An administrator is deploying a site-to-site VPN gateway in the Azure portal. The deployment fails validation because the gateway does not have a public-facing address to terminate the tunnel. What must be created and associated with the VPN gateway?

A load balancer frontend IP configuration in front of the gateway subnet.

A load balancer is not used to terminate Azure VPN gateway tunnels and does not satisfy the gateway public address requirement.

A NAT gateway attached to GatewaySubnet.

A NAT gateway is for outbound internet translation from subnets, not for creating a VPN tunnel endpoint.

A private endpoint for the virtual network gateway resource.

Private endpoints do not apply to VPN gateways and cannot replace the public endpoint required for S2S connectivity.

What does this AZ-104 question test?

CIDR notation defines the prefix length.

What is the correct answer to this question?

The correct answer is: A public IP address resource associated with the VPN gateway. — A site-to-site VPN gateway needs a public IP address resource so the on-premises device has a public endpoint to connect to. The gateway itself is placed in the dedicated GatewaySubnet, and the public IP is associated during deployment. If that resource is missing, validation fails because Azure cannot expose the tunnel endpoint properly. This is a foundational VPN gateway requirement, separate from tunnel policy or routing details. Why others are wrong: A load balancer does not terminate the VPN tunnel and is not part of the gateway deployment pattern. NAT gateway is unrelated because it only manages outbound SNAT for subnets. Private endpoints are used for private access to supported services, not for VPN gateway termination. The correct fix is specifically the gateway public IP resource.

What should I do if I get this AZ-104 question wrong?

Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.