A VM in VNet-Prod must connect to Azure SQL Database over a private IP address. The SQL server must not be reachable through its public endpoint, and the VM should resolve the server name automatically without manual DNS entries. Which three actions are required? Select three.

Enable a service endpoint for Microsoft.Sql on the subnet instead of using a private endpoint.

A service endpoint extends identity to the public service endpoint and does not create a private IP.

Leave public network access enabled and add the VNet as an allowed firewall rule.

That permits access over the public endpoint, which conflicts with the private-IP-only requirement.

What does this AZ-104 question test?

CIDR notation defines the prefix length.

What is the correct answer to this question?

The correct answer is: Create a private endpoint for the Azure SQL server in VNet-Prod. — To make Azure SQL reachable on a private IP, you need a private endpoint in the VNet. The SQL private DNS zone then maps the standard database name to that private endpoint. Linking the zone to the VNet makes the resolution automatic for clients in that network. Together these steps provide private connectivity, automatic name resolution, and removal of the public exposure path. Why others are wrong: A service endpoint still uses the public service endpoint and therefore does not satisfy private-IP access. Leaving public network access enabled would preserve the public path, which the scenario explicitly forbids. The question is intentionally about private endpoint plumbing, not just permitting a subnet through a firewall.

What should I do if I get this AZ-104 question wrong?

Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.