AZ-700: Designing and Implementing Microsoft Azure Networking Solutions Topic 2
Question #: 19
Topic #: 1
You have an Azure subscription that contains the resources shown in the following table.
You create a virtual network named Vnet2 in the West US region.
You plan to enable peering between Vnet1 and Vnet2.
You need to ensure that the virtual machines connected to Vnet2 can connect to VM1 and VM2 via LB1.
What should you do?
A. From the Peerings settings of Vnet2, set Traffic forwarded from remote virtual network to Allow.
B. Change the Floating IP configurations of LB1.
C. From the Peerings settings of Vnet1, set Traffic forwarded from remote virtual network to Allow.
D. Change the SKU of LB1.
Selected Answer: D
Question #: 19
Topic #: 3
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure application gateway that has Azure Web Application Firewall (WAF) enabled.
You configure the application gateway to direct traffic to the URL of the application gateway.
You attempt to access the URL and receive an HTTP 403 error. You view the diagnostics log and discover the following error.
You need to ensure that the URL is accessible through the application gateway from any IP address.
Solution: You create a WAF policy exclusion for request headers that contain 137.135.10.24.
Does this meet the goal?
A. Yes
B. No
Selected Answer: B
Question #: 20
Topic #: 5
You have an Azure subscription that contains four virtual machines. The virtual machines host an app named App1.
You deploy an Azure Standard Load Balancer named LB1 to load balance incoming HTTPS requests to App1.
You need to reduce how long it takes for LB1 to stop sending App1 traffic to failed servers. The solution must minimize administrative effort.
What should you modify?
A. the Backend pools settings
B. the Diagnostic settings
C. the Load-balancing rules
D. the Health probes settings
Selected Answer: D
Question #: 20
Topic #: 2
You have a hub-and-spoke topology. The topology includes multiple on-premises locations that connect to a hub virtual network in Azure via ExpressRoute circuits.
You have an Azure Application Gateway named GW1 that provides a single point of ingress from the internet.
You plan to migrate the hub-and-spoke topology to Azure Virtual WAN.
You need to identify which changes must be applied to the existing topology. The solution must ensure that you maintain a single point of ingress from the internet.
Which three changes should you include in the solution? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. Add user-defined routes.
B. Add virtual network peerings.
C. Replace the user-defined routes used by the current topology.
D. Create virtual network connections.
E. Remove the existing virtual network peerings.
F. Redeploy GW1.
Selected Answer: CDE
Question #: 20
Topic #: 4
You have an Azure subscription that contains a user named Admin1 and a resource group named RG1.
RG1 contains an Azure Network Watcher instance named NW1.
You need to ensure that Admin1 can place a lock on NW1. The solution must use the principle of least privilege.
Which role should you assign to Admin1?
A. User Access Administrator
B. Resource Policy Contributor
C. Network Contributor
D. Monitoring Contributor
Selected Answer: A
Question #: 21
Topic #: 2
You have an application named App1 that listens for incoming requests on a preconfigured group of 50 TCP ports and UDP ports.
You install App1 on 10 Azure virtual machines.
You need to implement load balancing for App1 across all the virtual machines. The solution must minimize the number of load balancing rules.
What should you include in the solution?
A. Azure Application Gateway V2 that has multiple listeners
B. Azure Standard Load Balancer that has Floating IP enabled
C. Azure Standard Load Balancer that has high availability (HA) ports enabled
D. Azure Application Gateway v2 that has multiple site hosting enabled
Selected Answer: C
Question #: 21
Topic #: 5
You have an Azure subscription that contains a virtual network named VNet1. VNet1 contains the following subnets:
• AzureFirewallSubnet
• GatewaySubnet
• Subnet1
• Subnet2
• Subnet3
Subnet2 has a delegation to the Microsoft.Web/serverfarms service.
The subscription contains the resources shown in the following table.
You need to implement an Azure application gateway named AG1 that will be integrated with an Azure Web Application Firewall (WAF). AG1 will be used to publish VMSS1.
