AZ-303 Exam - Question 132

Question

HOTSPOT -You have an Azure subscription that contains the resources shown in the following table. You need to deploy a load-balancing solution for two Azure web apps named App1 and App2 to meet the following requirements:✑ App1 must support command injection protection. ✑ App2 must be able to use a static public IP address. ✑ App1 must have a Service Level Agreement (SLA) of 99. 99 percent. Which resource should you use as the load-balancing solution for each app? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Hot Area:.

Examice · Accepted Answer

Box 1: AGW1 -Azure Application Gateway offers a web application firewall (WAF) that provides centralized protection of your web applications from common exploits and vulnerabilities. Web applications are increasingly targeted by malicious attacks that exploit commonly known vulnerabilities. SQL injection and cross-site scripting are among the most common attacks. Box 2: ELB1 -Public IP addresses allow Internet resources to communicate inbound to Azure resources. Public IP addresses also enable Azure resources to communicate outbound to Internet and public-facing Azure services with an IP address assigned to the resource. Note: In Azure Resource Manager, a public IP address is a resource that has its own properties. Some of the resources you can associate a public IP address resource with are:✑ Virtual machine network interfaces✑ Internet-facing load balancers✑ VPN gateways✑ Application gatewaysReference:https://docs. microsoft. com/en-us/azure/application-gateway/waf-overview https://docs. microsoft. com/en-us/azure/virtual-network/virtual-network-ip-addresses-overview-arm.

Stephan99 · Answer

Answers are correct.
Source IP affinity. 
    This distribution mode is also known as session affinity or client IP affinity. 
    To map traffic to the available servers, the mode uses a two-tuple hash (from the source IP address and destination IP address) or three-tuple hash (from the source IP address, destination IP address, and protocol type). 
    The hash ensures that requests from a specific client are always sent to the same virtual machine behind the load balancer.

HDZ78 · Answer

So follow my train of thought for a moment:
- Load balancers have a knockout criterium, they only support VM's and VMSS's: https://docs.microsoft.com/en-us/azure/load-balancer/backend-pool-management
- AGW's have a max. SLA of 99.95%: https://azure.microsoft.com/en-in/support/legal/sla/application-gateway/v1_2/
- AFD also supports WAF + SLA 99.99%: https://azure.microsoft.com/en-in/support/legal/sla/frontdoor/v1_0/
- AGWv2 supports static public IP as of 2019: https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-autoscaling-zone-redundant

For App2 the answer is AGW2 since it is the only one compatible.
For App1 the answer should be AFD+WAF in a real world situation, but given the answers I would go for AGW1 since it specifically mentions having the WAF enabled.

HenryNguyen · Answer

App1 -> AGW1 has WAF support injection 
App2 -> AGW2 v2 support static IP ( ILB work in layer 4 and does not support webapp )

gpalsule · Answer

Tried in lab ... Box 1 -AGW1 and Box 2 - AGW2

azurecert2021 · Answer

question has typo App1 must have a Service Level Agreement (SLA) of 99.95 percent not 99.99

tteesstt · Answer

"You need to deploy a load-balancing solution for two ((((((((((((Azure web apps)))))))))))) named App1 and App2 to meet the following requirements:"

You cannot use Azure Web App with Internal/External Load Balancer.

RGP4d33 · Answer

Guys: It's actually an easier justification.
Answer 1 YES it's the WAF enabled one (no other one fits).

BUT ... regarding second one, the ApplicationGatewy coud not have a public endpoint: it could be a OutBound Gateway ... thus, could not be the correct answer... In the other way, the ELB the only one with a waranty of having a public external IP address, thus provided answer (ELB) for second one is the best one.

walkwolf3 · Answer

App1: AGW1
App2: AGW2

Only AGW or AFD could load balance Web(HTTP/HTTPs) type traffic

https://docs.microsoft.com/en-us/azure/architecture/guide/technology-choices/images/load-balancing-decision-tree.png

[Removed] · Answer

Correct answer:
 - AppGW1 - WAF offers protection from SQL injection
https://docs.microsoft.com/en-us/azure/application-gateway/features#web-application-firewall
 - AppGW2 - gateway Standard_v2 SKU supports static VIP type exclusively
https://docs.microsoft.com/en-us/azure/application-gateway/features#static-vip

LB is not option for WebApp- check flowchart:
https://docs.microsoft.com/en-us/azure/architecture/guide/technology-choices/load-balancing-overview#decision-tree-for-load-balancing-in-azure

Blimpy · Answer

im going to throw a curveball here:
the answer is AGW2 for both apps.. it fits all the requirements AND multiple apps can be behind an 1 Application Gateway

the reason is it asking for 99.99% is because it expects to be zone redundant - AGW2 is v2 to support Availability Zones

AGW2 (v2 sku) also supports static IP Address and WAF is built in

arunpaul · Answer

AGW2 (v2 sku) is zone redundant eligible for 99.99% SLA. So the solution that meets both SQL injection protection and high availability for App1 is AGW2. Both AGW_v2 and LB offers static Ip; but LB works at OSI layer 4 which is a faster solution than AGWs that works at OSi layer 7; Obviously the for App2 LB is the preferred choice

venkynalla · Answer

For AGW1, I could not find SLA of 99.99%. The MAX is 99.95 with 2 or more medium or large instances.
Load Balancer does not support Azure Web App. So answer to second question is AGW2, which support Azure Web App and can have a static VIP.

