You want to centralize network security for multiple Azure virtual networks (VNets) in your organization using Azure Firewall. Which architecture best supports this goal while minimizing management overhead?
Think about a hub-and-spoke model to centralize security controls.
Option A describes the hub-and-spoke architecture: a single Azure Firewall is deployed in the AzureFirewallSubnet of a hub VNet, each spoke VNet is peered to the hub, and user-defined routes on the spoke subnets send traffic (typically 0.0.0.0/0 with next hop type Virtual Appliance) to the firewall's private IP. One firewall and one rule set then govern all spokes, which centralizes security management and keeps overhead low compared with a firewall per VNet.
You configure an Azure Firewall network rule to allow outbound HTTPS traffic to a specific IP range. Which of the following rule configurations correctly allows TCP traffic on port 443 to IP range 192.168.1.0/24?
Remember HTTPS uses TCP port 443 and the destination IP should be the allowed range.
Option B correctly specifies protocol TCP, any source address, destination address range 192.168.1.0/24 and destination port 443. Network rules match on protocol, source, destination IP and destination port only (FQDN-based HTTPS filtering belongs in an application rule), so selecting protocol Any or putting 443 in the source port field would not express this intent.
You enable Threat Intelligence-based filtering on Azure Firewall with the mode set to 'Alert'. What is the expected behavior when traffic matches a known malicious IP or domain?
Consider what 'Alert' mode means for threat intelligence in Azure Firewall.
In 'Alert' mode (shown in the portal as 'Alert only'), Azure Firewall logs an alert when the source or destination matches a known malicious IP or domain from Microsoft's threat intelligence feed but does not block the traffic on that basis; the packet continues through normal rule processing. Choosing 'Deny' ('Alert and deny') would both log and block the match, and 'Off' disables the feature.
Which Azure service must you configure to collect and analyze Azure Firewall logs for traffic and threat intelligence alerts?
Think about where logs are stored and analyzed in Azure.
You enable a diagnostic setting on the firewall that sends its logs and metrics to a Log Analytics workspace, the store behind Azure Monitor Logs. With resource-specific (dedicated) tables, rule hits and threat intelligence alerts land in tables such as AZFWNetworkRule, AZFWApplicationRule and AZFWThreatIntel and are queried with KQL; the legacy mode writes everything to the AzureDiagnostics table.
You want to ensure your Azure Firewall deployment is highly available and resilient to zone failures. Which configuration meets this requirement?
Consider Azure Firewall's built-in zone redundancy feature.
Selecting two or three availability zones when the firewall is deployed places Azure Firewall instances across those zones, so the loss of a zone does not take the firewall down and the SLA rises from 99.95% to 99.99%. The firewall's public IP must be a Standard SKU zone-redundant address for the deployment to be fully zone-resilient.
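As an added example that is not part of the original quiz, the Bicep template below ties the five answers above into one deployment: a zone-redundant Azure Firewall in the hub VNet with threat intelligence in Alert mode, the TCP/443 network rule to 192.168.1.0/24, a spoke route table that forces egress through the firewall, and a diagnostic setting that ships the logs to a Log Analytics workspace. The resource names and the pre-existing hub VNet (with its AzureFirewallSubnet), spoke VNet peering and workspace are assumptions made for illustration.

```bicep
// Added example: one Bicep deployment combining the controls discussed on this page.
// Assumed to exist already in the target resource group: a hub VNet with an
// AzureFirewallSubnet (/26), a spoke VNet peered to it, and a Log Analytics workspace.
param location string = resourceGroup().location
param hubVnetName string = 'hub-vnet'      // assumed existing hub VNet
param workspaceName string = 'law-sec'     // assumed existing Log Analytics workspace
param partnerRange string = '192.168.1.0/24'

resource hubVnet 'Microsoft.Network/virtualNetworks@2023-09-01' existing = {
  name: hubVnetName
}

resource law 'Microsoft.OperationalInsights/workspaces@2022-10-01' existing = {
  name: workspaceName
}

// Standard SKU, zone-redundant public IP: a zonal or Basic IP would undo the firewall's zone redundancy.
resource fwPip 'Microsoft.Network/publicIPAddresses@2023-09-01' = {
  name: 'pip-azfw-hub'
  location: location
  sku: { name: 'Standard' }
  zones: [ '1', '2', '3' ]
  properties: { publicIPAllocationMethod: 'Static' }
}

resource firewall 'Microsoft.Network/azureFirewalls@2023-09-01' = {
  name: 'azfw-hub'
  location: location
  zones: [ '1', '2', '3' ]          // instances spread across all three zones (99.99% SLA)
  properties: {
    sku: { name: 'AZFW_VNet', tier: 'Standard' }
    threatIntelMode: 'Alert'        // 'Alert' = log matches only; 'Deny' also blocks; 'Off' disables
    ipConfigurations: [
      {
        name: 'fw-ipconfig'
        properties: {
          subnet: { id: '${hubVnet.id}/subnets/AzureFirewallSubnet' }
          publicIPAddress: { id: fwPip.id }
        }
      }
    ]
    networkRuleCollections: [
      {
        name: 'allow-https-out'
        properties: {
          priority: 200             // lower number is evaluated first (valid range 100-65000)
          action: { type: 'Allow' }
          rules: [
            {
              name: 'https-to-partner-range'
              protocols: [ 'TCP' ]              // HTTPS rides on TCP; 'Any' would also admit UDP and ICMP
              sourceAddresses: [ '*' ]          // any source; tighten to spoke prefixes in production
              destinationAddresses: [ partnerRange ]
              destinationPorts: [ '443' ]       // destination port, not source port
            }
          ]
        }
      }
    ]
  }
}

// Spoke route table: default route with the firewall's private IP as next hop, so every
// spoke subnet this table is attached to sends its egress through the hub firewall.
resource spokeRt 'Microsoft.Network/routeTables@2023-09-01' = {
  name: 'rt-spoke-via-azfw'
  location: location
  properties: {
    disableBgpRoutePropagation: true   // stop learned on-prem routes from bypassing the firewall
    routes: [
      {
        name: 'default-to-firewall'
        properties: {
          addressPrefix: '0.0.0.0/0'
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: firewall.properties.ipConfigurations[0].properties.privateIPAddress
        }
      }
    ]
  }
}

// Ship firewall logs and metrics to the workspace as resource-specific tables
// (AZFWNetworkRule, AZFWApplicationRule, AZFWThreatIntel, ...) instead of AzureDiagnostics.
resource fwDiag 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  name: 'azfw-to-law'
  scope: firewall
  properties: {
    workspaceId: law.id
    logAnalyticsDestinationType: 'Dedicated'
    logs: [ { categoryGroup: 'allLogs', enabled: true } ]
    metrics: [ { category: 'AllMetrics', enabled: true } ]
  }
}

output firewallPrivateIp string = firewall.properties.ipConfigurations[0].properties.privateIPAddress
output spokeRouteTableId string = spokeRt.id   // attach to each spoke subnet via routeTable: { id: ... }
```

Deploy it with `az deployment group create --resource-group <rg> --template-file main.bicep`, then associate the output route table with each spoke subnet that should egress through the hub. The rules are written as classic rule collections on the firewall to match the quiz; the same rule expressed in an Azure Firewall Policy can be attached to several firewalls through Azure Firewall Manager, which is the lower-overhead option once more than one hub exists.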