
Technical Lab: Plan and configure subnetting for services, including virtual network gateways, private endpoints, service endpoints, firewalls, application gateways, VNet-integrated platform services, and Azure Bastion

Questions

Question 1: Multiple Choice

A network team needs to deploy an Azure Application Gateway v2 in an existing VNet. The administrator reserved a /27 subnet for this purpose. During capacity planning, questions arise about the appropriate minimum sizing.

What is the correct behavior of Application Gateway v2 regarding subnet size?

A) A /27 subnet is sufficient for any scale, as Application Gateway v2 reserves at most 10 private IP addresses.

B) Application Gateway v2 can consume more than one IP address per instance during scaling operations, making small subnets an operational risk.

C) Application Gateway v2 requires a dedicated subnet, but size is irrelevant because IPs are allocated dynamically only when there is active traffic.

D) A /27 subnet is sufficient because Application Gateway v2 uses only a single fixed private IP, regardless of the number of instances.


Question 2: Technical Scenario

An architect is designing connectivity for a hybrid environment and needs to deploy a VPN Gateway in the main VNet. When creating the subnet for the gateway, they name it vpn-gateway-subnet and associate a Network Security Group (NSG) with it to restrict management traffic.

After deployment, the gateway fails to provision. What is the most likely cause of the problem?

A) The selected VPN Gateway SKU is not compatible with subnets that have an associated NSG.

B) The gateway subnet must be named GatewaySubnet and cannot have an associated NSG.

C) The gateway failed because the subnet doesn't have a defined route to the gateway's public IP address.

D) The NSG blocked port 443 necessary for the Azure control plane provisioning process.


Question 3: True or False

Statement: A Private Endpoint and a Service Endpoint can coexist in the same subnet, and both allow resources within the VNet to access PaaS services without traffic passing through the public internet. However, only the Private Endpoint assigns a private IP address from the subnet to the destination service, making it also accessible from networks connected via VPN or ExpressRoute without additional routing configuration.

Is this statement true or false?


Question 4: Technical Scenario

A team deployed Azure Bastion in a VNet for secure VM access. The administrator created a subnet called AzureBastionSubnet with a /29 prefix and deployed Bastion with the Basic SKU. A few days later, the team decides to enable features like IP-based connection and tunneling. When trying to update the SKU to Standard, the operation fails.

What is the root cause of the problem?

A) The Bastion Standard SKU is not compatible with subnets created after initial deployment with Basic SKU.

B) The AzureBastionSubnet subnet with /29 prefix doesn't meet the minimum size required for Standard SKU, which requires at least /26.

C) Azure Bastion doesn't allow SKU updates after deployment; the resource must be recreated with the desired SKU.

D) The IP-based connection feature requires a separate and dedicated subnet, independent of the AzureBastionSubnet.


Question 5: Multiple Choice

An organization uses an Azure Storage account (a PaaS service) with a Service Endpoint enabled on the app-subnet subnet. The security team requires the Storage Account to reject any request originating outside this subnet, including access by administrators through the Azure portal from unauthorized public IPs.

Which Storage Account configuration correctly implements this requirement?

A) Enable the Storage Account firewall with the "Allow access from selected networks" option and add only the app-subnet with Service Endpoint enabled.

B) Configure a Private Endpoint on the app-subnet and disable public access to the Storage Account, maintaining the Service Endpoint for data traffic.

C) Enable the Storage Account firewall with the "Allow access from all networks" option and use an NSG on the app-subnet to block outbound traffic to the internet.

D) Configure a Service Endpoint policy on the Storage Account to restrict access only to the subscription where the app-subnet is located.


Answer Key and Explanations

Answer Key: Question 1

Answer: B

Application Gateway v2 operates with autoscaling and can provision multiple instances simultaneously. Each instance consumes a private IP address from the subnet, and during scaling operations, old and new instances coexist temporarily. Microsoft recommends a subnet with at least /24 for production environments, precisely to accommodate scaling peaks without IP address exhaustion.

The main misconception represented by the distractors is treating Application Gateway v2 as a resource with fixed and predictable IP consumption. Alternative A underestimates actual consumption; C ignores that IPs are reserved during instance provisioning, not only during active traffic; D describes non-existent behavior.


Answer Key: Question 2

Answer: B

Azure requires that the subnet intended for any type of virtual network gateway (VPN or ExpressRoute) be named exactly GatewaySubnet. Additionally, associating an NSG with this subnet is explicitly unsupported and can cause provisioning failure or unpredictable behavior, because the Azure control plane needs unrestricted access to this subnet to manage the gateway.

The distractors reflect real misconceptions: alternative A reverses causality, since the problem is not SKU-related; C introduces a routing requirement that does not exist for provisioning; D speculates about a specific port, but the real problem is the structural incompatibility between an NSG and the GatewaySubnet.


Answer Key: Question 3

Answer: True

The statement is correct in all its aspects. Service Endpoints and Private Endpoints can coexist in the same subnet without conflict. Both keep traffic off the public internet, but through different mechanisms: the Service Endpoint optimizes the outbound route to Microsoft's backbone without changing the service's destination address; the Private Endpoint injects a private IP from the subnet into the PaaS service, making it a resource with real presence in the VNet.

This difference in IP representation is what allows the Private Endpoint to be reachable via VPN and ExpressRoute without additional routing configuration, since the destination address is an RFC 1918 IP already known to the VNet routes. A Service Endpoint, by contrast, is not usable by default from remotely connected networks without specific additional configuration.


Answer Key: Question 4

Answer: B

Azure Bastion with Standard SKU requires the AzureBastionSubnet to have a minimum prefix of /26, which provides 64 IP addresses. The Basic SKU tolerates smaller subnets (minimum /26 is also recommended, but /27 may work in limited scenarios). When trying to scale to Standard SKU, Azure validates the subnet size and blocks the operation if the requirement isn't met.

Alternative C is a relevant distractor because many Azure resources indeed don't allow in-place SKU updates, making this option plausible. However, Bastion Standard supports upgrade, provided subnet prerequisites are met. Alternatives A and D describe restrictions that don't exist in product documentation.


Answer Key: Question 5

Answer: A

The combination of the Storage Account firewall in "Allow access from selected networks" mode with the specific subnet that has the Service Endpoint enabled is exactly the mechanism designed for this scenario. When a Service Endpoint is active, the Storage Account can identify the request origin as that subnet and accept or reject it on that basis. Access from unlisted public IPs, including administrators using the portal, is blocked.

Alternative B describes a valid security approach, but it is technically incorrect for this scenario: mixing a Private Endpoint with an active Service Endpoint for the same service creates ambiguity and usually results in the Service Endpoint being implicitly deactivated. Alternative C does not meet the requirement because it allows access from any network at the Storage Account level. Alternative D describes Service Endpoint Policies, which restrict which PaaS resources can be reached from the subnet, not the reverse direction of who can access the Storage Account.
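A pre-flight check for the subnet rules covered in the answer keys above (GatewaySubnet naming and no NSG, AzureBastionSubnet at least /26 for the Standard SKU, a /24 for Application Gateway v2), written here as an added example rather than code from this lab; the Subnet data model, the role names and the sample plan are constructed assumptions, not Azure APIs.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

AZURE_RESERVED = 5  # Azure keeps 5 addresses per subnet (network, broadcast, 3 platform)

@dataclass
class Subnet:
    name: str
    prefix: str                 # CIDR, e.g. "10.10.1.0/26"
    role: str                   # "gateway", "bastion", "appgw_v2" or "general" (our own labels)
    nsg: Optional[str] = None   # associated NSG name, if any
    sku: Optional[str] = None   # Bastion only: "Basic" or "Standard"

def usable_addresses(prefix: str) -> int:
    """Addresses a workload can consume once Azure's reserved ones are removed."""
    return max(ipaddress.ip_network(prefix, strict=True).num_addresses - AZURE_RESERVED, 0)

def check_subnet(s: Subnet) -> List[str]:
    """Findings for one subnet; an empty list means it meets the service prerequisites."""
    findings, bits = [], ipaddress.ip_network(s.prefix, strict=True).prefixlen
    if s.role == "gateway":
        if s.name != "GatewaySubnet":
            findings.append(f"{s.name}: virtual network gateway subnet must be named GatewaySubnet")
        if s.nsg:
            findings.append(f"{s.name}: NSG {s.nsg} is unsupported on GatewaySubnet and can break provisioning")
    elif s.role == "bastion":
        if s.name != "AzureBastionSubnet":
            findings.append(f"{s.name}: Bastion subnet must be named AzureBastionSubnet")
        if s.sku == "Standard" and bits > 26:
            findings.append(f"{s.name}: /{bits} is below the /26 minimum for Bastion Standard SKU")
    elif s.role == "appgw_v2" and bits > 24:
        findings.append(f"{s.name}: /{bits} leaves {usable_addresses(s.prefix)} usable IPs; "
                        "/24 is recommended so autoscaling cannot exhaust the subnet")
    return findings

def check_plan(subnets: List[Subnet]) -> List[str]:
    """Per-subnet checks plus a test that no two prefixes in the VNet overlap."""
    findings = [f for s in subnets for f in check_subnet(s)]
    nets = [(s.name, ipaddress.ip_network(s.prefix, strict=True)) for s in subnets]
    for i, (n1, a) in enumerate(nets):
        for n2, b in nets[i + 1:]:
            if a.overlaps(b):
                findings.append(f"{n1} and {n2} overlap ({a} vs {b})")
    return findings

# Constructed plan reproducing the three failing designs from the questions above.
PLAN = [Subnet("vpn-gateway-subnet", "10.10.0.0/27", "gateway", nsg="mgmt-nsg"),
        Subnet("AzureBastionSubnet", "10.10.0.32/29", "bastion", sku="Standard"),
        Subnet("appgw-subnet", "10.10.0.64/27", "appgw_v2")]
```

Running check_plan(PLAN) reports four findings (wrong gateway subnet name, NSG on the gateway subnet, Bastion subnet too small for Standard, Application Gateway subnet below /24); a plan that fixes them returns an empty list.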