Exam AZ-104 topic 2 question 68 discussion

The correct answer is B. a service tag. In order to ensure that the virtual machines can access Vault1 while also using the principle of least privilege and minimizing administrative effort, you should configure a service tag as the destination of the outbound security rule for NSG1. Service tags represent a group of IP addresses associated with Azure PaaS and SaaS services. By specifying a service tag as the destination of the outbound security rule, you can allow the virtual machines to access Vault1 without having to manually specify the IP addresses of Vault1. This reduces administrative effort and ensures that the virtual machines are only able to access Vault1, rather than any other internet destination.

B - Service Tag is correct. https://learn.microsoft.com/en-us/azure/virtual-network/service-tags-overview#available-service-tags "AzureKeyVault" tag can be used in outbound NSGs.

it says " least privilege" but B will give access to all vaults, not only vault1. I don't like this question. I would rather answer C and create a private endpoint to vault1 but one will say the question does not say there is a private endpoint, and it says least administrative task.... Those days, Who wants to favor less admin task compare to least permissions??

B is corerct

B. a service tag Service tags in Azure simplify the security definition for Azure services, allowing you to define network access controls on NSG rules without having to know the specific IP addresses. Specifically, you can use the "AzureKeyVault" service tag to enable virtual machines to access Azure Key Vault services like Vault1, securely and efficiently. This approach directly aligns with the principle of least privilege by restricting outbound traffic specifically to the Azure Key Vault service, thereby minimizing broader internet access and reducing administrative complexity.

B is correct

similar as question 32 on https://www.examtopics.com/exams/microsoft/az-104/view/51/

This question was on my exam on 22 Sep 2023. scored 900 i answered B

To ensure that the virtual machines can access Vault1 while adhering to the principle of least privilege and minimizing administrative effort, you should use Azure's built-in service tags. These service tags represent a group of IP address prefixes from a given Azure service. When you want to allow communication between Azure services and resources, using service tags reduces the complexity of IP address management. For your requirement, Azure provides a service tag specifically for Azure Key Vault: AzureKeyVault. By using this service tag, you ensure that your virtual machines can only access Azure Key Vault in the East US region and not other unrelated internet resources. Therefore, the correct answer is: B. a service tag.

B most voted.

Una etiqueta de servicio representa un grupo de prefijos de direcciones IP de un servicio de Azure determinado. Microsoft administra los prefijos de direcciones que la etiqueta de servicio incluye y actualiza automáticamente dicha etiqueta a medida que las direcciones cambian, lo que minimiza la complejidad de las actualizaciones frecuentes en las reglas de seguridad de red. Puede usar etiquetas de servicio para definir controles de acceso a la red en grupos de seguridad de red, Azure Firewall y rutas definidas por el usuario. Use etiquetas de servicio en lugar de direcciones IP específicas cuando cree reglas de seguridad y rutas.

Service tag is the least work. MSFT answers are ALWAYS the least administrative effort answers, and there will usually be only one choice that stands out.

B - Service Tag is correct. https://learn.microsoft.com/en-us/azure/virtual-network/service-tags-overview#available-service-tags "AzureKeyVault" tag can be used in outbound NSGs.

B is the answer. A service tag represents a group of IP address prefixes from a given Azure service. Microsoft manages the address prefixes encompassed by the service tag and automatically updates the service tag as addresses change, minimizing the complexity of frequent updates to network security rules. You can use service tags to achieve network isolation and protect your Azure resources from the general Internet while accessing Azure services that have public endpoints. Create inbound/outbound network security group rules to deny traffic to/from Internet and allow traffic to/from AzureCloud or other available service tags of specific Azure services.

B is the answer. https://learn.microsoft.com/en-us/azure/virtual-network/service-tags-overview A service tag represents a group of IP address prefixes from a given Azure service. Microsoft manages the address prefixes encompassed by the service tag and automatically updates the service tag as addresses change, minimizing the complexity of frequent updates to network security rules. You can use service tags to achieve network isolation and protect your Azure resources from the general Internet while accessing Azure services that have public endpoints. Create inbound/outbound network security group rules to deny traffic to/from Internet and allow traffic to/from AzureCloud or other available service tags of specific Azure services.

B - Service Tag is correct. https://learn.microsoft.com/en-us/azure/virtual-network/service-tags-overview#available-service-tags "AzureKeyVault" tag can be used in outbound NSGs.

To ensure that the virtual machines can access Vault1 while minimizing administrative effort and using the principle of least privilege, you should configure a service tag as the destination of the outbound security rule for NSG1.