Domain 4.4: Network Solutions

A multinational corporation is redesigning its global network architecture. They have 50 branch offices worldwide and 3 major on-premises data centers. They use Azure heavily, with 100+ Virtual Networks spread across 4 Azure regions. They require a networking solution that: - Provides any-to-any connectivity (branch-to-branch, branch-to-Azure, Azure-to-Azure). - Automates the routing between all these endpoints. - Minimizes the operational overhead of managing complex route tables and peering connections. Which network architecture should you recommend?

You are designing the hybrid connectivity between an on-premises data center and Azure. The business requires a dedicated, private connection that does not traverse the public internet. The connection must support up to 10 Gbps throughput. Additionally, if this primary connection fails, there must be an automatic backup connection, though the backup connection can traverse the internet and operate at a lower bandwidth. Which THREE components should you include in your design? (Select THREE)

You have an Azure Virtual Network (VNet) containing several Virtual Machines. The VMs need to access an Azure Storage account to read configuration files. The security team mandates that traffic between the VNet and the Storage account must NOT traverse the public internet. Furthermore, the VMs must only be able to access this specific Storage account, and access to any other Azure Storage accounts must be blocked at the network level. Which feature should you implement?

**CASE STUDY: Contoso Manufacturing** **Overview:** Contoso Ltd is a global manufacturing company with 50,000 employees across 30 countries. They currently operate a mix of on-premises infrastructure (500 VMware VMs across 5 data centers) and Azure (20 subscriptions with 100+ VMs and various PaaS services). Their annual IT budget is $50 million, with plans to migrate 70% of workloads to Azure within 2 years. **Business Requirements:** The company needs to reduce IT costs by 30%, improve disaster recovery (current RTO: 24 hours -> target: 2 hours), enhance security posture to meet ISO 27001 and SOC 2 compliance, and enable remote work for 80% of employees. All solutions must support future growth of 20% annually. **Technical Constraints:** Some legacy applications cannot be modified and must run on Windows Server 2012 R2. Network connectivity requires 10 Gbps throughput to Azure with <20ms latency. GDPR compliance mandates that EU customer data must remain in European Azure regions. **Question:** To meet the security and compliance requirements, Contoso wants to ensure that all outbound internet traffic from their Azure Virtual Networks is inspected and filtered centrally. Which network architecture should you implement?

**CASE STUDY: Contoso Manufacturing** **Overview:** Contoso Ltd is a global manufacturing company with 50,000 employees across 30 countries. They currently operate a mix of on-premises infrastructure (500 VMware VMs across 5 data centers) and Azure (20 subscriptions with 100+ VMs and various PaaS services). Their annual IT budget is $50 million, with plans to migrate 70% of workloads to Azure within 2 years. **Business Requirements:** The company needs to reduce IT costs by 30%, improve disaster recovery (current RTO: 24 hours -> target: 2 hours), enhance security posture to meet ISO 27001 and SOC 2 compliance, and enable remote work for 80% of employees. All solutions must support future growth of 20% annually. **Technical Constraints:** Some legacy applications cannot be modified and must run on Windows Server 2012 R2. Network connectivity requires 10 Gbps throughput to Azure with <20ms latency. GDPR compliance mandates that EU customer data must remain in European Azure regions. **Question:** To meet the 10 Gbps throughput and <20ms latency requirement for the hybrid connection between the on-premises data centers and Azure, which connectivity solution MUST Contoso implement?

CASE STUDY: Contoso Ltd is a global financial services company migrating to Azure. Current environment: 3 on-premises datacenters (New York, London, Tokyo) connected via MPLS. Azure footprint: 1 Hub VNet in East US, 1 Hub in UK South. 50 Spoke VNets peered to the Hubs. Requirements: 1) Encrypt all cross-region traffic. 2) Inspect all internet-bound traffic from spokes. 3) Connect Tokyo datacenter to Azure with guaranteed 10 Gbps and SLA. 4) Ensure web apps in spokes are protected from SQL injection. 5) Resolve on-premises DNS from Azure and vice versa. QUESTION: To meet Requirement 2 (Inspect all internet-bound traffic from spokes), you deploy Azure Firewall in the Hub VNets. How must you configure the Spoke VNets to ensure traffic is routed to the firewall?

CASE STUDY: Contoso Ltd is a global financial services company migrating to Azure. Current environment: 3 on-premises datacenters (New York, London, Tokyo) connected via MPLS. Azure footprint: 1 Hub VNet in East US, 1 Hub in UK South. 50 Spoke VNets peered to the Hubs. Requirements: 1) Encrypt all cross-region traffic. 2) Inspect all internet-bound traffic from spokes. 3) Connect Tokyo datacenter to Azure with guaranteed 10 Gbps and SLA. 4) Ensure web apps in spokes are protected from SQL injection. 5) Resolve on-premises DNS from Azure and vice versa. QUESTION: Which solution should you recommend to meet Requirement 3 (Connect Tokyo datacenter to Azure with guaranteed 10 Gbps and SLA)?

CASE STUDY: Contoso Ltd is a global financial services company migrating to Azure. Current environment: 3 on-premises datacenters (New York, London, Tokyo) connected via MPLS. Azure footprint: 1 Hub VNet in East US, 1 Hub in UK South. 50 Spoke VNets peered to the Hubs. Requirements: 1) Encrypt all cross-region traffic. 2) Inspect all internet-bound traffic from spokes. 3) Connect Tokyo datacenter to Azure with guaranteed 10 Gbps and SLA. 4) Ensure web apps in spokes are protected from SQL injection. 5) Resolve on-premises DNS from Azure and vice versa. QUESTION: To enhance Requirement 2, the security team now requires that the Azure Firewall inspects the payload of outbound HTTPS traffic to block malicious file downloads. Which Firewall SKU and feature must you use?

CASE STUDY: Contoso Ltd is a global financial services company migrating to Azure. Current environment: 3 on-premises datacenters (New York, London, Tokyo) connected via MPLS. Azure footprint: 1 Hub VNet in East US, 1 Hub in UK South. 50 Spoke VNets peered to the Hubs. Requirements: 1) Encrypt all cross-region traffic. 2) Inspect all internet-bound traffic from spokes. 3) Connect Tokyo datacenter to Azure with guaranteed 10 Gbps and SLA. 4) Ensure web apps in spokes are protected from SQL injection. 5) Resolve on-premises DNS from Azure and vice versa. QUESTION: Which service should you deploy to meet Requirement 4 (Ensure web apps in spokes are protected from SQL injection)?

CASE STUDY: Contoso Ltd is a global financial services company migrating to Azure. Current environment: 3 on-premises datacenters (New York, London, Tokyo) connected via MPLS. Azure footprint: 1 Hub VNet in East US, 1 Hub in UK South. 50 Spoke VNets peered to the Hubs. Requirements: 1) Encrypt all cross-region traffic. 2) Inspect all internet-bound traffic from spokes. 3) Connect Tokyo datacenter to Azure with guaranteed 10 Gbps and SLA. 4) Ensure web apps in spokes are protected from SQL injection. 5) Resolve on-premises DNS from Azure and vice versa. QUESTION: Which fully managed PaaS service should you deploy in the Hub VNet to meet Requirement 5 (Resolve on-premises DNS from Azure and vice versa) without managing IaaS virtual machines?

CASE STUDY: Contoso Ltd is a global financial services firm with 10,000 employees. They have a primary on-premises data center in London and a secondary in New York. They are migrating to Azure and require a hub-and-spoke network topology. Requirements: 1) Secure connectivity between on-premises and Azure with at least 5 Gbps throughput and redundancy. 2) Centralized inspection of all outbound internet traffic from spoke VNets. 3) Spoke VNets must communicate with each other securely. 4) PaaS services (Storage, SQL) must be accessed privately without traversing the public internet. 5) Web applications in spokes require WAF protection and global load balancing. Question 1 of 5: To meet Requirement 1 (Secure connectivity with at least 5 Gbps throughput and redundancy), which hybrid connectivity solution should you recommend?

