Free AZ-700 Practice Test

Correct Answer: Network Watcher

Explanation:
Network Watcher provides advanced diagnostics such as packet capture, connection troubleshooting, and topology views. It is specifically designed for network troubleshooting, whereas Azure Monitor provides broader telemetry and metrics.

Correct Answer: Traffic Manager

Explanation:
Traffic Manager uses DNS-based routing to direct clients to the closest or healthiest endpoint based on policies such as geographic routing or performance. It operates globally and does not handle traffic directly, unlike Application Gateway.

Correct Answer: Private Endpoint

Explanation:
Private Endpoints provide private IP addresses within a VNet for accessing Azure PaaS services. This ensures traffic remains within the private network and prevents exposure to the public internet, significantly improving security.

Correct Answer: User-defined route

Explanation:
User-defined routes allow custom routing paths in Azure. By defining a route that sends traffic to an NVA, all outbound traffic from the subnet can be inspected or filtered before reaching its destination. NSGs control access but do not dictate routing paths.

Correct Answer: Azure Bastion

Explanation:
Azure Bastion provides secure RDP and SSH access directly through the Azure portal without requiring public IPs on virtual machines. This reduces the attack surface and eliminates the need to expose management ports to the internet.

Correct Answer: Azure DDoS Protection

Explanation:
Azure DDoS Protection provides automatic detection and mitigation of distributed denial-of-service attacks. It safeguards public endpoints by absorbing and filtering malicious traffic before it reaches resources. Monitoring tools like Network Watcher only observe traffic and do not mitigate attacks.

Correct Answer: Application Gateway

Explanation:
Application Gateway operates at Layer 7 and supports advanced routing features such as URL-based routing, host-based routing, and SSL termination. Layer 4 solutions like Azure Load Balancer cannot inspect HTTP requests to make routing decisions.

Correct Answer: ExpressRoute

Explanation:
ExpressRoute provides a private, dedicated connection between on-premises infrastructure and Azure datacenters. Unlike VPN Gateway, which uses encrypted tunnels over the internet, ExpressRoute ensures higher reliability, lower latency, and increased security by avoiding the public internet entirely.

Correct Answer: Network Security Group

Explanation:
NSGs allow fine-grained filtering of inbound and outbound traffic using rules based on IP, port, and protocol. By creating an allow rule for HTTPS and denying everything else, traffic can be tightly controlled. Other services like load balancers do not enforce security policies at this level.

Correct Answer: VNet peering

Explanation:
VNet peering allows direct private connectivity between VNets over Microsoft’s backbone network, eliminating the need for gateways and reducing latency. Unlike VPN or ExpressRoute, it does not require additional infrastructure or encryption overhead. This makes it the most efficient and cost-effective solution for intra-Azure communication.

Correct Answer: Create a private endpoint within the required subnet

Explanation:
Private Endpoints fully remove public exposure by assigning private IPs. Service endpoints still allow public endpoint exposure. NSGs cannot secure the service itself.

Correct Answer: Deploy Azure Bastion within the virtual network

Explanation:
Azure Bastion enables secure browser-based access without exposing ports. This reduces attack surface significantly. Other options still expose or depend on external access methods.

Correct Answer: Create NSG rules allowing HTTPS from defined source range

Explanation:
NSGs can filter inbound traffic by IP and port efficiently. This provides a direct solution without extra infrastructure. Other options introduce unnecessary complexity.

Correct Answer: Configure global VNet peering between the virtual networks

Explanation:
Global VNet peering uses Microsoft’s backbone for private communication. It avoids gateways and reduces latency. VPN and ExpressRoute add complexity and unnecessary overhead here.

Correct Answer: Apply route tables directing traffic to the hub appliance

Explanation:
User-defined routes ensure all outbound traffic is forced through the firewall. Without UDRs, traffic may take default system routes and bypass inspection. Peering settings alone do not enforce traffic flow direction.

Correct Answer: Peering missing on one VNet side

Explanation:
VNet peering must be configured in both directions. If one side is missing, connectivity fails. DNS and NSGs would not cause intermittent peering failure specifically.

Correct Answer: Private DNS zones with VNet links

Explanation:
Private DNS zones provide centralized name resolution across VNets. Linking VNets ensures seamless communication. Other options do not provide internal DNS resolution.

Correct Answer: Front Door with global routing enabled

Explanation:
Front Door uses Anycast and edge routing to minimize latency. It directs users to the nearest healthy endpoint. Traffic Manager relies on DNS and reacts more slowly.

Correct Answer: Private endpoints for API services

Explanation:
Private Endpoints restrict access to internal networks using private IPs. This ensures APIs are not publicly exposed. NSGs cannot fully prevent public endpoint access.

Correct Answer: Apply route tables sending traffic to firewall

Explanation:
User-defined routes enforce traffic flow through the firewall. Without them, Azure may use default system routes that bypass inspection. Peering and NSGs do not enforce routing paths.

Correct Answer: BGP on both connections

Explanation:
BGP enables dynamic route updates and failover. When one path fails, routes automatically adjust. Static routes cannot adapt dynamically.

