A web workload in a subnet must use a NAT gateway for outbound internet traffic so the source IP is stable. The subnet currently has a route table with a 0.0.0.0/0 user-defined route to a virtual appliance. What should the administrator change?

Add an NSG outbound allow rule for TCP 80 and TCP 443.

NSGs control allow or deny decisions, but they do not choose the outbound next hop for internet traffic.

Create a private endpoint for the web workload.

Private endpoints are for private access to PaaS services, not for outbound internet source IP control from a subnet.

Enable VNet peering to a hub network with a firewall.

Peering can extend connectivity, but it does not by itself make the subnet use a NAT gateway for outbound internet traffic.

What does this AZ-104 question test?

CIDR notation defines the prefix length.

What is the correct answer to this question?

The correct answer is: Remove or replace the 0.0.0.0/0 UDR to the virtual appliance and associate the NAT gateway with the subnet. — A NAT gateway works at the subnet level and gives outbound internet connections a stable public source IP, but it does not override a custom default route. The 0.0.0.0/0 UDR sends traffic to the virtual appliance instead of the internet path that NAT gateway uses. To meet the requirement, the administrator must remove or change that UDR and associate the NAT gateway with the subnet. Why others are wrong: NSG rules cannot select a next hop or change egress public IP behavior. Private endpoints are for private service access, not internet egress. VNet peering also does not control outbound translation from a subnet. The key issue is the default route, which must be corrected before NAT gateway can take effect.

What should I do if I get this AZ-104 question wrong?

Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.