Microsoft Azure Security Engineer Associate AZ-500 Practice Question
Your company stores secrets in an Azure Key Vault that currently allows traffic only from selected networks. An Azure Function app is deployed in a dedicated App Service plan and is integrated with the subnet AppSubnet in VNet CorpNet. You must permit the function app to retrieve secrets while keeping all other Azure services blocked. What should you configure on the Key Vault?
Set Public network access to Enabled and configure the function app to use its system-assigned managed identity.
Add the function app's outbound IP addresses as firewall IP address rules.
Turn on the Allow trusted Microsoft services to bypass the firewall setting.
Enable a service endpoint for Microsoft.KeyVault on AppSubnet and add AppSubnet as a virtual network rule.
The most restrictive option is to grant access only to the subnet that hosts the function app. First, enable the Microsoft.KeyVault virtual network service endpoint on AppSubnet, then add that subnet to the Key Vault's virtual network rules. Traffic from resources in the subnet is routed to the vault over the Azure backbone, and all other sources, including other Microsoft services, remain blocked.
Allowing trusted Microsoft services would open access for many Azure platforms you do not use. Relying on the function app's outbound IP addresses is fragile because those addresses can change, and it does not prevent other services from using the same public IP range. Enabling public network access defeats the requirement to block other Azure services, even if a managed identity is used.
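The check below is an added example, not part of the original practice question: it audits a Key Vault's network ACLs against the subnet-only configuration described in the explanation. It assumes the ACLs are supplied as a dict in the shape of the vault's `properties.networkAcls` in Azure Resource Manager; the function name, subscription ID, resource group and sample values are constructed for illustration.

```python
# Constructed placeholder ID: subscription and resource group are not from the page.
APP_SUBNET = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
              "rg-example/providers/Microsoft.Network/virtualNetworks/CorpNet/subnets/AppSubnet")


def audit_network_acls(acls, required_subnet_id, subnet_endpoints):
    """Return a list of findings; an empty list means the vault is reachable
    only from the required subnet over its service endpoint."""
    findings = []
    if acls.get("defaultAction") != "Deny":
        findings.append("defaultAction is not Deny: every network can reach the vault")
    # ARM treats an unspecified bypass as AzureServices, so default to that.
    if acls.get("bypass", "AzureServices") != "None":
        findings.append("bypass is not None: trusted Microsoft services skip the firewall")
    if acls.get("ipRules"):
        findings.append("ipRules present: access depends on public IP addresses")
    # Resource IDs are case-insensitive, so compare them lowercased.
    rule_ids = {r["id"].lower() for r in acls.get("virtualNetworkRules") or []}
    want = required_subnet_id.lower()
    if want not in rule_ids:
        findings.append("required subnet is missing from virtualNetworkRules")
    for extra in sorted(rule_ids - {want}):
        findings.append("unexpected subnet allowed: " + extra)
    if "Microsoft.KeyVault" not in subnet_endpoints:
        findings.append("Microsoft.KeyVault service endpoint is not enabled on the subnet")
    return findings


# Constructed samples: the recommended setup, and one that mixes two rejected options.
COMPLIANT = {"defaultAction": "Deny", "bypass": "None", "ipRules": [],
             "virtualNetworkRules": [{"id": APP_SUBNET}]}
IP_AND_BYPASS = {"defaultAction": "Deny", "bypass": "AzureServices",
                 "ipRules": [{"value": "203.0.113.10"}], "virtualNetworkRules": []}

if __name__ == "__main__":
    cases = [("compliant", COMPLIANT, ["Microsoft.KeyVault"]),
             ("ip rules + bypass", IP_AND_BYPASS, [])]
    for name, acls, endpoints in cases:
        result = audit_network_acls(acls, APP_SUBNET, endpoints)
        print(name, "->", result or "OK")
```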