Microsoft AZ-104 Online Practice Questions and Exam Preparation

Microsoft AZ-104 Online Questions & Answers

• Question 371:

  You have an Azure Kubernetes Service (AKS) cluster that uses Azure CNI.

  You need to ensure that pods can resolve and reach an Azure Storage account that is exposed through a Private Endpoint in the same virtual network.

  A. Create a Private DNS zone for privatelink.blob.core.windows.net and link it to the virtual network
  B. Enable kubenet networking
  C. Create an NSG rule to allow outbound TCP 443 to the Internet
  D. Enable Azure Firewall forced tunneling
  A. Create a Private DNS zone for privatelink.blob.core.windows.net and link it to the virtual network

  ---

  Explanation

  ----------------------------------------------------------------------------------------------------

  Create a Private DNS zone for privatelink.blob.core.windows.net and link it to the virtual network

  ----------------------------------------------------------------------------------------------------

  The AKS cluster uses **Azure CNI** and must resolve/reach a Storage account exposed via a **Private Endpoint** in the same VNet. For Private Endpoints, name resolution must return the **private IP** of the endpoint. The standard pattern is:

  1) Create the matching **Private DNS zone** (for Blob: `privatelink.blob.core.windows.net`) 2) Link it to the VNet so resources in that VNet (including AKS nodes/pods via CNI) resolve the storage FQDN to the private endpoint IP.

  Why the other selections are not correct:

  - Enable kubenet networking: Changing the AKS network plugin is not the DNS fix and is not a typical in-place toggle for an existing cluster.

  - Create an NSG rule to allow outbound TCP 443 to the Internet: Private Endpoint traffic is private; the issue here is DNS resolution to the private endpoint, not Internet egress.

  - Enable Azure Firewall forced tunneling: This is unrelated to Private Endpoint DNS resolution and can complicate routing.

  ----------------------------------------------------------------------------------------------------

  References:

  1. Private Endpoint DNS integration / Private DNS zone patterns https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns Date Modified: Unable to locate date modified Date Accessed: 01/25/2026 2. AKS networking concepts (Azure CNI and VNet integration) https://learn.microsoft.com/en-us/azure/aks/concepts-network Date Modified: Unable to locate date modified Date Accessed: 01/25/2026

  ---------------------------------------------------------------------------------------------------- Microsoft Exam Tips:

  - Private Endpoint questions often reduce to **DNS**: create the `privatelink.*` private DNS zone and link it to the VNet.

  - If pods must resolve private endpoints, ensure the **VNet DNS path** used by AKS nodes/pods can reach the Private DNS zone.

  ---------------------------------------------------------------------------------------------------- Summary:

  Private Endpoint + AKS Azure CNI: ensure correct Private DNS zone and VNet link for name resolution.

  ---------------------------------------------------------------------------------------------------- AZ-104 Exam Objective Hierarchy:

  4.0 Implement and manage virtual networking (15?0%) | |__ 4.2 Configure secure access to virtual networks | |__ 4.2.5 Configure private endpoints for Azure PaaS | |__ 4.3 Configure name resolution and load balancing | |__ 4.3.1 Configure Azure DNS

• Question 372:

  You have an Azure Active Directory (Azure AD) tenant named adatum.com that contains the users shown in the following table.

  

  Adatum.com has the following configurations:

  Users may join devices to Azure AD is set to User1.

  Additional local administrators on Azure AD joined devices is set to None.

  You deploy Windows 10 to a computer named Computer. User1 joins Computer1 to adatum.com.

  You need to identify which users are added to the local Administrators group on Computer1.

  A. User1 only
  B. User1, User2, and User3 only
  C. User1 and User2 only
  D. User1, User2, User3, and User4
  E. User2 only
  C. User1 and User2 only

  ---

  Explanation

  --------------------------------------------------------------------------------

  User1 and User2 only

  --------------------------------------------------------------------------------

  For Microsoft Entra (Azure AD) joined devices:

  - The user who joins the device (User1) is added as a local administrator on that device.

  - Global Administrators (User2) are local administrators on all Microsoft Entra joined devices by default.

  Because "Additional local administrators on Azure AD joined devices" is set to None, no extra roles/users are added beyond the defaults. Therefore, the local Administrators group includes User1 and User2 only. (1)

  Why the other options are not correct:

  - User1 only: misses the default inclusion of Global Administrators. (1)

  - User1, User2, and User3 only: "Cloud device administrator" is not automatically a local admin unless configured in the "Additional local administrators" setting. (1)

  - User1, User2, User3, and User4: same issue-those roles are not added when the setting is None. (1)

  - User2 only: misses the device joiner (User1). (1)

  -------------------------------------------------------------------------------- References:

  1. Microsoft. (2025, June 27). Assign local administrators on Microsoft Entra joined devices. Microsoft Learn. https://learn.microsoft.com/en-us/azure/active-directory/devices/assign-local-admin Last modified: 06/27/2025 Date accessed: 01/25/2026

  -------------------------------------------------------------------------------- Microsoft Exam Tips:

  - Memorize the default: device joiner becomes local admin; Global Admins are local admins unless you change device settings.

  -------------------------------------------------------------------------------- Summary:

  Covers Microsoft Entra joined device defaults and the "Additional local administrators" setting.

  -------------------------------------------------------------------------------- AZ-104 Exam Objective Hierarchy:

  1.0 Manage Azure identities and governance (20?5%) | |__ 1.2 Manage access to Azure resources | |__ 1.2.3 Interpret access assignments

• Question 373:

  DRAG DROP

  You have a Windows 11 device named Device and an Azure subscription that contains the resources shown in the following table.

  

  Device1 has Azure PowerShell and Azure Command-Line Interface (CLI) installed.

  From Device1, you need to establish a Remote Desktop connection to VM1.

  Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

  Select and Place:

  

  

  ---

  Box 1: Upgrade Bastion1 to the Standard SKU.

  Box 2: From Bastion1, select Native Client Support.

  Box 3: From Azure CLI on Device1, run az network bastion rdp.

  Why:

  Scenario: VM1 has NO public IP and is reachable only through VNET1. You must RDP to VM1 from Device1. Device1 has Azure CLI and PowerShell.

  Why these selections are correct (and why order matters):

  1) Upgrade Bastion1 to the Standard SKU.

  - Azure Bastion “native client” (RDP/SSH from your local client via Azure CLI) is an advanced feature that requires the Standard SKU. Basic SKU doesn’t support native client features.

  2) From Bastion1, select Native Client Support.

  - Native client connectivity must be enabled/configured on the Bastion resource for RDP/SSH via local clients.

  3) From Azure CLI on Device1, run az network bastion rdp.

  - This uses the local Windows RDP client (MSTSC) via Azure CLI to establish the RDP session through Bastion to the private VM.

  Why the other actions are not correct:

  - On Device1, run mstsc.exe.

  - Direct MSTSC won’t work because VM1 has no public IP and you’re not establishing a Bastion-native-client tunnel/connection.

  - From Bastion1, enable Kerberos authentication.

  - Not required for standard Bastion native client RDP connectivity.

  - From VM1, enable just-in-time (JIT) VM access.

  - JIT is for controlling inbound access via Defender for Cloud and NSG rules; it doesn’t solve the “no public IP” requirement by itself.

  Microsoft Exam Tips:

  - If you see “Bastion Basic” + “native client/az network bastion rdp”, expect an “upgrade to Standard” step.

  - If a VM has no public IP, don’t pick direct RDP (mstsc) unless there’s a tunneling/native-client step.

  Summary:

  Used Azure Bastion Standard “native client” to RDP to a private VM via Azure CLI.

  AZ-104 Exam Objective Hierarchy:

  4.0 Implement and manage virtual networking (15–20%) |_ 4.2 Configure secure access to virtual networks |_ 4.2.3 Implement Azure Bastion

• Question 374:

  You have an Azure App Services web app named App1.

  You plan to deploy App1 by using Web Deploy.

  You need to ensure that the developers of App1 can use their Azure Active Directory (Azure AD) credentials to deploy content to App1.

  The solution must use the principle of least privilege.

  What should you do?

  A. Configure app-level credentials for FTPS.
  B. Assign the Website Contributor role to the developers.
  C. Assign the Owner role to the developers.
  D. Configure user-level credentials for FTPS.
  B. Assign the Website Contributor role to the developers.

  ---

  Assign the Website Contributor role to the developers.

  To allow developers to deploy to an Azure App Service using their Microsoft Entra ID identities while adhering to least privilege, you assign an appropriate RBAC role at the scope of the web app. The "Website Contributor" role is intended for managing websites (App Services) and supports typical deployment and management actions without granting full Owner permissions.

