Microsoft Certified: Azure Network Engineer Associate Practice Exam 2025: Latest Questions

You create two subnets (SubnetA and SubnetB) in the same Azure virtual network. A VM in SubnetA cannot reach a VM in SubnetB. Both VMs are running and have no custom route tables associated. What is the MOST likely cause?

You have an Azure VM that must have a stable public IPv4 address because it is allowlisted by a partner. Which configuration meets the requirement?

You need to provide outbound internet connectivity for all VMs in a subnet without using individual public IPs. The solution must use a fixed set of public IP addresses for egress. What should you deploy?

You need private connectivity from an on-premises network to Azure PaaS services using RFC1918 addresses without exposing the services to the public internet. Which feature should you use?

You have a hub-and-spoke topology. A spoke VNet uses a custom route table with a 0.0.0.0/0 route to a network virtual appliance (NVA) in the hub (next hop: Virtual appliance). After applying the route, VMs in the spoke lose connectivity to a Storage account that uses a private endpoint in the spoke. What is the MOST likely cause and fix?

Your company peers VNetA to VNetB. VMs in VNetA cannot reach VMs in VNetB using the remote VNet address space. DNS is working and NSGs allow traffic. You verify the peering exists in both directions. What setting is MOST likely missing?

You deploy Azure Firewall in a hub VNet. Spoke subnets have a default route (0.0.0.0/0) to the Azure Firewall private IP. Some internet-bound connections fail intermittently, especially for protocols with many concurrent sessions. What configuration should you implement to improve outbound scalability and reduce SNAT port exhaustion?

You need to ensure that only traffic from specific source subnets can access a VM on TCP 443. You also need to log allowed and denied flows for auditing. What is the BEST solution?

You have on-premises DNS servers and a hub-and-spoke topology. Multiple spokes use private endpoints for Azure SQL Database. From on-premises, clients resolve the SQL server name to the public IP instead of the private endpoint IP. You want name resolution to return the private endpoint IP from on-premises while keeping centralized DNS management. What should you implement?

You have two ExpressRoute circuits from different providers. You connect them to the same ExpressRoute gateway in a hub VNet. The requirement is to prefer Circuit1 for all on-premises to Azure traffic and fail over to Circuit2 automatically if Circuit1 is unavailable. No manual route changes are allowed during failover. What should you configure?

You deploy an Azure VPN gateway (route-based) to connect an on-premises site to an Azure VNet. The IPsec tunnel comes up, but on-premises hosts cannot reach Azure VMs. Azure VMs also cannot reach on-premises. You verify that NSGs allow the traffic. What is the MOST likely missing configuration on the Azure side?

You have two subnets in the same VNet: SubnetA and SubnetB. You need to restrict access to a VM in SubnetA so that only RDP traffic from SubnetB is allowed. What should you use?

You need to allow traffic from an Azure virtual machine to reach Azure Storage accounts without traversing the public internet. You do not need private IPs for the Storage accounts, but you want the shortest path within Azure. What should you configure?

A hub VNet contains an Azure Firewall. Two spoke VNets are peered with the hub. You configure UDRs in each spoke to send 0.0.0.0/0 to the Azure Firewall in the hub. SpokeA cannot reach the internet, but SpokeB can. Both VNets are in the same region, and the firewall rules are identical for both spokes. What is the MOST likely cause?

You deploy an internal Standard Load Balancer with two backend VMs. A client VM in a different subnet of the same VNet cannot reach the load balancer frontend IP on TCP 443. Health probes show the backend is healthy. NSGs allow the traffic. What is the BEST next troubleshooting step?

You have an Azure Virtual WAN hub with a VPN site connection to on-premises. You need to advertise a set of custom routes from the Virtual WAN hub to the on-premises VPN device. What should you configure in Virtual WAN?

A company uses Azure Private Endpoints for Azure SQL Database. Clients in a VNet intermittently resolve the SQL server name to the public IP instead of the private endpoint IP. The private endpoint exists and is approved. What is the MOST likely cause?

You need to monitor and alert on malicious outbound traffic patterns from workloads in a VNet. You want a managed solution that provides centralized policy, application/network rules, threat intelligence-based filtering, and logging to a SIEM. What should you deploy?

You must connect two on-premises datacenters to Azure using ExpressRoute. The datacenters require automatic failover between two circuits and dynamic route exchange. You also need to ensure Azure advertises Azure and VNet prefixes to on-premises reliably. What configuration BEST meets the requirement?

You have a hub-and-spoke topology. All internet-bound traffic from spokes must be inspected by an NVA in the hub. You also must prevent spokes from communicating directly with each other, while still allowing each spoke to reach shared services in the hub. What is the BEST design approach?

You are configuring a site-to-site VPN connection from an on-premises router to an Azure VPN gateway. The on-premises firewall team requires that all IPSec/IKE traffic use a single public IP on the Azure side, and they want to minimize required inbound ports. Which Azure VPN gateway configuration best meets this requirement?

You deploy an Azure Standard Load Balancer with two backend VMs. The health probe is configured for TCP port 443, but the application listens on port 8443. Users report intermittent failures, and the backend pool shows one VM as unhealthy. What is the most likely cause?

Your company uses Azure Private DNS zones for name resolution of private endpoints. A new team creates a private endpoint for an Azure Storage account, but VMs in the same virtual network cannot resolve the storage account name to the private IP address. The private endpoint is approved and shows as connected. What should you verify first?

You have a hub-and-spoke topology. A network virtual appliance (NVA) in the hub must inspect all outbound Internet traffic from spoke VNets. You implement UDRs in each spoke to send 0.0.0.0/0 to the NVA. However, Internet-bound traffic from spoke VMs still goes directly to the Internet. Which configuration is required to ensure forced tunneling through the hub NVA?

You deploy an Azure Firewall in a secured hub. A spoke subnet has a UDR sending 0.0.0.0/0 to the Azure Firewall. VM users can reach the Internet, but outbound traffic is not being logged in Azure Firewall logs. The firewall policy has a rule allowing the traffic. What is the most likely reason?