AZ-500 Question #456: Real Exam Question with Answer & Explanation
The correct answer is A: From the Firewalls and virtual networks tab, add the IP address of VM1.
Question
You have an Azure subscription that contains an Azure key vault named Vault1 and a virtual machine named VM1. VM1 is connected to a virtual network named VNet1. You need to allow access to Vault1 only from VM1. What should you do in the Networking settings of Vault1?
Options
- A. From the Firewalls and virtual networks tab, add the IP address of VM1.
- B. From the Private endpoint connections tab, create a private endpoint for VM1.
- C. From the Firewalls and virtual networks tab, add VNet1.
- D. From the Firewalls and virtual networks tab, set Allow trusted Microsoft services to bypass this firewall.
Explanation
To restrict Azure Key Vault access exclusively to a specific virtual machine, its public IP address should be whitelisted in the Key Vault's networking firewall settings.
Common mistakes.
- B. Creating a private endpoint provides secure, private connectivity for VM1 to Vault1, but it establishes a new private IP in VNet1 for Vault1 and is a different mechanism than directly allowing an existing IP through a firewall.
- C. Adding VNet1 to the 'Firewalls and virtual networks' tab would allow any resource within VNet1 to access the Key Vault, violating the 'only from VM1' requirement.
- D. Setting 'Allow trusted Microsoft services to bypass this firewall' would grant access to a broad category of Azure services, not specifically limit access to VM1, thus failing the 'only from VM1' requirement.
Concept tested. Azure Key Vault networking security (IP firewalls)
Reference. https://learn.microsoft.com/en-us/azure/key-vault/general/network-security
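The following Azure PowerShell script is an added example, not part of the question page or of Microsoft's documentation. It applies option A end to end: it resolves VM1's public IP, adds that IP to Vault1's firewall allow list, sets the vault's default action to Deny so the rule actually takes effect (an IP rule has no effect while public access is still allowed from all networks), and leaves the trusted-services bypass off, which is the difference from option D. The resource group name is a placeholder, and the script assumes VM1 has a public IP resource in the same resource group.

```powershell
# Added example: lock Vault1's firewall down to VM1's public IP (option A).
# Requires the Az.Accounts, Az.Compute, Az.Network and Az.KeyVault modules and an
# existing Connect-AzAccount session.
$rg        = 'RG-PLACEHOLDER'   # assumed resource group holding Vault1 and VM1
$vaultName = 'Vault1'
$vmName    = 'VM1'

# Resolve VM1's public IP: VM -> primary NIC -> first IP configuration -> public IP resource.
$vm    = Get-AzVM -ResourceGroupName $rg -Name $vmName
$nic   = Get-AzNetworkInterface -ResourceId $vm.NetworkProfile.NetworkInterfaces[0].Id
$pipId = $nic.IpConfigurations[0].PublicIpAddress.Id
if (-not $pipId) { throw "$vmName has no public IP; an IP firewall rule cannot match its traffic." }
$pipName = ($pipId -split '/')[-1]                      # assumes the PIP lives in $rg
$pip     = Get-AzPublicIpAddress -ResourceGroupName $rg -Name $pipName
Write-Host "Allowing $($pip.IpAddress) (allocation: $($pip.PublicIpAllocationMethod))"

# Add VM1's address to the vault's IP rules (the "Firewalls and virtual networks" tab).
Add-AzKeyVaultNetworkRule -VaultName $vaultName -ResourceGroupName $rg `
    -IpAddressRange $pip.IpAddress

# Make the rule effective: deny everything not explicitly allowed, and do not
# bypass the firewall for trusted Microsoft services (that would be option D).
Update-AzKeyVaultNetworkRuleSet -VaultName $vaultName -ResourceGroupName $rg `
    -DefaultAction Deny -Bypass None

# Verify the resulting ACL: DefaultAction should be Deny and the only IP rule VM1's address.
(Get-AzKeyVault -VaultName $vaultName -ResourceGroupName $rg).NetworkAcls
```

Two checks worth making after running this: the public IP should be statically allocated (a dynamic IP changes on deallocation and silently breaks the rule), and VM1 must actually egress with that address rather than through a NAT gateway or load balancer, since the Key Vault firewall matches on the source address it sees. If VM1 reaches the vault over the Azure backbone from inside VNet1, a virtual network rule (option C) or a private endpoint (option B) is the mechanism that applies instead; the question's requirement to limit access to VM1 alone is what rules those out here.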