Exam Code: AZ-700
Exam Name: Designing and Implementing Microsoft Azure Networking Solutions
Certification Provider: Microsoft
Free Question Number: 92
Version: v2024-02-19
Recent Comments (The most recent comments are at the top.)
No.# D. Set IPsec / IKE policy to Custom.
In order to ensure that the on-premises network can connect to the route-based virtual network gateway, you need to set the IPsec / IKE policy to Custom. The default policy settings for a virtual network gateway are not compatible with policy-based VPN devices. By setting the IPsec / IKE policy to Custom, you can configure the policy to match the requirements of the on-premises VPN devices.
Option A, "Set Connection Mode to ResponderOnly," is not a valid option for a route-based VPN gateway.
Option B, "Set BGP to Enabled," is not necessary to enable connectivity between a route-based gateway and a policy-based VPN device.
Option C, "Set Use Azure Private IP Address to Enabled," is not relevant to this scenario. This setting is used to specify whether the virtual network gateway should use a private or public IP address for the VPN connection.
No.# typo* I meant C
No.# 3 Backend Pools | 3 Rules
I believe this is a Classic Front Door question. The first reference link provides an overview of classic routing. The question shows we have a single frontend (contoso.azurefd.net) and there are three paths - /uk, /us, and /images.
The second link shows the three paths would each be a separate rule.
Regarding the number of backend pools, the question states, "...must be routed to [App1uk or App1us]" for the two App Services. The third link does not indicate there is a way to route traffic to a specific app service based on location. However, if we put each app service in its own backend pool, we can have the path rule route to the correct App Service every time. The Latency routing logic is fine for storage accounts, but not the App Services based on the question requirements.
References
https://learn.microsoft.com/en-us/azure/frontdoor/front-door-routing-architecture?pivots=front-door-classic
https://learn.microsoft.com/en-us/azure/frontdoor/front-door-route-matching?pivots=front-door-classic#frontend-host-matching
https://learn.microsoft.com/en-us/azure/frontdoor/routing-methods...
No.# all GW types and Bastion must have dedicated subnets
No.# Answer seems correct,
Y - it will go through VA which is firewall
Y - there is a peering, so subnet and subnet2 can communicate
N - there is no route for subnet 2 through VA/firewall
No.# The correct answer is route based and two virtual network gateways - one for ExpressRoute connection (ExpressRoute virtual network gateway) and the second for the VPN connection (VPN virtual network gateway).
Check the architecture and read the description at the source.
Source: https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/expressroute-vpn-failover
No.# Answer is 1 STD VWAN + 2 vHUBS and 4 VPNGWY and ER GWY
1 Standard VWAN as it will cross region support and hence connect both regions
2 vHUBS - each region will require one
4 Gateways - Most people I witnessed get this one wrong, even in other questions related to VPN. One MUST know that when you create an ER or S2S connection, the gateways for ER and S2S are different, and hence you need to create one for each. So here 1 for ER and 1 for S2S in each region, so the total is 4.
No.# 1 group: Multi-region active/active deployment: Create a single origin group. Within that origin group, create an origin for each of the App Service apps.
2 origins: Your App Service app might be configured to scale out across worker instances, but from Front Door's perspective there's a single origin.
https://learn.microsoft.com/en-us/azure/frontdoor/front-door-faq
No.# A. a route table associated to Subnet1-1 and Subnet2-1
No.# Tested
NSG1, NSG2, and NSG5 only : ASG and NSG must be in the same region
VM2 only : network interfaces attached to an ASG must be in the same vNet.
https://docs.microsoft.com/en-us/azure/virtual-network/application-security-groups
No.# You can share an ExpressRoute circuit across multiple subscriptions.
The circuit owner is the administrator/coadministrator of the subscription in which the ExpressRoute circuit is created. The circuit owner can authorize administrators/coadministrators of other subscriptions, referred to as circuit users, to use the dedicated circuit that they own. Circuit users who are authorized to use the organization's ExpressRoute circuit can link the virtual network in their subscription to the ExpressRoute circuit after they're authorized.
https://learn.microsoft.com/en-us/azure/expressroute/expressroute-howto-linkvnet-classic#administration
Sub1 : An ExpressRoute circuit connection authorization
Sub2 : An ExpressRoute circuit connection
No.# Answer is B.
