Microsoft AZ-700 Free Practice Exam & Test Training
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must
manage your time to ensure that you are able to complete all questions included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about
the scenario that is described in the case study. Each question is independent of the other questions in this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot
return to this section.
To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays
information such as business requirements, existing environment, and problem statements. When you are ready to answer a question, click the Question button to return to the question.
Overview -
Litware, Inc. is a financial company that has a main datacenter in Boston and 20 branch offices across the United States. Users have Android, iOS, and Windows
10 devices.
Existing Environment -
Hybrid Environment -
The on-premises network contains an Active Directory forest named litwareinc.com that syncs to an Azure Active Directory (Azure AD) tenant named litwareinc.com by using Azure AD Connect.
All offices connect to a virtual network named Vnet1 by using a Site-to-Site VPN connection.
Azure Environment -
Litware has an Azure subscription named Sub1 that is linked to the litwareinc.com Azure AD tenant. Sub1 contains resources in the East US Azure region as shown in the following table.
A diagram of the resource in the East US Azure region is shown in the Azure Network Diagram exhibit.
There is bidirectional peering between Vnet1 and Vnet2. There is bidirectional peering between Vnet1 and Vnet3. Currently, Vnet2 and Vnet3 cannot
communicate directly.
https://www.itexams.com/exam/AZ-700?viewall=1 1/115
27/09/22, 10:08 Microsoft AZ-700 Free Practice Exam & Test Training - ITExams.com
Requirements -
Business Requirements -
Litware wants to minimize costs whenever possible, as long as all other requirements are met.
Direct the default route of 0.0.0.0/0 on Vnet2 and Vnet3 to the Boston datacenter over an ExpressRoute circuit.
Ensure that the records in the cloud.litwareinc.com can be resolved from the on-premises locations.
Automatically register the DNS names of Azure virtual machines to the cloud.litwareinc.com zone.
Allow traffic from VMScaleSet1 to VMScaleSet2 on the TCP port 443 only.
Users must be able to connect to Vnet1 by using a Point-to-Site (P2S) VPN when working remotely. Connections must be authenticated by Azure AD.
Latency of the traffic between the Boston datacenter and all the virtual networks must be minimized.
The Boston datacenter must connect to the Azure virtual networks by using an ExpressRoute FastPath connection.
Litware identifies the following networking requirements for platform as a service (PaaS):
The storage1 account must be accessible from all on-premises locations without exposing the public endpoint of storage1.
The storage2 account must be accessible from Vnet2 and Vnet3 without exposing the public endpoint of storage2.
HOTSPOT -
You need to recommend a configuration for the ExpressRoute connection from the Boston datacenter. The solution must meet the hybrid networking
requirements and business requirements.
What should you recommend? To answer, select the appropriate options in the answer area.
Hot Area:
Answer :
Question 2 (Testlet 2)
Case Study -
Overview -
Contoso, Ltd. is a consulting company that has a main office in San Francisco and a branch office in Dallas.
Contoso recently purchased an Azure subscription and is performing its first pilot project in Azure.
Existing Environment -
Contoso has an Azure Active Directory (Azure AD) tenant named contoso.com.
The Azure subscription contains the virtual networks shown in the following table.
The Azure subscription contains virtual machines that run Windows Server 2019 as shown in the following table.
The NSGs are associated to the network interfaces on the virtual machines. Each NSG has one custom security rule that allows RDP connections from the
internet. The firewall on each virtual machine allows ICMP traffic.
An application security group named ASG1 is associated to the network interface of VM1.
The Azure subscription contains the Azure private DNS zones shown in the following table.
Zone1.contoso.com has the virtual network links shown in the following table.
The Azure subscription contains additional resources as shown in the following table.
Requirements -
Create a virtual network named Vnet6 in West US that will contain the following resources and configurations:
- Allow the resources in Vnet6 to access KeyVault1, DB1, and Vnet1 over the Microsoft backbone network.
The virtual machines in Vnet4 and Vnet5 must be able to communicate over the Microsoft backbone network.
A virtual machine named VM-Analyze will be deployed to Subnet1. VM-Analyze must inspect the outbound network traffic from Subnet2 to the internet.
Configure Azure Active Directory (Azure AD) authentication for Point-to-Site (P2S) VPN users.
Create an NSG named NSG10 that will be associated to Vnet1/Subnet1 and will have the custom inbound security rules shown in the following table.
Create an NSG named NSG11 that will be associated to Vnet1/Subnet2 and will have the custom outbound security rules shown in the following table.
You need to configure GW1 to meet the network security requirements for the P2S VPN users.
Which Tunnel type should you select in the Point-to-site configuration settings of GW1?
Answer :
D
Reference:
https://docs.microsoft.com/en-us/azure/vpn-gateway/openvpn-azure-ad-tenant
Question 3 (Question Set 1)
Your company has a single on-premises datacenter in Washington DC. The East US Azure region has a peering location in Washington DC.
You need to implement ExpressRoute to support up to 1 Gbps. You must use only ExpressRoute Unlimited data plans. The solution must minimize costs.
A. ExpressRoute Local
B. ExpressRoute Direct
C. ExpressRoute Premium
D. ExpressRoute Standard
Answer :
A
Reference:
https://azure.microsoft.com/en-us/pricing/details/expressroute/
Question 4 (Question Set 1)
You are planning an Azure Point-to-Site (P2S) VPN that will use OpenVPN.
Which additional service should you deploy to support the VPN authentication?
Answer :
B
Reference:
https://docs.microsoft.com/en-us/azure/vpn-gateway/point-to-site-about
Question 5 (Question Set 1)
You plan to configure BGP for a Site-to-Site VPN connection between a datacenter and Azure.
Which two Azure resources should you configure? Each correct answer presents a part of the solution. (Choose two.)
Answer :
AD
Reference:
https://docs.microsoft.com/en-us/azure/vpn-gateway/bgp-howto
Question 6 (Question Set 1)
You fail to establish a Site-to-Site VPN connection between your company's main office and an Azure virtual network.
You need to troubleshoot what prevents you from establishing the IPsec tunnel.
A. IKEDiagnosticLog
B. RouteDiagnosticLog
C. GatewayDiagnosticLog
D. TunnelDiagnosticLog
Answer :
A
Reference:
https://docs.microsoft.com/en-us/azure/vpn-gateway/troubleshoot-vpn-with-azure-diagnostics
Question 7 (Question Set 1)
You have an Azure virtual network and an on-premises datacenter.
You are planning a Site-to-Site VPN connection between the datacenter and the virtual network.
Which two resources should you include in your plan? Each correct answer presents part of the solution.
A. a user-defined route
B. a virtual network gateway
C. Azure Firewall
D. Azure Web Application Firewall (WAF)
E. an on-premises data gateway
F. an Azure application gateway
G. a local network gateway
Answer :
BG
Reference:
https://docs.microsoft.com/en-us/azure/vpn-gateway/tutorial-site-to-site-portal
Question 8 (Question Set 1)
HOTSPOT -
You need to connect an on-premises network and an Azure environment. The solution must use ExpressRoute and support failing over to a Site-to-Site VPN connection if there is an ExpressRoute failure.
What should you configure? To answer, select the appropriate options in the answer area.
Hot Area:
Answer :
Reference:
https://docs.microsoft.com/en-us/azure/expressroute/expressroute-howto-coexist-resource-manager
Question 9 (Question Set 1)
Your company has an on-premises network and three Azure subscriptions named Subscription1, Subscription2, and Subscription3.
The departments at the company use the Azure subscriptions as shown in the following table.
All the resources in the subscriptions are in either the West US Azure region or the West US 2 Azure region.
You plan to connect all the subscriptions to the on-premises network by using ExpressRoute.
A. 1
B. 2
C. 3
D. 4
E. 5
Answer :
A
Reference:
https://docs.microsoft.com/en-us/azure/expressroute/expressroute-introduction
Question 10 (Question Set 1)
Your company has offices in New York and Amsterdam. The company has an Azure subscription. Both offices connect to Azure by using a Site-to-Site VPN connection.
The office in Amsterdam uses resources in the North Europe Azure region. The office in New York uses resources in the East US Azure region.
You need to implement ExpressRoute circuits to connect each office to the nearest Azure region. Once the ExpressRoute circuits are connected, the on-premises computers in the Amsterdam office must be able to
connect to the on-premises servers in the New York office by using the ExpressRoute circuits.
Which ExpressRoute option should you use?
A. ExpressRoute FastPath
B. ExpressRoute Global Reach
C. ExpressRoute Direct
D. ExpressRoute Local
Answer :
B
Reference:
https://docs.microsoft.com/en-us/azure/expressroute/expressroute-global-reach
Question 11 (Question Set 1)
HOTSPOT -
You have an Azure subscription that contains a single virtual network and a virtual network gateway.
You need to ensure that administrators can use Point-to-Site (P2S) VPN connections to access resources in the virtual network. The connections must be authenticated by Azure Active Directory (Azure AD).
What should you configure? To answer, select the appropriate options in the answer area.
Hot Area:
Answer :
Explanation:
1. Locate the Directory ID of the directory that you want to use for authentication. It's listed in the properties section of the Active Directory page.
2. Under your Azure AD, in Enterprise applications, you see Azure VPN listed.
3. Sign in to the Azure portal as a user that is assigned the Global administrator role.
4. Next, give admin consent. Copy and paste the URL that pertains to your deployment location in the address bar of your browser.
7. Under your Azure AD, in Enterprise applications, you see Azure VPN listed.
Question 12 (Question Set 1)
HOTSPOT -
You have the hybrid network shown in the Network Diagram exhibit.
When you connect to your VNet using Point-to-Site, you have a choice of which protocol to use. The protocol you use determines the authentication options
that are available to you. If you want to use Azure Active Directory authentication, you can do so when using the OpenVPN protocol.
Reference:
https://docs.microsoft.com/en-us/azure/vpn-gateway/openvpn-azure-ad-tenant
You have a peering connection between Vnet1 and Vnet2 as shown in the Peering-Vnet1-Vnet2 exhibit.
You have a peering connection between Vnet1 and Vnet3 as shown in the Peering-Vnet1-Vnet3 exhibit.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Hot Area:
Answer :
Explanation:
Box 1: Yes -
Virtual network peering seamlessly connects two Azure virtual networks, merging the two virtual networks into one for connectivity purposes.
Box 2: No -
No Virtual Gateway is used.
Gateway transit is a peering property that lets one virtual network use the VPN gateway in the peered virtual network for cross-premises or VNet-to-VNet connectivity. The following diagram shows how gateway
transit works with virtual network peering.
In the diagram, gateway transit allows the peered virtual networks to use the Azure VPN gateway in Hub-RM. Connectivity available on the VPN gateway,
including S2S, P2S, and VNet-to-VNet connections, applies to all three virtual networks.
Box 3: No -
Reference:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-peering-gateway-transit
Question 13 (Question Set 1)
HOTSPOT -
You have virtual network peering between Vnet1 and Vnet2. You have virtual network peering between Vnet4 and Vnet5. The virtual network peering is
configured as shown in the following table.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Hot Area:
Answer :
Explanation:
Box 1: Yes -
Virtual network peering seamlessly connects two Azure virtual networks, merging the two virtual networks into one for connectivity purposes. Gateway transit is a peering property that lets one virtual network use the
VPN gateway in the peered virtual network for cross-premises or VNet-to-VNet connectivity.
The following diagram shows how gateway transit works with virtual network peering.
In the diagram, gateway transit allows the peered virtual networks to use the Azure VPN gateway in Hub-RM. Connectivity available on the VPN gateway,
including S2S, P2S, and VNet-to-VNet connections, applies to all three virtual networks.
In hub-and-spoke network architecture, gateway transit allows spoke virtual networks to share the VPN gateway in the hub, instead of deploying VPN gateways
in every spoke virtual network.
Box 2: Yes -
Box 3: No -
VM2 can reach VM4 through GW1, but not VM5, as Vnet1 does not use remote gateways.
Reference:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-peering-gateway-transit
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-troubleshoot-peering-issues
Question 14 (Question Set 1)
HOTSPOT -
You have an Azure subscription that contains the ExpressRoute circuits shown in the following table.
