AZ-700: Designing and Implementing Microsoft Azure Networking Solutions Topic 1
Question #: 1
Topic #: 1
Your company has a single on-premises datacenter in Washington DC. The East US Azure region has a peering location in Washington DC.
The company only has Azure resources in the East US region.
You need to implement ExpressRoute to support up to 1 Gbps. You must use only ExpressRoute Unlimited data plans. The solution must minimize costs.
Which type of ExpressRoute circuits should you create?
A. ExpressRoute Local
B. ExpressRoute Direct
C. ExpressRoute Premium
D. ExpressRoute Standard
Selected Answer: A
Question #: 1
Topic #: 5
You have the Azure resources shown in the following table.
You configure storage1 to provide access to the subnet in Vnet1 by using a service endpoint.
You need to ensure that you can use the service endpoint to connect to the read-only endpoint of storage1 in the paired Azure region.
What should you do first?
A. Fail over storage1 to the paired Azure region.
B. Configure the firewall settings for storage1.
C. Create a virtual network in the paired Azure region.
D. Create another service endpoint.
Selected Answer: C
Question #: 1
Topic #: 11
You need to configure the default route on Vnet2 and Vnet3. The solution must meet the virtual networking requirements.
What should you use to configure the default route?
A. route filters
B. BGP route exchange
C. a user-defined route assigned to GatewaySubnet in Vnet1
D. a user-defined route assigned to GatewaySubnet in Vnet2 and Vnet3
Selected Answer: B
Question #: 1
Topic #: 3
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure application gateway that has Azure Web Application Firewall (WAF) enabled.
You configure the application gateway to direct traffic to the URL of the application gateway.
You attempt to access the URL and receive an HTTP 403 error. You view the diagnostics log and discover the following error.
You need to ensure that the URL is accessible through the application gateway from any IP address.
Solution: You configure a custom cookie and an exclusion rule.
Does this meet the goal?
A. Yes
B. No
Selected Answer: B
Question #: 1
Topic #: 8
You need to configure GW1 to meet the network security requirements for the P2S VPN users.
Which Tunnel type should you select in the Point-to-site configuration settings of GW1?
A. IKEv2 and OpenVPN (SSL)
B. IKEv2
C. IKEv2 and SSTP (SSL)
D. OpenVPN (SSL)
E. SSTP (SSL)
Selected Answer: D
Question #: 1
Topic #: 4
You have an Azure virtual machine named VM1.
You need to capture all the network traffic of VM1 by using Azure Network Watcher.
To which locations can the capture be written?
A. blob storage only
B. blob storage, a file path on VM1, and a premium storage account
C. a file path on VM1 only
D. blob storage and a file path on VM1 only
E. blob storage and a premium storage account only
F. a premium storage account only
Selected Answer: D
Question #: 1
Topic #: 2
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have two Azure virtual networks named Vnet1 and Vnet2.
You have a Windows 10 device named Client1 that connects to Vnet1 by using a Point-to-Site (P2S) IKEv2 VPN.
You implement virtual network peering between Vnet1 and Vnet2. Vnet1 allows gateway transit. Vnet2 can use the remote gateway.
You discover that Client1 cannot communicate with Vnet2.
You need to ensure that Client1 can communicate with Vnet2.
Solution: You reset the gateway of Vnet1.
Does this meet the goal?
A. Yes
B. No
Selected Answer: B
Question #: 1
Topic #: 7
You need to provide access to storage1. The solution must meet the PaaS networking requirements and the business requirements.
What should you include in the solution?
A. a private endpoint
B. Azure Traffic Manager
C. Azure Front Door
D. a service endpoint
Selected Answer: A
Question #: 2
Topic #: 1
You are planning an Azure Point-to-Site (P2S) VPN that will use OpenVPN.
Users will authenticate by an on-premises Active Directory domain.
Which additional service should you deploy to support the VPN authentication?
A. an Azure key vault
B. a RADIUS server
C. a certification authority
D. Azure Active Directory (Azure AD) Application Proxy
Selected Answer: B
Question #: 2
Topic #: 7
You need to provide access to storage2. The solution must meet the PaaS networking requirements and the business requirements.
Which connectivity method should you use?
A. a private endpoint
B. Azure Firewall
C. Azure Front Door
D. a service endpoint
Selected Answer: A
Question #: 2
Topic #: 4
You have an Azure virtual network that contains the subnets shown in the following table.
