Security And Governance Boundary — Azure Administrator (AZ-104)
Threat model first. Then pick the service.
The exam distinguishes between detection, prevention, and enforcement. Sentinel handles SIEM and threat investigation across signals. Defender for Cloud provides posture assessment and workload protection. RBAC enforces who can act on which resource. Entra ID governs identity. Candidates conflate these layers because all four appear in security questions. The translation rule: identify whether the scenario needs visibility, hardening, identity control, or access enforcement — each constraint maps to a different service.
What This Pattern Tests
Azure security questions test four distinct control planes. RBAC controls who can manage resources (Contributor, Reader, custom roles) scoped to management group, subscription, resource group, or resource. Azure Policy controls what resource configurations are allowed (enforce tags, restrict VM sizes, require encryption). NSGs control network traffic at the subnet or NIC level. Conditional Access controls authentication requirements (MFA, compliant device, location). The exam tests whether you apply the right control at the right layer — using Azure Policy to enforce encryption at rest, not RBAC.
Decision Axis
Security layer (identity vs. configuration vs. network vs. authentication) determines which Azure control applies.
Associated Traps
Decision Rules
Should network isolation for the storage account be enforced at the NIC or subnet layer (NSG) or at the storage account layer (storage firewall virtual network rule backed by a service endpoint)?
Whether to configure customer-managed keys (CMK) backed by a Key Vault with RBAC authorization enabled, versus enabling only platform-managed SSE (satisfies encryption-at-rest generally but cedes key ownership) or using vault access policies (satisfies CMK but fails the RBAC authorization mandate).
Choose the credential type that is simultaneously time-bounded and scoped to a single container with write-only permission, rejecting options that grant broader account-level access or require persistent identity enrollment.
Whether to configure the storage account encryption key source as customer-managed (Key Vault integration with RBAC authorization) versus accepting the platform default of Microsoft-managed encryption, which satisfies generic 'encrypted at rest' language but not the organization's key-lifecycle-control and key-access auditability requirements.
Whether network isolation is enforced at the NIC layer via an NSG (leaves the storage account's public endpoint reachable from outside the VNet) or at the storage-account layer via a Private Endpoint with public-network-access disabled (removes the public endpoint entirely), where only the latter satisfies the 'no public endpoint exposure' constraint.
Select Encryption at Host (platform-enforced, covers OS disk, data disks, and temp disk) over Azure Disk Encryption (guest-enforced, excludes temp disk and requires guest-OS changes) when the compliance mandate explicitly includes temporary storage and forbids guest-level configuration.
Select the App Service network control that enforces inbound-only VNet isolation without disabling deployment slot swaps — Private Endpoints (inbound) versus VNet Integration (outbound only).
Choose Encryption at Host (platform-layer server-side encryption covering OS disk, data disks, and temp disk with no guest-OS agent required) over Azure Disk Encryption (guest-layer BitLocker/dm-crypt covering OS and data disks only, requiring in-guest extension installation) to satisfy a compliance mandate that explicitly includes temporary storage and prohibits guest-OS changes.
Which inbound network isolation control satisfies the private-VNet restriction for an App Service without overengineering the hosting tier or breaking slot-swap governance?
Choose Encryption at Host (platform-layer, covers OS disk, data disks, and temp disk, no guest agent required) over Azure Disk Encryption (guest-layer, excludes temp disk, requires per-instance OS agent) to satisfy a compliance mandate that is both temp-disk-inclusive and zero-guest-OS-change.
Select Private Endpoints over Service Endpoints when the constraint requires instance-level isolation of a single PaaS resource, not merely service-category backbone routing.
Whether to use Private Endpoints (resource-instance-level private IP, public endpoint disabled) or Service Endpoints (service-category-level backbone routing) when the constraint requires isolating a single PaaS instance and preventing data-exfiltration to sibling resources.
Whether to apply a subnet-scoped NSG inbound rule alone or introduce Application Security Groups — use NSG alone when all subnet members share uniform security requirements; use ASGs only when VM-level role differentiation is needed inside a mixed-workload subnet.
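The storage-account rules above (customer-managed key in a Key Vault with RBAC authorization rather than access policies, and a Private Endpoint with public network access disabled rather than an NSG alone) written out as one Az PowerShell script. This is an added example, not part of the study guide; the resource group, VNet, subnet and all resource names are placeholders assumed to exist already.

```powershell
# Placeholder names (assumed to exist or be free in the target subscription).
$rg = 'rg-sec-demo'; $loc = 'eastus'
$sa = 'stsecdemo001'; $kvName = 'kv-sec-demo-001'; $keyName = 'sa-cmk'
$vnetName = 'vnet-sec-demo'; $subnetName = 'snet-pe'

# Key Vault with RBAC authorization (not vault access policies) and purge
# protection, which customer-managed keys require. Soft delete is on by default.
$kv = New-AzKeyVault -ResourceGroupName $rg -Name $kvName -Location $loc `
        -EnableRbacAuthorization -EnablePurgeProtection
$key = Add-AzKeyVaultKey -VaultName $kvName -Name $keyName -Destination Software

# Storage account: public endpoint disabled (an NSG on the VM subnet would leave
# it reachable from the internet), shared-key auth off, TLS 1.2 floor, and a
# system-assigned identity so the account reaches the key without a stored secret.
$acct = New-AzStorageAccount -ResourceGroupName $rg -Name $sa -Location $loc `
          -SkuName Standard_LRS -Kind StorageV2 -AssignIdentity `
          -PublicNetworkAccess Disabled -AllowSharedKeyAccess $false `
          -MinimumTlsVersion TLS1_2

# Key permission is an RBAC role assignment scoped to the vault; this is what
# "RBAC authorization enabled" means for the mandate. Propagation can take a minute.
New-AzRoleAssignment -ObjectId $acct.Identity.PrincipalId `
  -RoleDefinitionName 'Key Vault Crypto Service Encryption User' `
  -Scope $kv.ResourceId | Out-Null
Start-Sleep -Seconds 60

# Switch the key source from Microsoft-managed to the customer-managed key.
Set-AzStorageAccount -ResourceGroupName $rg -Name $sa -KeyvaultEncryption `
  -KeyName $key.Name -KeyVersion $key.Version -KeyVaultUri $kv.VaultUri | Out-Null

# Private Endpoint for the blob sub-resource: a private IP for this one instance
# inside the VNet, unlike a Service Endpoint's service-category backbone routing.
$vnet   = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName
$conn   = New-AzPrivateLinkServiceConnection -Name "$sa-blob" `
            -PrivateLinkServiceId $acct.Id -GroupId 'blob'
New-AzPrivateEndpoint -ResourceGroupName $rg -Name "pe-$sa-blob" -Location $loc `
  -Subnet $subnet -PrivateLinkServiceConnection $conn | Out-Null

# Verify both controls landed; fail loudly if either silently fell back.
$check = Get-AzStorageAccount -ResourceGroupName $rg -Name $sa
if ($check.Encryption.KeySource -ne 'Microsoft.Keyvault' -or
    $check.PublicNetworkAccess -ne 'Disabled') {
    throw "Storage account $sa is not hardened as required"
}
```

Name resolution for the private endpoint still needs a privatelink.blob.core.windows.net private DNS zone linked to the VNet, omitted here for length; without it, clients inside the VNet resolve the public address and fail once public access is disabled.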
Domain Coverage
Difficulty Breakdown