Microsoft Microsoft Certified: Azure Network Engineer Associate AZ-700 Questions & Answers
Question 1:
HOTSPOT
You have an on-premises network.
You have an Azure subscription that contains the resources shown in the following table.
You need to implement an ExpressRoute circuit to access the resources in the subscription. The solution must ensure that the on-premises network connects to the Azure resources by using the ExpressRoute circuit.
Which type of peering should you use for each connection? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Box 1: Private peering
Azure Private Peering. One goal of implementing ExpressRoute is to connect on-premises networks with remote Azure networks. Private peering connects an on-premises network with Azure Cloud services such as virtual networks and resources connected to those virtual networks. Azure private peering makes the Azure networks a trusted extension of the core, on-premises network.
Note: In order for you to successfully establish private peering connectivity from on-premises to the ExpressRoute circuit, you'll need to engage your service provider with the circuit service key.
Incorrect:
* Public peering, Microsoft peering. Note that if the ExpressRoute circuit is unavailable, the VPN route will handle only private peering connections. Public peering and Microsoft peering connections pass over the Internet.
* Public Peering. It's not really an option because public peering is deprecated for all new ExpressRoute circuits. We won't go into details on public peering because it's deprecated, but it's worth mentioning if you ever run into it on older ExpressRoute circuits.
Box 2: Microsoft peering
Microsoft peering connects on-premises networks to Microsoft 365 and Azure PaaS services, for example Office products.
Azure SQL Database is a fully managed platform as a service (PaaS) database engine that handles most of the database management functions such as upgrading, patching, backups, and monitoring without user involvement.
Your company has 40 branch offices across North America and Europe.
You have an Azure subscription that contains the following virtual networks:
1. Two networks in the East US Azure region
2. Three networks in the West Europe Azure region
You need to implement Azure Virtual WAN. The solution must meet the following requirements:
1. Each branch office in North America must have an ExpressRoute circuit and a Site-to-Site VPN that connects to the East US region.
2. Each branch office in Europe must have an ExpressRoute circuit and a Site-to-Site VPN that connects to the West Europe region.
3. Transitive connections must be supported between all the branch offices and all the virtual networks.
4. Costs must be minimized.
What is the minimum number of Virtual WAN resources required? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Box 1: Two Standard virtual WANs.
Need Standard for ExpressRoute.
Two virtual WANs: One for North America, and one for Europe.
Note: Virtual WAN: The virtualWAN resource represents a virtual overlay of your Azure network and is a collection of multiple resources. It contains links to all your virtual hubs that you would like to have within the virtual WAN. Virtual WANs are isolated from each other and can't contain a common hub. Virtual hubs in different virtual WANs don't communicate with each other.
Virtual WAN types
There are two types of virtual WANs: Basic and Standard. The following table shows the available configurations for each type.
* Basic: Site-to-site VPN only
* Standard: ExpressRoute; User VPN (P2S); VPN (site-to-site); Inter-hub and VNet-to-VNet transiting through the virtual hub; Azure Firewall; NVA in a virtual WAN
Box 2: Five Virtual WAN hubs
One virtual WAN hub for each site; two in East US and three in West Europe.
Note: Hub: A virtual hub is a Microsoft-managed virtual network. The hub contains various service endpoints to enable connectivity. From your on-premises network (vpnsite), you can connect to a VPN gateway inside the virtual hub, connect ExpressRoute circuits to a virtual hub, or even connect mobile users to a point-to-site gateway in the virtual hub. The hub is the core of your network in a region. Multiple virtual hubs can be created in the same region.
A hub gateway isn't the same as a virtual network gateway that you use for ExpressRoute and VPN Gateway. For example, when using Virtual WAN, you don't create a site-to-site connection from your on-premises site directly to your VNet. Instead, you create a site-to-site connection to the hub. The traffic always goes through the hub gateway. This means that your VNets don't need their own virtual network gateway. Virtual WAN lets your VNets take advantage of scaling easily through the virtual hub and the virtual hub gateway.
Box 3: Two virtual network gateways
One virtual gateway for East US and one for West Europe.
You have an Azure subscription that contains the resource groups shown in the following table.
You have the virtual networks shown in the following table.
You have the subnets shown in the following table.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Box 1: Yes
Move an Azure virtual network to another region by using Azure PowerShell.
There are various scenarios for moving an existing Azure virtual network from one region to another. For example, you might want to create a virtual network with the same configuration for testing and availability as your existing virtual network. Or you might want to move a production virtual network to another region as part of your disaster recovery planning.
You can use an Azure Resource Manager template to complete the move of the virtual network to another region. You do this by exporting the virtual network to a template, modifying the parameters to match the destination region, and then deploying the template to the new region.
Move networking resources to new resource group or subscription.
You can move virtual networks and other networking resources to a new resource group or Azure subscription.
Azure Resource Mover helps you move Azure resources between Azure regions.
All Azure resources are created in an Azure region and subscription. A resource can only be created in a virtual network that exists in the same region and subscription as the resource.
Note: VNet1 is in East US. Vnet1 is in RG1. RG1 is in East US.
RG3 is in UK West.
Box 2: No
VNet1 is the only virtual network in East US. Vnet1 has one subnet Subnet1-1 with IP address range 10.1.1.0/24. This address range has only 256 unique IP addresses.
Box 3: No
RG2 already has a VNET named Vnet2.
Scope
All Azure resource types have a scope that defines the level at which resource names must be unique. A resource must have a unique name within its scope.
For example, a virtual network has a resource group scope, which means that there can be only one network named vnet-prod-westus-001 in a given resource group. Other resource groups could have their own virtual network named vnet-prod-westus-001.
You have an Azure subscription that contains an app named App1. App1 is deployed to the Azure App Service apps shown in the following table.
You need to publish App1 by using Azure Front Door. The solution must ensure that all the requests to App1 are load balanced between all the available worker instances.
What is the minimum number of origin groups and origins that you should configure? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Box 1: 1
How many origins and origin groups should I create?
An origin group represents a set of origins that are functionally able to serve the same kinds of requests. You should use a separate origin group for each distinct application or workload.
For example, suppose you host an application on Azure App Service. The way that you configure Front Door depends on how many application instances you deploy:
* Multi-region active/passive deployment: Create a single origin group. Within that origin group, create an origin for each of the App Service apps. Configure each origin's priority to ensure that the primary application has a higher priority than the secondary application.
* Multi-region active/active deployment: Create a single origin group. Within that origin group, create an origin for each of the App Service apps. Configure each origin's priority to be the same. Configure each origin's weight to set the proportion of requests that should go to that origin.
* Single-region deployment: Create a single origin group.
Box 2: 8
Within an origin group, create an origin for each distinct server or service instance that can serve requests.
Note:
Origin
An origin refers to the application deployment that Azure Front Door retrieves contents from when caching isn't enabled or when a cache gets missed. Azure Front Door supports origins hosted in Azure and applications hosted in your on-premises datacenter or with another cloud provider. An origin shouldn't be confused with your database tier or storage tier. The origin should be viewed as the endpoint for your application backend.
Origin group
An origin group in Azure Front Door refers to a set of origins that receives similar traffic for their application. You can define the origin group as a logical grouping of your application instances across the world that receives the same traffic and responds with an expected behavior. These origins can be deployed across different regions or within the same region. All origins can be deployed in an Active/Active or Active/Passive configuration.
An origin group defines how origins get evaluated by health probes. It also defines the load balancing method between them.
You have an Azure environment shown in the following exhibit.
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic. NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
1. VM1 can communicate with the on-premises datacenter due to the S2S VPN, and with VM2 due to bidirectional VNet peering.
2. VM2 can communicate with the on-premises datacenter and VM1 due to gateway transit (VNET1-VNET2) and the S2S VPN (VNET1-datacenter), and with VM3 (VNET2-VNET3 VNet peering).
You have an Azure subscription that contains the resources shown in the following table.
You purchase a certificate for app1.contoso.com from a public certification authority (CA) and install the certificate on appservice1.
You need to ensure that App1 can be accessed by using a URL of https://app1.contoso.com. The solution must ensure that all the traffic for App1 is routed via FD1.
Which type of DNS record should you create, and where should you store the certificate? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
DNS: CNAME (When you added a custom domain to your Front Door's frontend hosts, you created a CNAME record in the DNS table of your domain registrar to map it to your Front Door's default .azurefd.net hostname)
Store certificate in: KeyVault1 (Your key vault must be configured to use the Key Vault access policy permission model.)
This is all explained at https://learn.microsoft.com/en-us/azure/frontdoor/front-door-custom-domain-https
Question 7:
HOTSPOT
You have an Azure subscription that contains multiple virtual machine scale sets and multiple Azure load balancers. The load balancers balance traffic across the scale sets.
You plan to deploy Azure Front Door to load balance traffic across the load balancers.
You need to identify which Front Door SKU to configure, and what to use to route the traffic to the load balancers. The solution must minimize costs.
What should you identify? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Box 1: Premium
Premium is required for an Azure private link.
Note: Azure Front Door offers two different tiers, Standard and Premium. Both Azure Front Door tiers combine capabilities of Azure Front Door (classic), Azure CDN Standard from Microsoft (classic), and Azure WAF into a single secure cloud CDN platform with intelligent threat protection.
Azure Front Door Standard is content delivery optimized, offering both static and dynamic content acceleration, global load balancing, SSL offload, domain and certificate management, enhanced traffic analytics, and basic security capabilities.
Azure Front Door Premium builds on capabilities of Azure Front Door Standard, and adds extensive security capabilities across WAF, BOT protection, Azure Private Link support, integration with Microsoft Threat Intelligence, and security analytics. WAF and Private Link pricing is included in Azure Front Door Premium.
Box 2: Azure private link
Example:
When you use other internet-facing services, like Azure Front Door, it's important to consider whether they support Private Link for inbound traffic. If they don't, consider how your traffic flows through each path to your solution.
For example, suppose you build an internet-facing application that runs on a virtual machine scale set. You use Azure Front Door, including its web application firewall (WAF), for security and traffic acceleration, and you configure Front Door to send its traffic through a private endpoint to your backend (origin) service. Tenant A connects to your solution by using a public endpoint, and tenant B connects by using a private endpoint. Because Front Door doesn't support Private Link for incoming connections, tenant B's traffic bypasses your Front Door and its WAF.
You have an Azure subscription that contains a virtual network named VNet1. VNet1 contains the resources shown in the following table.
You need to publish App1 by using AG1 and a URL of https://app1.contoso.com. The solution must meet the following requirements:
1. TLS connections must terminate on AG1.
2. Minimize the number of targets in the backend pool of AG1.
3. Minimize the number of deployed copies of the SSL certificate of App1.
To how many locations should you import the certificate, and how many targets should you add to the backend pool of AG1? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Question 9:
HOTSPOT
You have an Azure virtual network named Vnet1 that contains two subnets named Subnet1 and Subnet2.
Both subnets contain virtual machines.
You create a NAT gateway named NATgateway1 as shown in the following exhibit.
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic. NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Box 1: Both Subnet1 and Subnet2
From exhibit: Subnets: None. Virtual network: VNet1
VNet1 contains Subnet1 and Subnet2.
Azure NAT Gateway resources enable outbound Internet connections from subnets in a virtual network.
After NAT gateway is added to the subnet of the virtual network, all new connections will then use NAT gateway for making outbound connections.
Incorrect:
* Gateway subnet. Before you create a VPN gateway, you must create a gateway subnet. The gateway subnet contains the IP addresses that the virtual network gateway VMs and services use. When you create your virtual network gateway, gateway VMs are deployed to the gateway subnet and configured with the required VPN gateway settings. Never deploy anything else (for example, additional VMs) to the gateway subnet. The gateway subnet must be named 'GatewaySubnet' to work properly. Naming the gateway subnet 'GatewaySubnet' lets Azure know that this is the subnet to deploy the virtual network gateway VMs and services to.
Box 2: 16 IP addresses
From exhibit: Public IP address: None
Public IP prefix is specified.
The /28 address range in the prefix provides 16 IP addresses.
Note: Add public IP prefix
Public IP prefixes extend the extensibility of SNAT for outbound connections from the NAT gateway. A public IP prefix avoids SNAT port exhaustion. Each IP provides 64,512 ephemeral ports to NAT gateway for connecting outbound.
When assigning a public IP prefix to a NAT gateway, the entire range will be used.
HOTSPOT
You have an Azure subscription that contains a virtual network named Vnet1. Vnet1 has a /24 IPv4 address space.
You need to subdivide Vnet1. The solution must maximize the number of usable subnets.
What is the maximum number of IPv4 subnets you can create, and how many usable IP addresses will be available per subnet? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Box 1: 3
Subnet address range: The range must be within the address space you entered for the virtual network. The smallest range you can specify is /29, which provides eight IP addresses for the subnet. Azure reserves the first and last address in each subnet for protocol conformance. Three more addresses are reserved for Azure service usage. As a result, a virtual network with a subnet address range of /29 has only three usable IP addresses.
Box 2: 32
We can make 32 /29 subnets of a /24 IPv4 address space.
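The subnet arithmetic above, generalized to any IPv4 address space and prefix, as an added example that is not part of the original answer key. The address space 10.0.0.0/24 is a constructed sample, and placing the three service addresses directly after the network address is an assumption labelled in the code.

```python
import ipaddress

# From the explanation above: /29 is the smallest subnet Azure accepts, and
# five addresses per subnet are reserved (first, last, three for Azure services).
AZURE_LONGEST_PREFIX = 29
AZURE_RESERVED_PER_SUBNET = 5


def plan_subnets(address_space, new_prefix=AZURE_LONGEST_PREFIX):
    """Split an IPv4 address space into equal subnets and report usable hosts."""
    net = ipaddress.ip_network(address_space, strict=True)
    if net.version != 4:
        raise ValueError("this example only covers IPv4 address spaces")
    if new_prefix > AZURE_LONGEST_PREFIX:
        raise ValueError(f"/{new_prefix} is smaller than the /29 minimum")
    if new_prefix < net.prefixlen:
        raise ValueError(f"/{new_prefix} does not fit inside {net}")

    # Each extra prefix bit doubles the number of subnets.
    subnet_count = 2 ** (new_prefix - net.prefixlen)
    first = next(iter(net.subnets(new_prefix=new_prefix)))

    # Assumption: the three service addresses are the ones immediately after
    # the network address (offsets 1 to 3); the last address is the broadcast.
    reserved = [str(first[i]) for i in (0, 1, 2, 3, -1)]
    return {
        "subnet_count": subnet_count,
        "usable_per_subnet": first.num_addresses - AZURE_RESERVED_PER_SUBNET,
        "first_subnet": str(first),
        "reserved_in_first": reserved,
        "usable_in_first": (str(first[4]), str(first[-2])),
    }


if __name__ == "__main__":
    # Constructed sample input: the /24 from the question, at several prefixes.
    for prefix in (29, 28, 27, 26):
        plan = plan_subnets("10.0.0.0/24", prefix)
        print(f"/{prefix}: {plan['subnet_count']} subnets, "
              f"{plan['usable_per_subnet']} usable each, "
              f"first usable range {plan['usable_in_first']}")
```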