Az-700

Ace your homework & exams now with Quizwiz!

Which three methods can resources deployed in virtual networks use to resolve domain names to internal IP addresses?

1. Azure DNS private zones 2. Azure-provided name resolution 3. Name resolution that uses your own DNS server (which might forward queries to the Azure-provided DNS servers)

You have an Azure virtual network named Vnet1 that connects to an on-premises network. You have an Azure Storage account named storageaccount1 that contains blob storage. You need to configure a private endpoint for the blob storage. The solution must meet the following requirements: Ensure that all on-premises users can access storageaccount1 through the private endpoint. Prevent access to storageaccount1 from being interrupted. Which four actions should you perform in sequence?

1. Configure a private endpoint on storagaccount1 and disable public access to the account 2. Deploy a VM to a subnet in Vnet1 3. Install the DNS Server role and configure the forwarding of blob.core.windows.net to 168.63.129.16 4. Configure on-premises DNS server to forward blob.core.windows.net to the virtual machine 168.63.129.16 is the IP address of Azure DNS which hosts Azure Private DNS zones. It is only accessible from within a VNet which is why we need to forward on-prem DNS requests to the VM running DNS in the VNet. The VM will then forward the request to Azure DNS for the IP of the storage account private endpoint.

When planning to implement virtual networks, what should you consider?

1. Subnetting - Ensure non-overlapping address spaces. Make sure your VNet address space (CIDR block) does not overlap with your organization's other network ranges. 2. Security Isolation - Is any security isolation required? 3. IP Address Limitation - Do you need to mitigate any IP addressing limitations? 4. Hybrid Connectivity - Will there be connections between Azure VNets and on-premises networks? 5. Administrative Isolation - Is there any isolation required for administrative purposes? 6. Are you using any Azure services that create their own VNets?

8 Non-routebale address spaces

10.0.0.0 - 10.255.255.255 (10/8 prefix) 172.16.0.0 - 172.31.255.255 (172.16/12 prefix) 192.168.0.0 - 192.168.255.255 (192.168/16 prefix) 224.0.0.0/4 (Multicast) 255.255.255.255/32 (Broadcast) 127.0.0.0/8 (Loopback) 169.254.0.0/16 (Link-local) 168.63.129.16/32 (Internal DNS)

How do VNets Communication with the internet?

All resources in a VNet can communicate outbound to the internet, by default. You can communicate inbound to a resource by assigning a public IP address or a public Load Balancer. You can also use public IP or public Load Balancer to manage your outbound connections.

Gateway Transit

Allows peered virtual networks to use the Azure VPN gateway in the hub virtual network

You plan to deploy Azure virtual network. You need to design the subnets. Which three types of resources require a dedicated subnet? Each correct answer presents a complete solution.

Azure Bastion Azure Application Gateway v2 VPN gateway

How do you route network traffic on Azure?

Azure routes traffic between subnets, connected virtual networks, on-premises networks, and the Internet, by default. You can implement route tables or border gateway protocol (BGP) routes to override the default routes Azure creates.

What's the main difference between the basic and standard azure virtual WAN?

Basic only supports S2S VPN while Standard has additional support for Express Route, P2S VPN, Inter-hub and VNet-to-VNet transitive connectivity through the virtual hub

You have an Azure virtual network named Vnet1 that has one subnet. Vnet1 is in the West Europe Azure region. You deploy an Azure App Service app named App1 to the West Europe region. You need to provide App1 with access to the resources in Vnet1. The solution must minimize costs. What should you do first?

Create a new subnet. resources are in the same region (Regional VNet Integration), new subnet does not incur the cost. The VPN Gateway solution incurs a cost (Gateway-required VNet Integration...When you connect directly to VNet in other regions or to a classic virtual network in the same region, you need an Azure Virtual Network gateway provisioned in the target VNet.)

How would you implement automatic DNS name registration in a Private DNS zone?

Create virtual network link to private DNS zone. The Azure DNS private zones auto registration feature manages DNS records for virtual machines deployed in a virtual network. When you link a virtual network with a private DNS zone with this setting enabled. A record and a PTR record are created. DNS records for newly deployed virtual machines are also automatically created in the linked private DNS zone. When a virtual machine gets deleted, any associated DNS records also get deleted from the private DNS zone. To enable auto registration, select the checkbox for "Enable auto registration" when you create the virtual network link.

