AZ-700 Online Practice Questions and Answers

Correct Answer: AD

Reference: https://docs.microsoft.com/en-us/azure/vpn-gateway/bgp-howto

Correct Answer: C

Reference: https://docs.microsoft.com/en-us/azure/application-gateway/url-route-overview

Correct Answer: BD

Reference: https://docs.microsoft.com/en-us/azure/virtual-network/service-tags-overview

Correct Answer: A

The rules are same for all virtual machines, so one NSG should suffice the requirement.

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview

Correct Answer: B

Priority settings can be any number between 100 and 65000. With 100 being the highest priority.

Correct Answer: D

VM2 is in VNET2. VNET2 is peered with VNET1. So, VM2 can connect to VM1.

VM2 is in VNET2. VNET2 is peered with VNET1 with gateway transit enabled. So, VM2 can connect to on-premises datacenter.

VM2 is in VNET2. VNET2 is peered with VNET3. So, VM2 can connect to VM3.

https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-peering-gateway-transit?toc=/azure/virtual- network/toc.json

Correct Answer: C

Correct Answer(s):

Connection monitor - Connection Monitor provides you RTT values on a per-minute granularity. The connection monitor capability monitors communication at a regular interval and informs you of reachability, latency, and network topology

changes between the VM and the endpoint.

https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview#monitoring

Wrong Answers:

IP flow verify - IP flow verify checks if a packet is allowed or denied to or from a virtual machine.

Connection troubleshoot -- Enable you to troubleshoot network performance and connectivity issues in Azure.

NSG flow logs - allows you to log information about IP traffic flowing through an NSG.

Correct Answer: BF

Virtual network peering is a non-transitive relationship between two virtual networks. You can configure spokes to use the hub gateway to communicate with remote networks. To allow gateway traffic to flow from spoke to hub and connect to

remote networks, you must:

Configure the peering connection in the hub to allow gateway transit.

Configure the peering connection in each spoke to use remote gateways.

Configure all peering connections to allow forwarded traffic.

Below is the sample code.

# Peer hub to spoke

Add-AzVirtualNetworkPeering -Name HubtoSpoke -VirtualNetwork $VNetHub -RemoteVirtualNetworkId $VNetSpoke.Id -AllowGatewayTransit

# Peer spoke to hub

Add-AzVirtualNetworkPeering -Name SpoketoHub -VirtualNetwork $VNetSpoke -RemoteVirtualNetworkId $VNetHub.Id -AllowForwardedTraffic UseRemoteGateways

https://docs.microsoft.com/en-us/azure/firewall/tutorial-hybrid-ps#peer-the-hub-and-spoke-virtual-networks https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/hub- spoke?tabs=cli#virtual-networkpeering

Wrong Answers:

Code Block1: -AllowForwardedTraffic and Code Block2: -AllowForwardedTraffic

Allow forwarded traffic is used if you require connectivity between spokes. You can create routes to forward traffic from the spoke to the firewall or network virtual appliance, which can then route to the second spoke.

Correct Answer: D

Azure Load Balancer rules require a health probe to detect the endpoint status. The configuration of the health probe and probe responses determines which backend pool instances will receive new connections. Use health probes to detect

the failure of an application. Generate a custom response to a health probe. Use the health probe for flow control to manage load or planned downtime. When a health probe fails, the load balancer will stop sending new connections to the

respective unhealthy instance. Outbound connectivity isn't affected, only inbound.

Add a TCP health probe

In this example, you'll create a TCP health probe to monitor port 80.

1.

Sign in to the Azure portal.

2.

In the search box at the top of the portal, enter Load balancer. Select Load balancers in the search results.

3.

Select myLoadBalancer or your load balancer.

4.

In the load balancer page, select Health probes in Settings.

5.

Select + Add in Health probes to add a probe.

6.

Etc.

Reference: https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-custom-probe-overview https://learn.microsoft.com/en-us/azure/load-balancer/manage-probes-how-to

Correct Answer: AB

Virtual network peering seamlessly connects two Azure virtual networks, merging the two virtual networks into one for connectivity purposes. Gateway transit is a peering property that lets one virtual network use the VPN gateway in the peered virtual network for cross-premises or VNet-to-VNet connectivity. The following diagram shows how gateway transit works with virtual network peering.

In the diagram, gateway transit allows the peered virtual networks to use the Azure VPN gateway in Hub-RM. Connectivity available on the VPN gateway, including S2S, P2S, and VNet-to-VNet connections,

Reference: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-peering-gateway-transit

Correct Answer: A

NAT gateway provides outbound internet connectivity for one or more subnets of a virtual network. Once NAT gateway is associated to a subnet, NAT provides source network address translation (SNAT) for that subnet. NAT gateway

specifies which static IP addresses virtual machines use when creating outbound flows.

Plan:

Stage 1: Create a NAT gateway

Stage 2: Edit subnet subnet3-2 and link it to the NAT gateway

Stage 1: Create a NAT gateway

Step 1: Sign in to the Azure portal.

Step 2: In the search box at the top of the portal, enter NAT gateway. Select NAT gateways in the search results.

Step 3: Select + Create.

