AZ-700 Designing and Implementing Microsoft Azure Networking Solutions - Part 1


Practice Questions

Question (Page 2): AZ-700 Exam Question 1 Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen. You have an Azure application gateway that has Azure Web Application Firewall (WAF) enabled. You configure the application gateway to direct traffic to the URL of the application gateway. You attempt to access the URL and receive an HTTP 403 error. You view the diagnostics log and discover the following error. You need to ensure that the URL is accessible through the application gateway. Solution: You create a WAF policy exclusion for request headers that contain 137.135.10.24. Does this meet the goal?

A. No

B. Yes

Answers: 1



Question (Page 2): AZ-700 Exam Question 2 Which virtual machines can VM1 and VM4 ping successfully? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Answers:



Question (Page 2): AZ-700 Exam Question 3 You have the Azure resources shown in the following table. You configure storage1 to provide access to the subnet in Vnet1 by using a service endpoint. You need to ensure that you can use the service endpoint to connect to the read-only endpoint of storage1 in the paired Azure region. What should you do first?

A. Create another service endpoint.

B. Fail over storage1 to the paired Azure region.

C. Configure the firewall settings for storage1.

D. Create a virtual network in the paired Azure region.

Answers: 3



Question (Page 2): AZ-700 Exam Question 4 You need to implement a P2S VPN for the users in the branch office. The solution must meet the hybrid networking requirements. What should you do? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Answers:

Explanation: Reference: https://docs.microsoft.com/en-us/azure/vpn-gateway/openvpn-azure-ad-tenant


Question (Page 2): AZ-700 Exam Question 5 Your on-premises network contains an Active Directory Domain Services (AD DS) domain named contoso.com that has an internal certification authority (CA). You have an Azure subscription. You deploy an Azure application gateway named AppGwy1 and perform the following actions: * Configure an HTTP listener. * Associate a routing rule with the listener. You need to configure AppGwy1 to perform mutual authentication for requests from domain-joined computers to contoso.com. Which four actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

Answers:

Explanation: 1 - From AppGwy1, create a frontend IP configuration. 2 - From AppGwy1, create an SSL profile. 3 - From an on-premises computer, upload a certificate to AppGwy1. 4 - From AppGwy1, add an HTTP listener and associate the listener to the SSL profile.


Question (Page 3): AZ-700 Exam Question 6 You have an Azure subscription that contains a virtual network named VNet1. VNet1 contains the resources shown in the following table. You need to publish App1 by using AG1 and a URL of https://app1.contoso.com. The solution must meet the following requirements: * TLS connections must terminate on AG1. * Minimize the number of targets in the backend pool of AG1. * Minimize the number of deployed copies of the SSL certificate of App1. How many locations should you import to the certificate, and how many targets should you add to the backend pool of AG1? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Answers:



Question (Page 3): AZ-700 Exam Question 7 You have the Azure firewall shown in the following exhibit. Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic. NOTE: Each correct selection is worth one point.

Answers:



Question (Page 3): AZ-700 Exam Question 8 You have an Azure virtual network named Vnet1 that contains two subnets named Subnet1 and Subnet2. You have the NAT gateway shown in the NATgateway1 exhibit. You have the virtual machine shown in the VM1 exhibit. Subnet1 is configured as shown in the Subnet1 exhibit. For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.

Answers:

Explanation:

Box 1: No. VM1 is in Zone2 whereas the NAT Gateway is in Zone1. The VM would need to be in the same zone as the NAT Gateway to be able to use it. Therefore, VM1 cannot use the NAT gateway.

Box 2: Yes. NATgateway1 is configured in the settings for Subnet2.

Box 3: No. The NAT gateway does not have a single public IP address; it has an IP prefix, which means more than one IP address. The VMs that use the NAT Gateway can use different public IP addresses contained within the IP prefix.

Reference: https://docs.microsoft.com/en-us/azure/virtual-network/nat-gateway/nat-gateway-resource


Question (Page 3): AZ-700 Exam Question 9 You have an on-premises DNS server named Server1 that hosts a primary DNS zone named fabrikam.com. You have an Azure subscription that contains the resources shown in the following table. Users on the on-premises network access resources on all the virtual networks by using a Site-to-Site (S2S) VPN. You need to deploy an Azure DNS Private Resolver solution that meets the following requirements: * Resources connected to the virtual networks must be able to resolve DNS names for fabrikam.com. * Server1 must be able to resolve the DNS names of the resources in contoso.com. * The solution must minimize costs and administrative effort. What is the minimum number of resolvers you should deploy?

A. 1

B. 3

C. 2

D. 4

Answers: 3



Question (Page 3): AZ-700 Exam Question 10 You have an Azure subscription that contains multiple virtual machines in the West US Azure region. You need to use Traffic Analytics. Which two resources should you create? Each correct answer presents part of the solution. (Choose two.) NOTE: Each correct answer selection is worth one point.

