Courseiva
Knowledge + Practice
CertificationsVendorsCareer RoadmapsLabs & ToolsStudy GuidesGlossaryPractice Questions
C
Courseiva

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.

Certification Practice Questions

CCNA practice questionsSecurity+ SY0-701 practice questionsAWS SAA-C03 practice questionsAZ-104 practice questionsAZ-900 practice questionsCLF-C02 practice questionsA+ Core 1 practice questionsGoogle Cloud ACE practice questionsCySA+ CS0-003 practice questionsNetwork+ N10-009 practice questions
View all certifications →

Product

CertificationsCertification PathsExam TopicsPractice TestsExam Dumps vs Practice TestsStudy HubComparisons

Company

AboutContactEditorial PolicyQuestion Writing PolicyTrust Center

Legal

Privacy PolicyTerms of Service

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

Certifications›AZ-500›Objectives›Secure networking
Objective 2.0

Secure networking

AZ-500 Practice Questions

Use this page to practise Secure networking questions for this certification. Focus on how the exam tests secure networking in scenario format — understanding the why behind each answer builds more durable knowledge than memorising options.

Full Practice Test →All Objectives

What this objective tests

AZ-500 Secure networking — Key Topics

Secure networking questions on this certification test your ability to deploy and manage secure networking concepts in scenario-based situations.

  • Core Secure networking concepts and how they apply in real-world cloud scenarios.
  • How to deploy secure networking correctly and verify the outcome.
  • Troubleshooting secure networking issues by interpreting error output and system state.
  • Cloud best practices and Secure networking design trade-offs tested by this certification.

Common exam traps

Where candidates lose marks on Secure networking

  • ⚠Selecting the most expensive service when a simpler managed option meets the requirement.
  • ⚠Forgetting that cloud resources must be explicitly secured — defaults are rarely secure.
  • ⚠Choosing a global service fix when the issue is region-specific.
  • ⚠Overlooking cost implications of cross-region data transfer in architecture questions.

AZ-500 Secure networking — Practice Questions

30 questions from this objective

Question 2hardmultiple choice
Review the full subnetting walkthrough →

A company has a hub-spoke network topology. The hub virtual network contains an Azure Firewall and an ExpressRoute gateway for on-premises connectivity. The spoke virtual network hosts a critical application. They need to ensure that all outbound traffic from the spoke to the internet and to on-premises networks is routed through the Azure Firewall. They configure a user-defined route (UDR) on the spoke subnet with address prefix 0.0.0.0/0 and next hop as the Azure Firewall's private IP. They also disable 'Virtual network gateway route propagation' on the spoke subnet. However, traffic to on-premises still bypasses the firewall and goes through the ExpressRoute gateway. What is the most likely cause?

Question 3hardmultiple choice
Read the full VPN explanation →

Your company has an Azure subscription with a hub-spoke network topology. The hub contains an Azure Firewall and a VPN gateway for on-premises connectivity. The spoke virtual network hosts a critical application. You need to ensure that all outbound traffic from the spoke to the internet and on-premises networks flows through the Azure Firewall. You configure a user-defined route (UDR) on the spoke subnet with the default route (0.0.0.0/0) pointing to the Azure Firewall private IP. However, traffic to on-premises still bypasses the firewall. What is the most likely cause?

Question 4hardmultiple choice
Review the full subnetting walkthrough →

A company has an Azure virtual network that uses Azure Firewall as the central traffic inspection point. They have a spoke VNet peered to the hub VNet. The spoke VNet contains a subnet with virtual machines. The security team wants to ensure that all outbound traffic from those virtual machines to the internet goes through the Azure Firewall. They have configured a route table on the spoke subnet with a default route (0.0.0.0/0) to the Azure Firewall's private IP. However, traffic from the VMs is still going directly to the internet. What is the most likely cause?

