Secure networking

A company has a hub-spoke network topology. The hub virtual network contains an Azure Firewall and an ExpressRoute gateway for on-premises connectivity. The spoke virtual network hosts a critical application. They need to ensure that all outbound traffic from the spoke to the internet and to on-premises networks is routed through the Azure Firewall. They configure a user-defined route (UDR) on the spoke subnet with address prefix 0.0.0.0/0 and next hop as the Azure Firewall's private IP. They also disable 'Virtual network gateway route propagation' on the spoke subnet. However, traffic to on-premises still bypasses the firewall and goes through the ExpressRoute gateway. What is the most likely cause?

Your company has an Azure subscription with a hub-spoke network topology. The hub contains an Azure Firewall and a VPN gateway for on-premises connectivity. The spoke virtual network hosts a critical application. You need to ensure that all outbound traffic from the spoke to the internet and on-premises networks flows through the Azure Firewall. You configure a user-defined route (UDR) on the spoke subnet with the default route (0.0.0.0/0) pointing to the Azure Firewall private IP. However, traffic to on-premises still bypasses the firewall. What is the most likely cause?

A company has an Azure virtual network that uses Azure Firewall as the central traffic inspection point. They have a spoke VNet peered to the hub VNet. The spoke VNet contains a subnet with virtual machines. The security team wants to ensure that all outbound traffic from those virtual machines to the internet goes through the Azure Firewall. They have configured a route table on the spoke subnet with a default route (0.0.0.0/0) to the Azure Firewall's private IP. However, traffic from the VMs is still going directly to the internet. What is the most likely cause?

A company has a hub-spoke network topology with Azure Firewall deployed in the hub virtual network. Spoke virtual networks are peered to the hub. The security team needs to ensure that all outbound internet traffic from virtual machines in a spoke subnet goes through the Azure Firewall. They have configured a route table on the spoke subnet with a default route (0.0.0.0/0) pointing to the Azure Firewall private IP address. However, traffic from spoke VMs is still bypassing the firewall and going directly to the internet. What is the most likely reason?

A company has two Azure virtual networks: VNet-A and VNet-B. They peer the VNets and deploy a network virtual appliance (NVA) in VNet-A. They want to inspect all outbound traffic from VNet-B to the internet using the NVA. They configure a user-defined route (UDR) in a route table associated with the subnet in VNet-B, with a default route (0.0.0.0/0) and next hop set to the private IP of the NVA in VNet-A. However, outbound traffic from VNet-B still goes directly to the internet. What is the most likely cause?

A company has two Azure virtual networks, VNet-A (hub) and VNet-B (spoke), connected via VNet peering. They deploy a network virtual appliance (NVA) in a subnet in VNet-A to inspect all traffic between the VNets. They configure a user-defined route (UDR) on the subnet in VNet-B with the destination address space of VNet-A (10.0.0.0/16) and the next hop set to the private IP of the NVA. However, traffic from VNet-B to VNet-A still bypasses the NVA and takes a direct path. What is the most likely cause?

A company has an Azure virtual network with a subnet that hosts Azure virtual machines. They want to restrict access to an Azure SQL Database so that only traffic originating from that specific subnet is allowed. They have enabled a service endpoint for Microsoft.Sql on the subnet and configured the SQL server firewall to allow only that subnet's virtual network rule. However, connections from the VMs to the SQL database are failing with an authorization error. What is the most likely cause?

A company has two Azure virtual networks, VNet-A (hub) and VNet-B (spoke), connected via VNet peering. They deployed a network virtual appliance (NVA) in a subnet in VNet-A to inspect all traffic. They configured a user-defined route (UDR) on the subnet in VNet-B that points the VNet-A address space (10.0.0.0/16) to the private IP of the NVA. However, traffic initiated from VNet-B to VNet-A still takes a direct path and bypasses the NVA. What is the most likely cause?

