Courseiva
AZ-500
Full test
hardmultiple choiceObjective-mapped

A company has two Azure virtual networks, VNet-A (hub) and VNet-B (spoke), connected via VNet peering. They deployed a network virtual appliance (NVA) in a subnet in VNet-A to inspect all traffic. They configured a user-defined route (UDR) on the subnet in VNet-B that points the VNet-A address space (10.0.0.0/16) to the private IP of the NVA. However, traffic initiated from VNet-B to VNet-A still takes a direct path and bypasses the NVA. What is the most likely cause?

Question 1hardmultiple choice
Full question →

A company has two Azure virtual networks, VNet-A (hub) and VNet-B (spoke), connected via VNet peering. They deployed a network virtual appliance (NVA) in a subnet in VNet-A to inspect all traffic. They configured a user-defined route (UDR) on the subnet in VNet-B that points the VNet-A address space (10.0.0.0/16) to the private IP of the NVA. However, traffic initiated from VNet-B to VNet-A still takes a direct path and bypasses the NVA. What is the most likely cause?

Full question →

Answer choices

Why each option matters

Good practice is not just finding the correct option. The wrong answers often show the exact trap the exam wants you to fall into.

A

Best answer

The NVA does not have IP forwarding enabled on its network interface

When an NVA is used as a next hop in a route table, it must have IP forwarding enabled. Without it, the NVA drops packets that are not destined for its own IP, effectively preventing traffic from being routed through it.

B

Distractor review

The UDR on VNet-B must also include a route for the default route (0.0.0.0/0) to force all traffic through the NVA

The scenario only concerns traffic between VNet-B and VNet-A. A default route is not required to force traffic between the two VNets through the NVA; the specific route for the VNet-A address space should be sufficient.

C

Distractor review

VNet peering does not support user-defined routes

VNet peering supports user-defined routes. You can apply UDRs to subnets in one VNet to control traffic to the peered VNet.

D

Distractor review

The NVA must be deployed in the same subnet as the source VMs in VNet-B

The NVA can be in a different VNet as long as routing is correctly configured. The issue is not about the NVA's location but about forwarding capabilities.

Common exam trap

Common exam trap: usable hosts are not the same as total addresses

Subnetting questions often tempt you into counting all addresses. In normal IPv4 subnets, the network and broadcast addresses are not usable host addresses.

Technical deep dive

How to think about this question

Subnetting questions test whether you can identify the network, broadcast address, usable range, mask and correct subnet. Slow down enough to calculate the block size correctly.

KKey Concepts to Remember

  • CIDR notation defines the prefix length.
  • Block size helps identify subnet boundaries.
  • Network and broadcast addresses are not usable hosts in normal IPv4 subnets.
  • The required host count determines the smallest suitable subnet.

TExam Day Tips

  • Write the block size before choosing the subnet.
  • Check whether the question asks for hosts, subnets or a specific address range.
  • Do not confuse /24, /25, /26 and /27 host counts.

Related practice questions

Related AZ-500 practice-question pages

Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.

AZ-500 fundamentals practice questions

Practise AZ-500 questions linked to AZ-500 fundamentals.

AZ-500 scenario practice questions

Practise AZ-500 questions linked to AZ-500 scenario.

AZ-500 troubleshooting practice questions

Practise AZ-500 questions linked to AZ-500 troubleshooting.

More questions from this exam

Keep practising from the same exam bank, or move into a focused topic page if this question exposed a weak area.

Question 1

A DevOps team wants Defender for Cloud to identify secrets exposed in GitHub repositories. What should be configured?

Question 2

A public web application should be protected from OWASP-style attacks and network-layer DDoS attacks. Which two Azure services are most relevant?

Question 3

A Sentinel scheduled rule runs every 5 minutes and looks back 1 hour. Analysts see repeated alerts for the same event. Which change best prevents duplicate detections without missing late-arriving logs?

Question 4

A SOC analyst needs a Sentinel query that detects multiple failed sign-ins followed by a successful sign-in for the same user. Which table is the best primary source?

Question 5

A Sentinel watchlist contains high-value administrator accounts. Which KQL pattern best uses it in a detection rule?

Question 6

A SOC wants a Sentinel rule to include account, host, and IP entities so analysts can pivot during investigation. What should be configured in the analytics rule?

FAQ

Questions learners often ask

What does this AZ-500 question test?

CIDR notation defines the prefix length.

What is the correct answer to this question?

The correct answer is: The NVA does not have IP forwarding enabled on its network interface — When using an NVA to inspect traffic between peered VNets, you need to ensure that both the source and return traffic go through the NVA. A common mistake is forgetting to configure IP forwarding on the NVA's network interface. Without IP forwarding, when the NVA receives a packet destined for an address other than itself, it drops the packet. The UDR on the spoke subnet directs traffic to the NVA's IP, but the NVA cannot forward that traffic unless IP forwarding is enabled on its NIC. Additionally, return traffic from the hub subnet needs another UDR pointing to the NVA for the spoke address space. The most likely single cause in this scenario is the lack of IP forwarding on the NVA.

What should I do if I get this AZ-500 question wrong?

Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.

Discussion

Loading comments…

Sign in to join the discussion.