AZ-700: Networking

Question 1

True or False: Virtual Networks cannot span across different regions or different subscriptions

Answer 1

True

Question 2

True or False: Virtual Networks span across all availability zones in a region

Answer 2

True

Question 3

True or False: Broadcast and Multicast are supported in an Azure virtual network

Answer 3

False

Question 4

True or False: IPv6 is always /64 CIDR in Azure Networking

Answer 4

True

Question 5

True or False: Subnets cannot span availability zones in a region

Answer 5

False, they span all of them just like the virtual networks

Question 6

How many IP addresses are “lost” when creating a subnet in Azure

Answer 6

5, you lose 1 to network, 1 to default GW, 2 to DNS, and 1 to broadcast

Question 7

Where are static IPs configured?

Answer 7

They are configured on a per resource level, not vnet.

Examples: done on the VM under its network interface

Question 8

True or False: you can bring your own individual public IPs into Azure

Answer 8

False, Azure has its own set of IPs you need a public ip prefix of atleast /24 to bring it into azure

Question 9

True or False: you can move Azure public IPs across regions

Answer 9

False, Azure IPs are per region

Question 10

What are the two SKUs for a public IP in Azure and what are the differences

Answer 10

Basic and Standard

Basic -
-Dynamic or Statically assigned
-Open by Default
-No Availability Zone support

Standard-
-Static only
-locked down by default
-Availability Zone support

Question 11

True or False: Load balancers and Public IPs need to have the same SKU tier

Answer 11

True

Question 12

What is the name for a contiguous block of public IPs

Answer 12

Public IP Prefix

Question 13

What is it called when you connect two unique Vnets in the same region

Answer 13

VNET Peering

Question 14

What is it called when you connect two unique Vnets in different regions

Answer 14

Global Vnet Peering

Question 15

True or False: you can peer Vnets across different vnet clouds (China, us gov, germany)

Answer 15

False

Question 16

True or False: 2 unpeered vnets can natively talk if they are peered to the same tertiary vnet

Answer 16

False, vnet peering is not transitive, you would have to peer the two vnets together or have an appliance ( such as a firewall) on the tertiary vnet to route traffic between them

Question 17

What are the two settings that need to be enable for a peered vnet to use the other peers gateway and what need to be enable on each

Answer 17

Allow gateway transit must be enabled on the “hub” vnet
Use remote gateway must be enabled on the vnet that needs to use the others gateway

Question 18

Can you use a remote gateway if there is already a gateway in the vnet

Answer 18

no

Question 19

Can you set the next “hop” in a route table to a different subnet or even network?

Answer 19

Yes

Question 20

Can you connect 2 vnets together without peering them? How would you do it?

Answer 20

Yes, with route tables or “user defined routing”

Question 21

What is the IP of Azure DNS

Answer 21

168.63.129.16

Question 22

What is an inbuilt option in Azure for custom DNS?

Answer 22

Azure private DNS Zone

Question 23

How many private DNS Zones can one Vnet have for registration?

Answer 23

1

Question 24

How would you be able to have more than one private dns for a vnet?

Answer 24

you can have one for registration and multiple (up to 1000) for resolution

Question 25

How many vnets are allowed per private dns zone that use that zone for Auto-registration?

Answer 25

100

Question 26

How many vnets are allowed per private dns zone that use that zone for resolution?

Answer 26

1000

Question 27

what are the two primary types of dns records added to an azure public dns zone

Answer 27

host and alias

Question 28

What is the first thing you create while making a STS VPN vnet?

Answer 28

Gateway subnet

Question 29

What is needed to configure a point to site VPN that connects to azure ad

Answer 29

Add an enterprise app to azure

Question 30

When using ExpressRoute all inbound traffic goes through what resource by default?

Answer 30

The ExpressRoute Gateway

Question 31

What is fastpath?

Answer 31

Fast Path is a way for inbound traffic to bypass the express route gateway and go straight to a resource

Question 32

Does fast path still require a gateway?

Answer 32

Yes, gateways are still required for things like BGP route propagation and it must be the highest SKU

Question 33

Does outbound express route traffic pass through the gateway?