To which subnet should you connect AG1?
A. GatewaySubnet
B. AzureFirewallSubnet
C. Subnet2
D. Subnet1
E. Subnet3
Selected Answer: E
Question #: 21
Topic #: 4
You have a network security group named NSG1.
You need to enable network security group (NSG) flow logs for NSG1. The solution must support retention policies.
What should you create first?
A. A standard general-purpose v2 Azure Storage account
B. An Azure Log Analytics workspace
C. A standard general-purpose v1 Azure Storage account
D. A premium Block blobs Azure Storage account
Selected Answer: A
Question #: 22
Topic #: 4
You have an Azure subscription that contains the following resources:
• A virtual network named Vnet1
• Two subnets named subnet1 and AzureFirewallSubnet
• A public Azure Firewall named FW1
• A route table named RT1 that is associated to Subnet1
• A rule routing of 0.0.0.0/0 to FW1 in RT1
After deploying 10 servers that run Windows Server to Subnet1, you discover that none of the virtual machines were activated.
You need to ensure that the virtual machines can be activated.
What should you do?
A. On FW1, create an outbound network rule that allows traffic to the Azure Key Management Service (KMS).
B. On FW1, create an outbound service tag rule for Azure Cloud.
C. Deploy a NAT gateway.
D. Deploy an application security group that allows outbound traffic to 1688.
Selected Answer: D
Question #: 22
Topic #: 3
You have a website that uses an FQDN of www.contoso.com. The DNS record for www.contoso.com resolves to an on-premises web server.
You plan to migrate the website to an Azure web app named Web1. The website on Web1 will be published by using an Azure Front Door instance named ContosoFD1.
You build the website on Web1.
You plan to configure ContosoFD1 to publish the website for testing.
When you attempt to configure a custom domain for www.contoso.com on ContosoFD1, you receive the error message shown in the exhibit. (Click the Exhibit tab.)
You need to test the website and ContosoFD1 without affecting user access to the on-premises web server.
Which record should you create in the contoso.com DNS domain?
A. a CNAME record that maps afdverify.www.contoso.com to ContosoFD1.azurefd.net
B. a CNAME record that maps www.contoso.com to ContosoFD1.azurefd.net
C. a CNAME record that maps afdverify.www.contoso.com to afdverify.ContosoFD1.azurefd.net
D. a CNAME record that maps www.contoso.com to Web1.contoso.com
Selected Answer: C
Question #: 22
Topic #: 5
You have an Azure virtual network named VNet1 that contains the subnets shown in the following table.
You need to deploy an Azure application gateway named AppGW1 to VNet1.
To where can you deploy AppGW1?
A. GatewaySubnet only
B. Subnet2 only
C. Subnet1 or Subnet2 only
D. Subnet2 or GatewaySubnet only
E. Subnet1, Subnet2, and GatewaySubnet
Selected Answer: B
Question #: 23
Topic #: 4
You have an Azure subscription that contains a virtual network named Vnet1. Vnet1 contains a virtual machine named VM1 and an Azure firewall named FW1.
You have an Azure Firewall Policy named FP1 that is associated to FW1.
You need to ensure that RDP requests to the public IP address of FW1 route to VM1.
What should you configure on FP1?
A. a network rule
B. URL filtering
C. a DNAT rule
D. an application rule
Selected Answer: C
Question #: 23
Topic #: 3
You have the Azure load balancer shown in the Load Balancer exhibit.
LB2 has the backend pools shown in the Backend Pools exhibit.
You need to ensure that LB2 distributes traffic to all the members of VMSS1.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. Add a network interface to VMSS1.
B. Add a load balancing rule.
C. Configure a health probe.
D. Add a public IP address to each member of VMSS1.
Selected Answer: BC
Question #: 24
Topic #: 5
You have an Azure subscription that contains the following resources:
• A virtual network named Vnet1
• Two subnets named subnet1 and AzureFirewallSubnet
• A public Azure Firewall named FW1
• A route table named RT1 that is associated to Subnet1
• A rule routing of 0.0.0.0/0 to FW1 in RT1
After deploying 10 servers that run Windows Server to Subnet1, you discover that none of the virtual machines were activated.
