CCNA Data App Strategy Questions

22 questions · Data App Strategy topic · All types, answers revealed

1 · MCQ · hard

You are the security architect for Contoso Ltd., a company that runs a critical e-commerce application on Azure Kubernetes Service (AKS). The application consists of multiple microservices that communicate over HTTP. The application uses Azure SQL Database for transactional data and Azure Redis Cache for session state. Recently, a security audit revealed that several microservices are vulnerable to SQL injection attacks because they construct SQL queries by concatenating user input. Additionally, the Redis cache is exposed to the internet with no firewall rules, and the connection string is stored in plain text in the application configuration file. The development team is concerned about performance and wants to minimize changes to the codebase. You need to design a strategy to mitigate these vulnerabilities with minimal code changes. Which of the following is the best course of action?

A. Deploy Azure Web Application Firewall (WAF) on Application Gateway to protect against SQL injection, configure Azure Redis Cache with a private endpoint and disable public network access, and use Azure Key Vault with a managed identity to inject the Redis connection string into the application.
B. Enable Azure Web Application Firewall (WAF) on an Application Gateway in front of AKS to block SQL injection, move Redis to a private endpoint with a firewall rule, and use Azure Key Vault with a managed identity to inject the Redis connection string.
C. Move all SQL queries to stored procedures, enable Redis persistence with AOF, and store the connection string in a Kubernetes secret.
D. Refactor the microservices to use parameterized SQL queries, configure Azure Redis Cache firewall to allow only AKS node IPs, and store the connection string in Azure Key Vault with a managed identity.

Answer: A

WAF blocks SQL injection without code changes, private endpoint secures Redis, Key Vault with managed identity protects secrets.

Why this answer

Option A is correct because it addresses all three vulnerabilities with minimal code changes: Azure WAF on Application Gateway provides network-layer SQL injection protection without modifying application code; configuring Azure Redis Cache with a private endpoint and disabling public network access secures the cache without code changes; and using Azure Key Vault with a managed identity injects the Redis connection string securely at runtime, eliminating plain-text storage without altering the application's configuration loading logic.

Exam trap

The trap here is that candidates often choose a technically correct but code-heavy solution (like parameterized queries) over a network-layer defense (WAF) that achieves the same goal with minimal code changes, failing to prioritize the 'minimal code changes' constraint in the question.

How to eliminate wrong answers

Option B is wrong because it suggests moving Redis to a private endpoint 'with a firewall rule' — private endpoints inherently disable public network access and do not use firewall rules; the phrase 'firewall rule' indicates a misunderstanding of private endpoint behavior. Option C is wrong because moving SQL queries to stored procedures requires significant codebase refactoring, contradicting the requirement for minimal code changes, and storing the connection string in a Kubernetes secret still stores it in plain text within the cluster's etcd, failing to address the plain-text vulnerability. Option D is wrong because refactoring microservices to use parameterized SQL queries requires extensive code changes, violating the minimal code changes constraint, and configuring Redis firewall to allow only AKS node IPs still leaves the cache exposed to the internet if the firewall is misconfigured or if node IPs change.

2 · MCQ · medium

A company is migrating on-premises applications to Azure. They need to ensure that applications can use their existing Active Directory credentials for authentication. Which Azure service should they use?

A. Azure AD Domain Services
B. Azure Active Directory
C. Azure AD Connect
D. Azure AD B2C

Answer: A

Provides LDAP, Kerberos, NTLM.

Why this answer

Azure AD Domain Services (Azure AD DS) provides managed domain services such as domain join, group policy, and Kerberos/NTLM authentication. This allows legacy on-premises applications that rely on Active Directory credentials to authenticate without needing to deploy and manage domain controllers in Azure. It bridges the gap by synchronizing identities from Azure AD and exposing traditional AD features over a virtual network.

Exam trap

The trap here is confusing Azure AD (a modern identity platform) with Azure AD DS (a managed domain service that provides legacy AD protocols), leading candidates to pick Azure Active Directory because they think it handles all authentication scenarios.

How to eliminate wrong answers

Option B (Azure Active Directory) is wrong because it is a cloud-based identity and access management service that uses modern protocols like OAuth 2.0 and OpenID Connect, not LDAP, Kerberos, or NTLM, so it cannot directly authenticate legacy applications expecting an on-premises AD domain controller. Option C (Azure AD Connect) is wrong because it is a synchronization tool that replicates on-premises AD objects to Azure AD; it does not provide authentication services itself. Option D (Azure AD B2C) is wrong because it is designed for customer-facing identity management with social logins and custom policies, not for enterprise applications needing existing AD credential validation.

