Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

AZ-104 Implement and Manage Virtual Networking — All Questions With Answers

Complete AZ-104 Implement and Manage Virtual Networking question bank — all 0 questions with answers and detailed explanations.

288 Questions

Question 1 (medium, multiple choice)

A network team wants all routers to send log messages to a centralized server at 192.0.2.50. Which command should be added to the router configuration?

Exhibit

Goal: Centralized logging server = 192.0.2.50
Question 2 (hard, multiple choice)

Which statement best explains the value of enabling both centralized logging and strong access controls on network devices?

Question 3 (medium, multiple choice)

Which statement best explains why centralized logging is valuable in security operations?

Question 4 (medium, multiple choice)

Why is centralized logging especially helpful during incident investigation?

Question 5 (medium, multiple choice)

Why is centralized logging especially useful during security investigations?

Question 6 (medium, multiple choice)

Why is centralized logging valuable during security incident response?

Question 7 (medium, multiple choice)

An operations team wants device-generated log messages collected centrally so engineers can review interface changes, warnings, and errors from one place. Which technology is most directly associated with that goal?

Question 8 (medium, multi select)

Which two statements accurately describe the value of centralized DHCP in enterprise networks?

Question 9 (hard, multiple choice)

A network team centralizes DHCP in a data center. Users in a remote branch stop receiving addresses after the branch router is replaced. Which missing configuration on the branch gateway is the strongest suspect?

Question 10 (medium, multi select)

A network team wants reliable time, name resolution, centralized logs, and visibility into traffic patterns. Which two services directly match those goals?

Question 11 (medium, multiple choice)

A network engineer wants device logs from routers and switches sent to a central server for long-term retention and analysis. Which service should be configured?

Question 12 (easy, multiple choice)

A switch administrator wants log entries from multiple devices to be collected on one central server for later review. Which service should be configured?

Question 13 (medium, multiple choice)

Exhibit: A network engineer wants a subscription-based mechanism to stream operational updates from devices as values change, instead of polling over and over. Which approach best fits?

Exhibit

collector: 10.10.10.50
subscription: interface-counters
mode: periodic 1000ms
encoding: GPB
Question 14 (medium, multiple choice)

You deploy a private endpoint for an Azure Storage account. Virtual machines in VNet-App must resolve the storage account name to the private IP address of the endpoint instead of the public endpoint. What should you configure?

Question 15 (hard, multiple choice)

VM-Web01 is connected to Subnet-Web in VNet-Prod. Users on the internet cannot access the website hosted on TCP port 443. You confirm that VM-Web01 has a public IP address and the web service is running. You need to allow inbound HTTPS traffic with the least administrative effort. What should you do?

Question 16 (medium, multiple choice)

A subnet contains several application servers. You need to allow inbound TCP 3389 only from a management subnet named Subnet-Mgmt and deny RDP from all other sources. What should you do?

Question 17 (hard, multiple choice)

Two virtual machines named VM-Web01 and VM-Web02 host the same public web application. Users on the internet must connect through a single public IP address, and incoming requests should be distributed across both VMs. What should you deploy?

Question 18 (hard, multiple choice)

Your company deploys a network virtual appliance (NVA) in a hub subnet. All outbound internet traffic from Subnet-App in a spoke VNet must pass through the NVA for inspection. What should you configure on Subnet-App?

Question 19 (medium, multiple choice)

You have two virtual networks named VNet-Hub and VNet-Spoke1 in the same Azure region. Resources in the two VNets must communicate privately over the Microsoft backbone without using a VPN gateway. What should you configure?

Question 20 (hard, multiple choice)

Traffic from Subnet-App to the internet is being routed through a virtual appliance unexpectedly. You need to identify which route is being applied to the network interface of VM-App01. Which Azure feature should you use?

Question 21 (medium, multiple choice)

You have two virtual networks in the same Azure region named VNet-App and VNet-DB. Resources in the two networks must communicate privately over the Azure backbone without using VPN gateways. What should you configure?

Question 22 (medium, multiple choice)

You need to allow RDP access from the internet to a Windows VM named VM-Admin01 in Azure. The VM already has a public IP address. Which additional configuration is required?

Question 23 (hard, multiple choice)

You have an Azure load balancer in front of two virtual machines. The load balancer reports both instances as unavailable even though the VMs are running. What is the most likely cause?

Question 24 (hard, multiple choice)

A subnet contains two NSGs: one associated with the subnet and one associated with the NIC of VM-App03. You need to determine whether inbound TCP 3389 from the internet is allowed. What is the correct interpretation?

Question 25 (hard, multiple choice)

You create a private endpoint for an Azure Storage account and disable public network access on the account. A VM in a peered VNet cannot reach the storage account by name. The private endpoint resides in VNet-App. What is the most likely missing configuration?

Question 26 (medium, multiple choice)

You need to expose a web application running on several VMs and distribute traffic across them based on HTTP request attributes such as URL path. Which service should you use?

Question 27 (medium, multiple choice)

VNet-Hub and VNet-Spoke1 are in the same region and subscription. Resources in the two VNets must communicate over the Microsoft backbone without using a VPN gateway. What should you configure?

Question 28 (medium, multiple choice)

You need to connect VNet-Hub and VNet-Spoke so that resources in both virtual networks can communicate privately over the Microsoft backbone. Both virtual networks are in the same region. What should you configure?

Question 29 (hard, multiple choice)

Traffic from VM-App01 is unexpectedly reaching the internet through a network virtual appliance. You need to determine which route is currently applied to the virtual machine network interface. Which Azure tool should you use?

Question 30 (hard, multiple choice)

A Windows VM in Azure has a public IP address, but administrators on the internet cannot connect by using Remote Desktop. You confirm that the VM is running and the guest firewall allows RDP. What is the most likely Azure-side cause?

Question 31 (medium, multiple choice)

You create a private endpoint for an Azure SQL Database server. Virtual machines in VNet-Prod must resolve the server name to the private IP address of the endpoint. What should you configure?

Question 32 (hard, multiple choice)

Traffic from VM-App01 is unexpectedly reaching the internet through a virtual appliance. You need to see which routes are currently applied to the VM network interface. Which Azure tool should you use?

Question 33 (medium, multiple choice)

You need to control inbound and outbound traffic to resources in a subnet by allowing or denying traffic based on IP address, port, and protocol. Which Azure feature should you use?

Question 34 (medium, multiple choice)

You create a private endpoint for an Azure Storage account. Virtual machines in VNet-App must resolve the storage account name to the private IP address of the endpoint. What should you configure?

Question 35 (hard, multiple choice)

Users on the internet cannot access an HTTPS website hosted on VM-Web01. The VM has a public IP address, the web service is running, and the guest OS firewall allows TCP 443. What is the most likely Azure-side issue?

Question 36 (hard, multiple choice)

Traffic from VM-App01 is taking an unexpected path to the internet through a network virtual appliance. You need to determine which routes are actually applied to the VM network interface. Which Azure feature should you use?

Question 37 (medium, multiple choice)

You create a private endpoint for an Azure Storage account. Virtual machines in VNet-Prod must resolve the storage account name to the private IP address of that endpoint. Which Azure feature should you configure?

Question 38 (hard, multiple choice)

Users on the internet cannot reach an HTTPS application hosted on VM-Web01. The VM has a public IP address, the application is listening on TCP port 443, and the guest OS firewall allows the traffic. What is the most likely Azure-side cause?

Question 39 (medium, multiple choice)

You need to allow or deny traffic to and from resources in an Azure subnet based on source IP address, destination port, and protocol. Which Azure feature should you use?

Question 40 (medium, multiple choice)

Based on the exhibit, which network feature should you use so only the subnet can reach the storage account while still using the public endpoint?

Exhibit

Storage account: reportsa
Public network access: Enabled
Selected networks: none
VM subnet: app-subnet
Requirement notes:
- Keep the storage account on its public endpoint.
- Permit only workloads in app-subnet to reach the account.
- Do not assign static public IP addresses to the VMs.
Question 41 (hard, multi select)

A VM in subnet S1 has two network security groups applied: one at the subnet and one directly on the NIC. The subnet NSG contains DenyAllInbound at priority 100 and AllowHTTPSFromOffice at priority 200. The NIC NSG contains AllowHTTPSFromOffice at priority 150 and no deny rules. Office users still cannot reach the VM on TCP 443. Which two statements are correct? Select two.

Question 42 (medium, multiple choice)

A workload in a VNet must connect to Azure SQL Database over a private IP address, and the database must not be reachable through its public endpoint. Users should still connect by using the normal server name. What should you configure?

Question 43 (hard, multi select)

A subnet has a route table with these user-defined routes: 10.10.0.0/16 to Virtual appliance, 10.10.5.0/24 to Virtual network gateway, and 10.10.5.128/25 to Virtual network. The subnet is attached to a VM that sends traffic to several destinations. Which three next-hop decisions are correct? Select three.

Question 44 (medium, multiple choice)

A subnet has a user-defined route for 0.0.0.0/0 that sends all outbound traffic to a virtual appliance. Traffic to 10.20.4.12 must instead go directly to an Azure VPN gateway. What should you configure?

Question 45 (medium, multiple choice)

A subnet has an NSG with these inbound rules: priority 200 DenyAllInbound and priority 300 AllowHTTPSFromInternet. A VM in the subnet is still unreachable on TCP 443 from the internet. What should you do to make HTTPS work while keeping the deny rule in place?

Question 46 (hard, multi select)

A Windows VM in VNet-App must access an Azure Files share over a private IP address. The storage account must not be reachable through its public endpoint, and the VM should resolve the file share name without custom host-file entries. Which three actions are required? Select three.

Question 47 (medium, multiple choice)

Two virtual networks were created in different subscriptions. VNet-A uses 10.4.0.0/16 and VNet-B uses 10.4.128.0/17. You try to create peering between them, but Azure rejects the request. What is the best fix?

Question 48 (medium, multiple choice)

A route table contains these entries: 10.0.0.0/8 with next hop Virtual appliance, and 10.1.1.0/24 with next hop Virtual network gateway. Which next hop will Azure use for traffic to 10.1.1.5?