Answer 33

No it goes straight to the MSEE

Question 34

How many vnet links are allowed per expressroute circuit?

Answer 34

10 for standard for all circuit sizes and it can be increased with premium add on

Question 35

Can you have both microsoft peering and private peering on the same ExpressRoute circuit?

Answer 35

Yes

Question 36

What is required to make microsoft peering “work” once enabled?

Answer 36

A route filter

Question 37

What protocol does a route filter use to advertise services?

Answer 37

BGP

Question 38

With a stardard ExpressRoute SKU what regions can you use?

Answer 38

Any in the same geopolitical region

Ex. North america to north america, asia to asia

Question 39

With a Premium ExpressRoute SKU what regions can you use?

Answer 39

All regions (Global)

Question 40

Do you pay based on ingress or egress?

Answer 40

egress

Question 41

What is another name for a “meet me”

Answer 41

peering point

Question 42

What ExpressRoute SKU provides local region only

Answer 42

Local SKU

Question 43

What is a faster alternative than having BGP detect a failure and do failover routing

Answer 43

BFD or Bidirectional Forwarding Detection

Question 44

What does BFD stand for?

Answer 44

Bi-Directional Forwarding Detection

Question 45

Is ExpressRoute an encrypted connection?

Answer 45

No

Question 46

What service would you use to encrypt an ExpressRoute-Direct connection inside the meet me

This is between the customer edge router and the MSEE

Answer 46

MACsec

This is not end to end, this is inside the meet me only

Question 47

What is an option for encrypting an express route connection

Answer 47

Site to Site VPN

Question 48

What is the service you would use to connect two sites in different geopolitical regions using expressroute

Answer 48

ExpressRoute Global Reach

Question 49

What is supported by the basic SKU of Azure Virtual WAN

Answer 49

S2S VPN only

Question 50

What layer is Azure Load Balancer?

Answer 50

Layer 4

Question 51

What is 5-Tuple

Answer 51

source IP address/port number, destination IP address/port number and the protocol in use

Question 52

What are the two types of load balancers

Answer 52

internal and external

Question 53

What is assigned to the front end of a load balancer

Answer 53

IP Address

Question 54

What are the two SKUs for a load balancer?

Answer 54

Basic and standard

Question 55

what is a 3-tuple

Answer 55

src ip
dest ip
protocol

Question 56

What are two of the load balancing distribution modes

Answer 56

hash based distribution ( Uses 5-tuple hash based distribution by default)

Session persistence - Session persistence is also known session affinity, source IP affinity, or client IP affinity. This distribution mode uses a two-tuple (source IP and destination IP) or three-tuple (source IP, destination IP, and protocol type) hash to route to backend instances. When using session persistence, connections from the same client go to the same backend instance within the backend pool.

Question 57

What layer is Azure App Gateway?

Answer 57

Layer 7 (HTTP/HTTPS)

Question 58

Is Azure App Gateway regional or global?

Answer 58

regional

Question 59

Is Azure Load Balancer regional or global?

Answer 59

Regional

Question 60

Can the web application firewall have a public ip, private, or both

Pick Two

Answer 60

Public or Both

Question 61

What layer is Azure Traffic Manager?

Answer 61

Layer 4

Question 62

Is Azure Traffic Manager regional or global?

Answer 62

Global

Question 63

What protocol does Azure Traffic Monitor primarily use?

Answer 63

DNS

Question 64

What is the setting needed for Azure Traffic Manager to work like a load balancer

Answer 64

The performance option will resolve the closest target to the requester favoring latency

Question 65

True or False: Azure Traffic Manager can resolve to both Azure Endpoints and External Enpoints such as FQDN or IP

Answer 65

True

Question 66

What is the layer 7, global load balancing solution?

Answer 66

Azure Front Door

Question 67

How does Azure Front Door provide load balancing

Answer 67

it gives an anycast ip address for all points of presence

Question 68

What is the name of the tool used to create inbound and outbound security rules for a vnet

Answer 68

Network Security Groups

Question 69

Is a network security group an edge device

Example: Like a firewall

Answer 69

no

Question 70

Is a network security group an edge device

Example: Like a firewall

Answer 70

no

Question 71

Where is a network security group enforced

Answer 71

at the VNET level

Question 72

Are network security groups regional or global

Answer 72

regional

Question 73

What does Virtual Network actually mean when it is applied in a nsg rule

Answer 73

It means all know ip space

(this would include peered vnets, S2S VPN, and anything else this virtual network would be “aware” of.)

