Designing and Implementing Microsoft Azure Networking Solutions
Exam Details
Exam Code: AZ-700
Exam Name: Designing and Implementing Microsoft Azure Networking Solutions
Certification: Microsoft Certifications
Vendor: Microsoft
Total Questions: 390 Q&As
Last Updated: Apr 08, 2025
Microsoft Microsoft Certifications AZ-700 Questions & Answers
Question 191:
Your company has four branch offices and an Azure subscription. The subscription contains an Azure VPN gateway named GW1. The branch offices are configured as shown in the following table.
The branch office routers provide internet connectivity and Site-to-Site VPN connections to GW1.
The users in Branch1 report that they can connect to internet resources, but cannot access Azure resources.
You need to ensure that the Branch1 users can connect to the Azure resources. The solution must meet the following requirements:
1. Minimize downtime for all users.
2. Minimize administrative effort.
What should you do first?
A. Recreate LNG1.
B. Reset RTR1.
C. Reset Connection1.
D. Reset GW1.
Correct Answer: C
Azure VPN gateway Site-to-Site VPN connections local network gateway
Resetting an Azure VPN gateway or gateway connection is helpful if you lose cross-premises VPN connectivity on one or more site-to-site VPN tunnels. In this situation, your on-premises VPN devices are all working correctly, but aren't able to establish IPsec tunnels with the Azure VPN gateways.
Connection reset
When you select to reset a connection, the gateway doesn't reboot. Only the selected connection is reset and restored.
Incorrect:
Not D: Resetting GW1 would affect all VPN connections.
Gateway reset
A VPN gateway is composed of two VM instances running in an active-standby configuration. When you reset the gateway, it reboots the gateway, and then reapplies the cross-premises configurations to it.
Question 192:
You have a hub-and-spoke topology. The topology includes multiple on-premises locations that connect to a hub virtual network in Azure via ExpressRoute circuits.
You have an Azure Application Gateway named GW1 that provides a single point of ingress from the internet.
You plan to migrate the hub-and-spoke topology to Azure Virtual WAN.
You need to identify which changes must be applied to the existing topology. The solution must ensure that you maintain a single point of ingress from the internet.
Which three changes should you include in the solution? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. Add user-defined routes.
B. Add virtual network peerings.
C. Replace the user-defined routes used by the current topology.
D. Create virtual network connections.
E. Remove the existing virtual network peerings.
F. Redeploy GW1.
Correct Answer: CDE
Transition connectivity to virtual WAN hub:
Step 1. (E) Delete the existing peering connections from Spoke virtual networks to the old customer-managed hub. Access to applications in spoke virtual networks is unavailable until steps 1-3 are complete.
Step 2. (D) Connect the spoke virtual networks to the Virtual WAN hub via VNet connections.
Step 3. (C) Remove any user-defined routes (UDR) previously used within spoke virtual networks for spoke-to-spoke communications. This path is now enabled by dynamic routing available within the Virtual WAN hub.
Question 193:
Your company has 40 branch offices that are linked by using a Software-Defined Wide Area Network (SD-WAN). The SD-WAN uses BGP.
You have an Azure subscription that contains 20 virtual networks configured as a hub and spoke topology. The topology contains a hub virtual network named Vnet1.
The virtual networks connect to the SD-WAN by using a network virtual appliance (NVA) in Vnet1.
You need to ensure that BGP route advertisements will propagate between the virtual networks and the SD-WAN. The solution must minimize administrative effort.
What should you implement?
A. An Azure VPN Gateway that has BGP enabled
B. a NAT gateway
C. Azure Traffic Manager
D. Azure Route Server
Correct Answer: D
Update route tables by using Azure Route Server
Use Azure Route Server to manage the dynamic routing between NVAs and virtual networks. Simplify NVA maintenance, and avoid manually updating route tables.
Workflow
* This hub-and-spoke architecture has a hub virtual network and one spoke virtual network. The hub virtual network has multiple subnets, each containing virtual machines (VMs).
* The border gateway protocol (BGP) makes the exchange of IP addresses between on-premises and Azure components possible. This protocol directs packets between autonomous systems. Such systems are small networks or huge pools of routers that a single organization runs.
* Etc.
Components
* Route Server simplifies dynamic routing between NVAs that support BGP and virtual networks. This service eliminates the administrative overhead of maintaining route tables.
Question 194:
You have an Azure subscription that contains the following resources:
1. A virtual network named Vnet1
2. Two subnets named Subnet1 and AzureFirewallSubnet
3. A public Azure Firewall named FW1
4. A route table named RT1 that is associated to Subnet1
5. A route in RT1 that sends 0.0.0.0/0 to FW1
After deploying 10 servers that run Windows Server to Subnet1, you discover that none of the virtual machines were activated.
You need to ensure that the virtual machines can be activated.
What should you do?
A. On FW1, create an outbound service tag rule for AzureCloud.
B. Add an internet route to RT1 for the Azure Key Management Service (KMS).
C. On FW1, configure a DNAT rule for port 1688.
D. Deploy an Azure Standard Load Balancer that has an outbound NAT rule.
Correct Answer: B
Troubleshoot Azure Windows virtual machine activation problems
Cause
Generally, Azure VM activation issues occur if the Windows VM is not configured by using the appropriate KMS client setup key, or the Windows VM has a connectivity problem to the Azure KMS service (kms.core.windows.net, port 1688).
Incorrect:
Not C: DNAT rules are for incoming traffic.