Correct Answer: Private DNS zones linked to VNets

Explanation:
Private DNS zones provide centralized name resolution. Linking VNets ensures consistent DNS behavior. Custom DNS servers increase complexity and maintenance.

Correct Answer: Global VNet peering between VNets

Explanation:
Global VNet peering provides private connectivity over Microsoft’s backbone. It avoids gateway overhead and reduces latency. VPN and ExpressRoute are unnecessary here.

Correct Answer: Private endpoints for API resources

Explanation:
Private Endpoints ensure APIs are accessible only via private IPs. This prevents public exposure entirely. NSGs cannot disable public endpoints at the service level.

Correct Answer: Route tables pointing to firewall

Explanation:
User-defined routes override default system routing and force traffic through the firewall. Without them, Azure may route traffic directly to the internet. NSGs filter traffic but do not control routing paths.

Correct Answer: BGP

Explanation:

• BGP (Correct): Dynamically exchanges routes and adapts to failures.
• Static routes: Require manual updates and do not fail over automatically.
• NSG rules: Do not influence routing.
• Traffic Manager: DNS-based routing only.
• Private endpoints: Not related to routing.

Correct Answer: Subnet delegation

Explanation:

• Subnet delegation (Correct): Restricts a subnet to specific Azure services.
• NSG rules: Control traffic, not deployment.
• Route tables: Affect routing only.
• Firewall policies: Control traffic, not resource types.
• Private endpoints: Do not restrict deployments.

Correct Answer: Azure Front Door

Explanation:

• Azure Front Door (Correct): Provides global routing, edge presence, and SSL termination.
• Traffic Manager: DNS-based and does not terminate SSL.
• Application Gateway: Regional service, not global edge.
• Load Balancer: Layer 4 only.
• Azure Firewall: Does not provide global routing.

Correct Answer: User-defined route

Explanation:

• User-defined route (Correct): Directs traffic to a specified next hop such as an NVA.
• NSG rules: Filter traffic but do not control routing paths.
• Private endpoints: Used for PaaS access, not routing.
• Traffic Manager: DNS-based and unrelated.
• Public IP assignment: Does not affect routing behavior.

Correct Answer: Connection Monitor

Explanation:

• Connection Monitor (Correct): Provides continuous latency and connectivity tracking without requiring agents.
• NSG flow logs: Show traffic patterns but not latency measurements.
• Packet capture: Provides detailed snapshots, not ongoing monitoring.
• Azure Monitor metrics: General metrics, not specific connection paths.
• Traffic Manager diagnostics: Not designed for internal latency monitoring.

Correct Answer: Application Gateway

Explanation:

• Application Gateway (Correct): Supports Layer 7 routing, header inspection, and path-based routing.
• Azure Load Balancer: Operates at Layer 4 and cannot inspect HTTP traffic.
• Traffic Manager: DNS-based routing only.
• Azure Firewall: Inspects traffic but does not perform application routing.
• NAT Gateway: Handles outbound connectivity only.

Correct Answer: Private Endpoints

Explanation:

• Private Endpoints (Correct): These provide private IP access and remove public exposure completely.
• Service Endpoints: These keep traffic on Azure’s backbone but still use public endpoints.
• NSG outbound rules: NSGs cannot eliminate public access to a service.
• Route tables: Routing does not affect service exposure.
• Traffic Manager: This is unrelated to access control.

Correct Answer: Apply NSG rules to both subnets

Explanation:

• Apply NSG rules to both subnets (Correct): NSGs allow filtering by port and protocol without changing routing behavior.
• Configure route tables for filtering: Route tables do not filter traffic.
• Deploy Azure Firewall between subnets: This works but is excessive for simple port filtering.
• Use Private Endpoints for communication: Private Endpoints are for accessing PaaS services, not subnet filtering.
• Configure Traffic Manager policies: Traffic Manager does not control internal subnet traffic.

Correct Answer: Associate NAT Gateway with the subnet

Explanation:

• Associate NAT Gateway with the subnet (Correct): NAT Gateway provides a stable outbound IP for all resources in the subnet and scales automatically.
• Assign a public IP to each virtual machine: This creates management overhead and does not scale efficiently.
• Configure Azure Firewall outbound rules: Firewall can provide outbound access, but it is more complex and costly for this requirement.
• Use load balancer outbound rules: These are limited and less flexible compared to NAT Gateway.
• Configure route tables for internet access: Route tables control direction, not outbound IP assignment.

Correct Answer: Configure VNet peering between required VNets

Explanation:

• Configure VNet peering between required VNets (Correct): Peering is non-transitive and must be explicitly configured, which matches the requirement for controlled connectivity.
• Deploy VPN Gateway connections between VNets: This would work but introduces unnecessary overhead compared to native peering.
• Use Azure Virtual WAN for connectivity: This centralizes routing but removes the requirement for explicit pairwise control.
• Configure route tables for traffic control: Route tables do not establish connectivity, only influence paths.
• Use Traffic Manager for routing decisions: Traffic Manager is DNS-based and does not provide private VNet connectivity.