Difficulty: Hard · 1 mark · Multiple Choice
Tags: Domain 4 · Networking · Hub and Spoke · Routing

AZ-305 · Question 51 · Domain 4.4: Network Solutions

CASE STUDY: Contoso Ltd is a global financial services company migrating to Azure.
Current environment: 3 on-premises datacenters (New York, London, Tokyo) connected via MPLS.
Azure footprint: 1 Hub VNet in East US, 1 Hub in UK South. 50 Spoke VNets peered to the Hubs.
Requirements:

  1. Encrypt all cross-region traffic.
  2. Inspect all internet-bound traffic from spokes.
  3. Connect Tokyo datacenter to Azure with guaranteed 10 Gbps and SLA.
  4. Ensure web apps in spokes are protected from SQL injection.
  5. Resolve on-premises DNS from Azure and vice versa.

QUESTION: To meet Requirement 2 (Inspect all internet-bound traffic from spokes), you deploy Azure Firewall in the Hub VNets. How must you configure the Spoke VNets to ensure traffic is routed to the firewall?

Answer options:

A. Enable BGP on the Spoke VNets to learn the default route from the Hub.

B. Create a User Defined Route (UDR) with a prefix of 0.0.0.0/0 pointing to the Azure Firewall private IP, and assign it to the Spoke subnets.

C. Configure Azure Virtual WAN to automatically inject the route.

D. Configure a Network Security Group (NSG) on the Spoke subnets to forward traffic to the Firewall.

How to approach this question

Understand how forced tunneling works in a Hub-Spoke topology. You must override the default Azure internet route using a UDR.

Full Answer

B. Create a User Defined Route (UDR) with a prefix of 0.0.0.0/0 pointing to the Azure Firewall private IP, and assign it to the Spoke subnets. ✓ Correct
In a traditional Hub and Spoke network topology, Azure's system default route sends internet-bound traffic (0.0.0.0/0) from the Spoke VNets directly out to the internet. To meet the requirement of inspecting this traffic, you must force it to the Azure Firewall in the Hub VNet. This is achieved by creating a Route Table with a User Defined Route (UDR). The UDR specifies that the next hop for 0.0.0.0/0 is the private IP address of the Azure Firewall, using the next hop type Virtual appliance. You then associate this Route Table with the subnets in the Spoke VNets; because a UDR takes precedence over the system route for the same prefix, the spokes' internet-bound traffic now reaches the firewall first.
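As an added example (not from the question page), here is option B expressed in Bicep: a Route Table carrying a 0.0.0.0/0 route with next hop type Virtual appliance pointing at the firewall's private IP, associated with one spoke subnet. The VNet name, subnet name, address prefix and the firewall IP 10.0.1.4 are placeholders, and the spoke VNet is assumed to already exist.

```bicep
// Added example: force internet-bound traffic from a spoke subnet through Azure Firewall.
// Assumes the spoke VNet 'spoke-vnet' already exists in the target resource group.
param location string = resourceGroup().location
param firewallPrivateIp string = '10.0.1.4' // placeholder: private IP of the hub firewall

resource spokeRouteTable 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'rt-spoke-to-firewall'
  location: location
  properties: {
    // Stop gateway-learned (BGP) routes from being injected into the spoke subnet,
    // so a more specific on-premises route cannot bypass the firewall.
    disableBgpRoutePropagation: true
    routes: [
      {
        name: 'default-to-firewall'
        properties: {
          addressPrefix: '0.0.0.0/0'          // overrides Azure's system Internet route
          nextHopType: 'VirtualAppliance'      // Azure Firewall is treated as an NVA
          nextHopIpAddress: firewallPrivateIp
        }
      }
    ]
  }
}

resource spokeVnet 'Microsoft.Network/virtualNetworks@2023-05-01' existing = {
  name: 'spoke-vnet' // placeholder name
}

// Associate the route table with the spoke workload subnet. Do NOT associate it
// with AzureFirewallSubnet in the hub: the firewall needs its own route to the internet.
resource workloadSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-05-01' = {
  parent: spokeVnet
  name: 'workload'                 // placeholder subnet name
  properties: {
    addressPrefix: '10.10.1.0/24'  // placeholder prefix
    routeTable: {
      id: spokeRouteTable.id
    }
  }
}
```

After deployment, check the subnet's effective routes on a spoke NIC: 0.0.0.0/0 should show next hop type VirtualAppliance with the firewall IP, and the system Internet route should appear as Invalid.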

Common mistakes

Confusing NSGs with Route Tables. NSGs filter traffic (allow or deny rules); Route Tables direct traffic (next hops). An NSG cannot send traffic anywhere.
