Microsoft Azure AZ-700 Exam Questions 2025

1. Microsoft Learn, Azure VPN Gateway documentation, "Gateway subnet" section. It states, "For the most future-proof configuration, we recommend that you create a gateway subnet of /27 or larger (/27, /26, /25 etc.)." This directly supports the selection of /27 for the IPv4 subnet.

2. Microsoft Learn, "Overview of IPv6 for Azure Virtual Network," Subnetting section. The documentation explicitly states, "The IPv6 subnet size must be /64." This confirms the mandatory prefix length for all IPv6 subnets in an Azure VNet.

3. Microsoft Learn, "Virtual network and subnets," Subnets section. This document explains that a virtual network is segmented into one or more subnets, and each subnet must have a unique address range specified in CIDR format. This provides the foundational context for the subnetting decisions in the question.

The core issue is the IP address space overlap between the on-premises Subnet1 (10.1.1.0/24) and the Azure Subnet4 (10.1.1.0/24). A standard Site-to-Site (S2S) VPN cannot route traffic between networks with identical address ranges.

The intended solution is to use Azure Extended Network, a feature designed specifically to stretch an on-premises subnet into Azure, creating a single Layer 2 network segment. This allows virtual machines in Azure to have IP addresses from the on-premises subnet and communicate as if they were on the local network.

1. On Server1 (On-premises): To enable Azure Extended Network, a gateway virtual machine must be deployed in the on-premises environment. The option Deploy the On-Premises Extended-Network Gateway appliance directly corresponds to this requirement. Server1, as an on-premises Windows Server, would act as the host for this gateway.
2. On VM2 (Azure): When an Azure VM joins an extended network, its default gateway is reconfigured to point to the on-premises gateway. While this enables communication with the on-premises network, it can isolate the VM from other subnets within its own Azure VNet (like Subnet3). To resolve this, VM2 needs advanced routing capabilities. By deploying the Routing and Remote Access service (RRAS), VM2 can be configured to act as a router. This allows for the creation of static routes to properly direct traffic to both the on-premises network and other Azure resources, overcoming the routing limitations.

Azure Extended Network Documentation (Microsoft Learn): This document explains the feature and its architecture. It explicitly states the need for a gateway VM on-premises to stretch the network.

Reference: Microsoft Corporation. (2023). "Stretch an on-premises subnet into Azure using extended network for Azure". Microsoft Learn. Section: "How it works".

Routing and Remote Access Service (RRAS) Documentation (Microsoft Learn): This documentation details how RRAS turns a Windows Server into a software router, capable of managing complex traffic flows with static routes, which is what is needed on VM2 to handle the new routing complexity.

Reference: Microsoft Corporation. (2021). "Routing and Remote Access Service (RRAS)". Microsoft Learn. Section: "Software-defined networking (SDN) router".

A. Yes: This is incorrect. Azure WAF protects web applications and does not fulfill the specific requirement of deploying a network firewall within the Virtual WAN hub to change its status to "Secured."

1. Microsoft Learn | Azure Firewall Manager | What is a secured virtual hub?

Section: "What is a secured virtual hub?"

Content: "A secured virtual hub is an Azure Virtual WAN Hub with associated security and routing policies configured by Azure Firewall Manager. Use secured virtual hubs to easily create hub-and-spoke and transitive architectures with native security services for traffic governance and protection." This document explicitly states that a hub becomes "secured" by integrating security services like Azure Firewall via Firewall Manager.

2. Microsoft Learn | Azure Web Application Firewall | What is Azure Web Application Firewall?

Section: "Overview"

Content: "Azure Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities. WAF can be deployed with Azure Application Gateway, Azure Front Door, and Azure Content Delivery Network (CDN) service from Microsoft." This reference clarifies that WAF's purpose and deployment model are distinct from securing a Virtual WAN hub's infrastructure.

3. Microsoft Learn | Azure Virtual WAN | Create a secured virtual hub using Azure portal

Section: "Prerequisites" and "Create a secured virtual hub"

Content: The tutorial steps demonstrate that creating a secured virtual hub involves selecting the "Include gateway" option and then configuring Azure Firewall within the hub's settings. This confirms that Azure Firewall is the required component, not WAF.

The scenario requires a load-balanced solution for an application (App1) deployed across virtual machines in two different Azure regions (West Europe and East US). A key requirement is that the application must remain available even if an entire Azure region fails.

To meet this requirement for high availability across regions, a global load balancing solution is necessary. The Azure Cross-region Load Balancer is specifically designed for this purpose.

The architecture for a cross-region load balancer consists of:

1. A single cross-region load balancer with a static, global anycast public IP address to act as the primary entry point for traffic.
2. A backend pool for the cross-region load balancer that contains the front-end configurations of regional load balancers.

In this case, one regional load balancer is needed in the West Europe region to manage traffic for VM1 and VM2, and a second regional load balancer is needed in the East US region for VM3 and VM4. This results in a total of one cross-region load balancer and two regional load balancers.

