10 05 2023
[May-2023]Exam Pass 100%!Braindump2go AZ-700 PDF and AZ-700 VCE Dumps AZ-700 204Q Instant Download[Q63-Q93]
May/2023 Latest Braindump2go AZ-700 Exam Dumps with PDF and VCE Free Updated Today! Following are some new Braindump2go AZ-700 Real Exam Questions!
QUESTION 63
You plan to publish a website that will use an FQDN of www.contoso.com. The website will be hosted by using the Azure App Service apps shown in the following table.
You plan to use Azure Traffic Manager to manage the routing of traffic for www.contoso.com between AS1 and AS2.
You need to ensure that Traffic Manager routes traffic for www.contoso.com.
Which DNS record should you create?
A. two A records that map www.contoso.com to 131.107.100.1 and 131.107.200.1
B. a CNAME record that maps www.contoso.com to TMprofile1.azurefd.net
C. a CNAME record that maps www.contoso.com to TMprofile1.trafficmanager.net
D. a TXT record that contains a strin
g of as1.contoso.com and as2.contoso.com in the details
Answer: C
Explanation:
https://docs.microsoft.com/en-us/azure/traffic-manager/quickstart-create-traffic-manager-profile
https://docs.microsoft.com/en-us/azure/app-service/configure-domain-traffic-manager
QUESTION 64
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure application gateway that has Azure Web Application Firewall (WAF) enabled.
You configure the application gateway to direct traffic to the URL of the application gateway.
You attempt to access the URL and receive an HTTP 403 error. You view the diagnostics log and discover the following error.
You need to ensure that the URL is accessible through the application gateway.
Solution: You create a WAF policy exclusion for request headers that contain 137.135.10.24.
Does this meet the goal?
A. Yes
B. No
Answer: B
Explanation:
The log shows that WAF rule with ruleId 920300 was trigged. Instead we should disable the WAF rule that has a ruleId 920300.
Reference:
https://docs.microsoft.com/en-us/azure/web-application-firewall/ag/web-application-firewall-troubleshoot
QUESTION 65
You have an Azure Web Application Firewall (WAF) policy in prevention mode that is associated to an Azure Front Door instance.
You need to configure the policy to meet the following requirements:
– Log all connections from Australia.
– Deny all connections from New Zealand.
– Deny all further connections from a network of 131.107.100.0/24 if there are more than 100 connections during one minute.
What is the minimum number of objects you should create?
A. three custom rules that each has one condition
B. one custom rule that has three conditions
C. one custom rule that has one condition
D. one rule that has two conditions and another rule that has one condition
Answer: A
Explanation:
Another concept to make use of in constructing effective Custom Rules is compound conditions. Rules can be created with a single condition, or you can add multiple conditions that must be satisfied to constitute a match. When adding multiple conditions, they are added as an AND statement, so all conditions must be met for the Action to take place. If you need to construct a rule with OR logic, it is best to create multiple rules with the same Action.
https://techcommunity.microsoft.com/t5/azure-network-security-blog/azure-waf-custom-rule-samples-and-use-cases/ba-p/2033020
QUESTION 66
You have an Azure subscription that contains multiple virtual machines in the West US Azure region.
You need to use Traffic Analytics.
Which two resources should you create? Each correct answer presents part of the solution. (Choose two.)
NOTE: Each correct answer selection is worth one point.
A. an Azure Monitor workbook
B. a Log Analytics workspace
C. a storage account
D. an Azure Sentinel workspace
E. an Azure Monitor data collection rule
Answer: BC
Explanation:
Traffic Analytics requires the following prerequisites:
A Network Watcher enabled subscription.
Network Security Group (NSG) flow logs enabled for the NSGs you want to monitor.
An Azure Storage account, to store raw flow logs.
An Azure Log Analytics workspace, with read and write access.
https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics-faq#what-are-the-prerequisites-to-use-traffic-analytics-
QUESTION 67
You have a hybrid environment that uses ExpressRoute to connect an on-premises network and Azure.
You need to log the uptime and the latency of the connection periodically by using an Azure virtual machine and an on-premises virtual machine.
What should you use?
