Microsoft AZ-700 Online Practice Questions and Exam Preparation

Microsoft AZ-700 Online Questions & Answers

• Question 231:

  SIMULATION

  

  Username and password

  Use the following login credentials as needed:

  To enter your username, place your cursor in the Sign in box and click on the username below.

  To enter your password, place your cursor in the Enter password box and click on the password below.

  Azure Username: [email protected] Azure Password: xxxxxxxxxx

  If the Azure portal does not load successfully in the browser, press CTRL-K to reload the portal in a new browser tab.

  The following information is for technical support purposes only:

  Lab Instance: 12345678

  You plan to deploy two DNS servers to subnet2-1. Each server will host a DNS zone for fabrikam,com. The DNS zones will contain records from the on-premises network only. The IP address of the DNS servers will be 10.2.1.4 and 10.2.1.5.

  You need to ensure that virtual machines on VNET2 can resolve the names of the on-premises servers in fabrikam.com.

  To complete this task, sign in to the Azure portal.

  A. See explanation below.
  B. PlaceHolder
  C. PlaceHolder
  D. PlaceHolder
  A. See explanation below.

  ---

  Explanation

  Azure DNS Private Resolver

  The Azure DNS Private Resolver is a service that can resolve on-premises DNS queries for Azure DNS private zones. Previously, it was necessary to deploy a VM-based custom DNS resolver, or use non-Microsoft DNS, DHCP, and IPAM (DDI) solutions to perform this function.

  Create a DNS resolver inside the virtual network

  Step 1: In the Azure portal, search for DNS Private Resolvers.

  Step 2: Select DNS Private Resolvers, select Create, and then on the Basics tab for Create a DNS Private Resolver, enter the following:

  1. Subscription

  2. Resource group

  3. Name: Enter a name for your DNS resolver (e.g., mydnsresolver)

  4. Region: Choose the region you used for the VNET2 virtual network

  5. Virtual Network: Select VNET2

  Don't create the DNS resolver yet.

  

  Add rules to the forwarding ruleset

  Add two new conditional forwarding rules to the ruleset.

  Step 3: On the myruleset | Rules page, select Add, and enter the following rule data:

  1. Rule Name: Internal

  2. Domain Name: internal.fabrikam.com (fabrikam.com domain in the question)

  3. Rule State: Enabled

  4. Under Destination IP address, enter 10.2.1.4, and then select Add

  The question has the IP address of the DNS servers as 10.2.1.4 and 10.2.1.5.

  Step 4: On the myruleset | Rules page, select Add, and enter the following rule data:

  1. Rule Name: Internal

  2. Domain Name: internal.fabrikam.com (fabrikam.com domain in the question)

  3. Rule State: Enabled

  4. Under Destination IP address, enter 10.2.1.5, and then select Add

  References:

  https://learn.microsoft.com/en-us/azure/dns/dns-private-resolver-get-started-portal

• Question 232:

  You are planning the IP addressing for the subnets in Azure virtual networks.

  Which type of resource requires IP addresses in the subnets?

  A. internal load balancers
  B. Azure DDoS Protection for virtual networks
  C. service endpoint policies
  D. service endpoints
  A. internal load balancers

  ---

  Explanation

  During the creation of the load balancer, you'll configure:

  Frontend IP address

  Backend pool

  Inbound load-balancing rules

  When you create an internal load balancer, a virtual network is configured as the network for the load balancer.

  A private IP address in the virtual network is configured as the frontend for the load balancer. The frontend IP address can be Static or Dynamic.

  Incorrect:

  * service endpoints

  A service endpoint is created in a virtual subnet, but there is no IP address defined for the Service endpoint.

  Service endpoints are a way for Azure DevOps to connect to external systems or services. They're a bundle of properties securely stored by Azure DevOps, which includes but isn't limited to the following properties:

  Service name

  Description

  Server URL

  Certificates or tokens

  User names and passwords

  * service endpoint policies

  Service Endpoint Policy object, example.

