Microsoft Certified: Azure Network Engineer Associate Advanced Practice Exam: Hard Questions 2025

You are designing a hub-and-spoke topology. The hub VNet contains an Azure Firewall and a VPN gateway. You must ensure: (1) all spoke-to-spoke and spoke-to-on-prem traffic is forced through Azure Firewall, (2) spokes remain independently manageable, and (3) the design scales to dozens of spokes without requiring UDR changes every time a spoke is added. What should you implement?

A workload in a spoke subnet intermittently loses connectivity to a private endpoint in another spoke. NSGs allow the traffic, and DNS resolution returns the correct private IP. Packet capture shows SYN packets leaving the source VM, but no response returns. The destination private endpoint is in a subnet that has a UDR sending 0.0.0.0/0 to an Azure Firewall in the hub. The hub firewall logs show no matching entries for the attempted connection. What is the most likely root cause?

Your company uses ExpressRoute with private peering to a hub VNet. Spokes are peered to the hub. You must ensure that all spokes can reach on-premises, but on-premises must NOT be able to initiate connections to any spoke except one shared-services spoke. You cannot use third-party NVAs. What is the best solution?

You operate two Azure regions (Region A and Region B) connected to on-premises using BGP over ExpressRoute. You deploy an Azure VPN gateway in Region B as an emergency failover path to on-premises. Requirement: in normal operation, spokes in Region B must prefer ExpressRoute; during ExpressRoute outage, traffic should automatically fail over to VPN without manual UDR edits. What should you configure?

A virtual appliance (NVA) in a hub VNet provides IDS/IPS. You insert it as the next hop for multiple spoke subnets using UDRs. After deployment, some spokes lose access to Azure Storage public endpoints, but access to on-premises still works. The NVA has a single NIC and is deployed in a subnet that does not have a default route. What is the most likely fix in Azure networking configuration (not on the NVA OS)?

You must route traffic from multiple spokes through Azure Firewall in the hub, but also allow a specific spoke subnet to reach Microsoft Entra ID endpoints directly for authentication even when a 0.0.0.0/0 UDR sends Internet-bound traffic to the firewall. You want the most maintainable solution and to avoid managing large IP allowlists. What should you do?

You suspect intermittent packet loss between two subnets in the same VNet. NSGs are configured with multiple rules, and you need to confirm which NSG rule is effectively allowing/denying a given 5-tuple flow. You also need a time-bound capture of connection attempts without deploying agents on VMs. What is the best approach?

A security team requires that outbound Internet access from a subnet is allowed only to a small set of destinations and that all other outbound traffic is denied by default. They also require TLS inspection for those destinations, but only for that subnet. The environment already uses Azure Firewall in the hub for general egress control. What is the best solution?

A PaaS application in a spoke VNet must access an Azure SQL Database using private connectivity. Requirement: exfiltration must be prevented so the app can reach only the specific SQL server privately; public network access to SQL must remain disabled. The security team also wants to ensure DNS cannot be manipulated by workload owners to bypass the private endpoint. What is the best design?

You deploy Azure Private Link for an Azure Storage account consumed by multiple VNets across subscriptions. After implementation, some clients still intermittently resolve the storage account FQDN to the public endpoint and fail because public network access is disabled. You discover that those VNets use custom DNS servers and conditional forwarders. What is the most reliable fix that preserves centralized DNS management?