Create User-Defined Route for Traffic to On-Premises Database Server

Question

An app uses a virtual network with two subnets. One subnet is used for the application server. The other subnet is used for a database server. A network virtual appliance (NVA) is used as a firewall.

Traffic destined for one specific address prefix is routed to the NVA and then to an on-premises database server that stores sensitive data. A Border Gateway Protocol (BGP) route is used for the traffic to the on-premises database server.

You need to recommend a method for creating the user-defined route.

Which two options should you recommend? Each correct answer presents a complete solution.

NOTE: Each correct selection is worth one point.

Answers

A. For the virtual network configuration, use a VPN.

B. For the next hop type, use a virtual network peering.

C. For the virtual network configuration, use Azure ExpressRoute.

D. For the next hop type, use a virtual network gateway.

Correct answer: AD

Explanations

You can create custom, or user-defined, routes in Azure to override Azure's default system routes, or to add additional routes to a subnet's route table. You can specify the following next hop types when creating a user-defined route:

-> Virtual appliance: A virtual appliance is a virtual machine that typically runs a network application, such as a firewall.

-> Virtual network gateway: Specify when you want traffic destined for specific address prefixes routed to a virtual network gateway. The virtual network gateway must be created with type VPN. You cannot specify a virtual network gateway created as type ExpressRoute in a user-defined route because with ExpressRoute, you must use BGP for custom routes.

-> None: Specify when you want to drop traffic to an address prefix, rather than forwarding the traffic to a destination.

-> Virtual network: Specify when you want to override the default routing within a virtual network.

-> Internet: Specify when you want to explicitly route traffic destined to an address prefix to the Internet, or if you want traffic destined for Azure services with public IP addresses kept within the Azure backbone network.

Incorrect Answers:

B: You cannot specify VNet peering or VirtualNetworkServiceEndpoint as the next hop type in user-defined routes. Routes with the VNet peering or VirtualNetworkServiceEndpoint next hop types are only created by Azure, when you configure a virtual network peering, or a service endpoint.

C: You cannot specify a virtual network gateway created as type ExpressRoute in a user-defined route because with ExpressRoute, you must use BGP for custom routes.
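As an added example (not part of the question, the answer key, or Microsoft's documentation), the following Python helper models the next hop rules listed above and builds ARM-style route entries for the scenario: the on-premises prefix is sent to the NVA firewall as a VirtualAppliance next hop, and Azure-only next hop types such as VNetPeering are rejected. It also applies the Azure constraint that a next hop IP address is only accepted with the VirtualAppliance type; the prefix 10.50.0.0/16 and NVA address 10.0.2.4 are constructed sample values.

```python
# Added example: model the user-defined route (UDR) next hop rules described
# on this page and build route entries for the question's scenario.
# The on-premises prefix and NVA address used below are constructed values.
from dataclasses import dataclass, asdict
from typing import List, Optional

# Next hop types a user may set in a UDR (the "->" list above).
USER_SPECIFIABLE = {"VirtualAppliance", "VirtualNetworkGateway", "None",
                    "VnetLocal", "Internet"}
# Created only by Azure (peering, service endpoints); never user-specifiable.
AZURE_ONLY = {"VNetPeering", "VirtualNetworkServiceEndpoint"}


@dataclass
class Route:
    name: str
    address_prefix: str
    next_hop_type: str
    next_hop_ip: Optional[str] = None


def validate_route(route: Route, gateway_type: Optional[str] = None) -> List[str]:
    """Return a list of problems; an empty list means the route is valid."""
    problems = []
    if route.next_hop_type in AZURE_ONLY:
        problems.append(f"{route.next_hop_type} cannot be set in a user-defined route")
    elif route.next_hop_type not in USER_SPECIFIABLE:
        problems.append(f"unknown next hop type {route.next_hop_type}")
    # A next hop IP address is required for, and only accepted with, VirtualAppliance.
    if route.next_hop_type == "VirtualAppliance" and not route.next_hop_ip:
        problems.append("VirtualAppliance requires a next hop IP address (the NVA)")
    if route.next_hop_type != "VirtualAppliance" and route.next_hop_ip:
        problems.append("next hop IP address is only valid with VirtualAppliance")
    # An ExpressRoute gateway cannot be a UDR next hop; BGP carries those routes.
    if route.next_hop_type == "VirtualNetworkGateway" and gateway_type == "ExpressRoute":
        problems.append("ExpressRoute gateway cannot be a UDR next hop; use BGP")
    return problems


def build_scenario_routes(onprem_prefix: str, nva_ip: str) -> List[dict]:
    """Routes for the app subnet: send the on-premises prefix through the NVA
    firewall, and blackhole an unused range with the None next hop type."""
    routes = [
        Route("to-onprem-db-via-nva", onprem_prefix, "VirtualAppliance", nva_ip),
        Route("drop-unused-range", "192.0.2.0/24", "None"),
    ]
    for r in routes:
        problems = validate_route(r)
        if problems:
            raise ValueError(f"{r.name}: {'; '.join(problems)}")
    return [asdict(r) for r in routes]
```

Running `build_scenario_routes("10.50.0.0/16", "10.0.2.4")` yields the two route dictionaries ready to be placed in a route table and associated with the application subnet.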

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview

Based on the scenario described in the question, you need to route traffic destined for a specific address prefix to an on-premises database server via a network virtual appliance (NVA) acting as a firewall. To achieve this, you need to create a user-defined route in Azure.

There are different options to implement user-defined routes in Azure, but not all options are suitable for this scenario. Let's analyze each answer and determine whether it is a valid solution or not:

A. For the virtual network configuration, use a VPN. Using a VPN connection to connect the virtual network to the on-premises network is a valid solution. However, this answer does not provide a method for creating the user-defined route, which is the main objective of the question. Therefore, option A is not a complete solution.

B. For the next hop type, use a virtual network peering. Virtual network peering allows two virtual networks to communicate with each other directly. However, this solution does not address the requirement to route traffic to an on-premises database server via a network virtual appliance (NVA). Therefore, option B is not a suitable solution.

C. For the virtual network configuration, use Azure ExpressRoute. Azure ExpressRoute provides a dedicated, private connection between Azure and an on-premises datacenter. This solution can be used to route traffic to an on-premises database server via an NVA. However, this answer does not provide a method for creating the user-defined route, which is the main objective of the question. Therefore, option C is not a complete solution.

D. For the next hop type, use a virtual network gateway. A virtual network gateway can be used to establish a VPN or ExpressRoute connection between Azure and an on-premises datacenter. This solution can be used to route traffic to an on-premises database server via an NVA. You can create a user-defined route with the next hop type set to "Virtual network gateway" and the next hop address set to the IP address of the NVA. This will ensure that traffic destined for the specific address prefix is routed to the NVA and then to the on-premises database server. Therefore, option D is a valid solution and the correct answer.

In summary, the recommended solution is to use a virtual network gateway and create a user-defined route with the next hop type set to "Virtual network gateway" and the next hop address set to the IP address of the NVA.