DP-300 Question #386: Real Exam Question with Answer & Explanation

Question

Hotspot Question You have an Azure subscription that contains a resource group named RG1. RG1 contains an Azure SQL Server named Server1 in the West US Azure region. You need to ensure that any Azure services deployed to RG1 can access Server1. How should you complete the Azure Command-Line Interface (CLI) command? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Answer:

Options

• __typehotspot
• variantdropdown

Explanation

To allow any Azure services to access an Azure SQL Server, you must create a server-level firewall rule with a start and end IP address of 0.0.0.0.

Approach. The scenario requires ensuring that 'any Azure services' deployed to RG1 can access Server1. This is a common requirement for Azure SQL Servers. To achieve this via the Azure CLI, you need to:

1. Select the correct subcommand: The command az sql server needs to be followed by the firewall-rule subcommand to manage server-level firewall rules for the SQL Server. The full command structure for creating a firewall rule is az sql server firewall-rule create.

   • firewall-rule is the appropriate choice as we are defining an inbound access rule.

2. Define the rule to allow Azure services: Azure SQL Database servers have a special firewall rule that, when configured, allows connections from any Azure service within any Azure region. This is achieved by setting both the start and end IP addresses of the rule to 0.0.0.0.

   • Therefore, --start-ip-address 0.0.0.0 --end-ip-address 0.0.0.0 is the correct selection for the rule definition. The name AllowAzureServices is already provided in the command, which is a common practice for this specific rule.

Common mistakes.

• common_mistake. 1. Choosing ipv6-firewall-rule or an IPv6 range: The question implies standard Azure services connectivity, which by default uses IPv4 and the special 0.0.0.0 rule. IPv6 is not specified as a requirement.

1. Choosing outbound-firewall-rule: This is for controlling traffic from the SQL server, not to it. The requirement is about allowing Azure services to access the SQL server.
2. Choosing vnet-rule: VNet rules are used for controlling access from specific Azure virtual networks and subnets using Service Endpoints. While this is a valid way to secure access, the question asks for 'any Azure services deployed to RG1', implying the broader 'Allow Azure services' option rather than a specific VNet configuration.
3. Choosing a specific public IPv4 range (e.g., 13.86.217.0): This would only allow access from that specific IP range, not 'any Azure services'.

Concept tested. Azure SQL Database server-level firewall rules, specifically the configuration to allow access from all Azure services by setting the IP range to 0.0.0.0. This tests knowledge of Azure SQL security and CLI commands for managing connectivity.

Reference. https://learn.microsoft.com/en-us/azure/azure-sql/database/firewall-create-and-configure?view=azuresql&tabs=azure-cli

No community discussion yet for this question.