Microsoft Azure Architect Design (AZ-304) Practice Test

When deploying multiple VMs for an application across different regions, which storage solution should be configured for encryption?

• A. A centralized Azure Storage account
• B. Azure Files with tiered storage
• C. Managed disks with BitLocker
• D. Azure Blob Storage with SAS tokens

The correct answer is: Managed disks with BitLocker

The recommended approach for encrypting storage in a scenario involving multiple VMs deployed across different regions is the use of managed disks with BitLocker. Managed disks provide a highly available and scalable way to manage disks in Azure. When you enable encryption for managed disks using BitLocker, it ensures that your data at rest is secure. This means that even if someone were to gain unauthorized access to the physical storage medium, they would not be able to read the stored data without the proper encryption keys. BitLocker provides strong encryption capabilities and integrates seamlessly with Azure's built-in key management options, such as Azure Key Vault. This makes it easier to manage encryption keys securely while maintaining compliance with various regulations regarding data protection. A centralized Azure Storage account, Azure Files with tiered storage, or Azure Blob Storage with SAS tokens, while they each have their merits, do not provide the same level of sophisticated disk encryption for individual VM usage as managed disks with BitLocker. Additionally, Azure Blob Storage does offer encryption-at-rest, but it's not as granular or integrated with VM-specific scenarios as managed disks using BitLocker.