View AZ-700 Exam Questions

Q: 1

You have a hybrid environment that uses ExpressRoute to connect an on-premises network and Azure. You need to log the uptime and the latency of the connection periodically by using an Azure virtual machine and an on-premises virtual machine. What should you use?

Options

Discussion

Mia E. Feb 24, 2026 3:05 pm

Option C but only because Connection Monitor can actually track both latency and uptime across ExpressRoute hops. If this was just about internet endpoints, D might make sense. Anyone see docs saying otherwise?

Ishaan A. Feb 27, 2026 9:24 pm

Don’t think A works here. C is designed to actually monitor connectivity and latency between Azure and on-prem via ExpressRoute. Azure Monitor just pulls logs and basic metrics, not real path testing. Makes sense to me, but let me know if you read it differently.

Parker Feb 19, 2026 12:24 am

Yep, has to be C. Only Connection Monitor checks both uptime and latency across hybrid, especially with ExpressRoute. Azure Monitor is more for collecting generic metrics, it won't test the actual network path. That's how I see it, but happy to hear other thoughts if someone disagrees.

Kevin B. Mar 5, 2026 5:06 pm

C is right. Only Connection Monitor can do end-to-end uptime and latency checks between Azure VMs and on-prem via ExpressRoute. A looks tempting but Azure Monitor doesn't test the network connection itself, just aggregates metrics. Pretty sure this is a common trap on practice tests.

Adam Feb 19, 2026 2:54 pm

Is the requirement to monitor just ExpressRoute or all network links? If it’s only ExpressRoute, that could affect which option fits.

Ethan P. Feb 14, 2026 4:48 pm

Nah, I don't think Azure Monitor (A) is enough for this one. C is the right pick here because Connection Monitor is designed specifically to track uptime and latency between Azure and on-prem, especially over ExpressRoute. Option A's a common trap since it's more about resource metrics, not network paths.

CalmArchitect6633 Mar 4, 2026 1:21 pm

Every freakin Azure networking question lately wants Connection Monitor. C, since it tracks uptime and latency between Azure and on-prem, exactly what they're asking for. Pretty sure that's what you'd see on practice tests.

LunaH Mar 3, 2026 10:48 am

Maybe C, had something like this in a mock and Connection Monitor was the right call.

Ravi F. Feb 18, 2026 7:02 pm

C/D? If internet-facing endpoints, D could fit, but hybrid with ExpressRoute sounds like C is expected.

Olivia L. Mar 3, 2026 4:13 pm

C here, since Connection Monitor is built for checking both uptime and latency between Azure and on-prem across ExpressRoute. Azure Monitor doesn't do network-level checks like this. Pretty sure that's what the question wants, but open to corrections.

Be respectful. No spam.

Correct Answer:

Explanation

Connection Monitor, a feature within Azure Network Watcher, is the specific tool designed for this purpose. It provides end-to-end monitoring of network connections between various endpoints, including Azure virtual machines and on-premises machines connected via ExpressRoute. It allows for the creation of tests that periodically check for reachability, which tracks uptime, and measure round-trip time, which tracks latency. The results are stored in a Log Analytics workspace, enabling historical analysis and alerting, perfectly matching the scenario's requirements.

Why Incorrect

A. Azure Monitor is the overarching monitoring platform in Azure, but Connection Monitor is the specific, purpose-built tool within it for monitoring network connectivity and latency.

B. IP flow verify is a diagnostic tool in Network Watcher used to verify if network traffic is allowed or denied by Network Security Group (NSG) rules, not for monitoring uptime or latency.

D. Azure Internet Analyzer is used to compare the performance of internet-facing services from an end-user perspective, not for monitoring private, hybrid connections like ExpressRoute.

References

1. Microsoft Documentation | Azure Network Watcher | What is Connection Monitor?: "Connection Monitor provides unified

end-to-end connection monitoring in Azure Network Watcher... You can monitor connectivity between... Azure virtual machines (VMs)... and on-premises machines... It helps you detect connectivity issues and identify the reason for them. Supported capabilities include... Monitoring for changes in reachability and for measuring network latency and packet loss over time."

2. Microsoft Documentation | Azure Network Watcher | Monitor network connectivity by using Connection Monitor: Under the "Create a connection monitor" section

the steps detail how to select source and destination endpoints

which can be Azure VMs and on-premises machines. The "Test configurations" section describes setting up protocols and thresholds for success

which directly relates to uptime and latency checks.

3. Microsoft Documentation | Azure Network Watcher | Introduction to IP flow verify: "IP flow verify checks if a packet is allowed or denied to or from a virtual machine. The information is useful when you're diagnosing if a network security group (NSG) rule is blocking ingress or egress traffic to or from a VM." This confirms its role as a security rule diagnostic tool.

4. Microsoft Documentation | Azure Internet Analyzer | What is Internet Analyzer?: "Internet Analyzer is a client-side measurement service that enables you to test how networking infrastructure changes will impact your customers' performance. Whether you're migrating from on-premises to Azure or evaluating a new Azure service

Internet Analyzer allows you to learn from your users' data..." This highlights its focus on public

internet-based performance testing.

Q: 2

You have an Azure subscription that contains the resources shown in the following table.

