AZ-305 · Question 44 · Domain 4.2: Design an application architecture
Multiple Choice · 1 mark · Difficulty: Medium
Tags: Domain 4, Application Architecture, API Management, Security
A financial services company exposes several REST APIs to external partners.
They are implementing Azure API Management (APIM) to secure and manage these APIs. The security team requires the following:
- External partners must be limited to 1,000 API calls per hour to prevent abuse.
- The backend API servers must only accept traffic originating from the APIM instance.
Which TWO actions should you take to meet these requirements? (Select TWO)
Answer options:
A. Configure a rate-limit-by-key policy in APIM.
B. Configure Network Security Groups (NSGs) on the backend VNet to only allow traffic from the APIM subnet/IP.
C. Configure a validate-jwt policy in APIM.
D. Deploy Azure Front Door in front of the backend APIs.
E. Configure CORS policies on the backend APIs.
How to approach this question
Address the two requirements separately: rate limiting is an APIM policy concern, and network isolation of the backend is an NSG (or backend IP restriction) concern.
Full Answer
To prevent abuse, you use Azure API Management policies. The `rate-limit` or `rate-limit-by-key` policy restricts the number of calls a caller may make per time period (e.g., 1,000 per hour); requests over the limit are rejected by APIM and never reach the backend. To ensure the backend APIs cannot be called directly (bypassing APIM and its policies), you must secure the backend network itself. If the backend is in a VNet, you configure Network Security Groups (NSGs) so that inbound traffic is allowed only from the APIM instance's IP address or subnet.
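As an added illustration (not part of the original question or answer), the APIM inbound policy fragment that would enforce the first requirement; it assumes each partner calls with its own subscription key, which is used as the counter key, falling back to the caller IP when no key is present:

```xml
<policies>
    <inbound>
        <base />
        <!-- Count calls per partner. Counter key: subscription key (assumed), else caller IP. -->
        <!-- calls="1000" within renewal-period="3600" seconds = 1,000 calls per hour. -->
        <rate-limit-by-key calls="1000"
                           renewal-period="3600"
                           counter-key="@(context.Subscription?.Key ?? context.Request.IpAddress)"
                           remaining-calls-header-name="x-ratelimit-remaining"
                           retry-after-header-name="retry-after" />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

Once a partner exceeds the quota, APIM answers with HTTP 429 and the backend never sees the call; this covers only the rate-limit requirement, and the NSG rule for the second requirement is configured on the backend VNet, not in the policy.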
Common mistakes
Assuming that placing APIM in front of an API automatically protects the backend network. It does not: you must explicitly configure NSGs or IP restrictions on the backend so that only APIM can reach it; otherwise a caller who learns the backend address can bypass every APIM policy, including the rate limit.