You need to ensure that the virtual machines can be activated.
What should you do?
A. Deploy a NAT gateway.
B. Deploy an Azure Standard Load Balancer that has an outbound NAT rule.
C. On FW1, create an outbound network rule that allows traffic to the Azure Key Management Service (KMS).
D. To Subnet1, associate a network security group (NSG) that allows outbound access to port 1688.
Selected Answer: C
Question #: 24
Topic #: 3
You have an Azure subscription that contains the following resources:
• A virtual network named Vnet1
• Two subnets named subnet1 and AzureFirewallSubnet
• A public Azure Firewall named FW1
• A route table named RT1 that is associated to Subnet1
• A rule routing of 0.0.0.0/0 to FW1 in RT1
After deploying 10 servers that run Windows Server to Subnet1, you discover that none of the virtual machines were activated.
You need to ensure that the virtual machines can be activated.
What should you do?
A. On FW1, configure a DNAT rule for port 1688.
B. Deploy an application security group that allows outbound traffic to 1688.
C. On FW1, create an outbound network rule that allows traffic to the Azure Key Management Service (KMS).
D. On FW1, create an outbound service tag rule for Azure Cloud.
Selected Answer: C
Question #: 24
Topic #: 2
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have two Azure virtual networks named Vnet1 and Vnet2.
You have a Windows 10 device named Client1 that connects to Vnet1 by using a Point-to-Site (P2S) IKEv2 VPN.
You implement virtual network peering between Vnet1 and Vnet2. Vnet1 allows gateway transit. Vnet2 can use the remote gateway.
You discover that Client1 cannot communicate with Vnet2.
You need to ensure that Client1 can communicate with Vnet2.
Solution: You resize the gateway of Vnet1 to a larger SKU.
Does this meet the goal?
A. Yes
B. No
Selected Answer: B
Question #: 25
Topic #: 2
You have an Azure subscription that contains the virtual networks shown in the following table.
You plan to deploy an Azure firewall named AF1 to RG1 in the West US Azure region.
To which virtual networks can you deploy AF1?
A. Vnet1 and Vnet4 only
B. Vnet1, Vnet2, Vnet3, and Vnet4
C. Vnet1 only
D. Vnet1 and Vnet2 only
E. Vnet1, Vnet2, and Vnet4 only
Selected Answer: C
Question #: 25
Topic #: 3
You have an Azure Front Door instance that has a single frontend named Frontend1 and an Azure Web Application Firewall (WAF) policy named Policy1. Policy1 redirects requests that have a header containing “string1” to https://www.contoso.com/redirect1. Policy1 is associated to Frontend1.
You need to configure additional redirection settings. Requests to Frontend1 that have a header containing “string2” must be redirected to https://www.contoso.com/redirect2.
Which three actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. Create a custom rule.
B. Create a policy.
C. Create a frontend host.
D. Configure a managed rule.
E. Add a custom rule to Policy1.
F. Create an association.
Selected Answer: ABF
Question #: 25
Topic #: 4
You have an Azure subscription that contains the following resources:
• A virtual network named Vnet1
• Two subnets named subnet1 and AzureFirewallSubnet
• A public Azure Firewall named FW1
• A route table named RT1 that is associated to Subnet1
• A rule routing of 0.0.0.0/0 to FW1 in RT1
After deploying 10 servers that run Windows Server to Subnet1, you discover that none of the virtual machines were activated.
You need to ensure that the virtual machines can be activated.
What should you do?
A. On FW1, create an outbound network rule that allows traffic to the Azure Key Management Service (KMS).
B. On FW1, create an outbound service tag rule for Azure Cloud.
C. Deploy a NAT gateway.
D. On FW1, configure a DNAT rule for port 1688.
Selected Answer: A
Question #: 25
Topic #: 1
You have an Azure subscription that contains a virtual network named VNet1 and the virtual machines shown in the following table.
