Question 1

CASE STUDY (Questions 51-55)

Contoso Financial is a global investment bank.

Current Infrastructure:
- On-premises datacenters in New York, London, and Tokyo.
- Azure regions used: US East, Europe West, Japan East.
- Each on-premises datacenter is connected to its local Azure region via a 10 Gbps ExpressRoute circuit.
- Azure architecture uses a Hub-and-Spoke topology in each region.

Business Requirements:
- The network architecture must support global failover. If the US East region fails, the New York datacenter must be able to route traffic to the Europe West Azure region.
- All outbound internet traffic from Azure VMs must be inspected by a centralized firewall.
- Azure PaaS services (SQL, Storage) must not be accessible from the public internet.
- Network management overhead must be minimized as the company plans to add 50 more spoke VNets per region next year.

Question 2 of 5:
To meet the requirement for centralized outbound internet inspection, you deploy Azure Firewall in the Hub VNet.

The security team mandates that the firewall must be able to inspect the payload of encrypted HTTPS traffic to detect malware, and it must use signature-based detection to block known malicious traffic.

Which TWO features of Azure Firewall must you utilize? (Select TWO)

Accepted Answer

Identify the features required for 'payload of encrypted HTTPS' (TLS Inspection) and 'signature-based detection' (IDPS). Both require Azure Firewall Premium.

Question 2

What mistakes do candidates make on this AZ-305 question?

Accepted Answer

Confusing Threat Intelligence (IP/Domain blocking) with IDPS (deep packet signature inspection).

How to approach this question

Full Answer

Common mistakes

Practice the full Azure Solutions Architect Expert AZ-305 Practice Exam 3

More questions from this exam