Question 25
Domain 7: Ensuring Data Security and Compliance
Databricks must connect to an internal operational database without exposing that database broadly to the public internet. Which pattern is preferred?
Correct answer: D
Explanation
Private network connectivity keeps the operational database off the public internet while still allowing Databricks to reach it. Tightly scoped egress rules limit outbound access to only the required destination, matching the principle of least privilege and reducing exposure compared with public access.
Why each option is right or wrong
A. Open the source database to 0.0.0.0/0 and rotate passwords weekly
Opening to all internet addresses creates unnecessary exposure; password rotation does not replace network isolation.
B. Email a CSV export every hour instead of creating connectivity
CSV email exports are a brittle data-transfer workaround, not secure application connectivity.
C. Store the database password in a notebook and connect over public IPs
Hardcoding credentials and using public IP connectivity both weaken security controls.
D. Use private network connectivity and tightly scoped egress rules instead of public access
The preferred pattern is to keep the database reachable only over a private path and restrict outbound traffic to the specific database endpoint, because exposing an internal operational database to the public internet would defeat network segmentation and least-privilege controls. In practice, this means using private connectivity such as VPC/VNet peering, PrivateLink/Private Endpoint, or equivalent private routing, with firewall/security-group egress rules limited to the database host, port, and CIDR rather than allowing broad internet access.