AZ-700 Microsoft Designing and Implementing Microsoft Azure Networking Solutions Free Practice Exam Questions (2025 Updated)

Here are the steps and explanations for ensuring that connections to the storage34280945 storage account can be made by using an IP address in the 10.1.1.0/24 range and the name stor-age34280945.pnvatelinlcblob.core.windows.net:

To allow access from a specific IP address range, you need to configure the Azure Storage firewall and virtual network settings for your storage account. You can do this in the Azure portal by selecting your storage account and then selecting Networking under Settings1.

On the Networking page, select Firewalls and virtual networks, and then select Selected networks under Allow access from1. This will block all access to your storage account except from the networks or resources that you specify.

Under Firewall, select Add rule, and then enter 10.1.1.0/24 as the IP address or range. You can also enter an optional rule name and description1. This will allow access from any IP address in the 10.1.1.0/24 range.

Select Save to apply your changes1.

To map a custom domain name to your storage account, you need to create a CNAME record with your domain provider that points to your storage account endpoint2. A CNAME record is a type of DNS record that maps a source domain name to a destination domain name.

Sign in to your domain registrar’s website, and then go to the page for managing DNS settings2.

Create a CNAME record with the following information2:

Source domain name: stor-age34280945.pnvatelinlcblob.core.windows.net

Destination domain name: stor-age34280945.pnvatelinlcblob.core.windows.net

Save your changes and wait for the DNS propagation to take effect2.

To register the custom domain name with Azure, you need to go back to the Azure portal and select your storage account. Then select Custom domain under Blob service2.

On the Custom domain page, enter stor-age34280945.pnvatelinlcblob.core.windows.net as the custom domain name and select Save2.

To create an Azure Firewall instance, you need to go to the Azure portal and select Create a resource. Type firewall in the search box and press Enter. Select Firewall and then select Create1.

To assign an IP address from the address range of 10.1.255.0/24 to the firewall, you need to select a public IP address that belongs to that range. You can either create a new public IP address or use an existing one1.

To use a new Premium firewall policy named FW-policy1, you need to select Premium as the Firewall tier and create a new policy with the name FW-policy12. A Premium firewall policy allows you to configure advanced features such as TLS Inspection, IDPS, URL Filtering, and Web Categories3.

To route traffic directly to the internet, you need to enable SNAT (Source Network Address Translation) for the firewall. SNAT allows the firewall to use its public IP address as the source address for outbound traffic4.

To deploy Azure virtual machines to the France Central region and ensure they are in a network segment with an IP address range of 10.5.1.0/24, follow these steps:

Step-by-Step Solution

Step 1: Create a Virtual Network in France Central

Navigate to the Azure Portal.

Search for “Virtual networks” in the search bar and select it.

Click on “Create”.

Enter the following details:

Subscription: Select your subscription.

Resource Group: Select an existing resource group or create a new one.

Name: Enter a name for the virtual network (e.g., VNet-FranceCentral).

Region: Select France Central.

Click on “Next: IP Addresses”.

Step 2: Configure the Address Space and Subnet

In the IP Addresses tab, enter the address space as 10.5.1.0/24.

Click on “Add subnet”.

Enter the following details:

Subnet name: Enter a name for the subnet (e.g., Subnet-1).

Subnet address range: Enter 10.5.1.0/24.

Click on “Add”.

Click on “Review + create” and then “Create”.

Step 3: Deploy Virtual Machines to the Virtual Network

Navigate to the Azure Portal.

Search for “Virtual machines” in the search bar and select it.

Click on “Create” and then “Azure virtual machine”.

Enter the following details:

Subscription: Select your subscription.

Resource Group: Select the same resource group used for the virtual network.

Virtual machine name: Enter a name for the VM.

Region: Select France Central.

Image: Select the desired OS image.

Size: Select the appropriate VM size.

Click on “Next: Disks”, configure the disks as needed, and then click on “Next: Networking”.

In the Networking tab, select the virtual network (VNet-FranceCentral) and subnet (Subnet-1) created earlier.

Complete the remaining configuration steps and click on “Review + create” and then “Create”.

Explanation

Virtual Network: A virtual network in Azure allows you to create a logically isolated network that can host your Azure resources.

Address Space: The address space 10.5.1.0/24 ensures that the VMs are in a specific network segment.

Subnet: Subnets allow you to segment the virtual network into smaller, manageable sections.

Region: Deploying the virtual network and VMs in the France Central region ensures that the resources are physically located in that region.

By following these steps, you can ensure that your Azure virtual machines in the France Central region are deployed within the specified IP address range of 10.5.1.0/24.

Here are the steps and explanations for creating the object that will provide the IP addressing configuration of the on-premises network to the Site-to-Site VPN:

The object that you need to create is called a local network gateway. A local network gateway represents your on-premises network and VPN device in Azure. It contains the public IP address of your VPN device and the address prefixes of your on-premises network that you want to connect to the Azure virtual network1.

