
Microsoft AZ-700 Practice Test - Questions Answers, Page 24

SIMULATION

Task 6

You have two servers that are each hosted by a separate service provider in New York and Germany. The server hosted in New York is accessible by using a host name of ny.contoso.com. The server hosted in Germany is accessible by using a host name of de.contoso.com.

You need to provide a single host name to access both servers. The solution must ensure that traffic originating from Germany is routed to de.contoso.com. All other traffic must be routed to ny.contoso.com.

A.
See the Explanation below for step by step instructions
Answers
Suggested answer: A

Explanation:

To provide a single host name that routes traffic based on the origin, you can use Azure Traffic Manager. This service allows you to route traffic to different endpoints based on various routing methods, including geographic routing.

Step-by-Step Solution

Step 1: Create a Traffic Manager Profile

Navigate to the Azure Portal.

Search for "Traffic Manager profiles" and select it.

Click on "Create".

Enter the following details:

Name: Enter a name for the Traffic Manager profile (e.g., ContosoTrafficManager).

Routing method: Select Geographic.

Subscription: Select your subscription.

Resource group: Select an existing resource group or create a new one.

Resource group location: Choose a location (this does not affect the routing).

Click on "Create".

Step 2: Configure Endpoints

Navigate to the newly created Traffic Manager profile.

Select "Endpoints" from the left-hand menu.

Click on "Add" to add a new endpoint.

Enter the following details:

Type: Select External endpoint.

Name: Enter a name for the endpoint (e.g., NewYorkEndpoint).

FQDN: Enter ny.contoso.com.

Geographic region: Select "World" (this will be adjusted later).

Click on "Add" to save the endpoint.

Repeat the process to add the second endpoint:

Type: Select External endpoint.

Name: Enter a name for the endpoint (e.g., GermanyEndpoint).

FQDN: Enter de.contoso.com.

Geographic region: Select Europe.

Step 3: Adjust Geographic Routing

Navigate to the Traffic Manager profile.

Select "Configuration" from the left-hand menu.

Under "Geographic routing", adjust the regions:

For the GermanyEndpoint, ensure that the geographic region is set to Europe.

For the NewYorkEndpoint, ensure that the geographic region is set to World (excluding Europe).

Step 4: Test the Configuration

Use a DNS query tool to test the routing.

From a location in Germany, query the Traffic Manager profile's DNS name and ensure it resolves to de.contoso.com.

From a location outside Europe, query the Traffic Manager profile's DNS name and ensure it resolves to ny.contoso.com.

Explanation:

Azure Traffic Manager: This service uses DNS to direct client requests to the most appropriate endpoint based on the routing method you choose. Geographic routing ensures that traffic is directed based on the origin of the request.

Geographic Routing: This method allows you to route traffic based on the geographic location of the DNS query origin, ensuring that users are directed to the nearest or most appropriate endpoint.

By following these steps, you can provide a single host name that routes traffic to de.contoso.com for users in Germany and to ny.contoso.com for users from other locations, ensuring efficient and appropriate traffic management.

SIMULATION

Task 7

You plan to deploy 100 virtual machines to subnet4-1. The virtual machines will NOT be assigned a public IP address. The virtual machines will call the same API, which is hosted by a third party. The virtual machines will make more than 10,000 calls per minute to the API.

You need to minimize the risk of SNAT port exhaustion. The solution must minimize administrative effort.

A.
See the Explanation below for step by step instructions
Answers
Suggested answer: A

Explanation:

To minimize the risk of SNAT port exhaustion for your 100 virtual machines in subnet4-1, while ensuring minimal administrative effort, you can use an Azure NAT Gateway. This service provides scalable and resilient outbound connectivity for virtual networks, dynamically allocating SNAT ports to avoid exhaustion.

Step-by-Step Solution

Step 1: Create a NAT Gateway

Navigate to the Azure Portal.

Search for "NAT gateways" and select it.

Click on "Create".

Enter the following details:

Subscription: Select your subscription.

Resource Group: Select an existing resource group or create a new one.

Name: Enter a name for the NAT gateway (e.g., NATGateway-Subnet4-1).

Region: Select the region where your virtual network is located.

Click on "Next: Outbound IP".

Step 2: Configure Outbound IP Addresses

Choose whether to use existing public IP addresses or create new ones.

If creating new ones, click on "Add new" and configure the new public IP addresses.

Click on "Next: Subnet".

Step 3: Associate the NAT Gateway with Subnet4-1

Click on "Associate subnet".

Select the virtual network that contains subnet4-1.

Select subnet4-1 from the list of subnets.

Click on "OK".

Step 4: Review and Create

Review your settings to ensure everything is correct.

Click on "Review + create" and then "Create".

Explanation:

Azure NAT Gateway: This service provides outbound connectivity for virtual networks, dynamically allocating SNAT ports across all VM instances within a subnet. This dynamic allocation helps prevent SNAT port exhaustion, especially in scenarios with high outbound connection volumes.

Dynamic SNAT Port Allocation: Unlike static allocation methods, NAT Gateway dynamically allocates SNAT ports based on demand, ensuring efficient use of available ports and reducing the risk of exhaustion.

By following these steps, you can ensure that your 100 virtual machines in subnet4-1 can make the necessary API calls without running into SNAT port exhaustion, all while minimizing administrative effort.

SIMULATION

Task 8

You plan to deploy an appliance to subnet3-2. The appliance will perform packet inspection and will have an IP address of 10.3.2.100.

You need to ensure that all traffic to the internet from subnet3-1 is forwarded to the appliance for inspection.

A.
See the Explanation below for step by step instructions
Answers
Suggested answer: A

Explanation:

To ensure that all traffic to the internet from subnet3-1 is forwarded to the appliance in subnet3-2 for packet inspection, you can use User-Defined Routes (UDRs) to direct the traffic. Here's how you can do it:

Step-by-Step Solution

Step 1: Create a Route Table

Navigate to the Azure Portal.

Search for "Route tables" and select it.

Click on "Create".

Enter the following details:

Subscription: Select your subscription.

Resource Group: Select an existing resource group or create a new one.

Name: Enter a name for the route table (e.g., RouteTable-Subnet3-1).

Region: Select the region where your virtual network is located.

Click on "Review + create" and then "Create".

Step 2: Add a Route to the Route Table

Navigate to the newly created route table.

Select "Routes" from the left-hand menu.

Click on "Add" to create a new route.

Enter the following details:

Route name: Enter a name for the route (e.g., RouteToAppliance).

Address prefix: Enter 0.0.0.0/0 to route all internet traffic.

Next hop type: Select Virtual appliance.

Next hop address: Enter the IP address of the appliance (10.3.2.100).

Click on "OK" to add the route.

Step 3: Associate the Route Table with Subnet3-1

Navigate to the route table.

Select "Subnets" from the left-hand menu.

Click on "Associate".

Select the virtual network that contains subnet3-1.

Select subnet3-1 from the list of subnets.

Click on "OK".

Explanation:

User-Defined Routes (UDRs): These allow you to control the routing of traffic within your virtual network. By defining a route that directs all internet-bound traffic to the appliance, you ensure that the traffic is inspected before it reaches the internet.

Virtual Appliance: This is a network appliance that performs specific functions, such as packet inspection, and is treated as a next hop in the routing table.

Route Table Association: Associating the route table with subnet3-1 ensures that all traffic from this subnet follows the defined routes.

By following these steps, you can ensure that all internet-bound traffic from subnet3-1 is forwarded to the appliance in subnet3-2 for inspection, thereby enhancing your network security.
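How the 0.0.0.0/0 route from Step 2 changes next-hop selection for subnet3-1, as an added example that is not part of the original answer. It models Azure's route selection (longest prefix match, then user-defined over BGP over system routes); the 10.3.0.0/16 address space and the sample destinations are assumptions.

```python
import ipaddress

# Tie-break when two routes share a prefix length:
# user-defined routes beat BGP routes, which beat system (default) routes.
SOURCE_RANK = {"User": 0, "BGP": 1, "Default": 2}

# Constructed effective routes for subnet3-1. The 10.3.0.0/16 address space
# is assumed; only the appliance address 10.3.2.100 comes from the task.
SYSTEM_ROUTES = [
    {"source": "Default", "prefix": "10.3.0.0/16", "next_hop": "VnetLocal"},
    {"source": "Default", "prefix": "0.0.0.0/0", "next_hop": "Internet"},
]
# The route added in Step 2 (RouteToAppliance).
UDR = {"source": "User", "prefix": "0.0.0.0/0",
       "next_hop": "VirtualAppliance 10.3.2.100"}


def select_route(routes, destination):
    """Return the route used for destination: longest prefix, then source rank."""
    dest = ipaddress.ip_address(destination)
    matches = [r for r in routes if dest in ipaddress.ip_network(r["prefix"])]
    if not matches:
        return None
    return min(matches, key=lambda r: (
        -ipaddress.ip_network(r["prefix"]).prefixlen,
        SOURCE_RANK[r["source"]]))


def next_hop(routes, destination):
    """Return the next hop for destination, or "Dropped" if no route matches."""
    route = select_route(routes, destination)
    return route["next_hop"] if route else "Dropped"


if __name__ == "__main__":
    with_udr = SYSTEM_ROUTES + [UDR]
    # Constructed destinations: one internet address, two inside the VNet.
    for dst in ("203.0.113.10", "10.3.1.7", "10.3.2.100"):
        print(f"{dst:14} before: {next_hop(SYSTEM_ROUTES, dst):10} "
              f"after: {next_hop(with_udr, dst)}")
```

Destinations inside the virtual network keep the more specific VnetLocal route, so only traffic leaving the address space is sent to 10.3.2.100.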

SIMULATION

Task 9

You plan to use VNET4 for an Azure API Management implementation.

You need to configure a policy that can be used by an Azure application gateway to protect against known web attack vectors. The policy must only allow requests that originate from IP addresses in Canada. You do NOT need to create the application gateway to complete this task.

A.
See the Explanation below for step by step instructions
Answers
Suggested answer: A

Explanation:

To configure a policy in Azure API Management that can be used by an Azure Application Gateway to protect against known web attack vectors and only allow requests from IP addresses in Canada, follow these steps:

Step-by-Step Solution

Step 1: Create or Access Your API Management Instance

Navigate to the Azure Portal.

Search for "API Management services" and select your API Management instance.

Step 2: Configure the Policy

In the API Management instance, go to the "APIs" section.

Select the API you want to apply the policy to.

Go to the "Design" tab.

Select "All operations" if you want to apply the policy to all operations, or select a specific operation.

Step 3: Add the Inbound Policy

In the Inbound processing section, click on "+ Add policy".

Select "IP filter" from the list of policies.

Add the IP address ranges for Canada. You can find the IP ranges for Canada from a reliable source or use a service that provides this information.

Here is an example of the XML configuration for the policy:

<inbound>
    <ip-filter action='allow'>
        <!-- Add other Canadian IP ranges as needed -->
    </ip-filter>
    <ip-filter action='deny'>
    </ip-filter>
</inbound>

Save the policy to apply the changes.

Explanation:

IP Filter Policy: This policy allows you to filter incoming requests based on their IP addresses. By specifying the IP ranges for Canada, you ensure that only requests originating from these IPs are allowed.

Inbound Processing: Applying the policy in the inbound section ensures that the requests are filtered before they reach your API.

By following these steps, you can configure a policy in Azure API Management that restricts access to your API to only those requests originating from IP addresses in Canada, thereby enhancing security and compliance.

SIMULATION

Task 10

You plan to deploy several virtual machines to subnet1-2.

You need to prevent all Azure hosts outside of subnet1-2 from connecting to TCP port 5585 on hosts on subnet1-2. The solution must minimize administrative effort.

A.
See the Explanation below for step by step instructions
Answers
Suggested answer: A

Explanation:

To prevent all Azure hosts outside of subnet1-2 from connecting to TCP port 5585 on hosts within subnet1-2, you can use a Network Security Group (NSG). This solution is straightforward and minimizes administrative effort.

Step-by-Step Solution

Step 1: Create a Network Security Group (NSG)

Navigate to the Azure Portal.

Search for "Network security groups" and select it.

Click on "Create".

Enter the following details:

Subscription: Select your subscription.

Resource Group: Select an existing resource group or create a new one.

Name: Enter a name for the NSG (e.g., NSG-Subnet1-2).

Region: Select the region where your virtual network is located.

Click on "Review + create" and then "Create".

Step 2: Create an Inbound Security Rule

Navigate to the newly created NSG.

Select "Inbound security rules" from the left-hand menu.

Click on "Add" to create a new rule.

Enter the following details:

Source: Select Service Tag.

Source Service Tag: Select VirtualNetwork.

Source port ranges: Leave as *.

Destination: Select IP Addresses.

Destination IP addresses/CIDR ranges: Enter the IP range of subnet1-2 (e.g., 10.1.2.0/24).

Destination port ranges: Enter 5585.

Protocol: Select TCP.

Action: Select Deny.

Priority: Enter a priority value (e.g., 100).

Name: Enter a name for the rule (e.g., Deny-TCP-5585).

Click on "Add" to create the rule.

Step 3: Associate the NSG with Subnet1-2

Navigate to the virtual network that contains subnet1-2.

Select "Subnets" from the left-hand menu.

Select subnet1-2 from the list of subnets.

Click on "Network security group".

Select the NSG you created (NSG-Subnet1-2).

Click on "Save".

Explanation:

Network Security Group (NSG): NSGs are used to filter network traffic to and from Azure resources in an Azure virtual network. They contain security rules that allow or deny inbound and outbound traffic based on source and destination IP addresses, port, and protocol.

Inbound Security Rule: By creating a rule that denies traffic on TCP port 5585 from any source outside of subnet1-2, you ensure that only hosts within subnet1-2 can connect to this port.

Association with Subnet: Associating the NSG with subnet1-2 ensures that the security rules are applied to all resources within this subnet.

By following these steps, you can effectively prevent all Azure hosts outside of subnet1-2 from connecting to TCP port 5585 on hosts within subnet1-2, while minimizing administrative effort.
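A check of which rule decides a given inbound flow once the NSG from Steps 1 to 3 is associated, as an added example that is not part of the original answer. It evaluates the Step 2 rule together with the NSG default inbound rules in priority order; the 10.1.0.0/16 address space standing in for the VirtualNetwork tag and the sample flows are assumptions.

```python
import ipaddress

# Simplified stand-ins for service tags. The 10.1.0.0/16 address space is an
# assumption; 10.1.2.0/24 for subnet1-2 is the example range from Step 2.
TAGS = {"VirtualNetwork": ["10.1.0.0/16"], "*": ["0.0.0.0/0"]}

RULES = [
    # The rule created in Step 2.
    {"name": "Deny-TCP-5585", "priority": 100, "src": "VirtualNetwork",
     "dst": ["10.1.2.0/24"], "port": 5585, "proto": "TCP", "action": "Deny"},
    # Default inbound rules of an NSG (AllowAzureLoadBalancerInBound omitted).
    {"name": "AllowVnetInBound", "priority": 65000, "src": "VirtualNetwork",
     "dst": TAGS["VirtualNetwork"], "port": None, "proto": "*", "action": "Allow"},
    {"name": "DenyAllInBound", "priority": 65500, "src": "*",
     "dst": TAGS["*"], "port": None, "proto": "*", "action": "Deny"},
]


def in_any(ip, cidrs):
    """True if ip falls inside any of the CIDR ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def evaluate(rules, src, dst, port, proto="TCP"):
    """Return (action, rule name) for the lowest-numbered rule that matches."""
    for r in sorted(rules, key=lambda r: r["priority"]):
        if (in_any(src, TAGS[r["src"]]) and in_any(dst, r["dst"])
                and r["port"] in (None, port) and r["proto"] in ("*", proto)):
            return r["action"], r["name"]
    return "Deny", "no matching rule"


# Constructed sample flows toward a host at 10.1.2.10 in subnet1-2.
FLOWS = [
    ("10.1.3.4", 5585),     # another subnet of the same virtual network
    ("10.1.3.4", 443),      # same source, different port
    ("203.0.113.7", 5585),  # address outside the virtual network
    ("10.1.2.5", 5585),     # a host inside subnet1-2 itself
]

if __name__ == "__main__":
    for src, port in FLOWS:
        print(src, port, evaluate(RULES, src, "10.1.2.10", port))
```

The last flow is matched by the same priority-100 rule, because an NSG associated with a subnet is also evaluated for traffic between hosts in that subnet.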

SIMULATION

Task 11

You need to ensure that only hosts on VNET1 can access the slcnage42150372 storage account. The solution must ensure that access occurs over the Azure backbone network.

A.
See the Explanation below for step by step instructions
Answers
Suggested answer: A

Explanation:

To ensure that only hosts on VNET1 can access the slcnage42150372 storage account and that access occurs over the Azure backbone network, you can use Azure Private Endpoints. This method secures the connection by assigning a private IP address from your virtual network to the storage account, ensuring that traffic does not traverse the public internet.

Step-by-Step Solution

Step 1: Create a Private Endpoint for the Storage Account

Navigate to the Azure Portal.

Search for "Storage accounts" and select the slcnage42150372 storage account.

In the storage account blade, select "Networking" under the "Security + networking" section.

Under "Private endpoint connections", click on "Add private endpoint".

Enter the following details:

Name: Enter a name for the private endpoint (e.g., PrivateEndpoint-VNET1).

Region: Select the same region as your virtual network (VNET1).

Click on "Next: Resource".

Step 2: Configure the Resource

Select "Target sub-resource": Choose the storage service you want to connect to (e.g., blob, file, queue, table).

Click on "Next: Virtual network".

Step 3: Select the Virtual Network and Subnet

Select the virtual network: Choose VNET1.

Select the subnet: Choose the appropriate subnet within VNET1.

Click on "Next: Configuration".

Step 4: Configure DNS Integration (Optional)

Configure DNS settings if needed to ensure proper name resolution within your virtual network.

Click on "Next: Tags", add any tags if necessary, and then click on "Review + create".

Review your settings and click on "Create".

Step 5: Restrict Public Network Access

Navigate back to the storage account.

Select "Networking" under the "Security + networking" section.

Under "Firewalls and virtual networks", select "Selected networks".

Ensure that only VNET1 is listed under the virtual networks section.

Click on "Save".

Explanation:

Private Endpoints: These provide secure connectivity to Azure services by assigning a private IP address from your VNet to the service, ensuring that traffic stays within the Azure backbone network.

Firewall and Virtual Networks: Configuring the storage account to allow access only from selected networks (VNET1) ensures that no other network can access the storage account.

By following these steps, you can ensure that only hosts on VNET1 can access the slcnage42150372 storage account, and that all access occurs over the secure Azure backbone network.


Total 236 questions