Common Traps on Refer to the Exhibit Practice Questions
- Do not answer from memory before reading the topology or output.
- Check the exact device, interface, VLAN, route or service mentioned in the question.
- Look for small details: allowed VLANs, route preference, subnet masks, security rules and next-hop choices.
Sample Questions
A company has a hub-spoke network topology. The hub virtual network contains an Azure Firewall and an ExpressRoute gateway for on-premises connectivity. The spoke virtual network hosts a critical application. They need to ensure that all outbound traffic from the spoke to the internet and to on-premises networks is routed through the Azure Firewall. They configure a user-defined route (UDR) on the spoke subnet with address prefix 0.0.0.0/0 and next hop as the Azure Firewall's private IP. They also disable 'Virtual network gateway route propagation' on the spoke subnet. However, traffic to on-premises still bypasses the firewall and goes through the ExpressRoute gateway. What is the most likely cause?
Explanation: Disabling 'Virtual network gateway route propagation' prevents routes from the ExpressRoute gateway from being automatically added to the subnet's route table. However, the UDR with 0.0.0.0/0 only covers internet-bound traffic. Traffic destined to on-premises networks uses the specific prefix learned from ExpressRoute (e.g., 10.0.0.0/8). Even with propagation disabled, the route table does not have a route for that specific on-premises prefix. The 0.0.0.0/0 route is less specific, so traffic matching the on-premises prefix will not use it. To force on-premises traffic through the firewall, you must add an explicit UDR for the on-premises address prefix with next hop as the Azure Firewall. The Azure Firewall's location and route table association are not the issue here.
A company has a hub-spoke network topology in Azure. They need to inspect and filter all traffic flowing between spoke virtual networks for malicious content and require that the inspection is stateful. Which Azure-native service should they deploy in the hub virtual network to meet this requirement?
Explanation: Azure Firewall is a fully stateful firewall as a service that can inspect and filter traffic between virtual networks. It supports network and application rules, and can be deployed in a hub VNet to route inter-spoke traffic through it. NSGs on peering connections are not stateful for traffic across peering and cannot inspect application-layer content. Application Gateway with WAF is for web traffic only and requires a specific listener. DDoS Protection only mitigates volumetric attacks, not application-level filtering.
A company has a hub-spoke network topology with Azure Firewall deployed in the hub virtual network. Spoke virtual networks are peered to the hub. The security team needs to ensure that all outbound internet traffic from virtual machines in a spoke subnet goes through the Azure Firewall. They have configured a route table on the spoke subnet with a default route (0.0.0.0/0) pointing to the Azure Firewall private IP address. However, traffic from spoke VMs is still bypassing the firewall and going directly to the internet. What is the most likely reason?
Explanation: For a user-defined route table to affect traffic from a subnet, it must be explicitly associated with that subnet. Simply creating the route table with the desired routes is insufficient; association is required. In many cases, administrators create the route table but forget to associate it with the subnet, causing the subnet to continue using system routes (which allow direct internet access). Option A is the most likely reason. Option B is incorrect because Azure Firewall does not require DNAT rules for outbound traffic. Option C (gateway transit) is for VPN gateway scenarios, not for Azure Firewall outbound routing. Option D is false because user-defined routes take precedence over system routes.
A company uses a hub-spoke network topology in Azure. They need to inspect and filter all traffic flowing between spoke virtual networks for security compliance. Which Azure-native service should be deployed in the hub virtual network to achieve this?
Explanation: Azure Firewall is a managed, cloud-based network security service that provides stateful inspection of traffic. By deploying Azure Firewall in the hub VNet and configuring user-defined routes (UDRs) on spoke subnets to route inter-spoke traffic through the firewall, you can inspect all traffic. Network Virtual Appliances (NVAs) are third-party solutions, not Azure-native. VPN gateways only handle encrypted connections to on-premises or other clouds, not traffic inspection between spokes. Load balancers distribute traffic but do not inspect or filter.
Your company has an Azure subscription with a hub-spoke network topology. The hub contains an Azure Firewall and a VPN gateway for on-premises connectivity. The spoke virtual network hosts a critical application. You need to ensure that all outbound traffic from the spoke to the internet and on-premises networks flows through the Azure Firewall. You configure a user-defined route (UDR) on the spoke subnet with the default route (0.0.0.0/0) pointing to the Azure Firewall private IP. However, traffic to on-premises still bypasses the firewall. What is the most likely cause?
Explanation: When VNet peering is configured to use the hub's VPN gateway, the spoke VNet learns more specific routes for on-premises prefixes via BGP. These BGP routes carry a longer (more specific) prefix than 0.0.0.0/0, so longest-prefix matching selects them over the UDR, causing traffic to bypass the firewall.
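As an added illustration, not part of the original question set, the following Python model of Azure's effective-route selection (longest prefix match first, then UserDefined over BGP over System when prefix lengths tie) reproduces the three situations discussed in the questions above: a route table that was never associated with the spoke subnet, a lone 0.0.0.0/0 UDR that loses to a more specific propagated on-premises prefix, and the explicit on-premises UDR that wins the tie. The address ranges, firewall IP and route entries are constructed for the example.

```python
import ipaddress

# Tie-breaker between routes of equal prefix length, as Azure applies it.
SOURCE_PRIORITY = {"UserDefined": 0, "BGP": 1, "System": 2}

def route(prefix, source, next_hop):
    return {"net": ipaddress.ip_network(prefix), "source": source, "next_hop": next_hop}

# Constructed addressing: spoke VNet 192.168.1.0/24, hub VNet 192.168.0.0/24,
# Azure Firewall private IP in the hub, on-premises range 10.0.0.0/8.
FW_IP = "192.168.0.4"
SYSTEM_ROUTES = [
    route("192.168.1.0/24", "System", "VnetLocal"),      # spoke's own address space
    route("192.168.0.0/24", "System", "VNetPeering"),    # hub reached over peering
    route("0.0.0.0/0", "System", "Internet"),            # default system route
]
# Prefix propagated from the hub gateway (ExpressRoute or VPN) via BGP.
BGP_ROUTES = [route("10.0.0.0/8", "BGP", "VirtualNetworkGateway")]

# The two user-defined route tables compared in the questions.
UDR_DEFAULT_ONLY = [route("0.0.0.0/0", "UserDefined", FW_IP)]
UDR_WITH_ONPREM = UDR_DEFAULT_ONLY + [route("10.0.0.0/8", "UserDefined", FW_IP)]

def effective_routes(udr):
    """Routes the spoke subnet actually evaluates. udr=None models a route
    table that exists but was never associated with the subnet."""
    return SYSTEM_ROUTES + BGP_ROUTES + (udr or [])

def next_hop(udr, dest):
    """Return the next hop Azure would choose for dest on the spoke subnet."""
    ip = ipaddress.ip_address(dest)
    candidates = [r for r in effective_routes(udr) if ip in r["net"]]
    if not candidates:
        return None
    # Longest prefix wins; on a tie the source priority decides.
    best = min(candidates,
               key=lambda r: (-r["net"].prefixlen, SOURCE_PRIORITY[r["source"]]))
    return best["next_hop"]

if __name__ == "__main__":
    for label, udr in [("not associated", None),
                       ("0.0.0.0/0 only", UDR_DEFAULT_ONLY),
                       ("0.0.0.0/0 + 10.0.0.0/8", UDR_WITH_ONPREM)]:
        print(f"{label:24s} internet -> {next_hop(udr, '8.8.8.8')}, "
              f"on-prem -> {next_hop(udr, '10.20.30.40')}")
```

The model covers only the spoke subnet; in a real deployment the firewall's own subnet still needs a route back to the on-premises prefix for the forwarded traffic to arrive.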
Frequently asked questions
How do "Refer to the Exhibit Practice Questions" appear on the real AZ-500?
Practise exhibit-style questions that ask you to read a topology, table, command output or diagram before choosing the best answer. These appear throughout the AZ-500 and require you to apply your knowledge, not just recall facts.
How many scenario questions are on the AZ-500 exam?
Cisco doesn't publish an exact breakdown, but scenario-based questions (especially exhibit and command-output formats) make up a significant portion of the AZ-500. Practicing each scenario type ensures you're ready for any format.
Are these AZ-500 scenario practice questions free?
Yes — all scenario practice on Courseiva is completely free. Sign up for a free account to track your progress and see which scenario types you've mastered.