Free Microsoft AZ-700 Exam Questions


HOTSPOT (Drag and Drop is not supported)

You have an Azure subscription that contains the virtual networks shown in the following table.



You have devices that run either Windows or macOS. The devices connect to VGW1 by using the OpenVPN protocol.

Which virtual networks can each device access? To answer, select the appropriate options in the answer area.

Note: Each correct answer is worth one point.

Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:



Box 1 (Windows): VNet1, VNet2, and VNet3

Note 1: About Point-to-Site VPN routing
Azure Point-to-Site VPN routing behavior is dependent on the client OS, the protocol used for the VPN connection, and how the virtual networks (VNets) are connected to each other.

Multiple peered VNets
In this example, the Point-to-Site VPN gateway connection is for VNet1. VNet1 is peered with VNet2. VNet2 is peered with VNet3. VNet1 is peered with VNet4. There is no direct peering between VNet1 and VNet3. VNet1 has "Allow gateway transit" and VNet2 and VNet4 have "Use remote gateways" enabled.

Clients using Windows can access directly peered VNets, but the VPN client must be downloaded again if any changes are made to VNet peering or the network topology. Non-Windows clients can access directly peered VNets. Access isn't transitive and is limited to only directly peered VNets.



Note 2:
Can I configure a point-to-site client to connect to multiple virtual networks at the same time?
Yes, point-to-site client connections to a virtual network gateway that is deployed in a VNet that is peered with other VNets may have access to other peered VNets. Point-to-site clients will be able to connect to peered VNets as long as the peered VNets are using the UseRemoteGateway / AllowGatewayTransit features.
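The reachability rule from Note 1 and Note 2, as an added example that is not part of the original page or of Microsoft's documentation: a simplified model in which a P2S client reaches the gateway's VNet plus only those directly peered VNets whose peering has both flags set. The `Peering` class and the function names are hypothetical; the sample topology is the one Note 1 describes.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Peering:
    """One side of a VNet peering, as configured on `local` toward `remote`."""
    local: str
    remote: str
    allow_gateway_transit: bool = False  # set on the VNet that owns the gateway
    use_remote_gateways: bool = False    # set on the VNet that borrows it


def p2s_exposure(gateway_vnet, peerings):
    """Map every VNet to 'reachable' or the reason a P2S client cannot reach it."""
    sides = {(p.local, p.remote): p for p in peerings}
    verdict = {gateway_vnet: "reachable"}
    for vnet in sorted({p.local for p in peerings} | {p.remote for p in peerings}):
        if vnet == gateway_vnet:
            continue
        hub = sides.get((gateway_vnet, vnet))
        spoke = sides.get((vnet, gateway_vnet))
        if hub is None or spoke is None:
            # One hop only: peerings of peers are never followed.
            verdict[vnet] = "not directly peered with the gateway VNet"
        elif not hub.allow_gateway_transit:
            verdict[vnet] = "Allow gateway transit is off on the gateway VNet side"
        elif not spoke.use_remote_gateways:
            verdict[vnet] = "Use remote gateways is off on the peered VNet side"
        else:
            verdict[vnet] = "reachable"
    return verdict


def reachable(gateway_vnet, peerings):
    """Set of VNets a P2S client can reach under this simplified model."""
    return {v for v, why in p2s_exposure(gateway_vnet, peerings).items()
            if why == "reachable"}


# Constructed sample: the topology described in Note 1 (gateway in VNet1).
NOTE1 = [
    Peering("VNet1", "VNet2", allow_gateway_transit=True),
    Peering("VNet2", "VNet1", use_remote_gateways=True),
    Peering("VNet2", "VNet3"),
    Peering("VNet3", "VNet2"),
    Peering("VNet1", "VNet4", allow_gateway_transit=True),
    Peering("VNet4", "VNet1", use_remote_gateways=True),
]

if __name__ == "__main__":
    for vnet, why in p2s_exposure("VNet1", NOTE1).items():
        print(f"{vnet}: {why}")
```

Running the same function over an exported peering list is a quick way to review which networks a VPN client population is exposed to after a peering change.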

Box 2 (macOS): VNet1 and VNet2 only.


Reference:

https://learn.microsoft.com/en-us/azure/vpn-gateway/work-remotely-support
https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-point-to-site-routing




You have an Azure subscription that contains the resources shown in the following table.



You plan to deploy an Azure Virtual Network NAT gateway named Gateway1. The solution must meet the following requirements:

VM1 will access the internet by using its public IP address.

VM2 will access the internet by using its public IP address.

Administrative effort must be minimized.

You need to ensure that you can deploy Gateway1 to Vnet1.

What is the minimum number of subnets that Vnet1 must have?

  1. 2
  2. 3
  3. 4
  4. 5

Answer(s): C




DRAG DROP (Drag and Drop is not supported)

You have 100 on-premises servers with IP addresses from the 10.0.0.0/24 IP address space.

You have an Azure subscription that contains a virtual network named VNet1, an Azure VPN gateway named VGW1, and 100 virtual machines. VNet1 has an IP address space of 10.0.0.0/22. VGW1 uses the VpnGw1 SKU.

You need to ensure that the Azure virtual machines and the on-premises servers can communicate by using VGW1. The solution must minimize administrative effort.

Which four actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

Select and Place:

  1. See Explanation section for answer.

Answer(s): A

Explanation:



Create a site-to-site VPN connection



Step 1: Resize VNet1
For the extended network in step 4 we need to take some action. The address spaces overlap, but they are of different sizes. We need to increase the size of VNet1 to match the on-premises 10.0.0.0/24 IP address space.

Step 2: On VGW1, create a local gateway
Create a local network gateway
The local network gateway is a specific object deployed to Azure that represents your on-premises location (the site) for routing purposes. You give the site a name by which Azure can refer to it, and then specify the IP address of the on-premises VPN device to which you create a connection. You also specify the IP address prefixes that are routed through the VPN gateway to the VPN device. The address prefixes you specify are the prefixes located on your on-premises network. If your on-premises network changes or you need to change the public IP address for the VPN device, you can easily update the values later.

Step 3: On VGW1, add a connection.

Step 4: Configure an Azure extended network
Extend your on-premises subnets into Azure using extended network for Azure

Extended network for Azure enables you to stretch an on-premises subnet into Azure to let on-premises virtual machines keep their original on-premises private IP addresses when migrating to Azure.

The network is extended using a bidirectional VXLAN tunnel between two Windows Server 2019 VMs acting as virtual appliances, one running on-premises and the other running in Azure, each also connected to the subnet to be extended. Each subnet that you are going to extend requires one pair of appliances.

Incorrect:
* Resize VGW1

No need to resize VGW1.
VpnGw1, Supported Number of VMs in the Virtual Network: 450


Reference:

https://learn.microsoft.com/en-us/azure/vpn-gateway/tutorial-site-to-site-portal
https://learn.microsoft.com/en-us/windows-server/manage/windows-admin-center/azure/azure-extended-network




DRAG DROP (Drag and Drop is not supported)

You have a computer named CLIENT1 that runs Windows 11 and has the Azure VPN Client installed.

You have an Azure virtual network gateway named VPNGW1.

You need to ensure that you can connect CLIENT1 to VPNGW1. The solution must support Microsoft Entra authentication.

Which four actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

Select and Place:

  1. See Explanation section for answer.

Answer(s): A

Explanation:



Step 1: From the Azure portal, authorize the Azure VPN application.
Configure P2S VPN Gateway for Microsoft Entra ID authentication

Authorize the Azure VPN application
1. Sign in to the Azure portal as a user that is assigned the Global administrator role.

2. Next, grant admin consent for your organization. This allows the Azure VPN application to sign in and read user profiles.

3. Etc.

Step 2: From the Azure portal, configure the tunnel type and authentication type for VPNGW1.
Configure the VPN gateway
1. Locate the tenant ID of the directory that you want to use for authentication. It's listed in the properties section of the Active Directory page.

2. If you don't already have a functioning point-to-site environment, follow the instructions to create one. [Skip]

3. Go to the virtual network gateway. In the left pane, click Point-to-site configuration.



Configure the following values:

Address pool: client address pool
Tunnel type: OpenVPN (SSL) [Step 2]
Authentication type: Microsoft Entra ID [Step 2]

*Details omitted*

4. Once you finish configuring settings, click Save at the top of the page.

Step 3: From the Azure portal, download the Azure VPN Client profile configuration package to CLIENT1.

Download the Azure VPN Client profile configuration package
In this section, you generate and download the Azure VPN Client profile configuration package. This package contains the settings that you can use to configure the Azure VPN Client profile on client computers.

1. At the top of the Point-to-site configuration page, click Download VPN client. It takes a few minutes for the client configuration package to generate.

2. Your browser indicates that a client configuration zip file is available. It has the same name as your gateway.

3. Extract the downloaded zip file.

4. Browse to the unzipped "AzureVPN" folder.

5. Make a note of the location of the "azurevpnconfig.xml" file. The azurevpnconfig.xml file contains the settings for the VPN connection. You can also distribute this file to all the users that need to connect via e-mail or other means. The user will need valid Microsoft Entra ID credentials to connect successfully.

Step 4: To CLIENT1, import the Azurevpnconfig.xml file.
After you obtain the VPN client profile configuration package, extract the zip file. The file contains the following folders:

AzureVPN: The AzureVPN folder contains the Azurevpnconfig.xml file that is used to configure the Azure VPN Client.
Generic: The generic folder contains the public server certificate and the VpnSettings.xml file. The VpnSettings.xml file contains information needed to configure a generic client.

Import client profile configuration settings
When your P2S configuration specifies Microsoft Entra ID authentication, the VPN client profile configuration settings are contained in the azurevpnconfig.xml file. This file is located in the AzureVPN folder of the VPN client profile configuration package.

1. On the page, select Import.

2. Browse to the Azure VPN Client profile configuration folder that you extracted. In the AzureVPN folder, select azurevpnconfig.xml. With the file selected, select Open.

3. Change the Connection name (optional). In this example, you'll notice that the Audience value shown is the new Azure Public value associated with the Microsoft-registered Azure VPN Client App ID. The value in this field must match the value that your P2S VPN gateway is configured to use.

4. Click Save to save the connection profile.

5. In the left pane, select the connection profile that you want to use. Then click Connect to initiate the connection.

6. Authenticate using your credentials, if prompted.

7. Once connected, the icon turns green and shows Connected.


Reference:

https://learn.microsoft.com/en-us/azure/vpn-gateway/openvpn-azure-ad-tenant
https://learn.microsoft.com/en-us/azure/vpn-gateway/point-to-site-entra-vpn-client-windows




HOTSPOT (Drag and Drop is not supported)

You have an on-premises server named Server1 that runs Windows Server and has the DNS Server role installed.

You have an Azure subscription that contains two virtual networks named VNet1 and VNet2. VNet1 contains an Azure Firewall instance named FW1. VNet1 peers with VNet2.

The on-premises network is connected to VNet1 by using ExpressRoute. The on-premises network is inaccessible from VNet2.

You need to ensure that virtual machines connected to VNet2 use Server1 to perform name resolution. The solution must minimize administrative effort.

What should you do? To answer, select the appropriate options in the answer area.

Note: Each correct answer is worth one point.

Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:



Box 1: A custom DNS server
On VNet1, configure:

Hybrid DNS resolution
This article provides guidance on how to configure hybrid DNS resolution by using an Azure DNS Private Resolver with a DNS forwarding ruleset. In this scenario, your Azure DNS resources are connected to an on-premises network using a VPN or ExpressRoute connection.

Azure DNS Private Resolver
The Azure DNS Private Resolver is a service that can resolve on-premises DNS queries for Azure DNS private zones. Previously, it was necessary to deploy a VM-based custom DNS resolver, or use non-Microsoft DNS, DHCP, and IPAM (DDI) solutions to perform this function.

Box 2: The private IP address of FW1
On VNET2, set DNS to:

Gateways and on-premises connectivity
Each virtual network, including a peered virtual network, can have its own gateway. A virtual network can use its gateway to connect to an on-premises network. You can also configure virtual network-to-virtual network connections by using gateways, even for peered virtual networks.

When you configure both options for virtual network interconnectivity, the traffic between the virtual networks flows through the peering configuration. The traffic uses the Azure backbone.

You can also configure the gateway in the peered virtual network as a transit point to an on-premises network. In this case, the virtual network that is using a remote gateway can't have its own gateway. A virtual network can have only one gateway: either a local gateway or a remote gateway in the peered virtual network, as shown in the following diagram:


Reference:

https://learn.microsoft.com/en-us/azure/dns/private-resolver-hybrid-dns
https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview


