50 VMware Certified Advanced Professional - Network Virtualization Design Practice Questions: Question Bank 2025

During an NSX design workshop, stakeholders request that the logical networking design can be expanded to additional sites in the future with minimal rework. Which design methodology deliverable best helps ensure this requirement is traceable through the design process?

An organization wants to reduce the risk of asymmetric routing issues for north-south traffic while allowing active-active egress from two Edge nodes. Which NSX routing design best aligns with this goal?

A security architect requires that only a small set of administrators can create or modify distributed firewall rules, while helpdesk staff can view security posture and troubleshoot flows. Which NSX design approach best meets this requirement?

An application team reports intermittent connectivity issues to a service hosted behind a load balancer. The design must enable faster troubleshooting without granting them administrative access. Which NSX capability should be included in the design to support this requirement?

A customer is migrating from a traditional three-tier network and wants to maintain existing VLAN-backed networks for some legacy workloads while using overlay segments for new applications. Which design best supports this mixed environment with clear operational boundaries?

A regulated environment requires that security policies follow workloads even when they move between clusters and that auditing can prove consistent enforcement across the environment. Which security design approach best meets this requirement?

A design calls for integrating NSX with an external security analytics platform that consumes network flow records to detect anomalies. What is the most appropriate design consideration to ensure the integration does not negatively impact performance or operations?

In a design review, a customer asks how to minimize blast radius when a misconfigured firewall rule is introduced. Which design recommendation best reduces impact while maintaining operational agility?

A multi-tenant private cloud requires strong isolation between tenants while still allowing shared services (DNS, NTP, patch repositories) to be consumed securely. Which design pattern best satisfies these requirements in NSX?

A customer reports that, after a planned failover test, some north-south traffic experiences blackholing for several minutes even though routing converges quickly. The design includes redundant upstream routers and multiple Edge nodes. Which design change most likely addresses this symptom?

During an NSX design workshop, a stakeholder insists that the design be evaluated against explicit business outcomes (e.g., reduced provisioning time and improved isolation) before any technology choices are made. Which design methodology step best addresses this requirement?

An organization wants to enforce strict separation of duties: network administrators manage routing and connectivity, while security administrators manage micro-segmentation policy. Which NSX design approach best supports this operating model?

A customer requires that all east-west traffic between application tiers be inspected and controlled, while minimizing reliance on physical network changes. Which NSX capability is primarily designed to meet this requirement?

A multi-tenant private cloud needs tenant isolation with overlapping IP address spaces and per-tenant north-south connectivity through shared physical uplinks. Which NSX design best satisfies this requirement?

A security team mandates that firewall rules must be resilient to IP changes and workload mobility. They also want policies expressed using application context (e.g., 'web-to-app'). Which design choice best meets this requirement?

A customer plans to insert a third-party IDS/IPS for specific regulated workloads only, without forcing all traffic through the service. What is the most appropriate NSX design approach?

A design includes multiple sites with independent vCenters. The customer wants a single operational view for security policy and consistent segmentation intent across sites, while allowing local teams to manage their compute resources. Which NSX design consideration best aligns with this requirement?

After deploying NSX, an application team reports intermittent connectivity between two VMs on different segments. The physical network team confirms the underlay is stable. Which design-time troubleshooting artifact is most useful to validate the expected forwarding path and identify where policy or routing may drop traffic?

A financial institution requires demonstrable compliance evidence that micro-segmentation rules are consistently enforced and that changes are auditable with clear approvals. Which design feature combination best supports this requirement?

A customer needs a design that supports rapid recovery and minimal service disruption if the NSX management plane becomes unavailable, while ensuring data plane forwarding continues. Which design decision most directly improves resilience of NSX operations under management-plane impairment?

A network virtualization design engagement is starting. The customer has conflicting statements about required east-west segmentation and application ownership. Which design methodology step should the architect perform NEXT to reduce risk before proposing an NSX architecture?

A customer wants an NSX design where developers can self-service creation of segments for new applications, but security must enforce consistent guardrails and naming. Which approach best supports this goal?

A customer is migrating from VLAN-backed networks to overlay segments. They ask which NSX component provides the logical switching function for overlay connectivity between hosts.

A customer requires that only specific application tiers can communicate, and the policy should remain effective even if VMs are moved to different clusters or if IP addresses change. Which design choice best meets this requirement?

An enterprise wants to design NSX north-south connectivity to two upstream routers using BGP. They require fast convergence and no dependency on static routes, and they want to avoid asymmetric routing between edge nodes. Which design best aligns with these requirements?

