Question 1mediummultiple choice
Full question →AZ-305 · topic practice
VPC Endpoint practice questions
Use this page to practise AZ-305 VPC Endpoint practice questions. The goal is not to memorise dumps, but to understand the concept, review the explanation and improve your exam readiness.
What the exam tests
What to know about VPC Endpoint
IPv6 questions usually test address types (link-local, global unicast, ULA), autoconfiguration (SLAAC), Neighbor Discovery Protocol and the differences from IPv4.
IPv6 address types and their scopes (link-local, global unicast, multicast, ULA).
SLAAC vs DHCPv6 vs stateful assignment.
Neighbor Discovery Protocol replacing ARP.
IPv6 routing differences and dual-stack coexistence.
Practice set
VPC Endpoint questions
20 questions · select your answer, then reveal the explanation
Question 2mediummulti select
Full question →A hub-and-spoke Azure network must centralize outbound inspection and still allow spokes to resolve private endpoint DNS names. Which two components are commonly required? (Choose 2.)
Question 3easymultiple choice
Full question →A company has deployed Azure virtual machines without public IP addresses. They need to provide secure RDP and SSH access to these VMs for administrators from the corporate network (on-premises). The solution must integrate with Microsoft Entra ID for authentication and support multi-factor authentication (MFA). It must not require any public endpoint exposure on the VMs. Which Azure service should they use?
Question 4hardmultiple choice
Full question →A business-critical App Service application must survive a full regional outage. The recovery design should fail over automatically based on endpoint health and avoid DNS-cache delay where possible. Which service should front the regional deployments?
Question 5mediummultiple choice
Full question →A company deploys a containerized microservices application on Azure Kubernetes Service (AKS). They need to expose the application to the internet with TLS termination and provide a single endpoint for multiple services. The solution must also include a Web Application Firewall (WAF). Which Azure service should they use as the ingress controller?
Question 6hardmultiple choice
Full question →A company has a hub-spoke network topology in Azure. They have multiple spoke VNets connected to a hub VNet via peering. They need to ensure that all east-west traffic between spoke VNets goes through a network virtual appliance (NVA) in the hub for inspection. Additionally, all outbound internet traffic from spoke VMs must use a single public IP address. What should they configure?
Question 7easymultiple choice
Full question →A company deploys a web application in two Azure regions for high availability. They need to automatically direct users to the nearest healthy region based on geographic location and endpoint health. Which Azure service should they use?
Question 8hardmultiple choice
Full question →A company is designing a hub-spoke network topology in Azure. The hub contains a third-party network virtual appliance (NVA) for inspection. Spokes need to communicate with each other, and all inter-spoke traffic must be routed through the NVA in the hub. Which configuration should they use?
Question 9mediummultiple choice
Full question →A company has Azure virtual networks (VNets) in three different Azure regions and an on-premises data center connected via ExpressRoute. They need to connect all VNets to each other and to on-premises over the Microsoft global backbone. They also require centralized management of routing and the ability to enforce security policies such as forced tunneling for internet-bound traffic. Which Azure service should they use?
Question 10hardmultiple choice
Full question →A company has multiple Azure VNets deployed in a hub-spoke topology. They want to inspect all outbound internet traffic from spoke VMs using a central firewall and ensure that traffic from all VNets goes through the firewall before reaching the internet. They also need to log all outbound connections. Which architecture should they implement?
Question 11easymultiple choice
Full question →A company is designing a virtual network architecture for a three-tier application (web, application, database). They want network isolation between tiers and secure access from the internet to the web tier only. Which Azure networking solution should they use?
Question 12mediummultiple choice
Full question →A company plans to deploy multiple virtual machines (VMs) across two Azure regions for high availability. The VMs will host a stateless web application that must be accessible via a single DNS endpoint. The solution must automatically route traffic to the nearest region with available capacity and provide failover if a region becomes unhealthy. Which Azure service should they use to meet these requirements?
Question 13hardmultiple choice
Full question →A company has multiple Azure virtual networks (VNets) in different regions and an on-premises data center connected via ExpressRoute. They need to implement a hub-and-spoke topology where a hub VNet hosts shared network virtual appliances (NVAs) for traffic inspection. All traffic between spokes and between spokes and on-premises must be routed through the hub. The company wants to minimize the administrative overhead of configuring and maintaining routing. Which Azure solution should they implement?
Question 14hardmultiple choice
Full question →A company has multiple Azure virtual networks (VNets) spread across three Azure regions (West US, East US, and West Europe). They also have an on-premises network connected to East US via ExpressRoute. They need to connect all VNets to each other and to the on-premises network. They require centralized management of routing and the ability to enforce security policies such as forcing all internet-bound traffic from any VNet to pass through a central firewall in East US. Which Azure solution should they implement?
Question 15easymultiple choice
Full question →A company has an Azure API Management instance deployed in the internal virtual network (VNet) mode. They want to securely expose their backend APIs to external partners over the internet. External partners need to authenticate using OAuth2 tokens. The company also wants to enforce rate limits (throttling) per subscription, cache responses, and enable CORS. Which Azure service should they use to expose the APIs?
Question 16mediummultiple choice
Full question →A company has an Azure SQL Database that they need to access from an on-premises data center over ExpressRoute. They want to use a private IP address to connect to the database, ensuring traffic never traverses the public internet. Which Azure service should they use?
Question 17hardmultiple choice
Full question →A company runs a multi-tier application on Azure virtual machines (VMs) in the West US region. The application consists of a web tier, an application tier, and a database tier. They need to implement a disaster recovery plan to a secondary region (East US) with a recovery point objective (RPO) of 5 minutes and a recovery time objective (RTO) of 15 minutes. The VMs must be recovered in the correct order: database tier first, then application tier, then web tier. The company also wants to test the recovery process periodically without affecting production. They need to ensure that after failover, the VMs retain their IP addresses to minimize DNS propagation delays. Which combination of Azure Site Recovery features should they use?
Question 18hardmultiple choice
Full question →A global e-commerce company deploys its web application on Azure Kubernetes Service (AKS) clusters in multiple Azure regions. They need a single global endpoint for users, with SSL offloading, web application firewall (WAF) protection, and URL path-based routing to the nearest healthy AKS cluster. Which Azure service should they use?
Question 19hardmultiple choice
Full question →A global company is deploying a microservices application on AKS clusters in multiple Azure regions. They need to provide a single endpoint for users worldwide with SSL offloading, web application firewall, and URL path-based routing to the nearest healthy AKS cluster. They also need global load balancing with automatic failover. Which Azure service should they use?
Question 20easymultiple choice
Full question →A company is deploying a web application that must be accessible from the internet. The application is hosted on Azure virtual machines in a virtual network. The solution must provide SSL termination, web application firewall (WAF) protection, and URL path-based routing (e.g., /api/* to one backend pool, /app/* to another). The web tier must not be directly exposed to the internet. Which Azure load balancing solution should they use?
Watch out for
Common VPC Endpoint exam traps
- ▸Link-local addresses are not routable beyond the local link.
- ▸SLAAC uses EUI-64 or random interface IDs — not a DHCP server.
- ▸NDP uses ICMPv6, not ARP.
- ▸An IPv6 prefix is /64 for most host subnets, not /24.
Free account
Track your progress over time
Create a free account to save your results and see which topics improve across sessions.
Focused VPC Endpoint sessions
Start a VPC Endpoint only practice session
Every question in these sessions is drawn from the VPC Endpoint domain — nothing else.
Related practice questions
Related AZ-305 topic practice pages
Move into related areas when this topic feels solid.
SAA-C03 VPC practice questions
Practise AZ-305 questions linked to SAA-C03 VPC.
SAA-C03 S3 lifecycle policy questions
Practise AZ-305 questions linked to SAA-C03 S3 lifecycle policy questions.
SAA-C03 RDS Multi-AZ questions
Practise AZ-305 questions linked to SAA-C03 RDS Multi-AZ questions.
SAA-C03 IAM policy practice questions
Practise AZ-305 questions linked to SAA-C03 IAM policy.
SAA-C03 Route 53 failover questions
Practise AZ-305 questions linked to SAA-C03 Route 53 failover questions.
SAA-C03 CloudFront practice questions
Practise AZ-305 questions linked to SAA-C03 CloudFront.
SAA-C03 NAT gateway questions
Practise AZ-305 questions linked to SAA-C03 NAT gateway questions.
SAA-C03 VPC endpoint questions
Practise AZ-305 questions linked to SAA-C03 VPC endpoint questions.
SAA-C03 Auto Scaling practice questions
Practise AZ-305 questions linked to SAA-C03 Auto Scaling.
SAA-C03 disaster recovery questions
Practise AZ-305 questions linked to SAA-C03 disaster recovery questions.
SAA-C03 high availability questions
Practise AZ-305 questions linked to SAA-C03 high availability questions.
SAA-C03 cost optimization questions
Practise AZ-305 questions linked to SAA-C03 cost optimization questions.
Frequently asked questions
- What does the AZ-305 exam test about VPC Endpoint?
- IPv6 questions usually test address types (link-local, global unicast, ULA), autoconfiguration (SLAAC), Neighbor Discovery Protocol and the differences from IPv4.
- How should I use these practice questions?
- Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
- Can I practise just VPC Endpoint questions in a focused session?
- Yes — the session launcher on this page draws every question from the VPC Endpoint domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
- Where can I practise other AZ-305 topics?
- Use the topic links above to move to related areas, or go back to the AZ-305 question bank to see all topics.
- Are these real exam questions or dumps?
- These are original practice questions written to test the same concepts the AZ-305 exam covers. They are not copied from any real exam or dump site.
Track your progress
A free account saves results across sessions and highlights which topics need work.
Sign up freeExam traps to avoid
- ▸Link-local addresses are not routable beyond the local link.
- ▸SLAAC uses EUI-64 or random interface IDs — not a DHCP server.
- ▸NDP uses ICMPv6, not ARP.
- ▸An IPv6 prefix is /64 for most host subnets, not /24.