Microsoft Microsoft Certifications AZ-700 Questions & Answers

• Question 151:

  You need to implement name resolution for the cloud.healthengine.com.

  The solution must meet the networking requirements.

  What should you do to implement automatic DNS name registration in clould.healthengine.com?

  A. Create virtual network links

  B. Configure conditional forwarding

  C. Create an SOA record in cloud.healthengine.com

  Correct Answer: A

  Scenario: Automatically register the DNS names of Azure virtual machines to the cloud.healthengine.com zone

  After you create a private DNS zone in Azure, you'll need to link a virtual network to it. Once linked, VMs hosted in that virtual network can access the private DNS zone. When creating a link between a private DNS zone and a virtual network. You have the option to enable autoregistration. With this setting enabled, the virtual network becomes a registration virtual network for the private DNS zone. A DNS record gets automatically created for any virtual machines you deploy in the virtual network. DNS records will also be created for virtual machines already deployed in the virtual network.

  https://docs.microsoft.com/en-us/azure/dns/private-dns-virtual-network-links

• Question 152:

  Your company has two on-premises sites in New York and Los Angeles.

  Your company has Azure virtual networks in the East US Azure region and the West US Azure region.

  Each on-premises site has Azure ExpressRoute circuits to both regions.

  You need to recommend a solution that meets the following requirements:

  Outbound traffic to the Internet from workloads hosted on the virtual networks must be routed through the closest available on-premises site.

  If an on-premises site fails, traffic from the workloads on the virtual networks to the Internet must reroute automatically to the other site.

  What should you include in the recommendation to route from virtual networks to on-premises locations?

  A. Azure Default routes

  B. Border Gateway Protocol (BGP)

  C. User-defined routes

  Correct Answer: B

  Correct Answer(s):

  Border Gateway Protocol (BGP) - You must use BGP to advertise on-premises routes to the Microsoft Edge router. You cannot create user-defined routes to force traffic to the ExpressRoute virtual network gateway if you deploy a virtual

  network gateway deployed as type: ExpressRoute.

  https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview#next-hop-types-across- azure-tools

  Wrong Answers:

  Azure Default routes - When outbound traffic is sent from a subnet, Azure selects a route based on the destination IP address, using the longest prefix match algorithm.

  User-defined routes - You cannot create user-defined routes to force traffic to the ExpressRoute virtual network gateway if you deploy a virtual network gateway deployed as type: ExpressRoute.

• Question 153:

  You have an on-premises network that uses an IP address space of 172.16.0.0/16.

  You plan to create a new Azure subscription and deploy 25 virtual machines.

  The requirements are as follows:

  All Azure virtual machines must be placed on the same subnet named Subnet1.

  All the Azure virtual machines must be able to communicate with all on-premises servers.

  The servers must be able to communicate between the on-premises network and Azure by using a site-to-site VPN.

  What should you include in the recommendation for Subnet1 and Gateway subnet IP address space?

  A. 172.16.0.0/16 and 172.16.1.0/28

  B. 172.16.0.0/16 and 192.168.0.0/24

  C. 172.16.1.0/28 and 192.168.0.0/24

  D. 192.168.0.0/24 and 172.16.1.0/28

  E. 192.168.0.0/24 and 192.168.1.0/28

  Correct Answer: E

  We cannot use these IP address spaces - 172.16.0.0/16 and 172.16.1.0/28 in Azure as these overlap with on- premises IP address space. The virtual network gateway uses specific subnet called the gateway subnet. The gateway subnet is part

  of the virtual network IP address range that you specify when configuring your virtual network. It contains the IP addresses that the virtual network gateway resources and services use.

  When you create the gateway subnet, you specify the number of IP addresses that the subnet contains. The number of IP addresses needed depends on the VPN gateway configuration that you want to create. Some configurations require

  more IP addresses than others. We recommend that you create a gateway subnet that uses a /27 or /28.

