AZ-104 Exam Preparation - Load Balancing

Questions and Answers

What should you set for session persistence to enable Sticky Sessions in Azure Load-Balancer?

Client IP and Protocol (correct)

Idle Time-out (minutes) to 20

Protocol to UDP

Health probe

NSG1 uses only the default rules.

True

NSG2 has a custom incoming rule allowing TCP on port 3389.

True

Before creating a load balancing rule for HTTPS traffic between VM1 and VM2, which two additional resources are needed?

A health probe

What type of public IP address SKU and assignment should you use for an Azure VPN gateway if it must connect to an on-premises database server?

A basic SKU and a dynamic IP address assignment

VM1 resolves to the IP address 131.107.3.3 in VNET1.

True

Fabrikam.com is a public DNS zone.

False

Which SKU should you deploy for an ExpressRoute gateway that supports up to 10 Gbps and FastPath?

ErGw3AZ

What should you deploy to ensure webapp1 can connect to an on-premises SMB share named Share1?

An Azure Virtual Network Gateway

What enables a virtual machine to forward traffic with a different source IP address?

IP forwarding

Azure Backup supports backup of 64-bit Windows 10 operating system.

True

Azure Backup supports backup of 64-bit Ubuntu Server operating system from Ubuntu 12.04.

True

Azure Backup supports backup of VMs that are shutdown or offline.

True

What should you create for Azure Monitor to send an email when CPU usage exceeds 80 percent for VM1?

An action group

What should you do first to protect VM3 and VM4 using Recovery Services?

Create a new Recovery Services vault

What is a Recovery Services vault?

A storage entity in Azure that houses backup data.

Does creating a metric on Network In and Network Out from Azure Monitor meet the goal of inspecting all network traffic from VM1 to VM2 for a period of three hours?

No

Does creating an inbound security rule that denies all traffic from the 131.107.100.50 source with a priority of 64999 ensure that connections to App1 can be established successfully?

No

What should you do first to create the peering between VNet1 and VNet2?

Modify the address space of VNet1

Which DNS names can you use to ping VM2 from VM1 if VNET1 is linked to a private DNS zone named contoso.com?

comp1.contoso.com, comp2.contoso.com, comp3.contoso.com, and comp4.contoso.com

Does setting the Startup type for the IPSec Policy Agent service to Automatic on Computer2 allow you to establish a point-to-site VPN connection to VNet1?

No

What should you configure to ensure that visitors are serviced by the same web server for each request in your Azure load balancer setup?

Session persistence to Client IP and protocol

Which public IP addresses can you use to create a public Azure Standard Load Balancer?

IP3 only

What should you configure on the AKS cluster to restrict network traffic between pods?

the Calico network policy

What are the correct answers for Azure Custom Script Extension? (Select all that apply)

Azure Custom Script Extension

What should you configure to ensure all traffic from VM1 to storage1 travels across the Microsoft backbone network?

A network security group (NSG)

Which tunneling protocol should you use for route-based Site-to-Site VPN connections?

IKEv2

Which subnet will the virtual machine VM1 be connected to after a test failover when VNET2 is specified?

TestSubnet1

What should you configure to ensure that visitors are serviced by the same web server for each request?

Session persistence to Client IP

What should you use to ensure that NGINX is available on all Azure virtual machines after deployment?

A Desired State Configuration (DSC) extension

Which port should you configure for inbound security rule to allow access to the virtual machines via Bastion1?

443

To which virtual networks can you deploy an Azure firewall named AF1?

VNET1 only

What is the minimum number of connection monitors you should deploy to monitor connectivity between the virtual machines and the on-premises network?

2

What should you configure to manage outbound traffic from VNET1 using Firewall1?

Create a route table.

Which resources can be protected by using Bastion1?

VM1 only

What should you do to prevent VM1 from accessing VM2 on port 3389?

Create a network security group (NSG) that has an outbound security rule to deny destination port 3389 and apply it to the network interface of VM1.

What is the minimum number of Bastion hosts required for secure RDP connections to the virtual machines?

3

What should you use to ensure that NGINX is available on all the virtual machines after they are deployed in a scale set?

A Desired State Configuration (DSC) extension

What should you configure for an Azure container instance to set up DNS name label scope reuse?

The public networking type

Which setting should you change to ensure that an Azure container instance can use private networking when the option is unavailable?

Networking type

Which virtual machines can you back up by using Azure Backup?

