AZ-700 Exam Questions | Q&A Explained in Detail | Design & Implement Azure Networking Solutions

Video Statistics and Information

Captions
Hello, and how are you doing, guys? In this video we will go through 20 sample questions and answer them in detail to help you prepare for the AZ-700: Designing and Implementing Microsoft Azure Networking Solutions exam. I will leave a link in the description for the entire AZ-700 practice test. I've also compiled the AZ-700 study guide on my website; be sure to check that for your exam preparation. Please subscribe to my channel, as this really helps me to continue making such videos, and in case you don't see tests for any Microsoft certification on my channel, please leave a comment; I will create a video on that. So let's get started.

You are a system administrator and you need to create and set the IPsec/IKE policy on a site-to-site VPN connection. The following are the steps, not necessarily in the right sequence, to create and update the policy. Arrange these steps in the right sequence to create a site-to-site VPN connection and set the IPsec/IKE policy. First, create a VNet and an Azure virtual network gateway. This gateway connects the Azure VNet to your on-premises network through a site-to-site VPN connection, so step 2 comes first. Next, create a local network gateway in Azure that represents the VPN device in your on-premises network. Here you specify the IP address of the on-premises device to which you will create a connection, and also the address prefixes located on your on-premises network, so step one comes next. Once you have both the gateways, you are ready to create a connection. Next, you configure an IPsec/IKE policy by selecting an algorithm and setting different parameters within the VPN connection object that ultimately connects your local network and Azure VNet using the IPsec protocol. Next is step 3. Finally, you create this connection object with the IPsec policy, which is step 4.
By looking at the steps in the portal, you might be tempted to swap steps 3 and 4, since you create the IPsec policy within the VPN connection. But while creating the objects via PowerShell or any other command-line tool, you would first create the IPsec policy and then use this policy while creating the site-to-site VPN connection. So the order is B, A, C, D, E. Option A is the correct choice.

You decide to create a point-to-site VPN connection to connect you to your virtual network from home. In this case, point-to-site VPN can use any of the following protocols except: Point-to-site VPN uses one of these protocols, like OpenVPN, which is a TLS-based VPN protocol that connects devices across all platforms like Windows, Android, iOS and Linux. Then there is SSTP, which is also a TLS-based VPN protocol, supported only for Windows devices. Finally, we have IKE version 2 for Mac devices. You can also verify this by trying to configure a point-to-site VPN connection in the virtual network gateway. For tunnel type we have only OpenVPN, SSTP and IKEv2, and there are some other combinations of these protocols. As seen in the previous question, the IPsec protocol is used by the site-to-site VPN; it is not used by point-to-site connections. Option C is the correct answer.

An ExpressRoute circuit denotes the logical connectivity between MS cloud services and on-premises infrastructure via a connectivity provider. Which of the following statements are true about ExpressRoute circuits? When you create an ExpressRoute object in Azure, you can see that a service key is associated with it, also called the s-key. This is a unique key for the ExpressRoute circuit, so option B is one of the correct answer choices, and so is option E, which just states the same thing in different words. And you can enable peering or routing domains on the ExpressRoute circuit, like Azure public, Azure private and Microsoft, to enable secure access of Azure and Microsoft 365 services from the customer network. You can enable either
just one or all three peerings on the ExpressRoute circuit, so option D, which says that there is a one-to-one mapping between ExpressRoute circuits and routing domains, is incorrect, and so is option C, which says that you can enable just two peerings per ExpressRoute circuit. Finally, ExpressRoute circuits do not map to a physical entity, so option A is also a correct choice.

While accomplishing your task, you need to centrally develop, enforce and log applications and network connectivity policies across virtual networks and subscriptions. Which of the following services would you use? Option A is incorrect: Azure Front Door is a layer 7 load balancing solution for web applications. It is related to improving performance of your app and not to network connectivity policies. Option C is incorrect too: Azure Private Link allows you to access Azure PaaS services like Azure Storage and SQL Database over a private endpoint in your virtual network. This service simply connects your VNet to Azure services without the need for a public IP. Option D is incorrect too: Azure DNS offers name resolution with the help of Microsoft Azure infrastructure. Option E is also an incorrect choice: Azure DDoS Protection offers protection against DDoS threats. Option B is the correct answer. Using Azure Firewall, you can create, enforce and log application and network connectivity policies across virtual networks and subscriptions.