  Why the other options are not correct:

  - Configure app-level credentials for FTPS: uses deployment credentials, not Entra ID-based RBAC, and does not align with the requirement to use Azure AD credentials.

  - Assign the Owner role: violates least privilege by granting full control including role assignments.

  - Configure user-level credentials for FTPS: still not Entra ID-based RBAC and is broader/less controlled than role assignment.

  Exam Tips:

  - Least privilege on App Service often maps to a specialized built-in role rather than Contributor/Owner.

  - Distinguish "deployment credentials" (publish profile/FTPS) from "RBAC via Entra ID."

  Summary:

  Covers App Service access control for deployment using Azure RBAC and least privilege.

  AZ-104 Exam Objective Hierarchy:

  1.0 Manage Azure identities and governance | |__ 1.2 Manage access to Azure resources | |__ 1.2.1 Manage built-in Azure roles

• Question 375:

  Your company deploys several virtual machines on-premises and to Azure. ExpressRoute is being deployed and configured for on-premises to Azure connectivity.

  Several virtual machines exhibit network connectivity issues.

  You need to analyze the network traffic to identify whether packets are being allowed or denied to the virtual machines.

  Solution: Use Azure Traffic Analytics in Azure Network Watcher to analyze the network traffic.

  Does this meet the goal?

  A. Yes
  B. No
  B. No

  ---

  Explanation

  --------------------------------------------------------------------------------

  No

  --------------------------------------------------------------------------------

  Traffic Analytics (in Network Watcher) is primarily used to visualize and analyze traffic patterns using NSG flow logs at scale (trends, top talkers, geos, etc.). While it can surface flow-log data, the scenario requirement is explicitly to determine whether packets are being allowed or denied to specific VMs as part of troubleshooting. The most direct Network Watcher tool for that "allowed vs denied" determination is IP flow verify / NSG rule evaluation, not Traffic Analytics dashboards.

  Therefore, this solution does not meet the stated goal. (1)(2)

  Why "Yes" is not correct:

  - The proposed feature is not the most direct method for the "allowed/denied" troubleshooting requirement described; Traffic Analytics is oriented toward aggregated insights and visualization, not immediate rule-path verification per flow. (1)(2)

  -------------------------------------------------------------------------------- References:

  1. Microsoft. (n.d.). Azure Network Watcher Traffic Analytics queries (NSG flow logs). Microsoft Learn. https://learn.microsoft.com/en-us/azure/network-watcher/traffic-analytics-query Last modified: Unable to locate in tool output Date accessed: 01/25/2026

  2. Microsoft. (n.d.). IP flow verify (Network Watcher). Microsoft Learn.

  Last modified: Unable to locate in tool output Date accessed: 01/25/2026

  -------------------------------------------------------------------------------- Microsoft Exam Tips:

  - AZ-104 loves "pick the right troubleshooting blade": IP flow verify/NSG effective security rules vs Traffic Analytics vs Connection Monitor.

  - If the question says "allowed or denied," think NSG evaluation tools first.

  -------------------------------------------------------------------------------- Summary:

  Covers Network Watcher troubleshooting: choosing the appropriate tool for allow/deny verification.

  -------------------------------------------------------------------------------- AZ-104 Exam Objective Hierarchy:

  5 Monitor and maintain Azure resources (10?5%) | |__ 5.1 Monitor resources in Azure | |__ 5.1.6 Use Azure Network Watcher and Connection Monitor

• Question 376:

  HOTSPOT

  You have a sync group named Sync1 that has a cloud endpoint. The cloud endpoint includes a file named File1.txt.

  Your on-premises network contains servers that run Windows Server 2016. The servers are configured as shown in the following table.

  

  You add Share1 as an endpoint for Sync1. One hour later, you add Share2 as an endpoint for Sync1.

  For each of the following statements, select Yes if the statement is true. Otherwise, select No.

  NOTE: Each correct selection is worth one point.

  

  

  ---

  On the cloud endpoint, File1.txt is overwritten by File1.txt from Share1:

  No

  On Server1, File1.txt is overwritten by File1.txt from the cloud endpoint:

  No

  File1.txt from Share1 replicates to Share2:

  Yes

  Azure File Sync is designed to synchronize changes between a **cloud endpoint (Azure file share)** and multiple **server endpoints** in a sync group.

