Free Microsoft Azure AZ-700 Actual Exam Questions - Question 11 Discussion

You need to configure FW1 to filter traffic that originates from VNet1 and targets the FQDN of SQLDB1. Which type of rule should you use?
B, since only application rules let you filter traffic by FQDN directly.
It’s B. Application rules are designed to filter based on FQDNs, which fits perfectly since you need to filter traffic targeting SQLDB1 by its domain name. Network rules generally filter by IPs and ports, so they won’t work well here for FQDN filtering. Plus, DNAT is for inbound translation, not filtering outbound traffic by domain. Infrastructure rules aren’t related to this scenario either. So even if the SKU isn’t specified, the question’s focus on FQDN strongly points to application rules.
Since the goal is filtering by FQDN, DNAT (C) and infrastructure (A) rules don’t really apply here—they’re for different purposes. Does the question give any hints about firewall capabilities to confirm app rules?
C imo, DNAT rules are mainly for inbound traffic translation, not filtering based on FQDN. Since the goal is to filter outgoing traffic from VNet1 to SQLDB1's FQDN, DNAT doesn’t fit here.
It’s D. Application rules are great for FQDN, but they require the Premium SKU, which isn’t mentioned here. Network rules can filter traffic between VNets and support IP-based filtering, so they’re more generally applicable. Since the question doesn’t specify the SKU, safer to go with network rules for filtering here. Plus, DNAT (C) is for inbound NAT scenarios, and infrastructure rules (A) don’t fit this case at all.
Makes sense to pick B here since application rules are designed for FQDN filtering, unlike network rules which focus on IPs. So, I’d go with B.
Option B, since application rules handle FQDN filtering better than network rules.
B