Filter Traffic Between Web Servers and Application Servers with Application Security Groups | Microsoft Azure Documentation

Filtering Traffic Between Web Servers and Application Servers

Question

You have an Azure virtual network that contains a subnet named Subnet1. Subnet1 contains 50 virtual machines. Twenty-five of the virtual machines are web servers and the other 25 are application servers.

You need to filter traffic between the web servers and the application servers by using application security groups.

Which additional resource should you provision?

Answers

A. Azure Firewall
B. A user-defined route
C. Azure Private Link
D. A network security group (NSG)

Correct answer: D

Explanations

Application security groups enable you to configure network security as a natural extension of an application's structure, allowing you to group virtual machines and define network security policies based on those groups.

You can filter network traffic inbound to and outbound from a virtual network subnet with a network security group.

https://docs.microsoft.com/en-us/azure/virtual-network/tutorial-filter-network-traffic

To filter traffic between the web servers and application servers in a subnet by using application security groups, you should provision a network security group (NSG). ASGs are only referenced as the source and destination of NSG security rules; on their own they enforce nothing, so the NSG is the additional resource required. Therefore, the correct answer is option D.

A network security group (NSG) is an Azure resource that provides network security for virtual networks. It contains a set of security rules that allow or deny inbound and outbound network traffic based on source and destination IP address, port, and protocol. NSGs can be associated with subnets or network interfaces to control the network traffic flowing in and out of virtual machines.

Application security groups (ASGs) are used to group virtual machines and provide a more natural way of grouping them based on the application they are running rather than their IP address or subnet. By using ASGs, you can group virtual machines regardless of their location within a virtual network or across multiple virtual networks.

To filter traffic between the web servers and application servers by using application security groups, you can create two application security groups: one for the web servers and one for the application servers. Then, you can create NSG rules that allow traffic between the two ASGs and deny traffic to all other virtual machines within the subnet.
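The two-ASG rule set described above, written as an Azure CLI script. This is an added example, not code from the original page or from Microsoft's documentation; the resource group, region, VNet, NSG and ASG names, the NIC and IP-configuration names, and the application port (8080) are all assumptions.

```shell
#!/usr/bin/env sh
# Added example (not from the original page). Assumed names: resource group rg1,
# region eastus, vnet1/Subnet1, ASGs asg-web and asg-app, NSG nsg-subnet1, an
# assumed app-tier port of 8080, and placeholder NIC names with ipconfig1.
set -eu

RG=${RG:-rg1}; LOC=${LOC:-eastus}; VNET=${VNET:-vnet1}; SUBNET=${SUBNET:-Subnet1}
APP_PORT=${APP_PORT:-8080}
WEB_NICS="web-vm01-nic web-vm02-nic"   # placeholder NICs for the web servers
APP_NICS="app-vm01-nic app-vm02-nic"   # placeholder NICs for the application servers

# Prints each command unless APPLY=1, so the plan can be reviewed before it changes anything.
az_cmd() { if [ "${APPLY:-0}" = 1 ]; then az "$@"; else printf 'az %s\n' "$*"; fi; }

configure_tier_filtering() {
  az_cmd network asg create -g "$RG" -n asg-web -l "$LOC"
  az_cmd network asg create -g "$RG" -n asg-app -l "$LOC"
  az_cmd network nsg create -g "$RG" -n nsg-subnet1 -l "$LOC"

  # Rule 100: only the web tier may reach the app tier, and only on the app port.
  az_cmd network nsg rule create -g "$RG" --nsg-name nsg-subnet1 -n Allow-Web-To-App \
    --priority 100 --direction Inbound --access Allow --protocol Tcp \
    --source-asgs asg-web --source-port-ranges '*' \
    --destination-asgs asg-app --destination-port-ranges "$APP_PORT"

  # Rule 200: every other source inside the VNet is denied reaching the app tier.
  # Lower priority numbers are evaluated first, so the allow above wins for web traffic.
  az_cmd network nsg rule create -g "$RG" --nsg-name nsg-subnet1 -n Deny-VNet-To-App \
    --priority 200 --direction Inbound --access Deny --protocol '*' \
    --source-address-prefixes VirtualNetwork --source-port-ranges '*' \
    --destination-asgs asg-app --destination-port-ranges '*'

  # The NSG is enforced at the subnet; ASG membership is set on each NIC's IP configuration.
  az_cmd network vnet subnet update -g "$RG" --vnet-name "$VNET" -n "$SUBNET" \
    --network-security-group nsg-subnet1
  for nic in $WEB_NICS; do
    az_cmd network nic ip-config update -g "$RG" --nic-name "$nic" -n ipconfig1 \
      --application-security-groups asg-web
  done
  for nic in $APP_NICS; do
    az_cmd network nic ip-config update -g "$RG" --nic-name "$nic" -n ipconfig1 \
      --application-security-groups asg-app
  done
}

configure_tier_filtering
```

Run it once without `APPLY` to review the generated commands, then with `APPLY=1` to execute them against the subscription the CLI is logged in to.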

Option A, Azure Firewall, is a managed, cloud-based network security service that provides advanced firewall capabilities for your Azure virtual network. Azure Firewall can be used to filter network traffic between Azure virtual networks or between Azure virtual networks and the internet.

Option B, a user-defined route, is a custom route that overrides the default routing table used by Azure. User-defined routes can be used to control traffic flow within a virtual network or between virtual networks.

Option C, Azure Private Link, is a service that allows you to access Azure services and your own private services over a private endpoint within your virtual network. Azure Private Link provides secure and private connectivity to services without the need for a public IP address.