© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

AZ-500 Secure networking • Complete Question Bank

AZ-500 Secure networking — All Questions With Answers

Complete AZ-500 Secure networking question bank: all questions with answers and detailed explanations.

237 questions · Free · No signup
Question 1 (hard, multiple choice)

A company has a hub-spoke network topology. The hub virtual network contains an Azure Firewall and an ExpressRoute gateway for on-premises connectivity. The spoke virtual network hosts a critical application. They need to ensure that all outbound traffic from the spoke to the internet and to on-premises networks is routed through the Azure Firewall. They configure a user-defined route (UDR) on the spoke subnet with address prefix 0.0.0.0/0 and the next hop set to the Azure Firewall's private IP. They also disable 'Virtual network gateway route propagation' on the spoke subnet. However, traffic to on-premises still bypasses the firewall and goes through the ExpressRoute gateway. What is the most likely cause?

Question 2 (hard, multiple choice)

Your company has an Azure subscription with a hub-spoke network topology. The hub contains an Azure Firewall and a VPN gateway for on-premises connectivity. The spoke virtual network hosts a critical application. You need to ensure that all outbound traffic from the spoke to the internet and on-premises networks flows through the Azure Firewall. You configure a user-defined route (UDR) on the spoke subnet with the default route (0.0.0.0/0) pointing to the Azure Firewall private IP. However, traffic to on-premises still bypasses the firewall. What is the most likely cause?

Question 3 (hard, multiple choice)

A company has an Azure virtual network that uses Azure Firewall as the central traffic inspection point. They have a spoke VNet peered to the hub VNet. The spoke VNet contains a subnet with virtual machines. The security team wants to ensure that all outbound traffic from those virtual machines to the internet goes through the Azure Firewall. They have configured a route table on the spoke subnet with a default route (0.0.0.0/0) to the Azure Firewall's private IP. However, traffic from the VMs is still going directly to the internet. What is the most likely cause?

Question 4 (hard, multiple choice)

A company has a hub-spoke network topology with Azure Firewall deployed in the hub virtual network. Spoke virtual networks are peered to the hub. The security team needs to ensure that all outbound internet traffic from virtual machines in a spoke subnet goes through the Azure Firewall. They have configured a route table on the spoke subnet with a default route (0.0.0.0/0) pointing to the Azure Firewall private IP address. However, traffic from spoke VMs is still bypassing the firewall and going directly to the internet. What is the most likely reason?

Question 5 (hard, multiple choice)

A company has two Azure virtual networks: VNet-A and VNet-B. They peer the VNets and deploy a network virtual appliance (NVA) in VNet-A. They want to inspect all outbound traffic from VNet-B to the internet using the NVA. They configure a user-defined route (UDR) in a route table associated with the subnet in VNet-B, with a default route (0.0.0.0/0) and next hop set to the private IP of the NVA in VNet-A. However, outbound traffic from VNet-B still goes directly to the internet. What is the most likely cause?

Question 6 (hard, multiple choice)

A company has two Azure virtual networks, VNet-A (hub) and VNet-B (spoke), connected via VNet peering. They deploy a network virtual appliance (NVA) in a subnet in VNet-A to inspect all traffic between the VNets. They configure a user-defined route (UDR) on the subnet in VNet-B with the destination address space of VNet-A (10.0.0.0/16) and the next hop set to the private IP of the NVA. However, traffic from VNet-B to VNet-A still bypasses the NVA and takes a direct path. What is the most likely cause?

Question 7 (medium, multiple choice)

A company has an Azure virtual network with a subnet that hosts Azure virtual machines. They want to restrict access to an Azure SQL Database so that only traffic originating from that specific subnet is allowed. They have enabled a service endpoint for Microsoft.Sql on the subnet and configured the SQL server firewall to allow only that subnet's virtual network rule. However, connections from the VMs to the SQL database are failing with an authorization error. What is the most likely cause?

Question 8 (hard, multiple choice)

A company has two Azure virtual networks, VNet-A (hub) and VNet-B (spoke), connected via VNet peering. They deployed a network virtual appliance (NVA) in a subnet in VNet-A to inspect all traffic. They configured a user-defined route (UDR) on the subnet in VNet-B that points the VNet-A address space (10.0.0.0/16) to the private IP of the NVA. However, traffic initiated from VNet-B to VNet-A still takes a direct path and bypasses the NVA. What is the most likely cause?

Question 9 (hard, multiple choice)

A company has two Azure virtual networks, VNet-A and VNet-B, connected via VNet peering. They want all traffic between the VNets to be inspected by a network virtual appliance (NVA) deployed in a subnet in VNet-A. They have configured a user-defined route (UDR) on the subnet in VNet-B that points the destination address space of VNet-A to the private IP of the NVA. However, traffic between the VNets is still not passing through the NVA. What is the most likely cause?

Question 10 (hard, multiple choice)

A company has an Azure virtual network (VNet) with multiple subnets. They deploy Azure Firewall in a hub VNet and peer spoke VNets. They want to force-tunnel all outbound traffic from a specific spoke subnet to the firewall for inspection. They have configured a route table on the spoke subnet with a default route (0.0.0.0/0) pointing to the Azure Firewall's private IP as the next hop. However, traffic is still bypassing the firewall. What is the most likely cause?

Question 11 (medium, multiple choice)

Your company has two Azure virtual networks: VNet-A (10.0.0.0/16) and VNet-B (10.1.0.0/16). They are connected via VNet peering. You deploy a network virtual appliance (NVA) in a subnet in VNet-A to inspect all traffic between the VNets. You configure a user-defined route (UDR) on the subnet in VNet-B for the address space of VNet-A (10.0.0.0/16) with the next hop set to the private IP of the NVA. However, traffic from VNet-B to VNet-A still bypasses the NVA and takes the direct peered path. What is the most likely cause?

Question 12 (hard, multiple choice)

A company has two Azure virtual networks (VNet-A and VNet-B) connected via VNet peering. They need to ensure that all traffic between the two VNets is encrypted using IPsec and that no traffic can bypass the encryption. The security team has enabled the 'Use remote virtual network gateways' setting on the peering. However, traffic is still flowing unencrypted. What additional configuration is required to enforce encryption for all traffic between the VNets?

Question 13 (medium, multiple choice)

A company is designing a hub-spoke network topology with Azure Firewall in the hub virtual network. Spoke virtual networks are peered to the hub. They want to ensure that all outbound internet traffic from virtual machines in a spoke subnet goes through the Azure Firewall. They have configured a route table on the spoke subnet with a default route (0.0.0.0/0) pointing to the Azure Firewall's private IP address as the next hop. However, traffic is still bypassing the firewall. What is the most likely cause?

Question 14 (medium, multiple choice)

A company has an Azure virtual network with a subnet that hosts a web application. They need to allow inbound HTTP (port 80) and HTTPS (port 443) traffic from a specific source IP range (203.0.113.0/24) to the web servers. Additionally, they need to allow inbound RDP (port 3389) traffic from a management subnet (10.0.1.0/24). They want to block all other inbound traffic. They are using a network security group (NSG) associated with the subnet. What is the minimum number of inbound security rules required?

Question 15 (hard, multiple choice)

A company has an Azure SQL Database with a private endpoint connection. The database is accessed from on-premises via ExpressRoute and from other Azure virtual networks (VNets) via VNet peering. The security team wants to ensure that all queries from both on-premises and peered VNets go through the private endpoint and NEVER use the public endpoint, even as a fallback. Which additional configuration is required to enforce this?

Question 16 (medium, multiple choice)

A company runs a global web application on Azure App Service instances deployed in multiple Azure regions. They want to protect the application from common web attacks such as SQL injection and cross-site scripting (XSS) using a centralized set of managed rules that can be automatically updated. They also need to improve performance by terminating traffic at the nearest point of presence (POP) to end users. Which Azure service should they deploy in front of the App Service?

Question 17 (medium, multiple choice)

A company has an Azure virtual network with two subnets: App and Data. The App subnet hosts web servers, and the Data subnet hosts SQL databases. Security policy requires that only HTTPS traffic from the App subnet is allowed to the Data subnet, and all other inbound traffic to the Data subnet must be blocked. The solution must use a single network security group (NSG) associated with the Data subnet. Which NSG inbound rule configuration meets the requirement?

Question 18 (medium, multiple choice)

A company deploys Azure Firewall in a hub VNet to inspect all outbound traffic from a spoke VNet. They enable VNet peering between the hub and spoke. They create a route table with a default route (0.0.0.0/0) pointing to the firewall's private IP as the next hop, and associate it with the spoke subnets. However, outbound traffic from the spoke subnets is still going directly to the internet, bypassing the firewall. What is the most likely cause?

Question 19 (medium, multiple choice)

A company has an Azure virtual network with a subnet hosting internal web applications. The security team needs to allow inbound HTTPS traffic only from the company's corporate network IP range (203.0.113.0/24). All other inbound traffic must be denied. They want to use a network security group (NSG) associated with the subnet. Which inbound security rule configuration meets this requirement?

Question 20 (easy, multiple choice)

A company deploys multiple Azure virtual machines across several subnets in a virtual network. The VMs are grouped by application tiers: web, application, and database. The security team wants to apply network security group (NSG) rules that target all VMs in a specific tier, and they need a way to easily add or remove VMs from these groups without updating NSG rules. Which Azure feature should they use to define these logical VM groups?

Question 21 (medium, multiple choice)

A company has an Azure virtual network with a subnet that contains virtual machines. They have deployed Azure Firewall in a hub VNet and peered the spoke VNet to the hub. They have configured a route table on the spoke subnet with a default route (0.0.0.0/0) pointing to the Azure Firewall's private IP as the next hop. However, traffic from the VMs is still going directly to the internet. What is the most likely cause?

