Designing and Implementing Microsoft Azure Networking Solutions
Exam Details
Exam Code: AZ-700
Exam Name: Designing and Implementing Microsoft Azure Networking Solutions
Certification: Microsoft Certifications
Vendor: Microsoft
Total Questions: 390 Q&As
Last Updated: Apr 08, 2025
Microsoft Microsoft Certifications AZ-700 Questions & Answers
Question 161:
You have an Azure subscription that contains two virtual networks named VritualNetwork1 and VritualNetwork2.
You have a Windows 10 device that connects to VritualNetwork1 by using a Point-to-Site (P2S) IKEv2 VPN. You have implemented virtual network peering between VritualNetwork1 and VritualNetwork2.
VritualNetwork1 allows gateway transit. VritualNetwork2 can use the remote gateway. You discover that you cannot communicate with VritualNetwork2 from the Windows 10 device. You need to ensure that you can communicate with VritualNetwork2 from the Windows 10 device.
To achieve the requirement, you download and reinstall the VPN client configuration.
Did you achieve the requirement?
A. Yes
B. No
Correct Answer: A
The VPN client must be downloaded again if any changes are made to VNet peering or the network topology.
If you make a change to the topology of your network and have Windows VPN clients, the VPN client package for Windows clients must be downloaded and installed again in order for the changes to be applied to the client.
Question 162:
You need to recommend a configuration for the ExpressRoute connection from the Boston datacenter. The solution must meet the hybrid networking requirements and business requirements. What type of ExpressRoute gateway should you recommend?
A. High Performance (ERGw2AZ)
B. Standard Performance (ERGw1AZ)
C. Ultra-Performance (ERGw3AZ)
Correct Answer: C
Scenario: The Boston datacenter must connect to the Azure virtual networks by using an ExpressRoute FastPath connection. To configure FastPath, the virtual network gateway must be either Ultra-Performance or ErGw3AZ.
https://docs.microsoft.com/en-us/azure/expressroute/about-fastpath#gateways
Question 163:
You have an Azure Virtual Desktop deployment that has 500 session hosts.
All outbound traffic to the internet uses a NAT gateway.
Some users report that they cannot access internet resources during peak hours.
In Azure Monitor, you discover many failed SNAT connections.
You need to increase the available SNAT connections.
What should you do?
A. Bind the NAT gateway to another subnet.
B. Add a public IP address.
C. Deploy Azure Standard Load Balancer that has outbound rules.
Correct Answer: B
Correct Answer(s):
Add a public IP address - A single NAT gateway resource supports from 64,000 up to 1 million concurrent flows. Each IP address provides 64,000 SNAT ports to the available inventory. You can use up to 16 IP addresses per NAT gateway resource.
Frequently the root cause of SNAT exhaustion is an anti-pattern for how outbound connectivity is established, managed, or configurable timers changed from their default values.
Steps
1. Check if you have modified the default idle timeout to a value higher than 4 minutes.
2. Investigate how your application is creating outbound connectivity (for example, code review or packet capture).
3. Determine if this activity is expected behavior or whether the application is misbehaving. Use metrics in Azure Monitor to substantiate your findings. Use "Failed" category for SNAT Connections metric.
4. Evaluate if appropriate patterns are followed.
5. Evaluate if SNAT port exhaustion should be mitigated with additional IP addresses assigned to NAT gateway resource.
Bind the NAT gateway to another subnet - Not a valid solution to mitigate the issue.
Deploy Azure Standard Load Balancer that has outbound rules - This replaces the need for outbound rules for backend pool outbound SNAT.
Question 164:
Which of the following statements are true with respect to Azure Firewall?
A. Azure firewall replaces Network Security groups
B. Azure firewall is a stateless service
C. Used to inspect inbound internet traffic only
D. Azure Firewall provides inbound protection for non-HTTP/S protocols
E. Forced tunneling is supported in Azure Firewall
Correct Answer: DE
Capabilities supported in Azure Firewall:
Stateful firewall as a service
Built-in high availability with unrestricted cloud scalability
FQDN filtering
FQDN tags
Network traffic filtering rules
Outbound SNAT support
Inbound DNAT support
Centrally create, enforce, and log application and network connectivity policies across Azure subscriptions and VNETs
Fully integrated with Azure Monitor for logging and analytics
https://docs.microsoft.com/en-us/azure/firewall/firewall-faq
Question 165:
Which three actions should you perform in sequence from the below list of actions?
1. Create a health probe
2. Create a public load balancer in the Standard SKU
3. Create a public load balancer in the Basic SKU
4. Create a backend pool that contains VMScaleSet1
5. Create a NAT rule
6. Create an outbound rule
A. 1,4,6
B. 3,4,5
C. 3,4,6
D. 2,4,6
E. 2,4,5
Correct Answer: D
Only standard SKU load balancer supports outbound connections.
The backend pool must be VMScaleSet1 since the requirement is to implement outbound connectivity for VMScaleSet1.
Outbound rules allow you to explicitly define SNAT (source network address translation) for a public standard load balancer.
Question 166:
You need to recommend a configuration for the ExpressRoute connection from the Boston datacenter. The solution must meet the hybrid networking requirements and business requirements. What should you recommend to minimize latency of traffic to Vnet2?
