AZ-700: Designing and Implementing Microsoft Azure Networking Solutions
Free Practice Exam Questions (page: 13)
Updated On: 2-Jan-2026


You have an on-premises datacenter named DC1 that contains two routers.

You have an Azure subscription. The subscription contains a virtual network named VNet1 and a zone-redundant ExpressRoute virtual network gateway named GW1 that uses the ErGw3Az SKU. GW1 is attached to VNet1.

DC1 is connected to VNet1 by using an ExpressRoute Standard circuit named Circuit1. The DC1 routers are configured as endpoints for Circuit1. Circuit1 traffic traverses two physical links.

During a link outage, the connection takes three minutes to fail over.

You need to ensure that failovers between the links take less than one second.

What should you do?

  1. For Circuit1, select FastPath.
  2. On the routers, configure Bidirectional Forwarding Detection (BFD).
  3. For GW1, change SKU to UltraPerformance.
  4. For GW1, set Active-active mode to Enabled.

Answer(s): B

Explanation:

To decrease failover time in an ExpressRoute setup with two physical links and routers configured as endpoints, you should implement Bidirectional Forwarding Detection (BFD) and potentially adjust BGP timers.
BFD provides faster link failure detection than relying solely on BGP timers, while adjusting BGP timers can further optimize failover speed.
Implement BFD:
What it is: BFD is a protocol designed for rapid link failure detection.
How it helps: BFD works by sending small, frequent keep-alive messages between routers on both sides of the connection. If a certain number of these messages are not received within a specified time (the BFD interval), the link is considered down, triggering a failover much faster than relying solely on BGP's hold timer.
Implementation: Enable BFD on your on-premises routers and ensure it's configured correctly with appropriate timers.


Reference:

https://learn.microsoft.com/en-us/azure/expressroute/expressroute-bfd




You need to configure APPGW1 to support end-to-end encryption. The solution must meet the security requirements.

What should you do?

  1. From the SSL settings, upload a TLS client certificate that is issued by the internal root CA and includes the full certificate chain.
  2. From the Backend settings, upload the internal root CA certificate.
  3. From the SSL settings, upload a TLS client certificate that is issued by the internal root CA.
  4. From the Backend settings, upload a wildcard TLS certificate that has a private key issued by the internal root CA.

Answer(s): D

Explanation:

Scenario:
APPGW1 is an Application Gateway.
Proseware identifies the following security requirements:
* Ensure that all connections routed via APPGW1 use end-to-end encryption.
Note: End-to-end TLS encryption
You may not want unencrypted communication to the backend servers. You may have security requirements, compliance requirements, or the application may only accept a secure connection. Azure Application Gateway has end-to-end TLS encryption to support these requirements.
For end-to-end TLS encryption, the back end must be explicitly allowed by the application gateway. Upload the public certificate of the backend servers to the application gateway. Adding the certificate ensures that the application gateway only communicates with known backend instances. This further secures the end-to-end communication.
Configure end-to-end TLS by using Application Gateway with PowerShell
Apply a new certificate if the backend certificate is expired
Use this procedure to apply a new certificate if the backend certificate is expired.
1. Retrieve the application gateway to update.
$gw = Get-AzApplicationGateway -Name AdatumAppGateway -ResourceGroupName AdatumAppGatewayRG
2. Add the new certificate resource from the .cer file, which contains the public key of the certificate and can also be the same certificate added to the listener for TLS termination at the application gateway.
Add-AzApplicationGatewayAuthenticationCertificate -ApplicationGateway $gw -Name 'NewCert' -CertificateFile "appgw_NewCert.cer"
3. Get the new authentication certificate object into a variable (TypeName: Microsoft.Azure.Commands.Network.Models.PSApplicationGatewayAuthenticationCertificate).
$AuthCert = Get-AzApplicationGatewayAuthenticationCertificate -ApplicationGateway $gw -Name NewCert
4. Assign the new certificate to the backend HTTP setting and reference it with the $AuthCert variable. (Specify the HTTP setting name that you want to change.)
$out = Set-AzApplicationGatewayBackendHttpSetting -ApplicationGateway $gw -Name "HTTP1" -Port 443 -Protocol "Https" -CookieBasedAffinity Disabled -AuthenticationCertificates $AuthCert
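
The rotation above as a single script, added here as an example (not code from the original page or from Microsoft): it checks the replacement certificate's validity window before upload, reuses the backend setting's existing port and affinity, and commits with Set-AzApplicationGateway, because the cmdlets in steps 1 to 4 only change the local $gw object. It assumes a gateway that uses authentication certificates as in the steps above; the function name, parameter defaults and 30-day threshold are illustrative.

```powershell
# Added example: rotate a backend authentication certificate on an Application Gateway.
# Update-BackendAuthCert, its defaults and the 30-day threshold are hypothetical.
function Update-BackendAuthCert {
    param(
        [string]$GatewayName   = 'AdatumAppGateway',
        [string]$ResourceGroup = 'AdatumAppGatewayRG',
        [string]$SettingName   = 'HTTP1',
        [string]$CertName      = 'NewCert',
        [string]$CertFile      = 'appgw_NewCert.cer',
        [int]$MinDaysValid     = 30   # assumed policy threshold
    )

    # Refuse a certificate that is not yet valid, already expired, or close to expiry.
    $path = (Resolve-Path -Path $CertFile -ErrorAction Stop).Path
    $x509 = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($path)
    $now  = Get-Date
    if ($x509.NotBefore -gt $now -or $x509.NotAfter -lt $now.AddDays($MinDaysValid)) {
        throw "Certificate $($x509.Thumbprint) is valid $($x509.NotBefore) to $($x509.NotAfter); refusing to upload."
    }

    $gw = Get-AzApplicationGateway -Name $GatewayName -ResourceGroupName $ResourceGroup -ErrorAction Stop

    # Read the current setting first: the Set cmdlet requires port, protocol and
    # affinity, and hard-coded values could silently change the live configuration.
    $current = Get-AzApplicationGatewayBackendHttpSetting -ApplicationGateway $gw -Name $SettingName

    # Register the public certificate on the gateway object and fetch it back.
    Add-AzApplicationGatewayAuthenticationCertificate -ApplicationGateway $gw `
        -Name $CertName -CertificateFile $path | Out-Null
    $authCert = Get-AzApplicationGatewayAuthenticationCertificate -ApplicationGateway $gw -Name $CertName

    # Point the backend HTTP setting at the new certificate, keeping HTTPS to the backend.
    Set-AzApplicationGatewayBackendHttpSetting -ApplicationGateway $gw -Name $SettingName `
        -Port $current.Port -Protocol Https -CookieBasedAffinity $current.CookieBasedAffinity `
        -AuthenticationCertificates $authCert | Out-Null

    # Nothing above has reached Azure yet; this call commits the modified $gw object.
    $gw = Set-AzApplicationGateway -ApplicationGateway $gw

    # Return the setting as the service now reports it, for review or logging.
    Get-AzApplicationGatewayBackendHttpSetting -ApplicationGateway $gw -Name $SettingName
}
```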


Reference:

https://learn.microsoft.com/en-us/azure/application-gateway/ssl-overview
https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-end-to-end-ssl-powershell




HOTSPOT (Drag and Drop is not supported)

You are configuring the DNS forwarding ruleset for DNSRS1.

You need to configure the destination IP address for azure.proseware.com and for corp.proseware.com. The solution must meet the general requirements.

Which IP addresses should you configure for each namespace? To answer, select the appropriate options in the answer area.

Note: Each correct selection is worth one point.

Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:



Box 1: 192.168.0.100
Azure.proseware.com

NYCDNS1 is a DNS Server with IP address of 192.168.0.100.

Incorrect:
* The first IP address of the Outbound endpoint subnet of PRDNS1

Outbound endpoints
Outbound endpoints egress from Azure and can be linked to DNS Forwarding Rulesets.

Outbound endpoints are also part of the private virtual network address space where the private resolver is deployed. An outbound endpoint is associated with a subnet, but isn't provisioned with an IP address like the inbound endpoint. No other resources can exist in the same subnet with the outbound endpoint.

Box 2: The first IP address of the inbound endpoint subnet of PRDNS1
Corp.proseware.com

Note: Inbound endpoints
As the name suggests, inbound endpoints ingress to Azure. Inbound endpoints provide an IP address to forward DNS queries from on-premises and other locations outside your virtual network. DNS queries sent to the inbound endpoint are resolved using Azure DNS. Private DNS zones that are linked to the virtual network where the inbound endpoint is provisioned are resolved by the inbound endpoint.

The IP address associated with an inbound endpoint is always part of the private virtual network address space where the private resolver is deployed.

Static and dynamic endpoint IP addresses
The IP address assigned to an inbound endpoint can be static or dynamic. If you select static, you can't choose a reserved IP address in the subnet. If you choose a dynamic IP address, the fifth available IP address in the subnet is assigned. For example, 10.10.0.4 is the fifth IP address in the 10.10.0.0/28 subnet (.0, .1, .2, .3, .4). If the inbound endpoint is reprovisioned, this IP address could change, but normally the 5th IP address in the subnet is used again. The dynamic IP address does not change unless the inbound endpoint is reprovisioned.

Scenario:
Existing Environment. Hybrid Environment

Proseware has an on-premises Active Directory Domain Services (AD DS) forest named corp.proseware.com that syncs with a Microsoft Entra tenant named proseware.com.

Proseware plans to implement the following changes:

* Deploy an Azure Private DNS Resolver named PRDNS1 to HubVNet and link PRDNS1 to SpokeVNet.
* From SpokeVNet, resolve name resolution requests for the azure.proseware.com namespace and the corp.proseware.com namespace by using PRDNS1.


Reference:

https://learn.microsoft.com/en-us/azure/dns/private-resolver-endpoints-rulesets




HOTSPOT (Drag and Drop is not supported)

You need to configure connectivity between NYCNet and SFONet. The solution must meet the connectivity requirements.

What should you do? To answer, select the appropriate options in the answer area.

Note: Each correct selection is worth one point.

Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:



Scenario:
NYCNet connects to Azure by using an ExpressRoute circuit.
SFONet connects to Azure by using a Site-to-Site (S2S) VPN.
HubVNet connects to NYCNet by using an ExpressRoute gateway named ERGW1.

Proseware identifies the following connectivity requirements:
Route traffic between NYCNet and SFONet via the ExpressRoute circuit and the S2S VPN.

Box 1: Configure a user-defined route (UDR)
For HubVNet

Custom routes
You create custom routes by either creating user-defined routes (UDRs) or exchanging BGP routes between your on-premises network gateway and an Azure virtual network gateway.

User-defined
To customize your traffic routes, you shouldn't modify the default routes. You should create custom or user-defined (static) routes, which override the Azure default system routes.

Box 2: Change the ASN number
For VPNGW1

Change the ASN number for HubVNet.

Scenario:
VPNGW1 is a Virtual network gateway in HubVNet.
Configuration: Active-passive resiliency, in Generation 2, VpnGw3 SKU that has the default ASN connected to SFONet.

Note: If you want to use transit routing between ExpressRoute and VPN, the ASN of Azure VPN Gateway must be set to 65515. Azure VPN Gateway supports the BGP routing protocol. For ExpressRoute and Azure VPN to work together, you must keep the Autonomous System Number of your Azure VPN gateway at its default value, 65515. If you previously selected an ASN other than 65515 and you change the setting to 65515, you must reset the VPN gateway for the setting to take effect.

Incorrect:
* Resize the SKU
When you create a VPN Gateway virtual network gateway, you specify the gateway SKU that you want to use.

The GatewaySku is only supported for VpnGw1, VpnGw2, VpnGw3 [this is the current SKU, which is fine], Standard, and HighPerformance VPN gateways. ExpressRoute-VPN Gateway coexist configurations aren't supported on the Basic SKU. The VpnType must be RouteBased.

* Configure active-active mode.
Azure VPN gateways can be configured as active-standby or active-active. To avoid interruptions, create your gateway in active-active mode, or switch an active-standby gateway to active-active.


Reference:

https://learn.microsoft.com/en-us/azure/expressroute/expressroute-about-virtual-network-gateways
https://learn.microsoft.com/en-us/azure/expressroute/how-to-configure-coexisting-gateway-portal
https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview




HOTSPOT (Drag and Drop is not supported)

You need to identify which IP address space to allocate for the planned deployment of PRDNS1 to HubVNet and SpokeVNet. The solution must meet the general requirements.

What should you identify for each virtual network? To answer, select the appropriate options in the answer area.

Note: Each correct selection is worth one point.

Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:



Box 1: /28
HubVNet:

Use the minimum /28 address space

Scenario:
Proseware plans to implement the following changes:
Deploy an Azure Private DNS Resolver named PRDNS1 to HubVNet and link PRDNS1 to SpokeVNet.

Proseware identifies the following general requirements:
* Minimize the IP address space required to deploy platform-managed resources to the virtual networks.

Note: Subnet restrictions
Subnets used for DNS resolver have the following limitations:

A subnet must be a minimum of /28 address space or a maximum of /24 address space. A /28 subnet is sufficient to accommodate current endpoint limits. A subnet size of /27 to /24 can provide flexibility if these limits change.

Box 2: No address space required
SpokeVNet

An endpoint does not use a subnet.

Azure DNS Private Resolver requires an Azure Virtual Network.
When you create an Azure DNS Private Resolver inside a virtual network, one or more inbound endpoints are established that can be used as the destination for DNS queries. The resolver's outbound endpoint processes DNS queries based on a DNS forwarding ruleset that you configure. DNS queries that are initiated in networks linked to a ruleset can be sent to other DNS servers.


Reference:

https://learn.microsoft.com/en-us/azure/dns/dns-private-resolver-overview


