A company is designing a secure hybrid network architecture. They have an on-premises network connected to Azure via ExpressRoute and a site-to-site VPN as backup. They want to ensure that traffic from Azure to on-premises always uses ExpressRoute when available, but automatically fails over to VPN if ExpressRoute goes down. Which configuration should they implement?
Higher local preference makes ExpressRoute routes preferred; if ExpressRoute fails, VPN routes will be used.
Why this answer
Option D is correct because BGP local preference is an attribute used to influence outbound traffic from an AS. By assigning a higher local preference (e.g., 200) to routes learned via ExpressRoute, Azure will prefer those routes over VPN routes (which default to local preference 100). This ensures that traffic from Azure to on-premises uses ExpressRoute when available, and automatically fails over to the VPN if the ExpressRoute BGP session drops, as the VPN routes will then be selected.
Exam trap
The trap here is that candidates often confuse BGP weight (Cisco-proprietary, local to a router) with local preference (standard, AS-wide) and incorrectly assume that lowering weight on the VPN would achieve the same result as raising local preference on ExpressRoute. Azure does not support Cisco weight, and local preference is the correct attribute for influencing outbound traffic from Azure to on-premises.
How to eliminate wrong answers
Option A is wrong because BGP weight is a Cisco-proprietary attribute that influences inbound traffic on a single router, not outbound traffic from Azure; Azure does not use Cisco weight, and lowering VPN weight would not reliably force ExpressRoute preference.
Option B is wrong because active-active mode with ECMP would load-balance traffic across both connections simultaneously, not provide a primary/backup failover where ExpressRoute is always preferred.
Option C is wrong because disabling BGP on the VPN connection and using static routes with a higher metric would work for simple failover, but it prevents dynamic route propagation and failover detection; BGP provides faster convergence and automatic route withdrawal, which is critical for reliable failover.