You plan to deploy an Azure Virtual Network NAT gateway named Gateway 1. The solution must meet the following requirements: • VM1 will access the internet by using its public IP address. • VM2 will access the internet by using its public IP address. • Administrative effort must be minimized. You need to ensure that you can deploy Gateway1 to Vnet1. What is the minimal number of subnets that Vnet1 must have?

Options

Discussion

Sean Feb 28, 2026 9:44 pm

Option C

Quinn S. Mar 5, 2026 1:40 pm

Option C is it. B's a trap since each VM that needs to keep its public IP for outbound can't be in a NAT subnet, so you need separate subnets plus the required GatewaySubnet. Definitely four here, not three.

Drew M. Mar 2, 2026 2:01 am

C . Each VM with public IP needs its own subnet to avoid NAT override, then an extra subnet for the NAT gateway and another for GatewaySubnet. Four total, not less. Let me know if I missed something.

SteadyCandidate7098 Feb 28, 2026 12:13 pm

Yeah, that lines up for me too. C

Meera S. Feb 18, 2026 5:43 pm

I don't think it's B, since VM1 and VM2 can't share a NAT subnet if they need separate public IP outbound. C.

Sofia Feb 25, 2026 12:43 am

C not 100% sure but that's what fits the NAT and public IP setup best. Anyone see another way?

Neha O. Feb 23, 2026 4:34 pm

Probably C here. VM1 and VM2 each need their own subnets to keep their public IP outbound, plus a subnet for NAT and the required GatewaySubnet. Minimal config with 4 subnets total.

Daniel P. Feb 27, 2026 9:34 am

C vs B here. Azure NAT gateway grabs all outbound from any subnet it's attached to, so VM1 and VM2 can't be in the NAT subnet or they'll lose their public IP outbound. That makes it a minimum of 4 subnets unless the two VMs could safely share, which isn't allowed by the requirements. Let me know if I missed something.

RowanH Feb 27, 2026 3:23 pm

C tbh, but only because Azure NAT will intercept outbound traffic unless the VM is in its own subnet away from the NAT gateway. If VM1 and VM2 could safely share a subnet, maybe you could do it in 3, but the requirement usually means 4.

Morgan S. Mar 4, 2026 2:13 am

C Agreed, you need 4 subnets to satisfy the NAT and public IP requirements for both VMs.

Be respectful. No spam.

Correct Answer:

Explanation

When a NAT gateway is associated with a subnet, it performs SNAT for every VM in that subnet and supersedes any instance-level public IP that the VMs may have. Therefore, to let VM1 and VM2 continue to use their own public IPs for outbound traffic, they must each reside in subnets that are not associated with Gateway1.

Gateway1 itself must be linked to (at least) one other workload subnet to provide NAT for the remaining resources.

Because Vnet1 already contains the mandatory GatewaySubnet that hosts the existing virtual network gateway, the minimum subnet count becomes:

• GatewaySubnet (VPN gateway)

• Subnet-VM1 (no NAT)

• Subnet-VM2 (no NAT)

• NATed-Subnet (associated with Gateway1)

Total = 4 subnets.

Why Incorrect

A. 2 Cannot separate VM traffic from NAT traffic and still accommodate the required GatewaySubnet.

B. 3 One subnet would still be shared, forcing a VM to lose its instance-level public IP for outbound flows.

D. 5 Works, but exceeds the minimum; the requirement is to find the least number.

References

1. Microsoft Azure Virtual Network NAT – Limitations: “NAT gateway supersedes any instance-level public IP…” (docs.microsoft.com

Virtual Network NAT overview

section ‘Limitations’

para 3).

2. Microsoft VPN Gateway Documentation – “The virtual network gateway must be deployed in a dedicated subnet named GatewaySubnet.” (docs.microsoft.com

About VPN gateway settings

section ‘GatewaySubnet’).

3. Microsoft Learn Tutorial – Configure NAT gateway: association to individual subnets only; multiple subnets can exist in the same VNet (docs.microsoft.com

Quickstart: Create NAT gateway

step 6).

Q: 3

You need to use Traffic Analytics to monitor the usage of applications deployed to Azure virtual machines. Which Azure Network Watcher feature should you implement first?

Options

Correct Answer:

Explanation

Traffic Analytics is a cloud-native solution that ingests and analyzes Network Security Group (NSG) flow logs. It provides rich visualizations and insights into traffic patterns, malicious flows, and security threats within your Azure environment. To use Traffic Analytics, you must first enable NSG flow logs for the network security groups associated with the virtual machines you wish to monitor. The flow logs serve as the raw data source that Traffic Analytics processes. Therefore, implementing NSG flow logs is the foundational and mandatory first step.

Why Incorrect

A. Connection monitor: This feature tests connectivity and measures latency between endpoints. It is not the data source for Traffic Analytics.

B. Packet capture: This is a diagnostic tool for capturing detailed network packet data for a limited time, used for deep-dive troubleshooting, not for continuous, aggregated analysis.

D. IP flow verify: This is a diagnostic tool used to verify if a specific traffic flow is allowed or denied by NSG rules, not a continuous logging mechanism.

References

1. Microsoft Learn

Azure Network Watcher documentation

"Traffic analytics": Under the "Prerequisites" section

it explicitly states

"To use traffic analytics

you need... A network security group (NSG) enabled for flow logging...". This confirms that NSG flow logs are a direct prerequisite.

