Technical Lab: Choose an Appropriate Tier
Questions
Question 1 – Multiple Choice
A network team needs to publish an internal application accessible only by employees via site-to-site VPN. The requirement is to minimize operational costs, and the expected traffic is low volume, without the need for high availability guaranteed by SLA. Which Azure Load Balancer tier meets this scenario?
A) Standard Load Balancer, as it's the only one that supports balancing rules with backends in different virtual networks.
B) Basic Load Balancer, as it meets low-volume scenarios without required SLA and with reduced cost.
C) Gateway Load Balancer, as it integrates network virtual appliances and reduces latency in internal environments.
D) Standard Load Balancer with Regional SKU, as it's necessary for any scenario involving site-to-site VPN.
Question 2 – Technical Scenario
An architect is designing the connectivity of a solution with the following requirements:
- Connection between on-premises network and Azure with guaranteed bandwidth of 10 Gbps
- Predictable and consistent latency
- Traffic must not pass through the public internet
He evaluates two options:
Option A: VPN Gateway SKU VpnGw5
Option B: ExpressRoute with 10 Gbps circuit
After reviewing the requirements, the architect chooses Option B. What is the most accurate technical justification for this choice?
A) VPN Gateway VpnGw5 doesn't support bandwidth above 1 Gbps aggregate.
B) ExpressRoute offers private connectivity without traffic through the public internet, with dedicated bandwidth and predictable latency, characteristics that VPN Gateway doesn't structurally guarantee.
C) VPN Gateway is not compatible with site-to-site connections above 1 Gbps in any available SKU.
D) ExpressRoute is mandatory whenever the connection involves more than one on-premises environment.
Question 3 – True or False
Statement: Azure Firewall Premium can be used in place of Azure Firewall Standard without any configuration changes, as all Standard features are included in Premium and existing policies are fully compatible between both tiers.
True or False?
Question 4 – Technical Scenario
A company deploys an environment with multiple regional hubs connected via Virtual WAN. The security team requires inspection of east-west traffic between spoke VNets and also of north-south traffic to the internet. The network team asks which Virtual WAN tier should be used.
Consider the configuration excerpt below:
Virtual WAN Type: Basic
Secured Virtual Hub: Not supported
Routing Intent: Not available
What would be the direct consequence of maintaining the Basic type in this scenario?
A) Traffic between spokes will work normally, but Azure Firewall cannot be integrated to the hub.
B) Basic type supports Secured Virtual Hub, but doesn't allow configuring Routing Intent for east-west traffic.
C) Basic type doesn't support Secured Virtual Hub nor Routing Intent, making it impossible to centralize traffic inspection through Azure Firewall in the hub.
D) Basic type supports north-south traffic inspection, but requires a separate NVA for east-west traffic.
Question 5 – Multiple Choice
When designing a private DNS solution in Azure, an engineer needs to ensure name resolution between multiple VNets in different regions, without depending on custom DNS servers. Which combination of tier and configuration meets this requirement?
A) Azure DNS Public Zone linked to each VNet, with manual A records for each resource.
B) Azure Private DNS Zone with resolution links for each participating VNet, leveraging Azure's default resolver.
C) Azure DNS Resolver in Basic tier, configured with forwarding rules between regions.
D) Azure Private DNS Zone with a single registration link in a hub VNet, assuming peering automatically propagates resolution to the spokes.
Answer Key and Explanations
Answer Key – Question 1
Answer: B
The Basic Load Balancer was designed exactly for development, test, or internal low-volume workload scenarios where there's no formal SLA requirement. It has no additional cost and meets the described need.
The main misconception represented by the distractors is assuming that any production scenario, even internal and low-volume, requires the Standard SKU. Standard is mandatory when there's a need for 99.99% SLA, Availability Zone integration, or backends in distinct VNets. Gateway Load Balancer serves to chain network virtual appliances, not for simple internal balancing. Choosing Standard without necessity only increases operational cost without real benefit.
Answer Key – Question 2
Answer: B
ExpressRoute establishes private connectivity through a connectivity provider, without traffic traversing the public internet. Additionally, it offers dedicated bandwidth with SLA and predictable latency, structural characteristics that VPN Gateway cannot guarantee, as it operates over the public internet with IPsec encryption.
Distractor A is partially true in intention but technically incorrect: VpnGw5 supports up to approximately 10 Gbps in VNet-to-VNet mode. The determining point, however, is not bandwidth alone but the absence of internet transit and the latency guarantee. Distractor C is false. Distractor D confuses a topology requirement with a product tier requirement.
Answer Key – Question 3
Answer: False
Although Azure Firewall Premium includes all Standard features, the migration is not transparent. Premium introduces features like TLS inspection, IDPS, and URL categorization that require additional configurations. More importantly: Azure Firewall Standard policies are not automatically promoted to Premium without review. Depending on IDPS and TLS inspection configuration, existing rules may have different behavior or require adjustments to avoid improper blocking of legitimate traffic.
The conceptual error here is treating higher tiers as transparent substitutes for lower ones. In network security products, adding active inspection can alter observed behavior in traffic even without intentional policy changes.
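As an added illustration of the "additional configuration" point above (this is example code, not part of the original lab), the Bicep fragment below declares a Premium-tier firewall policy. The user-assigned identity, the Key Vault secret holding the intermediate CA, and all names are assumptions. It shows the two pieces a Standard policy never needed: TLS inspection depends on a CA certificate in Key Vault plus an identity that can read it, and IDPS is started in Alert mode so that signature hits on legitimate traffic can be reviewed before switching to Deny.

```bicep
// Added example, not from the original page. Names and IDs are assumptions.
param location string = 'eastus'   // assumed region
param fwIdentityId string          // assumed user-assigned identity with Key Vault read access
param caCertSecretId string        // assumed Key Vault secret ID of the intermediate CA (PFX)

resource policy 'Microsoft.Network/firewallPolicies@2023-05-01' = {
  name: 'fwpol-premium'            // assumed policy name
  location: location
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: { '${fwIdentityId}': {} }
  }
  properties: {
    sku: { tier: 'Premium' }
    threatIntelMode: 'Alert'

    // Premium-only: IDPS. Alert first, then move to 'Deny' after reviewing which
    // signatures legitimate traffic triggers, so existing rules keep behaving as before.
    intrusionDetection: {
      mode: 'Alert'
    }

    // Premium-only: TLS inspection. Requires the CA certificate above and the
    // identity to fetch it; without this block Premium behaves like Standard for TLS.
    transportSecurity: {
      certificateAuthority: {
        name: 'corp-intermediate-ca'   // assumed CA display name
        keyVaultSecretId: caCertSecretId
      }
    }
  }
}
```

Rules that reference TLS inspection or IDPS in application rule collections only take effect once these policy-level settings exist, which is why swapping the tier alone is not a configuration-free change.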
Answer Key – Question 4
Answer: C
The Virtual WAN Basic type only supports site-to-site VPN connectivity and doesn't allow creating Secured Virtual Hub (hub with integrated Azure Firewall) nor configuring Routing Intent, which is the mechanism responsible for directing all traffic through the centralized firewall in the hub.
Without these capabilities, it's impossible to centralize east-west and north-south inspection through Azure Firewall in the hub, which is exactly the scenario requirement. The Virtual WAN Standard type is necessary to enable this architecture. Distractors A, B, and D attribute partial capabilities to the Basic type that it simply doesn't have, a common misconception among those who confuse the limitations of the two types.
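As an added example (not code from the original lab), the Bicep fragment below declares the pieces the explanation names: a Virtual WAN of type Standard, a hub, an Azure Firewall deployed into that hub (a Secured Virtual Hub), and a Routing Intent that sends both private (east-west) and internet (north-south) traffic through the firewall. The region, address prefix, firewall policy ID and resource names are assumptions.

```bicep
// Added example, not from the original page. Values marked below are assumptions.
param location string = 'eastus'   // assumed region
param firewallPolicyId string      // assumed resource ID of an existing firewall policy

resource vwan 'Microsoft.Network/virtualWans@2023-05-01' = {
  name: 'vwan-corp'                // assumed name
  location: location
  properties: {
    type: 'Standard'               // Basic cannot host a Secured Virtual Hub or Routing Intent
  }
}

resource hub 'Microsoft.Network/virtualHubs@2023-05-01' = {
  name: 'hub-${location}'
  location: location
  properties: {
    virtualWan: { id: vwan.id }
    addressPrefix: '10.100.0.0/23' // constructed hub prefix
  }
}

// Azure Firewall in the hub: this is what makes the hub a Secured Virtual Hub.
resource fw 'Microsoft.Network/azureFirewalls@2023-05-01' = {
  name: 'azfw-hub-${location}'
  location: location
  properties: {
    sku: { name: 'AZFW_Hub', tier: 'Standard' }
    virtualHub: { id: hub.id }
    hubIPAddresses: { publicIPs: { count: 1 } }
    firewallPolicy: { id: firewallPolicyId }
  }
}

// Routing Intent: steer spoke-to-spoke and internet-bound traffic via the hub firewall.
resource intent 'Microsoft.Network/virtualHubs/routingIntent@2023-05-01' = {
  parent: hub
  name: 'hubRoutingIntent'         // assumed name
  properties: {
    routingPolicies: [
      { name: 'PrivateTraffic', destinations: [ 'PrivateTraffic' ], nextHop: fw.id } // east-west
      { name: 'PublicTraffic', destinations: [ 'Internet' ], nextHop: fw.id }        // north-south
    ]
  }
}
```

With `type: 'Basic'` on the virtual WAN, the `azureFirewalls` and `routingIntent` resources above have nothing valid to attach to, which is the concrete form of the consequence described in answer C.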
Answer Key – Question 5
Answer: B
The Azure Private DNS Zone with resolution links for each participating VNet is the correct approach. Each linked VNet can resolve private zone records using Azure's internal DNS resolver (address 168.63.129.16), without the need for custom DNS servers.
Distractor D represents a very common misconception: VNet peering does not automatically propagate Private DNS Zone resolution. Each VNet needs its own resolution link with the private zone. Distractor A uses public DNS, which doesn't serve for private resolution between VNets. Distractor C mentions Azure DNS Private Resolver, which is a valid solution for hybrid and conditional forwarding scenarios, but adds unnecessary complexity and cost when the requirement can be met with Private DNS Zone resolution links.
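As an added example (not code from the original lab), the Bicep fragment below expresses the correct design from answer B and the point made against distractor D: one Private DNS Zone, global by definition, with a separate virtual network link for every VNet that must resolve it, regardless of region or peering. The zone name, VNet IDs and record are assumptions.

```bicep
// Added example, not from the original page. Zone name and VNet IDs are assumptions.
param hubVnetId string          // assumed resource ID of the hub VNet
param spokeVnetIds array        // assumed resource IDs of spoke VNets, possibly in other regions

// Private DNS zones are always 'global'; they are not tied to a region.
resource zone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: 'corp.internal'         // assumed zone name
  location: 'global'
}

// Hub link with auto-registration: VMs in the hub get A records created for them.
// Only one registration link is allowed per VNet.
resource hubLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  parent: zone
  name: 'link-hub'
  location: 'global'
  properties: {
    registrationEnabled: true
    virtualNetwork: { id: hubVnetId }
  }
}

// One resolution link per spoke. Peering the spoke to the hub does NOT propagate
// resolution; a spoke without its own link cannot resolve corp.internal names.
resource spokeLinks 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = [for (vnetId, i) in spokeVnetIds: {
  parent: zone
  name: 'link-spoke-${i}'
  location: 'global'
  properties: {
    registrationEnabled: false  // resolution only
    virtualNetwork: { id: vnetId }
  }
}]

// A manually managed record, resolvable from every linked VNet via 168.63.129.16.
resource appRecord 'Microsoft.Network/privateDnsZones/A@2020-06-01' = {
  parent: zone
  name: 'app'                   // constructed: app.corp.internal
  properties: {
    ttl: 300
    aRecords: [ { ipv4Address: '10.10.1.4' } ] // constructed address
  }
}
```

A quick validation after deployment is to run `nslookup app.corp.internal` from a VM in each spoke using the default Azure-provided DNS; a spoke that was peered but never linked will fail to resolve, which is exactly the misconception in distractor D.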