A company is designing a hub-spoke network topology in Azure. The hub contains a third-party network virtual appliance (NVA) for inspection. Spokes need to communicate with each other, and all inter-spoke traffic must be routed through the NVA in the hub. Which configuration should they use?
- A. Set route tables on spoke subnets with a 0.0.0.0/0 route to the Internet
  Why wrong: This routes all outbound traffic to the internet, not through the hub NVA, and does not enforce inspection for inter-spoke traffic.
- B. Configure Azure Firewall in the hub with forced tunneling to on-premises
  Why wrong: Forced tunneling sends outbound traffic to on-premises, but it does not route inter-spoke traffic through the hub NVA.
- C. Create user-defined routes (UDRs) in each spoke subnet that force traffic to go through the hub NVA
  Correct. UDRs allow precise control of traffic routing; adding a route for the spoke address spaces with the NVA's IP as the next hop enforces inspection.
- D. Use VNet peering with gateway transit enabled
  Why wrong: Gateway transit allows spokes to use the hub's VPN/ExpressRoute gateway, but it does not force inter-spoke traffic through the NVA without additional UDRs.