  Key concept: **No “blind overwrite” on conflicts**

  - When the same file exists (same name/path) on multiple endpoints, Azure File Sync is designed to avoid simply overwriting one with the other. In conflict scenarios, Azure File Sync keeps both versions by creating a conflict file (instead of overwriting).

  Therefore:

  1) Cloud endpoint overwritten by Share1’s File1.txt --> **No**

  - Because File1.txt already exists in the cloud endpoint. Sync behavior avoids a simple overwrite in a conflict scenario.

  2) Server1 overwritten by cloud endpoint’s File1.txt --> **No**

  - Same reasoning: presence of the same file name/path means you don’t assume “cloud overwrites server” either.

  3) File1.txt from Share1 replicates to Share2 --> **Yes**

  - Once Share1 is in the sync group, its content syncs via the cloud endpoint to other server endpoints (like Share2) after Share2 is added.

  References (APA):

  1. Microsoft Learn. (n.d.). Create a server endpoint for Azure File Sync. https://learn.microsoft.com/en-us/azure/storage/file-sync/file-sync-server-endpoint-create

  - Last updated: Unable to locate on page. Date accessed: 01/27/2026.

  2. Microsoft Learn. (n.d.). Azure Files FAQ. https://learn.microsoft.com/en-us/azure/storage/files/storage-files-faq

  - Last updated: Unable to locate on page. Date accessed: 01/27/2026.

  Microsoft Exam Tips:

  - Azure File Sync = **sync group** with **1 cloud endpoint** + **one or more server endpoints**.

  - If two endpoints have the “same file same path,” don’t assume overwrite; think **conflict handling / both versions preserved**.

  - “Does it appear on the other server endpoint?” Usually **Yes**, once it’s synced to the cloud endpoint and the other endpoint is part of the same sync group.

  Summary:

  This question tested Azure File Sync multi-endpoint behavior: conflict handling (not simple overwrites) and propagation of files across server endpoints within the same sync group.

  AZ-104 Exam Objective Hierarchy:

  2.0 Implement and manage storage (15–20%) |__ 2.3 Configure Azure Files and Azure Blob Storage |__ 2.3.1 Create and configure a file share in Azure Storage account

• Question 377:

  You have an Azure DNS zone named adatum.com.

  You need to delegate a subdomain named research.adatum.com to a different DNS server in Azure.

  What should you do?

  A. Create an NS record named research in the adatum.com zone.
  B. Create an PTR record named research in the adatum.com zone.
  C. Modify the SOA record of adatum.com.
  D. Create an A record named *.research in the adatum.com zone.
  A. Create an NS record named research in the adatum.com zone.

  ---

  Create an NS record named research in the adatum.com zone.

  To "delegate a subdomain" (research.adatum.com) to a different DNS server, you create an "NS record set" in the "parent zone" (adatum.com) for the subdomain label ("research"). The NS record set contains the name server hostnames of the DNS zone that will host the subdomain in Azure (or the target DNS servers).

  Why the other selections are not correct:

  - Create a PTR record named research in the adatum.com zone: PTR is for reverse lookup (IP --> name), not subdomain delegation.

  - Modify the SOA record of adatum.com: SOA defines authoritative zone parameters; it does not delegate a subdomain.

  - Create an A record named *.research: An A record maps a name to an IP; delegation requires NS records, not A records.

  Microsoft Exam Tips:

  - Delegation = "NS record set" in the parent zone for the child/subdomain label.

  - SOA changes do not delegate; PTR is reverse DNS only.

  Summary:

  Delegate a subdomain by creating an NS record set in the parent DNS zone.

  AZ-104 Exam Objective Hierarchy:

  4.0 Implement and manage virtual networking | |__ 4.3 Configure name resolution and load balancing | |__ 4.3.1 Configure Azure DNS

• Question 378:

  Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

  After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

  You have an Azure subscription that contains the following resources:

  1. A virtual network that has a subnet named Subnet1 2. Two network security groups (NSGs) named NSG-VM1 and NSG-Subnet1 3. A virtual machine named VM1 that has the required Windows Server configurations to allow Remote Desktop connections

  NSG-Subnet1 has the default inbound security rules only.

