Designing and Implementing Microsoft Azure Networking Solutions
Exam Details
Exam Code: AZ-700
Exam Name: Designing and Implementing Microsoft Azure Networking Solutions
Certification: Microsoft Certifications
Vendor: Microsoft
Total Questions: 390 Q&As
Last Updated: Mar 31, 2025
Microsoft Certifications AZ-700 Questions & Answers
Question 111:
You are planning the IP addressing for the subnets in Azure virtual networks. Which type of resource requires IP addresses in the subnets?
A. internal load balancers
B. Azure DDoS Protection for virtual networks
C. service endpoint policies
D. service endpoints
Correct Answer: A
During the creation of the load balancer, you'll configure:
* Frontend IP address
* Backend pool
* Inbound load-balancing rules
When you create an internal load balancer, a virtual network is configured as the network for the load balancer.
A private IP address in the virtual network is configured as the frontend for the load balancer. The frontend IP address can be Static or Dynamic.
Incorrect:
* service endpoints
A service endpoint is created in a virtual subnet, but there is no IP address defined for the service endpoint.
Service endpoints are a way for Azure DevOps to connect to external systems or services. They're a bundle of properties securely stored by Azure DevOps, which includes but isn't limited to the following properties: service name, description, server URL, certificates or tokens, user names and passwords.
* service endpoint policies
Service Endpoint Policy object, example.
Question 112:
You have an Azure subscription that contains the Azure App Service web apps shown in the following table.
You need to deploy Azure Traffic Manager. The solution must meet the following requirements:
Traffic to https://www.fabrikam.com must be directed to App1eu.
If App1eu becomes unresponsive, all the traffic to https://www.fabrikam.com must be directed to App1us.
You need to implement Traffic Manager to meet the requirements.
Which two resources should you create? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. a Traffic Manager profile that uses the priority routing method
B. a Traffic Manager profile that uses the geographic routing method
C. a CNAME record in a DNS domain named fabrikam.com
D. a TXT record in a DNS domain named fabricam.com
E. a real user measurements key in Traffic Manager
Correct Answer: AC
Disaster recovery using Azure DNS and Traffic Manager: automatic failover using Azure Traffic Manager.
(A) Step 1: Create a new Azure Traffic Manager profile
Create a new Azure Traffic Manager profile with the name contoso123 and select Priority as the routing method.
Priority routing is based on health checks of endpoints. By default, Azure Traffic Manager sends all traffic to the highest priority endpoint, and upon a failure or disaster, Traffic Manager routes the traffic to the secondary endpoint.
Incorrect:
* geographic routing
Geographic: select geographic routing to direct users to specific endpoints (Azure, External, or Nested) based on where their DNS queries originate geographically. This routing method lets you comply with scenarios such as data sovereignty mandates, localization of content and user experience, and measuring traffic from different regions.
Step 2: Create endpoints within the Traffic Manager profile
Step 3: Set up health check and failover configuration
(C) Create a DNS zone, create the DNS zone records, and update the CNAME record.
Only CNAME records are supported when you configure a domain name using the Traffic Manager endpoint. Because A records are not supported, a root domain mapping, such as contoso.com, is also not supported.
Question 113:
You have an Azure subscription that contains the resources shown in the following table.
Users on HP1 connect to App1 by using a URL of https://app1.contoso.com.
You need to ensure that the IDPS on FW1 can identify security threats in the connections from HP1 to Server1.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. Enable TLS inspection for FW1.
B. Import a server certificate to KV1.
C. Enable threat intelligence for FW1.
D. Add an application group to HP1.
E. Add a secured virtual network to FW1.
Correct Answer: AB
A: TLS inspection
Azure Firewall Premium provides TLS inspection capability by decrypting the outbound traffic, inspecting it, processing it, and then re-encrypting the data and sending it to the destination. Azure Firewall Premium intercepts outbound HTTPS traffic and auto-generates a server certificate for the URL that you are trying to access. End-user browsers and the client applications must trust your organization's Root CA certificate or intermediate CA certificate for this procedure to work.
