Question 12 - Microsoft Azure AZ-700 Real Exam Questions [March 2026 Update]

Q: 12

You have an Azure subscription that contains the following resources: A virtual network named Vnet1 Two subnets named subnet1 and AzureFirewallSubnet A public Azure Firewall named FW1 A route table named RT1 that is associated to Subnet1 A rule routing of 0.0.0.0/0 to FW1 in RT1 After deploying 10 servers that run Windows Server to Subnet1, you discover that none of the virtual machines were activated. You need to ensure that the virtual machines can be activated. What should you do?

Options

Correct Answer:

Explanation

The route table RT1 is configured with a rule that forces all outbound traffic (0.0.0.0/0) from Subnet1 through the Azure Firewall FW1. This includes traffic required for Windows Server activation, which must reach the Azure Key Management Service (KMS). The KMS service uses the special public IP address 168.63.129.16. By forcing this traffic to the firewall, the connection to the KMS server fails. To fix this, a more specific User-Defined Route (UDR) must be added to RT1 for the KMS host IP (168.63.129.16/32) with a next hop type of Internet. This route will take precedence over the general 0.0.0.0/0 route, allowing activation traffic to bypass the firewall and follow the correct Azure platform path.

Why Incorrect

A. Application security groups are used within Network Security Group (NSG) rules to filter traffic, but they do not correct the underlying traffic routing issue.

B. An Azure Standard Load Balancer is used for distributing traffic or providing outbound NAT, neither of which resolves the misrouting of KMS traffic to the firewall.

C. A DNAT rule is used to translate inbound traffic to the firewall's public IP into traffic for a private IP. The activation issue is with outbound traffic from the VMs.

References

1. Microsoft Learn

"What is IP address 168.63.129.16?": This document explicitly states

"The public IP address 168.63.129.16 is used in all public clouds and all national clouds. This special public IP address is owned by Microsoft and doesn't change... Enables communication with the Windows activation endpoint for Windows virtual machines." This confirms the IP address and its purpose for activation.

2. Microsoft Learn

"Azure Firewall FAQ": In the section on Forced Tunneling

it states

"For Windows Activation to work

you must add a route for the Windows Activation host IP addresses to bypass the firewall." This directly supports the solution of adding a specific route to bypass the firewall for activation.

3. Microsoft Learn

"Virtual network traffic routing": Under the "User-defined" section

this document explains how Azure selects routes. "When multiple routes exist in a route table

Azure selects a route based on the longest prefix match." A route for 168.63.129.16/32 is more specific than 0.0.0.0/0 and will be selected for traffic to the KMS server.

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE