50 VMware Certified Advanced Professional - Network Virtualization Deploy Practice Questions: Question Bank 2025

An administrator is preparing an NSX-T design and wants to ensure management-plane services (such as API/UI access and policy configuration) remain available if a node fails. Which deployment approach best meets this requirement?

A team needs a Layer 3 gateway for multiple overlay segments and wants distributed routing for east-west traffic between those segments on ESXi hosts. Which component provides this function?

An organization wants to enforce zero-trust controls between workloads within the same segment, using rules based on workload identity rather than IP addresses. Which NSX-T feature best meets this requirement?

After deploying NSX-T, an administrator needs to confirm that an ESXi host is prepared for transport node operations and is successfully participating in the overlay. Where should the administrator verify this status first?

A company has a requirement to extend a VLAN-backed network to an overlay segment so that a set of legacy physical servers can communicate with NSX overlay workloads at Layer 2. Which NSX-T capability should be used?

A security team requests that only approved administrative sources can access NSX Manager and that the enforcement should occur as close to the NSX management interface as possible. Which approach is most appropriate?

An administrator creates a new overlay segment, but VMs connected to it cannot communicate across hosts. The physical network team confirms the underlay supports jumbo frames and that MTU is consistently set end-to-end. What is the MOST likely NSX-side cause?

A company needs to advertise only selected Tier-1 connected segment networks to the physical network while keeping other application segments internal. Which design best satisfies this requirement?

A customer requires stateful firewalling and NAT for north-south traffic with high availability. They deploy an Edge cluster but notice traffic is not using the Edge nodes for these services. Which configuration element is required to ensure services are hosted on Edge nodes?

Users report intermittent connectivity from overlay workloads to an external network. Pings succeed, but TCP sessions frequently reset. The administrator suspects asymmetric routing between the NSX Tier-0 and the upstream physical network. Which NSX-side configuration is MOST likely to resolve this while maintaining dynamic routing?

An administrator is preparing an NSX-T deployment and must decide where to place the NSX Edge nodes. The primary goal is to centralize North-South connectivity for multiple overlay segments and provide a single point for external routing. Which design best meets this requirement?

A network engineer must connect a new workload segment to the physical network using BGP. The requirement is to advertise multiple overlay subnets to upstream routers while keeping the configuration centralized. Which component should be configured to establish BGP sessions with the physical network?

A security team wants to restrict access to a set of web VMs so that only HTTPS is allowed from a specific group of application VMs. They want rules that follow workloads even if IP addresses change. Which approach is most appropriate?

After migrating a VLAN-backed segment to an overlay segment, VMs on the overlay can communicate with each other but cannot reach the external network. The Tier-1 Gateway is connected to a Tier-0 Gateway. Which missing item is the MOST likely cause?

A customer needs to provide Internet access for workloads while minimizing inbound exposure. The design calls for source NAT (SNAT) for outbound traffic and no inbound DNAT. Where should the NAT policy be configured for best practice in NSX-T?

An administrator is troubleshooting intermittent packet loss between two VMs on different overlay segments connected to the same Tier-1 Gateway. The issue appears only when the VMs are on different ESXi hosts. Which NSX-T data-plane mechanism is MOST relevant to investigate first?

A team wants to enforce application-level access to a set of internal web services (HTTP/HTTPS) without deploying third-party appliances. The requirement includes Layer 7 URL/path-based routing to different backend pools. Which NSX-T feature best fits this use case?

A vSphere cluster is prepared as a transport node profile is applied. Later, the administrator realizes the wrong uplink profile (MTU and teaming) was used for the hosts. What is the recommended way to correct the uplink profile while minimizing configuration drift?

A customer requires East-West firewall policy to be enforced even when a VM is moved to a different segment within the same application. They want a policy model based on workload identity (such as tags) and need to reduce the number of rules as the environment grows. Which approach should be used?

During a planned maintenance window, an Edge node hosting Tier-0 services is rebooted. After the reboot, some North-South traffic fails until manual intervention. The design goal is to maintain stateful services availability during Edge failures/restarts. What design change most directly addresses this requirement?

An administrator is preparing an NSX-T environment for a disaster recovery (DR) site. The DR requirement is to keep the same IP addressing for workloads after failover and minimize routing changes upstream. Which NSX-T feature best meets this requirement?

A team wants to enforce identical security policy across two vSphere clusters managed by the same NSX Manager. They also want rules to automatically apply to new VMs based on OS type. Which approach is most appropriate?

After deploying a new overlay segment, VMs on two different ESXi hosts cannot reach each other. The segment status shows "No Transport Nodes." What is the most likely cause?

An organization requires web tier VMs to allow inbound HTTPS from the internet, but the same web VMs must not initiate any outbound connections except to a specific internal logging service. Where should these controls be primarily enforced for best practice?

A customer needs to advertise only a subset of overlay segment routes to the physical network to limit route table growth, while still allowing full connectivity inside NSX. Which design is most appropriate?

