Designing and Implementing Microsoft Azure Networking Solutions 온라인 연습
최종 업데이트 시간: 2025년06월22일
당신은 온라인 연습 문제를 통해 Microsoft AZ-700 시험지식에 대해 자신이 어떻게 알고 있는지 파악한 후 시험 참가 신청 여부를 결정할 수 있다.
시험을 100% 합격하고 시험 준비 시간을 35% 절약하기를 바라며 AZ-700 덤프 (최신 실제 시험 문제)를 사용 선택하여 현재 최신 59개의 시험 문제와 답을 포함하십시오.
/ 10
Question No : 1
You have an Azure virtual network named Vnet1 that has one subnet. Vnet1 is in the West Europe Azure region.
You deploy an Azure App Service app named App1 to the West Europe region.
You need to provide App1 with access to the resources in Vnet1. The solution must minimize costs.
What should you do first?
정답: Explanation:
To provide an Azure App Service app with access to the resources in an Azure virtual network, while minimizing costs, the first step you should take is:
B. Create a new subnet.
Here's why this is the best option among the given choices:
A. Create a private link: Azure Private Link is a service that enables you to access Azure service resources securely from a virtual network. While it is a valid way to provide secure access, it is not necessarily the most cost-effective option, especially if you just need to integrate with Azure App Service.
B. Create a new subnet: Azure App Service can integrate with an Azure virtual network by using a feature called VNet Integration. To set up VNet Integration, you need to have a dedicated subnet within your Azure VNet where the app will be injected. This is usually the most cost-effective option because it doesn't require the creation of additional resources like a NAT gateway or virtual network gateway.
C. Create a NAT gateway: A NAT gateway is used to provide outbound connectivity for virtual machines in your virtual network. It's not required for enabling access to an App Service.
D. Create a gateway subnet and deploy a virtual network gateway: This is typically used for cross-premises connectivity, such as connecting an Azure VNet to an on-premises network. It is a more expensive option compared to VNet Integration and is not necessary if you are only connecting App Service to a VNet.
Therefore, the first step you should take to provide App1 with access to the resources in Vnet1 is to create a new subnet for VNet Integration with Azure App Service, which is the most cost-effective solution that aligns with the requirement.
Question No : 2
DRAG DROP
You have an Azure virtual network named Vnet1 that connects to an on-premises network.
You have an Azure Storage account named storageaccount1 that contains blob storage.
You need to configure a private endpoint for the blob storage.
The solution must meet the following requirements:
✑ Ensure that all on-premises users can access storageaccount1 through the private endpoint.
✑ Prevent access to storageaccount1 from being interrupted.
Which four actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
정답:
Explanation:
Question No : 3
You have an Azure virtual network that contains a subnet named Subnet1. Subnet1 is associated to a network security group (NSG) named NSG1. NSG1 blocks all outbound traffic that is not allowed explicitly.
Subnet1 contains virtual machines that must communicate with the Azure Cosmos DB service.
You need to create an outbound security rule in NSG1 to enable the virtual machines to connect to Azure Cosmos DB.
What should you include in the solution?
You have an Azure subscription that contains the following resources:
✑ A virtual network named Vnet1
✑ Two subnets named subnet1 and AzureFirewallSubnet
✑ A public Azure Firewall named FW1
✑ A route table named RT1 that is associated to Subnet1
✑ A rule routing of 0.0.0.0/0 to FW1 in RT1
After deploying 10 servers that run Windows Server to Subnet1, you discover that none of the virtual machines were activated.
You need to ensure that the virtual machines can be activated.
What should you do?
정답: Explanation:
To ensure that the virtual machines can be activated, you need to allow outbound traffic to the Azure Key Management Service (KMS) for activation. The KMS uses the TCP port 1688 for activation services.
The virtual machines in Subnet1 are routing all their traffic (0.0.0.0/0) to the Azure Firewall FW1 based on the rule in the route table RT1. Therefore, you need to configure FW1 to allow traffic to KMS for activation.
The best option here would be:
C. On FW1, configure a DNAT rule for port 1688.
This DNAT rule will translate the destination for outbound traffic on port 1688 to the correct KMS endpoint for activation. It's important to note that while DNAT is typically used for inbound connections, Azure Firewall rules can also be used to ensure proper handling of outbound traffic to specific public services.
Options A and B are not relevant in this context because:
A. Application security groups (ASGs) are used to group together VMs and define network security policies based on those groups. However, in this scenario, the issue is not with grouping the VMs but rather allowing traffic through the firewall to the KMS service.
B. Deploying an Azure Standard Load Balancer with an outbound NAT rule is not necessary since you already have a firewall in place that can be configured to allow the required outbound traffic.
Option D, adding an internet route to RT1 for the Azure Key Management Service (KMS), is not the correct approach because the route table already contains a default route (0.0.0.0/0) that sends all traffic to FW1. The key is to configure FW1 to allow traffic to KMS.
Question No : 5
You have a hybrid environment that uses ExpressRoute to connect an on-premises network and Azure.
You need to log the uptime and the latency of the connection periodically by using an Azure virtual machine and an on-premises virtual machine.
What should you use?
HOTSPOT
You have an Azure firewall shown in the following exhibit.
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic. NOTE: Each correct selection is worth one point.