Question 49 (medium, multiple choice)

A hub VNet already has a VPN gateway connected to on-premises. A spoke VNet in the same region must reach on-premises networks through that existing gateway, and you do not want to deploy a separate VPN gateway in the spoke. What peering settings should you use?

Question 50 (hard, multi select)

Two virtual networks are in different subscriptions. VNet-A uses 10.20.0.0/16 and VNet-B uses 10.20.128.0/17. A design review also states that traffic between two spoke VNets should flow through a hub VNet instead of directly between spokes. Which two statements are correct? Select two.

Question 51 (hard, multi select)

A company wants encrypted connectivity between its on-premises network and an Azure VNet. The organization has one edge VPN device at headquarters, and the Azure design must support a classic site-to-site tunnel rather than individual user VPN connections. Which three prerequisites are required? Select three.

Question 52 (medium, multiple choice)

An internal line-of-business application runs on two VMs in Azure. Users connect only from a peered virtual network and from on-premises through VPN. The application must not be reachable from the internet, but traffic should be balanced across the two VMs. Which configuration should you choose?

Question 53 (hard, multi select)

A VM in VNet-Prod must connect to Azure SQL Database over a private IP address. The SQL server must not be reachable through its public endpoint, and the VM should resolve the server name automatically without manual DNS entries. Which three actions are required? Select three.

Question 54 (medium, multiple choice)

An application VM in a subnet without a public IP must access Azure Blob Storage. The storage account must not be reachable from the public internet, and DNS resolution should stay inside the virtual network. What should you implement?

Question 55 (medium, multiple choice)

You removed public IP addresses from a backend subnet containing 20 VMs. The VMs still need outbound internet access for updates, and the organization wants all outbound traffic to appear from one predictable public IP. No inbound publishing is required. Which Azure service should you use?

Question 56 (medium, multiple choice)

A subnet contains 15 backend VMs that only need outbound internet access for patching and package downloads. Security wants all outbound connections to use one static public IP address, and no VM should have a public IP assigned directly. What should you configure?

Question 57 (medium, multiple choice)

Based on the exhibit, which change should you make so the VM reaches the blob service over a private IP address?

Exhibit

vm-app01 in subnet appsubnet
nslookup mystorageacct.blob.core.windows.net
Server: 168.63.129.16
Name: mystorageacct.blob.core.windows.net
Address: 20.62.14.8
Storage account settings:
Public network access: Disabled
Private endpoint connections: None
Business requirement: the VM must reach the blob service over a private IP address.
Question 58 (medium, multiple choice)

A VM in Azure cannot accept RDP connections from your office public IP. The subnet NSG already has an inbound deny-all rule at priority 200, and you added an allow rule for TCP 3389 from 198.51.100.25/32 at priority 300. What should you do to allow the connection?

Question 59 (medium, multiple choice)

A VM in a subnet must access an Azure Storage account without creating a private endpoint. The organization is fine with the storage account remaining on its public endpoint, but traffic should stay on the Azure backbone rather than the public internet. Which feature should you use?

Question 60 (medium, multiple choice)

A VM in a virtual network must access an Azure Storage account over a private IP address, and the storage account's public endpoint must be disabled. Name resolution from the VM should resolve the storage name to the private IP. Which configuration should you use?

Question 61 (hard, multi select)

A backend subnet contains 18 Linux VMs that must install updates from the internet. Security requires all outbound traffic to use one static public IP, and none of the VMs may have their own public IP addresses. Which two changes meet the requirement? Select two.

Question 62 (medium, multiple choice)

A contractor working from home needs temporary access to internal Azure resources. There is no on-premises network to connect, and you do not want to expose the resources publicly. Which connectivity option should you deploy?

Question 63 (medium, multiple choice)

You need to allow SSH access to only one Linux VM in a subnet that contains several application servers. The other VMs in the subnet must remain inaccessible from the internet. What is the best configuration?

Question 64 (medium, multiple choice)

Your company has an on-premises office network that needs encrypted connectivity to an Azure virtual network. In addition, traveling users need secure access from their laptops when they are away from the office. Which Azure design best meets both requirements?

Question 65 (medium, matching)

A team is troubleshooting inbound access to Azure VMs. Match each NSG concept on the left with the most accurate behavior or troubleshooting implication on the right.

Concepts
Matches

The priority 100 rule is evaluated first, so it wins if both rules match the same traffic.

It controls traffic entering the subnet or NIC from another network location.

It filters traffic for a single VM and can be used in addition to a subnet NSG.

It matches any ephemeral source port and does not limit the sender's port selection.

It allows only HTTPS traffic that uses TCP and the specified destination port.

Question 66 (medium, multiple choice)

A route table contains a user-defined route for 172.16.0.0/16 to a virtual appliance. The ExpressRoute circuit advertises 172.16.10.0/24. A VM in the subnet sends traffic to 172.16.10.20. Which route does Azure use?

Question 67 (medium, multiple choice)

A VM subnet has an NSG with these custom rules:
- Inbound priority 100: Allow TCP 443 from Internet
- Outbound priority 100: Deny Any to Internet
The VM hosts an app that must download updates from an HTTPS repository on the Internet. The downloads fail. What change should be made?

Question 68 (medium, multiple choice)

An NSG is associated with a subnet. It contains these inbound rules:
- Priority 100: Deny TCP 443 from Internet to Any
- Priority 200: Allow TCP 443 from 203.0.113.0/24 to Any
A tester at 203.0.113.10 browses to the VM's HTTPS endpoint in that subnet. What happens?

Question 69 (medium, multiple choice)

A route table on a subnet contains this user-defined route:
- 0.0.0.0/0 -> Virtual appliance 10.0.0.4
The subnet is peered to another VNet with address space 10.2.0.0/16. A VM in the subnet sends traffic to 10.2.2.7, and Network Watcher shows the next hop as Virtual network peering instead of the appliance. What explains this result?

Question 70 (medium, multiple choice)

Two VNets are peered. AppVNet contains VMs that access a private endpoint in DataVNet successfully by IP, but name resolution fails for the storage FQDN. The private DNS zone is linked only to DataVNet. What should you do?

Question 71 (medium, multiple choice)

A security team requires all outbound internet traffic from a workload subnet to pass through an NVA at 10.1.4.4. The subnet is already associated with an NSG that allows the traffic. Which UDR should the administrator add to the route table for that subnet?

Question 72 (medium, multiple choice)

An administrator plans to peer VNet-A with VNet-B so two application tiers can communicate over private IPs. VNet-A uses 10.20.0.0/16. VNet-B currently uses 10.20.1.0/24, and both VNets already contain subnets that must remain intact. The peering operation fails. What should the administrator do first?

Question 73 (medium, multiple choice)

A VM in subnet S1 must accept RDP only from the administrator workstation at 203.0.113.25. The subnet NSG has a custom inbound deny-all rule at priority 200 and a custom allow-RDP rule at priority 300 for source 203.0.113.25, destination Any, TCP 3389. RDP is still blocked from the workstation. What should the administrator change?

Question 74 (easy, multiple choice)

A workload subnet must send all outbound internet traffic through a network virtual appliance at 10.4.2.4. What should the administrator configure?

Question 75 (medium, multiple choice)

A branch office uses an on-premises firewall that supports IPsec/IKE and has a stable public IP. The office needs always-on private connectivity to an Azure VNet over the internet. Which Azure component should the administrator deploy?

Question 76 (easy, multiple choice)

A subnet has an NSG with a custom inbound deny-all rule at priority 200. You need to allow HTTPS traffic to a VM in that subnet from any source. Which action should you take?

Question 77 (medium, multiple choice)

A payroll application in a VNet must access an Azure Storage account containing confidential blobs. The security team requires the storage account to be reachable only over a private IP, and public network access must be disabled. Which feature should the administrator implement?

Question 78 (medium, multiple choice)

A team deployed a private endpoint for an Azure Storage account in VNet-A. The private endpoint is healthy, but VMs in VNet-A still resolve the storage account name to the public IP address. What should the administrator configure next?

Question 79 (easy, multiple choice)

A company wants to peer two Azure virtual networks so that workloads can communicate privately. VNet-A uses 10.10.0.0/16. VNet-B is being designed now. Which address space should be chosen for VNet-B?

Question 80 (medium, multiple choice)

Two application VNets are deployed in different Azure regions. Each VNet uses a unique, non-overlapping address space. The application teams want private IP connectivity over the Microsoft backbone with the lowest possible latency between the regions. Which design should the administrator choose?

Question 81 (medium, multiple choice)

A public web application runs on two Windows Server VMs in Azure. Users connect through a single public IP on TCP 443, and the solution must distribute traffic only to healthy VMs without requiring Layer 7 features such as URL-based routing. Which Azure service should the administrator deploy?

Question 82 (medium, multiple choice)

A company has a hub virtual network that contains a custom DNS server at 10.20.0.4. A new spoke virtual network is peered to the hub. VMs in the spoke can reach other resources in Azure, but they cannot resolve internal names such as app01.corp.local. What should the administrator configure to fix name resolution for the spoke VMs?

Question 83 (medium, multiple choice)

An on-premises application connects to Azure through an existing site-to-site VPN. The application must access an Azure Storage account, public network access on the storage account is disabled, and the company does not want the storage account exposed through a public endpoint. Which solution should the administrator implement?

Question 84 (medium, multiple choice)

A hub VNet has a VPN gateway connected to on-premises networks. A new spoke VNet must reach on-premises resources through the existing hub gateway without deploying another gateway. What peering configuration should the administrator use?

Question 85 (medium, multiple choice)

An application in a subnet must access an Azure Storage account over a private IP. The storage account must not be reachable through its public endpoint, and access should be limited to that subnet only. Which configuration should the administrator implement?

Question 86 (medium, multiple choice)

A web workload in a subnet must use a NAT gateway for outbound internet traffic so the source IP is stable. The subnet currently has a route table with a 0.0.0.0/0 user-defined route to a virtual appliance. What should the administrator change?

