AZ-700 Microsoft Practice Test Questions and Exam Dumps

Question No 1: 

Your company operates a single on-premises data center located in Washington DC.
All your Azure resources are deployed exclusively in the East US region, which conveniently has an ExpressRoute peering location in Washington DC.

You are tasked with implementing an ExpressRoute connection to Azure with the following requirements:

  • The solution must support up to 1 Gbps bandwidth.

  • You must use the ExpressRoute Unlimited Data Plan.

  • Minimize overall costs while fulfilling the above requirements.

Given this, what type of ExpressRoute circuit should you choose?

A. ExpressRoute Local
B. ExpressRoute Direct
C. ExpressRoute Premium
D. ExpressRoute Standard

Correct Answer: A. ExpressRoute Local

Explanation:

ExpressRoute allows for a private, dedicated connection between your on-premises infrastructure and Microsoft Azure. There are multiple circuit types—Local, Standard, and Premium—each offering different capabilities and pricing.

In this case, the scenario describes:

  • A local data center in Washington DC.

  • Azure resources hosted exclusively in the East US region.

  • A goal to support 1 Gbps throughput.

  • A requirement to minimize costs while using the Unlimited Data Plan.

Let’s analyze the circuit types:

ExpressRoute Local:

  • Designed for low-latency, cost-effective connectivity between on-premises networks and a single Azure region near the circuit’s peering location.

  • No data transfer costs are incurred, as traffic is confined to the associated Azure region (in this case, East US).

  • Perfect for scenarios where both the on-premises infrastructure and Azure region are co-located with the ExpressRoute peering location (Washington DC in this case).

  • Meets the bandwidth and unlimited plan requirements.

ExpressRoute Standard:

  • Supports access to any Azure region within a geopolitical area (e.g., within the US).

  • More expensive than Local circuits.

  • Not needed here since the company uses only one region (East US).

ExpressRoute Premium:

  • Allows global connectivity across Azure regions worldwide.

  • Significantly more expensive.

  • Overkill for a setup limited to one region.

ExpressRoute Direct:

  • Provides dual 10 Gbps or 100 Gbps connectivity, designed for very high throughput.

  • Far beyond the required 1 Gbps bandwidth and not cost-effective for this use case.

Given the on-premises location (Washington DC), Azure region (East US), peering location (Washington DC), and the cost-saving requirement, the ExpressRoute Local circuit is the most appropriate and cost-effective solution.

Question No 2: 

You are designing a Point-to-Site (P2S) VPN connection in Azure that uses the OpenVPN protocol. The company requires that users authenticate using their on-premises Active Directory domain credentials when connecting through the VPN. To enable this authentication mechanism, you need to determine which additional component or service must be deployed to support this integration.

What should you deploy?

A. An Azure Key Vault
B. A RADIUS Server
C. A Certification Authority
D. Azure Active Directory (Azure AD) Application Proxy

Correct Answer: B. A RADIUS Server

Explanation:

When configuring Point-to-Site (P2S) VPNs in Azure, you can choose between different authentication methods such as:

  • Azure certificate authentication,

  • Azure Active Directory (Azure AD) authentication,

  • RADIUS (Remote Authentication Dial-In User Service) authentication.

In this scenario, you are required to:

  • Use OpenVPN as the tunnel protocol (which is supported for P2S).

  • Authenticate users using on-premises Active Directory credentials.

Why RADIUS?

  • RADIUS acts as an intermediary authentication system that connects Azure VPN Gateway with your on-premises Active Directory.

  • When a user connects via VPN, their credentials are passed from the VPN client to the Azure VPN Gateway, which forwards them to the RADIUS server.

  • The RADIUS server then authenticates the credentials against the on-premises Active Directory.

This setup allows domain-joined user credentials to be used for VPN logins, even though Azure VPN Gateway is a cloud service.

Why not the other options?

  • Azure Key Vault:
    Used for securely storing secrets, certificates, and keys, but it doesn’t handle authentication.

  • Certification Authority:
    Required for certificate-based authentication, not password-based Active Directory credentials.

  • Azure AD Application Proxy:
    Provides secure remote access to on-prem web apps. It is unrelated to VPN authentication.

For a Point-to-Site VPN using OpenVPN where authentication must be done via on-premises Active Directory, a RADIUS server must be deployed to bridge Azure and the on-premises AD environment.

Question No 3:

You are tasked with configuring BGP (Border Gateway Protocol) for a Site-to-Site VPN connection between your datacenter and Azure. The connection will allow seamless communication between the two locations using dynamic routing.

Which two Azure resources should be configured to establish a Site-to-Site VPN connection with BGP? Each correct answer contributes to the solution.