Question 74

How does an application security group work in practice? What is it most similar to?

Answer 74

It is a tag you can use when making security rules

Question 75

What would you use to only allow traffic from one subnet of a vnet into a storage account?

Answer 75

A Service Endpoint: Storage

Question 76

What is an ip address from the network that represents a single instance of a service

Answer 76

Private endpoint

Question 77

Can each app in an app service plane have its own private endpoint

Answer 77

yes

Question 78

What is the minimum network size for Azure Firewall in CIDR

Answer 78

/26

it requires at least 64 addresses

Question 79

How many policies can be applied to one instance of azure firewall?

Answer 79

1

Question 80

What are the three types of rules for azure firewall

Answer 80

NAT rules
L4 Network Rules
Application rules (Layer 7)

Question 81

What is an alias DNS Record called?

Answer 81

CNAME

Question 82

What is an IPV4 DNS Record called?

Answer 82

A

Question 83

What is an IPV6 DNS Record called?

Answer 83

AAAA

Question 84

When configuring global peering, what changes will occur in the peered VNets

Answer 84

A peering entry is added to the routing table in each VNet

Question 85

Does a VPN gateway subnet need to be named GatewaySubnet?

Answer 85

Yes

Question 86

Is it okay to deploy other resources such as VMs in the gateway subnet?

Answer 86

No!!!

Question 87

What are the two things required for your on site VPN device to connect to the Azure VPN Gateway?

Answer 87

Shared Key and Public Ip of the Azure VPN Gateway

Question 88

What is the minimum address space to deploy a hub in azure

Answer 88

/24

Question 89

What does all traffic pass through in an azure virtual wan?

Answer 89

Hub gateway

Question 90

Can you use Virtual WAN to connect a VNet to a virtual hub in a different tenant?

Answer 90

Yes

Question 91

Where are NVAs deployed to in a virtual WAN?

Answer 91

Inside the Virtual WAN Hub

Question 92

How does the application gateway probe the health of something in its backend pool?

Answer 92

a HTTP GET request

Question 93

What is the frequency that azure application gateway probes for health?

Answer 93

30 seconds

Question 94

By default, an HTTP(S) response with status code between ___ and ___ is considered healthy for a probe.

Answer 94

200 and 399

Question 95

Front Door route rules determine whether the incoming request matches the routing rule and route traffic accordingly. What properties are matched?

Answer 95

HTTP protocols (HTTP/HTTPS), Hosts, and Paths.

Question 96

Which tool in Azure automatically collects, analyzes, and integrates log data from your Azure resources?

Answer 96

Microsoft Defender for Cloud

Question 97

If there is an NSG on the NIC and an NSG on the subent, what one gets processed first?

Answer 97

The one on the NIC

Question 98

Filtering of which direction of traffic does Azure Firewall support?

Answer 98

Inbound and Outbound

Question 99

What are the two modes that a WAF policy can use?

Answer 99

WAF policy can either be in Prevention mode or Detection mode.

Question 100

What are the two types of custom rule in a WAF policy?

Answer 100

Match rules and rate limit rules.

Question 101

To enable a Service Endpoint, you must do two things

Answer 101

Turn off public access to the service.
Add the Service Endpoint to a virtual network.

Question 102

What resource is associated with a Private Endpoint that contains the information to configure your Private Endpoint DNS?

Answer 102

The network interface

Question 103

What service allows you to view Network Topology, Next Hop, Verify IP Flow, Packet Captures, NSG Flow Logs, and more.

Answer 103

Azure Network Watcher

Question 104

Is Azure Network Watcher regional or global?

Answer 104

Regional

Question 105

True or False, Automatic registration only works for virtual machine network interfaces and only for the primary interface

Answer 105

True

Question 106

True or False, To manage a subdomain in a separate DNS zone, you need to create an PTR record that contains the name servers of the subdomain’s DNS zone.

