Microsoft AZ-700 Online Practice
Questions and Exam Preparation
AZ-700 Exam Details
Exam Code
:AZ-700
Exam Name
:Designing and Implementing Microsoft Azure Networking Solutions
Certification
:Microsoft Certifications
Vendor
:Microsoft
Total Questions
:452 Q&As
Last Updated
:Jul 08, 2026
Microsoft AZ-700 Online Questions &
Answers
Question 81:
You have an Azure environment.
You need to create a private connection between Azure PaaS and hosted services.
Which Azure Service should you deploy?
A. Azure Private Link B. Azure Service Endpoint C. Azure NaaS (network as a service)
A. Azure Private Link
Explanation
Correct Answer(s):
Azure Private Link Azure Private Link enables you to access Azure PaaS Services (for example, Azure Storage and SQL Database) and Azure hosted customer-owned/partner services over a private endpoint in your virtual network.
Azure Service Endpoint - Azure Service Endpoint provides secure and direct connectivity to Azure PaaS services over an optimized route over the Azure backbone network.
Azure NaaS (network as a service) - There is no such service as Azure NaaS.
Question 82:
HOTSPOT
You have an Azure subscription that contains the virtual networks shown in the following table.
You have devices that run either Windows or macOS. The devices connect to VGW1 by using the OpenVPN protocol.
Which virtual networks can each device access? To answer, select the appropriate options in the answer area.
NOTE: Each correct answer is worth one point.
Box 1: VNet1 VNet2, and VNet3 Windows
Note 1: About Point-to-Site VPN routing Azure Point-to-Site VPN routing behavior is dependent on the client OS, the protocol used for the VPN connection, and how the virtual networks (VNets) are connected to each other.
Multiple peered VNets In this example, the Point-to-Site VPN gateway connection is for VNet1. VNet1 is peered with VNet2. VNet 2 is peered with VNet3. VNet1 is peered with VNet4. There is no direct peering between VNet1 and VNet3. VNet1 has "Allow gateway transit" and VNet2 and VNet4 have "Use remote gateways" enabled.
Clients using Windows can access directly peered VNets, but the VPN client must be downloaded again if any changes are made to VNet peering or the network topology. Non-Windows clients can access directly peered VNets. Access isn't transitive and is limited to only directly peered VNets.
Note 2: Can I configure a point-to-site client to connect to multiple virtual networks at the same time? Yes, point-to-site client connections to a virtual network gateway that is deployed in a VNet that is peered with other VNets may have access to other peered VNets. point-to-site clients will be able to connect to peered VNets as long as the peered VNets are using the UseRemoteGateway / AllowGatewayTransit features.
You have an Azure subscription that contains a virtual network named VNet1 and a storage account named storage1.
Site1 and VNet1 are connected by using a Site-to-Site (S2S) VPN.
You need to ensure that the servers in Site1 can connect to storage1 by using the S2S VPN. The solution must minimize administrative effort.
What should you create on VNet1?
A. an Azure application gateway B. an Azure Private Link service C. a service endpoint D. a private endpoint
D. a private endpoint
Question 84:
HOTSPOT
You have two Azure App Service instances that host the web apps shown the following table.
You deploy an Azure 2 that has one public frontend IP address and two backend pools.
You need to publish all the web apps to the application gateway. Requests must be routed based on the HTTP host headers.
What is the minimum number of listeners and routing rules you should configure? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Box 1: 2
Listeners
One listener for As1.contoso.com, and one listener for As2.contoso.com.
Note: Multiple site hosting enables you to configure more than one web application on the same port of application gateways using public-facing listeners. It allows you to configure a more efficient topology for your deployments by adding up to 100+ websites to one application gateway. Each website can be directed to its own backend pool. For example, three domains, contoso.com, fabrikam.com, and adatum.com, point to the IP address of the application gateway. You'd create three multi-site listeners and configure each listener for the respective port and protocol setting.
You can also define wildcard host names in a multi-site listener and up to 5 host names per listener.
Box 2: 2
Routing rules
Application Gateway request routing rules
Rule type
When you create a rule, you choose between basic and path-based.
* Choose basic if you want to forward all requests on the associated listener (for example, blog.contoso.com/*) to a single backend pool.
* Choose path-based if you want to route requests from specific URL paths to specific backend pools. The path pattern is applied only to the path of the URL, not to its query parameters.
Associated backend pool
Associate to the rule the backend pool that contains the backend targets that serve requests that the listener receives.
* For a basic rule, only one backend pool is allowed. All requests on the associated listener are forwarded to that backend pool.
* For a path-based rule, add multiple backend pools that correspond to each URL path. The requests that match the URL path that's entered are forwarded to the corresponding backend pool. Also, add a default backend pool. Requests that don't match any URL path in the rule are forwarded to that pool.
You have deployed a virtual named VM1 that connects over port number 4444 to an application named App1.
