You have the Azure virtual machines shown in the following table.A DNS service is installed on VM1.You configure the DNS servers settings for each virtual network as shown in the following exhibit.You need to ensure that all the virtual machines can resolve DNS names by using the DNS service on VM1. What should you do?
Answer(s): D
Virtual network peering enables you to seamlessly connect networks in Azure Virtual Network. The virtual networks appear as one for connectivity purposes. The traffic between virtual machines uses the Microsoft backbone infrastructure.Incorrect Answers:B, C: Virtual Network (VNet) service endpoint provides secure and direct connectivity to Azure services over anoptimized route over the Azure backbone network. Endpoints allow you to secure your critical Azure service resources to only your virtual networks. Service Endpoints enables private IP addresses in the VNet to reach the endpoint of an Azure service without needing a public IP address on the VNet.
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview
HOTSPOT (Drag and Drop is not supported)You have an Azure subscription that contains the Azure virtual machines shown in the following table.You add inbound security rules to a network security group (NSG) named NSG1 as shown in the following table.You run Azure Network Watcher as shown in the following exhibit.You run Network Watcher again as shown in the following exhibit.For each of the following statements, select Yes if the statement is true. Otherwise, select No.NOTE: Each correct selection is worth one point.Hot Area:
Answer(s): A
Box 1: NoIt limits traffic to VM2, but not VM1 traffic.Box 2: YesYes, the destination is VM2. Box 3: No
https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works
You have the Azure virtual network named VNet1 that contains a subnet named Subnet1. Subnet1 contains three Azure virtual machines. Each virtual machine has a public IP address.The virtual machines host several applications that are accessible over port 443 to users on the Internet. Your on-premises network has a site-to-site VPN connection to VNet1.You discover that the virtual machines can be accessed by using the Remote Desktop Protocol (RDP) from the Internet and from the on-premises network.You need to prevent RDP access to the virtual machines from the Internet, unless the RDP connection is established from the on-premises network. The solution must ensure that all the applications can still beaccessed by the Internet users. What should you do?
Answer(s): B
You can use a site-to-site VPN to connect your on-premises network to an Azure virtual network. Users on your on-premises network connect by using the RDP or SSH protocol over the site-to-site VPN connection. You don't have to allow direct RDP or SSH access over the internet.
https://docs.microsoft.com/en-us/azure/security/fundamentals/network-best-practices
You have an Azure subscription that contains the resources in the following table.Subnet1 is associated to VNet1. NIC1 attaches VM1 to Subnet1. You need to apply ASG1 to VM1.What should you do?
Application Security Group can be associated with NICs.References:https://docs.microsoft.com/en-us/azure/virtual-network/security-overview#application-security-groups
References:https://docs.microsoft.com/en-us/azure/virtual-network/security-overview#application-security-groups
You have an Azure subscription named Subscription1 that contains an Azure virtual network named VNet1. VNet1 connects to your on-premises network by using Azure ExpressRoute.You plan to prepare the environment for automatic failover in case of ExpressRoute failure.You need to connect VNet1 to the on-premises network by using a site-to-site VPN. The solution must minimize cost.Which three actions should you perform? Each correct answer presents part of the solution.NOTE: Each correct selection is worth one point.
Answer(s): A,B,C
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-portal
HOTSPOT (Drag and Drop is not supported)You have peering configured as shown in the following exhibit.Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.NOTE: Each correct selection is worth one point.Hot Area:
Box 1: vNET6 onlyPeering status to both VNet1 and Vnet2 are disconnected.Box 2: delete peering1Peering to Vnet1 is Enabled but disconnected. We need to update or re-create the remote peering to get it back to Initiated state.
https://blog.kloud.com.au/2018/10/19/address-space-maintenance-with-vnet-peering/
HOTSPOT (Drag and Drop is not supported)You have an Azure subscription that contains the resources in the following table.You install the Web Server server role (IIS) on VM1 and VM2, and then add VM1 and VM2 to LB1. LB1 is configured as shown in the LB1 exhibit. (Click the LB1 tab.)Rule1 is configured as shown in the Rule1 exhibit. (Click the Rule1 tab.)For each of the following statements, select Yes if the statement is true. Otherwise, select No.NOTE: Each correct selection is worth one point.Hot Area:
Box 1: YesA Basic Load Balancer supports virtual machines in a single availability set or virtual machine scale set.Box 2: YesWhen using load-balancing rules with Azure Load Balancer, you need to specify health probes to allow Load Balancer to detect the backend endpoint status. The configuration of the health probe and probe responses determine which backend pool instances will receive new flows. You can use health probes to detect the failure of an application on a backend endpoint. You can also generate a custom response to a health probe and use the health probe for flow control to manage load or planned downtime. When a health probe fails, Load Balancer will stop sending new flows to the respective unhealthy instance. Outbound connectivity is not impacted, only inbound connectivity is impacted.Box 3: No Reference:https://docs.microsoft.com/en-us/azure/load-balancer/skushttps://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-custom-probe-overview
HOTSPOT (Drag and Drop is not supported)You have an Azure virtual machine named VM1 that connects to a virtual network named VNet1. VM1 has the following configurations:Subnet: 10.0.0.0/24 Availability set: AVSetNetwork security group (NSG): None Private IP address: 10.0.0.4 (dynamic) Public IP address: 40.90.219.6 (dynamic)You deploy a standard, Internet-facing load balancer named slb1. You need to configure slb1 to allow connectivity to VM1.Which changes should you apply to VM1 as you configure slb1? To answer, select the appropriate options in the answer area.NOTE: Each correct selection is worth one point.Hot Area:
Change the private IP address of VM1 to static Box 1: Remove the public IP address from VM1Note: A public load balancer can provide outbound connections for virtual machines (VMs) inside your virtual network. These connections are accomplished by translating their private IP addresses to public IP addresses. Public Load Balancers are used to load balance internet traffic to your VMs.Box 2: Create and configure an NSGNSGs are used to explicitly permit allowed traffic. If you do not have an NSG on a subnet or NIC of your virtual machine resource, traffic is not allowed to reach this resource.
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-overview
Share your comments for Microsoft AZ-104 exam with other users:
Alex 5/24/2025 12:54:15 AM
Can I trust to this source?