60+ Azure AZ-700 Practice Questions | Free Azure Exam Dumps

The Microsoft Certified: Azure Network Engineer Associate (AZ-700) certification is essential for professionals tasked with designing, implementing, and maintaining Azure networking solutions. Success on this exam hinges on mastering complex concepts like routing, connectivity, security, and hybrid networking. To ensure you are truly ready for the deep technical scenarios, engaging with a robust, free Azure AZ-700 practice test is the single most effective preparation strategy.

Note: The full interactive practice test is available immediately at the bottom of this post.

The Critical Need for Verified AZ-700 Practice

The network is the foundation of every cloud solution. The AZ-700 exam tests practical, implementation-level knowledge. Reliance on unverified azure az-700 exam dumps can lead to critical knowledge gaps. Our free Microsoft Azure practice tests provide verified questions that mirror the real exam format, giving you the authoritative explanations needed to understand the mechanics of Azure networking components.

Below, we dissect high-priority topics you must master to pass the Network Engineer exam.

VNet Fundamentals: Planning and Addressing

Core networking principles, especially IP addressing, are heavily tested on the AZ-700. Precision in planning your Virtual Networks (VNets) is paramount.

Adhering to Private Addressing Standards

When planning the IP address space for any Azure VNet, it is mandatory to select ranges that are non-internet routable to avoid conflicts with public routing. The standard specification that defines these private addresses is RFC 1918. Using ranges like 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16 ensures your private cloud network remains isolated and secure.

Understanding Reserved IP Addresses

When you create a subnet, Azure automatically reserves a specific number of IP addresses for its own operational use. Specifically, five IP addresses are reserved within any Azure subnet. These are the network address, the default gateway address, two addresses for Azure DNS mapping, and the broadcast address. This reservation is a fundamental planning constraint that every network engineer must account for during subnet size calculations.

https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-manage-subnet?tabs=azure-portal

Designing Secure and Highly Available Connectivity

Connectivity across regions, subscriptions, and hybrid environments forms the backbone of the Network Engineer role.

The Power of VNet Peering

VNet peering is the primary mechanism for connecting VNets within or across Azure regions. Its primary function is to enable low-latency, high-bandwidth communication between resources in different VNets using the dedicated Microsoft backbone network, bypassing the public internet entirely.

Centralized Hub-and-Spoke Routing

A common architectural pattern is the Hub-and-Spoke model. If you have a centralized Hub VNet containing a VPN gateway and multiple Spoke VNets needing to access your on-premises network, you must configure Gateway Transit on the peering connections. Gateway Transit allows the Spoke VNets to use the Hub VNet’s gateway for reaching remote networks, centralizing the gateway and simplifying management while saving costs.

Hybrid Connectivity via ExpressRoute

For establishing a private, high-bandwidth connection between your on-premises infrastructure and Azure, ExpressRoute is the superior service. ExpressRoute connections typically leverage Multiprotocol Label Switching (MPLS) connectivity provided by a network service provider, guaranteeing reliability and performance that standard VPNs cannot match.

https://learn.microsoft.com/en-us/azure/virtual-network

https://learn.microsoft.com/en-us/azure/expressroute/expressroute-introduction

Implementing Network Security and Traffic Control

A network engineer’s duty extends deep into the security layer, controlling traffic flow with precision.

Controlling Traffic with NSGs

Network Security Groups (NSGs) are the foundational element for controlling traffic at the network interface or subnet level. The rules in an NSG are processed by priority (lower numbers are processed first) and are stateless. This means you must explicitly create rules for both inbound and outbound traffic, ensuring complete control over both directions of communication.

Advanced Threat Protection with Azure Firewall

For centralized network security across multiple VNets and hybrid connections, Azure Firewall is the recommended service. Unlike NSGs, Azure Firewall is a managed, stateful firewall service that supports features such as FQDN (Fully Qualified Domain Name) filtering and Threat Intelligence-based filtering, providing a higher layer of defense for your entire environment.

