Technical Lab: Plan and configure subnet delegation

Questions

Question 1 — Multiple Choice

A platform team needs to deploy Azure SQL Managed Instance instances in an existing virtual network. The responsible architect states that it's necessary to create a dedicated subnet and apply subnet delegation before provisioning.

What is the direct technical consequence of applying subnet delegation to a subnet?

A) The subnet starts accepting only resources of the type indicated in the delegation, blocking any other Azure resource, including virtual machines.

B) Azure obtains permission to create and manage auxiliary network resources in the subnet on behalf of the delegated service, such as routes and network security rules.

C) The subnet is isolated from the main virtual network and starts functioning as an independent network segment with its own address space.

D) The Network Security Group associated with the subnet is automatically removed to avoid conflicts with the delegated service policies.


Question 2 — Technical Scenario

An engineer configures subnet delegation for the Microsoft.Web/serverFarms service in a subnet called snet-appservice. After configuration, they try to add a virtual machine to the same subnet and receive the following error:

The subnet 'snet-appservice' is delegated to service 'Microsoft.Web/serverFarms'.
Resources of type 'Microsoft.Compute/virtualMachines' cannot be deployed into this subnet.

Which statement correctly describes the observed behavior?

A) The error occurs because the subnet's Network Security Group has a denial rule for VM management traffic.

B) The error occurs because subnet delegation for Microsoft.Web/serverFarms converts the subnet into a managed service subnet, where only the delegated service can inject network interfaces.

C) The error occurs because the subnet doesn't have sufficient address space to simultaneously host App Service resources and virtual machines.

D) The error occurs because the delegation was applied before the App Service Plan was created, making the configuration invalid.


Question 3 — True or False

A subnet can have subnet delegation configured and, at the same time, have a Network Security Group (NSG) and a User Defined Route (UDR) associated, without this preventing the delegation from functioning.

True or False?


Question 4 — Technical Scenario

A team needs to deploy the Azure Container Instances (ACI) service in virtual network integration mode. The architect proposes the following configuration for the subnet:

Subnet: snet-aci
Address space: 10.1.2.0/26
Delegation: Microsoft.ContainerInstance/containerGroups
NSG: nsg-aci (associated)
Service endpoint: Microsoft.Storage

After provisioning the first container groups, the team observes that new deployments fail with IP address allocation errors.

What is the most likely cause of the problem?

A) The associated NSG is blocking internal DHCP requests used by ACI to allocate addresses.

B) The service endpoint for Microsoft.Storage conflicts with the delegation and prevents IP reservation for new container groups.

C) The /26 space provides only 59 usable addresses and, with the overhead of IPs reserved by Azure and the delegated service, the space was exhausted.

D) The Microsoft.ContainerInstance/containerGroups delegation requires the subnet to use a /24 block as minimum size.


Question 5 — Multiple Choice

In an environment with multiple subnets in the same virtual network, a team needs to delegate different subnets to distinct services: one for Microsoft.Sql/managedInstances and another for Microsoft.Web/serverFarms.

Which statement correctly describes the expected behavior in this scenario?

A) It's not possible to have two subnets with different delegations in the same virtual network, as each VNet accepts only one active delegated service at a time.

B) Each subnet can have at most one active delegation, but different subnets within the same VNet can be delegated to distinct services without conflict.

C) The two delegated subnets automatically start sharing a route table managed by Azure, which can cause route overlap.

D) Delegating two subnets in the same VNet to different services requires each one to be in an address space with /24 prefix or larger.


Answer Key and Explanations

Answer Key — Question 1

Answer: B

Explaining what subnet delegation is requires distinguishing what effectively changes in the control plane. When a subnet is delegated to a service, Azure grants permission for that service to inject managed network resources directly into the subnet, such as virtual network interfaces, specific system routes, and automatic NSG rules, as needed for its operation.

Alternative A is the most common distractor: subnet delegation does not technically prevent coexistence of other resources in all cases. Some delegated services allow coexistence (for example, Microsoft.Web/serverFarms allows other resources in certain contexts), while others impose exclusivity. The behavior depends on the service, not a universal rule of delegation itself.

Alternative C describes network isolation, which doesn't occur through delegation. Alternative D is false: NSGs are not automatically removed by delegation, although some delegated services may create or modify rules within the existing NSG.


Answer Key — Question 2

Answer: B

The presented error is the default behavior of Azure when a subnet delegated to Microsoft.Web/serverFarms (used by App Service VNet integration) receives a deployment attempt of an incompatible resource. Delegation for this service reserves the subnet for injection of network interfaces managed by App Service, making it exclusive for this purpose.

Alternative A describes an NSG problem, but the displayed error is issued by Azure Resource Manager at deployment validation time, before any network rule verification. Alternative C confuses address exhaustion with resource type restriction. Alternative D is technically invalid: the creation order between delegation and App Service Plan doesn't affect configuration validity.


Answer Key — Question 3

Answer: True

Subnet delegation is compatible with NSGs and UDRs associated with the same subnet. Delegation doesn't replace or remove these network controls. In practice, many delegated services require NSGs and UDRs to be present and correctly configured for the service to function.

The non-obvious point here is that some delegated services, like Microsoft.Sql/managedInstances, require specific UDRs and NSGs as a deployment prerequisite. The absence of these controls can prevent provisioning. Therefore, coexistence is not only allowed but often mandatory.


Answer Key — Question 4

Answer: C

A /26 subnet has 64 total addresses. Azure reserves 5 addresses in every subnet (network, broadcast, and three for internal use), resulting in 59 usable addresses. Delegated services like ACI consume IP addresses per deployed container group. In environments with multiple container groups, this space can be quickly exhausted, causing allocation failures.

Alternative A is incorrect because NSGs don't interfere with IP address allocation. Alternative B is incorrect: service endpoints and subnet delegation coexist without direct conflict in IP allocation. Alternative D is a plausible distractor, but ACI doesn't impose a minimum size of /24 as a mandatory delegation requirement. The real problem is addressing capacity, not prefix validation.


Answer Key — Question 5

Answer: B

The subnet delegation model operates at subnet scope, not virtual network scope. A VNet can contain multiple subnets, each with its own independent delegation. Each subnet, however, accepts only one active delegation at a time, which prevents the same subnet from being shared by two distinct delegated services.

Alternative A represents the most frequent misconception: confusing delegation scope (subnet) with a VNet limit. Alternative C is false because route tables managed by delegated services are applied per subnet and don't automatically propagate between distinct subnets. Alternative D imposes a prefix size restriction that doesn't exist as a general delegation rule. Some services have their own size requirements, but this is service-specific, not a universal rule of the delegation functionality.
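The checks discussed in Answer Keys 3, 4 and 5 can be run against a VNet definition before deployment. The following is an added example, not part of the original lab: the subnet data is constructed in the shape of ARM subnet objects, and `planned_ips`, the `snet-sqlmi` subnet, the prefixes other than 10.1.2.0/26 and the short NSG ids are assumptions made for illustration.

```python
import ipaddress

AZURE_RESERVED = 5  # per Answer Key 4: network, broadcast, three internal
# Per Answer Key 3: services that need an NSG and UDR before provisioning.
NEEDS_NSG_AND_UDR = {"Microsoft.Sql/managedInstances"}

# Constructed sample in the shape of ARM subnet objects (not a real export).
SUBNETS = [
    {"name": "snet-aci", "properties": {
        "addressPrefix": "10.1.2.0/26",
        "delegations": [{"properties": {"serviceName": "Microsoft.ContainerInstance/containerGroups"}}],
        "networkSecurityGroup": {"id": "nsg-aci"}}},
    {"name": "snet-sqlmi", "properties": {
        "addressPrefix": "10.1.3.0/27",
        "delegations": [{"properties": {"serviceName": "Microsoft.Sql/managedInstances"}}]}},
    {"name": "snet-appservice", "properties": {
        "addressPrefix": "10.1.4.0/28",
        "delegations": [{"properties": {"serviceName": "Microsoft.Web/serverFarms"}}],
        "networkSecurityGroup": {"id": "nsg-app"}}},
]

def usable_ips(prefix):
    """Addresses left in a subnet after Azure's five reserved ones."""
    total = ipaddress.ip_network(prefix, strict=True).num_addresses
    return max(total - AZURE_RESERVED, 0)

def audit_subnet(subnet, planned_ips=0):
    """planned_ips (hypothetical input): IPs the delegated workload will consume."""
    props = subnet["properties"]
    services = [d["properties"]["serviceName"] for d in props.get("delegations", [])]
    findings = []
    if len(services) > 1:  # Answer Key 5: one active delegation per subnet
        findings.append("more than one delegation on a single subnet")
    capacity = usable_ips(props["addressPrefix"])
    if planned_ips > capacity:  # Answer Key 4: address exhaustion
        findings.append(f"planned {planned_ips} IPs exceeds {capacity} usable")
    for svc in services:
        if svc in NEEDS_NSG_AND_UDR:
            if "networkSecurityGroup" not in props:
                findings.append(f"{svc}: no NSG associated")
            if "routeTable" not in props:
                findings.append(f"{svc}: no route table associated")
    return {"name": subnet["name"], "delegation": services,
            "usable": capacity, "findings": findings}

def audit_vnet(subnets, planned):
    return [audit_subnet(s, planned.get(s["name"], 0)) for s in subnets]

if __name__ == "__main__":
    for row in audit_vnet(SUBNETS, {"snet-aci": 80}):
        print(row)
```
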