You deploy an Azure firewall to AzureFirewallSubnet. You route all traffic from Subnet2 through the firewall.
You need to ensure that all the hosts on Subnet2 can access an external site located at https://*.contoso.com.
What should you do?
A. In a firewall policy, create a DNAT rule.
B. Create a network security group (NSG) and associate the NSG to Subnet2.
C. In a firewall policy, create a network rule.
D. In a firewall policy, create an application rule.
Selected Answer: D
Question #: 2
Topic #: 2
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have two Azure virtual networks named Vnet1 and Vnet2.
You have a Windows 10 device named Client1 that connects to Vnet1 by using a Point-to-Site (P2S) IKEv2 VPN.
You implement virtual network peering between Vnet1 and Vnet2. Vnet1 allows gateway transit. Vnet2 can use the remote gateway.
You discover that Client1 cannot communicate with Vnet2.
You need to ensure that Client1 can communicate with Vnet2.
Solution: You enable BGP on the gateway of Vnet1.
Does this meet the goal?
A. Yes
B. No
Selected Answer: B
Question #: 2
Topic #: 9
You need to connect Vnet2 and Vnet3. The solution must meet the virtual networking requirements and the business requirements.
Which two actions should you include in the solution? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. On the peering from Vnet1, select Allow gateway transit.
B. On the peerings from Vnet2 and Vnet3, select Use remote gateways.
C. On the peerings from Vnet2 and Vnet3, select Allow gateway transit.
D. On the peering from Vnet1, select Use remote gateways.
E. On the peering from Vnet1, select Allow forwarded traffic.
Selected Answer: BE
Question #: 3
Topic #: 10
What should you implement to meet the virtual network requirements for the virtual machines that connect to Vnet4 and Vnet5?
A. a private endpoint
B. a routing table
C. a service endpoint
D. a private link service
E. a virtual network peering
Selected Answer: E
Question #: 3
Topic #: 4
You have an Azure Web Application Firewall (WAF) policy in prevention mode that is associated to an Azure Front Door instance.
You need to configure the policy to meet the following requirements:
✑ Log all connections from Australia.
✑ Deny all connections from New Zealand.
✑ Deny all further connections from a network of 131.107.100.0/24 if there are more than 100 connections during one minute.
What is the minimum number of objects you should create?
A. three custom rules that each has one condition
B. one custom rule that has three conditions
C. one custom rule that has one condition
D. one rule that has two conditions and another rule that has one condition
Selected Answer: A
Question #: 3
Topic #: 1
You plan to configure BGP for a Site-to-Site VPN connection between a datacenter and Azure.
Which two Azure resources should you configure? Each correct answer presents a part of the solution. (Choose two.)
NOTE: Each correct selection is worth one point.
A. a virtual network gateway
B. Azure Application Gateway
C. Azure Firewall
D. a local network gateway
E. Azure Front Door
Selected Answer: AD
Question #: 3
Topic #: 3
You have an Azure subscription that contains the public IP addresses shown in the following table.
You plan to deploy a NAT gateway named NAT1.
Which public IP addresses can be used as the public IP address for NAT1?
A. IP3 only
B. IP5 only
C. IP2 and IP4 only
D. IP1, IP3 and IP5 only
E. IP3 and IP5 only
Selected Answer: A
Question #: 4
Topic #: 1
You fail to establish a Site-to-Site VPN connection between your company’s main office and an Azure virtual network.
You need to troubleshoot what prevents you from establishing the IPsec tunnel.
Which diagnostic log should you review?
A. IKEDiagnosticLog
B. RouteDiagnosticLog
C. GatewayDiagnosticLog
D. TunnelDiagnosticLog
Selected Answer: A
Question #: 4
Topic #: 4
You have an Azure subscription that contains multiple virtual machines in the West US Azure region.
You need to use Traffic Analytics.
Which two resources should you create? Each correct answer presents part of the solution. (Choose two.)
NOTE: Each correct answer selection is worth one point.
A. an Azure Monitor workbook
B. a Log Analytics workspace
C. a storage account
D. an Azure Sentinel workspace
E. an Azure Monitor data collection rule
Selected Answer: BC
Question #: 4
Topic #: 2
You plan to deploy an Azure virtual network.
You need to design the subnets.
Which three types of resources require a dedicated subnet? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.
