AZ-700 Exam Dumps - Microsoft Certified: Azure Network Engineer Associate Questions and Answers

Here are the steps and explanations for ensuring that hosts on VNET2 can access hosts on both VNET1 and VNET3, but hosts on VNET1 and VNET3 cannot communicate through VNET2:

To connect different virtual networks in Azure, you need to use virtual network peering. Virtual network peering allows you to create low-latency, high-bandwidth connections between virtual networks without using gateways or the internet1.

To create a virtual network peering, you need to go to the Azure portal and select your virtual network. Then select Peerings under Settings and select + Add2.

On the Add peering page, enter or select the following information:

Name: Type a unique name for the peering from the source virtual network to the destination virtual network.

Virtual network deployment model: Select Resource manager.

Subscription: Select the subscription that contains the destination virtual network.

Virtual network: Select the destination virtual network from the list or enter its resource ID.

Name of the peering from [destination virtual network] to [source virtual network]: Type a unique name for the peering from the destination virtual network to the source virtual network.

Configure virtual network access settings: Select Enabled to allow resources in both virtual networks to communicate with each other.

Allow forwarded traffic: Select Disabled to prevent traffic that originates from outside either of the peered virtual networks from being forwarded through either of them.

Allow gateway transit: Select Disabled to prevent either of the peered virtual networks from using a gateway in the other virtual network.

Use remote gateways: Select Disabled to prevent either of the peered virtual networks from using a gateway in the other virtual network as a transit point to another network.

Select Add to create the peering2.

Repeat the previous steps to create peerings between VNET2 and VNET1, and between VNET2 and VNET3. This will allow hosts on VNET2 to access hosts on both VNET1 and VNET3.

To prevent hosts on VNET1 and VNET3 from communicating through VNET2, you need to use network security groups (NSGs) to filter traffic between subnets. NSGs are rules that allow or deny inbound or outbound traffic based on source or destination IP address, port, or protocol3.

To create an NSG, you need to go to the Azure portal and select Create a resource. Search for network security group and select Network security group. Then select Create4.

On the Create a network security group page, enter or select the following information:

Subscription: Select your subscription name.

Resource group: Select your resource group name.

Name: Type a unique name for your NSG.

Region: Select the same region as your virtual networks.

Select Review + create and then select Create to create your NSG4.

To add rules to your NSG, you need to go to the Network security groups service in the Azure portal and select your NSG. Then select Inbound security rules or Outbound security rules under Settings and select + Add4.

On the Add inbound security rule page or Add outbound security rule page, enter or select the following information:

Source or Destination: Select CIDR block.

Source CIDR blocks or Destination CIDR blocks: Enter the IP address range of the source or destination subnet that you want to filter. For example, 10.0.1.0/24 for VNET1 subnet 1, 10.0.2.0/24 for VNET2 subnet 1, and 10.0.3.0/24 for VNET3 subnet 1.

Protocol: Select Any to apply the rule to any protocol.

Action: Select Deny to block traffic from or to the source or destination subnet.

Priority: Enter a number between 100 and 4096 that indicates the order of evaluation for this rule. Lower numbers have higher priority than higher numbers.

Name: Type a unique name for your rule.

Select Add to create your rule4.

Repeat the previous steps to create inbound and outbound rules for your NSG that deny traffic between VNET1 and VNET3 subnets. For example, you can create an inbound rule that denies traffic from 10.0.1.0/24 (VNET1 subnet 1) to 10.0.3.0/24 (VNET3 subnet 1), and an outbound rule that denies traffic from 10.0.3.0/24 (VNET3 subnet 1) to 10.0.1.0/24 (VNET1 subnet 1).

To associate your NSG with a subnet, you need to go to the Virtual networks service in the Azure portal and select your virtual network. Then select Subnets under Settings and select the subnet that you want to associate with your NSG5.

On the Edit subnet page, under Network security group, select your NSG from the drop-down list. Then select Save5.

Repeat the previous steps to associate your NSG with the subnets in VNET1 and VNET3 that you want to isolate from each other.

Here are the steps and explanations for ensuring that requests for wwwjelecloud.com from any of your Azure virtual networks resolve to frontdoor1.azurefd.net:

To use a custom domain with your Azure Front Door, you need to create a CNAME record with your domain provider that points to the Front Door default frontend host. A CNAME record is a type of DNS record that maps a source domain name to a destination domain name1.

To create a CNAME record, you need to sign in to your domain registrar’s website and go to the page for managing DNS settings1.

Create a CNAME record with the following information1:

Source domain name: wwwjelecloud.com

Destination domain name: frontdoor1.azurefd.net

Save your changes and wait for the DNS propagation to take effect1.

To verify the custom domain, you need to go to the Azure portal and select your Front Door profile. Then select Domains under Settings and select Add2.

On the Add a domain page, select Non-Azure validated domain as the Domain type and enter wwwjelecloud.com as the Domain name. Then select Add2.

On the Domains page, select wwwjelecloud.com and select Verify. This will check if the CNAME record is correctly configured2.

Once the domain is verified, you can associate it with your Front Door endpoint. On the Domains page, select wwwjelecloud.com and select Associate endpoint. Then select your Front Door endpoint from the drop-down list and select Associate2.

To ensure that hosts on VNET1 and VNET2 can communicate with minimal latency, you can use Virtual Network Peering. This method connects the two virtual networks directly through the Microsoft backbone network, ensuring low-latency and high-bandwidth communication.

Step-by-Step Solution

Step 1: Set Up Virtual Network Peering

Navigate to the Azure Portal.

Search for “Virtual networks” and select VNET1.

In the left-hand menu, select “Peerings” under the “Settings” section.

Click on “Add” to create a new peering.

Enter the following details:

Name: Enter a name for the peering (e.g., VNET1-to-VNET2).

Peer virtual network: Select VNET2.

Allow virtual network access: Ensure this is enabled.

Allow forwarded traffic: Enable if needed.

Allow gateway transit: Enable if needed.

Click on “Add”.

Step 2: Configure Peering on VNET2

Navigate to VNET2 in the Azure Portal.

In the left-hand menu, select “Peerings” under the “Settings” section.

Click on “Add” to create a new peering.

Enter the following details:

Name: Enter a name for the peering (e.g., VNET2-to-VNET1).

Peer virtual network: Select VNET1.

Allow virtual network access: Ensure this is enabled.

Allow forwarded traffic: Enable if needed.

Allow gateway transit: Enable if needed.

Click on “Add”.

Explanation

Virtual Network Peering: This feature connects two virtual networks in the same or different regions, allowing resources in both networks to communicate with each other as if they were part of the same network. The traffic between peered virtual networks uses the Microsoft backbone infrastructure, ensuring low latency and high bandwidth12.

Allow Virtual Network Access: This setting ensures that the virtual networks can communicate with each other.

Allow Forwarded Traffic: This setting allows traffic forwarded from a network security appliance in the peered virtual network.

Allow Gateway Transit: This setting allows the peered virtual network to use the gateway in the local virtual network.

By following these steps, you can ensure that hosts on VNET1 and VNET2 can communicate with minimal latency, leveraging the high-speed Microsoft backbone network.

on:

Here are the steps and explanations for creating a policy that can be linked to the planned application gateway and block connections from IP addresses in the 131.107.150.0/24 range:

To create a policy, you need to go to the Azure portal and select Create a resource. Search for WAF, select Web Application Firewall, then select Create1.

On the Create a WAF policy page, Basics tab, enter or select the following information and accept the defaults for the remaining settings:

Policy for: Regional WAF (Application Gateway)

Subscription: Select your subscription name

Resource group: Select your resource group

Policy name: Type a unique name for your WAF policy

On the Custom rules tab, select Add a rule to create a custom rule that blocks connections from IP addresses in the 131.107.150.0/24 range2. Enter or select the following information for the custom rule:

Rule name: Type a unique name for your custom rule

Priority: Type a number that indicates the order of evaluation for this rule

Rule type: Select Match rule

Match variable: Select RemoteAddr

Operator: Select IPMatch

Match values: Type 131.107.150.0/24

Action: Select Block

On the Review + create tab, review your settings and select Create to create your WAF policy1.

To link your policy to the planned application gateway, you need to go to the Application Gateway service in the Azure portal and select your application gateway3.

On the Web application firewall tab, select your WAF policy from the drop-down list and select Save

To archive all the metrics of VNET1 to an existing storage account, you can use Azure Monitor’s diagnostic settings. Here’s how you can do it:

Step-by-Step Solution

Step 1: Navigate to VNET1 in the Azure Portal

Open the Azure Portal.

Search for “Virtual networks” and select VNET1 from the list.

Step 2: Configure Diagnostic Settings

In the VNET1 blade, select “Diagnostic settings” under the “Monitoring” section.

Click on “Add diagnostic setting”.

Step 3: Set Up the Diagnostic Setting

Enter a name for the diagnostic setting (e.g., VNET1-Metrics-Archive).

Select the metrics you want to archive. You can choose from various metrics like TotalBytesReceived, TotalBytesSent, etc.

Under “Destination details”, select “Archive to a storage account”.

Choose the existing storage account where you want to archive the metrics.

Configure the retention period if needed.

