Your organization uses Azure SQL Database for a sensitive financial application. You need to implement a defense-in-depth strategy to protect the database. The requirements are: (1) All connections to the database must be encrypted in transit. (2) Only specific Azure services and on-premises IP ranges should be allowed to connect. (3) Database administrators should be able to view the database schema but not the actual data. (4) Auditing must be enabled for all data access. What combination of features should you implement?
All requirements are met.
Why this answer
Option D is correct because: (1) Enforcing TLS 1.2 ensures encryption in transit. (2) Firewall rules restrict access by IP. (3) Dynamic Data Masking hides sensitive data from admins. (4) Auditing logs data access.
Option A is wrong because Always Encrypted encrypts data at rest and in use but does not restrict network access. Option B is wrong because VNet service endpoints provide network isolation but do not enforce TLS. Option C is wrong because Azure AD authentication does not restrict network access or mask data.