Exam SC-100 topic 4 question 34 discussion

Actual exam question from Microsoft's SC-100
Question #: 34
Topic #: 4

HOTSPOT -

You have an on-premises datacenter named Site1.

You have an Azure subscription that contains a virtual network named VNet1 and multiple Azure App Service apps. Site1 is connected to VNet1 by using a Site-to-Site (P2S) VPN connection. The apps are accessed by using public internet connections.

You need to recommend a solution for providing secure access to the apps. The solution must meet the following requirements:

• Servers on Site1 must use a VPN connection to access the apps.
• Access to the apps must be restricted to specific servers on Site1.
• Security administrators for VNet1 must be able to control which servers can access the apps.
• Costs must be minimized.

What should you include in the recommendation? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Suggested Answer:

Comments

rishiraval007
Highly Voted 1 year, 5 months ago
For enabling security administrators to control access to the apps, the best choice would be: B. Private Endpoints
Here's why: B. Private Endpoints: They provide secure and direct access to Azure services over a private endpoint in your virtual network. This allows fine-grained access control through network security groups or Azure Firewall. Thus, security administrators can effectively control which servers or clients within the VNet can access the apps.
To enable security administrators to control access to the apps, the best choice among the given options would be: A. App Service Static IP address restrictions
Here's why: A. App Service Static IP address restrictions: This feature allows administrators to define a list of IP addresses that are allowed or denied access to the App Service. It's a direct and effective way to control access at the application level, ensuring that only specific servers on Site1 can access the apps.
upvoted 14 times
...
lt9898
Highly Voted 1 year, 2 months ago
IMO
1. Private Endpoint - "You can use private endpoint for your App Service apps to allow clients located in your private network to securely access the app over Azure Private Link". See vpn use case at link below
https://learn.microsoft.com/en-us/azure/app-service/overview-private-endpoint
PrivateLink describes the established connectivity channel between the Private Endpoint and the destination app, which is not the feature we're trying to leverage. Service Endpoints are a virtual networking trick to allow private communication from your vnet via the Azure private backbone to a Microsoft provided Azure Cloud Service (despite the DNS resolved IP address for the service remaining a public IP). An example of one of these services could be Azure Storage.
https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview
2. App service static IP address restrictions
https://learn.microsoft.com/en-us/azure/app-service/app-service-ip-restrictions?tabs=azurecli
upvoted 9 times
...
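Added example, not part of any comment in this thread and not Microsoft's code: a simplified Python model of how App Service access restriction rules are evaluated (lowest priority number first, first match wins, implicit deny once any rule exists), as described in the app-service-ip-restrictions documentation linked above. The rule names and addresses are constructed, and `broad_allows` is a hypothetical review helper.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int   # lower number is evaluated first
    action: str     # "Allow" or "Deny"
    cidr: str       # source address range the rule matches

def evaluate(rules, source_ip):
    """Return (action, rule_name) for a request from source_ip."""
    if not rules:
        # No restrictions configured: the app accepts any source.
        return ("Allow", "no-rules")
    addr = ipaddress.ip_address(source_ip)
    for rule in sorted(rules, key=lambda r: r.priority):
        if addr in ipaddress.ip_network(rule.cidr):
            return (rule.action, rule.name)
    # Once at least one rule exists, anything unmatched is denied.
    return ("Deny", "implicit-deny-all")

def broad_allows(rules, max_hosts=16):
    """Names of Allow rules covering more than max_hosts addresses."""
    return [r.name for r in rules
            if r.action == "Allow"
            and ipaddress.ip_network(r.cidr).num_addresses > max_hosts]

# Constructed sample (documentation address ranges, not real servers):
# two permitted Site1 servers, plus one blocked host inside an otherwise
# allowed range. Which source address the app actually sees depends on
# the network path and is outside this model.
SITE1_RULES = [
    Rule("site1-app-server-1", 100, "Allow", "192.0.2.10/32"),
    Rule("site1-app-server-2", 110, "Allow", "192.0.2.11/32"),
    Rule("block-jump-host", 200, "Deny", "198.51.100.5/32"),
    Rule("site1-mgmt-range", 300, "Allow", "198.51.100.0/24"),
]

if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.5", "198.51.100.77", "203.0.113.9"):
        print(ip, evaluate(SITE1_RULES, ip))
    print("broad allow rules:", broad_allows(SITE1_RULES))
```

The Deny rule only takes effect because its priority number is lower than that of the wider Allow rule; swapping the two priorities would let the blocked host through.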
Er_01
Most Recent 2 months, 3 weeks ago
Apps are accessed via public internet connections, which is for service endpoints.
upvoted 1 times
...
andy_rwalker
8 months, 2 weeks ago
One of the requirements says: Security administrators for VNet1 must be able to control which servers can access the apps. If you select "App Service Static IP address restrictions", how will VNET admins be able to control it? It is down to App service admins, isn't it? If this needs to be managed by VNET admins I am thinking of NSG groups... Just thinking
upvoted 2 times
...
Mithu94
11 months, 2 weeks ago
Box1: Private Link, Box 2: App Service Static IP Address.
Limitations of Service Endpoints: Firstly, it is key to remember that traffic to a Service Endpoint is still leaving your virtual network, and the Azure PaaS resource is still being accessed on its public address. Service Endpoints cannot be used by traffic originating on-premises, through VPN or Express Route, only for traffic coming from your Azure Virtual Network. If you want to allow your on-premises resources access, then you would need to whitelist their public IPs as well.
upvoted 2 times
...
RickySmith
1 year, 3 months ago
Private Link
https://learn.microsoft.com/en-us/azure/private-link/private-link-overview#key-benefits
App service static IP address restrictions
https://learn.microsoft.com/en-us/azure/app-service/app-service-ip-restrictions?tabs=azurecli
upvoted 3 times
...
Murtuza
1 year, 3 months ago
Don't confuse yourself with private endpoints and private links. The question has nothing to do with extending your private endpoints to a given business. When the word business is mentioned then private link comes to play
upvoted 1 times
...
tocane
1 year, 3 months ago
1- Private endpoint
2- App service static IP address restrictions
upvoted 1 times
...
cybrtrk
1 year, 3 months ago
1. service endpoints use public network, so although private endpoint costs .01/hour this will not use public IPs.
https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-overview
2. App service static IP address restrictions.
https://learn.microsoft.com/en-us/azure/app-service/overview-inbound-outbound-ips
upvoted 3 times
...
Murtuza
1 year, 3 months ago
The Azure Private Link Service takes this a step further, allowing you to extend your Private Endpoints to business partners or customers. This service requires an approval process as an added layer of security to prevent unintended access to your internal resources.
upvoted 2 times
Ramye
1 year, 3 months ago
so what are you suggesting the answers are?
upvoted 1 times
...
...
Arjanussie
1 year, 4 months ago
The most secure way for on-premises servers to access app services in Azure is by using Azure Private Endpoint. This feature allows you to securely connect to your app from on-premises networks that connect to the virtual network using a VPN or ExpressRoute private peering. It also eliminates public network access to your app, thus reducing the risk of data exfiltration from your virtual network
upvoted 2 times
...
TheCloudGuruu
1 year, 5 months ago
"The apps are accessed by using public internet connections" so I would go with Private Link and App Service Status IP address restrictions.
upvoted 1 times
...
smanzana
1 year, 6 months ago
1- Private endpoint
2- App service static IP address restrictions
upvoted 2 times
...
hcmonteiro
1 year, 6 months ago
Why not private endpoint for 1. ? https://learn.microsoft.com/en-us/azure/app-service/overview-private-endpoint
upvoted 3 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other