
- December 21, 2024
- Pankaj Kumar

AZ-700 Assessment
Microsoft Azure Network Engineer Associate
Question 1
You have an Azure subscription.
You create a route table named Route1 and add several routes to Route1.
To which Azure resource can you associate Route1?
- Subnet
- Virtual network
- Virtual network gateway
- Virtual network interface
Correct Answer: Subnet
Explanation:
Azure route tables, such as the one named Route1 in this case, can be associated with a subnet. When you associate a route table with a subnet, the routes in the route table apply to all network traffic originating from or destined for that subnet.
Question 2
You have an on-premises network connected to an Azure virtual network by using a Site-to-Site VPN.
You plan to implement route exchange between two networks.
You need to identify the protocol that should be used for your implementation.
Which protocol should you use?
- BGP
- IGRP
- OSPF
- RIP
Correct Answer: BGP (Border Gateway Protocol)
Explanation:
To enable route exchange between an on-premises network and an Azure virtual network over a Site-to-Site VPN, BGP is the protocol used. BGP allows dynamic routing, enabling Azure and the on-premises environment to exchange route information automatically. This eliminates the need for manually managing static routes and ensures routing tables are updated dynamically.
Question 3
You have an Azure subscription that includes a virtual network named VNet1. A virtual machine named VM1 is connected to VNet1.
You plan to deploy an Azure NAT gateway named NAT1 by using an ARM template. VM1 must be able to connect to the internet by using NAT1.
What should you do before you can implement NAT1?
- Associate a route table to the subnet of VNet1.
- Associate an IPv6 address space to the subnet of VNet1.
- Create a public IP address that is set to the Standard SKU.
- Create a virtual network gateway in VNet1.
Correct Answer: Create a public IP address that is set to the Standard SKU.
Explanation:
Before deploying an Azure NAT gateway (NAT1), you must create a public IP address or a public IP prefix in the Standard SKU. This public IP address is required because it serves as the external address for the NAT gateway, enabling outbound internet connectivity for the resources in the subnet.
Question 4
You have an Azure subscription that includes a virtual network named VNet1 and a Windows 11 device named Computer1.
You plan to use Point-to-Site VPN connectivity between Computer1 and VNet1.
You need to ensure that you can use Microsoft Entra authentication for the VPN connection.
Which tunnel type should you use to connect from Computer1 to VNet1?
- IKEv2 VPN
- OpenVPN
- PPTP
- SSTP
Correct Answer: OpenVPN
Explanation:
To use Microsoft Entra authentication (formerly Azure Active Directory authentication) for a Point-to-Site VPN, you must use the OpenVPN protocol. OpenVPN supports integration with Microsoft Entra ID for user authentication, enabling secure connections without requiring certificates or RADIUS authentication.
Question 5
You have an Azure subscription.
You plan to create a virtual WAN hub.
What is the minimum size of the private address space required to create a hub?
- /23
- /24
- /27
- /29
Correct Answer: /24
Explanation:
When creating a virtual WAN hub in Azure, the private address space assigned to the hub must be a minimum of /24. This address space is used for internal operations within the hub, such as managing route tables and accommodating required IP ranges.
Question 6
You have an Azure subscription that includes a virtual network named VNet1. VNet1 contains the following subnets:
Subnet1, contains VMs that run production workloads.
Subnet2, contains VMs that host development workloads.
You need to connect your company’s on-premises network to VNet1.
What should you create first?
- a NAT gateway
- a route table
- an additional subnet
- an additional virtual network
Correct Answer: an additional subnet
Explanation:
To connect an on-premises network to an Azure virtual network (VNet1), you first need to create a dedicated subnet for the virtual network gateway. This gateway subnet is required because Azure uses it to host the resources and services needed to establish VPN connections, including Site-to-Site VPN.
Question 7
You have an Azure subscription that includes a virtual network named VNet1 and an on-premises network that includes an Active Directory domain and a Windows 11 device named Computer1.
You plan to provide Point-to-Site VPN connectivity between Computer1 and VNet1.
You need to ensure that you can use Active Directory Domain Services-based authentication for the VPN connection.
What should you do?
- Deploy an on-premises RADIUS server.
- Deploy on-premises Active Directory Certificate Services.
- From Active Directory, modify the properties of Computer1.
- Install mobileconfig on the client computers.
Correct Answer: Deploy an on-premises RADIUS server.
Explanation:
To use Active Directory Domain Services (AD DS)-based authentication for a Point-to-Site VPN connection in Azure, you must deploy a RADIUS server. The RADIUS server acts as an intermediary that validates authentication requests from the VPN client against the on-premises Active Directory.
