How well do you know Key security features in Azure SQL DB Question Title * 1. Does Azure SQL Database provide any default RBAC for managing Azure SQL DB or you have to create custom roles for managing Azure SQL DB Yes , Azure SQL provides dedicated RBAC roles. No , Azure SQL provides dedicated RBAC roles. OK Question Title * 2. You are hosting a service that resides in its VNET (VNET A ) and you have configured SQL Azure with a custom VNET (VNET B). How can a service residing in VNET A can reach SQL service thats in the VNET B. Identify the optimal response. No its not possible to reach to VNET B , because the SQL Endpoint will only respond to the request from the network thats connected. Yes , the client residing in any VNET can reach the SQL Service. Provided the VNET are peered. Add the both VNETs to the SQL Azure approved VNETs. OK Question Title * 3. You are mentoring a new developers , she is tasked to get all the IP ranges of all the SQL Azure Database , so she can add it to NSG security rule set . She is having trouble getting all the SQL DB IP address and keeping it updated regularly. How will you advise the developer. Write a python script thats always scan new changes to Microsoft Azure DC IP file. Host the information in a NoSQL DB and every week upload the file and do a diff. If there are any differences , then update the NSG Rules. Put that script into a cron job. So its runs without any human intervention and it can scale massively. It will reduce to chances of error significantly. Use Network watcher , take a full dump of all the NSG rules every week in JSON Format. Extract the IP ranges from the weekly Microsoft IP Range update. Compare and then build a simple javascript , that will send email notification if there are changes. But doing this we will reduce the time it takes toupdate. One of the best way to address is to adopt Service Tags , there are dedicated Tags for SQL and it removes all the complexity related to writing scripts and zero changes every week. Azure will ensure the service tags are upto date. OK Question Title * 4. If you enable "Allow access to Azure Services" - What will be the impact. Service from all Azure services to the SQL Azure DB will be allowed. Service from all Azure services to the SQL Azure DB will not be allowed. OK Question Title * 5. If you dont enable "Allow all Azure Services', will there be any impact on the native Azure services that are trying to access the service. No impact in terms of any Azure service accessing the SQL Azure DB. Number of native azure service will have challenges connecting to the SQL Azure DB. OK Question Title * 6. Your customers developer are complaining they are not able to access to SQL Azure through the SQL Server Management Studio. How will you troubleshoot the issue. Login in the Azure portal , navigate to the SQL Azure Database and check if the developers machine IP address is part of the allowed IP list if not add it to firewall rules and check if the developer is able to access the SQL database. Advise the customer to deploy VPN Gateway to Azure , so they can connect SQL Management studio with SQL Azure DB SQL Management studio will only work with Express route and its mandatory to connect SQL Management studio with SQL Azure DB OK Question Title * 7. You are the senior cloud solution architect and your client compliance officer is looking for single and trusted source for all the Compliance and Trust information related to Azure and Azure SQL in particular , where will you direct him. https://www.microsoft.com/en-us/TrustCenter/Compliance/default.aspx www.microsoft.com OK Question Title * 8. What is the key purpose of the Threat detection in the SQL Azure. Enables threat detection Identifies anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. OK Question Title * 9. You customer is a startup and currently they are building a V1 of their product. They are using SQL Azure as their backend database and currently they are using outlook.com as their email id. They configured AD and wants to integrate their outlook.com address as admin for the SQL Azure DB. What will be your recommendation to them. . Due to the strong security model , you cannot associate users from Microsoft Accounts , the usershould reside in your organization. You recommend them to get company domain and proper email based on their domain. There are no issues using outlook.com or any Microsoft accounts. We will be able to configure the user with Azure AD. OK Question Title * 10. Your customers want to bring their own Custom Keys to encrypt the data ,log files , backup. Is it possible to do that in SQL Azure as of today. Yes , SQL Azure DB allows custom keys Currently SQL Azure DB only allows Key to be stored in Azure Key vault Yes , SQL Azure DB allows custom keys , but the feature set in Preview. If its not a must to have for production deployment , then the recommendation is to start with Azure Key Vault . OK Question Title * 11. You are working with field marketing company and they have lot of temp students , that will be working with the company on short duration project. Your customer has good amount of data and they dont want to expose all the sensitive data to the temp students. What will be your recommendation onhiding the sensitive data. Build a custom database and then export the data to the custom database, remove all the sensitive fields and then share the data with the temp students Build custom Views, that will only select non-sensitive fields and share with the temp students. Use Dynamic Data Masking to hide the sensitive data. OK Question Title * 12. Your customer is checking with you , if its possible to enable MFA to login into the SQL Azure. Based on your understanding , can you confirm or deny if MFA is available for SQL Azure Db. Yes , it is available No , it's not available OK DONE