Answer 106

False, it needs to be a NS record not PTR

Question 107

By default, an NSG will block traffic to the health service, what needs to be enabled to use the health service?

Answer 107

Adding an inbound rule with the GatewayManager service tag

Question 108

True or false, policy-based VPN gateway can only create one tunnel per gateway

Answer 108

True

Question 109

True or False, By default policy-based VPN has an idle timeout of 10 minutes

Answer 109

False, The timeout is 5 minutes

Question 110

What is the difference between Azure Front Door, Azure Front Door Standard, and Azure Front Door Premium?

Answer 110

Azure Front Door is the basic plan, Azure Front Door standard adds increased content deliver and performance, and Azure Front Door Premium adds increased security

Question 111

You can map a maximum of _____ Private Endpoint interfaces to the same Private Link resource

Answer 111

1000

Question 112

Do you need a load balancer for Azure Private Endpoint?

Answer 112

Yes

Question 113

Which SKU/s of load balancer work with private endpoint?

Answer 113

Only Standard

Question 114

In what order are Azure Firewall rules applied?

Answer 114

Threat intelligence>NAT>Network rules>Application>infrastructure rules

Question 115

Which Firewall Manager feature is available only on the secured virtual hub architecture?

Answer 115

Centralized route management

Question 116

True or False: You can implement a single instance of Firewall Manager for all Azure regions and subscriptions.

Answer 116

True

Question 117

What is the first step when you are setting up Azure DDoS Protection?

Answer 117

first step is to associate virtual networks or IP addresses to DDoS Protection

Question 118

Which Azure DDoS Protection service offers DDoS rapid response support?

Answer 118

Azure DDoS Network Protection

Question 119

Is a star topology and hub-and-spoke the same thing?

Answer 119

Yes

Question 120

Is a virtual WAN a star topology?

Answer 120

Yes

Question 121

Is a virtual WAN a spoke and hub topology?

Answer 121

Yes

Question 122

Is a virtual WAN a mesh topology?

Answer 122

No

Question 123

Is NAT mainly for inbound or outbound connections?

Answer 123

Outbound

Question 124

You plan to use Azure Virtual WAN and deploy a virtual WAN hub that meets the following requirements:

Supports 3 Gbps of point-to-site traffic
Minimizes costs.
You need to recommend how many scale units to use.

What should you recommend?

Answer 124

Scale units for VPN are in 500 Mbps increments, so to reach 3 Gbps, 6 units are required.

Question 125

You have an Azure subscription.

You deploy an Azure virtual WAN by using the Basic WAN type.

What should you include in the solution?

Answer 125

Basic virtual WAN only supports a S2S configuration

Question 126

What are the layer 7 rules for Azure Firewall called

Answer 126

Application Rules

Question 127

In a default route what are the first two routes that have the highest priority in order

Answer 127

Expressroute then gateway

Question 128

What is the prefix for local non routable ipv6 addresses

Answer 128

fd

Question 129

How many ip addresses can be assigned to one network interface

Answer 129

256

Question 130

How many S2S VPN connections can each SKU of route-based VPN gateways support?

Answer 130

Basic: 10 connections

VpnGw1, VpnGw2, VpnGw3, VpnGw1AZ, VpnGw2AZ, VpnGw3AZ: 30 connections

VpnGw4, VpnGw5, VpnGw4AZ, VpnGw5AZ: 100 connections

Question 131

Which Express Route Gateway SKU supports FastPath?

Answer 131

Standard SKU/ERGw1Az FathPath:No Max Number of Circuit Connectionsz:4

High Perf SKU/ERGw2Az FathPath:No Max Number of Circuit Connections:8

Ultra Performance SKU/ErGw3Az FathPath:Yes Max Number of Circuit Connections:16

Question 132

Enabling Direct Server Return (DSR), known in Azure as Floating IP, involves creating what resource

Answer 132

It involves creating a loopback adapter on the virtual machine and assigning the loopback adapter the IP address of the frontend listener. This way, the virtual machines knows where to send the traffic back to for session affinity.

