Microsoft AZ-700 Exam (page: 3)
Microsoft Designing and Implementing Azure Networking Solutions
Updated on: 12-Feb-2026


Case Study

This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other questions in this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.
To start the case study
To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements.
When you are ready to answer a question, click the Question button to return to the question.
Overview
Proseware, Inc. is a financial services company that has a main office in New York City and a branch office in San Francisco.
Existing Environment. Hybrid Environment
Proseware has an on-premises Active Directory Domain Services (AD DS) forest named corp.proseware.com that syncs with a Microsoft Entra tenant named proseware.com.
Proseware has an Azure subscription that is linked to proseware.com.
Proseware has an internal certification authority (CA).
Existing Environment. Network Infrastructure
The offices contain the resources shown in the following table.



NYCNet connects to Azure by using an ExpressRoute circuit.
SFONet connects to Azure by using a Site-to-Site (S2S) VPN.
Existing Environment. Azure Resources
The Azure subscription contains the virtual networks and subnets shown in the following table.



The subscription contains four virtual machines named VM1, VM2, VM3, and VM4. VM1 and VM2 host an app named App1.
VM3 and VM4 host a web app named App2 that is accessed by using a FQDN of app2.proseware.com. Users access app2.proseware.com by using HTTP or HTTPS.
VM1, VM2, and VM4 are connected to SpokeVNet.
The subscription contains Application Gateway resources shown in the following table.



The subscription contains an Azure Front Door Standard profile named FD1. FD1 contains a single origin group that targets APPGW1 by using the default endpoint name.

HubVNet connects to NYCNet by using an ExpressRoute gateway named ERGW1.
Planned Changes and Requirements. Planned Changes
Proseware plans to implement the following changes:
Deploy an Azure Private DNS Resolver named PRDNS1 to HubVNet and link PRDNS1 to SpokeVNet.

Create a DNS forwarding ruleset named DNSRS1 and associate DNSRS1 with PRDNS1.

Deploy Azure Virtual Network Manager and implement the following rules:

- Allow inbound connections on TCP port 3389 from the on-premises networks to SUBNET-JUMPHOSTS.
- Block inbound connections on TCP port 80 from the internet to SpokeVNet.
Ensure that Azure Virtual Network Manager rules take precedence over conflicting NSG rules.

Deploy two network virtual appliances (NVAs) named NVA1 and NVA2 to HubVNet.

Deploy a gateway load balancer named LBGW1 to HubVNet.

Configure LBGW1 to inspect traffic on TCP ports 443, 1433, and 1434 from LBS1 by using NVA1 and NVA2.
Ensure that all the traffic to App2 is processed by using FD1.

Planned Changes and Requirements. Connectivity requirements
Proseware identifies the following connectivity requirements:
Minimize the complexity of the Azure Virtual Network Manager deployment.

Route traffic between NYCNet and SFONet via the ExpressRoute circuit and the S2S VPN.

Ensure that remote users on Windows 11 devices can connect to HubVNet by using a Point-to-Site (P2S) VPN and their proseware.com credentials.
Planned Changes and Requirements. Security requirements
Proseware identifies the following security requirements:
Whenever possible, use the internal CA.

Ensure that all connections routed via APPGW1 use end-to-end encryption.

Ensure that user connections to Azure-hosted apps use end-to-end encryption.

Ensure that all inbound internet traffic to app2.proseware.com is routed via FD1.

Prevent devices that connect to NYCNet from accessing Azure services that use private endpoints.

Enable the virtual machines that connect to HubVNet and SpokeVNet to access Azure services that use private endpoints.
Planned Changes and Requirements. General requirements
Proseware identifies the following general requirements:
Minimize the IP address space required to deploy platform-managed resources to the virtual networks.

From SpokeVNet, resolve name resolution requests for the azure.proseware.com namespace and the corp.proseware.com namespace by using PRDNS1.
Whenever possible, minimize administrative effort.

You have an Azure virtual network named Vnet1 and an on-premises network. The on-premises network has policy-based VPN devices.

In Vnet1, you deploy a virtual network gateway named GW1 that uses a SKU of VpnGw1 and is route-based.

You have a Site-to-Site VPN connection for GW1 as shown in the following exhibit.



You need to ensure that the on-premises network can connect to the route-based GW1.

What should you do before you create the connection?

  A. Set Connection Mode to ResponderOnly.
  B. Set BGP to Enabled.
  C. Set Use Azure Private IP Address to Enabled.
  D. Set IPsec / IKE policy to Custom.

Answer(s): D




HOTSPOT (Drag and Drop is not supported)

Your on-premises network contains a VPN device.

You have an Azure subscription that contains a virtual network and a virtual network gateway.

You need to create a Site-to-Site VPN connection that has a custom cryptographic policy.

How should you complete the PowerShell script? To answer, select the appropriate options in the answer area.

Note: Each correct selection is worth one point.

Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:



Box 1: New-AzIpsecPolicy
Configure IPsec/IKE policy for S2S (Site-to-Site) VPN or VNet-to-VNet connections

Create a S2S VPN connection with an IPsec/IKE policy

1. Create an IPsec/IKE policy
The following sample script creates an IPsec/IKE policy with the following algorithms and parameters:

IKEv2: AES256, SHA384, DHGroup24
IPsec: AES256, SHA256, PFS None, SA Lifetime 14400 seconds & 102400000KB

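$ipsecpolicy6 = New-AzIpsecPolicy -IkeEncryption AES256 -IkeIntegrity SHA384 -DhGroup DHGroup24 -IpsecEncryption AES256 -IpsecIntegrity SHA256 -PfsGroup None -SALifeTimeSeconds 14400 -SADataSizeKilobytes 102400000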

2. Create the S2S VPN connection with the IPsec/IKE policy
Create an S2S VPN connection and apply the IPsec/IKE policy created earlier.

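$vnet1gw = Get-AzVirtualNetworkGateway -Name $GWName1 -ResourceGroupName $RG1
$lng6 = Get-AzLocalNetworkGateway -Name $LNGName6 -ResourceGroupName $RG1

# $Location1 and $SharedKey are assumed to be defined earlier in the script.
New-AzVirtualNetworkGatewayConnection -Name $Connection16 -ResourceGroupName $RG1 -VirtualNetworkGateway1 $vnet1gw -LocalNetworkGateway2 $lng6 -Location $Location1 -ConnectionType IPsec -IpsecPolicies $ipsecpolicy6 -SharedKey $SharedKey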

Box 2: New-AzVirtualNetworkGatewayConnection


Reference:

https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-ipsecikepolicy-rm-powershell
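
A check a reviewer could run against the custom policy described above, as an added example that is not part of the original page or of Microsoft's documentation. The function name Test-IpsecPolicyBaseline, the sample connection names, and the lists of values treated as weak are assumptions of this example; the sample objects are constructed so the script runs offline.

```powershell
# Added example: flag S2S connections that have no custom IPsec/IKE policy
# or whose policy uses values outside a chosen baseline.
# The lists below are this example's own baseline (an assumption), not Azure defaults.
$WeakValues = [ordered]@{
    IkeEncryption   = @('DES', 'DES3')
    IkeIntegrity    = @('MD5', 'SHA1')
    DhGroup         = @('None', 'DHGroup1', 'DHGroup2')
    IpsecEncryption = @('None', 'DES', 'DES3')
    IpsecIntegrity  = @('MD5', 'SHA1')
    PfsGroup        = @('None', 'PFS1', 'PFS2')
}

function Test-IpsecPolicyBaseline {
    # Hypothetical helper: accepts connection objects that expose Name and IpsecPolicies,
    # the same property names used on the objects returned by Get-AzVirtualNetworkGatewayConnection.
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object] $Connection
    )
    process {
        # Drop null entries so an unset property counts as "no policy".
        $policies = @($Connection.IpsecPolicies | Where-Object { $null -ne $_ })

        if ($policies.Count -eq 0) {
            [pscustomobject]@{
                Connection = $Connection.Name
                Setting    = 'IpsecPolicies'
                Value      = '(none)'
                Finding    = 'No custom policy set; the gateway default proposals apply'
            }
            return
        }

        foreach ($policy in $policies) {
            foreach ($setting in $WeakValues.Keys) {
                $value = [string]$policy.$setting
                if ($WeakValues[$setting] -contains $value) {
                    [pscustomobject]@{
                        Connection = $Connection.Name
                        Setting    = $setting
                        Value      = $value
                        Finding    = 'Value is outside the baseline'
                    }
                }
            }
        }
    }
}

# Constructed sample input. The first entry mirrors the policy in the explanation above
# (AES256/SHA384/DHGroup24 for IKE, AES256/SHA256 with PFS None for IPsec).
$sampleConnections = @(
    [pscustomobject]@{
        Name          = 'conn-page-sample'
        IpsecPolicies = @([pscustomobject]@{
            IkeEncryption = 'AES256'; IkeIntegrity = 'SHA384'; DhGroup = 'DHGroup24'
            IpsecEncryption = 'AES256'; IpsecIntegrity = 'SHA256'; PfsGroup = 'None'
        })
    }
    [pscustomobject]@{
        Name          = 'conn-no-policy'
        IpsecPolicies = @()
    }
    [pscustomobject]@{
        Name          = 'conn-legacy'
        IpsecPolicies = @([pscustomobject]@{
            IkeEncryption = 'DES3'; IkeIntegrity = 'SHA1'; DhGroup = 'DHGroup2'
            IpsecEncryption = 'AES128'; IpsecIntegrity = 'SHA1'; PfsGroup = 'PFS2'
        })
    }
)

$sampleConnections | Test-IpsecPolicyBaseline | Format-Table -AutoSize

# Against a live subscription (requires the Az.Network module and a signed-in session),
# fetch each connection by name so the full object is returned:
# Get-AzVirtualNetworkGatewayConnection -ResourceGroupName $RG1 |
#     ForEach-Object { Get-AzVirtualNetworkGatewayConnection -Name $_.Name -ResourceGroupName $RG1 } |
#     Test-IpsecPolicyBaseline
```

With this baseline, the policy from the explanation is reported once, for PfsGroup None, which means its IPsec SAs are rekeyed without perfect forward secrecy.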




HOTSPOT (Drag and Drop is not supported)

You have an Azure virtual network and an on-premises datacenter that connect by using a Site-to-Site VPN tunnel.

You need to ensure that all traffic from the virtual network to the internet is routed through the datacenter.

How should you complete the PowerShell script to configure forced tunneling? To answer, select the appropriate options in the answer area.

Note: Each correct selection is worth one point.

Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:



Box 1: Get-AzLocalNetworkGateway
See step 5 below.

Configure forced tunneling
1. Create a resource group.
New-AzResourceGroup -Name 'ForcedTunneling' -Location 'North Europe'

2. Create a virtual network and specify subnets.

3. Create the local network gateways.
Example:
$lng1 = New-AzLocalNetworkGateway -Name "DefaultSiteHQ" -ResourceGroupName "ForcedTunneling" -Location "North Europe" -GatewayIpAddress "111.111.111.111" -AddressPrefix "192.168.1.0/24"

4. Create the virtual network gateway.

5. Assign a default site to the virtual network gateway. The -GatewayDefaultSite is the cmdlet parameter that allows the forced routing configuration to work, so take care to configure this setting properly.

$LocalGateway = Get-AzLocalNetworkGateway -Name "DefaultSiteHQ" -ResourceGroupName "ForcedTunneling"
$VirtualGateway = Get-AzVirtualNetworkGateway -Name "Gateway1" -ResourceGroupName "ForcedTunneling"
Set-AzVirtualNetworkGatewayDefaultSite -GatewayDefaultSite $LocalGateway -VirtualNetworkGateway $VirtualGateway

6. Establish the Site-to-Site VPN connections.
Details omitted.

Box 2: Set-AzVirtualNetworkGatewayDefaultSite


Reference:

https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-forced-tunneling-rm




You are planning an Azure deployment that will contain three virtual networks in the East US Azure region as shown in the following table.



A Site-to-Site VPN will connect Vnet1 to your company's on-premises network.

You need to recommend a solution that ensures that the virtual machines on all the virtual networks can communicate with the on-premises network. The solution must minimize costs.

What should you recommend for Vnet2 and Vnet3?

  A. VNet-to-VNet VPN connections
  B. peering
  C. service endpoints
  D. route tables

Answer(s): B

Explanation:

Virtual network peering seamlessly connects two Azure virtual networks so that they appear as one for connectivity purposes. Traffic between virtual machines in peered virtual networks uses the Microsoft backbone infrastructure; like traffic between virtual machines in the same network, it is routed through Microsoft's private network only.


Reference:

https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview




Your company has an office in New York.

The company has an Azure subscription that contains the virtual networks shown in the following table.



You need to connect the virtual networks to the office by using ExpressRoute. The solution must meet the following requirements:

The connection must have up to 1 Gbps of bandwidth.

The office must have access to all the virtual networks.

Costs must be minimized.

How many ExpressRoute circuits should be provisioned, and which ExpressRoute SKU should you enable?

  A. one ExpressRoute Premium circuit
  B. two ExpressRoute Premium circuits
  C. four ExpressRoute Standard circuits
  D. one ExpressRoute Standard circuit

Answer(s): A

Explanation:

One circuit with the Premium SKU is required.
Azure ExpressRoute offers three different circuit SKUs, known as Local, Standard, and Premium, which provide varying degrees of connectivity scope.
Standard: a Standard SKU ExpressRoute circuit provides connectivity to resources in all Azure regions in a geopolitical area. Under this scenario, the on-premises network in London can connect to resources and access Azure's cloud services hosted in regions such as West Europe (Amsterdam, Netherlands) and France Central (Paris, France) through ExpressRoute.
Premium: a Premium SKU ExpressRoute circuit facilitates connectivity to resources and cloud services globally across all Azure regions. Specifically, this global connectivity is delivered over the Microsoft core network. In this case, the on-premises network in London can link a virtual network created in West Europe (Amsterdam, Netherlands) to an Azure ExpressRoute circuit created in Japan East (Tokyo, Japan).


Reference:

https://dgtlinfra.com/azure-expressroute-benefits-pricing-providers-locations/





You have an Azure subscription that contains a virtual network.

You plan to deploy an Azure VPN gateway and 90 Site-to-Site VPN connections. The solution must meet the following requirements:

Ensure that the Site-to-Site VPN connections remain available if an Azure datacenter fails.

Minimize costs.

Which gateway SKU should you specify?

  1. VpnGw1AZ
  2. VpnGw2AZ
  3. VpnGw4AZ
  4. VpnGw5AZ

Answer(s): C

Explanation:

VpnGw4AZ supports 90 Site-to-Site VPN connections at a lower cost than VpnGw5AZ.
VpnGw1AZ, VpnGw2AZ, and VpnGw4AZ support a maximum of 30.
Gateway SKUs by tunnel, connection, and throughput


Reference:

https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways





You have an Azure subscription that contains the resources shown in the following table.



You create a virtual network named Vnet2 in the West US region.

You plan to enable peering between Vnet1 and Vnet2.

You need to ensure that the virtual machines connected to Vnet2 can connect to VM1 and VM2 via LB1.

What should you do?

  1. From the Peerings settings of Vnet2, set Traffic forwarded from remote virtual network to Allow.
  2. Change the Floating IP configurations of LB1.
  3. From the Peerings settings of Vnet1, set Traffic forwarded from remote virtual network to Allow.
  4. Change the SKU of LB1.

Answer(s): D

Explanation:

What are the constraints related to Global VNet Peering and Load Balancers? If the two virtual networks in two different regions are peered over Global VNet Peering, you cannot connect to resources that are behind a Basic Load Balancer through the Front End IP of the Load Balancer. This restriction does not exist for a Standard Load Balancer.
Note: The following resources can use Basic Load Balancers which means you cannot reach them through the Load Balancer's Front End IP over Global VNet Peering. You can however use Global VNet peering to reach the resources directly through their private VNet IPs, if permitted.
- VMs behind Basic Load Balancers
- Virtual machine scale sets with Basic Load Balancers
- Redis Cache
- Application Gateway (v1) SKU
- Service Fabric
- API Management (stv1)
- Active Directory Domain Service (ADDS)
- Logic Apps
- HDInsight
- Azure Batch
- App Service Environment
You can connect to these resources via ExpressRoute or VNet-to-VNet through VNet Gateways.


Reference:

https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-faq#what-are-the-constraints-related-to-global-vnet-peering-and-load-balancers





DRAG DROP (Drag and Drop is not supported)

Your on-premises network contains an Active Directory Domain Services (AD DS) domain named contoso.com that has an internal certification authority (CA).

You have an Azure subscription.

You deploy an Azure application gateway named AppGwy1 and perform the following actions:

Configure an HTTP listener

Associate a routing rule with the listener

You need to configure AppGwy1 to perform mutual authentication for requests from domain-joined computers to contoso.com.

Which four actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

Select and Place:

  1. See Explanation section for answer.

Answer(s): A

Explanation:



Step 1: From AppGwy1, create a frontend IP configuration

Step 2: From AppGwy1, create an SSL profile
Set up a listener-specific SSL policy.

To set up a listener-specific SSL policy, you'll need to first go to the SSL settings tab in the Portal and create a new SSL profile.
When you create an SSL profile, you'll see two tabs: Client Authentication and SSL Policy. The SSL Policy tab is where you configure a listener-specific SSL policy. The Client Authentication tab is where you upload client certificate(s) for mutual authentication. (Step 3)

Step 3: From an on-premises computer, upload a certificate to AppGwy1.
Configure mutual authentication
To configure an existing Application Gateway with mutual authentication, you'll need to first go to the SSL settings tab in the Portal and create a new SSL profile. (Step 2)

When you create an SSL profile, you'll see two tabs: Client Authentication and SSL Policy. The Client Authentication tab is where you'll upload your client certificate(s).

Step 4: From AppGwy1, add an HTTP listener and associate the listener to the SSL profile
Now that we've created an SSL profile with a listener-specific SSL policy, we need to associate the SSL profile to the listener to put the listener-specific policy in action.

1. Navigate to your existing Application Gateway. If you just completed the steps above, you don't need to do anything here.

2. Select Listeners from the left-side menu.

3. Click on Add listener if you don't already have an HTTPS listener set up. If you already have an HTTPS listener, click on it from the list.

4. Fill out the Listener name, Frontend IP, Port, Protocol, and other HTTPS Settings to fit your requirements.
(Frontend IP created in Step 1)

5. Check the Enable SSL Profile checkbox so that you can select which SSL Profile to associate with the listener.

6. Select the SSL profile you created from the dropdown list.

7. Etc.


Reference:

https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-configure-listener-specific-ssl-policy
https://learn.microsoft.com/en-us/azure/application-gateway/mutual-authentication-portal






Share your comments for Microsoft AZ-700 exam with other users:

Thor 10/21/2025 5:16:29 AM

Anyone used this dump recently?
NEW ZEALAND


Jayant 11/2/2023 3:15:00 AM

Thanks for AZ-700 dumps
Anonymous


Rond65 8/22/2023 4:39:00 PM

Question #3 refers to vnet4 and vnet5. However, there is no vnet5 listed in the case study (testlet 2).
UNITED STATES


Thembelani 5/30/2023 2:17:00 AM

I am writing this exam tomorrow and have dumps
Anonymous


Thembelani 5/30/2023 2:47:00 AM

Excellent material
Anonymous


Thembelani 5/30/2023 2:40:00 AM

Does this exam have lab sections?
Anonymous


Thembelani 5/30/2023 2:22:00 AM

Anyone who wrote this exam recently?
Anonymous


Thembelani 5/30/2023 2:45:00 AM

Need these dumps
Anonymous