Question 639 of 1,170
Implement and Manage Virtual NetworkinghardMultiple ChoiceObjective-mapped

Quick Answer

The correct first step is to add a new non-overlapping address space to VNet-B, create replacement subnets there, and migrate workloads gradually. This is necessary because Azure VNet peering requires that the address spaces of peered virtual networks do not overlap; VNet-A’s 10.20.0.0/16 fully contains VNet-B’s 10.20.128.0/17, creating a direct conflict that prevents peering. Since VNet-B cannot be rebuilt from scratch, the only viable solution is to introduce a new, non-overlapping range—such as 10.30.0.0/16—and move workloads into it before removing the overlapping address space, ensuring zero disruption to active workloads. On the AZ-104 exam, this scenario tests your understanding of VNet peering prerequisites and the practical steps for resolving overlapping address spaces without rebuilding; a common trap is assuming you can simply delete the overlapping range first, which would break existing subnets. Memory tip: “Add before you remove—migrate, then peer.”

AZ-104 Implement and Manage Virtual Networking Practice Question

This AZ-104 practice question tests your understanding of implement and manage virtual networking. The scenario asks you to isolate a root cause — eliminate options that address a different problem before choosing. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

A company has VNet-A with address space 10.20.0.0/16 and active workloads in several subnets. The team must peer VNet-A with VNet-B, but VNet-B currently uses 10.20.128.0/17 and cannot be rebuilt from scratch. What should the administrator do first to make peering possible without interrupting current workloads?

Clue words in this question

Noticing these words before you look at the options changes how you read each choice.

  • Clue: "first"

    Why it matters: Order matters here. You are being tested on which action comes before the others — not which action is generally useful.

Question 1hardmultiple choice
Review the full subnetting walkthrough →

Answer choices

Why each option matters

Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.

Correct answer & explanation

Add a new non-overlapping address space to VNet-B, create replacement subnets there, and migrate workloads gradually.

Azure Virtual Network peering requires that the address spaces of the peered VNets do not overlap. VNet-A uses 10.20.0.0/16, which fully contains VNet-B's 10.20.128.0/17, creating an overlap. Since VNet-B cannot be rebuilt, the correct first step is to add a new non-overlapping address space (e.g., 10.30.0.0/16) to VNet-B, create subnets in that new range, migrate workloads gradually, and then remove the overlapping address space before establishing the peering. This ensures no IP conflicts and avoids disrupting existing workloads.

Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • Create the peering now and let Azure automatically route overlapping prefixes.

    Why it's wrong here

    Azure peering does not support overlapping address spaces, even if routing is otherwise correct.

  • Add a new non-overlapping address space to VNet-B, create replacement subnets there, and migrate workloads gradually.

    Why this is correct

    A second non-overlapping range lets you prepare new subnets and move workloads before removing the conflicting range.

    Clue confirmation

    The clue word "first" in the question point toward this answer.

    Related concept

    Read the scenario before looking for a memorised answer.

  • Attach a route table to VNet-B so traffic to VNet-A is forced through a firewall appliance.

    Why it's wrong here

    Route tables do not solve overlapping IP ranges or make peering between conflicting VNets possible.

  • Create a private endpoint between the two VNets so Azure ignores the overlap during connectivity checks.

    Why it's wrong here

    Private endpoints are for PaaS resource access, not for enabling direct VNet-to-VNet peering.

Common exam traps

Common exam trap: answer the scenario, not the keyword

The trap here is that candidates assume Azure can handle overlapping address spaces through routing tricks (like route tables or firewalls), but Azure VNet peering strictly prohibits any address overlap and will reject the peering request outright, forcing you to resolve the conflict by adding a non-overlapping address space and migrating workloads.

Detailed technical explanation

How to think about this question

Azure VNet peering uses a flat routing model where each VNet's system routes are exchanged; overlapping address spaces cause routing conflicts because traffic destined to an overlapping prefix could be routed to either VNet, breaking connectivity. The address space validation occurs at the time of peering creation, and Azure does not support overlapping address spaces even with advanced routing configurations like forced tunneling or network virtual appliances. In real-world scenarios, you might use VNet-to-VNet VPN with NAT to handle overlaps, but that is not a peering solution and requires additional configuration.

KKey Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

TExam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Real-world example

How this comes up in practice

A healthcare organisation deploys an application with a public-facing web tier and a private database tier. The database subnet has no public IP and only accepts connections from the web tier's security group. Questions like this test whether you can design cloud network isolation using VNets/VPCs, subnets, and security group rules.

What to study next

Got this wrong? Here's your next step.

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

Related practice questions

Related AZ-104 practice-question pages

Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.

Practice this exam

Start a free AZ-104 practice session

Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.

FAQ

Questions learners often ask

What does this AZ-104 question test?

Implement and Manage Virtual Networking — This question tests Implement and Manage Virtual Networking — Read the scenario before looking for a memorised answer..

What is the correct answer to this question?

The correct answer is: Add a new non-overlapping address space to VNet-B, create replacement subnets there, and migrate workloads gradually. — Azure Virtual Network peering requires that the address spaces of the peered VNets do not overlap. VNet-A uses 10.20.0.0/16, which fully contains VNet-B's 10.20.128.0/17, creating an overlap. Since VNet-B cannot be rebuilt, the correct first step is to add a new non-overlapping address space (e.g., 10.30.0.0/16) to VNet-B, create subnets in that new range, migrate workloads gradually, and then remove the overlapping address space before establishing the peering. This ensures no IP conflicts and avoids disrupting existing workloads.

What should I do if I get this AZ-104 question wrong?

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

Are there clue words in this question I should notice?

Yes — watch for: "first". Order matters here. You are being tested on which action comes before the others — not which action is generally useful.

What is the key concept behind this question?

Read the scenario before looking for a memorised answer.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →

How Courseiva writes practice questions · Editorial policy

Same concept, more angles

2 more ways this is tested on AZ-104

These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.

Variation 1. An administrator creates a new spoke virtual network with address space 10.100.1.0/24 and tries to peer it to an existing hub virtual network that already uses 10.100.0.0/16. The peering fails. The business wants private connectivity between the hub and spoke. What action should the administrator take first?

medium
  • A.Add a route table to the spoke and point the default route to the hub.
  • B.Change the spoke VNet to a non-overlapping address range before attempting peering again.
  • C.Enable gateway transit on the hub and use the remote gateway from the spoke.
  • D.Deploy a private DNS zone and link it to both VNets.

Why B: VNet peering requires that the address spaces of the peered virtual networks do not overlap. The hub already uses 10.100.0.0/16, which includes the spoke's 10.100.1.0/24 range, causing a conflict. Changing the spoke to a non-overlapping address range, such as 10.200.1.0/24, resolves this and allows the peering to succeed.

Variation 2. A company created a new spoke virtual network with the address space 10.40.1.0/24. The existing hub virtual network already uses 10.40.0.0/16. The administrator must peer the two VNets so resources can communicate normally. What must be changed before peering can succeed?

medium
  • A.Create a route table on the spoke subnet before adding the peering.
  • B.Change the spoke VNet address space to a range that does not overlap the hub.
  • C.Enable gateway transit on the hub peering to permit overlapping spaces.
  • D.Add an NSG rule that allows traffic between the hub and spoke address spaces.

Why B: Azure Virtual Network peering requires that the address spaces of the peered VNets do not overlap. The hub VNet uses 10.40.0.0/16, which includes the spoke's 10.40.1.0/24 range. Overlapping address spaces prevent successful peering because Azure cannot route traffic correctly between overlapping IP ranges. Therefore, the spoke VNet address space must be changed to a non-overlapping range before peering can succeed.

Keep practising

More AZ-104 practice questions

Last reviewed: Jun 11, 2026

Question Discussion

Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.

Loading comments…

Sign in to join the discussion.

This AZ-104 practice question is part of Courseiva's free Microsoft certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the AZ-104 exam.