Technical Lab: Create and configure an ExpressRoute gateway
Questions
Question 1 - Multiple Choice
When planning an ExpressRoute gateway for a solution that requires high availability connectivity with automatic failover between two distinct ExpressRoute circuits, which gateway SKU is the minimum requirement to support the ExpressRoute FastPath feature?
A) Standard
B) HighPerformance
C) UltraPerformance
D) ErGw3AZ
Question 2 - Technical Scenario
A network team configured an ExpressRoute gateway of type ErGw1AZ in a Virtual Network. After deployment, the team tries to enable coexistence with a VPN Gateway in the same VNet to allow failover via site-to-site VPN. The operation fails with an incompatibility error.
GatewaySubnet: 10.0.255.0/27
ErGw1AZ deployed in GatewaySubnet
VPN Gateway (VpnGw1) - fails to deploy
What is the most likely root cause of the failure?
A) The ErGw1AZ SKU does not support coexistence with any type of VPN Gateway
B) The GatewaySubnet with /27 prefix is insufficient for coexistence of two gateways
C) The VpnGw1 SKU is incompatible with any availability zone gateway
D) It's not possible to coexist ExpressRoute gateway and VPN Gateway in the same VNet in any scenario
Question 3 - True or False
An ExpressRoute gateway deployed with a zonal SKU, such as ErGw1AZ, automatically guarantees that the Virtual Network will have continuous connectivity even if an entire Availability Zone becomes unavailable, without any additional routing or BGP configuration.
Question 4 - Technical Scenario
An architect needs to connect a VNet to two ExpressRoute circuits simultaneously: a primary 1 Gbps circuit and a secondary 200 Mbps circuit used as backup. The goal is to ensure that traffic automatically returns to the primary circuit after recovery from a failure. The gateway is already deployed with HighPerformance SKU.
Which statement correctly describes the expected behavior and necessary action?
A) Azure performs automatic failback to the primary circuit without any additional BGP attribute configuration
B) It's necessary to configure the AS Path Prepending attribute on the secondary circuit to ensure the primary is preferred and that failback occurs deterministically
C) The HighPerformance SKU does not support connection to two circuits simultaneously and must be upgraded to UltraPerformance
D) Automatic failback is managed by Microsoft Entra Conditional Access integrated with ExpressRoute
Question 5 - Multiple Choice
When creating an ExpressRoute gateway, the resource must be deployed in a subnet with specific name and size requirements. Which of the statements below correctly describes the mandatory requirements for this subnet?
A) The name must be ExpressRouteSubnet and the minimum prefix is /28
B) The name must be GatewaySubnet and the minimum recommended prefix for production is /27
C) The name can be anything, as long as it's delegated to the Microsoft.Network/expressRouteGateways service
D) The name must be GatewaySubnet and the minimum mandatory prefix is /24 for availability zone SKUs
Answer Key and Explanations
Answer Key - Question 1
Answer: C
ExpressRoute FastPath was designed to improve data path performance by bypassing the gateway in the forwarding plane, reducing latency and increasing throughput. This feature is only available on UltraPerformance and ErGw3AZ SKUs. However, since the question asks for the minimum requirement among the presented alternatives, UltraPerformance is the correct answer in the context of the provided list.
The Standard and HighPerformance SKUs do not support FastPath. The most common conceptual error is confusing zonal high availability (function of the AZ suffix) with FastPath capability, which is determined by the performance category of the SKU, not by its zone resilience.
Answer Key - Question 2
Answer: B
For two gateways to coexist in the same GatewaySubnet, Microsoft requires this subnet to have at least a /27 prefix (32 addresses). A /27 prefix is already at the minimum limit, but the documentation recommends /27 or larger. The critical point here is that the coexistence of ExpressRoute gateway and VPN Gateway in the same VNet is supported by the platform, but requires proper planning of the GatewaySubnet addressing space.
Alternative A is false because coexistence is supported. Alternative D is the most dangerous distractor: coexistence is a documented and valid scenario, used precisely for hybrid failover.
Answer Key - Question 3
False
A zonal SKU like ErGw1AZ distributes gateway instances across Availability Zones, increasing the resilience of the gateway infrastructure itself. However, this does not eliminate the need for proper BGP routing configuration and redundancy on the connectivity provider side (dual ExpressRoute circuit). If the physical circuit or BGP session fails, the gateway's zonal deployment doesn't solve the problem. Zonal resilience protects against datacenter failures, not against circuit or BGP session failures.
Answer Key - Question 4
Answer: B
Azure does not perform automatic failback based on circuit priority. Routing in ExpressRoute is based on BGP, and the preference between paths must be influenced by attributes like AS Path Prepending (to influence incoming traffic from the on-premises perspective) or Local Preference (configured on the customer's on-premises side). Without this configuration, after the primary circuit recovers, BGP may continue using the secondary if metrics are equivalent.
Alternative A is the most frequent misconception: assuming Azure automatically chooses the "best" circuit. Alternative D is clearly incorrect since Microsoft Entra Conditional Access is an identity service and has no relation to network routing.
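The failback behaviour described for Question 4 can be seen in a simplified model of BGP path selection. This is an added example, not part of the original lab. It models only two decision steps (shortest AS path, then oldest route); the circuit labels, the private ASN 65010 and the oldest-route tie-break are assumptions for illustration.

```python
from dataclasses import dataclass

@dataclass
class Route:
    circuit: str      # label of the circuit the prefix was learned over (constructed)
    as_path: tuple    # AS numbers as received, prepends included
    learned_at: int   # tick at which the BGP session advertised the route

def best_path(routes):
    """Shortest AS path wins; on a tie the oldest route is kept (assumed tie-break)."""
    return min(routes, key=lambda r: (len(r.as_path), r.learned_at))

def simulate(secondary_prepends):
    """Fail and recover the primary circuit; return the circuit selected at each stage."""
    asn = 65010  # constructed private ASN
    primary = Route("primary-1G", (asn,), learned_at=0)
    secondary = Route("secondary-200M", (asn,) * (1 + secondary_prepends), learned_at=1)
    stages = {}

    # Both circuits up.
    stages["steady"] = best_path([primary, secondary]).circuit

    # Primary session drops: only the secondary route remains.
    stages["primary_down"] = best_path([secondary]).circuit

    # Primary recovers and re-advertises: it is now the *newer* route.
    recovered = Route("primary-1G", (asn,), learned_at=10)
    stages["primary_recovered"] = best_path([secondary, recovered]).circuit
    return stages

if __name__ == "__main__":
    for prepends in (0, 2):
        print(f"prepends on secondary = {prepends}: {simulate(prepends)}")
```

With no prepending the paths are equivalent, so after recovery the selection stays on the secondary; with the secondary's AS path lengthened, the primary wins again as soon as it is re-advertised.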
Answer Key - Question 5
Answer: B
Both the ExpressRoute gateway and the VPN Gateway require the subnet to be named exactly GatewaySubnet. This name is reserved by the Azure platform and cannot be changed. The /27 prefix is not the absolute minimum (the technical minimum accepted is /29), but Microsoft explicitly recommends /27 or larger for production environments, as smaller prefixes leave insufficient margin for operations like SKU upgrade or adding instances.
Alternative D represents a misconception about zonal SKU requirements: there is no /24 requirement for any ExpressRoute gateway SKU. Alternative C confuses the behavior of subnet delegation, which is a different mechanism used by other services like Azure Container Instances and does not apply to virtual network gateways.