C. VNET1 only
No idea why people are saying option E as the question clearly states that "You need to deploy an Azure firewall named AF1 to RG1 in the West US", so RG1 in the West US region means the correct answer is C(VNET1).
The key point is deploying the firewall within RG1, not just the regions where the VNets reside. The question is asking to deploy in RG1. You cannot just go any where and take a d at other places even if you can.
Should be E - Vnet 1 and Vnet 4.
As all resources, the resource group is just a logical grouping and the real limitations do come from the region. An Azure Firewall can be used with peered networks, but as the question does not mention peering the firewall cannot be applied to networks in another region.
"You can deploy Azure Firewall on any virtual network, but customers typically deploy it on a central virtual network and peer other virtual networks to it in a hub-and-spoke model. You can then set the default route from the peered virtual networks to point to this central firewall virtual network. Global VNet peering is supported, but it isn't recommended because of potential performance and latency issues across regions. For best performance, deploy one firewall per region."
I also just tried it out, I cannot connect an Azure Firewall to a VNET which is in another region.
Are there any firewall resource group restrictions?
Yes. The firewall, VNet, and the public IP address all must be in the same resource group.
https://learn.microsoft.com/en-us/azure/firewall/firewall-faq#are-there-any-firewall-resource-group-restrictions
AF1 is deployed inRG1 in the West US Region. Given this setup, the question asks on which VNnet "can" AF1 be deployed. The only restriction a firewall has is that the VNet is protects must be in the same region. There is no restriction on the RG in which the firewall is associated with.
I agree the correct answer should be C even though VNET4 is in West US.
According to this article the Azure Firewall and Virtual Network must be in the same resource group, but the Public IP can be in a different resource group.
Are there any Azure firewall resource group restrictions?
Yes:
The Azure Firewall and virtual network must be in the same resource group.
The public IP address can be in a different resource group.
All resources (Azure firewall, virtual network, public IP) must be in the same subscription.
https://learn.microsoft.com/en-us/azure/firewall/firewall-faq#are-there-any-firewall-resource-group-restrictions
"Are there any firewall resource group restrictions?
Yes.
- The firewall and VNet must be in the same resource group.
- The public IP address can be in any resource group.
- The firewall, VNet, and the public IP address all must be in the same subscription."
https://learn.microsoft.com/en-us/azure/firewall/firewall-faq#are-there-any-firewall-resource-group-restrictions
The firewall and VNet must be in the same resource group.
The public IP address can be in any resource group.
The firewall, VNet, and the public IP address all must be in the same subscription.
https://learn.microsoft.com/en-us/azure/firewall/firewall-faq#are-there-any-firewall-resource-group-restrictions
Answer = C
The firewall and VNet must be in the same resource group.
https://learn.microsoft.com/en-us/azure/firewall/firewall-faq#are-there-any-firewall-resource-group-restrictions
The firewall and VNet must be in the same resource group.
The public IP address can be in any resource group.
The firewall, VNet, and the public IP address all must be in the same subscription.
Nothing about same region.
Guys, read the question carefully. The answer is VNET1 & VNET4 (Answer E). Asked Gemini and tested it in my Lab, both say it's VNET1 and VNET4 - the Ressource Group does not matter in this case, it is the Region, where you deploy the Firewall.
- The firewall and VNet must be in the same resource group.
- The public IP address can be in any resource group.
- The firewall, VNet, and the public IP address all must be in the same subscription.
https://learn.microsoft.com/en-us/azure/firewall/firewall-faq
Are there any firewall resource group restrictions?
Yes.
The firewall and VNet must be in the same resource group.
The public IP address can be in any resource group.
The firewall, VNet, and the public IP address all must be in the same subscription.
https://learn.microsoft.com/en-us/azure/firewall/firewall-faq
An Azure Firewall can protect a VNet in the same resource group, but it cannot directly protect a VNet in a different resource group. This is because an Azure Firewall is deployed in a VNet and filters traffic entering and exiting that VNet. It cannot interact with resources in other resource groups.
If you need to protect a VNet in a different resource group, you can use one of the following workarounds:
VNet peering
Azure Virtual WAN
VPN
This section is not available anymore. Please use the main Exam Page.AZ-104 Exam Questions
Log in to ExamTopics
Sign in:
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.
Upvoting a comment with a selected answer will also increase the vote count towards that answer by one.
So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.
Ashfaque_9x
Highly Voted 2 years, 5 months agoIrism
2 years, 5 months agostormtraining
11 months, 2 weeks agozellck
2 years, 4 months agoWeepingMaplte
1 year, 1 month agorpalanivel83
2 years, 5 months agopramodk78
2 years, 5 months agogarmatey
2 years, 2 months agoMuffay
Highly Voted 2 years, 5 months agoRougePotatoe
2 years, 4 months agoSanaz90
8 months, 3 weeks ago70ec7c1
Most Recent 1 month, 4 weeks agot79homasdw
2 months agopdossantos
2 months, 1 week agoWALL47
5 months, 2 weeks ago1d07c8e
5 months, 3 weeks agoDonny_575
6 months, 3 weeks ago2d153f5
7 months ago95d0718
7 months, 2 weeks agojamesf
8 months ago[Removed]
9 months agoitismadu
9 months, 2 weeks agomoadabdou
1 year, 2 months agomoadabdou
1 year, 3 months agoAmir1909
1 year, 3 months agornd3131
1 year, 5 months ago