Exam AZ-305 topic 4 question 9 discussion

A: No rate limited B: Does not have Private Endpoint integration C: Does not make sense, and does not rate limited D: OK, rate limited + PE integration

D is correct answer!

Azure App Gateway with WAF does support Rate-limiting (From - https://learn.microsoft.com/en-us/training/modules/introduction-azure-web-application-firewall/3-how-azure-web-application-firewall-works) Azure Web Application Firewall custom rules support rate limiting to control access based on matching conditions and the rates of incoming requests. This custom rule enables you to detect abnormally high levels of traffic and block some types of application layer denial of service attacks. Rate limiting also protects you against clients that have accidentally been misconfigured to send large volumes of requests in a short time period. The custom rule is defined by the rate limit counting duration (either one minute or five-minute intervals) and the rate limit threshold (the maximum number of requests allowed in the rate limit duration).

API Management supports private endpoints for secure inbound client connections to your API Management instance. Each secure connection uses a private IP address from your virtual network and Azure Private Link. https://learn.microsoft.com/en-us/azure/api-management/virtual-network-concepts B is correct

At first, I though the answer is B since APIM Standard tier supports private endpoints as well. However it uses a service endpoint which is still a publicly routable IP address. Hence, we are left with the APIM Premium tier which is a bit more expensive but satisfies the requirements

Azure API Management (Standard tier) can expose a private IP through service endpoints when deployed in the same virtual network as the AKS cluster.

D is correct

One option is to deploy APIM (API Management) inside the cluster VNet. The AKS cluster and the applications that consume the microservices might reside within the same VNet, hence there is no reason to expose the cluster publicly as all API traffic will remain within the VNet. For these scenarios, you can deploy API Management into the cluster VNet. API Management Premium tier supports VNet deployment.

MS Copilot says: Azure API Management Premium tier with virtual network connection would work, it offers more features than you need and at a higher cost. The Standard tier with service endpoints is a better fit for your requirements, balancing cost and functionality effectively.

Microservices are meant to be accessible from the virtual network so just a service endpoint is enough. No need for a premium tier.

Why D? There's no mention of this microservice application being an API.

This question appeared in the exam, August 2024. I gave this same answer listed here. I scored 870

I think the answer should be Azure App Gateway with Azure Web Application Firewall (WAF). Beacuse the API managemnt is Charged HOURLY basis. App Gw supports rate limiting: https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/rate-limiting-overview

The best option to meet the requirements you mentioned would be to use Azure API Management with a virtual network connection. This can be achieved with the Premium tier of Azure API Management. This will allow you to restrict ingress access to a single private IP address and protect it using mutual TLS authentication. Additionally, Azure API Management provides rate limiting capabilities and can be deployed within a virtual network to minimize costs. So, the correct answer is D. Azure API Management Premium tier with virtual network connection.

D. Azure API Management Premium tier with a virtual network connection Azure API Management Premium tier supports virtual network integration, which allows you to restrict ingress access to the microservices to a single private IP address within the virtual network. This tier also supports mutual TLS authentication, rate-limiting policies, and provides a solution for exposing the microservices to the consumer apps while minimizing costs.

D is correct answer!

D. Azure API Management Premium tier with virtual network connection