Microsoft Microsoft Certifications AZ-700 Questions & Answers

• Question 21:

  HOTSPOT

  You have an Azure subscription that contains the resource groups shown in the following table.

  

  You have the virtual networks shown in the following table.

  

  Vnet1 contains two virtual machines named VM1 and VM2. Vnet2 contains two virtual machines named VM3 and VM4. You have the network security groups (NSGs) shown in the following table that include only default rules.

  

  You have the Azure load balancers shown in the following table.

  

  For each of the following statements, select Yes if the statement is true. Otherwise, select No.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Box 1: No

  VM2 is in Vnet1.

  Vnet1 is located in East US.

  Vnet1 has the two subnets Sb1 and Sb2, both in RG1.

  Lb2 is in West US and has the Backend pool in Vnet2.

  Note: The backend resources must be in the same virtual network as the load balancer for IP based LBs

  Box 2: Yes

  VM4 and VM3 are both in Vnet2.

  Lb2 is also in Vnet2. Lb2 is an internal load balancer. VM3 is in the backend pool of Lb2. Rule is TCP port 1433, backend port 1433.

  Note: Public Load Balancers are used to load balance internet traffic to your VMs. An internal (or private) load balancer is used where private IPs are needed at the frontend only. Internal load balancers are used to load balance traffic inside a

  virtual network.

  Box 3: Yes

  VM1 is in the backend pool of Lb1. Lb1 is a public load balancer.

  Rule is TCP port 80, backend port 80.

  Note: A public load balancer can provide outbound connections for virtual machines (VMs) inside your virtual network. These connections are accomplished by translating their private IP addresses to public IP addresses. Public Load

  Balancers are used to load balance internet traffic to your VMs.

  Reference: https://learn.microsoft.com/en-us/azure/load-balancer/backend-pool-management

  https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-overview

• Question 22:

  HOTSPOT

  You have the hybrid network shown in the Network Diagram exhibit.

  

  You have a peering connection between Vnet1 and Vnet2 as shown in the Peering-Vnet1-Vnet2 exhibit.

  

  You have a peering connection between Vnet1 and Vnet3 as shown in the Peering-Vnet1-Vnet3 exhibit.

  

  For each of the following statements, select Yes if the statement is true. Otherwise, select No.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Box 1: Yes

  Virtual network peering seamlessly connects two Azure virtual networks, merging the two virtual networks into one for connectivity purposes.

  Box 2: No No Virtual Gateway is used. Gateway transit is a peering property that lets one virtual network use the VPN gateway in the peered virtual network for cross-premises or VNet-to-VNet connectivity. The following diagram shows how gateway transit works with virtual network peering.

  

  In the diagram, gateway transit allows the peered virtual networks to use the Azure VPN gateway in Hub-RM. Connectivity available on the VPN gateway, including S2S, P2S, and VNet-to-VNet connections, applies to all three virtual

  networks.

  Box 3: No

  No Virtual Gateway is used.

  Reference:

  https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-peering-gateway-transit

• Question 23:

  HOTSPOT

  You have two Azure App Service instances that host the web apps shown the following table.

  

  You deploy an Azure 2 that has one public frontend IP address and two backend pools.

  You need to publish all the web apps to the application gateway. Requests must be routed based on the HTTP host headers.

  What is the minimum number of listeners and routing rules you should configure? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Box 1: 2 Listeners

  One listener for As1.contoso.com, and one listener for As2.contoso.com.

  Note: Multiple site hosting enables you to configure more than one web application on the same port of application gateways using public-facing listeners. It allows you to configure a more efficient topology for your deployments by adding up to 100+ websites to one application gateway. Each website can be directed to its own backend pool. For example, three domains, contoso.com, fabrikam.com, and adatum.com, point to the IP address of the application gateway. You'd create three multi-site listeners and configure each listener for the respective port and protocol setting.

  You can also define wildcard host names in a multi-site listener and up to 5 host names per listener.

  Box 2: 2 Routing rules

  Application Gateway request routing rules Rule type When you create a rule, you choose between basic and path-based.

  *

  Choose basic if you want to forward all requests on the associated listener (for example, blog.contoso.com/*) to a single backend pool.

  *

  Choose path-based if you want to route requests from specific URL paths to specific backend pools. The path pattern is applied only to the path of the URL, not to its query parameters.

  Associated backend pool

  Associate to the rule the backend pool that contains the backend targets that serve requests that the listener receives.

  *

  For a basic rule, only one backend pool is allowed. All requests on the associated listener are forwarded to that backend pool.

  *

  For a path-based rule, add multiple backend pools that correspond to each URL path. The requests that match the URL path that's entered are forwarded to the corresponding backend pool. Also, add a default backend pool. Requests that

  don't match any URL path in the rule are forwarded to that pool.

  Reference: https://learn.microsoft.com/en-us/azure/application-gateway/multiple-site-overview

• Question 24:

  HOTSPOT

  You have an Azure subscription that contains the virtual machines shown in the following table.

  

  VNet1 and VNet2 are NOT connected to each other.

  You need to block traffic from SQL Server 2019 to IIS by using application security groups. The solution must minimize administrative effort.

  How should you configure the application security groups? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Box 1: 2

  All network interfaces assigned to an application security group have to exist in the same virtual network that the first network interface assigned to the application security group is in.

  We need one application security group for each of the two virtual networks.

  Box 2: 3

  One network assignment in VNet1. Two network assignments in VNET2.

