CCNA Secure Networking Questions

75 of 237 questions · Page 2/4 · Secure Networking topic · Answers revealed

76
MCQ · medium

You are deploying a web application in Azure that must be accessible only from your corporate network via HTTPS. You have an Azure Application Gateway with a Web Application Firewall (WAF) policy. Your corporate network uses public IP addresses from a specific range. Which configuration should you use to restrict access?

A.Configure a WAF policy with a custom rule to allow traffic only from the corporate IP range and deny all other traffic.
B.Create a network security group (NSG) on the subnet hosting the application gateway and allow only the corporate IP range.
C.Use Azure Front Door with a WAF policy and geo-filtering to allow only your country.
D.Set up a private endpoint for the application gateway and disable public access.
Answer: A

WAF custom rules can allowlist source IP ranges: an Allow rule matching the corporate range, followed by a lower-priority Block rule for everything else, restricts access to the corporate network at the WAF layer.

Why this answer

Option A is correct because the WAF policy on Application Gateway evaluates custom rules in priority order, so an Allow rule for the corporate IP range followed by a catch-all Block rule admits only corporate traffic. Option B can also restrict client source addresses, but it operates below the WAF and must still permit the GatewayManager and AzureLoadBalancer service tags for the gateway to function, so it is not the intended control here. Option C is wrong because geo-filtering by country admits far more than the corporate range. Option D is wrong because disabling public access does not help when the corporate network reaches the gateway from public IP addresses.

77
Drag & Drop · medium

Drag and drop the steps to configure Azure AD Conditional Access policy to require MFA for all users into the correct order.


Why this order

Conditional Access policies require defining users and access controls before enabling.

78
MCQ · hard

Refer to the exhibit. You have an Azure Application Gateway WAF policy with the above JSON configuration. A user from IP address 10.1.2.3 reports they cannot access the web application. What is the most likely cause?

A.The WAF policy is in prevention mode and detected a SQL injection.
B.The WAF policy is set to detection mode and logs the request.
C.The custom rule is disabled due to a syntax error.
D.The custom rule blocks all private IP addresses.
Answer: D

The custom rule blocks RFC 1918 source addresses, and 10.1.2.3 falls in 10.0.0.0/8.

Why this answer

Option D is correct because the custom rule in the exhibit blocks traffic from the RFC 1918 private ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), and the user's address 10.1.2.3 is in 10.0.0.0/8. Option A is wrong because the block comes from a custom rule, not from a managed SQL injection signature. Option B is wrong because in Detection mode the WAF only logs matches and would not have blocked the request; the rule's action is Block, and that action is only enforced in Prevention mode. Option C is wrong because the rule is enabled and is doing exactly what it says.

79
Multi-Select · easy

Which TWO are valid connection methods for Azure VPN Gateway? (Choose two.)

Select 2 answers
A.Point-to-Site
B.VNet-to-VNet
C.Site-to-Site
D.Azure Bastion
E.ExpressRoute
Answers: A, C

Point-to-Site connects individual clients to the VNet over SSTP, IKEv2 or OpenVPN; Site-to-Site connects an on-premises VPN device to the VNet over an IPsec/IKE tunnel.

Why this answer

Point-to-Site (P2S) is a valid connection method for Azure VPN Gateway because it allows individual client computers to connect securely to an Azure virtual network from anywhere using the SSTP, IKEv2, or OpenVPN protocols. This method is ideal for remote workers who need encrypted access without requiring a site-level VPN device. Site-to-Site (S2S) is the other keyed answer: an IPsec/IKE tunnel between an on-premises VPN device and the VPN gateway, used to connect whole networks rather than individual clients.

Exam trap

The trap here is VNet-to-VNet: Microsoft's documentation does list it as a connection type, but it is an IPsec/IKE connection of the same kind as Site-to-Site with another Azure VPN gateway as the peer, and this question treats it as a variant of S2S rather than a separate method. Azure Bastion and ExpressRoute are separate services: Bastion provides browser-based RDP/SSH to VMs, and ExpressRoute is a private circuit, not a VPN gateway connection type.

80
MCQ · medium

A company runs a public-facing web application on Azure App Service in the West US region. They want to protect against network-layer (Layer 3/4) DDoS attacks. The application consists of a single App Service instance. Which Azure DDoS Protection tier should they enable to meet this requirement while minimizing cost?

A.Basic
B.Standard
C.Premium
D.No protection is needed because Azure App Service is inherently protected against DDoS attacks.
Answer: A

DDoS Protection Basic (now called DDoS infrastructure protection) is free and automatically applied to every Azure public endpoint, including App Service. It mitigates common network-layer floods, which is all the question asks for.

Why this answer

Azure DDoS Protection Basic is automatically enabled at no additional cost for all Azure services, including App Service. It provides always-on traffic monitoring and mitigation of common Layer 3/4 attacks such as SYN floods, UDP floods, and reflection attacks, which meets the requirement to protect the public-facing web application. Since the company wants to minimize cost and only needs Layer 3/4 protection for a single App Service instance, the Basic tier is sufficient. Note that Microsoft has since renamed the tiers: Basic is now "DDoS infrastructure protection", and the paid Standard tier is offered as DDoS Network Protection (per virtual network) and DDoS IP Protection (per public IP); older exam material still uses Basic/Standard.

Exam trap

The trap here is that candidates often assume Azure App Service has no built-in DDoS protection and that they must purchase a paid tier, but Azure DDoS Protection Basic is automatically enabled and free, making it the correct choice for cost-effective Layer 3/4 protection.

How to eliminate wrong answers

Option B is wrong because DDoS Protection Standard (DDoS Network Protection) is a paid tier that adds adaptive tuning, attack analytics, telemetry and rapid-response support for public IP addresses in your own virtual networks; a multi-tenant App Service instance has no public IP in your virtual network, so the tier cannot even be applied to it directly and would only add cost. Option C is wrong because there is no Premium tier; the tiers are Basic and Standard (today, infrastructure protection and Network/IP Protection). Option D is wrong because App Service is not "inherently" protected beyond the Basic baseline; the question asks which tier to enable, and the answer is Basic, which is already active at no cost.

81
MCQ · easy

A company has an Azure virtual network with subnets SubnetA and SubnetB. They deploy a network virtual appliance (NVA) in a subnet called NVA_Subnet. They want all traffic between SubnetA and SubnetB to be routed through the NVA for inspection. What is the minimum number of route tables and routes required?

A.One route table with a route for each subnet via the NVA
B.Two route tables, each with a route to the other subnet via the NVA
C.No route tables needed; enable IP forwarding on the NVA
D.One route table with a single default route (0.0.0.0/0) via the NVA
Answer: B

Each subnet gets its own route table with one user-defined route: SubnetA's table sends SubnetB's prefix to the NVA, and SubnetB's table sends SubnetA's prefix to the NVA. Both directions are then inspected, and the NVA subnet keeps the system routes.

Why this answer

Option B is correct because route tables are associated with subnets, and each subnet can have only one route table. To force traffic between SubnetA and SubnetB through the NVA you need a route in SubnetA's table for SubnetB's address space with next hop type Virtual appliance and the NVA's private IP, and the mirror-image route in SubnetB's table. Two tables with one route each is the minimum that inspects both directions; if only one side is routed, the return path bypasses the NVA and the appliance sees asymmetric traffic.

Exam trap

The trap here is that candidates expect a default route (0.0.0.0/0) to capture inter-subnet traffic. Azure selects routes by longest prefix match, and the system route for the VNet's own address space (for example 10.0.0.0/16) is more specific than 0.0.0.0/0, so a default route only captures internet-bound traffic. Each subnet's destination address space needs an explicit, more specific route.

How to eliminate wrong answers

Option A is wrong as the intended design: a route table can be associated with several subnets (each subnet with at most one table), but a single table carrying routes for both prefixes would, on SubnetA, also send SubnetA's own prefix to the NVA, hairpinning intra-subnet traffic and making the NVA a dependency for hosts talking to their neighbours; one table per subnet keeps each table scoped to the other subnet's prefix. Option C is wrong because IP forwarding on the NVA's NIC is necessary but not sufficient; without user-defined routes the system routes deliver SubnetA-to-SubnetB traffic directly. Option D is wrong because a 0.0.0.0/0 route via the NVA only overrides the system route to the internet; the more specific system route for the VNet address space still wins for traffic between the two subnets.
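An added worked example for this question (not from the original page): a small Python model of Azure route selection. It shows why the 0.0.0.0/0 route of option D leaves inter-subnet traffic on the system route while the per-subnet routes of option B hand it to the NVA. The VNet prefix, subnet prefixes and NVA address are assumed values chosen for illustration, and the model covers system and user-defined routes only (no BGP).

```python
# Added example (not from the original page): a model of Azure's route selection.
# Azure picks the route with the longest matching prefix; for equal prefix lengths a
# user-defined route (UDR) beats a system route. Addresses are constructed for illustration.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str      # e.g. "10.0.2.0/24"
    next_hop: str    # "VnetLocal", "Internet", "None", or "VirtualAppliance:<ip>"
    source: str      # "System" or "User"


VNET = "10.0.0.0/16"
SUBNET_A, SUBNET_B, NVA_IP = "10.0.1.0/24", "10.0.2.0/24", "10.0.3.4"

# Default system routes Azure installs in every subnet of the VNet.
SYSTEM_ROUTES = [
    Route(VNET, "VnetLocal", "System"),
    Route("0.0.0.0/0", "Internet", "System"),
]


def effective_next_hop(routes, dst_ip):
    """Return the next hop Azure would use for dst_ip: longest prefix wins,
    and a UDR wins over a system route with the same prefix length."""
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for r in routes:
        net = ipaddress.ip_network(r.prefix)
        if ip not in net:
            continue
        key = (net.prefixlen, 1 if r.source == "User" else 0)
        if best is None or key > best[0]:
            best = (key, r)
    return best[1].next_hop if best else "None"  # no matching route: Azure drops the traffic


# Option D: a single 0.0.0.0/0 UDR via the NVA, applied to SubnetA
default_only = [Route("0.0.0.0/0", f"VirtualAppliance:{NVA_IP}", "User")]

# Option B: SubnetA's table carries only a route for SubnetB's prefix via the NVA, and
# SubnetB's table the mirror image, so both directions are inspected.
subnet_a_table = [Route(SUBNET_B, f"VirtualAppliance:{NVA_IP}", "User")]
subnet_b_table = [Route(SUBNET_A, f"VirtualAppliance:{NVA_IP}", "User")]

# A UDR for the whole VNet prefix ties with the system /16 and wins on source,
# but it also hairpins intra-subnet traffic through the NVA (usually unwanted).
whole_vnet = [Route(VNET, f"VirtualAppliance:{NVA_IP}", "User")]

if __name__ == "__main__":
    host_in_b = "10.0.2.5"
    print(effective_next_hop(SYSTEM_ROUTES, host_in_b))                   # VnetLocal
    print(effective_next_hop(SYSTEM_ROUTES + default_only, host_in_b))    # VnetLocal: /16 beats /0
    print(effective_next_hop(SYSTEM_ROUTES + default_only, "8.8.8.8"))    # VirtualAppliance:10.0.3.4
    print(effective_next_hop(SYSTEM_ROUTES + subnet_a_table, host_in_b))  # VirtualAppliance:10.0.3.4
    print(effective_next_hop(SYSTEM_ROUTES + whole_vnet, "10.0.1.9"))     # VirtualAppliance:10.0.3.4
```

Run it as a script, or feed `effective_next_hop` the routes you read from a NIC's "Effective routes" blade to predict where a packet will go before changing a table.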

82
MCQ · hard

Refer to the exhibit. The JSON shows an NSG rule set applied to a subnet. The subnet contains a web server that should be accessible from the internet on port 443. Users report they cannot connect. What is the most likely cause?

A.There is no rule allowing HTTPS traffic
B.The 'AllowVNetInbound' rule allows traffic from the internet
C.The 'DenyInternetInbound' rule has a lower priority than 'AllowVNetInbound'
D.The 'DenyInternetInbound' rule blocks all internet traffic
Answer: D

The 'DenyInternetInbound' rule denies all inbound traffic sourced from the Internet service tag, and no earlier rule allows TCP 443, so HTTPS is dropped.

Why this answer

Option D is correct because NSG rules are evaluated in ascending priority number and the first match wins. 'AllowVNetInbound' (priority 100) matches only sources inside the VirtualNetwork service tag, so a request from the internet falls through to 'DenyInternetInbound' (priority 200), which denies it regardless of port. Even if the explicit deny were removed, the default DenyAllInBound rule (65500) would still drop the traffic, so the fix is the same either way: add an Allow rule for TCP 443 from the Internet service tag with a lower priority number than the deny (for example 150).

Option A describes the missing fix rather than the active cause: no allow rule for 443 exists, but what actively rejects the packets in this rule set is the explicit deny. Option B is wrong because the VirtualNetwork tag covers the VNet address space and peered networks, not the internet. Option C is wrong because the deny rule's priority number (200) is higher than the allow rule's (100), which means it is evaluated later, not earlier; the ordering is not the problem because the allow rule never matches internet-sourced traffic anyway.

83
MCQ · hard

Your organization has multiple Azure subscriptions connected via a hub-spoke topology using Azure Firewall in the hub. You need to ensure that traffic between spoke VNets is routed through the firewall for inspection. You configure user-defined routes (UDRs) on the spoke subnets. However, traffic between spokes is still bypassing the firewall. What is the most likely reason?

A.Azure Firewall does not support traffic between spoke VNets.
B.The UDR on the firewall subnet does not include the spoke address spaces.
C.The 'Allow gateway transit' setting is disabled on the spoke peering.
D.The 'Use remote gateway' setting is disabled on the spoke VNet peering.
Answer: D

Keyed answer: the spoke peering must be configured to use the hub's gateway. In practice, verify the effective routes on a spoke NIC and confirm the next hop for the other spoke's prefix is the firewall's private IP.

Why this answer

Option D is the keyed answer: the explanation given is that the 'Use remote gateway' setting on the spoke side of the peering must be enabled for the spoke to send traffic toward the hub. Option A is wrong because Azure Firewall can inspect spoke-to-spoke traffic when the spokes' routes point at it. Option B is wrong because the AzureFirewallSubnet does not need a route for spoke-to-spoke traffic; the spokes' UDRs point at the firewall's private IP and the firewall returns traffic over the hub peering. Option C is wrong because 'Allow gateway transit' is the hub-side counterpart of 'Use remote gateway', not a spoke setting.

A caveat for practitioners: 'Use remote gateway' and 'Allow gateway transit' govern transit through a VPN or ExpressRoute gateway in the hub, and Azure Firewall is not a virtual network gateway, so these settings do not by themselves steer spoke-to-spoke traffic. The common real-world cause of bypass is a direct spoke-to-spoke peering: it installs a system route for the other spoke's prefix that is more specific than a 0.0.0.0/0 UDR, so traffic takes the peering instead of the firewall. Either remove the direct peering or add a UDR for the other spoke's address space pointing at the firewall, and check the result with 'Effective routes' on the spoke NIC.

84
Multi-Select · medium

You have an Azure virtual network that hosts a critical application. You need to protect the virtual network from DDoS attacks. Which THREE actions should you take to implement a defense-in-depth approach?

Select 3 answers
A.Configure network security groups (NSGs) with deny-all inbound rules by default, then allow only necessary traffic.
B.Use Azure Private Endpoints for all Azure services to remove public endpoints.
C.Use Azure Web Application Firewall (WAF) on Application Gateway to protect web applications.
D.Deploy Azure Firewall with threat intelligence-based filtering.
E.Enable Azure DDoS Network Protection on the virtual network.
Answers: A, C, E

NSGs reduce attack surface by blocking unwanted traffic; WAF covers application-layer (Layer 7) attacks; DDoS Network Protection mitigates volumetric and protocol attacks at Layers 3/4.

Why this answer

Options A, C, and E are correct. Azure DDoS Network Protection, enabled on the virtual network, provides always-on mitigation with telemetry and adaptive tuning for the VNet's public IPs. NSGs filter unwanted traffic at the subnet and NIC level, and WAF protects the web application from Layer 7 floods and exploits. Together they cover the network, transport and application layers.

Option D is wrong because Azure Firewall is for general traffic inspection and threat-intelligence filtering, not DDoS mitigation. Option B is wrong because private endpoints reduce exposure for PaaS services, but the application here must keep a public entry point, and removing public endpoints is not DDoS mitigation.

85
MCQ · easy

Your organization needs to securely connect an on-premises data center to Azure for disaster recovery. The connection must be encrypted and use the public internet. Which Azure service should you use?

A.Azure Front Door.
B.Azure ExpressRoute with private peering.
C.Azure VPN Gateway.
D.Azure DNS.
Answer: C

VPN Gateway provides an encrypted IPsec/IKE site-to-site tunnel over the public internet.

Why this answer

Option C is correct because Azure VPN Gateway supports site-to-site IPsec/IKE connections from an on-premises VPN device over the internet, which satisfies both the encryption and the public-internet requirements. Option B is wrong because ExpressRoute private peering uses a dedicated private circuit, not the internet, and does not encrypt by default. Option A is wrong because Azure Front Door is a global HTTP(S) entry point for web applications, not a network connectivity service.

Option D is wrong because Azure DNS provides name resolution only.

86
MCQ · hard

You are designing a network security strategy for an Azure Kubernetes Service (AKS) cluster. You need to restrict egress traffic from the cluster to only allow connections to specific Azure services (e.g., Microsoft Container Registry, Azure Key Vault). The solution must minimize administrative overhead. What should you use?

A.Configure Azure Policy to deny egress to non-approved destinations.
B.Deploy Azure Firewall and use FQDN tags to allow traffic to Azure services.
C.Use Kubernetes network policies for egress.
D.Define NSG rules to allow outbound traffic to the service IP ranges.
Answer: B

FQDN tags let an application rule allow traffic to well-known Azure services (the AzureKubernetesService tag covers the endpoints an AKS cluster needs) without maintaining IP lists.

Why this answer

Option B is correct because Azure Firewall application rules accept FQDN tags, so a single rule can allow the outbound dependencies of a well-known service while Microsoft maintains the underlying FQDNs; egress from the cluster subnet is sent to the firewall with a 0.0.0.0/0 user-defined route. Option D is wrong because NSGs filter on IP addresses, ports and service tags and cannot match FQDNs; the option as written means maintaining service IP ranges by hand, which is the overhead the question rules out. Option C is wrong because Kubernetes network policies select endpoints by pod label and IP block, not by FQDN, so they cannot express "only these Azure services" without managing IP ranges.

Option A is wrong because Azure Policy audits and governs resource configuration; it does not filter network traffic.

87
MCQ · easy

A company deploys Azure Firewall to inspect and control outbound traffic from a virtual network. The security team wants to allow outbound HTTPS traffic only to specific FQDNs such as *.microsoft.com and *.windowsupdate.com, while blocking all other outbound internet access. Which type of rule should they configure in Azure Firewall to achieve this filtering?

A.Network Rule
B.Application Rule
C.NAT Rule
D.DNAT Rule
Answer: B

Application rules are designed to filter outbound traffic based on FQDNs, making them the correct choice for allowing traffic only to specific domains like *.microsoft.com.

Why this answer

Azure Firewall uses Application Rules to filter outbound HTTP and HTTPS traffic by fully qualified domain name. For HTTP the firewall reads the Host header; for HTTPS it reads the Server Name Indication (SNI) in the TLS ClientHello, so it can match the target FQDN without decrypting the session (a client that sends no SNI cannot match an FQDN rule and is denied). Since the requirement is HTTPS to *.microsoft.com and *.windowsupdate.com only, an Application Rule with those wildcard target FQDNs, and no broader rule beneath it, is the correct choice.

Exam trap

The trap here is that candidates often confuse Network Rules with Application Rules, mistakenly thinking that port 443 and IP addresses can achieve FQDN-based filtering, but Network Rules lack the ability to inspect the application layer (FQDN) and can only filter by IP/port, which is insufficient for domain-specific allowlisting.

How to eliminate wrong answers

Option A is wrong because Network Rules filter traffic based on source/destination IP addresses, ports, and protocols (TCP/UDP), not FQDNs, so they cannot selectively allow HTTPS to specific domain names. Option C is wrong because NAT Rules (Destination Network Address Translation) are used to translate inbound traffic to internal resources, not to filter outbound traffic. Option D is wrong because DNAT Rules are synonymous with NAT Rules in Azure Firewall and serve the same inbound translation purpose, not outbound FQDN filtering.
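An added worked example for this question (not from the original page or from Azure Firewall's code): how an FQDN-based application rule can classify HTTPS without decrypting it. The Python below builds a minimal TLS ClientHello carrying an SNI extension (constructed bytes), parses the SNI back out the way a firewall on the path would, and matches it against the rule's target FQDNs. The wildcard model used here ("*.example.com" matches subdomains, not the apex) is this example's assumption; confirm exact wildcard semantics against the product documentation.

```python
# Added example (not from the original page): extract SNI from a TLS ClientHello
# and apply an FQDN allow-list to it, as an application rule does for HTTPS.
# The ClientHello bytes are constructed here; no real client is involved.


def build_client_hello(sni: str) -> bytes:
    """Construct a minimal TLS 1.2-style ClientHello record carrying an SNI extension."""
    host = sni.encode("ascii")
    server_name = b"\x00" + len(host).to_bytes(2, "big") + host          # name_type 0 = host_name
    sni_list = len(server_name).to_bytes(2, "big") + server_name
    sni_ext = b"\x00\x00" + len(sni_list).to_bytes(2, "big") + sni_list  # extension type 0 = server_name
    extensions = len(sni_ext).to_bytes(2, "big") + sni_ext
    body = (b"\x03\x03" + bytes(32)          # client_version, random (zeros; constructed)
            + b"\x00"                        # session_id length 0
            + b"\x00\x02\x13\x01"            # one cipher suite (TLS_AES_128_GCM_SHA256)
            + b"\x01\x00"                    # compression methods: null
            + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body             # HandshakeType client_hello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake  # ContentType handshake


def extract_sni(record: bytes):
    """Return the host_name from the SNI extension, or None if absent or malformed."""
    if len(record) < 5 or record[0] != 0x16:
        return None
    hs = record[5:5 + int.from_bytes(record[3:5], "big")]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    p = 4 + 2 + 32                                   # handshake header, version, random
    try:
        p += 1 + hs[p]                               # session_id
        p += 2 + int.from_bytes(hs[p:p + 2], "big")  # cipher_suites
        p += 1 + hs[p]                               # compression_methods
        if p + 2 > len(hs):
            return None                              # no extensions block at all
        end = p + 2 + int.from_bytes(hs[p:p + 2], "big")
        p += 2
        while p + 4 <= end:
            etype = int.from_bytes(hs[p:p + 2], "big")
            elen = int.from_bytes(hs[p + 2:p + 4], "big")
            p += 4
            if etype == 0:
                q = p + 2                            # skip server_name_list length
                while q + 3 <= p + elen:
                    ntype, nlen = hs[q], int.from_bytes(hs[q + 1:q + 3], "big")
                    q += 3
                    if ntype == 0:
                        return hs[q:q + nlen].decode("ascii")
                    q += nlen
            p += elen
    except IndexError:
        return None
    return None


def fqdn_matches(pattern: str, host: str) -> bool:
    """Wildcard model assumed by this example: '*.x.com' matches subdomains of x.com, not x.com itself."""
    host, pattern = host.lower().rstrip("."), pattern.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])            # "*.microsoft.com" -> ".microsoft.com" suffix
    return host == pattern


# Target FQDNs from the question's application rule: HTTPS to these only
ALLOWED_FQDNS = ["*.microsoft.com", "*.windowsupdate.com"]


def application_rule_decision(record: bytes, targets=ALLOWED_FQDNS) -> str:
    sni = extract_sni(record)
    if sni is None:
        return "Deny"   # no SNI: nothing to match an FQDN rule against
    return "Allow" if any(fqdn_matches(t, sni) for t in targets) else "Deny"


if __name__ == "__main__":
    for name in ["download.windowsupdate.com", "login.microsoft.com", "microsoft.com", "evil.example"]:
        print(name, application_rule_decision(build_client_hello(name)))
```

The point to take from the parser is that the FQDN decision is made on the first packet of the handshake, before any certificate or payload, which is why a Network Rule on 443 cannot replicate it and why a client that omits SNI is indistinguishable from a client going somewhere else.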

88
Drag & Drop · medium

Drag and drop the steps to create an Azure Key Vault firewall rule to allow access from a specific virtual network into the correct order.


Why this order

The firewall configuration is under networking, and you must add the virtual network to allow traffic.

89
Multi-Select · easy

You are configuring network security for a multi-tier application in Azure. The web tier must accept HTTPS traffic from the internet. The application tier should only accept traffic from the web tier. The data tier should only accept traffic from the application tier. Which THREE Azure features should you use to implement this?

Select 3 answers
A.Azure Firewall
B.Application Security Groups (ASGs)
C.Azure Front Door
D.Azure Traffic Manager
E.Network Security Groups (NSGs)
Answers: A, B, E

NSGs enforce the tier-to-tier rules, ASGs let those rules reference the tiers by role instead of by IP, and Azure Firewall adds centralized logging and additional filtering.

Why this answer

Option E is correct because NSGs provide inbound/outbound filtering for subnets or NICs, which is where "the application tier accepts only from the web tier" is enforced. Option B is correct because ASGs group the NICs of each tier so a single NSG rule can say "allow from asg-web to asg-app", and membership follows VMs as they are added. Option A is correct because Azure Firewall can sit in the path for centralized logging and additional filtering, though the tier isolation itself is done by NSG rules.

Option C is wrong because Azure Front Door is a global HTTP(S) load balancer and edge WAF, not an internal segmentation control. Option D is wrong because Azure Traffic Manager is DNS-based routing and never sees the traffic.

90
MCQ · medium

You have an Azure Web Application Firewall (WAF) policy associated with an Azure Front Door instance. You want to block requests from a specific country (e.g., Country X) unless the request includes a valid API key. How should you configure this?

A.Use a geo-match custom rule to allow all countries except Country X, and use a rate limit rule to block Country X.
B.Configure IP restriction on the origin to block Country X IPs.
C.Configure the WAF policy to use 'Prevention' mode and add a managed rule set that includes the country block.
D.Use a geo-match custom rule to block Country X, and create a separate custom rule with higher priority to allow traffic from Country X if the request contains the API key header.
Answer: D

The allow rule must have the smaller priority number so it is evaluated before the block rule; requests from Country X that carry the API key then match the allow and stop processing before the block is reached.

Why this answer

WAF custom rules on Front Door are evaluated in order of priority number (lowest first), and Allow and Block are terminating actions. Create a custom rule with a GeoMatch condition on Country X and action Block, then a second custom rule that combines the same GeoMatch with a RequestHeader match on the API key header and action Allow, with a lower priority number than the block. Option A is wrong because a rate limit counts requests; it does not inspect for a header. Option B is wrong because IP restriction at the origin cannot distinguish keyed from unkeyed requests and is not country-aware. Option C is wrong because managed rule sets contain OWASP-style signatures, not a per-country block, and Prevention mode only controls whether matches are enforced.
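An added worked example (not from the original page) for this question and for question 76 above: a Python model of how WAF custom rules are evaluated. It encodes the "allow corporate range, block the rest" pattern and the "allow Country X with API key before blocking Country X" pattern, and shows that swapping the two priorities silently breaks the second one. The IP ranges, the IP-to-country table and the x-api-key header name and value are constructed stand-ins, not real WAF data.

```python
# Added example (not from the original page): a model of WAF custom-rule evaluation.
# Rules run in ascending priority number; a rule whose match conditions all hold applies
# its action, and Allow/Block stop further evaluation (Log does not). Constructed data.
import ipaddress
from dataclasses import dataclass

# Constructed stand-in for the WAF's GeoIP database (documentation ranges only)
GEO_TABLE = {"198.51.100.0/24": "XX", "203.0.113.0/24": "CH", "192.0.2.0/24": "US"}


def country_of(ip):
    for net, cc in GEO_TABLE.items():
        if ipaddress.ip_address(ip) in ipaddress.ip_network(net):
            return cc
    return "ZZ"  # unknown


@dataclass(frozen=True)
class Request:
    client_ip: str
    headers: dict


@dataclass(frozen=True)
class Condition:
    variable: str       # "RemoteAddr" or "RequestHeader"
    operator: str       # "IPMatch", "GeoMatch", "Equal"
    values: tuple
    selector: str = ""  # header name for RequestHeader
    negate: bool = False

    def holds(self, req):
        if self.variable == "RemoteAddr" and self.operator == "IPMatch":
            result = any(ipaddress.ip_address(req.client_ip) in ipaddress.ip_network(v) for v in self.values)
        elif self.variable == "RemoteAddr" and self.operator == "GeoMatch":
            result = country_of(req.client_ip) in self.values
        elif self.variable == "RequestHeader" and self.operator == "Equal":
            result = req.headers.get(self.selector) in self.values
        else:
            raise ValueError(f"unsupported condition {self.variable}/{self.operator}")
        return result != self.negate


@dataclass(frozen=True)
class CustomRule:
    name: str
    priority: int
    action: str         # "Allow", "Block", "Log"
    conditions: tuple


def evaluate(rules, req):
    """Return (final_action, names_of_rules_that_fired). Allow/Block terminate; Log continues."""
    fired = []
    for rule in sorted(rules, key=lambda r: r.priority):
        if all(c.holds(req) for c in rule.conditions):
            fired.append(rule.name)
            if rule.action in ("Allow", "Block"):
                return rule.action, fired
    return "Allow", fired   # no terminating custom rule: fall through (managed rules would run next)


# Question 76 pattern: allow the corporate range, block everything else
CORP = [
    CustomRule("AllowCorp", 10, "Allow", (Condition("RemoteAddr", "IPMatch", ("203.0.113.0/24",)),)),
    CustomRule("BlockOthers", 20, "Block", (Condition("RemoteAddr", "IPMatch", ("0.0.0.0/0",)),)),
]

# Question 90 pattern: allow Country X with a valid key first, then block Country X
api_key_ok = Condition("RequestHeader", "Equal", ("s3cret-key",), selector="x-api-key")  # constructed key
GEO_RIGHT = [
    CustomRule("AllowXWithKey", 10, "Allow", (Condition("RemoteAddr", "GeoMatch", ("XX",)), api_key_ok)),
    CustomRule("BlockX", 20, "Block", (Condition("RemoteAddr", "GeoMatch", ("XX",)),)),
]
# The same two rules with priorities swapped: the block fires first and the key never helps
GEO_WRONG = [CustomRule(r.name, 30 - r.priority, r.action, r.conditions) for r in GEO_RIGHT]

if __name__ == "__main__":
    keyed = Request("198.51.100.7", {"x-api-key": "s3cret-key"})
    print(evaluate(GEO_RIGHT, keyed))   # ('Allow', ['AllowXWithKey'])
    print(evaluate(GEO_WRONG, keyed))   # ('Block', ['BlockX'])
    print(evaluate(CORP, Request("192.0.2.1", {})))  # ('Block', ['BlockOthers'])
```

The `fired` list is the part to look at when a policy misbehaves: in the swapped configuration the allow rule never appears in it, which is exactly what the WAF logs will show.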

91
MCQ · hard

A company wants to deploy an Azure VPN Gateway in active-active mode to ensure high availability for their site-to-site VPN connection. They have two on-premises VPN devices, each with a distinct public IP address. What is the minimum configuration required for the Azure VPN Gateway to utilize both on-premises devices?

A.Create two local network gateways, each with one on-premises public IP, and connect each to a different IP of the VPN gateway.
B.Create one local network gateway that includes both on-premises IP addresses and enable BGP on the connection.
C.Use active-passive mode and configure a second VPN gateway in the same virtual network.
D.Deploy two separate VPN gateways in different Azure regions.
Answer: A

With two local network gateways and two connections, the active-active gateway builds tunnels to both on-premises devices.

Why this answer

Option A is correct because an active-active VPN gateway has two instances, each with its own public IP, and each on-premises VPN device must be represented by its own local network gateway (a local network gateway holds a single gateway IP address). Create two local network gateways, one per on-premises public IP, and a connection from the VPN gateway to each. Because the gateway is active-active, both Azure instances establish a tunnel to both on-premises devices, a full mesh of four IPsec tunnels, so the loss of any single Azure instance or on-premises device leaves a working path.

Exam trap

The trap here is that candidates often think a single local network gateway can hold multiple on-premises IPs or that BGP alone can handle dual tunnels, but Azure requires a separate local network gateway per on-premises device to establish distinct IPsec SAs in active-active mode.

How to eliminate wrong answers

Option B is wrong because a local network gateway defines a single on-premises gateway IP address, so two devices need two local network gateways; BGP helps routes converge across the tunnels but does not replace the second gateway object. Option C is wrong because active-passive keeps one instance active at a time, so it cannot use both on-premises devices simultaneously, and a VNet can have only one VPN gateway, so a second gateway in the same VNet is not possible. Option D is wrong because two gateways in different regions belong to different VNets and form a multi-region design, not an active-active connection to the same on-premises site.

92
Multi-Select · medium

You are planning a migration of on-premises servers to Azure. You need to ensure that the Azure virtual network can communicate with the on-premises network securely and with high bandwidth. The on-premises network has a 1 Gbps internet connection. Which TWO options meet the requirements?

Select 2 answers
A.Site-to-site VPN over the internet.
B.Point-to-site VPN from on-premises to Azure.
C.Azure Firewall with forced tunneling.
D.VNet peering between on-premises and Azure.
E.Azure ExpressRoute with private peering.
Answers: A, E

Site-to-site VPN provides encrypted connectivity over the internet, limited by the 1 Gbps link; ExpressRoute provides private, high-bandwidth connectivity.

Why this answer

Options A and E are correct. ExpressRoute with private peering gives high bandwidth on a dedicated circuit; traffic never crosses the public internet, though it is not encrypted unless you add MACsec (ExpressRoute Direct) or run an IPsec VPN over the circuit. Site-to-site VPN over the internet is encrypted and, with a 1 Gbps link and a suitable gateway SKU, still a high-bandwidth option.

Point-to-site is for individual client machines, not a site. VNet peering connects Azure virtual networks only. Azure Firewall with forced tunneling is a traffic-control feature, not a connectivity method.

93
MCQ · easy

You need to allow a specific IP address (203.0.113.5) to access an Azure Storage account over the internet. All other internet traffic must be denied. You have enabled the storage account firewall. What should you configure?

A.Create a private endpoint for the storage account.
B.Add the IP address to the firewall rules of the storage account.
C.Configure an NSG on the subnet to allow the IP address.
D.Add a service endpoint for Microsoft.Storage to the subnet.
Answer: B

The storage account firewall accepts IP network rules for public internet addresses.

Why this answer

Option B is correct because the storage account firewall lets you add public IP addresses or CIDR ranges as network rules while the default action is Deny, so only 203.0.113.5 is admitted over the internet. IP network rules accept public addresses only, and they do not apply to traffic arriving from services in the same Azure region, which must use virtual network rules or private endpoints instead. Option D is wrong because a service endpoint admits a subnet's traffic to the account, not an arbitrary internet IP. Option C is wrong because an NSG filters traffic for a subnet or NIC and has no effect on the storage account's own firewall.

Option A is wrong because a private endpoint gives the account a private IP inside a VNet; it is for private connectivity, not for allowlisting a public source address.

94
Multi-Select · medium

Which TWO Azure services can be used to filter inbound internet traffic to a virtual network? (Choose two.)

Select 2 answers
A.Azure Firewall
B.Azure Bastion
C.Azure Front Door
D.Network security group (NSG)
Answers: A, D

Azure Firewall is a stateful, centrally managed firewall for inbound (via DNAT) and outbound traffic; NSGs filter at the subnet and NIC level.

Why this answer

Options A and D are correct. NSGs filter traffic at the subnet or NIC level with priority-ordered allow/deny rules. Azure Firewall provides centralized filtering, publishing internal resources to the internet through DNAT rules and applying threat-intelligence filtering.

Option C is wrong because Azure Front Door is a global HTTP(S) load balancer and edge WAF that sits outside the virtual network; it can front web applications, but it does not filter traffic entering a VNet. Option B is wrong because Azure Bastion is a managed jump host for RDP/SSH, not a filtering service.

95
MCQ · medium

A company has two application tiers: web servers and application servers. They want to allow traffic from the web servers to the application servers on port 8080, but only for a specific set of web servers. They have deployed the web servers in an Availability Set and want to use a single NSG rule to allow traffic from any web server that is part of that application tier. Which component should they use?

A.Application security group
B.Service tag
C.Source IP address range
D.Virtual network peering
Answer: A

Correct. An ASG can be used as the source in an NSG rule to represent a group of VMs.

Why this answer

An Application Security Group (ASG) lets you group the network interfaces of VMs by application role (for example, web servers) and use that ASG as the source in a single NSG rule. Membership is per NIC and has nothing to do with the Availability Set: assign the ASG to each web server's NIC, and the rule allowing TCP 8080 to the application servers covers every current and future member without listing IP addresses. All NICs in an ASG must be in the same virtual network, and an NSG rule can only reference ASGs from that VNet.

Exam trap

The trap here is that candidates often confuse Application Security Groups with Network Security Groups themselves, or mistakenly think Service Tags can be used to group custom sets of VMs, when in fact Service Tags are only for Azure services or broad network scopes.

How to eliminate wrong answers

Option B is wrong because a Service Tag (e.g., 'VirtualNetwork') represents a predefined group of IP addresses from Azure services or the entire virtual network, not a custom set of specific VMs like the web servers in an Availability Set. Option C is wrong because using a Source IP address range would require you to list the individual private IPs of each web server, which is not dynamic and would break the requirement to use a single rule for any web server in the tier. Option D is wrong because Virtual Network Peering connects two virtual networks at the network layer, but it does not provide granular control to filter traffic from a specific subset of VMs within a peered network; it simply enables connectivity between the entire VNets.
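An added worked example (not from the original page) for this question and for question 82 above: a Python model of inbound NSG evaluation. It reproduces the exhibit scenario of question 82 (an AllowVNetInbound rule at 100 and a DenyInternetInbound rule at 200, with no allow for 443), shows the fix, and adds the ASG-as-source rule this question asks about. The VNet prefix, addresses, rule names and ASG membership are constructed; the Internet tag is simplified to "anything outside the VNet".

```python
# Added example (not from the original page): a model of how an NSG evaluates inbound rules.
# Rules are tried in ascending priority number (lower number = higher priority); the first
# matching rule decides, and Azure's default rules (65000 AllowVnetInBound, 65001
# AllowAzureLoadBalancerInBound, 65500 DenyAllInBound) sit behind any custom rules.
import ipaddress
from dataclasses import dataclass

VNET_PREFIXES = ["10.0.0.0/16"]          # constructed
AZURE_LB_PROBE = "168.63.129.16"         # source of Azure load balancer health probes

# Application security groups: NIC private IPs grouped by role (constructed)
ASGS = {"asg-web": {"10.0.1.4", "10.0.1.5"}, "asg-app": {"10.0.2.4"}}


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp" or "*"
    source: str        # service tag, CIDR, "*" or "asg:<name>"
    dest_port: str     # "443", "*" or "8080-8090"


def _in_vnet(ip):
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(p) for p in VNET_PREFIXES)


def source_matches(selector, src_ip):
    if selector == "*":
        return True
    if selector == "VirtualNetwork":
        return _in_vnet(src_ip)
    if selector == "Internet":           # simplified: anything outside the VNet address space
        return not _in_vnet(src_ip)
    if selector == "AzureLoadBalancer":
        return src_ip == AZURE_LB_PROBE
    if selector.startswith("asg:"):
        return src_ip in ASGS.get(selector[4:], set())
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(selector, strict=False)


def port_matches(selector, port):
    if selector == "*":
        return True
    if "-" in selector:
        lo, hi = (int(x) for x in selector.split("-"))
        return lo <= port <= hi
    return port == int(selector)


DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "AzureLoadBalancer", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*"),
]


def evaluate_inbound(custom_rules, src_ip, proto, dst_port):
    """Return (access, rule_name) for the first rule that matches, in priority order."""
    for r in sorted(custom_rules + DEFAULT_RULES, key=lambda r: r.priority):
        if r.protocol not in ("*", proto):
            continue
        if source_matches(r.source, src_ip) and port_matches(r.dest_port, dst_port):
            return r.access, r.name
    raise AssertionError("unreachable: DenyAllInBound matches everything")


# Question 82's exhibit scenario: nothing allows Internet-sourced HTTPS
BROKEN = [
    Rule("AllowVNetInbound", 100, "Allow", "*", "VirtualNetwork", "*"),
    Rule("DenyInternetInbound", 200, "Deny", "*", "Internet", "*"),
]
# Fix: an allow for TCP/443 from Internet with a lower priority number than the deny
FIXED = BROKEN + [Rule("AllowHttpsInbound", 150, "Allow", "Tcp", "Internet", "443")]

# This question: the app tier accepts 8080 only from the web tier's ASG. Note the explicit
# deny at 4000 also blocks AzureLoadBalancer probes; add an allow for that tag if the tier
# sits behind a load balancer.
APP_TIER = [Rule("AllowWebToApp8080", 110, "Allow", "Tcp", "asg:asg-web", "8080"),
            Rule("DenyAllOther", 4000, "Deny", "*", "*", "*")]

if __name__ == "__main__":
    print(evaluate_inbound(BROKEN, "203.0.113.10", "Tcp", 443))  # ('Deny', 'DenyInternetInbound')
    print(evaluate_inbound(FIXED, "203.0.113.10", "Tcp", 443))   # ('Allow', 'AllowHttpsInbound')
    print(evaluate_inbound(APP_TIER, "10.0.1.4", "Tcp", 8080))   # ('Allow', 'AllowWebToApp8080')
    print(evaluate_inbound(APP_TIER, "10.0.5.9", "Tcp", 8080))   # ('Deny', 'DenyAllOther')
```

Adding a VM's NIC to `asg-web` is the only change needed to admit a new web server; no rule is edited, which is the administrative win over a source IP range.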

96
Multi-Select · hard

Which THREE are best practices for securing network traffic in Azure? (Choose three.)

Select 3 answers
A.Use private endpoints for Azure services
B.Assign public IP addresses to every VM
C.Allow direct outbound internet access from VMs
D.Implement just-in-time (JIT) VM access
E.Use service tags in NSG rules
Answers: A, D, E

Private endpoints keep PaaS traffic on the Microsoft backbone; JIT keeps management ports closed by default; service tags keep NSG rules narrow without hand-maintained IP lists.

Why this answer

Private endpoints assign a private IP address from your virtual network to an Azure service (e.g., Azure Storage, SQL Database), effectively bringing the service into your VNet. This ensures traffic to the service traverses the Microsoft backbone network rather than the public internet, eliminating data exposure to the public endpoint and reducing the attack surface. It is a core network segmentation best practice for securing PaaS resources. Just-in-time VM access keeps management ports (RDP/SSH) closed by default and opens them on request, for a limited time and from approved source addresses, shrinking exposure of the most attacked ports. Service tags (for example Storage, AzureKeyVault, VirtualNetwork) replace hand-maintained IP lists in NSG rules with ranges Microsoft keeps current, so rules stay narrow without going stale.

Exam trap

The trap here is that candidates often confuse 'just-in-time VM access' (which controls RDP/SSH access) with network traffic security, but it is indeed a best practice for reducing the attack surface of management ports, so it is correct; the real distractors are the obviously insecure options B and C that test your understanding of exposure minimization.

97
MCQ · easy

You need to filter inbound internet traffic to an Azure web application based on source IP address and geographic location. Which Azure service should you use?

A.Network Security Group
B.Azure Web Application Firewall (WAF) on Azure Front Door
C.Azure DDoS Protection
D.Azure Firewall
Answer: B

WAF on Front Door allows geo-filtering and IP-based access control via custom rules.

Why this answer

Azure Web Application Firewall (WAF) on Azure Front Door or Application Gateway can filter traffic based on source IP and geo-location using custom rules. WAF provides layer 7 protection.

98
MCQ · medium

You are designing network security for a hybrid application that uses Azure Front Door and Azure Application Gateway. The application must block malicious requests at the edge before they reach the backend. You need to implement Web Application Firewall (WAF) protection with the lowest latency and the ability to inspect traffic at the application layer. Which solution should you use?

A.Enable Azure DDoS Protection on the virtual network.
B.Apply WAF policy on Azure Application Gateway only.
C.Apply WAF policy on Azure Front Door.
D.Use Azure Firewall with threat intelligence-based filtering.
Answer: C

WAF on Front Door inspects HTTP(S) at the edge, blocking malicious requests before they reach the Application Gateway, with the lowest added latency.

Why this answer

Option C is correct because a WAF policy on Azure Front Door runs at Microsoft's edge points of presence, inspecting requests at the application layer before they travel on to the Application Gateway, so malicious traffic is dropped closest to the client. Option B is wrong because WAF on Application Gateway only inspects after the request has already crossed Front Door and entered the region, adding a hop of latency before any block. Option D is wrong because Azure Firewall is a network firewall; even with threat-intelligence filtering it does not parse HTTP requests the way a WAF does. Option A is wrong because DDoS Protection mitigates volumetric Layer 3/4 attacks, not application-layer threats.

A practical caveat: when Front Door fronts an Application Gateway, lock the gateway down so it only accepts traffic from Front Door (restrict the source to the AzureFrontDoor.Backend service tag and validate the X-Azure-FDID header against your Front Door ID); otherwise an attacker who learns the gateway's public IP bypasses the edge WAF entirely.

99
MCQ · hard

A company has two Azure virtual networks, VNet-A and VNet-B, connected via VNet peering. They want all traffic between the VNets to be inspected by a network virtual appliance (NVA) deployed in a subnet in VNet-A. They have configured a user-defined route (UDR) on the subnet in VNet-B that points the destination address space of VNet-A to the private IP of the NVA. However, traffic between the VNets is still not passing through the NVA. What is the most likely cause?

A.The UDR is not associated with the subnet in VNet-B.
B.The NVA's network interface (NIC) does not have IP forwarding enabled.
C.The VNet peering connection is not in a 'Connected' state.
D.The NVA is deployed in the same subnet as the source VMs.
Answer: B

IP forwarding must be enabled on the NVA's NIC so that the Azure fabric delivers packets not addressed to that NIC and lets the NVA forward them. This is a common configuration step that is often missed.

Why this answer

The most likely cause is that the NVA's network interface does not have IP forwarding enabled. Even with a correct UDR on VNet-B sending VNet-A's prefix to the NVA's private IP, Azure will not deliver packets to a NIC whose destination address is not its own unless IP forwarding is enabled on that NIC (and the guest OS must also forward, for example net.ipv4.ip_forward=1 on Linux). Two further checks before calling the design done: the VNet-A subnets need the mirror-image UDR for VNet-B's prefix, otherwise replies bypass the NVA and inspection is asymmetric; and the VNet-B side of the peering must have 'Allow forwarded traffic' enabled so that packets forwarded by the NVA in VNet-A are accepted into VNet-B.

Exam trap

The trap here is that candidates often focus on UDR configuration or peering state, overlooking the critical NIC-level IP forwarding setting that is required for any NVA to function as a transit hop in Azure.

How to eliminate wrong answers

Option A is wrong because the question states that the UDR has been configured on the subnet in VNet-B, implying it is associated; an unassociated route table would have no effect, but the scenario points at the NVA's inability to forward. Option C is wrong because if the peering were not in a 'Connected' state no traffic would flow between the VNets at all, whereas the scenario is that traffic reaches its destination without transiting the NVA, so the peering is functional. Option D is wrong because placing the NVA in the same subnet as the source VMs does not by itself prevent inspection; a UDR still directs the traffic to the NVA, which then needs IP forwarding on its NIC to accept and forward it.

100
Multi-Select · hard

A web app uses Azure App Service and must access Azure SQL over a private IP without exposing SQL to the public internet. Which two components are required?

Select 2 answers
A.Private Endpoint for Azure SQL
B.Inbound NAT rule on Azure Load Balancer
C.DDoS Protection Basic only
D.Private DNS configuration for the privatelink SQL zone
Answers: A, D

The Private Endpoint gives the SQL logical server a private IP in the VNet; the privatelink.database.windows.net private DNS zone makes the server's name resolve to that IP instead of the public address.

Why this answer

A is correct because a Private Endpoint for Azure SQL assigns a private IP from your virtual network to the Azure SQL logical server, so the App Service can connect over that IP without the database being reachable from the public internet (once public network access on the server is disabled). D is correct because the server's public FQDN is a CNAME to <server>.privatelink.database.windows.net; without a linked private DNS zone for privatelink.database.windows.net (or equivalent records on your own DNS) the name still resolves to the public IP and the private endpoint is never used. The App Service itself needs regional VNet integration so that its outbound traffic originates inside the VNet and uses that DNS.

Exam trap

The trap here is that candidates often think a Load Balancer or DDoS protection is needed for private connectivity, but the actual requirement is a Private Endpoint paired with proper Private DNS resolution to avoid public internet exposure.

101
MCQ · hard

A company has multiple Azure virtual networks connected via VNet peering. They want to ensure that all traffic between the peered VNets is encrypted and that no traffic can bypass the encryption. Which configuration is required?

A. Enable Service Endpoint Policies
B. Use VPN Gateway with IPsec between VNets
C. VNet peering does not support encryption; use Global VNet peering
D. Enable Azure Firewall
Answer: B

Correct. A VPN Gateway configured with IPsec tunnel provides encrypted communication between VNets, ensuring data is encrypted in transit.

Why this answer

VNet peering does not encrypt traffic between virtual networks by default. To enforce encryption for all traffic, you must use a VPN Gateway with IPsec/IKE policy configured between the peered VNets. This ensures that all traffic crossing the peering is encrypted and that no unencrypted path exists, meeting the requirement that no traffic can bypass encryption.

Exam trap

The trap here is that candidates assume VNet peering inherently encrypts traffic because it uses Microsoft's private backbone, but Azure does not enable encryption by default on peering; you must explicitly configure VPN Gateway with IPsec to achieve encrypted transit.

How to eliminate wrong answers

Option A is wrong because Service Endpoint Policies control access to Azure PaaS services (e.g., Storage, SQL) from specific subnets, not encryption of traffic between peered VNets. Option C is wrong because VNet peering does support encryption when combined with VPN Gateway IPsec; Global VNet peering extends peering across regions but still does not encrypt traffic by default. Option D is wrong because Azure Firewall provides network-level filtering and logging but does not encrypt traffic between VNets; it can inspect but not enforce encryption of transit traffic.

102
MCQ · hard

A company has two Azure virtual networks (VNet-A and VNet-B) connected via VNet peering. They need to ensure that all traffic between the two VNets is encrypted using IPsec and that no traffic can bypass the encryption. The security team has enabled the 'Use remote virtual network gateways' setting on the peering. However, traffic is still flowing unencrypted. What additional configuration is required to enforce encryption for all traffic between the VNets?

A. Enable 'Azure virtual network encryption' on both VNets and configure the encryption policy.
B. Deploy an Azure VPN Gateway in each VNet and create a site-to-site VPN connection between them.
C. Configure a network security group (NSG) rule on each subnet to deny traffic that is not IPsec encapsulated.
D. Enable 'Allow gateway transit' on VNet-A and 'Use remote virtual network gateways' on VNet-B, and then create a VPN gateway in VNet-A.
Answer: A

Azure virtual network encryption (currently in preview) encrypts all traffic between VNets using IPsec. Enabling it on both sides ensures traffic is encrypted.

Why this answer

Option A is correct because Azure Virtual Network Encryption provides a platform-level encryption mechanism that encrypts all traffic between virtual networks, including VNet peering traffic, without requiring a VPN gateway. Enabling this feature on both VNets and configuring the encryption policy ensures that all inter-VNet traffic is encrypted using IPsec, and since it is enforced at the infrastructure level, no traffic can bypass the encryption. The 'Use remote virtual network gateways' setting alone does not encrypt traffic; it only allows a VNet to use a remote gateway for transit routing.

Exam trap

The trap here is that candidates often assume that enabling 'Use remote virtual network gateways' on VNet peering automatically encrypts traffic, when in fact it only allows gateway transit and does not provide any encryption; the real solution is Azure Virtual Network Encryption, which is a separate feature that must be explicitly enabled.

How to eliminate wrong answers

Option B is wrong because deploying Azure VPN Gateways and creating a site-to-site VPN connection would encrypt traffic between the VNets, but it does not prevent unencrypted traffic from flowing through the VNet peering if the peering is still active; the question requires that no traffic can bypass encryption, and a VPN gateway does not disable the existing peering path. Option C is wrong because NSG rules operate at the network layer and cannot inspect or enforce IPsec encapsulation; they can only filter based on IP addresses, ports, and protocols, not the presence of IPsec headers, so they cannot ensure that all traffic is encrypted. Option D is wrong because enabling 'Allow gateway transit' and 'Use remote virtual network gateways' allows a VNet to use a VPN gateway in another VNet for outbound connectivity, but it does not encrypt traffic between the VNets themselves; the peering traffic remains unencrypted unless Azure Virtual Network Encryption or a direct VPN connection is configured.

103
Multi-Select · medium

Which TWO actions should you take to secure a virtual network in Azure? (Choose two.)

Select 2 answers
A. Apply network security groups (NSGs) to subnets.
B. Configure Azure DNS zones.
C. Deploy Azure Bastion for VM access.
D. Implement Azure Firewall for perimeter control.
E. Set up Azure Monitor alerts.
Answers: A, D

NSGs filter traffic at the subnet/NIC level.

Why this answer

Options A and D are correct because NSGs and Azure Firewall are key network security controls. Option B is wrong because Azure DNS does not secure the network. Option C is wrong because Azure Bastion is for secure access, not network security.

Option E is wrong because Azure Monitor is for monitoring, not security.

104
MCQ · medium

Your organization has deployed a multi-region web application using Azure Front Door with WAF policies. The backend origins are Azure App Services in two regions. Recently, a security audit revealed that the WAF is not blocking certain SQL injection attacks. You have identified that the WAF policy is configured in 'Detection' mode instead of 'Prevention' mode. However, the application team is concerned that changing to 'Prevention' mode might block legitimate traffic. You need to switch to 'Prevention' mode while minimizing false positives. Additionally, you want to ensure that any blocked requests are logged for analysis. What should you do?

A. Change the WAF policy to Prevention mode and enable logging.
B. Use the WAF policy's Bot Protection rule set and Prevention mode.
C. Enable rate limiting in the WAF policy and switch to Prevention mode.
D. Create a custom WAF policy with SQL injection rules in Prevention mode, and enable diagnostic logs.
Answer: D

Custom rules allow tuning to reduce false positives, and logs capture blocked requests.

Why this answer

Option D is correct because a WAF policy in Prevention mode with custom rules for the SQL injection signatures allows fine-tuning to reduce false positives, and enabling diagnostic logs captures blocked requests. Option A is wrong because switching to Prevention mode without custom rules may cause false positives. Option B is wrong because Bot Protection does not address SQL injection. Option C is wrong because rate limiting does not address SQL injection.

105
Multi-Select · hard

Your company has an Azure subscription with multiple virtual networks (VNets) connected via VNet peering. You need to filter traffic between VNets based on source IP addresses and ports. You want a managed solution that provides stateful inspection and centralized logging. Which TWO solutions meet the requirements?

Select 2 answers
A. Azure Firewall
B. Network Security Groups (NSGs)
C. Azure VPN Gateway
D. Network Virtual Appliance (NVA) from a partner
E. Azure Front Door
Answers: A, D

Azure Firewall is a managed, stateful firewall with centralized logging and network filtering.

Why this answer

Option A is correct because Azure Firewall provides stateful inspection, network filtering based on IP/port, and centralized logging. Option D is correct because Network Virtual Appliances (NVAs) from partners can provide similar capabilities. Option B is wrong because NSGs are stateful but not managed centrally for cross-VNet traffic. Option C is wrong because VPN Gateway is for encrypted connectivity, not filtering. Option E is wrong because Azure Front Door is a global load balancer, not a VNet-to-VNet filter.

106
MCQ · easy

A company deploys Azure virtual machines in a virtual network. A security policy requires that only Remote Desktop Protocol (RDP) traffic from the corporate VPN's public IP address (203.0.113.0/26) is allowed. All other inbound RDP traffic must be denied. Which configuration should be applied to the network security group (NSG) associated with the VM subnet?

A. Add an inbound rule to allow RDP from the Internet and a deny rule for RDP from the corporate IP.
B. Add an inbound rule to deny RDP from the corporate IP and a default deny all inbound.
C. Add an inbound rule to allow RDP from the corporate IP range, and add a default deny rule for all other inbound RDP traffic.
D. No additional rules are needed because the default NSG rules already deny RDP.
Answer: C

This correctly allows RDP from the corporate IP and denies RDP from all other sources. The deny rule should have a higher priority number (lower priority) than the allow rule.

Why this answer

Option C is correct because the requirement is to allow RDP (TCP port 3389) only from the corporate VPN's public IP range (203.0.113.0/26) and deny all other inbound RDP traffic. An NSG processes rules in priority order; by adding an inbound allow rule for the corporate IP range with a high priority (e.g., 100) and relying on the default deny rule (which denies all inbound traffic not explicitly allowed), only RDP from the specified range is permitted. This matches the security policy precisely.

Exam trap

The trap here is that candidates often forget that NSGs have default rules that allow inbound traffic from the virtual network and Azure load balancer, and they mistakenly think a default deny rule already blocks all RDP, when in fact you must explicitly allow the specific source IP and rely on the default deny to block everything else.

How to eliminate wrong answers

Option A is wrong because it allows RDP from the Internet (which violates the policy) and then denies RDP from the corporate IP (which would block the allowed traffic). Option B is wrong because it denies RDP from the corporate IP (the only source that should be allowed) and relies on a default deny all inbound, which would block all RDP traffic entirely. Option D is wrong because the default NSG rules allow inbound RDP from the virtual network and Azure load balancer, but not from the Internet; they do not restrict RDP to a specific public IP range, so additional rules are required.

107
MCQ · medium

Your organization has deployed Azure Firewall in a hub-and-spoke network topology. You have configured forced tunneling so that all internet-bound traffic from the spoke virtual networks is routed through the Azure Firewall. Recently, a critical application in a spoke virtual network is experiencing intermittent connectivity failures to an external partner service. The partner service requires that traffic originate from a specific public IP address. You have configured Azure Firewall with a public IP address and have set up DNAT rules to allow inbound traffic. However, the outbound traffic from the application is still using the spoke's default outbound access via SNAT. You need to ensure that all outbound traffic from the application uses the Azure Firewall's public IP address. What should you do?

A. Disable SNAT on the Azure Firewall for the application's public IP range.
B. Add a user-defined route (UDR) on the application's subnet with 0.0.0.0/0 next hop to Azure Firewall.
C. Modify the Azure Firewall policy to enable forced tunneling.
D. Configure Azure Firewall as a next hop for the virtual network gateway in the hub.
Answer: B

This ensures all internet-bound traffic from the application subnet is routed through Azure Firewall, using its public IP.

Why this answer

Forced tunneling ensures that all internet-bound traffic is routed through the firewall. Option B is correct because a user-defined route (UDR) on the application's subnet with 0.0.0.0/0 next hop to Azure Firewall enforces that traffic goes through the firewall, thus using its public IP. Option A incorrectly suggests disabling SNAT, which would cause traffic to use the spoke's original IP, not the firewall's. Option C is not directly related to routing. Option D configures Azure Firewall as a next hop for the hub's virtual network gateway, which is not needed.

108
MCQ · hard

A company has a hub-spoke network topology. The hub virtual network contains an Azure Firewall and an ExpressRoute gateway for on-premises connectivity. The spoke virtual network hosts a critical application. They need to ensure that all outbound traffic from the spoke to the internet and to on-premises networks is routed through the Azure Firewall. They configure a user-defined route (UDR) on the spoke subnet with address prefix 0.0.0.0/0 and next hop as the Azure Firewall's private IP. They also disable 'Virtual network gateway route propagation' on the spoke subnet. However, traffic to on-premises still bypasses the firewall and goes through the ExpressRoute gateway. What is the most likely cause?

A. The Azure Firewall is not in the same region as the spoke.
B. The ExpressRoute gateway's BGP routes are still overriding the UDR because gateway propagation is not fully disabled.
C. The spoke subnet does not have a route for the on-premises prefix pointing to the firewall.
D. The route table is not associated with the spoke subnet.
Answer: C

The 0.0.0.0/0 UDR only applies to traffic with no more specific match. On-premises traffic has a specific address prefix. To route it through the firewall, you must add a UDR with that specific prefix and the next hop as the firewall.

Why this answer

The user-defined route (UDR) with 0.0.0.0/0 only covers traffic destined for the internet. Traffic to on-premises networks has a more specific destination prefix (e.g., 10.0.0.0/8). Without an explicit route for that on-premises prefix pointing to the Azure Firewall, the system uses the more specific route learned via ExpressRoute BGP, which directs traffic to the ExpressRoute gateway instead of the firewall.

Disabling 'Virtual network gateway route propagation' prevents BGP routes from being added to the route table, but it does not remove existing learned routes; however, the core issue is the lack of a specific UDR for the on-premises prefix.

Exam trap

The trap here is that candidates assume the 0.0.0.0/0 route covers all traffic, but Azure's routing logic uses the most specific prefix match, so on-premises traffic with a specific prefix will match a BGP-learned route instead of the default UDR.

How to eliminate wrong answers

Option A is wrong because Azure Firewall can be in a different region from the spoke; routing is based on the next hop IP, not region proximity. Option B is wrong because disabling 'Virtual network gateway route propagation' on the spoke subnet prevents BGP routes from being added to the route table; if propagation is disabled, BGP routes do not override the UDR. Option D is wrong because the scenario states they configured a UDR on the spoke subnet, implying the route table is associated; if it were not associated, the UDR would have no effect, but the question indicates the UDR is configured, so association is assumed.

109
MCQ · medium

A company is designing a hub-spoke network topology with Azure Firewall in the hub virtual network. Spoke virtual networks are peered to the hub. They want to ensure that all outbound internet traffic from virtual machines in a spoke subnet goes through the Azure Firewall. They have configured a route table on the spoke subnet with a default route (0.0.0.0/0) pointing to the Azure Firewall's private IP address as the next hop. However, traffic is still bypassing the firewall. What is the most likely cause?

A. The Azure Firewall is in a different region than the spoke VNet.
B. The route table is not associated to the spoke subnet.
C. The Azure Firewall does not have the correct network and application rules configured.
D. The spoke VNet has the 'Use remote virtual network gateways' setting disabled.
Answer: B

A route table must be explicitly associated to a subnet for its routes to be effective. Without association, the default system routes are used, and traffic bypasses the firewall.

Why this answer

The most likely cause is that the route table with the default route (0.0.0.0/0) pointing to the Azure Firewall's private IP has not been associated to the spoke subnet. Without this association, the route table is not applied to the subnet's traffic, so the default system route (which directs internet traffic directly to the internet) remains in effect, bypassing the firewall. Associating the route table to the subnet is a required step for user-defined routes (UDRs) to influence traffic flow.

Exam trap

The trap here is that candidates often assume creating a route table and adding a default route is sufficient, overlooking the critical step of associating the route table to the subnet, which is a distinct configuration action in the Azure portal or CLI.

How to eliminate wrong answers

Option A is wrong because Azure Firewall can be in a different region than the spoke VNet and still function correctly; cross-region peering supports traffic routing through the firewall as long as the route table is properly associated. Option C is wrong because network and application rules on the firewall control which traffic is allowed or denied, but they do not affect whether traffic is routed to the firewall in the first place; the routing issue occurs before the firewall inspects packets. Option D is wrong because the 'Use remote virtual network gateways' setting is relevant only for VPN/ExpressRoute gateway transit scenarios, not for routing traffic to an Azure Firewall via a UDR.
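Questions 108 and 109 both turn on how Azure builds a subnet's effective routes: longest prefix match wins, a user-defined route beats a gateway-learned (BGP) route of the same prefix, which in turn beats a system route, and a route table that is not associated with the subnet contributes nothing. The following simulation of that selection is an added example, not Azure code; the hub, spoke and on-premises prefixes, the firewall address, and the class names are constructed for illustration. The question 108 bypass appears when gateway-learned routes are still present in the subnet's effective routes.

```python
"""Model how Azure picks a subnet's effective route: longest prefix match first;
on equal prefix length a user-defined route beats a route learned from the
virtual network gateway (BGP), which beats a system route. A route table that
is not associated with the subnet contributes nothing. Added example, not
Azure code; the address plan is constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Tie-break order between route sources for the same prefix (lower wins).
SOURCE_RANK = {"User": 0, "VirtualNetworkGateway": 1, "Default": 2}

FIREWALL_IP = "10.0.0.4"        # hub Azure Firewall private IP (constructed)
ONPREM_PREFIX = "10.0.0.0/8"    # on-premises range learned over ExpressRoute (constructed)
SPOKE_PREFIX = "10.200.0.0/16"  # spoke VNet address space (constructed)


@dataclass
class Route:
    prefix: str
    next_hop_type: str              # "VirtualAppliance", "Internet", "VirtualNetworkGateway", "VnetLocal"
    next_hop_ip: Optional[str] = None
    source: str = "Default"         # "User", "VirtualNetworkGateway" or "Default"


@dataclass
class RouteTable:
    routes: List[Route]
    disable_bgp_propagation: bool = False   # the 'Virtual network gateway route propagation' switch


@dataclass
class Subnet:
    vnet_prefix: str
    route_table: Optional[RouteTable] = None   # None means no table is associated
    gateway_routes: List[Route] = field(default_factory=list)  # learned via ExpressRoute/VPN


def effective_routes(subnet: Subnet) -> List[Route]:
    """System routes always exist; gateway routes appear unless the associated
    table disables propagation; UDRs appear only when a table is associated."""
    routes = [Route(subnet.vnet_prefix, "VnetLocal"), Route("0.0.0.0/0", "Internet")]
    table = subnet.route_table
    if table is None or not table.disable_bgp_propagation:
        routes += subnet.gateway_routes
    if table is not None:
        routes += table.routes
    return routes


def select_route(subnet: Subnet, dest: str) -> Route:
    """Longest prefix first, then the source rank as tie-breaker."""
    d = ip_address(dest)
    candidates = [r for r in effective_routes(subnet) if d in ip_network(r.prefix)]
    return max(candidates,
               key=lambda r: (ip_network(r.prefix).prefixlen, -SOURCE_RANK[r.source]))


def next_hop(subnet: Subnet, dest: str) -> str:
    r = select_route(subnet, dest)
    return r.next_hop_ip or r.next_hop_type


def onprem_via_gateway() -> List[Route]:
    """The /8 the ExpressRoute gateway advertises into the spoke."""
    return [Route(ONPREM_PREFIX, "VirtualNetworkGateway", source="VirtualNetworkGateway")]


def default_to_firewall() -> Route:
    return Route("0.0.0.0/0", "VirtualAppliance", FIREWALL_IP, "User")


def onprem_to_firewall() -> Route:
    return Route(ONPREM_PREFIX, "VirtualAppliance", FIREWALL_IP, "User")


if __name__ == "__main__":
    # Question 109: table created but never associated -> system route to Internet
    unassociated = Subnet(SPOKE_PREFIX, None, onprem_via_gateway())
    print(next_hop(unassociated, "8.8.8.8"))             # Internet
    # Question 108: the 0.0.0.0/0 UDR catches internet traffic, but the /8
    # gateway route is more specific, so on-premises traffic bypasses the firewall
    spoke = Subnet(SPOKE_PREFIX, RouteTable([default_to_firewall()]), onprem_via_gateway())
    print(next_hop(spoke, "8.8.8.8"))                    # 10.0.0.4
    print(next_hop(spoke, "10.50.1.1"))                  # VirtualNetworkGateway
    # Fix: a UDR with the same /8 prefix outranks the gateway-learned route
    spoke.route_table.routes.append(onprem_to_firewall())
    print(next_hop(spoke, "10.50.1.1"))                  # 10.0.0.4
    print(next_hop(spoke, "10.200.3.7"))                 # VnetLocal (the /16 is longer than /8)
```

Running the script walks through both scenarios in order: no association, default UDR with a more specific gateway route still winning, and the explicit /8 UDR that finally steers on-premises traffic to the firewall. Setting `disable_bgp_propagation=True` on the table removes the gateway route from the candidates, at which point the default UDR alone catches the /8 destination.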

110
MCQ · medium

A company uses Azure Firewall to filter outbound traffic. They want to ensure that all DNS queries from virtual machines in a spoke VNet are routed through the Azure Firewall for logging and inspection. They have already configured the firewall to use a custom DNS server. Which additional Azure Firewall feature must be enabled to ensure that the VMs use the firewall as a DNS proxy?

A. Enable DNS proxy on the firewall policy
B. Configure a DNS forwarding rule
C. Enable Threat Intelligence DNS logging
D. Create a NAT rule for DNS traffic
Answer: A

Correct. DNS proxy enables the firewall to act as a DNS proxy, accepting DNS queries from VMs and forwarding them to the configured DNS server.

Why this answer

Option A is correct because enabling DNS proxy on the Azure Firewall policy allows the firewall to act as a DNS proxy for the virtual machines in the spoke VNet. When DNS proxy is enabled, the firewall listens on port 53 and forwards DNS queries from the VMs to the configured custom DNS server, ensuring all DNS traffic is logged and inspected. This is required even after setting a custom DNS server on the firewall, as the VMs must be configured to use the firewall's private IP address as their DNS server, and the proxy handles the forwarding.

Exam trap

The trap here is that candidates often confuse enabling DNS proxy with simply configuring a custom DNS server on the firewall, or they think that a NAT rule or forwarding rule alone will route DNS traffic through the firewall, but without the DNS proxy feature, the firewall does not listen on port 53 and cannot intercept DNS queries from VMs.

How to eliminate wrong answers

Option B is wrong because configuring a DNS forwarding rule is used to forward specific DNS queries to different DNS servers based on domain names, but it does not enable the firewall to act as a DNS proxy for all VM DNS traffic; the VMs still need to point to the firewall's IP, and the proxy feature must be enabled. Option C is wrong because enabling Threat Intelligence DNS logging only logs DNS queries that match threat intelligence indicators, but it does not route or proxy DNS traffic through the firewall; it is a logging feature, not a routing mechanism. Option D is wrong because creating a NAT rule for DNS traffic would translate the destination IP of DNS queries, but it does not make the firewall a DNS proxy; the VMs would still need to send DNS queries directly to the firewall's IP, and without DNS proxy, the firewall does not listen on port 53 for DNS queries.

111
MCQ · hard

Your organization has multiple Azure subscriptions that need to connect to a shared on-premises data center via ExpressRoute. You plan to use Azure Virtual WAN with secured hubs. Each subscription contains VNets that must communicate with on-premises and with each other through the hub. You need to ensure that traffic between VNets in different subscriptions is routed through the Azure Firewall. What configuration is required?

A. Connect each VNet to the same Virtual WAN hub and enable inter-hub routing with Azure Firewall inspection.
B. Establish VNet peering between VNets in different subscriptions and use NSGs to filter traffic.
C. Create a site-to-site VPN between the VNets and force traffic through a VPN Gateway.
D. Use Azure Firewall Manager to deploy firewalls in each VNet and route traffic between VNets through them.
Answer: A

Virtual WAN hubs can route traffic through Azure Firewall for inspection.

Why this answer

Option A is correct because Virtual WAN inter-hub routing can inspect traffic if the hubs are secured with Azure Firewall, and routing policies can force traffic through the firewall. Option B is wrong because VNet peering bypasses the firewall and NSGs do not provide centralized inspection. Option C is wrong because a VPN Gateway is not needed for inter-subscription traffic.

112
MCQ · medium

Your company uses Azure Firewall Premium. You need to inspect outbound traffic for malware using signature-based detection. Which feature should you enable?

A. Web categories
B. URL filtering
C. Threat intelligence-based filtering
D. Intrusion Detection and Prevention System (IDPS)
Answer: D

IDPS provides signature-based detection for malware and exploits.

Why this answer

Option D is correct because Azure Firewall Premium includes IDPS with signature-based detection for malware. Option A is wrong because web categories are for content filtering. Option B is wrong because URL filtering is for categorizing URLs. Option C is wrong because threat intelligence filtering is for known malicious IPs/domains, not file-based malware.

113
MCQ · easy

You are analyzing network traffic patterns. You have configured NSG flow logs with Traffic Analytics as shown in the exhibit. You need to identify which virtual machines are communicating with a specific malicious IP address. Which tool should you use to query the flow log data?

A. Azure Storage Explorer
B. Log Analytics workspace using KQL queries
C. Azure Monitor Metrics Explorer
D. Network Watcher Topology
Answer: B

Traffic Analytics sends flow logs to Log Analytics, which can be queried with KQL to find traffic to a specific IP.

Why this answer

Option B is correct because Traffic Analytics stores flow log data in a Log Analytics workspace, which can be queried using KQL (Kusto Query Language) to identify traffic to a specific IP. Option A is wrong because Azure Storage Explorer can view raw logs but is not optimized for querying. Option C is wrong because Azure Monitor Metrics Explorer does not contain flow log details. Option D is wrong because Azure Network Watcher's topology view is for visualizing network resources, not querying flow logs.

114
MCQ · medium

Your company deploys a web application in an Azure App Service that needs to securely connect to an Azure SQL Database. You want to avoid exposing the database to the public internet. What is the recommended approach?

A. Configure the SQL database firewall to allow only the App Service outbound IP
B. Use Azure Firewall to block outbound traffic to the database
C. Create an NSG on the database subnet to deny internet traffic
D. Use a private endpoint for the SQL database and VNet integration for the App Service
Answer: D

This keeps traffic within the Microsoft backbone and avoids public exposure.

Why this answer

Option D is correct because a private endpoint assigns a private IP to the database within the VNet, and the App Service can connect via VNet integration. Option A is wrong because the SQL firewall allows public IPs but is less secure. Option B is wrong because Azure Firewall can filter but the database still has a public endpoint. Option C is wrong because NSGs on the database subnet do not prevent internet exposure if the database has a public endpoint.

115
MCQ · easy

You are designing a network security strategy for a new application that will be hosted on Azure Virtual Machines. The application must be accessible from the internet on TCP port 443. You need to minimize the attack surface and ensure that only legitimate traffic reaches the virtual machines. Which Azure service should you deploy in front of the virtual machines?

A. Azure Front Door with WAF.
B. Azure Firewall.
C. Network Security Group (NSG) on the subnet.
D. Azure Application Gateway with Web Application Firewall (WAF).
Answer: D

Provides Layer 7 protection and WAF to filter malicious traffic.

Why this answer

Option D is correct: Azure Application Gateway with Web Application Firewall (WAF) provides Layer 7 load balancing and WAF capabilities to protect against web attacks. Option A is incorrect because Azure Front Door is a global load balancer, but for a single region, Application Gateway is more appropriate for minimizing attack surface with WAF. Option B is incorrect because Azure Firewall is a stateful firewall but lacks WAF capabilities for web-specific threats. Option C is incorrect because Network Security Groups are not deployed in front of VMs as a service; they are applied at the subnet or NIC level.

116
MCQ · medium

You are configuring a site-to-site VPN connection between your on-premises network and Azure. You need to ensure that traffic between the networks is encrypted and authenticated. Which Azure service should you use?

A. Azure Virtual WAN
B. Azure ExpressRoute
C. Azure Firewall
D. Azure VPN Gateway
Answer: D

VPN Gateway provides encrypted IPsec tunnels for site-to-site connectivity.

Why this answer

Option D is correct because Azure VPN Gateway provides encrypted and authenticated site-to-site VPN connections using IPsec. Option A is wrong because Azure Virtual WAN can include VPN capabilities but is a broader service. Option B is wrong because Azure ExpressRoute provides private connectivity but does not encrypt traffic by default. Option C is wrong because Azure Firewall is a network firewall, not a VPN gateway.

117
MCQ · easy

You need to provide secure remote access to Azure virtual machines for administrators without exposing them to the public internet. The solution must use a single entry point and support Azure Active Directory (now Microsoft Entra ID) authentication. Which Azure service should you use?

A. Azure Bastion.
B. Just-in-time (JIT) VM access with Microsoft Defender for Cloud.
C. Azure Front Door with private endpoints.
D. Azure VPN Gateway with point-to-site VPN.
Answer: A

Azure Bastion is a fully managed service that provides secure and seamless RDP/SSH access to VMs via the portal, using Entra ID authentication.

Why this answer

Option A is correct because Azure Bastion provides secure RDP/SSH access to VMs directly from the Azure portal, without public IPs, and supports Entra ID authentication. The other options either expose VMs or don't provide a single entry point.

118
MCQ · easy

You have an Azure virtual network (VNet1) with two subnets: SubnetA and SubnetB. SubnetA hosts web servers that must be accessible from the internet. SubnetB hosts application servers that should only be accessible from SubnetA. You need to configure network security groups (NSGs) to enforce this traffic flow. The solution must allow HTTP and HTTPS traffic from the internet to SubnetA, and allow only traffic from SubnetA to SubnetB. All other inbound traffic should be denied. What is the most efficient way to configure the NSGs?

A. Apply an NSG to SubnetA with inbound rules allowing HTTP/HTTPS from Internet, and apply a separate NSG to SubnetB with inbound rules allowing only traffic from SubnetA.
B. Apply one NSG to both subnets with rules allowing HTTP/HTTPS from internet, and allow traffic from SubnetA to SubnetB.
C. Use application security groups (ASGs) on the web servers and application servers, and configure NSG rules referencing the ASGs.
D. Deploy Azure Firewall in the virtual network and configure application rules to allow HTTP/HTTPS to SubnetA and traffic to SubnetB.
Answer: A

Separate NSGs provide clear isolation and are efficient.

Why this answer

Option A is correct. Apply an NSG to SubnetA with rules allowing HTTP/HTTPS from the internet and denying all other inbound traffic. Apply an NSG to SubnetB with a rule allowing traffic from SubnetA and denying all other inbound traffic. This is efficient and meets the requirements. Option B is inefficient because a single NSG on both subnets would still allow internet traffic to reach SubnetB unless it is explicitly denied. Option C is incorrect because ASGs alone don't filter traffic. Option D is incorrect because Azure Firewall is overkill.
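Questions 106 and 118 both come down to the same mechanic: an NSG evaluates inbound rules in ascending priority order, the first match decides, and the built-in default rules (AllowVnetInBound at 65000, AllowAzureLoadBalancerInBound at 65001, DenyAllInBound at 65500) are evaluated last. The simulation below is an added example, not Azure code; the VNet address plan, the rule names and the `evaluate` helper are constructed, and the VirtualNetwork and Internet service tags are approximated by the constructed VNet space. It builds the question 106 RDP rule set and the two question 118 NSGs and reports which rule decides a given flow, which also shows why the explicit deny matters: without it, the default AllowVnetInBound rule still admits RDP from any address inside the VNet.

```python
"""Simulate how an Azure NSG evaluates inbound traffic: rules are checked in
ascending priority order and the first match wins, with the three built-in
default rules (65000, 65001, 65500) evaluated last. Added example, not
Azure code; the address ranges are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple

# Constructed address plan (assumption): one VNet with a web and an app subnet.
VNET_SPACE = ip_network("10.10.0.0/16")
SUBNET_A = "10.10.1.0/24"      # web servers, reachable from the internet
SUBNET_B = "10.10.2.0/24"      # app servers, reachable only from SubnetA
CORP_VPN = "203.0.113.0/26"    # corporate VPN public range from question 106
AZURE_LB = ip_network("168.63.129.16/32")  # AzureLoadBalancer health-probe source


@dataclass
class Rule:
    name: str
    priority: int           # 100-4096 for custom rules; lower number wins
    action: str             # "Allow" or "Deny"
    protocol: str           # "Tcp", "Udp" or "*"
    source: str             # CIDR prefix, "*", or a service tag name
    dest_ports: List[int]   # empty list means any destination port


# The default rules every NSG carries; they cannot be deleted, only overridden
# by a custom rule with a lower priority number.
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", []),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "AzureLoadBalancer", []),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", []),
]


def _source_matches(source: str, src_ip) -> bool:
    """Service tags are approximated here (assumption): VirtualNetwork is the
    constructed VNet space and Internet is anything outside it."""
    if source == "*":
        return True
    if source == "VirtualNetwork":
        return src_ip in VNET_SPACE
    if source == "Internet":
        return src_ip not in VNET_SPACE
    if source == "AzureLoadBalancer":
        return src_ip in AZURE_LB
    return src_ip in ip_network(source)


def evaluate(custom_rules: List[Rule], src: str, dest_port: int,
             protocol: str = "Tcp") -> Tuple[str, str]:
    """Return (action, deciding rule name) for an inbound flow."""
    src_ip = ip_address(src)
    for rule in sorted(custom_rules + DEFAULT_RULES, key=lambda r: r.priority):
        if rule.protocol not in ("*", protocol):
            continue
        if rule.dest_ports and dest_port not in rule.dest_ports:
            continue
        if _source_matches(rule.source, src_ip):
            return rule.action, rule.name
    raise AssertionError("DenyAllInBound always matches")  # unreachable


def rdp_nsg(explicit_deny: bool = True) -> List[Rule]:
    """Question 106: allow RDP only from the corporate VPN range. The explicit
    deny has a higher priority number than the allow, so the allow is seen first."""
    rules = [Rule("Allow-RDP-Corp", 100, "Allow", "Tcp", CORP_VPN, [3389])]
    if explicit_deny:
        rules.append(Rule("Deny-RDP-Other", 200, "Deny", "Tcp", "*", [3389]))
    return rules


def subnet_a_nsg() -> List[Rule]:
    """Question 118, web tier: HTTP/HTTPS from the internet, nothing else."""
    return [Rule("Allow-Web-Internet", 100, "Allow", "Tcp", "Internet", [80, 443]),
            Rule("Deny-All-Inbound", 4096, "Deny", "*", "*", [])]


def subnet_b_nsg() -> List[Rule]:
    """Question 118, app tier: only SubnetA may reach it. The explicit deny at
    4096 is what blocks other VNet subnets, which AllowVnetInBound would admit."""
    return [Rule("Allow-From-SubnetA", 100, "Allow", "*", SUBNET_A, []),
            Rule("Deny-All-Inbound", 4096, "Deny", "*", "*", [])]


if __name__ == "__main__":
    print(evaluate(rdp_nsg(), "203.0.113.10", 3389))       # ('Allow', 'Allow-RDP-Corp')
    print(evaluate(rdp_nsg(), "198.51.100.7", 3389))       # ('Deny', 'Deny-RDP-Other')
    print(evaluate(rdp_nsg(False), "10.10.2.5", 3389))     # ('Allow', 'AllowVnetInBound')
    print(evaluate(subnet_b_nsg(), "10.10.3.4", 8080))     # ('Deny', 'Deny-All-Inbound')
```

The third printed line is the practical caveat: with only the allow rule and the built-in defaults, RDP from another subnet in the same VNet is admitted by AllowVnetInBound, so "rely on the default deny" holds for internet sources but not for VNet-internal ones. The same reasoning is why the SubnetB NSG carries its own deny at 4096.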

119
MCQ · medium

You have an Azure subscription with multiple virtual networks. You need to centrally manage and enforce security policies for all outbound traffic from virtual machines to the internet. The solution must be able to inspect traffic and log all connections. What should you deploy?

A. Azure Firewall in a hub virtual network.
B. Network security groups (NSGs) on all subnets.
C. Azure Application Gateway with WAF.
D. Azure VPN Gateway with forced tunneling.
Answer: A

Azure Firewall is a managed, cloud-based firewall service that provides outbound traffic inspection and logging.

Why this answer

Option A is correct because Azure Firewall provides centralized outbound traffic management, inspection, and logging. Option B is wrong because NSGs don't inspect traffic. Option C is wrong because Application Gateway is for inbound web traffic. Option D is wrong because VPN gateway is for site-to-site connectivity.

120
MCQ · easy

A company has Azure virtual machines that need to download updates from specific external websites (e.g., *.microsoft.com and *.windowsupdate.com). The security team wants to centrally manage and allow outbound HTTPS traffic only to these FQDNs, while blocking all other outbound internet access. Which Azure networking service should they deploy to achieve this?

A. Azure Firewall
B. Azure Application Gateway
C. Azure Front Door
D. Azure VPN Gateway
Answer: A

Azure Firewall provides application rules that allow or deny outbound traffic based on FQDNs, making it the correct choice for this requirement.

Why this answer

Azure Firewall is a managed, cloud-native network security service that can centrally enforce outbound FQDN-based rules. It allows you to create application rules that permit HTTPS traffic to specific FQDNs (e.g., *.microsoft.com) while blocking all other outbound internet access, meeting the security team's requirement for granular, centralized control.

Exam trap

The trap here is that candidates often confuse Azure Firewall with Azure Application Gateway, mistakenly thinking the latter can filter outbound traffic, but Application Gateway is strictly an inbound reverse proxy and cannot enforce outbound FQDN rules.

How to eliminate wrong answers

Option B (Azure Application Gateway) is wrong because it is a Layer 7 load balancer designed for inbound HTTP/HTTPS traffic routing and Web Application Firewall (WAF) protection, not for centrally controlling outbound traffic to specific FQDNs. Option C (Azure Front Door) is wrong because it is a global load balancer and application delivery controller for inbound traffic, optimizing performance and providing WAF, but it does not manage outbound traffic from virtual networks. Option D (Azure VPN Gateway) is wrong because it establishes encrypted tunnels between on-premises networks and Azure, or between VNets, and does not provide FQDN-based filtering or internet traffic control.

121
MCQ · hard

A company has a hub-spoke network topology in Azure. They need to inspect and filter all traffic flowing between spoke virtual networks for malicious content and require that the inspection is stateful. Which Azure-native service should they deploy in the hub virtual network to meet this requirement?

A. Azure Firewall
B. Network Security Groups (NSG) on the peering connections
C. Azure Application Gateway with WAF
D. Azure DDoS Protection Standard
Answer: A

Azure Firewall provides stateful inspection and can filter traffic between spoke VNets when configured as a hub. It supports network and application rules, including threat intelligence-based filtering.

Why this answer

Azure Firewall is the correct choice because it is a fully stateful, managed firewall service that can inspect and filter traffic at Layers 3–7. In a hub-spoke topology, deploying Azure Firewall in the hub virtual network allows it to centrally inspect all traffic flowing between spoke virtual networks via forced tunneling (user-defined routes) or through the hub's network virtual appliance, meeting the requirement for stateful inspection of inter-spoke traffic.

Exam trap

The trap here is that candidates often assume NSGs are stateful (they are stateless) or assume Azure Firewall is only for internet-bound traffic, missing that it can also inspect east-west traffic between spoke VNets via forced tunneling.

How to eliminate wrong answers

Option B is wrong because Network Security Groups (NSGs) are stateless (they do not track connection state) and cannot be applied directly to peering connections; they are applied to subnets or NICs and lack advanced inspection capabilities like intrusion detection. Option C is wrong because Azure Application Gateway with WAF is a Layer 7 load balancer focused on HTTP/HTTPS traffic and does not provide stateful inspection of all network traffic (e.g., non-web protocols) between spoke VNets. Option D is wrong because Azure DDoS Protection Standard is a mitigation service for volumetric DDoS attacks, not a stateful firewall for inspecting and filtering inter-spoke traffic.

122
MCQ · medium

You need to secure outbound traffic from an Azure virtual network to the internet. All outbound traffic must be inspected by a firewall and logged. You also need to ensure that traffic to known malicious IP addresses is blocked. Which solution should you implement?

A. Use Network Security Groups (NSGs) with default outbound deny rules.
B. Deploy Azure Front Door with WAF policy.
C. Enable Azure DDoS Protection on the virtual network.
D. Configure Azure Firewall with threat intelligence-based filtering and route all outbound traffic through it.
Answer: D

Azure Firewall can inspect, log, and block malicious outbound traffic based on threat intelligence.

Why this answer

Option A is correct because Azure Firewall provides outbound traffic inspection, logging, and threat intelligence-based filtering to block known malicious IPs. Option B is wrong because NSGs do not have threat intelligence filtering and are not designed for centralized logging of all outbound traffic. Option C is wrong because Azure Front Door is for inbound HTTP/HTTPS traffic.

Option D is wrong because Azure DDoS Protection is for inbound volumetric attacks.

123
Multi-Select · hard

A company uses Azure Firewall Premium to inspect outbound traffic. They want to deploy a web application that must comply with the Payment Card Industry Data Security Standard (PCI DSS). Which TWO capabilities should be enabled to meet PCI DSS requirements for network security?

Select 2 answers
A. Intrusion Detection and Prevention System (IDPS)
B. TLS inspection
C. URL filtering
D. DNS proxy
Answers: A, B

PCI DSS requires a network intrusion detection/prevention system.

Why this answer

Options A and D are correct. TLS inspection allows the firewall to decrypt and inspect HTTPS traffic, which is often required for compliance. IDPS provides signature-based detection of threats, meeting the requirement for intrusion detection/prevention.

Option B is wrong because DNS proxy is not a PCI DSS requirement. Option C is wrong because URL filtering is about web categories, not specifically required by PCI DSS. Option E is wrong because SNAT is a function of NAT, not a compliance feature.

124
MCQ · medium

You are an Azure security engineer. Your team has assigned the Azure Policy shown in the exhibit. A developer creates a new virtual network with a subnet that does not have a Network Security Group (NSG) associated. What will happen when the policy is evaluated?

A. A default NSG is automatically associated with the subnet.
B. The virtual network creation fails because a subnet lacks an NSG.
C. The virtual network is created, but the subnet is denied.
D. The virtual network is created, and a non-compliant alert is generated.
Answer: B

The deny effect prevents the deployment of the virtual network.

Why this answer

Option C is correct because the policy denies the creation of a virtual network if any subnet does not have an NSG associated. The existenceCondition checks that for each subnet, an NSG exists; if false, the deny effect is triggered, and the virtual network creation fails. Option A is wrong because the policy does not audit; it denies.

Option B is wrong because the policy denies the entire virtual network deployment. Option D is wrong because the policy does not create an NSG automatically.

125
MCQ · hard

Refer to the exhibit. A security administrator runs the Azure CLI commands to create a VM with a single NIC and applies an NSG rule to deny outbound TCP traffic to the Internet on ports 80 and 443. However, the VM can still access websites on the Internet. What is the most likely reason?

A. The NSG rule uses the 'Internet' service tag incorrectly; it should specify an IP range.
B. The NSG is not associated with the NIC because the command did not specify the NIC correctly.
C. The NSG rule is applied at the NIC level, but the subnet's NSG (if any) has a default outbound allow rule that takes precedence.
D. The NSG rule should be an inbound rule to block outbound traffic.
Answer: C

If the subnet has no NSG, the default outbound allow rule permits traffic, and the NIC NSG rule is not evaluated because the first match (subnet default allow) applies.

Why this answer

The NSG rule denies traffic to the 'Internet' service tag, but the NIC is attached to a subnet that may also have an NSG that allows outbound traffic. Additionally, the rule specifies the 'Tcp' protocol with ports 80 and 443, and HTTPS uses TCP port 443, so the rule should block it.

However, Azure VMs have default outbound access via SNAT; if the VM is using a public IP or has a default route, the NSG should block. The most likely issue is that the NSG is applied to the NIC but not to the subnet, and the subnet's default NSG (or lack thereof) allows traffic. But the commands show the NSG applied to the NIC.

Another possibility: the rule priority is 100, but maybe there is a higher-priority allow rule? The commands do not show any allow rule. Actually, the problem may be that the NSG rule's protocol is 'Tcp' but the outbound traffic might be using UDP? Unlikely. The correct answer is that the NSG is not associated with the subnet; a NIC-level NSG works, but the rule's destination is the 'Internet' tag, which should work.

The most plausible answer is that the VM has a public IP and the NSG rule is outbound, but maybe the VM is using a different port (e.g., 443 is blocked but 80 is allowed? No). Wait, the commands do not create a VM; they create a NIC and NSG, but the NIC is not attached to a VM? Actually, the commands create a VNet, subnet, NIC, NSG, and attach NSG to NIC. They do not create a VM.

But the stem says 'creates a VM with a single NIC' assuming the NIC is used for a VM. The real issue: the NSG rule denies TCP to Internet on ports 80 and 443, but the VM may be using a different protocol (e.g., HTTP/HTTPS uses TCP). The most likely reason: the NSG is applied at the NIC level, but the subnet may have a separate NSG that allows the traffic, and NSG rules are evaluated at both levels (subnet first, then NIC).

If the subnet NSG allows, the traffic is allowed. The commands do not apply an NSG to the subnet. Therefore, the default subnet NSG (if any) or no NSG on subnet means no filtering at subnet level.

However, the NIC NSG should still block. Actually, Azure NSG evaluation: subnet NSG is evaluated first, then NIC NSG. If subnet NSG has no rule, it defaults to allow all.

So the traffic would be allowed by subnet NSG default allow, and then NIC NSG denies, but the overall is deny? Actually, security rules are evaluated and the first match applies. If subnet NSG has no rule (default deny inbound, default allow outbound), the default outbound allow would match and allow the traffic before the NIC NSG rule is evaluated. That's the catch: default outbound allow in subnet NSG lets traffic out, and the NIC NSG deny rule is not evaluated because a match already occurred.

So the correct answer is that the subnet has no NSG, and its default outbound rule allows all traffic.

126
MCQ · medium

Refer to the exhibit. You are reviewing an NSG rule configuration for a subnet. The source subnet is 10.0.0.0/24 and the destination subnet is 10.0.1.0/24. What is the effect of this rule?

A. Allows outbound SSH traffic from 10.0.1.0/24 to 10.0.0.0/24.
B. Blocks inbound SSH traffic from 10.0.0.0/24 to 10.0.1.0/24.
C. Allows all inbound traffic from 10.0.0.0/24 to 10.0.1.0/24.
D. Allows inbound SSH traffic from 10.0.0.0/24 to 10.0.1.0/24.
Answer: D

The rule explicitly allows SSH from the source to the destination.

Why this answer

Option A is correct because the rule allows inbound TCP traffic on port 22 from source range 10.0.0.0/24 to destination range 10.0.1.0/24. Option B is wrong because the rule allows inbound, not outbound. Option C is wrong because the rule allows SSH, not blocks.

Option D is wrong because the rule is specific to port 22.

127
Multi-Select · easy

Your company has a single Azure subscription with a hub-and-spoke network topology. The hub virtual network contains Azure Firewall and a VPN gateway for hybrid connectivity. You need to ensure that all traffic from the spoke virtual networks to on-premises is inspected by the Azure Firewall. Which THREE actions should you take? (Choose three.)

Select 3 answers
A. Enable BGP on the Azure VPN gateway and advertise routes to the on-premises network.
B. Configure Azure Firewall with a route to the VPN gateway for on-premises traffic.
C. In the hub virtual network, set 'Use remote gateways' on the peering connection to the spoke.
D. Configure user-defined routes (UDRs) in each spoke subnet with 0.0.0.0/0 next hop to Azure Firewall, and include on-premises prefixes with next hop to Azure Firewall.
E. In the spoke virtual network, set 'Gateway transit' on the peering connection to the hub.
Answers: B, D, E

The firewall needs a route to forward traffic to the VPN gateway.

Why this answer

Option A is correct: UDRs force spoke traffic to the firewall. Option B is correct: The firewall must be configured to route traffic to the VPN gateway. Option C is correct: Propagating gateway routes ensures the route table includes routes from the VPN gateway.

Option D is incorrect because VNet peering does not inspect traffic. Option E is incorrect because BGP does not force traffic through the firewall.

128
MCQ · medium

Your company has an Azure subscription with several VNets. You deploy Azure Firewall in a hub VNet. You need to ensure that all traffic from spoke VNets to the internet goes through the firewall. What should you configure?

A. Configure forced tunneling on the spoke VNet gateways.
B. Enable VNet peering to the hub VNet.
C. Apply an Azure Firewall policy that denies internet access for spoke VNets.
D. Create a route table with a default route (0.0.0.0/0) to the Azure Firewall private IP and associate it with the spoke subnets.
Answer: D

UDRs override Azure's default routing to force traffic through the firewall.

Why this answer

Option A is correct because a User-Defined Route (UDR) with next hop type VirtualAppliance and the firewall's private IP forces traffic to the firewall. Option B is wrong because forced tunneling is a VPN configuration. Option C is wrong because Azure Firewall policies define rules, not routing.

Option D is wrong because VNet peering does not route traffic; it provides connectivity.

129
MCQ · hard

Your organization is deploying a multi-region application using Azure Front Door to distribute traffic. You need to ensure that only traffic from Azure Front Door can reach the backend origins (App Services) and that no direct internet traffic bypasses Front Door. What combination of steps should you take?

A. Configure App Service Access Restrictions to deny all public traffic and enable Azure Front Door private link.
B. Configure Azure Front Door to use a custom domain and enable Azure WAF on Front Door.
C. Configure App Service Access Restrictions to allow only the 'AzureFrontDoor.Backend' service tag.
D. Configure App Service Access Restrictions to allow only the Azure Front Door backend IP ranges and validate the X-Azure-FDID header.
Answer: D

This ensures only traffic from your Front Door instance (checked via header) and from Front Door IP ranges is allowed.

Why this answer

Azure Front Door uses a set of backend IP ranges. By configuring Access Restrictions on App Service to allow only those IP ranges and enabling the 'X-Azure-FDID' header check, you ensure only Front Door traffic is accepted. Disabling public access entirely would break Front Door's ability to reach the backend.

130
MCQ · medium

You are designing a network security solution for a multi-tier application in Azure. The web tier must be accessible from the internet, the application tier only from the web tier, and the database tier only from the application tier. All tiers are in different subnets of the same VNet. What is the minimum configuration?

A. Use service endpoints for each tier.
B. Create separate VNets for each tier and use VNet peering.
C. Deploy Azure Firewall in the VNet and route all traffic through it.
D. Configure NSGs on each subnet with appropriate allow rules.
Answer: D

NSGs can filter traffic between subnets.

Why this answer

Option A is correct because NSGs on each subnet can control inbound traffic: allow internet to web, allow web to app, allow app to db. Option B is wrong because Azure Firewall is not required. Option C is wrong because VNet peering is not needed.

Option D is wrong because service endpoints are for Azure services.

131
MCQ · medium

A company uses Azure Virtual WAN with secured virtual hubs. The security team wants to ensure that all traffic from branch offices to Azure resources is inspected by the Azure Firewall in the secured hub. What configuration is needed?

A. Add user-defined routes in each spoke pointing to the Azure Firewall.
B. Configure forced tunneling on the branch VPN devices to send all traffic to the hub.
C. Enable 'Inter-hub' and 'Branch-to-branch' traffic routing in the Virtual WAN settings.
D. Create a firewall policy in Azure Firewall Manager and associate it with the virtual hub.
Answer: C

These settings ensure all traffic flows through the secured hub.

Why this answer

Option C is correct because Virtual WAN automatically routes traffic through secured hubs when configured. Option A is wrong because Azure Firewall Manager is used to configure policies, not routing. Option B is wrong because forced tunneling is for Azure VPN Gateway, not Virtual WAN.

Option D is wrong because UDRs are not needed in Virtual WAN.

132
MCQ · hard

A company uses Azure Front Door (AFD) with WAF policy in front of a web application. The security team notices that some requests from a specific IP range are being blocked incorrectly. The WAF policy uses custom rules. The team wants to allow a specific IP range while still having the WAF inspect other traffic. What is the most efficient way to configure this?

A. Add a custom rule with priority 100, action 'Block', and match condition for the IP range.
B. Create a custom rule with priority 1, action 'Allow', and match condition for the source IP range.
C. Add a rate limit rule that allows traffic from the IP range.
D. Disable the managed rule sets for the specific IP range using a geo-match condition.
Answer: B

A custom rule with higher priority (lower number) evaluates first and allows the traffic, skipping remaining rules.

Why this answer

Option A is correct because custom rules are evaluated before managed rule sets, and a rule with priority 1 and action 'Allow' for the IP range will allow that traffic, bypassing later rules (including managed rules). Option B is wrong because managed rule sets apply to all traffic after custom rules, so disabling them for that range is not granular. Option C is wrong because rate limiting is for limiting request rates, not for allowing specific IPs.

Option D is wrong because 'Block' action would block the IP range, not allow it.

133
MCQ · hard

A company has two Azure virtual networks: VNet-A and VNet-B. They peer the VNets and deploy a network virtual appliance (NVA) in VNet-A. They want to inspect all outbound traffic from VNet-B to the internet using the NVA. They configure a user-defined route (UDR) in a route table associated with the subnet in VNet-B, with a default route (0.0.0.0/0) and next hop set to the private IP of the NVA in VNet-A. However, outbound traffic from VNet-B still goes directly to the internet. What is the most likely cause?

A. The NVA's network interface must have 'IP forwarding' enabled.
B. The VNet peering is not configured to allow traffic from VNet-B to route through VNet-A.
C. The route table is not associated with the subnet in VNet-B.
D. The NVA does not have a public IP address.
Answer: A

IP forwarding allows the NVA to accept and forward traffic not destined to its own IP. Without it, the NVA drops the packets.

Why this answer

The most likely cause is that IP forwarding is disabled on the NVA's network interface. Even with a correct user-defined route (UDR) pointing 0.0.0.0/0 traffic to the NVA's private IP, Azure will drop packets destined to the NVA unless the NIC is configured to accept and forward traffic not addressed to itself. Enabling IP forwarding allows the NVA to act as a router, processing and forwarding packets between VNets.

Exam trap

The trap here is that candidates assume a UDR alone is sufficient to force traffic through an NVA, forgetting that the NVA's NIC must explicitly be configured to forward traffic not destined to itself.

How to eliminate wrong answers

Option B is wrong because VNet peering does not need a specific 'allow routing through' setting; peered VNets can route traffic between each other by default, and the UDR in VNet-B already directs traffic to the NVA in VNet-A. Option C is wrong because the question states the route table is associated with the subnet in VNet-B, so a missing association is not the issue. Option D is wrong because the NVA does not require a public IP address to inspect outbound traffic; it only needs a private IP to receive and forward traffic from VNet-B, and internet-bound traffic can be routed through the NVA without a public IP on the NVA itself.

134
MCQ · medium

Your company has a hub-and-spoke network topology in Azure. The hub virtual network contains an Azure Firewall and a VPN gateway. Spoke virtual networks are peered to the hub. You need to ensure that all outbound traffic from spoke VMs to the internet is routed through the Azure Firewall. What should you configure on the spoke virtual networks?

A. Apply a network security group (NSG) to the spoke subnets with a deny rule for internet traffic
B. Configure VNet peering with 'Use remote gateway' enabled
C. Create a route table with a route for 0.0.0.0/0 pointing to the Azure Firewall private IP, and associate it with the spoke subnets
D. Configure the Azure Firewall to use forced tunneling
Answer: C

User-defined routes (UDRs) force traffic to the firewall for inspection.

Why this answer

Option C is correct because adding a route table with a default route (0.0.0.0/0) pointing to the Azure Firewall as the next hop forces all outbound traffic through the firewall. Option A is wrong because VNet peering does not automatically route internet traffic through a firewall. Option B is wrong because NSGs can control inbound/outbound rules but cannot route traffic.

Option D is wrong because the firewall itself doesn't need a route table change.

135
MCQ · easy

Your organization uses Microsoft Sentinel for security monitoring. You have configured data connectors to collect logs from Azure Firewall and Windows Event logs from virtual machines. You need to ensure that network traffic from a specific subnet is not sent to Microsoft Sentinel due to privacy regulations. What should you do?

A. Create an analytics rule to delete events from the subnet after ingestion.
B. Configure a network security group (NSG) to block traffic from the subnet to Microsoft Sentinel.
C. Create a workbook in Microsoft Sentinel that filters out the subnet data.
D. Modify the Azure Firewall data connector settings to exclude the subnet IP range.
Answer: D

This prevents logs from that subnet from being collected.

Why this answer

Option B is correct: Azure Policy can be used to audit or enforce resource configurations, but to prevent data from being sent to Sentinel, the best approach is to filter at the source using NSG flow logs or by not configuring the data connector for that subnet. However, the question asks for a direct action. Option B is correct because you can configure the Azure Firewall data connector to exclude certain IP ranges.

Option A is incorrect because network security groups do not filter logs to Sentinel. Option C is incorrect because workbook filters only affect visualization, not ingestion. Option D is incorrect because analytics rules do not affect ingestion.

136
MCQ · hard

You are troubleshooting connectivity between two Azure virtual machines in different VNets that are peered. VM1 (10.0.1.4) cannot reach VM2 (10.0.2.4) on port 80. Both VNets have NSGs allowing HTTP traffic from each other's IP ranges. The VNet peering is in 'Connected' state. You verify that the VMs' operating system firewalls allow HTTP. What is the most likely cause of the connectivity issue?

A. NSGs are not stateful and require explicit outbound rules.
B. The VNet peering status is disconnected.
C. Azure Firewall is blocking traffic between the VNets.
D. The NSG on VM2's subnet does not allow inbound traffic from VM1's VNet address space.
Answer: D

NSGs filter traffic even across peered VNets; you must allow the source IP range.

Why this answer

Option B is correct because VNet peering does not automatically allow traffic through the peer's NSG; you must explicitly configure NSG rules to allow traffic from the peered VNet's address space. Option A is wrong because the peering status is Connected, so it is not broken. Option C is wrong because NSGs are stateful, so return traffic is allowed automatically.

Option D is wrong because Azure Firewall might block traffic but is not mentioned in the scenario.

137
MCQ · medium

A company deploys Azure Firewall in a hub VNet to inspect all outbound traffic from a spoke VNet. They enable VNet peering between the hub and spoke. They create a route table with a default route (0.0.0.0/0) pointing to the firewall's private IP as the next hop, and associate it with the spoke subnets. However, outbound traffic from the spoke subnets is still going directly to the internet, bypassing the firewall. What is the most likely cause?

A. The route table's next hop type is not set to 'Virtual appliance'
B. The route table is not associated with the subnet
C. The hub-spoke peering is not configured correctly
D. Azure Firewall is in a different resource group
Answer: A

For user-defined routes that point to a virtual appliance like Azure Firewall, the next hop type must be 'Virtual appliance'. Setting it to 'Internet' or any other type causes traffic to bypass the firewall.

Why this answer

The most likely cause is that the route table's next hop type is not set to 'Virtual appliance'. When creating a custom route in Azure, the next hop type must be explicitly set to 'Virtual appliance' and the next hop address must be the firewall's private IP. If the next hop type is left as 'Internet' or another value, Azure will ignore the custom route and use the default system route for 0.0.0.0/0, which sends traffic directly to the internet without inspection.

Exam trap

The trap here is that candidates assume any custom route with a firewall IP will work, but Azure requires the next hop type to be explicitly set to 'Virtual appliance' to override the default system route for 0.0.0.0/0.

How to eliminate wrong answers

Option B is wrong because if the route table were not associated with the subnet, the custom route would not apply at all, and traffic would use the default system route—but the question states the route table is associated with the spoke subnets, so this is not the issue. Option C is wrong because VNet peering is correctly enabled between hub and spoke; peering configuration does not affect the next hop type of a route table, and traffic can still flow through the firewall if the route is correct. Option D is wrong because Azure Firewall can be in a different resource group without impacting routing; resource group placement has no effect on network traffic flow or route table functionality.

138
Multi-Select · medium

You are designing a secure network for an e-commerce application in Azure. The application consists of web servers, application servers, and database servers. You need to ensure that inbound traffic is filtered at multiple layers. Which THREE Azure services should you use to implement defense in depth for network security?

Select 3 answers
A. Azure Application Gateway with WAF policy
B. Azure Front Door with WAF policy
C. Network Security Groups (NSGs)
D. Azure Bastion
E. Azure DNS
Answers: A, B, C

Provides application-layer filtering before web servers.

Why this answer

Option A is correct because Azure Front Door with WAF provides application-layer filtering at the edge. Option B is correct because Azure Application Gateway with WAF provides application-layer filtering before traffic reaches the web servers. Option C is correct because Network Security Groups (NSGs) provide network-layer filtering between tiers.

Option D is wrong because Azure Bastion is for management access, not traffic filtering. Option E is wrong because Azure DNS is for name resolution.

139
MCQ · medium

A company uses Azure Firewall to filter outbound traffic from a virtual network. The security team notices that traffic to a specific external IP address is being allowed despite a deny rule. What is the most likely cause?

A. The Azure Firewall policy is not associated with the correct virtual network.
B. A network rule with a higher priority allows the traffic.
C. An application rule allows the traffic, which overrides the network deny rule.
D. The deny rule is configured with the wrong protocol (UDP instead of TCP).
Answer: C

Application rules take precedence over network rules. If an application rule allows the traffic, it overrides a network deny rule.

Why this answer

Application rules take precedence over network rules when both match the traffic. If an application rule allows the traffic, it will be permitted even if a network rule denies it.

140
Multi-Select · medium

Which TWO configurations are required to enable Azure Bastion to connect to a virtual machine without a public IP address?

Select 2 answers
A. The virtual machine must have a public IP address.
B. The virtual network must have a subnet named AzureBastionSubnet.
C. The Bastion host must have a public IP address assigned.
D. The virtual machine must be in a subnet with an NSG that allows RDP/SSH from the Bastion subnet.
E. The virtual machine must have a private IP address.
Answers: B, E

Azure Bastion requires a dedicated subnet with this name.

Why this answer

Options A and D are correct. Azure Bastion requires a dedicated subnet named AzureBastionSubnet and the VM must have a private IP. Option B is wrong because Bastion does not require a public IP for the VM.

Option C is wrong because Bastion does not require an NSG on the VM's subnet. Option E is wrong because Bastion does not require a public IP on the Bastion host.

141
MCQ · medium

Your organization uses Azure Virtual WAN. You need to secure traffic between a spoke VNet and an on-premises site that connects via a Virtual WAN VPN gateway. What is the best way to inspect traffic?

A. Deploy Azure Firewall in the spoke VNet.
B. Deploy a third-party NVA in the spoke VNet.
C. Apply NSG rules on the spoke subnet.
D. Use Azure Firewall Manager to deploy a secured virtual hub.
Answer: D

Firewall Manager integrates with Virtual WAN.

Why this answer

Option D is correct because Azure Firewall Manager can be used in Virtual WAN to secure hub traffic. Option A is wrong because NSG is not in the path. Option B is wrong because a separate NVA would require complex routing.

Option C is wrong because Azure Firewall in a spoke is not in the path.

142
MCQ · hard

Refer to the exhibit. You have an Azure Firewall policy with the shown rules. Traffic from 10.0.0.0/8 to www.google.com on HTTPS (443) is being blocked. What is the most likely reason?

A. The network rule collection with priority 100 denies all traffic, and it is evaluated before the application rule collection.
B. The application rule collection has an action of Deny.
C. The source address 10.0.0.0/8 is not included in the application rule.
D. The application rule collection does not allow *.google.com.
Answer: A

Network rules have higher priority than application rules when the action is Deny.

Why this answer

Option A is correct because network rules are evaluated before application rules, and the network rule collection with priority 100 denies all traffic. The application rule collection with priority 200 is never evaluated because the network rule denies first. Option B is wrong because the application rule allows *.google.com, but it is not reached.

Option C is wrong because the rule action is Allow, not Deny. Option D is wrong because the source address includes 10.0.0.0/8.

143
MCQ · hard

A company has an Azure SQL Database with a private endpoint connection. The database is accessed from on-premises via ExpressRoute and from other Azure virtual networks (VNets) via VNet peering. The security team wants to ensure that all queries from both on-premises and peered VNets go through the private endpoint and NEVER use the public endpoint, even as a fallback. Which additional configuration is required to enforce this?

A. Configure a Network Security Group (NSG) on the subnet hosting the private endpoint to deny outbound traffic to the public endpoint's IP addresses.
B. Enable Azure SQL Auditing and configure a log analytics workspace to monitor for public endpoint calls, then manually block them.
C. Disable public network access on the Azure SQL server.
D. Configure a service endpoint for Azure SQL on the VNet and associate a firewall rule allowing only the VNet traffic.
Answer: C

Correct. Disabling public network access on the SQL server blocks all traffic from the public internet, leaving only the private endpoint as the entry point. This ensures all traffic from on-premises and peered VNets must use the private endpoint.

Why this answer

Option C is correct because disabling public network access on the Azure SQL server explicitly blocks all traffic that does not originate from a private endpoint. This setting ensures that even if a client attempts to connect using the public endpoint (e.g., via a misconfigured connection string or DNS resolution fallback), the server will reject the connection. This is the only configuration that enforces the requirement that all queries—from on-premises via ExpressRoute or from peered VNets—must go through the private endpoint and never use the public endpoint.

Exam trap

The trap here is that candidates often confuse 'private endpoint' with 'service endpoint' or think that NSGs or monitoring can enforce private-only access, when in fact the only way to guarantee that no traffic uses the public endpoint is to disable public network access at the server level.

How to eliminate wrong answers

Option A is wrong because NSGs are not supported on subnets hosting private endpoints; Azure blocks NSG association on private endpoint subnets, and even if applied, an NSG cannot block outbound traffic from the private endpoint to the public endpoint because the private endpoint itself does not route traffic to the public IP—the issue is client-side DNS resolution. Option B is wrong because auditing and monitoring only detect public endpoint usage after the fact; they do not prevent the connection from using the public endpoint as a fallback, which violates the 'never use' requirement. Option D is wrong because service endpoints allow traffic from the VNet to the Azure SQL public endpoint, which is exactly what the security team wants to avoid; service endpoints do not enforce private endpoint usage and would permit public endpoint access from peered VNets.

144
Multi-Select · hard

Your company uses ExpressRoute to connect on-premises to Azure. You need to ensure that only traffic from the on-premises network can reach a specific Azure App Service, and all other internet traffic to that App Service must be blocked. You also want to avoid exposing the App Service's public endpoint. Which THREE actions should you take?

Select 2 answers
A. Configure an IP restriction on the App Service to allow only the on-premises public IP range.
B. Configure the App Service with a Private Endpoint.
C. Configure a Service Endpoint for App Service on the on-premises-connected subnet.
D. Upload a trusted root certificate to App Service to enforce client certificate authentication for on-premises clients.
E. Set the App Service's 'Public network access' to 'Disabled'.
Answers: B, E

Private Endpoint provides a private IP for the App Service within your VNet, accessible from on-premises via ExpressRoute.

Why this answer

To restrict access to only on-premises traffic without using the public endpoint, you can use an App Service Environment (ASE) with an internal load balancer, or use Private Endpoint. The combination of Private Endpoint, disabling public access, and restricting access to the ExpressRoute gateway IP range ensures only on-premises traffic can reach the app via Private Link.

145
MCQ · easy

A company has established a site-to-site VPN connection between its on-premises network and an Azure virtual network using an Azure VPN gateway. The security team wants to confirm that all traffic crossing the VPN tunnel is encrypted. Which protocol does the Azure VPN gateway use to encrypt the data?

A. IPSec (Internet Protocol Security)
B. SSL (Secure Sockets Layer) / TLS (Transport Layer Security)
C. SSH (Secure Shell)
D. PGP (Pretty Good Privacy)
Answer: A

Azure VPN gateways use IPSec in tunnel mode with pre-shared key or certificate authentication to encrypt all traffic.

Why this answer

Azure VPN gateways use IPsec (Internet Protocol Security) in tunnel mode to encrypt all data traversing the site-to-site VPN tunnel. IPsec provides confidentiality, integrity, and authentication at the IP layer, ensuring that all traffic between the on-premises network and Azure virtual network is encrypted and secure.

Exam trap

The trap here is that candidates may confuse SSL/TLS-based VPNs (like OpenVPN) with IPsec-based site-to-site VPNs, but Azure VPN gateways exclusively use IPsec for site-to-site connections, not SSL/TLS.

How to eliminate wrong answers

Option B is wrong because SSL/TLS operates at the transport layer (Layer 4) and is used for securing web traffic (HTTPS), not for site-to-site VPN tunnels which require IP-layer encryption. Option C is wrong because SSH is a protocol for secure remote administration and file transfer, not for encrypting bulk network traffic across a VPN tunnel. Option D is wrong because PGP is an encryption program used for securing emails and files, not for network-layer VPN encryption.

146
MCQ · hard

You have an Azure Kubernetes Service (AKS) cluster that needs to restrict egress traffic to specific Azure services (e.g., Azure Container Registry, Azure Monitor). You want a managed solution that allows you to define FQDN-based rules. Which Azure service should you use?

A. Azure Application Gateway
B. Azure Front Door
C. Network Security Groups (NSGs)
D. Azure Firewall
Answer: D

Azure Firewall supports FQDN-based rules for outbound traffic.

Why this answer

Option D is correct because Azure Firewall supports FQDN-based rules for outbound traffic, which can be used to restrict egress from AKS. Option C is wrong because NSGs only support IP-based rules, not FQDNs. Option A is wrong because Azure Application Gateway is for inbound traffic.

Option B is wrong because Azure Front Door is for global load balancing.

147
Multi-Select · easy

Which TWO Azure services can be used to distribute incoming traffic across multiple virtual machines in a backend pool while providing layer 7 load balancing? (Choose two.)

Select 2 answers
B. Azure Application Gateway
C. Azure Traffic Manager
D. Azure VPN Gateway
E. Azure Front Door
Answers: B, E

Application Gateway is a layer 7 load balancer with HTTP/HTTPS support.

Why this answer

Azure Application Gateway is a layer 7 load balancer that can distribute incoming traffic across multiple virtual machines in a backend pool based on HTTP/HTTPS attributes such as URL path, host headers, and cookies. It also provides SSL termination, Web Application Firewall (WAF), and session affinity, making it suitable for web application traffic.

Exam trap

The trap here is that candidates often confuse Azure Load Balancer (layer 4) with Azure Application Gateway (layer 7), assuming both can perform HTTP-based routing, but only Application Gateway can inspect and route based on application-layer data.

148
Multi-Select · hard

You need to monitor network traffic to detect anomalies and potential security threats. Which THREE Azure services can you use to achieve this? (Choose three.)

Select 3 answers
A. Microsoft Sentinel
B. Azure Monitor Metrics
C. Azure Firewall logs
D. Azure Policy
E. Azure Network Watcher
Answers: A, C, E

Sentinel can analyze network logs for threats.

Why this answer

Options A, C, and E are correct. Network Watcher provides traffic capture and flow logs. Azure Sentinel (now Microsoft Sentinel) can ingest network logs for threat detection.

Azure Firewall logs can be used for monitoring. Option D is wrong because Azure Policy is for compliance, not monitoring. Option B is wrong because Azure Monitor Metrics can monitor performance, not network traffic anomalies.

149
Multi-Select · easy

You are configuring Azure DDoS Network Protection for your VNet. Which TWO benefits does enabling DDoS Protection Standard provide?

Select 2 answers
A. Integration with Azure Firewall for packet inspection.
B. Adaptive tuning to baseline traffic patterns.
C. Application-layer (Layer 7) protection via integrated WAF.
D. Vulnerability scanning for web applications.
E. Cost protection for scaled resources during an attack.
Answers: B, E

DDoS Protection Standard learns normal traffic patterns and adjusts thresholds automatically.

Why this answer

DDoS Protection Standard provides adaptive tuning based on traffic patterns and cost protection against scaled attacks. It does not offer a WAF (that's separate) nor does it monitor application-layer vulnerabilities; it focuses on network-layer DDoS attacks.

150
MCQ · hard

Refer to the exhibit. You are evaluating an Azure Policy definition. What is the effect of this policy when assigned to a subscription?

A. It audits virtual networks to ensure they have a network security group attached.
B. It denies the creation of any virtual network because it always has subnets.
C. It denies virtual networks that have any subnet with a service endpoint.
D. It denies the creation of virtual networks that do not have subnets.
Answer: B

A virtual network must have at least one subnet, so this policy would deny all virtual network creation.

Why this answer

The policy denies any virtual network that has any subnet defined. It checks if the 'subnets' field exists and denies if true. It does not check for specific subnet configurations like NSGs or service endpoints.
