Microsoft

AZ-700 — Designing and Implementing Microsoft Azure Networking Solutions Study Guide

341 practice questions Updated 2026-02-19 $19 (70% off) HTML + PDF formats

AZ-700 Exam Overview

Prepare for the Microsoft AZ-700 certification exam with our comprehensive study guide. This study material contains 341 practice questions sourced from real exams and expert-verified for accuracy. Each question includes the correct answer and a detailed explanation to help you understand the material thoroughly.

The AZ-700 exam — Designing and Implementing Microsoft Azure Networking Solutions — is offered by Microsoft. Passing this exam earns you the Microsoft Certified: Azure Network Engineer Associate credential, an industry-recognized certification that validates your expertise. Our study materials were last updated on 2026-02-19 to reflect the most recent exam objectives and content.

What You Get

341 Practice Questions

Complete question bank covering all exam domains and objectives.

HTML + PDF Formats

Interactive HTML file (recommended) for screen study and a print-ready PDF.

Instant Download

Access your study materials immediately after purchase.

Email with Permanent Download Links

You will receive a confirmation email with permanent download links in case you want to download the files again in the future.

Why Choose CheapestExamDumps?

Lowest Price Available

Only $19 per exam — competitors charge $50-$300 for similar content.

Updated Monthly

Study materials refreshed within 30 days of any exam content changes.

Free Preview

Try 15 real practice questions before you buy — no signup required.

Instant Access

Download HTML + PDF immediately after payment. No waiting, no account needed.

About the Microsoft Certified: Azure Network Engineer Associate

The Microsoft Certified: Azure Network Engineer Associate is awarded by Microsoft to professionals who demonstrate competence in the skills measured by the AZ-700 exam. According to the official Microsoft certification page, this certification validates your ability to work with the technologies covered in the exam objectives.

According to the Global Knowledge IT Skills and Salary Report, certified IT professionals earn 15-25% more than their non-certified peers. Certifications from Microsoft are among the most recognized credentials in the IT industry, with strong demand across enterprise organizations worldwide.

$63 $19

One-time payment · HTML + PDF · Instant download · 341 questions

Free Sample — 15 Practice Questions

Preview 15 of 341 questions from the AZ-700 exam. Try before you buy — purchase the full study guide for all 341 questions with answers and explanations.

Question 367

DRAG DROP - You have Azure virtual networks named Hub1 and Spoke1. Hub1 connects to an on-premises network by using a Site-to-Site VPN connection. You are implementing peering between Hub1 and Spoke1. You need to ensure that a virtual machine connected to Spoke1 can connect to the on-premises network through Hub1. How should you complete the PowerShell script? To answer, drag the appropriate values to the correct targets. Each value may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content. NOTE: Each correct selection is worth one point. Select and Place:

Illustration for AZ-700 question 367
Correct Answer: -AllowGatewayTransit -UseRemoteGateways
Explanation:
For hub-and-spoke with on-premises connectivity, the hub VNet peering must allow gateway transit so spokes can use its VPN gateway. The spoke VNet peering must use remote gateways to route traffic through the hub’s gateway to on‑premises.

Question 342

You have an Azure subscription that contains an Azure App Service app. The app uses a URL of https://www.contoso.com. You need to use a custom domain on Azure Front Door for www.contoso.com. The custom domain must use a certificate from an allowed certification authority (CA). What should you include in the solution?

A. an enterprise application in Azure Active Directory (Azure AD)
B. Active Directory Certificate Services (AD CS)
C. Azure Key Vault
D. Azure Application Gateway
Correct Answer: C
Explanation:
To use a custom domain with Azure Front Door and ensure HTTPS using a certificate issued by an allowed certification authority, you must supply your own certificate. Azure Front Door requires customer-provided certificates to be stored securely in Azure Key Vault, from where Front Door can access them. Azure Key Vault is the supported service for storing and managing SSL/TLS certificates for Azure Front Door custom domains.

Question 200

You have an Azure virtual network named VNet1 that contains the subnets shown in the following table. You need to deploy an Azure application gateway named AppGW1 to VNet1. To where can you deploy AppGW1?

