AZ-104 Sample Exam Questions with Explanations

AZ-104 Sample Practice Tests

Here are some of the sample exam questions for the AZ-104 Azure Administrator Exam. They are simple and help you to gauge your knowledge. These are especially helpful if you have not taken the AZ-900 exam. After you complete these, take my more difficult, exam-oriented practice tests to evaluate your preparedness.

Q1. Your company is migrating its on-premises infrastructure to Azure. As part of the migration, you need to create a new virtual network in Azure and configure it to allow communication between the on-premises network and the Azure virtual network. You also need to ensure that traffic between the virtual networks is encrypted. How would you achieve this?

A. Create a virtual network in Azure and configure a VPN gateway to establish a Point-to-Site VPN connection between the on-premises network and the Azure virtual network. Enable IPsec/IKE encryption for the VPN connection.

B. Create a virtual network in Azure and configure a VPN gateway to establish a Site-to-Site VPN connection between the on-premises network and the Azure virtual network. Enable IPsec/IKE encryption for the VPN connection.

C. Create a virtual network in Azure and configure a VPN gateway to establish an ExpressRoute connection between the on-premises network and the Azure virtual network. Enable IPsec/IKE encryption for the VPN connection.

D. Create a virtual network in Azure and configure a VPN gateway to establish a VNet-to-VNet connection between the on-premises network and the Azure virtual network. Enable IPsec/IKE encryption for the VPN connection.

Explanation: Option A is incorrect because a Point-to-Site VPN connection is used for remote access, not for site-to-site connectivity. It would not be used to connect the on-premises network to the Azure virtual network.

Option C is incorrect because ExpressRoute is used for a dedicated, private connection to Azure, not for site-to-site connectivity.

Option D is incorrect because the VNet-to-VNet connection is used for connecting two virtual networks in Azure, not for site-to-site connectivity with an on-premises network.

To establish a Site-to-Site VPN connection between the on-premises network and the Azure virtual network, we need to create a virtual network in Azure and configure a VPN gateway. By enabling IPsec/IKE encryption for the VPN connection, we can ensure that the traffic between the virtual networks is encrypted.

Correct answer: b


Q2. Which of the following Azure services can be used to store and manage virtual hard disks (VHDs)?

a. Azure File Storage

b. Azure Blob Storage

c. Azure Data Lake Storage

d. Azure Queue Storage

Explanation: Azure Blob Storage allows you to store and manage unstructured data like VHDs, files, images, and videos. Azure File Storage is for file shares, Azure Data Lake Storage is for big data analytics, and Azure Queue Storage is for messaging.

Correct answer: b. Azure Blob Storage


Q3. How can you implement role-based access control (RBAC) for a virtual machine in Azure?

a. Use Azure AD groups

b. Use Azure AD Privileged Identity Management (PIM)

c. Use Azure Policy

d. Use Azure App Service Authentication

Explanation: Azure Policy allows you to create and manage policies that enforce different rules and effects on your resources. Azure AD groups, PIM, and App Service Authentication are used for different purposes.

Correct answer: c. Use Azure Policy


Q4. Your company has an Azure subscription with several virtual machines deployed in different resource groups. You need to ensure that virtual machines in one resource group can communicate with virtual machines in another resource group, but that virtual machines in one resource group cannot communicate with virtual machines in a third resource group. How would you achieve this?

A. Create Network Security Groups (NSGs) for each resource group, and then configure the NSGs with appropriate inbound and outbound rules to allow or deny traffic between the resource groups.

B. Create firewall rules for each resource group, and then configure the firewall rules with appropriate inbound and outbound rules to allow or deny traffic between the resource groups.

C. Create security rules for each resource group, and then configure the security rules with appropriate inbound and outbound rules to allow or deny traffic between the resource groups.

D. Create Access Control Lists (ACLs) for each resource group, and then configure the ACLs with appropriate inbound and outbound rules to allow or deny traffic between the resource groups.

Explanation: To achieve the desired network segmentation, we can use Azure Network Security Groups (NSGs) to create rules that control traffic flow between the resource groups. We can create NSGs for each resource group and configure inbound and outbound rules to allow or deny traffic between the resource groups as needed. Note that firewall rules, security rules, and Access Control Lists (ACLs) are not applicable to resource groups, but to subnets, network interfaces, and other resources, so they are not the correct answer.

