- (Topic 5)
You have an Azure subscription that contains a user named User1.
You need to ensure that User1 can deploy virtual machines and manage virtual networks. The solution must use the principle of least privilege.
Which role-based access control (RBAC) role should you assign to User1?
Correct Answer:
D
To ensure that User1 can deploy virtual machines and manage virtual networks, you need to assign an RBAC role that grants the necessary permissions to perform these tasks. The solution must also use the principle of least privilege, which means that you should only grant the minimum level of access required to accomplish the goal.
Based on these requirements, the best RBAC role to assign to User1 is D. Virtual Machine Contributor. This role allows User1 to create and manage virtual machines, disks, snapshots, and network interfaces. It also allows User1 to connect virtual machines to existing virtual networks and subnets. However, it does not allow User1 to create or delete virtual networks or subnets, or to access the virtual machines themselves. This role follows the principle of least privilege by limiting User1’s access to only the resources and actions that are relevant to deploying virtual machines and managing virtual networks.
- (Topic 5)
You have an app named App1 that runs on an Azure web app named webapp1.
The developers at your company upload an update of App1 to a Git repository named GUI. Webapp1 has the deployment slots shown in the following table.
You need to ensure that the App1 update is tested before the update is made available to users.
Which two actions should you perform? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.
Correct Answer:
AD
https://docs.microsoft.com/en-us/azure/app-service/deploy-staging-slots
- (Topic 5)
You have an Azure subscription that contains a storage account named account1.
You plan to upload the disk files of a virtual machine to account1 from your on-premises network. The on-premises network uses a public IP address space of 131.107.1.0/24.
You plan to use the disk files to provision an Azure virtual machine named VM1. VM1 will be attached to a virtual network named VNet1. VNet1 uses an IP address space of 192.168.0.0/24.
You need to configure account1 to meet the following requirements:
• Ensure that you can upload the disk files to account1.
• Ensure that you can attach the disks to VM1.
• Prevent all other access to account1.
Which two actions should you perform? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.
Correct Answer:
AE
To restrict access to account1, you need to enable the firewall and virtual network settings on the storage account. This allows you to specify which networks can access the storage account. By selecting Selected networks, you can block all access from the public internet and only allow access from the specified networks. By adding VNet1, you can allow access from the virtual network that contains VM1. You do not need to add the on-premises IP address range or enable the service endpoint option, as these are not required for uploading the disk files to the storage account. You do not need to allow trusted Microsoft services, as this is not relevant for the scenario.
References: [Configure Azure Storage firewalls and virtual networks] [Upload a generalized VHD to Azure]
HOTSPOT - (Topic 5)
You deploy an Azure Kubernetes Service (AKS) cluster that has the network profile shown in the following exhibit.
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic. NOTE: Each correct selection is worth one point.
Answer:
Solution:
Box 1: Containers will get the IP address from the virtual network subnet CIDR, which is 10.244.0.0/16
Box 2: Services in the AKS cluster will be assigned an IP address in the service CIDR, which is 10.0.0.0/16
Does this meet the goal?
Correct Answer:
A
HOTSPOT - (Topic 5)
You have an Azure subscription.
You plan to use Azure Resource Manager templates to deploy 50 Azure virtual machines that will be part of the same availability set.
You need to ensure that as many virtual machines as possible are available if the fabric fails or during servicing.
How should you configure the template? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Solution:
Box 1 = max value
Box 2 = 20
Explanation
Use max for platformFaultDomainCount. 2 or 3 is the max value, depending on which region you are in.
Use 20 for platformUpdateDomainCount.
Increasing the update domain (platformUpdateDomainCount) helps with capacity and availability planning when the platform reboots nodes. A higher number for the pool (20 is max) means that fewer of the nodes in any given availability set would be rebooted at once.
References:
https://www.itprotoday.com/microsoft-azure/check-if-azure-region-supports-2-or-3-fault-domains-managed-disks
https://github.com/Azure/acs-engine/issues/1030
Does this meet the goal?
Correct Answer:
A