A. Azure Monitor
B. IP flow verify
C. Connection Monitor
D. Azure Internet Analyzer
Answer: C
Explanation:
Connection Monitor provides unified, end-to-end connection monitoring in Azure Network Watcher. The Connection Monitor feature supports hybrid and Azure cloud deployments. Network Watcher provides tools to monitor, diagnose, and view connectivity-related metrics for your Azure deployments.
https://docs.microsoft.com/en-us/azure/network-watcher/connection-monitor-overview
QUESTION 68
You have an Azure subscription that contains the following resources:
– A virtual network named Vnet1
– Two subnets named subnet1 and AzureFirewallSubnet
– A public Azure Firewall named FW1
– A route table named RT1 that is associated to Subnet1
– A rule routing of 0.0.0.0/0 to FW1 in RT1
After deploying 10 servers that run Windows Server to Subnet1, you discover that none of the virtual machines were activated.
You need to ensure that the virtual machines can be activated.
What should you do?
A. On FW1, create an outbound service tag rule for AzureCloud.
B. On FW1, create an outbound network rule that allows traffic to the Azure Key Management Service (KMS).
C. Deploy a NAT gateway.
D. To Subnet1, associate a network security group (NSG) that allows outbound access to port 1688.
Answer: B
Explanation:
The Azure Windows VMs need to connect to the Azure KMS server for Windows activation. The activation requires that the activation request come from an Azure public IP address.
To resolve this problem, use the Azure custom route to route activation traffic to the Azure KMS server.
Reference:
https://docs.microsoft.com/en-us/troubleshoot/azure/virtual-machines/custom-routes-enable-kms-activationwvd/
QUESTION 69
You have an Azure virtual network that contains a subnet named Subnet1. Subnet1 is associated to a network security group (NSG) named NSG1. NSG1 blocks all outbound traffic that is not allowed explicitly.
Subnet1 contains virtual machines that must communicate with the Azure Cosmos DB service.
You need to create an outbound security rule in NSG1 to enable the virtual machines to connect to Azure Cosmos DB.
What should you include in the solution?
A. a service tag
B. a private endpoint
C. a subnet delegation
D. an application security group
Answer: A
Explanation:
What is service tag in Azure?
Image result for azure service tags
A service tag represents a group of IP address prefixes from a given Azure service. … You can use service tags to define network access controls on network security groups or Azure Firewall. Use service tags in place of specific IP addresses when you create security rules.
https://docs.microsoft.com/en-us/azure/virtual-network/service-tags-overview
QUESTION 70
You have an Azure virtual network named Vnet1 that has one subnet. Vnet1 is in the West Europe Azure region.
You deploy an Azure App Service app named App1 to the West Europe region.
You need to provide App1 with access to the resources in Vnet1. The solution must minimize costs.
What should you do first?
A. Create a private link.
B. Create a new subnet.
C. Create a NAT gateway.
D. Create a gateway subnet and deploy a virtual network gateway.
Answer: B
Explanation:
Create a new subnet, since both Vnet and App Service are in the same region.
https://docs.microsoft.com/en-us/azure/app-service/web-sites-integrate-with-vnet#enable-vnet-integration
Regional VNet Integration = “If the VNet is in the same region, either create a new subnet or select an empty pre-existing subnet”
QUESTION 71
An ExpressRoute circuit denotes the logical connectivity between MS cloud services and on-premises infrastructure via a connectivity provider. Which of the following statement(s) is/are true about the ExpressRoute circuits?
A. ExpressRoute circuits don’t map to a physical entity
B. An ExpressRoute circuit can be uniquely recognized by a service key (s-key)
C. An ExpressRoute circuit can have one or a maximum of two peerings enabled per ExpressRoute circuit
D. There exists 1:1 mapping between ExpressRoute circuits and routing domains
E. There exists 1:1 mapping between ExpressRoute circuits and the S keys
Answer: ABE
Explanation:
It is possible to order several ExpressRoute circuits. Each circuit can exist in different or same regions which could be associated with various other connectivity providers.
Option A is correct. It is true that ExpressRoute circuits don’t map to a physical entity.
Option B is correct. It is true that an express route circuit can be uniquely recognized as an s-key, i.e., service key.
Option C is incorrect. There can be one, two, or all three peerings enabled for each ExpressRoute circuit.
Option D is incorrect. There exists 1:N mapping (where1 <= N <= 3) between routing domains and ExpressRoute circuits.
Option E is correct. It is true that there exists a 1:1 mapping between ExpressRoute circuits and the s-key.
