ExamTopics Logo
Mail Us[email protected]
Menu
Microsoft Discussions
exam questions

Exam DP-203 All Questions

View all questions & answers for the DP-203 exam
Go to Exam

Exam DP-203 topic 3 question 2 discussion

Actual exam question from Microsoft's DP-203
Question #: 2
Topic #: 3
[All DP-203 Questions]

HOTSPOT -
You have an Azure subscription that contains a logical Microsoft SQL server named Server1. Server1 hosts an Azure Synapse Analytics SQL dedicated pool named Pool1.
You need to recommend a Transparent Data Encryption (TDE) solution for Server1. The solution must meet the following requirements:
✑ Track the usage of encryption keys.
Maintain the access of client apps to Pool1 in the event of an Azure datacenter outage that affects the availability of the encryption keys.

What should you include in the recommendation? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Show Suggested Answer Hide Answer
Suggested Answer:
Box 1: TDE with customer-managed keys
Customer-managed keys are stored in the Azure Key Vault. You can monitor how and when your key vaults are accessed, and by whom. You can do this by enabling logging for Azure Key Vault, which saves information in an Azure storage account that you provide.
Box 2: Create and configure Azure key vaults in two Azure regions
The contents of your key vault are replicated within the region and to a secondary region at least 150 miles away, but within the same geography to maintain high durability of your keys and secrets.
Reference:
https://docs.microsoft.com/en-us/azure/synapse-analytics/security/workspaces-encryption https://docs.microsoft.com/en-us/azure/key-vault/general/logging
by Rob77 at May 17, 2021, 3:57 p.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
Francesco1985
Highly Voted 3 years, 3 months ago
Guys the aswers are correct: https://docs.microsoft.com/en-us/azure/azure-sql/database/transparent-data-encryption-byok-overview
upvoted 64 times
Slena
3 years ago
Agreed. "Link each server with two key vaults that reside in different regions and hold the same key material, to ensure high availability of encrypted databases. Mark only the key from the key vault in the same region as a TDE protector. System will automatically switch to the key vault in the remote region if there is an outage affecting the key vault in the same region." https://docs.microsoft.com/en-us/azure/azure-sql/database/transparent-data-encryption-byok-overview
upvoted 5 times
...
...
bhavesh_wadhwani
Highly Voted 3 years ago
First answer is correct. 2nd box answer should be " Implement the client apps by using .NET framework data provider" as key vault is by default replicated in two or more regions for HA.
upvoted 7 times
bhavesh_wadhwani
3 years ago
Link from Microsoft docs : https://docs.microsoft.com/en-us/azure/key-vault/general/disaster-recovery-guidance#:~:text=The%20contents%20of%20your%20key%20vault%20are%20replicated%20within%20the%20region%20and%20to%20a%20secondary%20region%20at%20least%20150%20miles%20away%2C%20but%20within%20the%20same%20geography%20to%20maintain%20high%20durability%20of%20your%20keys%20and%20secrets
upvoted 1 times
...
...
Dusica
Most Recent 5 months, 3 weeks ago
why not platform managed key?
upvoted 1 times
...
kkk5566
1 year, 1 month ago
correct
upvoted 1 times
...
pavankr
1 year, 3 months ago
why "two" azure regions? the requirement never mentioned how many regions?
upvoted 3 times
...
Deeksha1234
2 years, 2 months ago
correct answer
upvoted 1 times
...
SabaJamal2010AtGmail
2 years, 9 months ago
Both answers Correct 1) Transparent Data Encryption with customer-managed key 2) key vault in 2 regions
upvoted 2 times
...
Skeinofi
2 years, 9 months ago
Correct. Recommendations when configuring customer-managed TDE: Recommendations when configuring AKV: - Enable auditing and reporting on all encryption keys: Key vault provides logs that are easy to inject into other security information and event management tools. Operations Management Suite Log Analytics is one example of a service that is already integrated. - Link each server with two key vaults that reside in different regions and hold the same key material, to ensure high availability of encrypted databases. Mark the key from one of the key vaults as the TDE protector. System will automatically switch to the key vault in the second region with the same key material, if there's an outage affecting the key vault in the first region.
upvoted 1 times
...
kimalto452
3 years ago
Transparent Data Encryption with customer-managed key https://docs.microsoft.com/en-us/azure/azure-sql/database/transparent-data-encryption-byok-overview
upvoted 1 times
...
terajuana
3 years, 4 months ago
TDE doesn't use client managed keys answer therefore is 1) always encrypted 2) key vault in 2 regions
upvoted 1 times
Alekx42
3 years, 4 months ago
Moreover, always encrypted is NOT TDE option. The question asks to enable TDE.
upvoted 3 times
Reel
1 year, 11 months ago
you need to create key vault separately on two regions and then linked it together "Even in cases when there's no configured geo-redundancy for server, it's highly recommended to configure the server to use two different key vaults in two different regions with the same key material." https://learn.microsoft.com/en-us/azure/azure-sql/database/transparent-data-encryption-byok-overview?view=azuresql#high-availability-with-customer-managed-tde
upvoted 1 times
...
...
Alekx42
3 years, 4 months ago
TDE can be configured with Customer Managed keys: https://docs.microsoft.com/en-us/azure/azure-sql/database/transparent-data-encryption-tde-overview?tabs=azure-portal#customer-managed-transparent-data-encryption---bring-your-own-key Key vault is configured in multiple regions by microsoft itself. I also double-checked by creating a key vault and there are no geo-redundancy options. Also see here: https://docs.microsoft.com/en-us/azure/key-vault/general/disaster-recovery-guidance
upvoted 5 times
...
...
Alekx42
3 years, 4 months ago
The first answer is correct. You need to enable TDE with customer keys in order to track the key usage in Azure key vault. The second answer seems wrong, as pointed out by Rob77. AKV does have replication it 2 additional regions by default. So I guess that it makes more sense to use a Microsoft .NET framwork data provider https://docs.microsoft.com/en-us/dotnet/framework/data/adonet/data-providers
upvoted 2 times
terajuana
3 years, 4 months ago
TDE doesn't operate with customer keys but always encrypted does
upvoted 1 times
...
...
Rob77
3 years, 4 months ago
second answer does not seem to be correct - AKV is already replicated within the region locally (and also 2 pair regions). Therefore if the datacentre fails (or even whole region) the traffic will be redirected. https://docs.microsoft.com/en-us/azure/key-vault/general/disaster-recovery-guidance
upvoted 3 times
corebit
2 years, 9 months ago
"The contents of your key vault are replicated within the region and to a secondary region at least 150 miles away, but within the same geography to maintain high durability of your keys and secrets." https://docs.microsoft.com/en-us/azure/key-vault/general/disaster-recovery-guidance
upvoted 1 times
...
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
exam
Someone Bought Contributor Access for:
SY0-701
London, 1 minute ago