Question 22 (medium, multiple choice)

A company has a hub-spoke network topology in Azure. The spoke virtual networks contain Azure virtual machines that need to access the internet. The security team requires that all outbound internet traffic from the spoke VMs passes through the Azure Firewall deployed in the hub virtual network for inspection and logging. Which configuration should be implemented to ensure this traffic is routed through the firewall?

Question 23 (medium, multiple choice)

A company has two application tiers: web servers and application servers. They want to allow traffic from the web servers to the application servers on port 8080, but only for a specific set of web servers. They have deployed the web servers in an Availability Set and want to use a single NSG rule to allow traffic from any web server that is part of that application tier. Which component should they use?

Question 24 (medium, multiple choice)

A company has an Azure virtual network with a subnet hosting web servers. The security policy requires that all inbound HTTP traffic must be sourced from a specific IP address range (203.0.113.0/24). All other inbound traffic must be denied. The subnet is associated with a network security group (NSG). Which set of inbound rules should they configure?

Question 25 (medium, multiple choice)

A company uses Azure Firewall to filter outbound traffic. They want to ensure that all DNS queries from virtual machines in a spoke VNet are routed through the Azure Firewall for logging and inspection. They have already configured the firewall to use a custom DNS server. Which additional Azure Firewall feature must be enabled to ensure that the VMs use the firewall as a DNS proxy?

Question 26 (hard, multiple choice)

A company wants to deploy an Azure VPN Gateway in active-active mode to ensure high availability for their site-to-site VPN connection. They have two on-premises VPN devices, each with a distinct public IP address. What is the minimum configuration required for the Azure VPN Gateway to utilize both on-premises devices?

Question 27 (medium, multiple choice)

A company has several Azure virtual machines (VMs) in a VNet that host a legacy application. IT support staff need to perform remote administration using RDP. The security team wants to avoid exposing the VMs to the public internet and also enforce Azure Multi-Factor Authentication (MFA) for all RDP sessions. Which Azure service should they deploy to meet these requirements?

Question 28 (easy, multiple choice)

A company has multiple on-premises web applications that need to be securely published for remote employees. The company uses Azure AD for identity management and wants to apply Conditional Access policies, including multi-factor authentication, to these applications. The security team wants to avoid exposing the on-premises infrastructure to the internet directly. Which Azure service should they deploy to meet these requirements?

Question 29 (hard, multiple choice)

A company has a hub-spoke network topology in Azure. They need to inspect and filter all traffic flowing between spoke virtual networks for malicious content and require that the inspection is stateful. Which Azure-native service should they deploy in the hub virtual network to meet this requirement?

Question 30 (medium, multiple choice)

A company runs a public-facing web application on Azure App Service in the West US region. They want to protect against network-layer (Layer 3/4) DDoS attacks. The application consists of a single App Service instance. Which Azure DDoS Protection tier should they enable to meet this requirement while minimizing cost?

Question 31 (medium, multiple choice)

A company uses Azure Front Door to accelerate and secure its public web application. The security team wants to limit the number of requests from a single client IP address to 100 per minute to prevent a single user from overwhelming the backend. Which configuration should they add to the Web Application Firewall (WAF) policy associated with the Front Door?

Question 32 (medium, multiple choice)

A company has an Azure virtual network with a subnet that hosts a web application. They want to allow inbound HTTPS traffic from any source on the internet (0.0.0.0/0) and block all other inbound traffic. They associate a network security group (NSG) with the subnet. What is the minimum number of inbound security rules required to achieve this?

Question 33 (easy, multiple choice)

A company has Azure virtual machines that need to download updates from specific external websites (e.g., *.microsoft.com and *.windowsupdate.com). The security team wants to centrally manage and allow outbound HTTPS traffic only to these FQDNs, while blocking all other outbound internet access. Which Azure networking service should they deploy to achieve this?

Question 34 (easy, multiple choice)

You have an Azure virtual machine that hosts a web application on port 443 and a management interface on port 8443. You need to allow inbound HTTPS traffic from the internet to port 443, and allow inbound traffic on port 8443 only from the company's office public IP range (203.0.113.0/24). You want to use a managed service that provides basic DDoS protection at no additional cost. What should you use?

Question 35 (easy, multiple choice)

A company deploys Azure Firewall to inspect and control outbound traffic from a virtual network. The security team wants to allow outbound HTTPS traffic only to specific FQDNs such as *.microsoft.com and *.windowsupdate.com, while blocking all other outbound internet access. Which type of rule should they configure in Azure Firewall to achieve this filtering?

Question 36 (easy, multiple choice)

A company deploys Azure virtual machines in a virtual network. A security policy requires that only Remote Desktop Protocol (RDP) traffic from the corporate VPN's public IP address (203.0.113.0/26) is allowed. All other inbound RDP traffic must be denied. Which configuration should be applied to the network security group (NSG) associated with the VM subnet?

Question 37 (easy, multiple choice)

A security administrator is troubleshooting network connectivity to an Azure virtual machine. The VM is behind a network security group (NSG) that has a deny-all inbound rule as the default. The administrator wants to quickly verify whether a specific TCP packet on port 3389 from their client IP (203.0.113.50) would be allowed or blocked by the NSG. Which Azure Network Watcher tool should they use?

Question 38 (easy, multiple choice)

A security team needs to analyze network traffic to and from Azure virtual machines to investigate a potential security incident. They want to capture information such as source IP, destination IP, port, and protocol. Which Azure service should they enable on the network security groups (NSGs) associated with the virtual machine subnets?

Question 39 (medium, multiple choice)

A company has an Azure virtual network with multiple subnets hosting different application tiers. They need to inspect and filter all outbound traffic from VMs to the internet, and they must be able to allow or deny traffic based on fully qualified domain names (FQDNs). Which Azure networking service should they deploy?

Question 40 (medium, multiple choice)

A company is setting up a site-to-site VPN between an on-premises network and an Azure virtual network using an Azure VPN gateway. The security policy mandates that the VPN tunnel must use the strongest available encryption and authentication. Which IPsec/IKE parameter combination should they configure on both sides?

Question 41 (easy, multiple choice)

A company has an Azure virtual network with a subnet that hosts a public web application. They want to allow inbound HTTPS traffic (port 443) only from the source IP range 203.0.113.0/24, and block all other inbound traffic. They associate a network security group (NSG) with the subnet. What is the minimum number of inbound security rules required in the NSG to achieve this?

Question 42 (medium, multiple choice)

A virtual network has a Frontend subnet (web servers) and a Backend subnet (Azure SQL Database). The security team requires that no internet traffic can reach the Backend subnet directly, but the Frontend subnet must be able to communicate with the Backend subnet on port 1433. Which solution should they implement?

Question 43 (hard, multiple choice)

A company has virtual networks in East US and West US connected via global VNet peering. The security policy requires that all traffic between the peered VNets be encrypted using IPsec. Which action should the company take to meet this requirement?

Question 44 (easy, multiple choice)

A company has several critical applications deployed in an Azure virtual network. The security team wants to protect the virtual network against Distributed Denial-of-Service (DDoS) attacks by enabling automatic attack mitigation, adaptive tuning, and access to DDoS Rapid Response Support. Which DDoS Protection tier should they enable for the virtual network?

Question 45 (medium, multiple choice)

A company has two Azure virtual networks in different Azure regions that need to communicate with each other. The security policy mandates that all inter-region traffic must be encrypted over the public internet. Which connectivity solution should the company implement to meet this requirement?

Question 46 (easy, multiple choice)

A company has an Azure virtual network with two subnets: Frontend and Backend. They deploy a network virtual appliance (NVA) in a subnet named NVA_Subnet. They want to route all traffic from the Frontend subnet to the Backend subnet through the NVA for inspection. What is the minimum number of route tables required to achieve this traffic steering?

Question 47 (hard, multiple choice)

A company has multiple Azure virtual networks connected via VNet peering. They want to ensure that all traffic between the peered VNets is encrypted and that no traffic can bypass the encryption. Which configuration is required?

Question 48 (easy, multiple choice)

A company has an Azure virtual network with a subnet that hosts a web application. The security team wants to allow inbound HTTPS traffic (port 443) from the internet to the web servers, but block all other inbound traffic. They have a network security group (NSG) associated with the subnet. What is the minimal set of inbound rules required?

Question 49 (easy, multiple choice)

A company has an Azure virtual network with multiple subnets hosting different tiers of an application. The security team requires inspection of all traffic between subnets for malicious patterns and the ability to allow or deny traffic based on fully qualified domain names (FQDNs). Which Azure networking service should they implement?

Question 50 (easy, multiple choice)

A company has an Azure virtual network with a single subnet that hosts web servers. The security team needs to allow inbound HTTPS traffic from the internet to the web servers, but block all other inbound traffic. They want to use a single Azure resource to accomplish this at the subnet level. Which resource should they configure?

Question 51 (medium, multiple choice)

An organization has deployed Azure Firewall and wants to inspect all outbound traffic from a virtual network (VNet) to the internet. The VNet already contains subnets with workloads. What is the required networking configuration to force traffic through Azure Firewall?

Question 52 (easy, multiple choice)

Your company uses Azure Firewall to protect a virtual network. The security team needs to allow outbound HTTPS traffic from a specific subnet to a set of FQDNs, such as '*.contoso.com', while blocking all other outbound traffic. Which type of Azure Firewall rule should they configure?

Question 53 (easy, multiple choice)

A company has a virtual network with a subnet hosting Azure VMs. They want to restrict all inbound traffic to only allow HTTPS (port 443) from the internet, but also allow SSH (port 22) only from a specific management IP address range (e.g., 203.0.113.0/24). Which Azure service should they use to achieve this filtering?

Question 54 (easy, multiple choice)

You have an Azure virtual machine that hosts a web application. You need to allow inbound HTTP (80) and HTTPS (443) traffic from the internet to this VM only. You also need to allow outbound traffic to the internet from the VM. You want to use a managed Azure service with minimal configuration. What should you use?