Load Balancing Mechanisms

The AZ-700 requires a distinction between load balancing services. Azure Load Balancer operates at Layer 4 (TCP/UDP) and is focused on distributing traffic based on IP address and port number. In contrast, Application Gateway operates at Layer 7 (HTTP/HTTPS) and is mandatory when requirements include features like URL-path based routing, SSL/TLS termination, or Web Application Firewall (WAF) integration.

https://learn.microsoft.com/en-us/azure/security/fundamentals/network-overview

Conclusion

The Azure AZ-700 exam requires you to demonstrate mastery over the entire Azure networking stack—from foundational addressing to complex hybrid routing and security. By integrating our high-quality, verified practice tests into your study plan, you gain the confidence and practical knowledge required to succeed. Do not settle for guesswork or outdated azure az-700 exam dumps. Please do not forget to checkout other free Microsoft Azure Practice Tests on CertyBuddy.com: https://certybuddy.com/practice-tests/?vendor=azure

Take the next step today. Start mastering the core concepts and validate your expertise by tackling the full interactive quiz.

/69

AZ-700 Medium Difficulty Practice Test – Azure Networking Solutions (2025)

The name of the next hop type directly corresponds to the type of resource you are routing traffic to.

1 / 69

1. When creating a user-defined route (UDR) to force traffic through a Network Virtual Appliance (NVA), what should the ‘Next hop type’ be set to?

Virtual appliance

Internet

None

Virtual network gateway

Think about which VNet has the gateway and which VNet needs to use it.

2 / 69

2. A company has a hub-and-spoke network topology. Spoke VNets need to access an on-premises network via a VPN gateway located in the Hub VNet. What configuration is required on the peering connections?

Enable 'Use remote gateways' on both the Hub and Spoke VNet peering connections.

A VPN gateway must be deployed in each Spoke VNet to communicate with the on-premises network.

Enable 'Allow gateway transit' on both the Hub and Spoke VNet peering connections.

Enable 'Allow gateway transit' on the Hub VNet's peering and 'Use remote gateways' on the Spoke VNet's peering.

The Azure CLI uses a consistent verb for removal operations, and you often need a flag to skip confirmation prompts.

3 / 69

3. An Azure Administrator needs to delete a resource group named ‘CharisTechRG-C3’ and all the resources within it using the Azure CLI. What is the correct command?

az delete group –name CharisTechRG-C3

az group delete –name CharisTechRG-C3 –yes

az group remove –name CharisTechRG-C3

az resource delete –group CharisTechRG-C3

Think of the service that acts as a reverse proxy for web applications and provides features like SSL offloading and WAF, but is confined to one region.

4 / 69

4. Which Azure load balancing solution operates at Layer 7 and is designed for distributing traffic to web applications within a single Azure region?

Azure Application Gateway

Azure Traffic Manager

Azure Load Balancer

Azure Front Door

This SKU is the free, legacy option with significant functional limitations.

5 / 69

5. Which Azure Load Balancer SKU lacks a Service Level Agreement (SLA) and is intended only for simple, non-critical scenarios?

Global Tier SKU

Gateway SKU

Standard SKU

Basic SKU

Think about how you would deploy a third-party firewall or router into your Azure environment.

6 / 69

6. What is a Network Virtual Appliance (NVA) in the context of Azure networking?

A physical hardware device installed in an Azure datacenter for a customer's private use.

A virtual machine from the Azure Marketplace that provides networking functions like firewalling, WAN optimization, or routing.

A built-in Azure service for load balancing web traffic.

A Microsoft-managed service for DNS resolution.

Think about the main operational benefit of V2 that removes a major capacity planning burden from the administrator.

7 / 69

7. What is a key advantage of the Standard V2 and WAF V2 tiers of Azure Application Gateway over the V1 tiers?

They support URL-based routing.

They can be deployed into a VNet.

They support SSL offload.

They support autoscaling.