  Reference:

  https://docs.microsoft.com/en-us/azure/virtual-network/application-security-groups

• Question 25:

  HOTSPOT

  You have an Azure subscription. The subscription contains virtual machines that host websites as shown in the following table.

  

  You have the Azure Traffic Manager profiles shown in the following table.

  

  You have the endpoints shown in the following table.

  

  For each of the following statements, select Yes if the statement is true. Otherwise, select No.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Box 1: No

  VM1, which is hosting site1.contoso.com, is located in East US. The VM1 endpoint status is degraded. Endpoint monitoring health checks are failing. The endpoint isn't included in DNS responses and doesn't receive traffic.

  When an endpoint has a Degraded status, it's no longer returned in response to DNS queries. Instead, an alternative endpoint is chosen and returned. The traffic-routing method configured in the profile determines how the alternative

  endpoint is chosen.

  Priority. Endpoints form a prioritized list. The first available endpoint on the list is always returned. If an endpoint status is Degraded, then the next available endpoint is returned.

  The user will connect to site2.us.contoso.com instead.

  Box 2: No

  VM3, which is hosting site2.contoso.com, is located in in East US. The VM3 endpoint status is CheckingEndpoint. The endpoint is monitored, but the results of the first probe haven't been received yet. CheckingEndpoint is a temporary state

  that usually occurs immediately after adding or enabling an endpoint in the profile. An endpoint in this state is included in DNS responses and can receive traffic.

  User will connect to site2.contoso.com, not to site2.uk.contoso.com

  Box 3: No

  VM3, which is hosting site2.contoso.com, is located in in East US. The VM1 endpoint status is CheckingEndpoint, which is OK (see above).

  User will connect to site2.contoso.com, not to site2.japan.contoso.com

  Reference:

  https://docs.microsoft.com/en-us/azure/traffic-manager/traffic-manager-monitoring

• Question 26:

  HOTSPOT

  You have an Azure subscription that contains the resources shown in the following table.

  

  The virtual network topology is shown in the following exhibit.

  

  Firewall1 is configured as shown in following exhibit.

  

  FirewallPolicy1 contains the following rules:

  1.

  Allow outbound traffic from Vnet1 and Vnet2 to the internet.

  2.

  Allow any traffic between Vnet1 and Vnet2.

  No custom private endpoints. service endpoints. routing tables, or network security groups (NSGs) were created. For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Y - You need to add User Defined Route to the Firewall Appliance from the subnets (https://learn.microsoft.com/en-us/azure/firewall/tutorial-firewall-deploy-portal)

  N - The firewall is not a VPN Gateway, and we do not have any connection with On-Premises here (https://learn.microsoft.com/en-us/answers/questions/516530/how-to-set-up-a-multi-spoke-virtual-network-in-azu)

  Y - Azure Firewall can filter by web categories (https://learn.microsoft.com/en-us/azure/firewall/web-categories)

• Question 27:

  HOTSPOT

  You have two Azure subscriptions named Subscription1 and Subscription2. There are no connections between the virtual networks in two subscriptions.

  You configure a private link service as shown in the privatelinkservice1 exhibit. (Click the privatelinkservice1 tab.)

  

  You create a load balancer name in Subscription1 and configure the backend pool shown in the lb1 exhibit. (Click tie 1b1 tab.)

  

  You create a private endpoint in Subscription2 as shown in the privateendpoint4 exhibit. (Click the privateendpoint4)

  

  For each of the following statements, select YES if the statement is true. Otherwise. select No.

  Hot Area:

  

  Correct Answer:

  

• Question 28:

  You have the Azure App Service app shown below.

  

  The VNet Integration settings for as123 are configured as shown below.

  

  The Private Endpoint connections settings for as123 are configured as shown below.

  

  Select Yes of the below statement is true. Otherwise, select No.

  Hot Area:

  

  Correct Answer:

  

• Question 29:

  HOTSPOT

  You have the network topology shown in the Topology exhibit. (Click the Topology tab.)

  

  You have the Azure firewall shown in the Firewall 1 exhibit. (Click the Firewall tab.)

  

  You have the route table shown in the RouteTable1 exhibit. (Click the RouteTable1 tab.)

  

  For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Box 1: Yes

  Resources in Subnet1 will use the Route2 and its Next hop ID address to the Firewall to reach the Internet.

  Box 2: Yes

  Yes, with network network peering.

  Box 3: No

  Resources in Subnet2 can only reach resources in Subnet1, as gateway transit for virtual network peering has not been configured.

  Reference:

  https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview

  https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-peering-gateway-transit

• Question 30:

  HOTSPOT

  You configure a route table named RT1 that has the routes shown in the following table.

  

  You have an Azure virtual network named Vnet1 that has the subnets shown in the following table.

  

  You have the resources shown in the following table.

  

  Vnet1 connects to an ExpressRoute circuit. The on-premises router advertises the following routes:

  1.

  0.0.0.0/0

  2.

  10.0.0.0/16

  For each of the following statements, select Yes if the statement is true. Otherwise, select No.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Box 1: Yes

  NVA1 with IP (NVA-network virtual appliance) 192.168.0.4 is on the DMZ subnet. It will use route 10.0.0.0/16 to the on-premises network.

  Box 2: No

  VM2 has IP address 192.168.2.4 and is on the BackEnd subnet. VM2 will not use the RT1 route table, and will not reach the on-premises network through NVA1.

  Box 3: Yes

  VM1 with IP address 192.168.1.4 is on the FrontEnd subnet, and will use the RT1 routing table. It will use Route2 and Next Hop IP address 192.168.0.4, IP address of NVA1, to reach VM2.