Last Update: Dec 2, 2022
Basics of Networking in the Cloud
1. Introduction to Networking
Of these topics, such as Azure Global Network, some are not specifically going to be on the exam. But I'm trying to come at this as somebody who might have as much networking experience as you do but might not be as familiar with the Microsoft Azure environment. And so, how does Azure networking work? So first, before we get started with anything, you're going to hear some terms in this course. And I wanted to make sure that we were clear because it doesn't, again, specifically cover some of this. You might see that I always have to choose an Azure subscription every time I create a resource. Well, the Azure subscription is basically the billing unit within Microsoft Azure, and all resources must have a subscription. And at the end of the month, that's who the bill goes to and whose credit card gets charged. So whenever you see a subscription, it's really just who's paying. The other thing that we'll see is resource groups.
Now in this course, I tend to use the same resource group over and over. I'm just doing that out of convenience. But it's just an organisational structure. It's just a folder. And as you're creating resources, you put them into a resource group, which makes it easy to clean it up after. You can just delete the resource group, and it will delete all of the resources inside of it. You can also do some security and Azure policy-related things. We don't get into it in this course, but whenever you see talk about "resource groups," it's just a folder, like a file folder in an operating system. And finally, we don't really cover security per se on this exam, not in terms of identity, security, and permissions. So this isn't a security exam, it's a networking exam. Now, of course, there are so many Azure resources around security, including the firewall, which we'll get into, but we're covering networking security, not security security. And that's a different exam.
There's an AZ-500 exam for that, and some of those SC series exams. So let's get into: what is the Azure Global Network? So now this is a real physical network. It is actually one of the largest networks in the world. Microsoft claims there's 165 miles of fiber-optic cable and undersea cable, and it just wraps the world several times in physical networking. Microsoft divides the world up into geographies, and they divide the geographies up into regions. There are currently 61 regions, but they are constantly introducing and announcing new future regions, and so this number tends to change. Each region is made up of a number of data centers. And so we're well into the 100-plus range in terms of physical buildings. So consider the data center to be the building, the security surrounding it, the electricity and Internet, and the cooling into that center. And each region has multiple of those. And if you add it all up, there are seven things called points of presence, which are like the edge locations of the network. They're not data centers. They are not places where you can deploy stuff. But if you are connecting to Azure, let's say you're building an Azure ExpressRoute connection, you can connect into a point of presence that might be closer to your physical office or to your data center than an actual Microsoft region. And when I'm talking about this network of 1650 miles of cable, this isn't the Internet, right? This is a private company that spent billions of dollars building a private network. Some of Microsoft's most popular services, such as Xbox and Skype, and all of their websites, Bing, and things like that, run off of this network. So they're actually.
2. Virtual Networks and Subnets
After all that, we talked about the Azure global network. Now we're getting into the virtualization of it, and that's called a virtual network. And that's something that I can create, and we will create it relatively shortly. So you create an Azure virtual network. It is a virtual representation of a physical network. A virtual network must be subdivided into what are called subnets. The minimum number of subnets that you can have is one. The virtual network handles DHCP services. So if you create a resource on a subnet, that subnet will assign an IP address to that resource in its range that's been provided to it. And we are going to talk about the security of these networks because, obviously, you're going to have multiple networks and you don't want the security to be wide open and you don't want the Internet to be able to connect to any network. So we're going to talk about NSG, which is the access control list within Azure. Now, oftentimes when we're talking about resources on a network, we're talking about servers. And in the case of the cloud, we're talking about virtual machines. So virtual machines are just Windows or Linux machines running in the cloud.
Virtualized, all virtual machines must be part of a network, and in fact, they're attached to a subnet, not to the virtual network level. And just like with physical hardware, virtual machines can have multiple network interface cards. And so technically, VMs can belong to multiple subnets. So if you do create multiple net cards on the same VM, you can assign them to different subnets. The ultimate virtual network, the top level part of this, has an address block, and we'll see that in the next video. We create our first virtual network and assign it an address block. It's pretty easy to add additional addresses and address blocks to this. All subnets also have an address block that has to be a subdivision or a subset of that larger block. So you can think of that as the reason it's called a subnet, as you're dividing up the larger virtual network into smaller networks. And one thing that takes getting used to if you're not familiar with it is this CIDR notation for IP addresses. Now, I've made a super simplified diagram of what a virtual network looks like. It's got the Internet at the top. We got the Azure Global Network, which we talked about under Azure Infrastructure. The dotted line represents the virtual network, the VNet.
And the solid black line represents the subnet called "front-end subnet." And in this particular case, we only have one virtual machine running. And so this is really the simplest networking diagram that we could have. Perhaps we should remove the network security group, NSG, so that there is no security on this, but that's as simple as you can get for a network in Azure. Now, we can quickly get more complicated if we start adding more than one subnet. So we've got the front-end subnet and the back-end subnet. We start adding multiple virtual machines, load balancers, and standalone machines to handle certain services. We haven't even added in virtual network gateways, firewalls, and things like that into this. So this is sort of still a pretty simplistic diagram, but again, it represents how your virtual network can be structured when you break it out into subnets, and your subnets contain the resources. Coming up, we're going to start playing with this. We're going to get into the Azure Portal, and we will start to create our first virtual network and subnet and add some machines to that. So we're going to have some fun. See you soon.
3. DEMO: Create an Azure Virtual Network
So we're going to start the first section of this course on the absolute basics of networking. And to do that, we're going to create a virtual network inside of the Azure Portal. If you want to follow along, I do encourage you. I think learning by doing is probably one of the smartest approaches to something like cloud computing, where it's very easy to create resources, delete them, and then have that experience of seeing the screens and what it's asking you, and really thinking about what that means. So we're going to go into the Azure Portal. A green plus sign indicates the creation of a resource wherever you see it. You can also find it here on the homepage. And instead of trying to create a virtual machine and have that virtual network created as part of that, let's start by creating an empty virtual network. Now, there's no charge for it. There are limits to how many virtual networks you can create. You can't create an unlimited number of virtual networks, but we could create one at least. And it's not going to cost you anything until you start adding resources to it. So when you get into this, you get into a tabbed wizard format here, and the first question you're going to have to answer is: What subscription? Now I have multiple subscriptions. Both are pay as you go.
In this case, you might have a free subscription, an enterprise subscription, some other type, or a dozen or so different options in here. So choose your subscription according to where you want your virtual network to go. Like I said, there's no cost, but all resources need to be part of a subscription. And we're also going to put this into a resource group. And so for the purpose of this video, I'm going to create a resource group called the AZ 700 Course. And I'll even name the virtual network the same, AZ 700 course. Now, the location is important because you're going to want to put your resources in the same physical location as your virtual network. And so when you do create your West US Virtual Network, you're going to then have to create West US Virtual Machines to put on that network, et cetera. The location of the network is relevant. I'm going to leave it as West US for the purpose of this demo. Now, the IP address range: this is one of the first things you're going to have to plan in terms of how many addresses you need to reserve for your virtual network and then making sure that your other resources aren't overlapping in terms of their IP addresses.
Now, you'll notice that the default that they're giving us here is a 10.0.0.0 A block in the traditional sense. Actually, I guess with the /16 it's more like a B block. So it's giving us a B block here for the address. That means I can remove my cursor, and we can see that it's suggesting a range of 10.0.0.0 to 10.0.255.255. So there are 65,000 addresses. Now I should probably mention the reserved addresses at this point. Now, if you don't mind, I'll flip over to the Azure documentation to specify. So any address that ends in ".0" is reserved. You can't use that. That is sort of the network address. Anything in ".1" is sort of a default gateway for that subnet. ".2" and ".3" are also reserved, and also the final address, ".255". So we have five addresses within each subnet that are reserved for various Azure services. So that's how we get... Let's try this in terms of a /28 block; we can see that a /28 block goes from zero to 15. But in this case with the reservations, it's counting the zero, the one, the two, and the three. And so there are actually fewer available addresses. There are only twelve addresses in this case. There is not a lack of addresses. You don't have to restrict your VNets to very few, even though you think you could only have a few IPs and a few resources on this network.
There is no reason to limit your network to a small number of IP addresses when there are an unlimited number, or nearly an unlimited number, available. Because these are private IP addresses, these numbers are not available from the public Internet. If we flip back to the documentation one more time, we can see that there are some recommended ranges. So these are recommended by the IETF for private, non-routable spaces. That means that it is impossible to send traffic from the Internet over routers to these addresses. They can be used internally to refer to the same network or in interconnected networks, but they are not accessible via the public internet. And so you end up with literally hundreds of thousands and millions of available addresses. You can use any address space you wish, even public Internet spaces, but then you're going to basically be blocking yourself off from being able to access that. So if you try to use a public IP address, that's still treated as a private address, so don't do it. Keep yourself generally within the 10-dot range. Maybe you want to go into 172 or 192 ranges, but 10-dot seems to be the standard.
So I'm going to choose a /24 address space, and we can see that gives me 256 addresses minus 5, so 251 effective addresses. Microsoft Azure does support IPv6, and so if I want to give myself an IPv6 space, I can. Of course, I'd have to configure all of the other resources, such as VNets and load balancers, to use IPv6, but this is possible. Now the other concept that we'll get into is the concept of a subnet. This IP address space is for the entire virtual network, but you do have to have at least one subnet, and a subnet is where resources live. So you could create a default subnet, and it could take up the entire reserved address space. I'll just put that there, 10.0.0.0/24, and that's going to basically leave no additional addresses for additional subnets. We'll talk about this and other ways of getting at the Nets and service endpoints in another video. So I could do that, or I could give myself a smaller window, let's say /26. And then what I'm getting is that I'm leaving room for other subnets. Subnets can't talk to each other unless you unlock that. In a network security group, there's an enforcement of security between subnets. We're going to pause this video; it's long enough, obviously, and we'll come back and talk about the next tab, which is security.
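The address-planning rules from this demo (private address space, subnets carved out of the VNet block, five reserved addresses per subnet, room left for later subnets) can be checked before anything is created. The following is an added example, not part of the course material; the function names are hypothetical, the sample plans are constructed, and it assumes IPv4 only.

```python
import ipaddress
from itertools import combinations

# Azure keeps five addresses in every subnet: .0, .1, .2, .3 and the last one.
AZURE_RESERVED_PER_SUBNET = 5
# Private ranges recommended by the IETF (RFC 1918).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def usable_hosts(cidr):
    """Addresses left for resources once the five reserved ones are removed."""
    return ipaddress.ip_network(cidr).num_addresses - AZURE_RESERVED_PER_SUBNET


def validate_plan(vnet_cidr, subnets):
    """Return a list of problems in a VNet plan; subnets maps name -> CIDR."""
    vnet = ipaddress.ip_network(vnet_cidr)
    problems = []
    if not any(vnet.subnet_of(block) for block in RFC1918):
        problems.append(f"{vnet} is outside the RFC 1918 private ranges")
    parsed = {name: ipaddress.ip_network(c) for name, c in subnets.items()}
    for name, net in parsed.items():
        if not net.subnet_of(vnet):
            problems.append(f"{name} ({net}) is not inside {vnet}")
        if usable_hosts(str(net)) < 1:
            problems.append(f"{name} ({net}) has no usable addresses")
    # Two subnets of the same VNet must never share addresses.
    for (a, net_a), (b, net_b) in combinations(parsed.items(), 2):
        if net_a.overlaps(net_b):
            problems.append(f"{a} ({net_a}) overlaps {b} ({net_b})")
    return problems


def next_free_block(vnet_cidr, used, prefix):
    """First block of the given prefix length in the VNet that no existing
    subnet touches, or None when the address space is already exhausted."""
    vnet = ipaddress.ip_network(vnet_cidr)
    taken = [ipaddress.ip_network(c) for c in used]
    if prefix < vnet.prefixlen:
        return None  # requested block is larger than the VNet itself
    for candidate in vnet.subnets(new_prefix=prefix):
        if not any(candidate.overlaps(t) for t in taken):
            return str(candidate)
    return None


if __name__ == "__main__":
    # Constructed plan mirroring the demo: a /24 VNet with a /26 default subnet.
    print(usable_hosts("10.0.0.0/24"))
    print(validate_plan("10.0.0.0/24", {"default": "10.0.0.0/26"}))
    print(next_free_block("10.0.0.0/24", ["10.0.0.0/26"], 28))
    # A default subnet that consumes the whole VNet leaves nothing to allocate.
    print(next_free_block("10.0.0.0/24", ["10.0.0.0/24"], 28))
```

Running the same check against exported subnet lists catches overlapping or out-of-range blocks before a peering or VPN connection makes them a routing problem.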
4. DEMO: Azure Virtual Network Security Tab
Alright, we're going to move on to the security tab. Now when you create a virtual network, you have the option of adding security devices to that network to protect that network. These devices include a firewall, a Bastion host, and tools to enable DDoS protection at an enhanced level. So the basic DDoS protection is free, and if you want to pay for additional protection, there is a standard level. And so when you do create a firewall, for instance, it's going to create a new subnet just for the firewall. Same with Bastion. When you create a new Bastion service, then it's going to create a new Bastion subnet, right? So these things don't live on the same virtual network as your other devices and resources, they have their own. So in this particular case, we are going to cover these topics in this course, but at this current time, we're not going to create any of them. We're not going to cover tags too much in this course. Just have to say it's metadata for resources. At the network level, it might not be as relevant, but if you do create servers and web apps and things, you may want to know who created them. So you want to give it a name.
You may want to understand where the billing gets assigned within your organization. Have this concept of development and production in mind so you know which resources belong to which environment. Resource groups are a little bit better for this, but this is a metadata concept. Finally, we can get to the review screen. So we haven't actually created it yet until we click the "Create" button. Before I go any further, I should mention the concept of ARM templates. It's a JSON file that's going to contain all of this set-up that we can automate. And so there is no concept of automation or ARM templates on this exam. So we're not going to cover this in this course. So I'm going to click the Create button. And this is pretty fast because, when you provision a new network, it's really just database entries in a table inside of Microsoft. Microsoft has its own physical network, and it's all fairly sophisticated compared to Microsoft's internal network. And when you are creating this virtual network, you're not actually deploying anything; you're literally just adding some entries into some routing tables within Microsoft.
So it's no surprise that this took 7 seconds to execute because you're not actually creating new resources, you're just defining virtual resources. So while we're here, let's go into the resource. Now there are no devices connected to it, but we can see the address space that we decided and the location that we decided in the resource group that we defined. If we go under subnets, we should see the default subnet in that address space that we've identified. We have an empty virtual network not costing us anything, no devices attached to it. If we ever wanted to return to this, we can go back to the homepage, and if I start typing "virtual," you'll see networks come up in the results. Then we're going to see our AZ 700 course, in this case VNet, listed and we can always get back into it. So that's basically our working virtual network. If we ever want to delete just the network, clicking the delete button here on the homepage will affect that. And we can always delete resources en masse by clicking Delete Resource Group. Deleting a resource group will delete all of the resources inside that group, which could include web apps, virtual machines, firewalls, and everything else. So that is why we would like to put our testing resources in their own resource group. It makes it very easy to clean it up by deleting the whole resource group. We won't do that here because we've got more to do. But this is our first step in creating an empty virtual network.
1. Introduction to Site-to-Site VPNs
Alright, so in this next section of the course, we're going to get into the exam objectives in terms of managing hybrid networking. And the first sub-topic under that has to do with site-to-site VPN. Site-to-site VPNs are the concept of connecting your corporate network to a Microsoft Azure network, and they would essentially exist on the same network and be able to communicate with each other over a secure connection. Site-to-site VPNs require devices called network gateways, and they basically sit on both ends of the connection. So in order to get your corporate network to connect to an Azure Virtual Network, you're going to need a network gateway on the Azure side, and you're going to need a network gateway on your corporate side. Now here is an example network diagram. We have a virtual network called VNet, one that exists.
It has to see the following network ranges. You're going to have a network gateway, and there's an actual virtual network gateway that we have to install. You're going to have a secure connection to two on-premises locations, and those locations are going to have to have a hardware device installed in order to make this connection. It is an encrypted connection. So it does travel over the public Internet, but it's encrypted at both ends. The VPN devices are the ones that do the encryption. And so a message can travel from one on-premises website, sorry, one on-premises server or workstation, can go into Azure and travel normally, and the devices will handle the encryption and decryption. So as I mentioned in a previous video, to add a virtual private network, or VPN, you do need to have a specific subnet for the gateway. You can go under the "Virtual Network Subnet" and you'll see there's a button that says "Gateway Subnet." And so we can create a specific name, and it can't be any other name. You can see that it is reserving the fewest IP addresses possible, which are 16, or eleven usable addresses, on our 10.0 subnet range. And so it's taking up the next available space within our virtual network.
Now we don't have any gateways created, route tables, or anything like that. So at this point, we could just create the subnet and then go elsewhere to create the VPN device. I'll do that. Like I said, creating the subnet doesn't take much time, but creating the device itself does take some time. So now let's go under resources and we enter the VPN. We're going to enter a gateway. And if I do a search on Gateway, there are a lot of third-party products. I'm going to filter this on Microsoft, and we can see Virtual Network Gateway down here.
We probably could have saved ourselves some time by just entering the Virtual Network Gateway, but this is a VPN device and it's used for either point-to-site or site-to-site VPN connections. So I'm going to click Create. Now it is going to go on to our subscription. We're going to basically have to choose the virtual network, and it will pick the resource group to put that in. So we have to be in the same region. So to start off with, we were in the West US, and then we could pick the AZ 700 course in the Virtual Network, and it's going to be put into the same resource group as the Virtual Network to give this a name. So I'm going to call this a two-S VPN. Now there are two types of private network gateways. The most common type of what we're discussing in this video is virtual private networks.
This is another way to connect your corporate network to Microsoft Azure over the public Internet. The result of ExpressRoute is similar, but it uses a private network. And so you're going to need to have a relationship with an Internet Exchange Provider, and you'll have to have a private connection from your office to that Exchange Provider. You still need a device on your side, but by going from a network to an exchange provider into Azure all over private lines, your traffic does not actually travel over the open Internet. And that's an additional layer of security, even though it is encrypted. We'll talk more about ExpressRoute when we're into that section. There are two major types of VPNs. In the next video, we'll talk about these two types, which one you should choose, and which one is better for your situation.
2. Virtual Network Gateway SKUs
So let's talk about the VPN type. Now the choice here is going to depend, first of all, on the device that you have. So if you have a physical hardware device in your corporate network that only supports one of these, then that kind of makes your decision for you. Now, policy-based routing is also called static routing. Basically, you are going to define an access list in the VPN configuration, and that's going to allow traffic to travel from your network into Azure. So you're basically defining the policies like an NSG, which I haven't talked about yet, but you're going to basically make an access control list to allow the policies. Route-based is called "dynamic routing," and that means basically that the devices themselves keep themselves updated when it comes to the routing.
So device number one says what it supports, and device number two says what it supports, and you can have like a wildcard, and you can do some more flexible stuff in a route-based architecture. So this is the more modern approach. If you want to say this is the more traditional approach, the legacy approach. And again it depends on the device that you have. It might support both, or might support one but not the other. Now we have the SKU for the virtual network gateway device in the cloud. There's going to be some implications here, and if we open it up, we can see there are a lot of choices. There's the Basic SKU, and then there's this cryptically named VpnGw1, 2, 3, 4 and 5. So again, there are some implications in terms of the SKU that you choose. So let's flip over to the Azure documentation once again, and we can see that there's just a lot of SKUs, and in actual fact, we didn't even see that there's this generation one and generation two selector, and also, depending on the region that you're in, you also have the ability to have availability zones, which makes it more complicated. So we can see that the Basic SKU, and I'm going to zoom in a little bit on this, the Basic SKU supports for site-to-site VPNs a maximum of ten tunnels. And this is essentially from networking here to networking there. That's one tunnel. If you want to add additional tunnels over the same devices, that's additional tunnels as you go from the Basic to the higher levels, then you can see that you can have up to 30 tunnels over a single network connection.
We got the availability zone SKUs as well, up to 30 tunnels and all the way up to network 85. The maximum number of sites per site is kept at 34. The real implication here is on the point-to-site side, where you may have people connecting to your Azure gateway from home or from remote devices, and then you're seeing significant increases in the number of supported people, generation one versus generation 250,000, 5000, or 10,000 people, but you still have the maximum of 30 networks, or tunnels, that you need to have. Now there is a note here about Virtual WAN, which allows sites to communicate with each other. So from site one to site two, you can use that if you need more than 30. Now let's flip over to the pricing section to see the real differences between the different SKUs (VpnGw1, 2, 3, 4 and 5). I'm going to go to the pricing page, and we'll look at the various options. There is now a significant price difference between the Basic at $26 per month and the VPN Gateway Five at $2,600 per month. But here's where we can see how it affects the site to site.
We have bandwidth estimates here. So the Basic is 100 megabits, and the higher you go, the faster you get connections between your home network and Microsoft Azure. We can also see there are ten tunnels included in the price that you pay, and you're going to pay extra for more than ten tunnels. So these are the SKUs. I think for the purposes of this demo, we can just use the Basic Gateway. We don't really need speed for this demo. We don't need multiple tunnels, and the point-to-site limits are fine. So I'm going to choose the Basic Gateway. So I go here, and I choose Basic. Now, Basic is a legacy SKU, so there is no generation two for Basic. But that's okay. We're associating it with this virtual network that we previously created. It's going on its own subnet, the gateway subnet. And these network gateways, like I said, do travel over the open Internet even though they're encrypted.
But you're going to need to create a public IP address. So I can call this my Azurenet gateway IP, and it's going to go and check to see that the address name in your resource group is unique. And because it's your own, it should be fine. And so we're going to get an IP address associated with this. Now there are two optional modes here. There's something called "active-active mode," and that is more of a backup strategy where you're having basically two connections between your home gateway device and Azure. And so if any one of the connections goes down, then you are fine. You've basically got a secondary connection that's active. So it's almost like redundancy. And the other is BGP, the Border Gateway Protocol. And again, this is going to be a route-based VPN. And so basically, having your VPNs publish the routes that they support. And when you start chaining your networks together in a hub-and-spoke type of model, maybe you want each hub to publish what networks it supports. And then the spoke supports all networks, and then the routers can figure out how best to publish traffic. We'll leave both of these disabled for now. With tags, we're not going to set any, but we can review and create. Now, it does take a while for a network gateway to be created. I think in the past I've seen it take ten minutes, so when I click the Create button, this is going to take some time. And remember, we're paying by the hour here, so as soon as you create this Basic SKU, that's $26 a month, almost a dollar a day. So you don't necessarily want to leave this running on your pay-as-you-go account while you're playing with it too much. So we'll create this, and we'll remember to delete it before we go away for the day.
3. Local Network Gateway
Alright, so after some time, our Virtual Network Gateway was created. In fact, we can go up to the resource group and look at the deployments. We can look at the Virtual Network Gateway deployment, and we can see that it took around 40 minutes. So it does take a little bit of time. We can see that our Basic virtual network gateway was created, and it does have a public IP address. Now in order for us to turn this into a site-to-site VPN, we're going to have to use a component within Azure called a local network gateway. So the local network gateway represents our on-premises gateway within the cloud. It's almost like a proxy. So I'm going to go back up to the resource group, and I'm going to say create. And we're going to look for local network gateways. So this is really just a representation of our on-premises gateway.
All right? So in terms of creating our local network gateway, we can call this our headquarters. We're going to use an IP address as our headquarters. Now in terms of providing the IP address, this is basically where our VPN device is located. So like I said, you need a physical device on premises. It's going to have an IP address allocated by your Internet service provider. We can just provide a fake number for now because we don't have an actual physical device that we're setting up. The only thing we need to do then is specify some IP address ranges for our local network that don't overlap with the network that we created in the cloud. Remember, our virtual network is in the 10.0 space. And so what we need to do is then create a network space that is out of that space, and I can create a /24 network representing my on-premises environment.
Again, it doesn't clash with the virtual network space that we have in the cloud. This is the border gateway protocol. We won't set that up right now. And it's going to set this up in our resource group, in our subscription, and in our location. And again, this is just a proxy representation of our on-prem stuff. So we can just hit "Create." Now at this point, we are going to need to set up our VPN. So we go back to our Virtual Network Gateway, where we can enter connections, and this is where we would go to create that virtual private network between our on-premises location and Azure. We can give this a name; we can call it the VPN headquarters VPN.
And this is actually a site-to-site setup. We're using our virtual network gateway that we created, and we just created the local network gateway. Now you're going to have to create a pre-shared key so that you can set up your VPN on both sides, similar to connecting Bluetooth, right? You're going to have some type of password, like a Scott password, and you're going to put this here and put this in your VPN hardware as well, and they would have that pre-shared key. You may want to do something a bit more complicated than that.
Obviously. Now, the protocol you're using, I assume you'd prefer to use Version 2 of this similar protocol, and everything is predetermined. So we could then go and set up our network device that's on our local network, again with this information to point to the public IP address of the virtual network gateway. And at this point, we would have a site-to-site VPN. Now, granted, it's a little hard to demonstrate without a VPN device to play with. What we're going to do is try the VNet, and then you can connect to different virtual networks using the gateways to simulate this type of connection, I guess.
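The local network gateway and connection settings described above can be sanity-checked before they are typed into the portal and the on-premises device. This is an added example, not part of the course material: the function names, the sample addresses and the weak-key policy (minimum length, character variety) are assumptions made for illustration.

```python
import ipaddress
import secrets

# Private ranges: an ISP-assigned address for the VPN device is never in these.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_local_gateway(vnet_spaces, onprem_prefixes, device_ip):
    """Return findings for a local network gateway definition.

    vnet_spaces     -- address spaces of the Azure virtual network
    onprem_prefixes -- address ranges declared for the on-premises network
    device_ip       -- public IP address of the on-premises VPN device
    """
    findings = []
    device = ipaddress.ip_address(device_ip)
    if (device.is_loopback or device.is_link_local
            or any(device in block for block in RFC1918)):
        findings.append(f"{device} is not an Internet-routable device address")
    vnets = [ipaddress.ip_network(c) for c in vnet_spaces]
    for cidr in onprem_prefixes:
        onprem = ipaddress.ip_network(cidr)
        for vnet in vnets:
            # Overlap makes the same destination valid on both sides of the tunnel.
            if onprem.overlaps(vnet):
                findings.append(f"on-premises {onprem} overlaps VNet {vnet}")
    return findings


def new_psk(nbytes=32):
    """Random pre-shared key from the OS CSPRNG (URL-safe base64 text)."""
    return secrets.token_urlsafe(nbytes)


def psk_is_weak(psk, min_length=32, min_distinct=10):
    """Assumed local policy: reject short keys and keys with little variety."""
    return len(psk) < min_length or len(set(psk)) < min_distinct


if __name__ == "__main__":
    # Constructed values: 203.0.113.10 is a documentation address standing in
    # for the ISP-assigned IP of the headquarters VPN device.
    print(check_local_gateway(["10.0.0.0/24"], ["192.168.1.0/24"], "203.0.113.10"))
    print(check_local_gateway(["10.0.0.0/24"], ["10.0.0.0/16"], "192.168.1.1"))
    print(psk_is_weak("Password123"), psk_is_weak(new_psk()))
```

The generated key has to be entered identically on the Azure connection and on the VPN hardware, so it belongs in a secrets store rather than in notes or chat.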