50 Microsoft Certified: Azure Network Engineer Associate Practice Questions: Question Bank 2025

You have an Azure virtual network (VNet) with two subnets: Web and App. You need to ensure that only HTTPS traffic from the Internet can reach the Web subnet and that the App subnet cannot be reached directly from the Internet. Which solution should you use?

You are connecting an on-premises network to an Azure VNet using a site-to-site VPN. You need to use Border Gateway Protocol (BGP) to exchange routes dynamically. Which two Azure resources must be configured to support BGP on the Azure side?

You need to provide private connectivity from an Azure VNet to an Azure Storage account so that traffic does not traverse the public internet. You also want the Storage account to remain accessible from on-premises over an ExpressRoute circuit with private peering. Which solution should you use?

A VNet contains a subnet named Backend. You need to deploy an Azure Bastion host to provide secure RDP/SSH to VMs. What is a requirement for the subnet that hosts Azure Bastion?

You have a hub-and-spoke topology. A network virtual appliance (NVA) in the hub must inspect all traffic between two spoke VNets. The spokes are peered to the hub VNet. What should you configure to ensure spoke-to-spoke traffic is forced through the NVA?

Your organization requires that all outbound internet traffic from a subnet uses a single static public IP address. Virtual machines in the subnet must not have public IPs. Which solution meets the requirement?

You deployed a private endpoint for an Azure SQL Database. From a VM in the same VNet, connections to the database FQDN resolve to a public IP and fail because public network access is disabled. What is the most likely cause?

You have an ExpressRoute circuit connected to a hub VNet. Spoke VNets are peered to the hub. On-premises networks must reach resources in the spokes over ExpressRoute. The design must minimize manual route management. What should you implement?

You need to publish an internal HTTP application running on VMs in a spoke VNet to users on the internet. Requirements: terminate TLS at the edge, protect against OWASP threats, and keep the application private (no public IPs on the VMs). Which solution should you choose?

Your company uses a third-party virtual appliance in an Azure VNet to route traffic between subnets. You add a user-defined route in SubnetA pointing 0.0.0.0/0 to the appliance (virtual appliance next hop). After the change, VMs in SubnetA lose outbound connectivity. The appliance VM has a single NIC and IP forwarding is not enabled. What should you do to restore connectivity while keeping the forced tunneling design?

You need to allow outbound internet access from VMs in a subnet, but you must use a single, predictable public IP address and avoid inbound exposure. What should you deploy?

You have a hub-and-spoke topology. A spoke VNet peering is configured with "Use remote gateways" enabled, and the hub peering is configured with "Allow gateway transit" enabled. Spoke-to-on-premises connectivity via the hub VPN gateway still fails. What is the MOST likely missing requirement?

You want to enforce that all outbound internet traffic from multiple spoke VNets is inspected by a hub Azure Firewall. What is the recommended way to configure the spokes?

A security team wants to detect and block outbound connections to malicious domains from Azure VMs without installing agents on the VMs. Which Azure service best meets this requirement?

You need private connectivity from a VNet to an Azure Storage account so that traffic stays on the Microsoft backbone and the storage account can block public network access. Which feature should you use?

You deploy an Azure Private Endpoint for an Azure SQL Database. Clients in the VNet still resolve the SQL server name to a public IP address. What should you configure to ensure correct name resolution?

You need to provide private access from on-premises networks to Azure PaaS services over ExpressRoute. You must ensure the service is reachable via a private IP and does not traverse the public internet. What should you deploy?

You have an existing site-to-site VPN with BGP between on-premises and Azure. After adding a second on-premises VPN device for redundancy, routes flap and connectivity is intermittent. You notice both devices are configured with the same BGP peer IP address. What should you change to stabilize routing?

You must publish an internal web application to users on the internet. Requirements: protect against OWASP threats, provide SSL termination, and ensure the app servers remain private (no public IPs). What is the best Azure solution?

A company uses Azure Virtual WAN with a secured virtual hub (Azure Firewall managed by vWAN). They need to send traffic from Spoke VNet A to Spoke VNet B through the secured hub firewall for inspection. Connectivity works, but inspection is not happening. What configuration is MOST likely missing?

You need to ensure that a virtual machine in Azure can reach the internet, but inbound connections from the internet must be blocked. You want to implement this with minimal configuration. What should you use?

You deploy an Azure Load Balancer (Standard) for a pair of VMs. Health probes show both backends as down even though the applications are running. The VMs are in the same subnet and no custom routes exist. What is the most likely cause?

You need private connectivity from a VNet to Azure Storage without exposing the storage account to the public internet. You also want name resolution to return a private IP for the storage endpoint from on-premises via VPN. What should you implement?

You have VNet A and VNet B peered. A user-defined route (0.0.0.0/0) in VNet A points to a Network Virtual Appliance (NVA). You want traffic from VNet B to the internet to also use the NVA in VNet A. What must you configure on the peering settings?

You manage multiple subscriptions and want to centrally troubleshoot connectivity issues between VNets, VPN gateways, and ExpressRoute circuits. You need a single view of topology and the ability to run connection troubleshoot. What should you use?

You need to design DNS resolution so that VMs in an Azure VNet can resolve records in an on-premises DNS zone, and on-premises clients can resolve records in an Azure private DNS zone used by Private Endpoints. Connectivity is via ExpressRoute. What is the recommended approach?

