Question 1hardmultiple choice
Full question →hardmultiple choiceObjective-mapped
A company has an Azure SQL Database with a private endpoint connection. The database is accessed from on-premises via ExpressRoute and from other Azure virtual networks (VNets) via VNet peering. The security team wants to ensure that all queries from both on-premises and peered VNets go through the private endpoint and NEVER use the public endpoint, even as a fallback. Which additional configuration is required to enforce this?
Answer choices
Why each option matters
Good practice is not just finding the correct option. The wrong answers often show the exact trap the exam wants you to fall into.
A
Distractor review
Configure a Network Security Group (NSG) on the subnet hosting the private endpoint to deny outbound traffic to the public endpoint's IP addresses.
This is incorrect because NSGs cannot block traffic destined to the public endpoint from within the VNet if the client chooses to resolve the public endpoint. Furthermore, NSGs do not control traffic from on-premises.
B
Distractor review
Enable Azure SQL Auditing and configure a log analytics workspace to monitor for public endpoint calls, then manually block them.
This is a detective measure, not a preventative one. It does not enforce that only private endpoint connections are used; it only alerts after the fact.
C
Best answer
Disable public network access on the Azure SQL server.
Correct. Disabling public network access on the SQL server blocks all traffic from the public internet, leaving only the private endpoint as the entry point. This ensures all traffic from on-premises and peered VNets must use the private endpoint.
D
Distractor review
Configure a service endpoint for Azure SQL on the VNet and associate a firewall rule allowing only the VNet traffic.
Service endpoints provide secure routing but still allow the server's public endpoint to be used if the private endpoint is not enforced. This does not enforce exclusive use of the private endpoint.
Common exam trap
Common exam trap: usable hosts are not the same as total addresses
Subnetting questions often tempt you into counting all addresses. In normal IPv4 subnets, the network and broadcast addresses are not usable host addresses.
Technical deep dive
How to think about this question
Subnetting questions test whether you can identify the network, broadcast address, usable range, mask and correct subnet. Slow down enough to calculate the block size correctly.
KKey Concepts to Remember
- CIDR notation defines the prefix length.
- Block size helps identify subnet boundaries.
- Network and broadcast addresses are not usable hosts in normal IPv4 subnets.
- The required host count determines the smallest suitable subnet.
TExam Day Tips
- Write the block size before choosing the subnet.
- Check whether the question asks for hosts, subnets or a specific address range.
- Do not confuse /24, /25, /26 and /27 host counts.
Related practice questions
Related AZ-500 practice-question pages
Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.
More questions from this exam
Keep practising from the same exam bank, or move into a focused topic page if this question exposed a weak area.
Question 1
A DevOps team wants Defender for Cloud to identify secrets exposed in GitHub repositories. What should be configured?
Question 2
A public web application should be protected from OWASP-style attacks and network-layer DDoS attacks. Which two Azure services are most relevant?
Question 3
A Sentinel scheduled rule runs every 5 minutes and looks back 1 hour. Analysts see repeated alerts for the same event. Which change best prevents duplicate detections without missing late-arriving logs?
Question 4
A SOC analyst needs a Sentinel query that detects multiple failed sign-ins followed by a successful sign-in for the same user. Which table is the best primary source?
Question 5
A Sentinel watchlist contains high-value administrator accounts. Which KQL pattern best uses it in a detection rule?
Question 6
A SOC wants a Sentinel rule to include account, host, and IP entities so analysts can pivot during investigation. What should be configured in the analytics rule?
FAQ
Questions learners often ask
What does this AZ-500 question test?
CIDR notation defines the prefix length.
What is the correct answer to this question?
The correct answer is: Disable public network access on the Azure SQL server. — To ensure that all traffic to the Azure SQL Database goes exclusively through the private endpoint, you must disable public network access on the SQL server. This blocks all incoming connections from the public internet, including the public endpoint. With public network access disabled, only connections from approved private endpoints are accepted. Configuring only a firewall rule (option D) or a service endpoint (option C) would still allow the public endpoint to be used, and using a log analyzer (option B) does not prevent the public endpoint from being used.
What should I do if I get this AZ-500 question wrong?
Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.
Discussion
Loading comments…
Sign in to join the discussion.