You need to recommend a strategy for routing internet-bound traffic from the landing zones. The solution must meet the landing zone requirements. What should you recommend as part of the landing zone deployment?
To meet the requirement of routing internet-bound traffic from landing zones through Azure Firewall, forced tunneling remains the most appropriate solution. UDRs and service chaining could be used to manage traffic within peered networks or direct traffic through specific virtual appliances within the hub and spoke architecture, but they would still complement rather than replace the need for forced tunneling to control outbound traffic.
Forced tunneling allows you to route all internet-bound traffic from the landing zones through a central point, such as an Azure Firewall in a dedicated subscription. This centralizes control and monitoring of outbound traffic.
Answer is B
In a forced-tunneling scenario, all internet-bound traffic that originates on Azure virtual machines (VMs) is routed, or forced, to go through an inspection and auditing appliance. Unauthorized internet access can potentially lead to information disclosure or other types of security breaches without the traffic inspection or audit.
https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/scenarios/azure-virtual-desktop/eslz-network-topology-and-connectivity
Why service chaining is incorrect:
Service chaining refers to a process where multiple network services (like firewalls, load balancers, intrusion detection systems, etc.) are connected in a sequence, with traffic flowing through each service in the chain. It's more relevant when you're implementing complex security or traffic processing sequences across multiple services.
In the context of your requirements, the goal is specifically to route all internet-bound traffic from the landing zones through Azure Firewall in a dedicated subscription. This needs a direct control mechanism that enforces secure routing (i.e., forced tunneling) rather than the sequential processing of services.
So I'll go with B, forced tunneling (due to the requirement stated).
Forced tunneling is specifically about redirecting internet-bound traffic to on-premises for inspection and compliance reasons, which is often a requirement for landing zones in enterprises with stringent security policies.
Local network gateways (A) are not optimal for internet routing, and service chaining (C) adds unnecessary complexity and cost in this scenario.
Therefore, the correct answer is B. forced tunneling
Definitely not forced tunneling. Forced tunneling routes traffic from the firewall to a specified next hop device. This question is about the traffic being routed to the firewall from all VNets. Service chaining is correct.
When you configure a new Azure Firewall, you can route all Internet-bound traffic to a designated next hop instead of going directly to the Internet. For example, you may have a default route advertised via BGP or using User Defined Route (UDR) to force traffic to an on-premises edge firewall or other network virtual appliance (NVA) to process network traffic before it's passed to the Internet. To support this configuration, you must create Azure Firewall with Forced Tunnel configuration enabled.
C should be the correct answer instead.
https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview#service-chaining
Service chaining enables you to direct traffic from one virtual network to a virtual appliance or gateway in a peered network through user-defined routes.
To enable service chaining, configure user-defined routes that point to virtual machines in peered virtual networks as the next hop IP address. User-defined routes could also point to virtual network gateways to enable service chaining.
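Whichever label the thread settles on, the mechanism that actually sends a spoke's internet-bound traffic to the hub firewall is a user-defined route: a route table on the landing-zone subnet whose 0.0.0.0/0 route has a VirtualAppliance next hop set to the firewall's private IP, plus (for the firewall side of forced tunneling) a 0.0.0.0/0 route on AzureFirewallSubnet pointing at the virtual network gateway. The Bicep below is an added example written for this thread, not code from the question or from Microsoft's documentation; the resource names, address prefixes and the firewall private IP 10.0.1.4 are assumed values.

```bicep
// Added example: spoke-to-hub default route plus firewall-side forced-tunnel route.
// All names and IPs below are assumptions for illustration.

@description('Private IP of the Azure Firewall in the hub (assumed value)')
param firewallPrivateIp string = '10.0.1.4'
param location string = resourceGroup().location
param spokeVnetName string = 'vnet-landingzone-01'
param workloadSubnetName string = 'snet-workload'
param workloadSubnetPrefix string = '10.1.0.0/24'
param hubVnetName string = 'vnet-hub'

// 1. Landing-zone side: every packet that is not matched by a more specific
//    system route (VNet, peered VNet) is sent to the firewall, not to the internet.
resource rtSpoke 'Microsoft.Network/routeTables@2023-09-01' = {
  name: 'rt-spoke-to-hub-firewall'
  location: location
  properties: {
    // Caveat: a 0.0.0.0/0 learned over BGP (e.g. from on-premises via ExpressRoute)
    // would otherwise compete with this route; disabling propagation keeps the
    // firewall as the only default next hop for the subnet.
    disableBgpRoutePropagation: true
    routes: [
      {
        name: 'default-to-azure-firewall'
        properties: {
          addressPrefix: '0.0.0.0/0'
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: firewallPrivateIp
        }
      }
    ]
  }
}

resource spokeVnet 'Microsoft.Network/virtualNetworks@2023-09-01' existing = {
  name: spokeVnetName
}

// Associate the route table with the workload subnet in the landing zone.
resource workloadSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-09-01' = {
  parent: spokeVnet
  name: workloadSubnetName
  properties: {
    addressPrefix: workloadSubnetPrefix
    routeTable: {
      id: rtSpoke.id
    }
  }
}

// 2. Hub side (forced tunneling): traffic the firewall allows out is handed to the
//    VPN/ExpressRoute gateway instead of going straight to the internet. The firewall
//    must be deployed with forced-tunnel support (AzureFirewallManagementSubnet and a
//    management IP configuration) for this route to be valid on AzureFirewallSubnet.
resource rtFirewall 'Microsoft.Network/routeTables@2023-09-01' = {
  name: 'rt-azurefirewall-forced-tunnel'
  location: location
  properties: {
    disableBgpRoutePropagation: false
    routes: [
      {
        name: 'default-to-onprem-gateway'
        properties: {
          addressPrefix: '0.0.0.0/0'
          nextHopType: 'VirtualNetworkGateway'
        }
      }
    ]
  }
}

resource hubVnet 'Microsoft.Network/virtualNetworks@2023-09-01' existing = {
  name: hubVnetName
}

resource firewallSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-09-01' existing = {
  parent: hubVnet
  name: 'AzureFirewallSubnet'
}

output spokeRouteTableId string = rtSpoke.id
output firewallRouteTableId string = rtFirewall.id
output firewallSubnetId string = firewallSubnet.id
```

After deployment, confirm the route actually took effect on a workload NIC with `az network nic show-effective-route-table --name <nic> --resource-group <rg>`: the 0.0.0.0/0 entry should show source "User" and next hop type "VirtualAppliance" with the firewall's private IP, and any BGP-learned default route should be absent. If a default route from on-premises still appears, the spoke route table's `disableBgpRoutePropagation` setting is the first thing to check.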
ChatGPT explanation for using forced tunneling:
According to the requirements for the landing zone architecture, all internet-bound traffic from landing zones should be routed through Azure Firewall in a dedicated Azure subscription. To meet this requirement, you can use forced tunneling which is a feature of Azure VPN gateways. Forced tunneling sends all traffic through the VPN tunnel, regardless of the destination address. This ensures that all traffic is subjected to the security provided by the VPN gateway. Service chaining is not the correct option because it is used to direct traffic from one virtual network to a virtual appliance, or virtual network gateway, in a peered virtual network, through another virtual appliance or virtual network gateway. It is not used for routing internet-bound traffic from landing zones through Azure Firewall in a dedicated Azure subscription. Forced tunneling is used to direct traffic from a virtual network to an on-premises location. However, it can also be used to route internet-bound traffic from landing zones through Azure Firewall in a dedicated Azure subscription.
The key is that traffic needs to be directed to an Azure FW to achieve the sought outcome. For this specific case a FW with Forced tunneling is the way to go according to the below links:
https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/hub-spoke?toc=%2Fazure%2Fvirtual-network%2Ftoc.json&tabs=cli
https://learn.microsoft.com/en-us/azure/firewall/forced-tunneling
Community vote distribution
A (35%)
C (25%)
B (20%)
Other