You are designing a virtual network architecture for a large organization that requires isolation between business units while maintaining controlled communication. How should you structure the network?

  1. Multiple VNets with VNet peering and Network Virtual Appliance (NVA) for controlled routing ✓
  2. Single VNet with multiple subnets and network security groups
  3. Single VNet with separate resource groups for each business unit
  4. Multiple VNets with ExpressRoute connections only

Correct answer: Multiple VNets with VNet peering and Network Virtual Appliance (NVA) for controlled routing

Option 1 is correct because using multiple VNets with VNet peering and a Network Virtual Appliance (NVA) provides both isolation between business units (each in its own VNet) and controlled, inspectable routing through the NVA, which can enforce firewall rules and segmentation policies. Option 2 is incorrect because a single VNet with subnets and NSGs provides only network-layer filtering, not true isolation; subnets in the same VNet share the same address space and routing domain, making strong isolation harder to enforce. Option 3 is incorrect because separate resource groups within a single VNet are an administrative concept only and do not affect network traffic flow or provide any network isolation between business units. Option 4 is incorrect because ExpressRoute is a dedicated private connectivity solution to on-premises networks, not a mechanism for controlling intra-Azure VNet-to-VNet routing or enforcing traffic inspection between business units.

Topic: vnet peering, network virtual appliance, azure networking, network isolation