The Domain Name System resolves or translates a service name to an IP address. Which of the following record types can't be used by Azure Private DNS? Well, Azure Private DNS supports all common DNS record types, like the A record, which points a domain to an IPv4 address, and the AAAA record, which points a domain to an IPv6 address, and other records like mail records and text records. But AA is not a record type. In fact, if you analyze the DNS packet structure, the label AA is one of the flag fields in the DNS query header. It stands for authoritative answer, which specifies whether the responding
name server is an authority for the domain name in question. For example, if I do an nslookup for my domain reviews.com, I get a non-authoritative answer, which means that the response came from a name server that is considered non-authoritative for my domain. So option C is correct. Even AAA is not a type of record, and I have not seen where this is used in the DNS world. In case you know, please let me know in the comment section. For this question, though, option D is also a correct choice.

You can use virtual network peering to seamlessly connect two or more virtual networks in Azure. Which of the following benefits would you get using virtual network peering? Select all that are applicable. Virtual network peering enables you to seamlessly connect two or more virtual networks in Azure. Both networks appear as one, so peering provides a low-latency, high-bandwidth connection between resources in different virtual networks. So option B is incorrect and option A is one of the correct choices. When you peer two virtual networks, there is absolutely no downtime to resources in either virtual network during the peering process or after the peering is created. So option C, which talks about downtime to resources in the virtual network, is also incorrect, and option E is a correct choice, as that's exactly the reason why we peer two virtual networks: to let resources in different networks communicate with each other. Finally, you can peer virtual networks across deployment models (either the Azure Resource Manager model or the classic deployment model), across Azure subscriptions, across Azure regions and across Azure AD tenants. So option D is also a correct choice.

Basic and standard are two types of Virtual WANs. Both WANs support different configurations. From the given options, select the configuration that's available for a basic Virtual WAN. Azure Virtual WAN lets you connect your branch offices, your data centers, your remote users and your company headquarters with Azure virtual networks via site-to-site, point-to-site and ExpressRoute connections, but not all configurations are available with a basic Virtual WAN. Here I have already created a basic Virtual WAN, and when I create a new hub, it lets me create a gateway for site-to-site connectivity but not for point-to-site or ExpressRoute connectivity. You need to upgrade the Virtual WAN to the standard tier if you need those configurations. Option D is the correct choice.

While working on Azure PowerShell, some of the values mentioned in the instructions are getting failed. One of your friends suggests you ensure that you have installed the latest version to avoid such issues. Which of the following cmdlets would you use to find the versions of Azure PowerShell that have been installed on your computer? All Azure PowerShell cmdlets follow this standard naming convention, which is verb-hyphen-noun, where the verb describes the action to be performed and the noun describes the resource type, and these are the commonly used verbs in Azure cmdlets. To view information about the PowerShell version used, use the verb Get. Retrieve is not a verb used in PowerShell cmdlets, so options C and D are incorrect. To view the PowerShell version installed, use the command Get-Module -ListAvailable Az. Option A is the correct choice.

While working as a network administrator, you need to do DNS-based global routing. Well, let's stop reading this question here. Of all the load balancing options in Azure, DNS-based load balancing means it most probably is Azure Traffic Manager.