You have a hub-and-spoke topology. You deploy Azure Firewall in the hub and want all spoke subnets to send 0.0.0.0/0 traffic to the firewall. Some spokes have their own VPN gateways and must continue to send traffic to on-premises via their local gateway for specific on-prem prefixes. What is the best solution?

A company uses Private Endpoints for Azure SQL Database. Developers report that from on-premises, the SQL server name resolves to the public IP instead of the private IP. From Azure VMs in the VNet, it resolves correctly to the private IP. Connectivity between on-premises and Azure is via VPN. What is the most likely fix?

You deploy two active-active NVAs in a subnet behind an internal Standard Load Balancer for east-west traffic inspection. Some return traffic bypasses the NVAs, causing asymmetric routing and dropped sessions. What is the best Azure feature to enable on the NVA NICs to preserve symmetric flows through the same instance?

Your security team requires that only approved fully qualified domain names (FQDNs) can be accessed from multiple VNets, and all outbound traffic must be logged centrally. The solution must support non-HTTP(S) traffic where possible and integrate with threat intelligence. What should you deploy?

You need to restrict administrative access to Azure virtual machines so that management traffic stays on Azure’s backbone network and does not traverse the public internet. Which solution should you use?

You deploy an Azure Firewall and configure multiple network rules. You want to log all firewall events to query them with Kusto Query Language (KQL) and create alert rules. Which destination should you configure for diagnostic settings?

You create a private endpoint for an Azure Storage account. A VM in the same virtual network can resolve the Storage account name to the private IP address and access it. A VM in a peered virtual network resolves the name to the public IP address. What should you do?

A virtual network has multiple subnets. You must ensure that outbound internet traffic from workloads in one specific subnet always uses the same set of public IP addresses. Which solution should you implement?

You have a hub-and-spoke topology. The hub contains an NVA that should inspect all traffic between two spoke VNets. VNet peering is already configured. What should you configure to ensure traffic between spokes is forced through the NVA?

You need to provide private connectivity from an on-premises network to Azure PaaS services using private endpoints. On-premises DNS servers must resolve the Azure service FQDNs to private IP addresses. Which approach should you implement?

Your organization uses a secured virtual hub (Azure Virtual WAN) with an Azure Firewall in the hub. You need to ensure branch-to-branch (site-to-site VPN to site-to-site VPN) traffic is inspected by the firewall. Which feature should you configure?

You have an Azure Application Gateway v2 deployed in a subnet. You also deploy an Azure Firewall in a different subnet. You want to force all outbound traffic from the Application Gateway subnet to the internet through the firewall. What should you configure?

You deploy two virtual network gateways for active-active VPN from Azure to a single on-premises VPN device. After configuration, only one tunnel passes traffic reliably. You want both tunnels to be used concurrently for higher throughput. Which requirement is most likely missing on the on-premises side?

You have an Azure Storage account accessed through a private endpoint. You must ensure that data exfiltration to other Storage accounts (including in other tenants) is blocked, while allowing access to this specific Storage account from selected VNets. Which capability should you use?

You have a virtual network with multiple subnets. You must ensure that a VM in SubnetA can initiate RDP connections to a VM in SubnetB, but SubnetB must not initiate RDP connections to SubnetA. Which Azure feature should you use?

You need to privately access an Azure Storage account from a virtual network without using public IPs. DNS must resolve the storage account name to a private IP inside the VNet. What should you deploy?

You have two virtual networks in the same region. You need to enable communication between them over the Microsoft backbone with the lowest latency and without encryption overhead. What should you use?

You have a hub-and-spoke topology. The hub VNet contains Azure Firewall. Spoke VNets are peered to the hub. You must ensure all internet-bound traffic from the spokes is inspected by Azure Firewall. What should you configure on each spoke subnet?

You deploy an Azure Standard Load Balancer with a backend pool of two VMs. Clients can reach the load balancer frontend IP, but connections frequently fail. You suspect health probes are not succeeding. Which configuration issue is most likely causing the backend to be marked unhealthy?

Your organization uses Azure Private DNS zones for multiple Private Endpoints. You create a new Private Endpoint for an Azure SQL server in VNet1, but VMs in VNet1 still resolve the SQL FQDN to a public IP. You confirm the Private Endpoint is approved. What is the most likely cause?

You have an ExpressRoute circuit connected to an on-premises network. You want to advertise an on-premises default route (0.0.0.0/0) to Azure so that Azure workloads can send all internet-bound traffic to on-premises (forced tunneling) over ExpressRoute. Which approach should you use?

You need to publish two HTTPS applications hosted on different backend pools in the same VNet. Both applications must share a single public IP address and be routed based on hostname (app1.contoso.com and app2.contoso.com). Which Azure service and feature should you use?

You have a hub VNet with an Azure VPN gateway and multiple spoke VNets peered to the hub. You require transitive routing so that spokes can reach an on-premises network through the hub gateway. Spokes must not become gateways. Which peering settings must you configure?

You deploy Azure Firewall in a hub VNet. You configure a route table on a spoke subnet with 0.0.0.0/0 next hop to the firewall private IP. Users report intermittent outbound connectivity failures to some internet sites. Azure Firewall metrics show SNAT port exhaustion during peak hours. What should you do to remediate with the least architectural change?