old concept referring to VMs managed
by ASM (Azure Service Manager ). Contributor Roles allows everything except assigning roles to others .
upvoted 1 times

  klexams 7 months, 2 weeks ago

N - to sign in you need "VM user login". so.. NOT to VM1 coz VM1 is in Sub1 > RG1.
N - user2 is vm contributor on MG2 > Sub2 > VM2. Not VM1.
N - user2 is vm contributor on MG2 > Sub2 > VM3. but apparently contributor cannot do disk snapshot.
upvoted 5 times

  klexams 7 months, 2 weeks ago

  Ravi1383 8 months ago

Correct answer - 1. Y
2. N
3. N
upvoted 2 times

  FabrityDev 5 months ago

Wrong, first is NO
upvoted 2 times

  randy0077 8 months, 3 weeks ago

role can manage disk but cant take snapshot of disk.
upvoted 3 times

  randy0077 8 months, 3 weeks ago

  Bobby1977 8 months, 3 weeks ago

for the 3rd one, User2 has VM Contributor permission at MG2 and at VM level, he is VM user. So thinking like 3rd one is Yes. NNY?
upvoted 3 times

  JN62 9 months ago

The Virtual machine contributor role lets you manage virtual machines, but not access their operating system or manage the virtual network and
storage account they are connected to.

Virtual Machine User Login: Users who have this role assigned can log in to an Azure virtual machine with regular user privileges.

I think answers should be: N N N

upvoted 3 times

  Bobby1977 9 months ago

for me also it is NNN
upvoted 3 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 704/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #30 Topic 6

You have an Azure Active Directory (Azure AD) tenant that is linked to 10 Azure subscriptions.
You need to centrally monitor user activity across all the subscriptions.
What should you use?

A. Azure Application Insights Profiler

B. access reviews

C. Activity log filters

D. a Log Analytics workspace

Correct Answer: D

Community vote distribution

D (100%)

  klexams Highly Voted  7 months, 2 weeks ago

Selected Answer: D
keywords are "centrally monitor" and "all subs"
upvoted 9 times

  LiamAzure 7 months, 2 weeks ago

Can you explain why those giveaway its Log Analytics Workspace?
upvoted 1 times

  mung 6 months, 3 weeks ago

Log Analytics can monitor any resources regardless of the location of the resources.
So It's the only one that can do central monitoring.
upvoted 7 times

  mung 6 months, 3 weeks ago

Because Log Analytics gathers user activity logs from your Azure Service.
upvoted 1 times

  CyberKelev Most Recent  3 months, 2 weeks ago

Selected Answer: D
D. a Log Analytics workspace.
upvoted 1 times

  zellck 4 months ago

Selected Answer: D
D is the answer.

https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log?tabs=powershell#send-to-log-analytics-workspace
Send the activity log to a Log Analytics workspace to enable the Azure Monitor Logs feature, where you:
- Consolidate log entries from multiple Azure subscriptions and tenants into one location for analysis together.
upvoted 4 times

  Mo22 4 months, 3 weeks ago

Selected Answer: D
To centrally monitor user activity across all the Azure subscriptions, you should use a Log Analytics workspace. The Azure Activity Log, which is
available in the Log Analytics workspace, allows you to view and analyze activity logs from Azure resources, including Azure AD, across all the
subscriptions linked to your Azure AD tenant.
upvoted 1 times

  Lu5ck 8 months, 2 weeks ago

Monitor user activity & Alert rules (Q18) = Log Analytics workspace
upvoted 2 times

  kayyaly 8 months, 4 weeks ago

Selected Answer: D
D is correct
upvoted 1 times

  pythonier 9 months, 1 week ago

I think answer is C, activity log tells you what task has been done within your subscription and which user performed the action.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 705/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 2 times

  pythonier 9 months, 1 week ago

nevermind, you can send the activity logs to log analytics workspace and get the logs from there. D is correct IMO:
https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log?tabs=powershell
upvoted 4 times

  humnahibataynge 9 months, 2 weeks ago

Selected Answer: D
Correct
https://techcommunity.microsoft.com/t5/azure-observability/log-analytics-workspace-with-multiple-subscription/m-p/324805
upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 706/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #31 Topic 6

DRAG DROP -
You have an Azure subscription that contains a virtual machine name VM1.
VM1 has an operating system disk named Disk1 and a data disk named Disk2.
You need to back up Disk2 by using Azure Backup.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and
arrange them in the correct order.
Select and Place:

Correct Answer:

  metafaim Highly Voted  9 months ago

Azure Recovery Services vaults can protect the following types of datasources:

Azure Virtual machines

SQL in Azure VM
Azure Files (Azure Storage)
SAP HANA in Azure VM
Azure Backup Server
Azure Backup Agent
DPM

Azure Backup vaults can protect the following types of datasources:

Azure Database for PostgreSQL servers

Azure Blobs (Azure Storage)
Azure Disks
Kubernetes Service
AVS Virtual machines
upvoted 53 times

  Babushka 7 months ago

Good info
upvoted 4 times

  kerimnl Highly Voted  9 months, 1 week ago

Correct Answer:
1- Create an Azure backup vault.
2- Create a backup policy and configure the backup
3- Configure a managed identity

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 707/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Link: https://docs.microsoft.com/en-us/azure/backup/backup-managed-disks#:~:text=Review%20%2B%20create.-,Configure%20backup,-
Azure%20Disk%20backup
upvoted 32 times
  soild79 Most Recent  3 months ago
Got this in Mar 23 exam. Good lucks guys
upvoted 9 times

  zellck 4 months ago

1. Create an Azure Backup vault.
2. Create a backup policy and configure the backup.
3. Configure a managed identity.

https://learn.microsoft.com/en-us/azure/backup/backup-managed-disks
upvoted 6 times

  zellck 4 months ago

Got this in Feb 2023 exam.
upvoted 8 times

  klexams 7 months, 2 weeks ago

1 Create an Azure backup vault.
2 Create a backup policy and configure the backup
3 Configure a managed identity
first 2 was no brainer, the 3rd threw me a bit but confirmed below.
Azure disk backup:
Backup vault uses managed identity to access other Azure resources.
upvoted 24 times

  klexams 7 months, 2 weeks ago

https://learn.microsoft.com/en-us/azure/backup/backup-managed-disks
upvoted 2 times

  awssecuritynewbie 8 months ago

This article explains how to back up Azure Managed Disk from the Azure portal.

In this article, you'll learn how to:

Create a Backup vault

Create a backup policy

Configure a backup of an Azure Disk

Run an on-demand backup job

upvoted 3 times

  awssecuritynewbie 8 months ago

ref https://learn.microsoft.com/en-us/azure/backup/backup-managed-disks
upvoted 2 times

  adrianspa 8 months ago

https://azurealan.ie/2022/05/31/azure-backup-recovery-services-vault-versus-backup-vault/
upvoted 2 times

  aaaabb 9 months ago

Correct Answer: 1)Azure backup vault, 2) backup policy 3) managed identity
Azure disks are only supported in Azure backup vault. Recovery service vault does not support disks as a data source.
https://docs.microsoft.com/en-us/answers/questions/405915/what-is-difference-between-recovery-services-vault.html
upvoted 5 times

  akavoor 9 months ago

Answer is correct - https://docs.microsoft.com/en-us/azure/backup/backup-managed-
disks#:~:text=Review%20%2B%20create.-,Configure%20backup,-Azure%20Disk%20backup
upvoted 1 times

  Bobby1977 9 months, 1 week ago

The correct answer will be
1. Create Recovery Service Vault (it has Azure Backup and Azure Site Recovery)
2. Create Azure Backup Vault
3. Create backup policy and configure the backup
upvoted 8 times

  James3958904 9 months, 2 weeks ago

The answer is correct
Reference:
https://www.cloudiqtech.com/how-to-backup-and-restore-azure-managed-disks-using-azure-backup-vault/
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 708/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 709/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #32 Topic 6

You have a subnet named Subnet1 that contains Azure virtual machines. A network security group (NSG) named NSG1 is associated to Subnet1.
NSG1 only contains the default rules.
You need to create a rule in NSG1 to prevent the hosts on Subnet1 form connecting to the Azure portal. The hosts must be able to connect to
other internet hosts.
To what should you set Destination in the rule?

A. Application security group

B. IP Addresses

C. Service Tag

D. Any

Correct Answer: C

Community vote distribution

C (100%)

  bernardwk3 Highly Voted  9 months, 2 weeks ago

You can use service tags to achieve network isolation and protect your Azure resources from the general Internet while accessing Azure services
that have public endpoints. Create inbound/outbound network security group rules to deny traffic to/from Internet and allow traffic to/from
AzureCloud or other available service tags of specific Azure services.

https://docs.microsoft.com/en-us/azure/virtual-network/service-tags-overview
upvoted 16 times

  klexams Highly Voted  7 months, 2 weeks ago

C - "Azure portal" is in the list of Service tag.
upvoted 11 times

  OrangeSG Most Recent  6 months, 2 weeks ago

Selected Answer: C
A service tag represents a group of IP address prefixes from a given Azure service. Microsoft manages the address prefixes encompassed by the
service tag and automatically updates the service tag as addresses change, minimizing the complexity of frequent updates to network security
rules.
You can use service tags to define network access controls on network security groups, Azure Firewall, and user-defined routes. Use service tags in
place of specific IP addresses when you create security rules and routes

Reference
Virtual network service tags
https://learn.microsoft.com/en-us/azure/virtual-network/service-tags-overview
upvoted 5 times

  awssecuritynewbie 8 months, 2 weeks ago

Selected Answer: C
service tag enables you to be very specific on the service you are bloking.
upvoted 2 times

  kayyaly 9 months, 1 week ago

Selected Answer: C
C correct
upvoted 2 times

  HMO 9 months, 1 week ago

Selected Answer: C
You can use service tags to achieve network isolation and protect your Azure resources from the general Internet while accessing Azure services
that have public endpoints
upvoted 4 times

  HMO 9 months, 1 week ago

You can use service tags to define network access controls on network security groups, Azure Firewall, and user-defined routes
upvoted 4 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 710/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #33 Topic 6

You have an Azure subscription named Subscription1 that contains an Azure Log Analytics workspace named Workspace1.
You need to view the error events from a table named Event.
Which query should you run in Workspace1?

A. search in (Event) "error"

B. Event | where EventType is "error"

C. select * from Event where EventType == "error"

D. Get-Event Event | where {$_.EventType == "error"}

Correct Answer: A

Community vote distribution

A (86%) 14%

  virgilpza Highly Voted  9 months, 1 week ago

In this case the answer is A
other options are:
1. Event | search "error"
2. Event | where EventType == "error"
3. search in (Event) "error"
upvoted 31 times

  meeko86 6 months, 1 week ago

The first and third option works. The second option did not work for me. EventType does not exist. However this worked for me: Event | where
EventLevelName == "Error"
upvoted 2 times

  Cowsarered Highly Voted  9 months, 2 weeks ago

Selected Answer: A
Answer is Correct
upvoted 11 times

  AnKiLa Most Recent  4 months ago

Selected Answer: A
Correct answer is A. Answer B is wrong because the operator 'is' is not valid. Instead we have to use '=='. See https://learn.microsoft.com/en-
us/azure/data-explorer/kusto/query/datatypes-string-operators
upvoted 4 times

  er101q 4 months, 1 week ago

Option B is correct because it is written in the Log Analytics query language, which is used to query data in an Azure Log Analytics workspace. The
query uses the "Event" table and filters the results to only include events with an "EventType" of "error".

The other options are not written in the Log Analytics query language and would not work as written in a Log Analytics workspace.
upvoted 2 times

  Mo22 4 months, 1 week ago

Selected Answer: B
Option B is the correct query to use in Azure Log Analytics to view error events from a table named Event.

The syntax for Azure Log Analytics queries uses a pipeline style and typically begins with the name of the table, in this case "Event", followed by
one or more operators, in this case the "where" operator, which filters the results based on the specified criteria. The correct syntax would be:

Event | where EventType is "error"

upvoted 3 times

  vishalgu 4 months, 3 weeks ago

option B.
explanation:- In Azure Log Analytics, you use the "Kusto Query Language" (KQL) to query the data stored in a Log Analytics workspace. To view the
error events from the table named "Event" in Workspace1, you should run the following query:
Event | where EventType is "error"

This query will filter the "Event" table to only show the events where the "EventType" is "error" and you will be able to see all the events with errors.
upvoted 1 times

  mahesha9449295905 3 months, 1 week ago

corrrect

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 711/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 1 times
  ccemyilmazz 4 months, 3 weeks ago
Selected Answer: A
1. Event | search "error"
2. Event | where EventType = "error"
3. search in (Event) "error"
upvoted 3 times

  klexams 7 months, 2 weeks ago

A. search in (Event) "error"
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 712/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #34 Topic 6

You have an Azure App Service web app named App1.

You need to collect performance traces for App1.
What should you use?

A. Azure Application Insights Profiler

B. the Activity log

C. the Deployment center

D. the Diagnose and solve problems settings

Correct Answer: B

Community vote distribution

A (100%)

  F117A_Stealth Highly Voted  9 months, 2 weeks ago

Selected Answer: A
"With Application Insights Profiler, you can capture and view performance traces for your application in all these dynamic situations, automatically
at-scale, without negatively affecting your end users."

https://docs.microsoft.com/en-us/azure/azure-monitor/profiler/profiler-overview
upvoted 33 times

  SIAMIANJI Most Recent  3 weeks, 1 day ago

Selected Answer: A
A is correct.
upvoted 1 times

  Andrew04 3 months ago

Selected Answer: A
https://learn.microsoft.com/en-us/azure/azure-monitor/profiler/profiler-overview
upvoted 2 times

  zellck 4 months ago

Selected Answer: A
A is the answer.

https://learn.microsoft.com/en-us/azure/azure-monitor/profiler/profiler-overview
With Application Insights Profiler, you can capture and view performance traces for your application in all these dynamic situations, automatically
at-scale, without negatively affecting your end users.
upvoted 2 times

  Shipada 4 months, 2 weeks ago

Selected Answer: A
Should be A
upvoted 1 times

  klexams 7 months, 2 weeks ago

A. Azure Application Insights Profiler
upvoted 4 times

  klexams 7 months, 2 weeks ago

With Application Insights Profiler, you can capture and view performance traces for your application in all these dynamic situations,
automatically at-scale, without negatively affecting your end users
upvoted 1 times

  tahirMScert 8 months, 3 weeks ago

A. Azure Application Insights Profiler

https://learn.microsoft.com/en-us/azure/azure-monitor/profiler/profiler-overview
upvoted 4 times

  hatoom2006 6 months, 4 weeks ago

In the question mentioned to collect not to view performance traces which you may find it in activity log
upvoted 3 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 713/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  kerimnl 9 months, 1 week ago

Selected Answer: A
A. Azure Application Insights Profiler
upvoted 4 times

  DanishHassan 9 months, 1 week ago

Answer is A
upvoted 2 times

  humnahibataynge 9 months, 2 weeks ago

Selected Answer: A
Azure Application Insights Profiler
upvoted 2 times

  Dannxx 9 months, 2 weeks ago

Should be A
upvoted 3 times

  Dannxx 9 months, 2 weeks ago

With Application Insights Profiler, you can capture and view performance traces... @https://docs.microsoft.com/en-us/azure/azure-
monitor/profiler/profiler-overview
upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 714/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #35 Topic 6

You have an Azure subscription that contains the storage accounts shown in the following table.

You deploy a web app named App1 to the West US Azure region.

You need to back up App1. The solution must minimize costs.

Which storage account should you use as the target for the backup?

A. storage1

B. storage2

C. storage3

D. storage4

Correct Answer: D

Community vote distribution

B (76%) A (24%)

  khaled_razouk Highly Voted  5 months, 1 week ago

Selected Answer: B
To minimize costs, you should use the storage account that is in the same region as the web app that you are backing up. In this case, the web app
is in the West US region, so you should use storage2
upvoted 28 times

  Muffay Highly Voted  5 months, 1 week ago

Selected Answer: A
Let me correct my previous vote, I will go for A.

We can backup to any region.

https://learn.microsoft.com/en-us/azure/storage/common/storage-account-upgrade?tabs=azure-portal
General-purpose v2 accounts deliver the lowest per-gigabyte capacity prices for Azure Storage
upvoted 6 times

  chikorita 4 months ago

what the about the DATA TRANSFER charges that we incur for cross-region transfer between regions
upvoted 17 times

  Exilic Most Recent  1 month, 1 week ago

Selected Answer: B
OpenAI

"Since you need to back up a web app named App1 deployed to the West US Azure region and you want to minimize costs, you should choose a
storage account in the same region as the web app.

Out of the available options, only storage2 and storage3 are located in the West US region. Among these two, Blob Storage (storage2) is the most
cost-effective option for storing backups.

Therefore, the correct answer is B. storage2."

upvoted 1 times

  5864619 1 month, 3 weeks ago

This is confusing as F*ck. The ETE states Storage 4 and everyone and their mothers are saying A to B. How are we supposed to know which one is
correct if there is 3 possible answers to the question?
upvoted 4 times

  Rams_84zO6n 2 months, 2 weeks ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 715/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Selected Answer: A
I know - we have the storage cost vs access cost dilemma. GPv2 gives lowest storage cost. Here we use the storage account for backup of webapp,
not to serve assets to a CDN site, so i don't think we need to worry about minimizing the access cost. Only need to focus on minimizing storage
cost.
upvoted 1 times

  SD_Coordinator 3 months ago

Sharing ChatGPT's answer with you guys.

To minimize the cost of the backup solution, you should choose the storage account that is located in the same region as the web app. In this case,
the web app is located in the West US region, so the best option for the backup target would be storage2 or storage3, which are also located in
West US.

However, since storage2 is a BlobStorage account type and storage3 is a BlockBlobStorage account type, you should consider the specific
requirements of your backup solution. If your backup needs to store only block blobs, then storage3 would be the more appropriate choice. On the
other hand, if your backup requires different types of blobs (page blobs, append blobs, and block blobs), then storage2 might be a better fit.

Therefore, the best option for the backup target would be either storage2 or storage3, depending on the specific requirements of your backup
solution.
upvoted 4 times

  Zemar 2 months, 4 weeks ago

freaking awesome lol
upvoted 1 times

  djgodzilla 3 months, 1 week ago

Selected Answer: A
This has better explanation regarding region agnostic storage for app custom backups (only automatic backups are stored in same region by
default) .
https://stackoverflow.com/a/74794083
this is on top of the fact that General-purpose v2 storage has lowest per-gigabyte capacity prices.
upvoted 1 times

  ConanBarb 3 months, 2 weeks ago

I would go for A since it is GPv2 even though its not the closest.
Not B: Microsoft recommends Standard GPv2 instead of legacy Standard Blob Storage.
Not C or D: BlockBlobStorage and FileStorage means premium = expensive
upvoted 2 times

  JayLearn2022 3 months, 3 weeks ago

Explanation
Correct Answer: A

In Backup Configuration tutorial it is mentioned that:

"In Storage account, select an existing storage account (in the same subscription) or select Create new. Do the same with Container."

It is not mentioned that it has to be in the same location. So general-purpose is available and cheapest.

General-purpose v2 accounts deliver the lowest per-gigabyte capacity prices for Azure Storage

Reference:

https://learn.microsoft.com/en-us/azure/app-service/manage-backup?tabs=portal

https://learn.microsoft.com/en-us/azure/storage/common/storage-account-upgrade?tabs=azure-portal
upvoted 3 times

  zellck 4 months ago

Selected Answer: B
B is the answer.

Backup to same region and non-premium BlobStorage

upvoted 2 times

  AndreaStack 4 months ago

Selected Answer: B
In a general scenario like this, not depending on specific requirements and trade-offs, it's best to use a storage account LOCA
TED IN THE SAME REGION AS THE WEB APP to minimize data transfer costs and reduce latency, which can result in cost savings. Therefore, in this
case, using Stor-age2, which is a Blob Storage account located in the West US region, would be the better choice to minimize costs (B).

By using a storage account in the same region as the web app, you can reduce data transfer costs as data transfers between storage accounts
within the same region are usually cheaper than transfers between different regions. Additionally, using a storage account in the same region can
reduce latency, making the backup process faster and more efficient.
upvoted 3 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 716/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  GBAU 4 months ago

So what saves you more, less data transfer in the backup to get to another region, or lower cost storage?
upvoted 1 times

  er101q 4 months, 1 week ago

Option C, storage3, is the best choice for the target of the backup because it is located in the same region as the web app (West US) and is of the
"BlockBlobStorage" kind, which is well-suited for unstructured data such as backups.

By using a storage account in the same region as the web app, you minimize the latency and costs associated with transferring data across regions.
BlockBlobStorage is more cost-effective than StorageV2 (storage1) and FileStorage (storage4) and provides the functionality needed for backing up
unstructured data.

Using storage3 as the target for the backup will minimize costs while ensuring that the backup is stored in the same region as the web app for low-
latency access.
upvoted 1 times

  er101q 4 months, 1 week ago

my bad, I'm sorry. answer is B. The target storage account for the backup should be the one that is closest to the location of the deployed web
app to minimize costs and ensure fast and efficient data transfer. Since the web app named App1 is deployed in the West US region, storage2,
which is also in the West US region, should be used as the target for the backup. This will minimize the costs associated with data transfer and
ensure the backup process is efficient.
upvoted 1 times

  GBAU 4 months ago

but storage3 is also in West US.
The question is really now only if it should be Blob or BlockBlob
upvoted 1 times

  RougePotatoe 4 months ago

Block blob is only available in premium. Unless there is a specific need for block blob, which I can't come up with any, the cheapest option
is blob storage.

https://learn.microsoft.com/en-us/azure/storage/blobs/storage-blobs-introduction#storage-accounts
upvoted 2 times

  RDNEA 4 months, 1 week ago

Selected Answer: B
I agree with khaled_razouk
upvoted 1 times

  Exilic 4 months, 2 weeks ago

50/50 on this question for votes.
upvoted 1 times

  Mo22 4 months, 3 weeks ago

Selected Answer: B
Azure Blob storage is generally considered to be the more cost-effective option for storing backups of a web app.

Azure Blob storage has several different storage tiers, including Hot, Cool, and Archive, each with different pricing models. The Cool storage tier is
designed for infrequent access data and has the lowest storage costs. This makes it the most cost-effective option for storing backups of a web
app.
upvoted 3 times

  FabrityDev 5 months ago

Selected Answer: A
I'd go with A.

In Backup Configuration tutorial it is mentioned that:

"In Storage account, select an existing storage account (in the same subscription) or select Create new. Do the same with Container."

It is not mentioned that it has to be in the same location. So general-purpose is available and cheapest.

https://learn.microsoft.com/en-us/azure/app-service/manage-backup?tabs=portal
upvoted 2 times

  vitodobra 5 months ago

Selected Answer: B
la mas esconomica es la B porque hay que tener encuenta el trafico del backup
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 717/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #36 Topic 6

HOTSPOT
-

You have an Azure subscription that is linked to an Azure AD tenant. The tenant contains two users named User1 and User2.

The subscription contains the resources shown in the following table.

The subscription contains the alert rules shown in the following table.

The users perform the following action:

• User1 creates a new virtual disk and attaches the disk to VM1
• User2 creates a new resource tag and assigns the tag to RG1 and VM1

Which alert rules are triggered by each user? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 718/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Correct Answer:

  MightyMonarch74 Highly Voted  3 months, 4 weeks ago

Tested in a lab.
User 1 - Alert 1 and Alert 2 fired
Alert 1 operations:
Microsoft.Compute/virtualMachines/write
Microsoft.Compute/disks/write

Alert 2 operations:
Microsoft.Compute/virtualMachines/write

User 2 - Alert 1 fired

Alert 1 operations:
Microsoft.Resources/tags/write
upvoted 24 times

  xRiot007 1 week, 4 days ago

So assigning a tag is not an administrative operation ? This doesn't look very human readable on Microsoft's part. Tags are used in many admin
operations, including cost management.
upvoted 1 times

  Zemar 2 months, 4 weeks ago

Thanks very much for this :)
upvoted 1 times

  JayLearn2022 3 months, 4 weeks ago

Thank you for this information
upvoted 2 times

  FabrityDev Highly Voted  5 months ago

Please correct me if I'm linking a wrong resource but according to
https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log-schema#administrative-category

"Every action taken by a user or application using Resource Manager is modeled as an operation on a particular resource type. If the operation type
is Write, Delete, or Action, the records of both the start and success or fail of that operation are recorded in the Administrative category.
Administrative events also include any changes to Azure role-based access control in a subscription."

Therefore operations described in this question are administrative operations. So First selection should be only Alert2 as it is related only to VM,
and second selection should be Alert1 and Alert2 as operation relates to both RG and VM.
upvoted 10 times

  seeyainthecloud 4 months, 1 week ago

VM1 (created in RG1) is a part of the resource group. Don't you think that's an Administrative activity for both VM1 and RG1? This will ofcourse
trigger both the alerts.
upvoted 2 times

  hfk2020 Most Recent  1 week, 4 days ago

creating a disk and adding it to the VM is a provision task not an administrative task
upvoted 2 times

  lulzsec2019 2 months ago

I'm also confused as there are 2 different answers here in comment section.
upvoted 2 times

  zellck 4 months ago

User1: Alert1 and Alert2 are triggered.
User2: Alert1 and Alert2 are triggered.
upvoted 3 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 719/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  DanSuaricius 4 months, 1 week ago

It is another ambiguous question because it is not specificated in which Resource Group is created the Storage account. In my opinion (assuming
that the Storage account is not created in RG1) is the next:
- User1: Alert2 (Attaching the Disk File only affects to the VM1)
- User2: Alert1 y Alert2
upvoted 6 times

  SIAMIANJI 3 weeks, 1 day ago

It's not a storage account. It's just a disk and when you are creating a disk for a VM you do not specify the RG.
upvoted 1 times

  elior19940 4 months, 3 weeks ago

im confiused. what is the correct answer?
upvoted 4 times

  HMKM 4 months, 3 weeks ago

Tested on Azure. My conclusion is User1 triggers both and User2 triggers Alert1 only.
- User1 triggers Alert1 for two operations: "Microsoft.Compute/virtualMachines/write to VM" and "Microsoft.Compute/disks/write to Disk"
- User1 also triggers Alert2 for an operation: "Microsoft.Compute/virtualMachines/write to VM"
- User2 only triggers Alert1 for one operation: "Microsoft.Resources/tags/write to both RG and VM"
upvoted 3 times

  moshos 4 months, 3 weeks ago

I tested this as well but my results differ from yours. My results:
- User1 actions triggered Alert1 and Alert2
- User2 actions triggered Alert1 and Alert2
upvoted 16 times

  xRiot007 1 week, 4 days ago

@moshos - on what operations exact does User 2 trigger Alert 2 ?
upvoted 1 times

  khaled_razouk 5 months, 1 week ago

correct answer User1 when will create a new virtual disk and attaches the disk to VM1 it will create an alert N2 because there'is a scope contain the
VM1
https://www.examtopics.com/exams/microsoft/az-104/view/6/#
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 720/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #37 Topic 6

You plan to deploy several Azure virtual machines that will run Windows Server 2019 in a virtual machine scale set by using an Azure Resource
Manager template.