A listener is considered a logical entity responsible for checking the incoming connection request with the help of the protocol, host, port and IP address. When you decide to create a new listener, you have to choose between basic or multi-site. Scenario is: you want the incoming request to be forwarded to a different backend pool depending upon the host names or the host header. Solution is: you choose a basic listener. Is this the right choice? Well, a listener is a
logical entity that checks for connection requests from the incoming traffic to the application gateway. There are several parts in a gateway architecture, like frontend IP, listener, rule and a backend pool. So before answering this question, let's go to the Azure portal to understand the role of Azure listeners. When you create an application gateway, you define a frontend where the gateway receives the traffic and a backend pool where the traffic is routed to. In between them, you create routing rules. A routing rule sends traffic from a given frontend IP to one or more backend targets, and a routing rule contains two parts: a listener and a backend target. The role of a listener is to listen on the specified port and the IP address. If the criteria that you define here is met for any listener, the application gateway will apply this routing rule and route the traffic to the specified backend target. But when you define a listener, there is a setting called listener type, which can be either basic or multi-site. If you are hosting just a single site behind an application gateway, choose a basic listener. In this case, all requests are forwarded to the same backend pool. On the other hand, if you want to configure multiple web applications behind the application gateway, choose a multi-site listener. Application Gateway relies on HTTP headers to host more than one website on the same public IP address and port. So if you want the incoming request to be forwarded to different backend pools depending on the host header, so that you can host more than one website, you should choose a listener of type multi-site. In the given scenario, using a basic listener does not solve the problem. Option No is the correct choice.

You address your team about various Azure load balancing services. Which of the following statements would you use to describe the Azure Front Door load balancing service? Check this table, which guides us how to choose a load balancing solution based on these two parameters. Azure Front
Door provides a global load balancing solution, which means they distribute traffic across different Azure regions. Regional load balancers distribute traffic within virtual networks in a region. And Azure Front Door operates at layer 7, which means they accept HTTP or HTTPS traffic, which also means that they are intended for use with web applications. On the other hand, Traffic Manager and Azure Load Balancer handle non-HTTPS traffic and are recommended for non-web workloads. Given this understanding, we need to look for an option that is suitable for load balancing web applications globally. Option A is incorrect: although the service operates globally, it is a DNS-based load balancer. Of all the four load balancing solutions in Azure, only Traffic Manager is DNS-based, as for each DNS query received, Traffic Manager uses DNS to direct the client request to the appropriate endpoint. Option B talks about a layer 7 application delivery controller; it describes Application Gateway. Option C talks about layer 4 of the OSI model for TCP and UDP protocols, so this statement describes Azure Load Balancer. Option D says that it is a global load balancing solution with layer 7 capabilities. This statement perfectly describes Azure Front Door and is the correct answer to this question. Also, search for the load balancing "help me choose" service in Azure, where we will re-verify our understanding from the earlier discussion. DNS-based is Traffic Manager, layer 4 is Azure Load Balancer, and layer 7 means it is either of these two options, but generally Front Door operates at the global level. Further, only Front Door provides the site acceleration service, which you can verify from the service comparison table.

There are six traffic routing methods in Azure Traffic Manager to control traffic to different endpoints. Which routing method would you use when you have endpoints in various geographic locations and you want to ensure that end users utilize the closest endpoint for the lowest network latency? These are the six different
traffic routing methods in Traffic Manager, so right away options B and D are incorrect. In the priority traffic routing method, the Traffic Manager profile contains a list of endpoints with priority values. By default, Traffic Manager sends all traffic to the highest-priority endpoint. If the highest-priority endpoint is not available, then it routes the traffic to the next highest-priority endpoint. This method enables us to implement a failover pattern, and it doesn't address network latency. Option A is incorrect. In the weighted traffic routing method, instead of priority values, weights are assigned to each endpoint. For each DNS query, Traffic Manager chooses an endpoint based on the relative distribution of weights assigned. For example, if endpoint A is assigned a weight of 70 and endpoint B is assigned a weight of 30, then Traffic Manager routes requests to endpoint A 70 percent of the time. Even this option is incorrect. What we need is a solution that takes into account the geographic location of the user and directs to the endpoint nearest to the user. That's exactly what the performance traffic routing method does. In this method, Traffic Manager maintains a latency table to track the round-trip time between IP address ranges and each Azure data center. For example, if the user comes from this IP address range, then Traffic Manager exactly knows which endpoint is closest to the user in terms of latency, and so it directs the user to that endpoint. Option C is the correct answer.