A. Azure Bastion
B. Azure Active Directory Domain Services (Azure AD DS)
C. Azure Private Link
D. Azure Application Gateway v2
E. VPN gateway
Selected Answer: ADE
Question #: 4
Topic #: 3
You have an Azure application gateway named AGW1 that has a routing rule named Rule1. Rule1 directs traffic for http://www.contoso.com to a backend pool named Pool1. Pool1 targets an Azure virtual machine scale set named VMSS1.
You deploy another virtual machine scale set named VMSS2.
You need to configure AGW1 to direct all traffic for http://www.adatum.com to VMSS2.
The solution must ensure that requests to http://www.contoso.com continue to be directed to Pool1.
Which three actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. Add a backend pool.
B. Modify an HTTP setting.
C. Add an HTTP setting.
D. Add a listener.
E. Add a rule.
Selected Answer: ADE
Question #: 4
Topic #: 5
You have an Azure virtual network named Vnet1 that has one subnet. Vnet1 is in the West Europe region.
You deploy an Azure App Service app named App1 to the West Europe region.
You need to provide App1 with access to the resources in Vnet1. The solution must minimize costs.
What should you do first?
A. Create a private link.
B. Create a new subnet.
C. Create a NAT gateway.
D. Create a gateway subnet and deploy a virtual network gateway.
Selected Answer: B
Question #: 5
Topic #: 5
You have an Azure subscription that is linked to an Azure Active Directory (Azure AD) tenant named contoso.onmicrosoft.com. The subscription contains the following resources:
✑ An Azure App Service app named App1
✑ An Azure DNS zone named contoso.com
✑ An Azure private DNS zone named private.contoso.com
✑ A virtual network named Vnet1
You create a private endpoint for App1. The record for the endpoint is registered automatically in Azure DNS.
You need to provide a developer with the name that is registered in Azure DNS for the private endpoint.
What should you provide?
A. app1.contoso.onmicrosoft.com
B. app1.private.contoso.com
C. app1.privatelink.azurewebsites.net
D. app1.contoso.com
Selected Answer: C
Question #: 5
Topic #: 1
You have an Azure virtual network and an on-premises datacenter.
You are planning a Site-to-Site VPN connection between the datacenter and the virtual network.
Which two resources should you include in your plan? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. a user-defined route
B. a virtual network gateway
C. Azure Firewall
D. Azure Web Application Firewall (WAF)
E. an on-premises data gateway
F. an Azure application gateway
G. a local network gateway
Selected Answer: BG
Question #: 6
Topic #: 5
You have Azure App Service apps in the West US Azure region as shown in the following table.
You need to ensure that all the apps can access the resources in a virtual network named VNet1 without forwarding traffic through the internet.
How many integration subnets should you create?
A. 0
B. 1
C. 3
D. 4
E. 6
Selected Answer: C
Question #: 6
Topic #: 3
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure application gateway that has Azure Web Application Firewall (WAF) enabled.
You configure the application gateway to direct traffic to the URL of the application gateway.
You attempt to access the URL and receive an HTTP 403 error. You view the diagnostics log and discover the following error.
You need to ensure that the URL is accessible through the application gateway from any IP address.
Solution: You add a rewrite rule for the host header.
Does this meet the goal?
A. Yes
B. No
Selected Answer: B
Question #: 7
Topic #: 1
Your company has an on-premises network and three Azure subscriptions named Subscription1, Subscription2, and Subscription3.
The departments at the company use the Azure subscriptions as shown in the following table.
All the resources in the subscriptions are in either the West US Azure region or the West US 2 Azure region.
You plan to connect all the subscriptions to the on-premises network by using ExpressRoute.
What is the minimum number of ExpressRoute circuits required?
A. 1
B. 2
C. 3
D. 4
E. 5
Selected Answer: A
Question #: 7
Topic #: 4
You have a hybrid environment that uses ExpressRoute to connect an on-premises network and Azure.
You need to log the uptime and the latency of the connection periodically by using an Azure virtual machine and an on-premises virtual machine.
What should you use?
A. Azure Monitor
B. IP flow verify
C. Connection Monitor
D. Azure Internet Analyzer
Selected Answer: C
Question #: 8
Topic #: 4
You have an Azure subscription that contains the following resources:
✑ A virtual network named Vnet1
✑ Two subnets named Subnet1 and AzureFirewallSubnet
✑ A public Azure Firewall named FW1
✑ A route table named RT1 that is associated to Subnet1
✑ A rule routing of 0.0.0.0/0 to FW1 in RT1
After deploying 10 servers that run Windows Server to Subnet1, you discover that none of the virtual machines were activated.
