
Technical Lab: Plan and configure shared or dedicated subnets

Questions

Question 1 — Multiple Choice

An architecture team needs to host an Azure Application Gateway v2 and a set of application virtual machines within the same Virtual Network. The requirement is that the Application Gateway does not share a subnet with any other resource.

What is the main technical reason that justifies this requirement for isolation in a dedicated subnet?

A) Application Gateway v2 requires a minimum /24 CIDR block, which would make addressing unfeasible in shared subnets.

B) Subnets shared with Application Gateway cause failure in the Virtual Network's internal DNS resolution.

C) Application Gateway v2 deploys managed instances that need exclusive IP addresses in the subnet, and NSGs with incompatible rules from other resources can break its operation.

D) Azure Policy prevents by default the coexistence of PaaS and IaaS resources in the same subnet.


Question 2 — Technical Scenario

An engineer configures the following subnet to host an Azure Kubernetes Service (AKS) cluster using the Azure CNI network plugin:

VNet: 10.0.0.0/16
Subnet: 10.0.1.0/24 (254 usable addresses)
Planned nodes: 10
Pods per node: 30

After deployment, the cluster enters a partial failure state with IP allocation errors for pods. What is the most likely cause of the problem?

A) AKS with Azure CNI reserves 5 IP addresses per node for internal operations, exhausting the available space before the pods.

B) With Azure CNI, each pod receives an IP directly from the VNet subnet, and 10 nodes with 30 pods each require at least 300 addresses, exceeding the /24 capacity.

C) Subnets smaller than /23 are blocked by Azure for use with AKS in production mode.

D) The AKS CNI plugin reserves a /28 block per node for system IPs, reducing the space available for pods.


Question 3 — True or False

A Network Security Group (NSG) associated with a subnet containing an Azure Bastion correctly blocks external threats if configured to deny all inbound traffic on port 443, except from trusted public internet sources.

True or False?


Question 4 — Technical Scenario

A company needs its Azure SQL Managed Instance to be accessible only from within the corporate Virtual Network, without exposing any public endpoint. The responsible engineer creates an ordinary (non-delegated) /25 subnet and attempts the deployment. The operation fails.

Error: Subnet is not delegated to Microsoft.Sql/managedInstances

After adding the correct delegation, the deployment fails again with another error related to subnet size. What is the combination of requirements that the engineer failed to meet?

A) The delegation must be for Microsoft.Network/virtualNetworks and the minimum CIDR is /27.

B) The delegation for Microsoft.Sql/managedInstances is necessary, and the minimum recommended CIDR is /27 for general-purpose instances.

C) The delegation for Microsoft.Sql/managedInstances is necessary, and the minimum CIDR is /24 to ensure sufficient addresses for internal service operations.

D) The subnet needs delegation and an associated VPN Gateway to isolate Managed Instance traffic.


Question 5 — Multiple Choice

In a hub-and-spoke architecture, the security team requires an Azure Firewall to be provisioned in the hub. The team discusses whether to use a shared subnet with other network resources or create a dedicated one.

Which statement correctly describes the expected behavior of the Azure Firewall subnet?

A) Azure Firewall can share a subnet with Azure VPN Gateway, as long as the NSG allows traffic between them on port 443.

B) The subnet must be named AzureFirewallSubnet, cannot contain any other resource, and does not support an associated NSG.

C) The Azure Firewall subnet accepts an associated NSG, but requires that the default inbound rule AllowAzureLoadBalancerInBound be maintained.

D) Azure Firewall can be deployed in any subnet with at least /26, as long as there are no conflicting User Defined Routes already configured.


Answer Key and Explanations

Answer Key — Question 1

Answer: C

Azure Application Gateway v2 operates with a set of Azure-managed instances that are dynamically allocated in the designated subnet. Each instance needs its own IP address, and the service requires that NSGs applied to the subnet follow specific rules, such as allowing traffic from the GatewayManager and AzureLoadBalancer service tags. If the subnet is shared with other resources, the NSG rules needed for those resources can conflict with the rules required by Application Gateway, causing silent failures or blocked health probes.

Alternative A is partially true in terms of size recommendation, but it is not the technical reason that prevents sharing. Alternatives B and D do not correspond to any real documented behavior of the service.


Answer Key — Question 2

Answer: B

With Azure CNI (advanced networking mode), each pod receives an IP address directly from the VNet subnet address space, unlike kubenet, where pods use a separate internal address space. With 10 nodes and 30 pods per node, at least 300 IPs are needed just for pods, in addition to the IPs of the nodes themselves and the 5 addresses reserved by Azure in every subnet. A /24 offers only 251 usable addresses, which is insufficient.

Alternative A describes a real Azure reservation (5 IPs per subnet, not per node), but this is not the determining factor for exhaustion. Alternative C is false; there is no minimum size restriction per environment in the portal. Alternative D describes fictional behavior.
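The sizing arithmetic behind this answer, generalised into a small calculator, as an added example that is not part of the original lab: it counts one address per node plus one per pod (the Azure CNI model), adds the 5 addresses Azure reserves in every subnet, and derives the smallest prefix that fits. The function names and the optional surge_nodes parameter (extra nodes that appear during upgrades) are assumptions made here, not anything from the scenario.

```python
import ipaddress
import math

# Azure reserves 5 addresses in every subnet, as the answer key above notes;
# this is a per-subnet reservation, not a per-node one.
AZURE_RESERVED_PER_SUBNET = 5


def required_addresses(nodes: int, max_pods_per_node: int, surge_nodes: int = 0) -> int:
    """Total subnet addresses an Azure CNI node pool needs.

    Each node consumes one IP for itself plus one per pod it may host, because
    with Azure CNI pods draw their IPs from the VNet subnet. surge_nodes is an
    assumed extra for nodes that exist temporarily during upgrades (not part
    of the lab scenario; pass 0 to reproduce it). The 5 reserved addresses are
    included so the result can be compared directly with a block size.
    """
    total_nodes = nodes + surge_nodes
    return total_nodes * (1 + max_pods_per_node) + AZURE_RESERVED_PER_SUBNET


def min_prefix_length(addresses: int) -> int:
    """Longest IPv4 prefix (largest /N) whose block still holds `addresses`."""
    if addresses < 1:
        raise ValueError("need at least one address")
    return 32 - math.ceil(math.log2(addresses))


def usable_addresses(subnet: str) -> int:
    """Addresses actually assignable in an Azure subnet after the 5 reserved IPs."""
    net = ipaddress.ip_network(subnet, strict=False)
    return net.num_addresses - AZURE_RESERVED_PER_SUBNET


def subnet_fits(subnet: str, nodes: int, max_pods_per_node: int, surge_nodes: int = 0) -> bool:
    """True when the subnet block is large enough for the node pool."""
    net = ipaddress.ip_network(subnet, strict=False)
    return net.num_addresses >= required_addresses(nodes, max_pods_per_node, surge_nodes)


def smallest_subnet(vnet: str, nodes: int, max_pods_per_node: int, surge_nodes: int = 0) -> str:
    """First subnet of the minimum adequate size carved from the VNet range."""
    vnet_net = ipaddress.ip_network(vnet, strict=False)
    prefix = min_prefix_length(required_addresses(nodes, max_pods_per_node, surge_nodes))
    if prefix < vnet_net.prefixlen:
        raise ValueError(f"pool needs a /{prefix}, which is larger than the VNet {vnet}")
    return str(next(vnet_net.subnets(new_prefix=prefix)))


if __name__ == "__main__":
    # Values from the lab scenario: 10 nodes, 30 pods per node, /24 subnet.
    print(required_addresses(10, 30))               # 315
    print(usable_addresses("10.0.1.0/24"))          # 251
    print(subnet_fits("10.0.1.0/24", 10, 30))       # False
    print(smallest_subnet("10.0.0.0/16", 10, 30))   # 10.0.0.0/23
```

With the scenario's numbers the pool needs 315 addresses against the 256 a /24 provides, so the first block that fits is a /23; the same usable_addresses helper gives the 123 figure the Question 4 answer key quotes for a /25.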


Answer Key — Question 3

Answer: False

Azure Bastion requires a dedicated subnet called AzureBastionSubnet and has specific NSG requirements that include allowing inbound traffic on ports 443 and 8080 from the internet (Internet tag), in addition to inbound traffic from GatewayManager on port 443 and from AzureLoadBalancer. Blocking port 443 from the public internet destroys Bastion functionality, as this is exactly the port through which users connect to the service via browser. The idea of "denying 443 from untrusted sources" seems secure, but Bastion does not operate with fixed and predictable source IPs for end users, making this control incompatible with its operation.


Answer Key — Question 4

Answer: C

Azure SQL Managed Instance requires two mandatory and combined requirements for subnet deployment:

  1. Subnet delegation to Microsoft.Sql/managedInstances, which ensures that the Azure control plane can manage the service's network resources.
  2. Minimum size of /24, as Managed Instance uses a large number of internal IP addresses for replicas, maintenance operations, inter-node communication, and support infrastructure. A /25 offers only 123 usable addresses, insufficient for the service's internal operations.

Alternative B points to /27 as minimum, which would be adequate for other delegated services, but is incorrect for SQL Managed Instance. Alternative A mentions a wrong namespace delegation. Alternative D introduces a non-existent requirement (VPN Gateway).


Answer Key — Question 5

Answer: B

Azure Firewall has three rigid requirements for its subnet:

  1. The name must be exactly AzureFirewallSubnet (case-sensitive).
  2. No other resource can be deployed in the same subnet.
  3. NSGs are not supported on the Azure Firewall subnet. The service itself operates as the central point for traffic inspection and filtering, making an additional NSG redundant and potentially conflicting.

Alternative A is false because Azure Firewall cannot share a subnet with any resource, including VPN Gateway. Alternative C contradicts the rule that NSGs are not supported. Alternative D omits the mandatory naming and subnet exclusivity requirements, which are non-negotiable.
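The dedicated-subnet rules from the answer keys for Questions 3, 4 and 5, turned into a pre-deployment check, as an added example that is not part of the original lab: it flags a wrong subnet name, a shared subnet where exclusivity is required, an NSG on the Azure Firewall subnet, a missing SQL Managed Instance delegation or a too-small prefix, and a Bastion NSG that lacks the inbound 443 allows the page lists. The dataclasses, the workload labels, and the sample plans at the bottom are constructed for this example and are not Azure resource types; only rule presence is checked, NSG priority ordering is not modelled.

```python
from dataclasses import dataclass
from typing import List, Optional

# Names, delegations, sizes and NSG expectations exactly as the answer keys
# above state them. The `workload` labels are assumptions for this example.
REQUIRED_SUBNET_NAME = {
    "firewall": "AzureFirewallSubnet",
    "bastion": "AzureBastionSubnet",
}
# Workloads whose subnet may not hold any other resource.
EXCLUSIVE_WORKLOADS = {"firewall", "appgw_v2"}
SQL_MI_DELEGATION = "Microsoft.Sql/managedInstances"
SQL_MI_MAX_PREFIX_LENGTH = 24          # /24 or a larger block
# Sources that must be allowed inbound on 443 for Bastion to operate.
BASTION_REQUIRED_443_SOURCES = {"Internet", "GatewayManager", "AzureLoadBalancer"}


@dataclass
class NsgRule:
    direction: str   # "Inbound" or "Outbound"
    source: str      # service tag or CIDR
    port: int
    action: str      # "Allow" or "Deny"


@dataclass
class SubnetPlan:
    name: str
    prefix_length: int
    workload: str                                # firewall | bastion | sql_mi | appgw_v2 | generic
    delegation: Optional[str] = None
    other_resources: int = 0                     # resources sharing the subnet
    nsg_rules: Optional[List[NsgRule]] = None    # None means no NSG associated


def allowed_inbound_sources(rules: List[NsgRule], port: int) -> set:
    """Sources with an explicit inbound Allow on `port` (priority not modelled)."""
    return {r.source for r in rules
            if r.direction == "Inbound" and r.port == port and r.action == "Allow"}


def validate(plan: SubnetPlan) -> List[str]:
    """Return the list of rule violations; an empty list means the plan passes."""
    problems = []

    expected = REQUIRED_SUBNET_NAME.get(plan.workload)
    if expected and plan.name != expected:
        problems.append(f"subnet must be named {expected} (case-sensitive), got {plan.name!r}")

    if plan.workload in EXCLUSIVE_WORKLOADS and plan.other_resources > 0:
        problems.append(f"{plan.workload} subnet must not host other resources "
                        f"({plan.other_resources} found)")

    if plan.workload == "firewall" and plan.nsg_rules is not None:
        problems.append("NSGs are not supported on AzureFirewallSubnet")

    if plan.workload == "sql_mi":
        if plan.delegation != SQL_MI_DELEGATION:
            problems.append(f"subnet is not delegated to {SQL_MI_DELEGATION}")
        if plan.prefix_length > SQL_MI_MAX_PREFIX_LENGTH:
            problems.append(f"/{plan.prefix_length} is too small; SQL Managed Instance "
                            f"needs /{SQL_MI_MAX_PREFIX_LENGTH} or larger")

    if plan.workload == "bastion" and plan.nsg_rules is not None:
        missing = BASTION_REQUIRED_443_SOURCES - allowed_inbound_sources(plan.nsg_rules, 443)
        if missing:
            problems.append("Bastion NSG lacks inbound 443 Allow from: " + ", ".join(sorted(missing)))

    return problems


# Constructed sample plans mirroring the lab questions (not real deployments).
SQL_MI_FIRST_ATTEMPT = SubnetPlan("sql-subnet", 25, "sql_mi")            # Question 4: no delegation, /25
FIREWALL_OK = SubnetPlan("AzureFirewallSubnet", 26, "firewall")          # Question 5: name, exclusive, no NSG
BASTION_LOCKED_DOWN = SubnetPlan(                                        # Question 3: 443 denied from Internet
    "AzureBastionSubnet", 26, "bastion",
    nsg_rules=[NsgRule("Inbound", "CorpOffice", 443, "Allow"),
               NsgRule("Inbound", "Internet", 443, "Deny")])

if __name__ == "__main__":
    for plan in (SQL_MI_FIRST_ATTEMPT, FIREWALL_OK, BASTION_LOCKED_DOWN):
        print(plan.name, validate(plan) or ["ok"])
```

Running the sample plans reproduces the lab outcomes: the first SQL Managed Instance attempt is rejected for both the missing delegation and the /25 size, the firewall plan passes, and the locked-down Bastion NSG is flagged because Internet, GatewayManager and AzureLoadBalancer have no inbound 443 allow.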