QiangQiang · Answer

I believe there is a typo in the question. It should be like this:
✑ App1 must support command injection protection.
✑ App2 must be able to use a static IP address.
✑ App2 must have a Service Level Agreement (SLA) of 99.99 percent.
Then all makes sense. App1-AGW1, App2-AGW_V2

syu31svc · Answer

Azure Web Application Firewall (WAF) on Azure Application Gateway provides centralized protection of your web applications from common exploits and vulnerabilities. Web applications are increasingly targeted by malicious attacks that exploit commonly known vulnerabilities. SQL injection and cross-site scripting are among the most common attacks. Protection against other common web attacks, such as command injection, HTTP request smuggling, HTTP response splitting, and remote file inclusion

https://docs.microsoft.com/en-us/azure/web-application-firewall/ag/ag-overview

Load Balanced Endpoint using Azure Standard Load Balancer, serving two or more Healthy Virtual Machine Instances, will be available 99.99% of the time. You can assign public IP address.

https://azure.microsoft.com/en-us/support/legal/sla/load-balancer/v1_0/

https://docs.microsoft.com/en-us/azure/load-balancer/quickstart-load-balancer-standard-public-portal?tabs=option-1-create-load-balancer-standard

Answer is correct

plmmsg · Answer

The second answer should be APGW2.

Stephan99 · Answer

Answers are correct.
Box2: Source IP affinity. 
    This distribution mode is also known as session affinity or client IP affinity. 
    To map traffic to the available servers, the mode uses a two-tuple hash (from the source IP address and destination IP address) or three-tuple hash (from the source IP address, destination IP address, and protocol type). 
    The hash ensures that requests from a specific client are always sent to the same virtual machine behind the load balancer.
https://docs.microsoft.com/en-us/learn/modules/improve-app-scalability-resiliency-with-load-balancer/3-public-load-balancer

MichaelCWWong · Answer

There's no Azure product named "External Load Balancer" but "Public Load Balancer"

dandirindan · Answer

https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-autoscaling-zone-redundant, v2 have static ip and app2 should be agw2, but im not sure about app1 since agw1 supports waf and injection support i think the answers should be app1-agw01, app2-agw02

nooranikhan · Answer

The point here is Azure web apps! Not a normal web application

demonite · Answer

App1 AGW2
App2 can be AGW2 or LB1 no specifics on costs so.

rsaintt · Answer

App1 SLA 99,99 : https://azure.microsoft.com/en-us/support/legal/sla/load-balancer/v1_0/
App2 standart_v2: supports  VIP Address: https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-autoscaling-zone-redundant#differences-from-v1-sku

erickim007 · Answer

Both should be APGW2
APGW2 support WAF with 99.99% SLA

APGW2 support static VIP. Static IP address not supported in V1.

ILB, and Public LB out because they are web app.

babyhu · Answer

this one explains when to use what, so for attack protection, use WAF, for Source IP Affinity, use Load balancer. a Public IP needs ELB. https://devblogs.microsoft.com/premier-developer/azure-load-balancing-solutions-a-guide-to-help-you-choose-the-correct-option/

AZ_Apprentice · Answer

Check the flow chart from the below link. The answer for App2 cannot be ELB. I believe it is AGW2,
https://docs.microsoft.com/en-us/azure/architecture/guide/technology-choices/load-balancing-overview

Kronos · Answer

Only the first answer is correct.  The question asks "what should you use as the load balancing solution for EACH APP"?  All the answers DO load balancing but to differentiate an Application Gateway vs Load Balancers---AG is a WEB traffic load balancer while LB distributes load across a group of resources or SERVERS.  Therefore LBs are not the answer.  Both ELB and AG can have public IP addresses AGW2 just fulfills the needed requirement for App2.  So the correct answers are AGW1 for App1 and AGW2 for App2.

AmitRoy · Answer

This is ambiguous.
1. Command injection can be protected by App GW.
2. Static IP can be provided by LB and APP GW v2.
3. LB with Avaibility Zone ensures 99.99% SLA. App GW ensures 99.95% SLA.
So for App2, none of the options fit. Any other idea?

Cloud_Genie · Answer

If command injection protection is needed, why are you guys not choosing AGW1? AGW1 has WAF enabled while AGW2 doesn't. So shouldn't we choose AGW1? Thanks!!

nooranikhan · Answer

How do you allow Azure webapps to be loadbalanced? There is no other option except for APP GATEWAY

erickim007 · Answer

The answer should be both APGW2.
For 1, because of SLA & also APGW2 comes with WAF configuration which we can enable to support injection protection.
For 2, web app and likely we would not use LB. APGW2 provides static IP not V1.

JustinWilliamAndrew · Answer

It did not say WAF v2 SKUs only Standard V2 SKU.  So AGW2 has no WAF

Thisismynickname001 · Answer

The question asks for a solution to two Azure web apps. Load Balancer does not support Azure web app.

HarryZ · Answer

Does Application Gateway support static IP?
Yes, the Application Gateway v2 SKU supports static public IP addresses and static internal IPs. The v1 SKU supports static internal IPs.

https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-faq

so the 2nd question is application gateway standard-v2

jmay · Answer

App1: needs injection prevention, so it needs a WAF. So AGW1 is adequate.
App2: Needs static IP, which is supported by both standard_v2 Application Gateway and ELB. But it further specifies 99.99% availability, so it can only be ELB as standard_v2 AGW has only 99.95% availability.
Given answers are correct.

AZ-303 Exam - Question 132

Discussion