Design and implement data storage | hard | Multiple Choice | Objective-mapped

Quick Answer

The correct combination is to enable Azure Storage encryption with customer-managed keys stored in Azure Key Vault and configure a firewall with a service endpoint for Azure Synapse Analytics. This works because customer-managed keys (CMK) give you full control over the encryption key lifecycle, ensuring data at rest is encrypted with keys you manage and rotate, while the firewall with a service endpoint restricts network access exclusively to Azure Synapse, blocking all other Azure services and public endpoints. On the DP-203 exam, this scenario tests your understanding of layered security controls—encryption governance via Key Vault and network isolation via service endpoints—and often appears as a trap where candidates mistakenly choose a private endpoint instead of a service endpoint, forgetting that private endpoints require additional DNS configuration and are not the simplest way to restrict access to a single Azure service. A reliable memory tip is “CMK for key control, service endpoint for service isolation”—if the requirement is to block all services except Synapse, a service endpoint is the direct, exam-preferred choice.

DP-203 Design and implement data storage Practice Question

This DP-203 practice question tests your understanding of designing and implementing data storage. It is a configuration task: choose the combination of configurations that satisfies every stated requirement. After answering, compare your reasoning against the explanation and wrong-answer breakdown below to reinforce the concept and understand why each distractor is designed to mislead on exam day.

You are designing a data storage solution for an Azure Data Lake Storage Gen2 account that will store sensitive customer data. The solution must enforce that all data is encrypted at rest using customer-managed keys (CMK) stored in Azure Key Vault. Additionally, you need to prevent data from being accessed by any Azure service except Azure Synapse Analytics. Which combination of configurations should you implement?



Correct answer & explanation

Enable Azure Storage encryption with customer-managed keys stored in Azure Key Vault and configure a firewall with a service endpoint for Azure Synapse Analytics

Option A is correct because it combines two essential controls: Azure Storage encryption with customer-managed keys (CMK) stored in Azure Key Vault ensures data is encrypted at rest using keys you control, and a firewall with a service endpoint for Azure Synapse Analytics restricts network access so that only traffic from Azure Synapse Analytics can reach the storage account. This meets both the encryption and access restriction requirements.

Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • Enable Azure Storage encryption with customer-managed keys stored in Azure Key Vault and configure a firewall with a service endpoint for Azure Synapse Analytics

    Why this is correct

    This combination provides CMK encryption and restricts network access to Azure Synapse Analytics only.

    Related concept

    Read the scenario before looking for a memorised answer.

  • Enable Azure Storage encryption with customer-managed keys and use a shared access signature (SAS) token for Azure Synapse Analytics

    Why it's wrong here

    SAS tokens do not prevent other services from accessing the data if they have the token.

  • Enable Azure Storage encryption with customer-managed keys and assign an Azure Policy denying public network access

    Why it's wrong here

    Azure Policy can deny public access but does not restrict access to a specific service like Azure Synapse Analytics.

  • Enable Azure Storage encryption with Microsoft-managed keys and configure a private endpoint

    Why it's wrong here

    Microsoft-managed keys do not meet the requirement for customer-managed keys, and private endpoints do not restrict access to a specific service.

Common exam traps

Common exam trap: answer the scenario, not the keyword

The trap here is that candidates often confuse service endpoints with private endpoints or SAS tokens, thinking any network restriction or key management approach will suffice, but the question specifically requires both CMK and service-specific access control, which only a service endpoint for Azure Synapse Analytics combined with a firewall provides.

Detailed technical explanation

How to think about this question

Azure Storage encryption with CMK uses Azure Key Vault to store the key, and the storage account uses the key to encrypt the data at rest via envelope encryption. A service endpoint for Azure Synapse Analytics extends the virtual network identity to the storage account, allowing you to restrict access to only traffic originating from Azure Synapse Analytics within the same region, while a firewall rule blocks all other traffic. Under the hood, the service endpoint uses the source IP of the Synapse workspace's managed virtual network, and the storage firewall evaluates this against the allowed service list.
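As an added example (not part of the original page), the two controls described above can be checked against a storage account's ARM properties. The property names follow the Microsoft.Storage REST schema; the subnet ID, the vault URI, and the choice to treat one Synapse subnet as the only permitted source are assumptions constructed for illustration.

```python
# Added example: audit a storage account's ARM properties for CMK + firewall.
# Every resource ID and URI below is a constructed placeholder.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-example"
SYNAPSE_SUBNET = SUB + "/providers/Microsoft.Network/virtualNetworks/vnet-example/subnets/synapse"

def audit_storage_account(props, allowed_subnets):
    """Return findings; an empty list means both scenario requirements hold."""
    findings = []
    enc = props.get("encryption", {})
    if enc.get("keySource") != "Microsoft.Keyvault":
        findings.append("no-cmk")
    elif not enc.get("keyvaultproperties", {}).get("keyvaulturi"):
        findings.append("cmk-without-vault-uri")

    acls = props.get("networkAcls", {})
    if acls.get("defaultAction") != "Deny":
        findings.append("firewall-default-allow")
    # bypass is comma-separated; the API default "AzureServices" exempts
    # trusted Azure services from the firewall.
    bypass = {b.strip() for b in acls.get("bypass", "AzureServices").split(",")}
    if "AzureServices" in bypass:
        findings.append("trusted-services-bypass")
    if acls.get("ipRules"):
        findings.append("public-ip-rules")
    allowed = {s.lower() for s in allowed_subnets}
    rules = {r.get("id", "").lower() for r in acls.get("virtualNetworkRules", [])}
    if not rules & allowed:
        findings.append("synapse-subnet-not-allowed")
    if rules - allowed:
        findings.append("unexpected-subnet-rules")
    return findings

CMK = {"keySource": "Microsoft.Keyvault",
       "keyvaultproperties": {"keyname": "adls-cmk",
                              "keyvaulturi": "https://kv-example.vault.azure.net"}}
COMPLIANT = {"encryption": CMK, "networkAcls": {
    "defaultAction": "Deny", "bypass": "None", "ipRules": [],
    "virtualNetworkRules": [{"id": SYNAPSE_SUBNET, "action": "Allow"}]}}
# Microsoft-managed keys, firewall closed but no rule for Synapse.
PLATFORM_KEYS = {"encryption": {"keySource": "Microsoft.Storage"},
                 "networkAcls": {"defaultAction": "Deny", "bypass": "None"}}
# CMK in place, but the firewall is open and access relies on tokens alone.
OPEN_FIREWALL = {"encryption": CMK, "networkAcls": {"defaultAction": "Allow"}}

if __name__ == "__main__":
    for name, cfg in [("compliant", COMPLIANT), ("platform-keys", PLATFORM_KEYS),
                      ("open-firewall", OPEN_FIREWALL)]:
        print(name, audit_storage_account(cfg, [SYNAPSE_SUBNET]))
```

The `trusted-services-bypass` finding matters for this scenario because a firewall that denies by default still admits other Azure services while that exception is on.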

Key Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

Exam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Real-world example

How this comes up in practice

A media company stores terabytes of video archives that are accessed once a year for audit purposes. Moving these objects to a cold storage tier (Azure Archive, S3 Glacier, or Google Nearline) costs a fraction of hot storage. Questions like this test whether you understand storage tiers, access frequency tradeoffs, and retrieval latency requirements.

What to study next

Got this wrong? Here's your next step.

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.


FAQ

Questions learners often ask

What does this DP-203 question test?

This question tests Design and implement data storage. Key concept: read the scenario before looking for a memorised answer.

What is the correct answer to this question?

The correct answer is: Enable Azure Storage encryption with customer-managed keys stored in Azure Key Vault and configure a firewall with a service endpoint for Azure Synapse Analytics — Option A is correct because it combines two essential controls: Azure Storage encryption with customer-managed keys (CMK) stored in Azure Key Vault ensures data is encrypted at rest using keys you control, and a firewall with a service endpoint for Azure Synapse Analytics restricts network access so that only traffic from Azure Synapse Analytics can reach the storage account. This meets both the encryption and access restriction requirements.

What should I do if I get this DP-203 question wrong?

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

What is the key concept behind this question?

Read the scenario before looking for a memorised answer.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.

Last reviewed: Jun 24, 2026