  NSG-VM1 has the default inbound security rules and the following custom inbound security rule:

  1. Priority: 100 2. Source: Any 3. Source port range: * 4. Destination: * 5. Destination port range: 3389 6. Protocol: UDP 7. Action: Allow

  VM1 has a public IP address and is connected to Subnet1. NSG-VM1 is associated to the network interface of VM1. NSG-Subnet1 is associated to Subnet1.

  You need to be able to establish Remote Desktop connections from the internet to VM1.

  Solution: You add an inbound security rule to NSG-Subnet1 that allows connections from the internet source to the VirtualNetwork destination for port range 3389 and uses the UDP protocol.

  Does this meet the goal?

  A. Yes
  B. No
  B. No

  ---

  Explanation

  ----------------------------------------------------------------------------------------------------

  No

  ----------------------------------------------------------------------------------------------------

  The goal is to establish Remote Desktop (RDP) connectivity from the Internet to VM1.

  The proposed solution does NOT meet the goal for two independent reasons:

  1) Wrong protocol for RDP

  - RDP requires TCP port 3389. Microsoft's troubleshooting guidance explicitly references the Remote Desktop firewall rule as "(TCP port 3389)". :contentReference[oaicite:0]{index=0}

  - The solution allows UDP 3389, so it will not enable RDP.

  2) Even if the subnet rule were correct, NIC/subnet evaluation still applies

  - Azure evaluates inbound traffic against NSG rules applied to both the subnet and the NIC (if both exist). For inbound traffic, the evaluation order is subnet NSG first, then NIC NSG; traffic must be allowed by BOTH to reach the VM. :contentReference[oaicite:1]{index=1}

  - In this scenario, NSG-VM1 (NIC NSG) does not have an Allow rule for TCP 3389, and the default DenyAllInbound would block new inbound RDP connections. :contentReference[oaicite:2]{index=2}

  Therefore, the solution does not satisfy the requirement to establish RDP from the Internet to VM1.

  ----------------------------------------------------------------------------------------------------

  References:

  1. Detailed troubleshooting steps for RDP to a Windows VM in Azure | Microsoft Learn https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/windows/detailed-troubleshoot-rdp Date Modified: 2024-07-22 :contentReference[oaicite:3]{index=3} Date Access: 01/23/2026

  2. Azure network security groups overview | Microsoft Learn https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview Date Modified: 2025-07-15 :contentReference[oaicite:4]{index=4} Date Access: 01/23/2026

  3. How network security groups filter network traffic | Microsoft Learn https://learn.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works Date Modified: 2025-07-29 :contentReference[oaicite:5]{index=5} Date Access: 01/23/2026

  ----------------------------------------------------------------------------------------------------

  Microsoft Exam Tips:

  - RDP uses TCP/3389. If you see UDP/3389 in an NSG rule, treat it as a red flag for "RDP from Internet" scenarios. :contentReference[oaicite:6]{index=6}

  - When both a subnet NSG and NIC NSG exist, inbound traffic must be allowed by both. Don't "fix" only one layer and assume it works. :contentReference[oaicite:7]{index=7}

  - Best practice: avoid exposing RDP directly to the Internet; prefer Azure Bastion or tightly restrict Source to your public IP and use Just-In-Time access where applicable.

  ----------------------------------------------------------------------------------------------------

  Summary:

  This question tested NSG rule evaluation (subnet vs NIC) and the correct protocol/port requirements for RDP connectivity from the Internet.

  ----------------------------------------------------------------------------------------------------

  AZ-104 Exam Objective Hierarchy:

  4.0 Implement and manage virtual networking (15?0%) |__ 4.2 Configure secure access to virtual networks |__ 4.2.1 Create and configure network security groups (NSGs) and application security groups |__ 4.2.2 Evaluate effective security rules in NSGs

• Question 379:

  HOTSPOT

  You plan to deploy an Azure container instance by using the following Azure Resource Manager template.

  

  Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the template.

  

  

  ---

  Internet users: can connect to the container from any device

  If Internet Information Services (IIS) in the container fail: the container will restart automatically

  From the ARM template:

  - The container group has ipAddress.type = "Public" and exposes TCP port 80.

  => Any internet client that can reach the public IP on port 80 can connect (OS does not matter).

  - restartPolicy = "OnFailure" => If the container exits due to a failure, Azure Container Instances will automatically restart it.

