AZ-700 — Designing and Implementing Microsoft Azure Networking Solutions Study Guide

59 practice questions with correct answers and detailed explanations. Use this guide to review concepts before taking the practice exam.

About the AZ-700 Exam

The Microsoft Designing and Implementing Microsoft Azure Networking Solutions (AZ-700) certification validates professional expertise in Microsoft technologies. This study guide covers all 59 practice questions from our AZ-700 practice test, complete with correct answers and explanations to help you understand each concept thoroughly.

Review each question and explanation below, then test yourself with the full interactive practice exam to measure your readiness.

59 Practice Questions & Answers

Q1 Medium

You need to design a network topology for a multi-region Azure deployment where applications in different regions must communicate securely. Which service should you implement to connect virtual networks across regions?

  • A Azure Bastion
  • B Site-to-Site VPN Gateway
  • C Virtual Network Peering ✓ Correct
  • D Azure ExpressRoute Direct
Explanation

Virtual Network Peering enables secure communication between VNets across regions. While ExpressRoute and Site-to-Site VPN are connectivity options, peering is the native Azure solution for connecting multiple VNets.

Q2 Medium

An organization requires guaranteed bandwidth and low latency for hybrid cloud connectivity between their on-premises data center and Azure. Which solution best meets these requirements?

  • A Azure Firewall with custom routes
  • B Virtual Network Peering with forced tunneling
  • C Point-to-Site VPN connection
  • D Azure ExpressRoute ✓ Correct
Explanation

ExpressRoute provides dedicated, private connections with guaranteed bandwidth and consistent low latency. Site-to-Site VPN uses the public internet and doesn't guarantee bandwidth.

Q3 Easy

You are implementing Azure Application Gateway for load balancing. Which feature allows you to route requests to different backend pools based on the URL path?

  • A Multi-site routing
  • B Host-based routing
  • C Protocol-based routing
  • D Path-based routing ✓ Correct
Explanation

Path-based routing enables the Application Gateway to send requests to different backend pools based on the URL path of the request, such as /api/ versus /images/.

Q4 Medium

You need to implement a solution that prevents DDoS attacks on your Azure resources while filtering traffic based on application-layer content. What is the recommended approach?

  • A Implement Azure Firewall Manager exclusively
  • B Use only Azure DDoS Protection Standard
  • C Combine Azure DDoS Protection with Azure Web Application Firewall ✓ Correct
  • D Use Network Security Groups with priority-based rules
Explanation

Azure DDoS Protection Standard defends against network-layer attacks, while Azure WAF provides application-layer protection. Together they provide comprehensive coverage against both DDoS and application-specific threats.

Q5 Medium

During a network design review, you discover that multiple subnets need to communicate with an on-premises network through a single gateway resource. Which routing configuration should you implement?

  • A User-defined routes in subnet route tables with the gateway as the next hop ✓ Correct
  • B Enable virtual network peering without route tables
  • C Configure Border Gateway Protocol redistribution on all subnets
  • D Static routes in each subnet route table pointing to the gateway
Explanation

User-defined routes (UDRs) in subnet route tables allow you to specify custom routing paths with the gateway as the next hop, providing centralized control over traffic patterns.

Q6 Hard

Your organization uses Azure ExpressRoute with BGP for dynamic routing. A secondary ExpressRoute circuit fails, and traffic should automatically failover. What feature enables this automatic failover?

  • A ExpressRoute Premium with traffic recovery
  • B ExpressRoute Redundancy with Active-Active BGP configuration ✓ Correct
  • C ExpressRoute Direct with circuit failover
  • D ExpressRoute Local with automatic path selection
Explanation

Active-Active BGP configuration across multiple ExpressRoute circuits enables automatic failover by advertising routes from both circuits, allowing traffic to shift to the active path when one fails.

Q7 Medium

You are designing a solution where Azure VMs must access Azure Storage without traffic traversing the public internet. Which networking feature should you implement?

  • A Azure Firewall with destination NAT rules
  • B Virtual Network NAT gateway for outbound connectivity
  • C Azure Private Link with private endpoints ✓ Correct
  • D Service endpoints with network security groups
Explanation

Private Link creates a private endpoint that maps to the Azure Storage service, ensuring all traffic stays within the Azure backbone network and never touches the public internet.

