microsoft az-700 practice test
Designing and Implementing Microsoft Azure Networking Solutions
Note: Test Case questions are at the end of the exam
Last exam update: Jul 20 ,2024
Question 1 Topic 4, Mixed Questions
Your company has offices in Montreal, Seattle, and Paris. The outbound traffic from each office originates from a specific
public IP address.
You create an Azure Front Door instance named FD1 that has Azure Web Application Firewall (WAF) enabled. You
configure a WAF policy named Policy1 that has a rule named Rule1. Rule1 applies a rate limit of 100 requests for traffic that
originates from the office in Montreal.
You need to apply a rate limit of 100 requests for traffic that originates from each office.
What should you do?
- A. Modify the rate limit threshold of Rule1.
- B. Create two additional associations.
- C. Modify the conditions of Rule1.
- D. Modify the rule type of Rule1.
Answer:
C
Question 2 Topic 4, Mixed Questions
You have an Azure virtual network that contains a subnet named Subnet1. Subnet1 is associated to a network security
group (NSG) named NSG1. NSG1 blocks all outbound traffic that is not allowed explicitly.
Subnet1 contains virtual machines that must communicate with the Azure Cosmos DB service.
You need to create an outbound security rule in NSG1 to enable the virtual machines to connect to Azure Cosmos DB.
What should you include in the solution?
- A. a service tag
- B. a service endpoint policy
- C. a subnet delegation
- D. an application security group
Answer:
A
Explanation:
Reference: https://docs.microsoft.com/en-us/azure/virtual-network/service-tags-overview https://docs.microsoft.com/en-
us/azure/virtual-network/virtual-network-service-endpoint-policies-portal
Question 3 Topic 4, Mixed Questions
HOTSPOT
You have an Azure application gateway named AppGW1 that provides access to the following hosts:
www.adatum.com www.contoso.com www.fabrikam.com
AppGW1 has the listeners shown in the following table.
You create Azure Web Application Firewall (WAF) policies for AppGW1 as shown in the following table.
For each of the following statements, select Yes of the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Answer:
Explanation:
Reference: https://docs.microsoft.com/en-us/azure/web-application-firewall/ag/per-site-policies
Question 4 Topic 4, Mixed Questions
You have an Azure subscription that contains the following resources:
A virtual network named Vnet1
Two subnets named subnet1 and AzureFirewallSubnet A public Azure Firewall named FW1
A route table named RT1 that is associated to Subnet1 A rule routing of 0.0.0.0/0 to FW1 in RT1
After deploying 10 servers that run Windows Server to Subnet1, you discover that none of the virtual machines were
activated.
You need to ensure that the virtual machines can be activated.
What should you do?
- A. On FW1, create an outbound service tag rule for AzureCloud.
- B. On FW1, create an outbound network rule that allows traffic to the Azure Key Management Service (KMS).
- C. Deploy a NAT gateway.
- D. To Subnet1, associate a network security group (NSG) that allows outbound access to port 1688.
Answer:
B
Explanation:
Reference: https://ryanmangansitblog.com/2020/05/11/firewall-considerations-windows-virtual-desktop-wvd/
Question 5 Topic 4, Mixed Questions
You have a hybrid environment that uses ExpressRoute to connect an on-premises network and Azure.
You need to log the uptime and the latency of the connection periodically by using an Azure virtual machine and an on-
premises virtual machine.
What should you use?
- A. Azure Monitor
- B. IP flow verify
- C. Connection Monitor
- D. Azure Internet Analyzer
Answer:
C
Explanation:
Reference: https://docs.microsoft.com/en-us/azure/network-watcher/connection-monitor
Question 6 Topic 4, Mixed Questions
HOTSPOT
You have an Azure firewall shown in the following exhibit.
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in
the graphic.
NOTE: Each correct selection is worth one point.
Hot Area:
Answer:
Explanation:
Box 1:
If forced tunneling was enabled, the Firewall Subnet would be named AzureFirewallManagementSubnet. Forced tunneling
can only be enabled during the creation of the firewall. It cannot be enabled after the firewall has been deployed.
Box 2:
The Visit Azure Firewall Manager to configure and manage this firewall link in the exhibit shows that the firewall is managed
by Azure Firewall Manager.
Question 7 Topic 4, Mixed Questions
HOTSPOT
You have an Azure subscription that contains the virtual machines shown in the following table.
Subnet1 and Subnet2 are associated to a network security group (NSG) named NSG1 that has the following outbound rule:
Priority: 100
Port: Any
Protocol: Any
Source: Any
Destination: Storage Action: Deny
You create a private endpoint that has the following settings:
Name: Private1
Resource type: Microsoft.Storage/storageAccounts
Resource: storage1
Target sub-resource: blob
Virtual network: Vnet1 Subnet: Subnet1
For each of the following statements, select Yes of the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Answer:
Explanation:
Reference: https://docs.microsoft.com/en-us/azure/private-link/disable-private-endpoint-network-policy
Question 8 Topic 4, Mixed Questions
You have an Azure subscription that contains multiple virtual machines in the West US Azure region.
You need to use Traffic Analytics.
Which two resources should you create? Each correct answer presents part of the solution. (Choose two.) NOTE: Each
correct answer selection is worth one point.
- A. an Azure Monitor workbook
- B. a Log Analytics workspace
- C. a storage account
- D. an Azure Sentinel workspace
- E. an Azure Monitor data collection rule
Answer:
B C
Explanation:
Reference: https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics
Question 9 Topic 4, Mixed Questions
You have an Azure Web Application Firewall (WAF) policy in prevention mode that is associated to an Azure Front Door
instance.
