Exam SC-100
Question 177

You need to recommend a strategy for routing internet-bound traffic from the landing zones. The solution must meet the landing zone requirements.

What should you recommend as part of the landing zone deployment?

    Correct Answer: B

    To route all internet-bound traffic from landing zones through Azure Firewall in a dedicated Azure subscription, the best solution is forced tunneling. Forced tunneling allows internet-bound traffic to be redirected to a designated network appliance for inspection and security, ensuring compliance with enterprise security policies. This approach ensures that all traffic is securely audited and inspected before accessing the internet, which aligns with the requirement to route traffic through Azure Firewall.

Discussion
PlumpyTumbler Option: C

https://docs.microsoft.com/en-us/learn/modules/configure-vnet-peering/5-determine-service-chaining-uses

ksksilva2022 Option: C

When you refer to https://learn.microsoft.com/en-us/training/modules/configure-vnet-peering/5-determine-service-chaining-uses the answer is there :)

cris_exam Option: C

Adding a UDR/s to force 0.0.0.0/0 (internet traffic or all traffic) to NVAs (or in our case AZFW) is what Service Chaining means.

OK2020 Option: B

The key is that traffic needs to be directed to an Azure FW to achieve the sought outcome. For this specific case a FW with Forced tunneling is the way to go according to the below links: https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/hub-spoke?toc=%2Fazure%2Fvirtual-network%2Ftoc.json&tabs=cli https://learn.microsoft.com/en-us/azure/firewall/forced-tunneling

cyber_sa Option: C

Got this in exam 6oct23. Passed with 896 marks. I answered C.

adamsca Option: B

Agreed with AnonymousJhb. The requirements talk about using Azure Firewall and that tips the scale for me. The requirements stated "Route all internet-bound traffic from landing zones through Azure Firewall in a dedicated Azure subscription." Kinda clear cut in my opinion.

Tanidanindo Option: C

Definitely not forced tunneling. Forced tunneling routes traffic from the firewall to a specified next hop device. This question is about the traffic being routed to the firewall from all vnets. Service chaining is correct.

KallMeDan Option: B

ChatGPT explanation for using Forced tunneling: According to the requirements for the landing zone architecture, all internet-bound traffic from landing zones should be routed through Azure Firewall in a dedicated Azure subscription. To meet this requirement, you can use forced tunneling which is a feature of Azure VPN gateways. Forced tunneling sends all traffic through the VPN tunnel, regardless of the destination address. This ensures that all traffic is subjected to the security provided by the VPN gateway. Service chaining is not the correct option because it is used to direct traffic from one virtual network to a virtual appliance, or virtual network gateway, in a peered virtual network, through another virtual appliance or virtual network gateway. It is not used for routing internet-bound traffic from landing zones through Azure Firewall in a dedicated Azure subscription. Forced tunneling is used to direct traffic from a virtual network to an on-premises location. However, it can also be used to route internet-bound traffic from landing zones through Azure Firewall in a dedicated Azure subscription.

besoaus Option: B

Answer is B. In a forced-tunneling scenario, all internet-bound traffic that originates on Azure virtual machines (VMs) is routed, or forced, to go through an inspection and auditing appliance. Unauthorized internet access can potentially lead to information disclosure or other types of security breaches without the traffic inspection or audit. https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/scenarios/azure-virtual-desktop/eslz-network-topology-and-connectivity

subratasen Option: C

Answer: C; Service chaining

Jonny_Cage Option: B

Forced tunneling is specifically about redirecting internet-bound traffic to on-premises for inspection and compliance reasons, which is often a requirement for landing zones in enterprises with stringent security policies.

XtraWest Option: C

service chaining

Arockia Option: B

Local network gateways (A) are not optimal for internet routing, and service chaining (C) adds unnecessary complexity and cost in this scenario. Therefore, the correct answer is B. forced tunneling

Murtuza Option: C

service chaining is the correct answer

slobav Option: C

Selected Answer: C https://www.youtube.com/watch?v=YJqZjdzC9xE&list=PLQ2ktTy9rklhzzkSEZvDZT4QSIVUQZD-Y&index=7 Question 96

theplaceholder Option: B

forced tunneling for me

zellck Option: B

B is the answer. https://learn.microsoft.com/en-us/azure/firewall/forced-tunneling

zellck

When you configure a new Azure Firewall, you can route all Internet-bound traffic to a designated next hop instead of going directly to the Internet. For example, you may have a default route advertised via BGP or using User Defined Route (UDR) to force traffic to an on-premises edge firewall or other network virtual appliance (NVA) to process network traffic before it's passed to the Internet. To support this configuration, you must create Azure Firewall with Forced Tunnel configuration enabled.

zellck

C should be the correct answer instead. https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview#service-chaining Service chaining enables you to direct traffic from one virtual network to a virtual appliance or gateway in a peered network through user-defined routes. To enable service chaining, configure user-defined routes that point to virtual machines in peered virtual networks as the next hop IP address. User-defined routes could also point to virtual network gateways to enable service chaining.
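
The routing behaviour discussed in this thread (a user-defined route for 0.0.0.0/0 whose next hop is a firewall in a peered hub network) can be checked with a small route-selection model. This is an added example, not part of any post above; the addresses, subnet names and dictionary field names are constructed for illustration, and the model covers only longest-prefix match plus the user-defined, BGP, system tie-break order.

```python
import ipaddress

# Azure picks the route with the longest matching prefix; on a tie the
# order is user-defined route, then BGP route, then system route.
# The source labels below are this example's own simplified names.
SOURCE_PRIORITY = {"User": 0, "BGP": 1, "Default": 2}

def effective_next_hop(routes, destination):
    """Return (next_hop_type, next_hop_ip) chosen for a destination IP."""
    dest = ipaddress.ip_address(destination)
    matches = [r for r in routes if dest in ipaddress.ip_network(r["prefix"])]
    if not matches:
        return ("None", None)
    best = min(matches, key=lambda r: (-ipaddress.ip_network(r["prefix"]).prefixlen,
                                       SOURCE_PRIORITY[r["source"]]))
    return (best["hop_type"], best.get("hop_ip"))

def bypasses_firewall(routes, firewall_ip, probe="203.0.113.10"):
    """True if internet-bound traffic from this subnet does not reach the firewall."""
    return effective_next_hop(routes, probe) != ("VirtualAppliance", firewall_ip)

# Constructed sample data: every address and name here is a placeholder.
FIREWALL_IP = "10.0.1.4"  # assumed private IP of the firewall in the hub VNet
SYSTEM_ROUTES = [
    {"prefix": "10.1.0.0/16", "source": "Default", "hop_type": "VnetLocal"},
    {"prefix": "10.0.0.0/16", "source": "Default", "hop_type": "VNetPeering"},
    {"prefix": "0.0.0.0/0", "source": "Default", "hop_type": "Internet"},
]
UDR_DEFAULT = {"prefix": "0.0.0.0/0", "source": "User",
               "hop_type": "VirtualAppliance", "hop_ip": FIREWALL_IP}

SUBNETS = {
    "spoke-app": SYSTEM_ROUTES + [UDR_DEFAULT],  # route table attached
    "spoke-db": SYSTEM_ROUTES,                   # route table missing
}

def audit(subnets, firewall_ip):
    """Names of subnets whose internet-bound traffic skips the firewall."""
    return sorted(n for n, r in subnets.items() if bypasses_firewall(r, firewall_ip))

if __name__ == "__main__":
    for name, routes in SUBNETS.items():
        print(name, effective_next_hop(routes, "203.0.113.10"))
    print("bypassing firewall:", audit(SUBNETS, FIREWALL_IP))
```

A subnet that lacks the user-defined default route falls back to the system `Internet` route, which is the gap an audit of landing-zone route tables should flag.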