CCNA AZ Networking Questions

75 of 288 questions · Page 3/4 · AZ Networking topic · Answers revealed

151
Multi-Select · medium

A network team wants reliable time, name resolution, centralized logs, and visibility into traffic patterns. Which two services directly match those goals?

Select 2 answers
A. NTP
B. NetFlow
C. Syslog
D. DHCP
Answers: A, B

NTP matches the reliable time requirement.

Why this answer

NTP (Network Time Protocol) is correct because it provides reliable time synchronization across network devices, which is essential for accurate log timestamps and security protocols. This directly matches the goal of reliable time.

Exam trap

The trap here is that candidates often confuse Syslog (which provides centralized logs) with NTP (which provides time synchronization), but the question specifically asks for 'reliable time' and 'visibility into traffic patterns' — Syslog does not provide time synchronization or traffic visibility, while NetFlow does provide traffic pattern analysis.

Why the other options are wrong

C

Syslog is primarily used for logging and monitoring system messages rather than providing reliable time, name resolution, or traffic visibility. While it contributes to centralized logs, it does not fulfill the other specified goals of the network team.

D

DHCP is primarily used for dynamically assigning IP addresses to devices on a network, which does not directly address the goals of reliable time, name resolution, centralized logs, or visibility into traffic patterns.

152
MCQ · medium

Based on the exhibit, why is TCP 8443 traffic from the web tier still denied to the app tier, and what should you do to allow only the web tier?

A. Change the deny-all rule at priority 200 to allow TCP 8443 from ASG-Web.
B. Add an inbound allow rule for TCP 8443 from ASG-Web to ASG-App with a priority lower than 100.
C. Add a route table entry for 8443 traffic from the web tier to the app tier.
D. Remove the AzureLoadBalancer rule because it is overriding the web tier traffic.
Answer: B

An allow rule must be evaluated before the existing deny rule, and using ASGs limits access to the web tier.

Why this answer

Option B is correct because in Azure Network Security Groups (NSGs), rules are evaluated in priority order, with lower numbers evaluated first. The existing rule at priority 100 allows traffic from the web tier, but a subsequent deny-all rule at priority 200 blocks all traffic, including TCP 8443. To allow only the web tier, you must add an inbound allow rule for TCP 8443 from ASG-Web with a priority lower than 200 (e.g., 150) so it is evaluated before the deny-all rule, effectively permitting the desired traffic while still blocking other sources.

Exam trap

The trap here is that candidates often assume changing the deny-all rule is the simplest fix, but they overlook that it would open the port to all sources, not just the web tier, failing the specific requirement.

How to eliminate wrong answers

Option A is wrong because changing the deny-all rule at priority 200 to allow TCP 8443 would permit traffic from all sources, not just the web tier, violating the requirement to allow only the web tier. Option C is wrong because route tables control network traffic paths between subnets or virtual networks, not security filtering; NSGs are the correct mechanism to allow or deny traffic based on source, destination, and port. Option D is wrong because the AzureLoadBalancer rule is a default NSG rule that allows health probe traffic from Azure Load Balancer; it does not override or block web tier traffic, and removing it would break load balancer health monitoring.

153
MCQ · medium

Based on the exhibit, which feature should be enabled on the subnet so the storage account remains reachable through its public endpoint but only from that subnet?

A. Private endpoint
B. Service endpoint
C. Azure Bastion
D. VPN Gateway
Answer: B

A service endpoint lets the subnet reach the service over the Azure backbone without creating a private IP.

Why this answer

Service endpoints (B) extend the virtual network private address space and the identity of the VNet to Azure services over a direct connection. By enabling a Microsoft.Storage service endpoint on the subnet and configuring the storage account firewall to allow access only from that subnet's virtual network, the storage account remains reachable via its public endpoint but only from the specified subnet, without requiring a public IP on the subnet.

Exam trap

The trap here is that candidates often confuse private endpoints with service endpoints, mistakenly thinking a private endpoint is required for subnet-level access control, when in fact service endpoints achieve the same goal while preserving public endpoint accessibility.

How to eliminate wrong answers

Option A is wrong because a private endpoint assigns a private IP address from the subnet to the storage account, making it reachable only over the private endpoint and removing public endpoint access entirely, which contradicts the requirement to keep the public endpoint reachable. Option C is wrong because Azure Bastion provides secure RDP/SSH connectivity to virtual machines in the VNet via the Azure portal, not access to storage accounts or subnet-level network restrictions. Option D is wrong because a VPN Gateway extends on-premises networks to Azure over encrypted tunnels, but it does not restrict access to a storage account's public endpoint from a specific subnet; it would allow all traffic from the connected on-premises network.

154
MCQ · easy

Based on the exhibit, why is the administrator's HTTPS test still being denied, and what should be changed?

A. Increase the deny rule priority number from 200 to 300.
B. Move Allow-HTTPS-Admin to a priority lower than 200.
C. Change Allow-HTTPS-Admin to use protocol Any.
D. Assign a public IP address to the VM.
Answer: B

NSG rules are processed from the lowest priority number upward. Because the deny rule is evaluated first, the admin allow rule never gets a chance. Moving the allow rule ahead of the deny rule lets only the admin IP reach HTTPS while everyone else remains blocked.

Why this answer

The administrator's HTTPS test is denied because Azure Network Security Groups (NSGs) process rules in priority order, from lowest to highest numeric value. The deny rule at priority 200 is evaluated before the allow rule at priority 300, so the HTTPS traffic is blocked. To allow HTTPS traffic, the allow rule must have a lower priority number (e.g., 100) than the deny rule, ensuring it is evaluated first.

Option B correctly identifies that moving Allow-HTTPS-Admin to a priority lower than 200 (i.e., a smaller number) will allow the traffic before the deny rule is applied.

Exam trap

The trap here is that candidates often confuse priority numbers, thinking a higher number means higher priority, when in fact lower numbers are evaluated first; this leads them to incorrectly choose increasing the deny rule's priority or other irrelevant changes.

How to eliminate wrong answers

Option A is wrong because increasing the deny rule's priority number from 200 to 300 would make it evaluated after the allow rule, but the deny rule would still block traffic if it matches; the correct fix is to change the allow rule's priority, not the deny rule's. Option C is wrong because changing Allow-HTTPS-Admin to use protocol 'Any' would not resolve the priority issue; the rule would still be evaluated after the deny rule at priority 200, and HTTPS traffic would still be denied. Option D is wrong because assigning a public IP address to the VM does not affect NSG rule evaluation; NSG rules filter traffic based on source/destination IPs and ports, not the presence of a public IP on the VM.

155
Multi-Select · easy

An app must resolve a storage account name to the private IP address created by a private endpoint. Which two actions are required? Select two.

Select 2 answers
A. Create the private endpoint in the same virtual network as the app
B. Link the virtual network to the private DNS zone for the storage service
C. Enable a service endpoint on the subnet
D. Add a public DNS record pointing to the storage account
E. Turn on blob versioning
Answers: A, B

The private endpoint must exist in a VNet the workload can reach so it gets a private address.

Why this answer

Option A is correct because a private endpoint must be in the same virtual network as the app to provide a private IP address that the app can directly reach. Without this, the app cannot resolve the storage account name to the private IP, as the private endpoint's network interface is only accessible from within that VNet.

Exam trap

The trap here is that candidates often confuse service endpoints with private endpoints, thinking a service endpoint alone provides private IP resolution, or they overlook the mandatory DNS zone link required for name resolution to the private IP.

156
MCQ · medium

A route table on a subnet contains this user-defined route:

- 0.0.0.0/0 -> Virtual appliance 10.0.0.4

The subnet is peered to another VNet with address space 10.2.0.0/16. A VM in the subnet sends traffic to 10.2.2.7, and Network Watcher shows the next hop as Virtual network peering instead of the appliance. What explains this result?

A. User-defined routes never apply to peered networks.
B. The peering route is more specific than the default route, so it is selected first.
C. NSG rules always override any route table entry.
D. Peering only works when both VNets are in the same region.
Answer: B

Azure uses the longest-prefix match first. The destination 10.2.2.7 falls within the peered VNet prefix 10.2.0.0/16, which is more specific than 0.0.0.0/0. A default route to a virtual appliance does not override a more specific route. To force traffic to the appliance, you need a matching UDR for the peered address range, not only a catch-all default route.

Why this answer

Azure uses the longest prefix match to determine the next hop for traffic. The user-defined route (UDR) for 0.0.0.0/0 is a default route, while the peering route for 10.2.0.0/16 is more specific. Since 10.2.2.7 falls within the 10.2.0.0/16 range, the peering route is preferred over the default route, directing traffic through the VNet peering instead of the virtual appliance.

Exam trap

The trap here is that candidates assume a default route (0.0.0.0/0) always forces all internet-bound or cross-VNet traffic through a virtual appliance, forgetting that more specific routes—such as those from VNet peering—override the default route based on prefix length.

How to eliminate wrong answers

Option A is wrong because user-defined routes do apply to peered networks; they are evaluated based on prefix specificity, and a more specific UDR can override peering. Option B is the correct answer, as explained above. Option C is wrong because NSG rules filter traffic based on allowed/denied flows but do not determine the next hop; route tables control the path, and NSGs are evaluated after routing.

Option D is wrong because VNet peering works across regions (global peering) as long as both VNets are in the same Azure cloud; the question does not specify a regional restriction.

157
MCQ · medium

Based on the exhibit, which Azure service should you deploy to provide browser-based administrative access to the VM without assigning it a public IP address?

A. Azure Bastion
B. Azure VPN Gateway
C. Public IP address on the VM
D. Azure Load Balancer
Answer: A

Azure Bastion provides secure RDP and SSH access from the portal over the browser without exposing a public IP.

Why this answer

Azure Bastion provides secure, seamless RDP/SSH connectivity to virtual machines directly in the Azure portal over TLS, without requiring a public IP address on the VM. It uses a hardened bastion host in your virtual network that brokers the connection, eliminating exposure of the VM to the internet.

Exam trap

The trap here is that candidates often confuse Azure Bastion with a VPN Gateway, thinking both provide secure remote access, but Bastion is specifically for browser-based administrative sessions without a public IP, while VPN Gateway extends the network for full client-to-site or site-to-site connectivity.

How to eliminate wrong answers

Option B (Azure VPN Gateway) is wrong because it establishes site-to-site or point-to-site encrypted tunnels for network-level connectivity, not browser-based administrative access; it still requires the VM to have a private IP and does not provide a portal-based RDP/SSH session. Option C (Public IP address on the VM) is wrong because it directly exposes the VM to the internet, which contradicts the requirement of no public IP; it also does not provide browser-based access by itself. Option D (Azure Load Balancer) is wrong because it distributes inbound traffic across multiple VMs for high availability and scaling, not for administrative access; it does not offer browser-based RDP/SSH connectivity.

158
MCQ · hard

VM-Web01 is connected to Subnet-Web in VNet-Prod. Users on the internet cannot access the website hosted on TCP port 443. You confirm that VM-Web01 has a public IP address and the web service is running. You need to allow inbound HTTPS traffic with the least administrative effort. What should you do?

A. Add an inbound NSG rule allowing TCP 443.
B. Create a user-defined route to the internet.
C. Configure VNet peering with another virtual network.
D. Create a private endpoint for VM-Web01.
Answer: A

This allows HTTPS traffic to reach the VM or subnet as required.

Why this answer

The VM has a public IP and the web service is running, but internet users cannot access it. The most common reason is that the Network Security Group (NSG) associated with the subnet or NIC is blocking inbound traffic. Adding an inbound NSG rule to allow TCP 443 is the least administrative effort to permit HTTPS traffic from the internet.

Exam trap

The trap here is that candidates may think a public IP alone is sufficient for internet access, forgetting that NSGs act as a stateful firewall that blocks all inbound traffic by default unless explicitly allowed.

How to eliminate wrong answers

Option B is wrong because a user-defined route (UDR) controls traffic leaving the subnet, not inbound access; it cannot allow inbound HTTPS traffic. Option C is wrong because VNet peering connects two virtual networks privately, but it does not provide internet-facing access to a VM. Option D is wrong because a private endpoint is used to securely access Azure PaaS services over a private IP, not to allow inbound internet traffic to a VM.

159
MCQ · hard

A company has VNet-A with address space 10.20.0.0/16 and active workloads in several subnets. The team must peer VNet-A with VNet-B, but VNet-B currently uses 10.20.128.0/17 and cannot be rebuilt from scratch. What should the administrator do first to make peering possible without interrupting current workloads?

A. Create the peering now and let Azure automatically route overlapping prefixes.
B. Add a new non-overlapping address space to VNet-B, create replacement subnets there, and migrate workloads gradually.
C. Attach a route table to VNet-B so traffic to VNet-A is forced through a firewall appliance.
D. Create a private endpoint between the two VNets so Azure ignores the overlap during connectivity checks.
Answer: B

A second non-overlapping range lets you prepare new subnets and move workloads before removing the conflicting range.

Why this answer

Azure Virtual Network peering requires that the address spaces of the peered VNets do not overlap. VNet-A uses 10.20.0.0/16, which fully contains VNet-B's 10.20.128.0/17, creating an overlap. Since VNet-B cannot be rebuilt, the correct first step is to add a new non-overlapping address space (e.g., 10.30.0.0/16) to VNet-B, create subnets in that new range, migrate workloads gradually, and then remove the overlapping address space before establishing the peering.

This ensures no IP conflicts and avoids disrupting existing workloads.

Exam trap

The trap here is that candidates assume Azure can handle overlapping address spaces through routing tricks (like route tables or firewalls), but Azure VNet peering strictly prohibits any address overlap and will reject the peering request outright, forcing you to resolve the conflict by adding a non-overlapping address space and migrating workloads.

How to eliminate wrong answers

Option A is wrong because Azure does not automatically route overlapping prefixes; peering creation will fail with an error indicating overlapping address spaces, and even if forced, traffic routing would be ambiguous and unpredictable. Option C is wrong because attaching a route table with a firewall appliance does not resolve the fundamental address overlap; Azure still checks for overlapping address spaces at peering creation time and will reject the request regardless of routing policies. Option D is wrong because private endpoints are used for secure access to PaaS services over a private IP, not to bypass address space overlap checks; Azure still validates that the VNet address spaces do not overlap before allowing peering.

160
MCQ · easy

A switch administrator wants log entries from multiple devices to be collected on one central server for later review. Which service should be configured?

A. DNS
B. NTP
C. Syslog
D. SNMP trap suppression
Answer: C

Syslog centralizes device logging.

Why this answer

Syslog is the standard protocol (RFC 5424) used for collecting and centralizing log messages from network devices, servers, and other infrastructure components. By configuring each device to send syslog messages to a central syslog server, the administrator can aggregate logs for unified review, monitoring, and troubleshooting. This directly meets the requirement for centralized log collection.

Exam trap

The trap here is that candidates often confuse SNMP traps (which are event-driven alerts) with syslog (which is a log message transport protocol), leading them to incorrectly select SNMP-related options when the question explicitly asks for log collection.

Why the other options are wrong

A

DNS is primarily used for resolving domain names to IP addresses and does not facilitate the collection of log entries from multiple devices. Therefore, it cannot be configured for central log management.

B

NTP (Network Time Protocol) is primarily used for synchronizing the clocks of network devices and does not facilitate the collection of log entries from multiple devices. Therefore, it does not meet the requirement for central log collection.

D

SNMP trap suppression is not a logging service; it is used to limit the number of SNMP traps sent from devices to a management system. This option does not address the requirement for collecting log entries from multiple devices.

161
MCQ · easy

Based on the exhibit, the VPN gateway deployment fails during validation. What resource is missing?

A. A public IP address resource associated with the VPN gateway.
B. A network security group attached to GatewaySubnet.
C. A route table with a default route to the on-premises network.
D. A private endpoint for the on-premises VPN device.
Answer: A

A VPN gateway needs a public IP resource so the on-premises VPN device can establish encrypted tunnels to Azure. The exhibit already has GatewaySubnet, so the missing piece is the public-facing IP on the gateway itself. Once that resource is created and attached during deployment, the gateway can be provisioned successfully.

Why this answer

A VPN gateway requires a dedicated public IP address resource to establish the IPsec tunnel with the on-premises VPN device. During validation, Azure checks that a public IP address is associated with the gateway; if missing, the deployment fails because the gateway cannot route traffic over the internet or terminate the VPN connection.

Exam trap

The trap here is that candidates often confuse the requirement for a public IP on the VPN gateway with the need for an NSG or route table on GatewaySubnet, but Azure explicitly blocks NSG association on GatewaySubnet and route tables are optional for site-to-site VPNs.

How to eliminate wrong answers

Option B is wrong because a network security group (NSG) is not required on GatewaySubnet; in fact, Microsoft recommends against attaching an NSG to GatewaySubnet as it can interfere with gateway control plane traffic. Option C is wrong because a route table with a default route (0.0.0.0/0) to the on-premises network is not a prerequisite for VPN gateway deployment; such a route is typically used for forced tunneling but is not required for gateway creation. Option D is wrong because a private endpoint is used for accessing Azure PaaS services privately over the Microsoft backbone network, not for connecting an on-premises VPN device to a VPN gateway; the gateway uses a public IP for the IPsec tunnel.

162
MCQ · medium

A company merged with another business, and two Azure virtual networks need to be peered for shared application access. One VNet uses 10.20.0.0/16 and the other uses 10.20.128.0/17. The administrator must make the peering work with minimal operational complexity. What should be done first?

A. Create a route table on both VNets and point the overlapping prefixes to a virtual appliance.
B. Renumber one VNet to a non-overlapping address range before creating the peering.
C. Enable gateway transit on both VNets so overlapping ranges can be routed around.
D. Create a private endpoint in each VNet for the applications that need access.
Answer: B

Peering requires non-overlapping CIDR ranges, so one network must be redesigned first.

Why this answer

Azure VNet peering requires non-overlapping address spaces. The two VNets (10.20.0.0/16 and 10.20.128.0/17) overlap because 10.20.128.0/17 is a subset of 10.20.0.0/16. Peering will fail with an error about overlapping address ranges.

Renumbering one VNet to a non-overlapping range (e.g., 10.21.0.0/16) is the only way to satisfy the prerequisite for peering with minimal operational complexity.

Exam trap

The trap here is that candidates assume overlapping ranges can be handled with routing or network virtual appliances, but Azure VNet peering has a hard requirement for non-overlapping address spaces at creation time, and no post-peering configuration can override this.

How to eliminate wrong answers

Option A is wrong because creating route tables and pointing overlapping prefixes to a virtual appliance does not resolve the fundamental peering requirement that VNet address spaces must not overlap; Azure blocks peering creation entirely when ranges overlap, so no routing trick can bypass this. Option C is wrong because gateway transit is used to allow a peered VNet to use a VPN gateway in another VNet, not to resolve overlapping address spaces; overlapping ranges still prevent peering from being established. Option D is wrong because private endpoints provide private connectivity to Azure PaaS services, not to resolve overlapping VNet address spaces; they do not enable VNet peering when ranges conflict.

163
MCQ · medium

An internal line-of-business application runs on two VMs in Azure. Users connect only from a peered virtual network and from on-premises through VPN. The application must not be reachable from the internet, but traffic should be balanced across the two VMs. Which configuration should you choose?

A. A public Standard Load Balancer with a public frontend IP.
B. A Standard Load Balancer with a private frontend IP.
C. A NAT gateway attached to the application subnet.
D. A network security group rule allowing TCP 443 from the internet.
Answer: B

A Standard Load Balancer with a private frontend provides load balancing only within the virtual network boundary, which fits an internal application. It can balance traffic from peered VNets or hybrid connections without assigning a public frontend. This is the appropriate pattern when the service must remain private but still needs distribution across backend VMs.

Why this answer

A Standard Load Balancer with a private frontend IP is correct because it distributes traffic to the two VMs using a private IP address that is only reachable from within the peered virtual network and the on-premises network via VPN. This configuration ensures the application is not exposed to the internet while still providing load balancing across the VMs.

Exam trap

The trap here is that candidates often assume a load balancer must have a public frontend IP to function, but Azure Standard Load Balancer fully supports private frontend IPs for internal load balancing without any internet exposure.

How to eliminate wrong answers

Option A is wrong because a public Standard Load Balancer with a public frontend IP would make the application reachable from the internet, violating the requirement that it must not be reachable from the internet. Option C is wrong because a NAT gateway provides outbound internet connectivity for VMs, not inbound load balancing, and it would not balance traffic across the two VMs. Option D is wrong because a network security group rule allowing TCP 443 from the internet would explicitly permit inbound internet traffic, directly contradicting the requirement that the application must not be reachable from the internet.

164
MCQ · medium

A subnet uses a user-defined route that sends 0.0.0.0/0 to a firewall appliance. One server in the subnet must download updates directly from 40.90.10.25 over the Internet, while all other outbound traffic should continue through the firewall. What is the best change?

A. Remove the default route so all traffic uses the system routes.
B. Add a more specific /32 route for 40.90.10.25 with next hop type Internet.
C. Create a service endpoint for the server and the update site.
D. Attach a NAT gateway to the subnet so the server can bypass the firewall.
Answer: B

Azure uses longest-prefix matching when selecting routes. A specific /32 route for one destination is more specific than the broader 0.0.0.0/0 forced-tunnel route, so traffic to that IP can bypass the firewall and go directly to the Internet. This is the cleanest way to create a targeted exception without changing the behavior for all other outbound traffic from the subnet.

Why this answer

Option B is correct because adding a more specific /32 route for 40.90.10.25 with next hop type Internet overrides the default route (0.0.0.0/0) for traffic destined to that specific IP. User-defined routes (UDRs) follow the longest prefix match principle, so the /32 route takes precedence over the /0 route, allowing the server to reach the update site directly via the internet while all other outbound traffic continues through the firewall appliance.

Exam trap

The trap here is that candidates often think a NAT gateway or service endpoint can bypass a firewall for specific traffic, but they fail to understand that route precedence (longest prefix match) is the only way to override a default route for a specific destination in Azure.

How to eliminate wrong answers

Option A is wrong because removing the default route would break all outbound traffic that needs to go through the firewall, leaving the subnet with no path to the internet for other workloads. Option C is wrong because a service endpoint is used to securely connect to Azure PaaS services (like Azure Storage or SQL Database) over the Azure backbone, not to route traffic to a public IP address like 40.90.10.25 over the internet. Option D is wrong because attaching a NAT gateway to the subnet would translate the server's private IP to a public IP but would not bypass the firewall; the NAT gateway still uses the effective route table, and the default route to the firewall would still apply unless overridden by a more specific route.
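The route selection described in questions 156 and 164 can be traced with the small model below. It is an added example, not code from the exam page or from Microsoft: it reproduces Azure's longest-prefix-match rule and its tie-break between user-defined, BGP and system routes for equal prefix lengths. The peering prefix 10.2.0.0/16, the appliance address 10.0.0.4 and the update host 40.90.10.25 come from the questions; the VNet range 10.0.0.0/16, the second internet address 198.51.100.7 and the route-table layout are constructed assumptions.

```python
"""Longest-prefix-match next-hop selection for the UDR questions above.

Added example, not code from the exam page or from Microsoft. Azure chooses the
route whose prefix is the longest match for the destination, so a 0.0.0.0/0
user-defined route to a virtual appliance never beats a more specific system
route (such as VNet peering) or a more specific UDR. Among routes with the same
prefix length Azure prefers User > BGP > Default (system).
"""
from ipaddress import ip_address, ip_network

# Route entries in the shape Network Watcher's effective-routes view reports:
# (prefix, source, next hop type, next hop address or None). Constructed data.
ROUTE_SOURCE_RANK = {"User": 2, "BGP": 1, "Default": 0}


def next_hop(routes, destination):
    """Return (next hop type, next hop address) for destination.

    Picks the longest matching prefix; for equal prefix lengths the route
    source rank decides. A route to "None" drops traffic; no match at all is
    reported as ("None", None) as well.
    """
    dst = ip_address(destination)
    best = None
    for prefix, source, hop_type, hop_addr in routes:
        net = ip_network(prefix)
        if dst not in net:
            continue
        key = (net.prefixlen, ROUTE_SOURCE_RANK[source])
        if best is None or key > best[0]:
            best = (key, hop_type, hop_addr)
    return ("None", None) if best is None else (best[1], best[2])


def question_156(add_udr_for_peer):
    """Q156: 0.0.0.0/0 UDR to appliance 10.0.0.4, peering to 10.2.0.0/16.
    With add_udr_for_peer=True the fix from the page (a UDR matching the
    peered range) is added so the appliance wins for 10.2.2.7."""
    routes = [
        ("10.0.0.0/16", "Default", "VnetLocal", None),        # local VNet (assumed)
        ("10.2.0.0/16", "Default", "VNetPeering", None),      # system peering route
        ("0.0.0.0/0", "User", "VirtualAppliance", "10.0.0.4"),
    ]
    if add_udr_for_peer:
        # Same prefix length as the peering route; User beats Default.
        routes.append(("10.2.0.0/16", "User", "VirtualAppliance", "10.0.0.4"))
    return next_hop(routes, "10.2.2.7")


def question_164(destination):
    """Q164: forced tunnel to a firewall plus a /32 exception for 40.90.10.25."""
    routes = [
        ("10.0.0.0/16", "Default", "VnetLocal", None),
        ("0.0.0.0/0", "User", "VirtualAppliance", "10.0.0.4"),  # firewall (assumed addr)
        ("40.90.10.25/32", "User", "Internet", None),           # the targeted exception
    ]
    return next_hop(routes, destination)


if __name__ == "__main__":
    print(question_156(False))            # ('VNetPeering', None)
    print(question_156(True))             # ('VirtualAppliance', '10.0.0.4')
    print(question_164("40.90.10.25"))    # ('Internet', None)
    print(question_164("198.51.100.7"))   # ('VirtualAppliance', '10.0.0.4')
```

The second call in `question_156` shows why the page says a catch-all route is not enough: only a UDR whose prefix is at least as specific as the peering route pulls the peered traffic to the appliance.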

165
Drag & Drop · medium

Arrange the steps to deploy an Azure Policy that enforces tagging on resources.


Why this order

Go to Policy, create definition, define rule, assign, test.

166
MCQ · easy

Based on the exhibit, the spoke virtual network must use the hub's existing VPN gateway to reach on-premises networks. Which peering setting should be enabled on the spoke-to-hub peering?

A. Allow forwarded traffic on the spoke peering.
B. Use remote gateways on the spoke peering.
C. Delete the peering and create a virtual network gateway in the spoke.
D. Enable service endpoints on the spoke subnet.
Answer: B

To let the spoke use the hub's VPN gateway, the spoke-to-hub peering must be configured with Use remote gateways enabled. This tells Azure that the spoke should send gateway-bound traffic through the remote VNet's gateway rather than deploying its own gateway. It is the required setting in a hub-and-spoke design with shared VPN connectivity.

Why this answer

Option B is correct because the 'Use remote gateways' setting on the spoke-to-hub peering allows the spoke virtual network to use the hub's existing VPN gateway for connectivity to on-premises networks. This setting forwards traffic from the spoke through the hub's gateway, enabling transitive routing without deploying a separate gateway in the spoke. It requires the hub-to-spoke peering to have 'Allow gateway transit' enabled.

Exam trap

The trap here is that candidates often confuse 'Allow forwarded traffic' with 'Use remote gateways', mistakenly thinking that enabling forwarded traffic alone is sufficient to route spoke traffic through the hub's VPN gateway, when in fact 'Use remote gateways' is the specific setting required for gateway transit.

How to eliminate wrong answers

Option A is wrong because 'Allow forwarded traffic' on the spoke peering only permits traffic from the hub to be forwarded to the spoke, but it does not enable the spoke to use the hub's VPN gateway; it is a prerequisite for gateway transit but not sufficient alone. Option C is wrong because deleting the peering and creating a virtual network gateway in the spoke would introduce unnecessary cost and complexity, contradicting the requirement to use the hub's existing VPN gateway. Option D is wrong because service endpoints provide secure access to Azure PaaS services (e.g., Storage, SQL) from the spoke subnet, but they have no role in routing traffic through a VPN gateway to on-premises networks.

167
Multi-Select · easy

Which two Network Watcher tools can help you diagnose whether a VM can reach another address and whether a specific flow is allowed or denied? Select two.

Select 2 answers
A. Connection troubleshoot
B. IP flow verify
C. Packet capture
D. Effective routes
E. Network topology
Answers: A, B

Correct because Connection troubleshoot checks reachability from a source VM to a destination and reports blocking issues.

Why this answer

Connection Troubleshoot (A) is correct because it performs end-to-end connectivity checks between a source VM and a target (IP/FQDN/URL), testing latency, packet loss, and hop-by-hop routing. It also identifies whether the connection is blocked by NSG or firewall rules, making it ideal for diagnosing reachability and flow permission issues.

Exam trap

The trap here is that candidates often confuse 'Packet capture' with flow analysis, but Packet Capture only records traffic without evaluating Azure's NSG or routing policies, whereas IP Flow Verify explicitly checks rule evaluation.

168
MCQ · medium

An NSG outbound rule allows TCP 8443 traffic from ASG-Web to ASG-Api. The web VM NIC is in ASG-Web, but the API VM NICs were deployed into the correct subnet and never added to ASG-Api. The traffic still fails. What should the administrator do?

A. Move the NSG to the web subnet so source membership is automatically detected.
B. Add the API VM NICs to ASG-Api.
C. Change the destination port to 443 because ASGs only work with common HTTPS traffic.
D. Create a service endpoint for the spoke subnet so the NSG rule becomes effective.
Answer: B

ASG-based NSG rules match the actual NIC memberships, so the destination VMs must be in ASG-Api.

Why this answer

The NSG rule references ASG-Api as the destination, but the API VM NICs were never added to that application security group. ASGs are logical groupings of VM NICs; a rule targeting an ASG only applies to NICs that are members of that ASG. Since the API NICs are not in ASG-Api, the rule does not match them, and traffic fails.

Adding the API VM NICs to ASG-Api resolves the issue by making them valid destinations for the rule.

Exam trap

The trap here is that candidates assume ASGs automatically include all VMs in the same subnet, but ASGs require explicit NIC membership and do not inherit subnet scope.

How to eliminate wrong answers

Option A is wrong because moving the NSG to the web subnet does not affect destination membership; ASG membership is based on NIC assignment, not subnet location, and the NSG is already associated with the subnet or NIC. Option C is wrong because ASGs have no port restrictions; they work with any TCP/UDP port, and changing to 443 would not fix the membership issue. Option D is wrong because service endpoints are used for secure access to Azure PaaS services (e.g., Storage, SQL) and have no bearing on NSG rule enforcement or ASG membership.

169
MCQ · medium

A company needs to peer VNet-Prod, which uses 10.30.0.0/16, with VNet-Shared, which uses 10.30.64.0/18. The peering creation fails with an address-space overlap error. The team can renumber the shared environment, but they do not want to change any addresses in VNet-Prod. What should the administrator do before retrying the peering?

A. Add an NSG that allows traffic between the two VNets.
B. Reconfigure VNet-Shared to use a non-overlapping address range, then recreate its subnets and migrate workloads.
C. Rename VNet-Shared so Azure treats it as a different network.
D. Enable gateway transit on both VNets so Azure can route around the overlap.
Answer: B

Azure VNet peering requires the two address spaces to be unique and non-overlapping. If any prefix overlaps, the peering cannot be created. The correct fix is to renumber one VNet by introducing a different address range, rebuilding or moving subnets as needed, and then removing the conflicting range. This addresses the root cause instead of trying to work around it with security or routing settings.

Why this answer

VNet peering requires that the address spaces of the two VNets do not overlap. VNet-Prod uses 10.30.0.0/16, which includes the range 10.30.64.0/18 used by VNet-Shared, causing the overlap error. The only way to resolve this without changing VNet-Prod is to reconfigure VNet-Shared to use a non-overlapping address range, which involves deleting and recreating its subnets and migrating workloads, as stated in option B.

Exam trap

The trap here is that candidates may think gateway transit or NSGs can bypass address space overlap, but Azure strictly enforces non-overlapping address spaces for VNet peering, and no network feature can override this fundamental routing requirement.

How to eliminate wrong answers

Option A is wrong because NSGs filter traffic at the subnet or NIC level and do not resolve address space overlap, which is a fundamental routing conflict that prevents peering from being established. Option C is wrong because renaming a VNet does not change its address space; Azure identifies VNets by their resource ID and address prefixes, not by name. Option D is wrong because gateway transit is used to route traffic through a VPN gateway or ExpressRoute gateway, but it does not resolve overlapping address spaces; overlapping ranges still cause routing conflicts even with gateway transit enabled.

170
MCQ · medium

You need to expose a web application running on several VMs and distribute traffic across them based on HTTP request attributes such as URL path. Which service should you use?

A. Azure Load Balancer
B. Azure Application Gateway
C. Traffic Manager
D. Network Watcher
Answer: B

Application Gateway supports Layer 7 features including path-based routing.

Why this answer

Azure Application Gateway is a Layer 7 load balancer that can route traffic based on HTTP request attributes such as URL path, host headers, or query strings. This allows you to distribute incoming web traffic across multiple VMs based on the specific URL path (e.g., /images to one backend pool, /api to another), which is exactly what the question requires.

Exam trap

The trap here is that candidates often confuse Azure Load Balancer (Layer 4) with Application Gateway (Layer 7), assuming any load balancer can route based on HTTP attributes, but only Application Gateway can inspect and route based on URL paths, host headers, or query strings.

How to eliminate wrong answers

Option A is wrong because Azure Load Balancer operates at Layer 4 (TCP/UDP) and cannot inspect HTTP request attributes like URL paths; it distributes traffic based on IP and port only. Option C is wrong because Traffic Manager is a DNS-based traffic router that directs clients to the nearest endpoint based on DNS resolution, not HTTP request attributes, and it does not inspect the URL path. Option D is wrong because Network Watcher is a monitoring and diagnostics service for network health, not a traffic distribution or load balancing service.

171
Multi-Select · medium

An administrator is preparing an Azure site-to-site VPN gateway deployment for an existing VNet. Which two prerequisites must be in place for the gateway to deploy successfully? Select two.

Select 2 answers
A. A dedicated GatewaySubnet must exist in the VNet.
B. The gateway must have a public IP address resource assigned to it.
C. The VNet must already contain a private endpoint for on-premises connectivity.
D. A network security group must be attached to the GatewaySubnet.
E. The VNet must use a service endpoint for Microsoft.Network.
Answers: A, B

Azure requires a specific GatewaySubnet for the virtual network gateway resources and routing components.

Why this answer

Option A is correct because a dedicated GatewaySubnet is a mandatory requirement for deploying any Azure VPN gateway. This subnet must be named 'GatewaySubnet' and must have a minimum address prefix of /29 (though /27 is recommended) to accommodate the gateway VMs and future scaling. Without this subnet, the gateway creation will fail as Azure uses it to host the gateway VMs and route traffic.

Exam trap

The trap here is that candidates often confuse the GatewaySubnet requirement with optional components like NSGs or service endpoints, or mistakenly think a private endpoint is needed for on-premises connectivity, when in fact the two mandatory prerequisites are the GatewaySubnet and a public IP address resource.

172
MCQ · hard

A backend VM belongs to AppASG and listens on TCP 8443. The subnet NSG has a deny rule at priority 200 that blocks TCP 8443 from VirtualNetwork to any destination. The backend VM's NIC NSG has an allow rule at priority 100 for TCP 8443 from WebASG to AppASG. Web VMs in WebASG still cannot connect. What should you change to allow only the web tier while keeping other virtual network traffic blocked?

A. Move the NIC NSG allow rule to priority 50.
B. Add an allow rule in the subnet NSG at priority 150 for TCP 8443 from WebASG to AppASG.
C. Replace the subnet deny rule with a rule for the AzureLoadBalancer service tag.
D. Remove the backend VM from AppASG and allow traffic by subnet only.
Answer: B

This places a more specific allow ahead of the subnet deny, so only the intended tier is permitted.

Why this answer

In Azure, network security group (NSG) rules are evaluated in priority order (lower number first), and for inbound traffic the subnet NSG is evaluated before the NIC NSG. The subnet NSG has a deny rule at priority 200 that blocks TCP 8443 from VirtualNetwork to any destination; because the subnet NSG is evaluated first, that deny wins before the NIC NSG allow rule is ever reached. To allow traffic from WebASG to AppASG while still blocking other virtual network traffic, you must add an allow rule in the subnet NSG with a lower priority number than the deny rule (e.g., 150), explicitly permitting TCP 8443 from WebASG to AppASG.

Exam trap

The trap here is that candidates often assume NIC NSG rules can override subnet NSG rules due to higher priority, but in Azure, subnet NSG rules are evaluated before NIC NSG rules for inbound traffic, so a subnet deny will always block traffic regardless of NIC allow rules.

How to eliminate wrong answers

Option A is wrong because moving the NIC NSG allow rule to a lower priority number (50) does not help; the subnet NSG deny rule at priority 200 is evaluated before any NIC NSG rule for inbound traffic, so the deny still blocks the traffic regardless of the NIC rule's priority. Option C is wrong because replacing the subnet deny rule with a rule for the AzureLoadBalancer service tag would allow traffic from Azure Load Balancer health probes, not from WebASG, and would not specifically permit the web tier traffic while blocking other virtual network traffic. Option D is wrong because removing the backend VM from AppASG and allowing traffic by subnet only would open up the subnet to all traffic on TCP 8443, violating the requirement to keep other virtual network traffic blocked.

173
MCQ · medium

A web application runs on three VMs in a backend subnet. The backend team wants the load balancer in the frontend tier to reach the VMs on TCP 8443, and they want the rule to keep working even if the backend VM IP addresses change. What should you use in the NSG rule?

A. Use the individual private IP addresses of each backend VM as the source.
B. Use an application security group for the frontend tier as the source and another ASG for the backend tier as the destination.
C. Use the VirtualNetwork service tag for both source and destination.
D. Create a route table entry that sends TCP 8443 traffic to the backend subnet.
Answer: B

Application security groups let you reference groups of NICs instead of hard-coded IP addresses. That makes the NSG rule resilient when VMs are replaced or reimaged and their private IP addresses change. It also keeps the access model aligned to application tiers rather than infrastructure details, which is the preferred design for maintainable network security rules.

Why this answer

Option B is correct because Application Security Groups (ASGs) allow you to define network security rules based on logical groupings of VMs, regardless of their IP addresses. By using an ASG for the frontend tier as the source and another ASG for the backend tier as the destination, the NSG rule remains valid even if backend VM IP addresses change, as ASGs are dynamically updated. This meets the requirement for the load balancer in the frontend tier to reach backend VMs on TCP 8443 without hardcoding IP addresses.

Exam trap

The trap here is that candidates often confuse NSG rules with route tables, thinking a route table entry can control access (Option D), or they assume that using specific IP addresses (Option A) is acceptable despite the requirement for dynamic IP changes, missing the purpose of ASGs for logical grouping.

How to eliminate wrong answers

Option A is wrong because using individual private IP addresses as the source would require manual updates to the NSG rule whenever a backend VM's IP changes, violating the requirement for the rule to keep working automatically. Option C is wrong because the VirtualNetwork service tag includes all VNets and peered networks, which is too broad and does not specifically isolate the frontend-to-backend traffic on TCP 8443, potentially allowing unintended traffic. Option D is wrong because a route table entry controls traffic routing (next hop), not NSG filtering; it does not define which traffic is allowed or denied, and it cannot replace an NSG rule for access control.

174
MCQ · medium

An app running on an Azure VM must access Azure SQL Database over a private IP inside the VNet. The team also wants the SQL server name to resolve to that private address without using custom host-file entries. What should be configured?

A. A service endpoint on the VM subnet and a firewall rule on Azure SQL Database.
B. A private endpoint for Azure SQL Database and a linked private DNS zone.
C. A public IP address on the VM and a SQL server firewall exception.
D. An NSG rule that allows outbound TCP 1433 to the SQL server.
Answer: B

A private endpoint places the service on a private IP in your virtual network, which satisfies the requirement for private network access. Linking the appropriate private DNS zone to the VNet lets the SQL server name resolve to that private IP automatically. This combination gives the application private connectivity and avoids manual host-file updates or reliance on public endpoints.

Why this answer

Option B is correct because a private endpoint assigns Azure SQL Database a private IP address from the VM's VNet, enabling traffic to stay within Microsoft's backbone. Linking a private DNS zone automatically resolves the SQL server's FQDN (e.g., server.database.windows.net) to that private IP, eliminating the need for custom host-file entries. This meets both requirements: private IP connectivity and DNS resolution without manual configuration.

Exam trap

The trap here is confusing service endpoints with private endpoints; candidates often think a service endpoint provides a private IP, but it only provides source VNet identity while the destination remains a public endpoint, failing the private IP and DNS resolution requirements.

How to eliminate wrong answers

Option A is wrong because a service endpoint only extends the VNet's identity to Azure SQL but does not provide a private IP; the SQL server's public endpoint is still used, and DNS resolution remains public. Option C is wrong because a public IP on the VM and a firewall exception still route traffic over the internet rather than to a private IP inside the VNet, and do not resolve the SQL server name to a private address. Option D is wrong because an NSG rule allowing outbound TCP 1433 only filters traffic; it does not assign a private IP to the SQL server or change DNS resolution.

175
MCQ · easy

Based on the exhibit, what should the administrator create so the storage account is reachable only by private IP from AppSubnet?

A. A private endpoint in AppSubnet for the storage account.
B. A service endpoint on AppSubnet for Microsoft.Storage.
C. A user-defined route to the storage account public IP.
D. An application security group that contains the storage account.
Answer: A

A private endpoint gives the storage account a private IP address in the VNet, which is exactly what the requirement calls for. Because public network access is disabled and DNS is already configured, this completes the private-only access path.

Why this answer

A private endpoint assigns a private IP address from the AppSubnet to the storage account, making it reachable only via private IP within that subnet. This ensures all traffic to the storage account stays within the Microsoft Azure backbone network, eliminating public internet exposure. The private endpoint uses Azure Private Link to map the storage account's PaaS resource to a network interface in the virtual network.

Exam trap

The trap here is confusing service endpoints with private endpoints: service endpoints keep the public endpoint but restrict access via subnet firewall rules, while private endpoints assign a private IP and fully remove public exposure, which is required for reachability only by private IP.

How to eliminate wrong answers

Option B is wrong because a service endpoint on AppSubnet for Microsoft.Storage extends the storage account's public endpoint to the subnet but does not assign a private IP; traffic still uses the public endpoint's IP address, and the storage account remains publicly resolvable. Option C is wrong because a user-defined route to the storage account public IP would force traffic over the public internet via that IP, not restrict access to private IP only. Option D is wrong because an application security group is a logical grouping of VM NICs for network security rules, not a mechanism to make a storage account reachable by private IP.

176
MCQ · medium

A VM has an NSG with these inbound rules: Deny-RDP at priority 100 for TCP 3389 from Any, and Allow-RDP-Admins at priority 200 for TCP 3389 from 10.8.1.0/24. Admins from 10.8.1.0/24 still cannot connect by RDP. What change fixes access while keeping all other sources blocked?

A. Change the deny rule to protocol Any so the allow rule will be evaluated first.
B. Add a UDR that sends TCP 3389 traffic to the VM subnet.
C. Move the allow rule to a lower priority number than 100.
D. Associate an application security group with the VM and keep the existing priorities.
Answer: C

NSG rules are evaluated in priority order, where the lowest number wins. Because the deny rule at priority 100 is matched before the allow rule at 200, the connection is blocked even for the admin subnet. Moving the allow rule to a priority such as 90 makes it the first matching rule, while the deny rule still blocks all other sources afterward.

Why this answer

C is correct because NSG rules are evaluated in priority order, with lower numbers evaluated first. The Deny-RDP rule at priority 100 is evaluated before the Allow-RDP-Admins rule at priority 200, so traffic from 10.8.1.0/24 is denied before the allow rule is reached. Moving the allow rule to a priority lower than 100 (e.g., 90) ensures it is evaluated first, allowing the admin traffic while the deny rule still blocks all other sources.

Exam trap

The trap here is that candidates often think changing the protocol or adding a route or ASG can override the priority-based evaluation order, but the core issue is simply that the deny rule has a lower priority number and is evaluated first.

How to eliminate wrong answers

Option A is wrong because changing the deny rule to protocol Any does not affect evaluation order; NSGs still evaluate rules by priority number, and the deny at priority 100 will still be evaluated before the allow at 200, regardless of protocol scope. Option B is wrong because a User Defined Route (UDR) controls traffic routing at Layer 3, not firewall filtering; it cannot override NSG rule evaluation, and adding a UDR would not change the order of NSG rule processing. Option D is wrong because associating an application security group (ASG) does not change rule priority; the deny rule at priority 100 still takes precedence over the allow rule at priority 200, so admins would still be blocked.

177
MCQ · medium

A backend tier runs on three Azure VMs. The VMs are rebuilt frequently and receive new private IP addresses during redeployment. The administrator must allow inbound TCP 1433 from the app tier without rewriting the NSG rule each time the backend VMs change. What should be used?

A. Individual private IP addresses assigned directly in the NSG rule
B. An application security group referenced by the NSG rule
C. A service endpoint enabled on the subnet
D. A load balancer inbound NAT rule on port 1433
Answer: B

Application security groups let you group VMs logically and reference that group in NSG rules. When the backend VMs are rebuilt or their IPs change, the rule still applies as long as the NICs remain members of the ASG, which reduces manual maintenance.

Why this answer

An application security group (ASG) allows you to group VMs logically (e.g., by tier) and reference that group in a network security group (NSG) rule. When backend VMs are rebuilt and receive new private IPs, the ASG membership is automatically updated, so the NSG rule continues to apply without manual changes. This makes ASG the correct choice for dynamic environments where IP addresses change frequently.

Exam trap

The trap here is that candidates often confuse application security groups with network security groups or think that a load balancer or service endpoint can solve dynamic IP changes, but only ASGs provide a logical grouping that automatically follows VM IP changes without manual rule updates.

How to eliminate wrong answers

Option A is wrong because using individual private IP addresses in an NSG rule requires manual updates each time a backend VM is rebuilt and gets a new IP, which violates the requirement to avoid rewriting rules. Option C is wrong because a service endpoint extends a VNet to a specific Azure service (e.g., Azure SQL Database) and does not control inbound traffic between tiers within the same VNet; it is irrelevant for allowing TCP 1433 between app and backend VMs. Option D is wrong because a load balancer inbound NAT rule maps a frontend port to a specific backend VM's IP and port; it does not dynamically adapt to changing private IPs of multiple backend VMs and would require updating the NAT rule each time a VM is redeployed.

178
Multi-Select · hard

A VM in VNet-Prod must connect to Azure SQL Database over a private IP address. The SQL server must not be reachable through its public endpoint, and the VM should resolve the server name automatically without manual DNS entries. Which three actions are required? Select three.

Select 3 answers
A. Create a private endpoint for the Azure SQL server in VNet-Prod.
B. Create the private DNS zone privatelink.database.windows.net.
C. Link the private DNS zone to VNet-Prod.
D. Enable a service endpoint for Microsoft.Sql on the subnet instead of using a private endpoint.
E. Leave public network access enabled and add the VNet as an allowed firewall rule.
Answers: A, B, C

A private endpoint gives the SQL server a private IP address inside the virtual network.

Why this answer

Option A is correct because a private endpoint assigns a private IP address from VNet-Prod to the Azure SQL server, enabling connectivity over a private IP while blocking the public endpoint. This ensures the SQL server is not reachable through its public endpoint, meeting the requirement for private connectivity.

Exam trap

The trap here is that candidates often confuse service endpoints with private endpoints, not realizing that service endpoints do not provide a private IP or block public access, and that leaving public access enabled contradicts the requirement for private-only connectivity.

179
MCQ · medium

A payroll application in a VNet must access an Azure Storage account containing confidential blobs. The security team requires the storage account to be reachable only over a private IP, and public network access must be disabled. Which feature should the administrator implement?

A. A service endpoint for Microsoft.Storage on the application subnet.
B. A private endpoint for the storage account in the VNet.
C. A shared access signature embedded in the application configuration.
D. A VPN gateway connection between the subnet and the storage account.
Answer: B

A private endpoint gives the storage account a private IP address from the VNet address space, allowing traffic to stay on private connectivity. This matches the requirement to disable public network access while still letting the application reach blob data. The private endpoint also integrates with DNS so the storage FQDN resolves to the private address. That design is the correct choice when access must be restricted to a private path only.

Why this answer

A private endpoint assigns the storage account a private IP address from the VNet, enabling secure access over a private connection while completely disabling public network access. This meets the security team's requirement because traffic never traverses the public internet, and the storage account's firewall can be configured to deny all public traffic.

Exam trap

The trap here is that candidates confuse service endpoints with private endpoints, not realizing that service endpoints still use the public endpoint and cannot disable public network access, whereas private endpoints provide a true private IP and full public access disablement.

How to eliminate wrong answers

Option A is wrong because a service endpoint exposes the storage account to the entire subnet via public IPs, not a private IP, and does not allow disabling public network access; it only routes traffic over the Microsoft backbone but still uses the storage account's public endpoint. Option C is wrong because a shared access signature (SAS) is a token for delegated access to storage resources, but it still requires the storage account to have public network access enabled and does not provide private IP connectivity. Option D is wrong because a VPN gateway connects on-premises networks or other VNets to the VNet, but it does not assign a private IP to the storage account within the VNet and still relies on the storage account's public endpoint for access.

180
MCQ · hard

A spoke subnet has a user-defined route for 10.60.0.0/16 that sends traffic to a virtual appliance at 10.1.0.4. The same subnet also learns a propagated route for 10.60.0.0/16 from a VPN gateway. A VM in the subnet sends traffic to 10.60.7.25. Which next hop will Azure use?

A. The virtual appliance at 10.1.0.4
B. The VPN gateway
C. The Internet
D. No next hop is available
Answer: A

A user-defined route with the same prefix takes precedence over a propagated route for that destination.

Why this answer

Azure uses the most specific route match, and user-defined routes (UDRs) take precedence over propagated routes (BGP) for the same prefix. Since the UDR for 10.60.0.0/16 with next hop 10.1.0.4 is more specific than the propagated route from the VPN gateway, traffic to 10.60.7.25 is forwarded to the virtual appliance.

Exam trap

The trap here is that candidates assume BGP-propagated routes always take precedence over UDRs, but Azure gives UDRs higher priority for the same prefix, and the longest prefix match rule is applied first.

How to eliminate wrong answers

Option B is wrong because propagated routes from a VPN gateway have a lower priority than user-defined routes for the same prefix; Azure uses the route with the longest prefix match and then the lowest administrative distance, where UDRs override BGP. Option C is wrong because there is no default route (0.0.0.0/0) or Internet next hop specified in the route table for this subnet, and the traffic matches a specific UDR. Option D is wrong because a valid next hop exists via the UDR; Azure will always use the most specific matching route, and if no route matches, it would fall back to the system default route, but here a match exists.

181
MCQ · medium

A team is creating a subnet for 48 small Linux VMs, two internal load balancer frontend IPs, and one Azure Bastion host. Azure reserves five IP addresses in every subnet. Which subnet prefix is the smallest that will still meet the requirement?

A. /27
B. /26
C. /25
D. /28
Answer: B

A /26 provides 64 total addresses, and Azure reserves five, leaving 59 usable addresses. That is enough for 48 VMs, two load balancer frontend IPs, and one Bastion host.

Why this answer

The correct answer is /26 because it provides 64 total IP addresses, of which Azure reserves 5, leaving 59 usable IPs. This is the smallest prefix that accommodates the 48 VMs, 2 load balancer frontend IPs, and 1 Bastion host (total 51 required IPs). A /27 would only yield 32 total IPs (27 usable), which is insufficient.

Exam trap

The trap here is that candidates often forget Azure reserves 5 IPs per subnet and incorrectly calculate usable IPs as 2^(32-prefix) - 2 (like on-premises), leading them to choose /27 (thinking 30 usable IPs are enough) or /28 (thinking 14 usable IPs are enough).

How to eliminate wrong answers

Option A (/27) is wrong because it provides only 32 total IP addresses (27 usable after Azure reserves 5), which is insufficient for the 51 required IPs. Option C (/25) is wrong because while it provides 128 total IPs (123 usable), it is not the smallest prefix that meets the requirement; /26 is smaller and sufficient. Option D (/28) is wrong because it provides only 16 total IPs (11 usable), far below the 51 required.

182
MCQ · medium

A team deployed a private endpoint for an Azure Storage account in VNet-A. The private endpoint is healthy, but VMs in VNet-A still resolve the storage account name to the public IP address. What should the administrator configure next?

A. Add a route table that sends storage traffic to the private endpoint.
B. Link the appropriate private DNS zone to VNet-A.
C. Create a network security group rule that allows outbound HTTPS.
D. Enable service endpoints for Microsoft.Storage on the subnet.
Answer: B

Private endpoints depend on DNS so client requests resolve the service name to the private IP rather than the public endpoint. If VMs in VNet-A still receive the public address, the private DNS zone is not linked or not configured correctly for that VNet. Linking the zone ensures the Azure-provided or custom DNS path returns the private endpoint address, allowing the workloads to reach the storage account privately as intended.

Why this answer

When a private endpoint is deployed, the storage account's FQDN must resolve to the private IP address within the virtual network. By default, Azure Private DNS zones (privatelink.blob.core.windows.net) are not automatically linked to the virtual network. Linking the private DNS zone to VNet-A enables DNS resolution of the storage account name to the private endpoint's IP address instead of the public IP.

Exam trap

The trap here is that candidates often confuse network-level controls (route tables, NSGs, service endpoints) with DNS resolution, assuming that a healthy private endpoint alone will automatically change how the storage account name is resolved.

How to eliminate wrong answers

Option A is wrong because route tables control network traffic flow at Layer 3, not DNS resolution; adding a route to the private endpoint's IP would not change how the storage account name is resolved. Option C is wrong because NSG rules control allowed or denied traffic based on IP addresses and ports, but they do not affect DNS resolution; outbound HTTPS is already typically allowed by default. Option D is wrong because service endpoints provide direct connectivity to Azure services over the Microsoft backbone but do not change DNS resolution behavior; they also do not replace the need for a private DNS zone when using private endpoints.

183
MCQ · hard

Traffic from VM-App01 is unexpectedly reaching the internet through a network virtual appliance. You need to determine which route is currently applied to the virtual machine network interface. Which Azure tool should you use?

A. Effective routes for the network interface
B. NSG flow logs
C. Azure Advisor recommendations
D. Diagnostic settings for the activity log
Answer: A

Effective routes reveal the current routing entries applied to the VM NIC.

Why this answer

Effective routes for the network interface show the actual routes applied to a VM's NIC, including system routes, BGP routes, and user-defined routes (UDRs). Since traffic is unexpectedly reaching the internet through an NVA, you need to verify which route (e.g., a UDR with next hop type VirtualAppliance) is currently active. This tool directly displays the effective route table for the specific NIC, allowing you to identify the misconfigured route.

Exam trap

The trap here is that candidates often confuse network security group (NSG) flow logs with routing diagnostics, but NSG flow logs only show traffic filtering decisions, not the path traffic takes based on routes.

How to eliminate wrong answers

Option B is wrong because NSG flow logs record allowed/denied traffic flows based on network security group rules, not routing decisions; they cannot show which route is applied to the NIC. Option C is wrong because Azure Advisor provides best-practice recommendations for reliability, security, and cost, but it does not display the effective routes for a specific VM NIC. Option D is wrong because diagnostic settings for the activity log capture control-plane events (e.g., resource creation or modification), not the data-plane routing state of a network interface.

184
MCQmedium

A subnet is associated with a NAT gateway, but outbound traffic from the VMs still leaves through a network virtual appliance because the subnet has a user-defined route for 0.0.0.0/0 with next hop type Virtual appliance. The workload must use the NAT gateway for internet-bound traffic while keeping more specific routes intact. What should the administrator change?

A. Disable the subnet's network security group so the NAT gateway can take effect.
B. Remove the 0.0.0.0/0 user-defined route from the subnet route table.
C. Enable gateway route propagation on the route table.
D. Attach a public IP address to each virtual machine NIC.
Answer: B

A default UDR to a virtual appliance overrides the system default route, so the NAT gateway never becomes the effective internet egress path. Removing that default route restores normal outbound routing, and the NAT gateway can then provide the public source IP for internet-bound traffic. More specific UDRs for private prefixes can remain in place.

Why this answer

The NAT gateway is designed to provide outbound connectivity for VMs in the subnet, but a user-defined route (UDR) for 0.0.0.0/0 with next hop type Virtual appliance overrides the default route to the NAT gateway. By removing that UDR, the subnet's default route reverts to the system route, which directs internet-bound traffic to the NAT gateway's public IP. More specific routes (e.g., to on-premises networks) remain intact because they are not affected by the removal of the 0.0.0.0/0 route.

Exam trap

The trap here is that candidates often think a NAT gateway requires a UDR to function, when in fact the NAT gateway works via the system default route and a UDR for 0.0.0.0/0 with a different next hop type will override it, breaking the NAT gateway's intended behavior.

How to eliminate wrong answers

Option A is wrong because disabling the network security group (NSG) does not affect routing; NSGs filter traffic based on rules but do not influence the path traffic takes to the internet. Option C is wrong because enabling gateway route propagation adds routes from a virtual network gateway (e.g., VPN/ExpressRoute) to the route table, but it does not remove or override the existing 0.0.0.0/0 UDR; the UDR still takes precedence over propagated routes. Option D is wrong because attaching a public IP to each VM NIC would give each VM its own outbound public IP, bypassing the NAT gateway entirely and defeating the purpose of using a shared NAT gateway for outbound traffic.

185
MCQ · medium

A storage account has public network access disabled. A VM in VNet-App can reach a private endpoint for the account, but the storage name still resolves to the public IP address from the VM, and connections are denied. What should the administrator configure?

A. A service endpoint on the subnet so the storage account uses a private IP address.
B. A private DNS zone for the storage blob endpoint linked to VNet-App.
C. A storage account access key on the VM so the public endpoint will accept the connection.
D. A user-defined route sending storage traffic to the virtual network gateway.
Answer: B

Private DNS is needed so the blob FQDN resolves to the private endpoint IP inside the VNet.

Why this answer

When public network access is disabled on a storage account and a private endpoint is configured, the storage account's public DNS name must resolve to the private endpoint's private IP address within the virtual network. By default, the DNS name continues to resolve to the public IP address, causing connection failures. Linking a private DNS zone (privatelink.blob.core.windows.net) to VNet-App enables automatic resolution of the storage blob endpoint to the private IP address, allowing the VM to connect successfully.

Exam trap

The trap here is that candidates confuse service endpoints (which still use the public endpoint) with private endpoints (which use a private IP address), and assume that disabling public network access alone is sufficient without configuring DNS resolution to point to the private endpoint.

How to eliminate wrong answers

Option A is wrong because a service endpoint does not assign a private IP address to the storage account; it only allows the storage account to accept traffic from the subnet via its public endpoint, and public network access is disabled, so this would not work. Option C is wrong because the storage account access key is used for authentication, not for network connectivity; even with the correct key, the VM cannot reach the public endpoint when public network access is disabled. Option D is wrong because a user-defined route sending storage traffic to the virtual network gateway is unnecessary and does not change DNS resolution; the issue is DNS resolution, not routing.

186
MCQ · easy

A company wants to peer two Azure virtual networks so that workloads can communicate privately. VNet-A uses 10.10.0.0/16. VNet-B is being designed now. Which address space should be chosen for VNet-B?

A. 10.10.5.0/24, because it is a smaller subnet inside the same private range.
B. 10.11.0.0/16, because it does not overlap and is still within a private IPv4 range.
C. 10.10.0.0/24, because peering automatically separates overlapping subnets.
D. 192.168.1.0/24, because peered networks must always use the 192.168.x.x range.
Answer: B

This is a non-overlapping private address space, which is required for VNet peering to work properly.

Why this answer

Option B is correct because VNet peering requires non-overlapping address spaces to enable direct private IP connectivity between resources. 10.11.0.0/16 is a unique private IPv4 range (RFC 1918) that does not overlap with VNet-A's 10.10.0.0/16, ensuring successful peering without routing conflicts.

Exam trap

The trap here is that candidates assume smaller subnets within the same larger range can be peered because they are 'different subnets,' but Azure VNet peering requires completely non-overlapping address spaces at the VNet level, not just at the subnet level.

How to eliminate wrong answers

Option A is wrong because 10.10.5.0/24 is a subnet within the 10.10.0.0/16 range, causing address overlap that prevents VNet peering from establishing direct routes. Option C is wrong because 10.10.0.0/24 is also a subset of VNet-A's address space, and peering does not automatically separate overlapping subnets—overlap leads to routing ambiguity and peering failure. Option D is wrong because peered networks are not required to use the 192.168.x.x range; any RFC 1918 private address space (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) or public IPs can be used as long as they do not overlap.

187
MCQ · medium

An administrator is deploying a site-to-site VPN gateway in Azure. The GatewaySubnet already exists, but the deployment fails because no public-facing address is available for the gateway. What is required for the gateway to deploy and accept the on-premises connection?

A. Assign a standard Load Balancer to the GatewaySubnet.
B. Create a private endpoint for the virtual network gateway.
C. Create and associate a public IP address with the VPN gateway.
D. Delegate the GatewaySubnet to Microsoft.Network/privateEndpoints.
Answer: C

A site-to-site VPN gateway needs a public IP address so the on-premises VPN device can establish and maintain the tunnel to Azure. The GatewaySubnet is the correct dedicated subnet, but it is not enough by itself. The gateway also requires a public-facing address resource assigned during deployment so it can receive VPN connections from outside Azure.

Why this answer

A site-to-site VPN gateway in Azure requires a public IP address to establish the encrypted tunnel with the on-premises VPN device. The public IP address is assigned to the gateway's frontend configuration, enabling it to send and receive IPsec/IKE traffic over the internet. Without this public-facing address, the gateway cannot be provisioned or accept the on-premises connection.

Exam trap

The trap here is that candidates may confuse the GatewaySubnet delegation requirement (which is already satisfied by default) with the need for a public IP address, or incorrectly think a Load Balancer or private endpoint can substitute for the public IP that is mandatory for site-to-site VPN connectivity.

How to eliminate wrong answers

Option A is wrong because a standard Load Balancer is not used with VPN gateways; VPN gateways use a dedicated public IP address for the IPsec tunnel, not a load balancer. Option B is wrong because a private endpoint is used to connect privately to Azure PaaS services (e.g., Storage, SQL) over a private IP, not to provide public connectivity for a VPN gateway. Option D is wrong because delegating the GatewaySubnet to Microsoft.Network/privateEndpoints is for private endpoints, not for VPN gateways; VPN gateways require the GatewaySubnet to be delegated to Microsoft.Network/virtualNetworkGateways.

188
MCQ · medium

An application VM in a subnet without a public IP must access Azure Blob Storage. The storage account must not be reachable from the public internet, and DNS resolution should stay inside the virtual network. What should you implement?

A. Enable a service endpoint for Microsoft.Storage on the subnet and keep the public endpoint enabled.
B. Create a private endpoint for the storage account and link the appropriate private DNS zone.
C. Use a SAS token and allow access from any network for the storage account.
D. Assign a managed identity to the VM and remove all network restrictions from the storage account.
Answer: B

A private endpoint gives the storage service a private IP in the VNet, and private DNS keeps name resolution internal.

Why this answer

Option B is correct because a private endpoint assigns the storage account a private IP from the VM's virtual network, making it reachable without public internet exposure. Linking the private DNS zone ensures that DNS resolution for the storage account (e.g., `mystorageaccount.blob.core.windows.net`) resolves to the private IP within the VNet, meeting both requirements.

Exam trap

The trap here is confusing service endpoints with private endpoints; service endpoints only secure traffic to the public endpoint via the VNet but do not remove public internet accessibility, whereas private endpoints fully isolate the resource within the VNet.

How to eliminate wrong answers

Option A is wrong because a service endpoint keeps the public endpoint enabled, meaning the storage account is still reachable from the public internet, which violates the requirement that the storage account must not be reachable from the public internet. Option C is wrong because a SAS token does not restrict network access; allowing access from any network exposes the storage account to the public internet, contradicting the requirement. Option D is wrong because removing all network restrictions from the storage account makes it publicly accessible, and a managed identity alone does not prevent public internet access.

189
MCQ · medium

You removed public IP addresses from a backend subnet containing 20 VMs. The VMs still need outbound internet access for updates, and the organization wants all outbound traffic to appear from one predictable public IP. No inbound publishing is required. Which Azure service should you use?

A. A public load balancer with inbound NAT rules for each VM.
B. Azure NAT Gateway associated with the subnet.
C. A private load balancer with a backend pool of the VMs.
D. A VPN gateway connection to a remote network.
Answer: B

NAT Gateway provides outbound-only internet connectivity with a stable public IP or public IP prefix.

Why this answer

Azure NAT Gateway is the correct choice because it provides outbound-only internet connectivity for a subnet, translating all VM traffic to a single public IP address without requiring inbound NAT rules or a load balancer. It supports SNAT (Source Network Address Translation) for up to 64,000 concurrent flows per IP, meeting the requirement for predictable outbound IP and no inbound publishing.

Exam trap

The trap here is that candidates often confuse Azure NAT Gateway with a public load balancer for outbound traffic, mistakenly thinking inbound NAT rules are required for outbound connectivity, or assume a private load balancer can provide internet access via some indirect method.

How to eliminate wrong answers

Option A is wrong because a public load balancer with inbound NAT rules is designed for inbound traffic distribution and per-VM RDP/SSH access, not for providing a single outbound IP for all VMs; it would require separate public IPs or outbound rules, adding complexity and cost. Option C is wrong because a private load balancer only handles internal traffic within the virtual network and cannot provide outbound internet access or public IP translation. Option D is wrong because a VPN gateway connects to a remote network (e.g., on-premises) and does not provide direct outbound internet access; it would route traffic through the remote network, not to the internet from a single predictable public IP.

190
MCQ · medium

A subnet NSG contains these inbound rules: Deny-All-Inbound at priority 300, Allow-HTTPS-From-Bastion at priority 200, and Allow-HTTPS-From-AdminIP at priority 350. An administrator expects a management workstation on the internet to connect to a VM over TCP 443, but the connection is blocked. What is the most likely reason?

A. NSG rules are evaluated from the highest priority number to the lowest priority number.
B. The deny rule at priority 300 is matched before the allow rule at priority 350.
C. Azure NSGs cannot allow inbound traffic from public IP addresses.
D. TCP 443 requires an application security group to be used as the source.
Answer: B

NSG rules are processed in ascending order, where the lowest priority number wins. In this case, Deny-All-Inbound at 300 is evaluated before the new allow rule at 350. Because the deny rule matches inbound traffic first, the packet is blocked and the later allow rule never gets a chance. The fix is to give the allow rule a lower number than 300 or otherwise narrow the deny rule.

Why this answer

NSG rules are evaluated in ascending order of priority number, so the rule with the lowest number is checked first and the highest number last. The Allow-HTTPS-From-AdminIP rule at priority 350 is therefore evaluated after the Deny-All-Inbound rule at priority 300. Because the deny rule at 300 matches all inbound traffic before the allow rule at 350 is ever reached, the traffic is blocked.

The administrator's connection from the internet is denied because the deny rule with a lower priority number (300) takes precedence over the allow rule with a higher priority number (350).

Exam trap

The trap here is that candidates often confuse 'priority' with 'order of evaluation,' mistakenly thinking higher priority numbers are evaluated first, when in fact lower numbers (higher priority) are evaluated first, causing the deny rule to block traffic before the allow rule is checked.

How to eliminate wrong answers

Option A is wrong because NSG rules are evaluated from the lowest priority number (highest precedence) to the highest priority number (lowest precedence), not the reverse. Option C is wrong because Azure NSGs can allow inbound traffic from public IP addresses by specifying the public IP or a range as the source in an allow rule. Option D is wrong because TCP 443 does not require an application security group; ASGs are an optional feature for grouping VMs, not a requirement for allowing traffic on a specific port.

191
MCQ · medium

A subnet contains 15 backend VMs that only need outbound internet access for patching and package downloads. Security wants all outbound connections to use one static public IP address, and no VM should have a public IP assigned directly. What should you configure?

A. A public Standard Load Balancer with outbound rules for the backend pool.
B. A NAT gateway associated with the subnet.
C. A public IP address on each virtual machine so all outbound traffic is traceable.
D. An internal load balancer with a private frontend IP.
Answer: B

A NAT gateway is designed for outbound-only connectivity from a subnet and provides a predictable public IP or prefix for SNAT. It satisfies the requirement for one static outbound address without assigning public IPs to individual VMs or exposing inbound access. This is the preferred Azure pattern for backend VMs that only need internet egress.

Why this answer

A NAT gateway is the correct choice because it provides outbound internet connectivity for all VMs in a subnet using a single static public IP address, without assigning public IPs to the VMs themselves. It handles source network address translation (SNAT) for outbound traffic, ensuring that all connections appear to originate from the configured public IP. This meets the security requirement of a single static IP for patching and package downloads.

Exam trap

The trap here is that candidates often confuse a NAT gateway with a load balancer, assuming a load balancer is needed for outbound traffic, but a load balancer is designed for inbound traffic distribution and does not provide outbound-only SNAT without additional rules or a separate NAT gateway.

How to eliminate wrong answers

Option A is wrong because a public Standard Load Balancer with outbound rules requires VMs to be in a backend pool and typically relies on default outbound access or a separate NAT gateway for SNAT; it does not natively provide a single static IP for all outbound traffic from a subnet without additional configuration, and it adds complexity and cost for a scenario that only needs outbound connectivity. Option C is wrong because assigning a public IP to each VM directly violates the security requirement that no VM should have a public IP assigned, and it also prevents using a single static IP for all outbound traffic. Option D is wrong because an internal load balancer with a private frontend IP cannot provide outbound internet access; it only handles traffic within the virtual network and does not perform SNAT to a public IP.

192
MCQ · medium

Based on the exhibit, which change should you make so the VM reaches the blob service over a private IP address?

A. Enable a service endpoint on the subnet and keep the current DNS configuration.
B. Create a private endpoint for the storage account and link the appropriate private DNS zone.
C. Assign the VM a public IP address and allow it through the storage firewall.
D. Add the VM to a network security group that allows outbound TCP 443 to Azure Storage.
Answer: B

A private endpoint gives the storage service a private IP address inside the VNet, and private DNS ensures the blob name resolves to that private address. That directly matches the requirement to reach the service privately while keeping public network access disabled.

Why this answer

Option B is correct because a private endpoint assigns the storage account a private IP address from the VM's virtual network, enabling direct connectivity over a private IP. Linking the private endpoint to a private DNS zone ensures that the storage account's FQDN resolves to the private IP instead of the public endpoint, meeting the requirement without exposing traffic to the internet.

Exam trap

The trap here is that candidates confuse service endpoints (which only provide firewall-level access via the public endpoint) with private endpoints (which provide a true private IP address and private DNS resolution), leading them to choose Option A incorrectly.

How to eliminate wrong answers

Option A is wrong because a service endpoint only extends the storage account's firewall rules to the subnet, but the storage account's FQDN still resolves to a public IP address, not a private IP. Option C is wrong because assigning the VM a public IP address and allowing it through the storage firewall still forces traffic over the public internet, not a private IP. Option D is wrong because adding the VM to an NSG that allows outbound TCP 443 to Azure Storage only controls firewall rules; it does not change the DNS resolution or routing to use a private IP address.

193
MCQ · medium

You need to allow RDP access from the internet to a Windows VM named VM-Admin01 in Azure. The VM already has a public IP address. Which additional configuration is required?

A. A private DNS zone
B. An NSG rule allowing inbound TCP 3389
C. A user-defined route to Azure Monitor
D. A blob lifecycle management rule
Answer: B

RDP requires an inbound allow rule for TCP 3389.

Why this answer

An NSG (Network Security Group) rule allowing inbound TCP port 3389 is required to permit Remote Desktop Protocol (RDP) traffic from the internet to reach the Windows VM. Even though the VM has a public IP address, Azure NSGs act as a stateful firewall at the subnet or NIC level, and by default all inbound traffic is denied unless explicitly allowed. Without this rule, RDP connection attempts will be blocked.

Exam trap

The trap here is that candidates assume a public IP address alone is sufficient for inbound internet access, forgetting that Azure VMs are protected by a default-deny NSG that must explicitly allow inbound traffic like RDP.

How to eliminate wrong answers

Option A is wrong because a private DNS zone is used for resolving names within a virtual network (e.g., custom domain names) and has no role in allowing inbound RDP traffic from the internet. Option C is wrong because a user-defined route (UDR) controls network traffic flow between subnets or to virtual appliances, not firewall rules for inbound access; Azure Monitor is a monitoring service, not a routing destination. Option D is wrong because a blob lifecycle management rule is used to automate tiering or deletion of blobs in Azure Storage, and is irrelevant to VM network access.

194
MCQ · medium

A team wants one subnet to access an existing Storage account over its public endpoint. They do not want a private IP for the account or any DNS changes, but they want to block access from all other subnets. What should the administrator configure?

A. Create a private endpoint and disable public network access on the storage account.
B. Enable a service endpoint on the subnet and add a virtual network rule on the storage account.
C. Assign the Storage Blob Data Reader role to the subnet.
D. Associate a route table with a default route to the storage account private IP.
Answer: B

Service endpoints preserve the public endpoint while restricting access to the selected subnet.

Why this answer

Option B is correct because a service endpoint extends the virtual network's identity to the Azure Storage service, allowing the subnet to access the storage account over its public endpoint without requiring a private IP or DNS changes. By enabling a service endpoint on the subnet and adding a virtual network rule on the storage account, you restrict access to only that subnet while blocking all other subnets, meeting the team's requirements.

Exam trap

The trap here is that candidates often confuse service endpoints with private endpoints, assuming that private endpoints are required for secure access, but the question explicitly states no private IP or DNS changes are desired, making service endpoints the correct choice.

How to eliminate wrong answers

Option A is wrong because creating a private endpoint assigns a private IP to the storage account and disables public network access, which contradicts the requirement of using the public endpoint without private IP or DNS changes. Option C is wrong because assigning the Storage Blob Data Reader role to a subnet is not a valid Azure RBAC assignment; RBAC roles are assigned to security principals (users, groups, service principals), not to subnets, and it does not control network-level access. Option D is wrong because associating a route table with a default route to the storage account's private IP would require a private endpoint and would not block access from other subnets; it also does not leverage the public endpoint as required.

195
MCQ · hard

A network team centralizes DHCP in a data center. Users in a remote branch stop receiving addresses after the branch router is replaced. Which missing configuration on the branch gateway is the strongest suspect?

A. DHCP relay or helper configuration on the client-facing gateway interface
B. A spanning-tree priority change on the branch switch
C. A CAPWAP tunnel from the branch PCs to the data center
D. A voice VLAN configuration on the WAN interface
Answer: A

This is correct because centralized DHCP depends on the local gateway relaying the broadcast requests.

Why this answer

When a DHCP server is centralized in a data center, remote clients rely on the branch gateway to forward their broadcast DHCP requests as unicast to the server. This is achieved by configuring a DHCP relay agent (`ip helper-address`) on the client-facing interface of the branch router. Without this configuration, DHCP broadcasts are dropped at the router, and clients never receive IP addresses.

Exam trap

The trap here is that candidates may confuse DHCP relay with other broadcast-forwarding mechanisms or assume that DHCP works automatically across routers, forgetting that routers by default do not forward broadcasts unless explicitly configured with `ip helper-address`.

Why the other options are wrong

B

A spanning-tree priority change on the branch switch does not directly affect DHCP address allocation; it primarily influences the topology and path selection of the network. Since the issue is related to DHCP address assignment, this option is not relevant.

C

A CAPWAP tunnel is used for managing lightweight access points and does not directly relate to DHCP address assignment. Since the issue is with users not receiving DHCP addresses, a CAPWAP tunnel would not be the cause of the problem.

D

A voice VLAN configuration on the WAN interface is unrelated to DHCP address assignment issues, as voice VLANs are used for prioritizing voice traffic rather than facilitating DHCP communication.

196
MCQ · hard

A team is creating a new workload subnet in a spoke virtual network. The subnet must support 41 VM NICs, 2 internal load balancer frontend IP configurations, 3 private endpoint IPs, and 4 spare IPs for near-term growth. Azure reserves 5 IP addresses in every subnet. What is the smallest IPv4 subnet size that satisfies the requirement?

A. /27, because 32 total addresses are enough for a small workload subnet.
B. /26, because 64 total addresses provide enough usable IPs for the workload and growth.
C. /25, because 128 total addresses are required once private endpoints are included.
D. /28, because 16 total addresses are sufficient when load balancers are used.
Answer: B

A /26 contains 64 total addresses. After Azure reserves 5, 59 remain usable, which covers 41 VM NICs, 2 load balancer frontend IPs, 3 private endpoint IPs, and 4 spare addresses. This is the smallest subnet size that meets the stated requirement without wasting a larger block than necessary.

Why this answer

The total IP addresses required are 41 (VM NICs) + 2 (ILB frontends) + 3 (private endpoints) + 4 (spare) + 5 (Azure reserved) = 55 IPs. A /26 subnet provides 64 total addresses, of which 59 are usable (64 - 5 reserved), which meets the requirement. Option B is correct because /26 is the smallest subnet that provides enough usable IPs.

Exam trap

The trap here is that candidates often forget to include the 5 Azure-reserved IPs in their calculation, or they mistakenly think private endpoints or load balancer frontends do not consume subnet IPs, leading them to choose a smaller subnet like /27 or /28.

How to eliminate wrong answers

Option A is wrong because /27 provides only 32 total addresses (27 usable), which is insufficient for the 55 required IPs. Option C is wrong because /25 provides 128 total addresses (123 usable), which is larger than necessary and not the smallest subnet that satisfies the requirement. Option D is wrong because /28 provides only 16 total addresses (11 usable), which is far too small for the 55 required IPs, regardless of load balancer usage.

197
MCQ · hard

A Windows VM in Azure has a public IP address, but administrators on the internet cannot connect by using Remote Desktop. You confirm that the VM is running and the guest firewall allows RDP. What is the most likely Azure-side cause?

A. The NSG does not allow inbound TCP 3389
B. The storage account uses LRS
C. Azure Advisor is not enabled
D. The VM is in an availability set
Answer: A

An NSG deny or missing allow rule on TCP 3389 will block RDP access.

Why this answer

The most likely Azure-side cause is that a Network Security Group (NSG) associated with the VM's subnet or network interface is blocking inbound traffic on TCP port 3389 (RDP). Even if the VM is running and the guest OS firewall allows RDP, an NSG rule must explicitly permit inbound TCP 3389 from the internet (or a specific source) for Remote Desktop connections to succeed. Without such a rule, the NSG silently drops the packets before they reach the VM.

Exam trap

The trap here is that candidates often assume the guest OS firewall is the only barrier for RDP, overlooking that Azure's NSG acts as a separate, mandatory network-level filter that must explicitly allow inbound TCP 3389 from the internet.

How to eliminate wrong answers

Option B is wrong because the storage account's replication type (LRS, GRS, etc.) affects data durability and availability, not network connectivity or RDP access. Option C is wrong because Azure Advisor provides recommendations for best practices (cost, security, reliability) but does not control network traffic or firewall rules; enabling it has no impact on RDP connectivity. Option D is wrong because an availability set is a logical grouping for high availability of VMs within a region; it does not impose any network restrictions or block inbound RDP traffic.

198
Multi-Select · easy

A company wants an Azure Storage account to be reachable privately from a virtual network. Which two statements about a private endpoint are correct? Select two.

Select 2 answers
A. The storage service gets a private IP address in the selected virtual network.
B. The virtual machine that reaches the service must have its own public IP address.
C. A private endpoint replaces the need for any DNS configuration.
D. A private DNS zone is commonly used so the service name resolves to the private IP.
E. A private endpoint and a service endpoint are the same feature.
Answers: A, D

Correct because a private endpoint creates a network interface in your virtual network and maps the Azure service to a private IP address there.

Why this answer

Option A is correct because a private endpoint assigns the Azure Storage service a private IP address from the subnet of the selected virtual network, effectively bringing the service inside the virtual network. This ensures that traffic to the storage account stays within the Microsoft backbone network and never traverses the public internet, meeting private connectivity requirements.

Exam trap

The trap here is that candidates often confuse private endpoints with service endpoints, thinking both provide a private IP address, but only private endpoints assign a private IP from the VNet, while service endpoints rely on public IPs with network security group (NSG) restrictions.

199
MCQ · easy

Based on the exhibit, VM name resolution works for IP addresses but fails for internal hostnames. What should the administrator configure on the spoke VNet?

A. Keep Azure-provided DNS because the spoke can already reach the hub by IP.
B. Configure the spoke VNet to use 10.20.0.4 as a custom DNS server.
C. Create a private endpoint for app01.corp.local in the spoke VNet.
D. Enable a NAT gateway on the spoke subnet.
Answer: B

The exhibit shows the hub has a custom DNS server at 10.20.0.4, but the spoke is still using Azure-provided DNS. To resolve internal names such as app01.corp.local, the spoke VNet must point to the custom DNS server that knows that zone. After that change, VMs in the spoke can use the hub DNS service for name resolution.

Why this answer

The hub VNet uses a custom DNS server at 10.20.0.4 (likely a Windows Server with DNS role) that can resolve internal hostnames like app01.corp.local. The spoke VNet is currently using Azure-provided DNS, which cannot resolve custom private DNS zones. By configuring the spoke VNet to use 10.20.0.4 as a custom DNS server, the spoke VMs will forward DNS queries to the hub DNS server, enabling hostname resolution for internal resources.

Exam trap

The trap here is that candidates assume Azure-provided DNS can resolve custom hostnames across peered VNets, but it only resolves names within the same VNet unless a custom DNS server or Azure Private DNS Zone is configured.

How to eliminate wrong answers

Option A is wrong because Azure-provided DNS cannot resolve custom private DNS names like app01.corp.local; it only provides automatic hostname resolution for VMs within the same VNet. Option C is wrong because a private endpoint is used to securely access Azure PaaS services over a private IP, not to resolve internal hostnames across VNets. Option D is wrong because a NAT gateway provides outbound internet connectivity with source network address translation, not DNS resolution services.

200
MCQ · medium

A company has a hub virtual network with a DNS server VM at 10.50.0.4 that hosts internal names such as app01.corp.local. A spoke virtual network is already peered to the hub. VMs in the spoke can reach resources in the hub by IP address, but they cannot resolve the internal host names. The company wants to keep DNS centralized and avoid deploying another DNS server in the spoke. What should the administrator configure?

A. Create a private DNS zone for corp.local and link it only to the spoke subnet.
B. Set the spoke virtual network to use 10.50.0.4 as a custom DNS server.
C. Add a user-defined route in the spoke to send DNS traffic to the hub VNet.
D. Enable gateway transit on the peering and set use remote gateways on the spoke.
Answer: B

Configuring the spoke VNet with the hub DNS server IP sends name-resolution requests to the centralized server. Because VNet peering already provides network connectivity, the spoke can query 10.50.0.4 directly for internal names without deploying a second DNS server.

Why this answer

Option B is correct because the spoke virtual network must be configured to use the hub DNS server (10.50.0.4) as a custom DNS server. This ensures that all VMs in the spoke send DNS queries to the hub server, which hosts the internal zone for corp.local. Since the hub and spoke are already peered, DNS traffic can flow over the peering connection without additional routing, keeping DNS centralized.

Exam trap

The trap here is that candidates often confuse DNS resolution with routing or gateway transit, thinking they need to add a UDR or enable gateway features to forward DNS queries, when the real fix is simply changing the DNS server setting on the spoke VNet to point to the hub's DNS server IP.

How to eliminate wrong answers

Option A is wrong because a private DNS zone for corp.local linked only to the spoke subnet would require deploying a separate DNS infrastructure in the spoke, contradicting the requirement to keep DNS centralized and avoid another DNS server. Option C is wrong because a user-defined route (UDR) to send DNS traffic to the hub VNet is unnecessary; DNS traffic already traverses the VNet peering by default, and the issue is the DNS server address configuration, not routing. Option D is wrong because enabling gateway transit and use remote gateways is for allowing the spoke to use the hub's VPN/ExpressRoute gateway for outbound connectivity, not for DNS resolution; it does not change the DNS server setting on the spoke VNet.

201
MCQ · medium

A storage account must be reachable only from resources in a single VNet. The team wants the storage service to use a private IP address inside that VNet and wants to disable public network access. Which feature should be configured?

A. A service endpoint
B. A private endpoint
C. A network security group rule on the subnet
D. A storage account firewall IP allow rule
Answer: B

A private endpoint gives the storage service a private IP address in the selected VNet.

Why this answer

A private endpoint assigns the storage account a private IP address from the VNet's address space, effectively bringing the service into the VNet. Combined with the storage account's 'Deny public network access' setting, it ensures the storage account is reachable only from within that VNet.

Exam trap

The trap here is that candidates often confuse service endpoints with private endpoints, assuming both provide private IP addresses, but service endpoints only provide a direct route over the Microsoft backbone while still using the public endpoint.

How to eliminate wrong answers

Option A is wrong because a service endpoint does not assign a private IP address to the storage account; it only extends the VNet's identity to the service over the public endpoint, and public network access remains enabled unless explicitly blocked by a firewall rule. Option C is wrong because an NSG rule on the subnet controls traffic to and from resources in that subnet but does not affect the storage account's public endpoint or assign it a private IP address. Option D is wrong because a storage account firewall IP allow rule only restricts access based on source IP addresses, still using the public endpoint and not providing a private IP address within the VNet.

202
MCQ · medium

A subnet has an NSG with these inbound rules: priority 100 denies TCP 443 from Any, and priority 200 allows TCP 443 from an Application Security Group named WebFrontEnd. A backend VM in the subnet still does not accept traffic from the frontend tier. What should the administrator change?

A. Change the allow rule source from an Application Security Group to VirtualNetwork.
B. Move the allow rule to a lower priority number than the deny rule.
C. Attach a user-defined route to the subnet so traffic bypasses the NSG.
D. Place the backend VM in a different availability set so the rule is evaluated differently.
Answer: B

NSG rules are processed by priority, and the lowest number wins. Because the deny rule at priority 100 is evaluated before the allow rule at 200, the traffic is blocked. The administrator should make the allow rule a smaller number than the deny rule or remove the conflicting deny rule.

Why this answer

Network Security Group (NSG) rules are evaluated in priority order, with lower numbers evaluated first. Since the deny rule has priority 100 and the allow rule has priority 200, the deny rule is evaluated first and blocks TCP 443 traffic from any source, including the WebFrontEnd Application Security Group. To allow the frontend traffic, the allow rule must be moved to a lower priority number (e.g., 90) so it is evaluated before the deny rule.

Exam trap

The trap here is that candidates often assume allow rules override deny rules or that more specific rules (like those using Application Security Groups) take precedence regardless of priority, but in Azure NSGs, priority order strictly determines which rule is applied first.

How to eliminate wrong answers

Option A is wrong because changing the source from an Application Security Group to VirtualNetwork would allow traffic from any VM in the virtual network, not just the frontend tier, and would not resolve the priority conflict; the deny rule would still block the traffic. Option C is wrong because user-defined routes (UDRs) control traffic routing, not NSG rule evaluation; they cannot bypass NSG rules, as NSGs are always evaluated on traffic entering or leaving a subnet. Option D is wrong because availability sets are used for high availability of VMs and have no impact on NSG rule evaluation; NSG rules are evaluated per subnet or NIC, not per availability set.

203
MCQ · easy

An administrator is deploying a site-to-site VPN gateway in Azure. Which resource must be attached to the gateway so it can receive encrypted connections from the on-premises VPN device?

A. A public IP address resource.
B. A private endpoint.
C. A service endpoint.
D. A network security group.
Answer: A

The VPN gateway needs a public-facing IP address so the on-premises VPN device can establish the encrypted tunnel.

Why this answer

A site-to-site VPN gateway in Azure requires a public IP address resource to be attached so that the on-premises VPN device can establish an encrypted IPsec/IKE tunnel to it. The public IP address provides the routable endpoint on the internet that the on-premises device connects to, and it is assigned to the gateway's front-end configuration. Without this public IP, the gateway cannot receive inbound encrypted traffic from the external network.

Exam trap

The trap here is that candidates confuse a VPN gateway's public IP requirement with private connectivity options like private endpoints or service endpoints, mistakenly thinking the gateway can operate within the virtual network's private IP space alone.

How to eliminate wrong answers

Option B is wrong because a private endpoint is used to securely connect to Azure PaaS services over a private IP address within a virtual network, not to receive encrypted connections from an on-premises VPN device. Option C is wrong because a service endpoint extends a virtual network's private address space to Azure PaaS services, but it does not provide a public-facing endpoint for VPN traffic. Option D is wrong because a network security group (NSG) filters traffic at the subnet or NIC level but does not provide the public IP address or routing capability required for a VPN gateway to accept site-to-site connections.

204
MCQ · medium

A VM in a subnet cannot connect to another VM on TCP 1433. The administrator wants to confirm whether an NSG rule is blocking the flow and which rule is responsible. Which Network Watcher feature should be used?

A. Connection troubleshoot
B. IP flow verify
C. Packet capture
D. Effective routes
Answer: B

IP flow verify is designed to test whether a specific packet would be allowed or denied by the effective NSG rules on a VM NIC. It helps the administrator identify the rule name and direction that controls the flow. That makes it the best choice when the question is specifically about an NSG decision on a given source, destination, protocol, and port.

Why this answer

B is correct because IP flow verify is the Network Watcher feature specifically designed to test whether traffic is allowed or denied to or from a virtual machine. It checks the security rules (NSG and ASG) and returns which rule is blocking the flow, including the direction and priority. For a TCP 1433 connection failure, this tool directly identifies the blocking NSG rule.

Exam trap

The trap here is that candidates often confuse Connection troubleshoot (which tests end-to-end connectivity but does not identify the blocking rule) with IP flow verify, which is the precise tool for rule-level diagnosis.

How to eliminate wrong answers

Option A is wrong because Connection troubleshoot checks the end-to-end connectivity path and latency, but it does not pinpoint which specific NSG rule is blocking the traffic; it only reports that connectivity fails. Option C is wrong because Packet capture captures raw network packets for deep inspection, but it does not analyze NSG rules or identify which rule is blocking the flow; it requires manual analysis of captured data. Option D is wrong because Effective routes shows the effective routing table for a NIC, which affects path selection, not security rule evaluation; it cannot determine if an NSG rule is blocking TCP 1433.

205
Multi-Select · medium

A web tier and API tier run in different subnets. The API subnet NSG currently has Deny-8443 from Any at priority 200 and Allow-8443-WebToApi from ASG-Web to ASG-Api at priority 300. Web requests on TCP 8443 are failing. Which two changes should the administrator make? Select two.

Select 2 answers
A. Move the allow rule to a higher priority number than 200.
B. Move the allow rule to a lower priority number than 200.
C. Ensure the web NICs are added to ASG-Web and the API NICs are added to ASG-Api.
D. Change the rule protocol from TCP to Any.
E. Attach a route table to the API subnet to override the deny behavior.
Answers: B, C

NSG rules are processed from lowest number to highest number, so the allow must be evaluated first.

Why this answer

B is correct because NSG rules are evaluated in priority order, with lower numbers having higher priority. The Deny-8443 rule at priority 200 is evaluated before the Allow-8443-WebToApi rule at priority 300, so the deny rule blocks the traffic. Moving the allow rule to a lower priority number (e.g., 100) ensures it is evaluated first, allowing the traffic.

C is correct because the allow rule uses application security groups (ASGs); if the web and API NICs are not assigned to the respective ASGs, the rule will not match any traffic, effectively making it a no-op.

Exam trap

The trap here is that candidates often forget that NSG rules are evaluated in priority order (lower number = higher priority) and that application security groups require explicit NIC assignment—they may assume the ASG rule works automatically or that changing the protocol or adding a route table can bypass a deny rule.

206
MCQ · medium

A branch office with a fixed public IP needs encrypted access to private Azure virtual machines and internal services in a VNet. Traffic must travel across the public internet in an encrypted tunnel, and the connection should use a route-based design. What should the administrator deploy in Azure?

A. An Azure Virtual Network peering connection to the branch office network.
B. A VPN gateway with a site-to-site connection.
C. A service endpoint on the target subnet.
D. An Azure private endpoint for the virtual machines.
Answer: B

A site-to-site VPN gateway creates an encrypted tunnel from the branch office to Azure over the public internet. Because the branch has a static public IP and the requirement calls for route-based connectivity, this is the correct Azure networking service. Once deployed, the gateway can provide private access to VMs and internal services in the virtual network without exposing them directly to the internet.

Why this answer

A VPN gateway with a site-to-site connection is the correct choice because it establishes an encrypted IPsec tunnel over the public internet between the branch office's fixed public IP and Azure, using a route-based (IKEv2) configuration. This allows the branch office to securely access private Azure VMs and internal services in the VNet, meeting the requirement for encrypted traffic across the internet.

Exam trap

The trap here is that candidates often confuse Azure Virtual Network peering (which is for VNet-to-VNet connectivity within Azure) with site-to-site VPN (which is for on-premises to Azure connectivity), leading them to select option A incorrectly.

How to eliminate wrong answers

Option A is wrong because Azure Virtual Network peering connects two Azure VNets within the Azure backbone, not to an on-premises branch office over the public internet. Option C is wrong because a service endpoint provides secure access to Azure PaaS services (e.g., Azure Storage) from a VNet but does not create an encrypted tunnel for branch office connectivity to VMs or internal services. Option D is wrong because an Azure private endpoint assigns a private IP to a PaaS service within a VNet, enabling private access from the VNet, but it does not provide a site-to-site encrypted tunnel from an external branch office.

207
MCQ · hard

Which statement best explains the value of enabling both centralized logging and strong access controls on network devices?

A. Access controls reduce unauthorized use, and centralized logging improves visibility and investigation.
B. Both features do the exact same job, so using both is redundant.
C. Centralized logging removes the need for any authentication.
D. Strong access control makes log timestamps irrelevant.
Answer: A

This is correct because the two controls complement each other by combining prevention and monitoring.

Why this answer

Enabling centralized logging (e.g., syslog) on network devices provides a single, tamper-evident repository for all device events, which is critical for post-incident forensic analysis and compliance auditing. Strong access controls (e.g., RBAC, ACLs, 802.1X) directly prevent unauthorized configuration changes and network access, reducing the attack surface. Together, they form a defense-in-depth strategy: access controls block threats, while centralized logging captures evidence of any attempts or breaches for investigation.

Exam trap

The trap here is that candidates may think logging and access controls are interchangeable or redundant, when in fact they serve distinct layers of security—logging provides detective control, while access controls provide preventive control—and both are required for a complete security posture.

Why the other options are wrong

B

Option B is incorrect because centralized logging and strong access controls serve distinct purposes; access controls prevent unauthorized access, while centralized logging provides visibility into activities for auditing and troubleshooting.

C

This option is incorrect because centralized logging does not eliminate the need for authentication; rather, it complements access controls by providing a record of access attempts and activities. Authentication is still essential for securing access to network devices.

D

This option is wrong because strong access control does not make log timestamps irrelevant; rather, accurate timestamps are crucial for auditing and correlating events in security investigations.

208
MCQ · hard

Users on the internet cannot access an HTTPS website hosted on VM-Web01. The VM has a public IP address, the web service is running, and the guest OS firewall allows TCP 443. What is the most likely Azure-side issue?

A. The NSG does not allow inbound TCP 443
B. The VM uses managed disks
C. Azure Backup is not enabled
D. The storage account uses the Cool tier
Answer: A

A missing or denying NSG rule on TCP 443 would block internet access to the website.

Why this answer

The most likely Azure-side issue is that the Network Security Group (NSG) associated with the VM's subnet or NIC does not have an inbound rule allowing TCP 443. Even if the guest OS firewall permits HTTPS and the web service is running, the NSG acts as a distributed firewall that filters traffic at the Azure network boundary. Without an explicit inbound security rule for TCP 443, all HTTPS traffic from the internet is dropped before reaching the VM.

Exam trap

The trap here is that candidates often assume that because the guest OS firewall allows the port and the web service is running, the VM is fully accessible, overlooking the fact that Azure's NSG is an additional, mandatory layer of network filtering that must also permit the traffic.

How to eliminate wrong answers

Option B is wrong because managed disks are a storage management feature that does not affect network connectivity or firewall rules; they provide simplified disk management and improved reliability but have no impact on inbound traffic filtering. Option C is wrong because Azure Backup is a data protection service that backs up VM data and configurations; it does not control network access or firewall rules, so disabling or not enabling it would not block HTTPS traffic. Option D is wrong because the storage account access tier (Cool vs. Hot) only affects blob storage costs and retrieval latency; it has no relevance to VM network security or inbound HTTPS access.

209
Matching · hard

Match each network design requirement or limitation on the left with the best Azure behavior or corrective action on the right.


Concepts
Matches

The address spaces overlap, so one range must be changed before peering can be created.

Create VNet peering; it provides private connectivity without a VPN gateway.

Enable gateway transit on the hub peering and use remote gateways on the spoke peering.

VNet peering is not transitive, so A must be connected to C directly or routed through an appliance.

Create a new non-overlapping address space and migrate workloads before removing the old range.

Why these pairings

High availability across regions uses multiple regions with Traffic Manager; latency-sensitive apps use performance routing; data residency is enforced via Azure Policy; non-production cost optimization uses Dev/Test pricing; disaster recovery with low RPO uses Site Recovery continuous replication; demand scaling uses autoscale.

210
MCQ · hard

An application in a VNet must access an Azure Storage account over a private IP address. Public network access is disabled on the storage account, and the app must resolve the normal blob FQDN to that private address only from within the VNet. What should the administrator configure?

A. A service endpoint on the subnet and a storage account firewall rule for the subnet.
B. A private endpoint for the blob service and a linked private DNS zone for the VNet.
C. Allow trusted Microsoft services on the storage account and keep the public endpoint enabled.
D. Create a public DNS record that maps the blob FQDN to the storage account's public IP address.
Answer: B

A private endpoint gives the storage service a private IP inside the VNet, which satisfies the private connectivity requirement. Linking the corresponding private DNS zone ensures the standard blob FQDN resolves to that private address for workloads in the VNet. That combination is the normal solution when public access is disabled and applications must keep using the service's standard name.

Why this answer

Option B is correct because a private endpoint assigns the storage account a private IP from the VNet, and linking a private DNS zone (e.g., `privatelink.blob.core.windows.net`) to the VNet ensures that the blob FQDN resolves to that private IP only from within the VNet. This meets the requirement of disabling public network access while providing private connectivity and DNS resolution.

Exam trap

The trap here is that candidates confuse service endpoints (which still use the public endpoint) with private endpoints (which provide a true private IP), and they overlook the critical requirement of disabling public network access, which makes service endpoints invalid.

How to eliminate wrong answers

Option A is wrong because a service endpoint does not assign a private IP to the storage account; it only allows traffic from the subnet to the public endpoint via the Azure backbone, and with public network access disabled, the storage account firewall rule for the subnet would still block traffic. Option C is wrong because allowing trusted Microsoft services bypasses the firewall for specific Azure services but does not provide a private IP address or private DNS resolution; the public endpoint remains enabled, violating the requirement to disable public network access. Option D is wrong because creating a public DNS record mapping the blob FQDN to the storage account's public IP address would make the storage account accessible over the public internet, contradicting the requirement to disable public network access and use a private IP.

211
MCQ · easy

Based on the exhibit, what is the best change so the VNet peering can be created successfully?

A. Change VNet-B to a non-overlapping address space, such as 10.1.0.0/24.
B. Add a route table to VNet-B before creating the peering.
C. Enable gateway transit on VNet-A.
D. Resize VNet-A to 10.0.0.0/15 so both VNets fit.
Answer: A

Azure VNet peering requires that the address spaces do not overlap. Changing VNet-B to a different range removes the conflict and allows peering to be created. The exact new range can vary, but it must not overlap with VNet-A’s 10.0.0.0/16 range.

Why this answer

VNet peering requires that the address spaces of the two virtual networks do not overlap. If VNet-A uses 10.0.0.0/16 and VNet-B also uses 10.0.0.0/16, they conflict, preventing peering. Changing VNet-B to a non-overlapping address space like 10.1.0.0/24 resolves this conflict, allowing the peering to be established.

Exam trap

The trap here is that candidates often confuse overlapping address spaces with routing issues, thinking that adding route tables or enabling gateway transit will fix the peering failure, when in fact the fundamental requirement is non-overlapping IP ranges.

How to eliminate wrong answers

Option B is wrong because adding a route table to VNet-B does not resolve overlapping address spaces; route tables control traffic flow within a VNet but do not affect the address space conflict that blocks peering. Option C is wrong because enabling gateway transit on VNet-A is used to allow a peered VNet to use VNet-A's VPN/ExpressRoute gateway, but it does not fix overlapping address spaces and is not a prerequisite for basic VNet peering. Option D is wrong because resizing VNet-A to 10.0.0.0/15 still overlaps with VNet-B's 10.0.0.0/16 address space (since 10.0.0.0/15 includes 10.0.0.0/16), and Azure does not allow overlapping address spaces in a peering relationship.

212
MCQ · medium

A VM in Azure cannot accept RDP connections from your office public IP. The subnet NSG already has an inbound deny-all rule at priority 200, and you added an allow rule for TCP 3389 from 198.51.100.25/32 at priority 300. What should you do to allow the connection?

A. Change the source to Internet so the allow rule matches more traffic.
B. Create or move the allow rule to priority 100 so it is evaluated before the deny rule.
C. Change the protocol from TCP to Any to bypass the deny rule.
D. Assign a public IP directly to the VM to override the subnet NSG behavior.
Answer: B

NSG rules are processed in ascending priority order, so the allow must come before the deny-all rule.

Why this answer

Network Security Group (NSG) rules are evaluated in priority order, with lower numbers having higher precedence. Since the deny-all rule at priority 200 is evaluated before the allow rule at priority 300, the deny rule blocks the RDP traffic. To allow the connection, the allow rule must be created or moved to a priority lower than 200 (e.g., 100) so it is evaluated first, permitting traffic from 198.51.100.25/32 on TCP 3389 before the deny rule is reached.

Exam trap

The trap here is that candidates mistakenly think adding a more specific allow rule at a higher priority number will override a broader deny rule, not realizing that NSG priority order (lower number = higher priority) determines which rule is evaluated first.

How to eliminate wrong answers

Option A is wrong because changing the source to 'Internet' would broaden the rule to allow RDP from any public IP, defeating the purpose of restricting access to your office IP and creating a security risk. Option C is wrong because changing the protocol to 'Any' does not bypass the priority order; the deny rule at priority 200 would still block all traffic, including any protocol, before the allow rule is evaluated. Option D is wrong because assigning a public IP to the VM does not override NSG behavior; NSGs are applied at the subnet or NIC level and are independent of the public IP assignment, so the deny rule would still block traffic.

213
Multi-Select · hard

An application in AppSubnet must access an Azure Storage account over the public endpoint, but only traffic from that subnet should be allowed, and the traffic should stay on the Microsoft backbone. The administrator does not want to create a private IP for the service. Which two actions should be taken? Select two.

Select 2 answers
A. Enable a service endpoint for Microsoft.Storage on AppSubnet.
B. Configure the storage account firewall to allow AppSubnet.
C. Create a private endpoint in AppSubnet.
D. Disable public network access on the storage account.
E. Assign a public IP address to the storage account.
Answers: A, B

A service endpoint extends the subnet identity to the storage service while still using the public endpoint path.

Why this answer

Enabling a service endpoint for Microsoft.Storage on AppSubnet (Option A) allows traffic from that subnet to reach the Azure Storage account over the Microsoft backbone, bypassing the public internet. This satisfies the requirement that traffic stays on the Microsoft backbone without needing a private IP for the service.

Exam trap

The trap here is confusing service endpoints (which use the public endpoint but keep traffic on the backbone) with private endpoints (which assign a private IP and require disabling public access), leading candidates to incorrectly select Option C or D.

214
MCQ · medium

An application subnet has an NSG outbound rule Deny-HTTPS at priority 200 for TCP 443 to Any. A second outbound rule Allow-HTTPS-API at priority 300 permits TCP 443 from ASG-Web to ASG-Api. Web servers can reach other ports but not the API. What change should the administrator make?

A. Delete the deny rule so the allow rule can be evaluated.
B. Change the allow rule to a higher priority than 200, such as 100.
C. Change the destination from ASG-Api to the entire subnet address range.
D. Change the protocol from TCP to Any so the rule matches more traffic.
Answer: B

NSGs process the lowest priority number first. Moving the allow rule above the deny rule permits the traffic.

Why this answer

Option B is correct because NSG rules are evaluated in priority order, with lower numbers having higher precedence. The Deny-HTTPS rule at priority 200 blocks all outbound TCP 443 traffic, including traffic from ASG-Web to ASG-Api. To allow the specific traffic, the Allow-HTTPS-API rule must have a lower priority number (e.g., 100) so it is evaluated before the deny rule, permitting the desired traffic while the deny rule still blocks other outbound HTTPS traffic.

Exam trap

The trap here is that candidates often assume more specific rules (like those using application security groups) are evaluated before general deny rules, but in Azure NSGs, priority numbers alone determine evaluation order, not specificity.

How to eliminate wrong answers

Option A is wrong because deleting the deny rule would allow all outbound HTTPS traffic, which is overly permissive and not the intended change; the allow rule is never evaluated because the deny rule with a lower priority number (200) is processed first. Option C is wrong because changing the destination to the entire subnet address range would not resolve the priority issue; the allow rule would still be evaluated after the deny rule and thus never matched. Option D is wrong because changing the protocol to Any would make the rule match more traffic, but it does not change the priority order; the deny rule at priority 200 would still block the traffic before the allow rule at priority 300 is evaluated.

215
MCQ · medium

A storage account must be reachable only from one subnet. The team does not want to deploy a private endpoint or manage private DNS zones, and they accept that the storage account will continue to use its public endpoint. Which feature should be configured on the subnet?

A. A private endpoint for the storage account
B. A service endpoint for Microsoft.Storage
C. A route table with a default route to the storage account
D. An application security group containing the subnet
Answer: B

A service endpoint allows the selected subnet to access the storage service over the Azure backbone while the service keeps its public endpoint. It fits the requirement to avoid private DNS and private IP deployment.

Why this answer

Option B is correct because a service endpoint for Microsoft.Storage allows a subnet to restrict access to a storage account's public endpoint without deploying a private endpoint or managing private DNS zones. When enabled, Azure adds the subnet's identity to traffic from that subnet, and the storage account's firewall can be configured to allow only that specific subnet, keeping the public endpoint active.

Exam trap

The trap here is that candidates may confuse service endpoints with private endpoints, assuming that restricting access to a subnet requires a private IP, when service endpoints achieve the same goal using the public endpoint with subnet-level firewall rules.

How to eliminate wrong answers

Option A is wrong because a private endpoint requires deploying a private IP in the virtual network and managing private DNS zones, which the team explicitly wants to avoid. Option C is wrong because a route table with a default route (0.0.0.0/0) to the storage account would force all internet-bound traffic through a network virtual appliance or similar, but it does not restrict access to the storage account from only one subnet; it affects routing, not access control. Option D is wrong because an application security group (ASG) is used to group virtual machines for network security group (NSG) rules, not to restrict access to a PaaS service like a storage account from a subnet.

216
MCQhard

A subnet has a user-defined route for 10.0.0.0/8 with next hop Virtual appliance 10.1.1.4. The VNet is peered with VNet-Shared, whose address space is 10.12.0.0/16. A VM in the subnet sends traffic to 10.12.4.25. Which next hop will Azure use?

A.Virtual appliance 10.1.1.4, because the user-defined route controls all 10.x.x.x traffic.
B.Internet, because traffic not explicitly matched by the UDR leaves through the default route.
C.None, because Azure cannot route to peered VNets when a UDR exists on the subnet.
D.VNet peering, because the peered VNet prefix is more specific than the broader UDR.
AnswerD

Azure uses longest-prefix match first. The peered VNet contributes a /16 system route that covers 10.12.4.25, while the UDR only matches 10.0.0.0/8. The /16 system route is more specific, so the packet follows VNet peering rather than the virtual appliance. This is a common design trap when administrators expect every UDR to override all other routes.

Why this answer

Azure uses the most specific matching route to determine the next hop. The user-defined route (UDR) for 10.0.0.0/8 has a shorter, less specific prefix (/8) than the VNet peering route for 10.12.0.0/16 (/16). Since 10.12.4.25 falls within the peered VNet's address space, the more specific /16 route from VNet peering takes precedence over the UDR, directing traffic through the peering connection.

Exam trap

The trap here is that candidates assume a user-defined route for a broad range (like 10.0.0.0/8) overrides all traffic to that range, forgetting that Azure's longest prefix match rule gives precedence to more specific routes, such as those from VNet peering.

How to eliminate wrong answers

Option A is wrong because Azure uses longest prefix match (most specific route), not the broadest; the UDR's /8 is less specific than the peering route's /16 for the destination 10.12.4.25. Option B is wrong because the default route (0.0.0.0/0) only applies when no other route matches; here, the peering route matches and is more specific than the UDR. Option C is wrong because Azure can route to peered VNets even when a UDR exists; the UDR does not block peering—it simply competes based on prefix specificity.

217
MCQmedium

A VM has both a default route from a VPN gateway and a user-defined route to an on-premises firewall. Traffic is still not reaching the expected next hop. The administrator wants to see the exact routes currently applied to the VM NIC. Which tool should be used?

A.Effective routes
B.IP flow verify
C.Packet capture
D.Connection troubleshoot
AnswerA

Effective routes show the actual routing table that Azure applies to a VM NIC, including system routes, UDRs, and routes learned from gateways. This is the best way to verify which next hop will be used after route selection logic is applied. It is especially helpful when a VPN gateway, UDR, or default Azure route creates an unexpected path and the administrator needs the exact active result rather than the intended configuration.

Why this answer

Effective routes is the correct tool because it displays the actual, consolidated routing table applied to a specific network interface, including user-defined routes (UDRs), BGP routes from the VPN gateway, and system default routes. When traffic fails to reach the expected next hop despite having both a VPN default route and a UDR, the administrator must verify which route is actually active and has the highest priority (based on prefix length and route preference). Effective routes shows the exact next-hop IP and route source for each prefix, allowing the administrator to confirm whether the UDR to the on-premises firewall is being honored or overridden.

Exam trap

The trap here is that candidates often confuse 'IP flow verify' (which tests connectivity) with 'Effective routes' (which shows the routing table), leading them to choose IP flow verify when the real need is to inspect the actual route selection logic applied to the NIC.

How to eliminate wrong answers

Option B (IP flow verify) is wrong because it tests connectivity by simulating a packet flow between source and destination IPs/ports, but it does not display the full routing table or the exact routes applied to the NIC. Option C (Packet capture) is wrong because it captures raw network traffic at the NIC level for deep packet inspection, but it does not show the routing table or the next-hop decisions made by the Azure platform. Option D (Connection troubleshoot) is wrong because it performs end-to-end connectivity checks and latency diagnostics, but it does not enumerate the effective routes or the specific next-hop configuration on the NIC.

218
MCQmedium

A subnet has an NSG with an inbound allow rule for TCP 3389 at priority 200 and an inbound deny rule for Internet traffic at priority 100. An administrator still cannot RDP to a virtual machine in the subnet from home. What is the most likely reason?

A.The allow rule is ignored because inbound rules cannot permit RDP.
B.The deny rule wins because lower priority numbers are processed first.
C.NSG rules apply only to outbound traffic, so inbound traffic is unaffected.
D.The subnet NSG is ignored whenever the VM has a public IP address.
AnswerB

Azure NSG rules are evaluated in priority order, and the lowest number is processed first. Because the deny rule has priority 100, it is evaluated before the allow rule at 200 and blocks the traffic.

Why this answer

In Azure Network Security Groups (NSGs), rules are processed in priority order, with lower numbers evaluated first. The deny rule for Internet traffic at priority 100 is processed before the allow rule for TCP 3389 at priority 200, so the deny rule blocks the inbound RDP connection from the internet. This is why the administrator cannot RDP from home.

Exam trap

The trap here is that candidates often assume a higher-priority allow rule can override a lower-priority deny rule, but in Azure NSGs, lower priority numbers are processed first, so a deny at priority 100 blocks traffic before an allow at priority 200 is even considered.

How to eliminate wrong answers

Option A is wrong because inbound NSG rules can permit RDP (TCP 3389) — there is no Azure restriction that prevents allowing RDP inbound. Option C is wrong because NSG rules apply to both inbound and outbound traffic; inbound rules specifically control traffic entering the subnet or NIC. Option D is wrong because a subnet NSG is still applied to traffic destined for a VM with a public IP address; the public IP does not bypass the NSG.
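The first-match-by-priority behaviour behind this question (and behind the priority 200 versus 300 case in the previous question) is easy to reproduce. The following simulator is an added example, not code from the page or from Azure; the Internet and VirtualNetwork service tags are approximated with RFC 1918 checks, the AzureLoadBalancer tag with its documented probe address 168.63.129.16, and all sample addresses are constructed.

```python
# Added example: a small model of how an Azure NSG evaluates inbound rules.
# Rules are sorted by priority (lowest number first) and the first match
# decides; Azure's three default inbound rules sit at 65000+ as a backstop.
# Tag matching below is an approximation made for this example (assumption).
import ipaddress
from dataclasses import dataclass

PRIVATE = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PROBE_IP = ipaddress.ip_address("168.63.129.16")  # AzureLoadBalancer tag

def _addr_match(ip: str, spec: str) -> bool:
    """Match an IP against '*', a CIDR, or one of the tags modelled here."""
    addr = ipaddress.ip_address(ip)
    if spec in ("*", "Any"):
        return True
    if spec == "VirtualNetwork":          # assumption: RFC 1918 == VNet
        return any(addr in n for n in PRIVATE)
    if spec == "Internet":                # assumption: non-RFC 1918 == Internet
        return not any(addr in n for n in PRIVATE)
    if spec == "AzureLoadBalancer":
        return addr == PROBE_IP
    return addr in ipaddress.ip_network(spec, strict=False)

def _port_match(port: int, spec: str) -> bool:
    """Match a destination port against '*', '3389' or a range like '80-443'."""
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # custom rules 100-4096; defaults use 65000 and above
    source: str        # '*', CIDR or service tag
    dest: str
    protocol: str      # 'Tcp', 'Udp' or '*'
    dest_port: str     # '*', single port or 'lo-hi'
    access: str        # 'Allow' or 'Deny'

DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "VirtualNetwork", "VirtualNetwork", "*", "*", "Allow"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "AzureLoadBalancer", "*", "*", "*", "Allow"),
    Rule("DenyAllInBound", 65500, "*", "*", "*", "*", "Deny"),
]

def evaluate(rules, src_ip, dst_ip, protocol, dst_port):
    """Return (rule name, access) of the first matching rule in priority order."""
    for r in sorted(rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if (r.protocol in ("*", protocol)
                and _addr_match(src_ip, r.source)
                and _addr_match(dst_ip, r.dest)
                and _port_match(dst_port, r.dest_port)):
            return r.name, r.access
    raise RuntimeError("DenyAllInBound always matches; unreachable")

# The question's configuration: deny Internet at 100, allow RDP at 200.
BROKEN = [Rule("DenyInternet", 100, "Internet", "*", "*", "*", "Deny"),
          Rule("AllowRDP", 200, "*", "*", "Tcp", "3389", "Allow")]
# The fix: the allow needs a lower number, and is scoped to the admin's IP.
FIXED = [Rule("DenyInternet", 100, "Internet", "*", "*", "*", "Deny"),
         Rule("AllowRDP", 90, "203.0.113.7/32", "*", "Tcp", "3389", "Allow")]

if __name__ == "__main__":
    home, vm = "203.0.113.7", "10.0.1.4"          # constructed sample addresses
    print(evaluate(BROKEN, home, vm, "Tcp", 3389))  # ('DenyInternet', 'Deny')
    print(evaluate(FIXED, home, vm, "Tcp", 3389))   # ('AllowRDP', 'Allow')
```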

219
Matchinghard

Match each NSG or ASG scenario to the most accurate Azure security behavior.


Matches

The priority 200 deny is evaluated first and blocks the flow.

The destination NIC must be added to ASG-Api for the rule to match.

The service tag does not represent the workstation's IP; a rule for the real source or a VPN path is needed.

NSGs are stateful, so the return traffic is allowed automatically.

The lower-number deny rule wins because NSGs stop at the first matching rule.

Why these pairings

NSGs filter traffic at subnet or NIC level, while ASGs group VMs for scalable rule application. Service tags simplify rules for Azure services.

220
MCQmedium

A network engineer wants device logs from routers and switches sent to a central server for long-term retention and analysis. Which service should be configured?

A.NTP
B.DNS
C.Syslog
D.NetFlow
AnswerC

Syslog provides centralized event logging.

Why this answer

Syslog is the standard protocol for sending device logs (e.g., from routers and switches) to a central server for long-term retention and analysis. It operates over UDP port 514 (or TCP 6514 for reliable delivery) and allows network devices to forward event messages to a syslog collector, which can store, filter, and analyze them. This directly meets the requirement for centralized logging and analysis.

Exam trap

The trap here is confusing NetFlow with syslog — both involve network data, but NetFlow is for traffic flow statistics (e.g., who talked to whom, how much bandwidth), not for device event logs, so candidates often pick NetFlow thinking it covers 'analysis' without realizing it doesn't handle log messages.

Why the other options are wrong

A

NTP (Network Time Protocol) is used for synchronizing the clocks of network devices, not for collecting or sending logs. Therefore, it does not fulfill the requirement of sending device logs for analysis.

B

DNS (Domain Name System) is used for resolving domain names to IP addresses and does not facilitate the collection or centralization of device logs from routers and switches.

D

NetFlow is primarily used for monitoring and analyzing network traffic flows rather than collecting device logs. It does not provide the capability to send logs from routers and switches to a central server for retention and analysis.

221
MCQmedium

A team manages 20 web VMs and 15 app VMs that scale independently. The administrator needs an NSG rule that allows only the web tier to reach the app tier on TCP 8443, and future VM additions must be included automatically without editing IP addresses. What should the administrator use in the NSG rule?

A.A source application security group for the web tier and a destination application security group for the app tier.
B.A service endpoint on the subnet where the app VMs are deployed.
C.A user-defined route between the web subnet and app subnet.
D.A load balancer backend pool for both tiers.
AnswerA

Application security groups let you group VMs by function rather than by individual IP addresses. An NSG rule can reference a source ASG and a destination ASG, so newly added web or app VMs are automatically governed as long as they are added to the correct ASG. This is ideal for scalable tier-to-tier access control.

Why this answer

Application security groups (ASGs) allow you to define network security rules based on logical groupings of VMs, regardless of their IP addresses. By assigning the web tier VMs to a source ASG and the app tier VMs to a destination ASG, the NSG rule automatically includes any new VMs added to those groups, meeting the requirement for dynamic inclusion without manual IP edits.

Exam trap

The trap here is that candidates often confuse ASGs with network security groups (NSGs) themselves or think that service endpoints or UDRs can provide application-layer filtering, when in fact only ASGs enable IP-agnostic, dynamic grouping for NSG rules.

How to eliminate wrong answers

Option B is wrong because a service endpoint extends your virtual network to Azure services (e.g., Azure SQL, Storage) over a direct connection, not for VM-to-VM traffic filtering. Option C is wrong because a user-defined route (UDR) controls traffic routing between subnets, not access control; it cannot filter traffic based on protocol or port like an NSG rule. Option D is wrong because a load balancer backend pool distributes incoming traffic to VMs for load balancing and high availability, but it does not enforce network security rules or automatically include new VMs in access control policies.

222
MCQmedium

A VM in a subnet must send traffic to 10.50.0.0/16 through an on-premises VPN gateway, while all other destinations should use the Internet. Which route should be added to the subnet's route table?

A.Destination 10.50.0.0/16 with next hop type Virtual network gateway.
B.Destination 0.0.0.0/0 with next hop type Virtual network gateway.
C.Destination 10.50.0.0/16 with next hop type Service endpoint.
D.Destination 10.50.0.0/16 with next hop type Internet.
AnswerA

This specific route overrides the default system route only for the on-premises prefix.

Why this answer

Option A is correct because the VM needs to send traffic destined for 10.50.0.0/16 through the on-premises VPN gateway. Adding a user-defined route (UDR) with destination 10.50.0.0/16 and next hop type 'Virtual network gateway' forces that specific traffic to be routed over the VPN tunnel, while the default route (0.0.0.0/0) to the Internet remains unchanged, allowing all other traffic to egress via the Internet.

Exam trap

The trap here is that candidates often confuse the default route (0.0.0.0/0) with a specific destination route, mistakenly thinking that forcing all traffic through the VPN gateway is required, when only the specific on-premises network range needs to be routed that way.

How to eliminate wrong answers

Option B is wrong because setting destination 0.0.0.0/0 with next hop type Virtual network gateway would force all internet-bound traffic through the VPN gateway, which contradicts the requirement that all other destinations should use the Internet. Option C is wrong because Service endpoint next hop type is used for routing traffic to Azure service endpoints (e.g., Azure Storage, SQL) over the Microsoft backbone, not for directing traffic to an on-premises network via VPN. Option D is wrong because next hop type Internet would route 10.50.0.0/16 traffic to the public internet, which would not reach the on-premises network and would bypass the VPN gateway entirely.

223
MCQmedium

An operations team wants all internet-bound traffic from a workload subnet to pass through a network virtual appliance at 10.1.0.4 for inspection. Which next hop type should be used in a user-defined route for destination 0.0.0.0/0?

A.Internet
B.Virtual appliance
C.Virtual network gateway
D.None
AnswerB

Virtual appliance is the correct next hop when you want traffic sent to an NVA or firewall IP. Combined with a 0.0.0.0/0 route, it enables forced tunneling through the inspection device.

Why this answer

To force all internet-bound traffic from a subnet through a network virtual appliance (NVA) at 10.1.0.4, you must create a user-defined route (UDR) with destination 0.0.0.0/0 and next hop type 'Virtual appliance'. This directs traffic to the NVA's private IP for inspection, overriding Azure's default system route that would otherwise send 0.0.0.0/0 traffic directly to the Internet via the Azure backbone.

Exam trap

The trap here is that candidates often confuse 'Virtual appliance' with 'Virtual network gateway', mistakenly thinking a VPN gateway is required to route internet traffic, when in fact the NVA is a simple VM or firewall appliance with IP forwarding enabled.

How to eliminate wrong answers

Option A is wrong because 'Internet' as a next hop type would send traffic directly to the public internet without inspection, bypassing the NVA entirely. Option C is wrong because 'Virtual network gateway' is used for site-to-site VPN or ExpressRoute traffic, not for routing internet-bound traffic through an NVA. Option D is wrong because 'None' would drop all traffic matching the route, effectively blackholing internet-bound packets instead of forwarding them to the NVA.
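Questions 216, 222 and 223 all turn on the same route-selection rule: longest prefix wins, and on a tie a user-defined route beats a BGP route, which beats a system route. The model below is an added example, not code from the page or from Azure; the VNet address space, peering prefixes and sample destinations are constructed.

```python
# Added example: a small model of Azure effective-route selection.
# Longest matching prefix wins; on equal prefix length the source rank
# decides (User-defined > BGP > Default/system). Prefixes and next hops
# below are constructed to mirror questions 216, 222 and 223.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

SOURCE_RANK = {"User": 0, "BGP": 1, "Default": 2}   # lower wins on a tie

@dataclass(frozen=True)
class Route:
    prefix: str             # CIDR
    next_hop_type: str      # VirtualNetwork, VNetPeering, Internet, VirtualAppliance, ...
    next_hop_ip: Optional[str]
    source: str             # "Default" (system), "User" (UDR) or "BGP"

def system_routes(vnet_space: str, peered_spaces: List[str]) -> List[Route]:
    """Default routes Azure adds for the VNet, each peering, and Internet egress."""
    routes = [Route(vnet_space, "VirtualNetwork", None, "Default"),
              Route("0.0.0.0/0", "Internet", None, "Default")]
    routes += [Route(p, "VNetPeering", None, "Default") for p in peered_spaces]
    return routes

def select_route(routes: List[Route], dst: str) -> Route:
    """Effective route for dst: longest prefix first, then source rank."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in ipaddress.ip_network(r.prefix)]
    return max(candidates,
               key=lambda r: (ipaddress.ip_network(r.prefix).prefixlen,
                              -SOURCE_RANK[r.source]))

# Question 216: a /8 UDR to an NVA versus a peered /16 (VNet space assumed 10.1.0.0/16).
Q216 = system_routes("10.1.0.0/16", ["10.12.0.0/16"]) + [
    Route("10.0.0.0/8", "VirtualAppliance", "10.1.1.4", "User")]

# Question 222: only the on-premises /16 goes to the VPN gateway; the
# system 0.0.0.0/0 Internet route is left untouched for everything else.
Q222 = system_routes("10.1.0.0/16", []) + [
    Route("10.50.0.0/16", "VirtualNetworkGateway", None, "User")]

# Question 223: a 0.0.0.0/0 UDR ties with the system default on prefix
# length, so the UDR wins and Internet-bound traffic is forced to the NVA.
Q223 = system_routes("10.1.0.0/16", []) + [
    Route("0.0.0.0/0", "VirtualAppliance", "10.1.0.4", "User")]

if __name__ == "__main__":
    print(select_route(Q216, "10.12.4.25").next_hop_type)  # VNetPeering
    print(select_route(Q216, "10.200.1.1").next_hop_type)  # VirtualAppliance
    print(select_route(Q222, "10.50.3.9").next_hop_type)   # VirtualNetworkGateway
    print(select_route(Q222, "40.64.1.1").next_hop_type)   # Internet
    print(select_route(Q223, "40.64.1.1").next_hop_ip)     # 10.1.0.4
```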

224
MCQmedium

An administrator creates a new spoke virtual network with address space 10.100.1.0/24 and tries to peer it to an existing hub virtual network that already uses 10.100.0.0/16. The peering fails. The business wants private connectivity between the hub and spoke. What action should the administrator take first?

A.Add a route table to the spoke and point the default route to the hub.
B.Change the spoke VNet to a non-overlapping address range before attempting peering again.
C.Enable gateway transit on the hub and use the remote gateway from the spoke.
D.Deploy a private DNS zone and link it to both VNets.
AnswerB

Azure virtual network peering requires non-overlapping address spaces. The spoke currently sits inside the hub's 10.100.0.0/16 range, so the overlap must be removed first. After the address space is changed to a unique range, peering can succeed and private connectivity can be established.

Why this answer

VNet peering requires that the address spaces of the peered virtual networks do not overlap. The hub already uses 10.100.0.0/16, which includes the spoke's 10.100.1.0/24 range, causing a conflict. Changing the spoke to a non-overlapping address range, such as 10.200.1.0/24, resolves this and allows the peering to succeed.

Exam trap

The trap here is that candidates often assume routing or DNS configuration can fix peering failures, overlooking the fundamental requirement that VNet address spaces must not overlap.

How to eliminate wrong answers

Option A is wrong because adding a route table to the spoke does not resolve the fundamental address overlap issue; peering itself will still fail due to conflicting IP ranges. Option C is wrong because gateway transit is used for connecting on-premises networks or enabling spoke-to-spoke routing through the hub, but it does not fix overlapping address spaces required for peering. Option D is wrong because private DNS zones are for name resolution, not for resolving IP address conflicts that prevent VNet peering from being established.

225
MCQeasy

Based on the exhibit, what should the administrator create so VMs in AppSubnet can access the storage account over a private IP address?

A.A service endpoint for Microsoft.Storage on AppSubnet.
B.A private endpoint for the storage account in AppSubnet.
C.A site-to-site VPN gateway between AppVNet and the storage account.
D.An application security group for the storage account and subnet.
AnswerB

A private endpoint assigns the storage account a private IP address in the VNet, which is exactly what the exhibit requires. With public access disabled, the private endpoint is the correct way for the VMs to reach the storage service privately from AppSubnet.

Why this answer

A private endpoint assigns a private IP address from AppSubnet to the storage account, enabling VMs in that subnet to access the storage account over a private IP within the VNet. This eliminates exposure to the public internet and uses Azure Private Link for secure, direct connectivity.

Exam trap

The trap here is confusing service endpoints (which still use the public endpoint but with source subnet restriction) with private endpoints (which provide a true private IP address), leading candidates to incorrectly choose A when the question explicitly requires access over a private IP address.

How to eliminate wrong answers

Option A is wrong because a service endpoint for Microsoft.Storage on AppSubnet allows access to the storage account over the Azure backbone but still uses the storage account's public endpoint, not a private IP address from the subnet. Option C is wrong because a site-to-site VPN gateway connects on-premises networks to Azure VNets, not between a VNet and a PaaS service like a storage account. Option D is wrong because an application security group is a logical grouping of VMs for network security rules, not a mechanism to provide private IP connectivity to a storage account.