Question 87 (medium, multiple choice)

An organization has an Azure Storage account that must be reachable from Azure VMs and from an on-premises application. Internet access to the storage account must be disabled, and the service should be accessible only over private IP paths. Which solution best meets the requirement?

Question 88 (medium, multiple choice)

A branch office with a static public IP needs encrypted connectivity to an Azure virtual network so users can access private Azure VMs and internal services. The connection should support a site-to-site design and not rely on public IPs for the Azure resources themselves. Which service should the administrator deploy?

Question 89 (medium, multiple choice)

A company created a new spoke virtual network with the address space 10.40.1.0/24. The existing hub virtual network already uses 10.40.0.0/16. The administrator must peer the two VNets so resources can communicate normally. What must be changed before peering can succeed?

Question 90 (medium, multiple choice)

A hub-and-spoke environment uses a DNS server VM in the hub VNet at 10.8.0.4 to resolve internal names such as app01.corp.local. The spoke VNet can reach hub VMs by IP after peering, but name resolution still fails from the spoke. What should the administrator configure so VMs in the spoke use the hub DNS server?

Question 91 (medium, multiple choice)

A security team requires all outbound traffic from a subnet to pass through an Azure Firewall at 10.1.0.4, including internet-bound traffic from the VMs. What should the administrator configure?

Question 92 (medium, multiple choice)

A subnet is associated with a NAT gateway, but its route table also contains a 0.0.0.0/0 route to a virtual appliance at 10.2.0.4. The business wants all outbound internet traffic from the VMs to use one static public IP, and inspection by the appliance is no longer required. What should the administrator change?

Question 93 (medium, multiple choice)

An application subnet has a network security group with these inbound rules: Allow-Web-From-Internet at priority 200, Allow-App-From-Web at priority 300, and Deny-All-Inbound at priority 250. The web tier must reach the app tier on TCP 8080, but traffic is being denied. The administrator confirms the source and destination IPs are correct. What is the best fix?

Question 94 (medium, multiple choice)

A web tier and an app tier run in separate subnets. Each VM NIC is placed in an application security group named WebASG or AppASG. The administrator must allow only the web tier to reach the app tier on TCP port 8443 and block all other inbound traffic to the app tier. Which NSG rule should be created on the app subnet?

Question 95 (easy, multiple choice)

Based on the exhibit, HTTPS traffic from the admin workstation is still being blocked. What change should the administrator make?

Exhibit

Inbound NSG rules on AppSubnet:
Priority  Name                  Protocol  Source            Destination  Port  Action
200       Deny-All-Inbound      Any       Any               Any          Any   Deny
250       Allow-HTTPS-Admin     TCP       203.0.113.20/32   Any          443   Allow
300       Allow-HTTPS-Internet  TCP       Internet          Any          443   Allow
Test source IP: 203.0.113.20
Observed result: TCP 443 denied

Question 96 (medium, multiple choice)

An on-premises application connected through a site-to-site VPN must read data from an Azure Storage account. Public network access is disabled on the storage account, and the storage service must be reachable only by a private IP address inside Azure. Which solution should the administrator implement?

Question 97 (easy, multiple choice)

Based on the exhibit, which Azure connectivity option should the administrator use for the branch office?

Exhibit

Branch office details:
- One edge firewall/router with public IP 203.0.113.50
- Users must reach private Azure VMs and internal services
- Traffic must be encrypted over the internet
- No per-user tunnel setup is desired

Question 98 (medium, multiple choice)

A three-tier application uses separate web and app VMs that are scaled in and out regularly. The administrator must allow only the web tier to connect to the app tier on TCP 8080 without continually updating IP addresses. What should be configured in the NSG rule?

Question 99 (easy, multiple choice)

Based on the exhibit, what should the administrator do so the hub and spoke can be peered successfully?

Exhibit

Hub VNet address space: 10.20.0.0/16
Spoke VNet address space: 10.20.1.0/24
Planned action: Create VNet peering between Hub and Spoke
Portal message: The address spaces overlap and cannot be peered.

Question 100 (medium, multiple choice)

Two VM scale sets named Web and App run in separate subnets. The App subnet NSG already contains Deny-All-Inbound at priority 300. The business wants only the Web tier to connect to the App tier on TCP 8443, and any new scale-out instances must be included automatically. What should the administrator add?

Question 101 (medium, multiple choice)

A subnet must send traffic to on-premises networks through a VPN gateway, but internet-bound traffic should use the Azure platform's normal outbound path and not be forced through a virtual appliance. The administrator wants to avoid creating a 0.0.0.0/0 user-defined route. Which design meets the requirement?

Question 102 (medium, multiple choice)

A web tier and an app tier run on separate Azure VMs in the same region. Each VM's NIC is added to an application security group named WebASG or AppASG. The administrator must allow only the web tier to connect to the app tier on TCP 8443, and future VM scale-outs must be included automatically. Which NSG rule should be created?

Question 103 (medium, multiple choice)

An administrator is troubleshooting inbound HTTPS to a VM. The subnet NSG has these custom rules: Deny-Internet-Inbound at priority 150, Allow-HTTPS-Admin at priority 200, and the default deny rules remain in place. The administrator’s client is on the internet and should be able to reach the VM on TCP 443. What change will fix the problem?

Question 104 (medium, multiple choice)

After a private endpoint for an Azure Blob Storage account is created, VMs in the same VNet still resolve the storage name to the public IP address. The administrator wants the name to resolve to the private endpoint address instead. What should be configured?

Question 105 (medium, multiple choice)

A company has a virtual machine in a subnet that must access an Azure Storage account. The storage account should remain reachable through its public endpoint, but access must be limited to that subnet, and the traffic should stay on the Azure backbone rather than the internet. Which feature should the administrator configure on the subnet?

Question 106 (medium, multiple choice)

A spoke VM can connect to a hub VM by IP address after peering is configured, but it cannot resolve internal host names such as app01.corp.local. The hub has a DNS server at 10.50.1.4 that hosts those records. What should the administrator configure so the spoke VMs use that DNS server?

Question 107 (medium, multiple choice)

An NSG attached to a subnet contains these inbound rules: Deny-All-Inbound at priority 200, Allow-HTTPS-Admin at priority 250 from 203.0.113.20/32, and Allow-HTTPS-Internet at priority 300. A VM in the subnet cannot receive HTTPS from the admin workstation even though the source IP is correct. What should the administrator change?

Question 108 (easy, multiple choice)

Based on the exhibit, what inbound NSG rule should the administrator add to allow only the web tier to reach the app tier on TCP 8080?

Exhibit

Application security groups:
- WebASG contains the web VM NICs
- AppASG contains the app VM NICs
App subnet NSG rules:
- Priority 300: Deny-All-Inbound | Source: Any | Destination: Any | Port: Any | Action: Deny
No allow rule exists for web-to-app traffic.

Question 109 (medium, multiple choice)

Two VNets are peered successfully, and a VM in the spoke can reach a private endpoint in the hub by IP address. However, the VM cannot resolve the storage account name to the private endpoint FQDN. The private DNS zone is linked only to the hub VNet. What should the administrator do?

Question 110 (easy, multiple choice)

Based on the exhibit, which subnet prefix should be used for Subnet A so it can support about 30 VM NICs?

Exhibit

Planned VNet address space: 10.70.0.0/16
Subnet A requirement: about 30 VM NICs
Subnet B requirement: about 8 VM NICs and one future jump box
Azure reserves 5 IP addresses in each subnet

Question 111 (medium, multiple choice)

A team is creating a new spoke VNet that will later be peered to an existing hub VNet and connected to on-premises networks. The proposed address space for the spoke is 10.60.1.0/24. The hub already uses 10.60.0.0/16. What should the administrator do before deploying the spoke?

Question 112 (easy, multiple choice)

Based on the exhibit, the administrator cannot create VNet peering between the hub and spoke networks. What should be changed?

Exhibit

HubVNet address space: 10.40.0.0/16
SpokeVNet address space: 10.40.1.0/24
Peering status: Failed
Error: Virtual network address space overlaps with another peered network

Question 113 (medium, multiple choice)

A company wants to peer a new spoke virtual network with an existing hub VNet. The hub uses 10.20.0.0/16. The spoke was created with 10.20.1.0/24 because that range was still available in the IPAM spreadsheet. VNet peering creation fails. What should the administrator do first?

Question 114 (medium, multiple choice)

A subnet uses a route table with gateway route propagation disabled so internet-bound traffic can be forced through a network virtual appliance. After the change, VMs in the subnet can no longer reach servers in the on-premises network 172.16.0.0/16 over the VPN gateway. What should the administrator add to the route table?

Question 115 (medium, multiple choice)

A subnet has a NAT gateway attached, but outbound internet traffic from the VMs is still leaving through a network virtual appliance. The subnet's route table includes a user-defined route for 0.0.0.0/0 with the next hop set to Virtual appliance. The business wants internet traffic to use the NAT gateway while keeping any required specific routes to on-premises networks. What should the administrator do?

Question 116 (medium, multiple choice)

A subnet has a route table with a 0.0.0.0/0 user-defined route to an on-premises virtual appliance. The business now wants Azure VM outbound internet traffic to use a NAT gateway so the public source IP stays consistent, and the firewall appliance is no longer required for internet egress. What should the administrator do?

Question 117 (hard, multiple choice)

Based on the exhibit, what should the administrator configure so the VM in the spoke VNet can resolve internal hostnames that are hosted on the DNS server in the hub VNet?

The team has already verified that IP connectivity between the spoke VM and the hub VM works.

Exhibit

Topology summary:
- HubVNet: 10.40.0.0/16
  - VM dns01: 10.40.0.4
  - DNS service on dns01 hosts the zone corp.contoso.local
  - HubVNet DNS servers: 10.40.0.4
- SpokeVNet: 10.41.0.0/16
  - Peered with HubVNet
  - Allow virtual network access: Enabled
  - Allow forwarded traffic: Enabled
  - DNS servers: Azure-provided
- Test results from app01 in SpokeVNet:
  - ping 10.40.1.10  => success
  - nslookup web01.corp.contoso.local => NXDOMAIN
  - nslookup www.microsoft.com => success

Question 118 (easy, multiple choice)

Based on the exhibit, why is the administrator's HTTPS test still being denied, and what should be changed?

