Exam AI-102 topic 1 question 52 discussion

Create Private Endpoint Use Azure Roles

1. Create a private endpoint 2. Use Azure roles https://learn.microsoft.com/en-us/azure/search/service-create-private-endpoint#why-use-a-private-endpoint-for-secure-access Private Endpoints for Azure Cognitive Search allow a client on a virtual network to securely access data in a search index over a Private Link. The private endpoint uses an IP address from the virtual network address space for your search service. Network traffic between the client and the search service traverses over the virtual network and a private link on the Microsoft backbone network, eliminating exposure from the public internet. https://learn.microsoft.com/en-us/azure/search/search-security-rbac?tabs=config-svc-portal%2Croles-portal%2Ctest-portal%2Ccustom-role-portal%2Cdisable-keys-portal#grant-access-to-a-single-index In some scenarios, you may want to limit application's access to a single resource, such as an index. The portal doesn't currently support role assignments at this level of granularity, but it can be done with PowerShell or the Azure CLI.

API keys control access to the entire service, but do not restrict specific queries. So answer is to use RBAC which is 'Use Azure Roles' for second question

Create a private endpoint is CORRECT because it allows you to securely connect to your Azure AI Search resource over a private network. This effectively isolates the resource from the public internet, ensuring that it is only accessible from within your private network. Use Azure roles is CORRECT because Azure role-based access control (RBAC) allows you to define granular permissions for users, groups, and applications. By assigning specific roles to each app, you can control the access to specific queries and operations on the Azure AI Search resource.

1. Create a private endpoint 2. Use Azure roles

https://learn.microsoft.com/en-us/azure/search/keyless-connections?tabs=csharp%2Cazure-cli

Azure Cognitive Search primarily relies on API keys for authentication and authorization. By generating different API keys, you can control and restrict the access each app has to specific queries. Azure Roles are not used directly for query-level permissions in Azure Cognitive Search. So, the complete solution would be: Prevent access to Search1 from the internet: Configure a Private Endpoint for Search1 Limit the access of each app to specific queries: Use key authentication

Create private endpoint use key auth - basically using query key will restrict the queries to data itself and will not retrieve system level info..

1. Create a private endpoint 2. Use Azure roles

1. Create a private endpoint 2. Use Azure roles

you can configure IP firewall and only allow the apps in. Implementing private endpoint requires the apps to be on the same vnet or a s2s vpn which adds complexity. https://learn.microsoft.com/en-us/azure/search/service-configure-firewall https://learn.microsoft.com/en-us/azure/search/search-security-api-keys?tabs=rest-use%2Cportal-find%2Cportal-query IP Firewall Use Key authentication.

Create a private endpoint & Use key authentication.

- Private endpoint - Azure Roles There is only one Cognitive Search instance; keys will not control access at the correct level of granularity.

Create Private Endpoint Use Key authentication. Azure roles, specifically Azure Role-Based Access Control (RBAC), are designed to manage who has access to Azure resources and what they can do with those resources. While RBAC is effective for controlling access at the resource level (e.g., who can manage the search service, indexes, or data sources), it does not provide the granularity needed to limit access to specific queries within Azure Cognitive Search.

Final Answer: 1. Create a private endpoint 2. Use Azure roles

In this article, learn how to secure an Azure AI Search service so that it can't be accessed over a public internet connection: https://learn.microsoft.com/en-us/azure/search/service-create-private-endpoint

prevent Azure services to be accessed from internet? ==>create private endpoint of that service limit the service to a specific queries?-->using Azure roles