Exam AZ-104 topic 5 question 29 discussion

Correct Answer: D There is no overlap between the VNets: VNet1: 10.0.0.0/16 - CIDR IP Range 10.0.0.0 - 10.0.255.255 VNet2: 10.10.0.0/24 - CIDR IP Range 10.10.0.0 - 10.0.0.255 Note: If a virtual network has address ranges that overlap with another virtual network or on-premises network, the two networks can't be connected. You can connect virtual networks (VNets) by using the VNet-to-VNet connection type. Virtual networks can be in different regions and from different subscriptions. When you connect VNets from different subscriptions, the subscriptions don't need to be associated with the same Active Directory tenant. Reference: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-vnet-vnet-resource-manager-portal https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways

Answer is correct. "D" . It is a VNET to VNET connection where there is no IP overlap exists. Also, No need to have the same Azure AD. They just need to have a Virtual network gateway to communicate using Public IP where it is secured using SSTP or IKEv2

on exam 1/4/2025

Virtual network gateway

D is correct

Question is outdated. We can create a peering between VNets in different subs and tenants following the steps provided in the article link below: https://learn.microsoft.com/en-us/azure/virtual-network/create-peering-different-subscriptions?tabs=create-peering-portal

no overlapping of IP here. vpn peering should work on different subscription however since not on the choices can do virtual network gateways. https://learn.microsoft.com/en-us/azure/virtual-network/create-peering-different-subscriptions?tabs=create-peering-portal "A virtual network peering can't be created between two virtual networks deployed through the classic deployment model. If you need to connect virtual networks that were both created through the classic deployment model, you can use an Azure VPN Gateway to connect the virtual networks."

Answer D is correct. Vnet Peering is unavailable because those subscriptions are under different tenants. That means the only way to connect is to use Vnet-toVnet connection type.

They could have just peered the two vNets as we can peer vNets in 2 different subscriptions. Can I enable virtual network peering if my virtual networks belong to subscriptions within different Microsoft Entra tenants? Yes. It's possible to establish virtual network peering (whether local or global) if your subscriptions belong to different Microsoft Entra tenants. You can do this via the Azure portal, PowerShell, or the Azure CLI. https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-faq

To connect VNet1 to VNet2, you need to create a site-to-site VPN connection between the two virtual networks. The first step to accomplish this is to provision virtual network gateways in both subscriptions. Therefore, the correct answer is: D. Provision virtual network gateways. Once the virtual network gateways are provisioned, you can configure the VPN connection between them to enable traffic to flow between VNet1 and VNet2. Moving VM1 to Subscription2 or modifying the IP address space of VNet2 is not required to establish the VPN connection between the two virtual networks. Similarly, moving VNet1 to Subscription2 is not required, but you may need to create a peering connection between the virtual networks after the VPN connection is established to enable communication between the virtual machines.

Correct Answer: D

D is correct

C. Modify the IP address space of VNet2. B/C you have 10.10.0.0/24 , no space for GatewaySubnet only after modifying address space, you can create Gw Subnet and then add gw for VNet-VNet

D is correct Create a virtual network ***( That is the Gateway Subnet)*** Create a VPN gateway, A resource that provides a virtual VPN appliance for the VNet. It is responsible for routing traffic from the on-premises network to the VNet

Answer is correct: (the VNets IP ranges are confusing many of you) VNet1: 10.0.0.0/16 - CIDR IP Range 10.0.0.0 - 10.0.255.255 VNet2: 10.10.0.0/24 - CIDR IP Range 10.10.0.0 - 10.0.0.255 As we see the VNet2 range is not part of the VNet1 IP range, So there is no overlap between these two VNets. and therefore no need to modify the IP address space of VNet2

Answer is correct. "D" . It is a VNET to VNET connection where there is no IP overlap exists.

Got to think this question is out of date. I wouldn't do any of the provided options. A global VNET peer achieves the required outcome, without the need for additional infrastructure.