Microsoft Azure Network Engineer Associate · Difficulty

Medium AZ-700 practice questions

Applied — put a concept to work in a realistic situation. 134 medium questions available — no sign-up, always free.

Question 1 of 25

Your company runs a web application behind an Azure Application Gateway v2 (Standard_v2). Traffic is highly variable, spiking during business hours and dropping to almost nothing overnight. Management requires that the gateway automatically add and remove capacity based on load to minimize cost, while guaranteeing that at least a baseline amount of compute is always available to handle a sudden burst without a cold-start delay. You are configuring the autoscaling settings. Which configuration meets these requirements?

Reviewed for accuracy · Report an issue
Question 2 of 25

Your company runs a web tier across a VM Scale Set and a set of on-premises IIS servers reachable over an ExpressRoute private connection. You must front both groups with a single Azure Application Gateway v2 so requests can be distributed to either the cloud or on-premises servers. When configuring the backend pool for this deployment, which approach correctly targets both sets of servers?

Reviewed for accuracy · Report an issue
Question 3 of 25

Your company hosts a legacy web application behind an Azure Application Gateway v2. The application stores session state locally in memory on each backend VM rather than in a shared store. Users report that they are intermittently logged out and their shopping carts are lost as they navigate the site. You confirm the backend pool has three healthy VMs and that health probes are passing. You must ensure a user's requests are consistently sent to the same backend VM for the duration of their session, with minimal changes to the application. What should you configure?

Reviewed for accuracy · Report an issue
Question 4 of 25

Your company runs a web application behind an Azure Application Gateway v2. The backend pool contains three VMs that host an API. The application's health endpoint at /api/health returns an HTTP 200 status but includes a JSON body, and under a partial failure it returns HTTP 503. Recently, the Application Gateway marked all backend servers as unhealthy even though the site returned HTTP 200, because the health endpoint responded with a 200 status but a body of '{"status":"degraded"}'. You need the probe to consider a backend healthy ONLY when it returns HTTP 200 and the response body contains the text 'healthy'. What should you configure?

Reviewed for accuracy · Report an issue
Question 5 of 25

Your company runs a stateful web application behind an Azure Application Gateway v2. During deployments, backend VMs in the pool are removed and replaced, and users report that in-flight requests fail with connection errors whenever a backend instance is deregistered. You must ensure that existing requests to a backend server are allowed to complete gracefully before the server is removed from rotation, without dropping active sessions. Which Application Gateway configuration should you enable?

Reviewed for accuracy · Report an issue
Question 6 of 25

Your company hosts an e-commerce site behind an Azure Application Gateway v2. Security requires that all client traffic use HTTPS. Currently the gateway has an HTTPS listener on port 443 with a valid certificate and a routing rule pointing to the backend pool. However, users who type the site name in a browser arrive on HTTP port 80 and receive an error because no listener handles that traffic. You must ensure that any request arriving on HTTP is automatically sent to the HTTPS version of the same URL, without changing the backend. What should you configure?

Reviewed for accuracy · Report an issue
Question 7 of 25

Your company runs Azure Application Gateway v2 with a single public frontend IP on port 443. You have configured three multi-site listeners that use overlapping host name patterns: one listener matches 'shop.contoso.com', another matches '*.contoso.com', and a third matches '*.com'. During testing, requests to 'shop.contoso.com' are intermittently routed to the wrong backend pool. You must ensure requests to 'shop.contoso.com' are always handled by its dedicated listener without removing the wildcard listeners. What should you do?

Reviewed for accuracy · Report an issue
Question 8 of 25

Your company hosts two web applications, shop.contoso.com and portal.contoso.com, behind a single Azure Application Gateway v2. Both applications share the same public IP and port 443 but must route to different backend pools based on the requested domain name. Traffic for shop.contoso.com must go to the retail backend pool and traffic for portal.contoso.com must go to the internal-services backend pool. Which Application Gateway configuration achieves this?

Reviewed for accuracy · Report an issue
Question 9 of 25

Your company hosts two public web applications, shop.contoso.com and portal.contoso.com, behind a single Azure Application Gateway v2. Both must be reachable over HTTPS on TCP port 443 using the same public frontend IP, and each site must present its own dedicated TLS certificate to clients. What is the minimum configuration you must implement to satisfy this requirement?

Reviewed for accuracy · Report an issue
Question 10 of 25

A financial services company runs an Azure Application Gateway v2 in front of a REST API used by partner organizations. Compliance requires that only partner client applications presenting a valid client certificate issued by an approved certificate authority be allowed to connect; any request without a trusted client certificate must be rejected at the gateway. Which Application Gateway configuration meets this requirement?

Reviewed for accuracy · Report an issue
Question 11 of 25

Your company runs a web application behind an Azure Application Gateway v2 (Standard_v2). During a security audit, penetration testers report that backend responses expose a 'Server' HTTP response header that reveals the underlying web server product and version. Developers cannot modify the backend application in the near term. Security requires that this header be stripped before responses reach clients, with no impact to existing listeners or routing. What should you configure on the Application Gateway?

Reviewed for accuracy · Report an issue
Question 12 of 25

Your company runs a web application behind Azure Application Gateway v2. The backend application generates absolute redirect URLs (HTTP 302 responses with a Location header) using its internal hostname 'app-internal.contoso.local', which is what it receives in the incoming Host header because the HTTP settings override the hostname to the backend pool member's name. Users report that after login, they are redirected to a broken internal URL instead of the public site 'www.contoso.com'. You must ensure redirects point to the correct public hostname without modifying the backend application. What should you configure on the Application Gateway?

Reviewed for accuracy · Report an issue
Question 13 of 25

Your company runs a web application behind an Azure Application Gateway v2. Compliance requires that traffic remain encrypted from the client all the way to the backend servers (end-to-end TLS), not just to the Application Gateway. The backend pool consists of two VMs presenting certificates signed by your organization's private (internal) certificate authority. After configuring an HTTPS backend HTTP setting, the backend health shows 'Unknown' and requests fail. What must you configure so that the Application Gateway can establish trusted TLS connections to the backends?

Reviewed for accuracy · Report an issue
Question 14 of 25

Contoso hosts a single web application behind Azure Application Gateway v2. The application serves static images from URLs beginning with /images/* and API calls from URLs beginning with /api/*. The team wants requests to /images/* to be sent to a backend pool of storage-optimized VMs, requests to /api/* to be sent to a backend pool of compute-optimized VMs, and all other requests to a default backend pool. All requests arrive on the same listener (HTTPS, same hostname). What should you configure to route the traffic correctly?

Reviewed for accuracy · Report an issue
Question 15 of 25

Contoso runs a three-tier application in a single subnet: 6 web VMs, 4 application VMs, and 3 database VMs. Security requires that only web VMs can reach the application VMs on TCP 8080, and only application VMs can reach the database VMs on TCP 1433. The subnet may grow with additional VMs of each tier over time. You must minimize the number of NSG rules and avoid maintaining explicit IP address lists as VMs are added. What should you implement?

Reviewed for accuracy · Report an issue
Question 16 of 25

Your company deploys Azure Bastion in a hub VNet to provide secure RDP/SSH access to VMs across peered spoke VNets. Administrators complain that they cannot connect to VMs from their local machines using the native Windows RDP client (mstsc), and they also cannot upload or download files during Bastion sessions. Your current deployment uses the Bastion Basic SKU. What must you do to enable both native client connectivity and file transfer?

Reviewed for accuracy · Report an issue
Question 17 of 25

Contoso runs an on-premises data center connected to an Azure hub VNet via ExpressRoute. On-premises servers must resolve records hosted in an Azure private DNS zone (contoso-internal.com) that is linked to the hub VNet. Contoso does not want to deploy and manage DNS server VMs in Azure. Which Azure DNS Private Resolver component must you deploy and reference so that on-premises DNS servers can forward queries into Azure and receive answers from the linked private DNS zone?

