Microsoft AZ-700 Online Practice Questions and Exam Preparation

Microsoft AZ-700 Online Questions & Answers

• Question 341:

  You have an Azure virtual network named Hub1.

  Hub1 connects to an on-premises network by using a Site-to-Site VPN connection.

  You created an Azure Virtual network named Spoke1.

  You are implementing peering between Hub1 and Spoke1.

  You need to ensure that a virtual machine connected to Spoke1 can connect to the on-premises network through Hub1.

  How should you complete the PowerShell script?

  

  A. Code Block1: -AllowForwardedTraffic
  B. Code Block1: -AllowGatewayTransit
  C. Code Block1: -UseRemoteGateways
  D. Code Block2: -AllowForwardedTraffic
  E. Code Block2: -AllowGatewayTransit
  F. Code Block2: -UseRemoteGateways
  B. Code Block1: -AllowGatewayTransit
  F. Code Block2: -UseRemoteGateways

  ---

  Explanation

  Virtual network peering is a non-transitive relationship between two virtual networks. You can configure spokes to use the hub gateway to communicate with remote networks. To allow gateway traffic to flow from spoke to hub and connect to remote networks, you must:

  Configure the peering connection in the hub to allow gateway transit.

  Configure the peering connection in each spoke to use remote gateways.

  Configure all peering connections to allow forwarded traffic.

  Below is the sample code.

  # Peer hub to spoke

  Add-AzVirtualNetworkPeering -Name HubtoSpoke -VirtualNetwork $VNetHub -RemoteVirtualNetworkId

  $VNetSpoke.Id -AllowGatewayTransit

  # Peer spoke to hub

  Add-AzVirtualNetworkPeering -Name SpoketoHub -VirtualNetwork $VNetSpoke -RemoteVirtualNetworkId

  $VNetHub.Id -AllowForwardedTraffic UseRemoteGateways

  https://docs.microsoft.com/en-us/azure/firewall/tutorial-hybrid-ps#peer-the-hub-and-spoke-virtual-networks

  https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/hub-spoke?tabs=cli#virtual-network-peering

  Wrong Answers:

  Code Block1: -AllowForwardedTraffic &

  Code Block2: -AllowForwardedTraffic

  Allow forwarded traffic is used if you require connectivity between spokes. You can create routes to forward traffic from the spoke to the firewall or network virtual appliance, which can then route to the second spoke.

• Question 342:

  SIMULATION

  

  Username and password

  Use the following login credentials as needed:

  To enter your username, place your cursor in the Sign in box and click on the username below.

  To enter your password, place your cursor in the Enter password box and click on the password below.

  Azure Username: [email protected] Azure Password: xxxxxxxxxx

  If the Azure portal does not load successfully in the browser, press CTRL-K to reload the portal in a new browser tab.

  The following information is for technical support purposes only:

  Lab Instance: 12345678

  You need to ensure that subnet3-2 can only access resources on subnet3-1.

  To complete this task, sign in to the Azure portal.

  A. See explanation below.
  B. PlaceHolder
  C. PlaceHolder
  D. PlaceHolder
  A. See explanation below.

  ---

  Explanation

  See explanation below.

  

  Azure network rules

  You can use a network security group to filter inbound and outbound network traffic to and from Azure resources in an Azure virtual network.

  Network security groups contain security rules that filter network traffic by IP address, port, and protocol. When a network security group is associated with a subnet, security rules are applied to resources deployed in that subnet.

  Stage 1: Create a network security group A network security group (NSG) secures network traffic in your virtual network.

  Step 1: In the search box at the top of the portal, enter Network security group. Select Network security groups in the search results.

  Step 2: Select + Create.

  Step 3: On the Basics tab of Create network security group, enter or select something like this information Project details

  Subscription: Select your subscription. Resource group: Select test-rg. Instance details

  Name: Enter nsg-1.

  Location: Select East US 2.

  Step 4: Select Review + create.

  Step 5: Select Create.