Why TLS inspection is important
Encrypted traffic has a security risk, as it can hide illegal user activity and malicious traffic. Azure Firewall without TLS inspection has no visibility into the data that flows in the encrypted TLS tunnel, and so it cannot provide full protection coverage for the outbound traffic.
How TLS inspection works in Azure Firewall Premium
TLS inspection is achieved by using an intermediate CA certificate. An intermediate certificate works as a substitute for a root certificate: it stands in for the root by forming the "chain of trust" between an end-entity certificate and the root.
B: How to enable TLS inspection in Azure Firewall Premium with the auto-generate new certificate feature in a POC environment:
1. Navigate to the Azure Firewall Premium policy on which you want to enable TLS inspection.
2. From the left menu pane, select TLS Inspection and click the Enabled option.
3. In the Key Vault section, under Managed identity, select (New) Managed Identity Name. The following new resources with a random name will be created:
* Managed Identity
* Key Vault
* Self-signed Root CA certificate
4. Click the Save button at the bottom of the page to commit the changes.
5. Once saved, a new managed identity and a new Azure Key Vault will be created along with a new root certificate (you can view the certificate under the certificates section).
6. Once you click on the certificate, you get an option to download it in both PFX/PEM and CER format. Download the certificate in .CER format and copy it to the end user's machine from which you would like to access a secure public website.
7. Configure an application rule in the Azure Firewall policy to allow the outbound web traffic from the end user's machine. Since TLS inspection is enabled in this outbound rule, all outbound traffic will be inspected by the Azure Firewall.
Incorrect:
* threat intelligence
Azure Firewall threat intelligence-based filtering: you can enable threat intelligence-based filtering for your firewall to alert on and deny traffic from/to known malicious IP addresses, FQDNs, and URLs. The IP addresses, domains and URLs are sourced from the Microsoft Threat Intelligence feed, which includes multiple sources including the Microsoft Cyber Security team.
Question 114:
You have an Azure virtual network named VNet1 that contains the subnets shown in the following table.
You need to deploy an Azure application gateway named AppGW1 to VNet1. To where can you deploy AppGW1?
A. GatewaySubnet only
B. Subnet2 only
C. Subnet1 or Subnet2 only
D. Subnet2 or GatewaySubnet only
E. Subnet1, Subnet2, and GatewaySubnet
Correct Answer: B
An application gateway is a dedicated deployment in your virtual network. Within your virtual network, a dedicated subnet is required for the application gateway. You can have multiple instances of a given application gateway deployment in a subnet. You can also deploy other application gateways in the subnet. But you can't deploy any other resource in the application gateway subnet.
Question 115:
You have an Azure subscription that includes a virtual network named VNet1 and a private Azure Kubernetes Service (AKS) cluster named AKS1. VNet1 is connected to your on-premises environment via an Azure ExpressRoute circuit.
AKS1 is connected to VNet1.
You need to implement an off-cluster ingress controller for AKS1. The solution must provide connectivity from the on-premises environment to containerized workloads hosted on AKS1.
Which Azure service should you use?
A. Azure Application Gateway
B. Azure Front Door
C. Azure Traffic Manager
D. Azure Load Balancer
Correct Answer: A
Traffic from application users to the cluster
Incoming (ingress) controllers can be used to expose applications running in the AKS clusters.
Ingress controllers can expose applications and APIs with a public or a private IP address.
Application traffic can come from either on-premises or the public internet. The following picture describes an example where an Azure Application Gateway is configured to reverse-proxy connections to the clusters both from on-premises and from the public internet.
Traffic from on-premises follows the flow of the numbered blue callouts in the previous diagram.
1. The client will resolve the FQDN assigned to the application, either using the DNS servers deployed in the connectivity subscription or on-premises DNS servers.
2. After resolving the application FQDN to an IP address (the private IP address of the application gateway), traffic is routed through a VPN or ExpressRoute gateway.
3. Routing in the gateway subnet is configured to send the request to the web application firewall.
4. The web application firewall sends valid requests to the workload running in the AKS cluster.
The Azure Application Gateway in this example can be deployed in the same subscription as the AKS cluster, since its configuration is closely related to the workloads deployed in AKS and is therefore managed by the same application team.
