CCNA Secure networking Questions

75 of 237 questions · Page 1/4 · Secure networking · Answers revealed

1
MCQeasy

You need to restrict access to an Azure Storage account so that only traffic from a specific virtual network is allowed. What should you configure?

A.Azure Firewall application rule
B.Storage account firewall and virtual network settings
C.Private endpoint connection
D.Network security group (NSG) on the subnet
AnswerB

In the storage account's networking settings, set the default action to Deny and add a virtual network rule for the allowed subnet (the subnet needs the Microsoft.Storage service endpoint enabled).

Why this answer

Option B is correct because the storage account firewall and virtual network settings let you set the default action to Deny and add virtual network rules for specific subnets, so only traffic arriving from those subnets (over the Microsoft.Storage service endpoint) is accepted. Option D is wrong because an NSG filters traffic on a subnet or NIC; it cannot constrain who reaches a storage account's endpoint. Option A is wrong because an Azure Firewall application rule controls what the VNet may send outbound; it does not stop other sources from reaching the storage account. Option C is wrong because a private endpoint adds a private IP for the account inside the VNet but does not by itself close the public endpoint; you would still have to set public network access to Disabled, which is again a storage firewall setting.

2
MCQhard

A company has two Azure virtual networks, VNet-A (hub) and VNet-B (spoke), connected via VNet peering. They deploy a network virtual appliance (NVA) in a subnet in VNet-A to inspect all traffic between the VNets. They configure a user-defined route (UDR) on the subnet in VNet-B with the destination address space of VNet-A (10.0.0.0/16) and the next hop set to the private IP of the NVA. However, traffic from VNet-B to VNet-A still bypasses the NVA and takes a direct path. What is the most likely cause?

A.The NVA's private IP address is not reachable from VNet-B
B.VNet peering system routes override user-defined routes
C.The UDR must be applied to the gateway subnet of VNet-B
D.The NVA network interface does not have IP forwarding enabled
AnswerD

IP forwarding must be enabled on the NVA's NIC before the Azure fabric will hand it packets addressed to other IPs. Without it, the platform drops those packets at the NIC, so nothing is inspected or forwarded.

Why this answer

Option D is correct because an NVA only receives packets whose destination IP is not its own when IP forwarding is enabled on its network interface (an Azure NIC property, separate from the forwarding setting inside the guest OS, which must also be on). With the setting off, the fabric discards those packets before the appliance sees them, so the UDR appears to have no effect. Enabling IP forwarding lets the NVA act as a router and relay traffic between the VNets as the UDR intends.

Exam trap

The trap here is that candidates often assume a UDR alone is sufficient to force traffic through an NVA, overlooking the mandatory IP forwarding setting on the NVA's NIC, which is a common misconfiguration in Azure networking.

How to eliminate wrong answers

Option A is wrong because if the NVA's private IP were unreachable from VNet-B, packets would be lost at the next hop; it does not explain why the appliance never sees traffic when the route is otherwise correct. Option B is wrong because when a UDR carries the same prefix as a system route (here 10.0.0.0/16, the peering route), the UDR wins: Azure picks the longest matching prefix and, on a tie, prefers user-defined routes over BGP routes over system routes. Option C is wrong because a route table must be associated with the subnet that contains the source VMs; VNet-B may not even have a gateway subnet, and routes on a gateway subnet only affect traffic arriving through a gateway. Troubleshooting note: with IP forwarding off the real symptom is dropped traffic, so if packets genuinely reach VNet-A by a direct path, also confirm the route table is associated with the right subnet and inspect the effective routes of the source NIC (for example with az network nic show-effective-route-table).

3
MCQeasy

A company has several critical applications deployed in an Azure virtual network. The security team wants to protect the virtual network against Distributed Denial-of-Service (DDoS) attacks by enabling automatic attack mitigation, adaptive tuning, and access to DDoS Rapid Response Support. Which DDoS Protection tier should they enable for the virtual network?

A.DDoS Protection Basic (Free)
B.DDoS Protection Standard
C.DDoS Protection Premium
D.DDoS Protection Advanced
AnswerB

Standard (now sold as DDoS Network Protection) includes adaptive tuning, attack mitigation, real-time telemetry and access to DDoS Rapid Response, which comes with the tier rather than being billed separately.

Why this answer

DDoS Protection Standard is the correct tier because it provides automatic attack mitigation, adaptive tuning based on the resource's traffic patterns, and access to DDoS Rapid Response Support (DRRS) for Azure virtual networks. The Basic tier only offers always-on traffic monitoring and platform-level mitigation without adaptive tuning or DRRS, while Premium and Advanced are not Azure DDoS Protection tiers. Naming caveat: Azure has since renamed Basic to DDoS infrastructure protection and Standard to DDoS Network Protection, and added a per-public-IP SKU called DDoS IP Protection; the options use the older names.

Exam trap

The trap here is that candidates may confuse the non-existent 'Premium' or 'Advanced' tiers with the actual Standard tier, or assume the free Basic tier includes advanced features like adaptive tuning and DRRS, which are exclusive to the paid Standard tier.

How to eliminate wrong answers

Option A is wrong because DDoS Protection Basic is free but only provides always-on traffic monitoring and platform-level mitigation backed by Azure's global network capacity; it does not include adaptive tuning or DDoS Rapid Response Support. Option C is wrong because DDoS Protection Premium is not an Azure DDoS Protection tier; the two tiers are Basic and Standard (under current names, infrastructure protection and Network Protection). Option D is wrong because DDoS Protection Advanced is not an Azure DDoS Protection tier either; the paid tier in these options is DDoS Protection Standard.

4
MCQeasy

You need to securely connect two Azure virtual networks in the same region to allow VM-to-VM communication using private IP addresses. The solution must minimize latency and administrative overhead. What should you use?

A.VNet peering
B.Azure VPN Gateway
C.Azure Front Door
D.ExpressRoute
AnswerA

Direct, low-latency, simple.

Why this answer

Option A is correct because VNet peering routes traffic directly over the Microsoft backbone between the two VNets using private IP addresses, with no gateway to manage and no added hop. Option B is wrong because a VPN gateway adds an encrypted tunnel, gateway throughput limits and latency. Option D is wrong because ExpressRoute connects on-premises networks to Azure. Option C is wrong because Azure Front Door is a global HTTP(S) entry point and load balancer, not a network-level link between VNets.

5
MCQhard

Your on-premises network is connected to Azure via a Site-to-Site VPN. You have a production virtual network (VNet1) and a development VNet (VNet2) in the same region. VNet1 has a network virtual appliance (NVA) from the Azure Marketplace. You need to ensure that traffic from VNet2 to an on-premises server is inspected by the NVA in VNet1. Which routing configuration should you implement?

A.Add a user-defined route (UDR) to the gateway subnet of VNet2 with destination 0.0.0.0/0 and next hop set to the private IP of the NVA in VNet1.
B.Configure Azure Route Server on VNet1 and enable VNet peering between VNet1 and VNet2.
C.Create a forced tunneling configuration on the VPN gateway to send all traffic to the NVA.
D.Peer VNet1 and VNet2 and use Azure Firewall in VNet1 as the next hop for all traffic.
AnswerA

The intended answer is a UDR with destination 0.0.0.0/0 and the NVA's private IP as next hop, which pulls on-premises-bound and internet-bound traffic from VNet2 into the NVA over VNet peering.

Why this answer

Option A is correct because only a user-defined route with the NVA as next hop steers traffic through the appliance. Option B is wrong because Azure Route Server exchanges BGP routes between an NVA and Azure but does not itself force traffic through the NVA. Option C is wrong because forced tunneling on a VPN gateway sends traffic to on-premises, not to an NVA. Option D is wrong because it replaces the Marketplace NVA with Azure Firewall, which the scenario does not ask for. Practitioner caveat: Azure does not support a 0.0.0.0/0 route on a gateway subnet. In a real deployment the route table goes on the workload subnets of VNet2, VNet1 and VNet2 are peered (with VNet2 using VNet1's gateway), and IP forwarding is enabled on the NVA's NIC so it can relay the traffic on to the VPN gateway.

6
MCQeasy

You manage a multi-tier application in Azure with a web tier, application tier, and database tier. The web tier must be accessible from the internet, but the application and database tiers must only be accessible from the web tier. Which Azure networking feature should you use to isolate the tiers?

A.Virtual network peering between tiers.
B.Azure Firewall with application rules.
C.Network security groups (NSGs) on each subnet.
D.Application security groups (ASGs) within the same subnet.
AnswerC

NSGs allow you to define rules to permit or deny traffic between subnets, effectively isolating tiers.

Why this answer

Option C is correct because an NSG on each subnet filters inbound and outbound traffic by source, destination, port and protocol, so the App subnet can accept traffic only from the Web subnet and the Data subnet only from the App subnet. Option A is wrong because peering connects networks rather than filtering between them, and subnets in one VNet are already connected. Option B is wrong because Azure Firewall is a centralized, chargeable appliance and overkill for static subnet-to-subnet rules. Option D is wrong because ASGs are labels referenced by NSG rules; on their own, and within a single subnet, they enforce nothing.

7
MCQeasy

You need to securely connect an on-premises network to an Azure virtual network. The connection must use the internet and provide authenticated and encrypted communication. Which Azure service should you use?

A.Azure VPN Gateway
B.Azure ExpressRoute
C.Azure Application Gateway
D.Azure Virtual WAN
AnswerA

Azure VPN Gateway enables site-to-site VPN over the internet with encryption and authentication.

Why this answer

Azure VPN Gateway provides site-to-site VPN connections over the internet with IPsec/IKE encryption, meeting the requirements for authenticated and encrypted communication.

8
MCQmedium

A company is setting up a site-to-site VPN between an on-premises network and an Azure virtual network using an Azure VPN gateway. The security policy mandates that the VPN tunnel must use the strongest available encryption and authentication. Which IPsec/IKE parameter combination should they configure on both sides?

A.IKEv2 with AES256
B.IKEv1 with DES
C.IKEv2 with 3DES
D.IKEv1 with AES128
AnswerA

Among the options, IKEv2 with AES-256 is the strongest protocol and cipher combination supported by Azure VPN Gateway.

Why this answer

Option A is correct because IKEv2 is the current IKE protocol version and AES-256 is the strongest cipher among the options. IKEv2 improves on IKEv1 with a simpler and more reliable exchange, built-in NAT traversal and MOBIKE mobility support. A complete policy also fixes the integrity algorithm and the Diffie-Hellman and PFS groups; on Azure you pin all of these with a custom IPsec/IKE policy on the connection so both sides negotiate exactly the intended proposal.

Exam trap

The trap here is that candidates often assume IKEv2 is always the best choice regardless of the encryption algorithm, but the question specifically requires the strongest encryption, so AES256 is mandatory, not just IKEv2.

How to eliminate wrong answers

Option B is wrong because IKEv1 is the older protocol and DES uses a 56-bit key that can be brute-forced in hours. Option C is wrong because 3DES has a 168-bit key but only about 112 bits of effective strength, and its 64-bit block size exposes long-lived tunnels to birthday (Sweet32) attacks; it is legacy-only. Option D is wrong because IKEv1 lacks IKEv2's robustness features and AES-128, while sound, is not the strongest option offered.

9
MCQmedium

A company has an Azure virtual network with two subnets: App and Data. The App subnet hosts web servers, and the Data subnet hosts SQL databases. Security policy requires that only HTTPS traffic from the App subnet is allowed to the Data subnet, and all other inbound traffic to the Data subnet must be blocked. The solution must use a single network security group (NSG) associated to the Data subnet. Which NSG inbound rule configuration meets the requirement?

A.Allow HTTPS from App subnet priority 100, then Deny All priority 200
B.Deny All priority 100, then Allow HTTPS from App subnet priority 200
C.Allow HTTPS from App subnet priority 100, and Deny All from any source priority 100 (duplicate priority)
D.Allow HTTPS from App subnet priority 100, no other rules
AnswerA

Correct. The Allow rule has higher priority (100) than the Deny All rule (200), so HTTPS from App subnet is allowed and all other traffic is blocked.

Why this answer

Option A is correct because NSG rules are evaluated in priority order, with lower numbers processed first. By placing the Allow HTTPS rule at priority 100, it matches and permits traffic from the App subnet to the Data subnet. The subsequent Deny All rule at priority 200 then blocks all other inbound traffic, satisfying the security policy with a single NSG on the Data subnet.

Exam trap

The trap here is assuming the default DenyAllInBound rule makes an explicit deny unnecessary. The default rules are evaluated after all custom rules, and AllowVnetInBound (priority 65000) comes before DenyAllInBound (65500), so without an explicit deny any non-HTTPS traffic from anywhere in the VNet would still be permitted.

How to eliminate wrong answers

Option B is wrong because the Deny All rule at priority 100 matches every packet first, so the Allow rule at 200 is never reached and the App subnet loses HTTPS access. Option C is wrong because priorities within an NSG must be unique; Azure rejects a second rule with the same number. Option D is wrong because with only the Allow rule, traffic that does not match it falls through to the default rules, where AllowVnetInBound (priority 65000) permits anything sourced from the VirtualNetwork tag; other protocols from the App subnet, or any traffic from other subnets, would reach the Data subnet before DenyAllInBound (65500) is consulted.

10
MCQmedium

A company is deploying Azure Bastion to provide secure RDP/SSH access to VMs in a virtual network. The security requirement is that all administrative access must be logged and audited. What additional configuration is needed to meet this requirement?

A.Enable NSG flow logs on the subnet containing the target VMs.
B.Enable diagnostic settings on Azure Bastion to send logs to a Log Analytics workspace.
C.Enable Azure Activity Log for the Bastion resource.
D.Configure diagnostic settings on the target VMs to send logs to Log Analytics.
AnswerB

Bastion diagnostic logs (the BastionAuditLogs category) record each session's user, source IP, target VM and duration.

Why this answer

Option B is correct because Azure Bastion integrates with Azure Monitor: a diagnostic setting on the Bastion resource streams its audit logs (who connected, from which client IP, to which VM, and for how long) to a Log Analytics workspace where they can be queried and retained. Option A is wrong because NSG flow logs record IP-level flows to and from VMs, not Bastion sessions or usernames. Option C is wrong because the Activity Log captures control-plane operations such as creating or updating the Bastion resource, not the RDP/SSH sessions that pass through it.

Option D is wrong because logs from the target VMs capture OS-level logon events but not the Bastion session metadata; the sessions are proxied, so the VM sees only a connection from the Bastion subnet.

11
MCQhard

Refer to the exhibit. The JSON snippet shows a network rule from an Azure Firewall policy. You have a subnet with IP range 10.0.1.0/24 that needs to connect to Azure SQL Database in Southeast Asia. However, connections are failing. What is the most likely reason?

A.The protocol should be UDP instead of TCP
B.The destination port should be 1434 instead of 1433
C.Network rules do not support service tags as destination addresses
D.The rule priority is too low and may be overridden
AnswerC

According to the page's answer key, the rule fails because its destination is a service tag rather than an IP address or range.

Why this answer

Option C is correct per the answer key because the rule's destination 'AzureCloud.southeastasia' is a service tag, and the question treats Azure Firewall network rules as accepting only IP addresses and CIDR ranges. Option A is wrong because SQL uses TCP. Option B is wrong because 1433 is the Azure SQL Database port (1434 is the SQL Browser port used for named instances). Option D is wrong because a rule collection at priority 100 is evaluated early; a lower-numbered priority is not overridden by later collections.

Caveat for live deployments: current Azure Firewall does accept service tags (and, for Azure SQL, FQDNs) as network rule destinations, so if a rule like this fails in practice, first confirm the effective route of 10.0.1.0/24 actually points at the firewall, prefer the narrower Sql or Sql.SoutheastAsia tag over the broad AzureCloud.southeastasia tag, and read the firewall's network rule log to see which rule (or the implicit deny) matched.

12
MCQmedium

A company runs a public-facing web application on Azure App Service in the West US region. They want to protect against network-layer (Layer 3/4) DDoS attacks and have a single web application. Which Azure DDoS Protection tier should they use?

A.DDoS Protection Basic (default)
B.DDoS Protection Standard
C.Azure Web Application Firewall (WAF) on Application Gateway
D.Azure Front Door with DDoS Protection Standard
AnswerA

DDoS Protection Basic is always on for all Azure resources and provides automatic detection and mitigation of common network-layer DDoS attacks. No configuration is needed, and it is adequate for a single web app.

Why this answer

DDoS Protection Basic (now called DDoS infrastructure protection) is applied to the Azure platform automatically at no additional cost, providing always-on traffic monitoring and real-time mitigation of common network-layer (Layer 3/4) attacks such as SYN floods, UDP floods and reflection attacks. Since the company has a single web application and only needs Layer 3/4 protection, the Basic tier is sufficient and requires no configuration. Note also that the Standard tier (DDoS Network Protection) is enabled on a virtual network and protects public IP resources inside it; a multi-tenant App Service app has no such public IP of its own, so there is nothing to attach Standard to in this scenario.

Exam trap

The trap here is that candidates often assume DDoS Protection Standard is always required for any DDoS protection, overlooking that Basic is automatically enabled and sufficient for Layer 3/4 attacks on a single resource, while Standard is an enhanced add-on for complex, multi-resource environments needing advanced features.

How to eliminate wrong answers

Option B is wrong because DDoS Protection Standard is a paid tier designed for larger, multi-resource deployments that require adaptive tuning, attack analytics, and SLA-backed mitigation; it is overkill and unnecessary for a single web application needing only basic Layer 3/4 protection. Option C is wrong because Azure Web Application Firewall (WAF) on Application Gateway operates at Layer 7 (application layer) to protect against HTTP-specific attacks like SQL injection and cross-site scripting, not Layer 3/4 DDoS attacks. Option D is wrong because Azure Front Door with DDoS Protection Standard combines global load balancing and WAF capabilities but still requires the Standard tier for enhanced DDoS protection, which is not needed for this single-app scenario and adds unnecessary complexity and cost.

13
MCQmedium

You are designing a network security solution for a multi-tier application running in Azure. The front-end VMs must only accept traffic from Azure Front Door. Back-end VMs must only accept traffic from the front-end tier. You plan to use NSGs and ASGs. Which configuration should you use to meet these requirements with minimal administrative overhead?

A.Create NSG rules that allow traffic from the Front Door service tag and from the front-end VM IP addresses.
B.Use service tags for Azure Front Door and for the front-end subnet.
C.Use VNet peering between the front-end and back-end subnets, and configure route tables.
D.Place front-end VMs in an ASG, back-end VMs in another ASG. Configure NSG rules referencing these ASGs.
AnswerD

ASGs simplify management by grouping VMs and referencing them in NSG rules.

Why this answer

Option D is correct because ASGs let you express the policy in terms of workload membership: NSG rules reference the front-end ASG as the source for the back-end tier and the AzureFrontDoor.Backend service tag as the source for the front-end tier, and adding a VM means assigning its NIC to an ASG rather than editing IP lists. Option A is wrong because individual VM IPs must be maintained by hand and break when VMs are added or re-addressed.

Option B is wrong because a service tag exists for Front Door's back-end traffic but no service tag covers your own front-end subnet. Option C is wrong because peering and route tables control reachability, not filtering, and subnets in the same VNet do not peer. Caveat: the Front Door service tag covers every Front Door profile, not just yours, so the front-end tier should also verify the X-Azure-FDID header against your profile's Front Door ID.

14
MCQeasy

A company has an Azure virtual network with multiple subnets hosting different tiers of an application. The security team requires inspection of all traffic between subnets for malicious patterns and the ability to allow or deny traffic based on fully qualified domain names (FQDNs). Which Azure networking service should they implement?

A.Azure Network Security Group (NSG)
B.Azure Firewall
C.Azure Application Gateway
D.Azure VPN Gateway
AnswerB

Azure Firewall is a stateful firewall with application (FQDN) and network rules, enabling inspection and filtering of traffic between subnets.

Why this answer

Azure Firewall is a managed, stateful firewall. Network rules filter Layer 3/4 traffic, application rules filter outbound HTTP(S) by FQDN, and network rules can also target FQDNs when DNS proxy is enabled; threat intelligence filtering blocks known-malicious IPs and domains, and the Premium SKU adds signature-based IDPS and TLS inspection for pattern-level inspection. With user-defined routes sending inter-subnet traffic to the firewall's private IP, it inspects all traffic between subnets, which makes it the correct choice.
</gr_replreplace>
<gr_replace lines="304-323" cat="clarify" orig="Match each">
Match each Azure network security component to its function. The component names are matched here from the descriptions, since the concept list did not survive on the page.

Network security group (NSG): filters traffic at subnet or NIC level

Application security group (ASG): groups VMs by application workload for rule application

Azure DDoS Protection: protects against distributed denial-of-service attacks

Azure Bastion: secure RDP/SSH access to VMs without a public IP

Virtual network service endpoint: extends VNet identity to Azure services over an optimized route

Why these pairings

Each pairing is the defining function of that component: an NSG is the Layer 3/4 filter attached to a subnet or NIC, an ASG is a label that NSG rules reference in place of IP addresses, DDoS Protection absorbs volumetric attacks in front of public IPs, Bastion proxies RDP/SSH from the portal to private IPs, and a service endpoint lets a PaaS service's firewall recognise traffic by its VNet and subnet.

Exam trap

The trap here is that candidates often confuse NSGs with Azure Firewall, assuming NSGs can filter based on FQDNs or inspect traffic for malicious patterns, but NSGs lack Layer 7 inspection and FQDN support, which are exclusive to Azure Firewall in this context.

How to eliminate wrong answers

Option A is wrong because Network Security Groups (NSGs) operate at Layers 3 and 4 only, filtering based on source/destination IP, port, and protocol; they cannot inspect traffic for malicious patterns or filter based on FQDNs. Option C is wrong because Azure Application Gateway is a Layer 7 load balancer with a Web Application Firewall (WAF) that inspects HTTP/HTTPS traffic for web application attacks, but it does not provide general inter-subnet traffic inspection or FQDN-based filtering for non-web protocols. Option D is wrong because Azure VPN Gateway is used for encrypted site-to-site or point-to-site connectivity over the public internet; it does not perform traffic inspection or FQDN-based filtering between subnets within a virtual network.

15
Matchingmedium

Match each Azure network security component to its function.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Filters traffic at subnet or NIC level

Groups VMs by application workload for rule application

Protects against distributed denial-of-service attacks

Secure RDP/SSH access to VMs without public IP

Extends VNet identity to Azure services over optimized route

Why these pairings

These components secure network traffic in Azure.

16
MCQhard

Your company, Contoso Ltd., has a hybrid network with an on-premises data center in Chicago and an Azure subscription with a single virtual network (VNet1) in the East US region. VNet1 has multiple subnets: Web, App, and Data. The Web subnet hosts a load-balanced web application accessible from the internet via a public IP. The App subnet contains application servers that communicate with an on-premises database server in Chicago. The Data subnet contains Azure SQL databases. You have an ExpressRoute circuit connecting Chicago to East US with private peering. Recently, the security team discovered that some traffic from the App subnet to the on-premises database is bypassing the ExpressRoute and traversing the internet, causing latency and security concerns. You must ensure all traffic between VNet1 and the on-premises network uses the ExpressRoute connection. Additionally, you need to restrict inbound internet traffic to only the Web subnet, and all outbound internet traffic from the App and Data subnets must be inspected by an Azure Firewall deployed in a new subnet called AzureFirewallSubnet in VNet1. You have the following requirements: 1. All traffic to/from on-premises must use ExpressRoute. 2. Only the Web subnet should be directly accessible from the internet. 3. Outbound internet traffic from App and Data subnets must be routed through Azure Firewall. 4. Minimize management overhead. Which of the following is the most appropriate course of action?

A.Create a new Azure Firewall policy that blocks all outbound traffic except through ExpressRoute.
B.Add a user-defined route (UDR) to the App and Data subnets with destination 0.0.0.0/0 and next hop set to the Azure Firewall private IP. Ensure the route to on-premises via ExpressRoute is present (system route or UDR).
C.Remove the default 0.0.0.0/0 route from all subnets and add a route for on-premises via ExpressRoute.
D.Deploy a VPN Gateway and configure forced tunneling to send all traffic to on-premises for inspection.
AnswerB

A 0.0.0.0/0 UDR on the App and Data subnets (next hop VirtualAppliance, the firewall's private IP) sends internet-bound traffic to Azure Firewall, while the more specific on-premises prefixes learned over ExpressRoute keep winning for on-premises destinations.

Why this answer

Option B is correct because route selection is longest-prefix-match, with user-defined routes preferred over BGP routes and system routes only when prefix lengths tie. A UDR for 0.0.0.0/0 pointing at the firewall therefore captures internet-bound traffic from App and Data, while on-premises destinations still follow the more specific prefixes propagated from the ExpressRoute gateway. Traffic to the on-premises database can only be reaching the internet if that prefix is not being learned: check that the Chicago prefixes are advertised over private peering, that gateway route propagation is not disabled on the route table, and that AzureFirewallSubnet itself does not receive the UDR. Requirement 2 is met with an NSG on the Web subnet allowing TCP 443 from the Internet tag and by giving App and Data VMs no public IPs.

Option A is wrong because a firewall policy filters packets that already reach the firewall; it cannot move traffic onto ExpressRoute. Option C is wrong because system routes cannot be deleted, only overridden by a more specific or user-defined route. Option D is wrong because a VPN gateway with forced tunneling would send internet traffic to Chicago rather than to Azure Firewall, adds cost and a second path, and conflicts with the requirement to minimize management overhead.
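The following Python script is an added example, not part of the original question set, that models how Azure picks a route for questions 2 and 16: longest prefix first, then user-defined over BGP over system on a tie, plus the NIC IP-forwarding behaviour from question 2. All addresses are constructed assumptions (VNet1 10.0.0.0/16 with the firewall at 10.0.4.4, on-premises 192.168.0.0/16, VNet-B 10.1.0.0/16 with an NVA at 10.0.2.4 in VNet-A).

```python
"""Azure route selection and NVA IP-forwarding behaviour, simulated.  Added example;
the address plan is constructed and not taken from the page."""
from dataclasses import dataclass
from typing import Optional
import ipaddress


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop_type: str            # VirtualNetwork, VNetPeering, VirtualNetworkGateway, Internet, VirtualAppliance
    origin: str                   # "User" (UDR), "BGP" (propagated from a gateway) or "System"
    next_hop_ip: Optional[str] = None


# When prefix lengths tie, Azure prefers user-defined, then BGP, then system routes.
ORIGIN_RANK = {"User": 0, "BGP": 1, "System": 2}


def select_route(routes, dst_ip: str) -> Route:
    """Longest-prefix match; ties broken by ORIGIN_RANK.  0.0.0.0/0 is always present."""
    ip = ipaddress.ip_address(dst_ip)
    matches = [r for r in routes if ip in ipaddress.ip_network(r.prefix)]
    return min(matches, key=lambda r: (-ipaddress.ip_network(r.prefix).prefixlen,
                                       ORIGIN_RANK[r.origin]))


def vnet1_system_routes():
    # System routes every subnet in VNet1 (10.0.0.0/16) receives.
    return [Route("10.0.0.0/16", "VirtualNetwork", "System"),
            Route("0.0.0.0/0", "Internet", "System")]


def q16_next_hops(onprem_advertised: bool, udr_to_firewall: bool) -> dict:
    """Effective next hops for an App-subnet VM under the question 16 variants."""
    routes = vnet1_system_routes()
    if onprem_advertised:
        # Chicago prefix learned over ExpressRoute private peering (gateway route propagation on).
        routes.append(Route("192.168.0.0/16", "VirtualNetworkGateway", "BGP"))
    if udr_to_firewall:
        # The UDR from option B: default route to the firewall's private IP.
        routes.append(Route("0.0.0.0/0", "VirtualAppliance", "User", "10.0.4.4"))
    return {
        "to_onprem_db": select_route(routes, "192.168.10.5").next_hop_type,
        "to_internet": select_route(routes, "203.0.113.9").next_hop_type,
        "to_web_subnet": select_route(routes, "10.0.0.10").next_hop_type,
    }


def q2_next_hop(udr_present: bool) -> str:
    """VNet-B subnet: peering route to VNet-A, optionally overridden by a same-prefix UDR."""
    routes = [Route("10.1.0.0/16", "VirtualNetwork", "System"),
              Route("10.0.0.0/16", "VNetPeering", "System"),
              Route("0.0.0.0/0", "Internet", "System")]
    if udr_present:
        routes.append(Route("10.0.0.0/16", "VirtualAppliance", "User", "10.0.2.4"))
    return select_route(routes, "10.0.5.7").next_hop_type


def nic_disposition(nic_ip: str, ip_forwarding: bool, dst_ip: str) -> str:
    """What the Azure fabric does with a packet handed to a NIC (the NVA side of question 2)."""
    if dst_ip == nic_ip:
        return "deliver"                                  # ordinary traffic addressed to the NVA itself
    return "forward" if ip_forwarding else "drop"         # without IP forwarding the guest never sees it


if __name__ == "__main__":
    print(q16_next_hops(onprem_advertised=False, udr_to_firewall=False))  # on-prem traffic leaks to Internet
    print(q16_next_hops(onprem_advertised=True, udr_to_firewall=True))    # ExpressRoute for on-prem, firewall for Internet
    print(q2_next_hop(True), nic_disposition("10.0.2.4", False, "10.0.5.7"))  # UDR wins, then dropped at the NIC
```

The `onprem_advertised=False` case reproduces the symptom in question 16: with no ExpressRoute-learned prefix, the only match for 192.168.10.5 is the default route, so the on-premises database is reached over the internet (or, once the UDR exists, sent to the firewall instead of the circuit). The question 2 case shows that the UDR does override the peering route, which is why the remaining failure point is the NIC's IP forwarding flag.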

17
MCQmedium

Your organization has an Azure virtual network with a subnet hosting a SQL Managed Instance. You need to ensure that only traffic from Azure services (like Azure Data Factory) can reach the SQL Managed Instance, but you must not allow any public internet traffic. What is the most secure configuration?

A.Enable a service endpoint for Microsoft.Sql on the subnet.
B.Create a private endpoint for the SQL Managed Instance.
C.Configure a network security group (NSG) with a deny-all inbound rule and an allow rule for the Azure Data Factory IP range.
D.Deploy Azure Firewall and create a rule to allow traffic from Azure Data Factory.
AnswerA

Per the answer key, a service endpoint keeps the traffic on the Azure backbone and lets the SQL firewall accept only the enabled subnet.

Why this answer

Option A is correct per the answer key because a service endpoint for Microsoft.Sql on the subnet allows traffic to Azure SQL resources only from that subnet over the Azure backbone, after which the SQL firewall can be locked to that subnet with public access otherwise denied. Option C is wrong because an NSG rule keyed to Azure Data Factory's IP ranges is brittle (the ranges are broad and change, so you would at least use the DataFactory service tag), and an NSG leaves the instance's public endpoint reachable at the service level. Option B is wrong per the key, which treats SQL Managed Instance as ineligible for private endpoints; note, though, that SQL Managed Instance is a PaaS service injected into a dedicated subnet of your VNet rather than an IaaS VM, and Azure has since added private endpoint support for it, which is the stricter option when the goal is private-only access from Data Factory's managed VNet.

Option D is wrong because Azure Firewall adds a hop and cost without closing the instance's public endpoint; it complements, rather than replaces, the instance's own network restrictions.

18
MCQeasy

You need to block inbound traffic from the internet to a specific subnet except for TCP port 443. Which Azure service should you use?

A.Azure Web Application Firewall (WAF)
B.Azure Firewall
C.Network security group (NSG)
D.Azure DDoS Protection
AnswerC

NSGs can filter inbound traffic based on port and source.

Why this answer

Option C is correct because an NSG inbound rule can allow TCP 443 from the Internet service tag while the default DenyAllInBound rule blocks the rest. Option B is wrong because Azure Firewall is a chargeable central appliance; it could do this, but it is not the simplest subnet-level control. Option A is wrong because a WAF inspects HTTP(S) at Layer 7 and is not a port filter.

Option D is wrong because DDoS Protection mitigates volumetric attacks and does not filter by port.

19
MCQeasy

Refer to the exhibit. You have a VNet with two subnets, each with a different NSG. Both NSGs have default rules. What is the default connectivity between VMs in subnetA and subnetB?

A.Traffic is blocked by default.
B.Traffic is allowed only if the VNet has peering.
C.Traffic is allowed by default.
D.Traffic is allowed only if the subnets are in the same region.
AnswerC

The default AllowVnetInBound rule (priority 65000) permits all traffic sourced from the VirtualNetwork tag, which covers every subnet in the VNet.

Why this answer

Option C is correct because every NSG carries the default rules AllowVnetInBound (65000) and AllowVnetOutBound (65000), and the VirtualNetwork tag covers the whole VNet address space (plus peered VNets and prefixes learned through a gateway), so VMs in subnetA and subnetB can talk unless a custom rule denies it. Option A is wrong because the implicit deny (DenyAllInBound, 65500) applies only to traffic not matched earlier, and intra-VNet traffic is matched by AllowVnetInBound first. Option B is wrong because peering connects different VNets; subnets in one VNet are routed by system routes.

Option D is wrong because a VNet is a regional resource, so all of its subnets are in the same region by construction, and no such condition exists in the default rules.

20
MCQeasy

You are designing a secure network architecture for a three-tier application. The web tier must be accessible from the internet, while the application and database tiers must only be accessible from the web tier. Which Azure service should you use to isolate the tiers most securely?

A.Azure Firewall with application rules
B.Azure Front Door with Web Application Firewall
C.Network security groups (NSGs) on subnets
D.VNet peering between tiers
AnswerC

NSGs allow fine-grained inbound/outbound rules between subnets.

Why this answer

Option C is correct because NSGs with subnet-level rules restrict which tier may reach which, using subnet prefixes or ASGs as sources. Option A is wrong because Azure Firewall is a centralized appliance; for static tier isolation NSGs are simpler and cheaper. Option D is wrong because VNet peering connects networks and does not filter traffic.

Option B is wrong because Azure Front Door with WAF protects the internet-facing edge of the web tier; it does nothing for isolation between the internal tiers.

21
MCQmedium

You configure Azure Bastion to allow secure RDP access to VMs in a VNet. However, users report that they cannot connect to a specific VM, while other VMs in the same VNet are accessible. The VM is running and has a public IP. What is the most likely cause?

A.The user does not have 'Reader' role on the VM.
B.The NSG on the VM's subnet does not allow inbound RDP from the AzureBastionSubnet.
C.The VM is located in a different region than the Bastion host.
D.The VM has a public IP assigned, which interferes with Bastion connectivity.
AnswerB

Bastion opens the RDP session from its own subnet to the VM's private IP, so the target subnet's NSG must allow TCP 3389 (22 for SSH) from the AzureBastionSubnet address range.

Why this answer

Azure Bastion connects to the target VM's private IP from an address in AzureBastionSubnet; a public IP on the VM is neither required nor an obstacle. When one VM in an otherwise working VNet is unreachable, the usual cause is an NSG on that VM's subnet or NIC that does not allow inbound 3389 (or 22) from the AzureBastionSubnet prefix (or the VirtualNetwork tag), or a guest firewall blocking the port. Option C is wrong because Bastion is deployed per VNet, so the VM is necessarily in the same region. Option A is not the best answer because the user already reaches other VMs; note, though, that Bastion does require the Reader role on the target VM, its NIC and the Bastion resource, so a per-VM permission gap is worth checking during triage.

22
MCQmedium

A company has an Azure virtual network with a subnet that hosts a web application. They want to allow inbound HTTPS traffic from any source on the internet (0.0.0.0/0) and block all other inbound traffic. They associate a network security group (NSG) with the subnet. What is the minimum number of inbound security rules required to achieve this?

A.One inbound rule allowing HTTPS from Internet, and one inbound rule DenyAllInbound.
B.One inbound rule allowing HTTPS from Internet.
C.Two inbound rules: one allowing HTTPS from Internet, one allowing HTTP from Internet.
D.Two inbound rules: one allowing HTTPS from Internet, one allowing RDP from Internet.
AnswerB

The default NSG rules deny all inbound traffic; adding an allow rule for HTTPS is sufficient.

Why this answer

Option B is correct because an NSG includes default rules that already block inbound traffic not explicitly allowed. Traffic from the Internet does not match AllowVnetInBound or AllowAzureLoadBalancerInBound, so after a single custom rule allowing TCP 443 from the Internet tag, everything else from the Internet falls through to DenyAllInBound (65500). Only one custom inbound rule is therefore required.

Exam trap

The trap here is that candidates often forget about the default NSG rules, especially the 'DenyAllInbound' rule, and incorrectly assume they must add an explicit deny rule to block all other traffic.

How to eliminate wrong answers

Option A is wrong because it suggests adding an explicit DenyAllInbound rule, which is redundant since the default NSG rule already denies all inbound traffic not explicitly permitted. Option C is wrong because it includes an unnecessary rule allowing HTTP (TCP port 80), which is not required and would violate the requirement to block all other inbound traffic. Option D is wrong because it includes an unnecessary rule allowing RDP (TCP port 3389), which is not required and would also violate the requirement to block all other inbound traffic.
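The following Python script is an added example, not part of the original question set, that simulates NSG inbound evaluation (custom rules by ascending priority, then the three default rules) for the scenarios in questions 9, 19 and 22. The address plan (VNet 10.0.0.0/16, App subnet 10.0.1.0/24, a management subnet 10.0.3.0/24) and the probe addresses are constructed assumptions, and the VirtualNetwork and Internet tags are simplified to "inside" and "outside" the VNet.

```python
"""Simulate how an Azure NSG evaluates inbound traffic.  Added example; the address plan is
constructed and not taken from the page."""
from dataclasses import dataclass
import ipaddress

# Constructed address plan (assumption, not from the page).
VNET = ipaddress.ip_network("10.0.0.0/16")
APP_SUBNET = ipaddress.ip_network("10.0.1.0/24")
AZURE_LB_PROBE_IP = "168.63.129.16"


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int         # custom rules use 100-4096; lower numbers are evaluated first
    access: str           # "Allow" or "Deny"
    source: str           # CIDR, or a service tag: "*", "Internet", "VirtualNetwork", "AzureLoadBalancer"
    protocol: str = "*"   # "Tcp", "Udp", "Icmp" or "*"
    dest_port: str = "*"  # a single port or "*"


# Default inbound rules Azure attaches to every NSG; they cannot be deleted.
DEFAULT_INBOUND = (
    Rule("AllowVnetInBound", 65000, "Allow", "VirtualNetwork"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "AzureLoadBalancer"),
    Rule("DenyAllInBound", 65500, "Deny", "*"),
)


def source_matches(rule_source: str, src_ip: str) -> bool:
    ip = ipaddress.ip_address(src_ip)
    if rule_source == "*":
        return True
    if rule_source == "VirtualNetwork":
        return ip in VNET        # simplification: the real tag also covers peered VNets and gateway-learned prefixes
    if rule_source == "Internet":
        return ip not in VNET    # simplification: everything outside the VNet counts as Internet here
    if rule_source == "AzureLoadBalancer":
        return src_ip == AZURE_LB_PROBE_IP
    return ip in ipaddress.ip_network(rule_source)


def priorities_unique(rules) -> bool:
    return len({r.priority for r in rules}) == len(rules)


def evaluate(custom, src_ip: str, protocol: str, port: int) -> str:
    """Return '<Allow|Deny>:<rule name>' for the first matching rule in priority order."""
    if not priorities_unique(custom):
        raise ValueError("NSG rule priorities must be unique")  # Azure rejects duplicates (question 9, option C)
    for r in sorted([*custom, *DEFAULT_INBOUND], key=lambda r: r.priority):
        if not source_matches(r.source, src_ip):
            continue
        if r.protocol != "*" and r.protocol.lower() != protocol.lower():
            continue
        if r.dest_port != "*" and int(r.dest_port) != port:
            continue
        return f"{r.access}:{r.name}"
    raise RuntimeError("unreachable: DenyAllInBound matches every packet")


def question9_scenarios() -> dict:
    """Data-subnet NSG variants from question 9, probed with HTTPS from App and SSH from a third subnet."""
    allow_https = Rule("AllowHttpsFromApp", 100, "Allow", str(APP_SUBNET), "Tcp", "443")
    deny_rest = Rule("DenyAllOther", 200, "Deny", "*")
    option_a = [allow_https, deny_rest]
    option_b = [Rule("DenyAllOther", 100, "Deny", "*"),
                Rule("AllowHttpsFromApp", 200, "Allow", str(APP_SUBNET), "Tcp", "443")]
    option_d = [allow_https]
    app_vm, mgmt_vm = "10.0.1.4", "10.0.3.4"   # constructed VMs in App and a management subnet
    return {
        "A_app_https": evaluate(option_a, app_vm, "Tcp", 443),  # Allow:AllowHttpsFromApp
        "A_mgmt_ssh": evaluate(option_a, mgmt_vm, "Tcp", 22),   # Deny:DenyAllOther
        "B_app_https": evaluate(option_b, app_vm, "Tcp", 443),  # Deny:DenyAllOther (deny evaluated first)
        "D_app_https": evaluate(option_d, app_vm, "Tcp", 443),  # Allow:AllowHttpsFromApp
        "D_mgmt_ssh": evaluate(option_d, mgmt_vm, "Tcp", 22),   # Allow:AllowVnetInBound, the leak option D misses
    }


def question22_scenarios() -> dict:
    """Web-subnet NSG with one allow rule (question 22) and no custom rules at all (question 19)."""
    allow = Rule("AllowHttpsFromInternet", 100, "Allow", "Internet", "Tcp", "443")
    return {
        "internet_https": evaluate([allow], "203.0.113.7", "Tcp", 443),   # Allow:AllowHttpsFromInternet
        "internet_ssh": evaluate([allow], "203.0.113.7", "Tcp", 22),      # Deny:DenyAllInBound
        "subnet_to_subnet_rdp": evaluate([], "10.0.3.4", "Tcp", 3389),    # Allow:AllowVnetInBound
    }


if __name__ == "__main__":
    print(question9_scenarios())
    print(question22_scenarios())
```

The D_mgmt_ssh result is the point of question 9: a lone allow rule leaves AllowVnetInBound to admit everything else from inside the VNet, whereas in question 22 the source is the Internet, which no default allow rule matches, so the single rule is enough.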

23
MCQeasy

You need to secure traffic between two VNets in different Azure regions. The VNets contain virtual machines that must communicate over private IP addresses. Which Azure service should you use?

A.Azure Firewall
B.VNet peering
C.Azure VPN Gateway
D.ExpressRoute
AnswerB

Global VNet peering allows private IP communication between VNets in different regions over the Microsoft backbone.

Why this answer

Option B is correct because global VNet peering connects VNets in different regions over the Microsoft backbone using private IP addresses, with no gateway to deploy. Option C is wrong because a VPN gateway adds gateway cost, throughput limits and latency, although it is the right choice if encryption in transit is a hard requirement, since peered traffic stays on the backbone but is not encrypted. Option D is wrong because ExpressRoute connects on-premises networks to Azure rather than VNet to VNet.

Option A is wrong because Azure Firewall is a filtering service, not a connectivity service.

24
MCQhard

An Application Gateway WAF blocks legitimate requests because a managed rule detects a known false positive. The team wants to keep the rule set enabled. What should they configure?

A.A narrowly scoped WAF exclusion for the affected variable or rule
B.Disable WAF prevention mode for the entire gateway
C.Remove TLS from the listener
D.Move the application behind an internal load balancer only
AnswerA

A scoped exclusion removes the false positive while leaving the managed rule set in prevention mode.

Why this answer

A narrowly scoped WAF exclusion is the correct approach because it lets the team keep the managed rule set enabled while removing the false positive. An exclusion names a request element by match variable (RequestHeaderNames, RequestCookieNames, RequestArgNames) plus a selector, and can be applied to the whole rule set, a rule group or a single rule ID; the WAF then skips inspection of that element for that scope only. Every other request element and every other rule stays enforced, so legitimate traffic stops being blocked without weakening the overall posture.

Exam trap

The trap here is that candidates may think disabling prevention mode or removing TLS is a quick fix, but the correct solution requires a precise, rule-level exclusion to maintain security while addressing the false positive.

How to eliminate wrong answers

Option B is wrong because disabling WAF prevention mode for the entire gateway would switch the WAF to detection mode only, which logs alerts but does not block any malicious traffic, thereby removing protection entirely instead of targeting the false positive. Option C is wrong because removing TLS from the listener would expose traffic in plaintext, breaking encryption requirements and not addressing the WAF rule false positive issue. Option D is wrong because moving the application behind an internal load balancer only would restrict access to internal networks, which does not resolve the WAF false positive and may not be suitable for internet-facing applications.

25
MCQmedium

A company has a hub-and-spoke network topology in Azure. The hub virtual network contains an Azure Firewall and a VPN gateway. Spoke virtual networks are peered to the hub. The security team wants to ensure that all outbound internet traffic from VMs in the spokes flows through the Azure Firewall. What should be configured?

A.Create a route table with a default route (0.0.0.0/0) to the Azure Firewall private IP and associate it with the spoke subnets.
B.Configure forced tunneling on the VPN gateway to route all traffic through the Azure Firewall.
C.Create a route table with a default route to the VPN gateway and associate it with the hub subnet.
D.Configure an NSG on the spoke subnets with a rule that sends traffic to the Azure Firewall.
AnswerA

Route tables override the default system route and force traffic through the firewall.

Why this answer

Option A is correct because a route table with a default route (0.0.0.0/0) whose next hop is the Azure Firewall private IP, associated with the spoke subnets, overrides the system route to the Internet and sends all outbound traffic through the firewall. Option D is wrong because an NSG filters traffic but has no concept of a next hop; it cannot redirect traffic to the firewall. Option C is wrong because the route table must be associated with the spoke subnets where the VMs live, not with a hub subnet. Option B is wrong because forced tunneling on the VPN gateway sends internet-bound traffic to the on-premises network, not through the Azure Firewall, and the gateway does not filter traffic.

26
MCQeasy

You need to securely connect an on-premises network to Azure over the internet with encrypted traffic. The connection must be site-to-site and use IPsec. Which Azure service should you use?

A.Azure VPN Gateway
B.Azure ExpressRoute
C.Azure Virtual WAN
D.Azure Bastion
AnswerA

VPN Gateway provides IPsec site-to-site VPN over the internet.

Why this answer

Option A is correct because Azure VPN Gateway terminates site-to-site IPsec/IKE tunnels from an on-premises VPN device over the public internet. Option B is wrong because ExpressRoute is a private dedicated circuit that does not traverse the internet. Option C is wrong because Virtual WAN is a hub service that can contain a site-to-site VPN gateway, but it is a larger building block than the question needs. Option D is wrong because Azure Bastion provides RDP/SSH access to VMs without public IPs; it does not connect networks.

27
MCQmedium

Your organization uses Azure Private Link to access Azure SQL Database privately from a VNet. You need to ensure that only your VNet can access the private endpoint. What should you configure?

A.Set the subnet's privateEndpointNetworkPolicies property to 'Disabled'
B.Associate a network security group to the private endpoint
C.Enable service endpoints on the subnet
D.Configure an application security group on the private endpoint
AnswerA

Disabling private endpoint network policies on the subnet is the long-standing prerequisite for hosting a private endpoint there; the endpoint then takes a private IP from your VNet that is reachable only from networks routed to that VNet.

Why this answer

Option A is correct because the subnet property privateEndpointNetworkPolicies governs private endpoint traffic in that subnet; setting it to 'Disabled' is the prerequisite for deploying a private endpoint there, and the endpoint's private IP is then reachable only from your VNet and from networks you explicitly connect to it (peering, VPN or ExpressRoute). Option D is wrong because application security groups group VM NICs; they are not applied to a private endpoint. Option C is wrong because service endpoints keep the service's public endpoint and merely tag traffic with the VNet identity; they are a different access model from Private Link. Option B is wrong because an NSG is associated with a subnet or a VM NIC, not with the private endpoint itself; the subnet's NSG only applies to private endpoint traffic when network policies on that subnet are enabled.

28
MCQeasy

A company has a virtual network with a subnet hosting Azure VMs. They want to restrict all inbound traffic to only allow HTTPS (port 443) from the internet, but also allow SSH (port 22) only from a specific management IP address range (e.g., 203.0.113.0/24). Which Azure service should they use to achieve this filtering?

A.Azure Firewall
B.Network Security Group (NSG) rule
C.Azure DDoS Protection
D.Azure Bastion
AnswerB

NSG rules can be configured to allow inbound HTTPS (443) from any source and SSH (22) from the specific management IP range. NSGs provide basic stateful packet filtering at the subnet or NIC level.

Why this answer

A Network Security Group (NSG) rule is the correct choice because NSGs provide stateful, granular inbound and outbound filtering at the subnet or NIC level. You can create a rule to allow HTTPS (TCP/443) from any source (Internet) and a separate rule to allow SSH (TCP/22) only from the specific management IP range 203.0.113.0/24, while implicitly denying all other inbound traffic. NSGs are the native Azure service for this type of traffic filtering and do not require additional cost or deployment.

Exam trap

The trap here is that candidates often choose Azure Firewall because they think it is required for any IP-based filtering, but NSGs are the correct and simpler service for subnet-level inbound port and source IP filtering without needing a centralized firewall appliance.

How to eliminate wrong answers

Option A is wrong because Azure Firewall is a managed, centralized network security service used for advanced filtering across multiple VNets, outbound traffic inspection, and application rules, but it is overkill and more expensive for simple inbound port filtering on a single subnet; NSGs are the appropriate and simpler solution. Option C is wrong because Azure DDoS Protection is designed to protect against volumetric distributed denial-of-service attacks at the network layer, not to filter specific ports or IP addresses for legitimate traffic. Option D is wrong because Azure Bastion provides secure, browser-based RDP/SSH connectivity to VMs without exposing public IPs, but it does not filter inbound traffic to VMs; it replaces the need for SSH/RDP exposure entirely.

29
MCQhard

You are troubleshooting connectivity between two Azure VMs in the same virtual network. VM1 can ping VM2, but VM1's application cannot connect to VM2's application on port 8080. Both VMs have NSGs that allow inbound traffic on port 8080. What is the most likely cause?

A.The VNet is peered with another VNet that has a conflicting address space.
B.An Azure Load Balancer is directing traffic away from VM2.
C.The NSG on VM2's subnet has a deny rule for port 8080.
D.The guest OS firewall on VM2 is blocking inbound port 8080.
AnswerD

A host firewall inside the guest OS can drop traffic that the NSG has already allowed.

Why this answer

Option D is correct because a guest OS firewall (Windows Defender Firewall, or iptables/nftables on Linux) filters inside the VM, after the NSG has already allowed the packet; a missing inbound rule for TCP 8080 there produces exactly this symptom, where ICMP works but the application port is unreachable. Option A is wrong because an overlapping peered address space would disturb reachability in general, yet ping succeeds, so the network path between the two VMs exists. Option C is wrong because the NSGs are stated to allow port 8080. Option B is wrong because a load balancer does not intercept traffic sent directly to VM2's private IP. A quick check on VM2 is to confirm the service is listening on 0.0.0.0:8080 (or the NIC address) and that the host firewall permits it, since a service bound only to localhost gives the same symptom.

30
MCQeasy

You are designing a secure network for a three-tier application. The web tier must be accessible from the internet on port 443. The application tier should only be reachable from the web tier. The database tier should only be reachable from the application tier. Which Azure service should you use to enforce these restrictions?

A.Azure VPN Gateway.
B.Network security groups (NSGs) on each subnet.
C.Azure Front Door.
D.Azure Firewall in the hub.
AnswerB

NSGs can restrict traffic based on source and destination IP/port.

Why this answer

Option B is correct because an NSG on each tier's subnet can allow inbound traffic only from the expected source (the Internet on 443 for the web tier, the web subnet for the application tier, the application subnet for the database tier) and deny everything else; application security groups can stand in for subnet prefixes in those rules. Option D is wrong because Azure Firewall in the hub is a centralized perimeter and inter-VNet inspection service; tier-to-tier isolation inside one VNet is the job of NSGs. Option A is wrong because a VPN gateway provides site-to-site or point-to-site connectivity. Option C is wrong because Azure Front Door is a global HTTP load balancer and entry point, not an east-west traffic filter.

31
MCQeasy

You have an Azure virtual machine that hosts a custom web application. You need to restrict inbound internet traffic to only HTTPS (port 443) from any source. Which Azure resource should you configure?

A.Application Security Group (ASG)
B.Azure Bastion
C.Azure Firewall
D.Network Security Group (NSG)
AnswerD

An NSG with one inbound rule allowing HTTPS from the Internet, combined with the default DenyAllInBound rule, leaves only port 443 reachable from the internet.

Why this answer

Option D is correct because a Network Security Group with an inbound rule that allows TCP 443 from any source, together with the default DenyAllInBound rule, meets the requirement; it can be associated with the VM's NIC or its subnet. Option C is wrong because Azure Firewall is a centralized managed firewall; it is more than a single VM needs and adds cost. Option B is wrong because Azure Bastion provides RDP/SSH access to VMs, not filtering of web traffic. Option A is wrong because an Application Security Group is a label used inside NSG rules to group NICs; it has no rules of its own.

32
MCQmedium

A company has an Azure virtual network with a subnet hosting web servers. The security policy requires that all inbound HTTP traffic must be sourced from a specific IP address range (203.0.113.0/24). All other inbound traffic must be denied. The subnet is associated with a network security group (NSG). Which set of inbound rules should they configure?

A.Allow HTTP from 203.0.113.0/24 (priority 100), then Deny all inbound (priority 200)
B.Deny all inbound (priority 100), then Allow HTTP from 203.0.113.0/24 (priority 200)
C.Allow HTTP from any (priority 100), then Deny all inbound (priority 200)
D.Only Allow HTTP from 203.0.113.0/24 (priority 100) with no explicit deny
AnswerA

Correct. The allow rule has a lower priority number (100) and is evaluated first. The subsequent deny-all rule (priority 200) blocks any traffic not matching the allow rule.

Why this answer

Option A is correct because NSG rules are evaluated in priority order (lowest number first). The Allow rule for HTTP from 203.0.113.0/24 at priority 100 permits the desired traffic, and the subsequent Deny all inbound rule at priority 200 blocks all other traffic, including HTTP from any other source. This satisfies the security policy of allowing only HTTP from the specified IP range and denying everything else.

Exam trap

The trap here is that candidates often think a single Allow rule with no explicit Deny is sufficient, forgetting that the default rules AllowVnetInBound (65000) and AllowAzureLoadBalancerInBound (65001) sit ahead of DenyAllInBound (65500) and still admit traffic sourced from inside the virtual network, from peered networks and from the platform load balancer unless it is explicitly denied.

How to eliminate wrong answers

Option B is wrong because the Deny all inbound rule at priority 100 would block all traffic, including HTTP from 203.0.113.0/24, before the Allow rule at priority 200 is evaluated, resulting in no allowed traffic. Option C is wrong because allowing HTTP from any source at priority 100 permits inbound HTTP from all IP addresses, violating the policy that restricts HTTP to the 203.0.113.0/24 range. Option D is wrong because without an explicit Deny all inbound rule, traffic not matching the Allow rule is handled by the default rules: internet-sourced traffic is dropped by DenyAllInBound, but traffic from the VNet, peered VNets or the Azure load balancer is still admitted by the default allow rules, so "all other inbound traffic denied" is not achieved.

33
MCQmedium

A company has an Azure virtual network with a subnet that hosts a web application. They need to allow inbound HTTP (port 80) and HTTPS (port 443) traffic from a specific source IP range (203.0.113.0/24) to the web servers. Additionally, they need to allow inbound RDP (port 3389) traffic from a management subnet (10.0.1.0/24). They want to block all other inbound traffic. They are using a network security group (NSG) associated with the subnet. What is the minimum number of inbound security rules required?

A.3
B.4
C.5
D.2
AnswerA

Three allow rules (HTTP, HTTPS, RDP) are sufficient. The default deny rule handles all other inbound traffic.

Why this answer

The correct answer is A (3 rules) because an NSG's default rules already drop inbound traffic from the internet that no custom rule allows. You only need explicit allow rules for the three permitted flows: HTTP (port 80) from 203.0.113.0/24, HTTPS (port 443) from 203.0.113.0/24, and RDP (port 3389) from 10.0.1.0/24. The default DenyAllInBound rule handles the rest, so no additional deny rule is required.

Exam trap

The trap here is that candidates often think they need an explicit deny rule to block all other traffic, forgetting that the default 'DenyAllInBound' rule already accomplishes this, leading them to overcount the required rules.

How to eliminate wrong answers

Option B (4) is wrong because it assumes a separate deny-all rule is needed, but the default deny rule already blocks all unmatched internet traffic. Option C (5) is wrong because it either adds an explicit deny rule on top of separate HTTP and HTTPS rules, or mistakenly counts a rule for the management subnet's outbound traffic. Option D (2) is wrong under the one-rule-per-port counting the question expects, where HTTP and HTTPS from the same source are separate rules. Note for practice, not for the exam: augmented security rules do let a single rule list several destination ports (for example 80,443), so in a real deployment the two web ports from the same source could share one rule and two rules would suffice.

34
MCQhard

You are a security engineer for Contoso. The company uses Azure Firewall for all inbound and outbound traffic. To prevent misconfiguration, you assign the Azure Policy shown in the exhibit at the management group scope. After assignment, a network administrator reports that they cannot create a new subnet in an existing virtual network. The subnet creation fails with a 'deny' policy error. You need to allow subnet creation while still blocking NSG rule changes. What should you do?

A.Change the effect to 'audit' instead of 'deny'.
B.Modify the policy rule to remove the subnet condition from the anyOf array.
C.Add an exemption for the virtual network resource group.
D.Remove the policy assignment and create a custom role to block subnet creation.
AnswerB

Correct. Removing the subnet condition allows subnet creation while still blocking NSG rule changes.

Why this answer

The policy currently denies both NSG security rule changes and subnet creation because its if condition uses anyOf, so either condition alone triggers the deny effect. To allow subnet creation while still blocking NSG rule changes, remove the subnet condition from the anyOf array so the rule only matches NSG security rule operations; Option B does exactly that.

Option A is wrong because switching the effect to audit stops blocking NSG rule changes as well. Option C is wrong because an exemption for the virtual network's resource group also exempts NSG rule changes in that resource group and does nothing for other virtual networks. Option D is wrong because it removes the policy entirely, and a custom role restricts what a caller may do rather than enforcing a condition on the resource.

35
MCQmedium

Refer to the exhibit. An Azure Firewall Policy snippet is shown. A security administrator deploys this policy to the Azure Firewall. However, they receive reports that some VMs can still access the internet. What is the most likely reason?

A.The destination "Internet" is not a valid service tag; it should be "*" for all destinations.
B.The action type "Deny" is misspelled; it should be "Deny".
C.The sourceAddresses field uses "*" which is not supported for outbound rules.
D.There is another rule collection with a higher priority that allows traffic.
AnswerD

Rule collections are evaluated in priority order; an allow rule in a collection with a higher priority (lower number) is matched first and the deny rule is never reached.

Why this answer

Option D is correct. Azure Firewall Policy evaluates rule collection groups in priority order, then the rule collections inside each group in priority order, and the rules within a collection in turn; the first match wins, and network rule collections are processed before application rule collections. If another rule collection with a higher priority (a lower number) contains an allow rule matching the same source and destination, that rule is matched first and the deny rule in this collection is never reached.

The rule collection group must also belong to the policy that is attached to the firewall. Option C is wrong because a source of "*" simply matches all VMs. Option A is wrong because the policy deployed, so the destination was accepted; a malformed destination fails validation rather than silently allowing traffic.

Option B is wrong because the rule uses the Deny action as intended.

36
MCQmedium

A company has an Azure virtual network with a subnet hosting internal web applications. The security team needs to allow inbound HTTPS traffic only from the company's corporate network IP range (203.0.113.0/24). All other inbound traffic must be denied. They want to use a network security group (NSG) associated with the subnet. Which inbound security rule configuration meets this requirement?

A.One inbound rule: Allow HTTPS from 203.0.113.0/24 with priority 100. No other rules. Rely on the default deny-all rule.
B.Two inbound rules: Allow HTTPS from 203.0.113.0/24 with priority 100, and Deny All from Any with priority 110.
C.Two inbound rules: Deny All from Any with priority 100, and Allow HTTPS from 203.0.113.0/24 with priority 110.
D.One inbound rule: Deny All from Any with priority 100. No allow rules. Use application security groups.
AnswerB

The allow rule (priority 100) permits HTTPS from the corporate IP. The deny rule (priority 110) blocks all other inbound traffic. Since the deny rule has a lower priority number (higher priority) than any default rules, it effectively blocks everything except the allowed HTTPS traffic.

Why this answer

Option B is correct because NSGs process rules in priority order and stop at the first match. The Allow HTTPS rule at 100 admits the corporate traffic; the explicit Deny All at 110 is evaluated before the default rules AllowVnetInBound (65000) and AllowAzureLoadBalancerInBound (65001), so traffic from inside the VNet, from peered networks and from the platform load balancer is denied too, which is what "all other inbound traffic must be denied" requires.

Exam trap

The trap here is that candidates assume the default DenyAllInBound rule is enough, forgetting that two default allow rules precede it, or they misorder the custom rules by placing the deny before the allow.

How to eliminate wrong answers

Option A is wrong because relying on the default rules only blocks internet-sourced traffic; AllowVnetInBound and AllowAzureLoadBalancerInBound still admit traffic from the VNet, peered VNets and the load balancer, so the requirement to deny everything else is not met. Option C is wrong because placing 'Deny All from Any' at priority 100 blocks all traffic, including HTTPS from 203.0.113.0/24, before the allow rule at priority 110 is evaluated, so no HTTPS traffic gets through. Option D is wrong because a single 'Deny All from Any' rule with no allow rule blocks all inbound traffic, including the desired HTTPS, and application security groups are only labels used inside rules; they do not replace an explicit allow.

37
Multi-Selecthard

Which THREE of the following are required to enable network traffic flow between two peered Azure virtual networks in different Azure regions?

Select 3 answers
A.Both VNets must have the Allow virtual network access setting enabled for the peering.
B.If using a network virtual appliance, the Allow forwarded traffic setting must be enabled.
C.Gateway transit must be enabled in at least one VNet.
D.An NSG rule must allow traffic between the VNets.
E.The address spaces of the VNets must not overlap.
AnswersA, B, E

All three are prerequisites for traffic to flow over the peering.

Why this answer

Options A, B and E are correct. Global VNet peering needs Allow virtual network access enabled on the peering from each side, address spaces that do not overlap (a peering with overlapping ranges cannot be created), and, when traffic between the VNets is forwarded by a network virtual appliance, Allow forwarded traffic on the receiving side. Option C (gateway transit) is optional and only matters when a spoke should use the other VNet's VPN or ExpressRoute gateway.

Option D is wrong because the default AllowVnetInBound rule already permits traffic from peered VNets (the VirtualNetwork service tag includes peered address space), so no NSG rule is required unless a custom deny was added.

38
MCQhard

A company has an Azure virtual network (VNet) with multiple subnets. They deploy Azure Firewall in a hub VNet and peer spoke VNets. They want to force-tunnel all outbound traffic from a specific spoke subnet to the firewall for inspection. They have configured a route table on the spoke subnet with a default route (0.0.0.0/0) pointing to the Azure Firewall's private IP as the next hop. However, traffic is still bypassing the firewall. What is the most likely cause?

A.The Azure Firewall subnet is missing a route table entry for the 0.0.0.0/0 route
B.The route table on the spoke subnet has 'Propagate gateway routes' enabled, causing a conflicting route from the hub's VPN gateway
C.The VNet peering does not allow forwarded traffic from the spoke to the firewall
D.The Azure Firewall is not configured with the 'Allow outbound traffic' rule
AnswerB

With gateway route propagation enabled, prefixes learned by the hub's VPN or ExpressRoute gateway are installed in the spoke subnet's effective routes. Azure picks the longest matching prefix first, so any on-premises prefix more specific than 0.0.0.0/0 sends that traffic to the gateway instead of the firewall; disabling propagation (and adding UDRs for those prefixes that point at the firewall) removes the conflict.

Why this answer

Option B is correct because when 'Propagate gateway routes' is enabled on the spoke subnet's route table, routes learned by the hub's VPN or ExpressRoute gateway (reachable through the peering with use remote gateways) are injected into the spoke subnet. Azure's route selection is longest prefix match first; only when two routes share the exact same prefix does it prefer user-defined over BGP over system. A BGP-learned 0.0.0.0/0 therefore loses to the UDR, but every more specific propagated prefix wins for its destinations, and that traffic goes to the gateway without passing the firewall.

Exam trap

The trap here is that candidates assume a 0.0.0.0/0 UDR captures everything, but a UDR only wins ties on the same prefix; a more specific gateway-propagated route beats it by longest prefix match.

How to eliminate wrong answers

Option A is wrong because the firewall's own subnet (AzureFirewallSubnet) needs no UDR for this scenario; pointing its 0.0.0.0/0 back at the firewall would loop traffic rather than fix inspection. Option C is wrong because the spoke's outbound traffic originates in the spoke and the firewall SNATs internet-bound flows, so the forwarded-traffic setting is not the constraint here; and if it were, the symptom would be dropped packets, not a bypass. Option D is wrong because a missing allow rule on the firewall makes the firewall drop the traffic it receives, whereas here the traffic never reaches the firewall because of routing.

39
MCQhard

A company has an Azure virtual network that uses Azure Firewall as the central traffic inspection point. They have a spoke VNet peered to the hub VNet. The spoke VNet contains a subnet with virtual machines. The security team wants to ensure that all outbound traffic from those virtual machines to the internet goes through the Azure Firewall. They have configured a route table on the spoke subnet with a default route (0.0.0.0/0) to the Azure Firewall's private IP. However, traffic from the VMs is still going directly to the internet. What is the most likely cause?

A.The route table is not associated to the subnet.
B.The Azure Firewall is not configured with a default route.
C.The virtual machines have public IP addresses assigned.
D.The VNet peering is not configured properly.
AnswerC

The exam's intended reasoning: a VM with an instance-level public IP has a direct internet path and is the component most likely to sidestep the firewall.

Why this answer

The exam's reasoning is that a virtual machine with an instance-level public IP address has its own path to the internet and is therefore the component most likely to sidestep the firewall. Practitioner caveat: a UDR associated with the subnet applies to the VM's outbound traffic whether or not the NIC has a public IP; what a public IP does is accept inbound connections that arrive directly and are answered through the firewall (asymmetric routing), and it gives the VM a way out if the route table is missing or not associated. Before changing anything, read the NIC's effective routes (az network nic show-effective-route-table) to see which route 0.0.0.0/0 actually resolves to, then remove the public IP and publish the service through a firewall DNAT rule or a load balancer instead.

Exam trap

The trap here is that candidates assume a 0.0.0.0/0 UDR to the firewall settles outbound routing on its own, while the exam expects them to spot the VM-level public IP as the component that gives the VM a direct internet path.

How to eliminate wrong answers

Option A is wrong in the exam's reading because the scenario states the route table was configured on the spoke subnet. In practice a route table that exists but is not associated with the subnet produces exactly this symptom, so confirming the association and the NIC's effective routes is the first check. Option B is wrong because the Azure Firewall needs no default route of its own for spoke VMs to reach it; the AzureFirewallSubnet's routing is separate, and the problem is on the VM side. Option D is wrong because if the peering were broken, the spoke VMs could not reach the firewall's private IP at all and their traffic would be dropped, whereas the symptom is traffic leaving directly to the internet.
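The route selection behind question 38 and the "check the effective routes" step from question 39, as an added example that is not part of the quiz page. It models Azure's rule: longest prefix match first, and only among routes with the identical prefix the preference User (UDR) over BGP-propagated over System. The spoke space 10.1.0.0/16, the firewall IP 10.0.1.4 and the on-premises aggregate 172.16.0.0/12 are assumed values.

```python
# Added example, not code from the quiz page: how Azure resolves a subnet's
# effective route for a destination. Longest prefix match comes first; only
# routes with the identical prefix are then ranked User (UDR) > BGP-propagated
# > System. The spoke space 10.1.0.0/16, the firewall IP 10.0.1.4 and the
# on-premises aggregate 172.16.0.0/12 are assumed values.
from dataclasses import dataclass
from typing import Optional
import ipaddress

SOURCE_RANK = {"User": 0, "VirtualNetworkGateway": 1, "Default": 2}  # lower wins on a prefix tie


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop_type: str        # VnetLocal, Internet, VirtualAppliance, VirtualNetworkGateway
    source: str               # "User" (UDR), "VirtualNetworkGateway" (BGP/propagated), "Default" (system)
    next_hop_ip: Optional[str] = None


SYSTEM_ROUTES = [
    Route("10.1.0.0/16", "VnetLocal", "Default"),
    Route("0.0.0.0/0", "Internet", "Default"),
]
USER_ROUTES = [Route("0.0.0.0/0", "VirtualAppliance", "User", "10.0.1.4")]  # UDR to the hub firewall
GATEWAY_ROUTES = [                                                         # learned via the hub gateway
    Route("0.0.0.0/0", "VirtualNetworkGateway", "VirtualNetworkGateway"),  # default route advertised from on-prem
    Route("172.16.0.0/12", "VirtualNetworkGateway", "VirtualNetworkGateway"),
]


def effective_routes(propagate_gateway_routes: bool):
    """The route set a subnet sees; 'Propagate gateway routes' = No drops the gateway-learned ones."""
    routes = SYSTEM_ROUTES + USER_ROUTES
    if propagate_gateway_routes:
        routes = routes + GATEWAY_ROUTES
    return routes


def select_route(routes, dest_ip: str) -> Route:
    ip = ipaddress.ip_address(dest_ip)
    candidates = [r for r in routes if ip in ipaddress.ip_network(r.prefix)]
    # Longest prefix first; on a tie, the preferred route source.
    return min(candidates, key=lambda r: (-ipaddress.ip_network(r.prefix).prefixlen, SOURCE_RANK[r.source]))


def next_hop(dest_ip: str, propagate_gateway_routes: bool) -> str:
    return select_route(effective_routes(propagate_gateway_routes), dest_ip).next_hop_type


if __name__ == "__main__":
    for dest in ("8.8.8.8", "172.16.5.10", "10.1.3.4"):
        print(f"{dest:12s} propagation on : {next_hop(dest, True)}")
        print(f"{dest:12s} propagation off: {next_hop(dest, False)}")
```

With propagation on, internet-bound traffic still goes to the firewall (the UDR wins the 0.0.0.0/0 tie against the BGP default), but anything inside 172.16.0.0/12 goes straight to the gateway; with propagation off, or with an explicit UDR for 172.16.0.0/12 pointing at the firewall, it is inspected. On a real NIC the same table is read with `az network nic show-effective-route-table --resource-group <rg> --name <nic>`, whose Source column shows User, VirtualNetworkGateway or Default for each prefix.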

40
MCQeasy

A company deploys multiple Azure virtual machines across several subnets in a virtual network. The VMs are grouped by application tiers: web, application, and database. The security team wants to apply network security group (NSG) rules that target all VMs in a specific tier, and they need a way to easily add or remove VMs from these groups without updating NSG rules. Which Azure feature should they use to define these logical VM groups?

A.Network security group (NSG) with multiple IP address ranges.
B.Application Security Group (ASG).
C.Azure Resource Manager tags.
D.Virtual Network peering.
AnswerB

ASGs enable you to define logical groups of VMs based on their function. You can reference an ASG in NSG rules, and as VMs are added or removed from the ASG, the rule applies to the current members automatically.

Why this answer

Application Security Groups (ASGs) allow you to group VMs logically by application tier (e.g., web, application, database) without relying on IP addresses or subnet boundaries. NSG rules can reference ASGs as source or destination, so adding or removing a VM from an ASG automatically updates the effective security policy without modifying the NSG rules themselves.

Exam trap

The trap here is that candidates often confuse Azure Resource Manager tags with ASGs, thinking tags can be used in NSG rules, but NSG rules only support IP addresses, service tags, and application security groups, not tags.

How to eliminate wrong answers

Option A is wrong because NSGs with multiple IP address ranges require manual updates to the IP list whenever VMs are added or removed, which does not provide the dynamic, logical grouping the scenario requires. Option C is wrong because Azure Resource Manager tags are metadata labels that cannot be directly referenced in NSG rules; they are used for resource organization, cost tracking, and policy enforcement, not for defining network security group membership. Option D is wrong because Virtual Network peering connects separate virtual networks at the network layer and does not create logical groups of VMs within a single VNet or across subnets.

41
MCQhard

You are the security engineer for a financial services company that has multiple Azure subscriptions. The company uses Azure Virtual WAN with a secured hub containing Azure Firewall. Recently, the compliance team identified that traffic between two spoke virtual networks (SpokeA and SpokeB) is bypassing the firewall. Investigation shows that SpokeA and SpokeB are directly peered and have not been routed through the hub. The requirement is that all inter-spoke traffic must be inspected by Azure Firewall. You need to enforce this without disrupting existing applications. Also, the company uses Azure Firewall Manager for policy management and wants to use Azure Policy to prevent future direct peering. What should you do first?

A.Remove the VNet peering between SpokeA and SpokeB.
B.Disable 'Use remote virtual network gateways' on both spokes.
C.Create an Azure Policy to deny VNet peering between spokes.
D.Add a user-defined route in SpokeA and SpokeB pointing to the Azure Firewall for inter-spoke traffic.
AnswerA

Removing peering forces traffic through the Virtual WAN hub and firewall.

Why this answer

Option A is correct because the immediate cause is the direct peering, which gives SpokeA and SpokeB a system route to each other that never touches the hub. Removing that peering leaves only the Virtual WAN hub connection, whose hub route table sends inter-spoke traffic through the secured hub's Azure Firewall. Option D is wrong because UDRs pointing at the firewall would override the peering route only on the subnets where they are associated and must be maintained in every spoke; in a Virtual WAN design the hub route table carries this routing, so removing the peering comes first.

Option C is wrong because an Azure Policy deny prevents future peerings but does not fix the existing one; it is the follow-up step. Option B is wrong because spokes attached to a Virtual WAN hub rely on the hub's gateways; disabling 'Use remote virtual network gateways' breaks their connectivity.

42
Multi-Selecteasy

Which TWO of the following are supported ways to connect an on-premises network to Azure?

Select 2 answers
A.Azure Bastion
B.Azure ExpressRoute
C.Point-to-Site VPN
D.Site-to-Site VPN
E.Azure Front Door
AnswersB, D

ExpressRoute is a dedicated private circuit; site-to-site VPN is an IPsec tunnel over the internet. Both connect an entire on-premises network to Azure.

Why this answer

Azure ExpressRoute (B) is correct because it provides a dedicated, private connection from an on-premises network to Azure, bypassing the public internet for enhanced reliability, lower latency, and higher security. Site-to-Site VPN (D) is correct because it uses IPsec/IKE to create an encrypted tunnel over the internet between an on-premises VPN device and an Azure VPN gateway, enabling secure hybrid connectivity. Both are explicitly supported methods for connecting on-premises networks to Azure.

Exam trap

The trap here is confusing Azure Bastion (a secure access service for VMs) with a network connectivity solution, or assuming Point-to-Site VPN can connect an entire on-premises network when it only supports individual client connections.

43
MCQeasy

A company has an Azure virtual network with a subnet that hosts a public web application. They want to allow inbound HTTPS traffic (port 443) only from the source IP range 203.0.113.0/24, and block all other inbound traffic. They associate a network security group (NSG) with the subnet. What is the minimum number of inbound security rules required in the NSG to achieve this?

A.0 (no additional rules needed because the default rules block all inbound traffic)
B.1
C.2 (one allow rule for HTTPS and one deny rule for all other traffic)
D.3 (one allow HTTPS, one allow for Azure Load Balancer health probes, and one deny all)
AnswerB

One allow rule for HTTPS from the specific IP range is sufficient. The default deny rule blocks all other traffic automatically.

Why this answer

Option B is correct because the single allow rule for TCP 443 from 203.0.113.0/24 is matched first, and internet-sourced traffic that does not match falls through to the default DenyAllInBound rule (priority 65500). No explicit deny rule is needed in the exam's reading, and no rule for Azure Load Balancer health probes is required because the scenario mentions no load balancer. Note that the default rules AllowVnetInBound (65000) and AllowAzureLoadBalancerInBound (65001) still admit traffic from inside the VNet and from the platform load balancer; if that traffic must be blocked as well, an explicit deny at a low priority number is required.

Exam trap

The trap here is that candidates often think they need an explicit deny rule to block all other traffic, forgetting that NSGs have a built-in default deny-all rule that automatically handles this.

How to eliminate wrong answers

Option A is wrong because the default rules do not block all inbound traffic: AllowVnetInBound (65000) and AllowAzureLoadBalancerInBound (65001) admit traffic from the VirtualNetwork and AzureLoadBalancer service tags before DenyAllInBound (65500) applies, and none of them admits the partner range, so at least one custom rule is needed. Option C is wrong because an explicit deny rule is redundant; DenyAllInBound already blocks everything a higher-priority allow rule does not match. Option D is wrong because a health-probe rule is only relevant if a load balancer is in the design, the scenario does not mention one, and probes are already admitted by the default 65001 rule, so adding it would not be the minimum.

44
MCQhard

Refer to the exhibit. The JSON shows an Azure Policy initiative assignment. You have a subnet that needs to allow private endpoints. You created a Private Endpoint but it fails to provision. What is the most likely reason?

A.The Private Endpoint requires a service endpoint to be configured
B.The subnet's privateEndpointNetworkPolicies property is set to 'Enabled' (default)
C.The policy is disabled
D.The policy is not assigned to the correct subscription
AnswerB

The policy mandates 'Disabled'; if it's 'Enabled', the policy denies the private endpoint creation.

Why this answer

Option B is correct because the policy requires the subnet's privateEndpointNetworkPolicies property to be 'Disabled'; while the property is still at its default of 'Enabled', a Deny-effect assignment rejects the private endpoint deployment. Before blaming the policy, read the subnet's actual value with `az network vnet subnet show -g <rg> --vnet-name <vnet> -n <subnet> --query privateEndpointNetworkPolicies`. Option A is wrong because private endpoints do not depend on service endpoints, and the policy does not reference one. Option C is wrong because the policy is enabled; the failure is the policy doing its job. Option D is wrong because the assignment scope is not the issue; the policy evaluates the virtual network resource itself, not merely the subscription.

45
MCQmedium

You have an Azure subscription with multiple VNets connected via VNet peering. You need to ensure that traffic between VNets is encrypted. What should you do?

A.Configure Azure Firewall to enforce encryption.
B.Apply NSGs to block unencrypted traffic.
C.No additional configuration is needed; VNet peering traffic is encrypted by default.
D.Deploy a VPN gateway in each VNet and configure site-to-site VPN connections.
AnswerC

Peering traffic never leaves the Microsoft backbone, where Microsoft applies MACsec on the links between its datacenters.

Why this answer

Option C is correct because VNet peering traffic stays on the Microsoft backbone, where Microsoft encrypts the physical links between datacenters with MACsec. Note the limit of that claim: MACsec covers the inter-datacenter links, not host-to-host traffic inside a region; encrypting VM-to-VM traffic across a peering end to end requires the separate Virtual network encryption feature on supported VM sizes. Option D is wrong because VPN gateways are not needed for VNet peering and would add latency, cost and a bandwidth ceiling. Option B is wrong because NSGs filter traffic; they do not encrypt it. Option A is wrong because Azure Firewall inspects and filters traffic between VNets; it does not encrypt it.

46
MCQmedium

A company uses Azure Bastion to provide secure RDP and SSH access to Azure VMs without public IPs. Recently, a security audit recommended logging all connections to Bastion. What should you enable?

A.Azure Monitor alerts for Bastion resource health
B.Azure Activity Logs for the Bastion resource
C.Network Security Group flow logs on the subnet containing Bastion
D.Diagnostic settings on the Bastion resource to stream Bastion logs to a Log Analytics workspace
AnswerD

Diagnostic settings enable collection of Bastion diagnostic logs, including connection events.

Why this answer

Azure Bastion integrates with Azure Diagnostic Logs to capture connection logs. Enabling diagnostic settings on the Bastion resource sends logs to a Log Analytics workspace, Storage account, or Event Hub.

47
MCQhard

Your organization uses Azure Front Door (AFD) with WAF policy to protect a web application. Recently, a DDoS attack targeted the application endpoint. You need to mitigate the attack while minimizing latency for legitimate users. What should you do?

A.Increase the rate limit threshold in the WAF policy.
B.Enable Azure DDoS Network Protection on the AFD origin and configure DDoS protection on AFD.
C.Migrate the application to Azure Application Gateway with WAF.
D.Disable caching in AFD to reduce resource consumption.
AnswerB

DDoS Network Protection and AFD's built-in mitigation work together to absorb attacks.

Why this answer

Option B is correct because Azure DDoS Network Protection on the origin's virtual network, combined with Front Door's always-on mitigation at the edge, provides layered defense while legitimate users keep being served from the nearest edge location. Option A is wrong because raising the rate-limit threshold weakens the control and does nothing against volumetric floods. Option C is wrong because moving to Application Gateway gives up the global edge and does not improve latency. Option D is wrong because disabling caching increases origin load and does not mitigate DDoS.

48
MCQmedium

A storage account should be reachable only from a specific subnet over the Microsoft backbone, while keeping the public endpoint firewall restricted. Which feature should be used?

A.Application Security Group
B.Azure Bastion
C.Service endpoint for Microsoft.Storage with storage firewall rules
D.Public IP prefix
AnswerC

Correct for the stated requirement.

Why this answer

A service endpoint for Microsoft.Storage extends your virtual network private address space and the identity of your VNet to the Azure Storage service over the Microsoft backbone. By combining the service endpoint with a storage firewall rule that restricts access to only that specific subnet, you ensure the storage account is reachable only from that subnet while keeping the public endpoint firewall restricted to deny all other traffic.

Exam trap

The trap here is that candidates often confuse service endpoints with private endpoints, but the question explicitly requires keeping the public endpoint firewall restricted, which is exactly what service endpoints support by allowing selective subnet access through firewall rules without creating a private IP connection.

How to eliminate wrong answers

Option A is wrong because an Application Security Group is a logical grouping of VMs based on application workloads for network security group filtering, not a mechanism to restrict storage account access to a specific subnet. Option B is wrong because Azure Bastion provides secure RDP/SSH connectivity to VMs directly in the Azure portal over SSL, without exposing public IPs, but it does not control access to storage accounts. Option D is wrong because a Public IP prefix reserves a contiguous range of public IP addresses for your Azure resources, but it does not restrict storage account access to a specific subnet or enforce routing over the Microsoft backbone.

49
MCQeasy

You have an Azure virtual machine that hosts a web application. You need to allow inbound HTTP (80) and HTTPS (443) traffic from the internet to this VM only. You also need to allow outbound traffic to the internet from the VM. You want to use a managed Azure service with minimal configuration. What should you use?

A.Azure Application Gateway
B.Azure Firewall
C.Network Security Group (NSG)
D.Azure Bastion
AnswerC

An NSG attached to the VM's subnet or NIC can allow inbound HTTP/HTTPS and default outbound internet access. It is simple, managed, and cost-effective.

Why this answer

A Network Security Group (NSG) is the correct choice because it is a managed Azure service that provides a stateful, layer-3/4 firewall for filtering inbound and outbound traffic to a virtual machine. With minimal configuration, you can create inbound rules to allow HTTP (TCP/80) and HTTPS (TCP/443) from the internet (source 'Internet' or 'Any') and an outbound rule to allow all traffic to the internet (default outbound rule already allows this). NSGs are directly associated with a VM's subnet or network interface, making them the simplest managed solution for this scenario.

Exam trap

The trap here is that candidates often overthink and choose Azure Firewall or Application Gateway for simple traffic filtering, forgetting that an NSG is the most lightweight, cost-effective, and minimal-configuration managed service for basic inbound/outbound access control on a single VM.

How to eliminate wrong answers

Option A is wrong because Azure Application Gateway is a layer-7 load balancer and web application firewall (WAF) that requires additional configuration for routing rules, health probes, and SSL termination; it is overkill for simply allowing inbound HTTP/HTTPS and outbound internet traffic to a single VM. Option B is wrong because Azure Firewall is a fully managed, centralized network security service designed for hub-and-spoke topologies and enterprise-level traffic inspection, not for minimal configuration on a single VM; it introduces unnecessary complexity and cost. Option D is wrong because Azure Bastion is a managed service for secure RDP/SSH access to VMs via the Azure portal, not for allowing HTTP/HTTPS inbound traffic or general outbound internet traffic.

50
MCQhard

Your organization has deployed Azure Front Door Premium with Web Application Firewall (WAF) policy in front of an Azure App Service. You need to ensure that only traffic from Azure Front Door is allowed to reach the App Service, and all other traffic is blocked. Which configuration should you implement?

A.Configure IP restrictions on the App Service to allow only the Azure Front Door service tag AzureFrontDoor.Backend.
B.Configure the App Service to require client certificates and configure Azure Front Door to present a certificate.
C.Set the App Service access restrictions to deny all and then add a rule to allow the Azure Front Door service tag AzureFrontDoor.Frontend.
D.Configure a WAF policy to block all requests that do not contain the X-Azure-FDID header.
AnswerA

Using the service tag ensures only traffic from Azure Front Door's backend IP ranges is allowed, providing the primary restriction.

Why this answer

Restricting App Service access to Azure Front Door's backend IP addresses through the AzureFrontDoor.Backend service tag is the recommended primary control. Those IP ranges are shared by every Front Door profile, so a request relayed through another customer's profile would pass the IP check; adding the X-Azure-FDID header filter to the same access restriction rule, requiring the header to equal your profile's Front Door ID, closes that gap. The header alone is not sufficient, since anything that can reach the origin directly can forge it.
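The two-part check described above, as an added example that is not App Service or Front Door code: the service-tag restriction and the X-Azure-FDID header filter, implemented as origin-side functions. The prefix list and the Front Door ID are constructed placeholders; in production the prefixes come from the AzureFrontDoor.Backend service-tag feed and the ID from the profile's frontDoorId property.

```python
"""Origin-side check that a request arrived through *your* Azure Front Door profile.
Added example, not App Service or Front Door code. Prefixes and the Front Door ID are
constructed placeholders (see lead-in)."""
import hmac
import ipaddress
from typing import Dict, Tuple

FRONT_DOOR_BACKEND_PREFIXES = ["198.51.100.0/24", "2001:db8:fd00::/48"]   # constructed stand-ins
EXPECTED_FDID = "e0a1b2c3-d4e5-6f70-8192-a3b4c5d6e7f8"                      # constructed example ID


def from_front_door_range(client_ip: str) -> bool:
    """Equivalent of the service-tag access restriction: is the peer a Front Door backend node?"""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(p) for p in FRONT_DOOR_BACKEND_PREFIXES)


def fdid_header_valid(headers: Dict[str, str]) -> bool:
    """Equivalent of the X-Azure-FDID header filter; header names are case-insensitive,
    and a constant-time compare avoids leaking the ID byte by byte."""
    lowered = {k.lower(): v for k, v in headers.items()}
    presented = lowered.get("x-azure-fdid", "")
    return hmac.compare_digest(presented.encode(), EXPECTED_FDID.encode())


def should_accept(client_ip: str, headers: Dict[str, str]) -> Tuple[bool, str]:
    """Both checks are needed: the backend IP ranges are shared by every Front Door customer,
    and the header alone can be forged by anyone who can reach the origin directly."""
    if not from_front_door_range(client_ip):
        return (False, "source not in AzureFrontDoor.Backend")
    if not fdid_header_valid(headers):
        return (False, "X-Azure-FDID missing or belongs to another profile")
    return (True, "ok")


if __name__ == "__main__":
    print(should_accept("198.51.100.7", {"X-Azure-FDID": EXPECTED_FDID}))   # via our profile
    print(should_accept("203.0.113.9", {"X-Azure-FDID": EXPECTED_FDID}))    # direct hit, forged header
    print(should_accept("198.51.100.7", {"X-Azure-FDID": "11111111-2222-3333-4444-555555555555"}))
```

The second call models an attacker who reads the header name from documentation and sends it straight to the origin; the third models a request relayed through someone else's Front Door profile. Each check alone lets one of them through.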

51
Multi-Selectmedium

A hub-and-spoke Azure network uses Azure Firewall for egress inspection. Which two settings are typically required on spoke workloads?

Select 2 answers
A.Public IP addresses on every VM
B.UDRs that send default traffic to the firewall next hop
C.NSG rules that allow all inbound internet traffic
D.DNS/routing design that prevents direct internet bypass
AnswersB, D

Correct for the stated requirement.

Why this answer

In a hub-and-spoke topology with Azure Firewall for egress inspection, spoke workloads must not be able to bypass the firewall. A User Defined Route (UDR) with address prefix 0.0.0.0/0 and next hop type VirtualAppliance pointing to the firewall's private IP forces all outbound traffic through the firewall. Additionally, DNS and routing design must prevent direct internet access—for example, by using Azure Private DNS zones or custom DNS servers that resolve only internal names, ensuring that no traffic can exit the spoke without firewall inspection.

Exam trap

The trap here is that candidates often think only a UDR is needed. The UDR steers the data path, but two things can still evade it: service endpoints or private endpoints on the spoke subnet install more specific routes that win over 0.0.0.0/0, and FQDN-based firewall rules only hold if the firewall and the spoke resolve names to the same addresses. The Azure-provided resolver (168.63.129.16) is reached regardless of UDRs, so the answer is not to route DNS through the firewall but to enable Azure Firewall's DNS proxy and point the spoke VNet's DNS servers at the firewall's private IP.

52
MCQmedium

Your organization has a hybrid network with an Azure VPN gateway connecting to an on-premises site. You need to ensure that traffic between Azure and on-premises is encrypted and authenticated. Which protocol should the VPN gateway use?

A.SSL/TLS
B.IPsec
C.SSH
D.HTTPS
AnswerB

IPsec provides encryption and authentication for VPN tunnels.

Why this answer

Option B is correct because IPsec is the standard for VPN encryption and authentication. Option A is wrong because SSL/TLS is for web traffic, not site-to-site VPN. Option C is wrong because SSH is for remote administration.

Option D is wrong because HTTPS is application layer, not for network tunneling.

53
MCQmedium

A company has an Azure virtual network with a subnet that hosts Azure virtual machines. They want to restrict access to an Azure SQL Database so that only traffic originating from that specific subnet is allowed. They have enabled a service endpoint for Microsoft.Sql on the subnet and configured the SQL server firewall to allow only that subnet's virtual network rule. However, connections from the VMs to the SQL database are failing with an authorization error. What is the most likely cause?

A.The service endpoint for Microsoft.Sql was not enabled on the subnet before creating the firewall rule
B.The SQL server's firewall also has a rule allowing all Azure services, which overrides the VNet rule
C.The virtual machine's operating system firewall is blocking outbound traffic
D.The subnet's NSG is blocking outbound traffic to Azure SQL
AnswerA

The service endpoint must be enabled on the subnet before the virtual network rule is created. Azure normally rejects a rule for a subnet that lacks the Microsoft.Sql endpoint; it only creates the rule in an ineffective state when you explicitly ask it to (the 'ignore missing service endpoint' option, `--ignore-missing-endpoint` in the Azure CLI). Enable the endpoint, then confirm the rule shows as ready and re-create it if it does not.

Why this answer

The most likely cause is that the service endpoint for Microsoft.Sql was not enabled on the subnet before the virtual network (VNet) firewall rule was created on the SQL server. When a VNet rule is added, Azure validates that the specified subnet has a Microsoft.Sql service endpoint; if it does not, the rule can only be created with the ignore-missing-endpoint option, and it then sits in an ineffective state. Traffic from the subnet still reaches the SQL public endpoint, but it arrives with the VM's public (NAT) source address rather than the VNet identity, matches no firewall rule, and SQL rejects the connection with a login failure naming the client's public IP, which is why the symptom is an authorization error rather than a timeout.

Enabling the service endpoint first ensures the subnet's traffic is routed over the Azure backbone and presented to the SQL server firewall with the VNet and subnet identity that the rule matches on.

Exam trap

The trap here is that candidates assume creating a VNet firewall rule is sufficient on its own, without realizing that the service endpoint must be enabled on the subnet first for the rule to be effective.

How to eliminate wrong answers

Option B is wrong because a firewall rule allowing all Azure services would permit traffic from any Azure IP range, but it does not override a more specific VNet rule; instead, the VNet rule would take precedence for matching traffic. Option C is wrong because the question states the error is an authorization error from the SQL database, not a connection timeout or unreachable host, which would be expected if the VM's OS firewall were blocking outbound traffic. Option D is wrong because a subnet NSG blocking outbound traffic to Azure SQL would typically result in a network-level timeout or unreachable error, not an SQL authorization error, and the NSG would need to explicitly deny outbound traffic to the SQL service tag for this to occur.

54
Multi-Selecthard

An Azure SQL Database must be accessed privately from workloads in a VNet and should not allow public network access. Which two configurations are required?

Select 2 answers
A.Create a Private Endpoint for the SQL server
B.Enable service endpoint only and leave public access open
C.Disable public network access or restrict firewall rules appropriately
D.Create an inbound NAT rule on Azure Load Balancer
AnswersA, C

Correct for the stated requirement.

Why this answer

A Private Endpoint assigns a private IP address from your VNet to the Azure SQL Database logical server, enabling traffic to reach the database entirely over the Microsoft backbone network without traversing the public internet. This is a fundamental requirement for private connectivity from workloads inside a VNet. Disabling public network access on the logical server (Option C), or at minimum removing the broad firewall rules, is the second requirement: a private endpoint does not turn the public endpoint off by itself, so without it the database stays reachable from the internet by any source the firewall allows.

Exam trap

The trap here is that candidates often confuse service endpoints with private endpoints, assuming a service endpoint alone provides private-only access, but it does not block public internet traffic unless public network access is also disabled.

55
MCQeasy

A security administrator is troubleshooting network connectivity to an Azure virtual machine. The VM is behind a network security group (NSG) that has a deny-all inbound rule as the default. The administrator wants to quickly verify whether a specific TCP packet on port 3389 from their client IP (203.0.113.50) would be allowed or blocked by the NSG. Which Azure Network Watcher tool should they use?

A.Network Performance Monitor.
B.IP flow verify.
C.Next hop.
D.NSG diagnostics (flow logs).
AnswerB

This tool simulates a packet and evaluates NSG rules to determine if the traffic is allowed or denied. It provides immediate feedback for troubleshooting NSG issues.

Why this answer

IP flow verify is the correct tool because it tests whether a specific packet (source IP, destination IP, protocol, port) is allowed or denied by an NSG or virtual network (VNet) route. In this scenario, the administrator needs to quickly validate inbound TCP traffic on port 3389 from client IP 203.0.113.50 to the VM, and IP flow verify provides a pass/fail result along with the exact rule that caused the outcome.

Exam trap

The trap here is that candidates often confuse NSG flow logs (which provide historical traffic data) with the real-time diagnostic capability of IP flow verify, leading them to select NSG diagnostics (flow logs) instead of the correct tool for on-demand packet testing.

How to eliminate wrong answers

Option A is wrong because Network Performance Monitor is a tool for monitoring network latency, packet loss, and performance between endpoints, not for testing NSG rule evaluation for a specific packet. Option C is wrong because Next hop shows the next hop type and IP address for traffic from a VM, but it does not evaluate NSG rules or indicate whether a packet is allowed or blocked. Option D is wrong because NSG diagnostics (flow logs) record information about IP traffic flowing through an NSG after the fact, but they are not designed for real-time, on-demand verification of a single packet's allow/deny status.
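The evaluation that questions 43 and 55 both rely on (a single allow rule being sufficient, and what IP flow verify reports for one packet), as an added example that is not part of the page or of Azure: a small simulator of NSG inbound evaluation with the three default rules Azure attaches to every NSG. The VirtualNetwork and AzureLoadBalancer service tags are modelled as constructed prefix lists; the real tags are published by Microsoft and the VirtualNetwork tag also covers peered and on-premises routed space.

```python
"""Simulate Azure NSG inbound evaluation (added example, not Azure code).
Rules are evaluated in ascending priority; the first match decides. Service tags below
are constructed stand-ins for the real Microsoft-published ranges."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

SERVICE_TAGS = {
    "VirtualNetwork": ["10.0.0.0/16"],          # assumption: this VNet's address space only
    "AzureLoadBalancer": ["168.63.129.16/32"],  # the Azure health-probe source address
    "Internet": ["0.0.0.0/0"],
    "*": ["0.0.0.0/0"],
}


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # lower number is evaluated first
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp" or "*"
    source: str        # CIDR or service tag
    dest_port: str     # single port, "lo-hi" range or "*"


# Azure attaches these inbound rules to every NSG; they cannot be removed, only overridden.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "AzureLoadBalancer", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*"),
]


def _matches_source(source: str, ip: ipaddress.IPv4Address) -> bool:
    prefixes = SERVICE_TAGS.get(source, [source])
    return any(ip in ipaddress.ip_network(p) for p in prefixes)


def _matches_port(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(x) for x in spec.split("-"))
        return lo <= port <= hi
    return int(spec) == port


def evaluate(custom_rules: List[Rule], src_ip: str, protocol: str, dest_port: int) -> Tuple[str, str]:
    """Return (access, rule_name) for the first matching rule, like IP flow verify does."""
    ip = ipaddress.ip_address(src_ip)
    for rule in sorted(custom_rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if rule.protocol not in ("*", protocol):
            continue
        if not _matches_source(rule.source, ip):
            continue
        if not _matches_port(rule.dest_port, dest_port):
            continue
        return rule.access, rule.name
    raise AssertionError("unreachable: DenyAllInBound matches every packet")


# The single custom rule from question 43: HTTPS from the partner range only.
WEB_RULES = [Rule("AllowHttpsFromPartner", 100, "Allow", "Tcp", "203.0.113.0/24", "443")]

if __name__ == "__main__":
    for src, proto, port in [("203.0.113.10", "Tcp", 443), ("198.51.100.7", "Tcp", 443),
                             ("203.0.113.50", "Tcp", 3389), ("10.0.2.9", "Tcp", 22)]:
        print(f"{src}:{port}/{proto} ->", evaluate(WEB_RULES, src, proto, port))
```

Running it shows why option A of question 43 is wrong and what IP flow verify would report in question 55: RDP on 3389 from 203.0.113.50 is stopped by DenyAllInBound at 65500 without any explicit deny rule, while SSH from 10.0.2.9 inside the VNet is admitted by AllowVnetInBound, which surprises people who read "default deny" too literally.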

56
MCQhard

You deploy Azure Private Link for an Azure SQL Database. You create a private endpoint in VNet1 and configure a private DNS zone 'privatelink.database.windows.net' linked to VNet1. Clients in VNet2 (peered to VNet1) can resolve the SQL server FQDN to the private IP, but connections fail. What is the most likely cause?

A.Private endpoint is in a 'Failed' provisioning state.
B.VNet2 does not have a route to the private endpoint's subnet.
C.Azure SQL Database's firewall rules block traffic from the private endpoint.
D.The private DNS zone is not linked to VNet2.
AnswerD

For clients in a peered VNet to resolve the private endpoint's FQDN, the private DNS zone must be linked to that VNet or they must use a custom DNS that can resolve it.

Why this answer

A private DNS zone linked only to VNet1 is not consulted by the Azure-provided resolver in VNet2; peering does not propagate zone links, so VNet2 clients receive the public IP unless the zone is also linked to VNet2 or they use a custom DNS server (or Azure DNS Private Resolver) that forwards to it. Check the zone's virtual network links first. If resolution from VNet2 really does return the private IP, as the stem states, DNS is not the cause; then look at NSG rules on the private endpoint's subnet and at the SQL server's public network access and firewall settings.

57
MCQhard

A company has deployed Azure Firewall in a hub virtual network with forced tunneling enabled. Spoke virtual networks are peered to the hub. The security team reports that outbound traffic from the spoke VMs is bypassing the firewall. What is the most likely reason?

A.The Azure Firewall policy has an allow-all network rule.
B.Azure Firewall is deployed in the same virtual network as the spoke VMs.
C.The spoke virtual networks are not peered to the hub.
D.The spoke subnets do not have a route table with a default route (0.0.0.0/0) pointing to the Azure Firewall.
AnswerD

Without a UDR forcing traffic to the firewall, spoke VMs will use the default internet route, bypassing the firewall.

Why this answer

Forced tunneling (default route 0.0.0.0/0 to the firewall) must be set on the spoke subnets' route tables. If the spoke VMs' subnet does not have a route forcing traffic to the firewall, outbound traffic will use the default internet route instead.

58
MCQeasy

Your company uses Azure Firewall to protect a virtual network. The security team needs to allow outbound HTTPS traffic from a specific subnet to a set of FQDNs, such as '*.contoso.com', while blocking all other outbound traffic. Which type of Azure Firewall rule should they configure?

A.A network rule with destination port 443 and protocol TCP, and the destination IP address set to the resolved IPs of the FQDNs
B.An application rule with the 'Https' protocol and the target FQDNs set to '*.contoso.com'
C.A NAT rule that translates the source IP to a public IP and allows traffic to any destination on port 443
D.A DNAT rule that redirects outbound HTTPS traffic to an internal proxy server
AnswerB

Application rules are designed to allow or deny outbound traffic based on FQDNs. For HTTPS traffic, you can specify the target FQDNs and the protocol (Https). This is the correct configuration to allow traffic to specific domains while blocking others.

Why this answer

Option B is correct because Azure Firewall application rules are specifically designed to allow outbound HTTP/HTTPS traffic based on fully qualified domain names (FQDNs). By configuring an application rule with protocol 'Https' and target FQDNs set to '*.contoso.com', the firewall inspects the TLS Server Name Indication (SNI) extension to match the requested domain, allowing traffic only to the specified FQDNs while blocking all other outbound traffic.

Exam trap

The trap here is that candidates often confuse network rules (which filter by IP/port) with application rules (which filter by FQDN), leading them to choose Option A because they think resolved IPs are sufficient, ignoring the dynamic nature of FQDNs and the need for domain-level control.

How to eliminate wrong answers

Option A is wrong because network rules filter traffic based on source/destination IP addresses and ports, not FQDNs; using resolved IPs would break if the FQDNs resolve to dynamic IPs or multiple IPs, and it cannot enforce domain-level filtering. Option C is wrong because a NAT rule translates source IP addresses for outbound traffic but does not filter destinations; it would allow HTTPS traffic to any destination, not just '*.contoso.com'. Option D is wrong because a DNAT rule is used for inbound traffic (destination network address translation) to redirect incoming connections to an internal resource, not for outbound traffic filtering.
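How an application rule can classify HTTPS without decrypting it, as an added example that is not Azure Firewall code: a minimal TLS ClientHello builder (constructed test input), a parser that pulls the Server Name Indication out of it, and wildcard FQDN matching against a rule set. The wildcard semantics coded here ('*.contoso.com' covers one or more labels below contoso.com but not the apex) are an assumption for illustration; check the Azure Firewall documentation for the exact rules your deployment applies.

```python
"""Decide HTTPS egress from the TLS SNI, the way an Azure Firewall application rule does.
Added example (not Azure Firewall code). The '*.' matching semantics are an assumption."""
import struct
from typing import List, Optional, Tuple


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record carrying an SNI extension (test input)."""
    host = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host        # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list   # extension type 0 = server_name
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (b"\x03\x03" + bytes(32)                 # client_version, random (zeros: test data)
            + b"\x00"                               # session_id length 0
            + struct.pack("!H", 2) + b"\x13\x01"    # one cipher suite
            + b"\x01\x00"                           # one compression method: null
            + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body         # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # TLS record header


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from a ClientHello's server_name extension, or None if absent/malformed."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:   # not a handshake record / not a ClientHello
            return None
        pos = 5 + 4 + 2 + 32                          # record hdr, handshake hdr, version, random
        pos += 1 + record[pos]                        # session_id
        pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + record[pos]                        # compression_methods
        ext_end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack("!HH", record[pos:pos + 4])
            pos += 4
            if ext_type == 0:
                entry = pos + 2                       # skip server_name_list length
                if record[entry] != 0:                # only host_name (0) is defined
                    return None
                name_len = struct.unpack("!H", record[entry + 1:entry + 3])[0]
                return record[entry + 3:entry + 3 + name_len].decode("ascii")
            pos += ext_len
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def fqdn_matches(target: str, host: str) -> bool:
    """Assumed semantics: '*.contoso.com' covers one or more labels under contoso.com,
    not the apex itself and not look-alikes such as evilcontoso.com or contoso.com.evil.net."""
    host, target = host.lower().rstrip("."), target.lower()
    if target.startswith("*."):
        suffix = target[1:]                           # ".contoso.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == target


def decide(rules: List[Tuple[str, List[str]]], record: bytes) -> Tuple[str, str]:
    """First matching application rule wins; anything unmatched is denied, as Azure Firewall does."""
    sni = extract_sni(record)
    if sni is None:
        return ("Deny", "no SNI: application rules cannot classify this flow")
    for rule_name, targets in rules:
        if any(fqdn_matches(t, sni) for t in targets):
            return ("Allow", rule_name)
    return ("Deny", "implicit deny")


RULES = [("AllowContosoHttps", ["*.contoso.com"])]

if __name__ == "__main__":
    for name in ("www.contoso.com", "contoso.com", "evilcontoso.com", "contoso.com.evil.net"):
        print(name, "->", decide(RULES, build_client_hello(name)))
```

Two practical consequences follow from this. Without TLS inspection the firewall trusts the SNI the client sends, so a client that puts an allowed name in the SNI and a different name in the HTTP Host header (domain fronting) is not caught; Azure Firewall Premium TLS inspection closes that by terminating the session and re-signing with your intermediate CA, which is also why clients must trust that CA (question 65). And a flow with no SNI at all cannot be matched by an application rule, so it falls to the implicit deny.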

59
Multi-Selecteasy

You need to secure traffic between an on-premises network and Azure using a VPN connection. Which TWO configurations are required?

Select 2 answers
A.Create a virtual network gateway (VPN)
B.Deploy Azure Firewall
C.Assign a public IP to the local network gateway
D.Provision an ExpressRoute circuit
E.Create a local network gateway
AnswersA, E

A VPN gateway is the Azure-side endpoint.

Why this answer

Option A is correct because a virtual network gateway of type VPN is the Azure-side tunnel endpoint. Option E is correct because a local network gateway represents the on-premises VPN device, recording its public IP address and the address prefixes behind it. Option B is wrong because Azure Firewall is not required for VPN connectivity. Option C is wrong because you do not assign an Azure public IP to the local network gateway; you record the on-premises device's existing public address in it, and the Azure public IP resource belongs to the virtual network gateway. Option D is wrong because ExpressRoute is a separate private-connectivity service, not part of a VPN connection.

60
MCQhard

A company has two Azure virtual networks, VNet-A (hub) and VNet-B (spoke), connected via VNet peering. They deployed a network virtual appliance (NVA) in a subnet in VNet-A to inspect all traffic. They configured a user-defined route (UDR) on the subnet in VNet-B that points the VNet-A address space (10.0.0.0/16) to the private IP of the NVA. However, traffic initiated from VNet-B to VNet-A still takes a direct path and bypasses the NVA. What is the most likely cause?

A.The NVA does not have IP forwarding enabled on its network interface
B.The UDR on VNet-B must also include a route for the default route (0.0.0.0/0) to force all traffic through the NVA
C.VNet peering does not support user-defined routes
D.The NVA must be deployed in the same subnet as the source VMs in VNet-B
AnswerA

When an NVA is used as a next hop in a route table, it must have IP forwarding enabled. Without it, the NVA drops packets that are not destined for its own IP, effectively preventing traffic from being routed through it.

Why this answer

The most likely cause is that the NVA's network interface does not have IP forwarding enabled. In Azure, a network interface must have the 'Enable IP forwarding' setting enabled to allow the NVA to receive traffic not destined to its own IP address and forward it to the intended destination. Without this setting, the NVA drops any traffic that is not addressed to its own IP, so even though the UDR on VNet-B directs traffic to the NVA's private IP, the NVA cannot forward it to VNet-A, and the traffic instead takes the direct VNet peering path.

Exam trap

The trap here is that candidates often assume that simply configuring a UDR is sufficient to force traffic through an NVA, overlooking the mandatory IP forwarding setting on the NVA's NIC, which is a distinct Azure-specific requirement not present in on-premises routing scenarios.

How to eliminate wrong answers

Option B is wrong because adding a default route (0.0.0.0/0) would force all internet-bound traffic through the NVA, but the issue is specifically about traffic between VNet-B and VNet-A address space (10.0.0.0/16), which is already covered by the existing UDR; the problem is not the scope of the route but the NVA's inability to forward traffic. Option C is wrong because VNet peering fully supports user-defined routes (UDRs) on subnets in peered virtual networks; UDRs are a fundamental mechanism to override default peering routes. Option D is wrong because the NVA does not need to be in the same subnet as the source VMs; it can be in a different subnet or even a different VNet (as in this hub-spoke design), as long as IP forwarding is enabled and the UDR points to its private IP.

61
MCQhard

A company uses Azure Kubernetes Service (AKS) with a private cluster. Developers need to access the Kubernetes API server from their on-premises workstations without exposing it to the internet. What is the most secure solution?

A.Use Azure Front Door with Private Link to access the API server.
B.Enable the API server public endpoint and restrict access to the on-premises public IP.
C.Deploy Azure Bastion in the AKS VNet and use a jump box VM to access the API server.
D.Create a site-to-site VPN from on-premises to the AKS VNet and allow access from the on-premises IP range.
AnswerC

Bastion provides secure, audited access without public exposure.

Why this answer

Option C is correct because Azure Bastion provides browser-based RDP/SSH to a jump box that has no public IP, and kubectl on that VM reaches the private API server over the VNet, with every session passing through an auditable access point. Option D is wrong in this question's framing because a site-to-site VPN makes the API server reachable from the whole on-premises address range rather than from a controlled jump host. Option B is wrong because enabling the public endpoint defeats the purpose of a private cluster, even with authorized IP ranges. Option A is wrong because Azure Front Door is a layer-7 service for public web applications, not a path to a private Kubernetes API server.

62
Multi-Selectmedium

Your company has a hub-spoke network topology in Azure. The hub VNet contains an Azure Firewall. Spoke VNets are peered to the hub. You need to ensure that all outbound traffic from virtual machines in a spoke VNet passes through the Azure Firewall for inspection. Which two configurations are required? (Choose two.)

Select 2 answers
A.Configure a DNAT rule on Azure Firewall to translate outbound traffic
B.Create a new VNet peering between the spoke and hub
C.Configure an application rule or network rule on Azure Firewall to allow outbound traffic
D.Enable forced tunneling on the spoke VNet
E.Add a route table to the spoke subnet with a 0.0.0.0/0 route to the Azure Firewall private IP
AnswersC, E

Firewall rules define what outbound traffic is permitted.

Why this answer

Option E is correct because a route table with a 0.0.0.0/0 route whose next hop is the Azure Firewall private IP must be associated with the spoke subnet; without it, traffic follows the system default route straight to the internet. Option C is correct because Azure Firewall denies everything not explicitly allowed, so a network rule or application rule must permit the outbound traffic that should flow. Option B is wrong because the spoke is already peered to the hub; no additional peering is needed. Option A is wrong because DNAT rules translate inbound connections arriving at the firewall's public IP; outbound traffic is SNATed by the firewall automatically and needs no NAT rule. Option D is wrong because forced tunneling is a VPN/ExpressRoute gateway concept for sending internet-bound traffic on-premises; the route table on the spoke subnet is what sends it to the firewall.
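The route selection behind questions 57, 60 and 62, as an added example that is not Azure code: a simulator of how Azure picks the effective route for a spoke subnet, using the documented order (longest prefix first; on equal length, user-defined routes beat BGP-learned routes, which beat system routes). The address spaces and the firewall IP are constructed for illustration.

```python
"""Simulate Azure effective-route selection for a spoke subnet (added example, not Azure code).
Longest prefix wins; on equal prefix length, User (UDR) beats VirtualNetworkGateway (BGP),
which beats Default (system). Address spaces and firewall IP are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop_type: str                 # VirtualNetwork, VNetPeering, Internet, None, VirtualAppliance
    next_hop_ip: Optional[str] = None  # set only for VirtualAppliance
    source: str = "Default"            # Default (system), User (UDR) or VirtualNetworkGateway (BGP)


SOURCE_RANK = {"User": 0, "VirtualNetworkGateway": 1, "Default": 2}   # tie-break on equal prefix


def system_routes(vnet_prefix: str, peered_prefixes: List[str]) -> List[Route]:
    """The routes Azure creates for every subnet: own VNet, internet, peers, and black holes."""
    routes = [Route(vnet_prefix, "VirtualNetwork"), Route("0.0.0.0/0", "Internet")]
    routes += [Route(p, "VNetPeering") for p in peered_prefixes]
    # RFC 1918 and shared address space go to next hop None unless something more specific exists.
    routes += [Route(p, "None") for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]
    return routes


def effective_route(routes: List[Route], dest_ip: str) -> Route:
    ip = ipaddress.ip_address(dest_ip)
    candidates = [r for r in routes if ip in ipaddress.ip_network(r.prefix)]
    return min(candidates,
               key=lambda r: (-ipaddress.ip_network(r.prefix).prefixlen, SOURCE_RANK[r.source]))


def next_hop(routes: List[Route], dest_ip: str) -> Tuple[str, Optional[str]]:
    r = effective_route(routes, dest_ip)
    return (r.next_hop_type, r.next_hop_ip)


# Hub VNet-A 10.0.0.0/16 with the firewall/NVA at 10.0.1.4 (assumed); spoke VNet-B 10.1.0.0/16.
FIREWALL_IP = "10.0.1.4"
SPOKE_SYSTEM = system_routes("10.1.0.0/16", ["10.0.0.0/16"])
DEFAULT_TO_FW = Route("0.0.0.0/0", "VirtualAppliance", FIREWALL_IP, "User")    # questions 57, 62
HUB_TO_FW = Route("10.0.0.0/16", "VirtualAppliance", FIREWALL_IP, "User")      # question 60

if __name__ == "__main__":
    tables = (("system only", SPOKE_SYSTEM),
              ("+ default UDR", SPOKE_SYSTEM + [DEFAULT_TO_FW]),
              ("+ default and hub UDRs", SPOKE_SYSTEM + [DEFAULT_TO_FW, HUB_TO_FW]))
    for label, table in tables:
        print(f"{label:24} 8.8.8.8 -> {next_hop(table, '8.8.8.8')}   10.0.5.7 -> {next_hop(table, '10.0.5.7')}")
```

The output makes the three questions' points concrete: with system routes only, internet-bound traffic takes the Internet route and bypasses the firewall (question 57); the 0.0.0.0/0 UDR fixes that but still does not catch spoke-to-hub traffic, because the /16 peering route is more specific than /0; only a /16 UDR, which ties on length and wins as a User route, sends hub-bound traffic to the appliance (question 60), and even then the appliance's NIC must have IP forwarding enabled or it drops what it receives.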

63
MCQmedium

A company has two Azure virtual networks in different Azure regions that need to communicate with each other. The security policy mandates that all inter-region traffic must be encrypted over the public internet. Which connectivity solution should the company implement to meet this requirement?

A.VNet peering
B.Azure VPN Gateway (site-to-site connection)
C.Azure ExpressRoute
D.Azure Firewall
AnswerB

Azure VPN Gateway creates an encrypted IPSec tunnel over the public internet, ensuring data is encrypted in transit between the two VNets.

Why this answer

Azure VPN Gateway with a site-to-site (S2S) connection is the correct solution because it establishes an encrypted IPSec tunnel over the public internet between the two virtual networks. This meets the security mandate for encryption of inter-region traffic traversing the public internet, as IPSec provides confidentiality, integrity, and authentication at the network layer.

Exam trap

The trap here is that candidates often assume VNet peering, which is private and stays on the Microsoft backbone, is automatically encrypted. Peering traffic does not traverse the public internet at all, so it cannot satisfy a requirement phrased as 'encrypted over the public internet'; only a VPN gateway provides that.

How to eliminate wrong answers

Option A is wrong because VNet peering uses the Microsoft backbone network, not the public internet, and traffic is not encrypted by default; it relies on Azure's private network infrastructure, which does not satisfy the 'encrypted over the public internet' requirement. Option C is wrong because Azure ExpressRoute uses a dedicated private connection that bypasses the public internet entirely, so it does not meet the 'over the public internet' condition, and encryption is optional (e.g., via MACsec or IPsec over ExpressRoute). Option D is wrong because Azure Firewall is a stateful network security service that filters and inspects traffic but does not provide site-to-site VPN connectivity or encryption between virtual networks; it can be used in conjunction with a VPN gateway but is not a connectivity solution itself.

64
Multi-Selecthard

Which THREE components are required to implement a secure hybrid network that connects on-premises to Azure using ExpressRoute? (Choose three.)

Select 3 answers
A.Virtual network gateway in Azure.
B.ExpressRoute circuit.
C.Azure Firewall.
D.Azure VPN Gateway for failover.
E.Azure Front Door.
AnswersA, B, D

Required to terminate ExpressRoute connection.

Why this answer

Options A, B and D are correct. The ExpressRoute circuit provides the private connectivity, a virtual network gateway of type ExpressRoute terminates the circuit in the Azure VNet, and a VPN gateway provides an encrypted site-to-site failover path if the circuit goes down. Option C is wrong because Azure Firewall is optional; it inspects traffic but is not needed to establish the connection. Option E is wrong because Azure Front Door is a global entry point for web applications, not a hybrid connectivity component. Keep in mind that ExpressRoute private peering is not encrypted by default; IPsec over ExpressRoute or MACsec on ExpressRoute Direct must be added if confidentiality on the circuit is required.

65
MCQhard

Your company uses Azure Firewall Premium with TLS inspection to filter outbound traffic from Azure VMs. Users report that some websites are not loading. You have configured the firewall to inspect traffic to *.microsoft.com. What is the most likely cause of the issue?

A.The firewall rule for *.microsoft.com is misconfigured.
B.The firewall cannot inspect HTTPS traffic.
C.The firewall is blocking HTTP traffic.
D.The client does not trust the certificate presented by the firewall during TLS inspection.
AnswerD

TLS inspection uses a generated certificate that must be trusted by the client.

Why this answer

Option D is correct. TLS inspection terminates the client's TLS session at the firewall and re-signs the server certificate with the intermediate CA you supplied through Key Vault; clients that do not have that CA in their trust store reject the certificate the firewall presents, so the sites fail to load. Option B is wrong because Azure Firewall Premium can inspect HTTPS; that is precisely what TLS inspection does. Option A is wrong because the rule allows the domain; a misconfigured rule would block the request rather than produce a certificate error. Option C is wrong because the firewall does not block HTTP unless a rule tells it to.

66
MCQmedium

Refer to the exhibit. You ran the PowerShell command shown. Which statement about the network interface is true?

A.The network interface is part of an availability set.
B.The network interface is associated with a public IP address.
C.The network interface is configured with application security groups.
D.The network interface is attached to a virtual machine that is not accessible from the internet.
AnswerD

Without a public IP, the VM is not directly reachable from the internet unless behind a load balancer.

Why this answer

The output shows an empty PublicIpAddress field and no application security groups or load balancer pools. The NIC is in subnet 'web' with private IP 10.0.1.4. It is not associated with a public IP.
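The same check applied to Get-AzNetworkInterface output, as an added example that is not part of the exhibit or the question bank. The NIC object below is constructed to mirror the exhibit's facts (subnet 'web', private IP 10.0.1.4, no public IP, no ASGs, no backend pools); the resource names and subscription ID are placeholders. The function inspects the properties a practitioner actually looks at: the public IP reference on each IP configuration, load balancer backend pool membership (which may expose the VM if the load balancer is public), and ASG membership.

```powershell
# Added example: classify a NIC's internet exposure from the shape of
# Get-AzNetworkInterface output. Not code from the page; the sample NIC below is constructed.
function Get-NicInternetExposure {
    param([Parameter(Mandatory)] $Nic)   # PSNetworkInterface or an object with the same shape

    foreach ($cfg in $Nic.IpConfigurations) {
        $hasPublicIp = -not [string]::IsNullOrEmpty($cfg.PublicIpAddress.Id)
        $lbPools     = @($cfg.LoadBalancerBackendAddressPools)
        $asgs        = @($cfg.ApplicationSecurityGroups)
        $subnetName  = ($cfg.Subnet.Id -split '/')[-1]

        # A public IP on the NIC means direct reachability. A backend pool only exposes the VM
        # if the load balancer in front of it is public, so that case is flagged for review.
        $verdict = if ($hasPublicIp)       { 'Directly reachable: public IP on NIC' }
                   elseif ($lbPools.Count) { 'Check load balancer: NIC is in a backend pool' }
                   else                     { 'Not directly reachable from the internet' }

        [pscustomobject]@{
            IpConfig    = $cfg.Name
            Subnet      = $subnetName
            PrivateIp   = $cfg.PrivateIpAddress
            HasPublicIp = $hasPublicIp
            LbPools     = $lbPools.Count
            AsgCount    = $asgs.Count
            Verdict     = $verdict
        }
    }
}

# Constructed stand-in for the exhibit's NIC. Against a real subscription replace it with
#   $nic = Get-AzNetworkInterface -ResourceGroupName 'rg-demo' -Name 'nic-web01'
$nic = [pscustomobject]@{
    Name             = 'nic-web01'
    IpConfigurations = @(
        [pscustomobject]@{
            Name                            = 'ipconfig1'
            PrivateIpAddress                = '10.0.1.4'
            PublicIpAddress                 = $null
            Subnet                          = [pscustomobject]@{
                Id = '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo/providers/Microsoft.Network/virtualNetworks/vnet-demo/subnets/web'
            }
            LoadBalancerBackendAddressPools = @()
            ApplicationSecurityGroups       = @()
        }
    )
}

Get-NicInternetExposure -Nic $nic | Format-List
```

The verdict is about direct reachability only: a VM with no public IP can still be reached through a public load balancer, an Azure Firewall DNAT rule, or an Application Gateway, so follow up on any backend pool membership the function reports.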

67
MCQhard

You are troubleshooting an Azure virtual machine that cannot access the internet. The VM is in a subnet with a route table that has a default route (0.0.0.0/0) with next hop 'Virtual appliance' pointing to the private IP of an Azure Firewall. The Azure Firewall has a DNAT rule to allow outbound traffic. You verify that the VM's NSG allows outbound traffic. What is the most likely cause of the issue?

A.Azure Firewall does not support SNAT for outbound traffic.
B.The route table does not have a default route.
C.The VM's NSG is blocking outbound traffic.
D.The Azure Firewall does not have an allow rule for outbound internet traffic.
AnswerD

Azure Firewall denies all traffic by default; an allow rule in the firewall policy must be configured for outbound internet.

Why this answer

Option D is correct. Azure Firewall drops everything that no rule explicitly allows, so the default route delivers the VM's packets to the firewall, but the firewall discards them until a network rule (destination IP, port, protocol) or an application rule (FQDN) in its policy allows the traffic. A DNAT rule is irrelevant here: DNAT translates inbound connections arriving on the firewall's public IP and does nothing for outbound flows. Option C is wrong because the NSG was verified to allow outbound traffic.

Option B is wrong because the route table has the default route and it points to the firewall. Option A is wrong because Azure Firewall SNATs outbound internet traffic to its public IP by default, so SNAT is not the missing piece.
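The configuration the scenario needs, as an added Azure PowerShell example that is not part of the question bank: a user-defined route that sends 0.0.0.0/0 to the firewall's private IP, the allow rules the firewall requires before any outbound traffic passes, and a check of the effective route on a NIC. Resource group, firewall, policy, VNet, subnet and NIC names, the region and the address prefix are placeholders; the script assumes an Azure Firewall that uses a firewall policy and an authenticated session (Connect-AzAccount).

```powershell
# Added example (not from the page): route a spoke subnet's internet-bound traffic through
# Azure Firewall and add the rules the firewall needs. All names below are placeholders.
$rg      = 'rg-hub'
$fwName  = 'azfw-hub'
$polName = 'azfw-policy'
$spokeRg = 'rg-spoke'
$snet    = 'snet-workload'
$prefix  = '10.1.1.0/24'

# 1. Default route: 0.0.0.0/0 -> firewall private IP, next hop type VirtualAppliance.
$fw    = Get-AzFirewall -ResourceGroupName $rg -Name $fwName
$fwIp  = $fw.IpConfigurations[0].PrivateIPAddress
$route = New-AzRouteConfig -Name 'default-via-firewall' -AddressPrefix '0.0.0.0/0' `
            -NextHopType VirtualAppliance -NextHopIpAddress $fwIp
$rt = New-AzRouteTable -ResourceGroupName $spokeRg -Name 'rt-workload' -Location 'eastus' -Route $route

$vnet = Get-AzVirtualNetwork -ResourceGroupName $spokeRg -Name 'vnet-spoke'
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $snet -AddressPrefix $prefix -RouteTable $rt | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# 2. The firewall denies by default. A network rule opens TCP 443 to any destination;
#    an application rule is the tighter choice because it allows only named FQDNs.
$policy = Get-AzFirewallPolicy -ResourceGroupName $rg -Name $polName

$netRule = New-AzFirewallPolicyNetworkRule -Name 'allow-https-out' -Protocol TCP `
              -SourceAddress $prefix -DestinationAddress '*' -DestinationPort '443'
$netColl = New-AzFirewallPolicyFilterRuleCollection -Name 'rc-net-outbound' -Priority 200 `
              -ActionType Allow -Rule $netRule

$appRule = New-AzFirewallPolicyApplicationRule -Name 'allow-update-fqdns' -Protocol 'https:443' `
              -SourceAddress $prefix -TargetFqdn 'download.microsoft.com', '*.ubuntu.com'
$appColl = New-AzFirewallPolicyFilterRuleCollection -Name 'rc-app-outbound' -Priority 300 `
              -ActionType Allow -Rule $appRule

New-AzFirewallPolicyRuleCollectionGroup -Name 'rcg-outbound' -Priority 200 `
    -RuleCollection $netColl, $appColl -FirewallPolicyObject $policy | Out-Null

# 3. Verify from the VM side: the effective route for a NIC in the subnet must show
#    0.0.0.0/0 with next hop VirtualAppliance and the firewall's private IP.
Get-AzEffectiveRouteTable -ResourceGroupName $spokeRg -NetworkInterfaceName 'nic-workload01' |
    Where-Object { $_.AddressPrefix -contains '0.0.0.0/0' } |
    Select-Object AddressPrefix, NextHopType, NextHopIpAddress
```

If the effective route still shows next hop Internet, the route table is not associated with the subnet. If the route is right and traffic still fails, look at the firewall's application and network rule logs: a logged deny with no matching rule is exactly the condition described in the question.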

68
Multi-Selectmedium

Which THREE components are required to implement Azure Virtual WAN with secured virtual hub? (Choose three.)

Select 3 answers
A.Azure Firewall deployed in the virtual hub
B.ExpressRoute gateway in the virtual hub
C.Virtual hub
D.Network Virtual Appliance (NVA)
E.Virtual WAN resource
AnswersA, C, E

Azure Firewall provides security services in the secured virtual hub.

Why this answer

A secured virtual hub is a Virtual WAN hub with Azure Firewall (managed through Azure Firewall Manager) deployed inside it, so the three required pieces are the Virtual WAN resource (E), a virtual hub within it (C), and Azure Firewall in that hub (A). A third-party NVA (D) is not required because Azure Firewall is the native security service. An ExpressRoute gateway (B) is an optional connectivity component, as are VPN gateways; neither is needed to make a hub 'secured'.

69
MCQeasy

You need to provide secure remote access to Azure virtual machines for developers without exposing public IP addresses. The solution must authenticate users via Microsoft Entra ID and support multifactor authentication. Which service should you use?

A.Azure Front Door
B.Azure VPN Gateway
C.Azure Bastion
D.Azure Firewall
AnswerC

Azure Bastion provides secure, browser-based RDP/SSH without public IPs.

Why this answer

Option C is correct because Azure Bastion is a platform-managed jump service: developers open RDP or SSH sessions in the browser over TLS on port 443 to VMs that have only private IPs. Access goes through the Azure portal, which authenticates with Microsoft Entra ID, so Conditional Access and MFA apply before a session can start. Option A is wrong because Azure Front Door is a global HTTP(S) load balancer and WAF entry point, not a remote-access service. Option B is wrong because a point-to-site VPN still needs a public IP on the gateway and VPN client software on each developer device, and it grants network-level access rather than brokered RDP/SSH sessions.

Option D is wrong because Azure Firewall filters traffic; it does not provide remote access to VMs.

70
Matchingmedium

Match each Azure Sentinel feature to its purpose.

Data connectors: Ingest logs from various sources
Analytics rules: Define conditions to generate alerts
Workbooks: Visualize data with interactive dashboards
Incidents: Group related alerts for investigation
Playbooks: Automate response actions using Logic Apps

Why these pairings

Azure Sentinel (now Microsoft Sentinel) is a cloud-native SIEM/SOAR. Data connectors bring logs into the Log Analytics workspace, analytics rules run queries over that data and raise alerts, incidents group related alerts into one case for investigation, workbooks visualize the data, and playbooks (Logic Apps workflows) automate the response.

71
Matchingmedium

Match each Azure Policy effect to its behavior.

Deny: Prevents resource creation or update that violates policy
Audit: Creates a warning event in the activity log but allows the request
Append: Adds additional fields to the resource during creation or update
Modify: Adds, updates, or removes properties on a resource
Disabled: Policy rule is ignored (used for testing)

Why these pairings

Policy effects determine how compliance is enforced. Deny blocks the request; Audit records non-compliance without blocking; Append and Modify change the request on its way through (Modify can also be applied to existing resources through a remediation task); Disabled turns the rule off, which is useful when testing a definition or when the effect is parameterized.

72
Multi-Selectmedium

You are a security engineer for a large enterprise. The company uses Azure Firewall Premium to inspect traffic. You need to enable TLS inspection for outbound HTTPS traffic from a subnet containing line-of-business applications. Which TWO configurations are required to accomplish this? (Choose two.)

Select 2 answers
A.Enable the TLS inspection feature in the Azure Firewall configuration.
B.Upload a trusted root certificate authority (CA) certificate to Azure Firewall.
C.Configure a custom DNS server on the Azure Firewall.
D.Disable SNAT on the Azure Firewall for the application subnet.
E.Create a firewall policy with a TLS inspection rule and associate it with the Azure Firewall.
AnswersB, E

Required for Azure Firewall to re-encrypt traffic after inspection.

Why this answer

Option B is correct: Azure Firewall needs a CA certificate with its private key, stored in Azure Key Vault and read through a user-assigned managed identity, so it can issue the per-site certificates it presents to clients. Microsoft's guidance is to use an intermediate CA chained to a root your clients already trust rather than the root itself. Option E is correct: TLS inspection is enabled in the Premium firewall policy, and only application rules flagged for TLS inspection are decrypted, so the policy containing such a rule must exist and be associated with the firewall. Option D is incorrect because SNAT stays on; the firewall re-encrypts and forwards the traffic as usual after inspection.

Option C is incorrect because custom DNS on the firewall is an independent setting with no bearing on TLS inspection. Option A is incorrect because TLS inspection is a firewall policy setting, not a switch on the Azure Firewall resource itself.
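An added Azure PowerShell example, not part of the question bank, that sets up TLS inspection end to end and then performs the client-side check behind question 65 (the certificate a client sees is issued by the firewall's CA, so that chain must be trusted on the client). The resource group, Key Vault, certificate, identity and policy names, the subnet prefix and the FQDNs are placeholders. It assumes an intermediate CA certificate with its private key has already been imported into the Key Vault as a PFX, that the vault uses the access-policy permission model, and an authenticated session (Connect-AzAccount).

```powershell
# Added example (not from the page): TLS inspection on a Premium firewall policy, plus a
# client-side check of the certificate chain. All names below are placeholders.
$rg       = 'rg-hub'
$location = 'eastus'
$kvName   = 'kv-fw-tls'
$certName = 'fw-intermediate-ca'   # intermediate CA (PFX with private key), chained to the org root
$idName   = 'id-azfw'

# 1. The firewall reads the CA from Key Vault through a user-assigned managed identity.
#    For a vault in RBAC mode, assign 'Key Vault Secrets User' to the identity instead.
$identity = Get-AzUserAssignedIdentity -ResourceGroupName $rg -Name $idName
Set-AzKeyVaultAccessPolicy -VaultName $kvName -ObjectId $identity.PrincipalId `
    -PermissionsToSecrets get, list -PermissionsToCertificates get, list
$cert = Get-AzKeyVaultCertificate -VaultName $kvName -Name $certName

# 2. Premium policy whose transport security setting points at that certificate.
$policy = New-AzFirewallPolicy -ResourceGroupName $rg -Name 'azfw-policy-premium' -Location $location `
    -SkuTier Premium -UserAssignedIdentityId $identity.Id `
    -TransportSecurityName 'tls-inspection-ca' -TransportSecurityKeyVaultSecretId $cert.SecretId

# 3. Only application rules flagged with -TerminateTLS are decrypted and inspected.
$rule = New-AzFirewallPolicyApplicationRule -Name 'inspect-lob-https' -SourceAddress '10.1.1.0/24' `
    -TargetFqdn '*.contoso.com' -Protocol 'https:443' -TerminateTLS
$coll = New-AzFirewallPolicyFilterRuleCollection -Name 'rc-tls' -Priority 100 -ActionType Allow -Rule $rule
New-AzFirewallPolicyRuleCollectionGroup -Name 'rcg-tls' -Priority 100 -RuleCollection $coll `
    -FirewallPolicyObject $policy | Out-Null

# 4. On a client VM behind the firewall: which CA issued the certificate the client sees, and
#    does this machine trust that chain? A 'False' here is the failure mode in question 65;
#    the fix is to distribute the CA chain to clients (Group Policy, Intune), never to turn
#    validation off in applications.
$host_ = 'www.contoso.com'
$tcp = [System.Net.Sockets.TcpClient]::new($host_, 443)
$ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false,
          [System.Net.Security.RemoteCertificateValidationCallback]{ $true })  # accept so we can inspect
$ssl.AuthenticateAsClient($host_)
$seen  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
"Issuer seen by client : $($seen.Issuer)"
"Chain trusted locally : $($chain.Build($seen))"
$ssl.Dispose(); $tcp.Dispose()
```

Step 4 deliberately disables validation only for the diagnostic connection so the issuer can be read; the Build() result is what matters. If the issuer is the firewall's CA and Build() returns False, the firewall is working and the client trust store is the problem.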

73
Multi-Selectmedium

You are designing network security for a three-tier application. You need to isolate each tier (web, application, data) and control traffic between them. Which TWO Azure services should you use to achieve this? (Choose two.)

Select 2 answers
A.Network Security Groups (NSGs)
B.VNet peering
C.Azure Policy
D.Azure Firewall
E.Application Security Groups (ASGs)
AnswersA, E

NSGs filter traffic between subnets or NICs.

Why this answer

Options A and E are correct. NSGs filter traffic at the subnet or NIC level with priority-ordered allow and deny rules. ASGs let you tag each tier's NICs (web, app, data) and reference those tags as source and destination in NSG rules, so the policy reads 'web may reach app on its service port, app may reach data on its database port' without hard-coding IP addresses. Remember that the default AllowVnetInBound rule permits all traffic inside the VNet, so tier isolation also needs an explicit deny rule at a lower priority number than the defaults.

Option D is wrong because Azure Firewall is a centralized inspection point; it can complement NSGs, but for simple tier isolation inside a VNet, NSGs and ASGs suffice. Option B is wrong because VNet peering connects VNets and does not segment tiers within one. Option C is wrong because Azure Policy governs resource configuration and compliance, not packet flow.
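The three-tier design as an added Azure PowerShell example that is not part of the question bank. It creates one ASG per tier, one NSG whose rules refer to the ASGs on both ends, and an explicit deny that closes the intra-VNet gap left by the default AllowVnetInBound rule. The resource group, region, VNet, subnet and NIC names, and the ports (443, 8080, 1433) are placeholders; the script assumes the VNet and subnets already exist and an authenticated session (Connect-AzAccount).

```powershell
# Added example (not from the page): three-tier isolation with three ASGs and one NSG.
# Tier membership lives on the NIC (its ASG), so the rules never change when VMs are added.
$rg  = 'rg-app'
$loc = 'eastus'

$asgWeb  = New-AzApplicationSecurityGroup -ResourceGroupName $rg -Name 'asg-web'  -Location $loc
$asgApp  = New-AzApplicationSecurityGroup -ResourceGroupName $rg -Name 'asg-app'  -Location $loc
$asgData = New-AzApplicationSecurityGroup -ResourceGroupName $rg -Name 'asg-data' -Location $loc

$rules = @(
    # Internet -> web tier on 443 only.
    New-AzNetworkSecurityRuleConfig -Name 'allow-internet-to-web' -Priority 100 -Direction Inbound -Access Allow `
        -Protocol Tcp -SourceAddressPrefix Internet -SourcePortRange * `
        -DestinationApplicationSecurityGroup $asgWeb -DestinationPortRange 443

    # web -> app and app -> data: ASGs on both ends, no IP literals.
    New-AzNetworkSecurityRuleConfig -Name 'allow-web-to-app' -Priority 110 -Direction Inbound -Access Allow `
        -Protocol Tcp -SourceApplicationSecurityGroup $asgWeb -SourcePortRange * `
        -DestinationApplicationSecurityGroup $asgApp -DestinationPortRange 8080

    New-AzNetworkSecurityRuleConfig -Name 'allow-app-to-data' -Priority 120 -Direction Inbound -Access Allow `
        -Protocol Tcp -SourceApplicationSecurityGroup $asgApp -SourcePortRange * `
        -DestinationApplicationSecurityGroup $asgData -DestinationPortRange 1433

    # The built-in AllowVnetInBound rule (priority 65000) would otherwise let every VM in the
    # VNet reach every other VM. This deny sits above it and closes web -> data, app -> web, etc.
    New-AzNetworkSecurityRuleConfig -Name 'deny-vnet-inbound' -Priority 4000 -Direction Inbound -Access Deny `
        -Protocol * -SourceAddressPrefix VirtualNetwork -SourcePortRange * `
        -DestinationAddressPrefix VirtualNetwork -DestinationPortRange *
)

$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Name 'nsg-three-tier' -Location $loc -SecurityRules $rules

# Attach the NSG to every tier subnet (ASG references require all NICs to be in this VNet).
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'vnet-app'
foreach ($name in 'snet-web', 'snet-app', 'snet-data') {
    $s = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $name
    Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $name -AddressPrefix $s.AddressPrefix `
        -NetworkSecurityGroup $nsg | Out-Null
}
$vnet | Set-AzVirtualNetwork | Out-Null

# Put a web-tier NIC in its ASG; repeat for the app and data NICs with their ASGs.
$nic    = Get-AzNetworkInterface -ResourceGroupName $rg -Name 'nic-web01'
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'snet-web'
Set-AzNetworkInterfaceIpConfig -NetworkInterface $nic -Name $nic.IpConfigurations[0].Name `
    -Subnet $subnet -ApplicationSecurityGroup $asgWeb | Out-Null
$nic | Set-AzNetworkInterface | Out-Null
```

Verify with Get-AzEffectiveNetworkSecurityGroup on a data-tier NIC: the only allow for inbound 1433 should come from asg-app, and a web VM's attempt to reach the database should match deny-vnet-inbound. Outbound rules are left at their defaults here; apply the same pattern in the Outbound direction if the design also has to stop a compromised data VM from initiating connections.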

74
Multi-Selecthard

You are designing a secure network architecture for a multi-region application. You need to ensure that traffic between virtual networks in different Azure regions is encrypted and uses the Microsoft backbone network, and you must minimize latency. Which configuration should you implement?

Select 1 answer
A.Enable 'Gateway transit' on the peering to use a VPN gateway if needed, but not required for encryption.
B.Configure VNet peering between the virtual networks.
C.Use Azure ExpressRoute with Microsoft peering.
D.Deploy Azure VPN Gateway in each region and connect them via site-to-site VPN.
E.Place an Azure Firewall in each region to inspect cross-region traffic.
AnswersB

VNet peering connects VNets using the Microsoft backbone and can be enabled globally.

Why this answer

Option B is correct. VNet peering, including global VNet peering between regions, keeps traffic on the Microsoft backbone with no gateway in the path, which gives the lowest latency of the options listed. Peered traffic is private but is not encrypted by default; encryption in transit can be added by enabling Azure Virtual Network encryption on the peered VNets without changing the peering itself. Option A adds nothing: gateway transit lets peered VNets share a gateway and has no bearing on encryption.

Option D is wrong because a VNet-to-VNet VPN adds IPsec tunnels and gateway hops, which raises latency and caps throughput at the gateway SKU. Option C is wrong because Microsoft peering is for reaching Microsoft public services over ExpressRoute, not for VNet-to-VNet traffic. Option E is wrong because Azure Firewall inspects traffic; it does not provide connectivity.

75
Multi-Selectmedium

Which TWO of the following are valid methods to secure outbound traffic from an Azure virtual network to the internet?

Select 2 answers
A.Azure Firewall
B.Azure NAT Gateway
C.Private endpoints
D.Service endpoints
E.Azure VPN Gateway
AnswersA, B

Can inspect and control outbound traffic.

Why this answer

Azure Firewall is a fully managed, cloud-native network security service that provides stateful inspection of outbound traffic. It can enforce application and network rules based on FQDN, IP addresses, ports, and protocols, making it a valid method to secure outbound internet traffic from an Azure virtual network. Azure NAT Gateway is also valid: it gives the subnet a fixed set of outbound public IPs (predictable egress that partners can allow-list), scales SNAT ports, and never accepts inbound-initiated connections, so it is a controlled egress path even though it does not filter. Private endpoints and service endpoints govern access to Azure PaaS services, not internet egress, and a VPN gateway carries traffic to on-premises or other networks rather than to the internet.

Exam trap

The trap here is that candidates often confuse Azure NAT Gateway (which only provides outbound SNAT without security filtering) with Azure Firewall (which provides both SNAT and stateful inspection), or mistakenly think Service endpoints or Private endpoints can control outbound internet traffic.