You need to ensure that NGINX is available on all the virtual machines after they are deployed.

What should you use?

A. a Desired State Configuration (DSC) extension

B. the New-AzConfigurationAssignment cmdlet

C. Azure Application Insights

D. a Microsoft Endpoint Manager device configuration profile

Correct Answer: A

Community vote distribution

A (100%)

  FabrityDev Highly Voted  5 months ago

Selected Answer: A
Duplicate question, answer is DSC. There is another version of this question where Custom Script Extension is the right answer and there is no DSC
option to choose.
upvoted 7 times

  chikorita Highly Voted  4 months ago

if this exam doesnt show up in exam,i'd be really disappointed
i've seen this one like 10times now! yikes!!!
upvoted 5 times

  AStark1080 4 months ago

I swear studying this question 10 times in a row better pay off for my exam
upvoted 2 times

  chikorita 4 months ago

if this exam [question]**
upvoted 1 times

  Rwj Most Recent  3 weeks, 3 days ago

On exam 4/22/23
DSC
upvoted 2 times

  zellck 4 months ago

Same as Question 67.
https://www.examtopics.com/discussions/microsoft/view/67546-exam-az-104-topic-4-question-67-discussion
upvoted 3 times

  zellck 4 months ago

Selected Answer: A
A is the answer.

https://learn.microsoft.com/en-us/azure/virtual-machines/extensions/dsc-template
upvoted 1 times

  Ashfaque_9x 5 months, 1 week ago

Selected Answer: A
A. a Desired State Configuration (DSC) extension
upvoted 1 times

  wpestan 5 months, 1 week ago

Selected Answer: A
A. a Desired State Configuration (DSC) extension
upvoted 1 times

  khaled_razouk 5 months, 1 week ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 721/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Selected Answer: A
A. a Desired State Configuration (DSC) extension
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 722/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #38 Topic 6

You have an Azure subscription that contains eight virtual machines and the resources shown in the following table.

You need to configure access for VNET1. The solution must meet the following requirements:

• The virtual machines connected to VNET1 must be able to communicate with the virtual machines connected to VNET2 by using the Microsoft
backbone.
• The virtual machines connected to VNET1 must be able to access storage1, storage2, and Azure AD by using the Microsoft backbone.

What is the minimum number of service endpoints you should add to VNET1?

A. 1

B. 2

C. 3

D. 5

Correct Answer: D

Community vote distribution

B (98%)

  sharkzor Highly Voted  5 months, 1 week ago

Selected Answer: B
Should be B, 2 service endpoints. VM is not a service endpoint type. So the first question is irrelevant.
Both storage accounts must have service endpoints in vnet 1, so awnser should be 2
upvoted 15 times

  elrizos 2 months, 1 week ago

it's ok
terraform sample:
resource "azurerm_storage_account" "storage2" {
name = "examplestorage2"
resource_group_name = "${azurerm_resource_group.example.name}"
location = "${azurerm_resource_group.example.location}"
account_tier = "Standard"
account_replication_type = "LRS"

network_rules {
default_action = "Deny"
virtual_network_subnet_ids = ["${azurerm_subnet.example.id}"]
}

service_endpoint {
service = "Microsoft.Storage"
location = "eastus"
}
}
upvoted 1 times

  ConanBarb 3 months, 2 weeks ago

Yes B (2 s-e:s) but not for the reason you or other people below state

You create one Service Endpoint per Azure service per Vnet (Vnet-to-Vnet does not require nor can it be configured with service endpoints)
Hence:
1 service endpoint for Vnet1 to Microsoft.Storage service
1 service endpoint for Vnet1 to Microsoft.KeyVault service

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 723/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Try it your self in portal and you'll see

https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview
upvoted 9 times

  djgodzilla 2 months, 2 weeks ago

Agree , Azure AD is not supported as service endpoint but Vault is.
https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview
upvoted 1 times

  SimoneP 1 month, 2 weeks ago

I see it in my lab: vNet --> select vnet --> Add Service Endpoint --> Service --> Microsoft.AzureActiveDirectory
upvoted 1 times

  moshos Highly Voted  4 months, 3 weeks ago

Selected Answer: B
My answer: 2
First service endpoint: One service endpoint for Microsoft.Storage added to VNET1.
The question asks how many to add to VNET1. When adding service endpoints on the VNET1 side you only get to choose the service (
Microsoft.Storage ) not the actual storage accounts. Once you add this service endpoint it can be then linked to on the storage side for both
accounts.

Second Service Endpoint: Microsoft.AzureActiveDirectory.

Total:2
upvoted 12 times

  Alex1184 1 month, 1 week ago

Microsoft.AzureActiveDirectory tag listed under services supporting service endpoints is used only for supporting service endpoints to ADLS
Gen 1. Azure AD doesn't support service endpoints natively
upvoted 1 times

  macrawat 2 months, 2 weeks ago

second service endpoint : Key Vault
upvoted 2 times

  riquesg 1 month, 3 weeks ago

The question does not require adding a Key Vault service endpoint. Why should we add it?
upvoted 5 times

  adminpack Most Recent  1 month ago

B
In Azure, you typically need one endpoint per storage account. Endpoints are used to enable communication with your storage account from
different sources, such as an application or a client tool.

If you have two storage accounts, you can create two separate endpoints, one for each storage account. Each endpoint will have a unique URL that
you can use to access the storage account.

However, it's also possible to use a single endpoint for multiple storage accounts by using a virtual network and a virtual network service endpoint.
This approach allows you to access multiple storage accounts through a single endpoint, which can simplify management and reduce costs.
upvoted 2 times

  _fkucuk 1 month, 1 week ago

Selected Answer: B
Answer is 2.

One service endpoint is required for Azure Storage, which allows virtual machines connected to VNET1 to access storage1 and storage2 over the
Microsoft backbone.

Another service endpoint is required for Azure Active Directory (Azure AD), which allows virtual machines connected to VNET1 to access Azure AD
resources, such as user accounts and security groups, over the Microsoft backbone.

Since the requirement also includes communication between VNET1 and VNET2 using the Microsoft backbone, no additional service endpoints are
needed for this purpose, as Microsoft automatically routes traffic between virtual networks over the Microsoft backbone.

Therefore, the answer is B. 2.

upvoted 1 times

  RDIO 1 month, 2 weeks ago

Selected Answer: B
I think it's 2, but am I missing something?

The requirement regarding service endpoints is "The virtual machines connected to VNET1 must be able to access storage1, storage2, and Azure
AD by using the Microsoft backbone." Where is key vault requested?

And when you are choosing service endpoints through the list "storage" is there and "Azure AD" is also there. "KeyVault" also exists but it's not
requested in this question.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 724/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 1 times
  5864619 1 month, 3 weeks ago
You have an Azure subscription that contains eight virtual machines and the resources shown in the following table.
upvoted 1 times

  matt65 2 months, 1 week ago

Selected Answer: A
1 service endpoint for storage service
upvoted 1 times

  Spooky7 2 months, 1 week ago

It seems answer is A - 1 service endpoint. Only storage accounts and key vault can be connected by using service endpoints. You need only 1
service endpoint for both storage account (don't confuse service endpoint with private link). And Azure Key Vault is not part of the requirement
upvoted 2 times

  Rams_84zO6n 2 months, 2 weeks ago

Selected Answer: B
Forgot to mention - Azure KV does provide service endpoint, but it is not a requirement in the question for VMs to access KV service endpoint, so
the answer is 2 - for 2 service endpoints for 2 storage accounts
upvoted 3 times

  Rams_84zO6n 2 months, 2 weeks ago

Selected Answer: B
https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview
As per the docs, you can configure virtual network to access storage1 and storage2 with service endpoints. Other don't provide service endpoints.
upvoted 1 times

  ConanBarb 3 months, 2 weeks ago

Selected Answer: B
B (2 s-e:s)

Try it your self in portal and you'll see

https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview
upvoted 4 times

  ivan0590 3 weeks, 6 days ago

Azure Key Value is not part of the requirements, therefore the answer should be 1
upvoted 1 times

  studysmart 3 months, 2 weeks ago

Selected Answer: B
end points for each azure storage. so 2
upvoted 1 times

  skydivex 3 months, 3 weeks ago

I think the correct answer is 5 endpoints. >>>> Answer D <<<<
Since the location of the storage accounts and the ley vault are unknown, we have to consider one service end point for each resources.
I am just ging based on what i could understand from following link:
https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview
upvoted 2 times

  zellck 4 months ago

Selected Answer: B
B is the answer.

https://learn.microsoft.com/en-us/azure/storage/common/storage-account-overview#standard-endpoints
A standard service endpoint in Azure Storage includes the protocol (HTTPS is recommended), the storage account name as the subdomain, and a
fixed domain that includes the name of the service.
upvoted 2 times

  sadhou2004 5 months ago

The Minimum should be One as for Storage accounts acces is managed by Service endpoint policy where we can include all Storage accounts
under Subscription or Resource Group.
upvoted 3 times

  Ashfaque_9x 5 months, 1 week ago

Selected Answer: B

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 725/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

B. 2

Two storage accounts will require 2 service endpoints.

upvoted 5 times
  khaled_razouk 5 months, 1 week ago
Selected Answer: B
To meet the requirements, you would need to add at least two service endpoints to VNET1.

One service endpoint would be required for VNET1 to communicate with VNET2 over the Microsoft backbone.

Another service endpoint would be required for the virtual machines connected to VNET1 to access storage1, storage2, and Azure AD over the
Microsoft backbone.

Therefore, the minimum number of service endpoints you should add to VNET1 is 2.
upvoted 2 times

  P123123 5 months ago

Answer is right, but the rationale is wrong

- It should be 1 service endpoint for each storage account (2 service endpoints total)
- You wouldn't use service endpoints to enable communication between the VNETs. Peering would be the likely solution for VNET to VNET
communication
upvoted 3 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 726/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #39 Topic 6

You need to configure an Azure web app named contoso.azurewebsites.net to host www.contoso.com.

What should you do first?

A. Create A records named www.contoso.com and asuid.contoso.com.

B. Create a TXT record named asuid that contains the domain verification ID.

C. Create a CNAME record named asuid that contains the domain verification ID.

D. Create a TXT record named www.contoso.com that has a value of contoso.azurewebsites.net.

Correct Answer: C

Community vote distribution

B (64%) C (21%) Other

  Irism Highly Voted  5 months ago

nice to see 3 answers
upvoted 27 times

  sharkzor Highly Voted  5 months, 1 week ago

Selected Answer: B
should be a TXT record, B
https://learn.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-custom-domain?tabs=a%2Cazurecli
upvoted 20 times

  GBAU 4 months ago

Shouldn't that mean the correct answer is actually using the subdomain option :Create a TXT record named contoso.asuid that contains the
domain verification ID. (or www.asuid?)
upvoted 1 times

  moshos 4 months, 3 weeks ago

From that link : "To add a custom domain to your app, you need to verify your ownership of the domain by adding a verification ID as a TXT
record with your domain provider."
upvoted 3 times

  Balvosko Most Recent  1 month, 2 weeks ago

Selected Answer: B
To configure an Azure web app to host a custom domain, you first need to verify the ownership of the domain in Azure. In this case, you should:

B. Create a TXT record named asuid that contains the domain verification ID.

This will help Azure verify that you own the domain. After the domain is verified, you can proceed to create a CNAME or A record to point your
custom domain (www.contoso.com) to the Azure web app (contoso.azurewebsites.net).
upvoted 3 times

  Rams_84zO6n 2 months, 2 weeks ago

Selected Answer: B
https://learn.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-custom-domain?tabs=a%2Cazurecli
Observations: www.constoso.com is a subdomain. Only root domain scenario requires A record. For subdomain, you need CNAME record. Before
you click on Validate to validate your DNS records in webapp, you must do “something” on the domain registrar? What are those steps? In the Add
custom domain step, you enter the subdomain info, select record type as CNAME record. Before you click validate, you need to do “something” on
domain registrar (godaddy) site. What is that? What should you do first?

For adding subdomain records, there is a CNAME record and TXT record to be added. Only the TXT record has name with asuid and a domain
verification ID. So answer is B.
upvoted 3 times

  mfalkjunk 2 months, 2 weeks ago

Selected Answer: D
Chat GPT says D:

D. Create a TXT record named www.contoso.com that has a value of contoso.azurewebsites.net.

Explanation:

To configure an Azure web app to host a custom domain, the first step is to create a TXT record for the domain with the web app's default
hostname as the value. In this case, the domain is www.contoso.com, and the web app's default hostname is contoso.azurewebsites.net.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 727/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

This TXT record is used for domain verification, which proves that you own the domain and have the right to use it with the web app. After the TXT
record is created and verified, you can then configure the custom domain in the Azure portal and update the DNS records for the domain to point
to the web app.
upvoted 3 times
  scott_mckendry 2 months, 4 weeks ago
Selected Answer: B
The answer is B.
The CNAME record for a web app should point to the default domain name of the web app, not the ASUID.
upvoted 1 times

  wlevels 3 months ago

It is pretty confusing. The attached page mentions like other people are confirming here. CNAME record is required, TXT is optional but
recommended. However, the only CNAME option to chose specifically mentions "create a CNAME record named asuid" which is not a requirement.
Probably it does work, but it is another way to cause confusion I guess.

https://learn.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-custom-domain?tabs=wildcard%2Cazurecli
upvoted 1 times

  Andrew04 3 months ago

Selected Answer: C
CNAME is the record for a web app: https://learn.microsoft.com/it-it/azure/app-service/app-service-web-tutorial-custom-domain?
tabs=root%2Cazurecli
upvoted 2 times

  Shutdown 3 months, 1 week ago

Selected Answer: B
Com base neste link, acredito que a resposta correta seja realmente a "B"
https://learn.microsoft.com/pt-br/azure/app-service/app-service-web-tutorial-custom-domain?tabs=root%2Cazurecli
Explicação: O primeiro passo, que é o que a questão está perguntando, seria realmente criar um registro A. No entanto, ele menciona a opção de
asuid que é compatível apenas em um registro TXT. No link acima diz o seguinte: "Se você configurou o registro TXT, mas não o registro A ou
CNAME, o Serviço de Aplicativo o trata como um cenário de migração de domínio e permite que a validação seja bem-sucedida".
upvoted 1 times

  ingenierodiaz79 3 months, 1 week ago

Selected Answer: C
Cname is required, txt is optional
upvoted 1 times

  CyberKelev 3 months, 1 week ago

Selected Answer: B
B. Create a TXT record named asuid that contains the domain verification ID is the first step that you need to perform to configure an Azure web
app named contoso.azurewebsites.net to host www.contoso.com.
upvoted 1 times

  studysmart 3 months, 2 weeks ago

Selected Answer: C
create an alias record
upvoted 1 times

  SedateBloggs 3 months, 3 weeks ago

i concur its B. Note the two records mentioned here and the only ones that would be relevant
https://learn.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-custom-domain?tabs=root%2Cazurecli
upvoted 1 times

  NItesh 3 months, 3 weeks ago

I think the answer should be B. Reason because option are talking about CNAME or TXT records with record named "asuid". The asuid host
property is only available for TXT
record, not for CNAME record.
upvoted 1 times

  Samooo 3 months, 3 weeks ago

A is the correct answer

"Sign in to Azure
Sign in to the Azure portal at https://portal.azure.com.

Create the A record (the

first thing you do as what the question says)
An A record is used to map a name to its IP address. In the following example, assign "@" as an A record using your web app IPv4 address. @
typically represents the root domain.

Get the IPv4 address

In the left navigation of the App Services page in the Azure portal, select Custom domains, then copy the IP address of your web app:

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 728/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Screenshot of Azure App Service Custom domains page showing the web app I P address.

Create the record

To create the A record, use:

Azure PowerShell

Copy
New-AzDnsRecordSet -Name "@" -RecordType "A" -ZoneName "contoso.com" `
-ResourceGroupName "MyAzureResourceGroup" -Ttl 600 `
-DnsRecords (New-AzDnsRecordConfig -IPv4Address "<ip of web app service>")
Important

The A record must be manually updated if the underlying IP address for the web app changes.

Create the TXT record"

upvoted 1 times
  spaceman12 4 months ago
Both cname and TXT can be used to verify domain ownership but I wonder if this question is testing in depth TXT and CNAME difference?

With TXT record you get a verification code that you need to input into your domain registrar service. So you have to copy the TXT record and the
verification code in separate fields.

With CNAME, Azure will generate the record but in the record itself contains the verification code. So you just have to copy and paste the cname
record to verify the domain.

Seems CNAME record is the answer from semantics standpoint

upvoted 2 times

  grzfidler 4 months ago

CNAME is required, TXT is optional "While it's not absolutely required to add the TXT record, it's highly recommended for security."
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 729/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #40 Topic 6

You have an Azure subscription that contains 10 network security groups (NSGs), 10 virtual machines, and a Log Analytics workspace named
Workspace1. Each NSG is connected to a virtual machine.

You need to configure an Azure Monitor Network Insights alert that will be triggered when suspicious network traffic is detected.

What should you do first?

A. Deploy Connection Monitor.

B. Configure data collection endpoints.

C. Configure a private link.

D. Configure NSG flow logs.

Correct Answer: D

Community vote distribution

D (89%) 11%

  Muffay Highly Voted  5 months, 1 week ago

Selected Answer: D
I think D is correct.
https://learn.microsoft.com/en-us/azure/network-watcher/network-insights-overview#traffic
The Traffic tab provides access to all NSGs configured for NSG flow logs and Traffic Analytics for the selected set of subscriptions, grouped by
location.
upvoted 11 times

  moshos 4 months, 3 weeks ago

Also https://learn.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-overview
" Identify unknown or undesired traffic." in Common use cases
upvoted 2 times

  khaled_razouk Highly Voted  5 months, 1 week ago

Selected Answer: D
To configure an Azure Monitor Network Insights alert that will be triggered when suspicious network traffic is detected, you should first configure
NSG flow logs.

NSG flow logs provide information about traffic that is allowed or denied by an NSG. By configuring NSG flow logs, you will be able to monitor the
traffic passing through your NSGs and detect any suspicious activity.
upvoted 11 times

  Exilic Most Recent  1 month, 1 week ago

Selected Answer: D
OpenAI

"The correct answer is D. Configure NSG flow logs.

To configure an Azure Monitor Network Insights alert that will be triggered when suspicious network traffic is detected, you need to enable NSG
flow logs for each NSG that is connected to a virtual machine. NSG flow logs capture information about inbound and outbound traffic flowing
through an NSG.

Once NSG flow logs are enabled, you can use Azure Monitor to analyze the logs and create alerts for suspicious traffic patterns. Therefore, the first
step is to configure NSG flow logs.

Option A, B, and C are not directly related to configuring an Azure Monitor Network Insights alert for detecting suspicious network traffic.
Connection Monitor is used to monitor connectivity to Azure resources. Configuring data collection endpoints is related to collecting data from
various sources, and configuring a private link is used to securely access Azure services over a private connection."
upvoted 1 times

  djgodzilla 2 months, 2 weeks ago

Traffic Analytics: Analyzes Network Watcher - NSG flow logs to provide insights into traffic flow in your Azure cloud.
Requires >> Network Watcher, (NSG) flow logs enabled, Storage account, to store raw flow logs, Log Analytics workspace, with read and write
access.
upvoted 1 times

  sjb666 2 months, 3 weeks ago

Reluctantly, I have to agree that Flow Logs looks more correct. The Log Analytics Workspace bit would appear to be a red herring.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 730/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 1 times
  sjb666 2 months, 3 weeks ago
Selected Answer: A
Hmmm...not often I disagree with 100% vote but here goes:
The question specifically says there is a Log Analytics workspace named Workspace1.
A Log Analytics Workspace is used for Connection Monitor, NOT NSG Flow Logs, which use a storage account instead.
NSG Flow Logs:
https://learn.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-overview#read-and-export-flow-logs)
Connection Monitor:
https://learn.microsoft.com/en-us/azure/network-watcher/connection-monitor-overview#data-collection-analysis-and-alerts)

So answer is A
upvoted 3 times

  CyberKelev 3 months, 1 week ago

Selected Answer: D
the correct answer is D. Configure NSG flow logs
upvoted 1 times

  zellck 4 months ago

Selected Answer: D
D is the answer.

https://learn.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-overview#why-use-flow-logs
It is vital to monitor, manage, and know your own network for uncompromised security, compliance, and performance. Knowing your own
environment is of paramount importance to protect and optimize it. You often need to know the current state of the network, who is connecting,
where they're connecting from, which ports are open to the internet, expected network behavior, irregular network behavior, and sudden rises in
traffic.
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 731/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #41 Topic 6

HOTSPOT
-

You have an Azure subscription named Sub1 that contains the resources shown in the following table.

Sub1 contains the following alert rule:

• Name: Alert1
• Scope: All resource groups in Sub1
o Include all future resources
• Condition: All administrative operations
• Actions: Action1

Sub1 contains the following alert processing rule:

• Name: Rule1
• Scope: Sub1
• Rule type: Suppress notifications
• Apply the rule: On a specific time
o Start: August 10, 2022
o End: August 13, 2022

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Correct Answer:

  FabrityDev Highly Voted  5 months ago

Y - "alert is listed" does not mean a notification in my understanding therefore yes
N - The date is within suppression rule boundaries therefore email will be suppressed
Y - The date is outside suppression rule boundaries
upvoted 25 times

  zellck Highly Voted  4 months ago

YNY is the answer.

https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/alerts-processing-rules?tabs=portal#what-should-this-rule-do
Suppression: This action removes all the action groups from the affected fired alerts. So, the fired alerts won't invoke any of their action groups, not

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 732/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

even at the end of the maintenance window. Those fired alerts will still be visible when you list your alerts in the portal, Azure Resource Graph, API,
or PowerShell.
upvoted 7 times

  zellck 4 months ago

Got this in Feb 2023 exam.
upvoted 9 times

  Paul_white 3 months, 2 weeks ago

writing mine tomorrow, wish me lick :D
upvoted 4 times

  werdy92 3 months, 2 weeks ago

How was it? :)
upvoted 2 times

  adminpack Most Recent  2 weeks, 4 days ago

It's YNN.
Chat GPT: Adding a tag to a resource group in Azure is not considered an administrative action. Tags are a metadata feature in Azure that allows
you to add key-value pairs to resources to categorize and organize them for better management and identification.
upvoted 1 times

  NJTH 2 months, 1 week ago

Simular question was on todays exam.
(7th April 2023)
upvoted 4 times

  vbohr899 3 months, 2 weeks ago

Cleared Exam today 26 Feb, This question was there in exam.
upvoted 6 times

  HMKM 4 months, 3 weeks ago

In Create an alert processing rule - Rule settings, it says:
Suppress notifications: The alert will still fire, but the action groups won't be invoked so you won't receive any notifications when it fires.
So imho,
Y - A new alert will be listed on Monitor - Alerts
N - Action group will not be triggered.
Y - Out of time range of the alert processing rule, so email will be sent.
upvoted 3 times

  AMOLMANTHALKAR 5 months, 1 week ago

Sorry i mean N- suppress notifications Y - as per rule N - date is beyond 13 aug
upvoted 1 times

  AMOLMANTHALKAR 5 months, 1 week ago

shud be YNY
upvoted 5 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 733/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #42 Topic 6

You have an Azure subscription that contains a storage account named storage1 in the North Europe Azure region.

You need to ensure that when blob data is added to storage1, a secondary copy is created in the East US region. The solution must minimize
administrative effort.

What should you configure?

A. operational backup

B. object replication

C. geo-redundant storage (GRS)

D. a lifecycle management rule

Correct Answer: C

Community vote distribution

B (83%) C (17%)

  sadhou2004 Highly Voted  4 months, 3 weeks ago

Selected Answer: B
With GRS you can't choose the Destination region and for North Europe the paired region is West Europe so correct answer Object replication.
upvoted 20 times

  DeBoer 4 months, 1 week ago

Easy to confirm in lab (just did) and you're absolutely right
upvoted 6 times

  Mo22 Highly Voted  4 months, 3 weeks ago

Selected Answer: B
Object replication is a feature that allows you to replicate data, such as blobs, across different storage accounts or containers within the same
storage account. This can be configured to automatically copy data from one storage location to another, either within the same region or across
different regions. Object replication can be used to create disaster recovery solutions or to distribute data globally for better performance and
availability.
It is similar to GRS but it is more flexible as you can choose the storage account and container to replicate the data.
The GRS of a North Europe region is a secondary copy of the data stored in a different region. The exact location of the secondary region will
depend on the specific Azure region you have selected. For the North Europe region, the secondary copy is stored in the West Europe region. This
means that if there is an outage or disaster in the North Europe region, your data will still be available in the West Europe region. This provides a
high level of data durability and protection.
upvoted 7 times

  5864619 Most Recent  1 month, 3 weeks ago

Why is every question something else. Quite frankly I'm only interested in the "right" answer. It doesn't matter if B is applicable in real life if
Microsoft is going to give me a fail and takes my money if I don't pass. What is the correct answer when taking the test? Having 3 options for every
question I try to remember spreads doubt in my mind.
upvoted 1 times

  AK4U 3 months, 1 week ago

Excuse me, but you can't select the region when doing object replication either! You mean, you will need to create a storage account with the
wished region and do the replication to that storage account.
upvoted 1 times

  xRiot007 1 week, 4 days ago

It's not about selecting a region, it's about having control of where the replication happens. Object replication offers the ability to send replicas
to a storage account that was created in a region of OUR choosing. GRS does not offer destination control.
upvoted 1 times

  zellck 4 months ago

Selected Answer: B
B is the answer.

https://learn.microsoft.com/en-us/azure/storage/blobs/object-replication-overview
Object replication asynchronously copies block blobs between a source storage account and a destination account.
upvoted 1 times

  Kimoz 4 months, 1 week ago

B is the correct answer :With GRS you can't choose the Destination region
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 734/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 2 times
  SKR94 4 months, 2 weeks ago
Is not C, North Europe(Netherlands) Cross-Region is North Europe (Irland)

https://learn.microsoft.com/en-us/azure/reliability/cross-region-replication-azure
upvoted 1 times

  Shipada 4 months, 2 weeks ago

Selected Answer: B
With GRS you can't choose the Destination region
upvoted 2 times

  salambrosalam 4 months, 3 weeks ago

Selected Answer: C
I guess that correct answer is C
upvoted 3 times

  Theguy97 4 months, 3 weeks ago

Selected Answer: C
Correct Answer : C
upvoted 3 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 735/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #43 Topic 6

You have an Azure subscription that contains two Log Analytics workspaces named Workspace1 and Workspace2 and 100 virtual machines that
run Windows Server.

