Hard · 1 mark · Multiple Choice
Domain 4.4: Network Solutions · Domain 4 · Networking · Azure Firewall · Security
This question is part of a case study (Case 51).

AZ-305 · Question 53 · Domain 4.4: Network Solutions

CASE STUDY: Contoso Ltd is a global financial services company migrating to Azure.
Current environment: 3 on-premises datacenters (New York, London, Tokyo) connected via MPLS.
Azure footprint: 1 Hub VNet in East US, 1 Hub in UK South. 50 Spoke VNets peered to the Hubs.
Requirements:

  1. Encrypt all cross-region traffic.
  2. Inspect all internet-bound traffic from spokes.
  3. Connect Tokyo datacenter to Azure with guaranteed 10 Gbps and SLA.
  4. Ensure web apps in spokes are protected from SQL injection.
  5. Resolve on-premises DNS from Azure and vice versa.

QUESTION: To enhance Requirement 2, the security team now requires that the Azure Firewall inspects the payload of outbound HTTPS traffic to block malicious file downloads. Which Firewall SKU and feature must you use?

Answer options:

A. Azure Firewall Standard with Threat Intelligence
B. Azure Firewall Premium with TLS Inspection
C. Azure Web Application Firewall (WAF)
D. Network Security Groups (NSGs) with Application Security Groups (ASGs)

How to approach this question

Identify the Firewall SKU that supports decrypting HTTPS traffic (TLS Inspection).

Full Answer

B. Azure Firewall Premium with TLS Inspection ✓ Correct
To inspect the actual payload of encrypted HTTPS traffic (e.g., to scan for malware in a downloaded file), the firewall must perform TLS Inspection (man-in-the-middle decryption). This advanced capability is only available in the Azure Firewall Premium SKU. The Standard SKU can only filter based on the SNI header (domain name) or IP address, but cannot see inside the encrypted payload.
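What the correct answer looks like as configuration, as an added example that is not part of the exam page: a Premium-tier firewall policy carrying the intermediate CA used for TLS inspection, plus an application rule with terminateTLS set so outbound HTTPS from the spokes is decrypted and inspected rather than filtered on SNI alone. Resource names, the spoke CIDR, the Key Vault secret id and the managed identity are placeholders.

```bicep
param location string = resourceGroup().location
param keyVaultCaSecretId string   // placeholder: Key Vault secret id of the intermediate CA certificate
param firewallIdentityId string   // placeholder: user-assigned identity allowed to read that secret
resource policy 'Microsoft.Network/firewallPolicies@2023-05-01' = {
  name: 'hub-fw-policy'
  location: location
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: { '${firewallIdentityId}': {} }
  }
  properties: {
    sku: { tier: 'Premium' }             // Standard tier does not support transportSecurity or terminateTLS
    threatIntelMode: 'Deny'
    intrusionDetection: { mode: 'Deny' } // IDPS signatures are applied to the decrypted stream
    transportSecurity: {
      certificateAuthority: {
        name: 'contoso-intermediate-ca'
        keyVaultSecretId: keyVaultCaSecretId
      }
    }
  }
}
// The Azure Firewall resource that attaches this policy must also be deployed with sku tier 'Premium'.
resource appRules 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2023-05-01' = {
  parent: policy
  name: 'DefaultApplicationRuleCollectionGroup'
  properties: {
    priority: 300
    ruleCollections: [
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'spoke-outbound-web'
        priority: 100
        action: { type: 'Allow' }
        rules: [
          {
            ruleType: 'ApplicationRule'
            name: 'allow-https-inspected'
            sourceAddresses: [ '10.0.0.0/8' ]                    // constructed: spoke address space
            protocols: [ { protocolType: 'Https', port: 443 } ]
            targetFqdns: [ '*' ]                                 // constructed; narrow to an allowlist in practice
            terminateTLS: true                                   // decrypt, inspect, re-encrypt; false = SNI-only filtering
          }
        ]
      }
    ]
  }
}
```

The spoke route tables still need a 0.0.0.0/0 route pointing at the firewall's private IP, and the spoke VMs must trust the intermediate CA's root, otherwise clients will see certificate errors on every inspected connection.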

Common mistakes

Choosing WAF. WAF protects your web apps from incoming attacks. The scenario asks to inspect outbound traffic (VMs browsing the internet).

This question is from the Azure Solutions Architect Expert AZ-305 Practice Exam 5.