You need to ensure that the virtual machines can be activated.
What should you do?
A. On FW1, create an outbound service tag rule for AzureCloud.
B. On FW1, create an outbound network rule that allows traffic to the Azure Key Management Service (KMS).
C. Deploy a NAT gateway.
D. To Subnet1, associate a network security group (NSG) that allows outbound access to port 1688.
Selected Answer: B
Question #: 8
Topic #: 1
Your company has offices in New York and Amsterdam. The company has an Azure subscription. Both offices connect to Azure by using a Site-to-Site VPN connection.
The office in Amsterdam uses resources in the North Europe Azure region. The office in New York uses resources in the East US Azure region.
You need to implement ExpressRoute circuits to connect each office to the nearest Azure region. Once the ExpressRoute circuits are connected, the on-premises computers in the Amsterdam office must be able to connect to the on-premises servers in the New York office by using the ExpressRoute circuits.
Which ExpressRoute option should you use?
A. ExpressRoute FastPath
B. ExpressRoute Global Reach
C. ExpressRoute Direct
D. ExpressRoute Local
Selected Answer: B
Question #: 8
Topic #: 3
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure application gateway that has Azure Web Application Firewall (WAF) enabled.
You configure the application gateway to direct traffic to the URL of the application gateway.
You attempt to access the URL and receive an HTTP 403 error. You view the diagnostics log and discover the following error.
You need to ensure that the URL is accessible through the application gateway.
Solution: You disable the WAF rule that has a ruleId 920300.
Does this meet the goal?
A. Yes
B. No
Selected Answer: A
Question #: 9
Topic #: 5
You have an Azure subscription that is linked to an Azure Active Directory (Azure AD) tenant named contoso.onmicrosoft.com. The subscription contains the following resources:
✑ A virtual network named Vnet1
✑ An App Service plan named ASP1
✑ An Azure App Service named webapp1
✑ An Azure private DNS zone named private.contoso.com
✑ Virtual machines on Vnet1 that cannot communicate outside the virtual network
You need to ensure that the virtual machines on Vnet1 can access webapp1 by using a URL of https://www.private.contoso.com.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. Create a CNAME record that maps www.private.contoso.com to webapp1.contoso.onmicrosoft.com.
B. Create a CNAME record that maps www.private.contoso.com to webapp1.private.contoso.com.
C. Create a service endpoint for webapp1.
D. Register an enterprise application in Azure AD for webapp1.
E. Create a private endpoint for webapp1.
F. Create a CNAME record that maps www.private.contoso.com to webapp1.privatelink.azurewebsites.net.
Selected Answer: EF
Question #: 9
Topic #: 3
You have an Azure subscription that contains an Azure App Service app. The app uses a URL of https://www.contoso.com.
You need to use a custom domain on Azure Front Door for www.contoso.com. The custom domain must use a certificate from an allowed certification authority (CA).
What should you include in the solution?
A. an enterprise application in Azure Active Directory (Azure AD)
B. Active Directory Certificate Services (AD CS)
C. Azure Key Vault
D. Azure Application Gateway
Selected Answer: C
Question #: 10
Topic #: 4
You have an Azure virtual network that contains a subnet named Subnet1. Subnet1 is associated to a network security group (NSG) named NSG1. NSG1 blocks all outbound traffic that is not allowed explicitly.
Subnet1 contains virtual machines that must communicate with the Azure Cosmos DB service.
You need to create an outbound security rule in NSG1 to enable the virtual machines to connect to Azure Cosmos DB.
What should you include in the solution?
A. a service tag
B. a service endpoint policy
C. a subnet delegation
D. an application security group
Selected Answer: A
Question #: 10
Topic #: 3
You have an Azure application gateway for a web app named App1. The application gateway allows end-to-end encryption.
You configure the listener for HTTPS by uploading an enterprise-signed certificate.
You need to ensure that the application gateway can provide end-to-end encryption for App1.
What should you do?
A. Increase the Unhealthy threshold setting in the custom probe.
B. Enable the SSL profile to the listener.
C. Set Listener type to Multi site.
D. Upload the public key certificate to the HTTP settings.
Selected Answer: D
Question #: 10
Topic #: 5
You have an Azure Front Door instance named FD1 that is protected by using Azure Web Application Firewall (WAF).