Exhibit

Inbound NSG rules for Subnet-Prod:
Priority 200: Deny-HTTPS-Internet | Source: Internet | Destination: Any | Port: 443 | Action: Deny
Priority 250: Allow-HTTPS-Admin | Source: 203.0.113.20/32 | Destination: Any | Port: 443 | Action: Allow
Observed result: Traffic from 203.0.113.20 to the VM on TCP 443 is blocked.

Question 119 (easy, multiple choice)

Based on the exhibit, what should the administrator create so the storage account is reachable only by private IP from AppSubnet?

Exhibit

Requirement summary:
- Storage account: contosostore
- Public network access: Disabled
- AppSubnet VMs must reach the storage account by private IP
- DNS for privatelink.blob.core.windows.net is already configured

Question 120 (medium, multiple choice)

A subnet is associated with a NAT gateway, but outbound traffic from the VMs still leaves through a network virtual appliance because the subnet has a user-defined route for 0.0.0.0/0 with next hop type Virtual appliance. The workload must use the NAT gateway for internet-bound traffic while keeping more specific routes intact. What should the administrator change?

Question 121 (medium, multiple choice)

A subnet NSG contains these inbound rules: Deny-All-Inbound at priority 300, Allow-HTTPS-From-Bastion at priority 200, and Allow-HTTPS-From-AdminIP at priority 350. An administrator expects a management workstation on the internet to connect to a VM over TCP 443, but the connection is blocked. What is the most likely reason?

Question 122 (easy, multiple choice)

Based on the exhibit, VM name resolution works for IP addresses but fails for internal hostnames. What should the administrator configure on the spoke VNet?

Exhibit

Hub VNet DNS server: 10.20.0.4
Spoke VNet DNS server setting: Azure-provided
Test from spoke VM:
  ping 10.20.0.4   Success
  nslookup app01.corp.local   Server failed to find app01.corp.local: NXDOMAIN
Hub and spoke are already peered.

Question 123 (medium, multiple choice)

A company has a hub virtual network with a DNS server VM at 10.50.0.4 that hosts internal names such as app01.corp.local. A spoke virtual network is already peered to the hub. VMs in the spoke can reach resources in the hub by IP address, but they cannot resolve the internal host names. The company wants to keep DNS centralized and avoid deploying another DNS server in the spoke. What should the administrator configure?

Question 124 (medium, multiple choice)

A branch office with a fixed public IP needs encrypted access to private Azure virtual machines and internal services in a VNet. Traffic must travel across the public internet in an encrypted tunnel, and the connection should use a route-based design. What should the administrator deploy in Azure?

Question 125 (easy, multiple choice)

Based on the exhibit, what is the best change so the VNet peering can be created successfully?

Exhibit

VNet-A address space: 10.0.0.0/16
VNet-B address space: 10.0.1.0/24
Attempt to peer VNet-A and VNet-B:
Status: Failed
Error: Address space overlap detected

Requirement: Both VNets must remain connected, but the address spaces must not overlap.

Question 126 (hard, multi select)

An application in AppSubnet must access an Azure Storage account over the public endpoint, but only traffic from that subnet should be allowed, and the traffic should stay on the Microsoft backbone. The administrator does not want to create a private IP for the service. Which two actions should be taken? Select two.

Question 127 (medium, multiple choice)

A team manages 20 web VMs and 15 app VMs that scale independently. The administrator needs an NSG rule that allows only the web tier to reach the app tier on TCP 8443, and future VM additions must be included automatically without editing IP addresses. What should the administrator use in the NSG rule?

Question 128 (medium, multiple choice)

An administrator creates a new spoke virtual network with address space 10.100.1.0/24 and tries to peer it to an existing hub virtual network that already uses 10.100.0.0/16. The peering fails. The business wants private connectivity between the hub and spoke. What action should the administrator take first?

Question 129 (easy, multiple choice)

Based on the exhibit, what should the administrator create so VMs in AppSubnet can access the storage account over a private IP address?

Exhibit

Storage account: stprod01
Networking:
- Public network access: Disabled
- Private endpoint connections: None
- Allowed virtual networks: None

VNet: AppVNet
Subnet: AppSubnet 10.50.1.0/24
Requirement: "Azure VMs in AppSubnet must reach the storage account without using the public endpoint."

Question 130 (medium, multiple choice)

A subnet has a user-defined route for 0.0.0.0/0 that sends all outbound traffic to a network virtual appliance for inspection. The business now attaches a NAT gateway to the subnet and wants internet-bound traffic to use the NAT gateway's public IP, while traffic to private corporate prefixes should still go to the appliance. What should the administrator change?

Question 131 (medium, multiple choice)

A development team runs Windows and Linux VMs in a single Azure subnet. The VMs must access an Azure Storage account, and the security team wants to restrict the storage account so only that subnet can reach it. The team does not want to create a private IP for the storage account or change DNS records. What should the administrator configure?

Question 132 (medium, multiple choice)

A company has a hub VNet and two peered spoke VNets, AppSpoke and DataSpoke. Both spokes can reach on-premises networks through the hub gateway. The app VM in AppSpoke must connect privately to the data VM in DataSpoke without using the internet or sending traffic on-premises first. What should the administrator do?

Question 133 (easy, multiple choice)

A storage account must be reachable only from resources in one Azure subnet, and traffic must use a private IP rather than the public endpoint. Which configuration should the administrator implement?

Question 134 (medium, multiple choice)

Remote administrators work from home laptops and need secure access to Azure VMs in a virtual network. There is no branch office device to configure, and each administrator should connect individually using Azure-side VPN authentication. Which option should be implemented?

Question 135 (easy, multiple choice)

Based on the exhibit, what configuration should the administrator change so VMs in the spoke can resolve internal names from the hub?

Exhibit

Hub VNet:
- DNS server VM: 10.50.0.4
Spoke VNet:
- Default DNS setting: Azure-provided
Observed behavior:
- VM in spoke can ping hub VM by IP address
- nslookup app01.corp.local returns NXDOMAIN

Question 136 (easy, multiple choice)

Based on the exhibit, what should the administrator change so outbound internet traffic uses the NAT gateway?

Exhibit

Subnet-Web configuration:
- NAT gateway: nat-web
- Route table association: rt-web
Route table rt-web:
- 0.0.0.0/0 -> Virtual appliance 10.1.0.4
- 10.1.0.0/16 -> Virtual network
Observed issue: Internet-bound traffic still exits through the virtual appliance.

Question 137 (medium, multiple choice)

A subnet is connected to a NAT gateway, but outbound connections to a public software update site are still leaving through a network virtual appliance. The route table contains a 0.0.0.0/0 user-defined route to the appliance, and the business wants the NAT gateway to handle internet traffic while preserving private routes to the appliance. What is the best fix?

Question 138 (medium, multiple choice)

A branch office has a single edge device with a static public IP and must connect securely to Azure so users can reach private VMs in a virtual network. The company wants traffic encrypted across the internet and does not need point-to-site access from individual laptops. Which solution should the administrator deploy?

Question 139 (medium, multiple choice)

A three-tier application uses separate web and app VMs. The requirement is to allow only the web tier to reach the app tier on TCP 8080. The app subnet NSG already contains a DenyAllInbound rule at priority 200. What should the administrator do?

Question 140 (medium, multiple choice)

A company plans a new spoke virtual network that must be peered to an existing hub VNet using 10.0.0.0/16. The spoke will need two subnets: one sized for about 120 VMs and another for about 40 VMs. The new address space must not overlap the hub or the on-premises range 10.1.0.0/16. Which VNet address space is the best choice?

Question 141 (hard, multi select)

A storage account already has a private endpoint for Blob service in a VNet. Virtual machines in AppSubnet still resolve the account name to the public endpoint, so traffic never reaches the private IP. Which two actions should the administrator take? Select two.

Question 142 (medium, multiple choice)

An administrator added an NSG rule named Allow-Admin-HTTPS with priority 250 to permit inbound TCP 443 from a single public IP. The NSG also contains a Deny-All-Inbound rule with priority 200. The administrator still cannot connect to the VM over HTTPS from the allowed IP. What should be changed to resolve the issue?

Question 143 (medium, multiple choice)

A storage account must be reachable only from resources in a specific Azure subnet, and connections must not use the public endpoint. Which option should the administrator configure?

Question 144 (easy, multi select)

A storage account should use a private IP address inside a virtual network, and workloads in that VNet must resolve the storage name to the private address. Which two items are required? Select two.

Question 145 (medium, multiple choice)

A storage account must be reachable only from one Azure virtual network. The team wants the storage service to have a private IP in that VNet, public network access disabled, and name resolution to work without using the public endpoint. What should the administrator configure?

Question 146 (hard, multiple choice)

A storage account must be reachable only from workloads in one Azure subnet. The team wants to keep using the storage account's public FQDN, avoid creating a private IP address in the virtual network, and avoid managing private DNS zones. What should the administrator configure?

Question 147 (medium, multiple choice)

A company is building a hub-and-spoke Azure network. The hub VNet already uses 10.50.0.0/16. A new spoke VNet will later be peered to the hub and connected to on-premises through VPN. What is the most important planning step before creating the peering?

Question 148 (hard, multiple choice)

A web tier and a backend tier are deployed in separate subnets. Backend VMs are rebuilt regularly, so their private IP addresses change. The web tier must reach the backend on TCP 8443, and administrators do not want to update NSG rules whenever a backend VM is replaced. What should be used in the NSG rule?

Question 149 (medium, multiple choice)

A subnet already has a user-defined default route (0.0.0.0/0) that sends all outbound traffic to a network virtual appliance. The administrator now needs traffic to the on-premises network 10.50.0.0/16 to use the VPN gateway instead of the appliance. What should be added to the route table?

