Exam AZ-700
Question 53

HOTSPOT -

You have two Azure virtual networks named VNet1 and VNet2 in an Azure region that has three availability zones.

You deploy 12 virtual machines to each virtual network, deploying four virtual machines per zone. The virtual machines in VNet1 host an app named App1. The virtual machines in VNet2 host an app named App2.

You plan to use Azure Virtual Network NAT to implement outbound connectivity for App1 and App2.

You need to identify the minimum number of subnets and Virtual Network NAT instances required to meet the following requirements:

✑ A failure of two zones must NOT affect the availability of either App1 or App2.

✑ A failure of two zones must NOT affect the outbound connectivity of either App1 or App2.

What should you identify? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

Reference:

https://docs.microsoft.com/en-us/azure/virtual-network/nat-gateway/nat-overview

Discussion
pinchocr

You cannot assign more than one NAT GW to a subnet. 6 subnets are required (3 in VNet1 and 3 in VNet2). Then assign zonal NAT gateways to each subnet.

Komy

Not right. Even though you cannot assign multiple NAT GWs to the same subnet, multiple subnets within the same virtual network can use the same NAT gateway. So we can create 2 subnets (1 per VNet) and 2 NAT GWs (1 per VNet/subnet), and because NAT GW is zonal, we will have to multiply that by 3 = 6 NAT GWs. 2 subnets / 6 NAT GWs.

Komy

Correction: Reviewing the architecture below, the answer should be 6 subnets / 6 NAT GWs: https://docs.microsoft.com/en-us/azure/architecture/networking/guide/well-architected-network-address-translation-gateway

john6732

This is correct: Availability zone isolation cannot be provided, unless each subnet only has resources within a specific zone. Instead, deploy a subnet for each of the availability zones where VMs are deployed, align the zonal VMs with matching zonal NAT gateways, and build separate zonal stacks. For example, a virtual machine in availability zone 1 is on a subnet with other resources that are also only in availability zone 1. A NAT gateway is configured in availability zone 1 to serve that subnet.

sapien45

I concur, but it is best to prove your point with official Azure literature: https://learn.microsoft.com/en-us/azure/architecture/networking/guide/well-architected-network-address-translation-gateway

Jorex

I would say 2 subnets, because subnets are regional resources, hence they exist in all zones, and 6 NAT gateways (Virtual NAT refers to the virtual NAT gateway: https://docs.microsoft.com/en-us/azure/virtual-network/nat-gateway/nat-overview), because the NAT gateway is zonal, so you have to deploy a NAT gateway in each zone to have full redundancy. (https://docs.microsoft.com/en-us/azure/virtual-network/nat-gateway/nat-overview#virtual-network-nat-basics)

Arkadeep

1 subnet can have only 1 NAT gateway, so 6 subnets are required for 6 NAT gateways.

Sanaz90

Multiple NAT gateways can’t be attached to a single subnet.

Goofer

See: https://learn.microsoft.com/en-us/azure/virtual-network/nat-gateway/nat-availability-zones#zonal-nat-gateway-resource-for-each-zone-in-a-region-to-create-zone-resiliency

khanda

You can't attach multiple NAT gateways to a single subnet.

michealnghe

The correct answer must be 6 subnets / 6 NAT gateways: https://azure.microsoft.com/en-us/blog/ensure-zone-resilient-outbound-connectivity-with-nat-gateway/

DumpMaster69

1 subnet for all VMs hosting App1 in VNet1. 1 subnet for all VMs hosting App2 in VNet2. Subnets are zone-redundant. They consist of 3 zones, and an outage of 2 does not impact the workload. 1 NAT GW instance per VNet that stretches across all VMs in the 1 subnet. Answer is correct.

charrua86

According to this reference documentation, we must create a subnet for our resources in each availability zone; therefore, we must have 6 subnets and 6 NAT gateways to guarantee resilience. There would be 3 NAT gateways on VNet1 and 3 NAT gateways on VNet2. https://learn.microsoft.com/pt-br/azure/architecture/networking/guide/well-architected-network-address-translation-gateway#reliability

occupatissimo

NAT GW is a zonal resource. To have complete availability, configure 6+6.

MightyMonarch74

The correct answer should be 6 subnets with 6 NAT GWs, using a zonal NAT gateway resource for each zone in a region, as per https://docs.microsoft.com/en-us/azure/architecture/networking/guide/well-architected-network-address-translation-gateway

mein17

We cannot associate multiple NAT gateways to a single subnet. But can a single NAT gateway be applied to multiple subnets within a single VNet? If yes, then the answer is 6 subnets + 2 NAT gateways.

mein17

If no, then 6 subnets + 6 NAT gateways.

mein17

NAT gateway can provide outbound connectivity for virtual machines from other availability zones different from itself. The virtual machine’s subnet needs to be configured to the NAT gateway resource to provide outbound connectivity. Additionally, multiple subnets can be configured to the same NAT gateway resource. While virtual machines in subnets from different availability zones can all be configured to a single zonal NAT gateway resource, this configuration doesn't provide the most effective method for ensuring zone-resiliency against zonal outages.

mein17

So if we consider the most effective method, then 6 subnets + 6 NAT gateways would be the most fitting answer for this question.

roshingrg

The minimum number of subnets required is 6, and the minimum number of Virtual Network NAT instances required is 3. Here is the reasoning:

To meet the requirement that a failure of two zones must not affect the availability of either App1 or App2, we need to place the virtual machines for each app in at least two different zones. This means that we need a total of 6 zones, 3 for each app.

To meet the requirement that a failure of two zones must not affect the outbound connectivity of either App1 or App2, we need to place a Virtual Network NAT instance in each zone. This means that we need a total of 3 NAT instances.

Therefore, the minimum number of subnets required is 6, and the minimum number of Virtual Network NAT instances required is 3.

Answer: Minimum number of subnets: 6. Minimum number of Virtual Network NAT instances: 3.

roshingrg

The number of NAT instances that can be deployed in a single region is 1, 2, 6, or 12. Therefore, the minimum number of NAT instances required in this case is 2. The answer would then be: Minimum number of subnets: 6. Minimum number of Virtual Network NAT instances: 2.

I apologize for the error in my previous response.

DGriff

This is a quote from the guide: "NAT gateway can provide outbound connectivity for virtual machines from other availability zones different from itself. The virtual machine's subnet needs to be configured to the NAT gateway resource to provide outbound connectivity." In this case, there are two different availability zones. Each zone has a NAT gateway mapping VMs (subnets) from both zones (resiliency; availability). Thus, if one zone's gateway fails, the other zone's NAT provides outbound connectivity for VMs in the down zone.

AlainChk

In my opinion, we may also deploy one subnet spanning 3 zones, and one non-zonal NAT gateway per application. So in total 2 subnets and 2 non-zonal NAT gateways.

Quote from Azure: "If no zone is selected at the time that the NAT gateway resource is deployed, the NAT gateway is placed in no zone by default. When NAT gateway is placed in no zone, Azure places the resource in a zone for you. There isn't visibility into which zone Azure chooses for your NAT gateway. After NAT gateway is deployed, zonal configurations can't be changed. No zone NAT gateway resources, while still zonal resources, can be associated to public IP addresses from a zone, no zone, or that are zone-redundant."

p7vpki7qz

A] 3 subnets in VNet1, one for each availability zone. Same for VNet2. So the total is 6.

B] 1 NAT gateway for VNet1 that is zone-redundant, covering all three subnets/zones. Same for VNet2. So 2 in total.

RemmyT

The optimal solution: 6 subnets & 3 NAT gateways (VNet1 & VNet2 are in the same region).

1. NAT Gateway has high availability only in one zone.
2. If the zone that goes down is also the zone in which the NAT gateway has been deployed, then all outgoing traffic from virtual machines across all zones will be blocked.
3. A subnet cannot have more than one NAT gateway attached to it, and it is not possible to set up multiple NAT gateways on a single subnet.

https://azure.microsoft.com/en-us/blog/ensure-zone-resilient-outbound-connectivity-with-nat-gateway/

"Scenario 3: Deploy zonal NAT gateways with zonally configured VMSS for optimal zone resiliency. What is the optimal solution then for creating a secure, resilient, and scalable outbound setup? The solution is to deploy a VMSS in each availability zone, configure each to their own respective subnet and then attach each subnet to a zonal NAT gateway resource."

In our case: select 6 subnets & 6 VNAT.

RemmyT

A NAT GW can be associated only with subnets from one VNet. Error when trying to associate a subnet from VNet2: "The NAT gateway NAT-GW-Z1 cannot be associated with this subnet because it is associated with a subnet in the virtual network VNet1." So the answer is: 6 subnets & 6 NAT GWs.

Dholkawala

In Azure, subnets are not inherently zone-redundant. While Azure NAT Gateway can be deployed across availability zones for redundancy, subnets themselves do not automatically span multiple zones unless explicitly configured to do so. Therefore, to ensure that an outage of 2 zones does not impact the workload, you would need to create subnets that are zone-redundant by spanning them across multiple availability zones within the region. In this scenario, with three availability zones, it would be advisable to create at least 3 subnets per virtual network (VNet1 and VNet2) to achieve zone redundancy and ensure high availability for the workloads hosted in each subnet. 6 subnets / 2 NAT GWs.

NSF2

As far as I can see, the given answer is correct. See below. https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-overview#virtual-networks-and-availability-zone "Virtual networks and subnets span all availability zones in a region. You don't need to divide them by availability zones to accommodate zonal resources. For example, if you configure a zonal VM, you don't have to take into consideration the virtual network when selecting the availability zone for the VM. The same is true for other zonal resources."

groox

I think it will be 2 NATs, as these virtual networks are not peered and they will have their own NATs. The number of subnets won't change the number of NATs needed, because the subnets share the address space of the network they are in.

AzureLearner01

NAT gateway resources are highly available in one availability zone and span multiple fault domains. NAT gateway can be deployed to "no zone" in which Azure automatically selects a zone to place NAT gateway. NAT gateway can also be isolated to a specific zone by a user. Availability zone isolation cannot be provided, unless each subnet only has resources within a specific zone. Instead, deploy a subnet for each of the availability zones where VMs are deployed, align the zonal VMs with matching zonal NAT gateways, and build separate zonal stacks. For example, a virtual machine in availability zone 1 is on a subnet with other resources that are also only in availability zone 1. A NAT gateway is configured in availability zone 1 to serve that subnet. See the diagram at https://learn.microsoft.com/en-us/azure/architecture/networking/guide/well-architected-network-address-translation-gateway
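To make the thread's disagreement checkable, here is an added model (not from the exam page, the discussion, or Microsoft) that runs the candidate designs through every possible two-zone failure. It encodes only the rules quoted in the thread: a subnet can have at most one NAT gateway, a NAT gateway lives in exactly one zone even when deployed as "no zone" (Azure picks the zone and you cannot see which), and a subnet itself spans all zones. The app names, zone placements and the three designs are constructed for illustration.

```python
from itertools import combinations

ZONES = (1, 2, 3)

# A design is a list of subnets: (app, zones_with_vms, nat_gateway_zone).
# One NAT gateway per subnet, and that gateway sits in a single zone.
# This is a modelling assumption for the exercise, not an Azure API.


def app_available(subnets, failed):
    """Every app still has at least one VM in a zone that is up."""
    apps = {app for app, _, _ in subnets}
    return all(
        any(z not in failed
            for app_, vm_zones, _ in subnets if app_ == app
            for z in vm_zones)
        for app in apps
    )


def app_has_outbound(subnets, failed):
    """Every app has a running VM whose subnet's NAT gateway zone is also up."""
    apps = {app for app, _, _ in subnets}
    return all(
        any(nat_zone not in failed and any(z not in failed for z in vm_zones)
            for app_, vm_zones, nat_zone in subnets if app_ == app)
        for app in apps
    )


def worst_case(subnets):
    """First two-zone failure that breaks either requirement, or None."""
    for f in combinations(ZONES, 2):
        if not (app_available(subnets, set(f)) and app_has_outbound(subnets, set(f))):
            return f
    return None


def two_zone_resilient(subnets):
    """Both exam requirements hold for every two-zone failure."""
    return worst_case(subnets) is None


# Constructed candidate designs taken from the discussion (illustrative zones).
# 2 subnets + 2 NAT gateways: each subnet spans all zones, each NAT gateway lands in one zone.
DESIGN_2_SUBNETS_2_NAT = [("App1", ZONES, 1), ("App2", ZONES, 2)]
# 6 subnets + 2 NAT gateways: three zonal subnets per VNet share one NAT gateway.
DESIGN_6_SUBNETS_2_NAT = [(app, (z,), 1) for app in ("App1", "App2") for z in ZONES]
# 6 subnets + 6 zonal NAT gateways: one subnet per zone with a NAT gateway in the same zone.
DESIGN_6_SUBNETS_6_NAT = [(app, (z,), z) for app in ("App1", "App2") for z in ZONES]
```

Running `two_zone_resilient` on the three designs shows that both 2-subnet and shared-NAT designs keep the apps available but lose outbound connectivity whenever the NAT gateway's zone is one of the two that fail; only the zone-aligned 6/6 stack passes both requirements.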