While preparing for the AZ-104: Microsoft Azure Administrator exam, many candidates struggle with hybrid network connectivity configuration. In the enterprise world, this decision often hinges on balancing secure access requirements with network topology constraints. Let’s drill into a simulated hybrid connectivity scenario.
## The Architecture Drill (Simulated Question)
### Scenario
Tailspin Electronics, a multinational manufacturing company, manages its legacy applications in an Azure subscription containing a virtual network named VNetCore and a virtual network gateway named GWCore, currently configured in policy-based mode. Tailspin’s IT team needs to enable secure point-to-site VPN connections so that remote employees can connect from their laptops directly to the VNetCore resources. This setup must allow seamless and secure access without degrading current site-to-site connectivity.
### Key Requirements
Ensure that remote users can establish point-to-site VPN connections to VNetCore from their personal computers, leveraging the existing virtual network gateway.
### The Options
- A) Add service endpoints to VNetCore
- B) Reset the existing virtual network gateway GWCore
- C) Replace the policy-based gateway with a route-based virtual network gateway
- D) Create a new connection on GWCore for the point-to-site connection
- E) Delete the existing gateway GWCore
- F) Assign a public IP address space directly to VNetCore
### Correct Answer
C) Replace the policy-based gateway with a route-based virtual network gateway
D) Create a new connection on GWCore for the point-to-site connection
## The Architect’s Analysis
### Correct Answer
Option C and Option D.
### Step-by-Step Winning Logic
Tailspin Electronics’ existing gateway is policy-based, and policy-based gateways do not support point-to-site VPN connections. The Microsoft Cloud Adoption Framework recommends route-based VPN gateways for hybrid connectivity scenarios that need flexibility and modern VPN protocols. A gateway’s VPN type cannot be changed after creation, so replacing the policy-based gateway with a route-based gateway (Option C) means recreating it; once that is done, point-to-site connections become possible. Creating a new connection on the gateway (Option D) then establishes the actual VPN endpoint for remote user access.
This design decision touches key pillars of the Well-Architected Framework:
- Reliability: A route-based gateway enables consistent VPN connectivity.
- Security: Route-based gateways support the IKEv2 and OpenVPN tunnel protocols for point-to-site clients, with certificate-based or identity-based client authentication.
- Operational Excellence: Simplifies VPN management and scaling.
### The Traps (Distractor Analysis)
- Why not A? Adding service endpoints extends PaaS service access control but does not enable VPN connectivity from remote devices.
- Why not B? Resetting the gateway does not change its VPN type or capabilities.
- Why not E? Deleting the gateway removes connectivity entirely, which is counterproductive.
- Why not F? Virtual networks cannot be assigned public IP address ranges directly; public IPs are associated with resources like gateways, not VNets.
## The Architect Blueprint
- Mermaid Diagram showing the solution architecture.
- Diagram Note: Remote users connect via a point-to-site VPN to the route-based VPN gateway, which also maintains site-to-site connectivity into the virtual network.
## The Decision Matrix
| Option | Est. Complexity | Est. Monthly Cost | Pros | Cons |
|---|---|---|---|---|
| A | Low | None | Enhances service-level security controls | Does not enable VPN |
| B | Low | None | Simple operation | Does not change VPN type |
| C | Medium (Gateway re-creation) | Standard VPN Gateway charges | Enables point-to-site VPN support | Requires downtime during swap |
| D | Low to Medium | Minor, based on connection | Creates actual VPN endpoint | Needs correct configuration |
| E | High | Saves gateway cost | Removes existing connectivity | Disrupts all VPN traffic |
| F | Low | None | N/A | Not supported; nonfunctional |
Tailspin should plan maintenance windows to replace the gateway with a route-based SKU (e.g., VpnGw1) and then enable the point-to-site connection.
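The gateway swap and point-to-site setup described above, as an added Azure CLI example that is not part of the original article or Microsoft’s documentation; the resource group, public IP name, root certificate file and client address pool are assumptions. Only the pure decision helper runs without an Azure login; the deployment steps run when the script is invoked with `apply`.

```shell
#!/bin/sh
# Added example (not from the article): replace the policy-based GWCore with a
# route-based gateway via Azure CLI, then add the point-to-site configuration.
# Resource group, public IP name, certificate file and client pool are assumptions.
set -eu
RG="${RG:-rg-tailspin}"          # assumed resource group
VNET="VNetCore"
GW="GWCore"
GW_PIP="${GW_PIP:-pip-gwcore}"   # assumed public IP for the recreated gateway
P2S_POOL="172.16.201.0/24"       # constructed client pool; must not overlap VNet or on-prem ranges

# Pure decision helper: only a RouteBased gateway can host a P2S configuration.
# Returns 0 (true) when P2S is possible for the given vpnType, 1 otherwise.
p2s_supported() {
  case "$1" in
    RouteBased) return 0 ;;
    *)          return 1 ;;
  esac
}

# vpnType is immutable after creation, so a policy-based gateway is replaced,
# not updated. Site-to-site connection objects reference the gateway, so they
# must be deleted first and recreated afterwards (the downtime in the matrix).
replace_with_route_based() {
  vpn_type=$(az network vnet-gateway show -g "$RG" -n "$GW" --query vpnType -o tsv)
  if p2s_supported "$vpn_type"; then
    echo "$GW is already $vpn_type; nothing to replace"
    return 0
  fi
  az network vnet-gateway delete -g "$RG" -n "$GW"   # refused while connections still exist
  az network public-ip create -g "$RG" -n "$GW_PIP" --sku Standard --allocation-method Static
  az network vnet-gateway create -g "$RG" -n "$GW" --vnet "$VNET" \
    --public-ip-addresses "$GW_PIP" --gateway-type Vpn --vpn-type RouteBased --sku VpnGw1
  # Recreate each site-to-site connection here with: az network vpn-connection create ...
}

# Point-to-site: client address pool plus IKEv2/OpenVPN tunnels, with clients
# authenticated by a root certificate (Microsoft Entra ID auth is an alternative).
enable_p2s() {
  az network vnet-gateway update -g "$RG" -n "$GW" \
    --address-prefixes "$P2S_POOL" --client-protocol IkeV2 OpenVPN
  az network vnet-gateway root-cert create -g "$RG" --gateway-name "$GW" -n P2SRoot \
    --public-cert-data p2s-root.cer   # assumed Base64 (.cer) export of the root certificate
}

if [ "${1:-}" = "apply" ]; then
  replace_with_route_based
  enable_p2s
fi
```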
## Real-World Practitioner Insight
### Exam Rule
“For the AZ-104 exam, always select a route-based virtual network gateway when you require point-to-site VPN or advanced hybrid connectivity patterns.”
### Real World
Many enterprises maintain legacy policy-based gateways due to historical reasons but quickly learn to replace these with route-based gateways to enable modern connectivity options and align with corporate governance policies on secure remote access.