Free Microsoft Azure AZ-700 Actual Exam Questions
Dumps Box (DumpsBox) offers up-to-date practice exam questions for the AZ-700 certification exam, which are developed and validated by Microsoft subject domain experts certified in Microsoft Azure AZ-700. These practice questions are updated regularly as we keep an eye on any recent changes in the AZ-700 syllabus, and when there is an update our team quickly adjusts the questions. This commitment to providing the best quality exam prep material to certification aspirants is what makes DumpsBox.com the best certification exam prep website. On top of that, our strong, yet strictly moderated, community-based feedback keeps the content clean and current. Each question has a helpful community discussion that gives it extra perspective and introduces helpful resources for better exam preparation. This also saves students from other outdated practice questions or illicit exam dumps that can have adverse effects on a career. Browse through our Microsoft Azure AZ-700 exam questions and pass your exam on the first try.
App1.
You need to modify the server variables in the response header of App1.
What should you configure on AppGW1?
B imo, rewrites are designed for modifying headers and URL parts in responses. HTTP settings control backend connections but don’t typically alter response headers directly.
B vs A? Rewrites handle header changes, HTTP settings focus more on backend communication.
the series contains a unique solution that might meet the stated goals. Some question sets might
have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.
You have an Azure subscription that contains an Azure Virtual WAN named VWAN1. VWAN1 contains
a hub named Hub1.
Hub1 has a security status of Unsecured.
You need to ensure that the security status of Hub1 is marked as Secured.
Solution: You implement Azure NAT Gateway.
Does this meet the requirement?
Option B makes the most sense here. NAT Gateway is mostly about managing outbound connections and doesn’t provide the kind of threat protection or traffic inspection needed to change Hub1’s security status to Secured. The question hints that securing the hub usually involves deploying a firewall or similar security appliance, which NAT Gateway doesn’t do. So just adding NAT Gateway isn’t enough to meet the requirement.
B imo, NAT Gateway mainly deals with outbound connectivity and doesn’t impact the security status of the hub. The “Secured” status typically requires a firewall like Azure Firewall or a security appliance integrated into the hub to inspect and control traffic. Just adding NAT Gateway won’t change that flag.

You create a virtual network named Vnet2 in the West US region.
You plan to enable peering between Vnet1 and Vnet2.
You need to ensure that the virtual machines connected to Vnet2 can connect to VM1 and VM2 via
LB1.
What should you do?
It’s D, because allowing traffic forwarding on Vnet1’s peering is key for load balancer traffic.
Option C makes sense since only a Standard SKU LB supports cross-region peering, so upgrading LB1 is necessary. Also, the peering settings on Vnet1 probably need updating to allow traffic forwarding, making D relevant too.
table.

You need to deploy an Azure application gateway named AppGW1 to VNet1. To where can you deploy
AppGW1?
Maybe B, since AppGW requires a dedicated subnet and GatewaySubnet is for VPN/ExpressRoute.
Maybe D. Azure Application Gateway needs to be deployed in a dedicated subnet, but it doesn’t have to be the GatewaySubnet specifically reserved for VPN or ExpressRoute gateways. From what I remember, Application Gateway can go into either the GatewaySubnet or another subnet like Subnet2, as long as the subnet has enough IPs. Subnet1 might be too small or not suitable. So options that allow both GatewaySubnet and Subnet2 seem more flexible here.
networking requirements.
What should you use to configure the default route?
C assigning a user-defined route on Vnet1’s GatewaySubnet lets Vnet2 and Vnet3 use its gateway properly.
It’s C for me. Since you want the default route on Vnet2 and Vnet3 to point through Vnet1’s gateway, assigning a user-defined route to the GatewaySubnet in Vnet1 that directs traffic accordingly makes sense. D seems off because GatewaySubnet in Vnet2 and Vnet3 likely can’t have custom routes applied, as others mentioned. BGP is great for dynamic routing, but if the question expects a manual default route setup, then C fits better here. Route filters (A) don’t really configure default routes, so that leaves C as the most reasonable choice.
The company has a web app named App1 that has the Azure Traffic Manager profile shown in the
following table.