All the virtual machines are connected to Vnet1.
You need to ensure that the applications hosted on the virtual machines can be accessed from the internet. The solution must ensure that the virtual machines share a single public IP address.
What should you use?
A. an internal load balancer
B. Azure Application Gateway
C. a NAT gateway
D. a public load balancer
Selected Answer: D
Question #: 26
Topic #: 5
Your on-premises network contains a DNS server named Server1.
You have an Azure subscription that contains the resources shown in the following table.
The on-premises network is connected to VNet1 by using a Site-to-Site (S2S) VPN.
You need to ensure that Server1 can resolve the DNS name of storage1. The solution must minimize costs and administrative effort.
What should you use?
A. Azure DNS Private Resolver
B. an Azure public DNS zone
C. an Azure Private DNS zone
D. an Azure virtual machine that hosts a DNS service
Selected Answer: A
Question #: 26
Topic #: 1
Case Study –
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other questions in this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.
To start the case study –
To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. When you are ready to answer a question, click the Question button to return to the question.
Overview –
Litware, Inc. is a financial company that has a main datacenter in Boston and 20 branch offices across the United States. Users have Android, iOS, and Windows 10 devices.
Existing Environment –
Hybrid Environment –
The on-premises network contains an Active Directory forest named litwareinc.com that syncs to an Azure Active Directory (Azure AD) tenant named litwareinc.com by using Azure AD Connect.
All offices connect to a virtual network named Vnet1 by using a Site-to-Site VPN connection.
Azure Environment –
Litware has an Azure subscription named Sub1 that is linked to the litwareinc.com Azure AD tenant. Sub1 contains resources in the East US Azure region as shown in the following table.
A diagram of the resource in the East US Azure region is shown in the Azure Network Diagram exhibit.
There is bidirectional peering between Vnet1 and Vnet2. There is bidirectional peering between Vnet1 and Vnet3. Currently, Vnet2 and Vnet3 cannot communicate directly.
Azure Network Diagram –
Requirements –
Business Requirements –
Litware wants to minimize costs whenever possible, as long as all other requirements are met.
Virtual Networking Requirements –
Litware identifies the following virtual networking requirements:
• Direct the default route of 0.0.0.0/0 on Vnet2 and Vnet3 to the Boston datacenter over an ExpressRoute circuit.
• Ensure that the records in the cloud.litwareinc.com can be resolved from the on-premises locations.
• Automatically register the DNS names of Azure virtual machines to the cloud.litwareinc.com zone.
• Minimize the size of the subnets allocated to platform-managed services.
• Allow traffic from VMScaleSet1 to VMScaleSet2 on the TCP port 443 only.
Hybrid Networking Requirements –
Litware identifies the following hybrid networking requirements:
• Users must be able to connect to Vnet1 by using a Point-to-Site (P2S) VPN when working remotely. Connections must be authenticated by Azure AD.
• Latency of the traffic between the Boston datacenter and all the virtual networks must be minimized.
• The Boston datacenter must connect to the Azure virtual networks by using an ExpressRoute FastPath connection.
• Traffic between Vnet2 and Vnet3 must be routed through Vnet1.
PaaS Networking Requirements –
Litware identifies the following networking requirements for platform as a service (PaaS):
• The storage1 account must be accessible from all on-premises locations without exposing the public endpoint of storage1.
• The storage2 account must be accessible from Vnet2 and Vnet3 without exposing the public endpoint of storage2.
You need to connect Vnet2 and Vnet3. The solution must meet the virtual networking requirements and the business requirements.
Which two actions should you include in the solution? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. On the peering from Vnet1, select Allow for Traffic forwarded from remote virtual network.
B. On the peerings from Vnet2 and Vnet3, select Allow for Traffic forwarded from remote virtual network.
C. On the peering from Vnet1, select Use the remote virtual network’s gateway or Route Server.
D. On the peering from Vnet1, select Allow for Traffic to remote virtual network.
E. On the peerings from Vnet2 and Vnet3, select Use the remote virtual network’s gateway or Route Server.
Selected Answer: BE
Question #: 26
Topic #: 3
You have 10 Azure App Service instances. Each instance hosts the same web app. Each instance is in a different Azure region.
