Microsoft Certified: Azure Fundamentals (AZ-900) Practice Exam

Which solution does NOT meet the goal of filtering traffic based on IP addresses and protocols?

• A. Deploying and configuring Azure Firewall
• B. Deploying and configuring Web Application Firewall (WAF)
• C. Deploying and configuring a Network Security Group (NSG)
• D. Using Azure DDoS Protection

The correct answer is: Deploying and configuring Web Application Firewall (WAF)

The Web Application Firewall (WAF) is specifically designed to protect web applications by filtering, monitoring, and analyzing HTTP traffic. It focuses primarily on application-layer security, defending against common attacks such as SQL injection and cross-site scripting (XSS). WAFs generally operate at a higher level in the OSI model, meaning they are not intended for low-level IP and protocol filtering. Therefore, while WAF provides critical protection for web applications, it does not serve the purpose of filtering traffic based on IP addresses and protocols, which is essential for managing network security at lower levels. In contrast, Azure Firewall, Network Security Groups (NSGs), and Azure DDoS Protection do engage with IP addresses and protocols. Azure Firewall allows for both inbound and outbound traffic filtering based on IP addresses and protocols, making it suitable for policies that manage network traffic. Network Security Groups provide even more granular control over traffic to resources within a virtual network, allowing users to define rules based on specific IP address ranges and protocols as needed. Azure DDoS Protection helps to mitigate denial of service attacks but also ensures that legitimate traffic can flow based on the configurations tied to the network resources. Thus, filtering traffic based on IP addresses and protocols is well within the capabilities of Azure