Microsoft Microsoft Certifications AZ-700 Questions & Answers

• Question 231:

  You have an Azure virtual network named Vnet1 that has one subnet. Vnet1 is in the West Europe Azure region.

  You deploy an Azure App Service app named App1 to the West Europe region.

  You need to provide App1 with access to the resources in Vnet1. The solution must minimize costs.

  What should you do first?

  A. Create a private link.

  B. Create a new subnet.

  C. Create a NAT gateway.

  D. Create a gateway subnet and deploy a virtual network gateway.

  Correct Answer: B

  Create a new subnet, since both Vnet and App Service are in the same region.

  https://docs.microsoft.com/en-us/azure/app-service/web-sites-integrate-with-vnet#enable-vnet-integration

  Regional VNet Integration = "If the VNet is in the same region, either create a new subnet or select an empty pre-existing subnet"

• Question 232:

  You have an Azure subscription that is linked to an Azure Active Directory (Azure AD) tenant named contoso.onmicrosoft.com. The subscription contains the following resources:

  1.

  An Azure App Service app named App1

  2.

  An Azure DNS zone named contoso.com

  3.

  An Azure private DNS zone named private.contoso.com

  4.

  A virtual network named Vnet1

  You create a private endpoint for App1. The record for the endpoint is registered automatically in Azure DNS.

  You need to provide a developer with the name that is registered in Azure DNS for the private endpoint.

  What should you provide?

  A. app1.contoso.onmicrosoft.com

  B. app1.private.contoso.com

  C. app1.privatelink.azurewebsites.net

  D. app1.contoso.com

  Correct Answer: C

• Question 233:

  You have an Azure virtual network and an on-premises datacenter.

  You are planning a Site-to-Site VPN connection between the datacenter and the virtual network.

  Which two resources should you include in your plan? Each correct answer presents part of the solution.

  NOTE: Each correct selection is worth one point.

  A. a user-defined route

  B. a virtual network gateway

  C. Azure Firewall

  D. Azure Web Application Firewall (WAF)

  E. an on-premises data gateway

  F. an Azure application gateway

  G. a local network gateway

  Correct Answer: BG

  Reference: https://docs.microsoft.com/en-us/azure/vpn-gateway/tutorial-site-to-site-portal

• Question 234:

  Your company has an on-premises network and three Azure subscriptions named Subscription1, Subscription2, and Subscription3. The departments at the company use the Azure subscriptions as shown in the following table.

  

  All the resources in the subscriptions are in either the West US Azure region or the West US 2 Azure region.

  You plan to connect all the subscriptions to the on-premises network by using ExpressRoute.

  What is the minimum number of ExpressRoute circuits required?

  A. 1

  B. 2

  C. 3

  D. 4

  E. 5

  Correct Answer: A

  Reference: https://docs.microsoft.com/en-us/azure/expressroute/expressroute-introduction

• Question 235:

  You have an Azure application gateway that has Azure Web Application Firewall (WAF) enabled. You configure the application gateway to direct traffic to the URL of the application gateway.

  You attempt to access the URL and receive an HTTP 403 error. You view the diagnostics log and discover the following error.

  

  You need to ensure that the URL is accessible through the application gateway.

  Solution: You add a rewrite rule for the host header.

  Does this meet the goal?

  A. Yes

  B. No

  Correct Answer: B

• Question 236:

  You have an Azure virtual network that contains the subnets shown in the following table.

  

  You deploy an Azure firewall to AzureFirewallSubnet. You route all traffic from Subnet2 through the firewall. You need to ensure that all the hosts on Subnet2 can access an external site located at https://*.contoso.com. What should you do?

  A. In a firewall policy, create a DNAT rule.

  B. Create a network security group (NSG) and associate the NSG to Subnet2.

  C. In a firewall policy, create a network rule.

  D. In a firewall policy, create an application rule.

  Correct Answer: D

  Reference: https://docs.microsoft.com/en-us/azure/firewall/tutorial-firewall-deploy-portal

• Question 237:

  You have an Azure Web Application Firewall (WAF) policy in prevention mode that is associated to an Azure Front Door instance. You need to configure the policy to meet the following requirements:

  1.

  Log all connections from Australia.

  2.

  Deny all connections from New Zealand.

  3.

  Deny all further connections from a network of 131.107.100.0/24 if there are more than 100 connections during one minute. What is the minimum number of objects you should create?

  A. three custom rules that each has one condition

  B. one custom rule that has three conditions

  C. one custom rule that has one condition

  D. one rule that has two conditions and another rule that has one condition

  Correct Answer: A

  Reference: https://docs.microsoft.com/en-us/azure/web-application-firewall/afds/afds-overview

• Question 238:

  You have an Azure subscription that contains multiple virtual machines in the West US Azure region.

  You need to use Traffic Analytics.

  Which two resources should you create? Each correct answer presents part of the solution. (Choose two.)

  NOTE: Each correct answer selection is worth one point.

  A. an Azure Monitor workbook

  B. a Log Analytics workspace

  C. a storage account

  D. an Azure Sentinel workspace

  E. an Azure Monitor data collection rule

  Correct Answer: BC

  A storage acccount is used to store network security group flow logs.

  A Log Analytics workspace is used by Traffic Analytics to store the aggregated and indexed data that is then used to generate the analytics.

  Reference:

  https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics

• Question 239:

  You have a hybrid environment that uses ExpressRoute to connect an on-premises network and Azure.

  You need to log the uptime and the latency of the connection periodically by using an Azure virtual machine and an on-premises virtual machine. What should you use?

  A. Azure Monitor

  B. IP flow verify

  C. Connection Monitor

  D. Azure Internet Analyzer

  Correct Answer: C

  Reference: https://docs.microsoft.com/en-us/azure/network-watcher/connection-monitor

• Question 240:

  You have an Azure subscription that contains the following resources:

  1.

  A virtual network named Vnet1

  2.

  Two subnets named subnet1 and AzureFirewallSubnet

  3.

  A public Azure Firewall named FW1

  4.

  A route table named RT1 that is associated to Subnet1

  5.

  A rule routing of 0.0.0.0/0 to FW1 in RT1

  After deploying 10 servers that run Windows Server to Subnet1, you discover that none of the virtual machines were activated.

  You need to ensure that the virtual machines can be activated.

  What should you do?

  A. On FW1, create an outbound service tag rule for AzureCloud.

  B. On FW1, create an outbound network rule that allows traffic to the Azure Key Management Service (KMS).

  C. Deploy a NAT gateway.

  D. To Subnet1, associate a network security group (NSG) that allows outbound access to port 1688.

  Correct Answer: B

  Troubleshoot Azure Windows virtual machine activation problems

  Solution

  Step 1 Configure the appropriate KMS client setup key

  Step 2 Verify the connectivity between the VM and Azure KMS service

  This includes:

  make sure that the outbound network traffic to KMS endpoint with 1688 port is not blocked by the firewall in the VM.

  Note:

  Understanding Azure KMS endpoints for Windows product activation of Azure Virtual Machines

  Azure uses different endpoints for KMS (Key Management Services) activation depending on the cloud region where the VM resides.

  Symptom

  When you try to activate an Azure Windows VM, you receive an error message resembles the following sample:

  Error: 0xC004F074 The Software LicensingService reported that the computer could not be activated. No Key ManagementService (KMS) could be contacted. Please see the Application Event Log for additional information.

  Cause

  Generally, Azure VM activation issues occur if the Windows VM is not configured by using the appropriate KMS client setup key, or the Windows VM has a connectivity problem to the Azure KMS service (kms.core.windows.net, port 1688).

  Reference:

  https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/troubleshoot-activation-problems

  https://learn.microsoft.com/en-us/azure/firewall/overview