Exam AZ-500 topic 5 question 55 discussion

The Azure SQL Database firewall allows you to specify IP address ranges from which communications are accepted into SQL Database. This approach is fine for stable IP addresses that are outside the Azure private network. However, virtual machines (VMs) within the Azure private network are configured with dynamic IP addresses. Dynamic IP addresses can change when your VM is restarted and in turn invalidate the IP-based firewall rule. It would be folly to specify a dynamic IP address in a firewall rule, in a production environment. You can work around this limitation by obtaining a static IP address for your VM. For details, see Create a virtual machine with a static public IP address using the Azure portal. However, the static IP approach can become difficult to manage, and it's costly when done at scale. Virtual network rules are easier alternative to establish and to manage access from a specific subnet that contains your VMs.

C is the correct answer. In the answer D. You can add public IPs but in this case VM1 use private ip only.

You cannot use D to create a firewall rule because VM needs a public IP. The next best thing if D is not possible is C - add an existent VNET...

In Exam20/07/2024 Answer is C

Cant be D, as per bellow. so C. D. Create a new firewall rule. (Cant be as it clearly says VM only has Private IP no PIP)

In exam 4th November

D. Create a new firewall rule.

You should authorize the Machine not the VNET. The question specifically says Least Privilege therefore the VNET may allow many machines to connect.

C. Add an existing virtual network.

Allow Azure services and resources to access this server not enabled, you need to create individual firewall rule entries to add IP addresses. D is right. B does NOT provide LEAST PRIV

C. Add an existing virtual network

C is the answer. https://learn.microsoft.com/en-us/azure/azure-sql/database/network-access-controls-overview?view=azuresql You can also allow private access to the database from virtual networks via: - Virtual network firewall rules: Use this feature to allow traffic from a specific virtual network within the Azure boundary

I forgot what I chose, but this was On exam 4/27 with the new exam experience. No Sim or lab.

Tested in lab The setting allows connection from VMs. VM is a trusted service for SQL database. When Allow Azure services and resources to access this server is enabled, your server allows communications from all resources inside the Azure boundary, that may or may not be part of your subscription. https://learn.microsoft.com/en-us/azure/azure-sql/database/network-access-controls-overview?view=azuresql

Best idea would be private endpoint, but here we need setting under "Public access" and then select there "Add a virtual network rule" and select your vnet there

FW rule with a singleton IP address representing the VM private IP

C. Add an existing virtual network.