3 · Drag & Drop · medium

Order the steps to respond to a Microsoft Defender for Cloud security alert.


Why this order

Alert response involves reviewing, assessing, remediating, and then closing the alert.

4 · MCQ · hard

A company is planning to use Azure Logic Apps to integrate multiple SaaS applications. The workflow will process sensitive customer data and must comply with data residency requirements, ensuring that data does not leave a specific Azure region. The solution must minimize latency. What is the recommended deployment strategy?

A. Use Azure API Management to route traffic to Logic Apps in the required region.
B. Deploy Logic Apps using the Standard plan in the required region.
C. Deploy Logic Apps using the Consumption plan in the required region.
D. Provision an Integration Service Environment (ISE) in the required region and deploy Logic Apps into it.

Answer: D

ISE provides dedicated storage and compute, ensuring data stays within the region.

Why this answer

Option D is correct because an Integration Service Environment (ISE) is a dedicated, isolated instance of the Azure Logic Apps runtime that runs in your own virtual network, ensuring data never leaves the specified Azure region. This meets strict data residency requirements while minimizing latency by keeping all processing within the same regional boundary. The ISE also provides dedicated compute resources, avoiding multi-tenant contention and reducing network hops.

Exam trap

Microsoft often tests the misconception that any Logic Apps plan deployed in a region automatically guarantees data residency, but only the ISE provides the isolated, single-tenant runtime required to prevent data from leaving the region.

How to eliminate wrong answers

Option A is wrong because Azure API Management is a gateway for API routing and does not enforce data residency or provide isolated compute for Logic Apps; it would add an extra hop, increasing latency. Option B is wrong because the Standard plan for Logic Apps runs in a multi-tenant environment, meaning data may traverse regional boundaries or shared infrastructure, violating strict data residency requirements. Option C is wrong because the Consumption plan is also multi-tenant and serverless, with no guarantee that data processing stays within a single region, and it introduces higher latency due to cold starts and shared resources.

5 · Matching · medium

Match each identity security concept to its definition.


Policy engine to enforce access controls

Just-in-time privileged role activation

Detect and remediate identity risks

Azure AD identity for Azure resources

Identity for applications in Azure AD

Why these pairings

These are fundamental identity concepts in Azure AD.

6 · MCQ · easy

A company deploys Azure App Service with a custom domain and SSL certificate. They want to enforce HTTPS only. Which configuration setting should they enable?

A. HTTPS Only
B. Client Certificates
C. Minimum TLS Version
D. Custom Domain

Answer: A

Enforces HTTPS redirect.

Why this answer

The 'HTTPS Only' setting in Azure App Service enforces that all incoming requests are redirected from HTTP to HTTPS, ensuring encrypted communication. This is achieved by returning a 301 redirect for any HTTP request, which aligns with the requirement to enforce HTTPS only.

Exam trap

The trap here is that candidates may confuse 'HTTPS Only' with 'Minimum TLS Version', thinking that setting a high TLS version also enforces HTTPS, but the latter only restricts the TLS protocol version without redirecting HTTP traffic.

How to eliminate wrong answers

Option B is wrong because 'Client Certificates' enables mutual TLS authentication, requiring clients to present a certificate, but does not enforce HTTPS-only traffic. Option C is wrong because 'Minimum TLS Version' controls the lowest TLS version allowed for incoming connections, but does not redirect HTTP to HTTPS. Option D is wrong because 'Custom Domain' is used to map a custom domain name to the app service, not to enforce HTTPS-only traffic.

7 · Multi-Select · medium

A company uses Azure Storage for sensitive data. They need to ensure that data is encrypted at rest and that encryption keys are managed by the customer (Customer-Managed Keys). Which THREE actions are required?

Select 3 answers
A. Enable double encryption
B. Create an Azure Key Vault to store the customer-managed key
C. Assign RBAC role to storage account to access Key Vault
D. Enable Azure Information Protection
E. Enable Storage Service Encryption (SSE) with customer-managed keys

Answers: B, C, E

Key Vault required for CMK.

