Question 434 of 1,000
Secure networking · hard · Multiple Choice · Objective-mapped

Quick Answer

The correct answer is to enable Azure virtual network encryption on both VNets and configure the encryption policy. This is required because Azure Virtual Network Encryption operates at the infrastructure level, encrypting all traffic between peered VNets using IPsec without needing a VPN gateway, and it enforces encryption so no traffic can bypass it. The 'Use remote virtual network gateways' setting only permits transit routing through a remote gateway, but it does not encrypt traffic itself, which is why unencrypted traffic persists. On the AZ-500 exam, this question tests your understanding of platform-level encryption versus gateway-based solutions, and a common trap is confusing gateway settings with actual encryption enforcement. Remember: gateway settings enable routing, not encryption—think of VNet encryption as a mandatory "encrypt-all" switch at the network fabric layer. A useful memory tip is "Gateways route, encryption encrypts—enable VNet encryption to lock the pipe."

AZ-500 Secure networking Practice Question

This AZ-500 practice question tests your understanding of secure networking. This is a configuration task: choose the command set that satisfies every stated requirement. Small differences — like 'secret' vs 'password' or 'transport input ssh' vs 'all' — change whether the answer is correct. A key principle to apply: Azure virtual network encryption encrypts VNet peering traffic. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

A company has two Azure virtual networks (VNet-A and VNet-B) connected via VNet peering. They need to ensure that all traffic between the two VNets is encrypted using IPsec and that no traffic can bypass the encryption. The security team has enabled the 'Use remote virtual network gateways' setting on the peering. However, traffic is still flowing unencrypted. What additional configuration is required to enforce encryption for all traffic between the VNets?

Question 1 · hard · multiple choice


Correct answer & explanation

Enable 'Azure virtual network encryption' on both VNets and configure the encryption policy.

Option A is correct because Azure Virtual Network Encryption provides a platform-level encryption mechanism that encrypts all traffic between virtual networks, including VNet peering traffic, without requiring a VPN gateway. Enabling this feature on both VNets and configuring the encryption policy ensures that all inter-VNet traffic is encrypted using IPsec, and since it is enforced at the infrastructure level, no traffic can bypass the encryption. The 'Use remote virtual network gateways' setting alone does not encrypt traffic; it only allows a VNet to use a remote gateway for transit routing.

Key principle: Azure virtual network encryption encrypts VNet peering traffic.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • Enable 'Azure virtual network encryption' on both VNets and configure the encryption policy.

    Why this is correct

    Azure virtual network encryption (currently in preview) encrypts all traffic between VNets using IPsec. Enabling it on both sides ensures traffic is encrypted.

    Related concept

    Azure virtual network encryption encrypts VNet peering traffic.

  • Deploy an Azure VPN Gateway in each VNet and create a site-to-site VPN connection between them.

    Why it's wrong here

    This would create encrypted tunnels, but it introduces additional cost and complexity. Also, the connection would be through the gateways, not directly between VNets. It may not cover all traffic if there are multiple spoke VNets.

  • Configure a network security group (NSG) rule on each subnet to deny traffic that is not IPsec encapsulated.

    Why it's wrong here

    NSGs work at layer 3/4 and cannot inspect IPsec encapsulation. This is not feasible.

  • Enable 'Allow gateway transit' on VNet-A and 'Use remote virtual network gateways' on VNet-B, and then create a VPN gateway in VNet-A.

    Why it's wrong here

    This configuration enables transitive routing via a gateway, but does not encrypt the traffic between the VNets over peering. The gateway would only encrypt traffic going through it, but traffic between the VNets may still use the peering direct path unencrypted.

Common exam traps

Common exam trap: answer the scenario, not the keyword

The trap here is that candidates often assume that enabling 'Use remote virtual network gateways' on VNet peering automatically encrypts traffic, when in fact it only allows gateway transit and does not provide any encryption; the real solution is Azure Virtual Network Encryption, which is a separate feature that must be explicitly enabled.

Detailed technical explanation

How to think about this question

Azure Virtual Network Encryption uses the IEEE 802.1AE MAC Security (MACsec) standard to encrypt traffic at the data link layer, which is transparent to applications and requires no changes to virtual machines. This encryption is applied to all traffic within and between encrypted VNets, including VNet peering, and is enforced by the Azure fabric controller, ensuring that even if a misconfiguration allows a direct peering path, the traffic is still encrypted. In contrast, VPN gateways operate at the network layer (IPsec) and require explicit routing to direct traffic through the gateway, which can be bypassed if the peering route is preferred.
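The distinction the explanation draws (gateway settings change routing, only the encryption feature changes whether peered traffic is protected) is easy to check in configuration rather than by inspecting packets. The following audit script is an added example, not Courseiva's code and not part of the question: it reads the two VNets' encryption settings and the peering between them and reports whether inter-VNet traffic is encrypted and enforced. The input is a constructed sample modelled on the flattened JSON that `az network vnet show` prints for a `Microsoft.Network/virtualNetworks` resource; the property names (`encryption.enabled`, `encryption.enforcement`, `virtualNetworkPeerings[].useRemoteGateways`, `allowGatewayTransit`, `peeringState`) follow the ARM schema, while the subscription id, resource group and peering names are made up.

```python
"""Audit whether VNet peering traffic between two Azure VNets is encrypted.

Added example (not Courseiva's code). The sample VNets below are constructed
to mirror the question: peering is Connected, VNet-B uses VNet-A's gateway,
and virtual network encryption is disabled on both sides. Only the fields the
check reads are included; ids and names are placeholders.
"""
import copy
import json

RG = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-example"
VNET_ID = RG + "/providers/Microsoft.Network/virtualNetworks/"

VNET_A = {
    "name": "VNet-A",
    "id": VNET_ID + "VNet-A",
    "encryption": {"enabled": False, "enforcement": "AllowUnencrypted"},
    "virtualNetworkPeerings": [{
        "name": "peer-a-to-b",
        "remoteVirtualNetwork": {"id": VNET_ID + "VNet-B"},
        "peeringState": "Connected",
        "allowGatewayTransit": True,   # routing setting only
        "useRemoteGateways": False,
    }],
}

VNET_B = {
    "name": "VNet-B",
    "id": VNET_ID + "VNet-B",
    "encryption": {"enabled": False, "enforcement": "AllowUnencrypted"},
    "virtualNetworkPeerings": [{
        "name": "peer-b-to-a",
        "remoteVirtualNetwork": {"id": VNET_ID + "VNet-A"},
        "peeringState": "Connected",
        "allowGatewayTransit": False,
        "useRemoteGateways": True,     # the setting the security team enabled
    }],
}


def find_peering(vnet, remote_vnet):
    """Return the peering on `vnet` whose remote side is `remote_vnet`, or None."""
    for peering in vnet.get("virtualNetworkPeerings", []):
        if peering.get("remoteVirtualNetwork", {}).get("id") == remote_vnet["id"]:
            return peering
    return None


def audit_pair(vnet_a, vnet_b):
    """Evaluate the encryption posture of the peering between two VNets.

    Returns a dict: `encrypted` is True only when encryption is enabled on both
    VNets; `enforced` additionally requires the DropUnencrypted policy on both,
    so no unencrypted traffic is admitted; `findings` lists what is missing.
    """
    findings, enabled, enforced = [], [], []
    for vnet in (vnet_a, vnet_b):
        enc = vnet.get("encryption") or {}
        is_enabled = bool(enc.get("enabled"))
        policy = enc.get("enforcement")
        enabled.append(is_enabled)
        enforced.append(is_enabled and policy == "DropUnencrypted")
        if not is_enabled:
            findings.append(f"{vnet['name']}: virtual network encryption is disabled; "
                            "peering traffic is sent in the clear")
        elif policy != "DropUnencrypted":
            findings.append(f"{vnet['name']}: encryption enabled but enforcement is "
                            f"{policy}; unencrypted traffic is allowed rather than dropped")

    for local, remote in ((vnet_a, vnet_b), (vnet_b, vnet_a)):
        peering = find_peering(local, remote)
        if peering is None:
            findings.append(f"{local['name']}: no peering to {remote['name']} found")
            continue
        if peering.get("peeringState") != "Connected":
            findings.append(f"{local['name']} -> {remote['name']}: peering state is "
                            f"{peering.get('peeringState')}, not Connected")
        # The trap in the question: gateway settings do not encrypt anything.
        if peering.get("useRemoteGateways") and not all(enabled):
            findings.append(f"{local['name']} -> {remote['name']}: useRemoteGateways is set, "
                            "but gateway settings only affect routing; they do not "
                            "encrypt peering traffic")

    return {"encrypted": all(enabled), "enforced": all(enforced), "findings": findings}


def remediate(vnet, enforcement="DropUnencrypted"):
    """Return a copy of `vnet` with encryption turned on and the given policy set."""
    fixed = copy.deepcopy(vnet)
    fixed["encryption"] = {"enabled": True, "enforcement": enforcement}
    return fixed


if __name__ == "__main__":
    print(json.dumps(audit_pair(VNET_A, VNET_B), indent=2))
    print(json.dumps(audit_pair(remediate(VNET_A), remediate(VNET_B)), indent=2))
```

Run against the question's state the audit reports `encrypted: False` with a finding on each VNet and one on VNet-B's `useRemoteGateways` peering; after `remediate()` on both sides it reports `encrypted: True, enforced: True` with no findings. Enabling only one side, or enabling both with the `AllowUnencrypted` policy, still leaves `enforced: False`, which is the "no traffic can bypass the encryption" requirement the question hinges on. On a live subscription the same fields come from `az network vnet show`, and the remediated state corresponds to `az network vnet update --enable-encryption true --encryption-enforcement-policy DropUnencrypted` on each VNet.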

Key Concepts to Remember

  • Azure virtual network encryption encrypts VNet peering traffic.
  • It uses IPsec to secure data in transit between peered VNets.
  • This feature must be enabled on both peered VNets.
  • It provides native, managed encryption without requiring VPN gateways for peering.

Exam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Azure virtual network encryption encrypts VNet peering traffic.

Real-world example

How this comes up in practice

A healthcare organisation deploys an application with a public-facing web tier and a private database tier. The database subnet has no public IP and only accepts connections from the web tier's security group. Questions like this test whether you can design cloud network isolation using VNets/VPCs, subnets, and security group rules.

What to study next

Got this wrong? Here's your next step.

Review the key principle (Azure virtual network encryption encrypts VNet peering traffic), then practise related AZ-500 questions on the same topic to reinforce the concept.


FAQ

Questions learners often ask

What does this AZ-500 question test?

Secure networking. This question tests whether you know that Azure virtual network encryption encrypts VNet peering traffic.

What is the correct answer to this question?

The correct answer is: Enable 'Azure virtual network encryption' on both VNets and configure the encryption policy. — Option A is correct because Azure Virtual Network Encryption provides a platform-level encryption mechanism that encrypts all traffic between virtual networks, including VNet peering traffic, without requiring a VPN gateway. Enabling this feature on both VNets and configuring the encryption policy ensures that all inter-VNet traffic is encrypted using IPsec, and since it is enforced at the infrastructure level, no traffic can bypass the encryption. The 'Use remote virtual network gateways' setting alone does not encrypt traffic; it only allows a VNet to use a remote gateway for transit routing.

What should I do if I get this AZ-500 question wrong?

Review the key principle (Azure virtual network encryption encrypts VNet peering traffic), then practise related AZ-500 questions on the same topic to reinforce the concept.

What is the key concept behind this question?

Azure virtual network encryption encrypts VNet peering traffic.


Same concept, more angles

1 more way this is tested on AZ-500

These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.

Variation 1. A company has multiple Azure virtual networks connected via VNet peering. They want to ensure that all traffic between the peered VNets is encrypted and that no traffic can bypass the encryption. Which configuration is required?

hard
  • A. Enable Service Endpoint Policies
  • B. Use VPN Gateway with IPsec between VNets
  • C. VNet peering does not support encryption; use Global VNet peering
  • D. Enable Azure Firewall

Why B: VNet peering does not encrypt traffic between virtual networks by default. To enforce encryption for all traffic, you must use a VPN Gateway with IPsec/IKE policy configured between the peered VNets. This ensures that all traffic crossing the peering is encrypted and that no unencrypted path exists, meeting the requirement that no traffic can bypass encryption.


Last reviewed: Jun 11, 2026


This AZ-500 practice question is part of Courseiva's free Microsoft certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the AZ-500 exam.