Your organization needs to implement a hub-and-spoke network topology in Azure with centralized security controls. What components are essential for this architecture?

  1. Hub load balancer and spoke databases with synchronous replication
  2. Hub App Service, spoke storage accounts, and Azure Front Door
  3. Hub VNet with centralized firewall, spoke VNets connected via peering, and route tables for traffic routing ✓
  4. Hub VNet gateway and spoke VNets with direct internet connectivity

Correct answer: Hub VNet with centralized firewall, spoke VNets connected via peering, and route tables for traffic routing

Option C is correct because a hub-and-spoke topology in Azure requires a central hub Virtual Network hosting a shared Azure Firewall or NVA for centralized security inspection, spoke VNets connected to the hub via VNet peering, and User Defined Routes (route tables) to force spoke traffic through the hub firewall rather than allowing direct spoke-to-spoke or spoke-to-internet paths. Option A is incorrect because placing load balancers and databases in this configuration does not create centralized security controls, and synchronous cross-VNet database replication is not a topological component. Option B is incorrect because App Service and storage accounts are application-layer services, not the network infrastructure components that define hub-and-spoke topology. Option D is incorrect because spoke VNets with direct internet connectivity would bypass the centralized security controls that are the primary reason for choosing hub-and-spoke.

Topic: · hub-and-spoke, azure networking, azure firewall, vnet peering

Practice Microsoft Azure Solutions Architect (AZ-305) Questions Free