  "serviceEndpointPolicyDefinitions": [

  {

  "description": null,

  "name": "MySEP-Definition",

  "resourceGroup": "MySEPDeployment",

  "service": "Microsoft.Storage",

  "serviceResources": [

  "/subscriptions/subscriptionID/resourceGroups/MySEPDeployment/providers/Microsoft.Storage/

  storageAccounts/mystgacc"

  ], "type": "Microsoft.Network/serviceEndpointPolicies/serviceEndpointPolicyDefinitions"

  }

  ]

  References:

  https://learn.microsoft.com/en-us/azure/load-balancer/quickstart-load-balancer-standard-internal-portal

  https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoint-policies-overview

• Question 233:

  HOTSPOT

  You have an on-premises network.

  You have an Azure subscription that contains the resources shown in the following table.

  

  You need to implement an ExpressRoute circuit to access the resources in the subscription. The solution must ensure that the on-premises network connects to the Azure resources by using the ExpressRoute circuit.

  Which type of peering should you use for each connection? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  

  

  ---

  Box 1: Private peering

  Azure Private Peering. One goal of implementing ExpressRoute is to connect on-premises networks with remote Azure networks. Private peering connects an on-premises network with Azure Cloud services such as virtual networks and resources connected to those virtual networks. Azure private peering makes the Azure networks a trusted extension of the core, on-premises network.

  Note: In order for you to successfully establish private peering connectivity from on-premises to the ExpressRoute circuit, you'll need to engage your service provider with the circuit service key.

  Incorrect:

  * Public peering, Microsoft peering

  Note that if the ExpressRoute circuit is unavailable, the VPN route will handle only private peering connections. Public peering and Microsoft peering connections pass over the Internet.

  * Public Peering.

  It's not really an option because public peering is depreciated for all new ExpressRoute circuits. We won't go into details on public peering because it's depreciated, but it's worth mentioning if you ever run into it on older ExpressRoute circuits.

  Box 2: Microsoft peering

  Microsoft peering connection on-premises networks to Microsoft 365 and Azure PaaS services, Office products for example.

  Azure SQL Database is a fully managed platform as a service (PaaS) database engine that handles most of the database management functions such as upgrading, patching, backups, and monitoring without user involvement.

  References:

  https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/expressroute-vpn-failover

  https://cloudacademy.com/course/implementing-azure-expressroute-2168/choosing-between-private-peering-microsoft-peering-or-both

  https://learn.microsoft.com/en-us/azure/azure-sql/database/sql-database-paas-overview

• Question 234:

  You have an Azure subscription that contains the resources shown in the following table.

  

  Gateway1 provides access to App1 by using a URL of https://app1.contoso.com.

  You create a new web app named App2.

  You need to configure Gateway1 to enable access to App2 by using a URL of https://app2.contoso.com.Thesolutionmustminimizeadministrativeeffort.

  What should you configure on Gateway1?

  A. a backend pool and a routing rule
  B. a listener and a routing rule
  C. a listener, a backend pool, and a routing rule
  D. a listener and a backend pool
  C. a listener, a backend pool, and a routing rule

• Question 235:

  SIMULATION

  

  Username and password

  Use the following login credentials as needed:

  To enter your username, place your cursor in the Sign in box and click on the username below.

  To enter your password, place your cursor in the Enter password box and click on the password below.

  Azure Username: [email protected] Azure Password: xxxxxxxxxx

  If the Azure portal does not load successfully in the browser, press CTRL-K to reload the portal in a new browser tab.

  The following information is for technical support purposes only:

  Lab Instance: 12345678

  You need to ensure that virtual machines on VNET1 and VNET2 are included automatically in a DNS zone named contoso.azure. The solution must ensure that the virtual machines on VNET1 and VNET2 can resolve the names of the virtual machines on either virtual network.

  To complete this task, sign in to the Azure portal.

  A. See explanation below.
  B. Placeholder
  C. Placeholder
  D. Placeholder
  A. See explanation below.

  ---

  Explanation

  What is the auto registration feature in Azure DNS private zones?

  The Azure DNS private zones auto registration feature manages DNS records for virtual machines deployed in a virtual network. When you link a virtual network with a private DNS zone with this setting enabled, a DNS record gets created for each virtual machine deployed in the virtual network.

  For each virtual machine, an A record and a PTR record are created. DNS records for newly deployed virtual machines are also automatically created in the linked private DNS zone. When a virtual machine gets deleted, any associated DNS records also get deleted from the private DNS zone.

  Step 1: Locate the DNS zone contosoazure

  Step 2: On the left pane, select Virtual network links.

  Step 3: Select Add.

  

  Step 4: Type myLink for the Link name.

  Step 5: For Virtual network, select VNET1.

  Step 6: Select the Enable auto registration check box.

  To enable auto registration, select the checkbox for "Enable auto registration" when you create the virtual network link.

  Step 7: Select OK.

  Step 8: Repeat procedure for VNET2.

  References:

  https://learn.microsoft.com/en-us/azure/dns/private-dns-autoregistration

  https://learn.microsoft.com/en-us/azure/dns/private-dns-getstarted-portal#link-the-virtual-network

• Question 236:

  You have an Azure subscription that contains a virtual network named VNet1.

  VNet1 contains a subnet named Subnet1.

  You plan to add a private endpoint to Subnet1.

  You need to ensure that you can route traffic between the private endpoint and the Azure Private Link service by using a user-defined route.

  What should you do first on Subnet1?

  A. Enable network policy.
  B. Enable delegation.
  C. Create a service endpoint.
  D. Provision a Standard Azure load balancer.
  B. Enable delegation.

• Question 237:

  HOTSPOT

  You have an on-premises VPN appliance named GW1.

  You have an Azure subscription that contains an Azure VPN gateway named VPNGW1. VPNGW1 connects to GW1.

  You need to modify the IKEv2 encryption algorithm used by VPNGW1 and GW1.

  Which PowerShell cmdlet should you run? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  

  

  ---

  Box 1: New-AzipsecTrafficSelectorPolicy To configure the use of IKEv2 encryption

  The New-AzTrafficSelectorPolicy cmdlet creates a traffic selector policy proposal to be used in a virtual network gateway connection.

  Example $trafficSelectorPolicy = New-AzIpsecTrafficSelectorPolicy -LocalAddressRange ("10.10.10.0/24",

  "20.20.20.0/24") -RemoteAddressRange ("30.30.30.0/24", "40.40.40.0/24") New-

  AzVirtualNetworkGatewayConnection -ResourceGroupName $rgname -name $vnetConnectionName - location $location -VirtualNetworkGateway1 $vnetGateway -LocalNetworkGateway2 $localnetGateway -

  ConnectionType IPsec -RoutingWeight 3 -SharedKey $sharedKey -UsePolicyBasedTrafficSelectors $true -

  TrafficSelectorPolicy ($trafficSelectorPolicy)

  Creates an instance of a traffic selector policy and adds it as a parameter when creating a virtual network gateway connection with an IKEv2 protocol.

  Incorrect:

  1. New-AzipsecPolicy The New-AzIpsecPolicy cmdlet creates an IPSec policy proposal to be used in a virtual network gateway connection.

  Example $ipsecPolicy = New-AzIpsecPolicy -SALifeTimeSeconds 1000 -SADataSizeKilobytes 2000 - IpsecEncryption "GCMAES256" -IpsecIntegrity "GCMAES256" -IkeEncryption "AES256" -IkeIntegrity "SHA256" -DhGroup "DHGroup14" -PfsGroup "PFS2048" New-AzVirtualNetworkGatewayConnection - ResourceGroupName $rgname -name $vnetConnectionName -location $location - VirtualNetworkGateway1 $vnetGateway -LocalNetworkGateway2 $localnetGateway -ConnectionType IPsec -RoutingWeight 3 -SharedKey $sharedKey -UsePolicyBasedTrafficSelectors $true -IpsecPolicies

  $ipsecPolicy

  Creating an IPSec policy to be used for a new virtual network gateway connection.

