ExpertMinds LogoExpertMinds
Medium1 markMultiple Choice
Domain 4.4: Network SolutionsDomain 4.4Azure FirewallRouting
This question is part of a case study — click to read the full scenario(Case 51)

CASE STUDY: Contoso Ltd is a global financial services firm with 10,000 employees. They have a primary on-premises data center in London and a secondary in New York. They are migrating to Azure and require a hub-and-spoke network topology. Requirements: 1) Secure connectivity between on-premises and Azure with at least 5 Gbps throughput and redundancy. 2) Centralized inspection of all outbound internet traffic from spoke VNets. 3) Spoke VNets must communicate with each other securely. 4) PaaS services (Storage, SQL) must be accessed privately without traversing the public internet. 5) Web applications in spokes require WAF protection and global load balancing.

Question 1 of 5: To meet Requirement 1 (Secure connectivity with at least 5 Gbps throughput and redundancy), which hybrid connectivity solution should you recommend?

View full case study page →

AZ-305 · Question 52 · Domain 4.4: Network Solutions

CASE STUDY: Contoso Ltd is a global financial services firm with 10,000 employees. They have a primary on-premises data center in London and a secondary in New York. They are migrating to Azure and require a hub-and-spoke network topology. Requirements: 1) Secure connectivity between on-premises and Azure with at least 5 Gbps throughput and redundancy. 2) Centralized inspection of all outbound internet traffic from spoke VNets. 3) Spoke VNets must communicate with each other securely. 4) PaaS services (Storage, SQL) must be accessed privately without traversing the public internet. 5) Web applications in spokes require WAF protection and global load balancing.

Question 2 of 5: To meet Requirement 2 (Centralized inspection of all outbound internet traffic), what should you deploy in the Hub VNet?

Answer options:

A.

Network Security Groups (NSGs) on every spoke subnet.

B.

Azure Firewall and User Defined Routes (UDRs) in the spokes.

C.

Azure Application Gateway.

D.

Azure Bastion.

How to approach this question

Identify the centralized security appliance and the routing mechanism to force traffic to it.

Full Answer

B.Azure Firewall and User Defined Routes (UDRs) in the spokes.✓ Correct
Azure Firewall and User Defined Routes (UDRs) in the spokes.
To centrally inspect outbound traffic, you deploy Azure Firewall in the Hub VNet and use User Defined Routes (UDRs) on the spoke subnets to route all internet-bound traffic (0.0.0.0/0) to the Firewall.

Common mistakes

Forgetting that UDRs are required to override the default Azure route to the internet.
51All questions53

Practice the full Azure Solutions Architect Expert AZ-305 Practice Exam 6

55 questions · hints · full answers · grading

Sign up freeTake the exam

More questions from this exam

Q01Contoso Ltd is a global manufacturing company with 50,000 employees. They operate a mix of on-pre...MediumQ02A financial institution has 500 Windows Server VMs on-premises and 200 VMs in Azure. They need to...HardQ03An enterprise uses Azure Sentinel and Log Analytics. They ingest 500 GB of logs daily. The IT bud...HardQ04You are designing a monitoring strategy for a new Azure deployment consisting of App Service, Azu...EasyQ05A healthcare company uses Microsoft Entra ID (Azure AD). They need to implement a security policy...Medium
View all 55 questions →