AZ-700: Designing and Implementing Microsoft Azure Networking Solutions Part 5
Question #: 1
Topic #: 13
HOTSPOT –
You create NSG10 and NSG11 to meet the network security requirements.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Suggestion Answer:
Question #: 2
Topic #: 15
HOTSPOT –
In which NSGs can you use ASG1 and to which virtual machine network interfaces can you associate ASG1? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Suggestion Answer:
Question #: 3
Topic #: 14
HOTSPOT –
You need to restrict traffic from VMScaleSet1 to VMScaleSet2. The solution must meet the virtual networking requirements.
What is the minimum number of custom NSG rules and NSG assignments required? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Suggestion Answer:
Question #: 4
Topic #: 6
HOTSPOT –
You need to recommend a configuration for the ExpressRoute connection from the Boston datacenter. The solution must meet the hybrid networking requirements and business requirements.
What should you recommend? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Suggestion Answer:
Question #: 5
Topic #: 12
HOTSPOT –
You are implementing the virtual network requirements for VM-Analyze.
What should you include in a custom route that is linked to Subnet2? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Suggestion Answer:
Question #: 6
Topic #: 10
HOTSPOT –
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Suggestion Answer:
Question #: 7
Topic #: 9
DRAG DROP –
You need to prepare Vnet1 for the deployment of an ExpressRoute gateway. The solution must meet the hybrid connectivity requirements and the business requirements.
Which three actions should you perform in sequence for Vnet1? To answer, move the appropriate actions from the list of actions to the answer.
Select and Place:
Suggestion Answer:
Question #: 8
Topic #: 5
You have the Azure resources shown in the following table.
You configure storage1 to provide access to the subnet in Vnet1 by using a service endpoint.
You need to ensure that you can use the service endpoint to connect to the read-only endpoint of storage1 in the paired Azure region.
What should you do first?
A. Fail over storage1 to the paired Azure region.
B. Configure the firewall settings for storage1.
C. Create a virtual network in the paired Azure region.
D. Create another service endpoint.
Selected Answer: C
Question #: 9
Topic #: 1
Your company has a single on-premises datacenter in Washington DC. The East US Azure region has a peering location in Washington DC.
The company only has Azure resources in the East US region.
You need to implement ExpressRoute to support up to 1 Gbps. You must use only ExpressRoute Unlimited data plans. The solution must minimize costs.
Which type of ExpressRoute circuits should you create?
A. ExpressRoute Local
B. ExpressRoute Direct
C. ExpressRoute Premium
D. ExpressRoute Standard
Selected Answer: A
Question #: 10
Topic #: 4
Case Study –
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other questions in this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.
To start the case study –
To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. When you are ready to answer a question, click the Question button to return to the question.
Overview –
Proseware, Inc. is a financial services company that has a main office in New York City and a branch office in San Francisco.
Existing Environment. Hybrid Environment
Proseware has an on-premises Active Directory Domain Services (AD DS) forest named corp.proseware.com that syncs with a Microsoft Entra tenant named proseware.com.
Proseware has an Azure subscription that is linked to proseware.com.
Proseware has an internal certification authority (CA).
Existing Environment. Network Infrastructure
The offices contain the resources shown in the following table.
NYCNet connects to Azure by using an ExpressRoute circuit.
SFONet connects to Azure by using a Site-to-Site (S2S) VPN.
Existing Environment. Azure Resources
The Azure subscription contains the virtual networks and subnets shown in the following table.
The subscription contains four virtual machines named VM1, VM2, VM3, and VM4. VM1 and VM2 host an app named App1.
VM3 and VM4 host a web app named App2 that is accessed by using a FQDN of app2.proseware.com. Users access app2.proseware.com by using HTTP or HTTPS.
VM1, VM2, and VM4 are connected to SpokeVNet.
The subscription contains Application Gateway resources shown in the following table.
The subscription contains an Azure Front Door Standard profile named FD1. FD1 contains a single origin group that targets APPGW1 by using the default endpoint name.
HubVNet connects to NYCNet by using an ExpressRoute gateway named ERGW1.
Planned Changes and Requirements. Planned Changes
Proseware plans to implement the following changes:
• Deploy an Azure Private DNS Resolver named PRDNS1 to HubVNet and link PRDNS1 to SpokeVNet.
• Create a DNS forwarding ruleset named DNSRS1 and associate DNSRS1 with PRDNS1.
• Deploy Azure Virtual Network Manager and implement the following rules:
– Allow inbound connections on TCP port 3389 from the on-premises networks to SUBNET-JUMPHOSTS.
– Block inbound connections on TCP port 80 from the internet to SpokeVNet.
• Ensure that Azure Virtual Network Manager rules take precedence over conflicting NSG rules.