Question 150 (medium, multiple choice)

A backend VM must accept TCP 8443 only from the web tier. The subnet NSG already has a deny-all inbound rule at priority 200. The administrator adds an allow rule for the web tier at priority 300, but the connection still fails. What should be changed?

Question 151 (medium, multiple choice)

Based on the exhibit, which subnet prefix is the smallest that can support the planned resources in Azure?

Exhibit

Subnet design notes: 28 VM NICs; 4 private endpoints; 2 internal load balancer frontend IP configurations; 5 additional IPs reserved for short-term growth.

Question 152 (medium, multiple choice)

A company is creating a new spoke virtual network that will be peered to an existing hub VNet. The hub uses 10.40.0.0/16, and an on-premises network already uses 10.41.0.0/16. The spoke must support about 120 endpoints now and should allow room for growth. Which address space should you assign to the new spoke VNet?

Question 153 (medium, multiple choice)

Based on the exhibit, what next hop will the VM use when it sends traffic to 10.30.5.10?

Exhibit

Effective routes on NIC vm-app01:

Address prefix     Next hop type              Source
10.20.0.0/16       Virtual network            System
10.30.0.0/16       Virtual network gateway    BGP
0.0.0.0/0          Virtual appliance          User

The VM is in 10.20.0.0/16 and is connected to a VPN gateway that advertises 10.30.0.0/16.

Question 154 (medium, multiple choice)

A VM in VNet A can reach a storage account through a private endpoint, but when the VM resolves the storage account name it still gets the public IP address. What should you configure so name resolution returns the private endpoint address?

Question 155 (medium, multiple choice)

A company already uses the address space 10.20.0.0/16 for a hub virtual network and 10.21.0.0/16 on-premises. A new spoke virtual network will be peered to the hub and may later connect to the on-premises network. Which address space should the administrator choose for the spoke to avoid future routing conflicts?

Question 156 (hard, multiple choice)

A storage account must be reachable only from a single subnet. The team wants to keep the storage public endpoint in place, avoid a private endpoint, and avoid managing any custom DNS records. Which change best meets the requirement?

Question 157 (hard, multiple choice)

A subnet NSG contains these inbound rules: Priority 100 denies TCP 8443 from VirtualNetwork to any destination, Priority 110 allows TCP 8443 from AzureLoadBalancer to any destination, and Priority 200 allows TCP 8443 from ASG-Web to ASG-App. The app VM NIC has no additional inbound rules. Web servers are members of ASG-Web and the app VM is a member of ASG-App. The web tier still cannot connect to TCP 8443. What should the administrator change?

Question 158 (medium, multiple choice)

A VM cannot connect to another VM on TCP 1433. You need to determine whether an NSG is blocking the flow and identify which rule applies. Which Network Watcher tool should you use?

Question 159 (medium, multiple choice)

A VM sends traffic to 172.16.5.10, but the administrator suspects the traffic is taking an unexpected next hop. They want to see the effective route table applied to the VM NIC, including system routes, user-defined routes, and propagated routes. Which Network Watcher tool should be used?

Question 160 (medium, multiple choice)

A subnet has a user-defined route for 0.0.0.0/0 that sends traffic to a network virtual appliance at 10.10.1.4. The VM in the subnet still reaches an Azure Storage account using the public endpoint, but the administrator expected all outbound traffic to go through the NVA. What is the most likely reason?

Question 161 (medium, multiple choice)

Based on the exhibit, which Network Watcher tool should the administrator use to identify the exact NSG rule that is blocking TCP 1433 traffic?

Exhibit

Troubleshooting summary: VM1 to VM2 on TCP 1433 shows Status = Blocked; connection troubleshooting reports that the destination is reachable at the route level; the administrator needs the specific allow or deny rule name.

Question 162 (hard, multiple choice)

Based on the exhibit, what should the administrator change to allow only the web tier to reach the app tier on TCP 8443?

Exhibit

NSG: nsg-app
Inbound security rules:
- Priority 100  Deny   TCP 8443   Source: VirtualNetwork   Destination: AppTier-ASG
- Priority 200  Allow  TCP 8443   Source: WebTier-ASG      Destination: AppTier-ASG
- Priority 300  Allow  TCP 443    Source: VirtualNetwork   Destination: AppTier-ASG

ASG membership:
- VM-Web1 is in WebTier-ASG
- VM-App1 is in AppTier-ASG

Observed result:
- VM-Web1 cannot connect to VM-App1 on TCP 8443

Question 163 (easy, multi select)

Which two statements about application security groups and service tags are correct? Select two.

Question 164 (medium, multiple choice)

A company wants to peer a new spoke virtual network to an existing hub VNet. The hub uses 10.40.0.0/16, and the new spoke was created with 10.40.128.0/17 because that range seemed available in the branch office plan. Peering creation fails. What should the administrator do?

Question 165 (hard, multiple choice)

A storage account has a blob private endpoint in VNet-A. A VM in peered VNet-B can reach the storage account by private IP, but name resolution for the storage account still returns the public IP address. The private DNS zone privatelink.blob.core.windows.net is already linked only to VNet-A. What should the administrator do next?

Question 166 (hard, multiple choice)

You are planning a subnet for an application tier in a new spoke virtual network. The subnet must support 34 VM NICs, 5 private endpoints, and 6 extra IP addresses for short-term scale-out during maintenance windows. Azure reserves 5 IP addresses in every subnet. What is the smallest subnet prefix that meets the requirement?

Question 167 (hard, multiple choice)

Third-party support engineers connect from the public internet and need browser-based RDP and SSH access to Azure VMs that have only private IPs. The security team will not allow public IPs on the VMs, inbound 3389 or 22 from the internet, or a client VPN on each laptop. What should you deploy?

Question 168 (hard, multiple choice)

A subnet has a user-defined route for 0.0.0.0/0 that sends traffic to a network virtual appliance at 10.1.0.4. The same virtual network is peered to a hub VNet that has a system route for 10.50.16.0/20. A VM in the subnet sends traffic to 10.50.18.25. Which next hop will Azure use?

Question 169 (medium, multiple choice)

A storage account must be reachable only from a single Azure VNet. The team wants the storage account to have a private IP in that VNet and wants to disable public network access. Which solution should the administrator implement?

Question 170 (medium, multiple choice)

A private endpoint was created for Azure SQL Database in VNet A. A VM in peered VNet B can reach other resources, but it resolves the SQL server name to the public IP and connection attempts fail because public network access is disabled. What is the best fix?

Question 171 (easy, multi select)

A new spoke virtual network will peer with an existing hub that uses 10.10.0.0/16 and an on-premises network that uses 10.20.0.0/16. Which two address spaces could you assign to the new spoke without overlapping those ranges? Select two.

Question 172 (medium, multiple choice)

Based on the exhibit, which address space can you assign to the new spoke virtual network so it can be peered to the hub and later connected to on-premises without an IP overlap?

Exhibit

Existing address spaces:
- Hub virtual network: 10.50.0.0/16
- On-premises network: 10.51.0.0/16

New spoke virtual network requirements:
- Must be peered to the hub
- May later connect to on-premises through VPN
- Must not overlap with any existing network range
Question 173 (medium, multiple choice)

Administrators need to connect to Windows and Linux VMs from the Azure portal using a browser. The VMs do not have public IP addresses, and the security team does not want a VPN client installed on admin laptops. Which service should be deployed?

Question 174 (medium, multiple choice)

A VM in a subnet has both a subnet-level NSG and a NIC-level NSG. The subnet NSG allows inbound TCP 22 from the VirtualNetwork service tag, but the NIC NSG denies inbound TCP 22 from the same source. An administrator says the subnet rule should be enough because it allows the traffic. What is the actual behavior?

Question 175 (medium, multiple choice)

Based on the exhibit, what should the administrator do so VM-B resolves the storage account name to the private IP address?

Exhibit

From VM-B in VNet-B: nslookup mystorage.blob.core.windows.net returns 20.52.10.7; the storage account has a private endpoint in VNet-A at 10.4.1.5; the private DNS zone privatelink.blob.core.windows.net is linked only to VNet-A.
Question 176 (hard, multiple choice)

After a user-defined route and VNet peering were added, a VM in a spoke subnet still does not reach 10.20.4.8 as expected. You need to confirm which route Azure will actually select on that VM's NIC, including any propagated routes and the route that wins. Which Network Watcher tool should you use?

Question 177 (medium, multiple choice)

Based on the exhibit, why is TCP 8443 traffic from the web tier still denied to the app tier, and what should you do to allow only the web tier?

Exhibit

Inbound NSG rules on the app subnet:
Priority 100  Deny   TCP 8443  Source: VirtualNetwork   Destination: Any
Priority 110  Allow  TCP 8443  Source: AzureLoadBalancer Destination: Any
Priority 200  Deny   Any       Source: Any              Destination: Any

The web tier and app tier are in the same virtual network. The app tier uses application security group ASG-App. The web tier uses application security group ASG-Web.
Question 178 (medium, multiple choice)

Based on the exhibit, which feature should be enabled on the subnet so the storage account remains reachable through its public endpoint but only from that subnet?

Exhibit

Storage access requirement: the public endpoint must stay enabled; access must be limited to one Azure subnet; no private IP should be created in the virtual network; administrators do not want a private DNS zone.
Question 179 (medium, multiple choice)

Based on the exhibit, which Azure service should you deploy to provide browser-based administrative access to the VM without assigning it a public IP address?

Exhibit

Topology:
- Internet users sign in to the Azure portal
- Management connection must be initiated from a browser
- The target Windows VM has no public IP address
- The security team does not allow a VPN client on administrator laptops
- RDP must remain off the public Internet
Question 180 (easy, multi select)

Which two Network Watcher tools can help you diagnose whether a VM can reach another address and whether a specific flow is allowed or denied? Select two.

Question 181 (hard, multiple choice)

A backend VM belongs to AppASG and listens on TCP 8443. The subnet NSG has a deny rule at priority 200 that blocks TCP 8443 from VirtualNetwork to any destination. The backend VM's NIC NSG has an allow rule at priority 100 for TCP 8443 from WebASG to AppASG. Web VMs in WebASG still cannot connect. What should you change to allow only the web tier while keeping other virtual network traffic blocked?

