Azure 104 Renewal Questions with Explanation

NOTE that this article is being populated with more questions(not the exhaustive set for renewal exam)as time progresses, the first draft has been published as on Jan 1 2024.

Bastion

1. Minimum Subnet Requirement

You have an Azure subscription that contains a virtual network named VNET1. VNET1 uses the following address spaces:

• 10.10.1.0/24
• 10.10.2.0/28

VNET1 contains the following subnets:

• Subnet1- has an address space of 10.10.1.0/24
• Subnet2- has an address space of 10.10.2.0/28

To Subnet1, you deploy a virtual machine named VM1 that runs Windows Server 2022. VM1 has Remote Desktop enabled.

VM1 does NOT have a public IP address.

You need to be able to deploy Azure Bastion to protect VM1.

What should you do first?

Select only one answer.

• Add a new subnet to VNET1.
• Add a public IP address to VM1.
• Add an extension to VM1.
• Modify the address space of VNET1.

Answer:Modify the address space of VNET1.

Explanation:

· A vnet can have multiple IP spaces unlike traditional network

· When you deploy Azure Bastion using any SKU except the Developer SKU, Bastion requires a dedicated subnet named AzureBastionSubnet

o Subnet name must be AzureBastionSubnet.

o Subnet size must be /26 or larger (/25, /24 etc.).

o The subnet must be in the same virtual network and resource group as the bastion host.

o The subnet can’t contain other resources.

· There is insufficient space in the VNET address space as all addresses are used by the subnet

2.Peering across vnets and using Bastion

You have an Azure subscription that contains the following fully peered virtual networks:

• VNet1, located in the West US region. 5 virtual machines are connected to VNet1.
• VNet2, located in the West US region. 7 virtual machines are connected to VNet2.
• VNet3, located in the East US region, 10 virtual machines are connected to VNet3.
• VNet4, located in the East US region, 4 virtual machines are connected to VNet4.

You plan to protect all of the connected virtual machines by using Azure Bastion.

What is the minimum number of Azure Bastion hosts that you must deploy?

• 1
• 2
• 3
• 4

ANSWER-1

EXPLANATION-

· Azure Bastion and VNet peering can be used together.

· When VNet peering is configured, you don’t have to deploy Azure Bastion in each peered VNet. This means if you have an Azure Bastion host configured in one virtual network (VNet), it can be used to connect to VMs deployed in a peered VNet without deploying an additional bastion host.

· Azure Bastion works with the following types of peering:

- Virtual network peering: Connect virtual networks within the same Azure region.

- Global virtual network peering: Connecting virtual networks across Azure regions.

· Architecture:

When VNet peering is configured, Azure Bastion can be deployed in hub-and-spoke or full-mesh topologies. Azure Bastion deployment is per virtual network, not per subscription/account or virtual machine.

Once you provision the Azure Bastion service in your virtual network, the RDP/SSH experience is available to all your VMs in the same VNet and peered VNets. This means you can consolidate Bastion deployment to single VNet and still reach VMs deployed in a peered VNet, centralizing the overall deployment.

The diagram shows the architecture of an Azure Bastion deployment in a hub-and-spoke model. In the diagram, you can see the following configuration:

• The bastion host is deployed in the centralized hub virtual network.
• Centralized Network Security Group (NSG) is deployed.
• A public IP is not required on the Azure VM.

Storage

1.Tiering of Block Blobs+ Default setting at storage account level+ Archive Restore process

You have an Azure Storage account named storage1 that is configured to use the Hot access tier.
Storage1 has a container named container1 and the lifecycle management rule with following settings:

• Move blob to cool storage: Selected
• Days after last modification: 3
• Move blob to archive storage: Selected
• Days after last modification: 5

On December 1, you create a file named File1 in container1.
On December 10, you rehydrate File1 and move the file to the Hot access tier.
When will File1 be moved to archive storage?
Select only one answer.

- within 24 hours

- on December 15

- on December 18

- on January 1

ANSWER: Within 24 hours

Explanation:

· Based on ‘last modified date’ ,file1 is moved to cool tier on December 4th (1st+3 days) and file1 is moved to archive tier on December 6 th (1st +5 days) · NOT (1st+3+5) December 9th

o ‘Last Modified Date’ was used above, which is Dec 1st

o Last Modified Date does not get impacted on changing tier

o Dec 4th has no significance in moving from cool to archive, only see last modified date

· There are 2 ways to rehydrate a blob from Archive tier: Move (change tier) and Copy

-CAUTION:

• Changing a blob’s tier doesn’t affect its last modified time.
• If there is a lifecycle management policy in effect for the storage account, then rehydrating a blob with Set Blob Tier can result in a scenario where the lifecycle policy moves the blob back to the Archive tier after rehydration because the last modified time is beyond the threshold set for the policy.
• To avoid this scenario, rehydrate the archived blob by copying it instead.

On December 10th, the last modified date is still December 1st, file should have technically been in archive already (contradiction detected, move within 24 hrs).

2.Encryption Scopes

You have an Azure Storage account named storage1.

You create the following encryption scopes for storage1:

• Scope1 that has an encryption type of Microsoft-managed keys

• Scope2 that has an encryption type of Customer-managed keys

Which storage services can be used with Scope2?

Select only one answer.

• blob only
• file only
• blob and file only
• table and queue only
• blob, file, table, and queue

ANSWER: Blob only.

