AZ-700 Exam Free Question Bank: "Microsoft Designing and Implementing Microsoft Azure Networking Solutions Certification"
You are planning an Azure deployment that will contain three virtual networks in the East US Azure region as shown in the following table.
A Site-to-Site VPN will connect Vnet1 to your company's on-premises network.
You need to recommend a solution that ensures that the virtual machines on all the virtual networks can communicate with the on-premises network. The solution must minimize costs.
What should you recommend for Vnet2 and Vnet3?
Correct answer: A
Your company has a single on-premises datacenter in New York. The East US Azure region has a peering location in New York.
The company only has Azure resources in the East US region.
You need to implement ExpressRoute to support up to 1 Gbps. You must use only ExpressRoute Unlimited data plans. The solution must minimize costs.
Which type of ExpressRoute circuits should you create?
Correct answer: A
SIMULATION
Task 10
You plan to deploy several virtual machines to subnet1-2.
You need to prevent all Azure hosts outside of subnet1-2 from connecting to TCP port 5585 on hosts on subnet1-2. The solution must minimize administrative effort.
Correct answer:
See the Explanation below for step-by-step instructions
Explanation:
To prevent all Azure hosts outside of subnet1-2 from connecting to TCP port 5585 on hosts within subnet1-2, you can use a Network Security Group (NSG). This solution is straightforward and minimizes administrative effort.
Step-by-Step Solution
Step 1: Create a Network Security Group (NSG)
Navigate to the Azure Portal.
Search for "Network security groups" and select it.
Click on "Create".
Enter the following details:
Subscription: Select your subscription.
Resource Group: Select an existing resource group or create a new one.
Name: Enter a name for the NSG (e.g., NSG-Subnet1-2).
Region: Select the region where your virtual network is located.
Click on "Review + create" and then "Create".
Step 2: Create an Inbound Security Rule
Navigate to the newly created NSG.
Select "Inbound security rules" from the left-hand menu.
Click on "Add" to create a new rule.
Enter the following details:
Source: Select Service Tag.
Source Service Tag: Select VirtualNetwork.
Source port ranges: Leave as *.
Destination: Select IP Addresses.
Destination IP addresses/CIDR ranges: Enter the IP range of subnet1-2 (e.g., 10.1.2.0/24).
Destination port ranges: Enter 5585.
Protocol: Select TCP.
Action: Select Deny.
Priority: Enter a priority value (e.g., 100).
Name: Enter a name for the rule (e.g., Deny-TCP-5585).
Click on "Add" to create the rule.
Step 3: Associate the NSG with Subnet1-2
Navigate to the virtual network that contains subnet1-2.
Select "Subnets" from the left-hand menu.
Select subnet1-2 from the list of subnets.
Click on "Network security group".
Select the NSG you created (NSG-Subnet1-2).
Click on "Save".
Explanation:
Network Security Group (NSG): NSGs are used to filter network traffic to and from Azure resources in an Azure virtual network. They contain security rules that allow or deny inbound and outbound traffic based on source and destination IP addresses, port, and protocol.
Inbound Security Rule: By creating a rule that denies traffic on TCP port 5585 from any source outside of subnet1-2, you ensure that only hosts within subnet1-2 can connect to this port.
Association with Subnet: Associating the NSG with subnet1-2 ensures that the security rules are applied to all resources within this subnet.
By following these steps, you can effectively prevent all Azure hosts outside of subnet1-2 from connecting to TCP port 5585 on hosts within subnet1-2, while minimizing administrative effort.
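The following Python model is an added illustration, not part of the original question bank; it evaluates NSG inbound rules in priority order (lowest number first, Azure's default rules last) using the page's 10.1.2.0/24 range for subnet1-2 and a constructed 10.1.0.0/16 VNet address space to stand in for the VirtualNetwork service tag. It shows the check a practitioner would want to run before relying on the rule above: because the VirtualNetwork tag also covers subnet1-2 itself, the single Deny rule blocks port 5585 between hosts inside the subnet as well, so a higher-priority Allow rule scoped to 10.1.2.0/24 is needed for the stated goal (only hosts in subnet1-2 may connect) to hold.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed assumption: the VNet address space that the VirtualNetwork
# service tag expands to (the page does not state it). subnet1-2 is
# 10.1.2.0/24 as in the page's example and lies inside this space.
VIRTUAL_NETWORK_SPACE = [ipaddress.ip_network("10.1.0.0/16")]
SUBNET1_2 = ipaddress.ip_network("10.1.2.0/24")


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int              # lower number is evaluated first
    source: str                # CIDR, the service tag "VirtualNetwork", or "*"
    dest: str                  # CIDR, "VirtualNetwork", or "*"
    dest_port: Optional[int]   # None means any destination port ("*")
    protocol: str              # "TCP", "UDP" or "*"
    action: str                # "Allow" or "Deny"


def _matches_prefix(addr, spec):
    """True if addr falls inside a CIDR, the VirtualNetwork tag, or '*'."""
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return any(addr in net for net in VIRTUAL_NETWORK_SPACE)
    return addr in ipaddress.ip_network(spec)


def rule_matches(rule, src, dst, port, proto):
    return (_matches_prefix(src, rule.source)
            and _matches_prefix(dst, rule.dest)
            and rule.dest_port in (None, port)
            and rule.protocol in ("*", proto))


# Azure's default inbound rules sit behind every custom rule. The
# AzureLoadBalancer default rule is omitted because this model only
# evaluates VM-to-VM traffic inside the VNet.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "VirtualNetwork", "VirtualNetwork", None, "*", "Allow"),
    Rule("DenyAllInBound", 65500, "*", "*", None, "*", "Deny"),
]


def evaluate(rules, src, dst, port, proto="TCP"):
    """Return (action, rule name) of the first matching rule by priority."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in sorted(rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if rule_matches(rule, src, dst, port, proto):
            return rule.action, rule.name
    return "Deny", "implicit"  # unreachable: DenyAllInBound always matches


# The rule exactly as the step-by-step answer describes it.
PAGE_RULES = [
    Rule("Deny-TCP-5585", 100, "VirtualNetwork", str(SUBNET1_2), 5585, "TCP", "Deny"),
]

# Same deny, preceded by an allow for the subnet's own range so that
# intra-subnet connections to 5585 still work.
HARDENED_RULES = [
    Rule("Allow-Subnet1-2-TCP-5585", 100, str(SUBNET1_2), str(SUBNET1_2), 5585, "TCP", "Allow"),
    Rule("Deny-TCP-5585", 110, "VirtualNetwork", str(SUBNET1_2), 5585, "TCP", "Deny"),
]

if __name__ == "__main__":
    for label, rules in (("page", PAGE_RULES), ("hardened", HARDENED_RULES)):
        print(label, "outside ->", evaluate(rules, "10.1.3.5", "10.1.2.10", 5585))
        print(label, "inside  ->", evaluate(rules, "10.1.2.7", "10.1.2.10", 5585))
```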
You have a hybrid environment that uses ExpressRoute to connect an on-premises network and Azure.
You need to log the uptime and the latency of the connection periodically by using an Azure virtual machine and an on-premises virtual machine.
What should you use?
Correct answer: C
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have two Azure virtual networks named Vnet1 and Vnet2.
You have a Windows 10 device named Client1 that connects to Vnet1 by using a Point-to-Site (P2S) IKEv2 VPN.
You implement virtual network peering between Vnet1 and Vnet2. Vnet1 allows gateway transit. Vnet2 can use the remote gateway.
You discover that Client1 cannot communicate with Vnet2.
You need to ensure that Client1 can communicate with Vnet2.
Solution: You enable BGP on the gateway of Vnet1.
Does this meet the goal?
Correct answer: A
SIMULATION
Task 4
You need to ensure that connections to the storage34280945 storage account can be made by using an IP address in the 10.1.1.0/24 range and the name storage34280945.privatelink.blob.core.windows.net.
Correct answer:
See the Explanation below for step-by-step instructions
Explanation:
Here are the steps and explanations for ensuring that connections to the storage34280945 storage account can be made by using an IP address in the 10.1.1.0/24 range and the name storage34280945.privatelink.blob.core.windows.net:
To allow access from a specific IP address range, you need to configure the Azure Storage firewall and virtual network settings for your storage account. You can do this in the Azure portal by selecting your storage account and then selecting Networking under Settings.
On the Networking page, select Firewalls and virtual networks, and then select Selected networks under Allow access from. This will block all access to your storage account except from the networks or resources that you specify.
Under Firewall, select Add rule, and then enter 10.1.1.0/24 as the IP address or range. You can also enter an optional rule name and description. This will allow access from any IP address in the 10.1.1.0/24 range.
Select Save to apply your changes.
To map a custom domain name to your storage account, you need to create a CNAME record with your domain provider that points to your storage account endpoint. A CNAME record is a type of DNS record that maps a source domain name to a destination domain name.
Sign in to your domain registrar's website, and then go to the page for managing DNS settings.
Create a CNAME record with the following information:
Source domain name: storage34280945.privatelink.blob.core.windows.net
Destination domain name: storage34280945.privatelink.blob.core.windows.net
Save your changes and wait for the DNS propagation to take effect.
To register the custom domain name with Azure, you need to go back to the Azure portal and select your storage account. Then select Custom domain under Blob service.
On the Custom domain page, enter storage34280945.privatelink.blob.core.windows.net as the custom domain name and select Save.
You have an Azure subscription that contains a virtual network named VNet1. VNet1 contains the resources shown in the following table.
You need to publish App1 by using AG1 and a URL of https://app1.contoso.com. The solution must meet the following requirements:
* TLS connections must terminate on AG1.
* Minimize the number of targets in the backend pool of AG1.
* Minimize the number of deployed copies of the SSL certificate of App1.
How many locations should you import to the certificate, and how many targets should you add to the backend pool of AG1? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Correct answer:
You have an Azure Front Door instance named FrontDoor1.
You deploy two instances of an Azure web app to different Azure regions.
You plan to provide access to the web app through FrontDoor1 by using the name app1.contoso.com.
You need to ensure that FrontDoor1 is the entry point for requests that use app1.contoso.com.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Correct answer:
1 - Add a CNAME record to DNS.
2 - Add a custom domain to FrontDoor1.
3 - Add a routing rule to FrontDoor1.
SIMULATION
Task 2
You need to create an Azure Firewall instance named FW1 that meets the following requirements:
* Has an IP address from the address range of 10.1.255.0/24
* Uses a new Premium firewall policy named FW-policy1
* Routes traffic directly to the internet
Correct answer:
See the Explanation below for step-by-step instructions
Explanation:
To create an Azure Firewall instance, you need to go to the Azure portal and select Create a resource. Type firewall in the search box and press Enter. Select Firewall and then select Create.
To assign an IP address from the address range of 10.1.255.0/24 to the firewall, you need to select a public IP address that belongs to that range. You can either create a new public IP address or use an existing one.
To use a new Premium firewall policy named FW-policy1, you need to select Premium as the Firewall tier and create a new policy with the name FW-policy1. A Premium firewall policy allows you to configure advanced features such as TLS Inspection, IDPS, URL Filtering, and Web Categories.
To route traffic directly to the internet, you need to enable SNAT (Source Network Address Translation) for the firewall. SNAT allows the firewall to use its public IP address as the source address for outbound traffic.
You plan to implement an Azure virtual network that will contain 10 virtual subnets. The subnets will use IPv6 addresses. Each subnet will host up to 200 load-balanced virtual machines.
You need to recommend which subnet mask size to use for the virtual subnets.
What should you recommend?
Correct answer: C
You have two Azure virtual networks named VNet1 and VNet2 that are peered with each other. VNet1 hosts 10 virtual machines that contain web servers. VNet2 hosts five virtual machines that contain database servers.
You need to configure a security solution that meets the following requirements:
* Ensures that the database servers can accept connections only from the web servers
* Ensures that the web servers can initiate connections only to the database servers
* Ensures that all network security groups (NSGs) are associated only with subnets
* Use application security groups to implement the solution
What is the minimum number of application security groups required?
Correct answer: B
You have an Azure environment shown in the following exhibit.
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
NOTE: Each correct selection is worth one point.
Correct answer:
Reference:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-peering-gateway-transit?toc=/azure/virtual-network/toc.json
https://docs.microsoft.com/en-ca/azure/virtual-network/ip-services/ipv6-overview#capabilities
Your on-premises network contains an Active Directory Domain Services (AD DS) domain named contoso.com that has an internal certification authority (CA).
You have an Azure subscription.
You deploy an Azure application gateway named AppGwy1 and perform the following actions:
* Configure an HTTP listener.
* Associate a routing rule with the listener.
You need to configure AppGwy1 to perform mutual authentication for requests from domain-joined computers to contoso.com.
Which four actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Correct answer:
1 - From AppGwy1, create a frontend IP configuration.
2 - From AppGwy1, create an SSL profile.
3 - From an on-premises computer, upload a certificate to AppGwy1.
4 - From AppGwy1, add an HTTP listener and associate the listener to the SSL profile.
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure application gateway that has Azure Web Application Firewall (WAF) enabled.
You configure the application gateway to direct traffic to the URL of the application gateway.
You attempt to access the URL and receive an HTTP 403 error. You view the diagnostics log and discover the following error.
You need to ensure that the URL is accessible through the application gateway.
Solution: You disable the WAF rule that has a ruleId of 920300.
Does this meet the goal?
Correct answer: B
You have an on-premises network named Site1.
You have an Azure subscription that contains a storage account named storage1 and a virtual network named VNet1. VNet1 contains a subnet named Subnet1. A private endpoint for storage1 is connected to Subnet1. Site1 is connected to VNet1 by using a Site-to-Site (S2S) VPN.
You need to control access to storage1 from Site1 by using network security groups (NSGs).
What should you do first?
Correct answer: A