Question 55 (easy, multiple choice)

A company has a virtual network in Azure with a subnet that hosts a web application. They want to allow inbound HTTPS traffic only from a specific source IP range (198.51.100.0/24). They are using Network Security Groups (NSGs) associated with the subnet. What is the minimal set of inbound security rules required?

Question 56 (medium, multiple choice)

A company uses a hub-spoke network topology in Azure. They need to inspect and filter all traffic flowing between spoke virtual networks for security compliance. Which Azure-native service should be deployed in the hub virtual network to achieve this?

Question 57 (medium, multiple choice)

A company has an Azure virtual network with multiple subnets. They want to centrally inspect and log all outbound traffic to the internet. They also need to allow or deny traffic based on domain names (FQDNs). Which Azure resource should they deploy?

Question 58 (easy, multiple choice)

A company has an Azure virtual network with subnets SubnetA and SubnetB. They deploy a network virtual appliance (NVA) in a subnet called NVA_Subnet. They want all traffic between SubnetA and SubnetB to be routed through the NVA for inspection. What is the minimum number of route tables and routes required?

Question 59 (medium, multiple choice)

A company runs a public-facing web application on Azure App Service in the West US region. They want to protect against network-layer (Layer 3/4) DDoS attacks and have a single web application. Which Azure DDoS Protection tier should they use?

Question 60 (easy, multiple choice)

A company has established a site-to-site VPN connection between its on-premises network and an Azure virtual network using an Azure VPN gateway. The security team wants to confirm that all traffic crossing the VPN tunnel is encrypted. Which protocol does the Azure VPN gateway use to encrypt the data?

Question 61 (medium, multiple choice)

A company deploys a web application on Azure VMs behind an Azure Load Balancer (Standard SKU). They want to protect the application from common web attacks like SQL injection and cross-site scripting. Which Azure service should they enable?

Question 62 (medium, multiple choice)

A storage account should be reachable only from a specific subnet over the Microsoft backbone, while keeping the public endpoint firewall restricted. Which feature should be used?

Question 63 (hard, multi select)

A web app uses Azure App Service and must access Azure SQL over a private IP without exposing SQL to the public internet. Which two components are required?

Question 64 (medium, multiple choice)

Traffic from a spoke VNet must reach the internet through a firewall in the hub VNet. What routing configuration is required on the spoke subnets?

Question 65 (hard, multiple choice)

An Application Gateway WAF blocks legitimate requests because a managed rule detects a known false positive. The team wants to keep the rule set enabled. What should they configure?

Question 66 (hard, multi select)

An Azure SQL Database must be accessed privately from workloads in a VNet and should not allow public network access. Which two configurations are required?

Question 67 (medium, multi select)

A hub-and-spoke Azure network uses Azure Firewall for egress inspection. Which two settings are typically required on spoke workloads?

Question 68 (hard, multi select)

A public web application should be protected from OWASP-style attacks and network-layer DDoS attacks. Which two Azure services are most relevant?

Question 69 (medium, multi select)

You are planning a network security strategy for a multi-tier application deployed on Azure virtual machines. You need to ensure that traffic between the web tier and the application tier is encrypted and that the application tier is not directly accessible from the internet. Which three of the following should you implement? (Choose three.)

Question 70 (medium, multi select)

Your company has deployed an Azure Firewall in a hub virtual network to inspect traffic from spoke virtual networks. You need to ensure that all outbound traffic from a spoke virtual network to the internet is forced through the Azure Firewall. Which three of the following actions are required? (Choose three.)

Question 71 (medium, multi select)

You are designing a secure hybrid network that connects an on-premises datacenter to Azure. The solution must provide high availability and encrypt all traffic between the two sites. Which three of the following should you consider? (Choose three.)

Question 72 (medium, multi select)

You are securing an Azure Kubernetes Service (AKS) cluster. You need to restrict network traffic between pods and to external services using Azure network policies. Which three of the following options are valid considerations or steps? (Choose three.)

Question 73 (medium, multi select)

You are a security engineer for a company that uses Azure. You need to secure network connectivity between on-premises resources and Azure virtual networks (VNets) while minimizing exposure to the public internet. Which four of the following options are valid methods to achieve this? (Choose all that apply. There are four correct answers.)

Question 74 (medium, drag order)

Drag and drop the steps to create an Azure Key Vault firewall rule to allow access from a specific virtual network into the correct order.

Question 75 (medium, drag order)

Drag and drop the steps to configure Azure AD Conditional Access policy to require MFA for all users into the correct order.

Question 76 (medium, drag order)

Drag and drop the steps to configure network security group (NSG) flow logs for a virtual network into the correct order.

Question 77 (medium, matching)

Match each Azure policy effect to its behavior.

Descriptions:

Prevents resource creation or update that violates policy

Creates a warning event in activity log but allows request

Adds additional fields to the resource during creation or update

Adds, updates, or removes properties on a resource

Policy rule is ignored (used for testing)

Question 78 (medium, matching)

Match each Azure network security component to its function.

Descriptions:

Filters traffic at subnet or NIC level

Groups VMs by application workload for rule application

Protects against distributed denial-of-service attacks

Secure RDP/SSH access to VMs without public IP

Extends VNet identity to Azure services over optimized route

Question 79 (medium, matching)

Match each Azure Sentinel feature to its purpose.

Descriptions:

Ingest logs from various sources

Define conditions to generate alerts

Visualize data with interactive dashboards

Group related alerts for investigation

Automate response actions using Logic Apps

Question 80 (medium, multiple choice)

You are designing network security for a hybrid application that uses Azure Front Door and Azure Application Gateway. The application must block malicious requests at the edge before they reach the backend. You need to implement Web Application Firewall (WAF) protection with the lowest latency and the ability to inspect traffic at the application layer. Which solution should you use?

Question 81 (hard, multi select)

Your company has an Azure subscription with multiple virtual networks (VNets) connected via VNet peering. You need to filter traffic between VNets based on source IP addresses and ports. You want a managed solution that provides stateful inspection and centralized logging. Which TWO solutions meet the requirements?

Question 82 (easy, multiple choice)

You have an Azure virtual machine that hosts a custom web application. You need to restrict inbound internet traffic to only HTTPS (port 443) from any source. Which Azure resource should you configure?

Question 83 (hard, multiple choice)

You are troubleshooting connectivity between two Azure virtual machines in different VNets that are peered. VM1 (10.0.1.4) cannot reach VM2 (10.0.2.4) on port 80. Both VNets have NSGs allowing HTTP traffic from each other's IP ranges. The VNet peering is in 'Connected' state. You verify that the VMs' operating system firewalls allow HTTP. What is the most likely cause of the connectivity issue?

Question 84 (medium, multiple choice)

You need to secure outbound traffic from an Azure virtual network to the internet. All outbound traffic must be inspected by a firewall and logged. You also need to ensure that traffic to known malicious IP addresses is blocked. Which solution should you implement?

Question 85 (easy, multi select)

You are configuring network security for a multi-tier application in Azure. The web tier must accept HTTPS traffic from the internet. The application tier should only accept traffic from the web tier. The data tier should only accept traffic from the application tier. Which THREE Azure features should you use to implement this?

Question 86 (easy, multiple choice)

You are analyzing network traffic patterns. You have configured NSG flow logs with Traffic Analytics as shown in the exhibit. You need to identify which virtual machines are communicating with a specific malicious IP address. Which tool should you use to query the flow log data?

Exhibit

Refer to the exhibit.

```json
{
  "properties": {
    "format": "Json",
    "networkWatcherResourceGroupName": "NetworkWatcherRG",
    "storageAccount": {
      "id": "/subscriptions/.../resourceGroups/NetworkWatcherRG/providers/Microsoft.Storage/storageAccounts/flowlogs"
    },
    "enabled": true,
    "retentionPolicy": {
      "days": 30,
      "enabled": true
    },
    "trafficAnalytics": {
      "enabled": true,
      "workspaceId": "/subscriptions/.../resourceGroups/LogAnalytics/providers/Microsoft.OperationalInsights/workspaces/LAWS1"
    }
  }
}
```
Question 87 (hard, multiple choice)

Your organization has multiple Azure subscriptions connected via a hub-spoke topology using Azure Firewall in the hub. You need to ensure that traffic between spoke VNets is routed through the firewall for inspection. You configure user-defined routes (UDRs) on the spoke subnets. However, traffic between spokes is still bypassing the firewall. What is the most likely reason?

Question 88 (medium, multiple choice)

You are an Azure security engineer. Your team has assigned the Azure Policy shown in the exhibit. A developer creates a new virtual network with a subnet that does not have a Network Security Group (NSG) associated. What will happen when the policy is evaluated?

Exhibit

Refer to the exhibit.

```json
{
  "properties": {
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Network/virtualNetworks"
      },
      "then": {
        "effect": "deny",
        "details": {
          "field": "Microsoft.Network/virtualNetworks/subnets",
          "existenceCondition": {
            "field": "Microsoft.Network/virtualNetworks/subnets/networkSecurityGroup",
            "exists": "false"
          }
        }
      }
    },
    "parameters": {}
  }
}
```
Question 89 (medium, multi select)

You are designing a secure network for an e-commerce application in Azure. The application consists of web servers, application servers, and database servers. You need to ensure that inbound traffic is filtered at multiple layers. Which THREE Azure services should you use to implement defense in depth for network security?

Question 90 (hard, multiple choice)

You are troubleshooting an Azure virtual machine that cannot access the internet. The VM is in a subnet with a route table that has a default route (0.0.0.0/0) with next hop 'Virtual appliance' pointing to the private IP of an Azure Firewall. The Azure Firewall has a DNAT rule to allow outbound traffic. You verify that the VM's NSG allows outbound traffic. What is the most likely cause of the issue?