Source: Microsoft Corporation. (2023). Traffic analytics. Microsoft Learn. Retrieved from https://learn.microsoft.com/en-us/azure/network-watcher/traffic-analytics#prerequisites

2. Microsoft Learn

Azure Network Watcher documentation

"Introduction to flow logging for network security groups": This document describes how NSG flow logs work and their purpose. The "Traffic Analytics" section highlights that "Traffic analytics is a native Azure service that uses the NSG flow logs to provide deep visibility of your network traffic."

Source: Microsoft Corporation. (2023). Introduction to flow logging for network security groups. Microsoft Learn. Retrieved from https://learn.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-overview#traffic-analytics

3. Microsoft Learn

Azure Network Watcher documentation

"Tutorial: Log network traffic to and from a virtual machine using the Azure portal": This tutorial guides the user through the process. Step 1 is "Enable NSG flow log

" and a later step is "Enable Traffic Analytics

" demonstrating the required sequence.

Source: Microsoft Corporation. (2023). Tutorial: Log network traffic to and from a virtual machine using the Azure portal. Microsoft Learn. Retrieved from https://learn.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-portal (See sections "Enable NSG flow log" and "Enable Traffic Analytics").

Q: 4

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen. You have an Azure application gateway that has Azure Web Application Firewall (WAF) enabled. You configure the application gateway to direct traffic to the URL of the application gateway. You attempt to access the URL and receive an HTTP 403 error. You view the diagnostics log and discover the following error.

You need to ensure that the URL is accessible through the application gateway. Solution: You create a WAF policy exclusion for request headers that contain 137.135.10.24. Does this meet the goal?

Options

Discussion

Maya H. Feb 17, 2026 5:44 pm

Can Microsoft make these WAF config questions any less clear? Anyway, it's got to be B since the log flagged the ARGS value, not the header. Header exclusion won't bypass a block on request arguments. Someone correct me if I'm missing a subtlety.

Ryan P. Feb 15, 2026 3:08 am

Maybe B based on what I've seen in the official guide and some Microsoft practice sets.

Anita Feb 18, 2026 11:42 pm

Pretty sure it's B. Excluding headers won't help if WAF flagged ARGS. Needs to match the component where block happened, right?

Chris Feb 19, 2026 12:31 am

I think A. Header exclusion should work since the solution targets requests from that IP, unless I’m missing something about ARGS.

Taylor V. Feb 19, 2026 12:41 am

Yeah, it's B here. The log flagged the request argument, not the header, so a header exclusion won't fix the issue. Pretty sure you need to set the exclusion for ARGS. Correct me if I'm wrong.

Quinn X. Mar 4, 2026 1:19 pm

B , since the WAF is flagging ARGS, not headers. Header exclusion's a common trap here.

Sara T. Mar 1, 2026 8:27 pm

B for this. The WAF log shows ARGS got flagged (which means request params), so making a header exclusion won't un-block it. You'd need to target the same field the alert triggered on. Correct me if I'm missing something but pretty confident here.

Sean L. Feb 20, 2026 1:30 pm

Option B here. Had something like this in a mock, header exclusions don't cover ARGS so the request will still get blocked. You need to match the part WAF flagged, I think.

Nina Feb 28, 2026 7:33 pm

B tbh. Header exclusions don’t stop WAF if it blocks ARGS. Unless that log says header, this can’t work.

Aisha P. Feb 25, 2026 3:39 pm

I get why you'd think A works, but the header exclusion doesn't fix an ARGS match. Still, I'm picking A here.

Be respectful. No spam.

Correct Answer:

Explanation

The diagnostic log indicates that the Web Application Firewall (WAF) blocked the request due to rule 942440, which detected a potential SQL Injection attack. The Matched Data field shows the pattern 1=1 was found within ARGS:text. The term ARGS refers to the request arguments, such as query string parameters or the request body.

The proposed solution is to create an exclusion for request headers. This solution is incorrect because the WAF detected the pattern in the request arguments, not the headers. An exclusion rule must target the specific attribute where the false positive occurs. Therefore, this solution will not prevent the WAF from blocking the request.

Why Incorrect

A. Yes: This is incorrect because the proposed exclusion targets the wrong request attribute (headers). The block is occurring in the request arguments, so the solution will be ineffective.

References

1. Microsoft Learn

Azure Web Application Firewall (WAF) exclusion lists on Azure Application Gateway. This document details the request attributes that can be excluded. It explicitly lists "Request arg name" as a match variable

which would be the correct attribute to target in this scenario

not "Request header name".

Reference: In the "Exclusion attributes" section

see the table listing the supported "Match variable" values.

2. Microsoft Learn

Troubleshoot Web Application Firewall (WAF) for Azure Application Gateway. This guide explains how to interpret WAF logs. The details.data field shows what was matched in the request

and the log entry in the question clearly states the match was in ARGS:text

confirming the issue is in the request arguments.

Reference: See the "Understanding WAF logs" section for descriptions of log fields like matchedDatas and detailsdatas.

3. OWASP

Core Rule Set Project. The rule ID 942440 corresponds to the OWASP ModSecurity Core Rule Set (CRS) rule for "SQL Injection Attack: SQL Tautology Detected." This rule specifically inspects request arguments and other locations for common SQL injection patterns like 1=1.