VM1, VM2, VM3 and VM4

To which virtual machines can you connect through Bastion1?

VM1 and VM2 only

You have five Azure virtual machines that run Windows Server 2016. What should you configure to ensure that visitors are serviced by the same web server for each request?

Session persistence to Client IP and protocol

What should you do first to ensure Bastion1 can support 100 concurrent SSH users minimizing administrative effort?

Upgrade Bastion1 to the Standard SKU

What should you configure to ensure that visitors are serviced by the same web server for each request?

Session persistence to Client IP and protocol

Which IP addresses can you use when deploying an Azure Bastion Basic SKU host named Bastion1?

IP1 and IP2 only

What should you configure to support the same web server for different requests on Azure load balancer LB1?

Session persistence to Client IP

To enable multi-user authorization (MAU) for a Recovery Services vault named Vault1, which resource should you create first?

A resource guard

What should you configure to ensure that all traffic from VM1 to storage1 travels across the Microsoft backbone network?

Service endpoints

What should you use to ensure that NGINX is available on all the virtual machines after deployment in a scale set?

A Desired State Configuration (DSC) extension

What should you use to ensure that NGINX is available on all the virtual machines after deployment with an Azure Resource Manager template?

Azure Custom Script Extension

Does creating an inbound security rule allowing any traffic from AzureLoadBalancer source and has a priority of 150 meet the goal for establishing connections to App1 from a specific IP?

True

What should you do first to enable Desired State Configuration for VM1?

Connect to VM1

Which resources can be protected by Bastion1 in the provided Azure subscription scenario?

VM1 only

What configuration should be set on the Azure load balancer to ensure that web server visitors are serviced by the same instance for each request?

Session persistence to Client IP and protocol

What additional configuration is needed on Azure load balancer LB1 to maintain the same web server servicing for various client requests?

Configure session affinity

Which IP address assignment is appropriate for creating a public Azure Standard Load Balancer?

A static public IP address

What initial step should be taken to ensure Bastion1 can support a high number of concurrent SSH users?

Configure network security groups appropriately

What setting should you use on an Azure load balancer to maintain session persistence based on the client's IP address?

Configure session persistence to Client IP.

If you want to ensure NGINX is deployed on multiple Azure virtual machines in a scale set, which command should you use?

Use the Publish-AzVMDscConfiguration cmdlet.

What are the SKUs available for ExpressRoute virtual network gateways?

Standard, HighPerformance, UltraPerformance, ErGw1Az, ErGw2Az, ErGw3Az.

What should you avoid configuring if you want to ensure an Azure load balancer does not failover to another server?

Avoid setting the Floating IP (direct server return) to Enabled.

In the context of NSG rules, what does a higher priority for a rule imply?

A higher priority means that the rule will be evaluated first and can override other rules with lower priority values.

Which type of Azure load balancer configuration would you use if you aim to establish a distinct server return for each request without persistence?

Use Session persistence set to None.

How does the default rule for NSGs impact communication if no explicit block exists?

The default rules allow communication, meaning traffic can flow unrestricted between allowed sources and destinations.

What is the primary purpose of the Azure load balancer when configuring web servers?

To distribute traffic evenly among the web servers.

To ensure the effective deployment of software across Azure VMs, what infrastructure should be utilized?

Use an Azure Resource Manager template.

What is the significance of the CIDR notation 10.10.2.0/24 in the context of inbound security rules?

CIDR notation defines a subnet, specifying a range of IP addresses for which the inbound rule applies.

In what scenario would you enable UDP protocol in Azure load balancer settings?

When session persistence is not required and real-time traffic like gaming is used.

What happens if an inbound rule in an NSG is designed to block certain VM communications?

If the rule is prioritized appropriately, it will prevent traffic between the specified source and destination, enforcing security.

What deployment strategy ensures that Azure virtual machines automatically install specific software like NGINX post-launch?

Implement Desired State Configuration (DSC).

What role do security groups (NSGs) play in managing traffic in Azure virtual networks?

NSGs control inbound and outbound traffic to network interfaces and subnets, enhancing security.

Can ExpressRoute gateways improve site-to-site VPN performance?

Yes, ExpressRoute offers a dedicated connection, enhancing performance compared to public Internet connections.

What is the importance of understanding network traffic routing for Azure virtual machines?

Understanding traffic routing ensures that VMs communicate effectively with each other and external networks while maintaining security.

What does enabling IP forwarding on a network interface allow the virtual machine to do?

