Microsoft Azure Architect Design (AZ-301) Practice Exam

Network Security Groups (NSGs) are the most appropriate choice for preventing two virtual machines from accessing the Internet in Azure. NSGs are used to implement access control policies based on a set of rules that allow or deny traffic to and from Azure resources. By configuring NSGs to restrict outbound Internet traffic, you can ensure that the virtual machines remain isolated from external networks, effectively protecting the sensitive data they store.

NSGs can be assigned to individual network interfaces, subnets, or only to specific resources, providing granular control over the traffic flow. This capability is crucial for maintaining security, especially when handling sensitive information, as it minimizes the exposure of the virtual machine’s data to potential online threats.

The other options do not provide the same level of direct control or are not specifically designed to restrict Internet access. For instance, Source Network Address Translation (SNAT) is related to the management of outgoing connections rather than implementing direct access controls. Azure Virtual Network Integration facilitates the connection between cloud services and an Azure virtual network but does not inherently limit Internet access, and Azure ExpressRoute is used for creating private connections to Azure that bypass the public Internet, which, while secure, does not prevent virtual machines from accessing the Internet if configured so.