CCNA Design security for infrastructure Questions

32 questions · Design security for infrastructure · All types, answers revealed

1
Multi-Select · hard

Which THREE components are required to implement a secure hybrid network with Azure using a site-to-site VPN?

Select 3 answers
A.Public IP address for the VPN device
B.ExpressRoute circuit
C.VPN gateway (route-based)
D.Virtual network gateway
E.Local network gateway
AnswersC, D, E

Required for the Azure side of the VPN connection.

Why this answer

A route-based VPN gateway (option C) is the Azure-side tunnel endpoint for site-to-site connections. It uses route-based IPsec with any-to-any traffic selectors, supports IKEv2, and can optionally run BGP across the tunnel for dynamic routing and failover (policy-based traffic selectors can still be enabled per connection when the on-premises device requires them). Because it forwards on the gateway's route table rather than on fixed policy pairs, Azure can reach several on-premises prefixes through one tunnel. The virtual network gateway resource (option D) hosts that VPN gateway, and the local network gateway (option E) records the on-premises device's public IP address and address prefixes, which is what the connection object needs for the far side.

Exam trap

The first trap is the relationship between the VPN gateway and the virtual network gateway: a VPN gateway is a virtual network gateway created with gateway type Vpn, not a separate service. The second is the public IP: the gateway's own public IP is created together with the virtual network gateway, and the on-premises device's public IP is a property of the local network gateway, so the answer key treats option A as a property of other components rather than a component in its own right. The three components it expects are the VPN gateway, the virtual network gateway, and the local network gateway.

2
MCQ · medium

Refer to the exhibit. A network policy is applied in the production namespace. What is the effect on the webapp pod's ability to reach external services?

A.Ingress traffic is blocked
B.The pod can only communicate with kube-dns
C.The pod can communicate with any service
D.All egress traffic except to kube-dns is denied
AnswerD

The policy denies egress by default except for DNS.

Why this answer

Option D is correct because the policy in the exhibit selects the webapp pod, lists Egress in its policyTypes, and contains a single egress rule that allows traffic only to kube-dns on UDP port 53. Once a policy with the Egress type selects a pod, every egress connection that no rule matches is dropped, so with no other rule the webapp pod can resolve names through the cluster DNS resolver but cannot reach any other service, internal or external.

Exam trap

The trap here is that candidates often assume a network policy only affects ingress, or that an egress rule is purely additive. In Kubernetes, a policy that includes Egress in policyTypes (or that contains an egress section, which adds the type implicitly) turns on default-deny for every egress flow from the selected pods, and only the flows explicitly listed in egress rules are allowed. A related pitfall outside the exam: allowing only UDP/53 leaves DNS over TCP, which resolvers fall back to for large responses, blocked.

How to eliminate wrong answers

Option A is wrong because the policy declares only the Egress type and defines no ingress rules, so ingress to the webapp pod is not restricted by it. Option B is wrong because, although kube-dns is the only egress destination allowed, the pod is not limited to kube-dns in both directions: other pods can still initiate connections to it, and the question asks specifically about reaching external services, which option D states precisely. Option C is wrong because the egress rule permits only kube-dns; every other destination, including external services, is denied.
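The semantics behind this answer, as an added example (not code from the page or from Kubernetes itself): a small Python evaluator of NetworkPolicy ingress and egress decisions. The first policy dict is constructed to match what the exhibit describes; the webapp pod, the kube-dns and payments endpoints, the external address 203.0.113.10 and the second partner-API policy are all constructed inputs, and only matchLabels selectors and ipBlock peers are modelled (no matchExpressions, named ports or endPort).

```python
"""Evaluator for Kubernetes NetworkPolicy egress/ingress semantics (added example)."""
import ipaddress

# Constructed to match the exhibit: selects the webapp pod in 'production', declares
# Egress, and allows only UDP/53 to kube-dns in kube-system.
DNS_ONLY_EGRESS = {
    "metadata": {"name": "webapp-dns-only", "namespace": "production"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "webapp"}},
        "policyTypes": ["Egress"],
        "egress": [{
            "to": [{
                "namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "kube-system"}},
                "podSelector": {"matchLabels": {"k8s-app": "kube-dns"}},
            }],
            "ports": [{"protocol": "UDP", "port": 53}],
        }],
    },
}

# A second, additive policy (constructed): policies selecting the same pod are unioned,
# so this re-opens exactly one external range on HTTPS and nothing else.
ALLOW_PARTNER_API = {
    "metadata": {"name": "webapp-partner-api", "namespace": "production"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "webapp"}},
        "policyTypes": ["Egress"],
        "egress": [{"to": [{"ipBlock": {"cidr": "203.0.113.0/24"}}],
                    "ports": [{"protocol": "TCP", "port": 443}]}],
    },
}

# Constructed endpoints. A cluster pod carries namespace and labels; an external host has only an IP.
WEBAPP = {"namespace": "production", "labels": {"app": "webapp"}}
KUBE_DNS = {"namespace": "kube-system", "ns_labels": {"kubernetes.io/metadata.name": "kube-system"},
            "pod_labels": {"k8s-app": "kube-dns"}, "ip": "10.0.0.10"}
PAYMENTS = {"namespace": "production", "ns_labels": {"kubernetes.io/metadata.name": "production"},
            "pod_labels": {"app": "payments"}, "ip": "10.244.1.5"}
EXTERNAL_API = {"ip": "203.0.113.10"}  # not a pod: no namespace, no labels


def _selector_matches(selector, labels):
    """An empty selector ({}) matches everything; every matchLabels pair must be present."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def _policy_types(spec):
    """policyTypes defaults to Ingress, plus Egress only when an egress section exists."""
    if "policyTypes" in spec:
        return set(spec["policyTypes"])
    return {"Ingress", "Egress"} if "egress" in spec else {"Ingress"}


def _peer_matches(peer, endpoint, policy_ns):
    if "ipBlock" in peer:
        if "ip" not in endpoint:
            return False
        ip = ipaddress.ip_address(endpoint["ip"])
        block = peer["ipBlock"]
        return ip in ipaddress.ip_network(block["cidr"]) and not any(
            ip in ipaddress.ip_network(x) for x in block.get("except", []))
    if "pod_labels" not in endpoint:          # selector peers never match non-pod endpoints
        return False
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    if ns_sel is not None and not _selector_matches(ns_sel, endpoint["ns_labels"]):
        return False
    if ns_sel is None and endpoint["namespace"] != policy_ns:   # podSelector alone is namespace-local
        return False
    return pod_sel is None or _selector_matches(pod_sel, endpoint["pod_labels"])


def _rule_matches(rule, endpoint, protocol, port, policy_ns):
    peers = rule.get("to", rule.get("from", []))
    ports = rule.get("ports", [])
    peer_ok = not peers or any(_peer_matches(p, endpoint, policy_ns) for p in peers)
    port_ok = not ports or any(p.get("protocol", "TCP") == protocol and p["port"] == port for p in ports)
    return peer_ok and port_ok


def traffic_allowed(policies, direction, pod, endpoint, protocol, port):
    """direction 'Egress': pod -> endpoint; 'Ingress': endpoint -> pod.
    If no policy selects the pod for that direction, the default is allow; otherwise some
    selecting policy must contain a rule whose peers AND ports match the flow."""
    selecting = [p for p in policies
                 if p["metadata"]["namespace"] == pod["namespace"]
                 and _selector_matches(p["spec"]["podSelector"], pod["labels"])
                 and direction in _policy_types(p["spec"])]
    if not selecting:
        return True
    return any(_rule_matches(r, endpoint, protocol, port, p["metadata"]["namespace"])
               for p in selecting for r in p["spec"].get(direction.lower(), []))


if __name__ == "__main__":
    for name, ep, proto, prt in [("kube-dns udp", KUBE_DNS, "UDP", 53), ("kube-dns tcp", KUBE_DNS, "TCP", 53),
                                 ("payments", PAYMENTS, "TCP", 8080), ("external", EXTERNAL_API, "TCP", 443)]:
        print(f"egress to {name}: {traffic_allowed([DNS_ONLY_EGRESS], 'Egress', WEBAPP, ep, proto, prt)}")
    print("ingress from payments:", traffic_allowed([DNS_ONLY_EGRESS], "Ingress", WEBAPP, PAYMENTS, "TCP", 8080))
    print("external with partner policy:",
          traffic_allowed([DNS_ONLY_EGRESS, ALLOW_PARTNER_API], "Egress", WEBAPP, EXTERNAL_API, "TCP", 443))
```

Running it shows the shape of the exam answer: with only the first policy, UDP/53 to kube-dns is the single allowed egress (TCP/53 is not), ingress to the pod is untouched, and a pod the policy does not select keeps the default allow. Adding the partner-API policy opens 203.0.113.0/24 on TCP/443 and nothing more, which is how you would extend the exhibit's policy rather than weakening it.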

3
MCQ · hard

A company uses Azure Kubernetes Service (AKS) with Azure Active Directory (Azure AD) integration. They want to restrict developers to only be able to create and manage pods and services, but not modify cluster-level resources like nodes or namespaces. What should they configure?

A.Assign the cluster-admin ClusterRole to the developers
B.Create a custom ClusterRole with rules for pods and services, then bind it to the developer group with a ClusterRoleBinding
C.Create a RoleBinding in each namespace for developers
D.Use Azure RBAC to grant Contributor role on the AKS cluster
AnswerB

This grants cluster-wide but limited access to only specified resources.

Why this answer

Option B is correct because Kubernetes RBAC allows fine-grained authorization. A custom ClusterRole can define rules for pods and services (core API group resources), and a ClusterRoleBinding binds it to the developer group across all namespaces. This grants the required permissions without allowing modifications to cluster-level resources like nodes or namespaces, which are not included in the custom role's rules.

Exam trap

The trap here is that candidates often confuse namespace-scoped RoleBindings with cluster-scoped ClusterRoleBindings, or mistakenly think that Azure RBAC's Contributor role provides the same granularity as Kubernetes RBAC, when in fact it grants overly broad permissions that include cluster-level modifications.

How to eliminate wrong answers

Option A is wrong because the cluster-admin ClusterRole grants superuser access to every resource, including cluster-scoped ones such as nodes and namespaces, which violates the restriction. Option C is wrong because a RoleBinding grants permissions only inside the namespace it lives in: it would have to be created in every namespace the developers work in, and it cannot by itself express the cluster-wide pods-and-services scope the question asks for. (A RoleBinding can never reach a cluster-scoped resource, so it is not a source of risk here; it is simply the wrong scope for the requirement.) Option D is wrong because the Azure RBAC Contributor role on the AKS resource grants broad management rights over the cluster object itself, including upgrading or deleting the cluster, and says nothing about fine-grained Kubernetes resource permissions; it is far broader than the requirement and does not deliver the pods-and-services restriction at all.
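How the four options differ once a request reaches the API server, as an added example (not from the page, AKS or Kubernetes): a minimal RBAC authorizer in Python over constructed role and binding dicts. The group object ID, the user name and the namespaces are placeholders, and only apiGroups/resources/verbs rules are modelled (no resourceNames or non-resource URLs).

```python
"""Minimal Kubernetes RBAC authorizer (added example) showing why a ClusterRole limited to
pods/services plus a ClusterRoleBinding gives namespace-wide pod/service management without
reaching cluster-scoped resources such as nodes or namespaces."""

DEV_GROUP = "11111111-2222-3333-4444-555555555555"   # placeholder for the Entra ID group object ID

ROLES = {
    "developer": {"rules": [{
        "apiGroups": [""],                                 # core API group only
        "resources": ["pods", "services"],
        "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"],
    }]},
    "cluster-admin": {"rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
}

# Option B: the custom ClusterRole bound cluster-wide to the developer group.
DEV_CLUSTERROLEBINDING = {"kind": "ClusterRoleBinding", "roleRef": "developer",
                          "subjects": [{"kind": "Group", "name": DEV_GROUP}]}
# Option C: the same role bound in a single namespace.
DEV_ROLEBINDING_TEAM_A = {"kind": "RoleBinding", "namespace": "team-a", "roleRef": "developer",
                          "subjects": [{"kind": "Group", "name": DEV_GROUP}]}
# Option A: cluster-admin bound to the same group (what the question forbids).
DEV_CLUSTER_ADMIN = {"kind": "ClusterRoleBinding", "roleRef": "cluster-admin",
                     "subjects": [{"kind": "Group", "name": DEV_GROUP}]}


def _covers(values, wanted):
    return "*" in values or wanted in values


def _rule_allows(rule, req):
    return (_covers(rule["apiGroups"], req["apiGroup"])
            and _covers(rule["resources"], req["resource"])
            and _covers(rule["verbs"], req["verb"]))


def _binding_applies(binding, user, groups):
    return any((s["kind"] == "User" and s["name"] == user) or
               (s["kind"] == "Group" and s["name"] in groups)
               for s in binding["subjects"])


def authorize(bindings, user, groups, req):
    """req = {'verb', 'apiGroup', 'resource', 'namespace'}; namespace is None for
    cluster-scoped resources. RBAC is allow-only: any matching rule grants, no match denies."""
    for b in bindings:
        if not _binding_applies(b, user, groups):
            continue
        if b["kind"] == "RoleBinding":
            # A RoleBinding grants inside its own namespace only; it can never reach a
            # cluster-scoped resource even if the referenced ClusterRole would allow it.
            if req["namespace"] is None or req["namespace"] != b["namespace"]:
                continue
        if any(_rule_allows(r, req) for r in ROLES[b["roleRef"]]["rules"]):
            return True
    return False


def check(bindings, verb, resource, namespace, api_group=""):
    """Run one request as a member of the developer group (placeholder user name)."""
    return authorize(bindings, "dev@contoso.example", [DEV_GROUP],
                     {"verb": verb, "apiGroup": api_group, "resource": resource, "namespace": namespace})


if __name__ == "__main__":
    print("B: create pods in team-b ->", check([DEV_CLUSTERROLEBINDING], "create", "pods", "team-b"))
    print("B: delete nodes          ->", check([DEV_CLUSTERROLEBINDING], "delete", "nodes", None))
    print("B: create namespaces     ->", check([DEV_CLUSTERROLEBINDING], "create", "namespaces", None))
    print("C: create pods in team-b ->", check([DEV_ROLEBINDING_TEAM_A], "create", "pods", "team-b"))
    print("A: delete nodes          ->", check([DEV_CLUSTER_ADMIN], "delete", "nodes", None))
```

Note the last check in the usage: the developer ClusterRole covers only the core API group, so creating a Deployment (apps group) is denied too. If developers need Deployments, add a rule for `apiGroups: ["apps"]`, `resources: ["deployments"]` rather than reaching for cluster-admin.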

4
MCQ · easy

A company plans to deploy Azure Virtual Desktop (AVD) in a secure environment. They require that all user connections be established over a reverse connect protocol to avoid inbound firewall rules. Which component enables this?

A.Azure Bastion
B.Azure AD Application Proxy
C.AVD Gateway service
D.Session host configuration
AnswerC

The gateway uses reverse connect for outbound connections.

Why this answer

The AVD Gateway service is the correct component because it establishes a reverse connect transport, where the session host initiates an outbound connection to the gateway over HTTPS (port 443). This eliminates the need for any inbound firewall rules to the session hosts, as user connections are relayed through the gateway without directly exposing the session hosts to the internet.

Exam trap

The trap here is that candidates often confuse Azure Bastion's secure RDP access with AVD's reverse connect, but Bastion still requires inbound connectivity to the bastion host and does not provide the same outbound-only connection model that eliminates inbound firewall rules for session hosts.

How to eliminate wrong answers

Option A is wrong because Azure Bastion provides secure RDP/SSH access to VMs via the Azure portal using a bastion host, but it does not use a reverse connect protocol for AVD; it relies on inbound connections through a separate subnet. Option B is wrong because Azure AD Application Proxy is designed for publishing on-premises web apps with pre-authentication, not for brokering AVD connections; it lacks the specific reverse connect transport and session management capabilities required for AVD. Option D is wrong because the session host configuration (e.g., VM settings, RDP properties) controls local session behavior but does not handle the network-level reverse connect protocol; the gateway service is the infrastructure component that enables this.

5
Drag & Drop · medium

Order the steps to deploy Azure Firewall with forced tunneling in a hub virtual network.


Why this order

Forced tunneling has to be chosen at deployment time: the hub needs an AzureFirewallManagementSubnet with its own public IP for management traffic, and a route table whose 0.0.0.0/0 route points at the on-premises next hop (the virtual network gateway) is associated with AzureFirewallSubnet, which is why the route table comes first; the firewall is then deployed with forced tunneling enabled, and its network and application rules are configured last.

6
MCQ · hard

You are a cybersecurity architect for a multinational corporation that is migrating its on-premises workloads to Azure. The environment includes 500 virtual machines across multiple subscriptions, managed through Azure Policy and Azure Blueprints. The security team has reported that some VMs are not receiving the latest security updates despite being configured for automatic updates via the Azure Update Management solution. Additionally, you have noticed that some VMs are missing the Azure Monitor agent, which is required for security monitoring. The company uses Azure Security Center (now Defender for Cloud) with the standard tier enabled. You need to ensure that all VMs are compliant with the company's security baseline, which requires: (1) all VMs must have the Azure Monitor agent installed, (2) all VMs must be enrolled in the Update Management solution, and (3) all VMs must be protected by Microsoft Defender for Cloud. What should you do to enforce compliance and remediate non-compliant VMs?

A.Use Azure Policy with built-in initiatives such as 'Enable Azure Monitor for VMs' and 'Configure machines to automatically install updates' and assign them to all subscriptions
B.Create a new Azure Blueprint that includes the required configurations and assign it to all subscriptions
C.Use Azure Automation to run scripts that install the agent and enable updates on all VMs
D.Configure Microsoft Defender for Cloud to automatically install the Azure Monitor agent and enable updates
AnswerA

Azure Policy can audit and automatically remediate non-compliant VMs using DeployIfNotExists effects.

Why this answer

Option A is correct because Azure Policy with built-in initiatives like 'Enable Azure Monitor for VMs' and 'Configure machines to automatically install updates' provides a declarative, scalable, and continuous compliance enforcement mechanism. These initiatives automatically remediate non-compliant VMs by deploying the required agents and configurations across all subscriptions, ensuring all three security baseline requirements are met without manual intervention.

Exam trap

The trap here is that candidates confuse Azure Blueprints (which only apply at deployment) with Azure Policy (which provides continuous compliance enforcement and auto-remediation), leading them to choose Blueprints as a one-time fix instead of the ongoing policy-based solution.

How to eliminate wrong answers

Option B is wrong because Azure Blueprints are used for creating a repeatable set of Azure resources and policies at deployment time, but they do not continuously remediate existing non-compliant VMs; once assigned, they lack the ongoing compliance enforcement and auto-remediation capabilities of Azure Policy. Option C is wrong because using Azure Automation to run scripts is a reactive, manual approach that does not provide continuous compliance monitoring or automatic remediation for new or existing VMs, and it cannot enforce the security baseline at scale across multiple subscriptions. Option D is wrong because Microsoft Defender for Cloud can detect missing agents and updates but does not automatically install the Azure Monitor agent or enable Update Management; it relies on Azure Policy for deployment and remediation of these configurations.

7
Matching · medium

Match each security operations tool to its primary function.


Security information and event management

Extended detection and response (XDR)

Cloud security posture management

Identity risk detection and remediation

Data governance and compliance

Why these pairings

These tools form the Microsoft security operations stack.

8
Matching · medium

Match each Azure network security feature to its description.


Stateful packet filtering at subnet or NIC

Managed, cloud-native firewall with threat intelligence

Protects web apps from common exploits

Always-on traffic monitoring and mitigation

Access PaaS services over private endpoint

Why these pairings

These are key network security controls in Azure.

9
MCQ · hard

A company deploys Azure Bastion in a VNet. They want to allow a security engineer to connect to a Windows VM in a peered VNet using Azure Bastion. The engineer can see the VM in the portal but cannot connect. Which configuration is most likely missing?

A.The Azure Bastion subnet size is /28.
B.The peered VNet does not have 'Allow Azure Bastion Communication' enabled on the peering connection.
C.The VM's subnet does not have an inbound NSG rule allowing RDP (3389) from the Azure Bastion subnet.
D.The VM does not have Azure AD authentication enabled.
AnswerB

This setting must be enabled on both sides of the peering for Bastion to connect to VMs in the peered VNet.

Why this answer

Azure Bastion requires the 'Allow Azure Bastion Communication' setting to be enabled on the peering connection for the peered VNet. Without this, the Bastion service cannot route traffic to the target VM in the peered VNet, even though the VM is visible in the portal. This setting allows the Bastion's control plane and data plane to communicate across the peering link.

Exam trap

The trap here is that candidates assume NSG rules on the VM subnet are the primary blocker, but Azure Bastion's peering requirement is a distinct, often-missed setting that controls cross-VNet connectivity.

How to eliminate wrong answers

Option A is wrong because subnet size is a deployment-time constraint (AzureBastionSubnet must be /26 or larger, so a /28 could not have been deployed at all), and the Bastion host is already running and lists the VM, so sizing is not what blocks this connection. Option C is wrong because the default AllowVnetInBound rule on an NSG already permits RDP from the AzureBastionSubnet (the VirtualNetwork service tag includes peered address space), so no extra rule is needed in a default configuration. Bastion does not bypass NSGs, though: it connects from its subnet's private IPs to the VM's private IP on 3389/22, so a custom deny rule on the VM subnet would block it, but that is not the configuration the question describes as missing. Option D is wrong because Microsoft Entra authentication is optional for Bastion RDP; a local username and password (or SSH keys for Linux) work without it.

10
MCQ · medium

You are a security architect for a healthcare organization that is deploying a new application on Azure. The application consists of a web frontend (Azure App Service), an API layer (Azure Functions), and a database (Azure SQL Database). The organization requires that all data be encrypted at rest and in transit. Additionally, they need to ensure that only authenticated and authorized users can access the API, and that the database is accessible only from the API layer. The organization also wants to use managed identities to avoid storing credentials. You have deployed the resources. Now you need to configure the security settings. What should you do to meet the requirements?

A.Enable App Service Authentication with Azure AD, configure the API to use API keys, and enable Always Encrypted on SQL
B.Enable HTTPS-only on App Service, enable Azure SQL Database transparent data encryption, configure Azure AD authentication for SQL, and set the SQL firewall to allow Azure services
C.Enable HTTPS-only on App Service, enable Azure SQL Database firewall to allow the API's public IP, and use SQL authentication
D.Use Azure Front Door with WAF, store connection strings in Azure Key Vault, and enable Azure SQL Database auditing
AnswerB

HTTPS encrypts in transit, TDE encrypts at rest, Azure AD auth provides authorization, and firewall restricts access.

Why this answer

Option B is correct because it meets all requirements: HTTPS-only ensures encryption in transit for the web frontend; Azure SQL Database TDE provides encryption at rest (it is enabled by default on new databases); Microsoft Entra authentication for SQL lets the Function app connect with its managed identity, so no credentials are stored; and 'Allow Azure services and resources to access this server' keeps the database off the general internet without requiring a public IP for the API layer. In a production design you would tighten that last step, because the setting admits any Azure-hosted source, not only your own: a virtual network rule with a service endpoint, or a private endpoint with public network access disabled, restricts the database to the API's subnet.

Exam trap

The trap here is that candidates often confuse 'Allow Azure services' with allowing all internet traffic, when in fact it only permits connections originating from Azure IP ranges, and they may overlook that Entra authentication with managed identities eliminates the need for stored credentials. The mirror-image trap in practice is assuming that 'Allow Azure services' means 'my Azure services only': it admits traffic from any subscription's Azure resources, which is why it is a minimum rather than a strong network boundary.

How to eliminate wrong answers

Option A is wrong because API keys are not a secure authentication method for APIs (they can be easily compromised and lack identity binding), and Always Encrypted on SQL is not necessary when TDE meets the encryption-at-rest requirement and adds complexity. Option C is wrong because allowing the API's public IP in the SQL firewall exposes the database to potential external attacks, and using SQL authentication with stored credentials violates the requirement to avoid storing credentials. Option D is wrong because Azure Front Door with WAF is a web application firewall and does not directly address encryption at rest or in transit for the database, and SQL auditing is a logging feature, not a security control for access or encryption.

11
Drag & Drop · medium

Order the steps to configure Azure Key Vault firewall and virtual network service endpoints.


Why this order

Key Vault network restrictions are applied in order: enable the Microsoft.KeyVault service endpoint on the subnet, switch the vault's networking setting from all networks to selected networks, add that virtual network and subnet (plus any allowed public IP ranges) to the firewall rules, decide whether trusted Microsoft services may bypass the firewall, and save; until the save, the vault remains reachable from all networks.

12
Multi-Select · easy

Which TWO of the following are valid methods to secure traffic between on-premises and Azure?

Select 2 answers
A.Azure Front Door
B.ExpressRoute with MACsec
C.Azure Traffic Manager
D.Azure CDN
E.Site-to-Site VPN
AnswersB, E

MACsec provides encryption on ExpressRoute.

Why this answer

ExpressRoute with MACsec provides encryption at Layer 2 using the IEEE 802.1AE standard, securing traffic between on-premises and Azure over a private connection without traversing the public internet. Site-to-Site VPN uses IPsec (IKEv1/IKEv2) to encrypt traffic over the public internet, establishing a secure tunnel between the on-premises VPN device and the Azure VPN gateway. Both are valid methods for securing traffic, with ExpressRoute+MACsec offering lower latency and higher throughput for private connectivity. One caveat a designer should know: MACsec is available only on ExpressRoute Direct ports and encrypts the physical link between your edge router and the Microsoft edge; on a provider-delivered circuit, or when encryption is needed all the way into the virtual network, an IPsec VPN tunnel over ExpressRoute private peering is the usual approach.

Exam trap

The trap here is that candidates often confuse Azure Front Door or Traffic Manager as security solutions because they offer TLS termination or DDoS protection, but neither provides encrypted site-to-site connectivity between on-premises and Azure; they are traffic routing and acceleration services, not VPN or private connection methods.

13
MCQ · easy

A company uses Azure Policy to enforce that all storage accounts must have HTTPS traffic only. They assign a built-in policy to audit this setting. A developer creates a new storage account with HTTP enabled, and the policy reports it as non-compliant. What should the company do to automatically remediate this violation?

A.Enable Azure Security Center's just-in-time access for storage accounts.
B.Change the policy effect to 'Deny' to prevent creation of non-compliant storage accounts.
C.Ask the developer to manually enable HTTPS-only on the storage account.
D.Create a new policy assignment with a 'deployIfNotExists' effect that enables HTTPS-only.
AnswerD

This automatically remediates non-compliant accounts.

Why this answer

Option D is correct because the 'deployIfNotExists' effect in Azure Policy can automatically remediate non-compliant resources by running a deployment when the policy detects a violation, and a remediation task applies that deployment to resources that already existed when the assignment was created, eliminating manual intervention. In this scenario it would enable HTTPS-only on the storage account and bring it into compliance. A note for practice: a property on the resource itself, such as supportsHttpsTrafficOnly, is the case the Modify effect was designed for, while DeployIfNotExists is meant to deploy a related resource (an extension, a diagnostic setting) that is missing; both are the remediable effects, both need a remediation task for pre-existing resources, and both handle newly created or updated resources automatically after evaluation.

Exam trap

The trap here is that candidates often confuse the 'Deny' effect (which only blocks new non-compliant resources) with 'deployIfNotExists' (which remediates existing non-compliant resources), leading them to choose Option B instead of D.

How to eliminate wrong answers

Option A is wrong because Azure Security Center's just-in-time (JIT) access is a feature for managing virtual machine access, not for enforcing storage account HTTPS settings. Option B is wrong because changing the policy effect to 'Deny' would prevent creation of new non-compliant storage accounts but would not remediate the already existing non-compliant account; it only blocks future violations. Option C is wrong because asking the developer to manually enable HTTPS-only is a manual workaround that does not leverage Azure Policy's automated remediation capabilities, and it does not scale or enforce consistency across the environment.

14
Multi-Select · hard

You are designing a network security strategy for a multicloud environment that includes Azure and Amazon Web Services (AWS). The company requires that all traffic between the two clouds be encrypted and inspected for threats. You need to recommend a solution that meets the following requirements: - Minimize latency. - Use Microsoft-provided security services where possible. - Ensure traffic is inspected at Layers 3-7. Which TWO options should you include in your design?

Select 2 answers
A.Azure Virtual WAN with a secured hub that includes Azure Firewall and Firewall Manager.
B.Azure Firewall with forced tunneling to an on-premises inspection appliance.
C.Azure Policy with built-in network security policies.
D.Azure Front Door Premium with Web Application Firewall (WAF) policy.
E.AWS Transit Gateway with AWS Network Firewall for inspection.
AnswersA, E

Virtual WAN provides global transit and Azure Firewall provides L3-7 inspection.

Why this answer

Azure Virtual WAN with a secured hub integrates Azure Firewall and Firewall Manager to provide a centralized, Microsoft-managed inspection point on the Azure side, with Azure Firewall's network rules covering Layers 3 and 4 and its application rules (plus TLS inspection on the Premium SKU) covering up to Layer 7. AWS Network Firewall behind a Transit Gateway (option E) plays the same role on the AWS side, so traffic is inspected in whichever cloud it enters. The link between the two clouds is normally a site-to-site IPsec VPN between the Virtual WAN hub's VPN gateway and the Transit Gateway, which satisfies the encryption requirement; latency is kept down because each side's traffic rides its provider's backbone to the nearest hub and the VPN endpoints sit close to the workloads rather than hairpinning through on-premises.

Exam trap

The trap here is that candidates may confuse Azure Front Door (a global load balancer and WAF for web traffic) with a general-purpose inter-cloud inspection solution, overlooking that it only handles HTTP/HTTPS and cannot inspect non-web protocols or traffic between cloud networks.

15
MCQ · medium

You are designing a security strategy for a hybrid identity infrastructure that uses Microsoft Entra ID. The company requires that all administrative access to on-premises servers be secured using least-privilege principles and just-in-time (JIT) access. You plan to implement Microsoft Entra Privileged Identity Management (PIM) for Azure resources, but on-premises servers are not Azure resources. Which solution should you use to provide JIT access to on-premises servers?

A.Install Azure Arc agents on the on-premises servers and use Azure Policy to enforce JIT access.
B.Deploy Windows Admin Center and integrate with Microsoft Entra ID for authentication.
C.Configure Azure Bastion to connect to on-premises servers via a site-to-site VPN.
D.Use Microsoft Entra Privileged Identity Management (PIM) for Groups to manage membership of an on-premises Active Directory group that has administrative privileges on the servers.
AnswerD

PIM for Groups can be used to manage on-premises AD group membership, enabling JIT access to on-premises servers.

Why this answer

Option D is correct because Microsoft Entra PIM for Groups allows you to manage just-in-time membership of an on-premises Active Directory group that is synced via Microsoft Entra Connect. When a user activates their membership in PIM, the group membership change is written back to on-premises AD via group writeback, granting temporary administrative privileges on the target servers. This extends PIM's JIT capabilities to non-Azure resources without requiring the servers to be Azure Arc-enabled.

Exam trap

The trap here is that candidates assume JIT access requires the target resource to be an Azure resource, overlooking that PIM for Groups with group writeback can extend JIT to on-premises Active Directory groups, which then control access to on-premises servers.

How to eliminate wrong answers

Option A is wrong because Azure Arc and Azure Policy can audit and configure on-premises servers, but JIT elevation is not a policy effect; Azure Policy has no mechanism to grant time-bound, approved access. Option B is wrong because Windows Admin Center provides a management interface but does not natively support JIT or PIM-based activation; it relies on existing credentials and does not enforce time-bound, approved access. Option C is wrong because Azure Bastion is a connectivity broker for RDP/SSH, not an access-control solution: even though the Standard SKU can reach on-premises hosts by IP address over a VPN or ExpressRoute, it grants no time-bound elevation, requires no approval, and does nothing about standing administrative rights on the servers.

16
MCQ · hard

A large enterprise is designing a secure infrastructure for a multi-region application deployment. They have a hub-spoke topology in two Azure regions (East US and West US) with VNet peering between the hubs. Each region has a shared services spoke containing Azure AD Domain Services (AAD DS) and management jump boxes. Application spokes in each region host VMs that need to authenticate to the local AAD DS. The company mandates that all traffic between regions must traverse a network virtual appliance (NVA) for inspection, except for Azure management traffic. They also require that all outbound internet traffic from application VMs goes through a single Azure Firewall in the East US hub. They have deployed ExpressRoute to on-premises. Currently, application VMs in West US cannot authenticate to the local AAD DS. What is the most likely cause?

A.The Azure Firewall in East US is not configured to allow traffic from West US to AAD DS.
B.The VNet peering between East and West US hubs is not properly configured with 'Allow forwarded traffic' enabled.
C.The ExpressRoute circuit is down, causing traffic to be routed over the internet.
D.The route table for the West US application spoke has a default route (0.0.0.0/0) pointing to the NVA, causing traffic to AAD DS to be sent across regions.
AnswerD

This forces traffic to the NVA, which may route it out of region or cause asymmetric routing.

Why this answer

The most likely cause is that the route table for the West US application spoke has a default route (0.0.0.0/0) pointing to the NVA. This forces all outbound traffic, including traffic destined for the local AAD DS (which resides in the same region's shared services spoke), to be routed through the NVA and potentially across regions via the hub peering, rather than staying within the local VNet. Since AAD DS requires low-latency, direct connectivity within the same region, this misrouting prevents authentication.

Exam trap

The trap here is that candidates often assume the Azure Firewall or VNet peering is misconfigured, but the real issue is a routing override that forces local traffic through a non-local path, a classic 'asymmetric routing' or 'forced tunneling' pitfall in multi-region hub-spoke topologies.

How to eliminate wrong answers

Option A is wrong because the Azure Firewall in East US only inspects outbound internet traffic from application VMs; it does not handle intra-region traffic between West US application VMs and West US AAD DS, so its configuration is irrelevant to this issue. Option B is wrong because VNet peering between hubs is used for inter-region traffic, but the problem is that traffic is being forced across regions unnecessarily; the peering itself is likely functional, but the routing misdirects traffic. Option C is wrong because ExpressRoute is used for on-premises connectivity, not for Azure-to-Azure traffic between regions or within a region; its status does not affect local AAD DS authentication.

17
MCQ · hard

A company uses Azure Policy to enforce compliance. They want to automatically remediate non-compliant resources by deploying a custom template. Which effect should they use in the policy definition?

A.DeployIfNotExists
B.Audit
C.Disabled
D.Deny
AnswerA

DeployIfNotExists triggers deployment of a template when a resource is non-compliant.

Why this answer

The DeployIfNotExists effect is correct because it allows Azure Policy to automatically remediate non-compliant resources by deploying a custom ARM template when the resource is found to be non-compliant. This effect is specifically designed for automatic remediation scenarios, as it triggers a deployment to bring the resource into compliance without manual intervention.

Exam trap

The trap here is that candidates often confuse DeployIfNotExists with Deny, thinking that blocking non-compliant resources is sufficient for remediation, but Deny only prevents future non-compliance and does not fix existing resources.

How to eliminate wrong answers

Option B (Audit) is wrong because it only logs non-compliance events without any remediation action, so it cannot automatically fix resources. Option C (Disabled) is wrong because it disables the policy entirely, preventing any evaluation or remediation. Option D (Deny) is wrong because it blocks the creation or update of non-compliant resources but does not remediate already existing non-compliant resources, which is required for automatic remediation.
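What each effect does to new and existing resources, as an added example for Questions 13 and 17 (and for the DeployIfNotExists claim in Question 6). This is not code from the page, and Azure Policy is a service rather than a library, so the evaluation below is a Python model: the policy rule is constructed in the shape of a definition's policyRule, the storage accounts are constructed, only field conditions with equals/notEquals under allOf/anyOf are modelled, and the remediation deployment is reduced to setting the property.

```python
"""Model of the Azure Policy effects audit, deny and deployIfNotExists/modify (added example)."""

STORAGE_TYPE = "Microsoft.Storage/storageAccounts"
HTTPS_ALIAS = "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly"


def https_only_policy(effect):
    """Match storage accounts whose supportsHttpsTrafficOnly is not true and apply `effect`."""
    return {
        "if": {"allOf": [
            {"field": "type", "equals": STORAGE_TYPE},
            {"field": HTTPS_ALIAS, "notEquals": "true"},
        ]},
        "then": {"effect": effect,
                 # the change a remediation deployment makes; only deployIfNotExists/modify use it
                 "details": {"set": {HTTPS_ALIAS: True}}},
    }


def _prop_name(alias):
    """'Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly' -> 'supportsHttpsTrafficOnly'."""
    return alias.rsplit("/", 1)[1]


def _field_value(resource, field):
    if field == "type":
        return resource["type"].lower()
    return str(resource["properties"].get(_prop_name(field), "")).lower()


def _condition(cond, resource):
    if "allOf" in cond:
        return all(_condition(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(_condition(c, resource) for c in cond["anyOf"])
    value = _field_value(resource, cond["field"])
    if "equals" in cond:
        return value == str(cond["equals"]).lower()
    if "notEquals" in cond:
        return value != str(cond["notEquals"]).lower()
    raise ValueError(f"unsupported condition: {cond}")


def submit(policies, resource):
    """A PUT of a new or updated resource. Only 'deny' can reject it; every other effect lets
    the request through and deals with the resource afterwards. Returns the accepted
    resource, or None when the request was denied."""
    for p in policies:
        if p["then"]["effect"].lower() == "deny" and _condition(p["if"], resource):
            return None
    return resource


def compliance_scan(policies, inventory):
    """Names of resources the 'if' block matches, i.e. the non-compliant ones (audit records these)."""
    return [r["name"] for r in inventory if any(_condition(p["if"], r) for p in policies)]


def remediation_task(policies, inventory):
    """Remediation tasks exist only for deployIfNotExists and modify; for audit or deny there is
    nothing to run. Mutates matching resources in place and returns their names."""
    fixed = []
    for r in inventory:
        for p in policies:
            if p["then"]["effect"].lower() in ("deployifnotexists", "modify") and _condition(p["if"], r):
                for alias, value in p["then"]["details"]["set"].items():
                    r["properties"][_prop_name(alias)] = value
                fixed.append(r["name"])
    return fixed


def scenario(effect):
    """One pre-existing non-compliant account, plus a developer creating another under `effect`."""
    inventory = [{"name": "stlegacy", "type": STORAGE_TYPE,
                  "properties": {"supportsHttpsTrafficOnly": False}}]
    policies = [https_only_policy(effect)]
    created = submit(policies, {"name": "stdev", "type": STORAGE_TYPE,
                                "properties": {"supportsHttpsTrafficOnly": False}})
    if created is not None:
        inventory.append(created)
    before = compliance_scan(policies, inventory)
    remediated = remediation_task(policies, inventory)
    after = compliance_scan(policies, inventory)
    return {"created": created is not None, "noncompliant_before": before,
            "remediated": remediated, "noncompliant_after": after}


if __name__ == "__main__":
    for effect in ("audit", "deny", "deployIfNotExists"):
        print(effect, scenario(effect))
```

The three runs line up with the exam reasoning: audit lets the new account in and only reports both; deny stops the new account but leaves the legacy one non-compliant with nothing to remediate; deployIfNotExists (and modify, which the model treats the same way) lets the request through and the remediation task fixes both. Real Azure Policy additionally triggers the deployment on its own for a newly created or updated resource shortly after evaluation; the remediation task is what reaches resources that predate the assignment.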

18
Multi-Select · medium

Which TWO of the following are true about Azure DDoS Protection?

Select 2 answers
A.It automatically blocks all traffic during an attack
B.It protects VMs from internal traffic attacks
C.It can be used to protect against application-layer attacks when combined with WAF
D.It provides cost protection through service credits
E.It provides a monthly allowance of attacks
AnswersC, D

Together with WAF, it can mitigate application-layer DDoS.

Why this answer

Option C is correct because Azure DDoS Protection mitigates volumetric and protocol attacks at Layers 3 and 4 against public IP addresses; pairing it with the Web Application Firewall on Application Gateway or Azure Front Door adds Layer 7 coverage, where WAF rate limiting and bot rules absorb HTTP floods and other application-layer denial-of-service patterns that look like legitimate requests to a Layer 3/4 scrubber. (Injection attacks such as SQL injection or cross-site scripting are also WAF territory, but they are not denial-of-service attacks.) Option D is correct because the Network Protection tier includes cost protection: if a mitigated attack causes protected resources to scale out or transfer more data, Microsoft issues service credits for those charges.

Exam trap

The trap here is that candidates often assume Azure DDoS Protection alone handles all layers, including Layer 7, but it only covers Layers 3 and 4 natively, requiring WAF integration for application-layer protection.

19
MCQ · medium

A company uses Azure Firewall to inspect outbound traffic from a hub virtual network. They need to ensure that traffic from a spoke virtual network to a specific SaaS application (api.contoso.com) bypasses the firewall for performance reasons. What is the most efficient way to achieve this?

A.Configure an application rule in Azure Firewall with a 'Bypass' action for api.contoso.com.
B.Add a user-defined route (UDR) in the spoke virtual network's route table with destination api.contoso.com and next hop type 'Internet'.
C.Enable service endpoints for Microsoft.Storage in the spoke subnet.
D.Create a network rule in Azure Firewall to allow traffic to api.contoso.com and deny all other traffic.
AnswerB

A more specific route with next hop Internet wins over the 0.0.0.0/0 route that sends everything else to the firewall.

Why this answer

Option B is correct in intent: a user-defined route in the spoke's route table with next hop type Internet makes traffic for that destination bypass the Azure Firewall, because Azure selects the route with the longest matching prefix and a specific prefix beats the 0.0.0.0/0 route that steers everything else to the firewall. One correction to how the option is worded: a UDR takes an address prefix, not an FQDN, so you add the IP range that api.contoso.com resolves to (and keep it current if the SaaS provider publishes a changing set of ranges). No firewall rule change is needed, which is what makes this the most efficient approach.

Exam trap

The trap here is that candidates assume Azure Firewall can be configured to 'bypass' itself via a rule action, but Azure Firewall rules only allow or deny traffic—they cannot redirect traffic away from the firewall; only UDRs can change the next hop to bypass the firewall entirely.

How to eliminate wrong answers

Option A is wrong because Azure Firewall application rules support only Allow and Deny actions; there is no action that selectively skips inspection. Option C is wrong because service endpoints give private access to Azure PaaS services (like Microsoft.Storage) over the Azure backbone and have nothing to do with a third-party SaaS endpoint such as api.contoso.com. Option D is wrong because a network rule allowing api.contoso.com still sends the traffic through the firewall, which defeats the performance requirement; note that network rules can use FQDN destinations when the firewall's DNS proxy is enabled, so the reason D fails is the inspection path, not the rule syntax.
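The route selection behind Questions 16 and 19, as an added example that is not from the page or from Azure: a Python model of how a subnet's effective route is chosen. All address spaces, next-hop addresses and the 203.0.113.0/24 prefix (standing in for the range api.contoso.com resolves to) are constructed, as is the in-region next hop used for the Question 16 fix. The rule modelled is Azure's: longest prefix match, and for equal prefixes user-defined routes beat BGP routes, which beat system routes.

```python
"""Azure effective-route selection for a subnet with a route table (added example)."""
import ipaddress

PRIORITY = {"user": 0, "bgp": 1, "system": 2}   # tie-break for equal prefix length


def route(prefix, next_hop, source="system"):
    return {"prefix": ipaddress.ip_network(prefix), "next_hop": next_hop, "source": source}


def next_hop(routes, destination):
    """Longest prefix wins; among equal prefixes, UDR beats BGP beats system route."""
    dst = ipaddress.ip_address(destination)
    candidates = [r for r in routes if dst in r["prefix"]]
    if not candidates:
        return None
    best = min(candidates, key=lambda r: (-r["prefix"].prefixlen, PRIORITY[r["source"]]))
    return best["next_hop"]


# Question 16: West US application spoke 10.2.0.0/16, peered only to the West US hub
# 10.1.0.0/16. The shared-services spoke holding AAD DS (10.3.1.4) is a separate VNet,
# so there is no system route for it: the 0.0.0.0/0 UDR to the NVA captures that traffic.
WEST_APP_SPOKE = [
    route("10.2.0.0/16", "VnetLocal"),
    route("10.1.0.0/16", "VNetPeering"),
    route("0.0.0.0/0", "Internet"),
    route("0.0.0.0/0", "VirtualAppliance 10.1.0.4", source="user"),
]
# The kind of fix the question implies: a more specific route that keeps the local
# shared-services prefix on an in-region path (next hop constructed for the example).
WEST_APP_SPOKE_FIXED = WEST_APP_SPOKE + [
    route("10.3.0.0/16", "VirtualAppliance 10.1.0.68", source="user")]

# Question 19: spoke behind Azure Firewall, with one prefix routed straight to the Internet.
# A UDR carries an address prefix; it cannot carry an FQDN such as api.contoso.com.
FIREWALLED_SPOKE = [
    route("10.4.0.0/16", "VnetLocal"),
    route("0.0.0.0/0", "Internet"),
    route("0.0.0.0/0", "VirtualAppliance 10.1.1.4", source="user"),   # Azure Firewall
    route("203.0.113.0/24", "Internet", source="user"),               # bypass for the SaaS range
]

if __name__ == "__main__":
    print("AAD DS from West app spoke:", next_hop(WEST_APP_SPOKE, "10.3.1.4"))
    print("AAD DS after adding the /16:", next_hop(WEST_APP_SPOKE_FIXED, "10.3.1.4"))
    print("SaaS address 203.0.113.25:", next_hop(FIREWALLED_SPOKE, "203.0.113.25"))
    print("other internet host:", next_hop(FIREWALLED_SPOKE, "198.51.100.7"))
```

Two things the output makes concrete: a default route to an appliance does not only affect internet-bound traffic, it also swallows every destination that has no longer system route, which is exactly the trap in Question 16; and the Question 19 bypass works purely on prefix length, so the bypass is only as accurate as the IP ranges you maintain for the SaaS endpoint.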

20
MCQhard

Your organization, Contoso Ltd., is migrating its on-premises workloads to Azure. The environment includes 200 virtual machines (VMs) running Windows Server and 50 VMs running Linux. You are responsible for designing the security infrastructure. The company has the following requirements:
1) All VMs must be protected against malware.
2) Security updates must be applied automatically to Windows VMs within 24 hours of release.
3) Linux VMs must receive critical security patches within 48 hours.
4) A central dashboard must provide visibility into the security posture of all VMs.
5) All VMs must be onboarded to Microsoft Defender for Cloud to enable advanced threat protection.
6) The solution must minimize administrative overhead.
You have implemented the following:
- All VMs are enrolled in Microsoft Defender for Cloud with the enhanced security features enabled.
- Azure Update Manager is configured to schedule updates.
- Microsoft Defender for Endpoint is installed on all Windows VMs.
However, after a month, the security team reports that:
- 50 Windows VMs did not receive security updates within 24 hours.
- 10 Linux VMs have not received any patches.
- The central dashboard shows that 30 VMs are not reporting their security status.
- A malware outbreak occurred on 5 Windows VMs that were not protected by Defender for Endpoint.
You need to identify the most likely root cause and recommend a corrective action.

A.Onboard the VMs to Azure Arc and enable the Azure Update Manager on all VMs via Arc.
B.Implement Azure Policy to enforce that all VMs have the 'Deploy default Microsoft IaaS anti-malware extension for Windows' policy assigned and create a remediation task.
C.Configure Microsoft Entra Privileged Identity Management (PIM) to require approval for update deployments.
D.Review the network security groups (NSGs) and firewall rules to ensure outbound connectivity to the required Microsoft endpoints for Microsoft Defender for Endpoint and Windows Update.
AnswerD

Network connectivity is required for VMs to receive updates and communicate with Defender for Endpoint.

Why this answer

The correct answer is D because the symptoms all have one shape: agents on the VMs cannot reach their cloud services. Defender for Endpoint needs outbound HTTPS to the service URLs Microsoft publishes for it (for example *.endpoint.security.microsoft.com under the streamlined connectivity model), Windows Update needs *.update.microsoft.com and related hosts, and the Linux VMs need their distribution's package repositories, which Azure Update Manager drives through apt, yum or zypper on the machine itself. A hub firewall behind a 0.0.0.0/0 UDR, an NSG outbound deny, or a subnet with no outbound path at all breaks all three at once, which is exactly the reported pattern: missed updates, no status reporting and unprotected endpoints. The check is to run the Microsoft Defender for Endpoint Client Analyzer on one affected VM and test the update endpoints from the same VM, then fix the NSG or firewall rules rather than reinstalling agents.

Exam trap

The trap here is that candidates often focus on configuration or policy gaps (like missing extensions or update schedules) instead of recognizing that all symptoms—missing updates, no reporting, and unprotected VMs—stem from a single underlying network connectivity issue.

How to eliminate wrong answers

Option A is wrong because Azure Arc is used to manage non-Azure machines; all VMs are already in Azure, so onboarding to Arc adds unnecessary complexity and does not address the root cause of connectivity or missing Defender protection. Option B is wrong because the 'Deploy default Microsoft IaaS anti-malware extension for Windows' policy deploys the legacy Microsoft Antimalware extension, not Microsoft Defender for Endpoint, and does not solve the update or reporting failures. Option C is wrong because Microsoft Entra PIM controls privileged access and approval workflows for role assignments, not update deployment scheduling or connectivity; it does not fix missing patches or Defender protection.

21
MCQmedium

A financial services company is deploying a three-tier application on Azure. They need to ensure that the web tier can only communicate with the application tier, and the application tier can only communicate with the data tier. All tiers should use private IP addresses. What is the most secure way to implement this?

A.Deploy Azure Firewall and use application rules
B.Use Network Security Groups (NSGs) on each subnet
C.Use VNet peering with route tables
D.Use Azure Web Application Firewall (WAF)
AnswerA

Azure Firewall can filter based on FQDNs and IPs, providing secure inter-tier communication.

Why this answer

Azure Firewall gives the tightest control over east-west traffic between the tiers because it is a centrally managed, stateful service that can filter on more than IP and port: network rules restrict source, destination, protocol and port between the tier subnets, application rules restrict HTTP/HTTPS flows to specific FQDNs, and, with the Premium SKU, TLS inspection and IDPS can look inside the encrypted session. Two caveats matter in practice: the firewall only sees inter-tier traffic if each tier subnet carries a user-defined route sending the other tiers' prefixes to the firewall's private IP (traffic between private addresses is not SNATed, so the tiers keep their private IPs), and every permitted flow must be written explicitly because the firewall denies by default. NSGs on each subnet are still worth keeping as the first layer; the firewall adds the Layer 7 controls they lack.

Exam trap

The trap here is that candidates often assume NSGs are sufficient for all internal traffic filtering, but they lack Layer 7 inspection and FQDN filtering, which are critical for a secure three-tier isolation in a zero-trust design.

How to eliminate wrong answers

Option B is wrong because Network Security Groups (NSGs) operate at Layer 3/4 (network/transport) and cannot perform application-layer inspection or FQDN filtering, making them insufficient for enforcing application-level restrictions between tiers. Option C is wrong because VNet peering with route tables only controls routing paths, not traffic filtering; it does not block or allow specific traffic between tiers, so it cannot enforce the required communication restrictions. Option D is wrong because Azure Web Application Firewall (WAF) is designed to protect inbound web traffic from the internet to the web tier, not to control east-west traffic between internal tiers (web-to-app or app-to-data).

22
MCQeasy

A company has a hybrid identity deployment using Azure AD Connect. They want to ensure that if a user's on-premises account is disabled, the corresponding Azure AD account is also disabled within 30 minutes. Which setting should they configure?

A.Enable password hash synchronization
B.Configure the synchronization interval for directory changes
C.Install Azure AD Application Proxy
D.Enable password writeback
AnswerB

Azure AD Connect syncs changes every 30 minutes by default.

Why this answer

Option B is correct because Azure AD Connect's scheduler runs a delta synchronization every 30 minutes by default, and 30 minutes is also the shortest interval the scheduler accepts (Get-ADSyncScheduler shows the current cycle; Set-ADSyncScheduler -CustomizedSyncCycleInterval changes it). Each delta cycle imports the attributes that changed in on-premises AD, including userAccountControl, so an account disabled on-premises is disabled in Azure AD on the next cycle. For an urgent case you can run Start-ADSyncSyncCycle -PolicyType Delta on the Connect server instead of waiting. Note that disabling the cloud account does not end sessions that already hold tokens; if access must stop immediately, also revoke the user's sign-in sessions (Revoke-MgUserSignInSession in the Microsoft Graph PowerShell module).

Exam trap

The trap here is that candidates confuse account status synchronization (which relies on the sync interval) with password-related features like password hash sync or writeback, assuming they also propagate account state changes.

How to eliminate wrong answers

Option A is wrong because password hash synchronization only synchronizes password hashes for authentication, not account status (enabled/disabled). Option C is wrong because Azure AD Application Proxy provides secure remote access to on-premises web applications and has no role in synchronizing user account states. Option D is wrong because password writeback enables password changes from Azure AD to on-premises AD, not the synchronization of account disabled status.

23
MCQmedium

A company is deploying Azure SQL Database with Azure Active Directory authentication for their application. They want to ensure that only specific Azure AD users can access the database, and that these users are authenticated at the database level. What should they do?

A.Create a server-level login for each user
B.Assign the Azure AD admin to the SQL server
C.Configure firewall rules to allow specific IPs
D.Create contained database users mapped to Azure AD identities
AnswerD

Contained users authenticate at the database level and are mapped to Azure AD users.

Why this answer

Option D is correct because a contained database user created with CREATE USER [user@contoso.com] FROM EXTERNAL PROVIDER exists only inside that database and is authenticated there against Azure AD, with no login in master. Access is then scoped with database roles (ALTER ROLE db_datareader ADD MEMBER [user@contoso.com]), and an Azure AD group can be added the same way so that membership is managed in Azure AD rather than in T-SQL. Two prerequisites apply: an Azure AD admin must be set on the logical server, and the CREATE USER statement must be run from a session that itself authenticated with Azure AD (the SQL authentication admin cannot create external-provider users).

Exam trap

The trap here is that candidates often confuse server-level Azure AD admin assignment (which enables Azure AD authentication at the server level) with the ability to control specific user access at the database level, leading them to select Option B instead of understanding that contained database users are required for granular, database-scoped authentication.

How to eliminate wrong answers

Option A is wrong because a login is a server-scoped principal that lives in the logical server's master database; Azure SQL does accept Azure AD server principals (CREATE LOGIN ... FROM EXTERNAL PROVIDER), but a login still has to be mapped to a user in each database, so it does not give the database-level authentication the question asks for and adds a server-level object to manage per user. Option B is wrong because assigning an Azure AD admin to the SQL server grants that user or group full administrative access to the server, not the ability to restrict specific users at the database level; it is a prerequisite for Azure AD authentication but does not by itself control database-level access. Option C is wrong because firewall rules control network access by IP address, not user authentication; they are a separate layer that allows or blocks connections from specific IP ranges and do not authenticate individual Azure AD users.

24
MCQhard

Refer to the exhibit. An Azure policy is defined as shown. Which resources will be audited?

A.All Azure resources that are not compliant
B.All virtual machines with unmanaged disks
C.Virtual machines with Standard_LRS managed disks
D.Virtual machines with Premium_LRS managed disks and disk size 1024 GB
AnswerC

Standard_LRS is not Premium_LRS, so it matches the notEquals condition.

Why this answer

The policy rule in the exhibit tests the managed disk SKU of a virtual machine's disks with a notEquals condition against 'Premium_LRS' and applies an audit-type effect, so a resource is flagged when that condition is true. A Standard_LRS disk is not Premium_LRS, the condition evaluates to true, and the VM is reported as non-compliant (option C); a Premium_LRS disk makes the condition false and nothing is logged. Audit effects never block a deployment; they only write a non-compliance entry to the activity log and the compliance view, so the operational check after assigning such a policy is to open the compliance blade (or run az policy state list) and confirm that the expected VMs appear.

Exam trap

Microsoft often tests the nuance of 'auditIfNotExists' versus 'audit'. With plain 'audit' the flag is raised when the 'if' condition is true; with 'auditIfNotExists' the 'if' block only selects the resource, and the flag is raised when no related resource satisfies the existenceCondition. Candidates who skip that distinction assume the policy audits all non-compliant resources or unmanaged disks; read which effect the exhibit uses and what the condition actually tests before answering.

How to eliminate wrong answers

Option A is wrong because the policy is scoped to virtual machines and their associated disks, not all Azure resources; it does not audit general non-compliance across resource types. Option B is wrong because the policy audits virtual machines that have Standard_LRS managed disks, not unmanaged disks; unmanaged disks would not match the 'Microsoft.Compute/disks' resource type with a managed disk SKU, so they would not trigger the audit. Option D is wrong because the policy does not include a condition on disk size; it only checks for the presence of a Standard_LRS managed disk, so a Premium_LRS disk of any size would not be audited.

25
MCQhard

A company is designing a secure hybrid network architecture. They have an on-premises network connected to Azure via ExpressRoute and a site-to-site VPN as backup. They want to ensure that traffic from Azure to on-premises always uses ExpressRoute when available, but automatically fails over to VPN if ExpressRoute goes down. Which configuration should they implement?

A.Configure the VPN to have a lower BGP weight than ExpressRoute.
B.Use both connections in active-active mode with BGP and rely on ECMP.
C.Disable BGP on the VPN connection and use static routes with a higher metric for the VPN.
D.Configure BGP on both connections and assign a higher local preference (e.g., 200) to routes learned via ExpressRoute.
AnswerD

Higher local preference makes ExpressRoute routes preferred; if ExpressRoute fails, VPN routes will be used.

Why this answer

Option D is correct because local preference is the first attribute BGP compares when choosing among routes for the same prefix learned from different neighbours, and it is shared across the whole AS, unlike Cisco weight. Giving the ExpressRoute-learned routes a higher local preference (200) than the VPN-learned routes (default 100) makes ExpressRoute the active path while both sessions are up; when the ExpressRoute BGP session drops, its routes are withdrawn and the VPN routes become best with no manual change. Two points the exam wording hides: local preference is set on the router that receives the routes, so for the on-premises-to-Azure direction it is configured on the on-premises edge routers, while for the Azure-to-on-premises direction the Azure gateways already prefer ExpressRoute over the site-to-site VPN for a prefix learned over both; and this coexistence design requires a route-based VPN gateway with BGP enabled.

Exam trap

The trap here is that candidates confuse BGP weight (Cisco-proprietary, significant only on the router where it is set and never advertised) with local preference (standard, shared among the routers of an AS), and assume that lowering the VPN weight would achieve the same result as raising the ExpressRoute local preference. Azure gateways do not expose weight, so local preference is the attribute that works for steering traffic between Azure and on-premises.

How to eliminate wrong answers

Option A is wrong because BGP weight is a Cisco-proprietary attribute that influences only the path choice of the router on which it is set and is never propagated to a peer; the Azure gateways do not expose it, so lowering the VPN weight cannot steer traffic leaving Azure. Option B is wrong because active-active with ECMP splits flows across both connections at the same time, which is load sharing, not the primary/backup behaviour required. Option C is wrong because static routes on the VPN side stop Azure and on-premises from exchanging prefixes dynamically over the backup path: every prefix must be maintained by hand on both sides, and failover works only as far as the static routes happen to match reality, whereas BGP withdraws routes and converges automatically.
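The decision the explanation describes is easy to see in code. The following is an added example, not code from the page, from Microsoft or from any router vendor: a small model of BGP best-path selection covering the steps that matter here (highest LOCAL_PREF, then shortest AS_PATH, then lowest MED) with a withdraw operation standing in for the ExpressRoute session dropping. The prefix 10.10.0.0/16 and private AS 65010 are constructed; 12076 is Microsoft's ExpressRoute peering AS, used so that the ExpressRoute path is the longer one, which is why local preference is needed at all.

```python
"""Model of BGP best-path selection for the ExpressRoute/VPN failover case.

Added example, not code from the page, from Microsoft or from any router
vendor. It implements the standard decision steps relevant here (highest
LOCAL_PREF, shortest AS_PATH, lowest MED). The prefix 10.10.0.0/16 and
AS 65010 are constructed; 12076 is Microsoft's ExpressRoute peering AS.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class BgpRoute:
    prefix: str
    learned_from: str        # peer name, e.g. "ExpressRoute" or "VPN"
    local_pref: int = 100    # BGP default when the attribute is not set
    as_path: tuple = ()      # AS numbers, nearest first
    med: int = 0


def best_path(routes):
    """Pick the best route among candidates for one prefix.

    Order follows RFC 4271 section 9.1.2 for the attributes modelled:
    1. highest LOCAL_PREF, 2. shortest AS_PATH, 3. lowest MED.
    Returns None if there are no candidates (prefix withdrawn everywhere).
    """
    if not routes:
        return None
    return max(routes, key=lambda r: (r.local_pref, -len(r.as_path), -r.med))


class RibIn:
    """Adj-RIB-In keyed by (prefix, peer); withdraw_peer() simulates a session drop."""

    def __init__(self):
        self.routes = {}

    def advertise(self, route):
        self.routes[(route.prefix, route.learned_from)] = route

    def withdraw_peer(self, peer):
        for key in [k for k in self.routes if k[1] == peer]:
            del self.routes[key]

    def best(self, prefix):
        return best_path([r for (p, _), r in self.routes.items() if p == prefix])


def build_rib(er_local_pref=200, vpn_local_pref=100):
    """Same on-premises prefix learned over both connections."""
    rib = RibIn()
    # ExpressRoute path is longer because Microsoft's peering AS sits in front of the customer AS.
    rib.advertise(BgpRoute("10.10.0.0/16", "ExpressRoute", er_local_pref, (12076, 65010)))
    rib.advertise(BgpRoute("10.10.0.0/16", "VPN", vpn_local_pref, (65010,)))
    return rib


if __name__ == "__main__":
    rib = build_rib()
    print("both up:", rib.best("10.10.0.0/16").learned_from)      # ExpressRoute
    rib.withdraw_peer("ExpressRoute")
    print("ER down:", rib.best("10.10.0.0/16").learned_from)      # VPN
    # With equal local preference the shorter VPN AS path would win even when ER is healthy.
    print("no pref:", build_rib(100, 100).best("10.10.0.0/16").learned_from)  # VPN
```

The last line is the point of the question: without the local-preference change, the AS-path tie-break sends traffic over the VPN while ExpressRoute is perfectly healthy.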

26
MCQeasy

A company uses Azure Front Door to load balance traffic across two origin servers in different Azure regions. They notice that failover is not working when one origin becomes unhealthy. What is the most likely cause?

A.Both origins are in the same region.
B.Caching is enabled on the Front Door profile.
C.Session affinity is enabled.
D.The health probe path is set to an incorrect endpoint on the origin servers.
AnswerD

An incorrect health probe path can cause Front Door to consider the origin healthy when it is not, or vice versa.

Why this answer

The most likely cause is a wrong health probe path. Azure Front Door decides where to route by probing each origin at the configured path; an origin is marked unhealthy when the probe does not get a successful response and healthy otherwise. If the path is wrong, the health signal is wrong in one of two directions: a path that always returns 200 (a static page, a redirect endpoint) keeps a broken origin in rotation, and a path that returns 404 on every origin marks all of them unhealthy, in which case Front Door falls back to sending traffic to every origin as if all were healthy. Either way the failover the team expects never happens. The check is to request the probe path directly on each origin with the probe's method and confirm the status code, then compare against the origin health reported in Front Door's metrics.

Exam trap

The trap here is that candidates reach for regional placement or caching as the cause, but failover depends on the health probe alone: a probe that cannot judge origin health accurately, most often because of a wrong path, is the usual culprit.

How to eliminate wrong answers

Option A is wrong because both origins being in the same region would not prevent failover; Azure Front Door can still load balance and failover between origins in the same region as long as they are configured as separate backends. Option B is wrong because caching on Front Door does not affect health probe logic or failover behavior; caching only stores responses to improve performance, not influence routing decisions. Option C is wrong because session affinity (sticky sessions) only ensures a client is routed to the same backend for the duration of a session; it does not disable failover—if the backend becomes unhealthy, Front Door will still failover to a healthy backend, though the session may be lost.

27
Multi-Selectmedium

Which TWO actions should you take to secure an Azure Kubernetes Service (AKS) cluster?

Select 2 answers
A.Enable Azure AD integration for Kubernetes RBAC.
B.Disable HTTP application routing.
C.Use pod identity to access Azure resources.
D.Enable Azure Firewall to restrict outbound traffic.
E.Use a service principal for AKS cluster authentication and store the secret in a Kubernetes secret.
AnswersA, C

Provides identity-based access control.

Why this answer

Option A is correct because Azure AD integration lets the API server authenticate users and groups with Azure AD tokens and authorize them through Kubernetes RBAC (or Azure RBAC for Kubernetes authorization), so cluster access follows the same identities, groups and Conditional Access policies as the rest of the tenant and no static kubeconfig credentials need to be handed out. Option C is correct because a pod identity lets a workload obtain Azure AD tokens for Azure resources such as Key Vault or Storage without a client secret in the pod spec or in a Kubernetes secret. Note that the original AAD Pod Identity add-on is deprecated; the supported implementation of the same idea today is Microsoft Entra Workload ID, which federates a Kubernetes service account with an Azure AD identity over OIDC.

Exam trap

The trap here is that candidates treat Option E as a reasonable default because it was once the standard cluster identity setup. A long-lived service principal secret stored as a Kubernetes secret is readable by anyone with RBAC rights to get secrets in that namespace and must be rotated by hand; a managed identity for the cluster and workload identity for pods remove the secret altogether. Options B and D are sound hardening steps (HTTP application routing is meant for development only, and egress control is recommended for production clusters), but the keyed answers are the two identity controls.

28
Multi-Selecthard

Which THREE of the following are best practices for securing Azure Kubernetes Service (AKS)?

Select 3 answers
A.Enable Azure Policy for AKS
B.Integrate Azure AD for Kubernetes RBAC
C.Use network policies to control pod-to-pod communication
D.Store secrets in Kubernetes secrets
E.Allow all node pools to communicate freely
AnswersA, B, C

Azure Policy enforces security standards on AKS.

Why this answer

A is correct because Azure Policy for AKS enforces organizational standards and assesses compliance at scale by applying built-in policies that restrict privileged containers, require pod security standards, and enforce HTTPS ingress. This reduces the attack surface and ensures clusters adhere to security baselines without manual intervention.

Exam trap

The trap here is that candidates assume Kubernetes secrets are secure by default. A secret is only base64-encoded in manifests, and any principal with RBAC permission to get secrets in the namespace reads it in clear; AKS does encrypt etcd at rest, but that protects the datastore, not access through the API. The recommended pattern is Azure Key Vault with the Secrets Store CSI driver (or an external secrets operator), so the secret material is not kept in the cluster at all.

29
MCQhard

An organization uses Microsoft Defender for Cloud to secure their multi-cloud environment, including Azure and AWS. They want to ensure that all AWS EC2 instances are automatically onboarded to Defender for Cloud. What should they configure?

A.Deploy Azure Arc on each EC2 instance
B.Use AWS Systems Manager to push Defender workload
C.Set up the AWS connector in Defender for Cloud
D.Configure AWS Config rules to report to Defender
AnswerC

The connector automatically discovers and monitors EC2 instances.

Why this answer

Option C is correct because the AWS connector in Microsoft Defender for Cloud is the native integration that discovers and onboards AWS resources, including EC2 instances, into Defender for Cloud. Once configured, the connector uses an IAM role in the AWS account to sync the EC2 inventory continuously and, when the Defender for Servers plan is selected, auto-provisions the Azure Arc agent onto the instances through AWS Systems Manager so that Defender for Endpoint and the other server protections can be deployed without touching each instance by hand. The prerequisite worth checking is that the SSM agent is running and the instance profile permits Systems Manager; instances that fail that check are skipped by auto-provisioning and show up as not onboarded.

Exam trap

The trap here is that Azure Arc and AWS Systems Manager are both part of the solution, as components the connector drives; candidates who pick either of them as the answer are choosing a per-instance step over the cloud-to-cloud integration that automates it.

How to eliminate wrong answers

Option A is wrong because installing the Azure Arc agent by hand on each EC2 instance is exactly the per-instance work the connector is designed to automate: with the Defender for Servers plan enabled, the connector auto-provisions Arc for you. Option B is wrong for the same reason: AWS Systems Manager is the channel the connector uses to push the Arc agent, not something you configure separately to 'push Defender'. Option D is wrong because AWS Config rules evaluate resource configuration inside AWS and have no integration that installs agents or enables Defender plans.

30
MCQmedium

A company is designing a hybrid network architecture using Azure ExpressRoute. They need to ensure that all traffic between on-premises and Azure is encrypted and authenticated. Which configuration should they implement?

A.Use VPN Gateway over ExpressRoute
B.Use ExpressRoute Direct with BGP
C.Use ExpressRoute with MACsec
D.Use Azure Firewall to inspect ExpressRoute traffic
AnswerC

MACsec enables encryption and authentication on ExpressRoute circuits.

Why this answer

Option C is correct because MACsec (IEEE 802.1AE) encrypts and authenticates frames at Layer 2 on ExpressRoute Direct ports, on the physical link between your edge router and Microsoft's edge router; the CKN/CAK pair is stored in Azure Key Vault and read by the ExpressRoute Direct resource's managed identity. This meets the exam's requirement for both encryption and authentication without an IPsec overlay. Two caveats for a real design: MACsec is available only on ExpressRoute Direct, not on provider-managed circuits, and it protects that first-mile link rather than the whole path across the Microsoft backbone to the virtual network gateway, so a requirement for end-to-end encryption would point back to IPsec over private peering.

Exam trap

The trap here is that candidates often confuse encryption at Layer 3 (IPsec) with encryption at Layer 2 (MACsec), assuming a VPN Gateway is required for encryption, when ExpressRoute Direct with MACsec provides native encryption without the performance penalty of a VPN overlay.

How to eliminate wrong answers

Option A is wrong in the exam's framing because a VPN gateway over ExpressRoute adds IPsec tunnel overhead and a second gateway to operate; it is the right tool only when encryption must reach the VNet gateway rather than the first-mile link. Option B is wrong because ExpressRoute Direct with BGP provides dedicated bandwidth and dynamic routing but does not by itself encrypt or authenticate data-plane traffic. Option D is wrong because Azure Firewall inspects traffic at Layers 3-7 but does not provide encryption or authentication for the traffic itself; it only filters and logs it.

31
MCQmedium

A company deploys a three-tier application with web servers, application servers, and database servers in a VNet. They need to ensure that web servers can only communicate with application servers on port 443, and application servers can only communicate with database servers on port 1433. Web servers should not be able to communicate with database servers. What is the most secure and efficient way to implement this?

A.Place each tier in a separate subnet, and create NSGs on each subnet with appropriate inbound and outbound rules.
B.Use Azure Firewall to inspect all traffic between tiers.
C.Use Application Security Groups (ASGs) to group VMs, but do not create NSGs.
D.Place all tiers in the same subnet, and use a single NSG with rules to allow and deny traffic.
AnswerA

This provides network segmentation and granular control.

Why this answer

Option A is correct because separate subnets per tier give each tier its own NSG and a clear boundary, and NSGs are stateful: an outbound rule on the web subnet allowing TCP 443 to the application subnet plus an inbound rule on the application subnet allowing TCP 443 from the web subnet covers the request and its reply, and the same pair on TCP 1433 joins application to data. One detail the exam answer skips is that the default NSG rules include AllowVnetInBound and AllowVnetOutBound at priority 65000, which permit all traffic tagged VirtualNetwork, so web-to-database traffic is not denied 'implicitly'; each NSG needs an explicit deny for the VirtualNetwork tag at a priority number below 65000 (say 4000), placed after the specific allows. Application Security Groups can stand in for subnet prefixes in those rules so they survive IP changes. This is native, carries no extra cost and is easy to audit, which makes it the efficient choice.

Exam trap

The trap here is that candidates pick Option D on the assumption that one NSG on one subnet can do the job. NSGs do apply to traffic between VMs in the same subnet (the VirtualNetwork default allow is what lets it through), so D fails for a different reason: with every tier sharing a subnet you lose the subnet as a boundary and must key every rule on individual IPs or ASGs, which is fragile and easy to get wrong.

How to eliminate wrong answers

Option B is wrong because Azure Firewall is a managed, stateful firewall as a service with its own cost and an extra hop of latency; it can enforce these rules, but it is more than the question's Layer 4 port restrictions need, and you would still need UDRs to steer inter-tier traffic to it. Option C is wrong because ASGs are only labels for NICs; they do nothing until an NSG rule references them as source or destination, so with no NSG there is no filtering. Option D is wrong because, although an NSG does filter traffic between VMs in the same subnet, a single shared subnet gives you no tier boundary: every rule must name individual IPs or ASGs, a VM placed in the wrong ASG silently gets the wrong access, and the design is harder to review than three subnets with three small NSGs.
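The default-rule detail above is the one most often missed, so here is an added example (not code from the page or from Microsoft) that models NSG inbound evaluation for the data-tier subnet: rules are tried in ascending priority order, the first match decides, and the platform's default rules sit at 65000 and above. The VNet 10.0.0.0/16 with web 10.0.1.0/24, application 10.0.2.0/24 and data 10.0.3.0/24 subnets is constructed for illustration, and only inbound rules on the destination subnet are modelled; outbound rules on the source subnet mirror them.

```python
"""Model of NSG inbound rule evaluation for the three-tier design.

Added example, not code from the page or from Microsoft. It implements the
documented evaluation order (lowest priority number first, first match wins,
default rules at 65000+) and a simplified reading of the service tags, for a
constructed VNet 10.0.0.0/16 with web 10.0.1.0/24, app 10.0.2.0/24 and
data 10.0.3.0/24 subnets.
"""
import ipaddress
from dataclasses import dataclass

VNET = ipaddress.ip_network("10.0.0.0/16")
WEB, APP, DATA = "10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"


@dataclass(frozen=True)
class Rule:
    priority: int
    access: str       # "Allow" or "Deny"
    source: str       # CIDR or a service tag
    port: str         # destination port or "*"
    name: str = ""


def _source_matches(source, ip):
    """Resolve a source CIDR or service tag against an IP (tags simplified)."""
    if source == "*":
        return True
    if source == "VirtualNetwork":       # VNet space; Azure also includes peered and on-prem ranges
        return ip in VNET
    if source == "Internet":             # anything outside the VNet, for this model
        return ip not in VNET
    if source == "AzureLoadBalancer":    # the platform health-probe address
        return ip == ipaddress.ip_address("168.63.129.16")
    return ip in ipaddress.ip_network(source)


# Azure's default inbound rules; AllowVnetInBound is what lets every tier talk to every tier.
DEFAULT_INBOUND = [
    Rule(65000, "Allow", "VirtualNetwork", "*", "AllowVnetInBound"),
    Rule(65001, "Allow", "AzureLoadBalancer", "*", "AllowAzureLoadBalancerInBound"),
    Rule(65500, "Deny", "*", "*", "DenyAllInBound"),
]


def evaluate(rules, src_ip, dst_port):
    """Return (access, rule name) for the first matching rule in priority order."""
    ip = ipaddress.ip_address(src_ip)
    for r in sorted(list(rules) + DEFAULT_INBOUND, key=lambda r: r.priority):
        if _source_matches(r.source, ip) and r.port in ("*", str(dst_port)):
            return r.access, r.name
    return "Deny", "implicit"   # unreachable while DenyAllInBound is present


# NSG on the data subnet as the exam answer describes it: only the allow.
DATA_NSG_NAIVE = [Rule(100, "Allow", APP, "1433", "AllowAppSql")]

# Corrected: the same allow plus an explicit VNet deny ahead of the default allow.
DATA_NSG = DATA_NSG_NAIVE + [Rule(4000, "Deny", "VirtualNetwork", "*", "DenyVnetInBound")]


if __name__ == "__main__":
    print("web -> sql, naive:    ", evaluate(DATA_NSG_NAIVE, "10.0.1.10", 1433))  # allowed by AllowVnetInBound
    print("web -> sql, corrected:", evaluate(DATA_NSG, "10.0.1.10", 1433))        # DenyVnetInBound
    print("app -> sql, corrected:", evaluate(DATA_NSG, "10.0.2.10", 1433))        # AllowAppSql
```

The first line is the failure the exam answer would ship: with only the allow rule in place, a web server reaches SQL on 1433 because the default VirtualNetwork rule lets it. The explicit deny at priority 4000 closes that while the more specific allow at 100 still admits the application tier.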

32
MCQeasy

Refer to the exhibit. You are reviewing an Azure Policy definition that will be assigned to a subscription containing production virtual machines. The policy is intended to enforce security best practices for disk encryption. What is the effect of this policy?

A.The policy denies deployment of virtual machines using Standard_LRS or StandardSSD_LRS managed disks.
B.The policy modifies existing virtual machines to change their disk type to Premium_LRS.
C.The policy allows deployment of virtual machines only if they use Standard_LRS or StandardSSD_LRS disks.
D.The policy audits virtual machines to ensure they have Azure Disk Encryption enabled.
AnswerA

The policy uses the 'deny' effect to block VMs with those disk types.

Why this answer

The policy uses the 'deny' effect with a condition that tests whether the Microsoft.Compute/disks/sku.name property is not equal to 'Premium_LRS'. Any create or update request for a managed disk that would use Standard_LRS or StandardSSD_LRS is rejected, which blocks VM deployments that rely on those SKUs; disks that already exist are only shown as non-compliant, since deny never changes existing resources. Note that the SKU has nothing to do with encryption: every managed disk is encrypted at rest with server-side encryption regardless of SKU, so despite its stated intent this policy enforces a performance and redundancy tier, not an encryption control. A policy that actually enforced Azure Disk Encryption or customer-managed keys would test the disk's encryption settings instead.

Exam trap

Microsoft often tests the distinction between 'deny', 'audit', and 'modify' effects, and the trap here is assuming that a policy that checks disk SKU is related to encryption (ADE) rather than disk performance or redundancy, leading candidates to select the audit option D.

How to eliminate wrong answers

Option B is wrong because the policy uses the 'deny' effect, not 'modify' or 'deployIfNotExists', so it cannot change existing disks; it only blocks new deployments that don't meet the condition. Option C is wrong because the condition denies disks that are not Premium_LRS, so it does not allow Standard_LRS or StandardSSD_LRS disks; it explicitly blocks them. Option D is wrong because the policy checks the disk SKU type, not Azure Disk Encryption (ADE) enablement; auditing for ADE would require a different policy definition with a condition on encryption settings.
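Questions 24 and 32 both turn on how a policy rule's 'if' block and effect combine, so here is one added example serving both (not code from the page or from Microsoft): a minimal evaluator for the policy shape the explanations describe, a notEquals test on Microsoft.Compute/disks/sku.name against 'Premium_LRS', run with a 'deny' and with an 'audit' effect. It supports only field/equals/notEquals/in conditions and the allOf/anyOf/not combinators; the existence-based effects (auditIfNotExists, deployIfNotExists) and the rest of the real operator set are not modelled, and the resources are constructed dictionaries with aliases flattened to keys.

```python
"""Minimal evaluator for the Azure Policy rule shape used in these questions.

Added example, not code from the page or from Microsoft. The definitions are
constructed to match the exhibits as the explanations describe them; the
evaluator handles only field/equals/notEquals/in conditions, allOf/anyOf/not,
and the 'deny' and 'audit' effects. auditIfNotExists/deployIfNotExists and
the remaining operators of real Azure Policy are not modelled.
"""


def evaluate_condition(cond, resource):
    """Evaluate one policy condition against a flattened resource dict."""
    if "allOf" in cond:
        return all(evaluate_condition(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate_condition(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not evaluate_condition(cond["not"], resource)
    value = resource.get(cond["field"])      # None when the alias is absent on this resource
    if "equals" in cond:
        return value == cond["equals"]
    if "notEquals" in cond:
        return value != cond["notEquals"]    # an absent field is 'not equal' to anything
    if "in" in cond:
        return value in cond["in"]
    raise ValueError(f"unsupported condition: {cond}")


def evaluate_policy(policy, resource):
    """Return (effect, matched) for one resource.

    The effect applies when the 'if' block is true: 'deny' fails the request,
    'audit' records non-compliance and lets the request through.
    """
    rule = policy["policyRule"]
    if not evaluate_condition(rule["if"], resource):
        return "none", False
    return rule["then"]["effect"].lower(), True


def disk_sku_policy(effect):
    """Policy as the exhibits describe it, guarded by a resource type check."""
    return {
        "policyRule": {
            "if": {"allOf": [
                {"field": "type", "equals": "Microsoft.Compute/disks"},
                {"field": "Microsoft.Compute/disks/sku.name", "notEquals": "Premium_LRS"},
            ]},
            "then": {"effect": effect},
        },
    }


# Constructed resources as the evaluator sees them (aliases flattened to keys).
STANDARD_DISK = {"type": "Microsoft.Compute/disks", "Microsoft.Compute/disks/sku.name": "Standard_LRS"}
PREMIUM_DISK = {"type": "Microsoft.Compute/disks", "Microsoft.Compute/disks/sku.name": "Premium_LRS"}
VM = {"type": "Microsoft.Compute/virtualMachines"}   # has no disk sku field at all


if __name__ == "__main__":
    print(evaluate_policy(disk_sku_policy("Deny"), STANDARD_DISK))    # ('deny', True)   question 32
    print(evaluate_policy(disk_sku_policy("Audit"), STANDARD_DISK))   # ('audit', True)  question 24
    print(evaluate_policy(disk_sku_policy("Deny"), PREMIUM_DISK))     # ('none', False)
    print(evaluate_policy(disk_sku_policy("Deny"), VM))               # ('none', False)
```

The type guard is not decoration: in this evaluator, as in a real definition, a notEquals test on a field the resource does not have evaluates to true, so a rule consisting of the SKU test alone would deny every resource type in scope. That is why the disk condition is paired with a type condition, and why a policy should be assigned to a test scope in audit mode before it is switched to deny.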
