Exam AZ-700 topic 2 question 33 discussion

Azure Firewall is the best response Communication through an NVA If you need connectivity between spokes, consider deploying Azure Firewall or another NVA in the hub. Then create routes to forward traffic from a spoke to the firewall or NVA, which can then route to the second spoke. In this scenario, you must configure the peering connections to allow forwarded traffic. You can also use a VPN gateway to route traffic between spokes, although this choice affects latency and throughput. For configuration details, see Configure VPN gateway transit for virtual network peering. https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/hub-spoke?tabs=cli

Forgot to vote. Wish you could edit your posts... Source: https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/hub-spoke?tabs=cli#spoke-network-communications

Azure Firewall can be used to support transitive routing via User Defined Routes (UDRs), but it introduces latency and cost, and may not maximize throughput.

D - Azure Firewall Ref: https://learn.microsoft.com/en-us/azure/architecture/networking/architecture/hub-spoke?tabs=cli#spoke-connections-through-azure-firewall-or-nva

Azure Firewall adds latency due to packet inspection or processing of traffic filtering

Azure Route Server simplifies dynamic routing between your network virtual appliance (NVA) and your virtual network. It allows for transitive routing between spokes, which is essential for your requirement of supporting transitive routing

A and C are obviously wrong B. Azure Route Server is purpose built for creating transitive routes. https://learn.microsoft.com/en-us/azure/route-server/route-server-faq D. Azure Firewall is not designed for routing purposes

isnt the answer A

Why do some say the answer is A OR B

Agree answer is D here is more https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/hub-spoke?tabs=cli

Explanation There are two main ways to allow spoke virtual networks to communicate with each other: Communication via an NVA like a firewall and router. This method incurs a hop between the two spokes. Communication by using virtual network peering or Virtual Network Manager direct connectivity between spokes. This approach doesn't cause a hop between the two spokes and is recommended for minimizing latency. Communication through an NVA. If you need connectivity between spokes, consider deploying Azure Firewall or another NVA in the hub. Then create routes to forward traffic from a spoke to the firewall or NVA, which can then route to the second spoke. In this scenario, you must configure the peering connections to allow forwarded traffic. Reference: https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/hub-spoke?tabs=cli#spoke-networkcommunications

I think to maximize throughput NVA is the best choice.

First requirement is "Support transitive routing between spokes". Both VPN GW and Azure Firewall can accomplish this. Second requirement is "Maximize network throughput". Azure firewall has a higher throughput than VPN GW. VPN GW throughput reference: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways Azure Firewall throuhput reference: https://learn.microsoft.com/en-us/azure/firewall/firewall-faq#:~:text=Azure%20Firewall's%20initial%20throughput%20capacity,100%20Gbps%20for%20Premium%20SKU.

Given answer is correct hub and spoke topology is 1 VPN + vnet with option use current VPN GW, other vnets with peering option and using remote GW. Route server would not work without VPN GW, Firewall is for security approach

This is a trick question as you'd never use Azure Firewall to accomplish this unless you need the other features of it. The question doesn't mention any of these additional features of Azure Firewall as a requirement. However, there are no other suitable answers so clearly what they are testing on here is your knowledge of if Azure Firewalls can be used at all. Answer is D

D. Azure Firewall There are two main ways to allow spoke virtual networks to communicate with each other: Communication via an NVA like a firewall and router. This method incurs a hop between the two spokes. Communication by using virtual network peering or Virtual Network Manager direct connectivity between spokes. This approach doesn't cause a hop between the two spokes and is recommended for minimizing latency. Communication through an NVA If you need connectivity between spokes, consider deploying Azure Firewall or another NVA in the hub. Then create routes to forward traffic from a spoke to the firewall or NVA, which can then route to the second spoke. In this scenario, you must configure the peering connections to allow forwarded traffic. Source: https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/hub-spoke?tabs=cli#spoke-network-communications

Azure Firewall is the best response Communication through an NVA If you need connectivity between spokes, consider deploying Azure Firewall or another NVA in the hub. Then create routes to forward traffic from a spoke to the firewall or NVA, which can then route to the second spoke. In this scenario, you must configure the peering connections to allow forwarded traffic. You can also use a VPN gateway to route traffic between spokes, although this choice affects latency and throughput. For configuration details, see Configure VPN gateway transit for virtual network peering. https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/hub-spoke?tabs=cli