A company has two Azure virtual networks, VNet-A and VNet-B, connected via VNet peering. They want all traffic between the VNets to be inspected by a network virtual appliance (NVA) deployed in a subnet in VNet-A. They have configured a user-defined route (UDR) on the subnet in VNet-B that points the destination address space of VNet-A to the private IP of the NVA. However, traffic between the VNets is still not passing through the NVA. What is the most likely cause?

A company has an Azure virtual network (VNet) with multiple subnets. They deploy Azure Firewall in a hub VNet and peer spoke VNets. They want to force-tunnel all outbound traffic from a specific spoke subnet to the firewall for inspection. They have configured a route table on the spoke subnet with a default route (0.0.0.0/0) pointing to the Azure Firewall's private IP as the next hop. However, traffic is still bypassing the firewall. What is the most likely cause?

Your company has two Azure virtual networks: VNet-A (10.0.0.0/16) and VNet-B (10.1.0.0/16). They are connected via VNet peering. You deploy a network virtual appliance (NVA) in a subnet in VNet-A to inspect all traffic between the VNets. You configure a user-defined route (UDR) on the subnet in VNet-B that points the address space of VNet-A (10.0.0.0/16) to the next hop as the private IP of the NVA. However, traffic from VNet-B to VNet-A still bypasses the NVA and takes the direct peered path. What is the most likely cause?

A company has two Azure virtual networks (VNet-A and VNet-B) connected via VNet peering. They need to ensure that all traffic between the two VNets is encrypted using IPsec and that no traffic can bypass the encryption. The security team has enabled the 'Use remote virtual network gateways' setting on the peering. However, traffic is still flowing unencrypted. What additional configuration is required to enforce encryption for all traffic between the VNets?

A company is designing a hub-spoke network topology with Azure Firewall in the hub virtual network. Spoke virtual networks are peered to the hub. They want to ensure that all outbound internet traffic from virtual machines in a spoke subnet goes through the Azure Firewall. They have configured a route table on the spoke subnet with a default route (0.0.0.0/0) pointing to the Azure Firewall's private IP address as the next hop. However, traffic is still bypassing the firewall. What is the most likely cause?

A company has an Azure virtual network with a subnet that hosts a web application. They need to allow inbound HTTP (port 80) and HTTPS (port 443) traffic from a specific source IP range (203.0.113.0/24) to the web servers. Additionally, they need to allow inbound RDP (port 3389) traffic from a management subnet (10.0.1.0/24). They want to block all other inbound traffic. They are using a network security group (NSG) associated with the subnet. What is the minimum number of inbound security rules required?

A company has an Azure SQL Database with a private endpoint connection. The database is accessed from on-premises via ExpressRoute and from other Azure virtual networks (VNets) via VNet peering. The security team wants to ensure that all queries from both on-premises and peered VNets go through the private endpoint and NEVER use the public endpoint, even as a fallback. Which additional configuration is required to enforce this?

A company runs a global web application on Azure App Service instances deployed in multiple Azure regions. They want to protect the application from common web attacks such as SQL injection and cross-site scripting (XSS) using a centralized set of managed rules that can be automatically updated. They also need to improve performance by terminating traffic at the nearest point of presence (POP) to end users. Which Azure service should they deploy in front of the App Service?

A company has an Azure virtual network with two subnets: App and Data. The App subnet hosts web servers, and the Data subnet hosts SQL databases. Security policy requires that only HTTPS traffic from the App subnet is allowed to the Data subnet, and all other inbound traffic to the Data subnet must be blocked. The solution must use a single network security group (NSG) associated to the Data subnet. Which NSG inbound rule configuration meets the requirement?

A company deploys Azure Firewall in a hub VNet to inspect all outbound traffic from a spoke VNet. They enable VNet peering between the hub and spoke. They create a route table with a default route (0.0.0.0/0) pointing to the firewall's private IP as the next hop, and associate it with the spoke subnets. However, outbound traffic from the spoke subnets is still going directly to the internet, bypassing the firewall. What is the most likely cause?

A company has an Azure virtual network with a subnet hosting internal web applications. The security team needs to allow inbound HTTPS traffic only from the company's corporate network IP range (203.0.113.0/24). All other inbound traffic must be denied. They want to use a network security group (NSG) associated with the subnet. Which inbound security rule configuration meets this requirement?