  1. Set-AzFirewallPolicy The Set-AzFirewallPolicy cmdlet updates an Azure Firewall Policy.

  Example Set-AzFirewallPolicy -InputObject $fp

  This example sets the firewall policy with the new firewall policy value

  Box 2: Set-AzVirtualNetworkGatewayConnection To apply the new policy

  The Set-AzVirtualNetworkGatewayConnection cmdlet configures a virtual network gateway connection.

  References:

  https://learn.microsoft.com/en-us/powershell/module/az.network/new-azipsectrafficselectorpolicy

  https://learn.microsoft.com/en-us/powershell/module/az.network/set-azvirtualnetworkgatewayconnection

• Question 238:

  Your company has an on-premises network and three Azure subscriptions named Subscription1, Subscription2, and Subscription3.

  The departments at the company use the Azure subscriptions as shown in the following table.

  

  All the resources in the subscriptions are in either the West US Azure region or the West US 2 Azure region.

  You plan to connect all the subscriptions to the on-premises network by using ExpressRoute.

  What is the minimum number of ExpressRoute circuits required?

  A. 1
  B. 2
  C. 3
  D. 4
  E. 5
  A. 1

  ---

  Explanation

  References:

  https://docs.microsoft.com/en-us/azure/expressroute/expressroute-introduction

• Question 239:

  DRAG DROP

  You register a DNS domain with a third-party registrar.

  You need to host the DNS zone on Azure.

  Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

  Select and Place:

  

  

  ---

  Step 1: Create a public DNS zone.

  Create a DNS zone 1. Go to the Azure portal to create a DNS zone. Search for and select DNS zones.

  

  2. Select Create DNS zone.

  3. On the Create DNS zone page, enter the following values, and then select Create.

  Step 2: Identify the FQDNs of the name servers.

  Retrieve name servers.

  Before you can delegate your DNS zone to Azure DNS, you need to know the name servers for your zone.

  Azure DNS gives name servers from a pool each time a zone is created.

  With the DNS zone created, in the Azure portal Favorites pane, select All resources. On the All resources page, select your DNS zone. If the subscription you've selected already has several resources in it, you can enter your domain name in the Filter by name box to easily access the application gateway.

  Retrieve the name servers from the DNS zone page. In this example, the zone contoso.net has been assigned name servers ns1-01.azure-dns.com, ns2-01.azure-dns.net, *ns3-01.azure-dns.org, and ns4- 01.azure-dns.info:

  

  Azure DNS automatically creates authoritative NS records in your zone for the assigned name servers.

  Step 3: Modify the NS records for the domain.

  Delegate the domain

  Once the DNS zone gets created and you have the name servers, you'll need to update the parent domain with the Azure DNS name servers.

  Each registrar has its own DNS management tools to change the name server records for a domain.

  1. In the registrar's DNS management page, edit the NS records and replace the NS records with the Azure DNS name servers.

  2. When you delegate a domain to Azure DNS, you must use the name servers that Azure DNS provides.

  Use all four name servers, regardless of the name of your domain. Domain delegation doesn't require a name server to use the same top-level domain as your domain.

  References:

  https://docs.microsoft.com/en-us/azure/dns/dns-delegate-domain-azure-dns

• Question 240:

  Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

  After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

  You have an Azure application gateway that has Azure Web Application Firewall (WAF) enabled.

  You configure the application gateway to direct traffic to the URL of the application gateway.

  You attempt to access the URL and receive an HTTP 403 error. You view the diagnostics log and discover the following error.

  

  You need to ensure that the URL is accessible through the application gateway.

  Solution: You create a WAF policy exclusion for request headers that contain 137.135.10.24.

  Does this meet the goal?

  A. Yes
  B. No
  B. No

  ---

  Explanation

  The parameter here should be RemoteAddr not Request header.

  https://docs.microsoft.com/en-us/azure/web-application-firewall/ag/custom-waf-rules-overview#match-variable-required