Step 4: Save the Configuration

Review your settings to ensure everything is correct.

Click on “Save” to apply the diagnostic setting.

Explanation

Diagnostic Settings: These allow you to collect and route metrics and logs from your Azure resources to various destinations, including storage accounts, Log Analytics workspaces, and Event Hubs.

Metrics: Metrics provide numerical data about the performance and health of your resources. Archiving these metrics helps in long-term analysis and compliance.

Storage Account: Using an existing storage account ensures that the metrics are stored securely and can be accessed for future analysis.

By following these steps, you can ensure that all the metrics of VNET1 are archived to your existing storage account, enabling you to monitor and analyze the performance and health of your virtual network over time.

Here are the steps and explanations for ensuring that the storage34280945 storage account will only accept connections from hosts on VNET1:

To restrict network access to your storage account, you need to configure the Azure Storage firewall and virtual network settings for your storage account. You can do this in the Azure portal by selecting your storage account and then selecting Networking under Settings1.

On the Networking page, select Firewalls and virtual networks, and then select Selected networks under Allow access from1. This will block all access to your storage account except from the networks or resources that you specify.

Under Virtual networks, select + Add existing virtual network. Then select VNET1 from the list of virtual networks and select the subnet that contains the hosts that you want to allow access to your storage account1. This will enable a service endpoint for Storage in the subnet and configure a virtual network rule for that subnet through the Azure storage firewall2.

Select Add to add the virtual network and subnet to your storage account1.

Select Save to apply your changes1.

To provide a single host name that routes traffic based on the origin, you can use Azure Traffic Manager. This service allows you to route traffic to different endpoints based on various routing methods, including geographic routing.

Navigate to the Azure Portal.

Search for “Traffic Manager profiles” and select it.

Click on “Create”.

Enter the following details:

Name: Enter a name for the Traffic Manager profile (e.g., ContosoTrafficManager).

Routing method: Select Geographic.

Subscription: Select your subscription.

Resource group: Select an existing resource group or create a new one.

Resource group location: Choose a location (this does not affect the routing).

Click on “Create”.

Navigate to the newly created Traffic Manager profile.

Select “Endpoints” from the left-hand menu.

Click on “Add” to add a new endpoint.

Enter the following details:

Type: Select External endpoint.

Name: Enter a name for the endpoint (e.g., NewYorkEndpoint).

FQDN: Enter ny.contoso.com.

Geographic region: Select “World” (this will be adjusted later).

Click on “Add” to save the endpoint.

Repeat the process to add the second endpoint:

Type: Select External endpoint.

Name: Enter a name for the endpoint (e.g., GermanyEndpoint).

FQDN: Enter de.contoso.com.

Geographic region: Select Europe.

Navigate to the Traffic Manager profile.

Select “Configuration” from the left-hand menu.

Under “Geographic routing”, adjust the regions:

For the GermanyEndpoint, ensure that the geographic region is set to Europe.

For the NewYorkEndpoint, ensure that the geographic region is set to World (excluding Europe).

Use a DNS query tool to test the routing.

From a location in Germany, query the Traffic Manager profile’s DNS name and ensure it resolves to de.contoso.com.

From a location outside Europe, query the Traffic Manager profile’s DNS name and ensure it resolves to ny.contoso.com.

Azure Traffic Manager: This service uses DNS to direct client requests to the most appropriate endpoint based on the routing method you choose. Geographic routing ensures that traffic is directed based on the origin of the request.

Geographic Routing: This method allows you to route traffic based on the geographic location of the DNS query origin, ensuring that users are directed to the nearest or most appropriate endpoint.

Step-by-Step SolutionStep 1: Create a Traffic Manager ProfileStep 2: Configure EndpointsStep 3: Adjust Geographic RoutingStep 4: Test the ConfigurationExplanationBy following these steps, you can provide a single host name that routes traffic to de.contoso.com for users in Germany and to ny.contoso.com for users from other locations, ensuring efficient and appropriate traffic management.

To create an Azure Firewall instance, you need to go to the Azure portal and select Create a resource. Type firewall in the search box and press Enter. Select Firewall and then select Create1.

To assign an IP address from the address range of 10.1.255.0/24 to the firewall, you need to select a public IP address that belongs to that range. You can either create a new public IP address or use an existing one1.

To use a new Premium firewall policy named FW-policy1, you need to select Premium as the Firewall tier and create a new policy with the name FW-policy12. A Premium firewall policy allows you to configure advanced features such as TLS Inspection, IDPS, URL Filtering, and Web Categories3.

To route traffic directly to the internet, you need to enable SNAT (Source Network Address Translation) for the firewall. SNAT allows the firewall to use its public IP address as the source address for outbound traffic4.