Microsoft AZ-700 Online Practice
Questions and Exam Preparation
AZ-700 Exam Details
Exam Code
:AZ-700
Exam Name
:Designing and Implementing Microsoft Azure Networking Solutions
Certification
:Microsoft Certifications
Vendor
:Microsoft
Total Questions
:452 Q&As
Last Updated
:Jul 08, 2026
Microsoft AZ-700 Online Questions &
Answers
Question 431:
You have two Azure virtual networks named VNet1 and VNet2.
VNet1 contains an Azure virtual machine named VM1.
VNet2 contains an Azure virtual machine named VM2.
VM1 hosts a frontend application that connects to VM2 to retrieve data. Users report that the frontend application is slower than usual. You need to view the average round-trip time (RTT) of the packets from
VM1 to VM2.
Which Azure Network Watcher feature should you use?
A. IP flow verify B. Connection troubleshoot C. Connection monitor D. NSG flow logs
C. Connection monitor
Explanation
Correct Answer(s):
Connection monitor - Connection Monitor provides you RTT values on a per-minute granularity. The connection monitor capability monitors communication at a regular interval and informs you of reachability, latency, and network topology changes between the VM and the endpoint.
IP flow verify - IP flow verify checks if a packet is allowed or denied to or from a virtual machine.
Connection troubleshoot -- Enable you to troubleshoot network performance and connectivity issues in Azure.
NSG flow logs - allows you to log information about IP traffic flowing through an NSG.
Question 432:
HOTSPOT
Which virtual machines can VM1 and VM4 ping successfully before NSG10 and NSG11 are created? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Question 433:
You have a web app named App1 that is hosted in on-premises servers and on four Azure virtual machines (VMs).
Each Azure region has one virtual machine.
You need to recommend a solution to ensure that users will always connect to the closest instance of App1.
The solution must prevent the users from attempting to connect to a failed instance of App1.
Which two possible should you recommendation achieve the goal?
A. Azure Front Door Service B. Azure Load Balancer C. round-robin DNS D. Azure Traffic Manager E. Azure Application Gateway
A. Azure Front Door Service D. Azure Traffic Manager
Explanation
Correct Answers:
Azure Front Door Service - Front Door is an application delivery network that provides global load balancing and site acceleration service for web applications. It offers Layer 7 capabilities for your application like SSL offload, path-based routing, fast failover, caching, etc. to improve performance and high-availability of your applications.
Azure Traffic Manager - Traffic Manager is a DNS-based traffic load balancer that enables you to distribute traffic optimally to services across global Azure regions, while providing high availability and responsiveness.
Azure Load Balancer - It is a regional load balancing solution.
round-robin DNS - Round-robin DNS is a load balancing technique where the balancing is done by a type of DNS server called an authoritative nameserver, rather than using a dedicated piece of load-balancing hardware.
Azure Application Gateway - It is a regional load balancing solution.
Question 434:
DRAG DROP
Your company, named Contoso, Ltd., has an Azure subscription that contains the resources shown in the following table.
You plan to deploy Azure Front Door. The solution must meet the following requirements:
1. Requests to a URL of https://contoso.azurefd.net/uk must be routed to App1uk.
2. Requests to a URL of https://contoso.azurefd.net/us must be routed to App1us.
3. Requests to a URL of https://contoso.azurefd.net/images must be routed to the storage account closest to the user.
What is the minimum number of backend pools and routing rules you should create? To answer, drag the appropriate number to the correct components. Each number may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
Select and Place:
Box 1: 2
One backend pool in East US, and One backend pool in UK West.
Note: The backend pool is a critical component of the load balancer. The backend pool defines the group of resources that will serve traffic for a given load-balancing rule.
Box 2: 2
One rule to handle: Requests to a URL of
https://contoso.azurefd.net/uk
must be routed to App1uk.
One rule to handle: Requests to a URL of
https://contoso.azurefd.net/us
must be routed to App1us.
The third requirement (Requests to a URL of
https://contoso.azurefd.net/images
must be routed to the storage account closest to the user) does not need any rule. Just need to set up latency routing.
Note:
Azure Front Door supports four different traffic routing methods to determine how your HTTP/HTTPS traffic is distributed between different origins. When user requests reach the Front Door edge locations, the configured routing method gets applied to ensure requests are forwarded to the best backend resource.
The four traffic routing methods are:
Latency: The latency-based routing ensures that requests are sent to the lowest latency origins acceptable within a sensitivity range. In other words, requests get sent to the nearest set of origins in respect to network latency.
You have an Azure subscription that contains the resources shown in the following table.
Users on HP1 connect to App1 by using a URL of https://app1.contoso.com.
You need to ensure that the IDPS on FW1 can identify security threats in the connections from HP1 to Server1.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. Enable TLS inspection for FW1. B. Import a server certificate to KV1. C. Enable threat intelligence for FW1. D. Add an application group to HP1. E. Add a secured virtual network to FW1.
