Try 10 focused AZ-104 questions on Configure and Manage Virtual Networking, with explanations, then continue with IT Mastery.
| Field | Detail |
|---|---|
| Exam route | AZ-104 |
| Topic area | Configure and Manage Virtual Networking |
| Blueprint weight | 25% |
| Page purpose | Focused sample questions before returning to mixed practice |
Use this page to isolate Configure and Manage Virtual Networking for AZ-104. Work through the 10 questions first, then review the explanations and return to mixed practice in IT Mastery.
| Pass | What to do | What to record |
|---|---|---|
| First attempt | Answer without checking the explanation first. | The fact, rule, calculation, or judgment point that controlled your answer. |
| Review | Read the explanation even when you were correct. | Why the best answer is stronger than the closest distractor. |
| Repair | Repeat only missed or uncertain items after a short break. | The pattern behind misses, not the answer letter. |
| Transfer | Return to mixed practice once the topic feels stable. | Whether the same skill holds up when the topic is no longer obvious. |
Blueprint context: 25% of the practice outline. A focused topic score can overstate readiness if you recognize the pattern too quickly, so use it as repair work before timed mixed sets.
These questions are original IT Mastery practice items aligned to this topic area. They are designed for self-assessment and are not official exam questions.
Topic: Configure and Manage Virtual Networking
You manage a web VM behind an NSG. Internet HTTPS access fails. Azure Network Watcher IP flow verify returns:
```text
Flow state : Blocked
Direction  : Inbound
Protocol   : TCP
Source     : 203.0.113.5:443
Destination: 10.0.1.4:443
Rule name  : DenyAllInBound
Priority   : 65500
```
The site must be reachable over HTTPS from any internet client. Direct RDP from the internet is not allowed; admins use Azure Bastion.
Which of the following NSG configurations should you AVOID? (Select THREE.)
Options:
A. Add an inbound rule “AllowHTTPS” with priority 100 that allows TCP 443 from Any source to the VM’s private IP; keep the other NSG rules unchanged.
B. Disassociate the NSG from the subnet so Azure Network Watcher will no longer report DenyAllInBound for HTTPS traffic.
C. Add an inbound rule “AllowAllInternet” with priority 100 that allows Any protocol from Any source to Any destination on Any port.
D. Add an inbound rule “AllowHTTPS” with priority 200 that allows TCP 443 from Any source to the web subnet; keep the existing DenyAllInBound rule.
E. Change the existing DenyAllInBound rule to action Allow instead of Deny so HTTPS is no longer blocked by the NSG.
Correct answers: B, C and E
Explanation: Azure Network Watcher IP flow verify shows which NSG rule decides a specific traffic flow. In this scenario, the HTTPS traffic from the internet to the VM is blocked by the default DenyAllInBound rule (priority 65500). To meet the requirement, you need to introduce a more specific allow rule for TCP 443 with a lower priority number (higher precedence) than 65500, while keeping the NSG as a protective layer and not exposing other ports such as RDP.
Safe configurations add a narrow allow rule for HTTPS only, above the deny-all inbound rule, and do not open up additional services or remove NSG protection. Unsafe configurations either disable or bypass the NSG entirely or introduce overly permissive rules that allow far more traffic than required, clearly violating Azure security best practices and the stated requirement to avoid direct RDP from the internet.
Topic: Configure and Manage Virtual Networking
Which THREE statements about Azure application security groups (ASGs) are correct from an administrator’s perspective? (Select THREE.)
Options:
A. ASGs let you group virtual machine network interfaces by application role and reference the group in NSG rules instead of individual IP addresses.
B. A single network interface can be associated with multiple ASGs at the same time.
C. When you add a VM’s network interface to an ASG, Azure automatically creates NSG rules to open the required ports for that VM’s workloads.
D. All network interfaces in the same ASG must be deployed in the same virtual network.
E. ASGs can be used as targets for Azure load balancer backend pools and for user-defined routes in route tables.
F. ASGs can directly contain both subnets and network interfaces so that NSG rules apply to entire subnets at once.
Correct answers: A, B and D
Explanation: Application security groups (ASGs) simplify network security rule management in Azure by letting you group network interfaces (typically of VMs) that share the same security requirements. Instead of writing NSG rules that reference individual IP addresses, you reference ASGs as the source or destination in NSG rules. This makes it easier to manage rules when IPs change or when you add or remove VMs.
ASGs are applied at the NIC level and are limited to a single virtual network. A NIC can be a member of multiple ASGs, which allows you to model roles and security zones flexibly. However, ASGs do not replace NSGs, they do not auto-generate rules, and they are not used for routing or load balancing; they are purely a construct for simplifying NSG rule targeting.
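The first-match-by-priority evaluation that IP flow verify reports in the first question, and the ASG-based rule targeting described above, can be modelled in a few lines. The following Python is an added illustration written for this page; it is not Azure's code and not part of the original practice items. It assumes a constructed VNet of 10.0.0.0/16, two constructed ASGs (web-asg containing 10.0.1.4, db-asg containing 10.0.2.4) and the constructed rule names AllowWebToSql and DenyVnetToSql; the addresses 10.0.1.4 and 203.0.113.5 come from the question, and 168.63.129.16 is the source address Azure uses for load balancer health probes. The three default inbound rules are simplified to the behaviour the page describes.

```python
"""Toy model of Azure NSG inbound rule evaluation, written for this page.
Not Azure's code: rules are matched lowest priority number first, as IP
flow verify does, against a constructed VNet and constructed ASG membership."""
import ipaddress
from dataclasses import dataclass

VNET = ipaddress.ip_network("10.0.0.0/16")                  # constructed VNet address space
LB_PROBE_IP = "168.63.129.16"                               # Azure health-probe source address
ASGS = {"web-asg": {"10.0.1.4"}, "db-asg": {"10.0.2.4"}}    # constructed ASG membership


@dataclass
class Rule:
    name: str
    priority: int
    protocol: str      # "TCP", "UDP" or "Any"
    source: str        # CIDR, "Any", "Internet", "VirtualNetwork", "AzureLoadBalancer", "asg:<name>"
    dest: str          # same forms as source
    dest_port: str     # "443", "1000-2000" or "*"
    action: str        # "Allow" or "Deny"


def _addr_matches(selector: str, ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    if selector in ("Any", "*"):
        return True
    if selector.startswith("asg:"):
        return ip in ASGS.get(selector[4:], set())
    if selector == "VirtualNetwork":
        return addr in VNET
    if selector == "AzureLoadBalancer":
        return ip == LB_PROBE_IP
    if selector == "Internet":
        return addr not in VNET and ip != LB_PROBE_IP
    return addr in ipaddress.ip_network(selector, strict=False)


def _port_matches(selector: str, port: int) -> bool:
    if selector in ("*", "Any"):
        return True
    lo, _, hi = selector.partition("-")
    return int(lo) <= port <= int(hi or lo)


# Simplified versions of the three default inbound rules every NSG carries.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Any", "VirtualNetwork", "VirtualNetwork", "*", "Allow"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Any", "AzureLoadBalancer", "Any", "*", "Allow"),
    Rule("DenyAllInBound", 65500, "Any", "Any", "Any", "*", "Deny"),
]


def ip_flow_verify(custom_rules, src_ip, dst_ip, dst_port, protocol="TCP"):
    """Return (action, rule name) of the first rule that matches the flow."""
    for rule in sorted(custom_rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if rule.protocol not in ("Any", "*", protocol):
            continue
        if (_addr_matches(rule.source, src_ip) and _addr_matches(rule.dest, dst_ip)
                and _port_matches(rule.dest_port, dst_port)):
            return rule.action, rule.name
    return "Deny", "(no rule matched)"   # unreachable while DenyAllInBound exists


# Candidate rule sets from the IP flow verify question (options A and C).
OPTION_A = [Rule("AllowHTTPS", 100, "TCP", "Any", "10.0.1.4", "443", "Allow")]
OPTION_C = [Rule("AllowAllInternet", 100, "Any", "Any", "Any", "*", "Allow")]

# Constructed ASG pair: only NICs in web-asg may reach db-asg on 1433. The deny
# sits below the allow but above the default AllowVnetInBound (65000).
ASG_RULES = [
    Rule("AllowWebToSql", 110, "TCP", "asg:web-asg", "asg:db-asg", "1433", "Allow"),
    Rule("DenyVnetToSql", 120, "TCP", "VirtualNetwork", "asg:db-asg", "1433", "Deny"),
]


def evaluate_options():
    """Return how each candidate NSG treats a set of representative flows."""
    internet, web_vm = "203.0.113.5", "10.0.1.4"
    return {
        "baseline_https": ip_flow_verify([], internet, web_vm, 443),
        "optionA_https": ip_flow_verify(OPTION_A, internet, web_vm, 443),
        "optionA_rdp": ip_flow_verify(OPTION_A, internet, web_vm, 3389),
        "optionC_rdp": ip_flow_verify(OPTION_C, internet, web_vm, 3389),
        "asg_member_sql": ip_flow_verify(ASG_RULES, "10.0.1.4", "10.0.2.4", 1433),
        "asg_outsider_sql": ip_flow_verify(ASG_RULES, "10.0.3.9", "10.0.2.4", 1433),
        "probe_on_8080": ip_flow_verify([], LB_PROBE_IP, web_vm, 8080),
    }


if __name__ == "__main__":
    for label, (action, rule) in evaluate_options().items():
        print(f"{label:18} {action:5} by {rule}")
```

Running it shows why option A is safe and option C is not: the narrow AllowHTTPS rule changes only the 443 verdict, and RDP on 3389 still lands on DenyAllInBound, whereas AllowAllInternet at priority 100 allows 3389 before the default deny is ever consulted. The ASG pair shows the point of the second question: a NIC that is a member of web-asg is allowed on 1433 while any other VNet address hits the explicit deny, without either rule naming an IP address.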
Topic: Configure and Manage Virtual Networking
You manage a single Azure virtual network named VNet1 (10.1.0.0/16) with two subnets:
- web-subnet (10.1.1.0/24), which contains WebVM
- db-subnet (10.1.2.0/24), which contains SqlVM

VNet1 DNS servers are configured to use 10.1.0.10, a working domain controller that can resolve corp.contoso.com.
WebVM’s network interface, however, has a custom DNS server setting of 10.1.0.4, which is a decommissioned DNS server.
An NSG named NSG-DB is associated with db-subnet. Its inbound rules include:
- an allow rule for RDP (TCP 3389)
- an allow rule for HTTP (TCP 80)
- the default DenyAllInBound rule

Your application on WebVM must connect to SqlVM using the FQDN sqlvm.corp.contoso.com over TCP 1433. Currently:
- nslookup sqlvm.corp.contoso.com from WebVM fails.
- Network Watcher reports the connection from WebVM to SqlVM on TCP 1433 as Deny (NetworkSecurityGroup).

You need to ensure that WebVM can resolve the SQL server name and connect to SqlVM over TCP 1433, while keeping inbound SQL access restricted to only web-subnet VMs.
Which of the following actions will meet these requirements? (Select TWO.)
Options:
A. Configure a user-defined route on web-subnet to send traffic destined for 10.1.2.0/24 to the Internet as the next hop.
B. On NSG-DB, add an inbound security rule that allows TCP port 1433 from the 10.1.1.0/24 source subnet (web-subnet) to the db-subnet.
C. Enable a service endpoint for Microsoft.Sql on db-subnet and remove NSG-DB from the subnet.
D. On the WebVM network interface, remove the custom DNS setting (10.1.0.4) so that WebVM inherits the VNet-level DNS server (10.1.0.10).
E. Create a private DNS zone for corp.contoso.com in Azure DNS and link it to VNet1, then add an A record for sqlvm pointing to SqlVM’s private IP.
F. Assign a public IP address to SqlVM and create an NSG rule that allows TCP 1433 from any source to that public IP.
Correct answers: B and D
Explanation: The scenario describes two clear issues preventing WebVM from connecting to SqlVM by FQDN over TCP 1433:
DNS misconfiguration on WebVM: The VNet is correctly configured to use a working DNS server at 10.1.0.10, but WebVM’s NIC overrides this with 10.1.0.4, a decommissioned DNS server. As a result, nslookup sqlvm.corp.contoso.com fails from WebVM.
NSG blocking SQL port 1433: The NSG attached to db-subnet (NSG-DB) allows only RDP and HTTP, followed by a default deny rule. Network Watcher shows the connection to SqlVM on port 1433 is denied by the NSG, so the required SQL traffic is blocked.
To fully meet the requirements, you must:
- restore name resolution on WebVM for corp.contoso.com, and
- allow TCP 1433 from web-subnet to SqlVM through NSG-DB.

Removing the NIC-level custom DNS entry on WebVM makes it inherit the VNet DNS (10.1.0.10), restoring proper name resolution. Adding a rule on NSG-DB to allow TCP 1433 from 10.1.1.0/24 (web-subnet) to SqlVM/db-subnet permits the application traffic while maintaining least-privilege network access.
Other options either break routing, overly expose the SQL server, or introduce unnecessary complexity without addressing the root misconfigurations described in the scenario.
Topic: Configure and Manage Virtual Networking
You manage a VNet 10.10.0.0/16. VM1 in subnet AppSubnet (10.10.1.0/24) must reach an on-premises network 10.50.0.0/16 over a VPN gateway, but all other traffic should use the default internet route. VM1-NIC Effective routes currently show only system routes. You will add a route table to AppSubnet.
Which TWO of the following actions should you AVOID? (Select TWO.)
Options:
A. Add a user-defined route on the AppSubnet route table with address prefix 10.50.0.0/16 and next hop type Virtual network gateway.
B. Add a user-defined route on the AppSubnet route table with address prefix 0.0.0.0/0 and next hop type Virtual network gateway.
C. Do not create any user-defined route for 0.0.0.0/0 so that the system default route to the internet remains visible in VM1-NIC Effective routes.
D. Enable Virtual network gateway route propagation on the AppSubnet route table so VPN-learned prefixes can appear in VM1-NIC Effective routes.
E. Add a user-defined route on the AppSubnet route table with address prefix 10.0.0.0/8 and next hop type None (blackhole).
Correct answers: B and E
Explanation: Effective routes on a network interface show the final set of routes Azure will use after combining system routes, BGP-learned routes, and any user-defined routes (UDRs) from associated route tables. User-defined routes have higher precedence than system routes for the same prefix length, and Azure always selects the most specific prefix (longest prefix match) when multiple routes could apply.
In this scenario, VM1 must send traffic to the on-premises network 10.50.0.0/16 over a VPN gateway, while all other traffic should continue to use the system internet route. When you associate a route table to AppSubnet, any UDRs you add will appear in the VM1-NIC Effective routes blade, and they will change how traffic is forwarded.
Creating a UDR that directly targets 10.50.0.0/16 with a next hop of Virtual network gateway is appropriate, because only that prefix is affected. The default system route 0.0.0.0/0 to the internet remains in the Effective routes, so all non-on-premises traffic still uses Azure’s internet path.
By contrast, a UDR for 0.0.0.0/0 pointing to the VPN gateway overrides the system internet route. In the Effective routes view, you would now see the 0.0.0.0/0 entry with next hop Virtual network gateway, forcing all outbound traffic over the VPN. This contradicts the stated requirement.
Similarly, adding a blackhole UDR for 10.0.0.0/8 would cause any traffic to addresses in that range that do not have a more specific route to be dropped. Because 10.50.0.0/16 is within 10.0.0.0/8 and there is no more specific route for it in that configuration, the Effective routes list would effectively send 10.50.0.0/16 to the None next hop, breaking connectivity to on-premises.
Understanding how these UDRs show up in the Effective routes view and how prefix length and precedence work is essential to predicting and troubleshooting actual traffic flow for a NIC.
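The two selection rules the explanation relies on, longest prefix match first and user-defined routes beating system routes on a tie, decide every verdict in this question. The following Python is an added model written for this page, not Azure's route-selection code: it assumes the constructed system routes for a 10.10.0.0/16 VNet and a default 0.0.0.0/0 Internet route, constructed destination addresses 10.50.3.7 and 198.51.100.20, and the source ranking User > VirtualNetworkGateway (BGP) > Default that Azure applies when prefix lengths are equal.

```python
"""Toy model of next-hop selection from a NIC's effective routes, written for
this page. Not Azure's code: longest prefix wins, and on equal prefix length a
user-defined route beats a gateway-learned route, which beats a system route."""
import ipaddress

# Constructed system routes for the VNet in the question: (prefix, next hop type, source).
SYSTEM_ROUTES = [
    ("10.10.0.0/16", "VirtualNetwork", "Default"),
    ("0.0.0.0/0", "Internet", "Default"),
]

# Lower rank wins when two routes have the same prefix length.
SOURCE_RANK = {"User": 0, "VirtualNetworkGateway": 1, "Default": 2}


def effective_next_hop(routes, dest_ip):
    """Return (prefix, next hop type) that this model would use for dest_ip."""
    addr = ipaddress.ip_address(dest_ip)
    candidates = [
        (ipaddress.ip_network(prefix), hop, source)
        for prefix, hop, source in routes
        if addr in ipaddress.ip_network(prefix)
    ]
    if not candidates:
        return None
    net, hop, _ = min(candidates, key=lambda c: (-c[0].prefixlen, SOURCE_RANK[c[2]]))
    return str(net), hop


# The user-defined routes offered in the question.
GOOD_UDR = [("10.50.0.0/16", "VirtualNetworkGateway", "User")]        # option A: keep
DEFAULT_OVERRIDE = [("0.0.0.0/0", "VirtualNetworkGateway", "User")]   # option B: avoid
BLACKHOLE = [("10.0.0.0/8", "None", "User")]                          # option E: avoid


def compare_route_tables():
    """Resolve an on-premises and an internet destination under each route table."""
    onprem, internet = "10.50.3.7", "198.51.100.20"   # constructed destinations
    return {
        "good_onprem": effective_next_hop(SYSTEM_ROUTES + GOOD_UDR, onprem),
        "good_internet": effective_next_hop(SYSTEM_ROUTES + GOOD_UDR, internet),
        "override_internet": effective_next_hop(SYSTEM_ROUTES + DEFAULT_OVERRIDE, internet),
        "blackhole_onprem": effective_next_hop(SYSTEM_ROUTES + BLACKHOLE, onprem),
        # A more specific /16 rescues on-premises traffic even with the /8 blackhole present.
        "blackhole_plus_specific": effective_next_hop(SYSTEM_ROUTES + BLACKHOLE + GOOD_UDR, onprem),
    }


if __name__ == "__main__":
    for label, result in compare_route_tables().items():
        print(f"{label:24} -> {result}")
```

The last entry goes slightly beyond the question: it shows that the /8 blackhole is only fatal while no more specific route exists, which is exactly the condition the explanation states, and why reading the Effective routes blade for the longest matching prefix, rather than for the presence of a route, is the reliable way to predict where a packet goes.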
Topic: Configure and Manage Virtual Networking
You administer a three-tier application in Azure. The web tier is exposed to the internet by an Azure Application Gateway. The middle-tier API VMs run in the BackendSubnet of the same virtual network. You must load-balance traffic from the web tier to the API VMs using only private IP connectivity so that only resources inside the virtual network can reach the API tier.
Which of the following configurations should you AVOID? (Select TWO.)
Options:
A. Create a Standard public load balancer with a public frontend IP and add the API VMs to its backend pool. Configure an NSG on BackendSubnet to allow inbound traffic from any Internet source to the load balancer.
B. Create a Standard internal load balancer with a private frontend IP in BackendSubnet and add all API VMs to its backend pool. Use NSGs to allow traffic only from the web tier subnet to the load balancer.
C. Assign a public IP address directly to each API VM and create a public DNS record that round-robins between those addresses instead of using a load balancer.
D. Create an internal Standard load balancer with a private frontend IP and add the API VMs to the backend pool. Restrict the frontend’s inbound rules to only the web tier subnet IP range.
E. Place an internal Standard load balancer in the same virtual network with a private frontend IP and backend pool of the API VMs. Configure Application Gateway to send traffic to the load balancer’s private IP.
Correct answers: A and C
Explanation: The requirement is to load-balance traffic to the API VMs while ensuring that only internal resources inside the virtual network can reach that tier. In Azure, this is achieved with a Standard internal load balancer using a private frontend IP, combined with network security groups that restrict source IP ranges to internal subnets (such as the web tier or Application Gateway subnet).
Any configuration that introduces a public frontend IP on the load balancer or direct public IPs on the API VMs exposes the middle tier to the internet and contradicts the requirement for private-only access. These are clear anti-patterns for internal service tiers in a tiered application architecture.
Topic: Configure and Manage Virtual Networking
You manage an internal load balancer, LB1, for two VMs running a web app that listens on HTTP port 8080 and responds at /health. The health probe is configured as HTTP on port 80. An NSG on the subnet blocks traffic from AzureLoadBalancer to port 8080. The backend pool currently has no NICs associated. Probes are failing, but http://localhost:8080/health returns 200 OK on each VM. You must restore healthy probes and load-balanced traffic without exposing the VMs directly to the internet. Which of the following actions will meet these requirements? (Select THREE.)
Options:
A. Change the health probe to use HTTP on port 8080 so it matches the web app listener.
B. Associate the NICs of VM1 and VM2 with the LB1 backend pool.
C. Add an inbound NSG rule that allows TCP 8080 from the AzureLoadBalancer service tag to the subnet.
D. Assign a public IP address to each VM and have clients connect directly, bypassing LB1.
E. Replace LB1 with a Basic public load balancer to avoid NSG configuration for probes.
Correct answers: A, B and C
Explanation: Azure load balancer health probes determine whether backend instances are healthy and eligible to receive traffic. If probes fail, the load balancer marks instances as unhealthy and stops sending them traffic, even if the application itself is running correctly.
In this scenario, the web app is verified to be healthy on each VM at http://localhost:8080/health, but the health probes are failing. The configuration reveals three separate issues:
- The health probe is configured for port 80, but the web app listens on port 8080.
- The backend pool has no NICs associated, so no instance can receive traffic.
- The NSG blocks traffic from AzureLoadBalancer to port 8080, so probe requests never reach the app.

To restore healthy probes and proper load balancing without exposing VMs directly to the internet, you must correct the probe port, permit probe traffic through the NSG, and attach the VM NICs to the backend pool. Changing the load balancer type or bypassing it entirely would not meet the stated requirements and would weaken the network design.
Topic: Configure and Manage Virtual Networking
You manage a flat virtual network that contains web, application, and database virtual machines on the same subnet. A single network security group (NSG) secures the subnet using many rules that reference individual VM private IP addresses. When VMs are redeployed or scaled out, their IPs change, making NSG maintenance time‑consuming and error‑prone. You must simplify rule management by grouping VMs by role and avoid dependence on specific IP addresses, without adding new security appliances. What should you do to optimize this design?
Options:
A. Create a dedicated NSG for each VM and move all IP-based rules from the shared NSG into the per-VM NSGs so that each VM is isolated by its own rules.
B. Move the web, app, and database VMs into separate subnets and apply subnet-level NSGs that continue to reference the VMs’ private IP addresses in the rules.
C. Create application security groups for the web, app, and database tiers; associate each VM NIC with the appropriate group; then update the existing NSG rules to use the ASGs as source and destination instead of IP addresses.
D. Deploy Azure Firewall in the virtual network and configure firewall rules using the VMs’ private IP addresses instead of NSG rules, then remove most NSG rules.
Best answer: C
Explanation: Application security groups (ASGs) let you logically group virtual machine NICs by application role (for example, web, app, database) and then reference these groups directly in network security group (NSG) rules. This removes the need to maintain large numbers of IP-based rules, especially in environments where VMs may be redeployed, scaled, or otherwise change IP addresses.
In the scenario, there is already a single NSG applied and the main issue is operational complexity from managing IP-based rules. The stated goal is to simplify rule management based on VM roles without introducing new appliances. Using ASGs with the existing NSG directly targets this problem by enabling role-based rules that remain valid even when IPs change.
Other options either increase complexity (per-VM NSGs), introduce unnecessary services (Azure Firewall), or require a network redesign while still depending on IP addresses (separate subnets with IP-based NSG rules). None of those options fully meets the requirement to simplify management by grouping VMs by role and avoiding IP dependency.
Topic: Configure and Manage Virtual Networking
You run Azure Network Watcher NSG diagnostics for an Azure VM to investigate blocked HTTPS traffic. For TCP 443 inbound from the internet to the VM’s NIC over the last 60 minutes, diagnostics show:
| NSG rule | Action | Matched flows |
|---|---|---|
| Allow-HTTPS-Inbound | Allow | 900 |
| Deny-Internet-All | Deny | 100 |
What percentage of HTTPS connection attempts were denied by the NSG? Give your answer as a whole percent.
Options:
A. 15%
B. 5%
C. 10%
D. 20%
Best answer: C
Explanation: Azure Network Watcher NSG diagnostics (or NSG insights) can show how many flows match each NSG rule, including both allowed and denied traffic. Those rule hit counts are essential for identifying which rules are blocking or permitting specific traffic flows.
In this scenario, diagnostics for TCP 443 inbound from the internet to the VM’s NIC show:
- 900 flows matched Allow-HTTPS-Inbound.
- 100 flows matched Deny-Internet-All.

Because every HTTPS connection attempt is either allowed or denied by the NSG, the total number of HTTPS attempts is the sum of allowed and denied flows: 900 + 100 = 1,000.
The percentage of attempts that were denied is: 100 / 1,000 = 10%.
So, the diagnostics indicate that 10% of HTTPS connection attempts are being blocked by the NSG, and the deny rule Deny-Internet-All is responsible for those blocked flows.
Topic: Configure and Manage Virtual Networking
In Azure Load Balancer, which condition must be met for a backend virtual machine (VM) to be considered healthy by a load-balancer health probe?
Options:
A. The VM must successfully respond on the probe’s configured port and protocol to the load balancer’s probe requests.
B. The VM’s network security group (NSG) must allow inbound traffic from any Internet source on the probe port.
C. The backend pool must contain only a single VM instance so the load balancer can always route traffic to it.
D. The VM must be running and have the Azure Diagnostics extension installed to report health to the load balancer.
Best answer: A
Explanation: Azure Load Balancer uses health probes to determine whether each backend VM is able to receive traffic. A health probe is configured with a protocol (TCP, HTTP, or HTTPS), a port, and an interval. The load balancer periodically sends probe requests from its own IPs to each backend VM on that port.
For a VM to be considered healthy, it must respond successfully to these probe requests according to the selected protocol. For TCP probes, this means the VM completes the TCP handshake (ACKs). For HTTP/HTTPS probes, the VM must return an HTTP 200 OK response. If the VM fails to respond successfully a configured number of times, it is marked unhealthy and removed from the load-balancing rotation until it becomes healthy again.
Common misconfigurations that cause probe failures include the VM not listening on the configured port, the wrong port being used in the probe configuration, or NSG/firewall rules blocking the probe traffic. Understanding that the probe is a direct network check on a specific port helps troubleshoot these issues quickly.
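An HTTP health probe is nothing more than a TCP connect followed by a GET that must return 200, which is why the port mismatch in the LB1 question (probe on 80, app on 8080) and a wrong path both make a running application look unhealthy. The following Python is an added, self-contained simulation written for this page, not Azure's probe implementation: it starts a constructed web app on a free loopback port that answers 200 only at /health, then probes it the way a probe configuration would, marking the backend unhealthy after a constructed threshold of two consecutive failures.

```python
"""Local simulation of a load balancer HTTP health probe, written for this
page. Not Azure's probe code: a constructed backend answers 200 at /health on a
loopback port, and the probe logic is a TCP connect plus GET expecting 200."""
import http.client
import socket
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


class AppHandler(BaseHTTPRequestHandler):
    """Constructed backend: 200 on /health, 404 for any other path."""

    def do_GET(self):
        status = 200 if self.path == "/health" else 404
        self.send_response(status)
        self.send_header("Content-Length", "2")
        self.end_headers()
        self.wfile.write(b"ok")

    def log_message(self, *args):   # keep the server quiet
        pass


def start_backend():
    """Start the constructed app on a free loopback port; return (server, port)."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), AppHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def http_probe(port, path, timeout=1.0):
    """One probe attempt: True only if the TCP connect succeeds and the GET returns 200."""
    try:
        conn = http.client.HTTPConnection("127.0.0.1", port, timeout=timeout)
        conn.request("GET", path)
        status = conn.getresponse().status
        conn.close()
        return status == 200
    except (OSError, http.client.HTTPException):
        return False    # connection refused, timeout or malformed reply all count as failure


def is_healthy(port, path, unhealthy_threshold=2):
    """Backend stays in rotation unless `unhealthy_threshold` probes fail in a row."""
    for _ in range(unhealthy_threshold):
        if http_probe(port, path):
            return True
    return False


def closed_port():
    """Pick a loopback port with nothing listening: the constructed 'wrong port'."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def run_probe_scenarios():
    """Probe the backend with a correct, a wrong-port and a wrong-path configuration."""
    server, app_port = start_backend()
    try:
        return {
            "right_port_and_path": is_healthy(app_port, "/health"),
            "wrong_port": is_healthy(closed_port(), "/health"),
            "right_port_wrong_path": is_healthy(app_port, "/"),
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for label, healthy in run_probe_scenarios().items():
        print(f"{label:24} healthy={healthy}")
```

The wrong-port case is the one from the LB1 question: the application is fine, but the probe connects to a port nobody listens on and is refused, so the backend is marked unhealthy and never receives traffic. An NSG that blocks the AzureLoadBalancer source produces the same verdict through a timeout instead of a refusal, which is why checking the probe port, the probe path and the NSG together is the fastest way to explain a "healthy app, failing probe" report.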
Topic: Configure and Manage Virtual Networking
Which of the following statements about Azure public load balancers is INCORRECT? (Select THREE.)
Options:
A. NICs attached to VMs in the same virtual network as the load balancer can be added as targets in the backend pool.
B. A public load balancer can use a single frontend public IP with multiple load-balancing rules mapping to different backend ports.
C. A public load balancer terminates client TLS/SSL sessions and then forwards unencrypted HTTP traffic to the backend VMs.
D. Each backend VM in a public load balancer’s backend pool must have its own public IP address to receive load-balanced traffic.
E. If a VM fails the load balancer health probe, all existing TCP connections to that VM are immediately dropped.
F. Health probes are used by the load balancer to decide which backend pool instances are healthy and should receive new connections.
Correct answers: C, D and E
Explanation: Azure public load balancers distribute incoming traffic from a public frontend IP address to a set of backend pool instances, typically VMs with private IPs in the same virtual network. They operate at layer 4 (TCP/UDP) and use health probes to determine which instances are healthy and should receive new flows.
The load balancer does not inspect or modify higher-layer protocols such as HTTP or HTTPS. It simply forwards packets according to configured rules and hashes. When a backend instance fails a health probe, the load balancer stops sending new connections to it, but established sessions can continue until they close, helping maintain connection stability for users.