Microsoft AZ-500 (Azure Security)

Secure Networking

42 free practice questions with explanations

PassNova has 42 free Microsoft AZ-500 (Azure Security) practice questions on Secure Networking, each with a clear explanation. Practise them in the browser with instant feedback — 100% free, no sign-up, on any device. Updated for 2026.

Sample questions

Secure Networking: example questions & answers

Here are 6 example questions from this topic. Practise the full set of 42 free in the browser.

  1. You must ensure that traffic from a subnet to an Azure Storage account never traverses the public internet and that the storage account is reachable by a private IP inside your virtual network. What should you deploy?

    • A An Azure Firewall application rule
    • B A service endpoint for Microsoft.Storage
    • C A private endpoint for the storage account
    • D A network security group allow rule

    Answer: C. A private endpoint projects the storage account into your virtual network with a private IP, so traffic stays on the Microsoft backbone and the resource is reachable privately. Service endpoints keep traffic on the backbone but the resource still uses a public endpoint.

  2. A subnet hosts web servers that must accept inbound HTTPS from the internet but must not accept inbound RDP. Which control most directly enforces this at the subnet level?

    • A Microsoft Defender for Cloud just-in-time access
    • B A network security group with appropriate inbound rules
    • C Azure DDoS Protection
    • D A route table with a default route

    Answer: B. A network security group filters inbound and outbound traffic by port, protocol, and address, so you can allow TCP 443 and deny TCP 3389. Route tables control next hops, not whether traffic is permitted.

  3. You need a managed firewall that provides fully qualified domain name filtering for outbound traffic, threat intelligence-based filtering, and centralized policy across a hub-and-spoke topology. Which service should you use?

    • A Azure Front Door
    • B Azure Firewall
    • C Azure Application Gateway
    • D Network security groups

    Answer: B. Azure Firewall is a stateful, managed network firewall offering FQDN application rules, threat intelligence filtering, and centralized policy, well suited to a hub-and-spoke design. NSGs cannot filter by FQDN or apply threat intelligence.

  4. Your web application must be protected against SQL injection and cross-site scripting at the HTTP layer. Which Azure capability provides this?

    • A A network security group application security group
    • B A Web Application Firewall on Application Gateway or Front Door
    • C Azure Bastion
    • D A service endpoint policy

    Answer: B. The Web Application Firewall, available on Application Gateway and Azure Front Door, inspects HTTP traffic and blocks common web attacks such as SQL injection and cross-site scripting using managed rule sets. NSGs operate at the network layer, not the application layer.

  5. You want to administer Azure VMs over RDP and SSH without exposing public IP addresses or opening inbound 3389/22 from the internet. Which service should you deploy?

    • A Azure Bastion
    • B An Azure Firewall DNAT rule
    • C A jump box with a public IP
    • D A point-to-site VPN gateway

    Answer: A. Azure Bastion provides secure RDP and SSH connectivity to VMs directly through the Azure portal over TLS, so the VMs need no public IPs and no inbound 3389/22 rules. A jump box with a public IP reintroduces the exposure you are trying to avoid.

  6. Which Azure feature provides automatic mitigation of volumetric, protocol, and resource-layer attacks against your public IP resources with tuned telemetry and cost protection?

    • A Azure DDoS Protection (Network Protection tier)
    • B A user-defined route
    • C A network security group with rate limiting
    • D Azure Traffic Manager

    Answer: A. Azure DDoS Protection Network Protection provides always-on monitoring and automatic mitigation of network-layer DDoS attacks, plus telemetry and cost protection for scaled resources. NSGs cannot perform DDoS mitigation.
