ANSWERS GRADED A+
✔✔What extension should be enabled for Azure Scale sets to auto scale based on in-guest
virtual machine metrics?
a. Azure Diagnostics Extension
b. Azure DCS Extension
c. Azure VM Extension
d. Azure Custom Script Extension - ✔✔a. Azure Diagnostics Extension
Automatic scaling can only be done if metrics collection is successful on each virtual
machine in the scale set. The Azure Diagnostics Extension provides the monitoring and
diagnostics capabilities that meet the metrics collection needs of the autoscale
resource.
✔✔Your application requires a high number of IOPS to satisfy minimum performance
thresholds. You have selected Premium disks, and are now reviewing replication
options. Which replication options offer the most redundancy, based on your selection of
Premium disks?
a. LRS
b. GRS
c. RA-GRS
d. ZRS - ✔✔a. LRS
Azure Premium Disk Storage currently supports only locally redundant storage (LRS).
Block blob storage accounts support locally redundant storage (LRS) and zone
redundant storage (ZRS) in certain regions.
✔✔Your organization wants to secure customer personal data stored within your Azure
Virtual Machine (VM) environment. You suggest Azure Disk Encryption, which is an
option available to both Linux and Windows VMs. While the encryption process is
actually pretty straightforward, and is as easy as deploying a VM extension in
PowerShell, what is one caveat to the process that adds a level of complexity?
a. BitLocker enabled and Azure Backup Service are mutually exclusive processes.
b. BitLocker is ineffective at encrypting the operating system.
c. A mechanism must be in place to manage the encryption keys for the encrypted
disk.
d. The process of creating the encryption keys is complex. - ✔✔The one caveat to the
BitLocker process that adds a somewhat difficult level of complexity is managing the
encryption keys that go along with encrypting your disk. After all, if you lock something
away, someone has to keep track of the keys to reopen it. The good news is Azure
provides what is called the Azure Key Vault service which is used to help you manage
and control your disk-encryption keys and secrets used by cloud applications and
services.
✔✔A company is planning to deploy a set of web servers and database servers. They
want to ensure high availability through availability sets. Which of the following is the
recommended design practice to use?
a. Place the web servers and database servers in the same availability set.
b. Place half of the web servers and half of the database servers in one availability set,
and the other half in another availability set.
c. Place all the web servers in one availability set and the database servers in another
availability set.
d. Have an availability set for each web server and database server. - ✔✔The best
design practice when it comes to availability sets is to place the servers which serve the
same purpose in one availability set. So application servers and web servers should be
placed in their own availability sets. This ensures that each tier in your application will
have at least one virtual machine running at any point in time.
✔✔Which of the following is not part of the default metrics for Azure Virtual machines
when using the Azure Monitor service?
a. PercentageCPU
b. Disk Read Bytes
c. Memory Consumed
d. Network Out - ✔✔c. Memory Consumed
The following are the valid metrics available for the Microsoft.Compute/virtualMachines
resource:
Percentage CPU - The percentage of allocated compute units that are currently in use
by the virtual machine(s)
Disk Read Bytes - Total bytes read from disk during monitoring period
Network Out - The number of bytes out on all network interfaces by the virtual
machine(s) (Outgoing Traffic)
Even though memory consumption is not one of Azure Monitor's default metrics, you
can always use the diagnostic extension available for virtual machines to pick up the
memory consumption metrics.
✔✔Your IT landscape in Azure consists of both Linux and Windows virtual machines.
You configured consistent backup of Windows VMs with Azure Backup using Volume
Shadow Copy Service (VSS). Now you want to configure application consistent backup
on the Azure Linux virtual machines. What statement below about Azure Backup on
Linux virtual machines is correct?
a. Linux has built-in VSS that Azure Backup agent can utilize.
b. Linux does not require any additional configuration since backup is done
transparently for the application.
c. Using Azure Backup on Linux requires custom pre- and post-scripts to complete
application consistent backup.
d. Azure Backup provides scripts for open source operating systems like Linux. - ✔✔c.
Using Azure Backup on Linux requires custom pre- and post-scripts to complete
application consistent backup.
Azure Backup relies on a framework that executes pre- and post-scripts, which
ensures that the application is consistent during every backup.
✔✔Which of the following choices are true about Azure Storage encryption at rest?
(Choose 2 answers)
a. Azure Storage encryption is two-way encryption with asymmetric keys.
b. Azure Storage encryption is managed transparently by Azure.
c. Azure Storage encryption is one-way encryption with asymmetric keys.
d. Azure Storage encryption is two-way encryption with symmetric keys. - ✔✔Azure
Storage encryption uses two-way symmetric keys and is managed transparently by Azure,
and thus both parties have access to the secret key, hence the symmetric nature.
Asymmetric key encryption (such as public/private key cryptography) is not valid in
Azure Storage encryption.
✔✔Which statement regarding Azure Network Watcher's IP Flow Verify is correct?
a. It can test packet flow between any two Azure endpoints.
b. It checks network security group for any rule(s) that deny the connection.
c. It reviews all NSG rules associated with either connection endpoint.
d. It verifies both directions of traffic simultaneously. - ✔✔b. It checks network security
group for any rule(s) that deny the connection.
IP Flow Verify tests if packets flow between a VM and a second endpoint only. It checks
for any NSG rules which deny the connection. It only reviews one direction at a time,
and for NSG rules associated with one connection point at a time.
✔✔You have successfully containerized your application within an Azure Container
Registry, created an image of your application and pushed it into the container registry.
You have also created an AKS cluster. Now you want to deploy the containerized
application onto your AKS cluster. Which three steps do you need to complete?
(Choose 3 answers)
a. Get credentials to authenticate kubectl commands sent to the Kubernetes cluster.
b. Create a manifest file declaring the required Kubernetes resources.
c. Create the resources in the cluster