
Technical Lab: Create and configure a virtual network gateway

Questions

Question 1 — Multiple Choice

When provisioning a Virtual Network Gateway for an ExpressRoute connection, an architect notices that the aggregate throughput of private connections is approaching the limit supported by the current SKU. He decides to upgrade to a higher SKU.

What is the direct and mandatory consequence of this SKU upgrade process on an existing Virtual Network Gateway?

A) The gateway is recreated internally, causing connectivity interruption from a few minutes to several tens of minutes, depending on the destination SKU.

B) The upgrade is applied in hot-swap mode, without any interruption, as gateways use redundant instances by default.

C) The upgrade requires all associated connections to be deleted and manually recreated after completion.

D) The process is transparent only for gateways in Active-Active mode, but causes complete recreation in Active-Passive mode.


Question 2 — Technical Scenario

A company configured a VPN Gateway with VpnGw1 SKU in Active-Passive mode to connect its on-premises network to Azure via Site-to-Site (S2S). During a scheduled maintenance window, Azure performed an update on the active gateway node. The network team recorded a connectivity drop of approximately 90 seconds.

After maintenance, the manager questions whether this behavior was expected or indicates a configuration failure.

What is the correct explanation for what occurred?

A) The behavior indicates configuration failure. In Active-Passive mode, failover should be imperceptible, as the passive instance takes over immediately without renegotiating tunnels.

B) The behavior is expected. In Active-Passive mode, failover involves promoting the passive instance and renegotiating IKE tunnels, which causes a brief interruption.

C) The behavior indicates that the on-premises VPN device doesn't support IKEv2. Migration to IKEv1 would eliminate the unavailability window.

D) The behavior is expected only when the gateway uses dynamic IP address. Migration to static IP would eliminate interruption during failover events.


Question 3 — True or False

A Virtual Network Gateway of type VPN and one of type ExpressRoute can coexist in the same GatewaySubnet, provided the subnet has a prefix equal to or greater than /27 to accommodate both resources simultaneously.


Question 4 — Technical Scenario

A team is implementing Point-to-Site (P2S) connectivity with certificate authentication to allow remote developers to access resources in a VNet. After completing the configuration, developers report that they can successfully connect the VPN client, but cannot resolve DNS names of virtual machines within the VNet.

The relevant gateway configuration snippet is as follows:

Address pool:   172.16.10.0/24
Tunnel type:    OpenVPN (SSL)
Auth type:      Azure Certificate
DNS servers:    (not configured)
Custom routes:  (not configured)

What is the root cause of the name resolution problem?

A) The OpenVPN tunnel type doesn't support VNet internal DNS resolution; it's necessary to migrate to IKEv2.

B) No DNS server was specified in the P2S gateway configuration. Clients connected via P2S don't automatically inherit DNS servers from the VNet.

C) The cause is the P2S address pool (172.16.10.0/24) overlapping with the VNet address space, corrupting DNS routes.

D) Client certificates don't transmit DNS information during handshake. It's necessary to migrate to Microsoft Entra ID authentication for DNS to work correctly.


Question 5 — Multiple Choice

When designing a high-availability hybrid connectivity solution, an engineer needs to ensure that the VPN Gateway remains functional even during an availability zone failure in the Azure region. He evaluates the available SKUs.

Which combination of SKU and configuration mandatorily meets this requirement?

A) SKU VpnGw2 in Active-Active mode with two Standard type public IP addresses.

B) SKU VpnGw2AZ with Standard type public IP addresses allocated in different zones, in Active-Active mode.

C) SKU VpnGw1 in Active-Passive mode with Standard type public IP address and redundancy configured via Azure Traffic Manager.

D) Any VpnGw SKU is resilient to zone failures by default, as Azure automatically distributes instances across available zones.


Answer Key and Explanations

Answer Key — Question 1

Answer: A

The SKU upgrade process on a Virtual Network Gateway is not transparent. Internally, Azure recreates the gateway with the new SKU, which causes connectivity interruption. Duration typically varies between a few minutes and about 30 to 45 minutes, depending on the source and destination SKU.

The main misconception represented by distractors B and D is assuming that gateway instance redundancy (Active-Active or Active-Passive) protects against structural reconfiguration operations of the resource itself. This redundancy protects against runtime failures, not against lifecycle operations like SKU upgrade. Alternative C is incorrect because existing connections are preserved after upgrade; it's not necessary to recreate them manually.

Planning a maintenance window with prior communication is mandatory for this type of operation in production environments.


Answer Key — Question 2

Answer: B

In Active-Passive mode, the gateway operates with two nodes: one active processing traffic and one passive on standby. When the active node is interrupted by maintenance or failure, the passive node needs to be promoted and IKE tunnels (both IKEv1 and IKEv2) need to be renegotiated with the on-premises device. This process typically takes between 60 and 90 seconds, making the reported behavior expected and documented.

Alternatives A, C, and D represent frequent misconceptions. Alternative A confuses Active-Active mode (where failover is faster because both nodes already maintain active tunnels) with Active-Passive. Alternatives C and D introduce technical causes unrelated to the gateway failover mechanism. If the requirement is to minimize this window, the correct solution is to migrate to Active-Active mode.


Answer Key — Question 3

Answer: False

A VPN gateway and an ExpressRoute gateway cannot share the same GatewaySubnet as two separate instances of one subnet resource. The supported model is the coexistence of VPN and ExpressRoute connections on distinct gateways within the same VNet, each created as a separate resource but both associated with the GatewaySubnet. The minimum recommended GatewaySubnet size for this coexistence is /27; the error in the statement is presenting the two gateways as "coexisting in the same GatewaySubnet" as if prefix size were the only condition. Each gateway is an independent resource that requires its own deployment; the subnet hosts them, but provisioning is separate, and the statement incorrectly reduces the requirement to a capacity condition.


Answer Key — Question 4

Answer: B

Clients connected via Point-to-Site receive an IP address from the P2S pool configured on the gateway, but do not automatically inherit DNS configurations from the VNet. The gateway needs to have DNS servers explicitly defined in the P2S configuration for these addresses to be distributed to clients via tunnel DHCP options.

Alternative A is incorrect because OpenVPN fully supports DNS resolution; tunnel type is not the limiting factor. Alternative C is incorrect because the P2S pool (172.16.10.0/24) operates in separate space and doesn't directly interfere with name resolution unless there's route overlap with DNS resources, which is not described. Alternative D is technically unfounded: the authentication method has no relation to the ability to distribute DNS configurations.

The fix is simple: add the internal VNet DNS server IP address (or Azure DNS, 168.63.129.16) to the DNS section of the gateway's P2S configuration.


Answer Key — Question 5

Answer: B

To ensure resilience to availability zone failures, it's mandatory to use SKUs with the AZ suffix (like VpnGw2AZ, VpnGw3AZ). These SKUs deploy gateway instances in physically separated availability zones. Additionally, associated public IP addresses must be Standard type and must be allocated in distinct zones for end-to-end effective resilience.

Alternative A uses a SKU without the AZ suffix, which doesn't offer zone protection even in Active-Active mode. Active-Active mode with regular SKU protects against instance failure within a single zone, not against entire zone failure. Alternative C is incorrect because Traffic Manager operates at the DNS layer and doesn't replace gateway infrastructure resilience. Alternative D is incorrect: automatic distribution across zones doesn't occur with regular SKUs; it's exclusive to SKUs with the AZ suffix.
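As an added example (not part of the lab), the rules that the answer keys for Questions 3, 4 and 5 rely on, written as a pre-deployment lint over a design description so a reviewer can catch a non-resilient or misconfigured gateway before provisioning. The input schema, the constructed design values and the AZ SKU list beyond the two SKUs named above are assumptions of this example, not an Azure API shape.

```python
import ipaddress

# Assumed set of AZ-suffixed VpnGw SKUs (the answer key names VpnGw2AZ/VpnGw3AZ).
ZONE_SKUS = {"VpnGw1AZ", "VpnGw2AZ", "VpnGw3AZ", "VpnGw4AZ", "VpnGw5AZ"}


def lint_gateway(design):
    """Return findings for a gateway design dict (schema is this example's own)."""
    findings = []
    vnet = [ipaddress.ip_network(p) for p in design["vnet_address_space"]]
    gw_subnet = ipaddress.ip_network(design["gateway_subnet"])
    # Question 3: /27 or larger is the minimum for a VPN and an ExpressRoute
    # gateway to share the GatewaySubnet; a larger prefix number is a smaller subnet.
    if gw_subnet.prefixlen > 27:
        findings.append(f"GatewaySubnet {gw_subnet} is smaller than /27")
    # Question 5: zone resilience needs an AZ SKU, Active-Active, and Standard
    # public IPs that are not all pinned to the same zone.
    if design.get("zone_resilient_required"):
        sku, ips = design["sku"], design["public_ips"]
        if sku not in ZONE_SKUS:
            findings.append(f"SKU {sku} has no AZ suffix; a zone outage stops the gateway")
        if not design.get("active_active") or len(ips) < 2:
            findings.append("zone resilience requires Active-Active with two public IPs")
        for ip in ips:
            if ip["sku"] != "Standard":
                findings.append(f"public IP {ip['name']} must be Standard SKU")
        if len({z for ip in ips for z in ip["zones"]}) < 2:
            findings.append("public IPs are all pinned to one zone")
    # Question 4: P2S clients only get DNS servers set on the gateway, and the
    # client pool must not overlap the VNet address space.
    p2s = design.get("p2s")
    if p2s:
        if not p2s.get("dns_servers"):
            findings.append("P2S has no DNS servers; clients cannot resolve VNet names")
        pool = ipaddress.ip_network(p2s["address_pool"])
        findings += [f"P2S pool {pool} overlaps {p}" for p in vnet if pool.overlaps(p)]
    return findings


# Constructed design: the Question 4 snippet plus option A from Question 5.
EXAMPLE_DESIGN = {
    "vnet_address_space": ["10.0.0.0/16"],
    "gateway_subnet": "10.0.255.0/28",
    "sku": "VpnGw2", "active_active": True, "zone_resilient_required": True,
    "public_ips": [{"name": "pip-a", "sku": "Standard", "zones": ["1"]},
                   {"name": "pip-b", "sku": "Standard", "zones": ["1"]}],
    "p2s": {"address_pool": "172.16.10.0/24", "dns_servers": []},
}
```

Running `lint_gateway(EXAMPLE_DESIGN)` reports four findings (subnet too small, non-AZ SKU, IPs in one zone, no P2S DNS); switching to VpnGw2AZ, a /27, IPs in zones 1 and 2 and a DNS server such as 168.63.129.16 clears them all.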