Q8 Easy

When configuring Azure Firewall, you need to allow HTTP traffic only to specific domains while blocking all other domains. Which rule type should you use?

  • A Custom rule with regular expression matching
  • B NAT rule with protocol mapping
  • C Application rule with HTTP protocol and FQDN filtering ✓ Correct
  • D Network rule with destination port 80
Explanation

Application rules in Azure Firewall allow you to filter traffic based on fully qualified domain names (FQDNs) and application protocols like HTTP, providing fine-grained control over allowed domains.

Q9 Medium

You must design a network where east-west traffic between virtual networks is monitored and logged. What Azure service provides traffic analytics and visualization for this scenario?

  • A Network Watcher Traffic Analytics ✓ Correct
  • B Azure Log Analytics for NSG flow logs
  • C Azure Monitor with VM Insights
  • D Azure Security Center network recommendations
Explanation

Network Watcher Traffic Analytics processes NSG flow logs to provide insights and visualization of traffic patterns, including east-west communication between resources and virtual networks.

Q10 Hard

Your organization requires that all outbound traffic from VMs in a subnet goes through a centralized proxy for inspection. Which Azure service should you implement?

  • A User-defined routes with Azure Firewall as the next hop ✓ Correct
  • B Network Security Groups with outbound rules
  • C Azure NAT Gateway for the subnet
  • D Azure Load Balancer with NAT rules
Explanation

User-defined routes can direct outbound traffic to Azure Firewall or a proxy VM, allowing centralized inspection. Azure NAT Gateway doesn't provide inspection capabilities; it only handles address translation.

Q11 Medium

When designing a highly available Azure Load Balancer solution, which configuration ensures that backend VMs are removed from the load-balancing pool if they become unhealthy?

  • A Set the load balancer to drain mode automatically
  • B Configure connection draining with a timeout value
  • C Enable sticky sessions on the frontend configuration
  • D Configure a health probe with appropriate probe interval and unhealthy threshold ✓ Correct
Explanation

Health probes periodically check VM health and automatically remove unhealthy VMs from the pool based on the configured probe interval and unhealthy threshold settings.

Q12 Hard

You are implementing Azure Front Door for global load balancing and DDoS protection. What is the primary advantage of using Front Door instead of Application Gateway for multi-region deployments?

  • A Application Gateway can only handle HTTP/HTTPS while Front Door handles all protocols
  • B Front Door operates at Layer 7 and provides global load balancing across regions ✓ Correct
  • C Application Gateway requires manual failover while Front Door is fully automatic
  • D Front Door provides better cost efficiency than Application Gateway
Explanation

Azure Front Door is a global load balancer that operates at Layer 7 and automatically routes traffic to the nearest or healthiest backend across multiple regions, whereas Application Gateway works within a single region.

Q13 Medium

In a network design, you need to restrict outbound traffic from a VM to only specific Azure services. Which solution is most appropriate?

  • A Private endpoints for each service with UDRs
  • B Service endpoints combined with NSG outbound rules
  • C Network Security Groups with service tags ✓ Correct
  • D Azure Firewall Premium with application rules
Explanation

Network Security Groups with service tags allow you to easily allow or deny traffic to specific Azure services using predefined tag names like 'AzureStorage' or 'AzureSQL' without managing individual IP ranges.

Q14 Easy

You need to monitor network traffic at the packet level for troubleshooting connectivity issues between VMs. Which Azure Network Watcher feature should you use?

  • A Packet capture ✓ Correct
  • B Network performance monitor
  • C Connection troubleshoot
  • D Topology view
Explanation

Packet capture in Network Watcher allows you to capture packets to and from VMs for detailed packet-level analysis, which is essential for troubleshooting complex connectivity issues.

Q15 Hard

An organization wants to ensure that their ExpressRoute circuit maintains connectivity during maintenance. What is the recommended architecture?

  • A One primary and one backup Site-to-Site VPN connection
  • B Two ExpressRoute circuits from the same peering location in active-active configuration ✓ Correct
  • C ExpressRoute circuit with redundant local gateways
  • D Single ExpressRoute circuit with automatic recovery
Explanation

Two ExpressRoute circuits from the same peering location in an active-active configuration provide redundancy and ensure that connectivity continues if one circuit requires maintenance or fails.

