Microsoft AZ-700 Online Practice Questions and Exam Preparation

Microsoft AZ-700 Online Questions & Answers

• Question 121:

  You have an Azure subscription that contains the following resources:

  1. A virtual network named Vnet1

  2. Two subnets named subnet1 and AzureFirewallSubnet

  3. A public Azure Firewall named FW1

  4. A route table named RT1 that is associated to Subnet1

  5. A rule routing of 0.0.0.0/0 to FW1 in RT1

  After deploying 10 servers that run Windows Server to Subnet1, you discover that none of the virtual machines were activated.

  You need to ensure that the virtual machines can be activated.

  What should you do?

  A. On FW1, create an outbound service tag rule for AzureCloud.
  B. Add an internet route to RT1 for the Azure Key Management Service (KMS).
  C. On FW1, configure a DNAT rule for port 1688.
  D. Deploy a NAT gateway.
  B. Add an internet route to RT1 for the Azure Key Management Service (KMS).

  ---

  Explanation

  Troubleshoot Azure Windows virtual machine activation problems

  Cause

  Generally, Azure VM activation issues occur if the Windows VM is not configured by using the appropriate KMS client setup key, or the Windows VM has a connectivity problem to the Azure KMS service (kms.core.windows.net, port 1688).

  Incorrect:

  Not C: DNAT rules are for incoming traffic.

  Note: You can configure Azure Firewall Destination Network Address Translation (DNAT) to translate and filter inbound Internet traffic to your subnets. When you configure DNAT, the NAT rule collection action is set to Dnat. Each rule in the NAT rule collection can then be used to translate your firewall public IP address and port to a private IP address and port. DNAT rules implicitly add a corresponding network rule to allow the translated traffic.

  References:

  https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/troubleshoot-activation-problems

  https://learn.microsoft.com/en-us/azure/firewall/tutorial-firewall-dnat

• Question 122:

  HOTSPOT

  You have an Azure subscription that contains a virtual network named Vnetl. Vnetl has a /24 IPv4 address space.

  You need to subdivide Vnet1. The solution must maximize the number of usable subnets. What is the maximum number of IPv4 subnets you can create, and how many usable IP addresses will be available per subnet? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  

  

  ---

  Box 1: 3

  Subnet address range: The range must be within the address space you entered for the virtual network.

  The smallest range you can specify is /29, which provides eight IP addresses for the subnet. Azure reserves the first and last address in each subnet for protocol conformance. Three more addresses are reserved for Azure service usage. As a result, a virtual network with a subnet address range of /29 has only three usable IP addresses.

  Box 2: 32

  We can make 32 /29 subnets of a /24 IPv4 address space.

  References:

  https://learn.microsoft.com/en-us/azure/virtual-network/manage-virtual-network

• Question 123:

  You have an Azure Virtual Desktop deployment that has 500 session hosts.

  All outbound traffic to the internet uses a NAT gateway.

  Some users report that they cannot access internet resources during peak hours.

  In Azure Monitor, you discover many failed SNAT connections.

  You need to increase the available SNAT connections.

  What should you do?

  A. Bind the NAT gateway to another subnet.
  B. Add a public IP address.
  C. Deploy Azure Standard Load Balancer that has outbound rules.
  B. Add a public IP address.

  ---

  Explanation

  Correct Answer(s):

  Add a public IP address - A single NAT gateway resource supports from 64,000 up to 1 million concurrent flows. Each IP address provides 64,000 SNAT ports to the available inventory. You can use up to 16 IP addresses per NAT gateway resource.

  Frequently the root cause of SNAT exhaustion is an anti-pattern for how outbound connectivity is established, managed, or configurable timers changed from their default values.

  Steps

  1. Check if you have modified the default idle timeout to a value higher than 4 minutes.

  2. Investigate how your application is creating outbound connectivity (for example, code review or packet capture).

  3. Determine if this activity is expected behavior or whether the application is misbehaving. Use metrics in Azure Monitor to substantiate your findings. Use "Failed" category for SNAT Connections metric.