App1 is hosted in your on-premises environment.
You discover that VM1 is not able to connect to App1.
You need to verify whether the issue relates to the network security groups.
What should you use?
A. Diagnostic settings in Azure Monitor B. Diagnose and solve problems in Traffic Manager Profiles C. The security recommendations in Azure Advisor D. IP flow verify in Azure Network Watcher
D. IP flow verify in Azure Network Watcher
Explanation
Correct Answer(s):
IP flow verify in Azure Network Watcher - IP flow verify checks if a packet is allowed or denied to or from a virtual machine. The information consists of direction, protocol, local IP, remote IP, local port, and remote port. If the packet is denied by a security group, the name of the rule that denied the packet is returned.
While any source or destination IP can be chosen, IP flow verify helps administrators quickly diagnose connectivity issues from or to the internet and from or to the on-premises environment.
Diagnostic settings in Azure Monitor Diagnostic settings are used to define the type of metric and log data to send to the destinations.
Diagnose and solve problems in Traffic Manager Profiles Not a valid option. Traffic manager is not used in the scenario given in the question.
The security recommendations in Azure Advisor - The Advisor dashboard displays personalized recommendations for all your subscriptions. You can get security recommendations from the Security tab on the Advisor dashboard.
This does not provide the packet drop or traffic flow logs.
Question 88:
HOTSPOT
You have an Azure subscription that contains a virtual machine named VM1 and a virtual network named Vnet1. Vnet1 contains three subnets named Subnet1, Subnet2 and GatewaySubnet. VM1 is connected to Subnet 1.
You plan to deploy a new virtual machine named VM2 that will perform network traffic routing and inspection.
You need to ensure that all the traffic from VM1 to the internet will be routed through VM2.
What should you do? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Question 89:
You have an Azure subscription that contains a virtual network named Vnet1. Vnet1 contains 20 subnets and 500 virtual machines. Each subnet contains a virtual machine that runs network monitoring software.
You have a network security group (NSG) named NSG1 associated to each subnet.
When a new subnet is created in Vnet1 an automated process creates an additional network monitoring virtual machine in the subnet and links the subnet to NSG1.
You need to create an inbound security rule in NSG1 that will allow connections to the network monitoring virtual machines from an IP address of 131.107.1.15. The solution must meet the following requirements:
1. Ensure that only the monitoring virtual machines receive a connection from 131.1071.15.
2. Minimize changes to NSG1 when a new subnet is created.
What should you use as the destination in the inbound security rule?
A. an application security group B. a service tag C. a virtual network D. an IP address
A. an application security group
Explanation
Application security groups
Application security groups enable you to configure network security as a natural extension of an application's structure, allowing you to group virtual machines and define network security policies based on those groups. You can reuse your security policy at scale without manual maintenance of explicit IP addresses.
Incorrect:
Not B: The network monitoring software is not an Azure service so service tags cannot be used.
Not D: Requires maintenance of explicit IP addresses.
Note: You can use an Azure network security group to filter network traffic between Azure resources in an Azure virtual network. A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources. For each rule, you can specify source and destination, port, and protocol.
Security rules
A network security group contains zero, or as many rules as desired, within Azure subscription limits. Each rule specifies the following properties:
* Source or destination
Any, or an individual IP address, classless inter-domain routing (CIDR) block (10.0.0.0/24, for example), service tag, or application security group. If you specify an address for an Azure resource, specify the private IP address assigned to the resource.
* Etc.
* Service tags
A service tag represents a group of IP address prefixes from a given Azure service. It helps to minimize the complexity of frequent updates on network security rules.
You have the network security groups (NSGs) shown in the following table.
In NSG1, you create inbound rules as shown in the following table.
You have the Azure virtual machines shown in the following table.
NSG2 has only the default rules configured.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
You have an Azure virtual network that contains the subnets shown in the following table.
1. VM3 is attached to subnet; which has default outband connection. However, VM1 has NSG that denies traffic in any ports except 80 and 443 from any IP address. But, communication from Virtual network is set to Deny so, the answer here is NO
2. VM1 and VM2 belongs to the same subnet 1 and each of them has default Outbound policy rule that will allow the traffic but Inbound is restricted for any port except 80 and 443. So, answer here is NO
3. VM1 cancommunicate to VM3 due that there is no restriction in Outbbound policy for NGSG1 and no restrictions for NSG2 inbound. So, answer here is YES.
Nowadays, the certification exams become more and more important and required by more and more
enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare
for the exam in a short time with less efforts? How to get a ideal result and how to find the
most reliable resources? Here on Vcedump.com, you will find all the answers.
Vcedump.com provide not only Microsoft exam questions,
answers and explanations but also complete assistance on your exam preparation and certification
application. If you are confused on your AZ-700 exam preparations
and Microsoft certification application, do not hesitate to visit our
Vcedump.com to find your solutions here.