Exam AZ-720 topic 2 question 16 discussion

Actual exam question from Microsoft's AZ-720
Question #: 16
Topic #: 2

HOTSPOT -
A company creates an Azure resource group named RG1. RG1 has an Azure SQL Database logical server named sqlsvr1 that hosts the following resources:

An administrator grants a user named User1 the Reader RBAC role in RG1. The administrator grants User2 the Contributor role in sqlsvr1.
User1 reports that they can connect to SQLDB1 from the IP address 155.127.95.212. User1 cannot connect to SQLDB2. User2 can connect to both SQLDB1 and SQLDB2 from the IP address 121.19.27.18. Both users can successfully connect to SQLDB1 and SQLDB2 from VM1.
You are helping the administrator troubleshoot the issue. You run the following PowerShell command:
Get-AzSqlServerFirewallRule -ResourceGroupName 'RG1' -ServerName 'sqlsvr1'
The following output displays:

ResourceGroupName: RG1
ServerName: sqlsvr1
StartIpAddress: 0.0.0.0
EndIpAddress: 0.0.0.0
FirewallRuleName: Rule01

ResourceGroupName: RG1
ServerName: sqlsvr1
StartIpAddress: 72.225.0.0
EndIpAddress: 72.225.255.255
FirewallRuleName: Rule02
You need to identify the cause for the reported issue and resolve User1’s issues. The solution must satisfy the principle of least privilege.
What should you do? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Suggested Answer:

Comments

terawatt
1 year, 11 months ago
Use the Set-AzSqlServerFirewallRule cmdlet to modify the existing firewall rule or create a new firewall rule on sqlsvr1 to allow User1's IP address. Given the principle of least privilege, you should not give more access than necessary. Therefore, create a new rule that only allows User1's IP address, rather than modifying an existing rule to include a broader range.
upvoted 1 times
terawatt
1 year, 11 months ago
In my understanding creating or modifying SQL users and permissions using Transact-SQL won't resolve the connectivity issue, but feel free to prove me wrong.
upvoted 1 times
cris_exam
2 years, 2 months ago
I believe given answers appear to be correct. The Server Level FW allows access to both DBs, however since only DB1 can successfully be accessed by both users from different IPs but DB2 has issues when being accessed from IP 155.127.95.212 (regardless of user if you ask me - the RBAC role extra info seems to be just to throw us off), I think the issue is on Database level FW. More can be read here: https://learn.microsoft.com/en-us/azure/azure-sql/database/firewall-configure?view=azuresql#use-transact-sql-to-manage-ip-firewall-rules and https://learn.microsoft.com/en-us/azure/azure-sql/database/firewall-configure?view=azuresql#database-level-ip-firewall-rules "If you specify an IP address range in the database-level IP firewall rule that's outside the range in the server-level IP firewall rule, only those clients that have IP addresses in the database-level range can access the database."
upvoted 1 times
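
An added example, not part of the original thread or of any Microsoft tooling: a small Python model of the documented Azure SQL firewall evaluation order (database-level rules first, then server-level rules), used to compare how far a single-address rule for User1 reaches at each level. The server-level rules come from the output above; the database-level rules, the SQLDB3 database and the VM address are constructed assumptions, because the page does not show them.

```python
from ipaddress import ip_address

USER1_IP, USER2_IP = "155.127.95.212", "121.19.27.18"

# Server-level rules exactly as listed in the Get-AzSqlServerFirewallRule output.
SERVER_RULES = {
    "Rule01": ("0.0.0.0", "0.0.0.0"),  # special range: allow Azure-internal sources
    "Rule02": ("72.225.0.0", "72.225.255.255"),
}
# Constructed: one rule set consistent with the reported symptoms. SQLDB3 is a
# hypothetical third database on sqlsvr1 with no database-level rules.
DB_RULES = {
    "SQLDB1": {"u1": (USER1_IP, USER1_IP), "u2": (USER2_IP, USER2_IP)},
    "SQLDB2": {"u2": (USER2_IP, USER2_IP)},
    "SQLDB3": {},
}

def in_range(ip, start, end):
    return ip_address(start) <= ip_address(ip) <= ip_address(end)

def evaluate(db, ip, from_azure=False, server_rules=SERVER_RULES, db_rules=DB_RULES):
    """Database-level rules are checked first, then server-level rules."""
    for name, (start, end) in db_rules.get(db, {}).items():
        if in_range(ip, start, end):
            return True, f"database rule {name}"
    for name, (start, end) in server_rules.items():
        if (start, end) == ("0.0.0.0", "0.0.0.0"):
            if from_azure:  # the flag stands in for "source is an Azure address"
                return True, f"server rule {name} (Azure services)"
        elif in_range(ip, start, end):
            return True, f"server rule {name}"
    return False, "no matching rule"

def reachable(ip, server_rules, db_rules):
    """Databases an internet client at `ip` can reach under the given rules."""
    return sorted(d for d in db_rules if evaluate(d, ip, False, server_rules, db_rules)[0])

# Two candidate fixes for User1, each a single-address rule.
SERVER_FIX = {**SERVER_RULES, "user1": (USER1_IP, USER1_IP)}
DB_FIX = {**DB_RULES, "SQLDB2": {**DB_RULES["SQLDB2"], "user1": (USER1_IP, USER1_IP)}}

if __name__ == "__main__":
    for db in ("SQLDB1", "SQLDB2"):
        print(db, USER1_IP, evaluate(db, USER1_IP))
    # 203.0.113.10 is a constructed address for VM1.
    print("VM1 (Azure):", evaluate("SQLDB2", "203.0.113.10", from_azure=True))
    print("server-level fix:", reachable(USER1_IP, SERVER_FIX, DB_RULES))
    print("database-level fix:", reachable(USER1_IP, SERVER_RULES, DB_FIX))
```

In this model the server-level rule lets User1's address reach every database on sqlsvr1, while the database-level rule opens only SQLDB2.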