Exam AZ-700 topic 2 question 57 discussion

Actual exam question from Microsoft's AZ-700
Question #: 57
Topic #: 2

HOTSPOT
-


Case Study
-

This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.

To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other questions in this case study.

At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.


To start the case study
-
To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. When you are ready to answer a question, click the Question button to return to the question.


Overview
-

Contoso, Ltd. is a consulting company that has a main office in San Francisco and a branch office in Dallas.

Contoso recently purchased an Azure subscription and is performing its first pilot project in Azure.


Existing Environment
-


Azure Network Infrastructure
-

Contoso has an Azure Active Directory (Azure AD) tenant named contoso.com.

The Azure subscription contains the virtual networks shown in the following table.



Vnet1 contains a virtual network gateway named GW1.


Azure Virtual Machines
-

The Azure subscription contains virtual machines that run Windows Server 2019 as shown in the following table.



The NSGs are associated to the network interfaces on the virtual machines. Each NSG has one custom security rule that allows RDP connections from the internet. The firewall on each virtual machine allows ICMP traffic.

An application security group named ASG1 is associated to the network interface of VM1.

Azure Network Infrastructure Diagram




Azure Private DNS Zones
-

The Azure subscription contains the Azure private DNS zones shown in the following table.



Zone1.contoso.com has the virtual network links shown in the following table.




Other Azure Resources
-

The Azure subscription contains additional resources as shown in the following table.




Requirements
-


Virtual Network Requirements
-

Contoso has the following virtual network requirements:

• Create a virtual network named Vnet6 in West US that will contain the following resources and configurations:
  o Two container groups that connect to Vnet6
  o Three virtual machines that connect to Vnet6
  o Allow VPN connections to be established to Vnet6
  o Allow the resources in Vnet6 to access KeyVault1, DB1, and Vnet1 over the Microsoft backbone network.
• The virtual machines in Vnet4 and Vnet5 must be able to communicate over the Microsoft backbone network.
• A virtual machine named VM-Analyze will be deployed to Subnet1. VM-Analyze must inspect the outbound network traffic from Subnet2 to the internet.


Network Security Requirements
-

Contoso has the following network security requirements:

• Configure Azure Active Directory (Azure AD) authentication for Point-to-Site (P2S) VPN users.
• Enable NSG flow logs for NSG3 and NSG4.
• Create an NSG named NSG10 that will be associated to Vnet1/Subnet1 and will have the custom inbound security rules shown in the following table.

• Create an NSG named NSG11 that will be associated to Vnet1/Subnet2 and will have the custom outbound security rules shown in the following table.


You are implementing the virtual network requirements for Vnet6.

What is the minimum number of subnets and service endpoints you should create? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Suggested Answer:

Comments

ironbornson
Highly Voted 1 year, 9 months ago
My take is that the answer is correct because:
A- 3 subnets for: subnet1 for the 3+1 VM, subnet2 as per requirements, GatewaySubnet for VPN
B- Two service endpoints for keyvault and DB1, VNET1 connection can use peering
upvoted 17 times
c2e9cb4
1 year, 4 months ago
I think it should be 2 subnets, not 3, since subnet2 is on vnet1
upvoted 3 times
rga91
Highly Voted 1 year, 8 months ago
I think the answer should be:
A- 4 subnets. 1 Gateway Subnet, a dedicated subnet for DB1, a dedicated subnet for container instances, a default subnet for the VMs. Please check the following link to see what services need a dedicated subnet: https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-for-azure-services#services-that-can-be-deployed-into-a-virtual-network
B- Two service endpoints, one for keyvault and another for DB1
upvoted 10 times
xRiot007
1 month ago
You do not need a dedicated subnet for DB1, because DB1 is not part of the VNet.
upvoted 1 times
galahad
1 year, 3 months ago
I agree the Container Group Instance will need its own Subnet.
upvoted 1 times
Feliphus
6 months, 1 week ago
What is a "Container Group"? If it means Azure Container Instance (ACI), it has to run in its own subnet, then you need two subnets for the "Container Group". Then, the answer for the first question is 4
upvoted 1 times
rga91
1 year, 8 months ago
Correction: since we are not using a vnet integration with the DB (VNET and DB are in the same region), no dedicated subnet is required for the DB. So only 3 subnets are needed. Please check the image in the link (the example is with a storage account): https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview
upvoted 11 times
bobothewiseman
Most Recent 3 months, 2 weeks ago
It's 4 subnets and 2 SE
1. Gateway Subnet
2. Container Instances
3. VM
4. DB1
upvoted 1 times
bobothewiseman
3 months ago
I was wrong! 3 subnets and 2 SE. Vnet integration is not in use. The ACI subnet is not required.
upvoted 1 times
bewavos102
5 months, 2 weeks ago
Answer is correct. For Vnet6, you need a minimum of 3 subnets:
- One for the container groups
- One for the virtual machines
- One for a GatewaySubnet for the VPN gateway to establish VPN connections.
Container groups and VMs can't share a subnet due to networking conflicts since Azure Container Instances (ACI) requires its own subnet.
Then, you need a minimum of 2 private endpoints:
- One for KeyVault1
- One for DB1
Not sure why people are mentioning subnet2; it is on a completely different virtual network (vnet1). Not sure why people are mentioning DB1 as in Vnet6 that requires a subnet. It is outside Vnet6; otherwise, what would be the purpose for a private endpoint?
upvoted 3 times
Knight_Of_Peace
4 months, 1 week ago
Thanks Bewavos102. Container groups and VMs can't share a subnet due to networking conflicts since Azure Container Instances (ACI) requires its own subnet.
Ref: https://learn.microsoft.com/en-us/azure/container-instances/container-instances-virtual-network-concepts#:~:text=Subnet%20(delegated),the%20operation%20fails.
Also, you can use one Subnet for both Container Groups as confirmed in the following diagram:
Ref: https://learn.microsoft.com/en-us/azure/container-instances/container-instances-virtual-network-concepts#:~:text=The%20following%20diagram%20depicts%20several%20container%20groups%20deployed%20to%20a%20subnet%20delegated%20to%20Azure%20Container%20Instances.%20Once%20you%20deploy%20one%20container%20group%20to%20a%20subnet%2C%20you%20can%20deploy%20more%20container%20groups%20to%20it%20by%20specifying%20the%20same%20network%20profile.
So, 3 subnets
upvoted 1 times
bp_a_user
1 year, 7 months ago
I would say 0 service endpoints: private endpoints could be used for both, key vault and azure sql db
upvoted 3 times
xRiot007
1 month ago
Could be, but not in this context. Here we have to use service endpoints. One for DB and one for KW
upvoted 1 times