Reviewed for accuracy · Report an issue
Question 18 of 25

Contoso runs several VNets in Azure that must resolve names hosted on an on-premises Active Directory DNS server (contoso.local) reachable over an ExpressRoute circuit. You deploy an Azure DNS Private Resolver. You need Azure workloads to forward only queries for contoso.local to the on-premises DNS servers while all other queries continue to use Azure-provided DNS. What should you configure?

Reviewed for accuracy · Report an issue
Question 19 of 25

Your company deploys Azure Firewall Standard to control outbound traffic from a spoke virtual network. Server administrators report that Windows Update fails on all VMs because outbound HTTP/HTTPS is denied by default. The Microsoft-hosted update endpoints span many changing FQDNs and CDNs. You must allow Windows Update traffic with the least administrative effort and without manually maintaining a list of URLs. What should you configure?

Reviewed for accuracy · Report an issue
Question 20 of 25

Your company is deploying Azure Firewall to protect a small branch-office virtual network that expects a peak throughput of roughly 200 Mbps and around 40 concurrent users. Management wants the lowest-cost firewall SKU that still supports built-in threat intelligence in alert mode. However, the security team notes that the deployment must include a specific companion component for the control plane to function. Which SKU should you choose, and what additional resource is mandatory for it?

Reviewed for accuracy · Report an issue
Question 21 of 25

Your company deploys an Azure Firewall (Standard SKU) in a hub virtual network. A web server running on a VM in a spoke VNet has the private IP 10.1.2.10 and listens on TCP 8080. You need to publish this server to the internet so that external clients can reach it via the firewall's public IP on TCP 443, with the firewall translating the traffic to the internal address and port. Which type of Azure Firewall rule should you configure?

Reviewed for accuracy · Report an issue
Question 22 of 25

Your company runs an Azure Firewall Premium with a firewall policy that contains dozens of network and application rules. Several rules reference the same set of 40 on-premises subnet CIDRs as their source, and this list changes about twice a month. Each time it changes, an engineer must manually edit every affected rule, which is error-prone. You need to centralize this address list so a single update propagates to all rules that use it, while keeping the change scoped to the firewall configuration. What should you implement?

Reviewed for accuracy · Report an issue
Question 23 of 25

Contoso manages security for multiple Azure Firewall instances using Azure Firewall Manager. The security team creates a parent firewall policy named 'Corp-Base' that contains rule collection groups blocking known malicious FQDNs and enforcing threat intelligence. Regional teams need their own policies that add region-specific application rules but must not be able to remove or override the corporate blocking rules. You need to design the policy structure so that regional policies automatically include all Corp-Base rules while allowing regional additions. What should you do?

Reviewed for accuracy · Report an issue
Question 24 of 25

Your company runs a secured hub in Azure Virtual WAN protected by Azure Firewall Premium. The security team wants to consolidate all firewall configuration for five regional hubs into a single, centrally managed policy while still allowing each hub to have region-specific network rules that override the shared baseline. Which Firewall Manager configuration approach meets these requirements with the least administrative effort?

Reviewed for accuracy · Report an issue
Question 25 of 25

Your company uses Azure Firewall Premium managed by a single Azure Firewall Policy. Within that policy you have two rule collection groups: 'BaselineRules' (priority 200) containing a network rule collection that denies all traffic to 10.50.0.0/16, and 'AppRules' (priority 300) containing a network rule collection that allows TCP 443 from the workload subnet to 10.50.10.5. Users report that HTTPS connections to 10.50.10.5 are being dropped. You must allow this specific traffic while keeping the broad deny in place for the rest of the range. What should you do?

Reviewed for accuracy · Report an issue