Question 91 (medium, multiple choice)

You are reviewing an NSG rule as shown in the exhibit. This rule is applied to a subnet containing web servers. What is the security implication of this rule?

Exhibit

Refer to the exhibit.

```json
{
  "properties": {
    "protocol": "Any",
    "sourceAddresses": ["*"],
    "destinationAddresses": ["*"],
    "destinationPorts": ["*"],
    "sourcePorts": ["*"],
    "access": "Allow",
    "priority": 100,
    "direction": "Inbound",
    "ruleType": "BasicRule"
  }
}
```
Question 92 (easy, multiple choice)

You need to provide secure remote administration access to Azure virtual machines in a production environment. You want to eliminate public RDP/SSH endpoints and provide just-in-time access. Which Azure service should you use?

Question 93 (hard, multiple choice)

You have an Azure Kubernetes Service (AKS) cluster that needs to restrict egress traffic to specific Azure services (e.g., Azure Container Registry, Azure Monitor). You want a managed solution that allows you to define FQDN-based rules. Which Azure service should you use?

Question 94 (medium, multiple choice)

You are configuring a site-to-site VPN connection between your on-premises network and Azure. You need to ensure that traffic between the networks is encrypted and authenticated. Which Azure service should you use?

Question 95 (medium, multiple choice)

A company uses Azure Firewall to filter outbound traffic from a virtual network. The security team notices that traffic to a specific external IP address is being allowed despite a deny rule. What is the most likely cause?

Question 96 (hard, multiple choice)

Your organization has deployed Azure Front Door Premium with Web Application Firewall (WAF) policy in front of an Azure App Service. You need to ensure that only traffic from Azure Front Door is allowed to reach the App Service, and all other traffic is blocked. Which configuration should you implement?

Question 97 (easy, multiple choice)

You need to securely connect an on-premises network to an Azure virtual network. The connection must use the internet and provide authenticated and encrypted communication. Which Azure service should you use?

Question 98 (hard, multiple choice)

A company has deployed Azure Firewall in a hub virtual network with forced tunneling enabled. Spoke virtual networks are peered to the hub. The security team reports that outbound traffic from the spoke VMs is bypassing the firewall. What is the most likely reason?

Question 99 (medium, multiple choice)

You are designing a network security strategy for a multi-tier application. The web tier must be accessible from the internet, but the application and database tiers must only be accessible from the web tier. Which Azure solution should you use to isolate the tiers?

Question 100 (medium, multiple choice)

A company uses Azure Bastion to provide secure RDP and SSH access to Azure VMs without public IPs. Recently, a security audit recommended logging all connections to Bastion. What should you enable?

Question 101 (easy, multiple choice)

Your organization has multiple Azure subscriptions and wants to centrally manage Azure Firewall policies across all subscriptions. What should you use?

Question 102 (hard, multiple choice)

A company plans to use Azure Private Endpoint to securely connect to an Azure SQL Database from an on-premises network via ExpressRoute. The private endpoint is deployed in a hub virtual network. The on-premises network is connected to the hub via ExpressRoute. What additional configuration is needed to ensure on-premises clients can resolve the private endpoint's DNS name?

Question 103 (easy, multiple choice)

You need to filter inbound internet traffic to an Azure web application based on source IP address and geographic location. Which Azure service should you use?

Question 104 (hard, multi select)

Which TWO actions should you take to secure traffic between Azure virtual networks using VNet peering? (Choose two.)

Question 105 (medium, multi select)

Which THREE components are required to implement Azure Virtual WAN with secured virtual hub? (Choose three.)

Question 106 (easy, multi select)

Which TWO Azure services can be used to distribute incoming traffic across multiple virtual machines in a backend pool while providing layer 7 load balancing? (Choose two.)

Question 107 (medium, multiple choice)

Refer to the exhibit. You are reviewing an Azure Firewall policy rule. The rule is intended to allow traffic from the 10.0.0.0/16 network to *.contoso.com on HTTPS. However, the rule is not working as expected. What is the most likely issue?

Exhibit

```json
{
  "properties": {
    "policy": {
      "rules": [
        {
          "name": "AllowInternal",
          "ruleType": "ApplicationRule",
          "protocols": [
            {
              "protocolType": "Https",
              "port": 443
            }
          ],
          "targetFqdns": [
            "*.contoso.com"
          ],
          "sourceAddresses": [
            "10.0.0.0/16"
          ],
          "destinationAddresses": [
            "172.16.0.0/12"
          ]
        }
      ]
    }
  }
}
```
Question 108 (hard, multiple choice)

Refer to the exhibit. A security administrator runs the Azure CLI commands to create a VM with a single NIC and applies an NSG rule to deny outbound TCP traffic to the Internet on ports 80 and 443. However, the VM can still access websites on the Internet. What is the most likely reason?

Network Topology
subnet $(az network vnet subnet showaz network vnet createname VNet1resource-group RG1address-prefixname NIC1name Subnet1vnet-name VNet1query id -o tsv)name NSG1nsg-name NSG1priority 100network-security-group NSG1subnet-name Subnet1az network nic createaz network nic updateprivate-ip-addressaz network nsg createname DenyInternetdirection Outboundsubnet-prefixaccess Denyprotocol Tcpdestination-address-prefixes Internetdestination-port-ranges 80 443Refer to the exhibit.Azure CLI command output:```
Question 109 (easy, multiple choice)

Refer to the exhibit. You run the KQL query in Microsoft Sentinel to investigate denied application rule traffic through Azure Firewall. The query returns no results, but you know that application rules are being applied and some traffic is being denied. What is the most likely cause?

Exhibit

Refer to the exhibit.

KQL query in Microsoft Sentinel:
```
AzureDiagnostics
| where ResourceType == "AZUREFIREWALLS"
| where Category == "AzureFirewallApplicationRule"
| where OperationName == "AzureFirewallApplicationRuleHit"
| where msg_s contains "Deny"
| project TimeGenerated, msg_s
| take 10
```
Question 110 (medium, multiple choice)

A company uses Azure Firewall to inspect traffic between a spoke VNet hosting a web application and a hub VNet hosting a SQL database. The web application fails to connect to the database after a recent network topology change. You verify that the Azure Firewall rules allow the traffic. Which Azure Network Watcher feature should you use to identify the root cause?

Question 111 (hard, multiple choice)

Your organization is deploying a multi-region application using Azure Front Door to distribute traffic. You need to ensure that only traffic from Azure Front Door can reach the backend origins (App Services) and that no direct internet traffic bypasses Front Door. What combination of steps should you take?

Question 112 (easy, multiple choice)

You are designing a hub-spoke network topology in Azure. The hub VNet contains Azure Firewall and a VPN gateway. Spoke VNets need to communicate with each other and with the on-premises network through the hub. Which peering configuration is required to allow spoke-to-spoke communication via the hub?

Question 113 (medium, multiple choice)

Your company uses Azure Virtual WAN with a secured virtual hub (Azure Firewall). You have branch offices connected via ExpressRoute. You need to ensure that traffic from a branch to a VNet in the same region is inspected by the firewall. You configure the default route (0.0.0.0/0) advertisement from the hub to the branch, but the traffic is not being inspected. What is the most likely reason?

Question 114 (hard, multiple choice)

You deploy Azure Private Link for an Azure SQL Database. You create a private endpoint in VNet1 and configure a private DNS zone 'privatelink.database.windows.net' linked to VNet1. Clients in VNet2 (peered to VNet1) can resolve the SQL server FQDN to the private IP, but connections fail. What is the most likely cause?

Question 115 (easy, multiple choice)

You need to block outbound internet access from all VMs in a VNet except for specific allowed destinations (e.g., Microsoft updates). You cannot use a third-party NVA. Which Azure service should you use to meet this requirement?

Question 116 (medium, multiple choice)

You have an Azure Web Application Firewall (WAF) policy associated with an Azure Front Door instance. You want to block requests from a specific country (e.g., Country X) unless the request includes a valid API key. How should you configure this?

Question 117 (hard, multiple choice)

You have a hub-spoke network with Azure Firewall in the hub. Spoke VNet1 contains a VM that needs to communicate with a VM in Spoke VNet2. Both spoke VNets are peered to the hub. You configure Azure Firewall DNAT rules to forward traffic to specific VMs, but the communication fails. You verify that the firewall rules allow the traffic and that the VMs can reach each other's private IPs if the firewall is bypassed. What is the most likely issue?

Question 118 (medium, multiple choice)

You configure Azure Bastion to allow secure RDP access to VMs in a VNet. However, users report that they cannot connect to a specific VM, while other VMs in the same VNet are accessible. The VM is running and has a public IP. What is the most likely cause?

Question 119 (medium, multi select)

You are designing network security for a multi-tier application with web, app, and data tiers. The web tier must be accessible from the internet, the app tier only from the web tier, and the data tier only from the app tier. You plan to use Azure Firewall in a hub VNet and peer the application VNet to the hub. Which TWO configurations are necessary to achieve this segmentation?

Question 120 (hard, multi select)

Your company uses ExpressRoute to connect on-premises to Azure. You need to ensure that only traffic from the on-premises network can reach a specific Azure App Service, and all other internet traffic to that App Service must be blocked. You also want to avoid exposing the App Service's public endpoint. Which THREE actions should you take?

Question 121 (easy, multi select)

You are configuring Azure DDoS Network Protection for your VNet. Which TWO benefits does enabling DDoS Protection Standard provide?

Question 122 (medium, multiple choice)

You are designing network security for a multi-tier application deployed in Azure. The application consists of a front-end web tier, a middle-tier API, and a back-end database. All tiers must be isolated from the internet except the front-end, which must accept HTTPS traffic from the internet. You need to ensure that no traffic can bypass the network security controls. What should you implement?

