Exam AZ-500 topic 6 question 15 discussion

1- Yes To restrict inbound traffic to SQL1, you must modify an access rule in NSG1 as the NSG controls the traffic. 2- To enable VM1 to access storage1 by using the Microsoft backbone network, you must enable a service endpoint on the Default subnet. Yes: Service endpoints provide secure and direct connectivity to Azure services over the Microsoft Azure backbone network. Enabling a service endpoint for Microsoft.Storage on the Default subnet would ensure that traffic from VM1 to storage1 stays on the Microsoft backbone network. 3- You can deploy an App Service Environment to the Default subnet. No: Typically, an App Service Environment requires a dedicated subnet without any other resources deployed to it. The Default subnet may already contain other resources, and it's not dedicated solely to the App Service Environment. https://learn.microsoft.com/en-us/azure/app-service/overview-vnet-integration

Y/Y/N 1- Y 2- Y, S2S VPN is between VNet1 and the remote network, hence, we need Service Endpoint for the connection between VM1 and Storage1 as the VPN connection is not related to our connection here. 3 - N - Regarding third point, check this link: https://learn.microsoft.com/en-us/azure/app-service/environment/creation App Service Environment is a single-tenant deployment of Azure App Service. You use it with an Azure virtual network. You need one subnet for a deployment of App Service Environment, and this subnet can't be used for anything else.

How do we know that the Default Subnet has 0 resources in it?

and as always stupid wording in the questions... 'you must' - no, you do not must enable by modifying NSG as you can also create a rule directly on SQL, and you do not must enable service endpoint as you may create private endpoint instead... ... in some questions single word usage is totally changing the answer - i wonder if this is one of these questions?

YES / YES / NO 1: SQL1 is in SQL subnet which has NSG1 assigned, to clearly yes. 2: The wording indicates the SQL subnet "contains [only] SQL1", the GatewaySubnet cannot be used by anything but the gateway, so VM1 must be on the Default subnet. A service endpoint will enable VM1 to access storage1 over the Microsoft backbone network. It will bypass the "forced tunneling" because it creates a more specific route. 3: No, since VM1 is already in that subnet (see 2).

Answer: Yes Explanation: Since NSG1 is associated with the SQL subnet, modifying an access rule in NSG1 would be required to restrict inbound traffic to SQL1. To enable VM1 to access storage1 by using the Microsoft backbone network, you must enable a service endpoint on the Default subnet. Answer: No Explanation: VM1 is on VNet1, and enabling a service endpoint on the subnet where VM1 resides (not necessarily the Default subnet) would be required. There is no indication that VM1 is on the Default subnet. You can deploy an App Service Environment to the Default subnet. Answer: No Explanation: App Service Environments require a dedicated subnet that is not shared with other resources and has specific configurations. The Default subnet does not meet these requirements. Conclusion: Statement 1: Yes Statement 2: No Statement 3: No

1. Y 2. Y 3. N

Regarding 1: The default of an NSG is to block all incoming traffic. So, no need to restrict from outside requests. But it has an allow rule for traffic inside vnet. If you need to restrict the inter-vnet traffic you have to change the rule. So now everyone can decide what the question in mentioning about.

Y/Y/N Service endpoints provide optimal routing for Azure traffic. Endpoints always take service traffic directly from your virtual network to the service on the Microsoft Azure backbone network.24 avr. 2023

ans: YYN

y= YOU RESTRICT ACCESS TO SQL VIA ITS NSG n = THERE IS NO NEED TO CREATE A SERVICE ENDPOINT SEEING AS ALL RESOURCES ARE NOT ONLY ON THE SAME SUBNET BUT THERE IS A VPN TUNNEL VIA ON-PREM AND AZURE n = THERE ARE THREE SUBNETS. ONE FOR SQL, THE OTHER FOR THE VPN GATEWAY N THE OTHER FOR VM 1 WHICH IS THE DEFAULT SUBNET. ASE MUST BE DEPLOYED ONTO ITS OWN SUBNET IN THE VNET OF YOUR CHOOSING.

given answer is correct

this is a tricky question, we dont have info about where is the vm, we can supose that is on default subnet but could be on sql subnet, so, if we think that vm is on default subnet: 1, should be yes, but we have a lot of ways to configure inbound trafic, "must" maybe is a key word here 2, if we select yes here, like Yesvanth said the next one must be 3, no im going with YYN too

Given answer is correct. #2 - Service Endpoint and S2S connection cannot co-exist. So it is NO

I think it's YYN. If option 2 is Y. The the third must be N.