Note: You can configure Azure Firewall Destination Network Address Translation (DNAT) to translate and filter inbound Internet traffic to your subnets. When you configure DNAT, the NAT rule collection action is set to Dnat. Each rule in the NAT rule collection can then be used to translate your firewall public IP address and port to a private IP address and port. DNAT rules implicitly add a corresponding network rule to allow the translated traffic.
Question 195:
You plan to implement Azure Virtual WAN as shown in the following exhibit.
What is the minimum number of route tables that you should create?
A. 1
B. 2
C. 4
D. 6
Correct Answer: B
Consider the following when configuring Virtual WAN routing:
* All branch connections (Point-to-site, Site-to-site, and ExpressRoute) need to be associated to the Default route table. That way, all branches will learn the same prefixes.
* Etc.
Note: The routing capabilities in a virtual hub are provided by a router that manages all routing between gateways using Border Gateway Protocol (BGP). A virtual hub can contain multiple gateways such as a Site-to-site VPN gateway, ExpressRoute gateway, Point-to-site gateway, Azure Firewall. This router also provides transit connectivity between virtual networks that connect to a virtual hub and can support up to an aggregate throughput of 50 Gbps. These routing capabilities apply to Standard Virtual WAN customers.
Question 196:
You have an internal Basic Azure Load Balancer named LB1 that has two frontend IP addresses. The backend pool of LB1 contains two Azure virtual machines named VM1 and VM2. You need to configure the rules on LB1 as shown in the following table.
What should you do for each rule?
A. Enable Floating IP.
B. Disable Floating IP.
C. Set Session persistence to Enabled.
D. Set Session persistence to Disabled.
Correct Answer: A
Azure Load Balancer Floating IP configuration
Floating IP
Some application scenarios prefer or require the same port to be used by multiple application instances on a single VM in the backend pool. Common examples of port reuse include:
* clustering for high availability
* network virtual appliances
* exposing multiple TLS endpoints without re-encryption.
If you want to reuse the backend port across multiple rules, you must enable Floating IP in the rule definition.
In the diagrams below, you see how IP address mapping works before and after enabling Floating IP:
Note: Azure Load Balancer supports rules to configure traffic to the backend pool. There are four types of rules:
* Load-balancing rules - A load balancer rule is used to define how incoming traffic is distributed to all the instances within the backend pool. A load-balancing rule maps a given frontend IP configuration and port to multiple backend IP addresses and ports.
Question 197:
You need to use Traffic Analytics to monitor the usage of applications deployed to Azure virtual machines. Which Azure Network Watcher feature should you implement first?
A. Connection monitor
B. Packet capture
C. NSG flow logs
D. IP flow verify
Correct Answer: C
Network Watcher: A regional service that enables you to monitor and diagnose conditions at a network scenario level in Azure. You can turn NSG flow logs on and off with Network Watcher.
Network security group (NSG) flow logs is a feature of Azure Network Watcher that allows you to log information about IP traffic flowing through an NSG.
Why use NSG Flow Logs?
It is vital to monitor, manage, and know your own network for uncompromised security, compliance, and performance.
Common use cases include:
Network Monitoring: Identify unknown or undesired traffic. Monitor traffic levels and bandwidth consumption. Filter flow logs by IP and port to understand application behavior.
Question 198:
You need to capture all the network traffic of VM1 by using Azure Network Watcher.
To which locations can the capture be written?
A. blob storage only
B. blob storage, a file path on VM1, and a premium storage account
C. a file path on VM1 only
D. blob storage and a file path on VM1 only
E. blob storage and a premium storage account only
F. a premium storage account only
Correct Answer: D
Once your packet capture session has completed, the capture file is uploaded to blob storage or to a local file on the virtual machine. The storage location of the packet capture is defined during creation of the packet capture.
Question 199:
You have the Azure virtual networks shown in the following table.
You have the Azure resources shown in the following table.
You need to check latency between the resources by using connection monitors in Azure Network Watcher.
What is the minimum number of connection monitors that you must create?
A. 1
B. 2
C. 3
D. 4
E. 5
Correct Answer: B
As per MS guidelines:
* Region: Select a region for your connection monitor. You can select only the source VMs that are created in this region. Here you see only VMs or Virtual Machine Scale Sets that are bound to the region that you specified when you created the connection monitor. By default, VMs and Virtual Machine Scale Sets are grouped into the subscription that they belong to.
* Destination can be anywhere, as per this: Destinations: You can monitor connectivity to an Azure VM, an on-premises machine, or any endpoint (a public IP, URL, or FQDN) by specifying it as a destination. In a single test group, you can add Azure VMs, on-premises machines, Office 365 URLs, Dynamics 365 URLs, and custom endpoints.
https://learn.microsoft.com/en-us/azure/network-watcher/connection-monitor-create-using-portal
Question 200:
You have a network security group named NSG1.
You need to enable network security group (NSG) flow logs for NSG1. The solution must support retention policies.
What should you create first?
A. A standard general-purpose v2 Azure Storage account
B. An Azure Log Analytics workspace
C. A standard general-purpose v1 Azure Storage account
D. A premium Block blobs Azure Storage account
Correct Answer: A
NSG flow logging considerations
Storage account considerations:
Location: The storage account used must be in the same region as the NSG.
Performance Tier: Currently, only standard tier storage accounts are supported.
Note:
Flow Logs have a retention feature that allows automatically deleting the logs up to a year after their creation.
Retention is available only if you use General purpose v2 Storage accounts (GPv2).