Microsoft Microsoft Certifications AZ-700 Questions & Answers

• Question 11:

  HOTSPOT

  You have an Azure subscription that contains a virtual network gateway named VNetGwy1. VNetGwy1 has a public IP address of 20.25.32.214.

  You need to query the health probe of VNetGwy1,

  How should you complete the URI? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-troubleshoot-site-to-site-cannot-connect#step-7-verify-the-azure-gateway-health-probe

• Question 12:

  HOTSPOT

  You have an Azure subscription that contains an app named Appl. App1 is hosted on the Azure App Service instances shown in the following table.

  

  You need to implement Azure Traffic Manager to meet the following requirements:

  1.

  App1 traffic must be assigned equally to each App Service instance in each Azure region.

  2.

  App1 traffic from North Europe must be routed to the Appl instances in the North Europe region.

  3.

  App1 traffic from North America must be routed to the Appl instances in the East US Azure region.

  4.

  If an App Service instance fails, all the traffic for that instance must be routed to the remaining instances in the same region.

  How should you configure the Traffic Manager profiles? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Box 1: 2

  Need one profile for each region.

  Note: Azure Traffic Manager supports six traffic-routing methods to determine how to route network traffic to the various service endpoints. For any profile, Traffic Manager applies the traffic-routing method associated to it to each DNS query it

  receives. The traffic-routing method determines which endpoint is returned in the DNS response.

  Box 2: Geographic

  The following traffic routing methods are available in Traffic Manager:

  *

  Geographic: Select Geographic routing to direct users to specific endpoints (Azure, External, or Nested) based on where their DNS queries originate from geographically. With this routing method, it enables you to be in compliance with scenarios such as data sovereignty mandates, localization of content and user experience and measuring traffic from different regions.

  *

  Priority: Select Priority routing when you want to have a primary service endpoint for all traffic. You can provide multiple backup endpoints in case the primary or one of the backup endpoints is unavailable.

  *

  Weighted: Select Weighted routing when you want to distribute traffic across a set of endpoints based on their weight. Set the weight the same to distribute evenly across all endpoints.

  *

  Performance: Select Performance routing when you have endpoints in different geographic locations and you want end users to use the "closest" endpoint for the lowest network latency.

  *

  Etc.

  Reference: https://learn.microsoft.com/en-us/azure/traffic-manager/traffic-manager-routing-methods

• Question 13:

  HOTSPOT

  You have an Azure subscription that contains the virtual networks shown in the following table.

  

  You have a virtual machine named VM5 that has the following IP address configurations:

  1.

  IP address:10.4.0.5

  2.

  Subnet mask:255.255.255.0

  3.

  Default gateway: 10.4.0.1

  4.

  DNS server: 168.63.129.16

  You have an Azure Private DNS zone named fabrikam.com that contains the records shown in the following table.

  

  The virtual network links in the fabrikam.com DNS zone are configured as shown in the exhibit. (Click the Exhibit tab.)

  

  VM5 fails to resolve the IP address for app1.fabrikam.com.

  For each of the following statements, select Yes if the statement is true. Otherwise, select No.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  VM5 is in VNET3 and VNET3 isn't linked to the fabrikam.com private DNS zone. This means it won't be able to resolve anything in that private DNZ zone until it is linked.

• Question 14:

  HOTSPOT

  You are planning an Azure Front Door deployment that will contain the resources shown in the following table.

  

  Users will connect to the App Service through Front Door by using a URL of https://www.fabrikarn.com. You obtain a certificate for the host name of www.fabfikam.com.

  You need to configure a DNS record for www.fabrikam.com and upload the certificate to Azure. What should you do? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Box 1: A secret in Azure Key Vault

  Azure Front Door supports Azure-managed certificates and customer-managed certificates.

  If you already have a certificate, you can upload it to your key vault. Otherwise, create a new certificate directly through Azure Key Vault from one of the partner certificate authorities (CAs) that Azure Key Vault integrates with.

  Azure Key Vault is a cloud service that provides a secure store for secrets. You can securely store keys, passwords, certificates, and other secrets.

  Box 2: FD93.azurefd.net

  Update your domain's DNS settings to point to your Front Door service's DNS endpoint. This will typically involve creating a CNAME record that maps your custom domain to the Front Door service endpoint, which will be in the form

  "yourfrontdoordns.azurefd.net".

  Reference:

  https://www.c-sharpcorner.com/article/how-to-configure-front-door-for-an-azure-app/

  https://learn.microsoft.com/en-us/azure/frontdoor/standard-premium/how-to-configure-https-custom-domain

• Question 15:

  HOTSPOT

  You have an Azure application gateway named AppGw1.

