Microsoft Microsoft Certifications AZ-700 Questions & Answers

• Question 181:

  Which virtual machines can VM4 ping successfully?

  A. VM3 only

  B. VM1 and VM3 only

  C. VM1, VM2 and VM3 only

  D. VM1, VM2, VM3 and VM5

  Correct Answer: C

  VM4 is in VNet3.

  VNet3 is peered with VNet1 and VNet2.

  There is no NSG rule blocking outbound ICMP from VNet3.

  There are no NSG rule blocking inbound ICMP to VNet1/Subnet1, VNet1/Subnet2 or VNet2 from VNet3.

  NSG10 blocks inbound ICMP from VNet4 (Source IP address is 10.10.0.0/16).

  Therefore, VM4 can ping VM1 in VNet1/Subnet1, VM2 in VNet1/Subnet2 and VM3 in VNet2.

• Question 182:

  You have an Azure subscription that contains the resources shown in the following table.

  

  You need to ensure that VM1 and VM2 can connect only to storage1. The solution must meet the following requirements:

  1.

  Prevent VM1 and VM2 from accessing any other storage accounts.

  2.

  Ensure that storage1 is accessible from the internet.

  What should you use?

  A. a network security group (NSG)

  B. a private endpoint

  C. a private link

  D. a service endpoint policy

  Correct Answer: D

  Virtual network service endpoint policies for Azure Storage Virtual Network (VNet) service endpoint policies allow you to filter egress virtual network traffic to Azure Storage accounts over service endpoint, and allow data exfiltration to only specific Azure Storage accounts. Endpoint policies provide granular access control for virtual network traffic to Azure Storage when connecting over service endpoint.

  Incorrect:

  *

  a network security group (NSG)

  Azure service tags for network security groups allow you to restrict virtual network outbound traffic to specific Azure Storage regions. However, this allows traffic to any account within selected Azure Storage region.

  *

  a private endpoint

  You can use private endpoints for your Azure Storage accounts to allow clients on a virtual network (VNet) to securely access data over a Private Link. The private endpoint uses a separate IP address from the VNet address space for each

  storage account service. Network traffic between the clients on the VNet and the storage account traverses over the VNet and a private link on the Microsoft backbone network, eliminating exposure from the public internet.

  *

  Private link

  Azure Private Link enables you to access Azure PaaS Services (for example, Azure Storage and SQL Database) and Azure hosted customer-owned/partner services over a private endpoint in your virtual network.

  Traffic between your virtual network and the service travels the Microsoft backbone network. Exposing your service to the public internet is no longer necessary. You can create your own private link service in your virtual network and deliver it to your customers. Setup and consumption using Azure Private Link is consistent across Azure PaaS, customer-owned, and shared partner services.

  Reference: https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoint-policies-overview https://learn.microsoft.com/en-us/azure/storage/common/storage-private-endpoints https://learn.microsoft.com/en-us/azure/private-link/private-link-overview

• Question 183:

  Your company has five offices. Each office has a firewall device and a local internet connection. The offices connect to a third-party SD-WAN.

  You have an Azure subscription that contains a virtual network named Vnet1. Vnet1 contains a virtual network gateway named Gateway1. Each office connects to Gateway1 by using a Site-to-Site VPN connection.

  You need to replace the third-party SD-WAN with an Azure Virtual WAN.

  What should you include in the solution?

  A. Delete Gateway1.

  B. Create new Point-to-Site (P2S) VPN connections on the firewall devices.

  C. Create an Azure Traffic Manager profile.

  D. Enable active-active mode on Gateway1.

  Correct Answer: A

  Virtual Wan requires a Wan Hub Gateway, so Gateway1 should be deleted (after the new gateway is connected).

  https://learn.microsoft.com/en-us/azure/virtual-wan/migrate-from-hub-spoke-topology#step-5-transition-connectivity-to-virtual-wan-hub

• Question 184:

  You are planning the IP addressing for the subnets in Azure virtual networks.

  Which type of resource requires IP addresses in the subnets?

  A. Azure Virtual Network NAT

  B. virtual network peering

  C. service endpoints

  D. private endpoints

  Correct Answer: A

• Question 185:

  You have an Azure subscription that contains the resources shown in the following table.

  

  '

  You create a virtual network named Vnet2 in the West US region. You plan to enable peering between Vnet1 and Vnet2.

  You need to ensure that the virtual machines connected to Vnet2 can connect to VM1 and VM2 via LB1.

  What should you do?

  A. From the Peerings settings of Vnet2, set Traffic forwarded from remote virtual network to Allow.

  B. Change the Floating IP configurations of LB1.

  C. From the Peerings settings of Vnet1, set Traffic forwarded from remote virtual network to Allow.

  D. Change the SKU of LB1.

  Correct Answer: D

  What are the constraints related to Global VNet Peering and Load Balancers?

  If the two virtual networks in two different regions are peered over Global VNet Peering, you cannot connect to resources that are behind a Basic Load Balancer through the Front End IP of the Load Balancer. This restriction does not exist for

  a Standard Load Balancer.

  Note: The following resources can use Basic Load Balancers which means you cannot reach them through the Load Balancer's Front End IP over Global VNet Peering. You can however use Global VNet peering to reach the resources

  directly through their private VNet IPs, if permitted.