Reference: OWASP CRS documentation for rule 942440 in the REQUEST-942-APPLICATION-ATTACK-SQLI.conf file.

Q: 5

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen. You have an Azure subscription that contains the following resources: * A virtual network named Vnet1 * A subnet named Subnet1 in Vnet1 * A virtual machine named VM1 that connects to Subnet1 * Three storage accounts named storage1, storage2. and storage3 You need to ensure that VM1 can access storage1. VM1 must be prevented from accessing any other storage accounts. Solution: You create a network security group (NSG). You configure a service tag for MicrosoftStorage and link the tag to Subnet1. Does this meet the goal?

Options

Discussion

Amelia F. Feb 27, 2026 2:56 am

Option B, check Microsoft docs or do a quick lab to see how NSG service tags actually work.

NathanR Mar 4, 2026 10:08 am

Not A, B here. Service tag for Microsoft.Storage applies to all storage accounts in the region, so you can't restrict VM1 just to storage1 with an NSG this way. You'll need more specific controls. Let me know if anyone got it working differently.

Olivia R. Feb 28, 2026 6:04 pm

Official docs and practice tests cover scenarios like this. B

Morgan N. Mar 6, 2026 3:15 am

B The NSG service tag hits all storage in the region, not just one account.

Ishaan V. Feb 14, 2026 12:22 pm

B tbh. Saw a similar question on a practice test and official docs back this up. The NSG service tag is too broad, so not enough for only storage1. Recommend checking the official exam guide for networking scenarios.

Ryan Feb 21, 2026 10:53 pm

Not quite, it's B. Using the Microsoft.Storage service tag in an NSG will allow VM1 access to all storage accounts in that region, not just storage1. This question tries to trip you up there. Pretty sure you'd need storage account firewall restrictions as well to hit the goal. Anyone disagree?

Jamie V. Mar 6, 2026 12:07 pm

Its B. The Microsoft.Storage tag is a trap, lets through all storage accounts not just storage1.

Zoe Feb 23, 2026 10:16 am

B here. NSG with the Microsoft.Storage tag lets VM1 reach all storage accounts, not just storage1. To lock it down to one, you'd need storage firewall rules too. Anyone see a way around that?

Ishaan E. Mar 1, 2026 5:13 am

B tbh, NSG with Microsoft.Storage tag isn't enough for just one storage account.

Jordan G. Mar 2, 2026 4:36 am

That's a common catch on these. Service tag for Microsoft.Storage isn’t granular, so it can't just limit to storage1. Pretty sure B fits unless the NSG had IPs or storage1 firewall rules in place. Disagree?

Be respectful. No spam.

Correct Answer:

Explanation

The proposed solution is incorrect because it uses a service tag for Microsoft.Storage. A service tag represents a group of public IP address prefixes for an entire Azure service within a region, not for a specific resource instance. Using this service tag in a Network Security Group (NSG) rule would either allow or deny traffic to all Azure Storage accounts in that region. It cannot differentiate between storage1, storage2, and storage3. Therefore, it is impossible to meet the goal of allowing access to only storage1 while blocking others using this method. The correct approach would involve using a Virtual Network service endpoint for Microsoft.Storage on Subnet1 and then configuring the firewall on storage1 to allow traffic from that specific subnet.

Why Incorrect

A. Yes: This is incorrect. The solution fails because a service tag is too broad and applies to the entire Azure Storage service, not a single, specific storage account.

References

1. Microsoft Learn

Azure virtual network service tags. "A service tag represents a group of IP address prefixes from a given Azure service. Microsoft manages the address prefixes encompassed by the service tag and automatically updates the service tag as addresses change." This confirms that a service tag is a collection of prefixes for a service

not a specific instance. See the section "What is a service tag?".

2. Microsoft Learn

Network security groups. "You can use service tags in the source and destination fields of a security rule." This document confirms how service tags are used in NSGs but also implicitly shows that the destination is a service

not a specific resource. See the section "Security rules".

3. Microsoft Learn

Virtual Network service endpoints. "Endpoints allow you to secure your critical Azure service resources to only your virtual networks... You can secure Azure service resources to your virtual network by adding a virtual network rule to the resources. This provides improved security by fully removing public internet access to resources and allowing traffic only from your virtual network." This describes the correct mechanism for achieving the goal stated in the question. See the section "Key benefits".

Q: 6

You have an Azure virtual network named Vnet1 that hosts an Azure firewall named FW1 and 150 virtual machines. Vnet1 is linked to a private DNS zone named contoso.com. All the virtual machines have their name registered in the contoso.com zone. Vnet1 connects to an on-premises datacenter by using ExpressRoute. You need to ensure that on-premises DNS servers can resolve the names in the contoso.com zone. Which two actions should you perform? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.

Options

Discussion

Ajay J. Feb 23, 2026 12:18 pm

Probably A and D. Using the firewall as a DNS proxy then forwarding from on-prem to FW1 lets you resolve private zone names across ExpressRoute. B looks like a trap since 168.63.129.16 isn't reachable from outside Azure VNet. Disagree?

Jamie I. Feb 15, 2026 6:11 am

C/D? I'd lean A and D since on-prem DNS can't hit 168.63.129.16 directly. Enabling DNS proxy on FW1 and forwarding queries from on-prem to the firewall handles private zone lookups. Not 100% but that's how I've seen it set up in hybrid environments.

