Microsoft Updated AZ-104 Exam Questions and Answers by andy

When deploying Azure Virtual Machines (VMs) — individually or within a Virtual Machine Scale Set (VMSS) — administrators often need to automate post-deployment configuration tasks such as installing software, running configuration scripts, or setting up environment dependencies.

According to Microsoft Azure Administrator documentation, the Azure Custom Script Extension is designed precisely for this purpose. It downloads and executes scripts on Azure VMs after deployment. The extension integrates directly with Azure Resource Manager (ARM) templates, Azure CLI, or PowerShell, enabling automated installation and configuration of software packages like NGINX, IIS, or custom utilities.

The Custom Script Extension runs PowerShell scripts on Windows VMs and shell scripts on Linux VMs. In the case of deploying Windows Server 2022 VMs in a scale set, you can embed the Custom Script Extension JSON configuration into your ARM template, specifying the script’s location in Azure Storage or GitHub and the command to execute (for example, Install-WindowsFeature Web-Server or an NGINX installer command).

This approach aligns with Microsoft’s best practices for Azure automation and infrastructure-as-code, ensuring consistent, repeatable deployments across all instances in the scale set. It also minimizes manual intervention, reduces configuration drift, and ensures each VM instance has the required software components available immediately after provisioning.

This question evaluates understanding of Azure Virtual Network (VNet) peering behavior, specifically routing rules, non-transitive connectivity, and gateway transit settings.

From the exhibit, VNET1 has two peerings configured:

Peering1: VNET1 ↔ VNET2 (Connected)

Peering2: VNET1 ↔ VNET3 (Connected)

For both peerings, Gateway transit is Disabled.

Packets from VNET1

According to Microsoft Azure networking documentation:

VNet peering allows direct routing between peered VNets

A VNet can communicate with all VNets it is directly peered with

Since VNET1 is directly peered with both VNET2 and VNET3, traffic originating in VNET1 can be routed to both networks.

✅ Packets from VNET1 can be routed to VNET2 and VNET3

Packets from VNET2

Azure VNet peering is not transitive. This means:

Even though VNET2 is peered with VNET1

And VNET1 is peered with VNET3

VNET2 does NOT automatically gain access to VNET3

Additionally:

Gateway transit is disabled

No user-defined routing or hub-and-spoke gateway configuration is present

Therefore, VNET2 can only route traffic to its directly peered network, which is VNET1.

✅ Packets from VNET2 can be routed to VNET1 only

Key Microsoft Azure Principles Applied

VNet peering enables direct connectivity only

Peering connections are non-transitive

Gateway transit must be explicitly enabled for transitive routing scenarios

Without gateway transit or NVA routing, VNets cannot route through each other

Final Verified Answer:

Packets from VNET1: ✅ VNET2 and VNET3

Packets from VNET2: ✅ VNET1 only

No, No, No

Comprehensive and Detailed 150 to 250 words of Explanation From [Microsoft Azure Administrator/Course Guide/topics]:

Although VNet1 and VNet2 are peered, routing must be valid in both directions for ping to succeed. Azure virtual network peering enables private connectivity between peered virtual networks, and Azure adds virtual network peering system routes when peering is configured. However, user-defined routes override system routes when they conflict, and Azure selects routes by longest prefix match before applying route-source priority.

VM11 can send traffic toward VM2 through the VNet1-to-VNet2 peering route, but VM2’s return traffic to VM11 matches Route2 in RT2: destination 10.10.1.0/24, next hop type None. Microsoft defines None as dropping traffic rather than forwarding it, so the ping fails. VM2 also cannot initiate a successful ping to VM11 for the same reason: its outbound traffic to 10.10.1.10 is dropped by Route2. VM3 cannot ping VM12 because VNet3 is not peered with VNet1, and Route3 points to a virtual appliance IP in a network without direct connectivity. Microsoft specifies that a virtual appliance next hop IP requires direct connectivity, otherwise the UDR configuration is invalid. Study Guide reference: AZ-104 Configure and manage virtual networking , routing, route tables, and virtual network peering.

When configuring an Azure App Service app (WebApp1), several hosting plans determine scaling capabilities and supported features such as custom domains, SSL, and auto-scaling.

According to Microsoft Azure Administrator Documentation:

Custom Domain Verification:To map a custom domain (like app.contoso.com) to an Azure Web App, Azure must verify that you own the domain.Microsoft documentation specifies:

“To verify a custom domain, create a TXT record in your DNS zone. The TXT record contains a verification token that Azure uses to confirm ownership of the domain before binding it to your App Service.”

(Source: Azure App Service – Map custom domain)

While an A record or CNAME record is eventually used to direct traffic to the app, the TXT record is used solely for domain verification.

Scaling Requirement (Up to 8 Instances):The Free and Shared App Service plans have significant limitations:

Free / Shared: No scaling (only 1 instance, no custom domain SSL support).

Basic: Supports up to 3 instances.

Standard: Supports up to 10 instances, includes auto-scaling, and supports custom domains and SSL.

Premium: Adds advanced scaling and isolation but is more expensive and unnecessary here.

Microsoft documentation states:

“The Standard pricing tier supports auto-scaling up to 10 instances and custom domains, offering a balance between cost and capability.”

(Source: Azure App Service Plan Tiers Overview)

Since the requirement includes automatic scaling up to eight instances and custom domain verification, the Standard plan is the minimum suitable tier — satisfying both performance and cost-efficiency conditions.

✅ Final Verified Answer:

Pricing plan: Standard

Record type: TXT

Justification Summary (from Microsoft Documentation):

Custom domain verification → Requires a TXT record.

Auto-scale up to 8 instances → Requires at least the Standard plan.

Minimize cost and effort → Standard plan is the optimal balance.