
Technical Lab: Implement Azure Extended Network

Questions

Question 1 — Multiple Choice

An infrastructure team needs to gradually migrate on-premises servers to Azure without changing the IP addresses of the virtual machines that will be moved. The on-premises environment uses the 192.168.10.0/24 range and applications depend on direct IP communication between servers that will remain on-premises and those that will be migrated.

What is the main function of Azure Extended Network in this scenario?

A) Create a site-to-site VPN for routing between distinct subnets in Azure and on-premises, enabling automatic NAT of IP addresses.

B) Extend the on-premises subnet to Azure, allowing VMs in Azure to operate with IP addresses from the same range as the local subnet without changing their IP configurations.

C) Replicate the on-premises switch routing table to Azure Route Server, synchronizing BGP prefixes between both environments.

D) Provision an application gateway in Azure that intercepts traffic and replaces source IPs before forwarding packets to migrated VMs.


Question 2 — Technical Scenario

An engineer configured Azure Extended Network between an on-premises datacenter and a VNet in Azure. After configuration, VMs in Azure with extended IPs can communicate with on-premises servers, but return traffic originated on-premises does not reach the VMs in Azure correctly.

Log analysis indicates that routing in the on-premises environment is sending traffic destined for the extended subnet directly to the local default gateway, without forwarding it through the tunnel.

What is the most likely cause of this behavior, and how can it be fixed?

A) The VXLAN tunnel between appliances was not established correctly; the solution is to restart the network extension service on both sides.

B) The extended subnet was not added to VNet peering; it's necessary to enable gateway transit in peering for traffic to be routed correctly.

C) On-premises routing does not have a static route or BGP pointing the extended subnet prefix to the Azure Extended Network appliance on the local side; the route needs to be added to the on-premises network equipment.

D) The Network Security Group (NSG) applied to the VNet subnet is blocking return traffic; just add an inbound rule allowing the on-premises prefix.


Question 3 — True or False

Azure Extended Network uses VXLAN encapsulation to transport Layer 2 traffic between the on-premises environment and Azure, and requires both sides of the extension to run a dedicated VM appliance that acts as the tunnel endpoint.

True or False?


Question 4 — Technical Scenario

An organization successfully deployed Azure Extended Network. The responsible architect now needs to ensure high availability for the Azure Extended Network appliance on the Azure side, since a failure of this VM would interrupt all communication for the extended subnet.

Considering the limitations and deployment model of Azure Extended Network, which approach is technically correct to increase appliance resilience in Azure?

A) Deploy two Azure Extended Network appliances in Azure in an availability set and configure an internal Azure Load Balancer in front of them to distribute VXLAN traffic.

B) Enable Azure Site Recovery on the appliance VM to ensure automatic failover to another region in case of failure.

C) Deploy a second Azure Extended Network appliance in Azure and configure the on-premises appliance to point to both endpoints, using the failover mechanism supported by the solution.

D) Convert the appliance to a Virtual Machine Scale Set with autoscaling based on CPU metrics to ensure continuous availability.


Question 5 — Multiple Choice

When planning the deployment of Azure Extended Network, an architect needs to choose the connectivity mechanism between the on-premises environment and Azure. The solution documentation specifies underlying connectivity requirements.

Which of the options below correctly represents the connectivity prerequisite required by Azure Extended Network?

A) Requires exclusively Azure ExpressRoute with private peering enabled, since VXLAN traffic cannot travel over IPsec-encrypted connections.

B) Requires connectivity between the on-premises environment and Azure through site-to-site VPN or ExpressRoute, with appliances communicating over this already established connectivity.

C) Requires a direct network peering connection (Direct Peering) between the on-premises router and Microsoft Edge, without the need for a VPN gateway.

D) Can operate directly over the public internet without any prior dedicated connectivity, since VXLAN encapsulation provides sufficient isolation and security.


Answer Key and Explanations

Answer Key — Question 1

Answer: B

Azure Extended Network was designed exactly for the lift-and-shift migration scenario where IP address preservation is a requirement. The solution extends the Layer 2 subnet from the on-premises environment into a VNet in Azure, making VMs in Azure behave as if they were connected directly to the same local network segment, without needing IP reconfiguration.

Alternatives A and C describe Layer 3 routing solutions (VPN and BGP), which would require address changes or NAT. Alternative D describes an Application Gateway, which operates at Layer 7 and doesn't solve the IP identity problem for VMs.

The central conceptual error in the distractors is confusing Layer 2 extension with Layer 3 routing: these are approaches with distinct purposes and consequences.


Answer Key — Question 2

Answer: C

The described problem is a classic case of asymmetric routing. Traffic originated from Azure VMs reaches on-premises correctly through the tunnel, but the return fails because the on-premises network equipment doesn't know that the extended subnet prefix now has a path through the local Azure Extended Network appliance. Without a static route (or BGP announcement) pointing that prefix to the appliance, return traffic follows the local default gateway and never enters the tunnel.

Alternative A is plausible but incorrect: the tunnel already works in one direction, which rules out VXLAN establishment failure. Alternative B confuses VNet peering with the on-premises routing problem. Alternative D could be a secondary cause, but an NSG would block traffic arriving at the VM, not on-premises routing, and the described symptom occurs before Azure.
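
The return-path failure explained above can be reproduced with a longest-prefix-match lookup over the on-premises routing table. This is an added example, not part of the original lab; the prefix, appliance and gateway addresses are constructed sample values, and the stale /32 case goes one step beyond the scenario in the question.

```python
import ipaddress

# Constructed sample values (not from the page): prefix, appliance and gateway IPs.
EXTENDED_PREFIX = "10.20.30.0/24"
APPLIANCE = "10.20.0.10"       # on-premises Extended Network appliance (assumed IP)
DEFAULT_GW = "10.20.0.1"       # local default gateway (assumed IP)
AZURE_VMS = ["10.20.30.50", "10.20.30.51"]   # migrated VMs that kept their IPs

def next_hop(routes, dst):
    """Longest-prefix match over (prefix, next_hop) pairs; None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, hop)
    return best[1] if best else None

def misrouted(routes, destinations, appliance):
    """Return {destination: actual_next_hop} for traffic that bypasses the appliance."""
    result = {}
    for dst in destinations:
        hop = next_hop(routes, dst)
        if hop != appliance:
            result[dst] = hop
    return result

# Symptom from the question: no route for the extended prefix, so the
# default/aggregate route wins and return traffic never enters the tunnel.
BEFORE = [("0.0.0.0/0", DEFAULT_GW), ("10.20.0.0/16", DEFAULT_GW)]

# Fix from answer C: a static route for the extended prefix via the appliance.
AFTER = BEFORE + [(EXTENDED_PREFIX, APPLIANCE)]

# Edge case: a leftover host route is more specific than the new /24 and
# keeps that one VM unreachable even after the fix is applied.
STALE = AFTER + [("10.20.30.51/32", DEFAULT_GW)]

if __name__ == "__main__":
    for name, table in (("before", BEFORE), ("after", AFTER), ("stale /32", STALE)):
        print(name, misrouted(table, AZURE_VMS, APPLIANCE))
```

An empty result means every migrated VM address resolves to the appliance as next hop; any entry left in the result names a destination whose return traffic still follows another path.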


Answer Key — Question 3

Answer: True

Azure Extended Network uses VXLAN as the encapsulation mechanism to transport Layer 2 frames over the existing Layer 3 infrastructure between on-premises and Azure. The solution requires deploying a VM appliance on each side of the extension: one in the on-premises environment (Windows Server with Extended Network role enabled via Windows Admin Center) and one in Azure. Each appliance acts as a Virtual Tunnel Endpoint (VTEP) for the VXLAN tunnel.

This detail is relevant for capacity planning and high availability, since appliance failure on either side interrupts all extended Layer 2 communication, making the resilience of these VMs a critical design point.


Answer Key — Question 4

Answer: C

Azure Extended Network supports deploying a second appliance in Azure as a failover mechanism. The on-premises appliance can be configured with two destination endpoints: primary and secondary. In case of primary appliance failure in Azure, traffic is redirected to the secondary.

Alternative A is incorrect because the VXLAN protocol used by Azure Extended Network was not designed to operate behind a standard Load Balancer: load balancing stateful connections with VXLAN presents flow symmetry problems. Alternative B addresses regional disaster recovery, not local high availability, and introduces latency and complexity inappropriate for the scenario. Alternative D is inadequate because a Scale Set adds instances dynamically without coordination with the on-premises appliance, which would break the solution's point-to-point tunnel model.


Answer Key — Question 5

Answer: B

Azure Extended Network doesn't establish connectivity on its own: it depends on already functional underlying network connectivity between on-premises and Azure, either through site-to-site VPN or ExpressRoute. The extension's VXLAN tunnel is transported over this existing connectivity. Appliances on both sides need to reach each other at the IP layer for Layer 2 encapsulation to work.

Alternative A is wrong because the solution also supports VPN, not just ExpressRoute. Alternative C describes Direct Peering from Microsoft Azure Peering Service, which is a different connectivity model and not the solution's requirement. Alternative D is the most dangerous distractor: although VXLAN encapsulates traffic, the solution documentation requires dedicated connectivity and doesn't support direct operation over the public internet, for security reasons as well as latency and reliability concerns for extended Layer 2 traffic.