You need to ensure that all the data sent between the datacenters is routed via the ExpressRoute circuits. The solution must minimize costs.
How should you configure the network? To answer, select the appropriate options in the answer area.
Hot Area:
Answer :
Explanation:
ExpressRoute Global Reach is the service where, if you have two datacenters that are located at different geo-locations and both are connected to Microsoft Azure via ExpressRoute, the two datacenters can also connect to each other securely via Microsoft's backbone.
Incorrect:
FastPath is designed to improve the data path performance between your on-premises network and your virtual network. When enabled, FastPath sends network traffic directly to virtual machines in the virtual
network, bypassing the gateway.
Box 2: Private -
With ExpressRoute Global Reach, you can link ExpressRoute circuits together to make a private network between your on-premises networks.
Reference:
https://docs.microsoft.com/en-us/azure/expressroute/expressroute-global-reach
Question 15 (Question Set 1)
You have an Azure virtual network named Vnet1 and an on-premises network. The on-premises network has policy-based VPN devices.
In Vnet1, you deploy a virtual network gateway named GW1 that uses a SKU of VpnGw1 and is route-based.
You have a Site-to-Site VPN connection for GW1 as shown in the following exhibit.
You need to ensure that the on-premises network can connect to the route-based GW1.
Answer :
B
Explanation:
BGP is the standard routing protocol commonly used in the Internet to exchange routing and reachability information between two or more networks. BGP enables the Azure VPN Gateways and your on-premises
VPN devices, called BGP peers or neighbors, to exchange "routes" that will inform both gateways on the availability and reachability for those prefixes to go through the gateways or routers involved. BGP can also
enable transit routing among multiple networks by propagating routes a BGP gateway learns from one BGP peer to all other BGP peers.
Incorrect:
Not C: A VPN gateway must have a Public IP address. Verify that you have an externally facing public IPv4 address for your VPN device.
Reference:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-bgp-resource-manager-ps
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-cli
Question 16 (Testlet 3)
Case Study -
Overview -
Litware, Inc. is a financial company that has a main datacenter in Boston and 20 branch offices across the United States. Users have Android, iOS, and Windows
10 devices.
Existing Environment -
Hybrid Environment -
The on-premises network contains an Active Directory forest named litwareinc.com that syncs to an Azure Active Directory (Azure AD) tenant named litwareinc.com by using Azure AD Connect.
All offices connect to a virtual network named Vnet1 by using a Site-to-Site VPN connection.
Azure Environment -
Litware has an Azure subscription named Sub1 that is linked to the litwareinc.com Azure AD tenant. Sub1 contains resources in the East US Azure region as shown in the following table.
A diagram of the resource in the East US Azure region is shown in the Azure Network Diagram exhibit.
There is bidirectional peering between Vnet1 and Vnet2. There is bidirectional peering between Vnet1 and Vnet3. Currently, Vnet2 and Vnet3 cannot
communicate directly.
Requirements -
Business Requirements -
Litware wants to minimize costs whenever possible, as long as all other requirements are met.
Direct the default route of 0.0.0.0/0 on Vnet2 and Vnet3 to the Boston datacenter over an ExpressRoute circuit.
Ensure that the records in the cloud.litwareinc.com can be resolved from the on-premises locations.
Automatically register the DNS names of Azure virtual machines to the cloud.litwareinc.com zone.
Allow traffic from VMScaleSet1 to VMScaleSet2 on the TCP port 443 only.
Users must be able to connect to Vnet1 by using a Point-to-Site (P2S) VPN when working remotely. Connections must be authenticated by Azure AD.
Latency of the traffic between the Boston datacenter and all the virtual networks must be minimized.
The Boston datacenter must connect to the Azure virtual networks by using an ExpressRoute FastPath connection.
Litware identifies the following networking requirements for platform as a service (PaaS):
The storage1 account must be accessible from all on-premises locations without exposing the public endpoint of storage1.
The storage2 account must be accessible from Vnet2 and Vnet3 without exposing the public endpoint of storage2.
DRAG DROP -
You need to prepare Vnet1 for the deployment of an ExpressRoute gateway. The solution must meet the hybrid connectivity requirements and the business
requirements.
Which three actions should you perform in sequence for Vnet1? To answer, move the appropriate actions from the list of actions to the answer.
Answer :
Explanation:
Users must be able to connect to Vnet1 by using a Point-to-Site (P2S) VPN when working remotely. Connections must be authenticated by Azure AD.
Litware wants to minimize costs whenever possible, as long as all other requirements are met.
Note -
The Basic gateway SKU does not support IKEv2 or RADIUS authentication. If you plan on having Mac clients connect to your virtual network, do not use the Basic SKU.
When you create the gateway subnet, you specify the number of IP addresses that the subnet contains. The number of IP addresses needed depends on the
VPN gateway configuration that you want to create. Some configurations require more IP addresses than others. We [Microsoft] recommend that you create a
gateway subnet that uses a /27 or /28.
It's best to specify /27 or larger (/26,/25 etc.). This allows enough IP addresses for future changes, such as adding an ExpressRoute gateway.
Reference:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-resource-manager-portal
Question 17 (Testlet 3)
Case Study -
Overview -
Litware, Inc. is a financial company that has a main datacenter in Boston and 20 branch offices across the United States. Users have Android, iOS, and Windows
10 devices.
Existing Environment -
Hybrid Environment -
The on-premises network contains an Active Directory forest named litwareinc.com that syncs to an Azure Active Directory (Azure AD) tenant named litwareinc.com by using Azure AD Connect.
All offices connect to a virtual network named Vnet1 by using a Site-to-Site VPN connection.
Azure Environment -
Litware has an Azure subscription named Sub1 that is linked to the litwareinc.com Azure AD tenant. Sub1 contains resources in the East US Azure region as shown in the following table.
A diagram of the resource in the East US Azure region is shown in the Azure Network Diagram exhibit.
There is bidirectional peering between Vnet1 and Vnet2. There is bidirectional peering between Vnet1 and Vnet3. Currently, Vnet2 and Vnet3 cannot
communicate directly.
Requirements -
Business Requirements -
Litware wants to minimize costs whenever possible, as long as all other requirements are met.
Direct the default route of 0.0.0.0/0 on Vnet2 and Vnet3 to the Boston datacenter over an ExpressRoute circuit.
Ensure that the records in the cloud.litwareinc.com can be resolved from the on-premises locations.
Automatically register the DNS names of Azure virtual machines to the cloud.litwareinc.com zone.
Allow traffic from VMScaleSet1 to VMScaleSet2 on the TCP port 443 only.
Users must be able to connect to Vnet1 by using a Point-to-Site (P2S) VPN when working remotely. Connections must be authenticated by Azure AD.
Latency of the traffic between the Boston datacenter and all the virtual networks must be minimized.
The Boston datacenter must connect to the Azure virtual networks by using an ExpressRoute FastPath connection.
Litware identifies the following networking requirements for platform as a service (PaaS):
The storage1 account must be accessible from all on-premises locations without exposing the public endpoint of storage1.
The storage2 account must be accessible from Vnet2 and Vnet3 without exposing the public endpoint of storage2.
You need to connect Vnet2 and Vnet3. The solution must meet the virtual networking requirements and the business requirements.
Which two actions should you include in the solution? Each correct answer presents part of the solution.
A. On the peering from Vnet1, select Allow gateway transit.
B. On the peerings from Vnet2 and Vnet3, select Use remote gateways.
C. On the peerings from Vnet2 and Vnet3, select Allow gateway transit.
D. On the peering from Vnet1, select Use remote gateways.
E. On the peering from Vnet1, select Allow forwarded traffic.
Answer :
AB
Explanation:
Virtual network peering seamlessly connects two Azure virtual networks, merging the two virtual networks into one for connectivity purposes. Gateway transit is a peering property that lets one virtual network use the
VPN gateway in the peered virtual network for cross-premises or VNet-to-VNet connectivity. The following diagram shows how gateway transit works with virtual network peering.
In the diagram, gateway transit allows the peered virtual networks to use the Azure VPN gateway in Hub-RM. Connectivity available on the VPN gateway,
including S2S, P2S, and VNet-to-VNet connections,
Reference:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-peering-gateway-transit
Question 18 (Testlet 3)
Case Study -
Overview -
Litware, Inc. is a financial company that has a main datacenter in Boston and 20 branch offices across the United States. Users have Android, iOS, and Windows
10 devices.
Existing Environment -
Hybrid Environment -
The on-premises network contains an Active Directory forest named litwareinc.com that syncs to an Azure Active Directory (Azure AD) tenant named litwareinc.com by using Azure AD Connect.
All offices connect to a virtual network named Vnet1 by using a Site-to-Site VPN connection.
Azure Environment -
Litware has an Azure subscription named Sub1 that is linked to the litwareinc.com Azure AD tenant. Sub1 contains resources in the East US Azure region as shown in the following table.
A diagram of the resource in the East US Azure region is shown in the Azure Network Diagram exhibit.
There is bidirectional peering between Vnet1 and Vnet2. There is bidirectional peering between Vnet1 and Vnet3. Currently, Vnet2 and Vnet3 cannot
communicate directly.
Requirements -
Business Requirements -
Litware wants to minimize costs whenever possible, as long as all other requirements are met.
Direct the default route of 0.0.0.0/0 on Vnet2 and Vnet3 to the Boston datacenter over an ExpressRoute circuit.
Ensure that the records in the cloud.litwareinc.com can be resolved from the on-premises locations.
Automatically register the DNS names of Azure virtual machines to the cloud.litwareinc.com zone.
Allow traffic from VMScaleSet1 to VMScaleSet2 on the TCP port 443 only.
Users must be able to connect to Vnet1 by using a Point-to-Site (P2S) VPN when working remotely. Connections must be authenticated by Azure AD.
Latency of the traffic between the Boston datacenter and all the virtual networks must be minimized.
The Boston datacenter must connect to the Azure virtual networks by using an ExpressRoute FastPath connection.
Litware identifies the following networking requirements for platform as a service (PaaS):
The storage1 account must be accessible from all on-premises locations without exposing the public endpoint of storage1.
The storage2 account must be accessible from Vnet2 and Vnet3 without exposing the public endpoint of storage2.
HOTSPOT -
You need to implement a P2S VPN for the users in the branch office. The solution must meet the hybrid networking requirements.
What should you do? To answer, select the appropriate options in the answer area.
Hot Area:
Answer :
Reference:
https://docs.microsoft.com/en-us/azure/vpn-gateway/openvpn-azure-ad-tenant
Question 19 (Testlet 4)
Case Study -
Overview -
Contoso, Ltd. is a consulting company that has a main office in San Francisco and a branch office in Dallas.
Contoso recently purchased an Azure subscription and is performing its first pilot project in Azure.
Existing Environment -
Contoso has an Azure Active Directory (Azure AD) tenant named contoso.com.
The Azure subscription contains the virtual networks shown in the following table.
The Azure subscription contains virtual machines that run Windows Server 2019 as shown in the following table.
The NSGs are associated to the network interfaces on the virtual machines. Each NSG has one custom security rule that allows RDP connections from the
internet. The firewall on each virtual machine allows ICMP traffic.
An application security group named ASG1 is associated to the network interface of VM1.
The Azure subscription contains the Azure private DNS zones shown in the following table.
Zone1.contoso.com has the virtual network links shown in the following table.
The Azure subscription contains additional resources as shown in the following table.
Requirements -
Create a virtual network named Vnet6 in West US that will contain the following resources and configurations:
- Allow the resources in Vnet6 to access KeyVault1, DB1, and Vnet1 over the Microsoft backbone network.
The virtual machines in Vnet4 and Vnet5 must be able to communicate over the Microsoft backbone network.
A virtual machine named VM-Analyze will be deployed to Subnet1. VM-Analyze must inspect the outbound network traffic from Subnet2 to the internet.
Configure Azure Active Directory (Azure AD) authentication for Point-to-Site (P2S) VPN users.
