Microsoft Azure Network Engineer Associate · Difficulty

Hard AZ-700 practice questions

Challenge — multi-step scenarios, trade-offs, and subtle distinctions. 17 hard questions available — no sign-up, always free.

Question 1 of 17

Contoso deploys a single Azure Firewall (Standard SKU) with a firewall policy. The policy contains a network rule collection that allows outbound TCP traffic on port 443 to a specific server IP, and an application rule collection that denies HTTPS access to the FQDN 'downloads.contoso-partner.com' (which resolves to that same server IP). A VM behind the firewall initiates an HTTPS session to https://downloads.contoso-partner.com. What is the result?

Reviewed for accuracy · Report an issue
Question 2 of 17

Your company deploys an Azure Firewall inside a Virtual WAN secured hub using Firewall Manager. The security team requires that all internet-bound traffic from the firewall itself be forced-tunneled through an on-premises appliance over ExpressRoute for centralized egress inspection. During design, you discover this requirement cannot be met with the current architecture. What is the correct explanation?

Reviewed for accuracy · Report an issue
Question 3 of 17

Your company deploys Azure Route Server in a hub VNet to exchange routes with a third-party SD-WAN NVA. Several spoke VNets are peered to the hub. Workloads in the spokes must automatically learn the on-premises branch routes that the NVA advertises to Route Server, without configuring user-defined routes in each spoke. When you configure the VNet peering between the hub and each spoke, which setting must you enable on the peering so the spokes receive the branch routes learned by Route Server?

Reviewed for accuracy · Report an issue
Question 4 of 17

Your company runs several Azure VNets and an on-premises data center connected via ExpressRoute. Azure-hosted VMs must resolve records in a private DNS zone (azure.contoso.com) linked to the hub VNet, and on-premises servers must resolve those same Azure private DNS records. Additionally, Azure VMs must resolve on-premises Active Directory names (corp.contoso.com) hosted on on-premises DNS servers. You want a fully managed solution that avoids deploying and maintaining DNS forwarder VMs. What should you implement?

Reviewed for accuracy · Report an issue
Question 5 of 17

Contoso has an ExpressRoute circuit with private peering connecting their on-premises datacenter to an Azure virtual network. A new compliance requirement mandates that all traffic traversing the ExpressRoute connection between on-premises and Azure must be encrypted, while continuing to use the existing ExpressRoute circuit as the transport path. Which solution meets this requirement with the least additional cost and complexity?

Reviewed for accuracy · Report an issue
Question 6 of 17

You are designing outbound internet connectivity for workloads spread across three subnets in a zone-redundant Azure region. The security team requires all outbound SNAT to use a predictable set of static public IPs, and the architecture must survive the failure of a single availability zone. You plan to use Azure NAT Gateway. Which deployment approach correctly meets both the static-IP and zone-resilience requirements?

Reviewed for accuracy · Report an issue
Question 7 of 17

A VM in the subnet 'AppSubnet' can no longer reach an external HTTPS endpoint (port 443), and the application team reports intermittent failures. You need to identify whether the traffic is being blocked and, if so, precisely which network security rule or user-defined route is responsible for dropping the packets between the VM and the destination. Which Azure Network Watcher capability should you use?

Reviewed for accuracy · Report an issue
Question 8 of 17

You deploy Azure Bastion into a dedicated AzureBastionSubnet to provide secure RDP/SSH access to VMs in a hub VNet. Your security team requires an NSG on AzureBastionSubnet to satisfy compliance. After associating the NSG, users can no longer connect through Bastion. Which set of outbound rules must the NSG allow to restore Bastion functionality while keeping the NSG in place?

Reviewed for accuracy · Report an issue
Question 9 of 17

Contoso hosts an internal application that must reach an Azure Storage account exclusively over a private connection. They have created a private endpoint for the storage account (blob subresource) in a hub VNet. On-premises servers connect to Azure through an ExpressRoute private peering circuit. From on-premises, application servers currently fail to connect to the storage account, and nslookup for the storage FQDN still returns a public IP address. What must Contoso do so that on-premises servers resolve the storage FQDN to the private endpoint's private IP?