A. GatewaySubnet only
B. Subnet2 only
C. Subnet1 or Subnet2 only
D. Subnet2 or GatewaySubnet only
E. Subnet1, Subnet2, and GatewaySubnet
Correct Answer: B
Explanation:
An Azure Application Gateway must be deployed into a dedicated subnet that contains only Application Gateway resources. It cannot be deployed into a GatewaySubnet (reserved for VPN/ExpressRoute gateways) or into a subnet that already hosts other resources. Among the listed subnets, Subnet2 is the only subnet that is empty and not named GatewaySubnet, so AppGW1 can be deployed only to Subnet2.

Question 15

DRAG DROP - Case Study - This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided. To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other questions in this case study. At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.

To start the case study - To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. When you are ready to answer a question, click the Question button to return to the question.

Overview - Proseware, Inc. is a financial services company that has a main office in New York City and a branch office in San Francisco.

Existing Environment. Hybrid Environment
Proseware has an on-premises Active Directory Domain Services (AD DS) forest named corp.proseware.com that syncs with a Microsoft Entra tenant named proseware.com. Proseware has an Azure subscription that is linked to proseware.com. Proseware has an internal certification authority (CA).

Existing Environment. Network Infrastructure
The offices contain the resources shown in the following table. NYCNet connects to Azure by using an ExpressRoute circuit. SFONet connects to Azure by using a Site-to-Site (S2S) VPN.

Existing Environment. Azure Resources
The Azure subscription contains the virtual networks and subnets shown in the following table. The subscription contains four virtual machines named VM1, VM2, VM3, and VM4. VM1 and VM2 host an app named App1. VM3 and VM4 host a web app named App2 that is accessed by using a FQDN of app2.proseware.com. Users access app2.proseware.com by using HTTP or HTTPS. VM1, VM2, and VM4 are connected to SpokeVNet. The subscription contains Application Gateway resources shown in the following table. The subscription contains an Azure Front Door Standard profile named FD1. FD1 contains a single origin group that targets APPGW1 by using the default endpoint name. HubVNet connects to NYCNet by using an ExpressRoute gateway named ERGW1.

Planned Changes and Requirements. Planned Changes
Proseware plans to implement the following changes:
• Deploy an Azure Private DNS Resolver named PRDNS1 to HubVNet and link PRDNS1 to SpokeVNet.
• Create a DNS forwarding ruleset named DNSRS1 and associate DNSRS1 with PRDNS1.
• Deploy Azure Virtual Network Manager and implement the following rules:
  - Allow inbound connections on TCP port 3389 from the on-premises networks to SUBNET-JUMPHOSTS.
  - Block inbound connections on TCP port 80 from the internet to SpokeVNet.
• Ensure that Azure Virtual Network Manager rules take precedence over conflicting NSG rules.
• Deploy two network virtual appliances (NVAs) named NVA1 and NVA2 to HubVNet.
• Deploy a gateway load balancer named LBGW1 to HubVNet.
• Configure LBGW1 to inspect traffic on TCP ports 443, 1433, and 1434 from LBS1 by using NVA1 and NVA2.
• Ensure that all the traffic to App2 is processed by using FD1.

Planned Changes and Requirements. Connectivity requirements
Proseware identifies the following connectivity requirements:
• Minimize the complexity of the Azure Virtual Network Manager deployment.
• Route traffic between NYCNet and SFONet via the ExpressRoute circuit and the S2S VPN.
• Ensure that remote users on Windows 11 devices can connect to HubVNet by using a Point-to-Site (P2S) VPN and their proseware.com credentials.

Planned Changes and Requirements. Security requirements
Proseware identifies the following security requirements:
• Whenever possible, use the internal CA.
• Ensure that all connections routed via APPGW1 use end-to-end encryption.
• Ensure that user connections to Azure-hosted apps use end-to-end encryption.
• Ensure that all inbound internet traffic to app2.proseware.com is routed via FD1.
• Prevent devices that connect to NYCNet from accessing Azure services that use private endpoints.
• Enable the virtual machines that connect to HubVNet and SpokeVNet to access Azure services that use private endpoints.

Planned Changes and Requirements. General requirements
Proseware identifies the following general requirements:
• Minimize the IP address space required to deploy platform-managed resources to the virtual networks.
• From SpokeVNet, resolve name resolution requests for the azure.proseware.com namespace and the corp.proseware.com namespace by using PRDNS1.
• Whenever possible, minimize administrative effort.