Neha P. Feb 20, 2026 6:20 am

B/D? Seen a similar question in the official practice set, and they mention Azure DNS plus enabling DNS proxy on the firewall. Worth double-checking with MS docs or the exam ref though.

Ishaan Feb 28, 2026 2:29 pm

A and D

Parker A. Feb 21, 2026 6:16 pm

Definitely seen similar cases in labs, A and D. Azure docs plus practice test cover this setup.

Chloe Q. Feb 21, 2026 8:59 am

Is there a reason why B wouldn’t be viable if the Azure-provided DNS IP is supposed to resolve private zones? I get that 168.63.129.16 isn’t reachable from on-prem directly, but docs mention it as the resolver inside Azure. Would setting up forwarders still fail for hybrid?

Reese M. Feb 23, 2026 4:54 am

Option A and D but if Azure Firewall DNS proxy isn’t enabled, on-prem wouldn’t resolve private records.

Ethan V. Feb 27, 2026 4:09 am

Why wouldn't B work here? Isn't 168.63.129.16 only accessible inside Azure, not from on-prem?

Sanjay Feb 17, 2026 1:00 am

A and D make sense here. You need FW1 to act as the DNS proxy so on-prem DNS can forward requests to Azure for contoso.com private zone records. Pretty sure B wouldn't work since Azure-provided DNS is only reachable inside VNet. Someone correct me if I'm missing something.

Priya R. Feb 21, 2026 3:07 am

A and D, saw similar on exam reports, FW1 DNS proxy plus pointing on-prem forwarders to it covers private zone names.

Be respectful. No spam.

Correct Answer:

A, D

Explanation

To enable on-premises DNS servers to resolve hostnames within an Azure private DNS zone, a DNS forwarder or proxy within the Azure VNet is required. Azure Firewall can fulfill this role. The solution involves two steps:

1. Enable the DNS Proxy feature on the Azure Firewall (FW1). This configures the firewall to listen for DNS queries on its private IP address and forward them to the Azure-provided DNS service, which can resolve records in the linked private zone.

2. Configure the on-premises DNS servers with a conditional forwarder for the contoso.com zone. This forwarder must point to the private IP address of the Azure Firewall (FW1), ensuring that queries for contoso.com are sent to the firewall's DNS proxy for resolution.

Why Incorrect

B. The IP address 168.63.129.16 is a virtual IP for Azure platform resources and is not routable or reachable directly from an on-premises network.

C. Modifying the VNet's DNS settings affects name resolution for VMs inside the VNet, but it does not establish the required forwarding path from on-premises.

E. Configuring a custom DNS server on the firewall would bypass the Azure-provided DNS needed to resolve the private zone, unless that custom server was also configured to forward to Azure.

References

1. Microsoft Learn. (2023). Azure Firewall DNS settings. "To use DNS proxy for on-premises networks

configure on-premises DNS servers to forward queries to the firewall's private IP address." and "When you enable DNS Proxy... Azure Firewall... process and forward DNS queries from a Virtual Network(s) to your desired DNS server." This document directly supports enabling the proxy (D) and configuring on-premises forwarders to the firewall's IP (A).

Source: https://learn.microsoft.com/en-us/azure/firewall/dns-settings

2. Microsoft Learn. (2023). Azure Private DNS scenarios. Under the section "On-premises workloads using a DNS forwarder

" the document explains the architectural pattern: "To resolve records from a private DNS zone from on-premises

you need to deploy a DNS forwarder in the virtual network... You can then create a conditional forwarder on your on-premises DNS server that points to the forwarder in Azure." Azure Firewall's DNS proxy feature serves as this forwarder.

Source: https://learn.microsoft.com/en-us/azure/dns/private-dns-scenarios

3. Microsoft Learn. (2023). What is IP address 168.63.129.16?. "The IP address 168.63.129.16 is used in all regions and all national clouds. Microsoft owns this special public IP address... The IP address can't be accessed from outside Azure." This confirms that on-premises servers cannot forward queries directly to this address

invalidating option B.

Source: https://learn.microsoft.com/en-us/azure/virtual-network/what-is-ip-address-168-63-129-16

Q: 7

You have an Azure Web Application Firewall (WAF) policy in prevention mode that is associated to an Azure Front Door instance. You need to configure the policy to meet the following requirements: Log all connections from Australia. Deny all connections from New Zealand. Deny all further connections from a network of 131.107.100.0/24 if there are more than 100 connections during one minute. What is the minimum number of objects you should create?

Options

Discussion

QuietCandidate581 Feb 28, 2026 1:37 pm

Its A, since you can’t mix different actions like Log and Block in a single WAF rule. I get why B looks tempting but it’s a trick option here. Seen something similar on practice tests, agree?

Ava S. Feb 23, 2026 8:03 pm

Why does Microsoft always split up rule types so much? I picked D since you could technically combine two actions as conditions (like block + log) in a single rule, then have another for the rate limit. But maybe I'm missing something with Azure's WAF limits here, not 100% sure.

Leo G. Feb 16, 2026 12:05 am

C seems right-one rule with a condition per network. Rules can be chained, so why not combine?

Maya U. Feb 19, 2026 9:55 pm

Seen this on a few practice sets, it's A. Official docs and some labs drill in that log, block, and rate limit each need their own custom rule object in Azure WAF.