Explanation:

-Encryption scopes enable you to manage encryption with a key that is scoped to a container or an individual blob.

-You can use encryption scopes to create secure boundaries between data that resides in the same storage account but belongs to different customers.

Encryption scopes can use either Microsoft-managed keys or customer-managed keys.

• Encryption scopes apply to BLOBS only. Further, these support CMK or MMK.

Following diagram consolidates the Storage Account Encryption options(applied at storage acc level as whole):

Network Security Group(NSG)

1.Rule Evaluation Logic

You have an Azure virtual network named VNET1 that is connected to a network security group (NSG) named NSG1. NSG1 has the following inbound security rules:

• Rule1 has a priority of 100 and allows port 3389 on TCP protocol from any source and to any destination
• Rule2 has a priority of 200 and allows ports 80 and 8080 on UDP protocol from any source and to any destination
• Rule3 has a priority of 300 and denies ports 1–2000 on TCP protocol from any source and to any destination
• Rule4 has a priority of 400 and allows ports 50–500 on TCP protocol from VirtualNetwork source and to any destination
• Rule5 has a priority of 500 and allows ports 80 and 443 on TCP protocol from any source and to any destination

You need to allow http and https connections from the internet to VNET1.

What should you change for NSG1?

Select only one answer.

• Priority for Rule3 to 450
• Priority for Rule4 to 250
• Priority for Rule5 to 250
• Protocol for Rule2 to TCP

Answer: Priority for Rule5 to 250

Explanation:

Note that http uses TCP port 80 and https uses TCP port 445.

How are these rules evaluated:

An NSG usually contains multiple rules under INBOUND and OUTBOUND rules sections.

i.NSG security rules are evaluated by priority. Low rule number implies higher priority.

Rules are processed and evaluated top-down,first match wins ie once a match found, further processing stops.

NSG Rules are evaluated by priority,using the 5 tuple information

ii.Rules are evaluated using the 5-tuple information of the traffic to match the defined rules fields — source IP, source port, destination IP, destination port and protocol.

================================

NOTE1: ‘Action’ can be ALLOW or DENY(Unlike AWS where only ALLOW exists).

This means that when a match is found (the 5 tuple information) for a packet(traffic) going in /going out of the subnet (or NIC) ; Azure should apply the said action and stop further processing.

NOTE2:

NSG Inbound Rules

NSG Inbound Outbound Rules

It must be noted that the above images for INBOUND/OUTBOUND rules under NSG (Azure portal) show only Source IP, Destination IP and ‘Destination’ Port.(when the portal does not explicitly mention ‘source’ or ‘destination’ port,it always reflects ‘destination’ port and omits showing ‘source’ port)

For all practical purposes, while analyzing traffic flow, one must think of all 4 entries- Source IP, Destination IP, Source Port and Destination Port, as reflected clearly while clicking on a rule:

Complete Details on a NSG Rule

Kind of dislike Microsoft for not clarifying this in the overall dialog which is a cause of 90 percent of confusions/oblivion.

2.RULE NUMBERING

You have an Azure subscription that includes a network security group named NSG1.

You plan to add an inbound security rule named Rule1 to NSG1.

You need to configure a priority for Rule1. Rule1 must have the highest priority for inbound security rules in NSG1.

Which priority should you configure for Rule1?

Select only one answer.

• 0
• 1
• 10
• 100
• 1000

Answer-100

Explanation-

Priority:

-A number between 100 and 4096.

-Rules are processed in priority order, with lower numbers processed before higher numbers, because lower numbers have higher priority.

-Once traffic matches a rule, processing stops.

-As a result, any rules that exist with lower priorities (higher numbers) that have the same attributes as rules with higher priorities aren’t processed.

• Azure default security rules are given the highest number with the lowest priority to ensure that custom rules are always processed first.

Virtual Network

1. Vnet and VM/NIC of any resource — Region restriction

You have Azure subscription that includes virtual network named VNet1 in West US region.

You plan to deploy following container instances:

• Instance1, running Windows container image in West US region
• Instance2, running Linux container image in West US region
• Instance3, running Windows container image in East US region

Which container instances can be deployed to VNet1?

Select only one answer.

• Instance1 and Instance2 only
• Instance1 and Instance3 only
• Instance1, Instance2 and Instance3
• Instance1 only
• Instance2 only

Answer- Instance1 and Instance2 only

Explanation-

A resource can only be created in a virtual network that exists in the same region and subscription as the resource.

NOTE-VM and VNET can belong to different Resource Groups.

2. Vnet and VM/NIC of any resource — Region restriction but no RG restriction

You have an Azure subscription that contains the following resources:

• A resource group named RG1 in the West US region
• A resource group named RG2 in the Central US region
• A virtual network named VNet1 that is deployed to the West US region in RG1
• A virtual network named VNet2 that is deployed to the Central US region in RG1
• A virtual network named VNet3 that is deployed to the West US region in RG2

You need to deploy a virtual machine named VM1 to RG1 in the West US region.

To which virtual network or virtual networks can you connect VM1?

Select only one answer.

• VNet1 only
• VNet1 or VNet2 only
• VNet1 or VNet3 only
• VNet1, VNet2 or VNet3

ANSWER- VNet1 or VNet3 only

EXPLANATION-you can use the Vnet in the different resource group than the VM. But the limitation is your Vnet and VM must be in the same region.