정답:
Explanation:
Box 1:
If forced tunneling was enabled, the Firewall Subnet would be named AzureFirewallManagementSubnet. Forced tunneling can only be enabled during the creation of the firewall. It cannot be enabled after the firewall has been deployed.
Box 2:
The “Visit Azure Firewall Manager to configure and manage this firewall” link in the exhibit shows that the firewall is managed by Azure Firewall Manager.
Question No : 7
HOTSPOT
You have an Azure subscription that contains the virtual machines shown in the following table.
Subnet1 and Subnet2 are associated to a network security group (NSG) named NSG1 that has the following outbound rule:
✑ Priority: 100
✑ Port: Any
✑ Protocol: Any
✑ Source: Any
✑ Destination: Storage
✑ Action: Deny
You create a private endpoint that has the following settings:
✑ Name: Private1
✑ Resource type: Microsoft.Storage/storageAccounts
✑ Resource: storage1
✑ Target sub-resource: blob
✑ Virtual network: Vnet1
✑ Subnet: Subnet1
For each of the following statements, select Yes of the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.
정답:
Explanation:
Yes, Yes, Yes
NSG rules applied to the subnet hosting the private endpoint are not applied to the private endpoint. So the NSG1 doesn't limit storage access from either VM1 or VM2. https://docs.microsoft.com/en-us/azure/storage/common/storage-private-endpoints#network-security-group-rules-for-subnets-with-private-endpoints
Question No : 8
You have an Azure subscription that contains multiple virtual machines in the West US Azure region.
You need to use Traffic Analytics.
Which two resources should you create? Each correct answer presents part of the solution. NOTE: Each correct answer selection is worth one point. (Choose two.)
정답: Explanation:
Reference: https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics
A storage acccount is used to store network security group flow logs.
A Log Analytics workspace is used by Traffic Analytics to store the aggregated and indexed data that is then used to generate the analytics.
https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics#enable-flow-log-settings
Question No : 9
You have an Azure Web Application Firewall (WAF) policy in prevention mode that is associated to an Azure Front Door instance.
You need to configure the policy to meet the following requirements:
✑ Log all connections from Australia.
✑ Deny all connections from New Zealand.
✑ Deny all further connections from a network of 131.107.100.0/24 if there are more than 100 connections during one minute.
What is the minimum number of objects you should create?
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure application gateway that has Azure Web Application Firewall (WAF) enabled.
You configure the application gateway to direct traffic to the URL of the application gateway.
You attempt to access the URL and receive an HTTP 403 error. You view the diagnostics log and discover the following error.
You need to ensure that the URL is accessible through the application gateway.
Solution: You create a WAF policy exclusion for request headers that contain 137.135.10.24.
Does this meet the goal?
정답: Explanation:
The parameter here should be RemoteAddr not Request header. https://docs.microsoft.com/en-us/azure/web-application-firewall/ag/custom-waf-rules-overview#match-variable-required
Question No : 11
You plan to publish a website that will use an FQDN of www.contoso.com.
The website will be hosted by using the Azure App Service apps shown in the following table.
You plan to use Azure Traffic Manager to manage the routing of traffic for www.contoso.com between AS1 and AS2.
You need to ensure that Traffic Manager routes traffic for www.contoso.com.
Which DNS record should you create?
You have the Azure environment shown in the exhibit.
VM1 is a virtual machine that has an instance-level public IP address (ILPIP).
Basic Load Balancer uses a public IP address. VM1 and VM2 are in the backend pool.
NAT Gateway uses a public IP address named IP3 that is associated to Subnet A.
VNet1 has a virtual network gateway that has a public IP address named IP4.
When initiating outbound traffic to the internet from VM1, which public address is used?
A. IP1
B. IP2
C. IP3
D. IP4
정답: A
Question No : 13
HOTSPOT
You have an Azure virtual network named Vnet1 that contains two subnets named Subnet1 and Subnet2.
You have the NAT gateway shown in the NATgateway1 exhibit.
You have the virtual machine shown in the VM1 exhibit.
Subnet1 is configured as shown in the Subnet1 exhibit.
For each of the following statements, select Yes of the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.
정답:
Explanation:
Box 1: No
VM1 is in Zone2 whereas the NAT Gateway is in Zone1. The VM would need to be in the same zone as the NAT Gateway to be able to use it. Therefore, VM1 cannot use the NAT gateway.
Box 2: Yes
NATgateway1 is configured in the settings for Subnet2.
Box 3: No
The NAT gateway does not have a single public IP address, it has an IP prefix which means more than one IP address. The VMs the use the NAT Gateway can use different public IP addresses contained within the IP prefix.
Reference: https://docs.microsoft.com/en-us/azure/virtual-network/nat-gateway/nat-gateway-resource
Question No : 14
You have an Azure subscription that contains an Azure App Service app. The app uses a URL of https://www.contoso.com.
You need to use a custom domain on Azure Front Door for www.contoso.com. The custom domain must use a certificate from an allowed certification authority (CA).
What should you include in the solution?
HOTSPOT
You have an Azure Front Door instance that provides access to a web app. The web app uses a hostname of www.contoso.com.
You have the routing rules shown in the following table.
Which rule will apply to each incoming request? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point
