Free VMware 6V0-22.25 Practice Test Questions 2026

Total 63 Questions |

Last Updated On : 8-Jul-2026


VMware Avi Load 30.x Administrator

Installing, Configuring, and Setup

In which situation would the Advanced Setup mode of the Create Virtual Service wizard be required?



A. Adding the Virtual Service name to DNS


B. Specifying the Virtual Service as HTTPS


C. Specifying analytics settings


D. Adding servers





C.
  Specifying analytics settings

Explanation:
The Create Virtual Service wizard in NSX Advanced Load Balancer (Avi) has Basic and Advanced modes. Basic mode covers essential settings (IP, port, protocol, default pool). Advanced mode is required for granular configurations such as analytics settings (e.g., logging thresholds, metrics collection). Basic mode cannot configure analytics detail level or log filtering.

Correct Option:

C. Specifying analytics settings –
Correct. Analytics settings (e.g., request/response logging, log throttling, capture filters) are only available in Advanced mode. Basic mode does not expose these options, which are critical for fine-grained monitoring and troubleshooting.

Incorrect Options:

A. Adding the Virtual Service name to DNS –
Incorrect. Basic mode allows you to specify the Virtual Service name and can optionally publish it to DNS (if DNS integration is configured). This does not require Advanced mode.

B. Specifying the Virtual Service as HTTPS –
Incorrect. Selecting HTTPS and configuring SSL certificates can be done in Basic mode. Basic mode allows choosing between HTTP and HTTPS as the application profile without requiring Advanced setup.

D. Adding servers –
Incorrect. Adding servers to a pool is part of pool configuration, which is accessible in Basic mode. You can create a new pool and add server IPs during Basic setup without switching to Advanced mode.

Reference:
VMware NSX Advanced Load Balancer Documentation: "Virtual Service – Basic vs Advanced Mode" – specifies that analytics settings are only available in Advanced mode. Also covered in NSX ALB Administration Guide and vDefend Load Balancing Configuration Guide, section on VS creation wizard modes.

Which Network Security Policy action is valid?



A. Send Local Response


B. Continue


C. Redirect


D. Rate Limit





D.
  Rate Limit

Explanation:
In VMware vDefend (NSX) Network Security Policies (formerly Distributed Firewall policies), each policy can contain rules with specific actions. Common rule actions are Allow, Drop, Reject, and (in newer versions) Rate Limit. Rate Limit is a valid action that throttles traffic matching the rule instead of fully allowing or blocking it, useful for protecting against abuse or excessive bandwidth consumption.

Correct Option:

D. Rate Limit –
Correct. Rate Limit is a valid action in vDefend Network Security Policy (Distributed Firewall). It limits the number of packets or bandwidth per flow or source, helping mitigate DDoS attacks, brute force attempts, or noisy applications without completely dropping traffic.

Incorrect Options:

A. Send Local Response –
Incorrect. There is no rule action named "Send Local Response" in vDefend Distributed Firewall. Local responses (e.g., TCP RST or ICMP unreachable) are part of the Reject action, not a separate action.

B. Continue –
Incorrect. "Continue" is not a standard rule action in vDefend firewall policies. It may be confused with "Continue" in other firewall products (e.g., open source iptables). vDefend actions are Allow, Drop, Reject, and Rate Limit.

C. Redirect –
Incorrect. Redirect is not a firewall rule action. Traffic redirection to service chains (e.g., third-party firewalls) is achieved via service insertion policies or security policies with redirection enabled, but "Redirect" is not a standalone rule action.

Reference:
VMware NSX Documentation: "Distributed Firewall Rule Actions" – lists Allow, Drop, Reject, and Rate Limit as valid actions. Also covered in VMware vDefend Security Configuration Guide and NSX-T 4.x Firewall Administration Guide, section on rule actions.

The Server RTT in the End-to-End Timing graph has increased significantly while Client RTT and App Response times have remained unchanged. What is the most likely explanation for the issue?



