Microsoft Designing and Implementing Azure Networking Solutions AZ-700 Exam Questions in PDF

Free Microsoft AZ-700 Dumps Questions (page: 7)


Case Study

This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other questions in this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.
To start the case study
To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements.
When you are ready to answer a question, click the Question button to return to the question.
Overview
Proseware, Inc. is a financial services company that has a main office in New York City and a branch office in San Francisco.
Existing Environment. Hybrid Environment
Proseware has an on-premises Active Directory Domain Services (AD DS) forest named corp.proseware.com that syncs with a Microsoft Entra tenant named proseware.com.
Proseware has an Azure subscription that is linked to proseware.com.
Proseware has an internal certification authority (CA).
Existing Environment. Network Infrastructure
The offices contain the resources shown in the following table.



NYCNet connects to Azure by using an ExpressRoute circuit.
SFONet connects to Azure by using a Site-to-Site (S2S) VPN.
Existing Environment. Azure Resources
The Azure subscription contains the virtual networks and subnets shown in the following table.



The subscription contains four virtual machines named VM1, VM2, VM3, and VM4. VM1 and VM2 host an app named App1.
VM3 and VM4 host a web app named App2 that is accessed by using a FQDN of app2.proseware.com. Users access app2.proseware.com by using HTTP or HTTPS.
VM1, VM2, and VM4 are connected to SpokeVNet.
The subscription contains Application Gateway resources shown in the following table.



The subscription contains an Azure Front Door Standard profile named FD1. FD1 contains a single origin group that targets APPGW1 by using the default endpoint name.

HubVNet connects to NYCNet by using an ExpressRoute gateway named ERGW1.
Planned Changes and Requirements. Planned Changes
Proseware plans to implement the following changes:
Deploy an Azure Private DNS Resolver named PRDNS1 to HubVNet and link PRDNS1 to SpokeVNet.

Create a DNS forwarding ruleset named DNSRS1 and associate DNSRS1 with PRDNS1.

Deploy Azure Virtual Network Manager and implement the following rules:

- Allow inbound connections on TCP port 3389 from the on-premises networks to SUBNET-JUMPHOSTS.
- Block inbound connections on TCP port 80 from the internet to SpokeVNet.
Ensure that Azure Virtual Network Manager rules take precedence over conflicting NSG rules.

Deploy two network virtual appliances (NVAs) named NVA1 and NVA2 to HubVNet.

Deploy a gateway load balancer named LBGW1 to HubVNet.

Configure LBGW1 to inspect traffic on TCP ports 443, 1433, and 1434 from LBS1 by using NVA1 and NVA2.
Ensure that all the traffic to App2 is processed by using FD1.

Planned Changes and Requirements. Connectivity requirements
Proseware identifies the following connectivity requirements:
Minimize the complexity of the Azure Virtual Network Manager deployment.

Route traffic between NYCNet and SFONet via the ExpressRoute circuit and the S2S VPN.

Ensure that remote users on Windows 11 devices can connect to HubVNet by using a Point-to-Site (P2S) VPN and their proseware.com credentials.
Planned Changes and Requirements. Security requirements
Proseware identifies the following security requirements:
Whenever possible, use the internal CA.

Ensure that all connections routed via APPGW1 use end-to-end encryption.

Ensure that user connections to Azure-hosted apps use end-to-end encryption.

Ensure that all inbound internet traffic to app2.proseware.com is routed via FD1.

Prevent devices that connect to NYCNet from accessing Azure services that use private endpoints.

Enable the virtual machines that connect to HubVNet and SpokeVNet to access Azure services that use private endpoints.
Planned Changes and Requirements. General requirements
Proseware identifies the following general requirements:
Minimize the IP address space required to deploy platform-managed resources to the virtual networks.

From SpokeVNet, resolve name resolution requests for the azure.proseware.com namespace and the corp.proseware.com namespace by using PRDNS1.
Whenever possible, minimize administrative effort.

You have an on-premises network.

You have an Azure subscription that contains a virtual network.

You have an ExpressRoute service provider.

You plan to connect the Azure virtual network and the on-premises network by using an ExpressRoute circuit.

You create a new ExpressRoute circuit.

You need to provision the new circuit.

Which information should you provide to the service provider?

  A. the IKEv2 shared key
  B. the certificate
  C. the public IP address
  D. the service key

Answer(s): D

Explanation:

ExpressRoute circuit
Ensure that your organization has met the ExpressRoute prerequisite requirements for connecting to Azure.
If you haven't already done so, add a subnet named GatewaySubnet to your Azure VNet and create an ExpressRoute virtual network gateway using the Azure VPN gateway service.
Create an ExpressRoute circuit as follows:
1. Run the following PowerShell command:
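New-AzExpressRouteCircuit -Name <circuit-name> -ResourceGroupName <resource-group> -Location <location> -SkuTier <SKU-tier> -SkuFamily <SKU-family> -ServiceProviderName <service-provider-name> -PeeringLocation <peering-location> -BandwidthInMbps <bandwidth-in-Mbps>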
2. Send the ServiceKey for the new circuit to the service provider.
3. Wait for the provider to provision the circuit. To verify the provisioning state of a circuit, run the following PowerShell command:
Get-AzExpressRouteCircuit -Name <circuit-name> -ResourceGroupName <resource-group>

The Provisioning state field in the Service Provider section of the output will change from NotProvisioned to Provisioned when the circuit is ready.
4. Etc.


Reference:

https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/expressroute




You have an on-premises server named Server1 that runs Windows Server.

You have an Azure subscription that contains a virtual network named VNet1.

You plan to connect Server1 to VNet1 by using Azure Network Adapter.

You need to minimize how long it takes to deploy the adapter to Server1.

What should you create first?

  A. a route server
  B. an Azure Bastion host
  C. a private endpoint
  D. an Azure VPN gateway

Answer(s): D

Explanation:

Windows Server, Use Azure Network Adapter to connect a server to an Azure Virtual Network
Windows Admin Center and Azure Network Adapter provide a one-click experience to connect the server with your virtual network using a Point-to-Site VPN connection. The process automates configuring the virtual network gateway and the on-premises VPN client.
If there is no existing Azure Virtual Network gateway, Windows Admin Center creates one for you. The setup process can take up to 25 minutes. After the Azure Network Adapter is created, you can start to access VMs in the virtual network directly from your server.
Note: A Point-to-Site (P2S) VPN gateway connection lets you create a secure connection to your virtual network from an individual client computer.


Reference:

https://learn.microsoft.com/en-us/windows-server/manage/windows-admin-center/azure/use-azure-network-adapter




HOTSPOT (Drag and Drop is not supported)

You have an Azure subscription. The subscription contains 500 virtual machines that run either Windows 11 or Linux.

You need to identify which Linux virtual machines are accessible from the internet. The solution must minimize administrative effort.

What should you use, and what should you configure? To answer, select the appropriate options in the answer area.

Note: Each correct selection is worth one point.

Hot Area:

  A. See Explanation section for answer.

Answer(s): A

Explanation:



Box 1 (Use): Cloud Security Explorer in Microsoft Defender for Cloud

Microsoft Defender for Cloud, Build queries with cloud security explorer
With the cloud security explorer, you can query all of your security issues and environment context such as assets inventory, exposure to internet, permissions, and lateral movement between resources and across multiple clouds (Azure, AWS, and GCP).

Box 2 (Configure): Agentless scanning for machines in Microsoft Defender for Cloud
Microsoft Defender for Cloud improves compute posture for Azure, AWS and GCP environments with machine scanning. For requirements and support, see the compute support matrix in Defender for Cloud.

Agentless scanning for virtual machines (VM) provides:

* Broad, frictionless visibility into your software inventory using Microsoft Defender Vulnerability Management.
* Deep analysis of operating system configuration and other machine metadata.
* Vulnerability assessment using Defender Vulnerability Management.
* Secret scanning to locate plain text secrets in your compute environment.
* Threat detection with agentless malware scanning, using Microsoft Defender Antivirus.

Incorrect:

* A discovery group in Microsoft Defender External Attack Surface Management (Defender EASM)
Discovered assets are indexed and classified in your Defender EASM Inventory, providing a dynamic record of all web infrastructure under the organization's management. Assets are categorized as recent (currently active) or historic, and can include web applications, third party dependencies, and other asset connections.

Discovery groups
Custom discoveries are organized into discovery groups. They're independent seed clusters that comprise a single discovery run and operate on their own recurrence schedules. You organize your discovery groups to delineate assets in whatever way best benefits your company and workflows. Common options include organizing by the responsible team or business unit, brands, or subsidiaries.

* An inventory filter in Microsoft Defender External Attack Surface Management (Defender EASM)
Defender EASM inventory filters
Filtering helps you find specific subsets of inventory assets based on selected parameters. This article outlines each filter and operator and provides guidance on input options that yield the best results. It also explains how to save queries for easy accessibility to the filtered results.


Reference:

https://learn.microsoft.com/en-us/azure/defender-for-cloud/how-to-manage-cloud-security-explorer
https://learn.microsoft.com/en-us/azure/defender-for-cloud/concept-agentless-data-collection
https://learn.microsoft.com/en-us/azure/external-attack-surface-management/inventory-filters




You have an instance of Azure Web Application Firewall (WAF) on Azure Front Door.

You plan to create a WAF rule that will block high rates of requests from a single IP address.

You need to query Log Analytics to identify the optimal threshold for the rule.

Which table should you query in Log Analytics?

  A. AZFWThreatIntel
  B. AzureDiagnostics
  C. SecurityDetection
  D. AGWFirewallLogs

Answer(s): B

Explanation:

Queries for the AzureDiagnostics table
Examples:
[Azure Front Door Standard/Premium] Unique IP request count
Show unique IP request count.
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.CDN" and Category == "FrontDoorAccessLog"
| summarize dcount(clientIp_s) by bin(TimeGenerated, 1h)
| render timechart

[Azure Front Door Standard/Premium] Firewall request count by host, path, rule, and action
Count firewall processed requests by host, path, rule, and action taken. Summarize request count by host, path, rule, and action.

AzureDiagnostics
| where ResourceProvider == "MICROSOFT.CDN" and Category == "FrontDoorWebApplicationFirewallLog"
| extend ParsedUrl = parseurl(requestUri_s)
| summarize RequestCount = count() by Host = tostring(ParsedUrl.Host), Path = tostring(ParsedUrl.Path), RuleName = ruleName_s, Action = action_s, ResourceId
| order by RequestCount desc


Reference:

https://learn.microsoft.com/en-us/azure/azure-monitor/reference/queries/azurediagnostics
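Sizing a rate-limit threshold needs the number of requests each client IP sends per rate-limit window, which the two reference queries do not compute. The query below is an added example, not taken from the original explanation or from Microsoft's query reference; the 7-day lookback, the 1-minute window and the candidate threshold of 100 are assumptions to adjust, and `clientIp_s` is the access-log column already used above.

```kusto
// Added example: distribution of per-client request counts per window,
// used to pick a rate-limit threshold that sits above normal client behaviour.
let lookback = 7d;              // assumption: one week of representative traffic
let window = 1m;                // assumption: same length as the planned rate-limit window
let candidateThreshold = 100;   // assumption: threshold being evaluated
AzureDiagnostics
| where TimeGenerated > ago(lookback)
| where ResourceProvider == "MICROSOFT.CDN" and Category == "FrontDoorAccessLog"
// One row per (client IP, time window) with the number of requests in that window
| summarize RequestsPerWindow = count() by clientIp_s, bin(TimeGenerated, window)
// Collapse to the distribution across all client windows
| summarize
    ClientWindows = count(),
    P50 = percentile(RequestsPerWindow, 50),
    P95 = percentile(RequestsPerWindow, 95),
    P99 = percentile(RequestsPerWindow, 99),
    Peak = max(RequestsPerWindow),
    // How many windows, and how many distinct clients, the candidate rule would have matched
    WindowsOverCandidate = countif(RequestsPerWindow > candidateThreshold),
    ClientsOverCandidate = dcountif(clientIp_s, RequestsPerWindow > candidateThreshold)
```

A threshold well above P99 but below Peak blocks only the outliers; review ClientsOverCandidate for shared egress addresses such as corporate NAT or proxies before enforcing the rule.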




DRAG DROP (Drag and Drop is not supported)

Your on-premises network contains two subnets named Subnet and Subnet2. Subnet2 contains a Hyper-V host that contains two virtual machines named VM1 and VM2. VM1 and VM2 are connected to Subnet2.

You have an Azure virtual network named VNet1 that contains GatewaySubnet and a subnet named VSubnet1. VNet1 is connected to the on-premises network by using a Site-to-Site (S2S) VPN connection.

You plan to migrate VM1 to VNet1 and maintain the existing IP address of VM1. VM2 will remain on Subnet2.

You need to prepare the environment to ensure that VM1 can communicate with VM2 once the migration is complete.

Which five actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

Select and Place:

  1. See Explanation section for answer.

Answer(s): A

Explanation:



Extend your on-premises subnets into Azure using extended network for Azure

Extended network for Azure enables you to stretch an on-premises subnet into Azure to let on-premises virtual machines keep their original on-premises private IP addresses when migrating to Azure.

The network is extended using a bidirectional VXLAN tunnel between two Windows Server 2019 VMs acting as virtual appliances, one running on-premises and the other running in Azure, each also connected to the subnet to be extended. Each subnet that you are going to extend requires one pair of appliances. Multiple subnets can be extended using multiple pairs.

Note
Extended network for Azure should only be used for machines that cannot have their IP address changed when migrating to Azure. It is always better to change the IP address and connect it to a subnet that wholly exists in Azure, if that is an option.

Step 1: To VNET1, add a subnet named VSubnet2 that uses the same address range as Subnet2.


Configuration in Azure
Before you use Windows Admin Center, you must perform the following steps through the Azure Portal:

1. Create a Virtual network in Azure that contains at least two subnets, in addition to subnets required for your gateway connection. One of the subnets you create must use the same subnet CIDR as the on-premises subnet you want to extend [Step 1]. The subnet must be unique within your routing domain so that it does not overlap with any on-premises subnets.

2. Configure a virtual network gateway to use a site-to-site or ExpressRoute connection to connect the virtual network to your on-premises network.

Step 2: Deploy an Azure Virtual machine that runs Windows Server 2022 Azure Edition and has two NICs connected to VSubnet1 and VSubnet2.

3. Create a Windows Server 2022 Azure Edition VM in Azure that is capable of running nested virtualization. This is one of your two virtual appliances. Connect the primary network interface to the routable subnet, and the second network interface to the extended subnet. [Step 2]

Note
Extended network for Azure requires Windows Server 2022 Azure Edition for the VM that is running in Azure.

Step 3: Install the Hyper-V server role in the Azure virtual machine.
4. Start the VM, enable the Hyper-V role, and reboot. [Step 3]

5. Create two external virtual switches in the VM and connect one to each of the network interfaces. For example:

New-VMSwitch -Name "External" -AllowManagementOS $true -NetAdapterName "Ethernet"
New-VMSwitch -Name "Extended" -AllowManagementOS $true -NetAdapterName "Ethernet 2"

Step 4: Create external Hyper-V virtual switches
On-premises configuration
You must also perform some manual configuration in your on-premises infrastructure, including creating a VM to serve as the on-premises virtual appliance:

1. Make sure the subnets are available on the physical machine where you will deploy the on-premises VM (virtual appliance). This includes the subnet you want to extend and a second subnet that is unique and doesn't overlap with any subnets in the Azure virtual network.

2. Create a Windows Server 2019 or 2022 VM on any hypervisor that supports nested virtualization. This is the on-premises virtual appliance. We recommend that you create this as a highly available VM in a cluster. Connect a virtual network adapter to the routable subnet and a second virtual network adapter to the extended subnet.

3. Start the VM, then run this command from a PowerShell session in the VM to enable the Hyper-V role, and restart the VM.

--> 4. Run the following commands in a PowerShell session in the VM to create two external virtual switches in the VM and connect one to each of the network interfaces: [Step 4]

New-VMSwitch -Name "External" -AllowManagementOS $true -NetAdapterName "Ethernet"
New-VMSwitch -Name "Extended" -AllowManagementOS $true -NetAdapterName "Ethernet 2"

Step 5: Extend the IP address space of VNet1 to include the IP address range of Subnet2

VM1 is in Subnet2, not in Subnet1.

Deploy extended network for Azure

1. Click Set up to begin the configuration.

2. Click Next to proceed past the Overview.

3. On the Upload Package panel, you will need to download the extended network for Azure agent package and upload it to the virtual appliance. Follow the instructions on the panel.

4. Select the Subnet CIDR of the on-premises network that you want to extend. The list of subnets is read in from the virtual appliance. If you have not connected the virtual appliance to the correct set of subnets, you will not see the desired subnet CIDR in this list.

5. Click Next after selecting the Subnet CIDR.

6. Select the subscription, resource Group and virtual network that you are extending into:



7. The region (Azure location) and subnet are selected automatically. Select Next: Extended-Network Gateway Setup to proceed.

8. Etc.

Incorrect:
* Extend the IP address space of VNet1 to include the IP address range of Subnet1


Reference:

https://learn.microsoft.com/en-us/windows-server/manage/windows-admin-center/azure/azure-extended-network




You have an on-premises datacenter named Site1 that contains a firewall named FW1. FW1 connects to the internet.

You have an Azure subscription that contains the resources shown in the following table.



You plan to connect Site1 to Hub1 by using a site-to-site connection.

You need to configure the site-to-site connection to FW1.

What should you create in VWAN1?

  1. a VPN site
  2. a virtual network connection
  3. a network virtual appliance (NVA)
  4. a User VPN configuration

Answer(s): A

Explanation:

Create a site-to-site connection using Azure Virtual WAN



Create a site
In this section, you create a site. Sites correspond to your physical locations. Create as many sites as you need. These sites contain your on-premises VPN device endpoints.
For example, if you have a branch office in NY, a branch office in London, and a branch office in LA, you'd create three separate sites. You can create up to 1000 sites per virtual hub in a virtual WAN. If you have multiple virtual hubs, you can create 1000 per each virtual hub.
If you have a Virtual WAN partner CPE device, check with them to learn about their automation to Azure.
Typically, automation implies a simple click experience to export large-scale branch information into Azure, and setting up connectivity from the CPE to Azure Virtual WAN VPN gateway.


Reference:

https://learn.microsoft.com/en-us/azure/virtual-wan/virtual-wan-site-to-site-portal




HOTSPOT (Drag and Drop is not supported)

You have an on-premises network.

You have an Azure subscription that contains two virtual networks named VNet1 and VNet2. VNet1 is peered with VNet2.

The on-premises network is connected to VNet1 by using an ExpressRoute circuit named Circuit1.

You need to recommend a solution to improve the routing performance between the on-premises network and the virtual networks. The solution must minimize costs.

Which configurations should you recommend? To answer, select the appropriate options in the answer area.

Note: Each correct selection is worth one point.

Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:



Box 1: ExpressRoute Global Reach
Configure the ExpressRoute route to use:

For optimal routing performance when connecting an on-premises network to two peered Azure virtual networks via ExpressRoute, ExpressRoute Global Reach is the best suited option. This feature allows for seamless connectivity between on-premises networks connected to different ExpressRoute circuits, enabling efficient traffic flow between your on-premises network and both peered Azure VNets.

Box 2: Connect Vnet2 directly to Circuit1.
For the virtual networks:

With ExpressRoute Global Reach, two connections are needed when linking an on-premises network to two peered Azure virtual networks. Each connection is established between the on-premises network and a specific ExpressRoute circuit, which in turn is linked to a peered Azure virtual network.


Reference:

https://learn.microsoft.com/en-us/azure/expressroute/expressroute-global-reach




You have an on-premises datacenter named DC1 that contains two routers.

You have an Azure subscription. The subscription contains a virtual network named VNet1 and a zone-redundant ExpressRoute virtual network gateway named GW1 that uses the ErGw3Az SKU. GW1 is attached to VNet1.

DC1 is connected to VNet1 by using an ExpressRoute Standard circuit named Circuit1. The DC1 routers are configured as endpoints for Circuit1. Circuit1 traffic traverses two physical links.

During a link outage, the connection takes three minutes to fail over.

You need to ensure that failovers between the links take less than one second.

What should you do?

  1. For Circuit1, select FastPath.
  2. On the routers, configure Bidirectional Forwarding Detection (BFD).
  3. For GW1, change SKU to UltraPerformance.
  4. For GW1, set Active-active mode to Enabled.

Answer(s): B

Explanation:

To decrease failover time in an ExpressRoute setup with two physical links and routers configured as endpoints, you should implement Bidirectional Forwarding Detection (BFD) and potentially adjust BGP timers.
BFD provides faster link failure detection than relying solely on BGP timers, while adjusting BGP timers can further optimize failover speed.
Implement BFD:
What it is: BFD is a protocol designed for rapid link failure detection.
How it helps: BFD works by sending small, frequent keep-alive messages between routers on both sides of the connection. If a certain number of these messages are not received within a specified time (the BFD interval), the link is considered down, triggering a failover much faster than relying solely on BGP's idle timeout.
Implementation: Enable BFD on your on-premises routers and ensure it's configured correctly with appropriate timers.


Reference:

https://learn.microsoft.com/en-us/azure/expressroute/expressroute-bfd



Share your comments for Microsoft AZ-700 exam with other users:

Thor
10/21/2025 5:16:29 AM

Anyone used this dump recently?

Jayant
11/2/2023 3:15:00 AM

thanks for az 700 dumps

Rond65
8/22/2023 4:39:00 PM

question #3 refers to vnet4 and vnet5. however, there is no vnet5 listed in the case study (testlet 2).

Thembelani
5/30/2023 2:17:00 AM

i am writing this exam tomorrow and have dumps

Thembelani
5/30/2023 2:47:00 AM

excellent material

Thembelani
5/30/2023 2:40:00 AM

does this exam have lab sections?

Thembelani
5/30/2023 2:22:00 AM

anyone who wrote this exam recently

Thembelani
5/30/2023 2:45:00 AM

need this dumps
