Exam DP-300 topic 2 question 23 discussion

To ensure that you can back up db1 to storage1 and meet the requirements, you should generate a shared access signature (SAS) on storage1. A SAS is a URI that grants restricted access rights to storage objects. By using a SAS URI, you can delegate access to resources in your storage account, such as a container or a blob, without exposing your account key. Option B is incorrect because creating an access policy does not provide block blob storage or maximize security. Option C is incorrect because rotating the storage keys does not address the requirements for using block blob storage and maximizing security. Option D is incorrect because enabling infrastructure encryption does not address the requirement for using block blob storage.

Correct answer is A

chat gpt answer: Summary: Create a private container in your Azure Storage account. Generate a SAS token for secure access to the container. Use the SAS URL in the BACKUP DATABASE command to store the backup in Azure blob storage. Enable Transparent Data Encryption (TDE) on the database for security.

The answer A is correct

Enable infrastructure encryption is the correct answer because we are backing up the database to Azure storage account from ON prem and Question is about what should you do on storage account in this specific situation, when creating storage account, in advanced tab, we have option to "Enable infrastructure encryption" for more secure purpose. "Shared ACCESS Signature" DOESNOT even come in picture when backing up database from ON PREM server to Azure storage account.

1. The correct answer cannot be A. SAS is used to give temporal and granular access to resources in the storage account, which is not the case here, rather the opposite. 2. When infrastructure encryption is enabled for a storage account or an encryption scope, data is encrypted twice — once at the service level and once at the infrastructure level — with two different encryption algorithms and two different keys. 3. One of the requirements for the operation here is to maximize security. Therefore, the correct answer is D.

Correct answer A

The source SQL Server instance certificate from a database protected by Transparent Data Encryption (TDE) needs to be migrated to the target SQL Server on Azure Virtual Machine before migrating data. To learn more, see Move a TDE Protected Database to Another SQL Server. Tip If your database contains sensitive data that is protected by Always Encrypted, migration process using Azure Data Studio with DMS will automatically migrate your Always Encrypted keys to your target SQL Server on Azure Virtual Machine. https://learn.microsoft.com/en-us/azure/dms/tutorial-sql-server-to-virtual-machine-online-ads Answer D

The problem did not say the database have sensitive data

Enable infrastructure encryption. is not even mentioned in the link provided - https://learn.microsoft.com/en-us/azure/dms/tutorial-sql-server-to-virtual-machine-online-ads. Correct answer is A: Generate SAS which give you limited access to the backup file