Q16 Medium

You are designing a network where traffic between subnets must be inspected by a firewall appliance before reaching its destination. What routing configuration supports this design?

  • A Use virtual network peering with transitive routing
  • B Configure user-defined routes with the firewall appliance as the next hop ✓ Correct
  • C Enable VNet service endpoints on all subnets
  • D Enable forced tunneling on the VPN gateway
Explanation

User-defined routes allow you to specify custom paths for traffic, directing it through a firewall appliance before it reaches its final destination subnet, enabling traffic inspection and control.

Q17 Medium

Your organization uses multiple Azure subscriptions across different regions. You need to enforce consistent network security policies across all subscriptions. What Azure service enables this?

  • A Azure Policy for network security compliance and governance ✓ Correct
  • B Management groups with custom policy assignments
  • C Azure Blueprints with network templates only
  • D Azure Resource Manager with role-based access control
Explanation

Azure Policy allows you to create and enforce consistent network security rules across multiple subscriptions and regions, such as requiring Network Security Groups or denying certain VM SKUs.

Q18 Easy

When implementing Azure Application Gateway with multiple backend pools, you need to route traffic based on the hostname in the HTTP header. What routing rule should you configure?

  • A Protocol-based routing rule
  • B Priority-based routing rule
  • C Path-based routing rule
  • D Host-based routing rule ✓ Correct
Explanation

Host-based routing inspects the hostname in the HTTP Host header and routes requests to different backend pools based on the hostname, enabling multi-site hosting scenarios.

Q19 Medium

You need to implement a solution where private on-premises servers are accessible from Azure VMs without exposing them to the internet. Which Azure service is most suitable?

  • A Azure Private Link for private connectivity to on-premises services
  • B Site-to-Site VPN with NSGs and UDRs for traffic control ✓ Correct
  • C ExpressRoute with BGP route filtering
  • D Azure Bastion for secure RDP/SSH access
Explanation

A Site-to-Site VPN establishes a secure tunnel between on-premises and Azure, while NSGs and UDRs control traffic flow, keeping private on-premises servers hidden from public internet access.

Q20 Medium

During a network audit, you discover that Network Security Groups are not logging denied connections. What configuration change is required to capture this traffic?

  • A Configure diagnostic settings for the NSG in Azure Monitor
  • B Configure Azure Firewall diagnostic logs instead
  • C Enable Flow Logs on the NSG with traffic analytics enabled ✓ Correct
  • D Enable packet capture on all associated VMs
Explanation

NSG Flow Logs capture both allowed and denied traffic, and when traffic analytics is enabled, they provide insights into denied connections and can be used for troubleshooting security issues.

Q21 Hard

You are designing a network solution where Azure VMs need to access an on-premises database through a private, encrypted connection with guaranteed bandwidth. Which combination of services should you implement?

  • A Site-to-Site VPN with IPSec encryption and redundant circuits
  • B ExpressRoute for connectivity and private endpoints for database access ✓ Correct
  • C Point-to-Site VPN and Azure ExpressRoute with BGP
  • D ExpressRoute and Private Link endpoints for the database
Explanation

ExpressRoute provides the private, dedicated, guaranteed bandwidth connection to on-premises, while private endpoints ensure the database traffic stays on the private network after reaching Azure.

Q22 Medium

A company wants to implement network segmentation in Azure using a hub-and-spoke topology. Which Azure service acts as the hub for centralized traffic filtering?

  • A Azure Virtual WAN
  • B Azure Firewall in the hub VNet ✓ Correct
  • C Azure Load Balancer
  • D Azure Application Gateway
Explanation

In a hub-and-spoke topology, Azure Firewall deployed in the hub VNet provides centralized traffic filtering and inspection for all spoke VNets, enabling consistent security policies across the architecture.

Q23 Medium

You need to automatically scale your load balancer backend pool based on application demand. However, Application Gateway does not support this directly. What complementary Azure service should you use?

