AZ-500: How Do Resource Firewalls Secure Azure SQL and Storage Accounts?

Which Azure PaaS Services Support Integrated Resource Firewalls?

Prepare for your AZ-500 exam by understanding which Azure resources, like Azure SQL and Storage Accounts, include a built-in resource firewall. Learn how this feature secures PaaS services by controlling access from specific IP addresses and virtual networks.

Question

The following resources support Azure resource firewall: (choose the best answer)

A. Azure SQL and Storage Accounts
B. Azure SQL and Azure VMs
C. Azure VMs and Storage Accounts
D. Storage Accounts

Answer

A. Azure SQL and Storage Accounts

Explanation

The correct answer is A. Azure SQL and Azure Storage Accounts are prominent Platform as a Service (PaaS) offerings that feature a built-in resource firewall to control network access.

Azure SQL servers and databases, as well as Azure Storage Accounts, support the resource firewall. Several other Azure PaaS services also support it.

Azure Resource Firewall Explained

A resource firewall is a security feature integrated directly into specific Azure PaaS services. It allows administrators to create allow lists of IP addresses, IP address ranges, or Azure Virtual Network subnets that are permitted to access the service’s public endpoint. This provides a critical layer of network security by ensuring that traffic can only originate from trusted locations.

Azure SQL Firewall

The firewall for Azure SQL Database and Azure Synapse Analytics is configured at the logical server level. It protects the server and all its databases from unauthorized network access. You can configure the following types of rules:

  • Server-level IP firewall rules: These rules apply to the entire SQL server and grant access to clients based on their originating IP address.
  • Database-level IP firewall rules: These rules are specific to individual databases and are useful for providing more granular access control.
  • Virtual Network rules: These allow traffic from specific subnets within an Azure Virtual Network using service endpoints, enabling private connectivity without traversing the public internet.

Azure Storage Account Firewall

The firewall for Azure Storage Accounts provides similar functionality, allowing you to secure access to your blobs, files, queues, and tables. Key features include:

  • Allowing access from specific public IP addresses or ranges.
  • Granting access from specific Azure Virtual Networks using service endpoints.
  • Enabling access for trusted Microsoft services, such as Azure Backup or Azure Data Factory, to bypass the firewall rules.
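
An added example (not from the original page or from Microsoft): a Python check that audits the two kinds of firewall settings described above, a storage account's network rule set and SQL server-level IP rules, and models the allow-list decision for a client IP. The field names follow the ARM resource shape (`defaultAction`, `ipRules`, `startIpAddress`, `endIpAddress`); the sample data, the function names and the 256-address threshold are assumptions.

```python
import ipaddress

# Constructed sample: shaped like a storage account's "networkAcls" block.
STORAGE_ACLS = {
    "defaultAction": "Allow",   # public endpoint open; rules below are not enforced
    "bypass": "AzureServices",  # trusted Microsoft services exception
    "ipRules": [{"value": "203.0.113.0/24", "action": "Allow"},
                {"value": "198.51.100.7", "action": "Allow"}],
    "virtualNetworkRules": [],
}
# Constructed sample: SQL server-level IP firewall rules.
SQL_RULES = [
    {"name": "office", "startIpAddress": "203.0.113.10", "endIpAddress": "203.0.113.20"},
    {"name": "everyone", "startIpAddress": "0.0.0.0", "endIpAddress": "255.255.255.255"},
]
MAX_ADDRESSES = 256  # assumed review threshold, not an Azure limit

def audit_storage(acls, limit=MAX_ADDRESSES):
    """Return findings for a storage account network rule set."""
    findings = []
    if acls.get("defaultAction", "Allow") != "Deny":
        findings.append("defaultAction is not Deny, so the allow list is not enforced")
    for rule in acls.get("ipRules", []):
        net = ipaddress.ip_network(rule["value"], strict=False)
        if net.num_addresses > limit:
            findings.append(f"ipRule {rule['value']} admits {net.num_addresses} addresses")
    return findings

def audit_sql(rules, limit=MAX_ADDRESSES):
    """Return findings for SQL IP firewall rules given as start/end ranges."""
    findings = []
    for r in rules:
        size = (int(ipaddress.ip_address(r["endIpAddress"]))
                - int(ipaddress.ip_address(r["startIpAddress"])) + 1)
        if size > limit:
            findings.append(f"rule '{r['name']}' admits {size} addresses")
    return findings

def is_allowed(client_ip, acls):
    """Model the allow-list decision for a client arriving from a public IP."""
    if acls.get("defaultAction", "Allow") == "Allow":
        return True
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(r["value"], strict=False)
               for r in acls.get("ipRules", []))

if __name__ == "__main__":
    hardened = dict(STORAGE_ACLS, defaultAction="Deny")
    print(audit_storage(STORAGE_ACLS), audit_sql(SQL_RULES))
    print(is_allowed("192.0.2.1", STORAGE_ACLS), is_allowed("192.0.2.1", hardened))
```

With `defaultAction` left at `Allow`, the listed IP rules have no restricting effect; setting it to `Deny` is what turns them into an allow list.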

Why Other Options Are Incorrect

Azure Virtual Machines (VMs) are an Infrastructure as a Service (IaaS) offering. They do not have an integrated “resource firewall” in the same way PaaS services do. Instead, network traffic to and from VMs is controlled at the network layer using Network Security Groups (NSGs), which are applied to a VM’s network interface or its subnet. While NSGs function as a firewall, the term “resource firewall” in the Azure context specifically refers to the built-in feature on PaaS services. Therefore, options involving Azure VMs (B and C) are incorrect. Option D is incorrect because it is not the best and most complete answer.