Microsoft Azure Security Engineer Associate AZ-500 Practice Question
You manage an Azure route-based VPN gateway (VpnGw2 SKU) connected to an on-premises hardware VPN device. Governance mandates IPsec/IKE Phase 2 integrity as SHA256, encryption as AES256, and Diffie-Hellman Group 14. You must enforce these parameters from Azure without disrupting the existing tunnel. What should you do first?
Change the gateway to active-active mode and re-establish the tunnel.
Create and apply a custom IPsec/IKE policy on the current site-to-site VPN connection.
Enable policy-based traffic selectors on the VPN connection.
Convert the connection to ExpressRoute for private connectivity.
To control the cryptographic parameters negotiated during tunnel establishment, Azure allows you to attach a custom IPsec/IKE policy to a site-to-site connection when the gateway is route-based. Creating and applying the policy lets you specify exact Phase 1 and Phase 2 algorithms, including AES256 encryption, SHA256 integrity, and DH Group 14. Policy-based traffic selectors influence which prefixes are advertised, but do not change cryptographic suites. Moving to active-active has no effect on algorithm selection, and switching to ExpressRoute eliminates the VPN altogether instead of securing it. Therefore, the correct first step is to define and assign a custom IPsec/IKE policy on the existing connection.
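One way to verify the result after the policy has been applied, as an added example that is not part of the original question: it audits connection objects shaped like the JSON that `az network vpn-connection show` returns. The sample connections are constructed, and the mapping of the mandate onto `ipsecEncryption`, `ipsecIntegrity` and `dhGroup` is this example's assumption.

```python
import json

# Governance mandate from the question, mapped onto the connection's
# ipsecPolicies property names (this mapping is the example's assumption).
REQUIRED = {
    "ipsecEncryption": "AES256",
    "ipsecIntegrity": "SHA256",
    "dhGroup": "DHGroup14",
}

# Constructed sample connections (names and values are made up).
SAMPLE = json.loads("""
[
  {"name": "conn-default", "connectionType": "IPsec", "ipsecPolicies": []},
  {"name": "conn-weak", "connectionType": "IPsec",
   "usePolicyBasedTrafficSelectors": true,
   "ipsecPolicies": [{"ikeEncryption": "AES256", "ikeIntegrity": "SHA256",
                      "dhGroup": "DHGroup2", "ipsecEncryption": "AES256",
                      "ipsecIntegrity": "SHA1", "pfsGroup": "None"}]},
  {"name": "conn-ok", "connectionType": "IPsec",
   "ipsecPolicies": [{"ikeEncryption": "AES256", "ikeIntegrity": "SHA256",
                      "dhGroup": "DHGroup14", "ipsecEncryption": "AES256",
                      "ipsecIntegrity": "SHA256", "pfsGroup": "PFS2048"}]}
]
""")

def audit_connection(conn, required=REQUIRED):
    """Return findings for one connection; an empty list means compliant."""
    policies = conn.get("ipsecPolicies") or []
    if not policies:
        # No custom policy attached, so nothing pins the algorithms from Azure.
        return ["no custom IPsec/IKE policy attached"]
    findings = []
    for i, policy in enumerate(policies):
        for key, want in required.items():
            got = policy.get(key)
            if str(got).upper() != want.upper():
                findings.append(f"ipsecPolicies[{i}].{key}: want {want}, got {got}")
    return findings

def audit_all(connections, required=REQUIRED):
    """Map connection name -> findings, keeping only non-compliant ones."""
    report = {c.get("name", "<unnamed>"): audit_connection(c, required) for c in connections}
    return {name: f for name, f in report.items() if f}

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE).items():
        print(name, "->", "; ".join(findings))
```

The `usePolicyBasedTrafficSelectors` flag on `conn-weak` plays no part in the findings, which matches the explanation: traffic selectors do not change the cryptographic suite.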
Microsoft Azure Security Engineer Associate AZ-500
Secure networking