Microsoft AZ-700 Online Practice Questions and Exam Preparation

Microsoft AZ-700 Online Questions & Answers

• Question 311:

  You have an on-premises network.

  You have an Azure subscription that includes a virtual network named VNet1 and a private Azure Kubernetes Service (AKS) cluster named AKS1. VNet1 is connected to your on-premises environment via an Azure ExpressRoute circuit.

  AKS1 is connected to VNet1.

  You need to implement an off-cluster ingress controller for AKS1. The solution must provide connectivity from the on-premises environment to containerized workloads hosted on AKS1.

  Which Azure service should you use?

  A. Azure Application Gateway
  B. Azure Front Door
  C. Azure Traffic Manager
  D. Azure Load Balancer
  A. Azure Application Gateway

  ---

  Explanation

  Traffic from application users to the cluster Incoming (ingress) controllers can be used to expose applications running in the AKS clusters.

  Ingress controllers can expose applications and APIs with a public or a private IP address.

  Application traffic can come from either on-premises or the public internet. The following picture describes an example where an Azure Application Gateway is configured to reverse-proxy connections to the clusters both from on-premises and from the public internet.

  Traffic from on-premises follows the flow of the numbered blue callouts in the previous diagram.

  1. The client will resolve the FQDN assigned to the application, either using the DNS servers deployed in the connectivity subscription or on-premises DNS servers.

  2. After resolving the application FQDN to an IP address (the private IP address of the application gateway), traffic is routed through a VPN or ExpressRoute gateway.

  3. Routing in the gateway subnet is configured to send the request to the web application firewall.

  4. The web application firewall sends valid requests to the workload running in the AKS cluster.

  The Azure Application Gateway in this example can be deployed in the same subscription as the AKS cluster, since its configuration is closely related to the workloads deployed in AKS and is therefore managed by the same application team.

  Incorrect:

  * Azure Front Door, Azure Traffic Manager

  Clients from the public internet resolve the DNS name for the application using Azure Traffic Manager.

  Alternatively, other global load-balancing technologies like Azure Front Door can be used.

  References:

  https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/scenarios/app-platform/aks/network-topology-and-connectivity

• Question 312:

  DRAG DROP

  You have an Azure subscription that contains a virtual network named Vnet1 and an Azure SQL database named SQL1. SQL1 has a private endpoint on Vnet1.

  You have a partner company named Fabrikam, Inc. Fabrikam has an Azure subscription that contains a virtual network named Vnet2 and a virtual machine named VM1. VM1 is connected to Vnet2.

  You need to provide VM1 with access to SQL1 by using an Azure Private Link service.

  What should you implement on each virtual network? To answer, drag the appropriate resources to the correct virtual networks. Each resource may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.

  NOTE: Each correct selection is worth one point.

  Select and Place:

  

  

• Question 313:

  You have an Azure subscription that contains two virtual networks named VritualNetwork1 and VritualNetwork2.

  You have a Windows 10 device that connects to VritualNetwork1 by using a Point-to-Site (P2S) IKEv2 VPN. You have implemented virtual network peering between VritualNetwork1 and VritualNetwork2.

  VritualNetwork1 allows gateway transit. VritualNetwork2 can use the remote gateway. You discover that you cannot communicate with VritualNetwork2 from the Windows 10 device. You need to ensure that you can communicate with VritualNetwork2 from the Windows 10 device.

  To achieve the requirement, you download and reinstall the VPN client configuration.

  Did you achieve the requirement?

  A. Yes
  B. No
  A. Yes

  ---

  Explanation

  The VPN client must be downloaded again if any changes are made to VNet peering or the network topology.

  If you make a change to the topology of your network and have Windows VPN clients, the VPN client package for Windows clients must be downloaded and installed again in order for the changes to be

  applied to the client.

  https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-point-to-site-routing

• Question 314:

  SIMULATION

  

  Username and password

  Use the following login credentials as needed:

  To enter your username, place your cursor in the Sign in box and click on the username below.