In Asia, you plan to deploy an additional endpoint that will host an updated version of App1. You
need to route 10 percent of the traffic from the Tokyo office to the new endpoint during testing. What
should you configure in Traffic Manager?
Looks like the key here is controlling traffic specifically from Tokyo. Using two profiles (option D) sounds right since one can handle global routing and the other can manage the new endpoint traffic split for Tokyo. Also, having five endpoints total fits since you’re adding a new one in Asia. One profile might not give precise control over just Tokyo's traffic, so D makes more sense to me.
B tbh. Since you need to split traffic specifically for Tokyo, it makes sense to have two profiles: one handling global routing and another dedicated to Asia or Tokyo endpoints. That way, you can control the 10% test traffic separately without messing with other regions. Four endpoints split between the two profiles sounds about right, given the existing endpoints plus the new one in Asia. One profile might get messy trying to manage weighted routing across all locations for a precise 10% in just Tokyo.
The company has an Azure subscription that contains the virtual networks shown in the following
table.
Name     Location
Vnet1    East US
Vnet2    North Europe
Vnet3    West US
Vnet4    West Europe
You need to connect the virtual networks to the office by using ExpressRoute. The solution must
meet the following requirements:
• The connection must have up to 1 Gbps of bandwidth.
• The office must have access to all the virtual networks.
• Costs must be minimized.
How many ExpressRoute circuits should be provisioned, and which ExpressRoute SKU should you
enable?
Not just bandwidth, but the global reach of Premium is crucial here. Since VNets span US and Europe, only one Premium circuit (B) can connect all without multiple expensive circuits.
This is tricky, but I think it has to be B. One Premium circuit covers global connectivity, so it can link the US and European VNets plus the office in one go, which keeps costs down versus multiple circuits. Standard circuits wouldn’t span those regions. Also, since the bandwidth cap is 1 Gbps total, a single circuit should handle it without needing to split. So, one Premium circuit makes the most sense here.

You plan to deploy an Azure Virtual Network NAT gateway named Gateway1. The solution must
meet the following requirements:
• VM1 will access the internet by using its public IP address.
• VM2 will access the internet by using its public IP address.
• Administrative effort must be minimized.
You need to ensure that you can deploy Gateway1 to Vnet1.
What is the minimal number of subnets that Vnet1 must have?
A/B? You need at least one subnet for the NAT gateway and one for both VMs if they can share a subnet. Separate subnets for each VM aren’t strictly needed unless isolation is required.
Maybe B. One subnet for the NAT gateway, one for VM1, and one for VM2 to keep their public IPs separate and minimize admin effort. That fits the requirement better than just two subnets.
machines shown in the following table.

All the virtual machines are connected to VNet1.
You need to ensure that the applications hosted on the virtual machines can be accessed from the
internet. The solution must ensure that the virtual machines share a single public IP address.
What should you use?
It’s C because the public load balancer allows multiple VMs to share one public IP for inbound internet traffic, unlike NAT gateway or internal load balancer which don’t expose VMs publicly.
Option C works since it lets multiple VMs share one public IP for inbound traffic.

NSG1 is associated to the NIC of VM1 and contains the rules shown in the following table.

You collect NSG flow logs for five minutes for the following activities:
• Two RDP sessions from VM1 to VM2, each initiated from a different TCP port
• Three SSH sessions from VM2 to VM1, each initiated from a different TCP port
You analyze the logs by using Traffic Analytics in Azure Network Watcher. How many aggregated flow
entries will Traffic Analytics identify?
It’s D. Each session has both inbound and outbound traffic, and since each RDP and SSH session uses a unique source port, that means Traffic Analytics will log both directions separately. So for 5 sessions, you get 10 flow entries total. Counting only one direction or aggregating by session wouldn’t capture the full picture here.
D, since each session is bidirectional and has unique ports, doubling the count.

