Technical Lab: Design a site-to-site VPN connection, including for high availability
Questions
Question 1 – Multiple Choice
An organization needs to connect its on-premises headquarters to Azure through a site-to-site VPN. The networking team identified that the on-premises VPN device supports BGP and that the volume of exchanged routes will be high. When configuring the Azure VPN Gateway, which combination of parameters is mandatory to enable dynamic routing via BGP?
A) Basic SKU and assignment of a private ASN to the gateway, with static public IP.
B) Any SKU other than Basic, assignment of an ASN to the gateway and explicit enablement of BGP on the connection.
C) VpnGw1 or higher SKU, mandatory use of static routing and disabling BGP on the Local Network Gateway.
D) Standard SKU, use of static routing on local routes and enabling BGP only on the on-premises device.
Question 2 – Technical Scenario
An architect configured a site-to-site VPN with Active-Active on the Azure VPN Gateway and two IPsec tunnels to the on-premises device. After deployment, he observes that when one of the tunnels fails, traffic continues flowing without interruption, but notices that only one of the gateway's public IP addresses is being used by both tunnels.
Examine the configuration below:
Azure VPN Gateway:
Mode: Active-Active
Public IP 1: 52.10.1.1
Public IP 2: 52.10.1.2
On-premises VPN device:
Tunnel 1: peer 52.10.1.1
Tunnel 2: peer 52.10.1.1
What is the problem with this configuration?
A) Active-Active mode requires both tunnels to use the same gateway public IP for internal load balancing.
B) Both tunnels are pointing to the same gateway public IP, which eliminates real redundancy between gateway instances.
C) The on-premises device should use a single tunnel in Active-Active mode, as the second tunnel is automatically managed by Azure.
D) The secondary public IP is only used on gateways with VpnGw5 or higher SKU, so the configuration is correct for lower SKUs.
Question 3 – True or False
An Azure VPN Gateway configured in Active-Standby mode guarantees connectivity continuity during planned gateway updates without any perceptible traffic interruption, as the failover to the standby instance occurs completely transparently and instantaneously.
Question 4 – Technical Scenario
An infrastructure team needs to connect three on-premises branches to Azure, each with its own VPN device. The requirement is that the branches can communicate with each other through Azure, without the need for direct links between them. The architect proposes using an Azure VPN Gateway in a hub VNet with individual site-to-site connections to each branch.
What configuration is necessary for traffic between branches to flow through the Azure VPN Gateway?
A) Enable BGP on the gateway and connections, and configure branches to advertise their routes via BGP to the gateway.
B) Enable the Transit routing feature directly on the hub VNet property, without need for BGP.
C) Create a static route in each branch's route table pointing to other branches via the gateway's public IP.
D) Configure all three connections as Active-Active and enable VNet Peering between the branch VNets.
Question 5 – Multiple Choice
When designing a high availability solution for site-to-site VPN, an architect considers combining an Azure VPN Gateway in Active-Active mode with a second on-premises VPN device. What is the main benefit of this topology compared to using Active-Active with only one on-premises device?
A) Completely eliminates downtime during Azure VPN Gateway firmware updates.
B) Allows using the gateway's Basic SKU, reducing costs without loss of redundancy.
C) Removes the on-premises device as a single point of failure, ensuring redundancy on both sides of the connection.
D) Automatically enables routing between VNets without need for additional BGP configuration.
Answer Key and Explanations
Answer Key – Question 1
Answer: B
The Basic SKU of Azure VPN Gateway does not support BGP, so any SKU that enables BGP must be one other than Basic (e.g. VpnGw1, VpnGw2, etc.). Additionally, it is necessary to assign an ASN (Autonomous System Number) to the gateway and to explicitly enable BGP both on the gateway and on the connection with the Local Network Gateway. Without this explicit enablement on the connection, BGP is not activated even if the gateway supports the feature.
Alternative A is wrong because it cites the Basic SKU. Alternative C contradicts the BGP objective by requiring static routing. Alternative D makes the same mistake as C and ignores that BGP needs to be configured on the Azure side as well, not only on the on-premises device.
Answer Key – Question 2
Answer: B
In Active-Active mode, the Azure VPN Gateway provisions two active instances, each with its own public IP. For redundancy to be real, the on-premises device must establish an IPsec tunnel with each of the public IPs separately. In the presented configuration, both tunnels point to 52.10.1.1, which means all connectivity depends on the instance associated with that IP. If that instance fails, both tunnels drop simultaneously.
Alternative A inverts the Active-Active logic. Alternative C describes non-existent behavior; the second tunnel is not automatically managed by Azure. Alternative D is false; the use of two public IPs is independent of the specific SKU.
Answer Key – Question 3
Answer: False
In Active-Standby mode, during planned gateway updates, the failover to the standby instance is neither instantaneous nor transparent. Microsoft documents that IKEv2-based connections may experience an interruption of approximately 10 seconds and IKEv1 connections may suffer interruptions of up to 90 seconds. Failover occurs and connectivity is restored, but there is an observable unavailability window. This is relevant for applications that don't tolerate any interruption, in which case Active-Active mode is the appropriate choice.
Answer Key – Question 4
Answer: A
The Azure VPN Gateway, by default, does not act as a transit router between site-to-site connections. For traffic from one branch to reach another passing through the gateway, it's necessary to enable BGP on the gateway and on each connection, and configure each on-premises device to advertise its local routes via BGP. With this, the gateway learns the routes from all branches and can correctly forward traffic between them.
Alternative B describes a non-existent feature; there is no property called "Transit routing" configurable directly on the VNet. Alternative C is operationally unfeasible and doesn't solve routing at the Azure plane. Alternative D confuses Active-Active, which is a high availability mechanism, with routing between connections, which are independent concepts.
Answer Key – Question 5
Answer: C
In a topology with Active-Active and only one on-premises device, the Azure gateway has high availability, but the local device remains a single point of failure. By adding a second on-premises device, each establishes tunnels with both gateway public IPs, resulting in four tunnels total. This ensures end-to-end redundancy: a failure in any isolated component (gateway instance or on-premises device) doesn't interrupt connectivity.
Alternative A is incorrect; gateway updates can still cause brief interruptions regardless of the on-premises topology. Alternative B is false; the Basic SKU doesn't support Active-Active. Alternative D attributes to Active-Active a benefit for routing between VNets that is not intrinsic to this mode.
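The redundancy reasoning in the Question 2 and Question 5 keys reduces to one check: for every single component (gateway instance or on-premises device) that could fail, does at least one tunnel survive? The following added example, written for this lab and not taken from it or from Azure, runs that check over the three layouts discussed: both tunnels on 52.10.1.1 (Question 2), the corrected single-device layout, and two on-premises devices with four tunnels (Question 5). The public IPs come from the Question 2 scenario; the instance and device names are constructed.

```python
"""Constructed single-point-of-failure check for site-to-site VPN tunnel layouts.
Added example for this lab; instance and device names are hypothetical."""
from itertools import product

# Public IPs from the lab scenario, mapped to hypothetical gateway instance names.
GATEWAY_IPS = {"52.10.1.1": "gw-instance-1", "52.10.1.2": "gw-instance-2"}

# A tunnel is (on-premises device, gateway public IP it peers with).
Tunnel = tuple[str, str]


def tunnels_surviving(tunnels: list[Tunnel], failed: str) -> list[Tunnel]:
    """Tunnels that stay up when the named device or gateway instance fails."""
    return [t for t in tunnels if t[0] != failed and GATEWAY_IPS[t[1]] != failed]


def single_points_of_failure(tunnels: list[Tunnel]) -> list[str]:
    """Components whose failure drops every tunnel (sorted for stable output)."""
    devices = {dev for dev, _ in tunnels}
    instances = {GATEWAY_IPS[ip] for _, ip in tunnels}
    return sorted(c for c in devices | instances if not tunnels_surviving(tunnels, c))


def unused_gateway_ips(tunnels: list[Tunnel]) -> list[str]:
    """Active-Active public IPs that no tunnel peers with (the Question 2 symptom)."""
    return sorted(set(GATEWAY_IPS) - {ip for _, ip in tunnels})


# Constructed layouts.
MISCONFIGURED = [("onprem-1", "52.10.1.1"), ("onprem-1", "52.10.1.1")]   # Question 2
SINGLE_DEVICE = [("onprem-1", "52.10.1.1"), ("onprem-1", "52.10.1.2")]   # corrected
DUAL_DEVICE = list(product(["onprem-1", "onprem-2"], GATEWAY_IPS))        # Question 5

if __name__ == "__main__":
    for label, layout in [("misconfigured", MISCONFIGURED),
                          ("single device", SINGLE_DEVICE),
                          ("dual device", DUAL_DEVICE)]:
        print(f"{label}: {len(layout)} tunnels, "
              f"SPOF={single_points_of_failure(layout)}, "
              f"unused IPs={unused_gateway_ips(layout)}")
```

The misconfigured layout reports both the gateway instance and the on-premises device as single points of failure and flags 52.10.1.2 as unused; peering the second tunnel with 52.10.1.2 leaves only the on-premises device as a single point of failure, and the four-tunnel dual-device layout reports none, which is the benefit the Question 5 key describes.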