Designing and Implementing Microsoft Azure Networking Solutions
Exam Details
Exam Code: AZ-700
Exam Name: Designing and Implementing Microsoft Azure Networking Solutions
Certification: Microsoft Certifications
Vendor: Microsoft
Total Questions: 390 Q&As
Last Updated: Mar 31, 2025
Microsoft Microsoft Certifications AZ-700 Questions & Answers
Question 101:
You have the on-premises networks shown in the following table.
You have an Azure subscription that contains an Azure virtual WAN named VWAN1 and a virtual network named VNet1. VWAN is connected to the on-premises networks and VNet1 in a full mesh topology. The virtual hub routing preference for VWAN1 is AS Path.
You need to route traffic from VNet1 to 10.61.1.5.
Which path will be used?
A. the VPN connection to Branch1
B. the VPN connection to Branch2
C. the ExpressRoute connection to Branch2
D. the ExpressRoute connection to Branch3
Correct Answer: D
1. VWAN prefers ER over VPN.
2. It doesn't have BGP prepend. Branch 2 has three AS hops, so it is less preferred.
Question 102:
You have an Azure subscription that contains a virtual network named VNet1. VNet1 contains the following subnets:
1. AzureFirewallSubnet
2. GatewaySubnet
3. Subnet1
4. Subnet2
5. Subnet3
Subnet2 has a delegation to the Microsoft.Web/serverfarms service.
The subscription contains the resources shown in the following table.
You need to implement an Azure application gateway named AG1 that will be integrated with an Azure Web Application Firewall (WAF). AG1 will be used to publish VMSS1.
To which subnet should you connect AG1?
A. GatewaySubnet
B. AzureFirewallSubnet
C. Subnet2
D. Subnet1
E. Subnet3
Correct Answer: E
An application gateway is a dedicated deployment in your virtual network. Within your virtual network, a dedicated subnet is required for the application gateway. You can have multiple instances of a given application gateway deployment in a subnet. You can also deploy other application gateways in the subnet. But you can't deploy any other resource in the application gateway subnet.
Subnet3 is not in use.
Incorrect:
Not A: GatewaySubnet is in use. It is used by the Azure VPN gateway.
Not B: AzureFirewallSubnet is in use. It is used by an Azure Firewall.
Not C: Subnet2 is already in use.
Subnet2 has a delegation to the Microsoft.Web/serverfarms service.
Not D: Networking for Azure Virtual Machine Scale Sets
Note that the application gateway must be in the same virtual network as the scale set but must be in a different subnet from the scale set.
Question 103:
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure application gateway that has Azure Web Application Firewall (WAF) enabled.
You configure the application gateway to direct traffic to the URL of the application gateway.
You attempt to access the URL and receive an HTTP 403 error. You view the diagnostics log and discover the following error.
You need to ensure that the URL is accessible through the application gateway.
Solution: You disable the WAF rule that has a ruleId of 920300.
Does this meet the goal?
A. Yes
B. No
Correct Answer: A
Question 104:
You are planning the IP addressing for the subnets in Azure virtual networks.
Which type of resource requires IP addresses in the subnets?
A. storage account
B. internal load balancers
C. service endpoints
D. virtual network peering
Correct Answer: B
During the creation of the load balancer, you'll configure:
1. Frontend IP address
2. Backend pool
3. Inbound load-balancing rules
When you create an internal load balancer, a virtual network is configured as the network for the load balancer.
A private IP address in the virtual network is configured as the frontend for the load balancer. The frontend IP address can be Static or Dynamic.
Question 105:
You have an Azure subscription that contains a virtual network named VNet1 and the virtual machines shown in the following table.
All the virtual machines are connected to Vnet1.
You need to ensure that the applications hosted on the virtual machines can be accessed from the internet. The solution must ensure that the virtual machines share a single public IP address.
What should you use?
A. an internal load balancer
B. Azure Application Gateway
C. a NAT gateway
D. a public load balancer
Correct Answer: D
A public load balancer can provide outbound connections for virtual machines (VMs) inside your virtual network. These connections are accomplished by translating their private IP addresses to public IP addresses. Public Load Balancers are used to load balance internet traffic to your VMs.
Load Balancer load-balances traffic at layer 4 (TCP or UDP).
Incorrect:
Not A: An internal (or private) load balancer is used where private IPs are needed at the frontend only. Internal load balancers are used to load balance traffic inside a virtual network. A load balancer frontend can be accessed from an on-premises network in a hybrid scenario.
Not B: How do Application Gateway and Azure Load Balancer differ?
Application Gateway is a layer 7 load balancer, which means it works only with web traffic (HTTP, HTTPS, WebSocket, and HTTP/2). It supports capabilities such as TLS termination, cookie-based session affinity, and round robin for load-balancing traffic. Load Balancer load-balances traffic at layer 4 (TCP or UDP).
What protocols does Application Gateway support?
Application Gateway supports HTTP, HTTPS, HTTP/2, and WebSocket.
Question 106:
You have an Azure subscription that contains a virtual network named Vnet1. Vnet1 contains a virtual machine named VM1 and an Azure firewall named FW1.
You have an Azure Firewall Policy named FP1 that is associated to FW1.
You need to ensure that RDP requests to the public IP address of FW1 route to VM1.
What should you configure on FP1?