A company deploys multiple Azure virtual machines across several subnets in a virtual network. The VMs are grouped by application tiers: web, application, and database. The security team wants to apply network security group (NSG) rules that target all VMs in a specific tier, and they need a way to easily add or remove VMs from these groups without updating NSG rules. Which Azure feature should they use to define these logical VM groups?

A company has an Azure virtual network with a subnet that contains virtual machines. They have deployed Azure Firewall in a hub VNet and peered the spoke VNet to the hub. They have configured a route table on the spoke subnet with a default route (0.0.0.0/0) pointing to the Azure Firewall's private IP as the next hop. However, traffic from the VMs is still going directly to the internet. What is the most likely cause?

A company has a hub-spoke network topology in Azure. The spoke virtual networks contain Azure virtual machines that need to access the internet. The security team requires that all outbound internet traffic from the spoke VMs passes through the Azure Firewall deployed in the hub virtual network for inspection and logging. Which configuration should be implemented to ensure this traffic is routed through the firewall?

A company has two application tiers: web servers and application servers. They want to allow traffic from the web servers to the application servers on port 8080, but only for a specific set of web servers. They have deployed the web servers in an Availability Set and want to use a single NSG rule to allow traffic from any web server that is part of that application tier. Which component should they use?

A company has an Azure virtual network with a subnet hosting web servers. The security policy requires that all inbound HTTP traffic must be sourced from a specific IP address range (203.0.113.0/24). All other inbound traffic must be denied. The subnet is associated with a network security group (NSG). Which set of inbound rules should they configure?

A company uses Azure Firewall to filter outbound traffic. They want to ensure that all DNS queries from virtual machines in a spoke VNet are routed through the Azure Firewall for logging and inspection. They have already configured the firewall to use a custom DNS server. Which additional Azure Firewall feature must be enabled to ensure that the VMs use the firewall as a DNS proxy?

A company wants to deploy an Azure VPN Gateway in active-active mode to ensure high availability for their site-to-site VPN connection. They have two on-premises VPN devices, each with a distinct public IP address. What is the minimum configuration required for the Azure VPN Gateway to utilize both on-premises devices?

A company has several Azure virtual machines (VMs) in a VNet that host a legacy application. IT support staff need to perform remote administration using RDP. The security team wants to avoid exposing the VMs to the public internet and also enforce Azure Multi-Factor Authentication (MFA) for all RDP sessions. Which Azure service should they deploy to meet these requirements?

A company has multiple on-premises web applications that need to be securely published for remote employees. The company uses Azure AD for identity management and wants to apply Conditional Access policies, including multi-factor authentication, to these applications. The security team wants to avoid exposing the on-premises infrastructure to the internet directly. Which Azure service should they deploy to meet these requirements?

A company has a hub-spoke network topology in Azure. They need to inspect and filter all traffic flowing between spoke virtual networks for malicious content and require that the inspection is stateful. Which Azure-native service should they deploy in the hub virtual network to meet this requirement?

A company runs a public-facing web application on Azure App Service in the West US region. They want to protect against network-layer (Layer 3/4) DDoS attacks. The application consists of a single App Service instance. Which Azure DDoS Protection tier should they enable to meet this requirement while minimizing cost?

A company uses Azure Front Door to accelerate and secure its public web application. The security team wants to limit the number of requests from a single client IP address to 100 per minute to prevent a single user from overwhelming the backend. Which configuration should they add to the Web Application Firewall (WAF) policy associated with the Front Door?

A company has an Azure virtual network with a subnet that hosts a web application. They want to allow inbound HTTPS traffic from any source on the internet (0.0.0.0/0) and block all other inbound traffic. They associate a network security group (NSG) with the subnet. What is the minimum number of inbound security rules required to achieve this?