Create an NSG named NSG10 that will be associated to Vnet1/Subnet1 and will have the custom inbound security rules shown in the following table.
Create an NSG named NSG11 that will be associated to Vnet1/Subnet2 and will have the custom outbound security rules shown in the following table.
HOTSPOT -
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Hot Area:
Answer :
Explanation:
Box 1: No -
Zone2.contoso.com is not linked to any virtual networks. Therefore, no VMs are able to resolve names in the zone.
Box 2: Yes -
VM4 is in VNet3. Zone1.contoso.com has a link to VNet3 and auto-registration is enabled on the link.
Box 3: No -
VNet3 is linked to zone1.contoso.com and auto-registration is enabled on the link. A virtual network can only have one registration zone. You can link zone2.contoso.com to VNet3 but you won't be able to enable auto-registration on the link.
Question 20 (Testlet 4)
Case Study -
Overview -
Contoso, Ltd. is a consulting company that has a main office in San Francisco and a branch office in Dallas.
Contoso recently purchased an Azure subscription and is performing its first pilot project in Azure.
Existing Environment -
Contoso has an Azure Active Directory (Azure AD) tenant named contoso.com.
The Azure subscription contains the virtual networks shown in the following table.
The Azure subscription contains virtual machines that run Windows Server 2019 as shown in the following table.
The NSGs are associated to the network interfaces on the virtual machines. Each NSG has one custom security rule that allows RDP connections from the
internet. The firewall on each virtual machine allows ICMP traffic.
An application security group named ASG1 is associated to the network interface of VM1.
The Azure subscription contains the Azure private DNS zones shown in the following table.
Zone1.contoso.com has the virtual network links shown in the following table.
The Azure subscription contains additional resources as shown in the following table.
Requirements -
Create a virtual network named Vnet6 in West US that will contain the following resources and configurations:
- Allow the resources in Vnet6 to access KeyVault1, DB1, and Vnet1 over the Microsoft backbone network.
The virtual machines in Vnet4 and Vnet5 must be able to communicate over the Microsoft backbone network.
A virtual machine named VM-Analyze will be deployed to Subnet1. VM-Analyze must inspect the outbound network traffic from Subnet2 to the internet.
Configure Azure Active Directory (Azure AD) authentication for Point-to-Site (P2S) VPN users.
Create an NSG named NSG10 that will be associated to Vnet1/Subnet1 and will have the custom inbound security rules shown in the following table.
Create an NSG named NSG11 that will be associated to Vnet1/Subnet2 and will have the custom outbound security rules shown in the following table.
HOTSPOT -
Which virtual machines can VM1 and VM4 ping successfully? To answer, select the appropriate options in the answer area.
Hot Area:
Answer :
Explanation:
Box 1: VM2, VM3 and VM4.
There are no NSGs blocking outbound ICMP from VNet1. There are no NSGs blocking inbound ICMP to VNet1/Subnet2, VNet2 or VNet3. Therefore, VM1 can ping VM2 in VNet1/Subnet2, VM3 in VNet2 and VM4 in VNet3.
Box 2:
VM4 is in VNet3. VNet3 is peered with VNet1 and VNet2. There are no NSGs blocking outbound ICMP from VNet3. There are no NSGs blocking inbound ICMP to VNet1/Subnet1, VNet1/Subnet2 or VNet2 from VNet3 (NSG10 blocks inbound ICMP from VNet4 but not from VNet3). Therefore, VM4 can ping VM1 in VNet1/
Question 21 (Testlet 4)
Case Study -
Overview -
Contoso, Ltd. is a consulting company that has a main office in San Francisco and a branch office in Dallas.
Contoso recently purchased an Azure subscription and is performing its first pilot project in Azure.
Existing Environment -
Contoso has an Azure Active Directory (Azure AD) tenant named contoso.com.
The Azure subscription contains the virtual networks shown in the following table.
The Azure subscription contains virtual machines that run Windows Server 2019 as shown in the following table.
The NSGs are associated to the network interfaces on the virtual machines. Each NSG has one custom security rule that allows RDP connections from the
internet. The firewall on each virtual machine allows ICMP traffic.
An application security group named ASG1 is associated to the network interface of VM1.
The Azure subscription contains the Azure private DNS zones shown in the following table.
Zone1.contoso.com has the virtual network links shown in the following table.
The Azure subscription contains additional resources as shown in the following table.
Requirements -
Create a virtual network named Vnet6 in West US that will contain the following resources and configurations:
- Allow the resources in Vnet6 to access KeyVault1, DB1, and Vnet1 over the Microsoft backbone network.
The virtual machines in Vnet4 and Vnet5 must be able to communicate over the Microsoft backbone network.
A virtual machine named VM-Analyze will be deployed to Subnet1. VM-Analyze must inspect the outbound network traffic from Subnet2 to the internet.
Configure Azure Active Directory (Azure AD) authentication for Point-to-Site (P2S) VPN users.
Create an NSG named NSG10 that will be associated to Vnet1/Subnet1 and will have the custom inbound security rules shown in the following table.
Create an NSG named NSG11 that will be associated to Vnet1/Subnet2 and will have the custom outbound security rules shown in the following table.
What should you implement to meet the virtual network requirements for the virtual machines that connect to Vnet4 and Vnet5?
A. a private endpoint
B. a routing table
C. a service endpoint
D. a private link service
E. a virtual network peering
Answer :
E
Explanation:
There is no virtual network peering between VM4's VNet (VNet3) and VM5's VNet (VNet4). To enable the VMs to communicate over the Microsoft backbone network a VNet peering is required between VNet3 and VNet4.
Question 22 (Question Set 2)
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one
correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have two Azure virtual networks named Vnet1 and Vnet2.
You have a Windows 10 device named Client1 that connects to Vnet1 by using a Point-to-Site (P2S) IKEv2 VPN.
You implement virtual network peering between Vnet1 and Vnet2. Vnet1 allows gateway transit. Vnet2 can use the remote gateway.
A. Yes
B. No
Answer :
B
Explanation:
The VPN client must be downloaded again if any changes are made to VNet peering or the network topology.
Reference:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-point-to-site-routing
Question 23 (Question Set 2)
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one
correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have two Azure virtual networks named Vnet1 and Vnet2.
You have a Windows 10 device named Client1 that connects to Vnet1 by using a Point-to-Site (P2S) IKEv2 VPN.
You implement virtual network peering between Vnet1 and Vnet2. Vnet1 allows gateway transit. Vnet2 can use the remote gateway.
A. Yes
B. No
Answer :
B
Explanation:
The VPN client must be downloaded again if any changes are made to VNet peering or the network topology.
Reference:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-point-to-site-routing
Question 24 (Question Set 2)
HOTSPOT -
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
Hot Area:
Answer :
Question 25 (Question Set 2)
You plan to deploy Azure virtual network.
Which three types of resources require a dedicated subnet? Each correct answer presents a complete solution.
A. Azure Bastion
B. Azure Active Directory Domain Services (Azure AD DS)
C. Azure Private Link
D. Azure Application Gateway v2
E. VPN gateway
Answer :
ADE
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-for-azure-services
Reference:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-peering-gateway-transit?toc=/azure/virtual-network/toc.json
Question 26 (Question Set 2)
HOTSPOT -
You have an Azure private DNS zone named contoso.com that is linked to the virtual networks shown in the following table.
✑ Name: VM1
IP address: 10.1.10.9 -
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Hot Area:
Answer :
Explanation:
Box 1: No -
The manual DNS record will overwrite the auto-registered DNS record so VM1 will resolve to 10.1.10.9.
Box 2: No -
The DNS record for VM1 is now a manually created record rather than an auto-registered record. Only auto-registered DNS records are deleted when a VM is deleted.
Box 3: No -
This answer depends on how the IP address is changed. To change the IP address of a VM manually, you would need to select 'Static' as the IP address assignment. In this case, the DNS record will not be updated because only DHCP assigned IP addresses are auto-registered.
Reference:
https://docs.microsoft.com/en-us/azure/dns/dns-faq-private
Question 27 (Question Set 2)
HOTSPOT -
Your company has an Azure virtual network named Vnet1 that uses an IP address space of 192.168.0.0/20. Vnet1 contains a subnet named Subnet1 that uses an
You create an IPv6 address range to Vnet1 by using a CIDR suffix of /48.
You need to enable the virtual machines on Subnet1 to communicate with each other by using IPv6 addresses assigned by the company. The solution must minimize the number of additional IPv4 addresses.
What should you do? To answer, select the appropriate options in the answer area.
Hot Area:
Answer :
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/ipv6-overview
https://docs.microsoft.com/en-us/azure/virtual-network/ipv6-add-to-existing-vnet-powershell
Question 28 (Question Set 2)
HOTSPOT -
You need to deploy a virtual WAN hub that meets the following requirements:
✑ Supports 10 sites that will connect to the virtual WAN hub by using a Site-to-Site VPN connection
✑ Supports 8 Gbps of ExpressRoute traffic
✑ Minimizes costs
What should you configure? To answer, select the appropriate options in the answer area.
Hot Area:
Answer :
Reference:
https://docs.microsoft.com/en-us/azure/virtual-wan/virtual-wan-about
Question 29 (Question Set 2)
DRAG DROP -
You have an Azure subscription that contains the resources shown in the following table.
The IP Addresses settings for Vnet1 are configured as shown in the exhibit.
You need to ensure that you can integrate WebApp1 and Vnet1.
Which three actions should you perform in sequence before you can integrate WebApp1 and Vnet1? To answer, move the appropriate actions from the list of
actions to the answer area and arrange them in the correct order.
Answer :
Reference:
https://docs.microsoft.com/en-us/azure/app-service/web-sites-integrate-with-vnet#gateway-required-vnet-integration
Question 30 (Question Set 2)
DRAG DROP -
You have Azure virtual networks named Hub1 and Spoke1. Hub1 connects to an on-premises network by using a Site-to-Site VPN connection.
You need to ensure that a virtual machine connected to Spoke1 can connect to the on-premises network through Hub1.
How should you complete the PowerShell script? To answer, drag the appropriate values to the correct targets. Each value may be used once, more than once, or not at all. You may need to drag the split bar between
panes or scroll to view content.
Answer :
Reference:
https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/hub-spoke?tabs=cli#virtual-network-peering
Question 31 (Question Set 2)
DRAG DROP -
You have three on-premises sites. Each site has a third-party VPN device.
You have an Azure virtual WAN named VWAN1 that has a hub named Hub1. Hub1 connects two of the three on-premises sites by using a Site-to-Site VPN connection.
You need to connect the third site to the other two sites by using Hub1.
Which four actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Answer :
Reference:
https://docs.microsoft.com/en-us/azure/virtual-wan/virtual-wan-site-to-site-portal
Question 32 (Question Set 2)
HOTSPOT -
You are planning an Azure solution that will contain the following types of resources in a single Azure region:
✑ Virtual machine
✑ Azure App Service
App Service and SQL Managed Instance will be delegated to create resources in virtual networks.
You need to identify how many virtual networks and subnets are required for the solution. The solution must minimize costs to transfer data between virtual networks.
What should you identify? To answer, select the appropriate options in the answer area.
Hot Area:
Answer :
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-for-azure-services#services-that-can-be-deployed-into-a-virtual-network
Question 33 (Question Set 2)
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one
correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have two Azure virtual networks named Vnet1 and Vnet2.
You have a Windows 10 device named Client1 that connects to Vnet1 by using a Point-to-Site (P2S) IKEv2 VPN.
You implement virtual network peering between Vnet1 and Vnet2. Vnet1 allows gateway transit. Vnet2 can use the remote gateway.
A. Yes
B. No
Answer :
A
Explanation:
The VPN client must be downloaded again if any changes are made to VNet peering or the network topology.
Reference:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-point-to-site-routing
Question 34 (Question Set 2)
You have an Azure virtual network named Vnet1 that hosts an Azure firewall named FW1 and 150 virtual machines. Vnet1 is linked to a private DNS zone named contoso.com. All the virtual machines have their name
registered in the contoso.com zone.
You need to ensure that on-premises DNS servers can resolve the names in the contoso.com zone.
