50 Microsoft Certified: Azure Network Engineer Associate Practice Questions: Question Bank 2025

You have a hub-and-spoke Azure virtual network topology. The hub contains an Azure Firewall. You need to ensure that all internet-bound traffic from spoke VNets is inspected by the firewall. What should you configure in each spoke VNet?

You need to allow inbound traffic from the internet to a web app hosted on multiple VMs in a single region. The solution must provide layer 7 (HTTP/HTTPS) routing and TLS termination. What should you use?

You have an Azure VPN gateway with a site-to-site VPN to your on-premises network. You need to advertise an additional on-premises subnet to Azure without changing Azure VNet address space. Which object should you update in Azure?

You need private connectivity from an Azure VNet to an Azure Storage account so that traffic does not traverse the public internet. You also want to restrict access to only that VNet. What should you configure?

You have two VNets peered across regions. VNet1 contains a VPN gateway that connects to on-premises. You need VMs in VNet2 to reach on-premises using the VPN gateway in VNet1. What should you configure?

You need to connect 20 branch offices to Azure using site-to-site VPN. Requirements: centralized management, automated deployment of new branch connections, and the ability to route between branches through Azure. What should you deploy?

A VM in SubnetA cannot reach a VM in SubnetB within the same VNet. Both subnets have NSGs. Effective security rules show an inbound deny on the destination VM for port 3389. You confirm that a custom allow rule exists but traffic is still denied. What is the most likely cause?

You are designing outbound connectivity for a subnet hosting containerized workloads. Requirements: predictable SNAT, high availability, and minimal management overhead. The workloads do not need inbound connections. What should you use?

You have an Azure ExpressRoute circuit with private peering. You need to provide connectivity from on-premises to Microsoft 365 services using the same circuit. What should you configure?

You deploy Azure Firewall in a hub VNet. Spoke VMs use a UDR to send 0.0.0.0/0 to the firewall. Spoke VMs can access the internet, but return traffic from the internet is intermittently dropped. You suspect asymmetric routing due to multiple egress paths. What is the best solution?

You manage a hub-and-spoke virtual network topology. Multiple spokes must resolve names for private endpoints in the hub. You want a managed solution with automatic registration for Azure VMs and minimal custom DNS infrastructure. What should you deploy?

You have an Azure VPN Gateway connected to an on-premises VPN device. Users report intermittent drops during business hours. You need to identify whether the issue is on the Azure side or the on-premises side using built-in tooling. What should you use first?

A workload in a subnet must only be reachable from a specific set of public IP addresses on the internet. You want to enforce this at the subnet boundary using a native, simple control. What should you configure?

You need to connect three on-premises branch sites to Azure. Each branch requires private connectivity and the ability to communicate with the other branches through Azure. You want to minimize configuration on branch devices and centrally manage routing. Which design is most appropriate?

You have two VNets (VNetA and VNetB) peered together. A network virtual appliance (NVA) in VNetA must inspect traffic originating from VNetB destined to the internet. You created a route table in VNetB that sends 0.0.0.0/0 to the NVA in VNetA, but traffic still exits directly to the internet. What is the most likely missing configuration?

A web application is deployed across two Azure regions. You need global HTTP(S) load balancing with SSL offload at the edge, path-based routing, and automatic failover to the healthy region. Which service should you use?

Your organization uses a central Azure Firewall in a hub VNet. All spoke VNets must send internet-bound traffic through the firewall. You also need to ensure that traffic between spokes (east-west) is inspected by the firewall. What should you implement?

You need to validate that a VM in Subnet1 can reach a private endpoint in Subnet2 on TCP 443. The path includes an NSG on each subnet. You want to quickly determine which NSG rule is allowing or denying the traffic. Which Network Watcher capability should you use?

You have an on-premises network connected to Azure using ExpressRoute. You also have an Azure VPN Gateway configured as a backup path. You must ensure that when ExpressRoute is available it is preferred, but VPN automatically takes over during an ExpressRoute outage, without manual route changes. What should you configure?

You are designing connectivity for a regulated environment. Requirements: (1) Private connectivity from on-premises to Azure, (2) Traffic must stay on the Microsoft backbone as much as possible, (3) Azure PaaS services must be reachable privately without exposing public endpoints. Which combination best meets the requirements?

You have an Azure VPN gateway configured as route-based. You need to connect to a third-party VPN device that supports only policy-based VPNs. What should you use to meet the requirement with the least operational complexity?

You need to ensure that only specific subnets in a spoke VNet can send traffic to the internet through a central Azure Firewall in the hub VNet. Other subnets in the same spoke must continue to use Azure's default internet egress. Which design should you implement?

Your company uses ExpressRoute with private peering to reach Azure VNets. You need to design connectivity so that on-premises routes are dynamically advertised to Azure, and Azure VNet prefixes are dynamically advertised to on-premises. What should you configure?

You have an internal Standard Load Balancer with two backend VMs. Health probes show both instances healthy, but clients in the same VNet intermittently fail to connect to the frontend IP on TCP 443. You discover the VMs are configured with Windows Firewall rules allowing 443 only from the client subnet, not from the Azure Load Balancer. What is the most likely cause?

You have a hub-and-spoke topology using Azure Virtual WAN. A spoke VNet must communicate with another spoke VNet through the vHub, but traffic is not flowing. You confirm both VNets are connected to the same vHub. What is the most common configuration required to enable spoke-to-spoke connectivity?

