Domain 2: Secure storage, databases, and networking

Choosing the Right Network Boundary: A Decision Tree

A synthesis module for Domain 2 — when to use NSGs, Application Security Groups, Private Endpoints, Service Endpoints, Azure Firewall (Basic/Standard/Premium), vWAN secured hub, AVNM security admin rules, S2S/P2S VPN, or Microsoft Entra Private Access — with a decision tree that maps SC-500 scenarios to the right network construct.

One decision tree to bind them

Simple explanation

Domain 2 covered nine network constructs. The exam tests whether you can pick the right one — or the right combination — for a given scenario. This module condenses that into a decision tree and a scenario matrix.

Quick mental model:

  • Inside a VNet, between subnets → NSGs (with ASGs for labelled grouping)
  • Across many VNets, tenant-wide invariants → AVNM security admin rules
  • VNet ↔ Azure PaaS service privately → Private Endpoint + private DNS
  • VNet ↔ Internet (or VNet ↔ VNet via hub) with inspection → Azure Firewall
  • Hub-and-spoke / multi-region with central inspection → vWAN Secured Virtual Hub
  • Branch site ↔ Azure → S2S VPN (cheap) or ExpressRoute (private circuit)
  • Remote user ↔ Azure network → P2S VPN with Entra auth (still tunnel) OR Entra Private Access (ZTNA — preferred)
  • Publishing your service privately to consumer tenants → Private Link Service

The scenario-to-construct matrix

Domain 2 decision matrix — scenario hint → primary construct + common layered combinations

| Scenario hint | Primary construct | Often combined with |
|---|---|---|
| 'Block management ports tenant-wide regardless of subnet teams' | AVNM Security Admin rule (Deny intent) | NSGs for subnet-level granularity |
| '3-tier app, label-based segmentation, single VNet' | NSGs + ASGs | Service tags for Microsoft service ranges |
| 'Storage / KV / SQL with no public endpoint, reachable only from VNet' | Private Endpoint + private DNS zone linked to VNet | Disable public network access on the resource |
| 'Central outbound inspection with TLS decryption and URL category filtering' | Azure Firewall Premium | vWAN Secured Hub or hub VNet; routing intent |
| 'Three regions, hub-and-spoke, central inspection per region' | vWAN with Secured Virtual Hubs in each region | Routing intent; Firewall Manager hierarchical policy |
| 'Branch offices connect to Azure over the internet' | S2S VPN | BGP, Active-Active for HA, hub Firewall for inspection |
| 'Branch offices connect to Azure over a dedicated private circuit' | ExpressRoute (with private peering) | vWAN hub or VNet gateway |
| 'Remote staff need to reach internal app servers — no inbound VPN endpoint, identity-aware per-app' | Microsoft Entra Private Access (ZTNA) | Conditional Access policies per published app |
| 'Publish our SaaS to customer tenants privately, no internet exposure' | Private Link Service (behind Standard LB) | Customers create Private Endpoints to our PLS |
| 'Diagnose why VM A can't reach VM B' | Network Watcher Connection Troubleshoot | Effective Security Rules, NSG Flow Logs |
| 'Inspect known-bad IP outbound traffic and block it' | Azure Firewall threat intelligence (Standard+, Deny mode) | Sentinel ingestion of Firewall logs for SOC correlation |

Three high-leverage layering patterns

1. “Modern PaaS lockdown”

The pattern for any PaaS resource that shouldn’t be on the internet:

  1. Disable public network access on the resource (Storage / KV / SQL / Cosmos / etc.)
  2. Private Endpoint in the consumer VNet, sub-resource as appropriate
  3. Private DNS zone linked to the consumer VNet (and peered VNets that need to resolve)
  4. Identity-layer auth with managed identity + Azure RBAC data-plane roles
  5. NSGs on the consumer subnet restricting outbound to the PE CIDR + required Azure services
  6. Defender plan for the service (Defender for Storage / KV / Databases / etc.) for threat detection

Five layers. The SC-500 right answer for “highest-assurance access to PaaS service” is usually all of them.
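Steps 1–3 of this pattern expressed as Bicep, added here as an illustration and not the module's own code. It assumes an existing consumer VNet and subnet (passed in by resource ID), uses a storage account's blob sub-resource as the PaaS target, and uses placeholder names; steps 4–6 (RBAC role assignment, subnet NSG, Defender plan) are configured separately.

```bicep
// Added example (not the module's own code): pattern 1 "Modern PaaS lockdown", steps 1-3,
// for a storage account. Assumes an existing consumer VNet/subnet; names are placeholders.
param location string = resourceGroup().location
param storageAccountName string   // placeholder; must be globally unique
param subnetId string             // existing consumer subnet resource ID
param vnetId string               // existing consumer VNet resource ID

// Step 1: no public-network access; shared-key auth off so only Entra RBAC remains.
resource sa 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: storageAccountName
  location: location
  sku: { name: 'Standard_LRS' }
  kind: 'StorageV2'
  properties: {
    publicNetworkAccess: 'Disabled'
    allowSharedKeyAccess: false
    networkAcls: { defaultAction: 'Deny', bypass: 'None' }
  }
}

// Step 2: Private Endpoint in the consumer subnet, blob sub-resource.
resource pe 'Microsoft.Network/privateEndpoints@2023-05-01' = {
  name: '${storageAccountName}-blob-pe'
  location: location
  properties: {
    subnet: { id: subnetId }
    privateLinkServiceConnections: [
      { name: 'blob', properties: { privateLinkServiceId: sa.id, groupIds: [ 'blob' ] } }
    ]
  }
}
// Step 3: private DNS zone linked to the VNet; the zone group writes the PE's A record
// into it. Leaving the zone group out is the "PE without DNS" trap from this module.
resource zone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: 'privatelink.blob.${environment().suffixes.storage}'
  location: 'global'
}
resource link 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  parent: zone
  name: 'consumer-vnet-link'
  location: 'global'
  properties: { registrationEnabled: false, virtualNetwork: { id: vnetId } }
}
resource zoneGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2023-05-01' = {
  parent: pe
  name: 'default'
  properties: {
    privateDnsZoneConfigs: [ { name: 'blob', properties: { privateDnsZoneId: zone.id } } ]
  }
}
```

After deployment, resolving the account's blob FQDN from inside the VNet should return the Private Endpoint's private IP; a public IP means the zone or its VNet link is missing.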

2. “Central egress inspection at scale”

For tenant-scale outbound inspection:

  1. vWAN Secured Virtual Hubs per region, with integrated Azure Firewall Premium
  2. Routing intent: private + internet → Firewall
  3. Firewall Manager hierarchical policies (base + child)
  4. NSGs on application subnets with default-deny outbound to Internet service tag (defence in depth)
  5. Diagnostic settings to Sentinel workspace for SOC visibility

3. “Modern remote access”

For replacing P2S VPN with Zero Trust:

  1. Microsoft Entra Private Access with connectors in each application’s VNet (HA pair)
  2. Conditional Access policies per published app (require compliant device + phishing-resistant MFA + low sign-in risk)
  3. Global Secure Access client deployed to remote-user devices via Intune
  4. Decommission classical P2S VPN once parity is reached — remove inbound exposure

Combination trap questions

The SC-500 exam likes “which TWO of these would best fit” or “what’s the BEST combination” questions for network scenarios. Patterns to recognise:

  • PE + DNS zone — always combine; PE without DNS is the most common trap
  • AVNM Security Admin + NSG — central rules + local fine-grained
  • Azure Firewall + NSG outbound deny default — defence in depth at hub and subnet
  • EPA + Conditional Access per app — identity layer always combined with the network layer
  • Defender plan + workload-specific control — Defender for Storage on top of PE+RBAC; Defender for SQL on top of Entra-only auth

When MORE constructs is the wrong answer

Sometimes the trap is over-engineering. Scenarios that read ‘simple cost-sensitive small org’ typically reward simpler constructs:

  • NSGs only (no Firewall) for L3/L4 segmentation
  • Service Endpoints (legacy but cheaper than PE) for low-assurance PaaS access
  • Azure Firewall Standard or Basic (not Premium) when TLS inspection isn’t needed
  • P2S VPN with Entra auth (not full EPA rollout) for a small remote team

The exam rewards ‘right-sized for the scenario’. If the scenario emphasises cost-sensitivity, simplicity, or small scale, the simpler answer is the right answer — even if it isn’t the most secure on paper.

Key terms

Question

When to use NSGs vs AVNM Security Admin rules?

Answer

NSGs: subnet/NIC scope, per-VNet, local-team control, normal Allow/Deny composition. AVNM Security Admin rules: multi-VNet scope, central tenant control, AlwaysAllow/Deny intents OVERRIDE NSGs. Use AVNM for tenant-wide invariants; use NSGs for subnet-specific allow lists. They compose — AVNM evaluated first, then NSGs.

Question

When to use Private Endpoint vs Service Endpoint?

Answer

Private Endpoint: PaaS resource gets a private IP in your VNet; public endpoint can be disabled; backbone-only traffic; modern default. Service Endpoint: PaaS resource stays on its public endpoint but firewall allowlists your subnet via service tag; legacy pattern. PE is the SC-500 preferred answer for new deployments.

Question

When to use Azure Firewall Premium vs Standard?

Answer

Premium: TLS inspection (decrypt outbound TLS), full URL filtering with web categories, full IDPS. Required for regulated content inspection. Standard: Microsoft threat intel, FQDN filtering for HTTP/HTTPS/MSSQL, limited IDPS. Sufficient for most mainstream enterprise scenarios. Basic: cost-optimised for small/dev — limited features.

Question

When to use Entra Private Access vs P2S VPN?

Answer

EPA (preferred): per-application identity-based access, no inbound VPN endpoint, Conditional Access per-app. P2S VPN: network-tunnel access (user joins the network), inbound VPN concentrator on public IP, Conditional Access at sign-in (not per-app). EPA is the modern Zero Trust replacement; P2S VPN is legacy compatibility.

Knowledge check

Asha at Aurora Health Service is locking down a new Azure SQL Managed Instance: must be reachable only from the hospital VNet, no internet exposure, with Entra-only auth and threat protection. Which combination of SC-500 constructs is correct?

Ravi at Maple Genomics is connecting 25 remote researchers to internal Foundry apps. The CISO wants Zero Trust β€” no inbound VPN endpoint, identity-aware per-application enforcement, Conditional Access. Which construct?

Esme at Northwind Bank wants to enforce 'no inbound traffic from the public internet to TCP/3389 or TCP/22 to ANY Azure subnet, ever, tenant-wide, regardless of NSG rules that subnet teams configure'. Which construct fits?

Domain 2 wrap-up

You’ve covered:

  • Storage account security + Defender for Storage
  • Azure SQL platform hardening + Defender for Databases
  • NSGs + ASGs + Azure Virtual Network Manager
  • Azure Virtual WAN + Secured Virtual Hub
  • VPN + Microsoft Entra Private Access
  • Private Endpoints + Private Link
  • Azure Firewall + Network Watcher
  • This synthesis decision module

Together with Domain 1 (identity, governance, Key Vault), Domain 3 (compute + AI security), and Domain 4 (posture and monitoring), that’s the full SC-500 study guide.

Good luck on the exam. If anything here helped, come say hi on YouTube — and if you’re hitting practice mode, the $9 practice exam ships in a follow-up release with 200 original scenario-driven questions across all four domains.