Microsoft Azure Security Engineer Associate AZ-500 Practice Question

You deployed an Azure Key Vault named KV1 and set the firewall default action to Deny. You need to allow (1) requests that originate from the subnet AppSubnet in the virtual network VNet1 and (2) Azure Disk Encryption operations that protect your virtual machines. Which network configuration satisfies both requirements without granting broader access?

  • Create a private endpoint for KV1 in VNet1 and disable public network access for the vault.

  • Enable the Microsoft.KeyVault service endpoint on AppSubnet, create a virtual-network rule for that subnet, and enable the option that allows trusted Microsoft services to bypass the firewall.

  • Enable a Microsoft.KeyVault service endpoint on VNet1 and change the firewall default action to Allow (no additional rules).

  • Add an IP firewall rule for the address range of AppSubnet and enable network policies on the subnet's private endpoint.

Secure Azure using Microsoft Defender for Cloud and Microsoft Sentinel