Microsoft Microsoft Certifications AZ-700 Questions & Answers

• Question 31:

  HOTSPOT

  You have the network security groups (NSGs) shown in the following table.

  

  In NSG1, you create inbound rules as shown in the following table.

  

  You have the Azure virtual machines shown in the following table.

  

  NSG2 has only the default rules configured.

  For each of the following statements, select Yes if the statement is true. Otherwise, select No.

  NOTE: Each correct selection is worth one point.

  You have an Azure virtual network that contains the subnets shown in the following table.

  Hot Area:

  

  Correct Answer:

  

  1.

  VM3 is attached to subnet; which has default outband connection. However, VM1 has NSG that denies traffic in any ports except 80 and 443 from any IP address. But, communication from Virtual network is set to Deny so, the answer here is NO

  2.

  VM1 and VM2 belongs to the same subnet 1 and each of them has default Outbound policy rule that will allow the traffic but Inbound is restricted for any port except 80 and 443. So, answer here is NO

  3.

  VM1 cancommunicate to VM3 due that there is no restriction in Outbbound policy for NGSG1 and no restrictions for NSG2 inbound. So, answer here is YES.

• Question 32:

  HOTSPOT

  You have an Azure subscription that contains a single virtual network and a virtual network gateway.

  You need to ensure that administrators can use Point-to-Site (P2S) VPN connections to access resources in the virtual network. The connections must be authenticated by Azure Active Directory (Azure AD).

  What should you configure? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Box 1: An enterprise application

  Enable Azure AD authentication on the VPN gateway:

  1.

  Locate the Directory ID of the directory that you want to use for authentication. It's listed in the properties section of the Active Directory page.

  2.

  Under your Azure AD, in Enterprise applications, you see Azure VPN listed. Copy the Directory ID.

  3.

  Sign in to the Azure portal as a user that is assigned the Global administrator role.

  4.

  Next, give admin consent. Copy and paste the URL that pertains to your deployment location in the address bar of your browser.

  5.

  Select the Global Admin account if prompted.

  6. Select Accept when prompted.

  

  7. Under your Azure AD, in Enterprise applications, you see Azure VPN listed.

  Box 2: Open VPN (SSL)

  When you connect to your VNet using Point-to-Site, you have a choice of which protocol to use. The protocol you use determines the authentication options that are available to you. If you want to use Azure Active Directory authentication,

  you can do so when using the OpenVPN protocol.

  Reference:

  https://docs.microsoft.com/en-us/azure/vpn-gateway/openvpn-azure-ad-tenant

• Question 33:

  HOTSPOT

  You have the Azure environment shown in the exhibit.

  

  You have virtual network peering between Vnet1 and Vnet2. You have virtual network peering between Vnet4 and Vnet5. The virtual network peering is configured as shown in the following table.

  

  For each of the following statements, select Yes if the statement is true. Otherwise, select No.

  Hot Area:

  

  Correct Answer:

  

  Box 1: Yes

  Virtual network peering seamlessly connects two Azure virtual networks, merging the two virtual networks into one for connectivity purposes. Gateway transit is a peering property that lets one virtual network use the VPN gateway in the

  peered virtual network for cross-premises or VNet-to-VNet connectivity.

  The following diagram shows how gateway transit works with virtual network peering.

  

  In the diagram, gateway transit allows the peered virtual networks to use the Azure VPN gateway in Hub-RM. Connectivity available on the VPN gateway, including S2S, P2S, and VNet-to-VNet connections, applies to all three virtual

  networks.

  In hub-and-spoke network architecture, gateway transit allows spoke virtual networks to share the VPN gateway in the hub, instead of deploying VPN gateways in every spoke virtual network.

  Box 2: Yes

  VM2 uses the remote gateway GW1 to reach VM4.

  Box 3: Yes

  Select Block all traffic to the remote virtual network if you don't want traffic to flow to the peered virtual network by default. You can select this setting if you have peering between two virtual networks but occasionally want to disable default

  traffic flow between the two. You may find enabling/disabling is more convenient than deleting and re-creating peerings. When this setting is selected, traffic doesn't flow between the peered virtual networks by default; however, traffic may still

  flow if explicitly allowed through a network security group rule that includes the appropriate IP addresses or application security groups.

  Reference:

  https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-peering-gateway-transit

  https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-troubleshoot-peering-issues

• Question 34:

  HOTSPOT

  You have the hybrid network shown in the Network Diagram exhibit.

  

  You have a peering connection between Vnet1 and Vnet2 as shown in the Peering-Vnet1-Vnet2 exhibit.

  

  You have a peering connection between Vnet1 and Vnet3 as shown in the Peering-Vnet1-Vnet3 exhibit.

  

  For each of the following statements, select Yes if the statement is true. Otherwise, select No.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Box 1: Yes

  Virtual network peering seamlessly connects two Azure virtual networks, merging the two virtual networks into one for connectivity purposes.

  Box 2: No No Virtual Gateway is used. Gateway transit is a peering property that lets one virtual network use the VPN gateway in the peered virtual network for cross-premises or VNet-to-VNet connectivity. The following diagram shows how gateway transit works with virtual network peering.

  

  In the diagram, gateway transit allows the peered virtual networks to use the Azure VPN gateway in Hub-RM. Connectivity available on the VPN gateway, including S2S, P2S, and VNet-to-VNet connections, applies to all three virtual

  networks.

  Box 3: No

  No Virtual Gateway is used.

  Reference:

  https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-peering-gateway-transit

• Question 35:

  HOTSPOT

  You have two Azure App Service instances that host the web apps shown the following table.

  

  You deploy an Azure 2 that has one public frontend IP address and two backend pools.

  You need to publish all the web apps to the application gateway. Requests must be routed based on the HTTP host headers.