You need to deploy Azure Virtual Network Manager. The solution must support the planned changes and meet the connectivity requirements. Which four actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

Illustration for AZ-700 question 15
Correct Answer: Create an Azure Virtual Network Manager instance. Create a single network group that has Member type set to Virtual network. Create a security admin configuration that has a single rule collection. Perform a single deployment to apply the security admin configuration.
Explanation:
Azure Virtual Network Manager must exist before defining scope and policies. A single network group with virtual network members minimizes complexity while covering HubVNet and SpokeVNet. Both required security rules can be included in one rule collection within a single security admin configuration. One deployment enforces the configuration and ensures security admin rules take precedence over NSGs.

Question 213

HOTSPOT - You have an Azure virtual network named Vnet1 that contains two subnets named Subnet1 and Subnet2. Both subnets contain virtual machines. You create a NAT gateway named NATgateway1 as shown in the following exhibit. Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic. NOTE: Each correct selection is worth one point.

Illustration for AZ-700 question 213
Correct Answer: both Subnet1 and Subnet2 16 IP addresses
Explanation:
An Azure NAT Gateway can be associated with multiple subnets within the same virtual network. The configured public IP prefix is /28, which provides 2^(32−28) = 16 public IP addresses.

Question 171

You have an Azure subscription that contains a virtual network named VNet1. VNet1 contains a subnet named Subnet1. You deploy an instance of Azure Application Gateway v2 named AppGw1 to Subnet1. You create a network security group (NSG) named NSG1 and link NSG1 to Subnet1. You need to ensure that AppGw1 will only load balance traffic that originates from VNet1. The solution must minimize the impact on the functionality of AppGw1. What should you add to NSG1?

A. an outbound rule that has a priority of 4096 and blocks all internet traffic
B. an inbound rule that has a priority of 4096 and blocks all internet traffic
C. an inbound rule that has a priority of 100 and blocks all internet traffic
D. an outbound rule that has a priority of 100 and blocks all internet traffic
Correct Answer: B
Explanation:
To ensure Application Gateway v2 only load-balances traffic originating from VNet1, you must restrict inbound traffic on the subnet. Blocking Internet-sourced traffic is therefore an inbound concern, not outbound. Using a low-priority (high number) rule such as 4096 to block all Internet traffic aligns with NSG best practice: general deny rules should have lower precedence so that required Azure platform traffic (for example, AzureLoadBalancer health probes and any future explicit allow rules from VNet address spaces) is not inadvertently blocked. A high-priority deny rule (for example priority 100) could break Application Gateway functionality. Thus, an inbound rule with priority 4096 that blocks all Internet traffic meets the requirement while minimizing impact on AppGw1.

Question 88

DRAG DROP - You have a computer named CLIENT1 that runs Windows 11 and has the Azure VPN Client installed. You have an Azure virtual network gateway named VPNGW1. You need to ensure that you can connect CLIENT1 to VPNGW1. The solution must support Microsoft Entra authentication. Which four actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

Illustration for AZ-700 question 88
Correct Answer: From the Azure portal, configure the tunnel type and authentication type for VPNGW1. From the Azure portal, authorize the Azure VPN application. From the Azure portal, download the Azure VPN Client profile configuration package to CLIENT1. To CLIENT1, import the Azurevpnconfig.xml file.
Explanation:
Microsoft Entra ID authentication for Point-to-Site requires the Azure VPN Client with OpenVPN. The gateway must be configured first, the Azure VPN app authorized in Entra ID, then the client profile downloaded and the azurevpnconfig.xml imported on Windows.

Question 61

HOTSPOT - You have an Azure subscription that contains two virtual machines. You monitor traffic between the virtual machines by using NSG flow logs. You have a network security group (NSG) flow log that has the following entries.

