AZ-500 · topic practice

Secure networking practice questions

Use this page to practise Secure networking questions for this certification. Focus on how the exam tests secure networking in scenario format — understanding the why behind each answer builds more durable knowledge than memorising options.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed byJohnson Ajibi· MSc IT Security
20 questionsDomain: Secure networking

What the exam tests

What to know about Secure networking

Secure networking questions on this certification test your ability to deploy and manage secure networking concepts in scenario-based situations.

Core Secure networking concepts and how they apply in real-world cloud scenarios.

How to deploy secure networking correctly and verify the outcome.

Troubleshooting secure networking issues by interpreting error output and system state.

Cloud best practices and Secure networking design trade-offs tested by this certification.

Watch out for

Common Secure networking exam traps

  • Selecting the most expensive service when a simpler managed option meets the requirement.
  • Forgetting that cloud resources must be explicitly secured — defaults are rarely secure.
  • Choosing a global service fix when the issue is region-specific.
  • Overlooking cost implications of cross-region data transfer in architecture questions.

Practice set

Secure networking questions

20 questions · select your answer, then reveal the explanation

Question 1hardmultiple choice
Review the full subnetting walkthrough →

A company has a hub-spoke network topology. The hub virtual network contains an Azure Firewall and an ExpressRoute gateway for on-premises connectivity. The spoke virtual network hosts a critical application. They need to ensure that all outbound traffic from the spoke to the internet and to on-premises networks is routed through the Azure Firewall. They configure a user-defined route (UDR) on the spoke subnet with address prefix 0.0.0.0/0 and next hop as the Azure Firewall's private IP. They also disable 'Virtual network gateway route propagation' on the spoke subnet. However, traffic to on-premises still bypasses the firewall and goes through the ExpressRoute gateway. What is the most likely cause?

Question 2hardmultiple choice
Read the full VPN explanation →

Your company has an Azure subscription with a hub-spoke network topology. The hub contains an Azure Firewall and a VPN gateway for on-premises connectivity. The spoke virtual network hosts a critical application. You need to ensure that all outbound traffic from the spoke to the internet and on-premises networks flows through the Azure Firewall. You configure a user-defined route (UDR) on the spoke subnet with the default route (0.0.0.0/0) pointing to the Azure Firewall private IP. However, traffic to on-premises still bypasses the firewall. What is the most likely cause?

Question 3hardmultiple choice
Review the full subnetting walkthrough →

A company has an Azure virtual network that uses Azure Firewall as the central traffic inspection point. They have a spoke VNet peered to the hub VNet. The spoke VNet contains a subnet with virtual machines. The security team wants to ensure that all outbound traffic from those virtual machines to the internet goes through the Azure Firewall. They have configured a route table on the spoke subnet with a default route (0.0.0.0/0) to the Azure Firewall's private IP. However, traffic from the VMs is still going directly to the internet. What is the most likely cause?

Question 4hardmultiple choice
Review the full subnetting walkthrough →

A company has a hub-spoke network topology with Azure Firewall deployed in the hub virtual network. Spoke virtual networks are peered to the hub. The security team needs to ensure that all outbound internet traffic from virtual machines in a spoke subnet goes through the Azure Firewall. They have configured a route table on the spoke subnet with a default route (0.0.0.0/0) pointing to the Azure Firewall private IP address. However, traffic from spoke VMs is still bypassing the firewall and going directly to the internet. What is the most likely reason?

Question 5hardmultiple choice
Review the full subnetting walkthrough →

A company has two Azure virtual networks: VNet-A and VNet-B. They peer the VNets and deploy a network virtual appliance (NVA) in VNet-A. They want to inspect all outbound traffic from VNet-B to the internet using the NVA. They configure a user-defined route (UDR) in a route table associated with the subnet in VNet-B, with a default route (0.0.0.0/0) and next hop set to the private IP of the NVA in VNet-A. However, outbound traffic from VNet-B still goes directly to the internet. What is the most likely cause?

