Prepare smarter for your AZ-104 exam with our free, accurate, and 2025-updated questions.
At Cert Empire, we are committed to providing the best and the latest exam questions to the aspiring students who are preparing for Microsoft AZ-104 Exam. To help the students prepare better, we have made sections of our AZ-104 exam preparation resources free for all. You can practice as much as you can with Free AZ-104 Practice Test.
Question 1
Show Answer
B. Azure PowerShell: While Azure PowerShell can manage Azure DNS, it lacks a single, dedicated cmdlet for importing an entire zone file. Accomplishing this would require writing a custom script to parse the file and create each record individually, which is more effort.
C. the Azure portal: Using the Azure portal would require manually creating each of the 1,000 DNS records. This is the most time-consuming and error-prone method, representing the maximum administrative effort.
D. the DNS Manager console: This tool is used to manage on-premises Windows Server DNS. It has no native capability to interact with or migrate zones directly to the Azure DNS service.
1. Microsoft Azure Documentation, "Tutorial: Import and export a DNS zone file using the Azure CLI": This official tutorial explicitly details the use of the az network dns zone import command as the primary method for importing a zone file. It states, "This article explains how to import and export a DNS zone file for Azure DNS by using the Azure CLI."
URL: https://learn.microsoft.com/en-us/azure/dns/dns-import-export
2. Microsoft Azure Documentation, "az network dns zone import": The reference for the specific Azure CLI command confirms its purpose: "Create a DNS zone and records from a local zone file." This directly addresses the requirement to move the zone with minimal effort.
3. Microsoft Azure Documentation, "New-AzDnsRecordSet": The documentation for the comparable Azure PowerShell cmdlet shows it is designed to create individual record sets, confirming that a bulk import requires additional scripting, unlike the Azure CLI's direct import command.
URL: https://learn.microsoft.com/en-us/powershell/module/az.dns/new-azdnsrecordset
Question 2
Show Answer
B. a new public load balancer for VM3: This is an inefficient and unnecessary solution. The existing load balancer is capable of handling this requirement with the correct rule configuration, avoiding additional cost and complexity.
C. a frontend IP configuration: This defines the public IP address for the load balancer. While necessary for the load balancer to function, it does not define the rules for directing traffic to backend resources.
D. a load balancing rule: A load balancing rule would distribute RDP connections across all three virtual machines (VM1, VM2, and VM3), not direct them exclusively to VM3 as required.
1. Microsoft Azure Documentation - What is Azure Load Balancer?: "An inbound NAT rule forwards incoming traffic sent to the frontend IP address and port combination to a specific virtual machine or instance in the backend pool. A load balancing rule distributes incoming traffic across all instances within the backend pool."
URL: https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-overview#inbound-nat-rule
2. Microsoft Azure Documentation - Manage inbound NAT rules for Azure Load Balancer: "Azure Load Balancer supports inbound network address translation (NAT) rules. You use these rules to specify a backend resource to route traffic to from the load balancer frontend."
URL: https://docs.microsoft.com/en-us/azure/load-balancer/manage-inbound-nat-rules
Question 3
Show Answer
• Microsoft Azure Documentation - Load Balancer SKUs: This document explicitly details the differences between Basic and Standard SKU load balancers. In the feature comparison table, under "Backend pool," it specifies that the Basic SKU backend pool is limited to a "single availability set, single virtual machine scale set, or a single virtual machine." This confirms that multiple standalone VMs are not supported in a single backend pool for the Basic SKU.
o URL: https://docs.microsoft.com/en-us/azure/load-balancer/skus (Refer to the "SKU comparison" section).
• Microsoft Azure Documentation - Load Balancer Components: This page details the components of a load balancer, including the backend pool. It states, "For a Basic load balancer, the backend pool can't include more than one virtual machine that isn't part of an availability set or a virtual machine scale set."
o URL: https://learn.microsoft.com/en-us/azure/load-balancer/components#backend-pools (Refer to the "Backend pools" section).
Question 4
Show Answer
1. Microsoft Azure Docs, What is Azure Private DNS? (functions: linking, auto-registration)
https://learn.microsoft.com/en-us/azure/dns/private-dns-overview#virtual-network-links
2. Microsoft Azure Docs, Create a private DNS zone and link it to a virtual network (linking rules, auto-registration option)
3. Microsoft Azure Docs, Reverse DNS for Private DNS (automatic PTR registration)
https://learn.microsoft.com/en-us/azure/dns/private-dns-reverse-zones
Question 5
Show Answer
A. Disassociating the NSG removes all its rules, permitting rather than blocking Internet access.
B. Inbound rules govern traffic entering the VM; they do not control outbound traffic to websites.
D. The outbound deny rule already blocks port 80; no modification is required; its scope must simply include both VMs.
1. Microsoft Azure Documentation, Network security groups overview, Associations section: An NSG linked to a subnet applies to all network interfaces in that subnet.
https://learn.microsoft.com/azure/virtual-network/network-security-groups-overview#associations
2. Microsoft Azure Documentation, Security rules table: Outbound rules filter traffic leaving the VM to the Internet on specified ports.
https://learn.microsoft.com/azure/virtual-network/network-security-groups-overview#security-rules
Question 6
Show Answer
A. Disassociating the NSG removes all its rules, permitting rather than blocking Internet access.
B. Inbound rules govern traffic entering the VM; they do not control outbound traffic to websites.
D. The outbound deny rule already blocks port 80; no modification is required; its scope must simply include both VMs.
1. Microsoft Azure Documentation, Network security groups overview, Associations section: An NSG linked to a subnet applies to all network interfaces in that subnet.
https://learn.microsoft.com/azure/virtual-network/network-security-groups-overview#associations
2. Microsoft Azure Documentation, Security rules table: Outbound rules filter traffic leaving the VM to the Internet on specified ports.
https://learn.microsoft.com/azure/virtual-network/network-security-groups-overview#security-rules
Question 7
Show Answer
A. Disassociating the NSG removes all its rules, permitting rather than blocking Internet access.
B. Inbound rules govern traffic entering the VM; they do not control outbound traffic to websites.
D. The outbound deny rule already blocks port 80; no modification is required; its scope must simply include both VMs.
1. Microsoft Azure Documentation, Network security groups overview, Associations section: An NSG linked to a subnet applies to all network interfaces in that subnet.
https://learn.microsoft.com/azure/virtual-network/network-security-groups-overview#associations
2. Microsoft Azure Documentation, Security rules table: Outbound rules filter traffic leaving the VM to the Internet on specified ports.
https://learn.microsoft.com/azure/virtual-network/network-security-groups-overview#security-rules
Question 8
Show Answer
A. Move VM1 to Subscription2: Moving a virtual machine does not establish connectivity between the virtual networks themselves.
B. Move VNet1 to Subscription2: This is a significant administrative change. The direct method to connect the networks as they are is with gateways, not by moving resources between tenants.
C. Modify the IP address space of VNet2: The IP address spaces (10.0.0.0/16 and 10.10.0.0/24) do not overlap, so modification is unnecessary.
1. Microsoft Azure Documentation - Configure a VNet-to-VNet VPN gateway connection by using the Azure portal: This official guide outlines the procedure. The first major configuration step after creating the VNets is to "Create the virtual network gateways."
2. Microsoft Azure Documentation - Virtual network peering: This document clarifies the limitations of VNet peering, stating that while it can work across subscriptions, those subscriptions must be associated with the same Azure Active Directory tenant. This confirms peering is not an option in the given scenario.
3. Microsoft Azure Documentation - About VNet-to-VNet VPN gateway connections: This resource confirms that VNet-to-VNet connections are the appropriate solution for connecting VNets in different subscriptions, which is necessary for cross-tenant scenarios.
URL: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vnet-to-vnet
Question 9
Show Answer
B. OS disk type: The disk type (e.g., Standard HDD, Premium SSD) is not the constraint. The requirement is that the disk must be managed, regardless of its performance tier.
D. Size: The Standard B2s VM size supports Availability Zones in regions where zones are available. This setting is not the primary configuration that needs to be changed.
E. Image: Standard Azure Marketplace images, such as Windows Server 2016 Datacenter, are fully compatible with deployment into an Availability Zone.
1. Microsoft Azure Documentation - Create a virtual machine in an availability zone using the Azure portal: "To use availability zones, your VM must be created in a supported Azure region. ... VMs must use Azure managed disks to be placed in an availability zone." This source confirms that both the availability option must be set and managed disks must be used.
URL: https://learn.microsoft.com/en-us/azure/virtual-machines/create-portal-availability-zone
2. Microsoft Azure Documentation - Availability options for Azure Virtual Machines: "Availability zones... To protect your applications from datacenter-level failures, you can create a virtual machine in an availability zone." This highlights that the "Availability options" setting is the direct control for this feature.
URL: https://learn.microsoft.com/en-us/azure/virtual-machines/availability
3. Microsoft Azure Documentation - Introduction to Azure managed disks: "Azure managed disks are required for... Availability zones." This document explicitly states the dependency on managed disks for the Availability Zone feature.
URL: https://learn.microsoft.com/en-us/azure/virtual-machines/managed-disks-overview#availability-zones
Question 10
Show Answer
1. Microsoft Learn, Add an existing VM to a flexible scale set
https://learn.microsoft.com/azure/virtual-machine-scale-sets/flexible-guest-vms#prerequisites
(The VM you add must be in the same subscription, resource group, region, and virtual network as the scale set.)
Question 11
Show Answer
• Microsoft Azure Documentation | Virtual network peering: This official documentation explicitly states that virtual network peering is non-transitive.
o URL: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview
o Specific Section: Under the "Connectivity" section, it states: "Virtual network peering is non-transitive. For example, if you peer VNetA to VNetB and VNetB to VNetC, VNetA isn't peered to VNetC." This directly applies to the scenario where VNET2 (VNetA) cannot reach VNET3 (VNetC) through VNET1 (VNetB).
Question 12
Show Answer
1. Microsoft Learn, "Configure a Point-to-Site VPN connection to a VNet using native Azure certificate authentication: Azure portal": This document explicitly states the requirement for client-side certificates: "Each client computer that you want to connect to a VNet using a Point-to-Site connection must have a client certificate installed." This confirms that the solution must involve certificate installation, not policy changes in Azure AD.
2. Microsoft Learn, "About Point-to-Site VPN": This article outlines the different authentication methods available for P2S VPNs, clearly separating "Native Azure certificate authentication" from "Azure Active Directory authentication." This distinction demonstrates that modifying policies for one does not affect the other.
URL: https://learn.microsoft.com/en-us/azure/vpn-gateway/point-to-site-about#authentication
Question 13
Show Answer
1. Microsoft Learn | Configure a Point-to-Site VPN client for certificate authentication: "For a P2S connection from a Windows client computer to Azure, you must install a client certificate. The client certificate is used for authentication... For every client computer that you want to connect to a VNet using a Point-to-Site connection, you must install a client certificate." This documentation confirms that a client certificate is a mandatory installation on the client machine.
2. Microsoft Learn | What is an Azure AD joined device?: "Azure AD join allows you to join devices directly to Azure AD without the need to join to on-premises Active Directory... It provides users with a single sign-on (SSO) experience to your cloud and on-premises apps." This source defines Azure AD Join, showing its purpose is related to identity and access, not certificate distribution for VPNs.
URL: https://learn.microsoft.com/en-us/azure/active-directory/devices/concept-azure-ad-join
Question 14
Show Answer
1. Azure Resource Locks: Microsoft Learn. (2023). Lock resources to prevent unexpected changes. "Azure Resource Manager provides the ability to lock a subscription, resource group, or resource to prevent other users in your organization from accidentally deleting or modifying critical resources."
https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources
2. Azure Policy Overview: Microsoft Learn. (2024). What is Azure Policy?. "Azure Policy is a service in Azure that you use to create, assign, and manage policies. These policies enforce different rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements."
https://learn.microsoft.com/en-us/azure/governance/policy/overview
3. Network Security Groups: Microsoft Learn. (2023). Network security groups. "A network security group contains a list of security rules that allow or deny network traffic to resources connected to Azure Virtual Networks (VNet)."
https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview
Question 15
Show Answer
A. Change the priority of the RDP rule: The exhibit of effective security rules shows no
existing rule that allows RDP. You cannot change the priority of a rule that does not exist.
B. Attach a network interface: The problem description explicitly states that a network
interface named vm1173 has already been added to VM1, making this action redundant.
C. Delete the DenyAllInBound rule: DenyAllInBound is a default security rule within a
Network Security Group (NSG) and cannot be deleted. It can only be overridden by creating
a new rule with a higher priority.
1. Troubleshoot RDP connections: Microsoft Learn. The primary step in troubleshooting
RDP issues is to check the VM's status. "Check the status of the virtual machine: 1. Sign in
to the Azure portal. 2. Select Virtual machines. 3. Select the problematic virtual machine. 4.
In the overview pane for the virtual machine, check the status of the virtual machine. If the
status of the virtual machine is not Running, start it."
2. Adding a Network Interface: Microsoft Learn. This document confirms that adding a NIC requires the VM to be stopped. "You can only add a network interface to a VM when it's stopped (deallocated)." This supports the high probability that VM1 is currently stopped.
3. Default NSG Rules: Microsoft Learn. This document explains that default rules cannot be
removed. "You can't remove the default rules, but you can override them by creating rules
with higher priorities."
Question 16
Show Answer
A. Configure a conditional forwarder on VM1: A conditional forwarder is used to forward queries for specific domains. It does not solve the fundamental network connectivity problem between the isolated virtual networks.
B. Add service endpoints on VNET1: Service endpoints provide a secure, direct connection to specific Azure PaaS services (like Azure Storage or SQL Database), not for enabling general communication between virtual networks.
C. Add service endpoints on VNET2 and VNET3: Similar to option B, service endpoints are not the correct mechanism for enabling communication from one VNet to a virtual machine in another VNet.
1. Virtual network peering: "Virtual network peering enables you to seamlessly connect two or more Azure virtual networks. The virtual networks appear as one for connectivity purposes. The traffic between virtual machines in peered virtual networks uses the Microsoft backbone infrastructure."
Microsoft Learn. (2024). Azure virtual network peering. Retrieved from https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview
2. Name resolution for resources in Azure virtual networks: "When you're using your own DNS servers, Azure provides a non-authoritative recursive DNS service. You must specify your own DNS servers in the virtual network settings. The endpoints for your own DNS servers must be reachable from the virtual machines in that virtual network." This highlights the need for reachability, which peering provides.
Microsoft Learn. (2023). Name resolution for resources in Azure virtual networks. Retrieved
3. Virtual network service endpoints: "Virtual Network (VNet) service endpoints extend your virtual network private address space and the identity of your VNet to the Azure services, over a direct connection." This confirms service endpoints are for connecting to Azure services, not other VNETs.
Microsoft Learn. (2024). Virtual Network service endpoints. Retrieved from https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview
Question 17
Show Answer
1. Microsoft Azure documentation, Network security groups default and user rules
https://learn.microsoft.com/azure/virtual-network/network-security-groups-overview#security-rules
(see table: AllowVNetInBound priority 65000, DenyAllInBound priority 65500)
2. Microsoft Azure documentation, Diagnose a virtual machine network traffic filter problem
https://learn.microsoft.com/azure/network-watcher/connection-troubleshoot
(example output shows matched NSG rule and explains precedence of lower-number priority)
Question 18
Show Answer
A. Modify the address space of the local network gateway: This defines the on-premises IP address ranges for routing purposes over the VPN; it does not enforce any traffic filtering rules.
C. Remove the public IP addresses from the virtual machines: This would prevent the applications from being accessible over the internet on port 443, which violates a key requirement of the solution.
D. Modify the address space of Subnet1: This changes the internal IP address range for the subnet and has no impact on filtering inbound traffic from the internet.
1. Microsoft Documentation: Network security groups. "A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources."
URL: https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview
2. Microsoft Documentation: Create, change, or delete a network security group. This page details the process of creating security rules, including specifying protocol (TCP), destination port (3389), source (Internet service tag), and action (Deny).
3. Microsoft Documentation: Virtual network service tags. "A service tag represents a group of IP address prefixes from a given Azure service. The Internet service tag... contains the IP address ranges that are outside of the virtual network and reachable by the public internet."
URL: https://learn.microsoft.com/en-us/azure/virtual-network/service-tags-overview#available-service-tags
Question 19
Show Answer
B. Modify the properties of ASG1: The properties of an ASG itself (like its name or location) do not include a list of member VMs or NICs. The association is configured on the NIC, not the ASG.
C. Modify the properties of NSG1: A Network Security Group (NSG) uses ASGs as sources or destinations within its security rules. Modifying the NSG is for defining traffic rules, not for associating a VM with an ASG.
Microsoft Azure Documentation - Application security groups: "You associate a network interface to an application security group. A virtual machine has one or more network interfaces attached to it." This source directly confirms that the association is made at the network interface level.
Microsoft Azure Documentation - Tutorial: Filter network traffic with a network security group using the Azure portal: This tutorial provides a step-by-step guide. In the section "Associate network interfaces to ASGs," the procedure is to select the network interface and then associate it with an application security group.
Question 20
Show Answer
D. Create a gateway subnet: While a gateway subnet (named GatewaySubnet) is a mandatory prerequisite for deploying a virtual network gateway, it is a network configuration step. The question asks for the three main actions to create the VPN solution, which are best represented by the three core VPN resources (VNG, LNG, and Connection).
E. Create a VPN gateway that uses the Basic SKU: The Basic SKU is not supported for configurations where a VPN Gateway and an ExpressRoute gateway coexist in the same virtual network.
1. Coexistence SKU Limitation: Microsoft Azure Documentation. (2023). Configure ExpressRoute and Site-to-Site VPN connections that coexist. "Limits and limitations". "Coexistence is not supported on the Basic SKU."
2. S2S VPN Components: Microsoft Azure Documentation. (2024). Tutorial: Create a Site-to-Site VPN connection in the Azure portal. This tutorial outlines the main steps, which include creating the virtual network gateway (C), the local network gateway (B), and the connection (A).
URL: https://learn.microsoft.com/en-us/azure/vpn-gateway/tutorial-site-to-site-portal
3. Gateway Subnet Prerequisite: Microsoft Azure Documentation. (2024). About VPN Gateway configuration settings. "Gateway subnet". "Before you create a virtual network gateway, you must create a gateway subnet." This confirms it as a prerequisite for the gateway itself.
URL: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsub
Question 21
Show Answer
1. Azure Virtual Network peering | Microsoft Learn: This official Microsoft documentation explains the different peering statuses. It clarifies that a Connected status is required for connectivity and describes the Disconnected state.
o URL: https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview
o Relevant Section: "Peering status" section explains that if one side of a peering is deleted, the status on the remaining side becomes Disconnected.
2. Create, change, or delete a virtual network peering | Microsoft Learn: This guide details the management of VNet peerings. It implicitly supports the answer by explaining the process for creating and deleting peerings. To fix a Disconnected state, which results from deleting the remote link, the local link must also be deleted and then both must be recreated.
o URL: https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-manage-peering
o Relevant Section: The "Permissions" and "Create a peering" sections outline the requirements for establishing a Connected state, which involves reciprocal actions on both virtual networks. The process to recover from a Disconnected state involves deleting the remaining peering and starting over.
Question 22
Show Answer
• Azure Load Balancer SKUs Documentation: States the constraints for Basic SKU, including the requirement for backend pool members to be in a single availability set or scale set.
o Source: Microsoft Azure Documentation
o URL: https://learn.microsoft.com/en-us/azure/load-balancer/skus#skus (Refer to the "Backend pool" row in the comparison table).
• Azure Load Balancer Components Documentation: Explains that load balancing rules are used to define how traffic is distributed to the VMs and that a health probe monitors the health of the backend instances.
o Source: Microsoft Azure Documentation
o URL: https://learn.microsoft.com/en-us/azure/load-balancer/components#load-balancing-rule
o URL: https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-custom-probe-overview
Question 23
Show Answer
• Microsoft Azure Documentation (Official Vendor Documentation):
o Regarding removing the Public IP: In the tutorial for creating a public standard load balancer, the documentation explicitly states, "Virtual machines in the backend pool can't have a public IP address. If your virtual machines have public IP addresses, you must remove them before you add them to the backend pool of the load balancer."
§ Source: Microsoft Learn, Quickstart: Create a public load balancer - Azure portal, Section: "Create virtual machines". Direct URL: https://learn.microsoft.com/en-us/azure/load-balancer/quickstart-load-balancer-standard-public-portal?tabs=bicep#create-virtual-machines
o Regarding the need for an NSG: The Standard Load Balancer overview states, "A standard load balancer is closed to inbound connections unless opened by a network security group. You can create a network security group and associate it with a virtual machine to allow traffic."
§ Source: Microsoft Learn, What is Azure Load Balancer?, Section: "Standard Load Balancer > Secure by default". Direct URL: https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-overview#standard-load-balancer
Question 24
Show Answer
A. No VNet exists in North Europe, so a NIC cannot be created there.
C. West Europe and North Europe lack a VNet; without one, a NIC cannot be created in
those regions.
D. West Europe lacks a VNet, so a NIC cannot be created there.
1. Microsoft Azure documentation, Create a network interface: The network interface must be in the same region and subscription as the virtual network.
2. Microsoft Azure documentation, Requirements and constraints: same-region requirement reiterated.
Question 25
Show Answer
A. Update the DNS suffix on VM1 to be adatum.com: A DNS suffix is used for resolving unqualified, single-label names. It does not fix the underlying inability to resolve a fully qualified domain name (FQDN) in a public zone.
C. Create an SRV record in the contoso.com zone: An SRV record is for locating specific services and has no role in resolving standard host (A) records for a different domain (adatum.com).
D. Modify the Access control (IAM) settings for link1: IAM roles manage permissions for Azure resources. They do not affect the DNS resolution process for virtual machines within a virtual network.
1. Microsoft Azure Documentation, "Tutorial: Host your domain in Azure DNS": This tutorial explicitly states the requirement to delegate the domain. "Before you can delegate your DNS zone to Azure DNS, you need to know the name servers for your zone... Once the DNS zone is created... you need to update the parent domain with the Azure DNS name servers. Each registrar has its own DNS management tools to change the name server records for a domain."
URL: https://docs.microsoft.com/en-us/azure/dns/dns-delegate-domain-azure-dns
2. Microsoft Azure Documentation, "What is Azure DNS?": This document outlines the function of public DNS zones. "To host your domain in Azure DNS, you need to buy a domain name... You then create a DNS zone in Azure DNS for that domain name... Finally, you must configure the name servers for your domain to point to the Azure DNS name servers. This process is called domain delegation."
URL: https://docs.microsoft.com/en-us/azure/dns/dns-overview
3. Microsoft Azure Documentation, "Azure Private DNS FAQ": This document clarifies the distinction between private and public zones. The problem described for adatum.com is a public DNS configuration issue, separate from the private zone contoso.com which is working correctly via the VNet link.
URL: https://docs.microsoft.com/en-us/azure/dns/private-dns-faq
Question 26
Show Answer
1. Microsoft Learn | Azure Network Watcher | IP flow verify overview: "IP flow verify checks if a packet is allowed or denied to or from a virtual machine... If the packet is denied by a security group, the name of the rule that denied the packet is returned."
URL: https://learn.microsoft.com/en-us/azure/network-watcher/network-watcher-ip-flow-verify-overview
2. Microsoft Learn | Azure Network Watcher | Troubleshoot connections with Azure Network Watcher using the Azure portal: "Connection troubleshoot provides the capability to check a direct TCP connection from a virtual machine (VM) to a VM, fully qualified domain name (FQDN), URI, or IPv4 address."
URL: https://learn.microsoft.com/en-us/azure/network-watcher/network-watcher-connectivity-portal
3. Microsoft Learn | Azure Network Watcher | What is Azure Network Watcher?: This document provides an overview of the diagnostic tools, distinguishing the purpose of IP flow verify (diagnose connectivity filtering problems) from Connection troubleshoot (test connections between a source and destination).
URL: https://learn.microsoft.com/en-us/azure/network-watcher/network-watcher-overview#diagnose
Question 27
Show Answer
• Microsoft Azure Documentation, Name resolution for VMs and role instances: "If you specify a custom DNS server for a virtual network, you can also specify a different DNS server for one or more network interfaces in the virtual network. The DNS server setting for a network interface overrides the DNS server setting for the virtual network." This document outlines the order of precedence for DNS settings in Azure.
own-dns-server (Refer to the section on "Name resolution that uses your own DNS server" and the specifics on Network Interface settings).
Question 28
Show Answer
1. Microsoft Azure Documentation: Move resources to a new resource group or subscription. This document provides the primary guidelines for resource moves.
o Specific Section: Under the "Checklist before moving resources," the document states, "The source and destination resource groups must exist in the same subscription." and "When moving a resource, you also move its dependent resources."
2. Microsoft Azure Documentation: Move guidance for virtual machines. This resource details the specific requirements for moving virtual machines and their dependencies.
o Specific Section: The table for the Microsoft.Compute resource provider confirms that virtual machines, disks, and network interfaces can be moved. It specifies that for a VM, dependent resources like NICs and disks must be in the same resource group and must be moved together.
3. Microsoft Azure Documentation: Move guidance for networking resources. This page confirms the movability of virtual networks.
o Specific Section: The table for the Microsoft.Network resource provider explicitly lists virtualNetworks as a movable resource.
Question 29
Show Answer
1. Azure Load Balancer SKUs Comparison: Microsoft Learn. "Virtual machines with a
Standard SKU Public IP address or no Public IP address can be added to the backend pool
of a Standard Load Balancer. Virtual machines with a Basic SKU Public IP address...can be
added to the backend pool of a Basic Load Balancer." This explicitly states the compatibility
rules.
URL: https://learn.microsoft.com/en-us/azure/load-balancer/skus#skus
2. Load Balancer and Public IP address SKUs: Microsoft Learn. "You can't have both basic
and standard SKU resources. You can't mix SKU types for standalone virtual machines,
availability sets, or virtual machine scale sets in the same backend pool." This reinforces
the rule against mixing SKUs.
URL: https://learn.microsoft.com/en-us/azure/load-balancer/skus#limitations
Question 30
1. Microsoft Azure Documentation - Load Balancer SKUs: "For a standard SKU load
balancer, the virtual machines in the backend pool must have standard SKU public IP
addresses or no public IP address. The network interfaces of the virtual machines must be
associated with a standard SKU public IP address." This document explicitly states the SKU
requirements.
URL: https://learn.microsoft.com/en-us/azure/load-balancer/skus#skus
2. Microsoft Azure Documentation - Azure Load Balancer overview: "Standard Load
Balancer backend pool members can have either no public IP address or a Standard SKU
public IP address." This confirms that Basic SKU public IPs are not permitted in the
backend pool of a Standard Load Balancer.
3. Microsoft Azure Documentation - Upgrade a public IP address: "Stopping the resource
does not deallocate the public IP address." This reference clarifies that stopping a VM does
not disassociate or change the properties of its public IP, which is the flaw in the proposed
solution's logic.
Question 31
1. Microsoft Azure documentation: Upgrade a Basic public IP to Standard
(Only Standard public IP addresses can be associated with resources behind a Standard
Load Balancer.)
2. Microsoft Azure documentation: Upgrade a basic load balancer to Standard
https://learn.microsoft.com/en-us/azure/load-balancer/upgrade-basic-standard#incompatible-resources
(A VM NIC with a Basic public IP cannot be added to a Standard Load Balancer backend.
Replace the Basic public IP with a Standard SKU IP or remove it.)
Question 32
1. Microsoft Azure Documentation, "Install an exported client certificate": This official guide
explicitly states, "To create a P2S connection from a different client computer, you must
install a client certificate on that computer. When you install a client certificate, you'll need
the password that was created when the client certificate was exported." This directly
validates the proposed solution.
Source: Microsoft Learn, "Configure a Point-to-Site VPN connection to a VNet using native
Azure certificate authentication: Azure portal", Section: "Install an exported client
certificate".
2. Microsoft Azure Documentation, "Generate and export certificates for Point-to-Site
connections": This document details the certificate management process. The step to
export a client certificate is a prerequisite for installing it on client computers, confirming that
the certificate is a portable credential intended for this purpose.
Source: Microsoft Learn, "Generate and export certificates for Point-to-Site connections
using PowerShell", Section: "Export the client certificate".
Question 33
A. Modify the protocol of Rule4: Rule4 is for RDP (port 3389). Modifying it would not enable
HTTPS on port 443 and would likely break remote desktop access.
B. Delete Rule1: Rule1 allows traffic within the virtual network. Deleting it is unnecessary,
unrelated to allowing internet traffic, and could disrupt internal communications.
C. For Rule5, change the Action to Allow and change the priority to 401: Rule5 already
allows HTTP on port 80. Changing its priority does not enable the required HTTPS traffic on
port 443.
1. Microsoft Learn: Network security groups. This document explains how NSGs filter
network traffic. It states, "To filter traffic, you create security rules... For each rule, you can
specify a source and destination, port, and protocol." This supports the creation of a new
rule for a specific port and protocol.
URL: https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview
2. Microsoft Learn: Create, change, or delete a network security group. This guide details
the properties of a security rule, including Destination port ranges, Protocol (TCP, UDP,
etc.), Action (Allow or Deny), and Priority. This confirms that creating a new rule with these
specific properties is the correct procedure.
3. Microsoft Learn: Default security rules. This page lists the default inbound rules, including
DenyAllInbound with a priority of 65500, which blocks all inbound traffic unless a rule with a
lower priority number explicitly allows it. This explains why a new "Allow" rule is necessary.
Question 34
1. Azure Resource Providers and Types: This document explains that Microsoft.Network is
the provider for ARM virtual networks and NSGs, while Microsoft.ClassicNetwork is for the
classic model. Unregistering the classic provider does not affect ARM resources.
Microsoft Learn. (2024). Azure resource providers and types. Retrieved from
2. Network Security Groups - Default Security Rules: This official documentation lists the
default rules created with every NSG. None of these rules specifically block port 8080; in
fact, the AllowVNetInBound rule permits all traffic between virtual networks by default.
Microsoft Learn. (2023). Network security groups. Retrieved from
3. Azure Policy for NSGs: To automatically enforce rules on NSGs, Azure Policy is the
correct tool. This tutorial shows how to create policies to manage NSG rules, which is the
appropriate solution for the scenario.
Microsoft Learn. (2023). Tutorial: Create and manage policies to enforce compliance.
Retrieved from https://learn.microsoft.com/en-us/azure/governance/policy/tutorials/create-and-manage (This tutorial covers the general mechanism applicable to NSGs).
Question 35
Microsoft Learn: Azure Virtual Network peering overview. This document outlines the key
capabilities and constraints, stating, "You can peer virtual networks that exist in two different
regions (also known as Global VNet Peering)" and "You can peer virtual networks in the
same, or different subscriptions."
URL: https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview
Microsoft Learn: Create, change, or delete a virtual network peering. This guide details the
requirements, including the need for "non-overlapping IP address spaces."
Question 36
1. Microsoft Learn: Network security groups. This document explains how Azure processes
security rules. It states, "Security rules in a network security group are processed by
priority... When traffic matches a rule, processing stops. If you add a new rule, you can
specify its priority to determine its place in the processing order." The proposed Deny rule
would stop processing and block the traffic.
2. Microsoft Learn: How network security groups filter network traffic. This page details the
rule evaluation process. To allow the traffic, a new rule with an "Allow" action and a higher
priority (a lower number) than any blocking rule is required. The proposed solution does the
opposite.
URL: https://learn.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works
Question 37
1. Microsoft Azure Documentation: How network security groups filter network traffic. This
document explains that rules are processed in priority order. If no explicit allow or deny rule
matches, the default rules are applied.
URL: https://learn.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works
2. Microsoft Azure Documentation: Default security rules. This page lists the default inbound
security rules, including DenyAllInbound at priority 65500, which blocks any traffic not
expressly permitted by a preceding rule.
3. Microsoft Azure Documentation: Azure Load Balancer and Network Security Groups.
When using a load balancer, the source IP of the traffic arriving at the backend virtual
machine's NIC is the original client's IP address, not the load balancer's. Therefore, NSG
rules must allow the client's IP.
Question 38
1. Microsoft Azure Documentation Network security groups: security rules
(Evaluation order and DenyAll rule at priority 65500)
2. Microsoft Azure Documentation Manage NSG rules
(Priority affects only ordering; rule must explicitly allow required port)
Question 39
1. Microsoft Azure Documentation - Understand Azure Policy effects: This document
explains the different policy effects. The append effect is explicitly shown as a way to add
security rules to an NSG, which would be required here. This implies a custom definition is
needed.
URL: https://learn.microsoft.com/en-us/azure/governance/policy/concepts/effects#append
2. Microsoft Azure Documentation - Tutorial: Create a custom policy definition: This tutorial
demonstrates that for specific organizational requirements not covered by built-in policies,
you must create your own custom policy definitions.
URL: https://learn.microsoft.com/en-us/azure/governance/policy/tutorials/create-custom-policy-definition
3. Microsoft Azure Documentation - Azure Policy built-in definitions for Azure Networking: A
review of the built-in policies for networking confirms that there is no policy to automatically
add a specific custom rule to an NSG.
URL: https://learn.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#network
Question 40
A. kubenet: With kubenet, pods receive IPs from a logically separate address space and
use Network Address Translation (NAT) to communicate, hiding the pod's actual IP behind
the node's IP. This prevents direct connectivity.
C. Hybrid Connection endpoints: This is a feature of Azure App Service and Functions used
for connecting from Azure to on-premises resources. It is not a network model for an AKS
cluster.
D. Azure Private Link: This service provides private connectivity to an endpoint representing
a service (like an internal load balancer), not to individual pod IPs. It is a method to expose
a service, not a fundamental cluster network type.
1. Microsoft Azure Documentation: "Concepts - Networking in Azure Kubernetes Services
(AKS)". This document explicitly compares kubenet and Azure CNI. It states, "With Azure
CNI, every pod gets an IP address from the subnet and can be accessed directly. These IP
addresses must be unique across your network space... This network model allows for
more separation of control and management of resources."
URL: https://learn.microsoft.com/en-us/azure/aks/concepts-network#compare-network-models
2. Microsoft Azure Documentation: "Configure Azure CNI networking in Azure Kubernetes
Service (AKS)". This source details the functionality of Azure CNI. It confirms, "Each pod
receives an IP address in the virtual network subnet. Pods can communicate with other
pods in the virtual network and on-premises networks."
URL: https://learn.microsoft.com/en-us/azure/aks/configure-azure-cni
Question 41
1. Microsoft Learn: Load Balancer SKUs. For an internal Standard Load Balancer, backend
instances must be in the same virtual network as the load balancer.
https://learn.microsoft.com/azure/load-balancer/skus#feature-comparison
2. Microsoft Learn: Add virtual machines to the backend pool. A VM may have a public IP or
none; backend pool membership depends on the NIC's virtual-network location, not on
public-IP presence.
These authoritative sources demonstrate that public-IP removal alone is insufficient to add
VM2 to the LB1 backend pool.
Question 42
1. Microsoft Learn - Tutorial: Manage network security groups by using Azure Policy: This
official tutorial demonstrates how to create a policy initiative that includes a policy to
"Append a network security group to each subnet." While the specific goal is different, it
validates the core concept of using Azure Policy with an append effect to modify network
resources like NSGs automatically.
URL: https://learn.microsoft.com/en-us/azure/governance/policy/tutorials/manage-network-security-groups
2. Microsoft Learn - Understand Azure Policy effects: This document details the modify and
append effects. The modify effect can "add, update, or remove properties or tags on a
resource during creation or update." This is precisely what is needed to add a security rule
to a new NSG.
URL: https://learn.microsoft.com/en-us/azure/governance/policy/concepts/effects#modify
3. Microsoft Learn - Azure Policy built-in definitions for Azure Networking: This page lists
built-in policies, including ones that manage NSG rules. A custom policy can be modeled
after these to create the specific rule required by the scenario.
URL: https://learn.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#network
Question 43
A. IP flow verify: This tool checks if traffic is allowed or denied by Network Security Group
(NSG) rules for a specific flow. It does not measure performance metrics like RTT.
B. Connection troubleshoot: This provides a point-in-time connectivity check and reports the
latency for that single attempt, not an average over time.
D. NSG flow logs: This feature records IP traffic flowing through an NSG for security
auditing and traffic analysis. It does not provide performance data like RTT.
Connection Monitor: Microsoft Learn. (2023). Connection monitor overview. "Connection
Monitor provides unified, end-to-end connection monitoring in Azure Network Watcher...
You can monitor network connectivity and configure alerts for virtual machines...
Connection Monitor can measure the round-trip time and packet loss for TCP, ICMP, and
HTTP connections."
URL: https://learn.microsoft.com/en-us/azure/network-watcher/connection-monitor-overview
Connection Troubleshoot: Microsoft Learn. (2023). Tutorial: Diagnose a virtual machine
network routing problem using the Azure portal. "Connection troubleshoot... checks a direct
TCP connection from a virtual machine (VM) to a VM... It returns information about the
connection attempt, including the latency in milliseconds."
URL: https://learn.microsoft.com/en-us/azure/network-watcher/diagnose-vm-network-routing-problem
IP Flow Verify: Microsoft Learn. (2023). Introduction to IP flow verify in Azure Network
Watcher. "IP flow verify indicates if a packet is allowed or denied to or from a virtual
machine."
URL: https://learn.microsoft.com/en-us/azure/network-watcher/network-watcher-ip-flow-verify-overview
Question 44
1. Microsoft Azure Official Documentation, "Azure Load Balancer SKUs":
This document directly compares the Basic and Standard SKUs. In the
"Backend pool endpoints" row, it specifies that for Basic Load Balancer, the
endpoints must be "Virtual machines in a single availability set or virtual
machine scale set." For Standard Load Balancer, it allows "Any virtual
machines or virtual machine scale sets in a single virtual network."
o URL: https://learn.microsoft.com/en-us/azure/load-balancer/skus
o Section: SKU comparison table.
2. Microsoft Azure Official Documentation, "Azure Load Balancer
components": This document details the components of a load balancer. It
reinforces that a load balancer rule cannot span two virtual networks,
establishing the virtual network as the boundary for all load balancer
operations, which is the baseline requirement for the more flexible Standard
SKU.
o URL: https://learn.microsoft.com/en-us/azure/load-balancer/components
o Section: Limitations.
Question 45
1. Microsoft Learn: Configure active-active VPN gateway connections
https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-activeactive-config
An active-active VPN gateway has two gateway instances. Each instance has its own public
IP address.
For cross-premises connections, create two local network gateways, one for each
on-premises VPN device.
2. Microsoft Learn: About VPN Gateway redundancy
https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-highlyavailable
Describes a single virtual network gateway object with multiple instances and SLA failover
behavior.
Question 46
A. vm1.core.windows.net: This FQDN suffix (core.windows.net) is used for Azure Storage
services, not for virtual machine DNS names.
B. vm1.azure.com: This is a generic domain and not a standard FQDN format that Azure
automatically assigns to virtual machines.
C. vm1.westeurope.cloudapp.azure.com: This is the standard FQDN format for a VM's
public IP address. A reverse lookup on the private IP uses the internal DNS suffix, not the
public one.
Microsoft Azure Documentation: "Name resolution for resources in Azure virtual networks".
This document explicitly states the FQDN format for Azure-provided internal name
resolution. Under the "Azure-provided name resolution" section, it confirms the internal
FQDN format. The "Reverse DNS" section further clarifies that reverse queries for private
IPs within a VNet return this internal FQDN.
Microsoft Azure Documentation: "DNS in Azure". This page provides an overview of DNS
features, including the distinction between public and private DNS zones and the automatic
registration of VMs in Azure's internal DNS.
URL: https://learn.microsoft.com/en-us/azure/dns/dns-overview
Question 47
1. Network Security Groups - Rule Processing: Azure processes network security group
(NSG) rules in ascending order of priority. The first rule that matches the traffic is applied.
The existing deny rule at priority 200 will be evaluated before the default allow rules.
Microsoft Azure Documentation. (2023). Network security groups. Retrieved from
2. Azure Service Tags - AzureLoadBalancer: The AzureLoadBalancer service tag
represents the virtual IP address of the host node where Azure's health probes originate. It
is intended for health probe traffic, not for client data traffic forwarded by the load balancer.
Microsoft Azure Documentation. (2023). Virtual network service tags. Retrieved from
https://docs.microsoft.com/en-us/azure/virtual-network/service-tags-overview#available-service-tags
3. Azure Load Balancer and NSGs: When using a load balancer, the source IP address of
the packet arriving at the backend virtual machine is the original client's IP address, not the
load balancer's IP. Therefore, NSG rules must allow traffic from the client's source IP.
Microsoft Azure Documentation. (2023). Filter network traffic with a network security group.
Retrieved from https://docs.microsoft.com/en-us/azure/virtual-network/tutorial-filter-network-traffic#create-security-rules (This tutorial demonstrates creating rules for web traffic from the
Internet tag, not the AzureLoadBalancer tag).
Question 48
A: Service endpoints are used to secure Azure service resources to a virtual network, which
is unrelated to P2S VPN gateway functionality.
B: Resetting a gateway is a troubleshooting action to restart the device; it does not change
its underlying type from policy-based to route-based.
D: A "connection" resource is created for Site-to-Site (S2S) or VNet-to-VNet tunnels, not for
configuring the P2S client pool on the gateway itself.
F: A virtual network is configured with a private IP address space. Public IP addresses are
assigned to specific resources like a gateway, not to the VNet's address space.
1. Microsoft Documentation: About VPN Gateway settings. This document includes a table
that explicitly states Point-to-Site connections are "Not supported" for PolicyBased VPN
gateways and "Supported" for RouteBased VPN gateways.
URL: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#vpntype (Refer to the "Gateway types" and the comparison table under
the "VPN type" section).
2. Microsoft Documentation: Delete a virtual network gateway. This guide confirms that to
change the gateway type, the existing gateway must be deleted and a new one created.
URL: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-delete-vnet-gateway-portal#delete-the-virtual-network-gateway (The "Delete the virtual network
gateway" section outlines the procedure).
3. Microsoft Documentation: About P2S VPN. This article provides an overview of P2S
VPNs and their requirements, reinforcing that a route-based gateway is necessary.
URL: https://learn.microsoft.com/en-us/azure/vpn-gateway/point-to-site-about (The "What
VPN type is used for P2S?" section).
Question 49
1. Microsoft Azure Documentation | What is an Azure Private DNS zone?:
o Content: This document explains the concepts of registration and
resolution virtual networks. It states, "If you designate a virtual network
as a registration network... DNS records for the virtual machines in that
virtual network are automatically registered in the zone." It also clarifies
that for resolution, a VNet must be linked to the zone.
o URL: https://learn.microsoft.com/en-us/azure/dns/private-dns-overview
o Specific Section: "Private DNS zones" and "Virtual network links".
2. Microsoft Azure Documentation | Azure Private DNS scenarios:
o Content: This source details the functionality of virtual network links for
name resolution. It specifies that "To resolve records in a private DNS
zone from your virtual network, you must link the virtual network with
the zone. A linked virtual network has full access and can resolve all
DNS records in the private zone."
o URL: https://learn.microsoft.com/en-us/azure/dns/private-dns-scenarios
o Specific Section: "Name resolution for VMs in one VNet".
3. Microsoft Azure Documentation | Autoregistration feature:
o Content: This page describes the autoregistration feature in detail. It
confirms that autoregistration works by creating a virtual network link
and enabling the "auto registration" setting on that link. This directly
supports the reason why VM1 (in the un-linked VNet1) is not
registered, while VMs in the linked VNet2 would be.
o URL: https://learn.microsoft.com/en-us/azure/dns/private-dns-autoregistration
o Specific Section: "How auto registration works with new and existing
VMs".
Question 50
• Azure DNS Private Zones Scenarios: Microsoft Learn. This document
outlines the capabilities and limitations of Azure Private DNS zones.
o URL: https://learn.microsoft.com/en-us/azure/dns/private-dns-scenarios
o Section: "Cross-region VNet linking support for private zones" - This
section details the limitation: "The private zone can only be linked to
one virtual network if they are in different regions."
• What is an Azure Private DNS zone: Microsoft Learn. This official
documentation provides the fundamental concepts of private DNS zones and
virtual network links.
o URL: https://learn.microsoft.com/en-us/azure/dns/private-dns-overview#virtual-network-links
o Section: "Virtual network links" - This section explains auto-registration
and the rule that "a virtual network can be linked to only one private
zone with autoregistration enabled." It also confirms that a virtual
network can be linked to multiple zones for resolution.
Question 51
1. Azure Bastion Documentation - Subnet Settings: This official Microsoft
documentation specifies the requirements for the Azure Bastion subnet.
o Subnet Name: It explicitly states, "When you create this subnet, use
the name value AzureBastionSubnet."
o Subnet Size: It states, "The Azure Bastion subnet must be at least /26
or larger (/25, /24 etc.)." Although /26 is the current guidance, /27 was
the previous minimum and is the largest and only suitable option
provided in the question.
o URL: https://learn.microsoft.com/en-us/azure/bastion/bastion-nsg#apply-nsgs-to-the-azurebastionsubnet (This section on NSGs
reiterates the naming and size requirements under the
"AzureBastionSubnet" heading.)
o URL: https://learn.microsoft.com/en-us/azure/bastion/configuration-settings#subnet (This section directly details the subnet configuration
settings.)
2. Azure Resource Manager - virtualNetworks/subnets Template
Reference: This documentation outlines the properties for defining subnets in
an ARM template, confirming name and addressPrefix as required properties.
o URL: https://learn.microsoft.com/en-us/azure/templates/microsoft.network/virtualnetworks/subnets?pivots=deployment-language-bicep#subnetpropertiesformat-object
Question 52
1. Microsoft Learn: Introduction to packet capture for virtual machines. This document
explicitly states, "Network Watcher packet capture allows you to create packet capture
sessions to track traffic to and from a virtual machine... You can start, stop, and download
packet captures in the Azure portal."
URL: https://learn.microsoft.com/en-us/azure/network-watcher/network-watcher-packet-capture-overview
2. Microsoft Learn: Manage packet captures with the Azure portal. This tutorial
demonstrates the configuration options, including setting a "Time limit (seconds)" and
adding filters based on source and destination IP addresses and ports, which directly
supports the solution's ability to target traffic between VM1 and VM2 for a specific duration.
Question 53
1. Microsoft Learn - Connection Monitor Overview: "Connection Monitor provides unified
end-to-end connection monitoring in Azure Network Watcher... It helps you check the
reachability of an endpoint and measure latency and packet loss." This source confirms that
Connection Monitor is for health and performance monitoring, not traffic inspection.
URL: https://learn.microsoft.com/en-us/azure/network-watcher/connection-monitor-overview
2. Microsoft Learn - Packet Capture Overview: "Network Watcher packet capture allows you
to create packet capture sessions to track traffic to and from an Azure virtual machine
(VM)... The captured data is stored in a .cap file... You can open the .cap file by using a
supported application, such as Wireshark." This source describes the exact functionality
required to "inspect all the network traffic."
URL: https://learn.microsoft.com/en-us/azure/network-watcher/network-watcher-packet-capture-overview
Question 54
1. Azure Network Watcher - Packet Capture: Microsoft's official documentation describes
packet capture as the tool for tracking traffic to and from a virtual machine. It states,
"Network Watcher variable packet capture allows you to create packet capture sessions to
track traffic to and from a virtual machine... The captured data is stored in a .cap file... You
can open the capture file by using a supported application, such as Wireshark." This
confirms it is the correct tool for traffic inspection.
Source: Microsoft Learn, "Introduction to packet capture in Azure Network Watcher," URL:
https://learn.microsoft.com/en-us/azure/network-watcher/network-watcher-packet-capture-overview
2. Windows Performance Monitor: Microsoft's documentation on Performance Monitor
details its function as a tool for analyzing how programs affect a computer's performance,
both in real-time and by collecting log data for later analysis. Its capabilities are centered on
performance counters, event traces, and configuration information, not full packet content
capture.
Source: Microsoft Learn, "Windows Performance Monitor," URL:
https://learn.microsoft.com/en-us/windows-server/performance/performance-monitoring-getting-started
Question 55
1. Microsoft Learn | Azure Monitor Metrics overview: "Azure Monitor Metrics is a feature of
Azure Monitor that collects numeric data from monitored resources into a time-series
database." This source confirms that metrics are numerical values, not packet data for
inspection.
URL: https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/data-platform-metrics
2. Microsoft Learn | Supported metrics for Microsoft.Compute/virtualMachines: This
document lists "Network In Total" (Network In) and "Network Out Total" (Network Out) with
the unit "Bytes," confirming they measure volume, not content.
3. Microsoft Learn | Packet capture with Azure Network Watcher: "Network Watcher packet
capture allows you to create packet capture sessions to track traffic to and from a virtual
machine... Packet capture is a virtual machine extension that's remotely started through
Network Watcher." This source describes the correct tool for inspecting traffic.
URL: https://learn.microsoft.com/en-us/azure/network-watcher/network-watcher-packet-capture-overview
Question 56
• Remove nsg1: This is incorrect. The Network Security Group (NSG) is required to
allow incoming traffic on port 443 to reach the virtual machines' network interfaces.
The load balancer directs traffic, but the NSG permits it.
• Create an availability set: This is incorrect. While best practice for high availability,
an availability set is a construct for the VMs themselves and is not a required step to
configure the load balancer to distribute traffic to existing VMs.
• Backend Pool IP Configuration: Microsoft Learn documentation states that virtual
machines in the backend pool of a Standard Load Balancer cannot have instance-level
public IP addresses.
o Source: Microsoft Learn, "Azure Load Balancer SKUs". Under the "Standard
Load Balancer" section, it details backend pool constraints.
• Load Balancer Configuration Steps: The official tutorials for creating a public load
balancer outline the necessary components and order of creation. The sequence
involves defining backend resources and health probes before creating the rules that
use them.
o Source: Microsoft Learn, "Quickstart: Create a public load balancer - Azure
portal", Section: "Create load balancer resources". This guide demonstrates
creating the backend pool, health probe, and then the load balancer rule.
Question 57
• Connect the virtual networks to the hub: This action is incorrect in this context
because the requirement is to connect on-premises sites, not Azure virtual networks.
Connecting virtual networks is a separate step for integrating VNet spokes into the
hub.
• Microsoft Azure Documentation: The tutorial "Create a Site-to-Site connection
using Azure Virtual WAN" outlines these steps in sequence.
o URL: https://learn.microsoft.com/en-us/azure/virtual-wan/virtual-wan-site-to-site-portal
o Specific Sections: The article's main body walks through the steps: "1.
Create a virtual WAN", "2. Create a hub", "3. Create a site", and "4. Connect
the VPN site to the hub". This directly corresponds to the required sequence.
Question 58
1. Microsoft Azure Documentation | How network security groups filter network traffic:
"Security rules in a network security group are processed by priority. To determine the rule
to apply to the traffic, Azure processes the rules in priority order (from the lowest number to
the highest number)... Once traffic matches a rule, processing stops." This explains why a
new Allow rule with a lower priority number is needed to override the existing
DenyAllInBound rule.
URL: https://learn.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works
2. Microsoft Azure Documentation | Network security groups: "A network security group
contains security rules that allow or deny inbound network traffic to, or outbound network
traffic from, several types of Azure resources." This document confirms that the action must
be 'Allow' to permit traffic.
URL: https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview
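The explanations for Questions 33, 36, 37, 38, 47 and 58 all rest on the same NSG evaluation rule: inbound rules are tried from the lowest priority number upwards, the first match wins, and the default DenyAllInBound rule at 65500 catches whatever nothing else allowed. The Python model below is an added example, not Microsoft's code; the VirtualNetwork address space, the client addresses and the custom rules are constructed, and service tags are simplified to CIDR lists (the three default inbound rules and the 100-4096 custom priority range are Azure's real values).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# Constructed service-tag expansion for this example. Azure resolves tags itself;
# here VirtualNetwork is a made-up address space and AzureLoadBalancer is the
# well-known health-probe source 168.63.129.16.
SAMPLE_TAGS: Dict[str, List[str]] = {
    "VirtualNetwork": ["10.0.0.0/16"],
    "AzureLoadBalancer": ["168.63.129.16/32"],
}


@dataclass(frozen=True)
class NsgRule:
    name: str
    priority: int      # lower number is evaluated first; custom rules use 100-4096
    action: str        # "Allow" or "Deny"
    protocol: str      # "TCP", "UDP", "ICMP" or "*"
    source: str        # CIDR, single IP, "*" or a service tag name
    dest_ports: str    # "443", "80-81", "22,3389" or "*"


# The three default inbound rules Azure adds to every NSG.
DEFAULT_INBOUND_RULES: List[NsgRule] = [
    NsgRule("AllowVNetInBound", 65000, "Allow", "*", "VirtualNetwork", "*"),
    NsgRule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "AzureLoadBalancer", "*"),
    NsgRule("DenyAllInBound", 65500, "Deny", "*", "*", "*"),
]

# Constructed custom rules for the scenarios below: the Allow rule the questions
# call for, and a Deny rule with a lower number that would win over it.
ALLOW_HTTPS = NsgRule("AllowHTTPS", 400, "Allow", "TCP", "Internet", "443")
DENY_HTTPS = NsgRule("DenyHTTPS", 200, "Deny", "TCP", "*", "443")


def _source_matches(rule_source: str, src_ip: str, tags: Dict[str, List[str]]) -> bool:
    ip = ip_address(src_ip)
    if rule_source == "*":
        return True
    if rule_source == "Internet":
        # The Internet tag is everything outside the virtual network address space.
        return not any(ip in ip_network(c) for c in tags.get("VirtualNetwork", []))
    if rule_source in tags:
        return any(ip in ip_network(c) for c in tags[rule_source])
    return ip in ip_network(rule_source, strict=False)


def _port_matches(rule_ports: str, port: int) -> bool:
    if rule_ports == "*":
        return True
    for piece in rule_ports.split(","):
        if "-" in piece:
            lo, hi = (int(x) for x in piece.split("-"))
            if lo <= port <= hi:
                return True
        elif int(piece) == port:
            return True
    return False


def validate_rules(rules: List[NsgRule]) -> None:
    """Priorities must be unique per direction; custom rules must sit in 100-4096."""
    default_names = {d.name for d in DEFAULT_INBOUND_RULES}
    seen = set()
    for r in rules:
        if r.priority in seen:
            raise ValueError(f"duplicate priority {r.priority} ({r.name})")
        seen.add(r.priority)
        if r.name not in default_names and not 100 <= r.priority <= 4096:
            raise ValueError(f"priority {r.priority} out of range for custom rule {r.name}")


def evaluate_inbound(rules: List[NsgRule], src_ip: str, protocol: str, port: int,
                     tags: Dict[str, List[str]] = SAMPLE_TAGS) -> Tuple[str, str]:
    """Return (action, rule name) of the first matching rule in ascending priority order."""
    validate_rules(rules)
    for r in sorted(rules, key=lambda r: r.priority):
        if r.protocol not in ("*", protocol):
            continue
        if not _port_matches(r.dest_ports, port):
            continue
        if not _source_matches(r.source, src_ip, tags):
            continue
        return r.action, r.name   # processing stops at the first match
    raise ValueError("no rule matched; the default rules should always be present")


if __name__ == "__main__":
    rules = DEFAULT_INBOUND_RULES + [ALLOW_HTTPS]
    print(evaluate_inbound(rules, "203.0.113.5", "TCP", 443))   # Allow via AllowHTTPS
    print(evaluate_inbound(rules, "203.0.113.5", "TCP", 8080))  # Deny via DenyAllInBound
    print(evaluate_inbound(rules, "10.0.1.4", "TCP", 8080))     # Allow via AllowVNetInBound
    print(evaluate_inbound(rules + [DENY_HTTPS], "203.0.113.5", "TCP", 443))  # Deny via DenyHTTPS
```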
Question 59
• Azure Official Documentation | Name resolution for resources in Azure
virtual networks: This document details the order of precedence for DNS
settings (NIC over VNet) and how name resolution works with custom DNS
servers. It explains that when a custom DNS server is specified, all queries
from VMs in that VNet are directed to that server.
o Specific Section: "Name resolution using your own DNS server".
• Azure Official Documentation | Azure Private DNS zones scenarios: This
resource explains that for a VNet with a custom DNS server to resolve
records in a linked private zone, the custom server must have a conditional
forwarder pointing to Azure's DNS resolver (168.63.129.16). Since this is not
configured for Server1, clients using it cannot resolve records from the private
zone.
o URL: https://docs.microsoft.com/en-us/azure/dns/private-dns-scenarios
o Specific Section: "VNet with a custom DNS server".
Question 60
B. Add a gateway subnet to VNet1: A gateway subnet is only required for gateway transit,
an optional feature of VNet peering, not a prerequisite for establishing the peering
connection itself.
C. Create a subnet on VNet1 and VNet2: VNet peering is configured at the virtual network
level. The existence of subnets is not required to create the peering link between the two
VNets.
D. Configure a service endpoint on VNet2: Service endpoints provide secure connectivity to
Azure PaaS services and are unrelated to the process of peering two virtual networks
together.
Microsoft Azure Documentation - Virtual network peering - Constraints: "The virtual
networks you peer must have non-overlapping IP address spaces." This is the primary
constraint that must be met before peering can be created.
URL: https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview#constraints
Microsoft Azure Documentation - Create, change, or delete a virtual network peering: The
portal and CLI/PowerShell steps for creating a peering assume that the non-overlapping
address space requirement has already been met. If not, the operation will fail with an error.
URL: https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-manage-peering