AZ-305 · topic practice

VPC practice questions

Practise Microsoft Azure Solutions Architect Expert AZ-305 VPC practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security

What the exam tests

What to know about VPC

VPC questions test whether you can apply the concept in context, not just recognise a definition.

How the topic appears in realistic exam-style scenarios.

Which detail in the question changes the correct answer.

How to eliminate plausible but wrong options.

How to connect the question back to the wider exam objective.

Watch out for

Common VPC exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

VPC questions

16 questions · select your answer, then reveal the explanation

Question 1 · hard · multiple choice

A company has multiple Azure virtual networks (VNets) in different regions and an on-premises data center connected via ExpressRoute. They need to implement a hub-and-spoke topology where a hub VNet hosts shared network virtual appliances (NVAs) for traffic inspection. All traffic between spokes and between spokes and on-premises must be routed through the hub. The company wants to minimize the administrative overhead of configuring and maintaining routing. Which Azure solution should they implement?

Question 2 · hard · multi select

A company is designing hub-and-spoke networking. Spoke VNets must use a central Azure Firewall for outbound internet traffic. Which two configurations are required?

Question 3 · easy · multiple choice

A company is deploying a multi-tier web application on Azure VMs. The web tier must be accessible from the internet, while the application and database tiers must be isolated within the virtual network. The solution must provide SSL termination, web application firewall (WAF) capabilities, and URL-based routing. Which Azure service should they use to expose the web tier?

Question 4 · hard · multiple choice

You are designing a networking solution for a multi-tier application in Azure. The front-end web tier must be accessible from the internet, while the back-end database tier must only be accessible from the web tier. You need to minimize management overhead and ensure that the back-end tier is not directly reachable from the internet. What should you use?

Question 5 · easy · multiple choice

You need to design a virtual network architecture for a three-tier application in Azure. The web tier must be accessible from the internet, the application tier must only be accessible from the web tier, and the database tier must only be accessible from the application tier. Which combination of Azure services should you use?

Question 6 · hard · multiple choice

You are reviewing a network security group (NSG) rule for a subnet that hosts web servers. The subnet's address space is 10.0.1.0/24. What is the effect of this rule?

Exhibit

Refer to the exhibit.

```json
{
  "Name": "Allow specific traffic",
  "Priority": 100,
  "Direction": "Inbound",
  "Access": "Allow",
  "SourceAddressPrefixes": ["10.0.1.0/24"],
  "DestinationAddressPrefixes": ["*"],
  "DestinationPortRanges": ["80", "443"],
  "Protocol": "TCP"
}
```

Question 7 · hard · multiple choice

You are designing a network architecture for a three-tier application hosted in Azure. The front-end tier must be accessible from the internet, the business tier must only communicate with the front-end tier, and the data tier must only communicate with the business tier. You need to minimize exposure and use Azure-native services. Which combination of services should you use?

Question 8 · hard · multiple choice

You executed the above Azure CLI commands. The remote VNet (yourVNet) has address space 10.1.0.0/16. What is the result?

Network Topology

Refer to the exhibit.

```
az network vnet create name myVNet resource-group myRG address-prefix name mySubnet2 vnet-name myVNet name myPeering subnet-name mySubnet remote-vnet /subscriptions/.../resourceGroups/yourRG/providers/Microsoft.Network/virtualNetworks/yourVNet subnet-prefix allow-vnet-access
```

Question 9 · easy · multiple choice

You need to design a networking solution for a multi-tier application that includes a web front-end, an API layer, and a database. The web and API tiers must be accessible from the internet, while the database tier must be isolated. What is the most secure and efficient design?

Question 10 · medium · multiple choice

Refer to the exhibit. You are reviewing an ARM template that deploys a virtual network with two subnets. Subnet-b includes a delegation to Microsoft.Web/serverFarms. What is the purpose of this delegation?

Exhibit

```json
{
  "properties": {
    "template": {
      "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
      "contentVersion": "1.0.0.0",
      "resources": [
        {
          "type": "Microsoft.Network/virtualNetworks",
          "apiVersion": "2021-02-01",
          "name": "vnet-01",
          "location": "[resourceGroup().location]",
          "properties": {
            "addressSpace": {
              "addressPrefixes": [
                "10.0.0.0/16"
              ]
            },
            "subnets": [
              {
                "name": "subnet-a",
                "properties": {
                  "addressPrefix": "10.0.0.0/24"
                }
              },
              {
                "name": "subnet-b",
                "properties": {
                  "addressPrefix": "10.0.1.0/24",
                  "delegations": [
                    {
                      "name": "delegation",
                      "properties": {
                        "serviceName": "Microsoft.Web/serverFarms"
                      }
                    }
                  ]
                }
              }
            ]
          }
        }
      ]
    },
    "parameters": {}
  }
}
```

Question 11 · hard · multiple choice

You are designing a network architecture for a multi-tier application. The front-end tier is an Azure Application Gateway that routes traffic to a web app on Azure App Service. The back-end tier is an Azure SQL Database. You need to ensure that all traffic between the Application Gateway and the web app remains within the Azure backbone network, and that the web app can only be accessed through the Application Gateway. What should you configure?

Question 12 · medium · multi select

Which TWO of the following are valid considerations when designing a SQL Server Always On availability group in Azure VMs? (Choose two.)

Question 13 · medium · multiple choice

Refer to the exhibit. You have an Azure Storage account with the settings shown. A developer reports that they cannot access the storage account from their Azure VM that is connected to subnet-a. The VM's subnet ID matches the one in the rule. What is the most likely cause of the issue?

Exhibit

```json
{
  "properties": {
    "sku": {
      "name": "Standard_GRS"
    },
    "kind": "StorageV2",
    "accessTier": "Hot",
    "supportsHttpsTrafficOnly": true,
    "networkRuleSet": {
      "defaultAction": "Deny",
      "virtualNetworkRules": [
        {
          "id": "/subscriptions/.../subnets/subnet-a",
          "action": "Allow"
        }
      ]
    }
  }
}
```

Question 14 · medium · multiple choice

Your company has a multi-region Azure deployment with virtual networks in East US and West Europe connected via a hub-and-spoke topology. You need to ensure that all traffic between the spokes is routed through a centralized firewall in the hub. The hub uses Azure Firewall. Currently, spoke-to-spoke traffic is not being inspected. What should you configure?

Question 15 · hard · multiple choice

Refer to the exhibit. You are reviewing an Azure Policy definition that your team plans to assign. The policy is intended to deny the deployment of virtual networks and virtual machines if they do not have an NSG attached with a rule named containing 'Allow'. However, the policy is not working as expected. What is the most likely reason?

Exhibit

```json
{
  "properties": {
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/virtualNetworks"
          },
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachines"
          }
        ]
      },
      "then": {
        "effect": "deny",
        "details": {
          "existenceCondition": {
            "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].name",
            "like": "*Allow*"
          }
        }
      }
    }
  }
}
```

Question 16 · medium · multiple choice

Your company has an Azure subscription that contains a hub virtual network and multiple spoke virtual networks connected via VNet peering. You need to ensure that all traffic between spokes is routed through a network virtual appliance (NVA) in the hub. The NVA is configured with IP forwarding enabled. What should you configure in the spoke virtual networks?

Frequently asked questions

What does the AZ-305 exam test about VPC?
VPC questions test whether you can apply the concept in context, not just recognise a definition.

How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.

Can I practise just VPC questions in a focused session?
Yes — the session launcher on this page draws every question from the VPC domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.

Where can I practise other AZ-305 topics?
Use the topic links above to move to related areas, or go back to the AZ-305 question bank to see all topics.

Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the AZ-305 exam covers. They are not copied from any real exam or dump site.