Exam AZ-700 topic 4 question 12 discussion

Actual exam question from Microsoft's AZ-700
Question #: 12
Topic #: 4

You have an Azure virtual network named Vnet1.
You need to ensure that the virtual machines in Vnet1 can access only the Azure SQL resources in the East US Azure region. The virtual machines must be prevented from accessing any Azure Storage resources.
Which two outbound network security group (NSG) rules should you create? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

  • A. a deny rule that has a source of VirtualNetwork and a destination of Sql
  • B. an allow rule that has the IP address range of Vnet1 as the source and destination of Sql.EastUS
  • C. a deny rule that has a source of VirtualNetwork and a destination of 168.63.129.0/24
  • D. a deny rule that has the IP address range of Vnet1 as the source and destination of Storage
Suggested Answer: BD

Comments

milan92stankovic
Highly Voted 2 years, 4 months ago
Selected Answer: BD
Correct Answer - B & D
upvoted 9 times
...
pinchocr
Highly Voted 2 years, 4 months ago
Selected Answer: BD
Correct
upvoted 6 times
...
Sergovladi
Most Recent 3 months ago
Selected Answer: AB
Azure SQL is not part of Azure Storage. So you need to configure B first, with higher priority, to allow outbound, then create A deny rule with lower priority
upvoted 1 times
...
RemmyT
5 months ago
BD
Two different types of resources: Azure SQL & Storage. NSG attached to subnets with the virtual machines.
Rules:
  • Azure SQL: Source: Service Tag [Virtual Network], Destination: Service Tag [Sql.EastUS], Destination port ranges: *, Protocol: Any, Action: Allow, Priority: 100
  • Storages: Source: Service Tag [Virtual Network], Destination: Service Tag [Storage], Destination port ranges: *, Protocol: Any, Action: Deny, Priority: 500
upvoted 1 times
...
kikocu
10 months, 1 week ago
Storage has nothing to do with SQL. For me the correct answer will be BC. We all agree B is correct. C because the Azure IP DNS resolution (168.63.129.16) is part of that range.
upvoted 2 times
...
Lazylinux
1 year, 1 month ago
Selected Answer: BD
Have to admit this question is typical MS question i.e. as dumb as can get, here is why:
  • Not much information is given about the vNET
  • Yes you can choose AB and answer is correct in terms of meeting the requirement for SQL i.e. stop access to all SQL instances except East USA, however A Deny rule needs to be of lower priority than the E-US rule to avoid blocking access to all SQL instances – example E-US rule priority 100 and block SQL 110. However this solution doesn’t restrict the VMs from accessing the storage as per requirement
  • Yes you can choose BD, where B meets the requirement for e-US SQL and D meets the condition to block access to storage, however it doesn’t meet the requirement to prevent access to SQL resources in general
If comes in the exam I would RELUCTANTLY choose BD
upvoted 2 times
...
Apptech
1 year, 6 months ago
I don't get it. Default outbound rule for NSG is "allow all". For this case for SQL access requirement we would need answers A + B. For storage access prevention we would also need answer D. If we would assume that outbound default NSG rule is "deny all" we would need allow rule for Sql.East and an allow rule for storage. So, in none of the scenarios we have a perfect answer option when just choosing 2 answers
upvoted 1 times
_fvt
1 year, 6 months ago
"Each correct answer presents part of the solution." the key is here. So; B - because you need to allow only VMs to SQL in specific East US region not All SQL (so not A). D - because as asked you need to deny VMs to all Storage. And you'll probably add a deny rule if you had to complete "parts" of the solution.
upvoted 2 times
...
...
staffo
1 year, 8 months ago
A would work but question only mentions working with VNET1. It does not specifically mention other VNETs. D is more specific.
upvoted 1 times
...
omgMerrick
1 year, 8 months ago
Selected Answer: BD
B & D Explanation: Rule B allows traffic from the virtual machines in Vnet1 to the Azure SQL resources in the East US Azure region. Rule D denies traffic from the virtual machines in Vnet1 to any Azure Storage resources. Rule A is incorrect because it allows traffic from the virtual machines in Vnet1 to any destination that contains "Sql". Rule C is incorrect because it denies traffic from the virtual machines in Vnet1 to the Azure instance metadata service, which is not related to the given requirements.
upvoted 4 times
...
rac_sp
2 years, 3 months ago
Selected Answer: AB
Because Storage is NOT the same as SQL. There are completely different TAGs to SQL and STORAGE. SQL is database, Storage is Storage.
upvoted 1 times
cypher9
2 years, 3 months ago
I don't get it, why would you have a deny rule that has a source of VirtualNetwork?
upvoted 1 times
tng69
2 years, 2 months ago
Even if it's not what anyone would do, it is the solution closest to the ideal solution (which would be to set the VM's IP as source)
upvoted 1 times
...
...
cypher9
2 years, 3 months ago
reference?
upvoted 1 times
...
...
rac_sp
2 years, 3 months ago
Should be A and B. Storage Tags is different from SQL (that is a database actually). Also take a look that there is a TAG specifically for SQL which is a completely different resource than a Storage.
upvoted 2 times
...
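The priority and default-rule points raised in the comments above can be checked with a small first-match evaluator that includes the default outbound rules every NSG carries. This is an added example, not part of the original discussion; the address ranges standing in for the service tags and the sample endpoints are constructed placeholders, and the priorities 100 and 110 follow the ones mentioned in the comments.

```python
import ipaddress

# Constructed stand-ins for service-tag prefixes (documentation ranges, NOT real Azure ranges).
TAGS = {
    "VirtualNetwork": ["10.0.0.0/16"],   # assumed address space of Vnet1
    "Sql.EastUS": ["198.51.100.0/25"],
    "Sql": ["198.51.100.0/24"],          # all regions, a superset of Sql.EastUS
    "Storage": ["203.0.113.0/24"],
    "Internet": ["0.0.0.0/0"],           # simplification: the VNet rule matches first
    "*": ["0.0.0.0/0"],
}
VNET1 = "10.0.0.0/16"

# Default outbound rules present in every NSG.
DEFAULTS = [
    (65000, "AllowVnetOutBound", "VirtualNetwork", "VirtualNetwork", "Allow"),
    (65001, "AllowInternetOutBound", "*", "Internet", "Allow"),
    (65500, "DenyAllOutBound", "*", "*", "Deny"),
]

# Options from the question as (priority, name, source, destination, action).
RULE_A = (110, "A-DenySql", "VirtualNetwork", "Sql", "Deny")
RULE_B = (100, "B-AllowSqlEastUS", VNET1, "Sql.EastUS", "Allow")
RULE_D = (110, "D-DenyStorage", VNET1, "Storage", "Deny")

# Constructed sample endpoints.
VM, SQL_EAST, SQL_OTHER, STORAGE = "10.0.1.4", "198.51.100.10", "198.51.100.200", "203.0.113.5"

def matches(ip, prefix):
    nets = TAGS.get(prefix, [prefix])    # a literal CIDR is used as-is
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(n) for n in nets)

def evaluate(rules, src, dst):
    """First match wins, lowest priority number first; defaults are always appended."""
    for _prio, name, s, d, action in sorted(list(rules) + DEFAULTS):
        if matches(src, s) and matches(dst, d):
            return action, name

def reachability(rules):
    targets = {"sql_eastus": SQL_EAST, "sql_other": SQL_OTHER, "storage": STORAGE}
    return {k: evaluate(rules, VM, ip) for k, ip in targets.items()}

if __name__ == "__main__":
    for label, rules in [("B+D", [RULE_B, RULE_D]), ("A+B", [RULE_A, RULE_B])]:
        print(label, reachability(rules))
```

With only B and D in place, SQL endpoints outside East US are still allowed by the default AllowInternetOutBound rule, while A and B together leave Storage reachable through the same default.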
Community vote distribution
A (35%)
C (25%)
B (20%)