Question 182 (medium, multiple choice)

A web application runs on three VMs in a backend subnet. The backend team wants the load balancer in the frontend tier to reach the VMs on TCP 8443, and they want the rule to keep working even if the backend VM IP addresses change. What should you use in the NSG rule?

Question 183 (medium, multiple choice)

A backend tier runs on three Azure VMs. The VMs are rebuilt frequently and receive new private IP addresses during redeployment. The administrator must allow inbound TCP 1433 from the app tier without rewriting the NSG rule each time the backend VMs change. What should be used?

Question 184 (hard, multiple choice)

A spoke subnet has a user-defined route for 10.60.0.0/16 that sends traffic to a virtual appliance at 10.1.0.4. The same subnet also learns a propagated route for 10.60.0.0/16 from a VPN gateway. A VM in the subnet sends traffic to 10.60.7.25. Which next hop will Azure use?

Question 185 (medium, multiple choice)

A team is creating a subnet for 48 small Linux VMs, two internal load balancer frontend IPs, and one Azure Bastion host. Azure reserves five IP addresses in every subnet. Which subnet prefix is the smallest that will still meet the requirement?

Question 186 (hard, multiple choice)

A team is creating a new workload subnet in a spoke virtual network. The subnet must support 41 VM NICs, 2 internal load balancer frontend IP configurations, 3 private endpoint IPs, and 4 spare IPs for near-term growth. Azure reserves 5 IP addresses in every subnet. What is the smallest IPv4 subnet size that satisfies the requirement?

Question 187 (easy, multi select)

A company wants an Azure Storage account to be reachable privately from a virtual network. Which two statements about a private endpoint are correct? Select two.

Question 188 (medium, multiple choice)

A storage account must be reachable only from resources in a single VNet. The team wants the storage service to use a private IP address inside that VNet and wants to disable public network access. Which feature should be configured?

Question 189 (medium, multiple choice)

A VM in a subnet cannot connect to another VM on TCP 1433. The administrator wants to confirm whether an NSG rule is blocking the flow and which rule is responsible. Which Network Watcher feature should be used?

Question 190 (medium, multiple choice)

A storage account must be reachable only from one subnet. The team does not want to deploy a private endpoint or manage private DNS zones, and they accept that the storage account will continue to use its public endpoint. Which feature should be configured on the subnet?

Question 191 (medium, multiple choice)

A VM has both a default route from a VPN gateway and a user-defined route to an on-premises firewall. Traffic is still not reaching the expected next hop. The administrator wants to see the exact routes currently applied to the VM NIC. Which tool should be used?

Question 192 (medium, multiple choice)

A subnet has an NSG with an inbound allow rule for TCP 3389 at priority 200 and an inbound deny rule for Internet traffic at priority 100. An administrator still cannot RDP to a virtual machine in the subnet from home. What is the most likely reason?

Question 193 (medium, multiple choice)

An operations team wants all internet-bound traffic from a workload subnet to pass through a network virtual appliance at 10.1.0.4 for inspection. Which next hop type should be used in a user-defined route for destination 0.0.0.0/0?

Question 194 (medium, multiple choice)

A storage account is accessed from a VM in VNet A through a private endpoint. A VM in peered VNet B can connect to the storage account by IP, but when it uses the storage account name, it resolves to the public endpoint. What should the administrator configure?

Question 195 (medium, multiple choice)

Based on the exhibit, what should the administrator change so the web tier can reach the database tier on TCP 443 without opening the subnet more broadly?

Exhibit

NSG: App-NSG inbound rules
Priority 100: Deny TCP 443, Source=VirtualNetwork, Destination=Any
Priority 110: Allow TCP 443, Source=WebTierASG, Destination=DbTierASG
Priority 200: Allow TCP 443, Source=AzureLoadBalancer, Destination=Any
Default rule: DenyAllInBound
Question 196 (medium, multiple choice)

A subnet has these inbound NSG rules: Rule 100 denies TCP 3389 from Internet, Rule 200 allows TCP 3389 from 10.0.0.0/8, and Rule 300 allows TCP 3389 from AzureLoadBalancer. An administrator in 10.20.5.4 cannot RDP to a VM in the subnet. Why is the connection denied?

Question 197 (medium, multiple choice)

Based on the exhibit, which feature should you enable so the subnet can access the storage account without creating a private IP address in the VNet?

Exhibit

Storage account access requirements:
- Access should be limited to subnet AppSubnet
- The storage account should keep using its public endpoint
- No private endpoint should be created
- No private DNS zone should be managed
- The workload is allowed to use Azure platform integration features
Question 198 (medium, multiple choice)

A web application on a VM is failing on TCP 8443. The administrator wants to capture packets on the VM NIC to inspect retransmissions and handshake details after the test run. Which Network Watcher capability should be used?

Question 199 (easy, multi select)

Which two statements about Azure route tables and user-defined routes are correct? Select two.

Question 200 (medium, multiple choice)

A company has 25 remote employees who need to connect from their laptops to Azure VMs that have only private IP addresses. No on-premises VPN appliance exists, and the VMs must not be assigned public IP addresses. Which solution should the administrator deploy?

Question 201 (medium, multiple choice)

Based on the exhibit, which subnet prefix should you create for the workload subnet so it has enough usable IP addresses for all listed resources?

Exhibit

Workload subnet requirements:
- 41 VM NICs
- 2 internal load balancer frontend IP configurations
- 3 private endpoint IPs
- 1 Azure Bastion host
- Azure reserves 5 IP addresses in every subnet

Planned subnet must be a single subnet in one virtual network.
Question 202 (easy, multiple choice)

A storage account should accept traffic only from one subnet, but the team does not want to create a private IP address for the service in the virtual network. What should they enable?

Question 203 (medium, multiple choice)

A team manages three backend servers in one subnet. The servers are replaced periodically, so their private IP addresses change. The NSG must allow inbound traffic from the web tier without updating individual IP addresses each time. Which destination object should be used in the NSG rule?

Question 204 (hard, multiple choice)

Your hub virtual network uses 10.40.0.0/16 and the corporate on-premises network uses 10.41.0.0/16. A new spoke VNet must be peered to the hub now and connected to on-premises later. It needs a workload subnet for about 180 hosts and a management subnet for about 50 hosts. Which address space is the best choice for the new spoke?

Question 205 (medium, multiple choice)

A storage account has a private endpoint in VNet A. A VM in peered VNet B can reach the storage account by private IP, but when the VM resolves the storage account name it still gets the public IP address. What should be configured so the name resolves to the private IP from VNet B?

Question 206 (medium, multiple choice)

An on-premises datacenter must reach private IP addresses in Azure over an encrypted site-to-site tunnel. The Azure VMs must not have public IP addresses, and the connection should use the company's existing edge device. Which Azure component should be deployed?

Question 207 (easy, multi select)

Which two statements about network security group processing are correct? Select two.

Question 208 (medium, multiple choice)

Based on the exhibit, which Network Watcher tool should you use to determine whether an NSG allows or denies TCP 1433 traffic and which rule is responsible?

Exhibit

Troubleshooting notes:
- Source VM: vm-app01
- Destination VM: vm-sql01
- Port: TCP 1433
- Symptom: Connection times out
- Goal: Verify whether the packet is allowed or denied by NSG rules and identify the rule name
- Need a point-in-time check from the VM NIC perspective
Question 209 (hard, multiple choice)

A VM named VM1 cannot establish TCP 1433 connectivity to VM2. The administrator wants to test the exact flow, confirm whether an NSG allows or denies it, and identify the rule that applies if the flow is blocked. Which Network Watcher tool should be used?

Question 210 (hard, multiple choice)

A VM in VNet B can reach a blob storage account through a private endpoint that was created in peered VNet A. The storage FQDN still resolves to the public IP when queried from VNet B, so the VM does not use the private path. What should the administrator change?

Question 211 (easy, multiple choice)

Based on the exhibit, the web tier can reach the API subnet by name, but the traffic is still blocked. What should the administrator do?

Exhibit

NSG rule summary:
Rule 1: Allow-Web-To-Api, Source=ASG-Web, Destination=ASG-Api, Port=8443, Action=Allow, Priority=300
ASG membership:
- WebVM01 NIC = ASG-Web
- WebVM02 NIC = ASG-Web
- ApiVM01 NIC = none
- ApiVM02 NIC = none
Observed result: Connections from WebVM01 to ApiVM01 on TCP 8443 fail.
Question 212 (medium, multiple choice)

A storage account has public network access disabled. A VM in a virtual network must access blob data privately, and the application must resolve the storage endpoint name to a private IP address. What should the administrator deploy?

Question 213 (medium, multi select)

A VNet peering attempt between VNet-A and VNet-B fails because both VNets include 10.40.0.0/16. VNet-B hosts active workloads, so the team wants to readdress it without downtime. Which two actions should the administrator take? Select two.

Question 214 (hard, multiple choice)

An NSG rule allows TCP 8443 from ASG-Web to ASG-Api on the API subnet. The web VM NIC is already in ASG-Web, but the API VM was only placed in the subnet and not added to ASG-Api. Traffic still fails. What is the best fix?

Question 215 (medium, multiple choice)

Based on the exhibit, a site-to-site VPN gateway deployment fails. What prerequisite should the administrator provide so the gateway can be created successfully?

Exhibit

Gateway deployment validation output:
GatewaySubnet: Present
Gateway type: VPN
VPN type: Route-based
Validation error: A public IP address resource must be specified for the gateway.
Current gateway configuration: No public IP attached.
Question 216 (hard, multiple choice)

A VM in AppSubnet must reach a database VM in DbSubnet on TCP 1433. AppSubnet's NSG has an outbound deny rule for TCP 1433 to Any at priority 200. DbSubnet's NSG has an inbound allow rule for TCP 1433 from ASG-App to ASG-Db at priority 300. Both NICs are in the correct application security groups. Connectivity tests fail. What should the administrator change?