Incorrect:
* Azure Front Door, Azure Traffic Manager
Clients from the public internet resolve the DNS name for the application using Azure Traffic Manager. Alternatively, other global load-balancing technologies like Azure Front Door can be used.
Question 116:
You have an Azure subscription that contains four virtual machines. The virtual machines host an app named App1.
You deploy an Azure Standard Load Balancer named LB1 to load balance incoming HTTPS requests to App1.
You need to reduce how long it takes for LB1 to stop sending App1 traffic to failed servers. The solution must minimize administrative effort.
What should you modify?
A. the Backend pools settings
B. the Diagnostic settings
C. the Load-balancing rules
D. the Health probes settings
Correct Answer: D
Azure Load Balancer rules require a health probe to detect the endpoint status. The configuration of the health probe and probe responses determines which backend pool instances will receive new connections. Use health probes to detect the failure of an application. Generate a custom response to a health probe. Use the health probe for flow control to manage load or planned downtime. When a health probe fails, the load balancer will stop sending new connections to the respective unhealthy instance. Outbound connectivity isn't affected, only inbound.
Add a TCP health probe
In this example, you'll create a TCP health probe to monitor port 80.
1. Sign in to the Azure portal.
2. In the search box at the top of the portal, enter Load balancer. Select Load balancers in the search results.
3. Select myLoadBalancer or your load balancer.
4. In the load balancer page, select Health probes in Settings.
Question 117:
You have an Azure subscription that contains the resources shown in the following table.
Gateway1 provides access to App1 by using a URL of http://app1.contoso.com.
You create a new web app named App2.
You need to configure Gateway1 to enable access to App2. The solution must minimize administrative effort.
What should you configure on Gateway1?
A. a backend pool and a routing rule
B. a listener and a routing rule
C. a listener, a backend pool, and a routing rule
D. a listener and a backend pool
Correct Answer: C
Question 118:
You have an Azure subscription that contains an Azure Front Door named FD1.
You plan to deploy an app named App1 by using Azure App Service. Users will access App1 by using FD1.
You need to provide FD1 with access to App1. The solution must meet the following requirements:
1. Ensure that users can only access App1 by using FD1.
2. Ensure that users cannot access App1 directly from the internet.
What should you create for App1?
A. an access restriction
B. a private endpoint
C. a subnet delegation
D. a service endpoint
Correct Answer: A
Create a rule pointing to Azure Front Door: https://techcommunity.microsoft.com/t5/azure-architecture-blog/permit-access-only-from-azure-front-door-to-azure-app-service-as/ba-p/2000173
Question 119:
You have an Azure subscription that contains the resources shown in the following table.
You need to ensure that the apps hosted on VM1 can resolve the IP address of the
What should you create first?
A. a public DNS zone named database.windows.net
B. a private DNS zone named database.windows.net
C. a public DNS zone named privatelink.database.windows.net
D. a private DNS zone named privatelink.database.windows.net
Correct Answer: D
Azure Private Endpoint DNS configuration
You can use the following options to configure your DNS settings for private endpoints:
* Use the hosts file (only recommended for testing). You can use the hosts file on a virtual machine to override the DNS.
* Use a private DNS zone. You can use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone can be linked to your virtual network to resolve specific domains.
* Use your DNS forwarder (optional).
For Azure services, use the recommended zone names as described in the following table:
* Azure SQL Database (Microsoft.Sql/servers) / sqlServer. Private DNS zone name: privatelink.database.windows.net
Question 120:
You have a web application that uses Azure Traffic Manager for load balancing. End users must be routed to the closest endpoint for lowest network latency. Which traffic-routing method should you configure?
A. Performance
B. Geographic
C. Priority
Correct Answer: A
Performance: use this routing method when you have endpoints in different geographic locations and you want end users to use the "closest" endpoint for the lowest network latency.
Incorrect:
* Geographic: select this routing method to direct users to specific endpoints (Azure, External, or Nested) based on where their DNS queries originate geographically.
* Priority: select this routing method when you want to have a primary service endpoint for all traffic. You can provide multiple backup endpoints in case the primary or one of the backup endpoints is unavailable.