A. an Azure Monitor workbook

B. a Log Analytics workspace

C. a storage account

D. an Azure Sentinel workspace

Answers: 2,3

Explanation: Reference: https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics A storage account is used to store network security group flow logs. A Log Analytics workspace is used by Traffic Analytics to store the aggregated and indexed data that is then used to generate the analytics. https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics#enable-flow-log-settings


Question (Page 4): AZ-700 Exam Question 11 You have an Azure Front Door instance that provides access to a web app. The web app uses a hostname of www.contoso.com. You have the routing rules shown in the following table. Which rule will apply to each incoming request? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Answers:

Explanation: Reference: https://docs.microsoft.com/en-us/azure/frontdoor/front-door-route-matching


Question (Page 4): AZ-700 Exam Question 12 Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen. You have two Azure virtual networks named Vnet1 and Vnet2. You have a Windows 10 device named Client1 that connects to Vnet1 by using a Point-to-Site (P2S) IKEv2 VPN. You implement virtual network peering between Vnet1 and Vnet2. Vnet1 allows gateway transit. Vnet2 can use the remote gateway. You discover that Client1 cannot communicate with Vnet2. You need to ensure that Client1 can communicate with Vnet2. Solution: You reset the gateway of Vnet1. Does this meet the goal?

A. Yes

B. No

Answers: 2

Explanation: The VPN client must be downloaded again if any changes are made to VNet peering or the network topology. Reference: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-point-to-site-routing


Question (Page 4): AZ-700 Exam Question 13 You have an on-premises network named Site1. You have an Azure subscription that contains a storage account named storage1 and a virtual network named VNet1. VNet1 contains a subnet named Subnet1. A private endpoint for storage1 is connected to Subnet1. Site1 is connected to VNet1 by using a Site-to-Site (S2S) VPN. You need to control access to storage1 from Site1 by using network security groups (NSGs). What should you do first?

A. Configure a network policy for private endpoints on Subnet1.

B. Associate a NAT gateway with Subnet1.

C. Associate a route table with Subnet1.

D. Create a subnet delegation on Subnet1.

Answers: 3



Question (Page 4): AZ-700 Exam Question 14 You have Azure virtual networks in the East US Azure region as shown in the following table. The virtual networks are peered to one another. Each virtual network contains four subnets. You plan to deploy a virtual machine named VM1 that will inspect and route traffic between all the subnets on both the virtual networks. What is the minimum number of IP addresses that you must assign to VM1?

A. 1

B. 2

C. 4

D. 8

Answers: 2

Explanation: Topic 1, Contoso Case Study 2

Overview

This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.

To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other questions in this case study.

At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.

To start the case study

To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. If the case study has an All Information tab, note that the information displayed is identical to the information displayed on the subsequent tabs. When you are ready to answer a question, click the Question button to return to the question.

Existing Environment: Azure Network Infrastructure

Contoso has an Azure Active Directory (Azure AD) tenant named contoso.com. The Azure subscription contains the virtual networks shown in the following table. Vnet1 contains a virtual network gateway named GW1.

Azure Virtual Machines

The Azure subscription contains virtual machines that run Windows Server 2019 as shown in the following table. The NSGs are associated to the network interfaces on the virtual machines. Each NSG has one custom security rule that allows RDP connections from the internet. The firewall on each virtual machine allows ICMP traffic. An application security group named ASG1 is associated to the network interface of VM1.

Azure Private DNS Zones

The Azure subscription contains the Azure private DNS zones shown in the following table. Zone1.contoso.com has the virtual network links shown in the following table.

Other Azure Resources

The Azure subscription contains additional resources as shown in the following table.

Requirements: Virtual Network Requirements

Contoso has the following virtual networks requirements:

* Create a virtual network named Vnet6 in West US that will contain the following resources and configurations:
  * Two container groups that connect to Vnet6
  * Three virtual machines that connect to Vnet6
  * Allow VPN connections to be established to Vnet6
  * Allow the resources in Vnet6 to access KeyVault1, DB1, and Vnet1 over the Microsoft backbone network
* The virtual machines in Vnet4 and Vnet5 must be able to communicate over the Microsoft backbone network.
* A virtual machine named VM-Analyze will be deployed to Subnet1. VM-Analyze must inspect the outbound network traffic from Subnet2 to the internet.

Network Security Requirements

Contoso has the following network security requirements:

* Configure Azure Active Directory (Azure AD) authentication for Point-to-Site (P2S) VPN users.
* Enable NSG flow logs for NSG3 and NSG4.
* Create an NSG named NSG10 that will be associated to Vnet1/Subnet1 and will have the custom inbound security rules shown in the following table.
* Create an NSG named NSG11 that will be associated to Vnet1/Subnet2 and will have the custom outbound security rules shown in the following table.


Question (Page 4): AZ-700 Exam Question 15 You have an Azure subscription that contains an Azure App Service app. The app uses a URL of https://www.contoso.com. You need to use a custom domain on Azure Front Door for www.contoso.com. The custom domain must use a certificate from an allowed certification authority (CA). What should you include in the solution?