A. One or more pool servers are experiencing very high CPU utilization


B. A database server used by the application is experiencing a performance issue


C. The Service Engine where the Virtual Service is placed has become overloaded


D. A networking issue has developed between the Service Engine and one or more pool servers





D.
  A networking issue has developed between the Service Engine and one or more pool servers

Explanation:
In VMware NSX Advanced Load Balancer (Avi), the End-to-End Timing graph breaks down latency into Client RTT, Server RTT, and App Response Time. Client RTT measures latency between client and Service Engine. Server RTT measures latency between Service Engine and pool server. App Response Time measures server processing time. If Server RTT increases while Client RTT and App Response Time stay the same, the most likely cause is network latency between the Service Engine and the pool servers.

Correct Option:

D. A networking issue has developed between the Service Engine and one or more pool servers –
Correct. Server RTT specifically measures network round-trip time from SE to backend server. An increase with no change in Client RTT or App Response time points directly to network path degradation (packet loss, congestion, routing change) between SE and the pool.

Incorrect Options:

A. One or more pool servers are experiencing very high CPU utilization –
Incorrect. High CPU on pool servers would increase App Response Time (server processing time), not Server RTT. Server RTT measures network latency, not server processing.

B. A database server used by the application is experiencing a performance issue –
Incorrect. Database performance issues would manifest as increased App Response Time (server processing), not increased network latency (Server RTT).

C. The Service Engine where the Virtual Service is placed has become overloaded –
Incorrect. An overloaded Service Engine would likely increase Client RTT (as SE struggles to handle incoming packets) and potentially increase overall response times, not exclusively Server RTT.

Reference:
VMware NSX Advanced Load Balancer Documentation: "End-to-End Timing Metrics" – defines Client RTT, Server RTT, and App Response Time. Also covered in NSX ALB Troubleshooting Guide and vDefend Load Balancing Monitoring Guide, section on latency analysis.

Which method does not identify why a server has been marked down by a Health Monitor?



A. Pool > Server > Health Score icon


B. Virtual Service > Logs


C. Pool > Server > Analytics screen


D. Pool > Events > Server_Down event





B.
  Virtual Service > Logs

Explanation:
In VMware NSX Advanced Load Balancer (Avi), when a health monitor marks a server as down, administrators can investigate the root cause through several interfaces. The Virtual Service > Logs typically contains request-level logs, not detailed health monitor failure reasons. Health monitor failure details are found in pool analytics, events, and server health score explanations.

Correct Option:

B. Virtual Service > Logs –
Correct. Virtual Service logs capture per-request details (e.g., HTTP requests, errors, response times). They do not show why a health monitor marked a server down. Health monitor failures are system-level events, not per-request logs, and are not recorded here.

Incorrect Options (these DO help identify why a server was marked down):

A. Pool > Server > Health Score icon –
Can identify. Clicking the Health Score icon next to a server shows health monitor results, including which monitor failed and the failure reason (e.g., timeout, connection refused).

C. Pool > Server > Analytics screen –
Can identify. The server analytics screen includes a Health Monitor tab showing detailed probe results, failure timestamps, and error messages.

D. Pool > Events > Server_Down event –
Can identify. The Events page filters for Server_Down events, which include descriptions (e.g., "Health monitor TCP failed: connection timeout").

Reference:
VMware NSX Advanced Load Balancer Documentation: "Health Monitor Failure Investigation" – lists Pool Analytics, Health Score icon, and Events as sources. Virtual Service logs are not used for health monitor diagnostics. Also covered in NSX ALB Administration Guide and vDefend Load Balancing Troubleshooting Guide.

Which High Availability mode should be used for an application that cannot be SNATed?



