CCNA AZ Networking Questions

75 of 288 questions · Page 1/4 · AZ Networking topic

1
MCQ · easy

Based on the exhibit, the web tier can reach the API subnet by name, but the traffic is still blocked. What should the administrator do?

A. Add the API VM NICs to the destination application security group.
B. Increase the priority number of the allow rule so it is evaluated earlier.
C. Replace the ASG with a service endpoint on the API subnet.
D. Remove the web VMs from ASG-Web because ASGs block traffic by default.
Answer: A

The allow rule names ASG-Api as its destination, but the exhibit shows that no API VM NICs are members of that ASG. A rule that references an ASG matches only NICs that belong to it, so with an empty ASG the allow rule matches nothing and evaluation continues to the deny rule that blocks the flow. Adding the API VM NICs to ASG-Api makes the rule match and the traffic is permitted.

Why this answer

The correct answer is A because the web tier can resolve the API subnet's name, yet the traffic is still blocked. That points at the network security group (NSG) rules rather than DNS: the allow rule from the web VMs (in ASG-Web) to the API VMs is written with ASG-Api as the destination, so it can only match NICs that are members of ASG-Api. Adding the API VM NICs to that ASG gives the rule something to match, and the traffic is allowed.

Without this, the rule references an ASG with no members, nothing matches it, and evaluation falls through to whatever deny rule sits below it. One check worth doing in practice: the built-in AllowVnetInBound rule (priority 65000) permits all intra-VNet traffic, so an ASG-scoped design only blocks anything when a custom deny rule with a lower priority number has been added; when an allow rule like this one fails to match, that custom deny is what ends up catching the traffic.

Exam trap

The trap here is that candidates often confuse name resolution with network connectivity, assuming that if a VM can resolve another VM's name via DNS, traffic must be allowed, but NSG rules are evaluated independently of DNS resolution.

How to eliminate wrong answers

Option B is wrong because increasing the priority number (making it a higher value) actually causes the rule to be evaluated later, not earlier; lower priority numbers are evaluated first. Option C is wrong because a service endpoint is used to secure Azure service traffic (e.g., to Azure Storage or SQL Database) to a virtual network, not to allow traffic between subnets or VMs within the same virtual network. Option D is wrong because ASGs do not block traffic by default; they are logical groupings used in NSG rules to define source or destination, and removing VMs from ASG-Web would not resolve the connectivity issue—it would break the existing allow rule that references ASG-Web as the source.

2
Multi-Select · easy

A storage account should use a private IP address inside a virtual network, and workloads in that VNet must resolve the storage name to the private address. Which two items are required? Select two.

A. Create a private endpoint for the storage account in the virtual network so the service gets a private IP.
B. Create and link the appropriate private DNS zone so the storage account name resolves to the private IP.
C. Enable a service endpoint on the subnet, because service endpoints create a private IP for the storage service.
D. Assign a Reader role on the storage account, because RBAC determines the private address used by clients.
E. Disable the storage account firewall, because private endpoints only work when the public endpoint is open.
Answers: A, B

A private endpoint places the storage service on a private IP address inside the VNet; the linked private DNS zone is what makes the storage account name resolve to that address from inside the VNet, so both items are required.

Why this answer

Option A is correct because a private endpoint assigns a private IP address from the virtual network to the storage account, enabling secure, direct connectivity over the Microsoft backbone without traversing the public internet. This is achieved by creating a network interface in the VNet that receives a private IP from the subnet range, which then routes traffic to the storage service via a private link. Option B is correct because the private endpoint alone does not change DNS: public DNS still answers with the public address, so a private DNS zone linked to the VNet is needed for the storage account name to resolve to the private IP.

Exam trap

The trap here is that candidates often confuse service endpoints with private endpoints, assuming both provide a private IP, when in fact only private endpoints assign a private IP from the VNet, while service endpoints merely route traffic over the Microsoft backbone using the service's public IP.

3
MCQ · medium

A storage account has public network access disabled. A VM in a virtual network must access blob data privately, and the application must resolve the storage endpoint name to a private IP address. What should the administrator deploy?

A. A service endpoint for Microsoft.Storage and a custom hosts file entry on the VM
B. A private endpoint for the storage account plus a private DNS zone linked to the virtual network
C. Allow trusted Microsoft services and keep using the public endpoint
D. A route table that sends traffic for the storage account's public IP to the VPN gateway
Answer: B

A private endpoint places the storage service on a private IP address inside the VNet, which satisfies the private access requirement. A private DNS zone is then needed so the storage account name resolves to that private IP address from within the virtual network. Together, they provide secure, private connectivity with proper name resolution.

Why this answer

A private endpoint assigns the storage account a private IP from the VM's virtual network, enabling direct, secure access over the Microsoft backbone. A private DNS zone linked to the virtual network ensures the storage endpoint name (e.g., mystorageaccount.blob.core.windows.net) resolves to that private IP, meeting the requirement for private name resolution without relying on public DNS or hosts file entries.

Exam trap

The trap here is that candidates confuse service endpoints (which let the storage firewall identify traffic by subnet but assign no private IP and change no DNS answer) with private endpoints (which provide a true private IP and, with a linked private DNS zone, private name resolution), leading them to choose Option A or C.

How to eliminate wrong answers

Option A is wrong because a service endpoint does not provide a private IP address; it routes traffic over the Microsoft backbone, but the storage account keeps its public endpoint, and with public network access disabled that endpoint rejects the traffic anyway, since service endpoints depend on the storage firewall being set to allow selected networks. A hosts file entry has no private address to point at, and even where one exists it is brittle and does not scale. Option C is wrong because 'Allow trusted Microsoft services' bypasses the firewall for specific Azure services, not for a VM, and still uses the public endpoint rather than a private IP; it does not resolve the name privately. Option D is wrong because a route table cannot change DNS resolution; it only controls traffic forwarding, and sending traffic to a VPN gateway neither assigns a private IP to the storage endpoint nor resolves its name privately.

4
MCQ · medium

A security team requires all outbound internet traffic from a workload subnet to pass through an NVA at 10.1.4.4. The subnet is already associated with an NSG that allows the traffic. Which UDR should the administrator add to the route table for that subnet?

A. Destination 10.1.4.4/32 with next hop type Internet.
B. Destination 0.0.0.0/0 with next hop type Virtual appliance and next hop IP 10.1.4.4.
C. Destination 0.0.0.0/0 with next hop type Virtual network gateway.
D. Destination 10.1.4.0/24 with next hop type None.
Answer: B

To force all internet-bound traffic through a network virtual appliance, the route table needs a default route that matches 0.0.0.0/0 and sends traffic to the appliance's private IP. The next hop type must be Virtual appliance, and the next hop IP should be 10.1.4.4. This overrides Azure's default system route for internet traffic from that subnet, while NSG rules still decide whether the traffic is permitted. Two checks a practitioner should add: the NVA's NIC must have IP forwarding enabled, or it will drop packets not addressed to itself, and the route table should be associated with the workload subnet only; the NVA's own subnet needs a separate route table, otherwise the appliance's outbound traffic is routed back to itself.

Why this answer

Option B is correct because a User Defined Route (UDR) with destination 0.0.0.0/0 and next hop type 'Virtual appliance' forces all outbound internet traffic from the subnet to be forwarded to the NVA at 10.1.4.4 for inspection. The 0.0.0.0/0 prefix matches all internet-bound traffic, and the 'Virtual appliance' next hop type enables routing to a private IP address within the virtual network, overriding the default system route that would otherwise send traffic directly to the Internet.

Exam trap

The trap here is that candidates often confuse the 'Virtual appliance' next hop type with 'Virtual network gateway' or mistakenly think a specific destination like the NVA's IP is needed, rather than understanding that 0.0.0.0/0 is required to capture all outbound internet traffic.

How to eliminate wrong answers

Option A is wrong because a destination of 10.1.4.4/32 with next hop type 'Internet' would only route traffic destined to the NVA itself out to the internet, not all outbound traffic through the NVA. Option C is wrong because next hop type 'Virtual network gateway' is used for site-to-site VPN or ExpressRoute traffic, not for forcing traffic through an NVA; it would send internet-bound traffic to the gateway instead of the NVA. Option D is wrong because destination 10.1.4.0/24 with next hop type 'None' would blackhole traffic to the NVA's subnet, preventing any traffic from reaching the NVA, and it does not affect outbound internet traffic.

5
Multi-Select · medium

A VNet peering attempt between VNet-A and VNet-B fails because both VNets include 10.40.0.0/16. VNet-B hosts active workloads, so the team wants to readdress it without downtime. Which two actions should the administrator take? Select two.

A. Add a new non-overlapping address space to VNet-B.
B. Migrate the workloads and subnets in VNet-B to the new address space before removing the overlapping range.
C. Enable gateway transit on both VNets to bypass the overlap check.
D. Create a private endpoint in VNet-A so the peering can use private connectivity.
E. Associate a route table with VNet-B to force Azure to accept the peering.
Answers: A, B

This gives VNet-B a range that does not conflict with VNet-A. The peering itself can only be created once VNet-B no longer contains 10.40.0.0/16, so the new range is added first, the subnets and workloads are moved into it, and the overlapping range is removed last.

Why this answer

Option A is correct because adding a new non-overlapping address space to VNet-B is the first step in resolving the overlap that prevents VNet peering. Azure VNet peering requires that the address spaces of the two VNets do not overlap; as long as any range overlaps, the peering request fails. By adding a new range (e.g., 10.41.0.0/16) to VNet-B, the administrator creates somewhere for the subnets and workloads to move to while the existing range stays in place for them during the migration (Option B); only after 10.40.0.0/16 has been removed from VNet-B can the peering be established.

Exam trap

The trap here is that candidates may think gateway transit or route tables can override the address space overlap requirement, but Azure strictly enforces non-overlapping address spaces for VNet peering, and only address space modification resolves the conflict.

6
MCQ · hard

Traffic from VM-App01 is taking an unexpected path to the internet through a network virtual appliance. You need to determine which routes are actually applied to the VM network interface. Which Azure feature should you use?

A. Effective routes for the network interface
B. NSG flow logs
C. Azure Policy compliance
D. The subscription activity log
Answer: A

Effective routes display the route entries that are actively applied to the NIC.

Why this answer

Effective routes for a network interface show the actual routes applied to the VM's NIC after combining all route sources (system routes, BGP, and user-defined routes). This allows you to verify whether traffic is being forced through the NVA or taking an unexpected path, by inspecting the next hop type and IP address for the 0.0.0.0/0 route.

Exam trap

The trap here is that candidates confuse 'effective routes' with 'NSG flow logs' because both involve network troubleshooting, but effective routes solve routing-path issues while flow logs solve firewall/security-rule issues.

How to eliminate wrong answers

Option B is wrong because NSG flow logs record allowed/denied traffic flows and throughput data, not the routing table applied to the NIC. Option C is wrong because Azure Policy compliance checks whether resources meet organizational rules (e.g., requiring a specific tag), not the actual routing configuration. Option D is wrong because the subscription activity log tracks control-plane operations (e.g., creating a VM), not data-plane routing decisions.

7
MCQ · hard

An NSG rule allows TCP 8443 from ASG-Web to ASG-Api on the API subnet. The web VM NIC is already in ASG-Web, but the API VM was only placed in the subnet and not added to ASG-Api. Traffic still fails. What is the best fix?

A. Add the API VM's NIC to ASG-Api so the NSG rule can match the destination NIC.
B. Add ASG-Api to the API subnet because ASGs are inherited from subnet membership.
C. Lower the rule priority number on the web subnet to make source traffic more specific.
D. Create a user-defined route from AppSubnet to API subnet to bypass the NSG.
Answer: A

Application security groups are assigned to NICs, not to subnets. If the destination NIC is not in ASG-Api, the rule that references ASG-Api never matches, even if the VM sits in the right subnet, and evaluation continues down to whatever deny rule follows it. Adding the API NIC to the correct ASG allows the NSG rule to evaluate as intended and is the cleanest fix for the blocked 8443 traffic.

Why this answer

The NSG rule specifies ASG-Api as the destination, but NSGs evaluate ASG-based rules against the NICs that are members of the ASG, not against the subnet. Since the API VM's NIC is not in ASG-Api, the rule cannot match the destination, so evaluation falls through to the deny rule that sits below it. Keep in mind that the built-in AllowVnetInBound rule (priority 65000) allows all traffic from the VirtualNetwork tag, so for the traffic to fail as described there must be a custom deny rule with a lower priority number than 65000; ASG-based segmentation designs add one for exactly this reason. Adding the NIC to ASG-Api allows the NSG rule to identify the destination and permit TCP 8443.

Exam trap

The trap here is that candidates assume subnet membership automatically applies ASG rules, but ASGs require explicit NIC association, and NSG rules with ASG destinations will not match VMs that are only in the subnet.

How to eliminate wrong answers

Option B is wrong because ASGs are not inherited from subnet membership; they are explicit groupings of NICs, and placing an ASG on a subnet does not automatically add VMs to that ASG. Option C is wrong because lowering the rule priority number (making it higher priority) does not fix the destination mismatch—the rule still won't match the API VM's NIC if it's not in ASG-Api. Option D is wrong because user-defined routes (UDRs) control traffic routing, not NSG rule evaluation; they cannot bypass NSG filtering, and the issue is a missing destination match, not a routing problem.

8
MCQ · medium

You deploy a private endpoint for an Azure Storage account. Virtual machines in VNet-App must resolve the storage account name to the private IP address of the endpoint instead of the public endpoint. What should you configure?

A. A network security group on the subnet.
B. A private DNS zone linked to VNet-App.
C. A public DNS zone for the storage account name.
D. A user-defined route table on the subnet.
Answer: B

This enables name resolution of the service to the private endpoint address from resources in the linked VNet.

Why this answer

Option B is correct because a private endpoint requires DNS resolution to map the storage account's fully qualified domain name (FQDN) to its private IP address. Public DNS returns a CNAME from <account>.blob.core.windows.net to <account>.privatelink.blob.core.windows.net; a private DNS zone named privatelink.blob.core.windows.net linked to VNet-App answers that privatelink name with the private endpoint's IP, while clients outside the VNet still receive the public address. When the private endpoint is created with a DNS zone group (the portal's default), Azure writes and maintains the A record in that zone; otherwise the record has to be added by hand.

Exam trap

The trap here is that candidates confuse network-level controls (NSGs, route tables) with DNS resolution, assuming that restricting traffic or routing will force private IP usage, when in fact DNS configuration is the critical missing piece for name resolution.

How to eliminate wrong answers

Option A is wrong because a network security group (NSG) filters traffic at the subnet or NIC level but does not influence DNS resolution or name-to-IP mapping. Option C is wrong because a public DNS zone would publish the storage account's public IP, not the private IP, and is not used for private endpoint resolution within a virtual network. Option D is wrong because a user-defined route (UDR) table controls traffic forwarding paths but cannot change how a hostname is resolved to an IP address; DNS resolution is a separate layer.

9
MCQ · medium

Based on the exhibit, which network feature should you use so only the subnet can reach the storage account while still using the public endpoint?

A. Create a private endpoint and disable the storage account public endpoint.
B. Enable a service endpoint on app-subnet and allow that subnet on the storage firewall.
C. Add a NAT gateway to app-subnet and use the NAT public IP for firewall rules.
D. Peer app-subnet with a new VNet and access the storage account through peering.
Answer: B

A service endpoint is the correct choice when you want the storage account to remain on its public endpoint but only allow traffic from a specific subnet. It extends the subnet identity to the service without requiring static public IP addresses on the VMs.

Why this answer

Option B is correct because enabling a service endpoint on the app-subnet allows traffic from that subnet to reach the storage account over the Azure backbone network while still using the public endpoint. By then adding the subnet to the storage account firewall, you restrict access to only that subnet, ensuring no other internet traffic can reach the storage account. This approach leverages the public endpoint but with subnet-level access control, meeting the requirement.

Exam trap

The trap here is that candidates often confuse service endpoints with private endpoints, thinking that only private endpoints can provide secure access, but service endpoints allow subnet-specific access while keeping the public endpoint enabled.

How to eliminate wrong answers

Option A is wrong because creating a private endpoint and disabling the public endpoint would remove public endpoint access entirely, which contradicts the requirement to 'still use the public endpoint'. Option C is wrong because a NAT gateway only changes the source IP of outbound traffic; the storage firewall would then need an IP rule for that public address rather than a rule for the subnet, which is a weaker control, and IP network rules do not even apply to requests from the same Azure region, which reach the service over private addresses and have to be allowed with virtual network rules. Option D is wrong because peering app-subnet with a new VNet does not inherently provide access to the storage account; you would still need service endpoints or private endpoints, and peering alone does not enforce subnet-only access while using the public endpoint.

10
MCQ · medium

Based on the exhibit, a site-to-site VPN gateway deployment fails. What prerequisite should the administrator provide so the gateway can be created successfully?

A. A public IP address resource that will be associated with the VPN gateway.
B. A NAT gateway on the GatewaySubnet to translate tunnel traffic.
C. A private endpoint in the GatewaySubnet for tunnel termination.
D. A network security group that allows inbound TCP 443 to the subnet.
Answer: A

Azure VPN gateways need a public-facing IP resource so the gateway can accept encrypted tunnels from the on-premises device. The exhibit shows the gateway subnet is already present, but no public IP was attached. Creating and associating the public IP resource satisfies the deployment prerequisite.

Why this answer

A site-to-site VPN gateway in Azure requires a public IP address resource to be associated with it for the tunnel to be established. The VPN gateway uses this public IP as the endpoint for on-premises VPN devices to connect to over the internet. Without a public IP, the gateway cannot be provisioned because it has no routable external address for IPsec/IKE negotiation. The public IP is created as its own resource before the gateway and referenced in the gateway's IP configuration; for the zone-redundant gateway SKUs it must be a static, Standard SKU address.

Exam trap

The trap here is that candidates often confuse the prerequisite for a VPN gateway with that of an Azure Firewall or NAT gateway, mistakenly thinking a NAT gateway or NSG is required, when in fact only a public IP is mandatory for the VPN gateway to function.

How to eliminate wrong answers

Option B is wrong because a NAT gateway provides outbound internet connectivity from a virtual network, not translation of tunnel traffic in a site-to-site VPN; the VPN gateway handles its own IPsec encapsulation. Option C is wrong because a private endpoint gives a PaaS service a private IP in the VNet and has nothing to do with terminating VPN tunnels; tunnels terminate on the gateway's public IP. Option D is wrong because a network security group (NSG) on the GatewaySubnet is not required for VPN gateway creation; associating an NSG with the GatewaySubnet is in fact unsupported and can cause the gateway to stop functioning.

11
MCQ · hard

A VM in AppSubnet must reach a database VM in DbSubnet on TCP 1433. AppSubnet's NSG has an outbound deny rule for TCP 1433 to Any at priority 200. DbSubnet's NSG has an inbound allow rule for TCP 1433 from ASG-App to ASG-Db at priority 300. Both NICs are in the correct application security groups. Connectivity tests fail. What should the administrator change?

A. Remove the inbound allow rule from DbSubnet so the default rules can take over.
B. Move the inbound allow rule on DbSubnet to priority 100 so it is evaluated sooner.
C. Create an outbound allow rule on AppSubnet with a lower priority number than 200 for TCP 1433 to ASG-Db.
D. Assign the database VM NIC to ASG-App so the destination rule matches a broader group.
Answer: C

NSG evaluation is priority-based and stateful, but statefulness only helps return traffic; the initial SYN still has to pass the outbound rules on the source side, where the deny at priority 200 catches it before the destination NSG is ever consulted. An outbound allow with a lower priority number than 200 on AppSubnet must match first. Because the destination rule already allows the traffic, adding that source-side allow resolves the failure without changing the subnets or the ASG design.

Why this answer

Option C is correct because the AppSubnet's NSG has an outbound deny rule for TCP 1433 to Any at priority 200, which blocks all outbound traffic on that port regardless of destination. To allow the VM in AppSubnet to reach the database VM in DbSubnet, an outbound allow rule must be created with a lower priority number (e.g., 100) so it is evaluated before the deny rule. This rule should specify the destination as ASG-Db (the application security group of the database VM) to precisely permit the required traffic.

Exam trap

The trap here is that candidates often focus on the inbound rule on the destination subnet, overlooking the outbound deny rule on the source subnet that blocks traffic before it can even reach the destination NSG.

How to eliminate wrong answers

Option A is wrong because the problem is on the source side: the outbound deny on AppSubnet stops the connection before DbSubnet's NSG is evaluated, so removing the inbound allow changes nothing for the failing flow (and the default inbound rules on DbSubnet would permit it anyway, since AllowVnetInBound at priority 65000 covers intra-VNet traffic unless a custom deny rule exists). Option B is wrong because moving the inbound allow rule on DbSubnet to a lower priority number does not address the outbound deny on AppSubnet; the traffic is blocked before it reaches DbSubnet's NSG. Option D is wrong because assigning the database VM NIC to ASG-App would not satisfy the destination rule (which expects ASG-Db), would not lift the outbound block, and would blur the tier boundaries the ASGs exist to express.
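The following Python, added here as an example rather than taken from the question bank, models NSG evaluation for the three ASG and priority questions above (1, 7 and 11): rules are tried lowest priority number first, a rule that names an ASG matches only NICs that are members of it, the six built-in rules sit behind all custom rules, and a connection must pass the source side's outbound rules before the destination side's inbound rules are consulted. The VNet range, NIC addresses and rule names are constructed; ASG-App, ASG-Db, ASG-Web and ASG-Api are the names the questions use. On a real NIC, `az network nic list-effective-nsg` shows the merged rule set this model approximates.

```python
"""Offline model of Azure NSG rule evaluation (added example, not Azure's own code)."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Tuple

ANY = "*"
VNET = [ipaddress.ip_network("10.0.0.0/16")]   # constructed lab VNet containing every subnet below


@dataclass(frozen=True)
class Nic:
    name: str
    ip: str
    asgs: frozenset = frozenset()   # ASG membership is per NIC, never per subnet


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # custom rules use 100-4096; lower numbers are evaluated first
    direction: str     # "Inbound" or "Outbound"
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp" or "*"
    dest_port: str     # "1433", "8000-8100" or "*"
    source: str        # "ASG:<name>", "VirtualNetwork", "Internet", "AzureLoadBalancer", "*" or a CIDR
    destination: str


# The built-in rules Azure appends to every NSG; they only fire if no custom rule matched.
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", ANY, ANY, "VirtualNetwork", "VirtualNetwork"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", ANY, ANY, "AzureLoadBalancer", ANY),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", ANY, ANY, ANY, ANY),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", ANY, ANY, "VirtualNetwork", "VirtualNetwork"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", ANY, ANY, ANY, "Internet"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", ANY, ANY, ANY, ANY),
]


def _endpoint_matches(spec: str, nic: Nic) -> bool:
    """Does a rule's source or destination field cover this NIC?"""
    addr = ipaddress.ip_address(nic.ip)
    if spec == ANY:
        return True
    if spec.startswith("ASG:"):
        return spec[4:] in nic.asgs            # an ASG with no members matches nothing
    if spec == "VirtualNetwork":
        return any(addr in net for net in VNET)
    if spec == "Internet":
        return not any(addr in net for net in VNET)
    if spec == "AzureLoadBalancer":
        return nic.ip == "168.63.129.16"
    return addr in ipaddress.ip_network(spec)


def _port_matches(spec: str, port: int) -> bool:
    if spec == ANY:
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)


def evaluate(rules: Iterable[Rule], direction: str, src: Nic, dst: Nic, protocol: str, port: int) -> Tuple[str, str]:
    """First matching rule in priority order decides; returns (access, rule name)."""
    candidates = [r for r in [*rules, *DEFAULT_RULES] if r.direction == direction]
    for rule in sorted(candidates, key=lambda r: r.priority):
        if (rule.protocol in (ANY, protocol) and _port_matches(rule.dest_port, port)
                and _endpoint_matches(rule.source, src) and _endpoint_matches(rule.destination, dst)):
            return rule.access, rule.name
    raise AssertionError("unreachable: a DenyAll default rule always matches")


def connection_allowed(src_nsg, dst_nsg, src: Nic, dst: Nic, protocol: str, port: int) -> Tuple[bool, str]:
    """Outbound rules at the source run first; inbound rules at the destination only see what got out."""
    access, name = evaluate(src_nsg, "Outbound", src, dst, protocol, port)
    if access == "Deny":
        return False, f"outbound {name}"
    access, name = evaluate(dst_nsg, "Inbound", src, dst, protocol, port)
    return access == "Allow", f"inbound {name}"


def question_11(fixed: bool) -> Tuple[bool, str]:
    """AppSubnet denies outbound 1433 at 200; DbSubnet allows inbound 1433 from ASG-App to ASG-Db at 300."""
    app = Nic("app-nic", "10.0.1.4", frozenset({"ASG-App"}))
    db = Nic("db-nic", "10.0.2.4", frozenset({"ASG-Db"}))
    app_out = [Rule("Deny1433Any", 200, "Outbound", "Deny", "Tcp", "1433", ANY, ANY)]
    if fixed:   # option C: an allow with a lower priority number than the deny
        app_out.append(Rule("Allow1433ToDb", 100, "Outbound", "Allow", "Tcp", "1433", ANY, "ASG:ASG-Db"))
    db_in = [Rule("Allow1433FromApp", 300, "Inbound", "Allow", "Tcp", "1433", "ASG:ASG-App", "ASG:ASG-Db")]
    return connection_allowed(app_out, db_in, app, db, "Tcp", 1433)


def question_7(api_in_asg: bool, custom_deny: bool = True) -> Tuple[bool, str]:
    """API subnet allows 8443 from ASG-Web to ASG-Api; the API NIC may or may not be in ASG-Api."""
    web = Nic("web-nic", "10.0.1.4", frozenset({"ASG-Web"}))
    api = Nic("api-nic", "10.0.2.4", frozenset({"ASG-Api"}) if api_in_asg else frozenset())
    api_in = [Rule("Allow8443WebToApi", 100, "Inbound", "Allow", "Tcp", "8443", "ASG:ASG-Web", "ASG:ASG-Api")]
    if custom_deny:   # the custom deny that ASG-based designs add below their allows
        api_in.append(Rule("DenyAllCustom", 4000, "Inbound", "Deny", ANY, ANY, ANY, ANY))
    return connection_allowed([], api_in, web, api, "Tcp", 8443)
```

Running `question_7(api_in_asg=False, custom_deny=False)` is the instructive case: with the API NIC outside ASG-Api and no custom deny, the connection is still allowed by the built-in AllowVnetInBound rule, which is why ASG-only designs need an explicit deny beneath their allows before a missing membership ever shows up as a blocked flow.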

12
MCQ · hard

Traffic from VM-App01 is unexpectedly reaching the internet through a virtual appliance. You need to see which routes are currently applied to the VM network interface. Which Azure tool should you use?

A. Effective routes for the network interface
B. NSG flow logs
C. Azure Policy compliance
D. Activity log
Answer: A

Effective routes display the routing entries currently applied to the NIC.

Why this answer

Effective routes for the network interface shows the actual, evaluated routes applied to a specific VM NIC, including system routes, BGP-advertised routes, and user-defined routes (UDRs). The view reflects the selection Azure performs: longest prefix match first, and for identical prefixes a user-defined route is preferred over a BGP route, which is preferred over a system route. Looking at the 0.0.0.0/0 entry confirms whether traffic is being forced through a virtual appliance (a UDR with next hop type VirtualAppliance) and directly answers why VM-App01's traffic is reaching the internet unexpectedly.

Exam trap

The trap here is that candidates confuse NSG flow logs (which show traffic flows) with effective routes (which show routing decisions), leading them to pick NSG flow logs when the question asks about the path traffic takes, not whether it is allowed or denied.

How to eliminate wrong answers

Option B is wrong because NSG flow logs record allowed/denied traffic flows (source/destination IP, port, protocol) but do not show routing decisions or the next hop path. Option C is wrong because Azure Policy compliance checks whether resources meet defined policies (e.g., tagging, allowed SKUs) and has no visibility into network routing tables or effective routes. Option D is wrong because the Activity log tracks control-plane operations (e.g., creating a VM, modifying a route table) but does not show the data-plane routing state currently applied to a NIC.
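As an added example (not part of the original question bank), the following Python models how Azure picks a NIC's effective route, which is what the effective-routes view in questions 6 and 12 displays and what the UDR in question 4 relies on: system routes, BGP routes and user-defined routes are merged, the longest prefix wins, and for identical prefixes a user-defined route beats a BGP route, which beats a system route. The VNet prefix, the NVA address 10.1.4.4 and the BGP route are constructed values taken from question 4's scenario; the real check on a running VM is `az network nic show-effective-route-table` on the NIC.

```python
"""Offline model of Azure effective-route selection for one NIC (added example, not Azure's own code)."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional

# Azure's tie-break when several routes carry exactly the same prefix.
ORIGIN_RANK = {"User": 0, "BGP": 1, "System": 2}


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop_type: str                  # Internet, VirtualNetwork, VirtualAppliance, VirtualNetworkGateway, None
    origin: str                         # System, User (UDR) or BGP
    next_hop_ip: Optional[str] = None   # only meaningful for VirtualAppliance


def system_routes(vnet_prefixes: Iterable[str]) -> list:
    """The default routes every subnet gets: its VNet ranges plus a default route to the Internet."""
    return [Route(p, "VirtualNetwork", "System") for p in vnet_prefixes] + [
        Route("0.0.0.0/0", "Internet", "System")
    ]


def effective_routes(system: Iterable[Route], udr: Iterable[Route] = (), bgp: Iterable[Route] = ()) -> list:
    """Merge the three sources; for duplicate prefixes keep the preferred origin.

    The result is sorted longest prefix first, the order in which lookups are tried.
    """
    best = {}
    for route in [*system, *bgp, *udr]:
        key = ipaddress.ip_network(route.prefix)
        if key not in best or ORIGIN_RANK[route.origin] < ORIGIN_RANK[best[key].origin]:
            best[key] = route
    return sorted(best.values(), key=lambda r: ipaddress.ip_network(r.prefix).prefixlen, reverse=True)


def next_hop(routes: Iterable[Route], destination: str) -> Optional[Route]:
    """Longest-prefix match against an already sorted effective route table."""
    addr = ipaddress.ip_address(destination)
    for route in routes:
        if addr in ipaddress.ip_network(route.prefix):
            return route
    return None


# Constructed lab: workload subnet inside 10.1.0.0/16, NVA at 10.1.4.4 (question 4's values).
LAB_SYSTEM = system_routes(["10.1.0.0/16"])
FORCE_TUNNEL = Route("0.0.0.0/0", "VirtualAppliance", "User", "10.1.4.4")   # question 4, option B


def path_for(destination: str, udr: Iterable[Route] = (), bgp: Iterable[Route] = ()) -> tuple:
    """Return (next_hop_type, next_hop_ip, origin) the way the effective-routes view reports it."""
    route = next_hop(effective_routes(LAB_SYSTEM, udr=udr, bgp=bgp), destination)
    return (route.next_hop_type, route.next_hop_ip, route.origin)


if __name__ == "__main__":
    print("internet via NVA :", path_for("8.8.8.8", udr=[FORCE_TUNNEL]))
    print("intra-VNet       :", path_for("10.1.2.5", udr=[FORCE_TUNNEL]))
    print("option A (/32)   :", path_for("8.8.8.8", udr=[Route("10.1.4.4/32", "Internet", "User")]))
    print("option D (None)  :", path_for("10.1.4.4", udr=[Route("10.1.4.0/24", "None", "User")]))
```

The model shows why question 4's distractors fail: a /32 to the NVA with next hop Internet never touches internet-bound traffic (the system 0.0.0.0/0 still wins for 8.8.8.8), and a /24 with next hop None blackholes the NVA's own subnet. It deliberately has a single route table; the NVA's own subnet needs a separate one in practice, or the appliance's outbound traffic would match the same forced default route and loop back to itself.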

13
MCQ · medium

A storage account must be reachable only from one Azure virtual network. The team wants the storage service to have a private IP in that VNet, public network access disabled, and name resolution to work without using the public endpoint. What should the administrator configure?

A. A service endpoint on the subnet and a storage firewall rule
B. A private endpoint and a private DNS zone linked to the VNet
C. A public IP address and IP-based firewall exceptions
D. A shared access signature and blob container ACLs
Answer: B

A private endpoint places a private IP address for the storage service in the VNet, and the private DNS zone ensures the service name resolves to that private IP. Together, they provide private access while allowing public network access to be disabled.

Why this answer

A private endpoint assigns the storage account a private IP from the VNet's address space, making it reachable only within that VNet. Disabling public network access ensures no traffic can reach the storage account via its public endpoint. A private DNS zone linked to the VNet enables name resolution to resolve the storage account's FQDN to the private IP without using the public endpoint.

Exam trap

The trap here is that candidates confuse service endpoints with private endpoints, assuming a service endpoint provides a private IP and disables public access, when in fact it only routes traffic over the Microsoft backbone while still using the public endpoint.

How to eliminate wrong answers

Option A is wrong because a service endpoint does not assign a private IP to the storage account; it only extends the VNet identity to the service, and the storage account still uses its public endpoint, which contradicts the requirement for a private IP and disabled public network access. Option C is wrong because a public IP address and IP-based firewall exceptions still rely on the public endpoint, which must be disabled per the requirement, and this does not provide a private IP within the VNet. Option D is wrong because a shared access signature and blob container ACLs control access at the data level, not network-level connectivity, and do not provide a private IP or disable public network access.
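The private-endpoint questions above (2, 3, 8 and 13) all turn on one check a practitioner runs from inside the VNet: does the storage FQDN resolve to an address in the VNet's range? The Python below, added here as an example and not taken from the question bank or from Azure, does that check with an injectable resolver and pairs it with a small model of Azure-provided DNS, so the three outcomes can be reproduced offline: zone linked and record present (private IP), no zone linked (the public CNAME chain wins), and zone linked but record missing (NXDOMAIN, because a linked private zone is authoritative for its namespace and does not fall back to public DNS). The account name `contosodata`, the private endpoint address 10.10.1.5, the VNet range and the public records are constructed. Run against a service-endpoint-only setup such as questions 9 and 14 describe, the check reports the public address, which is the expected result there, not a fault.

```python
"""Check that a storage FQDN resolves to the private endpoint from inside the VNet (added example)."""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, Tuple


def privatelink_zone(fqdn: str) -> Tuple[str, str]:
    """Split 'acct.blob.core.windows.net' into the private DNS zone Azure expects and the record in it."""
    account, _, service_suffix = fqdn.partition(".")
    return f"privatelink.{service_suffix}", account


def check_private_resolution(fqdn: str, vnet_prefixes: Iterable[str],
                             resolve: Callable[[str], str] = socket.gethostbyname) -> Tuple[bool, str]:
    """Resolve the name and verify the answer lies inside the VNet's address space.

    `resolve` is injectable so the check can run against a recorded or modelled answer; the default
    uses the OS resolver, which on a VM in the VNet means Azure-provided DNS (168.63.129.16).
    """
    nets = [ipaddress.ip_network(p) for p in vnet_prefixes]
    try:
        ip = ipaddress.ip_address(resolve(fqdn))
    except (socket.gaierror, ValueError) as exc:
        return False, f"{fqdn}: resolution failed ({exc})"
    if any(ip in net for net in nets):
        return True, f"{fqdn} -> {ip}: inside the VNet, private endpoint in use"
    zone, record = privatelink_zone(fqdn)
    return False, (f"{fqdn} -> {ip}: public endpoint; expected an A record '{record}' "
                   f"in zone '{zone}' linked to this VNet")


def azure_vnet_resolver(linked_zones: Dict[str, Dict[str, str]], public_dns: Dict[str, Tuple[str, str]]):
    """Model (not Azure's implementation) of Azure-provided DNS as seen from one VNet.

    A linked private zone is authoritative for its namespace: a name under it either answers from
    the zone or fails with NXDOMAIN. Every other name goes to public DNS, where CNAMEs are followed.
    """
    def resolve(name: str) -> str:
        for _ in range(8):                                   # bounded CNAME chase
            for zone, records in linked_zones.items():
                if name.endswith("." + zone):
                    record = name[: -len(zone) - 1]
                    if record in records:
                        return records[record]
                    raise socket.gaierror(f"NXDOMAIN: '{record}' not in linked zone {zone}")
            if name not in public_dns:
                raise socket.gaierror(f"NXDOMAIN: {name}")
            rtype, value = public_dns[name]
            if rtype == "A":
                return value
            name = value                                     # CNAME: keep following
        raise socket.gaierror("CNAME chain too long")
    return resolve


# Constructed sample data: what public DNS returns once a private endpoint exists for the account.
PUBLIC_DNS = {
    "contosodata.blob.core.windows.net": ("CNAME", "contosodata.privatelink.blob.core.windows.net"),
    "contosodata.privatelink.blob.core.windows.net": ("A", "203.0.113.10"),   # documentation address
}
VNET_PREFIXES = ["10.10.0.0/16"]
PRIVATE_ENDPOINT_IP = "10.10.1.5"


def scenario(zone_linked: bool, record_present: bool = True) -> Tuple[bool, str]:
    """Private endpoint deployed; vary whether the VNet has the linked zone and the A record in it."""
    zones = {}
    if zone_linked:
        zones["privatelink.blob.core.windows.net"] = {"contosodata": PRIVATE_ENDPOINT_IP} if record_present else {}
    resolve = azure_vnet_resolver(zones, PUBLIC_DNS)
    return check_private_resolution("contosodata.blob.core.windows.net", VNET_PREFIXES, resolve)


if __name__ == "__main__":
    for args in ((True,), (False,), (True, False)):
        print(scenario(*args))
```

On a real VM, call `check_private_resolution("<account>.blob.core.windows.net", ["<vnet cidr>"])` with the default resolver; the third outcome in the model (zone linked, record missing) is what you see when the private endpoint was created without a DNS zone group and nobody added the A record by hand.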

14
MCQ · hard

A storage account must be reachable only from workloads in one Azure subnet. The team wants to keep using the storage account's public FQDN, avoid creating a private IP address in the virtual network, and avoid managing private DNS zones. What should the administrator configure?

A. A private endpoint for the storage account
B. A service endpoint on the subnet and a storage firewall rule for that subnet
C. An NSG rule that allows TCP 443 to the storage account
D. An application security group tied to the storage account
Answer: B

A service endpoint keeps the public endpoint in place while extending the subnet's identity to the storage service. Combined with a storage firewall rule that allows only that subnet, it restricts access without assigning a private IP or requiring private DNS management. This exactly matches the stated design goals.

Why this answer

A service endpoint on the subnet and a storage firewall rule for that subnet is correct because it allows the storage account to be reachable only from workloads in one Azure subnet while still using the storage account's public FQDN. Service endpoints extend the virtual network identity to the storage account over the Microsoft backbone, and the firewall rule restricts access to that specific subnet. This avoids creating a private IP address in the virtual network and eliminates the need to manage private DNS zones, as the public endpoint is retained.

Exam trap

The trap here is that candidates often confuse service endpoints with private endpoints, assuming that only private endpoints can restrict access to a single subnet, but service endpoints combined with a storage firewall rule achieve the same goal without private IPs or DNS management.

How to eliminate wrong answers

Option A is wrong because a private endpoint assigns a private IP address to the storage account within the virtual network, which contradicts the requirement to avoid creating a private IP address and managing private DNS zones. Option C is wrong because an NSG rule allowing TCP 443 to the storage account only controls traffic at the subnet level but does not restrict access to the storage account's firewall; the storage account would still be reachable from any public IP unless a firewall rule is configured. Option D is wrong because an application security group is used to group virtual machines for network security policy application, not to restrict access to a storage account; it cannot be tied to a storage account or enforce subnet-specific access.

15
MCQ · medium

A company is building a hub-and-spoke Azure network. The hub VNet already uses 10.50.0.0/16. A new spoke VNet will later be peered to the hub and connected to on-premises through VPN. What is the most important planning step before creating the peering?

A. Reuse 10.50.0.0/16 in the spoke so routing to the hub is simpler.
B. Choose a non-overlapping address space for the spoke and reserve room for future subnets.
C. Create a route table first so peering can learn the spoke routes.
D. Enable a service endpoint to allow the spoke to communicate with the hub.
Answer: B

A spoke VNet must not overlap with the hub or any other connected network. Reserving space for future subnets is also good planning because it reduces redesign later when the environment grows.

Why this answer

Option B is correct because Azure VNet peering requires non-overlapping address spaces to establish connectivity. If the spoke reused the hub's address space (10.50.0.0/16), Azure would reject the peering request, since the two VNets' ranges must not overlap. The same rule applies to the on-premises ranges the VPN will advertise: a spoke that overlaps them cannot be reached from on-premises, so the address plan has to account for every network the spoke will be connected to. Additionally, reserving room for future subnets ensures the spoke can scale without needing to re-architect the network.

Exam trap

The trap here is that candidates often think reusing the same address space simplifies routing (Option A), but Azure explicitly forbids overlapping address spaces for VNet peering, making non-overlapping address planning the critical first step.

How to eliminate wrong answers

Option A is wrong because reusing 10.50.0.0/16 in the spoke would create overlapping address spaces with the hub, and Azure rejects a peering between overlapping VNets. Option C is wrong because route tables are not required for peering: VNet peering automatically installs routes for the peered VNet's address space on both sides, and 'Allow gateway transit' / 'Use remote gateways' only extend that to routes learned through the hub's gateway; a route table is not a prerequisite. Option D is wrong because service endpoints are used to secure Azure service access to a VNet, not to enable communication between peered VNets; peering itself handles inter-VNet connectivity.

16
MCQ · medium

A company has a hub virtual network that contains a custom DNS server at 10.20.0.4. A new spoke virtual network is peered to the hub. VMs in the spoke can reach other resources in Azure, but they cannot resolve internal names such as app01.corp.local. What should the administrator configure to fix name resolution for the spoke VMs?

A. Add a user-defined route that sends DNS traffic to the hub virtual network.
B. Set the spoke virtual network's custom DNS server to 10.20.0.4.
C. Create an NSG rule that allows UDP port 53 from the spoke subnet to the hub subnet.
D. Enable gateway transit on the hub peering so name resolution flows through the VPN gateway.
Answer: B

This directs VMs in the spoke to query the hub DNS server for internal names. In a hub-and-spoke design, peering alone does not make Azure use a custom DNS server automatically. Configuring the spoke VNet to use 10.20.0.4 ensures clients send DNS queries to the server that already hosts the corporate zone records.

Why this answer

Option B is correct because the spoke virtual network must be configured to use the hub's custom DNS server (10.20.0.4) as its own DNS server. Azure virtual networks do not automatically inherit DNS settings from a peered hub; each virtual network must explicitly specify its DNS server. By setting the spoke's custom DNS server to 10.20.0.4, VMs in the spoke will send DNS queries to that server, enabling resolution of internal names like app01.corp.local.

Exam trap

The trap here is that candidates often confuse DNS resolution with network connectivity (NSG rules or UDRs) or assume that VNet peering automatically propagates DNS settings, when in fact each VNet must be explicitly configured with its own DNS server.

How to eliminate wrong answers

Option A is wrong because a user-defined route changes the next hop for a destination prefix; it cannot change the address the client sends its DNS queries to. With no custom DNS setting, the spoke VMs still query the Azure-provided resolver (168.63.129.16), which has no records for corp.local, so there is no DNS traffic to the hub for a UDR to steer. Option C is wrong because NSG rules control inbound/outbound traffic at the network layer, but the spoke VMs can already reach hub resources over the peering; the issue is that they are not configured to use the hub DNS server, not that UDP 53 is blocked (check an NSG only after the DNS setting is in place and queries still time out). Option D is wrong because gateway transit lets a spoke use the hub's VPN gateway to reach on-premises networks; it has no effect on which DNS server the VMs query.

17
MCQmedium

An on-premises application connects to Azure through an existing site-to-site VPN. The application must access an Azure Storage account, public network access on the storage account is disabled, and the company does not want the storage account exposed through a public endpoint. Which solution should the administrator implement?

A.Create a private endpoint for the storage account in a VNet reachable over the VPN and configure private DNS.
B.Enable a service endpoint on the on-premises network and allow the storage account firewall to trust it.
C.Generate a shared access signature and use it from the on-premises application.
D.Associate a NAT gateway with the on-premises VPN connection.
AnswerA

A private endpoint gives the storage account a private IP in a VNet, and that private address can be reached from on-premises over the existing VPN. Because public network access is disabled, this is the correct design for private-only access. Private DNS ensures the application resolves the storage name to the private IP rather than the public endpoint.

Why this answer

A private endpoint assigns the storage account a private IP from a VNet that is reachable over the site-to-site VPN, so the on-premises application reaches the account over a private address with no public endpoint involved. Private DNS ensures that the storage account's FQDN resolves to that private IP. Note that on-premises clients cannot query the Azure-provided resolver at 168.63.129.16 directly, so the on-premises DNS servers must conditionally forward the privatelink zone to a resolver inside the VNet (Azure DNS Private Resolver or a DNS forwarder VM) that can consult the private DNS zone; otherwise the application resolves the public address and, with public network access disabled, is refused.

Exam trap

The trap here is that candidates confuse service endpoints with private endpoints, assuming that enabling a service endpoint on the VNet and trusting it in the firewall will allow on-premises traffic, but service endpoints do not provide private IP connectivity and still require the public endpoint to be enabled.

How to eliminate wrong answers

Option B is wrong because service endpoints are a subnet-level setting inside a VNet and cannot be enabled on an on-premises network; even inside Azure they keep the public endpoint in use and only let the storage firewall trust traffic sourced from the tagged subnet, so traffic arriving over the VPN would still be denied and the public endpoint would still have to stay enabled. Option C is wrong because a shared access signature (SAS) is an authorization token, not a network path; it is presented to whatever endpoint the client reaches, and with public network access disabled there is no reachable endpoint without a private endpoint. Option D is wrong because a NAT gateway provides outbound internet connectivity for resources in a subnet; it does not attach to a VPN connection and does not change how the storage account is reached.

18
MCQmedium

You create a private endpoint for an Azure Storage account. Virtual machines in VNet-Prod must resolve the storage account name to the private IP address of that endpoint. Which Azure feature should you configure?

A.A private DNS zone linked to VNet-Prod
B.A user-defined route
C.An Azure Firewall policy
D.A Recovery Services vault
AnswerA

A private DNS zone provides the required name resolution for the private endpoint.

Why this answer

A private endpoint uses a private IP address from the VNet, but the public DNS record for <account>.blob.core.windows.net is a CNAME to <account>.privatelink.blob.core.windows.net, which public DNS resolves to the public IP. A private DNS zone named privatelink.blob.core.windows.net linked to VNet-Prod answers that privatelink name with the endpoint's private IP instead, so VMs connect to the private endpoint. The A record is created automatically when the private endpoint has a DNS zone group for that zone (the portal does this by default); otherwise it must be added by hand. If VNet-Prod uses a custom DNS server rather than the Azure-provided resolver, that server must forward the privatelink zone to 168.63.129.16, because only the Azure-provided resolver consults linked private DNS zones.

Exam trap

The trap here is that candidates confuse network-level traffic control (UDRs or firewalls) with DNS resolution, assuming that routing or filtering traffic is sufficient to force private connectivity, when in fact DNS must be explicitly configured to resolve to the private IP.

How to eliminate wrong answers

Option B is wrong because a user-defined route (UDR) controls network traffic flow (next hop) and does not affect DNS resolution or name-to-IP mapping. Option C is wrong because an Azure Firewall policy defines filtering and threat protection rules for network traffic, not DNS record management or private endpoint resolution. Option D is wrong because a Recovery Services vault is used for backup and disaster recovery (Azure Backup, Site Recovery) and has no role in DNS configuration or private endpoint connectivity.
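
The resolution chain described in questions 17 and 18, as an added illustration that is not part of the original page and not Azure's resolver: a toy resolver that treats a linked private DNS zone as authoritative for its suffix and falls back to public DNS otherwise. The account name contosodata, the addresses, the VNet range and the record data are all constructed for the example. It also shows the common gotcha that a linked zone answers for every account's privatelink name, so an account with no A record stops resolving entirely.

```python
"""Private endpoint DNS chain, modelled (added illustration, not Azure's resolver).

Real mechanism: the public record for <account>.blob.core.windows.net is a CNAME to
<account>.privatelink.blob.core.windows.net. Public DNS answers that name with the
public IP; a private DNS zone named privatelink.blob.core.windows.net linked to the
VNet answers it with the endpoint's private IP instead. Names, addresses and records
below are constructed for the example.
"""
from ipaddress import ip_address, ip_network

ACCOUNT = "contosodata"                   # hypothetical storage account
VNET_PROD = ip_network("10.10.0.0/16")    # hypothetical VNet-Prod address space
ENDPOINT_IP = "10.10.2.5"                 # hypothetical private endpoint IP

# Constructed public DNS data: name -> (record type, value)
PUBLIC_DNS = {
    f"{ACCOUNT}.blob.core.windows.net": ("CNAME", f"{ACCOUNT}.privatelink.blob.core.windows.net"),
    f"{ACCOUNT}.privatelink.blob.core.windows.net": ("A", "20.60.0.15"),
    "otherstore.blob.core.windows.net": ("CNAME", "otherstore.privatelink.blob.core.windows.net"),
    "otherstore.privatelink.blob.core.windows.net": ("A", "20.60.0.88"),
}

# Constructed private zone, as it looks after the endpoint's DNS zone group added the A record
PRIVATE_ZONE = {"privatelink.blob.core.windows.net": {ACCOUNT: ENDPOINT_IP}}


def resolve(name, linked_zones, max_hops=8):
    """Mimic the Azure-provided resolver: a linked private zone is authoritative for
    every name under its suffix, so a missing record is NXDOMAIN with no fallback to
    public DNS; any other name goes to public DNS and CNAMEs are chased."""
    for _ in range(max_hops):
        for zone, records in linked_zones.items():
            if name.endswith("." + zone):
                return records.get(name[: -len(zone) - 1])   # None == NXDOMAIN
        rtype, value = PUBLIC_DNS.get(name, (None, None))
        if rtype == "A":
            return value
        if rtype != "CNAME":
            return None
        name = value                                         # follow the CNAME
    raise RuntimeError("CNAME chain too long")


def resolves_privately(name, linked_zones):
    """True when the name lands on an address inside VNet-Prod, i.e. on the private endpoint."""
    ip = resolve(name, linked_zones)
    return ip is not None and ip_address(ip) in VNET_PROD


def with_zone_linked():
    return resolve(f"{ACCOUNT}.blob.core.windows.net", PRIVATE_ZONE)     # private IP


def without_zone_linked():
    return resolve(f"{ACCOUNT}.blob.core.windows.net", {})               # public IP


def other_account_with_zone_linked():
    # Gotcha: the linked zone is authoritative for all *.privatelink.blob.core.windows.net,
    # so an account without an A record in it no longer resolves at all.
    return resolve("otherstore.blob.core.windows.net", PRIVATE_ZONE)


if __name__ == "__main__":
    print("zone linked   :", with_zone_linked())
    print("zone not linked:", without_zone_linked())
    print("other account :", other_account_with_zone_linked())
```

When checking this on a real VM, compare the answer for the account's FQDN against the private endpoint's IP; a public address means the zone is not linked to the VM's VNet, or a custom DNS server is in use that does not forward to 168.63.129.16.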

19
MCQmedium

Based on the exhibit, a help desk engineer cannot RDP from an approved admin subnet to a VM in Azure. What change should the administrator make so the connection is allowed?

A.Change the deny rule to use UDP instead of TCP.
B.Move Allow-RDP-Admin to a priority lower than 100.
C.Add the VM NIC to an application security group and leave the rules unchanged.
D.Delete the default AllowVNetInBound rule.
AnswerB

NSG rules are processed in priority order, and the lowest number wins. Because the deny rule at priority 100 matches first, the allow rule at 200 never takes effect. Moving the allow rule to a smaller number than 100 lets the approved subnet match the permit rule before the deny rule is evaluated.

Why this answer

The exhibit shows a deny rule at priority 100 that blocks inbound traffic from the approved admin subnet, and an allow rule for RDP at a higher priority number (for example 200). Azure evaluates NSG rules from the lowest priority number upward and stops at the first match, so the deny rule at 100 matches the RDP packet first and the allow rule at 200 is never reached. Moving Allow-RDP-Admin to a number below 100 (for example 90) makes it the first match for TCP 3389 from the admin subnet, while the deny rule at 100 still applies to everything else from that subnet.

Exam trap

The trap here is that candidates assume allow rules always override deny rules, but in Azure NSGs, the rule with the lowest priority number (highest precedence) wins, regardless of whether it is an allow or deny rule.

How to eliminate wrong answers

Option A is wrong because changing the deny rule from TCP to UDP would not resolve the issue; RDP uses TCP (port 3389), and the deny rule would still block TCP traffic, while UDP is irrelevant for RDP. Option C is wrong because adding the VM NIC to an application security group (ASG) does not override the explicit deny rule at priority 100; the deny rule still applies to the subnet and will block traffic regardless of ASG membership. Option D is wrong because deleting the default AllowVNetInBound rule is unnecessary and would break other intra-VNet traffic; the issue is the explicit deny rule, not the default allow rule.

20
MCQmedium

An administrator plans to peer VNet-A with VNet-B so two application tiers can communicate over private IPs. VNet-A uses 10.20.0.0/16. VNet-B currently uses 10.20.1.0/24, and both VNets already contain subnets that must remain intact. The peering operation fails. What should the administrator do first?

A.Add a route table to VNet-B so traffic can bypass the overlap.
B.Change VNet-B to a non-overlapping address space before creating the peering.
C.Create a network security group rule to allow all traffic between the VNets.
D.Enable gateway transit on VNet-A so the address conflict is ignored.
AnswerB

Azure VNet peering requires that the peered VNets use non-overlapping IP address ranges. Because VNet-B's 10.20.1.0/24 sits inside VNet-A's 10.20.0.0/16, the peering cannot be created until one side is renumbered. The safest first step is to plan and apply a new, unique CIDR block for VNet-B that does not conflict with any existing VNet or on-premises range. Because Azure does not let you remove an address range that still contains subnets, in practice this means adding the new range to VNet-B, creating replacement subnets in it, moving the workloads, and only then retiring 10.20.1.0/24. Once the address spaces are non-overlapping, the peering can be created and private connectivity works as intended.

Why this answer

VNet peering in Azure requires that the address spaces of the peered VNets do not overlap. VNet-A uses 10.20.0.0/16 and VNet-B uses 10.20.1.0/24, which is a subset of VNet-A's range, creating a direct overlap. The peering operation fails because Azure cannot route traffic correctly when address spaces conflict.

The first step must be to change VNet-B's address space to a non-overlapping range (e.g., 10.21.0.0/16) before attempting to create the peering.

Exam trap

The trap here is that candidates often think they can use route tables or NSG rules to work around the overlap, but Azure enforces non-overlapping address spaces at the peering creation stage, making any post-creation workaround impossible.

How to eliminate wrong answers

Option A is wrong because adding a route table does not resolve the fundamental address space overlap; Azure blocks peering creation when address spaces overlap, and route tables cannot bypass this validation. Option C is wrong because network security group rules control traffic filtering, not address space conflicts; the peering creation itself fails before any traffic can flow. Option D is wrong because gateway transit is used to route traffic through a hub VNet's VPN gateway, not to ignore address conflicts; overlapping address spaces are not allowed regardless of gateway settings.

21
Multi-Selecthard

A VM in subnet S1 has two network security groups applied: one at the subnet and one directly on the NIC. The subnet NSG contains DenyAllInbound at priority 100 and AllowHTTPSFromOffice at priority 200. The NIC NSG contains AllowHTTPSFromOffice at priority 150 and no deny rules. Office users still cannot reach the VM on TCP 443. Which two statements are correct? Select two.

Select 2 answers
A.The subnet-level deny rule is evaluated before the later allow rule because lower priority numbers are processed first.
B.The NIC allow rule can override a deny decision already made by the subnet NSG.
C.Both the subnet NSG and the NIC NSG are evaluated, and a deny in either one blocks the packet.
D.The allow rule must use a private IP source range because public source ranges are not valid in NSG rules.
E.A user-defined route with next hop Internet would bypass the NSG deny and restore access.
AnswersA, C

NSG rules are processed in ascending priority order, so a lower number is evaluated before a higher number.

Why this answer

Option A is correct because NSG rules are processed in ascending priority order and evaluation stops at the first match: the subnet NSG's DenyAllInbound at priority 100 matches the office HTTPS traffic before AllowHTTPSFromOffice at 200 is ever considered. Option C is correct because, for inbound traffic, Azure evaluates the subnet NSG first and then the NIC NSG, and the packet must be allowed by both; here the subnet NSG has already denied it, so the NIC NSG's allow rule at priority 150 never gets a chance to act (for outbound traffic the order is reversed, NIC first, then subnet).

Exam trap

The trap here is that candidates often assume NIC-level rules can override subnet-level rules, but Azure applies both NSGs in sequence rather than merging them; a deny at either level drops the packet, so the subnet's deny at priority 100 takes effect before the NIC's allow rule is ever evaluated.

How to eliminate wrong answers

Option B is wrong because a NIC NSG cannot reverse a deny already made by the subnet NSG; the packet has to pass both. Option D is wrong because NSG source ranges may be any CIDR, public or private, as well as service tags and application security groups; an office public range is exactly what such a rule should carry. Option E is wrong because a user-defined route changes where a packet is forwarded next, not whether it is filtered; NSGs are applied regardless of the route the packet takes.
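
The evaluation order behind questions 19 and 21, as an added illustration that is not part of the original page and not Azure code: a small model of inbound NSG processing (lowest priority number first, first match wins, built-in default rules at 65000/65001/65500, subnet NSG before NIC NSG) run against both scenarios before and after the fix. The office range 203.0.113.0/24, the admin subnet 10.10.9.0/24, the VNet range behind the VirtualNetwork tag and the host addresses are constructed.

```python
"""NSG rule evaluation, modelled (added illustration, not Azure code).

Rules reproduced: custom rules are tried in ascending priority order and the first
match decides; Azure's default inbound rules at 65000, 65001 and 65500 cannot be
removed; for inbound traffic the subnet NSG is evaluated before the NIC NSG and the
packet must be allowed by both. Ranges and hosts below are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "*"
# Constructed service-tag membership; Azure resolves the real tags itself
TAGS = {"VirtualNetwork": ["10.10.0.0/16"], "AzureLoadBalancer": ["168.63.129.16/32"]}


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # lower number = evaluated earlier
    action: str        # "Allow" or "Deny"
    source: str        # CIDR, service tag or "*"
    protocol: str      # "Tcp", "Udp" or "*"
    dest_port: str     # port number or "*"


DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", "VirtualNetwork", ANY, ANY),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "AzureLoadBalancer", ANY, ANY),
    Rule("DenyAllInBound", 65500, "Deny", ANY, ANY, ANY),
]


def _matches(rule, src_ip, protocol, port):
    if rule.source != ANY:
        nets = TAGS.get(rule.source, [rule.source])
        if not any(ip_address(src_ip) in ip_network(n) for n in nets):
            return False
    if rule.protocol != ANY and rule.protocol.lower() != protocol.lower():
        return False
    return rule.dest_port == ANY or int(rule.dest_port) == port


def evaluate_nsg(custom_rules, src_ip, protocol, port):
    """First matching rule in ascending priority order; default rules are appended."""
    for rule in sorted(list(custom_rules) + DEFAULT_INBOUND, key=lambda r: r.priority):
        if _matches(rule, src_ip, protocol, port):
            return rule.action, rule.name
    raise AssertionError("DenyAllInBound always matches")


def inbound_allowed(subnet_nsg, nic_nsg, src_ip, protocol, port):
    """Subnet NSG first, then NIC NSG (None = no NSG at that level); a deny at either level drops the packet."""
    trace = []
    for level, rules in (("subnet", subnet_nsg), ("nic", nic_nsg)):
        if rules is None:
            continue
        action, name = evaluate_nsg(rules, src_ip, protocol, port)
        trace.append(f"{level}:{name}:{action}")
        if action == "Deny":
            return False, trace
    return True, trace


OFFICE = "203.0.113.0/24"       # constructed office public range (question 21)
ADMIN_SUBNET = "10.10.9.0/24"   # constructed approved admin subnet (question 19)

# Question 21 as posed: subnet deny at 100 beats allow at 200; the NIC allow at 150 never runs
Q21_SUBNET = [Rule("DenyAllInbound", 100, "Deny", ANY, ANY, ANY),
              Rule("AllowHTTPSFromOffice", 200, "Allow", OFFICE, "Tcp", "443")]
Q21_SUBNET_FIXED = [Rule("AllowHTTPSFromOffice", 90, "Allow", OFFICE, "Tcp", "443"),
                    Rule("DenyAllInbound", 100, "Deny", ANY, ANY, ANY)]
Q21_NIC = [Rule("AllowHTTPSFromOffice", 150, "Allow", OFFICE, "Tcp", "443")]


def q21(fixed=False):
    subnet = Q21_SUBNET_FIXED if fixed else Q21_SUBNET
    return inbound_allowed(subnet, Q21_NIC, "203.0.113.25", "Tcp", 443)


def q21_outsider():
    # The fix must not open 443 to everyone: a non-office source still hits the deny at 100
    return inbound_allowed(Q21_SUBNET_FIXED, Q21_NIC, "198.51.100.7", "Tcp", 443)


def q19(allow_priority):
    # Question 19: single subnet NSG; Allow-RDP-Admin only works at a number below the deny at 100
    subnet = [Rule("Deny-Admin-Subnet", 100, "Deny", ADMIN_SUBNET, ANY, ANY),
              Rule("Allow-RDP-Admin", allow_priority, "Allow", ADMIN_SUBNET, "Tcp", "3389")]
    return inbound_allowed(subnet, None, "10.10.9.20", "Tcp", 3389)


if __name__ == "__main__":
    print("q21 as posed :", q21())
    print("q21 fixed    :", q21(fixed=True))
    print("q19 allow@200:", q19(200), " allow@90:", q19(90))
```

The trace returned alongside the verdict is the same information the effective security rules view and Network Watcher's IP flow verify give you on a real NIC: which rule, at which level, made the decision.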

22
MCQmedium

A hub VNet has a VPN gateway connected to on-premises networks. A new spoke VNet must reach on-premises resources through the existing hub gateway without deploying another gateway. What peering configuration should the administrator use?

A.Enable forwarded traffic on both peerings and create a route table in the spoke.
B.Enable gateway transit on the hub peering and use remote gateways on the spoke peering.
C.Deploy a private endpoint in the spoke for each on-premises subnet.
D.Create a service endpoint on the spoke subnet for Microsoft.Network.
AnswerB

This is the standard configuration for letting a spoke VNet use an existing hub VPN gateway. The hub side must allow gateway transit, and the spoke side must be configured to use the remote gateway. Together, these settings let the spoke inherit on-premises connectivity through the hub without deploying a separate gateway.

Why this answer

Option B is correct because it lets the hub VNet's VPN gateway be shared with the spoke without deploying a second gateway. 'Allow gateway transit' on the hub side of the peering permits the spoke to use the hub's gateway; 'Use remote gateways' on the spoke side makes the spoke install the on-premises routes learned by that gateway and send on-premises-bound traffic through it, and the spoke's address space is in turn advertised to on-premises through the hub gateway. Two constraints worth remembering: a VNet can use only one remote gateway, and a VNet configured to use a remote gateway cannot have a gateway of its own.

Exam trap

The trap here is that candidates often confuse 'forwarded traffic' with 'gateway transit' — forwarded traffic only allows traffic to pass through a VNet (e.g., from a network virtual appliance), but it does not enable the use of a VPN gateway in the peered VNet, which requires the specific gateway transit setting.

How to eliminate wrong answers

Option A is wrong because 'Allow forwarded traffic' only accepts traffic that did not originate in the peered VNet (for example, traffic forwarded by a network virtual appliance in the hub); without gateway transit the spoke cannot use the hub's VPN gateway, and a route table in the spoke does not create that capability. Option C is wrong because a private endpoint provides private access to an Azure PaaS service (for example, Azure SQL or Storage), not a path to on-premises subnets through a VPN gateway. Option D is wrong because service endpoints apply to Azure PaaS services such as Storage or SQL and extend the subnet's identity to those services; they provide no connectivity to on-premises networks.

23
MCQmedium

An application in a subnet must access an Azure Storage account over a private IP. The storage account must not be reachable through its public endpoint, and access should be limited to that subnet only. Which configuration should the administrator implement?

A.Create a service endpoint for Microsoft.Storage on the subnet and keep the public endpoint enabled.
B.Create a private endpoint in the subnet and disable public network access on the storage account.
C.Use a shared access signature token and leave network settings unchanged.
D.Associate the storage account with a NAT gateway to control inbound access.
AnswerB

A private endpoint places a private IP address for the storage account into the VNet, so traffic stays on the private network path. Disabling public network access ensures the account cannot be reached through its public endpoint. Together, these settings meet both requirements: private IP access and subnet-scoped connectivity.

Why this answer

Option B is correct because a private endpoint assigns the storage account a private IP from the subnet, effectively bringing the service into the virtual network. Disabling public network access ensures the storage account is reachable only through that private endpoint. Note that a private endpoint is reachable from any subnet, and any peered VNet, that can route to its private IP; to limit access to this one subnet, enable network policies on the private endpoint's subnet and apply an NSG whose inbound rules allow only the application subnet as a source.

Exam trap

The trap here is confusing service endpoints (which still use the public endpoint) with private endpoints (which provide a private IP and can disable public access), leading candidates to choose Option A thinking it provides private connectivity.

How to eliminate wrong answers

Option A is wrong because a service endpoint keeps the public endpoint enabled and only adds a route to the storage account's public IPs, which does not satisfy the requirement to make the storage account unreachable through its public endpoint. Option C is wrong because a shared access signature (SAS) token provides time-limited access via the public endpoint, but it does not restrict access to a specific subnet or disable the public endpoint. Option D is wrong because a NAT gateway controls outbound traffic from the subnet to the internet, not inbound access to the storage account, and does not provide private connectivity or disable the public endpoint.

24
MCQmedium

A web workload in a subnet must use a NAT gateway for outbound internet traffic so the source IP is stable. The subnet currently has a route table with a 0.0.0.0/0 user-defined route to a virtual appliance. What should the administrator change?

A.Add an NSG outbound allow rule for TCP 80 and TCP 443.
B.Remove or replace the 0.0.0.0/0 UDR to the virtual appliance and associate the NAT gateway with the subnet.
C.Create a private endpoint for the web workload.
D.Enable VNet peering to a hub network with a firewall.
AnswerB

A NAT gateway provides stable outbound internet connectivity only when traffic follows the normal internet path from the subnet. The custom default route to a virtual appliance forces traffic away from that path, so the NAT gateway is bypassed. Removing or replacing the forced-tunnel route and then attaching the NAT gateway to the subnet allows outbound internet traffic to use the NAT gateway’s public IPs.

Why this answer

The current route table has a 0.0.0.0/0 user-defined route (UDR) pointing to a virtual appliance, which forces all outbound traffic through that appliance. To use a NAT gateway for outbound internet traffic with a stable source IP, the administrator must remove or replace that UDR (so the subnet's effective default route again has next hop Internet) and associate the NAT gateway with the subnet. The NAT gateway does not install a route of its own: it translates the source address of flows whose effective next hop is Internet, so as long as the UDR sends 0.0.0.0/0 to the appliance it is bypassed. Be aware of the trade-off: removing the appliance route also removes that appliance's inspection of this subnet's egress, so the stable NAT IP that partners can allow-list is bought at the cost of the NVA's outbound controls unless the appliance sits elsewhere in the path.

Exam trap

The trap here is assuming that attaching a NAT gateway overrides existing routing. It adds no route; it only handles traffic whose effective next hop is Internet. Because a user-defined route takes precedence over the system default route for the same prefix, the existing 0.0.0.0/0 UDR must be removed or modified before the NAT gateway can carry the subnet's outbound traffic.

How to eliminate wrong answers

Option A is wrong because adding an NSG outbound allow rule for TCP 80 and TCP 443 does not change the routing path; traffic would still be forced through the virtual appliance due to the existing UDR, and the NAT gateway would not be used. Option C is wrong because a private endpoint is used for inbound access to Azure PaaS services over a private IP, not for outbound internet traffic with a stable source IP. Option D is wrong because enabling VNet peering to a hub network with a firewall does not remove the existing UDR to the virtual appliance; the peering would still route traffic through the appliance unless the UDR is modified, and it does not directly provide a stable source IP via a NAT gateway.

25
MCQmedium

An administrator creates a route table with a UDR for 10.20.0.0/16 and next hop type Virtual appliance. A VM in the subnet still does not send that traffic to the appliance. The route table contents are correct. What should be checked first?

A.Whether the NSG has an outbound deny rule for port 80.
B.Whether the route table is associated with the correct subnet.
C.Whether the VM uses a managed identity.
D.Whether the virtual machine is in an availability set.
AnswerB

A route table only affects traffic for the subnet to which it is associated. If the table exists and the route is correct but traffic still follows another path, the first thing to verify is that the VM's subnet is actually linked to that route table. Without that association, the UDR is never applied, even though the route definition itself looks valid.

Why this answer

The most common reason a UDR fails to take effect is that the route table is not associated with the subnet containing the VM. Even if the route table contents are correct, the VM's traffic follows the default system routes (and any peering routes) until the table is explicitly linked to the subnet. The quickest check is the NIC's effective routes on a running VM (the portal's Effective routes view or az network nic show-effective-route-table): if the 10.20.0.0/16 route with next hop Virtual appliance is missing there, the table is not applied to that subnet.

Exam trap

The trap here is that candidates often focus on the route table contents being correct and overlook the critical step of associating the route table with the subnet, assuming that creating the route table is sufficient to apply it.

How to eliminate wrong answers

Option A is wrong because an NSG outbound deny rule for port 80 would block traffic based on port, not prevent the UDR from being applied; the UDR controls routing, not firewall filtering. Option C is wrong because a managed identity is an Azure AD authentication mechanism for accessing Azure resources and has no impact on network routing or UDR enforcement. Option D is wrong because an availability set is a high-availability configuration for VMs across fault domains and update domains; it does not influence route table association or traffic forwarding.

26
Multi-Selectmedium

Which two statements accurately describe the value of centralized DHCP in enterprise networks?

Select 2 answers
A.It can reduce the need to maintain separate DHCP servers in every subnet or site.
B.It can make address-policy changes easier to manage from a central location.
C.It removes the need for relay across Layer 3 boundaries.
D.It eliminates the need for default gateways.
E.It is useful only on wireless networks.
AnswersA, B

This is correct because centralization can simplify service management.

Why this answer

Centralized DHCP can simplify operations by keeping address assignment services in a more controlled central location rather than distributing separate servers everywhere. In practical terms, this can reduce administration overhead and make policy changes easier. The tradeoff is that Layer 3 boundaries must then be handled properly so client requests can still reach the server.

This is why DHCP relay becomes important in many campus and branch designs.

Why the other options are wrong

C

This option is wrong because centralized DHCP can still require DHCP relay agents to forward requests across Layer 3 boundaries, especially when clients and servers are on different subnets.

D

This option is wrong because centralized DHCP does not eliminate the need for default gateways; devices still require a default gateway to communicate outside their local subnet regardless of DHCP configuration.

E

This option is wrong because centralized DHCP is beneficial for both wired and wireless networks, not limited to just wireless environments. Centralized DHCP can manage IP addresses across all types of network infrastructures.

27
MCQmedium

Why is centralized logging especially helpful during incident investigation?

A.It helps investigators analyze related events from multiple devices in one place.
B.It guarantees that no attack can ever succeed.
C.It replaces the need for access control.
D.It forces all devices to use the same VLAN.
AnswerA

This is correct because centralized collection improves visibility and correlation.

Why this answer

Centralized logging aggregates logs from multiple sources (servers, firewalls, applications) into a single repository, enabling investigators to correlate events across devices during an incident. This eliminates the need to manually access each device's local logs, speeding up root cause analysis and providing a unified timeline of activities.

Exam trap

The trap here is that candidates may confuse centralized logging with a security control that prevents attacks, rather than recognizing it as a detective and forensic tool for post-incident analysis.

Why the other options are wrong

B

Option B is incorrect because centralized logging does not guarantee the prevention of attacks; it merely provides a means to analyze and respond to incidents after they occur. Security measures must be implemented to prevent attacks, which is outside the scope of logging.

C

Access control is a separate security measure that governs who can view or manipulate logs; centralized logging does not eliminate the need for such controls. Therefore, this option incorrectly suggests that centralized logging alone suffices for security management.

D

This option is wrong because forcing all devices to use the same VLAN does not inherently improve logging capabilities or facilitate incident investigation. Centralized logging focuses on aggregating logs, not on network segmentation.
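
The point in question 27, correlating events from several devices in one place, shown as an added example that is not part of the original page: three constructed log sources in three formats and two time zones (an ISO-8601 firewall log in UTC, a Linux auth log in syslog format at UTC+1 with no year, and a web-app access log) are normalized to UTC, merged into one timeline and correlated by source IP, so that a burst of failed SSH logins followed by a success can be seen together with the firewall and application events around it. Hosts, addresses, times, the assumed syslog year and the assumed local time zone are all constructed.

```python
"""Centralized-log correlation over constructed sample lines (added illustration).

Normalizes three differently formatted sources to UTC, merges them into one timeline
and flags an IP whose accepted login follows repeated failures, returning every event
from any source near that success. All lines, hosts and times are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

FIREWALL_LINES = [  # constructed: ISO-8601, UTC
    "2024-03-04T09:58:02+00:00 fw01 action=allow src=203.0.113.25 dst=10.10.2.9 dport=22",
    "2024-03-04T09:58:40+00:00 fw01 action=allow src=203.0.113.25 dst=10.10.2.9 dport=443",
]
AUTH_LINES = [  # constructed: syslog, host local time (assumed UTC+1), no year
    "Mar  4 10:58:10 web01 sshd[2211]: Failed password for root from 203.0.113.25 port 51022 ssh2",
    "Mar  4 10:58:15 web01 sshd[2211]: Failed password for root from 203.0.113.25 port 51022 ssh2",
    "Mar  4 10:58:21 web01 sshd[2214]: Accepted password for deploy from 203.0.113.25 port 51030 ssh2",
]
APP_LINES = [  # constructed: combined log format, UTC
    '203.0.113.25 - - [04/Mar/2024:09:58:41 +0000] "GET /admin HTTP/1.1" 200 512',
]

FW_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")
AUTH_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
                     r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)")
APP_RE = re.compile(r'^(?P<src>\S+) - - \[(?P<ts>[^\]]+)\] "(?P<req>[^"]+)" (?P<status>\d{3})')

SYSLOG_YEAR = 2024                          # syslog lines carry no year; assumed from the collection window
SYSLOG_TZ = timezone(timedelta(hours=1))    # web01's local zone; assumed for the example


def parse_firewall(line):
    m = FW_RE.match(line)
    ts = datetime.fromisoformat(m["ts"]).astimezone(timezone.utc)
    return {"ts": ts, "source": "firewall", "host": m["host"], "ip": m["src"],
            "event": f"{m['action']} {m['dst']}:{m['dport']}"}


def parse_auth(line):
    m = AUTH_RE.match(line)
    local = datetime.strptime(f"{SYSLOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S").replace(tzinfo=SYSLOG_TZ)
    return {"ts": local.astimezone(timezone.utc), "source": "auth", "host": m["host"], "ip": m["src"],
            "event": f"{m['result']} login {m['user']}"}


def parse_app(line):
    m = APP_RE.match(line)
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
    return {"ts": ts, "source": "app", "host": "web01", "ip": m["src"],
            "event": f"{m['req']} -> {m['status']}"}


def build_timeline():
    """One UTC-ordered list of events from all sources: the 'single place' of the question."""
    events = ([parse_firewall(l) for l in FIREWALL_LINES] + [parse_auth(l) for l in AUTH_LINES]
              + [parse_app(l) for l in APP_LINES])
    return sorted(events, key=lambda e: e["ts"])


def detect_bruteforce_success(timeline, window_s=60, min_failures=2):
    """Flag an IP whose accepted login follows >= min_failures failed logins within window_s,
    and attach every event from any source within window_s of the success."""
    by_ip = defaultdict(list)
    for e in timeline:
        by_ip[e["ip"]].append(e)
    hits = []
    for ip, events in by_ip.items():
        failures = []
        for e in events:
            if e["source"] != "auth":
                continue
            if e["event"].startswith("Failed"):
                failures.append(e["ts"])
            elif e["event"].startswith("Accepted"):
                recent = [t for t in failures if e["ts"] - t <= timedelta(seconds=window_s)]
                if len(recent) >= min_failures:
                    near = [x for x in events if abs((x["ts"] - e["ts"]).total_seconds()) <= window_s]
                    hits.append({"ip": ip, "failures": len(recent), "success_at": e["ts"], "related": near})
    return hits


if __name__ == "__main__":
    for hit in detect_bruteforce_success(build_timeline()):
        print(hit["ip"], hit["failures"], "failures before success at", hit["success_at"].isoformat())
        for e in hit["related"]:
            print("  ", e["ts"].strftime("%H:%M:%SZ"), e["source"], e["host"], e["event"])
```

Without the time-zone normalization the auth events would sort an hour after the firewall and application events and the sequence would not be visible; that is the concrete reason central collection has to normalize timestamps, not just store lines.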

28
MCQeasy

Based on the exhibit, administrators can reach a web server from the approved subnet, but connections still fail. What is the most likely reason?

A.The allow rule is blocked because inbound rules are evaluated from highest priority number to lowest.
B.The deny rule has a higher priority and matches the traffic before the allow rule.
C.The destination port must be changed to 80 because NSGs cannot allow TCP 443.
D.The subnet requires a route table before HTTPS can be permitted.
AnswerB

Azure NSG evaluation uses the lowest priority number first and stops at the first match. In the exhibit, the deny rule at priority 100 matches TCP 443 from Any, so it blocks the traffic before the allow rule at priority 200 is considered. To fix the issue, give the allow rule a lower priority number than the deny rule, or narrow the deny rule so it no longer matches the approved subnet.

Why this answer

Network Security Groups (NSGs) evaluate rules in order of priority, where a lower priority number (e.g., 100) is evaluated before a higher number (e.g., 200). If a deny rule with a higher priority (lower number) matches the traffic before the allow rule, the traffic is blocked. In this scenario, the deny rule (priority 100) matches the source subnet and destination port 443 before the allow rule (priority 200) can permit it, causing connections to fail.

Exam trap

The trap here is that candidates often assume NSG rules are evaluated in the order they appear in the portal (top-to-bottom) or that allow rules override deny rules regardless of priority, but Azure explicitly uses the priority number to determine evaluation order, and a higher-priority deny rule will block traffic even if a lower-priority allow rule exists.

How to eliminate wrong answers

Option A is wrong because inbound rules are evaluated from lowest priority number to highest (i.e., highest priority first), not from highest to lowest. Option C is wrong because NSGs can allow TCP 443 (HTTPS) just as they can allow TCP 80 (HTTP); there is no restriction that prevents port 443 from being used. Option D is wrong because a route table is not required to permit HTTPS traffic; NSGs control traffic flow at the network interface or subnet level, and routing is handled separately by Azure's default routes or user-defined routes.

29
MCQmedium

A VM in subnet S1 must accept RDP only from the administrator workstation at 203.0.113.25. The subnet NSG has a custom inbound deny-all rule at priority 200 and a custom allow-RDP rule at priority 300 for source 203.0.113.25, destination Any, TCP 3389. RDP is still blocked from the workstation. What should the administrator change?

A.Move the allow-RDP rule to a lower priority number than 200.
B.Change the allow rule from inbound to outbound traffic.
C.Change the protocol from TCP to Any on the deny-all rule.
D.Attach a user-defined route so the workstation can reach the VM directly.
AnswerA

NSG rules are processed in priority order, where lower numbers are evaluated first. Because the deny-all rule at priority 200 is hit before the allow rule at 300, the RDP traffic is denied before it can match the allow entry. Moving the allow rule to a number lower than 200, such as 100, ensures the authorized workstation is permitted while the later deny-all rule still blocks everyone else.

Why this answer

Network Security Group (NSG) rules are evaluated in priority order, with lower numbers having higher precedence. The deny-all rule at priority 200 is evaluated before the allow-RDP rule at priority 300, so the deny rule blocks the RDP traffic before the allow rule can be applied. To allow RDP from the workstation, the allow-RDP rule must have a lower priority number (e.g., 100) than the deny-all rule, ensuring it is evaluated first.

Exam trap

The trap here is that candidates often assume rules are evaluated in the order they appear in the portal (top to bottom) or that a more specific rule (allow-RDP) overrides a general rule (deny-all), but Azure NSGs strictly use numeric priority, not specificity or order of creation.

How to eliminate wrong answers

Option B is wrong because the allow rule must be inbound (for incoming RDP traffic to the VM), not outbound; outbound rules control traffic leaving the subnet, which is irrelevant for accepting RDP connections. Option C is wrong because changing the protocol from TCP to Any on the deny-all rule would still block RDP (TCP 3389) and would not resolve the priority issue; it would also unnecessarily block all other protocols. Option D is wrong because a user-defined route (UDR) controls network traffic routing, not NSG rule evaluation; the workstation can already reach the VM via the default route, and the issue is purely an NSG priority conflict.

30
MCQmedium

An organization has an Azure Storage account that must be reachable from Azure VMs and from an on-premises application. Internet access to the storage account must be disabled, and the service should be accessible only over private IP paths. Which solution best meets the requirement?

A.Enable a service endpoint on the Azure VNet and keep the storage account public endpoint enabled.
B.Use a private endpoint for the storage account and connect on-premises through a site-to-site VPN or ExpressRoute path.
C.Use VNet peering only and leave the storage account firewall open to selected public IPs.
D.Assign a public IP address to the storage account and restrict access with an NSG.
AnswerB

A private endpoint gives the storage account a private IP in a VNet, which keeps traffic off the public internet. Because the on-premises application also needs access, the on-premises network must have private connectivity to that VNet, typically through a site-to-site VPN gateway or ExpressRoute. This design satisfies both private access and the no-public-access requirement.

Why this answer

Option B is correct because a private endpoint assigns the storage account a private IP address from the Azure VNet, making it accessible over a private IP path. On-premises connectivity is achieved via a site-to-site VPN or ExpressRoute, which extends the private network. This configuration disables internet access by blocking the public endpoint, meeting the requirement to disable internet access.

Exam trap

The trap here is that candidates often confuse service endpoints with private endpoints, thinking service endpoints also provide private-only access, but service endpoints still use the public endpoint and do not block internet access by default.

How to eliminate wrong answers

Option A is wrong because enabling a service endpoint keeps the storage account's public endpoint enabled, which still allows internet access to the storage account, violating the requirement to disable internet access. Option C is wrong because VNet peering only connects Azure VNets, not on-premises networks, and leaving the storage account firewall open to selected public IPs still exposes the storage account to the internet, failing the requirement. Option D is wrong because assigning a public IP address to a storage account is not possible; storage accounts use a public endpoint by default, and NSGs cannot be applied directly to a storage account, only to subnets or NICs, so this does not disable internet access.

31
MCQeasy

Based on the exhibit, which next hop will Azure use for traffic from the VM to 10.50.1.20?

A.Virtual appliance 10.1.1.4, because all traffic always follows the default route.
B.Internet, because the /24 route is more specific than the default route.
C.Virtual network, because private IP addresses always stay inside Azure.
D.No route is selected, so the packet is dropped before leaving the subnet.
AnswerB

Azure uses longest-prefix match when selecting a route. The destination 10.50.1.20 falls within 10.50.1.0/24, which is more specific than the 0.0.0.0/0 default route. Therefore, the Internet next hop is chosen instead of the virtual appliance.

Why this answer

Option B is correct because Azure uses the most specific route (longest prefix match) to determine the next hop. The route for 10.50.1.0/24 with next hop Internet is more specific than the default route 0.0.0.0/0, so traffic to 10.50.1.20 is forwarded to the Internet, not to the virtual appliance. The /24 also beats the system route Azure creates for 10.0.0.0/8 with next hop None; without the user-defined /24, that system route would be the longest match and the packet would be dropped rather than sent to the appliance.

Exam trap

The trap here is that candidates assume private IP traffic always stays within Azure or follows the default route, but Azure prioritizes more specific routes regardless of IP address range.

How to eliminate wrong answers

Option A is wrong because Azure does not always follow the default route; it uses the longest prefix match, so the /24 route takes precedence over the default route. Option C is wrong because private IP addresses can be routed outside the virtual network if a more specific route (e.g., to the Internet) exists; Azure does not force traffic to stay inside the virtual network. Option D is wrong because a route is selected (the /24 route to the Internet), so the packet is not dropped.

32
MCQmedium

A branch office with a static public IP needs encrypted connectivity to an Azure virtual network so users can access private Azure VMs and internal services. The connection should support a site-to-site design and not rely on public IPs for the Azure resources themselves. Which service should the administrator deploy?

A.Azure VNet peering
B.Service endpoint
C.VPN gateway with a site-to-site connection
D.Azure Front Door
AnswerC

A VPN gateway is the standard Azure service for encrypted site-to-site connectivity between an on-premises network and an Azure VNet. It allows branch users to reach private IPs in Azure without exposing the VMs to the internet. Because the branch has a static public IP, it can terminate a reliable site-to-site tunnel to the Azure VPN gateway.

Why this answer

A VPN gateway with a site-to-site connection (option C) is the correct choice because it provides encrypted connectivity over the public internet between an on-premises branch office with a static public IP and an Azure virtual network. This design uses IPsec/IKE (RFC 4301) to secure traffic, and Azure resources remain private within the VNet, not requiring public IPs. The site-to-site connection establishes a tunnel from the on-premises VPN device to the Azure VPN gateway, enabling users to access private VMs and services securely.

Exam trap

The trap here is that candidates often confuse site-to-site VPN with VNet peering or service endpoints, mistakenly thinking those can provide encrypted on-premises connectivity, but they lack the necessary IPsec tunnel and on-premises-to-Azure routing capabilities.

How to eliminate wrong answers

Option A is wrong because Azure VNet peering connects two VNets within Azure, not an on-premises branch office to Azure, and it does not provide encrypted connectivity over the internet. Option B is wrong because a service endpoint extends a VNet's private address space to Azure PaaS services (e.g., Storage, SQL) but does not create an encrypted tunnel for on-premises users to access private VMs or internal services. Option D is wrong because Azure Front Door is a global load balancer and application delivery service for HTTP/HTTPS traffic, not a site-to-site VPN solution, and it does not provide encrypted connectivity for private VMs or internal services without public exposure.

33
MCQhard

A web tier and a backend tier are deployed in separate subnets. Backend VMs are rebuilt regularly, so their private IP addresses change. The web tier must reach the backend on TCP 8443, and administrators do not want to update NSG rules whenever a backend VM is replaced. What should be used in the NSG rule?

A.The backend subnet CIDR, because subnet ranges never change during VM rebuilds.
B.The AzureLoadBalancer service tag, because it identifies internal traffic between tiers.
C.Application security groups for both tiers, because they track the VMs even when IP addresses change.
D.A user-defined route to the backend subnet, because route tables follow the VM even if the IP changes.
AnswerC

Application security groups let you group NICs by application role instead of by changing IP addresses. By referencing ASG-Web as the source and ASG-Backend as the destination, the NSG rule stays stable when backend VMs are rebuilt or NICs are replaced. This is the most maintainable option for tier-based filtering on a fixed port.

Why this answer

Option C is correct because Application Security Groups (ASGs) allow you to group VMs logically and reference them in NSG rules. When backend VMs are rebuilt and their private IPs change, the ASG membership (based on the VM's NIC configuration) remains intact, so the NSG rule continues to apply without manual updates. This decouples security rules from dynamic IP addresses.

Exam trap

The trap here is that candidates confuse service tags (which identify Azure services) with ASGs (which identify application tiers), or they assume subnet CIDRs are always the best choice despite the requirement for dynamic IP handling.

How to eliminate wrong answers

Option A is wrong because while the backend subnet CIDR is static, using it in the NSG rule would allow traffic from any VM in that subnet, not just the intended backend VMs, and it does not leverage the dynamic tracking that ASGs provide. Option B is wrong because the AzureLoadBalancer service tag identifies traffic from Azure's load balancer health probes, not general inter-tier traffic between web and backend VMs. Option D is wrong because a user-defined route (UDR) controls traffic routing (next hop), not firewall rules; UDRs do not filter traffic or adapt to changing IPs for NSG purposes.

34
Multi-Selectmedium

Backend VMs are rebuilt often and get new private IP addresses. Frontend VMs must reach them only on TCP 8443, and the rule should keep working after rebuilds. Which two actions should the administrator take? Select two.

Select 2 answers
A.Place the backend NICs in an ASG named ASG-Backend.
B.Create an NSG rule that allows TCP 8443 from ASG-Front to ASG-Backend.
C.Create a static route for the backend subnet to preserve the same IPs.
D.Use a service endpoint between the two subnets.
E.Add a load balancer health probe rule on TCP 8443 only.
AnswersA, B

ASG membership follows the NIC, so the rule still matches even when the VM IP changes.

Why this answer

Option A is correct because an Application Security Group (ASG) allows you to group backend VMs by their NICs, regardless of their private IP addresses. When backend VMs are rebuilt and receive new IPs, the ASG membership remains intact, so NSG rules referencing the ASG continue to work without manual updates. Option B is correct because the NSG rule must reference the ASGs rather than addresses: allowing TCP 8443 from ASG-Front to ASG-Backend ties the rule to the role of each NIC, not to an IP that will change. Together the two actions give a rule scoped to the port and the two tiers that survives rebuilds; note that NICs referenced through an ASG must live in the same VNet as the ASG.

Exam trap

The trap here is that candidates often confuse Application Security Groups with Network Security Groups (NSGs) or think that static routes or service endpoints can solve dynamic IP addressing, when in fact ASGs are the correct Azure feature for grouping VMs by function regardless of IP changes.

35
MCQmedium

A company created a new spoke virtual network with the address space 10.40.1.0/24. The existing hub virtual network already uses 10.40.0.0/16. The administrator must peer the two VNets so resources can communicate normally. What must be changed before peering can succeed?

A.Create a route table on the spoke subnet before adding the peering.
B.Change the spoke VNet address space to a range that does not overlap the hub.
C.Enable gateway transit on the hub peering to permit overlapping spaces.
D.Add an NSG rule that allows traffic between the hub and spoke address spaces.
AnswerB

Azure virtual network peering requires non-overlapping IP address spaces on both sides. Because the spoke is using 10.40.1.0/24, which sits inside the hub's 10.40.0.0/16 range, peering cannot be created successfully. The administrator must renumber the spoke to a unique range before attempting the peering, then update any dependent subnet and DNS settings as needed.

Why this answer

Azure Virtual Network peering requires that the address spaces of the peered VNets do not overlap. The hub VNet uses 10.40.0.0/16, which includes the spoke's 10.40.1.0/24 range. Overlapping address spaces prevent successful peering because Azure cannot route traffic correctly between overlapping IP ranges.

Therefore, the spoke VNet address space must be changed to a non-overlapping range before peering can succeed.

Exam trap

The trap here is that candidates often confuse overlapping address spaces with connectivity issues that can be fixed by routing or security rules, but Azure strictly prohibits overlapping address spaces for VNet peering at the control plane level.

How to eliminate wrong answers

Option A is wrong because creating a route table on the spoke subnet does not resolve the fundamental address overlap issue; route tables control traffic flow within a VNet but cannot override the peering requirement for non-overlapping address spaces. Option C is wrong because gateway transit allows a spoke VNet to use the hub's VPN/ExpressRoute gateway, but it does not permit overlapping address spaces; Azure still enforces non-overlapping address spaces for peering regardless of gateway transit settings. Option D is wrong because NSG rules filter traffic at the subnet or NIC level but cannot fix the underlying routing conflict caused by overlapping IP ranges; peering itself will fail before any NSG rules come into effect.

36
MCQmedium

A subnet already has a user-defined default route (0.0.0.0/0) that sends all outbound traffic to a network virtual appliance. The administrator now needs traffic to the on-premises network 10.50.0.0/16 to use the VPN gateway instead of the appliance. What should be added to the route table?

A.Remove the default route so the system route to the VPN gateway is used
B.Add a user-defined route for 10.50.0.0/16 with next hop type Virtual network gateway
C.Change the subnet address space to a smaller CIDR block
D.Enable a service endpoint for the on-premises prefix
AnswerB

A more specific prefix takes precedence over the broader default route. By adding a route for 10.50.0.0/16 that points to the virtual network gateway, traffic to the on-premises network follows the gateway while all other destinations can still follow the default route to the appliance.

Why this answer

Option B is correct because adding a user-defined route (UDR) for the specific prefix 10.50.0.0/16 with next hop type 'Virtual network gateway' creates a more specific route (longest prefix match) than the existing default route (0.0.0.0/0). Traffic destined for the on-premises network is forwarded to the VPN gateway, while all other outbound traffic continues to use the appliance. If the route table has gateway route propagation enabled, the gateway's own /16 route would already win on prefix length; the explicit UDR guarantees the path even when propagation is disabled, which is common on subnets that are forced through an appliance.

Exam trap

The trap here is that candidates assume removing the default route is necessary to force traffic through the VPN gateway, but they overlook that a more specific UDR for the on-premises prefix can coexist with the default route, allowing both paths to function correctly.

How to eliminate wrong answers

Option A is wrong because removing the user-defined default route reinstates the system default route 0.0.0.0/0 with next hop Internet, so every destination that is not on-premises would bypass the appliance and go straight to the internet, breaking the existing inspection design; the gateway's routes cover only the prefixes it advertises (here 10.50.0.0/16) and never replace the default route. Option C is wrong because changing the subnet address space does not affect routing decisions for traffic to the on-premises network; routing is based on destination prefixes, not subnet size. Option D is wrong because service endpoints are used to secure Azure service traffic (e.g., to Azure Storage or SQL) to a virtual network, not to route traffic to on-premises networks over a VPN gateway.
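The selection rule behind questions 31 and 36 is easy to get wrong by eye, so here is a small model of Azure's effective-route computation. This is an added example written for this page, not code from the page or from Microsoft: the VNet prefix 10.1.0.0/16, the test destinations and the function names are assumptions. It encodes the system routes Azure installs on every subnet (including the RFC 1918 ranges with next hop None), longest-prefix-match selection, and the tie-break in which a user-defined route beats a gateway-learned route, which beats a system route.

```python
"""Effective-route selection for a subnet, modelled on Azure's rules.

Added example for questions 31 and 36 (not code from the page): Azure picks the
route whose prefix matches the destination with the longest mask; on a tie, a
user-defined route beats a gateway-learned route, which beats a system route.
The VNet prefix 10.1.0.0/16 and the test destinations are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple
import ipaddress

# Lower rank wins when two routes carry the same prefix (mirrors the "Source"
# column of an effective-routes listing).
SOURCE_RANK = {"User": 0, "VirtualNetworkGateway": 1, "Default": 2}


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop_type: str
    next_hop_ip: Optional[str] = None
    source: str = "User"


def default_system_routes(vnet_prefix: str) -> List[Route]:
    """System routes Azure creates for every subnet: the VNet itself, a default
    route to the Internet, and the RFC 1918 and CGNAT ranges with next hop None."""
    return [
        Route(vnet_prefix, "VirtualNetwork", source="Default"),
        Route("0.0.0.0/0", "Internet", source="Default"),
        Route("10.0.0.0/8", "None", source="Default"),
        Route("172.16.0.0/12", "None", source="Default"),
        Route("192.168.0.0/16", "None", source="Default"),
        Route("100.64.0.0/10", "None", source="Default"),
    ]


def select_route(routes: List[Route], destination: str) -> Optional[Route]:
    """Longest prefix match; ties broken by route source."""
    dst = ipaddress.ip_address(destination)
    candidates = [r for r in routes if dst in ipaddress.ip_network(r.prefix)]
    if not candidates:
        return None
    return max(
        candidates,
        key=lambda r: (ipaddress.ip_network(r.prefix).prefixlen, -SOURCE_RANK[r.source]),
    )


def next_hop(routes: List[Route], destination: str) -> Optional[Tuple[str, Optional[str]]]:
    chosen = select_route(routes, destination)
    return (chosen.next_hop_type, chosen.next_hop_ip) if chosen else None


def scenario_q31(include_specific_route: bool = True):
    """Question 31: UDR 0.0.0.0/0 -> appliance 10.1.1.4 plus UDR 10.50.1.0/24 -> Internet.
    With include_specific_route=False the /24 is absent and the system 10.0.0.0/8 -> None
    route is the longest match, so the packet is dropped, not sent to the appliance."""
    routes = default_system_routes("10.1.0.0/16") + [
        Route("0.0.0.0/0", "VirtualAppliance", "10.1.1.4"),
    ]
    if include_specific_route:
        routes.append(Route("10.50.1.0/24", "Internet"))
    return next_hop(routes, "10.50.1.20")


def scenario_q36():
    """Question 36: keep the default route to the appliance, add 10.50.0.0/16 -> gateway.
    Returns the next hops for an on-premises address and for a public address."""
    routes = default_system_routes("10.1.0.0/16") + [
        Route("0.0.0.0/0", "VirtualAppliance", "10.1.1.4"),
        Route("10.50.0.0/16", "VirtualNetworkGateway"),
    ]
    return next_hop(routes, "10.50.7.9"), next_hop(routes, "8.8.8.8")


if __name__ == "__main__":
    print("Q31 with /24 route:    ", scenario_q31())
    print("Q31 without /24 route: ", scenario_q31(False))
    print("Q36 on-prem / internet:", scenario_q36())
```

The 0.0.0.0/0 user-defined route to the appliance is the same forced-tunneling entry the later questions about centralized egress rely on; it wins over the system default route only because of the source tie-break, not because of prefix length. Compare the model's output with `az network nic show-effective-route-table` on a real NIC when a path does not behave as expected.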

37
MCQmedium

An existing application in AppSubnet1 must access an Azure Storage account. The team does not want to add a private endpoint or change DNS records, but they do want to allow access only from AppSubnet1. Which configuration should the administrator use?

A.Enable the Microsoft.Storage service endpoint on AppSubnet1 and restrict the storage account to selected virtual networks.
B.Create a private endpoint and remove all public network access from the storage account.
C.Add a network security group rule that allows outbound TCP 443 to the storage account.
D.Enable peering between AppSubnet1 and the storage account network.
AnswerA

A service endpoint lets traffic from the subnet reach the storage account over the Azure backbone while the storage firewall can allow only that subnet. This matches the requirement to avoid private endpoints and DNS changes. The access is still limited to the approved subnet identity, which is what the storage firewall evaluates.

Why this answer

Option A is correct because enabling the Microsoft.Storage service endpoint on AppSubnet1 allows traffic from that subnet to be routed directly to the Azure Storage service over the Azure backbone network, bypassing the internet. By then restricting the storage account's firewall to 'selected virtual networks' and adding AppSubnet1's virtual network and subnet, access is limited exclusively to that subnet without needing a private endpoint or DNS changes.

Exam trap

The trap here is that candidates often confuse service endpoints with private endpoints, assuming both require DNS changes, or they mistakenly think NSG rules alone can restrict inbound access to a PaaS service, when in fact the storage account firewall must be explicitly configured to accept traffic only from the specified subnet.

How to eliminate wrong answers

Option B is wrong because creating a private endpoint requires adding a private IP to the storage account and modifying DNS records (either via Azure Private DNS or custom DNS), which the team explicitly wants to avoid. Option C is wrong because an NSG rule allowing outbound TCP 443 only governs what the subnet is permitted to send; it does not tell the storage account which sources to accept, so the public endpoint stays reachable from any source until the storage firewall is configured. Option D is wrong because VNet peering connects virtual networks, not subnets to storage accounts, and storage accounts are not part of a VNet; peering does not provide subnet-level access control to PaaS services.

38
MCQmedium

A workload in a VNet must connect to Azure SQL Database over a private IP address, and the database must not be reachable through its public endpoint. Users should still connect by using the normal server name. What should you configure?

A.A service endpoint on the subnet and a public firewall rule on the SQL server.
B.A private endpoint for Azure SQL Database and a private DNS zone linked to the VNet.
C.A network security group rule that denies all public internet traffic to the subnet.
D.A NAT gateway on the subnet so the SQL connection uses a private source address.
AnswerB

A private endpoint assigns a private IP from the VNet to the Azure SQL resource, which keeps traffic off the public endpoint. Linking the appropriate private DNS zone to the VNet ensures the normal server name resolves to the private IP. This gives private connectivity and keeps application configuration simple.

Why this answer

Option B is correct because a private endpoint assigns Azure SQL Database a private IP address from the VNet, making it accessible over a private connection. By linking the privatelink.database.windows.net private DNS zone to the VNet, the normal server name resolves to that private IP, allowing users to connect without using the public endpoint. A private endpoint adds a private path but does not remove the public one, so set the server's public network access to Disabled as well; together these keep the database unreachable via its public endpoint while maintaining name-based connectivity.

Exam trap

The trap here is that candidates confuse service endpoints with private endpoints, assuming a service endpoint alone provides private IP connectivity, when in fact it only provides source network identity and does not remove public endpoint exposure.

How to eliminate wrong answers

Option A is wrong because a service endpoint only extends the VNet identity to the SQL service but does not assign a private IP; the database remains reachable via its public endpoint, and a public firewall rule would still allow public access. Option C is wrong because an NSG is attached to the subnet or its NICs and filters traffic to and from those NICs; it has no effect on the SQL server's public endpoint, which stays reachable from outside the subnet. Option D is wrong because a NAT gateway translates the subnet's outbound traffic to a public IP address; the connection still terminates at the SQL public endpoint, and nothing about it makes the database unreachable from the internet.

39
MCQmedium

Two application teams created separate VNets for independent workloads. VNet-A uses 10.40.0.0/16 and VNet-B uses 10.40.128.0/17. The teams want to peer the VNets so both apps can communicate privately. What should the administrator do first?

A.Create the peering now and add a route table to one VNet later.
B.Renumber one VNet so its address space no longer overlaps before creating the peering.
C.Add an NSG rule that allows traffic between the two address ranges.
D.Enable gateway transit on both VNets so overlapping ranges can route through a shared gateway.
AnswerB

Azure VNet peering requires non-overlapping address spaces. The administrator must change one network to a unique prefix before attempting the peering. Route tables, NSGs, and DNS settings do not solve the fundamental address conflict.

Why this answer

B is correct because Azure VNet peering requires non-overlapping address spaces. VNet-A (10.40.0.0/16) and VNet-B (10.40.128.0/17) overlap, as 10.40.128.0/17 is a subset of 10.40.0.0/16. Before peering can be established, one VNet must be renumbered to eliminate the overlap; otherwise, the peering creation will fail with an error indicating overlapping address spaces.

Exam trap

The trap here is that candidates assume overlapping ranges can be handled with routing or filtering (NSGs, route tables, or gateways), but Azure VNet peering strictly requires non-overlapping address spaces and will reject the peering creation outright.

How to eliminate wrong answers

Option A is wrong because creating the peering now will fail immediately due to overlapping address spaces; adding a route table later does not resolve the fundamental conflict. Option C is wrong because NSG rules control traffic filtering, not address space overlap; overlapping ranges prevent peering from being established at all, regardless of NSG configuration. Option D is wrong because gateway transit does not resolve overlapping address spaces; it allows a peered VNet to use a VPN gateway, but the underlying address space conflict still prevents peering from being created.
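Questions 35 and 39 both turn on whether two address spaces overlap, which is worth checking before the portal rejects the peering. The following is an added example written for this page, not code from the page or from Microsoft; the replacement prefix and the 10.0.0.0/8 pool used to suggest one are assumptions for illustration. It uses the standard library's overlap test and also proposes the first free block of a requested size, which is the starting point for renumbering a spoke.

```python
"""Pre-flight overlap check before creating a VNet peering.

Added example for questions 35 and 39 (not code from the page): Azure refuses a
peering between VNets whose address spaces overlap, and ipaddress can tell you
so before the portal does. The candidate pool used to suggest a replacement
prefix is an assumption for illustration.
"""
import ipaddress
from itertools import product
from typing import List, Optional, Tuple

AddressSpace = List[str]  # one VNet can carry several CIDR prefixes


def overlapping_prefixes(space_a: AddressSpace, space_b: AddressSpace) -> List[Tuple[str, str]]:
    """Every (a, b) pair of prefixes that overlap; empty means the peering can be created."""
    nets_a = [ipaddress.ip_network(p) for p in space_a]
    nets_b = [ipaddress.ip_network(p) for p in space_b]
    return [(str(a), str(b)) for a, b in product(nets_a, nets_b) if a.overlaps(b)]


def can_peer(space_a: AddressSpace, space_b: AddressSpace) -> bool:
    return not overlapping_prefixes(space_a, space_b)


def first_free_prefix(taken: List[AddressSpace], prefixlen: int,
                      pool: str = "10.0.0.0/8") -> Optional[str]:
    """Suggest the first /prefixlen block inside pool that overlaps none of the
    address spaces already in use, as a starting point for renumbering."""
    in_use = [ipaddress.ip_network(p) for space in taken for p in space]
    for block in ipaddress.ip_network(pool).subnets(new_prefix=prefixlen):
        if not any(block.overlaps(n) for n in in_use):
            return str(block)
    return None


# Question 35: spoke 10.40.1.0/24 sits inside hub 10.40.0.0/16.
HUB = ["10.40.0.0/16"]
SPOKE = ["10.40.1.0/24"]
# Question 39: VNet-B is the upper half of VNet-A.
VNET_A = ["10.40.0.0/16"]
VNET_B = ["10.40.128.0/17"]


def check_page_scenarios():
    """Returns (q35_conflicts, q39_conflicts, suggested_spoke_prefix)."""
    return (
        overlapping_prefixes(HUB, SPOKE),
        overlapping_prefixes(VNET_A, VNET_B),
        first_free_prefix([HUB], 24),
    )


if __name__ == "__main__":
    q35, q39, suggestion = check_page_scenarios()
    print("Q35 overlap:", q35)
    print("Q39 overlap:", q39)
    print("first free /24 outside the hub:", suggestion)
    print("peer after renumber:", can_peer(HUB, [suggestion]))
```

Feed `taken` with every VNet you already peer with, plus on-premises prefixes reachable through a gateway, since a spoke that avoids the hub but collides with a branch network will still cause routing trouble after gateway transit is enabled.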

40
MCQeasy

A workload subnet must send all outbound internet traffic through a network virtual appliance at 10.4.2.4. What should the administrator configure?

A.An NSG rule that allows outbound traffic to 10.4.2.4.
B.A route table with a user-defined route sending 0.0.0.0/0 to 10.4.2.4.
C.A private DNS zone for the subnet.
D.A service endpoint for the virtual network.
AnswerB

A default route in a user-defined route table forces all internet-bound traffic to the appliance as the next hop.

Why this answer

Option B is correct because a user-defined route (UDR) with a destination of 0.0.0.0/0 and a next hop of Virtual Appliance (10.4.2.4) overrides the default system route for internet traffic, forcing all outbound traffic from the subnet to be forwarded to the network virtual appliance (NVA) for inspection or NAT. This is the standard method to implement forced tunneling or centralized internet egress in Azure. Two things must also be true for it to work: IP forwarding must be enabled on the appliance's NIC, or Azure drops packets that are not addressed to that NIC, and the appliance's own subnet must not carry the same default route, or its egress would loop back to itself.

Exam trap

The trap here is that candidates confuse NSG rules with routing: an NSG can block or allow traffic, but it cannot change the path traffic takes, so they incorrectly choose Option A thinking a permit rule will force traffic through the appliance.

How to eliminate wrong answers

Option A is wrong because an NSG rule controls traffic that is allowed or denied at the subnet or NIC level, but it does not change the routing path; traffic to 10.4.2.4 would still use the default route unless a UDR is applied. Option C is wrong because a private DNS zone is used for custom domain name resolution within a virtual network, not for controlling outbound internet traffic routing. Option D is wrong because a service endpoint provides direct, optimized connectivity to Azure PaaS services (e.g., Azure Storage, SQL Database) over the Azure backbone, but it does not redirect general internet traffic through an NVA.

41
Multi-Selectmedium

An app on a VM must connect to Azure SQL Database without using the public endpoint. The database name must resolve to a private IP inside the VNet, and public network access should be disabled. Which two actions should the administrator take? Select two.

Select 2 answers
A.Create a private endpoint for the Azure SQL server in the VNet.
B.Link the private DNS zone for the SQL private link domain to the VNet.
C.Enable a service endpoint for Microsoft.Sql on the subnet.
D.Grant the VM's managed identity Reader on the SQL server.
E.Keep public network access enabled and restrict the firewall to the VNet.
AnswersA, B

A private endpoint gives the SQL service a private IP address inside the VNet for private access.

Why this answer

Option A is correct because a private endpoint assigns the Azure SQL Database server a private IP address from the VNet, allowing the VM to connect without using the public endpoint. This keeps traffic on the Microsoft backbone. Option B is correct because the private endpoint only works as intended if the server name resolves to that private IP: linking the privatelink.database.windows.net private DNS zone to the VNet makes the normal server name resolve to the endpoint's private address instead of the public one. A private endpoint adds a private path but does not remove the public one, so the server's public network access must also be set to Disabled to satisfy the last requirement.

Exam trap

The trap here is confusing service endpoints with private endpoints: service endpoints keep the public endpoint active and only add a network-level route, while private endpoints completely remove public exposure by assigning a private IP and requiring DNS reconfiguration.

42
MCQmedium

A hub-and-spoke environment uses a DNS server VM in the hub VNet at 10.8.0.4 to resolve internal names such as app01.corp.local. The spoke VNet can reach hub VMs by IP after peering, but name resolution still fails from the spoke. What should the administrator configure so VMs in the spoke use the hub DNS server?

A.Add an inbound NSG rule on the spoke subnet to allow UDP and TCP 53 to 10.8.0.4.
B.Configure the spoke VNet to use 10.8.0.4 as a custom DNS server.
C.Create a service endpoint for Microsoft.Storage on the spoke subnet.
D.Add a user-defined route for 10.8.0.4/32 pointing to the virtual network gateway.
AnswerB

The DNS servers a VM uses come from its VNet (or NIC) DNS settings, which Azure hands out through DHCP. Once the spoke VNet is configured to use 10.8.0.4, its VMs send name-resolution queries to the hub DNS server across the peering. The setting takes effect at DHCP lease renewal, so restart the spoke VMs or renew their leases after changing it. This is the right fix when direct IP connectivity works but internal names do not resolve.

Why this answer

Option B is correct because in Azure, a spoke VNet must explicitly be configured with a custom DNS server address to use a non-default DNS resolver. By setting the spoke VNet's DNS server to 10.8.0.4, all VMs in the spoke will send their DNS queries to that hub VM, resolving internal names like app01.corp.local. Without this configuration, the spoke VNet uses Azure-provided DNS, which cannot resolve custom private DNS zones hosted on the hub VM.

Exam trap

The trap here is that candidates assume VNet peering automatically forwards DNS queries to the hub's DNS server, but peering only provides IP-level connectivity, not DNS configuration; the spoke VNet must be explicitly set to use the custom DNS server address.

How to eliminate wrong answers

Option A is wrong because a DNS query leaves the spoke as outbound traffic, so an inbound rule on the spoke subnet is not in the path at all; the default AllowVnetInBound rule already admits the query at the hub, because the VirtualNetwork tag covers peered address space, and NSGs cannot change which DNS server a VM is configured to use. Option C is wrong because a service endpoint for Microsoft.Storage is used to secure Azure Storage access to a VNet, not to configure DNS resolution or forward queries to a custom DNS server. Option D is wrong because a user-defined route for 10.8.0.4/32 pointing to the virtual network gateway is irrelevant; DNS traffic to the hub VM uses the peering connection, not a gateway, and UDRs do not change the DNS server configuration of the spoke VNet.

43
MCQmedium

A backend VM must accept TCP 8443 only from the web tier. The subnet NSG already has a deny-all inbound rule at priority 200. The administrator adds an allow rule for the web tier at priority 300, but the connection still fails. What should be changed?

A.Change the allow rule to a lower priority number than 200.
B.Change the allow rule protocol from TCP to Any.
C.Move the VM to a different subnet so the rule can apply.
D.Add a route table entry for TCP 8443 to bypass the NSG.
AnswerA

NSG rules are processed in priority order, where the lowest number wins. The allow rule must be evaluated before the deny-all rule to permit the traffic.

Why this answer

Azure Network Security Groups (NSGs) process rules in priority order, with lower numbers evaluated first. The existing deny-all inbound rule at priority 200 is evaluated before the new allow rule at priority 300, so the deny rule blocks the traffic before the allow rule can be considered. To permit TCP 8443 from the web tier, the allow rule must have a priority number lower than 200 (e.g., 100) so it is evaluated first and allows the traffic.

Exam trap

The trap here is that candidates often assume higher priority numbers (like 300) override lower numbers (like 200), but in Azure NSGs, lower priority numbers are evaluated first, so a deny rule with a lower number will block traffic before a higher-numbered allow rule is ever checked.

How to eliminate wrong answers

Option B is wrong because changing the protocol from TCP to Any does not resolve the priority ordering issue; the deny rule at priority 200 would still block all inbound traffic regardless of protocol. Option C is wrong because moving the VM to a different subnet does not change the fact that the subnet's NSG still has a deny-all rule at priority 200 that would block the traffic; the NSG is applied at the subnet level, not per VM. Option D is wrong because route tables control traffic routing (next hop) and cannot bypass NSG rules; NSGs are stateful firewalls that are evaluated independently of routing, and a route table entry cannot override an NSG deny rule.

44
MCQmedium

A security team requires all outbound traffic from a subnet to pass through an Azure Firewall at 10.1.0.4, including internet-bound traffic from the VMs. What should the administrator configure?

A.Assign a NAT gateway to the subnet and leave the default routing in place.
B.Create a route table with a 0.0.0.0/0 route to 10.1.0.4 and associate it with the subnet.
C.Enable service endpoints for the subnet so outbound traffic stays private.
D.Deploy a public IP on each VM and use NSG rules to inspect the traffic.
AnswerB

Forced tunneling is implemented with a user-defined route that sends the default route to a virtual appliance. By creating a 0.0.0.0/0 UDR that points to the Azure Firewall’s private IP and associating that route table with the subnet, all outbound traffic is steered through the firewall. This is the standard design when the firewall must inspect internet-bound traffic.

Why this answer

Option B is correct because creating a route table with a default route (0.0.0.0/0) pointing to the Azure Firewall private IP (10.1.0.4) and associating it with the subnet forces all outbound traffic, including internet-bound traffic, to be routed through the firewall. The UDR only steers the traffic: the firewall's network and application rules must still permit the flows, and the route table must not be associated with AzureFirewallSubnet itself, or the firewall's own egress would loop back to it.

Exam trap

The trap here is that candidates often confuse NAT gateways or service endpoints as solutions for routing traffic through a firewall, but neither provides the forced routing and inspection required; only a UDR with a default route to the firewall's private IP achieves this.

How to eliminate wrong answers

Option A is wrong because a NAT gateway provides outbound connectivity with source network address translation but does not route traffic through a firewall for inspection; it bypasses the firewall entirely. Option C is wrong because service endpoints enable private access to Azure services over the Microsoft backbone, not internet-bound traffic, and do not route traffic through a firewall. Option D is wrong because assigning public IPs to VMs and using NSG rules allows direct outbound internet access without firewall inspection; NSGs are stateful packet filters, not a routing or inspection solution like Azure Firewall.

45
MCQmedium

Based on the exhibit, web servers can reach a backend VM only after it is added to a specific group. What should the administrator change to allow the traffic to match the existing NSG rule?

A.Add api01's NIC to ASG-Api.
B.Move the deny rule to priority 100.
C.Change the source of the allow rule from ASG-Web to VirtualNetwork.
D.Place api01 in the same subnet as web01.
AnswerA

The NSG rule is already written to permit traffic from ASG-Web to ASG-Api on TCP 8443. The backend NIC is not in the destination ASG, so the allow rule never matches. Adding api01 to ASG-Api makes the existing rule effective without broadening access to the entire subnet.

Why this answer

The exhibit shows that the NSG rule allows traffic from ASG-Web to ASG-Api. Since web01 is in ASG-Web, traffic from web01 to api01 is only permitted if api01 is a member of ASG-Api. Adding api01's NIC to ASG-Api ensures the destination matches the NSG rule, allowing the traffic.

Exam trap

The trap here is that candidates may think subnet placement or rule priority is the issue, but the core concept is that ASG membership must match the rule's destination to allow traffic.

How to eliminate wrong answers

Option B is wrong because moving the deny rule to priority 100 would block all traffic, including the desired traffic from web01 to api01, as it would be evaluated before the allow rule. Option C is wrong because changing the source from ASG-Web to VirtualNetwork would allow traffic from any resource in the virtual network, not just web servers, which is overly permissive and does not address the specific requirement of matching the existing rule. Option D is wrong because placing api01 in the same subnet as web01 does not affect NSG rule matching; NSG rules are evaluated based on the NIC's application security group membership, not subnet placement.
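Questions 33, 34, 43 and 45 all come down to the same two mechanics: rules are walked from the lowest priority number upward and the first match decides, and a source or destination written as an ASG matches by NIC membership rather than by IP address. The following model is an added example written for this page, not code from the page or from Microsoft. NIC names, IP addresses and the 10.0.0.0/16 VNet range are assumptions; the AllowAzureLoadBalancerInBound default rule is left out because it matches a platform tag rather than an address.

```python
"""NSG inbound rule evaluation with application security groups.

Added example for questions 33, 34, 43 and 45 (not code from the page or from
Microsoft): rules are walked from the lowest priority number upward and the
first match decides; a source or destination written as an ASG matches by NIC
membership, never by IP address. NIC names, IP addresses and the 10.0.0.0/16
VNet range are assumptions.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple
import ipaddress


@dataclass(frozen=True)
class Nic:
    name: str
    ip: str
    asgs: FrozenSet[str] = frozenset()  # ASG membership travels with the NIC


@dataclass(frozen=True)
class Rule:
    priority: int          # 100-4096 for custom rules, lower is evaluated first
    name: str
    access: str            # "Allow" or "Deny"
    protocol: str = "Any"  # "Tcp", "Udp" or "Any"
    dest_port: str = "*"   # "*" or a single port as a string
    source: str = "*"      # "*", a CIDR, "VirtualNetwork" or "asg:<name>"
    destination: str = "*"


DEFAULT_INBOUND = [
    Rule(65000, "AllowVnetInBound", "Allow", source="VirtualNetwork", destination="VirtualNetwork"),
    Rule(65500, "DenyAllInBound", "Deny"),
]


def _matches(spec: str, nic: Nic, vnet: ipaddress.IPv4Network) -> bool:
    if spec == "*":
        return True
    if spec.startswith("asg:"):
        return spec[len("asg:"):] in nic.asgs  # membership, not address
    addr = ipaddress.ip_address(nic.ip)
    if spec == "VirtualNetwork":
        return addr in vnet
    return addr in ipaddress.ip_network(spec)


def evaluate_inbound(rules: List[Rule], src: Nic, dst: Nic, protocol: str, port: int,
                     vnet: str = "10.0.0.0/16") -> Tuple[str, str]:
    """Return (access, matching rule name) for a flow arriving at dst."""
    vnet_net = ipaddress.ip_network(vnet)
    for rule in sorted(rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if rule.protocol != "Any" and rule.protocol != protocol:
            continue
        if rule.dest_port not in ("*", str(port)):
            continue
        if not (_matches(rule.source, src, vnet_net) and _matches(rule.destination, dst, vnet_net)):
            continue
        return rule.access, rule.name
    return "Deny", "implicit"  # not reached: DenyAllInBound always matches


def scenario_priority(allow_priority: int) -> Tuple[str, str]:
    """Question 43: custom deny-all at 200; the allow rule only works below it."""
    web = Nic("web01", "10.0.1.4", frozenset({"ASG-Web"}))
    backend = Nic("be01", "10.0.2.4", frozenset({"ASG-Backend"}))
    rules = [
        Rule(200, "DenyAllInbound-custom", "Deny"),
        Rule(allow_priority, "Allow-8443-from-web", "Allow", "Tcp", "8443",
             "asg:ASG-Web", "asg:ASG-Backend"),
    ]
    return evaluate_inbound(rules, web, backend, "Tcp", 8443)


def scenario_asg_membership(api_in_asg: bool, api_ip: str = "10.0.2.10") -> Tuple[str, str]:
    """Questions 33, 34 and 45: the allow rule references ASG-Api, so it matches
    only when api01's NIC is a member, whatever IP the rebuilt VM received."""
    web = Nic("web01", "10.0.1.4", frozenset({"ASG-Web"}))
    api = Nic("api01", api_ip, frozenset({"ASG-Api"}) if api_in_asg else frozenset())
    rules = [
        Rule(100, "Allow-8443-web-to-api", "Allow", "Tcp", "8443", "asg:ASG-Web", "asg:ASG-Api"),
        Rule(4000, "DenyAll-custom", "Deny"),
    ]
    return evaluate_inbound(rules, web, api, "Tcp", 8443)


if __name__ == "__main__":
    print("Q43 allow at 300:", scenario_priority(300))
    print("Q43 allow at 100:", scenario_priority(100))
    print("Q45 api01 outside ASG-Api:", scenario_asg_membership(False))
    print("Q45 api01 inside ASG-Api: ", scenario_asg_membership(True))
    print("Q33 rebuilt backend, new IP:", scenario_asg_membership(True, "10.0.2.77"))
```

The last call is the point of questions 33 and 34: the backend NIC keeps a different address after a rebuild and the rule still matches, because nothing in the ASG comparison looks at the IP. When a real NSG behaves differently from this model, `az network nic list-effective-nsg` shows the merged subnet and NIC rules in the order Azure actually applies them.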

46
MCQ · medium

An application running on a VM in a subnet must access an Azure Storage account. The security team wants the storage account to accept traffic only from that subnet, but they do not want a private IP address in the VNet and they do not want to change DNS records. What should the administrator configure?

A. Create a private endpoint and a private DNS zone for the storage account.
B. Enable a service endpoint for Microsoft.Storage on the subnet and restrict the storage firewall to that subnet.
C. Allow access only from the VM public IP address.
D. Place the storage account in the same resource group as the VM.
Answer: B

A service endpoint extends the subnet identity to the Azure Storage service without creating a private IP address in the VNet. It also avoids DNS changes because clients continue to use the normal public endpoint name, while the storage firewall can be configured to allow only the selected subnet. This matches the requirement for subnet-only access while keeping the service on its public endpoint architecture.

Why this answer

Option B is correct because a service endpoint for Microsoft.Storage allows the subnet to send traffic to the storage account over the Azure backbone network using the storage account's public endpoint, without requiring a private IP address or DNS changes. The storage firewall then restricts access to only that subnet's traffic, meeting the security team's requirements.

Exam trap

The trap here is that candidates often confuse service endpoints with private endpoints, assuming that any restriction to a VNet requires a private IP address, but service endpoints achieve subnet-level restriction using the public endpoint without private IPs or DNS changes.

How to eliminate wrong answers

Option A is wrong because a private endpoint assigns a private IP address to the storage account within the VNet, which violates the requirement to not use a private IP address, and it also requires a private DNS zone to resolve the storage account's FQDN to that private IP, which the team does not want. Option C is wrong because allowing access only from the VM's public IP address does not restrict traffic to the subnet; the VM's public IP can change (e.g., if the VM is deallocated) and does not represent the subnet, plus it exposes the storage account to the internet from that IP. Option D is wrong because placing the storage account in the same resource group as the VM has no effect on network access control; resource groups are logical containers and do not enforce network security.

47
MCQ · medium

Based on the exhibit, which subnet prefix is the smallest that can support the planned resources in Azure?

A. /27
B. /26
C. /25
D. /24
Answer: B

A /26 provides 64 addresses, which is enough after Azure reserves five addresses.

Why this answer

The subnet prefix /26 provides 64 IP addresses per subnet (2^(32-26) = 64), of which 59 are usable after Azure reserves 5 addresses (first 4 and last 1). The planned resources require 50 IP addresses, so /26 is the smallest prefix that meets this requirement without waste. A /27 would only provide 32 total addresses (27 usable), which is insufficient.

Exam trap

The trap here is that candidates often forget Azure reserves 5 IP addresses per subnet (not just 3 like on-premises) and incorrectly calculate usable addresses, leading them to choose /27 thinking 32 addresses are enough when only 27 are usable.

How to eliminate wrong answers

Option A (/27) is wrong because it provides only 32 total IP addresses (27 usable after Azure reservations), which cannot support the 50 required IP addresses. Option C (/25) is wrong because while it provides 128 total IP addresses (123 usable), it is larger than necessary and not the smallest prefix that meets the requirement. Option D (/24) is wrong because it provides 256 total IP addresses (251 usable), which is far larger than needed and not the smallest possible prefix.

48
MCQ · hard

Traffic from Subnet-App to the internet is being routed through a virtual appliance unexpectedly. You need to identify which route is being applied to the network interface of VM-App01. Which Azure feature should you use?

A. Effective routes for the network interface
B. NSG flow logs
C. Azure Policy compliance
D. The subscription activity log
Answer: A

Effective routes display the actual routing behavior applied to the VM NIC.

Why this answer

Effective routes for the network interface (NIC) show the actual routes applied to a specific VM's NIC after evaluating all route tables, virtual network gateway routes, and BGP routes. Since traffic from Subnet-App to the internet is unexpectedly going through a virtual appliance, you need to see which route (e.g., a user-defined route with next hop type VirtualAppliance or VirtualNetworkGateway) is being selected based on the longest prefix match. This view directly displays the effective next hop for each destination prefix, allowing you to identify the misconfigured route causing the traffic to be redirected.

Exam trap

The trap here is that candidates confuse NSG flow logs (which show traffic filtering) with effective routes (which show routing decisions), leading them to pick NSG flow logs when the question is about path selection rather than security rule evaluation.

How to eliminate wrong answers

Option B (NSG flow logs) is wrong because NSG flow logs record allowed or denied traffic flows based on network security group rules, not the routing path or next hop decisions; they cannot show which route is applied. Option C (Azure Policy compliance) is wrong because Azure Policy evaluates resource compliance against defined policies (e.g., tagging, allowed locations), not the effective routing configuration of a NIC. Option D (The subscription activity log) is wrong because the activity log tracks control-plane operations (e.g., creating a route table), not the data-plane routing state or the effective routes currently applied to a NIC.

49
MCQ · medium

A route table contains a user-defined route for 172.16.0.0/16 to a virtual appliance. The ExpressRoute circuit advertises 172.16.10.0/24. A VM in the subnet sends traffic to 172.16.10.20. Which route does Azure use?

A. The user-defined route, because UDRs always beat BGP routes.
B. The BGP route, because it has the more specific prefix length.
C. The system route to the virtual network, because system routes are preferred over learned routes.
D. No route is chosen because Azure does not support overlapping prefixes.
Answer: B

Azure route selection uses longest-prefix match before considering route source precedence. The BGP route for 172.16.10.0/24 is more specific than the UDR for 172.16.0.0/16, so the /24 route is selected for traffic to 172.16.10.20. Source precedence only matters when multiple routes have the same prefix length.

Why this answer

Azure uses the most specific prefix match to determine the next hop. The BGP route for 172.16.10.0/24 has a longer prefix length (24) than the user-defined route for 172.16.0.0/16 (16), so the BGP route is preferred regardless of route source priority. This follows the longest prefix match (LPM) algorithm, which overrides the default preference order of UDRs over BGP routes.

Exam trap

The trap here is that candidates assume UDRs always override BGP routes, but Azure applies longest prefix match first, so a more specific BGP route will be used over a less specific UDR.

How to eliminate wrong answers

Option A is wrong because UDRs do not always beat BGP routes; the longest prefix match (LPM) takes precedence over route source priority, so a more specific BGP route (e.g., /24) will be chosen over a less specific UDR (e.g., /16). Option C is wrong because system routes are only used when no user-defined or BGP route matches; here, both a UDR and a BGP route exist, and the more specific BGP route is selected. Option D is wrong because Azure supports overlapping prefixes; it resolves conflicts using LPM, not by discarding traffic.

50
MCQ · medium

A company is creating a new spoke virtual network that will be peered to an existing hub VNet. The hub uses 10.40.0.0/16, and an on-premises network already uses 10.41.0.0/16. The spoke must support about 120 endpoints now and should allow room for growth. Which address space should you assign to the new spoke VNet?

A. 10.40.64.0/25
B. 10.42.0.0/24
C. 10.41.128.0/24
D. 192.168.10.0/26
Answer: B

This is a non-overlapping private range that is large enough for the current requirement and leaves room for adding more subnets later.

Why this answer

Option B (10.42.0.0/24) is correct because it provides 256 IP addresses (251 usable) for the spoke, which exceeds the requirement of ~120 endpoints with room for growth, and it does not overlap with the hub VNet (10.40.0.0/16) or the on-premises network (10.41.0.0/16). This ensures successful VNet peering without IP address conflicts.

Exam trap

The trap here is that candidates often overlook the on-premises address space (10.41.0.0/16) and mistakenly choose an overlapping range like 10.41.128.0/24, assuming only the hub VNet's address space must be avoided.

How to eliminate wrong answers

Option A is wrong because 10.40.64.0/25 falls within the hub VNet's 10.40.0.0/16 range, causing an IP address overlap that would prevent VNet peering. Option C is wrong because 10.41.128.0/24 falls within the on-premises network's 10.41.0.0/16 range, creating a conflict with the existing on-premises address space. Option D is wrong because 192.168.10.0/26 provides only 64 IP addresses (62 usable), which is insufficient for the required 120 endpoints and future growth.

51
Multi-Select · medium

You are designing an Azure virtual network for a three-tier application. The frontend, application, and database tiers each require their own subnet. You need to ensure that the frontend tier can communicate with the application tier, but the database tier must be isolated from direct inbound traffic from the internet. Which three of the following actions should you include in your design? (Choose three.)

Select 3 answers
- Assign a network security group (NSG) to the database subnet that denies all inbound traffic from the internet.
- Create a single virtual network with three subnets: frontend, application, and database.
- Configure a virtual network peering to connect the frontend and database subnets.
- Use Azure Firewall to inspect traffic between the frontend and application tiers.
- Route traffic from the application tier to the database tier using a user-defined route (UDR) pointing to the Azure Firewall.
- Place all three tiers in the same virtual network using separate subnets.

Why this answer

Assigning a network security group (NSG) to the database subnet that denies all inbound traffic from the internet is correct because NSGs act as a distributed, stateful firewall at the subnet or NIC level. By default, NSGs allow all inbound traffic from within the virtual network, so you must explicitly add a deny rule for internet traffic (source 'Internet') to isolate the database tier. This ensures the database subnet is protected from direct inbound internet traffic while still allowing traffic from the application tier via the default allow rule for virtual network traffic.

Exam trap

The trap here is that candidates often think they need to create separate virtual networks or use complex routing/firewall rules for isolation, when in fact a single VNet with subnets and an NSG on the database subnet is sufficient to meet the requirement of isolating the database from the internet while allowing frontend-to-application communication.

52
MCQ · hard

Users on the internet cannot reach an HTTPS application hosted on VM-Web01. The VM has a public IP address, the application is listening on TCP port 443, and the guest OS firewall allows the traffic. What is the most likely Azure-side cause?

A. The NSG blocks inbound TCP 443
B. The VM uses Premium SSD
C. Azure Backup is not enabled
D. The storage account uses GRS
Answer: A

A missing allow rule or an explicit deny rule in the NSG will block internet access to the web application.

Why this answer

The most likely Azure-side cause is that a Network Security Group (NSG) associated with the VM's subnet or NIC is blocking inbound TCP port 443. Even if the VM has a public IP, the application is listening, and the guest OS firewall allows traffic, an NSG rule denying inbound HTTPS traffic will prevent external users from reaching the application. NSGs act as a distributed firewall filtering traffic at the Azure network layer before it reaches the VM.

Exam trap

The trap here is that candidates often focus on the VM's guest OS firewall or public IP configuration, overlooking the NSG as the first line of defense in Azure's network security model.

How to eliminate wrong answers

Option B is wrong because Premium SSD affects disk performance and IOPS, not network connectivity or firewall rules. Option C is wrong because Azure Backup is a data protection service that does not influence inbound network traffic or port accessibility. Option D is wrong because storage account replication (GRS) is unrelated to VM networking; it controls data redundancy for blob storage, not network traffic to a VM.

53
MCQ · easy

A team manages many application VMs and backend VMs. The VM IP addresses change whenever they are rebuilt, but the same traffic rule must always allow the app tier to reach the backend tier on TCP 8443. What should the administrator use in the NSG rule?

A. Static private IP addresses for each virtual machine.
B. Application Security Groups for the app and backend VMs.
C. A user-defined route between the app and backend subnets.
D. An availability set for each tier.
Answer: B

ASGs let you group VMs by function and reference those groups in NSG rules, so IP changes do not require rule updates.

Why this answer

Application Security Groups (ASGs) allow you to group VMs logically and reference them directly in NSG rules without relying on static IP addresses. Since the VM IPs change on rebuild, ASGs ensure the NSG rule for TCP 8443 always applies to the correct app and backend tiers, regardless of IP changes.

Exam trap

The trap here is that candidates often default to static IPs (Option A) for consistency, overlooking that ASGs provide a dynamic, IP-agnostic solution that directly addresses the rebuild scenario.

How to eliminate wrong answers

Option A is wrong because static private IP addresses would require manual reconfiguration after each rebuild and do not scale, whereas the question specifically states IPs change on rebuild. Option C is wrong because user-defined routes (UDRs) control traffic routing between subnets, not firewall rules for specific ports like TCP 8443; NSGs handle port-based access control. Option D is wrong because an availability set provides high availability through fault and update domains but does not influence NSG rule matching or IP addressing for traffic filtering.

54
MCQ · easy

Two application teams created separate virtual networks so their workloads can communicate through VNet peering. VNet-A uses 10.20.0.0/16. VNet-B was created with 10.20.128.0/17. The peering request fails during validation. What is the best fix?

A. Add an NSG rule to allow traffic between the two VNets.
B. Change one VNet to use a non-overlapping address space.
C. Create a private endpoint in each VNet.
D. Attach a route table to both subnets.
Answer: B

VNet peering requires non-overlapping IP ranges. Readdressing one VNet removes the conflict and allows peering to be created.

Why this answer

VNet peering requires that the address spaces of the peered virtual networks do not overlap. VNet-A uses 10.20.0.0/16, which includes the entire range from 10.20.0.0 to 10.20.255.255. VNet-B uses 10.20.128.0/17, which is a subset of VNet-A's range (10.20.128.0 to 10.20.255.255).

This overlap causes the peering validation to fail because Azure cannot route traffic between overlapping address spaces. Changing one VNet to a non-overlapping address space resolves the conflict.

Exam trap

The trap here is that candidates may think NSG rules or route tables can fix connectivity issues between peered VNets, but the peering validation itself fails due to overlapping address spaces, which is a fundamental design constraint that cannot be overridden by network security or routing policies.

How to eliminate wrong answers

Option A is wrong because NSG rules control traffic filtering at the subnet or NIC level, but they cannot resolve an address space overlap; peering itself fails before any traffic flows. Option C is wrong because private endpoints are used to securely connect to Azure PaaS services over a private IP, not to enable VNet peering between overlapping address spaces. Option D is wrong because route tables (UDRs) define custom routes for traffic within a VNet, but they cannot override the fundamental requirement that peered VNets must have non-overlapping address spaces.
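The subnet-sizing arithmetic from question 47 and the overlap checks from questions 50 and 54 can be scripted with the standard library alone. The following is an added example, not code from the question bank; it applies Azure's five reserved addresses per subnet, counts a candidate address space as if it were carved into a single subnet, and uses the hub and on-premises ranges from question 50 as constructed input.

```python
"""Added example (not from the question bank): sizing an Azure subnet and
checking a candidate address space for overlap with existing ranges."""
import ipaddress
from typing import Dict, Iterable, List

AZURE_RESERVED_PER_SUBNET = 5   # network, default gateway, two Azure DNS, broadcast
AZURE_SMALLEST_SUBNET = 29      # Azure does not allow subnets smaller than /29


def usable_addresses(prefix: str) -> int:
    """Host addresses left after Azure's five reserved addresses."""
    net = ipaddress.ip_network(prefix, strict=False)
    return max(net.num_addresses - AZURE_RESERVED_PER_SUBNET, 0)


def smallest_azure_prefix(required_hosts: int) -> int:
    """Longest prefix length (smallest subnet) whose usable count meets the requirement."""
    for plen in range(AZURE_SMALLEST_SUBNET, -1, -1):
        if 2 ** (32 - plen) - AZURE_RESERVED_PER_SUBNET >= required_hosts:
            return plen
    raise ValueError("requirement exceeds the IPv4 address space")


def overlapping_ranges(candidate: str, existing: Iterable[str]) -> List[str]:
    """Ranges in `existing` that overlap `candidate`; peering needs this list to be empty."""
    cand = ipaddress.ip_network(candidate, strict=False)
    return [r for r in existing if cand.overlaps(ipaddress.ip_network(r, strict=False))]


def evaluate_candidate(candidate: str, existing: Iterable[str], required_hosts: int) -> Dict:
    """Combine both checks the way the spoke-VNet question does: size and no overlap."""
    conflicts = overlapping_ranges(candidate, existing)
    usable = usable_addresses(candidate)
    return {
        "candidate": candidate,
        "usable": usable,
        "conflicts": conflicts,
        "fits": usable >= required_hosts and not conflicts,
    }


if __name__ == "__main__":
    # Constructed input from question 50: hub VNet and on-premises range.
    existing = ["10.40.0.0/16", "10.41.0.0/16"]
    for option in ["10.40.64.0/25", "10.42.0.0/24", "10.41.128.0/24", "192.168.10.0/26"]:
        print(evaluate_candidate(option, existing, required_hosts=120))
    print("smallest Azure prefix for 50 hosts: /%d" % smallest_azure_prefix(50))
```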

55
MCQ · hard

A subnet contains two NSGs: one associated with the subnet and one associated with the NIC of VM-App03. You need to determine whether inbound TCP 3389 from the internet is allowed. What is the correct interpretation?

A. The NIC NSG always overrides the subnet NSG.
B. Inbound traffic is allowed as long as one NSG has an allow rule.
C. The effective rules are determined by evaluating both NSGs together, and a deny in either applicable path can block access.
D. Subnet NSGs apply only to outbound traffic.
Answer: C

This reflects how effective NSG rules are evaluated for a VM NIC and its subnet.

Why this answer

When a subnet NSG and a NIC NSG are both applied, Azure evaluates the effective rules by combining both NSGs. Inbound traffic must be allowed by both NSGs along the traffic path; if either NSG has a deny rule that matches the traffic (e.g., a default deny rule for inbound internet traffic), the traffic is blocked. Option C correctly states that a deny in either applicable path can block access, which is the fundamental behavior of NSG evaluation in Azure.

Exam trap

The trap here is that candidates often assume the NIC NSG overrides the subnet NSG (Option A) or that an allow in one NSG is sufficient (Option B), but Azure requires both NSGs to permit the traffic for it to be allowed.

How to eliminate wrong answers

Option A is wrong because the NIC NSG does not always override the subnet NSG; instead, both NSGs are evaluated, and the most restrictive rule applies (a deny in either NSG blocks traffic). Option B is wrong because inbound traffic is not allowed as long as one NSG has an allow rule; both NSGs must allow the traffic, and a deny in either NSG overrides any allow. Option D is wrong because subnet NSGs apply to both inbound and outbound traffic, not just outbound traffic; they filter traffic at the subnet level for all resources within that subnet.

56
Multi-Select · medium

A storage account must remain on its public endpoint, but only one Azure subnet named AppSubnet should be allowed to access it from Azure. No private IP is required. Which two actions should the administrator take? Select two.

Select 2 answers
A. Enable the Microsoft.Storage service endpoint on AppSubnet.
B. Configure the storage account networking firewall to allow the selected virtual network and subnet.
C. Create a private endpoint and disable public network access.
D. Link a private DNS zone to AppSubnet.
E. Assign the Reader RBAC role to AppSubnet.
Answers: A, B

The service endpoint lets Azure identify traffic from that subnet when it reaches the storage service.

Why this answer

Option A is correct because enabling the Microsoft.Storage service endpoint on AppSubnet allows traffic from that subnet to the storage account over the Azure backbone network, using the public endpoint while restricting access to only that subnet. Option B is correct because configuring the storage account's networking firewall to allow the selected virtual network and subnet explicitly permits traffic from AppSubnet while blocking all other public access, meeting the requirement to keep the public endpoint but limit access to one subnet.

Exam trap

The trap here is that candidates often confuse service endpoints with private endpoints, assuming that restricting access to a single subnet requires a private IP and disabling public access, when in fact service endpoints achieve the same goal without changing the endpoint type.

57
MCQ · medium

A branch office uses an on-premises firewall that supports IPsec/IKE and has a stable public IP. The office needs always-on private connectivity to an Azure VNet over the internet. Which Azure component should the administrator deploy?

A. A site-to-site connection using Azure VPN Gateway.
B. VNet peering between the branch office and the Azure VNet.
C. Azure Bastion in the target VNet.
D. A private endpoint for the Azure VNet.
Answer: A

A site-to-site VPN with Azure VPN Gateway is designed for permanent encrypted connectivity between an on-premises network and an Azure VNet. The branch firewall can establish an IPsec/IKE tunnel to the gateway using its public IP, which matches the scenario. This approach provides private connectivity across the internet without exposing the workload directly to public endpoints. It is the standard choice for hybrid network connectivity when ExpressRoute is not required.

Why this answer

A site-to-site VPN connection using Azure VPN Gateway is the correct choice because it provides always-on, encrypted connectivity over the internet between an on-premises network with a stable public IP and an Azure VNet. Azure VPN Gateway supports IPsec/IKE protocols, which are compatible with the branch office's firewall, enabling a secure tunnel that meets the requirement for private connectivity.

Exam trap

The trap here is that candidates often confuse VNet peering (which only works between Azure VNets) with site-to-site VPN connectivity, or they mistakenly think Azure Bastion or private endpoints can provide network-level connectivity to on-premises networks.

How to eliminate wrong answers

Option B is wrong because VNet peering connects two Azure VNets within the Azure backbone, not an on-premises network to an Azure VNet; it cannot extend to a branch office over the internet. Option C is wrong because Azure Bastion provides secure RDP/SSH access to Azure VMs without exposing public IPs, but it does not establish network connectivity between an on-premises network and an Azure VNet. Option D is wrong because a private endpoint enables private access to Azure PaaS services from within a VNet, not site-to-site connectivity between an on-premises network and an Azure VNet.

58
MCQ · medium

A subnet is associated with a NAT gateway, but its route table also contains a 0.0.0.0/0 route to a virtual appliance at 10.2.0.4. The business wants all outbound internet traffic from the VMs to use one static public IP, and inspection by the appliance is no longer required. What should the administrator change?

A. Add a public IP address directly to each virtual machine NIC.
B. Remove the 0.0.0.0/0 user-defined route from the subnet.
C. Enable service endpoints for the subnet.
D. Change the NAT gateway to a zone-redundant SKU.
Answer: B

The default route to the virtual appliance forces all internet-bound traffic away from the subnet's NAT gateway. Because NAT gateway only handles outbound traffic that is not sent to another next hop, the UDR prevents the NAT gateway from being used. Removing the default route allows the subnet to use the NAT gateway's static public IP for outbound internet connections while keeping routing simple.

Why this answer

The correct answer is B because removing the 0.0.0.0/0 user-defined route (UDR) from the subnet's route table will allow the NAT gateway to handle all outbound internet traffic. The NAT gateway provides a single static public IP for outbound traffic, and since inspection by the virtual appliance is no longer required, the conflicting UDR that directs traffic to the appliance must be deleted. This ensures that the subnet's default route points to the NAT gateway, which uses Source Network Address Translation (SNAT) to translate private IPs to the static public IP.

Exam trap

The trap here is that candidates often think adding a public IP to VMs (Option A) is simpler or that service endpoints (Option C) can replace a NAT gateway for general internet access, but they fail to recognize that the existing UDR is the direct conflict preventing the NAT gateway from being the default route for outbound traffic.

How to eliminate wrong answers

Option A is wrong because adding a public IP directly to each VM NIC would bypass the NAT gateway, resulting in multiple public IPs and failing the requirement for a single static public IP; it also introduces security risks and management overhead. Option C is wrong because service endpoints provide secure, direct connectivity to Azure PaaS services over the Azure backbone, not outbound internet traffic, and they do not provide a static public IP for general internet access. Option D is wrong because changing the NAT gateway to a zone-redundant SKU improves availability but does not resolve the routing conflict caused by the 0.0.0.0/0 UDR pointing to the virtual appliance.

59
MCQ · easy

A subnet has an NSG with a custom inbound deny-all rule at priority 200. You need to allow HTTPS traffic to a VM in that subnet from any source. Which action should you take?

A. Create an inbound allow rule for TCP 443 with priority 300.
B. Create an inbound allow rule for TCP 443 with priority 100.
C. Change the deny-all rule to outbound instead of inbound.
D. Add a route table entry for port 443 traffic to the VM subnet.
Answer: B

A smaller priority number is evaluated first, so a priority 100 allow rule will match before the deny-all rule.

Why this answer

NSG rules are evaluated in priority order, with lower numbers evaluated first. The existing deny-all rule at priority 200 blocks all inbound traffic. To allow HTTPS (TCP 443) before the deny rule is evaluated, you must create an allow rule with a priority lower than 200, such as priority 100.

This ensures the allow rule is processed first, permitting the traffic.

Exam trap

The trap here is that candidates often think higher priority numbers (like 300) are evaluated first, or they confuse NSG rule priority with route table priority, leading them to choose a higher priority number or a route table entry instead of a lower priority allow rule.

How to eliminate wrong answers

Option A is wrong because a priority of 300 is higher than the deny-all rule's priority of 200, meaning the deny rule will be evaluated first and block the HTTPS traffic before the allow rule is reached. Option C is wrong because changing the deny rule to outbound would not affect inbound HTTPS traffic; the inbound deny-all rule would still block it. Option D is wrong because route tables control the path traffic takes through the virtual network, not whether traffic is permitted or denied; NSGs are the firewall that filters traffic.

60
Multi-Select · hard

A subnet has a route table with these user-defined routes: 10.10.0.0/16 to Virtual appliance, 10.10.5.0/24 to Virtual network gateway, and 10.10.5.128/25 to Virtual network. A VM in the subnet sends traffic to several destinations. Which three next-hop decisions are correct? Select three.

Select 3 answers
A. Traffic to 10.10.5.9 uses Virtual network gateway.
B. Traffic to 10.10.5.200 uses Virtual network.
C. Traffic to 10.10.8.4 uses Virtual appliance.
D. Traffic to 10.10.5.9 uses Virtual appliance.
E. Traffic to 8.8.8.8 uses Virtual appliance.
Answers: A, B, C

The /24 route is more specific than the broader /16 route, so it wins for 10.10.5.9.

Why this answer

Option A is correct because the route table uses longest prefix match. The destination 10.10.5.9 falls within the 10.10.5.0/24 range, which has a more specific prefix (24 bits) than 10.10.0.0/16 (16 bits). The user-defined route for 10.10.5.0/24 specifies a next hop of Virtual network gateway, so traffic to 10.10.5.9 is forwarded to the gateway.

Exam trap

The trap here is that candidates often assume a broader route (like 10.10.0.0/16 to Virtual appliance) applies to all subnets, forgetting that more specific user-defined routes (like 10.10.5.0/24 to Virtual network gateway) take precedence via longest prefix match, and that public IPs like 8.8.8.8 are not matched by private address space routes.

61
Multi-Select · medium

A subnet already has a 0.0.0.0/0 route that sends traffic to a virtual appliance at 10.1.1.4. One server in that subnet must reach 172.16.1.0/24 directly through the Internet, while all other traffic should still use the appliance. Which two actions are required? Select two.

Select 2 answers
A. Add a more specific user-defined route for 172.16.1.0/24 with next hop type Internet.
B. Associate the route table with the subnet that contains the server.
C. Create an NSG rule that allows outbound Internet traffic.
D. Enable a service endpoint for the Internet destination.
E. Change the subnet address space to a smaller CIDR.
Answers: A, B

A longer prefix beats the broader 0.0.0.0/0 route, so only that destination uses the Internet path.

Why this answer

A is correct because a more specific user-defined route (UDR) for 172.16.1.0/24 with next hop type Internet overrides the existing 0.0.0.0/0 route that points to the virtual appliance. Azure uses longest prefix match, so the /24 route takes precedence for traffic to that destination, sending it directly to the Internet instead of through the appliance.

Exam trap

The trap here is that candidates often think an NSG rule is needed to allow outbound Internet traffic, but Azure VMs have default outbound connectivity via SNAT, so the routing decision (UDR) is the only missing piece, not a firewall rule.

62
Multi-Select · medium

You are designing a virtual networking solution for a critical application deployed across multiple Azure regions. You need to ensure secure, high-performance, and resilient connectivity between the virtual networks. Which four of the following options should you consider? (Choose four.)

Select 4 answers
- Use VNet peering with Gateway Transit to connect the virtual networks.
- Configure Azure VPN Gateway with active-active mode to provide high availability for site-to-site connections.
- Implement Azure Private Link to expose the application's backend service securely over the Microsoft backbone network.
- Deploy Azure Virtual Network Manager to dynamically manage and enforce connectivity rules across multiple virtual networks.
- Use Azure ExpressRoute with FastPath enabled to reduce latency and improve data throughput between the virtual networks.
- Create a single VNet spanning multiple regions using a large contiguous address space to simplify routing.

Why this answer

VNet peering with Gateway Transit is correct because it allows virtual networks to connect through a shared VPN gateway, enabling secure and efficient cross-region communication without deploying separate gateways. This approach leverages the Azure backbone for low-latency, high-bandwidth connectivity while maintaining isolation and control over routing policies.

Exam trap

The trap here is that candidates often confuse ExpressRoute as a solution for VNet-to-VNet connectivity, but ExpressRoute is strictly for hybrid connectivity between on-premises and Azure, not for inter-VNet traffic within Azure.

63
MCQ · medium

Based on the exhibit, what next hop will the VM use when it sends traffic to 10.30.5.10?

A. Virtual appliance at the user-defined next hop
B. Virtual network gateway
C. Internet
D. Virtual network
Answer: B

The BGP route to 10.30.0.0/16 is the most specific matching route and therefore takes precedence.

Why this answer

The VM's effective route table shows a route for 10.30.5.0/24 with a next hop type of 'Virtual network gateway'. Since 10.30.5.10 falls within this prefix, the VM will use the virtual network gateway as the next hop. This overrides the default virtual network (local) route because it is a more specific prefix match.

Exam trap

The trap here is that candidates see a 10.x destination, assume it must lie inside the virtual network's own address space, and pick the 'Virtual network' next hop (Option D). Azure selects the longest matching prefix, so a more specific route such as 10.30.5.0/24 learned through the gateway overrides any broader system route that also covers the address.

How to eliminate wrong answers

Option A is wrong because the exhibit does not show a user-defined route with a 'Virtual appliance' next hop covering 10.30.5.0/24; the matching route's next hop type is explicitly 'Virtual network gateway'. Option C is wrong because only the 0.0.0.0/0 default route points to the Internet, and the far more specific 10.30.5.0/24 route takes precedence over it. Option D is wrong because the 'Virtual network' system route covers only the VNet's own address space, and even where a broader system route overlaps the destination, the more specific 10.30.5.0/24 route with the 'Virtual network gateway' next hop wins the longest-prefix match.

64
MCQmedium

An application subnet has a network security group with these inbound rules: Allow-Web-From-Internet at priority 200, Allow-App-From-Web at priority 300, and Deny-All-Inbound at priority 250. The web tier must reach the app tier on TCP 8080, but traffic is being denied. The administrator confirms the source and destination IPs are correct. What is the best fix?

A.Delete the Deny-All-Inbound rule because default NSG rules will allow the traffic.
B.Change the Allow-App-From-Web rule to a lower priority number than 250.
C.Add a route table entry for TCP 8080 traffic to bypass the NSG.
D.Move the Allow-Web-From-Internet rule to priority 400.
AnswerB

NSG rules are processed in priority order, and the lowest number wins. Because Deny-All-Inbound at 250 is evaluated before the allow rule at 300, it blocks the traffic first. Moving the allow rule to a lower number than 250 lets the permitted web-to-app traffic match before the deny rule is applied.

Why this answer

The Deny-All-Inbound rule at priority 250 is evaluated before the Allow-App-From-Web rule at priority 300 because lower priority numbers are processed first. To allow web-to-app traffic on TCP 8080, the Allow-App-From-Web rule must have a lower priority number (e.g., 240) than the Deny-All-Inbound rule so it is evaluated and applied first, permitting the traffic before the deny rule blocks it.

Exam trap

The trap here is that candidates assume all rules are evaluated and the most specific rule wins, but in Azure NSGs, priority order (numerical value) strictly determines evaluation sequence, not specificity or rule type.

How to eliminate wrong answers

Option A is wrong because the problem is rule ordering, not the existence of the deny rule: the Allow-App-From-Web rule already exists and would match as soon as it is evaluated before the deny. Deleting Deny-All-Inbound would let the traffic through, but it also discards the explicit deny-by-default posture; the default AllowVnetInBound rule (priority 65000) would then admit traffic from any address in the virtual network to the app subnet, not just the web tier. Option C is wrong because route tables control traffic routing at Layer 3 (IP forwarding) and cannot bypass NSG rules, which are stateful packet filters applied at the subnet or NIC level. Option D is wrong because moving the Allow-Web-From-Internet rule to a higher priority number (400) does not affect the conflict between the Allow-App-From-Web and Deny-All-Inbound rules; the web-to-app traffic is still denied by the deny rule that is evaluated first.

65
MCQmedium

A web app running on an Azure VM must connect to an Azure SQL Database instance. The security team requires the database to be reachable through a private IP inside the VNet, and the application should keep using the normal SQL server name without any connection string change. What should the administrator implement?

A.A service endpoint on the subnet and a firewall rule on the SQL server.
B.A private endpoint for Azure SQL and the corresponding private DNS zone linked to the VNet.
C.A public endpoint with selected network access and a network security group on the VM subnet.
D.A virtual network peering connection to the SQL service subnet.
AnswerB

A private endpoint gives the SQL service a private IP address inside the VNet, and the private DNS zone allows the standard SQL name to resolve to that address. This meets both requirements: private network access and no connection string change. It is the correct Azure Private Link pattern for secure PaaS access.

Why this answer

Option B is correct because a private endpoint assigns Azure SQL Database a private IP from the VNet, making it reachable via a private IP while preserving the normal SQL server FQDN. The corresponding private DNS zone (privatelink.database.windows.net) linked to the VNet ensures that DNS resolution of the SQL server name resolves to the private IP, so no connection string changes are needed. This meets the security requirement of private IP reachability and the application requirement of unchanged connection strings.

Exam trap

The trap here is that candidates confuse service endpoints (which still use public IPs) with private endpoints (which use private IPs), leading them to choose Option A, thinking it provides private IP connectivity when it only provides source subnet restriction via the public endpoint.

How to eliminate wrong answers

Option A is wrong because a service endpoint exposes the SQL server to the subnet via its public endpoint, not a private IP, and requires a firewall rule to allow traffic from the subnet, which does not satisfy the 'private IP inside the VNet' requirement. Option C is wrong because a public endpoint with selected network access still uses a public IP, not a private IP, and a network security group on the VM subnet does not change the SQL server's public endpoint nature. Option D is wrong because virtual network peering connects VNets, but Azure SQL Database is a PaaS service, not a service subnet, so peering does not provide a private IP for the database.

66
MCQmedium

A subnet has a user-defined route for 0.0.0.0/0 that sends all outbound traffic to a virtual appliance. Traffic to 10.20.4.12 must instead go directly to an Azure VPN gateway. What should you configure?

A.Add a network security group rule that allows traffic to 10.20.4.12.
B.Add a more specific UDR for 10.20.4.0/24 that uses the virtual network gateway next hop.
C.Increase the priority of the 0.0.0.0/0 route so it is preferred less often.
D.Remove the VPN gateway association from the virtual network.
AnswerB

Azure uses longest-prefix match, so the more specific route overrides the broader 0.0.0.0/0 entry.

Why this answer

Option B is correct because Azure selects routes by longest prefix match. The existing 0.0.0.0/0 route sends all outbound traffic to the virtual appliance, but a more specific route for 10.20.4.0/24 with a next hop type of 'Virtual network gateway' overrides it for that destination prefix, so traffic to 10.20.4.12 is handed to the VPN gateway. The gateway must itself know a path to 10.20.4.0/24 (a static route on the connection or a BGP-learned prefix); a UDR can steer traffic into the gateway, but if the gateway has no route for the destination the traffic is dropped.

Exam trap

The trap here is that candidates confuse NSG rules with routing decisions, thinking that allowing traffic in an NSG will change the path it takes, when in fact NSGs only filter traffic and do not influence the next hop.

How to eliminate wrong answers

Option A is wrong because network security group (NSG) rules control inbound and outbound traffic filtering (allow/deny based on IP, port, protocol), not routing decisions; they cannot change the path traffic takes. Option C is wrong because UDR priority is based on prefix length (more specific prefix wins), not a numeric priority value; increasing the priority of the 0.0.0.0/0 route does not affect its preference over a more specific route. Option D is wrong because removing the VPN gateway association from the virtual network would break all VPN connectivity, not just the traffic to 10.20.4.12, and does not solve the routing requirement.
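The longest-prefix-match logic behind this question and question 63 above, as an added worked example (Python, written for this page, not Azure code): it models how Azure picks among system, user-defined and BGP-learned routes for a destination, how a tie on prefix length is broken (user-defined beats BGP beats system), and which system routes the portal would show as Invalid. The VNet address space, the NVA address 10.0.1.4 and the prefixes are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Added example, not Azure code. Addresses, prefixes and next-hop IPs are constructed.

# When several routes cover a destination with the same prefix length, Azure prefers a
# user-defined route over a BGP-learned route, and either of those over a system route.
SOURCE_RANK = {"User": 0, "BGP": 1, "System": 2}   # lower value wins a tie

@dataclass(frozen=True)
class Route:
    prefix: str          # e.g. "10.20.4.0/24"
    next_hop_type: str   # "Virtual network", "Virtual network gateway", "Virtual appliance", "Internet"
    source: str          # "System", "User" (route table) or "BGP" (learned through the gateway)
    next_hop_ip: Optional[str] = None   # only meaningful for "Virtual appliance"

def select_route(routes: Iterable[Route], destination: str) -> Optional[Route]:
    """Pick the route Azure would use: longest prefix first, then source precedence."""
    dst = ipaddress.ip_address(destination)
    candidates = [r for r in routes if dst in ipaddress.ip_network(r.prefix)]
    if not candidates:
        return None                      # no covering route at all: the packet is dropped
    return min(candidates,
               key=lambda r: (-ipaddress.ip_network(r.prefix).prefixlen, SOURCE_RANK[r.source]))

def invalidated_system_routes(routes: Iterable[Route]) -> List[str]:
    """Prefixes whose system route the portal marks 'Invalid' because a user-defined or
    BGP route with the identical prefix takes precedence over it."""
    routes = list(routes)
    overriding = {r.prefix for r in routes if r.source != "System"}
    return sorted(r.prefix for r in routes if r.source == "System" and r.prefix in overriding)

# Constructed effective-route table for a VM in a 10.0.0.0/16 VNet whose subnet has a
# 0.0.0.0/0 UDR to an NVA, a UDR exception for 10.20.4.0/24 via the VPN gateway, and a
# BGP-learned on-premises prefix 10.30.0.0/16 (question 63's scenario).
EFFECTIVE_ROUTES = [
    Route("10.0.0.0/16", "Virtual network", "System"),
    Route("0.0.0.0/0", "Internet", "System"),
    Route("0.0.0.0/0", "Virtual appliance", "User", "10.0.1.4"),
    Route("10.20.4.0/24", "Virtual network gateway", "User"),
    Route("10.30.0.0/16", "Virtual network gateway", "BGP"),
]

def next_hop_for(destination: str, routes: Iterable[Route] = EFFECTIVE_ROUTES) -> str:
    route = select_route(routes, destination)
    return "None" if route is None else route.next_hop_type

if __name__ == "__main__":
    for dst in ("10.0.3.7", "10.20.4.12", "10.30.5.10", "10.20.9.1", "8.8.8.8"):
        print(f"{dst:>12} -> {next_hop_for(dst)}")
    print("invalidated system routes:", invalidated_system_routes(EFFECTIVE_ROUTES))
```

Note that the NSG never appears in this model: an allow rule changes nothing about which of these routes is chosen, which is why Option A above cannot work.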

67
MCQmedium

A hub VNet already has a VPN gateway connected to on-premises. A new spoke VNet must reach on-premises through the hub gateway and should not deploy its own gateway. What configuration should be enabled on the peering?

A.Enable gateway transit on the hub peering and Use remote gateways on the spoke peering.
B.Create a service endpoint from the spoke to the hub.
C.Add a default route to Internet in the spoke subnet.
D.Enable accelerated networking on the spoke subnet.
AnswerA

This is the correct hub-and-spoke configuration when only the hub should own the VPN gateway. Gateway transit allows the hub to share its gateway with peered VNets, and the spoke must be configured to use the remote gateway. Together, these settings let the spoke route on-premises traffic through the hub gateway without deploying another gateway or duplicating connectivity infrastructure.

Why this answer

Option A is correct because enabling 'Allow gateway transit' on the hub side of the peering and 'Use remote gateways' on the spoke side lets the spoke route on-premises traffic through the hub's VPN gateway without deploying its own. The on-premises prefixes the hub gateway knows (static, or BGP-learned if the connection uses BGP) are propagated into the spoke's effective routes with the virtual network gateway as next hop, and the gateway advertises the spoke's address space to on-premises so return traffic has a path. Peering itself is not transitive; gateway transit is the supported way to share a single gateway across peered VNets.

Exam trap

The trap here is that candidates often confuse 'gateway transit' with simply enabling peering, forgetting that both the hub's 'Allow gateway transit' and the spoke's 'Use remote gateways' must be explicitly set, and that the spoke cannot have its own gateway (otherwise the setting is blocked).

How to eliminate wrong answers

Option B is wrong because a service endpoint gives a subnet an optimized, identity-bound path to an Azure PaaS service's public endpoint (e.g., Azure Storage); it has nothing to do with reaching on-premises networks through a VPN gateway. Option C is wrong because adding a default route (0.0.0.0/0) to the spoke subnet would force all internet-bound traffic through that route, but it does not enable connectivity to on-premises via the hub gateway; it would likely break routing unless properly configured with a next hop to the hub. Option D is wrong because accelerated networking improves network performance (SR-IOV) for VMs, but it has no role in enabling transitive routing or gateway transit between peered VNets.

68
MCQmedium

A subnet has an NSG with these inbound rules: priority 200 DenyAllInbound and priority 300 AllowHTTPSFromInternet. A VM in the subnet is still unreachable on TCP 443 from the internet. What should you do to make HTTPS work while keeping the deny rule in place?

A.Move the allow HTTPS rule to a lower priority number such as 100 so it is evaluated before the deny rule.
B.Create the same allow rule on the NIC-level NSG at priority 300 and leave the subnet NSG unchanged.
C.Change the deny rule to protocol Any and keep the same priority so Azure evaluates the allow rule first.
D.Add a route table entry for TCP 443 traffic so Azure sends it directly to the VM.
AnswerA

NSG rules are processed in order of priority, and the lowest number wins. Because the deny rule at 200 is evaluated before the allow rule at 300, HTTPS is blocked. Moving the allow rule to a lower priority number lets it match first while keeping the deny rule for all other inbound traffic.

Why this answer

Option A is correct because NSG rules are evaluated in priority order, with lower numbers evaluated first. Moving the allow HTTPS rule to priority 100 ensures it is processed before the DenyAllInbound rule at priority 200, allowing TCP 443 traffic from the internet while the deny rule remains in place for all other inbound traffic.

Exam trap

The trap here is that candidates often think NSG rules are evaluated based on specificity (e.g., more specific rules override broader ones) rather than strictly by priority number, leading them to believe a higher-priority allow rule can override a lower-priority deny rule.

How to eliminate wrong answers

Option B is wrong because NIC-level NSG rules are evaluated after subnet-level NSG rules; if the subnet NSG denies all inbound traffic, the NIC-level allow rule will never be reached. Option C is wrong because changing the deny rule to protocol Any does not affect evaluation order—Azure always evaluates rules by priority number, not by protocol specificity; the deny rule at priority 200 will still block HTTPS before the allow rule at priority 300 is evaluated. Option D is wrong because route tables control traffic routing, not traffic filtering; a route table entry cannot bypass NSG rules, which are stateful firewall rules that must explicitly allow traffic.

69
MCQmedium

A VM subnet has an NSG with these custom rules: - Inbound priority 100: Allow TCP 443 from Internet - Outbound priority 100: Deny Any to Internet The VM hosts an app that must download updates from an HTTPS repository on the Internet. The downloads fail. What change should be made?

A.Add another inbound allow rule for TCP 443 from the repository address.
B.Add an outbound allow rule for TCP 443 to Internet or the repository service tag.
C.Change the inbound allow rule to priority 50.
D.Remove the VM's public IP address.
AnswerB

The VM is initiating outbound HTTPS sessions, so the outbound direction must permit TCP 443. Because a deny-all outbound rule is blocking traffic to Internet, the fix is to add a higher-priority outbound allow rule that matches the repository destination, such as Internet or a specific service tag. Inbound HTTPS rules do not help traffic leaving the VM.

Why this answer

The VM's outbound traffic is blocked by the custom outbound rule Deny Any to Internet at priority 100. Since the app initiates HTTPS sessions to a repository on the Internet, an outbound allow rule for TCP 443 to Internet (or the repository's service tag) with a lower priority number than 100 is required. Inbound rules govern connections arriving at the VM, so the existing inbound allow rule has no bearing on the download failure.

Exam trap

The trap here is that candidates focus on the inbound allow rule because TCP 443 appears in it, and assume NSG statefulness will cover the downloads. Stateful tracking only admits the replies to a session that a rule has already permitted; a connection the VM itself initiates is judged by the outbound rules alone, and here an explicit outbound deny matches first.

How to eliminate wrong answers

Option A is wrong because inbound rules control traffic entering the VM, not traffic leaving it; the download failure is due to blocked outbound traffic, so adding another inbound rule does not help. Option C is wrong because changing the priority of the inbound rule does not affect outbound traffic; the outbound deny rule remains in effect. Option D is wrong because removing the VM's public IP address does not touch the explicit outbound deny rule; it only removes the VM's direct inbound reachability from the Internet, and unless another outbound path (a NAT gateway or load balancer outbound rules) exists it makes Internet connectivity worse, not better.

70
MCQmedium

A web tier and an app tier run in separate subnets. Each VM NIC is placed in an application security group named WebASG or AppASG. The administrator must allow only the web tier to reach the app tier on TCP port 8443 and block all other inbound traffic to the app tier. Which NSG rule should be created on the app subnet?

A.Allow TCP 8443 from WebASG to AppASG with a lower priority number than the deny rule.
B.Allow TCP 8443 from the entire virtual network to the app subnet with a lower priority than the deny rule.
C.Allow UDP 8443 from WebASG to AppASG with any priority below 65000.
D.Allow TCP 8443 from WebASG to AppASG with a higher priority number than the deny rule.
AnswerA

This is the most precise approach because it targets the source and destination groups instead of broad IP ranges. The rule must use a lower priority number than the deny-all rule so it is evaluated first. That lets only the web tier reach the app tier on TCP 8443 while preserving the block on all other inbound traffic.

Why this answer

Option A is correct because NSG rules are evaluated in priority order, with lower numbers having higher priority. By placing an Allow rule for TCP 8443 from WebASG to AppASG with a lower priority number than a subsequent Deny-All rule, only traffic from the web tier is permitted, and all other inbound traffic to the app subnet is blocked. This leverages application security groups (ASGs) to define fine-grained, role-based network security policies without relying on IP addresses.

Exam trap

The trap here is that candidates often confuse priority numbering—thinking a higher number means higher priority—or mistakenly assume that allowing traffic from the entire virtual network is sufficient, overlooking the need to restrict the source to only the web tier via ASGs.

How to eliminate wrong answers

Option B is wrong because allowing TCP 8443 from the entire virtual network would permit traffic from any subnet (including the app subnet itself and any other subnets), not just the web tier, violating the requirement to restrict access solely to the web tier. Option C is wrong because the requirement specifies TCP port 8443, not UDP; using UDP would not match the intended protocol and would fail to allow the required traffic. Option D is wrong because a priority with a higher number (lower priority) than the deny rule means the deny rule would be evaluated first, blocking all traffic including the desired web-to-app traffic before the allow rule is ever considered.

71
MCQmedium

Exhibit: A network engineer wants a subscription-based mechanism to stream operational updates from devices as values change, instead of polling over and over. Which approach best fits?

A.Model-driven telemetry
B.TFTP backup
C.Port security sticky learning
D.VTP pruning
AnswerA

Telemetry streaming is built for near-real-time updates without constant polling.

Why this answer

Model-driven telemetry uses a subscription-based push model to stream operational data from network devices to a collector as values change, eliminating the need for repeated polling. This approach reduces bandwidth and CPU overhead by delivering only relevant updates in real time, which aligns with the requirement for a subscription-based mechanism.

Exam trap

The trap here is that candidates may confuse TFTP backup with a streaming mechanism because both involve data transfer, but TFTP is a pull-based file transfer protocol, not a subscription-based push model for operational updates.

How to eliminate wrong answers

Option B is wrong because TFTP backup is a file transfer protocol used for backing up configuration files or images, not for streaming operational updates. Option C is wrong because port security sticky learning is a switch feature that dynamically learns and secures MAC addresses on a port, unrelated to streaming telemetry. Option D is wrong because VTP pruning is a VLAN Trunking Protocol feature that reduces unnecessary broadcast traffic on trunk links, not a mechanism for streaming operational data.

72
MCQeasy

Based on the exhibit, HTTPS traffic from the admin workstation is still being blocked. What change should the administrator make?

A.Delete the Deny-All-Inbound rule.
B.Change Allow-HTTPS-Admin to priority 100.
C.Change Allow-HTTPS-Admin protocol from TCP to Any.
D.Move the allow rule to outbound traffic.
AnswerB

NSG rules are evaluated from the lowest priority number to the highest. In the exhibit, the deny rule at priority 200 is matched before the allow rule at 250, so traffic is blocked. Moving the admin allow rule to a lower number such as 100 makes it evaluate first and permits the HTTPS test traffic.

Why this answer

In the exhibit, the custom Deny-All-Inbound rule sits at priority 200 and Allow-HTTPS-Admin at priority 250. Azure evaluates NSG rules strictly in ascending priority order (lowest number first) and stops at the first match, so the deny rule is matched first and blocks the admin workstation's HTTPS traffic before the allow rule is ever considered. Changing Allow-HTTPS-Admin to priority 100 places it ahead of the deny rule, so the admin's TCP 443 traffic is permitted while everything else still falls through to the deny.

Exam trap

The trap here is that candidates often think deleting the deny rule is the solution, but the real issue is the priority order of rules in an NSG, not the existence of the deny rule itself.

How to eliminate wrong answers

Option A is wrong because deleting Deny-All-Inbound would let the admin traffic through, but it removes the explicit deny the administrator intended; without it, the default AllowVnetInBound rule (priority 65000) admits all traffic from inside the virtual network, so the subnet's exposure widens instead of the ordering problem being fixed. Option C is wrong because changing the protocol from TCP to Any would not resolve the blocking issue; the problem is the rule evaluation order, not the protocol specificity, and HTTPS requires TCP port 443. Option D is wrong because moving the allow rule to outbound traffic would not affect inbound HTTPS traffic; inbound and outbound rules are separate, and the blocking occurs on the inbound path.
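One simulator for the NSG behaviour that questions 64, 68, 69, 70 and 72 all turn on, added here as a worked example (Python, written for this page, not Azure's implementation): ascending priority with first match winning, subnet NSG before NIC NSG for inbound traffic (and the reverse for outbound), Azure's default rules at 65000 and above, and ASG selectors that match only current members. The rule names, addresses and ASG memberships are constructed, and the Internet service tag is approximated as any address outside RFC 1918.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, NamedTuple, Optional, Set, Tuple

# Added example, not Azure code: rule names, addresses and ASG memberships are constructed.
@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # custom rules use 100-4096; the lowest number is evaluated first
    direction: str     # "Inbound" or "Outbound"
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp" or "*"
    source: str        # CIDR, service tag ("Internet", "VirtualNetwork", ...) or ASG name
    destination: str   # same forms as source
    dest_port: str     # "443" or "*"

Flow = NamedTuple("Flow", [("direction", str), ("src_ip", str), ("dst_ip", str),
                           ("protocol", str), ("dst_port", int)])
# vnet backs the VirtualNetwork tag; asgs maps ASG name -> member NIC private IPs (may be empty)
Context = NamedTuple("Context", [("vnet", str), ("asgs", Dict[str, Set[str]])])

# Default rules present in every NSG; a custom rule needs a lower number to beat them.
DEFAULT_RULES = (
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "Internet", "*"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*"),
)
RFC1918 = tuple(ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))

def _selector_matches(selector: str, ip: str, ctx: Context) -> bool:
    addr = ipaddress.ip_address(ip)
    if selector == "*":
        return True
    if selector in ctx.asgs:                  # ASG: only current members match, so an
        return ip in ctx.asgs[selector]       # ASG that has no NICs yet never matches
    if selector == "VirtualNetwork":
        return addr in ipaddress.ip_network(ctx.vnet)
    if selector == "AzureLoadBalancer":
        return ip == "168.63.129.16"          # platform health-probe source
    if selector == "Internet":                # simplification: anything outside RFC 1918
        return not any(addr in net for net in RFC1918)
    return addr in ipaddress.ip_network(selector)

def _rule_matches(rule: Rule, flow: Flow, ctx: Context) -> bool:
    return (rule.direction == flow.direction
            and rule.protocol in ("*", flow.protocol)
            and _selector_matches(rule.source, flow.src_ip, ctx)
            and _selector_matches(rule.destination, flow.dst_ip, ctx)
            and (rule.dest_port == "*" or int(rule.dest_port) == flow.dst_port))

def evaluate_nsg(custom_rules: Iterable[Rule], flow: Flow, ctx: Context) -> Rule:
    """First match in ascending priority order decides; rule specificity plays no part."""
    for rule in sorted((*custom_rules, *DEFAULT_RULES), key=lambda r: r.priority):
        if _rule_matches(rule, flow, ctx):
            return rule
    raise AssertionError("unreachable: a default catch-all rule always matches")

def is_allowed(subnet_rules: Optional[List[Rule]], nic_rules: Optional[List[Rule]],
               flow: Flow, ctx: Context) -> Tuple[bool, List[str]]:
    """Inbound: subnet NSG then NIC NSG; outbound: NIC NSG then subnet NSG. None means no NSG
    is associated at that layer. Traffic passes only if every associated NSG allows it."""
    order = (subnet_rules, nic_rules) if flow.direction == "Inbound" else (nic_rules, subnet_rules)
    trace: List[str] = []
    for rules in order:
        if rules is None:
            continue
        hit = evaluate_nsg(rules, flow, ctx)
        trace.append(hit.name)
        if hit.access == "Deny":
            return False, trace               # a deny at either layer ends evaluation
    return True, trace

CTX = Context("10.0.0.0/16", {"WebASG": {"10.0.1.4"}, "AppASG": {"10.0.2.4"}, "EmptyASG": set()})
DENY_ALL_IN = Rule("Deny-All-Inbound", 200, "Inbound", "Deny", "*", "*", "*", "*")

def https_from_internet(allow_priority: int, nic_allow: bool = False) -> Tuple[bool, List[str]]:
    """Q68: the allow rule only works once its number is lower than the deny's; a copy on a
    NIC-level NSG (Option B) never helps because the subnet NSG is consulted first."""
    allow = Rule("Allow-HTTPS-From-Internet", allow_priority, "Inbound", "Allow", "Tcp", "Internet", "*", "443")
    flow = Flow("Inbound", "203.0.113.10", "10.0.2.4", "Tcp", 443)
    return is_allowed([DENY_ALL_IN, allow], [allow] if nic_allow else None, flow, CTX)

def web_to_app(src_ip: str, app_asg: str = "AppASG") -> Tuple[bool, List[str]]:
    """Q70: ASG-scoped allow ahead of deny-all; a non-member source or an empty ASG falls through."""
    allow = Rule("Allow-Web-To-App", 100, "Inbound", "Allow", "Tcp", "WebASG", app_asg, "8443")
    return is_allowed([allow, DENY_ALL_IN], None, Flow("Inbound", src_ip, "10.0.2.4", "Tcp", 8443), CTX)

def update_download(with_outbound_allow: bool) -> Tuple[bool, List[str]]:
    """Q69: an inbound allow never permits a session the VM itself initiates."""
    rules = [Rule("Allow-HTTPS-In", 100, "Inbound", "Allow", "Tcp", "Internet", "*", "443"),
             Rule("Deny-Internet-Out", 100, "Outbound", "Deny", "*", "*", "Internet", "*")]
    if with_outbound_allow:
        rules.append(Rule("Allow-HTTPS-Out", 90, "Outbound", "Allow", "Tcp", "*", "Internet", "443"))
    return is_allowed(rules, None, Flow("Outbound", "10.0.2.4", "198.51.100.7", "Tcp", 443), CTX)
```

The returned trace names the rule that decided each layer, which is the same information Network Watcher's IP flow verify gives you; passing None for a layer (no NSG associated) is deliberately different from passing an empty list, because an NSG with only its default rules still ends in DenyAllInBound for traffic from the Internet.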

73
MCQmedium

Why is centralized logging especially useful during security investigations?

A.It makes related events from multiple devices easier to review and correlate.
B.It guarantees that attacks cannot succeed.
C.It replaces the need for authentication and authorization.
D.It forces all devices to use the same VLAN.
AnswerA

This is correct because centralized visibility is the main investigative benefit.

Why this answer

Centralized logging aggregates logs from multiple sources (e.g., firewalls, servers, Azure Network Watcher) into a single repository, such as Azure Log Analytics. During security investigations, this enables security analysts to correlate events across devices (e.g., matching a suspicious IP address in firewall logs with authentication failures in domain controller logs) without manually connecting to each device. This correlation is critical for reconstructing attack timelines and identifying lateral movement, which is impossible with siloed logs.

Exam trap

The trap here is that candidates confuse centralized logging with a security control that prevents attacks, rather than recognizing it as a detective tool for post-incident analysis and correlation.

Why the other options are wrong

B

This option is incorrect because centralized logging does not prevent attacks; it merely provides a means to analyze and respond to them after they occur. Security measures must be implemented to actually prevent attacks from succeeding.

C

This option is wrong because centralized logging does not eliminate the need for authentication and authorization; rather, it complements these security measures by providing a way to analyze logs from authenticated users and authorized actions.

D

This option is wrong because forcing all devices to use the same VLAN does not directly relate to centralized logging or its benefits during security investigations. VLANs are primarily about network segmentation, not log aggregation or analysis.

74
MCQmedium

An on-premises application connected through a site-to-site VPN must read data from an Azure Storage account. Public network access is disabled on the storage account, and the storage service must be reachable only by a private IP address inside Azure. Which solution should the administrator implement?

A.Enable a service endpoint on the on-premises network.
B.Create a private endpoint for the storage account in an Azure VNet.
C.Peer the on-premises network directly to the storage account.
D.Use a shared access signature and leave public network access enabled.
AnswerB

A private endpoint assigns the storage account a private IP address in a chosen Azure VNet, allowing access over private connectivity instead of the public internet. Because the on-premises application already reaches Azure through a site-to-site VPN, it can use that private path to access the endpoint once DNS is configured correctly: an on-premises resolver cannot query the private DNS zone directly, so queries for the storage FQDN must be forwarded to a resolver inside the VNet (an Azure DNS Private Resolver inbound endpoint, or a DNS forwarder VM that queries 168.63.129.16). Otherwise the name keeps resolving to the public IP, which the disabled public endpoint now refuses. This meets the requirement to keep public access disabled while exposing the service privately.

Why this answer

A private endpoint assigns the storage account a private IP address from an Azure VNet, allowing the on-premises application to connect over the site-to-site VPN using that private IP. This ensures the storage service is reachable only within Azure's private network, even with public network access disabled. The private endpoint uses Azure Private Link to securely expose the storage account into the VNet, making it accessible via the VPN without traversing the public internet.

Exam trap

The trap here is confusing service endpoints with private endpoints: candidates often choose service endpoints because they also provide secure connectivity, but service endpoints do not assign a private IP and require public network access to be enabled, making them unsuitable when the requirement is to use only a private IP address.

How to eliminate wrong answers

Option A is wrong because a service endpoint does not assign a private IP address; it extends the storage account's public endpoint to a VNet subnet via Azure backbone, but the storage account still uses a public IP and public network access must be enabled, which contradicts the requirement. Option C is wrong because VNet peering connects two Azure VNets, not an on-premises network to a storage account; on-premises connectivity requires a VPN or ExpressRoute, and peering does not involve storage accounts directly. Option D is wrong because it leaves public network access enabled, violating the requirement that the storage service must be reachable only by a private IP address inside Azure; a SAS token does not change the network accessibility.

75
MCQmedium

A VM in VNet A can reach a storage account through a private endpoint, but when the VM resolves the storage account name it still gets the public IP address. What should you configure so name resolution returns the private endpoint address?

A.A user-defined route to the storage private endpoint
B.The private DNS zone linked to the VNet
C.A resource lock on the storage account
D.A managed identity for the VM
AnswerB

Linking the private DNS zone makes the storage name resolve to the private endpoint address.

Why this answer

When a private endpoint is created for a storage account, the DNS configuration must be updated so that the storage account's fully qualified domain name resolves to the private endpoint's private IP address instead of the public IP. Public DNS resolves the account name to a CNAME under privatelink.blob.core.windows.net; linking a private DNS zone of that name to the virtual network is what answers that CNAME with the private endpoint address. Two caveats: the VM must use Azure-provided DNS (168.63.129.16) or a resolver that forwards to it, or the linked zone has no effect; and the zone must hold the A record for the privatelink name, which a DNS zone group on the private endpoint creates and keeps updated. Without the link, the VM continues to receive the public IP from public DNS.

Exam trap

The trap here is that candidates confuse network-level routing (UDRs) with DNS resolution, assuming that directing traffic to the private endpoint IP via a route will fix name resolution, when in fact DNS must be explicitly configured to return the private IP.

How to eliminate wrong answers

Option A is wrong because a user-defined route (UDR) controls network traffic flow (next hop) and does not affect DNS name resolution; it cannot change what IP address a name resolves to. Option C is wrong because a resource lock prevents accidental deletion or modification of the storage account but has no impact on DNS resolution or private endpoint connectivity. Option D is wrong because a managed identity provides the VM with an Azure AD identity for authentication to Azure services, not for DNS name resolution or private endpoint routing.
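The DNS mechanics behind this question, question 74 and question 65, as an added worked example (Python, written for this page, not Azure code): a small resolver that follows the CNAME chain Azure publishes for a storage account once a private endpoint exists, and treats a VNet-linked private zone as authoritative the way Azure-provided DNS does, including the failure mode where the zone is linked but holds no record. The account name contosodata, the cluster hostname and both IP addresses are constructed.

```python
from typing import Dict, List, Optional, Tuple

# Added example, not Azure code. Account name, cluster hostname and IPs are constructed.
Record = Tuple[str, str]          # (type, value): ("CNAME", target) or ("A", ip)
Zone = Dict[str, Record]

ACCOUNT = "contosodata"           # assumed storage account name
STORAGE_FQDN = f"{ACCOUNT}.blob.core.windows.net"

# What public DNS returns for the account once a private endpoint exists: Azure inserts a
# privatelink CNAME into the chain, but the public answer still ends at a public IP.
PUBLIC_DNS: Zone = {
    STORAGE_FQDN: ("CNAME", f"{ACCOUNT}.privatelink.blob.core.windows.net"),
    f"{ACCOUNT}.privatelink.blob.core.windows.net": ("CNAME", "blob.xyz12prdstr01a.store.core.windows.net"),
    "blob.xyz12prdstr01a.store.core.windows.net": ("A", "20.60.10.5"),
}

# The private DNS zone privatelink.blob.core.windows.net, populated by the private endpoint's
# DNS zone group with the endpoint NIC's address.
PRIVATE_ZONE: Zone = {f"{ACCOUNT}.privatelink.blob.core.windows.net": ("A", "10.0.5.8")}

def _linked_zone_for(name: str, linked_zones: Dict[str, Zone]) -> Optional[Zone]:
    """A VNet-linked private zone is authoritative for every name under its suffix."""
    for zone_name, zone in linked_zones.items():
        if name == zone_name or name.endswith("." + zone_name):
            return zone
    return None

def resolve(name: str, linked_zones: Dict[str, Zone],
            max_hops: int = 8) -> Tuple[Optional[str], List[Record]]:
    """Model of Azure-provided DNS (168.63.129.16) for a VM in a VNet: names under a linked
    private zone are answered only from that zone (no public fallback); everything else
    recurses publicly. Returns (ip or None, the CNAME/A chain that was followed)."""
    chain: List[Record] = []
    for _ in range(max_hops):
        zone = _linked_zone_for(name, linked_zones)
        record = (zone if zone is not None else PUBLIC_DNS).get(name)
        if record is None:
            return None, chain                # NXDOMAIN
        chain.append(record)
        rtype, value = record
        if rtype == "A":
            return value, chain
        name = value                          # follow the CNAME
    raise RuntimeError("CNAME chain too long")

def vm_without_zone_link() -> Optional[str]:
    """Q75 symptom: the private endpoint exists, but the VNet has no zone link, so public DNS
    answers. An on-premises resolver with no forwarder to the VNet (Q74) sees the same thing."""
    return resolve(STORAGE_FQDN, {})[0]

def vm_with_zone_link() -> Optional[str]:
    """Q75 fix: the linked zone answers the privatelink CNAME with the private address."""
    return resolve(STORAGE_FQDN, {"privatelink.blob.core.windows.net": PRIVATE_ZONE})[0]

def zone_linked_but_no_record() -> Optional[str]:
    """Failure mode: zone linked without the endpoint's A record. The zone is authoritative,
    so the lookup fails outright rather than falling back to the public IP."""
    return resolve(STORAGE_FQDN, {"privatelink.blob.core.windows.net": {}})[0]
```

The same chain applies to Azure SQL in question 65 with privatelink.database.windows.net in place of the blob zone; the third function is the case to remember when a private endpoint "breaks" name resolution after the zone link is added, because the fix is the missing A record, not removing the link.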