Question 5hardmultiple choice
Review the full subnetting walkthrough →

A company has a hub-spoke network topology with Azure Firewall deployed in the hub virtual network. Spoke virtual networks are peered to the hub. The security team needs to ensure that all outbound internet traffic from virtual machines in a spoke subnet goes through the Azure Firewall. They have configured a route table on the spoke subnet with a default route (0.0.0.0/0) pointing to the Azure Firewall private IP address. However, traffic from spoke VMs is still bypassing the firewall and going directly to the internet. What is the most likely reason?

Question 6hardmultiple choice
Review the full subnetting walkthrough →

A company has two Azure virtual networks: VNet-A and VNet-B. They peer the VNets and deploy a network virtual appliance (NVA) in VNet-A. They want to inspect all outbound traffic from VNet-B to the internet using the NVA. They configure a user-defined route (UDR) in a route table associated with the subnet in VNet-B, with a default route (0.0.0.0/0) and next hop set to the private IP of the NVA in VNet-A. However, outbound traffic from VNet-B still goes directly to the internet. What is the most likely cause?

Question 7hardmultiple choice
Read the full NAT/PAT explanation →

A company has two Azure virtual networks, VNet-A (hub) and VNet-B (spoke), connected via VNet peering. They deploy a network virtual appliance (NVA) in a subnet in VNet-A to inspect all traffic between the VNets. They configure a user-defined route (UDR) on the subnet in VNet-B with the destination address space of VNet-A (10.0.0.0/16) and the next hop set to the private IP of the NVA. However, traffic from VNet-B to VNet-A still bypasses the NVA and takes a direct path. What is the most likely cause?

Question 8mediummultiple choice
Read the full NAT/PAT explanation →

A company has an Azure virtual network with a subnet that hosts Azure virtual machines. They want to restrict access to an Azure SQL Database so that only traffic originating from that specific subnet is allowed. They have enabled a service endpoint for Microsoft.Sql on the subnet and configured the SQL server firewall to allow only that subnet's virtual network rule. However, connections from the VMs to the SQL database are failing with an authorization error. What is the most likely cause?

Question 9hardmultiple choice
Read the full NAT/PAT explanation →

A company has two Azure virtual networks, VNet-A (hub) and VNet-B (spoke), connected via VNet peering. They deployed a network virtual appliance (NVA) in a subnet in VNet-A to inspect all traffic. They configured a user-defined route (UDR) on the subnet in VNet-B that points the VNet-A address space (10.0.0.0/16) to the private IP of the NVA. However, traffic initiated from VNet-B to VNet-A still takes a direct path and bypasses the NVA. What is the most likely cause?

Question 10hardmultiple choice
Read the full NAT/PAT explanation →

A company has two Azure virtual networks, VNet-A and VNet-B, connected via VNet peering. They want all traffic between the VNets to be inspected by a network virtual appliance (NVA) deployed in a subnet in VNet-A. They have configured a user-defined route (UDR) on the subnet in VNet-B that points the destination address space of VNet-A to the private IP of the NVA. However, traffic between the VNets is still not passing through the NVA. What is the most likely cause?

Question 11hardmultiple choice
Review the full subnetting walkthrough →

A company has an Azure virtual network (VNet) with multiple subnets. They deploy Azure Firewall in a hub VNet and peer spoke VNets. They want to force-tunnel all outbound traffic from a specific spoke subnet to the firewall for inspection. They have configured a route table on the spoke subnet with a default route (0.0.0.0/0) pointing to the Azure Firewall's private IP as the next hop. However, traffic is still bypassing the firewall. What is the most likely cause?

Question 12mediummultiple choice
Read the full NAT/PAT explanation →

Your company has two Azure virtual networks: VNet-A (10.0.0.0/16) and VNet-B (10.1.0.0/16). They are connected via VNet peering. You deploy a network virtual appliance (NVA) in a subnet in VNet-A to inspect all traffic between the VNets. You configure a user-defined route (UDR) on the subnet in VNet-B that points the address space of VNet-A (10.0.0.0/16) to the next hop as the private IP of the NVA. However, traffic from VNet-B to VNet-A still bypasses the NVA and takes the direct peered path. What is the most likely cause?