Choose two:

A. a virtual network gateway
B. Azure Application Gateway
C. Azure Firewall
D. a local network gateway
E. Azure Front Door

Correct Answers: A. a virtual network gateway and D. a local network gateway

Explanation:

To establish a Site-to-Site VPN with BGP (Border Gateway Protocol) between an on-premises datacenter and Azure, two key resources are required to ensure that dynamic routing is configured and the VPN tunnel can be successfully established.

1. Virtual Network Gateway (A)

The Virtual Network Gateway is a critical component in Azure that allows communication between the on-premises network and the Azure virtual network. It provides a secure, encrypted tunnel for traffic flowing between the two networks. For BGP routing, this gateway needs to be configured to support dynamic routing. The Azure VPN Gateway uses BGP to automatically exchange routing information with the on-premises network, which helps in dynamically adjusting routes based on network conditions.

  • BGP Role: BGP enables dynamic routing and allows the gateway to advertise the best possible route to the remote site.

  • VPN Gateway Type: For Site-to-Site connections with BGP, you should use the Route-based VPN gateway in Azure.

2. Local Network Gateway (D)

The Local Network Gateway represents the on-premises network in Azure. It includes the on-premises VPN device's public IP address and the address ranges of the on-premises network. Configuring a local network gateway allows the Azure VPN Gateway to establish a connection with the on-premises network.

  • BGP Configuration: BGP must be configured between the local network gateway and the virtual network gateway, allowing routing information to be exchanged dynamically.

  • VPN Tunnel Role: It essentially acts as the counterpart of the Azure VPN gateway, enabling secure communication and BGP routing between the two networks.

Why the Other Options Are Incorrect:

  • B. Azure Application Gateway – This is used for web traffic load balancing and application-level routing. It does not play a role in Site-to-Site VPNs or BGP configuration.

  • C. Azure Firewall – Azure Firewall is a security service, but it does not manage VPN tunnels or BGP.

  • E. Azure Front Door – This is a global load balancer and web application accelerator, not relevant for VPN or BGP configuration.

To successfully configure BGP for a Site-to-Site VPN connection, you need to configure both a virtual network gateway (A) and a local network gateway (D) to allow the exchange of routing information between Azure and your on-premises network.

Question No 4:

You have configured a Site-to-Site VPN connection between your company's main office and an Azure virtual network. However, the VPN tunnel is not establishing as expected.

To troubleshoot the issue preventing the establishment of the IPsec tunnel for the Site-to-Site VPN, which diagnostic log should you review?

A. IKEDiagnosticLog
B. RouteDiagnosticLog
C. GatewayDiagnosticLog
D. TunnelDiagnosticLog

Correct Answer: D. TunnelDiagnosticLog

Explanation:

When troubleshooting an IPsec VPN tunnel that is failing to establish, the most relevant log to review is the TunnelDiagnosticLog. This log provides insights into the status and potential issues related to the IPsec and IKE (Internet Key Exchange) phases of the VPN connection process.

1. TunnelDiagnosticLog (D)

The TunnelDiagnosticLog is specifically designed to capture information related to the IPsec tunnel and its various components. It helps in diagnosing issues such as:

  • Tunnel initiation failures

  • Authentication issues

  • Encryption mismatches

  • Connection timeouts

This log provides a detailed view of the communication between the Azure VPN Gateway and the on-premises VPN device. It can help identify if the tunnel negotiation is failing due to configuration mismatches, incorrect pre-shared keys, or network connectivity issues.

  • What it contains: Information on the health of the tunnel, the phase (1 or 2) of the IPsec negotiation, and any errors that might indicate where the issue lies.

2. Other Diagnostic Logs:

While the other logs can be useful in certain scenarios, they do not directly address the issues surrounding the establishment of an IPsec tunnel:

  • A. IKEDiagnosticLog – This log provides insights into the IKE (Internet Key Exchange) phase of VPN establishment but is less detailed for diagnosing tunnel-specific issues like connectivity or encryption mismatches.

  • B. RouteDiagnosticLog – This log deals with route-based diagnostics but does not provide detailed information on tunnel establishment.

  • C. GatewayDiagnosticLog – This log focuses on the gateway’s overall status and operational health but lacks the level of detail needed to troubleshoot specific tunnel establishment issues.

To troubleshoot the IPsec tunnel establishment issue for a Site-to-Site VPN, you should review the TunnelDiagnosticLog (D). This log provides the most detailed information on the state of the VPN tunnel and helps pinpoint the root cause of the issue.

