What should you recommend to prevent users outside the Litware on-premises network from accessing the analytical data store?
To prevent users outside the Litware on-premises network from accessing the analytical data store, a server-level firewall IP rule should be used. This allows for specific IP addresses, such as those from the company's on-premises network, to access the database while blocking all others. Virtual network rules are not applicable since there is no implementation of Azure ExpressRoute or a VPN to connect the on-premises network to Azure. Therefore, a server-level IP firewall rule is the appropriate choice for managing network access in this scenario.
I think that the correct response should be D because of this: "Litware does not plan to implement Azure ExpressRoute or a VPN between the on-premises network and Azure"
The answer should be A which is implementing VNet for SQL database server level. VNet is not "Azure ExpressRoute or a VPN between the on-premises and Azure".
Azure is a PaaS and there is no way to implement a VNet for a SQL database unless you're using a Private Link, which is not mentioned in the question. So the answer should be D.
D should be the clear answer. IP firewall rules: Use this feature to explicitly allow connections from a specific IP address, for example from on-premises machines. Virtual Network firewall rules: Use this feature to allow traffic from a specific Virtual Network within the Azure boundary. https://docs.microsoft.com/en-us/azure/sql-database/sql-database-networkaccess-overview
As long as there is no VPN between on-prem and Azure, you should go for IP rule based; it should be applied to the server, so the answer is D.
The Correct answer is D : "A SERVER LEVEL IP FIREWALL RULE"
Agree, it should be Server Level IP rule, https://docs.microsoft.com/en-us/azure/sql-database/sql-database-networkaccess-overview
Don't read the above comments and get confused, given answer is correct, A. a server-level virtual network rule
No it's not. How would you peer your virtual network with the on-premises network? You need some way to tie them together. A virtual network rule only makes sense if you have some gateway in Azure as well. Or ExpressRoute.
The answer is correct. According to the scenario: "Ensure that the analytical data store is accessible only to the company's on-premises network and Azure services." For users outside on-premises, they should only access data through other Azure services. In that case, a VNet rule should be the better choice. It's difficult to use a server-level firewall rule to manage network access from other Azure services by IP addresses.
To use a VNet for on-premises users, you need some kind of VPN solution to join the on-premises network with the Azure network. And as clearly stated, no VPN here. So a server-level firewall that whitelists the on-premises address space will do.
Using a server-level firewall IP rule, we can only restrict or allow specific IPs. To ensure org-only access we need a VNet firewall.
No it isn't. Just allow access from 0.0.0.0 to allow all Azure services.
Azure Synapse only supports server-level IP firewall rules. It doesn't support database-level IP firewall rules. https://docs.microsoft.com/en-us/azure/azure-sql/database/firewall-configure
Azure Synapse does support server-level IP firewall. The link provided by you is common for both Azure SQL and Synapse.
I mean it does support database-level IP firewall rule
Important This article does not apply to Azure SQL Managed Instance. For information about network configuration, see Connect your application to Azure SQL Managed Instance. >>>>>>>>>>> Azure Synapse only supports server-level IP firewall rules. It doesn't support database-level IP firewall rules.
VPN and VNet are two different things. The former is a gateway to establish a secure and encrypted connection, whereas a VNet is a logical isolation of the Azure cloud dedicated to your subscription and completely private. If 'outside users' implies users over the public domain then VNet is the right approach.
How would users from on-premises connect to the database with a server-level virtual network rule? Nowhere in the documentation is it said that a VNet is a valid configuration to give the on-premises network access to the database. -> D is the answer
D. a server-level firewall IP rule
The answer is correct according to https://docs.microsoft.com/en-us/azure/azure-sql/database/vnet-service-endpoint-rule-overview. In particular there is one point that says: "On the firewall, IP address ranges do apply to the following networking items, but virtual network rules do not: Site-to-Site (S2S) virtual private network (VPN); On-premises via ExpressRoute." And the brief clearly said not to use ExpressRoute and VPN.
Ans : D "By default, Azure service resources secured to virtual networks aren't reachable from on-premises networks. If you want to allow traffic from on-premises, you must also allow public (typically, NAT) IP addresses from your on-premises or ExpressRoute. You can add these IP addresses through the IP firewall configuration for Azure service resources." ref: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview
Virtual network rules are one firewall security feature that controls whether the server for your databases and elastic pools in Azure SQL Database, or for your databases in Azure Synapse, accepts communications that are sent from particular subnets in virtual networks. A is correct.
but the requirement states that the company does not plan to implement a virtual network, D is correct
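The two rule types argued about in this thread behave differently for the same source, so it is worth checking the argument against concrete traffic. The script below is an added example, not part of the original discussion or of any Microsoft code: it models the documented semantics of server-level IP firewall rules and virtual network rules on an Azure SQL / Synapse logical server (IP rules match the public source address; VNet rules match only traffic that arrives through a Microsoft.Sql service endpoint on the listed subnet, which on-premises traffic without a VPN or ExpressRoute never does; the 0.0.0.0 rule admits any Azure-hosted source, from any subscription). The on-premises NAT range, the internet client, the VM addresses and the subnet resource id are all constructed placeholders (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges). The `az` commands in the comments are the real CLI commands for creating each rule type; the resource group and server names in them are assumed.

```python
"""Model of how an Azure SQL / Synapse logical server evaluates its firewall.

Added example for the discussion above; not Microsoft code. Rule semantics follow
the Azure docs cited in the thread; every address and resource id is constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

ANY_AZURE = IPv4Address("0.0.0.0")  # start=end=0.0.0.0 means "Allow Azure services"


@dataclass(frozen=True)
class IpRule:
    """Server-level IP firewall rule.
    az sql server firewall-rule create -g rg-litware -s sql-litware \
        -n LitwareOnPremNAT --start-ip-address 203.0.113.10 --end-ip-address 203.0.113.20
    """
    name: str
    start: IPv4Address
    end: IPv4Address


@dataclass(frozen=True)
class VnetRule:
    """Server-level virtual network rule (needs a Microsoft.Sql service endpoint on the subnet).
    az sql server vnet-rule create -g rg-litware -s sql-litware -n AnalyticsSubnet --subnet <subnet id>
    """
    name: str
    subnet_id: str


@dataclass(frozen=True)
class Connection:
    """Constructed view of one inbound connection as the SQL gateway sees it."""
    source_ip: IPv4Address
    from_azure: bool                 # source address lies in Azure public IP space
    subnet_id: Optional[str] = None  # set only when the packet came via a service endpoint


def evaluate(conn: Connection, ip_rules: List[IpRule],
             vnet_rules: List[VnetRule]) -> Tuple[bool, Optional[str]]:
    """Allow-only evaluation: first matching rule wins, no match means deny."""
    for vrule in vnet_rules:
        # On-prem traffic (no VPN / ExpressRoute) never carries a subnet tag, so
        # a VNet rule can never match it, whatever its public NAT address is.
        if conn.subnet_id is not None and conn.subnet_id == vrule.subnet_id:
            return True, vrule.name
    for irule in ip_rules:
        if irule.start == irule.end == ANY_AZURE:
            # "Allow Azure services and resources": any Azure-sourced connection,
            # including resources in other customers' subscriptions.
            if conn.from_azure:
                return True, irule.name
            continue
        if irule.start <= conn.source_ip <= irule.end:
            return True, irule.name
    return False, None


# Constructed rules for the Litware scenario.
ONPREM_NAT = IpRule("LitwareOnPremNAT", IPv4Address("203.0.113.10"), IPv4Address("203.0.113.20"))
AZURE_SERVICES = IpRule("AllowAllWindowsAzureIps", ANY_AZURE, ANY_AZURE)
SUBNET_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-litware"
             "/providers/Microsoft.Network/virtualNetworks/vnet-analytics/subnets/snet-synapse")
ANALYTICS_VNET = VnetRule("AnalyticsSubnet", SUBNET_ID)

# Constructed connections.
ONPREM_USER = Connection(IPv4Address("203.0.113.12"), from_azure=False)       # behind the on-prem NAT
INTERNET_USER = Connection(IPv4Address("198.51.100.7"), from_azure=False)     # arbitrary internet host
VM_IN_SUBNET = Connection(IPv4Address("10.1.2.4"), from_azure=True, subnet_id=SUBNET_ID)
OTHER_TENANT_VM = Connection(IPv4Address("192.0.2.9"), from_azure=True)       # someone else's Azure VM


def option_a(conn: Connection) -> Tuple[bool, Optional[str]]:
    """Answer A: only a server-level virtual network rule."""
    return evaluate(conn, [], [ANALYTICS_VNET])


def option_d(conn: Connection) -> Tuple[bool, Optional[str]]:
    """Answer D: server-level IP rule for the on-prem NAT range, plus Azure services."""
    return evaluate(conn, [ONPREM_NAT, AZURE_SERVICES], [])


if __name__ == "__main__":
    for label, conn in [("on-prem user", ONPREM_USER), ("internet user", INTERNET_USER),
                        ("VM in subnet", VM_IN_SUBNET), ("other tenant VM", OTHER_TENANT_VM)]:
        print(f"{label:16} A={option_a(conn)}  D={option_d(conn)}")
```

Running it shows the point made by the "D" replies: with only a VNet rule the on-premises user is denied because nothing tags their connection with a subnet, while the IP rule admits the NAT range and still rejects an unrelated internet address. It also shows the caveat behind the "just allow 0.0.0.0" reply: that rule lets any Azure-hosted source through, not only Litware's own services, so a narrower allow-list of the specific service IPs or a private endpoint is the tighter design when the scenario permits it.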