Microsoft AZ-700 Online Practice Questions and Exam Preparation
AZ-700 Exam Details
Exam Code: AZ-700
Exam Name: Designing and Implementing Microsoft Azure Networking Solutions
Certification: Microsoft Certifications
Vendor: Microsoft
Total Questions: 452 Q&As
Last Updated: May 28, 2026
Microsoft AZ-700 Online Questions & Answers
Question 241:
HOTSPOT
You have the Azure environment shown in the exhibit.
You have virtual network peering between Vnet1 and Vnet2. You have virtual network peering between Vnet4 and Vnet5. The virtual network peering is configured as shown in the following table.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Box 1: Yes
Virtual network peering seamlessly connects two Azure virtual networks, merging the two virtual networks into one for connectivity purposes. Gateway transit is a peering property that lets one virtual network use the VPN gateway in the peered virtual network for cross-premises or VNet-to-VNet connectivity.
The following diagram shows how gateway transit works with virtual network peering.
In the diagram, gateway transit allows the peered virtual networks to use the Azure VPN gateway in Hub-RM. Connectivity available on the VPN gateway, including S2S, P2S, and VNet-to-VNet connections, applies to all three virtual networks.
In hub-and-spoke network architecture, gateway transit allows spoke virtual networks to share the VPN gateway in the hub, instead of deploying VPN gateways in every spoke virtual network.
Box 2: Yes
VM2 uses the remote gateway GW1 to reach VM4.
Box 3: Yes
Select Block all traffic to the remote virtual network if you don't want traffic to flow to the peered virtual network by default. You can select this setting if you have peering between two virtual networks but occasionally want to disable default traffic flow between the two. You may find enabling/disabling is more convenient than deleting and re-creating peerings. When this setting is selected, traffic doesn't flow between the peered virtual networks by default; however, traffic may still flow if explicitly allowed through a network security group rule that includes the appropriate IP addresses or application security groups.
Question 242:
You have the Azure subscriptions shown in the following table.
Each virtual network contains 20 internet-accessible resources that are assigned public IP addresses.
You need to implement Azure DDoS Network Protection to protect the resources. The solution must minimize costs.
What is the minimum number of DDoS Network Protection plans you should deploy?
A. 1
B. 2
C. 3
D. 6
B. 2
Question 243:
HOTSPOT
You have an Azure subscription.
You plan to implement an Azure application gateway named AGW1.
You need to implement an external TLS certificate store for AGW1. The solution must meet the following requirements:
1. Keys must be stored by using the highest possible security.
2. Administrative effort must be minimized.
Which type of certificate store should you use, and which type of identity should you use to access the store? To answer, select the appropriate options in the answer area.
NOTE: Each correct answer is worth one point.
Question 244:
You have an Azure subscription that contains the following resources:
1. A virtual network named Vnet1
2. Two subnets named Subnet1 and AzureFirewallSubnet
3. A public Azure Firewall named FW1
4. A route table named RT1 that is associated to Subnet1
5. A routing rule for 0.0.0.0/0 to FW1 in RT1
After deploying 10 servers that run Windows Server to Subnet1, you discover that none of the virtual machines were activated.
You need to ensure that the virtual machines can be activated.
What should you do?
A. On FW1, create an outbound service tag rule for AzureCloud.
B. On FW1, create an outbound network rule that allows traffic to the Azure Key Management Service (KMS).
C. On FW1, configure a DNAT rule for port 1688.
D. To Subnet1, associate a network security group (NSG) that allows outbound access to port 1688.
B. On FW1, create an outbound network rule that allows traffic to the Azure Key Management Service (KMS).
Explanation
Troubleshoot Azure Windows virtual machine activation problems
Solution
Step 1: Configure the appropriate KMS client setup key.
Step 2: Verify the connectivity between the VM and the Azure KMS service.
This includes making sure that outbound network traffic to the KMS endpoint on port 1688 is not blocked by the firewall in the VM.
Note:
Understanding Azure KMS endpoints for Windows product activation of Azure Virtual Machines
Azure uses different endpoints for KMS (Key Management Services) activation depending on the cloud region where the VM resides.
Symptom
When you try to activate an Azure Windows VM, you receive an error message that resembles the following sample:
Error: 0xC004F074 The Software Licensing Service reported that the computer could not be activated. No Key Management Service (KMS) could be contacted. Please see the Application Event Log for additional information.
Cause
Generally, Azure VM activation issues occur if the Windows VM is not configured by using the appropriate KMS client setup key, or the Windows VM has a connectivity problem to the Azure KMS service (kms.core.windows.net, port 1688).
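The connectivity check from Step 2, run from one of the affected servers in Subnet1, as an added example that is not part of the original explanation or of Microsoft's article. The endpoint and port are the ones named above; it assumes an elevated PowerShell session on the VM and that the KMS client setup key from Step 1 is already installed.

```powershell
# Added example (not from the original page): check whether this VM can
# reach the Azure KMS endpoint through the 0.0.0.0/0 -> FW1 route, then
# retry activation only if the TCP session succeeds.
$KmsHost = 'kms.core.windows.net'   # endpoint named in the explanation above
$KmsPort = 1688                     # KMS activation port

# Step 2: attempt a TCP connection to the KMS endpoint.
$probe = Test-NetConnection -ComputerName $KmsHost -Port $KmsPort `
                            -WarningAction SilentlyContinue

if (-not $probe.TcpTestSucceeded) {
    # Name resolution may still work while the firewall drops the session,
    # so report the resolved address to separate DNS issues from filtering.
    Write-Warning "TCP $KmsPort to $KmsHost failed (resolved to: $($probe.RemoteAddress))."
    Write-Warning 'Check the outbound rules on FW1 and the Windows firewall inside the VM.'
    return
}

Write-Output "TCP $KmsPort to $KmsHost succeeded; retrying activation."

# Point the licensing client at the Azure KMS endpoint and activate.
$slmgr = Join-Path $env:windir 'System32\slmgr.vbs'
cscript.exe //nologo $slmgr /skms "${KmsHost}:$KmsPort"
cscript.exe //nologo $slmgr /ato

# Display detailed license information to confirm the result.
cscript.exe //nologo $slmgr /dlv
```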
Question 245:
You have an Azure subscription that contains the resources shown in the following table:
Each quarter, you deploy five new virtual machines to host App1.
You need to add a rule to NSG1 to ensure that the virtual machines that host App1 can connect to SQL1 and SQL2. The solution must follow the principle of least privilege and minimize administrative effort.
How should you configure the source property and the destination property for the rule? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Box 1: Source: 10.1.0.0/16
Question: You need to add a rule to NSG1 to ensure that the virtual machines that host App1 can connect to SQL1 and SQL2.
App1 is hosted in the 10.1.0.0/16 address space.
Box 2: Destination: ASG1
SQL1 and SQL2 are connected to Subnet1. Subnet1 has an IP address space of 10.0.1.0/24. NSG1 denies traffic between Subnet1 and Subnet2, so using 10.0.1.0/24 as the destination will not work. ASG1 contains SQL1 and SQL2. Use ASG1 as the destination.
Note: Application security groups enable you to configure network security as a natural extension of an application's structure, allowing you to group virtual machines and define network security policies based on those groups. You can reuse your security policy at scale without manual maintenance of explicit IP addresses. The platform handles the complexity of explicit IP addresses and multiple rule sets, allowing you to focus on your business logic.
Question 246:
You have an Azure subscription that contains a storage account named storage1 and a virtual network named VNet1.
VNet1 contains a subnet named Subnet1. A private endpoint for storage1 is connected to Subnet1. Site1 is connected to VNet1 by using a Site-to-Site (S2S) VPN.
You need to control access to storage1 from Site1 by using network security groups (NSGs).
What should you do first?
A. Associate a route table with Subnet1.
B. Associate a NAT gateway with Subnet1.
C. Configure a network policy for private endpoints on Subnet1.
D. Create a subnet delegation on Subnet1.
C. Configure a network policy for private endpoints on Subnet1.
Question 247:
HOTSPOT
You are planning an Azure Front Door deployment that will contain the resources shown in the following table.
Users will connect to the App Service through Front Door by using a URL of https://www.fabrikam.com. You obtain a certificate for the hostname of www.fabrikam.com. You need to configure a DNS record for www.fabrikam.com and upload the certificate to Azure. What should you do? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Box 1: A secret in Azure Key Vault
Azure Front Door supports Azure-managed certificates and customer-managed certificates.
If you already have a certificate, you can upload it to your key vault. Otherwise, create a new certificate directly through Azure Key Vault from one of the partner certificate authorities (CAs) that Azure Key Vault integrates with.
Azure Key Vault is a cloud service that provides a secure store for secrets. You can securely store keys, passwords, certificates, and other secrets.
Box 2: FD93.azurefd.net
Update your domain's DNS settings to point to your Front Door service's DNS endpoint. This will typically involve creating a CNAME record that maps your custom domain to the Front Door service endpoint, which will be in the form "yourfrontdoordns.azurefd.net".
Question 248:
A. VM3 only
B. VM1 and VM3 only
C. VM1, VM2 and VM3 only
D. VM1, VM2, VM3 and VM5
C. VM1, VM2 and VM3 only
Explanation
VM4 is in VNet3.
VNet3 is peered with VNet1 and VNet2.
There is no NSG rule blocking outbound ICMP from VNet3.
There is no NSG rule blocking inbound ICMP to VNet1/Subnet1, VNet1/Subnet2 or VNet2 from VNet3.
NSG10 blocks inbound ICMP from VNet4 (Source IP address is 10.10.0.0/16).
Therefore, VM4 can ping VM1 in VNet1/Subnet1, VM2 in VNet1/Subnet2 and VM3 in VNet2.
Question 249:
You have an Azure subscription that contains a virtual network named VNet1 and the resources shown in the following table.
You need to implement a solution for the traffic originating from VNet1. The solution must meet the following requirements:
1. Perform transparent proxying to external web servers.
2. Inspect all outbound TLS traffic.
3. Minimize costs.
Which resource should you include in the solution?
A. FW2
B. AG1
C. FD1
D. FW1
D. FW1
Question 250:
DRAG DROP
You have an Azure subscription that contains a virtual machine named VM1. VM1 contains a NIC named NIC1 and a public IP address named PIP1. PIP1 is assigned to NIC1.
You plan to deploy four Network Virtual Appliances (NVAs).
You need to ensure that all the inbound traffic from the internet to PIP1 is inspected by the NVAs. The solution must ensure that the NVA deployment is highly available.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.