  • A Azure VM Scale Sets with custom rules and Network Watcher alerts
  • B Combine Application Gateway with Virtual Machine Scale Sets for autoscaling ✓ Correct
  • C Use Azure Functions to manage backend pool membership dynamically
  • D Azure Autoscale with custom metrics from Application Insights
Explanation

Virtual Machine Scale Sets provide automatic scaling capabilities and integrate seamlessly with Application Gateway, allowing backend pool instances to scale up or down based on demand metrics.

Q24 Hard

Your organization requires end-to-end encryption for traffic between on-premises and Azure, including encryption at rest for stored data. What is the most comprehensive solution?

  • A Azure ExpressRoute Direct with customer-managed encryption keys
  • B Private endpoints with TLS termination and customer-managed keys for storage
  • C ExpressRoute with MACSec and Storage Service Encryption ✓ Correct
  • D Site-to-Site VPN with Azure Disk Encryption and Storage Service Encryption
Explanation

ExpressRoute with MACSec provides encryption in transit for the connectivity circuit, and Storage Service Encryption encrypts data at rest, delivering comprehensive end-to-end encryption.

Q25 Easy

When configuring an Azure VPN Gateway, you need to ensure that clients can connect from anywhere using client certificates for authentication. Which VPN type should you implement?

  • A VPN with password-based RADIUS authentication
  • B ExpressRoute with BGP peering
  • C Site-to-Site VPN with IKEv2 protocol
  • D Point-to-Site VPN with certificate-based authentication ✓ Correct
Explanation

Point-to-Site VPN supports certificate-based authentication, allowing individual users to connect securely from any location using client certificates, making it ideal for remote access scenarios.

Q26 Medium

You need to design a virtual network for a multi-tier application in Azure. The application requires isolation between development, staging, and production environments. Which approach provides the best network isolation?

  • A Use a single virtual network with multiple subnets separated by network security groups
  • B Deploy all environments in the same subnet with different IP address ranges
  • C Implement separate virtual networks with controlled peering and network security groups ✓ Correct
  • D Create separate virtual networks for each environment with no peering
Explanation

Separate virtual networks provide strong isolation boundaries while peering with NSGs allows controlled communication between environments, following the principle of defense in depth.

Q27 Easy

What is the maximum number of private IP addresses you can assign to a single network interface in Azure?

  • A 1
  • B 4
  • C 256 ✓ Correct
  • D Unlimited within the subnet range
Explanation

Azure allows up to 256 private IP addresses per network interface (NIC), enabling scenarios where a single VM needs multiple IP configurations for hosting multiple SSL certificates or services.

Q28 Medium

You are implementing Azure ExpressRoute for your organization. Which of the following best describes the relationship between ExpressRoute circuits and peering?

  • A A single circuit can support multiple peering types (Azure private, Azure public, and Microsoft peering) simultaneously ✓ Correct
  • B One circuit can support only one type of peering configuration
  • C Peering must be configured at the circuit level before any connectivity is established
  • D Each peering type requires a separate ExpressRoute circuit
Explanation

A single ExpressRoute circuit can support all three peering types concurrently, allowing connectivity to Azure private services, Microsoft cloud services, and public endpoints from one connection.

Q29 Hard

Your organization needs to connect multiple on-premises locations to Azure using VPN gateways. You want to ensure high availability. Which configuration is most appropriate?

  • A Deploy VPN gateways in active-passive mode using the VpnGw1 SKU
  • B Deploy a single VPN gateway with standard SKU across all locations
  • C Deploy VPN gateways in active-active mode using a high-performance SKU with redundant connections ✓ Correct
  • D Deploy multiple VPN gateways in the same region for load distribution
Explanation

Active-active mode with high-performance SKUs and redundant connections provides true high availability and fault tolerance for multi-site VPN connectivity.

Q30 Medium

You need to implement network segmentation in Azure using Azure Firewall. Which statement accurately describes Azure Firewall's capabilities?

  • A Azure Firewall requires separate instances for inbound and outbound traffic filtering
  • B Azure Firewall operates only at the network interface level and cannot filter traffic between subnets
  • C Azure Firewall can operate in both hub-and-spoke and traditional perimeter network architectures ✓ Correct
  • D Azure Firewall supports stateless filtering only
Explanation

Azure Firewall is flexible and can be deployed in hub-and-spoke topologies as a centralized filtering point or in traditional perimeter architectures, supporting both stateful and stateless filtering rules.