Reference:
https://docs.microsoft.com/en-us/azure/expressroute/expressroute-circuit-peerings?WT.mc_id=modinfra-33046-thmaure
QUESTION 72
While accomplishing your task, you need to centrally develop, enforce, and log applications and network connectivity policies across virtual networks and subscriptions. Which of the following services would you use?
A. Azure Front Door
B. Azure Firewall
C. Azure Private Link
D. Azure DNS
E. Azure DDoS Protection
Answer: B
Explanation:
Azure Firewall is one of the cloud-based, managed network security services which protects Azure Virtual Network resources. This service can be used to centrally create/develop, enforce, and log applications and network connectivity policies across virtual networks and subscriptions.
Option A is incorrect. Azure Front Door is an application delivery network that offers global load balancing and site acceleration services for web applications.
Option B is correct. Azure Firewall can be used centrally to create/develop, enforce, and log applications and network connectivity policies across virtual networks and subscriptions.
Option C is incorrect. Azure Private Link allows you to access Azure PaaS Services (for example, Azure Storage and SQL Database) and Azure-hosted customer-owned/partner services over a private endpoint in your virtual network.
Option D is incorrect. Azure DNS offers name resolution with the help of Microsoft Azure infrastructure.
Option E is incorrect. Azure DDoS Protection offers protection against DDoS threats.
Reference:
https://docs.microsoft.com/en-us/azure/networking/fundamentals/networking-overview?WT.mc_id=modinfra-33046-thmaure#firewall
QUESTION 73
The Domain Name System (DNS) resolves or translates a service name to an IP address.
Which of the following records types can’t be used by Azure Private DNS?
A. CNAME
B. A
C. AA
D. AAA
E. AAAA
F. PTR
Answer: CD
Explanation:
Azure Domain Name Service supports A, AAAA, MX, CNAME, PTR, SRV, SOA, and TXT records.
Option A is incorrect. CNAME is a valid DNS record type.
Option B is incorrect. A is a valid DNS record type.
Option C is correct. Azure DNS does not support AA type.
Option D is correct. Azure DNS does not support AAA type.
Option E is incorrect. Azure Domain Name Service supports A, AAAA, MX, CNAME, PTR, SRV, SOA, and TXT records.
Reference:
https://docs.microsoft.com/en-us/azure/dns/private-dns-overview?WT.mc_id=modinfra-33046-thmaure
QUESTION 74
You can use Virtual network peering to connect two or more Virtual Networks in Azure seamlessly.
Which of the following benefits would you get using the virtual network peering? (Choose three)
A. A high-bandwidth, low-latency connection between the resources in various virtual networks
B. A high-bandwidth, high-latency connection between the resources in various virtual networks
C. Significant downtime to resources in either virtual networks while developing the peering, or after the peering is developed.
D. The ability to peer virtual networks created through the Azure Resource Manager.
E. The capability for resources in a virtual network to communicate with resources in another virtual network.
Answer: ADE
Explanation:
The following are the benefits of using virtual network peering, whether global or local:
Option A is correct. Virtual network peering offers a high-bandwidth, low-latency connection between the resources in various virtual networks.
Option B is incorrect. The connection provided by virtual network peering is low-latency, not high latency.
Option C is incorrect. There is no downtime to resources in either virtual network while developing the peering, or after the peering is developed.
Option D is correct. Virtual network peering offers the capability to peer virtual networks created through the Azure Resource Manager.
Option E is correct. Azure Network Peering offers the capability for resources in a virtual network to communicate with resources in another virtual network.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview?WT.mc_id=modinfra-33046-thmaure
QUESTION 75
While working on Azure PowerShell, some of the values mentioned in the instructions are getting failed. One of your friends suggests you ensure that you have installed the latest version to avoid such issues. Which of the following cmdlets would you use to find the versions of Azure PowerShell that have been installed on your computer?
A. Get-Module -ListAvailable Az
B. Get-Module -AzList
C. Retrieve-Module -ListAvailable Az
D. Retrieve-Module -AzList
Answer: A
Explanation:
PowerShell cmdlets are updated regularly; if you have not installed the latest version or used the earlier versions, the values defined in the instructions might fail. You can run Get-Module -ListAvailable Az cmdlet to know the version of Azure PowerShell installed on your computer.
