
Technical Lab: Diagnose and resolve routing issues

Questions

Question 1 — Multiple Choice

A network team configured a User-Defined Route (UDR) in a subnet associating the prefix 0.0.0.0/0 with the next hop pointing to a Network Virtual Appliance (NVA). After the configuration, VMs in this subnet lost connectivity to Azure Storage using the public endpoint.

What is the most likely cause of the problem?

A) Azure Storage does not support routing via NVA and requires direct connection through the internet.

B) The UDR replaced the default system route, forcing Storage traffic to pass through the NVA, which may not be configured to allow this flow.

C) The UDR with prefix 0.0.0.0/0 is invalid and was ignored by Azure, causing default routing failure.

D) The problem is the absence of a Service Endpoint which is mandatory whenever UDRs are used in the subnet.


Question 2 — Technical Scenario

An engineer is diagnosing connectivity between two VMs in distinct VNets connected via VNet Peering. The source VM can ping the destination VM, but cannot reach on-premises resources accessible by the destination VNet, which has a configured VPN Gateway.

The topology is summarized below:

VNet-A (source)
  └── Peering with VNet-Hub
        └── VPN Gateway → On-premises

The peering between VNet-A and VNet-Hub was created, but on-premises traffic does not flow. What is the most likely cause?

A) VNet Peering does not support transitive routing; it is necessary to create a direct peering between VNet-A and the on-premises network.

B) The Use Remote Gateways option is not enabled in the peering on the VNet-A side, and/or Allow Gateway Transit is not enabled on the VNet-Hub side.

C) The VNet-Hub VPN Gateway needs to be recreated to accept traffic from peered VNets.

D) It is necessary to add a UDR in VNet-A with the on-premises prefix pointing to the public IP of the VNet-Hub VPN Gateway.


Question 3 — True or False

When two routes with the same destination prefix are present in the effective routing table of a NIC, one originating from a UDR and another propagated by BGP via VPN Gateway, Azure always prefers the BGP route because it is considered more specific.

True or False?


Question 4 — Technical Scenario

A VM in a subnet with the following effective route table cannot reach the address 10.2.5.10:

Destination prefix   Source type   Next Hop
10.0.0.0/8           BGP           VPN Gateway
10.2.0.0/16          UDR           NVA (10.0.1.4)
10.2.5.0/25          BGP           VPN Gateway
0.0.0.0/0            Default       Internet

The NVA is operational, but the destination 10.2.5.10 is unreachable. What is the correct diagnosis?

A) The BGP route 10.0.0.0/8 is absorbing traffic before any more specific route is evaluated.

B) The UDR 10.2.0.0/16 takes precedence over the BGP route 10.2.5.0/25 and is diverting traffic to the NVA, which may not be forwarding correctly to this destination.

C) Azure ignores BGP routes when a UDR of any prefix is present in the subnet, making 10.2.5.0/25 inactive.

D) The default route 0.0.0.0/0 takes precedence over all others because it is the least specific, absorbing traffic destined for 10.2.5.10.


Question 5 — Multiple Choice

An administrator uses Network Watcher Next Hop to diagnose which path traffic from a VM is being sent. The tool returns the next hop type as None.

What does this result indicate?

A) Traffic is being routed by the default system route towards the internet.

B) The VM does not have a network interface correctly configured in Azure Resource Manager.

C) There is no valid route for the specified destination in the NIC's effective route table, which means Azure will drop the packets.

D) The Next Hop None indicates that the destination is in the same subnet as the VM and no external routing is necessary.


Answer Key and Explanations

Answer Key — Question 1

Answer: B

When a UDR with prefix 0.0.0.0/0 is applied, it replaces the default system route that normally forwards internet traffic directly. All outbound traffic, including traffic destined for the Azure Storage public endpoint, is now directed to the NVA. If the NVA does not have rules allowing this flow or is not configured to forward HTTPS traffic to Storage, connectivity is interrupted.

Alternative D represents a frequent misconception: Service Endpoints and UDRs are independent. Service Endpoints optimize the path to PaaS services, but their absence does not cause failure due to an existing UDR. Alternative C is false because UDRs with 0.0.0.0/0 are perfectly valid in Azure.


Answer Key — Question 2

Answer: B

VNet Peering in Azure is not transitive by default. For traffic from VNet-A to reach on-premises resources via the VNet-Hub gateway, two peering options need to be enabled together:

  • Allow Gateway Transit: enabled in the peering on the VNet-Hub side, allowing the gateway to be shared.
  • Use Remote Gateways: enabled in the peering on the VNet-A side, instructing it to use the remote gateway.

Alternative A confuses "transitive routing via peering" with the need for direct peering with on-premises, which does not exist as a concept in Azure. Alternative D represents a classic misconception: a UDR pointing to the gateway's public IP would break routing, as VNet-to-VNet traffic never uses the gateway's public IP.


Answer Key — Question 3

Answer: False

Azure applies a well-defined hierarchy of precedence between route types. When there is conflict on the same prefix, the order of preference is:

  1. UDR
  2. BGP
  3. Default system routes

Therefore, a UDR always wins over a BGP route, regardless of prefix specificity. The statement reverses this logic, attributing to the BGP route a precedence it does not have. This behavior is relevant in scenarios where a UDR is intentionally created to replace a route learned via BGP from an on-premises gateway.


Answer Key — Question 4

Answer: B

Azure selects routes by longest prefix match first. For destination 10.2.5.10, the candidate prefixes are 10.2.0.0/16 (UDR) and 10.2.5.0/25 (BGP). The /25 prefix is more specific and, under normal conditions, would be preferred. When a UDR and a BGP route conflict on the same prefix, the UDR wins; in this scenario, however, the UDR has a different prefix (/16) from the BGP route (/25), so longest prefix match selects the /25 (BGP). However, if the UDR /16 is being applied instead of the BGP route /25 due to some propagation or configuration issue, traffic goes to the NVA without correct forwarding.

Alternative C represents the most dangerous conceptual error: UDRs do not disable all BGP routes in the subnet; they coexist, and longest prefix match determines which applies per destination.


Answer Key — Question 5

Answer: C

The next hop type None returned by Network Watcher Next Hop indicates that Azure found no valid route for the queried destination. The resulting behavior is silent packet dropping, without generating an ICMP destination unreachable message to the source.

This result is common when the destination prefix is not covered by any route in the NIC's effective table, or when a route with next hop None was explicitly configured in a UDR to block traffic to a specific prefix (black hole route). Alternative D describes the behavior of local subnet traffic, which does not pass through the router and therefore is not evaluated by Next Hop as None, but rather as a local system route.
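
The selection logic described in the answers to Questions 3, 4 and 5, as an added example (not part of the original lab and not Azure's own code): longest prefix match first, then UDR over BGP over default system routes when prefixes are identical, and no result when nothing covers the destination. The function names are hypothetical; the route table is copied from Question 4.

```python
import ipaddress

# Tie-break order for routes with an identical prefix (answer to Question 3).
SOURCE_PRIORITY = {"UDR": 0, "BGP": 1, "Default": 2}

# Effective route table from Question 4: (prefix, source type, next hop).
Q4_ROUTES = [
    ("10.0.0.0/8", "BGP", "VPN Gateway"),
    ("10.2.0.0/16", "UDR", "NVA (10.0.1.4)"),
    ("10.2.5.0/25", "BGP", "VPN Gateway"),
    ("0.0.0.0/0", "Default", "Internet"),
]


def select_route(routes, destination):
    """Return the (prefix, source, next_hop) chosen for destination, or None."""
    dest = ipaddress.ip_address(destination)
    candidates = []
    for prefix, source, next_hop in routes:
        network = ipaddress.ip_network(prefix)
        if dest in network:
            candidates.append((network.prefixlen, prefix, source, next_hop))
    if not candidates:
        # No covering route: the case Next Hop reports as None (Question 5).
        return None
    # Longest prefix first; source type only breaks ties between equal prefixes.
    best = min(candidates, key=lambda c: (-c[0], SOURCE_PRIORITY[c[2]]))
    return best[1:]


def without_prefix(routes, prefix):
    """Copy of routes minus one prefix, e.g. a BGP route that is not propagated."""
    return [r for r in routes if r[0] != prefix]


if __name__ == "__main__":
    # Table as given: the /25 BGP route is the longest match for 10.2.5.10.
    print(select_route(Q4_ROUTES, "10.2.5.10"))
    # /25 missing from the effective table: the /16 UDR sends traffic to the NVA.
    print(select_route(without_prefix(Q4_ROUTES, "10.2.5.0/25"), "10.2.5.10"))
    # Same prefix from both UDR and BGP: the UDR wins (Question 3).
    tied = Q4_ROUTES + [("10.2.5.0/25", "UDR", "NVA (10.0.1.4)")]
    print(select_route(tied, "10.2.5.10"))
    # Destination covered by no route at all.
    print(select_route([("10.0.0.0/8", "BGP", "VPN Gateway")], "192.168.1.1"))
```

Comparing this output with the NIC's actual effective routes shows whether an expected BGP prefix is missing, which is the propagation issue the answer to Question 4 points to.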