AZ-700: Designing and Implementing Microsoft Azure Networking Solutions Part 6
Question #: 41
Topic #: 5
You have an Azure subscription that is linked to an Azure Active Directory (Azure AD) tenant named contoso.onmicrosoft.com. The subscription contains the following resources:
✑ An Azure App Service app named App1
✑ An Azure DNS zone named contoso.com
✑ An Azure private DNS zone named private.contoso.com
✑ A virtual network named Vnet1
You create a private endpoint for App1. The record for the endpoint is registered automatically in Azure DNS.
You need to provide a developer with the name that is registered in Azure DNS for the private endpoint.
What should you provide?
A. app1.contoso.onmicrosoft.com
B. app1.private.contoso.com
C. app1.privatelink.azurewebsites.net
D. app1.contoso.com
Selected Answer: C
Question #: 42
Topic #: 1
You have an Azure virtual network and an on-premises datacenter.
You are planning a Site-to-Site VPN connection between the datacenter and the virtual network.
Which two resources should you include in your plan? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. a user-defined route
B. a virtual network gateway
C. Azure Firewall
D. Azure Web Application Firewall (WAF)
E. an on-premises data gateway
F. an Azure application gateway
G. a local network gateway
Selected Answer: BG
Question #: 43
Topic #: 4
HOTSPOT –
You have an Azure firewall shown in the following exhibit.
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
NOTE: Each correct selection is worth one point.
Hot Area:
Suggestion Answer:
Question #: 44
Topic #: 1
HOTSPOT –
You need to connect an on-premises network and an Azure environment. The solution must use ExpressRoute and support failing over to a Site-to-Site VPN connection if there is an ExpressRoute failure.
What should you configure? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Suggestion Answer:
Question #: 45
Topic #: 2
HOTSPOT –
Your company has an Azure virtual network named Vnet1 that uses an IP address space of 192.168.0.0/20. Vnet1 contains a subnet named Subnet1 that uses an IP address space of 192.168.0.0/24.
You add an IPv6 address range to Vnet1 by using a CIDR suffix of /48.
You need to enable the virtual machines on Subnet1 to communicate with each other by using IPv6 addresses assigned by the company. The solution must minimize the number of additional IPv4 addresses.
What should you do? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Suggestion Answer:
Question #: 46
Topic #: 5
You have Azure App Service apps in the West US Azure region as shown in the following table.
You need to ensure that all the apps can access the resources in a virtual network named VNet1 without forwarding traffic through the internet.
How many integration subnets should you create?
A. 0
B. 1
C. 3
D. 4
E. 6
Selected Answer: C
Question #: 47
Topic #: 3
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure application gateway that has Azure Web Application Firewall (WAF) enabled.
You configure the application gateway to direct traffic to the URL of the application gateway.
You attempt to access the URL and receive an HTTP 403 error. You view the diagnostics log and discover the following error.
You need to ensure that the URL is accessible through the application gateway from any IP address.
Solution: You add a rewrite rule for the host header.
Does this meet the goal?
A. Yes
B. No
Selected Answer: A
Question #: 48
Topic #: 5
HOTSPOT –
You have the Azure environment shown in the Azure Environment exhibit.
The settings for each subnet are shown in the following table.
The Firewalls and virtual networks settings for storage1 are configured as shown in the Storage1 exhibit.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Suggestion Answer:
Question #: 49
Topic #: 2
HOTSPOT –
You plan to deploy Azure Virtual WAN.
You need to deploy a virtual WAN hub that meets the following requirements:
✑ Supports 10 sites that will connect to the virtual WAN hub by using a Site-to-Site VPN connection
✑ Supports 8 Gbps of ExpressRoute traffic
✑ Minimizes costs
What should you configure? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Suggestion Answer:
Question #: 50
Topic #: 3
HOTSPOT –
You have an Azure Front Door instance that provides access to a web app. The web app uses a hostname of www.contoso.com.
You have the routing rules shown in the following table.
Which rule will apply to each incoming request? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Suggestion Answer:
Question #: 51
Topic #: 1
Your company has an on-premises network and three Azure subscriptions named Subscription1, Subscription2, and Subscription3.
The departments at the company use the Azure subscriptions as shown in the following table.
All the resources in the subscriptions are in either the West US Azure region or the West US 2 Azure region.
You plan to connect all the subscriptions to the on-premises network by using ExpressRoute.
What is the minimum number of ExpressRoute circuits required?
A. 1
B. 2
C. 3
D. 4
E. 5
Selected Answer: A
Question #: 52
Topic #: 4
You have a hybrid environment that uses ExpressRoute to connect an on-premises network and Azure.