You need to configure the policy to meet the following requirements:
Log all connections from Australia.
Deny all connections from New Zealand.
Deny all further connections from a network of 131.107.100.0/24 if there are more than 100 connections during one
minute.
What is the minimum number of objects you should create?
- A. three custom rules that each has one condition
- B. one custom rule that has three conditions
- C. one custom rule that has one condition
- D. one rule that has two conditions and another rule that has one condition
Answer:
A
Explanation:
Reference: https://docs.microsoft.com/en-us/azure/web-application-firewall/afds/afds-overview
Question 10 Topic 4, Mixed Questions
You have an Azure virtual network that contains the subnets shown in the following table.
You deploy an Azure firewall to AzureFirewallSubnet. You route all traffic from Subnet2 through the firewall.
You need to ensure that all the hosts on Subnet2 can access an external site located at https://*.contoso.com.
What should you do?
- A. In a firewall policy, create a DNAT rule.
- B. Create a network security group (NSG) and associate the NSG to Subnet2.
- C. In a firewall policy, create a network rule.
- D. In a firewall policy, create an application rule.
Answer:
D
Explanation:
Reference:
https://docs.microsoft.com/en-us/azure/firewall/tutorial-firewall-deploy-portal
Question 11 Topic 4, Mixed Questions
HOTSPOT
You need to restrict traffic from VMScaleSet1 to VMScaleSet2. The solution must meet the virtual networking requirements.
What is the minimum number of custom NSG rules and NSG assignments required? To answer, select the appropriate
options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Answer:
Explanation:
Box 2: One NSG
The minimum requirement is one NSG. You could attach the NSG to VMScaleSet1 and restrict outbound traffic, or you could
attach the NSG to VMScaleSet2 and restrict inbound traffic. Either way you would need two custom NSG rules.
Box 1: Two custom rules
With the NSG attached to VMScaleSet2, you would need to create a custom rule blocking all traffic from VMScaleSet1. Then
you would need to create another custom rule with a higher priority than the first rule that allows traffic on port 443.
The default rules in the NSG will allow all other traffic to VMScaleSet2.
Question 12 Topic 4, Mixed Questions
HOTSPOT
You create NSG10 and NSG11 to meet the network security requirements.
For each of the following statements, select Yes of the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Answer:
Explanation:
Box 1: No
NSG10 which is attached to VM1s subnet blocks RDP (port TCP 3389) to Any which means the port is blocked to all
destinations.
Box 2: Yes
NSG10 blocks ICMP from VNet4 (source 10.10.0.0/16) but it is not blocked from VM2s subnet (VNet1/Subnet2).
Box 3: No
NSG11 blocks RDP (port TCP 3389) destined for VirtualNetwork. VirtualNetwork is a service tag and means the address
space of the virtual network (VNet1) which in this case is 10.1.0.0/16. Therefore, RDP traffic from subnet2 to anywhere else
in VNet1 is blocked.
Question 13 Topic 4, Mixed Questions
You have the Azure load balancer shown in the Load Balancer exhibit.
LB2 has the backend pools shown in the Backend Pools exhibit.
You need to ensure that LB2 distributes traffic to all the members of VMSS1.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
- A. Add a network interface to VMSS1.
- B. Add a load balancing rule.
- C. Configure a health probe.
- D. Add a public IP address to each member of VMSS1.
Answer:
B C
Explanation:
Reference:
https://docs.microsoft.com/en-us/azure/load-balancer/quickstart-load-balancer-standard-public-portal?tabs=option-1-create-
load-balancer-standard
Question 14 Topic 4, Mixed Questions
You have a website that uses an FQDN of www.contoso.com. The DNS record for www. contoso.com resolves to an on-
premises web server.
You plan to migrate the website to an Azure web app named Web1. The website on Web1 will be published by using an
Azure Front Door instance named ContosoFD1.
You build the website on Web1.
You plan to configure ContosoFD1 to publish the website for testing.
When you attempt to configure a custom domain for www.contoso.com on ContosoFD1, you receive the error message
shown in the exhibit. (Click the Exhibit tab.) You need to test the website and ContosoFD1 without affecting user access to
the on-premises web server.
Which record should you create in the contoso.com DNS domain?
- A. a CNAME record that maps afdverify.www.contoso.com to ContosoFD1.azurefd.net
- B. a CNAME record that maps www.contoso.com to ContosoFD1.azurefd.net
- C. a CNAME record that maps afdverify.www.contoso.com to afdverify.ContosoFD1.azurefd.net
- D. a CNAME record that maps www.contoso.com to Web1.contoso.com
Answer:
C
Explanation:
Reference: https://docs.microsoft.com/en-us/azure/frontdoor/front-door-custom-domain#map-the-temporary-afdverify-
subdomain
Question 15 Topic 4, Mixed Questions
DRAG DROP
You have an Azure Front Door instance named FrontDoor1.
You deploy two instances of an Azure web app to different Azure regions.
You plan to provide access to the web app through FrontDoor1 by using the name app1.contoso.com.
You need to ensure that FrontDoor1 is the entry point for requests that use app1.contoso.com.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the
answer area and arrange them in the correct order.
Select and Place:
Answer:
Explanation:
Reference:
https://docs.microsoft.com/en-us/azure/frontdoor/front-door-custom-domain#associate-the-custom-domain-with-your-front-
door https://docs.microsoft.com/en-us/azure/frontdoor/quickstart-create-front-door