Exam AZ-305 topic 4 question 78 discussion

D is the answer. https://learn.microsoft.com/en-us/azure/frontdoor/front-door-faq#what-is-the-difference-between-azure-front-door-and-azure-application-gateway- While both Front Door and Application Gateway are layer 7 (HTTP/HTTPS) load balancers, the primary difference is that Front Door is a non-regional service whereas Application Gateway is a regional service. While Front Door can load balance between your different scale units/clusters/stamp units across regions, Application Gateway allows you to load balance between your VMs/containers etc. that is within the scale unit.

D. Azure Front Door Premium Azure Front Door Premium now supports Private Link, which enables private connectivity from a virtual network to a service running in Azure. This feature can be used to connect to services across regions privately, so this should work for your use case where VM2 is in East US and VM3 is in West US. Here is how it could work: Azure Front Door Premium could be set up with Private Link to create a private endpoint in a regional network. This network can route traffic to VM2 and VM3 through the private link over the Microsoft backbone network, without exposure to the public internet. When one VM fails, Azure Front Door can automatically route the traffic to the other VM, maintaining the availability of your application.

I did choose D initially but I think C is a very good option. In fact in a real world scenario if I was Architecting to just load balance basic 443 traffic within my internal network across region and have no need for URL based routing, or WAF or other bells and whistles I get from Azure Front Door, using a private link creates an unnecessarily complicated implementation. CRLB keeps it quite simple.

D is correct

FrontDoor, Region LB7

Maybe I'm missing something, but why can't Application Gateway be deployed in VNet1, alongside VM1? VM1 can talk to App Gateway and the backends of the App Gateway are not limited to be in same region, they can even reside outside of Azure. VNet1 is peered to both other VNets so Application Gateway should be able to reach the private IPs of VM2 and VM3.

Given answer D is correct Azure Front Door Premium with Private Link configuration should meet the requirements

Global LB (cross region LB) could do this same load balancing just the same, but I think this is a slightly old question when cross region LB was still in preview, which is no longer the case. Still, AFD is capable as per below to have an internal LB as backend (Endpoints), so, let's say that AFD could very well be the answer here. https://learn.microsoft.com/en-us/azure/frontdoor/front-door-faq#can-i-deploy-azure-load-balancer-behind-front-door-

The answer is D. While both front door and the Cross-Region load balancer are used for cross-region load balancing. Front door allows the use of Private IP's, nd the Cross-region load balancer does not, as per documentation: https://learn.microsoft.com/en-us/azure/load-balancer/cross-region-overview#regional-redundancy . Also, as of the time of writing this answer, the Cross-Region load balancer is still in preview and should not be the first choice for production loads.

Based on the limitation with C: as per below as well as in preview the more appropriate choice is likely D: https://learn.microsoft.com/en-us/azure/load-balancer/cross-region-overview#regional-redundancy

This link says that Azure Front Door premium can use private IPs. https://learn.microsoft.com/en-us/azure/frontdoor/private-link

D. Azure Front Door Premium

Can Azure Front Door load balance or route traffic within a virtual network? Azure Front Door Standard, Premium and (classic) tier requires a public IP or publicly resolvable DNS name to route traffic to backend resources. Azure resources such as Application Gateways or Azure Load Balancers can enable routing to resources within a virtual network. https://learn.microsoft.com/en-us/azure/frontdoor/front-door-faq#can-azure-front-door-load-balance-or-route-traffic-within-a-virtual-network-

Front Door requires public IPs while the case explicitly says the VMs are accessible only on private IPs. Front Door: Backend pools can be composed of Storage, Web App, Kubernetes instances, or any other custom hostname that has public connectivity. Azure Front Door requires that the backends are defined either via a public IP or a publicly resolvable DNS hostname. Members of backend pools can be across zones, regions, or even outside of Azure as long as they have public connectivity.

https://learn.microsoft.com/en-us/azure/frontdoor/front-door-faq

D - Looks to be the best answer https://learn.microsoft.com/en-us/azure/frontdoor/health-probes b - Application load balancer is only for in-region connectivity. - incorrect

VMs are in different regions so only FrontDoor