Question 133

If HA ports are required, which SKU/type is needed for Load Balancers

Answer 133

If HA ports are required, which are only supported on internal Azure Standard Load Balancers

Question 134

What do you get when upgrading from Azure Front Door Standard to Premium

Answer 134

Microsoft managed rule set, Bot protection, and Private link connection to origin

Question 135

What is the minimum address space when you use BYOIP?

In CIDR

Answer 135

/24

Question 136

What is the main benefit of express route local?

Answer 136

Free egress

Question 137

What SKU of expressroute do you need for Microsoft peering?

Answer 137

Premium

Question 138

What SKU of expressroute supports any region in the same geopolitical boundary?

Answer 138

Expressroute standard

Question 139

What SKU gateway is required for fast path?

Answer 139

Ultra performance/ErGw3Az (not high performance, high does not support fastpath)

Question 140

How would you connect two on prem sites with the microsoft backbone via expressroute?

Answer 140

Use expressroute global reach

Question 141

What tool shows NSGs associated with the virtual machines and the Network interfaces. This tool shows the NSGs that are in the flow of the traffic and blocks traffic flow.

Answer 141

Effective security rules

Question 142

What would be an easy way of allowing a Microsoft service such as windows update through the azure firewall

Answer 142

FQDN tag rule

Question 143

A ____ rule allows certain IPs (or all) to have a destination port/ IP.

Answer 143

DNAT

Question 144

What do you get with azure firewall premium vs standard

Answer 144

Premium gives you: TLS inspection, IDPS, URL filtering, Web categories

URL filtering is full path instead of just the FQDN included in standard

Question 145

What is the key difference between Service Endpoints and NSGs

Answer 145

NSGs are more focused towards traffic in and out of a vnet

Service endpints are required to lock down a service to specific subnets on specific vnets

Question 146

What resource allows you to make a specific subnet known to a specific Azure service and add an optimal path to service

Answer 146

Service Endpoint

Question 147

True or False

Service Endpoint Policies allow specific instances of services to be allowed from a virtual network which is not possible with NSG service tags

Answer 147

True

Question 148

True or False most services have a native firewall

Example: A Storage Account

Answer 148

True

Question 149

Do load balancers support auto-registration

Answer 149

no

Question 150

Can you use IPsec for azure p2s VPN?

Answer 150

No, you can use ikev2, sstp, and openvpn

Question 151

ExpressRoute circuits don’t map to any physical entities. A circuit is uniquely identified by a standard GUID called as a What?

Answer 151

service key (s-key).

Question 152

ExpressRoute circuits don’t map to any physical entities. A circuit is uniquely identified by a standard GUID called as a What?

Answer 152

service key (s-key).

Question 153

Max. # IPv4 prefixes supported per expressroute private peering

Answer 153

4,000 by default and 10,000 with premium

Question 154

Max. # IPv4 prefixes supported per expressroute Microsoft peering

Answer 154

200

Question 155

Can a NAT gateway span multiple virtual networks?

Answer 155

no

Question 156

Can a NAT gateway be associated to an IPv6 public IP address or IPv6 public IP prefix?

Answer 156

no ipv4 only

Question 157

True or False: A NAT gateway can be deployed in a gateway subnet.

Answer 157

False

You cannot deploy a NAT gateway in a gateway subnet

Question 158

Can you add network interfaces from different vnets to the same ASG?

Answer 158

No.

All network interfaces assigned to an application security group have to exist in the same virtual network that the first network interface assigned to the application security group is in. For example, if the first network interface assigned to an application security group named AsgWeb is in the virtual network named VNet1, then all subsequent network interfaces assigned to ASGWeb must exist in VNet1. You can’t add network interfaces from different virtual networks to the same application security group.

Question 159

What layer is DNS

Answer 159

layer 7

Question 160

Which type of vpn gateway does s2s vpn need when coexisting with expressroute

Answer 160

Only route-based VPN gateway is supported. You must use a route-based VPN gateway. You also can use a route-based VPN gateway with a VPN connection configured for ‘policy-based traffic selectors’ as described in Connect to multiple policy-based VPN devices.

