Technical Lab: Associate a route table with a subnet
Questionsβ
Question 1 β Multiple Choiceβ
A network team needs to ensure that all traffic originating from an application subnet is inspected by a Network Virtual Appliance (NVA) before reaching the internet. The system default route (0.0.0.0/0) is still active on the subnet.
What is the correct approach to enforce this behavior?
A) Create a route in the route table with prefix 0.0.0.0/0 and next hop type Internet, associating the route table with the application subnet.
B) Create a route in the route table with prefix 0.0.0.0/0 and next hop type Virtual Appliance pointing to the NVA's private IP, associating the route table with the application subnet.
C) Create a route in the route table with prefix 0.0.0.0/0 and next hop type VNet Gateway, associating the route table with the NVA subnet.
D) Create a route in the route table with prefix 10.0.0.0/8 and next hop type Virtual Appliance, associating the route table with the application subnet.
Question 2 β Technical Scenarioβ
An administrator created a route table with the following custom route and associated it with subnet app-subnet:
Destination prefix : 10.1.0.0/16
Next hop type : Virtual Appliance
Next hop address : 10.0.1.4
After the association, VMs in app-subnet lose connectivity to other subnets within the same VNet (10.0.0.0/16), but the expected behavior was to inspect only traffic destined for 10.1.0.0/16.
What is the most likely cause of the problem?
A) The route table was associated with the wrong subnet; it should be associated with the NVA subnet.
B) The Virtual Appliance next hop is not supported for traffic within the same VNet.
C) The system routes for the VNet address space were replaced by a more specific route in the route table, and the NVA is not forwarding traffic correctly.
D) Azure does not allow route tables to contain routes whose prefix belongs to another VNet's address space.
Question 3 β True or Falseβ
A route table can be associated with multiple subnets within the same VNet or in different VNets, as long as they are in the same region and subscription.
Question 4 β Technical Scenarioβ
An engineer associates a route table with the GatewaySubnet of a VNet to control traffic between the on-premises network and spoke subnets. After the association, the ExpressRoute circuit stops propagating routes correctly to VNet resources.
What is the technical explanation for this behavior?
A) Route tables associated with GatewaySubnet override routes learned via BGP, which can interrupt route propagation from the gateway to subnets.
B) Azure automatically blocks any route table associated with GatewaySubnet if there is an active ExpressRoute circuit.
C) The GatewaySubnet requires that the route table must contain a 0.0.0.0/0 route to work with ExpressRoute.
D) Route tables cannot be created in the same region as an ExpressRoute gateway.
Question 5 β Multiple Choiceβ
Consider two subnets in a VNet: subnet-A with an associated route table containing a route for 192.168.0.0/24 via NVA, and subnet-B with no associated route table.
A VM in subnet-B tries to communicate with 192.168.0.0/24. Which route will be used?
A) The route defined in subnet-A's route table, as it is automatically propagated to all subnets in the VNet.
B) The system default route, as subnet-B has no associated route table and route tables are not shared between subnets.
C) No route, as Azure blocks traffic to external prefixes when there is no route table associated with the source subnet.
D) The most specific route learned via BGP from the VNet gateway, regardless of subnet-A's route table.
Answer Key and Explanationsβ
Answer Key β Question 1β
Answer: B
Overriding the system default route requires a user-defined route (UDR) with the same prefix (0.0.0.0/0). Azure applies the most specific route, and a UDR takes precedence over system routes with the same prefix. The Virtual Appliance next hop redirects traffic to the NVA's private IP before any egress.
Alternative A keeps traffic going directly to the internet without inspection. Alternative C would use the VPN/ExpressRoute gateway as egress, which doesn't meet the objective. Alternative D limits inspection to RFC1918 space and doesn't cover internet traffic, leaving 0.0.0.0/0 intact as a system route.
Answer Key β Question 2β
Answer: C
When a UDR is associated with a subnet, it doesn't operate in isolation: Azure evaluates all available routes and selects the most specific one. If the NVA in the 10.1.0.0/16 route is not configured to forward packets beyond inspecting them (i.e., IP forwarding disabled, or missing internal routes), traffic destined for 10.1.0.0/16 will be silently dropped, causing connectivity loss perceived as comprehensive.
Alternative A confuses the direction of association: the route table should be on the source subnet of traffic to be redirected. Alternative B is incorrect: Virtual Appliance is a valid next hop for intra-VNet traffic. Alternative D is false; Azure allows routes to any IPv4 prefix, including other VNets.
Answer Key β Question 3β
Answer: True
A route table is a resource with regional and subscription scope. It can be associated with any number of subnets within the same region, including in different VNets, as long as they are all in the same subscription. Association is done at the subnet level, and each subnet accepts at most one route table. The same route table object being reused across multiple subnets is a valid and common pattern for centralizing routing policies.
The non-obvious point here is that the limitation is one route table per subnet, not one subnet per route table.
Answer Key β Question 4β
Answer: A
The GatewaySubnet has special behavior: Azure does not recommend associating route tables with it precisely because UDRs can override routes learned dynamically via BGP (used by ExpressRoute and VPN Gateway). When a UDR with a conflicting prefix is applied, the gateway may stop announcing or correctly processing routes received from the on-premises BGP peer.
Alternative B is incorrect: Azure does not automatically block the association, making the error silent and difficult to diagnose. Alternative C is false: there is no requirement for a 0.0.0.0/0 route for ExpressRoute functionality. Alternative D is technically invalid as a general statement.
Answer Key β Question 5β
Answer: B
Route tables are individually associated with subnets and are not propagated between them. subnet-B uses exclusively Azure's default system routes, which include routes for the VNet address space, routes learned via gateway (if enabled), and the default route to internet. No UDR from another subnet influences subnet-B's routing.
Alternative A represents a common misconception: imagining that UDRs work like VNet-wide policies. Alternative C is incorrect: Azure does not block traffic to external prefixes due to absence of a route table; it simply uses system routes. Alternative D may be partially true if the gateway is propagating BGP routes, but this is independent of subnet-A's route table and is not the direct cause of the described behavior.