Courseiva
Knowledge + Practice
CertificationsVendorsCareer RoadmapsLabs & ToolsStudy GuidesGlossaryPractice Questions
C
Courseiva

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.

Certification Practice Questions

CCNA practice questionsSecurity+ SY0-701 practice questionsAWS SAA-C03 practice questionsAZ-104 practice questionsAZ-900 practice questionsCLF-C02 practice questionsA+ Core 1 practice questionsGoogle Cloud ACE practice questionsCySA+ CS0-003 practice questionsNetwork+ N10-009 practice questions
View all certifications →

Product

CertificationsCertification PathsExam TopicsPractice TestsExam Dumps vs Practice TestsStudy HubComparisons

Company

AboutContactEditorial PolicyQuestion Writing PolicyTrust Center

Legal

Privacy PolicyTerms of Service

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

HomeCertificationsAZ-500TopicsSecure networking
Free · No Signup RequiredMicrosoft · AZ-500

AZ-500 Secure networking Practice Questions

20+ practice questions focused on Secure networking — one of the most tested topics on the Microsoft Azure Security Engineer Associate AZ-500 exam. Each question includes a detailed explanation so you learn why the right answer is correct.

Start Secure networking Practice

Exam Domains

Secure identity and accessSecure compute, storage, and databasesSecure Azure using Microsoft Defender for Cloud and Microsoft SentinelManage identity and accessSecure networkingAll domains →

Study Tools

Practice TestMock ExamFlashcardsAll Topics

Sample Secure networking Questions

Practice all 20+ →
1.

A company has a hub-spoke network topology. The hub virtual network contains an Azure Firewall and an ExpressRoute gateway for on-premises connectivity. The spoke virtual network hosts a critical application. They need to ensure that all outbound traffic from the spoke to the internet and to on-premises networks is routed through the Azure Firewall. They configure a user-defined route (UDR) on the spoke subnet with address prefix 0.0.0.0/0 and next hop as the Azure Firewall's private IP. They also disable 'Virtual network gateway route propagation' on the spoke subnet. However, traffic to on-premises still bypasses the firewall and goes through the ExpressRoute gateway. What is the most likely cause?

A.The Azure Firewall is not in the same region as the spoke.
B.The ExpressRoute gateway's BGP routes are still overriding the UDR because gateway propagation is not fully disabled.
C.The spoke subnet does not have a route for the on-premises prefix pointing to the firewall.
D.The route table is not associated with the spoke subnet.

Explanation: The user-defined route (UDR) with 0.0.0.0/0 only covers traffic destined for the internet. Traffic to on-premises networks has a more specific destination prefix (e.g., 10.0.0.0/8). Without an explicit route for that on-premises prefix pointing to the Azure Firewall, the system uses the more specific route learned via ExpressRoute BGP, which directs traffic to the ExpressRoute gateway instead of the firewall. Disabling 'Virtual network gateway route propagation' prevents BGP routes from being added to the route table, but it does not remove existing learned routes; however, the core issue is the lack of a specific UDR for the on-premises prefix.

2.

Your company has an Azure subscription with a hub-spoke network topology. The hub contains an Azure Firewall and a VPN gateway for on-premises connectivity. The spoke virtual network hosts a critical application. You need to ensure that all outbound traffic from the spoke to the internet and on-premises networks flows through the Azure Firewall. You configure a user-defined route (UDR) on the spoke subnet with the default route (0.0.0.0/0) pointing to the Azure Firewall private IP. However, traffic to on-premises still bypasses the firewall. What is the most likely cause?

A.The on-premises traffic uses a more specific route learned via BGP from the VPN gateway, which overrides the UDR
B.The UDR must be applied to the subnet that hosts the Azure Firewall
C.The spoke subnet does not have 'GatewaySubnet' route propagation enabled
D.The Azure Firewall is not configured with a route to the on-premises network

Explanation: The most likely cause is that the on-premises traffic uses a more specific route learned via BGP from the VPN gateway, which overrides the user-defined route (UDR). In Azure, when a UDR and a BGP-propagated route both match traffic, the route with the most specific prefix (longest prefix match) wins. Since on-premises networks are typically advertised with specific IP prefixes (e.g., 10.0.0.0/16) rather than 0.0.0.0/0, the BGP-learned routes take precedence, causing traffic to bypass the Azure Firewall.

3.

A company has an Azure virtual network that uses Azure Firewall as the central traffic inspection point. They have a spoke VNet peered to the hub VNet. The spoke VNet contains a subnet with virtual machines. The security team wants to ensure that all outbound traffic from those virtual machines to the internet goes through the Azure Firewall. They have configured a route table on the spoke subnet with a default route (0.0.0.0/0) to the Azure Firewall's private IP. However, traffic from the VMs is still going directly to the internet. What is the most likely cause?

