Common Traps on Refer to the Exhibit Practice Questions
- ·Do not answer from memory before reading the topology or output.
- ·Check the exact device, interface, VLAN, route or service mentioned in the question.
- ·Look for small details: allowed VLANs, route preference, subnet masks, security rules and next-hop choices.
Sample Questions
Practice all 7 →A company has a hub-spoke network topology in Azure. They have multiple spoke VNets connected to a hub VNet via peering. They need to ensure that all east-west traffic between spoke VNets goes through a network virtual appliance (NVA) in the hub for inspection. Additionally, all outbound internet traffic from spoke VMs must use a single public IP address. What should they configure?
Explanation: To route east-west traffic through the NVA, you need to configure user-defined routes (UDRs) in each spoke VNet that point the traffic destined for other spoke VNet address spaces to the NVA's IP address. You also must enable 'Allow forwarded traffic' on the VNet peering connection from the hub to the spokes so that the NVA can forward traffic. For outbound internet traffic, you can deploy Azure Firewall in the hub and configure a default route (0.0.0.0/0) in the spokes pointing to Azure Firewall (or the NVA if it also does NAT). Azure Firewall can provide a single public IP for all outbound traffic. Option D correctly describes these components. Option A uses NAT gateway which works for outbound but does not route east-west traffic through the NVA. Option B mentions Azure Firewall for outbound but lacks the specific route configuration for east-west. Option C assumes gateway transit, but NVA is not a VPN gateway.
A company is designing a hub-spoke network topology in Azure. The hub contains a third-party network virtual appliance (NVA) for inspection. Spokes need to communicate with each other, and all inter-spoke traffic must be routed through the NVA in the hub. Which configuration should they use?
Explanation: User-defined routes (UDRs) on the spoke subnets can force traffic destined for other spokes to go through the NVA in the hub. The UDR sets the next hop to the private IP address of the NVA, ensuring inspection.
A company has multiple Azure VNets deployed in a hub-spoke topology. They want to inspect all outbound internet traffic from spoke VMs using a central firewall and ensure that traffic from all VNets goes through the firewall before reaching the internet. They also need to log all outbound connections. Which architecture should they implement?
Explanation: The recommended architecture is to deploy Azure Firewall in the hub VNet and configure forced tunneling for all spoke VNets to route internet-bound traffic through the firewall. This is achieved by creating a route table in each spoke with a default route (0.0.0.0/0) pointing to the firewall's private IP. The firewall can then inspect and log traffic. Deploying NVAs in each spoke is costly and complex. Azure Application Gateway is not a firewall. Forced tunneling in Azure typically requires a route table with a next hop of a virtual appliance.
A company has multiple Azure virtual networks (VNets) in different regions and an on-premises data center connected via ExpressRoute. They need to implement a hub-and-spoke topology where a hub VNet hosts shared network virtual appliances (NVAs) for traffic inspection. All traffic between spokes and between spokes and on-premises must be routed through the hub. The company wants to minimize the administrative overhead of configuring and maintaining routing. Which Azure solution should they implement?
Explanation: Azure Virtual WAN with a secured virtual hub provides a managed hub-and-spoke architecture with automatic routing. It handles transitive routing between spokes and on-premises without manual route tables or user-defined routes. VNet peering with UDRs and Route Server requires significant manual configuration. A single VNet does not scale across regions. Azure Firewall requires custom route propagation.
A company has multiple on-premises sites and Azure VNets in different regions. They need to connect all networks with a single mesh topology, ensuring that any network can communicate with any other network directly. They also want to minimize administrative overhead. Which Azure service should they use?
Explanation: Azure Virtual WAN (vWAN) is a networking service that provides a hub-and-spoke or full mesh architecture with built-in SD-WAN capabilities, simplifying connectivity between branches, VNets, and on-premises. It handles routing automatically and reduces administrative overhead. VPN Gateway would require multiple site-to-site connections and user-defined routes. ExpressRoute provides dedicated private connections but not a mesh topology. Peering Service is not a mesh connectivity solution.
+2 more scenario questions available
Practice all Refer to the Exhibit Practice QuestionsRelated Topics
Frequently asked questions
How do "Refer to the Exhibit Practice Questions" appear on the real AZ-305?
Practise exhibit-style questions that ask you to read a topology, table, command output or diagram before choosing the best answer. These appear throughout the AZ-305 and require you to apply your knowledge, not just recall facts.
How many scenario questions are on the AZ-305 exam?
Cisco doesn't publish an exact breakdown, but scenario-based questions (especially exhibit and command-output formats) make up a significant portion of the AZ-305. Practicing each scenario type ensures you're ready for any format.
Are these AZ-305 scenario practice questions free?
Yes — all scenario practice on Courseiva is completely free. Sign up for a free account to track your progress and see which scenario types you've mastered.
Ready to practice this scenario type?
Launch a full Refer to the Exhibit Practice Questions session with instant scoring and detailed explanations.
Start Scenario Practice →