Microsoft AZ-700 Online Practice Questions and Exam Preparation

Microsoft AZ-700 Online Questions & Answers

• Question 141:

  DRAG DROP

  You have an Azure subscription that contains an Azure VPN gateway named GW1. GW1 provides Point-to-Site (P2S) VPN connectivity.

  Users connect to GW1 from a Windows 11 device by using an SSTP connection.

  You need to ensure that the P2S VPN connections support Azure AD authentication.

  Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

  NOTE: More than one order of answer choices is correct. You will receive credit for any of the correct orders you select.

  Select and Place:

  

  

• Question 142:

  You have an Azure subscription that contains two virtual networks named VritualNetwork1 and VritualNetwork2.

  You have a Windows 10 device that connects to VritualNetwork1 by using a Point-to-Site (P2S) IKEv2 VPN. You have implemented virtual network peering between VritualNetwork1 and VritualNetwork2.

  VritualNetwork1 allows gateway transit. VritualNetwork2 can use the remote gateway. You discover that you cannot communicate with VritualNetwork2 from Windows 10 device. You need to ensure that you can communicate with VritualNetwork2 from Windows 10 device.

  To achieve the requirement, you enable BGP on the gateway of VritualNetwork1.

  Did you achieve the requirement?

  A. Yes
  B. No
  B. No

  ---

  Explanation

  The VPN client must be downloaded again if any changes are made to VNet peering or the network topology. If you make a change to the topology of your network and have Windows VPN clients, the VPN client package for Windows clients must be downloaded and installed again in order for the changes to be applied to the client.

  https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-point-to-site-routing

• Question 143:

  HOTSPOT

  You have an Azure subscription that is linked to a Microsoft Entra tenant. The subscription contains a virtual network named VNet1, a storage account named storage1, an Azure App Service app named App1, and an Azure SQL database named DB1. VNet1 contains two subnets named Subnet1 and Subnet2.

  Subnet1 and Subnet2 each has a subnet mask of 255.255.255.224.

  You plan to perform the following actions:

  1. On Subnet1, configure a service endpoint to connect to storage1 and a service endpoint to connect to the Microsoft Entra tenant.

  2. On Subnet2, configure a private endpoint to connect to App1 and a private endpoint to connect to DB1.

  How many IP addresses will be available on each subnet once the planned actions are complete? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  

  

  ---

  Box 1: 27 On Subnet1, configure a service endpoint to connect to storage1 and a service endpoint to connect to the Microsoft Entra tenant.

  Service endpoints does not consume IP addresses in the subnet of a virtual network. Five IP addresses are used by Azure.

  Remaining: 32-5 -> 27

  Note: Azure reserves five IP addresses within each subnet. Factor in those addresses when you're sizing virtual networks and encompassed subnets.

  Note 2: Virtual Network (VNet) service endpoint provides secure and direct connectivity to Azure services over an optimized route over the Azure backbone network. Endpoints allow you to secure your critical Azure service resources to only your virtual networks. Service Endpoints enables private IP addresses in the VNet to reach the endpoint of an Azure service without needing a public IP address on the VNet.

  Box 2: 25 On Subnet2, configure a private endpoint to connect to App1 and a private endpoint to connect to DB1.

  Two private endpoints IP addresses will be used. Five IP addresses are used by Azure.

  Remaining: 32-2-5 -> 25

  Note: A private endpoint is a network interface that uses a private IP address from your virtual network.

  This network interface connects you privately and securely to a service that's powered by Azure Private Link. By enabling a private endpoint, you're bringing the service into your virtual network. The service could be an Azure service such as: Azure Storage Azure Cosmos DB Azure SQL Database Your own service, using Private Link service.

  References:

  https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing

  https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-overview

  https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview

• Question 144:

  You have an Azure subscription.

  You plan to implement Azure Virtual WAN as shown in the following exhibit.

  

  What is the minimum number of route tables that you should create?

