Exam AZ-700 topic 3 question 28 discussion

YNN. Route 0.0.0.0/0 is advertised to NVA from on-prem. VM2 learns route 10.0.0.0/16 from on-prem. VM1 and VM2 are in different subnets, but same virtual network, there is a system route that is a better match than the one in the route table.

YNY UDRs exist for a reason: to override the default behavior of Azure routing - It is correct that there is a default route that would allow VM1 to communicate with VM2 - that route is superseded by the UDR - Someone has intentionally decided that all outbound traffic from the frontend subnet should pass through the NVA (firewall). It is important to know that the other routes exist and in what order they are used 1) User-defined 2) BGP 3) system/default Just remember that if they show you a route table, it is a UDR and is always in-use. If you want to see the full list of routes, find it by looking at Effective Routes from the portal.

YNN, the last is N , tested on lab For context, if Vnet1 has subnet 192.168.0.0/16, so it need to have entry 192.168.0.0 point to NVA on RT. So, the traffic matched is Vnet range

Just a comment: what is the use of Route 2 if 0.0.0.0/0 is routed to the NVA

YNY https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview#default-route When you override the 0.0.0.0/0 address prefix, not only does outbound traffic from the subnet flow through the virtual network gateway or virtual appliance, but the following changes also occur with Azure's default routing

YNN is my answer for 3rd it is on same vnet and there is no overriding route in the NVA and hence default route will take place i.e. internal GWY and hence direct traffic

My 2 cents are: YNY The third question is No, because VM1 and VM2 are in different subnets and Route1 means that the traffic between the subnets of Vnet1 goes through NVA1. Only if VM1 and VM2 are in the same subnet => the traffic between them flows directly. https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview#routing-example

YNN, VM1 will get to VM2 without NVA because they are in the same Vnet.

My answer is Yes, No, No. I think Q1 and Q2 are obvious. but Q3 is not. UDR will overwrite the system route but only if you create a specific route not the default route 0.0.0.0/0. The default route 0.0.0.0/0 would not overwrite the system route, so next Hop is the internal GW from the subnet and not the nva. To verify this theory i've created a UDR that routes traffic from the subnet of VM1 to the subnet of VM2 over the NVA. Traffic from VM1 will go over the nva to VM2 even if they are in the same VNet.

YNY When you create a route table and associate it to a subnet, the table's routes are combined with the subnet's default routes. If there are conflicting route assignments, user-defined routes will override the default routes. https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview

Default routes of the one subnet are the address space of the its virtual network and virtual networks peered. In the worst case, when both routes (UDR and System Route) UDR has higher priority. Answer is YNY

YNN https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview#how-azure-selects-a-route "When outbound traffic is sent from a subnet, Azure selects a route based on the destination IP address, using the longest prefix match algorithm[...]If multiple routes contain the same address prefix, Azure selects the route type, based on the following priority: 1.User-defined route 2.BGP route 3.System route In our case, we do not take the default route

YNN. 1-Route 0.0.0.0/0 is advertised to NVA from on-prem and it doesn't have routing table. 2-VM2 has no routing table hence it will go via the 0.0.0.0/0 advertised via BGP from the on premises router that has more priority that system route 0.0.0.0/0 to internet via Azure network 3-VM1 and VM2 are in different subnets, but same virtual network, there is a system route in every subnet/VM interface that has the network and mask of the entire VNET where the subnet is, therefore as it has the prefix length bigger than the default route it will prefer going directly from VM to VM.

YNY Azure automatically added this route for all subnets within Virtual-network-1, because 10.0.0.0/16 is the only address range defined in the address space for the virtual network. If the user-defined route in route ID2 weren't created, traffic sent to any address between 10.0.0.1 and 10.0.255.254 would be routed within the virtual network, because the prefix is longer than 0.0.0.0/0, and not within the address prefixes of any of the other routes. Azure automatically changed the state from Active to Invalid, when ID2, a user-defined route, was added, since it has the same prefix as the default route, and user-defined routes override default routes. The state of this route is still Active for Subnet2, because the route table that user-defined route, ID2 is in, isn't associated to Subnet2. https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview#routing-example

Given Answers are incorrect. Correct Answers Q1: Yes. Why? Because On-Prem router advertises 0.0.0.0/0 route to the NVA through a Express Route. We are not told NVA has any other route. Q2: Yes. Why? Because VM2 is on backend subnet (192.168.2.0/24) it has no UDR. But NVA1 is advertising all the routes on its table (that includes what it learned from On-Prem) to the all of VNet1. NVA1 knows how to get to 10.0.0/16 network via On-Prem router. Q3:No. Why? Because VM1 & VM2 are in VNET1. Azure by default knows how to route traffic between its subnets without needing a UDR's.

YNN. Read the link in its entirety ! Especially the implementation example. The very same routes are being displayed. Route ID1 is not invalidated by route ID12 because the prefix is longer than 0.0.0.0/0

Tested in lab, is YNN