Hard · 1 mark · Multiple Choice
Domain 4.4: Network Solutions · Domain 4 · Networking · DNS · Hybrid
This question is part of a case study (Case 51).

CASE STUDY: Contoso Ltd is a global financial services company migrating to Azure.
Current environment: 3 on-premises datacenters (New York, London, Tokyo) connected via MPLS.
Azure footprint: 1 Hub VNet in East US, 1 Hub in UK South. 50 Spoke VNets peered to the Hubs.
Requirements:

  1. Encrypt all cross-region traffic.
  2. Inspect all internet-bound traffic from spokes.
  3. Connect Tokyo datacenter to Azure with guaranteed 10 Gbps and SLA.
  4. Ensure web apps in spokes are protected from SQL injection.
  5. Resolve on-premises DNS from Azure and vice versa.

QUESTION: To meet Requirement 2 (Inspect all internet-bound traffic from spokes), you deploy Azure Firewall in the Hub VNets. How must you configure the Spoke VNets to ensure traffic is routed to the firewall?

AZ-305 · Question 55 · Domain 4.4: Network Solutions

QUESTION: Which fully managed PaaS service should you deploy in the Hub VNet to meet Requirement 5 (Resolve on-premises DNS from Azure and vice versa) without managing IaaS virtual machines?

Answer options:

A. Azure Private DNS Zones

B. Windows Server DNS on Azure VMs

C. Azure DNS Private Resolver

D. Azure Traffic Manager

How to approach this question

Identify the PaaS service that acts as a bridge between Azure Private DNS and on-premises DNS.

Full Answer

C. Azure DNS Private Resolver ✓ Correct
To resolve DNS names across a hybrid environment (Azure to on-premises and on-premises to Azure), you need a DNS forwarder. Historically, this required deploying IaaS Virtual Machines running DNS server software. Azure DNS Private Resolver is a fully managed PaaS service that replaces those VMs. It provides inbound endpoints (allowing on-premises to query Azure Private DNS) and outbound endpoints (allowing Azure to forward queries to on-premises DNS servers).

Common mistakes

Choosing Azure Private DNS Zones. A Private DNS zone holds the records, but it cannot actively forward queries across a VPN/ExpressRoute on its own; it requires the Resolver.