Why this answer

Option B is correct because customer-managed keys (CMK) for Azure Storage encryption must be stored in an Azure Key Vault, which provides a secure, centralized repository for managing cryptographic keys. Without a Key Vault, the customer cannot control or rotate the encryption keys used by Storage Service Encryption (SSE).

Exam trap

The trap here is that candidates may confuse optional features like double encryption or Azure Information Protection with mandatory prerequisites for customer-managed keys, when in fact only Key Vault creation, RBAC assignment, and enabling SSE with CMK are required.

8 · Multi-Select · easy

A company is designing a secure DevOps pipeline for deploying Azure App Service applications. They need to ensure that secrets are not exposed in source code. Which TWO practices should they implement?

Select 2 answers
A. Use Azure Key Vault references in App Service application settings
B. Implement Git pre-commit hooks to scan for secrets
C. Store secrets in Azure DevOps library variable groups
D. Use Azure Policy to audit for secret exposure
E. Use Azure Key Vault variables in Azure DevOps release pipelines

Answers: A, E

Secrets retrieved at runtime from Key Vault.

Why this answer

Option A is correct because Azure Key Vault references allow App Service to securely retrieve secrets (e.g., connection strings, API keys) at runtime without storing them in source code or configuration files. The reference syntax @Microsoft.KeyVault(SecretUri=https://myvault.vault.azure.net/secrets/mysecret/) is resolved by the App Service platform, ensuring secrets are never exposed in the repository or build artifacts.

Exam trap

The trap here is that candidates confuse Azure DevOps library variable groups (which can be linked to Key Vault) with the direct use of Key Vault references in App Service settings, but the question specifically asks for practices that prevent secret exposure in source code, and variable groups still store the secret reference in the pipeline definition, which can be exposed in logs or YAML files.

9 · Multi-Select · hard

A multinational corporation is designing a data classification strategy for Microsoft 365. They have the following requirements: (1) Documents containing financial data must be labeled as 'Confidential' automatically. (2) Labels must be applied based on content patterns, such as credit card numbers. (3) The solution must work across Exchange Online, SharePoint Online, and OneDrive for Business. Which two components are essential?

Select 2 answers
A. Azure Information Protection (AIP) unified labeling client
B. Sensitivity labels in Microsoft Purview Information Protection
C. Data Loss Prevention (DLP) policies in Microsoft 365 Security & Compliance Center
D. Retention policies in Microsoft 365 Compliance Center
E. Auto-labeling policies in Microsoft Purview Compliance Portal

Answers: B, E

Sensitivity labels are the core classification mechanism.

Why this answer

Sensitivity labels in Microsoft Purview Information Protection are the core technology for classifying and protecting data based on content patterns. They support automatic labeling via auto-labeling policies that scan for sensitive data types (e.g., credit card numbers) and can apply labels across Exchange Online, SharePoint Online, and OneDrive for Business. This directly meets all three requirements: automatic labeling, pattern-based detection, and cross-workload coverage.

Exam trap

Microsoft often tests the distinction between DLP policies (which enforce actions on sensitive data) and auto-labeling policies (which apply sensitivity labels based on content patterns), causing candidates to mistakenly select DLP policies when the requirement is for automatic labeling.

10 · MCQ · medium

A company is designing a microservices architecture on Azure Kubernetes Service (AKS). They need to secure communication between services using mutual TLS (mTLS). Which solution should they implement?

A. Azure Application Gateway
B. Azure Firewall
C. Azure API Management
D. Istio service mesh

Answer: D

Provides mTLS for microservices.

Why this answer

Istio service mesh is the correct solution because it provides a dedicated infrastructure layer for managing service-to-service communication, including automatic mutual TLS (mTLS) between microservices. Istio injects Envoy sidecar proxies into each pod, which handle encryption, authentication, and authorization without requiring application code changes. This enables zero-trust network security within the AKS cluster.

Exam trap

The trap here is that candidates often confuse ingress/egress security appliances (like Application Gateway or API Management) with internal service-to-service security, assuming a gateway can handle mTLS for east-west traffic when it is designed only for north-south traffic.

