- A
Enable 'Azure virtual network encryption' on both VNets and configure the encryption policy.
Azure virtual network encryption encrypts traffic between VMs, including traffic across VNet peering, on the host at the VM NIC using DTLS; no gateway sits in the path. Enable it on both VNets and set the enforcement policy to DropUnencrypted: the default AllowUnencrypted still lets traffic from VM sizes that do not support encryption pass in the clear.
- B
Deploy an Azure VPN Gateway in each VNet and create a site-to-site VPN connection between them.
Why wrong: A site-to-site VPN between the two gateways encrypts whatever enters the tunnel, but with the peering still in place the tunnel carries nothing. The peering's system route for the remote address space is preferred over the gateway route, so the VMs keep talking over the direct peering path in the clear. Making it work would mean connecting the VNets through the gateways instead of by peering and accepting the gateways' cost, throughput ceiling and extra hop, which is not the "additional configuration" the question asks for.
- C
Configure a network security group (NSG) rule on each subnet to deny traffic that is not IPsec encapsulated.
Why wrong: An NSG filters, it does not encrypt. Its rules can match protocol numbers, including ESP and AH, so a "deny anything that is not IPsec" rule can be written, but it would simply drop the VMs' existing plaintext traffic and break the application rather than make it encrypted. Virtual network encryption does not help such a rule either: the NSG evaluates the packet the guest sends, and the host wraps it in DTLS afterwards, so no IPsec header ever exists for the rule to match.
- D
Enable 'Allow gateway transit' on VNet-A and 'Use remote virtual network gateways' on VNet-B, and then create a VPN gateway in VNet-A.
Why wrong: 'Allow gateway transit' and 'Use remote virtual network gateways' only let VNet-B send traffic for other prefixes (on-premises or other networks) through the gateway in VNet-A. Traffic between VNet-A and VNet-B themselves never goes through that gateway; it follows the peering route, which Azure prefers, and stays unencrypted. The question already states that this setting is enabled and traffic is still in the clear, which is the clue that gateway settings control routing, not encryption.
Quick Answer
The correct answer is to enable Azure virtual network encryption on both VNets and set the encryption enforcement policy to DropUnencrypted. Virtual network encryption is applied on the host at the VM NIC, so it covers peering traffic without a VPN gateway and without any change in the guest. Both VNets must have it enabled, and because the default policy (AllowUnencrypted) still permits clear traffic from VM sizes that do not support encryption, the enforcement policy is what turns "encrypted" into "nothing can bypass". The 'Use remote virtual network gateways' setting only lets VNet-B route through VNet-A's gateway; it encrypts nothing, which is why traffic is still flowing unencrypted. On the AZ-500 exam, this question tests platform-level encryption versus gateway-based solutions, and the common trap is confusing gateway settings with encryption enforcement. Remember: gateway settings enable routing, not encryption; think of VNet encryption as a mandatory "encrypt-all" switch at the network fabric layer. A useful memory tip is "Gateways route, encryption encrypts: enable VNet encryption to lock the pipe."
AZ-500 Secure networking Practice Question
This AZ-500 practice question tests your understanding of secure networking. It is a configuration task: choose the setting that satisfies every stated requirement, including the one that no traffic may bypass encryption. Small differences, such as a routing flag on the peering versus a platform encryption setting on the VNet, change whether an answer is correct. A key principle to apply: Azure virtual network encryption encrypts VNet peering traffic. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.
A company has two Azure virtual networks (VNet-A and VNet-B) connected via VNet peering. They need to ensure that all traffic between the two VNets is encrypted in transit and that no traffic can bypass the encryption. The security team has enabled the 'Use remote virtual network gateways' setting on the peering. However, traffic is still flowing unencrypted. What additional configuration is required to enforce encryption for all traffic between the VNets?
Answer choices
Why each option matters
Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.
Correct answer & explanation
Enable 'Azure virtual network encryption' on both VNets and configure the encryption policy.
Option A is correct because Azure virtual network encryption is a platform feature that encrypts traffic between VMs, including traffic across VNet peering, on the host at the VM NIC and without a VPN gateway. It has to be enabled on both VNets, and the encryption enforcement policy must be set to DropUnencrypted so that a VM whose size does not support encryption has its traffic dropped rather than sent in the clear; only then is the "no traffic can bypass" requirement met. The 'Use remote virtual network gateways' setting alone does not encrypt traffic; it only allows a VNet to use the peer's gateway for transit routing.
Key principle: Azure virtual network encryption encrypts VNet peering traffic.
Answer analysis
Option-by-option breakdown
For each option: why learners choose it and why it is or isn't the right answer here.
- ✓
Enable 'Azure virtual network encryption' on both VNets and configure the encryption policy.
Why this is correct
Azure virtual network encryption encrypts traffic between VMs, including traffic across VNet peering, on the host at the VM NIC using DTLS; no gateway sits in the path. Enable it on both VNets and set the enforcement policy to DropUnencrypted: the default AllowUnencrypted still lets traffic from VM sizes that do not support encryption pass in the clear.
Related concept
Azure virtual network encryption encrypts VNet peering traffic.
- ✗
Deploy an Azure VPN Gateway in each VNet and create a site-to-site VPN connection between them.
Why it's wrong here
A site-to-site VPN between the two gateways encrypts whatever enters the tunnel, but with the peering still in place the tunnel carries nothing. The peering's system route for the remote address space is preferred over the gateway route, so the VMs keep talking over the direct peering path in the clear. Making it work would mean connecting the VNets through the gateways instead of by peering and accepting the gateways' cost, throughput ceiling and extra hop, which is not the "additional configuration" the question asks for.
- ✗
Configure a network security group (NSG) rule on each subnet to deny traffic that is not IPsec encapsulated.
Why it's wrong here
An NSG filters, it does not encrypt. Its rules can match protocol numbers, including ESP and AH, so a "deny anything that is not IPsec" rule can be written, but it would simply drop the VMs' existing plaintext traffic and break the application rather than make it encrypted. Virtual network encryption does not help such a rule either: the NSG evaluates the packet the guest sends, and the host wraps it in DTLS afterwards, so no IPsec header ever exists for the rule to match.
- ✗
Enable 'Allow gateway transit' on VNet-A and 'Use remote virtual network gateways' on VNet-B, and then create a VPN gateway in VNet-A.
Why it's wrong here
'Allow gateway transit' and 'Use remote virtual network gateways' only let VNet-B send traffic for other prefixes (on-premises or other networks) through the gateway in VNet-A. Traffic between VNet-A and VNet-B themselves never goes through that gateway; it follows the peering route, which Azure prefers, and stays unencrypted. The question already states that this setting is enabled and traffic is still in the clear, which is the clue that gateway settings control routing, not encryption.
Common exam traps
Common exam trap: answer the scenario, not the keyword
The trap here is that candidates often assume that enabling 'Use remote virtual network gateways' on VNet peering automatically encrypts traffic, when in fact it only allows gateway transit and does not provide any encryption; the real solution is Azure Virtual Network Encryption, which is a separate feature that must be explicitly enabled.
Detailed technical explanation
How to think about this question
Azure virtual network encryption is applied on the host, at the virtual machine NIC, before a packet leaves the physical server, and it uses DTLS rather than IPsec or MACsec (MACsec is what Azure uses on the links between its own datacenters, a separate always-on control that customers do not configure). It is transparent to the guest OS and applications, and it covers traffic between VMs in the same VNet and across regional and global peering, provided encryption is enabled on both peered VNets and the VMs run on supported sizes. Two caveats matter for the "no traffic can bypass" requirement. First, the enforcement policy must be DropUnencrypted; with the default AllowUnencrypted, a VM on an unsupported size still talks in the clear. Second, a VPN gateway cannot substitute for this while the peering exists: the route Azure creates for a peered VNet's address space is a system route that it prefers over the gateway route for the same prefix, so inter-VNet traffic keeps taking the direct peering path and the IPsec tunnel between the gateways is never used unless the peering is removed.
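As an added example (not code from the page, from Microsoft or from the exam), here is a small audit of the state the question describes. It reads the JSON that `az network vnet show -g <rg> -n <vnet> -o json` returns for each VNet and decides whether traffic over the peering is guaranteed to be encrypted: both sides must have encryption enabled with the DropUnencrypted policy, and the gateway-transit flags are treated as informational because they change routing, not encryption. The two VNet documents, the resource group name and the subscription ID are constructed placeholders. The remediation command it emits, `az network vnet update -g <rg> -n <vnet> --enable-encryption true --encryption-enforcement-policy DropUnencrypted`, is run once per VNet; the flag names follow the Azure CLI reference and should be confirmed with `az network vnet update -h` before use.

```python
"""Audit two peered Azure VNets for enforced virtual network encryption.

Added example for this question page, not Microsoft's code. Input is the
JSON returned by `az network vnet show -o json` for each VNet (only the
'encryption' and 'virtualNetworkPeerings' properties are used). The two
documents below are constructed sample data, with a placeholder subscription.
"""

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-net"
VNETS = SUB + "/providers/Microsoft.Network/virtualNetworks/"

# Constructed state matching the question: gateway-transit flags set on the
# peering, VNet-A encrypted with the permissive default, VNet-B not at all.
VNET_A = {
    "name": "VNet-A",
    "id": VNETS + "VNet-A",
    "encryption": {"enabled": True, "enforcement": "AllowUnencrypted"},
    "virtualNetworkPeerings": [{
        "name": "peer-to-VNet-B",
        "peeringState": "Connected",
        "allowVirtualNetworkAccess": True,
        "allowGatewayTransit": True,
        "useRemoteGateways": False,
        "remoteVirtualNetwork": {"id": VNETS + "VNet-B"},
    }],
}
VNET_B = {
    "name": "VNet-B",
    "id": VNETS + "VNet-B",
    "encryption": {"enabled": False, "enforcement": "AllowUnencrypted"},
    "virtualNetworkPeerings": [{
        "name": "peer-to-VNet-A",
        "peeringState": "Connected",
        "allowVirtualNetworkAccess": True,
        "allowGatewayTransit": False,
        "useRemoteGateways": True,
        "remoteVirtualNetwork": {"id": VNETS + "VNet-A"},
    }],
}

ENFORCED = "DropUnencrypted"


def encryption_findings(vnet):
    """Findings for one VNet: a 'fail' if traffic can leave it in the clear."""
    enc = vnet.get("encryption") or {}
    name = vnet["name"]
    if not enc.get("enabled"):
        return [("fail", f"{name}: virtual network encryption is disabled")]
    if enc.get("enforcement") != ENFORCED:
        return [("fail", f"{name}: enforcement is {enc.get('enforcement')}; "
                         "VMs on unsupported sizes still send plaintext")]
    return []


def peering_from(src, dst):
    """Return src's peering object that points at dst, or None."""
    for p in src.get("virtualNetworkPeerings", []):
        if p["remoteVirtualNetwork"]["id"].lower() == dst["id"].lower():
            return p
    return None


def audit_pair(a, b):
    """All findings for the pair; encryption must hold on BOTH sides."""
    findings = encryption_findings(a) + encryption_findings(b)
    for src, dst in ((a, b), (b, a)):
        p = peering_from(src, dst)
        if p is None:
            findings.append(("fail", f"{src['name']}: no peering to {dst['name']}"))
            continue
        if p.get("peeringState") != "Connected":
            findings.append(("fail", f"{src['name']}->{dst['name']}: peering "
                                     f"state is {p.get('peeringState')}"))
        # Gateway-transit flags steer traffic for *other* prefixes through a
        # remote gateway; they never make peering traffic encrypted.
        if p.get("useRemoteGateways") or p.get("allowGatewayTransit"):
            findings.append(("info", f"{src['name']}->{dst['name']}: gateway "
                                     "transit flags set; they do not encrypt peering traffic"))
    return findings


def peering_is_enforced_encrypted(a, b):
    """True only when nothing can cross the peering unencrypted."""
    return not any(sev == "fail" for sev, _ in audit_pair(a, b))


def remediation_commands(vnet, resource_group):
    """az CLI command to bring a VNet to enabled + DropUnencrypted.

    Flag names follow the Azure CLI reference for 'az network vnet update';
    confirm with `az network vnet update -h` before running.
    """
    if not encryption_findings(vnet):
        return []
    return [f"az network vnet update -g {resource_group} -n {vnet['name']} "
            f"--enable-encryption true --encryption-enforcement-policy {ENFORCED}"]


if __name__ == "__main__":
    for sev, msg in audit_pair(VNET_A, VNET_B):
        print(f"[{sev}] {msg}")
    for v in (VNET_A, VNET_B):
        for cmd in remediation_commands(v, "rg-net"):
            print(cmd)
```

To run it against a real subscription, replace the two dictionaries with `json.load` of the saved `az network vnet show -o json` output for each VNet. The check deliberately fails when only one side has encryption enabled, because peering traffic is encrypted only when both VNets have it on, and when the policy is still AllowUnencrypted, which is the default and the usual reason an audit passes an "enabled" check while traffic from older VM sizes is still in the clear.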
Key Concepts to Remember
- Azure virtual network encryption encrypts VNet peering traffic.
- It uses DTLS, applied on the host at the VM NIC, to secure data in transit between peered VNets; no IPsec tunnel or gateway is involved.
- It must be enabled on both peered VNets, with the enforcement policy set to DropUnencrypted so that unencrypted traffic is blocked rather than allowed.
- It provides native, managed encryption without requiring VPN gateways for peering.
Exam Day Tips
- Watch for words such as best, first, most likely and least administrative effort.
- Review why wrong options are wrong, not only why the correct option is correct.
Key takeaway
Azure virtual network encryption encrypts VNet peering traffic.
Real-world example
How this comes up in practice
A healthcare organisation deploys an application with a public-facing web tier and a private database tier. The database subnet has no public IP and only accepts connections from the web tier's security group. Questions like this test whether you can design cloud network isolation using VNets/VPCs, subnets, and security group rules.
What to study next
Got this wrong? Here's your next step.
Review the principle that Azure virtual network encryption encrypts VNet peering traffic, then practise related AZ-500 questions on the same topic to reinforce the concept.
- →
Secure networking — study guide chapter
Learn the concepts, then practise the questions
- →
Secure networking practice questions
Targeted practice on this topic area only
- →
All AZ-500 questions
1,000 questions across all exam domains
- →
Microsoft Azure Security Engineer Associate AZ-500 study guide
Full concept coverage aligned to exam objectives
- →
AZ-500 practice test guide
How to use practice tests most effectively before exam day
Related practice questions
Related AZ-500 practice-question pages
Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.
Secure identity and access practice questions
Practise AZ-500 questions linked to Secure identity and access.
Secure compute, storage, and databases practice questions
Practise AZ-500 questions linked to Secure compute, storage, and databases.
Secure Azure using Microsoft Defender for Cloud and Microsoft Sentinel practice questions
Practise AZ-500 questions linked to Secure Azure using Microsoft Defender for Cloud and Microsoft Sentinel.
Manage identity and access practice questions
Practise AZ-500 questions linked to Manage identity and access.
Secure networking practice questions
Practise AZ-500 questions linked to Secure networking.
AZ-500 fundamentals practice questions
Practise AZ-500 questions linked to AZ-500 fundamentals.
AZ-500 scenario practice questions
Practise AZ-500 questions linked to AZ-500 scenario.
AZ-500 troubleshooting practice questions
Practise AZ-500 questions linked to AZ-500 troubleshooting.
Practice this exam
Start a free AZ-500 practice session
Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.
FAQ
Questions learners often ask
What does this AZ-500 question test?
Secure networking. This question tests the principle that Azure virtual network encryption encrypts VNet peering traffic.
What is the correct answer to this question?
The correct answer is: Enable 'Azure virtual network encryption' on both VNets and configure the encryption policy. Option A is correct because Azure virtual network encryption is a platform feature that encrypts traffic between VMs, including traffic across VNet peering, on the host at the VM NIC and without a VPN gateway. It has to be enabled on both VNets, and the encryption enforcement policy must be set to DropUnencrypted so that a VM whose size does not support encryption has its traffic dropped rather than sent in the clear; only then is the "no traffic can bypass" requirement met. The 'Use remote virtual network gateways' setting alone does not encrypt traffic; it only allows a VNet to use the peer's gateway for transit routing.
What should I do if I get this AZ-500 question wrong?
Review the principle that Azure virtual network encryption encrypts VNet peering traffic, then practise related AZ-500 questions on the same topic to reinforce the concept.
What is the key concept behind this question?
Azure virtual network encryption encrypts VNet peering traffic.
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →
Same concept, more angles
1 more way this is tested on AZ-500
These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.
Variation 1. A company has multiple Azure virtual networks connected via VNet peering. They want to ensure that all traffic between the peered VNets is encrypted and that no traffic can bypass the encryption. Which configuration is required?
Difficulty: hard
- A. Enable Service Endpoint Policies
- ✓ B. Use VPN Gateway with IPsec between VNets
- C. VNet peering does not support encryption; use Global VNet peering
- D. Enable Azure Firewall
Why B: VNet peering does not encrypt traffic by default, and of the four options only a VPN gateway with an IPsec/IKE policy actually encrypts anything; service endpoint policies, global peering and Azure Firewall do not. Be precise about what it encrypts, though: only traffic that enters the tunnel. While the VNets remain peered, Azure prefers the peering route, so traffic keeps taking the direct path in the clear; to make the tunnel the only path, the VNets have to be connected through the gateways instead of by peering. The native answer, Azure virtual network encryption with the DropUnencrypted enforcement policy, is not offered among these choices, which is why this variation's correct option differs from the main question's.
Last reviewed: Jun 11, 2026
This AZ-500 practice question is part of Courseiva's free Microsoft certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the AZ-500 exam.
Question Discussion
Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.
Sign in to join the discussion.