  A. 1
  B. 2
  C. 4
  D. 6
  B. 2

  ---

  Explanation

  Consider the following when configuring Virtual WAN routing:

  * All branch connections (Point-to-site, Site-to-site, and ExpressRoute) need to be associated to the Default route table. That way, all branches will learn the same prefixes.

  * Etc.

  Note: The routing capabilities in a virtual hub are provided by a router that manages all routing between gateways using Border Gateway Protocol (BGP). A virtual hub can contain multiple gateways such as a Site-to-site VPN gateway, ExpressRoute gateway, Point-to-site gateway, Azure Firewall. This router also provides transit connectivity between virtual networks that connect to a virtual hub and can support up to an aggregate throughput of 50 Gbps. These routing capabilities apply to Standard Virtual WAN customers.

  References:

  https://learn.microsoft.com/en-us/azure/virtual-wan/about-virtual-hub-routing

• Question 145:

  HOTSPOT

  You have an Azure subscription. The subscription contains an Azure application gateway that has the following configurations:

  1. Name: AppGW1

  2. Tier: Standard V2

  3. Autoscaling: Disabled.

  You create a Microsoft Entra user named User1.

  You need to ensure that User1 can change the tier of AppGW1. The solution must use the principle of least privilege.

  Which role should you assign to User1, and to which tiers can AppGW1 be changed? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  

  

  ---

  Box 1: Network Contributor Network Contributor Let's you manage networks, but not access to them.

  Allowed actions include: Microsoft.Resources/deployments/* Create and manage a deployment

  Incorrect:

  1. Cloud Device Administrator Users in this role can enable, disable, and delete devices in Microsoft Entra ID and read Windows 10 BitLocker keys (if present) in the Azure portal. The role does not grant permissions to manage any other properties on the device.

  2. Owner - too many permissions Grants full access to manage all resources, including the ability to assign roles in Azure RBAC.

  Box 2: WAF V2 only Upgrade Application Gateway Standard v2 to Application Gateway WAF v2

  1. Locate the Application Gateway in the Azure portal. Select the Application Gateway and the select Configuration from the Settings menu on the left side.

  2. Under Tier, select WAF V2.

  3. Select Save to complete the upgrade from Application Gateway Standard to Application Gateway WAF.

  

  References:

  https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference

  https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles

  https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/upgrade-ag-waf-policy

• Question 146:

  Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

  After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

  You have an Azure application gateway that has Azure Web Application Firewall (WAF) enabled.

  You configure the application gateway to direct traffic to the URL of the application gateway.

  You attempt to access the URL and receive an HTTP 403 error. You view the diagnostics log and discover the following error.

  

  You need to ensure that the URL is accessible through the application gateway.

  Solution: You disable the WAF rule that has a ruleld of 920300.

  Does this meet the goal?

  A. Yes
  B. No
  A. Yes

• Question 147:

  HOTSPOT

  You have an Azure subscription that contains the virtual machines shown in the following table.

  

  Subnet1 and Subnet2 are associated to a network security group (NSG) named NSG1 that has the following outbound rule:

  Priority: 100

  Port: Any

  Protocol: Any

  Source: Any

  Destination: Storage

  Action: Deny

  You create a private endpoint that has the following settings:

  Name: Private1

  Resource type: Microsoft.Storage/storageAccounts Resource: storage1 Target sub-resource: blob Virtual network: Vnet1 Subnet: Subnet1

  For each of the following statements, select Yes of the statement is true. Otherwise, select No.

  NOTE: Each correct selection is worth one point.

  

  

  ---

  References:

  https://docs.microsoft.com/en-us/azure/private-link/disable-private-endpoint-network-policy

• Question 148:

  You have an internal Basic Azure Load Balancer named LB1 that has two frontend IP addresses. The backend pool of LB1 contains two Azure virtual machines named VM1 and VM2.

  You need to configure the rules on LB1 as shown in the following table.

  

  What should you do for each rule?

  A. Enable Floating IP.
  B. Disable Floating IP.
  C. Set Session persistence to Enabled.
  D. Set Session persistence to Disabled.
  A. Enable Floating IP.

