Design and implement application delivery services
Drill 20 practice questions focused entirely on Design and implement application delivery services for the Microsoft AZ-700 exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.
Your company runs a web application behind an Azure Application Gateway v2 (Standard_v2). Traffic is highly variable, spiking during business hours and dropping to almost nothing overnight. Management requires that the gateway automatically add and remove capacity based on load to minimize cost, while guaranteeing that at least a baseline amount of compute is always available to handle a sudden burst without a cold-start delay. You are configuring the autoscaling settings. Which configuration meets these requirements?
Your company runs a web tier across a VM Scale Set and a set of on-premises IIS servers reachable over an ExpressRoute private connection. You must front both groups with a single Azure Application Gateway v2 so requests can be distributed to either the cloud or on-premises servers. When configuring the backend pool for this deployment, which approach correctly targets both sets of servers?
Your company hosts a legacy web application behind an Azure Application Gateway v2. The application stores session state locally in memory on each backend VM rather than in a shared store. Users report that they are intermittently logged out and their shopping carts are lost as they navigate the site. You confirm the backend pool has three healthy VMs and that health probes are passing. You must ensure a user's requests are consistently sent to the same backend VM for the duration of their session, with minimal changes to the application. What should you configure?
Your company runs a web application behind an Azure Application Gateway v2. The backend pool contains three VMs that host an API. The application's health endpoint at /api/health returns an HTTP 200 status but includes a JSON body, and under a partial failure it returns HTTP 503. Recently, the Application Gateway marked all backend servers as unhealthy even though the site returned HTTP 200, because the health endpoint responded with a 200 status but a body of '{"status":"degraded"}'. You need the probe to consider a backend healthy ONLY when it returns HTTP 200 and the response body contains the text 'healthy'. What should you configure?
Your company runs a stateful web application behind an Azure Application Gateway v2. During deployments, backend VMs in the pool are removed and replaced, and users report that in-flight requests fail with connection errors whenever a backend instance is deregistered. You must ensure that existing requests to a backend server are allowed to complete gracefully before the server is removed from rotation, without dropping active sessions. Which Application Gateway configuration should you enable?
Your company hosts an e-commerce site behind an Azure Application Gateway v2. Security requires that all client traffic use HTTPS. Currently the gateway has an HTTPS listener on port 443 with a valid certificate and a routing rule pointing to the backend pool. However, users who type the site name in a browser arrive on HTTP port 80 and receive an error because no listener handles that traffic. You must ensure that any request arriving on HTTP is automatically sent to the HTTPS version of the same URL, without changing the backend. What should you configure?
Your company runs Azure Application Gateway v2 with a single public frontend IP on port 443. You have configured three multi-site listeners that use overlapping host name patterns: one listener matches 'shop.contoso.com', another matches '*.contoso.com', and a third matches '*.com'. During testing, requests to 'shop.contoso.com' are intermittently routed to the wrong backend pool. You must ensure requests to 'shop.contoso.com' are always handled by its dedicated listener without removing the wildcard listeners. What should you do?
Your company hosts two web applications, shop.contoso.com and portal.contoso.com, behind a single Azure Application Gateway v2. Both applications share the same public IP and port 443 but must route to different backend pools based on the requested domain name. Traffic for shop.contoso.com must go to the retail backend pool and traffic for portal.contoso.com must go to the internal-services backend pool. Which Application Gateway configuration achieves this?
Your company hosts two public web applications, shop.contoso.com and portal.contoso.com, behind a single Azure Application Gateway v2. Both must be reachable over HTTPS on TCP port 443 using the same public frontend IP, and each site must present its own dedicated TLS certificate to clients. What is the minimum configuration you must implement to satisfy this requirement?
A financial services company runs an Azure Application Gateway v2 in front of a REST API used by partner organizations. Compliance requires that only partner client applications presenting a valid client certificate issued by an approved certificate authority be allowed to connect; any request without a trusted client certificate must be rejected at the gateway. Which Application Gateway configuration meets this requirement?