How to eliminate wrong answers

Option A is wrong because Azure Application Gateway is a Layer 7 load balancer and web application firewall (WAF) that operates at the ingress edge, not within the cluster for east-west traffic; it cannot enforce mTLS between individual microservices. Option B is wrong because Azure Firewall is a stateful network firewall that filters traffic at the network and application layers but does not provide service-level identity or mTLS capabilities for pod-to-pod communication. Option C is wrong because Azure API Management is an API gateway for managing external APIs and does not handle internal service-to-service mTLS within the AKS cluster; it lacks sidecar proxy injection and service mesh features.

11 · Multi-Select · hard

A company is designing a data classification strategy for their Azure environment. They need to identify sensitive data stored in Azure SQL Database. Which TWO solutions should they consider?

Select 2 answers
A. Azure Information Protection
B. Azure SQL Data Discovery & Classification
C. Azure Purview
D. SQL Vulnerability Assessment
E. Azure Policy

Answers: B, D

Built-in classification for SQL DB.

Why this answer

Azure SQL Data Discovery & Classification is correct because it is a native feature of Azure SQL Database that automatically discovers, classifies, and labels sensitive columns (e.g., credit card numbers, PII) directly within the database engine. It provides a built-in dashboard for auditing and monitoring classification status, making it the primary tool for identifying sensitive data stored in Azure SQL Database.

Exam trap

The trap here is that candidates often confuse Azure Information Protection (AIP) with Azure SQL Data Discovery & Classification, assuming AIP can classify database columns, when in fact AIP is designed for unstructured data like documents and emails, not structured SQL data.

12 · Drag & Drop · medium

Order the steps to perform a disaster recovery failover of an Azure VM to a secondary region using Azure Site Recovery.


Why this order

Failover involves selecting VM, recovery point, initiating, and committing.

13 · MCQ · easy

A company uses Azure SQL Database and needs to implement column-level encryption for a column containing social security numbers (SSNs). The encryption must use a customer-managed key stored in Azure Key Vault. The application queries this column using parameterized queries. Which technology should be used?

A. Dynamic Data Masking (DDM)
B. Row-Level Security (RLS)
C. Transparent Data Encryption (TDE) with customer-managed keys
D. Always Encrypted with secure enclaves

Answer: D

Always Encrypted provides column-level encryption and supports rich queries with secure enclaves.

Why this answer

Always Encrypted with secure enclaves is the correct choice because it enables client-side encryption of specific columns (like SSNs) using a customer-managed key stored in Azure Key Vault, while still allowing rich computations (e.g., equality, pattern matching) on the encrypted data within a secure enclave. This meets the requirement for column-level encryption with customer-managed keys and supports parameterized queries without exposing plaintext to the database engine.

Exam trap

The trap here is that candidates often confuse Transparent Data Encryption (TDE) with column-level encryption, mistakenly believing TDE protects data from the database engine or privileged users, whereas TDE only protects data at rest on disk and does not prevent in-memory exposure.

How to eliminate wrong answers

Option A is wrong because Dynamic Data Masking (DDM) only obfuscates data at query results time for unauthorized users, but does not encrypt the data at rest or in transit, and the underlying plaintext remains accessible to the database engine. Option B is wrong because Row-Level Security (RLS) controls access to rows based on user predicates but does not encrypt individual columns or protect data from the database engine itself. Option C is wrong because Transparent Data Encryption (TDE) encrypts the entire database at rest, not individual columns, and does not prevent the database engine or privileged users from seeing plaintext data in memory or during query execution.

14 · Matching · medium

Match each Zero Trust principle to its implementation in Azure.


Use Conditional Access and MFA

Implement Just-In-Time (JIT) and PIM

Segment networks and use micro-perimeters

Monitor with Azure Sentinel and Defender

Use playbooks and automated remediation

Why these pairings

These align with the Microsoft Zero Trust model.

15 · MCQ · hard

A company uses Azure Policy to audit storage accounts for secure transfer (HTTPS) enforcement. The policy is set to 'AuditIfNotExists' but compliance shows 0% non-compliant storage accounts even though some accounts have secure transfer disabled. What is the most likely cause?

A. The policy is in 'audit' mode and does not evaluate
B. The policy should use 'Audit' or 'Deny' effect instead of 'AuditIfNotExists'
C. The storage accounts are in a different region
D. The policy assignment scope does not include the non-compliant accounts

Answer: B

AuditIfNotExists is for existence of a resource, not property.