FD1 uses a frontend host named app1.contoso.com to provide access to Azure web apps hosted in the East US Azure region and the West US Azure region.
You need to configure FD1 to block requests to app1.contoso.com from all countries other than the United States.
What should you include in the WAF policy?
A. a custom rule that uses a match rule
B. a frontend host association
C. a custom rule that uses a rate limit rule
D. a managed rule set
Selected Answer: A
Question #: 11
Topic #: 4
Your company has offices in Montreal, Seattle, and Paris. The outbound traffic from each office originates from a specific public IP address.
You create an Azure Front Door instance named FD1 that has Azure Web Application Firewall (WAF) enabled. You configure a WAF policy named Policy1 that has a rule named Rule1. Rule1 applies a rate limit of 100 requests for traffic that originates from the office in Montreal.
You need to apply a rate limit of 100 requests for traffic that originates from each office.
What should you do?
A. Modify the rate limit threshold of Rule1.
B. Create two additional associations.
C. Modify the conditions of Rule1.
D. Modify the rule type of Rule1.
Selected Answer: C
Question #: 11
Topic #: 5
You are planning the IP addressing for the subnets in Azure virtual networks.
Which type of resource requires IP addresses in the subnets?
A. Azure DDoS Protection for virtual networks
B. private endpoints
C. Azure Virtual Network NAT
D. service endpoint policies
Selected Answer: B
Question #: 12
Topic #: 2
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have two Azure virtual networks named Vnet1 and Vnet2.
You have a Windows 10 device named Client1 that connects to Vnet1 by using a Point-to-Site (P2S) IKEv2 VPN.
You implement virtual network peering between Vnet1 and Vnet2. Vnet1 allows gateway transit. Vnet2 can use the remote gateway.
You discover that Client1 cannot communicate with Vnet2.
You need to ensure that Client1 can communicate with Vnet2.
Solution: You download and reinstall the VPN client configuration.
Does this meet the goal?
A. Yes
B. No
Selected Answer: A
Question #: 12
Topic #: 4
You have an Azure virtual network named Vnet1.
You need to ensure that the virtual machines in Vnet1 can access only the Azure SQL resources in the East US Azure region. The virtual machines must be prevented from accessing any Azure Storage resources.
Which two outbound network security group (NSG) rules should you create? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. a deny rule that has a source of VirtualNetwork and a destination of Sql
B. an allow rule that has the IP address range of Vnet1 as the source and destination of Sql.EastUS
C. a deny rule that has a source of VirtualNetwork and a destination of 168.63.129.0/24
D. a deny rule that has the IP address range of Vnet1 as the source and destination of Storage
Selected Answer: BD
Question #: 12
Topic #: 5
You have an Azure subscription that contains the resources shown in the following table.
You need to ensure that the apps hosted on VM1 can resolve the IP address of the private endpoint for azsql1.database.windows.net.
What should you create first?
A. a public DNS zone named database.windows.net
B. a private DNS zone named database.windows.net
C. a public DNS zone named privatelink.database.windows.net
D. a private DNS zone named privatelink.database.windows.net
Selected Answer: D
Question #: 12
Topic #: 3
You have an Azure application gateway named AppGW1 that balances requests to a web app named App1.
You need to modify the server variables in the response header of App1.
What should you configure on AppGW1?
A. HTTP settings
B. rewrites
C. rules
D. listeners
Selected Answer: B
Question #: 13
Topic #: 5
You have an Azure subscription that contains the resources shown in the following table.
You need to ensure that VM1 and VM2 can connect only to storage1. The solution must meet the following requirements:
• Prevent VM1 and VM2 from accessing any other storage accounts
• Ensure that storage1 is accessible from the internet.
What should you use?
A. a network security group (NSG)
B. a service endpoint policy
C. a private link
D. a private endpoint
Selected Answer: B
Question #: 13
Topic #: 4
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription that contains the following resources:
✑ A virtual network named Vnet1
✑ A subnet named Subnet1 in Vnet1
✑ A virtual machine named VM1 that connects to Subnet1
✑ Three storage accounts named storage1, storage2, and storage3
You need to ensure that VM1 can access storage1. VM1 must be prevented from accessing any other storage accounts.
Solution: You configure the firewall on storage1 to only accept connections from Vnet1.
Does this meet the goal?
A. Yes
B. No
Selected Answer: B
Question #: 13
Topic #: 1
You have an Azure virtual network named Vnet1 and an on-premises network. The on-premises network has policy-based VPN devices.