Which two actions should you perform? Each correct answer presents part of the solution.
Answer :
CD
Reference:
https://docs.microsoft.com/en-us/azure/private-link/private-endpoint-dns#on-premises-workloads-using-a-dns-forwarder
https://azure.microsoft.com/en-gb/blog/new-enhanced-dns-features-in-azure-firewall-now-generally-available/
Question 35 (Question Set 2)
You are planning the IP addressing for the subnets in Azure virtual networks.
Answer :
A
Reference:
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-overview
Question 36 (Question Set 2)
HOTSPOT -
You are evaluating Virtual WAN Basic and Virtual WAN Standard.
Which type of Virtual WAN can you use for each site? To answer, select the appropriate options in the answer area.
Hot Area:
Answer :
Reference:
https://docs.microsoft.com/en-us/azure/virtual-wan/virtual-wan-about
Question 37 (Question Set 2)
HOTSPOT -
You have an Azure subscription that contains two virtual networks named Vnet1 and Vnet2.
You register a public DNS zone named fabrikam.com. The zone is configured as shown in the Public DNS Zone exhibit.
You have a private DNS zone named fabrikam.com. The zone is configured as shown in the Private DNS Zone exhibit.
You have a virtual network link configured as shown in the Virtual Network Link exhibit.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Hot Area:
Answer :
Explanation:
Box 1: Yes -
DNS queries from the internet use the public DNS zone. In the public DNS zone, www.fabrikam.com is a CNAME record that resolves to appservice1.fabrikam.com which resolves to 131.107.1.1.
Box 2: No -
DNS queries from the internet use the public DNS zone. There is no DNS record for server1.fabrikam.com in the public DNS zone.
Box 3: No -
The private DNS zone is linked to VNet1, not VNet2. Therefore, resources in VNet2 cannot query the private DNS zone.
Question 38 (Question Set 2)
HOTSPOT -
You have two Azure virtual networks named VNet1 and VNet2 in an Azure region that has three availability zones.
You deploy 12 virtual machines to each virtual network, deploying four virtual machines per zone. The virtual machines in VNet1 host an app named App1. The virtual machines in VNet2 host an app named App2.
You plan to use Azure Virtual Network NAT to implement outbound connectivity for App1 and App2.
You need to identify the minimum number of subnets and Virtual Network NAT instances required to meet the following requirements:
✑ A failure of two zones must NOT affect the availability of either App1 or App2.
✑ A failure of two zones must NOT affect the outbound connectivity of either App1 or App2.
What should you identify? To answer, select the appropriate options in the answer area.
Hot Area:
Answer :
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/nat-gateway/nat-overview
Question 39 (Question Set 2)
HOTSPOT -
You need to ensure that WebApp1 can access the virtual machines deployed to Vnet1\Subnet1 and Vnet2\Subnet1. The solution must minimize costs.
What should you create in each virtual network? To answer, select the appropriate options in the answer area.
Hot Area:
Answer :
Explanation:
Regional virtual network integration: When you connect to virtual networks in the same region, you must have a dedicated subnet in the virtual network you're integrating with.
Box 2: A VPN gateway -
Gateway-required virtual network integration: When you connect directly to virtual networks in other regions or to a classic virtual network in the same region, you need an Azure Virtual Network gateway created in
the target virtual network.
Note: If your app is in an App Service Environment, it's already in a virtual network and doesn't require use of the VNet integration feature to reach resources in the same virtual network.
Reference:
https://docs.microsoft.com/en-us/azure/app-service/overview-vnet-integration
Question 40 (Question Set 2)
HOTSPOT -
You have the Azure App Service app shown in the App Service exhibit.
The VNet Integration settings for as12 are configured as shown in the Vnet Integration exhibit.
The Private Endpoint connections settings for as12 are configured as shown in the Private Endpoint connections exhibit.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Hot Area:
Answer :
Explanation:
Box 1: Yes -
The integration subnet can be used by only one App Service plan.
Box 2: No -
No Private Endpoint connections defined.
When regional virtual network integration is enabled, your app makes outbound calls through your virtual network. The outbound addresses that are listed in the app properties portal are the addresses still used by
your app. However, if your outbound call is to a virtual machine or private endpoint in the integration virtual network or peered virtual network, the outbound address will be an address from the integration subnet.
Box 3: Yes -
Apps in App Service are hosted on worker roles. Regional virtual network integration works by mounting virtual interfaces to the worker roles with addresses in the delegated subnet. Because the from address is in
your virtual network, it can access most things in or through your virtual network like a VM in your virtual network would.
Reference:
https://docs.microsoft.com/en-us/azure/app-service/overview-vnet-integration
Question 41 (Question Set 2)
You have a hub-and-spoke topology. The topology includes multiple on-premises locations that connect to a hub virtual network in Azure via ExpressRoute circuits.
You have an Azure Application Gateway named GW1 that provides a single point of ingress from the internet.
You need to identify which changes must be applied to the existing topology. The solution must ensure that you maintain a single point of ingress from the internet.
Which three changes should you include in the solution? Each correct answer presents part of the solution.
Answer :
CDE
Explanation:
Step 1. (E) Delete the existing peering connections from Spoke virtual networks to the old customer-managed hub. Access to applications in spoke virtual networks is unavailable until steps 1-3 are complete.
Step 2. (D) Connect the spoke virtual networks to the Virtual WAN hub via VNet connections.
Step 3. (C) Remove any user-defined routes (UDR) previously used within spoke virtual networks for spoke-to-spoke communications. This path is now enabled by dynamic routing available within the Virtual WAN
hub.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-wan/migrate-from-hub-spoke-topology
Question 42 (Question Set 2)
You have an application named App1 that listens for incoming requests on a preconfigured group of 50 TCP ports and UDP ports.
You need to implement load balancing for App1 across all the virtual machines. The solution must minimize the number of load balancing rules.
Answer :
A
Explanation:
Azure Application Gateway is limited to 100 active listeners that are routing traffic. Active listeners = total number of listeners - listeners not active.
If a default configuration inside a routing rule is set to route traffic (for example, it has a listener, a backend pool, and HTTP settings) then that also counts as a listener.
Note: Azure Application Gateway is a web traffic load balancer that enables you to manage traffic to your web applications.
Application Gateway can make routing decisions based on additional attributes of an HTTP request, for example URI path or host headers. This type of routing is known as application layer (OSI layer 7) load
balancing.
Incorrect:
Not B: Floating IP. Some application scenarios prefer or require the same port to be used by multiple application instances on a single VM in the backend pool.
Not D: Multiple site hosting enables you to configure more than one web application on the same port of application gateways using public-facing listeners. It allows you to configure a more efficient topology for your
deployments by adding up to 100+ websites to one application gateway. Each website can be directed to its own backend pool.
Reference:
https://github.com/MicrosoftDocs/azure-docs/blob/main/includes/application-gateway-limits.md
Question 43 (Question Set 2)
DRAG DROP -
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Answer :
Explanation:
1. Go to the Azure portal to create a DNS zone. Search for and select DNS zones.
3. On the Create DNS zone page, enter the following values, and then select Create.
Before you can delegate your DNS zone to Azure DNS, you need to know the name servers for your zone. Azure DNS gives name servers from a pool each time
a zone is created.
With the DNS zone created, in the Azure portal Favorites pane, select All resources. On the All resources page, select your DNS zone. If the subscription you've
selected already has several resources in it, you can enter your domain name in the Filter by name box to easily access the application gateway.
Retrieve the name servers from the DNS zone page. In this example, the zone contoso.net has been assigned name servers ns1-01.azure-dns.com, ns2-
Azure DNS automatically creates authoritative NS records in your zone for the assigned name servers.
Once the DNS zone gets created and you have the name servers, you'll need to update the parent domain with the Azure DNS name servers.
Each registrar has its own DNS management tools to change the name server records for a domain.
1. In the registrar's DNS management page, edit the NS records and replace the NS records with the Azure DNS name servers.
2. When you delegate a domain to Azure DNS, you must use the name servers that Azure DNS provides. Use all four name servers, regardless of the name of
your domain. Domain delegation doesn't require a name server to use the same top-level domain as your domain.
Reference:
https://docs.microsoft.com/en-us/azure/dns/dns-delegate-domain-azure-dns
Question 44 (Question Set 2)
HOTSPOT -
You have the network topology shown in the Topology exhibit. (Click the Topology tab.)
You have the Azure firewall shown in the Firewall1 exhibit. (Click the Firewall1 tab.)
You have the route table shown in the RouteTable1 exhibit. (Click the RouteTable1 tab.)
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Hot Area:
Answer :
Explanation:
Box 1: Yes -
Resources in Subnet1 will use Route2 and its next hop IP address, the firewall, to reach the internet.
Box 2: Yes -
Box 3: No -
Resources in Subnet2 can only reach resources in Subnet1, as gateway transit for virtual network peering has not been configured.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-peering-gateway-transit
Question 45 (Question Set 2)
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one
correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have two Azure virtual networks named Vnet1 and Vnet2.
You have a Windows 10 device named Client1 that connects to Vnet1 by using a Point-to-Site (P2S) IKEv2 VPN.
You implement virtual network peering between Vnet1 and Vnet2. Vnet1 allows gateway transit. Vnet2 can use the remote gateway.
A. Yes
B. No
Answer :
B
Explanation:
The VPN client must be downloaded again if any changes are made to VNet peering or the network topology.
Reference:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-point-to-site-routing
Question 46 (Question Set 2)
You have an Azure subscription that contains the virtual networks shown in the following table.
You plan to deploy an Azure firewall named AF1 to RG1 in the West US Azure region.
Answer :
C
Explanation:
No. Vnet2: Same Resource Group but different VNET and different region. Must be in the same region.
No. Vnet3: Different VNET, different region. Must be in the same region.
Reference:
https://docs.microsoft.com/en-us/azure/architecture/networking/guide/well-architected-framework-azure-firewall
Question 47 (Testlet 5)
Case Study -
Overview -
Litware, Inc. is a financial company that has a main datacenter in Boston and 20 branch offices across the United States. Users have Android, iOS, and Windows
10 devices.
Existing Environment -
Hybrid Environment -
The on-premises network contains an Active Directory forest named litwareinc.com that syncs to an Azure Active Directory (Azure AD) tenant named litwareinc.com by using Azure AD Connect.
All offices connect to a virtual network named Vnet1 by using a Site-to-Site VPN connection.
Azure Environment -
Litware has an Azure subscription named Sub1 that is linked to the litwareinc.com Azure AD tenant. Sub1 contains resources in the East US Azure region as shown in the following table.
A diagram of the resource in the East US Azure region is shown in the Azure Network Diagram exhibit.
There is bidirectional peering between Vnet1 and Vnet2. There is bidirectional peering between Vnet1 and Vnet3. Currently, Vnet2 and Vnet3 cannot
communicate directly.
Requirements -
Business Requirements -
Litware wants to minimize costs whenever possible, as long as all other requirements are met.
Litware identifies the following virtual networking requirements:
Direct the default route of 0.0.0.0/0 on Vnet2 and Vnet3 to the Boston datacenter over an ExpressRoute circuit.
Ensure that the records in the cloud.litwareinc.com can be resolved from the on-premises locations.
Automatically register the DNS names of Azure virtual machines to the cloud.litwareinc.com zone.
Allow traffic from VMScaleSet1 to VMScaleSet2 on the TCP port 443 only.
Users must be able to connect to Vnet1 by using a Point-to-Site (P2S) VPN when working remotely. Connections must be authenticated by Azure AD.
Latency of the traffic between the Boston datacenter and all the virtual networks must be minimized.
The Boston datacenter must connect to the Azure virtual networks by using an ExpressRoute FastPath connection.
Litware identifies the following networking requirements for platform as a service (PaaS):
The storage1 account must be accessible from all on-premises locations without exposing the public endpoint of storage1.
The storage2 account must be accessible from Vnet2 and Vnet3 without exposing the public endpoint of storage2.
You need to configure the default route on Vnet2 and Vnet3. The solution must meet the virtual networking requirements.