To create a local network gateway, you need to go to the Azure portal and select Create a resource. Search for local network gateway, select Local network gateway, then select Create2.

On the Create local network gateway page, enter or select the following information and accept the defaults for the remaining settings:

Name: Type a unique name for your local network gateway.

IP address: Type the public IP address of your VPN device, which is 131.107.50.60 in this case.

Address space: Type the internal address range of your on-premises network, which is 10.10.0.0/16 in this case.

Subscription: Select your subscription name.

Resource group: Select your resource group name.

Location: Select the same region as your virtual network.

Select Review + create and then select Create to create your local network gateway2.

To archive all the metrics of VNET1 to an existing storage account, you can use Azure Monitor’s diagnostic settings. Here’s how you can do it:

Step-by-Step Solution

Step 1: Navigate to VNET1 in the Azure Portal

Open the Azure Portal.

Search for “Virtual networks” and select VNET1 from the list.

Step 2: Configure Diagnostic Settings

In the VNET1 blade, select “Diagnostic settings” under the “Monitoring” section.

Click on “Add diagnostic setting”.

Step 3: Set Up the Diagnostic Setting

Enter a name for the diagnostic setting (e.g., VNET1-Metrics-Archive).

Select the metrics you want to archive. You can choose from various metrics like TotalBytesReceived, TotalBytesSent, etc.

Under “Destination details”, select “Archive to a storage account”.

Choose the existing storage account where you want to archive the metrics.

Configure the retention period if needed.

Step 4: Save the Configuration

Review your settings to ensure everything is correct.

Click on “Save” to apply the diagnostic setting.

Explanation

Diagnostic Settings: These allow you to collect and route metrics and logs from your Azure resources to various destinations, including storage accounts, Log Analytics workspaces, and Event Hubs.

Metrics: Metrics provide numerical data about the performance and health of your resources. Archiving these metrics helps in long-term analysis and compliance.

Storage Account: Using an existing storage account ensures that the metrics are stored securely and can be accessed for future analysis.

By following these steps, you can ensure that all the metrics of VNET1 are archived to your existing storage account, enabling you to monitor and analyze the performance and health of your virtual network over time.

To ensure that all traffic to the internet from subnet3-1 is forwarded to the appliance in subnet3-2 for packet inspection, you can use User-Defined Routes (UDRs) to direct the traffic. Here’s how you can do it:

Navigate to the Azure Portal.

Search for “Route tables” and select it.

Click on “Create”.

Enter the following details:

Subscription: Select your subscription.

Resource Group: Select an existing resource group or create a new one.

Name: Enter a name for the route table (e.g., RouteTable-Subnet3-1).

Region: Select the region where your virtual network is located.

Click on “Review + create” and then “Create”.

Navigate to the newly created route table.

Select “Routes” from the left-hand menu.

Click on “Add” to create a new route.

Enter the following details:

Route name: Enter a name for the route (e.g., RouteToAppliance).

Address prefix: Enter 0.0.0.0/0 to route all internet traffic.

Next hop type: Select Virtual appliance.

Next hop address: Enter the IP address of the appliance (10.3.2.100).

Click on “OK” to add the route.

Navigate to the route table.

Select “Subnets” from the left-hand menu.

Click on “Associate”.

Select the virtual network that contains subnet3-1.

Select subnet3-1 from the list of subnets.

Click on “OK”.

User-Defined Routes (UDRs): These allow you to control the routing of traffic within your virtual network. By defining a route that directs all internet-bound traffic to the appliance, you ensure that the traffic is inspected before it reaches the internet1.

Virtual Appliance: This is a network appliance that performs specific functions, such as packet inspection, and is treated as a next hop in the routing table2.

Route Table Association: Associating the route table with subnet3-1 ensures that all traffic from this subnet follows the defined routes.

Step-by-Step SolutionStep 1: Create a Route TableStep 2: Add a Route to the Route TableStep 3: Associate the Route Table with Subnet3-1ExplanationBy following these steps, you can ensure that all internet-bound traffic from subnet3-1 is forwarded to the appliance in subnet3-2 for inspection, thereby enhancing your network security.

To achieve the task of ensuring that virtual machines on VNET1 and VNET2 are included automatically in a DNS zone named contoso.azure, and that they can resolve the names of the virtual machines on either virtual network, you can follow these steps:

Step-by-Step Solution

Step 1: Create a Private DNS Zone

Navigate to the Azure Portal.

Search for “Private DNS zones” in the search bar and select it.

Click on “Create”.

Enter the DNS zone name as contoso.azure.

Select the appropriate subscription and resource group.

Click on “Review + create” and then “Create”.

Step 2: Link VNET1 and VNET2 to the DNS Zone

Go to the newly created DNS zone (contoso.azure).

Select “Virtual network links” from the left-hand menu.

Click on “Add”.

Enter a name for the link (e.g., VNET1-link).

Select the subscription and virtual network (VNET1).

