A subnet has a user-defined route for 0.0.0.0/0 that sends all outbound traffic to a network virtual appliance for inspection. The business now attaches a NAT gateway to the subnet and wants internet-bound traffic to use the NAT gateway's public IP, while traffic to private corporate prefixes should still go to the appliance. What should the administrator change?
A NAT gateway provides outbound internet translation only for traffic whose effective route has the next hop type Internet, which is the subnet's system default route. If a 0.0.0.0/0 UDR sends traffic to an appliance, that UDR replaces the system default route and the NAT gateway is bypassed. To meet both requirements, remove the 0.0.0.0/0 UDR, keep specific routes for corporate/private prefixes pointing at the appliance, and let internet-bound traffic fall through to the system default route, where the NAT gateway provides stable outbound public IPs.
Why this answer
The 0.0.0.0/0 user-defined route (UDR) sends all outbound traffic to the network virtual appliance (NVA). A NAT gateway provides outbound connectivity with a public IP, but it only applies to packets whose effective route resolves to the next hop type Internet; a 0.0.0.0/0 UDR with next hop Virtual appliance replaces that system default route, so the NAT gateway is never reached. By removing the 0.0.0.0/0 UDR and adding only specific private-prefix routes (e.g., 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) pointing to the NVA, internet-bound traffic falls through to the system default route and uses the NAT gateway, while corporate traffic is still forced through the appliance. Two checks are worth doing after the change: confirm that the virtual network's own address space still resolves to the VirtualNetwork next hop (its system route is a longer prefix than 10.0.0.0/8 and therefore still wins, so intra-VNet traffic is not hairpinned through the NVA), and verify the result with the effective route table of a NIC in the subnet (for example, az network nic show-effective-route-table) rather than reading the route table resource alone.
Exam trap
The trap here is that candidates assume a NAT gateway automatically overrides any existing default route. In Azure, route selection is longest-prefix match first, and when prefixes tie, a user-defined route beats a BGP route, which beats a system route. A 0.0.0.0/0 UDR with next hop Virtual appliance therefore replaces the system default route that the NAT gateway relies on, so the UDR must be removed (or replaced with more specific private-prefix routes) before the NAT gateway can handle internet-bound traffic.
How to eliminate wrong answers
Option A is wrong because a NAT gateway does not override a UDR: routes are chosen by longest prefix match, and between the two 0.0.0.0/0 routes the UDR takes precedence over the system default route, so all traffic would still go to the NVA. Option C is wrong because disabling source NAT (SNAT) on the NVA changes how the appliance forwards traffic to the internet (and would break that path if it were still used), but the goal is to take the NVA out of the internet path entirely, not to modify its SNAT behavior. Option D is wrong because a private endpoint gives an Azure PaaS service a private IP address inside the virtual network so that clients can reach the service privately; it does not provide a public IP and does not route internet-bound packets.
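To make the route-selection argument in the explanation and the elimination section concrete, the following added example (not part of the original page, and not Azure's own implementation) models how Azure picks an effective route: longest prefix match, then origin precedence UDR over System when prefix lengths tie, with the NAT gateway replacing only the Internet next hop. It compares the "before" table (0.0.0.0/0 UDR to the NVA) with the "after" table (RFC 1918 prefixes to the NVA). The VNet address space 10.1.0.0/16, the NVA address 10.1.255.4 and the sample destinations are constructed for the example.

```python
import ipaddress

# Origin precedence when prefix lengths tie: lower rank wins (UDR > BGP > System).
ORIGIN_RANK = {"UDR": 0, "BGP": 1, "System": 2}


class Route:
    def __init__(self, prefix, next_hop, origin):
        self.network = ipaddress.ip_network(prefix)
        self.next_hop = next_hop
        self.origin = origin


def select_route(routes, dst):
    """Return the effective route for dst: longest prefix, then origin precedence."""
    ip = ipaddress.ip_address(dst)
    candidates = [r for r in routes if ip in r.network]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.network.prefixlen, -ORIGIN_RANK[r.origin]))


def effective_next_hop(routes, dst, nat_gateway_attached=True):
    """Resolve dst to a next hop. A NAT gateway only replaces the Internet next hop;
    a Virtual appliance next hop is never touched by it (simplified model)."""
    r = select_route(routes, dst)
    if r is None:
        return "None"
    if r.next_hop == "Internet" and nat_gateway_attached:
        return "NATGateway"
    return r.next_hop


# Constructed system routes for a VNet with address space 10.1.0.0/16.
SYSTEM_ROUTES = [
    Route("10.1.0.0/16", "VirtualNetwork", "System"),
    Route("0.0.0.0/0", "Internet", "System"),
]
NVA = "VirtualAppliance(10.1.255.4)"  # hypothetical NVA address

# Before: a single 0.0.0.0/0 UDR to the appliance.
BEFORE = SYSTEM_ROUTES + [Route("0.0.0.0/0", NVA, "UDR")]

# After: only private corporate prefixes go to the appliance.
AFTER = SYSTEM_ROUTES + [
    Route(p, NVA, "UDR") for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Constructed destinations: intra-VNet, two corporate prefixes, one public address.
TARGETS = ["10.1.2.3", "10.50.0.10", "172.20.1.1", "13.107.42.14"]


def resolve(routes, destinations=TARGETS, nat_gateway_attached=True):
    return {d: effective_next_hop(routes, d, nat_gateway_attached) for d in destinations}


if __name__ == "__main__":
    for label, table in (("before", BEFORE), ("after", AFTER)):
        print(label)
        for dst, hop in resolve(table).items():
            print(f"  {dst:>14} -> {hop}")
```

The "before" table sends the public address to the appliance even with the NAT gateway attached, because the UDR wins the tie against the system default route. The "after" table sends it to the NAT gateway, keeps 10.50.0.10 and 172.20.1.1 on the appliance, and leaves 10.1.2.3 on the VirtualNetwork next hop, since the /16 system route is more specific than the /8 UDR. The equivalent Azure CLI steps are to delete the 0.0.0.0/0 route with az network route-table route delete, create the three private-prefix routes with az network route-table route create using --next-hop-type VirtualAppliance, and attach the NAT gateway with az network vnet subnet update --nat-gateway.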