Microsoft Microsoft Certifications AZ-700 Questions & Answers

• Question 211:

  Azure virtual networks in the East US Azure region as shown in the following table.

  

  The virtual networks are peered to one another. Each virtual network contains four subnets.

  You plan to deploy a virtual machine named VM1 that will inspect and route traffic between all the subnets on both the virtual networks.

  What is the minimum number of IP addresses that you must assign to VM1?

  A. 1

  B. 2

  C. 4

  D. 8

  Correct Answer: A

  https://learn.microsoft.com/en-us/azure/firewall/firewall-faq#can-azure-firewall-forward-and-filter-network-traffic-between-subnets-in-the-same-virtual-network-or-peered-virtual-networks

  Can Azure Firewall forward and filter network traffic between subnets in the same virtual network or peered virtual networks?

  Yes. However, configuring the UDRs to redirect traffic between subnets in the same VNET requires additional attention. While using the VNET address range as a target prefix for the UDR is sufficient, this also routes all traffic from one machine to another machine in the same subnet through the Azure Firewall instance. To avoid this, include a route for the subnet in the UDR with a next hop type of VNET. Managing these routes might be cumbersome and prone to error. The recommended method for internal network segmentation is to use Network Security Groups, which don't require UDRs.

• Question 212:

  You have an Azure virtual network named Vnet1 and an on-premises network.

  The on-premises network has policy-based VPN devices. In Vnet1, you deploy a virtual network gateway named GW1 that uses a SKU of VpnGw1 and is route-based.

  You have a Site-to-Site VPN connection for GW1 as shown in the following exhibit.

  

  You need to ensure that the on-premises network can connect to the route-based GW1. What should you do before you create the connection?

  A. Set Connection Mode to ResponderOnly.

  B. Set BGP to Enabled.

  C. Set Use Azure Private IP Address to Enabled.

  D. Set IPsec / IKE policy to Custom.

  Correct Answer: D

  BGP is the standard routing protocol commonly used in the Internet to exchange routing and reachability information between two or more networks. BGP enables the Azure VPN Gateways and your on-premises VPN devices, called BGP

  peers or neighbors, to exchange "routes" that will inform both gateways on the availability and reachability for those prefixes to go through the gateways or routers involved. BGP can also enable transit routing among multiple networks by

  propagating routes a BGP gateway learns from one BGP peer to all other BGP peers.

  Incorrect:

  Not C: A VPN gateway must have a Public IP address. Verify that you have an externally facing public IPv4 address for your VPN device.

  Reference:

  https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-bgp-resource-manager-ps

  https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-cli

• Question 213:

  You are planning the IP addressing for the subnets in Azure virtual networks. Which type of resource requires IP addresses in the subnets?

  A. Azure DDoS Protection for virtual networks

  B. private endpoints

  C. Azure Virtual Network NAT

  D. service endpoint policies

  Correct Answer: B

  A private endpoint is a network interface that uses a private IP address from your virtual network. This network interface connects you privately and securely to a service that's powered by Azure Private Link. By enabling a private endpoint,

  you're bringing the service into your virtual network.

  Private endpoint properties

  A private endpoint specifies the following properties:

  *

  Name

  *

  Subnet

  The subnet to deploy, where the private IP address is assigned.

  *

  Etc.

  A read-only network interface is automatically created for the lifecycle of the private endpoint. The interface is assigned a dynamic private IP address from the subnet that maps to the private-link resource. The value of the private IP address remains unchanged for the entire lifecycle of the private endpoint. Reference: https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-overview

• Question 214:

  You have an Azure virtual network and an on-premises datacenter.

  You need to implement a Site-to-Site VPN connection between the datacenter and the virtual network.

  Which two resources should you create? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.

  A. a virtual network gateway

  B. Azure Firewall

  C. a local network gateway

  D. Azure Web Application Firewall (WAF)

  E. an on-premises data gateway

  F. an Azure application gateway

  G. a user-defined route

  Correct Answer: AC

  a virtual network gateway

  a local network gateway

  To establish a Site-to-Site VPN connection between an on-premises datacenter and an Azure virtual network, you must include two resources in your plan: a virtual network gateway in Azure and a local network gateway in the datacenter.