Question 13hardmultiple choice
Read the full VPN explanation →

A company has two Azure virtual networks (VNet-A and VNet-B) connected via VNet peering. They need to ensure that all traffic between the two VNets is encrypted using IPsec and that no traffic can bypass the encryption. The security team has enabled the 'Use remote virtual network gateways' setting on the peering. However, traffic is still flowing unencrypted. What additional configuration is required to enforce encryption for all traffic between the VNets?

Question 14mediummultiple choice
Review the full subnetting walkthrough →

A company is designing a hub-spoke network topology with Azure Firewall in the hub virtual network. Spoke virtual networks are peered to the hub. They want to ensure that all outbound internet traffic from virtual machines in a spoke subnet goes through the Azure Firewall. They have configured a route table on the spoke subnet with a default route (0.0.0.0/0) pointing to the Azure Firewall's private IP address as the next hop. However, traffic is still bypassing the firewall. What is the most likely cause?

Question 15mediummultiple choice
Review the full subnetting walkthrough →

A company has an Azure virtual network with a subnet that hosts a web application. They need to allow inbound HTTP (port 80) and HTTPS (port 443) traffic from a specific source IP range (203.0.113.0/24) to the web servers. Additionally, they need to allow inbound RDP (port 3389) traffic from a management subnet (10.0.1.0/24). They want to block all other inbound traffic. They are using a network security group (NSG) associated with the subnet. What is the minimum number of inbound security rules required?

Question 16hardmultiple choice
Review the full routing breakdown →

A company has an Azure SQL Database with a private endpoint connection. The database is accessed from on-premises via ExpressRoute and from other Azure virtual networks (VNets) via VNet peering. The security team wants to ensure that all queries from both on-premises and peered VNets go through the private endpoint and NEVER use the public endpoint, even as a fallback. Which additional configuration is required to enforce this?

Question 17mediummultiple choice
Read the full NAT/PAT explanation →

A company runs a global web application on Azure App Service instances deployed in multiple Azure regions. They want to protect the application from common web attacks such as SQL injection and cross-site scripting (XSS) using a centralized set of managed rules that can be automatically updated. They also need to improve performance by terminating traffic at the nearest point of presence (POP) to end users. Which Azure service should they deploy in front of the App Service?

Question 18mediummultiple choice
Review the full subnetting walkthrough →

A company has an Azure virtual network with two subnets: App and Data. The App subnet hosts web servers, and the Data subnet hosts SQL databases. Security policy requires that only HTTPS traffic from the App subnet is allowed to the Data subnet, and all other inbound traffic to the Data subnet must be blocked. The solution must use a single network security group (NSG) associated to the Data subnet. Which NSG inbound rule configuration meets the requirement?

Question 19mediummultiple choice
Review the full subnetting walkthrough →

A company deploys Azure Firewall in a hub VNet to inspect all outbound traffic from a spoke VNet. They enable VNet peering between the hub and spoke. They create a route table with a default route (0.0.0.0/0) pointing to the firewall's private IP as the next hop, and associate it with the spoke subnets. However, outbound traffic from the spoke subnets is still going directly to the internet, bypassing the firewall. What is the most likely cause?

Question 20mediummultiple choice
Review the full subnetting walkthrough →

A company has an Azure virtual network with a subnet hosting internal web applications. The security team needs to allow inbound HTTPS traffic only from the company's corporate network IP range (203.0.113.0/24). All other inbound traffic must be denied. They want to use a network security group (NSG) associated with the subnet. Which inbound security rule configuration meets this requirement?