A.The route table is not associated to the subnet.
B.The Azure Firewall is not configured with a default route.
C.The virtual machines have public IP addresses assigned.
D.The VNet peering is not configured properly.

Explanation: When a virtual machine in Azure has a public IP address assigned, Azure's default routing logic gives it a 'default outbound access' path that bypasses any user-defined route (UDR) pointing to the Azure Firewall. This is because Azure prefers the host's public IP route over a UDR for internet-bound traffic, unless the VM is explicitly configured to use a NAT gateway or Azure Firewall as the next hop. Therefore, even with the route table correctly associated, the VM will send traffic directly to the internet via its public IP.

4.

A company has a hub-spoke network topology with Azure Firewall deployed in the hub virtual network. Spoke virtual networks are peered to the hub. The security team needs to ensure that all outbound internet traffic from virtual machines in a spoke subnet goes through the Azure Firewall. They have configured a route table on the spoke subnet with a default route (0.0.0.0/0) pointing to the Azure Firewall private IP address. However, traffic from spoke VMs is still bypassing the firewall and going directly to the internet. What is the most likely reason?

A.The route table is not associated with the spoke subnet.
B.Azure Firewall is not configured with DNAT rules for outbound traffic.
C.The spoke VNet peering does not allow gateway transit.
D.The route table has a higher priority than system routes.

Explanation: The most likely reason is that the route table containing the default route (0.0.0.0/0) pointing to the Azure Firewall private IP has not been associated with the spoke subnet. Without this association, the subnet continues to use system routes, which include a default route to the internet via the Azure default gateway, allowing traffic to bypass the firewall. Associating the route table with the subnet is a required step to override the system default route.

5.

A company has two Azure virtual networks: VNet-A and VNet-B. They peer the VNets and deploy a network virtual appliance (NVA) in VNet-A. They want to inspect all outbound traffic from VNet-B to the internet using the NVA. They configure a user-defined route (UDR) in a route table associated with the subnet in VNet-B, with a default route (0.0.0.0/0) and next hop set to the private IP of the NVA in VNet-A. However, outbound traffic from VNet-B still goes directly to the internet. What is the most likely cause?

A.The NVA's network interface must have 'IP forwarding' enabled.
B.The VNet peering is not configured to allow traffic from VNet-B to route through VNet-A.
C.The route table is not associated with the subnet in VNet-B.
D.The NVA does not have a public IP address.

Explanation: The most likely cause is that IP forwarding is disabled on the NVA's network interface. Even with a correct user-defined route (UDR) pointing 0.0.0.0/0 traffic to the NVA's private IP, Azure will drop packets destined to the NVA unless the NIC is configured to accept and forward traffic not addressed to itself. Enabling IP forwarding allows the NVA to act as a router, processing and forwarding packets between VNets.

+15 more Secure networking questions available

Practice all Secure networking questions

How to master Secure networking for AZ-500

1. Baseline your knowledge

Start with 10 questions to gauge your current understanding of Secure networking. This tells you whether you need a concept refresher or just practice.

2. Review every explanation

For each question — right or wrong — read the full explanation. Understanding why an answer is correct is more valuable than knowing the answer itself.

3. Focus on exam traps

Secure networking questions on the AZ-500 frequently use trap wording. Look for subtle differences in answers that test your precision, not just general knowledge.

4. Reach 80% consistently

Do repeated sessions until you score 80%+ three times in a row. Then move to mixed-mode practice to test cross-topic recall under realistic conditions.

Frequently asked questions

How many AZ-500 Secure networking questions are on the real exam?

The exact number varies per candidate. Secure networking is tested as part of the Microsoft Azure Security Engineer Associate AZ-500 blueprint. Practicing with targeted Secure networking questions ensures you can handle any format or difficulty that appears.

Are these AZ-500 Secure networking practice questions free?

Yes. Courseiva provides free AZ-500 practice questions across all exam topics and domains. The platform includes topic-based practice, mock exams, missed-question review, bookmarked questions, and readiness tracking — no account required.

Is Secure networking one of the harder AZ-500 topics?

Difficulty is subjective, but Secure networking is a high-priority exam concept tested in multiple ways — direct recall, scenario analysis, and command-output interpretation. Consistent practice is the best way to build confidence.

Ready to practice?

Launch a full Secure networking practice session with instant scoring and detailed explanations.

Start Secure networking Practice →

Topic Info

Topic

Secure networking

Exam

AZ-500

Questions available

20+