A. route filters
B. BGP route exchange
C. a user-defined route assigned to GatewaySubnet in Vnet1
D. a user-defined route assigned to GatewaySubnet in Vnet2 and Vnet3
Answer :
B
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview
Question 48 (Testlet 5)
Case Study -
Overview -
Litware, Inc. is a financial company that has a main datacenter in Boston and 20 branch offices across the United States. Users have Android, iOS, and Windows
10 devices.
Existing Environment -
Hybrid Environment -
The on-premises network contains an Active Directory forest named litwareinc.com that syncs to an Azure Active Directory (Azure AD) tenant named litwareinc.com by using Azure AD Connect.
All offices connect to a virtual network named Vnet1 by using a Site-to-Site VPN connection.
Azure Environment -
Litware has an Azure subscription named Sub1 that is linked to the litwareinc.com Azure AD tenant. Sub1 contains resources in the East US Azure region as shown in the following table.
A diagram of the resource in the East US Azure region is shown in the Azure Network Diagram exhibit.
There is bidirectional peering between Vnet1 and Vnet2. There is bidirectional peering between Vnet1 and Vnet3. Currently, Vnet2 and Vnet3 cannot
communicate directly.
Requirements -
Business Requirements -
Litware wants to minimize costs whenever possible, as long as all other requirements are met.
Direct the default route of 0.0.0.0/0 on Vnet2 and Vnet3 to the Boston datacenter over an ExpressRoute circuit.
Ensure that the records in the cloud.litwareinc.com can be resolved from the on-premises locations.
Automatically register the DNS names of Azure virtual machines to the cloud.litwareinc.com zone.
Allow traffic from VMScaleSet1 to VMScaleSet2 on the TCP port 443 only.
Users must be able to connect to Vnet1 by using a Point-to-Site (P2S) VPN when working remotely. Connections must be authenticated by Azure AD.
Latency of the traffic between the Boston datacenter and all the virtual networks must be minimized.
The Boston datacenter must connect to the Azure virtual networks by using an ExpressRoute FastPath connection.
Litware identifies the following networking requirements for platform as a service (PaaS):
The storage1 account must be accessible from all on-premises locations without exposing the public endpoint of storage1.
The storage2 account must be accessible from Vnet2 and Vnet3 without exposing the public endpoint of storage2.
DRAG DROP -
You need to implement outbound connectivity for VMScaleSet1. The solution must meet the virtual networking requirements and the business requirements.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in
the correct order.
Answer :
Reference:
https://docs.microsoft.com/en-us/azure/load-balancer/skus
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-outbound-connections#outboundrules
Question 49 (Testlet 6)
Case Study -
Overview -
Contoso, Ltd. is a consulting company that has a main office in San Francisco and a branch office in Dallas.
Contoso recently purchased an Azure subscription and is performing its first pilot project in Azure.
Existing Environment -
Contoso has an Azure Active Directory (Azure AD) tenant named contoso.com.
The Azure subscription contains the virtual networks shown in the following table.
The Azure subscription contains virtual machines that run Windows Server 2019 as shown in the following table.
The NSGs are associated to the network interfaces on the virtual machines. Each NSG has one custom security rule that allows RDP connections from the
internet. The firewall on each virtual machine allows ICMP traffic.
An application security group named ASG1 is associated to the network interface of VM1.
The Azure subscription contains the Azure private DNS zones shown in the following table.
Zone1.contoso.com has the virtual network links shown in the following table.
The Azure subscription contains additional resources as shown in the following table.
Requirements -
Create a virtual network named Vnet6 in West US that will contain the following resources and configurations:
- Allow the resources in Vnet6 to access KeyVault1, DB1, and Vnet1 over the Microsoft backbone network.
The virtual machines in Vnet4 and Vnet5 must be able to communicate over the Microsoft backbone network.
A virtual machine named VM-Analyze will be deployed to Subnet1. VM-Analyze must inspect the outbound network traffic from Subnet2 to the internet.
Configure Azure Active Directory (Azure AD) authentication for Point-to-Site (P2S) VPN users.
Create an NSG named NSG10 that will be associated to Vnet1/Subnet1 and will have the custom inbound security rules shown in the following table.
Create an NSG named NSG11 that will be associated to Vnet1/Subnet2 and will have the custom outbound security rules shown in the following table.
HOTSPOT -
What should you include in a custom route that is linked to Subnet2? To answer, select the appropriate options in the answer area.
Hot Area:
Answer :
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview
Question 50 (Question Set 3)
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one
correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure application gateway that has Azure Web Application Firewall (WAF) enabled.
You configure the application gateway to direct traffic to the URL of the application gateway.
You attempt to access the URL and receive an HTTP 403 error. You view the diagnostics log and discover the following error.
You need to ensure that the URL is accessible through the application gateway from any IP address.
A. Yes
B. No
Answer :
B
Explanation:
The log shows that the WAF rule with ruleId 920300 was triggered. Instead, we should disable the WAF rule that has a ruleId 920300.
Reference:
https://docs.microsoft.com/en-us/azure/web-application-firewall/ag/web-application-firewall-troubleshoot
Question 51 (Question Set 3)
HOTSPOT -
You have an Azure subscription that contains the route tables and routes shown in the following table.
The subscription contains the virtual machines shown in the following table.
The subscription contains the local network gateways shown in the following table.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Hot Area:
Answer :
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview
Question 52 (Question Set 3)
You have an Azure subscription that contains the public IP addresses shown in the following table.
Which public IP addresses can be used as the public IP address for NAT1?
A. IP3 only
B. IP5 only
C. IP2 and IP4 only
D. IP1, IP3 and IP5 only
E. IP3 and IP5 only
Answer :
A
Explanation:
Only static IPv4 addresses in the Standard SKU are supported. IPv6 doesn't support NAT.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/nat-gateway/nat-overview
Question 53 (Question Set 3)
You have an Azure application gateway named AGW1 that has a routing rule named Rule1. Rule1 directs traffic for http://www.contoso.com to a backend pool named Pool1. Pool1 targets an Azure virtual machine scale set named VMSS1.
You need to configure AGW1 to direct all traffic for http://www.adatum.com to VMSS2.
The solution must ensure that requests to http://www.contoso.com continue to be directed to Pool1.
Which three actions should you perform? Each correct answer presents part of the solution.
Answer :
ADE
Reference:
https://docs.microsoft.com/en-us/azure/application-gateway/configuration-overview
Question 54 (Question Set 3)
HOTSPOT -
You have an Azure Traffic Manager parent profile named TM1. TM1 has two child profiles named TM2 and TM3.
TM1 uses the performance traffic-routing method and has the endpoints shown in the following table.
TM2 uses the weighted traffic-routing method with MinChildEndpoint = 2 and has the endpoints shown in the following table.
TM3 uses the priority traffic-routing method and has the endpoints shown in the following table.
The App2, App4, and App6 endpoints have a degraded monitoring status.
To which endpoint is traffic directed? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Answer :
Reference:
https://docs.microsoft.com/en-us/azure/traffic-manager/traffic-manager-nested-profiles
Question 55 (Question Set 3)
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one
correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure application gateway that has Azure Web Application Firewall (WAF) enabled.
You configure the application gateway to direct traffic to the URL of the application gateway.
You attempt to access the URL and receive an HTTP 403 error. You view the diagnostics log and discover the following error.
You need to ensure that the URL is accessible through the application gateway from any IP address.
A. Yes
B. No
Answer :
B
Explanation:
The log shows that the WAF rule with ruleId 920300 was triggered. Instead, we should disable the WAF rule that has a ruleId 920300.
Reference:
https://docs.microsoft.com/en-us/azure/web-application-firewall/ag/web-application-firewall-troubleshoot
Question 56 (Question Set 3)
HOTSPOT -
You have an Azure Front Door instance that provides access to a web app. The web app uses a hostname of www.contoso.com.
Which rule will apply to each incoming request? To answer, select the appropriate options in the answer area.
Hot Area:
Answer :
Reference:
https://docs.microsoft.com/en-us/azure/frontdoor/front-door-route-matching
Question 57 (Question Set 3)
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one
correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure application gateway that has Azure Web Application Firewall (WAF) enabled.
You configure the application gateway to direct traffic to the URL of the application gateway.
You attempt to access the URL and receive an HTTP 403 error. You view the diagnostics log and discover the following error.
You need to ensure that the URL is accessible through the application gateway.
Solution: You disable the WAF rule that has a ruleId 920300.
A. Yes
B. No
Answer :
A
Explanation:
The log shows that the WAF rule with ruleId 920300 was triggered. We should disable the WAF rule that has a ruleId 920300.
Reference:
https://docs.microsoft.com/en-us/azure/web-application-firewall/ag/web-application-firewall-troubleshoot
Question 58 (Question Set 3)
You have an Azure subscription that contains an Azure App Service app. The app uses a URL of https://www.contoso.com.
You need to use a custom domain on Azure Front Door for www.contoso.com. The custom domain must use a certificate from an allowed certification authority
(CA).
Answer :
C
Reference:
https://docs.microsoft.com/en-us/azure/frontdoor/front-door-custom-domain-https
Question 59 (Question Set 3)
You have an Azure application gateway for a web app named App1. The application gateway allows end-to-end encryption.
You need to ensure that the application gateway can provide end-to-end encryption for App1.
Answer :
D
Reference:
https://docs.microsoft.com/en-us/azure/application-gateway/end-to-end-ssl-portal
Question 60 (Question Set 3)
HOTSPOT -
You have an Azure virtual network named Vnet1 that contains two subnets named Subnet1 and Subnet2.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Hot Area:
Answer :
Explanation:
Box 1: No -
VM1 is in Zone2 whereas the NAT Gateway is in Zone1. The VM would need to be in the same zone as the NAT Gateway to be able to use it. Therefore, VM1 cannot use the NAT gateway.
Box 2: Yes -
Box 3: No -
The NAT gateway does not have a single public IP address; it has an IP prefix, which means more than one IP address. The VMs that use the NAT Gateway can use different public IP addresses contained within the IP prefix.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/nat-gateway/nat-gateway-resource
Question 61 (Question Set 3)
You have an Azure application gateway named AppGW1 that balances requests to a web app named App1.
You need to modify the server variables in the response header of App1.
A. HTTP settings
B. rewrites
C. rules
D. listeners
Answer :
B
Reference:
https://docs.microsoft.com/en-us/azure/application-gateway/rewrite-http-headers-url
Question 62 (Question Set 3)
You have an Azure Virtual Desktop deployment that has 500 session hosts.
During peak business hours, some users report that they cannot access internet resources. In Azure Monitor, you discover many failed SNAT connections.
Answer :
B
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/nat-gateway/nat-gateway-resource
Question 63 (Question Set 3)
You have an Azure subscription that contains the public IPv4 addresses shown in the following table.
You plan to create a load balancer named LB1 that will have the following settings:
✑ Name: LB1
✑ Location: West US
✑ Type: Public
✑ SKU: Standard
Answer :
F
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-public-ip-address
Question 64 (Question Set 3)
You have the Azure environment shown in the exhibit.
Basic Load Balancer uses a public IP address. VM1 and VM2 are in the backend pool.
NAT Gateway uses a public IP address named IP3 that is associated to SubnetA.
VNet1 has a virtual network gateway that has a public IP address named IP4.
When initiating outbound traffic to the internet from VM1, which public address is used?
A. IP1
B. IP2
C. IP3
D. IP4
Answer :
A
Question 65 (Question Set 3)
You are configuring two network virtual appliances (NVAs) in an Azure virtual network. The NVAs will be used to inspect all the traffic within the virtual network.
You need to provide high availability for the NVAs. The solution must minimize administrative effort.
Answer :
A
Reference:
https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/dmz/nva-ha?tabs=cli
Question 66 (Question Set 3)
You have five virtual machines that run Windows Server. Each virtual machine hosts a different web app.
You plan to use an Azure application gateway to provide access to each web app by using a hostname of www.contoso.com and a different URL path for each web app, for example: https://www.contoso.com/app1.
You need to control the flow of traffic based on the URL path.