A customer has strict compliance requirements: firewall rules must be reviewed and approved, changes must be traceable to a request, and the security team must not have the ability to modify transport or routing configuration. Which NSX design element most directly supports this separation of duties?

A customer reports intermittent loss of connectivity from some VMs on an overlay segment to a physical VLAN-backed database network. The issue only occurs for traffic to a subset of physical hosts. The architect suspects an MTU mismatch along the path. Which design recommendation best prevents this class of issues?

A global organization requires a consistent security posture across two data centers with local autonomy for operations. They want centralized policy definition and the ability to continue local enforcement if the inter-site link is down. Which NSX design best fits?

A customer needs to publish a single application VIP that is reachable from the internet. They require high availability and want inbound connections to continue even if one edge node fails. Which NSX design choice is most appropriate?

During design validation, a customer requires that a compromised workload cannot evade east-west controls by communicating over IPv6, even though most apps are IPv4. Which security design action best addresses this requirement?

During an NSX design workshop, stakeholders request a network virtualization solution that can be rolled out in phases while continuously validating requirements and risks. Which design methodology best supports iterative validation and phased implementation for this outcome?

A customer wants to minimize the number of firewall rules they manage while still enforcing least privilege between application tiers. Which NSX feature is the best fit to reduce rule sprawl while keeping policy aligned to workload identity?

An architect is selecting a design that limits east-west traffic hairpinning and provides stateful firewalling close to workloads across the environment. Which NSX capability directly supports this goal?

A design requires secure administrative access to NSX management interfaces and the ability to separate management traffic from tenant/overlay data traffic. What is the recommended high-level approach?

A company uses an external PKI and requires certificate-based trust for NSX components to meet internal compliance standards. Which design decision best supports this requirement without weakening security posture?

A customer plans to use NSX Federation to support multi-site operations. They require local survivability if inter-site connectivity is lost while still maintaining consistent security policy intent across sites. Which design principle best meets this requirement?

After deploying an overlay-backed segment, workloads on different ESXi hosts can communicate, but workloads on the same host cannot communicate. The physical fabric shows no packet loss. Which design-related misconfiguration is the MOST likely cause?

A customer must demonstrate that security policy is consistently enforced even when VMs are moved between clusters and their IP addresses change. Which design choice provides the strongest control and auditability?

A regulated environment requires micro-segmentation with strict separation of duties: security teams must own policy definition while virtualization teams manage infrastructure. Which design best supports this operational model in NSX?

A customer reports intermittent packet drops only for overlay traffic during peak utilization. Monitoring suggests bursts are exceeding available bandwidth on specific physical uplinks. The design currently uses equal-cost paths across multiple uplinks. What design adjustment most directly improves resiliency and predictable performance for overlay traffic without removing multipathing?

A network virtualization design must support audit requirements that mandate all administrative actions be attributable to a specific individual and centrally retained for one year. Which design choice best satisfies this requirement in NSX operations?

A customer wants to minimize east-west latency for workloads that heavily communicate within the same cluster. Which NSX design principle most directly achieves this goal?

During requirements gathering, an architect is asked to produce a document that maps business drivers to measurable, testable outcomes (e.g., RTO/RPO, isolation requirements, and operational constraints). What is the most appropriate artifact to create?

A multi-tenant environment requires strong separation between tenants while allowing a shared services segment (e.g., DNS, NTP) to be reachable from all tenants without exposing tenant-to-tenant routing. Which design best meets these requirements?

A security team requires that only specific workloads can communicate to a database tier, and the policy must remain effective even if VMs move between clusters or change IP addresses. Which approach should the architect recommend?

A customer plans to deploy NSX Edge appliances for north-south routing and requires resilience during maintenance events. They want to upgrade or reboot one edge node without interrupting active connections where possible. Which design best supports this requirement?

An organization must demonstrate that segmentation policies are consistently enforced across clusters and that unauthorized rule changes are detectable. Which combination of design elements most directly supports these compliance goals?

After a migration to overlay segments, users report intermittent connectivity to an external application. Monitoring shows occasional packet drops on the physical network due to MTU issues. What is the best design remediation?

A global enterprise requires a consistent micro-segmentation policy model across multiple sites, but each site has different application owners and must be able to stage policy changes independently without impacting other sites. What NSX design approach best meets this requirement?

A design includes integrating NSX with third-party network monitoring tools. The customer wants to quickly identify whether packet loss is occurring in the underlay, the overlay tunnel, or due to distributed firewall policy. Which design recommendation most improves time-to-resolution?