  You need to create a rewrite rulefor AppGw1. The solution must rewrite the URL of requests from https://www.contoso.com/fashion/shirts to ttps://www.contoso.com/buy.aspx?category-fashionandproduct=shirts.

  How should you complete the rule? To answer NOTE: Each correct selection is worth onepoint appropriate options in the answer area.

  Hot Area:

  

  Correct Answer:

  

  Box 1: uri_path Server variables Application Gateway uses server variables to store useful information about the server, the connection with the client, and the current request on the connection.

  Application gateway supports the following server variables:

  *

  uri_path Identifies the specific resource in the host that the web client wants to access. This is the part of the request URI without the arguments. Example: In the request http://contoso.com:8080/article.aspx?id=123andtitle=fabrikam, uri_path value will be /article.aspx

  Incorrect:

  *

  query_string

  The list of variable/value pairs that follows the "?" in the requested URL. Example: In the request http://contoso.com:8080/article.aspx?id=123andtitle=fabrikam, query_string value will be id=123andtitle=fabrikam

  *

  content_type

  There is no server variable named content_type.

  Box 2: URL (Both URL path and URL query string) There are 3 types of rewrites available:

  *

  Rewriting URL components

  URL path: The value to which the path is to be rewritten to.

  URL Query String: The value to which the query string is to be rewritten to.

  Re-evaluate path map

  *

  Rewriting request headers

  URL path and query string

  With URL rewrite capability in Application Gateway, you can:

  Rewrite the host name, path and query string of the request URL

  Choose to rewrite the URL of all requests on a listener or only those requests which match one or more of the conditions you set. These conditions are based on the request properties (request header and server variables).

  Choose to route the request (select the backend pool) based on either the original URL or the rewritten URL

  Note: Rewrite HTTP headers and URL with Application Gateway Application Gateway allows you to rewrite selected content of requests and responses. With this feature, you can translate URLs, query string parameters as well as modify request and response headers. It also allows you to add conditions to ensure that the URL or the specified headers are rewritten only when certain conditions are met. These conditions are based on the request and response information.

  Reference: https://learn.microsoft.com/en-us/azure/application-gateway/rewrite-http-headers-url

• Question 16:

  HOTSPOT

  You have an Azure virtual network and an on-premises datacenter that connect by using a Site-to-Site VPN tunnel.

  You need to ensure that all traffic from the virtual network to the internet is routed through the datacenter.

  How should you complete the PowerShell script to configure forced tunneling? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Box 1: Get-AzLocalNetworkGateway See step 5 below.

  Configure forced tunneling

  1.

  Create a resource group.

  New-AzResourceGroup -Name 'ForcedTunneling' -Location 'North Europe'

  2.

  Create a virtual network and specify subnets.

  3.

  Create the local network gateways.

  Example:

  $lng1 = New-AzLocalNetworkGateway -Name "DefaultSiteHQ" -ResourceGroupName "ForcedTunneling" -Location "North Europe" -GatewayIpAddress "111.111.111.111" -AddressPrefix "192.168.1.0/24"

  4.

  Create the virtual network gateway.

  5.

  Assign a default site to the virtual network gateway. The -GatewayDefaultSite is the cmdlet parameter that allows the forced routing configuration to work, so take care to configure this setting properly.

  $LocalGateway = Get-AzLocalNetworkGateway -Name "DefaultSiteHQ" -ResourceGroupName "ForcedTunneling" $VirtualGateway = Get-AzVirtualNetworkGateway -Name "Gateway1" -ResourceGroupName "ForcedTunneling" Set-AzVirtualNetworkGatewayDefaultSite -GatewayDefaultSite $LocalGateway -VirtualNetworkGateway $VirtualGateway

  6.

  Establish the Site-to-Site VPN connections. Details omitted.

  Box 2: Set-AzVirtualNetworkGatewayDefaultSite

  Reference: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-forced-tunneling-rm

• Question 17:

  HOTSPOT

  You have an Azure load balancer that has the following configurations:

  1.

  Name: LB1

  2.

  Location: East US 2

  3.

  SKU: Standard

  4.

  Private IP address: 10.3.0.7

  5.

  Load balancing rule: rule1 (Tcp/80)

  6.

  Health probe: probe1 (Http:80)

  7.

  NAT rules: 0 inbound

  The backend pool of LB1 has the following configurations:

  1.

  Name: backend1

  2.

  Virtual network: Vnet2

  3.

  Backend pool configuration: NIC

  4.

  IP version: IPv4

  5.