Option A is correct. Get-Module -ListAvailable Az is the right cmdlet to be used to know the version of Azure PowerShell installed on the system.
Option B is incorrect. Get-Module-AzList is not the right cmdlet.
Option C is incorrect. There is no command like Retrieve-Module -ListAvailable Az.
Option D is incorrect. There is no such cmdlet in Azure PowerShell.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/diagnose-network-routing-problem?WT.mc_id=modinfra-33046-thmaure
https://docs.microsoft.com/en-us/azure/vpn-gateway/point-to-site-how-to-radius-ps?WT.mc_id=modinfra-33046-thmaure
QUESTION 76
While working as a network administrator, you need to do DNS based global routing and don’t have requirements for TLS (Transport Layer Security) protocol termination (“SSL offload”), per-HTTPS/HTTP request or application-layer processing. Which of the following load balancing solutions would you use?
A. Application Gateway
B. Traffic Manager
C. Front Door
D. PowerShell
Answer: B
Explanation:
Azure Traffic Manager is a DNS-based traffic load balancing solution that allows optimal distribution of the traffic to services across global Azure regions, offering high responsiveness and availability.
Option A is incorrect. An application gateway is recommended for scenarios like if you need to load balance between your servers in a region at the application layer.
Option B is correct. For scenarios like the given one, a traffic manager suits the best.
Option C is incorrect. Front door suits scenarios like if you want to optimize the global routing of web traffic and improve top-tier end-users performance and reliability via quick global failover.
Option D is incorrect. PowerShell is not a load balancing option.
Reference:
https://docs.microsoft.com/en-us/azure/traffic-manager/traffic-manager-overview
QUESTION 77
You are the team leader and you are addressing your team about the load balancing and various Azure load balancing services.
Which of the following statements would you use to describe the Azure Front Door load balancing service?
A. a DNS-based traffic load balancing service that allows optimal distribution of the traffic to services across global Azure regions, offering high responsiveness and availability
B. load balancing option that offers application delivery controller (ADC) as a service, supporting different Layer 7 load balancing capabilities.
C. a high-performance and ultra low-latency Layer 4 load balancing service (inbound & outbound) for all TCP and UDP protocols.
D. An application delivery network that offers global load balancing and site acceleration services for web applications with its layer 7 capabilities
Answer: D
Explanation:
Azure Front Door is an application delivery network that offers global load balancing and site acceleration services for web applications. It provides Layer seven capabilities for applications such as SSL offload, fast failover, path-based routing, caching, etc. to enhance the performance and availability of applications.
Option A is incorrect. The given statement describes the Traffic Manager, not Front Door.
Option B is incorrect. The application gateway offers an application delivery controller (ADC) as a service, supporting different Layer 7 load balancing capabilities.
Option C is incorrect. Azure Load Balancer is a high-performance and ultra low-latency Layer 4 load balancing service (inbound & outbound) for all TCP and UDP protocols.
Option D is correct. The given statement rightly describes the Azure Front Door.
Reference:
https://docs.microsoft.com/en-us/azure/architecture/guide/technology-choices/load-balancing-overview
QUESTION 78
There are 6 traffic-routing methods in Azure Traffic Manager to control network traffic routing to the different service endpoints.
Which Traffic manager routing method would you use when you are having endpoints in various geographic locations and you want to ensure that end users utilize the “closest” endpoint for the lowest network latency?
A. Priority
B. Network
C. Performance
D. Singlevalue
E. Weighted
Answer: C
Explanation:
Azure Traffic Manager supports the following traffic-routing methods:
Priority
Weighted
Performance
Multivalue
Geographic
Subnet
Performance Routing is recommended when there are endpoints in various geographic locations. You need end-users to utilize the “closest” endpoint for the minimum possible network latency.
Option A is incorrect. Priority traffic routing is recommended when you want to have a primary/main service endpoint for all traffic.
Option B is incorrect. The network is not a valid traffic routing method.
Option C is correct. Performance Routing is recommended when there are endpoints in various geographic locations. You need end-users to utilize the “closest” endpoint for the minimum possible network latency.
Option D is incorrect. Singlevalue is not a valid traffic routing method.
Option E is incorrect. Weighted routing is recommended when traffic is distributed all across a set of endpoints depending upon their weight.