Question 123 (hard, multiple choice)

Your company has deployed Azure Virtual WAN with secured virtual hubs. You need to enforce that all traffic between on-premises sites and Azure virtual networks (VNets) passes through the Azure Firewall in the hub. You have configured routing accordingly. However, traffic from an on-premises site to a VNet is still bypassing the firewall. What is the most likely cause?

Question 124 (easy, multiple choice)

You are configuring Azure Private Link for a SQL Database. You want to ensure that all traffic from your virtual network to the SQL Database stays within the Microsoft Azure backbone network. What is the primary benefit of using Azure Private Link over a service endpoint?

Question 125 (medium, multiple choice)

You have an Azure Application Gateway v2 with WAF policy in prevention mode to protect a web app. Users report that legitimate requests are being blocked. You review the WAF logs and see many false positives. You need to resolve this while maintaining security. What should you do?

Question 126 (hard, multiple choice)

Your organization has multiple Azure subscriptions that need to connect to a shared on-premises data center via ExpressRoute. You plan to use Azure Virtual WAN with secured hubs. Each subscription contains VNets that must communicate with on-premises and with each other through the hub. You need to ensure that traffic between VNets in different subscriptions is routed through the Azure Firewall. What configuration is required?

Question 127 (easy, multiple choice)

You need to allow a specific IP address (203.0.113.5) to access an Azure Storage account over the internet. All other internet traffic must be denied. You have enabled the storage account firewall. What should you configure?

Question 128 (medium, multi select)

Which TWO configurations are required to enable Azure Bastion to connect to a virtual machine without a public IP address?

Question 129 (hard, multi select)

Which THREE benefits does Azure DDoS Protection Standard provide over Basic?

Question 130 (easy, multi select)

Which TWO actions can be taken using Azure Network Watcher?

Question 131 (medium, multiple choice)

You need to design a network security solution for a hub-spoke topology. The hub contains Azure Firewall and Azure Bastion. Spoke VNets contain application workloads. You need to ensure that all traffic from the spokes to the internet is routed through the Azure Firewall. What should you configure?

Question 132 (hard, multiple choice)

Your company uses Azure Firewall Premium with TLS inspection to filter outbound traffic from Azure VMs. Users report that some websites are not loading. You have configured the firewall to inspect traffic to *.microsoft.com. What is the most likely cause of the issue?

Question 133 (easy, multiple choice)

You need to allow an Azure VM to access an on-premises SQL Server database securely. The on-premises network is connected to Azure via a site-to-site VPN. You want to minimize latency and avoid traversing the internet. What should you use?

Question 134 (medium, multiple choice)

You are designing a network security solution for a multi-tier application running in Azure. The front-end VMs must only accept traffic from Azure Front Door. Back-end VMs must only accept traffic from the front-end tier. You plan to use NSGs and ASGs. Which configuration should you use to meet these requirements with minimal administrative overhead?

Question 135 (easy, multiple choice)

Your company has an Azure subscription with multiple VNets. You need to securely connect an on-premises data center to Azure using a site-to-site VPN. The on-premises VPN device does not support IKEv2. Which VPN gateway SKU should you select to ensure compatibility?

Question 136 (hard, multiple choice)

You are troubleshooting connectivity issues from an Azure VM to an on-premises server. The VM is in a VNet that uses a custom DNS server. The on-premises network is connected via ExpressRoute. You can ping the on-premises server by IP address but not by name. What is the most likely cause?

Question 137 (easy, multiple choice)

You need to secure traffic between two VNets in different Azure regions. The VNets contain virtual machines that must communicate over private IP addresses. Which Azure service should you use?

Question 138 (medium, multiple choice)

Your company has an Azure subscription with several VNets. You deploy Azure Firewall in a hub VNet. You need to ensure that all traffic from spoke VNets to the internet goes through the firewall. What should you configure?

Question 139 (hard, multiple choice)

You are designing a network security strategy for an Azure Kubernetes Service (AKS) cluster. You need to restrict egress traffic from the cluster to only allow connections to specific Azure services (e.g., Microsoft Container Registry, Azure Key Vault). The solution must minimize administrative overhead. What should you use?

Question 140 (easy, multiple choice)

You need to provide secure remote access to Azure virtual machines for developers without exposing public IP addresses. The solution must authenticate users via Microsoft Entra ID and support multifactor authentication. Which service should you use?

Question 141 (medium, multiple choice)

You have an Azure subscription with multiple VNets connected via VNet peering. You need to ensure that traffic between VNets is encrypted. What should you do?

Question 142 (hard, multiple choice)

You are troubleshooting connectivity from an on-premises network to an Azure VM. The connection uses a site-to-site VPN. The VM can be pinged from on-premises, but an application running on the VM cannot connect to an on-premises database server. The database server's firewall is configured to allow connections from the Azure VPN gateway public IP. What is the most likely cause of the issue?

Question 143 (medium, multi select)

You are designing network security for a three-tier application. You need to isolate each tier (web, application, data) and control traffic between them. Which TWO Azure services should you use to achieve this? (Choose two.)

Question 144 (hard, multi select)

You need to monitor network traffic to detect anomalies and potential security threats. Which THREE Azure services can you use to achieve this? (Choose three.)

Question 145 (easy, multi select)

You are designing a hub-and-spoke network topology with Azure Firewall in the hub VNet. Which TWO components are essential for routing traffic from spoke VNets through the firewall? (Choose two.)

Question 146 (medium, multiple choice)

Refer to the exhibit. You are reviewing an NSG rule configuration for a subnet. The source subnet is 10.0.0.0/24 and the destination subnet is 10.0.1.0/24. What is the effect of this rule?

Exhibit

```json
{
  "name": "AllowSSHOnly",
  "properties": {
    "protocol": "Tcp",
    "sourcePortRange": "*",
    "destinationPortRange": "22",
    "sourceAddressPrefix": "10.0.0.0/24",
    "destinationAddressPrefix": "10.0.1.0/24",
    "access": "Allow",
    "priority": 100,
    "direction": "Inbound"
  }
}
```
Question 147 (hard, multiple choice)

Refer to the exhibit. You have an Azure Firewall policy with the shown rules. Traffic from 10.0.0.0/8 to www.google.com on HTTPS (443) is being blocked. What is the most likely reason?

Exhibit

```json
{
  "properties": {
    "type": "Microsoft.Network/azureFirewalls",
    "sku": {
      "name": "AZFW_VNet",
      "tier": "Standard"
    },
    "applicationRuleCollections": [
      {
        "properties": {
          "priority": 200,
          "action": {
            "type": "Allow"
          },
          "rules": [
            {
              "name": "AllowGoogle",
              "protocols": [
                {
                  "protocolType": "Https",
                  "port": 443
                }
              ],
              "sourceAddresses": ["10.0.0.0/8"],
              "targetFqdns": ["*.google.com"]
            }
          ]
        }
      }
    ],
    "networkRuleCollections": [
      {
        "properties": {
          "priority": 100,
          "action": {
            "type": "Deny"
          },
          "rules": [
            {
              "name": "DenyAll",
              "protocols": ["Any"],
              "sourceAddresses": ["*"],
              "destinationAddresses": ["*"],
              "destinationPorts": ["*"]
            }
          ]
        }
      }
    ]
  }
}
```
Question 148 (easy, multiple choice)

Refer to the exhibit. You have a VNet with two subnets, each with a different NSG. Both NSGs have default rules. What is the default connectivity between VMs in subnetA and subnetB?

Exhibit

```json
{
  "properties": {
    "addressSpace": {
      "addressPrefixes": ["10.0.0.0/16"]
    },
    "subnets": [
      {
        "name": "subnetA",
        "properties": {
          "addressPrefix": "10.0.1.0/24",
          "networkSecurityGroup": {
            "id": "/subscriptions/.../nsgA"
          }
        }
      },
      {
        "name": "subnetB",
        "properties": {
          "addressPrefix": "10.0.2.0/24",
          "networkSecurityGroup": {
            "id": "/subscriptions/.../nsgB"
          }
        }
      }
    ]
  }
}
```
Question 149 (medium, multiple choice)

Your company has a hub-and-spoke network topology in Azure. The hub virtual network contains an Azure Firewall and a VPN gateway. Spoke virtual networks are peered to the hub. You need to ensure that all outbound traffic from spoke VMs to the internet is routed through the Azure Firewall. What should you configure on the spoke virtual networks?

Question 150 (easy, multiple choice)

You are designing a secure network architecture for a three-tier application. The web tier must be accessible from the internet, while the application and database tiers must only be accessible from the web tier. Which Azure service should you use to isolate the tiers most securely?

Question 151 (hard, multiple choice)

Your company has multiple Azure subscriptions managed through Azure Firewall Manager. You need to deploy Azure Firewall policies that apply to all subscriptions in a region. What is the most efficient way to manage this?

Question 152 (easy, multiple choice)

You need to block inbound traffic from the internet to a specific subnet except for TCP port 443. Which Azure service should you use?

Question 153 (medium, multiple choice)

Your organization has a hybrid network with an Azure VPN gateway connecting to an on-premises site. You need to ensure that traffic between Azure and on-premises is encrypted and authenticated. Which protocol should the VPN gateway use?

Question 154 (hard, multiple choice)

You have an Azure application that uses a private endpoint for Azure SQL Database. Users report intermittent connectivity failures. You need to diagnose whether the private endpoint DNS resolution is working correctly. Which tool should you use?

Question 155 (easy, multiple choice)

You need to restrict access to an Azure Storage account so that only traffic from a specific virtual network is allowed. What should you configure?

Question 156 (medium, multiple choice)

Your company deploys a web application in an Azure App Service that needs to securely connect to an Azure SQL Database. You want to avoid exposing the database to the public internet. What is the recommended approach?

