AZ-700 free question set: "Microsoft Designing and Implementing Microsoft Azure Networking Solutions"
Task 3
You plan to implement an Azure application gateway in the East US Azure region. The application gateway will have Web Application Firewall (WAF) enabled.
You need to create a policy that can be linked to the planned application gateway. The policy must block connections from IP addresses in the 131.107.150.0/24 range. You do NOT need to provision the application gateway to complete this task.
Correct answer:
See the Explanation below for step by step instructions.
Explanation:
Here are the steps and explanations for creating a policy that can be linked to the planned application gateway and block connections from IP addresses in the 131.107.150.0/24 range:
* To create a policy, go to the Azure portal and select Create a resource. Search for WAF, select Web Application Firewall, then select Create.
* On the Create a WAF policy page, Basics tab, enter or select the following information and accept the defaults for the remaining settings:
  * Policy for: Regional WAF (Application Gateway)
  * Subscription: Select your subscription name
  * Resource group: Select your resource group
  * Policy name: Type a unique name for your WAF policy
* On the Custom rules tab, select Add a rule to create a custom rule that blocks connections from IP addresses in the 131.107.150.0/24 range. Enter or select the following information for the custom rule:
  * Rule name: Type a unique name for your custom rule
  * Priority: Type a number that indicates the order of evaluation for this rule
  * Rule type: Select Match rule
  * Match variable: Select RemoteAddr
  * Operator: Select IPMatch
  * Match values: Type 131.107.150.0/24
  * Action: Select Block
* On the Review + create tab, review your settings and select Create to create your WAF policy.
* To link your policy to the planned application gateway, go to the Application Gateway service in the Azure portal and select your application gateway.
* On the Web application firewall tab, select your WAF policy from the drop-down list and select Save.
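The custom rule from the steps above can be checked offline before the policy is linked to a gateway. This Python sketch is an added example, not part of the original answer: it models the rule in the JSON shape of a WAF policy custom rule and evaluates rules in ascending priority number, with the first match deciding the action. The rule names, priority values and the broader Allow rule are constructed for illustration.

```python
import ipaddress

# The rule from the steps above, in the shape of a customRules entry of a
# WAF policy. Name and priority are assumed values, not taken from the page.
BLOCK_RULE = {
    "name": "BlockRange", "priority": 10, "ruleType": "MatchRule",
    "action": "Block",
    "matchConditions": [{
        "matchVariables": [{"variableName": "RemoteAddr"}],
        "operator": "IPMatch",
        "matchValues": ["131.107.150.0/24"],
    }],
}

# Constructed misconfiguration: a broader Allow rule with a lower priority
# number is evaluated first and shadows the Block rule.
ALLOW_RULE = {
    "name": "AllowWide", "priority": 5, "ruleType": "MatchRule",
    "action": "Allow",
    "matchConditions": [{
        "matchVariables": [{"variableName": "RemoteAddr"}],
        "operator": "IPMatch",
        "matchValues": ["131.107.0.0/16"],
    }],
}


def condition_matches(cond, remote_addr):
    """Local model of one RemoteAddr / IPMatch condition."""
    names = [v["variableName"] for v in cond["matchVariables"]]
    if names != ["RemoteAddr"] or cond["operator"] != "IPMatch":
        raise ValueError("model only covers RemoteAddr with IPMatch")
    addr = ipaddress.ip_address(remote_addr)
    # strict=True rejects values with host bits set, e.g. 131.107.150.1/24
    nets = [ipaddress.ip_network(v, strict=True) for v in cond["matchValues"]]
    return any(addr in net for net in nets)


def evaluate(custom_rules, remote_addr):
    """Return (action, rule name) of the first match, lowest priority number first."""
    for rule in sorted(custom_rules, key=lambda r: r["priority"]):
        if all(condition_matches(c, remote_addr) for c in rule["matchConditions"]):
            return rule["action"], rule["name"]
    return "NoMatch", None  # no custom rule applied to this address


if __name__ == "__main__":
    for ip in ("131.107.150.0", "131.107.150.255", "131.107.151.1"):
        print(ip, evaluate([BLOCK_RULE], ip))
    print("shadowed:", evaluate([ALLOW_RULE, BLOCK_RULE], "131.107.150.7"))
```

When reviewing an exported policy, the shadowing case is the one to look for: any Allow rule that covers the blocked range and has a lower priority number defeats the block.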
You have an Azure subscription.
You have the on-premises sites shown in the following table.

You plan to deploy Azure Virtual WAN.
You are evaluating Virtual WAN Basic and Virtual WAN Standard.
Which type of Virtual WAN can you use for each site? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.


Correct answer:

Explanation:

Reference:
https://docs.microsoft.com/en-us/azure/virtual-wan/virtual-wan-about
You have an on-premises network named Site1.
You have an Azure subscription that contains a virtual network named VNet1 and a storage account named storage1.
Site1 and VNet1 are connected by using a Site-to-Site (S2S) VPN.
You need to ensure that the servers in Site1 can connect to storage1 by using the S2S VPN. The solution must minimize administrative effort.
What should you create on VNet1?
Correct answer: A
You have an Azure subscription that contains multiple virtual machines in the West US Azure region.
You need to use Traffic Analytics.
Which two resources should you create? Each correct answer presents part of the solution. (Choose two.) NOTE: Each correct answer selection is worth one point.
Correct answer: A, C
You have on-premises datacenters in New York and Seattle.
You have an Azure subscription that contains the ExpressRoute circuits shown in the following table.

| Name | Azure region | Datacenter |
| --- | --- | --- |
| ERC1 | East US | New York |
| ERC2 | West US2 | Seattle |

You need to ensure that all the data sent between the datacenters is routed via the ExpressRoute circuits. The solution must minimize costs.


Correct answer:

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription that contains an Azure Virtual WAN named VWAN1. VWAN1 contains a hub named Hub1.
Hub1 has a security status of Unsecured.
You need to ensure that the security status of Hub1 is marked as Secured.
Solution: You implement Azure Web Application Firewall (WAF).
Does this meet the requirement?
Correct answer: B
You have the Azure subscriptions shown in the following table.

Each virtual network contains 20 internet-accessible resources that are assigned public IP addresses.
You need to implement Azure DDoS Network Protection to protect the resources. The solution must minimize costs.
What is the minimum number of DDoS Network Protection plans you should deploy?

Correct answer: C
You have an Azure subscription that contains an Azure Front Door Premium profile named AFD1 and an Azure Web Application Firewall (WAF) policy named WAF1. AFD1 is associated with WAF1.
You need to configure a rate limit for incoming requests to AFD1.
Solution: You add a rule to the rule set of AFD1.
Does this meet the goal?
Correct answer: A
You have an Azure subscription that contains an Azure Firewall policy named FWPolicy1. You need to configure FWPolicy1 to meet the following requirements:
* Allow traffic based on the FQDN of the destination.
* Allow TCP traffic based on the source.
Which types of rules should you use for each requirement? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.


Correct answer:

Explanation:

You have an Azure subscription that contains a virtual network named VNet1. VNet1 contains the resources shown in the following table.

You need to publish App1 by using AG1 and a URL of https://app1.contoso.com. The solution must meet the following requirements:
* TLS connections must terminate on AG1.
* Minimize the number of targets in the backend pool of AG1.
* Minimize the number of deployed copies of the SSL certificate of App1.
To how many locations should you import the certificate, and how many targets should you add to the backend pool of AG1? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.



Correct answer:

Explanation:

You plan to implement an Azure virtual network that will contain 10 virtual subnets. The subnets will use IPv6 addresses. Each subnet will host up to 200 load-balanced virtual machines.
You need to recommend which subnet mask size to use for the virtual subnets.
What should you recommend?
Correct answer: B
You need to configure connectivity between NYCNet and SFONet. The solution must meet the connectivity requirements. What should you do? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.


Correct answer:

Explanation:

Task 10
You need to configure VNET1 to log all events and metrics. The solution must ensure that you can query the events and metrics directly from the Azure portal by using KQL.
Correct answer:
See the Explanation below for step by step instructions.
Explanation:
Here are the steps and explanations for configuring VNET1 to log all events and metrics and query them by using KQL:
* To enable logging for VNET1, you need to create a diagnostic setting that collects the platform metrics and logs from the virtual network and routes them to one or more destinations. You can choose to send the data to a Log Analytics workspace, a storage account, an event hub, or a partner solution.
* To create a diagnostic setting, go to the Azure portal and select your virtual network. Then select Diagnostic settings under Monitoring and select + Add diagnostic setting.
* On the Add diagnostic setting page, enter or select the following information:
  * Diagnostic setting name: Type a unique name for your diagnostic setting.
  * Destination details: Select the destination where you want to send the data. For example, you can select Send to Log Analytics workspace and choose your workspace from the list.
  * Log: Select the categories of logs that you want to collect. For VNET1, you can select NetworkSecurityGroupEvent and NetworkSecurityGroupRuleCounter as the log categories.
  * Metric: Select AllMetrics to collect all the platform metrics for VNET1.
* Select Save to create your diagnostic setting.
* To query the events and metrics from the Azure portal by using KQL, go to the Log Analytics workspace that you selected as the destination. Then select Logs under General and enter your KQL query in the query editor.
* For example, you can use the following KQL query to get the top 10 network security group events for VNET1 in the last 24 hours:

    NetworkSecurityGroupEvent
    | where TimeGenerated > ago(24h)
    | where ResourceId contains "VNET1"
    | summarize count() by EventID
    | top 10 by count_

* Select Run to execute your query and view the results in a table or a chart.
You have an Azure environment shown in the following exhibit.

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
NOTE: Each correct selection is worth one point.



Correct answer:

Explanation:

Reference:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-peering-gateway-transit?toc=/azure/virtual-network/toc.json
https://docs.microsoft.com/en-ca/azure/virtual-network/ip-services/ipv6-overview#capabilities
You have an Azure subscription that contains multiple virtual machine scale sets and multiple Azure load balancers. The load balancers balance traffic across the scale sets.
You plan to deploy Azure Front Door to load balance traffic across the load balancers.
You need to identify which Front Door SKU to configure, and what to use to route the traffic to the load balancers. The solution must minimize costs.
What should you identify? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.


Correct answer:

Explanation:

You have an Azure application gateway named AppGw1.
You need to create a rewrite rule for AppGw1. The solution must rewrite the URL of requests from https://www.contoso.com/fashion/shirts to https://www.contoso.com/buy.aspx?category=fashion&product=shirts.
How should you complete the rule? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.


Correct answer:

You have an Azure Virtual Desktop deployment that has 500 session hosts.
All outbound traffic to the internet uses a NAT gateway.
During peak business hours, some users report that they cannot access internet resources. In Azure Monitor, you discover many failed SNAT connections.
You need to increase the available SNAT connections.
What should you do?
Correct answer: B
You have the Azure firewall shown in the following exhibit.

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
NOTE: Each correct selection is worth one point.



Correct answer:

Explanation:
