7.3. Practice Questions
These questions mirror the AZ-700 exam's style: scenario-based, requiring you to apply concepts rather than recall definitions. Think of each question as a mini troubleshooting exercise—you're not just identifying the right answer, you're demonstrating that you understand why it's right and why the others fall short.
💡 First Principle: Exam questions test decision-making, not memorization. The scenario provides constraints (cost, latency, security, scale), and your job is to match those constraints to the Azure service designed for that purpose.
What separates passing from failing:
- Reading requirements carefully—missing "minimum latency" vs "lowest cost" changes the answer completely
- Knowing the limits and differences between similar services (Load Balancer vs App Gateway, Private Endpoint vs Service Endpoint)
- Understanding what breaks when requirements aren't met—not just what works
Work through these questions, read the rationales even for questions you get right, and identify patterns in how Microsoft frames networking decisions.
Domain 1: Core Networking Infrastructure
Q1. A company is planning their Azure network. They have on-premises networks using 10.0.0.0/8 and need VNets in three Azure regions. Which address range should they use for Azure VNets?
A. 10.100.0.0/16, 10.101.0.0/16, 10.102.0.0/16
B. 172.16.0.0/16, 172.17.0.0/16, 172.18.0.0/16
C. 192.168.0.0/24, 192.168.1.0/24, 192.168.2.0/24
D. 10.0.0.0/16 for each region
Answer: B
Rationale: On-premises uses 10.0.0.0/8, so using any 10.x address risks overlap. 172.16.0.0/12 is available for Azure. Option C provides too few addresses (/24 = 256). Option D would overlap with on-premises.
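To make the address-planning check in Q1 mechanical, here is an added Python example (it is not part of the study guide) that tests each candidate plan against the on-premises range using the standard library's ipaddress module. The on-premises range and the four candidate plans come from the question; the 1000-usable-address minimum is an assumed requirement, and applying Azure's five reserved addresses to the whole VNet prefix is a simplification.

```python
# Added example (not from the study guide): check candidate Azure VNet address
# plans against on-premises ranges with the standard library's ipaddress module.
from ipaddress import ip_network

# Azure reserves the first four and the last address of every subnet. The
# example applies this to the whole VNet prefix, which is a simplification.
AZURE_RESERVED = 5

# Constructed input mirroring Q1: on-premises uses 10.0.0.0/8.
ON_PREM = [ip_network("10.0.0.0/8")]

# Candidate plans keyed by the answer letters used in Q1.
CANDIDATES = {
    "A": ["10.100.0.0/16", "10.101.0.0/16", "10.102.0.0/16"],
    "B": ["172.16.0.0/16", "172.17.0.0/16", "172.18.0.0/16"],
    "C": ["192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24"],
    "D": ["10.0.0.0/16", "10.0.0.0/16", "10.0.0.0/16"],  # "10.0.0.0/16 for each region"
}


def usable_addresses(prefix):
    """Addresses left for resources once Azure's reserved addresses are removed."""
    return ip_network(prefix).num_addresses - AZURE_RESERVED


def evaluate_plan(prefixes, on_prem, min_usable):
    """Return a list of problems; an empty list means the plan is acceptable."""
    vnets = [ip_network(p) for p in prefixes]
    problems = []
    # 1. A VNet overlapping on-premises space cannot be routed over VPN/ExpressRoute.
    for v in vnets:
        for o in on_prem:
            if v.overlaps(o):
                problems.append(f"{v} overlaps on-premises {o}")
    # 2. VNets that will be peered (hub/spoke, cross-region) must not overlap each other.
    for i, v in enumerate(vnets):
        for w in vnets[i + 1:]:
            if v.overlaps(w):
                problems.append(f"{v} overlaps {w}")
    # 3. Each VNet must leave enough room for the workload (assumed minimum).
    for p in prefixes:
        if usable_addresses(p) < min_usable:
            problems.append(f"{p} leaves only {usable_addresses(p)} usable addresses")
    return problems


def acceptable_options(candidates, on_prem, min_usable=1000):
    """Letters of the plans that raise no problems."""
    return sorted(k for k, p in candidates.items() if not evaluate_plan(p, on_prem, min_usable))


if __name__ == "__main__":
    for letter, prefixes in CANDIDATES.items():
        problems = evaluate_plan(prefixes, ON_PREM, 1000)
        print(letter, "acceptable" if not problems else "; ".join(problems))
    print("Acceptable:", acceptable_options(CANDIDATES, ON_PREM))
```

Run as a script it prints one line per option with the reason each rejected plan fails, which is exactly the reasoning the rationale expects you to reproduce under exam conditions: A and D collide with 10.0.0.0/8, D also collides with itself across regions, and C is too small.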
Q2. A VM in a VNet needs to resolve contoso.database.windows.net to a private IP after you created a Private Endpoint. The VM still resolves to the public IP. What should you configure?
A. Custom DNS server on the VNet
B. Private DNS zone linked to the VNet
C. DNS forwarder in the same subnet
D. Azure DNS Private Resolver
Answer: B
Rationale: Private Endpoints require Private DNS zones (privatelink.database.windows.net) linked to the VNet for proper resolution. Custom DNS servers would need to forward to Azure DNS. A forwarder alone doesn't create the DNS records.
Q3. You have a hub VNet (10.0.0.0/16) with a VPN Gateway and spoke VNets (10.1.0.0/16, 10.2.0.0/16) peered to the hub. On-premises clients can reach the hub but not the spokes. What's missing?
A. Gateway transit on hub peerings
B. User-defined routes in the hub
C. BGP on the VPN Gateway
D. "Use remote gateway" on spoke peerings
Answer: A and D (both required)
Rationale: Gateway transit requires enabling "Allow gateway transit" on the hub side AND "Use remote gateway" on the spoke side. Without both, spokes can't use the hub's gateway for on-premises connectivity.
Domain 2: Connectivity Services
Q4. An organization needs 5 Gbps connectivity to Azure with guaranteed latency and cannot use the public internet. Which solution meets these requirements?
A. VPN Gateway VpnGw5 with 5 tunnels
B. ExpressRoute Standard 5 Gbps
C. Virtual WAN with multiple hubs
D. Multiple VPN connections aggregated
Answer: B
Rationale: ExpressRoute provides private connectivity that does not traverse the public internet. VPN Gateway traffic (including VpnGw5 with multiple tunnels) travels over the internet. Virtual WAN itself uses VPN or ExpressRoute for connectivity, so it is not the answer on its own. Multiple VPN connections don't guarantee latency.
Q5. A company has ExpressRoute with Azure private peering. They need to access Microsoft 365 over ExpressRoute. What additional configuration is required?
A. Enable Microsoft peering
B. Configure route filters
C. Both A and B
D. Microsoft 365 automatically uses private peering
Answer: C
Rationale: Microsoft 365 requires Microsoft peering (not private peering) AND route filters to select the Microsoft 365 BGP communities. Private peering is only for Azure VNet resources.
Domain 3: Application Delivery Services
Q6. A web application deployed in East US experiences slow performance for users in Europe. Traffic is currently served by a public Load Balancer. Which service provides the best improvement?
A. Azure Front Door
B. Regional Application Gateway
C. Traffic Manager with Performance routing
D. Cross-region Load Balancer
Answer: A
Rationale: Front Door provides global load balancing with edge POPs worldwide, accelerating traffic to the origin. Traffic Manager only does DNS-based routing (users still connect to the regional endpoint). Cross-region Load Balancer is Layer 4 only.
Q7. An application needs URL-based routing (/api/* to container backend, /web/* to VM backend) with SSL termination and WAF. Which service should you use?
A. Azure Load Balancer
B. Azure Application Gateway with WAF
C. Azure Traffic Manager
D. Azure Front Door Standard
Answer: B
Rationale: Application Gateway provides URL-based routing, SSL termination, and WAF (v2 SKU). Load Balancer is Layer 4 (no URL routing). Traffic Manager is DNS-only. Front Door Standard doesn't include WAF (Premium does, but Application Gateway is simpler for regional requirements).
Domain 4: Private Access
Q8. After deploying Private Endpoints for Azure Storage, you need on-premises clients to resolve the storage account to its private IP. What should you implement?
A. Service Endpoint on the on-premises network
B. DNS forwarder in Azure that forwards to Azure DNS
C. Azure DNS Private Resolver with inbound endpoint
D. Both B and C would work
Answer: D
Rationale: Both approaches work. B uses a traditional DNS forwarder VM that conditionally forwards Azure DNS queries to 168.63.129.16. C uses the managed DNS Private Resolver service. On-premises DNS must be configured to forward to either solution.
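Q2 and Q8 both come down to where the privatelink name gets answered. The following added Python model (not from the study guide) walks the CNAME chain the way a resolver does and covers four cases: a VM in a VNet without the zone link, a VM with it, an on-premises resolver with no conditional forwarder, and one that forwards the privatelink zone to the Azure side. The DNS records, the public IP 203.0.113.50 and the private IP 10.0.1.4 are constructed sample data; the zone name privatelink.database.windows.net is the one named in Q2.

```python
# Added example (not from the study guide): a small model of how a Private
# Endpoint name is resolved from inside a VNet and from on-premises. Records
# and IP addresses are constructed sample data.

# Public DNS as published for a SQL logical server: the service name is a
# CNAME to the privatelink name, which publicly resolves to the service's
# public front end.
PUBLIC_DNS = {
    "contoso.database.windows.net": ("CNAME", "contoso.privatelink.database.windows.net"),
    "contoso.privatelink.database.windows.net": ("A", "203.0.113.50"),  # constructed public IP
}

# Azure Private DNS zone; the A record is what the Private Endpoint creates.
PRIVATE_ZONES = {
    "privatelink.database.windows.net": {"contoso": "10.0.1.4"},  # constructed private IP
}


def zone_for(name, zones):
    """Longest zone in `zones` that `name` falls under, or None."""
    matches = [z for z in zones if name.endswith("." + z)]
    return max(matches, key=len) if matches else None


def resolve(name, overrides, max_hops=8):
    """Follow the public CNAME chain; any name under a zone in `overrides` is
    answered by that zone's handler instead of public DNS. max_hops guards
    against CNAME loops."""
    for _ in range(max_hops):
        zone = zone_for(name, overrides)
        if zone is not None:
            return overrides[zone](name)
        rtype, value = PUBLIC_DNS.get(name, (None, None))
        if rtype == "A":
            return value
        if rtype != "CNAME":
            return None  # NXDOMAIN
        name = value
    return None


def private_zone_lookup(name):
    """Answer from the linked Private DNS zone. A linked zone is authoritative:
    a name missing from it is NXDOMAIN, with no fallback to public DNS."""
    zone = zone_for(name, PRIVATE_ZONES)
    if zone is None:
        return None
    return PRIVATE_ZONES[zone].get(name[: -len(zone) - 1])


def azure_dns_for_vnet(linked_zones):
    """Azure-provided DNS (168.63.129.16) as seen from a VNet with these zone links."""
    handlers = {z: private_zone_lookup for z in linked_zones}
    return lambda name: resolve(name, handlers)


def on_prem_dns(forwarders):
    """On-premises resolver. `forwarders` maps a DNS suffix to the Azure-side
    resolver that a conditional forwarder reaches (a DNS forwarder VM or a
    DNS Private Resolver inbound endpoint); 168.63.129.16 itself is not
    reachable from outside the VNet."""
    return lambda name: resolve(name, forwarders)


NAME = "contoso.database.windows.net"
vm_without_link = azure_dns_for_vnet([])                                  # Q2 before the fix
vm_with_link = azure_dns_for_vnet(["privatelink.database.windows.net"])   # Q2 answer B
onprem_no_forwarder = on_prem_dns({})                                     # Q8 before the fix
onprem_forwarder = on_prem_dns({"privatelink.database.windows.net": vm_with_link})  # Q8 B or C

if __name__ == "__main__":
    cases = [("VM, no zone link", vm_without_link), ("VM, zone linked", vm_with_link),
             ("on-prem, no forwarder", onprem_no_forwarder), ("on-prem, forwarder", onprem_forwarder)]
    for label, resolver in cases:
        print(f"{label:24} {NAME} -> {resolver(NAME)}")
```

Two details worth noticing: the conditional forwarder on-premises is keyed on the privatelink zone, not on database.windows.net, because the public CNAME is what carries the query into that zone; and once a privatelink zone is linked to a VNet it answers for every name under it, so a record missing from the zone yields NXDOMAIN rather than falling back to the public IP.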
Domain 5: Network Security
Q9. A subnet has an NSG that allows HTTPS (443) inbound from the internet. A VM in the subnet also has an NIC-level NSG. Users cannot connect to the VM on port 443. What's the most likely cause?
A. The subnet NSG is blocking traffic
B. The NIC-level NSG doesn't allow port 443
C. Azure Firewall is blocking traffic
D. The VM doesn't have a public IP
Answer: B
Rationale: Both subnet and NIC NSGs are evaluated—traffic must be allowed by BOTH. Since subnet NSG allows 443, the NIC-level NSG must also allow it. Option A contradicts the scenario. C would require explicit mention of Firewall. D would prevent any inbound internet access.
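The rule in Q9 is easy to state and easy to get wrong under time pressure, so here is an added Python simulation (not from the study guide) of inbound NSG evaluation: within each NSG the first matching rule in ascending priority order decides, Azure's three default inbound rules sit at the bottom, and the subnet NSG and the NIC NSG must both allow the flow. The VNet range 10.1.0.0/16, the client address 203.0.113.10 and the rule names are constructed; treating the Internet tag as "anything outside the VNet" is a simplification of the real service tag.

```python
# Added example (not from the study guide): simulate Azure's inbound NSG
# evaluation for a flow that crosses a subnet NSG and then a NIC NSG.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

VNET_RANGES = [ip_network("10.1.0.0/16")]   # constructed VNet address space
AZURE_LB_PROBE_SOURCE = "168.63.129.16"     # source of Azure Load Balancer health probes


@dataclass
class Rule:
    name: str
    priority: int     # 100-4096 for custom rules; lower number wins
    source: str       # "*", "Internet", "VirtualNetwork", "AzureLoadBalancer" or a CIDR
    dest_port: str    # "*" or a single port as a string
    access: str       # "Allow" or "Deny"


# The three default inbound rules that exist in every NSG.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "VirtualNetwork", "*", "Allow"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "AzureLoadBalancer", "*", "Allow"),
    Rule("DenyAllInBound", 65500, "*", "*", "Deny"),
]


def nsg(*custom_rules):
    """An NSG is its custom rules plus Azure's defaults."""
    return list(custom_rules) + DEFAULT_INBOUND


def source_matches(rule_source, src_ip):
    ip = ip_address(src_ip)
    in_vnet = any(ip in r for r in VNET_RANGES)
    if rule_source == "*":
        return True
    if rule_source == "VirtualNetwork":
        return in_vnet
    if rule_source == "Internet":
        return not in_vnet           # simplification of the Internet service tag
    if rule_source == "AzureLoadBalancer":
        return src_ip == AZURE_LB_PROBE_SOURCE
    return ip in ip_network(rule_source)


def evaluate_nsg(rules, src_ip, dest_port):
    """First rule that matches, in ascending priority order, decides."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if source_matches(rule.source, src_ip) and rule.dest_port in ("*", str(dest_port)):
            return rule.access == "Allow", rule.name
    return False, "no-rule-matched"   # cannot happen while DenyAllInBound is present


def inbound_allowed(subnet_nsg, nic_nsg, src_ip, dest_port):
    """Inbound traffic is checked by the subnet NSG first, then by the NIC NSG.
    A level with no NSG attached (None) imposes no restriction; otherwise both
    levels must allow the flow."""
    for level, rules in (("subnet", subnet_nsg), ("nic", nic_nsg)):
        if rules is None:
            continue
        allowed, rule_name = evaluate_nsg(rules, src_ip, dest_port)
        if not allowed:
            return False, f"{level}:{rule_name}"
    return True, "allowed"


# Q9 scenario (constructed rule names and client address).
SUBNET_NSG = nsg(Rule("AllowHttpsFromInternet", 100, "Internet", "443", "Allow"))
NIC_NSG_BROKEN = nsg()                                                     # only the defaults
NIC_NSG_FIXED = nsg(Rule("AllowHttpsFromInternet", 100, "Internet", "443", "Allow"))
CLIENT = "203.0.113.10"

if __name__ == "__main__":
    print("before fix:", inbound_allowed(SUBNET_NSG, NIC_NSG_BROKEN, CLIENT, 443))
    print("after fix: ", inbound_allowed(SUBNET_NSG, NIC_NSG_FIXED, CLIENT, 443))
    print("port 22:   ", inbound_allowed(SUBNET_NSG, NIC_NSG_FIXED, CLIENT, 22))
```

The returned tuple names the level and rule that made the decision, which is the same information Azure's effective security rules view and NSG flow logs give you when troubleshooting: in the broken case the subnet NSG allows the flow and the NIC-level DenyAllInBound drops it, and attaching no NSG to the NIC at all (None) would also have let the traffic through.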
Q10. A company needs centralized security with FQDN filtering, TLS inspection, and threat intelligence for traffic between spokes and to the internet. Which solution should you recommend?
A. NSGs on each subnet
B. Azure Firewall Standard
C. Azure Firewall Premium
D. WAF on Application Gateway
Answer: C
Rationale: TLS inspection requires Azure Firewall Premium. Standard has FQDN filtering and threat intelligence but not TLS inspection. NSGs don't provide FQDN or TLS inspection. WAF is for web traffic only, not general network security.