Microsoft Certified: Azure Network Engineer Associate Practice Exam 2025: Latest Questions

You have a virtual network (VNet) with three subnets: Web, App, and Data. You must ensure that only the Web subnet can access the App subnet on TCP 443. No other subnet-to-subnet traffic should be allowed to the App subnet. What should you implement?

You need name resolution between an on-premises DNS namespace (corp.contoso.com) and Azure VMs in a VNet. The VNets are connected to on-premises using a site-to-site VPN. You want Azure VMs to resolve on-premises records without deploying DNS servers in Azure. What should you use?

You deploy Azure Firewall in a hub VNet. Spoke VNets are peered to the hub. You want to force all outbound internet traffic from the spokes through the firewall. What is the MOST appropriate configuration?

Two VNets are globally peered. VM1 in VNet1 can reach VM2 in VNet2 by IP address, but name resolution for VM2 fails from VM1. Both VNets use Azure-provided DNS. What is the most likely cause?

You have an on-premises network connected to Azure via ExpressRoute. You need to provide private access from on-premises to Azure PaaS services such as Azure Storage and Azure SQL Database without traversing the public internet. What should you configure?

You deploy an internal Standard Load Balancer with two backend VMs in the same subnet. Clients in another subnet report intermittent failures. You confirm the VMs respond to direct traffic. Which configuration is REQUIRED to ensure the load balancer only sends traffic to healthy instances?

You are designing connectivity for a mission-critical workload that requires SLA-backed private connectivity from on-premises to Azure with predictable latency. You also want encrypted traffic over the provider network. Which solution best meets the requirements?

Your organization uses a hub-and-spoke topology. You need to allow spoke VNets to use a centralized VPN gateway in the hub VNet to reach on-premises. Which peering settings must be configured?

You have two NVA appliances in a hub VNet that should inspect traffic from multiple spokes. You must provide high availability so that if one NVA fails, traffic automatically uses the other without changing UDRs in spokes. Which design should you implement?

Users report they cannot connect from on-premises to a VM in Azure over a site-to-site VPN. The VPN connection status shows 'Connected'. You need to determine whether traffic is reaching the VM NIC and which NSG/route is affecting it. Which Azure tool provides the MOST direct, per-VM diagnostics for this scenario?

You have a hub-and-spoke topology. Spoke VNet A contains Azure Firewall in the hub, and Spoke VNet B hosts application subnets. You need to allow Spoke VNet B subnets to send all internet-bound traffic through the Azure Firewall with minimal administrative effort. What should you configure?

You need name resolution for Azure private endpoints from an on-premises DNS server. The on-premises DNS server must resolve records in privatelink zones without hosting those zones on-premises. What should you implement?

You have two VNets peered within the same region. Virtual machines in VNet1 cannot connect to a private endpoint in VNet2, but they can connect to other VMs in VNet2. DNS resolution from VNet1 returns a public IP for the service. What is the most likely fix?

You are deploying a highly available VPN connection from on-premises to Azure using an active-active Azure VPN gateway. On-premises uses BGP. You need the solution to survive an Azure zone failure with minimal disruption. What should you recommend?

You need to provide inbound HTTP/HTTPS access to multiple web apps hosted on separate VM scale sets in the same VNet. Requirements: path-based routing, end-to-end TLS, and Web Application Firewall (WAF) protection. Which Azure service should you use?

A virtual machine in SubnetA cannot reach a VM in SubnetB within the same VNet. NSGs appear correct. You need to identify whether a route table is overriding system routes. What is the best tool in Azure to verify the effective next hop for the traffic?

You are using Azure Virtual WAN with a secured virtual hub (Azure Firewall managed in the hub). A spoke VNet is connected to the hub. You need to ensure all traffic from the spoke to the internet is inspected by the hub firewall. Which configuration is required?

Your organization must prevent accidental exposure of virtual machines to the public internet. You need an Azure Policy that blocks creation of public IP addresses on NICs and load balancers in a subscription. What should you use?

You have an on-premises network connected to Azure via ExpressRoute. You also have a site-to-site VPN connection configured as a failover path. Requirement: ExpressRoute must be preferred when available, and VPN should only be used if ExpressRoute is down. What should you configure?

You are troubleshooting intermittent packet loss between two Azure VMs in different subnets. The VMs are behind an NVA that performs routing between subnets. You suspect asymmetric routing. You need to verify the actual route taken from each VM to the other and confirm whether traffic returns through the same NVA. Which approach is best?

You have a hub-and-spoke topology. The hub VNet contains an Azure Firewall and a VPN gateway. Spoke VNets are peered to the hub. You need to allow the on-premises network to reach resources in all spokes. The solution must be simple to manage and avoid adding UDRs in every spoke subnet. What should you do?

A VM in a subnet has a user-defined route (0.0.0.0/0) pointing to a virtual appliance. You suspect the VM is still sending internet-bound traffic directly to the internet. You need to verify which next hop Azure is selecting for a specific destination IP. What should you use?

You deploy an Azure Standard Load Balancer with a public frontend and a backend pool of VMs. Health probes are successful, but inbound connections from the internet intermittently fail. You must follow Azure best practices for Standard Load Balancer. Which configuration is required for inbound connectivity to work reliably?

You need to publish an internal HTTP/HTTPS application to users in multiple VNets. The application must be protected with WAF and must support end-to-end TLS encryption to the backend. The solution must be regional (not global). What should you deploy?

Your company uses Azure Virtual WAN with a secured virtual hub (Azure Firewall in the hub). You connect multiple branch sites using VPN and also peer several VNets to the virtual hub. You need to ensure all inter-VNet and branch-to-VNet traffic is inspected by the hub firewall without managing UDRs in each spoke VNet. What should you configure?