Free Practice Questions for VMware 6V0-22.25 Exam

Avi Virtual Services need a valid traffic-forwarding path. A default pool, pool group, or valid scripted pool-selection logic is required so the Service Engine can determine where to send matching application traffic. Broadcom’s DataScript documentation includes pool functions such as forwarding a request to the default pool and selecting pools by script, which shows that DataScript pool handling depends on valid pool references. If a DataScript is attached without an appropriate default pool or pool-selection path, the Service Engine cannot correctly process traffic for that Virtual Service, which can result in the Virtual Service being marked down. A wrong health monitor marks pool members down, not necessarily the Virtual Service itself. A local response or redirect policy can still respond without forwarding to a pool.

The backend web servers accept only TLS connections on port 443, but the configured monitor is an HTTP health monitor. A plain HTTP monitor sends unencrypted HTTP checks, which the TLS-only backend servers will reject or fail to answer correctly. Broadcom’s Avi documentation provides a specific HTTPS Health Monitor type for monitoring servers over SSL/TLS. Using an HTTPS monitor allows the Service Engine to perform the health check using TLS and then validate the HTTP response over the encrypted connection. Changing the Virtual Service to a secure HTTP application profile is unnecessary because the Virtual Service is intentionally operating as L4. Enabling SSL in the pool is not the most precise fix for the failed health monitor. Therefore, the correct change is to configure a Health Monitor of Type HTTPS .

Avi Load Balancer Network Security Policies operate at the network security layer and are used to control whether traffic is accepted, discarded, denied, or rate-limited before higher-level HTTP processing occurs. Broadcom’s Avi documentation specifically describes Network Security Policy behavior as determining whether a connection should be accepted, discarded, or rate-limited. Because of this, Rate Limit is a valid Network Security Policy action. “Send Local Response” and “Redirect” are HTTP-layer actions that belong to HTTP policies, not Network Security Policies. “Continue” is commonly associated with policy flow processing in other policy types but is not the correct Network Security Policy action in this question. Therefore, the valid action from the listed options is Rate Limit .

Avi Load Balancer supports presenting both RSA and EC certificates on the same SSL/TLS Virtual Service. When both are available, certificate selection can influence SSL performance. EC certificates generally provide strong security with lower computational overhead than RSA, especially compared with larger RSA keys. VMware Avi documentation includes guidance for EC versus RSA Certificate Priority , which exists specifically because certificate ordering and preference matter when both certificate types are configured. Disabling SSL session reuse would usually hurt performance, not improve it. Scaling out to another Service Engine can improve capacity, but it does not specifically optimize SSL cryptographic efficiency. Disabling PFS would reduce security, so it violates the question’s requirement. Therefore, preferring EC before RSA is the correct performance improvement without compromising security.

Avi Load Balancer health score is a composite metric that considers several dimensions, including performance, resources, anomalies, and security. VMware Avi documentation for the Analytics Profile states that constrained resources increase the resource penalty score, and examples include CPU, memory, or disk utilization of a Service Engine or a server. In this scenario, users are not experiencing application issues, so the performance score may remain normal. However, the Service Engine hosting the Virtual Service has high memory utilization, which is explicitly a resource constraint. Because resource constraints are reflected as a resource penalty, the Virtual Service health score can be affected even when users have not yet noticed symptoms. Therefore, the correct impact is that the Resource Penalty will be increased.

Avi Load Balancer health score includes multiple penalty categories, including security penalties. VMware Avi documentation for SSL certificate expiration explains that a certificate approaching expiry can reduce the Virtual Service health score. Specifically, when a certificate is within 30 days of expiration, Avi applies a 20-point security penalty to the Virtual Service, which caps the maximum health score at 80. This exactly matches the question’s stated Security Penalty of -20 . CPU utilization on the Service Engine would align more closely with a resource or performance impact, not a certificate-related security penalty. A health monitor protocol mismatch could mark servers down, but it does not correspond to the documented -20 SSL certificate security penalty.

Avi health monitors determine whether a pool server should receive traffic. For web applications, an HTTP or HTTPS health monitor can send a request to a specific URI and validate the response body or status code. VMware Avi documentation describes health monitor failures such as payload mismatch, where a server is marked down when the expected response content is not returned. The most reliable design is to make the application expose a health-check URI that performs its own dependency validation, including a database query, and returns the expected response only when the application and database path are functional. This confirms the actual application dependency rather than merely checking TCP reachability or the database independently. Therefore, the correct approach is to use an HTTP health monitor against a dependency-aware URI.

The TCP Proxy Profile controls TCP behavior for a Virtual Service when Avi terminates the client TCP connection and opens a separate server-side TCP connection. VMware Avi documentation states that the TCP proxy terminates client connections, processes traffic, and then establishes a connection to the destination server. The Custom TCP Proxy Profile mode is used when administrators need to manually configure TCP proxy settings rather than use predefined system defaults. A valid reason to use this mode is to change TCP timeout behavior, including the idle duration timeout. Rate limiting is generally handled by policy or security controls, disabling SNAT is configured through network service or preserve-client-IP-related settings, and exposing destination port to the application is not the standard reason for selecting TCP Proxy Custom mode in this question.

An HTTPS client shows an untrusted certificate warning when the presented certificate cannot be validated by the client. Common causes include an expired certificate, a self-signed certificate, or a certificate signed by an internal certificate authority that the client does not trust. Avi documentation distinguishes between RSA and EC certificates as certificate algorithm types that can both be used by Virtual Services. A certificate being RSA instead of EC does not inherently make it untrusted. RSA certificates are still valid and supported when issued by a trusted CA, within their validity period, and matching the requested hostname. Therefore, the certificate algorithm alone is not a cause of an untrusted certificate error. The answer that would not cause the issue is B.