Enable auto-registration to ensure that VMs are automatically registered in the DNS zone.

Click on “OK”.

Repeat the process for VNET2.

Step 3: Configure DNS Settings for VNET1 and VNET2

Navigate to VNET1 in the Azure Portal.

Select “DNS servers” under the “Settings” section.

Ensure that the DNS server is set to “Default (Azure-provided)”.

Repeat the process for VNET2.

Step 4: Verify Name Resolution

Deploy a virtual machine in VNET1 and another in VNET2.

Connect to the virtual machines using Remote Desktop Protocol (RDP) or Secure Shell (SSH).

Test name resolution by pinging the VM in VNET2 from the VM in VNET1 using its hostname (e.g., ping .contoso.azure).

Explanation

Private DNS Zone: This allows you to manage and resolve domain names in a private network without exposing them to the public internet.

Virtual Network Links: Linking VNET1 and VNET2 to the DNS zone ensures that VMs in these networks can register their DNS records automatically.

Auto-registration: This feature automatically registers the DNS records of VMs in the linked virtual networks, simplifying management.

DNS Settings: Using Azure-provided DNS ensures that the VMs can resolve each other’s names without additional configuration.

By following these steps, you ensure that virtual machines on VNET1 and VNET2 are included automatically in the DNS zone contoso.azure and can resolve each other’s names seamlessly.

To prevent all Azure hosts outside of subnet1-2 from connecting to TCP port 5585 on hosts within subnet1-2, you can use a Network Security Group (NSG). This solution is straightforward and minimizes administrative effort.

Step-by-Step Solution

Step 1: Create a Network Security Group (NSG)

Navigate to the Azure Portal.

Search for “Network security groups” and select it.

Click on “Create”.

Enter the following details:

Subscription: Select your subscription.

Resource Group: Select an existing resource group or create a new one.

Name: Enter a name for the NSG (e.g., NSG-Subnet1-2).

Region: Select the region where your virtual network is located.

Click on “Review + create” and then “Create”.

Step 2: Create an Inbound Security Rule

Navigate to the newly created NSG.

Select “Inbound security rules” from the left-hand menu.

Click on “Add” to create a new rule.

Enter the following details:

Source: Select Service Tag.

Source Service Tag: Select VirtualNetwork.

Source port ranges: Leave as *.

Destination: Select IP Addresses.

Destination IP addresses/CIDR ranges: Enter the IP range of subnet1-2 (e.g., 10.1.2.0/24).

Destination port ranges: Enter 5585.

Protocol: Select TCP.

Action: Select Deny.

Priority: Enter a priority value (e.g., 100).

Name: Enter a name for the rule (e.g., Deny-TCP-5585).

Click on “Add” to create the rule.

Step 3: Associate the NSG with Subnet1-2

Navigate to the virtual network that contains subnet1-2.

Select “Subnets” from the left-hand menu.

Select subnet1-2 from the list of subnets.

Click on “Network security group”.

Select the NSG you created (NSG-Subnet1-2).

Click on “Save”.

Explanation

Network Security Group (NSG): NSGs are used to filter network traffic to and from Azure resources in an Azure virtual network. They contain security rules that allow or deny inbound and outbound traffic based on source and destination IP addresses, port, and protocol1.

Inbound Security Rule: By creating a rule that denies traffic on TCP port 5585 from any source outside of subnet1-2, you ensure that only hosts within subnet1-2 can connect to this port.

Association with Subnet: Associating the NSG with subnet1-2 ensures that the security rules are applied to all resources within this subnet.

By following these steps, you can effectively prevent all Azure hosts outside of subnet1-2 from connecting to TCP port 5585 on hosts within subnet1-2, while minimizing administrative effort.

Here are the steps and explanations for ensuring that requests for wwwjelecloud.com from any of your Azure virtual networks resolve to frontdoor1.azurefd.net:

To use a custom domain with your Azure Front Door, you need to create a CNAME record with your domain provider that points to the Front Door default frontend host. A CNAME record is a type of DNS record that maps a source domain name to a destination domain name1.

To create a CNAME record, you need to sign in to your domain registrar’s website and go to the page for managing DNS settings1.

Create a CNAME record with the following information1:

Source domain name: wwwjelecloud.com

Destination domain name: frontdoor1.azurefd.net

Save your changes and wait for the DNS propagation to take effect1.

To verify the custom domain, you need to go to the Azure portal and select your Front Door profile. Then select Domains under Settings and select Add2.

On the Add a domain page, select Non-Azure validated domain as the Domain type and enter wwwjelecloud.com as the Domain name. Then select Add2.

On the Domains page, select wwwjelecloud.com and select Verify. This will check if the CNAME record is correctly configured2.

Once the domain is verified, you can associate it with your Front Door endpoint. On the Domains page, select wwwjelecloud.com and select Associate endpoint. Then select your Front Door endpoint from the drop-down list and select Associate2.

NGS1 only

VM2, VM3, VM4 and VM5