A. HTTP settings
B. listeners
C. rules
D. rewrites
Answer :
C
Reference:
https://docs.microsoft.com/en-us/azure/application-gateway/url-route-overview
Question 67 (Question Set 3)
You plan to publish a website that will use an FQDN of www.contoso.com. The website will be hosted by using the Azure App Service apps shown in the following table.
You plan to use Azure Traffic Manager to manage the routing of traffic for www.contoso.com between AS1 and AS2.
You create a Traffic Manager profile named TMprofile1. TMprofile1 uses the weighted traffic-routing method.
You need to ensure that Traffic Manager routes traffic for www.contoso.com.
Answer :
C
Reference:
https://docs.microsoft.com/en-us/azure/traffic-manager/quickstart-create-traffic-manager-profile
https://docs.microsoft.com/en-us/azure/app-service/configure-domain-traffic-manager
Question 68 (Question Set 3)
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one
correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure application gateway that has Azure Web Application Firewall (WAF) enabled.
You configure the application gateway to direct traffic to the URL of the application gateway.
You attempt to access the URL and receive an HTTP 403 error. You view the diagnostics log and discover the following error.
You need to ensure that the URL is accessible through the application gateway from any IP address.
Solution: You create a WAF policy exclusion for request headers that contain 137.135.10.24.
A. Yes
B. No
Answer :
B
Explanation:
The log shows that the WAF rule with ruleId 920300 was triggered. Instead, we should disable the WAF rule that has ruleId 920300.
Reference:
https://docs.microsoft.com/en-us/azure/web-application-firewall/ag/web-application-firewall-troubleshoot
Question 69 (Question Set 3)
HOTSPOT -
Your company has 10 instances of a web service. Each instance is hosted in a different Azure region and is accessible through a public endpoint.
The development department at the company is creating an application named App1. Every 10 minutes, App1 will use a list of endpoints and connect to the first available endpoint.
You plan to use Azure Traffic Manager to maintain the list of endpoints.
You need to configure a Traffic Manager profile that will minimize the impact of DNS caching.
What should you configure? To answer, select the appropriate options in the answer area.
Hot Area:
Answer :
Reference:
https://docs.microsoft.com/en-us/azure/traffic-manager/traffic-manager-routing-methods
https://docs.microsoft.com/en-us/azure/traffic-manager/traffic-manager-endpoint-types
Question 70 (Question Set 3)
DRAG DROP -
You deploy two instances of an Azure web app to different Azure regions.
You plan to provide access to the web app through FrontDoor1 by using the name app1.contoso.com.
You need to ensure that FrontDoor1 is the entry point for requests that use app1.contoso.com.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Answer :
Reference:
https://docs.microsoft.com/en-us/azure/frontdoor/front-door-custom-domain#associate-the-custom-domain-with-your-front-door
https://docs.microsoft.com/en-us/azure/frontdoor/quickstart-create-front-door
Question 71 (Question Set 3)
You have a website that uses an FQDN of www.contoso.com. The DNS record for www.contoso.com resolves to an on-premises web server.
You plan to migrate the website to an Azure web app named Web1. The website on Web1 will be published by using an Azure Front Door instance named ContosoFD1.
When you attempt to configure a custom domain for www.contoso.com on ContosoFD1, you receive the error message shown in the exhibit. (Click the Exhibit tab.)
You need to test the website and ContosoFD1 without affecting user access to the on-premises web server.
Answer :
C
Reference:
https://docs.microsoft.com/en-us/azure/frontdoor/front-door-custom-domain#map-the-temporary-afdverify-subdomain
Question 72 (Question Set 3)
You have the Azure load balancer shown in the Load Balancer exhibit.
LB2 has the backend pools shown in the Backend Pools exhibit.
You need to ensure that LB2 distributes traffic to all the members of VMSS1.
Which two actions should you perform? Each correct answer presents part of the solution.
Answer :
BC
Reference:
https://docs.microsoft.com/en-us/azure/load-balancer/quickstart-load-balancer-standard-public-portal?tabs=option-1-create-load-balancer-standard
Question 73 (Question Set 3)
You have an Azure subscription that contains the following resources:
After deploying 10 servers that run Windows Server to Subnet 1, you discover that none of the virtual machines were activated.
Answer :
C
Explanation:
Cause -
The Azure Windows VMs need to connect to the Azure KMS server for Windows activation. The activation requires that the activation request come from an Azure public IP address.
To resolve this problem, use the Azure custom route to route activation traffic to the Azure KMS server.
Reference:
https://docs.microsoft.com/en-us/troubleshoot/azure/virtual-machines/custom-routes-enable-kms-activation
Question 74 (Question Set 3)
You have an Azure Front Door instance that has a single frontend named Frontend1 and an Azure Web Application Firewall (WAF) policy named Policy1. Policy1 redirects requests that have a header containing
"string1" to https://www.contoso.com/redirect1. Policy1 is associated to Frontend1.
You need to configure additional redirection settings. Requests to Frontend1 that have a header containing "string2" must be redirected to https://www.contoso.com/redirect2.
Which three actions should you perform? Each correct answer presents part of the solution.
Answer :
CEF
Explanation:
managed rule sets that are a collection of Azure-managed pre-configured set of rules.
You can create a fully customized policy that meets your specific application protection requirements by combining managed and custom rules.
A web application delivered by Front Door can have only one WAF policy associated with it at a time.
In the Association tab of the Create a WAF policy page, select + Associate a Front Door profile, enter the following settings, and then select Add:
Reference:
https://docs.microsoft.com/en-us/azure/web-application-firewall/afds/afds-overview
https://docs.microsoft.com/en-us/azure/web-application-firewall/afds/waf-front-door-create-portal
Question 75 (Question Set 3)
You have 10 Azure App Service instances. Each instance hosts the same web app. Each instance is in a different Azure region.
You need to configure Azure Traffic Manager to direct users to the instance that has the lowest latency.
A. geographic
B. weighted
C. priority
D. performance
Answer :
D
Explanation:
Select Performance routing when you have endpoints in different geographic locations and you want end users to use the "closest" endpoint for the lowest network latency.
Reference:
https://docs.microsoft.com/en-us/azure/traffic-manager/traffic-manager-routing-methods
Question 76 (Question Set 3)
Your company has offices in London, Tokyo, and New York.
The company has a web app named App1 that has the Azure Traffic Manager profile shown in the following table.
In Asia, you plan to deploy an additional endpoint that will host an updated version of App1.
You need to route 10 percent of the traffic from the Tokyo office to the new endpoint during testing.
What should you configure in Traffic Manager?
Answer :
B
Explanation:
Need two profiles. Add one Child profile using Weighted routing. One additional trial endpoint, to the existing three, for the Child Profile is needed.
Note 1: Each Traffic Manager profile specifies a single traffic-routing method. However, there are scenarios that require more sophisticated traffic routing than the routing provided by a single Traffic Manager profile.
You can nest Traffic Manager profiles to combine the benefits of more than one traffic-routing method.
Note 2: Weighted routing: Select Weighted routing when you want to distribute traffic across a set of endpoints based on their weight. Set the weight the same to distribute evenly across all endpoints.
Reference:
https://docs.microsoft.com/en-us/azure/traffic-manager/traffic-manager-nested-profiles
https://docs.microsoft.com/en-us/azure/traffic-manager/traffic-manager-routing-methods
Question 77 (Question Set 3)
HOTSPOT -
You configure a route table named RT1 that has the routes shown in the following table.
You have an Azure virtual network named Vnet1 that has the subnets shown in the following table.
Vnet1 connects to an ExpressRoute circuit. The on-premises router advertises the following routes:
✑ 0.0.0.0/0
✑ 10.0.0.0/16
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Hot Area:
Answer :
Explanation:
Box 1: Yes -
NVA1 with IP (NVA-network virtual appliance) 192.168.0.4 is on the DMZ subnet. It will use route 10.0.0.0/16 to the on-premises network.
Box 2: No -
VM2 has IP address 192.168.2.4 and is on the BackEnd subnet. VM2 will not use the RT1 route table, and will not reach the on-premises network through NVA1.
Box 3: Yes -
VM1 with IP address 192.168.1.4 is on the FrontEnd subnet, and will use the RT1 routing table. It will use Route2 and Next Hop IP address 192.168.0.4, IP address of NVA1, to reach VM2.
Question 78 (Question Set 3)
HOTSPOT -
You have an Azure subscription. The subscription contains virtual machines that host websites as shown in the following table.
You have the Azure Traffic Manager profiles shown in the following table.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Hot Area:
Answer :
Explanation:
Box 1: No -
VM1, which is hosting site1.contoso.com, is located in East US. The VM1 endpoint status is degraded. Endpoint monitoring health checks are failing. The endpoint isn't included in DNS responses and doesn't receive
traffic.
When an endpoint has a Degraded status, it's no longer returned in response to DNS queries. Instead, an alternative endpoint is chosen and returned. The traffic-routing method configured in the profile determines
how the alternative endpoint is chosen.
Priority. Endpoints form a prioritized list. The first available endpoint on the list is always returned. If an endpoint status is Degraded, then the next available endpoint is returned.
Box 2: No -
VM3, which is hosting site2.contoso.com, is located in East US. The VM3 endpoint status is CheckingEndpoint. The endpoint is monitored, but the results of the first probe haven't been received yet.
CheckingEndpoint is a temporary state that usually occurs immediately after adding or enabling an endpoint in the profile. An endpoint in this state is included in DNS responses and can receive traffic.
Box 3: No -
VM3, which is hosting site2.contoso.com, is located in East US. The VM1 endpoint status is CheckingEndpoint, which is OK (see above).
User will connect to site2.contoso.com, not to site2.japan.contoso.com
Reference:
https://docs.microsoft.com/en-us/azure/traffic-manager/traffic-manager-monitoring
Question 79 (Question Set 3)
You have an Azure application
The application gateway contains one backend pool and one rule. The backend pool contains two backend servers. Each backend server has an additional website that is available on port 8080.
You need to ensure that if port 8080 is unavailable on a backend server, all the traffic for https://www.contoso.com is redirected to the other backend server.
Answer :
A
Explanation:
By default, Azure Application Gateway probes backend servers to check their health status and to check whether they're ready to serve requests. Users can also create custom probes to mention the host name, the path
to be probed, and the status codes to be accepted as Healthy. In each case, if the backend server doesn't respond successfully, Application Gateway marks the server as Unhealthy and stops forwarding requests to the
server. After the server starts responding successfully, Application Gateway resumes forwarding the requests.
Note: The default probe request is sent in the format of <protocol>://127.0.0.1:<port>/. For example, http://127.0.0.1:80 for an http probe on port 80. Only HTTP status codes of 200 through 399 are considered
healthy. The protocol and destination port are inherited from the HTTP settings. If you want Application Gateway to probe on a different protocol, host name, or path and to recognize a different status code as
Healthy, configure a custom probe and associate it with the HTTP settings.
Reference:
https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-backend-health-troubleshooting
Question 80 (Testlet 7)
Case Study -
Overview -
Contoso, Ltd. is a consulting company that has a main office in San Francisco and a branch office in Dallas.
Contoso recently purchased an Azure subscription and is performing its first pilot project in Azure.
Existing Environment -
Contoso has an Azure Active Directory (Azure AD) tenant named contoso.com.
The Azure subscription contains the virtual networks shown in the following table.
The Azure subscription contains virtual machines that run Windows Server 2019 as shown in the following table.
The NSGs are associated to the network interfaces on the virtual machines. Each NSG has one custom security rule that allows RDP connections from the
internet. The firewall on each virtual machine allows ICMP traffic.
An application security group named ASG1 is associated to the network interface of VM1.
The Azure subscription contains the Azure private DNS zones shown in the following table.
Zone1.contoso.com has the virtual network links shown in the following table.
The Azure subscription contains additional resources as shown in the following table.
Requirements -
Create a virtual network named Vnet6 in West US that will contain the following resources and configurations:
- Allow the resources in Vnet6 to access KeyVault1, DB1, and Vnet1 over the Microsoft backbone network.
