Technical Lab: Design and implement ExpressRoute to meet requirements, including cross-region connectivity, redundancy, and disaster recovery
Questionsβ
Question 1 β Multiple Choiceβ
A company has two Azure regions: East US and West Europe. It has a single ExpressRoute circuit connected to East US. The network team needs virtual networks in West Europe to also reach the on-premises environment via this same circuit, without provisioning a second circuit.
Which ExpressRoute feature enables this cross-region connectivity using a single circuit?
A) ExpressRoute Global Reach
B) ExpressRoute Premium add-on
C) VNet Peering between regions combined with the existing gateway
D) ExpressRoute FastPath enabled on the West Europe gateway
Question 2 β Technical Scenarioβ
An architect is designing the disaster recovery solution for a critical ExpressRoute connection. The requirement is: complete tolerance to failure of a single connectivity provider, maintaining on-premises to Azure traffic without interruption.
Which topology meets the requirement?
A) One ExpressRoute circuit with two redundant physical links on the same connectivity provider, with both gateways in active-active mode
B) Two ExpressRoute circuits on different connectivity providers, each with its own ExpressRoute gateway in separate VNets
C) Two ExpressRoute circuits on different connectivity providers, connected to the same ExpressRoute gateway configured in active-active mode
D) One primary ExpressRoute circuit with a Site-to-Site VPN connection as backup path, using the same gateway
Question 3 β True or Falseβ
ExpressRoute Global Reach allows two distinct on-premises networks, each connected to Azure through its own ExpressRoute circuit, to exchange traffic directly with each other through Microsoft's backbone, without this traffic needing to traverse any Azure virtual network.
True or False?
Question 4 β Technical Scenarioβ
An organization configured the following environment:
Circuit A: SΓ£o Paulo -> ExpressRoute Provider X -> Azure Brazil South
Circuit B: SΓ£o Paulo -> ExpressRoute Provider Y -> Azure Brazil South
ExpressRoute Gateway: HighPerformance SKU, active-active mode
Both circuits connected to the same gateway
BGP: AS Path prepending not configured
After a few days, the team notices that all outbound traffic from Azure to on-premises flows exclusively through Circuit A, ignoring Circuit B.
What is the most likely cause of this behavior?
A) Active-active mode on the gateway only applies to inbound traffic to Azure, not outbound
B) The HighPerformance gateway doesn't support load balancing between two distinct circuits
C) BGP is preferring Circuit A due to attributes like AS Path or LOCAL_PREF advertised by Provider X, resulting in asymmetric route preference
D) ExpressRoute doesn't perform load balancing between two circuits in Azure regions outside the US and Europe
Question 5 β Multiple Choiceβ
When designing ExpressRoute circuit redundancy, what is the fundamental difference between configuring two ExpressRoute circuits and configuring a single circuit with provider-level redundancy (dual links)?
| Dimension | Two circuits | Single circuit, dual links |
|---|---|---|
| Protection scope | ? | ? |
| Relative cost | Higher | Lower |
| Protection against provider failure | ? | ? |
A) Two circuits protect against logical configuration failure; dual links protect against physical cable failure
B) Two circuits offer protection against connectivity provider failure itself; dual links protect only against failure of a single physical link within the same provider
C) Both topologies offer the same level of protection, differing only in implementation cost
D) Dual links offer greater protection because they use independent physical paths managed by Microsoft, while two circuits depend on distinct SLA agreements
Answer Key and Explanationsβ
Answer Key β Question 1β
Answer: B
The ExpressRoute Premium add-on expands the geographic reach of an ExpressRoute circuit beyond the origin geopolitical region, allowing VNets in remote regions, such as West Europe, to be associated with a circuit provisioned in another region, such as East US.
The central conceptual error of the distractors:
- A (Global Reach) connects on-premises networks to each other, it doesn't extend VNet reach to a remote circuit.
- C (VNet Peering) allows West Europe traffic to use the route, but without the Premium add-on the circuit won't accept the cross-region VNet association.
- D (FastPath) optimizes data path latency by bypassing the gateway for certain flows, but doesn't solve the circuit's geographic scope problem.
Choosing option A would be a particularly dangerous mistake in production: Global Reach would solve a different problem and wouldn't establish the desired VNet connectivity.
Answer Key β Question 2β
Answer: C
The central requirement is tolerance to single provider failure. This requires circuits on different providers. Connecting them to the same gateway in active-active mode ensures the Azure gateway remains operational regardless of which circuit is active.
Analysis of distractors:
- A uses two links on the same provider: a systemic provider failure brings down both simultaneously, violating the requirement.
- B places gateways in separate VNets, which fragments connectivity and adds unnecessary complexity without benefit for the stated requirement.
- D is a valid DR alternative, but Site-to-Site VPN has significantly inferior bandwidth and latency compared to ExpressRoute, which may be inadequate for critical workloads. Additionally, "backup" implies failover, not continuous tolerance.
Answer Key β Question 3β
Answer: True
ExpressRoute Global Reach creates a routing path directly between two distinct ExpressRoute circuits, traversing exclusively Microsoft's global backbone. Traffic between on-premises environments doesn't need to be routed through any Azure VNet or processed by any virtual gateway.
This behavior is non-intuitive because most hybrid connectivity scenarios must pass through VNets. Global Reach is the explicit exception to this rule, and understanding this boundary is essential for designing branch-to-branch interconnection topologies via Azure without overloading gateways.
Answer Key β Question 4β
Answer: C
The described behavior is asymmetric routing caused by BGP preference. When two circuits advertise the same prefixes to Azure, the gateway's BGP selects the preferred route based on attributes like LOCAL_PREF (influences outbound traffic from Azure) and AS Path length. If Provider X advertises a route with higher LOCAL_PREF or shorter AS Path, Azure will always prefer Circuit A for outbound traffic.
Analysis of distractors:
- A is false: active-active mode distributes gateway connections, but BGP still determines which circuit is preferred for each advertised prefix.
- B is false: the HighPerformance SKU supports multiple circuits normally.
- D is false: BGP behavior is global and doesn't depend on Azure's geographic region.
The solution would be to adjust BGP attributes, such as AS Path prepending on Circuit A or configuring equivalent LOCAL_PREF on both, to force symmetric distribution.
Answer Key β Question 5β
Answer: B
The fundamental difference lies in the protection scope:
- Two circuits on different providers protect against total connectivity provider failure, including systemic failures, bankruptcies, prolonged scheduled maintenance, or incidents in the provider's infrastructure.
- Single circuit with dual links protects only against failure of a single cable or port within the same provider's infrastructure. A systemic provider failure affects both links simultaneously.
Analysis of distractors:
- A inverts the logic: protection against physical cable failure is precisely the role of dual links, not two circuits.
- C is technically incorrect and dangerous: equating the two topologies in terms of protection would lead to undersizing the DR plan.
- D is false: dual links are managed by the provider, not Microsoft, and distinct SLAs are precisely an advantage of two circuits, not a disadvantage.