How would you implement name resolution of a private DNS zone's records from an on-prem location?

Deploy a VM configured as a DNS server to Vnet1 Forward queries to a customer-managed DNS proxy server in the corresponding virtual network, the proxy server forwards queries to Azure for resolution.

How do you filter network traffic on Azure?

You can filter network traffic between subnets using any combination of network security groups and network virtual appliances like firewalls, gateways, proxies, and Network Address Translation (NAT) services.

What is one way to know when force tunneling is enabled on a firewall from the azure portal config page?

If force tunneled was enabled, the Firewall Subnet would be named AzureFireWallManamentSubnet. Forced tunneling can only be enabled during the creation of the firewall. It cannot be enabled after the firewall has been deployed.

You have two subnets AzureFWSubnet and Subnet2. You deploy an Azure firewall to AzureFWSubnet. You route all traffic from Subnet2 through the firewall. You need to ensure that all the hosts on Subnet2 can access an external site located at HTTPS:// *.contoso.com. What should you do?

In a firewall policy, create an application rule

BastionHost

provides secure and seamless RDP/SSH connectivity to your virtual machines directly in the Azure portal over SSL. With this, your virtual machines do not need a public IP address.

You have an Azure subscription that contains the following resources: A virtual network named Vnet1 Two subnets named subnet1 and AzureFirewallSubnet A public Azure Firewall named FW1 A route table named RT1 that is associated to Subnet1 A rule routing of 0.0.0.0/0 to FW1 in RT1 After deploying 10 servers that run Windows Server to Subnet1, you discover that none of the virtual machines were activated. You need to ensure that the virtual machines can be activated. What should you do?

On FW1, create an outbound network rule that allows traffic to the Azure Key Management Service (KMS). All outbound traffic is directed through the Firewall by the routing table. Therefore you need a rule that explicitly states traffic is allowed to the Azure KMS.

Which Tunnel type should you select in the Point-to-site (P2S) VPN configuration settings of a virtual network gateway that must use Azure Active Directory (Azure AD) authentication for users

OpenVPN (SSL)

How do you know when an Azure firewall is being managed by Azure Firewall Manager?

The "Visit Azure Firewall manager to configure and manage this firewall" link will be in the firewall config page and will let you know the firewall has management by Azure Firewall Manager enabled

You fail to establish a Site-to-Site VPN connection between your company's main office and an Azure virtual network. You need to troubleshoot what prevents you from establishing the IPsec tunnel. Which diagnostic log should you review?

The IKEDiagnosticLog table offers verbose debug logging for IKE/IPsec. This is very useful to review when troubleshooting disconnections, or failure to connect VPN scenarios.

You have two Azure virtual networks named Vnet1 and Vnet2. You have a Windows 10 device named Client1 that connects to Vnet1 by using a Point-to-Site (P2S) IKEv2 VPN. You implement virtual network peering between Vnet1 and Vnet2. Vnet1 allows gateway transit. Vnet2 can use the remote gateway. You discover that Client1 cannot communicate with Vnet2. You need to ensure that Client1 can communicate with Vnet2 Solution: You enable BGP on the gateway of Vnet1. Does this meet the goal?

The VPN client must be downloaded again if any changes are made to VNet peering or the network topology.

You have two scale sets within the same subnet and you need to restrict traffic from scaleset1 to scalset2 two? What are the minimum number of custom NSG rules and NSG assignments required?

The minimum requirement is one NSG. You could attach the NSG to VMScaleSet1 and restrict outbound traffic, or you could attach the NSG to VMScaleSet2 and restrict inbound traffic.

How do Azure resource communicate with each other?

There are three key mechanisms through which Azure resource can communicate: VNets, VNet service endpoints and VNet peering. VNets can connect VMs, ASE, AKS, and VMSS. You can use service endpoints to connect to other Azure resource types, such as Azure SQL databases and storage accounts.

How do Vnets communicate with on-Prem resources?

You can connect your on-premises computers and networks to a virtual network using Point-to-site virtual private network (VPN), Site-to-site VPN, Azure ExpressRoute

What does it mean to configure per-site WAF policies?