Q31 Easy

When configuring Application Gateway for your web applications, you need to route requests to different backend pools based on URL path. Which feature enables this functionality?

  • A Session affinity
  • B Path-based routing rules ✓ Correct
  • C Hostname-based routing
  • D HTTP header-based routing
Explanation

Path-based routing rules allow Application Gateway to direct traffic to different backend pools based on the URL path in the request, such as routing /images to one pool and /videos to another.

Q32 Medium

You are designing a network architecture that requires filtering traffic between virtual networks within the same region. The solution must support granular control at the subnet level and integrate with existing security policies. What should you implement?

  • A Azure Firewall between all virtual networks
  • B Network Security Groups (NSGs) on subnets and network interfaces ✓ Correct
  • C User-defined routes to block traffic between subnets
  • D Virtual network peering with access control lists
Explanation

NSGs provide granular, cost-effective filtering at the subnet and NIC level, ideal for intra-region traffic control without the overhead of a centralized firewall.

Q33 Medium

What is the primary advantage of using Azure Load Balancer's Standard SKU over the Basic SKU?

  • A Standard SKU is less expensive and recommended for production workloads
  • B Standard SKU supports only IPv4 while Basic supports both IPv4 and IPv6
  • C Standard SKU includes built-in DDoS protection, availability zones support, and HA ports configuration ✓ Correct
  • D Standard SKU supports more backend pool members
Explanation

The Standard SKU provides enhanced security (DDoS protection), availability (zone redundancy), and advanced features such as HA ports, making it suitable for production environments despite its higher cost.

Q34 Easy

You need to implement a hybrid network solution where on-premises users require seamless access to Azure resources. The solution must support point-to-site VPN connectivity. Which gateway SKU supports this requirement?

  • A Basic SKU only
  • B Standard SKU with additional configuration
  • C VpnGw1, VpnGw2, VpnGw3, and VpnGw4 SKUs support point-to-site connections ✓ Correct
  • D ExpressRoute gateway only
Explanation

Point-to-site VPN is supported on VpnGw series SKUs (VpnGw1 through VpnGw4), enabling remote users to connect to Azure using VPN clients.

Q35 Medium

Your organization is implementing Azure Private Link for accessing Azure PaaS services securely. Which of the following statements is correct regarding Private Link?

  • A Private Link creates private endpoints that map to Azure services using private IP addresses within your virtual network ✓ Correct
  • B Private Link is only available for Azure storage and cannot be used with other PaaS services
  • C Private Link requires ExpressRoute and cannot work with site-to-site VPN
  • D Private Link uses public endpoints and relies on firewall rules for security
Explanation

Private Link enables private connectivity to Azure services through private endpoints, eliminating exposure to the public internet while maintaining secure access from your virtual network.

Q36 Medium

You are troubleshooting connectivity issues between two virtual networks in different Azure regions that are peered together. The VMs can reach each other, but traffic is being dropped. Where should you check first?

  • A The Azure Firewall rules in the hub virtual network
  • B Application-level security software on each VM
  • C The virtual network peering bandwidth limits
  • D Network Security Groups and User-Defined Routes associated with the subnets ✓ Correct
Explanation

NSGs and UDRs are the first places to check for traffic filtering or routing issues at the network layer; peering itself doesn't drop traffic—filtering rules do.

Q37 Medium

When designing a multi-region Azure deployment, you need to ensure low-latency access to resources. Which service should you implement to intelligently route traffic based on geography and endpoint health?

  • A Azure Load Balancer
  • B Application Gateway
  • C Azure Traffic Manager ✓ Correct
  • D Azure Front Door
Explanation

Traffic Manager provides DNS-based global routing that directs users to the closest or best-performing endpoint based on geography, latency, and health status.

Q38 Hard

You need to configure a VPN connection to Azure that supports both site-to-site and point-to-site scenarios. The on-premises network uses a dynamic public IP address. Which VPN type and authentication method should you use?

  • A Policy-based VPN with pre-shared key authentication
  • B SSTP VPN with Microsoft Entra ID authentication
  • C Route-based VPN with pre-shared key or certificate-based authentication ✓ Correct
  • D OpenVPN protocol with RADIUS authentication
Explanation

Route-based VPNs support dynamic IP addresses and both site-to-site and point-to-site scenarios, with flexible authentication options including pre-shared keys and certificates.

