Exam AZ-305 topic 4 question 78 discussion

D is the answer. https://learn.microsoft.com/en-us/azure/frontdoor/front-door-faq#what-is-the-difference-between-azure-front-door-and-azure-application-gateway- While both Front Door and Application Gateway are layer 7 (HTTP/HTTPS) load balancers, the primary difference is that Front Door is a non-regional service whereas Application Gateway is a regional service. While Front Door can load balance between your different scale units/clusters/stamp units across regions, Application Gateway allows you to load balance between your VMs/containers etc. that is within the scale unit.

D. Azure Front Door Premium Azure Front Door Premium now supports Private Link, which enables private connectivity from a virtual network to a service running in Azure. This feature can be used to connect to services across regions privately, so this should work for your use case where VM2 is in East US and VM3 is in West US. Here is how it could work: Azure Front Door Premium could be set up with Private Link to create a private endpoint in a regional network. This network can route traffic to VM2 and VM3 through the private link over the Microsoft backbone network, without exposure to the public internet. When one VM fails, Azure Front Door can automatically route the traffic to the other VM, maintaining the availability of your application.

For those saying Front door (with private endpoint), why has vnet peering been created in that case? A cross regional lb can work here, even with a public frontend, (you will also need stand lb in each region with public front-end but private IPs can go in backend pool). This will work fine for https traffic (no level 7 routing is required or stated in the scenario). Reference: • Load Balancer is a high-performance, ultra-low-latency Layer 4 load-balancing service (inbound and outbound) for all UDP and TCP protocols. It's built to handle millions of requests per second while ensuring your solution is highly available. Load Balancer is zone redundant, ensuring high availability across availability zones. It supports both a regional deployment topology and a cross-region topology. From <https://learn.microsoft.com/en-us/azure/architecture/guide/technology-choices/load-balancing-overview>

I think it's simply a load-balancing scenario.

I did choose D initially but I think C is a very good option. In fact in a real world scenario if I was Architecting to just load balance basic 443 traffic within my internal network across region and have no need for URL based routing, or WAF or other bells and whistles I get from Azure Front Door, using a private link creates an unnecessarily complicated implementation. CRLB keeps it quite simple.

FrontDoor, Region LB7

Maybe I'm missing something, but why can't Application Gateway be deployed in VNet1, alongside VM1? VM1 can talk to App Gateway and the backends of the App Gateway are not limited to be in same region, they can even reside outside of Azure. VNet1 is peered to both other VNets so Application Gateway should be able to reach the private IPs of VM2 and VM3.

Given answer D is correct Azure Front Door Premium with Private Link configuration should meet the requirements

Global LB (cross region LB) could do this same load balancing just the same, but I think this is a slightly old question when cross region LB was still in preview, which is no longer the case. Still, AFD is capable as per below to have an internal LB as backend (Endpoints), so, let's say that AFD could very well be the answer here. https://learn.microsoft.com/en-us/azure/frontdoor/front-door-faq#can-i-deploy-azure-load-balancer-behind-front-door-

The answer is D. While both front door and the Cross-Region load balancer are used for cross-region load balancing. Front door allows the use of Private IP's, nd the Cross-region load balancer does not, as per documentation: https://learn.microsoft.com/en-us/azure/load-balancer/cross-region-overview#regional-redundancy . Also, as of the time of writing this answer, the Cross-Region load balancer is still in preview and should not be the first choice for production loads.

Based on the limitation with C: as per below as well as in preview the more appropriate choice is likely D: https://learn.microsoft.com/en-us/azure/load-balancer/cross-region-overview#regional-redundancy

This link says that Azure Front Door premium can use private IPs. https://learn.microsoft.com/en-us/azure/frontdoor/private-link

D. Azure Front Door Premium

Can Azure Front Door load balance or route traffic within a virtual network? Azure Front Door Standard, Premium and (classic) tier requires a public IP or publicly resolvable DNS name to route traffic to backend resources. Azure resources such as Application Gateways or Azure Load Balancers can enable routing to resources within a virtual network. https://learn.microsoft.com/en-us/azure/frontdoor/front-door-faq#can-azure-front-door-load-balance-or-route-traffic-within-a-virtual-network-

Front Door requires public IPs while the case explicitly says the VMs are accessible only on private IPs. Front Door: Backend pools can be composed of Storage, Web App, Kubernetes instances, or any other custom hostname that has public connectivity. Azure Front Door requires that the backends are defined either via a public IP or a publicly resolvable DNS hostname. Members of backend pools can be across zones, regions, or even outside of Azure as long as they have public connectivity.

https://learn.microsoft.com/en-us/azure/frontdoor/front-door-faq

D - Looks to be the best answer https://learn.microsoft.com/en-us/azure/frontdoor/health-probes b - Application load balancer is only for in-region connectivity. - incorrect