HOTSPOT
-
You have an Azure Cognitive Search resource named Search1 that is used by multiple apps.
You need to secure Search1. The solution must meet the following requirements:
• Prevent access to Search1 from the internet.
• Limit the access of each app to specific queries.
What should you do? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Create Private Endpoint Use Azure Roles
1. Create a private endpoint 2. Use Azure roles https://learn.microsoft.com/en-us/azure/search/service-create-private-endpoint#why-use-a-private-endpoint-for-secure-access Private Endpoints for Azure Cognitive Search allow a client on a virtual network to securely access data in a search index over a Private Link. The private endpoint uses an IP address from the virtual network address space for your search service. Network traffic between the client and the search service traverses over the virtual network and a private link on the Microsoft backbone network, eliminating exposure from the public internet. https://learn.microsoft.com/en-us/azure/search/search-security-rbac?tabs=config-svc-portal%2Croles-portal%2Ctest-portal%2Ccustom-role-portal%2Cdisable-keys-portal#grant-access-to-a-single-index In some scenarios, you may want to limit application's access to a single resource, such as an index. The portal doesn't currently support role assignments at this level of granularity, but it can be done with PowerShell or the Azure CLI.
Gotten this in Jul 2023 exam.
thanks for explanation
Folks, the correct answer is - Create a Private Endpoint for Preventing access from Internet. - Use Azure Roles to limit access.
Create Private Endpoint Use Key authentication. Azure roles, specifically Azure Role-Based Access Control (RBAC), are designed to manage who has access to Azure resources and what they can do with those resources. While RBAC is effective for controlling access at the resource level (e.g., who can manage the search service, indexes, or data sources), it does not provide the granularity needed to limit access to specific queries within Azure Cognitive Search.
Create a private endpoint & Use key authentication.
1. Create a private endpoint 2. Use Azure roles
Create private endpoint use key auth - basically using query key will restrict the queries to data itself and will not retrieve system level info..
Should be 1. Create Private Endpoint 2. Use Azure Roles
prevent Azure services to be accessed from internet? ==>create private endpoint of that service limit the service to a specific queries?-->using Azure roles
In this article, learn how to secure an Azure AI Search service so that it can't be accessed over a public internet connection: https://learn.microsoft.com/en-us/azure/search/service-create-private-endpoint
Final Answer: 1. Create a private endpoint 2. Use Azure roles
- Private endpoint - Azure Roles There is only one Cognitive Search instance; keys will not control access at the correct level of granularity.
you can configure IP firewall and only allow the apps in. Implementing private endpoint requires the apps to be on the same vnet or a s2s vpn which adds complexity. https://learn.microsoft.com/en-us/azure/search/service-configure-firewall https://learn.microsoft.com/en-us/azure/search/search-security-api-keys?tabs=rest-use%2Cportal-find%2Cportal-query IP Firewall Use Key authentication.
1. Create a private endpoint 2. Use Azure roles
Azure Cognitive Search primarily relies on API keys for authentication and authorization. By generating different API keys, you can control and restrict the access each app has to specific queries. Azure Roles are not used directly for query-level permissions in Azure Cognitive Search. So, the complete solution would be: Prevent access to Search1 from the internet: Configure a Private Endpoint for Search1 Limit the access of each app to specific queries: Use key authentication
https://learn.microsoft.com/en-us/azure/search/keyless-connections?tabs=csharp%2Cazure-cli
1. Create a private endpoint 2. Use Azure roles