Why this answer

The 'AuditIfNotExists' effect is designed to audit resources that do not have a specific extension or sub-resource (e.g., a diagnostic setting or an agent). For a policy that needs to check a property of the storage account itself (like secure transfer enabled), the correct effect is 'Audit' (or 'Deny'). 'AuditIfNotExists' will never flag a storage account as non-compliant for missing the secure transfer property because it is looking for the absence of a child resource, not a property misconfiguration.

Exam trap

The trap here is that candidates confuse 'AuditIfNotExists' with 'Audit', assuming both can check resource properties, but 'AuditIfNotExists' is specifically for auditing the absence of a sub-resource or extension, not the resource's own configuration.

How to eliminate wrong answers

Option A is wrong because 'audit' mode is not a valid Azure Policy mode; policies use 'audit' effect, not a mode, and all policies evaluate resources within their scope regardless of effect. Option C is wrong because Azure Policy evaluates all storage accounts in the assigned scope regardless of region; region does not affect policy evaluation. Option D is wrong because if the policy assignment scope did not include the non-compliant accounts, those accounts would simply not be evaluated, but the question states compliance shows 0% non-compliant, implying the accounts are in scope yet not flagged, which points to an effect mismatch.

16 · MCQ · medium

A company uses Azure App Service to host a web application that stores sensitive data in Azure SQL Database. The security team requires that data at rest in the database be encrypted using a customer-managed key stored in Azure Key Vault. The key must be rotated automatically every 90 days. What is the recommended approach to meet these requirements?

A. Encrypt sensitive columns using cell-level encryption with keys stored in Azure Key Vault and rotate keys manually every 90 days.
B. Enable Transparent Data Encryption (TDE) with service-managed keys in Azure SQL Database.
C. Enable TDE with customer-managed keys in Azure Key Vault and set a key rotation policy in Key Vault to rotate the key every 90 days.
D. Use Always Encrypted with column master keys stored in Azure Key Vault and configure key rotation in the application code.

Answer: C

TDE with customer-managed keys supports automatic rotation via Key Vault lifecycle policies.

Why this answer

Option C is correct because Transparent Data Encryption (TDE) with customer-managed keys (CMK) in Azure Key Vault meets the requirement for encrypting data at rest in Azure SQL Database using a key controlled by the customer. Azure Key Vault supports automatic key rotation policies that can be set to rotate the key every 90 days, satisfying the rotation requirement without manual intervention or application code changes.

Exam trap

The trap here is confusing data-at-rest encryption (TDE) with column-level encryption (Always Encrypted or cell-level encryption), leading candidates to pick options that encrypt only specific columns or require application changes, rather than the simpler, database-wide TDE approach with automatic key rotation in Key Vault.

How to eliminate wrong answers

Option A is wrong because cell-level encryption (e.g., Always Encrypted) encrypts individual columns, not the entire database at rest, and requires manual key rotation or application code changes, not automatic rotation via Key Vault policy. Option B is wrong because TDE with service-managed keys uses keys managed by Microsoft, not customer-managed keys, so it fails the requirement for customer-controlled keys. Option D is wrong because Always Encrypted encrypts data at the column level and requires application code changes for key rotation, whereas the requirement specifies data at rest in the database (TDE) and automatic rotation without application modifications.

17 · MCQ · easy

A company is designing an application architecture using Azure Kubernetes Service (AKS) and Azure Cosmos DB. The application requires that secrets (database connection strings) be injected into pods securely without storing them in the container image. The solution must minimize management overhead. What is the recommended approach?

A. Store secrets in a Kubernetes ConfigMap and reference them in the deployment YAML.
B. Use Azure Key Vault Provider for Secrets Store CSI Driver to mount secrets as volumes in pods.
C. Define secrets in a Kubernetes Secret object and reference them in the pod spec.
D. Hardcode the connection string in an environment variable in the deployment manifest.

Answer: B

This provides secure, managed secret injection with automatic rotation.

Why this answer

Option B is correct because the Azure Key Vault Provider for Secrets Store CSI Driver integrates directly with AKS to securely inject secrets from Azure Key Vault into pods as mounted volumes or environment variables, without storing them in container images or Kubernetes objects. This approach minimizes management overhead by leveraging Azure-managed Key Vault for secret lifecycle management and avoids the operational burden of manually managing Kubernetes Secrets.

Exam trap

The trap here is that candidates often assume Kubernetes Secrets are inherently secure because they are base64-encoded, but the exam tests the understanding that Secrets are only obfuscated, not encrypted by default, and that a managed external secrets store like Azure Key Vault is the recommended pattern for production-grade secret management with minimal overhead.