You need to configure FW1 to filter traffic that originates from VNet1 and targets the FQDN of
SQLDB1. Which type of rule should you use?
B, since only application rules let you filter traffic by FQDN directly.
It’s B. Application rules are designed to filter based on FQDNs, which fits perfectly since you need to filter traffic targeting SQLDB1 by its domain name. Network rules generally filter by IPs and ports, so they won’t work well here for FQDN filtering. Plus, DNAT is for inbound translation, not filtering outbound traffic by domain. Infrastructure rules aren’t related to this scenario either. So even if the SKU isn’t specified, the question’s focus on FQDN strongly points to application rules.
(SD-WAN). The SD-WAN uses
BGP.
You have an Azure subscription that contains 20 virtual networks configured as a hub and spoke
topology. The topology contains a hub virtual network named Vnet1.
The virtual networks connect to the SD-WAN by using a network virtual appliance (NVA) in Vnet1.
You need to ensure that BGP route advertisements will propagate between the virtual networks and
the SD-WAN. The solution must minimize administrative effort.
What should you implement?
D imo. Azure Route Server makes BGP route sharing seamless between your VNets and the SD-WAN via the NVA without having to manage individual BGP sessions on multiple VPN gateways. Since the question mentions minimizing admin effort, Route Server fits best because it automates route propagation. A could work but managing 40 branches plus 20 VNets with individual VPN gateways sounds like a nightmare. B and C don’t handle routing in this context, so they can be ruled out pretty quickly.
I’m thinking option A could be tricky since you'd have to manage BGP sessions on each VPN gateway, which might increase admin overhead. Does the NVA even support direct BGP peering with Route Server in option D?
HOTSPOT You have an on-premises network that includes the sites shown in the following table.
Each site is connected to the Internet by a firewall. All sites are connected to an SD-WAN. Each site is configured to propagate routes by using BGP. You have an Azure subscription that includes a virtual network named Vnet1 that contains a Virtual Network Gateway named Gateway 1. You create a local network gateway with the configuration shown in the gateway exhibit (Click the Gateway tab.)
You create a Site-to-Site (S2S) connection with the configuration shown in the connection exhibit. (Click the Connection tab.)
For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.
Option A looks off because the BGP peer IP in the connection doesn’t match what's set in the local network gateway. That usually stops BGP from forming properly.
Also thinking option B should be No since for BGP to work, both sides need to agree on the ASN, and here they are different. That mismatch usually breaks BGP route propagation.
HOTSPOT You have an Azure subscription that contains an Azure Firewall policy named FWPolicy1. You need to configure FWPolicy1 to meet the following requirements:
• Allow traffic based on the FQDN of the destination.
• Allow TCP traffic based on the source.
Which types of rules should you use for each requirement? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Application rules are best for filtering by FQDN, while Network rules allow control of TCP traffic by source IP. This matches the need to filter destination domains and source-based TCP traffic separately.
Application rules for FQDN and Network rules for TCP by source IP makes sense here.
HOTSPOT You have the network topology shown in the Topology exhibit. (Click the Topology tab.)
You have the Azure firewall shown in the Firewall 1 exhibit. (Click the Firewall tab.)
You have the route table shown in the RouteTable1 exhibit. (Click the RouteTable1 tab.)
For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point. 
I agree statement 1 is a yes because the default route clearly points to the firewall IP, which means it acts as the next hop for outbound traffic. For statement 2, I’d say no since there’s no indication that all inbound traffic from the internet is forced through the firewall—only outbound seems covered. Also, statement 3 should be no because the route table doesn’t show any specific routes for internal subnet-to-subnet traffic through the firewall or anywhere else. The routing is mostly about outbound internet traffic here.
I think the key is how the firewall IP is set as the next hop for 0.0.0.0/0 in the route table, so that means all outbound traffic will go through the firewall, confirming statement 1. For statement 2, since there’s no route targeting Azure services specifically, it shouldn’t be yes. Also, statement 3 looks off because there’s no user-defined route for the subnet to communicate outside via anything but the firewall, so no direct routing without firewall involvement.