Q: 9
Your company plans to deploy several Azure App Service web apps. The web apps will be deployed to
the West Europe Azure region. The web apps will be accessed only by customers in Europe and the
United States.
You need to recommend a solution to prevent malicious bots from scanning the web apps for
vulnerabilities. The solution must minimize the attack surface.
What should you include in the recommendation?
Options
Discussion
Makes sense to pick B. Only Azure Application Gateway WAF offers direct bot protection, not just geo filtering like D.
D is wrong, B. WAF gives you bot protection and targeted rules for this use case.
I don’t think it’s B. D could make sense since Traffic Manager and application security groups can restrict access based on geographic routing and segmentation, which might help reduce the overall attack surface. Not sure if it blocks bots directly but for geo-limiting plus reducing exposure, D seems reasonable here. Anyone else see a strong case for B outside of just bot filtering?
Wouldn't C (NSGs) only handle basic network traffic, not actual bot filtering?
Saw similar on a practice test, pretty sure B is expected. Check the official docs or Microsoft Learn modules too.
Yeah, for stopping bots from scanning web apps, B fits best. Azure Application Gateway WAF has built-in bot protection rules and lets you create custom rules for geo restrictions too. That actually addresses both blocking bots and limiting access by region, so pretty sure B is the most complete answer here. Anyone disagree?
I kinda see why D could work since Traffic Manager can route based on geography and ASGs help segment, so maybe that’s seen as reducing surface area? Doesn’t really block bots specifically but fits if they just want geo-filtering. Not 100% though, someone correct me?
B tbh. Azure Application Gateway WAF includes built-in bot protection and custom rules, so it actually scans HTTP requests for malicious activity at the app layer. D is really just for routing and grouping, not for blocking or filtering bots directly. Pretty sure B is what Microsoft wants here, but open to other takes if anyone's got real-world issues with this approach.
Why not just use B since Application Gateway WAF is meant for bot protection? D doesn’t block bots, just routes traffic.
Probably B. App Gateway WAF can handle bot protection at the app layer, which matches what they're asking, especially since you want to control access at HTTP/S and block known bad bots, not just filter IPs. NSGs and Firewalls are more about network traffic, not app vulnerabilities. If anyone thinks another option fits better for bots specifically, let me know.