Question 217 (medium, multiple choice)

Based on the exhibit, a help desk engineer cannot RDP from an approved admin subnet to a VM in Azure. What change should the administrator make so the connection is allowed?

Exhibit

Subnet NSG inbound rules:
Priority 100  Deny-RDP-All      Source: Any              Destination: Any              Protocol: TCP  Port: 3389
Priority 200  Allow-RDP-Admin   Source: 192.168.10.0/24  Destination: Any              Protocol: TCP  Port: 3389
Priority 65000 AllowVNetInBound Source: VirtualNetwork    Destination: VirtualNetwork    Protocol: Any  Port: *
Client IP: 192.168.10.25
Symptom: RDP times out before the logon prompt appears.
Question 218 (medium, multiple choice)

An administrator creates a route table with a UDR for 10.20.0.0/16 and next hop type Virtual appliance. A VM in the subnet still does not send that traffic to the appliance. The route table contents are correct. What should be checked first?

Question 219 (easy, multiple choice)

Based on the exhibit, administrators try to reach a web server from the approved subnet, but connections still fail. What is the most likely reason?

Exhibit

Inbound NSG rules on subnet AppSubnet:
1. Priority 100: Deny-HTTPS, Source=Any, Destination=Any, Port=443, Action=Deny
2. Priority 200: Allow-HTTPS-Admins, Source=10.10.1.0/24, Destination=Any, Port=443, Action=Allow
Observed result: Admins from 10.10.1.25 cannot open the site on TCP 443.
Question 220 (easy, multiple choice)

Based on the exhibit, which next hop will Azure use for traffic from the VM to 10.50.1.20?

Exhibit

Effective routes for Subnet-Apps:
0.0.0.0/0 -> Virtual appliance 10.1.1.4
10.50.1.0/24 -> Internet
10.0.0.0/8 -> Virtual network
Observed destination: 10.50.1.20
Question 221 (medium, multi select)

Backend VMs are rebuilt often and get new private IP addresses. Frontend VMs must reach them only on TCP 8443, and the rule should keep working after rebuilds. Which two actions should the administrator take? Select two.

Question 222 (medium, multiple choice)

An existing application in AppSubnet1 must access an Azure Storage account. The team does not want to add a private endpoint or change DNS records, but they do want to allow access only from AppSubnet1. Which configuration should the administrator use?

Question 223 (medium, multiple choice)

Two application teams created separate VNets for independent workloads. VNet-A uses 10.40.0.0/16 and VNet-B uses 10.40.128.0/17. The teams want to peer the VNets so both apps can communicate privately. What should the administrator do first?

Question 224 (medium, multi select)

An app on a VM must connect to Azure SQL Database without using the public endpoint. The database name must resolve to a private IP inside the VNet, and public network access should be disabled. Which two actions should the administrator take? Select two.

Question 225 (medium, multiple choice)

Based on the exhibit, web servers can reach a backend VM only after it is added to a specific group. What should the administrator change to allow the traffic to match the existing NSG rule?

Exhibit

NSG rule on ApiSubnet:
Priority 200  Allow-WebToApi  Source: ASG-Web  Destination: ASG-Api  Protocol: TCP  Port: 8443
Priority 300  Deny-All-Other  Source: Any      Destination: Any      Protocol: Any  Port: *
VM inventory:
web01 NIC: Member of ASG-Web
api01 NIC: Not a member of ASG-Api
Symptom: TCP 8443 connections from web01 to api01 are denied.
Question 226 (medium, multiple choice)

An application running on a VM in a subnet must access an Azure Storage account. The security team wants the storage account to accept traffic only from that subnet, but they do not want a private IP address in the VNet and they do not want to change DNS records. What should the administrator configure?

Question 227 (easy, multiple choice)

A team manages many application VMs and backend VMs. The VM IP addresses change whenever they are rebuilt, but the same traffic rule must always allow the app tier to reach the backend tier on TCP 8443. What should the administrator use in the NSG rule?

Question 228 (easy, multiple choice)

Two application teams created separate virtual networks so their workloads can communicate through VNet peering. VNet-A uses 10.20.0.0/16. VNet-B was created with 10.20.128.0/17. The peering request fails during validation. What is the best fix?

Question 229 (medium, multi select)

A storage account must remain on its public endpoint, but only one Azure subnet named AppSubnet should be allowed to access it from Azure. No private IP is required. Which two actions should the administrator take? Select two.

Question 230 (medium, multi select)

A subnet already has a 0.0.0.0/0 route that sends traffic to a virtual appliance at 10.1.1.4. One server in that subnet must reach 172.16.1.0/24 directly through the Internet, while all other traffic should still use the appliance. Which two actions are required? Select two.

Question 231 (medium, multiple choice)

A web app running on an Azure VM must connect to an Azure SQL Database instance. The security team requires the database to be reachable through a private IP inside the VNet, and the application should keep using the normal SQL server name without any connection string change. What should the administrator implement?

Question 232 (medium, multiple choice)

A hub VNet already has a VPN gateway connected to on-premises. A new spoke VNet must reach on-premises through the hub gateway and should not deploy its own gateway. What configuration should be enabled on the peering?

Question 233 (easy, multiple choice)

Based on the exhibit, two development virtual networks must be peered so the workloads can exchange traffic directly. What should the administrator do first?

Exhibit

VNet-DevA address space: 10.20.0.0/16
VNet-DevB address space: 10.20.128.0/17
Peering status: Not created
Deployment note: The peering wizard returns an address space overlap error.
Question 234 (easy, multiple choice)

A VM in a subnet must send traffic to 172.16.0.0/16 through a network virtual appliance, but all other destinations should continue using the default Azure system routes. What should the administrator add to the subnet route table?

Question 235 (medium, multiple choice)

Backend virtual machines are rebuilt frequently and often receive different private IP addresses. An administrator must allow the frontend tier to reach the backend tier on TCP 8443 without editing NSG rules every time the backend IP changes. What should the administrator use in the NSG rule?

Question 236 (medium, multiple choice)

An administrator is deploying a new VPN gateway in an existing VNet. The GatewaySubnet currently uses a /28 range, and the deployment fails because the selected gateway configuration does not have enough available IP addresses. What is the best action?

Question 237 (medium, multiple choice)

A company has frontend and backend VMs in the same subnet. Security rules must allow the frontend tier to reach only the backend tier on TCP 443, without assigning rules to individual VM IP addresses. What should the administrator use in the NSG rule?

Question 238 (medium, multiple choice)

A VM-based application must connect to Azure SQL Database over a private IP inside the VNet. The SQL server name must resolve to that private IP, and public network access must remain disabled. What should the administrator deploy?

Question 239 (medium, multiple choice)

A web app in VNet1 must access a storage account by using a private IP address, and the storage account has public network access disabled. The app resolves the storage FQDN from inside the VNet. What should you deploy?

Question 240 (easy, multiple choice)

An administrator needs two non-overlapping VNets in the same region to communicate directly over private IP addresses without deploying a gateway. What should be configured?

Question 241 (easy, multi select)

A team wants an Azure VM in a subnet to reach a storage account securely without opening the account to the entire internet. Which two configuration choices can be used to achieve this? Select two.

Question 242 (medium, multiple choice)

A storage account has public network access disabled. An application runs on a VM in a VNet and must access the storage account over a private IP address. The team also wants the storage name to resolve to a private address inside the VNet without changing application code. What should the administrator create?

Question 243 (medium, multiple choice)

A VM in a spoke subnet must send all traffic destined for 172.16.0.0/12 to a firewall appliance at 10.1.1.4. All other destinations should continue to use Azure system routes. Which user-defined route should the administrator add to the subnet route table?

Question 244 (hard, multiple choice)

A storage account must remain reachable through its public endpoint for an on-premises integration server, but only one Azure subnet should be allowed to access it from Azure. The team does not want private endpoints or DNS changes. What should the administrator configure?

Question 245 (medium, multiple choice)

A hub VNet is peered to two spoke VNets. The spokes can reach the hub, but they cannot communicate with each other through the hub. The administrator wants centralized inspection in the hub. What should be deployed and configured?

Question 246 (medium, multiple choice)

Frontend VMs in one subnet must reach backend VMs on TCP 8443. The backend VMs are rebuilt frequently, so their private IP addresses change often. The administrator wants to avoid updating NSG rules every time the backend IPs change. What should be used in the NSG rule?

Question 247 (medium, multiple choice)

A Linux VM in a subnet must accept SSH only from the corporate admin subnet 10.8.4.0/24. The subnet NSG currently has an Allow-SSH rule for Any at priority 300 and a Deny-SSH rule for Any at priority 200. Administrators from 10.8.4.0/24 still cannot connect. What change should the administrator make?

Question 248 (medium, multiple choice)

A storage account has public network access disabled. An app in a VNet must read and write blobs privately, and the team wants the blob endpoint name to resolve to a private IP without exposing the service publicly. What should the administrator configure?

Question 249 (medium, multiple choice)

An administrator is deploying a site-to-site VPN gateway in an existing VNet. The GatewaySubnet already exists, but deployment validation fails because the gateway has no public-facing IP resource. Which configuration is required?

Question 250 (easy, multi select)

An app must resolve a storage account name to the private IP address created by a private endpoint. Which two actions are required? Select two.

Question 251 (hard, multiple choice)

A company has VNet-A with address space 10.20.0.0/16 and active workloads in several subnets. The team must peer VNet-A with VNet-B, but VNet-B currently uses 10.20.128.0/17 and cannot be rebuilt from scratch. What should the administrator do first to make peering possible without interrupting current workloads?

Question 252 (easy, multiple choice)

Based on the exhibit, the VPN gateway deployment fails during validation. What resource is missing?

Exhibit

Azure portal validation output:
Resource group: rg-network
Virtual network: vnet-hub
Subnet: GatewaySubnet exists
Error: The virtual network gateway requires a public IP address to terminate VPN connections.
Question 253 (medium, multiple choice)

A company merged with another business, and two Azure virtual networks need to be peered for shared application access. One VNet uses 10.20.0.0/16 and the other uses 10.20.128.0/17. The administrator must make the peering work with minimal operational complexity. What should be done first?

