Exam AZ-301 topic 6 question 8 discussion

1. From VM1 traffic destined to the Azure Key Management Service will be routed to the network virtual appliance. > If "Azure Key Management Service" refers to an "Azure Key Vault" which is missing on the picture, then the default behaviour would be to reach it via public IP/internet. However there is no clear hint in the picture. Still I would answer "Yes" 2. From VM1, traffic destined to the Azure file share will be routed to the internet. > This won't be routed through the internet, as there is a service endpoint. This adds an additional route that will have a longer prefix and therefor directly route traffic to it. So answer is "No" 3. From VM1, traffic destined to the Azure SQL database will be routed to the internet. > I think we can assume SQL DB having a public IP (picture shows no private link). Now VM1 looks up it's local routing table, doesn't find a match and forwards it to it's default gateway. Now the UDR kicks in and forwards it to the NVA. From here on I'd say we can only guess. The text gives us no clue about a specific route so I'd assume a default route pointing to the internet as well. So I would answer "Yes".

VNet Endpoints are added to the route table as system routes. Azure selects routes in the following order: 1. User-Defined route 2. BGP route 3. System route So the answers are correct.

Yes No No

100% Sure ans is - (tried and tested) Yes No Yes (SQL request will go to NVA) When you override the 0.0.0.0/0 address prefix, in addition to outbound traffic from the subnet flowing through the virtual network gateway or virtual appliance Azure sends all traffic to the next hop type specified in the route, including traffic destined for public IP addresses of Azure services. When you create a user-defined or BGP route with a Virtual network gateway or Virtual appliance next hop type however, all traffic, including traffic sent to public IP addresses of Azure services you haven't enabled service endpoints for, is sent to the next hop type specified in the route. https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview

given answer is correct.

Here is ExpressRoute. so for last 2 options NO. First - Yes

As mentioned in the question, 0.0.0.0/0 address prefix with a custom route goes to the NVA. so traffic stays on the Azure backbone.

If the destination address is for one of Azure's services, Azure routes the traffic directly to the service over Azure's backbone network, rather than routing the traffic to the Internet. Traffic between Azure services does not traverse the Internet, regardless of which Azure region the virtual network exists in, or which Azure region an instance of the Azure service is deployed in. Azure SQL and Azure File are Azure services, so traffic is not routed through the internet, but directly through the Azure backbone. You can override Azure's default system route for the 0.0.0.0/0 address prefix with a custom route.

Answers are correct, as all the request routed to virtual appliance and nothing to internet.

There is no internet access anywhere, all traffic is routed through NVA, as per 0.0.0.0/0 in the UDR. Express Route it doesn't flow through internet, is and isolated connection straight away to Azure.

Given answers correct. 'You can define a route with 0.0.0.0/0 as the address prefix and a next hop type of virtual appliance, enabling the appliance to inspect the traffic and determine whether to forward or drop the traffic. '

give answers correct

All answers are correct, refer this: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview

I think User Defined Routes come before any other, including Service Endpoints

should be no routing to the storage account - its end point should be on same subnet as per diagram, so no need to use default route 0.0.0.0

i agree for answer 1 & 3 but not for 2. If there is a service endpoint, you contact directly the Azure File. It has priority over the 0.0.0.0/0 in the same udr. "VirtualNetworkServiceEndpoint: The public IP addresses for certain services are added to the route table by Azure when you enable a service endpoint to the service. Service endpoints are enabled for individual subnets within a virtual network, so the route is only added to the route table of a subnet a service endpoint is enabled for."

Is there a UDR from VM1 to the Azure SQL DB? The drawing looks like there's only a UDR to Azure Files. So, wouldn't the 3rd statement (VM1 to Azure SQL DB) be 'Yes' (routed to the Internet)?