Network Connectivity Design — Azure Administrator (AZ-104)
Private line and VPN solve different problems at different costs
The scenario describes a financial firm needing consistent sub-10ms latency for a hybrid workload with a compliance requirement for traffic isolation. Candidates select VPN Gateway because it establishes a secure tunnel. What the exam tests is whether you recognize that VPN Gateway traverses the public internet and cannot guarantee latency or provide the physical isolation that frameworks like PCI-DSS demand. ExpressRoute delivers a dedicated private circuit — the compliance and latency constraints together eliminate VPN as a valid answer.
What This Pattern Tests
Network connectivity questions test whether you match the connectivity model to the topology requirement. Few connections need simple peering. Many connections need a central hub. On-premises connectivity needs VPN or dedicated links depending on bandwidth and latency requirements.
Decision Axis
Topology complexity and bandwidth requirements determine the connectivity approach.
Decision Rules
Whether to route inter-spoke traffic via hub-spoke VNet peering plus spoke-subnet UDRs pointing to the hub NVA, or to provision direct full-mesh peering between all spoke VNets.
Whether full-mesh VNet peering or hub-spoke VNet peering with UDRs better satisfies all-to-all connectivity for a growing VNet fleet when the dominant constraint is cost scaling.
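The two decision rules above, as an added example (not part of the original page): a small planner that builds the peering links and spoke UDRs for each design, so the growth in link count and the spoke pairs that bypass the hub NVA can be compared. The VNet names, address prefixes, NVA address and summary prefix are constructed assumptions, and peering-link count stands in for cost.

```python
from ipaddress import ip_network
from itertools import combinations

# Constructed sample fleet: every name, prefix and the NVA address is an assumption.
HUB = {"name": "hub", "prefix": "10.0.0.0/16", "nva_ip": "10.0.1.4"}
SPOKES = {"spoke1": "10.1.0.0/16", "spoke2": "10.2.0.0/16",
          "spoke3": "10.3.0.0/16", "spoke4": "10.4.0.0/16"}
SUMMARY = "10.0.0.0/8"  # assumed supernet covering all spoke prefixes


def check_address_space(spokes, hub):
    """Peered VNets must not overlap; return the overlapping pairs (empty when valid)."""
    nets = {**spokes, hub["name"]: hub["prefix"]}
    return [(a, b) for a, b in combinations(sorted(nets), 2)
            if ip_network(nets[a]).overlaps(ip_network(nets[b]))]


def full_mesh(spokes):
    """Direct peering for every spoke pair; each pair needs a link in both VNets."""
    links = [l for a, b in combinations(sorted(spokes), 2) for l in ((a, b), (b, a))]
    return {"peering_links": links, "routes": [], "uninspected_pairs": len(links) // 2}


def hub_spoke(spokes, hub, summary=SUMMARY):
    """Spokes peer only with the hub; one UDR per spoke sends other-spoke traffic to the NVA."""
    if not all(ip_network(p).subnet_of(ip_network(summary)) for p in spokes.values()):
        raise ValueError("summary route does not cover every spoke prefix")
    links, routes = [], []
    for name in sorted(spokes):
        links += [(name, hub["name"]), (hub["name"], name)]
        # Longest-prefix match keeps intra-VNet and hub traffic on their more
        # specific system routes; destinations in other spokes fall through to this UDR.
        routes.append({"route_table": f"rt-{name}", "address_prefix": summary,
                       "next_hop_type": "VirtualAppliance",
                       "next_hop_ip": hub["nva_ip"]})
    return {"peering_links": links, "routes": routes, "uninspected_pairs": 0}


def link_counts(n):
    """Peering links needed for n spokes as (full mesh, hub-spoke)."""
    spokes = {f"s{i}": f"10.{i}.0.0/16" for i in range(1, n + 1)}
    return (len(full_mesh(spokes)["peering_links"]),
            len(hub_spoke(spokes, HUB)["peering_links"]))


if __name__ == "__main__":
    assert check_address_space(SPOKES, HUB) == []
    for n in (4, 10, 50):
        print(n, link_counts(n))
```

Full mesh grows as n(n-1) peering links while hub-spoke grows as 2n plus one route per spoke, and only the hub-spoke plan leaves no spoke pair that skips the NVA.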