Reference:
https://docs.microsoft.com/en-us/azure/traffic-manager/traffic-manager-routing-methods?WT.mc_id=modinfra-33046-thmaure
QUESTION 79
Virtual Network NAT (Network Address Translation) eases outbound-only Internet connectivity for virtual networks.
Which of the following statement(s) are true about NAT? (Choose two)
A. NAT has compatibility with standard SKU public IP and public IP prefix but not with load balancer resources.
B. NAT supports both IPv4 and IPv6 addresses.
C. NAT supports only IPv4 not IPv6.
D. NAT can span a number of virtual networks.
E. NAT can’t span many virtual networks.
Answer: CE
Explanation:
The important features of NAT are:
NAT has compatibility with standard SKU public IP, public IP prefix, as well as load balancer resources. But NAT is not compatible with basic resources, like basic load balancers or any products derived from them.
NAT supports the IPv4 address family. NAT doesn’t support IPv6 addresses. You cannot deploy NAT on a subnet with an IPv6 prefix.
NAT cannot span numerous virtual networks.
Option A is incorrect. NAT has compatibility with standard SKU public IP, public IP prefix, and also with load balancer resources.
Option B is incorrect. NAT supports the IPv4 address family. NAT doesn’t support IPv6 addresses. You can’t deploy NAT on a subnet with an IPv6 prefix.
Option C is correct. NAT supports only IPv4, not IPv6.
Option D is incorrect. NAT can’t span across multiple virtual networks.
Option E is correct. NAT can’t span many virtual networks.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/nat-gateway/nat-overview?WT.mc_id=modinfra-33046-thmaure
QUESTION 80
You decide to protect your Azure Virtual Network resources using Azure Firewall. But there are a number of different possible issues with the Firewall.
In case of the issue “Threat intelligence alerts may get masked”, how can you mitigate the issue? (Choose two)
A. use https as the port: protocol value
B. Create outbound filtering for 80/443 using application rules.
C. change the threat intelligence mode to Alert and Deny.
D. Use authenticated SMTP relay services
E. Use only IPv4 addresses.
Answer: BC
Explanation:
The mitigation strategy for the issue “Threat intelligence alerts may get masked” is: Create outbound filtering for 80/443 through application rules or modify the threat intelligence mode to Alert and Deny.
Option A is incorrect. Use https as the port: protocol value is the mitigation strategy for the issue “FQDN tags require a protocol: port to be set”.
Option B is correct. The given issue can be mitigated by creating outbound filtering for 80/443 using application rules.
Option C is correct. The given issue can be mitigated by changing the threat intelligence mode to Alert and Deny.
Option D is incorrect. Using authenticated SMTP relay services is not the right mitigation strategy.
Option E is incorrect. Using only IPv4 addresses is the mitigation strategy for the issue “IPv6 not currently supported”.
Reference:
https://docs.microsoft.com/en-us/azure/firewall/overview?WT.mc_id=modinfra-33046-thmaure
QUESTION 81
You need to configure a security policy. As a process, first you find the name for the resource group containing Front Door profile with the help of Get-AzResourceGroup. Now, which of the following cmdlet would you use to configure a security policy in the identified resource group?
A. New-AzFrontDoorWafPolicy
B. Set-AzFrontDoorWafPolicy
C. New-AzFrontDoorPolicry
D. New-AzureFrontDoorWafPolicy
Answer: A
Explanation:
New-AzFrontDoorWafPolicy cmdlet is used to configure a security policy with already created rules in the specific resource group containing the Front Door profile.
Option A is correct. New-AzFrontDoorWafPolicy is the right command.
Option B is incorrect. Set-AzFrontDoorWafPolicy is not the right command to configure the security policy.
Option C is incorrect. New-AzFrontDoorPolicy is not the right command.
Option D is incorrect. New-AzureFrontDoorWafPolicy is not a valid command in Azure PowerShell.
Reference:
https://docs.microsoft.com/en-us/azure/web-application-firewall/afds/waf-front-door-custom-rules-powershell?WT.mc_id=modinfra-33046-thmaure
QUESTION 82
With the help of PowerShell, you need to retrieve/get an existing workspace named internWorkspace in a resource group named internWorkspaces. Which of the following cmdlets would you use?