Q39 Medium

What is the correct order of steps when deploying Application Gateway with HTTPS listeners?

  • A Create gateway, add listeners, configure SSL certificates, create rules
  • B Create gateway, upload SSL certificates, create listeners, configure routing rules ✓ Correct
  • C Upload SSL certificates, create gateway, create listeners, create rules
  • D Create listeners, upload certificates, create backend pools, configure gateway
Explanation

SSL certificates must be uploaded before creating HTTPS listeners, which then define how traffic is received, followed by routing rules that process that traffic.

Q40 Medium

You are implementing network monitoring for an Azure environment with multiple virtual networks. Which tool provides the most comprehensive network diagnostics and topology visualization?

  • A Azure Advisor recommendations
  • B Network Watcher with topology view and connection troubleshooting ✓ Correct
  • C Application Insights performance monitoring
  • D Azure Monitor Logs with KQL queries
Explanation

Network Watcher provides network diagnostics tools including topology visualization, connection troubleshooting, packet capture, and flow logs for comprehensive network analysis.

Q41 Medium

Your organization requires implementing a Web Application Firewall (WAF) to protect web applications from common exploits. Which Azure service offers integrated WAF capabilities?

  • A Network Security Groups with custom rules
  • B Azure Load Balancer with NSG rules
  • C Application Gateway and Azure Front Door both support WAF ✓ Correct
  • D Azure Firewall exclusively
Explanation

Both Application Gateway and Azure Front Door offer integrated WAF capabilities using Azure WAF policies to protect applications from OWASP Top 10 threats.

Q42 Medium

When configuring a service endpoint for Azure Storage in a virtual network, what is the immediate benefit compared to using the public endpoint with firewall rules?

  • A Traffic remains on the Azure backbone network and doesn't traverse the public internet ✓ Correct
  • B Service endpoints provide encryption at rest for storage accounts
  • C Service endpoints eliminate the need for storage account firewalls entirely
  • D Service endpoints automatically enable Azure Backup for all storage accounts
Explanation

Service endpoints route traffic through Azure's internal network rather than the public internet, improving security and reducing latency for Azure service access.

Q43 Hard

You need to design a network for a containerized application running in Azure Kubernetes Service (AKS). Which network model provides the greatest control over IP addressing and networking policies?

  • A Azure Container Networking Interface (CNI) with custom networking ✓ Correct
  • B Host networking only
  • C Overlay networks without subnet integration
  • D Kubenet networking with default settings
Explanation

Azure CNI provides full control over IP addressing, allows network policies for traffic filtering, and integrates directly with Azure virtual network resources.

Q44 Hard

What is a key limitation when using Network Security Groups compared to Azure Firewall?

  • A NSGs operate at Layer 3/4 and cannot perform Layer 7 (application-level) filtering ✓ Correct
  • B NSGs cannot filter traffic based on protocols
  • C NSGs cannot be applied to virtual network gateways
  • D NSGs do not support logging and monitoring capabilities
Explanation

NSGs operate at the network and transport layers, providing stateful filtering but lacking application-layer awareness that Azure Firewall provides through threat intelligence and URL filtering.

Q45 Hard

You are implementing a disaster recovery solution requiring failover between Azure regions. Which traffic management service provides the fastest failover capability with minimal DNS propagation delays?

  • A Azure Traffic Manager with health probes
  • B Application Gateway with cross-region replication
  • C Azure Front Door with sub-second failover and global anycast ✓ Correct
  • D Azure Load Balancer with cross-region configuration
Explanation

Azure Front Door uses global anycast and Microsoft's edge network for sub-second failover with minimal latency, superior to Traffic Manager's DNS-based 30-second typical failover.

Q46 Medium

When implementing DDoS protection for Azure resources, what is the primary difference between DDoS Protection Standard and Basic?

  • A Basic provides automatic protection for all Azure resources at no cost; Standard requires explicit enablement and incurs a cost ✓ Correct
  • B Standard provides Layer 3/4 DDoS mitigation with analytics; Basic provides no protection
  • C Basic is limited to on-premises deployments; Standard applies to cloud resources
  • D Basic requires third-party integration; Standard is fully integrated
Explanation

DDoS Protection Basic is automatic and free for all Azure customers; Standard requires explicit enablement on public IPs and provides enhanced Layer 3-7 protection with analytics.