The virtual machines in Vnet4 and Vnet5 must be able to communicate over the Microsoft backbone network.
A virtual machine named VM-Analyze will be deployed to Subnet1. VM-Analyze must inspect the outbound network traffic from Subnet2 to the internet.
Configure Azure Active Directory (Azure AD) authentication for Point-to-Site (P2S) VPN users.
Create an NSG named NSG10 that will be associated to Vnet1/Subnet1 and will have the custom inbound security rules shown in the following table.
Create an NSG named NSG11 that will be associated to Vnet1/Subnet2 and will have the custom outbound security rules shown in the following table.
HOTSPOT -
You create NSG10 and NSG11 to meet the network security requirements.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Hot Area:
Answer :
Explanation:
Box 1: No -
NSG10 which is attached to VM1's subnet blocks RDP (port TCP 3389) to 'Any' which means the port is blocked to all destinations.
Box 2: Yes -
NSG10 blocks ICMP from VNet4 (source 10.10.0.0/16) but it is not blocked from VM2's subnet (VNet1/Subnet2).
Box 3: No -
NSG11 blocks RDP (port TCP 3389) destined for 'VirtualNetwork'. VirtualNetwork is a service tag and means the address space of the virtual network (VNet1) which in this case is 10.1.0.0/16. Therefore, RDP traffic from subnet2 to anywhere else in VNet1 is blocked.
Question 81 (Testlet 8)
Case Study -
Overview -
Litware, Inc. is a financial company that has a main datacenter in Boston and 20 branch offices across the United States. Users have Android, iOS, and Windows
10 devices.
Existing Environment -
Hybrid Environment -
The on-premises network contains an Active Directory forest named litwareinc.com that syncs to an Azure Active Directory (Azure AD) tenant named litwareinc.com by using Azure AD Connect.
All offices connect to a virtual network named Vnet1 by using a Site-to-Site VPN connection.
Azure Environment -
Litware has an Azure subscription named Sub1 that is linked to the litwareinc.com Azure AD tenant. Sub1 contains resources in the East US Azure region as shown in the following table.
A diagram of the resource in the East US Azure region is shown in the Azure Network Diagram exhibit.
There is bidirectional peering between Vnet1 and Vnet2. There is bidirectional peering between Vnet1 and Vnet3. Currently, Vnet2 and Vnet3 cannot
communicate directly.
Requirements -
Business Requirements -
Litware wants to minimize costs whenever possible, as long as all other requirements are met.
Direct the default route of 0.0.0.0/0 on Vnet2 and Vnet3 to the Boston datacenter over an ExpressRoute circuit.
Ensure that the records in the cloud.litwareinc.com can be resolved from the on-premises locations.
Automatically register the DNS names of Azure virtual machines to the cloud.litwareinc.com zone.
Allow traffic from VMScaleSet1 to VMScaleSet2 on the TCP port 443 only.
Users must be able to connect to Vnet1 by using a Point-to-Site (P2S) VPN when working remotely. Connections must be authenticated by Azure AD.
Latency of the traffic between the Boston datacenter and all the virtual networks must be minimized.
The Boston datacenter must connect to the Azure virtual networks by using an ExpressRoute FastPath connection.
Litware identifies the following networking requirements for platform as a service (PaaS):
The storage1 account must be accessible from all on-premises locations without exposing the public endpoint of storage1.
The storage2 account must be accessible from Vnet2 and Vnet3 without exposing the public endpoint of storage2.
HOTSPOT -
You need to restrict traffic from VMScaleSet1 to VMScaleSet2. The solution must meet the virtual networking requirements.
What is the minimum number of custom NSG rules and NSG assignments required? To answer, select the appropriate options in the answer area.
Hot Area:
Answer :
Explanation:
The minimum requirement is one NSG. You could attach the NSG to VMScaleSet1 and restrict outbound traffic, or you could attach the NSG to VMScaleSet2 and restrict inbound traffic. Either way you would need
two custom NSG rules.
With the NSG attached to VMScaleSet2, you would need to create a custom rule blocking all traffic from VMScaleSet1. Then you would need to create another custom rule with a higher priority than the first rule that
allows traffic on port 443.
The default rules in the NSG will allow all other traffic to VMScaleSet2.
Question 82 (Question Set 4)
You have an Azure virtual machine named VM1.
You need to capture all the network traffic of VM1 by using Azure Network Watcher.
Answer :
D
Explanation:
Once your packet capture session has completed, the capture file is uploaded to blob storage or to a local file on the virtual machine. The storage location of the packet capture is defined during creation of the packet
capture.
Reference:
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-packet-capture-manage-portal
Question 83 (Question Set 4)
You have an Azure virtual network that contains the subnets shown in the following table.
You deploy an Azure firewall to AzureFirewallSubnet. You route all traffic from Subnet2 through the firewall.
You need to ensure that all the hosts on Subnet2 can access an external site located at https://*.contoso.com.
Answer :
D
Reference:
https://docs.microsoft.com/en-us/azure/firewall/tutorial-firewall-deploy-portal
Question 84 (Question Set 4)
You have an Azure Web Application Firewall (WAF) policy in prevention mode that is associated to an Azure Front Door instance.
✑ Deny all further connections from a network of 131.107.100.0/24 if there are more than 100 connections during one minute.
Answer :
A
Reference:
https://docs.microsoft.com/en-us/azure/web-application-firewall/afds/afds-overview
Question 85 (Question Set 4)
You have an Azure subscription that contains multiple virtual machines in the West US Azure region.
Which two resources should you create? Each correct answer presents part of the solution. (Choose two.)
Answer :
BC
Reference:
https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics
Question 86 (Question Set 4)
HOTSPOT -
You have an Azure subscription that contains the virtual machines shown in the following table.
Subnet1 and Subnet2 are associated to a network security group (NSG) named NSG1 that has the following outbound rule:
✑ Priority: 100
✑ Port: Any
✑ Protocol: Any
✑ Source: Any
✑ Destination: Storage
✑ Action: Deny
✑ Name: Private1
✑ Resource: storage1
✑ Subnet: Subnet1
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Hot Area:
Answer :
Reference:
https://docs.microsoft.com/en-us/azure/private-link/disable-private-endpoint-network-policy
Question 87 (Question Set 4)
HOTSPOT -
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
Hot Area:
Answer :
Explanation:
Box 1:
If forced tunneling was enabled, the Firewall Subnet would be named AzureFirewallManagementSubnet. Forced tunneling can only be enabled during the creation of the firewall. It cannot be enabled after the firewall has been deployed.
Box 2:
The "Visit Azure Firewall Manager to configure and manage this firewall" link in the exhibit shows that the firewall is managed by Azure Firewall Manager.
Question 88 (Question Set 4)
You have a hybrid environment that uses ExpressRoute to connect an on-premises network and Azure.
You need to log the uptime and the latency of the connection periodically by using an Azure virtual machine and an on-premises virtual machine.
A. Azure Monitor
B. IP flow verify
C. Connection Monitor
D. Azure Internet Analyzer
Answer :
C
Reference:
https://docs.microsoft.com/en-us/azure/network-watcher/connection-monitor
Question 89 (Question Set 4)
You have an Azure subscription that contains the following resources:
After deploying 10 servers that run Windows Server to Subnet1, you discover that none of the virtual machines were activated.
Answer :
B
Reference:
https://ryanmangansitblog.com/2020/05/11/firewall-considerations-windows-virtual-desktop-wvd/
Question 90 (Question Set 4)
HOTSPOT -
You have an Azure application gateway named AppGW1 that provides access to the following hosts:
✑ www.adatum.com
✑ www.contoso.com
✑ www.fabrikam.com
You create Azure Web Application Firewall (WAF) policies for AppGW1 as shown in the following table.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Hot Area:
Answer :
Reference:
https://docs.microsoft.com/en-us/azure/web-application-firewall/ag/per-site-policies
Question 91 (Question Set 4)
You have an Azure virtual network that contains a subnet named Subnet1. Subnet1 is associated to a network security group (NSG) named NSG1. NSG1 blocks all outbound traffic that is not allowed explicitly.
Subnet1 contains virtual machines that must communicate with the Azure Cosmos DB service.
You need to create an outbound security rule in NSG1 to enable the virtual machines to connect to Azure Cosmos DB.
A. a service tag
B. a service endpoint policy
C. a subnet delegation
D. an application security group
Answer :
A
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/service-tags-overview
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoint-policies-portal
Question 92 (Question Set 4)
Your company has offices in Montreal, Seattle, and Paris. The outbound traffic from each office originates from a specific public IP address.
You create an Azure Front Door instance named FD1 that has Azure Web Application Firewall (WAF) enabled. You configure a WAF policy named Policy1 that has a rule named Rule1. Rule1 applies a rate limit of 100
requests for traffic that originates from the office in Montreal.
You need to apply a rate limit of 100 requests for traffic that originates from each office.
Answer :
C
Question 93 (Question Set 4)
You have an Azure virtual network named Vnet1.
You need to ensure that the virtual machines in Vnet1 can access only the Azure SQL resources in the East US Azure region. The virtual machines must be prevented from accessing any Azure Storage resources.
Which two outbound network security group (NSG) rules should you create? Each correct answer presents part of the solution.
Answer :
BD
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/service-tags-overview
Question 94 (Question Set 4)
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one
correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You need to ensure that VM1 can access storage1. VM1 must be prevented from accessing any other storage accounts.
Solution: You configure the firewall on storage1 to only accept connections from Vnet1.
A. Yes
B. No
Answer :
B
Question 95 (Question Set 4)
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one
correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You need to ensure that VM1 can access storage1. VM1 must be prevented from accessing any other storage accounts.
Solution: You create a network security group (NSG) and associate the NSG to Subnet1.
A. Yes
B. No
Answer :
B
Question 96 (Question Set 4)
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one
correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
A subnet named Subnet1 in Vnet1 -
You need to ensure that VM1 can access storage1. VM1 must be prevented from accessing any other storage accounts.
Solution: You create a network security group (NSG). You configure a service tag for Microsoft.Storage and link the tag to Subnet1.
Does this meet the goal?
A. Yes
B. No
Answer :
B
Question 97 (Question Set 4)
You need to use Traffic Analytics to monitor the usage of applications deployed to Azure virtual machines.
Answer :
A
Explanation:
Network Watcher: A regional service that enables you to monitor and diagnose conditions at a network scenario level in Azure. You can turn NSG flow logs on and off with Network Watcher.
Network security group (NSG) flow logs is a feature of Azure Network Watcher that allows you to log information about IP traffic flowing through an NSG.
It is vital to monitor, manage, and know your own network for uncompromised security, compliance, and performance.
Common use cases include Network Monitoring: Identify unknown or undesired traffic. Monitor traffic levels and bandwidth consumption. Filter flow logs by IP and port to understand application behavior.
Reference:
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-overview
Question 98 (Question Set 4)
HOTSPOT -
You have an Azure subscription that contains the virtual machines shown in the following table.
You need to block traffic from SQL Server 2019 to IIS by using application security groups. The solution must minimize administrative effort.
How should you configure the application security groups? To answer, select the appropriate options in the answer area.
Hot Area:
Answer :
Explanation:
Box 1: 2 -
All network interfaces assigned to an application security group have to exist in the same virtual network that the first network interface assigned to the application security group is in.
We need one application security group for each of the two virtual networks.
Box 2: 3 -
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/application-security-groups
Question 99 (Question Set 4)
HOTSPOT -
You have an Azure virtual network that contains the subnets shown in the following table.
You have the Azure virtual machines shown in the following table.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Hot Area:
Answer :
Explanation:
Box 1: Yes -
VM3 is in Subnet2. NSG2 applies. The default rule will allow communication.
Box 2: No -
VM1 and VM2 are in Subnet1. NSG1 applies. Only traffic on ports 80 and 443 will be allowed. Connection on port 9090 will be denied.
Note: Priority: A number between 100 and 4096. Rules are processed in priority order, with lower numbers processed before higher numbers, because lower numbers have higher priority. Once traffic matches a rule,
processing stops. As a result, any rules that exist with lower priorities (higher numbers) that have the same attributes as rules with higher priorities are not processed.
