microsoft az-700 practice test
Designing and Implementing Microsoft Azure Networking Solutions
Note: Test Case questions are at the end of the exam
Question 1 Topic 4, Mixed Questions
HOTSPOT
You have the Azure environment shown in the Azure Environment exhibit.
The settings for each subnet are shown in the following table.
The Firewalls and virtual networks settings for storage1 are configured as shown in the Storage1 exhibit.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Answer:
Explanation:
Box 1: Yes
The firewall allows VNet1\Subnet1 through the service endpoint.
Box 2: No
The firewall does not allow VNet1\Subnet2 through the service endpoint.
Box 3: No
The firewall allows 132.124.53.0/26 which means it allows all IP addresses between 132.124.53.0 and 132.124.53.63. The
public IP of VM3 is 132.124.53.76 which is outside the allowed range.
Question 2 Topic 4, Mixed Questions
You have Azure App Service apps in the West US Azure region as shown in the following table.
You need to ensure that all the apps can access the resources in a virtual network named Vnet1 without forwarding traffic
through the internet.
How many integration subnets should you create?
- A. 0
- B. 1
- C. 3
- D. 4
- E. 6
Answer:
C
Explanation:
One integration subnet is required per App Service Plan regardless of how many apps are running in the App Service Plan.
Reference: https://docs.microsoft.com/en-us/azure/app-service/overview-vnet-integration
Question 3 Topic 4, Mixed Questions
You have an Azure subscription that is linked to an Azure Active Directory (Azure AD) tenant named
contoso.onmicrosoft.com. The subscription contains the following resources:
An Azure App Service app named App1
An Azure DNS zone named contoso.com
An Azure private DNS zone named private.contoso.com A virtual network named Vnet1
You create a private endpoint for App1. The record for the endpoint is registered automatically in Azure DNS.
You need to provide a developer with the name that is registered in Azure DNS for the private endpoint.
What should you provide?
- A. app1.contoso.onmicrosoft.com
- B. app1.private.contoso.com
- C. app1.privatelink.azurewebsites.net
- D. app1.contoso.com
Answer:
C
Question 4 Topic 4, Mixed Questions
You have an Azure virtual network named Vnet1 that has one subnet. Vnet1 is in the West Europe Azure region.
You deploy an Azure App Service app named App1 to the West Europe region.
You need to provide App1 with access to the resources in Vnet1. The solution must minimize costs.
What should you do first?
- A. Create a private link.
- B. Create a new subnet.
- C. Create a NAT gateway.
- D. Create a gateway subnet and deploy a virtual network gateway.
Answer:
D
Explanation:
Reference: https://docs.microsoft.com/en-us/azure/app-service/web-sites-integrate-with-vnet
Question 5 Topic 4, Mixed Questions
DRAG DROP
You have an Azure virtual network named Vnet1 that connects to an on-premises network.
You have an Azure Storage account named storageaccount1 that contains blob storage.
You need to configure a private endpoint for the blob storage. The solution must meet the following requirements:
Ensure that all on-premises users can access storageaccount1 through the private endpoint. Prevent access to
storageaccount1 from being interrupted.
Which four actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the
answer area and arrange them in the correct order.
Select and Place:
Answer:
Explanation:
168.63.129.16 is the IP address of Azure DNS which hosts Azure Private DNS zones. It is only accessible from within a
VNet which is why we need to forward on-prem DNS requests to the VM running DNS in the VNet. The VM will then forward
the request to Azure DNS for the IP of the storage account private endpoint.
Reference: https://docs.microsoft.com/en-us/azure/storage/common/storage-private-endpoints
Question 6 Topic 4, Mixed Questions
HOTSPOT
You have the Azure App Service app shown in the App Service exhibit.
The VNet Integration settings for as12 are configured as shown in the Vnet Integration exhibit.
The Private Endpoint connections settings for as12 are configured as shown in the Private Endpoint connections exhibit.
For each of the following statements, select Yes of the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Answer:
Explanation:
Reference: https://docs.microsoft.com/en-us/azure/app-service/web-sites-integrate-with-vnet
Question 7 Topic 4, Mixed Questions
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a
unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while
others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in
the review screen.
You have an Azure subscription that contains the following resources:
A virtual network named Vnet1
A subnet named Subnet1 in Vnet1
A virtual machine named VM1 that connects to Subnet1
Three storage accounts named storage1, storage2, and storage3
You need to ensure that VM1 can access storage1. VM1 must be prevented from accessing any other storage accounts.
Solution: You create a network security group (NSG). You configure a service tag for Microsoft.Storage and link the tag to
Subnet1.
Does this meet the goal?
- A. Yes
- B. No
Answer:
B
Question 8 Topic 4, Mixed Questions
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a
unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while
others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in
the review screen.
You have an Azure subscription that contains the following resources:
A virtual network named Vnet1
A subnet named Subnet1 in Vnet1
A virtual machine named VM1 that connects to Subnet1
Three storage accounts named storage1, storage2, and storage3
You need to ensure that VM1 can access storage1. VM1 must be prevented from accessing any other storage accounts.