The Connection Monitor is established per region.
And depending on the region we can connect multiple VMs, VMSS, endpoints and on-premises devices. Since we have two regions only, we will need two Connection Monitors.
No.# Select Performance routing when you have endpoints in different geographic locations and you want end users to use the "closest" endpoint for the lowest network latency.
Select Geographic routing to direct users to specific endpoints (Azure, External, or Nested) based on where their DNS queries originate from geographically. With this routing method, it enables you to be in compliance with scenarios such as data sovereignty mandates, localization of content & user experience and measuring traffic from different regions.
No.# Virtual Wan requires a Wan Hub Gateway, so Gateway1 should be deleted (after the new gateway is connected).
https://learn.microsoft.com/en-us/azure/virtual-wan/migrate-from-hub-spoke-topology#step-5-transition-connectivity-to-virtual-wan-hub
No.# : A Secret in Azure Key Vault + FD93.azurefd.net
Source: https://learn.microsoft.com/en-us/azure/frontdoor/front-door-custom-domain-https
No.# Y,N,Y,
https://learn.microsoft.com/en-us/azure/private-link/create-private-link-service-portal
https://learn.microsoft.com/en-us/azure/private-link/private-link-overview
No.# The correct answers are:
A. an allow rule that has the IP address range of Vnet1 as the source and destination of Sql.EastUS
D. a deny rule that has the IP address range of Vnet1 as the source and destination of Storage
Explanation:
A. This allow rule will permit the virtual machines in Vnet1 to access the Azure SQL resources in the East US region. The source and destination of the rule should be the IP address range of Vnet1, which will allow the VMs to communicate with the SQL resources.
D. This deny rule will prevent the virtual machines in Vnet1 from accessing any Azure Storage resources. The source and destination of the rule should be the IP address range of Vnet1, which will block the VMs from communicating with the Storage resources.
B. This deny rule is not necessary, as the default behavior of an NSG is to deny any traffic that is not explicitly allowed. There is no need to create a separate deny rule for the VirtualNetwork source and Sql destination.
C. This deny rule is not relevant to the given scenario, as it would block access to the 168.63.129.0/24 IP address range, which is used for internal Azure infrastructure purposes and not related to the requirement of restricting access to Azure Storage resources.
Therefore, the two outbound NSG rules that should be created are the allow rule for Vnet1 to Sql.EastUS (A) and the deny rule for Vnet1 to Storage (D).
Citations:
[1] https://learn.microsoft.com/en-us/sql/relational-databases/security/ledger/ledger-nsg-policies-configure?view=sql-server-ver16
[2] https://learn.microsoft.com/en-us/azure/azure-sql/database/vnet-service-endpoint-rule-overview?view=azuresql
[3] https://www.cloudbolt.io/azure-costs/azure-nsg/
[4] https://learn.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works
[5] https://www.site24x7.com/learn/azure-network-security-groups.html...
No.# The correct answer is: B. Create a new subnet. Explanation:
Create a New Subnet First: The question states that Vnet1 currently has "one subnet". To provide App1 with access to the resources in Vnet1, a new subnet needs to be created within Vnet1 first.
Subnet is Required for Private Link: The search results indicate that to use a private link, a private endpoint needs to be created in a subnet within the virtual network. Therefore, creating a new subnet is a necessary first step before configuring the private link.
No.# To configure the LNG1 (Local Network Gateway) in this scenario, you should follow these steps:
Specify the on-premises network address space:
The on-premises network contains two subnets: Subnet1 (192.168.10.0/24) and Subnet2 (192.168.20.0/24).
You should configure the LNG1 local network gateway with the combined address space of these two subnets, which is 192.168.10.0/23.
Specify the on-premises gateway IP address:
The on-premises network contains a firewall named FW1 that uses a public IP address of 131.107.100.200.
You should configure the LNG1 local network gateway with the public IP address of the FW1 firewall, which is 131.107.100.200.
No.# disassociate pip1...
change pip sku to standard
associate pip1..