Q47 Medium

You need to enable bidirectional communication between an on-premises network and Azure using ExpressRoute. Which routing configuration is required?

  • A Configure OSPF instead of BGP for better security
  • B Use default routes with manual IP routing only
  • C Static routes are sufficient for all ExpressRoute scenarios
  • D Configure BGP with AS numbers on both sides of the connection for dynamic routing ✓ Correct
Explanation

ExpressRoute uses BGP (Border Gateway Protocol) for dynamic routing, allowing automatic route advertisement and failover between on-premises and Azure networks.

Q48 Hard

Your organization has strict data residency requirements and must ensure all traffic between on-premises and Azure remains within a specific geographic region. Which combination of services best meets this requirement?

  • A Site-to-site VPN with traffic forced through local region only
  • B ExpressRoute with local peering and geo-pinned virtual network gateways
  • C ExpressRoute Direct with local peering combined with region-locked resource deployment ✓ Correct
  • D Azure Virtual WAN with global transit capabilities
Explanation

ExpressRoute Direct with local peering ensures traffic stays within the region, combined with deploying all resources in a single region to maintain data residency compliance.

Q49 Medium

When configuring network interfaces with multiple IP addresses in Azure, which scenario requires using secondary IP configurations?

  • A Implementing automatic failover between IP addresses
  • B Load balancing traffic across multiple NICs on the same VM
  • C Increasing the total bandwidth available to a single VM
  • D Hosting multiple SSL websites on a single VM with individual certificates per IP ✓ Correct
Explanation

Secondary IP configurations allow a single NIC to have multiple IP addresses, enabling scenarios like hosting multiple SSL-based services with individual certificates on one VM.

Q50 Medium

You need to implement a solution that allows on-premises users to access Azure resources securely over the internet without requiring a dedicated WAN connection. Which solution should you implement?

  • A Site-to-Site VPN gateway with IPSec encryption ✓ Correct
  • B Azure ExpressRoute with private peering
  • C Azure Virtual Network peering
  • D Azure Bastion with public IP addresses
Explanation

Site-to-Site VPN provides secure internet-based connectivity for on-premises networks to Azure without requiring ExpressRoute's dedicated circuits. ExpressRoute requires physical connectivity agreements with providers.

Q51 Easy

Your organization has multiple Azure Virtual Networks across different regions that need to communicate with each other privately. You want to minimize latency and avoid routing traffic through the public internet. What should you implement?

  • A Azure ExpressRoute direct peering to each Virtual Network
  • B Virtual Network peering with all Virtual Networks in the same region
  • C Global Virtual Network peering between all Virtual Networks ✓ Correct
  • D Site-to-Site VPN connections between each Virtual Network
Explanation

Global Virtual Network peering enables private, low-latency connectivity between Virtual Networks across different regions and subscriptions without routing through the public internet.

Q52 Medium

You are configuring an Azure Application Gateway for a multi-tenant environment where different tenants need to be routed to different backend pools based on the hostname in the request. Which routing rule configuration is most appropriate?

  • A Host-based routing rules with backend pools mapped to each tenant hostname ✓ Correct
  • B Path-based routing rules directing requests to tenant-specific pools
  • C HTTP settings with cookie-based affinity to distribute traffic evenly
  • D Custom HTTP header routing with tenant identifiers
Explanation

Host-based routing rules in Application Gateway allow you to route requests to different backend pools based on the hostname/domain in the HTTP request header, making it ideal for multi-tenant scenarios.

Q53 Medium

Your organization requires that all traffic destined for a specific Azure service endpoint must be routed through your network virtual appliance (NVA) for inspection. How should you configure this routing requirement?

  • A Enable NSG flow logs to monitor traffic and manually redirect packets
  • B Create a User Defined Route (UDR) with the service endpoint as the destination and the NVA as the next hop ✓ Correct
  • C Create a route table with a catch-all route pointing to the NVA, then apply it to the subnet
  • D Configure service endpoint policies on the subnet to force traffic through the NVA
Explanation

User Defined Routes allow you to specify custom routing for traffic destined to service endpoints by creating a route with the service endpoint prefix as the destination and your NVA as the next hop.