  So, the subnet1 IP address space must be 192.168.0.0/24 and Gateway subnet IP address space must be 192.168.1.0/28

  https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager- portal#VNetGateway

  Wrong Answers:

  172.16.0.0/16 and 172.16.1.0/28 - Overlaps with on-premises IP address space.

  172.16.0.0/16 and 192.168.0.0/24 - Overlaps with on-premises IP address space.

  172.16.1.0/28 and 192.168.0.0/24 - Overlaps with on-premises IP address space.

  192.168.0.0/24 and 172.16.1.0/28 - Overlaps with on-premises IP address space.

• Question 154:

  You have an application deployed in to two Azure app services as shown below.

  

  You need to change the front end to an active/active application instances in which both regions process incoming connections. What should you do?

  A. Add a load balancer to each region

  B. Add an Azure application gateway to each region

  C. Add an Azure Content Delivery Network (CDN)

  D. Modify the Traffic Manager routing method.

  Correct Answer: D

  Correct Answer(s):

  Modify the Traffic Manager routing method - Azure Traffic Manager supports six traffic-routing methods to determine how to route network traffic to the various service endpoints.

  You can select Weighted routing when you want to distribute traffic across a set of endpoints based on their weight. Set the weight the same to distribute evenly across all endpoints.

  https://docs.microsoft.com/en-us/azure/traffic-manager/traffic-manager-routing-methods

  Wrong Answers:

  Add a load balancer to each region - Existing traffic manager can distribute traffic to multiple regions. Azure Web App will have its own load balancer.

  Add an Azure application gateway to each region - Existing traffic manager can distribute traffic to multiple regions. Azure Web App will have its own load balancer.

  Add an Azure Content Delivery Network (CDN) - CDN is used to cache content near to user's location.

• Question 155:

  You need to ensure that the URL is accessible through the application gateway.

  To achieve the requirement, you create a WAF policy exclusion for request headers that contain 167.220.2.139.

  Did you achieve the requirement?

  A. Yes

  B. No

  Correct Answer: B

  RemoteAddr specifies the IP Address/Range of the remote computer connection. So, you should use RemoteAddr instead of request headers. https://docs.microsoft.com/en-us/azure/web-application-firewall/ag/custom-waf-rules-overview#match-variable- required

• Question 156:

  You have an application deployed in to two Azure app services as shown below.

  

  You need to control the threshold for failing over the front end to the standby region. What should you configure?

  A. An application Insights availability test

  B. Azure SQL Database failover groups

  C. Connection Monitor in Azure Network Watcher

  D. Endpoint monitor settings in Traffic Manager

  Correct Answer: D

  Correct Answer(s):

  Endpoint monitor settings in Traffic Manager - You need to configure endpoint monitoring settings Tolerated number of failures - This value specifies how many failures a Traffic Manager probing agent tolerates before marking that endpoint

  as unhealthy. Its value can range between 0 and 9. A value of 0 means a single monitoring failure can cause that endpoint to be marked as unhealthy. If no value is specified, it uses the default value of 3.

  https://docs.microsoft.com/en-us/azure/traffic-manager/traffic-manager-monitoring

  Wrong Answers:

  An application Insights availability test - This is a simple test through the portal to validate whether an endpoint is responding, and measure performance associated with that response.

  Azure SQL Database failover groups - The requirement is front-end failover.

  Connection Monitor in Azure Network Watcher - Connection Monitor provides unified end-to-end connection monitoring in Azure Network Watcher. For example, your front-end web server VM communicates with a database server VM in a

  multi-tier application. You want to check network connectivity between the two VMs.

• Question 157:

  Your company has two on-premises sites in New York and Los Angeles.

  Your company has Azure virtual networks in the East US Azure region and the West US Azure region.

  Each on-premises site has Azure ExpressRoute circuits to both regions.

  You need to recommend a solution that meets the following requirements:

  Outbound traffic to the Internet from workloads hosted on the virtual networks must be routed through the closest available on-premises site.

  If an on-premises site fails, traffic from the workloads on the virtual networks to the Internet must reroute automatically to the other site.