In Vnet1, you deploy a virtual network gateway named GW1 that uses a SKU of VpnGw1 and is route-based.
You have a Site-to-Site VPN connection for GW1 as shown in the following exhibit.
You need to ensure that the on-premises network can connect to the route-based GW1.
What should you do before you create the connection?
A. Set Connection Mode to ResponderOnly.
B. Set BGP to Enabled.
C. Set Use Azure Private IP Address to Enabled.
D. Set IPsec / IKE policy to Custom.
Selected Answer: D
Question #: 13
Topic #: 3
You have an Azure Virtual Desktop deployment that has 500 session hosts.
All outbound traffic to the internet uses a NAT gateway.
During peak business hours, some users report that they cannot access internet resources. In Azure Monitor, you discover many failed SNAT connections.
You need to increase the available SNAT connections.
What should you do?
A. Bind the NAT gateway to another subnet.
B. Add a public IP address.
C. Deploy Azure Standard Load Balancer that has outbound rules.
Selected Answer: B
Question #: 13
Topic #: 2
You have an Azure virtual network named Vnet1 that hosts an Azure firewall named FW1 and 150 virtual machines. Vnet1 is linked to a private DNS zone named contoso.com. All the virtual machines have their name registered in the contoso.com zone.
Vnet1 connects to an on-premises datacenter by using ExpressRoute.
You need to ensure that on-premises DNS servers can resolve the names in the contoso.com zone.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. Modify the DNS server settings of Vnet1.
B. For FW1, configure a custom DNS server.
C. For FW1, enable DNS proxy.
D. On the on-premises DNS servers, configure forwarders that point to the frontend IP address of FW1.
E. On the on-premises DNS servers, configure forwarders that point to the Azure provided DNS service at 168.63.129.16.
Selected Answer: CD
Question #: 14
Topic #: 3
You have an Azure subscription that contains the public IPv4 addresses shown in the following table.
You plan to create a load balancer named LB1 that will have the following settings:
✑ Name: LB1
✑ Location: West US
✑ Type: Public
✑ SKU: Standard
Which public IPv4 addresses can be used by LB1?
A. IP1, IP3, IP4, and IP5 only
B. IP3 only
C. IP1 and IP3 only
D. IP2 only
E. IP1, IP2, IP3, IP4, and IP5
F. IP3 and IP5 only
Selected Answer: B
Question #: 14
Topic #: 4
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription that contains the following resources:
✑ A virtual network named Vnet1
✑ A subnet named Subnet1 in Vnet1
✑ A virtual machine named VM1 that connects to Subnet1
✑ Three storage accounts named storage1, storage2, and storage3
You need to ensure that VM1 can access storage1. VM1 must be prevented from accessing any other storage accounts.
Solution: You create a network security group (NSG) and associate the NSG to Subnet1.
Does this meet the goal?
A. Yes
B. No
Selected Answer: B
Question #: 14
Topic #: 2
You are planning the IP addressing for the subnets in Azure virtual networks.
Which type of resource requires IP addresses in the subnets?
A. internal load balancers
B. storage account
C. Azure Virtual Network NAT
D. service endpoint policies
Selected Answer: A
Question #: 15
Topic #: 4
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription that contains the following resources:
✑ A virtual network named Vnet1
✑ A subnet named Subnet1 in Vnet1
✑ A virtual machine named VM1 that connects to Subnet1
✑ Three storage accounts named storage1, storage2, and storage3
You need to ensure that VM1 can access storage1. VM1 must be prevented from accessing any other storage accounts.
Solution: You create a network security group (NSG). You configure a service tag for Microsoft.Storage and link the tag to Subnet1.
Does this meet the goal?
A. Yes
B. No
Selected Answer: B
Question #: 15
Topic #: 3
You have the Azure environment shown in the exhibit.
VM1 is a virtual machine that has an instance-level public IP address (ILPIP).
Basic Load Balancer uses a public IP address. VM1 and VM2 are in the backend pool.
NAT Gateway uses a public IP address named IP3 that is associated to SubnetA.
VNet1 has a virtual network gateway that has a public IP address named IP4.
When initiating outbound traffic to the internet from VM1, which public address is used?
A. IP1
B. IP2
C. IP3
D. IP4
Selected Answer: C
Question #: 16
Topic #: 4
You need to use Traffic Analytics to monitor the usage of applications deployed to Azure virtual machines.