  Stage 2 Associate network security group to subnet In this section, you associate the network security group with the subnet of the virtual network you created earlier.

  Step 1: In the search box at the top of the portal, enter Network security group. Select Network security groups in the search results.

  Step 2: Select nsg-1.

  Step 3: Select Subnets from the Settings section of nsg-1.

  Step 4: In the Subnets page, select +

  Associate:

  

  Step 5: Under Associate subnet, select vnet-1 (test-rg) for Virtual network.

  Step 6: Select subnet3-2 for Subnet, and then select OK.

  Stage 3: Create security rules

  Step 1: Select Outbound security rules from the Settings section of nsg-1.

  Step 2: In Outbound security rules page, select + Add.

  Step 3: Create a security rule that allows any ports, any protocol, to subnet3-1.

  Step 4: Select Add.

  References:

  https://learn.microsoft.com/en-us/azure/virtual-network/tutorial-filter-network-traffic

• Question 343:

  You have an on-premises network.

  You have an Azure subscription that contains a virtual network.

  You have an ExpressRoute service provider.

  You plan to connect the Azure virtual network and the on-premises network by using an ExpressRoute circuit.

  You create a new ExpressRoute circuit.

  You need to provision the new circuit.

  Which information should you provide to the service provider?

  A. the IKEv2 shared key
  B. the certificate
  C. the public IP address
  D. the service key
  D. the service key

• Question 344:

  HOTSPOT

  Your company has 10 instances of a web service. Each instance is hosted in a different Azure region and is accessible through a public endpoint.

  The development department at the company is creating an application named App1. Every 10 minutes, App1 will use a list of endpoints and connect to the first available endpoint.

  You plan to use Azure Traffic Manager to maintain the list of endpoints.

  You need to configure a Traffic Manager profile that will minimize the impact of DNS caching.

  What should you configure? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  

  

  ---

  References:

  https://docs.microsoft.com/en-us/azure/traffic-manager/traffic-manager-routing-methods

  https://docs.microsoft.com/en-us/azure/traffic-manager/traffic-manager-endpoint-types

• Question 345:

  You have an Azure subscription that contains an Azure Front Door named FD1. FD1 is configured as shown in the following exhibit.

  

  You need to enable Azure Private Link for FD1.

  What should you do first?

  A. Create an origin group.
  B. Add an endpoint.
  C. Change Pricing Tier to Azure Front Door Premium.
  D. Create a custom route.
  C. Change Pricing Tier to Azure Front Door Premium.

• Question 346:

  HOTSPOT

  You have the Azure resources shown in the following table.

  

  WebApp1 uses the Standard pricing tier.

  You need to ensure that WebApp1 can access the virtual machines deployed to Vnet1\Subnet1 and Vnet2

  \Subnet1. The solution must minimize costs.

  What should you create in each virtual network? To answer, select the appropriate options in the answer area.

  

  

  ---

  Box 1: An additional subnet Regional virtual network integration: When you connect to virtual networks in the same region, you must have a dedicated subnet in the virtual network you're integrating with.

  Box 2: A VPN gateway Gateway-required virtual network integration: When you connect directly to virtual networks in other regions or to a classic virtual network in the same region, you need an Azure Virtual Network gateway created in the target virtual network.

  Note: If your app is in an App Service Environment, it's already in a virtual network and doesn't require use of the VNet integration feature to reach resources in the same virtual network.

  References:

  https://docs.microsoft.com/en-us/azure/app-service/overview-vnet-integration

• Question 347:

  Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

  After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

  You have an Azure subscription that contains the following resources:

  1. A virtual network named Vnet1

  2. A subnet named Subnet1 in Vnet1

  3. A virtual machine named VM1 that connects to Subnet1

  4. Three storage accounts named storage1, storage2, and storage3

  You need to ensure that VM1 can access storage1. VM1 must be prevented from accessing any other storage accounts.