Your company runs a web application behind an Azure Application Gateway v2 (Standard_v2). During a security audit, penetration testers report that backend responses expose a 'Server' HTTP response header that reveals the underlying web server product and version. Developers cannot modify the backend application in the near term. Security requires that this header be stripped before responses reach clients, with no impact to existing listeners or routing. What should you configure on the Application Gateway?
Your company runs a web application behind Azure Application Gateway v2. The backend application generates absolute redirect URLs (HTTP 302 responses with a Location header) using its internal hostname 'app-internal.contoso.local', which is what it receives in the incoming Host header because the HTTP settings override the hostname to the backend pool member's name. Users report that after login, they are redirected to a broken internal URL instead of the public site 'www.contoso.com'. You must ensure redirects point to the correct public hostname without modifying the backend application. What should you configure on the Application Gateway?
Your company runs a web application behind an Azure Application Gateway v2. Compliance requires that traffic remain encrypted from the client all the way to the backend servers (end-to-end TLS), not just to the Application Gateway. The backend pool consists of two VMs presenting certificates signed by your organization's private (internal) certificate authority. After configuring an HTTPS backend HTTP setting, the backend health shows 'Unknown' and requests fail. What must you configure so that the Application Gateway can establish trusted TLS connections to the backends?
Contoso hosts a single web application behind Azure Application Gateway v2. The application serves static images from URLs beginning with /images/* and API calls from URLs beginning with /api/*. The team wants requests to /images/* to be sent to a backend pool of storage-optimized VMs, requests to /api/* to be sent to a backend pool of compute-optimized VMs, and all other requests to a default backend pool. All requests arrive on the same listener (HTTPS, same hostname). What should you configure to route the traffic correctly?
Your company hosts a product catalog on Azure Front Door Standard. The origin serves personalized responses that differ based on the 'region' query string parameter (for example, ?region=us and ?region=eu return different pricing). Users report that visitors in Europe sometimes see US pricing. Investigation shows Front Door is caching responses and serving the same cached object regardless of the query string. Which configuration change on the route should you make to fix this while still benefiting from caching?
Your company hosts a marketing site behind Azure Front Door Standard. Legal requires that any request to the legacy path '/promo/*' be permanently sent to '/campaigns/*' on the same host, while preserving the original query string, and that browsers cache the redirect. You must implement this using Front Door's Rules Engine without changing any origin configuration. Which action should you configure in the rule?
Your company hosts a web application on an Azure App Service (Premium v3) that is currently accessible over the public internet. You are deploying Azure Front Door in front of the application and must ensure that the App Service origin can only be reached through Front Door, with traffic never traversing the public internet between Front Door and the origin. You want to avoid managing NSGs, service tags, or IP allow-lists on the origin. Which approach meets these requirements?
Your company hosts a global e-commerce web application. You must deliver it through Azure Front Door with the following requirements: a managed Web Application Firewall (WAF) with bot protection managed rule sets, private connectivity to origins hosted on Azure App Service using Private Link, and custom rules-engine actions to rewrite request URLs. You want to minimize cost while still meeting every requirement. Which Azure Front Door tier should you deploy?
Your company runs a public-facing web application behind a Standard public Load Balancer. The security team has purchased a third-party firewall NVA appliance and requires that all inbound and outbound traffic to the application be inspected transparently, without changing the application's public IP address or reconfiguring the existing frontend. The NVA must be inserted into the traffic path while preserving the original source and destination IP addresses. Which Azure solution should you implement?
Your company runs an identical stateless API deployment behind a Standard public Load Balancer in both East US and West Europe. You need a single, static anycast IP address that automatically routes client TCP connections to the closest healthy regional deployment and provides failover if an entire region becomes unavailable. The solution must operate at Layer 4 and require minimal changes to the existing regional load balancers. What should you deploy?
More AZ-700 practice
Keep going with the other Microsoft Azure Network Engineer Associate domains, or take a full timed mock exam.
← Back to AZ-700 overview