  To enter your password, place your cursor in the Enter password box and click on the password below.

  Azure Username: [email protected] Azure Password: xxxxxxxxxx

  If the Azure portal does not load successfully in the browser, press CTRL-K to reload the portal in a new browser tab.

  The following information is for technical support purposes only:

  Lab Instance: 12345678

  You are planning security for Azure Front Door.

  You need to create a rule that can be applied to Front Door hosts. The rule must prevent hosts in Japan from making more than 50 requests per minute. You do NOT need to associate the rule to a Front Door instance to complete this task.

  To complete this task, sign in to the Azure portal.

  A. See explanation below.
  B. PlaceHolder
  C. PlaceHolder
  D. PlaceHolder
  A. See explanation below.

  ---

  Explanation

  See explanation below.

  

  Configure a Web Application Firewall rate-limit rule.

  The Azure Web Application Firewall rate-limit rule for Azure Front Door controls the number of requests allowed from a particular source IP address to the application during a rate-limit duration.

  Stage 1: Create a policy First, create a basic WAF policy

  Step 1: On the upper left side of the portal, select Create a resource. Search for WAF, select Web Application Firewall, then select Create.

  Step 2: On Create a WAF policy page, Basics tab, enter

  Step 3: Select Review + create, then select Create.

  Stage 2: Create a rate-limit rule Step 1: Select Custom rules > Add custom rule.

  

  Step 2: Enter the information required to create a rate-limit rule:

  Custom rule name: Enter the name of the custom rule, such as rateLimitRule. Rule type: Select Rate limit.

  Priority: Enter the priority of the rule, such as 1. Rate limit duration: Select 1 minute. Rate limit threshold (requests): Enter 50

  Step 3: In Conditions, enter the information required to specify a match condition to identify requests. For Match type, select Geo location, for Value select JP (for Japan).

  Match type:

  Geo Location. Operation: Select is. Match values: JP

  Note: To create a geo-filtering custom rule in the Azure portal, select Geo location as the Match Type, and then select the country/region or countries/regions you want to allow/block from your application.

  

  Step 4: For Action, select Block. Rate-limit rules only support Log and Block actions. Allow isn't supported.

  Step 5: Select Add.

  Step 6: Select Save.

  References:

  https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/create-waf-policy-ag

  https://learn.microsoft.com/en-us/azure/web-application-firewall/afds/waf-front-door-rate-limit-configure

  https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/geomatch-custom-rules

• Question 315:

  You have an Azure subscription that contains a virtual machine named VM1 and a network security group (NSG) named NSG1. NSG1 has the default rules configured. VM1 runs Windows Server 2022 and contains a single NIC named NIC1. NIC1 is associated with NSG1.

  You need to prevent access to the Azure Instance Metadata Service (IMDS) REST API on VM1. The solution must minimize administrative effort.

  What should you add to NSG1?

  A. an outbound rule that blocks traffic to an IP address
  B. an outbound rule that blocks traffic to a service tag
  C. an inbound and outbound rule that blocks traffic to an application security group.
  D. an inbound rule that blocks traffic to an IP address
  B. an outbound rule that blocks traffic to a service tag

• Question 316:

  HOTSPOT

  You plan to implement an Azure Virtual WAN named VWAN1 that will contain a hub named Hub1. VWAN1 will include the virtual networks shown in the following table.

  

  You need to ensure that hosts connected to VNet1 can communicate with hosts connected to VNet3.

  How should you configure the routing tables for VWAN1? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  

  

• Question 317:

  You have an on-premises server named Server1 that runs Windows Server.

  You have an Azure subscription that contains a virtual network named VNet1.

  You plan to connect Server1 to VNet1 by using Azure Network Adapter.

  You need to minimize how long it takes to deploy the adapter to Server1.

  What should you create first?

  A. an Azure VPN gateway
  B. a route server
  C. a private endpoint
  D. an Azure Bastion host
  A. an Azure VPN gateway

• Question 318:

  You have an Azure subscription that contains a virtual network named Vnet1. Vnet1 contains a virtual machine named VM1 and an Azure firewall named FW1.

  You have an Azure Firewall Policy named FP1 that is associated to FW1.

  You need to ensure that RDP requests to the public IP address of FW1 route to VM1.

  What should you configure on FP1?

  A. a network rule
  B. URL filtering
  C. a DNAT rule
  D. an application rule
  C. a DNAT rule

  ---

  Explanation

  You can configure Azure Firewall Destination Network Address Translation (DNAT) to translate and filter inbound Internet traffic to your subnets. When you configure DNAT, the NAT rule collection action is set to Dnat. Each rule in the NAT rule collection can then be used to translate your firewall public IP address and port to a private IP address and port. DNAT rules implicitly add a corresponding network rule to allow the translated traffic.

  Note: Azure Firewall supports rules and rule collections. A rule collection is a set of rules that share the same order and priority. Rule collections are executed in order of their priority. Network rule collections are higher priority than application rule collections, and all rules are terminating.

  There are three types of rule collections:

  Application rules: Configure fully qualified domain names (FQDNs) that can be accessed from a subnet.

  Network rules: Configure rules that contain source addresses, protocols, destination ports, and destination addresses.

  NAT rules: Configure DNAT rules to allow incoming Internet connections.

  References:

  https://learn.microsoft.com/en-us/azure/firewall/firewall-faq

  https://learn.microsoft.com/en-us/azure/firewall/tutorial-firewall-dnat

• Question 319:

  HOTSPOT

  You have the hybrid network shown in the Network Diagram exhibit.

  

  You have a peering connection between Vnet1 and Vnet2 as shown in the Peering-Vnet1-Vnet2 exhibit.

  

  You have a peering connection between Vnet1 and Vnet3 as shown in the Peering-Vnet1-Vnet3 exhibit.

  

  For each of the following statements, select Yes if the statement is true. Otherwise, select No.

  NOTE: Each correct selection is worth one point.

  

  

  ---

  Box 1: Yes

  Virtual network peering seamlessly connects two Azure virtual networks, merging the two virtual networks into one for connectivity purposes.

  Box 2: No

  No Virtual Gateway is used.

  Gateway transit is a peering property that lets one virtual network use the VPN gateway in the peered virtual network for cross-premises or VNet-to-VNet connectivity. The following diagram shows how gateway transit works with virtual network peering.

  

  In the diagram, gateway transit allows the peered virtual networks to use the Azure VPN gateway in Hub-RM. Connectivity available on the VPN gateway, including S2S, P2S, and VNet-to-VNet connections, applies to all three virtual networks.

  Box 3: No

  No Virtual Gateway is used.

  References:

  https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-peering-gateway-transit

• Question 320:

  You have an Azure Private Link service named PL1 that uses an Azure load balancer named LB1.

  You need to ensure that PL1 can support a higher volume of outbound traffic.

  What should you do?

  A. Increase the number of frontend IP configurations for LB1.
  B. Increase the number of NAT IP addresses assigned to PL1.
  C. Deploy an Azure Application Gateway v2 instance to the source NAT subnet.
  D. Redeploy LB1 with a different SKU.
  B. Increase the number of NAT IP addresses assigned to PL1.

  ---

  Explanation

  Since the question ask for outbound traffic: Each NAT IP provides 64k TCP connections (64k ports) per VM behind the Standard Load Balancer. In order to scale and add more connections, you can either add new NAT IPs or add more VMs behind the Standard Load Balancer. Doing so will scale the port availability and allow for more connections.

  Connections will be distributed across NAT IPs and VMs behind the Standard Load Balancer.

  https://learn.microsoft.com/en-us/azure/private-link/private-link-faq#what-is-the-nat--network-address-translation--ip-configuration-used-in-private-link-service--how-can-i-scale-in-terms-of-available-ports-and-connections--