How to eliminate wrong answers

Option A is wrong because ConfigMaps are designed for non-sensitive configuration data (e.g., plain text), not secrets; storing database connection strings in a ConfigMap would expose them in plain text and violate security best practices. Option C is wrong because Kubernetes Secret objects are base64-encoded, not encrypted by default, and require additional encryption configuration (e.g., encryption at rest with KMS) and manual management, increasing overhead and risk compared to a dedicated secrets store. Option D is wrong because hardcoding connection strings in environment variables in the deployment manifest exposes secrets in plain text within the YAML file, version control, and cluster logs, completely violating security principles.

18 · MCQ · hard

A company uses Azure Key Vault to store secrets for their applications. They want to ensure that secrets can be automatically rotated when they are close to expiration. Which solution should they implement?

A. Use Azure DevOps release pipeline to rotate secrets
B. Use Azure Automation with a schedule to check expiration and rotate
C. Use Key Vault event grid subscription to trigger an Azure Function for rotation
D. Use Azure Logic Apps with a recurrence trigger to rotate secrets

Answer: C

Event-driven rotation on secret expiration.

Why this answer

Option C is correct because Azure Key Vault can emit events via Event Grid when a secret is near expiration, and an Azure Function subscribed to that event can perform the rotation logic immediately. This event-driven approach ensures near-real-time rotation without polling, aligning with the requirement for automatic rotation close to expiration.

Exam trap

The trap here is that candidates often choose polling-based solutions (Azure Automation or Logic Apps with recurrence) because they seem simpler, but the exam expects event-driven architecture using Event Grid for real-time, efficient rotation without polling overhead.

How to eliminate wrong answers

Option A is wrong because Azure DevOps release pipelines are designed for CI/CD deployment, not for automated secret rotation; they lack native integration with Key Vault expiration events and would require manual or scheduled triggers. Option B is wrong because Azure Automation with a schedule uses polling, which introduces latency and inefficiency compared to event-driven rotation; it also requires custom runbook logic to check expiration dates. Option D is wrong because Azure Logic Apps with a recurrence trigger also relies on polling, which is less efficient and may miss exact expiration timing; while Logic Apps can integrate with Key Vault, the event-driven Event Grid subscription is the recommended pattern for automatic rotation.

19 · MCQ · medium

A company is designing a data protection strategy for Azure SQL Database. They need to ensure that backups are retained for 7 years to meet regulatory compliance. Which Azure feature should they use?

A. Geo-redundant backup storage
B. Long-Term Retention (LTR)
C. Point-in-Time Restore
D. Active Geo-Replication

Answer: B

LTR retains backups for up to 10 years.

Why this answer

Long-Term Retention (LTR) for Azure SQL Database allows you to retain full database backups for up to 10 years, which meets the 7-year regulatory compliance requirement. LTR is specifically designed for archival and compliance scenarios, storing backups in separate containers with configurable retention policies based on weekly, monthly, or yearly intervals.

Exam trap

The trap here is that candidates confuse Point-in-Time Restore (PITR) with Long-Term Retention (LTR), mistakenly thinking PITR can be configured for years-long retention, when in fact PITR is limited to a maximum of 35 days and LTR is the only feature that supports multi-year archival retention.

How to eliminate wrong answers

Option A is wrong because Geo-redundant backup storage (RA-GRS) provides geographic redundancy for automated backups but does not extend the retention period beyond the default 7-35 days for point-in-time restore backups. Option C is wrong because Point-in-Time Restore (PITR) enables recovery to any point within the retention window (default 7 days, configurable up to 35 days), but it cannot retain backups for years. Option D is wrong because Active Geo-Replication is a continuous replication feature for disaster recovery and read-scale, not a backup retention mechanism; it does not provide long-term archival storage.

20 · Multi-Select · easy

A company stores sensitive data in Azure Blob Storage. They want to prevent data exfiltration by blocking public access and restricting network access to only their on-premises data center via VPN. Which two features should they use?

Select 2 answers
A. Enable firewall and add on-premises IP range
B. Disable public access and use RBAC
C. Disable public access and configure a service endpoint with a firewall rule for the VPN subnet
D. Disable public access and configure a private endpoint

Answers: C, D

Service endpoint restricts to subnet, firewall blocks other traffic.