1493763938,185.170.185.105,10.2.0.4,35370,23,T,I,A,B,,,,
1493695838,185.170.185.105,10.2.0.4,35370,23,T,I,A,C,200,500,100,300
1493696138,185.170.185.105,10.2.0.4,35370,23,T,I,A,E,1000,6000,500,1200

You need to identify the following metrics from the log entries:
• The total number of packets transferred between the virtual machines
• The total amount of bytes transferred between the virtual machines

What should you identify? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Correct Answer: A
Explanation:
Only the flow records with state C (Continue) and E (End) contain packet and byte counters. In each of those records, the last four fields represent packets_tx, bytes_tx, packets_rx, and bytes_rx. Summing both directions: Packets = (200 + 100) from C + (1000 + 500) from E = 1,800 packets. Bytes = (500 + 300) from C + (6000 + 1200) from E = 8,000 bytes. The initial B (Begin) record has no counters and is not included.

Question 241

You are planning an Azure deployment that will contain three virtual networks in the East US Azure region as shown in the following table. A Site-to-Site VPN will connect Vnet1 to your company’s on-premises network. You need to recommend a solution that ensures that the virtual machines on all the virtual networks can communicate with the on-premises network. The solution must minimize costs. What should you recommend for Vnet2 and Vnet3?

A. VNet-to-VNet VPN connections
B. peering
C. service endpoints
D. route tables
Correct Answer: B
Explanation:
Use VNet peering to connect Vnet2 and Vnet3 to Vnet1, which already has the Site-to-Site VPN gateway to the on-premises network. With gateway transit enabled on Vnet1 and remote gateways allowed on the peerings, traffic from Vnet2 and Vnet3 can reach on-premises through the existing VPN gateway. This avoids deploying additional VPN gateways, minimizing cost. Other options either require extra gateways (VNet-to-VNet VPN), do not provide connectivity (service endpoints), or only influence routing without creating connectivity (route tables).

Question 149

HOTSPOT - You have an Azure subscription that contains 10 virtual machines. The virtual machines are assigned private IP addresses. The subscription contains the resources shown in the following table. You need to configure FWPolicy1 to meet the following requirements:
• Allow incoming connections to the virtual machines from the internet on port 4567.
• Block outbound connections from the virtual machines to an FQDN of *.fabrikam.com.
What should you configure in FWPolicy1? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Illustration for AZ-700 question 149
Correct Answer: To allow inbound connections: A network rule To block outbound connections: An application rule
Explanation:
Inbound internet traffic on a specific TCP port (4567) to multiple VMs/subnets is filtered at L3/L4, which is handled by a network rule (DNAT is only required when translating to a specific private IP). Blocking traffic to an FQDN (*.fabrikam.com) requires L7 inspection, which is done with an application rule.

Question 57

You have an on-premises network named Site1. You have an Azure subscription that contains a storage account named storage1 and a virtual network named VNet1. VNet1 contains a subnet named Subnet1. A private endpoint for storage1 is connected to Subnet1. Site1 is connected to VNet1 by using a Site-to-Site (S2S) VPN. You need to control access to storage1 from Site1 by using network security groups (NSGs). What should you do first?

A. Configure a network policy for private endpoints on Subnet1.
B. Create a subnet delegation on Subnet1.
C. Associate a route table with Subnet1.
D. Associate a NAT gateway with Subnet1.
Correct Answer: A
Explanation:
To control traffic to a private endpoint using NSGs, you must first enable network policies for private endpoints on the subnet. By default, private endpoints have network policies (NSGs/UDRs) disabled on the subnet, so NSG rules are not enforced. Configuring the network policy for private endpoints on Subnet1 allows NSG rules to control access from Site1 over the S2S VPN.

Question 72

DRAG DROP - You have an Azure subscription that contains two virtual networks named VNet1 and VNet2. You plan to deploy the resources shown in the following table. You need to deploy two load balancers to manage the traffic for VMSS1, VM1, and VM2. The solution must meet the following requirements:
• Either VM1 or VM2 must inspect all the traffic from the internet to App1.
• All user connections from the internet to App1 must be load balanced.
• Costs must be minimized.
Which load balancer SKU should you include in the solution? To answer, drag the appropriate SKUs to the correct resources. Each SKU may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content. NOTE: Each correct selection is worth one point.

Correct Answer: A
Explanation:
To meet the requirements, App1 traffic from the internet must be load balanced and chained through an inspection tier. This requires an internet-facing Standard Load Balancer for VMSS1 (to support scalability and integration with Gateway Load Balancer) and a Gateway Load Balancer in front of VM1 and VM2, which act as traffic inspection NVAs. Basic Load Balancer does not support gateway chaining or cross-scenario requirements. This combination also minimizes cost while meeting functionality.