Solution: You create a network security group (NSG) and associate the NSG to Subnet1.
Does this meet the goal?
- A. Yes
- B. No
Answer:
B
Question 9 Topic 4, Mixed Questions
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a
unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while
others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in
the review screen.
You have an Azure subscription that contains the following resources:
A virtual network named Vnet1
A subnet named Subnet1 in Vnet1
A virtual machine named VM1 that connects to Subnet1
Three storage accounts named storage1, storage2, and storage3
You need to ensure that VM1 can access storage1. VM1 must be prevented from accessing any other storage accounts.
Solution: You configure the firewall on storage1 to only accept connections from Vnet1.
Does this meet the goal?
- A. Yes
- B. No
Answer:
B
Question 10 Topic 4, Mixed Questions
You have an Azure virtual network named Vnet1.
You need to ensure that the virtual machines in Vnet1 can access only the Azure SQL resources in the East US Azure
region. The virtual machines must be prevented from accessing any Azure Storage resources.
Which two outbound network security group (NSG) rules should you create? Each correct answer presents part of the
solution.
NOTE: Each correct selection is worth one point.
- A. a deny rule that has a source of VirtualNetwork and a destination of Sql
- B. an allow rule that has the IP address range of Vnet1 as the source and destination of Sql.EastUS
- C. a deny rule that has a source of VirtualNetwork and a destination of 168.63.129.0/24
- D. a deny rule that has the IP address range of Vnet1 as the source and destination of Storage
Answer:
B D
Explanation:
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/service-tags-overview
Question 11 Topic 4, Mixed Questions
Your company has offices in Montreal, Seattle, and Paris. The outbound traffic from each office originates from a specific
public IP address.
You create an Azure Front Door instance named FD1 that has Azure Web Application Firewall (WAF) enabled. You
configure a WAF policy named Policy1 that has a rule named Rule1. Rule1 applies a rate limit of 100 requests for traffic that
originates from the office in Montreal.
You need to apply a rate limit of 100 requests for traffic that originates from each office.
What should you do?
- A. Modify the rate limit threshold of Rule1.
- B. Create two additional associations.
- C. Modify the conditions of Rule1.
- D. Modify the rule type of Rule1.
Answer:
C
Question 12 Topic 4, Mixed Questions
You have an Azure virtual network that contains a subnet named Subnet1. Subnet1 is associated to a network security
group (NSG) named NSG1. NSG1 blocks all outbound traffic that is not allowed explicitly.
Subnet1 contains virtual machines that must communicate with the Azure Cosmos DB service.
You need to create an outbound security rule in NSG1 to enable the virtual machines to connect to Azure Cosmos DB.
What should you include in the solution?
- A. a service tag
- B. a service endpoint policy
- C. a subnet delegation
- D. an application security group
Answer:
A
Explanation:
Reference: https://docs.microsoft.com/en-us/azure/virtual-network/service-tags-overview https://docs.microsoft.com/en-
us/azure/virtual-network/virtual-network-service-endpoint-policies-portal
Question 13 Topic 4, Mixed Questions
HOTSPOT
You have an Azure application gateway named AppGW1 that provides access to the following hosts:
www.adatum.com www.contoso.com www.fabrikam.com
AppGW1 has the listeners shown in the following table.
You create Azure Web Application Firewall (WAF) policies for AppGW1 as shown in the following table.
For each of the following statements, select Yes of the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Answer:
Explanation:
Reference: https://docs.microsoft.com/en-us/azure/web-application-firewall/ag/per-site-policies
Question 14 Topic 4, Mixed Questions
You have an Azure subscription that contains the following resources:
A virtual network named Vnet1
Two subnets named subnet1 and AzureFirewallSubnet A public Azure Firewall named FW1
A route table named RT1 that is associated to Subnet1 A rule routing of 0.0.0.0/0 to FW1 in RT1
After deploying 10 servers that run Windows Server to Subnet1, you discover that none of the virtual machines were
activated.
You need to ensure that the virtual machines can be activated.
What should you do?
- A. On FW1, create an outbound service tag rule for AzureCloud.
- B. On FW1, create an outbound network rule that allows traffic to the Azure Key Management Service (KMS).
- C. Deploy a NAT gateway.
- D. To Subnet1, associate a network security group (NSG) that allows outbound access to port 1688.
Answer:
B
Explanation:
Reference: https://ryanmangansitblog.com/2020/05/11/firewall-considerations-windows-virtual-desktop-wvd/
Question 15 Topic 4, Mixed Questions
You have a hybrid environment that uses ExpressRoute to connect an on-premises network and Azure.
You need to log the uptime and the latency of the connection periodically by using an Azure virtual machine and an on-
premises virtual machine.
What should you use?
- A. Azure Monitor
- B. IP flow verify
- C. Connection Monitor
- D. Azure Internet Analyzer
Answer:
C
Explanation:
Reference: https://docs.microsoft.com/en-us/azure/network-watcher/connection-monitor