Which Azure Network Watcher feature should you implement first?
A. NSG flow logs
B. IP flow verify
C. Connection monitor
D. Packet capture
Selected Answer: A
Question #: 16
Topic #: 1
You are planning an Azure deployment that will contain three virtual networks in the East US Azure region as shown in the following table.
A Site-to-Site VPN will connect Vnet1 to your company’s on-premises network.
You need to recommend a solution that ensures that the virtual machines on all the virtual networks can communicate with the on-premises network. The solution must minimize costs.
What should you recommend for Vnet2 and Vnet3?
A. VNet-to-VNet VPN connections
B. peering
C. service endpoints
D. route tables
Selected Answer: B
Question #: 16
Topic #: 3
You are configuring two network virtual appliances (NVAs) in an Azure virtual network. The NVAs will be used to inspect all the traffic within the virtual network.
You need to provide high availability for the NVAs. The solution must minimize administrative effort.
What should you include in the solution?
A. Azure Standard Load Balancer
B. Azure Application Gateway
C. Azure Traffic Manager
D. Azure Front Door
Selected Answer: A
Question #: 17
Topic #: 1
Your company has an office in New York.
The company has an Azure subscription that contains the virtual networks shown in the following table.
You need to connect the virtual networks to the office by using ExpressRoute. The solution must meet the following requirements:
• The connection must have up to 1 Gbps of bandwidth.
• The office must have access to all the virtual networks.
• Costs must be minimized.
How many ExpressRoute circuits should be provisioned, and which ExpressRoute SKU should you enable?
A. one ExpressRoute Premium circuit
B. two ExpressRoute Premium circuits
C. four ExpressRoute Standard circuits
D. one ExpressRoute Standard circuit
Selected Answer: A
Question #: 17
Topic #: 3
You have five virtual machines that run Windows Server. Each virtual machine hosts a different web app.
You plan to use an Azure application gateway to provide access to each web app by using a hostname of www.contoso.com and a different URL path for each web app, for example: https://www.contoso.com/app1.
You need to control the flow of traffic based on the URL path.
What should you configure?
A. HTTP settings
B. listeners
C. rules
D. rewrites
Selected Answer: C
Question #: 18
Topic #: 5
You have an Azure subscription that contains an Azure Front Door named FD1.
You plan to deploy an app named App1 by using Azure App Service. Users will access App1 by using FD1.
You need to provide FD1 with access to App1. The solution must meet the following requirements:
• Ensure that users can only access App1 by using FD1.
• Ensure that users cannot access App1 directly from the internet.
What should you create for App1?
A. an access restriction
B. a private endpoint
C. a subnet delegation
D. a service endpoint
Selected Answer: A
Question #: 18
Topic #: 3
You plan to publish a website that will use an FQDN of www.contoso.com. The website will be hosted by using the Azure App Service apps shown in the following table.
You plan to use Azure Traffic Manager to manage the routing of traffic for www.contoso.com between AS1 and AS2.
You create a Traffic Manager profile named TMprofile1. TMprofile1 uses the weighted traffic-routing method.
You need to ensure that Traffic Manager routes traffic for www.contoso.com.
Which DNS record should you create?
A. two A records that map www.contoso.com to 131.107.100.1 and 131.107.200.1
B. a CNAME record that maps www.contoso.com to TMprofile1.azurefd.net
C. a CNAME record that maps www.contoso.com to TMprofile1.trafficmanager.net
D. a TXT record that contains a string of as1.contoso.com and as2.contoso.com in the details
Selected Answer: C
Question #: 18
Topic #: 1
You have an Azure subscription that contains a virtual network.
You plan to deploy an Azure VPN gateway and 90 Site-to-Site VPN connections. The solution must meet the following requirements:
• Ensure that the Site-to-Site VPN connections remain available if an Azure datacenter fails.
• Minimize costs.
Which gateway SKU should you specify?
A. VpnGw1AZ
B. VpnGw2AZ
C. VpnGw4AZ
D. VpnGw5AZ
Selected Answer: C
Question #: 19
Topic #: 4
You have the Azure virtual networks shown in the following table.
You have the Azure resources shown in the following table.
You need to check latency between the resources by using connection monitors in Azure Network Watcher.
What is the minimum number of connection monitors that you must create?
A. 1
B. 2
C. 3
D. 4
E. 5
Selected Answer: B