
Technical Lab: Select and Configure a Tunnel Type

Questions

Question 1 - Multiple Choice

A company needs to establish site-to-site connectivity between its on-premises network and Azure. The local VPN device is a certified router that supports IKEv2, and the security requirement demands Perfect Forward Secrecy (PFS). The Azure VPN gateway was provisioned with the VpnGw2 SKU.

Which tunnel type should be selected to meet these requirements?

A) IKEv1 with aggressive mode, as it offers faster negotiation and is compatible with PFS
B) IKEv2, as it natively supports PFS and is compatible with the VpnGw2 SKU
C) OpenVPN, as it is the only protocol that guarantees PFS in Azure VPN Gateway
D) SSTP, as it is the default protocol for site-to-site connections with PFS support


Question 2 - Technical Scenario

An administrator configured a point-to-site (P2S) connection on Azure VPN Gateway using the SSTP tunnel type. Users with Windows 10 can connect normally, but users with macOS and Linux report that the native VPN client cannot establish the connection.

What is the most likely cause of this behavior?

A) SSTP requires the root certificate to be manually imported on each non-Windows client, a step that was omitted
B) SSTP is a Microsoft proprietary protocol with native support only on Windows clients, being incompatible with macOS and Linux
C) The gateway is configured with Basic SKU, which blocks connections from non-Microsoft operating systems
D) The selected authentication method is incompatible with macOS and Linux clients when combined with SSTP


Question 3 - True or False

In a VNet-to-VNet connection in Azure, it is possible to use the IKEv2 tunnel type regardless of whether the VNets are in the same region or different regions, as long as both gateways are RouteBased type.


Question 4 - Technical Scenario

A network team needs to connect remote employees to Azure using Azure VPN Gateway with authentication via Microsoft Entra ID (without using certificates). After reviewing the documentation, the administrator realizes that only one tunnel type supports this authentication method in the P2S context.

Which configuration represents the correct approach?

Gateway Type:   VPN
VPN Type:       RouteBased
Tunnel Type:    ?
Authentication: Microsoft Entra ID
SKU:            VpnGw1 or higher

A) IKEv2, as it is the default protocol for federated authentication with Microsoft Entra ID
B) SSTP, as it supports token-based authentication OAuth2 from Microsoft Entra ID
C) OpenVPN, as it is the only P2S tunnel type compatible with Microsoft Entra ID authentication
D) IKEv1, as it maintains compatibility with the SAML authentication flow of Microsoft Entra ID


Question 5 - Multiple Choice

When comparing the tunnel types available for point-to-site connections in Azure VPN Gateway, which statement correctly describes a relevant functional difference between IKEv2 and OpenVPN?

A) IKEv2 supports authentication via Microsoft Entra ID, while OpenVPN supports only certificate authentication
B) OpenVPN operates at the transport layer (TCP/UDP) and traverses NAT and firewalls more easily than IKEv2, which depends on specific IP protocols
C) IKEv2 is the only protocol that allows simultaneous connections from Windows, macOS, and Linux clients on the same gateway
D) OpenVPN requires a higher gateway SKU than IKEv2 to operate in production environments


Answer Key and Explanations

Answer Key - Question 1

Answer: B

IKEv2 is the recommended protocol for site-to-site connections whenever the on-premises device supports it. It supports Perfect Forward Secrecy (PFS), negotiates more robustly than IKEv1, and is available on every VpnGw SKU (including VpnGw2) as long as the gateway is RouteBased. One caveat matters in practice: Azure's default IPsec/IKE proposal sets PFS to None, so meeting the PFS requirement means attaching a custom IPsec/IKE policy with an explicit PFS group to the connection rather than relying on defaults. IKEv1 should not be preferred when IKEv2 is available; aggressive mode in particular exposes the pre-shared-key-derived hash to offline cracking and is a known weakness. SSTP is a point-to-site-only tunnel type, so it is technically invalid for site-to-site. OpenVPN is likewise a P2S tunnel type in Azure VPN Gateway and is not an option for site-to-site with a certified router.

The central conceptual error in the distractors is confusing the scope of protocol usage: SSTP and OpenVPN are intended for P2S, not for S2S.
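As an added example (not part of the original lab), the Azure PowerShell below builds the Question 1 design end to end: an existing route-based VpnGw2 gateway, a local network gateway for the on-premises router, an IKEv2 connection, and a custom IPsec/IKE policy whose PfsGroup is what actually switches PFS on. The resource names, address space, peer IP (an RFC 5737 documentation address) and Key Vault secret are placeholders.

```powershell
# Added example: IKEv2 site-to-site connection with Perfect Forward Secrecy enforced
# through a custom IPsec/IKE policy. Names, IPs and the Key Vault reference are placeholders.
$rg     = "rg-hub-network"
$loc    = "eastus2"
$gwName = "vgw-hub"

# The gateway is assumed to exist already as a RouteBased VpnGw2. IKEv2 needs a RouteBased
# gateway, and custom IPsec/IKE policies are not available on the Basic SKU.
$gw = Get-AzVirtualNetworkGateway -Name $gwName -ResourceGroupName $rg
if ($gw.VpnType -ne "RouteBased" -or $gw.Sku.Name -eq "Basic") {
    throw "Gateway must be RouteBased on a VpnGw SKU for IKEv2 with a custom IPsec/IKE policy."
}

# On-premises device: its public IP and the prefixes reachable behind it.
$lng = New-AzLocalNetworkGateway -Name "lng-onprem-dc1" -ResourceGroupName $rg -Location $loc `
    -GatewayIpAddress "203.0.113.10" -AddressPrefix @("10.50.0.0/16")

# Custom IPsec/IKE policy. -PfsGroup is the PFS requirement: a fresh DH exchange on every
# IPsec SA rekey, so compromise of one key does not decrypt earlier sessions.
$ipsec = New-AzIpsecPolicy -IkeEncryption AES256 -IkeIntegrity SHA384 -DhGroup DHGroup14 `
    -IpsecEncryption GCMAES256 -IpsecIntegrity GCMAES256 -PfsGroup PFS2048 `
    -SALifeTimeSeconds 27000 -SADataSizeKilobytes 102400000

# Pre-shared key comes from Key Vault rather than being hard-coded in the script.
$psk = Get-AzKeyVaultSecret -VaultName "kv-hub-network" -Name "s2s-dc1-psk" -AsPlainText

New-AzVirtualNetworkGatewayConnection -Name "cn-hub-to-dc1" -ResourceGroupName $rg -Location $loc `
    -VirtualNetworkGateway1 $gw -LocalNetworkGateway2 $lng -ConnectionType IPsec `
    -ConnectionProtocol IKEv2 -SharedKey $psk -IpsecPolicies $ipsec `
    -UsePolicyBasedTrafficSelectors $false | Out-Null

# Check before sign-off: the connection must report IKEv2 and a PFS group other than None.
$cn = Get-AzVirtualNetworkGatewayConnection -Name "cn-hub-to-dc1" -ResourceGroupName $rg
$cn.ConnectionProtocol
$cn.IpsecPolicies | Select-Object IkeEncryption, IkeIntegrity, DhGroup, IpsecEncryption, IpsecIntegrity, PfsGroup
```

The on-premises router must be configured with the identical proposal (AES-256/SHA-384/DH group 14 for IKE, AES-256-GCM with PFS group 2048 for IPsec); a mismatch on any single parameter fails the negotiation rather than silently downgrading.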


Answer Key - Question 2

Answer: B

SSTP (Secure Socket Tunneling Protocol) is a Microsoft protocol that carries the tunnel inside an HTTPS channel on TCP port 443. A native client exists only on Windows. macOS and Linux have no built-in SSTP support, so those clients must connect with IKEv2 (native macOS client, strongSwan on Linux) or OpenVPN (Azure VPN Client or an OpenVPN client). Alternative A is plausible but wrong: even with the root certificate imported correctly, the operating system simply does not implement the protocol. Alternative C is incorrect because the Basic SKU does not block operating systems by policy; note, though, that Basic supports only SSTP for P2S, so the actual fix (adding IKEv2 and/or OpenVPN to the gateway) requires VpnGw1 or higher. Alternative D asserts a correlation between authentication method and OS compatibility that does not exist.

Choosing SSTP as the only tunnel type in a multi-platform environment is a common planning error in AZ-700.
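The remediation for the Question 2 scenario, as an added example rather than code from the original lab: enable IKEv2 and OpenVPN side by side on the same gateway with certificate authentication, so Windows, macOS and Linux users each have a supported protocol. IKEv2 and OpenVPN may be combined on one gateway; OpenVPN and SSTP may not. Resource names, the address pool and the root certificate file are placeholders.

```powershell
# Added example: multi-platform P2S. Offer IKEv2 and OpenVPN on one gateway with certificate
# authentication. Names, paths and the address pool are placeholders.
$rg     = "rg-hub-network"
$gwName = "vgw-hub"

$gw = Get-AzVirtualNetworkGateway -Name $gwName -ResourceGroupName $rg

# Basic SKU P2S is SSTP only; IKEv2 and OpenVPN need VpnGw1 or higher.
if ($gw.Sku.Name -eq "Basic") {
    throw "Basic SKU supports only SSTP for P2S; resize to VpnGw1 or higher before adding IKEv2/OpenVPN."
}

# Root certificate of the P2S client PKI, exported WITHOUT the private key (.cer, DER or Base64).
# X509Certificate2 parses either encoding; Azure expects the Base64 DER body.
$rootCer  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(".\P2SRootCert.cer")
$rootData = [Convert]::ToBase64String($rootCer.RawData)
$rootCert = New-AzVpnClientRootCertificate -Name "P2SRootCert" -PublicCertData $rootData

# IKEv2 + OpenVPN is a supported combination; OpenVPN + SSTP is not.
# Windows: IKEv2 or Azure VPN Client. macOS: native IKEv2 or Azure VPN Client (OpenVPN).
# Linux: strongSwan (IKEv2) or an OpenVPN client.
Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw `
    -VpnClientAddressPool "172.16.201.0/24" `
    -VpnClientProtocol @("IkeV2", "OpenVPN") `
    -VpnAuthenticationType Certificate `
    -VpnClientRootCertificates @($rootCert) | Out-Null

# Check: both protocols must be listed, and the client profile package has to be regenerated
# so non-Windows users download IKEv2/OpenVPN settings instead of the old SSTP-only bundle.
(Get-AzVirtualNetworkGateway -Name $gwName -ResourceGroupName $rg).VpnClientConfiguration.VpnClientProtocols
$profile = New-AzVpnClientConfiguration -ResourceGroupName $rg -Name $gwName -AuthenticationMethod "EapTls"
$profile.VpnProfileSASUrl
```

If SSTP must remain for legacy Windows clients, the supported pairing is IKEv2 + SSTP; macOS and Linux then use IKEv2 only.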


Answer Key - Question 3

Answer: True

VNet-to-VNet connections use the same VPN Gateway mechanism as site-to-site connections. When both gateways are RouteBased, IKEv2 is supported regardless of where the VNets are located; Azure imposes no region restriction on the protocol, only that a connection be created in each direction and that both sides use the same shared key. RouteBased is the prerequisite for IKEv2: PolicyBased gateways support only IKEv1, are limited to the Basic SKU, allow a single site-to-site connection, and cannot participate in VNet-to-VNet or point-to-site at all.

A common misconception is assuming that connections between distinct regions require different protocol configurations, which is not the case here.


Answer Key - Question 4

Answer: C

OpenVPN is the only P2S tunnel type in Azure VPN Gateway that supports authentication with Microsoft Entra ID. The Azure VPN Client obtains an OAuth 2.0 token for the user from the tenant and presents it to the gateway, so no per-client certificate needs to be issued or revoked, and Conditional Access policies can be applied to the VPN sign-in. IKEv2 supports certificate or RADIUS authentication but has no native Entra ID integration; SSTP likewise supports certificate or RADIUS authentication only. IKEv1 is not offered as a P2S tunnel type at all. Note also that Entra ID authentication requires the gateway's tunnel type to be OpenVPN exclusively (it cannot be combined with IKEv2 on the same gateway) and that OpenVPN is unavailable on the Basic SKU, which is why the scenario specifies VpnGw1 or higher.

The practical consequence of choosing IKEv2 in this scenario would be the inability to configure authentication without certificates, increasing operational complexity and eliminating the benefits of corporate SSO.
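The Question 4 configuration in Azure PowerShell, as an added example and not code from the original lab. The tenant ID and resource names are placeholders; the audience value is the application ID Microsoft documents for the Azure VPN Client enterprise application in the Azure public cloud, which differs in other clouds and has a newer Microsoft-registered counterpart, so confirm it against the current documentation for your tenant before use.

```powershell
# Added example: P2S with OpenVPN and Microsoft Entra ID authentication (no client certificates).
# Names, tenant ID and address pool are placeholders.
$rg       = "rg-hub-network"
$gwName   = "vgw-hub"
$tenantId = "00000000-0000-0000-0000-000000000000"   # placeholder: your Entra tenant ID

# Audience = application ID of the Azure VPN Client enterprise app for the Azure public cloud
# as documented by Microsoft. Other clouds use different IDs; confirm against current docs.
$audience = "41b23e61-6c1e-4545-b367-cd054e0ed4b4"

$gw = Get-AzVirtualNetworkGateway -Name $gwName -ResourceGroupName $rg
if ($gw.Sku.Name -eq "Basic") { throw "OpenVPN requires VpnGw1 or higher." }

# Entra ID authentication is accepted only when the tunnel type is exclusively OpenVPN.
Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw `
    -VpnClientAddressPool "172.16.202.0/24" `
    -VpnClientProtocol OpenVPN `
    -VpnAuthenticationType AAD `
    -AadTenantUri "https://login.microsoftonline.com/$tenantId/" `
    -AadAudienceId $audience `
    -AadIssuerUri "https://sts.windows.net/$tenantId/" | Out-Null

# Check the stored configuration: protocol OpenVPN, authentication type AAD, tenant/audience/issuer set.
$cfg = (Get-AzVirtualNetworkGateway -Name $gwName -ResourceGroupName $rg).VpnClientConfiguration
$cfg | Select-Object VpnClientProtocols, VpnAuthenticationTypes, AadTenant, AadAudience, AadIssuer

# Publish the profile package that users import into the Azure VPN Client.
$profile = New-AzVpnClientConfiguration -ResourceGroupName $rg -Name $gwName -AuthenticationMethod "EapTls"
$profile.VpnProfileSASUrl
```

Before rolling this out, a Global Administrator must have granted tenant-wide consent to the Azure VPN Client application; otherwise users receive a consent prompt or an authorization error at first sign-in, and Conditional Access rules targeting the application will not apply.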


Answer Key - Question 5

Answer: B

OpenVPN runs over TCP or UDP, and in Azure VPN Gateway it is offered over TCP port 443 only. To port-based filtering that tunnel looks like ordinary HTTPS, so it passes NAT devices and restrictive egress firewalls that allow web browsing; a TLS-inspecting proxy can still fingerprint and block it, so "indistinguishable" overstates the case. IKEv2, by contrast, needs outbound UDP 500 (IKE) and UDP 4500 (NAT traversal), plus ESP (IP protocol 50) when no NAT is in the path. Those ports are blocked on many guest and corporate networks, which is the practical reason an IKEv2 client fails where an OpenVPN client succeeds. Alternative A reverses reality: OpenVPN is the tunnel type that supports Microsoft Entra ID authentication, not IKEv2. Alternative C is false: both IKEv2 and OpenVPN have clients for Windows, macOS and Linux; SSTP is the one limited to Windows. Alternative D is incorrect: IKEv2 and OpenVPN share the same SKU floor (VpnGw1 or higher, neither being available on Basic), so OpenVPN imposes no additional SKU requirement.

The NAT traversal difference between OpenVPN and IKEv2 is a real decision criterion in architectures with corporate firewall restrictions.