A company is deploying a web application on Azure App Service. They need to guarantee that all traffic from the internet goes through a Web Application Firewall (WAF) before reaching the app. The solution must be cost-effective for a single application. Which Azure service should they place in front of the App Service?

Azure Front Door with WAF policy.

Azure Front Door is a global load balancer and application delivery network. It includes WAF, but it is designed for multi-region deployments and can be more expensive for a single-region application. Application Gateway is more appropriate here.

Azure Firewall with application rules.

Azure Firewall is a stateful firewall that can filter traffic based on FQDN (application rules), but it does not include a Web Application Firewall (WAF) to protect against OWASP top 10 vulnerabilities. It is not a substitute for a WAF.

Azure Traffic Manager.

Azure Traffic Manager is a DNS-based traffic load balancer. It does not have WAF capabilities and cannot inspect HTTP traffic. It simply routes DNS requests to different endpoints.

What does this AZ-305 question test?

Static NAT maps one inside address to one outside address.

What is the correct answer to this question?

The correct answer is: Azure Application Gateway with WAF. — Azure Application Gateway is a regional web traffic load balancer with built-in WAF capability. It is ideal for a single application in one region, providing Layer 7 routing, SSL termination, and WAF at a lower cost than a global solution. Azure Front Door is a global load balancer with WAF, but it is designed for multi-region deployments and comes with additional costs. Azure Firewall does not provide WAF features; it is a stateful firewall. Traffic Manager is a DNS-level load balancer without WAF.

What should I do if I get this AZ-305 question wrong?

Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.