• Deploy two network virtual appliances (NVAs) named NVA1 and NVA2 to HubVNet.
• Deploy a gateway load balancer named LBGW1 to HubVNet.
• Configure LBGW1 to inspect traffic on TCP ports 443, 1433, and 1434 from LBS1 by using NVA1 and NVA2.
• Ensure that all the traffic to App2 is processed by using FD1.
Planned Changes and Requirements. Connectivity requirements
Proseware identifies the following connectivity requirements:
• Minimize the complexity of the Azure Virtual Network Manager deployment.
• Route traffic between NYCNet and SFONet via the ExpressRoute circuit and the S2S VPN.
• Ensure that remote users on Windows 11 devices can connect to HubVNet by using a Point-to-Site (P2S) VPN and their proseware.com credentials.
Planned Changes and Requirements. Security requirements
Proseware identifies the following security requirements:
• Whenever possible, use the internal CA.
• Ensure that all connections routed via APPGW1 use end-to-end encryption.
• Ensure that user connections to Azure-hosted apps use end-to-end encryption.
• Ensure that all inbound internet traffic to app2.proseware.com is routed via FD1.
• Prevent devices that connect to NYCNet from accessing Azure services that use private endpoints.
• Enable the virtual machines that connect to HubVNet and SpokeVNet to access Azure services that use private endpoints.
Planned Changes and Requirements. General requirements
Proseware identifies the following general requirements:
• Minimize the IP address space required to deploy platform-managed resources to the virtual networks.
• From SpokeVNet, resolve name resolution requests for the azure.proseware.com namespace and the corp.proseware.com namespace by using PRDNS1.
• Whenever possible, minimize administrative effort.
You need to configure a custom rule for APPGW1-WAFPolicy to allow only connections that originate from FD1. The solution must support the planned changes.
Which Match type and Match variable should you select?
A. Geo location and RemoteAddr
B. IP address and RemoteAddr
C. String and RequestCookies
D. String and RequestHeaders
Selected Answer: B
Question #: 11
Topic #: 8
You need to configure GW1 to meet the network security requirements for the P2S VPN users.
Which Tunnel type should you select in the Point-to-site configuration settings of GW1?
A. IKEv2 and OpenVPN (SSL)
B. IKEv2
C. IKEv2 and SSTP (SSL)
D. OpenVPN (SSL)
E. SSTP (SSL)
Selected Answer: D
Question #: 12
Topic #: 11
You need to configure the default route on Vnet2 and Vnet3. The solution must meet the virtual networking requirements.
What should you use to configure the default route?
A. route filters
B. BGP route exchange
C. a user-defined route assigned to GatewaySubnet in Vnet1
D. a user-defined route assigned to GatewaySubnet in Vnet2 and Vnet3
Selected Answer: B
Question #: 13
Topic #: 3
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure application gateway that has Azure Web Application Firewall (WAF) enabled.
You configure the application gateway to direct traffic to the URL of the application gateway.
You attempt to access the URL and receive an HTTP 403 error. You view the diagnostics log and discover the following error.
You need to ensure that the URL is accessible through the application gateway from any IP address.
Solution: You configure a custom cookie and an exclusion rule.
Does this meet the goal?
A. Yes
B. No
Selected Answer: B
Question #: 14
Topic #: 2
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have two Azure virtual networks named Vnet1 and Vnet2.
You have a Windows 10 device named Client1 that connects to Vnet1 by using a Point-to-Site (P2S) IKEv2 VPN.
You implement virtual network peering between Vnet1 and Vnet2. Vnet1 allows gateway transit. Vnet2 can use the remote gateway.
You discover that Client1 cannot communicate with Vnet2.
You need to ensure that Client1 can communicate with Vnet2.
Solution: You reset the gateway of Vnet1.
Does this meet the goal?
A. Yes
B. No
Selected Answer: B
Question #: 15
Topic #: 7
You need to provide access to storage1. The solution must meet the PaaS networking requirements and the business requirements.
What should you include in the solution?
A. a private endpoint
B. Azure Traffic Manager
C. Azure Front Door
D. a service endpoint
Selected Answer: A
Question #: 16
Topic #: 3
HOTSPOT –
You have an Azure subscription that contains the route tables and routes shown in the following table.
The subscription contains the subnets shown in the following table.
The subscription contains the virtual machines shown in the following table.
The subscription contains the local network gateways shown in the following table.
There is a Site-to-Site VPN connection to each local network gateway.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Suggestion Answer:
Question #: 17
Topic #: 5
HOTSPOT –
You have the Azure App Service app shown in the App Service exhibit.
The VNet Integration settings for as12 are configured as shown in the Vnet Integration exhibit.
