CCNA Implement and Manage Virtual Networking Questions

63 of 288 questions · Page 4/4 · Implement and Manage Virtual Networking · Answers revealed

226
MCQ · easy

An NSG on a subnet has these inbound rules: Deny-All-Inbound at priority 100 and Allow-RDP-from-AdminSubnet at priority 200. Administrators on AdminSubnet still cannot RDP to a VM in the subnet. What should the network administrator change?

A. Delete the deny rule so only the allow rule remains.
B. Move the allow rule to a lower priority number than 100.
C. Change the VM to a different availability zone.
D. Create a private endpoint for the VM.
Answer: B

NSG rules are processed in priority order, and the lowest number wins. The allow rule must be evaluated before the deny rule.

Why this answer

The NSG rules are evaluated in priority order, with lower numbers having higher precedence. The Deny-All-Inbound rule at priority 100 blocks all traffic, including RDP from AdminSubnet, before the Allow-RDP-from-AdminSubnet rule at priority 200 is evaluated. To allow RDP traffic, the allow rule must have a lower priority number (e.g., 90) than the deny rule (100), ensuring it is evaluated first and permits the traffic before the deny rule blocks it.

Exam trap

The trap here is that candidates assume allow rules override deny rules regardless of priority. Azure NSGs use priority-based evaluation in which the first matching rule (the one with the lowest priority number) wins, so a deny rule with a lower priority number blocks the traffic even when an allow rule with a higher priority number exists further down the list.

How to eliminate wrong answers

Option A is wrong because deleting the deny rule would remove all inbound traffic blocking, exposing the subnet to unrestricted inbound access, which is a security risk and not a targeted fix for the RDP issue. Option C is wrong because changing the VM to a different availability zone does not affect NSG rule evaluation or priority; availability zones are for fault tolerance, not network security rule processing. Option D is wrong because a private endpoint is used for secure access to Azure PaaS services (e.g., Storage, SQL) over a private IP, not for enabling RDP to a VM; it does not alter NSG rule priority or allow RDP traffic.

227
Multi-Select · medium

Your company has two Azure virtual networks in the same region: VNetA (10.0.0.0/16) and VNetB (10.1.0.0/16). You need to enable communication between resources in VNetA and VNetB while ensuring that traffic is encrypted and passes over the Microsoft backbone network. Which three of the following must be configured? (Choose three.)

Select 3 answers
- Establish a site-to-site VPN connection between the two virtual networks.
- Configure virtual network peering between VNetA and VNetB.
- Enable 'Allow gateway transit' on both virtual networks.
- Verify that the virtual network address spaces do not overlap.
- Create a private endpoint for each resource that needs to communicate.
- Ensure that the virtual networks are in the same Azure region.

Why this answer

Virtual network peering is required to enable direct connectivity between VNetA and VNetB, allowing resources in both networks to communicate over the Microsoft backbone network. Verifying that the address spaces do not overlap (10.0.0.0/16 and 10.1.0.0/16) is a prerequisite for successful peering, as overlapping ranges would cause routing conflicts. Ensuring the virtual networks are in the same Azure region is necessary because standard virtual network peering only works within the same region; global peering would be required for cross-region connectivity, but the question specifies the same region.

Exam trap

The trap here is that candidates often confuse virtual network peering with site-to-site VPN or gateway transit, mistakenly thinking encryption or gateway configuration is required for intra-region peering, when in fact peering itself uses the Microsoft backbone and is inherently secure without additional VPN setup.

228
MCQ · medium

Two VNets are peered. AppVNet contains VMs that access a private endpoint in DataVNet successfully by IP, but name resolution fails for the storage FQDN. The private DNS zone is linked only to DataVNet. What should you do?

A. Create another peering connection from AppVNet to DataVNet.
B. Add a virtual network link from the private DNS zone to AppVNet.
C. Create a public DNS zone with the same name as the private zone.
D. Assign a public IP address to the private endpoint.
Answer: B

Private endpoint name resolution depends on the private DNS zone being linked to the VNet where the clients reside. Because AppVNet is not linked to the zone, its VMs cannot resolve the private endpoint FQDN even though IP connectivity exists. Adding a virtual network link from the private DNS zone to AppVNet makes the private records available to those clients.

Why this answer

The private DNS zone is linked only to DataVNet, so VMs in AppVNet cannot resolve the storage FQDN even though IP connectivity works via the VNet peering. By adding a virtual network link from the private DNS zone to AppVNet, you enable DNS resolution for the private endpoint's FQDN across the peered VNet. This is required because private DNS zones are scoped to the VNets they are linked to, and peering alone does not propagate DNS resolution.

Exam trap

The trap here is that candidates assume VNet peering automatically extends DNS resolution for private endpoints, but peering only provides IP connectivity—DNS resolution requires explicit virtual network links to the private DNS zone.

How to eliminate wrong answers

Option A is wrong because a VNet peering already exists between AppVNet and DataVNet (IP connectivity works), so creating another peering does not address DNS resolution. Option C is wrong because creating a public DNS zone with the same name would conflict with the private zone and is unnecessary; the private endpoint requires private DNS resolution, not public. Option D is wrong because assigning a public IP to the private endpoint defeats its purpose (private connectivity) and does not resolve the FQDN within the private DNS zone.

229
MCQ · medium

A storage account is accessed from a VM in VNet A through a private endpoint. A VM in peered VNet B can connect to the storage account by IP, but when it uses the storage account name, it resolves to the public endpoint. What should the administrator configure?

A. Enable a service endpoint on VNet B for Microsoft.Storage.
B. Link the private DNS zone for the storage account to VNet B.
C. Assign the VM in VNet B a managed identity.
D. Create a route table that points storage traffic to the private endpoint subnet.
Answer: B

The name resolution problem indicates that VNet B does not know to resolve the storage FQDN to the private endpoint address. Linking the correct private DNS zone to VNet B lets machines in that network resolve the name to the private IP instead of the public endpoint. This is a common requirement when private endpoints are accessed from peered networks or additional VNets.

Why this answer

The VM in VNet B can reach the storage account by IP because the private endpoint is accessible over the VNet peering, but DNS resolution still returns the public IP because the private DNS zone (privatelink.blob.core.windows.net) is not linked to VNet B. By linking the private DNS zone to VNet B, the VM will resolve the storage account name to the private endpoint IP, ensuring connectivity over the Microsoft backbone instead of the public internet.

Exam trap

The trap here is that candidates assume VNet peering automatically provides DNS resolution for private endpoints, but the private DNS zone must be explicitly linked to each peered VNet for name resolution to work.

How to eliminate wrong answers

Option A is wrong because a service endpoint would expose the storage account to VNet B via its public endpoint, not the private endpoint, and would not fix DNS resolution to the private IP; it also bypasses the private endpoint's isolation benefits. Option C is wrong because a managed identity provides authentication (Azure AD tokens) but does not affect DNS resolution or network routing to the private endpoint. Option D is wrong because a route table can direct traffic to the private endpoint subnet, but without proper DNS resolution, the VM will still attempt to connect to the public IP, and the route table cannot override DNS behavior.

230
MCQ · medium

Based on the exhibit, what should the administrator change so the web tier can reach the database tier on TCP 443 without opening the subnet more broadly?

A. Move the allow rule for WebTierASG to a priority lower than 100.
B. Delete the deny rule because default rules already block unwanted traffic.
C. Change the deny rule source from VirtualNetwork to Internet.
D. Change the default inbound rule to AllowVnetInBound.
Answer: A

The allow rule must be evaluated before the broader deny rule so the intended traffic is permitted.

Why this answer

Option A is correct because the administrator must ensure the allow rule for WebTierASG is evaluated before the deny-all rule. In Azure Network Security Groups (NSGs), rules are processed in priority order (lower numbers first). The current deny rule at priority 100 blocks all traffic from VirtualNetwork, including TCP 443 from the web tier.

By moving the allow rule to a priority lower than 100 (e.g., 90), it will be evaluated first, permitting TCP 443 traffic from WebTierASG to the database tier, while the deny rule still blocks all other traffic from the virtual network.

Exam trap

The trap here is that candidates often assume default rules block unwanted traffic, but Azure NSG default rules are permissive for virtual network traffic, so an explicit deny rule is necessary to restrict access, and priority order must be managed carefully to ensure allow rules are evaluated before deny rules.

How to eliminate wrong answers

Option B is wrong because default rules in Azure NSGs only allow inbound traffic from within the virtual network and Azure load balancer; they do not block unwanted traffic by default—they are permissive, and a deny rule is required to explicitly block traffic. Option C is wrong because changing the deny rule source from VirtualNetwork to Internet would block all internet traffic but still allow all virtual network traffic (including unwanted traffic), which does not solve the requirement to restrict access to only the web tier. Option D is wrong because changing the default inbound rule 'AllowVnetInBound' to a deny rule would block all virtual network traffic, including the desired TCP 443 traffic from the web tier, and default rules cannot be modified (only overridden with higher-priority custom rules).

231
MCQ · hard

Two virtual machines named VM-Web01 and VM-Web02 host the same public web application. Users on the internet must connect through a single public IP address, and incoming requests should be distributed across both VMs. What should you deploy?

A. An internal load balancer
B. A public load balancer
C. A private DNS zone
D. A Recovery Services vault
Answer: B

A public load balancer fits the requirement for a single public IP and traffic distribution across both VMs.

Why this answer

A public load balancer (Azure Load Balancer with a public frontend IP) is required because it provides a single public IP address for internet clients and distributes incoming traffic across the backend VMs (VM-Web01 and VM-Web02) using a configured load-balancing rule. This ensures high availability and scalability for the web application.

Exam trap

The trap here is that candidates often confuse an internal load balancer with a public load balancer, mistakenly thinking any load balancer can provide internet-facing access, but only a public load balancer exposes a public IP address for external clients.

How to eliminate wrong answers

Option A is wrong because an internal load balancer uses a private IP address from the virtual network, which is not accessible from the internet, so it cannot provide a single public IP for external users. Option C is wrong because a private DNS zone is used for name resolution within a virtual network, not for distributing incoming traffic or providing a public IP address. Option D is wrong because a Recovery Services vault is used for backup and disaster recovery (Azure Backup and Site Recovery), not for load balancing or public IP addressing.

232
MCQ · medium

Two application VNets are deployed in different Azure regions. Each VNet uses a unique, non-overlapping address space. The application teams want private IP connectivity over the Microsoft backbone with the lowest possible latency between the regions. Which design should the administrator choose?

A. Global VNet peering.
B. A site-to-site VPN between the two VNets.
C. Azure Traffic Manager with two public endpoints.
D. A service endpoint for each application subnet.
Answer: A

Global VNet peering is the correct choice for private connectivity between VNets in different Azure regions. It keeps traffic on the Microsoft backbone, uses private IP addressing, and avoids the added latency and overhead of an external VPN tunnel. Because the VNets already have non-overlapping address spaces, they meet the peering prerequisites. This design is commonly used when multiple regional workloads need fast, private communication without introducing a gateway-based path.

Why this answer

Global VNet peering provides direct, private IP connectivity between two VNets in different Azure regions over the Microsoft backbone, ensuring the lowest possible latency by bypassing the public internet and any intermediate gateways. It uses the Azure infrastructure to route traffic efficiently between the peered VNets, meeting the requirement for private, low-latency communication.

Exam trap

The trap here is that candidates often pick a site-to-site VPN (Option B) as the private connectivity method, overlooking that its encryption overhead and gateway processing introduce higher latency than the direct, unencrypted path of Global VNet peering.

How to eliminate wrong answers

Option B is wrong because a site-to-site VPN between the two VNets introduces additional latency due to encryption/decryption overhead and traffic traversing a VPN gateway, which is not the lowest-latency option compared to direct peering. Option C is wrong because Azure Traffic Manager is a DNS-based traffic load balancer that directs public endpoints, not a private connectivity solution; it does not provide private IP connectivity between VNets. Option D is wrong because a service endpoint provides private connectivity from a VNet to specific Azure PaaS services (e.g., Azure Storage) over the Microsoft backbone, but it does not enable private IP connectivity between two application VNets.

233
MCQ · medium

A subnet has these inbound NSG rules: Rule 100 denies TCP 3389 from Internet, Rule 200 allows TCP 3389 from 10.0.0.0/8, and Rule 300 allows TCP 3389 from AzureLoadBalancer. An administrator in 10.20.5.4 cannot RDP to a VM in the subnet. Why is the connection denied?

A. The deny rule at priority 100 matches before the allow rule at priority 200.
B. The AzureLoadBalancer service tag blocks all other inbound traffic on that port.
C. The VM needs a public IP address for RDP to work from a private source.
D. NSG rules are processed by longest prefix match, so the /8 source loses to the /32 VM address.
Answer: A

NSG rules are evaluated in priority order, and the lowest number is processed first. Even though 10.20.5.4 is inside 10.0.0.0/8, the deny rule for Internet at priority 100 can still be the effective match if the packet is classified through a broader source condition that fits earlier evaluation logic in the rule set. The key lesson is that priority order determines which rule wins, not how desirable the allow rule looks later in the list.

Why this answer

Option A is correct because Network Security Group (NSG) rules are evaluated in priority order, from lowest number to highest. Rule 100 with priority 100 denies TCP port 3389 from the Internet source, which includes all IP addresses not explicitly part of Azure virtual networks, such as the 10.20.5.4 address (since it is not in the 10.0.0.0/8 range). The deny rule matches first, so the connection is blocked before the allow rule at priority 200 can be evaluated.

Exam trap

The trap here is that candidates often assume NSG rules are evaluated using longest prefix match (like routing tables) or that a more specific allow rule will override a broader deny rule, but in reality, NSG rules are evaluated strictly by priority number, and the first matching rule is applied regardless of specificity.

How to eliminate wrong answers

Option B is wrong because the AzureLoadBalancer service tag only allows traffic from the Azure load balancer health probes; it does not block other inbound traffic on that port. Option C is wrong because RDP from a private source (10.20.5.4) does not require a public IP address on the VM; a private IP is sufficient for internal connectivity. Option D is wrong because NSG rules do not use longest prefix match for rule evaluation; they are evaluated strictly by priority number, not by the specificity of the source or destination address.

234
MCQ · medium

Based on the exhibit, an administrator is trying to peer two VNets so workloads can communicate privately. The peering creation fails. What should the administrator do first?

A. Create a user-defined route in VNet-Prod to force traffic through a firewall.
B. Readdress one of the VNets so the address spaces no longer overlap.
C. Enable gateway transit on both VNets and retry the peering.
D. Add an NSG rule that allows traffic from the other VNet.
Answer: B

Azure VNet peering requires non-overlapping address spaces. The correct first step is to change one VNet to a unique, non-conflicting prefix before attempting peering again. Once the overlap is removed, the peering can be created and traffic can flow privately between the networks.

Why this answer

VNet peering requires that the address spaces of the two virtual networks do not overlap. Overlapping address spaces cause routing conflicts and prevent the peering from being established. The administrator must readdress one of the VNets so their IP ranges are unique before retrying the peering.

Exam trap

The trap here is that candidates often focus on network security or traffic control (NSGs, UDRs, gateway transit) instead of recognizing that VNet peering has a strict prerequisite of non-overlapping address spaces, which is a common misconfiguration in real-world scenarios.

How to eliminate wrong answers

Option A is wrong because creating a user-defined route (UDR) to force traffic through a firewall does not resolve the underlying address space overlap; UDRs are used to control traffic flow, not to fix peering prerequisites. Option C is wrong because gateway transit is a feature that allows a peered VNet to use the other VNet's VPN/ExpressRoute gateway, but it does not address overlapping address spaces and is not required for basic VNet peering. Option D is wrong because adding an NSG rule to allow traffic from the other VNet is irrelevant when the peering itself fails due to overlapping address spaces; NSGs control traffic after peering is established, not the peering creation.

235
MCQ · medium

A subnet has a route table with these user-defined routes: 172.16.0.0/16 -> Virtual appliance 10.1.1.4 and 172.16.1.0/24 -> Internet. A VM in the subnet sends traffic to 172.16.1.20. Which next hop is used?

A. Virtual appliance 10.1.1.4, because the broader route was added first.
B. Internet, because the most specific route prefix always wins.
C. Virtual network gateway, because all traffic to private IP addresses uses the gateway by default.
D. No next hop, because conflicting user-defined routes disable routing for that destination.
Answer: B

Azure chooses the longest matching prefix. The /24 route is more specific than the /16 route.

Why this answer

Azure route selection uses the longest prefix match (most specific route) to determine the next hop. The route 172.16.1.0/24 is more specific than 172.16.0.0/16, so traffic to 172.16.1.20 uses the Internet next hop, not the virtual appliance. This is consistent with how Azure evaluates user-defined routes (UDRs) and system routes.

Exam trap

The trap here is that candidates assume route priority is based on the order routes are added (first match wins) rather than the longest prefix match, leading them to incorrectly choose the virtual appliance route.

How to eliminate wrong answers

Option A is wrong because Azure does not use route creation order to resolve conflicts; it always uses the most specific prefix match, regardless of when the route was added. Option C is wrong because a virtual network gateway is only used for routes learned via BGP or as a default system route for gateway subnets, not for all private IP traffic; the explicit UDRs override any default behavior. Option D is wrong because conflicting UDRs do not disable routing; Azure selects the most specific matching route, and if no match exists, it falls back to system routes.

236
MCQ · medium

A VM in a subnet must access an Azure Storage account without creating a private endpoint. The organization is fine with the storage account remaining on its public endpoint, but traffic should stay on the Azure backbone rather than the public internet. Which feature should you use?

A. A service endpoint for Microsoft.Storage on the subnet.
B. A private endpoint and a private DNS zone.
C. A NAT gateway attached to the subnet.
D. A VPN gateway connection to the storage account resource group.
Answer: A

A service endpoint extends the VNet identity to the supported Azure service and keeps traffic on the Microsoft backbone. It does not create a private IP or require DNS changes, which matches this requirement. The storage account can remain on its public endpoint while still accepting traffic only from the allowed subnet.

Why this answer

A service endpoint for Microsoft.Storage on the subnet extends the virtual network identity to the storage account, allowing traffic from the subnet to the storage account's public endpoint to traverse the Azure backbone network instead of the public internet. This meets the requirement of keeping traffic on the Azure backbone without creating a private endpoint, as service endpoints use the public endpoint but route traffic through Microsoft's network.

Exam trap

The trap here is that candidates confuse service endpoints with private endpoints, assuming both require private IPs, but service endpoints keep the public endpoint while routing traffic over the Azure backbone.

How to eliminate wrong answers

Option B is wrong because a private endpoint creates a private IP address in the subnet for the storage account, which the organization explicitly wants to avoid. Option C is wrong because a NAT gateway provides outbound internet connectivity for the subnet but does not route traffic to Azure Storage over the backbone; it still uses the public internet path. Option D is wrong because a VPN gateway connects on-premises networks to Azure, not a subnet to a storage account, and it does not affect routing between a VM and a storage account within Azure.

237
MCQ · medium

A subnet has a user-defined route for 0.0.0.0/0 that sends all outbound traffic to a network virtual appliance for inspection. The business now attaches a NAT gateway to the subnet and wants internet-bound traffic to use the NAT gateway's public IP, while traffic to private corporate prefixes should still go to the appliance. What should the administrator change?

A. Leave the route table unchanged because the NAT gateway always overrides a default UDR.
B. Remove the 0.0.0.0/0 UDR and add only the specific private-prefix routes that must go to the appliance.
C. Disable source NAT on the network virtual appliance.
D. Create a private endpoint for internet traffic so outbound packets stay in Azure.
Answer: B

A NAT gateway provides outbound internet translation when the subnet uses the default internet route. If a 0.0.0.0/0 UDR sends traffic to an appliance, that route wins and the NAT gateway is bypassed. To meet both requirements, keep specific routes for corporate/private prefixes toward the appliance and let internet-bound traffic follow the system route, where the NAT gateway can provide stable outbound IPs.

Why this answer

The 0.0.0.0/0 user-defined route (UDR) sends all outbound traffic to the network virtual appliance (NVA). A NAT gateway provides outbound connectivity with a public IP, but it only takes effect when there is no explicit 0.0.0.0/0 route overriding it. By removing the 0.0.0.0/0 UDR and adding only specific private-prefix routes (e.g., 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) pointing to the NVA, internet-bound traffic will use the NAT gateway (via its default route), while corporate traffic is still forced through the appliance.

Exam trap

The trap here is that candidates assume a NAT gateway automatically overrides any existing default route, but in Azure, a user-defined route (UDR) for 0.0.0.0/0 takes precedence over the NAT gateway's implicit default, so the UDR must be removed or made less specific to allow the NAT gateway to handle internet-bound traffic.

How to eliminate wrong answers

Option A is wrong because a NAT gateway does not override a UDR; the most specific route wins, and a 0.0.0.0/0 UDR will take precedence over the NAT gateway's implicit default, causing all traffic to still go to the NVA. Option C is wrong because disabling source NAT (SNAT) on the NVA would break its ability to forward traffic to the internet (if it were used), but the goal is to bypass the NVA for internet traffic entirely, not to modify its SNAT behavior. Option D is wrong because a private endpoint is used for inbound access to Azure PaaS services from a virtual network, not for outbound internet traffic; it does not provide a public IP or route internet-bound packets.

238
MCQ · medium

A development team runs Windows and Linux VMs in a single Azure subnet. The VMs must access an Azure Storage account, and the security team wants to restrict the storage account so only that subnet can reach it. The team does not want to create a private IP for the storage account or change DNS records. What should the administrator configure?

A. A private endpoint for the storage account and a private DNS zone.
B. A service endpoint on the subnet and a storage account network rule allowing that subnet.
C. A site-to-site VPN between the subnet and the storage account.
D. A user-defined route that sends storage traffic to the default internet next hop.
Answer: B

Service endpoints extend the subnet identity to the Azure Storage service without assigning a private IP to the storage account. This allows the administrator to restrict access to the specific Azure subnet while keeping the service reachable through its normal public DNS name. It fits the requirement to avoid DNS changes and private IP creation.

Why this answer

Option B is correct because a service endpoint extends the subnet's identity to the storage account, allowing the storage firewall to accept traffic from that subnet without assigning a private IP. This meets the security requirement of restricting access to only that subnet while avoiding private IPs or DNS changes.

Exam trap

The trap here is that candidates often confuse service endpoints with private endpoints, assuming both require private IPs and DNS changes, but service endpoints operate at the network layer without altering the storage account's public endpoint.

How to eliminate wrong answers

Option A is wrong because a private endpoint assigns a private IP to the storage account and requires a private DNS zone to resolve the storage account's FQDN to that IP, which contradicts the requirement to avoid private IPs and DNS changes. Option C is wrong because a site-to-site VPN connects on-premises networks to Azure, not a subnet within Azure to an Azure service; it would add unnecessary complexity and does not restrict access at the subnet level. Option D is wrong because a user-defined route sending storage traffic to the default internet next hop does not enforce access control; it merely directs traffic and does not restrict which subnet can reach the storage account.

239
MCQ · medium

Based on the exhibit, which feature should you enable so the subnet can access the storage account without creating a private IP address in the VNet?

A. Private endpoint
B. Service endpoint
C. VPN Gateway
D. Azure Firewall
Answer: B

A service endpoint allows the subnet to reach the storage service over its public endpoint while restricting access by VNet identity.

Why this answer

Service endpoints allow a subnet to securely and privately connect to Azure PaaS services (like Storage Accounts) over the Azure backbone network without requiring a private IP address in the VNet. They extend the VNet identity to the service, enabling access via the service's public endpoint while restricting traffic to the subnet. This matches the requirement exactly: no private IP is created in the VNet, and the storage account is accessed directly.

Exam trap

The trap here is that candidates confuse Private Endpoint (which creates a private IP) with Service Endpoint (which does not), often assuming any 'private' access requires a private IP, but Service Endpoint provides private access over the Microsoft backbone without allocating an IP in the VNet.

How to eliminate wrong answers

Option A is wrong because a Private Endpoint creates a private IP address in the VNet (a NIC with a private IP from the subnet) to access the storage account, which contradicts the requirement of not creating a private IP. Option C is wrong because a VPN Gateway establishes encrypted connectivity between on-premises networks and Azure VNets, not between a subnet and a PaaS service like a storage account. Option D is wrong because Azure Firewall is a managed network security service that filters traffic, but it does not provide direct, private access to a storage account without a private IP; it would still route traffic through the storage account's public endpoint unless combined with other features.

240
MCQ · medium

A subnet NSG contains a deny inbound rule for TCP 3389 from Any at priority 100 and an allow inbound rule for TCP 3389 from 10.4.1.0/24 at priority 200. Admin workstations in 10.4.1.0/24 cannot connect by RDP. What change should the administrator make?

A. Replace the source IP range with an application security group in the allow rule.
B. Change the protocol from TCP to Any in the allow rule.
C. Lower the allow rule priority number so it is evaluated before the deny rule.
D. Add a user-defined route to the subnet so RDP traffic bypasses the NSG.
Answer: C

NSG rules are evaluated from the lowest priority number to the highest, so the allow rule must come before the deny rule.

Why this answer

The correct answer is C because NSG rules are evaluated in priority order, with lower numbers having higher priority. The deny rule at priority 100 blocks all TCP 3389 traffic from Any, and the allow rule at priority 200 is never reached. Lowering the allow rule's priority number (e.g., to 90) ensures it is evaluated before the deny rule, allowing RDP traffic from 10.4.1.0/24.

Exam trap

The trap here is that candidates often assume allow rules automatically override deny rules, but Azure NSGs use first-match evaluation based on priority numbers, not rule type.

How to eliminate wrong answers

Option A is wrong because replacing the source IP range with an application security group does not change the evaluation order; the deny rule at priority 100 would still block traffic before the allow rule is evaluated. Option B is wrong because changing the protocol from TCP to Any in the allow rule would not resolve the priority issue; the deny rule at priority 100 still blocks all TCP 3389 traffic, and the allow rule would only apply to non-TCP protocols, which is irrelevant for RDP. Option D is wrong because user-defined routes (UDRs) control traffic routing, not NSG rule evaluation; NSGs are stateful and apply to all traffic entering or leaving a subnet regardless of routing, so a UDR cannot bypass NSG rules.

241
MCQmedium

A company has a hub VNet and two peered spoke VNets, AppSpoke and DataSpoke. Both spokes can reach on-premises networks through the hub gateway. The app VM in AppSpoke must connect privately to the data VM in DataSpoke without using the internet or sending traffic on-premises first. What should the administrator do?

A.Add an NSG rule that allows traffic from AppSpoke to DataSpoke.
B.Enable gateway transit on both spoke peerings.
C.Create a direct VNet peering between AppSpoke and DataSpoke.
D.Add a user-defined route in AppSpoke pointing DataSpoke traffic to the hub gateway.
AnswerC

Azure VNet peering is not transitive. If two spoke VNets must communicate directly, they need a direct peering between them or another routing design such as an appliance. Because the requirement is simply private connectivity between the app and data VNets, direct peering is the simplest and correct fix. The existing hub peering does not provide that spoke-to-spoke path.

Why this answer

Option C is correct because a direct VNet peering between AppSpoke and DataSpoke establishes a private, low-latency connection between the two VNets without routing traffic through the hub gateway or on-premises networks. This satisfies the requirement for a private connection that does not use the internet or traverse on-premises, as VNet peering uses the Microsoft backbone infrastructure.

Exam trap

The trap here is that candidates often assume gateway transit (Option B) enables direct spoke-to-spoke communication, but it only allows spokes to use the hub’s gateway for on-premises connectivity, not for inter-spoke traffic without going through the hub.

How to eliminate wrong answers

Option A is wrong because NSG rules only filter traffic at the subnet or NIC level; they do not enable connectivity between VNets. Without a routing path, an NSG rule cannot allow traffic that has no route. Option B is wrong because enabling gateway transit on spoke peerings allows spokes to use the hub’s VPN gateway to reach on-premises networks, but it does not create a direct path between spokes; traffic would still flow through the hub, which may route it on-premises.

Option D is wrong because adding a user-defined route pointing DataSpoke traffic to the hub gateway forces traffic through the hub, which could then route it on-premises, violating the requirement to avoid sending traffic on-premises first.

242
MCQmedium

A web application on a VM is failing on TCP 8443. The administrator wants to capture packets on the VM NIC to inspect retransmissions and handshake details after the test run. Which Network Watcher capability should be used?

A.IP flow verify
B.Connection troubleshoot
C.Packet capture
D.Effective routes
AnswerC

Packet capture records network traffic on the VM NIC so the administrator can analyze the exchange later. It is the right choice when the problem may involve retransmissions, handshake failures, or other packet-level behavior rather than only a routing or NSG question.

Why this answer

Packet capture in Network Watcher allows you to capture network traffic to and from a VM, including TCP retransmissions and handshake details (SYN, SYN-ACK, ACK). This is the correct tool for inspecting raw packets after a test run to diagnose issues like failed connections on TCP 8443.

Exam trap

The trap here is that candidates confuse IP flow verify or Connection troubleshoot with packet capture, not realizing that only packet capture provides raw packet data for analyzing retransmissions and handshake details.

How to eliminate wrong answers

Option A is wrong because IP flow verify checks if traffic is allowed or denied by NSG rules for a specific 5-tuple, but it does not capture packets or inspect retransmissions or handshake details. Option B is wrong because Connection troubleshoot tests connectivity and latency between a VM and a destination, but it does not provide packet-level capture for post-run analysis of retransmissions or handshake details. Option D is wrong because Effective routes shows the effective routing table for a VM, which is useful for routing issues but irrelevant for inspecting packet retransmissions or TCP handshake details.

243
MCQmedium

An administrator is deploying a site-to-site VPN gateway in the Azure portal. The deployment fails validation because the gateway does not have a public-facing address to terminate the tunnel. What must be created and associated with the VPN gateway?

A.A load balancer frontend IP configuration in front of the gateway subnet.
B.A public IP address resource associated with the VPN gateway.
C.A NAT gateway attached to GatewaySubnet.
D.A private endpoint for the virtual network gateway resource.
AnswerB

Azure VPN gateways require a public IP address resource so the on-premises VPN device can establish the tunnel to a known public endpoint. The gateway is deployed in GatewaySubnet, and the public IP is attached as part of the gateway configuration. Without that resource, the VPN gateway cannot be created successfully.

Why this answer

A site-to-site VPN gateway in Azure requires a public IP address to terminate the IPsec tunnel from the on-premises device. The public IP address resource must be created and associated with the VPN gateway during deployment; without it, the gateway has no routable endpoint for the tunnel, causing validation to fail.

Exam trap

The trap here is that candidates often confuse the public IP requirement with other networking components like load balancers or NAT gateways, mistakenly thinking those can provide the necessary public endpoint for VPN tunnel termination.

How to eliminate wrong answers

Option A is wrong because a load balancer frontend IP configuration is used for distributing traffic to backend pools, not for terminating VPN tunnels; VPN gateways require a dedicated public IP, not a load balancer. Option C is wrong because a NAT gateway is used for outbound SNAT of virtual network traffic, not for providing a public endpoint for VPN tunnel termination; attaching a NAT gateway to GatewaySubnet does not satisfy the public IP requirement for the VPN gateway. Option D is wrong because a private endpoint is used to privately connect to Azure PaaS services over a private IP, not to provide a public-facing address; the VPN gateway needs a public IP, not a private endpoint.

244
MCQmedium

A VM in a virtual network must access an Azure Storage account over a private IP address, and the storage account's public endpoint must be disabled. Name resolution from the VM should resolve the storage name to the private IP. Which configuration should you use?

A.Service endpoint on the subnet plus public DNS, because the storage account will expose a private IP automatically.
B.Private endpoint with a private DNS zone linked to the virtual network.
C.Network security group rules only, because they can force traffic to use private addressing.
D.Storage account firewall rules with Allow trusted Microsoft services, because that gives a private address path.
AnswerB

A private endpoint places the storage service behind a private IP address in your virtual network, which is exactly what the scenario requires. Linking a private DNS zone ensures the storage account name resolves to that private IP from resources inside the VNet. Together, these settings provide private network access and allow you to disable the public endpoint safely.

Why this answer

Option B is correct because a private endpoint assigns a private IP from the virtual network to the storage account, effectively bringing the service into the VNet. By linking a private DNS zone to the virtual network, the VM's DNS resolution for the storage account name returns the private IP instead of the public endpoint, satisfying both the private connectivity and public endpoint disablement requirements.

Exam trap

The trap here is confusing service endpoints (which only provide source IP preservation and routing via the public endpoint) with private endpoints (which provide a true private IP and can disable the public endpoint), leading candidates to choose option A.

How to eliminate wrong answers

Option A is wrong because a service endpoint does not assign a private IP to the storage account; it only extends the VNet's identity to the service, and the storage account still uses its public endpoint, which cannot be disabled in this configuration. Option C is wrong because NSG rules control traffic filtering, not IP address assignment or DNS resolution; they cannot force the storage account to use a private IP or disable its public endpoint. Option D is wrong because storage account firewall rules with 'Allow trusted Microsoft services' only permit specific traffic to the public endpoint, but do not provide a private IP path or disable the public endpoint; the VM would still resolve the storage name to the public IP.

245
Multi-Selecteasy

Which two statements about Azure route tables and user-defined routes are correct? Select two.

Select 2 answers
A.You can associate a route table with a subnet.
B.A user-defined route can send traffic to a virtual appliance as the next hop.
C.Route tables can be associated directly to a single virtual machine without using its subnet.
D.A user-defined route automatically overrides a network security group deny rule.
E.System routes are never used when a route table exists.
AnswersA, B

A and B are correct: Azure associates route tables with subnets, not directly with individual virtual machines, and a user-defined route can use a virtual appliance as its next hop.

Why this answer

Option A is correct because route tables in Azure are associated at the subnet level, not directly to a virtual machine. This association allows the route table's user-defined routes (UDRs) to override system default routes for traffic leaving that subnet. The subnet must be in the same region as the route table, and a single route table can be associated with multiple subnets. Option B is correct because a UDR can specify Virtual appliance as its next hop type, which is how traffic from a subnet is steered to a network virtual appliance for inspection.

Exam trap

The trap here is that candidates often confuse the scope of route table association (subnet vs. VM) and assume UDRs can override NSG rules, when in fact routing and firewall filtering are separate layers in Azure's networking stack.

246
Matchinghard

Match each routing situation to the next-hop or route-selection behavior Azure will use.

Matches

Add a more specific /32 UDR for that public IP with next hop Internet.

The system route for the peered VNet prefix is more specific than the /8 UDR, so it wins unless a longer UDR is added.

The /24 route wins because Azure chooses the longest matching prefix.

Only resources in Subnet-A are affected; other subnets keep their own system or custom routes.

The /32 host route takes precedence over the broader prefix.

Why these pairings

Azure routing uses system and user-defined routes. Next hop types determine where traffic goes: virtual appliance, VPN gateway, peering, local VNet, or internet. Route selection follows longest prefix match.

247
MCQmedium

A company has 25 remote employees who need to connect from their laptops to Azure VMs that have only private IP addresses. No on-premises VPN appliance exists, and the VMs must not be assigned public IP addresses. Which solution should the administrator deploy?

A.Site-to-site VPN Gateway
B.Point-to-site VPN Gateway
C.ExpressRoute circuit
D.Public load balancer with inbound NAT rules
AnswerB

Point-to-site VPN is designed for individual client devices connecting securely to Azure over encrypted tunnels without a branch appliance. It fits remote users who need access to private Azure resources.

Why this answer

A Point-to-Site (P2S) VPN Gateway is the correct solution because it allows individual remote clients (laptops) to establish a secure VPN connection from anywhere to Azure VMs with private IP addresses, without requiring a public IP on the VMs or an on-premises VPN appliance. P2S uses SSTP, IKEv2, or OpenVPN protocols to create a tunnel from each client to the Azure virtual network, enabling access to private resources.

Exam trap

The trap here is that candidates often confuse Point-to-Site with Site-to-Site VPN, assuming a Site-to-Site VPN can work without an on-premises VPN appliance, or they mistakenly think a public load balancer can provide private access without public IPs on the VMs.

How to eliminate wrong answers

Option A is wrong because a Site-to-Site VPN Gateway requires a VPN appliance on-premises with a public IP address, which the company does not have. Option C is wrong because an ExpressRoute circuit is a dedicated private connection between an on-premises network and Azure, requiring a physical or virtual router at the customer site, and it does not support individual remote client connections without additional VPN components. Option D is wrong because a Public load balancer with inbound NAT rules would require the VMs to have public IP addresses (or be behind a public IP) to receive traffic, which violates the requirement that VMs must not be assigned public IP addresses.

248
MCQeasy

A subnet NSG contains a deny RDP rule from Any at priority 200. The administrator must allow RDP from 10.8.0.0/24 to the virtual machines in that subnet. What should the administrator do?

A.Create an allow rule with a higher priority number than 200.
B.Create an allow rule with a lower priority number than 200.
C.Add a route table entry for TCP 3389.
D.Disable the default security rules on the NSG.
AnswerB

NSG rules are processed in priority order, and the lowest number wins. The allow rule must come before the deny rule.

Why this answer

B is correct because NSG rules are evaluated in priority order, with lower numbers having higher priority. The existing deny rule at priority 200 blocks all RDP traffic. To allow RDP from 10.8.0.0/24, a new allow rule must be created with a priority lower than 200 (e.g., 150) so it is evaluated before the deny rule, permitting the specific traffic.

Exam trap

The trap here is that candidates often confuse priority numbers, thinking a higher number means higher priority, and incorrectly choose option A, or they mistakenly believe route tables can override NSG rules, leading them to option C.

How to eliminate wrong answers

Option A is wrong because a higher priority number (e.g., 300) means lower priority, so the deny rule at 200 would still be evaluated first and block the traffic. Option C is wrong because route tables control traffic routing between subnets or networks, not traffic filtering; NSGs are stateful firewalls that filter traffic based on rules, and adding a route table entry for TCP 3389 does not override NSG deny rules. Option D is wrong because disabling default security rules (e.g., AllowVNetInBound, DenyAllInBound) would remove baseline protections and is unnecessary; the solution is to add a specific allow rule with appropriate priority.

249
Multi-Selectmedium

You manage an Azure virtual network with multiple subnets, including a subnet named 'AppSubnet' that hosts critical application servers. You need to monitor and log network traffic to and from AppSubnet for security analysis. The solution must capture all flow logs without impacting application performance. Which three of the following should you implement? (Choose three.)

Select 3 answers
A.Enable Network Watcher flow logs for AppSubnet.
B.Deploy a network virtual appliance (NVA) in a transit subnet and route all traffic through it.
C.Store the flow logs in an Azure Storage account.
D.Enable diagnostic settings on each virtual machine in AppSubnet to log network traffic.
E.Configure a retention policy for the flow logs to manage storage costs.
F.Install a third-party packet capture agent on each application server.

Why this answer

Network Watcher flow logs capture IP traffic flowing through a subnet, providing security analysis without impacting performance because they are processed by the Azure network fabric, not by the VMs. Storing logs in an Azure Storage account ensures durable, cost-effective retention. Configuring a retention policy is essential to manage storage costs and comply with data lifecycle requirements.

Exam trap

The trap here is that candidates often confuse VM-level diagnostic settings (which log guest OS metrics) with subnet-level flow logs, or they mistakenly believe that deploying an NVA is required for traffic monitoring, when in fact Azure's native Network Watcher flow logs provide a performance-neutral solution.

250
MCQhard

Your company deploys a network virtual appliance (NVA) in a hub subnet. All outbound internet traffic from Subnet-App in a spoke VNet must pass through the NVA for inspection. What should you configure on Subnet-App?

A.A private DNS zone
B.A user-defined route with a next hop of Virtual Appliance
C.A service endpoint for Microsoft.Storage
D.A NAT gateway on the NVA subnet only
AnswerB

This explicitly steers traffic from the subnet to the NVA for inspection.

Why this answer

A user-defined route (UDR) with a next hop of Virtual Appliance forces all outbound traffic from Subnet-App to be forwarded to the NVA for inspection. This overrides Azure's default system route for 0.0.0.0/0, which normally sends internet-bound traffic directly to the internet. By specifying the NVA's private IP as the next hop, you ensure traffic is routed through the hub subnet for inspection before leaving the network.

Exam trap

The trap here is that candidates often confuse a NAT gateway (which translates source IPs) with a route-based forced tunneling solution, or they assume a service endpoint can redirect traffic through an NVA, when in fact service endpoints bypass forced tunneling by design.

How to eliminate wrong answers

Option A is wrong because a private DNS zone is used for custom DNS resolution within a virtual network, not for routing traffic; it does not influence the path of outbound internet traffic. Option C is wrong because a service endpoint for Microsoft.Storage provides direct, optimized connectivity to Azure Storage over the Microsoft backbone, but it does not redirect traffic through an NVA; in fact, it bypasses forced tunneling. Option D is wrong because a NAT gateway on the NVA subnet only provides source network address translation for outbound traffic from that subnet, but it does not force traffic from Subnet-App to route through the NVA; it would only affect the NVA subnet's own outbound traffic.

251
MCQeasy

A storage account must be reachable only from resources in one Azure subnet, and traffic must use a private IP rather than the public endpoint. Which configuration should the administrator implement?

A.A service endpoint on the subnet
B.A private endpoint in the subnet
C.A shared access signature scoped to the subnet
D.Allow trusted Microsoft services on the storage firewall
AnswerB

A private endpoint gives the storage service a private IP in the subnet and removes reliance on the public endpoint.

Why this answer

A private endpoint assigns a private IP address from the subnet to the storage account, making it accessible only via that private IP within the virtual network. This ensures traffic never traverses the public endpoint, meeting both the reachability and private IP requirements.

Exam trap

The trap here is confusing service endpoints with private endpoints: both restrict access to a subnet, but only a private endpoint provides a private IP and fully removes traffic from the public endpoint.

How to eliminate wrong answers

Option A is wrong because a service endpoint only extends the public endpoint's route to the subnet but does not provide a private IP; traffic still uses the public endpoint. Option C is wrong because a shared access signature (SAS) is a delegation token for specific resources or operations, not a network access control mechanism, and cannot restrict access to a subnet. Option D is wrong because allowing trusted Microsoft services bypasses the firewall for specific Azure platform services, but does not restrict access to a single subnet or use a private IP.

252
MCQmedium

Remote administrators work from home laptops and need secure access to Azure VMs in a virtual network. There is no branch office device to configure, and each administrator should connect individually using Azure-side VPN authentication. Which option should be implemented?

A.VNet peering between the administrators' home networks and Azure.
B.A point-to-site VPN connection to an Azure VPN gateway.
C.An ExpressRoute circuit from each administrator's home internet connection.
D.A service endpoint enabled on the VM subnet.
AnswerB

Point-to-site VPN is designed for individual client devices such as administrator laptops. It does not require a branch router or firewall, and it provides encrypted access into the Azure virtual network over the internet. This matches the need for per-user remote access to Azure VMs without standing up an on-premises VPN device.

Why this answer

A point-to-site (P2S) VPN connection allows individual remote clients to connect securely to an Azure virtual network using an Azure VPN gateway. This solution requires no on-premises device, supports per-user authentication (e.g., Azure AD, certificate, or RADIUS), and is ideal for ad-hoc remote access from home laptops.

Exam trap

The trap here is that candidates confuse point-to-site VPN with site-to-site VPN or VNet peering, assuming any 'connection' between networks works, but only point-to-site supports individual client authentication without a branch device.

How to eliminate wrong answers

Option A is wrong because VNet peering connects two Azure virtual networks, not remote client devices; it cannot provide VPN access from home laptops. Option C is wrong because ExpressRoute requires a dedicated private connection from a physical location (e.g., branch office or co-location facility) and cannot be established from a home internet connection without a partner provider. Option D is wrong because a service endpoint only secures access to Azure PaaS services (e.g., Storage, SQL) from within a VNet; it does not provide remote VPN connectivity to VMs.

253
Drag & Dropmedium

Order the steps to recover an Azure VM using Azure Backup.


Why this order

Go to vault, select VM, choose restore point, configure, and verify.

254
MCQmedium

You create a private endpoint for an Azure SQL Database server. Virtual machines in VNet-Prod must resolve the server name to the private IP address of the endpoint. What should you configure?

A.A private DNS zone linked to VNet-Prod
B.A user-defined route on the subnet
C.An additional public IP address
D.A Recovery Services vault
AnswerA

A private DNS zone provides the required name resolution to the private endpoint address.

Why this answer

A private endpoint uses a private IP address from your VNet, but DNS resolution must be configured to map the Azure SQL Database server name (e.g., `server.database.windows.net`) to that private IP. By creating a private DNS zone (privatelink.database.windows.net) and linking it to VNet-Prod, Azure automatically creates an A record for the private endpoint, ensuring VMs resolve the server name to the private IP instead of the public IP. This is the standard and required configuration for private endpoint name resolution.

Exam trap

The trap here is that candidates assume private endpoints automatically update DNS without additional configuration, but Azure requires a private DNS zone (or custom DNS server) to override public resolution—otherwise, the server name still resolves to the public IP.

How to eliminate wrong answers

Option B is wrong because a user-defined route (UDR) controls network traffic flow (next hop) and does not affect DNS resolution; it cannot map a hostname to an IP address. Option C is wrong because an additional public IP address is irrelevant—private endpoints use private IPs, and adding a public IP would not change DNS resolution behavior for VMs inside the VNet. Option D is wrong because a Recovery Services vault is used for Azure Backup and Site Recovery, not for DNS configuration or private endpoint connectivity.

255
MCQeasy

Based on the exhibit, what configuration should the administrator change so VMs in the spoke can resolve internal names from the hub?

A.Add a route table entry that points to the hub DNS server.
B.Set the spoke VNet custom DNS server to 10.50.0.4.
C.Enable a service endpoint for Microsoft.Storage on the spoke subnet.
D.Create a private endpoint for the spoke VM subnet.
AnswerB

The spoke is still using Azure-provided DNS, which cannot resolve the hub's internal records. Pointing the spoke VNet to the hub DNS server lets its VMs query the same internal namespace and resolve names correctly.

Why this answer

The hub VNet has a DNS server at 10.50.0.4 that is configured to resolve internal names. By setting the spoke VNet's custom DNS server to 10.50.0.4, VMs in the spoke will forward DNS queries to that server, enabling resolution of internal names from the hub. This overrides the default Azure-provided DNS and directs name resolution to the hub's DNS infrastructure.

Exam trap

The trap here is confusing network routing (route tables) with DNS resolution; candidates often think adding a route to the hub DNS server's IP will fix name resolution, but DNS queries are sent to the configured DNS server address, not routed based on destination IP.

How to eliminate wrong answers

Option A is wrong because adding a route table entry controls network traffic routing, not DNS resolution; it cannot direct DNS queries to a specific server. Option C is wrong because enabling a service endpoint for Microsoft.Storage allows private access to Azure Storage from the spoke subnet but does not affect DNS resolution for internal names. Option D is wrong because creating a private endpoint for the spoke VM subnet provides private connectivity to a specific Azure service (e.g., Storage, SQL) but does not configure DNS servers for the VNet.

256
Multi-Selecthard

A backend subnet contains 18 Linux VMs that must install updates from the internet. Security requires all outbound traffic to use one static public IP, and none of the VMs may have their own public IP addresses. Which two changes meet the requirement? Select two.

Select 2 answers
A.Associate a NAT gateway with the backend subnet and provide it with a public IP address or prefix.
B.Ensure the VMs do not have individual public IP addresses assigned.
C.Create a public load balancer and add the VMs to its backend pool.
D.Use a private endpoint for internet updates so outbound traffic remains private.
E.Attach a route table with 0.0.0.0/0 to Virtual network gateway.
AnswersA, B

NAT gateway gives the subnet a predictable outbound public IP without assigning public IPs to the VMs.

Why this answer

A NAT gateway provides outbound internet connectivity for VMs in a subnet while using a single static public IP address. By associating a NAT gateway with the backend subnet and assigning it a public IP, all outbound traffic from the 18 Linux VMs is source-NATed to that static IP, meeting the security requirement without assigning public IPs to individual VMs.

Exam trap

The trap here is confusing a public load balancer (inbound) with a NAT gateway (outbound), or assuming a route table alone can provide internet access without a NAT device or Azure Firewall.

257
MCQeasy

Based on the exhibit, what should the administrator change so outbound internet traffic uses the NAT gateway?

A.Detach the subnet from the NAT gateway.
B.Remove the 0.0.0.0/0 user-defined route to the virtual appliance.
C.Change the route table source address to 10.1.0.4.
D.Enable a service endpoint on the subnet.
AnswerB

A user-defined default route overrides the subnet's normal internet egress behavior and sends traffic to the appliance instead. Removing that route lets the NAT gateway handle outbound connections from the subnet.

Why this answer

The correct answer is B because the user-defined route (UDR) with destination 0.0.0.0/0 pointing to the virtual appliance overrides the subnet's default internet route, which is the path the NAT gateway serves. For outbound internet traffic to use the NAT gateway, that UDR must be removed so the default route takes precedence again. Removing it allows the NAT gateway to handle all outbound traffic from the subnet.

Exam trap

The trap here is that candidates often assume a NAT gateway automatically handles all outbound traffic without considering that a conflicting user-defined route (0.0.0.0/0) to a virtual appliance will override the NAT gateway's default route, causing traffic to bypass the NAT gateway entirely.

How to eliminate wrong answers

Option A is wrong because detaching the subnet from the NAT gateway would prevent the NAT gateway from processing any outbound traffic from that subnet, which is the opposite of the desired outcome. Option C is wrong because changing the route table source address to 10.1.0.4 is not a valid configuration; route tables use destination prefixes, not source addresses, and this would not resolve the routing conflict. Option D is wrong because enabling a service endpoint on the subnet allows direct private connectivity to Azure PaaS services (e.g., Storage, SQL) but does not affect general outbound internet traffic routing to the NAT gateway.

258
MCQmedium

Based on the exhibit, which subnet prefix should you create for the workload subnet so it has enough usable IP addresses for all listed resources?

A./27
B./26
C./25
D./28
AnswerB

A /26 provides 64 total addresses and 59 usable addresses, which satisfies the requirement.

Why this answer

The workload subnet must support 30 VMs, 5 internal load balancer frontend IPs, and 5 backend pool instances, totaling 40 IP addresses. A /26 subnet provides 64 total IPs, with 62 usable (after reserving network and broadcast addresses), which is sufficient. Smaller prefixes like /27 (30 usable) or /28 (14 usable) lack capacity, while /25 (126 usable) is excessive and wastes IP space.

Exam trap

The trap here is that candidates often forget to count all resource types (VMs, load balancer frontends, backend pools) and mistakenly choose /27 based on VM count alone, overlooking the additional IP requirements from the load balancer components.

How to eliminate wrong answers

Option A is wrong because /27 provides only 30 usable IP addresses (32 total minus 2 reserved), which is insufficient for 40 required IPs. Option C is wrong because /25 provides 126 usable IP addresses, which far exceeds the requirement and wastes address space unnecessarily. Option D is wrong because /28 provides only 14 usable IP addresses (16 total minus 2 reserved), which is far too few for 40 IPs.

259
Matchinghard

Match each storage or PaaS access requirement to the correct Azure networking approach or DNS action.

Matches

Create a private endpoint and link the correct private DNS zone to the VNet.

Use a service endpoint on the subnet and allow that subnet in the storage account network rules.

The private DNS zone is missing, not linked to the VNet, or the record has not been populated.

Use a service endpoint with a network rule on the SQL server.

Use the storage firewall with a virtual network rule for AppSubnet; if the on-premises source also needs access, allow its public IP separately. No private endpoint is required.

Why these pairings

VPN and ExpressRoute provide private connectivity, Private Link ensures private IP access, and DNS CNAME records map custom domains to Azure endpoints.

260
MCQeasy

A storage account should accept traffic only from one subnet, but the team does not want to create a private IP address for the service in the virtual network. What should they enable?

A.Private endpoint, because it is the only way to allow one subnet.
B.Service endpoint, because it allows the subnet to access the storage service securely over the Azure backbone.
C.User-assigned managed identity, because it controls subnet access.
D.Blob soft delete, because it helps restrict where traffic comes from.
AnswerB

A service endpoint lets you restrict storage access to a specific subnet without creating a private IP for the service in the virtual network.

Why this answer

Service endpoints allow a subnet to access Azure PaaS services (like Storage) over the Azure backbone without requiring a private IP address. By enabling a Microsoft.Storage service endpoint on the subnet and configuring the storage account firewall to allow traffic only from that subnet, the team meets the requirement securely and cost-effectively.

Exam trap

The trap here is confusing private endpoints (which assign a private IP) with service endpoints (which do not), leading candidates to incorrectly choose private endpoint when the question explicitly prohibits creating a private IP address.

How to eliminate wrong answers

Option A is wrong because a private endpoint assigns a private IP address to the service within the virtual network, which the team explicitly wants to avoid. Option C is wrong because a user-assigned managed identity controls authentication and authorization (who can access the resource), not network-level subnet access. Option D is wrong because blob soft delete is a data protection feature that recovers accidentally deleted blobs; it has no mechanism to restrict traffic sources.

261
MCQmedium

Which statement best explains why centralized logging is valuable in security operations?

A.It improves visibility by collecting events from multiple devices in one place for review and investigation.
B.It guarantees that no unauthorized action can occur.
C.It replaces the need for NTP and authentication.
D.It automatically assigns IP addresses to monitoring systems.
AnswerA

This is correct because centralized collection is the main value of centralized logging.

Why this answer

Centralized logging aggregates security events (e.g., Windows Event Log, syslog, Azure Activity Log) from multiple sources into a single repository like Azure Log Analytics or a SIEM. This consolidation enables security analysts to correlate events across devices, detect patterns indicative of attacks, and perform efficient forensic investigations without needing to access each device individually.

Exam trap

The trap here is that candidates may think centralized logging actively prevents security incidents (like a firewall or IDS), when in fact it is a passive detective control that improves visibility and post-incident analysis.

Why the other options are wrong

B

This option is wrong because centralized logging does not prevent unauthorized actions; it merely collects and stores logs for analysis. Security operations rely on other measures, such as access controls and monitoring, to prevent unauthorized activities.

C

This option is wrong because centralized logging does not replace the need for Network Time Protocol (NTP) or authentication; these are separate functions that ensure accurate time synchronization and secure access to systems, respectively.

D

This option is wrong because centralized logging does not involve the automatic assignment of IP addresses; it focuses on aggregating logs for analysis rather than managing network configurations.

262
MCQmedium

A subnet is connected to a NAT gateway, but outbound connections to a public software update site are still leaving through a network virtual appliance. The route table contains a 0.0.0.0/0 user-defined route to the appliance, and the business wants the NAT gateway to handle internet traffic while preserving private routes to the appliance. What is the best fix?

A.Increase the priority of the NSG rules on the subnet.
B.Remove the default UDR to the appliance and leave only the private-prefix routes in place.
C.Associate the NAT gateway with the virtual network instead of the subnet.
D.Enable service endpoints on the subnet to bypass the appliance.
AnswerB

The 0.0.0.0/0 UDR is forcing all outbound traffic to the appliance, which prevents the NAT gateway from handling internet destinations. Removing that default route lets Azure use the system internet route, where the NAT gateway can provide outbound SNAT. Specific routes for private prefixes can remain and continue to send internal traffic to the appliance.

Why this answer

A user-defined route (UDR) for 0.0.0.0/0 overrides the system default route to the Internet, so every internet-bound packet from the subnet is sent to the network virtual appliance (NVA) and the NAT gateway is never used. Removing that UDR while keeping the private-prefix routes (e.g., 10.0.0.0/8 with the NVA as next hop) restores the system Internet route, and because the NAT gateway is associated with the subnet it becomes the next hop and SNAT source for internet destinations. Private traffic still matches the more specific prefixes and continues to flow through the NVA, which satisfies the business requirement.

Exam trap

The trap here is that candidates assume a NAT gateway automatically overrides a 0.0.0.0/0 UDR, but in Azure, UDRs always take precedence over system routes, so the explicit route to the NVA must be removed to allow the NAT gateway to handle internet traffic.

How to eliminate wrong answers

Option A is wrong because NSG rules filter inbound and outbound traffic at Layers 3 and 4; they do not make routing decisions, so changing their priorities does not change which path traffic takes to reach the internet. Option C is wrong because NAT gateways are associated at the subnet level, not the virtual network level; associating with the VNet is not supported and would not resolve the routing conflict. Option D is wrong because service endpoints allow private access to Azure PaaS services over the Microsoft backbone, but they do not override a 0.0.0.0/0 UDR or redirect general internet traffic away from the NVA.
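The route selection described above, as an added worked example that is not part of the original question set: a small model of how Azure picks the effective route for a packet leaving a subnet (longest prefix first, then user-defined over BGP over system on a tie, with the NAT gateway taking over the winning system Internet route). The VNet range 10.0.0.0/16, the NVA address 10.0.1.4, the private prefixes and the destination addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Precedence Azure applies when two matching routes have the same prefix length.
ORIGIN_RANK = {"Custom": 0, "BGP": 1, "System": 2}


@dataclass(frozen=True)
class Route:
    prefix: str            # destination CIDR
    next_hop: str          # Azure next-hop type: VirtualNetwork, Internet, VirtualAppliance, None
    origin: str            # "Custom" (UDR), "BGP", or "System"
    hop_address: str = ""  # only meaningful for VirtualAppliance


def effective_next_hop(routes, destination, nat_gateway_attached):
    """Return (next_hop_type, hop_address) for a packet leaving the subnet to `destination`.

    Azure takes the longest matching prefix; on a tie a user-defined route beats a BGP
    route, which beats a system route. When the winner is the system Internet route and
    a NAT gateway is associated with the subnet, the NAT gateway performs the SNAT.
    """
    dst = ipaddress.ip_address(destination)
    matching = [r for r in routes if dst in ipaddress.ip_network(r.prefix)]
    if not matching:
        return ("None", "")
    best = max(matching, key=lambda r: (ipaddress.ip_network(r.prefix).prefixlen,
                                        -ORIGIN_RANK[r.origin]))
    if best.next_hop == "Internet" and nat_gateway_attached:
        return ("NatGateway", "")
    return (best.next_hop, best.hop_address)


def conflicting_default_udr(routes):
    """The check to run first: a custom 0.0.0.0/0 route that captures all internet traffic."""
    for r in routes:
        if r.origin == "Custom" and r.prefix == "0.0.0.0/0":
            return r
    return None


# Constructed topology (assumed, not from the question): VNet 10.0.0.0/16, NVA at 10.0.1.4.
SYSTEM_ROUTES = [
    Route("10.0.0.0/16", "VirtualNetwork", "System"),
    Route("0.0.0.0/0", "Internet", "System"),
]
PRIVATE_PREFIX_UDRS = [
    Route("10.0.0.0/8", "VirtualAppliance", "Custom", "10.0.1.4"),
    Route("172.16.0.0/12", "VirtualAppliance", "Custom", "10.0.1.4"),
]
DEFAULT_UDR = Route("0.0.0.0/0", "VirtualAppliance", "Custom", "10.0.1.4")

ROUTES_BEFORE = SYSTEM_ROUTES + PRIVATE_PREFIX_UDRS + [DEFAULT_UDR]   # as found
ROUTES_AFTER = SYSTEM_ROUTES + PRIVATE_PREFIX_UDRS                    # default UDR removed


if __name__ == "__main__":
    for label, table in (("before", ROUTES_BEFORE), ("after", ROUTES_AFTER)):
        print(f"--- {label}: conflicting default UDR present = {conflicting_default_udr(table) is not None}")
        for dst in ("203.0.113.10", "10.5.0.7", "10.0.2.5"):
            print(f"  {dst:>14} -> {effective_next_hop(table, dst, nat_gateway_attached=True)}")
```

Note the third destination, 10.0.2.5: it sits inside the VNet, so the system /16 route wins over the custom /8 route because prefix length is compared before origin; "UDRs take precedence" only applies between routes of equal length.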

263
MCQmedium

A team manages three backend servers in one subnet. The servers are replaced periodically, so their private IP addresses change. The NSG must allow inbound traffic from the web tier without updating individual IP addresses each time. Which destination object should be used in the NSG rule?

A.Application security group
B.Service tag
C.Route table
D.Private endpoint
AnswerA

An application security group lets you group VMs by application role rather than by fixed IP address. NSG rules can reference the ASG so the rule continues to work even when the VM IPs change.

Why this answer

An Application Security Group (ASG) lets you group the backend servers' network interfaces by role, regardless of their private IP addresses, and reference that group as the destination in an NSG rule. When a server is replaced, its new NIC is associated with the same ASG (by the deployment template or when the VM is created), so the rule keeps matching even though the private IP changed and no rule edit is needed. This is the correct approach for dynamic workloads where IP addresses are not static.

Exam trap

The trap here is that candidates often confuse Application Security Groups with Network Security Groups themselves, or mistakenly think Service Tags can be used to group their own VMs, when Service Tags are only for Azure platform services or well-known IP ranges.

How to eliminate wrong answers

Option B is wrong because a Service Tag (e.g., AzureLoadBalancer, Internet) represents a predefined group of IP ranges for Azure services or the internet, not a dynamic group of your own VMs in a subnet. Option C is wrong because a Route Table controls network traffic routing (next hop decisions) at the subnet level, not inbound traffic filtering or destination grouping in NSG rules. Option D is wrong because a Private Endpoint is used to securely connect to Azure PaaS services over a private IP, not to group backend servers for NSG destination rules.

264
MCQmedium

A branch office has a single edge device with a static public IP and must connect securely to Azure so users can reach private VMs in a virtual network. The company wants traffic encrypted across the internet and does not need point-to-site access from individual laptops. Which solution should the administrator deploy?

A.A point-to-site VPN configuration for each user laptop.
B.A site-to-site VPN gateway connection.
C.A private endpoint to each virtual machine in Azure.
D.VNet peering between the branch and Azure.
AnswerB

Site-to-site VPN is the standard option for connecting an on-premises branch network to Azure through a VPN device or edge appliance. It uses the branch's static public IP, encrypts traffic over the internet, and allows users on the branch network to reach private Azure resources such as VMs inside the VNet.

Why this answer

A site-to-site VPN gateway connection (Option B) is correct because it creates an encrypted tunnel over the internet between the branch office's edge device with a static public IP and an Azure VPN gateway, allowing users to securely access private VMs in the virtual network. This solution meets the requirement for encrypted traffic across the internet without needing point-to-site access for individual laptops, as the entire branch network is connected via the VPN tunnel.

Exam trap

The trap here is that candidates often confuse private endpoints (Option C) with site-to-site VPNs, thinking private endpoints provide secure connectivity from on-premises, but private endpoints only work for PaaS services within Azure and do not create an encrypted tunnel from a branch office to VMs.

How to eliminate wrong answers

Option A is wrong because a point-to-site VPN configuration is designed for individual user laptops to connect remotely, not for a branch office with a single edge device, and the question explicitly states point-to-site access is not needed. Option C is wrong because a private endpoint is used to securely access Azure PaaS services (e.g., Azure Storage, SQL Database) over a private IP within the virtual network, not to connect a branch office to private VMs; it does not provide encrypted site-to-site connectivity over the internet. Option D is wrong because VNet peering connects two virtual networks within Azure or across regions, not a branch office on-premises network to Azure; it requires both sides to be Azure VNets and does not support on-premises connectivity.

265
MCQmedium

A three-tier application uses separate web and app VMs. The requirement is to allow only the web tier to reach the app tier on TCP 8080. The app subnet NSG already contains a DenyAllInbound rule at priority 200. What should the administrator do?

A.Create an inbound allow rule for the web ASG to the app ASG on TCP 8080 with priority 150.
B.Move the DenyAllInbound rule to priority 300 so all traffic is blocked first.
C.Add a user-defined route from the web subnet to the app subnet.
D.Associate the web and app NICs with the same application security group.
AnswerA

NSG rules are processed in priority order, where the lowest number wins. To permit only web-tier traffic to the app tier while preserving the deny rule, the allow rule must have a higher precedence than the DenyAllInbound entry. Using application security groups keeps the rule maintainable as VMs scale in or out, and the specific source, destination, and port limit access to exactly the required flow.

Why this answer

Option A is correct because the existing DenyAllInbound rule at priority 200 will block all traffic to the app subnet unless a higher-priority (lower number) allow rule is created. By creating an inbound allow rule for the web Application Security Group (ASG) to the app ASG on TCP 8080 with priority 150, the administrator ensures that traffic from the web tier is explicitly permitted before the deny rule is evaluated, satisfying the requirement.

Exam trap

The trap here is that candidates may think moving the deny rule to a higher priority number (lower priority) will fix the issue, but without an explicit allow rule, traffic remains blocked; or they may confuse user-defined routes (which control routing) with NSG rules (which control filtering).

How to eliminate wrong answers

Option B is wrong because moving the DenyAllInbound rule to priority 300 only changes where the deny sits in the evaluation order; with no allow rule for the web tier ahead of it, the deny is still the first match and the traffic is still blocked. Option C is wrong because a user-defined route (UDR) controls the next hop for traffic between subnets, not firewall filtering; it does not allow or deny traffic based on port or protocol, so it cannot permit TCP 8080. Option D is wrong because associating both NICs with the same ASG does not create any allow rule; ASGs only group VMs for reference in NSG rules, and without a corresponding allow rule the traffic remains blocked by the DenyAllInbound rule.
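The priority-ordered, first-match evaluation that this question (and the ASG question before it) relies on, as an added example that is not part of the original question set. The ASG membership, the VNet address space, and the three-tier addresses are constructed for the example; the default inbound rules at 65000, 65001 and 65500 and the health-probe source 168.63.129.16 are Azure's real values.

```python
import ipaddress
from dataclasses import dataclass

# Constructed ASG membership: the private IPs of the NICs associated with each ASG.
ASG_MEMBERS = {
    "web-asg": {"10.1.0.4", "10.1.0.5"},
    "app-asg": {"10.2.0.4", "10.2.0.5", "10.2.0.6"},
}
# Assumed VNet address space, used to model the VirtualNetwork service tag.
VNET_ADDRESS_SPACE = ["10.1.0.0/16", "10.2.0.0/16"]
AZURE_LB_PROBE_SOURCE = "168.63.129.16"   # source of Azure Load Balancer health probes


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # custom rules: 100-4096; default rules sit at 65000 and above
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp", "Icmp", or "*"
    source: str        # CIDR, "*", "VirtualNetwork", "AzureLoadBalancer", or "asg:<name>"
    destination: str   # same forms as source
    dest_port: str     # "8080", "1000-2000", or "*"


# Default inbound rules present in every NSG; they cannot be removed, only overridden.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "AzureLoadBalancer", "*", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*", "*"),
]


def _addr_match(spec, ip):
    if spec == "*":
        return True
    if spec.startswith("asg:"):
        return ip in ASG_MEMBERS.get(spec[4:], set())
    if spec == "VirtualNetwork":
        return any(ipaddress.ip_address(ip) in ipaddress.ip_network(p) for p in VNET_ADDRESS_SPACE)
    if spec == "AzureLoadBalancer":
        return ip == AZURE_LB_PROBE_SOURCE
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def _port_match(spec, port):
    if spec == "*":
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)


def rule_set_problems(rules):
    """Things Azure rejects at save time: custom priorities outside 100-4096 or duplicated."""
    problems, seen = [], set()
    for r in rules:
        if not 100 <= r.priority <= 4096:
            problems.append(f"{r.name}: priority {r.priority} outside 100-4096")
        if r.priority in seen:
            problems.append(f"{r.name}: priority {r.priority} already used")
        seen.add(r.priority)
    return problems


def evaluate(rules, src_ip, dst_ip, protocol, dst_port):
    """Inbound decision: rules are walked by ascending priority and the first match wins."""
    problems = rule_set_problems(rules)
    if problems:
        raise ValueError("; ".join(problems))
    for r in sorted(list(rules) + DEFAULT_INBOUND, key=lambda r: r.priority):
        if r.protocol not in ("*", protocol):
            continue
        if not (_addr_match(r.source, src_ip) and _addr_match(r.destination, dst_ip)):
            continue
        if not _port_match(r.dest_port, dst_port):
            continue
        return (r.access, r.name)
    raise RuntimeError("unreachable: DenyAllInBound matches every packet")


# The scenario: an existing DenyAllInbound at 200, then the fix at 150.
DENY_ALL_200 = Rule("DenyAllInbound", 200, "Deny", "*", "*", "*", "*")
ALLOW_WEB_TO_APP = Rule("Allow-Web-To-App-8080", 150, "Allow", "Tcp", "asg:web-asg", "asg:app-asg", "8080")
ALLOW_TOO_LATE = Rule("Allow-Web-To-App-8080", 250, "Allow", "Tcp", "asg:web-asg", "asg:app-asg", "8080")

RULES_BEFORE = [DENY_ALL_200]
RULES_FIXED = [DENY_ALL_200, ALLOW_WEB_TO_APP]
RULES_WRONG_ORDER = [DENY_ALL_200, ALLOW_TOO_LATE]   # allow exists but is never reached

if __name__ == "__main__":
    for label, rules in (("before", RULES_BEFORE), ("fixed", RULES_FIXED), ("wrong order", RULES_WRONG_ORDER)):
        print(f"{label:>12}: web->app:8080 {evaluate(rules, '10.1.0.4', '10.2.0.4', 'Tcp', 8080)}"
              f" | other->app:8080 {evaluate(rules, '10.3.0.9', '10.2.0.4', 'Tcp', 8080)}"
              f" | web->app:22 {evaluate(rules, '10.1.0.4', '10.2.0.4', 'Tcp', 22)}")
```

The "wrong order" set is the case the exam trap describes: the allow rule is present and correct in every field, but at priority 250 it is behind the deny at 200 and never consulted.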

266
MCQhard

An administrator is deploying a route-based site-to-site VPN gateway. The GatewaySubnet already exists, but validation fails because the public IP configuration is incompatible with the chosen gateway. Which public IP setup is required for the gateway?

A.A Basic SKU public IP with dynamic allocation.
B.A Basic SKU public IP with static allocation.
C.A Standard SKU public IP with static allocation.
D.A private IP address assigned directly from GatewaySubnet.
AnswerC

Azure VPN gateways in every SKU except Basic require a Standard SKU public IP with static allocation. This is part of the gateway's external-facing connectivity requirement and is validated during deployment, so selecting a Basic or dynamically assigned public IP makes gateway creation fail even when GatewaySubnet already exists and is sized correctly.

Why this answer

For a site-to-site VPN gateway deployed in any SKU other than Basic, the gateway must use a Standard SKU public IP address with static allocation; a Basic SKU public IP is accepted only by the Basic gateway SKU. The Standard SKU public IP is also what provides availability-zone support and is required for zone-redundant and active-active gateway configurations. A private IP from the GatewaySubnet cannot serve as the public endpoint for the VPN connection.

Exam trap

The trap here is that candidates often assume any static public IP will work, overlooking the SKU requirement: a Basic SKU public IP is accepted only by the Basic gateway SKU (the only SKU that supports policy-based VPN), which has no zone redundancy or active-active support and is rarely the intended choice for a production site-to-site gateway.

How to eliminate wrong answers

Option A is wrong because a Basic SKU public IP with dynamic allocation fails on both counts: the gateway requires the Standard SKU, and a dynamically allocated address could change and break the peer's tunnel configuration. Option B is wrong because, although static allocation is required, the Basic SKU public IP is still rejected by every gateway SKU except Basic and lacks availability-zone support. Option D is wrong because a private IP address from the GatewaySubnet cannot be used as the public endpoint for a site-to-site VPN; the on-premises device must reach the gateway over the internet, which requires a public IP address.

267
MCQhard

Your hub virtual network uses 10.40.0.0/16 and the corporate on-premises network uses 10.41.0.0/16. A new spoke VNet must be peered to the hub now and connected to on-premises later. It needs a workload subnet for about 180 hosts and a management subnet for about 50 hosts. Which address space is the best choice for the new spoke?

A.10.40.128.0/17
B.10.41.64.0/18
C.10.42.0.0/23
D.10.42.0.0/24
AnswerC

This avoids overlap and provides enough space to split into one /24 and one smaller subnet cleanly.

Why this answer

Option C (10.42.0.0/23) is correct because it provides 512 addresses, enough for both subnets, and does not overlap the hub VNet (10.40.0.0/16) or the on-premises network (10.41.0.0/16). The /23 splits into a /24 for the workload subnet (251 usable after Azure's five reserved addresses, enough for 180 hosts) and a /26 or larger for management (a /26 gives 59 usable, enough for 50 hosts), leaving room for growth without wasting address space.

Exam trap

The trap here is that candidates often choose a /24 (Option D) thinking it is sufficient for 230 hosts, forgetting that Azure reserves 5 IPs per subnet and that two separate subnets are needed, making the /24 too small for both workload and management subnets combined.

How to eliminate wrong answers

Option A is wrong because 10.40.128.0/17 overlaps with the hub VNet's 10.40.0.0/16 address space, which would cause a peering conflict since Azure VNet peering requires non-overlapping address spaces. Option B is wrong because 10.41.64.0/18 overlaps with the on-premises network's 10.41.0.0/16, which would prevent future VPN/ExpressRoute connectivity due to overlapping IP ranges. Option D is wrong because 10.42.0.0/24 cannot be divided to hold both subnets: the 180-host workload subnet alone needs a /24 (a /25 gives only 123 usable addresses after the five Azure reserves), which consumes the entire space and leaves nothing for the management subnet.

268
MCQmedium

A public web application runs on two Windows Server VMs in Azure. Users connect through a single public IP on TCP 443, and the solution must distribute traffic only to healthy VMs without requiring Layer 7 features such as URL-based routing. Which Azure service should the administrator deploy?

A.Azure Application Gateway.
B.Azure Load Balancer Standard.
C.Azure Traffic Manager.
D.Azure Front Door.
AnswerB

A Standard Load Balancer is the right fit for distributing TCP 443 traffic to healthy backend VMs using a single public IP at Layer 4. It supports health probes and works well for internet-facing workloads that do not need application-level routing. Because the scenario specifically excludes Layer 7 features, the load balancer provides the simplest and most cost-effective design while still meeting availability and traffic distribution requirements.

Why this answer

Azure Load Balancer Standard is the correct choice because it operates at Layer 4 (TCP/UDP) and distributes incoming traffic across healthy VM instances based on a single public IP address and port (TCP 443). It performs health probes to ensure traffic is only sent to healthy backend VMs, and it does not require any Layer 7 features like URL-based routing, making it ideal for this scenario.

Exam trap

The trap here is that candidates often confuse Azure Application Gateway with Azure Load Balancer, assuming that any web traffic requires Layer 7 features, but the question explicitly states no Layer 7 features are needed, making the Layer 4 Load Balancer the correct and simpler choice.

How to eliminate wrong answers

Option A is wrong because Azure Application Gateway is a Layer 7 load balancer that provides URL-based routing, SSL termination, and web application firewall features, which are not required and add unnecessary complexity for simple TCP 443 traffic distribution. Option C is wrong because Azure Traffic Manager is a DNS-based traffic load balancer that routes traffic based on DNS resolution and does not distribute traffic directly to VMs via a single public IP; it operates at the DNS level, not at the network layer for real-time health-based distribution. Option D is wrong because Azure Front Door is a global Layer 7 load balancer and application delivery network that provides URL-based routing, SSL offload, and web application firewall capabilities, which are overkill for a simple Layer 4 load-balancing requirement and do not fit the constraint of avoiding Layer 7 features.

269
MCQmedium

A company plans a new spoke virtual network that must be peered to an existing hub VNet using 10.0.0.0/16. The spoke will need two subnets: one sized for about 120 VMs and another for about 40 VMs. The new address space must not overlap the hub or the on-premises range 10.1.0.0/16. Which VNet address space is the best choice?

A.10.0.1.0/24
B.10.1.0.0/22
C.10.2.0.0/22
D.10.0.0.0/24
AnswerC

This address space does not overlap the hub or on-premises ranges and is large enough to carve out two usable subnets for the workload. A /22 gives room for multiple subnets and future growth, which is important when planning a spoke that needs to host dozens or hundreds of VMs. It is a practical choice for peering compatibility and capacity.

Why this answer

Option C (10.2.0.0/22) is correct because it provides a non-overlapping address space with the hub VNet (10.0.0.0/16) and on-premises (10.1.0.0/16). The /22 prefix offers 1024 IP addresses, which is sufficient for subnets supporting 120 VMs and 40 VMs, while avoiding any overlap with the existing ranges.

Exam trap

The trap here is that candidates often overlook the hub VNet's address space (10.0.0.0/16) and incorrectly assume a smaller subnet like 10.0.1.0/24 is safe, not realizing it falls within the hub's larger CIDR range.

How to eliminate wrong answers

Option A is wrong because 10.0.1.0/24 overlaps with the hub VNet 10.0.0.0/16 (10.0.1.0 lies within that range), violating the non-overlap requirement. Option B is wrong because 10.1.0.0/22 overlaps with the on-premises range 10.1.0.0/16, which is explicitly prohibited. Option D is wrong because 10.0.0.0/24 also overlaps with the hub VNet 10.0.0.0/16, and it is too small to be split into a subnet for 120 VMs (which needs a /25) plus a subnet for 40 VMs (which needs a /26).
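The subnet-sizing arithmetic behind this question, the /23 spoke question before it, and the /26 workload-subnet question at the top of the page, as one added worked example that is not part of the original question set. It applies Azure's rule that five addresses are reserved in every subnet and that nothing smaller than /29 is allowed, checks a candidate address space for overlap, and carves the required subnets largest-first so the blocks stay aligned. The subnet names and the 10.0.0.0/16 and 10.1.0.0/16 ranges are the question's own; the carving order is the example's choice.

```python
import ipaddress

AZURE_RESERVED_PER_SUBNET = 5   # network address, 3 platform addresses, broadcast address
AZURE_SMALLEST_SUBNET = 29      # Azure rejects subnets smaller than /29


def usable_hosts(prefixlen):
    """Addresses a VM, NIC, private endpoint, or LB frontend can actually take in Azure."""
    return 2 ** (32 - prefixlen) - AZURE_RESERVED_PER_SUBNET


def smallest_prefix_for(hosts):
    """Longest prefix (smallest subnet) whose Azure-usable count covers `hosts`."""
    for prefix in range(AZURE_SMALLEST_SUBNET, -1, -1):
        if usable_hosts(prefix) >= hosts:
            return prefix
    raise ValueError("no single subnet can hold that many hosts")


def first_overlap(candidate, existing):
    """Return the first existing range the candidate overlaps, or None."""
    cand = ipaddress.ip_network(candidate)
    for rng in existing:
        if cand.overlaps(ipaddress.ip_network(rng)):
            return rng
    return None


def carve(space, needs):
    """Carve one subnet per {name: hosts} from `space`, largest first. Returns {name: cidr}."""
    space = ipaddress.ip_network(space)
    allocated, plan = [], {}
    for name, hosts in sorted(needs.items(), key=lambda kv: -kv[1]):
        prefix = smallest_prefix_for(hosts)
        if prefix < space.prefixlen:
            raise ValueError(f"{name} needs a /{prefix}, larger than the whole {space}")
        for block in space.subnets(new_prefix=prefix):
            if not any(block.overlaps(a) for a in allocated):
                allocated.append(block)
                plan[name] = str(block)
                break
        else:
            raise ValueError(f"no free /{prefix} left in {space} for {name}")
    return plan


def assess(candidate, existing, needs):
    """One-line verdict for a candidate VNet address space."""
    clash = first_overlap(candidate, existing)
    if clash:
        return f"overlaps {clash}"
    try:
        plan = carve(candidate, needs)
    except ValueError as err:
        return f"too small: {err}"
    return "ok: " + ", ".join(f"{n}={c} ({usable_hosts(int(c.split('/')[1]))} usable)"
                              for n, c in plan.items())


if __name__ == "__main__":
    # Spoke peered to hub 10.0.0.0/16 with on-premises 10.1.0.0/16, two subnets of 120 and 40 VMs.
    existing = ["10.0.0.0/16", "10.1.0.0/16"]
    needs = {"app": 120, "data": 40}
    for cand in ("10.0.1.0/24", "10.1.0.0/22", "10.2.0.0/22", "10.0.0.0/24"):
        print(f"{cand:>14}: {assess(cand, existing, needs)}")
    print("40 addresses need a /%d (%d usable)" % (smallest_prefix_for(40), usable_hosts(smallest_prefix_for(40))))
```

The last line reproduces the earlier question's answer: 40 addresses need a /26, because a /27 only has 27 usable addresses once Azure's five reserved addresses are subtracted.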

270
MCQmedium

A storage account has a private endpoint in VNet A. A VM in peered VNet B can reach the storage account by private IP, but when the VM resolves the storage account name it still gets the public IP address. What should be configured so the name resolves to the private IP from VNet B?

A.Create a new storage account in VNet B.
B.Link the private DNS zone for the storage service to VNet B.
C.Add an inbound NSG rule allowing DNS traffic from VNet B.
D.Replace the private endpoint with a service endpoint.
AnswerB

The private endpoint depends on DNS so clients resolve the service name to the private IP. Linking the private DNS zone to VNet B enables that name resolution from the peered network.

Why this answer

When a private endpoint is created in VNet A with DNS integration, a private DNS zone (e.g., `privatelink.blob.core.windows.net`) is created and linked to VNet A, so the storage account name resolves to the private IP within that VNet. Peering gives VNet B a network path to the endpoint, but VNet B is not linked to that zone, so its VMs keep resolving the name through public DNS and get the public IP. Linking the private DNS zone to VNet B makes the VM resolve the storage account name to the private endpoint's address.

Exam trap

The trap here is that candidates assume peering automatically extends DNS resolution for private endpoints, but peering only provides network connectivity—DNS zone linking is a separate, required configuration step.

How to eliminate wrong answers

Option A is wrong because creating a new storage account in VNet B does not solve the DNS resolution issue; the VM in VNet B still needs to resolve the original storage account name to a private IP. Option C is wrong because NSG rules control network traffic filtering, not DNS resolution; queries to Azure-provided DNS are not blocked by default, and an inbound NSG rule does not change which address the name resolves to. Option D is wrong because replacing the private endpoint with a service endpoint keeps the storage account on its public endpoint (access is then limited by the storage firewall's virtual network rules), removes the private IP altogether, and does nothing for name resolution; service endpoints do not use private DNS zones.

271
MCQmedium

A contractor working from home needs temporary access to internal Azure resources. There is no on-premises network to connect, and you do not want to expose the resources publicly. Which connectivity option should you deploy?

A.Site-to-site VPN, because it is the standard option for any remote access.
B.Point-to-site VPN, because it connects an individual client to the virtual network.
C.VNet peering, because it can securely connect any remote device to Azure.
D.ExpressRoute, because it is the simplest option for temporary contractor access.
AnswerB

Point-to-site is designed for individual devices and provides private access without publishing the workload publicly.

Why this answer

A Point-to-Site (P2S) VPN is the correct choice because it allows an individual client computer to establish a secure, encrypted connection to an Azure virtual network over the public internet using SSTP, IKEv2, or OpenVPN. This meets the requirement of temporary remote access without exposing resources publicly, as the connection is initiated from the client and authenticated with certificates, Microsoft Entra ID (formerly Azure AD), or RADIUS.

Exam trap

The trap here is that candidates often confuse Point-to-Site VPN with Site-to-Site VPN, assuming any VPN requires a physical device on-premises, or they overcomplicate the solution by choosing ExpressRoute for its perceived security, ignoring the temporary and individual nature of the access requirement.

How to eliminate wrong answers

Option A is wrong because Site-to-Site VPN requires a VPN device on a local on-premises network to establish a persistent tunnel between two networks, which does not exist in this scenario. Option C is wrong because VNet peering connects two Azure virtual networks, not individual remote devices, and requires both VNets to be in Azure. Option D is wrong because ExpressRoute is a dedicated private connection between an on-premises network and Azure, which is complex, expensive, and unsuitable for temporary individual contractor access.

272
MCQmedium

Why is centralized logging valuable during security incident response?

A.It makes related events from many devices easier to collect and correlate.
B.It guarantees that attacks cannot succeed.
C.It replaces access control mechanisms.
D.It forces all systems to use one VLAN.
AnswerA

This is correct because centralized visibility is the main investigative benefit.

Why this answer

Centralized logging aggregates logs from multiple sources (e.g., Azure VMs, network security groups, Azure Firewall) into a single repository like Azure Log Analytics or Microsoft Sentinel (formerly Azure Sentinel). This correlation enables security analysts to identify patterns across devices, such as a chain of events from an initial breach to lateral movement, which is critical for incident response. Without centralization, manually correlating timestamps and log formats from disparate systems would be impractical during an active attack.

Exam trap

The trap here is that candidates may think centralized logging is a security control that prevents attacks (like a firewall or IDS), rather than recognizing it as a detective control that aids in post-incident analysis and correlation.

Why the other options are wrong

B

This option is wrong because centralized logging does not prevent attacks; it merely helps in detecting and analyzing them after they occur. Security measures must be implemented to actually prevent attacks from succeeding.

C

This option is wrong because centralized logging does not replace access control mechanisms; rather, it complements them by providing visibility into access attempts and security events. Access control mechanisms are essential for determining who can access what resources, independent of logging.

D

This option is wrong because centralized logging does not dictate network architecture or enforce VLAN configurations; it focuses on aggregating log data for analysis. Centralized logging can operate across different VLANs without forcing all systems into a single VLAN.
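The correlation step that both centralized-logging questions on this page describe, as an added example that is not part of the original question set: two log sources in different formats and time zones (a Linux `auth.log` with year-less syslog timestamps, and Windows Security events 4625/4624 exported as CSV in UTC) are normalized onto one UTC timeline, and a detection then looks for a successful logon preceded by repeated failures from the same source across any host, something no single device's log could show. All log lines, hostnames, users and addresses are constructed; the +02:00 clock zone and the 2024 year of the Linux host are assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample input (not real logs). The Linux hosts write syslog timestamps with no year
# in their local zone, assumed here to be UTC+02:00; the Windows events were already exported
# as CSV with ISO-8601 UTC timestamps (time,host,event_id,source_ip,user).
LINUX_AUTH_LOG = """\
Mar 12 11:14:03 web01 sshd[2201]: Failed password for invalid user admin from 198.51.100.23 port 51522 ssh2
Mar 12 11:14:07 web01 sshd[2201]: Failed password for invalid user admin from 198.51.100.23 port 51530 ssh2
Mar 12 11:16:40 web02 sshd[1910]: Failed password for root from 198.51.100.23 port 51601 ssh2
Mar 12 11:20:02 web02 sshd[1915]: Accepted password for deploy from 203.0.113.8 port 40122 ssh2
"""
WINDOWS_SECURITY_CSV = """\
2024-03-12T09:17:55Z,app01,4625,198.51.100.23,svc_backup
2024-03-12T09:18:30Z,app01,4624,198.51.100.23,svc_backup
2024-03-12T09:30:00Z,app02,4624,203.0.113.8,deploy
"""
LINUX_TZ = timezone(timedelta(hours=2))   # assumed clock zone of the Linux hosts
LOG_YEAR = 2024                            # syslog omits the year; assumed

SSHD_RE = re.compile(
    r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: (Failed|Accepted) password for "
    r"(?:invalid user )?(\S+) from (\S+) port"
)


@dataclass(frozen=True)
class LogonEvent:
    when: datetime     # normalized to UTC
    host: str
    source_ip: str
    user: str
    success: bool


@dataclass(frozen=True)
class Alert:
    source_ip: str
    failures: int
    failed_on: tuple   # hosts that saw the failures
    success_host: str
    success_at: datetime


def parse_linux_auth(text):
    events = []
    for line in text.splitlines():
        m = SSHD_RE.match(line)
        if not m:
            continue
        stamp, host, outcome, user, src = m.groups()
        when = datetime.strptime(f"{LOG_YEAR} {stamp}", "%Y %b %d %H:%M:%S")
        events.append(LogonEvent(when.replace(tzinfo=LINUX_TZ).astimezone(timezone.utc),
                                 host, src, user, outcome == "Accepted"))
    return events


def parse_windows_csv(text):
    events = []
    for line in text.splitlines():
        stamp, host, event_id, src, user = line.split(",")
        when = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(LogonEvent(when, host, src, user, event_id == "4624"))
    return events


def correlate(events, min_failures=3, window=timedelta(minutes=10)):
    """Flag a successful logon preceded, within `window`, by >= min_failures failures from the
    same source IP on any host. Only possible once all sources share one timeline."""
    ordered = sorted(events, key=lambda e: e.when)
    alerts = []
    for i, ev in enumerate(ordered):
        if not ev.success:
            continue
        prior = [f for f in ordered[:i]
                 if not f.success and f.source_ip == ev.source_ip and ev.when - f.when <= window]
        if len(prior) >= min_failures:
            alerts.append(Alert(ev.source_ip, len(prior), tuple(sorted({f.host for f in prior})),
                                ev.host, ev.when))
    return alerts


if __name__ == "__main__":
    all_events = parse_linux_auth(LINUX_AUTH_LOG) + parse_windows_csv(WINDOWS_SECURITY_CSV)
    for a in correlate(all_events):
        print(f"{a.source_ip}: {a.failures} failures on {', '.join(a.failed_on)} then success on "
              f"{a.success_host} at {a.success_at.isoformat()}")
```

Run against the Linux log alone, the same function finds nothing: the three failures never lead to a success on a Linux host. The alert only appears when the Windows events are on the same timeline, which is the point of the question.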

273
Multi-Selecthard

A storage account already has a private endpoint for Blob service in a VNet. Virtual machines in AppSubnet still resolve the account name to the public endpoint, so traffic never reaches the private IP. Which two actions should the administrator take? Select two.

Select 2 answers
A.Create a private DNS zone for privatelink.blob.core.windows.net.
B.Link the private DNS zone to the VNet used by AppSubnet.
C.Enable a service endpoint for Microsoft.Storage on the subnet.
D.Set the storage account firewall to Selected networks without a private endpoint.
E.Assign a static public IP to the private endpoint.
AnswersA, B

The private DNS zone maps the blob service name to the private endpoint namespace for name resolution.

Why this answer

Option A is correct because a private DNS zone for `privatelink.blob.core.windows.net` is required to override the default public DNS resolution for the storage account. When a private endpoint is created, the storage account's FQDN (e.g., `mystorageaccount.blob.core.windows.net`) must resolve to the private IP address of the endpoint within the VNet. Without this DNS zone, the VM in AppSubnet continues to resolve the name to the public IP via Azure's public DNS, bypassing the private endpoint. Option B is correct because a private DNS zone only answers queries from virtual networks it is linked to; until the zone is linked to the VNet that contains AppSubnet, its A record is never consulted and the VMs keep receiving the public address.

Exam trap

The trap here is that candidates often confuse service endpoints with private endpoints, assuming that enabling a service endpoint alone will redirect traffic to the private IP, when in fact DNS resolution must be explicitly configured via a private DNS zone.
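The resolution path this question and the peered-VNet question before it depend on, as an added example that is not part of the original question set: a model of Azure-provided DNS following the public CNAME from `mystorage.blob.core.windows.net` into the `privatelink` namespace, then answering from a private DNS zone only when that zone is linked to the querying VM's VNet. The storage account name `mystorage`, the private endpoint address 10.10.1.5, the VNet names, and the 203.0.113.10 placeholder for the account's public IP are constructed; the CNAME chain shape and the "linked zone is authoritative, missing record means NXDOMAIN" behaviour are Azure's.

```python
# Constructed public DNS answers for a storage account named "mystorage" (assumed name) that has
# a private endpoint; 203.0.113.10 stands in for the account's real public IP.
PUBLIC_DNS = {
    "mystorage.blob.core.windows.net": ("CNAME", "mystorage.privatelink.blob.core.windows.net"),
    "mystorage.privatelink.blob.core.windows.net": ("A", "203.0.113.10"),
}
PRIVATE_ENDPOINT_IP = "10.10.1.5"   # assumed NIC address of the private endpoint in VNet A


class AzureProvidedDns:
    """Name resolution as seen by a VM that uses Azure-provided DNS (168.63.129.16)."""

    def __init__(self):
        self.zones = {}   # private zone name -> {record name: private IP}
        self.links = {}   # private zone name -> set of VNet names linked to it

    def create_zone(self, zone):
        self.zones.setdefault(zone, {})

    def add_a_record(self, zone, name, ip):
        self.zones[zone][name] = ip

    def link(self, zone, vnet):
        self.create_zone(zone)
        self.links.setdefault(zone, set()).add(vnet)

    def _linked_zone_for(self, fqdn, vnet):
        # The longest linked zone that is a suffix of the name answers authoritatively.
        candidates = [z for z, vnets in self.links.items() if vnet in vnets and fqdn.endswith("." + z)]
        return max(candidates, key=len) if candidates else None

    def resolve(self, fqdn, vnet, max_hops=5):
        name = fqdn
        for _ in range(max_hops):
            zone = self._linked_zone_for(name, vnet)
            if zone is not None:
                # A linked private zone is authoritative: a missing record yields NXDOMAIN,
                # there is no fallback to the public answer.
                return self.zones[zone].get(name[: -len(zone) - 1], "NXDOMAIN")
            rtype, value = PUBLIC_DNS.get(name, (None, None))
            if rtype == "A":
                return value
            if rtype != "CNAME":
                return "NXDOMAIN"
            name = value   # follow the CNAME into the privatelink namespace
        return "NXDOMAIN"


def build_scenario():
    """VNet A holds the private endpoint and has the zone linked; peered VNet B does not."""
    dns = AzureProvidedDns()
    dns.create_zone("privatelink.blob.core.windows.net")
    dns.add_a_record("privatelink.blob.core.windows.net", "mystorage", PRIVATE_ENDPOINT_IP)
    dns.link("privatelink.blob.core.windows.net", "vnet-a")
    return dns


if __name__ == "__main__":
    dns = build_scenario()
    name = "mystorage.blob.core.windows.net"
    print("VNet A            :", dns.resolve(name, "vnet-a"))   # private IP
    print("VNet B            :", dns.resolve(name, "vnet-b"))   # public IP: zone not linked
    dns.link("privatelink.blob.core.windows.net", "vnet-b")
    print("VNet B after link :", dns.resolve(name, "vnet-b"))   # private IP
    empty = AzureProvidedDns()
    empty.link("privatelink.blob.core.windows.net", "vnet-c")  # linked, record never populated
    print("VNet C empty zone :", empty.resolve(name, "vnet-c"))  # NXDOMAIN
```

The last case is the third failure mode listed in the matching question earlier on the page: a zone that is linked but whose A record was never populated does not fall back to the public address, it breaks resolution entirely, which is why the check after creating a private endpoint is to query the name from a VM in each VNet that needs it.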

274
MCQmedium

You have two virtual networks named VNet-Hub and VNet-Spoke1 in the same Azure region. Resources in the two VNets must communicate privately over the Microsoft backbone without using a VPN gateway. What should you configure?

A.VNet peering
B.A site-to-site VPN
C.A public load balancer
D.An NSG outbound deny rule
AnswerA

This is the direct and simplest solution for private VNet connectivity in Azure.

Why this answer

VNet peering enables direct, private connectivity between two virtual networks in the same Azure region using the Microsoft backbone infrastructure. It does not require a VPN gateway, public IP addresses, or any internet transit, making it the correct choice for private communication between VNet-Hub and VNet-Spoke1.

Exam trap

The trap here is that candidates often confuse VNet peering with VPN gateway-based solutions, assuming a VPN is required for private connectivity, but VNet peering directly meets the requirement without any gateway or public internet exposure.

How to eliminate wrong answers

Option B is wrong because a site-to-site (or VNet-to-VNet) VPN requires a VPN gateway in each VNet, which the requirement explicitly excludes, and adds gateway cost, IPsec overhead, and throughput limits that peering does not have. Option C is wrong because a public load balancer distributes inbound traffic from the internet to backend resources and does not provide private inter-VNet connectivity. Option D is wrong because an NSG outbound deny rule blocks outbound traffic from a subnet or NIC, which would prevent communication rather than enable private connectivity.

275
MCQmedium

You need to allow or deny traffic to and from resources in an Azure subnet based on source IP address, destination port, and protocol. Which Azure feature should you use?

A.A network security group
B.A route table
C.A private DNS zone
D.Azure Advisor
AnswerA

NSGs are used to allow or deny network traffic by rule.

Why this answer

A network security group (NSG) is the correct Azure feature because it acts as a stateful, distributed firewall that filters traffic to and from Azure resources in a virtual network. NSGs contain security rules that allow or deny inbound and outbound traffic based on source/destination IP address, port, and protocol (TCP, UDP, or ICMP). This directly matches the requirement to control traffic based on source IP, destination port, and protocol.

Exam trap

The trap here is that candidates often confuse route tables (which control traffic paths) with NSGs (which control traffic permissions), especially when the question mentions 'allow or deny traffic'. A route table is not a filter: it can change a next hop, or drop traffic for a prefix with a next hop of None, but it cannot match on port or protocol.

How to eliminate wrong answers

Option B is wrong because a route table controls the next hop for network traffic (e.g., directing traffic through a firewall or VPN gateway) but does not filter traffic based on source IP, port, or protocol. Option C is wrong because a private DNS zone is used for custom domain name resolution within a virtual network, not for traffic filtering or access control. Option D is wrong because Azure Advisor provides recommendations for best practices in cost, security, reliability, and performance but does not enforce traffic rules or filter packets.

276
MCQ · medium

An on-premises datacenter must reach private IP addresses in Azure over an encrypted site-to-site tunnel. The Azure VMs must not have public IP addresses, and the connection should use the company's existing edge device. Which Azure component should be deployed?

A. Azure Bastion
B. Azure VPN Gateway
C. Azure Route Server
D. A network security group with inbound allow rules
Answer: B

VPN Gateway terminates the encrypted site-to-site tunnel and enables private connectivity from on-premises to Azure VNets. It works with the on-premises edge device and allows access to Azure private IPs without assigning public IPs to the target VMs.

Why this answer

Azure VPN Gateway is the correct component because it provides an encrypted site-to-site IPsec/IKE tunnel between an on-premises network and Azure virtual networks. It supports policy-based or route-based VPNs, works with existing edge devices, and allows Azure VMs to remain without public IP addresses by routing traffic through the gateway's private IP space.

Exam trap

The trap here is confusing Azure Bastion (a secure access service) with a VPN gateway, because both involve 'secure connections' to Azure, but Bastion does not extend the on-premises network or support site-to-site tunneling.

How to eliminate wrong answers

Option A is wrong because Azure Bastion is a PaaS service that provides secure RDP/SSH access to VMs via the Azure portal over TLS, not a site-to-site VPN tunnel for private IP reachability. Option C is wrong because Azure Route Server is a managed service that enables dynamic route exchange between network virtual appliances (NVAs) and Azure virtual networks using BGP, but it does not terminate encrypted site-to-site tunnels. Option D is wrong because a network security group (NSG) is a stateful firewall that filters traffic at the subnet or NIC level with allow/deny rules; it cannot create or terminate encrypted VPN tunnels.

277
MCQ · medium

An administrator added an NSG rule named Allow-Admin-HTTPS with priority 250 to permit inbound TCP 443 from a single public IP. The NSG also contains a Deny-All-Inbound rule with priority 200. The administrator still cannot connect to the VM over HTTPS from the allowed IP. What should be changed to resolve the issue?

A. Change the allow rule priority to a number lower than 200.
B. Change the deny rule priority to 65000 so it is evaluated first.
C. Convert the allow rule to an outbound rule instead of inbound.
D. Replace the NSG with a route table so HTTPS can pass through the subnet.
Answer: A

NSG rules are evaluated in ascending priority order, so the lower number is processed first. Because Deny-All-Inbound at 200 is taking effect before the allow rule at 250, the connection is blocked. Moving the allow rule to a priority such as 150 ensures the specific HTTPS exception is matched before the broad deny rule.

Why this answer

The Deny-All-Inbound rule with priority 200 is evaluated before the Allow-Admin-HTTPS rule with priority 250 because NSG rules are processed in order of ascending priority (lower numbers are evaluated first). Since the deny rule matches all inbound traffic, it blocks the HTTPS connection before the allow rule can be evaluated. To resolve this, the allow rule must have a priority lower than 200 (e.g., 150) so it is evaluated first and permits the traffic from the specified public IP.

Exam trap

The trap here is that candidates often assume higher priority numbers mean higher precedence, but in Azure NSGs, lower priority numbers are evaluated first, so a deny rule with a lower number will block traffic before a higher-numbered allow rule can permit it.

How to eliminate wrong answers

Option B is wrong because the option misstates how priority works: changing the deny rule to 65000 would make it evaluated last, not first, since lower numbers are processed first; the targeted fix is to lower the allow rule's priority below 200 rather than to push the broad deny rule to the end of the list. Option C is wrong because the HTTPS connection is inbound to the VM, so an outbound rule would not affect incoming traffic; NSG rules are directional and must match the traffic flow. Option D is wrong because a route table controls traffic routing (next hop) and does not filter traffic; NSGs are stateful firewalls that permit or deny traffic, and replacing the NSG with a route table would remove all filtering, not selectively allow HTTPS.

278
Multi-Select · easy

Which two statements about network security group processing are correct? Select two.

Select 2 answers
A. NSG rules are evaluated starting with the lowest priority number.
B. An NSG can be linked only to a subnet, not to a network interface card.
C. A deny rule with a lower number can block traffic even if an allow rule exists later.
D. Azure ignores NSG rules whenever a route table is attached to the subnet.
E. Security rules are processed alphabetically by name.
Answers: A, C

Correct because Azure processes NSG rules in ascending priority order, so smaller numbers are checked first.

Why this answer

Option A is correct because NSG rules are processed in order of increasing priority number, meaning the rule with the lowest priority number (e.g., 100) is evaluated first. This ensures that more specific or critical rules can be applied before broader rules with higher priority numbers. Option C is correct because evaluation stops at the first rule that matches the traffic, so a deny rule with a lower number blocks the flow before a later allow rule is ever reached.

Exam trap

The trap here is that candidates often confuse NSG rule processing order with alphabetical or sequential naming, or mistakenly believe NSGs cannot be applied to NICs, leading them to select options B or E instead of the correct priority-based evaluation logic.

279
MCQ · medium

Based on the exhibit, which Network Watcher tool should you use to determine whether an NSG allows or denies TCP 1433 traffic and which rule is responsible?

A. IP flow verify
B. Connection troubleshoot
C. Packet capture
D. Next hop
Answer: A

IP flow verify is built to test a specific source, destination, protocol, and port against NSG rules.

Why this answer

IP flow verify tests a specific source/destination IP, port, and protocol (TCP 1433) against the effective NSG rules to report whether traffic is allowed or denied, and it identifies the exact NSG rule (name and priority) responsible for that decision. This makes it the correct tool for determining NSG rule impact on a specific traffic flow.

Exam trap

The trap here is that candidates confuse 'Connection troubleshoot' (which tests end-to-end connectivity) with 'IP flow verify' (which specifically tests NSG rule evaluation), leading them to pick B because they think connectivity checks include rule analysis.

How to eliminate wrong answers

Option B (Connection troubleshoot) is wrong because it checks end-to-end connectivity (including routing and latency) but does not identify which specific NSG rule allows or denies traffic; it only reports connectivity success or failure. Option C (Packet capture) is wrong because it captures raw network packets for deep inspection but does not map packets to NSG rules or provide a rule-level allow/deny verdict. Option D (Next hop) is wrong because it identifies the next hop IP address and route type for a packet but does not evaluate NSG rules at all.

280
MCQ · medium

A storage account must be reachable only from resources in a specific Azure subnet, and connections must not use the public endpoint. Which option should the administrator configure?

A. A service endpoint on the subnet, because it keeps traffic on the Azure backbone.
B. A private endpoint for the storage account in the subnet.
C. A NAT gateway attached to the subnet.
D. A storage firewall rule that allows all Azure services.
Answer: B

A private endpoint assigns the storage service a private IP address inside the selected virtual network subnet. Traffic then stays on private addressing instead of using the public endpoint, which is exactly what the requirement asks for. This also allows the administrator to restrict access to approved network locations while improving the security posture of the storage account.

Why this answer

A private endpoint assigns the storage account a private IP address from the subnet, effectively bringing the service into the virtual network. This ensures all traffic to the storage account stays within the Microsoft Azure backbone and never traverses the public internet, meeting the requirement that connections must not use the public endpoint.

Exam trap

The trap here is that candidates confuse service endpoints with private endpoints, assuming both provide the same level of isolation, but service endpoints still expose the public endpoint and do not give a private IP address.

How to eliminate wrong answers

Option A is wrong because a service endpoint does not assign a private IP to the storage account; it only extends the VNet identity to the service, and traffic still reaches the public endpoint of the storage account (though it stays on the Azure backbone). Option C is wrong because a NAT gateway provides outbound internet connectivity for resources in the subnet, not inbound private connectivity to a storage account. Option D is wrong because a storage firewall rule that allows all Azure services permits connections from any Azure region's public IP ranges, not only from the specific subnet, and still uses the public endpoint.

281
MCQ · medium

You need to allow SSH access to only one Linux VM in a subnet that contains several application servers. The other VMs in the subnet must remain inaccessible from the internet. What is the best configuration?

A. Add an inbound allow rule on the subnet NSG for TCP 22 from your admin IP address.
B. Associate an NSG with the target VM's NIC and add an inbound allow rule for TCP 22 from your admin IP.
C. Create a public load balancer in front of the subnet and forward port 22 to the VM.
D. Enable a service endpoint on the subnet so SSH traffic is limited to that VM.
Answer: B

A NIC-level NSG can restrict access to a single VM without opening SSH for the rest of the subnet.

Why this answer

Option B is correct because Network Security Groups (NSGs) can be associated at the subnet or NIC level. By associating an NSG directly with the target VM's NIC and adding an inbound allow rule for TCP port 22 from your admin IP address, you restrict SSH access exclusively to that VM while leaving the other VMs in the subnet unaffected by the rule. This provides granular, host-level security without impacting the broader subnet traffic.

Exam trap

The trap here is that candidates often assume subnet-level NSG rules are sufficient for granular control, but they fail to recognize that a subnet NSG applies to all VMs in that subnet, whereas a NIC-level NSG provides per-VM isolation.

How to eliminate wrong answers

Option A is wrong because adding an inbound allow rule on the subnet NSG for TCP 22 from your admin IP address would allow SSH access to all VMs in the subnet, not just the target Linux VM, violating the requirement that other VMs remain inaccessible from the internet. Option C is wrong because creating a public load balancer and forwarding port 22 to the VM would expose the VM to internet traffic through the load balancer, but it does not inherently block SSH access to other VMs; additionally, load balancers are designed for distributing traffic across multiple VMs, not for restricting access to a single VM. Option D is wrong because service endpoints are used to secure Azure service resources (e.g., Azure Storage, SQL Database) to a virtual network, not to restrict SSH traffic to a specific VM; they do not filter inbound internet traffic to VMs.

282
MCQ · medium

An administrator is deploying an Azure VPN gateway for a site-to-site connection. The deployment fails because required network resources are missing. Which configuration is required before the gateway can be created?

A. A subnet named GatewaySubnet and a public IP address for the VPN gateway.
B. A subnet named AzureBastionSubnet and a static private IP address.
C. A network security group attached directly to the virtual network gateway.
D. A load balancer with a public frontend to terminate the VPN connection.
Answer: A

Azure VPN gateways require a dedicated GatewaySubnet and a public IP for external reachability.

Why this answer

A VPN gateway in Azure requires a dedicated subnet named 'GatewaySubnet' to host the gateway instances, and a public IP address resource must be allocated to the gateway to establish the site-to-site VPN tunnel over the internet. Without these two prerequisites, the deployment will fail because the gateway cannot be provisioned or addressed externally.

Exam trap

The trap here is that candidates often confuse the required subnet name 'GatewaySubnet' with other special subnets like 'AzureBastionSubnet' or 'AzureFirewallSubnet', leading them to select an incorrect option that seems plausible but serves a different purpose.

How to eliminate wrong answers

Option B is wrong because 'AzureBastionSubnet' is used for Azure Bastion, not for a VPN gateway; the VPN gateway requires a subnet named 'GatewaySubnet' with a specific address range. Option C is wrong because a network security group (NSG) cannot be attached directly to a virtual network gateway; NSGs are applied to subnets or network interfaces, and attaching one to the gateway subnet can interfere with gateway traffic. Option D is wrong because a load balancer is not required for a VPN gateway; the VPN gateway itself handles tunnel termination and does not use a load balancer for site-to-site connections.

283
MCQ · hard

A VM named VM1 cannot establish TCP 1433 connectivity to VM2. The administrator wants to test the exact flow, confirm whether an NSG allows or denies it, and identify the rule that applies if the flow is blocked. Which Network Watcher tool should be used?

A. Effective routes, because it shows the exact NSG rule name for blocked traffic.
B. IP flow verify, because it evaluates the 5-tuple and reports the matching allow or deny rule.
C. Packet capture, because it automatically tells you which NSG rule denied the traffic.
D. Connection troubleshoot, because it only checks DNS name resolution.
Answer: B

IP flow verify is designed to test a specific source, destination, protocol, and port combination against NSG rules. It returns whether the flow is allowed or denied and identifies the rule that matched, which makes it the right tool when you need to prove whether TCP 1433 is blocked and why.

Why this answer

IP flow verify is the correct tool because it evaluates the 5-tuple (source IP, destination IP, source port, destination port, and protocol) against the effective Network Security Group (NSG) rules for a given virtual machine network interface. It explicitly reports whether the traffic is allowed or denied and, if denied, identifies the exact NSG rule (name and priority) that caused the denial. This directly meets the administrator's requirement to test the exact flow and identify the blocking rule.

Exam trap

The trap here is that candidates often confuse 'Connection troubleshoot' (which tests end-to-end connectivity and can indicate a block) with 'IP flow verify' (which explicitly identifies the exact NSG rule name that caused the denial), leading them to choose the less precise tool.

How to eliminate wrong answers

Option A is wrong because Effective routes show the learned routes (next hop types) for a VM, not NSG rule evaluation; they do not report NSG rule names for blocked traffic. Option C is wrong because Packet capture captures raw network packets for analysis but does not automatically interpret or report which NSG rule denied traffic; it requires manual inspection of the capture. Option D is wrong because Connection troubleshoot checks TCP connectivity and can identify issues like NSG blocking, but it does not explicitly report the exact NSG rule name that denied the traffic; IP flow verify is more precise for rule-level identification.

284
MCQ · hard

A VM in VNet B can reach a blob storage account through a private endpoint that was created in peered VNet A. The storage FQDN still resolves to the public IP when queried from VNet B, so the VM does not use the private path. What should the administrator change?

A. Add a service endpoint for Microsoft.Storage to VNet B
B. Link the private DNS zone used by the private endpoint to VNet B
C. Disable the storage account firewall completely
D. Move the storage account into VNet B
Answer: B

Private endpoint connectivity depends on DNS resolution returning the private IP address. In a peered virtual network, the DNS zone for the private endpoint must be linked so clients in VNet B resolve the storage name to the private address instead of the public one. Once that DNS path is corrected, traffic follows the private endpoint.

Why this answer

The private endpoint in VNet A creates a private IP for the storage account, but DNS resolution in VNet B still returns the public IP because the private DNS zone (privatelink.blob.core.windows.net) is not linked to VNet B. By linking the private DNS zone to VNet B, the VM will resolve the storage FQDN to the private IP, ensuring traffic uses the private endpoint path through the VNet peering.

Exam trap

The trap here is that candidates assume VNet peering automatically extends DNS resolution for private endpoints, but in reality, private DNS zones must be explicitly linked to each peered VNet to enable private IP resolution.

How to eliminate wrong answers

Option A is wrong because a service endpoint provides access to the storage account via its public IP over the Microsoft backbone, not a private IP, and does not change DNS resolution to use the private endpoint. Option C is wrong because disabling the storage account firewall would allow public internet access but does not force the VM to use the private endpoint path; DNS would still resolve to the public IP. Option D is wrong because moving the storage account into VNet B is unnecessary and would not resolve the DNS resolution issue; the private endpoint already exists in peered VNet A, and the correct fix is to link the private DNS zone to VNet B.

285
MCQ · medium

Your company has an on-premises office network that needs encrypted connectivity to an Azure virtual network. In addition, traveling users need secure access from their laptops when they are away from the office. Which Azure design best meets both requirements?

A. Deploy a VPN gateway and configure both site-to-site and point-to-site connections.
B. Use VNet peering between the office network and Azure, then share the same connection with remote users.
C. Create a service endpoint to the virtual network and enable private access for laptops.
D. Deploy a NAT gateway and use it for secure office and laptop connectivity.
Answer: A

A VPN gateway supports both site-to-site tunnels for the office network and point-to-site access for individual users. This single design meets the hybrid branch requirement and the remote-user requirement without exposing the VNet directly to the internet. It is the standard Azure networking choice when you need encrypted connectivity from both networks and individual clients.

Why this answer

A VPN gateway supports both site-to-site (S2S) connections for the on-premises office network and point-to-site (P2S) connections for individual traveling users. The S2S connection uses IPsec/IKE to establish encrypted tunnels between the on-premises VPN device and the Azure VPN gateway, while the P2S connection uses SSTP, OpenVPN, or IKEv2 to allow remote laptops to connect securely from anywhere. This single gateway resource can handle both connection types simultaneously, meeting both requirements efficiently.

Exam trap

The trap here is that candidates confuse VNet peering (which only works between Azure VNets) with hybrid connectivity, or assume a single-purpose service like NAT gateway or service endpoint can replace a VPN gateway for encrypted remote access.

How to eliminate wrong answers

Option B is wrong because VNet peering connects two Azure virtual networks, not an on-premises network to Azure, and it does not provide encrypted connectivity or support remote user laptops. Option C is wrong because a service endpoint provides private connectivity from a virtual network to Azure PaaS services (e.g., Storage, SQL) but does not create an encrypted tunnel for on-premises or remote user access. Option D is wrong because a NAT gateway enables outbound internet connectivity for virtual network resources and does not support inbound encrypted site-to-site or point-to-site connections.

286
MCQ · medium

VNet-Hub and VNet-Spoke1 are in the same region and subscription. Resources in the two VNets must communicate over the Microsoft backbone without using a VPN gateway. What should you configure?

A. VNet peering
B. A site-to-site VPN gateway in each VNet
C. A private endpoint
D. A service endpoint
Answer: A

Peering is the standard way to connect VNets privately over the Azure backbone.

Why this answer

VNet peering enables direct connectivity between two virtual networks in the same region and subscription over the Microsoft backbone, without requiring a VPN gateway or public internet. This is the correct solution because it provides low-latency, private communication using the Azure infrastructure, and it supports resources in both VNets to communicate as if they were on the same network.

Exam trap

The trap here is that candidates often confuse VNet peering with VPN gateways or service endpoints, mistakenly thinking a VPN gateway is required for cross-VNet communication or that service endpoints can connect VNets, when in fact VNet peering is the native, gateway-free solution for direct VNet-to-VNet connectivity within the same region.

How to eliminate wrong answers

Option B is wrong because a site-to-site VPN gateway would introduce a VPN tunnel over the public internet or ExpressRoute, which is unnecessary and contradicts the requirement to avoid a VPN gateway; it also incurs additional cost and latency. Option C is wrong because a private endpoint is used to securely access a specific Azure PaaS service (e.g., Azure SQL Database) from a VNet via a private IP, not to connect two VNets together. Option D is wrong because a service endpoint extends a VNet's identity to an Azure service over the Microsoft backbone but does not enable communication between two VNets; it only allows secure access from a VNet to a specific Azure service.

287
Matching · medium

A team is troubleshooting inbound access to Azure VMs. Match each NSG concept on the left with the most accurate behavior or troubleshooting implication on the right.


Concepts
Matches

The priority 100 rule is evaluated first, so it wins if both rules match the same traffic.

It controls traffic entering the subnet or NIC from another network location.

It filters traffic for a single VM and can be used in addition to a subnet NSG.

It matches any ephemeral source port and does not limit the sender's port selection.

It allows only HTTPS traffic that uses TCP and the specified destination port.

Why these pairings

NSG is a distributed firewall; default inbound rule denies all; UDR overrides routes; ASG groups VMs; flow logs record traffic; service tags represent Azure IPs.

288
MCQ · hard

You have an Azure load balancer in front of two virtual machines. The load balancer reports both instances as unavailable even though the VMs are running. What is the most likely cause?

A. The health probe is failing.
B. The VMs are in an availability set.
C. The storage account uses the Cool tier.
D. The subscription has a budget alert.
Answer: A

A failed health probe causes the load balancer to mark backend instances as unavailable.

Why this answer

The health probe is the mechanism by which the Azure Load Balancer determines the availability of backend instances. If the probe is misconfigured (e.g., wrong port, protocol, path, or interval) or the backend VMs are not responding to the probe requests (e.g., firewall blocking the probe traffic or the application not listening on the specified port), the load balancer marks both instances as 'Unavailable' even though the VMs are running. This is the most common cause of backend pool unavailability.

Exam trap

The trap here is that candidates often assume 'VM is running' means it is automatically available to the load balancer, overlooking the critical role of the health probe configuration and the need for the probe traffic to be allowed by network security rules.

How to eliminate wrong answers

Option B is wrong because placing VMs in an availability set does not affect load balancer health probe status; availability sets provide high availability for VMs during planned or unplanned maintenance, but they do not interfere with the load balancer's ability to probe or route traffic. Option C is wrong because the storage account tier (Cool vs. Hot) is unrelated to load balancing or VM network connectivity; it only affects blob storage access costs and latency.

Option D is wrong because a subscription budget alert is a cost management feature that sends notifications when spending exceeds a threshold; it does not impact the operational state of the load balancer or its backend VMs.