Anita H. Feb 15, 2026 12:27 pm

Why not D? Mixing log and block in one rule looks possible at first, but Azure doesn't support it.

Riley V. Feb 17, 2026 9:06 am

C or D? If Azure changed so you could set different actions in the same rule with multiple conditions, B or D might be possible. But from what I remember, rate limiting can't be mixed with match rules, so leaning toward A still. Someone please correct me if I'm wrong.

Anita E. Feb 23, 2026 7:14 pm

Gotta be A. Each custom rule in Azure WAF can only have one action, so you need one for log, one for block, and one for rate limit. Makes sense based on how the portal works. If I missed something recent, let me know.

Sam V. Mar 3, 2026 8:30 pm

It’s A, and honestly Azure loves making this stuff more complicated than it should be. Each custom WAF rule can only have one action, so you need separate rules for logging (Australia), blocking (New Zealand), and rate limiting (the /24 net). Seen this on other practice sets, unless they’ve changed something recently. If someone’s got a different take let me know.

Daniel Mar 5, 2026 3:37 am

Actually, it's A. The trick is you can't combine Log and Block actions in one WAF custom rule, so B and D are tempting but wrong. Azure wants a separate rule per unique action. Seen this pattern on similar questions, correct me if I'm missing something.

Nina P. Feb 24, 2026 9:24 am

Option D makes sense if you could mix log and block actions in the same WAF rule, but that's not how Azure works right now. The trap is thinking you can combine them, like in B or D. I'm pretty sure A is right unless there's been a new Azure update I missed.

Be respectful. No spam.

Correct Answer:

Explanation

Each of the three requirements must be configured as a separate custom rule because a single rule can only have one action (Log, Block, Allow, or Redirect) and one rule type (MatchRule or RateLimitRule).

1. Log connections from Australia: This requires a MatchRule with a geo-location condition for Australia and the Log action.

2. Deny connections from New Zealand: This requires a separate MatchRule with a geo-location condition for New Zealand and the Block action.

3. Rate limit connections from 131.107.100.0/24: This requires a RateLimitRule, a distinct rule type, with an IP address condition and the Block action.

Since the actions and rule types are different, they cannot be combined, necessitating three distinct custom rules.

Why Incorrect

B. one custom rule that has three conditions: A single custom rule cannot have different actions (e.g., Log and Block) or be both a MatchRule and a RateLimitRule simultaneously.

C. one custom rule that has one condition: This is insufficient as it cannot address all three distinct requirements with their different actions and conditions.

D. one rule that has two conditions and another rule that has one condition: The requirements for Australia (Log) and New Zealand (Block) cannot be combined into a single rule because they require different actions.

References

1. Microsoft Learn

"Custom rules for Azure Web Application Firewall with Azure Front Door": This document outlines the components of a custom rule. Under the "Action" section

it specifies that a rule has a single action. It also describes the two "Rule types": MatchRule and RateLimitRule

confirming that rate limiting is a distinct rule type.

Reference: See sections "Custom rule components" and "Rule types".

2. Microsoft Learn

"Azure Web Application Firewall (WAF) with Front Door rate limiting": This document details the configuration of rate-limiting rules. It states

"Rate limiting rule is configured by using a custom rule in a WAF policy." This confirms that the rate-limiting requirement must be implemented as its own custom rule.

Reference: See the "Rate limiting custom rules" section.

3. Microsoft Learn

"Tutorial: Create a Web Application Firewall policy on Azure Front Door using the Azure portal": This tutorial demonstrates the process of creating custom rules. In the "Add custom rules" section

the user interface shows that for each rule

you must select a single "Action" from a dropdown list

reinforcing the one-action-per-rule principle.

Reference: See Step 3 under the "Add custom rules" section.

Q: 8

You plan to configure BGP for a Site-to-Site VPN connection between a datacenter and Azure. Which two Azure resources should you configure? Each correct answer presents a part of the solution. (Choose two.) NOTE: Each correct selection is worth one point.

Options

Discussion

QuickMentor6790 Mar 1, 2026 8:27 am

A/D. No explanation needed, these are the two required for BGP over S2S VPN with Azure.

Karan F. Mar 1, 2026 6:48 am

I think it's A and C. Virtual network gateway makes sense, plus Azure Firewall sometimes comes up in practice tests for routing scenarios. Not 100% though, so check the official guide if unsure.

Owen P. Mar 4, 2026 8:48 pm

Its A and D, I think? Virtual network gateway for Azure side, local network gateway for on-prem. Can someone confirm?

Aisha X. Feb 22, 2026 12:14 am

A and D. Saw similar in practice tests, you need both to enable S2S VPN with BGP in Azure. Pretty sure Application Gateway and Firewall aren't involved for this setup. Correct me if wrong.

Leo A. Feb 23, 2026 5:22 am

C and A tbh

Meera Mar 5, 2026 1:32 am

A and C. Virtual network gateway for sure, but Azure Firewall can do some routing stuff so went with C.

Quinn Feb 28, 2026 10:09 am

Hard to say, A and D, but technically if the exam meant "Azure-only resources," D might cause confusion since it just points at on-prem.