This rule set is named after the well-known open-source project that maintains it.

8 / 69

8. Which managed rule set for Azure WAF is based on the OWASP ModSecurity Core Rule Set (CRS) and can only be applied to an Azure Application Gateway?

Microsoft_BotManagerRuleSet

Microsoft_DefaultRuleSet

A custom rule set authored by the customer.

The OWASP Core Rule Set (CRS)

Consider what you must specify when you first create a Virtual Network in Azure.

9 / 69

9. An Azure VNet is considered what type of service in terms of its geographical scope?

A zonal service, as it is deployed to a single Availability Zone.

A regional service, as it is created within a specific Azure region.

A global service, as it can span multiple regions by default.

A non-regional service, as it is not pinned to any specific location.

Consider how you can make a public service endpoint aware of your private virtual network.

10 / 69

10. If your architecture requires inbound traffic from the internet for a storage account, but you want to restrict it to only VNets within your Azure environment, what feature would you use?

A SAS token with IP restrictions.

Azure VNet Integration with public endpoints.

A private endpoint exclusively.

A public endpoint with no firewall rules.

This feature is particularly useful when you need to filter outbound traffic based on fully qualified domain names (FQDNs) in network rules.

11 / 69

11. What is the primary function of the DNS Proxy feature in Azure Firewall?

To act as an intermediary for DNS requests, allowing the firewall to reliably translate FQDNs in network rules to IP addresses.

To provide a private DNS resolution service equivalent to Azure Private DNS Zone.

To block all DNS requests to external servers, forcing clients to use on-premises DNS.

To cache DNS responses, speeding up name resolution for all resources in the VNet.

Azure service limits are specific numbers defined in the documentation. This one is a round number in the low hundreds.

12 / 69

12. What is the maximum number of custom route tables that can be created per region per subscription as of early July 2022?

200

500

100

This tier provides resiliency against an entire region-wide outage for a public-facing application.

13 / 69

13. What is a key feature of the Azure Load Balancer’s ‘Global’ tier?

It distributes traffic across multiple Azure regions using a single, static frontend IP address.

It is designed for internal, private traffic between VNets in different regions.

It can load balance traffic between VMs in different Availability Zones within the same region.

It uses DNS to direct clients to the geographically closest endpoint.

Think about the three main parts of the traffic flow: what listens for traffic, what defines the backend connection, and where the traffic is sent.

14 / 69

14. Which component is NOT a part of a routing rule in an Azure Application Gateway?

Backend Pool

HTTP/HTTPS Listener

Backend Setting

Health Probe

This legacy SKU is not recommended for most new deployments due to its restricted feature set, especially for remote user access.

15 / 69

15. What is a limitation of the Basic SKU for Azure VPN Gateway?

It requires a dedicated subnet named 'VpnGatewaySubnet'.

It cannot be deployed in an active-passive configuration.

It does not support Site-to-Site (S2S) connections.

It has feature limitations, such as a lack of support for Point-to-Site (P2S) connections.

This is a specific, documented ‘blind spot’ for NSG flow logging related to a particular Azure service SKU.

16 / 69

16. What is a limitation of using NSG flow logging with an Application Gateway v2 SKU subnet?

Logs can only be sent to Azure Storage and not to a Log Analytics Workspace.

NSG flow logging is not supported and does not work properly for NSGs associated with an Application Gateway v2 subnet.

It requires a Premium SKU of Network Watcher to function.

It only logs allowed traffic but not denied traffic.

One parameter defines how often ‘hello’ messages are sent, and the other defines how long to wait for one before declaring a failure.

17 / 69

17. Which two BGP parameters are key for detecting link failures and initiating failover in an ExpressRoute connection?

Bandwidth and SKU

ASN and Peer IP

Keep-alive time and Holdtime

Route weight and Local preference

Configuring a service endpoint involves a change on both the network side and the resource side.

18 / 69

18. When enabling a service endpoint on a subnet for ‘Microsoft.Storage’, what is the second mandatory step to complete the configuration and grant access?