  4. Evaluate if appropriate patterns are followed.

  5. Evaluate if SNAT port exhaustion should be mitigated with additional IP addresses assigned to NAT gateway resource.

  https://docs.microsoft.com/en-us/azure/virtual-network/nat-gateway/troubleshoot-nat#snat-exhaustion

  Wrong Answers:

  Bind the NAT gateway to another subnet Not a valid solution to mitigate the issue.

  Deploy Azure Standard Load Balancer that has outbound rules.

  This replaces the need for outbound rules for backend pool outbound SNAT.

• Question 124:

  SIMULATION

  

  Username and password

  Use the following login credentials as needed:

  To enter your username, place your cursor in the Sign in box and click on the username below.

  To enter your password, place your cursor in the Enter password box and click on the password below.

  Azure Username: [email protected] Azure Password: xxxxxxxxxx

  If the Azure portal does not load successfully in the browser, press CTRL-K to reload the portal in a new browser tab.

  The following information is for technical support purposes only:

  Lab Instance: 12345678

  You need to ensure that the storage34280945 storage account will only accept connections from hosts on VNET1.

  A. See explanation below.
  B. PlaceHolder
  C. PlaceHolder
  D. PlaceHolder
  A. See explanation below.

  ---

  Explanation

  See the explanation below for step-by-step instructions.

  Here are the steps and explanations for ensuring that the storage34280945 storage account will only accept connections from hosts on VNET1:

  Restrict Network Access:

  To restrict network access to your storage account, you need to configure the Azure Storage firewall and virtual network settings for your storage account.

  You can do this in the Azure portal by selecting your storage account and then choosing Networking under Settings.

  Configure Firewalls and Virtual Networks: On the Networking page, select Firewalls and virtual networks.

  Then select Selected networks under Allow access from.

  This setting will block all access to your storage account except from the networks or resources that you specify.

  Add Existing Virtual Network:

  Under Virtual networks, select + Add existing virtual network.

  Then select VNET1 from the list of virtual networks and choose the subnet that contains the hosts that you want to allow access to your storage account.

  This will enable a service endpoint for Storage in the subnet and configure a virtual network rule for that subnet through the Azure storage firewall.

  Add and Save Changes: Select Add to add the virtual network and subnet to your storage account.

  Click Save to apply your changes.

• Question 125:

  Your company has 40 branch offices that are linked by using a Software-Defined Wide Area Network (SD-WAN). The SD-WAN uses BGP.

  You have an Azure subscription that contains 20 virtual networks configured as a hub and spoke topology.

  The topology contains a hub virtual network named Vnet1.

  The virtual networks connect to the SD-WAN by using a network virtual appliance (NVA) in Vnet1.

  You need to ensure that BGP route advertisements will propagate between the virtual networks and the SD-WAN. The solution must minimize administrative effort.

  What should you implement?

  A. An Azure VPN Gateway that has BGP enabled
  B. a NAT gateway
  C. Azure Traffic Manager
  D. Azure Route Server
  D. Azure Route Server

  ---

  Explanation

  Update route tables by using Azure Route Server

  Use Azure Route Server to manage the dynamic routing between NVAs and virtual networks. Simplify NVA maintenance, and avoid manually updating route tables.

  Workflow

  * This hub-and-spoke architecture has a hub virtual network and one spoke virtual network. The hub virtual network has multiple subnets, each containing virtual machines (VMs).

  * The border gateway protocol (BGP) makes the exchange of IP addresses between on-premises and Azure components possible. This protocol directs packets between autonomous systems. Such systems are small networks or huge pools of routers that a single organization runs.

  * Etc.

  Components

  * Route Server simplifies dynamic routing between NVAs that support BGP and virtual networks. This service eliminates the administrative overhead of maintaining route tables.

  * Etc.

  References:

  https://learn.microsoft.com/en-us/azure/architecture/example-scenario/networking/manage-routing-azure-route-server

• Question 126:

  HOTSPOT

  You have an Azure subscription that contains 10 virtual machines. The virtual machines are assigned private IP addresses. The subscription contains the resources shown in the following table.

  

  You need to configure FWPolicy1 to meet the following requirements:

  1. Allow incoming connections to the virtual machines from the internet on port 4567.

  2. Block outbound connections from the virtual machines to an FQDN of *.fabrikam.com.

  What should you configure in FWPolicy1? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  

  

• Question 127:

  Your company has an office in New York.