Question 161

What service enables you to point a private IP to a specific service

Think pointing an ip to specifically the blob service on a storage acct.

Answer 161

Private Endpoint

Question 162

Can you have multiple private endpoints for the same instance of a service?

Answer 162

Yes

Question 163

Can private enpoints coexist with other resources such as VMs in the same subnet?

Answer 163

Yes

Question 164

Can you have multiple private endpoints in the same subnet?

Answer 164

Yes

Question 165

True or false: A private endpoint can’t connect to services that aren’t in the same subscription, region, or a AAD Tenant

Answer 165

False, private endpoints can connect to all of those

Question 166

True or false: a private endpoint has to be created in the same region as the vnet it will be put in to

Answer 166

True, the private endpoint and vnet must be in the same region

Question 167

How many subscriptions can be shared by 1 expressroute circuit?

Answer 167

1 expressroute circuit can be part of up to 10 azure subscriptions

Question 168

Does openvpn support ad authentication for a p2s vpn?

Answer 168

Yes

Question 169

What do you need to add when you want a private endpoint for a custom service?

Answer 169

You need to put a standard load balancer in front of the resources or resource that is hosting the custom service and add the private endpoint to the private endpoint service in front of the load balancer

Question 170

What is a local network gateway in Azure?

Answer 170

The local network gateway is a specific object that represents your on-premises location (the site) for routing purposes. You give the site a name by which Azure can refer to it, then specify the IP address of the on-premises VPN device to which you’ll create a connection. You also specify the IP address prefixes that will be routed through the VPN gateway to the VPN device. The address prefixes you specify are the prefixes located on your on-premises network. If your on-premises network changes or you need to change the public IP address for the VPN device, you can easily update the values later.

Question 171

What is the proper url to probe an active/passive gw

Answer 171

https://YourVirtualNetworkGatewayIP:8081/healthprobe

Question 172

What is the proper url to probe an active/active gw

Answer 172

https://YourVirtualNetworkGatewayIP2:8083/healthprobe

Question 173

True or false: The VPN client must be downloaded again if any changes are made to VNet peering or the network topology.

Answer 173

True

Question 174

If you manually create a DNS entry and then delete the resource associated with the DNS record, does it also delete the DNS record?

Answer 174

No, only auto-registered DNS records are deleted when a VM is deleted

Question 175

How big are Express Route Scale Units in a virtual WAN?

Answer 175

2 Gbps each

Question 176

How big are Express Route Scale Units in a virtual WAN?

Answer 176

2 Gbps each

Question 177

Do DNS queries from the internet use the public dns or private?

Answer 177

Public

Question 178

When connecting a web application to a vnet in the same region using Regional virtual network integration, what is needed?

Answer 178

An additional subnet specifically for Regional virtual network integration

Question 179

Does an azure firewall need to be in the same region and resource group as a vnet

Answer 179

Yes

Question 180

How many ips would be in a public ip prefix of /28

Answer 180

16 addresses

Question 181

How are the subnet reservations in azure laid out?

Answer 181

They are always laid out in the following way
Example:
192.168.1.0 This value identifies the virtual network address.
192.168.1.1 Azure configures this address as the default gateway.
192.168.1.2 and 192.168.1.3 Azure maps these Azure DNS IP addresses to the virtual network space.
192.168.1.255 This value supplies the virtual network broadcast address.

Question 182

When does a dynamic IP address change?

1. In Azure, when a virtual machine is stopped and then restarted.
2. In the guest OS, when a virtual machine is rebooted or stopped.
3. Each time the virtual machine is accessed.

Answer 182

1. In Azure, when a virtual machine is stopped and then restarted.

Question 183

What happens to network traffic that doesn’t match any NSG rules?
1. It’s allowed by default.
2. It’s denied by default.
3. It’s postponed until the rules change.

Answer 183

2.It’s denied by default.

Question 184

When virtual networks are successfully peered, what’s the peering status for both virtual networks in the peering?

1. Initiated
2. Connected
3. Peered

Answer 184

2.Connected

Question 185

True or false: You can implement a public(external) or internal load balancer

Answer 185

True