You need to provide name resolution for VMs in multiple VNets and from on-premises over a site-to-site VPN. The solution must support split-brain DNS for the same zone name (public vs internal) and avoid deploying and managing DNS servers on VMs. What should you use?

A security team requires inspection of all outbound HTTP/HTTPS traffic from a set of subnets, including logging of FQDNs and URL categories, and the ability to allow/deny by FQDN. Which Azure service best meets these requirements?

You need to quickly verify whether a VM’s effective routes include a user-defined route that forces traffic to an NVA. Which Azure tool should you use?

You are designing inbound traffic for a globally distributed web application. Requirements: terminate TLS close to users, provide WAF protection, and route requests to the closest healthy regional backend with automatic failover. Which solution best meets the requirements?

You have an Azure Firewall in a hub VNet. Spoke VNets use UDRs to send 0.0.0.0/0 to the firewall. After deployment, some spokes lose access to Microsoft Storage accounts that have public endpoints. You must restore access without allowing general internet breakout bypassing the firewall. What is the best solution?

You deploy an Azure VPN gateway (route-based) and establish a site-to-site IPsec connection to an on-premises network. The tunnel shows Connected, but a VM in the VNet cannot reach an on-premises server. You confirm the on-premises firewall allows the traffic. What is the most likely Azure-side configuration issue?

You need to enforce that all outbound internet traffic from a subnet is inspected by a third-party virtual appliance (NVA) in a hub VNet. What is the recommended Azure feature to control the next hop for outbound traffic from that subnet?

You are configuring private access to an Azure Storage account from a VNet. The security team requires that the Storage account is not reachable over the public internet, and access must be limited to specific VNets. Which solution meets the requirement?

You need to troubleshoot why a VM cannot reach a private endpoint in the same VNet. Which Azure tool helps you verify the effective routes for the VM’s NIC and determine the next hop?

You have a hub-and-spoke topology. Spoke VNets are peered to the hub VNet. You must ensure that spokes can route traffic to each other through an NVA in the hub, and you want to prevent direct spoke-to-spoke routing over peering. What should you configure?

You deploy Azure Firewall in a hub VNet and configure a UDR (0.0.0.0/0) from a spoke subnet to the firewall. Outbound internet access works, but inbound replies to a published service behind a Standard Load Balancer fail intermittently. You suspect asymmetric routing. What is the most appropriate Azure design change to help prevent asymmetric routing for workloads that require inbound and outbound through the firewall?

Your organization uses ExpressRoute with private peering. They also require Microsoft 365 traffic to take the shortest path to Microsoft’s network instead of hairpinning through on-premises. Which ExpressRoute feature should you implement?

You need name resolution for private endpoints across multiple VNets. You create a private DNS zone for privatelink.blob.core.windows.net and link it to VNet-A. VMs in VNet-B (peered to VNet-A) cannot resolve the private endpoint name to the private IP. What should you do?

You manage an NVA cluster that performs packet inspection for multiple VNets. You require automatic failover and the ability for routes to dynamically point to the active NVA instance without manually updating UDRs during failover. Which design best meets the requirement?

You have an ExpressRoute circuit connected to a hub VNet (Hub-VNet) that is peered with multiple spokes. You must ensure spoke VNets can reach on-premises networks over ExpressRoute, but you must prevent spokes from advertising their VNet prefixes back to on-premises. What should you implement?

You have a hub-and-spoke topology. You need to ensure all inbound internet traffic to workloads in multiple spoke VNets is inspected by a centralized Azure Firewall in the hub. The workloads should not have public IPs. What should you deploy in each spoke?

You create a virtual network gateway (VPN) in Azure and a site-to-site VPN to an on-premises device. The VPN connects successfully, but you cannot reach any Azure VMs from on-premises. The VMs are in a subnet that has a custom route table assigned. What is the MOST likely cause?

You need to provide name resolution for an on-premises DNS zone from Azure VNets without deploying DNS servers in Azure. You also need Azure resources to resolve private DNS zones that contain private endpoints. What should you use?

You have an Azure Application Gateway (WAF v2) in a subnet. Clients report intermittent 502 errors after you moved a backend pool from a single VM to a VM scale set behind an internal load balancer. Health probes show 'Unhealthy'. Which change is MOST likely to fix the issue?

You need to ensure that only Azure services (like Storage and Key Vault) can be reached from a subnet, and all other internet destinations are blocked. You must not use a firewall appliance. What should you configure?

You are designing connectivity for two Azure regions. You need private, high-throughput, low-latency connectivity between VNets in different regions using the Microsoft backbone. Which solution should you use?

You have two ExpressRoute circuits from different providers terminating in the same Azure region. You need to improve resiliency for connectivity to multiple VNets and reduce dependency on a single circuit. What should you implement?

A VM in a spoke VNet cannot reach a private endpoint in another spoke VNet. Both spokes are peered to a hub VNet. NSGs allow the traffic. You suspect a routing issue. What is the BEST next step to validate the effective routes for the VM's NIC?

You use Azure Firewall in a hub VNet and force-tunnel all internet-bound traffic from multiple spokes to the firewall. During peak load, some outbound connections from a spoke intermittently fail, and diagnostics indicate SNAT port exhaustion. What is the BEST mitigation?

You need to distribute user traffic across multiple Azure regions based on the lowest network latency, and you must support both HTTP(S) and non-HTTP TCP workloads. Which service should you use?