Your on-premises network contains an e-commerce web application that was developed using Angular and Node.js. This web application utilizes a MongoDB database for data storage. You plan to migrate this web application to Azure, and the solution architecture team has proposed an Azure landing zone architecture. Your task is to provide recommendations to secure the connection between the web application and the MongoDB database, ensuring adherence to the Zero Trust model.
Solution: You recommend implementing Azure Application Gateway with Azure Web Application Firewall (WAF).
Does this solution meet the goal?
Note: In the context of securing Azure deployments, consider how to restrict public access to web apps using Azure Private Endpoints. As an Azure administrator or architect, you might be asked: 'How can we safely deploy internal business applications to Azure App Services?' Such applications generally:
For scenarios like this, Azure Private Link can be used to give private, secure access to Azure PaaS services over Azure Private Endpoints, combined with Site-to-Site VPN, Point-to-Site VPN, or ExpressRoute for the on-premises side.

Azure Private Endpoint is a read-only network interface service that connects to Azure PaaS services and lets you integrate deployed sites into your virtual network, so access is restricted at the network level. It assigns one of your Azure VNet's private IP addresses to the Azure App Service. This is known as a Private Link resource, and it applies to services such as Azure Storage, Azure Cosmos DB, SQL, and App Service Web Apps, among others.

When you use Azure-provided PaaS services (for example Azure Storage, Azure Cosmos DB, or Azure Web App), the Private Link connectivity option ensures that all data exchange stays within the private IP space and the traffic never leaves the Microsoft network.