
Answer-first summary for fast verification
Answer: a server-level firewall IP rule
## Detailed Explanation

To restrict access to the analytical data store so that only users from the Litware on-premises network can access it, the optimal solution is **a server-level firewall IP rule**.

### Why Option C is Correct:

**Server-Level Firewall IP Rule** provides comprehensive protection at the server level, meaning all databases and resources managed by that server inherit the same access restrictions. This approach:

- **Blocks all external access** by default and only permits connections from specified IP addresses
- **Applies to all databases** on the server, including system databases like master and any future analytical databases
- **Uses public endpoints** which aligns with the scenario since Litware does not plan to implement Azure ExpressRoute or VPN connectivity
- **Provides centralized management** - a single rule controls access to all server resources
- **Follows Azure SQL Database security best practices** for scenarios where multiple databases share the same access requirements

### Why Other Options Are Less Suitable:

**Option A (Server-level virtual network rule)**: This requires Azure Virtual Network integration, which contradicts the scenario since Litware explicitly states they don't plan to implement VPN or ExpressRoute connectivity between on-premises and Azure.

**Option B (Database-level virtual network rule)**: Similar to Option A, this requires virtual network connectivity that isn't planned, and it only protects individual databases rather than the entire server.

**Option D (Database-level firewall IP rule)**: While this follows the principle of least privilege, it's insufficient because:

- It only protects individual databases
- System databases (like master) would remain exposed
- Multiple rules would be needed for different databases
- Management overhead increases with each additional database

### Key Considerations:

The scenario emphasizes preventing external access entirely, which makes server-level protection more appropriate than database-level granularity. Since there's no virtual network connectivity planned, IP-based firewall rules at the server level provide the most effective and comprehensive security solution.
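As an added illustration (not part of the original explanation), the T-SQL below creates a server-level firewall IP rule and then audits the rules that could still widen access. The rule name `litware-onprem` and the 203.0.113.0 to 203.0.113.255 range are constructed placeholders for the public egress addresses of the on-premises network.

```sql
-- Connect to the master database of the logical server before running this part.
-- The range below is constructed (documentation address space); replace it with
-- the public addresses the on-premises network uses to reach Azure.
EXECUTE sp_set_firewall_rule
    @name = N'litware-onprem',
    @start_ip_address = '203.0.113.0',
    @end_ip_address = '203.0.113.255';

-- Audit every server-level rule. Any rule other than the on-premises one
-- admits additional source addresses. A 0.0.0.0 to 0.0.0.0 rule is how the
-- "Allow Azure services and resources to access this server" setting is stored.
SELECT name,
       start_ip_address,
       end_ip_address,
       CASE
           WHEN name = N'litware-onprem' THEN 'expected'
           WHEN start_ip_address = '0.0.0.0'
                AND end_ip_address = '0.0.0.0' THEN 'allows Azure services'
           ELSE 'review'
       END AS finding
FROM sys.firewall_rules
ORDER BY name;

-- Connect to each user database and run this part separately.
-- Database-level rules are evaluated before server-level rules, so a leftover
-- database-level rule can admit addresses the server-level rule does not.
SELECT name, start_ip_address, end_ip_address
FROM sys.database_firewall_rules
ORDER BY name;

-- To remove an unexpected server-level rule (run in master):
-- EXECUTE sp_delete_firewall_rule @name = N'<rule name to remove>';
```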
Author: LeetQuiz Editorial Team
What should you recommend to restrict access to the analytical data store so that only users connected from the Litware on-premises network can access it?
- A. a server-level virtual network rule
- B. a database-level virtual network rule
- C. a server-level firewall IP rule
- D. a database-level firewall IP rule