It allows the virtual machine to receive and send network traffic not destined for its assigned IP addresses.

How does routing need to be configured on a virtual machine for it to use multiple network interfaces effectively?

Routing must be enabled on the virtual machine to handle traffic across its multiple network interfaces correctly.

What must be applied to Subnet1 and Subnet2 for RT1 to be effective?

RT1 must be applied to both Subnet1 and Subnet2 to enable the defined routing rules for those subnets.

In Azure, what happens if no rules explicitly block communication between two virtual machines on the same subnet?

Default rules are applied, which allow communication between the virtual machines.

What happens when IP forwarding is not enabled on a network interface?

The virtual machine cannot receive or send traffic not meant for its assigned IP addresses.

What is the significance of enabling IP forwarding for every network interface attached to a virtual machine?

It is crucial for allowing the VM to forward traffic that it needs, regardless of the number of interfaces it has.

Why is it important to configure routing on VM3 when it has IP forwarding enabled?

Configuring routing on VM3 ensures proper management and direction of network traffic through its multiple interfaces.

What do default network security rules in Azure generally allow regarding communication between virtual machines?

They typically allow full communication between virtual machines within the same subnet unless explicitly restricted.

What must you configure in Azure to ensure that VNet1 and VNet2 traffic uses the Microsoft backbone network?

You should configure an ExpressRoute.

Which configuration allows Azure Bastion to support file uploads and downloads while minimizing address usage?

Configure Azure Bastion in a single shared subnet with sufficient capacity.

What is required to allow secure remote access to virtual machines in VNet1 through Azure Bastion?

You need to configure an Azure Bastion host.

What is the benefit of using VNet peering among virtual networks in Azure?

VNet peering allows seamless connectivity between virtual networks with low latency.

For connecting various Azure VNets with efficient data flow, which service should you consider aside from VNet peering?

You can consider using Azure VPN Gateway.

Match the ExpressRoute virtual network gateway SKUs with their supported capabilities:

Standard = Basic connectivity HighPerformance = Up to 1 Gbps bandwidth UltraPerformance = Supports up to 10 Gbps with FastPath ErGw1Az = High availability for small workloads

Match the inbound security rule configurations with their effects:

NSG1 = Allows TCP port 1433 from Subnet2 to Subnet1 NSG2 = Blocks TCP port 1433 from VM2 to VM1 Default Rules = Allow communication unless explicitly blocked Higher Priority Rule = Takes precedence over lower priority rules

Match the components of a virtual network with their descriptions:

VNET1 = The primary virtual network containing subnets Subnet1 = Location for VM1 Subnet2 = Location for VM2 and VM3 Network Security Group (NSG) = Used to control traffic to and from network interfaces

Match the following Azure services with their functions:

ExpressRoute = Establishes private connections to Azure Network Security Group (NSG) = Filters network traffic to resources Azure Monitor = Collects and analyzes telemetries Azure Backup = Provides backup capabilities for VMs

Match the Azure resources with their primary usages:

VM1 = Database server VM2 = Application server Bastion1 = Provides secure RDP/SSH access Recovery Services Vault = Manages backups for Azure resources

Match the Azure network configurations with their traffic flow characteristics:

Allow Rule = Permits traffic based on source/destination Deny Rule = Blocks traffic from specific sources/ports Default Security Rules = Allow all inbound traffic unless specified Higher Priority Deny Rule = Overrides Allow Rule if conflicting

Match the following Azure load balancer configurations with their purposes:

Floating IP (direct server return) Enabled = Allows multiple IP addresses to point to the same virtual machine Floating IP (direct server return) Disabled = Enables session persistence for clients Health Probe = Checks the health of the backend instances Session Persistence = Keeps user sessions on the same VM across requests

Match the following components of an Azure virtual network with their descriptions:

VPN Gateway = Establishes secure connections to on-premises networks Subnets = Divides a virtual network into smaller address spaces Virtual Appliance = Provides routing or security layer functions Network Security Group (NSG) = Controls inbound and outbound traffic to resources

Match the types of Azure virtual machines with their specifications:

Windows Server 2016 = Supports various enterprise applications Ubuntu Server 18.04 = Popular choice for developers and cloud-native apps Azure Kubernetes Service (AKS) = Orchestrates containerized applications General-purpose VM = Balancing of CPU and memory usage

Match the following Azure resources with their main functionality:

Recovery Services Vault = Stores backup copies for recovery Azure Bastion = Enables secure RDP and SSH access to VMs Azure Load Balancer = Distributes network traffic across multiple servers ExpressRoute Gateway = Facilitates private connections between on-premises and Azure

Match the Azure monitoring tools with their respective features:

Azure Monitor = Tracks performance and availability metrics Network Watcher = Monitors and diagnoses network health Azure Security Center = Provides security recommendations Log Analytics = Aggregates and analyzes log data

Match the following Azure security features with their uses:

NSG Custom Rules = Allows or denies traffic based on specified criteria Application Security Group = Groups VMs for easier management of network security rules IP Forwarding = Enables a VM to forward traffic to other destinations Azure Policy = Enforces organizational standards and assesses compliance

Match the following types of IP addresses used in Azure with their characteristics:

Public IP Address = Can be accessed over the internet Private IP Address = Used for internal network communication within Azure Dynamic IP Address = Assigned automatically and can change upon VM restart Static IP Address = Manually assigned and does not change

Match the following Azure concepts with their definitions:

Virtual Network (VNet) = A private network in Azure for resource communication Scalability = The ability to increase resources based on demand Failover = Automatically shifting to a standby system in case of failure High Availability = Ensures a service remains operational and accessible

Match the following Azure connectivity options with their descriptions:

Site-to-Site VPN = Connects on-premises networks to Azure Point-to-Site VPN = Enables individual clients to connect to Azure ExpressRoute = Provides a dedicated private connection to Azure Azure Virtual Network Peering = Allows connectivity between two virtual networks in Azure

Match the following Azure backup types with their characteristics:

Storage Backups = Protects data in Azure storage accounts VM Backups = Protects entire Azure virtual machines File Backups = Covers specific files or folders within VMs Application Backups = Ensures data consistency for applications running in Azure

Match the Azure service with its primary functionality:

Azure Virtual Network = Facilitates secure communication between virtual machines and services Azure Bastion = Provides secure RDP and SSH connectivity Azure Backup = Protects data and applications by backup Azure Monitor = Tracks the performance and health of Azure resources

Match the Azure networking concept with its description:

IP Forwarding = Allows a network interface to receive traffic not destined for its IPs Route Tables = Defines how network traffic is directed within subnets Network Security Groups (NSGs) = Controls inbound and outbound traffic to network interfaces Subnets = Segments a virtual network into smaller address spaces

Match the Azure product with its deployment scenario:

ExpressRoute = Provides dedicated private connections VPN Gateway = Establishes secure site-to-site connections Load Balancer = Distributes traffic among virtual machines Application Gateway = Handles web application firewall capabilities

Match the Azure resource with its required settings:

Public IP Address = Needed for internet routing to Azure resources Recovery Services Vault = Stores backup data for Azure resources Azure Firewall = Manages and logs network traffic Private DNS Zone = Resolves domain names for internal resources

Match the route configuration with its purpose:

User-defined routes = Custom routes that override default Azure routes Default routes = System-generated paths for outgoing traffic BGP routes = Dynamic routing paths based on Border Gateway Protocol Peering routes = Connects traffic between virtual networks

Match the Azure monitoring feature with its functionality:

Alerts = Notifies users of critical issues in the environment Metrics = Tracks and analyzes performance data Logs = Records events for analysis and troubleshooting Dashboards = Provides a visual representation of resource health

Match the Azure compliance concept with its definition:

Data residency = Ensures data is stored within specified geographical locations Regulatory compliance = Adherence to laws and guidelines for data management Information protection = Security measures to safeguard sensitive data Identity and access management = Controls user access to resources

Match the Azure solution with its scenario:

Azure CDN = Speeds up the delivery of web content Azure Load Balancer = Scales and balances network traffic Azure App Service = Hosts web applications and APIs Azure Logic Apps = Automates workflows between services

Match the Azure components with their respective functionalities:

Recovery Services Vault = Backup and restore services for Azure resources Network Security Group (NSG) = Filter network traffic to and from Azure resources Azure Bastion = Securely connect to virtual machines via RDP/SSH Azure Load Balancer = Distribute network traffic across multiple servers

Match the Azure virtual machine features with their purposes:

Scalability = Ability to handle varying loads by adding/removing resources High Availability = Ensuring service continuation during failures Disaster Recovery = Restoration of services after an outage Static IP Address = IP address that does not change over time

Match the Azure DNS records with their types:

A Record = Maps a domain name to an IP address CNAME Record = Alias or nickname for a domain name MX Record = Mail exchange server for domain emails PTR Record = Maps an IP address to a domain name

Match the Azure VPN types with their characteristics:

Point-to-Site VPN = Connects individual clients to Azure resources Site-to-Site VPN = Connects entire networks to Azure ExpressRoute = Dedicated private connection to Azure Policy-Based VPN = Uses static routing to enforce traffic rules

Match the Azure backup types with their purposes:

File Backup = Backup specific files and folders VM Backup = Backup entire virtual machines Application Backup = Backup applications and their data System State Backup = Backup critical system settings and files

Match the Azure security features with their functions:

Role-Based Access Control (RBAC) = Manage user access to Azure resources Azure Firewall = Control outbound and inbound traffic Azure Security Center = Monitor and improve security posture Application Gateway = Manage web traffic through a firewall

Match the Azure services with their primary use cases:

Azure Functions = Run serverless code without managing servers Azure Kubernetes Service = Orchestrate containerized applications Azure Logic Apps = Automate workflows between apps and services Azure Data Lake = Store and analyze large amounts of data

Match the Azure storage types with their attributes:

Blob Storage = Unstructured data storage for large amounts of data File Storage = Fully managed file shares in the cloud Queue Storage = Store large numbers of messages for cloud applications Table Storage = NoSQL key-value storage for structured data

Match the Azure components with their primary function:

Recovery Services vault = Houses backup data for Azure services Azure Monitor = Tracks performance metrics and sends alerts Azure Load Balancer = Distributes incoming traffic across multiple VMs Azure Storage Account = Stores data in the cloud

Match the Azure services with their appropriate operational tasks:

VM Backup = Recover data from the Recovery Services vault Application Insights = Monitor application performance Network Security Group = Control inbound and outbound traffic Azure Firewall = Manage and filter network traffic

Match the email notification settings with their functionalities:

Action Group = Collection of notification preferences Alert Rule = Defines criteria for sending notifications Signal = Specific metric being monitored Email Notification = Alert sent to users via email

Match these Azure VM settings with their descriptions:

Sticky Sessions = Ensures users connect to the same server Automatic Startup = Service start type configuration Public IP Address SKU = Determines IP attributes for services NSG Rules = Control access to Azure resources

Match the Azure infrastructure components with their specific roles:

Virtual Machine = Computing resource in Azure Virtual Network = Network layer for resources Bastion Host = Provides secure RDP connections ExpressRoute Gateway = Establishes private connection to Azure

Match the backup policies with their appropriate functionalities:

Azure Backup = Backs up VM and file data Recovery Services Vault = Stores backup instances Backup Policy = Defines backup time and retention specified Multi-user Authorization = Enhances backup operation security

Match the Azure monitoring strategies with their purposes:

Connection Monitor = Checks connectivity between resources Metrics Alerts = Triggers alerts based on metric thresholds Log Analytics = Analyzes and queries log data Email Alerts = Notifies users on performance issues

Match the Azure features with their key benefits:

Auto-scaling = Adjusts resources based on demand Geo-replication = Copies data across geographic locations Load balancing = Distributes loads effectively Disaster recovery = Ensures business continuity during failures

Study Notes

Azure Load Balancer and Network Configuration

• Load balancing of HTTPS connections requires defining appropriate load balancer rules and configuring backend pools.
• Effective monitoring of network traffic in Azure utilizes Azure Monitor, but merely creating metrics on Network In and Out is insufficient for full inspection.
• For connections to an app running on Azure VMs, ensure security configurations allow traffic through. Denial rules must align with desired access, otherwise, connections will fail.

Azure Virtual WAN and Connectivity

• Establishing connectivity between on-premises sites via Azure Virtual WAN necessitates a series of specific configuration steps in the correct order.
• Peering of virtual networks requires non-overlapping IP address spaces; ensure modifications are made to avoid conflicts.

Azure DNS and Name Resolution

• Private DNS zones enable seamless name resolution for VMs; specific DNS names must be validated based on linked records to successfully ping target VMs.
• When resolving hosts in a private DNS zone, ensure all relevant records are correctly configured to allow communication.

Network Security and Access Control

• Network Security Groups (NSGs) control inbound and outbound traffic. When configuring NSGs, least privilege principles should be applied to allow only necessary traffic.
• Point-to-Site VPN connections necessitate client certificates for successful authentication. Install client certificates to maintain secure connections.

