A subnet uses a route table with gateway route propagation disabled so internet-bound traffic can be forced through a network virtual appliance. After the change, VMs in the subnet can no longer reach servers in the on-premises network 172.16.0.0/16 over the VPN gateway. What should the administrator add to the route table?

A user-defined route for 172.16.0.0/16 with next hop type Internet.

Sending on-premises traffic to the Internet would not reach the private VPN network and would break the intended hybrid path.

An NSG allow rule for TCP 172.16.0.0/16.

NSGs operate on ports and protocols, not destination route selection, so they cannot restore the missing hybrid route.

A service endpoint for the on-premises network range.

Service endpoints are only for supported Azure services and do not apply to arbitrary on-premises prefixes over a VPN gateway.

What does this AZ-104 question test?

CIDR notation defines the prefix length.

What is the correct answer to this question?

The correct answer is: A user-defined route for 172.16.0.0/16 with next hop type Virtual network gateway. — Disabling gateway route propagation removes automatically learned routes, including routes to on-premises networks connected through the VPN gateway. To restore access to 172.16.0.0/16 while preserving the forced-tunneling design, the administrator should add a specific UDR for that prefix with next hop type Virtual network gateway. This reintroduces the hybrid route without changing the rest of the traffic flow. Why others are wrong: B sends the traffic to the wrong next hop and would not reach the private on-premises network. C confuses security filtering with routing; an NSG allow rule does not create connectivity. D is unrelated to on-premises networks and cannot be used for arbitrary private address ranges behind a VPN gateway.

What should I do if I get this AZ-104 question wrong?

Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.