A company has Azure virtual machines that need to download updates from specific external websites (e.g., *.microsoft.com and *.windowsupdate.com). The security team wants to centrally manage and allow outbound HTTPS traffic only to these FQDNs, while blocking all other outbound internet access. Which Azure networking service should they deploy to achieve this?

You have an Azure virtual machine that hosts a web application on port 443 and a management interface on port 8443. You need to allow inbound HTTPS traffic from the internet to port 443, and allow inbound traffic on port 8443 only from the company's office public IP range (203.0.113.0/24). You want to use a managed service that provides basic DDoS protection at no additional cost. What should you use?

A company deploys Azure Firewall to inspect and control outbound traffic from a virtual network. The security team wants to allow outbound HTTPS traffic only to specific FQDNs such as *.microsoft.com and *.windowsupdate.com, while blocking all other outbound internet access. Which type of rule should they configure in Azure Firewall to achieve this filtering?

A company deploys Azure virtual machines in a virtual network. A security policy requires that only Remote Desktop Protocol (RDP) traffic from the corporate VPN's public IP address (203.0.113.0/26) is allowed. All other inbound RDP traffic must be denied. Which configuration should be applied to the network security group (NSG) associated with the VM subnet?

A security administrator is troubleshooting network connectivity to an Azure virtual machine. The VM is behind a network security group (NSG) that has a deny-all inbound rule as the default. The administrator wants to quickly verify whether a specific TCP packet on port 3389 from their client IP (203.0.113.50) would be allowed or blocked by the NSG. Which Azure Network Watcher tool should they use?

A security team needs to analyze network traffic to and from Azure virtual machines to investigate a potential security incident. They want to capture information such as source IP, destination IP, port, and protocol. Which Azure service should they enable on the network security groups (NSGs) associated with the virtual machine subnets?

A company has an Azure virtual network with multiple subnets hosting different application tiers. They need to inspect and filter all outbound traffic from VMs to the internet, and they must be able to allow or deny traffic based on fully qualified domain names (FQDNs). Which Azure networking service should they deploy?

A company is setting up a site-to-site VPN between an on-premises network and an Azure virtual network using an Azure VPN gateway. The security policy mandates that the VPN tunnel must use the strongest available encryption and authentication. Which IPsec/IKE parameter combination should they configure on both sides?

A company has an Azure virtual network with a subnet that hosts a public web application. They want to allow inbound HTTPS traffic (port 443) only from the source IP range 203.0.113.0/24, and block all other inbound traffic. They associate a network security group (NSG) with the subnet. What is the minimum number of inbound security rules required in the NSG to achieve this?

A virtual network has a Frontend subnet (web servers) and a Backend subnet (Azure SQL Database). The security team requires that no internet traffic can reach the Backend subnet directly, but the Frontend subnet must be able to communicate with the Backend subnet on port 1433. Which solution should they implement?

A company has virtual networks in East US and West US connected via global VNet peering. The security policy requires that all traffic between the peered VNets be encrypted using IPsec. Which action should the company take to meet this requirement?

A company has several critical applications deployed in an Azure virtual network. The security team wants to protect the virtual network against Distributed Denial-of-Service (DDoS) attacks by enabling automatic attack mitigation, adaptive tuning, and access to DDoS Rapid Response Support. Which DDoS Protection tier should they enable for the virtual network?

A company has two Azure virtual networks in different Azure regions that need to communicate with each other. The security policy mandates that all inter-region traffic must be encrypted over the public internet. Which connectivity solution should the company implement to meet this requirement?

A company has an Azure virtual network with two subnets: Frontend and Backend. They deploy a network virtual appliance (NVA) in a subnet named NVA_Subnet. They want to route all traffic from the Frontend subnet to the Backend subnet through the NVA for inspection. What is the minimum number of route tables required to achieve this traffic steering?

A company has multiple Azure virtual networks connected via VNet peering. They want to ensure that all traffic between the peered VNets is encrypted and that no traffic can bypass the encryption. Which configuration is required?

A company has an Azure virtual network with a subnet that hosts a web application. The security team wants to allow inbound HTTPS traffic (port 443) from the internet to the web servers, but block all other inbound traffic. They have a network security group (NSG) associated with the subnet. What is the minimal set of inbound rules required?