A. an enterprise application in Azure Active Directory (Azure AD)

B. Active Directory Certificate Services (AD CS)

C. Azure Key Vault

D. Azure Application Gateway

Answers: 3

Explanation: Reference: https://docs.microsoft.com/en-us/azure/frontdoor/front-door-custom-domain-https


Question (Page 5): AZ-700 Exam Question 16 You have the Azure resources shown in the following table. You need to link VNet2 to Circuit1. What should you create in each subscription? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Answers:



Question (Page 5): AZ-700 Exam Question 17 You have an Azure firewall shown in the following exhibit. Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic. NOTE: Each correct selection is worth one point.

Answers:

Explanation:

Box 1: If forced tunneling was enabled, the Firewall Subnet would be named AzureFirewallManagementSubnet. Forced tunneling can only be enabled during the creation of the firewall. It cannot be enabled after the firewall has been deployed.

Box 2: The "Visit Azure Firewall Manager to configure and manage this firewall" link in the exhibit shows that the firewall is managed by Azure Firewall Manager.


Question (Page 5): AZ-700 Exam Question 18 Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen. You have an Azure application gateway that has Azure Web Application Firewall (WAF) enabled. You configure the application gateway to direct traffic to the URL of the application gateway. You attempt to access the URL and receive an HTTP 403 error. You view the diagnostics log and discover the following error. You need to ensure that the URL is accessible through the application gateway. Solution: You configure a custom cookie and an exclusion rule. Does this meet the goal?

A. Yes

B. No

Answers: 1



Question (Page 5): AZ-700 Exam Question 19 Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen. You have an Azure application gateway that has Azure Web Application Firewall (WAF) enabled. You configure the application gateway to direct traffic to the URL of the application gateway. You attempt to access the URL and receive an HTTP 403 error. You view the diagnostics log and discover the following error. You need to ensure that the URL is accessible through the application gateway. Solution: You create a WAF policy exclusion for request headers that contain 137.135.10.24. Does this meet the goal?

A. Yes

B. No

Answers: 2

Explanation: The parameter here should be RemoteAddr, not Request header. https://docs.microsoft.com/en-us/azure/web-application-firewall/ag/custom-waf-rules-overview#match-variable-


Question (Page 5): AZ-700 Exam Question 20 You have an Azure virtual network named Vnet1 that contains two subnets named Subnet1 and Subnet2. Both subnets contain virtual machines. You create a NAT gateway named NATgateway1 as shown in the following exhibit. Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic. NOTE: Each correct selection is worth one point.

Answers:



Question (Page 6): AZ-700 Exam Question 21 You are configuring two network virtual appliances (NVAs) in an Azure virtual network. The NVAs will be used to inspect all the traffic within the virtual network. You need to provide high availability for the NVAs. The solution must minimize administrative effort. What should you include in the solution?

A. Azure Standard Load Balancer

B. Azure Traffic Manager

C. Azure Application Gateway

D. Azure Front Door

Answers: 1

Explanation: Reference: https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/dmz/nva-ha?tabs=cli


Question (Page 6): AZ-700 Exam Question 22 Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen. You have an Azure application gateway that has Azure Web Application Firewall (WAF) enabled. You configure the application gateway to direct traffic to the URL of the application gateway. You attempt to access the URL and receive an HTTP 403 error. You view the diagnostics log and discover the following error. You need to ensure that the URL is accessible through the application gateway. Solution: You disable the WAF rule that has a ruleId of 920300. Does this meet the goal?

A. Yes

B. No

Answers: 1



Question (Page 6): AZ-700 Exam Question 23 You have an Azure subscription. The subscription contains virtual machines that host websites as shown in the following table. You have the Azure Traffic Manager profiles shown in the following table. You have the endpoints shown in the following table. For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.

Answers:



Question (Page 6): AZ-700 Exam Question 24 You need to configure the default route in Vnet2 and Vnet3. The solution must meet the virtual networking requirements. What should you use to configure the default route?

A. a user-defined route assigned to GatewaySubnet in Vnet2 and Vnet3

B. a user-defined route assigned to GatewaySubnet in Vnet1

C. BGP route exchange

D. route filters

Answers: 3

Explanation: Vnet1 will get the default route from BGP and propagate it to Vnet2 and Vnet3.


Question (Page 6): AZ-700 Exam Question 25 Your company has offices in Montreal, Seattle, and Paris. The outbound traffic from each office originates from a specific public IP address. You create an Azure Front Door instance named FD1 that has Azure Web Application Firewall (WAF) enabled. You configure a WAF policy named Policy1 that has a rule named Rule1. Rule1 applies a rate limit of 100 requests for traffic that originates from the office in Montreal. You need to apply a rate limit of 100 requests for traffic that originates from each office. What should you do?

A. Modify the conditions of Rule1.

B. Create two additional associations.

C. Modify the rule type of Rule1.

D. Modify the rate limit threshold of Rule1.

Answers: 1

Explanation: Reference: https://techcommunity.microsoft.com/t5/azure-network-security-blog/rate-limiting-feature-for-azure-waf-on-application-gateway-now/ba-p/3934957#:~:text=Rate%20limiting%20is%20configured%20using,and%20a%20group%20by%20variable.

