Exam SC-100 topic 12 question 2 discussion

Actual exam question from Microsoft's SC-100
Question #: 2
Topic #: 13

HOTSPOT
You need to recommend a solution to meet the requirements for connections to ClaimsDB.
What should you recommend using for each requirement? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Suggested Answer:
Box 1: A private endpoint
Scenario: An Azure SQL database named ClaimsDB that contains a table named ClaimDetails
Requirements, ClaimsApp Deployment:
Fabrikam plans to implement an internet-accessible application named ClaimsApp that will have the following specifications:
✑ ClaimsApp will be deployed to Azure App Service instances that connect to Vnet1 and Vnet2.
✑ Users will connect to ClaimsApp by using a URL of https://claims.fabrikam.com.
✑ ClaimsApp will access data in ClaimsDB.
✑ ClaimsDB must be accessible only from Azure virtual networks.
✑ The app services permission for ClaimsApp must be assigned to ClaimsDB.
Web app private connectivity to Azure SQL Database
Architecture: (diagram not reproduced; see the referenced example scenario)
Workflow:
1. Using Azure App Service regional VNet Integration, the web app connects to Azure through an AppSvcSubnet delegated subnet in an Azure Virtual Network.
2. In this example, the Virtual Network only routes traffic and is otherwise empty, but other subnets and workloads could also run in the Virtual Network.
3. The App Service and Private Link subnets could be in separate peered Virtual Networks, for example as part of a hub-and-spoke network configuration.
4. Azure Private Link sets up a private endpoint for the Azure SQL Database in the PrivateLinkSubnet of the Virtual Network.
5. The web app connects to the SQL Database private endpoint through the PrivateLinkSubnet of the Virtual Network.
The database firewall allows only traffic coming from the PrivateLinkSubnet to connect, making the database inaccessible from the public internet.

Box 2: A managed identity
Managed identities for Azure resources provide Azure services with an automatically managed identity in Azure Active Directory. Using a managed identity, you can authenticate to any service that supports Azure AD authentication without managing credentials.
References:
https://docs.microsoft.com/en-us/azure/architecture/example-scenario/private-web-app/private-web-app
https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/managed-identities-status

Comments

JakeCallham
Highly Voted 1 year, 2 months ago
Yes, the best way to connect to a SQL DB from a web app is a managed identity with token retrieval, either system-assigned or user-assigned. You will have to create a user in the sys.principal table with a SID of the system-assigned or user-assigned client ID. This value is sent when a connection is made to the DB. One could even supply this value in the configuration settings of the web app by setting AZURE_CLIENT_ID. The other part is a private endpoint; this way you will create a private IP for the SQL instance, and any settings on the DB will not open up the SQL to the public. I have dealt with this scenario for a couple of projects and these are the correct answers.
upvoted 26 times
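Putting the two boxes together in code, as an added example that is not from the exam page, the comments or Microsoft's documentation: the client-ID-to-SID mapping and CREATE USER statement JakeCallham describes, and the token-based connection the web app makes through the private endpoint. It assumes pyodbc and azure-identity are installed on the App Service host, that the caller supplies the server and database names, and that db_datareader is enough for ClaimsApp.

```python
import struct
import uuid

SQL_SCOPE = "https://database.windows.net/.default"  # token audience for Azure SQL
SQL_COPT_SS_ACCESS_TOKEN = 1256  # ODBC connection attribute carrying the access token


def client_id_to_sid(client_id: str) -> str:
    """T-SQL SID literal for a managed identity's client ID. Azure SQL stores the
    GUID in the byte order of .NET Guid.ToByteArray(), i.e. Python's bytes_le."""
    return "0x" + uuid.UUID(client_id).bytes_le.hex().upper()


def create_user_sql(db_user: str, client_id: str) -> str:
    """T-SQL that maps the identity onto a contained database user. TYPE = E marks
    an external (Azure AD) principal; db_datareader is an assumed least-privilege
    role, grant only what ClaimsApp actually needs."""
    name = db_user.replace("]", "]]")  # escape the identifier-quoting character
    return (
        f"CREATE USER [{name}] WITH SID = {client_id_to_sid(client_id)}, TYPE = E;\n"
        f"ALTER ROLE db_datareader ADD MEMBER [{name}];"
    )


def pack_access_token(token: str) -> bytes:
    """Encode a bearer token as the SQL Server ODBC driver expects it:
    UTF-16-LE bytes prefixed by their 4-byte little-endian length."""
    raw = token.encode("utf-16-le")
    return struct.pack("<I", len(raw)) + raw


def connect_with_managed_identity(server: str, database: str):
    """Open a pyodbc connection with the App Service's managed identity: no
    password is stored anywhere, the token is fetched at runtime. With
    AZURE_CLIENT_ID set, DefaultAzureCredential uses that user-assigned
    identity, otherwise the system-assigned one. The server name is unchanged
    behind a private endpoint; the privatelink DNS zone resolves it to the
    private IP instead of the public one."""
    import pyodbc  # lazy imports: these packages exist only on the App Service host
    from azure.identity import DefaultAzureCredential

    token = DefaultAzureCredential().get_token(SQL_SCOPE).token
    conn_str = (
        "Driver={ODBC Driver 18 for SQL Server};"
        f"Server=tcp:{server},1433;Database={database};Encrypt=yes;"
    )
    return pyodbc.connect(
        conn_str, attrs_before={SQL_COPT_SS_ACCESS_TOKEN: pack_access_token(token)}
    )
```

The CREATE USER statement is run once by a database administrator against ClaimsDB; the web app itself only ever calls connect_with_managed_identity.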
zellck
Highly Voted 7 months, 3 weeks ago
1. private endpoint
2. managed identity
https://learn.microsoft.com/en-us/azure/azure-sql/database/private-endpoint-overview?view=azuresql
Private Link allows you to connect to various PaaS services in Azure via a private endpoint. A private endpoint is a private IP address within a specific VNet and subnet.
https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview
While developers can securely store the secrets in Azure Key Vault, services need a way to access Azure Key Vault. Managed identities provide an automatically managed identity in Azure Active Directory (Azure AD) for applications to use when connecting to resources that support Azure AD authentication. Applications can use managed identities to obtain Azure AD tokens without having to manage any credentials.
upvoted 6 times
ConanBarb
Most Recent 3 months, 2 weeks ago
I venture to claim that a Service Endpoint is a better and more correct choice than Private Endpoint here. Please prove me wrong. Both options fulfill the requirements:
* ClaimsApp will access data in ClaimsDB.
* ClaimsDB must be accessible only from Azure virtual networks.
Service Endpoint will make it possible to firewall ClaimsDB to accept only from the Vnets if Litewire. The Private Endpoint alternative will also give some other benefits, such as giving the target service (the ClaimsDB) a private IP and thus making it possible to lock down ClaimsApp (through NSGs, for example) so that it cannot use any other DB of the same type (not inherently possible with Service Endpoints), which is a protection against data exfiltration, for example. However, those benefits are not among the stated requirements. And it's usually best to choose the simplest and cheapest option in exams if there is no evidence for the more complex or costly one.
upvoted 2 times
slobav
3 months, 3 weeks ago
Box 1: private endpoint
Box 2: managed identity
https://www.youtube.com/watch?v=r-P-2lGzPFQ&list=PLQ2ktTy9rklhzzkSEZvDZT4QSIVUQZD-Y&index=9 Question 115
upvoted 1 times
tester18128075
9 months, 2 weeks ago
Private endpoint is not correct; it will allow the connection from the on-prem network as well. The requirement clearly states it should be only from the VNET. Hence the answer should be Service endpoint and managed identity.
upvoted 2 times
KallMeDan
8 months, 2 weeks ago
You can restrict an on-premises network from accessing the private endpoint by deploying an NSG in the subnet in which the private endpoint exists.
upvoted 2 times
roky008
10 months ago
Box 1: private endpoint
https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-overview
Box 2: managed identity
upvoted 3 times
roky008
10 months ago
Box 1: managed identity
Box 2: private endpoint
https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-overview
upvoted 1 times
roky008
10 months ago
I made a mistake, the right choice is:
Box 1: private endpoint
https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-overview
Box 2: managed identity
upvoted 2 times
pangchn
1 year, 4 months ago
Given answer looks good to me
upvoted 5 times