Question 8
You have an Azure subscription.
You plan to implement ExpressRoute FastPath.
You need to deploy a VPN gateway that will support the planned implementation. The solution must minimize cost.
Which VPN gateway SKU should you deploy?
- ErGw1AZ
- ErGw2AZ
- High Performance
- Ultra-Performance
Correct Answer: ErGw1AZ
Explanation:
To implement ExpressRoute FastPath, you must deploy an ExpressRoute gateway. Among the available gateway SKUs, ErGw1AZ (ExpressRoute Gateway 1, Zone Redundant) is the most cost-effective option that supports ExpressRoute connections, including FastPath.
FastPath is used to improve data path performance by bypassing the virtual network gateway for some traffic flows.
Question 9
You have two ExpressRoute Standard SKU circuits configured to use Microsoft peering. The first circuit connects a datacenter in Boston to the East US Azure region. The second circuit connects a datacenter in London to the West Europe Azure region.
You need to connect the two datacenters via ExpressRoute Global Reach.
What should you do first?
- Configure private peering on both circuits.
- Configure public peering on both circuits.
- Increase the provisioned bandwidth to 10 Gbps.
- Upgrade the circuits to the Premium SKU.
Correct Answer: Upgrade the circuits to the Premium SKU.
Explanation:
To enable ExpressRoute Global Reach, which connects on-premises networks across different geographical locations via Azure’s global network, the Premium SKU is required on both ExpressRoute circuits. The Premium SKU is mandatory for Global Reach because it extends the functionality of the circuits beyond their respective Azure regions.
Question 10
You plan to provision an ExpressRoute circuit in the city of Boston in the United States.
You need to ensure that you can use the circuit to connect to all Azure public regions. The solution must minimize cost.
What ExpressRoute offering should you use?
- ExpressRoute Direct
- Local SKU
- Premium SKU
- Standard SKU
Correct Answer: Premium SKU
Explanation:
To connect to all Azure public regions using an ExpressRoute circuit, you must use the Premium SKU. The Standard SKU only allows connectivity within a geographical zone (e.g., the East US Azure region for a circuit provisioned in Boston), while the Premium SKU extends connectivity to all Azure public regions globally.
Question 11
You have three pairs of Azure VMs. Each pair is deployed to a different availability zone in the same Azure region.
You need to implement per-zone load-balanced endpoints and integrate them with Traffic Manager. The solution must provide connectivity to all 6 VMs via a single DNS name.
Which type of Azure Load Balancer should you use?
- Private zonal
- Private zone-redundant
- Public zonal
- Public zone-redundant
Correct Answer: Public zone-redundant
Explanation:
To implement per-zone load-balanced endpoints and integrate them with Traffic Manager while ensuring that all 6 VMs are accessible via a single DNS name, the Public zone-redundant Load Balancer is the best choice.
- Public zone-redundant Azure Load Balancer allows traffic to be distributed across availability zones for high availability, while the endpoints for the load balancer are exposed with a public IP.
- The integration with Traffic Manager ensures that the traffic is balanced based on the proximity to the end-users and that the public IP addresses can remain consistent.
Question 12
You have an Azure Traffic Manager profile that uses the Priority routing method.
You need to ensure that if an endpoint fails, Traffic Manager stops directing requests to the failed endpoint as soon as possible.
Which Traffic Manager profile configuration setting should you configure?
- Custom Header settings
- Minimum child endpoints
- Priority
- TTL
Correct Answer: TTL (Time-to-Live)
Explanation:
To ensure that Azure Traffic Manager stops directing traffic to a failed endpoint as soon as possible, you should configure the TTL (Time-to-Live) setting. TTL specifies how long DNS resolvers cache the Traffic Manager response. By reducing the TTL value, Traffic Manager can more quickly detect changes in endpoint status (e.g., when an endpoint fails) and stop routing traffic to that endpoint, since DNS resolvers will query Traffic Manager for updated routing information more frequently.
Question 13
You have an Azure subscription that includes the following Azure resources:
A VM named VM1 in an availability zone named Zone1.
A VM named VM2 in an availability zone named Zone2.
A virtual network named VNet1. VM1 and VM2 are connected to VNet1.
You create a public IP address named IP1 and a public Azure Load Balancer named LB1 that has VM1 and VM2 in a back-end pool.
You need to ensure that VM1 and VM2 are accessible via LB1.
Which Azure resource should you provision?
