A subnet is associated with a NAT gateway, but its route table also contains a 0.0.0.0/0 route to a virtual appliance at 10.2.0.4. The business wants all outbound internet traffic from the VMs to use one static public IP, and inspection by the appliance is no longer required. What should the administrator change?

Add a public IP address directly to each virtual machine NIC.

Per-VM public IPs do not provide a single shared outbound address for the entire subnet.

Enable service endpoints for the subnet.

Service endpoints improve access to supported Azure services, but they do not provide a subnet-wide public outbound IP.

Change the NAT gateway to a zone-redundant SKU.

NAT gateway does not use a zone-redundant SKU to solve routing precedence or outbound IP selection.

What does this AZ-104 question test?

CIDR notation defines the prefix length.

What is the correct answer to this question?

The correct answer is: Remove the 0.0.0.0/0 user-defined route from the subnet. — A NAT gateway provides a stable outbound public IP for traffic that reaches the internet, but a user-defined route to a virtual appliance takes precedence for that destination. If 0.0.0.0/0 points to the appliance, the NAT gateway will not be used for general internet traffic. Since inspection is no longer required, the correct fix is to remove the overriding default route so the subnet can use the NAT gateway as intended. Why others are wrong: Adding public IPs to each VM defeats the goal of one shared outbound address. Service endpoints are for private access to Azure PaaS services, not internet egress. NAT gateway behavior is not controlled by a special SKU change; the blocking issue here is the UDR that overrides outbound path selection.

What should I do if I get this AZ-104 question wrong?

Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.