Exam AZ-104
Question 402

HOTSPOT -

You have an on-premises data center and an Azure subscription. The data center contains two VPN devices. The subscription contains an Azure virtual network named VNet1. VNet1 contains a gateway subnet.

You need to create a site-to-site VPN. The solution must ensure that if a single instance of an Azure VPN gateway fails, or a single on-premises VPN device fails, the failure will not cause an interruption that is longer than two minutes.

What is the minimum number of public IP addresses, virtual network gateways, and local network gateways required in Azure? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:

    Correct Answer:

    Box 1: 4 -

    Two public IP addresses in the on-premises data center, and two public IP addresses in the VNET.

    The most reliable option is to combine the active-active gateways on both your network and Azure, as shown in the diagram below.

    Box 2: 2 -

    Every Azure VPN gateway consists of two instances in an active-standby configuration. For any planned maintenance or unplanned disruption that happens to the active instance, the standby instance would take over (failover) automatically, and resume the S2S VPN or VNet-to-VNet connections.

    Box 3: 2 -

    Dual-redundancy: active-active VPN gateways for both Azure and on-premises networks

    Reference:

    https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-highlyavailable
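The Azure-side resources for the dual-redundancy topology named under Box 3, written out as an added example (not part of the original page) with the Azure PowerShell cmdlets from the active-active guide linked in the discussion below. It assumes BGP is used between the sites; the resource names, region, gateway SKU, ASNs, device IPs, BGP peer addresses and the `VPN_PSK` environment variable are constructed placeholders.

```powershell
# Added example. Names, region, SKU, ASNs and all addresses are constructed placeholders.
$rg  = 'RG1'
$loc = 'eastus'
$sku = 'VpnGw1'        # assumption: use a SKU available in your subscription
$psk = $env:VPN_PSK    # assumption: pre-shared key supplied out of band, never hardcoded

$vnet   = Get-AzVirtualNetwork -Name 'VNet1' -ResourceGroupName $rg
$subnet = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet

# Public IP resources: one per gateway instance of the active-active gateway.
$ipConfigs = foreach ($i in 1, 2) {
    $pip = New-AzPublicIpAddress -Name "VNet1GWpip$i" -ResourceGroupName $rg `
        -Location $loc -AllocationMethod Static -Sku Standard
    New-AzVirtualNetworkGatewayIpConfig -Name "gwipconf$i" -Subnet $subnet -PublicIpAddress $pip
}

# Virtual network gateway resource: created once, with both IP configurations
# and active-active mode switched on.
$gw = New-AzVirtualNetworkGateway -Name 'VNet1GW' -ResourceGroupName $rg -Location $loc `
    -IpConfigurations $ipConfigs -GatewayType Vpn -VpnType RouteBased `
    -GatewaySku $sku -Asn 65010 -EnableActiveActiveFeature

# Local network gateway resources: one per on-premises VPN device. Each holds the
# device's own public IP (not an Azure public IP resource) and its BGP peer address.
$devices = @(
    @{ Name = 'OnPremDevice1'; PublicIp = '203.0.113.10'; BgpPeer = '10.50.255.253' },
    @{ Name = 'OnPremDevice2'; PublicIp = '203.0.113.20'; BgpPeer = '10.50.255.254' }
)

foreach ($d in $devices) {
    $lng = New-AzLocalNetworkGateway -Name $d.Name -ResourceGroupName $rg -Location $loc `
        -GatewayIpAddress $d.PublicIp -AddressPrefix "$($d.BgpPeer)/32" `
        -Asn 65050 -BgpPeeringAddress $d.BgpPeer

    # One connection per device; with an active-active gateway each connection
    # carries a tunnel from each gateway instance.
    New-AzVirtualNetworkGatewayConnection -Name "VNet1-to-$($d.Name)" -ResourceGroupName $rg `
        -Location $loc -VirtualNetworkGateway1 $gw -LocalNetworkGateway2 $lng `
        -ConnectionType IPsec -SharedKey $psk -EnableBgp $true
}
```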

Discussion
mlantonis

Correct Answer: The question asks how many are required in Azure, so the on-premise ones should not be counted.
Box 1: 2
2 public IP addresses in the on-premises data center, and 2 public IP addresses in the VNET for the active-active. The most reliable option is to combine the active-active gateways on both your network and Azure, as shown in the diagram below.
Box 2: 1
Every Azure VPN gateway consists of two instances in an active-standby configuration. For any planned maintenance or unplanned disruption that happens to the active instance, the standby instance would take over (failover) automatically, and resume the S2S VPN or VNet-to-VNet connections.
Box 3: 1
Dual-redundancy: active-active VPN gateways for both Azure and on-premises networks

darsy2001

You are mixing active-active with active-standby in your explanation.

ConanBarb

Yes, but actually there are two configurations to talk about. The Azure VPN GW config and the on-prem VPN Devices config. You can have Azure GW config in A-A (requiring 1 GW Vnet and 2 PIPs), and the on-prem VPN Devices in Active-Passive (requiring only one public ip and thus 1 Local Network Gateway). Active-Passive for on-prem could have explained why Mlantonis answers 1 on box 3. But doesn't rhyme with his own motivation "active-active VPN gateways for both Azure and on-premises network".

Harshul

It Should be 4-2-1

Harshul

Sorry, It Should be 4-1-2

alex_p

Agree with you.
FOR IP Addresses: 2 for the VPN gateways and 2 for the local network gateways which are also configured in Azure - 2+2!
FOR VPN Gateways: 1 only - You specify inside the VPN Gateway that it is ACTIVE-ACTIVE
FOR LOCAL VPN Gateways: 2 - The local Gateways must be configured separately.
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-highlyavailable

jeffdoc

For the IP ADDRESS part, it mentions number of IPs "required in Azure". That would only mean 2 (one for each VPN gateway). The other 2 public IPs on the on-prem/local gateways won't be required (as resources) on Azure per se although part of the configuration.

yangxs

I totally agree with you that "The questions asks how many are required in Azure, so the on-premise ones should not be counted." Based on this, box 3 should be 0 since it is not in Azure, but there is no such choice. They should make the question/answer more clear.

Ashfaque_9x

Local Network Gateway in S2S VPN is created at the Azure end.

Woshian

"The solution must ensure that if a single instance of an Azure VPN gateway fails, or a single on-premises VPN device fails, the failure will not cause an interruption that is longer than two minutes." How is this to be considered?

Darkren4eveR

2 2 2 Appear in the Microsoft Exam Test Prep

albertozgz

"longer than two minutes", Thus, we don't need Active - Active, we are in "Multiple on-premises VPN devices", thus 2-2-2 is the correct

rigonet

As you can read at https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-highlyavailable: "For planned maintenance, the connectivity should be restored within 10 to 15 seconds. For unplanned issues, the connection recovery will be longer, about 1 to 3 minutes in the worst case." So, with active/passive the connection recovery can take up to 3 minutes. We need an active/active scenario.
· 2 Public IPs
· 2 Virtual Gateways
· 2 Local Gateways

Hyrydar

Hey fellow study buddies, there can be only ONE virtual network gateway in a Virtual network. But when you create one, it spins up two instances in an active-standby configuration.

joergsi

How could this be, if I have 2 times 2 Gateways I would need 4 public IP-Addresses, correct?

tyohaina

But not in Azure. The question specifies, how many of these are required in AZURE.

skydivex

with that logic, how do you explain "local network gateways required in Azure"? When local network gateway refers to the on-premise network..... the correct answer is 4-2-2..... you need 4 public IP to setup redundant S2S VPN.

ConanBarb

The "local network gateway" IS an azure resource (the on-prem VPN thing is called "VPN Device" in Microsoft Azure terminology) (Hence correct answer is: 2-1-2)
You can try to create a "Local NW GW" yourself in Portal:
"Create a local network gateway to represent the on-premises site that you want to connect to a virtual network. The local network gateway specifies the public IP address of the VPN device and IP address ranges located on the on-premises site. Later, create a VPN gateway connection between the virtual network gateway for the virtual network, and the local network gateway for the on-premises site."
And if you try to create a VPN Gateway Standard in Active-Active mode you will see that only one VNet is required. The A-A config takes care of the rest.
Hence the following _in Azure_:
2 Public IPs (assuming Active-Active, which comes from <2 minutes requirement)
1 VNet (see config of VPN GW in Azure)
2 Local Gateways (as you have 2 "VPN Devices" on-prem)

holytoni

Yes you're right. 1 x virtual network gateway resource in azure always represents two actual virtual gateways. In an active active solution both are up at the same time. In active passive only one. https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-activeactive-rm-powershell#step-2---create-the-vpn-gateway-for-testvnet1-with-active-active-mode Therefore the right solution is 2-1-2.

Netspud

I agree mostly, 2,2,2. Details are here: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-highlyavailable But the questions state failure of a single azure or local gateway. So we need to use "Dual-redundancy: active-active VPN gateways for both Azure and on-premises networks". As best I can tell (because it is not explicit), we only need two public IP's on the premises gateways. The reason for this being Azure will "dial out" or "connect" to the premises gateways, thus Azure not needing public IPs to create the circuit. This should also be OK for the other requirements too.

Netspud

CHANGE MY MIND Although after seeing this: https://azure.microsoft.com/en-gb/blog/vnet-peering-and-vpn-gateways/, which even for a vnet to vnet vpn requires 2 ips (for a single ipsec gateway). I am going to switch to 4,2,2

Gadzee

4,2,2 Here you create and set up the Azure VPN gateway in an active-active configuration, and create two local network gateways and two connections for your two on-premises VPN devices as described above. The result is a full mesh connectivity of 4 IPsec tunnels between your Azure virtual network and your on-premises network. All gateways and tunnels are active from the Azure side, so the traffic will be spread among all 4 tunnels simultaneously,

hm67

What is the minimum number of public IP addresses, virtual network gateways, and local network gateways "required in Azure"? Only 2 in Azure.

magichappens

I also got these answers in my exam prep but I don't get it. As you only need to deploy one virtual network gateway instance this is very misleading. You even can't deploy more than one per virtual network if I am not mistaken.

magichappens

Just got the question again in MeasureUp and this time they changed it. So correct answer is:
- 2 Public IPs
- 2 Local network gateways
- 1 Virtual network gateway
And that finally makes sense to me. However I am struggling with MeasureUp question quality as this is misleading exam preparation.

sardonique

Mlantonis where are you! we need your wisdom!

oopspruu

Correct answer should be 2 - 1 - 2 The question is asking about resources to create in "Azure". The public IP for On-prem VPN devices is not an azure resource. So 2 Public IPs in Azure, 1 Virtual Network Gateway (You are only allowed 2 total per vNET: 1 VPN, 1 ExpressRoute. You cannot have 2 of same type), 2 Local Gateways in Azure to represent both VPN devices on-prem.

1uke

My answer is:
1 Public IP in Azure (assigned to the Azure VNet Gateway)
1 Azure VNet Gateway (active/stand-by, the single PIP is zonally redundant and will 'float' between the two Gateway appliances)
2 Local Network Gateways (one representing each of the 2 onsite VPN devices)

alexvv89

Totally agree with 1uke. Public IP Addresses - You would need a minimum of one public IP address for the Azure VPN Gateway to be reachable over the internet. Azure VPN Gateway instances are deployed in an active-passive configuration to provide high availability without needing additional public IPs. Azure automatically handles the failover. Virtual Network Gateways: You need a single Azure VPN Gateway deployed into your Gateway subnet in VNet1. Azure VPN Gateways are already set up for high availability. In Azure, the VPN Gateway is deployed in pairs, with each instance having its own public IP address. Azure takes care of automatic failover, so you don't need to provision multiple VPN Gateways yourself for high availability. Local Network Gateways: Azure Local Network Gateway objects define the settings for your on-premises VPN devices. Given that you have two VPN devices, you would need two Local Network Gateway objects, each one pointing to one of the on-premises VPN devices.

SgtDumitru

2 public IP addresses for the Azure virtual network gateways (active and standby). Each virtual network gateway requires a unique public IP address. 2 Azure virtual network gateways in the same virtual network (VNet1). One gateway will be the active gateway, and the other will be the standby gateway. 2 on-premises VPN devices (routers or VPN appliances). Configure two local network gateways in Azure, each representing one on-premises VPN device. Associate the corresponding local network gateway with the active or standby virtual network gateway.

LGWJ12

2 2 1 Explanation Using two public IP addresses ensures that you have two separate endpoints for your VPN tunnels, allowing for redundancy and failover. Having two virtual network gateways in Azure (each associated with a different public IP address) provides redundancy in case one of the gateways or its associated resources fails. This minimizes the potential for downtime. A single local network gateway represents your on-premises VPN devices and doesn't need redundancy in this scenario. So, the correct options are: Public IP Addresses: 2 Virtual Network Gateways: 2 Local Network Gateway: 1

adilkhan

2,2,2 Public IP Addresses: For high availability, you need two public IP addresses to associate with two VPN gateways. Virtual Network Gateways: For redundancy, you need two virtual network gateways in an active-active configuration. Local Network Gateways: For high availability, you need to configure two local network gateways, one for each on-premises VPN device. Given this configuration, the mini

learnazureportal

I go for 2-2-1 2 public IP addresses (one for each Azure VPN gateway) 2 Virtual network gateways (for active-active configuration) 1 Local network gateway (representing your on-premises data center network)

WeepingMaplte

4,2,2 if you follow the instructions: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-activeactive-rm-powershell

WeepingMaplte

Sorry it is 2,2,2. Virtual Gateway is 2. https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-activeactive-rm-powershell#1-create-the-public-ip-addresses-and-gateway-ip-configurations

tashakori

2 2 2 Is right answer

MatAlves

"A virtual network can have two virtual network gateways; one VPN gateway and one ExpressRoute gateway" You can only have ONE VNG (which will need to be in active-standby mode) 1 - Azure IP for the VNG 2 - LGs with non-azure ip addresses.

Alandt

GitHub Copilot public IP addresses: 2 Explanation: You need two public IP addresses in Azure, one for each VPN gateway instance. virtual network gateways: 1 Explanation: You only need one virtual network gateway in Azure. This gateway will have two instances for redundancy. local network gateways: 2 Explanation: You need two local network gateways in Azure, one for each on-premises VPN device.

Azused

In an Azure VPN gateway we can create connections with on-premises by active - active Hence the answer is 4 PIP, 1 Azure Virtual Network Gateway, 2 Local network gateway "Here you create and set up the Azure VPN gateway in an active-active configuration, and create two local network gateways and two connections for your two on-premises VPN devices as described above. The result is a full mesh connectivity of 4 IPsec tunnels between your Azure virtual network and your on-premises network." https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-highlyavailable

Azused

*2 PIP

clg003

2 2 2 Since they want them up in less than 2 minutes it has to be active active because all active passive setups can be down for 3 minutes. Since there are two on prem VPN devices you need to go with Dual-redundancy: active-active VPN gateways for both Azure and on-premises networks. https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-highlyavailable

DWILK

Why can't you just deploy a zone redundant IP for the Azure VPN gateway and also make the Azure VPN gateway zone redundant?

Learner2022

Should be 4 2 2 https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-highlyavailable