No second step is required; enabling the endpoint on the subnet automatically grants access.

Peer the VNet with another VNet that already has access.

Create a private endpoint for the storage account.

Configure the storage account's firewall to grant access to the specific VNet and subnet.

This type of redirect is important for SEO, as it tells search engines to update their index.

19 / 69

19. When configuring a redirection backend target in an Application Gateway, which redirection type sends an HTTP 301 response code, indicating a permanent move?

Temporary

See other

Permanent

Found

This service is often used for scenarios requiring guaranteed bandwidth and lower latency than an internet-based connection can provide.

20 / 69

20. Which Azure service provides a dedicated, private connection between your on-premises network and the Microsoft cloud, bypassing the public internet?

Azure Virtual WAN

Azure ExpressRoute

Azure VPN Gateway

Azure VNet Peering

This feature provides a historical record of network traffic that has been processed by your security rules.

21 / 69

21. What is a primary use case for NSG flow logs in Azure?

To visualize the network topology of a virtual network.

To provide real-time alerts for network intrusions.

To record all IP traffic flowing in and out of a Network Security Group for auditing, security analysis, and traffic monitoring.

To automatically remediate misconfigured NSG rules.

This SKU lacks an SLA and support for many modern connectivity scenarios.

22 / 69

22. Which Azure VPN Gateway SKU is considered a legacy option and is not recommended for new deployments due to its many feature limitations?

Basic

Standard

HighPerformance

VpnGw1AZ

Azure requires specific, reserved names for subnets hosting certain managed services. What is the name for the firewall’s subnet?

23 / 69

23. When deploying an Azure Firewall, it must be placed in a dedicated subnet. What must this subnet be named?

AzureFirewallSubnet

FirewallSubnet

AzureBastionSubnet

GatewaySubnet

Look for the service designed for large-scale, global transit networking with a managed hub.

24 / 69

24. Which Azure networking service simplifies complex network topologies by creating a Microsoft-managed hub-and-spoke architecture with built-in any-to-any connectivity?

Azure Load Balancer

Azure Virtual WAN (vWAN)

Azure Route Server

Azure VNet Peering

This feature creates a bridge between a code repository and the Azure deployment engine.

25 / 69

25. When deploying a resource using an Azure Resource Manager (ARM) template from a GitHub repository, what is the purpose of the ‘Deploy to Azure’ button?

It opens the GitHub repository in a web-based editor for modification.

It opens the Azure portal and loads the ARM template into a 'Custom Deployment' window, ready for parameter entry and deployment.

It validates the ARM template for syntax errors without deploying it.

It downloads the ARM template files to your local machine for deployment via PowerShell.

This timer is related to detecting a failure, not maintaining the connection during normal operation.

26 / 69

26. What is the function of the BGP ‘holdtime’ on Microsoft edge routers in an ExpressRoute connection?

The time it takes for traffic to failover to a secondary link after a failure is detected.

The maximum time a BGP session can remain active before it must be re-established.

The amount of time a router waits for a keep-alive message before considering the connection down.

The frequency at which keep-alive messages are sent to confirm the connection is active.

Consider the default route with the address prefix 0.0.0.0/0 that exists on every subnet.

27 / 69

27. Which statement accurately describes the default routing behavior for outbound traffic from a VM in an Azure subnet that does not have a UDR?

Traffic destined for the internet is sent directly to the internet via the Azure backbone.

All outbound traffic must be routed through an Azure Firewall.

All outbound traffic is blocked by default and must be explicitly allowed.

Outbound traffic is routed to a virtual network gateway if one exists.

This feature extends a subnet’s identity to a specific Azure service.

28 / 69

28. Which Azure networking feature provides optimized private connectivity to Azure PaaS services like Azure Storage directly from a VNet, without exposing the service to the public internet?

