Exam SC-100 topic 2 question 20 discussion

When using Azure-provided PaaS services (e.g., Azure Storage, Azure Cosmos DB, or Azure Web App, use the PrivateLink connectivity option to ensure all data exchanges are over the private IP space and the traffic never leaves the Microsoft network.

"The solution must follow the Zero Trust model." Isn't Zero Trust requires mutual authentication ? The solution proposed is based on trusting the internal network which is not Zero-Trust.

This answer is only correct if the Web App is meant to be internal facing, thus the key question here is why would an 'eCommerce' website be made internal??? Do they intend for only internal stakeholders to access the web-app? If that's not the case then the best option would be B

The way the recommendation is worded, is awful. YES, private endpoints (PE) could very well be a good idea, but not implementing PEs to both webapp and DB, but only to the DB and integrating the webapp to the VNET for outbound access - but NOT webapp PE. Let me explain: For this design to work well, the webapp should just be integrated with a VNET and then the DB configured with a PE, preferably in the same VNET for good performance and easier setup, then YES, this way would be more secure then leaving them publicly accessible. But the way the recommendation is worded, lets to understand that both webapp and DB would have private endpoints configured, which would NOT work, as PE only receives traffic, it cannot initiate, hence the webapp would not be able to communicate using it's PE private IP to reach the PE of DB, but the webapp will initiate traffic from the public outbound IPs and this connection will fail because DB PE will not accept a public connection.

I think people are getting confused between the old infrastructure and the new. The question relates to the new infrastructure in Azure, so the solution is WAF. Private endpoints aren't related to this infrastructure.

got this in exam 6oct23. passed with 896 marks. I answered A

Question in the exam today 19/05/2023

https://learn.microsoft.com/en-us/azure/app-service/networking/private-endpoint "Private endpoint is only used for incoming traffic to your app" NO

A is the answer. https://learn.microsoft.com/en-us/azure/app-service/networking/private-endpoint You can use private endpoint for your App Service apps to allow clients located in your private network to securely access the app over Azure Private Link. The private endpoint uses an IP address from your Azure virtual network address space. Network traffic between a client on your private network and the app traverses over the virtual network and a Private Link on the Microsoft backbone network, eliminating exposure from the public Internet.

ChatGPT: A. Yes, creating private endpoints for the web app and the database layer is a recommended solution to secure the connection between the two layers and meet the Zero Trust model. Private endpoints allow you to access your Azure PaaS services over a private IP address within your virtual network. By creating private endpoints for both the web app and the MongoDB database, traffic between them can be routed through the private network, making it more secure by preventing access from the public internet. This approach is recommended because it limits access to only the virtual network where the web app and database are deployed, and it helps to minimize the surface area of potential attacks. By implementing private endpoints, you can ensure that data is transmitted securely between the two layers and reduce the risk of data breaches. Therefore, creating private endpoints for the web app and the database layer meets the goal of securing the connection between the two layers and follows the Zero Trust model.

I think this is incorrect. Private Endpoint would not be the solution here. The App service does need VNet Integration, not private endpoint in order to reach the cosmos DB via its private address. I think a lot of people just shout yes once they hear private endpoint and don't even understand what it is

In addition to the private endpoint for the Cosmos DB, the Cosmos DB needs to have its "publicNetworkAccess" flag set to "Disabled" to prevent public network access to the Cosmos DB account when it is created, before its private endpoint is created. Also, (Just creating the private endpoint could be considered an incomplete solution.) https://learn.microsoft.com/en-us/azure/cosmos-db/how-to-configure-private-endpoints#blocking-public-network-access-during-account-creation

The answer is correct.

Private endpoint is correct. A is the correct answer

yes seems correct from NETWORK - zero trust principle point of view

I think this is right. It's always best to use official Microsoft documentation for answers. Other companies and blogs are not the source of truth. https://docs.microsoft.com/en-us/azure/cosmos-db/how-to-configure-private-endpoints

YES, correct