Question 147

You are planning the IP addressing for the subnets in Azure virtual networks. Which type of resource requires IP addresses in the subnets?

A. Azure Virtual Network NAT
B. service endpoint policies
C. internal load balancers
D. virtual network peering
Correct Answer: C
Explanation:
Internal load balancers require one or more private IP addresses that are allocated from the subnet in which the load balancer is deployed. The other options (Azure Virtual Network NAT, service endpoint policies, and virtual network peering) do not consume IP addresses from the subnet address space.

Question 230

You have an Azure subscription that contains four virtual networks named VNet1, VNet2, VNet3, and VNet4. You plan to deploy a hub and spoke topology by using virtual network peering. You need to configure VNet1 as the hub network. The solution must meet the following requirements:
• Support transitive routing between spokes.
• Maximize network throughput.
What should you include in the solution?

A. Azure VPN Gateway
B. Azure Route Server
C. Azure Private Link
D. Azure Firewall
Correct Answer: D
Explanation:
Native VNet peering does not support transitive routing between spokes. To enable spoke-to-spoke traffic via a hub, you need a routing component (an NVA). Both a VPN gateway and Azure Firewall can provide this, but the requirement is to maximize network throughput. Azure Firewall supports very high, scalable throughput (tens of Gbps depending on SKU) and is commonly used as the hub NVA for transitive routing using UDRs, whereas VPN gateways have significantly lower throughput limits and higher latency. Therefore, Azure Firewall best meets both requirements.

Question 239

You have an internal Basic Azure Load Balancer named LB1 that has two frontend IP addresses. The backend pool of LB1 contains two Azure virtual machines named VM1 and VM2. You need to configure the rules on LB1 as shown in the following table. What should you do for each rule?

A. Enable Floating IP.
B. Disable Floating IP.
C. Set Session persistence to Enabled.
D. Set Session persistence to Disabled.
Correct Answer: A
Explanation:
To configure multiple load‑balancing rules on the same Azure Load Balancer that reuse the same backend port across different frontend IP addresses, Floating IP (also called Direct Server Return) must be enabled. This allows the backend VMs (VM1 and VM2) to listen on the same port for multiple frontend configurations. Without Floating IP, Azure Load Balancer does not allow backend port reuse across rules. Session persistence settings are not relevant to enabling port reuse in this scenario.


AZ-700 — Frequently Asked Questions

What is the Microsoft AZ-700 exam?

The Microsoft AZ-700 exam — Designing and Implementing Microsoft Azure Networking Solutions — is a professional IT certification exam offered by Microsoft. Passing this exam earns you the Microsoft Certified: Azure Network Engineer Associate certification, a widely recognized credential in the IT industry.

How many practice questions are included?

This study guide contains 341 practice questions, each with an expert-verified correct answer and a detailed explanation. Questions cover all exam domains and objectives.

Is there a free sample available?

Yes! We provide a free sample of 15 practice questions from the AZ-700 exam right on this page. Scroll up to preview them and evaluate the quality of our materials before purchasing.

When was this AZ-700 study guide last updated?

This study guide was last updated on 2026-02-19. We regularly refresh our materials to reflect the latest exam content and objectives so you're always studying current material.

What file formats do I receive?

After purchase you receive two files: an interactive HTML file with show/hide answer toggles (ideal for studying on screen) and a PDF file (ideal for printing or offline study). Both work on any device — desktop, tablet, or phone.

How much does the AZ-700 study guide cost?

The Microsoft AZ-700 study guide costs $19 (discounted from $63). This is a one-time payment with no subscriptions or hidden fees.

How do I get my files after payment?

After successful payment via Stripe, you are immediately redirected to a download page with links to your HTML and PDF files. We also send the download links to your email address as a backup, so you'll always have access.

Why choose CheapestExamDumps over other providers?

CheapestExamDumps offers the lowest price at $19 per exam — competitors charge $50-$300 for similar content. All study materials are expert-verified, updated monthly, and include a free 15-question preview with no signup required. You get instant access to both HTML and PDF formats after payment.