You need to isolate the network traffic among the four VMs

You administer an Azure solution that uses a virtual network named fabVNet. FabVNet has a
single subnet named Subnet-1.
You discover a high volume of network traffic among four virtual machines (VMs) that are
part of Subnet-1.
You need to isolate the network traffic among the four VMs. You want to achieve this goal
with the least amount of downtime and impact on users.
What should you do?

A.
Create a new subnet in the existing virtual network and move the four VMs to the new
subnet.

B.
Create a site-to-site virtual network and move the four VMs to your datacenter.

C.
Create a new virtual network and move the VMs to the new network.

D.
Create an availability set and associate the four VMs with that availability set.

Explanation:
http://msdn.microsoft.com/en-us/library/azure/dn133798.aspx



b

Actually it’s A

Alejandro Decchi

Why not B ?

recall

“You want to achieve this goal with the least amount of downtime and impact on users”. That’s why not B. And the cost of that wouldn’t make sense. By moving them to a separate subnet in the same VNet you *can* isolate them. I say *can* because you’d still have to configure the Windows firewall to block/allow traffic on the machines in the new subnet. More info here anyway – https://azure.microsoft.com/en-gb/blog/network-isolation-options-for-machines-in-windows-azure-virtual-networks/

“Option 1: Subnets within a Single Virtual Network
Currently, Windows Azure provides routing across subnets within a single virtual network, but does not provide any type of network ACL capability with respect to internal DIP addresses. So in order to restrict access to machines within a single virtual network, those machines must leverage Windows Firewall with Advanced Security”