VMware Certified Advanced Professional - Network Virtualization Design Advanced Practice Exam: Hard Questions 2025

An enterprise is designing a dual-region (active/active) platform using NSX for workload mobility. Each region has its own vCenter/compute cluster and its own upstream physical fabric. Requirements: (1) Workloads must keep the same IP when moved between regions, (2) East-west traffic should be locally forwarded within the region whenever possible, (3) No L2 extension through the physical WAN is allowed, (4) Failure of a single region must not cause a routing reconvergence storm in the other. Which design best satisfies these constraints?

During a design review, the network team mandates that the underlay must remain strictly routed (no multicast, no flood-and-learn) and that operations must be able to predict failure impact of losing any single leaf. The virtualization team requires maximum east-west throughput and wants to minimize control-plane complexity. Which NSX transport/forwarding design is the most appropriate given these constraints?

A financial services customer must design NSX so that a security incident in a single application environment cannot affect other environments, even if an NSX administrator account is compromised for that environment. They also require centralized governance and auditing across all environments. Which design best addresses administrative isolation while meeting governance requirements?

A customer is designing NSX north-south connectivity with these requirements: (1) Multiple active uplinks with fast failover, (2) No dynamic routing permitted on the physical edge, only static routes, (3) Minimize operational risk during edge node replacement, (4) Support for multiple tenant VRFs. Which Tier-0 and uplink design is most appropriate?

A high-performance trading platform requires extremely low east-west latency between workloads on the same host and across hosts. The design must include micro-segmentation and avoid hairpinning through centralized appliances for most traffic. Which NSX design choice best aligns with these requirements while maintaining security at scale?

A design includes NSX load balancing for multiple application tiers. The customer demands that (1) service insertion must not require changing application IPs, (2) traffic for a given VIP must continue during an Edge Node failure without manual intervention, and (3) operational teams must be able to drain an Edge Node for maintenance with minimal impact. Which design most directly satisfies these requirements?

A regulated customer requires micro-segmentation with these constraints: (1) Rules must be readable and auditable by application owners, (2) IP-based rules are not allowed due to frequent scaling and ephemeral workloads, (3) A default-deny model must be phased in without causing an outage, and (4) Enforcement must cover both east-west and north-south at appropriate points. Which approach best meets these design requirements?

A customer must demonstrate compliance that only approved management stations can reach NSX management interfaces, and that lateral movement from compromised workloads cannot reach management components. They also require break-glass access during outages. Which design best meets these requirements?

After a partial migration to NSX, an application intermittently fails when calling a legacy service located on a VLAN-backed segment. Packet captures show asymmetric return paths: requests go from overlay to VLAN via a Tier-1, but responses return via a different upstream router path. The customer prohibits changing the legacy service IP or default gateway. Which design change most directly addresses the asymmetry while preserving the legacy gateway requirement?

A production NSX environment experiences sporadic connectivity loss only for workloads on one transport node. Symptoms: (1) Neighbor workloads on the same segment but different hosts are unreachable, (2) North-south traffic from the affected workload sometimes works, (3) Host shows intermittent tunnel endpoint reachability alerts. The underlay team confirms IP connectivity is stable. Which design-time troubleshooting hypothesis is most plausible and what design adjustment best prevents recurrence?