  VMs behind Basic Load Balancers

  Virtual machine scale sets with Basic Load Balancers

  Redis Cache

  Application Gateway (v1) SKU

  Service Fabric

  API Management (stv1)

  Active Directory Domain Service (ADDS)

  Logic Apps

  HDInsight

  Azure Batch

  App Service Environment

  You can connect to these resources via ExpressRoute or VNet-to-VNet through VNet Gateways.

  Reference: https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-faq#what-are-the-constraints-related-to-global-vnet-peering-and-load-balancers

• Question 186:

  You have an Azure subscription that contains a virtual network.

  You plan to deploy an Azure VPN gateway and 90 Site-to-Site VPN connections. The solution must meet the following requirements:

  1.

  Ensure that the Site-to-Site VPN connections remain available if an Azure datacenter fails.

  2.

  Minimize costs.

  Which gateway SKU should you specify?

  A. VpnGw1AZ

  B. VpnGw2AZ

  C. VpnGw4AZ

  D. VpnGw5AZ

  Correct Answer: C

  VpnGw4AZ supports 90 Site-to-Site VPN connections at a lower cost than VpnGw5AZ. VpnGw1AZ, VpnGw2AZ, and VpnGw4AZ supports max 30.

  Gateway SKUs by tunnel, connection, and throughput

  

  Reference: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways

• Question 187:

  You have an Azure subscription that contains the resources shown in the following table.

  

  You plan to deploy an Azure Virtual Network NAT gateway named Gateway1. The solution must meet the following requirements:

  1.

  VM1 will access the internet by using its public IP address.

  2.

  VM2 will access the internet by using its public IP address.

  3.

  Administrative effort must be minimized.

  You need to ensure that you can deploy Gateway1 to Vnet1.

  What is the minimum number of subnets required on Vnet1?

  A. 2

  B. 3

  C. 4

  D. 5

  Correct Answer: C

  1.

  GatewaySubnet

  2.

  Subnet 2

  3.

  Subnet 1 with Basic SKU for Public IP

  4.

  NAT Gatway requires in VNET 1 and hence 4. Otherwise you could have used Subnet2 to avoid creating 4th Subnet. Requirement is to create NAT GW in VNET1 so you need 4th Subnet. https://learn.microsoft.com/en-us/azure/virtual-network/nat-gateway/nat-overview Check out - NAT gateway and basic SKU resources section

• Question 188:

  You are planning an Azure deployment that will contain three virtual networks in the East US Azure region as shown in the following table.

  

  A Site-to-Site VPN will connect Vnet1 to your company's on-premises network.

  You need to recommend a solution that ensures that the virtual machines on all the virtual networks can communicate with the on-premises network. The solution must minimize costs.

  What should you recommend for Vnet2 and Vnet3?

  A. VNet-to-VNet VPN connections

  B. peering

  C. service endpoints

  D. route tables

  Correct Answer: B

  Virtual network peering seamlessly connects two Azure virtual networks, merging the two virtual networks into one for connectivity purposes. The virtual networks appear as one for connectivity purposes. The traffic between virtual machines in peered virtual networks uses the Microsoft backbone infrastructure. Like traffic between virtual machines in the same network, traffic is routed through Microsoft's private network only.

  Reference: https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview

• Question 189:

  Your company has an office in New York.

  The company has an Azure subscription that contains the virtual networks shown in the following table.

  

  You need to connect the virtual networks to the office by using ExpressRoute. The solution must meet the following requirements:

  1.

  The connection must have up to 1 Gbps of bandwidth.

  2.

  The office must have access to all the virtual networks.

  3.

  Costs must be minimized.

  How many ExpressRoute circuits should be provisioned, and which ExpressRoute SKU should you enable?

  A. one ExpressRoute Premium circuit

  B. two ExpressRoute Premium circuits

  C. four ExpressRoute Standard circuits

  D. one ExpressRoute Standard circuit

  Correct Answer: A

  One SKU Premium required.

  Azure ExpressRoute offers three different circuit SKUs, known as Local, Standard, and Premium, which provide varying degrees of connectivity scope.

  Standard: a Standard SKU ExpressRoute circuit provides connectivity to resources in all Azure regions in a geopolitical area. Under this scenario, the on-premises network in London can connect to resources and access Azure's cloud

  services hosted in regions such as West Europe (Amsterdam, Netherlands) and France Central (Paris, France) through ExpressRoute

  Premium: a Premium SKU ExpressRoute circuit facilitates connectivity to resources and cloud services globally across all Azure regions. Specifically, this global connectivity is delivered over the Microsoft core network. In this case, the on-

  premises network in London can link a virtual network created in West Europe (Amsterdam, Netherlands) to an Azure ExpressRoute circuit created in Japan East (Tokyo, Japan)

  Reference: https://dgtlinfra.com/azure-expressroute-benefits-pricing-providers-locations/

• Question 190:

  After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

  You have two Azure virtual networks named Vnet1 and Vnet2.

  You have a Windows 10 device named Client1 that connects to Vnet1 by using a Point-to-Site (P2S) IKEv2 VPN.

  You implement virtual network peering between Vnet1 and Vnet2. Vnet1 allows gateway transit. Vnet2 can use the remote gateway.

  You discover that Client1 cannot communicate with Vnet2.

  You need to ensure that Client1 can communicate with Vnet2.

  Solution: You resize the gateway of Vnet1 to a larger SKU.

  Does this meet the goal?

  A. Yes

  B. No

  Correct Answer: B

  The VPN client must be downloaded again if any changes are made to VNet peering or the network topology.

  Reference: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-point-to-site-routing