You need to configure Azure Traffic Manager to direct users to the instance that has the lowest latency.
Which routing method should you use?
A. geographic
B. weighted
C. priority
D. performance
Selected Answer: D
Question #: 27
Topic #: 3
Your company has offices in London, Tokyo, and New York.
The company has a web app named App1 that has the Azure Traffic Manager profile shown in the following table.
In Asia, you plan to deploy an additional endpoint that will host an updated version of App1.
You need to route 10 percent of the traffic from the Tokyo office to the new endpoint during testing.
What should you configure in Traffic Manager?
A. two profiles and five endpoints
B. two profiles and four endpoints
C. three profiles and four endpoints
D. one profile and five endpoints
Selected Answer: B
Question #: 27
Topic #: 2
Your company has four branch offices and an Azure subscription. The subscription contains an Azure VPN gateway named GW1.
The branch offices are configured as shown in the following table.
The branch office routers provide internet connectivity and Site-to-Site VPN connections to GW1.
The users in Branch1 report that they can connect to internet resources, but cannot access Azure resources.
You need to ensure that the Branch1 users can connect to the Azure resources. The solution must meet the following requirements:
• Minimize downtime for all users.
• Minimize administrative effort.
What should you do first?
A. Recreate LNG1.
B. Reset RTR1.
C. Reset Connection1.
D. Reset GW1.
Selected Answer: C
Question #: 27
Topic #: 5
You have an Azure Private Link service named PL1 that uses an Azure load balancer named LB1.
You need to ensure that PL1 can support a higher volume of outbound traffic.
What should you do?
A. Increase the number of frontend IP configurations for LB1.
B. Increase the number of NAT IP addresses assigned to PL1.
C. Deploy an Azure Application Gateway v2 instance to the source NAT subnet.
D. Redeploy LB1 with a different SKU.
Selected Answer: C
Question #: 28
Topic #: 5
You have an on-premises network named Site1.
You have an Azure subscription that contains a virtual network named VNet1 and a storage account named storage1.
Site1 and VNet1 are connected by using a Site-to-Site (S2S) VPN.
You need to ensure that the servers in Site1 can connect to storage1 by using the S2S VPN. The solution must minimize administrative effort.
What should you create on VNet1?
A. an Azure application gateway
B. an Azure Private Link service
C. a service endpoint
D. a private endpoint
Selected Answer: D
Question #: 29
Topic #: 1
You have three on-premises networks.
You have an Azure subscription that contains a Basic Azure virtual WAN. The virtual WAN contains a single virtual hub and a virtual network gateway that is limited to a throughput of 1 Gbps.
The on-premises networks connect to the virtual WAN by using Site-to-Site (S2S) VPN connections.
You need to increase the throughput of the virtual WAN to 3 Gbps. The solution must minimize administrative effort.
What should you do?
A. Upgrade the virtual WAN to the Standard SKU.
B. Add an additional VPN gateway to the Azure subscription.
C. Create an additional virtual hub.
D. Increase the number of gateway scale units.
Selected Answer: D
Question #: 29
Topic #: 2
You have an Azure subscription that contains the resources shown in the following table.
You plan to deploy an Azure Virtual Network NAT gateway named Gateway1. The solution must meet the following requirements:
• VM1 will access the internet by using its public IP address.
• VM2 will access the internet by using its public IP address.
• Administrative effort must be minimized.
You need to ensure that you can deploy Gateway1 to Vnet1.
What is the minimum number of subnets required on Vnet1?
A. 2
B. 3
C. 4
D. 5
Selected Answer: C
Question #: 29
Topic #: 4
You have an Azure subscription that contains a virtual network named Vnet1. Vnet1 contains 20 subnets and 500 virtual machines. Each subnet contains a virtual machine that runs network monitoring software.
You have a network security group (NSG) named NSG1 associated to each subnet.
When a new subnet is created in Vnet1, an automated process creates an additional network monitoring virtual machine in the subnet and links the subnet to NSG1.
You need to create an inbound security rule in NSG1 that will allow connections to the network monitoring virtual machines from an IP address of 131.107.1.15. The solution must meet the following requirements:
• Ensure that only the monitoring virtual machines receive a connection from 131.107.1.15.
• Minimize changes to NSG1 when a new subnet is created.
What should you use as the destination in the inbound security rule?
A. an application security group
B. a service tag
C. a virtual network
D. an IP address
Selected Answer: A
Question #: 30
Topic #: 1
You have 10 on-premises networks that are connected by using a 3rd party Software Defined Wide Area Network (SD-WAN) solution. You have an Azure subscription that contains five virtual networks.
You plan to connect the Azure virtual networks and the on-premises networks by using an Azure Virtual WAN with a single virtual WAN hub.
You need to ensure that the Azure Virtual WAN can act as a node in the 3rd party SD-WAN solution.
What should you include in the solution?
A. An Azure Virtual WAN ExpressRoute gateway
B. A Network Virtual Appliance (NVA)
C. A Site to site gateway (VPN gateway)
D. A Point to site gateway (User VPN gateway)
Selected Answer: B
Question #: 30
Topic #: 4
You have an Azure subscription that contains the resources shown in the following table.
Subnet1 contains three virtual machines that host an app named App1. App1 is accessed by using the SFTP protocol.
From NSG1, you configure an inbound security rule named Rule2 that allows inbound SFTP connections to ASG1.
You need to ensure that the inbound SFTP connections are managed by using ASG1. The solution must minimize administrative effort.
What should you do?
A. From NSG1, modify the priority of Rule2.
B. From each virtual machine, associate the network interface to ASG1.
C. From Subnet1, create a subnet delegation.
D. From ASG1, modify the role assignments.
Selected Answer: B
Question #: 30
Topic #: 3
You have an Azure application gateway configured for a single website that is available at https://www.contoso.com.
The application gateway contains one backend pool and one rule. The backend pool contains two backend servers. Each backend server has an additional website that is available on port 8080.
You need to ensure that if port 8080 is unavailable on a backend server, all the traffic for https://www.contoso.com is redirected to the other backend server.
What should you do?
A. Create a health probe
B. Add a new rule
C. Change the port on the listener
D. Add a new listener
Selected Answer: A
Question #: 31
Topic #: 2
Your company has five offices. Each office has a firewall device and a local internet connection. The offices connect to a third-party SD-WAN.
You have an Azure subscription that contains a virtual network named Vnet1. Vnet1 contains a virtual network gateway named Gateway1. Each office connects to Gateway1 by using a Site-to-Site VPN connection.
You need to replace the third-party SD-WAN with an Azure Virtual WAN.
What should you include in the solution?
A. Delete Gateway1.
B. Create new Point-to-Site (P2S) VPN connections on the firewall devices.
C. Create an Azure Traffic Manager profile.
D. Enable active-active mode on Gateway1.
Selected Answer: A
Question #: 31
Topic #: 3
You have an Azure subscription that contains the following resources:
• A virtual network named Vnet1
• Two subnets named subnet1 and AzureFirewallSubnet
• A public Azure Firewall named FW1
• A route table named RT1 that is associated to Subnet1
• A rule routing of 0.0.0.0/0 to FW1 in RT1
After deploying 10 servers that run Windows Server to Subnet1, you discover that none of the virtual machines were activated.
You need to ensure that the virtual machines can be activated.
What should you do?
A. On FW1, create an outbound service tag rule for AzureCloud.
B. Add an internet route to RT1 for the Azure Key Management Service (KMS).
C. On FW1, configure a DNAT rule for port 1688.
D. Deploy an Azure Standard Load Balancer that has an outbound NAT rule.
Selected Answer: B
Question #: 31
Topic #: 4
You have an Azure subscription that contains the resources shown in the following table.