Step 4: In Create network address translation (NAT) gateway, enter or select this information in the Basics tab:

* NAT gateway name: Enter myNATgateway

Step 5: Select the Outbound IP tab, or select the Next: Outbound IP button at the bottom of the page.

Step 6: In the Outbound IP tab, enter or select the following information:

Public IP addresses - Select Create a new public IP address.

In Name, enter myPublicIP.

Select OK.

Step 7: Select the Review + create tab, or select the blue Review + create button at the bottom of the page.

Step 8: Select Create.

Stage 2: Edit subnet subnet3-2 and link it to the NAT gateway

Change subnet settings

Step 1: Go to the Azure portal to view your virtual networks. Search for and select Virtual networks.

Step 2: Select the name of the virtual network containing the subnet you want to change.

Step 3: From Settings, select Subnets.

Step 4: In the list of subnets, select the subnet you want to change settings for. Here choose subnet3-2 connect.

Step 5: In the subnet page, change the NAT Gateway to myNATgateway (the one we created in Stage 1).

Step 6: Select Save.

Reference:

https://learn.microsoft.com/en-us/azure/virtual-network/nat-gateway/nat-gateway-resource https://learn.microsoft.com/en-us/azure/virtual-network/nat-gateway/quickstart-create-nat-gateway-portal

Correct Answer: A

Azure Front Door web application firewall (WAF) protects web applications from common vulnerabilities and exploits. Azure-managed rule sets provide an easy way to deploy protection against a common set of security threats.

You can restrict access to your web applications by country/region.

Plan:

Stage 1: Create a WAF policy Stage 2: Create a custom WAF Geo location rule that blocks all traffic outside Canada Stage 3: Create a custom WAF Geo location rule that allows traffic from Canada

First, create a basic WAF policy with a managed Default Rule Set (DRS) using the Azure portal.

Step 1: On the upper left side of the portal, select Create a resource. Search for WAF, select Web Application Firewall, then select Create.

Step 2: On Create a WAF policy page, Basics tab, enter or select the following information and accept the defaults for the remaining settings:

* details omitted *

Step 3: On the Association tab, select Add association, then select one of the following settings:

Application Gateway: Select the application gateway, and then select Add.

HTTP Listener: Select the application gateway, select the listeners, then select Add.

Route Path: Select the application gateway, select the listener, select the routing rule, and then select Add.

Step 4: Select Review + create, then select Create.

Stage 2: Create a custom WAF Geo location rule that blocks all traffic outside Canada Configure WAF rules When you create a WAF policy, by default it is in Detection mode. In Detection mode, WAF doesn't block any requests. Instead, the matching WAF rules are logged in the WAF logs. To see WAF in action, you can change the mode settings to Prevention. In Prevention mode, matching rules defined in the CRS Ruleset you selected are blocked and/or logged in the WAF logs.

Custom rules

Step 5: To create a custom rule, select Add custom rule under the Custom rules tab. This opens the custom rule configuration page.

Step 6: To create a geo-filtering custom rule in the Azure portal, simply select Geo location as the Match Type, and then select the country/region or countries/regions you want to allow/block from your application. Step 7: Select Add Custom rule

Step 8: Select Geo location

Create your Custom Rule with an appropriate name and priority, then choose ‘Geo location’ from the Match type drop down as above. Next, you’ll want to ensure you choose RemoteAddr as the match variable, and decide what logic you want to apply. By logic I mean the pattern that will fire the rule. In this example, I want all traffic except Ireland blocked. So I will choose the Operation ‘Is not’, then location Ireland, then Deny. If I wanted all traffic allowed and Ireland blocked, I would simply choose the Operation ‘Is’. I recommend figuring out your pattern then working your way through the final section of the CR.

Step 9: Set Match variable to Canada, choose IS NOT, Choose country Canada, and finally Then: Deny traffic.

Step 10: Repeat steps 5 to 9 but instead use: Operation: IS Country/Region: Canada Then: Allow traffic

Stage 3: Create a custom WAF Geo location rule that allows traffic from Canada

Step 11: Finish the creation of the policy. Click Review+Create

Reference: https://learn.microsoft.com/en-us/azure/web-application-firewall/afds/waf-front-door-drs https://wedoazure.ie/2021/08/09/how-to-enable-web-application-firewall-geomatch-custom-rules/ https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/create-waf-policy-ag

Correct Answer:

Box 1: Global Reach

ExpressRoute Global Reach is the service where if you have two datacenters, which are located at different geo-locations and both are connected to Microsoft Azure via Express Route then these two datacenters can also connect to each

other securely via Microsoft's backbone.

Incorrect:

FastPath is designed to improve the data path performance between your on-premises network and your virtual network. When enabled, FastPath sends network traffic directly to virtual machines in the virtual network, bypassing the gateway.

Box 2: Private

With ExpressRoute Global Reach, you can link ExpressRoute circuits together to make a private network between your on-premises networks.

Reference:

https://docs.microsoft.com/en-us/azure/expressroute/expressroute-global-reach

Correct Answer:

Correct Answer:

Reference: https://docs.microsoft.com/en-us/azure/frontdoor/front-door-custom-domain#associate-the-custom-domain-with-your-front-door https://docs.microsoft.com/en-us/azure/frontdoor/quickstart-create-front-door