  A virtual network gateway acts as the VPN endpoint in Azure and allows the VPN connection to be established with the datacenter.

  A local network gateway represents the on-premises VPN device and its IP address. This allows Azure to establish a VPN connection with the datacenter over the public Internet.

  The virtual network gateway and the local network gateway work together to create the VPN connection, allowing secure communication between the datacenter and the virtual network.

• Question 215:

  After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

  You have an Azure subscription that contains the following resources:

  1.

  A virtual network named Vnet1

  2.

  A subnet named Subnet1 in Vnet1

  3.

  A virtual machine named VM1 that connects to Subnet1

  4.

  Three storage accounts named storage1, storage2, and storage3

  You need to ensure that VM1 can access storage1. VM1 must be prevented from accessing any other storage accounts.

  Solution: You create a network security group (NSG). You configure a service tag for Microsoft.Storage and link the tag to Subnet1.

  Does this meet the goal?

  A. Yes

  B. No

  Correct Answer: B

• Question 216:

  You have Azure App Service apps in the West US Azure region as shown in the following table.

  

  You need to ensure that all the apps can access the resources in a virtual network named Vnet1 without forwarding traffic through the internet. How many integration subnets should you create?

  A. 0

  B. 1

  C. 3

  D. 4

  E. 6

  Correct Answer: C

  One integration subnet is required per App Service Plan regardless of how many apps are running in the App Service Plan.

  Reference: https://docs.microsoft.com/en-us/azure/app-service/overview-vnet-integration

• Question 217:

  You have an Azure application gateway that has Azure Web Application Firewall (WAF) enabled.

  You configure the application gateway to direct traffic to the URL of the application gateway.

  You attempt to access the URL and receive an HTTP 403 error. You view the diagnostics log and discover the following error.

  

  You need to ensure that the URL is accessible through the application gateway.

  Solution: You configure a custom cookie and an exclusion rule.

  Does this meet the goal?

  A. Yes

  B. No

  Correct Answer: B

  The log shows that WAF rule with ruleId 920300 was trigged. Instead we should disable the WAF rule that has a ruleId 920300.

  Reference: https://docs.microsoft.com/en-us/azure/web-application-firewall/ag/web-application-firewall-troubleshoot

• Question 218:

  You have an Azure application gateway that has Azure Web Application Firewall (WAF) enabled.

  You configure the application gateway to direct traffic to the URL of the application gateway.

  You attempt to access the URL and receive an HTTP 403 error. You view the diagnostics log and discover the following error.

  

  You need to ensure that the URL is accessible through the application gateway.

  Solution: You create a WAF policy exclusion request headers that contain 137.135.10.24.

  Does this meet the goat?

  A. Yes

  B. No

  Correct Answer: B

• Question 219:

  You have an Azure Front Door instance named FD1 that is protected by using Azure Web Application Firewall (WAF).

  FD1 uses a frontend host named app1.contoso.com to provide access to Azure web apps hosted in the East US Azure region and the West US Azure region.

  You need to configure FD1 to block requests to app1.contoso.com from all countries other than the United States.

  What should you include in the WAF policy?

  A. a frontend host association

  B. a managed rule set

  C. a custom rule that uses a rate limit rule

  D. a custom rule that uses a match rule

  Correct Answer: C

• Question 220:

  Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while

  others might not have a correct solution.

  After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

  You have an Azure application gateway that has Azure Web Application Firewall (WAF) enabled.

  You configure the application gateway to direct traffic to the URL of the application gateway.

  You attempt to access the URL and receive an HTTP 403 error. You view the diagnostics log and discover the following error.

  

  You need to ensure that the URL is accessible through the application gateway.

  Solution: You create a WAF policy exclusion for request headers that contain 137.135.10.24. Does this meet the goal?

  A. Yes

  B. No

  Correct Answer: B

  The parameter here should be RemoteAddr not Request header. https://docs.microsoft.com/en-us/azure/web-application-firewall/ag/custom-waf-rules- overview#match-variable-required