You need to log the uptime and the latency of the connection periodically by using an Azure virtual machine and an on-premises virtual machine.
What should you use?
A. Azure Monitor
B. IP flow verify
C. Connection Monitor
D. Azure Internet Analyzer
Selected Answer: C
Question #: 53
Topic #: 2
DRAG DROP –
You have an Azure subscription that contains the resources shown in the following table.
The IP Addresses settings for Vnet1 are configured as shown in the exhibit.
You need to ensure that you can integrate WebApp1 and Vnet1.
Which three actions should you perform in sequence before you can integrate WebApp1 and Vnet1? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Select and Place:
Suggestion Answer:
Question #: 54
Topic #: 5
DRAG DROP –
You have two Azure subscriptions named Subscription1 and Subscription2. Subscription1 contains a virtual network named Vnet1. Vnet1 contains an application server. Subscription2 contains a virtual network named Vnet2.
You need to provide the virtual machines in Vnet2 with access to the application server in Vnet1 by using a private endpoint.
Which four actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Select and Place:
Suggestion Answer:
Question #: 55
Topic #: 1
Your company has offices in New York and Amsterdam. The company has an Azure subscription. Both offices connect to Azure by using a Site-to-Site VPN connection.
The office in Amsterdam uses resources in the North Europe Azure region. The office in New York uses resources in the East US Azure region.
You need to implement ExpressRoute circuits to connect each office to the nearest Azure region. Once the ExpressRoute circuits are connected, the on-premises computers in the Amsterdam office must be able to connect to the on-premises servers in the New York office by using the ExpressRoute circuits.
Which ExpressRoute option should you use?
A. ExpressRoute FastPath
B. ExpressRoute Global Reach
C. ExpressRoute Direct
D. ExpressRoute Local
Selected Answer: B
Question #: 56
Topic #: 3
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure application gateway that has Azure Web Application Firewall (WAF) enabled.
You configure the application gateway to direct traffic to the URL of the application gateway.
You attempt to access the URL and receive an HTTP 403 error. You view the diagnostics log and discover the following error.
You need to ensure that the URL is accessible through the application gateway.
Solution: You disable the WAF rule that has a ruleId 920300.
Does this meet the goal?
A. Yes
B. No
Selected Answer: A
Question #: 57
Topic #: 4
HOTSPOT –
You have an Azure application gateway named AppGW1 that provides access to the following hosts:
✑ www.adatum.com
✑ www.contoso.com
✑ www.fabrikam.com
AppGW1 has the listeners shown in the following table.
You create Azure Web Application Firewall (WAF) policies for AppGW1 as shown in the following table.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Suggestion Answer:
Question #: 58
Topic #: 2
DRAG DROP –
You have Azure virtual networks named Hub1 and Spoke1. Hub1 connects to an on-premises network by using a Site-to-Site VPN connection.
You are implementing peering between Hub1 and Spoke1.
You need to ensure that a virtual machine connected to Spoke1 can connect to the on-premises network through Hub1.
How should you complete the PowerShell script? To answer, drag the appropriate values to the correct targets. Each value may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
Select and Place:
Suggestion Answer:
Question #: 59
Topic #: 1
HOTSPOT –
You have an Azure subscription that contains a single virtual network and a virtual network gateway.
You need to ensure that administrators can use Point-to-Site (P2S) VPN connections to access resources in the virtual network. The connections must be authenticated by Azure Active Directory (Azure AD).
What should you configure? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Suggestion Answer:
Question #: 60
Topic #: 5
You have an Azure subscription that is linked to an Azure Active Directory (Azure AD) tenant named contoso.onmicrosoft.com. The subscription contains the following resources:
✑ A virtual network named Vnet1
✑ An App Service plan named ASP1
✑ An Azure App Service named webapp1
✑ An Azure private DNS zone named private.contoso.com
✑ Virtual machines on Vnet1 that cannot communicate outside the virtual network
You need to ensure that the virtual machines on Vnet1 can access webapp1 by using a URL of https://www.private.contoso.com.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. Create a CNAME record that maps www.private.contoso.com to webapp1.contoso.onmicrosoft.com.
B. Create a CNAME record that maps www.private.contoso.com to webapp1.private.contoso.com.
C. Create a service endpoint for webapp1.
D. Register an enterprise application in Azure AD for webapp1.
E. Create a private endpoint for webapp1.
F. Create a CNAME record that maps www.private.contoso.com to webapp1.privatelink.azurewebsites.net.
Selected Answer: EF
Question #: 61
Topic #: 3
You have an Azure subscription that contains an Azure App Service app. The app uses a URL of https://www.contoso.com.