The Private Endpoint connections settings for as12 are configured as shown in the Private Endpoint connections exhibit.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Suggestion Answer:
Question #: 18
Topic #: 10
HOTSPOT –
Which virtual machines can VM1 and VM4 ping successfully? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Suggestion Answer:
Question #: 19
Topic #: 11
DRAG DROP –
You need to implement outbound connectivity for VMScaleSet1. The solution must meet the virtual networking requirements and the business requirements.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Select and Place:
Suggestion Answer:
Question #: 20
Topic #: 1
You are planning an Azure Point-to-Site (P2S) VPN that will use OpenVPN.
Users will authenticate by using an on-premises Active Directory domain.
Which additional service should you deploy to support the VPN authentication?
A. an Azure key vault
B. a RADIUS server
C. a certification authority
D. Azure Active Directory (Azure AD) Application Proxy
Selected Answer: B
Question #: 21
Topic #: 4
You have an Azure virtual network that contains the subnets shown in the following table.
You deploy an Azure firewall to AzureFirewallSubnet. You route all traffic from Subnet2 through the firewall.
You need to ensure that all the hosts on Subnet2 can access an external site located at https://*.contoso.com.
What should you do?
A. In a firewall policy, create a DNAT rule.
B. Create a network security group (NSG) and associate the NSG to Subnet2.
C. In a firewall policy, create a network rule.
D. In a firewall policy, create an application rule.
Selected Answer: D
Question #: 22
Topic #: 9
You need to connect Vnet2 and Vnet3. The solution must meet the virtual networking requirements and the business requirements.
Which two actions should you include in the solution? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. On the peering from Vnet1, select Allow gateway transit.
B. On the peerings from Vnet2 and Vnet3, select Use remote gateways.
C. On the peerings from Vnet2 and Vnet3, select Allow gateway transit.
D. On the peering from Vnet1, select Use remote gateways.
E. On the peering from Vnet1, select Allow forwarded traffic.
Selected Answer: AB
Question #: 23
Topic #: 7
You need to provide access to storage2. The solution must meet the PaaS networking requirements and the business requirements.
Which connectivity method should you use?
A. a private endpoint
B. Azure Firewall
C. Azure Front Door
D. a service endpoint
Selected Answer: A
Question #: 24
Topic #: 2
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have two Azure virtual networks named Vnet1 and Vnet2.
You have a Windows 10 device named Client1 that connects to Vnet1 by using a Point-to-Site (P2S) IKEv2 VPN.
You implement virtual network peering between Vnet1 and Vnet2. Vnet1 allows gateway transit. Vnet2 can use the remote gateway.
You discover that Client1 cannot communicate with Vnet2.
You need to ensure that Client1 can communicate with Vnet2.
Solution: You enable BGP on the gateway of Vnet1.
Does this meet the goal?
A. Yes
B. No
Selected Answer: B
Question #: 25
Topic #: 5
DRAG DROP –
You have an Azure virtual network named Vnet1 that connects to an on-premises network.
You have an Azure Storage account named storageaccount1 that contains blob storage.
You need to configure a private endpoint for the blob storage. The solution must meet the following requirements:
✑ Ensure that all on-premises users can access storageaccount1 through the private endpoint.
✑ Prevent access to storageaccount1 from being interrupted.
Which four actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Select and Place:
Suggestion Answer:
Question #: 26
Topic #: 9
HOTSPOT –
You need to implement a P2S VPN for the users in the branch office. The solution must meet the hybrid networking requirements.
What should you do? To answer, select the appropriate options in the answer area.
Hot Area:
Suggestion Answer:
Question #: 27
Topic #: 2
HOTSPOT –
You have the Azure environment shown in the following exhibit.
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
NOTE: Each correct selection is worth one point.
Hot Area:
Suggestion Answer:
Question #: 28
Topic #: 7
HOTSPOT –
You need to implement name resolution for cloud.litwareinc.com. The solution must meet the networking requirements.
What should you do? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Suggestion Answer:
Question #: 29
Topic #: 4
You have an Azure Web Application Firewall (WAF) policy in prevention mode that is associated to an Azure Front Door instance.
You need to configure the policy to meet the following requirements:
✑ Log all connections from Australia.
✑ Deny all connections from New Zealand.
✑ Deny all further connections from a network of 131.107.100.0/24 if there are more than 100 connections during one minute.
What is the minimum number of objects you should create?
A. three custom rules that each has one condition
B. one custom rule that has three conditions
C. one custom rule that has one condition
D. one rule that has two conditions and another rule that has one condition
Selected Answer: A
Question #: 30
Topic #: 3
You have an Azure subscription that contains the public IP addresses shown in the following table.
You plan to deploy a NAT gateway named NAT1.
Which public IP addresses can be used as the public IP address for NAT1?
