A company is implementing a Zero Trust network strategy using Azure Virtual Network Manager (AVNM). They need to ensure that all traffic between virtual networks is encrypted and inspected by a firewall. Which configuration should they use?
Hub-and-spoke with firewall ensures traffic is routed through the firewall for inspection.
Why this answer
In a Zero Trust network strategy, all traffic must be encrypted and inspected regardless of source. A hub-and-spoke topology with a firewall appliance in the hub forces all inter-VNet traffic through the firewall, enabling deep packet inspection and encryption enforcement. Azure Virtual Network Manager (AVNM) can deploy this topology and route traffic via the hub, ensuring no direct VNet-to-VNet communication bypasses inspection.
Exam trap
The trap here is that candidates often assume VNet peering with NSGs is sufficient for Zero Trust. NSGs cannot inspect or encrypt traffic, and peering itself does not enforce inspection, so only a hub-and-spoke topology with a firewall appliance in the hub can meet both the encryption and the inspection requirements.
How to eliminate wrong answers
Option A is wrong because VNet peering creates direct connectivity between VNets that is not encrypted by default, and network security groups (NSGs) only provide stateful filtering at Layers 3-4, not encryption or deep packet inspection. Option B is wrong because a mesh topology with direct connectivity between VNets lets traffic bypass any central inspection point, violating the Zero Trust requirement that all traffic be inspected. Option D is wrong because service endpoints provide private connectivity to Azure PaaS services over the Microsoft backbone; they do not encrypt or inspect traffic between VNets.