  What is the minimum number of listeners and routing rules you should configure? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Box 1: 2 Listeners

  One listener for As1.contoso.com, and one listener for As2.contoso.com.

  Note: Multiple site hosting enables you to configure more than one web application on the same port of application gateways using public-facing listeners. It allows you to configure a more efficient topology for your deployments by adding up to 100+ websites to one application gateway. Each website can be directed to its own backend pool. For example, three domains, contoso.com, fabrikam.com, and adatum.com, point to the IP address of the application gateway. You'd create three multi-site listeners and configure each listener for the respective port and protocol setting.

  You can also define wildcard host names in a multi-site listener and up to 5 host names per listener.

  Box 2: 2 Routing rules

  Application Gateway request routing rules Rule type When you create a rule, you choose between basic and path-based.

  *

  Choose basic if you want to forward all requests on the associated listener (for example, blog.contoso.com/*) to a single backend pool.

  *

  Choose path-based if you want to route requests from specific URL paths to specific backend pools. The path pattern is applied only to the path of the URL, not to its query parameters.

  Associated backend pool

  Associate to the rule the backend pool that contains the backend targets that serve requests that the listener receives.

  *

  For a basic rule, only one backend pool is allowed. All requests on the associated listener are forwarded to that backend pool.

  *

  For a path-based rule, add multiple backend pools that correspond to each URL path. The requests that match the URL path that's entered are forwarded to the corresponding backend pool. Also, add a default backend pool. Requests that

  don't match any URL path in the rule are forwarded to that pool.

  Reference: https://learn.microsoft.com/en-us/azure/application-gateway/multiple-site-overview

• Question 36:

  HOTSPOT

  Your company has 10 instances of a web service. Each instance is hosted in a different Azure region and is accessible through a public endpoint.

  The development department at the company is creating an application named App1. Every 10 minutes, App1 will use a list of endpoints and connect to the first available endpoint.

  You plan to use Azure Traffic Manager to maintain the list of endpoints.

  You need to configure a Traffic Manager profile that will minimize the impact of DNS caching.

  What should you configure? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Reference: https://docs.microsoft.com/en-us/azure/traffic-manager/traffic-manager-routing-methods https://docs.microsoft.com/en-us/azure/traffic-manager/traffic-manager-endpoint-types

• Question 37:

  HOTSPOT

  You have the Azure environment shown in the Azure Environment exhibit.

  

  The settings for each subnet are shown in the following table.

  

  The Firewalls and virtual networks settings for storage1 are configured as shown in the Storage1 exhibit.

  

  For each of the following statements, select Yes if the statement is true. Otherwise, select No.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Box 1: Yes

  The firewall allows VNet1\Subnet1 through the service endpoint.

  Box 2: No

  The firewall does not allow VNet1\Subnet2 through the service endpoint.

  Box 3: No

  The firewall allows 132.124.53.0/26 which means it allows all IP addresses between 132.124.53.0 and 132.124.53.63. The public IP of VM3 is 132.124.53.76 which is outside the allowed range.

• Question 38:

  HOTSPOT

  You have two Azure virtual networks named Vnet1 and Vnet2 in an Azure region that has three availability zones.

  You deploy 12 virtual machines to each virtual network, deploying four virtual machines per zone. The virtual machines in Vnet1 host an app named App1. The virtual machines in Vnet2 host an app named App2.

  You plan to use Azure Virtual Network NAT to implement outbound connectivity for App1 and App2.

  You need to identify the minimum number of subnets and Virtual Network NAT instances required to meet the following requirements:

  1.

  A failure of two zones must NOT affect the availability of either App1 or App2.

  2.

  A failure of two zones must NOT affect the outbound connectivity of either App1 or App2.

  What should you identify? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  6 Subnets and 6 GW

  https://learn.microsoft.com/en-us/azure/virtual-network/nat-gateway/nat-availability-zones#zonal-nat-gateway-resource-for-each-zone-in-a-region-to-create-zone-resiliency

  "The pattern you want to use for zone isolation is creating a "zonal stack" per availability zone. This "zonal stack" consists of virtual machine instances, a NAT gateway resource with public IP addresses or prefix on a subnet all in the same

  zone.

  Failure of outbound connectivity due to a zone outage is isolated to the specific zone affected. The outage won't affect the other zonal stacks where other NAT gateways are deployed with their own subnets and zonal public IPs."

• Question 39:

  HOTSPOT

  You have an Azure subscription.

  You have the on-premises sites shown the following table.

  

  You plan to deploy Azure Virtual WAN.

  You are evaluating Virtual WAN Basic and Virtual WAN Standard.

  Which type of Virtual WAN can you use for each site? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Reference: https://docs.microsoft.com/en-us/azure/virtual-wan/virtual-wan-about

• Question 40:

  HOTSPOT

  You have an Azure subscription that contains two virtual networks named Vnet1 and Vnet2.

  You register a public DNS zone named fabrikam.com. The zone is configured as shown in the Public DNS Zone exhibit.

  

  You have a private DNS zone named fabrikam.com. The zone is configured as shown in the Private DNS Zone exhibit.

  

  You have a virtual network link configured as shown in the Virtual Network Link exhibit.

  

  For each of the following statements, select Yes if the statement is true. Otherwise, select No.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Box 1: Yes

  DNS queries from the internet use the public DNS zone. In the public DNS zone, www.fabrikam.com is a CNAME record that resolves to appservice1.fabrikam.com which resolves to 131.107.1.1.

  Box 2: No

  DNS queries from the internet use the public DNS zone. There is no DNS record for server1.fabrikam.com in the public DNS zone.

  Box 3: No

  The private DNS zone is linked to VNet1, not VNet2. Therefore, resources in VNet2 cannot query the private DNS zone.