Technical Lab: Select an appropriate virtual network gateway SKU for site-to-site VPN requirements
Questionsβ
Question 1 β Multiple Choiceβ
A company needs to implement a site-to-site VPN connection between its on-premises network and Azure. The requirements are: support for dynamic routing (BGP), aggregate bandwidth of up to 650 Mbps, and cost optimization. The environment does not require high availability with availability zones.
Which VPN Gateway SKU meets all these requirements at the lowest cost?
A) Basic
B) VpnGw1
C) VpnGw2
D) VpnGw1AZ
Question 2 β Technical Scenarioβ
A network architect is reviewing the configuration below for an already provisioned VPN Gateway:
Gateway Type : Vpn
VPN Type : PolicyBased
SKU : Basic
Connections : 1 site-to-site connection configured
The team now requires adding a second site-to-site connection for a new business partner. When attempting to create the connection, the operation fails.
What is the most likely cause of the failure?
A) The Basic SKU does not support the Vpn gateway type; it's necessary to use ExpressRoute.
B) The PolicyBased type on Basic SKU supports only a single site-to-site connection.
C) The Basic SKU has been discontinued and does not accept new connections.
D) It's necessary to recreate the gateway with VPN Type RouteBased before adding any connection.
Question 3 β True or Falseβ
A VPN Gateway with VpnGw1AZ SKU offers the same aggregate throughput values and maximum number of site-to-site tunnels as the VpnGw1 SKU, differing exclusively by supporting deployment in Azure Availability Zones.
Question 4 β Technical Scenarioβ
An organization needs a site-to-site VPN Gateway with the following mandatory requirements:
- BGP support
- Active-active connections support
- At least 30 site-to-site tunnels
- Minimum aggregate throughput of 1 Gbps
An engineer proposes the VpnGw2 SKU as the solution. Does this choice meet all requirements?
A) Yes, VpnGw2 supports BGP, active-active, 30 tunnels and offers up to 1.25 Gbps of throughput.
B) No, because VpnGw2 SKU does not support active-active configuration.
C) No, because VpnGw2 SKU supports a maximum of 10 site-to-site tunnels.
D) Yes, but only if the VPN Type is configured as PolicyBased.
Question 5 β Multiple Choiceβ
When comparing SKUs from the VpnGw1 to VpnGw5 family with SKUs from the VpnGw1AZ to VpnGw5AZ family, which statement correctly describes a relevant functional difference for designing a resilient solution?
A) AZ family SKUs support BGP, while non-AZ SKUs do not support it.
B) AZ family SKUs allow the gateway to be deployed with zone redundancy, protecting against datacenter failures within a region.
C) AZ family SKUs offer superior throughput compared to equivalent non-AZ SKUs.
D) Non-AZ SKUs do not support active-active connections, while AZ SKUs support them.
Answer Key and Explanationsβ
Answer Key β Question 1β
Answer: B
The VpnGw1 SKU supports dynamic routing with BGP, offers aggregate throughput of up to 650 Mbps, and does not include the additional cost of zone redundancy from AZ SKUs. The Basic SKU does not support BGP, eliminating it immediately. The VpnGw2 would technically meet requirements, but offers capacity above what's needed (1.25 Gbps) at higher cost, violating the cost optimization criterion. The VpnGw1AZ would meet functional requirements, but the statement explicitly mentions no availability zone requirement, making it an unnecessary expense. The correct choice is always the simplest SKU that satisfies all requirements without excess.
Answer Key β Question 2β
Answer: B
The Basic SKU with PolicyBased VPN Type is limited to exactly one site-to-site connection. This is a design restriction of the PolicyBased type, which uses static traffic policy lists and was not designed for multiple simultaneous connections. Alternative A is incorrect because the Basic SKU does support the Vpn gateway type. Alternative C is incorrect: Basic can still be provisioned, although it's not recommended for new projects. Alternative D confuses the solution with the cause: migrating to RouteBased would be the solution, but it's not the cause of the current failure. Identifying this PolicyBased limitation is critical when sizing gateways for environments with multiple partners.
Answer Key β Question 3β
Answer: True
AZ family SKUs (like VpnGw1AZ) are functionally equivalent to their non-AZ counterparts in terms of maximum throughput, number of supported site-to-site tunnels, and support for BGP and active-active. The only difference is that AZ SKUs allow deployment in Azure Availability Zones, ensuring resilience against physical datacenter failures within a region. This distinction is important: choosing an AZ SKU by assuming it offers more capacity is a common misconception that can incorrectly influence design.
Answer Key β Question 4β
Answer: A
The VpnGw2 SKU supports BGP, active-active configuration, up to 30 site-to-site tunnels, and offers aggregate throughput of up to 1.25 Gbps, satisfying all defined requirements. Alternative B is incorrect: active-active is supported from VpnGw1 onwards. Alternative C confuses the Basic SKU tunnel limit (10 tunnels) with VpnGw2. Alternative D is a distractor that reverses the logic: BGP and active-active require RouteBased type, not PolicyBased. Knowledge of limits per SKU is directly tested in sizing scenarios, where SKU errors impact cost and availability.
Answer Key β Question 5β
Answer: B
AZ family SKUs allow the VPN Gateway to be deployed with availability zone redundancy, which protects connectivity against isolated physical datacenter failures within the same Azure region. The other alternatives represent common misconceptions: BGP and active-active are supported by both families from VpnGw1 onwards, without distinction between AZ and non-AZ (eliminating A and D). Throughput is identical between VpnGw1 and VpnGw1AZ, for example, ruling out C. The decision to use or not use an AZ SKU should be guided exclusively by the requirement for zone failure resilience, not by throughput capacity or routing functionalities.