AZ-700 Free Question Set: "Microsoft Designing and Implementing Microsoft Azure Networking Solutions"
You have an Azure subscription. The subscription contains a locally-redundant storage (LRS) account named storage1 that is deployed to the US East Azure region and has a Microsoft Storage service endpoint.
You set Redundancy for storage1 to Read-access geo-redundant storage (RA-GRS). You need to ensure that the contents of storage1 will be accessible by using a service endpoint in a paired region. The solution must minimize administrative effort. What should you do first?
Correct answer: B
You need to plan the deployment of LBGW1. The solution must support the planned changes.
What should you include in the solution? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.


Correct answer:

Explanation:

You have an Azure subscription that contains two virtual networks named Vnet1 and Vnet2.
You register a public DNS zone named fabrikam.com. The zone is configured as shown in the Public DNS Zone exhibit.

You have a private DNS zone named fabrikam.com. The zone is configured as shown in the Private DNS Zone exhibit.

You have a virtual network link configured as shown in the Virtual Network Link exhibit.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.


Correct answer:

Explanation:

Box 1: Yes
DNS queries from the internet use the public DNS zone. In the public DNS zone, www.fabrikam.com is a CNAME record that resolves to appservice1.fabrikam.com which resolves to 131.107.1.1.
Box 2: No
DNS queries from the internet use the public DNS zone. There is no DNS record for server1.fabrikam.com in the public DNS zone.
Box 3: No
The private DNS zone is linked to VNet1, not VNet2. Therefore, resources in VNet2 cannot query the private DNS zone.
You have the Azure subscriptions shown in the following table.

Each virtual network contains 20 internet-accessible resources that are assigned public IP addresses.
You need to implement Azure DDoS Network Protection to protect the resources. The solution must minimize costs.
What is the minimum number of DDoS Network Protection plans you should deploy?

Correct answer: C
You have an Azure Front Door instance that provides access to a web app. The web app uses a hostname of www.contoso.com.
You have the routing rules shown in the following table.

Which rule will apply to each incoming request? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.


Correct answer:

Explanation:

Reference:
https://docs.microsoft.com/en-us/azure/frontdoor/front-door-route-matching
You have an Azure subscription named Sub1 that is linked to a Microsoft Entra tenant named Tenant1. Sub1 contains an Azure VPN gateway named VNetGW1.
You manually register the Azure VPN Client in Tenant1.
You need to configure VNetGW1 to support the Microsoft Entra authentication of Point-to-Site (P2S) VPN connections. The solution must ensure that users can establish P2S VPN connections by using the Azure VPN Client.
To what should you set Tenant and Issuer in the Point-to-site configuration settings of VNetGW1?
To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.


Correct answer:

Explanation:

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have two Azure virtual networks named Vnet1 and Vnet2.
You have a Windows 10 device named Client1 that connects to Vnet1 by using a Point-to-Site (P2S) IKEv2 VPN.
You implement virtual network peering between Vnet1 and Vnet2. Vnet1 allows gateway transit. Vnet2 can use the remote gateway.
You discover that Client1 cannot communicate with Vnet2.
You need to ensure that Client1 can communicate with Vnet2.
Solution: You enable BGP on the gateway of Vnet1.
Does this meet the goal?
Correct answer: B
You have an Azure subscription.
You plan to implement an Azure application gateway named AGW1.
You need to implement an external TLS certificate store for AGW1. The solution must meet the following requirements:
* Keys must be stored by using the highest possible security.
* Administrative effort must be minimized.
Which type of certificate store should you use, and which type of identity should you use to access the store?
To answer, select the appropriate options in the answer area.
NOTE: Each correct answer is worth one point.


Correct answer:

Explanation:

Task 4
You need to ensure that connections to the storage34280945 storage account can be made by using an IP address in the 10.1.1.0/24 range and the name storage34280945.privatelink.blob.core.windows.net.
Correct answer:
See the Explanation below for step by step instructions.
Explanation:
Here are the steps and explanations for ensuring that connections to the storage34280945 storage account can be made by using an IP address in the 10.1.1.0/24 range and the name storage34280945.privatelink.blob.core.windows.net:
* To allow access from a specific IP address range, you need to configure the Azure Storage firewall and virtual network settings for your storage account. You can do this in the Azure portal by selecting your storage account and then selecting Networking under Settings.
* On the Networking page, select Firewalls and virtual networks, and then select Selected networks under Allow access from. This will block all access to your storage account except from the networks or resources that you specify.
* Under Firewall, select Add rule, and then enter 10.1.1.0/24 as the IP address or range. You can also enter an optional rule name and description. This will allow access from any IP address in the 10.1.1.0/24 range.
* Select Save to apply your changes.
* To map a custom domain name to your storage account, you need to create a CNAME record with your domain provider that points to your storage account endpoint. A CNAME record is a type of DNS record that maps a source domain name to a destination domain name.
* Sign in to your domain registrar's website, and then go to the page for managing DNS settings.
* Create a CNAME record with the following information:
  * Source domain name: storage34280945.privatelink.blob.core.windows.net
  * Destination domain name: storage34280945.privatelink.blob.core.windows.net
* Save your changes and wait for the DNS propagation to take effect.
* To register the custom domain name with Azure, you need to go back to the Azure portal and select your storage account. Then select Custom domain under Blob service.
* On the Custom domain page, enter storage34280945.privatelink.blob.core.windows.net as the custom domain name and select Save.
Your company has five offices. Each office has a firewall device and a local internet connection. The offices connect to a third-party SD-WAN.
You have an Azure subscription that contains a virtual network named Vnet1. Vnet1 contains a virtual network gateway named Gateway1. Each office connects to Gateway1 by using a Site-to-Site VPN connection.
You need to replace the third-party SD-WAN with an Azure Virtual WAN. What should you include in the solution?
Correct answer: B
You have an Azure subscription that contains a virtual network named VNet1. VNet1 contains an Azure Virtual Desktop host pool named Pool1.
You need to implement Azure Firewall and TLS inspection for all the outbound traffic from Pool1.
Which two resources should you configure? Each correct answer presents part of the solution.
NOTE: Each correct answer is worth one point.
Correct answers: A, D
You need to implement a P2S VPN for the users in the branch office. The solution must meet the hybrid networking requirements.
What should you do? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.


Correct answer:

Explanation:

Reference:
https://docs.microsoft.com/en-us/azure/vpn-gateway/openvpn-azure-ad-tenant
You have an Azure private DNS zone named contoso.com that is linked to the virtual networks shown in the following table.

The links have auto registration enabled.
You create the virtual machines shown in the following table.

You manually add the following entry to the contoso.com zone:
* Name: VM1
* IP address: 10.1.10.9
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.



Correct answer:

Explanation:

Box 1: No
The manual DNS record will overwrite the auto-registered DNS record so VM1 will resolve to 10.1.10.9.
Box 2: No
The DNS record for VM1 is now a manually created record rather than an auto-registered record. Only auto-registered DNS records are deleted when a VM is deleted.
Box 3: No
This answer depends on how the IP address is changed. To change the IP address of a VM manually, you would need to select 'Static' as the IP address assignment. In this case, the DNS record will not be updated because only DHCP assigned IP addresses are auto-registered.
Reference:
https://docs.microsoft.com/en-us/azure/dns/dns-faq-private