Nutanix NCP-NS Sample Questions & Practice Test

Nutanix Certified Professional - Network Security (NCP-NS) is a route for candidates who work with Nutanix network and security concepts, Flow policies, segmentation, access boundaries, connectivity, and troubleshooting.

Use this page to preview the kind of network-security reasoning an NCP-NS practice route should test. The questions below are original IT Mastery sample questions, not official Nutanix exam questions.

What this route should test

• interpreting connectivity, segmentation, policy, and access-control symptoms
• distinguishing network reachability problems from security-policy blocks
• applying least-privilege segmentation without breaking required application flows
• using evidence before changing broad network or security rules

Sample Exam Questions

Question 1

Topic: segmentation

What is the main benefit of workload segmentation?

• A. It removes the need for monitoring
• B. It guarantees all applications run faster
• C. It limits allowed communication paths so a compromise or misconfiguration is less likely to spread broadly
• D. It replaces backups

Best answer: C

Explanation: Segmentation constrains communication between workloads. It supports least privilege and reduces blast radius when a workload is compromised or misconfigured.

Question 2

Topic: policy design

A three-tier application needs web servers to talk to app servers, and app servers to talk to database servers. What is the safest policy approach?

• A. Allow only the required tier-to-tier flows and deny unrelated lateral traffic
• B. Allow every workload to communicate with every other workload
• C. Disable logging for the application
• D. Put all tiers in one unrestricted group forever

Best answer: A

Explanation: Least-privilege policy permits required flows while blocking unrelated lateral paths. Broad allow rules weaken segmentation.

Question 3

Topic: troubleshooting

A new security policy was applied and the application stopped working. What should be checked first?

• A. The dashboard color scheme
• B. The length of the VM names
• C. Whether backup jobs are old
• D. Required application flows, policy match logic, affected groups, deny events, and recent policy changes

Best answer: D

Explanation: If failure follows a policy change, validate intended flows, group membership, rule order or match behavior, deny evidence, and change history.

Question 4

Topic: flow visibility

Why is traffic-flow visibility useful before creating policies?

• A. It removes the need for documentation
• B. It shows actual application communication patterns so rules can be based on evidence
• C. It guarantees every future release has the same traffic
• D. It disables all unauthorized access automatically

Best answer: B

Explanation: Observed traffic helps build accurate policies. It does not remove documentation or future validation needs.

Question 5

Topic: identity and access

Which practice supports safer network-security administration?

• A. Sharing one global administrator account
• B. Giving every user unrestricted policy rights
• C. Role-based access, individual accounts, change review, and audit visibility
• D. Turning off authentication for administrators

Best answer: C

Explanation: Network-security changes are high impact. Role-based access, accountable identities, review, and logs reduce operational risk.

Question 6

Topic: policy rollout

How should a high-impact segmentation policy be introduced?

• A. Immediately across every workload with no monitoring
• B. After confirming scope, observing flows, testing with a limited group, monitoring impact, and documenting rollback
• C. Only by renaming VMs
• D. By deleting all existing logs first

Best answer: B

Explanation: Safer rollout uses scoping, observed flows, controlled testing, monitoring, and rollback planning. Broad untested enforcement can cause outages.

Question 7

Topic: reachability

A workload cannot reach an external endpoint. Which evidence is most relevant?

• A. VM attachment, IP settings, routes, DNS, policy decisions, upstream controls, and destination availability
• B. The number of characters in the administrator’s name
• C. Whether a different VM has a snapshot
• D. The physical color of a rack

Best answer: A

Explanation: Reachability depends on attachment, addressing, routing, name resolution, policies, upstream controls, and the destination. Those facts should guide troubleshooting.

Question 8

Topic: east-west traffic

What does east-west traffic usually mean in a data-center or cloud-platform security discussion?

• A. Traffic from a user laptop to a SaaS billing portal only
• B. Traffic between workloads inside the environment
• C. Traffic that always bypasses policy controls
• D. Traffic that only uses email protocols

Best answer: B

Explanation: East-west traffic is workload-to-workload traffic inside an environment. It is a central concern for segmentation and lateral-movement control.

Question 9

Topic: rule review

What is a warning sign in a policy review?

• A. Rules are tied to documented application flows
• B. Changes have owners and dates
• C. There is test evidence for recent changes
• D. A broad allow-any rule covers many unrelated workloads without a clear business reason

Best answer: D

Explanation: Broad allow-any rules are often excessive. They should be challenged unless there is a documented, limited, and justified need.

Question 10

Topic: security operations

Why should blocked-traffic events be reviewed before weakening a policy?

• A. They can show whether the block is an expected denial, a missing required flow, or suspicious activity
• B. They are never useful
• C. They prove all policies are wrong
• D. They replace application testing

Best answer: A

Explanation: Block events provide context. The right response depends on whether the block is intended, an application requirement, or a security signal.

Question 11

Topic: group membership

A policy is correct, but one VM is still blocked unexpectedly. What should be checked?

• A. Whether the VM’s owner likes the policy name
• B. Group membership, labels or categories, rule match criteria, and inherited policy effects
• C. Whether the VM icon is blue
• D. Whether unrelated snapshots exist

Best answer: B

Explanation: Unexpected blocking can come from incorrect group membership, labels, match criteria, or inherited policy effects. The policy itself may not be the only issue.

Question 12

Topic: change control

What should a change record for a security-policy update include?

• A. Only the administrator’s favorite command
• B. A blank note if the change was urgent
• C. Intended flows, affected objects, risk, validation plan, rollback path, owner, and approval or review context
• D. A list of unrelated VM names only

Best answer: C

Explanation: Security-policy changes should be traceable and reversible. A useful record explains scope, intent, risk, validation, rollback, owner, and review context.

Quick readiness checklist

NCP-NS practice update

Use this page to preview NCP-NS sample questions and confirm the exam fit. If you want IT Mastery practice updates for this route, use the Notify me form above.