A. Get-AzNetworkSecurityGroup
B. Get-AzOperationalInsightsWorkspace
C. Retrieve-AzOperationalInsightsWorkspace
D. Get-AzWorkspace
E. New-AzOperationalInsightsWorkspace.
Answer: B
Explanation:
Explanation: An existing Log Analytics workspace can be retrieved with the Get-AzOperationalInsightsWorkspace cmdlet. For example, to retrieve/get an existing workspace named internWorkspace in a resource group named internWorkspaces, use the below-given command:
$Oms=Get-AzOperationalInsightsWorkspace `
-ResourceGroupName internWorkspaces `
-Name internWorkspace
Option A is incorrect. Get-AzNetworkSecurityGroup cmdlet is used to retrieve the network security group(NSG) for which you want to enable resource logging.
Option B is correct. An existing Log Analytics workspace can be retrieved with the Get-AzOperationalInsightsWorkspace cmdlet.
Option C is incorrect. Retrieve-AzOperationalInsightsWorkspace is not the right cmdlet.
Option D is incorrect. Get-AzWorkspace is not the right command to retrieve the existing log analytics workspace.
Option E is incorrect. The new-AzOperationalInsightsWorkspace cmdlet is used to create a new workspace.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-nsg-manage-log?WT.mc_id=modinfra-33046-thmaure
QUESTION 83
Azure Private Endpoint acts as a network interface to connect you to a service powered by Azure Private Link in a private and secure manner. Being the Private Link resource owner, which of the following actions can you perform over a private endpoint connection?
A. Reviewing all private endpoint connection details.
B. Approving a private endpoint connection.
C. Rejecting a private endpoint connection.
D. Deleting a private endpoint connection from any state.
E. All the above
Answer: E
Explanation:
The private link resource owner can perform the below-given actions over a private endpoint connection:
Option A is incorrect. Besides reviewing all private endpoint connection details, the private link resource owner can approve, reject, and even delete a private endpoint connection.
Option B is incorrect. Besides approving a private endpoint connection, the private link resource owner can review, reject, and even delete a private endpoint connection.
Option C is incorrect. A private link resource owner can review, approve, reject and even delete a private endpoint connection.
Option D is incorrect. Besides deleting a private endpoint connection, the private link resource owner can review, approve, or even reject a private endpoint connection.
Option E is correct. A private link resource owner can perform all the given actions.
References:
https://docs.microsoft.com/en-us/azure/private-link/private-endpoint-overview?WT.mc_id=modinfra-33046-thmaure
QUESTION 84
You can get the current service tag and range information by downloading the JSON file or programmatically adding it as part of your on-premises firewall configuration. Which of the following can be used to programmatically retrieve the current list of service tags?
A. REST
B. Azure PowerShell
C. Azure CLI
D. All of these
Answer: D
Explanation:
The current list of service tags along with IP address range details can be programmatically retrieved using:
REST
Azure PowerShell
Azure CLI
Option A is incorrect. The list of service tags can be retrieved using any REST, Azure PowerShell or Azure CLI.
Option B is incorrect. The list of service tags can be retrieved using any REST, Azure PowerShell or Azure CLI.
Option C is incorrect. The list of service tags can be retrieved using any REST, Azure PowerShell or Azure CLI.
Option D is correct. Any of the REST, Azure PowerShell or Azure CLI can be used to get the list of service tags.
Option E is incorrect. Any of the REST, Azure PowerShell or Azure CLI can be used to get the list of service tags.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/service-tags-overview?WT.mc_id=modinfra-33046-thmaure
QUESTION 85
Regional VNet Integration enables connecting to a VNet in the same region with no need for a gateway. While using VNet Integration with VNets in the same region, which of the below Azure networking features would you use to block outbound traffic?
A. Route Tables(UDRs)
B. Domain Name Service
C. Traffic Manager
D. Front Door
E. Network security groups (NSGs)
Answer: E
Explanation:
Outbound traffic can be blocked with an NSG that is located on your integration subnet. Here, the inbound rules do not apply as VNet Integration can’t be used to support the inbound access to your application.
Option A is incorrect. A route table can be placed on the integration subnet to direct/deliver outbound traffic at desired locations.
Option B is incorrect. Azure DNS offers name resolution with the help of Microsoft Azure infrastructure and is not a related Azure Networking feature.
Option C is incorrect. Traffic Manager is a Load balancing solution.
Option D is incorrect. Front Door is also a load balancing solution.
Option E is correct. NSGs help in blocking outbound traffic.