Q54 Hard

You are implementing Azure DDoS Protection Standard for your public-facing web application. During a DDoS attack, you notice that legitimate traffic is also being dropped. What should you configure to improve this situation?

  • A Implement Application Gateway with rate limiting rules to prevent traffic spikes
  • B Increase the DDoS Protection threshold values in the protection policy
  • C Disable DDoS Protection and implement Web Application Firewall (WAF) instead
  • D Create custom DDoS protection policies with adaptive thresholds and adjust detection sensitivity ✓ Correct
Explanation

Custom DDoS protection policies in DDoS Protection Standard allow you to fine-tune detection thresholds and sensitivity based on your application's traffic patterns to reduce false positives while maintaining protection.

Q55 Hard

Your organization needs to ensure that traffic between two Azure Virtual Networks is encrypted and uses private Microsoft backbone infrastructure rather than the public internet. You also need to support cross-region connectivity. Which Azure service best meets these requirements?

  • A ExpressRoute with private peering for dedicated, encrypted connectivity ✓ Correct
  • B ExpressRoute with Microsoft peering configured for private traffic
  • C Site-to-Site VPN with BGP enabled for cross-region routing
  • D Virtual Network peering with custom encryption settings
Explanation

ExpressRoute with private peering provides dedicated, encrypted connections over Microsoft's private backbone infrastructure and supports cross-region Virtual Network connectivity without traversing the public internet.

Q56 Medium

You are designing a highly available solution for an internal API that must be accessible only from within your Virtual Network. Multiple backend servers are distributed across three availability zones. Which Azure service should you use?

  • A Application Gateway configured for internal traffic only
  • B Azure Front Door with private link endpoints
  • C Internal Load Balancer with zone-redundant configuration ✓ Correct
  • D Public Load Balancer with NSG rules to restrict traffic
Explanation

An Internal Load Balancer is designed specifically for internal-only traffic within Virtual Networks and supports zone-redundancy across availability zones for high availability.

Q57 Medium

Your organization is migrating workloads to Azure and needs to maintain static outbound IP addresses for firewall rule management at their data centers. The solution must support high availability. What should you implement?

  • A Implement a VPN gateway with static routing policies
  • B Configure Azure NAT Gateway with a standard public IP address for the subnet ✓ Correct
  • C Assign public IPs directly to each virtual machine and configure NSG rules
  • D Use Application Gateway with multiple public IP addresses
Explanation

Azure NAT Gateway provides predictable, static outbound IP addresses for all traffic from a subnet, supports high availability across zones, and simplifies firewall rule configuration for outbound connections.

Q58 Hard

You need to implement a solution that prevents unauthorized access to Azure SQL databases from the public internet while still allowing specific applications in your Virtual Network to connect. Which approach is most secure?

  • A Use Virtual Network service endpoints with service endpoint policies
  • B Configure an NSG on the subnet to allow port 1433 traffic only
  • C Create a firewall rule allowing only the application subnet's IP range
  • D Disable public endpoint and create a Private Endpoint in the Virtual Network with Private Link ✓ Correct
Explanation

Private Endpoints with Private Link completely remove public internet access and provide private IP connectivity through the Azure backbone, offering the highest security level compared to firewalls or service endpoints.

Q59 Hard

You are implementing Network Security Group (NSG) rules for a subnet that hosts both web servers and database servers. Traffic between web servers and database servers must be allowed, but database servers should not initiate connections to web servers. What is the most efficient way to implement this?

  • A Create separate NSGs for each server type with directional rules allowing web-to-database traffic only
  • B Create a single NSG with multiple rules specifying source and destination ports for each service tier
  • C Use application security groups (ASGs) to group web and database servers, then create rules based on ASG membership ✓ Correct
  • D Configure stateless rules at the NSG level that explicitly deny database-to-web traffic
Explanation

Application Security Groups allow you to logically group virtual machines by function and create NSG rules based on these groups, providing cleaner, more maintainable configurations, especially as infrastructure scales.

Ready to test your knowledge?

You've reviewed all 59 questions. Take the interactive practice exam to simulate the real test environment.