Question 6hardmultiple choice
Read the full NAT/PAT explanation →

A company has two Azure virtual networks, VNet-A (hub) and VNet-B (spoke), connected via VNet peering. They deploy a network virtual appliance (NVA) in a subnet in VNet-A to inspect all traffic between the VNets. They configure a user-defined route (UDR) on the subnet in VNet-B with the destination address space of VNet-A (10.0.0.0/16) and the next hop set to the private IP of the NVA. However, traffic from VNet-B to VNet-A still bypasses the NVA and takes a direct path. What is the most likely cause?

Question 7mediummultiple choice
Read the full NAT/PAT explanation →

A company has an Azure virtual network with a subnet that hosts Azure virtual machines. They want to restrict access to an Azure SQL Database so that only traffic originating from that specific subnet is allowed. They have enabled a service endpoint for Microsoft.Sql on the subnet and configured the SQL server firewall to allow only that subnet's virtual network rule. However, connections from the VMs to the SQL database are failing with an authorization error. What is the most likely cause?

Question 8hardmultiple choice
Read the full NAT/PAT explanation →

A company has two Azure virtual networks, VNet-A (hub) and VNet-B (spoke), connected via VNet peering. They deployed a network virtual appliance (NVA) in a subnet in VNet-A to inspect all traffic. They configured a user-defined route (UDR) on the subnet in VNet-B that points the VNet-A address space (10.0.0.0/16) to the private IP of the NVA. However, traffic initiated from VNet-B to VNet-A still takes a direct path and bypasses the NVA. What is the most likely cause?

Question 9hardmultiple choice
Read the full NAT/PAT explanation →

A company has two Azure virtual networks, VNet-A and VNet-B, connected via VNet peering. They want all traffic between the VNets to be inspected by a network virtual appliance (NVA) deployed in a subnet in VNet-A. They have configured a user-defined route (UDR) on the subnet in VNet-B that points the destination address space of VNet-A to the private IP of the NVA. However, traffic between the VNets is still not passing through the NVA. What is the most likely cause?

Question 10hardmultiple choice
Review the full subnetting walkthrough →

A company has an Azure virtual network (VNet) with multiple subnets. They deploy Azure Firewall in a hub VNet and peer spoke VNets. They want to force-tunnel all outbound traffic from a specific spoke subnet to the firewall for inspection. They have configured a route table on the spoke subnet with a default route (0.0.0.0/0) pointing to the Azure Firewall's private IP as the next hop. However, traffic is still bypassing the firewall. What is the most likely cause?

Question 11mediummultiple choice
Read the full NAT/PAT explanation →

Your company has two Azure virtual networks: VNet-A (10.0.0.0/16) and VNet-B (10.1.0.0/16). They are connected via VNet peering. You deploy a network virtual appliance (NVA) in a subnet in VNet-A to inspect all traffic between the VNets. You configure a user-defined route (UDR) on the subnet in VNet-B that points the address space of VNet-A (10.0.0.0/16) to the next hop as the private IP of the NVA. However, traffic from VNet-B to VNet-A still bypasses the NVA and takes the direct peered path. What is the most likely cause?

Question 12hardmultiple choice
Read the full VPN explanation →

A company has two Azure virtual networks (VNet-A and VNet-B) connected via VNet peering. They need to ensure that all traffic between the two VNets is encrypted using IPsec and that no traffic can bypass the encryption. The security team has enabled the 'Use remote virtual network gateways' setting on the peering. However, traffic is still flowing unencrypted. What additional configuration is required to enforce encryption for all traffic between the VNets?

Question 13mediummultiple choice
Review the full subnetting walkthrough →

A company is designing a hub-spoke network topology with Azure Firewall in the hub virtual network. Spoke virtual networks are peered to the hub. They want to ensure that all outbound internet traffic from virtual machines in a spoke subnet goes through the Azure Firewall. They have configured a route table on the spoke subnet with a default route (0.0.0.0/0) pointing to the Azure Firewall's private IP address as the next hop. However, traffic is still bypassing the firewall. What is the most likely cause?

