Exam AZ-700 topic 2 question 17 discussion

You cannot assign more than one nat gw to a subnet. 6 subnets are required (3 in vnet1 and 3 in vnet2). Then assign zonal nat gateways to each subnet

I would say 2 subnets, because the subnets are regional resources, hence they exists in all zones and 6 NAT gateways (Virtual NAT refers to virtual NAT gateway: https://docs.microsoft.com/en-us/azure/virtual-network/nat-gateway/nat-overview), because the NAT gateway is zonal, so you have to deploy a NAT gateway in each zone to have the full redundancy. (https://docs.microsoft.com/en-us/azure/virtual-network/nat-gateway/nat-overview#virtual-network-nat-basics)

answers given are correct! this is a tricky, questions, it is not asking to span the subnet among regions but among availability zones! look here: Virtual networks and subnets span all availability zones in a region. You don't need to divide them by availability zones to accommodate zonal resources. https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-overview#virtual-networks-and-availability-zones

Each virtual network (VNet1 and VNet2) should have at least one subnet per application. Azure Virtual Network NAT (NAT gateway) operates at the subnet level, and for each subnet, you can associate a NAT gateway. You don’t need a separate subnet for each availability zone, because the subnets themselves span all availability zones. Therefore: You need one subnet for VNet1 for App1. You need one subnet for VNet2 for App2. To ensure availability in case two zones fail, you need to deploy one NAT gateway per virtual network. Azure NAT gateways are zone-redundant by default, meaning that a single NAT gateway can span multiple zones and provide high availability across all the zones in a region. You need one NAT gateway for VNet1 (App1). You need one NAT gateway for VNet2 (App2). Total: 2 NAT gateways (1 per VNet).

This is a quote from the guide "NAT gateway can provide outbound connectivity for virtual machines from other availability zones different from itself. The virtual machine’s subnet needs to be configured to the NAT gateway resource to provide outbound connectivity." In this case, there are two different availability zones. Each zone has a NAT gateway mapping VMs (subnets) from both zones (resiliency; availability). Thus, if one zone gateway fails, the other zone NAT provides outbound connectivity for VMs in the down zone.

In my opinion, we may also deploy one subnet spanning 3 zones, and one nonzonal NAT gateway per application. So in total 2 subnets and 2 nonzonal NAT Gateways. Quote from Azure: If no zone is selected at the time that the NAT gateway resource is deployed, the NAT gateway is placed in no zone by default. When NAT gateway is placed in no zone, Azure places the resource in a zone for you. There isn't visibility into which zone Azure chooses for your NAT gateway. After NAT gateway is deployed, zonal configurations can't be changed. No zone NAT gateway resources, while still zonal resources can be associated to public IP addresses from a zone, no zone, or that are zone-redundant.

A] 3 subnets in VNet1, one for each availability zone. Same for VNet2. So total is 6. B] 1 NAT gateway for VNet1 that is zone-redundant, covering all three subnets/zones. Same for VNet2. So 2 in total.

The optimal solution : 6 subnets & 3 NAT Gateways (vnet1 & vnet 2 are in the same region). 1. NAT Gateway has high availability only into one zone 2. If the zone that goes down is also the zone in which NAT gateway has been deployed then all outgoing traffic from virtual machines across all zones will be blocked. 3. A subnet cannot have more than one NAT gateway attached to it and it is not possible to set up multiple NAT gateways on a single subnet. https://azure.microsoft.com/en-us/blog/ensure-zone-resilient-outbound-connectivity-with-nat-gateway/ Scenario 3: Deploy zonal NAT gateways with zonally configured VMSS for optimal zone resiliency What is the optimal solution then for creating a secure, resilient, and scalable outbound setup? The solution is to deploy a VMSS in each availability zone, configure each to their own respective subnet and then attach each subnet to a zonal NAT gateway resource In our case: select 6 subnets & 6 VNAT

In Azure, subnets are not inherently zone-redundant. While Azure NAT Gateway can be deployed across availability zones for redundancy, subnets themselves do not automatically span multiple zones unless explicitly configured to do so. Therefore, to ensure that an outage of 2 zones does not impact the workload, you would need to create subnets that are zone-redundant by spanning them across multiple availability zones within the region. In this scenario, with three availability zones, it would be advisable to create at least 3 subnets per virtual network (VNet1 and VNet2) to achieve zone redundancy and ensure high availability for the workloads hosted in each subnet1 6 subnets/ 2 NAT GW

As fas I can see, the given answer is correct. See below. https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-overview#virtual-networks-and-availability-zone "Virtual networks and subnets span all availability zones in a region. You don't need to divide them by availability zones to accommodate zonal resources. For example, if you configure a zonal VM, you don't have to take into consideration the virtual network when selecting the availability zone for the VM. The same is true for other zonal resources."

1 subnet for all VMs hosting App1 in VNet1. 1 subnet for all VMs hosting App2 in VNet2. Subnets are zone-redundant. They consist of 3 zones and an outage of 2 does not impact the workload. 1 NAT GW instance per VNet that stretch all VMs per 1 subnet. Awnser is correct.

I think it will be 2 NATs as these Virtual Networks are not peered and they will have their own NATs. No of subnets wont change the no of NATs needed because the subnets share the address space from the network they are in.

We cannot associate multiple NAT Gatways to single subnet. But Can a single NAT Gateway be applied to multiple subnets within a single VNet?? If yes then the answer is = 6 Subnets + 2 NAT Gatways.

according to this reference documentation, we must create a subnet for our resources in each availability zone, therefore, we must have 6 subets and 6 nat gateway to guarantee resilience. There would be 3 Nat gateways on vnet 1 and 3 nat gateways on vnet 2. https://learn.microsoft.com/pt-br/azure/architecture/networking/guide/well-architected-network-address-translation-gateway#reliability

The minimum number of subnets required is 6, and the minimum number of Virtual Network NAT instances required is 3. Here is the reasoning: To meet the requirement that a failure of two zones must not affect the availability of either App1 or App2, we need to place the virtual machines for each app in at least two different zones. This means that we need a total of 6 zones, 3 for each app. To meet the requirement that a failure of two zones must not affect the outbound connectivity of either App1 or App2, we need to place a Virtual Network NAT instance in each zone. This means that we need a total of 3 NAT instances. Therefore, the minimum number of subnets required is 6, and the minimum number of Virtual Network NAT instances required is 3. Answer: Minimum number of subnets: 6 Minimum number of Virtual Network NAT instances: 3

NAT GW is a zonal resource To have complete availability configure 6+6

Correct answer must be 6 subnets 6 NAT Gateways https://azure.microsoft.com/en-us/blog/ensure-zone-resilient-outbound-connectivity-with-nat-gateway/