A. IP3 only
B. IP5 only
C. IP2 and IP4 only
D. IP1, IP3 and IP5 only
E. IP3 and IP5 only
Selected Answer: A
Question #: 31
Topic #: 10
What should you implement to meet the virtual network requirements for the virtual machines that connect to Vnet4 and Vnet5?
A. a private endpoint
B. a routing table
C. a service endpoint
D. a private link service
E. a virtual network peering
Selected Answer: E
Question #: 32
Topic #: 1
You plan to configure BGP for a Site-to-Site VPN connection between a datacenter and Azure.
Which two Azure resources should you configure? Each correct answer presents a part of the solution. (Choose two.)
NOTE: Each correct selection is worth one point.
A. a virtual network gateway
B. Azure Application Gateway
C. Azure Firewall
D. a local network gateway
E. Azure Front Door
Selected Answer: AD
Question #: 33
Topic #: 2
You plan to deploy an Azure virtual network.
You need to design the subnets.
Which three types of resources require a dedicated subnet? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.
A. Azure Bastion
B. Azure Active Directory Domain Services (Azure AD DS)
C. Azure Private Link
D. Azure Application Gateway v2
E. VPN gateway
Selected Answer: ADE
Question #: 34
Topic #: 1
You fail to establish a Site-to-Site VPN connection between your company’s main office and an Azure virtual network.
You need to troubleshoot what prevents you from establishing the IPsec tunnel.
Which diagnostic log should you review?
A. IKEDiagnosticLog
B. RouteDiagnosticLog
C. GatewayDiagnosticLog
D. TunnelDiagnosticLog
Selected Answer: A
Question #: 35
Topic #: 4
You have an Azure subscription that contains multiple virtual machines in the West US Azure region.
You need to use Traffic Analytics.
Which two resources should you create? Each correct answer presents part of the solution. (Choose two.)
NOTE: Each correct answer selection is worth one point.
A. an Azure Monitor workbook
B. a Log Analytics workspace
C. a storage account
D. an Azure Sentinel workspace
E. an Azure Monitor data collection rule
Selected Answer: BC
Question #: 36
Topic #: 5
You have an Azure virtual network named Vnet1 that has one subnet. Vnet1 is in the West Europe region.
You deploy an Azure App Service app named App1 to the West Europe region.
You need to provide App1 with access to the resources in Vnet1. The solution must minimize costs.
What should you do first?
A. Create a private link.
B. Create a new subnet.
C. Create a NAT gateway.
D. Create a gateway subnet and deploy a virtual network gateway.
Selected Answer: B
Question #: 37
Topic #: 3
You have an Azure application gateway named AGW1 that has a routing rule named Rule1. Rule1 directs traffic for http://www.contoso.com to a backend pool named Pool1. Pool1 targets an Azure virtual machine scale set named VMSS1.
You deploy another virtual machine scale set named VMSS2.
You need to configure AGW1 to direct all traffic for http://www.adatum.com to VMSS2.
The solution must ensure that requests to http://www.contoso.com continue to be directed to Pool1.
Which three actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. Add a backend pool.
B. Modify an HTTP setting.
C. Add an HTTP setting.
D. Add a listener.
E. Add a rule.
Selected Answer: ADE
Question #: 38
Topic #: 4
HOTSPOT –
You have an Azure subscription that contains the virtual machines shown in the following table.
Subnet1 and Subnet2 are associated to a network security group (NSG) named NSG1 that has the following outbound rule:
✑ Priority: 100
✑ Port: Any
✑ Protocol: Any
✑ Source: Any
✑ Destination: Storage
✑ Action: Deny
You create a private endpoint that has the following settings:
✑ Name: Private1
✑ Resource type: Microsoft.Storage/storageAccounts
✑ Resource: storage1
✑ Target sub-resource: blob
✑ Virtual network: Vnet1
✑ Subnet: Subnet1
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Suggestion Answer:
Question #: 39
Topic #: 2
HOTSPOT –
You have an Azure private DNS zone named contoso.com that is linked to the virtual networks shown in the following table.
The links have auto registration enabled.
You create the virtual machines shown in the following table.
You manually add the following entry to the contoso.com zone:
✑ Name: VM1
✑ IP address: 10.1.10.9
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Suggestion Answer:
Question #: 40
Topic #: 3
HOTSPOT –
You have an Azure Traffic Manager parent profile named TM1. TM1 has two child profiles named TM2 and TM3.
TM1 uses the performance traffic-routing method and has the endpoints shown in the following table.
TM2 uses the weighted traffic-routing method with MinChildEndpoint = 2 and has the endpoints shown in the following table.
TM3 uses the priority traffic-routing method and has the endpoints shown in the following table.
The App2, App4, and App6 endpoints have a degraded monitoring status.
To which endpoint is traffic directed? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Suggestion Answer: