
Exam AZ-720 topic 5 question 51 discussion

Actual exam question from Microsoft's AZ-720
Question #: 12
Topic #: 5

A company has a virtual machine (VM) named VM1 in a virtual network. The company also uses Azure Firewall Standard.

An administrator creates application rules to filter outbound traffic from VM1 and configures fully qualified domain names (FQDNs) on the application rules.

The administrator discovers that outbound traffic from VM1 to the FQDNs is not being filtered by the firewall.

You need to resolve the issue with filtering.

What should you do first?

  • A. Create a CNAME type DNS record that references the firewall.
  • B. Upgrade to the Azure Firewall Premium SKU.
  • C. Configure the firewall for a negative cache.
  • D. Configure VM1 to use Azure Firewall as its DNS server.
Suggested Answer: D

Comments

terawatt
1 year, 11 months ago
Selected Answer: D
Option D: "Configure VM1 to use Azure Firewall as its DNS server" is the correct choice. By setting Azure Firewall as the DNS server for the virtual machines, it ensures that the Firewall and the VMs are using the same DNS resolution, preventing any inconsistencies in the application of the firewall's rules. Without this configuration, the DNS resolution used by the Firewall to interpret FQDN-based rules may differ from that used by the VMs, causing traffic that should be blocked by the Firewall's rules to inadvertently pass through. Thus, setting the Azure Firewall as the DNS server for the VMs is a crucial step for the correct application of FQDN-based rules.
upvoted 1 times
cris_exam
2 years, 2 months ago
Selected Answer: D
D is correct. It's not that clear even from the official article but yes, in order for the app FQDN rules to work fine, the VMs that need to be filtered need to have the AZFW set as DNS. Usually this is done by setting the DNS on VNET level but if that is not intended, then yeah, only on VM NIC level. https://learn.microsoft.com/en-us/azure/firewall-manager/fqdn-filtering-network-rules
upvoted 1 times
cris_exam
2 years, 2 months ago
Found a better part of another doc that confirms the answer. https://learn.microsoft.com/en-us/azure/firewall/dns-settings#dns-proxy "If you enable FQDN filtering in network rules, and you don't configure client virtual machines to use the firewall as a DNS proxy, then DNS requests from these clients might travel to a DNS server at a different time or return a different response compared to that of the firewall. It’s recommended to configure client virtual machines to use the Azure Firewall as their DNS proxy. This puts Azure Firewall in the path of the client requests to avoid inconsistency."
upvoted 1 times
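As an added example (not part of the question or the commenters' posts), this Az PowerShell script carries out the fix the thread converges on: enable the firewall's DNS proxy and point the VM at the firewall's private IP, at VNet level or, as cris_exam notes, at NIC level only. The resource group, firewall, VNet and NIC names are assumptions.

```powershell
# Added example: make VM1 resolve DNS through Azure Firewall so the firewall and
# the VM see the same IP addresses behind FQDN-based application rules.
# Assumed names: resource group "rg-net", firewall "fw-hub", VNet "vnet-spoke", NIC "vm1-nic".
$rg       = 'rg-net'
$fwName   = 'fw-hub'
$vnetName = 'vnet-spoke'
$nicName  = 'vm1-nic'

# 1. Enable DNS proxy on the firewall. Without it the firewall does not answer DNS
#    on its private IP, so pointing VM1 at it would break name resolution entirely.
$fw = Get-AzFirewall -Name $fwName -ResourceGroupName $rg
$fw.DNSEnableProxy = $true
# Optional: forward to custom resolvers; leave unset to use Azure DNS.
# $fw.DNSServer = @('10.10.0.4')
$fw = Set-AzFirewall -AzureFirewall $fw

# 2. The proxy listens on UDP/TCP 53 at the firewall's private IP.
$fwPrivateIp = $fw.IpConfigurations[0].PrivateIPAddress
Write-Host "Firewall DNS proxy address: $fwPrivateIp"

# 3a. Preferred: set the DNS server at VNet level so every VM in the VNet is covered.
$vnet = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg
if (-not $vnet.DhcpOptions) {
    $vnet.DhcpOptions = New-Object Microsoft.Azure.Commands.Network.Models.PSDhcpOptions
}
$vnet.DhcpOptions.DnsServers = @($fwPrivateIp)
$vnet | Set-AzVirtualNetwork | Out-Null

# 3b. Alternative when only VM1 should change: set it on the NIC instead.
#     NIC-level DNS settings override the VNet setting for that NIC.
# $nic = Get-AzNetworkInterface -Name $nicName -ResourceGroupName $rg
# $nic.DnsSettings.DnsServers = @($fwPrivateIp)
# $nic | Set-AzNetworkInterface | Out-Null

# 4. VM1 only picks up the new DNS server when it renews its DHCP lease, so restart
#    the VM (or renew the lease inside the guest) before re-testing the FQDN rules.
```

After the restart, the firewall's application rule log should show hits for the FQDN, since both the resolution and the connection now pass through the firewall.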
Community vote distribution
A (35%)
C (25%)
B (20%)
Other