A. Legacy Active-Standby


B. Elastic Active-Active


C. Elastic Active-Standby


D. SNAT is determined by the application profile, not HA mode





A.
  Legacy Active-Standby

Explanation:
Some legacy or strict applications require that client traffic originate from a consistent, predictable source IP address. When Source NAT (SNAT) cannot be used (e.g., applications that log source IPs for security or licensing), the load balancer must avoid SNAT. Legacy Active‑Standby HA mode allows the Virtual Service to be placed on a single active Service Engine without SNAT, preserving the original client IP.

Correct Option:

A. Legacy Active-Standby –
Correct. In Legacy Active‑Standby mode, a Virtual Service runs on one active Service Engine. The standby engine is idle. This configuration can use Direct Server Return (DSR) or non‑SNAT options, preserving client IP visibility. Elastic HA modes often force SNAT for multi‑engine distribution.

Incorrect Options:

B. Elastic Active-Active –
Incorrect. Elastic Active‑Active distributes Virtual Service across multiple active Service Engines. To maintain sessions correctly, SNAT is typically required. The application would see multiple source IPs, which violates the “cannot be SNATed” requirement.

C. Elastic Active-Standby –
Incorrect. Elastic Active‑Standby still uses a buffer engine and may require SNAT for distribution and failover consistency. For applications that cannot be SNATed, Legacy Active‑Standby is preferred.

D. SNAT is determined by the application profile, not HA mode –
Incorrect. While application profiles influence SNAT settings (e.g., HTTP profile can preserve client IP via X-Forwarded-For), the HA mode impacts whether SNAT is mandatory. Elastic HA generally requires SNAT; Legacy Active‑Standby does not.

Reference:
VMware NSX Advanced Load Balancer Documentation: "HA Modes and SNAT Requirements" – specifies Legacy Active‑Standby for applications that cannot be SNATed. Also covered in NSX ALB Configuration Guide and vDefend Load Balancing Design Guide, section on source IP preservation.

Doing HTTP to HTTPS redirect in an HTTP Policy is:



A. Not recommended


B. Less efficient than DataScript


C. More flexible than the HTTP profile


D. Incompatible with WAF





C.
  More flexible than the HTTP profile

Explanation:
In NSX Advanced Load Balancer (Avi), HTTP to HTTPS redirection can be achieved via HTTP Policies, DataScripts, or the HTTP Application Profile. Using an HTTP Policy is recommended and provides greater flexibility compared to the HTTP Profile method. HTTP Policies allow condition-based redirects (e.g., specific hostnames, URI paths, request headers) and multiple actions, while the HTTP Profile forces a global redirect.

Correct Option:

C. More flexible than the HTTP profile –
Correct. HTTP Policies support granular conditions (e.g., redirect only for certain domains, URLs, or user agents). The HTTP Profile redirect method is global (all HTTP traffic to HTTPS). HTTP Policies also allow logging, changing response codes, and integration with other policy rules.

Incorrect Options:

A. Not recommended –
Incorrect. HTTP Policies are the recommended method for HTTP to HTTPS redirects because they are flexible, maintainable, and performant. DataScripts and HTTP Profile methods are also valid but not more recommended than HTTP Policies.

B. Less efficient than DataScript –
Incorrect. HTTP Policies are evaluated in the fast path by the Service Engine with high efficiency. DataScripts are interpreted and slightly slower. HTTP Policies are generally more efficient than DataScripts for simple redirects.

D. Incompatible with WAF –
Incorrect. HTTP Policies coexist with WAF policies. A Virtual Service can have both an HTTP Policy (for redirects) and a WAF Policy (for security inspection). The redirect occurs before or after WAF inspection depending on configuration.

Reference:
VMware NSX Advanced Load Balancer Documentation: "HTTP to HTTPS Redirect – Methods Comparison" – states HTTP Policies are more flexible than HTTP Profile redirect. Also covered in NSX ALB Configuration Guide and vDefend Load Balancing Security Guide, section on HTTP policy configuration.

An application had an outage during an Avi upgrade. The Service Engine Group assigned to the Virtual Service is using the default configuration. What is the likely reason for this outage?



A. There was a global internet outage


B. The Virtual Service was not scaled out


C. Firewall rules were not configured for the failover Service Engine


D. This is by design since Service Engine upgrades are disruptive





B.
  The Virtual Service was not scaled out

Explanation:
During an NSX Advanced Load Balancer (Avi) upgrade, Service Engines (SEs) are rebooted or upgraded individually to maintain availability. However, a Virtual Service that has not been scaled out (i.e., only one active SE) will experience downtime when that SE is upgraded because no other SE can take over its traffic. Scaling out ensures multiple SEs handle the Virtual Service, enabling hitless upgrades.

Correct Option:

B. The Virtual Service was not scaled out –
Correct. If a Virtual Service is placed on a single Service Engine (scale-out count = 1), upgrading that SE forces all traffic to stop until the SE completes its upgrade. Default SE Group configuration may limit scale-out to 1. Scaling out to at least 2 SEs allows seamless failover during upgrades.

Incorrect Options:

A. There was a global internet outage –
Incorrect. The question specifies an “Avi upgrade” context. A global internet outage would be unrelated to the upgrade and would not be the likely reason tied to Avi’s upgrade process.

C. Firewall rules were not configured for the failover Service Engine –
Incorrect. If the Virtual Service was not scaled out, there is no failover SE. Firewall rules are important for multi‑SE deployments, but the root cause here is lack of scale‑out, not firewall misconfiguration.

D. This is by design since Service Engine upgrades are disruptive –
Incorrect. Avi upgrades are designed to be non‑disruptive when the Virtual Service is scaled out (at least 2 SEs, active-active or N+M). Downtime is not “by design”; it is avoidable by proper scale‑out configuration.

Reference:
VMware NSX Advanced Load Balancer Documentation: "Upgrade Impact – Virtual Service Scale-Out" – states that VS without scale-out experiences downtime during SE upgrade. Also covered in NSX ALB Upgrade Guide and vDefend Load Balancing High Availability Guide, section on upgrade best practices.

Which SSL cipher type provides the best security?



A. EC without PFS


B. EC with PFS


C. RSA without PFS


D. RSA with PFS





B.
  EC with PFS

Explanation:
In SSL/TLS cipher suites, security is determined by key exchange algorithm and forward secrecy. Perfect Forward Secrecy (PFS) ensures that past session keys cannot be derived if the server's private key is compromised. Elliptic Curve (EC) cryptography provides equivalent security to RSA with smaller key sizes and better performance. Combining EC with PFS (e.g., ECDHE) offers the strongest security.

Correct Option:

B. EC with PFS –
Correct. EC with PFS (e.g., ECDHE-ECDSA or ECDHE-RSA) provides both the performance benefits of elliptic curve cryptography and the forward secrecy of ephemeral key exchange. This combination is recommended by security standards (NIST, IETF) for the highest level of TLS security.

Incorrect Options:

A. EC without PFS –
Incorrect. Without PFS, a compromised private key exposes all past session keys. While EC is strong, lack of PFS makes it weaker than EC with PFS. Security is significantly reduced.

C. RSA without PFS –
Incorrect. RSA key exchange without PFS (RSA-based static ciphers) does not provide forward secrecy. If the private key is compromised, all recorded sessions can be decrypted. RSA is also computationally more expensive than EC.

D. RSA with PFS –
Incorrect. RSA with PFS (e.g., DHE-RSA) provides forward secrecy but uses Diffie-Hellman with large RSA signatures, which is slower and less efficient than EC. While secure, EC with PFS is superior due to better performance and smaller key sizes.

Reference:
VMware NSX Advanced Load Balancer Documentation: "SSL/TLS Cipher Strength – Best Practices" – recommends EC with PFS (ECDHE) as the highest security tier. Also covered in NSX ALB SSL/TLS Configuration Guide and IETF/OWASP TLS recommendations.

Page 2 out of 8 Pages
Next
123
6V0-22.25 Practice Test Home