A. Create a dedicated ExpressRoute circuit for Vnet2
B. Connect Vnet2 directly to the ExpressRoute circuit
C. Configure gateway transit for the peering between Vnet1 and Vnet2
Correct Answer: C
Scenario:
Health Engine wants to minimize costs whenever possible, as long as all other requirements are met.
Latency of the traffic between the Boston datacenter and all the virtual networks must be minimized. The Boston datacenter must connect to the Azure virtual networks by using an ExpressRoute FastPath connection.
Gateway transit allows you to share an ExpressRoute or VPN gateway with all peered VNets and lets you manage the connectivity in one place. Sharing enables cost-savings and reduction in management overhead.
Question 167:
You have an Azure environment that contains two subscriptions named Subscription1 and Subscription2.
Each subscription is associated to a different Azure AD tenant.
Subscription1 contains a virtual network named VNet1.
VNet1 contains an Azure virtual machine named VM1 and has an IP address space of 10.0.3.0/24.
Subscription2 contains a virtual network named VNet2.
Vnet2 contains an Azure virtual machine named VM2 and has an IP address space of 10.190.0.0/24.
You need to connect VNet1 to VNet2.
What should you do first?
A. Modify the IP address space of VNet2
B. Provision virtual network gateways
C. Move VM1 to Subscription2
D. Move VNet1 to Subscription2
Correct Answer: B
Correct Answer(s):
Provision virtual network gateways - A virtual network gateway allows you to establish connectivity between two virtual networks. Virtual networks can be in different regions and from different subscriptions. When you connect VNets from different subscriptions, the subscriptions don't need to be associated with the same Active Directory tenant.
Modify the IP address space of VNet2 - IP addresses are not overlapping. So, modification to IP range is not required.
Move VM1 to Subscription2 - The requirement is to connect VNets. Moving a VM to a different VNet does not provide connectivity between VNets.
Move VNet1 to Subscription2 - VNets are logical isolation of cloud resources. Moving VNet1 to the Subscription2 does not provide connectivity between VNets. Also, Subscription2 is in a different Azure AD tenant.
Question 168:
You have a web application that will be deployed to an Azure App Service Web App.
You need to optimize web application responsiveness and reliability by routing HTTP request and responses to the endpoint with the lowest network latency for the client.
What should you consider?
A. Use Azure Application Gateway
B. Use Azure Monitor
C. Use Azure Security Centre
D. Use Azure Traffic Manager
Correct Answer: D
Correct Answer(s):
Use Azure Traffic Manager - Azure Traffic Manager is a DNS-based traffic load balancer that enables you to distribute traffic optimally to services across global Azure regions, while providing high availability and responsiveness.
Traffic Manager improves application responsiveness by directing traffic to the endpoint with the lowest network latency for the client.
Use Azure Application Gateway - Azure Application Gateway is a web traffic load balancer that enables you to manage traffic to your web applications. Application Gateway cannot distribute traffic based on network latency.
Use Azure Monitor - Azure Monitor delivers a comprehensive solution for collecting, analyzing, and acting on telemetry from your cloud and on-premises environments. It is not a load balancer.
Use Azure Security Centre - Azure Security Center is a unified infrastructure security management system that strengthens the security posture of your data centers, and provides advanced threat protection across your hybrid workloads in the cloud. It is not a load balancer.
Question 169:
You have an Azure environment that contains a virtual network named VNet1 with IP address space of 10.2.0.0/16.
No devices are connected to VNet1.
You plan to peer VNet1 with another virtual network named VNet2.
VNet2 has an address space of 10.2.0.0/16.
You need to create the peering.
What should you do first?
A. Configure a service endpoint on VNet2.
B. Add a gateway subnet to VNet1.
C. Create a subnet on VNet1 and VNet2.
D. Modify the address space of VNet1.
Correct Answer: D
Correct Answer(s):
Modify the address space of VNet1 - Address spaces of virtual networks (VNet) must not overlap to enable VNet Peering. The IP address range for VNet1 and VNet2 are overlapping. Therefore, the first step is to modify the IP address range for VNet1.
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-faq#vnet-peering
Configure a service endpoint on VNet2 - Service endpoints provide secure and direct connectivity to Azure services over Azure backbone network.
Add a gateway subnet to VNet1 - You need to create a gateway subnet for your VNet to configure a virtual network gateway. It is not required for Vnet peering.
Create a subnet on VNet1 and VNet2 - Subnets are not mandatory for VNet peering.
Question 170:
You have an Azure subscription that contains two virtual networks named VritualNetwork1 and VritualNetwork2.
You have a Windows 10 device that connects to VritualNetwork1 by using a Point-to-Site (P2S) IKEv2 VPN. You have implemented virtual network peering between VritualNetwork1 and VritualNetwork2.
VritualNetwork1 allows gateway transit. VritualNetwork2 can use the remote gateway. You discover that you cannot communicate with VritualNetwork2 from the Windows 10 device. You need to ensure that you can communicate with VritualNetwork2 from the Windows 10 device.
To achieve the requirement, you enable BGP on the gateway of VritualNetwork1.
Did you achieve the requirement?
A. Yes
B. No
Correct Answer: B
The VPN client must be downloaded again if any changes are made to VNet peering or the network topology. If you make a change to the topology of your network and have Windows VPN clients, the VPN client package for Windows clients must be downloaded and installed again in order for the changes to be applied to the client.