Service Endpoint

Azure Bastion

VNet Peering

Network Security Group (NSG)

This method doesn’t rely on a single rule match but rather on the total ‘riskiness’ of a request.

29 / 69

29. What happens when an Azure WAF policy uses anomaly scoring and a request matches multiple rules?

Only the rule with the highest priority that is matched determines the action.

The request is immediately blocked as soon as the first rule is matched.

The request is logged, but no blocking action is ever taken, as anomaly scoring is for monitoring only.

The WAF engine generates an anomaly score for each matched rule, and the cumulative score determines the final action (allow, block, log).

Consider the three primary functions of a firewall: filtering application traffic, filtering network traffic, and translating inbound traffic.

30 / 69

30. When creating an Azure Firewall Policy, which of the following is NOT a configurable rule type?

Routing rules

DNAT rules

Application rules

Network rules

This service helps integrate NVAs into your VNet’s routing fabric using a standard routing protocol.

31 / 69

31. What is the primary function of Azure Route Server?

It provides a secure RDP/SSH connection to virtual machines without a public IP.

It creates encrypted tunnels between on-premises networks and Azure.

It acts as a Layer 7 load balancer for web applications.

It simplifies dynamic routing between a Network Virtual Appliance (NVA) and a virtual network by establishing BGP peering.

Look for the service whose name directly reflects its purpose of defending against distributed denial-of-service attacks.

32 / 69

32. Which Azure service is designed to protect Azure resources from volumetric and protocol-based Layer 3 and Layer 4 DDoS attacks?

Azure Web Application Firewall (WAF)

Azure DDoS Protection

Network Security Groups (NSGs)

Azure Firewall

This type of attack targets the application layer (Layer 7), so you need a service that operates at that layer.

33 / 69

33. To protect a web application from a ‘Slowloris’ attack, which exploits weaknesses in the HTTP protocol, which Azure security service would be most effective?

A Network Security Group (NSG) with strict inbound rules.

Azure DDoS Protection Standard

Azure Firewall Premium with IDPS enabled.

Azure Web Application Firewall (WAF) on Application Gateway or Front Door.

This tool simulates a packet flow to check security rules without actually sending traffic.

34 / 69

34. Which Azure Network Watcher tool would you use to determine if a specific network traffic flow (based on source/destination IP, port, and protocol) is allowed or denied by a Network Security Group?

Packet Capture

Topology View

Connection Monitor

IP Flow Verify

Think about the scale of the connection: is it for a single user or a whole office?

35 / 69

35. What is the primary use case for a Point-to-Site (P2S) VPN connection in Azure?

Connecting an on-premises corporate network to an Azure VNet.

Connecting an entire branch office to an Azure Virtual WAN hub.

Connecting an individual client device, like a developer's laptop, to an Azure VNet.

Connecting two or more Azure VNets across different regions.

Consider how you would connect two separate virtual networks within Azure so they can communicate as if they were one.

36 / 69

36. What is the primary function of VNet peering in Azure?

To connect Azure VNets together, allowing resources to communicate privately over the Microsoft backbone network.

To connect an on-premises network securely to an Azure VNet over the public internet.

To enable transitive routing, allowing VNets connected to a central hub to communicate with each other automatically.

To create a dedicated, private physical connection between an on-premises datacenter and Azure.

Consider which port is used for secure web browsing and is rarely blocked.

37 / 69

37. When configuring a Point-to-Site (P2S) VPN, which tunnel type is often considered ‘firewall-friendly’ because it operates over TCP port 443?

OpenVPN (SSL-based)

IPsec

L2TP

IKEv2 VPN

Think about the most restrictive enforcement action a policy can take.

38 / 69

38. What is the result of applying a ‘Deny’ effect in an Azure Policy definition?

It prevents the creation or update of any resource that does not comply with the policy rule.

It modifies the properties of the resource during creation to make it compliant.

It automatically deploys a template to remediate the non-compliant resource.

It reports the non-compliant resource but allows its creation or update.

