AZ-104 · Question #230
AZ-104 Question #230: Real Exam Question with Answer & Explanation
ExpressRoute Routing Configuration — Explanation The Core Problem ADatum needs two-circuit routing with regional preference and automatic failover: ER1 (New York) → primary for East US PaaS traffic ER2 (Los Angeles) → primary for West US PaaS traffic Both circuits must fail
Question
Case Study 4 - ADatum Overview ADatum Corporation is a financial company that has two main offices in New York and Los Angeles. ADatum has a subsidiary named Fabrikam, Inc. that shares the Los Angeles office. ADatum is conducting an initial deployment of Azure services to host new line-of-business applications and is preparing to migrate its existing on-premises workloads to Azure. ADatum uses Microsoft Exchange Online for email. Existing Environment On-Premises Environment The on-premises workloads run on virtual machines hosted in a VMware vSphere 6 infrastructure. All the virtual machines are members of an Active Directory forest named adatum.com and run Windows Server 2016. The New York office uses an IP address space of 10.0.0.0/16. The Los Angeles office uses an IP address space of 10.10.0.0/16. The offices connect by using a VPN provided by an ISP. Each office has one Azure ExpressRoute circuit that provides access to Azure services and Microsoft Online Services. Routing is implemented by using Microsoft peering. The New York office has a virtual machine named VM1 that has the vSphere console installed. Azure Environment You provision the Azure infrastructure by using the Azure portal. The infrastructure contains the resources shown in the following table. AG1 has two backend pools named Pool11 and Pool12. AG2 has two backend pools named Pool21 and Pool22. Requirements Planned Changes ADatum plans to migrate the virtual machines from the New York office to the East US Azure region by using Azure Site Recovery. Infrastructure Requirements ADatum identifies the following infrastructure requirements: A new web app named App1 that will access third-parties for credit card processing must be deployed. A newly developed API must be implemented as an Azure function named App2. App2 will use a blob storage trigger. App2 must process new blobs immediately. The Azure infrastructure and the on-premises infrastructure must be prepared for the migration of the VMware virtual machines to Azure. The sizes of the Azure virtual machines that will be used to migrate the on-premises workloads must be identified. All migrated and newly deployed Azure virtual machines must be joined to the adatum.com domain. AG1 must load balance incoming traffic in the following manner: AG2 must load balance incoming traffic in the following manner: ER1 must route traffic between the New York office and platform as a service (PaaS) services in the East US Azure region, as long as ER1 is available. ER1 must route traffic between the Los Angeles office and the PaaS services in the West US region, as long as ER2 is available. ER1 and ER2 must be configured to fail over automatically. Application Requirements App2 must be available to connect directly to the private IP addresses of the Azure virtual machines. App2 will be deployed directly to an Azure virtual network. Inbound and outbound communications to App1 must be controlled by using NSGs. Pricing Requirements ADatum identifies the following pricing requirements: The cost of App1 and App2 must be minimized The transactional charges of Azure Storage accounts must be minimized Drag and Drop Question You need to configure the Azure ExpressRoute circuits. How should you configure Azure ExpressRoute routing? To answer, drag the appropriate configurations to the correct locations. Each configuration may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content. NOTE: Each correct selection is worth one point. Answer:
Explanation
ExpressRoute Routing Configuration — Explanation
The Core Problem
ADatum needs two-circuit routing with regional preference and automatic failover:
- ER1 (New York) → primary for East US PaaS traffic
- ER2 (Los Angeles) → primary for West US PaaS traffic
- Both circuits must fail over automatically when the other is unavailable
Two BGP mechanisms are needed — one for each traffic direction.
Correct Arrangement & Why
Slot 1 — AS Path Prepending (private AS numbers)
"Use BGP to prepend the private AS numbers to the advertised prefixes."
Direction: On-premises → Azure (outbound from customer)
This controls how Microsoft routes return traffic back to ADatum's on-premises network. When ADatum advertises its prefixes to Microsoft over both circuits, prepending extra private AS numbers on the non-preferred circuit makes that AS path artificially longer. BGP always prefers shorter paths, so Microsoft will route return traffic via the primary circuit.
- ER1 advertises NY prefixes to Microsoft without prepending → preferred (shorter path)
- ER2 advertises the same NY prefixes with AS prepending → backup (longer path)
When ER1 fails, Microsoft automatically falls back to ER2 since it's the only remaining path — this is how automatic failover is achieved.
Note on terminology: The available option says "prepend" and the correct answer says "append" — these refer to the same BGP AS Path Prepending technique. "Prepend" is the standard industry term (you prepend your AS number to the front of the AS_PATH attribute). This appears to be a terminology inconsistency in the question itself.
Slot 2 — BGP Communities + Local Preference
"Use BGP communities to configure BGP's Local Preference."
Direction: Azure → On-premises (inbound from customer's perspective, i.e., choosing which circuit to use to reach PaaS)
Microsoft tags its advertised PaaS prefixes with BGP communities indicating the Azure region (e.g., East US, West US). ADatum's edge routers read these communities and set Local Preference accordingly:
- Routes tagged with East US community received on ER1 → high Local Preference → NY office uses ER1
- Routes tagged with West US community received on ER2 → high Local Preference → LA office uses ER2
When a circuit fails, BGP withdraws those routes and the router automatically uses the remaining circuit — automatic failover again.
Why the Third Option Is Wrong
"Use BGP to append the public AS numbers to the advertised prefixes."
With Microsoft peering, public AS numbers are used in the BGP session itself (you use a public ASN or a Microsoft-assigned one). Appending public AS numbers to advertised prefixes is not a valid or supported technique for influencing route preference in this context — and could cause routing policy violations. Private AS numbers used in prepending are stripped at Microsoft's edge and don't propagate into the public internet.
Common Mistakes
| Mistake | Why It's Wrong |
|---|---|
| Using only Local Preference | Controls only outbound direction; doesn't influence how Microsoft sends return traffic |
| Using only AS prepending | Controls only return path; you still need to control which circuit your own routers prefer for reaching PaaS |
| Confusing "prepend/append" terminology | Both mean AS Path Prepending in this context — the question has inconsistent wording |
| Using public AS numbers for prepending | Public ASNs are not used for path manipulation in customer-to-Microsoft peering scenarios |
Summary
| Mechanism | Controls | Used For |
|---|---|---|
| AS Path Prepending | How Microsoft chooses the return path | Making ER1/ER2 the backup for return traffic |
| BGP Communities + Local Preference | How ADatum's routers choose the outbound path | Preferring the regional circuit for reaching PaaS |
Both together give you full bidirectional regional routing with automatic failover.
Topics
Community Discussion
No community discussion yet for this question.