Exam SC-100 topic 3 question 15 discussion

Why Not D. UDR User Defined Routes (UDR). Route tables can contain UDRs used by Azure networking to control the flow of packets within a VNet. These route tables can be applied to subnets. One of the newest features in Azure is the ability to apply a route table to the GatewaySubnet, providing the ability to forward all traffic coming into the Azure VNet from a hybrid connection to a virtual appliance.

I would go for B because there is an expressroute, so part of the trafic is going internally. For accepting internet traffic to the api's I'd go for firewall as well. It can work with only one public ip.

Based on the network diagram and the requirements stated (minimizing the number of public IP addresses allowed to access the on-premises network while enabling communication between on-premises servers and Azure web apps), the best recommendation would be: D. Azure Application Gateway v2 with user-defined routes (UDRs) Explanation: Azure Application Gateway v2: It provides web traffic load balancing, which enables you to manage traffic to your web applications. This solution also allows you to enforce security policies, including Web Application Firewall (WAF), to protect your applications from common threats. User-defined routes (UDRs): These allow you to customize the routing of traffic within your virtual network. By setting up UDRs, you can control the flow of traffic from the Azure resources to the on-premises network, ensuring that the traffic is routed securely through specific paths (e.g., via the ExpressRoute) without exposing additional public IP addresses. This combination allows you to tightly control the ingress and egress traffic, ensuring that only specific, necessary connections are made while minimizing exposure of the on-premises network to the public internet.

Correct answer is C. Those selecting "B" missing the load balancing requirment in the exhibit. Azure firewall dont have load balancing capability.

Using geo-redundant storage (GRS) ensures that your data is replicated in a secondary region far enough away from the primary location to avoid being affected by the same disaster. In the context of ransomware, this means that even if one location is compromised, the backups in another location remain unaffected, which greatly increases resiliency.

D. Azure Application Gateway v2 with user-defined routes (UDRs) This option allows you to control the traffic flow at the network routing level, hence minimizing the number of public IP addresses that can access your on-premises network, which aligns with the requirement to minimize public IP exposure. Azure Application Gateway can be integrated with ASE to manage traffic to the apps and control network routing via UDRs effectively.

The only answer that makes sense here is AZ-FW because we are talking about traffic between applications residing in Azure and that on-premises, not users from the internet.

Azure Application Gateway acts as a reverse proxy and load balancer, allowing traffic to be routed between the web apps and the on-premises application server. User-defined routes (UDRs) enable you to define custom routing tables for the Azure virtual network

B is the answer. https://learn.microsoft.com/en-us/azure/app-service/environment/firewall-integration#configuring-azure-firewall-with-your-ase

Azure firewall for routing and egress reasons

if you also have outgoing traffic that going via the "X" only a firewall makes sense

https://learn.microsoft.com/en-us/azure/app-service/environment/firewall-integration

I voted for B. The on-premise firewall does not work for ExpressRoute connection. The on-prem app server is open to the public internet through the Azure network. To protect the app server, Azure Firewall with policy rule sets is needed to filter all types of traffic, while WAF works only for web requests. In short, the Azure network needs a firewall.

I voted for C because we are handling HTTP/s traffic : https://learn.microsoft.com/en-us/azure/architecture/guide/technology-choices/load-balancing-overview

For me correct answer is B: For inbound non-HTTP(S) connections, traffic should be targeting the public IP address of the Azure Firewall (if coming from the public Internet), or it will be sent through the Azure Firewall by UDRs (if coming from other Azure VNets or on-premises networks). All outbound flows from Azure VMs will be forwarded to the Azure Firewall by UDRs. Ref: https://learn.microsoft.com/en-us/azure/architecture/example-scenario/gateway/firewall-application-gateway#firewall-and-application-gateway-in-parallel

If FW is used how will you loadbalance between backend webapps?

A possible solution to ensure that the web apps can communicate with the on-premises application server while minimizing the number of public IP addresses that are allowed to access the on-premises network is to use Azure Firewall with policy rule sets. Azure Firewall is a cloud-based network security service that protects your Azure virtual network resources. You can use Azure Firewall to filter traffic to and from the on-premises network and the web apps in Azure. By using policy rule sets, you can define rules that specify which public IP addresses are allowed to access the on-premises network. This will help minimize the number of public IP addresses that are allowed to access the on-premises network. Other options, such as Azure Traffic Manager with priority traffic-routing methods, Azure Front Door with Azure Web Application Firewall (WAF), and Azure Application Gateway v2 with user-defined routes (UDRs), may not be as suitable for this scenario because they do not provide the same level of control over access to the on-premises network. I go for answer B.