The Azure VPN gateway needs a stable network path to communicate with the authentication server.

39 / 69

39. When is it necessary to have an existing Site-to-Site VPN connection for RADIUS authentication to work with a P2S VPN?

When the RADIUS server is hosted on-premises.

Only when the RADIUS server is hosted in a different Azure region.

It is never required.

Only when using third-party MFA with RADIUS.

Consider the granularity of access: does the feature connect your VNet to an entire service, or to a single, specific instance of a service?

40 / 69

40. What is a key difference between a Service Endpoint and a Private Endpoint for accessing Azure PaaS services?

A Service Endpoint provides access to the entire PaaS service, secured by VNet rules, while a Private Endpoint maps a specific PaaS resource to a private IP within your VNet.

Private Endpoints can only be used for Azure SQL, while Service Endpoints work for all PaaS services.

Service Endpoints allow on-premises connectivity via VPN/ExpressRoute, but Private Endpoints do not.

Service Endpoints use public IPs from the VNet, while Private Endpoints use private IPs.

Consider the widespread adoption of this modern VPN protocol across major operating systems.

41 / 69

41. Which of the following client operating systems does NOT have a native, pre-installed client that supports the IKEv2 VPN tunnel type for P2S connections?

Windows 10

All of these have native IKEv2 clients

Linux (most distributions)

macOS

This type of DNS record is often used to store arbitrary text-based information for verification purposes.

42 / 69

42. To secure DNS queries and prevent spoofing for a custom domain on Azure Front Door, what type of DNS record must be manually or automatically created for domain validation?

An MX record for mail exchange validation.

An A record pointing to the Front Door's IP address.

A TXT record with a specific value provided by Azure.

A CNAME record pointing to the Front Door endpoint.

This is the managed PaaS offering for hosting private DNS records for your VNets.

43 / 69

43. Which Azure DNS option is used to provide name resolution for private virtual networks, allowing you to use your own custom domain names rather than the Azure-provided names?

Customer-managed DNS server

Azure Firewall DNS Proxy

Azure Private DNS Zone

Azure-provided DNS

Consider the SKU designed for regional, not global, connectivity.

44 / 69

44. If an organization only deploys resources into Azure regions within the same geographic area (e.g., only in North America), which ExpressRoute circuit SKU is likely the most cost-effective choice?

ExpressRoute Standard

ExpressRoute Direct

ExpressRoute Premium

ExpressRoute Local

Azure uses a specific, static public IP for platform-to-VM communication, which you must allow in your firewall rules.

45 / 69

45. What is the IP address used by Azure Standard Load Balancer health probes to check the availability of backend resources?

168.63.129.16

10.0.0.1

0.0.0.0

169.254.169.254

Focus on how data leaving Azure (egress) is charged in each model.

46 / 69

46. What is a key difference between the ‘Metered Data’ and ‘Unlimited Data’ billing models for an ExpressRoute circuit?

Metered Data supports lower bandwidth circuits, while Unlimited Data is required for circuits above 1 Gbps.

Metered Data has a fixed monthly fee plus a per-gigabyte charge for outbound data, while Unlimited Data includes all outbound data in its fixed monthly fee.

Metered Data has no monthly fee, while Unlimited Data does.

Metered Data charges for inbound data transfer, while Unlimited Data includes it for free.

This feature is often called ‘sticky sessions’ and is important for stateful applications.

47 / 69

47. In an Azure Standard Load Balancer, what feature ensures that subsequent requests from the same user are sent to the same backend resource?

Floating IP

Session Persistence

Health Probes

Outbound Rules

This type of rule is for port forwarding to a single destination, not for distributing traffic across a pool.

48 / 69

48. Which type of rule in an Azure Standard Load Balancer is used to allow external clients to access a specific internal resource, such as a single VM for remote management?

Load-balancing rules

Outbound rules

Health probe rules

Inbound Network Address Translation (NAT) rules

This option explicitly tells the routing fabric to send the matching traffic nowhere.