  The company has an Azure subscription that contains the virtual networks shown in the following table.

  

  You need to connect the virtual networks to the office by using ExpressRoute. The solution must meet the following requirements:

  1. The connection must have up to 1 Gbps of bandwidth.

  2. The office must have access to all the virtual networks.

  3. Costs must be minimized.

  How many ExpressRoute circuits should be provisioned, and which ExpressRoute SKU should you enable?

  A. one ExpressRoute Premium circuit
  B. two ExpressRoute Premium circuits
  C. four ExpressRoute Standard circuits
  D. one ExpressRoute Standard circuit
  A. one ExpressRoute Premium circuit

  ---

  Explanation

  One SKU Premium required.

  Azure ExpressRoute offers three different circuit SKUs, known as Local, Standard, and Premium, which provide varying degrees of connectivity scope.

  Standard: a Standard SKU ExpressRoute circuit provides connectivity to resources in all Azure regions in a geopolitical area. Under this scenario, the on-premises network in London can connect to resources and access Azure's cloud services hosted in regions such as West Europe (Amsterdam, Netherlands) and France Central (Paris, France) through ExpressRoute

  Premium: a Premium SKU ExpressRoute circuit facilitates connectivity to resources and cloud services globally across all Azure regions. Specifically, this global connectivity is delivered over the Microsoft core network. In this case, the on-premises network in London can link a virtual network created in West Europe (Amsterdam, Netherlands) to an Azure ExpressRoute circuit created in Japan East (Tokyo, Japan)

  References:

  https://dgtlinfra.com/azure-expressroute-benefits-pricing-providers-locations/

• Question 128:

  DRAG DROP

  You need to implement outbound connectivity for VMScaleSet1. The solution must meet the virtual networking requirements and the business requirements.

  Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

  Select and Place:

  

  

  ---

  References:

  https://docs.microsoft.com/en-us/azure/load-balancer/skus

  https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-outbound-connections#outboundrules

• Question 129:

  You need to configure FD1 to provide user access to app2.proseware.com. The solution must meet the security requirements and the general requirements.

  What should you do first?

  A. Add a custom domain to FD1.
  B. Add a security policy to FD1.
  C. Request a certificate from a trusted root CA.
  D. Export the TLS certificate and the private key from App2.
  C. Request a certificate from a trusted root CA.

• Question 130:

  HOTSPOT

  You have an Azure subscription that contains the resources shown in the following table.

  

  Policy1 has the following settings:

  1. Service: Microsoft Storage

  2. Allowed Resources: storage1.

  Subnet1 has the following settings:

  1. Name: Subnet

  2. Subnet address range: 10.0.0.0/24

  3. NAT gateway: None

  4. Network security group: None

  5. Route table: None

  6. Service Endpoints.

  Services: Microsoft Storage

  Service endpoint policies: Policy1.

  7. Subnet delegation

  Delegate subnet to a service: None.

  Subnet2 has the following settings:

  1. Name: Subnet2

  2. Subnet address range: 10.0.1.0/24

  3. NAT gateway: None

  4. Network security group: None

  5. Route table: None

  6. Service Endpoints.

  Services: 0 selected

  7. Subnet Delegation

  Delegate subnet to a service: None.

  For each of the following statements, select Yes if the statement is true. Otherwise, select No.

  NOTE: Each correct selection is worth one point.

  

  

  ---

  Box 1: Yes Yes-Devices on Subnet1 can access storage 1.

  Subnet1 is configured to use Policy1. Policy1 allows storage 1.

  Box 2: Yes Yes - Devices on Subnet2 can access storage 1.

  Subnet2 is not configued for any Service endpoints An Azure subnet can access an Azure Storage account even without explicitly configured service endpoints, but it will be through the storage account's public endpoint and over the public internet. Without service endpoints or private endpoints, the subnet's VMs will use their public IP addresses to communicate with the storage account.

  Box 3: No No - Devices on Subnet1 can access storage 2.

  Subnet1 is configured to use Policy1. Policy1 allows only storage 1.

  References:

  https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview