AZ-800 - Microsoft Azure Networking Solutions Private Link and Endpoints Questions and Answers

Question 1

An organization wants to provide secure access to an Azure SQL Database from a virtual machine (VM) located in an Azure Virtual Network (VNet). The security policy mandates that the database must not be accessible over the public internet and all traffic must remain on the Microsoft backbone network. Which Azure networking component should be implemented?

Accepted Answer

An Azure Private Endpoint for the SQL Database.

Answer

An Azure Private Endpoint is a network interface that connects you privately and securely to a service powered by Azure Private Link, like Azure SQL Database. It uses a private IP address from your VNet, effectively bringing the service into your VNet and ensuring traffic never traverses the public internet.

Question 2

A software company has developed a multi-tenant application running on virtual machines behind a Standard Load Balancer. They need to provide dedicated, private access to this application for a partner company that operates in a separate Azure tenant. Which Azure service is designed to expose this application privately to the partner without using VNet peering or VPNs?

Accepted Answer

Azure Private Link Service

Answer

Azure Private Link Service is the correct solution. It allows you to expose a service running behind a Standard Load Balancer to consumers in other VNets, subscriptions, or even different Azure AD tenants. The consumer can then create a private endpoint in their VNet to connect to the service securely over the Microsoft backbone.

Question 3

When you configure a private endpoint for an Azure Storage Account, what is the primary role of an Azure Private DNS Zone?

Accepted Answer

To override public DNS resolution and resolve the storage account's FQDN to its private IP address within the VNet.

Answer

For a private endpoint to work seamlessly, clients in the VNet must resolve the service's public FQDN (e.g., `mystorage.blob.core.windows.net`) to the private IP address of the private endpoint. An Azure Private DNS Zone (e.g., `privatelink.blob.core.windows.net`) linked to the VNet is used to host the 'A' record that maps the FQDN to the private IP, overriding the public DNS CNAME record.

Question 4

An administrator needs to provide access to an Azure Storage account from an on-premises network connected via ExpressRoute. They are evaluating both Service Endpoints and Private Endpoints. Which of the following is a key advantage of using a Private Endpoint in this scenario?

Accepted Answer

A Private Endpoint enables access from on-premises networks, whereas a Service Endpoint does not.

Answer

A primary advantage of Private Endpoints is their ability to be accessed from on-premises networks through ExpressRoute or VPN tunnels, as well as from peered VNets. Service Endpoints only secure traffic from within a specific Azure VNet and do not provide a path for on-premises access.

Question 5

When an Azure Private Endpoint is created within a consumer's virtual network, which specific resource is provisioned in that VNet to facilitate the private connection?

Accepted Answer

A network interface (NIC)

Answer

A private endpoint is fundamentally a network interface (NIC) that is created within a subnet of the consumer's virtual network. This NIC is assigned a private IP address from that subnet's address space and acts as the entry point for traffic destined for the privately-linked Azure service.

AZ-800 - Microsoft Azure Networking Solutions Practice Test

AZ-800 - Microsoft Azure Networking Solutions Practice Test

AZ-800 - Microsoft Azure Networking Solutions Private Link and Endpoints Questions and Answers