Question No 5:

You are planning to establish a Site-to-Site VPN connection between your on-premises datacenter and an Azure virtual network.

Which two resources should you include in your plan for configuring the Site-to-Site VPN connection? Each correct answer is a necessary part of the solution.

Choose two:

A. a user-defined route
B. a virtual network gateway
C. Azure Firewall
D. Azure Web Application Firewall (WAF)
E. an on-premises data gateway
F. an Azure application gateway
G. a local network gateway

Correct Answers: B. a virtual network gateway and G. a local network gateway

Explanation:

To establish a Site-to-Site VPN connection between your on-premises datacenter and an Azure virtual network, two critical resources need to be set up to ensure secure communication between the networks.

1. Virtual Network Gateway (B)

The virtual network gateway is the central component of any Site-to-Site VPN configuration in Azure. It is responsible for managing the VPN connection between the Azure virtual network and the on-premises network. The virtual network gateway facilitates secure communication by establishing an encrypted VPN tunnel.

  • Key Role: The virtual network gateway ensures that the on-premises datacenter can securely connect to Azure through the VPN tunnel.

  • VPN Types: For Site-to-Site VPN, the Route-based VPN gateway is typically used.

2. Local Network Gateway (G)

The local network gateway represents the on-premises network in Azure. It contains details such as the IP address of the on-premises VPN device and the address ranges of the on-premises network. The Azure VPN gateway uses this information to establish the connection.

  • Key Role: The local network gateway enables Azure to connect with your on-premises network securely, allowing data to flow between the two.

3. Other Resources and Why They Are Incorrect:

  • A. User-defined route – While user-defined routes are important for directing traffic, they are not mandatory for establishing a Site-to-Site VPN.

  • C. Azure Firewall – While Azure Firewall is useful for network security, it does not directly facilitate VPN connections.

  • D. Azure Web Application Firewall (WAF) – This is for web application security and is not required for VPN connections.

  • E. On-premises data gateway – This is not needed for Site-to-Site VPNs; it is used for data movement in hybrid data integration scenarios.

  • F. Azure Application Gateway – This is a web traffic load balancer and does not play a role in establishing Site-to-Site VPN connections.

To establish a Site-to-Site VPN connection, you need to configure both a virtual network gateway (B) and a local network gateway (G). These resources ensure that Azure and your on-premises network can securely communicate over the VPN.

Question No 6:

Your company has an on-premises network and three Azure subscriptions: Subscription1, Subscription2, and Subscription3. Each subscription is used by a different department, and all resources within these subscriptions are located in either the West US Azure region or the West US 2 Azure region.

You are tasked with connecting all three subscriptions to the on-premises network using ExpressRoute.

What is the minimum number of ExpressRoute circuits required to achieve this connectivity?

A. 1
B. 2
C. 3
D. 4
E. 5

Correct Answer: B. 2

Explanation:

When connecting multiple Azure subscriptions and regions to your on-premises network, ExpressRoute is often the solution. However, the number of circuits required depends on several factors such as region availability, subscription setup, and whether you're utilizing ExpressRoute global reach or a more localized setup.

Key Concepts:

  1. ExpressRoute Circuit: An ExpressRoute circuit provides a private, dedicated connection between an on-premises network and Azure. The circuit can be connected to one or multiple subscriptions, depending on the network configuration.

  2. Azure Subscription and Regions: Azure subscriptions can span multiple regions, and resources in those regions can be connected using a single ExpressRoute circuit if the circuit is correctly configured. However, if resources are spread across different regions (for example, West US and West US 2), and the subscriptions are isolated (meaning they cannot share the same ExpressRoute circuit), separate circuits may be needed.

Solution Breakdown:

  1. Subscription 1: Resources are likely located in West US or West US 2. Since both of these regions are relatively close geographically, it’s possible to use one ExpressRoute circuit for all resources in this subscription, even if they span multiple regions, as long as the ExpressRoute provider supports that configuration.

  2. Subscription 2 and Subscription 3: Similarly, these subscriptions have resources in West US or West US 2, and they could share the same ExpressRoute circuit as long as their resources span the same region pairs.

  3. Regions and Connectivity: Azure’s ExpressRoute Global Reach allows circuits in one region to connect to resources in another region, enabling all subscriptions and regions to be connected via one ExpressRoute circuit if they are in the same geo-location pair (West US and West US 2, for example). If the regions are separate geographically (even though both are in the West US region group), you may need two circuits for redundancy and fault tolerance.

Why 2 Circuits?

Since there are three subscriptions with resources spread across two regions (West US and West US 2), two circuits are typically required:

  • One ExpressRoute circuit for all resources in the West US region.