  What should you include in the recommendation for automatic routing configuration following a failover?

  A. Host Standby Routing Protocol (HSRP)

  B. Border Gateway Protocol (BGP)

  C. Virtual Router Redundancy Protocol (VRRP)

  Correct Answer: B

  Correct Answer(s):

  Border Gateway Protocol (BGP) - Microsoft does not support any router redundancy protocols (for example, HSRP, VRRP) for high availability configurations. We rely on a redundant pair of BGP sessions per peering for high availability.

  https://docs.microsoft.com/en-us/azure/expressroute/expressroute-routing

  https://docs.microsoft.com/en-us/azure/expressroute/expressroute-optimize-routing#suboptimal-routing-from- customer-to-microsoft

  Wrong Answers:

  Host Standby Routing Protocol (HSRP) -Microsoft does not support any router redundancy protocols (for example, HSRP, VRRP) for high availability configurations.

  Virtual Router Redundancy Protocol (VRRP) -Microsoft does not support any router redundancy protocols (for example, HSRP, VRRP) for high availability configurations.

• Question 158:

  You have an Azure subscription named Subscription1.

  You have two virtual networks in Subscription1 named HubVNet and SpokeVNet.

  You have an Azure Firewall with a public IP address, configured as a Standard SKU in HubVNet.

  You have a Windows Server 2016 with private IP address in SpokeVNet.

  You need to connect to Windows Server using the public IP address of Azure firewall.

  What should you configure?

  A. ExpressRoute Gateway

  B. Virtual Network Peering

  C. Route Table

  D. Virtual Network Gateway

  E. NAT Rule for the Firewall

  Correct Answer: BCE

  For traffic to flow between the Hub and Spoke VNets, you will need a peer connection between the virtual networks.

  You will need a route table to route ingress traffic to the firewall virtual appliance.

  You can configure a NAT rule on the firewall to translate and filter inbound Internet traffic to your subnets.

• Question 159:

  You have an Azure environment.

  You are planning to deploy an Azure Firewall in a subscription named Subscription1.

  What is the name of the subnet that must be created?

  A. Default

  B. DMZsubnet

  C. AzureFirewallSubnet

  D. FirewallSubnet

  Correct Answer: C

  Correct Answer(s):

  AzureFirewallSubnet - The firewall will be in this subnet, and the subnet name must be AzureFirewallSubnet. https://docs.microsoft.com/en-us/azure/firewall/tutorial-firewall-deploy-portal

  Wrong Answers:

  Default The default subnet that gets created along with virtual network. Azure firewall should have a dedicated subnet named AzureFirewallSubnet.

  DMZsubnet - Not a valid option.

  FirewallSubnet Not a valid option.

• Question 160:

  You have deployed multiple websites in Internet Information Server (IIS) by using Azure virtual machine scale sets (VMSS).

  User sessions must be routed to the same server by using cookie-based session affinity. The below image depicts the network traffic flow for the websites to the VMSS.

  

  What should you configure to make sure web traffic arrives at the appropriate server in the VMSS?

  A. Routing rules and backend listeners

  B. CNAME and A records

  C. Routing method and DNS time to live (TTL)

  D. Path-based redirection and websockets

  Correct Answer: A

  Correct Answer(s):

  Routing rules and backend listeners - You can configure the hosting of multiple web sites when you create an application gateway. You need to define backend address pools using virtual machines. You then configure listeners and rules

  based on domains that you own to make sure web traffic arrives at the appropriate servers in

  the pools.

  https://docs.microsoft.com/bs-latn-ba/azure//application-gateway/create-multiple-sites-portal

  Wrong Answers:

  CNAME and A records - These are used for domain registrations.

  Routing method and DNS time to live (TTL) - DNS TTL (time to live) is a setting that tells the DNS resolver how long to cache a query before requesting a new one. This is nothing to do with routing.

  Path-based redirection and websockets - Path Based Routing allows you to route traffic to back-end server pools based on URL Paths of the request.