Question 21easymultiple choice
Review the full subnetting walkthrough →

A company deploys multiple Azure virtual machines across several subnets in a virtual network. The VMs are grouped by application tiers: web, application, and database. The security team wants to apply network security group (NSG) rules that target all VMs in a specific tier, and they need a way to easily add or remove VMs from these groups without updating NSG rules. Which Azure feature should they use to define these logical VM groups?

Question 22mediummultiple choice
Review the full subnetting walkthrough →

A company has an Azure virtual network with a subnet that contains virtual machines. They have deployed Azure Firewall in a hub VNet and peered the spoke VNet to the hub. They have configured a route table on the spoke subnet with a default route (0.0.0.0/0) pointing to the Azure Firewall's private IP as the next hop. However, traffic from the VMs is still going directly to the internet. What is the most likely cause?

Question 23mediummultiple choice
Review the full routing breakdown →

A company has a hub-spoke network topology in Azure. The spoke virtual networks contain Azure virtual machines that need to access the internet. The security team requires that all outbound internet traffic from the spoke VMs passes through the Azure Firewall deployed in the hub virtual network for inspection and logging. Which configuration should be implemented to ensure this traffic is routed through the firewall?

Question 24mediummultiple choice
Full question →

A company has two application tiers: web servers and application servers. They want to allow traffic from the web servers to the application servers on port 8080, but only for a specific set of web servers. They have deployed the web servers in an Availability Set and want to use a single NSG rule to allow traffic from any web server that is part of that application tier. Which component should they use?

Question 25mediummultiple choice
Review the full subnetting walkthrough →

A company has an Azure virtual network with a subnet hosting web servers. The security policy requires that all inbound HTTP traffic must be sourced from a specific IP address range (203.0.113.0/24). All other inbound traffic must be denied. The subnet is associated with a network security group (NSG). Which set of inbound rules should they configure?

Question 26mediummultiple choice
Read the full DNS explanation →

A company uses Azure Firewall to filter outbound traffic. They want to ensure that all DNS queries from virtual machines in a spoke VNet are routed through the Azure Firewall for logging and inspection. They have already configured the firewall to use a custom DNS server. Which additional Azure Firewall feature must be enabled to ensure that the VMs use the firewall as a DNS proxy?

Question 27hardmultiple choice
Read the full VPN explanation →

A company wants to deploy an Azure VPN Gateway in active-active mode to ensure high availability for their site-to-site VPN connection. They have two on-premises VPN devices, each with a distinct public IP address. What is the minimum configuration required for the Azure VPN Gateway to utilize both on-premises devices?

Question 28mediummultiple choice
Full question →

A company has several Azure virtual machines (VMs) in a VNet that host a legacy application. IT support staff need to perform remote administration using RDP. The security team wants to avoid exposing the VMs to the public internet and also enforce Azure Multi-Factor Authentication (MFA) for all RDP sessions. Which Azure service should they deploy to meet these requirements?

Question 29easymultiple choice
Full question →

A company has multiple on-premises web applications that need to be securely published for remote employees. The company uses Azure AD for identity management and wants to apply Conditional Access policies, including multi-factor authentication, to these applications. The security team wants to avoid exposing the on-premises infrastructure to the internet directly. Which Azure service should they deploy to meet these requirements?

Question 30hardmultiple choice
Read the full NAT/PAT explanation →

A company has a hub-spoke network topology in Azure. They need to inspect and filter all traffic flowing between spoke virtual networks for malicious content and require that the inspection is stateful. Which Azure-native service should they deploy in the hub virtual network to meet this requirement?

Question 31mediummultiple choice
Full question →

A company runs a public-facing web application on Azure App Service in the West US region. They want to protect against network-layer (Layer 3/4) DDoS attacks. The application consists of a single App Service instance. Which Azure DDoS Protection tier should they enable to meet this requirement while minimizing cost?

More Secure networking questions available in the full practice test.

Continue Practising →
←

Previous objective

Manage identity and access

All AZ-500 Objectives

  • 1.Manage identity and access
  • 2.Secure networking