Exam AZ-103 topic 4 question 8 discussion

Correct answer: B and D A. In this scenario, you must configure the peering connections to allow forwarded traffic. D. Routes will be necessary in order to route traffic from and to VNET1/VNET3 thru VM2 appliance. Wrong Answers: A. On the peering connections, use remote gateways. This will make spoke VNETs able to use a remote gateway say, in VNET2, but the question doesn't present such scenario. C. On the peering connections, allow gateway transit. This would be necessary in order to allow spoke VNETs use a gateway present in VNET2, which is not. The question doesn't present such scenario. E. Create a route filter. Route filters are used when configuring ExpressRoute circuits. "A route filter is essentially a white list of all the BGP community values. Once a route filter resource is defined and attached to an ExpressRoute circuit, all prefixes that map to the BGP community values are advertised to your network." Source: https://docs.microsoft.com/bs-latn-ba/azure/expressroute/how-to-routefilter-powershell?view=azurermps-6.9.0

Correct Answer is BD Spoke connectivity If you require connectivity between spokes, consider deploying Azure Firewall or an NVA for routing in the hub, and using UDRs in the spoke to forward traffic to the hub. The deployment steps below include an optional step that sets up this configuration. In this scenario, you must configure the peering connections to allow forwarded traffic. https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/hub-spoke

I remember doing a lab similar to this. So far as I can recall the answer should be B and D if you are using peering.

Answer is C&D C: With Gateway transit enabled on VNet peering, you can create a transit VNet that contains your VPN gateway, Network Virtual Appliance, and other shared services. When you use VNA as a gateway you need to add the routes to other vnets because they need to know how to reach the other network from the VNA

As per question hub and spoke is on azure side not on on prem side so i choose A. On the peering connections, use remote gateways. C. On the peering connections, allow gateway transit.

B and D. https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/hub-spoke?toc=%2fazure%2fvirtual-network%2ftoc.json#spoke-connectivity

BD or AC?

a,c are correct - refer https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-peering-gateway-transit In hub-and-spoke network architecture, gateway transit allows spoke virtual networks to share the VPN gateway in the hub, instead of deploying VPN gateways in every spoke virtual network

I found the following link from Microsoft Learn. Under topic “Consideration” >> “Spoke connectivity”, the scenario is almost the same as this question. If based on this document, the answer “B” and “D” should be the right correct. *** In this scenario, you must configure the peering connections to allow forwarded traffic. *** *** *** If you require connectivity between spokes, consider deploying Azure Firewall or an NVA for routing in the hub, and using UDRs in the spoke to forward traffic to the hub. *** UDR = user define route.

The answer is B & D, for sure. The answer given would be used if there was a VPN site-to-site connection between vnet2 and a on-premises network. This would allow the other networks to reach the on-premises. But for this question, only B & D are the correct steps.

You can also configure spokes to use the hub gateway to communicate with remote networks. To allow gateway traffic to flow from spoke to hub, and connect to remote networks, you must: Configure the peering connection in the hub to allow gateway transit. Configure the peering connection in each spoke to use remote gateways. Configure all peering connections to allow forwarded traffic. https://docs.microsoft.com/nl-nl/azure/architecture/reference-architectures/hybrid-networking/hub-spoke#architecture so why is B not an option ?

ans is B & D (Straight answer see blow) https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/hub-spoke#recommendations

A and C: https://docs.microsoft.com/nl-nl/azure/architecture/reference-architectures/hybrid-networking/hub-spoke#virtual-network-peering

solution: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-peering-gateway-transit

B&D are correct. If there was no NVA then it would be A&C but since an NVA is present in VNET 2 and set up as the router, we just create a route to that NVA and allow forwarded traffic

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-manage-peering#requirements-and-constraints notes under requirements and constraints that " You can use remote gateways or allow gateway transit in globally peered virtual networks and locally peered virtual networks." out of all the answers these two appear valid. imho.

I go for A,B & C Source: https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/hub-spoke Configure the peering connection in the hub to allow gateway transit. Configure the peering connection in each spoke to use remote gateways. Configure all peering connections to allow forwarded traffic. When I only have 2 options I think A & C is correct answer