Question 157 (hard, multiple choice)

You have an Azure Kubernetes Service (AKS) cluster that needs to communicate with an on-premises database over a site-to-site VPN. The AKS cluster is in a spoke VNet, and the VPN gateway is in the hub VNet. You configure VNet peering between hub and spoke. However, pods cannot reach the on-premises database. What is the most likely cause?

Question 158 (medium, multi select)

Which TWO Azure services can be used to filter inbound internet traffic to a virtual network? (Choose two.)

Question 159 (hard, multi select)

Which THREE are best practices for securing network traffic in Azure? (Choose three.)

Question 160 (easy, multi select)

Which TWO are valid connection methods for Azure VPN Gateway? (Choose two.)

Question 161 (easy, multiple choice)

You need to restrict access to a web app hosted on Azure App Service so that only traffic from a specific virtual network (VNet) is allowed. Which Azure service should you configure?

Question 162 (medium, multi select)

Your company has a hub-spoke network topology in Azure. The hub VNet contains an Azure Firewall. Spoke VNets are peered to the hub. You need to ensure that all outbound traffic from virtual machines in a spoke VNet passes through the Azure Firewall for inspection. Which two configurations are required? (Choose two.)

Question 163 (hard, multiple choice)

Refer to the exhibit. The JSON snippet shows a network rule from an Azure Firewall policy. You have a subnet with IP range 10.0.1.0/24 that needs to connect to Azure SQL Database in Southeast Asia. However, connections are failing. What is the most likely reason?

Exhibit

```json
{
  "properties": {
    "priority": 100,
    "ruleCollectionType": "FilteringRuleCollection",
    "ruleType": "NetworkRule",
    "rules": [
      {
        "name": "AllowSQL",
        "protocols": ["TCP"],
        "sourceAddresses": ["10.0.1.0/24"],
        "destinationAddresses": ["AzureCloud.southeastasia"],
        "destinationPorts": ["1433"]
      }
    ]
  }
}
```
Question 164 (easy, multiple choice)

You need to securely connect an on-premises network to Azure over the internet with encrypted traffic. The connection must be site-to-site and use IPsec. Which Azure service should you use?

Question 165 (medium, multiple choice)

Your company uses Azure Firewall Premium. You need to inspect outbound traffic for malware using signature-based detection. Which feature should you enable?

Question 166 (hard, multiple choice)

Refer to the exhibit. The JSON shows an NSG associated with a subnet. The subnet contains a web server. Users report they cannot access the web server on port 443 (HTTPS). What is the most likely cause?

Exhibit

```json
{
  "properties": {
    "networkSecurityGroup": {
      "id": "/subscriptions/.../resourceGroups/rg1/providers/Microsoft.Network/networkSecurityGroups/nsg-web"
    },
    "networkSecurityGroupRules": [
      {
        "name": "AllowHTTP",
        "properties": {
          "protocol": "Tcp",
          "sourcePortRange": "*",
          "destinationPortRange": "80",
          "sourceAddressPrefix": "Internet",
          "destinationAddressPrefix": "*",
          "access": "Allow",
          "priority": 100,
          "direction": "Inbound"
        }
      },
      {
        "name": "AllowHTTPS",
        "properties": {
          "protocol": "Tcp",
          "sourcePortRange": "*",
          "destinationPortRange": "443",
          "sourceAddressPrefix": "Internet",
          "destinationAddressPrefix": "*",
          "access": "Allow",
          "priority": 110,
          "direction": "Inbound"
        }
      },
      {
        "name": "DenyAll",
        "properties": {
          "protocol": "*",
          "sourcePortRange": "*",
          "destinationPortRange": "*",
          "sourceAddressPrefix": "*",
          "destinationAddressPrefix": "*",
          "access": "Deny",
          "priority": 200,
          "direction": "Inbound"
        }
      }
    ]
  }
}
```
Question 167 (easy, multiple choice)

You need to provide secure remote access to Azure virtual machines without assigning them public IP addresses. Which Azure service should you use?

Question 168 (medium, multiple choice)

Your organization uses Azure Virtual Network Manager (AVNM) to manage network groups. You need to ensure that all virtual networks in a network group are automatically peered with a hub VNet. Which AVNM configuration should you use?

Question 169 (hard, multiple choice)

Refer to the exhibit. The JSON shows an Azure Policy initiative assignment. You have a subnet that needs to allow private endpoints. You created a Private Endpoint but it fails to provision. What is the most likely reason?

Exhibit

```json
{
  "properties": {
    "isEnabled": true,
    "mode": "Prevent",
    "targetResources": [
      "Microsoft.Network/virtualNetworks"
    ],
    "conditions": [
      {
        "field": "Microsoft.Network/virtualNetworks/subnets/properties/privateEndpointNetworkPolicies",
        "equals": "Disabled"
      }
    ]
  }
}
```
Question 170 (easy, multiple choice)

You need to distribute incoming internet traffic across multiple Azure virtual machines in the same region. The solution must provide layer 7 load balancing and SSL offloading. Which Azure service should you use?

Question 171 (medium, multi select)

You are designing a network security solution for a multi-tier application. The web tier must be accessible from the internet, but the application and database tiers must be isolated. Which TWO configurations should you implement?

Question 172 (hard, multi select)

You need to monitor and log network traffic between Azure VMs for security analysis. Which THREE components should you enable?

Question 173 (easy, multi select)

You need to secure traffic between an on-premises network and Azure using a VPN connection. Which TWO configurations are required?

Question 174 (medium, multiple choice)

Your organization uses Azure Private Link to access Azure SQL Database privately from a VNet. You need to ensure that only your VNet can access the private endpoint. What should you configure?

Question 175 (hard, multiple choice)

Refer to the exhibit. The JSON shows an NSG rule set applied to a subnet. The subnet contains a web server that should be accessible from the internet on port 443. Users report they cannot connect. What is the most likely cause?

Exhibit

```json
{
  "properties": {
    "rules": [
      {
        "name": "AllowVNetInbound",
        "direction": "Inbound",
        "priority": 100,
        "sourceAddressPrefixes": ["VirtualNetwork"],
        "destinationAddressPrefixes": ["VirtualNetwork"],
        "access": "Allow",
        "protocol": "*",
        "sourcePortRange": "*",
        "destinationPortRange": "*"
      },
      {
        "name": "DenyInternetInbound",
        "direction": "Inbound",
        "priority": 200,
        "sourceAddressPrefixes": ["Internet"],
        "destinationAddressPrefixes": ["*"],
        "access": "Deny",
        "protocol": "*",
        "sourcePortRange": "*",
        "destinationPortRange": "*"
      }
    ]
  }
}
```
Question 176 (medium, multiple choice)

Your organization has an Azure virtual network with a subnet hosting a SQL Managed Instance. You need to ensure that only traffic from Azure services (like Azure Data Factory) can reach the SQL Managed Instance, but you must not allow any public internet traffic. What is the most secure configuration?

Question 177 (easy, multiple choice)

You are designing a hub-spoke network topology in Azure. You need to ensure that all traffic between spokes is inspected by a network virtual appliance (NVA) deployed in the hub. What should you configure?

Question 178 (hard, multiple choice)

Your company uses Azure Front Door to globally distribute traffic to a web app. You need to ensure that only traffic from Front Door can reach the web app, and all other traffic is blocked. The web app is behind an Azure Application Gateway. What is the most secure and reliable configuration?

Question 179 (medium, multi select)

Which TWO of the following are valid methods to secure outbound traffic from an Azure virtual network to the internet?

Question 180 (hard, multi select)

Which THREE of the following are required to enable network traffic flow between two peered Azure virtual networks in different Azure regions?

Question 181 (easy, multi select)

Which TWO of the following are supported ways to connect an on-premises network to Azure?

Question 182 (hard, multiple choice)

Refer to the exhibit. You have an Azure Application Gateway WAF policy with the JSON configuration shown in the exhibit. A user from IP address 10.1.2.3 reports they cannot access the web application. What is the most likely cause?

Exhibit

```json
{
  "properties": {
    "format": "Json",
    "rules": [
      {
        "name": "BlockHighRiskIPs",
        "priority": 100,
        "ruleType": "MatchRule",
        "matchConditions": [
          {
            "matchVariables": [
              {
                "variableName": "RemoteAddr"
              }
            ],
            "operator": "IPMatch",
            "negationCondition": false,
            "matchValues": [
              "10.0.0.0/8",
              "172.16.0.0/12",
              "192.168.0.0/16"
            ]
          }
        ],
        "action": "Block"
      }
    ]
  }
}
```
Question 183 (medium, multiple choice)

Refer to the exhibit. You run the PowerShell command shown in the exhibit and get the output: Access: Allow, SourceAddressPrefix: *, DestinationAddressPrefix: VirtualNetwork, DestinationPortRange: 22, Protocol: TCP, Priority: 100. A security audit requires that SSH access be restricted to only the management subnet (10.0.1.0/24). What should you do?

Exhibit

```powershell
Get-AzNetworkSecurityGroup -Name 'WebNSG' -ResourceGroupName 'ProdRG' | Get-AzNetworkSecurityRuleConfig -Name 'AllowSSH' | Format-List
```
Question 184 (easy, multiple choice)

Refer to the exhibit. You deploy the Azure Firewall using the ARM template snippet shown in the exhibit. A user from the 10.0.1.0/24 subnet reports they cannot access https://portal.azure.com. All other internet access is blocked. What is the most likely reason?

Exhibit

```bicep
resource firewall 'Microsoft.Network/azureFirewalls@2023-11-01' = {
  name: 'hub-firewall'
  location: resourceGroup().location
  properties: {
    sku: { name: 'AZFW_VNet', tier: 'Standard' }
    applicationRuleCollections: [
      {
        name: 'AllowMicrosoft'
        priority: 110
        action: { type: 'Allow' }
        rules: [
          {
            name: 'AllowAzurePortal'
            sourceAddresses: [ '10.0.0.0/8' ]
            protocols: [ { protocolType: 'Https', port: 443 } ]
            targetFqdns: [ '*.portal.azure.com' ]
          }
        ]
      }
    ]
  }
}
```
Question 185 (medium, multiple choice)

Your company has a hub-spoke network in Azure. The hub contains an Azure Firewall. Spoke VNets have a route table with a default route (0.0.0.0/0) pointing to the firewall. You need to ensure that traffic from the spokes to an Azure SQL Database (with service endpoint enabled) bypasses the firewall for lower latency. What should you do?

Question 186 (hard, multiple choice)

You have an Azure Kubernetes Service (AKS) cluster with Azure CNI networking. You need to restrict egress traffic from pods to only allow connections to specific Azure services (e.g., Azure Container Registry). The cluster does not use Azure Firewall. What is the most efficient method?

Question 187 (easy, multiple choice)

You need to securely connect two Azure virtual networks in the same region to allow VM-to-VM communication using private IP addresses. The solution must minimize latency and administrative overhead. What should you use?

Question 188 (medium, multiple choice)

Your organization uses Azure Virtual WAN. You need to secure traffic between a spoke VNet and an on-premises site that connects via a Virtual WAN VPN gateway. What is the best way to inspect traffic?

Question 189 (hard, multiple choice)

You have an Azure subscription with multiple VNets connected via VNet peering. You need to audit all network traffic between two specific VNets for compliance. The solution must capture traffic metadata (source/destination IP, ports, protocol) without affecting performance. What should you use?

Question 190 (medium, multiple choice)

You are designing a network security solution for a multi-tier application in Azure. The web tier must be accessible from the internet, the application tier only from the web tier, and the database tier only from the application tier. All tiers are in different subnets of the same VNet. What is the minimum configuration?

Question 191 (medium, multiple choice)

A company has a hub-spoke network topology in Azure. The hub virtual network contains an Azure Firewall. Spoke virtual networks are peered to the hub. The security team wants to inspect all traffic between virtual machines in different spoke virtual networks. What is the minimum configuration required?

Question 192 (hard, multiple choice)

Your organization uses Azure Front Door (AFD) with WAF policy to protect a web application. Recently, a DDoS attack targeted the application endpoint. You need to mitigate the attack while minimizing latency for legitimate users. What should you do?

Question 193 (easy, multiple choice)

You are designing a secure network for a three-tier application. The web tier must be accessible from the internet on port 443. The application tier should only be reachable from the web tier. The database tier should only be reachable from the application tier. Which Azure service should you use to enforce these restrictions?

Question 194 (medium, multiple choice)

A company uses Azure Virtual WAN with secured virtual hubs. The security team wants to ensure that all traffic from branch offices to Azure resources is inspected by the Azure Firewall in the secured hub. What configuration is needed?

Question 195 (hard, multiple choice)

You are troubleshooting connectivity between two Azure VMs in the same virtual network. VM1 can ping VM2, but VM1's application cannot connect to VM2's application on port 8080. Both VMs have NSGs that allow inbound traffic on port 8080. What is the most likely cause?

Question 196 (easy, multiple choice)

Your organization needs to securely connect an on-premises data center to Azure for disaster recovery. The connection must be encrypted and use the public internet. Which Azure service should you use?

Question 197 (medium, multiple choice)

You manage multiple Azure subscriptions with VNets that need to communicate with each other. You want to centrally manage and enforce security policies across all VNets. Which Azure service should you use?

Question 198 (hard, multiple choice)

A company uses Azure Kubernetes Service (AKS) with a private cluster. Developers need to access the Kubernetes API server from their on-premises workstations without exposing it to the internet. What is the most secure solution?

Question 199 (medium, multiple choice)

You need to allow inbound HTTP traffic from the internet to a specific VM in a VNet. The VM is in a subnet with an NSG. What is the correct way to configure access?

Question 200 (medium, multi select)

Which TWO actions should you take to secure a virtual network in Azure? (Choose two.)

Question 201 (hard, multi select)

Which THREE components are required to implement a secure hybrid network that connects on-premises to Azure using ExpressRoute? (Choose three.)

Question 202 (easy, multi select)

Which TWO services can be used to filter traffic between virtual networks in Azure? (Choose two.)

Question 203 (hard, multiple choice)

You are the security engineer for a financial services company that has multiple Azure subscriptions. The company uses Azure Virtual WAN with a secured hub containing Azure Firewall. Recently, the compliance team identified that traffic between two spoke virtual networks (SpokeA and SpokeB) is bypassing the firewall. Investigation shows that SpokeA and SpokeB are directly peered and have not been routed through the hub. The requirement is that all inter-spoke traffic must be inspected by Azure Firewall. You need to enforce this without disrupting existing applications. Also, the company uses Azure Firewall Manager for policy management and wants to use Azure Policy to prevent future direct peering. What should you do first?

Question 204 (medium, multiple choice)

Your organization has deployed a multi-region web application using Azure Front Door with WAF policies. The backend origins are Azure App Services in two regions. Recently, a security audit revealed that the WAF is not blocking certain SQL injection attacks. You have identified that the WAF policy is configured in 'Detection' mode instead of 'Prevention' mode. However, the application team is concerned that changing to 'Prevention' mode might block legitimate traffic. You need to switch to 'Prevention' mode while minimizing false positives. Additionally, you want to ensure that any blocked requests are logged for analysis. What should you do?

Question 205 (easy, multiple choice)

A small business has a single Azure subscription with one virtual network containing two subnets: 'Frontend' for web servers and 'Backend' for database servers. The web servers need to access the internet to download updates, but the database servers must not have any outbound internet access. The business also needs to allow remote administration of the web servers from the internet via RDP (port 3389) but only from the IT department's public IP range (203.0.113.0/24). You need to configure network security to meet these requirements using Azure-native services. What should you do?

Question 206 (medium, multiple choice)

You are deploying a web application in Azure that must be accessible only from your corporate network via HTTPS. You have an Azure Application Gateway with a Web Application Firewall (WAF) policy. Your corporate network uses public IP addresses from a specific range. Which configuration should you use to restrict access?

Question 207 (hard, multiple choice)

Your on-premises network is connected to Azure via a Site-to-Site VPN. You have a production virtual network (VNet1) and a development VNet (VNet2) in the same region. VNet1 has a network virtual appliance (NVA) from the Azure Marketplace. You need to ensure that traffic from VNet2 to an on-premises server is inspected by the NVA in VNet1. Which routing configuration should you implement?

Question 208 (easy, multiple choice)

You manage a multi-tier application in Azure with a web tier, application tier, and database tier. The web tier must be accessible from the internet, but the application and database tiers must only be accessible from the web tier. Which Azure networking feature should you use to isolate the tiers?

Question 209 (medium, multiple choice)

You have an Azure subscription with multiple virtual networks. You need to centrally manage and enforce security policies for all outbound traffic from virtual machines to the internet. The solution must be able to inspect traffic and log all connections. What should you deploy?

Question 210 (hard, multiple choice)

Your company has a hub-and-spoke network topology in Azure. The hub contains an Azure Firewall, and spokes are peered to the hub. You need to ensure that all traffic from spoke virtual machines to the internet goes through the Azure Firewall. You configured the firewall as a next hop in user-defined routes (UDRs) on the spoke subnets. However, some traffic is bypassing the firewall. What is the most likely cause?

Question 211 (easy, multiple choice)

You need to provide secure remote access to Azure virtual machines for administrators without exposing them to the public internet. The solution must use a single entry point and support Azure Active Directory (now Microsoft Entra ID) authentication. Which Azure service should you use?

Question 212 (medium, multiple choice)

You have an Azure subscription with a virtual network (VNet1) that hosts a SQL Managed Instance. You need to connect from an on-premises application to the SQL Managed Instance using a private IP address, with minimal latency and without traversing the public internet. The on-premises network has a high-speed ExpressRoute connection to Microsoft. What should you configure?

Question 213 (hard, multi select)

You are designing a secure network architecture for a multi-region application. You need to ensure that traffic between virtual networks in different Azure regions is encrypted and uses the Microsoft backbone network, and you must minimize latency. Which TWO configurations should you implement?

Question 214 (medium, multi select)

You have an Azure virtual network that hosts a critical application. You need to protect the virtual network from DDoS attacks. Which THREE actions should you take to implement a defense-in-depth approach?

Question 215 (medium, multi select)

You are planning a migration of on-premises servers to Azure. You need to ensure that the Azure virtual network can communicate with the on-premises network securely and with high bandwidth. The on-premises network has a 1 Gbps internet connection. Which TWO options meet the requirements?

Question 216 (hard, multiple choice)

Refer to the exhibit. You are evaluating an Azure Policy definition. What is the effect of this policy when assigned to a subscription?

Exhibit

```json
{
  "properties": {
    "format": "JSON",
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Network/virtualNetworks"
      },
      "then": {
        "effect": "deny",
        "details": {
          "field": "Microsoft.Network/virtualNetworks/subnets",
          "exists": true
        }
      }
    }
  }
}
```
Question 217 (medium, multiple choice)

Refer to the exhibit. You ran the PowerShell command shown. Which statement about the network interface is true?