Owen B. Mar 5, 2026 9:50 pm

Option A and D. Virtual network gateway is for the Azure side and local network gateway defines on-prem peer info needed for BGP. I think that's what exam expects, but not 100% sure so open to being corrected.

Meera X. Mar 3, 2026 6:43 am

Its D and A for BGP with site-to-site VPN. Virtual network gateway is required in Azure for the VPN endpoint and BGP config, and local network gateway lets you define the on-prem peer details including ASN. Not totally sure if D is always counted as exclusively Azure but pretty sure both are expected here. Anyone see it different?

ThoughtfulLearner4864 Feb 27, 2026 4:33 pm

B , Application Gateway does some routing so maybe it needs to be configured in this setup depending on design.

Be respectful. No spam.

Correct Answer:

A, D

Explanation

To configure a Site-to-Site (S2S) VPN with BGP in Azure, two fundamental resources must be configured. The virtual network gateway is the VPN endpoint in Azure. BGP must be enabled on this gateway, and it is configured with an Azure Autonomous System Number (ASN). The local network gateway is an Azure resource that represents the on-premises VPN device and network. This resource holds the public IP of the on-premises device, the on-premises network address prefixes, and, critically for this scenario, the on-premises BGP peer IP address and ASN. Both resources are essential for establishing the connection and enabling dynamic route exchange via BGP.

Why Incorrect

B. Azure Application Gateway is a Layer 7 web traffic load balancer and is not involved in establishing network-level S2S VPN connections.

C. Azure Firewall is a network security service. While it can be used to inspect traffic, it is not a core component required to configure the BGP VPN connection itself.

E. Azure Front Door is a global application delivery and acceleration service that operates at the application layer, not the network layer required for S2S VPNs.

References

1. Microsoft Learn

Official Documentation. "About BGP with Azure VPN Gateway". In the "BGP configuration steps" section

the documentation explicitly outlines the two main steps: 1. "Enable BGP on your Azure VPN gateway..." and 2. "Create a Local Network Gateway with BGP parameters to represent your on-premises network." This confirms that both a virtual network gateway and a local network gateway are required.

2. Microsoft Learn

Official Documentation. "Configure BGP for a site-to-site VPN connection using the Azure portal". This tutorial is structured into two main parts for configuration: "Part 1: Configure BGP on the virtual network gateway" and "Part 2: Configure BGP on the local network gateway"

demonstrating that both resources are integral to the solution.

3. Microsoft Learn

Official Documentation. "Azure VPN Gateway FAQ". Under the "BGP" section

the FAQ "Do I need to assign an ASN to my local network gateway?" is answered with "You need to assign an ASN to your local network gateway only if you're using BGP to advertise routes to that on-premises site." This directly links the local network gateway to the BGP configuration.

Q: 9

You have an Azure subscription that contains a user named Admin1 and a resource group named RG1. RG1 contains an Azure Network Watcher instance named NW1. You need to ensure that Admin1 can place a lock on NW1. The solution must use the principle of least privilege. Which role should you assign to Admin1?

Options

Discussion

Ava V. Feb 19, 2026 7:51 am

A, not B. Network Contributor (B) looks tempting but it doesn't let you manage locks, that's a classic exam trap. From what I've seen in similar questions, User Access Administrator (A) is the least privilege option for locks specifically. If I'm missing something let me know.

Nora H. Feb 17, 2026 11:30 pm

Gotta be A here. User Access Administrator includes lock management without broader resource permissions, which fits the least privilege requirement. Network Contributor (B) can't manage locks. Pretty sure that's right but open if someone disagrees.

Ishaan I. Feb 27, 2026 7:01 am

Gotta agree with A, only User Access Administrator gives permissions for locks without over-provisioning. The others are too limited or unrelated. Unless something's changed in Azure roles lately, A's the safe bet here.

Morgan T. Mar 1, 2026 7:37 am

Maybe A, but if Admin1 already has RBAC-specific rights at a higher scope, wouldn't that change things? Pretty sure User Access Administrator is right for locks but only if it's narrow enough.

Liam K. Feb 28, 2026 1:54 pm

Its A for this, since User Access Administrator is the only listed role with just enough rights to put a lock on NW1. Network Contributor always sounds close but doesn't have lock permission I think. Agree?

Taylor P. Mar 4, 2026 2:39 pm

Noah X. Feb 25, 2026 9:53 pm

Argh, Microsoft and their RBAC roles again. It's A, User Access Administrator, since that's the least privilege role with lock management allowed without giving away full control.

Maya Y. Mar 5, 2026 8:37 am

Not B. Network Contributor lets you manage networks but doesn't give the lock permission, that's a common trap. A is the one that gives just enough to place locks from what I've seen in exam reports.

Kevin Mar 2, 2026 10:41 am

B not A. Network Contributor can manage networking but I think it covers locks too, so why not B?

Avery J. Feb 28, 2026 2:38 pm

A tbh

Be respectful. No spam.

Correct Answer:

Explanation

Creating or deleting a resource lock requires the permission Microsoft.Authorization/locks/, which is included in the Microsoft.Authorization//write action.

Among the built-in roles, Owner and User Access Administrator both contain Microsoft.Authorization//write, but Owner can modify or delete every resource in the scope, exceeding the required privileges.

