SC-100 Certification Practice Question #260

Question

You have an Azure subscription. The subscription contains multiple Azure App Service web apps that are distributed across multiple Azure regions and are accessed via the internet.

You need to ensure that all incoming requests to the apps are inspected for threats based on the Core Rule Set (CRS) from the Open Web Application Security Project (OWASP). The solution must meet the following requirements:

•	Support the use of Microsoft-managed X.509 certificates.
•	Route users to the geographically closest app.
•	Minimize administrative effort.

What should you use?

Accepted Answer

Only Azure Front Door satisfies all three requirements simultaneously. Front Door's WAF Default Rule Set is built on the OWASP CRS for threat inspection; its anycast architecture automatically routes each user to the closest Front Door PoP/origin; and it offers Front Door-managed (Microsoft-managed) X.509/TLS certificates, removing certificate lifecycle management to minimize admin effort. Application Gateway with WAF (D) also runs OWASP CRS but is a regional resource and cannot perform global geographic routing, so it fails the "closest app" requirement. Azure Firewall (A/C) is a network firewall with no WAF/OWASP inspection or geo-routing. The "A" votes are unsupported gut calls — DaddyHV even selected A while arguing entirely for Front Door B — so the Suggested Answer, Most Voted, and MS Learn all converge on B.

More SC-100 practice questions