Most Recent Microsoft AZ-104 Exam Dumps

According to theMicrosoft documentation, Azure Bastion is a service that provides more secure and seamless RDP and SSH access to virtual machines without any exposure through public IP addresses. You can provision the service directly in your local or peered virtual network to get support for all the VMs within it.

In your scenario, you have three virtual networks that are peered with each other. This means that they can communicate with each other as if they were in the same virtual network. Therefore, you can deploy one Bastion host in any of the virtual networks and use it to connect to all the virtual machines in the peered virtual networks. You don't need to deploy a separate Bastion host for each virtual network or each virtual machine.

For more information about how to deploy and use Azure Bastion, seeTutorial: Deploy Bastion using specified settings: Azure portal.

To restrict access to account1, you need to enable the firewall and virtual network settings on the storage account. This allows you to specify which networks can access the storage account. By selecting Selected networks, you can block all access from the public internet and only allow access from the specified networks. By adding VNet1, you can allow access from the virtual network that contains VM1. You do not need to add the on-premises IP address range or enable the service endpoint option, as these are not required for uploading the disk files to the storage account. You do not need to allow trusted Microsoft services, as this is not relevant for the scenario. Then, Reference: [Configure Azure Storage firewalls and virtual networks] [Upload a generalized VHD to Azure]

Routing preference is a feature that allows you to configure how network traffic is routed to your storage account from clients over the internet. By default, traffic from the internet is routed to the public endpoint of your storage account over the Microsoft global network, which is optimized for low-latency path selection and high reliability. Both inbound and outbound traffic are routed through the point of presence (POP) that is closest to the client. This ensures that traffic to and from your storage account traverses over the Microsoft global network for the bulk of its path, maximizing network performance. You can also change the routing preference to use internet routing, which minimizes the traversal of your traffic over the Microsoft global network, handing it off to the transit ISP at the earliest opportunity. This lowers networking costs, but may compromise network performance. Therefore, to ensure that inbound user traffic uses the Microsoft POP closest to the user's location, you should configure routing preference to use the Microsoft global network as the default routing option for your storage account.

Network routing preference for Azure Storage

Configure network routing preference for Azure Storage

No, this does not meet the goal. Unregistering the Microsoft.ClassicNetwork provider does not affect the creation of network security groups (NSGs) in the subscription.The Microsoft.ClassicNetwork provider is used for managing classic deployment model resources, such as virtual networks, network interfaces, and public IP addresses1.However, NSGs are only supported for Resource Manager deployment model resources2. Therefore, unregistering the Microsoft.ClassicNetwork provider will not automatically block TCP port 8080 between the virtual networks.

To meet the goal, you need to create a custom policy definition that enforces a default security rule for NSGs.A policy definition is a set of rules and actions that Azure performs when evaluating your resources3. You can use a policy definition to specify the required properties and values for NSGs, such as the direction, protocol, source, destination, and port of the security rule. You can then assign the policy definition to the subscription scope, so that it applies to all the resource groups and virtual networks in the subscription.

When you move an Azure virtual machine to another resource group, Azure Resource Manager treats the virtual machine as a resource that has required dependencies. For an IaaS VM, the VM resource depends on its network interface (NIC) for connectivity and its managed disks (OS disk and any data disks) for storage. Microsoft Azure Administrator guidance for resource moves explains that a move operation must include any dependent resources that are required for the resource to function after the move. If you attempt to move only the VM object while leaving required dependencies behind, the move would be blocked or the VM would be left in a nonfunctional state.

In this scenario, NIC1 is the network interface used by VM1, and Disk1 is the OS disk used by VM1; both are core dependencies and are moved along with the VM. VNet1 is a separate networking resource that typically hosts multiple subnets and can be shared by many resources; it is not required to move to move a VM, and moving the VNet would be unnecessary and potentially disruptive. Therefore, after moving VM1 from RG1 to RG2, the resources present in RG2 are VM1, NIC1, and Disk1, but not VNet1.