Exam AZ-700
Question 136

HOTSPOT -

You configure a route table named RT1 that has the routes shown in the following table.

You have an Azure virtual network named Vnet1 that has the subnets shown in the following table.

You have the resources shown in the following table.

Vnet1 connects to an ExpressRoute circuit. The on-premises router advertises the following routes:

✑ 0.0.0.0/0

✑ 10.0.0.0/16

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Hot Area:

    Correct Answer:

    Box 1: Yes -

    NVA1 (NVA: network virtual appliance), with IP address 192.168.0.4, is on the DMZ subnet. It will use the 10.0.0.0/16 route to reach the on-premises network.

    Box 2: No -

    VM2 has IP address 192.168.2.4 and is on the BackEnd subnet. VM2 will not use the RT1 route table, and will not reach the on-premises network through NVA1.

    Box 3: Yes -

    VM1 with IP address 192.168.1.4 is on the FrontEnd subnet, and will use the RT1 routing table. It will use Route2 and Next Hop IP address 192.168.0.4, IP address of NVA1, to reach VM2.

Discussion
Cristoicach91

YNN. Route 0.0.0.0/0 is advertised to NVA from on-prem. VM2 learns route 10.0.0.0/16 from on-prem. VM1 and VM2 are in different subnets, but same virtual network, there is a system route that is a better match than the one in the route table.

Chriscrown

YNY. Box 3 is yes as it is using the UDR (RT1), which points to the NVA as its default gateway. UDR gets higher priority. https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview

mav3r1ck

Agree. If multiple routes contain the same address prefix, Azure selects the route type, based on the following priority:
- User-defined route
- BGP route
- System route

Lrrr_FromOmicronPersei8

Well no, you get a longer prefix system-generated route with a next-hop type VnetLocal, therefore YNN.

TJ001

VNET route is more specific address than 0/0 UDR .. so I will go with YNN

sapien45

Perfect Answer. Both below answers are based on not reading: ONLY if multiple routes contain the SAME address prefix, UDR prevails

prabhjot

The last answer is N (as RT will override the System route) as RT is applied on the VM1 via the subnet

jellybiscuit

YNY
UDRs exist for a reason: to override the default behavior of Azure routing.
- It is correct that there is a default route that would allow VM1 to communicate with VM2
- that route is superseded by the UDR
- Someone has intentionally decided that all outbound traffic from the frontend subnet should pass through the NVA (firewall).
It is important to know that the other routes exist and in what order they are used:
1) User-defined
2) BGP
3) system/default
Just remember that if they show you a route table, it is a UDR and is always in-use. If you want to see the full list of routes, find it by looking at Effective Routes from the portal.

Prutser2

not always, there is still the mechanism of the longest match, for instance in box 3, even though there is a UDR, the longest match is still the route that dictates that subnets within the same vnet can flow.

mickeysonix

Thought similar, but Azure uses the longest prefix match algorithm and only after that it uses UDRs. So VNet2 has a system defined route of longer prefix than BGP ones and UDRs and therefore traffic is direct.

eVo3000

YNN
https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview#how-azure-selects-a-route
"When outbound traffic is sent from a subnet, Azure selects a route based on the destination IP address, using the longest prefix match algorithm[...]If multiple routes contain the same address prefix, Azure selects the route type, based on the following priority:
1. User-defined route
2. BGP route
3. System route"
In our case, we do not take the default route

GBAU

Important omission to the above details from that page: Note System routes for traffic related to virtual network, virtual network peerings, or virtual network service endpoints, are preferred routes, even if BGP routes are more specific.
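
The selection rule quoted from the Azure documentation in this thread (longest prefix match first, then user-defined over BGP over system for equal prefixes), as an added example that is not part of the original discussion. The VNet address space 192.168.0.0/16, the contents of RT1 (a single 0.0.0.0/0 route to NVA1) and the destination addresses are assumptions, because the question's tables are not reproduced on this page; the extra /24 route is a constructed case showing a user-defined route that is more specific than the VNet system route.

```python
import ipaddress
from dataclasses import dataclass

# Tie-break order for routes with the SAME prefix (lower value wins).
PRIORITY = {"user": 0, "bgp": 1, "system": 2}

@dataclass(frozen=True)
class Route:
    prefix: str    # CIDR address prefix
    source: str    # "user", "bgp" or "system"
    next_hop: str  # next hop type, or the appliance IP for a UDR

def select_route(routes, destination):
    """Longest prefix match first; route type only breaks ties."""
    dest = ipaddress.ip_address(destination)
    matches = [r for r in routes if dest in ipaddress.ip_network(r.prefix)]
    if not matches:
        return None
    return min(matches, key=lambda r: (
        -ipaddress.ip_network(r.prefix).prefixlen, PRIORITY[r.source]))

def effective_next_hop(routes, destination):
    route = select_route(routes, destination)
    return route.next_hop if route else "Dropped"

# Constructed route sets (assumptions, see lead-in). This simplified model
# does not cover the documented exception that VNet, peering and service
# endpoint system routes are preferred over more specific BGP routes.
NVA1 = "192.168.0.4"
BASE = [
    Route("192.168.0.0/16", "system", "VnetLocal"),   # assumed VNet space
    Route("0.0.0.0/0", "system", "Internet"),
    Route("0.0.0.0/0", "bgp", "VirtualNetworkGateway"),    # from on-premises
    Route("10.0.0.0/16", "bgp", "VirtualNetworkGateway"),  # from on-premises
]
BACKEND = BASE                                         # no route table
FRONTEND = BASE + [Route("0.0.0.0/0", "user", NVA1)]   # assumed RT1 content
FRONTEND_SUBNET_UDR = FRONTEND + [Route("192.168.2.0/24", "user", NVA1)]

if __name__ == "__main__":
    tables = {"BackEnd": BACKEND, "FrontEnd": FRONTEND,
              "FrontEnd + /24 UDR": FRONTEND_SUBNET_UDR}
    for name, table in tables.items():
        for dst in ("192.168.2.4", "10.0.1.10", "203.0.113.10"):
            print(f"{name:20} {dst:14} -> {effective_next_hop(table, dst)}")
```
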

andry79

Tested in lab, is YNN

crypto700

YNN, VM1 will get to VM2 without NVA because they are in the same Vnet.

Lazylinux

YNN is my answer for 3rd it is on same vnet and there is no overriding route in the NVA and hence default route will take place i.e. internal GWY and hence direct traffic

AzureLearner01

My answer is Yes, No, No. I think Q1 and Q2 are obvious, but Q3 is not. UDR will overwrite the system route but only if you create a specific route, not the default route 0.0.0.0/0. The default route 0.0.0.0/0 would not overwrite the system route, so next hop is the internal GW from the subnet and not the NVA. To verify this theory I've created a UDR that routes traffic from the subnet of VM1 to the subnet of VM2 over the NVA. Traffic from VM1 will go over the NVA to VM2 even if they are in the same VNet.

jotajotajeje

YNN.
1. Route 0.0.0.0/0 is advertised to NVA from on-prem and it doesn't have a routing table.
2. VM2 has no routing table, hence it will go via the 0.0.0.0/0 advertised via BGP from the on-premises router, which has more priority than system route 0.0.0.0/0 to internet via Azure network.
3. VM1 and VM2 are in different subnets, but same virtual network. There is a system route in every subnet/VM interface that has the network and mask of the entire VNET where the subnet is, therefore, as it has a prefix length bigger than the default route, it will prefer going directly from VM to VM.

ejml

Default routes of the one subnet are the address space of its virtual network and virtual networks peered. In the worst case, when both routes (UDR and System Route) UDR has higher priority. Answer is YNY

JWYANG

YNY Azure automatically added this route for all subnets within Virtual-network-1, because 10.0.0.0/16 is the only address range defined in the address space for the virtual network. If the user-defined route in route ID2 weren't created, traffic sent to any address between 10.0.0.1 and 10.0.255.254 would be routed within the virtual network, because the prefix is longer than 0.0.0.0/0, and not within the address prefixes of any of the other routes. Azure automatically changed the state from Active to Invalid, when ID2, a user-defined route, was added, since it has the same prefix as the default route, and user-defined routes override default routes. The state of this route is still Active for Subnet2, because the route table that user-defined route, ID2 is in, isn't associated to Subnet2. https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview#routing-example

mickeysonix

Thought similar, but Azure uses the longest prefix match algorithm and only after that it uses UDRs. So VNet2 has a system defined route of longer prefix than BGP ones and UDRs and therefore traffic is direct.

sapien45

YNN. Read the link in its entirety ! Especially the implementation example. The very same routes are being displayed. Route ID1 is not invalidated by route ID12 because the prefix is longer than 0.0.0.0/0

Fule

I will go with YNY, "Azure automatically creates system routes and assigns the routes to each subnet in a virtual network. You can't create system routes, nor can you remove system routes, but you can override some system routes with custom routes." so basically means custom routes is a better match than the system, which is somehow logical, you want to manipulate with system routes in some scenario. https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview

Kafura

https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview#:~:text=When%20you%20create%20a%20route%20table%20and%20associate%20it%20to%20a%20subnet%2C%20the%20table%27s%20routes%20are%20combined%20with%20the%20subnet%27s%20default%20routes.%20If%20there%20are%20conflicting%20route%20assignments%2C%20user%2Ddefined%20routes%20will%20override%20the%20default%20routes.

AlainChk

Just a comment: what is the use of Route 2 if 0.0.0.0/0 is routed to the NVA?

LieJ0n

YNY https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview#default-route When you override the 0.0.0.0/0 address prefix, not only does outbound traffic from the subnet flow through the virtual network gateway or virtual appliance, but the following changes also occur with Azure's default routing

azure_dori

My 2 cents are: YNY The third question is No, because VM1 and VM2 are in different subnets and Route1 means that the traffic between the subnets of Vnet1 goes through NVA1. Only if VM1 and VM2 are in the same subnet => the traffic between them flows directly. https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview#routing-example

azure_dori

I mean "The third question is" Yes, of course. Sorry for the typo.

Hajji

YNY When you create a route table and associate it to a subnet, the table's routes are combined with the subnet's default routes. If there are conflicting route assignments, user-defined routes will override the default routes. https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview

DeepMoon

Given Answers are incorrect. Correct Answers:
Q1: Yes. Why? Because On-Prem router advertises 0.0.0.0/0 route to the NVA through an Express Route. We are not told NVA has any other route.
Q2: Yes. Why? Because VM2 is on backend subnet (192.168.2.0/24), it has no UDR. But NVA1 is advertising all the routes on its table (that includes what it learned from On-Prem) to all of VNet1. NVA1 knows how to get to 10.0.0/16 network via On-Prem router.
Q3: No. Why? Because VM1 & VM2 are in VNET1. Azure by default knows how to route traffic between its subnets without needing UDRs.