
Technical Lab: Select an Appropriate Azure Firewall SKU

Questions

Question 1 — Multiple Choice

A financial services company needs to deploy a centralized firewall in a hub-and-spoke topology on Azure. The requirements identified are:

  • TLS inspection
  • URL filtering with web categories
  • Integration with Microsoft Threat Intelligence in alert and block mode
  • Support for at least 30 Gbps of peak throughput

Which Azure Firewall SKU meets all these requirements?

A) Azure Firewall Basic, as it supports Threat Intelligence and URL filtering by default.

B) Azure Firewall Standard, as it includes all the listed functionalities from the standard tier.

C) Azure Firewall Premium, as TLS inspection and URL filtering with categories are exclusive features of this tier.

D) Azure Firewall Standard with an associated Premium tier Firewall Manager policy, which unlocks advanced functionalities without additional SKU cost.


Question 2 — Technical Scenario

An organization has been using Azure Firewall Standard in production for two years. The security team has identified the need to inspect encrypted HTTPS traffic leaving internal VMs toward the internet, to detect data exfiltration and malware in encrypted connections.

The architect evaluates whether it's possible to enable this functionality without replacing the existing firewall.

What is the correct conclusion?

A) It's possible to enable TLS inspection on Azure Firewall Standard via Azure Firewall Policy, without the need to migrate to another SKU.

B) TLS inspection is not available in any Azure Firewall SKU; this feature requires deploying a third-party Network Virtual Appliance (NVA).

C) Migration to Azure Firewall Premium is necessary, as TLS inspection is an exclusive feature of this SKU and cannot be enabled on Standard.

D) It's possible to enable partial TLS inspection on Standard by associating an Application Gateway with WAF in front of the Azure Firewall, without changing SKUs.


Question 3 — True or False

Azure Firewall Basic supports deployment in hub-and-spoke topologies managed by Azure Virtual WAN and can be associated with Firewall Manager policies, being suitable for medium-sized corporate environments with throughput requirements above 10 Gbps.

True or False?


Question 4 — Technical Scenario

A startup with modest infrastructure on Azure needs basic firewall protection to filter network traffic across two development VNets. The requirements are simple:

  • Basic network and application rules
  • Threat Intelligence in alert mode (not blocking)
  • Reduced operational cost
  • No need for high availability with availability zones

The team considers the following options:

Option 1: Azure Firewall Basic
Option 2: Azure Firewall Standard with minimum auto-scaling
Option 3: Azure Firewall Premium with associated Basic policy

Which option represents the best alignment between cost and functional requirement?

A) Option 2, as Standard offers more flexibility for future growth without significant additional cost compared to Basic.

B) Option 3, as using a Basic policy on a Premium SKU reduces Premium costs to Basic level.

C) Option 1, as Azure Firewall Basic was designed exactly for scenarios of lower complexity and cost, covering network rules, application rules, and Threat Intelligence in alert mode.

D) Option 2, as Azure Firewall Basic doesn't support application rules, only network rules.


Question 5 — Multiple Choice

When comparing the three Azure Firewall SKUs regarding their IDPS (Intrusion Detection and Prevention System) capabilities, which statement is correct?

A) IDPS is available in Standard and Premium SKUs, operating only in detection mode in Standard and in detection and prevention mode in Premium.

B) IDPS is an exclusive feature of Azure Firewall Premium and is not available in Basic and Standard SKUs.

C) IDPS is available in all Azure Firewall SKUs, but the number of threat signatures available increases progressively from Basic to Premium.

D) IDPS in Azure Firewall Premium operates only in alert mode by default and requires manual configuration to enable blocking mode by threat category.


Answer Key and Explanations

Answer Key — Question 1

Answer: C

TLS inspection and URL filtering with web categories are exclusive features of Azure Firewall Premium. Standard offers FQDN filtering and Threat Intelligence, but doesn't support TLS traffic decryption and re-inspection or granular URL categorization. The 30 Gbps throughput requirement is also covered by Premium, which supports up to 100 Gbps with scaling.

Alternative A is wrong: Basic supports Threat Intelligence only in alert mode and doesn't have URL filtering with categories. Alternative B is wrong because Standard doesn't include TLS inspection. Alternative D represents a common misconception: the Firewall Manager policy tier doesn't elevate the firewall SKU capabilities; advanced functionalities depend on the firewall resource SKU, not the associated policy.


Answer Key — Question 2

Answer: C

TLS inspection is a feature architecturally tied to Azure Firewall Premium. It requires the firewall to act as an intermediary proxy in TLS connections, demanding processing and certificate-handling capabilities that are not present in Standard. There's no mechanism, partial or policy-based, that grants this functionality to Standard.

Alternative A is wrong because no policy configuration unlocks TLS inspection in Standard. Alternative B is incorrect: TLS inspection is natively supported by Premium, without needing an NVA. Alternative D describes a technically possible architecture, but it doesn't equate to TLS inspection in the firewall itself: Application Gateway with WAF inspects inbound traffic, not outbound traffic initiated by internal VMs.


Answer Key — Question 3

Answer: False

Azure Firewall Basic has important limitations that make it unsuitable for the described scenarios. First, it doesn't support deployment in topologies managed by Azure Virtual WAN. Second, the Basic maximum throughput is 250 Mbps, well below the hypothetical 10 Gbps requirement mentioned in the statement. Basic was designed for small environments with simple requirements, not for medium-sized corporate environments.

The non-obvious point here is the Virtual WAN integration limitation: many professionals assume that any Azure Firewall SKU can be used in any topology, but Basic has explicit deployment restrictions that exclude it from hub-and-spoke scenarios with Virtual WAN.


Answer Key — Question 4

Answer: C

Azure Firewall Basic was created specifically for scenarios of lower complexity and cost. It supports network rules, application rules, and Threat Intelligence in alert mode, covering all listed requirements. Its pricing model is significantly lower than Standard, making it the most efficient choice for the described context.

Alternative A overestimates the cost difference and ignores that Basic already covers the described functional requirements. Alternative B is incorrect: associating a Basic policy with a Premium SKU doesn't reduce the firewall cost; billing is for the deployed firewall resource, regardless of the policy tier. Alternative D is wrong: Azure Firewall Basic fully supports application rules, which is one of its documented capabilities.


Answer Key — Question 5

Answer: B

IDPS is an exclusive feature of Azure Firewall Premium. It allows detecting and blocking malicious traffic patterns based on a set of signatures managed by Microsoft, operating in alert mode, alert and block mode, or disabled by threat category. Basic and Standard SKUs don't offer IDPS in any form.

Alternative A is wrong because Standard doesn't have IDPS in any mode. Alternative C is wrong for the same reason: there's no signature graduation between SKUs, as only Premium has IDPS. Alternative D correctly describes the IDPS configuration behavior in Premium regarding operation modes, but errs in stating that alert mode is the default: the default behavior depends on policy configuration, and the mode can be defined by threat category individually. Alternative B is the only technically accurate statement about the feature availability.
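The selection logic behind the five answers, written out as an added example (not part of the original lab and not Microsoft tooling). The requirement names are hypothetical labels; the Basic and Premium rows use the figures stated in the answer key, while the Standard row (30 Gbps, block mode, Virtual WAN support) is an assumption.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Sku:
    name: str
    max_gbps: float      # peak throughput ceiling
    ti_block: bool       # Threat Intelligence in alert-and-block mode
    virtual_wan: bool    # deployable in a Virtual WAN managed hub
    premium: bool        # TLS inspection, URL categories, IDPS

# Cheapest first. Basic and Premium values come from the answer key above;
# the Standard row is an assumption, not stated on the page.
SKUS = (
    Sku("Basic", 0.25, False, False, False),
    Sku("Standard", 30.0, True, True, False),
    Sku("Premium", 100.0, True, True, True),
)
BY_NAME = {s.name: s for s in SKUS}

BASELINE = {"network_rules", "application_rules", "ti_alert"}  # every SKU
PREMIUM_ONLY = {"tls_inspection", "url_categories", "idps"}
KNOWN = BASELINE | PREMIUM_ONLY | {"ti_block", "virtual_wan"}

def gaps(sku, needs, peak_gbps=0.0):
    """Return the sorted list of requirements this SKU cannot meet."""
    unknown = set(needs) - KNOWN
    if unknown:
        # Fail loudly on a typo instead of silently treating it as satisfied.
        raise ValueError(f"unknown requirement(s): {sorted(unknown)}")
    missing = set()
    if not sku.premium:
        missing |= set(needs) & PREMIUM_ONLY
    if "ti_block" in needs and not sku.ti_block:
        missing.add("ti_block")
    if "virtual_wan" in needs and not sku.virtual_wan:
        missing.add("virtual_wan")
    if peak_gbps > sku.max_gbps:
        missing.add(f"throughput>{sku.max_gbps}Gbps")
    return sorted(missing)

def pick_sku(needs, peak_gbps=0.0):
    """Return the cheapest SKU name with no gaps, or None if none fits."""
    for sku in SKUS:
        if not gaps(sku, needs, peak_gbps):
            return sku.name
    return None
```

The policy tier is deliberately not an input: as the explanations for Questions 1 and 4 state, capabilities and billing follow the firewall resource SKU.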