Correct answer: a


Q5. Your company has an Azure subscription with several virtual machines deployed in different regions. You need to ensure that virtual machines in one region can communicate with virtual machines in another region, but that virtual machines in one region cannot communicate with virtual machines in a third region. How would you achieve this?

A. Create Network Security Groups (NSGs) for each region, and then configure the NSGs with appropriate inbound and outbound rules to allow or deny traffic between the regions.

B. Create routing tables for each region and then configure the routing table with appropriate routing rules to allow or deny traffic between the regions.

C. Create Azure Firewall for each region and then configure the firewall with appropriate rules to allow or deny traffic between the regions.

D. Create Azure ExpressRoute for each region and then configure the ExpressRoute with appropriate rules to allow or deny traffic between the regions.

Explanation: Azure Firewall is a managed service that allows you to create and configure firewalls for your Azure Virtual Network. It allows you to control traffic based on source and destination IP addresses, ports, and protocols. By creating Azure Firewall for each region and configuring appropriate rules, you can ensure that virtual machines in one region can communicate with virtual machines in another region, but that virtual machines in one region cannot communicate with virtual machines in a third region. NSGs, routing tables, and Azure ExpressRoute are not the correct answers, as they have different purposes and cannot be used to deny or allow traffic between different regions.

Correct answer: c


Q6. How can you create and manage backups for Azure virtual machines?

a. Use Azure Backup

b. Use Azure Site Recovery

c. Use Azure File Storage

d. Use Azure Blob Storage

Explanation: Azure Site Recovery can be used to create and manage backups for Azure virtual machines. Azure Backup, Azure File Storage, and Azure Blob Storage are used for different purposes.

Correct answer: b. Use Azure Site Recovery


Q7. Your company has an Azure subscription with several virtual machines deployed in a different subscription. You need to ensure that virtual machines in one subscription can communicate with virtual machines in another subscription, but that virtual machines in one subscription cannot communicate with virtual machines in a third subscription. How would you achieve this?

A. Create Azure Virtual Network Peering between the subscriptions and then configure the peering with appropriate rules to allow or deny traffic between the subscriptions.

B. Create Azure ExpressRoute between the subscriptions and then configure the ExpressRoute with appropriate rules to allow or deny traffic between the subscriptions.

C. Create Azure Firewall for each subscription and then configure the firewall with appropriate rules to allow or deny traffic between the subscriptions.

D. Create Azure Traffic Manager between the subscriptions and then configure the traffic manager with appropriate rules to allow or deny traffic between the subscriptions.

Explanation: Azure Virtual Network Peering allows you to connect virtual networks in different subscriptions. By creating peering between the subscriptions and configuring appropriate rules, you can ensure that virtual machines in one subscription can communicate with virtual machines in another subscription, but that virtual machines in one subscription cannot communicate with virtual machines in a third subscription. Azure ExpressRoute, Azure Firewall, and Azure Traffic Manager are not the correct answer as they have different purposes and cannot be used to connect or deny communication between different subscriptions.

Correct answer: a


Q8. Your company has an Azure subscription with several virtual machines deployed in different availability zones. You need to ensure that virtual machines in one availability zone can communicate with virtual machines in another availability zone, but that virtual machines in one availability zone cannot communicate with virtual machines in a third availability zone. How would you achieve this?

A. Create Azure Application Gateway for each availability zone and then configure the application gateway with appropriate rules to allow or deny traffic between the availability zones.

B. Create Azure Load Balancer for each availability zone and then configure the load balancer with appropriate rules to allow or deny traffic between the availability zones.

C. Create Azure Traffic Manager for each availability zone and then configure the traffic manager with appropriate rules to allow or deny traffic between the availability zones.

D. Create Azure Network Security Groups (NSGs) for each availability zone and then configure the NSGs with appropriate inbound and outbound rules to allow or deny traffic between the availability zones.

Explanation: To achieve the desired network segmentation, we can use Azure Network Security Groups (NSGs) to create rules that control traffic flow between the availability zones. By creating NSGs for each availability zone and configuring inbound and outbound rules, we can ensure that virtual machines in one availability zone can communicate with virtual machines in another availability zone, but that virtual machines in one availability zone cannot communicate with virtual machines in a third availability zone. Azure Application Gateway, Azure Load Balancer, and Azure Traffic Manager are not the correct answers, as they have different purposes: they are used for load balancing, application delivery, and traffic routing respectively, and cannot be used to deny or allow traffic between different availability zones.

