AZ-104 Show IP Route Output Practice Questions

Explanation: Azure routing uses longest-prefix match. For destination 10.1.1.5, both routes match, but 10.1.1.0/24 is more specific than 10.0.0.0/8. Therefore the virtual network gateway next hop is chosen. This is a common troubleshooting point when broader routes are unexpectedly shadowed by narrower ones or when administrators assume creation order matters. Why others are wrong: Creation order does not determine route selection in Azure. The Internet system route is not preferred when a more specific UDR exists for the destination. Azure does not ignore overlapping route entries; instead, it evaluates matches and applies the most specific prefix.

Explanation: Effective routes are used to inspect the active routing information for a specific VM NIC. They show what Azure will actually use after combining system routes, user-defined routes, and gateway-learned routes. When the problem is an unexpected next hop or a route conflict, this view is more useful than a simple connectivity test because it exposes the exact routing entries that influence packet forwarding. That makes it the right choice here. Why others are wrong: B focuses on NSG decisions, not route selection. C is useful for capturing packets but not for reviewing route tables. D verifies end-to-end connectivity, but it does not provide the detailed route list needed for this troubleshooting task.

Explanation: Diagnostic settings are used to route platform logs and metrics from an Azure resource to destinations such as Log Analytics, Storage, or Event Hubs. For Key Vault, this is the standard way to centralize audit activity and make it searchable later. Because the admin wants both logs and metrics in a Log Analytics workspace, diagnostic settings are the correct configuration on the vault itself. Why others are wrong: Azure Policy can require that diagnostic settings exist, but it does not perform the export. A network security group only filters network traffic and has no role in logging. An action group is for alert delivery, not for collecting or forwarding vault telemetry.

Explanation: Resource Health alerts are the correct monitoring feature when the administrator needs to know that Azure itself has marked a resource as unavailable or degraded. This is different from workload telemetry, because the issue may be in the platform rather than in the application. A Resource Health alert ensures the operations team is notified about platform-level impact even when normal metrics do not reveal the problem. Why others are wrong: Transaction metrics do not reliably signal that Azure has marked the account unhealthy. Diagnostic settings are useful for log collection, but they do not create a health-state alert by themselves. Azure Policy cannot detect runtime availability issues. Resource Health is the feature specifically intended for platform-declared resource availability changes.

Explanation: The 0.0.0.0/0 UDR is forcing all internet traffic to the virtual appliance, which prevents the NAT gateway from being used. NAT gateway applies to outbound internet traffic when a more specific user-defined route does not override it. Removing the default route and retaining only specific private-prefix routes is the correct way to let internet traffic egress through NAT while still steering internal destinations as needed. Why others are wrong: Adding another NAT gateway is not a supported fix and does not address route precedence. NSGs filter traffic but do not decide the next hop. Gateway route propagation only controls whether routes learned from a gateway are added to the effective route table; it does not override a manually configured 0.0.0.0/0 route.