  Virtual machines: VM1, VM2, VM3

  You have an Azure virtual machine named VM4 that has the following network configurations:

  1.

  Network interface: vm4981

  2.

  Virtual network/subnet: Vnet3/Subnet3

  3.

  NIC private IP address: 10.4.0.4

  4.

  Accelerated networking: Enabled

  For each of the following statements, select Yes if the statement is true. Otherwise, select No.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Box 1: No

  VM4 is in Vnet3/Subnet3.

  LB1 is in Vnet2. LB1 is a NIC based backend pool.

  The backend resources must be in the same virtual network as the load balancer for IP based LBs

  Box 2: Yes

  VM1 is in the backend pool of LB1. LB1 is in Vnet2.

  Box 3: No

  The Load balancing rule: rule1 (Tcp/80)

  However, HTTPS URLs begin with "https://" and use port 443 by default, whereas, HTTP URLs begin with "http://" and use port 80 by default.

  Reference: https://learn.microsoft.com/en-us/azure/load-balancer/backend-pool-management

• Question 18:

  HOTSPOT

  Your on-premises network contains a VPN device.

  You have an Azure subscription that contains a virtual network and a virtual network gateway.

  You need to create a Site-to-Site VPN connection that has a custom cryptographic policy.

  How should you complete the PowerShell script? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Box 1: New-AzIpsecPolicy Configure IPsec/IKE policy for S2S (Site-to-Site) VPN or VNet-to-VNet connections Create a S2S VPN connection with an IPsec/IKE policy

  1. Create an IPsec/IKE policy

  The following sample script creates an IPsec/IKE policy with the following algorithms and parameters:

  IKEv2: AES256, SHA384, DHGroup24 IPsec: AES256, SHA256, PFS None, SA Lifetime 14400 seconds and 102400000KB

  $ipsecpolicy6 = New-AzIpsecPolicy -IkeEncryption AES256 -IkeIntegrity SHA3

  2. Create the S2S VPN connection with the IPsec/IKE policy

  Create an S2S VPN connection and apply the IPsec/IKE policy created earlier. $vnet1gw = Get-AzVirtualNetworkGateway -Name $GWName1 -ResourceGroupName $RG1 $lng6 = Get-AzLocalNetworkGateway -Name $LNGName6 -ResourceGroupName $RG1

  New-AzVirtualNetworkGatewayConnection -Name $Connection16 -ResourceGroup Box 2: New-AzVirtualNetworkGatewayConnection Reference: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-ipsecikepolicy-rm-powershell

• Question 19:

  HOTSPOT

  You have the Azure resources shown in the following table.

  

  WebApp1 uses the Standard pricing tier.

  You need to ensure that WebApp1 can access the virtual machines deployed to Vnet1\Subnet1 and Vnet2\Subnet1. The solution must minimize costs.

  What should you create in each virtual network? To answer, select the appropriate options in the answer area.

  Hot Area:

  

  Correct Answer:

  

  Explanation:

  Box 1: An additional subnet

  Regional virtual network integration: When you connect to virtual networks in the same region, you must have a dedicated subnet in the virtual network you're integrating with.

  Box 2: A VPN gateway

  Gateway-required virtual network integration: When you connect directly to virtual networks in other regions or to a classic virtual network in the same region, you need an Azure Virtual Network gateway created in the target virtual network.

  Note: If your app is in an App Service Environment, it's already in a virtual network and doesn't require use of the VNet integration feature to reach resources in the same virtual network.

  Reference:

  https://docs.microsoft.com/en-us/azure/app-service/overview-vnet-integration

• Question 20:

  HOTSPOT

  You have on-premises datacenters in New York and Seattle.

  You have an Azure subscription that contains the ExpressRoute circuits shown in the following table.

  

  You need to ensure that all the data sent between the datacenters is routed via the ExpressRoute circuits. The solution must minimize costs.

  How should you configure the network? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Box 1: Global Reach

  ExpressRoute Global Reach is the service where if you have two datacenters, which are located at different geo-locations and both are connected to Microsoft Azure via Express Route then these two datacenters can also connect to each

  other securely via Microsoft's backbone.

  Incorrect:

  FastPath is designed to improve the data path performance between your on-premises network and your virtual network. When enabled, FastPath sends network traffic directly to virtual machines in the virtual network, bypassing the gateway.

  Box 2: Private

  With ExpressRoute Global Reach, you can link ExpressRoute circuits together to make a private network between your on-premises networks.

  Reference:

  https://docs.microsoft.com/en-us/azure/expressroute/expressroute-global-reach