Correct answer: d


Q9. Your company has an Azure subscription with several storage accounts deployed in different regions. You need to ensure that data stored in one storage account can be accessed by virtual machines in another region, but that data stored in one storage account cannot be accessed by virtual machines in a third region. How would you achieve this?

A. Create Azure Storage Firewall for each storage account and then configure the firewall with appropriate rules to allow or deny access to the storage account based on the origin of the request.

B. Create Azure Role-Based Access Control (RBAC) for each storage account and then configure the RBAC with appropriate roles to allow or deny access to the storage account based on the identity of the user or group.

C. Create Azure Virtual Network Service Endpoints for each storage account and then configure the service endpoints with appropriate rules to allow or deny access to the storage account based on the source virtual network.

D. Create Azure Network Security Groups (NSGs) for each storage account and then configure the NSGs with appropriate inbound and outbound rules to allow or deny access to the storage account based on the source IP address.

Explanation: Azure Virtual Network Service Endpoints allow you to secure access to a storage account from specific virtual networks. By creating service endpoints for each storage account and configuring appropriate rules, you can ensure that data stored in one storage account can be accessed by virtual machines in another region, but that data stored in one storage account cannot be accessed by virtual machines in a third region. Azure Storage firewall, Azure Role-Based Access Control, and Azure Network Security Groups (NSGs) are not the correct answer as they have different purposes and cannot be used to secure access to storage accounts from specific virtual networks.

Correct answer: c


Q10. Your company has an Azure subscription with several web applications deployed in different resource groups. You need to ensure that web applications in one resource group can be accessed by users on the internet, but that web applications in another resource group can only be accessed by users on the company’s internal network. How would you achieve this?

A. Create Azure Application Gateway for each resource group and then configure the application gateway with appropriate rules to allow or deny access to the web applications based on the origin of the request.

B. Create Azure Firewall for each resource group and then configure the firewall with appropriate rules to allow or deny access to the web applications based on the origin of the request.

C. Create Azure Web Application Firewall (WAF) for each resource group and then configure the WAF with appropriate rules to allow or deny access to the web applications based on the origin of the request.

D. Create Azure Virtual Network Service Endpoints for each resource group and then configure the service endpoints with appropriate rules to allow or deny access to the web applications based on the source virtual network.

Explanation: Azure Virtual Network Service Endpoints allow you to secure access to a web application from specific virtual networks. By creating service endpoints for each resource group and configuring appropriate rules, you can ensure that web applications in one resource group can be accessed by users on the internet, but that web applications in another resource group can only be accessed by users on the company’s internal network. Azure Application Gateway, Azure Firewall, and Azure Web Application Firewall (WAF) are not the correct answer as they have different purposes and cannot be used to secure access to web applications from specific virtual networks.

Correct answer: d


Q11. Your company has an Azure subscription with several virtual machines deployed in different regions. You need to ensure that the virtual machines are backed up regularly and that the backups are stored in a secure and compliant location. What Azure service(s) would you use to achieve this?

A. Azure Backup

B. Azure Site Recovery

C. Azure Backup Server

D. Azure Data Factory

E. A and B

Explanation: Azure Backup is a service that allows you to create and manage backups of Azure virtual machines, SQL databases, and other Azure resources. Azure Site Recovery is a service that allows you to create and manage disaster recovery plans for Azure virtual machines, SQL databases, and other Azure resources. By using Azure Backup and Azure Site Recovery together, you can ensure that the virtual machines are backed up regularly and that the backups are stored in a secure and compliant location. Azure Backup Server and Azure Data Factory are not the correct answers, as they have different purposes: they are used for creating and managing on-premises backups and for data integration and movement respectively, and cannot be used to back up Azure resources.

Correct answer: e


Q12. Your company has an Azure subscription with several virtual machines running different services. The virtual machines are deployed in different resource groups, regions, and availability zones. The company also has a compliance requirement to encrypt all data at rest and in transit. What Azure service(s) would you use to achieve this?

A. Azure Disk Encryption

B. Azure Key Vault

C. Azure ExpressRoute

D. Azure Virtual Network Service Endpoints

E. A, B, and D

Explanation: To achieve this level of encryption, multiple Azure services would have to be used in combination. Azure Disk Encryption allows you to encrypt the OS and data disks of Azure virtual machines using the BitLocker feature of Windows or the DM-Crypt feature of Linux. Azure Key Vault allows you to manage and protect the encryption keys used by Azure Disk Encryption. Azure Virtual Network Service Endpoints allow you to secure access to resources from specific virtual networks, and they also encrypt all data in transit. Azure ExpressRoute is not the correct answer, as it has a different purpose: it is used for creating dedicated and private connections to Azure, and it doesn’t encrypt data at rest or in transit.

