AZ-700 Question #1: Real Exam Question with Answer & Explanation
The correct answer is A: On the peerings from Vnet2 and Vnet3, select Use remote gateways.
Question
Case Study 1 - Litware, Inc.

Overview
Litware, Inc. is a financial company that has a main datacenter in Boston and 20 branch offices across the United States. Users have Android, iOS, and Windows 10 devices.

Existing Environment

Hybrid Environment
The on-premises network contains an Active Directory forest named litwareinc.com that syncs to an Azure Active Directory (Azure AD) tenant named litwareinc.com by using Azure AD Connect. All the offices connect to a virtual network named Vnet1 by using a Site-to-Site VPN connection.

Azure Environment
Litware has an Azure subscription named Sub1 that is linked to the litwareinc.com Azure AD tenant. Sub1 contains resources in the East US Azure region as shown in the following table. A diagram of the resources in the East US Azure region is shown in the Network Diagram exhibit. There is bidirectional peering between Vnet1 and Vnet2. There is bidirectional peering between Vnet1 and Vnet3. Currently, Vnet2 and Vnet3 cannot communicate directly.

[Exhibit: Azure Environment Diagram]

Requirements

Business Requirements
Litware wants to minimize costs whenever possible, as long as all other requirements are met.

Virtual Networking Requirements
Litware identifies the following virtual networking requirements:
- Direct the default route of 0.0.0.0/0 on Vnet2 and Vnet3 to the Boston datacenter over an ExpressRoute circuit.
- Ensure that the records in the cloud.litwareinc.com zone can be resolved from the on-premises locations.
- Automatically register the DNS names of Azure virtual machines to the cloud.litwareinc.com zone.
- Minimize the size of the subnets allocated to platform-managed services.
- Allow traffic from VMScaleSet1 to VMScaleSet2 on TCP port 443 only.

Hybrid Networking Requirements
Litware identifies the following hybrid networking requirements:
- Users must be able to connect to Vnet1 by using a Point-to-Site (P2S) VPN when working remotely. Connections must be authenticated by Azure AD.
- Latency of the traffic between the Boston datacenter and all the virtual networks must be minimized.
- The Boston datacenter must connect to the Azure virtual networks by using an ExpressRoute FastPath connection.
- Traffic between Vnet2 and Vnet3 must be routed through Vnet1.

PaaS Networking Requirements
Litware identifies the following networking requirements for platform as a service (PaaS):
- The storage1 account must be accessible from all on-premises locations without exposing the public endpoint of storage1.
- The storage2 account must be accessible from Vnet2 and Vnet3 without exposing the public endpoint of storage2.

You need to connect Vnet2 and Vnet3. The solution must meet the virtual networking requirements and the business requirements. Which two actions should you include in the solution? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.
Options
- A. On the peerings from Vnet2 and Vnet3, select Use remote gateways.
- B. On the peering from Vnet1, select Allow forwarded traffic.
- C. On the peering from Vnet1, select Use remote gateways.
- D. On the peering from Vnet1, select Allow gateway transit.
- E. On the peerings from Vnet2 and Vnet3, select Allow gateway transit.
Explanation
In a hub-and-spoke VNet topology, gateway transit requires a coordinated two-sided configuration. On the hub VNet (Vnet1, which contains the VPN gateway), the peering must have 'Allow gateway transit' enabled (D) - this authorizes the gateway to serve traffic on behalf of peered spoke networks. On each spoke VNet peering (Vnet2 and Vnet3), 'Use remote gateways' must be enabled (A) - this directs outbound traffic through Vnet1's gateway rather than requiring each spoke to have its own. Both settings must be configured together; enabling only one side has no effect. 'Allow forwarded traffic' (B) permits traffic that did not originate within the VNet to pass through, which is a separate concern. 'Allow gateway transit' on the spoke peerings (E) is incorrect because the gateway resides in Vnet1, not the spokes.
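The two-sided rule above is easy to audit from peering properties. The following Python check is an added example (not part of the exam page or of any Azure tooling); the sample data is constructed to mirror the shape of `az network vnet peering list` output, with Vnet2 configured as options A and D describe and Vnet3 deliberately set the wrong way round (option E) so the checker has something to report.

```python
# Constructed sample shaped like `az network vnet peering list` entries:
# one object per peering direction, grouped by the VNet that owns it.
# Subscription/resource-group ids are placeholders, not real values.
VNET = "/subscriptions/SUB/resourceGroups/RG/providers/Microsoft.Network/virtualNetworks/"
PEERINGS = {
    "Vnet1": [  # hub: it owns the gateway
        {"remoteVirtualNetwork": {"id": VNET + "Vnet2"},
         "allowGatewayTransit": True, "useRemoteGateways": False},
        {"remoteVirtualNetwork": {"id": VNET + "Vnet3"},
         "allowGatewayTransit": False, "useRemoteGateways": False},  # hub side not set
    ],
    "Vnet2": [  # spoke configured as in option A
        {"remoteVirtualNetwork": {"id": VNET + "Vnet1"},
         "allowGatewayTransit": False, "useRemoteGateways": True},
    ],
    "Vnet3": [  # spoke configured the wrong way round (option E)
        {"remoteVirtualNetwork": {"id": VNET + "Vnet1"},
         "allowGatewayTransit": True, "useRemoteGateways": False},
    ],
}


def remote_vnet(peering):
    """The last segment of the remote VNet resource id is the VNet name."""
    return peering["remoteVirtualNetwork"]["id"].rsplit("/", 1)[-1]


def check_gateway_transit(peerings, hub):
    """Return findings for each spoke peered with `hub`; [] means both sides are set."""
    findings = []
    hub_side = {remote_vnet(p): p for p in peerings[hub]}
    for spoke, spoke_peerings in peerings.items():
        if spoke == hub:
            continue
        for sp in spoke_peerings:
            if remote_vnet(sp) != hub:
                continue  # peering to something other than the hub
            hp = hub_side.get(spoke)
            if hp is None:
                findings.append(f"{spoke}: no reverse peering from {hub}")
                continue
            # Hub side must allow transit and must not itself use remote gateways (option C).
            if not hp["allowGatewayTransit"]:
                findings.append(f"{hub}->{spoke}: Allow gateway transit not enabled on hub")
            if hp["useRemoteGateways"]:
                findings.append(f"{hub}->{spoke}: hub set to Use remote gateways")
            # Spoke side must use the remote gateway and must not offer transit (option E).
            if not sp["useRemoteGateways"]:
                findings.append(f"{spoke}->{hub}: Use remote gateways not enabled on spoke")
            if sp["allowGatewayTransit"]:
                findings.append(f"{spoke}->{hub}: Allow gateway transit set on gateway-less spoke")
    return findings
```

Running `check_gateway_transit(PEERINGS, "Vnet1")` reports nothing for Vnet2 and three findings for Vnet3; fixing Vnet3 to match Vnet2 (and enabling transit on the hub-side peering to it) empties the list.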