Session Persistence and Sticky Sessions

• Azure Load Balancer can maintain session persistence to ensure that clients are routed to the same server during a session, typically done through Client IP and protocol settings.
• For a consistent user experience, particularly for web applications, utilize session persistence configurations.

Public IP and Standard Load Balancer Compatibility

• Matching SKUs between public IP addresses and Standard Load Balancers is crucial; mixing Basic and Standard SKUs is not permitted in configurations.

Kubernetes Network Policies

• Restricting network traffic between pods in Azure Kubernetes Service (AKS) can be achieved through Calico network policies to enforce desired traffic controls.

Routing and Traffic Management

• Traffic routing through specific appliances or virtual machines in Azure is configurable via defined routing tables, ensuring that inbound traffic is correctly directed.

Remote Connectivity Configurations

• Ensure that Remote Desktop connections to Azure VMs are properly configured with necessary NSGs that permit inbound traffic on relevant ports.### NSG Rules and Virtual Machines
• NSG2 has a custom incoming rule allowing TCP traffic on port 3389 from any source to any destination.
• NSG1 is linked to Subnet1 and NSG2 is associated with VM2's network interface.

Load Balancing in Azure

• A load balancing rule for HTTPS traffic between VM1 and VM2 requires two additional resources:
  • A frontend IP address
  • A backend pool
• Inbound NAT rules, virtual networks, or health probes are not essential for this specific setup.

VPN Gateway Configuration

• When connecting an Azure VPN gateway for site-to-site VPN, use:
  • Basic SKU with dynamic IP assignment is supported for gateways.
• Essential for enabling virtual machines to connect to on-premises resources like a database server.

DNS and Virtual Networks

• Azure virtual networks can leverage Azure Private DNS zones with automatic record creation for linked VMs.
• Cross-VNET communication relies on accurate DNS configurations and peering.
• Custom DNS servers can restrict DNS lookup capabilities if misconfigured.

ExpressRoute Gateway Deployment

• To support up to 10 Gbps traffic with availability zones and FastPath, deploy the ErGw3Az SKU.
• Ensure that the chosen SKU aligns with organizational needs for performance and cost.

Route Tables and IP Forwarding

• IP forwarding allows VMs to receive traffic not destined for their IP addresses, enhancing routing flexibility.
• Route tables can facilitate or restrict connectivity between virtual machines based on defined routes.

Secure SMB Share Access

• To connect an Azure web app to an on-premises SMB share, deploy an Azure Virtual Network Gateway for a Site-to-Site VPN connection.

Automating Application Deployment

• For deploying NGINX across multiple Windows Server VMs in a scale set, utilize the Azure Custom Script Extension.
• Custom scripts facilitate the installation and configuration of applications post-deployment.

Ensuring Traffic across Microsoft Backbone

• Configure a network security group (NSG) for controlling traffic routes between VMs and Azure storage.

VPN Tunneling Protocol

• For route-based Site-to-Site VPN connections, IKEv2 is the recommended protocol, offering enhanced security and connection capabilities.

Azure Site Recovery and Subnet Connections

• In the event of a test failover of a VM, it will link to the specified subnet in the target virtual network, ensuring continuity and network segmentation.### Load Balancing with Azure
• To ensure consistent service from the same web server for each visitor request, configure session persistence to Client IP.
• Configuring a health probe is also necessary to monitor the availability and performance of the web servers behind the load balancer.

Azure Virtual Machine Scale Sets

• Deploy NGINX across virtual machines consistently by utilizing a Desired State Configuration (DSC) extension via Azure Resource Manager templates.

Azure Bastion Configuration

• For Azure Bastion access to virtual machines, configure network security group (NSG) inbound rules allowing port 443 for secure communications.
• Azure Bastion Basic SKU can support users via public IP addresses that fall under specific criteria.

Connection Monitoring

• Minimum connection monitors needed to track connectivity between multiple Azure virtual machines and an on-premises network is two.

DNS Resolution in Azure

• When migrating an on-premises Active Directory to Azure, ensure the domain controller (DC) can resolve AD DS DNS names for member servers.

Strengthening Network Security

• To prevent specific virtual machines from accessing others through remote desktop protocol (RDP), implement an NSG rule denying outbound traffic on port 3389.

Azure Network Management

• For managing outbound traffic from virtual networks using an Azure Firewall, creating a route table is a fundamental first step.
• Azure Bastion can protect specific resources within the same virtual network to facilitate secure access.

