
- December 21, 2024
- Pankaj Kumar

AZ-700 Assessment
Microsoft Azure Network Engineer Associate
In your MSCloudExplorers Azure environment, you create a route table named MSCE-RouteTable1 and configure it with several custom routes.
To which Azure resource can you associate MSCE-RouteTable1?
Subnet
Virtual Network
Virtual Network Gateway
Network Interface (NIC)
Correct Answer: Subnet
Explanation:
In Azure, route tables like MSCE-RouteTable1 can only be associated with a subnet. This allows Azure to apply the defined routes to all network traffic flowing in and out of that subnet. They cannot be directly associated with the entire virtual network, network interfaces, or virtual network gateways.
Your organization, MSCloudExplorers, has an on-premises network connected to an Azure virtual network using a Site-to-Site VPN connection.
You are planning to enable dynamic route exchange between your on-premises environment and Azure.
Which routing protocol should you use to support this configuration?
BGP (Border Gateway Protocol)
IGRP (Interior Gateway Routing Protocol)
OSPF (Open Shortest Path First)
RIP (Routing Information Protocol)
Correct Answer: BGP (Border Gateway Protocol)
Explanation:
Azure supports BGP for dynamic route exchange over Site-to-Site VPNs and ExpressRoute connections. Protocols like IGRP, OSPF, and RIP are not supported for direct integration with Azure routing.
Your organization, MSCloudExplorers, has an Azure subscription that includes a virtual network named MSCE-VNet1. A virtual machine named MSCE-VM1 is connected to MSCE-VNet1.
You plan to deploy an Azure NAT gateway named MSCE-NAT1 using an ARM template. The goal is to allow MSCE-VM1 to access the internet through MSCE-NAT1.
What must you do before you can deploy and associate MSCE-NAT1 successfully?
Associate a route table to the subnet of MSCE-VNet1
Associate an IPv6 address space to the subnet of MSCE-VNet1
Create a public IP address that is set to the Standard SKU
Create a virtual network gateway in MSCE-VNet1
Correct Answer: Create a public IP address that is set to the Standard SKU.
Explanation:
To use Azure NAT Gateway, you must first create a Public IP address or Public IP prefix that uses the Standard SKU. This IP address is required for outbound internet connectivity.
The NAT gateway does not require a route table or virtual network gateway, and it only supports IPv4—so IPv6 space is not needed.
In your MSCloudExplorers Azure environment, you have:
A virtual network named MSCE-VNet1
A Windows 11 endpoint named MSCE-Client01
You plan to configure a Point-to-Site (P2S) VPN connection between MSCE-Client01 and MSCE-VNet1.
To meet security and identity requirements, you want to use Microsoft Entra ID authentication for the VPN connection.
Which VPN tunnel type should you configure to support Microsoft Entra authentication?
IKEv2 VPN
OpenVPN
PPTP
SSTP
Correct Answer: OpenVPN
Explanation:
Only the OpenVPN tunnel type supports Microsoft Entra ID (formerly Azure AD) authentication for Point-to-Site VPN connections.
Other tunnel types like IKEv2, PPTP, and SSTP do not support Entra ID-based authentication.
Your organization, MSCloudExplorers, is planning to deploy a Virtual WAN hub in its Azure subscription.
You need to define a private address space for the hub during creation.
What is the minimum size of the private IP address range required to successfully create a Virtual WAN hub?
/23
/24
/27
/29
Correct Answer: /24
Explanation:
To deploy an Azure Virtual WAN hub, the private address space assigned to the hub must be at least /24. This subnet size ensures there are enough IP addresses to support the hub’s internal components and routing infrastructure. Smaller subnets (like /27 or /29) are not sufficient.
Your organization, MSCloudExplorers, has an Azure subscription with a virtual network named MSCE-VNet1, which includes the following subnets:
Prod-Subnet – hosts virtual machines running production workloads
Dev-Subnet – hosts virtual machines for development purposes
You are tasked with connecting your on-premises network to MSCE-VNet1.
