Microsoft Certified: Azure Fundamentals (AZ-900) Practice Exam

The service that sends encrypted traffic between an Azure virtual network and an on-premises location over the public Internet is the VPN Gateway. This service enables secure communication by establishing a Virtual Private Network (VPN) connection, which encrypts the data traffic between the resources in Azure and the on-premises environment. This is particularly important for ensuring that sensitive information is protected while traversing a public network, mitigating risks associated with data breaches or unauthorized access.

A Public Load Balancer primarily deals with distributing network traffic across multiple virtual machines or services but does not handle encryption or secure connections. An Internal Load Balancer is used to balance traffic within a private network and does not facilitate communication with on-premises networks or the public Internet. Network Security Groups, while they provide a way to control the flow of traffic and enhance security within Azure environments, do not themselves establish VPN connections or encrypt traffic. Thus, the VPN Gateway is the correct service for creating secure, encrypted tunnels for data transfer between Azure and on-premises locations.