Exam AZ-303 topic 3 question 4 discussion

Answers are correct. Source IP affinity. This distribution mode is also known as session affinity or client IP affinity. To map traffic to the available servers, the mode uses a two-tuple hash (from the source IP address and destination IP address) or three-tuple hash (from the source IP address, destination IP address, and protocol type). The hash ensures that requests from a specific client are always sent to the same virtual machine behind the load balancer.

So follow my train of thought for a moment: - Load balancers have a knockout criterium, they only support VM's and VMSS's: https://docs.microsoft.com/en-us/azure/load-balancer/backend-pool-management - AGW's have a max. SLA of 99.95%: https://azure.microsoft.com/en-in/support/legal/sla/application-gateway/v1_2/ - AFD also supports WAF + SLA 99.99%: https://azure.microsoft.com/en-in/support/legal/sla/frontdoor/v1_0/ - AGWv2 supports static public IP as of 2019: https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-autoscaling-zone-redundant For App2 the answer is AGW2 since it is the only one compatible. For App1 the answer should be AFD+WAF in a real world situation, but given the answers I would go for AGW1 since it specifically mentions having the WAF enabled.

Correct answer: - AppGW1 - WAF offers protection from SQL injection https://docs.microsoft.com/en-us/azure/application-gateway/features#web-application-firewall - AppGW2 - gateway Standard_v2 SKU supports static VIP type exclusively https://docs.microsoft.com/en-us/azure/application-gateway/features#static-vip LB is not option for WebApp- check flowchart: https://docs.microsoft.com/en-us/azure/architecture/guide/technology-choices/load-balancing-overview#decision-tree-for-load-balancing-in-azure

The second answer should be APGW2.

App1: needs injection prevention, so it needs a WAF. So AGW1 is adequate. App2: Needs static IP, which is supported by both standard_v2 Application Gateway and ELB. But it further specifies 99.99% availability, so it can only be ELB as standard_v2 AGW has only 99.95% availability. Given answers are correct.

Does Application Gateway support static IP? Yes, the Application Gateway v2 SKU supports static public IP addresses and static internal IPs. The v1 SKU supports static internal IPs. https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-faq so the 2nd question is application gateway standard-v2

App1: AGW1 App2: AGW2 Only AGW or AFD could load balance Web(HTTP/HTTPs) type traffic https://docs.microsoft.com/en-us/azure/architecture/guide/technology-choices/images/load-balancing-decision-tree.png

The question asks for a solution to two Azure web apps. Load Balancer does not support Azure web app.

Guys: It's actually an easier justification. Answer 1 YES it's the WAF enabled one (no other one fits). BUT ... regarding second one, the ApplicationGatewy coud not have a public endpoint: it could be a OutBound Gateway ... thus, could not be the correct answer... In the other way, the ELB the only one with a waranty of having a public external IP address, thus provided answer (ELB) for second one is the best one.

Azure Web Application Firewall (WAF) on Azure Application Gateway provides centralized protection of your web applications from common exploits and vulnerabilities. Web applications are increasingly targeted by malicious attacks that exploit commonly known vulnerabilities. SQL injection and cross-site scripting are among the most common attacks. Protection against other common web attacks, such as command injection, HTTP request smuggling, HTTP response splitting, and remote file inclusion https://docs.microsoft.com/en-us/azure/web-application-firewall/ag/ag-overview Load Balanced Endpoint using Azure Standard Load Balancer, serving two or more Healthy Virtual Machine Instances, will be available 99.99% of the time. You can assign public IP address. https://azure.microsoft.com/en-us/support/legal/sla/load-balancer/v1_0/ https://docs.microsoft.com/en-us/azure/load-balancer/quickstart-load-balancer-standard-public-portal?tabs=option-1-create-load-balancer-standard Answer is correct

"You need to deploy a load-balancing solution for two ((((((((((((Azure web apps)))))))))))) named App1 and App2 to meet the following requirements:" You cannot use Azure Web App with Internal/External Load Balancer.

Only the first answer is correct. The question asks "what should you use as the load balancing solution for EACH APP"? All the answers DO load balancing but to differentiate an Application Gateway vs Load Balancers---AG is a WEB traffic load balancer while LB distributes load across a group of resources or SERVERS. Therefore LBs are not the answer. Both ELB and AG can have public IP addresses AGW2 just fulfills the needed requirement for App2. So the correct answers are AGW1 for App1 and AGW2 for App2.

Tried in lab ... Box 1 -AGW1 and Box 2 - AGW2

Check the flow chart from the below link. The answer for App2 cannot be ELB. I believe it is AGW2, https://docs.microsoft.com/en-us/azure/architecture/guide/technology-choices/load-balancing-overview

this one explains when to use what, so for attack protection, use WAF, for Source IP Affinity, use Load balancer. a Public IP needs ELB. https://devblogs.microsoft.com/premier-developer/azure-load-balancing-solutions-a-guide-to-help-you-choose-the-correct-option/

It did not say WAF v2 SKUs only Standard V2 SKU. So AGW2 has no WAF

The answer should be both APGW2. For 1, because of SLA & also APGW2 comes with WAF configuration which we can enable to support injection protection. For 2, web app and likely we would not use LB. APGW2 provides static IP not V1.