Which two actions should you perform?

You need to implement network security to meet the security requirements and the performance requirements.

Which two actions should you perform? Each correct answer presents a complete solution. NOTE: Each correct selection is worth one point.

A. Deploy two Azure Firewall instances and Azure Firewall Manager.

B. Filter traffic by using outbound rules.

C. Filter traffic by using infrastructure rules.

D. Filter traffic by using inbound rules.

E. Deploy a network security group (NSG) and two application security groups.

F. Deploy an Azure Firewall instance and Azure Firewall Manager.

Answer: EF

Explanation:

The security requirements outlined in the case study specify the need to explicitly allow traffic between the Windows Virtual Desktop session hosts and Microsoft 365, as well as between the Windows Virtual Desktop session hosts and the Windows Virtual Desktop infrastructure. The performance requirements emphasize minimizing administrative effort to manage network security and employing the principle of least privilege.

Considering these requirements, the two actions that should be performed are:

E. Deploy a network security group (NSG) and two application security groups.

F. Deploy an Azure Firewall instance and Azure Firewall Manager.

Here’s the rationale for each option:

A. Deploying two Azure Firewall instances and Azure Firewall Manager might be redundant and could potentially increase administrative effort and complexity without providing a clear benefit over a single instance, which is generally sufficient for most scenarios. Additionally, the principle of least privilege would not necessarily require two separate instances.

B. Filtering traffic using outbound rules is essential for controlling access to the internet and external services, but the requirements do not mention restricting outbound traffic. The focus is on allowing specific inbound traffic, so outbound rules are not directly related to the given requirements.

C. Filtering traffic using infrastructure rules is not a defined term in Azure network security. Infrastructure rules are not a specific type of rule that can be applied in Azure.

D. Filtering traffic using inbound rules would be part of the NSG configuration, but on its own, it does not constitute a complete solution for the specified security requirements.

E. Deploying a network security group (NSG) allows you to control access to and from Azure resources. Application security groups can be used within NSGs to apply the rules to a specific group of virtual machines, such as the Windows Virtual Desktop session hosts. This setup can help to minimize the administrative effort by grouping similar types of traffic and applying security rules to them, adhering to the principle of least privilege.

F. Deploying an Azure Firewall instance provides a managed, cloud-based network security service that protects Azure Virtual Network resources. Azure Firewall Manager is a security management service that provides central security policy and route management for cloud-based security perimeters. With Azure Firewall and Azure Firewall Manager, you can manage and log all traffic in a centralized way, applying threat intelligence and filtering rules as needed, thus meeting the security requirements.

Therefore, the recommended actions to meet the security and performance requirements would be options E and F.

Latest AZ-140 Dumps Valid Version with 53 Q&As