An administrator deploys an NSX Edge Cluster for north-south traffic. The uplinks are connected to a physical leaf pair. Intermittently, BGP sessions flap, and packet captures show occasional asymmetric paths. Which configuration is most likely to stabilize routing and reduce asymmetry?

Security needs to allow only approved URL categories for outbound internet access from a set of VMs, while also scanning traffic for threats. Which NSX capability best addresses this requirement?

A workload connected to an overlay segment can ping its default gateway on a Tier-1, but cannot reach an external network through the Tier-0. Other workloads on different segments can reach the external network. Which is the most likely misconfiguration for this specific segment?

An administrator wants to verify why a Distributed Firewall rule is not matching traffic between two VMs. Which NSX-T tool is best suited to simulate the flow and show the rule hit/decision path without generating real traffic?

A customer must provide tenant isolation with overlapping IP addresses across multiple tenants, each with independent north-south connectivity and separate security policies. Which NSX-T design best supports this requirement?

An administrator needs to allow ICMP (ping) between two application tiers while keeping all other traffic blocked by default. Which NSX-T feature best matches this requirement with least operational overhead?

A host transport node has been added to a transport zone, but VMs connected to an overlay segment on that host cannot communicate with VMs on other hosts. The Geneve/VXLAN tunnel status is down. Which item should be verified first as a common prerequisite for overlay tunnels?

Which NSX-T component is responsible for maintaining the control-plane state and programming forwarding information to transport nodes?

A company needs to stretch a VLAN from the physical network into NSX-T so legacy workloads can be migrated without changing IP addresses. Which NSX-T capability is designed for this use case?

An administrator created an IP-based group for dynamic membership, but the Distributed Firewall rules using that group are not matching traffic as expected. The IP list includes addresses that are assigned to VMs via DHCP and can change. What is the best practice to ensure the group membership stays accurate?

A workload connected to a Tier-1 routed segment cannot reach external networks. Internal east-west connectivity within the same segment works. The Tier-1 is connected to a Tier-0. Which configuration issue is the MOST likely cause?

An administrator enables DHCP Service on a Tier-1 gateway and configures a DHCP profile. Clients on one segment receive leases, but clients on another segment connected to the same Tier-1 do not. Which setting is most commonly missing on the segment where leases fail?

After deploying an NSX Edge transport node, the administrator notices that one uplink shows as down and north-south traffic is intermittently failing. The physical switch ports are configured as an LACP LAG. What is the most appropriate action in NSX to align with the physical configuration?

A customer requires strict separation of duties: network admins manage gateway routing and north-south security, while app admins manage micro-segmentation policies for workloads. Which NSX-T approach best supports this requirement?

A multi-site environment uses NSX Federation. After a planned outage, one site becomes isolated from the Global Manager. Local workloads continue to run, but policy changes made at the Global Manager are not reflected at the isolated site. What is the expected behavior and best next step?

A team must allow traffic between an on-premises VLAN-backed network and a set of NSX overlay segments. They want to avoid routing changes on the physical network and prefer to extend L2 reachability for a subset of VLANs only. Which NSX component best meets this requirement?

An administrator needs to publish an internal web application through NSX Advanced Load Balancer (Avi). The application must remain reachable even if one service engine fails, and the team wants the simplest resilient design. Which approach is recommended?

During initial validation, an engineer wants to confirm that NSX transport node uplinks are correctly mapped to the intended physical NICs and that the team/pNIC status is up. Which is the most direct place to verify this in NSX Manager?

A customer requires east-west microsegmentation where policy follows a workload across vCenter clusters, and they want to avoid maintaining IP-based rules. Which NSX policy construct best satisfies this requirement?

After deploying a new overlay segment, VMs on different ESXi hosts cannot communicate. VMs on the same host can communicate. The fabric uses Geneve, and the overlay segment is attached to the correct Tier-1. Which issue most directly explains this symptom?

A security team wants to enforce that only approved subnets can initiate VPN connections into the environment. The solution must be applied at the NSX edge perimeter and should be centrally managed with other north-south controls. What is the best NSX feature to use?

A Tier-0 is configured for ECMP to two upstream routers. One upstream router is replaced and receives a new IP address. After the change, north-south traffic intermittently fails for some sessions. Which action is most appropriate to restore stable routing while maintaining ECMP?

An organization plans to deploy NSX Federation to provide consistent security policy across two sites. They want to ensure that a site outage does not prevent ongoing policy enforcement locally, and they accept that new policy changes may be delayed during an outage. Which statement best describes the expected behavior?

A multi-tenant environment uses multiple Tier-1 gateways connected to a shared Tier-0. The security team requires that each tenant's north-south traffic must be forced through a tenant-specific third-party firewall appliance, without allowing tenants to bypass inspection. Which design best meets this requirement in NSX?

After migrating a workload to a different cluster, the VM loses connectivity to overlay segments only; VLAN-backed segments remain reachable. The ESXi host shows as a transport node, but overlay tunnels are not established. Which is the most likely root cause?