- Application Security Group
- Availability set
- NAT Gateway
- Network Security Group
Correct Answer: Network Security Group
Explanation:
To ensure that VM1 and VM2 are accessible via LB1 (Azure Load Balancer), you need to control the network security by provisioning a Network Security Group (NSG). NSGs allow you to configure rules that control inbound and outbound traffic to Azure resources such as Virtual Machines, and they are essential for securing VM access when connected through a Load Balancer.
Question 14
You have an Azure subscription.
You plan to deploy an Azure Application Gateway Standard v2 SKU by using PowerShell.
What additional Azure resource should you create?
- a Network Security Group
- a Public IP address
- a Web Application Firewall
- an Application Security Group
Correct Answer: a Public IP address
Explanation:
When deploying an Azure Application Gateway Standard v2 SKU, you must associate it with a Public IP address if it’s going to handle external (internet-facing) traffic. The Application Gateway uses the public IP address to serve traffic from clients to the backend servers behind the gateway.
Question 15
You have an Azure subscription.
You plan to implement Azure Front Door to route requests to Internet-facing web apps hosted in Azure.
You need to recommend an HTTP method to send the health probes of Azure Front Door. The solution must ensure that the response includes the message-body returned by each web app.
Which HTTP method should you recommend?
- CONNECT
- GET
- HEAD
- TRACE
Correct Answer: GET
Explanation:
For health probes in Azure Front Door, the GET HTTP method is the appropriate choice when you need the response to include the message-body returned by the web app. This allows Azure Front Door to inspect the content of the response, which can be essential for more detailed health checks that validate both the HTTP status code and the response body returned by the web app.
Question 16
You have an Azure subscription that includes an Azure Front Door named FDoor1.
You plan to add a rules engine named Rule1 to FDoor1.
What is the most granular element of an incoming URL request that can be automatically replaced in Rule1?
- Destination host
- Destination path
- Protocol
- Query string
Correct Answer: Destination path
Explanation:
Azure Front Door’s Rules Engine allows you to configure custom rules for processing incoming URL requests. The most granular element of an incoming URL request that can be automatically replaced using the rules engine is the Destination path.
This means you can modify parts of the URL path (i.e., the specific route or endpoint requested) based on the conditions defined in the rules engine, such as altering certain URLs for redirects or re-routing traffic.
Question 17
You have an Azure subscription.
You deploy a Web Application Firewall (WAF) on Azure Front Door and associate it with each of the Front Door profiles.
You need to ensure that attempts to exploit common vulnerabilities are blocked by WAF.
What WAF policy setting should you configure?
- Access control (IAM)
- Custom rules
- Policy mode
- Managed rules
Correct Answer: Managed rules
Explanation:
To ensure that attempts to exploit common vulnerabilities are blocked by Azure’s Web Application Firewall (WAF) on Azure Front Door, you should configure Managed rules.
Managed rules in Azure WAF come pre-configured and are specifically designed to protect applications from common attacks and vulnerabilities, such as those listed in the OWASP Top 10 (e.g., SQL injection, cross-site scripting). By enabling Managed rules, Azure Front Door’s WAF can automatically apply a set of predefined security rules to protect your application from known threats.
Question 18
You have an Azure subscription that includes a network security group named NSG1.
You plan to add a security rule named Rule1 to block inbound connections on TCP port 3389 to NSG1.
You need to ensure that Rule1 cannot be overridden by any other security rule.
Which priority value should you assign to Rule1?
- 1
- 100
- 4096
- 65500
Correct Answer: 1
Explanation:
In Azure Network Security Groups (NSG), priority defines the order in which security rules are applied, with a lower number representing a higher priority. When you need to ensure that a security rule cannot be overridden by any other rule, you should assign it the lowest possible priority value, which is 1.
Question 19
You have an Azure subscription that includes an Azure Firewall named FW1 and an Azure VM named VM1. VM1 has only a private IP address.
You need to create a rule that allows DNS requests from VM1 to an internet-based DNS service. The solution must use the principle of least privilege.
Which rule type should you create?
- Application
- DNAT
- Network
- SNAT
Correct Answer: Network
Explanation:
To allow DNS requests from VM1, which has only a private IP address, to access an internet-based DNS service (using the principle of least privilege), you should create a Network rule in the Azure Firewall.
- Network rules define traffic flows based on the network layer, such as protocols (e.g., UDP or TCP), IP address ranges, and ports. Since DNS typically uses UDP port 53 (or TCP in some cases), a Network rule is the correct choice to enable DNS traffic from VM1’s private IP to the public DNS server over the appropriate port.
Question 20
You have an Azure subscription that includes the following resources:
A virtual network named VNet1.
A storage account named storage1 that has a private endpoint.