49 / 69

49. In a custom route table, you want to drop all traffic destined for a specific address prefix. What ‘Next hop type’ should you configure for this route?

None

VirtualAppliance

Internet

Virtual network

Microsoft reserves a small, specific range of ASNs for its internal use.

50 / 69

50. When establishing a BGP peering between Azure Route Server and an NVA, the ASN configured on the NVA must not be in which reserved range?

65515-65520

1-1024

64512-65534

0-15

This setting is used for load balancing traffic when multiple backends are considered equally important in terms of priority.

51 / 69

51. What is the purpose of the ‘Weight’ setting in an Azure Front Door origin group?

To distribute traffic among origins that have the same priority level.

To specify the health probe frequency; higher weight means more frequent checks.

To set the maximum number of concurrent connections an origin can receive.

To determine the failover order; origins with a lower weight are used first.

The Azure CLI command structure follows a pattern of `az

52 / 69

52. What is the correct syntax for a command to create a standard public IP resource using the Azure CLI?

az create public-ip –name MyPublicIP –group MyRG –sku Standard

az network public-ip create –name MyPublicIP –resource-group MyRG –version IPv4 –sku Standard

az network create public-ip –name MyPublicIP –resource-group MyRG –sku Basic

az network public-ip new –name MyPublicIP –resource-group MyRG –version IPv4 –sku Standard

This method is ideal when you want to have a primary service endpoint and one or more backup endpoints.

53 / 69

53. For which scenario would you choose the ‘Priority’ traffic-routing method in Azure Traffic Manager?

To direct users to the endpoint with the lowest network latency from their location.

To implement a primary/failover service model where all traffic goes to one endpoint unless it becomes unavailable.

To map users from specific geographic regions to designated endpoints.

To distribute traffic evenly across all available endpoints.

This setting is crucial when your backend application is configured to respond to a different domain name than the one exposed to the public.

54 / 69

54. Which component of Azure Front Door is responsible for specifying the host header value sent to the backend for each request?

Origin host header setting

Routing Rule

Frontend domain

Origin group

The address 0.0.0.0/0 is a common way to represent the ‘default’ path for all traffic.

55 / 69

55. In an Azure route table, what does a next hop type of ‘Internet’ signify for a route with the address prefix 0.0.0.0/0?

All traffic is routed to an on-premises network via a VPN gateway.

All traffic is blocked and dropped by default.

All traffic is routed to a specific Network Virtual Appliance (NVA) for inspection.

Traffic destined for addresses not specified in other routes is sent directly to the internet.

This is the more modern and comprehensive version of the network visualization tool.

56 / 69

56. In Azure Monitor, what tool provides a topology visualization that supports resources across multiple subscriptions, resource groups, and locations?

IP Flow Verify.

The legacy topology tool in Network Watcher.

Azure Monitor Network Insights.

Connection Monitor.

Think about the standards that define which IP addresses are reserved for private, internal network use.

57 / 69

57. When planning an Azure Virtual Network, which address space is highly recommended for use to avoid conflicts with public internet routing?

IP address ranges defined in RFC 1918.

IP address ranges provided by Azure during VNet creation.

The fc00::/7 address range for IPv4.

Any publicly routable IP address range not currently in use.

This architectural pattern resembles a wheel, with a central point of connectivity and multiple connected networks.

58 / 69

58. What is the recommended approach for designing a scalable and manageable network topology in Azure for a growing company?

A full mesh topology where every VNet is directly peered with every other VNet.

An isolated VNet for each application with no cross-VNet connectivity.

A flat network where all resources are in a single VNet.

A hub-and-spoke topology, with a central hub VNet for shared services and connectivity.

This SKU is required when your network needs to reach Azure resources on different continents.

59 / 69

59. When is it necessary to choose the ‘Premium’ SKU for an ExpressRoute circuit?

When you want to use the 'Unlimited Data' billing model.

When you require a bandwidth of 1 Gbps or higher.

