SC-100 Question #45: Real Exam Question with Answer & Explanation

Question

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen. You are designing a security strategy for providing access to Azure App Service web apps through an Azure Front Door instance. You need to recommend a solution to ensure that the web apps only allow access through the Front Door instance. Solution: You recommend access restrictions to allow traffic from the backend IP address of the Front Door instance. Does this meet the goal?

Options

• AYes
• BNo

Explanation

{"question_number": 5, "correct_answer": "B", "explanation": "The answer is No - using the backend IP address of the Front Door instance is not a reliable solution. Azure Front Door is a globally distributed anycast service that uses a large and dynamic range of IP addresses across many points of presence worldwide. There is no single static 'backend IP address' to whitelist. Restricting App Service access based on a specific IP address would either fail to capture all legitimate Front Door traffic or require maintaining an unmanageable list of IPs. The correct approach is to use the AzureFrontDoor.Backend service tag, or to validate the X-Azure-FDID request header to confirm traffic originated from a specific Front Door instance.", "generated_by": "claude-sonnet", "llm_judge_score": 4}

No community discussion yet for this question.