Why this answer

Option C is correct because disabling public access ensures the storage account is not reachable from the internet, and configuring a service endpoint with a firewall rule for the VPN subnet restricts traffic to only the on-premises data center traffic arriving via the VPN. Service endpoints provide an optimized route over the Azure backbone, and the firewall rule explicitly allows the VPN subnet's IP range, preventing data exfiltration from unauthorized networks.

Exam trap

The trap here is that candidates often confuse service endpoints with private endpoints, assuming private endpoints are required for VPN access, but service endpoints are simpler and sufficient when the goal is to restrict access to a specific subnet (the VPN gateway subnet) rather than assigning a private IP.

21
MCQ · medium

A security administrator applies the Azure Policy definition shown in the exhibit to a management group containing multiple subscriptions. After the policy is assigned, a development team reports they cannot create a new storage account in their subscription. What is the most likely cause?

A. The storage account was created using an older API version that does not support Azure Policy enforcement.
B. The storage account was created in a region that does not support the premium tier.
C. The storage account was assigned a network security group (NSG) that blocks inbound HTTPS traffic.
D. The storage account was created with the 'Secure transfer required' setting disabled.
Answer: D

The policy denies storage accounts where 'supportsHttpsTrafficOnly' is false, meaning secure transfer is not enabled.

Why this answer

The Azure Policy definition in the exhibit likely includes an effect (e.g., 'Deny') that requires the 'Secure transfer required' setting to be enabled on storage accounts. When the development team attempts to create a storage account with this setting disabled, the policy denies the request, preventing the creation. This is the most direct cause because Azure Policy enforces compliance rules at resource creation time, and disabling secure transfer violates the policy's condition.

Exam trap

The trap here is that candidates may confuse post-creation network controls (like NSGs) with pre-creation policy enforcement, or assume API version or regional limitations are the cause, when the actual denial stems from a specific property mismatch in the policy rule.

How to eliminate wrong answers

Option A is wrong because Azure Policy enforcement is independent of the API version used; older API versions still trigger policy evaluation, and the policy would deny the request regardless. Option B is wrong because the premium tier support per region is a service availability constraint, not a policy-driven denial; the policy would not block creation based on region unless explicitly configured, and the exhibit shows no such condition. Option C is wrong because network security groups (NSGs) are applied to network interfaces or subnets, not to storage accounts directly; blocking HTTPS traffic would affect connectivity after creation, not prevent the creation itself.

22
MCQ · easy

A company wants to protect their Azure App Service web application from common web vulnerabilities like SQL injection and XSS. Which Azure service should they enable?

A. Azure DDoS Protection
B. Azure Firewall
C. Azure Front Door with WAF
D. Azure Web Application Firewall (WAF) on Application Gateway
Answer: D

Protects against SQL injection, XSS, etc.

Why this answer

Azure Web Application Firewall (WAF) on Application Gateway is the correct choice because it provides centralized, inbound protection for web applications against common exploits such as SQL injection and cross-site scripting (XSS). WAF inspects HTTP/HTTPS traffic at the application layer (Layer 7) using OWASP Core Rule Sets (CRS) to block malicious payloads before they reach the App Service. This service is specifically designed to defend web workloads, unlike network-layer or generic firewall solutions.

Exam trap

The trap here is that candidates often confuse Azure Front Door with WAF (a global, CDN-based WAF) with Azure Application Gateway WAF (a regional, load-balancer-based WAF), but for protecting a single Azure App Service within a region, the Application Gateway WAF is the direct and intended service, while Front Door is typically used for multi-region or global scenarios.

How to eliminate wrong answers

Option A is wrong because Azure DDoS Protection operates at the network and transport layers (Layers 3 and 4) to mitigate volumetric attacks, not application-layer threats like SQL injection or XSS. Option B is wrong because Azure Firewall is a stateful, network-layer firewall (Layer 3/4) that filters traffic based on IP addresses, ports, and protocols, and it lacks the deep packet inspection (DPI) and rule sets needed to detect application-layer attacks. Option C is wrong because, although Azure Front Door with WAF does provide WAF capabilities and can front App Services, the question asks for the service that protects a single Azure App Service web application; the most direct and commonly deployed service for this purpose is WAF on Application Gateway, the standard pattern for regional web application protection.
