C. VNET1 only
No idea why people are saying option E, as the question clearly states that "You need to deploy an Azure firewall named AF1 to RG1 in the West US", so RG1 in the West US region means the correct answer is C (VNET1).
The key point is deploying the firewall within RG1, not just the regions where the VNets reside. The question is asking to deploy in RG1. You cannot just go anywhere and take a d at other places even if you can.
Should be E - Vnet 1 and Vnet 4.
As with all resources, the resource group is just a logical grouping and the real limitations do come from the region. An Azure Firewall can be used with peered networks, but as the question does not mention peering, the firewall cannot be applied to networks in another region.
"You can deploy Azure Firewall on any virtual network, but customers typically deploy it on a central virtual network and peer other virtual networks to it in a hub-and-spoke model. You can then set the default route from the peered virtual networks to point to this central firewall virtual network. Global VNet peering is supported, but it isn't recommended because of potential performance and latency issues across regions. For best performance, deploy one firewall per region."
I also just tried it out: I cannot connect an Azure Firewall to a VNET which is in another region.
Are there any firewall resource group restrictions?
Yes. The firewall, VNet, and the public IP address all must be in the same resource group.
https://learn.microsoft.com/en-us/azure/firewall/firewall-faq#are-there-any-firewall-resource-group-restrictions
The firewall and VNet must be in the same resource group.
https://learn.microsoft.com/en-us/azure/firewall/firewall-faq#are-there-any-firewall-resource-group-restrictions
The firewall and VNet must be in the same resource group.
The public IP address can be in any resource group.
The firewall, VNet, and the public IP address all must be in the same subscription.
Nothing about same region.
Guys, read the question carefully. The answer is VNET1 & VNET4 (Answer E). Asked Gemini and tested it in my lab; both say it's VNET1 and VNET4 - the Resource Group does not matter in this case, it is the Region where you deploy the Firewall.
- The firewall and VNet must be in the same resource group.
- The public IP address can be in any resource group.
- The firewall, VNet, and the public IP address all must be in the same subscription.
https://learn.microsoft.com/en-us/azure/firewall/firewall-faq
Are there any firewall resource group restrictions?
Yes.
The firewall and VNet must be in the same resource group.
The public IP address can be in any resource group.
The firewall, VNet, and the public IP address all must be in the same subscription.
https://learn.microsoft.com/en-us/azure/firewall/firewall-faq
An Azure Firewall can protect a VNet in the same resource group, but it cannot directly protect a VNet in a different resource group. This is because an Azure Firewall is deployed in a VNet and filters traffic entering and exiting that VNet. It cannot interact with resources in other resource groups.
If you need to protect a VNet in a different resource group, you can use one of the following workarounds:
- VNet peering
- Azure Virtual WAN
- VPN
Google Bard
No, the Azure Firewall itself cannot belong to a different resource group than the resource group it protects. Azure Firewall requires tight integration with the resources it secures, including virtual networks and subnets. This integration isn't possible if the firewall resides in a separate resource group.
Azure Firewall needs to be deployed in the same resource group as the resources it protects for several reasons:
Policy enforcement: Azure Firewall applies its network security policies to resources within the same resource group. Placing it in a different group weakens its ability to effectively secure those resources.
Resource association: Certain features of Azure Firewall, like IP Groups and Application Rules, require direct association with resources within the same resource group.
Management and access control: Managing and controlling access to Azure Firewall is easier when it's within the same resource group as the resources it protects.
E is not correct; I have tested this in my lab. When you try to create an Azure Firewall in RG1, you cannot select the VNET in RG2. It will actually tell you "Azure Firewall cannot be used with a VNET from a different resource group".
Therefore, the correct answer is C - VNET1 only as it is deployed in RG1.
https://learn.microsoft.com/en-us/azure/firewall/firewall-faq#are-there-any-firewall-resource-group-restrictions
C: seems most relevant here as per comments here and the links provided confirming restrictions implementing Azure Firewall
https://learn.microsoft.com/en-us/azure/firewall/firewall-faq#are-there-any-firewall-resource-group-restrictions