Remote administrators work from home laptops and need secure access to Azure VMs in a virtual network. There is no branch office device to configure, and each administrator should connect individually using Azure-side VPN authentication. Which option should be implemented?

VNet peering between the administrators' home networks and Azure.

Home networks are not Azure VNets, so peering is not a practical or valid connection method here.

An ExpressRoute circuit from each administrator's home internet connection.

ExpressRoute is a private enterprise connection model and is not used for individual home users.

A service endpoint enabled on the VM subnet.

Service endpoints are for access to supported Azure PaaS services, not for remote user connectivity to VMs.

What does this AZ-104 question test?

CIDR notation defines the prefix length.

What is the correct answer to this question?

The correct answer is: A point-to-site VPN connection to an Azure VPN gateway. — Point-to-site VPN is the right fit when individual users need encrypted access to Azure from their own computers and there is no branch device to terminate a site-to-site tunnel. The Azure VPN gateway provides the endpoint in the VNet, and each admin connects as a client over the internet. This gives secure, user-based access to the VMs without requiring additional on-premises networking hardware. Why others are wrong: VNet peering connects Azure virtual networks, not home networks. ExpressRoute is a private WAN connectivity service and is not practical for individual remote administrators. Service endpoints are for PaaS access from Azure subnets and do not provide remote desktop or SSH connectivity into VMs. The requirement is remote client VPN access, which is exactly what point-to-site was built for.

What should I do if I get this AZ-104 question wrong?

Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.