You need to collect performance data and events from the virtual machines. The solution must meet the following requirements:

• Logs must be sent to Workspace1 and Workspace 2.

• All Windows events must be captured.
• All security events must be captured.

What should you install and configure on each virtual machine?

A. the Azure Monitor agent

B. the Windows Azure diagnostics extension (WAD)

C. the Windows VM agent

Correct Answer: A

Community vote distribution

A (100%)

  zellck Highly Voted  4 months ago

Selected Answer: A
A is the answer.

https://learn.microsoft.com/en-us/azure/azure-monitor/agents/agents-overview
Azure Monitor Agent (AMA) collects monitoring data from the guest operating system of Azure and hybrid virtual machines and delivers it to
Azure Monitor for use by features, insights, and other services, such as Microsoft Sentinel and Microsoft Defender for Cloud. Azure Monitor Agent
replaces all of Azure Monitor's legacy monitoring agents.
upvoted 9 times

  azure_cert Most Recent  2 months, 2 weeks ago

A is answer
upvoted 2 times

  djgodzilla 3 months, 1 week ago

A
but this medium teach about the use case for each monitoring agent/diag extension within Azure . better than guessing the answer and forget
about it after the exam.
https://adisimon.medium.com/choosing-the-right-azure-monitor-agent-for-your-vms-4e94a624d344
upvoted 1 times

  DeBoer 4 months, 1 week ago

Selected Answer: A
Azure Monitor agent will help with the collection of all of these; https://learn.microsoft.com/en-us/azure/azure-monitor/agents/data-collection-
rule-azure-monitor-agent?tabs=portal

The only thing that might be an issue here is that we're writing to 2 LA workspaces, but the documentation states that you can use data rules to
ingest multiple sources and write to multiple destinations.
upvoted 1 times

  salambrosalam 4 months, 3 weeks ago

Selected Answer: A
I think that correct answer is A. (Azure Monitor)
upvoted 1 times

  B_M_A 4 months, 3 weeks ago

Yes SME please update this.
upvoted 1 times

  Ashfaque_9x 4 months, 3 weeks ago

Selected Answer: A
A. the Azure Monitor agent
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 736/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  Georgego 4 months, 3 weeks ago

Selected Answer: A
Answer is correct
https://learn.microsoft.com/en-us/azure/azure-monitor/agents/agents-overview#install-the-agent-and-configure-data-collection
upvoted 3 times

  1475 4 months, 3 weeks ago

wake up experts tell us the answer
upvoted 4 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 737/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #44 Topic 6

You have an Azure subscription that contains a virtual machine named VM1 and an Azure function named App1.

You need to create an alert rule that will run App1 if VM1 stops.

What should you create for the alert rule?

A. an application security group

B. a security group that has dynamic device membership

C. an action group

D. an application group

Correct Answer: C

Community vote distribution

C (100%)

  omgMerrick Highly Voted  4 months, 1 week ago

Selected Answer: C
Answer is correct, C.

An action group is a collection of actions that are triggered by an Azure alert. In this scenario, you need to create an alert rule that will run App1 if
VM1 stops, and for this purpose, you need to create an action group. An action group defines the set of actions to be taken when an alert is
triggered, such as running an Azure function, sending an email, or creating an Azure ticket.

By creating an action group and associating it with the alert rule, you can automate the process of running App1 if VM1 stops, without the need for
manual intervention. This helps ensure that critical systems, such as App1, are automatically activated when necessary, improving the overall
reliability and availability of your Azure services.
upvoted 11 times

  HMKM Highly Voted  4 months, 3 weeks ago

Create an action group.
In Home > Monitor | Alerts > Action groups > Create action group > Actions tab, select action type "Azure Function" and choose the Function app
and Function.
upvoted 6 times

  GBAU Most Recent  4 months ago

C: It sounded most right. I wanted something to happen, actions do something, so I went with Action Group. Looks like from others actual
knowledge I scored some bonus points if this was a real exam :)
upvoted 4 times

  zellck 4 months ago

Selected Answer: C
C is the answer.

https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/alerts-create-new-alert-rule
You create an alert rule by combining:
- The resources to be monitored.
- The signal or telemetry from the resource.
- Conditions.

Then you define these elements for the resulting alert actions by using:
- Alert processing rules
- Action groups
upvoted 4 times

  zellck 4 months ago

Got this in Feb 2023 exam.
upvoted 6 times

  Georgego 4 months, 3 weeks ago

Selected Answer: C
Answer is correct.
https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/action-groups#action-specific-information
upvoted 3 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 738/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #45 Topic 6

You have an Azure subscription that contains a virtual network named VNet1.

VNet1 uses two ExpressRoute circuits that connect to two separate on-premises datacenters.

You need to create a dashboard to display detailed metrics and a visual representation of the network topology.

What should you use?

A. Azure Monitor Network Insights

B. a Data Collection Rule (DCR)

C. Azure Virtual Network Watcher

D. Log Analytics

Correct Answer: A

Community vote distribution

A (87%) 13%

  zellck Highly Voted  4 months ago

Selected Answer: A
A is the answer.

https://learn.microsoft.com/en-us/azure/network-watcher/network-insights-overview
Azure Monitor Network Insights provides a comprehensive and visual representation through topologies, of health and metrics for all deployed
network resources, without requiring any configuration. It also provides access to network monitoring capabilities like Connection Monitor, flow
logging for network security groups (NSGs), and Traffic Analytics. And it provides other network diagnostic features.
upvoted 9 times

  vishalgu Highly Voted  4 months, 3 weeks ago

Ans: C
expl: Azure Virtual Network Watcher, on the other hand, is a service that provides network topology visualization, diagnostic and visualization tools,
and information on virtual network security flow. It allows you to see the topology of your virtual network, and also provides detailed metrics and
visual representation of the network topology which is the requirement mentioned in the question.
upvoted 6 times

  spaceman12 4 months ago

This is a little tricky as both Network Watcher and Azure Monitor Network Insights offer topology visualization but the focus/use cases are
different.

Network watcher is more monitoring network traffic and security.

Azure monitor network insights is more for application performance and dependencies.

If I had to pick based on the question saying “detailed metrics” I would go with azure monitor network insights rather and something that
focuses on traffic/security… so just semantics?
upvoted 9 times

  Jol 2 months, 3 weeks ago

Thanks for breaking it down so clearly.
upvoted 2 times

  AbleApe 4 months, 1 week ago

Virtual Network Watcher seems quite VM-based. I do not see support for monitoring Express Routes or creating dashboards.
https://learn.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview
upvoted 2 times

  Spooky7 Most Recent  2 months, 1 week ago

It seems to me that Azure Network Watcher topology visualization is still in preview and can handle only limited resources (Azure Express Route is
not included). So I would definitely go with answer A - Azure Monitor Network Insights
upvoted 2 times

  mfalkjunk 2 months, 2 weeks ago

Selected Answer: C
ChatGPT

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 739/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

C. Azure Virtual Network Watcher

Explanation:

To create a dashboard to display detailed metrics and a visual representation of the network topology in Azure, you can use Azure Virtual Network
Watcher. Azure Virtual Network Watcher provides a set of networking monitoring and diagnostic tools that help you to monitor, diagnose, and
gain insights into the network performance and health of your Azure virtual network.

Azure Monitor Network Insights is a service that helps you to monitor and diagnose network performance and connectivity issues in your Azure
network environment. However, it does not provide the capability to create a dashboard for displaying network topology.
upvoted 1 times
  djgodzilla 3 months, 1 week ago
Selected Answer: A
perfect example to explain the difference and when to use each monitoring solution
https://adisimon.medium.com/choosing-the-right-azure-monitor-agent-for-your-vms-4e94a624d344
upvoted 1 times

  CyberKelev 3 months, 1 week ago

Selected Answer: C
Azure Virtual Network Watcher
upvoted 1 times

  Ashfaque_9x 4 months, 3 weeks ago

Selected Answer: A
A. Azure Monitor Network Insights
upvoted 2 times

  Georgego 4 months, 3 weeks ago

Selected Answer: A
Answer is correct.
upvoted 1 times

  Onobhas01 4 months, 4 weeks ago

Azure Monitor Network Insights is correct.
Reference: https://learn.microsoft.com/en-us/azure/network-watcher/network-insights-overview
upvoted 5 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 740/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #46 Topic 6

You deploy Azure virtual machines to three Azure regions

Each region contains a virtual network. Each virtual network contains multiple subnets peered in a full mesh topology.

Each subnet contains a network security group (NSG) that has defined rules.

A user reports that he cannot use port 33000 to connect from a virtual machine in one region to a virtual machine in another region.

Which two options can you use to diagnose the issue? Each correct answer presents a complete solution.

NOTE: Each correct selection is worth one point.

A. Azure Virtual Network Manager

B. IP flow verify

C. Azure Monitor Network Insights

D. Connection troubleshoot

E. elective security rules

Correct Answer: BC

Community vote distribution

BD (100%)

  zellck Highly Voted  4 months ago

Selected Answer: BD
BD is the answer.

  zellck 4 months ago

Got this in Feb 2023 exam.
upvoted 6 times

  NJTH Highly Voted  2 months, 1 week ago

Exactly the same question was on todays exam.
(7th April 2023)
upvoted 6 times

  CyberKelev Most Recent  3 months, 1 week ago

Selected Answer: BD
B. IP flow verify and D. Connection troubleshoot are the two options that can be used to diagnose the issue.
upvoted 3 times

  vbohr899 3 months, 2 weeks ago

Cleared Exam today 26 Feb, This question was there in exam.
upvoted 3 times

  RealSJ 4 days, 10 hours ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 741/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

You used BD as the answer ?

upvoted 1 times

  omgMerrick 4 months, 1 week ago

Selected Answer: BD
Answer is correct, B & D.

The IP flow verify (B) and connection troubleshoot (D) options can be used to diagnose the issue reported by the user.

IP flow verify is a feature of Azure Network Watcher that you can use to verify if a packet is allowed or denied to or from a virtual machine based
on the security group rules defined on the subnet. By using IP flow verify, you can determine if a rule is blocking traffic to port 33000 from one
virtual machine to another in different regions.

Connection troubleshoot is another feature of Azure Network Watcher that provides a simple and easy-to-use solution for troubleshooting
connectivity issues between virtual machines. With connection troubleshoot, you can determine if the network security groups (NSGs) or firewall
rules are blocking traffic to port 33000, and identify the exact rule that is causing the issue.
upvoted 5 times

  vishalgu 4 months, 3 weeks ago

Ans:- AD
Expla: A. Azure Virtual Network Manager: It allows you to view the topology of your virtual network, and can help you diagnose issues with virtual
network peering.

D. Connection troubleshoot: It is a feature of Azure Network Watcher that allows you to troubleshoot and diagnose connectivity issues between
virtual machines within a virtual network or across virtual networks. It can help you identify if the issue is with the NSG rules or with the virtual
network peering.
upvoted 1 times

  Ashfaque_9x 4 months, 3 weeks ago

Selected Answer: BD
Correct Answers

B. IP flow verify
D. Connection troubleshoot
upvoted 2 times

  kamlau 4 months, 3 weeks ago

Selected Answer: BD
Azure Monitor Network Insights provides sth like dashboard and access to the diagnostics toolkit only, which cannot perform troubleshooting as IP
flow verify and connection troubleshoot. Thus, I think the ans is B & D
upvoted 5 times

  kamlau 4 months, 3 weeks ago

Azure Monitor Network Insights provides sth like dashboard and access to the diagnostics toolkit only, which cannot perform troubleshooting as IP
flow verify and connection troubleshoot. Thus, I think the ans is B & D
upvoted 3 times

  Karpovsky2222 4 months, 4 weeks ago

The correct answer is B and D
upvoted 6 times

  1475 4 months, 3 weeks ago

Whats the reference
upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 742/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #47 Topic 6

You have an Azure subscription.

You need to receive an email alert when a resource lock is removed from any resource in the subscription.

What should you use to create an activity log alert in Azure Monitor?

A. a resource, a condition, and an action group

B. a resource, a condition, and a Microsoft 365 group

C. a Log Analytics workspace, a resource, and an action group

D. a data collection endpoint, an application security group, and a resource group

Correct Answer: A

Community vote distribution

A (100%)

  zellck Highly Voted  4 months ago

Selected Answer: A
A is the answer.

Then you define these elements for the resulting alert actions by using:
- Alert processing rules
- Action groups
upvoted 9 times

  CyberKelev Most Recent  3 months, 1 week ago

Selected Answer: A
A. a resource, a condition, and an action group is what you should use to create an activity log alert
upvoted 3 times

  Spam101198 3 months, 2 weeks ago

A is the answer
upvoted 2 times

  elior19940 4 months ago

is it new question?
upvoted 2 times

  DanSuaricius 4 months, 1 week ago

The correct answer is A
"You create an alert rule by combining:
The resources to be monitored.
The signal or telemetry from the resource.
Conditions"
https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/alerts-create-new-alert-rule?tabs=metric
upvoted 3 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 743/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #48 Topic 6

HOTSPOT
-

You have an Azure subscription that contains the alerts shown in the following exhibit.

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.

NOTE: Each correct selection is worth one point.

Correct Answer:

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 744/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  fcert1att Highly Voted  1 month ago

Tested in lab.

Correct answer for:

Box1: can be changed to New or Acknowledged
Explanation: "Changing the user response doesnt affect the alert condition" is what the portal says while changing the response of an alert whose
user response is closed

Box2: can be changed to Acknowledged or Closed

upvoted 7 times

  Eugene77 Most Recent  1 month ago

Would be strange if such question can be used in exam. Even if you can see options in select box "Select the user response" it means nothing. If
resource is not available or any other restrictions then you get ERROR messages without being able to change the final value.
upvoted 1 times

  chiquito 1 month ago

Correct answer :
Box 1 : Can be changed to New or Acknowledged
Box 2 : Can be changed to Acknowledged or Closed
https://social.msdn.microsoft.com/Forums/azure/en-US/bf9b3579-eea5-42d6-8d45-6dfeb4c7350a/how-do-you-change-azure-alert-status-using-
powershell?forum=azureautomation
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/alerts-managing-alert-states?toc=%2Fazure%2Fazure-
monitor%2Ftoc.json#change-the-state-of-an-alert
upvoted 2 times

  joykdutta 1 month, 1 week ago

Will it come in the exam?
upvoted 2 times

  eliisiita1 1 month, 1 week ago

primer comentario por aquí!!!!!!!!!
upvoted 1 times

  _fkucuk 1 month, 1 week ago

Answers are correct

Based on the information presented in the graphic:

For Alert1, the user response is closed and it cannot be changed.

For Alert2, the user response is new and it can be changed to Acknowledged or Closed
upvoted 4 times

  xRiot007 1 week ago

Answers are not correct. Alerts can change state from any to any as many times as required. So Close can change to New or Ack, and New can
change to Ack or Close.
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 745/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Topic 7 - Testlet 1

Question #1 Topic 7

Introductory Info
Case study -
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However,
there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions
included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might
contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is
independent of the other questions in this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to
the next section of the exam. After you begin a new section, you cannot return to this section.

To start the case study -

To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study
before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem
statements. If the case study has an All Information tab, note that the information displayed is identical to the information displayed on the
subsequent tabs. When you are ready to answer a question, click the Question button to return to the question.

Overview -
Contoso, Ltd. is a manufacturing company that has offices worldwide. Contoso works with partner organizations to bring products to market.
Contoso products are manufactured by using blueprint files that the company authors and maintains.

Existing Environment -
Currently, Contoso uses multiple types of servers for business operations, including the following:
File servers
Domain controllers
Microsoft SQL Server servers
Your network contains an Active Directory forest named contoso.com. All servers and client computers are joined to Active Directory.
You have a public-facing application named App1. App1 is comprised of the following three tiers:
A SQL database
A web front end

A processing middle tier -

Each tier is comprised of five virtual machines. Users access the web front end by using HTTPS only.

Requirements -

Planned Changes -
Contoso plans to implement the following changes to the infrastructure:
Move all the tiers of App1 to Azure.
Move the existing product blueprint files to Azure Blob storage.
Create a hybrid directory to support an upcoming Microsoft 365 migration project.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 746/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Use unmanaged standard storage for the hard disks of the virtual machines.
Ensure that when users join devices to Azure Active Directory (Azure AD), the users use a mobile phone to verify their identity.
Minimize administrative effort whenever possible.

User Requirements -
Contoso identifies the following requirements for users:
Ensure that only users who are part of a group named Pilot can join devices to Azure AD.
Designate a new user named Admin1 as the service admin for the Azure subscription.
Admin1 must receive email alerts regarding service outages.
Ensure that a new user named User3 can create network objects for the Azure subscription.

Question
HOTSPOT -
You need to configure the Device settings to meet the technical requirements and the user requirements.
Which two settings should you modify? To answer, select the appropriate settings in the answer area.
Hot Area:

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 747/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Correct Answer:

Box 1: Selected -
Only selected users should be able to join devices

Box 2: Yes -
Ensure that when users join devices to Azure Active Directory (Azure AD), the users use a mobile phone to verify their identity.

  mlantonis Highly Voted  2 years ago

Correct Answer:

Box 1: Selected
As per User requirements “Ensure that only users who are part of a group named Pilot can join devices to Azure AD.”
So, “Selected” must be selected for “User may join devices to Azure AD”

Box 2: Yes
As per User Requirements “Ensure that when users join devices to Azure Active Directory (Azure AD), the users use a mobile phone to verify their
identity”.
So, “Yes” must be selected for “Require Multi-Factor Auth to join devices”.
upvoted 81 times

  Holydud 9 months, 4 weeks ago

Was on exam 19 Aug 2022. Scored 870. Around 85% questions were also on ET. You just need to mark the box that should be changed so I
marked the first one "User may join devices to Azure AD" and almost last box "Require Multi-Factor Auth to join devices"
upvoted 13 times

  Alim786 Highly Voted  2 years, 1 month ago

Correct Answer
upvoted 11 times

  NJTH Most Recent  2 months, 1 week ago

This case study was on was on todays exam.
(7th April 2023)

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 748/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 4 times
  bigz2021 3 months, 1 week ago
The same casestudy # question
Topic: 7, 10, 14 - Contoso, ltd manufacturing company worldwide
Topic: 8, 9, 11, 15 - Contoso consulting company
Topic: 12, 13, 16 - Litware, Inc
upvoted 1 times

  shadad 3 months, 1 week ago

I took Exam of Azure- 104 at 27/2/2023
I score 920 points out of 1000 points. This was on it and my answer was:
Box 1: Selected
Box 2: Yes
upvoted 6 times

  CarlosclATG 3 months, 3 weeks ago

On exam 2023-02-22.
Almost all questions from here. Scored +900.
You must retake twice all questions and follow the discussions to understand.
upvoted 7 times

  Navz 6 months, 1 week ago

Wrote the exam on the 02/12/2022 this case study came out. Passed with 870
Most questions were from this dump so they are still valid. about 5 - 7 new questions. Go through the discussions.
Good luck all.
upvoted 8 times

  seussiii 9 months, 1 week ago

This appears to be the exact same as "Testlet 1", is this just a duplicate?
upvoted 3 times

  humnahibataynge 9 months, 2 weeks ago

Received this on my exam today 03/09/2022
total of 6 questions for this Case Study
upvoted 5 times

  EmnCours 9 months, 2 weeks ago

Box 1: Selected -
Only selected users should be able to join devices

Box 2: Yes -
Ensure that when users join devices to Azure Active Directory (Azure AD), the users use a mobile phone to verify their identity.
upvoted 2 times

  Dobby25 1 year, 2 months ago

Received this on my exam today 19/03/2022
total of 5 questions for this Case Study
upvoted 6 times

  InvisibleShadow 1 year, 3 months ago

This question came in the exam today 8/Mar/2022.
I passed the exam, 95% questions came from here.
upvoted 4 times

  sid132 1 year, 3 months ago

On the exam today, 4.March.2022
upvoted 4 times

  MitchelLauwers1993 1 year, 3 months ago

came in exam today, followed mlantonis
upvoted 3 times

  Mozbius_ 1 year, 3 months ago

During the exam do they provide a pencil and paper to take notes make drawings?
upvoted 1 times

  jorgecalle28 1 year, 2 months ago

dont think so.
upvoted 1 times

  YUCHAN2022 1 year, 3 months ago

On the exam today, 19 Feb 2022. Passed with 862/1000, Thank you ExamTopics.
upvoted 3 times

  nidhogg 1 year, 4 months ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 749/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

On the exam today, 1.feb.2022, 1st question!

Just 761/1000, but OK! :D
Thanks to ExamTopics and to you all!
upvoted 5 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 750/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #2 Topic 7

To start the case study -

A processing middle tier -

Each tier is comprised of five virtual machines. Users access the web front end by using HTTPS only.

Requirements -

Technical Requirements -
Contoso must meet the following technical requirements:
Move all the virtual machines for App1 to Azure.
Minimize the number of open ports between the App1 tiers.
Ensure that all the virtual machines for App1 are protected by backups.
Copy the blueprint files to Azure over the Internet.
Ensure that the blueprint files are stored in the archive storage tier.
Ensure that partner access to the blueprint files is secured and temporary.
Prevent user passwords or hashes of passwords from being stored in Azure.
Use unmanaged standard storage for the hard disks of the virtual machines.
Ensure that when users join devices to Azure Active Directory (Azure AD), the users use a mobile phone to verify their identity.
Minimize administrative effort whenever possible.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 751/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question
You need to meet the user requirement for Admin1.
What should you do?

A. From the Azure Active Directory blade, modify the Groups

B. From the Azure Active Directory blade, modify the Properties

C. From the Subscriptions blade, select the subscription, and then modify the Access control (IAM) settings

D. From the Subscriptions blade, select the subscription, and then modify the Properties

Correct Answer: D
Scenario:
✑ Designate a new user named Admin1 as the service admin for the Azure subscription.
✑ Admin1 must receive email alerts regarding service outages.
Follow these steps to change the Service Administrator in the Azure portal.
1. Make sure your scenario is supported by checking the limitations for changing the Service Administrator.
2. Sign in to the Azure portal as the Account Administrator.
3. Open Cost Management + Billing and select a subscription.
4. In the left navigation, click Properties.
5. Click Service Admin.
Reference:
https://docs.microsoft.com/en-us/azure/role-based-access-control/classic-administrators

Community vote distribution

D (53%) C (47%)

  mlantonis Highly Voted  2 years ago

Correct Answer: D

As per User Requirements “Designate a new user named Admin1 as the service admin for the Azure subscription.”
So, In the Azure portal, you can view or change the Service Administrator or view the Account Administrator on the properties blade of your
subscription.

Check this: https://i.imgur.com/fKzqPKq.png

upvoted 153 times

  Abubaker3030 1 year ago

https://i.imgur.com/fKzqPKq.png - This doesnt show in my current subscription
I verified in my subscription "Properties" option is not listed
This question itself should not be listed by Microsoft as it is outdated
upvoted 3 times

  eeo123 2 weeks ago

Not listed in my sub either, and yes, I'm the owner.
upvoted 1 times

  LeBeano 10 months, 2 weeks ago

Are signed in as owner of the sub?
upvoted 2 times

  Lazylinux 11 months, 3 weeks ago

Well it is listed on Mine and - properties is listed under settings - click on it then => option at top left hand corner reads "CHANGE SERVICE
ADMIN'
upvoted 3 times

  Holydud 9 months, 4 weeks ago

Was on exam 19 Aug 2022. Scored 870. Around 85% questions were also on ET. Answered D

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 752/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 5 times

  1475 4 months, 1 week ago

Your comment is in almost every question's comment. How many questions were on your exam
upvoted 5 times

  AK4U 3 months, 1 week ago

Because ET modify most comments
upvoted 3 times

  DevOpposite 1 year, 8 months ago

thanks legend..
upvoted 17 times

  sri1972 Highly Voted  2 years, 5 months ago

Came in 01/09/21 exam. Passed exam with 906 marks. 98% of the questions are from this dump.
upvoted 47 times

  asaz 2 years, 5 months ago

Thanks for input. I also passed. many of questions from the dump
upvoted 16 times

  BRDA Most Recent  3 days, 5 hours ago

Selected Answer: D
Subscription > select yourt subs > properties > change service admin
upvoted 3 times

  eeo123 1 week, 6 days ago

This is great. Basically a 50/50 split between C and D, with everybody on each side convinced they are right. I do not have a "Properties" blade
under Settings in my subscription, and I've spent 3 hours trying to get some definitive answer from the web to no avail. I'm not sure if the
Properties blade has been removed or is unavailable, or if something is wrong. I am going to just have to wing it on the exam I guess...Maybe C. At
least IAM is there in my subscription...
upvoted 1 times

  eeo123 1 week, 6 days ago

Service Admin is a Classic Administrators role. I'm not sure we'll all see that anymore. I think the answer is now C, IAM....
https://learn.microsoft.com/en-us/azure/role-based-access-control/classic-administrators
upvoted 1 times

  Madbo 2 months ago

D can also be used to assign the Service Administrator role to Admin1. In the classic deployment model, the Service Administrator role is a built-in
role that provides full access to all Azure resources, and it can be assigned to only one user at a time. This role can be assigned to a user in the
Properties of the subscription.

However, it's important to note that the classic deployment model is being phased out in favor of the Azure Resource Manager deployment model,
which uses a different approach to manage access control and resource permissions.

In the context of the given scenario, the requirement to assign the Service Administrator role to Admin1 is better accomplished using Option C,
which applies to the Azure Resource Manager deployment model. The Access control (IAM) settings provide a more granular and flexible way to
manage roles and permissions for Azure resources, including the subscription, which allows you to assign the Service Administrator role to Admin1
as well as manage other roles and permissions for users, groups, and applications.
upvoted 4 times

  mfalkjunk 2 months, 2 weeks ago

Selected Answer: D
To meet the user requirement for Admin1 to be designated as the service admin for the Azure subscription, you would need to follow these steps:

Sign in to the Azure portal as the Account Administrator.

Open Cost Management + Billing and select the subscription.
In the left navigation, click Properties.
Click Change service admin.
In the Edit service admin page, enter the email address for the new Service Administrator.
Click OK to save the change.
upvoted 1 times

  WD_Boti 2 months, 2 weeks ago

Selected Answer: D
Correct Answer: D

"Designate a new user named Admin1 as the service admin for the Azure subscription.”
This means you need to change the Service Admin!
So, you need to
"Follow these steps to change the Service Administrator in the Azure portal."
Make sure your scenario is supported by checking the limitations for changing the Service Administrator.
Sign in to the Azure portal as the Account Administrator.
Open Cost Management + Billing and select a subscription.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 753/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

In the left navigation, click Properties.

