Design and implement Azure network security services
Drill 20 practice questions focused entirely on Design and implement Azure network security services for the Microsoft AZ-700 exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.
Contoso runs a three-tier application in a single subnet: 6 web VMs, 4 application VMs, and 3 database VMs. Security requires that only web VMs can reach the application VMs on TCP 8080, and only application VMs can reach the database VMs on TCP 1433. The subnet may grow with additional VMs of each tier over time. You must minimize the number of NSG rules and avoid maintaining explicit IP address lists as VMs are added. What should you implement?
Your company deploys Azure Firewall Standard to control outbound traffic from a spoke virtual network. Server administrators report that Windows Update fails on all VMs because outbound HTTP/HTTPS is denied by default. The Microsoft-hosted update endpoints span many changing FQDNs and CDNs. You must allow Windows Update traffic with the least administrative effort and without manually maintaining a list of URLs. What should you configure?
Your company is deploying Azure Firewall to protect a small branch-office virtual network that expects a peak throughput of roughly 200 Mbps and around 40 concurrent users. Management wants the lowest-cost firewall SKU that still supports built-in threat intelligence in alert mode. However, the security team notes that the deployment must include a specific companion component for the control plane to function. Which SKU should you choose, and what additional resource is mandatory for it?
Your company deploys an Azure Firewall (Standard SKU) in a hub virtual network. A web server running on a VM in a spoke VNet has the private IP 10.1.2.10 and listens on TCP 8080. You need to publish this server to the internet so that external clients can reach it via the firewall's public IP on TCP 443, with the firewall translating the traffic to the internal address and port. Which type of Azure Firewall rule should you configure?
Your company runs an Azure Firewall Premium with a firewall policy that contains dozens of network and application rules. Several rules reference the same set of 40 on-premises subnet CIDRs as their source, and this list changes about twice a month. Each time it changes, an engineer must manually edit every affected rule, which is error-prone. You need to centralize this address list so a single update propagates to all rules that use it, while keeping the change scoped to the firewall configuration. What should you implement?
Contoso manages security for multiple Azure Firewall instances using Azure Firewall Manager. The security team creates a parent firewall policy named 'Corp-Base' that contains rule collection groups blocking known malicious FQDNs and enforcing threat intelligence. Regional teams need their own policies that add region-specific application rules but must not be able to remove or override the corporate blocking rules. You need to design the policy structure so that regional policies automatically include all Corp-Base rules while allowing regional additions. What should you do?
Contoso deploys a single Azure Firewall (Standard SKU) with a firewall policy. The policy contains a network rule collection that allows outbound TCP traffic on port 443 to a specific server IP, and an application rule collection that denies HTTPS access to the FQDN 'downloads.contoso-partner.com' (which resolves to that same server IP). A VM behind the firewall initiates an HTTPS session to https://downloads.contoso-partner.com. What is the result?
Your company runs a secured hub in Azure Virtual WAN protected by Azure Firewall Premium. The security team wants to consolidate all firewall configuration for five regional hubs into a single, centrally managed policy while still allowing each hub to have region-specific network rules that override the shared baseline. Which Firewall Manager configuration approach meets these requirements with the least administrative effort?
Your company uses Azure Firewall Premium managed by a single Azure Firewall Policy. Within that policy you have two rule collection groups: 'BaselineRules' (priority 200) containing a network rule collection that denies all traffic to 10.50.0.0/16, and 'AppRules' (priority 300) containing a network rule collection that allows TCP 443 from the workload subnet to 10.50.10.5. Users report that HTTPS connections to 10.50.10.5 are being dropped. You must allow this specific traffic while keeping the broad deny in place for the rest of the range. What should you do?
Your company deploys an Azure Firewall Premium instance to inspect outbound HTTPS traffic from application servers. You configure a firewall policy with TLS inspection enabled on an application rule collection. The intermediate CA certificate must be presented by the firewall to clients so it can decrypt and re-encrypt sessions. What must you configure so the firewall can perform TLS inspection?
Your company runs a hub-and-spoke topology with an Azure Firewall Standard in the hub, managed through an Azure Firewall Policy. Security requires that outbound HTTP/HTTPS traffic from all spoke workloads be blocked to any website categorized as 'Gambling' or 'Social Networking', while allowing all other web browsing. You must implement this with the least administrative effort and without manually maintaining lists of FQDNs. What should you configure?
Your company deploys Azure Firewall to protect a hub virtual network. Security requirements now mandate that the firewall must decrypt outbound TLS traffic to inspect payloads for malware signatures and must actively block traffic matching known intrusion signatures. The current deployment uses the Standard SKU. What must you do to meet both requirements?
Your company deploys an Azure Firewall inside a Virtual WAN secured hub using Firewall Manager. The security team requires that all internet-bound traffic from the firewall itself be forced-tunneled through an on-premises appliance over ExpressRoute for centralized egress inspection. During design, you discover this requirement cannot be met with the current architecture. What is the correct explanation?
Your company is deploying Azure Firewall to protect a hub virtual network. Security requirements state that all outbound TLS traffic from application servers must be decrypted and inspected for malware, and the firewall must use a signature-based intrusion detection and prevention system (IDPS) that can block known malicious network patterns. The solution should minimize cost while meeting these requirements. Which Azure Firewall SKU should you deploy?
Contoso deploys an Azure Firewall Standard SKU in its hub virtual network. The security team wants the firewall to automatically block outbound traffic to and inbound traffic from known malicious IP addresses and domains published by Microsoft threat feeds, without manually maintaining rule collections. During a maintenance window they also want to be notified about matches but avoid dropping the traffic while they validate the impact. What should they configure to meet the maintenance-window requirement first, then the production requirement?
A support engineer reports that an application server VM (private IP 10.2.1.10) cannot receive inbound HTTPS (TCP 443) connections from an on-premises client (203.0.113.25). The VM has an NSG on its subnet and a second NSG on its network interface. You need to quickly determine whether an NSG rule is blocking the traffic and, if so, which specific rule and which NSG is responsible — without capturing packets or installing agents. Which Azure Network Watcher tool should you use?
Contoso runs a three-tier application in a single virtual network. The web tier VMs must accept inbound HTTPS from the internet, and the app tier VMs must accept inbound TCP 8443 only from the web tier VMs. New web and app VMs are provisioned frequently by an autoscale process, and their private IP addresses change each time. You must design NSG rules that stay accurate as VMs are added or removed, without editing rules on each scaling event. What should you implement?
You deploy Azure Bastion into a dedicated AzureBastionSubnet to provide secure RDP/SSH access to VMs in a hub VNet. Your security team requires an NSG on AzureBastionSubnet to satisfy compliance. After associating the NSG, users can no longer connect through Bastion. Which set of outbound rules must the NSG allow to restore Bastion functionality while keeping the NSG in place?
Your company runs a hub-spoke topology in Azure. You must enable virtual network flow logs on a spoke VNet named spoke-prod-vnet to capture traffic metadata for compliance auditing and later analysis with Traffic Analytics. Before you can create the flow log resource, which prerequisite must be in place in the same region as the VNet?
Your organization has 40 virtual networks, each containing multiple subnets with NSGs applied at both the subnet and NIC levels. Management wants comprehensive traffic logging with the least administrative overhead, and Microsoft has announced the retirement of the older logging feature. You need to enable flow logging so that a single log target automatically captures traffic for all current and future subnets in each virtual network without configuring logs per NSG. What should you configure?
More AZ-700 practice
Keep going with the other Microsoft Azure Network Engineer Associate domains, or take a full timed mock exam.
← Back to AZ-700 overview