Exhibit

```powershell
PS C:\> Get-AzNetworkInterface -Name 'nic-web-01' -ResourceGroupName 'RG-Prod' | Select-Object -ExpandProperty IpConfigurations

Name        : ipconfig1
PrivateIpAddress : 10.0.1.4
PublicIpAddress  : 
Primary     : True
Subnet      : /subscriptions/.../subnets/web
ApplicationSecurityGroups : []
LoadBalancerBackendAddressPools : []
```
Question 218 (hard, multiple choice)

Your company, Contoso Ltd., has a hybrid network with an on-premises data center in Chicago and an Azure subscription with a single virtual network (VNet1) in the East US region. VNet1 has multiple subnets: Web, App, and Data. The Web subnet hosts a load-balanced web application accessible from the internet via a public IP. The App subnet contains application servers that communicate with an on-premises database server in Chicago. The Data subnet contains Azure SQL databases. You have an ExpressRoute circuit connecting Chicago to East US with private peering. Recently, the security team discovered that some traffic from the App subnet to the on-premises database is bypassing the ExpressRoute and traversing the internet, causing latency and security concerns. You must ensure all traffic between VNet1 and the on-premises network uses the ExpressRoute connection. Additionally, you need to restrict inbound internet traffic to only the Web subnet, and all outbound internet traffic from the App and Data subnets must be inspected by an Azure Firewall deployed in a new subnet called AzureFirewallSubnet in VNet1. You have the following requirements: 1. All traffic to/from on-premises must use ExpressRoute. 2. Only the Web subnet should be directly accessible from the internet. 3. Outbound internet traffic from App and Data subnets must be routed through Azure Firewall. 4. Minimize management overhead. Which of the following is the most appropriate course of action?

Question 219 (medium, multiple choice)

You are a security engineer at Fabrikam Inc. The company has an Azure subscription with a single virtual network (VNet1) that contains a production workload. The network is connected to an on-premises data center via a site-to-site VPN. The security team requires that all Remote Desktop Protocol (RDP) and Secure Shell (SSH) access to virtual machines in VNet1 must be brokered through Azure Bastion. Additionally, the team wants to ensure that no public IP addresses are assigned to any virtual machines in the production environment. Currently, there are several VMs with public IPs. You need to implement the requirements with minimal downtime. The solution must also ensure that administrators can access the VMs using Azure Bastion without any additional client software. What should you do?

Question 220 (easy, multiple choice)

You have an Azure virtual network (VNet1) with two subnets: SubnetA and SubnetB. SubnetA hosts web servers that must be accessible from the internet. SubnetB hosts application servers that should only be accessible from SubnetA. You need to configure network security groups (NSGs) to enforce this traffic flow. The solution must allow HTTP and HTTPS traffic from the internet to SubnetA, and allow only traffic from SubnetA to SubnetB. All other inbound traffic should be denied. What is the most efficient way to configure the NSGs?

Question 221 (hard, multiple choice)

You are a security engineer for Contoso. The company uses Azure Firewall for all inbound and outbound traffic. To prevent misconfiguration, you assign the Azure Policy shown in the exhibit at the management group scope. After assignment, a network administrator reports that they cannot create a new subnet in an existing virtual network. The subnet creation fails with a 'deny' policy error. You need to allow subnet creation while still blocking NSG rule changes. What should you do?

Exhibit

```json
{
    "properties": {
        "policyRule": {
            "if": {
                "anyOf": [
                    {
                        "field": "type",
                        "equals": "Microsoft.Network/networkSecurityGroups/securityRules"
                    },
                    {
                        "field": "type",
                        "equals": "Microsoft.Network/virtualNetworks/subnets"
                    }
                ]
            },
            "then": {
                "effect": "deny"
            }
        },
        "parameters": {},
        "displayName": "Block NSG rules and subnet changes"
    }
}
```
Question 222 (medium, multiple choice)

Your organization has deployed Azure Firewall in a hub-and-spoke network topology. You have configured forced tunneling so that all internet-bound traffic from the spoke virtual networks is routed through the Azure Firewall. Recently, a critical application in a spoke virtual network is experiencing intermittent connectivity failures to an external partner service. The partner service requires that traffic originate from a specific public IP address. You have configured Azure Firewall with a public IP address and have set up DNAT rules to allow inbound traffic. However, the outbound traffic from the application is still using the spoke's default outbound access via SNAT. You need to ensure that all outbound traffic from the application uses the Azure Firewall's public IP address. What should you do?

Question 223 (hard, multi select)

You are responsible for securing a multi-region Azure environment. The environment includes virtual networks in three regions: East US, West Europe, and Southeast Asia. You need to ensure that all traffic between these virtual networks is encrypted and travels over the Microsoft backbone network. Additionally, you must minimize latency for cross-region traffic. Which TWO configurations should you implement? (Choose two.)

Question 224 (easy, multi select)

Your company has a single Azure subscription with a hub-and-spoke network topology. The hub virtual network contains Azure Firewall and a VPN gateway for hybrid connectivity. You need to ensure that all traffic from the spoke virtual networks to on-premises is inspected by the Azure Firewall. Which THREE actions should you take? (Choose three.)

Question 225 (easy, multiple choice)

You are designing a network security strategy for a new application that will be hosted on Azure Virtual Machines. The application must be accessible from the internet on TCP port 443. You need to minimize the attack surface and ensure that only legitimate traffic reaches the virtual machines. Which Azure service should you deploy in front of the virtual machines?

Question 226 (hard, multiple choice)

Your organization has a Microsoft Entra ID tenant and uses Azure Virtual Desktop (AVD). You need to ensure that AVD session hosts in a virtual network can access on-premises resources securely without exposing the session hosts to the internet. The on-premises network is connected to Azure via ExpressRoute. All AVD traffic should be routed through the ExpressRoute connection. You have already deployed a reverse connect transport for AVD. What else should you configure to meet the requirements?

Question 227 (medium, multi select)

You are a security engineer for a large enterprise. The company uses Azure Firewall Premium to inspect traffic. You need to enable TLS inspection for outbound HTTPS traffic from a subnet containing line-of-business applications. Which TWO configurations are required to accomplish this? (Choose two.)

Question 228 (medium, multiple choice)

Your company has deployed Azure Kubernetes Service (AKS) in a virtual network. The AKS cluster needs to pull images from a private Azure Container Registry (ACR) that has a private endpoint configured. The virtual network where AKS is deployed is peered to the ACR's virtual network. You have configured the AKS cluster to use managed identity for authentication to ACR. However, the AKS cluster is unable to pull images from the ACR. You need to resolve the connectivity issue without exposing the ACR to the internet. What should you do?

Question 229 (easy, multiple choice)

Your organization uses Microsoft Sentinel for security monitoring. You have configured data connectors to collect logs from Azure Firewall and Windows Event logs from virtual machines. You need to ensure that network traffic from a specific subnet is not sent to Microsoft Sentinel due to privacy regulations. What should you do?

Question 230 (hard, multiple choice)

You are a security architect for a global company. The company uses Azure Front Door to publish web applications. You need to ensure that only traffic from Azure Front Door's backend IP ranges can reach the origin servers. The origin servers are behind Azure Application Gateway. You have already configured Access Restrictions on the Application Gateway to allow only Azure Front Door's backend IP ranges. However, you discover that the Application Gateway is still receiving traffic from other sources. You need to implement a defense-in-depth approach to ensure only Azure Front Door traffic reaches the origin. What should you do?

Question 231 (medium, multiple choice)

A company has a hub-and-spoke network topology in Azure. The hub virtual network contains an Azure Firewall and a VPN gateway. Spoke virtual networks are peered to the hub. The security team wants to ensure that all outbound internet traffic from VMs in the spokes flows through the Azure Firewall. What should be configured?

Question 232 (hard, multiple choice)

A company uses Azure Front Door (AFD) with WAF policy in front of a web application. The security team notices that some requests from a specific IP range are being blocked incorrectly. The WAF policy uses custom rules. The team wants to allow a specific IP range while still having the WAF inspect other traffic. What is the most efficient way to configure this?

Question 233 (easy, multiple choice)

You are designing network security for a multi-tier application. The web tier must be accessible from the internet, but the database tier must only be accessible from the web tier. Both tiers are in the same virtual network. Which Azure service should you use to restrict traffic between the tiers?

Question 234 (medium, multiple choice)

A company is deploying Azure Bastion to provide secure RDP/SSH access to VMs in a virtual network. The security requirement is that all administrative access must be logged and audited. What additional configuration is needed to meet this requirement?

Question 235 (hard, multi select)

A company uses Azure Firewall Premium to inspect outbound traffic. They want to deploy a web application that must comply with the Payment Card Industry Data Security Standard (PCI DSS). Which TWO capabilities should be enabled to meet PCI DSS requirements for network security?

Question 236 (medium, multiple choice)

Refer to the exhibit. An Azure Firewall Policy snippet is shown. A security administrator deploys this policy to the Azure Firewall. However, they receive reports that some VMs can still access the internet. What is the most likely reason?

Exhibit

```json
{
  "properties": {
    "rules": [
      {
        "name": "DenyInternetAccess",
        "description": "Deny outbound internet access for all VMs.",
        "ruleType": "FirewallPolicyRuleCollectionGroup",
        "ruleCollections": [
          {
            "ruleCollectionType": "FirewallPolicyFilterRuleCollection",
            "name": "DefaultFilterRuleCollection",
            "priority": 200,
            "action": {
              "type": "Deny"
            },
            "rules": [
              {
                "name": "DenyInternet",
                "protocols": [
                  "Any"
                ],
                "sourceAddresses": [
                  "*"
                ],
                "destinationAddresses": [
                  "Internet"
                ],
                "destinationPorts": [
                  "*"
                ]
              }
            ]
          }
        ]
      }
    ]
  }
}
```
Question 237 (medium, multiple choice)

You are a security engineer for a large enterprise that uses Azure Virtual WAN with multiple ExpressRoute circuits connecting on-premises data centers to Azure. The company has recently acquired a subsidiary that uses a different Azure tenant. The subsidiary has its own virtual networks and wants to connect to the parent company's Azure Virtual WAN to share resources. The security requirement is that traffic must be encrypted over the public internet, and the connection must be established without any on-premises hardware. You need to recommend a solution to securely connect the subsidiary's Azure virtual network to the parent's Virtual WAN. The solution should minimize administrative overhead and use Azure-native services. What should you recommend?