CASE STUDY: Contoso Ltd is a global financial services firm with 10,000 employees. They have a primary on-premises data center in London and a secondary in New York. They are migrating to Azure and require a hub-and-spoke network topology. Requirements: 1) Secure connectivity between on-premises and Azure with at least 5 Gbps throughput and redundancy. 2) Centralized inspection of all outbound internet traffic from spoke VNets. 3) Spoke VNets must communicate with each other securely. 4) PaaS services (Storage, SQL) must be accessed privately without traversing the public internet. 5) Web applications in spokes require WAF protection and global load balancing. Question 2 of 5: To meet Requirement 2 (Centralized inspection of all outbound internet traffic), what should you deploy in the Hub VNet?

CASE STUDY: Contoso Ltd is a global financial services firm with 10,000 employees. They have a primary on-premises data center in London and a secondary in New York. They are migrating to Azure and require a hub-and-spoke network topology. Requirements: 1) Secure connectivity between on-premises and Azure with at least 5 Gbps throughput and redundancy. 2) Centralized inspection of all outbound internet traffic from spoke VNets. 3) Spoke VNets must communicate with each other securely. 4) PaaS services (Storage, SQL) must be accessed privately without traversing the public internet. 5) Web applications in spokes require WAF protection and global load balancing. Question 3 of 5: To meet Requirement 3 (Spoke VNets must communicate with each other securely), how should you configure the routing?

CASE STUDY: Contoso Ltd is a global financial services firm with 10,000 employees. They have a primary on-premises data center in London and a secondary in New York. They are migrating to Azure and require a hub-and-spoke network topology. Requirements: 1) Secure connectivity between on-premises and Azure with at least 5 Gbps throughput and redundancy. 2) Centralized inspection of all outbound internet traffic from spoke VNets. 3) Spoke VNets must communicate with each other securely. 4) PaaS services (Storage, SQL) must be accessed privately without traversing the public internet. 5) Web applications in spokes require WAF protection and global load balancing. Question 4 of 5: To meet Requirement 4 (PaaS services accessed privately without traversing the public internet), which technology should you implement?

CASE STUDY: Contoso Ltd is a global financial services firm with 10,000 employees. They have a primary on-premises data center in London and a secondary in New York. They are migrating to Azure and require a hub-and-spoke network topology. Requirements: 1) Secure connectivity between on-premises and Azure with at least 5 Gbps throughput and redundancy. 2) Centralized inspection of all outbound internet traffic from spoke VNets. 3) Spoke VNets must communicate with each other securely. 4) PaaS services (Storage, SQL) must be accessed privately without traversing the public internet. 5) Web applications in spokes require WAF protection and global load balancing. Question 5 of 5: To meet Requirement 5 (WAF protection and global load balancing for web apps), which service should you deploy?

CASE STUDY: Contoso migrating 500 servers to Azure. RTO 2h, RPO 15m, GDPR compliance, 10Gbps ExpressRoute required. QUESTION: You need to design the global routing architecture for Contoso's web applications to ensure high availability and WAF protection. Which service should you recommend?

You are designing a hub-and-spoke network topology. You need to ensure that all outbound internet traffic from the spoke VNets is forced through an Azure Firewall located in the hub VNet. What should you configure?

An enterprise needs to connect their on-premises datacenter to Azure. Requirements: 10 Gbps dedicated bandwidth, no traffic over the public internet, and the ability to route traffic directly between two different on-premises sites via the Microsoft backbone. Which TWO services are required? (Select TWO)

You need to access an Azure Storage account from an on-premises network over an ExpressRoute private peering connection. The storage account must not be accessible from the public internet. What should you configure?

A global company has 100 branch offices. They need a managed networking service that provides any-to-any connectivity between branches, Azure VNets, and remote users, with built-in routing and firewall capabilities. Which service should you recommend?