Click Change service admin.
https://learn.microsoft.com/en-us/azure/role-based-access-control/classic-administrators
upvoted 1 times
  djgodzilla 3 months, 1 week ago
Selected Answer: D
I was puzzled but then read the requirement twice :
" Designate a new user admin1 as the Service admin for the subscription... "
There is only one service admin per subscription see link https://learn.microsoft.com/en-us/azure/role-based-access-control/rbac-and-directory-
admin-roles#:~:text=1%20per%20Azure%20subscription
Hence we need to change not add a second one. In the IAM section we can only add a Co-administrator role which is slightly different than service
admin (see same link).
Answer is D: Subscription-Settings-Properties-Change service admin.
#stillHateIt
upvoted 1 times

  AK4U 3 months, 1 week ago

https://learn.microsoft.com/en-us/azure/role-based-access-control/classic-administrators#change-the-service-administrator

In this screenshot on the left side menu the "Properties" blade is listed
My permissions
Resource providers
Deployments
Properties <<<<<<<<<<<<<<<
Resource locks

Looking in the Azure portal nowadays, the "Properties" blade is no longer there.

Also, removing a service admin is done via IAM > Classic admins > remove.

ANSWER IS C
upvoted 3 times

  CyberKelev 3 months, 1 week ago

Selected Answer: C
Admin1 needs service admin so need IAM modifications
upvoted 1 times

  Ismailha 3 months, 4 weeks ago

Selected Answer: C
To meet the user requirement for Admin1 to be designated as the service admin for the Azure subscription and receive email alerts regarding
service outages, you need to modify the Access control (IAM) settings for the subscription.

Option C is the correct answer.

Access control (IAM) allows you to manage access to your Azure resources, and you can assign roles to users, groups, and services to grant specific
permissions to manage the resources. By modifying the IAM settings for the subscription, you can assign the "Owner" role to Admin1, which will
grant them full access to manage the subscription, and also allow them to receive email alerts regarding service outages.

Option A refers to modifying groups in Azure AD, which is not related to the user requirement for Admin1.

Option B and D refer to modifying the properties of Azure AD or the subscription, but they do not provide the necessary options to assign roles
and permissions for Admin1 to manage the subscription and receive email alerts.
upvoted 4 times

  RougePotatoe 3 months, 3 weeks ago

Go in IAM and find me the Service Admin role. It doesn't exist its only for the old deployment model.

How to change service admin:

https://learn.microsoft.com/en-us/azure/role-based-access-control/classic-administrators#change-the-service-administrator

Classic admins:
https://learn.microsoft.com/en-us/azure/role-based-access-control/classic-administrators

Scroll down to remove service admin and you will see the role is located in classic admin role section. Which could not be assigned through
IAM.
upvoted 1 times

  RougePotatoe 4 months ago

Selected Answer: C
"In the Azure portal, you can view or change the Service Administrator or view the Account Administrator on the properties blade of your
subscription."
https://learn.microsoft.com/en-us/azure/role-based-access-control/rbac-and-directory-admin-roles#classic-subscription-administrator-roles

Step by step how to change service admin:

"In the left navigation, click Properties. Click Change service admin."
https://learn.microsoft.com/en-us/azure/role-based-access-control/classic-administrators#change-the-service-administrator

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 754/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 1 times

  RougePotatoe 4 months ago

Service admins are not part of the new Azure RBAC model. If you don't see it it's because you are not on classic deployment model.

"Microsoft recommends that you manage access to Azure resources using Azure role-based access control (Azure RBAC). However, if you are
still using the classic deployment model, you'll need to use a classic subscription administrator role: Service Administrator and Co-Administrator.
For more information, see Azure Resource Manager vs. classic deployment."
https://learn.microsoft.com/en-us/azure/role-based-access-control/classic-administrators

More details can be found here:

https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/deployment-models#understand-support-for-the-models
upvoted 1 times

  eeo123 1 week, 6 days ago

So "C" then?
upvoted 1 times

  GBAU 4 months ago

Selected Answer: D
Subscription-Settings-Properties-"Change service admin"
upvoted 2 times

  er101q 4 months, 1 week ago

Option C is the correct choice because it addresses the requirement for Admin1 by modifying the Access control (IAM) settings in the Azure
Subscription. The Access control (IAM) feature in Azure allows you to manage access to resources in the subscription by assigning roles to users. In
this case, you need to assign the role of Service Admin to Admin1, which will give them the necessary permissions to receive email alerts regarding
service outages. This is the most direct and efficient way to meet the requirement for Admin1.
upvoted 1 times

  maheshm124 4 months, 2 weeks ago

100% its option c
https://learn.microsoft.com/en-us/azure/role-based-access-control/rbac-and-directory-admin-roles
upvoted 2 times

  sa66ath 4 months, 2 weeks ago

correct answer is C: Please find link to MS article "Assign a user as an administrator of an Azure subscription" : https://learn.microsoft.com/en-
us/azure/role-based-access-control/role-assignments-portal-subscription-admin
upvoted 1 times

  KennethLZK 5 months ago

Selected Answer: D
Answer is D
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 755/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Topic 8 - Testlet 10

Question #1 Topic 8

To start the case study -

Overview -

General Overview -
Contoso, Ltd. is a consulting company that has a main office in Montreal and branch offices in Seattle and New York.

Environment -

Existing Environment -
Contoso has an Azure subscription named Sub1 that is linked to an Azure Active Directory (Azure AD) tenant. The network contains an on-
premises Active
Directory domain that syncs to the Azure AD tenant.
The Azure AD tenant contains the users shown in the following table.

Sub1 contains two resource groups named RG1 and RG2 and the virtual networks shown in the following table.

User1 manages the resources in RG1. User4 manages the resources in RG2.
Sub1 contains virtual machines that run Windows Server 2019 as shown in the following table

No network security groups (NSGs) are associated to the network interfaces or the subnets.
Sub1 contains the storage accounts shown in the following table.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 756/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Requirements -

Planned Changes -
Contoso plans to implement the following changes:
Create a blob container named container1 and a file share named share1 that will use the Cool storage tier.
Create a storage account named storage5 and configure storage replication for the Blob service.
Create an NSG named NSG1 that will have the custom inbound security rules shown in the following table.

Associate NSG1 to the network interface of VM1.

Create an NSG named NSG2 that will have the custom outbound security rules shown in the following table.

Associate NSG2 to VNET1/Subnet2.

Technical Requirements -
Contoso must meet the following technical requirements:
Create container1 and share1.
Use the principle of least privilege.
Create an Azure AD security group named Group4.
Back up the Azure file shares and virtual machines by using Azure Backup.
Trigger an alert if VM1 or VM2 has less than 20 GB of free space on volume C.
Enable User1 to create Azure policy definitions and User2 to assign Azure policies to RG1.
Create an internal Basic Azure Load Balancer named LB1 and connect the load balancer to VNET1/Subnet1
Enable flow logging for IP traffic from VM5 and retain the flow logs for a period of eight months.
Whenever possible, grant Group4 Azure role-based access control (Azure RBAC) read-only permissions to the Azure file shares.

Question
HOTSPOT -
You need to configure Azure Backup to back up the file shares and virtual machines.
What is the minimum number of Recovery Services vaults and backup policies you should create? To answer, select the appropriate options in the
answer area.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 757/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

Box 1: 3 -
If you have data sources in multiple regions, create a Recovery Services vault for each region.
The File Shares and VMs are located in three Regions: West US, East US, Central US.

Box 2: 6 -
A backup policy is scoped to a vault. For each vault we need one backup policy for File Shares and one backup policy for VM.
Note:
Back up the Azure file shares and virtual machines by using Azure Backup

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 758/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Reference:
https://docs.microsoft.com/en-us/azure/backup/backup-create-rs-vault https://docs.microsoft.com/en-us/azure/backup/guidance-best-
practices

  favela Highly Voted  9 months, 1 week ago

Came this question today and I choose 3 and 6 and my score was 900
upvoted 47 times

  GBAU 4 months ago

Nice, but unfortunately that doesn't mean you got this question correct
upvoted 7 times

  vg123 3 months, 2 weeks ago

but the probability was more :)
upvoted 2 times

  GBAU 4 months ago

Even though I think you did 😊
upvoted 4 times

  Marcelmikael 4 months, 1 week ago

Legend
upvoted 3 times

  klexams Highly Voted  7 months, 2 weeks ago

To back up the file shares and virtual machines.
one vault per region. 3 vaults for 3 regions
File shares: 3 region.
VMs: 3 region.
so...
vault = 3
backup policies = 3FS + 3VM = 6
upvoted 29 times

  mohsanarfandanish Most Recent  2 months, 3 weeks ago

Cleared Exam 930 was appeared in exam 18/3/2023 ANS most upvoted
upvoted 4 times

  CyberKelev 3 months, 1 week ago

To configure Azure backup to back up the file shares and virtual machine you need to create 1 Recovery Services vault and two backup policies
upvoted 1 times

  keszi 3 months, 2 weeks ago

This case study was on the exam March 2023
upvoted 4 times

  obaali1990 2 months, 3 weeks ago

Did you sail through the exams?
upvoted 1 times

  stonwall12 3 months, 2 weeks ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 759/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Total 3 Recovery Service Vaults --> This means 1 RSV per region; West US, Central US, and East US

Total 6 Backup Policies --> We require one per storage account and Virtual Machine across the 3 Recovery Service Vaults.
upvoted 2 times

  zellck 4 months ago

Got this in Feb 2023 exam.
upvoted 8 times

  GBAU 4 months ago

RSV: 3 We have 3 regions and VMs in all of them without even looking at Storage
https://learn.microsoft.com/en-us/azure/backup/backup-create-recovery-services-vault
Region: Select the geographic region for the vault. For you to create a vault to help protect any data source, the vault must be in the same region
as the data source.

back up the file shares and virtual machines

+3 :1 for VMs in each region to their RSV
+1 :for Storage4 to Central US RSV
+1 :for Storage2 to East US RSV
+1 :for Storage1 to West US RSV
#Note we are not backing up Blobs, only Files Shares so don't backup Storage3.

Result: 6 Polices
upvoted 3 times

  Karlos1985 6 months, 1 week ago

Why you are not counting region East US 2? There is 1 File share.
upvoted 2 times

  coringlax 6 months ago

There is no File share on that Storage account.
3 & 6 correct.
upvoted 3 times

  DagoMad 6 months, 2 weeks ago

In my opinion:
Vault: 3
Policies: 3

Source: https://learn.microsoft.com/en-us/azure/backup/quick-backup-vm-portal
upvoted 1 times

  qwerty100 7 months, 3 weeks ago

In my opinion:

3 Recovery Services Vault:

-West US
-Central US
-East US

6 Backups policies:

- Virtual machines West US

- Virtual machines Central US
- Virutal machines East US
- Storage 1
- Storage2
- Storage 4
upvoted 15 times

  djgodzilla 3 months ago

Still real life scenario . You might not want to have one backup policy for a lump of VMs if they have nothing to share (different apps/dept) there
are thousands why vms have to be backed up separately. It would have been better if they asked the minimum backup policies.
upvoted 1 times

  djgodzilla 3 months ago

ok my bad , it literally said minimum lol
upvoted 1 times

  Nzudin 3 months, 3 weeks ago

thank you i understood from here
upvoted 1 times

  awssecuritynewbie 8 months ago

so each VM would require a separate vault so we have 3 region and plus one vault for the storage account (azure file). so that is 4 and we need 2
policy to manage them right?
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 760/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  lol2525 8 months, 2 weeks ago

The Select virtual machines pane will open. Select the VMs you want to back up using the policy. Then select OK.
The selected VMs are validated.
You can only select VMs in the same region as the vault.
VMs can only be backed up in a single vault.
upvoted 2 times

  Derek_C 7 months, 3 weeks ago

so what's the answer
upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 761/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #2 Topic 8

To start the case study -

Overview -

General Overview -
Contoso, Ltd. is a consulting company that has a main office in Montreal and branch offices in Seattle and New York.

Environment -

Sub1 contains two resource groups named RG1 and RG2 and the virtual networks shown in the following table.

User1 manages the resources in RG1. User4 manages the resources in RG2.
Sub1 contains virtual machines that run Windows Server 2019 as shown in the following table

No network security groups (NSGs) are associated to the network interfaces or the subnets.
Sub1 contains the storage accounts shown in the following table.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 762/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Requirements -

Associate NSG1 to the network interface of VM1.

Create an NSG named NSG2 that will have the custom outbound security rules shown in the following table.

Associate NSG2 to VNET1/Subnet2.

Question
DRAG DROP -
You need to configure the alerts for VM1 and VM2 to meet the technical requirements.
Which three actions should you perform in sequence? To answer, move all actions from the list of actions to the answer area and arrange them in
the correct order.
Select and Place:

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 763/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Correct Answer:

  humnahibataynge Highly Voted  9 months, 2 weeks ago

Not sure but I think the answer should be :
1. Create a log Analytics workspace.
2. Collect windows performance counters from the Log Analytics agents.
3. Create an alert rule.
upvoted 103 times

  DeBoer 4 months, 1 week ago

Weird they give this as only correct option to this answer: the Log Analytics agent will be retired in 2024 and they're actively pushing Monitoring
agent on us now. Shows that the exams - even newish questions - lag behind reality :-)
upvoted 4 times

  akavoor 9 months ago

Yes this is correct. Ref: https://docs.microsoft.com/en-us/answers/questions/752170/cant-see-logs-about-free-disk-space-of-azure-vm.html
upvoted 4 times

  pmsiva 8 months, 1 week ago

This is correct. Log analytics workspace must be configured to receive performance counters from windows and then query the perf table to
create an alert.
upvoted 1 times

  nigw 7 months, 2 weeks ago

if 'Log Analytics agents' is part of the answer, it means that the Log Analytics agent needs to be installed on the VM first? there is no such step
listed. shouldn't it be 'Configure Diagnostic settings' instead?
upvoted 2 times

  awssecuritynewbie 8 months ago

that makes more sense! why would you spend money configuring a azure DB? the log analytics storage does that for you by storing it ( however
it does it) then go on to it and create alert rules that can be triggered if a certain query is discovered within the logs that is capturing via the log
analytics agent.
upvoted 1 times

  fabio79 Highly Voted  9 months, 2 weeks ago

For me is Create alog Analytics->Collect Windows performance..->create an alert rule
upvoted 16 times

  szymex 9 months, 1 week ago

https://www.catapultsystems.com/blogs/adding-alerts-for-log-analytics-in-azure/
upvoted 1 times

  clacla Most Recent  2 weeks ago

Came in exam today 31/05/23
upvoted 1 times

  SIAMIANJI 3 weeks, 1 day ago

1. Create a Log Analytics workspace.
2. Collect Windows performance counters from the Log Analytics agents.
3. Create an alert rule.
upvoted 2 times

  CAPacific 1 month ago

Order is correct .. Most questions from ET and Great website help pass the exam but definitely help me master more knowledge ..
upvoted 1 times

  kalyan1986 1 month ago

ANswer given is too wierd. Why do we need to have SQL database here?
upvoted 1 times

  CyberKelev 3 months, 1 week ago

1. Create log analytics 2. Configure diagnostic settings to send performance data to log analytics
3. Create an alert rule for the disk space below 20gb
upvoted 1 times

  marcelina50 3 months, 1 week ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 764/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Just imagine paying SQL Server license just to have logs.

Like many said the answer is:
Create a Log Analytics Workspace
Collect Windows performance counters from the Log Analytics agents
Create an alert rule
upvoted 2 times

  Kevvie13 1 month, 2 weeks ago

I'm glad i'm not insane for the ridiculous ET answer.
upvoted 1 times

  stonwall12 3 months, 2 weeks ago

To configure alerts we need to do the following:
1. Create a Log Analytics Workspace to providing an environment to log data.
2. Collect performance counters for the agent, this is required to create a disk space alert.
3. Create the alert, derr.
Reference: https://docs.microsoft.com/en-us/answers/questions/752170/cant-see-logs-about-free-disk-space-of-azure-vm.html
upvoted 1 times

  vbohr899 3 months, 2 weeks ago

Cleared Exam today 26 Feb, This question was there in exam.
upvoted 5 times

  Ismailha 3 months, 4 weeks ago

To configure the alerts for VM1 and VM2 to meet the technical requirements, you should perform the following actions in sequence:

Create a Log Analytics workspace: This will create a central location to store log data from multiple sources, including the performance counters
from VM1 and VM2.
Configure the Diagnostic settings: This will enable the VMs to send their performance counter data to the Log Analytics workspace.
Create an alert rule: This will create a rule that monitors the performance counters of VM1 and VM2 and triggers an alert if the free space on
volume C is less than 20 GB.
The correct sequence of actions is:

Actions
Create a Log Analytics workspace.
Configure the Diagnostic settings.
Create an alert rule.
upvoted 3 times

  Jaafer09 4 months ago

Came in exam today 10/2/23.
upvoted 4 times

  rpalanivel83 5 months ago

Answer is
1. Create a log Analytics Workspace
2. Collect windows performance counter from the Log Analytics agents (which collects disk space %)
3. Create an alert

Ref: https://learn.microsoft.com/en-us/azure/azure-monitor/agents/data-sources-performance-counters
upvoted 7 times

  Bigc0ck 5 months, 1 week ago

On the test, this case I hated because you can't go back
upvoted 5 times

  OrangeSG 6 months, 3 weeks ago

Microsoft learning portal has a very detailed guide on how to set up azure alert for disk space alert when 10gb or less.

I tend to agree with:

1. Create a log Analytics workspace.
2. Collect windows performance counters from the Log Analytics agents.
3. Create an alert rule.

Reference
help to set up azure alert for disk space alert when 10gb or less
https://learn.microsoft.com/en-us/answers/questions/165893/help-to-set-up-azure-alert-for-disk-space-alert-wh.html
upvoted 8 times

  KingChuang 6 months, 3 weeks ago

1. Create a log Analytics workspace.
2. Configure the Diagnostics settings.
3. Create an alert rule.

Ref:
Step 1 、 2 and 3 :
https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/tutorial-resource-logs

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 765/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Step 3 Detail:
https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/tutorial-log-alert
upvoted 5 times

  ppolychron 4 weeks ago

I enabled diagnostic setting on my VM. The metrics go to a table in a storage account not in Log Analytics Workspace.
upvoted 1 times

  darthfodio 5 months, 2 weeks ago

Just to clarify, the diagnostic settings is used to send the resource logs from an Azure resource to a Log Analytics workspace for any Azure
resource, other than a virtual machine.

See - https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/tutorial-log-alert#prerequisites
upvoted 2 times

  klexams 7 months, 2 weeks ago

this is perf mon metrics within a vm. so:
1. create a LAW
2. collect win perf counters using LA agent
3. create alert rule
upvoted 3 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 766/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Topic 9 - Testlet 2

Question #1 Topic 9

To start the case study -

Overview -

General Overview -
Contoso, Ltd. is a consulting company that has a main office in Montreal and branch offices in Seattle and New York.

Environment -

Sub1 contains two resource groups named RG1 and RG2 and the virtual networks shown in the following table.

User1 manages the resources in RG1. User4 manages the resources in RG2.
Sub1 contains virtual machines that run Windows Server 2019 as shown in the following table

No network security groups (NSGs) are associated to the network interfaces or the subnets.
Sub1 contains the storage accounts shown in the following table.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 767/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Requirements -

Associate NSG1 to the network interface of VM1.

Create an NSG named NSG2 that will have the custom outbound security rules shown in the following table.

Associate NSG2 to VNET1/Subnet2.

Question
HOTSPOT -
You need to ensure that User1 can create initiative definitions, and User4 can assign initiatives to RG2. The solution must meet the technical
requirements.
Which role should you assign to each user? To answer, select the appropriate options in the answer area.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 768/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

Reference:
https://docs.microsoft.com/en-us/azure/governance/policy/overview

  areza Highly Voted  1 year, 5 months ago

passed 902. in exam 29.12.21 - resource policy contributor for sub1, resource contributor for rg2
upvoted 37 times

  Panapi 3 months, 3 weeks ago

Answer valid! This question was on the exam 22/02/2023. Scored 920.
upvoted 9 times

  meet_satish 8 months, 3 weeks ago

Contributor can't create or update definitions and assignments
upvoted 3 times

  crabax 3 months, 4 weeks ago

based on the link, resource policy contributor can:
Microsoft.Authorization/policyassignments/*
Microsoft.Authorization/policydefinitions/*
https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#resource-policy-contributor
upvoted 4 times

  favela 9 months, 1 week ago

Me too score 900 and I choose the mentioned answer
upvoted 4 times

  randy0077 8 months, 4 weeks ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 769/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

did you guys study anything else than examtopics and MS study guide to pass this exam?
upvoted 3 times

  StanAzure Highly Voted  1 year, 2 months ago

I passed this exam today 24 Mars 2022 with score 900.
This question was part of this exam.
90% of question s from the Dumps.
Thank to y'all guys and especially @MLANTONIS great Guy !!!!!
upvoted 32 times

  I_am_Ratno Most Recent  2 weeks, 1 day ago

This was in the exam on 5/30/23
upvoted 2 times

  clacla 2 weeks ago

Came in exam today 5/31/23
upvoted 1 times

  Rachy 1 month, 2 weeks ago

This was on my test this evening 25/04/2023
upvoted 3 times

  Aluksy 2 months, 1 week ago

Answer Valid, In exam today 08 April 2023. Scored 830.
upvoted 4 times

  bsaksham 2 months, 2 weeks ago

Answer valid! This question was on the exam 02/04/2023. Scored 920.
upvoted 3 times

  mohsanarfandanish 2 months, 3 weeks ago

Cleared Exam 930 was appeared in exam 18/3/2023 ANS most upvoted
upvoted 4 times

  stonwall12 3 months, 2 weeks ago

To create and assign initiatives, we need to assign the Resource Policy Contributor within Sub1 and RG2 for the respective users.

As per Microsoft documentation, Resource Policy Contributor provides “users with rights to create/modify resource policy, create a support ticket
and read resources/hierarchy”.

Reference: https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#resource-policy-contributor
upvoted 3 times

  zellck 4 months ago

Resource Policy Contributor

https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#resource-policy-contributor
Users with rights to create/modify resource policy, create support ticket and read resources/hierarchy.
- Create and manage policy assignments
- Create and manage policy definitions
upvoted 2 times

  zellck 4 months ago

Got this in Feb 2023 exam.
upvoted 6 times

  Jaafer09 4 months ago

Came in exam today 10/2/23
upvoted 4 times

  ttttaa 4 months, 3 weeks ago

Correct answer check: https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#resource-policy-contributor
upvoted 2 times

  HMKM 4 months, 3 weeks ago

"The Resource Policy Contributor role includes most Azure Policy operations. ... Contributor may trigger resource remediation, but can't create or
update definitions and assignments."
Reference: https://learn.microsoft.com/en-us/azure/governance/policy/overview#azure-rbac-permissions-in-azure-policy
upvoted 1 times

  SumanSaurabh 6 months ago

correct answer is resource policy contributor for sub1, resource contributor for rg2.
When i started reading case studies oh boy getting sleep in the middle as it is too much read :)
Finally got trick to start reading questions and then look for Technical requirement and planned changes or any other details so basically Bottom to
Top Approach !
upvoted 11 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 770/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  sa66ath 4 months, 2 weeks ago

why RG2, technical requirements are 'assign policy for RG1' not RG2 ????
upvoted 2 times

  klexams 7 months, 2 weeks ago

- Resource Policy Contributor role
- Resource Policy Contributor role
The Resource Policy Contributor role includes most Azure Policy operations.
Contributor may trigger resource remediation, but can't create or update definitions and assignments.
Security Admin - View and update permissions for Microsoft Defender for Cloud. Same permissions as the Security Reader role and can also update
the security policy and dismiss alerts and recommendations.
upvoted 8 times

  adrianspa 8 months, 2 weeks ago

https://learn.microsoft.com/en-us/azure/governance/policy/overview it seems that the owner role is needed
upvoted 1 times

  majerly 8 months, 2 weeks ago

https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#resource-policy-contributor
Actions Description
*/read Read resources of all types, except secrets.
Microsoft.Authorization/policyassignments/* Create and manage policy assignments
Microsoft.Authorization/policydefinitions/* Create and manage policy definitions
Microsoft.Authorization/policyexemptions/* Create and manage policy exemptions
Microsoft.Authorization/policysetdefinitions/* Create and manage policy sets
Microsoft.PolicyInsights/*
Microsoft.Support/* Create and update a support ticket
upvoted 4 times

  ZacAz104 8 months, 4 weeks ago

i passed the exam today 18 sep 2022 with 870 score 49 out of 50 questions are from here some of them i was just looking at the answers without
reading the question but the catch is i reviewed the 391 questions almost 3 times i was going mad about this lol anyway hard work always results
great funny in the middle of exam i was like gee i know all these questions lol best of luck to everyone

And btw i finished in one hour almost instead of 2 hours

upvoted 21 times

  Kem81 8 months, 1 week ago

You are a legend sir. thank you.
upvoted 4 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 771/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #2 Topic 9

To start the case study -

Overview -

General Overview -
Contoso, Ltd. is a consulting company that has a main office in Montreal and branch offices in Seattle and New York.

Environment -

Sub1 contains two resource groups named RG1 and RG2 and the virtual networks shown in the following table.

User1 manages the resources in RG1. User4 manages the resources in RG2.
Sub1 contains virtual machines that run Windows Server 2019 as shown in the following table

No network security groups (NSGs) are associated to the network interfaces or the subnets.
Sub1 contains the storage accounts shown in the following table.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 772/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Requirements -

Associate NSG1 to the network interface of VM1.

Create an NSG named NSG2 that will have the custom outbound security rules shown in the following table.

Associate NSG2 to VNET1/Subnet2.

Question
You need to ensure that you can grant Group4 Azure RBAC read only permissions to all the Azure file shares.
What should you do?

A. On storage2, enable identity-based access for the file shares.

B. Recreate storage2 and set Hierarchical namespace to Enabled.

C. On storage1 and storage4, change the Account kind type to StorageV2 (general purpose v2).

D. Create a shared access signature (SAS) for storage1, storage2, and storage4.

Correct Answer: A
Azure Files supports identity-based authentication over Server Message Block (SMB) through on-premises Active Directory Domain Services
(AD DS) and Azure
Active Directory Domain Services (Azure AD DS).
Reference:
https://docs.microsoft.com/en-us/azure/storage/files/storage-files-active-directory-overview
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 773/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Community vote distribution

A (100%)

  qwerty100 Highly Voted  9 months, 1 week ago

Selected Answer: A
I think is A, because storage1 and storage2 have enabled Azure Active Directory Domain services. I think that you have to enable in storage 2
identity-based access for the file shares too.

https://docs.microsoft.com/en-us/azure/storage/files/storage-files-active-directory-overview#enable-identity-based-authentication
upvoted 15 times

  kukeleku 8 months, 4 weeks ago

Agree on this.
upvoted 3 times

  Mazinger Highly Voted  4 months ago

A. On storage2, enable identity-based access for the file shares.

To grant Group4 Azure RBAC read-only permissions to all the Azure file shares, you should enable identity-based access for the file shares on
storage2. Identity-based access enables you to manage access to file shares based on Azure AD identities, including users, groups, and service
principals. By enabling identity-based access, you can grant access to specific users or groups and manage access control centrally from Azure AD.