Virtual Network NAT uses outbound-only internet connectivity for virtual networks. Which of the following statements are true about NAT? Well, a NAT translates a private IP address to a public IP address, so multiple devices in your private network can access the internet through a single public IP address. NAT enhances security for private networks by keeping internal addressing private from the external network. To answer the given question, let's try creating a NAT gateway in Azure. NAT is generally associated
to a subnet in a VNet and can be used by all compute resources in that subnet. So let's select a virtual network and a subnet to associate with the NAT gateway. Before proceeding further, look at the information here. It says that subnets with any of these resources are incompatible and cannot be used to associate with a NAT gateway, for example subnets with IPv6 address space. NAT supports only IPv4 and not IPv6 address spacing, so option C is a correct choice and option B is incorrect. Further, NAT is not compatible with basic resources like a basic SKU load balancer or a basic SKU public IP address, but compatible with their corresponding standard SKUs. So option A is incorrect, because it says that NAT is incompatible with load balancer resources. As we just learned, NAT is only incompatible with a basic SKU load balancer and not just any load balancer. So let's proceed to create the NAT gateway. Once created, let's go to the subnet section and try to associate subnets from other virtual networks to this NAT gateway. Just observe that first the previous subnet is disassociated and then the new subnet from another VNet is associated, which means you can only associate subnets from a single virtual network to a NAT gateway, but within a single VNet you can associate more than one subnet to the NAT gateway. So NAT cannot span multiple virtual networks. Option E is a correct choice and option D is incorrect.

You protect your Azure virtual network resources using Azure Firewall, but there are a number of different issues with the firewall. For the issue "threat intelligence alerts may get masked", how can you mitigate the issue? Each option represents the complete solution. Select all that are applicable. Well, to begin with, Azure Firewall provides threat intelligence-based filtering, which alerts or denies traffic from malicious IP addresses and domains. You can set the threat intelligence mode to either alert only, in which case it just alerts you about the malicious traffic, or alert and deny,
in which case it alerts you and blocks the traffic. Before using Azure Firewall, be aware of some limitations or known issues of the service, and one such issue discussed in the question is that the threat intelligence alerts provided by Azure Firewall may get masked by network rules with destination ports 80 or 443 if you have configured the threat intelligence alerts to alert only mode. Microsoft offers two different solutions to fix this issue. The first solution is to update the threat intelligence mode to alert and deny. The second solution is to create outbound filtering for 80 and 443 using application rules. Options B and C are the correct answers.

If the first network interface allocated to an application security group is in a particular virtual network, then all subsequent network interfaces allocated to the same application security group must exist in the same VNet. Is this statement true? Well, application security groups enable us to group VMs in a VNet according to their application roles. For example, here these three application security groups group the nine VMs according to the roles that they perform. You can use them in a single rule in an NSG to block traffic from any of the web server VMs to the DB server VMs, rather than creating multiple rules with static IP addresses of individual VMs. Coming back to the question, to test the given statement I created two VMs in two different virtual networks: my VM 1 in my VNet 1 and my VM 2 in my VNet 2. For my VM 1, I already associated its network interface to an application security group. Let's associate the network interface for my VM 2, which is in a different virtual network, to the same application security group. The interface says that the application security group cannot be used because this network interface doesn't exist in the same VNet that the first network interface assigned to the application security group is in. So the given statement is true.

The question is long-winded, and it basically asks what is
the PowerShell command you would use to configure a security policy on a resource group that contains an Azure Front Door profile. Azure PowerShell commands come in the form verb-hyphen-noun, and nouns in Azure PowerShell always start with the prefix Az, so option D is incorrect, as the noun starts with the prefix Azure. Configure means to set up, to build and so on, so the command should start with the verb New and not Set. Option B is also incorrect. The question talks about a security policy with respect to Azure Front Door. Option C doesn't give any indication of what kind of policy it is. Option A looks like the most suitable choice. With Azure Front Door, you can configure a web application firewall policy, or a WAF policy, to protect your application against common exploits and vulnerabilities like SQL injection.