What should you create first to enable this connectivity?
A NAT gateway
A route table
An additional subnet
A virtual network gateway
Correct Answer: an additional subnet
Explanation:
To establish site-to-site or point-to-site VPN connectivity between your on-premises environment and an Azure virtual network, the first step is to create a virtual network gateway. This gateway enables encrypted traffic between Azure and your on-premises network.
Other options like NAT gateways and route tables are not used to initiate connectivity.
Your organization, MSCloudExplorers, has an Azure subscription with a virtual network named MSCE-VNet1.
You also have an on-premises network that includes:
An Active Directory domain
A Windows 11 device named MSCE-Client01
You plan to configure a Point-to-Site (P2S) VPN connection between MSCE-Client01 and MSCE-VNet1.
To meet authentication requirements, you want to use Active Directory Domain Services (AD DS)-based authentication for the VPN.
What should you do to support this configuration?
Deploy an on-premises RADIUS server
Deploy on-premises Active Directory Certificate Services (AD CS)
Modify the properties of MSCE-Client01 in Active Directory
Install a mobileconfig profile on the client computers
Correct Answer: Deploy an on-premises RADIUS server.
Explanation:
To use Active Directory Domain Services (AD DS) for authenticating Point-to-Site VPN users, you must deploy a RADIUS server on-premises. Azure VPN Gateway integrates with this RADIUS server to authenticate VPN clients against your on-premises AD.
Options like AD CS and modifying client properties are not sufficient on their own, and mobileconfig profiles are used mainly for Apple devices with OpenVPN, not for AD-based authentication.
Your organization, MSCloudExplorers, has an Azure subscription.
You are planning to implement ExpressRoute FastPath to optimize routing for high-throughput, low-latency connections.
You need to deploy a VPN gateway that supports FastPath, while also minimizing costs.
Which gateway SKU should you choose?
ErGw1AZ
ErGw2AZ
High Performance
Ultra-Performance
Correct Answer: ErGw2AZ.
Explanation:
ExpressRoute FastPath is supported with the ErGw2AZ and ErGw3AZ SKUs. These are ExpressRoute Gateway SKUs, not VPN SKUs like High Performance or Ultra-Performance (which apply to VPN Gateway scenarios).
Among the supported SKUs, ErGw2AZ is the most cost-effective option for enabling FastPath.
Your organization, MSCloudExplorers, has two ExpressRoute circuits with the Standard SKU, both configured to use Microsoft peering:
One circuit connects your Boston datacenter to the East US Azure region.
The other circuit connects your London datacenter to the West Europe Azure region.
You want to enable ExpressRoute Global Reach to connect both datacenters through Azure’s backbone network.
What must you do first to enable this configuration?
Configure private peering on both circuits
Configure public peering on both circuits
Increase the provisioned bandwidth to 10 Gbps
Upgrade the circuits to the Premium SKU
Correct Answer: Upgrade the circuits to the Premium SKU.
Explanation:
ExpressRoute Global Reach requires the circuits to be configured with the Premium SKU, which extends connectivity across geographic regions.
Standard SKU circuits support Microsoft peering and private connectivity within a region but do not allow interconnection between geographically dispersed datacenters.
Peering type or bandwidth size does not satisfy the Global Reach requirement.
Your organization, MSCloudExplorers, plans to provision an ExpressRoute circuit in Boston, United States.
You want to ensure that this circuit can be used to connect to all Azure public regions, while keeping costs as low as possible.
Which ExpressRoute offering should you choose?
ExpressRoute Direct
Local SKU
Premium SKU
Standard SKU
Correct Answer: Premium SKU
Explanation:
To connect to all Azure public regions from a single ExpressRoute circuit, you must use the Premium SKU.
The Standard SKU only allows connectivity within the same geopolitical region.
Local SKU restricts access to the local Azure region only.
ExpressRoute Direct is used for direct 100 Gbps or 10 Gbps connections but doesn’t inherently expand regional access like the Premium SKU does.
The Premium SKU enables global reach across all public regions, making it the correct choice for this scenario.
Your organization, MSCloudExplorers, has three pairs of Azure virtual machines (VMs). Each pair is deployed in a different availability zone within the same Azure region.
You need to:
Expose per-zone load-balanced endpoints
Integrate them with Azure Traffic Manager
Ensure all six VMs are accessible through a single DNS name
Which type of Azure Load Balancer should you deploy for each zone?
Private Zonal
Private Zone-Redundant
Public Zonal
Public Zone-Redundant
Correct Answer: Public Zonal
Explanation:
To achieve per-zone load-balanced endpoints, you must use a Public Zonal Azure Load Balancer. This allows you to assign each load balancer to a specific availability zone.
Then, you can register each endpoint with Azure Traffic Manager, which provides DNS-based global distribution using health probes.
A Public Zone-Redundant balancer spans zones rather than keeping endpoints per-zone, and Private balancers are not suitable for internet-facing scenarios.
Your organization, MSCloudExplorers, is using an Azure Traffic Manager profile configured with the Priority routing method.
You want to ensure that if the primary endpoint fails, Traffic Manager quickly stops sending traffic to that endpoint and redirects it to the backup.
Which Traffic Manager profile setting should you configure to achieve this?
Custom Header settings
Minimum child endpoints
Priority
TTL
Correct Answer: TTL (Time-to-Live)
Explanation:
The TTL (Time-To-Live) setting controls how long DNS responses from Traffic Manager are cached by clients and DNS resolvers.
By setting a lower TTL, Traffic Manager can redirect traffic to healthy endpoints faster when a failure is detected, reducing downtime.
Custom Headers are used for health probes,
Minimum child endpoints apply to nested profiles,
Priority defines endpoint order but does not control failover timing.
Your organization, MSCloudExplorers, has an Azure subscription with the following resources:
A virtual machine named MSCE-VM1, deployed in Availability Zone 1
A virtual machine named MSCE-VM2, deployed in Availability Zone 2
A virtual network named MSCE-VNet1, to which both VMs are connected
A Public IP address named MSCE-IP1
An Azure Load Balancer named MSCE-LB1, configured with VM1 and VM2 in its back-end pool
You need to ensure that traffic from the internet can reach VM1 and VM2 through MSCE-LB1.
Which Azure resource should you provision to enable this access?
Application Security Group
Availability Set
NAT Gateway
Network Security Group
Correct Answer: Network Security Group
Explanation:
To allow internet traffic to reach VMs through a Public Load Balancer, you need to ensure that inbound traffic is permitted by the Network Security Group (NSG) associated with the VMs’ NICs or subnet.
NSGs control access to VM traffic.
Application Security Groups help group VMs for NSG rules but don’t allow traffic on their own.
Availability Sets are for high availability, not connectivity.
NAT Gateway is used for outbound internet access, not inbound.
Your organization, MSCloudExplorers, has an Azure subscription.
You are planning to deploy an Azure Application Gateway (Standard v2 SKU) using PowerShell.
Which additional Azure resource must you create to support the deployment?
A Network Security Group
A Public IP Address
A Web Application Firewall
An Application Security Group
Correct Answer: a Public IP address
Explanation:
When deploying an Application Gateway Standard v2, you must associate it with a Public IP address (or a private IP if deploying internally). This IP address allows the gateway to receive inbound traffic.
NSGs and ASGs are optional and not required for deployment.
Web Application Firewall (WAF) is a feature available in the WAF SKU, not required for Standard v2.
Your organization, MSCloudExplorers, plans to implement Azure Front Door to route traffic to multiple internet-facing web applications hosted in Azure.
As part of this setup, you need to configure health probes for the backend endpoints. The health probe requests must return the full response including the message body from each web app.
Which HTTP method should you recommend for the health probes?
CONNECT
GET
HEAD
TRACE
Correct Answer: GET
Explanation:
To retrieve the full HTTP response including the message body, you should use the GET method.
HEAD only returns headers (no body).
TRACE and CONNECT are used for diagnostic or tunneling purposes and are not suitable or supported for health probes.
Azure Front Door supports GET and HEAD, but GET is required when you want to verify content returned by the backend app.
Your organization, MSCloudExplorers, has an Azure subscription that includes an Azure Front Door instance named FDoor1.
You plan to add a Rules Engine configuration named Rule1 to control URL-based request handling.
What is the most granular part of an incoming URL request that can be automatically modified using Rule1?
Destination host
Destination path
Protocol
Query string
Correct Answer: Query string
Explanation:
The Azure Front Door Rules Engine allows you to perform actions like modifying query strings, which is the most granular component of an incoming URL that can be changed.
While you can route or redirect based on host, path, or protocol, the query string provides field-level control, allowing additions, removals, or rewrites of specific parameters in the request URL.
Your organization, MSCloudExplorers, has an Azure subscription where you’ve deployed a Web Application Firewall (WAF) on Azure Front Door, and associated it with all your Front Door profiles.
You want to ensure that the WAF actively blocks attempts to exploit common web vulnerabilities such as SQL injection and cross-site scripting (XSS).
Which WAF policy setting should you configure to achieve this?
Access control (IAM)
Custom rules
Policy mode
Managed rules
Correct Answer: Managed rules
Explanation:
Managed rules in Azure WAF are predefined security rulesets maintained by Microsoft that automatically detect and block known vulnerabilities such as SQL injection, XSS, and other OWASP Top 10 threats.
Policy mode controls whether the WAF is in Detection or Prevention mode, but doesn’t define what to block.
Custom rules are for defining your own logic, not for covering known vulnerability patterns.
Access control (IAM) is for RBAC, not related to WAF protection.
Your organization, MSCloudExplorers, has an Azure subscription that includes a Network Security Group (NSG) named NSG1.
You plan to add a security rule named Rule1 to block inbound traffic on TCP port 3389 (RDP).
You want to make sure that Rule1 takes precedence and cannot be overridden by any other user-defined rule in the NSG.
Which priority value should you assign to Rule1?
1
100
4096
65500
Correct Answer: 100
Explanation:
In Azure Network Security Groups (NSG), priority defines the order in which security rules are applied, with a lower number representing a higher priority. When you need to ensure that a security rule cannot be overridden by any other rule, you should assign it the lowest possible priority value, which is 1.
Your organization, MSCloudExplorers, has an Azure subscription that includes:
An Azure Firewall named FW1
A virtual machine named VM1, which is assigned only a private IP address
You need to allow DNS requests from VM1 to an external internet-based DNS service (e.g., 8.8.8.8) by configuring the minimum necessary access (principle of least privilege).
Which type of Azure Firewall rule should you create?
Application Rule
DNAT Rule
Network Rule
SNAT Rule
Correct Answer: Network Rule
Explanation:
To allow outbound DNS traffic (UDP port 53) from a private VM to an internet DNS server, you should use a Network rule in Azure Firewall.
Application rules are used for HTTP/HTTPS/SNI traffic.
DNAT rules handle inbound connections from the internet.
SNAT is automatically applied by Azure Firewall for outbound traffic and doesn’t require manual configuration.
Using a Network Rule targeting UDP port 53 ensures precise and minimal access—matching the principle of least privilege.
Your organization, MSCloudExplorers, has an Azure subscription that includes the following resources:
A virtual network named VNet1
An Azure Storage account named storage1, which is configured with a private endpoint
A Windows Server VM named VM1, connected to VNet1, and running a DNS server for the domain contoso.local
You need to ensure that all Azure VMs in VNet1 can access storage1 over its private endpoint, using its private DNS name.
The solution should minimize disruption to the current DNS resolution for other Azure services.
What should you do?