A Windows Server VM named VM1 that is connected to VNet1. VM1 runs a DNS server for a domain named contoso.local.
You need to ensure that all Azure VMs in VNet1 can connect to storage1 by using the name over the private endpoint. The solution must minimize the impact on the existing name resolution of Azure VMs.
What should you do?
- Modify DNS settings of network interfaces of all Azure VMs.
- Modify the DNS settings of VNet1.
- On VM1, configure 8.8.8.8 as a forwarder.
- On VM1, configure 168.63.129.16 as a forwarder.
Correct Answer: Modify the DNS settings of VNet1.
Explanation:
To ensure that all Azure VMs in VNet1 can resolve the private endpoint for storage1 using its name, you should modify the DNS settings for the virtual network (VNet1). This allows VMs in the virtual network to resolve the private DNS name for resources like storage accounts that use private endpoints.
In this case, since storage1 is using a private endpoint, the DNS resolution for this endpoint must be handled through an Azure-specific mechanism to resolve the private IP address of the endpoint.
By modifying the DNS settings of the virtual network, Azure will automatically provide the DNS resolution for private endpoints, making the private endpoint address accessible to all VMs in VNet1 without causing disruption to other DNS settings.
Question 21
You have an Azure subscription that contains the following resources:
- A virtual network named VNet1.
- A storage account named storage1 that has a private endpoint.
- A Windows Server VM named VM1 that is connected to VNet1. VM1 runs a DNS server for a domain named contoso.local.
Your on-premises datacenter is connected to VNet1 via ExpressRoute.
You need to ensure that on-premises DNS servers can resolve the name of storage1 to the IP address associated to the private endpoint.
What should you configure on the on-premises DNS servers?
- Add VM1 as a conditional forwarder.
- Add 8.8.8.8 as a forwarder.
- Add 168.63.129.16 as a conditional forwarder.
- Add 168.63.129.16 as a forwarder.
Correct Answer: Add 168.63.129.16 as a conditional forwarder.
Explanation:
To ensure that your on-premises DNS servers can resolve the name of storage1 to the IP address of the private endpoint, you need to configure the on-premises DNS servers to forward DNS requests for private endpoints to Azure DNS.
168.63.129.16 is the Azure DNS IP used by Azure to resolve internal private endpoints within the virtual network. By setting up a conditional forwarder on the on-premises DNS servers, you direct DNS queries for the domain associated with the private endpoint to Azure’s DNS infrastructure, which resolves the private endpoint IP addresses.
The conditional forwarder ensures that requests for private Azure resources are forwarded to Azure DNS, without impacting other general DNS queries that your on-premises DNS server handles.
Question 22
You have an Azure subscription that includes a virtual network named VNet1.
You plan to add a service endpoint on VNet1.
Which Azure CLI command should you use to create the service endpoint?
- az network service-endpoint policy create
- az network service-endpoint policy update
- az network vnet subnet create
- az network vnet subnet update
Correct Answer: az network vnet subnet update
Explanation:
To add a service endpoint to a subnet in an Azure Virtual Network (VNet), you use the az network vnet subnet update command.
The service endpoint is associated with a subnet, and by updating the subnet with the necessary service endpoint configuration, you enable direct access to Azure services (like Azure Storage, Azure SQL, etc.) from within that subnet over the Azure backbone network.
Question 23
What Azure resource should you provision before you enable Network Watcher NSG flow logs?
- key vault
- route table
- service endpoint policy
- storage account
Correct Answer: storage account
Explanation:
Before enabling Network Security Group (NSG) flow logs in Azure, you must provision a storage account. This storage account will store the log data generated by the NSG flow logs.
When NSG flow logs are enabled, the log data is saved in a storage account in the form of JSON files. You can later access and analyze these logs to monitor traffic flows to and from network resources, troubleshoot networking issues, and review security-related events.
Question 24
You need to resolve an issue caused by misconfigured user-defined routes in an Azure virtual network. The solution must minimize administrative effort.
Which Azure Network Watcher tool should you use?
- Network Topology
- Next Hop
- Packet capture
- Verify IP Flow
Correct Answer: Next Hop
Explanation:
The Next Hop tool in Azure Network Watcher allows you to diagnose routing issues by determining the next hop for traffic based on user-defined routes. This is particularly useful when you suspect that a misconfigured user-defined route (UDR) is causing network connectivity problems, as it can show you where traffic is being directed, helping you identify potential misconfigurations in your routing setup.
You can use the Next Hop tool to check if traffic destined for a specific destination IP will be routed correctly based on the current route table configuration.