With the help of PowerShell, you need to retrieve or get an existing workspace in a resource group. Which of the following cmdlets would you use? As already discussed in one of the earlier questions, Retrieve is not a verb used in PowerShell cmdlets. Option C is incorrect. And the verb New creates a resource; we don't use the verb New to retrieve a resource. Option E is also incorrect. In this question, workspace refers to a Log Analytics workspace, so clearly option A is incorrect, as it tries to retrieve a network security group. To retrieve the information about a workspace, use the command Get-AzOperationalInsightsWorkspace. Option B is the correct answer.

Azure Private Endpoint acts as a network interface to connect you to a service powered by Azure Private Link in a private and secure manner. Being the private link resource owner, or in other words owner of these PaaS services, which of the following actions can he perform over a private endpoint connection? Azure Private Link enables you to access PaaS services like Azure Storage and SQL Database over a private endpoint in your virtual network. All the traffic between your VNet and the PaaS service travels over the
Microsoft backbone network, so you don't have to expose the PaaS service to the internet. Since you consume the PaaS service from your VNet, you are the service consumer, and the provider of the PaaS services is the service provider, or he is also known as the private link resource owner, since he owns the resources. Have a look at this approval workflow of how a private link connection is negotiated between the consumer side and the provider side. After a service consumer creates a private endpoint in his VNet, he sends a request to the service provider. The service provider, or the resource owner, can then either review, approve, reject or delete a private endpoint connection. Option E is the correct answer.

You can get the current service tag and range information by downloading the JSON file or programmatically adding it as part of your on-premises firewall configuration. Which of the following can be used to programmatically retrieve the current list of service tags? A service tag is used to create inbound or outbound security rules in a network security group. A service tag is a predefined identifier that represents a group of IP addresses used by Azure services. For example, the service tag Storage.AustraliaCentral represents IP address ranges used by Azure Storage in the Australia Central region. Rather than using individual IP addresses, use service tags for easy maintenance of network security rules. Microsoft automatically updates the service tags as the underlying IP addresses change. You can programmatically retrieve the current list of service tags, together with IP address range details, with either REST, PowerShell or Azure CLI. Option D is the correct choice. Here is an example of how we can use PowerShell to view all the IP address prefixes used by Azure Storage.

Regional VNet integration enables connecting to a VNet in the same region with no need for a gateway. While using VNet integration with VNets in the same region, which of the below Azure networking features
would you use to block outbound traffic? Well, App Service VNet integration has two different variations: regional VNet integration, where you connect the app to the virtual network in the same region, and cross-region VNet integration, where you connect the app to a virtual network in other regions. You don't have to worry about the inbound traffic to the app from the VNet, as VNet integration only gives your app access to VNet resources, but it doesn't grant inbound private access to your app from the VNet. And you can block this outbound traffic from your app to the VNet with an NSG that's placed on the integration subnet. Option E is the correct choice. Option A is incorrect because, although you can place a route table on the integration subnet, a route table just routes the traffic and it does not filter or block the VNet traffic. Other options like Front Door and Traffic Manager do not make sense, as they are not placed on a subnet. Once you are done, let's submit the test and verify the performance.

So if you are preparing for the AZ-700: Designing and Implementing Microsoft Azure Networking Solutions exam, check the description for the link to the entire practice test that covers the length and breadth of all the objectives in the exam. Also check out my YouTube channel. I have already covered the sample exam questions for other Microsoft certifications, and in case you don't find them for any Azure certification, I will be happy to create a video on that. As always, share the video, and please do subscribe to my YouTube channel, because more videos are on the way. Thank you.
Info
Channel: R A V I K I R A N S
Views: 321
Keywords: az-700, az-700 exam questions, az-700 practice test, az-700 Q&A, az-700 azure networking
Id: J9JpDZ0SYfA
Length: 31min 57sec (1917 seconds)
Published: Sun Nov 28 2021