CCNA Secure networking Questions

12 of 237 questions · Page 4/4 · Secure networking · Answers revealed

226
MCQ · easy

You are designing a hub-spoke network topology in Azure. You need to ensure that all traffic between spokes is inspected by a network virtual appliance (NVA) deployed in the hub. What should you configure?

A. Create user-defined routes (UDRs) in each spoke pointing to the NVA's IP address.
B. Deploy Azure Firewall in the hub.
C. Configure VNet peering between all spokes.
D. Use a VPN gateway to route traffic through the hub.
Answer: A

UDRs force traffic to the NVA for inspection.

Why this answer

Option A is correct because the NVA in the hub can be used as the next hop for inter-spoke traffic via user-defined routes. Option C is wrong because VNet peering does not inspect traffic. Option B is wrong because Azure Firewall is a managed service, not an NVA (it could inspect traffic, but the question specifically says NVA).

Option D is wrong because a VPN gateway does not inspect traffic.

227
MCQ · medium

Your company uses Azure Virtual WAN with a secured virtual hub (Azure Firewall). You have branch offices connected via ExpressRoute. You need to ensure that traffic from a branch to a VNet in the same region is inspected by the firewall. You configure the default route (0.0.0.0/0) advertisement from the hub to the branch, but the traffic is not being inspected. What is the most likely reason?

A. The 'Inter-hub' setting is disabled.
B. The branch does not have a route table associated with the connection.
C. Routing intent for private traffic is not enabled.
D. The VNet has a network virtual appliance (NVA) that overrides the firewall.
Answer: C

Routing intent must be configured to force private traffic (including branch-to-VNet) through the firewall.

Why this answer

Azure Virtual WAN secures traffic via routing intent. If routing intent is not configured, the firewall may not be in the path. The default route advertisement might direct traffic to the hub, but without routing intent, the firewall won't inspect inter-VNet or branch-to-VNet traffic; it only inspects internet-bound traffic.

228
MCQ · hard

You have a hub-spoke network with Azure Firewall in the hub. Spoke VNet1 contains a VM that needs to communicate with a VM in Spoke VNet2. Both spoke VNets are peered to the hub. You configure Azure Firewall DNAT rules to forward traffic to specific VMs, but the communication fails. You verify that the firewall rules allow the traffic and that the VMs can reach each other's private IPs if the firewall is bypassed. What is the most likely issue?

A. The spoke VNets have overlapping IP address spaces.
B. The firewall's Threat Intelligence mode is blocking the traffic.
C. The firewall's Outbound SNAT is disabled for the spoke VNet ranges.
D. Azure Firewall does not support DNAT between spoke VNets.
Answer: C

Without SNAT, the source IP remains the original VM IP; return traffic may not go through the firewall, breaking flow.

Why this answer

When using DNAT, the firewall changes the destination IP and port. For return traffic, the firewall must perform SNAT (source NAT) to ensure the return traffic goes back through the firewall. If SNAT is not enabled (or disabled), the return traffic may go directly from the destination VM to the source VM's private IP, bypassing the firewall and causing asymmetric routing.

229
MCQ · medium

You are reviewing an NSG rule as shown in the exhibit. This rule is applied to a subnet containing web servers. What is the security implication of this rule?

A. It restricts inbound traffic to TCP only.
B. It allows all inbound traffic, creating a security risk.
C. It blocks all inbound traffic except HTTP.
D. It restricts inbound traffic to HTTP only.
Answer: B

The rule allows any inbound traffic from any source, which is insecure.

Why this answer

Option B is correct because the rule allows all inbound traffic from any source to any destination port and IP, which is overly permissive and exposes the subnet to potential attacks. Option D is wrong because the rule allows all traffic, not just HTTP. Option C is wrong because the rule allows inbound traffic, not outbound.

Option A is wrong because the rule does not specify a protocol; 'Any' includes all protocols.

230
Multi-Select · hard

You are responsible for securing a multi-region Azure environment. The environment includes virtual networks in three regions: East US, West Europe, and Southeast Asia. You need to ensure that all traffic between these virtual networks is encrypted and travels over the Microsoft backbone network. Additionally, you must minimize latency for cross-region traffic. Which TWO configurations should you implement? (Choose two.)

Select 2 answers
A. Enable global VNet peering on the peering connections.
B. Set up ExpressRoute circuits from each region to Microsoft.
C. Deploy Azure Firewall in each virtual network and route traffic through it.
D. Deploy Azure VPN Gateway in each virtual network and configure site-to-site VPN connections.
E. Configure VNet peering between each pair of virtual networks.
Answers: A, E

Global VNet peering enables peering across regions over the Microsoft backbone.

