Exam AZ-500 All Questions
Question 403

You have an Azure subscription that contains an Azure SQL Database logical server named SQL1 and an Azure virtual machine named VM1. VM1 uses a private IP address only.

The Firewall and virtual networks settings for SQL1 are shown in the following exhibit.

You need to ensure that VM1 can connect to SQL1. The solution must use the principle of least privilege.

What should you do?

    Correct Answer: C

    The principle of least privilege means granting only the access that is actually needed. That rules out setting 'Allow Azure services and resources to access this server' to Yes: the switch is stored as a firewall rule with the range 0.0.0.0 to 0.0.0.0 and admits any resource inside the Azure boundary, including resources in other subscriptions. Setting the connection policy to Proxy only changes how connections are routed through the gateway; it grants no access by itself. A server IP firewall rule applies to public source addresses, and VM1 has only a private address, so there is nothing valid to put in such a rule. Adding an existing virtual network (a virtual network rule) restricts access to the subnet that contains VM1, which is the narrowest scope these settings offer. Two practical checks: the subnet must have the Microsoft.Sql service endpoint enabled (the portal offers to enable it when you add the rule), and virtual network rules live under the server's Public access settings, so public network access on SQL1 must remain enabled for the rule to have any effect. A private endpoint would take SQL1 off the public endpoint altogether; the question, however, is about the Firewall and virtual networks settings shown in the exhibit.

Discussion
Nick66 (Option: C)

The Azure SQL Database firewall allows you to specify IP address ranges from which communications are accepted into SQL Database. This approach is fine for stable IP addresses that are outside the Azure private network. However, virtual machines (VMs) within the Azure private network are configured with dynamic IP addresses. Dynamic IP addresses can change when your VM is restarted and in turn invalidate the IP-based firewall rule. It would be folly to specify a dynamic IP address in a firewall rule in a production environment. You can work around this limitation by obtaining a static IP address for your VM. For details, see Create a virtual machine with a static public IP address using the Azure portal. However, the static IP approach can become difficult to manage, and it's costly when done at scale. Virtual network rules are an easier alternative for establishing and managing access from a specific subnet that contains your VMs.

sylarcas (Option: C)

C is the correct answer. In answer D, you can add public IPs, but in this case VM1 uses a private IP only.

Manu1986 (Option: C)

The best idea would be a private endpoint, but here we need the setting under "Public access", then select "Add a virtual network rule" and select your VNet there.
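The steps the explanation above, Nick66's quoted documentation and Manu1986's portal path describe, done with Az PowerShell instead of the portal. This is an added example and not code from the exam page or any of its commenters. The resource group name, the rule name and the lower-case server name are assumptions; VM1's subnet is looked up from its network interface rather than hard-coded, and the service endpoint is added only if the subnet does not already have it.

```powershell
# Added example (not from the exam page): allow only VM1's subnet to reach SQL1
# with a virtual network rule. Needs the Az.Compute, Az.Network and Az.Sql modules
# and an active Connect-AzAccount session.
# Assumed names: resource group 'rg-sql1', rule 'allow-vm1-subnet', server 'sql1'
# (logical server names are lower-case).
$rg         = 'rg-sql1'
$serverName = 'sql1'
$vmName     = 'VM1'
$ruleName   = 'allow-vm1-subnet'

# 1. Find the subnet VM1 is attached to (first NIC, first IP configuration) rather
#    than typing it by hand; the VNet may live in a different resource group.
$vm       = Get-AzVM -ResourceGroupName $rg -Name $vmName
$nic      = Get-AzNetworkInterface -ResourceId $vm.NetworkProfile.NetworkInterfaces[0].Id
$subnetId = $nic.IpConfigurations[0].Subnet.Id
# /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Network/virtualNetworks/<vnet>/subnets/<subnet>
$parts      = $subnetId -split '/'
$vnetRg     = $parts[4]
$vnetName   = $parts[8]
$subnetName = $parts[10]

# 2. A virtual network rule is only accepted if the subnet has the Microsoft.Sql
#    service endpoint; the portal enables it for you, PowerShell does not.
$vnet      = Get-AzVirtualNetwork -ResourceGroupName $vnetRg -Name $vnetName
$subnet    = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName
$endpoints = @($subnet.ServiceEndpoints | Where-Object { $_ } | ForEach-Object { $_.Service })
if ($endpoints -notcontains 'Microsoft.Sql') {
    Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName `
        -AddressPrefix $subnet.AddressPrefix `
        -ServiceEndpoint ($endpoints + 'Microsoft.Sql') | Out-Null
    $vnet = Set-AzVirtualNetwork -VirtualNetwork $vnet
}

# 3. Add the virtual network rule ("Add an existing virtual network" in the portal).
#    Virtual network rules sit under the Public access settings, so SQL1's public
#    network access must stay enabled for this path to work.
New-AzSqlServerVirtualNetworkRule -ResourceGroupName $rg -ServerName $serverName `
    -VirtualNetworkRuleName $ruleName -VirtualNetworkSubnetId $subnetId | Out-Null

# 4. Least-privilege check: "Allow Azure services and resources to access this
#    server" = Yes is stored as the IP rule 0.0.0.0-0.0.0.0 (AllowAllWindowsAzureIps).
#    It must not be present, and no remaining IP rule should be wider than needed.
$ipRules    = Get-AzSqlServerFirewallRule -ResourceGroupName $rg -ServerName $serverName
$allowAzure = $ipRules | Where-Object {
    $_.StartIpAddress -eq '0.0.0.0' -and $_.EndIpAddress -eq '0.0.0.0'
}
if ($allowAzure) {
    Write-Warning "SQL1 still allows all Azure services; remove rule '$($allowAzure.FirewallRuleName)'."
}
$ipRules | Where-Object { $_.StartIpAddress -ne $_.EndIpAddress } | ForEach-Object {
    Write-Warning "IP range rule '$($_.FirewallRuleName)' admits more than one address."
}

# 5. Show what is now allowed: expect exactly one rule pointing at VM1's subnet.
Get-AzSqlServerVirtualNetworkRule -ResourceGroupName $rg -ServerName $serverName |
    Select-Object VirtualNetworkRuleName, VirtualNetworkSubnetId, State

# Connectivity test, run from inside VM1 (not from this admin session):
#   Test-NetConnection "$serverName.database.windows.net" -Port 1433
```

Reading the subnet off VM1's NIC is what makes this least privilege in practice: an admin who types a subnet name from memory may well open a wider or wrong subnet. Step 4 is the check the accepted answer relies on; if the 0.0.0.0 rule is present, the virtual network rule is redundant and the server is open to every Azure tenant.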

zellck (Option: C)

C is the answer. https://learn.microsoft.com/en-us/azure/azure-sql/database/network-access-controls-overview?view=azuresql You can also allow private access to the database from virtual networks via: - Virtual network firewall rules: Use this feature to allow traffic from a specific virtual network within the Azure boundary

majstor86 (Option: C)

C. Add an existing virtual network.

Nickname01 (Option: C)

I am not 100% sure about it, but I think it should be "Add a virtual network".

stepman

I forgot what I chose, but this was on the exam 4/27 with the new exam experience. No sim or lab.

Potato123Psasas (Option: B)

Tested in a lab. The setting allows connections from VMs. A VM is a trusted service for SQL Database. When Allow Azure services and resources to access this server is enabled, your server allows communications from all resources inside the Azure boundary, which may or may not be part of your subscription. https://learn.microsoft.com/en-us/azure/azure-sql/database/network-access-controls-overview?view=azuresql

Br1cKd

That does not meet the principle of least privilege.

sapthami

B is the correct answer as per the above article.

tutonata (Option: D)

FW rule with a singleton IP address representing the VM private IP

TheProfessor (Option: D)

D. Create a new firewall rule.

BigShot0 (Option: D)

You should authorize the machine, not the VNet. The question specifically says least privilege; therefore the VNet may allow many machines to connect.

ESAJRR (Option: C)

C. Add an existing virtual network.

heatfan900 (Option: D)

With Allow Azure services and resources to access this server not enabled, you need to create individual firewall rule entries to add IP addresses. D is right. B does NOT provide LEAST PRIV.

Mnguyen0503

FW rules only apply to public IPs. VM1 only has a private IP. C is the answer.

saira23 (Option: C)

In exam 20/07/2024. Answer is C.

datz (Option: C)

Can't be D, as per below, so C. D. Create a new firewall rule. (Can't be, as it clearly says the VM only has a private IP, no PIP.)

BMF (Option: C)

In exam 4th November

billo79152718 (Option: C)

C. Add an existing virtual network