Domain 4.4: Design network solutions
15 questions across 3 exams
All questions (15)
CASE STUDY: Global Enterprise Network

Contoso Ltd is a global manufacturing company with 50,000 employees across 30 countries. They currently operate a mix of on-premises infrastructure (500 servers across 5 data centers) and Azure (20 subscriptions with 100+ VMs and various PaaS services). Their annual IT budget is $10 million, with plans to migrate 70% of workloads to Azure within 2 years.

The company needs to reduce IT costs by 30%, improve disaster recovery (current RTO: 24 hours -> target: 2 hours), enhance security posture to meet ISO 27001 and SOC 2 compliance, and enable remote work for 80% of employees. All solutions must support future growth of 20% annually.

Some legacy applications cannot be modified and must run on Windows Server 2012. Network connectivity requires 10 Gbps throughput to Azure with <20ms latency. GDPR compliance mandates that EU customer data must remain in European Azure regions.

QUESTION 1 OF 5: Contoso needs to connect their 5 global data centers to Azure and provide any-to-any connectivity (e.g., Data Center 1 can talk to Data Center 2 via the Azure backbone). They also need to connect 20 different Azure VNets across 3 regions. They want a managed service that minimizes routing complexity. Which network topology should you recommend?
QUESTION 2 OF 5: To meet the 10 Gbps throughput and <20ms latency requirement for connecting the primary on-premises data center to Azure, you recommend Azure ExpressRoute. However, the business requires a highly available connectivity architecture. If the ExpressRoute circuit fails, traffic must automatically fail over to a backup connection, even if it operates at a lower bandwidth. Which TWO actions should you take to design this failover? (Select TWO)
QUESTION 3 OF 5: To meet the strict ISO 27001 and SOC 2 compliance requirements, the CISO mandates that all outbound internet traffic from Azure VMs must be inspected. The inspection engine must be able to decrypt outbound HTTPS traffic, inspect the payload for malware, and block access to known malicious domains using an Intrusion Detection and Prevention System (IDPS). Which Azure service should you deploy in the hub virtual network?
QUESTION 4 OF 5: Contoso deploys an Azure SQL Database to store sensitive EU customer data. To meet GDPR and internal security policies, the database must not be accessible via the public internet. Furthermore, on-premises servers connected via ExpressRoute must be able to connect to the database using a private IP address from the Azure Virtual Network space. Which feature should you configure for the Azure SQL Database?
QUESTION 5 OF 5: Contoso has a Hub VNet and two Spoke VNets (Spoke A and Spoke B) in the West Europe region. The VNets are peered (Hub-to-Spoke A, and Hub-to-Spoke B). A Network Virtual Appliance (NVA) firewall is deployed in the Hub VNet. You need to ensure that when a VM in Spoke A tries to communicate with a VM in Spoke B, the traffic is forced through the NVA in the Hub VNet for inspection. What must you configure?
CASE STUDY (Questions 51-55)

Contoso Financial is a global investment bank.

Current Infrastructure:
- On-premises datacenters in New York, London, and Tokyo.
- Azure regions used: US East, Europe West, Japan East.
- Each on-premises datacenter is connected to its local Azure region via a 10 Gbps ExpressRoute circuit.
- Azure architecture uses a Hub-and-Spoke topology in each region.

Business Requirements:
- The network architecture must support global failover. If the US East region fails, the New York datacenter must be able to route traffic to the Europe West Azure region.
- All outbound internet traffic from Azure VMs must be inspected by a centralized firewall.
- Azure PaaS services (SQL, Storage) must not be accessible from the public internet.
- Network management overhead must be minimized as the company plans to add 50 more spoke VNets per region next year.

Question 1 of 5: To meet the global failover requirement, the New York datacenter must be able to communicate with the Europe West Azure region if US East fails. Which ExpressRoute feature or architecture should you implement?
Question 2 of 5: To meet the requirement for centralized outbound internet inspection, you deploy Azure Firewall in the Hub VNet. The security team mandates that the firewall must be able to inspect the payload of encrypted HTTPS traffic to detect malware, and it must use signature-based detection to block known malicious traffic. Which TWO features of Azure Firewall must you utilize? (Select TWO)
Question 3 of 5: To meet the requirement that Azure PaaS services (SQL, Storage) must not be accessible from the public internet, you need to design the connectivity model. Crucially, on-premises applications in New York must be able to connect directly to the Azure SQL Databases over the ExpressRoute circuit using private IP addresses. Which solution should you implement?
Question 4 of 5: The company currently uses traditional Hub-and-Spoke VNets. To meet the requirement to minimize network management overhead when adding 50 more spoke VNets per region, the Lead Architect suggests replacing the traditional Hub VNets with a managed service that automates spoke connectivity, routing, and integrates Azure Firewall. Which service is the architect recommending?
Question 5 of 5: Assuming the company stays with a traditional Hub-and-Spoke topology (not Virtual WAN), you must ensure that ALL outbound internet traffic from the Spoke VNets is forced through the Azure Firewall located in the Hub VNet. Which THREE actions must you perform to configure this forced tunneling? (Select THREE)
CASE STUDY: Tailspin Toys

Tailspin Toys is a global manufacturing company with 50,000 employees across 30 countries. They currently operate a mix of on-premises infrastructure (500 servers across 5 data centers) and Azure (20 subscriptions with 100+ VMs and various PaaS services). Their annual IT budget is $50 million, with plans to migrate 70% of workloads to Azure within 2 years.

Business Requirements: The company needs to reduce IT costs by 30%, improve disaster recovery (current RTO: 24 hours -> target: 2 hours), enhance security posture to meet ISO 27001 and SOC 2 compliance, and enable remote work for 80% of employees. All solutions must support future growth of 20% annually.

Technical Constraints: Some legacy applications cannot be modified and must run on Windows Server 2012. Network connectivity requires 10 Gbps throughput to Azure with <20ms latency. GDPR compliance mandates that EU customer data must remain in European Azure regions.

You need to design the hybrid network connectivity between the on-premises data centers and Azure to meet the technical constraints. Which connectivity solution should you recommend?
You are designing the network architecture for a large enterprise. The enterprise has an on-premises datacenter connected to Azure via ExpressRoute. In Azure, they have 50 'spoke' Virtual Networks. You need to ensure that all traffic between the spoke VNets, and all traffic from the spoke VNets to the Internet, is inspected by a centralized firewall. Which network topology and routing configuration should you recommend?
A global enterprise has branch offices in 20 different countries. They need to connect all branch offices to Azure, connect the branch offices to each other, and connect them to 100 different Azure Virtual Networks spread across 5 Azure regions. The solution must minimize routing complexity and administrative overhead. Which Azure networking service should you recommend?
You are designing the security architecture for an Azure Storage Account. The Storage Account must only be accessible from a specific subnet within your Azure Virtual Network. Furthermore, the traffic must not traverse the public internet, and the Storage Account must be assigned a private IP address from your VNet so it can be accessed via an ExpressRoute connection from on-premises. Which TWO components are required to meet these requirements? (Select TWO)
Your company has two major on-premises datacenters: one in New York and one in London. Both datacenters are connected to Azure via their own dedicated ExpressRoute circuits. You want to enable servers in the New York datacenter to communicate directly with servers in the London datacenter using the Microsoft global backbone network, bypassing the public internet. Which feature should you enable?