Recreating storage2 with Hierarchical namespace enabled (Option B) is not relevant to granting RBAC permissions to Azure file shares.

Changing the account kind type to StorageV2 (general purpose v2) (Option C) is not relevant to granting RBAC permissions to Azure file shares.

Creating a shared access signature (SAS) (Option D) provides temporary access to resources in storage accounts, but it does not allow you to grant
RBAC permissions to Azure file shares.

Therefore, the correct answer is A. On storage2, enable identity-based access for the file shares.
upvoted 5 times

  mdwSysOps 3 months, 1 week ago

ChatGpt answer, but i agree
upvoted 2 times

  Shely Most Recent  6 months ago

I think it should be A.
https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-ad-ds-assign-permissions?tabs=azure-portal
upvoted 1 times

  Babushka 7 months ago

Selected Answer: A
RBAC = Role Based Access Control and you will give Reader Role so you would need Azure AD for this, no? So A seems like a right answer
upvoted 3 times

  klexams 7 months, 3 weeks ago

the closest is A. the question is wrong. Azure RBAC is for Azure resource, not for File Share. Identity-based access is Azure AD which needs Azure
AD role.
upvoted 2 times

  awssecuritynewbie 8 months ago

storage 1 and 4 already had azure AD enabled so the only storage that does not have is storage 2 and you enable it. Storage 3 IS BOB NOT FILE
share so yeah :)
it also makes sense as it wants group4 plus RBAC. SAS does not go by Azure AD groupss
upvoted 2 times

  awssecuritynewbie 8 months ago

A is right
upvoted 1 times

  adrianspa 8 months, 2 weeks ago

Selected Answer: A
You have to look in the table. storag2 has the auth disabled.
upvoted 1 times

  lol2525 8 months, 2 weeks ago

Once either Azure AD DS or on-premises AD DS authentication is enabled, you can use Azure built-in roles or configure custom roles for Azure AD
identities and assign access rights to any file shares in your storage accounts. The assigned permission allows the granted identity to get access to
the share only, nothing else, not even the root directory. You still need to separately configure directory or file-level permissions for Azure file
shares.
upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 774/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  EleChie 9 months ago

Why not D ?
Since the File shares exist on Storage1, Storage2 and Storage4 !!
upvoted 2 times

  ivan0590 3 weeks, 5 days ago

Because SAS tokens != RBAC
upvoted 1 times

  akavoor 9 months ago

A is the correct answer
upvoted 1 times

  todorov 9 months, 1 week ago

Selected Answer: A
The question only asks about File Shares not Blob Storage
upvoted 1 times

  humnahibataynge 9 months, 2 weeks ago

The answer should be D?
Because with A we can give only to storage1 file shares only.
upvoted 3 times

  pmsiva 8 months, 1 week ago

The question is RBAC, D is SAS token
upvoted 3 times

  MoSea 7 months ago

thank you kind person. you made it make sense.
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 775/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Topic 10 - Testlet 3

Question #1 Topic 10

To start the case study -

A processing middle tier -

Each tier is comprised of five virtual machines. Users access the web front end by using HTTPS only.

Requirements -

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 776/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question
You need to implement a backup solution for App1 after the application is moved.
What should you create first?

A. a recovery plan

B. an Azure Backup Server

C. a backup policy

D. a Recovery Services vault

Correct Answer: D
A Recovery Services vault is a logical container that stores the backup data for each protected resource, such as Azure VMs. When the backup
job for a protected resource runs, it creates a recovery point inside the Recovery Services vault.
Scenario:
There are three application tiers, each with five virtual machines.
Move all the virtual machines for App1 to Azure.
Ensure that all the virtual machines for App1 are protected by backups.
Reference:
https://docs.microsoft.com/en-us/azure/backup/quick-backup-vm-portal

Community vote distribution

D (100%)

  mlantonis Highly Voted  2 years ago

Correct Answer: D

As per requirements:
- Move all the tiers of App1 to Azure.
- There are three application tiers, each with five virtual machines.
- Ensure that all the virtual machines for App1 are protected by backups.

Before starting the backup process, you must create a Recovery Services Vault as an initial step, as a place for the backups, or restore points, to be
stored. Later steps include downloading recovery services agent, installing and registering the agent.

A Recovery Services vault is a logical container that stores the backup data for each protected resource, such as Azure VMs. When the backup job
for a protected resource runs, it creates a recovery point inside the Recovery Services vault.

Reference:
https://docs.microsoft.com/en-us/azure/backup/quick-backup-vm-portal
https://docs.microsoft.com/en-us/azure/app-service/manage-backup
https://docs.microsoft.com/en-us/azure/backup/tutorial-backup-windows-server-to-azure
upvoted 81 times

  Holydud 9 months, 4 weeks ago

Was on exam 19 Aug 2022. Scored 870. Around 85% questions were also on ET. Answered D
upvoted 7 times

  SandipSingha Highly Voted  2 years, 9 months ago

correct
upvoted 18 times

  Madbo Most Recent  2 months ago

D. a Recovery Services vault.

You need to create a Recovery Services vault to implement a backup solution for App1 after it is moved to Azure. A Recovery Services vault is an

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 777/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Azure resource used to manage backup and disaster recovery. It provides a consistent, scalable, and reliable backup and restore experience for
virtual machines. Once the Recovery Services vault is created, you can configure backup policies and associate them with virtual machines.
upvoted 1 times
  shadad 3 months, 1 week ago
Selected Answer: D
I took Exam of Azure- 104 at 27/2/2023
I score 920 points out of 1000 points. This was on it and my answer was: D

App1 on VM and since this is the first thing, then you need Recovery Services vault
VM backup = Recovery Services vault first
simple.
upvoted 3 times

  CyberKelev 3 months, 1 week ago

Selected Answer: D
D. a Recovery Services vault

To implement a backup solution for App1 after the application is moved to Azure, the first step is to create a Recovery Services vault.
upvoted 1 times

  Mazinger 4 months ago

D. a Recovery Services vault

To implement a backup solution for App1 after the application is moved, the first thing you should create is a Recovery Services vault. A Recovery
Services vault is an Azure resource that allows you to manage backup and disaster recovery for virtual machines, files, and other resources. You can
use the Recovery Services vault to create a backup policy, which defines the backup schedule, retention policy, and other settings for the backups.

Once you have created the Recovery Services vault, you can create a backup policy (Option C) that defines the backup schedule and retention
policy for the application.

An Azure Backup Server (Option B) is a hybrid backup solution that allows you to back up on-premises data to the cloud. It is not necessary for
backing up an application in Azure.

A recovery plan (Option A) is a set of predefined steps that you can use to recover a system or application from a disaster. It is not necessary for
setting up a backup solution.

Therefore, the correct answer is D. a Recovery Services vault.

upvoted 2 times

  Ashfaque_9x 5 months ago

Selected Answer: D
Correct Answer: D
upvoted 1 times

  mung 6 months, 3 weeks ago

There are too many unneeded informations that makes my eye tired of reading the same content..!
upvoted 8 times

  EmnCours 9 months, 2 weeks ago

Selected Answer: D
Correct Answer: D
upvoted 1 times

  Lazylinux 11 months, 4 weeks ago

Selected Answer: D
D is the correct answer and as per mlantonis comments
upvoted 1 times

  ajayasa 1 year, 3 months ago

this casestudy but not same question was there on 16/03/2022 with same question and passed with 900 percent
upvoted 2 times

  Leti 1 year, 3 months ago

Selected Answer: D
D is correct
upvoted 1 times

  InvisibleShadow 1 year, 3 months ago

This question came in the exam today 8/Mar/2022.
I passed the exam, 95% questions came from here.
upvoted 3 times

  sid132 1 year, 3 months ago

On the exam today, 4.March.2022

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 778/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 2 times
  nidhogg 1 year, 4 months ago
On the exam today, 1.feb.2022
Just 761/1000, but OK! :D
Thanks to ExamTopics and to you all!
upvoted 3 times

  areza 1 year, 5 months ago

passed 902. in exam 29.12.21 - answer D
upvoted 5 times

  im82 1 year, 6 months ago

Was on exam today 19.11.2021. Passed with 920.
Correct Answer: D
upvoted 6 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 779/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #2 Topic 10

To start the case study -

A processing middle tier -

Each tier is comprised of five virtual machines. Users access the web front end by using HTTPS only.

Requirements -

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 780/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question
You need to move the blueprint files to Azure.
What should you do?

A. Generate an access key. Map a drive, and then copy the files by using File Explorer.

B. Use Azure Storage Explorer to copy the files.

C. Use the Azure Import/Export service.

D. Generate a shared access signature (SAS). Map a drive, and then copy the files by using File Explorer.

Correct Answer: B
Azure Storage Explorer is a free tool from Microsoft that allows you to work with Azure Storage data on Windows, macOS, and Linux. You can
use it to upload and download data from Azure blob storage.
Scenario:
Planned Changes include: move the existing product blueprint files to Azure Blob storage.
Technical Requirements include: Copy the blueprint files to Azure over the Internet.
Reference:
https://docs.microsoft.com/en-us/azure/machine-learning/team-data-science-process/move-data-to-azure-blob-using-azure-storage-explorer

Community vote distribution

B (100%)

  mlantonis Highly Voted  2 years ago

Correct Answer: B

As per requirements:
- Move the existing product blueprint files to Azure Blob storage.
- Copy the blueprint files to Azure over the Internet.
- Ensure that the blueprint files are stored in the archive storage tier.
- Ensure that partner access to the blueprint files is secured and temporary.
- Minimize administrative effort whenever possible.

Azure Storage Explorer is a free tool from Microsoft that allows you to work with Azure Storage data on Windows, macOS, and Linux. You can use it
to upload and download data from Azure blob storage. It’s the best solution, because copies data through Internet and minimizes administrative
effort.
C: Azure Import/Export service is not using Internet, but ships data drives using a shipping carrier such as FedEx, UPS, or DHL.
D: You can't use SAS with a mapped drive.
upvoted 92 times

  Holydud 9 months, 4 weeks ago

Was on exam 19 Aug 2022. Scored 870. Around 85% questions were also on ET. Answered B
upvoted 4 times

  imartinez 1 year, 11 months ago

I was for D, thinking than the best approach was to use a SAS.
It is possible to use a SAS on "Azure Storage Explorer" but option D also mentions map a drive, and that's different, it's using Windows Explorer
and it doesn't support SAS.
upvoted 7 times

  fedztedz Highly Voted  2 years, 5 months ago

Answer is correct. "B" using Azure Storage Explorer.
It matches all the requirements:
- Move the existing product blueprint files to Azure Blob storage.
- Copy the blueprint files to Azure over the Internet.
upvoted 61 times

  kalyan1986 1 month ago

Why cant we use import/export here? is it because they specifically need to copy files over internet?
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 781/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  vince60370 2 years, 5 months ago

And you can add that it matchs the requirement "Minimize administrative effort whenever possible." Other solutions need more admin actions.
upvoted 14 times

  mikl 2 years, 4 months ago

Valid point there mr.
upvoted 3 times

  sn0rlaxxx 2 years, 5 months ago

best and shortest explanation of the answer.
upvoted 2 times

  NinjaPenguin 1 year, 5 months ago

And you can use SAS in Azure Storage Explorer
upvoted 1 times

  Madbo Most Recent  2 months ago

B. Use Azure Storage Explorer to copy the files.

To move the blueprint files to Azure Blob storage, you can use Azure Storage Explorer. This tool provides a user-friendly interface for managing
Azure Storage resources, including Blob storage. You can use it to upload the blueprint files to the appropriate Blob storage container in Azure.
This method is more efficient and secure than using File Explorer or generating a shared access signature (SAS) to map a drive and copy the files.
The Azure Import/Export service is typically used to move large amounts of data to and from Azure, but it is not necessary in this scenario since the
blueprint files can be moved over the internet.
upvoted 1 times

  CyberKelev 3 months, 1 week ago

Selected Answer: B
B. Use Azure Storage Explorer to copy the files.
upvoted 1 times

  nigw 7 months, 2 weeks ago

Selected Answer: B
Req1: 'Ensure that the blueprint files are stored in the archive storage tier'
Archive storage tier is only for blobs, this means that the answers containing File Explorer can't be right.

Req2: Copy the blueprint files to Azure over the Internet.

Azure Import/Export service doesn't use internet, you have to ship drives to Microsoft

Only remaining answer is: Azure Storage Explorer, which can be used to copy files to blob storage

Azure Import/Ex
upvoted 3 times

  EmnCours 9 months, 2 weeks ago

Selected Answer: B
Answer is correct. "B" using Azure Storage Explorer
upvoted 1 times

  SoSheBake 10 months, 2 weeks ago

How to filter this questions on New questions? it just updated today (Aug 1, 2022)
upvoted 1 times

  Lazylinux 11 months, 3 weeks ago

Selected Answer: B
Requirements: to watch for for this question
*Move the existing product blueprint files to Azure Blob storage.
*Copy the blueprint files to Azure over the Internet.*****
* Minimize administrative effort whenever possible.*****

Based on the above B is the Answer

upvoted 1 times

  InvisibleShadow 1 year, 3 months ago

This question came in the exam today 8/Mar/2022.
I passed the exam, 95% questions came from here.
upvoted 3 times

  nidhogg 1 year, 4 months ago

On the exam today, 1.feb.2022
Just 761/1000, but OK! :D
Thanks to ExamTopics and to you all!
upvoted 5 times

  areza 1 year, 5 months ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 782/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

passed 902. in exam 29.12.21 - answer B

upvoted 2 times

  nzalex1 1 year, 7 months ago

I think what missed in discussion - the archive storage is available only for blobs. And blueprints should be on archive storage. So Storage Explorer
is the only option.
upvoted 4 times

  ScoutP 1 year, 8 months ago

This question was asked on exam taken on Sept 30, 2021
upvoted 3 times

  Hatsh 1 year, 10 months ago

in exam 17/aug/2021
upvoted 4 times

  Merkur76 1 year, 10 months ago

came in exam 07/30/2021 - passed
B was my answer
upvoted 3 times

  Jotess 1 year, 10 months ago

the question was on Jul 23, 2021 exam
upvoted 2 times

  ZUMY 2 years, 3 months ago

Explicitly mentioned copy Giles over the Internet
upvoted 5 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 783/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #3 Topic 10

To start the case study -

A processing middle tier -

Each tier is comprised of five virtual machines. Users access the web front end by using HTTPS only.

Requirements -

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 784/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question
HOTSPOT -
You need to identify the storage requirements for Contoso.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

Box 1: Yes -
Contoso is moving the existing product blueprint files to Azure Blob storage.
Use unmanaged standard storage for the hard disks of the virtual machines. We use Page Blobs for these.

Box 2: No -
Box 3: No

  fedztedz Highly Voted  2 years, 5 months ago

Answer is correct:
- Yes: As mentioned, move the files to blob storage , in addition the unmanaged storage is used for VM's disks.
- NO: Azure files is not required here. As it is basically used for managed file shares accessed by NFS or SMB protocols. In addition, you can't
archive them https://feedback.azure.com/forums/217298-storage/suggestions/35343037-add-cold-and-archive-tiers-to-azure-files
- NO: Azure tables are not needed as they act as structured NoSQL which is not required with SQL on VM.
upvoted 97 times

  atspace 7 months, 3 weeks ago

Was on exam 10/23/22
upvoted 7 times

  Holydud 9 months, 4 weeks ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 785/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Was on exam 19 Aug 2022. Scored 870. Around 85% questions were also on ET. Answered:

YNN
upvoted 8 times

  mlantonis Highly Voted  2 years ago

As per requirements:
- Move the existing product blueprint files to Azure Blob storage.
- Copy the blueprint files to Azure over the Internet.
- Ensure that the blueprint files are stored in the archive storage tier.
- Use unmanaged standard storage for the hard disks of the virtual machines.
- App1 is comprised of SQL database.
Box 1: Yes
Contoso is moving the existing product blueprint files to Azure Blob storage and requires using unmanaged standard storage for the hard disks of
the virtual machines. We use Page Blobs for these. As mentioned, move the files to blob storage , in addition the unmanaged storage is used for
VM's disks.
Box 2: No
Azure Tables are not needed as they act as structured NoSQL, which is not required with SQL on VM.
Box 3: No
Azure Files is not required here. As it is basically used for managed file shares accessed by NFS or SMB protocols. In addition, you can't archive
them.
upvoted 96 times

  zzreflexzz Most Recent  1 month, 2 weeks ago

on exam 4/29/23
upvoted 1 times

  Madbo 2 months ago

Yes to statement 1: Contoso requires a storage account that supports Blob storage. This is because Contoso plans to move the existing product
blueprint files to Azure Blob storage.

No to statement 2: Contoso does not require a storage account that supports Azure table storage. There is no indication in the scenario that
Contoso needs to use Azure table storage.

No to statement 3: Contoso does not require a storage account that supports Azure File Storage. There is no indication in the scenario that
Contoso needs to use Azure File Storage.
upvoted 1 times

  shadad 3 months, 1 week ago

I took Exam of Azure- 104 at 27/2/2023
I score 920 points out of 1000 points. This was on it and my answer was: Yes NO NO

- Yes: they mentioned move files to blob storage + unmanaged storage is used for VM's disks.
- NO: Azure files is not required + you can't archive them
- NO: Azure tables are not needed as they act as structured NoSQL which is not required with SQL on VM.
upvoted 5 times

  CyberKelev 3 months, 1 week ago

Yes, no, no
upvoted 1 times

  klexams 7 months, 2 weeks ago

Y - quite obvious.
N - Table for noSQL. There is only SQL.
N - this is tricky one, but there is no indication of Azure Files requirement.
Move the existing product blueprint files to Azure Blob storage.
Copy the blueprint files to Azure over the Internet.
Ensure that the blueprint files are stored in the archive storage tier.
Use unmanaged standard storage for the hard disks of the virtual machines.
A SQL database
upvoted 5 times

  EmnCours 9 months, 2 weeks ago

Box 1: Yes -
Contoso is moving the existing product blueprint files to Azure Blob storage.
Use unmanaged standard storage for the hard disks of the virtual machines. We use Page Blobs for these.

Box 2: No -

Box 3: No -
upvoted 1 times

  Lazylinux 11 months, 3 weeks ago

YNN
One MUST requirement
Move the existing product blueprint files to Azure Blob storage.
upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 786/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  techie_11 1 year, 2 months ago

On exam 4/12/2022. Y N N right answer
upvoted 1 times

  InvisibleShadow 1 year, 3 months ago

This question came in the exam today 8/Mar/2022.
I passed the exam, 95% questions came from here.
upvoted 5 times

  sid132 1 year, 3 months ago

On the exam today, 4.March.2022
upvoted 1 times

  YUCHAN2022 1 year, 3 months ago

On the exam today, 19 Feb 2022. Passed with 862
upvoted 2 times

  nidhogg 1 year, 4 months ago

On the exam today, 1.feb.2022
Just 761/1000, but OK! :D
Thanks to ExamTopics and to you all!
upvoted 4 times

  im82 1 year, 6 months ago

Was on exam today 19.11.2021. Passed with 920.
Correct Answer: Y-N-N
upvoted 9 times

  nathk 1 year, 8 months ago

Was on exam 21/9/21
upvoted 3 times

  MrJR 1 year, 9 months ago

What about "Create a hybrid directory to support an upcoming Microsoft Office 365 migration project."? Does it not mean that we require a Azure
Files directory?
upvoted 2 times

  Eltooth 1 year, 7 months ago

Not needed for O365 migration.
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 787/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Topic 11 - Testlet 4

Question #1 Topic 11

To start the case study -

Overview -

General Overview -
Contoso, Ltd. is a consulting company that has a main office in Montreal and branch offices in Seattle and New York.

Environment -

Sub1 contains two resource groups named RG1 and RG2 and the virtual networks shown in the following table.

User1 manages the resources in RG1. User4 manages the resources in RG2.
Sub1 contains virtual machines that run Windows Server 2019 as shown in the following table

No network security groups (NSGs) are associated to the network interfaces or the subnets.
Sub1 contains the storage accounts shown in the following table.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 788/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Requirements -

Associate NSG1 to the network interface of VM1.

Create an NSG named NSG2 that will have the custom outbound security rules shown in the following table.

Associate NSG2 to VNET1/Subnet2.

Question
HOTSPOT -
You need to create container1 and share1.
Which storage accounts should you use for each resource? To answer, select the appropriate options in the answer area.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 789/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

Reference:
https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-storage-tiers https://docs.microsoft.com/en-
us/azure/storage/common/storage-account-overview

  Bere Highly Voted  1 year, 7 months ago

Storage (general-purpose v1) doesn’t support tier.

Standard (general-purpose v2) supports tier for Blob service and for Azure file.

Premium BlockBlobStorage doesn’t support tier.

https://docs.microsoft.com/en-us/azure/storage/blobs/access-tiers-overview

Legacy Standard BlobStorage supports tier.

https://docs.microsoft.com/en-us/azure/storage/blobs/access-tiers-overview#default-account-access-tier-setting

Premium FileStorage doesn’t support tier.

https://docs.microsoft.com/en-us/azure/storage/files/storage-how-to-create-file-share?tabs=azure-portal

Container1 with tier: Can be created in storage2 (storagev2) and storage3. The question refers to BlobStorage (standard legacy one that supports
tier) and not to BlockBlobStorage (Premium one that doesn’t support tier).

Share1 with tier: Can be created in storage2 (storagev2) only.

upvoted 33 times

  Snownoodles 1 year, 6 months ago

But if you go through Storagev2 account creation process, you will find storagev2 only support blob storage tier, doesn't support Azure files
tier(You can find this in 'advaince' option).

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 790/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 2 times

  Snownoodles 1 year, 6 months ago

I apologize, please disregard my comment.
Azure StorageV2 does support Fileshare hot/cool tier when the fileshare is created in portal
upvoted 3 times

  Timock Highly Voted  1 year, 7 months ago

Objective: Create a blob container named container1 and a file share named share1 that will use the Cool storage tier.

Container1: Needs to be in a cool Storage Tier capable of supporting a container/vm.

In addition to storing Azure file shares, GPv2 storage accounts can store other storage resources such as blob containers, queues, or tables. File
shares can be deployed into the transaction optimized (default), hot, or cool tiers.
Storage accounts that support tiering Object storage data tiering between hot, cool, and archive is simply supported in Blob storage and GPv2
accounts. General Purpose v1 aka GPv1 accounts don’t maintain tiering. Therefore, customers should easily convert their existing GPv1 or Blob
storage accounts into GPv2 accounts through the Azure portal.
Storage1: No: Although GPv1 can do fileshares it cannot be used for tiering.
Storage2: Yes: Blob containers can be stored in GPv2 and tiering is supported
Storage3: Yes: This is literally blob storage and a blob container and supports tiering.
Storage4: No: Can only be used to storage Azure file shares.
upvoted 15 times

  ZZhere Most Recent  1 week, 4 days ago

Got this in today exam. Passed on 930
upvoted 2 times

  Benzitho 4 weeks ago

I passed the exam today 17/05/2023 from SA .Score 930 this testlet was on the exam
upvoted 1 times

  zzreflexzz 1 month, 2 weeks ago

on exam 4/29/23
upvoted 3 times

  yellowdot 3 months ago

share1: storage2 only

Azure File Share:

"Standard file shares may be deployed into one of the standard tiers: transaction optimized (default), hot, or cool. This is a per file share tier that is
not affected by the blob access tier of the storage account (this property only relates to Azure Blob storage - it does not relate to Azure Files at all).
You can change the tier of the share at any time after it has been deployed. Premium file shares cannot be directly converted to any standard tier."

[ref: https://learn.microsoft.com/en-us/azure/storage/files/storage-how-to-create-file-share?tabs=azure-portal]
upvoted 1 times

  CyberKelev 3 months, 1 week ago

Answer provided seems correct
upvoted 2 times

  Bigc0ck 5 months, 1 week ago

came on test
upvoted 4 times

  MrBlueSky 3 months, 1 week ago

tmi dude
upvoted 7 times

  Moradiya 5 months, 1 week ago

This was appearedin exam on 01/04/23
upvoted 7 times

  Pear7777 6 months ago

This question is unbelievable, isf I wouldn';t have ET, or other sources, I would have needed to learn a 50 odd matrix befoure I could answer this,
this is no Exam question!
upvoted 8 times

  spike15_mk 6 months ago

General Purpose v2: Blob, File, Queue, Table Standard Hot, Cool, Archive
Disk/Page Premium Hot

Blob Block Storage : Blob Premium Hot

Blob Storage Blob Standard Hot, Cool, Archive

General Purpose v1 Blob, File, Queue, Table Standard Hot

Disk/Page Premium Hot

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 791/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

File Storage File Premium Hot

Follow this table and you'll never mistake.

1.storage2 and storage3 can support cool tier

2.storage2 only -General Purpose v2 can create container1 blobs and share1 at the same time where we can set cool tier
upvoted 5 times

  Benzitho 1 month, 1 week ago

Cool ..Thanks
upvoted 1 times

  favela 9 months, 1 week ago

Correct today I passed with 900 score and I choose this answer
upvoted 6 times

  atilla 1 year, 1 month ago

there is also a lot of information in the question which is not relevant
upvoted 2 times

  ajayasa 1 year, 3 months ago

this casestudy was there on 16/03/2022 with same question and passed with 900 percent
upvoted 2 times

  ajayasa 1 year, 3 months ago

this question was on 16/03/2022 and answered what mentioned in the answer section
upvoted 1 times

  ajayasa 1 year, 3 months ago

this question was on 16/03/2022 and answered what mentioned in the answer section
upvoted 1 times

  benvdw 1 year, 3 months ago

on exam 13/3/2022
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 792/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #2 Topic 11

To start the case study -

Overview -

General Overview -
Contoso, Ltd. is a consulting company that has a main office in Montreal and branch offices in Seattle and New York.

Environment -

Sub1 contains two resource groups named RG1 and RG2 and the virtual networks shown in the following table.

User1 manages the resources in RG1. User4 manages the resources in RG2.
Sub1 contains virtual machines that run Windows Server 2019 as shown in the following table

No network security groups (NSGs) are associated to the network interfaces or the subnets.
Sub1 contains the storage accounts shown in the following table.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 793/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Requirements -

Associate NSG1 to the network interface of VM1.

Create an NSG named NSG2 that will have the custom outbound security rules shown in the following table.

Associate NSG2 to VNET1/Subnet2.

Question
HOTSPOT -
You need to create storage5. The solution must support the planned changes.
Which type of storage account should you use, and which account should you configure as the destination storage account? To answer, select the
appropriate options in the answer area.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 794/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

Reference:
https://docs.microsoft.com/en-us/azure/storage/blobs/object-replication-configure?tabs=portal

  DevOpposite Highly Voted  1 year, 8 months ago

I m very lonely here
upvoted 39 times

  theOldOne 1 year, 8 months ago

Good. Its impossible to study with a lot of people around.
upvoted 22 times

  DevOpposite 1 year, 8 months ago

true, exam tomorrow. wish me luck O Old one..
upvoted 14 times

  juniorccs 1 year, 5 months ago

lucky or not ?
upvoted 3 times

  MoSea 7 months ago

I wish ET would provide notifications if someone replies to your comment. DevOpposite has no way of knowing you asked him
something. Neither will I know if someone ever replied to my comment. All these comments will be lost to time.....like tears in
rain....time to die.
upvoted 18 times

  hifoda9249 1 year, 8 months ago

Exam in 4 hours

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 795/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 13 times
  zodraz Highly Voted  1 year, 8 months ago
Answer is correct: Storage V2 and Storage 2. We want to use replication for blobs and only that storage type is available. The other one is in
Premium, which should never apply to the exams.
Quoting from https://docs.microsoft.com/en-us/azure/storage/blobs/object-replication-configure?tabs=portal:
"Before you configure object replication, create the source and destination storage accounts if they do not already exist. The source and
destination accounts can be either general-purpose v2 storage accounts or premium block blob accounts (preview). "
upvoted 34 times

  GohanF2 2 months, 1 week ago

that'shttps://www.examtopics.com/exams/microsoft/az-104/view/46/# right.
upvoted 1 times

  GohanF2 2 months, 1 week ago

thats right !
upvoted 1 times

  LiamAzure 7 months, 1 week ago

What is replication for blobs?
upvoted 1 times

  mohsanarfandanish Most Recent  2 months, 3 weeks ago

Cleared Exam 930 was appeared in exam 18/3/2023 ANS most upvoted
upvoted 3 times

  djgodzilla 3 months ago

Replication Only supported on General purpose v2 standard storage account
upvoted 1 times

  CyberKelev 3 months, 1 week ago

Answer provided seems correct
upvoted 1 times

  vbohr899 3 months, 2 weeks ago

Cleared Exam today 26 Feb, This question was there in exam.
upvoted 1 times

  laszeklsz 6 months, 3 weeks ago

Object replication is supported for general-purpose v2 storage accounts and premium block blob accounts. Both the source and destination
accounts must be either general-purpose v2 or premium block blob accounts. Object replication supports block blobs only; append blobs and
page blobs aren't supported.
upvoted 5 times

  techie_11 1 year, 2 months ago

On exam 4/12/2022. right answer. same question, but on a different case study.
upvoted 3 times

  ajayasa 1 year, 3 months ago

this casestudy but not same question was there on 16/03/2022 with same question and passed with 900 percent
upvoted 4 times

  ajayasa 1 year, 3 months ago

this question was on 16/03/2022 and answered what mentioned in the answer section
upvoted 1 times

  ajayasa 1 year, 3 months ago

this question was on 16/03/2022 and answered what mentioned in the answer section
upvoted 1 times

  sid132 1 year, 3 months ago

On the exam today, 4.March.2022
upvoted 2 times

  nidhogg 1 year, 4 months ago

On the exam today, 1.feb.2022
Just 761/1000, but OK! :D
Thanks to ExamTopics and to you all!
upvoted 7 times

  Plextor 1 year, 6 months ago

On exam 17/12/21 I selected this storagev2 and storage2 approved, not sure if it is correct
upvoted 2 times

  Snownoodles 1 year, 6 months ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 796/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Answer is correct.
One more thing I want to bring your attention is the difference between Storage account redundancy vs replication, which confuses me a while.
Storage account redundancy GRS/RA-GRS support v1 and v2
https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy

but storage account replication only supports v2.

https://docs.microsoft.com/en-us/azure/storage/blobs/object-replication-overview
upvoted 14 times

  Mozbius_ 1 year, 3 months ago

Thank you for the clarification. Thanks to az104 training course not saying anything about storage replication I thought that redundancy and
replication were the same. SMH.
upvoted 2 times

  Timock 1 year, 7 months ago

Objective: Create storage5 and configure storage replication for the Blob Service.

Account Kind: Storage GPv2. It says nothing about Premium block blob accounts.

Destination: Storage2 is the only GPv2 account.

Azure Blob Storage contains three types of blobs: Block, Page and Append. A block is a single unit in a Blob.

Object replication is supported for general-purpose v2 storage accounts, and for premium block blob accounts in preview. Both the source and
destination accounts must be either general-purpose v2 or premium block blob accounts. Object replication supports block blobs only; append
blobs and page blobs are not supported.

Note: Object replication is supported when the source and destination accounts are in the hot or cool tier. The source and destination accounts
may be in different tiers.

In the question it states Blob Service but it literally means blob block as there are three types of blob storage and only block blobs are supported
for replication.

https://docs.microsoft.com/en-us/azure/storage/blobs/object-replication-overview
upvoted 12 times

  Ash3250 1 year, 7 months ago

DevOppsite, Have you received the questions from this Dump?
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 797/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #3 Topic 11

To start the case study -

Overview -

General Overview -
Contoso, Ltd. is a consulting company that has a main office in Montreal and branch offices in Seattle and New York.

Environment -

Sub1 contains two resource groups named RG1 and RG2 and the virtual networks shown in the following table.

User1 manages the resources in RG1. User4 manages the resources in RG2.
Sub1 contains virtual machines that run Windows Server 2019 as shown in the following table

No network security groups (NSGs) are associated to the network interfaces or the subnets.
Sub1 contains the storage accounts shown in the following table.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 798/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Requirements -

Associate NSG1 to the network interface of VM1.

Create an NSG named NSG2 that will have the custom outbound security rules shown in the following table.

Associate NSG2 to VNET1/Subnet2.

Question
You need to identify which storage account to use for the flow logging of IP traffic from VM5. The solution must meet the retention requirements.
Which storage account should you identify?

A. storage1

B. storage2

C. storage3

D. storage4

Correct Answer: C
We use the BlobStorage account storage3 for retention.
Storage lifecycle management offers a rule-based policy that you can use to transition blob data to the appropriate access tiers or to expire
data at the end of the data lifecycle.
Note: Enable flow logging for IP traffic from VM5 and retain the flow logs for a period of eight months.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 799/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Reference:
https://docs.microsoft.com/en-us/azure/storage/blobs/lifecycle-management-overview https://docs.microsoft.com/en-us/azure/network-
watcher/network-watcher-nsg-flow-logging-overview

Community vote distribution

B (100%)

  alirasouli Highly Voted  7 months, 2 weeks ago

Selected Answer: B
For at least two reasons, storage2 is the only candidate:
- Location: The storage account used must be in the same region as the NSG.
- Retention is available only if you use General Purpose v2 Storage accounts (GPv2).

Reference:
https://learn.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-overview
upvoted 40 times

  BobbyMc3030 1 week, 1 day ago

I agree that the answer is B. Documentation clearly states only General Purpose V2 Storage supports retention. It also states that the storage
must be in the same location as the nsg. That much I get. But can someone explain to me how the NSG being in the same region as the storage
applies to this question? I only see mention of 2 NSGs in the example and neither are applied to VNET 4 where VM 5 is. As far as I can tell, only
the storage type is relevant to this question. I’m open to being wrong if someone can explain it. Thanks.
upvoted 2 times

  Panapi 3 months, 3 weeks ago

Answer valid! This question was on the exam 22/02/2023. Scored 920. Thanks guys!
upvoted 6 times

  lebowski Highly Voted  9 months, 1 week ago

Selected Answer: B
"Retention is available only if you use General purpose v2 Storage accounts (GPv2)"
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-overview#how-logging-works
upvoted 6 times

  abdelmim Most Recent  1 month, 1 week ago

C is correct answer
Location: The storage account used must be in the same region as the network security group.
Performance tier: Currently, only standard-tier storage accounts are supported.
we dont need GPv2 account because it not supported yet
upvoted 1 times

  kmsalman 1 month, 1 week ago

Azure Blob storage is the right option. You can use immutable backup feature to enable retention in Azure Blob storage.
upvoted 1 times

  zzreflexzz 1 month, 2 weeks ago

on exam 4/29/23
upvoted 2 times

  CyberKelev 3 months, 1 week ago

Selected Answer: B
The correct answer is B. Storage2. Storage2 is a General Purpose v2 storage account, which supports the retention of logs for up to 365 days.
Storage1 is a General Purpose v1 storage account, which supports the retention of logs for up to 30 days. Storage3 is a Blob storage account,
which does not support flow logging. Storage4 is a File storage account, which does not support flow logging either.
upvoted 5 times

  SumanSaurabh 6 months, 1 week ago

Correct answer is B
Retention is available only if you use General Purpose v2 Storage accounts (GPv2)
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 800/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 1 times
  wolf13 6 months, 2 weeks ago
Selected Answer: B
I agree with the answer given by Alirasouli.
This question appears in case study: Contoso LTD, Consulting Conpany
upvoted 1 times

  Mev4953 8 months, 3 weeks ago

Answer is B
Retention is available only if you use General purpose v2 Storage accounts (GPv2).

https://learn.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-overview#how-logging-
works:~:text=Retention%20is%20available%20only%20if%20you%20use%20General%20purpose%20v2%20Storage%20accounts%20(GPv2).
upvoted 3 times

  EleChie 8 months, 4 weeks ago

Correct Answer is: B
"Retention is available only if you use General purpose v2 Storage accounts (GPv2)"

Reference: https://learn.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-overview#how-logging-works
upvoted 4 times

  nox2447 9 months, 1 week ago

Selected Answer: B
Should be B
upvoted 2 times

  Amrrax 9 months, 2 weeks ago

Selected Answer: B
Retention is available only if you use General purpose v2 Storage accounts (GPv2)
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-
upvoted 4 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 801/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Topic 12 - Testlet 5

Question #1 Topic 12

To start the case study -

Overview -
Litware, Inc. is a consulting company that has a main office in Montreal and two branch offices in Seattle and New York.
The Montreal office has 2,000 employees. The Seattle office has 1,000 employees. The New York office has 200 employees.
All the resources used by Litware are hosted on-premises.
Litware creates a new Azure subscription. The Azure Active Directory (Azure AD) tenant uses a domain named litware.onmicrosoft.com. The
tenant uses the
Premium P1 pricing tier.

Existing Environment -
The network contains an Active Directory forest named litware.com. All domain controllers are configured as DNS servers and host the
litware.com DNS zone.
Litware has finance, human resources, sales, research, and information technology departments. Each department has an organizational unit (OU)
that contains all the accounts of that respective department. All the user accounts have the department attribute set to their respective
department. New users are added frequently.
Litware.com contains a user named User1.
All the offices connect by using private connections.
Litware has data centers in the Montreal and Seattle offices. Each office has a firewall that can be configured as a VPN device.
All infrastructure servers are virtualized. The virtualization environment contains the servers in the following table.

Litware uses two web applications named App1 and App2. Each instance on each web application requires 1 GB of memory.
The Azure subscription contains the resources in the following table.

The network security team implements several network security groups (NSGs)

Requirements -

Planned Changes -
Litware plans to implement the following changes:
Deploy Azure ExpressRoute to the Montreal office.
Migrate the virtual machines hosted on Server1 and Server2 to Azure.
Synchronize on-premises Active Directory to Azure Active Directory (Azure AD).
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 802/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Migrate App1 and App2 to two Azure web apps named WebApp1 and WebApp2.

Technical Requirements -
Litware must meet the following technical requirements:
Ensure that WebApp1 can adjust the number of instances automatically based on the load and can scale up to five instances.

Ensure that VM3 can establish outbound connections over TCP port 8080 to the applications servers in the Montreal office.
Ensure that routing information is exchanged automatically between Azure and the routers in the Montreal office.
Enable Azure Multi-Factor Authentication (MFA) for the users in the finance department only.
Ensure that webapp2.azurewebsites.net can be accessed by using the name app2.litware.com.
Connect the New York office to VNet1 over the Internet by using an encrypted connection.
Create a workflow to send an email message when the settings of VM4 are modified.
Create a custom Azure role named Role1 that is based on the Reader role.
Minimize costs whenever possible.

Question
You discover that VM3 does NOT meet the technical requirements.
You need to verify whether the issue relates to the NSGs.
What should you use?

A. Diagram in VNet1

B. Diagnostic settings in Azure Monitor

C. Diagnose and solve problems in Traffic Manager profiles

D. The security recommendations in Azure Advisor

E. IP flow verify in Azure Network Watcher

Correct Answer: E
Scenario: Contoso must meet technical requirements including:
Ensure that VM3 can establish outbound connections over TCP port 8080 to the applications servers in the Montreal office.
IP flow verify checks if a packet is allowed or denied to or from a virtual machine. The information consists of direction, protocol, local IP,
remote IP, local port, and remote port. If the packet is denied by a security group, the name of the rule that denied the packet is returned. While
any source or destination IP can be chosen,
IP flow verify helps administrators quickly diagnose connectivity issues from or to the internet and from or to the on-premises environment.
Reference:
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-ip-flow-verify-overview

Community vote distribution

E (100%)

  d0bermannn Highly Voted  1 year, 11 months ago

correct
use
Test-AzNetworkWatcherIPFlow to get NSG security rule which blocked traffic +
Get-AzEffectiveNetworkSecurityGroup to get details of NSG rules
https://docs.microsoft.com/en-us/azure/network-watcher/diagnose-vm-network-traffic-filtering-problem-powershell
upvoted 28 times

  fabylande Highly Voted  1 year, 8 months ago

in exam today! October 16, 2021
upvoted 12 times

  Madbo Most Recent  2 months ago

To verify whether the issue with VM3 relates to the NSGs, you should use IP flow verify in Azure Network Watcher. This feature allows you to test
the traffic flow to and from a virtual machine by specifying the source and destination IP addresses, port numbers, and protocol. It can also show
you whether traffic is allowed or denied by network security groups. By using this tool, you can identify any issues with NSGs that may be
preventing VM3 from establishing outbound connections over TCP port 8080 to the application servers in the Montreal office. Therefore, the
correct answer is E.
upvoted 1 times

  CyberKelev 3 months, 1 week ago

Selected Answer: E
E. IP flow verify in Azure Network Watcher should be used to verify whether the issue with VM3 relates to the NSGs.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 803/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 1 times
  Mev4953 8 months, 3 weeks ago
IMO answer is E
"IP flow verify checks if a packet is allowed or denied to or from a virtual machine. The information consists of direction, protocol, local IP, remote
IP, local port, and remote port. If the packet is denied by a security group, the name of the rule that denied the packet is returned"

https://learn.microsoft.com/en-us/azure/network-watcher/network-watcher-ip-flow-verify-overview
upvoted 2 times

  Mev4953 8 months, 3 weeks ago

IP flow verify helps administrators quickly diagnose connectivity issues from or to the internet and from or to the on-premises environment.
upvoted 2 times

  atilla 1 year, 1 month ago

why some much text for a simple question
upvoted 4 times

  ajayasa 1 year, 3 months ago

this question was on 16/03/2022 and answered what mentioned in the answer section
upvoted 2 times

  ajayasa 1 year, 3 months ago

this question was on 16/03/2022 and answered what mentioned in the answer section
upvoted 1 times

  benvdw 1 year, 3 months ago

on exam 13/3/2022
upvoted 1 times

  cirspass 1 year, 3 months ago

take exam on next monday, pray for me~~!!
upvoted 3 times

  pappkarcsiii 1 year, 4 months ago

Selected Answer: E
IpFlow can check port traffic
upvoted 4 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 804/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Topic 13 - Testlet 6

Question #1 Topic 13

To start the case study -

Litware uses two web applications named App1 and App2. Each instance on each web application requires 1 GB of memory.
The Azure subscription contains the resources in the following table.

The network security team implements several network security groups (NSGs)

Requirements -

Planned Changes -
Litware plans to implement the following changes:
Deploy Azure ExpressRoute to the Montreal office.
Migrate the virtual machines hosted on Server1 and Server2 to Azure.
Synchronize on-premises Active Directory to Azure Active Directory (Azure AD).
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 805/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Migrate App1 and App2 to two Azure web apps named WebApp1 and WebApp2.

Question
You need to ensure that VM1 can communicate with VM4. The solution must minimize the administrative effort.
What should you do?

A. Create an NSG and associate the NSG to VM1 and VM4.

B. Establish peering between VNET1 and VNET3.

C. Assign VM4 an IP address of 10.0.1.5/24.

D. Create a user-defined route from VNET1 to VNET3.

Correct Answer: C
Reference:
https://docs.microsoft.com/en-us/azure/vpn-gateway/tutorial-site-to-site-portal

Community vote distribution

B (86%) 14%

  Lionred Highly Voted  1 year, 8 months ago

I think this question is missing some critical info. Where does the VNET3 and 10.0.1.x/24 come from? No mentioning of them at all in the question!
upvoted 65 times

  JDWaters 4 months, 2 weeks ago

The reason why critical information is missing is because here the question is attached to the wrong case. The question pertains to Contoso, Ltd
Consulting, not Litware. See Topic 15 Question 4 and it will all make sense…and the correct answer is “Establish peering between VNET1 and
VNET3”
upvoted 22 times

  Paul_white 3 months, 2 weeks ago

Thank you brother
upvoted 4 times

  klexams 7 months, 2 weeks ago

yep missing big time!
upvoted 2 times

  VeiN Highly Voted  1 year, 5 months ago

I`ve passed the exam today with 900 and had this question. It was connected to testlet which has VNET1-4 and VM1-5.

Few maybe helpful info:

I got two case studies (testlests), each having 5 questions , one at the begining and one at the end (and in between 53 questions).
As you can see there is a lot missing questions in testlets but some of those were the same as previous "normal" cut from the case study content - I
got some with storage that I think I saw earlier.

From the rest questions I got about 4-5 new ones.

upvoted 27 times

  thainq Most Recent  1 month, 3 weeks ago

Just passed today 23-Apr-2023. All questions still in here. Thanks Examtopics
upvoted 3 times

  Madbo 2 months ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 806/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

B. Establish peering between VNET1 and VNET3.

Establishing VNet peering between VNET1 and VNET3 will allow VM1 to communicate with VM4 without the need for any additional configuration
on the virtual machines themselves. VNet peering enables traffic to flow securely between virtual networks across Azure regions with low latency
and high bandwidth. This approach minimizes administrative effort as there is no need to create or manage any additional network security groups
or user-defined routes.
upvoted 1 times

  shinzor 3 months ago

Has anybody considered that answer C is with or without context is already wrong by the wording? "Assign VM 4 an IP address of 10.0.1.5/24". A
/24 is a subnet CIDR only if it would be a /32 this answer would be valid.
upvoted 3 times

  CyberKelev 3 months, 1 week ago

Selected Answer: B
B. Establish peering between VNET1 and VNET3
upvoted 2 times

  herodes 3 months, 2 weeks ago

Selected Answer: B
B is the answer
upvoted 1 times

  Mazinger 4 months ago

B. Establish peering between VNET1 and VNET3.

Establishing peering between the virtual networks (VNETs) allows traffic to flow between them without the need for additional configuration or
routing. This solution minimizes administrative effort, as it requires only a single step to set up the peering. Option A, creating an NSG, would
require additional rules and configuration to allow communication between VM1 and VM4. Option C, assigning a specific IP address to VM4, does
not address the issue of network communication. Option D, creating a user-defined route, would also require additional configuration and
management.
upvoted 5 times

  zellck 4 months ago

Selected Answer: B
B is the answer.

https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview
Virtual network peering enables you to seamlessly connect two or more Virtual Networks in Azure. The virtual networks appear as one for
connectivity purposes. The traffic between virtual machines in peered virtual networks uses the Microsoft backbone infrastructure. Like traffic
between virtual machines in the same network, traffic is routed through Microsoft's private network only.
upvoted 2 times

  zellck 4 months ago

Selected Answer: C
C is the answer.

  azuredemo2022three 4 months, 3 weeks ago

Selected Answer B
upvoted 2 times

  ttttaa 5 months ago

The question belongs to the case study Topic 15 (where there are several tables with one having vm1...vm4)
not this one.
upvoted 1 times

  EleChie 8 months, 4 weeks ago

Question to Admin: Please load all the information in this question. So we can at least decide what could be wrong !!
upvoted 9 times

  bigsam23 9 months ago

Correct Answer C. We need to establish an IP foot print for VM4 and of the answers did.
https://docs.microsoft.com/en-us/azure/vpn-gateway/tutorial-site-to-site-portal
upvoted 1 times

  kevin9988 1 year, 2 months ago

Selected Answer: B
B is correct
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 807/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  josevirtual 1 year, 2 months ago

I see two possibilities here:

1. There is missing information

2. With the available information we should be able to know which is the only option that might make sense.

For the second option I think that C is the only one that make sense...
upvoted 2 times

  josevirtual 1 year, 2 months ago

After finished (and passed, 900/1000) the exam, I can reply myself. I had this question and there is missing information here, but not in the
exam. The right answer is B.
upvoted 10 times

  techrat 1 year, 2 months ago

The correct should be B, establing peering. I passed my exam yesterday with score 923 and this question was on it. This question belongs to
another case study Contoso. Consulting company. On my score report, I got 100% correct on Configure and manage virtual networking section
and this question is related to networking, that's why I am positive the answer is B.
upvoted 9 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 808/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #2 Topic 13

To start the case study -

Litware uses two web applications named App1 and App2. Each instance on each web application requires 1 GB of memory.
The Azure subscription contains the resources in the following table.

The network security team implements several network security groups (NSGs)

Requirements -

Planned Changes -
Litware plans to implement the following changes:
Deploy Azure ExpressRoute to the Montreal office.
Migrate the virtual machines hosted on Server1 and Server2 to Azure.
Synchronize on-premises Active Directory to Azure Active Directory (Azure AD).
Migrate App1 and App2 to two Azure web apps named WebApp1 and WebApp2.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 809/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question
HOTSPOT -
You need to meet the connection requirements for the New York office.
What should you do? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

Box 1: Create a virtual network gateway and a local network gateway.

Azure VPN gateway. The VPN gateway service enables you to connect the VNet to the on-premises network through a VPN appliance. For more
information, see
Connect an on-premises network to a Microsoft Azure virtual network. The VPN gateway includes the following elements:
✑ Virtual network gateway. A resource that provides a virtual VPN appliance for the VNet. It is responsible for routing traffic from the on-
premises network to the
VNet.
✑ Local network gateway. An abstraction of the on-premises VPN appliance. Network traffic from the cloud application to the on-premises
network is routed through this gateway.
✑ Connection. The connection has properties that specify the connection type (IPSec) and the key shared with the on-premises VPN appliance

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 810/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

to encrypt traffic.
✑ Gateway subnet. The virtual network gateway is held in its own subnet, which is subject to various requirements, described in the
Recommendations section below.
Box 2: Configure a site-to-site VPN connection
On premises create a site-to-site connection for the virtual network gateway and the local network gateway.

Scenario: Connect the New York office to VNet1 over the Internet by using an encrypted connection.
Incorrect Answers:
Azure ExpressRoute: Established between your network and Azure, through an ExpressRoute partner. This connection is private. Traffic does not
go over the internet.
Reference:
https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/vpn

  meeko86 Highly Voted  6 months, 1 week ago

Answer copied from mlantonis:
Box 1: Create a virtual network gateway and a local network gateway.
Box 2: Configure a site-to-site VPN connection.
As per requirements:
- Connect the New York office to VNet1 over the Internet by using an encrypted connection.
A Site-to-Site VPN gateway connection is used to connect your on-premises network to an Azure virtual network over an IPsec/IKE (IKEv1 or IKEv2)
VPN tunnel. This type of connection requires a VPN device located on-premises that has an externally facing public IP address assigned to it. Site-
to-Site VPN connection requires Virtual network gateway, Local network gateway and Gateway Subnet.
Note: ExpressRoute connections don't go over the public Internet, the connection is private.
upvoted 25 times

  meeko86 6 months, 1 week ago

https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/vpn
https://docs.microsoft.com/en-us/azure/expressroute/expressroute-introduction
https://docs.microsoft.com/en-us/azure-stack/user/azure-stack-vpn-s2s
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-classic-portal
upvoted 1 times

  wsscool Highly Voted  1 year, 11 months ago

in exam 7/3/2021
upvoted 13 times

  bartfto Most Recent  1 month, 1 week ago

I don't understand why New York office needs local gateway if it does not have data centre.
"Litware has data centers in the Montreal and Seattle offices."
upvoted 1 times

  djgodzilla 3 months ago

This one is better and more recent doc
https://learn.microsoft.com/en-us/azure/vpn-gateway/tutorial-site-to-site-portal
upvoted 1 times

  favela 9 months, 1 week ago

Yes today I face this question and my score was 900
upvoted 5 times

  atilla 1 year, 1 month ago

I did this once on the azure portal, you really need to do it multiple time to get familiar with it
upvoted 2 times

  Risto83 1 year, 2 months ago

https://docs.microsoft.com/en-us/azure/vpn-gateway/tutorial-site-to-site-portal#LocalNetworkGateway
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 811/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  ajayasa 1 year, 3 months ago

this casestudy but not same question was there on 16/03/2022 with same question and passed with 900 percent
upvoted 2 times

  bartfto 1 month, 1 week ago

great score
upvoted 1 times

  ajayasa 1 year, 3 months ago

this question was on 16/03/2022 and answered what mentioned in the answer section
upvoted 1 times

  benvdw 1 year, 3 months ago

on exam 13/3/2022
upvoted 1 times

  husam421 1 year, 4 months ago

in exam 10/2/2022
upvoted 2 times

  mfvsidiangco 1 year, 6 months ago

Does AZ-104 have labs or just case studies?
upvoted 1 times

  Oulmy1 1 year, 6 months ago

just case studies, no labs
upvoted 4 times

  Takloy 1 year, 5 months ago

Good to know! my first AZ104 had labs 3 years ago. I should have renewed it last year.
Now, I'm going through this review again :(
upvoted 1 times

  Mozbius_ 1 year, 3 months ago

My teacher told me that there may in fact be a lab but it would mostly already set and you would have to click on whatever option to fulfill
the question's requirement. So who knows if it's actually true or not.
upvoted 1 times

  Pamban 1 year, 7 months ago

in exam 15/11/2021
upvoted 1 times

  fabylande 1 year, 8 months ago

in exam today! October 16, 2021
upvoted 4 times

  theOldOne 1 year, 8 months ago

How do you create a local net work gateway inside of the Azure portal?
upvoted 5 times

  Barrie 1 year, 7 months ago

Search for local network gateway and create.
This is essentially a reference point for Azure to know how to connect to the remote endpoint. This is used when establishing the VPN
connection
upvoted 2 times

  chopper563 1 year, 9 months ago

The first is create a virtual network gateway & a local network gateway in the Azure Portal. Please see the steps for S2S VPN Connection at
https://docs.microsoft.com/en-us/azure/vpn-gateway/tutorial-site-to-site-portal
upvoted 12 times

  dj88456 1 year, 9 months ago

Answer is correct.
upvoted 6 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 812/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Topic 14 - Testlet 7

Question #1 Topic 14

To start the case study -

A processing middle tier -

Each tier is comprised of five virtual machines. Users access the web front end by using HTTPS only.

Requirements -

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 813/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question
HOTSPOT -
You need to recommend a solution for App1. The solution must meet the technical requirements.
What should you include in the recommendation? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

This reference architecture shows how to deploy VMs and a virtual network configured for an N-tier application, using SQL Server on Windows
for the data tier.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 814/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Scenario: You have a public-facing application named App1. App1 is comprised of the following three tiers:
✑ A SQL database
✑ A web front end
✑ A processing middle tier
Each tier is comprised of five virtual machines. Users access the web front end by using HTTPS only.
Technical requirements include:
✑ Move all the virtual machines for App1 to Azure.
✑ Minimize the number of open ports between the App1 tiers.
Reference:
https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/n-tier/n-tier-sql-server

  mlantonis Highly Voted  2 years ago

As per requirements:
- You have a public-facing application named App1. App1 is comprised of the following three tiers: A SQL database, A web front end and A
processing middle tier. Each tier is comprised of five virtual machines. Users access the web front end by using HTTPS only.
- Move all the virtual machines for App1 to Azure.
- Minimize the number of open ports between the App1 tiers.

Box 1: 1
1 VNET and then follow the N-tier application architecture.

Box 2: 3
3 Subnets (1 Subnet for each tier of the App1). The tiers can communicate each other, because they are inside the same VNET. Of course you would
need additional NSGs to restrict traffic.

Reference:

https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/n-tier/n-tier-sql-server
upvoted 105 times

  Panapi 3 months, 3 weeks ago

Answer valid! This question was on the exam 22/02/2023. Scored 920.
upvoted 5 times

  fedztedz Highly Voted  2 years, 5 months ago

Answer is correct.
1 VNET
3 subnets
upvoted 36 times

  Gaskonader Most Recent  2 months, 2 weeks ago

On Exam 30/03/2023
upvoted 3 times

  EmnCours 9 months, 2 weeks ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 815/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Box 1: 1
1 VNET and then follow the N-tier application architecture.

Box 2: 3
3 Subnets (1 Subnet for each tier of the App1). The tiers can communicate each other, because they are inside the same VNET. Of course you would
need additional NSGs to restrict traffic.
upvoted 2 times

  RougePotatoe 3 months, 3 weeks ago

There is a special place in hell for people like you. If you're going just copy and paste a comment by mlantonis you might as well copy and paste
the entire thing with the reference link.
upvoted 3 times

  Lazylinux 11 months, 4 weeks ago

Given answer is correct and comments as per mlantonis
upvoted 1 times

  ajayasa 1 year, 3 months ago

this case study was there on 16/03/2022 but with different quesionaire
upvoted 2 times

  ScreamingHand 2 years ago

These case studies are huge, and yet you could just skip to the end, read the question, and very quickly ascertain the correct answer by going back
and skim reading the requirement.
upvoted 21 times

  rawrkadia 1 year, 11 months ago

This is probably the right play because it tells you specifically which pieces of info actually are relevant to the question at hand
upvoted 3 times

  Sharathjogi 1 year, 4 months ago

Absolutely, I realized the same. If we read the complete question, we end up wasting so much time, lol :)
upvoted 2 times

  Bon_ 1 year, 9 months ago

Agreed. Don't waste time reading through the whole blurb. A lot of it is extra fluff to distract you. Read the question first, and then go back to
the case study description to determine what information needs to be gathered to answer the question.
upvoted 7 times

  atilla 1 year, 1 month ago

exactly...
upvoted 1 times

  ciscogeek 2 years, 2 months ago

"Minimize the number of open ports between the App1 tiers.", With 1 VNET, we have all ports open between the App1 tiers. With 3 VNETs and 1
Subnet for each VNET, it can be solved.
upvoted 5 times

  EricJason 2 years, 2 months ago

I am a SA and I never did that design in my last two years.... nobody wants 3 vnet peering solutions for this..
upvoted 8 times

  nicksu 2 years, 1 month ago

1 x Vnet, 3 x Subnet and 3 x NSGs might solve this as well
upvoted 4 times

  mung 6 months, 3 weeks ago

Why do you need 3 NSGs?
Why not just assign a one NSG to a VNET?
upvoted 1 times

  ddb116 2 years, 2 months ago

You want the 3 subnets so that the tiers can communicate freely with each other. If you and 1 VNet and 1 Subnet you would need to create a
bunch of NSGs. That would create more administrative effort.
upvoted 6 times

  Vole51 2 years, 2 months ago

1 VNET and 3 Subnets. 1 Subnet for each Tier of the App1
upvoted 3 times

  ZUMY 2 years, 3 months ago

Given Answer is correct
1 Vnet
3 Subnet for 3 Tiers
upvoted 4 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 816/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  toniiv 2 years, 3 months ago

Key here is: Minimize administrative effort whenever possible.
So One Vnet, three Subnets to separate the 3 tiers.
upvoted 8 times

  mikl 2 years, 3 months ago

1 VNET - 3 subnets
upvoted 2 times

  DRBKK 2 years, 4 months ago

Although you could place all VMs in a single subnet, that does not seem to be a recommended configuration.
upvoted 2 times

  mikl 2 years, 3 months ago

It sure does not : "Minimize the number of open ports between the App1 tiers."
upvoted 4 times

  Mozbius_ 1 year, 3 months ago

Thank you for the clarification.
upvoted 1 times

  Meesaw 2 years, 5 months ago

Came in exam 01 Jan 2021
upvoted 3 times

  maymaythar 2 years, 6 months ago

Anyone? Is that right answer plz? Thanks
upvoted 2 times

  rcdumps 2 years, 5 months ago

Yes, 1 VNET can contain the 3 Subnets for the 3 Tiers.
upvoted 8 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 817/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #2 Topic 14

To start the case study -

A processing middle tier -

Each tier is comprised of five virtual machines. Users access the web front end by using HTTPS only.

Requirements -

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 818/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question
You are planning the move of App1 to Azure.
You create a network security group (NSG).
You need to recommend a solution to provide users with access to App1.
What should you recommend?

A. Create an incoming security rule for port 443 from the Internet. Associate the NSG to the subnet that contains the web servers.

B. Create an outgoing security rule for port 443 from the Internet. Associate the NSG to the subnet that contains the web servers.

C. Create an incoming security rule for port 443 from the Internet. Associate the NSG to all the subnets.

D. Create an outgoing security rule for port 443 from the Internet. Associate the NSG to all the subnets.

Correct Answer: A
Incoming and the web server subnet only, as users access the web front end by using HTTPS only.
Note Scenario: You have a public-facing application named App1. App1 is comprised of the following three tiers:
✑ A SQL database
✑ A web front end
✑ A processing middle tier
Each tier is comprised of five virtual machines. Users access the web front end by using HTTPS only.

Community vote distribution

A (100%)

  mcleavin Highly Voted  2 years, 4 months ago

Congrats to anybody that got this far! Answer is correct
upvoted 200 times

  JohnnyChimpo 4 months, 2 weeks ago

My exam is tomorrow. I have studied my ass off. I didnt just memorize questions. Im already an Azure cloud admin, so my day-to-day work
deeply involves all of these topics. That being said, and with all my experience - these Microsoft questions are ridiculous. They focus too much
on memorization. Thank God for Exam Topics, so I know what to expect tomorrow. Godspeed y'all. Wish me luck!
upvoted 12 times

  lksilesian 1 year, 7 months ago

Nothing to congrate mate. I am taking exam day after tomorrow and are sh*ting my pants because I know how much I do not know...
upvoted 26 times

  scouttyper 1 year, 7 months ago

howd it go?
upvoted 2 times

  kennynelcon 1 year, 1 month ago

Site need send notif to users
upvoted 6 times

  obaali1990 2 months, 3 weeks ago

exactly
upvoted 1 times

  Holydud 9 months, 4 weeks ago

Was on exam 19 Aug 2022. Scored 870. Around 85% questions were also on ET. Answered A
upvoted 7 times

  Gadzee 1 year, 4 months ago

Hahahaha, this section is boring.
upvoted 5 times

  Jasonwcc Highly Voted  2 years, 4 months ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 819/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

All the best to everyone that has arrived at this final page. My first comment tho. Good Luck and Good Health to everyone! Cheers!
upvoted 96 times

  SScott 2 years, 2 months ago

Yes, everyone's discussion, comments and supportive opinions really make the forum and questions extremely constructive. Best of luck as well
to your future endeavors!
upvoted 40 times

  Madbo Most Recent  2 months ago

Option A is the correct solution.

To provide users with access to App1, we need to allow incoming traffic to the web front end tier on port 443, which is used for HTTPS. The NSG
should be associated with the subnet that contains the web servers to ensure that only traffic to and from the web front end is allowed.
upvoted 1 times

  AzZnLuVaBoI 2 months, 2 weeks ago

On the Exam 3/29/23.
upvoted 2 times

  CyberKelev 3 months, 1 week ago

Selected Answer: A
A. Create an incoming security rule for port 443 from the Internet. Associate the NSG to the subnet that contains the web servers.
upvoted 1 times

  The_Punisher 3 months, 3 weeks ago

Planning on taking next week. Thanks to ET, so I know what the questions will look like. Anyone know about the questions you have to answer prior
taking the test which level to select?
upvoted 1 times

  zellck 4 months ago

Selected Answer: A
A is the answer.

https://learn.microsoft.com/en-us/azure/virtual-network/tutorial-filter-network-traffic
upvoted 1 times

  Ashfaque_9x 5 months ago

Selected Answer: A
A. Create an incoming security rule for port 443 from the Internet. Associate the NSG to the subnet that contains the web servers.
upvoted 1 times

  EmnCours 9 months, 2 weeks ago

Selected Answer: A
Correct Answer: A 🗳️
Incoming and the web server subnet only, as users access the web front end by using HTTPS only.
Note Scenario: You have a public-facing application named App1. App1 is comprised of the following three tiers:
✑ A SQL database
✑ A web front end
✑ A processing middle tier
Each tier is comprised of five virtual machines. Users access the web front end by using HTTPS only.
Monitor and back up Azure resources
upvoted 2 times

  Ash_B38 10 months, 1 week ago

Has anyone appeared for the exam recently? would like to know how accurate these dumps are. Cheers!
upvoted 2 times

  additionalpylons 9 months, 2 weeks ago

Writing today. I'll let you know!
upvoted 3 times

  Lazylinux 11 months, 4 weeks ago

Selected Answer: A
Given answer is correct and explanation too
upvoted 2 times

  michaelmorar 1 year, 1 month ago

Selected Answer: A
Simple questions like this give me anxiety! But it looks like there's a strong consensus for A which is great.

Outbound rules are irrelevant here. Inbound rule to 443 should only apply to the web tier.
upvoted 2 times

  techie_11 1 year, 2 months ago

A is correct. Lionred is also correct about the real world scenario
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 820/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 2 times
  Jatinderjames 1 year, 2 months ago
my exam is in next 30 minutes.. not sure how many questions will come from this
upvoted 3 times

  ajayasa 1 year, 3 months ago

this casestudy was there on 16/03/2022 with same question and passed with 900 percent
upvoted 2 times

  ajayasa 1 year, 3 months ago

this casestudy but not same question was there on 16/03/2022 with same question and passed with 900 percent
upvoted 1 times

  ajayasa 1 year, 3 months ago

this case study was there on 16/03/2022 with same question and passed with 900 percent and provided the answer mentioned in the answer
section
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 821/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Topic 15 - Testlet 8

Question #1 Topic 15

To start the case study -

Overview -

General Overview -
Contoso, Ltd. is a consulting company that has a main office in Montreal and branch offices in Seattle and New York.

Environment -

Sub1 contains two resource groups named RG1 and RG2 and the virtual networks shown in the following table.

User1 manages the resources in RG1. User4 manages the resources in RG2.
Sub1 contains virtual machines that run Windows Server 2019 as shown in the following table

No network security groups (NSGs) are associated to the network interfaces or the subnets.
Sub1 contains the storage accounts shown in the following table.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 822/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Requirements -

Associate NSG1 to the network interface of VM1.

Create an NSG named NSG2 that will have the custom outbound security rules shown in the following table.

Associate NSG2 to VNET1/Subnet2.

Question
HOTSPOT -
You implement the planned changes for NSG1 and NSG2.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 823/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

Box 1: No -

NSG2 blocks RDP to VM2 -

Box 2: Yes -

ICMP is not blocked -

Box 3: No -

NSG2 blocks RDP from VM2 -

Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works

  humnahibataynge Highly Voted  9 months, 2 weeks ago

I think the Answers should be: YYN

VM1 has inbound rules, so no restriction on outbound.

VM2 has outbound rules, so no restrictions on inbound.

Hence VM1 can establish RDP to VM2.

VM2 —ping—> VM3: Yes(no restriction other than outbound RDP)

VM2 —RDP—> VM3: No(outbound RDP is not allowed on VM2)

Please correct me if I am wrong.

Tmrw I have my exam.
upvoted 51 times

  pythonier 9 months, 1 week ago

I agree that is YYN:

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 824/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

1-The rule is configured inbound from VM1 and VM2 will allow the traffic because of stateful firewall inspection, the traffic is allowed to come
in. If the traffic is initiated from VM2 them it wouldn't work.

2-ping will be allow because the vnets are already peered

3-No, traffic is initiated from VM2 and the outbound rule will block it.

Feel free to correct me if I am wrong.

upvoted 5 times
  Panapi 3 months, 3 weeks ago
Answer valid! This question was on the exam 22/02/2023. Scored 920.
upvoted 6 times

  fabio79 9 months, 1 week ago

how do you say it's one outbound rule for the VM2? NSG2 source for the rdp deny rule is a 10.0.0.0/16 and the ip of the VM1 is on this subnet. I
think that is NYN the answer
upvoted 6 times

  flurgen248 7 months, 4 weeks ago

I thought the same thing at first, and had to read it three times before I noticed what I was missing.

Create an NSG named NSG1 that will have the custom INBOUND security rules shown in the following table.
Create an NSG named NSG2 that will have the custom OUTBOUND security rules shown in the following table.

Capitalized for emphasis.

It's YYN.
upvoted 3 times

  humnahibataynge 9 months, 2 weeks ago

Passed the exam today with 920/1000.
This case was not there in my exam.
upvoted 6 times

  qwerty100 Highly Voted  8 months, 1 week ago

From VM1, you can Esablish a Remote Desktop sesion to VM2: Yes

They are in the same subnet and VM1 doesn't have restriction on outbound and VM2 doesn't have restriction on inbound

From VM2, you can ping VM3: No

Rule 400 only permit ping from 10.0.2.0/24 to 10.0.1.0/24. VM3 has 172.16.1.4 IP address

From VM2, you can establish a Remote Desktop sesion to VM3: No

Rule 200 only permit virtualNetwork (VNET1) destination RDP and VM3 is in VirtualNetwork VNET2
upvoted 18 times

  qwerty100 7 months, 4 weeks ago

Sorry, I made a mistake in the explanation:

From VM2, you can establish a Remote Desktop sesion to VM3: No

Rule 200 blocks RDP traffic
upvoted 1 times

  qwerty100 7 months, 3 weeks ago

Sorry I can't update the answer and I have to make a new post:

Finaly I think is : YYN

From VM1, you can Esablish a Remote Desktop sesion to VM2: Yes

They are in the same VNET and VM1 doesn't have restriction on outbound and VM2 doesn't have restriction on inbound

From VM2, you can ping VM3: Yes

Rule 400 only permit ping from 10.0.2.0/24 to 10.0.1.0/24. VM3 has 172.16.1.4 IP address, but there are implicit rules: any(port) any(protocol)
virtualnetwork(source) to virtualnetwork (destination). The VNETs are peered and ping works.

From VM2, you can establish a Remote Desktop sesion to VM3: No

Rule 200 blocks RDP traffic

upvoted 10 times

  clacla Most Recent  2 weeks ago

Came in exam today 5/31/23

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 825/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 3 times
  abdelmim 1 month, 1 week ago
NYN Correct
No, if outgoing traffic on port 3389 is blocked, you will not be able to establish an RDP even if the incoming rdp is open in the remote server
upvoted 1 times

  abdelmim 1 month, 1 week ago

NYY Correct
No, if outgoing traffic on port 3389 is blocked, you will not be able to establish an RDP even if the incoming rdp is open in the remote server
upvoted 1 times

  CyberKelev 3 months, 1 week ago

N,Y, N
upvoted 1 times

  ukivanlamlpi 3 months, 4 weeks ago

i think no, no, no
no- RDP protocol , not TCP
no- window server by default not allow ping(echo request)
https://www.thomasmaurer.ch/2019/09/how-to-enable-ping-icmp-echo-on-an-azure-vm/
no-RDP, not TCP
upvoted 3 times

  darren888 6 months ago

New-NetFirewallRule –DisplayName "Allow ICMPv4-In" –Protocol ICMPv4 this must be entered to allow a VM to ping another VM in a peered
network windows firewall blocks ICMP the case study indicates we are using windows machines.
upvoted 1 times

  Lexxsuse 5 months, 3 weeks ago

I'd say you are overthinking it. Nothing prevents us from thinking the firewalls are open as needed on the VMs. Here we need to justify ping
possibility from NSG configuration stand point. Yes the VM might not return the ping response. But it doesn't mean ping request can't reach the
destination.
upvoted 1 times

  spike15_mk 6 months ago

NO - Rule 200 outbound for VNET1/Subent2 and Rule 500 for Income from VNET1/Subent2(10.0.2.0/24) deny the traffic through port3389. VM1
don't have restriction to request on port 3389 to Subnet2 VM2, but VM2 when response on this request from VM1 on 3389 RULE 200 in NSG2 will
deny this message from VM2 response
YES - VNET1 and VNET2 are peered and default 65000 Rule AllowVnetOutBound allow any protocol and any port. Keep in mind default rules
existing in NSG
NO Rule 200 Deny
upvoted 5 times

  darren888 6 months, 1 week ago

YNN I dont believe you can ping VM3 from VM2 although they are in a peered network they are windows machines that block ICMP ping, VM3
would require a inbound rule to allow ICMP
upvoted 2 times

  jp_mcgee 6 months, 2 weeks ago

VM1/VNET1/SUBNET1/10.0.1.4
VM1/NSG1/INBOUND - Deny 3389 from VNET1/SUBNET2
VM1/NSG1/INBOUND - Allow ICMP

VM2/VNET1/SUBNET2/10.0.2.4
*/VNET1/SUBNET2/NSG2/OUTBOUND - Deny 3389 from 10.0.0.0/16 to vnet
*/VNET1/SUBNET2/NSG2/OUTBOUND - Allow ICMP from 10.0.2.0/24 to 10.0.1.0/24

VM3/VNET2/SUBNET1/172.16.1.4 (VNET2 peered to VNET1, VNET3)

From VM1, you can establish a Remote Desktop session to VM2

Yes. Same VNET. NSG1 denys inbound RDP to VM1 AND NSG2 denys outbound RDP from subnet2

From VM2, you can ping VM3

No. NSG2 Default rule DenyAllOutBound blocks VNET1 to VNET2

From VM2, you can establish a Remote Desktop session to VM3

No. NSG2 Default rule DenyAllOutBound blocks VNET1 to VNET3

https://learn.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works
upvoted 3 times

  kf 7 months ago
This question was on the test 11/12/2022: YYN
upvoted 2 times

  matejka 7 months, 2 weeks ago

Y-Y-N

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 826/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 3 times
  klexams 7 months, 3 weeks ago
VM1 - VNET1/Subnet1 - Inbound rules - No outbound rules
VM2 - VNET1/Subnet2 - Outbound rules - No inbound rules
VM3 - VNET2/Subnet1

Box1 - YES
VM1 no outbound rules
VM2 no Inbound rules.
same VNET, subnet to subnet Allowed by default.

Box2 - NO
VM2 has outbound ICMP rule to Allow from 10.0.2.0/24 to 10.0.1.0/24 only. VM3 is 172.16.1.4 but VNET1 and VNET2 are peered which means
inbound traffic between subnets has not restriction.

Box3 - NO
VM2 has outbound RDP rule to Deny from 10.0.0.0/16 to any VNET.
upvoted 6 times

  klexams 7 months, 3 weeks ago

I mean Box2 is YES. sorry.
upvoted 5 times

  awssecuritynewbie 8 months ago

please lets review this together guys,

"Associate NSG1 to the network interface of VM1" which is DENYING inbound traffic for 3389 from VM2. but the question states FROM VM1 -->
VM2 . so the NSG1 does not come in play as it is only for INBOUND RDP TRAFFIC TO VM1 not outbound vm

YES

YES
NO - as the outbound traffic is from source 10.0.0.0/16 ( the entire 10.0.255.255, that VM2 fails in) with port 3389 to any VNET
upvoted 1 times

  BD1988 8 months, 3 weeks ago

I think the answer is NYN.
1. VM1 will try to connect with VM2 but the VM2 have default inbound rules and by default port 3389 is blocked. For, this to happen VM2 has to
have inbound security rule that opens port 3389.
2. Yes : the VNET2 and VNET3 are peered.
3. No: Outbound RDP not allowed on VM2
upvoted 6 times

  Mev4953 8 months, 3 weeks ago

YES: VM1 => VM2 (RDP connection) NSG1 (inbound rule), hence no restriction

YES : VM2 => VM1 (ping) they are peered

NO : VM2 => VM3 (RDP connection) NG2 (outbound rule), hence NOT allowed
upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 827/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #3 Topic 15

To start the case study -

Overview -

General Overview -
Contoso, Ltd. is a consulting company that has a main office in Montreal and branch offices in Seattle and New York.

Environment -

Sub1 contains two resource groups named RG1 and RG2 and the virtual networks shown in the following table.

User1 manages the resources in RG1. User4 manages the resources in RG2.
Sub1 contains virtual machines that run Windows Server 2019 as shown in the following table

No network security groups (NSGs) are associated to the network interfaces or the subnets.
Sub1 contains the storage accounts shown in the following table.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 828/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Requirements -

Associate NSG1 to the network interface of VM1.

Create an NSG named NSG2 that will have the custom outbound security rules shown in the following table.

Associate NSG2 to VNET1/Subnet2.

Question
You need to add VM1 and VM2 to the backend pool of LB1.
What should you do first?

A. Connect VM2 to VNET1/Subnet1.

B. Redeploy VM1 and VM2 to the same availability zone.

C. Redeploy VM1 and VM2 to the same availability set.

D. Create a new NSG and associate the NSG to VNET1/Subnet1.

Correct Answer: A
VM1 is already in VNET1/Subnet1.
VM2 is on VNET1/Subnet2, and must be moved to VNET1/Subnet1.
Note:
Create an internal Basic Azure Load Balancer named LB1 and connect the load balancer to VNET1/Subnet1

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 829/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Reference:
https://docs.microsoft.com/en-us/azure/load-balancer/quickstart-load-balancer-standard-internal-portal

Community vote distribution

C (80%) A (15%) 5%

  tunaparker Highly Voted  5 months ago

de ja vu
upvoted 11 times

  GBAU Highly Voted  4 months ago

Selected Answer: C
No point in Connecting VM2 to VNET1/Subnet1 as you are going to have to redeploy it anyway.

"An existing VM cannot be added to an availability set after it is created."

https://learn.microsoft.com/en-us/azure/virtual-machines/linux/tutorial-availability-sets

A VM can only be added to an availability set when it is created.

"https://learn.microsoft.com/en-us/azure/virtual-machines/windows/change-availability-set"

If they are already in the same availability set , then you don't need to do B anyway, your a good little Azure admin, keep it up and create your
backend pool with them in it. The fact that this question is being asked with no option of 'nothing' means they are not already in the same AS.
upvoted 5 times

  GBAU 4 months ago

Opps, should have read "then you don't need to do A anyway"
upvoted 1 times

  _adem Most Recent  1 week, 5 days ago

Question on exam on 02/06/2023. I passed. Chose the most voted for answer
upvoted 2 times

  joykdutta 1 month, 2 weeks ago

Do you think Q2 and Q3 in this Topic 15 are same? so answer will be same - Redeploy VM1 and VM2 to the same availability set.
upvoted 1 times

  Zemar 2 months, 4 weeks ago

Correct Answer = C

"It's not possible to switch a VM between subnets/vnets without deallocating/deleting-recreating the VM.

Easiest way to change subnet of VM:

- Delete the VM but keep the OS Disk.
- Deploy a new VM in the new subnet and use the still existing OS Disk."

Source: https://learn.microsoft.com/en-us/answers/questions/130410/how-to-change-the-vnet-of-a-vm
upvoted 2 times

  CyberKelev 3 months, 1 week ago

Selected Answer: A
the first step should be to connect VM2 to VNET1/Subnet1
upvoted 1 times

  AnKiLa 4 months ago

Selected Answer: A
I have not tested this one, but did some reaserch. Configuration through Azure portal supports only one subnet
(https://i.stack.imgur.com/v7ePg.png) and it is possible to create a LB with more than one availability set (https://learn.microsoft.com/en-
us/azure/load-balancer/tutorial-multi-availability-sets-portal). That's why I will go with answer A (Connect VM2 to VNET1/Subnet1).
upvoted 1 times

  shrp 4 months, 1 week ago

Selected Answer: C
I've tested, you can have VMs in different subnets of a VNET and be a member of the same availability set. The basic internal LB will accept this
configuration.

I don't like the wording of answer C, because you need to recreate not redeploy the VMs but the rest of the answers make no sense.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 830/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

upvoted 2 times
  dagomo 4 months, 2 weeks ago
Selected Answer: A
As our colleague prenominal said must be A
prenominal 4 months, 3 weeks ago
Selected Answer: A
Requirement: "Create an internal Basic Azure Load Balancer named LB1 and connect the load balancer to VNET1/Subnet1"

For this reason, I believe it's A (Connect VM2 to VNET1/Subnet1)

upvoted 2 times
upvoted 1 times

  Bigc0ck 5 months, 1 week ago

same quetion
upvoted 1 times

  Lexxsuse 5 months, 3 weeks ago

I really don't like term "Redeploy" in answer C. Redeploy has a specific meaning - it means restart VM on a new set of hardware. To add to an
availability set we actually need to recreate both VMs
upvoted 3 times

  Imy 8 months, 2 weeks ago

Same as the previous question.
upvoted 4 times

  EleChie 8 months, 3 weeks ago

*The Basic tier is quite restrictive. A load balancer is restricted to a single availability set, virtual machine scale set (VMSS), or a single machine.

*The Standard tier can span any virtual machine in a single virtual network (Vnet), including blends of scale sets, availability sets, and machines. In
another mening "Any virtual machines or virtual machine scale sets (VMSS) in a single virtual network"
upvoted 3 times

  DanishHassan 9 months, 1 week ago

Selected Answer: C
Should be C
upvoted 2 times

  prenominal 9 months, 1 week ago

Requirement: "Create an internal Basic Azure Load Balancer named LB1 and connect the load balancer to VNET1/Subnet1"

For this reason, I believe it's A (Connect VM2 to VNET1/Subnet1)

upvoted 4 times

  awssecuritynewbie 8 months ago

that is what i think,, can someONE PLEASE HELP , how do you know the availability set of the VMS?
upvoted 2 times

  flurgen248 7 months, 4 weeks ago

Since there's no mention of an availability set we have to assume there isn't one.