Modify the DNS settings of the network interfaces for all Azure VMs
Modify the DNS settings of VNet1
On VM1, configure 8.8.8.8 as a DNS forwarder
On VM1, configure 168.63.129.16 as a DNS forwarder
Correct Answer: On VM1, configure 168.63.129.16 as a forwarder
Explanation:
To resolve Azure private endpoint DNS zones like those for storage1, your custom DNS server (VM1) must forward unresolved DNS queries to Azure’s internal DNS IP address: 168.63.129.16.
This allows your DNS server to handle internal name resolution (like contoso.local) and resolve Azure-specific names (like the private endpoint of storage1) without interfering with existing resolution paths.
Modifying individual NICs (A) is tedious and not scalable
Changing VNet DNS settings (B) would override DNS for all resources and could break internal resolution
Forwarding to 8.8.8.8 (C) won’t resolve Azure private DNS zones
Your organization, MSCloudExplorers, has an Azure subscription with the following resources:
A virtual network named VNet1
A storage account named storage1, configured with a private endpoint
A Windows Server VM named VM1, running a DNS server for contoso.local, connected to VNet1
Your on-premises datacenter is connected to VNet1 via ExpressRoute
You need to ensure that on-premises DNS servers can resolve the name of storage1 to the private IP address of its private endpoint in Azure.
What has to be set up on the on-site DNS servers?
Add VM1 as a conditional forwarder
Add 8.8.8.8 as a forwarder
Add 168.63.129.16 as a conditional forwarder
Add 168.63.129.16 as a forwarder
Correct Answer: Add VM1 as a conditional forwarder.
Explanation:
To resolve private endpoint DNS names (like storage1.privatelink.blob.core.windows.net) from on-premises, you need to forward those specific DNS zones to a DNS server that can resolve them within Azure, in this case VM1.
VM1 can resolve Azure private DNS zones because it’s connected to the virtual network and properly configured.
168.63.129.16 is only accessible within Azure, so it can’t be used directly by on-premises servers.
8.8.8.8 (Google DNS) does not resolve private Azure DNS records.
Your organization, MSCloudExplorers, has an Azure subscription that includes a virtual network named VNet1.
You plan to add a service endpoint (such as for Azure Storage or SQL) to one of the subnets within VNet1 to enable secure, direct access to the Azure service.
Which Azure CLI command should you use to add the service endpoint to a subnet?
az network service-endpoint policy create
az network service-endpoint policy update
az network vnet subnet create
az network vnet subnet update
Correct Answer: az network vnet subnet update.
Explanation:
To add a service endpoint to an existing subnet in Azure using the CLI, you use the az network vnet subnet update command and specify the --service-endpoints parameter.
The create command (C) is for new subnets. Options A and B are for service endpoint policies, which are separate from enabling service endpoints on a subnet.
You are preparing to enable NSG flow logs using Azure Network Watcher to monitor traffic flowing through your network security groups.
Before enabling the flow logs, you need to provision a required Azure resource to store the log data.
Which Azure resource should you provision first?
Key Vault
Route Table
Service Endpoint Policy
Storage Account
Correct Answer: Storage Account
Explanation:
NSG flow logs store their log files in an Azure Storage Account. You must provision the storage account before enabling the logs in Network Watcher.
Key Vault is unrelated to logging.
Route Tables and Service Endpoint Policies are used for routing and access control, not log storage.
You’re troubleshooting a connectivity issue in an Azure virtual network, caused by misconfigured user-defined routes (UDRs).
You want to identify where traffic from a specific VM is being routed and minimize administrative effort while diagnosing the problem.
Which Azure Network Watcher tool should you use?
Network Topology
Next Hop
Packet Capture
Verify IP Flow
Correct Answer: Next Hop
Explanation:
The Next Hop tool in Azure Network Watcher helps determine the next hop in the routing path for a given VM and destination IP. It’s ideal for quickly identifying issues with user-defined routes, such as incorrect forwarding or unreachable destinations.
Network Topology gives a visual overview but doesn’t show route paths.
Packet Capture is more advanced and used for deep traffic inspection, not route diagnostics.
Verify IP Flow checks if traffic is allowed or denied, but doesn’t show routing details.