User Access Administrator does not allow management of the resources themselves; it only lets the principal manage access control (RBAC) and locks. Therefore, assigning User Access Administrator on NW1 (or RG1) lets Admin1 place a lock while adhering to the principle of least privilege.

Why Incorrect

B. Network Contributor lacks Microsoft.Authorization/ permissions; it cannot create or delete locks.

C. Resource Policy Contributor is limited to policy resources (Microsoft.Authorization/policy); it has no lock permissions.

D. Monitoring Contributor grants rights to monitoring resources (metrics, alerts) only; it has no authorization or lock permissions.

References

1. Microsoft

“Azure built-in roles – User Access Administrator

” Microsoft Entra and RBAC documentation

section “Actions

” shows Microsoft.Authorization//write (including locks). https://learn.microsoft.com/azure/role-based-access-control/built-in-roles#user-access-administrator

2. Microsoft

“Lock resources to prevent unexpected changes

” Azure Resource Manager docs

section “Required permissions

” para. 2: “You must have Microsoft.Authorization/locks/ permission

such as Owner or User Access Administrator.” https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources

3. Microsoft

“Azure built-in roles – Network Contributor

” same page

lists NotActions Microsoft.Authorization/

confirming no lock rights.

4. Microsoft

“Azure built-in roles – Resource Policy Contributor” and “Monitoring Contributor

” same page

list only policy- or monitor-related actions

not Microsoft.Authorization/locks/.

Q: 10

You are planning the IP addressing for the subnets in Azure virtual networks. Which type of resource requires IP addresses in the subnets?

Options

Discussion

Jason M. Feb 23, 2026 8:41 pm

C . Service endpoints need to be enabled per subnet and let traffic flow through the subnet, so I figured they'd require IPs too. Might be mixing up use with assignment though, anyone see it differently?

Ishaan Feb 26, 2026 6:23 pm

Had something like this in a mock, it's A.

CuriousDev6941 Feb 16, 2026 8:29 am

Guessing C, seen similar on some official practice sets but could be misremembering, maybe check the Azure docs to confirm.

LunaL Feb 24, 2026 12:18 pm

Its A for sure. Internal load balancers need to reserve an actual private IP from the subnet, unlike service endpoints or storage accounts. Saw similar phrasing on a practice set, pretty confident here. Disagree?

Neha Q. Feb 27, 2026 7:40 am

A , seen this in the exam dump.

Daniel F. Mar 5, 2026 11:38 am

I was thinking B makes sense here.

Karan N. Mar 5, 2026 12:13 am

Nah, storage accounts and service endpoints use subnet routing but don't actually require an IP from the subnet itself. It's got to be A, internal load balancers really need their own private IP. Trap could be B if you skim fast.

Luna O. Feb 18, 2026 9:18 am

Ravi K. Feb 26, 2026 12:01 am

Honestly B fits too

Skyler K. Mar 4, 2026 8:46 am

Maybe A. . Internal load balancers actually grab a private IP from the subnet, that's needed for their frontend. Storage accounts and endpoints don’t get addresses assigned inside the subnet, they’re just reachable over it. Seen this trip people up before.

Be respectful. No spam.

Correct Answer:

Explanation

An internal Azure Load Balancer is used to distribute traffic to resources inside a virtual network. To function, it requires a frontend IP configuration, which must be a private IP address allocated from the address space of a specific subnet within the virtual network. This private IP address serves as the destination for the traffic that the load balancer distributes. Other resources, like virtual machines or virtual machine scale sets, are then added to the backend pool of the load balancer.

Why Incorrect

B. storage account: A storage account itself does not reside in a subnet or consume an IP address from it. Connectivity can be enabled via a private endpoint, which is a network interface that gets an IP from the subnet, but the storage account resource is distinct.

C. service endpoints: A service endpoint is a feature enabled on a subnet to provide a direct, secure connection to Azure services over the Azure backbone. It does not consume any private IP addresses from the subnet's address range.

D. service endpoint policies: Service endpoint policies are applied to a subnet to filter egress traffic to specific Azure service instances over a service endpoint. They are a policy construct and do not require an IP address.

References

1. Microsoft Learn | Azure Load Balancer components: Under the "Frontend IP configuration" section

it states

"The IP address of your Azure Load Balancer. It's the point of contact for clients. ... For an internal load balancer

the frontend is a private IP address." This confirms the internal load balancer's frontend is an IP from the VNet.

2. Microsoft Learn | What is an internal load balancer?: In the "Frontend IP configuration" section

it details

"The private IP address is selected from a subnet of the virtual network where the load balancer is deployed." This explicitly links the required IP address to a subnet.

3. Microsoft Learn | Virtual Network service endpoints: In the "Key benefits" section

it clarifies that service endpoints allow VNet resources to connect to services without needing public IPs and that the connection is direct. It does not mention the consumption of private IPs by the endpoint itself.

4. Microsoft Learn | Use private endpoints for Azure Storage: This document explains

"A private endpoint is a network interface that uses a private IP address from your virtual network." This distinguishes the private endpoint (which gets an IP) from the storage account resource itself.

Question 1 of 20 · Page 1 / 2

Premium Access Includes

✓ Quiz Simulator
✓ Exam Mode
✓ Progress Tracking
✓ Question Saving
✓ Flash Cards
✓ Drag & Drops
✓ 3 Months Access
✓ PDF Downloads

Get Premium Access

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE