Azure Administrator Associate · 18% of the exam

Implement and manage virtual networking: free practice questions

5 sample questions from our 45-question bank for this domain — answers and explanations included. These are the same scenario-based style as the real Azure exam.

1. You are creating a new Azure Virtual Network in the East US region. You need to assign an address space that accommodates at least 500 hosts across 4 subnets, while keeping the address space as small as possible. Which address space should you assign to the VNet?

  • A. 10.0.0.0/24
  • B. 10.0.0.0/23✓ Correct
  • C. 10.0.0.0/22
  • D. 10.0.0.0/16
Explanation

A /23 provides 512 addresses (510 usable hosts), which is the smallest block that can accommodate 500+ hosts across 4 subnets. Each subnet would have approximately 128 addresses, and Azure reserves 5 addresses per subnet, leaving enough room. A /24 provides only 256 addresses (251 usable after Azure reservations per subnet), which is insufficient for 500 hosts. A /22 provides 1024 addresses — sufficient but larger than necessary, violating the 'as small as possible' requirement. A /16 provides 65,536 addresses, which is vastly oversized for this requirement.

2. A solutions architect must design a network topology for an organization with the following requirements: (1) On-premises network (192.168.0.0/16) must connect to Azure Hub-VNet (10.0.0.0/16) over a site-to-site VPN. (2) Multiple spoke VNets must access on-premises resources through the hub's VPN Gateway. (3) Spoke VNets must NOT be able to communicate directly with each other. Which TWO configuration steps are required to allow spoke VNets to reach on-premises via the hub VPN Gateway? (Select TWO.)

  • A. Configure the hub-to-spoke VNet peering with 'Allow gateway transit' enabled on the hub side.✓ Correct
  • B. Configure the hub-to-spoke VNet peering with 'Use remote gateway' enabled on each spoke side.✓ Correct
  • C. Deploy a separate VPN Gateway in each spoke VNet.
  • D. Enable VNet-to-VNet connectivity between each spoke VNet and the hub VNet as an alternative to peering.
  • E. Create a user-defined route in each spoke subnet pointing to the on-premises prefix with next hop as the VPN Gateway's public IP.
  • F. Configure BGP on the VPN Gateway to advertise spoke VNet address spaces to on-premises.
Explanation

To allow spoke VNets to use the hub's VPN Gateway (gateway transit), two peering settings must be configured: (1) 'Allow gateway transit' must be enabled on the hub-to-spoke peering (hub side), which allows the hub to share its gateway with spokes, and (2) 'Use remote gateway' must be enabled on the spoke-to-hub peering (spoke side), which tells the spoke to use the remote (hub) gateway for routing. Both settings together enable transitive connectivity to on-premises. Deploying a separate VPN Gateway in each spoke (option C) is costly, defeats the hub-spoke purpose, and is not required. VNet-to-VNet connectivity (option D) is a different connectivity model and doesn't solve gateway transit. A UDR pointing to the VPN Gateway's public IP (option E) is incorrect — the next hop for a UDR to use a VPN Gateway would reference the gateway's private IP or use 'Virtual Network Gateway' next hop type, and even then, gateway transit settings handle this automatically. BGP (option F) is about route advertisement to on-premises, not about enabling spoke-to-gateway connectivity.

3. You manage an Azure subscription with the following NSG rules applied to a VM's NIC: Inbound rule 100: Allow, Source Any, Destination Any, Port 443. Inbound rule 200: Deny, Source Any, Destination Any, Port 443. Inbound rule 65000: Allow, Source VirtualNetwork, Destination VirtualNetwork, All ports. A client on the internet attempts to connect to the VM on port 443. What is the result?

  • A. The connection is denied because rule 200 explicitly denies port 443.
  • B. The connection is allowed because rule 100 has a lower priority number and is evaluated first.✓ Correct
  • C. The connection is denied because the default rule 65000 does not cover internet traffic.
  • D. The connection is allowed because the default inbound rule allows all traffic from any source.
Explanation

NSG rules are evaluated in ascending priority order (lowest number = highest priority). Rule 100 (Allow, port 443) is evaluated before rule 200 (Deny, port 443). Since rule 100 matches first, the traffic is allowed and evaluation stops — rule 200 is never reached (option B is correct). — Option A is incorrect: rule 200 would only apply if no earlier rule matched; rule 100 takes precedence. Option C is incorrect: while rule 65000 does not cover internet traffic, the evaluation never reaches it because rule 100 already allows the traffic. Option D is incorrect: the actual Azure default rule for inbound is 65500 'DenyAllInBound', which denies all traffic not matched by prior rules — there is no default rule that allows all inbound traffic from any source.

4. Your organization runs a public-facing web application on Azure VMs behind an Azure Load Balancer (Standard SKU). The security team requires that the Load Balancer only forwards traffic to healthy VMs and that unhealthy VMs are automatically removed from rotation. You notice that after a VM's web service crashes, the Load Balancer continues to send traffic to it for several minutes. Which Load Balancer feature controls how quickly an unhealthy instance is removed from rotation?

  • A. Idle timeout setting on the load-balancing rule
  • B. The health probe interval and unhealthy threshold configuration✓ Correct
  • C. Enabling Floating IP on the load-balancing rule
  • D. Configuring a Network Security Group to block traffic to the failed VM
Explanation

The health probe interval (how often the probe checks) combined with the unhealthy threshold (how many consecutive failures before marking unhealthy) directly controls the detection latency before a VM is removed from rotation (option B). Reducing the probe interval and/or threshold reduces the window during which traffic is sent to a failed instance. — Option A is incorrect: idle timeout governs how long TCP connections are kept alive when idle; it has no effect on health detection or VM removal. Option C is incorrect: Floating IP (also known as Direct Server Return) changes how the destination IP is presented to the backend VM; it has nothing to do with health monitoring. Option D is incorrect: an NSG blocking traffic to the failed VM would prevent legitimate traffic from reaching it but does not interact with the Load Balancer's health probe mechanism and could cause unintended connectivity issues.

5. A security architect must ensure that an Azure web application hosted on App Service is accessible only from within the company's Azure VNet and on-premises network (connected via ExpressRoute), with no public internet exposure. The solution must ensure the App Service's fully qualified domain name (FQDN) resolves to a private IP address for clients inside the VNet. Which solution should the architect implement?

  • A. Configure App Service access restrictions to allow only the VNet's address space and on-premises IP ranges
  • B. Enable VNet Integration on the App Service to inject it into a subnet and disable the public endpoint
  • C. Deploy a Private Endpoint for the App Service in the VNet, disable the public network access on the App Service, and create a private DNS zone 'privatelink.azurewebsites.net' linked to the VNet✓ Correct
  • D. Deploy Azure API Management in internal mode within the VNet and configure it to proxy requests to the App Service's public endpoint
Explanation

A Private Endpoint assigns the App Service a private IP address from the VNet's address space. Disabling public network access on the App Service ensures no internet traffic can reach it. The private DNS zone 'privatelink.azurewebsites.net' linked to the VNet ensures the App Service FQDN resolves to the private IP for clients inside the VNet (and on-premises if DNS forwarding is configured). This fully satisfies all requirements. Access restrictions (Option A) still allow the App Service's public endpoint to exist — it just filters traffic; the FQDN still resolves to a public IP, and determined attackers or accidental exposure remains a risk. VNet Integration (Option B) allows outbound traffic from App Service into the VNet; it does not make the App Service accessible on a private IP from the VNet, nor does it disable the public endpoint for inbound traffic. Azure API Management in internal mode (Option D) could limit access to the VNet but the App Service itself remains publicly accessible, and the FQDN would still resolve to a public IP — this does not meet the private IP resolution requirement.

40 more questions in this domain

Practice the full bank with instant grading, flashcards, and a timed mock exam.

Start practicing free