A Basic Load Balancer can only support multiple VMs if they're in a single Availability Set or a VM Scale Set.
upvoted 5 times

  darthfodio 5 months, 2 weeks ago

Plus, VM1 and VM2 are in different subnets. If they were already in an availability set, they would be in the same subnet already.
upvoted 1 times

  HMO 9 months, 1 week ago

Selected Answer: C
You can not use basic load balancer to balance between single VMs . the have to be in a scale set or availability set
upvoted 4 times

  libran 9 months, 1 week ago

Selected Answer: C
Redeploy VM1 and VM2 to the same availability set.
upvoted 1 times

  awssecuritynewbie 8 months, 1 week ago

WRONG! the deployment is good for a new AZ but not actually to change VM vnet
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 831/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #4 Topic 15

You need to ensure that VM1 can communicate with VM4. The solution must minimize administrative effort.

What should you do?

A. Create a user-defined route from VNET1 to VNET3.

B. Create an NSG and associate the NSG to VM1 and VM4.

C. Assign VM4 an IP address of 10.0.1.5/24.

D. Establish peering between VNET1 and VNET3.

Correct Answer: D

Community vote distribution

D (100%)

  Madbo 2 months ago

The correct option is D. Establish peering between VNET1 and VNET3.

To ensure that VM1 can communicate with VM4, we need to establish connectivity between the two virtual networks (VNET1 and VNET3) where the
VMs reside. VNet peering enables us to connect two virtual networks together so that VMs in either network can communicate with each other.
With VNet peering, the virtual networks are connected directly using the Azure backbone network, so we do not need to create any user-defined
routes or assign specific IP addresses to VMs. Additionally, peering reduces administrative effort by eliminating the need for complex network
configurations.
upvoted 2 times

  macrawat 2 months, 2 weeks ago

But vnet2 is peered with vnet1 and vnet3, so we shall not required to peer vnet1 to vnet3.
So there is no need to do anything.
vm1 can communicate with vm3
upvoted 1 times

  tabr 1 month, 3 weeks ago

VNETs are non-transitive
upvoted 3 times

  CyberKelev 3 months, 1 week ago

From contoso topic. D. Establish peering between VNET1 and VNET3.
upvoted 1 times

  Juniorr 3 months, 2 weeks ago

Hello there. Why would you peer VNET1 and VNET3 in order to let VNET4 communicate with VNET1 ? Am I missing something?
Shouldn't we be peering VNET1 and VNET4 both ways? The answer doesn't seem to make sense.
Thank you.
upvoted 1 times

  loner_123 3 months, 1 week ago

The question is to let VM1 and VM4 communicate. Not vNets
upvoted 1 times

  CyberKelev 3 months, 1 week ago

VM1 is connected to VNET1, VM4 is connected to VNET3, so establish a peering between the two can ensure VM1 can communicate with VM4
upvoted 2 times

  wpestan 5 months, 1 week ago

Selected Answer: D
i can´t see any issue to create a peering
D. Establish peering between VNET1 and VNET3.
upvoted 3 times

  vitodobra 5 months, 1 week ago

Selected Answer: D
Peering
upvoted 1 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 832/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Topic 16 - Testlet 9

Question #1 Topic 16

To start the case study -

Litware uses two web applications named App1 and App2. Each instance on each web application requires 1 GB of memory.
The Azure subscription contains the resources in the following table.

The network security team implements several network security groups (NSGs)

Requirements -

Planned Changes -
Litware plans to implement the following changes:
Deploy Azure ExpressRoute to the Montreal office.
Migrate the virtual machines hosted on Server1 and Server2 to Azure.
Synchronize on-premises Active Directory to Azure Active Directory (Azure AD).
https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 833/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Migrate App1 and App2 to two Azure web apps named WebApp1 and WebApp2.

Question
HOTSPOT -
You need to implement Role1.
Which command should you run before you create Role1? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

  Gromble_ziz Highly Voted  1 year, 11 months ago

Get-AzRoleDefinition -name "Reader" |ConvertTo-Json
https://docs.microsoft.com/en-us/azure/role-based-access-control/role-definitions-list?tabs=roles
upvoted 60 times

  Panapi 3 months, 3 weeks ago

Answer valid! This question was on the exam 22/02/2023. Scored 920.
upvoted 5 times

  Gromble_ziz 1 year, 11 months ago

Addition:
Create customer azure role from Json
https://docs.microsoft.com/en-us/powershell/module/az.resources/new-azroledefinition?view=azps-6.2.0#example-2--create-using-json-file
upvoted 7 times

  atilla Highly Voted  1 year, 1 month ago

yes lets memorize all this azure cli commands... I got it correct becaouse I have a bit experience, but I look it up in the documentation
upvoted 12 times

  iRish Most Recent  1 week, 5 days ago

https://learn.microsoft.com/en-us/azure/role-based-access-control/tutorial-custom-role-powershell
This also shows why we need to convert the output to JSON
upvoted 1 times

  CyberKelev 3 months, 1 week ago

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 834/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Get-AzRoleDefinition -Name "Reader" | ConvertTo-Json

upvoted 2 times

  michaelmorar 1 year, 1 month ago

Get-AzRoleDefinition + ConvertTo-Json
upvoted 2 times

  ajayasa 1 year, 3 months ago

this casestudy was there on 16/03/2022 with same question and passed with 900 percent
upvoted 2 times

  ajayasa 1 year, 3 months ago

this casestudy but not same question was there on 16/03/2022 with same question and passed with 900 percent
upvoted 1 times

  ajayasa 1 year, 3 months ago

this case study was there on 16/03/2022 with same question and passed with 900 percent and provided the answer mentioned in the answer
section
upvoted 1 times

  benvdw 1 year, 3 months ago

on exam 13/3/2022
upvoted 1 times

  husam421 1 year, 4 months ago

in exam 10/2/2022
upvoted 3 times

  FabioVi 1 year, 4 months ago

Correct. As the requirement states "Create a custom Azure role named Role1 that is based on the Reader role"...
... then you first need to know what the Reader role implies.
upvoted 4 times

  kandovn 1 year, 5 months ago

Correct answer
upvoted 1 times

  ITprof99 1 year, 5 months ago

On exam 01.02.22
Answer: Get-AzRoleDefinition <role_name> | ConvertTo-Json
upvoted 4 times

  Pamban 1 year, 7 months ago

in exam 15/11/2021
upvoted 4 times

  fabylande 1 year, 8 months ago

in exam today! October 16, 2021
upvoted 4 times

  Quantigo 1 year, 8 months ago

Answer is correct
Get-AzRoleDefinition <role_name> | ConvertTo-Json
https://docs.microsoft.com/en-us/azure/role-based-access-control/role-definitions-list?tabs=roles
upvoted 2 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 835/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #2 Topic 16

To start the case study -

Litware uses two web applications named App1 and App2. Each instance on each web application requires 1 GB of memory.
The Azure subscription contains the resources in the following table.

The network security team implements several network security groups (NSGs)

Requirements -

Planned Changes -
Litware plans to implement the following changes:
Deploy Azure ExpressRoute to the Montreal office.
Migrate the virtual machines hosted on Server1 and Server2 to Azure.
Synchronize on-premises Active Directory to Azure Active Directory (Azure AD).
Migrate App1 and App2 to two Azure web apps named WebApp1 and WebApp2.

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 836/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

Question
You need to recommend a solution to automate the configuration for the finance department users. The solution must meet the technical
requirements.
What should you include in the recommendation?

A. Azure AD B2C

B. dynamic groups and conditional access policies

C. Azure AD Identity Protection

D. an Azure logic app and the Microsoft Identity Management (MIM) client

Correct Answer: B
Scenario: Ensure Azure Multi-Factor Authentication (MFA) for the users in the finance department only.
The recommendation is to use conditional access policies that can then be targeted to groups of users, specific applications, or other
conditions.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates

Community vote distribution

B (100%)

  imartinez Highly Voted  1 year, 11 months ago

Answer is correct: "dynamic groups and conditional access policies"
Last question, wish you all the best!
upvoted 109 times

  lksilesian 1 year, 7 months ago

And all the best to you, if you took the exam - I hope you have passed!
upvoted 11 times

  Merkur76 Highly Voted  1 year, 10 months ago

Congratulations!
For reaching this end.

07/30/2021 AZ 104 passed with 909 points.

About 70% of the questions were from here.

Many given answers here are wrong.

Look carefully in the comments, there are more often the correct answers.

If you work through Microsoft Learn like I did, I'll give you a tip: Do everything you learn directly in Azure once yourself. This is the only way to have
a chance to answer the questions that are not listed here.
upvoted 56 times

  lksilesian 1 year, 7 months ago

Congrats on passing the exam. Comments and discussion are the main reasons why I am here. Apart from 1 course I could not find any place
with authoritative answers. Many places where you can BUY a test exam - they have questions from here with WRONG answers. I have learned
more from reading discussions here and FOLLOWING links attached to the official Microsoft documentation that I did from going through a
course that should prepare me for 104
upvoted 12 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 837/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  juniorccs 1 year, 5 months ago

I don't thinkg that many given answers are wrong here. I bought the Measure Up for$100 and got 206 questions there, none of those questions
were in my exam which I failed with 640, after taking it and coming back here, ExamTopics have more relevant questions. Going through all
Microsoft Learn is good, but it can take you months and it's huge, the knowledge there. For passing the exam, only dumps like these are good,
even though you pass the exam, doesn't mean you can work with azure without properly working with it!
upvoted 24 times

  Reddy9874 Most Recent  1 month, 2 weeks ago

Passed with 970 yesterday, 49 questions were from here and only 1 new question.
New Question:
Environment has subscription 1 and below resources:
RG1
VM1
MG1 (management group)

To which of the above, you can assign admin1 co-administrator role?

Answer is Sub1
upvoted 8 times

  Madbo 2 months ago

The correct option is B. Dynamic groups and conditional access policies.

To automate the configuration for the finance department users, we need to dynamically assign them to appropriate groups and enforce
conditional access policies based on their group membership. Dynamic groups are Azure AD security groups whose membership is based on user
or device attributes, such as department, job title, or location. We can create dynamic groups for the finance department users based on their
department attribute. Then we can use conditional access policies to restrict access to specific applications or resources based on the users' group
membership. For example, we can enforce multifactor authentication (MFA) for users in the finance group when they access sensitive financial
applications. Dynamic groups and conditional access policies meet the technical requirements by ensuring that user access is controlled based on
their group membership and by automating the process of assigning users to the appropriate groups.
upvoted 2 times

  obaali1990 2 months, 3 weeks ago

I passed today March 24, 2023. I had 90% over the total marks. I used about 50 minutes. I can confirmed that there was about 3 new questions in
the exams. The discussions on this page are fantastic. It helped me grasped what I Learnt from MS Learn. Thanks to all. I first wrote AZ 305 in
February 2023 and had 946/1000 and so I am through. Contributor access is ok to me but I wish it is review downwards.
upvoted 3 times

  djgodzilla 3 months ago

congrats everyone . For me this is page 47 meaning 400+ questions I kid you not I never seen this in ET. almost no duplicates . weeks and weeks of
reading.
pro tip : copy the questions in a text document with the right answers from the comments.
that way the review will be quick.
wish me good luck ;)
upvoted 3 times

  djgodzilla 2 months, 1 week ago

and I got it. 890.
50 questions 1h:40 1 scenario.
goof luck
upvoted 3 times

  CyberKelev 3 months, 1 week ago

To automate the configuration for the finance department users while meeting the technical requirements, you should recommend using dynamic
groups and conditional access policies.
upvoted 1 times

  Sleazy 3 months, 2 weeks ago

First time commenting on here, after 2 months of studying (failed my first attempt on the 23rd of November last year) hopefully I get my revenge
tomorrow! I feel ready this time, will update you guys!
upvoted 1 times

  Sleazy 3 months, 2 weeks ago

Yesss I passed everyone, got like 720, so it was very close but thanks to everyone for helping out!
upvoted 5 times

  obaali1990 2 months, 3 weeks ago

Congratulations
upvoted 1 times

  voraciousreader 3 months, 1 week ago

were most of the question are from here? me too lost first attempt.. :-(
upvoted 1 times

  lkjsatlwjwwge 3 months, 2 weeks ago

Hi everyone. I scored 990, thanks to all of your answers and discussions. Best of luck to those who come after, and awesome community job!
upvoted 5 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 838/839
6/15/23, 7:06 AM AZ-104 Exam – Free Actual Q&As, Page 1 | ExamTopics

  obaali1990 2 months, 3 weeks ago

Congratulations
upvoted 1 times

  PoschF 3 months, 3 weeks ago

Helpful videos on this Youtube channell: https://www.youtube.com/@Eydiea652/videos
upvoted 1 times

  MJFT 3 months, 3 weeks ago

Hi All, just sat the exam and barely passed with 725 points. About 30% of the questions were not on this dump. Thanks God the case study was
from here but even there some of the questions were new. Good luck to you all!
upvoted 3 times

  Shokri 3 months, 3 weeks ago

I passed today with score 870!
Thank you @ mlantonis for your comments, I just follow your Tips.
good luck for every one.
I can say 70% of exam was comming from here ;)
upvoted 4 times

  Mazinger 4 months ago

To automate the configuration for the finance department users, you should recommend using dynamic groups and conditional access policies.
This will allow you to automatically add users to a specific group based on certain criteria (such as department) and then apply conditional access
policies (such as Azure Multi-Factor Authentication) to that group. This solution meets the technical requirements and also minimizes costs. Option
A (Azure AD B2C) is not relevant to this scenario, option C (Azure AD Identity Protection) does not directly address the automation of user
configuration, and option D (an Azure logic app and the Microsoft Identity Management (MIM) client) is not the most efficient solution for this
scenario.
upvoted 1 times

  seeyainthecloud 4 months, 1 week ago

Good luck to y'all
Next stop ----> how to pass 'Captcha exam". lezzzgooo!!
upvoted 1 times

  BShelat 5 months, 1 week ago

I took the test today and passed - 840/1000. I opted to show myself as "Novice" for all questions asked before the start of the exam. 90-95%
Questions were from this dump. Thanks Examtopics.
upvoted 3 times

  przema86 5 months, 4 weeks ago

Something is wrong.. entire ET set should have 391 questions, if that one is last one then there is only 389.. Two questions are missing :)
upvoted 1 times

  SumanSaurabh 6 months, 1 week ago

Congratulations everyone for reaching out to this last question. Wishing you all good luck and score well. Now its time to do revision before the
exam.
upvoted 6 times

  coringlax 6 months ago

I'm glad to be here at the top of the EVEREST (391m high). Now I will climb down all the way to question 1. Wish me luck.
upvoted 4 times

https://www.examtopics.com/exams/microsoft/az-104/custom-view/ 839/839

.NET MAUI Cookbook: Build a full-featured app swiftly with MVVM, CRUD, AI, authentication, real-time updates, and more
From Everand
.NET MAUI Cookbook: Build a full-featured app swiftly with MVVM, CRUD, AI, authentication, real-time updates, and more
Alexander Russkov
No ratings yet
AZ-104T00A Azure Virtual Machines
100% (1)
AZ-104T00A Azure Virtual Machines
36 pages
Hands-On Azure Data Platform: Building Scalable Enterprise-Grade Relational and Non-Relational database Systems with Azure Data Services
From Everand
Hands-On Azure Data Platform: Building Scalable Enterprise-Grade Relational and Non-Relational database Systems with Azure Data Services
Sagar Lad
No ratings yet
Microsoft Azure Administrator Exam Prep (AZ-104): Make Your Career with Microsoft Azure Platform Using Azure Administered Exam Prep (English Edition)
From Everand
Microsoft Azure Administrator Exam Prep (AZ-104): Make Your Career with Microsoft Azure Platform Using Azure Administered Exam Prep (English Edition)
Lalit Rawat
4.5/5 (3)
Atellica-Sample-Handler SpecSheet FINAL
No ratings yet
Atellica-Sample-Handler SpecSheet FINAL
4 pages
Partner University Pre-Sales Learning Paths July 7 2022
No ratings yet
Partner University Pre-Sales Learning Paths July 7 2022
2 pages
Acer Veriton Z291G Emachines EZ1711 Wistron Pi010L 09194 1 E VMARR PDF
100% (1)
Acer Veriton Z291G Emachines EZ1711 Wistron Pi010L 09194 1 E VMARR PDF
31 pages
Azure Virtual Machines
100% (1)
Azure Virtual Machines
1 page
Introduction To Azure Virtual Machines
0% (1)
Introduction To Azure Virtual Machines
27 pages
winPS createManageVMs PDF
No ratings yet
winPS createManageVMs PDF
1,159 pages
AWS Solution Architect Certification Exam Practice Paper 2019
From Everand
AWS Solution Architect Certification Exam Practice Paper 2019
Tech Interviews
3.5/5 (3)
Azure Virtual Machines
50% (2)
Azure Virtual Machines
8 pages
Azure QA Assingnment
No ratings yet
Azure QA Assingnment
22 pages
Azure VMs
No ratings yet
Azure VMs
2 pages
AZ-104 Exam Part 2 Edited
No ratings yet
AZ-104 Exam Part 2 Edited
806 pages
AZ-104 Azure Administrator Practice Paper 2: AZ-104 Azure Administrator, #2
From Everand
AZ-104 Azure Administrator Practice Paper 2: AZ-104 Azure Administrator, #2
Tech Interviews
No ratings yet
Azure Virtual Machines
0% (1)
Azure Virtual Machines
5 pages
Azure VM
No ratings yet
Azure VM
3 pages
Azure MS Docs PDF
No ratings yet
Azure MS Docs PDF
766 pages
Azure MS Docs PDF
No ratings yet
Azure MS Docs PDF
766 pages
Azure
No ratings yet
Azure
886 pages
AZ 103T00A ENU PowerPoint - 02
No ratings yet
AZ 103T00A ENU PowerPoint - 02
42 pages
AZ-900 Azure Fundamentals Practice Paper 2: AZ-900 Azure Fundamentals, #2
From Everand
AZ-900 Azure Fundamentals Practice Paper 2: AZ-900 Azure Fundamentals, #2
Tech Interviews
No ratings yet
Expert Veri Ed, Online, Free.: Microsoft AZ-104 Exam Actual Questions
No ratings yet
Expert Veri Ed, Online, Free.: Microsoft AZ-104 Exam Actual Questions
1 page
AZ-900 Azure Fundamentals Practice Paper 3: AZ-900 Azure Fundamentals, #3
From Everand
AZ-900 Azure Fundamentals Practice Paper 3: AZ-900 Azure Fundamentals, #3
Tech Interviews
No ratings yet
AZ-104 Azure Administrator Practice Paper 1: AZ-104 Azure Administrator, #1
From Everand
AZ-104 Azure Administrator Practice Paper 1: AZ-104 Azure Administrator, #1
Tech Interviews
No ratings yet
Manage Virtual Machines
No ratings yet
Manage Virtual Machines
22 pages
Az 104t00a Enu Powerpoint 08
No ratings yet
Az 104t00a Enu Powerpoint 08
39 pages
Lab Answer Key - Deploying and Configuring Windows Server On Azure VMs
No ratings yet
Lab Answer Key - Deploying and Configuring Windows Server On Azure VMs
8 pages
Azure 2
No ratings yet
Azure 2
38 pages
AZ 104T00A ENU PowerPoint - 08
No ratings yet
AZ 104T00A ENU PowerPoint - 08
36 pages
Azure VM and Disk
No ratings yet
Azure VM and Disk
46 pages
Az 300
100% (1)
Az 300
15 pages
Task 11 Week 11 Q1, Q2, Q3
No ratings yet
Task 11 Week 11 Q1, Q2, Q3
10 pages
Autoscaling Report On Azure
No ratings yet
Autoscaling Report On Azure
7 pages
AZ 104+PDF+With+Notes+Section
No ratings yet
AZ 104+PDF+With+Notes+Section
64 pages
Microsoft AZ-104 Azure Administrator Associate Quick Reference Guide
No ratings yet
Microsoft AZ-104 Azure Administrator Associate Quick Reference Guide
56 pages
Programming APIs with C# and .NET: Develop high-performance APIs that ensure seamless application communication and enhanced security
From Everand
Programming APIs with C# and .NET: Develop high-performance APIs that ensure seamless application communication and enhanced security
Jesse Liberty
No ratings yet
Mod 2 - Lab - Deploy and Manage Virtual Machines
No ratings yet
Mod 2 - Lab - Deploy and Manage Virtual Machines
12 pages
Az-104 PDF
No ratings yet
Az-104 PDF
191 pages
Azure 4 Fundamental
No ratings yet
Azure 4 Fundamental
1,192 pages
Azure Continuum
No ratings yet
Azure Continuum
4 pages
1.1. Provision VMs & Configure VMs For Remote Access
No ratings yet
1.1. Provision VMs & Configure VMs For Remote Access
1 page
Windows Virtual Machines Overview - Azure - Microsoft Docs PDF
No ratings yet
Windows Virtual Machines Overview - Azure - Microsoft Docs PDF
1,071 pages
AZ-900 Azure Fundamentals Practice Paper 5: AZ-900 Azure Fundamentals, #5
From Everand
AZ-900 Azure Fundamentals Practice Paper 5: AZ-900 Azure Fundamentals, #5
Tech Interviews
No ratings yet
Azure Hands-On Lab (HOL) Build Your Infrastructure in The Cloud Using Windows Azure Infrastructure Services
No ratings yet
Azure Hands-On Lab (HOL) Build Your Infrastructure in The Cloud Using Windows Azure Infrastructure Services
18 pages
Module 05 Implement Infrastructure As A Service Solutions
No ratings yet
Module 05 Implement Infrastructure As A Service Solutions
49 pages
753 - V3
No ratings yet
753 - V3
11 pages
Microsoft Azure DevOps Engineer AZ 400
From Everand
Microsoft Azure DevOps Engineer AZ 400
Manish Soni
No ratings yet
Azure Virtual Machines Practical Exercises
No ratings yet
Azure Virtual Machines Practical Exercises
11 pages
ONLINE LAB: Setting Up Your First Virtual Machine Scale Set
No ratings yet
ONLINE LAB: Setting Up Your First Virtual Machine Scale Set
14 pages
D306 Study Guide
No ratings yet
D306 Study Guide
83 pages
vSphere Virtual Machine Management
From Everand
vSphere Virtual Machine Management
Rebecca Fitzhugh
No ratings yet
Azure Fa
No ratings yet
Azure Fa
4 pages
Azure Virtual MC
No ratings yet
Azure Virtual MC
1 page
Azure Essentials
No ratings yet
Azure Essentials
3 pages
Aws Sysops Final
No ratings yet
Aws Sysops Final
19 pages
Performance Tools
From Everand
Performance Tools
Ahmed Bouchefra
No ratings yet
AZ-900 Azure Fundamentals Practice Paper 6: AZ-900 Azure Fundamentals, #6
From Everand
AZ-900 Azure Fundamentals Practice Paper 6: AZ-900 Azure Fundamentals, #6
Tech Interviews
No ratings yet
Test
No ratings yet
Test
645 pages
Azure Fundamentals: Azure Virtual Machines - Practical Exercises
No ratings yet
Azure Fundamentals: Azure Virtual Machines - Practical Exercises
6 pages
AZ-900 Azure Fundamentals Practice Paper 1: AZ-900 Azure Fundamentals, #1
From Everand
AZ-900 Azure Fundamentals Practice Paper 1: AZ-900 Azure Fundamentals, #1
Tech Interviews
No ratings yet
WIT-windows VM Build Process-On-Prem Vcenter (1) 4
No ratings yet
WIT-windows VM Build Process-On-Prem Vcenter (1) 4
20 pages
ESP Scheduling Manual For Z/os
100% (2)
ESP Scheduling Manual For Z/os
634 pages
Hack BSD
No ratings yet
Hack BSD
3 pages
Connected But Alone by Sherry Turkle Transcript
No ratings yet
Connected But Alone by Sherry Turkle Transcript
5 pages
44x Premium Spotify Accounts
No ratings yet
44x Premium Spotify Accounts
4 pages
Frontend Developer Assignment - Ambee
No ratings yet
Frontend Developer Assignment - Ambee
4 pages
Low Cost Energy Efficient Smart Security System With Information Stamping For IoT Networks
No ratings yet
Low Cost Energy Efficient Smart Security System With Information Stamping For IoT Networks
5 pages
Maersk Delivery Order Guidebook v2
No ratings yet
Maersk Delivery Order Guidebook v2
14 pages
Nakul EMS
No ratings yet
Nakul EMS
15 pages
Wso2 Apim Quick Start Guide
No ratings yet
Wso2 Apim Quick Start Guide
37 pages
EOBD II Fault Codes Installation Package 08-02-2014
No ratings yet
EOBD II Fault Codes Installation Package 08-02-2014
2 pages
SEO Strategy Marble Business
No ratings yet
SEO Strategy Marble Business
3 pages
Asif
No ratings yet
Asif
75 pages
The Golden Tax Department and Emergence of Goldenspy Malware
No ratings yet
The Golden Tax Department and Emergence of Goldenspy Malware
26 pages
Nandini CV.1
No ratings yet
Nandini CV.1
1 page
Lab 13.0 - SNMP Analysis
No ratings yet
Lab 13.0 - SNMP Analysis
25 pages
Y Sangala NG 101
0% (1)
Y Sangala NG 101
5 pages
Khusmuddin Ansari Resume
No ratings yet
Khusmuddin Ansari Resume
1 page
MLNX-OS v3.11.2002 ReleaseNotes
No ratings yet
MLNX-OS v3.11.2002 ReleaseNotes
36 pages
TransferCFT InstallationGuide Windows en
No ratings yet
TransferCFT InstallationGuide Windows en
203 pages
Health First: A Platform That Helps To Restore Your Good Health
No ratings yet
Health First: A Platform That Helps To Restore Your Good Health
19 pages
Qlik Deployment Console (QDC)
No ratings yet
Qlik Deployment Console (QDC)
39 pages
Final Exam in Empowerment Technologies
No ratings yet
Final Exam in Empowerment Technologies
4 pages
Index of Greek Lessons - Pappas
No ratings yet
Index of Greek Lessons - Pappas
2 pages
12 08 52
No ratings yet
12 08 52
8 pages
DIY SMS Gateway - Send Messages Anytime, Anywhere
No ratings yet
DIY SMS Gateway - Send Messages Anytime, Anywhere
27 pages
B3-Test Scenario, Test Case, Traceability
No ratings yet
B3-Test Scenario, Test Case, Traceability
49 pages
Thesis Wordpress Theme Download Free
100% (2)
Thesis Wordpress Theme Download Free
8 pages