Microsoft Certified: Azure Network Engineer Associate Intermediate Practice Exam: Medium Difficulty 2025

Your organization has deployed a hub-and-spoke network topology in Azure with three spoke VNets connected to a central hub VNet. The hub VNet contains an Azure Firewall. You need to ensure that all traffic between spoke VNets is inspected by the Azure Firewall, while maintaining connectivity to on-premises networks through an ExpressRoute circuit in the hub. What should you configure?

You are designing routing for an Azure environment where a Virtual Network Gateway (VPN) is deployed in a VNet. The on-premises network advertises 50 routes via BGP, and you have 15 custom routes configured in a route table associated with a subnet. The subnet hosts Azure Virtual Machines that need to communicate with both on-premises resources and Azure PaaS services. What is the order of route precedence that Azure will use when determining the path for outbound traffic from these VMs?

Your company requires that all Azure SQL Database instances be accessible only through private IP addresses from on-premises and Azure VNets, with no public internet access allowed. The databases are used by multiple applications across different VNets in the same region. You need to implement a solution that minimizes administrative overhead and network complexity. What should you implement?

You manage an Azure environment with multiple VNets across different regions. You need to implement a centralized solution to monitor and log all network traffic flowing through Azure Virtual Network Gateways and Azure Firewall instances. The solution must provide traffic analytics, threat detection capabilities, and long-term retention for compliance. Which combination of Azure services should you implement?

Your organization has an Azure VNet with an address space of 10.0.0.0/16. You are deploying Azure Bastion to provide secure RDP and SSH access to VMs without exposing them to the public internet. The VNet already has several subnets in use. What subnet configuration is required for Azure Bastion?

You are implementing Azure Route Server in a hub VNet to enable dynamic routing between Network Virtual Appliances (NVAs) and Azure Virtual Network Gateways. The NVAs are deployed in an active-active configuration for high availability. What configuration steps are required to establish BGP peering between Azure Route Server and the NVAs?

Your company operates a production environment in Azure with strict compliance requirements. You need to implement a solution that prevents data exfiltration by ensuring that Azure Storage accounts can only be accessed from specific approved Azure VNets and deny all other access, including access from other Azure services. The solution must also allow Azure Backup service to back up VMs to a Recovery Services Vault. What should you configure?

You are troubleshooting connectivity issues between two Azure VNets that are connected via VNet peering. VNet A (10.1.0.0/16) and VNet B (10.2.0.0/16) have peering established, and both have 'Allow forwarded traffic' enabled. A VM in VNet A can ping a VM in VNet B, but web applications on the VM in VNet A cannot connect to a web service running on port 8080 in VNet B. What should you check first to resolve this issue?

Your organization is deploying a multi-region application architecture with Azure Front Door to provide global load balancing and Azure Application Gateway in each region for local load balancing. The application processes sensitive financial data and requires end-to-end SSL/TLS encryption. How should you configure SSL/TLS to ensure encryption from the client to the backend servers?

You are designing network connectivity for a hybrid cloud environment where Azure VNets need to communicate with on-premises networks. The organization requires active-active connectivity with automatic failover, route-based VPN for flexibility, and BGP for dynamic routing. The solution must support at least 2 Gbps of aggregate throughput. Which Azure Virtual Network Gateway configuration should you implement?