When associated with your Application Gateway, the policies and all the settings are reflected globally. So, if you have five sites behind your WAF, all five sites are protected by the same WAF Policy. This is great if you need the same security settings for every site. But you can also apply WAF policies to individual listeners to allow for site-specific WAF configuration. By applying WAF policies to a listener, you can configure WAF settings for individual sites without the changes affecting every site.

Can you add address spaces after creating a virtual network?

Yes

You have an Azure subscription that contains multiple virtual machines in the West US Azure region. You need to use Traffic Analytics. Which two resources should you create? Each correct answer presents part of the solution.

a Log Analytics workspace and a storage account

You are planning an Azure Point-to-Site (P2S) VPN that will use OpenVPN. Users will authenticate by an on-premises Active Directory domain. Which additional service should you deploy to support the VPN authentication?

a RADIUS server

You have an Azure virtual network that contains a subnet named Subnet1. Subnet1 is associated with a network security group (NSG) named NSG1. NSG1 blocks all outbound traffic that is not allowed explicitly. Subnet1 contains virtual machines that must communicate with the Azure Cosmos DB service. You need to create an outbound security rule in NSG1 to enable the virtual machines to connect to Azure Cosmos DB. What should you include in the solution?

a service tag A service tag represents a group of IP address prefixes from a given Azure service. You can use service tags to define network access controls on network security groups or Azure Firewall. In this case, an example service tag would be "AzureCosmosDB" which block or allows outbound traffic. In this case, it allows traffic to the cosmos DB instance.

You plan to configure BGP for a Site-to-Site VPN connection between a datacenter and Azure. Which two Azure resources should you configure? Each correct answer presents a part of the solution.

a virtual network gateway and a local network gateway

Network Security Groups

an Azure resource that can contain multiple inbound and outbound security rules. You can define these rules to allow or block traffic, based on factors such as source and destination IP address, port, and protocol.

FastPath

an azure express route feature that is only available in the Ultra Performance SKU/ErGw3Az gateway type. the feature enables the network traffic from your on-premises network to bypass the virtual network gateway to improve performance

You have an Azure subscription that is linked to an Azure Active Directory (Azure AD) tenant named contoso.onmicrosoft.com. The subscription contains the following resources: An Azure App Service app named App1 An Azure DNS zone named contoso.com An Azure private DNS zone named private.contoso.com A virtual network named Vnet1 You create a private endpoint for App1. The record for the endpoint is registered automatically in Azure DNS. You need to provide a developer with the name that is registered in Azure DNS for the private endpoint. What should you provide?

app1.privatelink.azurewebsites.net

Capabilities of Azure Virtual Networks

enable resources in Azure to securely communicate with each other, the internet, and on-premises networks

Azure Availability Zones

made up of one or more datacenters equipped with independent power, cooling, and networking

Azure Firewall

managed cloud-based network security service that protects your Azure Virtual Network resources

Azure Virtual Networks (VNets)

the fundamental building block of your private network in Azure. enable you to build complex virtual networks that are similar to an on-premises network, with additional benefits of Azure infrastructure such as scale, availability, and isolation. Each one you create has its own CIDR block and can be linked to others and on-premises networks as long as the CIDR blocks do not overlap. You also have control of DNS server settings f and segmentation into subnets.

You have an Azure Web Application Firewall (WAF) policy in prevention mode that is associated with an Azure Front Door instance. You need to configure the policy to meet the following requirements: Log all connections from Australia. Deny all connections from New Zealand. Deny all further connections from a network of 31.107.100.0/24 if there are more than 100 connections during one minute. What is the minimum number of objects you should create?

three custom rules that each has one condition

Azure reserves 5 IP addresses within each subnet, which are they and why?

x.x.x.0: Network address x.x.x.1: Reserved by Azure for the default gateway x.x.x.2, x.x.x.3: Reserved by Azure to map the Azure DNS IPs to the VNet space x.x.x.255: Network broadcast address


Related study sets

mastering a&p 2 ch. 25 group 4 modules 25.9-25.10 DSM

View Set

APWH, Unit 4 Test, My AP Practice

View Set

Astronomy 100g Midterm 2 & 3/ Final Flashcards (Lectures 12- 40)

View Set

Chapter 5.5 1,2,3,4, and 5.6 1,2 and 3

View Set

Les nombres de 0 à 100 (en français de France et en français de Suisse)

View Set