Scaling Azure Bastion

• Upgrade to Standard SKU if the goal is to support up to 100 concurrent SSH users with minimal administrative work.

Correct Configuration for Persistent Sessions

• Session persistence can also be achieved by setting it to Client IP alongside ensuring the load balancer protocol aligns with application requirements.

Key Practice Questions

• Understand the function of protocol types such as UDP in the context of Azure load balancers for specific scenarios.
• Familiarize with the rights and responsibilities of Azure subscription resources, including which virtual networks can support specific deployments, like firewalls.

Using Azure Tools

• For establishing Remote Desktop connections, specific sequences must be followed using Azure PowerShell and the Azure Command-Line Interface (CLI) to ensure connections are correctly authorized and secured.

ExpressRoute Virtual Network Gateways

• Several SKUs are available for ExpressRoute virtual network gateways: Standard, HighPerformance, UltraPerformance, ErGw1Az, ErGw2Az, ErGw3Az.

Network Security Groups (NSG)

• NSG1 allows TCP port 1433 from Subnet2 (10.10.2.0/24) to Subnet1 (10.10.1.0/24).
• NSG2 blocks TCP port 1433 from VM2 (10.10.2.5) to VM1 (10.10.1.5).
• NSG1 has a higher priority than NSG2, allowing communication from VM2 to VM1.
• Default rules permit communication unless explicitly blocked by rules in the NSGs.

Virtual Network Configuration

• Subscription1 contains a virtual network named VNet1, including two subnets.
• VM3 has multiple network adapters, with IP forwarding and routing enabled.
• Route table RT1 is applied to Subnet1 and Subnet2, facilitating controlled traffic routing.

Azure Load Balancer

• For consistent visitor servicing by the same web server, configure session persistence to Client IP.
• UDP protocol is not suitable for session persistence requirements.

NGINX Deployment in VM Scale Sets

• Use Azure Resource Manager templates for deploying Windows Server 2019 VMs in a scale set to ensure NGINX is available on all instances.

Azure Bastion Host

• Azure Bastion can protect specific resources, including virtual machines within the same virtual network.
• VMs can utilize Bastion for secure connections without needing public IP addresses.

Peering and Traffic Configuration

• Ensure all traffic between VNets traverses Microsoft’s backbone network by configuring ExpressRoute.
• VNet1 can potentially peer with other virtual networks based on connectivity configurations.

Key Community Insights

• Community voting indicates a strong preference for certain configurations, such as 93% support for a specific answer about VM routing.

Understanding Network Interfaces

• IP forwarding allows a VM network interface to receive traffic not aimed at its assigned IP addresses.
• Each interface needing to forward traffic must have IP forwarding separately enabled for proper functionality.

Azure Networking and Security

• Network Security Group (NSG): Controls inbound and outbound traffic to Azure resources. Essential for applying the principle of least privilege.

• Pinging Between VMs: To enable VM1 to ping VM2, appropriate NSG rules must be configured, highlighting the need for tailored network security settings.

• Routing Tables: Created to manage traffic flow in Azure. Routing in Azure can direct inbound traffic through specific virtual appliances like routers.

• Load Balancer Configuration: To ensure user requests are consistently served by the same web server, use features like session persistence.

Azure Virtual Machines and Subnets

• Virtual Network (VNet): A fundamental building block in Azure that allows for the creation of isolated network environments within the Azure cloud.

• IP Forwarding: Enables a virtual machine to receive and send traffic not meant for its assigned IP addresses. Must be enabled for each network interface that forwards traffic.

• Virtual Appliances: These can act as routers, affecting routing tables. Proper configuration is crucial for efficient traffic management.

Azure Backup and Monitoring

• Recovery Services Vault: A cloud storage solution for backing up and managing data across Azure services. Essential for data protection and recovery strategies.

• Monitor Azure Storage Accounts: Requires configuring alert rules and action groups to effectively track and respond to storage conditions or changes.

General Exam Strategy

• Focus on understanding Azure concepts and configurations related to virtual networking, security groups, load balancers, and monitoring tools.

• Practice scenario-based questions to familiarize with predictably configuring Azure resources while adhering to best practices.

Description

Prepare for the AZ-104 exam with this quiz focused on load balancing HTTPS connections in Azure. Test your knowledge on configuring resources like virtual machines and load balancers. Enhance your understanding of Azure subscription management and resource distribution.