Box 3: No -
VM1 is in Subnet1. NSG1 applies. Only traffic on ports 80 and 443 will be allowed. Connection on port 9090 will be denied.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview
Question 100 (Question Set 4)
You have the Azure virtual networks shown in the following table.
You need to check latency between the resources by using connection monitors in Azure Network Watcher.
What is the minimum number of connection monitors that you must create?
A. 1
B. 2
C. 3
D. 4
E. 5
Answer :
C
Explanation:
In the UK West region we have a single virtual machine, VM2.
In the East US region we have two virtual machines, VM1 and VM3, and App1.
Connection monitor resource: A region-specific Azure resource. All the following entities are properties of a connection monitor resource.
Endpoint: A source or destination that participates in connectivity checks. Examples of endpoints include Azure VMs, on-premises agents, URLs, and IP addresses.
Reference:
https://docs.microsoft.com/en-us/azure/network-watcher/connection-monitor-overview
Question 101 (Testlet 9)
Case Study -
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must
manage your time to ensure that you are able to complete all questions included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about
the scenario that is described in the case study. Each question is independent of the other questions in this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot
return to this section.
To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays
information such as business requirements, existing environment, and problem statements. When you are ready to answer a question, click the Question button to return to the question.
Overview -
Contoso, Ltd. is a consulting company that has a main office in San Francisco and a branch office in Dallas.
Contoso recently purchased an Azure subscription and is performing its first pilot project in Azure.
Existing Environment -
Contoso has an Azure Active Directory (Azure AD) tenant named contoso.com.
The Azure subscription contains the virtual networks shown in the following table.
The Azure subscription contains virtual machines that run Windows Server 2019 as shown in the following table.
The NSGs are associated to the network interfaces on the virtual machines. Each NSG has one custom security rule that allows RDP connections from the
internet. The firewall on each virtual machine allows ICMP traffic.
An application security group named ASG1 is associated to the network interface of VM1.
The Azure subscription contains the Azure private DNS zones shown in the following table.
Zone1.contoso.com has the virtual network links shown in the following table.
The Azure subscription contains additional resources as shown in the following table.
Requirements -
Create a virtual network named Vnet6 in West US that will contain the following resources and configurations:
- Allow the resources in Vnet6 to access KeyVault1, DB1, and Vnet1 over the Microsoft backbone network.
The virtual machines in Vnet4 and Vnet5 must be able to communicate over the Microsoft backbone network.
A virtual machine named VM-Analyze will be deployed to Subnet1. VM-Analyze must inspect the outbound network traffic from Subnet2 to the internet.
Configure Azure Active Directory (Azure AD) authentication for Point-to-Site (P2S) VPN users.
Create an NSG named NSG10 that will be associated to Vnet1/Subnet1 and will have the custom inbound security rules shown in the following table.
Create an NSG named NSG11 that will be associated to Vnet1/Subnet2 and will have the custom outbound security rules shown in the following table.
HOTSPOT -
In which NSGs can you use ASG1 and to which virtual machine network interfaces can you associate ASG1? To answer, select the appropriate options in the
answer area.
Hot Area:
Answer :
Question 102 (Testlet 10)
Case Study -
Overview -
Litware, Inc. is a financial company that has a main datacenter in Boston and 20 branch offices across the United States. Users have Android, iOS, and Windows
10 devices.
Existing Environment -
Hybrid Environment -
The on-premises network contains an Active Directory forest named litwareinc.com that syncs to an Azure Active Directory (Azure AD) tenant named litwareinc.com by using Azure AD Connect.
All offices connect to a virtual network named Vnet1 by using a Site-to-Site VPN connection.
Azure Environment -
Litware has an Azure subscription named Sub1 that is linked to the litwareinc.com Azure AD tenant. Sub1 contains resources in the East US Azure region as shown in the following table.
A diagram of the resource in the East US Azure region is shown in the Azure Network Diagram exhibit.
There is bidirectional peering between Vnet1 and Vnet2. There is bidirectional peering between Vnet1 and Vnet3. Currently, Vnet2 and Vnet3 cannot
communicate directly.
Requirements -
Business Requirements -
Litware wants to minimize costs whenever possible, as long as all other requirements are met.
Direct the default route of 0.0.0.0/0 on Vnet2 and Vnet3 to the Boston datacenter over an ExpressRoute circuit.
Ensure that the records in the cloud.litwareinc.com can be resolved from the on-premises locations.
Automatically register the DNS names of Azure virtual machines to the cloud.litwareinc.com zone.
Allow traffic from VMScaleSet1 to VMScaleSet2 on the TCP port 443 only.
Users must be able to connect to Vnet1 by using a Point-to-Site (P2S) VPN when working remotely. Connections must be authenticated by Azure AD.
Latency of the traffic between the Boston datacenter and all the virtual networks must be minimized.
The Boston datacenter must connect to the Azure virtual networks by using an ExpressRoute FastPath connection.
Litware identifies the following networking requirements for platform as a service (PaaS):
The storage1 account must be accessible from all on-premises locations without exposing the public endpoint of storage1.
The storage2 account must be accessible from Vnet2 and Vnet3 without exposing the public endpoint of storage2.
You need to provide access to storage1. The solution must meet the PaaS networking requirements and the business requirements.
A. a private endpoint
B. Azure Traffic Manager
C. Azure Front Door
D. a service endpoint
Answer :
D
Question 103 (Testlet 10)
Case Study -
You need to provide access to storage2. The solution must meet the PaaS networking requirements and the business requirements.
A. a private endpoint
B. Azure Firewall
C. Azure Front Door
D. a service endpoint
Answer :
D
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview
Question 104 (Testlet 10)
Case Study -
HOTSPOT -
You need to implement name resolution for the cloud.litwareinc.com. The solution must meet the networking requirements.
What should you do? To answer, select the appropriate options in the answer area.
Hot Area:
Answer :
Reference:
https://docs.microsoft.com/en-us/azure/dns/private-dns-autoregistration
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances
Question 105 (Question Set 5)
You have the Azure resources shown in the following table.
You configure storage1 to provide access to the subnet in Vnet1 by using a service endpoint.
You need to ensure that you can use the service endpoint to connect to the read-only endpoint of storage1 in the paired Azure region.
Answer :
B
Explanation:
The Azure storage firewall provides access control for the public endpoint of your storage account. You can also use the firewall to block all access through the public endpoint when using private endpoints.
Note: By default, service endpoints work between virtual networks and service instances in the same Azure region. When using service endpoints with Azure
Storage, service endpoints also work between virtual networks and service instances in a paired region.
Reference:
https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security
Question 106 (Question Set 5)
HOTSPOT -
You have the Azure App Service app shown in the App Service exhibit.
The VNet Integration settings for as12 are configured as shown in the Vnet Integration exhibit.
The Private Endpoint connections settings for as12 are configured as shown in the Private Endpoint connections exhibit.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Hot Area:
Answer :
Reference:
https://docs.microsoft.com/en-us/azure/app-service/web-sites-integrate-with-vnet
Question 107 (Question Set 5)
DRAG DROP -
You have an Azure virtual network named Vnet1 that connects to an on-premises network.
You have an Azure Storage account named storageaccount1 that contains blob storage.
You need to configure a private endpoint for the blob storage. The solution must meet the following requirements:
✑ Ensure that all on-premises users can access storageaccount1 through the private endpoint.
Which four actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Answer :
Explanation:
168.63.129.16 is the IP address of Azure DNS which hosts Azure Private DNS zones. It is only accessible from within a VNet which is why we need to forward on-prem DNS requests to the VM running DNS in the
VNet. The VM will then forward the request to Azure DNS for the IP of the storage account private endpoint.
Reference:
https://docs.microsoft.com/en-us/azure/storage/common/storage-private-endpoints
Question 108 (Question Set 5)
You have an Azure virtual network named Vnet1 that has one subnet. Vnet1 is in the West Europe region.
You deploy an Azure App Service app named App1 to the West Europe region.
You need to provide App1 with access to the resources in Vnet1. The solution must minimize costs.
Answer :
D
Reference:
https://docs.microsoft.com/en-us/azure/app-service/web-sites-integrate-with-vnet
Question 109 (Question Set 5)
You have an Azure subscription that is linked to an Azure Active Directory (Azure AD) tenant named contoso.onmicrosoft.com. The subscription contains the following resources:
You create a private endpoint for App1. The record for the endpoint is registered automatically in Azure DNS.
You need to provide a developer with the name that is registered in Azure DNS for the private endpoint.
A. app1.contoso.onmicrosoft.com
B. app1.private.contoso.com
C. app1.privatelink.azurewebsites.net
D. app1.contoso.com
Answer :
C
Question 110 (Question Set 5)
You have Azure App Service apps in the West US Azure region as shown in the following table.
You need to ensure that all the apps can access the resources in a virtual network named VNet1 without forwarding traffic through the internet.
A. 0
B. 1
C. 3
D. 4
E. 6
Answer :
C
Explanation:
One integration subnet is required per App Service Plan regardless of how many apps are running in the App Service Plan.
Reference:
https://docs.microsoft.com/en-us/azure/app-service/overview-vnet-integration
Question 111 (Question Set 5)
HOTSPOT -
You have the Azure environment shown in the Azure Environment exhibit.
The settings for each subnet are shown in the following table.
The Firewalls and virtual networks settings for storage1 are configured as shown in the Storage1 exhibit.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Hot Area:
Answer :
Explanation:
Box 1: Yes -
Box 2: No -
The firewall does not allow VNet1\Subnet2 through the service endpoint.
Box 3: No -
The firewall allows 132.124.53.0/26 which means it allows all IP addresses between 132.124.53.0 and 132.124.53.63. The public IP of VM3 is 132.124.53.76 which is outside the allowed range.
Question 112 (Question Set 5)
DRAG DROP -
You have two Azure subscriptions named Subscription1 and Subscription2. Subscription1 contains a virtual network named Vnet1. Vnet1 contains an application server. Subscription2 contains a virtual network named Vnet2.
You need to provide the virtual machines in Vnet2 with access to the application server in Vnet1 by using a private endpoint.
Which four actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Answer :
Explanation:
Configure your application to run behind a standard load balancer in your virtual network.
Step 2: In Subscription 1, create a private link service and attach the service to the frontend IP configuration of the load balancer.
Step 3: In Subscription 2, create a private endpoint by using the private link service.
Private Link service can be accessed from approved private endpoints in any public region. The private endpoint can be reached from the same virtual network, regionally peered VNets, globally peered VNets and on premises using private VPN or ExpressRoute connections.
Step 4: In Subscription1, accept the private endpoint connection request.
Network connections can be initiated only by clients that are connecting to the private endpoint.
Not:
Incorrect: Enable virtual network peering between Vnet1 and Vnet2.
Reference:
Question 113 (Question Set 5)
You have an Azure subscription that is linked to an Azure Active Directory (Azure AD) tenant named contoso.onmicrosoft.com. The subscription contains the following resources:
✑ Virtual machines on Vnet1 that cannot communicate outside the virtual network
You need to ensure that the virtual machines on Vnet1 can access webapp1 by using a URL of https://www.private.contoso.com.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
Answer :
EF
Explanation:
E: You can use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone can be linked to your virtual network to resolve specific domains.
When you use Private Endpoint for Web App, the requested URL must match the name of your Web App. When you deploy a Private Endpoint, we update the
DNS entry to point to the canonical name mywebapp.privatelink.azurewebsites.net. For example, the name resolution will be (Name, Type, Value): mywebapp.azurewebsites.net CNAME
mywebapp.privatelink.azurewebsites.net
Reference:
https://docs.microsoft.com/en-us/azure/app-service/networking/private-endpoint
Question 114 (Question Set 5)
You have an Azure Front Door instance named FD1 that is protected by using Azure Web Application Firewall (WAF).
FD1 uses a frontend host named app1.contoso.com to provide access to Azure web apps hosted in the East US Azure region and the West US Azure region.
You need to configure FD1 to block requests to app1.contoso.com from all countries other than the United States.
Answer :
A