Regarding the SKU, the cross-region load balancer functionality is only available with the Standard SKU. Furthermore, any regional load balancers added to the backend pool of a cross-region load balancer must also be of the Standard SKU. The Basic SKU does not support cross-region deployments and lacks the necessary availability features.

Microsoft Azure Documentation, "What is Cross-region Load Balancer?". Microsoft Learn, Retrieved September 19, 2025.

Section: Why use Cross-region load balancer?: "Cross-region load balancer provides a static global anycast public IP address for your multi-region application...If a region fails, you can direct traffic to the next closest healthy region."

Section: Architecture: "The backend pool of a cross-region load balancer contains one or more regional load balancers."

Section: Cross-region load balancer and regional load balancer: "A cross-region load balancer is a Standard SKU public load balancer...The regional load balancers you add to the backend of the cross-region load balancer must be a Standard SKU load balancer."

Microsoft Azure Documentation, "Azure Load Balancer SKUs". Microsoft Learn, Retrieved September 19, 2025.

Table: SKU comparison: This table explicitly states that the Basic SKU has "No SLA" and is not recommended for production workloads, while the Standard SKU has a 99.99% SLA and supports features like Availability Zones, which are critical for high-availability scenarios. It also notes that cross-region load balancing is a feature of the Standard SKU.

A. The load balancer SKU (Standard is required for Private Link) does not control the dedicated outbound NAT capacity of the Private Link service itself.

C. An Azure Application Gateway is a Layer 7 web traffic load balancer and is not used to scale the outbound NAT of a Layer 4 Private Link service.

D. Frontend IP configurations on the load balancer are for receiving inbound traffic, not for scaling the Private Link service's outbound NAT capabilities.

1. Microsoft Learn | What is Azure Private Link service?: Under the section "Source Network Address Translation (SNAT)", it states, "To scale, add more NAT IP addresses to your Private Link service. Each new NAT IP address adds 64,000 more available SNAT ports."

2. Microsoft Learn | Troubleshoot Azure Private Link service connectivity problems: In the section "Private Link service has SNAT port exhaustion", the recommended solution is: "The Private Link service has up to 8 NAT IPs that can be used for SNAT. Each NAT IP can assign 64k ports. Add more NAT IPs to the Private Link service to avoid SNAT port exhaustion."

A. Subnet2: This subnet is delegated to the Microsoft.Web/serverfarms service and cannot be used for deploying an Application Gateway.

B. Subnet1: This subnet already contains the VMSS1 resource. An Application Gateway requires its own dedicated subnet.

D. AzureFirewallSubnet: This is a reserved subnet name and can only be used for deploying an Azure Firewall.

E. GatewaySubnet: This is a reserved subnet name and can only be used for deploying virtual network gateways (VPN or ExpressRoute).

1. Microsoft Learn | Azure Application Gateway infrastructure configuration | Subnet: "The application gateway needs a dedicated subnet. The subnet can contain only application gateways. No other resources are allowed in the subnet."

2. Microsoft Learn | What is subnet delegation? | Constraints on delegation: "You can't deploy resources from different services into a delegated subnet." This rule disqualifies Subnet2.

3. Microsoft Learn | GatewaySubnet: "When you create a virtual network gateway, you must specify the gateway subnet that you want to deploy it to... Don't deploy any other resources (for example, VMs) to the gateway subnet." This rule disqualifies GatewaySubnet.

4. Microsoft Learn | Azure Firewall FAQ | Why does Azure Firewall need a dedicated subnet?: "Azure Firewall must be deployed in a dedicated subnet. It can't be deployed in a subnet with other resources. The name of this subnet must be AzureFirewallSubnet." This rule disqualifies AzureFirewallSubnet.

This sequence correctly establishes a new, private traffic path from Azure Front Door (FD1) to the App Service (App1) before redirecting live user traffic, which is crucial for minimizing downtime.

1. Configure FD1 to use Private Link: The first step is to configure the origin group in the Azure Front Door Premium instance to connect to the App Service origin using the Azure Private Link service. This action initiates a request to create a private endpoint connection on the App Service.
2. Approve the connection on App1: The private endpoint connection created by Front Door will be in a "Pending" state. You must navigate to the App Service's networking settings and approve this pending connection. This completes the setup of the secure, private path between Front Door and the App Service. At this stage, the new path is operational, but user traffic is still going directly to App1.
3. Change the DNS record: The final step is to perform the traffic cutover. By changing the public DNS CNAME record for app1.contoso.com to point to the FQDN of the Front Door instance (FD1), you redirect all user traffic to flow through Front Door. Since the private backend connection is already established, there is no interruption in service.

This order ensures the new infrastructure is fully functional before it receives live traffic, fulfilling the requirement to minimize downtime.

Microsoft Learn, Azure Front Door Documentation: The official documentation on securing origin with Private Link in Azure Front Door Premium outlines this exact procedure. It specifies that you first enable Private Link on the Front Door origin, which creates a pending private endpoint connection that must then be approved on the origin resource.

