Microsoft Microsoft Certifications AZ-700 Questions & Answers

• Question 121:

  You have an Azure application gateway configured for a single website that is available at https://www.contoso.com.

  The application gateway contains one backend pool and one rule. The backend pool contains two backend servers. Each backend server has an additional website that is available on port 8080.

  You need to ensure that if port 8080 is unavailable on a backend server, all the traffic for https://www.contoso.com is redirected to the other backend server.

  What should you do?

  A. Create a health probe

  B. Add a new rule

  C. Change the port on the listener

  D. Add a new listener

  Correct Answer: A

  By default, Azure Application Gateway probes backend servers to check their health status and to check whether they're ready to serve requests. Users can also create custom probes to mention the host name, the path to be probed, and the status codes to be accepted as Healthy. In each case, if the backend server doesn't respond successfully, Application Gateway marks the server as Unhealthy and stops forwarding requests to the server. After the server starts responding successfully, Application Gateway resumes forwarding the requests.

  Note: The default probe request is sent in the format of ://127.0.0.1:/. For example, http://127.0.0.1:80 for an http probe on port 80. Only HTTP status codes of 200 through 399 are considered healthy. The protocol and destination port are inherited from the HTTP settings. If you want Application Gateway to probe on a different protocol, host name, or path and to recognize a different status code as Healthy, configure a custom probe and associate it with the HTTP settings.

  Reference: https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-backend-health-troubleshooting

• Question 122:

  You have deployed a virtual named VM1 that connects over port number 4444 to an application named App1.

  App1 is hosted in your on-premises environment.

  You discover that VM1 is not able to connect to App1.

  You need to verify whether the issue relates to the network security groups.

  What should you use?

  A. Diagnostic settings in Azure Monitor

  B. Diagnose and solve problems in Traffic Manager Profiles

  C. The security recommendations in Azure Advisor

  D. IP flow verify in Azure Network Watcher

  Correct Answer: D

  Correct Answer(s):

  IP flow verify in Azure Network Watcher - IP flow verify checks if a packet is allowed or denied to or from a virtual machine. The information consists of direction, protocol, local IP, remote IP, local port, and remote port. If the packet is denied

  by a security group, the name of the rule that denied the packet is returned. While any source or destination IP can be chosen, IP flow verify helps administrators quickly diagnose connectivity issues from or to the internet and from or to the

  on-premises environment.

  https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-ip-flow-verify-overview

  Wrong Answers:

  Diagnostic settings in Azure Monitor Diagnostic settings are used to define the type of metric and log data to send to the destinations.

  Diagnose and solve problems in Traffic Manager Profiles Not a valid option. Traffic manager is not used in the scenario given in the question.

  The security recommendations in Azure Advisor - The Advisor dashboard displays personalized recommendations for all your subscriptions. You can get security recommendations from the Security tab on the Advisor dashboard.

  This does not provide the packet drop or traffic flow logs.

• Question 123:

  You have two Azure virtual networks named VNet1 and VNet2.

  VNet1 contains an Azure virtual machine named VM1.

  VNet2 contains an Azure virtual machine named VM2.

  VM1 hosts a frontend application that connects to VM2 to retrieve data. Users report that the frontend application is slower than usual. You need to view the average round-trip time (RTT) of the packets from VM1 to VM2.

  Which Azure Network Watcher feature should you use?

  A. IP flow verify

  B. Connection troubleshoot

  C. Connection monitor

  D. NSG flow logs

  Correct Answer: C

  Correct Answer(s):

  Connection monitor - Connection Monitor provides you RTT values on a per-minute granularity. The connection monitor capability monitors communication at a regular interval and informs you of reachability, latency, and network topology

  changes between the VM and the endpoint.

  https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview#monitoring

  Wrong Answers:

  IP flow verify - IP flow verify checks if a packet is allowed or denied to or from a virtual machine.

  Connection troubleshoot -- Enable you to troubleshoot network performance and connectivity issues in Azure.

  NSG flow logs - allows you to log information about IP traffic flowing through an NSG.

• Question 124:

  You have an Azure virtual network named Hub1.

  Hub1 connects to an on-premises network by using a Site-to-Site VPN connection.

  You created an Azure Virtual network named Spoke1.

  You are implementing peering between Hub1 and Spoke1.

  You need to ensure that a virtual machine connected to Spoke1 can connect to the on-premises network through Hub1.

  How should you complete the PowerShell script?

  

  A. Code Block1: -AllowForwardedTraffic

  B. Code Block1: -AllowGatewayTransit

  C. Code Block1: -UseRemoteGateways

  D. Code Block2: -AllowForwardedTraffic

  E. Code Block2: -AllowGatewayTransit

  F. Code Block2: -UseRemoteGateways

  Correct Answer: BF

  Virtual network peering is a non-transitive relationship between two virtual networks. You can configure spokes to use the hub gateway to communicate with remote networks. To allow gateway traffic to flow from spoke to hub and connect to

  remote networks, you must:

  Configure the peering connection in the hub to allow gateway transit.

  Configure the peering connection in each spoke to use remote gateways.

  Configure all peering connections to allow forwarded traffic.

  Below is the sample code.

  # Peer hub to spoke

  Add-AzVirtualNetworkPeering -Name HubtoSpoke -VirtualNetwork $VNetHub -RemoteVirtualNetworkId $VNetSpoke.Id -AllowGatewayTransit

  # Peer spoke to hub

  Add-AzVirtualNetworkPeering -Name SpoketoHub -VirtualNetwork $VNetSpoke -RemoteVirtualNetworkId $VNetHub.Id -AllowForwardedTraffic UseRemoteGateways

  https://docs.microsoft.com/en-us/azure/firewall/tutorial-hybrid-ps#peer-the-hub-and-spoke-virtual-networks https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/hub- spoke?tabs=cli#virtual-networkpeering

  Wrong Answers:

  Code Block1: -AllowForwardedTraffic and Code Block2: -AllowForwardedTraffic

  Allow forwarded traffic is used if you require connectivity between spokes. You can create routes to forward traffic from the spoke to the firewall or network virtual appliance, which can then route to the second spoke.

• Question 125:

  You plan to create a Point-to-Site (P2S) VPN connection for a remote user to connect to your Azure environment. Which of the following protocols should you use?

  A. OpenVPN

  B. IPSec

  C. Secure Socket Tunneling Protocol (SSTP)

  D. IKEv2 VPN

  E. FTP

  Correct Answer: ACD

  Point-to-site VPN can use one of the following protocols:

  OpenVPN?Protocol, an SSL/TLS based VPN protocol. A TLS VPN solution can penetrate firewalls, since most firewalls open TCP port 443 outbound, which TLS uses. OpenVPN can be used to connect from Android, iOS (versions 11.0 and above), Windows, Linux, and Mac devices (macOS versions 10.13 and above).

  Secure Socket Tunneling Protocol (SSTP), a proprietary TLS-based VPN protocol. A TLS VPN solution can penetrate firewalls, since most firewalls open TCP port 443 outbound, which TLS uses. SSTP is only supported on Windows devices. Azure supports all versions of Windows that have SSTP and support TLS 1.2 (Windows 8.1 and later).

  IKEv2 VPN, a standards-based IPsec VPN solution. IKEv2 VPN can be used to connect from Mac devices (macOS versions 10.11 and above). https://docs.microsoft.com/en-us/azure/vpn-gateway/point-to-site-about#protocol

• Question 126:

  Which virtual machines can VM1 ping successfully?

  A. VM2 only

  B. VM2 and VM4 only

  C. VM2, VM3 and VM4 only

  D. VM2, VM3, VM4 and VM5 only

  Correct Answer: C

  VM1 is in VNet1/Subnet1.

  VNet1 is peered with VNet2 and VNet3.

  There is no NSG rule blocking outbound ICMP from VNet1.

  There are no NSG rule blocking inbound ICMP to VNet1/Subnet2, VNet2 or VNet3.

  Therefore, VM1 can ping VM2 in VNet1/Subnet2, VM3 in VNet2 and VM4 in VNet3.

• Question 127:

  You have an Azure Front Door instance named FD1 that is protected by using Azure Web Application Firewall (WAF).

  FD1 uses a frontend host named app1.healthengine.com to provide access to Azure web apps hosted in the East US Azure region and the West US Azure region.

  You need to configure FD1 to block requests to app1.healthengine.com from all countries other than the United States.

  What should you include in the WAF policy?

  A. a frontend host association

  B. a managed rule set

  C. a custom rule that uses a rate limit rule

  D. a custom rule that uses a match rule

  Correct Answer: D

  Correct Answer(s):

  a custom rule that uses a match rule - Custom rules allow you to create tailored rules to suit the exact needs of your applications and security policies. Now, you can restrict access to your web applications by country/region. As with all

  custom rules, this logic can be compounded with other rules to suit the needs of your application.

  To create a geo-filtering custom rule in the Azure portal, simply select Geo location as the Match Type, and then select the country/region or countries/regions you want to allow/block from your application.

  https://docs.microsoft.com/en-us/azure/web-application-firewall/ag/geomatch-custom-rules

  Wrong Answers:

  a frontend host association This is to add a frontend profile.

  a managed rule set - Azure-managed rule sets provide an easy way to deploy protection against a common set of security threats.

  a custom rule that uses a rate limit rule - A rate control rule limits abnormally high traffic from any client IP address.

• Question 128:

  Your company has an Azure virtual network named Vnet1 that uses an IP address space of 192.168.0.0/20.

  Vnet1 contains a subnet named Subnet1 that uses an IP address space of 192.168.0.0/24. You create an IPv6 address range to Vnet1 by using a CIDR suffix of /48. You need to enable the virtual machines on Subnet1 to communicate with

  each other by using IPv6 addresses assigned by the company.

  The solution must minimize the number of additional IPv4 addresses.

  What should you do for each virtual machine?

  A. Create an additional IP configuration

  B. Create an additional NIC

  C. Create a public IPv6 address

  Correct Answer: A

  You need to configure the VM NICs with an IPv6 address. https://docs.microsoft.com/en-us/azure/load-balancer/ipv6-add-to-existing-vnet-cli

• Question 129:

  You need to deploy an Azure Load Balancer that support outbound traffic rules. Which SKU should you use? Costs must be minimal.

  A. Basic

  B. Standard

  Correct Answer: B

• Question 130:

  You have an Azure subscription that contains the following resources:

  A virtual network named Vnet1

  A subnet named Subnet1 in Vnet1

  A virtual machine named VM1 that connects to Subnet1

  Three storage accounts named storage1, storage2, and storage3

  You need to ensure that VM1 can access storage1. VM1 must be prevented from accessing any other storage accounts.

  To achieve the requirement, you configure the firewall on storage1 to only accept connections from Vnet1.

  Did you achieve the requirement?

  A. Yes

  B. No

  Correct Answer: B

  If you configure the firewall on storage1 to only accept connections from Vnet1, any virtual machine from Vnet1 will be able to connect to the storage1. VM1 can also access other storage accounts depending on the firewall settings on other storage accounts.