Exam: AZ-700: Azure Network Engineer Associate

Total Questions: 210

Your company has a single on-premises datacenter in Washington DC. The East US Azure region has a peering location in Washington DC.
The company only has Azure resources in the East US region.
You need to implement ExpressRoute to support up to 1 Gbps. You must use only ExpressRoute Unlimited data plans. The solution must minimize costs.
Which type of ExpressRoute circuits should you create?
A. ExpressRoute Local
B. ExpressRoute Direct
C. ExpressRoute Premium
D. ExpressRoute Standard
Answer: A
Explanation: You are required to:
- Use ExpressRoute to connect an on-premises datacenter (in Washington DC) to Azure.
- Use only Unlimited data plans.
- Support up to 1 Gbps bandwidth.
- Minimize costs.
- All Azure resources are in the East US region.
- Peering location is also in Washington DC, which matches the datacenter location.
Why ExpressRoute Local is the best choice: ExpressRoute Local allows connectivity to Azure regions within the same metro (peering) location.
- Since both your on-premises datacenter and Azure East US region are in Washington DC, ExpressRoute Local is supported.
- Local circuits do not charge for data transfer, which is especially cost-effective when using Unlimited data plans.
- Supports up to 10 Gbps, so 1 Gbps is well within its capability.
- Lowest cost among ExpressRoute options when the traffic stays within a single metro area.

You are planning an Azure Point-to-Site (P2S) VPN that will use OpenVPN.
Users will authenticate by an on-premises Active Directory domain.
Which additional service should you deploy to support the VPN authentication?
A. an Azure key vault
B. a RADIUS server
C. a certification authority
D. Azure Active Directory (Azure AD) Application Proxy
Answer: B
Explanation:
- You are planning a Point-to-Site (P2S) VPN using the OpenVPN protocol, and users must authenticate using an on-premises Active Directory (AD) domain.
Authentication options for P2S VPN (OpenVPN):
- When using OpenVPN for a P2S VPN, and the authentication needs to happen against on-premises Active Directory, the supported method is RADIUS authentication, with a RADIUS server that is integrated with the on-premises Active Directory.
Why a RADIUS server is required: The RADIUS server acts as an intermediary that authenticates users against your on-prem AD.
- Azure VPN Gateway can use the RADIUS protocol to pass user credentials to the on-premises RADIUS server.
- The RADIUS server can use Network Policy Server (NPS) or similar software configured to communicate with Active Directory.

You plan to configure BGP for a Site-to-Site VPN connection between a datacenter and Azure.
Which two Azure resources should you configure? Each correct answer presents a part of the solution. (Choose two.)
NOTE: Each correct selection is worth one point.
A. a virtual network gateway
B. Azure Application Gateway
C. Azure Firewall
D. a local network gateway
E. Azure Front Door
Answer: AD

You fail to establish a Site-to-Site VPN connection between your company's main office and an Azure virtual network.
You need to troubleshoot what prevents you from establishing the IPsec tunnel.
Which diagnostic log should you review?
A. IKEDiagnosticLog
B. RouteDiagnosticLog
C. GatewayDiagnosticLog
D. TunnelDiagnosticLog
Answer: A
Explanation:
- When troubleshooting a Site-to-Site (S2S) VPN connection that fails to establish the IPsec tunnel, you need to review logs related to the IKE (Internet Key Exchange) negotiation, which is responsible for establishing and securing the IPsec tunnel.
What is the IKEDiagnosticLog?
- The IKEDiagnosticLog captures detailed logs of the IKE Phase 1 and Phase 2 negotiations, which are essential for establishing IPsec tunnels.
- It includes information about:
  - Authentication issues
  - Mismatched encryption policies
  - Dead Peer Detection (DPD) responses
  - Negotiation failures
- This log is specifically designed to help identify why a VPN connection fails during tunnel establishment.

You have an Azure virtual network and an on-premises datacenter.
You are planning a Site-to-Site VPN connection between the datacenter and the virtual network.
Which two resources should you include in your plan? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

A. a user-defined route
B. a virtual network gateway
C. Azure Firewall
D. Azure Web Application Firewall (WAF)
E. an on-premises data gateway
F. an Azure application gateway
G. a local network gateway
Answer: BG
Explanation:
- To establish a Site-to-Site (S2S) VPN connection between an on-premises datacenter and an Azure virtual network, you need two critical components:
1. Virtual Network Gateway (B): Deployed in Azure.
   - It represents the VPN endpoint in the Azure Virtual Network.
   - Handles IPsec/IKE tunnel creation and encryption for the Azure side.
2. Local Network Gateway (G): Represents your on-premises VPN device or network in Azure. You define the on-premises public IP address and address prefixes (i.e., the IP ranges for your datacenter) in this resource.

You need to connect an on-premises network and an Azure environment. The solution must use ExpressRoute and support failing over to a Site-to-Site VPN connection if there is an ExpressRoute failure.
What should you configure? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
[Question and answer images not included]

Your company has an on-premises network and three Azure subscriptions named Subscription1, Subscription2, and Subscription3.
The departments at the company use the Azure subscriptions as shown in the following table.

All the resources in the subscriptions are in either the West US Azure region or the West US 2 Azure region.
You plan to connect all the subscriptions to the on-premises network by using ExpressRoute.
What is the minimum number of ExpressRoute circuits required?
A. 1
B. 2
C. 3
D. 4
E. 5
[Question image (table of department subscription use) not included]
Answer: A

Your company has offices in New York and Amsterdam. The company has an Azure subscription. Both offices connect to Azure by using a Site-to-Site VPN connection.
The office in Amsterdam uses resources in the North Europe Azure region. The office in New York uses resources in the East US Azure region.
You need to implement ExpressRoute circuits to connect each office to the nearest Azure region. Once the ExpressRoute circuits are connected, the on-premises computers in the Amsterdam office must be able to connect to the on-premises servers in the New York office by using the ExpressRoute circuits.
Which ExpressRoute option should you use?
A. ExpressRoute FastPath
B. ExpressRoute Global Reach
C. ExpressRoute Direct
D. ExpressRoute Local
Answer: B
Explanation: Your scenario involves:
- Two on-premises offices: Amsterdam and New York.
- Each office connects to its nearest Azure region (North Europe for Amsterdam, East US for New York).
- You plan to set up ExpressRoute circuits for both locations.
- Your requirement: On-premises computers in Amsterdam must be able to connect to on-premises servers in New York via ExpressRoute, not just Azure.
Why ExpressRoute Global Reach is the correct option: ExpressRoute Global Reach allows you to connect two on-premises sites via Azure's backbone network, using your existing ExpressRoute circuits.
- This means your Amsterdam and New York offices can communicate directly through Microsoft's global private network, even though they are connected to different Azure regions.
- It's designed specifically for interconnecting multiple on-premises networks across geographies.

You have an Azure subscription that contains a single virtual network and a virtual network gateway.
You need to ensure that administrators can use Point-to-Site (P2S) VPN connections to access resources in the virtual network. The connections must be authenticated by Azure Active Directory (Azure AD).
What should you configure? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
[Question and answer images not included]

You have on-premises datacenters in New York and Seattle.
You have an Azure subscription that contains the ExpressRoute circuits shown in the following table.
[Question image (table of ExpressRoute circuits) and answer image not included]