Technical Lab: Design and Implement User-Defined Routes (UDRs)
Questions
Question 1 – Multiple Choice
A network team needs to ensure that all traffic leaving an application subnet towards the internet must pass through a Network Virtual Appliance (NVA) before exiting. The NVA is deployed in a separate subnet within the same VNet.
Which combination of configurations is necessary and sufficient to achieve this objective?
A) Create a UDR in the NVA subnet with the prefix 0.0.0.0/0 pointing to the internet, and associate it with the NVA subnet.
B) Create a UDR in the application subnet with the prefix 0.0.0.0/0 pointing to the NVA's private IP as Virtual Appliance, and associate it with the application subnet.
C) Create a UDR in the application subnet with the prefix 0.0.0.0/0 pointing to the NVA's public IP as Internet, and associate it with the application subnet.
D) Create a UDR in the application subnet with the prefix 0.0.0.0/0 pointing to the NVA's private IP as VNet Local, and enable it in the VNet settings.
Question 2 – Technical Scenario
An administrator configured the following UDR on a subnet:
Destination prefix: 10.2.0.0/16
Next hop type: VirtualNetworkGateway
The local VNet uses the 10.1.0.0/16 address space and is connected via VNet Peering to a remote VNet in the 10.2.0.0/16 space. The VPN gateway is provisioned in the local VNet.
After applying the UDR, VMs in the subnet lose connectivity with the 10.2.0.0/16 VNet. What is the most likely cause?
A) The next hop type VirtualNetworkGateway is invalid for manual routes in UDRs and must be replaced with VirtualAppliance.
B) Peering between VNets does not propagate routes when a UDR is present on the subnet, and the created route overrides the peering's system route without providing a functional path to 10.2.0.0/16.
C) The subnet does not have permission to use VirtualNetworkGateway as next hop because this type is reserved for gateway subnets.
D) The prefix 10.2.0.0/16 is more specific than the peering's system route, so Azure ignores both routes and drops the traffic.
Question 3 – True or False
Statement: It is possible to create a UDR with next hop type VirtualNetworkGateway to force traffic back to a local VPN gateway, even when the target subnet is not the gateway subnet (GatewaySubnet).
True or False?
Question 4 – Technical Scenario
An organization has the following hub-and-spoke topology:
- Hub VNet: contains an NVA at IP 10.0.1.4 and a VPN Gateway
- Spoke VNet A: 10.1.0.0/16, with peering to the hub
- Spoke VNet B: 10.2.0.0/16, with peering to the hub
The requirement is that traffic from Spoke A to Spoke B passes through the NVA in the hub. The administrator created the following UDR and associated it with Spoke A's subnet:
Destination: 10.2.0.0/16
Next hop: VirtualAppliance
Next hop IP: 10.0.1.4
Traffic from Spoke A reaches the NVA, but does not reach Spoke B. What additional configuration is missing?
A) Enable IP Forwarding on the NVA's network interface.
B) Create a UDR in Spoke B with destination 10.1.0.0/16 pointing to the NVA, and associate it with Spoke B's subnet.
C) Add a static route in the hub's VPN gateway pointing to 10.2.0.0/16.
D) Enable the Use Remote Gateway option in Spoke A's peering to the hub.
Question 5 – Multiple Choice
When evaluating how Azure selects the route to be applied when multiple entries overlap in the effective route table of a NIC, which statement correctly describes Azure's behavior?
A) System routes always have priority over UDRs, regardless of prefix length.
B) Azure applies the route with the longest prefix (most specific) that matches the destination; if there's a tie in length, UDRs take precedence over BGP-learned routes, which in turn take precedence over system routes.
C) Azure applies the route with the longest matching prefix to the destination; in case of a tie, system routes take precedence over UDRs.
D) BGP always overrides UDRs because dynamic routes are considered more up-to-date by Azure's control plane.
Answer Key and Explanations
Answer Key – Question 1
Answer: B
The UDR must be associated with the traffic source subnet (application subnet), not the NVA subnet. The prefix 0.0.0.0/0 captures all traffic without a more specific destination, and the correct next hop type to forward traffic to an appliance within the VNet is Virtual Appliance, using the NVA's private IP.
The main conceptual error in the distractors is confusing where the route should be applied (source subnet vs. appliance subnet) and which next hop type to use. Pointing the route at the NVA's public IP with the Internet type bypasses the NVA completely. VNet Local is not a valid next hop type for a UDR in this scenario.
Answer Key – Question 2
Answer: B
UDRs override system routes, including routes automatically generated by VNet Peering. By creating a manual route with destination 10.2.0.0/16 and next hop VirtualNetworkGateway, the administrator replaced the peering's system route with a route that points to the VPN gateway, a path that has no direct connectivity to the remote VNet via peering.
The type VirtualNetworkGateway is valid in UDRs (eliminating alternative A). This type is not exclusive to the GatewaySubnet (eliminating alternative C). The longest prefix match logic doesn't drop both routes; it simply applies the most specific one, which in this case is the incorrect UDR (eliminating alternative D).
Answer Key – Question 3
Answer: True
The next hop type VirtualNetworkGateway can be used in UDRs applied to any subnet, not just the GatewaySubnet. This allows forcing traffic from regular subnets toward the VPN gateway, a pattern used, for example, to redirect traffic between spokes via gateway in hub-and-spoke topologies without NVA.
The common confusion is believing that this hop type is exclusive to the GatewaySubnet. The real restriction is the inverse: the GatewaySubnet is the only subnet where UDRs should not be applied with routes that could break gateway functionality.
Answer Key – Question 4
Answer: A
Traffic reaches the NVA because the UDR in Spoke A is correct. The problem is that the NVA, when receiving a packet destined for 10.2.0.0/16, needs to forward it, but by default Azure drops packets whose destination IP doesn't match the receiving NIC's IP. Enabling IP Forwarding on the NVA's network interface in the Azure portal (or via OS configuration on the NVA) resolves this behavior.
Alternative B describes a configuration necessary for return traffic (Spoke B to Spoke A), but it's not the cause of the described problem. Alternative D (Use Remote Gateway) affects how gateway routes are propagated to the spoke, unrelated to forwarding by the NVA.
Answer Key – Question 5
Answer: B
Azure uses longest prefix match as the primary route selection criterion. When two prefixes have the same length, the precedence is: UDRs > BGP routes > system routes. This behavior ensures that administrator-defined routes can always override automatic behaviors when necessary.
Alternative A reverses the correct priority. Alternative C gets the tiebreaker order wrong. Alternative D represents a common misconception: BGP provides dynamic flexibility, but is deliberately subordinated to UDRs so that the administrator maintains explicit control over network routing.
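The selection rule from Question 5 and the route override from Question 2 can be replayed with a small model of a NIC's effective route table. This is an added example, not code from the lab; the route tables and the NVA address 10.1.1.4 are constructed for illustration.

```python
# Added example (not code from the lab): a small model of how Azure picks one
# route from a NIC's effective route table, replaying Questions 1, 2 and 5.
# Rule modelled: longest prefix match first; on equal prefix length the origin
# precedence is User (UDR) > BGP > Default (system route).
import ipaddress
from dataclasses import dataclass

ORIGIN_RANK = {"User": 0, "BGP": 1, "Default": 2}  # lower rank wins a tie

@dataclass(frozen=True)
class Route:
    prefix: str          # destination prefix, e.g. "10.2.0.0/16"
    next_hop_type: str   # VnetLocal, VNetPeering, Internet, VirtualAppliance, ...
    origin: str          # "Default" (system), "User" (UDR) or "BGP"
    next_hop_ip: str = ""

def select_route(routes, dest_ip):
    """Return the route Azure would apply to dest_ip, or None if nothing matches."""
    ip = ipaddress.ip_address(dest_ip)
    matches = [r for r in routes if ip in ipaddress.ip_network(r.prefix)]
    if not matches:
        return None
    # Most specific prefix first; origin precedence only breaks exact ties.
    return min(matches, key=lambda r: (-ipaddress.ip_network(r.prefix).prefixlen,
                                       ORIGIN_RANK[r.origin]))

def next_hop_for(routes, dest_ip):
    route = select_route(routes, dest_ip)
    return None if route is None else route.next_hop_type

# Constructed route tables. Question 2: the subnet in the 10.1.0.0/16 VNet sees
# its system routes plus the peering route; the administrator then adds the UDR.
Q2_BEFORE_UDR = [
    Route("10.1.0.0/16", "VnetLocal", "Default"),
    Route("10.2.0.0/16", "VNetPeering", "Default"),
    Route("0.0.0.0/0", "Internet", "Default"),
]
Q2_AFTER_UDR = Q2_BEFORE_UDR + [Route("10.2.0.0/16", "VirtualNetworkGateway", "User")]

# Question 1: default route to the NVA (10.1.1.4 is a constructed private IP).
# The /16 system route is more specific than /0, so intra-VNet traffic stays local.
Q1_APP_SUBNET = [
    Route("10.1.0.0/16", "VnetLocal", "Default"),
    Route("0.0.0.0/0", "Internet", "Default"),
    Route("0.0.0.0/0", "VirtualAppliance", "User", "10.1.1.4"),
]

if __name__ == "__main__":
    print(next_hop_for(Q2_BEFORE_UDR, "10.2.0.10"), next_hop_for(Q2_AFTER_UDR, "10.2.0.10"))
```

Before the UDR the peering route wins; after it, the UDR with the same /16 prefix takes the tie, which is exactly why the subnet loses its working path in Question 2.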