  So:

  1) Public IP + port 80 => “can connect to the container from any device”

  2) OnFailure => “the container will restart automatically”

  Exam Tips:

  - “Public” IP in ACI means internet reachable (subject to NSGs/filters if present-none shown here).

  - restartPolicy meanings to memorize:

  - Always: always restart

  - OnFailure: restart only on failure exit

  - Never: do not restart

  Summary:

  - Azure Container Instances connectivity (public IP + exposed ports) and restartPolicy behavior.

  AZ-104 Exam Objective Hierarchy:

  3.0 Deploy and manage Azure compute resources (20–25%) |__ 3.3 Create and manage container workloads |__ 3.3.1 Configure Azure Container Instances

• Question 380:

  You have an Azure subscription that contains three virtual networks named VNet1, VNet2, VNet3.

  VNet2 contains a virtual appliance named VM2 that operates as a router.

  1. You are configuring the virtual networks in a hub and spoke topology that uses VNet2 as the hub network.

  2. You plan to configure peering between VNet1 and VNet2 and between VNet2 and VNet3.

  3. You need to provide connectivity between VNet1 and VNet3 through VNet2.

  Which two configurations should you perform? Each correct answer presents part of the solution.

  NOTE: Each correct selection is worth one point.

  A. On the peering connections, allow forwarded traffic.
  B. On the peering connections, allow gateway transit.
  C. Create route tables and assign the table to subnets.
  D. Create a route filter.
  E. On the peering connections, use remote gateways.
  A. On the peering connections, allow forwarded traffic.
  C. Create route tables and assign the table to subnets.

  ---

  Explanation

  -----------------------------------------------------------------------

  On the peering connections, allow forwarded traffic.

  Create route tables and assign the table to subnets.

  -----------------------------------------------------------------------

  You want VNet1 and VNet3 to communicate **through VNet2**, where VM2 is acting as a router/NVA in a hub-and-spoke topology.

  - **Allow forwarded traffic** on the VNet peerings is required so traffic that is forwarded by the NVA (VM2) is permitted across the peering relationships (it is not strictly "direct" traffic originating/terminating in the hub VNet only).

  - **Create route tables (UDRs) and associate them to the spoke subnets** so traffic destined for the other spoke's address space is sent to the NVA (VM2) as the next hop, rather than using system routes.

  Why the other selections are incorrect:

  - Allow gateway transit: This is used to share a **VPN gateway** across peering, not to route via an NVA VM.

  - Create a route filter: Route filters are used with ExpressRoute Microsoft peering scenarios and are not used for hub-spoke NVA routing.

  - Use remote gateways: This is paired with gateway transit for VPN gateway sharing; it does not by itself implement NVA-based spoke-to-spoke routing.

  -----------------------------------------------------------------------

  References:

  1. Virtual network peering properties (ARM/Bicep) ?allowForwardedTraffic https://learn.microsoft.com/en-us/azure/templates/microsoft.network/virtualnetworks/virtualnetworkpeerings Date Modified: Unable to locate date modified Date Accessed: 01/25/2026

  2. Route tables template reference (nextHopType VirtualAppliance and nextHopIpAddress) https://learn.microsoft.com/en-us/azure/templates/microsoft.network/routetables Date Modified: Unable to locate date modified Date Accessed: 01/25/2026

  3. Hub-spoke topology with NVA guidance (conceptual routing requirements) https://learn.microsoft.com/en-us/azure/architecture/networking/architecture/hub-spoke?tabs=cli Date Modified: Unable to locate date modified Date Accessed: 01/25/2026

  -----------------------------------------------------------------------

  Microsoft Exam Tips:

  - Spoke-to-spoke via hub **NVA** typically requires:

  1) UDRs pointing to the NVA (VirtualAppliance next hop) 2) Peering configured to allow forwarded traffic

  - Gateway transit/remote gateways are for VPN gateway sharing, not NVA routing.

  Summary:

  To route VNet1 VNet3 through an NVA in VNet2, enable forwarded traffic on peering and use UDRs to steer traffic to the NVA.

  AZ-104 Exam Objective Hierarchy:

  4.0 Implement and manage virtual networking (15?0%) |__ 4.1 Configure and manage virtual networks in Azure |__ 4.1.2 Create and configure virtual network peering |__ 4.1.4 Configure user-defined network routes