Microsoft Azure Solutions Architect Expert AZ-305 Practice Question
Contoso runs multiple workloads in Azure using a hub-and-spoke virtual network topology. All Internet-bound traffic from the spoke VNets currently exits directly through the default system routes. The security team now requires central egress filtering, threat-intelligence-based blocking, and outbound TLS traffic inspection, together with built-in high availability and centralized policy management through Azure Firewall Manager. Which solution should you recommend to meet these requirements with minimal operational overhead?
Enable Azure DDoS Protection Standard on every spoke VNet and continue using the default system routes for outbound traffic.
Create network security groups with egress deny rules for known malicious IP ranges and associate them with all subnets in the spoke VNets.
Deploy a third-party network virtual appliance (NVA) firewall in every spoke VNet and route outbound traffic through the local appliance.
Deploy Azure Firewall Premium in the hub VNet as a secured virtual hub and configure user-defined routes from each spoke VNet to send all Internet traffic through the firewall.
Azure Firewall Premium natively supports Layer 7 application and TLS inspection, threat-intelligence-based filtering, and URL/FQDN filtering for outbound traffic. When it is deployed in the hub VNet (or as a secured virtual hub) and the spokes use user-defined routes that force-tunnel Internet traffic to the hub, the organization gains a single, centrally managed egress point. Azure Firewall is a fully managed, highly available service and integrates directly with Azure Firewall Manager for centralized policy administration.
Enabling Azure DDoS Protection Standard only guards against volumetric attacks; it does not provide egress filtering, threat-intelligence policies, or TLS inspection. Network security groups operate at layers 3-4, cannot inspect TLS, and lack threat-intelligence feeds, so they do not satisfy the requirements. Deploying third-party NVA firewalls in every spoke would meet most security needs but would increase operational complexity and cost while not providing the requested centralized management via Azure Firewall Manager.
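The recommended design only works if every spoke subnet actually has a 0.0.0.0/0 user-defined route pointing at the firewall. The following audit is an added example, not part of the original question; it assumes a hub VNet deployment, and the inventory shape, subnet names, and IP addresses are constructed for illustration (route fields mirror the ARM route properties `addressPrefix`, `nextHopType`, `nextHopIpAddress`).

```python
# Added example: inventory shape and all names/addresses are constructed.
FIREWALL_IP = "10.0.1.4"  # assumed private IP of the hub Azure Firewall

# Constructed inventory: one entry per spoke subnet with its user-defined routes.
SPOKE_SUBNETS = [
    {"subnet": "spoke1/app", "routes": [
        {"addressPrefix": "0.0.0.0/0", "nextHopType": "VirtualAppliance",
         "nextHopIpAddress": "10.0.1.4"}]},
    {"subnet": "spoke1/data", "routes": []},  # no UDR: system default route applies
    {"subnet": "spoke2/web", "routes": [
        {"addressPrefix": "0.0.0.0/0", "nextHopType": "Internet"}]},
    {"subnet": "spoke2/jobs", "routes": [
        {"addressPrefix": "0.0.0.0/0", "nextHopType": "VirtualAppliance",
         "nextHopIpAddress": "10.0.1.4"},
        {"addressPrefix": "203.0.113.0/24", "nextHopType": "Internet"}]},
    {"subnet": "spoke3/api", "routes": [
        {"addressPrefix": "0.0.0.0/0", "nextHopType": "VirtualAppliance",
         "nextHopIpAddress": "10.9.9.9"}]},
]


def audit_egress(subnets, firewall_ip):
    """Return {subnet: finding} for subnets whose Internet egress can skip the firewall."""
    findings = {}
    for entry in subnets:
        name, routes = entry["subnet"], entry.get("routes", [])
        default = [r for r in routes if r["addressPrefix"] == "0.0.0.0/0"]
        # A more specific Internet route wins by longest-prefix match and bypasses the hub.
        direct = [r["addressPrefix"] for r in routes
                  if r["nextHopType"] == "Internet" and r["addressPrefix"] != "0.0.0.0/0"]
        if not default:
            findings[name] = "no 0.0.0.0/0 UDR: default system route to Internet"
        elif default[0]["nextHopType"] != "VirtualAppliance":
            findings[name] = "0.0.0.0/0 next hop is " + default[0]["nextHopType"]
        elif default[0].get("nextHopIpAddress") != firewall_ip:
            findings[name] = "0.0.0.0/0 points at " + str(default[0].get("nextHopIpAddress"))
        elif direct:
            findings[name] = "direct Internet route(s): " + ", ".join(direct)
    return findings


if __name__ == "__main__":
    for subnet, finding in audit_egress(SPOKE_SUBNETS, FIREWALL_IP).items():
        print(f"{subnet}: {finding}")
```
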
Design infrastructure solutions