When you need to connect to Azure regions within the same geopolitical area.

When you need global connectivity to Azure regions across different geopolitical areas.

This is a standard security prompt for the SSH protocol when connecting to a new server for the first time.

60 / 69

60. If you are connecting to a VM named WebVM using SSH from the Azure Cloud Shell, and you are prompted about the authenticity of the host, what should you type to proceed?

confirm

yes

Think about the public entry point for traffic into the Front Door service.

61 / 69

61. At which level can a WAF policy be associated with an Azure Front Door profile?

At the origin group level, protecting all origins in the group.

At the individual route path level, similar to Application Gateway.

At the profile level, applying to all domains within the profile.

At the Domain level, applying to a single domain or multiple domains in the profile.

This feature allows you to create broad rules to control internet access without listing every single website.

62 / 69

62. In the context of Azure Firewall rules, what is Web categorization filtering used for?

To filter traffic based on network-level FQDNs using DNS proxy.

To inspect encrypted TLS traffic for malicious content.

To allow or deny inbound web traffic based on the source IP address's geographic location.

To allow or block outgoing HTTP/HTTPS traffic based on website categories like 'social media' or 'gambling'.

This service works at the name resolution level, before any direct connection is made to a server.

63 / 69

63. How does Azure Traffic Manager primarily perform load balancing?

By routing traffic at the IP packet level based on network rules.

By using DNS to direct clients to the most appropriate service endpoint based on a selected traffic-routing method.

By creating a private connection between the client and the backend service.

By acting as a reverse proxy and inspecting HTTP traffic.

This virtual component lives inside your Azure VNet and terminates the ExpressRoute connection.

64 / 69

64. What is the function of an ExpressRoute gateway?

It is a managed firewall service for inspecting traffic coming through an ExpressRoute circuit.

It is a physical device installed at the on-premises location to connect to the provider network.

It is a service that connects an ExpressRoute circuit with an Azure VNet.

It is a billing construct used to measure data transfer over an ExpressRoute circuit.

This component is the ‘front door’ of the Application Gateway, waiting for client connections.

65 / 69

65. In an Azure Application Gateway, what is the role of an HTTP/HTTPS listener?

To receive incoming requests on a specified frontend IP, port, and protocol, and direct them to a routing rule.

To define the communication settings between the application gateway and the backend pool.

To check the health of backend pool endpoints.

To encrypt traffic between the Application Gateway and the backend servers.

This is a standard protocol for centralized authentication, authorization, and accounting management for users who connect and use a network service.

66 / 69

66. Which Azure VPN Gateway authentication method allows for integration with an Active Directory domain and third-party MFA by using an on-premises or Azure-hosted server?

RADIUS Authentication

Azure Active Directory Authentication

Azure Certificate Authentication

Pre-shared Key (IKEv2)

This number is like a unique ID for a network in the world of dynamic routing protocols.

67 / 69

67. When configuring BGP for an Azure VPN Gateway, what is the purpose of the Autonomous System Number (ASN)?

It is a unique public IP address assigned to the gateway.

It is a unique number that identifies the gateway in the BGP routing world, allowing it to exchange routes with other BGP peers.

It determines the bandwidth and performance SKU of the VPN gateway.

It is a pre-shared key used to encrypt the VPN tunnel.

Think about the addresses required for network protocol, gateway, DNS, and broadcast functions.

68 / 69

68. Within any Azure subnet, how many IP addresses are reserved by the platform for its own use?

None, all addresses in the subnet range are usable.

Only the first and last IP addresses.

Only the first IP address for the default gateway.

The first four and the last IP address.

This resource controls the next hop for packets leaving a subnet.

69 / 69

69. What is the purpose of an Azure Route Table?

To filter inbound and outbound traffic for a subnet.

To define how network traffic is directed from subnets to specific destinations.

To provide DNS name resolution for resources within a VNet.

To load balance traffic across multiple virtual machines.

Your score is