AZ-305 · topic practice

VPC Endpoint practice questions

Practise Microsoft Azure Solutions Architect Expert AZ-305 VPC Endpoint practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: VPC Endpoint

What the exam tests

What to know about VPC Endpoint

IPv6 questions usually test address types (link-local, global unicast, ULA), autoconfiguration (SLAAC), Neighbor Discovery Protocol and the differences from IPv4.

IPv6 address types and their scopes (link-local, global unicast, multicast, ULA).

SLAAC vs DHCPv6 vs stateful assignment.

Neighbor Discovery Protocol replacing ARP.

IPv6 routing differences and dual-stack coexistence.

Watch out for

Common VPC Endpoint exam traps

  • Link-local addresses are not routable beyond the local link.
  • SLAAC uses EUI-64 or random interface IDs — not a DHCP server.
  • NDP uses ICMPv6, not ARP.
  • An IPv6 prefix is /64 for most host subnets, not /24.

Practice set

VPC Endpoint questions

20 questions · select your answer, then reveal the explanation

Question 1 · hard · multiple choice

A company has multiple Azure virtual networks (VNets) in different regions and an on-premises data center connected via ExpressRoute. They need to implement a hub-and-spoke topology where a hub VNet hosts shared network virtual appliances (NVAs) for traffic inspection. All traffic between spokes and between spokes and on-premises must be routed through the hub. The company wants to minimize the administrative overhead of configuring and maintaining routing. Which Azure solution should they implement?

Question 2

A company is designing hub-and-spoke networking. Spoke VNets must use a central Azure Firewall for outbound internet traffic. Which two configurations are required?

Question 3 · medium · multiple choice

A company uses Microsoft Entra ID. They want to integrate their security operations with a third-party SIEM tool. They need to export all Microsoft Entra ID sign-in logs and audit logs to the SIEM for analysis. The solution should be automated and near real-time. Which Azure service should they configure?

Question 4 · medium · multiple choice

A company deploys a containerized microservices application on Azure Kubernetes Service (AKS). They need to expose the application to the internet with TLS termination and provide a single endpoint for multiple services. The solution must also include a Web Application Firewall (WAF). Which Azure service should they use as the ingress controller?

Question 5 · easy · multiple choice

A company is deploying a multi-tier web application on Azure VMs. The web tier must be accessible from the internet, while the application and database tiers must be isolated within the virtual network. The solution must provide SSL termination, web application firewall (WAF) capabilities, and URL-based routing. Which Azure service should they use to expose the web tier?

Question 6 · medium · multiple choice

Your company uses Microsoft Entra ID to manage identities for 5,000 employees. You plan to implement Microsoft Entra ID Governance to automate the user provisioning lifecycle for a third-party SaaS application. The application supports SCIM 2.0. You need to ensure that user accounts are automatically created, updated, and disabled in the application based on changes in Entra ID. What should you do?

Question 7

Which THREE of the following are requirements for using Azure SQL Database auto-failover groups? (Select three.)

Question 8

Which THREE considerations are important when designing a storage solution for Azure Virtual Desktop (AVD) user profiles using FSLogix? (Choose three.)

Question 9 · hard · multiple choice

You are reviewing a Bicep template that deploys two App Service Environments (ASE) and an Azure Traffic Manager profile. The exhibit shows the template snippet. What is the expected behavior when the primary ASE becomes unhealthy?

Exhibit

Refer to the exhibit.

```bicep
// Bicep template snippet
param primaryLocation string = 'eastus'
param secondaryLocation string = 'westus'

resource asePrimary 'Microsoft.Web/hostingEnvironments@2022-03-01' = {
  name: 'myAsePrimary'
  location: primaryLocation
  properties: {
    virtualNetwork: {
      id: primaryVnet.id
    }
  }
}

resource aseSecondary 'Microsoft.Web/hostingEnvironments@2022-03-01' = {
  name: 'myAseSecondary'
  location: secondaryLocation
  properties: {
    virtualNetwork: {
      id: secondaryVnet.id
    }
  }
}

resource tm 'Microsoft.Network/trafficManagerProfiles@2022-07-01' = {
  name: 'myTM'
  location: 'global'
  properties: {
    profileStatus: 'Enabled'
    trafficRoutingMethod: 'Priority'
    dnsConfig: {
      relativeName: 'myapp'
      ttl: 60
    }
    monitorConfig: {
      protocol: 'HTTPS'
      port: 443
      path: '/'
    }
    endpoints: [
      {
        name: 'primary-endpoint'
        type: 'Microsoft.Network/trafficManagerProfiles/azureEndpoints'
        properties: {
          targetResourceId: asePrimary.id
          endpointStatus: 'Enabled'
          priority: 1
        }
      }
      {
        name: 'secondary-endpoint'
        type: 'Microsoft.Network/trafficManagerProfiles/azureEndpoints'
        properties: {
          targetResourceId: aseSecondary.id
          endpointStatus: 'Enabled'
          priority: 2
        }
      }
    ]
  }
}
```

Question 10 · hard · multiple choice

A multinational corporation needs to design a global DNS solution for Azure resources. They require automatic failover across Azure regions and low-latency responses based on the client's geographic location. The solution must also support custom domains without exposing the underlying Azure public IP addresses. Which combination of Azure services should they use?