Reference: Secure your Origin with Private Link in Azure Front Door Premium. See the sections "Enable Private Link to an App service" and "Approve the private endpoint connection from the web app." This guide confirms the sequence of enabling the service in Front Door first, followed by approving the connection on the App Service.

Microsoft Learn, Tutorial: Connect to a web app using an Azure Private Endpoint: This tutorial provides general information on private endpoints for web apps. It explains that "When you create a private endpoint... a connection approval workflow is required." This supports the necessity of the approval step after the connection is initiated.

Reference: Connect to a web app using an Azure Private Endpoint. Refer to the "Create a private endpoint" section, which details the approval process.

A. AZFWThreatlnte1: This table stores threat intelligence logs specifically for the Azure Firewall service, not for WAF on Azure Front Door.

C. SecurityDetection: This table is used by Microsoft Defender for Cloud to store security alerts and detections, not the raw request logs needed for rate analysis.

D. AGWFirewallLogs: This is a resource-specific table for logs from WAF on Azure Application Gateway (AGW), not Azure Front Door.

1. Microsoft Learn, Azure Web Application Firewall documentation. "Azure Web Application Firewall monitoring and logging". This document explicitly states, "Log Analytics logs are stored in the AzureDiagnostics table." It also provides a sample query for WAF logs that queries the AzureDiagnostics table.

Reference: Section "Logs and metrics", Paragraph 2.

2. Microsoft Learn, Azure Front Door documentation. "Data reference for monitoring Azure Front Door". This page details the schema for Azure Front Door logs sent to Log Analytics. For the FrontdoorWebApplicationFirewallLog category, it lists the columns available in the AzureDiagnostics table, including clientIps, which is essential for the task described.

Reference: Section "AzureDiagnostics table", Subsection "FrontdoorWebApplicationFirewallLog".

3. Microsoft Learn, Azure Firewall documentation. "Azure Firewall logs and metrics". This document describes the tables used for Azure Firewall logging, confirming that AZFWThreatIntel is for threat intelligence logs from Azure Firewall.

Reference: Section "Log Analytics tables", Row "AZFWThreatIntel".

4. Microsoft Learn, Azure Application Gateway documentation. "Resource logs for Azure Application Gateway". This source details the logging options for Application Gateway, specifying that AGWFirewallLogs is the resource-specific table for its WAF logs.

Reference: Section "Resource-specific tables", Table "Resource-specific".

A. 1 – A single plan cannot be linked to virtual networks in two different Azure AD tenants.

C. 3 – No technical or billing requirement forces a third plan; tenants, not regions or subscriptions, dictate the minimum.

D. 6 – One plan per virtual network is unnecessary; multiple VNets in the same tenant can share a single plan.

1. Microsoft Azure documentation, “DDoS protection plans – associate or dissociate a virtual network,” learn.microsoft.com/en-us/azure/ddos-protection/manage-ddos-protection?tabs=azure-portal#associate-a-virtual-network (see “All virtual networks must belong to subscriptions that are associated with the same Azure Active Directory tenant”).

2. Microsoft Azure documentation, “Azure DDoS Protection Standard overview,” learn.microsoft.com/en-us/azure/ddos-protection/ddos-protection-overview#pricing (section “Billing and limits” – fixed monthly charge per plan; plan can protect multiple VNets).

3. Microsoft Azure documentation, “Best practices for Azure DDoS Protection,” learn.microsoft.com/en-us/azure/ddos-protection/ddos-best-practices (paragraph “Reuse existing plans across virtual networks in the same tenant”).

To enable communication from VNet1 to VNet3, traffic must be routed through the Network Virtual Appliance (NVA) located in VNet2.

1. Traffic originating from VNet1 arrives at the virtual hub (Hub1) via its connection, Conn1.
2. The hub must have a route to direct traffic destined for VNet3's address space (10.2.3.0/24) to the NVA's IP address (10.2.0.5).
3. This is achieved by adding a static route to the hub's routing table. The Default route table is used by all connected VNets by default. Therefore, the static route (10.2.3.0/24 -> 10.2.0.5) must be added to it.
4. The "Route table for Conn1" represents the routing context for that specific connection. It must also contain this route to ensure traffic from VNet1 is forwarded correctly. Since the other options are invalid or would bypass the NVA, the same static route is the only correct choice.

Microsoft Docs, Azure Virtual WAN: "How to configure virtual hub routing". This document explains how to add static routes to a virtual hub's route table. In the section "To add/update a static route," it specifies that the "Next hop IP address" should be the IP address of the NVA.

Microsoft Docs, Azure Virtual WAN Scenarios: "Route traffic through an NVA". This official documentation describes the exact scenario presented. It confirms that to route traffic from a spoke VNet to another network via an NVA, a static route must be configured on the virtual hub's route table. The route's destination prefix is the target network (10.2.3.0/24), and the next hop is the IP address of the NVA (10.2.0.5) in the connected VNet.