A company has an Azure virtual network with multiple subnets hosting different tiers of an application. The security team requires inspection of all traffic between subnets for malicious patterns and the ability to allow or deny traffic based on fully qualified domain names (FQDNs). Which Azure networking service should they implement?

A company has an Azure virtual network with a single subnet that hosts web servers. The security team needs to allow inbound HTTPS traffic from the internet to the web servers, but block all other inbound traffic. They want to use a single Azure resource to accomplish this at the subnet level. Which resource should they configure?

An organization has deployed Azure Firewall and wants to inspect all outbound traffic from a virtual network (VNet) to the internet. The VNet already contains subnets with workloads. What is the required networking configuration to force traffic through Azure Firewall?

Your company uses Azure Firewall to protect a virtual network. The security team needs to allow outbound HTTPS traffic from a specific subnet to a set of FQDNs, such as '*.contoso.com', while blocking all other outbound traffic. Which type of Azure Firewall rule should they configure?

A company has a virtual network with a subnet hosting Azure VMs. They want to restrict all inbound traffic to only allow HTTPS (port 443) from the internet, but also allow SSH (port 22) only from a specific management IP address range (e.g., 203.0.113.0/24). Which Azure service should they use to achieve this filtering?

You have an Azure virtual machine that hosts a web application. You need to allow inbound HTTP (80) and HTTPS (443) traffic from the internet to this VM only. You also need to allow outbound traffic to the internet from the VM. You want to use a managed Azure service with minimal configuration. What should you use?

A company has a virtual network in Azure with a subnet that hosts a web application. They want to allow inbound HTTPS traffic only from a specific source IP range (198.51.100.0/24). They are using Network Security Groups (NSGs) associated with the subnet. What is the minimal set of inbound security rules required?

A company uses a hub-spoke network topology in Azure. They need to inspect and filter all traffic flowing between spoke virtual networks for security compliance. Which Azure-native service should be deployed in the hub virtual network to achieve this?

A company has an Azure virtual network with multiple subnets. They want to centrally inspect and log all outbound traffic to the internet. They also need to allow or deny traffic based on domain names (FQDNs). Which Azure resource should they deploy?

A company has an Azure virtual network with subnets SubnetA and SubnetB. They deploy a network virtual appliance (NVA) in a subnet called NVA_Subnet. They want all traffic between SubnetA and SubnetB to be routed through the NVA for inspection. What is the minimum number of route tables and routes required?

A company runs a public-facing web application on Azure App Service in the West US region. They want to protect against network-layer (Layer 3/4) DDoS attacks and have a single web application. Which Azure DDoS Protection tier should they use?

A company has established a site-to-site VPN connection between its on-premises network and an Azure virtual network using an Azure VPN gateway. The security team wants to confirm that all traffic crossing the VPN tunnel is encrypted. Which protocol does the Azure VPN gateway use to encrypt the data?

A company deploys a web application on Azure VMs behind an Azure Load Balancer (Standard SKU). They want to protect the application from common web attacks like SQL injection and cross-site scripting. Which Azure service should they enable?

A storage account should be reachable only from a specific subnet over the Microsoft backbone, while keeping the public endpoint firewall restricted. Which feature should be used?

A web app uses Azure App Service and must access Azure SQL over a private IP without exposing SQL to the public internet. Which two components are required?

Traffic from a spoke VNet must reach the internet through a firewall in the hub VNet. What routing configuration is required on the spoke subnets?

An Application Gateway WAF blocks legitimate requests because a managed rule detects a known false positive. The team wants to keep the rule set enabled. What should they configure?

An Azure SQL Database must be accessed privately from workloads in a VNet and should not allow public network access. Which two configurations are required?

A hub-and-spoke Azure network uses Azure Firewall for egress inspection. Which two settings are typically required on spoke workloads?

A public web application should be protected from OWASP-style attacks and network-layer DDoS attacks. Which two Azure services are most relevant?