A. Enable TLS inspection for FW1. B. Import a server certificate to KV1.
Explanation
A: TLS inspection
Azure Firewall Premium provides TLS inspection capability by decrypting the outbound traffic, inspecting it, processing it, and then re-encrypting the data and sending it to the destination. Azure Firewall Premium intercepts outbound HTTPS traffic and auto-generates a server certificate for the URL that you are trying to access. End-user browsers and the client applications must trust your organization's Root CA certificate or intermediate CA certificate for this procedure to work.
Why TLS inspection is important
Encrypted traffic has a security risk, as it can hide illegal user activity and malicious traffic. Azure Firewall without TLS inspection has no visibility into the data that flows in the encrypted TLS tunnel, and so it cannot provide full protection coverage for the outbound traffic.
How TLS inspection works in Azure Firewall Premium
TLS inspection is achieved by using an Intermediate CA certificate. An intermediate certificate works as a substitute of a root certificate. Intermediate certificates are also used as a stand-in for a root certificate by playing a "Chain of Trust" between an end entity certificate and a root.
B: How to Enable TLS Inspection in Azure Firewall Premium with auto-generate new certification feature in a POC environment:
1. Navigate to the Azure Firewall Premium Policy you want to enable TLS inspection.
2. From the left menu pane, Select - TLS Inspection - and click on the Enabled option.
3. In the Key Vault section, under Managed identity, select (New) Managed Identity Name.
The following new resources with a random name will be created Managed Identity Key Vault Self-signed Root CA certificate
4. Click on Save button at the bottom of the page to commit the changes.
5. Once saved, a new Managed identity and new Azure Key vault will be created along with a new root certificate (You can view the certificate under the certificates section).
6. Once you click on certificate, you will get an option to download the certificate in both PFX/PEM and CER format. Download the certificate in .CER format and copy it to the end user's machine from where you would like to access a secure public website.
7. Configure an Application Rule in the Azure firewall policy to allow the outbound web traffic from the end user's machine. Since TLS inspection is enabled in this outbound rule, all outbound traffic will be inspected by the Azure Firewall.
You can enable Threat intelligence-based filtering for your firewall to alert and deny traffic from/to known malicious IP addresses, FQDNs, and URLs. The IP addresses, domains and URLs are sourced from the Microsoft Threat Intelligence feed, which includes multiple sources including the Microsoft Cyber Security team.
You have an Azure subscription that contains an Azure key vault named Vault1 and an app registration for an Azure AD app named App1.
You have a DNS domain named contoso.com that is hosted by a third-party DNS provider.
You plan to deploy App1 by using Azure App Service. App1 will have the following configurations:
1. App1 will be hosted across five App Service apps.
2. Users will access App1 by using a URL of https://app1.contoso.com.
3. The user traffic of App1 will be managed by using Azure Front Door.
4. The traffic between Front Door and the App Service apps will be sent by using HTTP.
5. App1 will be secured by using an SSL certificate from a third-party certificate authority (CA).
You need to support the Front Door deployment.
Which two DNS records should you create, and to where should you import the SSL certificate for App1?
To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Question 437:
You need to recommend a configuration for the ExpressRoute connection from the Boston datacenter. The solution must meet the hybrid networking requirements and business requirements.
What should you recommend minimizing latency of traffic to Vnet2?
A. Create a dedicated ExpressRoute circuit for Vnet2 B. Connect Vnet2 directly to the ExpressRoute circuit C. Configure gateway transit for the peering between Vnet1 and Vnet2
C. Configure gateway transit for the peering between Vnet1 and Vnet2
Explanation
Scenario:
Health Engine wants to minimize costs whenever possible, as long as all other requirements are met.
Latency of the traffic between the Boston datacenter and all the virtual networks must be minimized. The Boston datacenter must connect to the Azure virtual networks by using an ExpressRoute FastPath connection.
Gateway transit allows you to share an ExpressRoute or VPN gateway with all peered VNets and lets you manage the connectivity in one place. Sharing enables cost-savings and reduction in management overhead.
You have an Azure subscription that contains the resources is shown in the following table.
You need to ensure that the apps hosted on VM1 can resolve the IP address of the private endpoint for azsql1.database.windows.net.
What should you create first?
A. a public DNS zone named database.windows.net B. a private DNS zone named database.windows.net C. a public DNS zone named private link.database.windows.net D. a private DNS zone named private link.database.windows.net
D. a private DNS zone named private link.database.windows.net
Explanation
Azure Private Endpoint DNS configuration
You can use the following options to configure your DNS settings for private endpoints:
* Use the host file (only recommended for testing). You can use the host file on a virtual machine to override the DNS.
* Use a private DNS zone. You can use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone can be linked to your virtual network to resolve specific domains.
* Use your DNS forwarder (optional).
For Azure services, use the recommended zone names as described in the following table:
Nowadays, the certification exams become more and more important and required by more and more
enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare
for the exam in a short time with less efforts? How to get a ideal result and how to find the
most reliable resources? Here on Vcedump.com, you will find all the answers.
Vcedump.com provide not only Microsoft exam questions,
answers and explanations but also complete assistance on your exam preparation and certification
application. If you are confused on your AZ-700 exam preparations
and Microsoft certification application, do not hesitate to visit our
Vcedump.com to find your solutions here.