A. a network rule
B. URL filtering
C. a DNAT rule
D. an application rule
Correct Answer: C
You can configure Azure Firewall Destination Network Address Translation (DNAT) to translate and filter inbound Internet traffic to your subnets. When you configure DNAT, the NAT rule collection action is set to Dnat. Each rule in the NAT rule collection can then be used to translate your firewall public IP address and port to a private IP address and port. DNAT rules implicitly add a corresponding network rule to allow the translated traffic.
Note: Azure Firewall supports rules and rule collections. A rule collection is a set of rules that share the same order and priority. Rule collections are executed in order of their priority. Network rule collections are higher priority than application rule collections, and all rules are terminating.
There are three types of rule collections:
Application rules: Configure fully qualified domain names (FQDNs) that can be accessed from a subnet.
Network rules: Configure rules that contain source addresses, protocols, destination ports, and destination addresses.
NAT rules: Configure DNAT rules to allow incoming Internet connections.
Question 107:
You have an Azure subscription that contains four virtual networks named VNet1, VNet2, VNet3, and VNet4.
You plan to deploy a hub and spoke topology by using virtual network peering.
You need to configure VNet1 as the hub network. The solution must meet the following requirements:
1. Support transitive routing between spokes.
2. Maximize network throughput.
What should you include in the solution?
A. Azure VPN Gateway
B. Azure Route Server
C. Azure Private Link
D. Azure Firewall
Correct Answer: D
Azure Firewall is the best response.
Communication through an NVA: If you need connectivity between spokes, consider deploying Azure Firewall or another NVA in the hub. Then create routes to forward traffic from a spoke to the firewall or NVA, which can then route to the second spoke. In this scenario, you must configure the peering connections to allow forwarded traffic. You can also use a VPN gateway to route traffic between spokes, although this choice affects latency and throughput. For configuration details, see Configure VPN gateway transit for virtual network peering.
https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/hub-spoke?tabs=cli
Question 108:
You are planning the IP addressing for the subnets in Azure virtual networks.
Which type of resource requires IP addresses in the subnets?
A. Azure DDoS Protection for virtual networks
B. virtual network peering
C. internal load balancers
D. service endpoints
Correct Answer: C
During the creation of the load balancer, you'll configure:
1. Frontend IP address
2. Backend pool
3. Inbound load-balancing rules
When you create an internal load balancer, a virtual network is configured as the network for the load balancer.
A private IP address in the virtual network is configured as the frontend for the load balancer. The frontend IP address can be Static or Dynamic.
Incorrect:
* service endpoints
A service endpoint is created in a virtual subnet, but there is no IP address defined for the Service endpoint.
Service endpoints are a way for Azure DevOps to connect to external systems or services. They're a bundle of properties securely stored by Azure DevOps, which includes but isn't limited to the following properties:
Service name, Description, Server URL, Certificates or tokens, User names and passwords
* service endpoint policies Service Endpoint Policy object, example.
Question 109:
You have an Azure subscription that contains a virtual network named Vnet1. Vnet1 contains 20 subnets and 500 virtual machines. Each subnet contains a virtual machine that runs network monitoring software.
You have a network security group (NSG) named NSG1 associated to each subnet.
When a new subnet is created in Vnet1 an automated process creates an additional network monitoring virtual machine in the subnet and links the subnet to NSG1.
You need to create an inbound security rule in NSG1 that will allow connections to the network monitoring virtual machines from an IP address of 131.107.1.15. The solution must meet the following requirements:
1. Ensure that only the monitoring virtual machines receive a connection from 131.107.1.15.
2. Minimize changes to NSG1 when a new subnet is created.
What should you use as the destination in the inbound security rule?
A. an application security group
B. a service tag
C. a virtual network
D. an IP address
Correct Answer: A
Application security groups
Application security groups enable you to configure network security as a natural extension of an application's structure, allowing you to group virtual machines and define network security policies based on those groups. You can reuse your security policy at scale without manual maintenance of explicit IP addresses.
Incorrect:
Not B: The network monitoring software is not an Azure service so service tags cannot be used.
Not D: Requires maintenance of explicit IP addresses.
Note: You can use an Azure network security group to filter network traffic between Azure resources in an Azure virtual network. A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources. For each rule, you can specify source and destination, port, and protocol.
Security rules
A network security group contains zero, or as many rules as desired, within Azure subscription limits. Each rule specifies the following properties:
* Source or destination: Any, or an individual IP address, classless inter-domain routing (CIDR) block (10.0.0.0/24, for example), service tag, or application security group. If you specify an address for an Azure resource, specify the private IP address assigned to the resource.
* Etc.
Service tags
A service tag represents a group of IP address prefixes from a given Azure service. It helps to minimize the complexity of frequent updates on network security rules.
Question 110:
You have an Azure subscription that contains the resources shown in the following table.
Subnet1 contains three virtual machines that host an app named App1. App1 is accessed by using the SFTP protocol.
From NSG1, you configure an inbound security rule named Rule2 that allows inbound SFTP connections to ASG1.
You need to ensure that the inbound SFTP connections are managed by using ASG1. The solution must minimize administrative effort.
What should you do?
A. From NSG1, modify the priority of Rule2.
B. From each virtual machine, associate the network interface to ASG1.
C. From Subnet1, create a subnet delegation.
D. From ASG1, modify the role assignments.
Correct Answer: B
An application security group is a logical collection of virtual machines (NICs). You join virtual machines to the application security group, and then use the application security group as a source or destination in NSG rules.
The Networking blade of virtual machine properties has a new button called Configure The Application Security Groups for each NIC in the virtual machine. If you click this button, a pop-up blade will appear where you can select which application security groups (none, one, or many) this NIC should join, and then click Save to commit the change.