  ---

  Explanation

  Azure Load Balancer Floating IP configuration

  Floating IP

  Some application scenarios prefer or require the same port to be used by multiple application instances on a single VM in the backend pool. Common examples of port reuse include:

  clustering for high availability network virtual appliances exposing multiple TLS endpoints without re-encryption.

  If you want to reuse the backend port across multiple rules, you must enable Floating IP in the rule definition.

  In the diagrams below, you see how IP address mapping works before and after enabling

  Floating IP:

  

  

  Note: Azure Load Balancer supports rules to configure traffic to the backend pool.

  There are four types of rules:

  * Load-balancing rules - A load balancer rule is used to define how incoming traffic is distributed to the all the instances within the backend pool. A load-balancing rule maps a given frontend IP configuration and port to multiple backend IP addresses and ports.

  * High availability ports

  * Inbound NAT rule

  * Outbound NAT rule

  References:

  https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-floating-ip

  https://learn.microsoft.com/en-us/azure/load-balancer/manage-rules-how-to

• Question 149:

  SIMULATION

  

  Username and password

  Use the following login credentials as needed:

  To enter your username, place your cursor in the Sign in box and click on the username below.

  To enter your password, place your cursor in the Enter password box and click on the password below.

  Azure Username: [email protected] Azure Password: xxxxxxxxxx

  If the Azure portal does not load successfully in the browser, press CTRL-K to reload the portal in a new browser tab.

  The following information is for technical support purposes only:

  Lab Instance: 12345678

  You need to ensure that hosts on VNET2 can access hosts on both VNET1 and VNET3. The solution must prevent hosts on VNET1 and VNET3 from communicating through VNET2.

  To complete this task, sign in to the Azure portal.

  A. See explanation below.
  B. Placeholder
  C. Placeholder
  D. Placeholder
  A. See explanation below.

  ---

  Explanation

  We use VNET2 as hub, and VNET1 and VNET3 as spokes.

  The spoke virtual networks peer with the hub and can be used to isolate workloads.

  A hub-spoke topology can be used without a gateway if you don't need cross-premises network connectivity.

  Peer virtual networks

  Step 1: In the search box at the top of the Azure portal, look for VNET2. When VNET2 appears in the search results, select it.

  Step 2: Under Settings, select Peerings, and then select + Add, as shown in the following picture:

  

  Step 3: Enter or select the following information, accept the defaults for the remaining settings, and then select Add.

  * Virtual network - Select VNET1 for the name of the remote virtual network.

  Step 4: In the Peerings page, the Peering status is Connected, as shown in the following picture:

  

  Step 5: Repeat steps 1 to 4, but in Step 3 add VNET3 instead of VNET1.

  References:

  https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/hub-spoke

• Question 150:

  You have an Azure virtual network named Vnet1 and an on-premises network.

  The on-premises network has policy-based VPN devices. In Vnet1, you deploy a virtual network gateway named GW1 that uses a SKU of VpnGw1 and is route-based.

  You have a Site-to-Site VPN connection for GW1 as shown in the following exhibit.

  

  You need to ensure that the on-premises network can connect to the route-based GW1.

  What should you do before you create the connection?

  A. Set Connection Mode to ResponderOnly.
  B. Set BGP to Enabled.
  C. Set Use Azure Private IP Address to Enabled.
  D. Set IPsec / IKE policy to Custom.
  D. Set IPsec / IKE policy to Custom.

  ---

  Explanation

  BGP is the standard routing protocol commonly used in the Internet to exchange routing and reachability information between two or more networks. BGP enables the Azure VPN Gateways and your on-premises VPN devices, called BGP peers or neighbors, to exchange "routes" that will inform both gateways on the availability and reachability for those prefixes to go through the gateways or routers involved. BGP can also enable transit routing among multiple networks by propagating routes a BGP gateway learns from one BGP peer to all other BGP peers.

  Incorrect:

  Not C: A VPN gateway must have a Public IP address. Verify that you have an externally facing public IPv4 address for your VPN device.

  References:

  https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-bgp-resource-manager-ps

  https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-cli