Question 11 · hard · multiple choice

You are designing a networking solution for a multi-tier application in Azure. The front-end web tier must be accessible from the internet, while the back-end database tier must only be accessible from the web tier. You need to minimize management overhead and ensure that the back-end tier is not directly reachable from the internet. What should you use?

Question 12 · easy · multiple choice

You need to design a virtual network architecture for a three-tier application in Azure. The web tier must be accessible from the internet, the application tier must only be accessible from the web tier, and the database tier must only be accessible from the application tier. Which combination of Azure services should you use?

Question 13

Which THREE of the following are valid methods to secure access to Azure Storage accounts? (Choose three.)

Question 14 · hard · multiple choice

You are reviewing a network security group (NSG) rule for a subnet that hosts web servers. The subnet's address space is 10.0.1.0/24. What is the effect of this rule?

Exhibit

Refer to the exhibit.

```json
{
  "Name": "Allow specific traffic",
  "Priority": 100,
  "Direction": "Inbound",
  "Access": "Allow",
  "SourceAddressPrefixes": ["10.0.1.0/24"],
  "DestinationAddressPrefixes": ["*"],
  "DestinationPortRanges": ["80", "443"],
  "Protocol": "TCP"
}
```

Question 15 · hard · multiple choice

You are designing a network architecture for a three-tier application hosted in Azure. The front-end tier must be accessible from the internet, the business tier must only communicate with the front-end tier, and the data tier must only communicate with the business tier. You need to minimize exposure and use Azure-native services. Which combination of services should you use?

Question 16 · hard · multiple choice

You executed the above Azure CLI commands. The remote VNet (yourVNet) has address space 10.1.0.0/16. What is the result?

Network Topology

Refer to the exhibit.

az network vnet create name myVNet resource-group myRG address-prefix name mySubnet2 vnet-name myVNet name myPeering subnet-name mySubnet remote-vnet /subscriptions/.../resourceGroups/yourRG/providers/Microsoft.Network/virtualNetworks/yourVNet subnet-prefix allow-vnet-access

Question 17 · easy · multiple choice

A company is migrating on-premises applications to Azure. They require that all traffic between Azure resources and on-premises resources traverse a private connection. They also want to reduce the attack surface by eliminating exposure of management endpoints over the internet. Which solution should they implement?

Question 18 · easy · multiple choice

You need to design a networking solution for a multi-tier application that includes a web front-end, an API layer, and a database. The web and API tiers must be accessible from the internet, while the database tier must be isolated. What is the most secure and efficient design?

Question 19 · medium · multiple choice

Refer to the exhibit. You are reviewing an ARM template that deploys a virtual network with two subnets. Subnet-b includes a delegation to Microsoft.Web/serverFarms. What is the purpose of this delegation?

Exhibit

```json
{
  "properties": {
    "template": {
      "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
      "contentVersion": "1.0.0.0",
      "resources": [
        {
          "type": "Microsoft.Network/virtualNetworks",
          "apiVersion": "2021-02-01",
          "name": "vnet-01",
          "location": "[resourceGroup().location]",
          "properties": {
            "addressSpace": {
              "addressPrefixes": [
                "10.0.0.0/16"
              ]
            },
            "subnets": [
              {
                "name": "subnet-a",
                "properties": {
                  "addressPrefix": "10.0.0.0/24"
                }
              },
              {
                "name": "subnet-b",
                "properties": {
                  "addressPrefix": "10.0.1.0/24",
                  "delegations": [
                    {
                      "name": "delegation",
                      "properties": {
                        "serviceName": "Microsoft.Web/serverFarms"
                      }
                    }
                  ]
                }
              }
            ]
          }
        }
      ]
    },
    "parameters": {}
  }
}
```

Question 20 · hard · multiple choice

You are designing a network architecture for a multi-tier application. The front-end tier is an Azure Application Gateway that routes traffic to a web app on Azure App Service. The back-end tier is an Azure SQL Database. You need to ensure that all traffic between the Application Gateway and the web app remains within the Azure backbone network, and that the web app can only be accessed through the Application Gateway. What should you configure?

Frequently asked questions

What does the AZ-305 exam test about VPC Endpoint?
IPv6 questions usually test address types (link-local, global unicast, ULA), autoconfiguration (SLAAC), Neighbor Discovery Protocol and the differences from IPv4.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just VPC Endpoint questions in a focused session?
Yes — the session launcher on this page draws every question from the VPC Endpoint domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other AZ-305 topics?
Use the topic links above to move to related areas, or go back to the AZ-305 question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the AZ-305 exam covers. They are not copied from any real exam or dump site.