You need to use a custom domain on Azure Front Door for www.contoso.com. The custom domain must use a certificate from an allowed certification authority (CA).
What should you include in the solution?
A. an enterprise application in Azure Active Directory (Azure AD)
B. Active Directory Certificate Services (AD CS)
C. Azure Key Vault
D. Azure Application Gateway
Selected Answer: C
Question #: 62
Topic #: 2
DRAG DROP –
You have three on-premises sites. Each site has a third-party VPN device.
You have an Azure virtual WAN named VWAN1 that has a hub named Hub1. Hub1 connects two of the three on-premises sites by using a Site-to-Site VPN connection.
You need to connect the third site to the other two sites by using Hub1.
Which four actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Select and Place:
Suggestion Answer:
Question #: 63
Topic #: 1
HOTSPOT –
You have the hybrid network shown in the Network Diagram exhibit.
You have a peering connection between Vnet1 and Vnet2 as shown in the Peering-Vnet1-Vnet2 exhibit.
You have a peering connection between Vnet1 and Vnet3 as shown in the Peering-Vnet1-Vnet3 exhibit.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Suggestion Answer:
Question #: 64
Topic #: 4
You have an Azure virtual network that contains a subnet named Subnet1. Subnet1 is associated to a network security group (NSG) named NSG1. NSG1 blocks all outbound traffic that is not allowed explicitly.
Subnet1 contains virtual machines that must communicate with the Azure Cosmos DB service.
You need to create an outbound security rule in NSG1 to enable the virtual machines to connect to Azure Cosmos DB.
What should you include in the solution?
A. a service tag
B. a service endpoint policy
C. a subnet delegation
D. an application security group
Selected Answer: B
Question #: 65
Topic #: 3
You have an Azure application gateway for a web app named App1. The application gateway allows end-to-end encryption.
You configure the listener for HTTPS by uploading an enterprise-signed certificate.
You need to ensure that the application gateway can provide end-to-end encryption for App1.
What should you do?
A. Increase the Unhealthy threshold setting in the custom probe.
B. Enable the SSL profile to the listener.
C. Set Listener type to Multi site.
D. Upload the public key certificate to the HTTP settings.
Selected Answer: D
Question #: 66
Topic #: 5
You have an Azure Front Door instance named FD1 that is protected by using Azure Web Application Firewall (WAF).
FD1 uses a frontend host named app1.contoso.com to provide access to Azure web apps hosted in the East US Azure region and the West US Azure region.
You need to configure FD1 to block requests to app1.contoso.com from all countries other than the United States.
What should you include in the WAF policy?
A. a custom rule that uses a match rule
B. a frontend host association
C. a custom rule that uses a rate limit rule
D. a managed rule set
Selected Answer: A
Question #: 67
Topic #: 1
HOTSPOT –
You have the Azure environment shown in the exhibit.
You have virtual network peering between Vnet1 and Vnet2. You have virtual network peering between Vnet4 and Vnet5. The virtual network peering is configured as shown in the following table.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Hot Area:
Suggestion Answer:
Question #: 68
Topic #: 3
HOTSPOT –
You have an Azure virtual network named Vnet1 that contains two subnets named Subnet1 and Subnet2.
You have the NAT gateway shown in the NATgateway1 exhibit.
You have the virtual machine shown in the VM1 exhibit.
Subnet1 is configured as shown in the Subnet1 exhibit.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Suggestion Answer:
Question #: 69
Topic #: 2
HOTSPOT –
You are planning an Azure solution that will contain the following types of resources in a single Azure region:
✑ Virtual machine
✑ Azure App Service
✑ Virtual Network gateway
✑ Azure SQL Managed Instance
App Service and SQL Managed Instance will be delegated to create resources in virtual networks.
You need to identify how many virtual networks and subnets are required for the solution. The solution must minimize costs to transfer data between virtual networks.
What should you identify? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Suggestion Answer:
Question #: 70
Topic #: 4
Your company has offices in Montreal, Seattle, and Paris. The outbound traffic from each office originates from a specific public IP address.
You create an Azure Front Door instance named FD1 that has Azure Web Application Firewall (WAF) enabled. You configure a WAF policy named Policy1 that has a rule named Rule1. Rule1 applies a rate limit of 100 requests for traffic that originates from the office in Montreal.
You need to apply a rate limit of 100 requests for traffic that originates from each office.
What should you do?
A. Modify the rate limit threshold of Rule1.
B. Create two additional associations.
C. Modify the conditions of Rule1.
D. Modify the rule type of Rule1.
Selected Answer: C
Question #: 71
Topic #: 5
You are planning the IP addressing for the subnets in Azure virtual networks.
