AZ-700 Exam - Question 26


Case Study -

This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.

To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other questions in this case study.

At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.

To start the case study -

To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. When you are ready to answer a question, click the Question button to return to the question.

Overview -

Litware, Inc. is a financial company that has a main datacenter in Boston and 20 branch offices across the United States. Users have Android, iOS, and Windows 10 devices.

Existing Environment -

Hybrid Environment -

The on-premises network contains an Active Directory forest named litwareinc.com that syncs to an Azure Active Directory (Azure AD) tenant named litwareinc.com by using Azure AD Connect.

All offices connect to a virtual network named Vnet1 by using a Site-to-Site VPN connection.

Azure Environment -

Litware has an Azure subscription named Sub1 that is linked to the litwareinc.com Azure AD tenant. Sub1 contains resources in the East US Azure region as shown in the following table.

A diagram of the resource in the East US Azure region is shown in the Azure Network Diagram exhibit.

There is bidirectional peering between Vnet1 and Vnet2. There is bidirectional peering between Vnet1 and Vnet3. Currently, Vnet2 and Vnet3 cannot communicate directly.

Azure Network Diagram -

Requirements -

Business Requirements -

Litware wants to minimize costs whenever possible, as long as all other requirements are met.

Virtual Networking Requirements -

Litware identifies the following virtual networking requirements:

• Direct the default route of 0.0.0.0/0 on Vnet2 and Vnet3 to the Boston datacenter over an ExpressRoute circuit.

• Ensure that the records in the cloud.litwareinc.com can be resolved from the on-premises locations.

• Automatically register the DNS names of Azure virtual machines to the cloud.litwareinc.com zone.

• Minimize the size of the subnets allocated to platform-managed services.

• Allow traffic from VMScaleSet1 to VMScaleSet2 on the TCP port 443 only.

Hybrid Networking Requirements -

Litware identifies the following hybrid networking requirements:

• Users must be able to connect to Vnet1 by using a Point-to-Site (P2S) VPN when working remotely. Connections must be authenticated by Azure AD.

• Latency of the traffic between the Boston datacenter and all the virtual networks must be minimized.

• The Boston datacenter must connect to the Azure virtual networks by using an ExpressRoute FastPath connection.

• Traffic between Vnet2 and Vnet3 must be routed through Vnet1.

PaaS Networking Requirements -

Litware identifies the following networking requirements for platform as a service (PaaS):

• The storage1 account must be accessible from all on-premises locations without exposing the public endpoint of storage1.

• The storage2 account must be accessible from Vnet2 and Vnet3 without exposing the public endpoint of storage2.

You need to connect Vnet2 and Vnet3. The solution must meet the virtual networking requirements and the business requirements.

Which two actions should you include in the solution? Each correct answer presents part of the solution.

NOTE: Each correct selection is worth one point.

Correct Answer: BE

To ensure that Vnet2 and Vnet3 can communicate while adhering to the business and virtual networking requirements, two actions must be taken. First, on the peerings from Vnet2 and Vnet3, you must select 'Allow for Traffic forwarded from remote virtual network.' This allows Vnet2 and Vnet3 to accept traffic that has been routed through Vnet1, which is necessary for the communication between these networks. Second, you need to select 'Use the remote virtual network's gateway or Route Server' for the peerings from Vnet2 and Vnet3. This action allows Vnet2 and Vnet3 to utilize the VPN Gateway present in Vnet1 for any traffic that needs to be routed through Vnet1, thereby facilitating smooth communication and meeting the stated requirements.
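The two portal settings named in this explanation correspond to the `allowForwardedTraffic` and `useRemoteGateways` properties of a virtual network peering. The following check is an added example, not part of the original page: it audits the spoke-side peerings toward Vnet1 for both settings, using constructed sample records shaped like Azure CLI JSON output (the subscription ID, resource group and peering names are placeholders).

```python
import json

# Constructed sample shaped like `az network vnet peering list -o json` output
# for the spoke-side peerings. SUB-ID, RG-PLACEHOLDER and the peering names
# are placeholders, not values from the case study.
_HUB_ID = ("/subscriptions/SUB-ID/resourceGroups/RG-PLACEHOLDER"
           "/providers/Microsoft.Network/virtualNetworks/Vnet1")
SAMPLE_PEERINGS = json.loads("""
[
  {"name": "Vnet2-to-Vnet1", "peeringState": "Connected",
   "allowVirtualNetworkAccess": true, "allowForwardedTraffic": true,
   "useRemoteGateways": true, "remoteVirtualNetwork": {"id": "%s"}},
  {"name": "Vnet3-to-Vnet1", "peeringState": "Connected",
   "allowVirtualNetworkAccess": true, "allowForwardedTraffic": false,
   "useRemoteGateways": true, "remoteVirtualNetwork": {"id": "%s"}}
]
""" % (_HUB_ID, _HUB_ID))

# Settings each spoke peering toward the hub needs for answer BE.
REQUIRED = {
    "allowVirtualNetworkAccess": True,  # basic reachability over the peering
    "allowForwardedTraffic": True,      # option B: accept traffic forwarded via Vnet1
    "useRemoteGateways": True,          # option E: use the gateway in Vnet1
}


def audit_spoke_peerings(peerings, hub="Vnet1"):
    """Return {peering name: [settings that do not match REQUIRED]}."""
    findings = {}
    for p in peerings:
        remote = p["remoteVirtualNetwork"]["id"].rsplit("/", 1)[-1]
        if remote.lower() != hub.lower():
            continue  # only spoke-to-hub peerings are in scope
        bad = [k for k, want in REQUIRED.items() if p.get(k) is not want]
        if p.get("peeringState") != "Connected":
            bad.append("peeringState")
        findings[p["name"]] = bad
    return findings


if __name__ == "__main__":
    for name, bad in audit_spoke_peerings(SAMPLE_PEERINGS).items():
        print(name, "OK" if not bad else "needs: " + ", ".join(bad))
```

An empty list means the peering carries both settings; in the constructed sample the Vnet3 peering is reported because forwarded traffic is still disabled on it.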

Discussion

12 comments
azure_dori (Options: BE)
Aug 17, 2023

Here are my 2 cents about this question:
1. The correct answer is: BE.
2. The justification is as follows:
- E IS obviously an answer because without it the requirements cannot be met.
- D is NOT an answer, because the case study says that "There is bidirectional peering between Vnet1 and Vnet2. There is bidirectional peering between Vnet1 and Vnet3." This means that "Traffic to remote virtual network" is already allowed for Vnet1<...>Vnet2 and Vnet1<...>.
- C is total nonsense.
- B IS an answer, because Vnet1 contains the VPN gateway that forwards the traffic between Vnet2 and Vnet3.
- A is NOT an answer, because Vnet2 and Vnet3 don't have VPN gateways so they cannot forward traffic to Vnet1.
Documentation:
https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-manage-peering?tabs=peering-portal#create-a-peering
https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways

derp12352
Aug 15, 2023

BE. E is obvious. Vnet 2 and 3 need to use Vnet 1's virtual network gateway. A would allow Vnet1 to receive traffic from Vnet2 & Vnet3 that doesn't originate from those VNETs. Review the tooltips on the vnet peering page. It would read "This setting allows forwarded traffic from Vnet2/Vnet3 (traffic not originating from Vnet2/Vnet3) into Vnet1." You don't need that. What you do need to allow is the other way, so we need B. Vnet2 and Vnet3 need to allow on-premises traffic that comes over the peering connection from Vnet1.

Feliphus
Nov 17, 2024

IMHO You would B, if you would have another Vnets in cascade, for example, named Vnet2b or Vnet3b peered to Vnet2 or Vnet3 respectively

bp_a_user
Sep 30, 2023

The correct answer is DE. "Select Allow gateway in 'vnet-1' to forward traffic to 'vnet-2' if you want vnet-2 to receive traffic from vnet-1's gateway/Route Server. vnet-1 must contain a gateway in order for this option to be enabled." "Select Enable 'vnet-1' to use 'vnet-2' remote gateway if you want vnet-1 to use vnet-2's gateway or Route Server. vnet-1 can only use a remote gateway or Route Server from one peering connection. vnet-2 has to have a gateway or Route Server in order for you to select this option." From here: https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-manage-peering?tabs=peering-portal

bp_a_user
Sep 30, 2023

...and here a concrete example: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-peering-gateway-transit

bp_a_user
Sep 30, 2023

BE, I mean

SKachroo (Options: AE)
Dec 20, 2023

A: will allow vnet 2 and 3 to send data to vnet 1

Eddie_Sli
Jul 30, 2024

AE is the correct answer

bp_a_user
Sep 23, 2023

We have here a hub-spoke topology: why is no NAV/Firewall required?

bp_a_user
Sep 23, 2023

I mean NVA

hogehogehoge
Nov 2, 2023

I think this answer is correct, because vnet1 transfers the traffic from vnet2 and vnet3 to the Datacenter.

620b351
Sep 20, 2024

The correct answer is A & E.

Lazylinux (Options: BE)
Nov 3, 2023

Agreed, BE. What we need is traffic to go from vnet2&3 to on-prem and come from on-prem to vnet2&3. Hence B addresses allowing traffic from on-prem to reach vnet 2 and 3, and E addresses allowing traffic to flow from vnet2&3 to on-prem.

Feliphus
Nov 17, 2024

IMHO, I propose this correct answer: you need A-D-E-F to allow the connection between Vnet2 and Vnet3. F is a new option to complete the answer.
- A. On the peering from Vnet1, select Allow for "Traffic forwarded" from remote virtual network.
- D. On the peering from Vnet1, select Allow for "Traffic to" remote virtual network.
- E. On the peerings from Vnet2 and Vnet3, select Use the "remote" virtual network's gateway or Route Server.
- F. On the peering from Vnet1, select Use "this" virtual network's Gateway or Route Server.

1322d93 (Options: AE)
Apr 9, 2025

What do they mean by 'remote virtual network'? On premises?

Enarsi_Guru (Options: BE)
Apr 19, 2025

Too much yapping and yet the question is so simple