Exam AZ-305 topic 4 question 72 discussion

The Virtual WAN meets the first 3 requirements, and the secured virtual hub has the Azure Firewall Manager, which can do the FQDN filtering. https://learn.microsoft.com/en-us/azure/firewall-manager/secured-virtual-hub https://learn.microsoft.com/en-us/azure/firewall/fqdn-filtering-network-rules

Option A, Azure Virtual WAN with a secured virtual hub, is the best recommendation for this scenario as it allows for automatic connection of mobile users to the closest Azure region, connection of offices to their local Azure region via ExpressRoute circuits, support for transitive routing, and filtering of network traffic between virtual networks by using FQDNs. Option B, virtual network peering and application security groups, does not provide automatic connection of mobile users to the closest Azure region or support for transitive routing. Option C, virtual network gateways and network security groups (NSGs), does not provide automatic connection of mobile users to the closest Azure region or support for transitive routing, and filtering network traffic between virtual networks by using FQDNs is more challenging. Option D, Azure Route Server and Azure Network Function Manager, does not provide automatic connection of mobile users to the closest Azure region or support for filtering network traffic between virtual networks by using FQDNs.

A is correct

I would say A is correct and as per below Virtual WAN: It represents the virtual overlay of the Azure Virtual Network and other Resources. it is networking service that brings many networking, security, and routing functionalities together to provide a single operational interface. HUB: You create a virtual hub in the Virtual WAN Resources . This is Microsoft Managed virtual network. You connect the various endpoints to the HUB – Azure virtual Network, Site-to-Site Some of the main features include: Remember there are two service tiers, Basic and STD Basic: ONLY S2S VPN

Azure Virtual WAN

The recommendation that meets the requirements specified would be: A. Azure Virtual WAN with a secured virtual hub Azure Virtual WAN allows for transitive routing between virtual networks and on-premises networks, and the automatic connection to the closest Azure region for Point-to-Site (P2S) VPN connections. The offices in each region can connect to their local Azure region using ExpressRoute circuits that can be integrated into the Virtual WAN. A Secured Virtual Hub is an Azure Virtual WAN Hub with associated security and routing policies. It is a Microsoft-managed resource that lets you easily create hub-and-spoke architectures. When security and routing policies are associated with such a hub, it is referred to as a Secured Virtual Hub. The Secured Virtual Hub allows for Azure Firewall, which can filter the network traffic between virtual networks using Fully Qualified Domain Names (FQDNs).

Virtual WAN

A is the answer. https://learn.microsoft.com/en-us/azure/firewall-manager/secured-virtual-hub A secured virtual hub is an Azure Virtual WAN Hub with associated security and routing policies configured by Azure Firewall Manager. Use secured virtual hubs to easily create hub-and-spoke and transitive architectures with native security services for traffic governance and protection. You can use a secured virtual hub to filter traffic between virtual networks (V2V), virtual networks and branch offices (B2V) and traffic to the Internet (B2I/V2I).

Correct Answer A

A. Azure Virtual WAN with a secured virtual hub

A. Azure Virtual WAN with a secured virtual hub.

Not sure if this is relevant: Virtual Networks connected to the Secure Virtual Hub can send traffic to public, destinations on the Internet, using the Secure Hub as a central point of Internet access. This traffic can be filtered locally using Azure Firewall FQDN rules, or sent to a third-party security service for inspection. https://learn.microsoft.com/en-us/azure/virtual-wan/migrate-from-hub-spoke-topology#path-7

Only A can filter by FQDN

A is correct

B & C incorrect: they work at 4th network level Request is for FQDN filtering

According to https://learn.microsoft.com/en-us/azure/architecture/networking/hub-spoke-vwan-architecture#architecture, which shako shared, I think the answer needs to be A. This supports requirement 1 & 2 (P2S/ExpressRoute) per "Standard Virtual WAN supports any-to-any connectivity (Site-to-Site VPN, VNet, ExpressRoute, Point-to-site endpoints) in a single hub as well as across hubs." Requirement 2 "Virtual network peering is a nontransitive relationship between two virtual networks. While using Azure Virtual WAN, virtual network peering is managed by Microsoft. Each connection added to a hub will also configure virtual network peering. With the help Virtual WAN, all spokes will have a transitive relationship." Finally, requirement 4, "A virtual hub can be created as a secured virtual hub or converted to a secure one anytime after creation. For additional information, see Secure your virtual hub using Azure Firewall Manager." Azure Firewall Manager will allow the FQDN filtering.

B should be the right one to include FQDN filtering requirement