
AZ-104 Microsoft Azure Administrator Sample Exam Questions


Last updated on July 11, 2025

Here are 10 AZ-104 Microsoft Azure Administrator practice exam questions to help you gauge your readiness for the actual exam.

Question 1

Your company has an Azure Storage account named TutorialsDojo1.

You have to copy your files hosted on your on-premises network to TutorialsDojo1 using AzCopy.

What Azure Storage services will you be able to copy your data into?

  1. Table and Queue only
  2. Blob, Table, and File only
  3. Blob, File, Table, and Queue
  4. Blob and File only

Correct Answer: 4

The Azure Storage platform is Microsoft’s cloud storage solution for modern data storage scenarios. Core storage services offer a massively scalable object store for data objects, disk storage for Azure virtual machines (VMs), a file system service for the cloud, a messaging store for reliable messaging, and a NoSQL store.

AzCopy is a command-line utility that you can use to copy blobs or files to or from a storage account.


Azure Blob storage is Microsoft’s object storage solution for the cloud. Blob storage is optimized for storing massive amounts of unstructured data. Unstructured data is data that doesn’t adhere to a particular data model or definition, such as text or binary data. 

Blob storage is designed for:

– Serving images or documents directly to a browser.

– Storing files for distributed access.

– Streaming video and audio.

– Writing to log files.

– Storing data for backup and restore, disaster recovery, and archiving.

– Storing data for analysis by an on-premises or Azure-hosted service. 

Azure Files enables you to set up highly available network file shares that can be accessed by using the standard Server Message Block (SMB) protocol. That means that multiple VMs can share the same files with both read and write access. You can also read the files using the REST interface or the storage client libraries.

One thing that distinguishes Azure Files from files on a corporate file share is that you can access the files from anywhere in the world using a URL that points to the file and includes a shared access signature (SAS) token. You can generate SAS tokens; they allow specific access to a private asset for a specific amount of time.

File shares can be used for many common scenarios:

– Many on-premises applications use file shares. This feature makes it easier to migrate those applications that share data to Azure. If you mount the file share to the same drive letter that the on-premises application uses, the part of your application that accesses the file share should work with minimal, if any, changes.

– Configuration files can be stored on a file share and accessed from multiple VMs. Tools and utilities used by multiple developers in a group can be stored on a file share, ensuring that everybody can find them and that they use the same version.

– Diagnostic logs, metrics, and crash dumps are just three examples of data that can be written to a file share and processed or analyzed later.

Hence, the correct answer is: Blob and File only.

The option that says: Table and Queue only is incorrect because Table and Queue are not services supported by AzCopy.

The option that says: Blob, Table, and File only is incorrect because Table is not a service supported by AzCopy. The AzCopy command-line utility can only copy blobs or files to or from a storage account.

The option that says: Blob, File, Table, and Queue is incorrect. Although Blob and File types are supported by AzCopy, the Table and Queue services are not supported.

References:
https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview
https://docs.microsoft.com/en-us/azure/storage/common/storage-use-azcopy-v10

Check out this Azure Storage Overview Cheat Sheet:
https://tutorialsdojo.com/azure-storage-overview/

Azure Blob vs. Disk vs. File Storage:
https://tutorialsdojo.com/azure-blob-vs-disk-vs-file-storage/

Question 2

Your organization has deployed multiple Azure virtual machines configured to run as web servers and an Azure public load balancer named TD1.

There is a requirement that TD1 must consistently route your user’s request to the same web server every time they access it.

What should you configure?

  1. Hash based
  2. Session persistence: None
  3. Session persistence: Client IP
  4. Health probe

Correct Answer: 3

A public load balancer can provide outbound connections for virtual machines (VMs) inside your virtual network. These connections are accomplished by translating their private IP addresses to public IP addresses. Public Load Balancers are used to load balance Internet traffic to your VMs.


Session persistence is also known as session affinity, source IP affinity, or client IP affinity. This distribution mode uses a two-tuple (source IP and destination IP) or three-tuple (source IP, destination IP, and protocol type) hash to route to backend instances.

When using session persistence, connections from the same client will go to the same backend instance within the backend pool.

Session persistence mode has two configuration types:

– Client IP (2-tuple) – Specifies that successive requests from the same client IP address will be handled by the same backend instance.


– Client IP and protocol (3-tuple) – Specifies that successive requests from the same client IP address and protocol combination will be handled by the same backend instance.

Hence, the correct answer is: Session persistence: Client IP.

Hash based is incorrect because this simply allows traffic from the same client IP to be routed to any healthy instance in the backend pool. You would need session persistence if you need users to connect to the same virtual machine for each request.

Session persistence: None is incorrect because this will route the user request to any healthy instance in the backend pool.

Health probe is incorrect because this is only used to determine the health status of the instances in the backend pool. During load balancer creation, configure a health probe for the load balancer to use. This health probe will determine if an instance is healthy and can receive traffic.
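The distribution modes above differ only in which fields of a flow are hashed. The following is an added example, not part of the original explanation, that models this: SHA-256 stands in for the load balancer's internal hash function (an assumption), and the backend names, frontend address and ports are constructed sample values.

```python
import hashlib

# Fields hashed in each distribution mode. "None" is the default hash-based
# mode, which hashes the full five-tuple of the flow.
MODE_FIELDS = {
    "None": ("src_ip", "src_port", "dst_ip", "dst_port", "protocol"),
    "Client IP": ("src_ip", "dst_ip"),                           # 2-tuple
    "Client IP and protocol": ("src_ip", "dst_ip", "protocol"),  # 3-tuple
}

# Constructed sample values (assumptions, not taken from the question).
BACKENDS = ["web-vm-1", "web-vm-2", "web-vm-3", "web-vm-4"]
FRONTEND_IP = "203.0.113.10"


def pick_backend(flow, mode, backends=BACKENDS):
    """Map a flow to a backend by hashing only the fields the mode uses."""
    key = "|".join(str(flow[field]) for field in MODE_FIELDS[mode])
    digest = hashlib.sha256(key.encode()).digest()
    return backends[int.from_bytes(digest[:8], "big") % len(backends)]


def client_flows(src_ip, count, protocol="TCP", dst_port=443):
    """Successive connections from one client: only the source port changes."""
    return [
        {
            "src_ip": src_ip,
            "src_port": 50000 + i,
            "dst_ip": FRONTEND_IP,
            "dst_port": dst_port,
            "protocol": protocol,
        }
        for i in range(count)
    ]


def distinct_backends(flows, mode, backends=BACKENDS):
    """Set of backends that a list of flows is spread over in a given mode."""
    return {pick_backend(flow, mode, backends) for flow in flows}


if __name__ == "__main__":
    tcp = client_flows("198.51.100.7", 200)
    udp = client_flows("198.51.100.7", 200, protocol="UDP")
    for mode in MODE_FIELDS:
        print(f"{mode:24} TCP -> {sorted(distinct_backends(tcp, mode))}")
    # With the 3-tuple, TCP and UDP from one client are hashed separately,
    # so they may or may not share a backend.
    print("3-tuple UDP ->", distinct_backends(udp, "Client IP and protocol"))
    # Operational caveat: every user behind one NAT address shares a source
    # IP, so under "Client IP" all of them are pinned to a single backend.
```

Because the source port is part of the default five-tuple, a client's new connections can land on different backends, while the two-tuple keeps every connection from that address on one instance. The same property means a large site behind a single NAT address concentrates on one backend.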

References:
https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-overview
https://learn.microsoft.com/en-us/azure/load-balancer/distribution-mode-concepts

Check out this Azure Load Balancer Cheat Sheet:
https://tutorialsdojo.com/azure-load-balancer/

Question 3

Your company has a Microsoft Entra ID tenant named tutorialsdojo.onmicrosoft.com and a public DNS zone for tutorialsdojo.com.

You added the custom domain name tutorialsdojo.com to Microsoft Entra ID. You need to ensure that Azure can verify the domain name.

What DNS record type should you use?

  1. A
  2. RRSIG
  3. SOA
  4. MX

Correct Answer: 4

Microsoft Entra ID is a cloud-based identity and access management service that enables your employees to access external resources. Example resources include Microsoft 365, the Azure portal, and thousands of other SaaS applications.

Microsoft Entra ID also helps them access internal resources like apps on your corporate intranet, and any cloud apps developed for your own organization.

Every new Microsoft Entra ID tenant comes with an initial domain name, <domainname>.onmicrosoft.com. You can’t change or delete the initial domain name, but you can add your organization’s names. Adding custom domain names helps you to create user names that are familiar to your users, such as azure@tutorialsdojo.com.

You can verify your custom domain name by using TXT or MX record types.

Hence, the correct answer is: MX.

A is incorrect. A records are used to map domain names to IP addresses and are unrelated to domain verification in Microsoft Entra ID.

RRSIG is incorrect. RRSIG records are used in DNSSEC (Domain Name System Security Extensions) to provide cryptographic signatures for DNS records. These signatures simply validate the authenticity of DNS data and are not used for ownership verification.

SOA is incorrect. SOA records provide administrative details about the domain. This record is not relevant for domain verification.

References:

https://learn.microsoft.com/en-us/entra/fundamentals/whatis
https://learn.microsoft.com/en-us/entra/fundamentals/add-custom-domain

Check out this Azure Active Directory Cheat Sheet:
https://tutorialsdojo.com/microsoft-entra-id/

Question 4

You have an existing Azure subscription that has the following Azure Storage accounts.


There is a requirement to identify the storage accounts that can be converted to zone-redundant storage (ZRS) replication. This must be done only through a live migration from Azure Support.

Which of the following accounts can you convert to ZRS?

  1. tdaccount1
  2. tdaccount2
  3. tdaccount3
  4. tdaccount4

Correct Answer: 1

Azure Storage always stores multiple copies of your data so that it is protected from planned and unplanned events, including transient hardware failures, network or power outages, and massive natural disasters. Redundancy ensures that your storage account meets its availability and durability targets even in the face of failures.

When deciding which redundancy option is best for your scenario, consider the tradeoffs between lower costs and higher availability. The factors that help determine which redundancy option you should choose include:

– How your data is replicated in the primary region.

– Whether your data is replicated to a second region that is geographically distant to the primary region, to protect against regional disasters.

– Whether your application requires read access to the replicated data in the secondary region if the primary region becomes unavailable for any reason.

Data in an Azure Storage account is always replicated three times in the primary region. Azure Storage offers four options for how your data is replicated:

  1. Locally redundant storage (LRS) copies your data synchronously three times within a single physical location in the primary region. LRS is the least expensive replication option but is not recommended for applications requiring high availability.
  2. Zone-redundant storage (ZRS) copies your data synchronously across three Azure availability zones in the primary region. It is intended for applications requiring high availability.
  3. Geo-redundant storage (GRS) copies your data synchronously three times within a single physical location in the primary region using LRS. It then copies your data asynchronously to a single physical location in a secondary region that is hundreds of miles away from the primary region.
  4. Geo-zone-redundant storage (GZRS) copies your data synchronously across three Azure availability zones in the primary region using ZRS. It then copies your data asynchronously to a single physical location in the secondary region.

You can switch a storage account from one type of replication to any other type, but some scenarios are more straightforward than others. If you want to add or remove geo-replication or read access to the secondary region, you can use the Azure portal, PowerShell, or Azure CLI to update the replication setting. However, if you want to change how data is replicated in the primary region, by moving from LRS to ZRS or vice versa, then you must perform a manual migration.

The following table provides an overview of how to switch from each type of replication to another:


To request a live migration to ZRS, GZRS, or RA-GZRS, you need to migrate your storage account from LRS to ZRS in the primary region with no application downtime. To migrate from LRS to GZRS or RA-GZRS, first switch to GRS or RA-GRS and then request a live migration. Similarly, you can request a live migration from GRS or RA-GRS to GZRS or RA-GZRS. To migrate from GRS or RA-GRS to ZRS, first switch to LRS, then request a live migration.

Live migration is supported only for storage accounts that use LRS or GRS replication. If your account uses RA-GRS then you need to first change your account’s replication type to either LRS or GRS before proceeding. This intermediary step removes the secondary read-only endpoint provided by RA-GRS before migration.

Hence, the correct answer is: tdaccount1.

tdaccount2 is incorrect because you need to first change your account’s replication type to either LRS or GRS before you change to zone-redundant storage (ZRS). The requirement states that you must only request live migration.

tdaccount3 is incorrect because a general-purpose V1 storage account type does not support zone-redundant storage (ZRS) as its replication option. Only General-purpose V2, FileStorage, and BlockBlobStorage support ZRS.

tdaccount4 is incorrect because a BlobStorage account type does not support zone-redundant storage (ZRS) as its replication option. Only General-purpose V2, FileStorage, and BlockBlobStorage support ZRS.

References:
https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy
https://docs.microsoft.com/en-us/azure/storage/common/redundancy-migration

Check out these Azure Cheat Sheets:
https://tutorialsdojo.com/azure-storage-overview/
https://tutorialsdojo.com/locally-redundant-storage-lrs-vs-zone-redundant-storage-zrs/

Question 5

A company has two virtual networks named TDVnet1 and TDVnet2. A site-to-site VPN, using a VPN Gateway (TDGW1) with static routing, connects your on-premises network to TDVnet1. On your Windows 10 computer, TD1, you’ve set up a point-to-site VPN connection to TDVnet1.

You’ve recently established a virtual network peering between TDVnet1 and TDVnet2. Tests confirm connectivity to TDVnet2 from your on-premises network and to TDVnet1 from TD1. However, TD1 is currently unable to access TDVnet2.

What steps are necessary to enable a connection from TD1 to TDVnet2?

  1. Enable transit gateway for TDVnet1.
  2. Restart TDGW1 to re-establish the connection.
  3. Download the VPN client configuration file and re-install it on TD1.
  4. Enable transit gateway for TDVnet2.

Correct Answer: 3

Point-to-Site (P2S) VPN connection allows you to create a secure connection to your virtual network from an individual client computer. A P2S connection is established by starting it from the client’s computer. This solution is useful for telecommuters who want to connect to Azure VNets from a remote location, such as from home or a conference. P2S VPN is also a helpful solution to utilize instead of S2S VPN when you have only a few clients that need to connect to a VNet. 


As part of the Point-to-Site configuration, you install a certificate and a VPN client configuration package which are contained in a zip file. Configuration files provide the settings required for a native Windows, Mac IKEv2 VPN, or Linux clients to connect to a virtual network over Point-to-Site connections that use native Azure certificate authentication and are specific to the VPN configuration for the virtual network.

Take note that the virtual network peering between TDVnet1 and TDVnet2 was created after the point-to-site connection between TD1 and TDVnet1 was set up, which changed the network topology. Whenever there is a change in the topology of your network, you will always need to download and re-install the VPN client configuration file.

Hence, the correct answer is: Download the VPN client configuration file and re-install it on TD1.

The option that says: Restart TDGW1 to re-establish the connection is incorrect because restarting the VPN gateway is only done when you lose cross-premises VPN connectivity on one or more Site-to-Site VPN tunnels. In this scenario, TD1 can connect to TDVnet1 which implies that TDGW1 is working and running.

The options that say: Enable transit gateway for TDVnet1 and Enable transit gateway for TDVnet2 are incorrect. Transit gateway is a peering property that lets one virtual network use the VPN gateway in the peered virtual network for cross-premises or VNet-to-VNet connectivity. Since TDVnet2 can connect to the on-premises network, it means that the transit gateway is already enabled and as such, enabling the transit gateway is not necessary.

References:
https://azure.microsoft.com/en-us/services/vpn-gateway/
https://docs.microsoft.com/en-us/azure/vpn-gateway/point-to-site-about

Check out this Azure VPN Gateway Cheat Sheet:
https://tutorialsdojo.com/azure-vpn-gateway/

Question 6

You have a file share in your Azure subscription named Manila-Subscription-01.

You plan to synchronize files from your on-premises file server named TDFileServer1 to Azure.

You created an Azure file share and a storage sync service.

Which four actions should you perform in sequence to synchronize files from TDFileServer1 to Azure?

Instructions: To answer, drag the appropriate item from the column on the left to its description on the right. Each correct match is worth one point.


Correct Answer: 

Deploy the Azure File Sync agent to TDFileServer1 

Register TDFileServer1 with Storage Sync Service 

Create a sync group and a cloud endpoint 

Create a server endpoint 

Azure Files enables you to set up highly available network file shares that can be accessed by using the standard Server Message Block (SMB) protocol. That means that multiple VMs can share the same files with both read and write access. You can also read the files using the REST interface or the storage client libraries.

One thing that distinguishes Azure Files from files on a corporate file share is that you can access the files from anywhere in the world using a URL that points to the file and includes a shared access signature (SAS) token. You can generate SAS tokens; they allow specific access to a private asset for a specific amount of time.

File shares can be used for many common scenarios:

1. Many on-premises applications use file shares. This feature makes it easier to migrate those applications that share data to Azure. If you mount the file share to the same drive letter that the on-premises application uses, the part of your application that accesses the file share should work with minimal, if any, changes.

2. Configuration files can be stored on a file share and accessed from multiple VMs. Tools and utilities used by multiple developers in a group can be stored on a file share, ensuring that everybody can find them and that they use the same version.

3. Resource logs, metrics, and crash dumps are just three examples of data that can be written to a file share and processed or analyzed later.


You can use Azure File Sync to centralize your organization’s file shares in Azure Files while keeping the flexibility, performance, and compatibility of an on-premises file server. Azure File Sync transforms Windows Server into a quick cache of your Azure file share. You can use any protocol that’s available on Windows Server to access your data locally, including SMB, NFS, and FTPS. You can have as many caches as you need across the world.

You can sync TDFileServer1 to Azure using the following steps in order:

1. Prepare Windows Server to use with Azure File Sync

– You need to disable Internet Explorer Enhanced Security Configuration on your server. This is required only for initial server registration. You can re-enable it after the server has been registered.

2. Deploy the Storage Sync Service

– Allows you to create sync groups that contain Azure file shares across multiple storage accounts and multiple registered Windows Servers.

3. Deploy the Azure File Sync agent to TDFileServer1

– The Azure File Sync agent is a downloadable package that enables Windows Server to be synced with an Azure file share.

4. Register TDFileServer1 with Storage Sync Service

– This establishes a trust relationship between your server (or cluster) and the Storage Sync Service. A server can only be registered to one Storage Sync Service and can sync with other servers and Azure file shares associated with the same Storage Sync Service.

5. Create a sync group and a cloud endpoint

– A sync group defines the sync topology for a set of files. Endpoints within a sync group are kept in sync with each other.

6. Create a server endpoint

– A server endpoint represents a specific location on a registered server, such as a folder on a server volume.

Hence, the correct order of deployment is:

1. Deploy the Azure File Sync agent to TDFileServer1

2. Register TDFileServer1 with Storage Sync Service

3. Create a sync group and a cloud endpoint

4. Create a server endpoint

References:
https://docs.microsoft.com/en-us/azure/storage/files/storage-files-introduction
https://docs.microsoft.com/en-us/azure/storage/files/storage-sync-files-deployment-guide

Check out this Azure Files Cheat Sheet:
https://tutorialsdojo.com/azure-file-storage/

Question 7

You have an Azure subscription named Davao-Subscription1.

You will be deploying a three-tier application as shown below:


Due to compliance requirements, you need to find a solution for the following:

  • Traffic between the web tier and application tier must be spread equally across all the virtual machines.

  • The web tier must be protected from SQL injection attacks.


Which Azure solution would you recommend for each requirement?

Select the correct answer from the drop-down list of options. Each correct selection is worth one point.


Correct Answer: 

– Traffic between the web tier and application tier must be spread equally across all the virtual machines: Internal Load Balancer

– The web tier must be protected from SQL injection attacks: Application Gateway WAF tier

A private (or internal) load balancer provides a higher level of availability and scale by spreading incoming requests across virtual machines (VMs). A private load balancer distributes traffic to resources that are inside a virtual network.

Azure Application Gateway is a web traffic load balancer that enables you to manage traffic to your web applications. For example, you can route traffic based on the incoming URL. So if /images are in the incoming URL, you can route traffic to a specific set of servers (known as a pool) configured for images. If /video is in the URL, that traffic is routed to another pool that’s optimized for videos.


Application Gateway web application firewall (WAF) protects web applications from common vulnerabilities and exploits. This is done through rules that are defined based on the OWASP core rule sets 3.1, 3.0, or 2.2.9. These rules can be disabled on a rule-by-rule basis.

The WAF protects against the following web vulnerabilities:

– SQL injection attacks

– Cross-site scripting attacks

– Other common attacks, such as command injection, HTTP request smuggling, HTTP response splitting, and remote file inclusion

– HTTP protocol violations

– HTTP protocol anomalies, such as missing host, user-agent, and accept headers

– Bots, crawlers, and scanners

– Common application misconfigurations (for example, Apache and IIS)

Take note that Internal load balancers distribute traffic within a VNET while public load balancers balance traffic to and from an internet-connected endpoint.

Therefore, you have to use the Internal Load Balancer to equally spread traffic between your web tier and application tier virtual machines.

Conversely, to protect your web tier from SQL injection attacks, you need to deploy the Application Gateway WAF tier.

Public Load Balancer is incorrect because you only use this if you want to load balance Internet traffic to your virtual machines. Public Load Balancer also does not support WAF protection for your web tier.

Traffic Manager is incorrect because Traffic Manager does not protect your application from SQL injection attacks. This service is mainly used for DNS-based traffic load balancing.

Application Gateway Standard tier is incorrect because the standard tier cannot protect your web tier from SQL Injection attacks. You have to use the Application Gateway WAF tier instead.

References:
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-overview
https://docs.microsoft.com/en-us/azure/web-application-firewall/ag/ag-overview
https://docs.microsoft.com/en-us/azure/application-gateway/understanding-pricing

Check out these Azure Networking Services Cheat Sheets:
https://tutorialsdojo.com/azure-load-balancer/
https://tutorialsdojo.com/azure-application-gateway/

Question 8

You have the following resources deployed in Azure:

azure104-1-08 image

There is a requirement to connect TDVnet1 and TDVnet2.

What should you do first?

  1. Create virtual network peering.
  2. Change the address space of TDVnet2.
  3. Transfer TDVnet1 to TD2.
  4. Transfer VM1 to TD2.

Correct Answer: 1

Azure Virtual Network (VNet) is the fundamental building block for your private network in Azure. VNet enables many types of Azure resources, such as Azure Virtual Machines (VM), to securely communicate with each other, the Internet, and on-premises networks. VNet is similar to a traditional network that you’d operate in your own datacenter but brings with it additional benefits of Azure’s infrastructure such as scale, availability, and isolation.

There are two ways to connect two virtual networks. Based on your specific scenario and needs, you might want to pick one over the other.

VNet Peering provides a low-latency, high-bandwidth connection useful in scenarios such as cross-region data replication and database failover. Since traffic is completely private and remains on the Microsoft backbone, customers with strict data policies prefer to use VNet Peering, as the public Internet is not involved. Since there is no gateway in the path, there are no extra hops, ensuring low-latency connections.

VPN Gateways provide a limited-bandwidth connection and are useful in scenarios where encryption is needed but bandwidth restrictions are tolerable. In these scenarios, customers are also not latency-sensitive.

Hence, the correct answer is: Create virtual network peering.

The option that says: Change the address space of TDVnet2 is incorrect because the address spaces of TDVnet1 (10.1.0.0/16) and TDVnet2 (10.10.0.0/18) do not overlap. Therefore, you can directly connect the two VMs by creating two virtual network gateways without changing the IP address ranges.

The options that say: Transfer TDVnet1 to TD2 and Transfer VM1 to TD2 are incorrect because VNet-to-VNet connections that use VPN gateways work across Microsoft Entra tenants. You can also connect two virtual networks that have different subscriptions.

References: 
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-overview
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-vnet-vnet-resource-manager-portal

Check out this Azure Virtual Network Cheat Sheet:
https://tutorialsdojo.com/azure-virtual-network-vnet/

Question 9

You have an Azure subscription that contains an Azure virtual network named TDVnet1 with an address space of 10.1.0.0/18 and a subnet named TDSub1 with an address space of 10.1.0.0/22.

Your on-premises network has multiple branch offices, and you plan to connect them to Azure using a site-to-site VPN. You need to ensure that routing between your branch offices and Azure is dynamic and can adapt automatically to network changes.

Which four actions should you perform in sequence?

Instructions: To answer, drag the appropriate item from the column on the left to its description on the right. Each correct match is worth one point.

Correct Answer: 

Azure Virtual Network (VNet) is the fundamental building block for your private network in Azure. VNet enables many types of Azure resources, such as Azure Virtual Machines (VM), to securely communicate with each other, the Internet, and on-premises networks. VNet is similar to a traditional network that you’d operate in your own datacenter but brings with it additional benefits of Azure’s infrastructure, such as scale, availability, and isolation.

A Site-to-Site VPN gateway connection is used to connect your on-premises network to an Azure virtual network over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel. This type of connection requires a VPN device located on-premises that has an externally facing public IP address assigned to it.

You can create a site-to-site VPN connection by deploying the following in order:

1. Deploy a virtual network

2. Deploy a gateway subnet

– You need to create a gateway subnet for your VNet in order to configure a virtual network gateway. All gateway subnets must be named ‘GatewaySubnet’ to work properly. Don’t name your gateway subnet something else. It is recommended that your gateway subnet be /27 or bigger (/26, /25, etc.).

3. Deploy a VPN gateway

– A VPN gateway is a specialized virtual network gateway used to establish encrypted communication between an Azure virtual network and an on-premises environment over the public Internet. Optionally, you can enable Border Gateway Protocol (BGP) on a VPN gateway to allow Azure and your on-premises network to exchange routing information automatically. This eliminates the need for manual updates to route tables and ensures the network adapts dynamically to topology changes.

4. Deploy a local network gateway

– The local network gateway is a specific object that represents your on-premises location (the site) for routing purposes.

5. Deploy a VPN connection

– A VPN connection creates the link for the VPN gateway and local network gateway. It also gives you the status of your site-to-site connection.

Since you have deployed TDVnet1, the next step is to deploy a gateway subnet.

Hence, the correct order of deployment is:

1. Deploy a gateway subnet

2. Deploy a BGP-enabled VPN gateway

3. Deploy a local network gateway

4. Deploy a VPN connection
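The gateway subnet rules from step 2 (exact name, /27 or bigger, inside the VNet, clear of existing subnets) can be checked before deployment. The following is an added example, not part of the original answer, using the TDVnet1 and TDSub1 ranges from the question; the function names and the candidate ranges tested are assumptions made for illustration.

```python
import ipaddress

REQUIRED_NAME = "GatewaySubnet"   # gateway subnets must use this exact name
RECOMMENDED_MAX_PREFIX = 27       # /27 or bigger (/26, /25, ...)

# Address plan from the question.
VNET = "10.1.0.0/18"
SUBNETS = {"TDSub1": "10.1.0.0/22"}


def check_gateway_subnet(vnet_cidr, existing, name, cidr):
    """Return a list of problems with a proposed gateway subnet.

    existing maps subnet names to CIDR strings. An empty list means the
    proposal satisfies every rule checked here.
    """
    vnet = ipaddress.ip_network(vnet_cidr)
    try:
        # strict parsing rejects ranges with host bits set, e.g. 10.1.4.1/27
        candidate = ipaddress.ip_network(cidr)
    except ValueError as exc:
        return [f"invalid CIDR: {exc}"]

    problems = []
    if name != REQUIRED_NAME:
        problems.append(f"name must be '{REQUIRED_NAME}', got '{name}'")
    if candidate.version != vnet.version or not candidate.subnet_of(vnet):
        problems.append(f"{candidate} is outside the VNet space {vnet}")
    for other_name, other_cidr in existing.items():
        if candidate.overlaps(ipaddress.ip_network(other_cidr)):
            problems.append(f"{candidate} overlaps {other_name} ({other_cidr})")
    if candidate.prefixlen > RECOMMENDED_MAX_PREFIX:
        problems.append(
            f"/{candidate.prefixlen} is smaller than the recommended "
            f"/{RECOMMENDED_MAX_PREFIX}"
        )
    return problems


def first_free_subnet(vnet_cidr, existing, prefix=RECOMMENDED_MAX_PREFIX):
    """Return the first block of the given size that no subnet occupies."""
    vnet = ipaddress.ip_network(vnet_cidr)
    used = [ipaddress.ip_network(c) for c in existing.values()]
    for candidate in vnet.subnets(new_prefix=prefix):
        if not any(candidate.overlaps(u) for u in used):
            return str(candidate)
    return None  # the VNet address space is fully allocated


if __name__ == "__main__":
    proposal = first_free_subnet(VNET, SUBNETS)
    print("first free /27:", proposal)
    print("problems:", check_gateway_subnet(VNET, SUBNETS, REQUIRED_NAME, proposal))
    print("problems:", check_gateway_subnet(VNET, SUBNETS, "gw-subnet", "10.1.64.0/28"))
```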

References:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-overview
https://docs.microsoft.com/en-us/azure/vpn-gateway/tutorial-site-to-site-portal

Check out this Azure VPN Gateway Cheat Sheet:
https://tutorialsdojo.com/azure-vpn-gateway/

Question 10

Your company has an Azure subscription that contains the following resources:

Virtual Network | Subnets
TDVnet1 | TDSub1, TDSub2
TDVnet2 | TDSub3, TDSub4

Virtual Machine | Subnet | Availability Set
TD1 | TDSub1 | TDSub1
TD2 | TDSub1 | TDSub1
TD3 | TDSub2 | TDSub2
TD4 | TDSub2 | TDSub2
TD5 | TDSub3 | TDSub3
TD6 | TDSub3 | TDSub3

You plan to create an internal load balancer with the following parameters:

– Name: TDB1

– SKU: Standard

– Subnet: TDSub2

– Virtual network: TDVnet1

For each of the following items, choose Yes if the statement is true or choose No if the statement is false. Take note that each correct item is worth one point.


Correct Answer: Yes, Yes, No

A Private (or Internal) Load Balancer in Azure enhances availability and scalability by distributing incoming traffic across virtual machines (VMs) inside a virtual network. The load balancer routes traffic to resources within the virtual network, and Azure ensures that the front-end IP addresses of these resources are not directly exposed to the internet. This is ideal for internal, line-of-business applications that need to be accessed only from within Azure or from on-premises resources.

In this scenario, the question is whether you can load balance traffic between virtual machines (VMs) based on the parameters of the internal load balancer TDB1.

Load Balancer - Standard SKU

With the Standard SKU for the internal load balancer, Azure allows load balancing between VMs that are not necessarily in the same availability set or virtual machine scale set. The Standard SKU provides greater flexibility in terms of scalability and availability, and it supports more complex traffic scenarios. This SKU enables load balancing across VMs located in different subnets within the same virtual network, which enhances the ability to manage traffic in larger, more distributed systems.

A key component in this configuration is the backend pool, which defines the group of resources (in this case, VMs) to which the load balancer distributes traffic. Since TDB1 uses the Standard SKU, it can load balance traffic between VMs even if they are in different subnets or availability sets, as long as they are part of the same backend pool.

Hence, the correct statements are:

– Traffic between TD1 and TD2 can be load balanced by TDB1.

– Traffic between TD3 and TD4 can be load balanced by TDB1.

These VMs are part of the same virtual network and are configured to meet the backend pool requirements for load balancing.

The statement that says: Traffic between TD5 and TD6 can be load balanced by TDB1 is incorrect because these VMs are in TDVnet2 while TDB1 is deployed in TDVnet1, and the Standard Load Balancer cannot load balance traffic between VMs in different VNets.

References:
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-overview
https://docs.microsoft.com/en-us/azure/load-balancer/skus

Check out this Azure Load Balancer Cheat Sheet:
https://tutorialsdojo.com/azure-load-balancer/


Written by: Jon Bonso

Jon Bonso is the co-founder of Tutorials Dojo, an EdTech startup and an AWS Digital Training Partner that provides high-quality educational materials in the cloud computing space. He graduated from Mapúa Institute of Technology in 2007 with a bachelor's degree in Information Technology. Jon holds 10 AWS Certifications and has been an active AWS Community Builder since 2020.