Which type of resource requires IP addresses in the subnets?
A. Azure DDoS Protection for virtual networks
B. private endpoints
C. Azure Virtual Network NAT
D. service endpoint policies
Selected Answer: B
Question #: 72
Topic #: 1
HOTSPOT –
You have on-premises datacenters in New York and Seattle.
You have an Azure subscription that contains the ExpressRoute circuits shown in the following table.
You need to ensure that all the data sent between the datacenters is routed via the ExpressRoute circuits. The solution must minimize costs.
How should you configure the network? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Suggestion Answer:
Question #: 73
Topic #: 4
You have an Azure virtual network named Vnet1.
You need to ensure that the virtual machines in Vnet1 can access only the Azure SQL resources in the East US Azure region. The virtual machines must be prevented from accessing any Azure Storage resources.
Which two outbound network security group (NSG) rules should you create? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. a deny rule that has a source of VirtualNetwork and a destination of Sql
B. an allow rule that has the IP address range of Vnet1 as the source and destination of Sql.EastUS
C. a deny rule that has a source of VirtualNetwork and a destination of 168.63.129.0/24
D. a deny rule that has the IP address range of Vnet1 as the source and destination of Storage
Selected Answer: BD
Question #: 74
Topic #: 5
You have an Azure subscription that contains the resources shown in the following table.
You need to ensure that the apps hosted on VM1 can resolve the IP address of the private endpoint for azsql1.database.windows.net.
What should you create first?
A. a public DNS zone named database.windows.net
B. a private DNS zone named database.windows.net
C. a public DNS zone named privatelink.database.windows.net
D. a private DNS zone named privatelink.database.windows.net
Selected Answer: D
Question #: 75
Topic #: 3
You have an Azure application gateway named AppGW1 that balances requests to a web app named App1.
You need to modify the server variables in the response header of App1.
What should you configure on AppGW1?
A. HTTP settings
B. rewrites
C. rules
D. listeners
Selected Answer: B
Question #: 76
Topic #: 2
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have two Azure virtual networks named Vnet1 and Vnet2.
You have a Windows 10 device named Client1 that connects to Vnet1 by using a Point-to-Site (P2S) IKEv2 VPN.
You implement virtual network peering between Vnet1 and Vnet2. Vnet1 allows gateway transit. Vnet2 can use the remote gateway.
You discover that Client1 cannot communicate with Vnet2.
You need to ensure that Client1 can communicate with Vnet2.
Solution: You download and reinstall the VPN client configuration.
Does this meet the goal?
A. Yes
B. No
Selected Answer: A
Question #: 77
Topic #: 5
You have an Azure subscription that contains the resources shown in the following table.
You need to ensure that VM1 and VM2 can connect only to storage1. The solution must meet the following requirements:
✑ Prevent VM1 and VM2 from accessing any other storage accounts
✑ Ensure that storage1 is accessible from the internet
What should you use?
A. a network security group (NSG)
B. a service endpoint policy
C. a private link
D. a private endpoint
Selected Answer: B
Question #: 78
Topic #: 4
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription that contains the following resources:
✑ A virtual network named Vnet1
✑ A subnet named Subnet1 in Vnet1
✑ A virtual machine named VM1 that connects to Subnet1
✑ Three storage accounts named storage1, storage2, and storage3
You need to ensure that VM1 can access storage1. VM1 must be prevented from accessing any other storage accounts.
Solution: You configure the firewall on storage1 to only accept connections from Vnet1.
Does this meet the goal?
A. Yes
B. No
Selected Answer: B
Question #: 79
Topic #: 1
You have an Azure virtual network named Vnet1 and an on-premises network. The on-premises network has policy-based VPN devices.
In Vnet1, you deploy a virtual network gateway named GW1 that uses a SKU of VpnGw1 and is route-based.
You have a Site-to-Site VPN connection for GW1 as shown in the following exhibit.
You need to ensure that the on-premises network can connect to the route-based GW1.
What should you do before you create the connection?
A. Set Connection Mode to ResponderOnly.
B. Set BGP to Enabled.
C. Set Use Azure Private IP Address to Enabled.
D. Set IPsec / IKE policy to Custom.
Selected Answer: D
Question #: 80
Topic #: 3
You have an Azure Virtual Desktop deployment that has 500 session hosts.
All outbound traffic to the internet uses a NAT gateway.
During peak business hours, some users report that they cannot access internet resources. In Azure Monitor, you discover many failed SNAT connections.
You need to increase the available SNAT connections.
What should you do?
A. Bind the NAT gateway to another subnet.
B. Add a public IP address.
C. Deploy Azure Standard Load Balancer that has outbound rules.
Selected Answer: B