Exam AZ-700 topic 2 question 51 discussion

Should be YNY Y - You need to add User Defined Route to the Firewall Appliance from the subnets (https://learn.microsoft.com/en-us/azure/firewall/tutorial-firewall-deploy-portal) N - The firewall is not a VPN Gateway, and we do not have any connection with On-Premises here (https://learn.microsoft.com/en-us/answers/questions/516530/how-to-set-up-a-multi-spoke-virtual-network-in-azu) Y - Azure Firewall can filter by web categories (https://learn.microsoft.com/en-us/azure/firewall/web-categories)

The Firewall SKU states standard. Wouldn't Premium be required for filtering by category? Meaning YNN?

YNY 1- Yes because the route priority for the same adress prefix is 1. UDR 2. BGP 3. System-route here the 3rd option will take place because we have a vnet peering between Vnet1 and Vnet2 so to "force" traffic between them to reach each other via FW, you need to assign UDR to both subnets. 2- No because FW is an NVA not a VNG 3- yes Azure Firewall standard can handle web content filtering

YNY 1: SN1 required RT to change 0.0.0.0/0 to Virtual Appliance of FW otherwise it will go out the Wire Service. SN2 required RT to change 0.0.0.0/0 to point to Firewall somehow otherwise it will also go out its wire service. Not sure if this would be a Virtual Appliance or Internal IP route without trying it. 2: N: Route table in 1 will get it to the Firewall interface, otherwise it doesn't know it exists and will go out the wire service of its own subnet. 3: Seems so, Standard can do web site category filtering. = Y 700 is all we need right?

NNY 1. No, not a routing table, but a UDR would be needed (at least for VM2) 2. No, that wont help for that. Again a UDR 3. Yes. https://learn.microsoft.com/en-us/azure/firewall/choose-firewall-sku

YNY 1- Y - because - routing table is required- You need to create routing table, add a router - next hop type select VNA and put the firewall local ip - in this case the private IP 2- N Because there is no VPN GWY but alos you need one vNET2 to tick use REMOTE GWY and one vNET1 tick allow GWY Transit 3- YES as per this link https://learn.microsoft.com/en-us/azure/firewall/choose-firewall-sku check the table at bottom

Think it should be NNN 1) Question is about gateway nor UDR 3) Firewall is standard, only premium has categories

question ask for a routing table, not for a udr, be aware ....NNY

Answer should be YNY, see @_fvt comment.

YNN - Yes - routing table is required- Create a routing table, add a router - next hop type select Virtual Appliance and put the firewall1 local ip (https://learn.microsoft.com/en-us/azure/firewall/tutorial-firewall-deploy-portal#create-a-default-route) No - Vnet1 and Vnet2 is not used for Virtual network gateway or route server, the remote gateway setting will be greyed out if you try to configure the settings in the Peering. No - Network rule is prioritised before application rules thus application rules like website blocking will not be enforced(https://learn.microsoft.com/en-us/training/modules/design-implement-network-security-monitoring/6-azure-firewall#:~:text=Outbound%20connectivity%20using%20network%20rules%20and%20application%20rules)

it should be YNY