Microsoft Designing and Implementing Azure Networking Solutions AZ-700 Exam Questions in PDF

Free Microsoft AZ-700 Dumps Questions (page: 8)


Case Study

This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other questions in this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.
To start the case study
To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements.
When you are ready to answer a question, click the Question button to return to the question.
Overview
Proseware, Inc. is a financial services company that has a main office in New York City and a branch office in San Francisco.
Existing Environment. Hybrid Environment
Proseware has an on-premises Active Directory Domain Services (AD DS) forest named corp.proseware.com that syncs with a Microsoft Entra tenant named proseware.com.
Proseware has an Azure subscription that is linked to proseware.com.
Proseware has an internal certification authority (CA).
Existing Environment. Network Infrastructure
The offices contain the resources shown in the following table.



NYCNet connects to Azure by using an ExpressRoute circuit.
SFONet connects to Azure by using a Site-to-Site (S2S) VPN.
Existing Environment. Azure Resources
The Azure subscription contains the virtual networks and subnets shown in the following table.



The subscription contains four virtual machines named VM1, VM2, VM3, and VM4. VM1 and VM2 host an app named App1.
VM3 and VM4 host a web app named App2 that is accessed by using a FQDN of app2.proseware.com. Users access app2.proseware.com by using HTTP or HTTPS.
VM1, VM2, and VM4 are connected to SpokeVNet.
The subscription contains Application Gateway resources shown in the following table.



The subscription contains an Azure Front Door Standard profile named FD1. FD1 contains a single origin group that targets APPGW1 by using the default endpoint name.

HubVNet connects to NYCNet by using an ExpressRoute gateway named ERGW1.
Planned Changes and Requirements. Planned Changes
Proseware plans to implement the following changes:
Deploy an Azure Private DNS Resolver named PRDNS1 to HubVNet and link PRDNS1 to SpokeVNet.

Create a DNS forwarding ruleset named DNSRS1 and associate DNSRS1 with PRDNS1.

Deploy Azure Virtual Network Manager and implement the following rules:

- Allow inbound connections on TCP port 3389 from the on-premises networks to SUBNET-JUMPHOSTS.
- Block inbound connections on TCP port 80 from the internet to SpokeVNet.
Ensure that Azure Virtual Network Manager rules take precedence over conflicting NSG rules.

Deploy two network virtual appliances (NVAs) named NVA1 and NVA2 to HubVNet.

Deploy a gateway load balancer named LBGW1 to HubVNet.

Configure LBGW1 to inspect traffic on TCP ports 443, 1433, and 1434 from LBS1 by using NVA1 and NVA2.
Ensure that all the traffic to App2 is processed by using FD1.

Planned Changes and Requirements. Connectivity requirements
Proseware identifies the following connectivity requirements:
Minimize the complexity of the Azure Virtual Network Manager deployment.

Route traffic between NYCNet and SFONet via the ExpressRoute circuit and the S2S VPN.

Ensure that remote users on Windows 11 devices can connect to HubVNet by using a Point-to-Site (P2S) VPN and their proseware.com credentials.
Planned Changes and Requirements. Security requirements
Proseware identifies the following security requirements:
Whenever possible, use the internal CA.

Ensure that all connections routed via APPGW1 use end-to-end encryption.

Ensure that user connections to Azure-hosted apps use end-to-end encryption.

Ensure that all inbound internet traffic to app2.proseware.com is routed via FD1.

Prevent devices that connect to NYCNet from accessing Azure services that use private endpoints.

Enable the virtual machines that connect to HubVNet and SpokeVNet to access Azure services that use private endpoints.
Planned Changes and Requirements. General requirements
Proseware identifies the following general requirements:
Minimize the IP address space required to deploy platform-managed resources to the virtual networks.

From SpokeVNet, resolve name resolution requests for the azure.proseware.com namespace and the corp.proseware.com namespace by using PRDNS1.
Whenever possible, minimize administrative effort.

You need to configure APPGW1 to support end-to-end encryption. The solution must meet the security requirements.

What should you do?

  1. From the SSL settings, upload a TLS client certificate that is issued by the internal root CA and includes the full certificate chain.
  2. From the Backend settings, upload the internal root CA certificate.
  3. From the SSL settings, upload a TLS client certificate that is issued by the internal root CA.
  4. From the Backend settings, upload a wildcard TLS certificate that has a private key issued by the internal root CA.

Answer(s): D

Explanation:

Scenario:
APPGW1 is an Application Gateway
Proseware identifies the following security requirements:
* Ensure that all connections routed via APPGW1 use end-to-end encryption.
Note: End-to-end TLS encryption
You may not want unencrypted communication to the backend servers. You may have security requirements, compliance requirements, or the application may only accept a secure connection. Azure Application Gateway has end-to-end TLS encryption to support these requirements.
For end-to-end TLS encryption, the back end must be explicitly allowed by the application gateway. Upload the public certificate of the backend servers to the application gateway. Adding the certificate ensures that the application gateway only communicates with known backend instances. This further secures the end-to-end communication.
Configure end to end TLS by using Application Gateway with PowerShell
Apply a new certificate if the backend certificate is expired
Use this procedure to apply a new certificate if the backend certificate is expired.
1. Retrieve the application gateway to update.
$gw = Get-AzApplicationGateway -Name AdatumAppGateway -ResourceGroupName AdatumAppGatewayRG
2. Add the new certificate resource from the .cer file, which contains the public key of the certificate and can also be the same certificate added to the listener for TLS termination at the application gateway.
Add-AzApplicationGatewayAuthenticationCertificate -ApplicationGateway $gw -Name 'NewCert' -CertificateFile "appgw_NewCert.cer"
3. Get the new authentication certificate object into a variable (TypeName: Microsoft.Azure.Commands.Network.Models.PSApplicationGatewayAuthenticationCertificate).
$AuthCert = Get-AzApplicationGatewayAuthenticationCertificate -ApplicationGateway $gw -Name NewCert
4. Assign the new certificate to the backend HTTP setting and refer to it with the $AuthCert variable. (Specify the HTTP setting name that you want to change.)
$out = Set-AzApplicationGatewayBackendHttpSetting -ApplicationGateway $gw -Name "HTTP1" -Port 443 -Protocol "Https" -CookieBasedAffinity Disabled -AuthenticationCertificates $AuthCert


Reference:

https://learn.microsoft.com/en-us/azure/application-gateway/ssl-overview
https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-end-to-end-ssl-powershell





HOTSPOT (Drag and Drop is not supported)

You are configuring the DNS forwarding ruleset for DNSRS1.

You need to configure the destination IP address for azure.proseware.com and for corp.proseware.com. The solution must meet the general requirements.

Which IP addresses should you configure for each namespace? To answer, select the appropriate options in the answer area.

Note: Each correct selection is worth one point.

Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:



Box 1: 192.168.0.100
Azure.proseware.com

NYCDNS1 is a DNS Server with IP address of 192.168.0.100.

Incorrect:
* The first IP address of the Outbound endpoint subnet of PRDNS1
Outbound endpoints
Outbound endpoints egress from Azure and can be linked to DNS Forwarding Rulesets.

Outbound endpoints are also part of the private virtual network address space where the private resolver is deployed. An outbound endpoint is associated with a subnet, but isn't provisioned with an IP address like the inbound endpoint. No other resources can exist in the same subnet with the outbound endpoint.

Box 2: The first IP address of the inbound endpoint subnet of PRDNS1
Corp.proseware.com

Note: Inbound endpoints
As the name suggests, inbound endpoints ingress to Azure. Inbound endpoints provide an IP address to forward DNS queries from on-premises and other locations outside your virtual network. DNS queries sent to the inbound endpoint are resolved using Azure DNS. Private DNS zones that are linked to the virtual network where the inbound endpoint is provisioned are resolved by the inbound endpoint.

The IP address associated with an inbound endpoint is always part of the private virtual network address space where the private resolver is deployed.

Static and dynamic endpoint IP addresses
The IP address assigned to an inbound endpoint can be static or dynamic. If you select static, you can't choose a reserved IP address in the subnet. If you choose a dynamic IP address, the fifth available IP address in the subnet is assigned. For example, 10.10.0.4 is the fifth IP address in the 10.10.0.0/28 subnet (.0, .1, .2, .3, .4). If the inbound endpoint is reprovisioned, this IP address could change, but normally the 5th IP address in the subnet is used again. The dynamic IP address does not change unless the inbound endpoint is reprovisioned.

Scenario:
Existing Environment. Hybrid Environment

Proseware has an on-premises Active Directory Domain Services (AD DS) forest named corp.proseware.com that syncs with a Microsoft Entra tenant named proseware.com.

Proseware plans to implement the following changes:

* Deploy an Azure Private DNS Resolver named PRDNS1 to HubVNet and link PRDNS1 to SpokeVNet.
* From SpokeVNet, resolve name resolution requests for the azure.proseware.com namespace and the corp.proseware.com namespace by using PRDNS1.


Reference:

https://learn.microsoft.com/en-us/azure/dns/private-resolver-endpoints-rulesets





HOTSPOT (Drag and Drop is not supported)

You need to configure connectivity between NYCNet and SFONet. The solution must meet the connectivity requirements.

What should you do? To answer, select the appropriate options in the answer area.

Note: Each correct selection is worth one point.

Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:



Scenario:
NYCNet connects to Azure by using an ExpressRoute circuit.
SFONet connects to Azure by using a Site-to-Site (S2S) VPN.
HubVNet connects to NYCNet by using an ExpressRoute gateway named ERGW1.

Proseware identifies the following connectivity requirements:
Route traffic between NYCNet and SFONet via the ExpressRoute circuit and the S2S VPN.

Box 1: Configure a user-defined route (UDR)
For HubVNet

Custom routes
You create custom routes by either creating user-defined routes (UDRs) or exchanging BGP routes between your on-premises network gateway and an Azure virtual network gateway.

User-defined
To customize your traffic routes, you shouldn't modify the default routes. You should create custom or user-defined (static) routes, which override the Azure default system routes.

Box 2: Change the ASN number
For VPNGW1

Change the ASN number for HubVNet.

Scenario:
VPNGW1 is a Virtual network gateway in HubVNet.
Configuration: Active-passive resiliency, in Generation 2, VpnGw3 SKU that has the default ASN connected to SFONet.

Note: If you want to use transit routing between ExpressRoute and VPN, the ASN of Azure VPN Gateway must be set to 65515. Azure VPN Gateway supports the BGP routing protocol. For ExpressRoute and Azure VPN to work together, you must keep the Autonomous System Number of your Azure VPN gateway at its default value, 65515. If you previously selected an ASN other than 65515 and you change the setting to 65515, you must reset the VPN gateway for the setting to take effect.

Incorrect:
* Resize the SKU
When you create a VPN Gateway virtual network gateway, you specify the gateway SKU that you want to use.

The GatewaySku is only supported for VpnGw1, VpnGw2, VpnGw3 [this is the current SKU, which is fine], Standard, and HighPerformance VPN gateways. ExpressRoute-VPN Gateway coexist configurations aren't supported on the Basic SKU. The VpnType must be RouteBased.

* Configure active-active mode.
Azure VPN gateways can be configured as active-standby or active-active. To avoid interruptions, create your gateway in active-active mode, or switch an active-standby gateway to active-active.


Reference:

https://learn.microsoft.com/en-us/azure/expressroute/expressroute-about-virtual-network-gateways
https://learn.microsoft.com/en-us/azure/expressroute/how-to-configure-coexisting-gateway-portal
https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview





HOTSPOT (Drag and Drop is not supported)

You need to identify which IP address space to allocate for the planned deployment of PRDNS1 to HubVNet and SpokeVNet. The solution must meet the general requirements.

What should you identify for each virtual network? To answer, select the appropriate options in the answer area.

Note: Each correct selection is worth one point.

Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:



Box 1: /28
HubVNet:

Use the minimum /28 address space

Scenario:
Proseware plans to implement the following changes:
Deploy an Azure Private DNS Resolver named PRDNS1 to HubVNet and link PRDNS1 to SpokeVNet.

Proseware identifies the following general requirements:
* Minimize the IP address space required to deploy platform-managed resources to the virtual networks.

Note: Subnet restrictions
Subnets used for DNS resolver have the following limitations:

A subnet must be a minimum of /28 address space or a maximum of /24 address space. A /28 subnet is sufficient to accommodate current endpoint limits. A subnet size of /27 to /24 can provide flexibility if these limits change.

Box 2: No address space required
SpokeVNet

An endpoint does not use a subnet.

Azure DNS Private Resolver requires an Azure Virtual Network.
When you create an Azure DNS Private Resolver inside a virtual network, one or more inbound endpoints are established that can be used as the destination for DNS queries. The resolver's outbound endpoint processes DNS queries based on a DNS forwarding ruleset that you configure. DNS queries that are initiated in networks linked to a ruleset can be sent to other DNS servers.


Reference:

https://learn.microsoft.com/en-us/azure/dns/dns-private-resolver-overview
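
The subnet restrictions quoted above (/28 minimum, /24 maximum) and the inbound endpoint addressing rules quoted in the DNSRS1 explanation (a dynamic IP is the fifth address, a static IP must not be a reserved address) can be checked before a resolver endpoint is deployed. The following is an added example, not part of the original page or of any Microsoft tooling; the function names are hypothetical and the virtual network and subnet ranges are constructed sample values (IPv4 only).

```python
import ipaddress

# Limits quoted on this page for DNS resolver endpoint subnets.
SMALLEST_PREFIX = 28   # a /28 is the minimum subnet size
LARGEST_PREFIX = 24    # a /24 is the maximum subnet size
LEADING_RESERVED = 4   # .0-.3 are skipped, so a dynamic inbound IP is the fifth address

# Constructed sample data (the page's own network tables did not survive).
SAMPLE_VNET = ["10.10.0.0/16"]
SAMPLE_SUBNETS = ["10.10.0.0/24", "10.10.1.0/28"]


def reserved_addresses(subnet):
    """Addresses a static endpoint IP may not use.

    The first four come from the page's example; the last (broadcast)
    address is Azure's general per-subnet reservation.
    """
    net = ipaddress.ip_network(subnet)
    leading = {net.network_address + i for i in range(LEADING_RESERVED)}
    return leading | {net.broadcast_address}


def dynamic_inbound_ip(subnet):
    """IP a dynamically addressed inbound endpoint receives in this subnet."""
    net = ipaddress.ip_network(subnet)
    return str(net.network_address + LEADING_RESERVED)


def check_endpoint_subnet(vnet_spaces, existing_subnets, candidate, static_ip=None):
    """Return a list of problems with a planned endpoint subnet (empty = OK)."""
    cand = ipaddress.ip_network(candidate)
    problems = []
    if not LARGEST_PREFIX <= cand.prefixlen <= SMALLEST_PREFIX:
        problems.append(f"{cand}: prefix must be between /24 and /28")
    if not any(cand.subnet_of(ipaddress.ip_network(v)) for v in vnet_spaces):
        problems.append(f"{cand}: outside the virtual network address space")
    # An endpoint subnet is dedicated, so it must not overlap any other subnet.
    for s in existing_subnets:
        if cand.overlaps(ipaddress.ip_network(s)):
            problems.append(f"{cand}: overlaps existing subnet {s}")
    if static_ip is not None:
        ip = ipaddress.ip_address(static_ip)
        if ip not in cand:
            problems.append(f"{ip}: not inside {cand}")
        elif ip in reserved_addresses(candidate):
            problems.append(f"{ip}: reserved address in {cand}")
    return problems


def smallest_free_subnet(vnet_spaces, existing_subnets):
    """First unused /28 in the VNet, i.e. the least address space that qualifies."""
    used = [ipaddress.ip_network(s) for s in existing_subnets]
    for v in vnet_spaces:
        space = ipaddress.ip_network(v)
        if space.prefixlen > SMALLEST_PREFIX:
            continue  # address space too small to hold a /28
        for cand in space.subnets(new_prefix=SMALLEST_PREFIX):
            if not any(cand.overlaps(u) for u in used):
                return str(cand)
    return None


if __name__ == "__main__":
    subnet = smallest_free_subnet(SAMPLE_VNET, SAMPLE_SUBNETS)
    print("endpoint subnet:", subnet)
    print("dynamic inbound IP:", dynamic_inbound_ip(subnet))
    print("problems:", check_endpoint_subnet(SAMPLE_VNET, SAMPLE_SUBNETS, subnet))
```

Anything that points at the inbound endpoint, such as an on-premises conditional forwarder or a firewall rule, should use the address this calculation yields; the page notes that a dynamic address can change if the endpoint is reprovisioned.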




Case Study


Overview

Litware, Inc. is a financial company that has a main datacenter in Boston and 20 branch offices across the United States. Users have Android, iOS, and Windows 10 devices.

Existing Environment

Hybrid Environment

The on-premises network contains an Active Directory forest named litwareinc.com that syncs to a Microsoft Entra tenant named litwareinc.com by using Microsoft Entra Connect.

All the offices connect to a virtual network named Vnet1 by using a Site-to-Site VPN connection.

Azure Environment

Litware has an Azure subscription named Sub1 that is linked to the litwareinc.com Microsoft Entra tenant. Sub1 contains resources in the East US Azure region as shown in the following table.



A diagram of the resources in the East US Azure region is shown in the Azure Network Diagram exhibit.

There is bidirectional peering between Vnet1 and Vnet2. There is bidirectional peering between Vnet1 and Vnet3. Currently, Vnet2 and Vnet3 cannot communicate directly.

Azure Network Diagram



Requirements

Business Requirements

Litware wants to minimize costs whenever possible, as long as all other requirements are met.

Virtual Networking Requirements

Litware identifies the following virtual networking requirements:

* Direct the default route of 0.0.0.0/0 on Vnet2 and Vnet3 to the Boston datacenter over an ExpressRoute circuit.
* Ensure that the records in the cloud.litwareinc.com zone can be resolved from the on-premises locations.
* Automatically register the DNS names of Azure virtual machines to the cloud.litwareinc.com zone.
* Minimize the size of the subnets allocated to platform-managed services.
* Allow traffic from VMScaleSet1 to VMScaleSet2 on the TCP port 443 only.

Hybrid Networking Requirements

Litware identifies the following hybrid networking requirements:

* Users must be able to connect to Vnet1 by using a Point-to-Site (P2S) VPN when working remotely.
* Connections must be authenticated by Microsoft Entra ID.
* Latency of the traffic between the Boston datacenter and all the virtual networks must be minimized.
* The Boston datacenter must connect to the Azure virtual networks by using an ExpressRoute FastPath connection.
* Traffic between Vnet2 and Vnet3 must be routed through Vnet1.

PaaS Networking Requirements

Litware identifies the following networking requirements for platform as a service (PaaS):

* The storage1 account must be accessible from all on-premises locations without exposing the public endpoint of storage1.
* The storage2 account must be accessible from Vnet2 and Vnet3 without exposing the public endpoint of storage2.

DRAG DROP (Drag and Drop is not supported)

You need to prepare Vnet1 for the deployment of an ExpressRoute gateway. The solution must meet the hybrid connectivity requirements and the business requirements.

Which three actions should you perform in sequence for Vnet1? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

Select and Place:

  1. See Explanation section for answer.

Answer(s): A

Explanation:



Step 1: Delete the VPN GW1.
The existing GatewaySubnet used by VPN GW1 is too small at /29.

Users must be able to connect to Vnet1 by using a Point-to-Site (P2S) VPN when working remotely.
Connections must be authenticated by Microsoft Entra ID.
Litware wants to minimize costs whenever possible, as long as all other requirements are met.



Step 2: Create a VPN gateway by using Basic SKU.
Basic SKU is good enough.

Note
The Basic gateway SKU does not support IKEv2 or RADIUS authentication. If you plan on having Mac clients connect to your virtual network, do not use the Basic SKU.

Step 3: Set the subnet mask of Gateway Subnet to /27.
When you create the gateway subnet, you specify the number of IP addresses that the subnet contains. The number of IP addresses needed depends on the VPN gateway configuration that you want to create. Some configurations require more IP addresses than others. We [Microsoft] recommend that you create a gateway subnet that uses a /27 or /28.
It's best to specify /27 or larger (/26, /25, etc.). This allows enough IP addresses for future changes, such as adding an ExpressRoute gateway.


Reference:

https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-resource-manager-portal




Case Study


Overview

Litware, Inc. is a financial company that has a main datacenter in Boston and 20 branch offices across the United States. Users have Android, iOS, and Windows 10 devices.


You need to connect Vnet2 and Vnet3. The solution must meet the virtual networking requirements and the business requirements.

Which two actions should you include in the solution? Each correct answer presents part of the solution.

Note: Each correct selection is worth one point.

  1. On the peering from Vnet1, select Allow gateway transit.
  2. On the peerings from Vnet2 and Vnet3, select Use remote gateways.
  3. On the peerings from Vnet2 and Vnet3, select Allow gateway transit.
  4. On the peering from Vnet1, select Use remote gateways.
  5. On the peering from Vnet1, select Allow forwarded traffic.

Answer(s): A,B

Explanation:

Virtual network peering seamlessly connects two Azure virtual networks, merging the two virtual networks into one for connectivity purposes. Gateway transit is a peering property that lets one virtual network use the VPN gateway in the peered virtual network for cross-premises or VNet-to-VNet connectivity. The following diagram shows how gateway transit works with virtual network peering.



In the diagram, gateway transit allows the peered virtual networks to use the Azure VPN gateway in Hub-RM.
Connectivity available on the VPN gateway, including S2S, P2S, and VNet-to-VNet connections,


Reference:

https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-peering-gateway-transit
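
The flag pairing from answers A and B can be checked against the constraints Azure places on gateway transit. The following is an added example, not part of the original page: the `Peering` class, the `audit_gateway_transit` function and the sample data are hypothetical, and it assumes the shared gateway lives in Vnet1.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Peering:
    local: str    # VNet that owns this peering object
    remote: str   # VNet on the other side of the peering
    allow_gateway_transit: bool = False
    use_remote_gateways: bool = False


def audit_gateway_transit(peerings, vnets_with_gateway):
    """Return findings for peerings whose gateway-transit flags cannot work."""
    by_pair = {(p.local, p.remote): p for p in peerings}
    findings, consumers = [], {}
    for p in peerings:
        if not p.use_remote_gateways:
            continue
        tag = f"{p.local}->{p.remote}"
        consumers.setdefault(p.local, []).append(p.remote)
        # The remote side must offer its gateway on the reverse peering.
        reverse = by_pair.get((p.remote, p.local))
        if reverse is None or not reverse.allow_gateway_transit:
            findings.append(f"{tag}: {p.remote} does not allow gateway transit")
        # There must be a gateway to share, and the consumer must not own one.
        if p.remote not in vnets_with_gateway:
            findings.append(f"{tag}: {p.remote} has no gateway to share")
        if p.local in vnets_with_gateway:
            findings.append(f"{tag}: {p.local} already has its own gateway")
    # Only one peering per VNet may consume a remote gateway.
    for vnet, remotes in consumers.items():
        if len(remotes) > 1:
            findings.append(f"{vnet}: Use remote gateways set on more than one peering")
    return findings


# Constructed sample data (assumption: the gateway is deployed in Vnet1, the hub).
GATEWAYS = {"Vnet1"}
AS_ANSWERED = [  # options 1 and 2 from the question
    Peering("Vnet1", "Vnet2", allow_gateway_transit=True),
    Peering("Vnet1", "Vnet3", allow_gateway_transit=True),
    Peering("Vnet2", "Vnet1", use_remote_gateways=True),
    Peering("Vnet3", "Vnet1", use_remote_gateways=True),
]
FLAGS_SWAPPED = [  # options 3 and 4 from the question
    Peering("Vnet1", "Vnet2", use_remote_gateways=True),
    Peering("Vnet1", "Vnet3", use_remote_gateways=True),
    Peering("Vnet2", "Vnet1", allow_gateway_transit=True),
    Peering("Vnet3", "Vnet1", allow_gateway_transit=True),
]

if __name__ == "__main__":
    for name, cfg in (("as answered", AS_ANSWERED), ("flags swapped", FLAGS_SWAPPED)):
        print(name, audit_gateway_transit(cfg, GATEWAYS) or "OK")
```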




Case Study


Overview

Litware, Inc. is a financial company that has a main datacenter in Boston and 20 branch offices across the United States. Users have Android, iOS, and Windows 10 devices.


HOTSPOT (Drag and Drop is not supported)

You need to implement a P2S VPN for the users in the branch office. The solution must meet the hybrid networking requirements.

What should you do? To answer, select the appropriate options in the answer area.

Note: Each correct selection is worth one point.

Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:


Reference:

https://docs.microsoft.com/en-us/azure/vpn-gateway/openvpn-azure-ad-tenant




Case Study


Overview

Contoso, Ltd. is a consulting company that has a main office in San Francisco and a branch office in Dallas.

Contoso recently purchased an Azure subscription and is performing its first pilot project in Azure.

Existing Environment

Azure Network Infrastructure

Contoso has a Microsoft Entra tenant named contoso.com.

The Azure subscription contains the virtual networks shown in the following table.



Vnet1 contains a virtual network gateway named GW1.

Azure Virtual Machines

The Azure subscription contains virtual machines that run Windows Server 2022 as shown in the following table.



The NSGs are associated to the network interfaces on the virtual machines. Each NSG has one custom security rule that allows RDP connections from the internet. The firewall on each virtual machine allows ICMP traffic.

An application security group named ASG1 is associated to the network interface of VM1.

Azure Network Infrastructure Diagram



Azure Private DNS Zones

The Azure subscription contains the Azure private DNS zones shown in the following table.



Zone1.contoso.com has the virtual network links shown in the following table.



Other Azure Resources

The Azure subscription contains additional resources as shown in the following table.



Requirements

Virtual Network Requirements

Contoso has the following virtual network requirements:

Create a virtual network named Vnet6 in West US that will contain the following resources and configurations:
- Two container groups that connect to Vnet6
- Three virtual machines that connect to Vnet6
- Allow VPN connections to be established to Vnet6
- Allow the resources in Vnet6 to access KeyVault1, DB1, and Vnet1 over the Microsoft backbone network.

The virtual machines in Vnet4 and Vnet5 must be able to communicate over the Microsoft backbone network.

A virtual machine named VM-Analyze will be deployed to Subnet1. VM-Analyze must inspect the outbound network traffic from Subnet2 to the internet.

Network Security Requirements

Contoso has the following network security requirements:

Configure Microsoft Entra authentication for Point-to-Site (P2S) VPN users.

Enable NSG flow logs for NSG3 and NSG4.

Create an NSG named NSG10 that will be associated to Vnet1/Subnet1 and will have the custom inbound security rules shown in the following table.



Create an NSG named NSG11 that will be associated to Vnet1/Subnet2 and will have the custom outbound security rules shown in the following table.



HOTSPOT (Drag and Drop is not supported)

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

Note: Each correct selection is worth one point.

Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:



Box 1: No
Zone2.contoso.com is not linked to any virtual networks. Therefore, no VMs are able to resolve names in the zone.

Box 2: Yes
VM4 is in VNet3. Zone1.contoso.com has a link to VNet3 and auto-registration is enabled on the link.

Box 3: No
VNet3 is linked to zone1.contoso.com and auto-registration is enabled on the link. A virtual network can only have one registration zone. You can link zone2.contoso.com to VNet3 but you won't be able to enable auto-registration on the link.
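
The three boxes follow from two rules: a VNet resolves only the private zones it is linked to, and it can auto-register into only one of them. The following is an added example, not part of the original page: the `VnetLink` class and the helper functions are hypothetical, and the sample links are constructed from the explanation text alone because the case-study tables are not reproduced here.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class VnetLink:
    zone: str
    vnet: str
    registration_enabled: bool = False


def norm(name):
    # Zone and resource names compare case-insensitively; drop a trailing dot.
    return name.strip().rstrip(".").lower()


def resolvable_zones(links, vnet):
    """Private zones a VM in `vnet` can resolve: only zones linked to that VNet."""
    return {norm(l.zone) for l in links if norm(l.vnet) == norm(vnet)}


def registration_zone(links, vnet):
    """Zone that receives auto-registered VM records for `vnet`, or None."""
    zones = sorted({norm(l.zone) for l in links
                    if l.registration_enabled and norm(l.vnet) == norm(vnet)})
    return zones[0] if zones else None


def check_new_link(links, new):
    """Return reasons the proposed link conflicts; an empty list means it is fine."""
    current = registration_zone(links, new.vnet)
    if new.registration_enabled and current not in (None, norm(new.zone)):
        return [f"{new.vnet} already auto-registers into {current}"]
    return []


# Constructed from the explanation: zone1 is linked to VNet3 with
# auto-registration; zone2 has no virtual network links at all.
LINKS = [VnetLink("Zone1.contoso.com", "VNet3", registration_enabled=True)]

if __name__ == "__main__":
    print("VNet3 resolves:", resolvable_zones(LINKS, "VNet3"))
    print("VNet3 registers into:", registration_zone(LINKS, "VNet3"))
    print("zone2 + registration:",
          check_new_link(LINKS, VnetLink("zone2.contoso.com", "VNet3", True)))
    print("zone2 resolution only:",
          check_new_link(LINKS, VnetLink("zone2.contoso.com", "VNet3", False)) or "OK")
```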



Share your comments for Microsoft AZ-700 exam with other users:

Thor
10/21/2025 5:16:29 AM

Anyone used this dump recently?

Jayant
11/2/2023 3:15:00 AM

thanks for az 700 dumps

Rond65
8/22/2023 4:39:00 PM

question #3 refers to vnet4 and vnet5. however, there is no vnet5 listed in the case study (testlet 2).

Thembelani
5/30/2023 2:17:00 AM

i am writing this exam tomorrow and have dumps

Thembelani
5/30/2023 2:47:00 AM

excellent material

Thembelani
5/30/2023 2:40:00 AM

does this exam have lab sections?

Thembelani
5/30/2023 2:22:00 AM

anyone who wrote this exam recently

Thembelani
5/30/2023 2:45:00 AM

need this dumps
