Question 1

CASE STUDY: Contoso Ltd is a global financial services company migrating to Azure. 
Current environment: 3 on-premises datacenters (New York, London, Tokyo) connected via MPLS. 
Azure footprint: 1 Hub VNet in East US, 1 Hub in UK South. 50 Spoke VNets peered to the Hubs. 
Requirements: 
1) Encrypt all cross-region traffic. 
2) Inspect all internet-bound traffic from spokes. 
3) Connect Tokyo datacenter to Azure with guaranteed 10 Gbps and SLA. 
4) Ensure web apps in spokes are protected from SQL injection. 
5) Resolve on-premises DNS from Azure and vice versa.

QUESTION: To meet Requirement 2 (Inspect all internet-bound traffic from spokes), you deploy Azure Firewall in the Hub VNets. How must you configure the Spoke VNets to ensure traffic is routed to the firewall?

Accepted Answer

Understand how forced tunneling works in a Hub-Spoke topology. You must override the default Azure internet route using a UDR.

Question 2

What mistakes do candidates make on this AZ-305 question?

Accepted Answer

Confusing NSGs with Route Tables. NSGs block traffic; Route Tables direct traffic.

How to approach this question

Full Answer

Common mistakes

Practice the full Azure Solutions Architect Expert AZ-305 Practice Exam 5

More questions from this exam