  • Another ExpressRoute circuit for resources in the West US 2 region.

This ensures connectivity to all subscriptions, offers fault tolerance, and avoids potential single points of failure.

In this scenario, you need a minimum of 2 ExpressRoute circuits to connect all three subscriptions to the on-premises network, considering both redundancy and regional connectivity.

Question No 7:

Your company operates offices in New York and Amsterdam. The company has an Azure subscription, and both offices are connected to Azure through Site-to-Site VPN connections.

  • The Amsterdam office uses Azure resources located in the North Europe Azure region.

  • The New York office uses Azure resources located in the East US Azure region.

You now need to implement ExpressRoute circuits to connect each office to the nearest Azure region. Once the ExpressRoute circuits are established, you want the on-premises computers in the Amsterdam office to be able to communicate with the on-premises servers in the New York office using the ExpressRoute circuits.

Which ExpressRoute option should you choose to achieve this inter-office connectivity?

A. ExpressRoute FastPath
B. ExpressRoute Global Reach
C. ExpressRoute Direct
D. ExpressRoute Local

Correct Answer: B. ExpressRoute Global Reach

Explanation:

In this scenario, the company is using Site-to-Site VPN connections for basic connectivity between the offices and Azure. Now, the company wants to implement ExpressRoute circuits for a more reliable, dedicated, and private connection between the on-premises offices and Azure regions. The objective is also to facilitate communication between the Amsterdam office (connected to North Europe Azure region) and the New York office (connected to East US Azure region) via the ExpressRoute circuits.

To address this requirement, let’s first break down the different ExpressRoute options:

A. ExpressRoute FastPath:

  • Purpose: FastPath is a feature within ExpressRoute that optimizes traffic flow by bypassing the Azure VPN gateway and routing traffic directly through the ExpressRoute circuit.

  • Limitations: FastPath is used for improving performance within a specific ExpressRoute circuit (e.g., between on-premises and Azure), but it does not facilitate inter-office communication across multiple locations. FastPath only affects traffic that is directly related to the resources in the connected Azure region.

  • Why it’s not the best option: This option doesn’t provide any mechanism for connecting the Amsterdam office to the New York office. It is not designed for cross-office, inter-location connectivity.

B. ExpressRoute Global Reach:

  • Purpose: ExpressRoute Global Reach is a feature that allows different ExpressRoute circuits to be connected globally, enabling communication between on-premises locations connected to different ExpressRoute circuits.

  • How it works: Once ExpressRoute Global Reach is implemented, it enables cross-premises communication. In this scenario, it will allow the Amsterdam office (connected to the North Europe region) to communicate with the New York office (connected to the East US region) through the ExpressRoute circuits, without routing traffic over the public internet.

  • Why this is the best option: Since you want to establish connectivity between the two on-premises offices using ExpressRoute, Global Reach is the ideal solution. It will enable private, reliable communication between the offices in Amsterdam and New York over the ExpressRoute network.

C. ExpressRoute Direct:

  • Purpose: ExpressRoute Direct provides high-throughput connectivity options (10 Gbps or 100 Gbps) for organizations with specific requirements for very high-speed, private connections. It typically connects on-premises environments to Azure via dedicated physical connections at Azure's data centers.

  • Limitations: While Direct can be used to connect an office directly to Azure, it doesn’t solve the problem of connecting two different on-premises locations (i.e., Amsterdam to New York) through the Azure backbone. It’s designed more for direct, high-bandwidth access to Azure, not for cross-office interconnectivity.

  • Why it’s not the best option: ExpressRoute Direct does not provide cross-premises communication features. This option would be more suitable if you needed extremely high-bandwidth connections for a single office but does not help in this case where the goal is to connect two offices via the ExpressRoute network.

D. ExpressRoute Local:

  • Purpose: ExpressRoute Local provides private connections to specific Azure regions. It is ideal for cases where you want to connect to a single Azure region and minimize costs by limiting the circuit to that region.

  • Limitations: This option only helps connect on-premises networks to a specific Azure region. It does not help in connecting two separate on-premises locations through ExpressRoute.

  • Why it’s not the best option: Although Local could help connect the Amsterdam office to the North Europe region and the New York office to the East US region, it does not address the need for cross-office communication between the two locations. ExpressRoute Local is not designed for inter-office connections.

The correct choice to meet the company's needs for cross-office connectivity through ExpressRoute is ExpressRoute Global Reach. This option enables communication between on-premises locations connected to different ExpressRoute circuits (such as Amsterdam and New York offices). It offers a secure, reliable, and private connection between the offices over the Azure backbone, ensuring that traffic is not routed over the public internet.
