VMware Certified Advanced Professional - Network Virtualization Design Practice Exam 2025: Latest Questions

A network virtualization architect is starting an NSX design engagement. The customer provides a list of desired features (micro-segmentation, load balancing, and VPN) but no measurable outcomes. What is the BEST next step in a design methodology to reduce rework later?

A customer requires strict separation between multiple application environments (Dev, Test, Prod) while minimizing IP address changes during migrations. Which NSX construct MOST directly enables this segmentation without requiring different VLANs per environment?

A security team wants to enforce least-privilege east-west traffic controls and prefers policies that automatically follow workloads when they move hosts or clusters. Which approach BEST satisfies this requirement in an NSX design?

A customer plans to connect an on-prem NSX environment to multiple external routers. They need predictable route exchange and the ability to influence path selection using standard routing attributes. Which routing protocol should the design primarily use at the edge?

A customer wants to implement micro-segmentation for a three-tier application. The application scales horizontally and IP addresses change frequently. Which grouping strategy is MOST resilient and aligns with best practices?

A design includes multiple Tier-1 gateways for different tenants. The customer requires centralized north-south egress control and a single point for advertising tenant routes to the physical network. Which design choice BEST meets these requirements?

A customer must meet a compliance requirement to prove that only approved services are allowed between application tiers, and changes must be auditable. Which design element BEST supports ongoing compliance evidence?

A customer reports intermittent connectivity between two workloads on different overlay segments. The design uses a Tier-1 gateway with stateful services enabled. You want to propose a troubleshooting approach that minimizes guesswork and aligns with NSX operational best practices. What should be checked FIRST?

A financial institution requires that security policy enforcement continues even if an edge node fails, and they want to avoid asymmetric flows that could break stateful inspection. Which design is MOST appropriate?

A global enterprise needs multi-site connectivity with consistent security policy across sites. They also require that a site can continue operating locally if the inter-site link fails, and that east-west traffic between workloads in the same site does not hairpin to another location. Which high-level design BEST fits these requirements?

During an NSX design workshop, stakeholders ask for a document that maps business requirements to design decisions and explicitly states what is out of scope to prevent scope creep. Which design artifact best satisfies this request?

A customer wants to enforce consistent east-west security for workloads regardless of which ESXi host they run on, without relying on VLAN-based segmentation. Which NSX capability most directly enables this requirement?

An organization wants to simplify day-2 operations by using dynamic membership for security policies based on VM names and tags instead of IP addresses. Which NSX design approach best meets this goal?

A customer requires that internet-bound traffic from multiple application segments egress through different upstream providers while keeping a single NSX Tier-0 for simplicity. Which design best aligns with NSX routing capabilities?

A regulated environment requires tamper-resistant security logging and the ability to correlate NSX firewall events with workload identity over time. Which design choice best supports this requirement?

A design includes multiple NSX Edges in an Edge cluster to provide north-south connectivity. The customer is concerned about asymmetric routing for stateful services when failures occur. Which design consideration best addresses this?

An enterprise integrates NSX with a third-party firewall for advanced north-south inspection. They want to minimize blast radius and simplify troubleshooting when the service insertion path is unhealthy. Which design is most appropriate?

A customer reports intermittent loss of connectivity between VMs on the same segment across different hosts after a physical network change. You suspect an MTU mismatch impacting overlay encapsulation. Which design-time control most effectively prevents this class of issue?

A security team mandates that only approved administrators can create or modify NSX security policies, while network operators can manage routing and segments. The organization also requires strong separation of duties with least privilege. Which design best meets this requirement?

A global organization requires a design that supports multi-site application mobility with consistent security policy, while keeping failure domains isolated so that a control-plane issue at one site does not impact another site. Which architecture best satisfies these requirements?

An enterprise is building an NSX design for multiple application tiers. The security team requires that the effective security policy for any given VM be quickly understandable during audits, with minimal rule duplication across apps. Which design approach best meets this requirement?

A customer wants to onboard several independent business units into the same NSX environment. Each unit requires isolated networking and security administration, but the platform team must retain control over global infrastructure objects (transport zones, uplinks, and edge clusters). Which design best supports these requirements?

During design validation, an architect notices that application owners frequently request temporary access (e.g., 24-hour exceptions) between specific workloads for troubleshooting. The security team requires strict governance and an auditable workflow, but does not want to grant broad NSX admin privileges to app teams. What is the most appropriate design recommendation?

A design includes two datacenters with active-active application delivery. The requirement states: if one site fails, the remaining site must continue to provide north-south connectivity for existing sessions with minimal disruption. Which design element most directly supports this requirement at the NSX Edge layer?

A customer integrates NSX with a third-party SIEM. During a security incident, the SOC reports missing east-west traffic visibility for certain workloads, despite DFW rules being enforced correctly. Which design consideration most likely addresses this gap?