By using Azure Disk Encryption, Azure Key Vault, and Azure Virtual Network Service Endpoints together, you can ensure that all data at rest and in transit is encrypted in compliance with the company’s requirements.

Correct answer: e


Q13. Your company has an Azure subscription with several virtual machines running different services. The virtual machines are deployed in different resource groups, regions, and availability zones. The company also has a compliance requirement to monitor all network traffic and identify any suspicious activities. What Azure service(s) would you use to achieve this?

A. Azure Security Center

B. Azure Network Watcher

C. Azure Log Analytics

D. Azure Monitor

E. A, B, and C

Explanation: To achieve this level of monitoring, multiple Azure services would have to be used in combination.

Azure Security Center is a service that allows you to monitor and protect your Azure resources. It provides security recommendations and automated security assessments, which can help you identify security vulnerabilities and misconfigurations.

Azure Network Watcher is a service that allows you to monitor and diagnose network-related issues in Azure. It provides features like IP flow verify, connection troubleshoot, and VPN troubleshoot, which can help you identify any suspicious activities on the network.

Azure Log Analytics is a service that allows you to collect and analyze log data from Azure resources. It can help you monitor and identify any suspicious activities on the network.

Azure Monitor is a service that allows you to monitor the performance and health of Azure resources. It provides features like metrics, alerts, and diagnostics which can help you identify any suspicious activities on the network, but it’s not enough to achieve the compliance requirement.

By using Azure Security Center, Azure Network Watcher, and Azure Log Analytics together, you can ensure that all network traffic is monitored and any suspicious activities are identified in compliance with the company’s requirements.

Correct answer: e


Q14. Your company has an Azure subscription with several virtual machines running different services. The virtual machines are deployed in different resource groups, regions, and availability zones. The company also has a compliance requirement to ensure high availability and disaster recovery for all virtual machines. What Azure service(s) would you use to achieve this?

A. Azure Availability Zones

B. Azure Site Recovery

C. Azure Load Balancer

D. Azure Traffic Manager

E. A and B

Explanation: To achieve this level of high availability and disaster recovery, multiple Azure services would have to be used in combination.

Azure Availability Zones is a service that allows you to deploy virtual machines in different physical locations within a region. This feature ensures that if one zone goes down, the virtual machines will still be accessible in other zones.

Azure Site Recovery is a service that allows you to create and manage disaster recovery plans for Azure virtual machines, SQL databases, and other Azure resources. This service allows you to replicate virtual machines in different regions, which ensures that if one region goes down, the virtual machines will still be accessible in other regions.

Azure Load Balancer is a service that allows you to distribute incoming traffic evenly across multiple virtual machines. This service can help to ensure high availability but it’s not enough for disaster recovery.

Azure Traffic Manager is a service that allows you to route incoming traffic to different endpoints based on a set of rules. This service can help to ensure high availability but it’s not enough for disaster recovery.

By using Azure Availability Zones and Azure Site Recovery together, you can ensure that all virtual machines are deployed in different physical locations within a region and replicated.

Correct answer: e


Q15. Your company has an Azure subscription and wants to implement a monitoring solution for the virtual machines and applications running on Azure. Which Azure service should you use to achieve this?

A. Azure Monitor

B. Azure Log Analytics

C. Azure Event Grid

D. Azure Stream Analytics

E. A and B

Explanation: Azure Monitor is a service that allows you to monitor the performance and health of Azure resources. It provides features like metrics, alerts, and diagnostics which can help you monitor the virtual machines and applications running on Azure. But it’s not enough to achieve the goal.

Azure Log Analytics is a service that allows you to collect and analyze log data from Azure resources. It can help you monitor the virtual machines and applications running on Azure.

Azure Event Grid is a service that allows you to manage events and event-driven architectures in Azure. It allows you to subscribe to events from various Azure services and route them to different event handlers. It’s not related to monitoring.

Azure Stream Analytics is a service that allows you to collect and analyze data streams in Azure. It allows you to create real-time analytics and insights on streaming data. It’s not related to monitoring.

By using Azure Monitor and Azure Log Analytics together, you can ensure that you are able to monitor the virtual machines and applications running on Azure and collect and analyze log data from Azure resources which is necessary to achieve the goal.

Correct answer: e


For more practice tests, visit my AZ-104 Practice Test course.