Exam AZ-500 topic 3 question 31 discussion

Given answer is correct because they did not select any private network for storage access and VM1 has access via Public IP address.

In this case the answer would be NO NO NO since service endpoints are configured on the Subnets so traffic between the VM and the storage account is all internal (using private ip not public) Trusted Microsoft Services does not include Virtual Machines. Tricky question!

Y-N-N When I use service endpoints, it means that i restrict specific subnets inside the VNET to connect to that storage account. (only the selected ones are allowed) I can add a firewall rule, as the VM's public IP to connect to that storage account. Public IP can co-exist with service endpoints.

NO,NO,NO "With service endpoints, the source IP addresses of the virtual machines in the subnet for service traffic switches from using public IPv4 addresses to using private IPv4 addresses. Existing Azure service firewall rules using Azure public IP addresses will stop working with this switch." https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview

In the exam 19/07/2024

NO, NO, NO Tested and confirmed. I'm afraid the given answer in incorrect. "With service endpoints, the source IP addresses of the virtual machines in the subnet for service traffic switches from using public IPv4 addresses to using private IPv4 addresses. Existing Azure service firewall rules using Azure public IP addresses will stop working with this switch. Please ensure Azure service firewall rules allow for this switch before setting up service endpoints. You may also experience temporary interruption to service traffic from this subnet while configuring service endpoints." https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview

After reviewing the current configuration setup, I believe the answer is indeed Y,N,N. Ticking "Allow Azure Services on the trusted services list to access this storage account" does not create service endpoints, but allows Azure Services like Azure Backup to access the storage account. A private endpoint that would link directly into the vnet is not configured, hence no service endpoint connection gets established. Check this link: https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security?tabs=azure-portal#trusted-access-for-resources-registered-in-your-subscription to see what counts as a trusted azure service.

From my research on this: https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security?tabs=azure-portal#manage-exceptions By design, access to a storage account from trusted services takes the highest precedence over other network access restrictions. That said, Compute is not part of the trusted services that are allowed to access storage account based on that setting. Yes, with a virtual network with service endpoints the communication is over private IP, but those have to be listed in the exception. So, No for all from me.

Box 1: Yes - The public IP of VM1 is allowed through the firewall. Box 2: No - The allowed virtual network list is empty so VM2 cannot access storageacc1 directly. The public IP address of VM2 is not in the allowed IP list so VM2 cannot access storageacc1 over the Internet. Box 3: No - The allowed virtual network list is empty so VM3 cannot access storageacc1 directly. VM3 does not have a public IP address so it cannot access storageacc1 over the Internet.

Y,N,N Just want to talk about First one other 2 all are okey with N. Just think even service end point is enable not allowed, still public Ip is allowed. VM1 will behave like any laptop in this case outside of azure. Definitely you cannot use PRivate Ip, but public Ip will make it work for Blob

The correct answer is No, No, No. By enable service endpoint, the source IP for the VM becomes the private IP space from its VNET and not the public IP. The storage account the allows access of the allowed subnet. Ref https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview

YES NO NO

YES NO NO

Answers are correct

Replicated the scenario in lab and got No, No, No. "This request is not authorized to perform this operation. This storage account's 'Firewalls & virtual networks' settings may be blocking access to storage services. Try adding your client IP address to the firewall exceptions, or by allowing access from 'all networks' instead of 'selected networks'. " For #1 I then tested adding the private subnet and I was then able to access the storage. Removed the subnet and was blocked again. Definite answer: No, No, No.

yes,no,no

Answers are N,N,N Tested in lab env, for 1. VM uses private IP when service endpoint is configured in subnet, hence you get authorization error, even though public IP of VM is defined and whitelisted under Storage Firewall.