Hard · 1 mark · Multiple Choice
Tags: Domain 4 Network Architecture · Azure Firewall · Hub and Spoke

AZ-305 · Question 51 · Domain 4.4: Network Solutions

CASE STUDY: Contoso Manufacturing

Overview: Contoso Ltd is a global manufacturing company with 50,000 employees across 30 countries. They currently operate a mix of on-premises infrastructure (500 VMware VMs across 5 data centers) and Azure (20 subscriptions with 100+ VMs and various PaaS services). Their annual IT budget is $50 million, with plans to migrate 70% of workloads to Azure within 2 years.

Business Requirements: The company needs to reduce IT costs by 30%, improve disaster recovery (current RTO: 24 hours -> target: 2 hours), enhance security posture to meet ISO 27001 and SOC 2 compliance, and enable remote work for 80% of employees. All solutions must support future growth of 20% annually.

Technical Constraints: Some legacy applications cannot be modified and must run on Windows Server 2012 R2. Network connectivity requires 10 Gbps throughput to Azure with <20ms latency. GDPR compliance mandates that EU customer data must remain in European Azure regions.

Question:
To meet the security and compliance requirements, Contoso wants to ensure that all outbound internet traffic from their Azure Virtual Networks is inspected and filtered centrally.

Which network architecture should you implement?

Answer options:

A.

A Hub-and-Spoke topology with Azure Firewall in the hub and User Defined Routes (UDRs) in the spokes forcing traffic to the firewall.

B.

A Hub-and-Spoke topology with Network Security Groups (NSGs) applied to every spoke subnet.

C.

A full mesh topology with Azure Application Gateway in every VNet.

D.

Azure Virtual WAN with a standard VPN Gateway.

How to approach this question

Identify the standard Azure pattern for centralized outbound traffic inspection.

Full Answer

A. A Hub-and-Spoke topology with Azure Firewall in the hub and User Defined Routes (UDRs) in the spokes forcing traffic to the firewall. ✓ Correct
To achieve centralized inspection of outbound internet traffic, the best practice is to use a Hub-and-Spoke network topology. You deploy an Azure Firewall in the central Hub VNet. In the Spoke VNets, you configure User Defined Routes (UDRs) with a route of 0.0.0.0/0 (all internet traffic) pointing to the private IP address of the Azure Firewall as the next hop. This ensures all outbound internet traffic is inspected, logged, and filtered according to corporate policy.
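The design above only works if every spoke subnet really carries the 0.0.0.0/0 route to the firewall and nothing more specific routes around it. The following script is an added example, not part of the exam page or of any Microsoft tooling: it audits constructed route-table data (modelled on the `routes[].addressPrefix`, `nextHopType`, `nextHopIpAddress` and `subnets[].id` fields that `az network route-table list` returns) against a constructed inventory of spoke subnets and an assumed firewall private IP of 10.0.1.4. The subnet labels are abbreviated stand-ins for full ARM resource ids.

```python
"""Audit spoke subnet route tables: is every spoke subnet forced through the hub firewall?

Added example, not from the exam page. Firewall IP, subnet labels and route tables are
constructed, modelled on the fields returned by `az network route-table list`.
"""
from ipaddress import ip_network

FIREWALL_PRIVATE_IP = "10.0.1.4"  # constructed: private IP of the Azure Firewall in the hub

# Constructed route tables (abbreviated subnet ids instead of full ARM resource ids).
ROUTE_TABLES = [
    {   # correct: a single default route whose next hop is the firewall
        "name": "rt-spoke-app",
        "routes": [
            {"name": "default-to-fw", "addressPrefix": "0.0.0.0/0",
             "nextHopType": "VirtualAppliance", "nextHopIpAddress": "10.0.1.4"},
        ],
        "subnets": [{"id": "vnet-spoke-app/snet-app"}],
    },
    {   # default route is right, but a more specific route skips the firewall
        "name": "rt-spoke-data",
        "routes": [
            {"name": "default-to-fw", "addressPrefix": "0.0.0.0/0",
             "nextHopType": "VirtualAppliance", "nextHopIpAddress": "10.0.1.4"},
            {"name": "saas-direct", "addressPrefix": "52.0.0.0/8",
             "nextHopType": "Internet", "nextHopIpAddress": None},
        ],
        "subnets": [{"id": "vnet-spoke-data/snet-db"}],
    },
    {   # default route exists but points straight at the Internet
        "name": "rt-spoke-legacy",
        "routes": [
            {"name": "default-direct", "addressPrefix": "0.0.0.0/0",
             "nextHopType": "Internet", "nextHopIpAddress": None},
        ],
        "subnets": [{"id": "vnet-spoke-legacy/snet-legacy"}],
    },
]

# Constructed inventory of spoke subnets that must be inspected. The last one has no
# route table at all, so Azure's system default route sends its traffic straight out.
SPOKE_SUBNETS = [
    "vnet-spoke-app/snet-app",
    "vnet-spoke-data/snet-db",
    "vnet-spoke-legacy/snet-legacy",
    "vnet-spoke-new/snet-new",
]


def audit_forced_tunnelling(route_tables, spoke_subnets, firewall_ip):
    """Return {subnet_id: [findings]}. An empty list means all egress goes via the firewall."""
    table_for_subnet = {s["id"]: rt for rt in route_tables for s in rt["subnets"]}
    findings = {}
    for subnet in spoke_subnets:
        problems = []
        rt = table_for_subnet.get(subnet)
        if rt is None:
            problems.append("no route table: system default route sends internet traffic direct")
        else:
            default = [r for r in rt["routes"] if ip_network(r["addressPrefix"]).prefixlen == 0]
            if not default:
                problems.append(f"{rt['name']}: no 0.0.0.0/0 route, system default route applies")
            for r in default:
                if r["nextHopType"] != "VirtualAppliance" or r["nextHopIpAddress"] != firewall_ip:
                    problems.append(f"{rt['name']}: default route {r['name']} next hop is "
                                    f"{r['nextHopType']} {r['nextHopIpAddress']}, not firewall {firewall_ip}")
            # Longest-prefix match wins, so any more specific route with an Internet
            # next hop silently carves a hole in the forced-tunnelling policy.
            for r in rt["routes"]:
                if ip_network(r["addressPrefix"]).prefixlen > 0 and r["nextHopType"] == "Internet":
                    problems.append(f"{rt['name']}: route {r['name']} ({r['addressPrefix']}) bypasses firewall")
        findings[subnet] = problems
    return findings


if __name__ == "__main__":
    report = audit_forced_tunnelling(ROUTE_TABLES, SPOKE_SUBNETS, FIREWALL_PRIVATE_IP)
    for subnet, problems in report.items():
        print(("OK  " if not problems else "FAIL") + " " + subnet)
        for p in problems:
            print("      - " + p)
```

Two caveats the audit does not cover: do not associate this forced-tunnelling route table with AzureFirewallSubnet itself, because the firewall's own subnet needs a default route to the Internet, and the check should be rerun whenever a new spoke subnet is created, since a subnet with no route table falls back to the system default route.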

Common mistakes

Relying solely on NSGs. NSGs are applied per subnet or NIC and filter only on Layer 3/4 attributes (addresses, ports, protocols); they offer no central choke point and lack the Layer 7 inspection capabilities required by enterprise security teams.