Users on HP1 connect to App1 by using a URL of https://app1.contoso.com.
You need to ensure that the IDPS on FW1 can identify security threats in the connections from HP1 to Server1.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. Enable TLS inspection for FW1.
B. Import a server certificate to KV1.
C. Enable threat intelligence for FW1.
D. Add an application group to HP1.
E. Add a secured virtual network to FW1.
Selected Answer: AB
Question #: 32
Topic #: 1
You have an on-premises datacenter and an Azure subscription.
You plan to implement ExpressRoute FastPath.
You need to create an ExpressRoute gateway. The solution must minimize downtime if a single Azure datacenter fails.
Which SKU should you use?
A. ErGw1AZ
B. High performance
C. Ultra performance
D. ErGw3AZ
E. ErGw2AZ
Selected Answer: C
Question #: 32
Topic #: 3
You have an Azure subscription.
You plan to implement Azure Virtual WAN as shown in the following exhibit.
What is the minimum number of route tables that you should create?
A. 1
B. 2
C. 4
D. 6
Selected Answer: B
Question #: 32
Topic #: 2
You are planning the IP addressing for the subnets in Azure virtual networks.
Which type of resource requires IP addresses in the subnets?
A. internal load balancers
B. Azure DDoS Protection for virtual networks
C. service endpoint policies
D. service endpoints
Selected Answer: A
Question #: 33
Topic #: 2
You have an Azure subscription that contains four virtual networks named VNet1, VNet2, VNet3, and VNet4.
You plan to deploy a hub and spoke topology by using virtual network peering.
You need to configure VNet1 as the hub network. The solution must meet the following requirements:
• Support transitive routing between spokes.
• Maximize network throughput.
What should you include in the solution?
A. Azure VPN Gateway
B. Azure Route Server
C. Azure Private Link
D. Azure Firewall
Selected Answer: D
Question #: 33
Topic #: 3
You have an internal Basic Azure Load Balancer named LB1 that has two frontend IP addresses. The backend pool of LB1 contains two Azure virtual machines named VM1 and VM2.
You need to configure the rules on LB1 as shown in the following table.
What should you do for each rule?
A. Enable Floating IP.
B. Disable Floating IP.
C. Set Session persistence to Enabled.
D. Set Session persistence to Disabled.
Selected Answer: A
Question #: 34
Topic #: 1
You have an Azure subscription that contains an ExpressRoute Standard gateway named GW1.
You need to upgrade GW1 to support ExpressRoute FastPath. The solution must minimize downtime.
Which SKU should you use?
A. Ultra performance
B. ErGw3AZ
C. ErGw2AZ
D. High performance
Selected Answer: A
Question #: 34
Topic #: 3
Your company has 40 branch offices that are linked by using a Software-Defined Wide Area Network (SD-WAN). The SD-WAN uses BGP.
You have an Azure subscription that contains 20 virtual networks configured as a hub and spoke topology. The topology contains a hub virtual network named Vnet1.
The virtual networks connect to the SD-WAN by using a network virtual appliance (NVA) in Vnet1.
You need to ensure that BGP route advertisements will propagate between the virtual networks and the SD-WAN. The solution must minimize administrative effort.
What should you implement?
A. An Azure VPN Gateway that has BGP enabled
B. a NAT gateway
C. Azure Traffic Manager
D. Azure Route Server
Selected Answer: D
Question #: 37
Topic #: 4
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription that contains an Azure Front Door Premium profile named AFD1 and an Azure Web Application Firewall (WAF) policy named WAF1. AFD1 is associated with WAF1.
You need to configure a rate limit for incoming requests to AFD1.
Solution: You configure a managed rule for WAF1.
Does this meet the goal?
A. Yes
B. No
Selected Answer: B
Question #: 37
Topic #: 2
You are planning the IP addressing for the subnets in Azure virtual networks.
Which type of resource requires IP addresses in the subnets?
A. internal load balancers
B. Azure DDoS Protection for virtual networks
C. service endpoint policies
D. service endpoints