Designing and Implementing Microsoft Azure Networking Solutions — Question 46

You have an Azure subscription that contains the following resources:

• A virtual network named Vnet1
• Two subnets named subnet1 and AzureFirewallSubnet
• A public Azure Firewall named FW1
• A route table named RT1 that is associated to Subnet1
• A rule routing of 0.0.0.0/0 to FW1 in RT1

After deploying 10 servers that run Windows Server to Subnet1, you discover that none of the virtual machines were activated.

You need to ensure that the virtual machines can be activated.

What should you do?

Answer options

• A. Add an internet route to RT1 for the Azure Key Management Service (KMS).
• B. On FW1, create an outbound service tag rule for Azure Cloud.
• C. Deploy a NAT gateway.
• D. On FW1, configure a DNAT rule for TCP port 1688.

Correct answer: B

Explanation

The correct answer is B because creating an outbound service tag rule for Azure Cloud on FW1 allows the virtual machines to reach Azure services necessary for activation. The other options either do not enable the required connectivity or are not relevant to the activation process, such as NAT gateway or DNAT rules which are not needed for KMS activation.