Exam AZ-700 topic 1 question 13 discussion

Actual exam question from Microsoft's AZ-700
Question #: 13
Topic #: 1

You have an Azure virtual network named Vnet1 and an on-premises network. The on-premises network has policy-based VPN devices.
In Vnet1, you deploy a virtual network gateway named GW1 that uses a SKU of VpnGw1 and is route-based.
You have a Site-to-Site VPN connection for GW1 as shown in the following exhibit.

You need to ensure that the on-premises network can connect to the route-based GW1.
What should you do before you create the connection?

  • A. Set Connection Mode to ResponderOnly.
  • B. Set BGP to Enabled.
  • C. Set Use Azure Private IP Address to Enabled.
  • D. Set IPsec / IKE policy to Custom.
Suggested Answer: D 🗳️

Comments

[Removed]
Highly Voted 2 years, 1 month ago
D. Set IPsec / IKE policy to Custom. In order to ensure that the on-premises network can connect to the route-based virtual network gateway, you need to set the IPsec / IKE policy to Custom. The default policy settings for a virtual network gateway are not compatible with policy-based VPN devices. By setting the IPsec / IKE policy to Custom, you can configure the policy to match the requirements of the on-premises VPN devices. Option A, "Set Connection Mode to ResponderOnly," is not a valid option for a route-based VPN gateway. Option B, "Set BGP to Enabled," is not necessary to enable connectivity between a route-based gateway and a policy-based VPN device. Option C, "Set Use Azure Private IP Address to Enabled," is not relevant to this scenario. This setting is used to specify whether the virtual network gateway should use a private or public IP address for the VPN connection.
upvoted 27 times
...
RageshBethapudi
Highly Voted 2 years, 8 months ago
correct answer is D. https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-connect-multiple-policybased-rm-ps
upvoted 16 times
...
620b351
Most Recent 7 months, 4 weeks ago
Selected Answer: D
Correct answer is D. BGP is not mandatory to have a S2S VPN.
upvoted 1 times
...
vDreams
1 year, 8 months ago
Correct answer is D. BGP will trade routes, not the algorithm to set up the VPN. Also, as per documentation (https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-bgp-overview#why), it is an optional feature to use as Route-Based.
upvoted 1 times
...
khanda
2 years, 1 month ago
Selected Answer: D
Correct answer is D
upvoted 1 times
...
Chezzer83
2 years, 1 month ago
Selected Answer: D
I assumed D for this. BGP is not required to configure a VPN connection.
upvoted 2 times
...
where2go
2 years, 1 month ago
It's D --- The configuration option is part of the custom IPsec/IKE connection policy. If you enable the policy-based traffic selector option, you must specify the complete policy (IPsec/IKE encryption and integrity algorithms, key strengths, and SA lifetimes).
upvoted 1 times
...
bennasu
2 years, 2 months ago
If you set the IPsec/IKE config to default, under most circumstances the Azure VPN GW will automatically match the on-prem firewall's IPsec Phase 1 and Phase 2 configuration (modern FW like FortiGate, SonicWall). But if you are using Cisco ASA then it's a different story. You would need to configure the phase manually.
upvoted 1 times
...
Bbb78
2 years, 3 months ago
I am not sure any of the 4 answers are correct. Mainly because this is ENABLED - "Use policy based traffic selector"... if the on-prem device(s) is route-based then this is not needed?
upvoted 1 times
...
sserna
2 years, 3 months ago
On the exam 20/01/2023
upvoted 2 times
...
mm2
2 years, 4 months ago
Selected Answer: D
Route-based also means static routes and all other routing protocols, whereas policy-based is based on configured networks that should be routed for this specific VPN. From a network perspective, route-based uses the ROUTING TABLE to make the routing decision; this includes all directly connected networks and the mentioned static routes. Making an assumption that BGP=Route-based is a must is wrong, imho; however, you can configure route-based to communicate with multiple policy-based devices. Please notice POLICY-BASED DEVICES for on-prem, not DEVICE [one]; there are multiple in the question.
upvoted 2 times
...
mm2
2 years, 4 months ago
Route-based also means static routes and all other routing protocols, whereas policy-based is based on configured networks that should be routed for this specific VPN. From a network perspective, route-based uses the ROUTING TABLE to make the routing decision; this includes all directly connected networks and the mentioned static routes. Making an assumption that BGP=Route-based is a must is wrong, imho.
upvoted 1 times
...
zukako
2 years, 4 months ago
You don't have to set BGP if on-premises is act/standby.
upvoted 1 times
...
Andre369
2 years, 5 months ago
Selected Answer: D
correct answer is D. https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-connect-multiple-policybased-rm-ps
upvoted 1 times
...
JRodJ
2 years, 5 months ago
I don't think any of these answers is correct. In order to talk to on premises there is another button that must be enabled not visible on this screenshot. Use custom traffic selectors and it needs to be enabled. I have verified this works by configuring it at my customer's location with 3 separate sites.
upvoted 1 times
...
Libaax01
2 years, 6 months ago
The correct answer is D; you cannot have a policy-based VPN on one end and a route-based VPN on the other. Both ends need to match on the type of VPN being used.
upvoted 1 times
...
Prutser2
2 years, 7 months ago
Selected Answer: D
Previously, when working with policy-based VPNs, you were limited to using the policy-based VPN gateway Basic SKU and could only connect to 1 on-premises VPN/firewall device. Now, using custom IPsec/IKE policy, you can use a route-based VPN gateway and connect to multiple policy-based VPN/firewall devices. To make a policy-based VPN connection using a route-based VPN gateway, configure the route-based VPN gateway to use prefix-based traffic selectors with the option "PolicyBasedTrafficSelectors", as per https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-connect-multiple-policybased-rm-ps
upvoted 4 times
...
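The custom IPsec/IKE policy with policy-based traffic selectors that the comments above describe, as an added Az PowerShell example that is not part of the original discussion. GW1 comes from the question; the resource group, local network gateway name, connection name, pre-shared key, algorithm choices and the "weak" list are assumptions, and the algorithms must be set to match the on-premises device.

```powershell
# Added example. GW1 is from the question; all other names/values are assumed placeholders.
$rg       = 'RG1'                 # assumed resource group
$lngName  = 'OnPremSite1'         # assumed local network gateway for the on-premises device
$connName = 'GW1-to-OnPremSite1'  # assumed connection name
$psk      = '<pre-shared-key>'    # placeholder; read from a secret store, do not hard-code

$gw  = Get-AzVirtualNetworkGateway -Name 'GW1' -ResourceGroupName $rg
$lng = Get-AzLocalNetworkGateway -Name $lngName -ResourceGroupName $rg

# With policy-based traffic selectors the complete policy must be specified:
# IKE and IPsec encryption/integrity, DH and PFS groups, and SA lifetimes.
# These values are assumptions and have to equal the on-premises settings.
$policy = New-AzIpsecPolicy `
    -IkeEncryption AES256 -IkeIntegrity SHA256 -DhGroup DHGroup14 `
    -IpsecEncryption AES256 -IpsecIntegrity SHA256 -PfsGroup PFS2048 `
    -SALifeTimeSeconds 27000 -SADataSizeKilobytes 102400000

# Create the Site-to-Site connection with the custom policy attached.
New-AzVirtualNetworkGatewayConnection -Name $connName `
    -ResourceGroupName $rg -Location $gw.Location `
    -VirtualNetworkGateway1 $gw -LocalNetworkGateway2 $lng `
    -ConnectionType IPsec -SharedKey $psk `
    -IpsecPolicies $policy -UsePolicyBasedTrafficSelectors $true

# Verify what was actually applied to the connection.
$conn = Get-AzVirtualNetworkGatewayConnection -Name $connName -ResourceGroupName $rg
if (-not $conn.UsePolicyBasedTrafficSelectors) {
    throw "Policy-based traffic selectors are not enabled on $connName"
}
if (-not $conn.IpsecPolicies) {
    throw "No custom IPsec/IKE policy on $connName (default policy in use)"
}

# Flag legacy algorithms that an old policy-based device may have forced
# into the policy (assumed review list; adjust to your own baseline).
$weak = 'DES', 'DES3', 'MD5', 'SHA1', 'DHGroup1', 'DHGroup2', 'PFS1', 'PFS2'
foreach ($p in $conn.IpsecPolicies) {
    $used = $p.IkeEncryption, $p.IkeIntegrity, $p.DhGroup,
            $p.IpsecEncryption, $p.IpsecIntegrity, $p.PfsGroup
    $hits = $used | Where-Object { $_ -in $weak }
    if ($hits) { Write-Warning "Legacy algorithms in policy: $($hits -join ', ')" }
}
```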