Exam AZ-700 topic 3 question 40 discussion

I think it must be 1, both vnets are peered so we don't need to add an IP from each vnet.

peered so one IP can access both networks

A is the answer This is really typical silly MS question nothing but confusing!! If vNET networks are period than both networks can communicate free with each other via th Microsoft Backbone NOT gateway and they only way to control resource access from one Vnet to another is via NSG. The only time you will need a Gateway is when you have on-Prem access requirements from Peered vNETS than ONLY one vNET can have gateway and other uses it as transit point to on-prem. Also all subnets within the same vNET can communicate free with each other So having 1 VM inspect and route traffic between all the subnets on both the virtual networks DOES NOT MAKE SENSE but anyway it requires 1 IP but if the vNETs were NOT peered than the VM acts as router and in that case 2 IPs

agree with Jonav94

https://learn.microsoft.com/en-us/azure/firewall/firewall-faq#can-azure-firewall-forward-and-filter-network-traffic-between-subnets-in-the-same-virtual-network-or-peered-virtual-networks Can Azure Firewall forward and filter network traffic between subnets in the same virtual network or peered virtual networks? Yes. However, configuring the UDRs to redirect traffic between subnets in the same VNET requires additional attention. While using the VNET address range as a target prefix for the UDR is sufficient, this also routes all traffic from one machine to another machine in the same subnet through the Azure Firewall instance. To avoid this, include a route for the subnet in the UDR with a next hop type of VNET. Managing these routes might be cumbersome and prone to error. The recommended method for internal network segmentation is to use Network Security Groups, which don't require UDRs.