  Solution: You create a network security group (NSG). You configure a service tag for Microsoft.Storage and link the tag to Subnet1.

  Does this meet the goal?

  A. Yes
  B. No
  B. No

• Question 348:

  DRAG DROP

  You have 100 on-premises servers with IP addresses from the 10.0.0.0/24 IP address space.

  You have an Azure subscription that contains a virtual network named VNet1, an Azure VPN gateway named VGW1, and 100 virtual machines. VNet1 has an IP address space of 10.0.0.0/22. VGW1 uses the VpnGw1 SKU.

  You need to ensure that the Azure virtual machines and the on-premises servers can communicate by using VGW1. The solution must minimize administrative effort.

  Which four actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

  Select and Place:

  

  

  ---

  To connect a virtual network in one subscription to an application hosted by a virtual machine scale set in a different subscription using Azure Private Link, you'll need to create a Private Link service in the subscription [Sub1] hosting the scale set and then create a Private Endpoint in the virtual network in the other subscription [Sub2]. This allows secure, private connections between the two without exposing the application to the public internet.

  Step 1: Configure DB1 to run behind a standard Azure Load Balancer Here's a step-by-step breakdown:

  1. Configure the Application and Load Balancer: Ensure your application is running behind a standard load balancer in the subscription hosting the virtual machine scale set. If you don't already have a load balancer set up, create one and configure it to direct traffic to your scale set's instances. This load balancer will be used by the Private Link service to expose your application. Step 2: In Sub1, create a Private Link service to reference the load balancer.

  1. Create the Private Link Service: In the subscription where the load balancer is located, create a Private

  Link service. When configuring the Private Link service, select the frontend IP configuration of your load balancer that you want to use for incoming traffic. Choose a subnet for the NAT IP addresses for the Private Link service. Azure documentation recommends at least eight NAT IP addresses for optimal performance.

  Step 3: In Sub2, create a private endpoint by using the Private Link service ID.

  1. Create a Private Endpoint: In the subscription containing the virtual network, create a Private Endpoint.

  During Private Endpoint creation, select the Private Link service you created in the other subscription. The Private Endpoint will be provisioned in a subnet of your virtual network. The Private Endpoint connection will initially be in a "Pending" state until it's approved by the service provider (the subscription hosting the Private Link service).

  Step 4: Approve the connection request.

  1. Approve the Private Endpoint Connection: In the subscription where the Private Link service is located, navigate to Private Endpoints and find the pending connection. Approve the connection request from the virtual network's subscription.

  1. Connect and Test

  References:

  https://learn.microsoft.com/en-us/azure/private-link/private-link-service-overview

• Question 349:

  Your on-premises network contains an SMB share named Share1. You have an Azure subscription that contains the following resources:

  1. A web app named webapp1

  2. A virtual network named VNET1

  3. You need to ensure that webapp1 can connect to Share1.

  What should you deploy?

  A. an Azure Application Gateway
  B. an Azure Active Directory (Azure AD) Application Proxy
  C. an Azure Virtual Network Gateway
  C. an Azure Virtual Network Gateway

  ---

  Explanation

  Correct Answer(s):

  an Azure Virtual Network Gateway - A Site-to-Site VPN gateway connection can be used to connect your on-premises network to an Azure virtual network over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel. This type of connection requires a VPN device, a VPN gateway, located on-premises that has an externally facing public IP address assigned to it.

  https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-portalWrongAnswers:

  an Azure Application Gateway -- Azure Application Gateway is a web traffic load balancer. It does not provide connectivity to on-premises resources.

  an Azure Active Directory (Azure AD) Application Proxy -- Azure Active Directory's Application Proxy provides secure remote access to on-premises web applications. It does not provide connectivity to on-premises file shares.

• Question 350:

  You have the Azure App Service app shown below.

  

  The VNet Integration settings for as123 are configured as shown below.

  

  The Private Endpoint connections settings for as123 are configured as shown below.

  

  Select Yes of the below statement is true. Otherwise, select No.