
Exam AZ-700 topic 2 question 47 discussion

Actual exam question from Microsoft's AZ-700
Question #: 47
Topic #: 2

SIMULATION

Username and password

Use the following login credentials as needed:

To enter your username, place your cursor in the Sign in box and click on the username below.

To enter your password, place your cursor in the Enter password box and click on the password below.

Azure Username: [email protected]

Azure Password: xxxxxxxxxx

If the Azure portal does not load successfully in the browser, press CTRL-K to reload the portal in a new browser tab.

The following information is for technical support purposes only:

Lab Instance: 12345678

You need to ensure that only hosts on VNET1 can access the storage123456789 storage account. The solution must ensure that access occurs over the Azure backbone network.

To complete this task, sign in to the Azure portal.
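The task asks for a storage account that only hosts on VNET1 can reach, with traffic staying on the Azure backbone. The discussion below argues over two ways to get there: a service endpoint on the VNET1 subnet with the storage firewall set to deny by default, or a private endpoint in VNET1 with public network access disabled. The following is an added example, not part of the exam question or of Microsoft's documentation: a checker that takes a storage account in the shape printed by `az storage account show` and reports what still admits hosts outside VNET1 under either route. It assumes the CLI's field names (`publicNetworkAccess`, `networkRuleSet.defaultAction`, `ipRules[].value`, `virtualNetworkRules[].virtualNetworkResourceId`, `privateEndpointConnections[].privateEndpoint.id`); the private-endpoint-to-subnet map, the resource IDs and the sample accounts are constructed for the example.

```python
"""Added example: check that an Azure Storage account only admits hosts on one VNet.

Input is a dict in the shape of `az storage account show` output (assumption:
the publicNetworkAccess, networkRuleSet and privateEndpointConnections keys as
the CLI prints them). All resource IDs and sample accounts here are constructed.
"""
import re

# ARM resource ID of a virtual network or one of its subnets
VNET_ID_RE = re.compile(
    r"^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/Microsoft\.Network"
    r"/virtualNetworks/(?P<vnet>[^/]+)(?:/subnets/(?P<subnet>[^/]+))?$",
    re.IGNORECASE,
)


def vnet_of(resource_id):
    """Return the VNet name embedded in a VNet or subnet resource ID, or None."""
    m = VNET_ID_RE.match(resource_id or "")
    return m.group("vnet") if m else None


def check_storage_access(account, allowed_vnet, pe_subnets=None, peered_vnets=()):
    """Return (ok, findings) for "only hosts on allowed_vnet may reach the account".

    pe_subnets maps each private endpoint resource ID to its subnet resource ID
    (gathered separately, e.g. from `az network private-endpoint show`), since
    the storage account only lists private endpoint IDs. peered_vnets names VNets
    peered with allowed_vnet: their hosts can reach a private endpoint in
    allowed_vnet unless an NSG blocks them.
    """
    pe_subnets = pe_subnets or {}
    findings = []
    rules = account.get("networkRuleSet") or {}

    # Private endpoint route: every private endpoint must sit in the allowed VNet.
    pe_in_vnet = 0
    for conn in account.get("privateEndpointConnections") or []:
        pe_id = (conn.get("privateEndpoint") or {}).get("id", "")
        subnet_id = pe_subnets.get(pe_id)
        if subnet_id is None:
            findings.append(f"private endpoint {pe_id}: subnet unknown, VNet not verified")
        elif vnet_of(subnet_id) != allowed_vnet:
            findings.append(f"private endpoint {pe_id} is in {vnet_of(subnet_id)}, not {allowed_vnet}")
        else:
            pe_in_vnet += 1
    if pe_in_vnet and peered_vnets:
        findings.append("private endpoint reachable from peered VNets "
                        f"{', '.join(peered_vnets)} unless an NSG blocks them")

    # Public endpoint route (service endpoint + storage firewall): deny by default,
    # no IP rules, and only subnets of the allowed VNet in the allow list.
    vnet_rules_ok = 0
    if account.get("publicNetworkAccess", "Enabled") == "Enabled":
        if rules.get("defaultAction") != "Deny":
            findings.append("defaultAction is not Deny: any client can use the public endpoint")
        for ip_rule in rules.get("ipRules") or []:
            findings.append(f"IP rule {ip_rule.get('value')} admits hosts outside {allowed_vnet}")
        for vnet_rule in rules.get("virtualNetworkRules") or []:
            rid = vnet_rule.get("virtualNetworkResourceId", "")
            if vnet_of(rid) == allowed_vnet:
                vnet_rules_ok += 1
            else:
                findings.append(f"VNet rule {rid} is not a subnet of {allowed_vnet}")
    # With publicNetworkAccess Disabled the firewall rules are irrelevant:
    # only private endpoints can reach the account.

    if not pe_in_vnet and not vnet_rules_ok:
        findings.append(f"no path from {allowed_vnet}: add a service endpoint rule or a private endpoint")
    return (not findings, findings)


# Constructed sample data (placeholder subscription, resource group and names).
VNET1_SUBNET = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-lab"
                "/providers/Microsoft.Network/virtualNetworks/VNET1/subnets/default")
VNET2_SUBNET = VNET1_SUBNET.replace("VNET1", "VNET2")
PE_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-lab"
         "/providers/Microsoft.Network/privateEndpoints/pe-storage")

# Service endpoint route, firewall locked to VNET1/default
SERVICE_ENDPOINT_OK = {
    "publicNetworkAccess": "Enabled",
    "networkRuleSet": {"bypass": "AzureServices", "defaultAction": "Deny", "ipRules": [],
                       "virtualNetworkRules": [{"virtualNetworkResourceId": VNET1_SUBNET}]},
    "privateEndpointConnections": [],
}
# Same, but an IP rule and a VNET2 subnet were added later
SERVICE_ENDPOINT_LEAKY = {
    "publicNetworkAccess": "Enabled",
    "networkRuleSet": {"defaultAction": "Deny", "ipRules": [{"value": "203.0.113.0/24"}],
                       "virtualNetworkRules": [{"virtualNetworkResourceId": VNET1_SUBNET},
                                               {"virtualNetworkResourceId": VNET2_SUBNET}]},
    "privateEndpointConnections": [],
}
# Private endpoint route, public access disabled (firewall rules then do not matter)
PRIVATE_ENDPOINT_OK = {
    "publicNetworkAccess": "Disabled",
    "networkRuleSet": {"defaultAction": "Allow", "ipRules": [], "virtualNetworkRules": []},
    "privateEndpointConnections": [{"privateEndpoint": {"id": PE_ID}}],
}
PE_SUBNETS = {PE_ID: VNET1_SUBNET}

if __name__ == "__main__":
    for name, acct in [("service endpoint", SERVICE_ENDPOINT_OK),
                       ("leaky service endpoint", SERVICE_ENDPOINT_LEAKY),
                       ("private endpoint", PRIVATE_ENDPOINT_OK)]:
        ok, findings = check_storage_access(acct, "VNET1", PE_SUBNETS)
        print(name, "OK" if ok else "FAIL", *findings, sep="\n  ")
```

The checker makes the two arguments in the thread concrete: a service endpoint only restricts access to VNET1 if the firewall's default action is Deny and nothing else is on the allow list, while a private endpoint only restricts it if public network access is disabled and no peered VNet can route to the endpoint.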

Suggested Answer:

Comments

aBAN
Highly Voted 1 year, 10 months ago
The question says 'only hosts on VNET1' -> private endpoint. With a service endpoint, storage can be accessed over the internet.
upvoted 7 times
Lazylinux
1 year, 5 months ago
Totally INCORRECT - please read before you write so you can understand what you are writing!! Virtual Network (VNet) service endpoint provides secure and direct connectivity to Azure services over an optimized route over the Azure backbone network. Endpoints allow you to secure your critical Azure service resources to only your virtual networks. Service Endpoints enable private IP addresses in the VNet to reach the endpoint of an Azure service without needing a public IP address on the VNet. https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview
upvoted 4 times
DC095
6 months ago
So, two issues with your response. While, yes, traffic does traverse the Azure backbone via service endpoints, traffic still ingresses via the Azure PaaS service public interface. Using a private endpoint will rewrite the CNAME record for the Azure storage instance to resolve to the FQDN of the private endpoint, which removes all access to the instance over the public interface. Second, without service endpoint policies in place, a service endpoint applies to traffic bound for all instances of an Azure PaaS service and not just a single instance.
upvoted 3 times
Sergovladi
3 months, 3 weeks ago
Incorrect! The task says "You need to ensure that only hosts on VNET1 can access the storage". This can be achieved only via Service Endpoint because Private Endpoint can allow you to configure further access to the storage from on-premises, etc.
upvoted 1 times
RabbitB
10 months, 3 weeks ago
Great!
upvoted 1 times
ubdubdoo
1 year, 10 months ago
Private endpoints seem correct: https://learn.microsoft.com/en-us/azure/storage/common/storage-private-endpoints
upvoted 1 times
MrIMG
Highly Voted 2 years ago
You can also use Service Endpoints: https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security?toc=%2Fazure%2Fvirtual-network%2Ftoc.json&tabs=azure-portal#grant-access-from-a-virtual-network + you need Service Endpoint Policies: https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoint-policies-overview
upvoted 5 times
Ben_88
1 year, 10 months ago
The only condition is that the traffic stays in the backbone (not specifically in the VNet), so yeah, service endpoint fits too.
upvoted 2 times
JohnAvlakiotis
1 year, 11 months ago
This should be the only solution as it states that the access should happen over the Azure backbone. Service Endpoint is the correct option.
upvoted 2 times
CristianM99
1 year, 9 months ago
Actually, private endpoint traffic is also on the Azure backbone. The difference is the interface created in the VNET to receive the traffic. So I think both service endpoints and private endpoints are correct answers.
upvoted 1 times
tc0369
Most Recent 1 month, 2 weeks ago
1. Create a storage service endpoint on the VNet subnet; 2. From the storage account, restrict access from the selected VNet (Security + networking -> Networking).
upvoted 1 times
cda26aa
12 months ago
I think in this case the answer is Private Endpoint because you want to restrict access to that specific storage instance.
upvoted 2 times
SilverFox22
1 year ago
I asked this to ChatGPT and it selected Private Endpoint. To summarize: With a service endpoint, you are allowing access from any subnet within your VNET or any virtual network that's been granted access. It doesn't restrict to a specific subnet or set of IPs within your VNET. Given your requirement to restrict access to only hosts on VNET1 and to ensure access over the Azure backbone network, a Private Endpoint is the correct choice.
upvoted 1 times
mjk666
1 year, 1 month ago
Whenever we face a dilemma like this, I would go for the cheaper option, hence Service Endpoint.
upvoted 1 times
Lazylinux
1 year, 5 months ago
I would NORMALLY go for Service Endpoint, 3 reasons: 1- SP enables private IP addresses in the VNet to reach the endpoint of the resource/Azure service without needing a public IP, done via the Azure backbone network. 2- SP allows you to choose all subnets in the VNet, whereas with Private Endpoint you are restricted to one subnet and hence not ALL subnets in the VNet are allowed! 3- You can use an SP policy to further restrict access to the VNet in question ONLY. Of course this is ONLY effective if you first DISABLED public access at the networking option of the storage account, and once that is done then by default the FW at storage level will BLOCK all traffic unless explicitly allowed via SP or Private Endpoint. https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview
upvoted 2 times
Lazylinux
1 year, 5 months ago
Following further - reached the word limit. HOWEVER, if you are following the Microsoft WAY then the answer is Private Endpoint, and confusingly I will be going this way in the exam based on this paragraph from the MS link above. Note: Microsoft recommends use of Azure Private Link and private endpoints for secure and private access to services hosted on the Azure platform. Azure Private Link provisions a network interface into a virtual network of your choosing for Azure services such as Azure Storage or Azure SQL.
upvoted 1 times
cschefer
1 year, 7 months ago
Can I use the Storage Account Firewall to permit access only to VNET1?
upvoted 1 times
jakubklapka
1 year, 7 months ago
I got this one today. Service Endpoint would be sufficient, as others mentioned. But in my exam I had actually created a Private Endpoint into VNET1 as part of a previous task (all lab tasks are in one environment), and also I had peering from VNET1 to some others as part of a different task. So in my case, Service Endpoint won't do it, because other VNets could access the storage via peering and the private endpoint. In this setup, it would need an intricate setup of NSGs and Private Endpoint policies. At the end, I figured that MS just didn't think through that combination (as other tasks were quite easy) and I created a Service Endpoint.
upvoted 1 times
IE17
1 year, 7 months ago
Please correct me if I am wrong, the provided answer here is correct, which was creating a private endpoint to the storage acct. Thanks
upvoted 1 times
IE17
1 year, 7 months ago
I mean inside the storage creation.
upvoted 1 times
magnem66
1 year, 7 months ago
Wouldn't you need to use a Service Endpoint, as Private Endpoints are applied to a subnet?
upvoted 2 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other