Question 14mediummultiple choice
Review the full subnetting walkthrough →

A company has an Azure virtual network with a subnet that hosts a web application. They need to allow inbound HTTP (port 80) and HTTPS (port 443) traffic from a specific source IP range (203.0.113.0/24) to the web servers. Additionally, they need to allow inbound RDP (port 3389) traffic from a management subnet (10.0.1.0/24). They want to block all other inbound traffic. They are using a network security group (NSG) associated with the subnet. What is the minimum number of inbound security rules required?

Question 15hardmultiple choice
Review the full routing breakdown →

A company has an Azure SQL Database with a private endpoint connection. The database is accessed from on-premises via ExpressRoute and from other Azure virtual networks (VNets) via VNet peering. The security team wants to ensure that all queries from both on-premises and peered VNets go through the private endpoint and NEVER use the public endpoint, even as a fallback. Which additional configuration is required to enforce this?

Question 16mediummultiple choice
Read the full NAT/PAT explanation →

A company runs a global web application on Azure App Service instances deployed in multiple Azure regions. They want to protect the application from common web attacks such as SQL injection and cross-site scripting (XSS) using a centralized set of managed rules that can be automatically updated. They also need to improve performance by terminating traffic at the nearest point of presence (POP) to end users. Which Azure service should they deploy in front of the App Service?

Question 17mediummultiple choice
Review the full subnetting walkthrough →

A company has an Azure virtual network with two subnets: App and Data. The App subnet hosts web servers, and the Data subnet hosts SQL databases. Security policy requires that only HTTPS traffic from the App subnet is allowed to the Data subnet, and all other inbound traffic to the Data subnet must be blocked. The solution must use a single network security group (NSG) associated to the Data subnet. Which NSG inbound rule configuration meets the requirement?

Question 18mediummultiple choice
Review the full subnetting walkthrough →

A company deploys Azure Firewall in a hub VNet to inspect all outbound traffic from a spoke VNet. They enable VNet peering between the hub and spoke. They create a route table with a default route (0.0.0.0/0) pointing to the firewall's private IP as the next hop, and associate it with the spoke subnets. However, outbound traffic from the spoke subnets is still going directly to the internet, bypassing the firewall. What is the most likely cause?

Question 19mediummultiple choice
Review the full subnetting walkthrough →

A company has an Azure virtual network with a subnet hosting internal web applications. The security team needs to allow inbound HTTPS traffic only from the company's corporate network IP range (203.0.113.0/24). All other inbound traffic must be denied. They want to use a network security group (NSG) associated with the subnet. Which inbound security rule configuration meets this requirement?

Question 20easymultiple choice
Review the full subnetting walkthrough →

A company deploys multiple Azure virtual machines across several subnets in a virtual network. The VMs are grouped by application tiers: web, application, and database. The security team wants to apply network security group (NSG) rules that target all VMs in a specific tier, and they need a way to easily add or remove VMs from these groups without updating NSG rules. Which Azure feature should they use to define these logical VM groups?

Free account

Track your progress over time

Create a free account to save your results and see which topics improve across sessions.

Focused Secure networking sessions

Start a Secure networking only practice session

Every question in these sessions is drawn from the Secure networking domain — nothing else.

Related practice questions

Related AZ-500 topic practice pages

Move into related areas when this topic feels solid.

Frequently asked questions

What does the AZ-500 exam test about Secure networking?
Secure networking questions on this certification test your ability to deploy and manage secure networking concepts in scenario-based situations.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Secure networking questions in a focused session?
Yes — the session launcher on this page draws every question from the Secure networking domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other AZ-500 topics?
Use the topic links above to move to related areas, or go back to the AZ-500 question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the AZ-500 exam covers. They are not copied from any real exam or dump site.