Reference:
https://docs.microsoft.com/en-us/azure/app-service/web-sites-integrate-with-vnet?WT.mc_id=modinfra-33046-thmaure
QUESTION 86
Hotspot Question
You have an Azure virtual network that contains the subnets shown in the following table.
In NSG1, you create inbound rules as shown in the following table.
NSG2 has only the default rules configured.
You have the Azure virtual machines shown in the following table.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Answer:
Explanation:
Box 1: No
VM3 will be allowed to access VM1 on any port outbound on NSG2. VM3 will be blocked by NSG1 inbound since it is trying to access port 8080.
Box 2: No
VM1 and VM2 belongs to the same subnet 1 and each of them has default Outbound policy rule that will allow the traffic but Inbound is restricted for any port except 80 and 443.
Box 3: Yes
NSG2 has the default rules applied, it means that Subnet2 can accept traffic from any subnet within the VNET.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview
QUESTION 87
Hotspot Question
You have an Azure application gateway named AppGW1 that provides access to the following hosts:
– www.adatum.com
– www.contoso.com
– www.fabrikam.com
AppGW1 has the listeners shown in the following table.
You create Azure Web Application Firewall (WAF) policies for AppGW1 as shown in the following table.
For each of the following statements, select Yes of the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Answer:
Explanation:
Say your application gateway has a global policy applied to it. Then you apply a different policy to a listener on that application gateway. The listener’s policy now takes effect for just that listener. The application gateway’s global policy still applies to all other listeners and path-based rules that don’t have a specific policy assigned to them.
https://docs.microsoft.com/en-us/azure/web-application-firewall/ag/policy-overview#per-site-waf-policy
QUESTION 88
Hotspot Question
You need to connect an on-premises network and art Azure environment.
The solution must use ExpressRoute and support failing over to a Site-to Site VPN connection if there is an ExpressRoute failure.
What should you configure? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Answer:
Explanation:
The answer is Route Based and 2 Virtual Network Gateways.
Both the Expressroute and VPN need distinct gateways identified by their SKU. You cannot have Expressroute on a VpnGw SKU. It must be on a dedicated ExpressRoute SKU gateway.
Both VPN Gateways will exist inside the same subnet but the connection are via 2 separate gateways.
This doc clearly shows the step of create 2 gateways.
https://docs.microsoft.com/en-us/azure/expressroute/expressroute-howto-coexist-resource-manager
QUESTION 89
Hotspot Question
You have an Azure subscription that contains a single virtual network and a virtual network gateway.
You need to ensure that administrators can use Point-to-Site (P2S) VPN connections to access resources in the virtual network.
The connections must be authenticated by Azure Active Directory (Azure AD).
What should you configure? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Answer:
Explanation:
Box 1: An enterprise application
Enable Azure AD authentication on the VPN gateway:
1. Locate the Directory ID of the directory that you want to use for authentication. It’s listed in the properties section of the Active Directory page.
2. Under your Azure AD, in Enterprise applications, you see Azure VPN listed.
Copy the Directory ID.
3. Sign in to the Azure portal as a user that is assigned the Global administrator role.
4. Next, give admin consent. Copy and paste the URL that pertains to your deployment location in the address bar of your browser.
5. Select the Global Admin account if prompted.
6. Select Accept when prompted.
7. Under your Azure AD, in Enterprise applications, you see Azure VPN listed.
Box 2: Open VPN (SSL)
When you connect to your VNet using Point-to-Site, you have a choice of which protocol to use. The protocol you use determines the authentication options that are available to you. If you want to use Azure Active Directory authentication, you can do so when using the OpenVPN protocol.
Reference:
https://docs.microsoft.com/en-us/azure/vpn-gateway/openvpn-azure-ad-tenant
QUESTION 90
Drag and Drop Question
You have two Azure subscriptions named Subscnption1 and Subscription2. Subscription1 contains a virtual network named Vnet1.
Vnet1 contains an application server. Subscription2 contains a virtual network named Vnet2.
You need to provide the virtual machines in Vnet2 with access to the application server in Vnet1 by using a private endpoint.
Which four actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Answer:
Explanation:
Step 1: Deploy an Azure Load Balancer in front of the application server
Configure your application to run behind a standard load balancer in your virtual network.
Step 2: In Subscription 1, create a private link service and attach the service to the frontend IP configuration of the load balancer.
Create a Private Link Service referencing the load balancer above.
Step 3: In Subscription 2, create a private endpoint by using the private link service.
Private Link service can be accessed from approved private endpoints in any public region. The private endpoint can be reached from the same virtual network, regionally peered VNets, globally peered VNets and on premises using private VPN or ExpressRoute connections.
Step 4: In Subscription1, accept the private endpoint connection request.
Network connections can be initiated only by clients that are connecting to the private endpoint.
Not:
Incorrect: Enable virtual network peering between Vnet1 and Vnet2.
Reference:
https://docs.microsoft.com/en-us/azure/private-link/private-link-service-overview
https://docs.microsoft.com/en-us/azure/private-link/private-endpoint-overview
QUESTION 91
Drag and Drop Question
You have an Azure subscription that contains the resources shown in the following table.
The IP Addresses settings for Vnet1 are configured as shown in the exhibit.
You need to ensure that you can integrate WebApp1 and Vnet1.
Which three actions should you perform in sequence before you can integrate WebApp1 and Vnet1? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Answer:
Explanation:
Existing subnet space spans the entire address space of vnet, so it needs to be modified. Cross region vnet integration requires a vpn gateway and a point to site vpn connection. So you need to add the gateway, then configure the p2s to add address space.
https://docs.microsoft.com/en-us/azure/app-service/overview-vnet-integration#gateway-required-vnet-integration
QUESTION 92
Hotspot Question
You have the Azure App Service app shown in the App Service exhibit.
The VNet Integration settings for as12 are configured as shown in the Vnet Integration exhibit.
The Private Endpoint connections settings for as12 are configured as shown in the Private Endpoint connections exhibit.
For each of the following statements, select Yes of the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Answer:
Explanation:
Box 1: Yes
The integration subnet can be used by only one App Service plan.
Box 2: Yes
VNet integrated App Service uses IP from dedicated subnet to communicate resources in the VNet. ( vNet integration : outbound / private endpoint : inbound )
Box 3: No
There’s no private endpoint.
Reference:
https://docs.microsoft.com/en-us/azure/app-service/overview-vnet-integration#how-regional-virtual-network-integration-works
QUESTION 93
Hotspot Question
Your company has 10 instances of a web service. Each instance is hosted in a different Azure region and is accessible through a public endpoint.
The development department at the company is creating an application named App1. Every 10 minutes. App1 will use a list of end points and connect to the first available endpoint.
You plan to use Azure Traffic Manager to maintain the list of endpoints.
You need to configure a Traffic Manager profile that will minimize the impact of DNS caching.
What should you configure? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Answer:
Explanation:
A traffic manager Multivalue profile can have only endpoints of type “External”
Multivalue traffic-routing method
The Multivalue traffic-routing method allows you to get multiple healthy endpoints in a single DNS query response. This configuration enables the caller to do client-side retries with other endpoints in case a returned endpoint being unresponsive. This pattern can increase the availability of a service and reduce the latency associated with a new DNS query to obtain a healthy endpoint. MultiValue routing method works only if all the endpoints of type ‘External’ and are specified as IPv4 or IPv6 addresses. When a query is received for this profile, all healthy endpoints are returned and are subject to a configurable maximum return count.
https://docs.microsoft.com/en-us/azure/traffic-manager/traffic-manager-routing-methods#multivalue
Resources From:
1.2023 Latest Braindump2go AZ-700 Exam Dumps (PDF & VCE) Free Share:
https://www.braindump2go.com/az-700.html
2.2023 Latest Braindump2go AZ-700 PDF and AZ-700 VCE Dumps Free Share:
https://drive.google.com/drive/folders/1xuVPtMrx8aw8ax3rN_fP_3svIStjrtvi?usp=sharing
3.2023 Free Braindump2go AZ-700 Exam Questions Download:
https://www.braindump2go.com/free-online-pdf/AZ-700-PDF-Dumps(63-93).pdf
Free Resources from Braindump2go,We Devoted to Helping You 100% Pass All Exams!
[April-2023]Real Exam Questions-Braindump2go PL-500 PDF and VCE PL-500 110Q Download[Q44-Q75] [May-2023]100% Success-Braindump2go AZ-104 Dumps VCE AZ-104 643Q Instant Download[Q390-Q419]
Comments are currently closed.