Exam AZ-500 topic 4 question 89 discussion

Yes: Rt1 will route from Subnet1-1 to any IP (0.0.0.0/0) including Subnet2-1 to the FW (10.1.3.4) Yes: Rt3 will route from Subnet2-1 to Subnet1-1 (10.1.1.0/24) to the FW (10.1.3.4) No: There is no configured route from Subnet3-1 to the internet via FW, thus it will go directly to the internet bypassing the FW

it's YYN

NYN 1st inter VNET Connection will take priority over default route. 2 nd yes, as there is /24 route to the subnet forwarding to NVA(Firewall) 3rd there is no default route looking towards NVA (Firewall)

First one should be NO Link: https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview

Explanation: Yes: Rt1 will route from Subnet1-1 to any IP (0.0.0.0/0) including Subnet2-1 to the FW (10.1.3.4) Yes: Rt3 will route from Subnet2-1 to Subnet1-1 (10.1.1.0/24) to the FW (10.1.3.4) No: There is no configured route from Subnet3-1 to the internet via FW, thus it will go directly to the internet bypassing the FW

NYN When determining which route to choose, Azure, or any router using the longest prefix match algorithm, will select the route that provides the "longest" match with the destination IP address.

Answer: YYN Explanation of 1st question only(cuz here is many confussion): Routing VM1 -> Subnet1 -> Vnet -> Subnet2 -> VM2 In Azure, route tables are managed by Azure itself, and you typically don't interact directly with the underlying routing tables. Azure handles the routing between subnets within a VNet based on the VNet's configuration. Routing VM1 -> Subnet1 -> RT1 -> FW1 -> ... Where in Azure, routing tables are applied to subnets within a virtual network.

Y, Y, N ALL TRAFFIC FOR 1-1 GOES THROUGH THE FIREWALL VIA 0.0.0.0/0 SO THAT IS A NO BRAINER. TRAFFIC FROM 2-1 TO 1-1 IS ROUTED TO GO THROUGH THE FW AS PER THE NEXT HOP LISTED. TRAFFIC FROM 3-1 TO THE INTERNET IS NOT AS THE ONLY TRAFFIC ROUTED TO THE FW AS A NEXT FROM 3-1 TRAFFIC GOING TO 10.2.1/24 SUBNET.

Firewall is in VNet1. Peerings are like: • VNET1 (10.1.0.0/16) <=> VNET2(10.2.0.0/16) <=> VNET3(10.3.0.0/16) So, 1. NO, traffic from Subnet1-1 to Subnet2-1 will not go through FW1. The IP address prefix is too low. VNET1 is 10.1.0.0/16 so it will have systemroute of 10.1.0.0/16 => LOCAL applied to all it's subnets. Routing table priority in such topologies is from smallest to highest prefixes ranges, leading to traffic between the subnets1-* in same VNet1 not going through FW1, except if a UDR higher than /16 is created. 2. YES, traffic from Subnet2-1 to Subnet1-1 is routed through FW1: Subnet2-1 well have the Subnet1-1 (10.1.1.0/24) included in it's UDR prefix with the FW as next hop. Even the answer from Subnet1-1 would be OK as Subnet2-1 is not in VNet1 so the UDR applied on Subnet1-1 would make it's job and route traffic to FW1. 3. NO, traffic from Subnet3-1 to internet is not routed through FW1: It's UDR prefix is wrong (must've been 0.0.0.0/16); And even with this, VNet3 is not directly peered with VNet1. As peerings are not transitive, the routed traffic from subnets in VNet3 to the FW1 in VNet1 would never reach FW1.

NYN RT1 has 0.0.0.0/0 to Firewall.Which means any traffic to internet or peered Vnets will go over firewall.Subnet1-1 and Subnet1-2 are on the same Vnet.So subnet to subnet will not go over the firewall unless you specify in RT1 Subnet1-2(10.1.2.0.24) to firewall RT3 has Subnet1-1(10.1.1.0/24) to firewall. This means traffic from subnet2-1 to subnet1-1 will go over the firewall RT4 has Subnet2-1(10.2.1.0/24) to firewall.This means traffic from Subnet3-1 to Subnet2-1 will go over the firewall. It does not have 0.0.0.0/0 to firewall, therefor internet will not go over the firewall.

I would say Yes, Yes, Yes Box 3: virtual machines created in a virtual network without explicit outbound connectivity defined are assigned a default outbound public IP address.

Y,N,N; Y; traffic matches Rt1 N; Rt3, IP address prefix does not match subnet IP range. N; Rt4, IP address prefix does not match subnet IP range.

YYN is the answer. https://learn.microsoft.com/en-us/azure/firewall/tutorial-firewall-deploy-portal-policy

Great, it seems we are all on the same page...LOL!

it's NYN N. this is a system route, subnet to subnet, there is no specific user RT applied here to override the system default Y. there is a specific user RT to override the system default N. there is no peering between VNET1 and VNET3 to allow subnet 3-1 to reach the firewall as a a NH -> firewall -> to the internet. + there is no user RT applied to the subnet 3-1

YES YES YES

N. VNET1 has two networks in the 10.1.0.0/16 range, no routing through the firewall should be needed on the same subnet. Y, routed through FW1 (different subnet) Y, internet 0/0.0.0.0 (any host/any network) through FW1