Q1

A financial services company is designing a network architecture in Azure to host a new algorithmic trading platform. A key requirement is to ensure that traffic from the application servers in one subnet (AppSubnet) is always inspected by a Network Virtual Appliance (NVA) before reaching the database servers in another subnet (DataSubnet) within the same VNet. Which of the following is the most effective way to enforce this traffic flow without altering the VNet's address space?

Q2

A retail company is expanding its e-commerce platform, which is hosted entirely in Azure. They have multiple VNets across several Azure regions (East US, West Europe, Southeast Asia). The security team requires a centralized method to manage and apply consistent firewall rules and security policies across all VNets, including those in a hub-and-spoke topology. Which Azure service is specifically designed to meet this requirement for centralized policy management and deployment of secured virtual hubs?

Q3

A media company uses Azure Application Gateway v2 to protect its web applications. To enhance security, a Web Application Firewall (WAF) policy has been implemented in Prevention mode. During a recent feature launch, legitimate users reported that their search queries containing special characters (e.g., 'O'Malley') are being blocked. A review of the WAF logs confirms that rule 942100 (SQL Injection Attack) from the OWASP 3.1 ruleset is being triggered. What is the most precise and secure method to resolve this issue while minimizing the attack surface?

Q4 (Multiple answers)

A manufacturing firm is migrating a legacy application to Azure. The application's backend consists of several virtual machines that do not have public IP addresses and must not be exposed to the internet. However, these VMs need to initiate outbound connections to the internet to download software updates from specific vendor websites. You need to provide a secure and scalable solution for this outbound connectivity. Which Azure service should you implement? (Select TWO that apply)

Q5

A healthcare provider is deploying an Azure SQL Database. Due to strict compliance requirements (HIPAA), all network traffic to the database must originate from their private virtual network and must never traverse the public internet. They also need to ensure that their on-premises data analysis tools can connect to the Azure SQL Database securely over an existing ExpressRoute connection. Which Azure networking feature should be implemented to meet these requirements?

Q6

An organization is deploying a multi-tier application in a single VNet with three subnets: Web, App, and Data. The security policy states that the Web subnet can communicate with the App subnet, and the App subnet can communicate with the Data subnet. However, direct communication from the Web subnet to the Data subnet must be explicitly blocked. Which is the most efficient way to implement this policy using Application Security Groups (ASGs)?

Q7

You are designing a hybrid connectivity solution for a company with a main office in New York and a branch office in London. Both offices need to connect to Azure resources located in the East US and UK South regions, respectively. A key requirement is that the on-premises network in London must be able to communicate directly with the on-premises network in New York over the Microsoft backbone to avoid traversing the public internet. Which ExpressRoute feature is specifically designed to enable this on-premises to on-premises connectivity?

Q8

True or False: When configuring a VNet peering between two virtual networks in different Azure regions (Global VNet Peering), the data transfer costs are the same as for peering within the same region.

Q9 (Multiple answers)

An administrator is troubleshooting a connectivity issue where a virtual machine (VM1) in VNetA cannot connect to another virtual machine (VM2) in VNetB on port 3389. The VNets are peered. Using Azure Network Watcher, the administrator runs an IP Flow Verify test from VM1 to VM2. The result indicates 'Access Denied'. What are the TWO most likely causes for this result? (Select TWO)

Q10

A university provides a custom application to its students, hosted on virtual machines in Azure. The application must be accessible from anywhere on the internet. To ensure high availability and optimal performance, instances of the application are deployed in two Azure regions: East US and West Europe. You need to configure a solution that directs users to the geographically closest region. If the application in the closest region becomes unavailable, users must be automatically redirected to the other healthy region. Which Azure service is the best fit for these requirements?