Question 254 (medium, multiple choice)

A subnet uses a user-defined route that sends 0.0.0.0/0 to a firewall appliance. One server in the subnet must download updates directly from 40.90.10.25 over the Internet, while all other outbound traffic should continue through the firewall. What is the best change?

Question 255 (easy, multiple choice)

Based on the exhibit, the spoke virtual network must use the hub's existing VPN gateway to reach on-premises networks. Which peering setting should be enabled on the spoke-to-hub peering?

Exhibit

Hub-and-spoke topology:
- Hub VNet contains an active VPN gateway.
- Spoke VNet has no gateway.
- Requirement: Spoke resources must route on-premises traffic through the hub gateway.
- Current spoke-to-hub peering settings: Allow virtual network access = Enabled, Use remote gateways = Disabled.
Question 256 (medium, multiple choice)

An NSG outbound rule allows TCP 8443 traffic from ASG-Web to ASG-Api. The web VM NIC is in ASG-Web, but the API VM NICs were deployed into the correct subnet and never added to ASG-Api. The traffic still fails. What should the administrator do?

Question 257 (medium, multiple choice)

A company needs to peer VNet-Prod, which uses 10.30.0.0/16, with VNet-Shared, which uses 10.30.64.0/18. The peering creation fails with an address-space overlap error. The team can renumber the shared environment, but they do not want to change any addresses in VNet-Prod. What should the administrator do before retrying the peering?

Question 258 (medium, multi select)

An administrator is preparing an Azure site-to-site VPN gateway deployment for an existing VNet. Which two prerequisites must be in place for the gateway to deploy successfully? Select two.

Question 259 (medium, multiple choice)

An app running on an Azure VM must access Azure SQL Database over a private IP inside the VNet. The team also wants the SQL server name to resolve to that private address without using custom host-file entries. What should be configured?

Question 260 (medium, multiple choice)

A VM has an NSG with these inbound rules: Deny-RDP at priority 100 for TCP 3389 from Any, and Allow-RDP-Admins at priority 200 for TCP 3389 from 10.8.1.0/24. Admins from 10.8.1.0/24 still cannot connect by RDP. What change fixes access while keeping all other sources blocked?

Question 261 (medium, multiple choice)

A storage account has public network access disabled. A VM in VNet-App can reach a private endpoint for the account, but the storage name still resolves to the public IP address from the VM, and connections are denied. What should the administrator configure?

Question 262 (medium, multiple choice)

An administrator is deploying a site-to-site VPN gateway in Azure. The GatewaySubnet already exists, but the deployment fails because no public-facing address is available for the gateway. What is required for the gateway to deploy and accept the on-premises connection?

Question 263 (medium, multiple choice)

A team wants one subnet to access an existing Storage account over its public endpoint. They do not want a private IP for the account or any DNS changes, but they want to block access from all other subnets. What should the administrator configure?

Question 264 (medium, multiple choice)

A subnet has an NSG with these inbound rules: priority 100 denies TCP 443 from Any, and priority 200 allows TCP 443 from an Application Security Group named WebFrontEnd. A backend VM in the subnet still does not accept traffic from the frontend tier. What should the administrator change?

Question 265 (easy, multiple choice)

An administrator is deploying a site-to-site VPN gateway in Azure. Which resource must be attached to the gateway so it can receive encrypted connections from the on-premises VPN device?

Question 266 (medium, multi select)

A web tier and API tier run in different subnets. The API subnet NSG currently has Deny-8443 from Any at priority 200 and Allow-8443-WebToApi from ASG-Web to ASG-Api at priority 300. Web requests on TCP 8443 are failing. Which two changes should the administrator make? Select two.

Question 267 (hard, matching)

Match each network design requirement or limitation on the left with the best Azure behavior or corrective action on the right.

Matches

The address spaces overlap, so one range must be changed before peering can be created.

Create VNet peering; it provides private connectivity without a VPN gateway.

Enable gateway transit on the hub peering and use remote gateways on the spoke peering.

VNet peering is not transitive, so A must be connected to C directly or routed through an appliance.

Create a new non-overlapping address space and migrate workloads before removing the old range.

Question 268 (hard, multiple choice)

An application in a VNet must access an Azure Storage account over a private IP address. Public network access is disabled on the storage account, and the app must resolve the normal blob FQDN to that private address only from within the VNet. What should the administrator configure?

Question 269 (medium, multiple choice)

An application subnet has an NSG outbound rule Deny-HTTPS at priority 200 for TCP 443 to Any. A second outbound rule Allow-HTTPS-API at priority 300 permits TCP 443 from ASG-Web to ASG-Api. Web servers can reach other ports but not the API. What change should the administrator make?

Question 270 (hard, multiple choice)

A subnet has a user-defined route for 10.0.0.0/8 with next hop Virtual appliance 10.1.1.4. The VNet is peered with VNet-Shared, whose address space is 10.12.0.0/16. A VM in the subnet sends traffic to 10.12.4.25. Which next hop will Azure use?

Question 271 (hard, matching)

Match each NSG or ASG scenario to the most accurate Azure security behavior.

Matches

The priority 200 deny is evaluated first and blocks the flow.

The destination NIC must be added to ASG-Api for the rule to match.

The service tag does not represent the workstation's IP; a rule for the real source or a VPN path is needed.

NSGs are stateful, so the return traffic is allowed automatically.

The lower-number deny rule wins because NSGs stop at the first matching rule.

Question 272 (medium, multiple choice)

A VM in a subnet must send traffic to 10.50.0.0/16 through an on-premises VPN gateway, while all other destinations should use the Internet. Which route should be added to the subnet's route table?

Question 273 (easy, multiple choice)

An NSG on a subnet has these inbound rules: Deny-All-Inbound at priority 100 and Allow-RDP-from-AdminSubnet at priority 200. Administrators on AdminSubnet still cannot RDP to a VM in the subnet. What should the network administrator change?

Question 274 (medium, multiple choice)

Based on the exhibit, an administrator is trying to peer two VNets so workloads can communicate privately. The peering creation fails. What should the administrator do first?

Exhibit

VNet-Prod address space: 10.40.0.0/16
VNet-Shared address space: 10.40.128.0/17
Operation result: Create peering failed
Error: Address space overlap detected between the selected virtual networks.

Question 275 (medium, multiple choice)

A subnet has a route table with these user-defined routes: 172.16.0.0/16 -> Virtual appliance 10.1.1.4 and 172.16.1.0/24 -> Internet. A VM in the subnet sends traffic to 172.16.1.20. Which next hop is used?

Question 276 (medium, multiple choice)

A subnet NSG contains a deny inbound rule for TCP 3389 from Any at priority 100 and an allow inbound rule for TCP 3389 from 10.4.1.0/24 at priority 200. Admin workstations in 10.4.1.0/24 cannot connect by RDP. What change should the administrator make?

Question 277 (medium, multiple choice)

An administrator is deploying a site-to-site VPN gateway in the Azure portal. The deployment fails validation because the gateway does not have a public-facing address to terminate the tunnel. What must be created and associated with the VPN gateway?

Question 278 (hard, matching)

Match each routing situation to the next-hop or route-selection behavior Azure will use.

Matches

Add a more specific /32 UDR for that public IP with next hop Internet.

The system route for the peered VNet prefix is more specific than the /8 UDR, so it wins unless a longer UDR is added.

The /24 route wins because Azure chooses the longest matching prefix.

Only resources in Subnet-A are affected; other subnets keep their own system or custom routes.

The /32 host route takes precedence over the broader prefix.

Question 279 (easy, multiple choice)

A subnet NSG contains a deny RDP rule from Any at priority 200. The administrator must allow RDP from 10.8.0.0/24 to the virtual machines in that subnet. What should the administrator do?

Question 280 (hard, matching)

Match each storage or PaaS access requirement to the correct Azure networking approach or DNS action.

Matches

Create a private endpoint and link the correct private DNS zone to the VNet.

Use a service endpoint on the subnet and allow that subnet in the storage account network rules.

The private DNS zone is missing, not linked to the VNet, or the record has not been populated.

Use a service endpoint with a network rule on the SQL server.

Use the storage firewall with a virtual network rule for AppSubnet; if the on-premises source also needs access, allow its public IP separately. No private endpoint is required.

Question 281 (hard, multiple choice)

An administrator is deploying a route-based site-to-site VPN gateway. The GatewaySubnet already exists, but validation fails because the public IP configuration is incompatible with the chosen gateway. Which public IP setup is required for the gateway?

Question 282 (medium, multiple choice)

An administrator is deploying an Azure VPN gateway for a site-to-site connection. The deployment fails because required network resources are missing. Which configuration is required before the gateway can be created?

Question 283 (medium, multi select)

You are designing an Azure virtual network for a three-tier application. The frontend, application, and database tiers each require their own subnet. You need to ensure that the frontend tier can communicate with the application tier, but the database tier must be isolated from direct inbound traffic from the internet. Which three of the following actions should you include in your design? (Choose three.)

Question 284 (medium, multi select)

Your company has two Azure virtual networks in the same region: VNetA (10.0.0.0/16) and VNetB (10.1.0.0/16). You need to enable communication between resources in VNetA and VNetB while ensuring that traffic is encrypted and passes over the Microsoft backbone network. Which three of the following must be configured? (Choose three.)

Question 285 (medium, multi select)

You manage an Azure virtual network with multiple subnets, including a subnet named 'AppSubnet' that hosts critical application servers. You need to monitor and log network traffic to and from AppSubnet for security analysis. The solution must capture all flow logs without impacting application performance. Which three of the following should you implement? (Choose three.)

Question 286 (medium, multi select)

You are designing a virtual networking solution for a critical application deployed across multiple Azure regions. You need to ensure secure, high-performance, and resilient connectivity between the virtual networks. Which four of the following options should you consider? (Choose four.)

Question 287 (medium, drag order)

Order the steps to recover an Azure VM using Azure Backup.

Question 288 (medium, drag order)

Arrange the steps to deploy an Azure Policy that enforces tagging on resources.