Reviewed for accuracy · Report an issue
Question 10 of 17

Your company hosts a general-purpose v2 storage account named 'salesdata'. You create a private endpoint for the blob sub-resource in a spoke VNet, approve the connection, and configure the private DNS zone integration correctly. Application VMs in the spoke VNet can resolve the storage account FQDN to the private IP address, but they still receive '403 Authorization Failure' errors when accessing blobs. The storage account's networking firewall is set to 'Enabled from selected virtual networks and IP addresses' with no networks or IPs added. What should you do to allow access while keeping the account private?

Reviewed for accuracy · Report an issue
Question 11 of 17

Your company operates a SaaS platform behind an Azure Standard internal Load Balancer. You publish it through a Private Link service so that customer tenants can connect via private endpoints. As the number of customer connections grows, some new private endpoint connections begin to fail while existing ones remain healthy. You confirm the Private Link service is configured with a single subnet for NAT IP allocation. What is the most likely cause and the correct remediation?

Reviewed for accuracy · Report an issue
Question 12 of 17

Your company hosts a multi-tier application behind a Standard internal Load Balancer in a VNet. You want to offer this application privately to several customer Azure tenants using Azure Private Link Service so that consumers connect via private endpoints without VNet peering. During setup, you must specify a NAT IP configuration for the Private Link service. What is the primary purpose of the NAT subnet you designate for the Private Link service?

Reviewed for accuracy · Report an issue
Question 13 of 17

Your company operates a multi-tenant SaaS platform behind a Standard internal Load Balancer. You expose it to customers through an Azure Private Link service. The application team reports that all incoming requests appear to originate from the Private Link service NAT IP addresses, but they need to capture the true source IP of each consumer connection for per-tenant auditing. What should you do on the Private Link service to make the original consumer source information available to the backend application?

Reviewed for accuracy · Report an issue
Question 14 of 17

Your company deploys an Azure Route Server in a hub VNet to exchange routes dynamically with two SD-WAN NVAs, each connected to a different on-premises branch via BGP. You notice that traffic from Branch A is being routed through Azure to reach Branch B, consuming hub bandwidth. Security policy requires branches to communicate only over their private WAN, never transiting Azure. What should you configure on the Azure Route Server to prevent this transit behavior?

Reviewed for accuracy · Report an issue
Question 15 of 17

Your company runs a business-critical workload in Azure that requires a highly available site-to-site VPN connection to the on-premises data center. The on-premises edge consists of two independent VPN devices, each with its own public IP address. You must design the Azure VPN gateway so that a failure of a single Azure gateway instance OR a single on-premises VPN device does not interrupt connectivity. Which design should you implement?

Reviewed for accuracy · Report an issue
Question 16 of 17

Your company establishes a site-to-site VPN between an Azure route-based VPN gateway (VpnGw2) and an on-premises firewall. The connection reaches the 'Connecting' state but never becomes 'Connected'. Azure diagnostic logs show that IKE Phase 1 negotiation repeatedly fails. You confirm the shared key matches on both sides and the on-premises public IP is correctly set in the local network gateway. The on-premises firewall administrator reports the tunnel is configured for IKEv1 with a policy-based (all-or-nothing) traffic selector. What is the MOST likely cause of the failure?

Reviewed for accuracy · Report an issue
Question 17 of 17

Contoso runs three VNets (Prod-A, Prod-B, Prod-C) that must all communicate directly with each other. A network engineer configures a mesh network group in Azure Virtual Network Manager and deploys the connectivity configuration. Afterward, VMs in Prod-A can reach Prod-B and Prod-C, but a subnet named 'AzureFirewallSubnet' in Prod-C is unexpectedly participating in the mesh. The engineer wants the mesh to apply to all current and future VNets added to the group, without manually editing membership each time. Which combination best meets these requirements?

Reviewed for accuracy · Report an issue