Courseiva
AZ-500
Full test
easymultiple choiceObjective-mapped

Your company uses Azure Firewall to protect a virtual network. The security team needs to allow outbound HTTPS traffic from a specific subnet to a set of FQDNs, such as '*.contoso.com', while blocking all other outbound traffic. Which type of Azure Firewall rule should they configure?

Question 1easymultiple choice
Full question →

Your company uses Azure Firewall to protect a virtual network. The security team needs to allow outbound HTTPS traffic from a specific subnet to a set of FQDNs, such as '*.contoso.com', while blocking all other outbound traffic. Which type of Azure Firewall rule should they configure?

Full question →

Answer choices

Why each option matters

Good practice is not just finding the correct option. The wrong answers often show the exact trap the exam wants you to fall into.

A

Distractor review

A network rule with destination port 443 and protocol TCP, and the destination IP address set to the resolved IPs of the FQDNs

Network rules filter traffic based on IP addresses and ports, but they do not support FQDN filtering. Using network rules would require you to manually track IP address changes, which is not practical.

B

Best answer

An application rule with the 'Https' protocol and the target FQDNs set to '*.contoso.com'

Application rules are designed to allow or deny outbound traffic based on FQDNs. For HTTPS traffic, you can specify the target FQDNs and the protocol (Https). This is the correct configuration to allow traffic to specific domains while blocking others.

C

Distractor review

A NAT rule that translates the source IP to a public IP and allows traffic to any destination on port 443

NAT rules are used to translate inbound traffic destinations; they do not control outbound traffic filtering based on FQDNs.

D

Distractor review

A DNAT rule that redirects outbound HTTPS traffic to an internal proxy server

DNAT rules are for inbound traffic. This does not filter outbound traffic to specific FQDNs.

Common exam trap

Common exam trap: usable hosts are not the same as total addresses

Subnetting questions often tempt you into counting all addresses. In normal IPv4 subnets, the network and broadcast addresses are not usable host addresses.

Technical deep dive

How to think about this question

Subnetting questions test whether you can identify the network, broadcast address, usable range, mask and correct subnet. Slow down enough to calculate the block size correctly.

KKey Concepts to Remember

  • CIDR notation defines the prefix length.
  • Block size helps identify subnet boundaries.
  • Network and broadcast addresses are not usable hosts in normal IPv4 subnets.
  • The required host count determines the smallest suitable subnet.

TExam Day Tips

  • Write the block size before choosing the subnet.
  • Check whether the question asks for hosts, subnets or a specific address range.
  • Do not confuse /24, /25, /26 and /27 host counts.

Related practice questions

Related AZ-500 practice-question pages

Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.

AZ-500 fundamentals practice questions

Practise AZ-500 questions linked to AZ-500 fundamentals.

AZ-500 scenario practice questions

Practise AZ-500 questions linked to AZ-500 scenario.

AZ-500 troubleshooting practice questions

Practise AZ-500 questions linked to AZ-500 troubleshooting.

More questions from this exam

Keep practising from the same exam bank, or move into a focused topic page if this question exposed a weak area.

Question 1

A DevOps team wants Defender for Cloud to identify secrets exposed in GitHub repositories. What should be configured?

Question 2

A public web application should be protected from OWASP-style attacks and network-layer DDoS attacks. Which two Azure services are most relevant?

Question 3

A Sentinel scheduled rule runs every 5 minutes and looks back 1 hour. Analysts see repeated alerts for the same event. Which change best prevents duplicate detections without missing late-arriving logs?

Question 4

A SOC analyst needs a Sentinel query that detects multiple failed sign-ins followed by a successful sign-in for the same user. Which table is the best primary source?

Question 5

A Sentinel watchlist contains high-value administrator accounts. Which KQL pattern best uses it in a detection rule?

Question 6

A SOC wants a Sentinel rule to include account, host, and IP entities so analysts can pivot during investigation. What should be configured in the analytics rule?

FAQ

Questions learners often ask

What does this AZ-500 question test?

CIDR notation defines the prefix length.

What is the correct answer to this question?

The correct answer is: An application rule with the 'Https' protocol and the target FQDNs set to '*.contoso.com' — Azure Firewall supports network rules (based on IP address, port, and protocol) and application rules (based on FQDNs). To allow outbound HTTPS traffic to specific FQDNs, an application rule with the 'Https' protocol and the target FQDNs must be created. A network rule cannot filter by FQDN; it only filters by IP address and port. Therefore, the correct approach is to configure an application rule.

What should I do if I get this AZ-500 question wrong?

Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.

Discussion

Loading comments…

Sign in to join the discussion.