Why this answer

Option E is correct: VNet peering connects virtual networks over the Microsoft backbone. Option A is correct: global VNet peering allows peering across regions and also uses the Microsoft backbone. Option D is incorrect because Azure VPN Gateway encrypts traffic but does not use the Microsoft backbone (it uses the internet).

Option B is incorrect because ExpressRoute connects on-premises networks, not VNets. Option C is incorrect because Azure Firewall does not provide cross-region connectivity.

231
MCQ · hard

Your company has deployed Azure Virtual WAN with secured virtual hubs. You need to enforce that all traffic between on-premises sites and Azure virtual networks (VNets) passes through the Azure Firewall in the hub. You have configured routing accordingly. However, traffic from an on-premises site to a VNet is still bypassing the firewall. What is the most likely cause?

A. The on-premises site has forced tunneling enabled.
B. The virtual network (spoke) is propagating the default route (0.0.0.0/0) learned from the hub via BGP, causing traffic to be sent directly to the on-premises network.
C. The Azure Firewall is deployed in a separate spoke VNet instead of the hub.
D. The Azure Firewall is not in the same virtual hub as the VPN gateway.
Answer: B

When a VNet learns a default route from the hub, it may route traffic to on-premises directly via the VPN gateway instead of the firewall.

Why this answer

Option B is correct because propagating the default route (0.0.0.0/0) from the hub to the VNet can cause the VNet to route traffic directly to the on-premises site via the VPN/ExpressRoute gateway, bypassing the firewall. Option A is wrong because disabling BGP would break connectivity. Option C is wrong because the firewall should be in the hub, not a spoke.

Option D is wrong because forced tunneling is for outbound internet traffic, not for on-premises traffic.

232
Multi-Select · hard

A public web application should be protected from OWASP-style attacks and network-layer DDoS attacks. Which two Azure services are most relevant?

Select 2 answers
A. Application Gateway WAF or Azure Front Door WAF
B. Azure Automation State Configuration
C. Azure DDoS Protection on the virtual network where applicable
D. Azure Files premium tier
Answers: A, C

Correct for the stated requirement.

Why this answer

Option A is correct because both Azure Application Gateway WAF and Azure Front Door WAF provide managed rule sets (e.g., OWASP Core Rule Set 3.2) that protect against common web vulnerabilities such as SQL injection and cross-site scripting. Option C is correct because Azure DDoS Protection, when enabled on the virtual network hosting the application, mitigates network-layer DDoS attacks (e.g., SYN floods, UDP floods) by leveraging Azure's global infrastructure to absorb and scrub attack traffic.

Exam trap

The trap here is that candidates may confuse Azure Automation State Configuration (a DevOps tool) with a security service, or assume Azure Files premium tier offers built-in attack protection, when in fact only WAF and DDoS Protection directly address the specified OWASP and DDoS threats.

233
MCQ · hard

Your company uses Azure Front Door to globally distribute traffic to a web app. You need to ensure that only traffic from Front Door can reach the web app, and all other traffic is blocked. The web app is behind an Azure Application Gateway. What is the most secure and reliable configuration?

A. Place the web app behind a private endpoint and connect Front Door via private link.
B. Use an NSG on the Application Gateway subnet with a deny-all rule and allow the AzureFrontDoor.Backend service tag.
C. Configure an NSG on the Application Gateway subnet to allow traffic only from the Front Door backend IP ranges.
D. Restrict the Application Gateway to only accept traffic from the Front Door frontend IP.
Answer: C

Front Door publishes backend IP ranges that can be used in NSGs.

Why this answer

Option C is correct because Front Door's backend IP ranges are documented and can be used in an NSG to allow only Front Door traffic. Option D is wrong because the Application Gateway's frontend IP is not static and can change. Option B is wrong because Front Door's service tag is AzureFrontDoor.Backend, but the question requires using the Application Gateway, and the service tag might not be sufficient for the Application Gateway's backend.

Option A is wrong because private endpoints are for PaaS services, not for Application Gateway.

234
Multi-Select · medium

You are planning a network security strategy for a multi-tier application deployed on Azure virtual machines. You need to ensure that traffic between the web tier and the application tier is encrypted and that the application tier is not directly accessible from the internet. Which three of the following should you implement? (Choose three.)

Select 3 answers
A. Deploy an Azure Application Gateway with SSL/TLS termination in front of the web tier.
B. Configure a network security group (NSG) on the application tier subnet to deny all inbound traffic from the internet.
C. Enable end-to-end TLS encryption between the web tier and the application tier using certificates.
D. Use Azure Front Door to route traffic between the web tier and the application tier.
E. Assign public IP addresses to the application tier virtual machines for monitoring purposes.
F. Configure a site-to-site VPN between the web tier and the application tier subnets.
Answers: A, B, C

Why this answer

Deploying an Azure Application Gateway with SSL/TLS termination in front of the web tier ensures that incoming client traffic is encrypted at the edge, and the gateway can then forward traffic to the web tier. Configuring an NSG on the application tier subnet to deny all inbound traffic from the internet directly protects the application tier from external access. Enabling end-to-end TLS encryption between the web tier and the application tier using certificates ensures that traffic within the virtual network remains encrypted, meeting the requirement for encrypted inter-tier communication.

Exam trap

The trap here is that candidates often confuse Azure Front Door (a global service) with Azure Application Gateway (a regional service) and incorrectly assume Front Door can handle internal tier routing, or they think a site-to-site VPN is needed for intra-VNet encryption when end-to-end TLS is the correct approach.

235
MCQ · easy

A company has multiple on-premises web applications that need to be securely published for remote employees. The company uses Azure AD for identity management and wants to apply Conditional Access policies, including multi-factor authentication, to these applications. The security team wants to avoid exposing the on-premises infrastructure to the internet directly. Which Azure service should they deploy to meet these requirements?

A. Azure Application Gateway
B. Azure Front Door
C. Azure AD Application Proxy
D. Azure VPN Gateway
Answer: C

Azure AD Application Proxy publishes on-premises web applications externally with Azure AD pre-authentication, allowing integration with Conditional Access policies and MFA without exposing the on-premises network.

Why this answer

Azure AD Application Proxy is the correct service because it provides secure remote access to on-premises web applications without requiring a VPN or opening inbound firewall ports. It integrates natively with Azure AD, enabling Conditional Access policies such as multi-factor authentication (MFA) to be applied to these applications. The service works by establishing an outbound-only connection from the on-premises Application Proxy connector to Azure AD, ensuring the on-premises infrastructure is never directly exposed to the internet.

Exam trap

The trap here is that candidates often confuse Azure AD Application Proxy with Azure Application Gateway or Azure Front Door, assuming any reverse proxy can secure on-premises apps, but only Application Proxy uses an outbound-only connector that keeps the internal network completely hidden from the internet.

How to eliminate wrong answers

Option A is wrong because Azure Application Gateway is a layer 7 load balancer and web application firewall (WAF) that typically requires the backend applications to be internet-facing or accessible via a public IP, which violates the requirement to avoid direct internet exposure. Option B is wrong because Azure Front Door is a global load balancer and content delivery network (CDN) that also requires the backend to be publicly reachable or connected via private link, but it does not provide the outbound-only connector model needed to keep on-premises infrastructure hidden. Option D is wrong because Azure VPN Gateway creates a site-to-site or point-to-site VPN tunnel, which exposes the on-premises network to the internet via the VPN endpoint and does not natively integrate with Azure AD Conditional Access or MFA for individual web applications.

236
MCQ · easy

You need to allow an Azure VM to access an on-premises SQL Server database securely. The on-premises network is connected to Azure via a site-to-site VPN. You want to minimize latency and avoid traversing the internet. What should you use?

A. Service endpoint for SQL.
B. Azure Private Link.
C. VNet peering.
D. Site-to-site VPN connection.
Answer: D

A site-to-site VPN connects on-premises to Azure over an encrypted tunnel.

Why this answer

Option D is correct. A site-to-site VPN creates an encrypted tunnel over the internet, so it is not as low-latency as ExpressRoute; however, among the listed options it is the only one that connects on-premises to Azure at all (the tunnel is encrypted, though it still traverses the internet).

The best answer would be ExpressRoute, but it is not listed. Option B is wrong because Private Link requires the SQL Server to be in Azure. Option C is wrong because VNet peering is for Azure VNets.

Option A is wrong because service endpoints are for Azure services. Since a site-to-site VPN is the only option that connects on-premises to Azure, it is the correct choice.

237
MCQ · hard

You are troubleshooting connectivity from an on-premises network to an Azure VM. The connection uses a site-to-site VPN. The VM can be pinged from on-premises, but an application running on the VM cannot connect to an on-premises database server. The database server's firewall is configured to allow connections from the Azure VPN gateway public IP. What is the most likely cause of the issue?

A. An NSG on the VM's subnet is blocking outbound traffic.
B. The VPN tunnel is not established.
C. The effective routes on the VM are misconfigured.
D. The on-premises firewall is allowing the wrong IP address. The Azure VPN gateway's private IP should be allowed.
Answer: D

Azure VPN gateway uses its private IP for traffic to on-premises, not the public IP.

Why this answer

Option D is correct because traffic from Azure to on-premises uses the VPN gateway's private IP from the gateway subnet, not its public IP. The on-premises firewall should allow the VPN gateway's private IP address range. Option B is wrong because the VPN tunnel is established (the VM can be pinged from on-premises).

Option A is wrong because NSG rules affect traffic within Azure, not outbound to on-premises. Option C is wrong because route tables could affect routing, but the database is on-premises.
