ExpertMinds LogoExpertMinds
Hard1 markMultiple Choice
Domain 4.4: Network SolutionsDomain 4NetworkingWAFSecurity
This question is part of a case study — click to read the full scenario(Case 51)

CASE STUDY: Contoso Ltd is a global financial services company migrating to Azure.
Current environment: 3 on-premises datacenters (New York, London, Tokyo) connected via MPLS.
Azure footprint: 1 Hub VNet in East US, 1 Hub in UK South. 50 Spoke VNets peered to the Hubs.
Requirements:

  1. Encrypt all cross-region traffic.
  2. Inspect all internet-bound traffic from spokes.
  3. Connect Tokyo datacenter to Azure with guaranteed 10 Gbps and SLA.
  4. Ensure web apps in spokes are protected from SQL injection.
  5. Resolve on-premises DNS from Azure and vice versa.

QUESTION: To meet Requirement 2 (Inspect all internet-bound traffic from spokes), you deploy Azure Firewall in the Hub VNets. How must you configure the Spoke VNets to ensure traffic is routed to the firewall?

View full case study page →

AZ-305 · Question 54 · Domain 4.4: Network Solutions

CASE STUDY: Contoso Ltd is a global financial services company migrating to Azure.
Current environment: 3 on-premises datacenters (New York, London, Tokyo) connected via MPLS.
Azure footprint: 1 Hub VNet in East US, 1 Hub in UK South. 50 Spoke VNets peered to the Hubs.
Requirements:

  1. Encrypt all cross-region traffic.
  2. Inspect all internet-bound traffic from spokes.
  3. Connect Tokyo datacenter to Azure with guaranteed 10 Gbps and SLA.
  4. Ensure web apps in spokes are protected from SQL injection.
  5. Resolve on-premises DNS from Azure and vice versa.

QUESTION: Which service should you deploy to meet Requirement 4 (Ensure web apps in spokes are protected from SQL injection)?

Answer options:

A.

Azure Firewall Premium

B.

Azure Web Application Firewall (WAF) on Azure Application Gateway

C.

Azure DDoS Protection Standard

D.

Microsoft Defender for Cloud

How to approach this question

Match 'SQL injection' to the service designed to protect against OWASP Top 10 web vulnerabilities.

Full Answer

B.Azure Web Application Firewall (WAF) on Azure Application Gateway✓ Correct
Azure Web Application Firewall (WAF) on Azure Application Gateway
Requirement 4 asks to protect web applications from SQL injection. SQL injection is a Layer 7 (application layer) attack. The Azure Web Application Firewall (WAF) is purpose-built to protect web apps from common exploits and vulnerabilities, including the OWASP Top 10 (SQL injection, Cross-Site Scripting, etc.). WAF can be deployed on Azure Application Gateway (for regional apps) or Azure Front Door (for global apps).

Common mistakes

Choosing Azure Firewall. While Azure Firewall is great for outbound and east-west traffic, WAF is the specialized tool for inbound web application protection.
53All questions55

Practice the full Azure Solutions Architect Expert AZ-305 Practice Exam 5

55 questions · hints · full answers · grading

Sign up freeTake the exam

More questions from this exam

Q01Contoso Ltd has 50 subscriptions across 3 business units. Each business unit manages its own IT o...EasyQ02You are designing a monitoring solution for a hybrid environment. The environment consists of 200...MediumQ03Your company uses Microsoft Sentinel integrated with a Log Analytics workspace. The workspace ing...HardQ04You are designing an application monitoring strategy using Application Insights. The application ...MediumQ05A highly regulated financial institution is migrating to Microsoft 365 and Azure. They currently ...Hard
View all 55 questions →