Microsoft Azure Security Engineer Associate AZ-500 Practice Question

You deploy an Azure SQL Managed Instance named prod-mi to the ProdData subnet of a virtual network that uses the address space 10.20.0.0/16.

The networking team will implement forced tunneling so that all outbound traffic from ProdData is sent to the on-premises firewall across an existing site-to-site VPN. They plan to associate the following user-defined route (UDR) with the ProdData subnet:

Destination prefix: 0.0.0.0/0
Next hop type: Virtual network gateway

You must ensure that:

  • prod-mi continues to receive required platform management and patching traffic from Azure.
  • All other outbound Internet traffic from the subnet continues to be forced through the on-premises firewall.

Which change should you recommend?

  • Create an outbound NSG rule that permits TCP 443 to the AzureCloud service tag and give it the highest priority.

  • Enable a setting named AllowOutboundOnlyInternetTraffic on prod-mi.

  • Move prod-mi to a newly delegated subnet because forced tunneling is unsupported on delegated subnets.

  • Add a user-defined route to ProdData with destination SqlManagement (Service Tag) and next hop type Internet.

Secure networking