Exam AZ-303 topic 2 question 44 discussion

the answer is correct. during nsg configuration, we would need to choose service tag, and then select azure front door. application security group could work by adding front door into the group, and allow the group to access the vnet. but this isn't a very good solution as it needs to define more steps

On exam 5/15/2021

In the exam on 12-03-2022. Total 50 questions including case study. "Litware Acquired Fabricam" case study.

Question appeared On AZ-303 exam on 08/12/2021 - 49 questions, 4Q - Fabrikan case study

New SKU Front Door Premium provides a more recommended way to lock down your application via Private Endpoint. Learn more about Private Endpoint https://docs.microsoft.com/en-us/azure/frontdoor/front-door-faq#how-do-i-lock-down-the-access-to-my-backend-to-only-azure-front-door-

(A) Azure private link will work if the VMs do not have the public Ip addresses But in the question, VMs have public IP addresses now, we are required to protect them. So the (C) is the only correct answer.

Given answer is correct along with provided explanation

I had this question in the exam that i took on July 14th 2021

answer is correct when referencing https://docs.microsoft.com/en-us/azure/frontdoor/front-door-faq

Clearly using the service tags, https://docs.microsoft.com/en-us/azure/frontdoor/front-door-faq#how-do-i-lock-down-the-access-to-my-backend-to-only-azure-front-door-

Answer C is incorrect. Service Tag is not regional, as documentation refers: https://docs.microsoft.com/en-us/azure/virtual-network/service-tags-overview#:~:text=No-,AzureFrontDoor.Frontend%20%20AzureFrontDoor,No,-AzureInformationProtection

Correct Answer is: A The best way to lock down your application to accept traffic only from your specific Front Door instance is to publish your application via Private Endpoint. Network traffic between Front Door and the application traverses over the VNet and a Private Link on the Microsoft backbone network, eliminating exposure from the public internet. Link: https://docs.microsoft.com/en-us/azure/frontdoor/standard-premium/faq#:~:text=How%20do,public%20internet

URL above copied by mistake. Correct URL: https://docs.microsoft.com/en-us/azure/virtual-network/service-tags-overview

C is correct. You can use service tags to define network access controls on NSG. One of the available service tags is AzureFrontDoor.Frontend. https://www.examtopics.com/exams/microsoft/az-303/view/16/

Since it has asked for "virtual machines will ONLY accept traffic routed from Azure Front Door", Service tag solution makes much more sense. FD does not suport a static IP yet.

@andyR, it's indicated in this article that service tag for azure front door needs to be added to NSG To lock down your application to accept traffic only from your specific Front Door https://docs.microsoft.com/en-us/azure/frontdoor/front-door-faq so given answer is correct.

You can use service tags to define network access controls on network security groups or Azure Firewall. Use service tags in place of specific IP addresses when you create security rules. By specifying the service tag name, such as ApiManagement, in the appropriate source or destination field of a rule, you can allow or deny the traffic for the corresponding service. https://docs.microsoft.com/en-us/azure/virtual-network/service-tags-overview