
Exam AZ-500 topic 3 question 53 discussion

Actual exam question from Microsoft's AZ-500
Question #: 53
Topic #: 3

HOTSPOT -
You have an Azure subscription that contains a storage account named storage1 and several virtual machines. The storage account and virtual machines are in the same Azure region. The network configurations of the virtual machines are shown in the following table.

The virtual network subnets have service endpoints defined as shown in the following table.

You configure the following Firewall and virtual networks settings for storage1:
✑ Allow access from: Selected networks
✑ Virtual networks: VNET3\Subnet3
✑ Firewall - Address range: 52.233.129.0/24

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Suggested Answer:
Box 1: No -
VNet1 has a service endpoint configured for Azure Storage. However, the Azure storage does not allow access from VNet1 or the public IP address of VM1.

Box 2: Yes -
VNet2 does not have a service endpoint configured. However, the Azure storage allows access from the public IP address of VM2.

Box 3: No -
Azure storage allows access from VNet3. However, VNet3 does not have a service endpoint for Azure storage. The Azure storage also does not allow access from the public IP of VM3.
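The suggested answer applies two conditions: a virtual network rule only matches when the subnet is both listed under "Selected networks" and carries the Microsoft.Storage service endpoint, and otherwise the VM's public IP must fall inside an IP rule. The following evaluator, added here as an example and not part of the exam item or of any Microsoft tooling, encodes those conditions and reports the decision for each VM together with the misconfigurations an auditor would flag (a listed subnet without the endpoint, an endpoint without a rule) and the documented caveat that IP rules do not take effect for same-region requests, which it raises as a warning rather than changing the decision. The region name, the subnet names Subnet1 and Subnet2 and the three public IP addresses are constructed (the question's tables are not reproduced on this page); the VNET3\Subnet3 rule, the 52.233.129.0/24 range and the endpoint assignments follow the question and the discussion.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Subnet:
    vnet: str
    name: str
    service_endpoints: tuple = ()   # e.g. ("Microsoft.Storage",) or ("Microsoft.KeyVault",)

    @property
    def id(self) -> str:
        # Same notation the portal uses: VNET3\Subnet3
        return f"{self.vnet}\\{self.name}"


@dataclass(frozen=True)
class VirtualMachine:
    name: str
    subnet: Subnet
    public_ip: str
    region: str


@dataclass(frozen=True)
class StorageFirewall:
    region: str
    default_action: str = "Deny"   # "Deny" = Selected networks, "Allow" = All networks
    vnet_rules: tuple = ()         # subnet ids, e.g. ("VNET3\\Subnet3",)
    ip_rules: tuple = ()           # CIDR ranges, e.g. ("52.233.129.0/24",)


def evaluate(vm: VirtualMachine, fw: StorageFirewall):
    """Return (allowed, reason, warnings) for one VM against the account firewall.

    A virtual network rule matches only when the subnet is listed AND has the
    Microsoft.Storage endpoint; otherwise the VM's public IP must fall inside an
    IP rule. Caveats go into warnings instead of overriding the decision.
    """
    warnings = []
    if fw.default_action == "Allow":
        return True, "default action is Allow (all networks)", warnings

    has_endpoint = "Microsoft.Storage" in vm.subnet.service_endpoints
    listed = vm.subnet.id in fw.vnet_rules
    if listed and has_endpoint:
        return True, f"virtual network rule: {vm.subnet.id} is listed and has the Microsoft.Storage endpoint", warnings
    if listed and not has_endpoint:
        warnings.append(f"{vm.subnet.id} is listed in the VNet rules but lacks the Microsoft.Storage "
                        "service endpoint, so the rule cannot match")
    if has_endpoint and not listed:
        warnings.append(f"{vm.subnet.id} has the Microsoft.Storage endpoint but is not listed; with the "
                        "endpoint enabled the service sees the subnet's private source address")

    pip = ip_address(vm.public_ip)
    for cidr in fw.ip_rules:
        if pip in ip_network(cidr, strict=False):
            if vm.region == fw.region:
                warnings.append(f"IP rule {cidr} matched from a same-region source; Azure documents that IP "
                                "rules have no effect on same-region requests, so confirm this in a lab")
            return True, f"IP rule {cidr} matches public IP {vm.public_ip}", warnings
    return False, f"{vm.subnet.id} has no usable VNet rule and {vm.public_ip} matches no IP rule", warnings


# Constructed scenario mirroring the question: one region, endpoints as the thread describes them.
REGION = "westeurope"   # constructed; the question only states that everything is in the same region
SUBNET1 = Subnet("VNET1", "Subnet1", ("Microsoft.Storage",))    # subnet name constructed
SUBNET2 = Subnet("VNET2", "Subnet2", ())                        # subnet name constructed
SUBNET3 = Subnet("VNET3", "Subnet3", ("Microsoft.KeyVault",))
STORAGE1 = StorageFirewall(region=REGION, vnet_rules=("VNET3\\Subnet3",), ip_rules=("52.233.129.0/24",))
VMS = (
    VirtualMachine("VM1", SUBNET1, "52.233.128.10", REGION),   # constructed IP, outside the allowed range
    VirtualMachine("VM2", SUBNET2, "52.233.129.10", REGION),   # constructed IP, inside the allowed range
    VirtualMachine("VM3", SUBNET3, "52.233.130.10", REGION),   # constructed IP, outside the allowed range
)


def question_scenario():
    """Evaluate the three boxes of the question; keys are VM names."""
    return {vm.name: evaluate(vm, STORAGE1) for vm in VMS}


if __name__ == "__main__":
    for name, (allowed, reason, warnings) in question_scenario().items():
        print(f"{name}: {'Yes' if allowed else 'No'} - {reason}")
        for w in warnings:
            print(f"    warning: {w}")
```

Run as a script it prints No / Yes / No for VM1, VM2 and VM3, matching the suggested answer, and attaches the same-region warning to VM2 and the missing-endpoint warning to VM3, which is exactly the pair of points the discussion below argues about. Adding "Microsoft.Storage" to Subnet3's endpoints flips VM3 to Yes, which is what the commenters who tested in a lab observed once the endpoint was enabled.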

Comments

Elazari
Highly Voted 3 years, 7 months ago
No, Yes, Yes (TESTED). VM1 cannot connect to the storage account; a service endpoint to the storage is not enough, it should be in the selected networks too. VM2 can connect to the storage: no service endpoint means it uses its public IP, and its public IP is in the firewall's allowed network. VM3 can connect to the storage: at the moment you register the subnet in the storage's selected networks, you also have to enable a service endpoint to the storage.
upvoted 49 times
palanto
3 years, 4 months ago
Hi Elazari, thanks for testing the scenario in the lab. I need clarification on your 3rd point ("you have also to enable a service end point to the storage"). It looks like you enabled the service endpoint on VNET3/Subnet3 to storage; however, this is not the given requirement. Should we consider the answer as 'No' for the 3rd question (VM3 can connect to Storage1)?
upvoted 7 times
somenick
2 years, 6 months ago
No, Yes, No (really tested). Here is how I tested:
Step 1) Storage1 without any network exceptions - all blocked. Result: VM3 can't access storage.
Step 2) I added subnet3 to the whitelist on Storage1. The Storage service endpoint is added to subnet3 automatically. Result: VM3 can access Storage1.
Step 3) I removed the Storage endpoint from subnet3 and added a KeyVault endpoint instead, as described in the question. Result: VM3 can't access Storage1.
upvoted 14 times
j410aksl
3 years, 7 months ago
Weird that Azure would go against its own documentation: "IP network rules can't be used in the following cases: To restrict access to clients in same Azure region as the storage account. IP network rules have no effect on requests originating from the same Azure region as the storage account. Use Virtual network rules to allow same-region requests. To restrict access to clients in a paired region which are in a VNet that has a service endpoint. To restrict access to Azure services deployed in the same region as the storage account. Services deployed in the same region as the storage account use private Azure IP addresses for communication. Thus, you can't restrict access to specific Azure services based on their public outbound IP address range." https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security?tabs=azure-portal
upvoted 3 times
BP_lobster
3 years ago
The test was likely run with VM2 outside the Azure Region that our storage account sat within. Will try to remember to verify this after the exam/post my results below.
upvoted 1 times
mung
2 years, 5 months ago
Guys, don't fall for this answer. I'm pretty sure that this guy set up the lab with incorrect settings. It looks like he configured the service EP with Storage, not with Key Vault. It has to be N,Y,N. Without a service EP set to Storage, you can't connect to the storage.
upvoted 24 times
mung
2 years, 5 months ago
IP is not even in range lol.
upvoted 1 times
pentium75
9 months ago
Well, yeah. You could connect with Service EP if the subnet was listed (it is but the EP is missing), OR you could connect without Service EP (to the public endpoint but that doesn't work because the IP is not listed).
upvoted 1 times
gc12345
3 years, 2 months ago
"VM3 can connect to the storage - at the moment you register the subnet to the storage selected network" --- Correct. The service EP is configured for Key Vault at VNET3, so it does not affect storage access.
upvoted 4 times
gcpbrig01
Highly Voted 4 years, 1 month ago
Answers are correct. Virtual network service endpoint configuration should always be done together with the network access configuration for the same virtual network on the service end (here, storage). Either that, or allow the public IP address of the VM that wants to connect to the storage account in the firewall section of the storage account.
upvoted 28 times
rgullini
4 years ago
Agree with you. Answers are correct.
upvoted 2 times
intimidator
3 years, 8 months ago
Isn't a new Service endpoint created automatically once you whitelist a subnet on the Storage account firewall?
upvoted 3 times
hmghmg
4 years ago
Yes, but not in the same Azure region. The answer is: NO, NO, NO
upvoted 4 times
[Removed]
3 years, 9 months ago
It's stated in the HOTSPOT: "The storage account and virtual machines are in the same Azure region."
upvoted 4 times
rgullini
4 years ago
To access a storage account from a VNET without using the public IP space, you need both: a rule and a service endpoint.
Point 1: There is a SERVICE endpoint configured for VNET1. However, the rule allows neither the internal nor the public IP.
Point 2: No endpoint, so the public IP is used, which is allowed by the rule.
Point 3: The rule allows VNET3 but there is no service endpoint. The public IP is not allowed.
https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security?tabs=azure-portal Section: Grant access from a virtual network
upvoted 21 times
flafernan
Most Recent 1 year, 5 months ago
NO, YES, NO
a) After configuring a "service endpoint" in a VNET, directing to Azure Storage for example, access will still not be possible, as it will be necessary to configure Azure Storage to allow access from the VNET; that is, there must be permissions on both sides.
b) In a second example, in which a permission is created in Storage that allows access from an IP range 10.20.30.0/24, and a VNET that is in that same range (10.20.30.52), even if the VNET does not have a service endpoint configured, access will be possible, as its IP is already on the Storage whitelist.
c) In a third example, where the storage already allows a VNET but the service endpoint is not configured, access will not be possible. Access must be configured at both ends. The exception is what was mentioned in letter "b)", as the storage allows the IP range to which the VNET belongs.
upvoted 7 times
[Removed]
1 year, 5 months ago
No Yes Yes. As soon as you add a VNET you get the following message: "The following networks don't have service endpoints enabled for 'Microsoft.Storage'. Enabling access will take up to 15 minutes to complete. After starting this operation, it is safe to leave and return later if you do not wish to wait." So there is no way you can add a VNET to the firewall list and not have a service endpoint enabled; the question itself is wrong if they are not showing the service endpoint. This has been tested in a lab.
upvoted 3 times
[Removed]
1 year, 4 months ago
Correcting my answer: it's NO YES NO. If I delete the service endpoint after adding the VNET, the access goes away.
upvoted 1 times
wardy1983
1 year, 6 months ago
Box 1: No - VNet1 has a service endpoint configured for Azure Storage. However, the Azure storage does not allow access from VNet1 or the public IP address of VM1.
Box 2: Yes - VNet2 does not have a service endpoint configured. However, the Azure storage allows access from the public IP address of VM2.
Box 3: Yes - VM3 can connect to the storage; at the moment you register the subnet to the storage selected network, you also have to enable a service endpoint to the storage.
upvoted 2 times
foobar1985
1 year, 7 months ago
Formula: ( $is_Service_endpoint_in_VNET && $is_VNET_in_Selected_network ) || $is_PIP_in_Firewall_range
BOX1: NO. (TRUE && FALSE) || FALSE -> FALSE
BOX2: YES. (FALSE && FALSE) || TRUE -> TRUE
BOX3: NO. (TRUE && FALSE) || FALSE
upvoted 3 times
heatfan900
1 year, 8 months ago
n, n, y. VM1 is not in the ALLOWED VNET list and its PUBLIC IP is not allowed either. VM2 is not in the ALLOWED VNET list but its PUBLIC IP falls within the allowed range. VM3 is in the ALLOWED VNET and its PUBLIC IP is not required to connect to the SA. The explanation here is wrong. The SERVICE ENDPOINT is configured from the NETWORK SETTINGS on the SA. If the SA can see the VNET/SUBNET and is allowing it, then it can obviously connect to it.
upvoted 2 times
heatfan900
1 year, 8 months ago
I meant n, y, y
upvoted 1 times
_fvt
1 year, 9 months ago
N-N-N.
Explanation is correct: Box 1: No - VNet1 has a service endpoint configured for Azure Storage. However, the Azure storage does not allow access from VNet1 or the public IP address of VM1.
Incorrect: Box 2: No, you cannot filter access with the public IP of Azure services deployed in the same region as the storage account. (https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security?tabs=azure-portal#grant-access-from-an-internet-ip-range)
Explanation is correct: Box 3: No - Azure storage allows access from VNet3. However, VNet3 does not have a service endpoint for Azure storage. The Azure storage also does not allow access from the public IP of VM3.
upvoted 2 times
_fvt
1 year, 8 months ago
N-N-Y. Managed to test it in a LAB. The change concerns Box 3: the answer is Yes. When you select VNET3\Subnet3, "(Service endpoint required)" is added after the name of the selected subnet, along with a disclaimer about the time required to enable the service endpoint. So the service endpoint is automatically created when you select a subnet which needs it.
upvoted 2 times
_fvt
1 year, 9 months ago
("Services deployed in the same region as the storage account use private Azure IP addresses for communication. So, you can't restrict access to specific Azure services based on their public outbound IP address range.")
upvoted 1 times
_fvt
1 year, 9 months ago
For Box 3 I am unsure, as https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security?tabs=azure-portal#grant-access-from-an-internet-ip-range says: "IP network rules have no effect on requests that originate from the same Azure region as the storage account. Use Virtual network rules to allow same-region requests." So maybe that will work...
upvoted 1 times
zellck
1 year, 12 months ago
NNY is the answer. https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security?tabs=azure-portal#grant-access-from-an-internet-ip-range You can't use IP network rules in the following cases: - To restrict access to Azure services deployed in the same region as the storage account. Services deployed in the same region as the storage account use private Azure IP addresses for communication. So, you can't restrict access to specific Azure services based on their public outbound IP address range.
upvoted 3 times
ITTesters
2 years ago
NNY. First: the subnet is not added to the allowed virtual networks. Second: the public IP range is on the allowed list, but it is blocked due to being in the same region (https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security?tabs=azure-portal#grant-access-from-an-internet-ip-range). Third: the case starts with only a Key Vault endpoint, but when adding Subnet3 to the allowed virtual networks, a service endpoint needs to be added to the subnet; after you click "enable" you can continue to add the subnet to the allow list.
upvoted 3 times
mssii
2 years, 1 month ago
Service endpoints are not mandatory to route traffic. You can configure storage accounts to allow access only from specific subnets. The allowed subnets may belong to a VNet in the same subscription, or to those in a different subscription, including subscriptions belonging to a different Azure Active Directory tenant. You can enable a service endpoint for Azure Storage within the VNet. The service endpoint routes traffic from the VNet through an optimal path to the Azure Storage service. https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security?tabs=azure-portal
upvoted 1 times
majstor86
2 years, 2 months ago
NO YES NO
upvoted 3 times
samimshaikh
2 years, 3 months ago
Tested in LAB: "The following networks don't have service endpoints enabled for 'Microsoft.Storage'. Enabling access will take up to 15 minutes to complete. After starting this operation, it is safe to leave and return later if you do not wish to wait." NYY
upvoted 2 times
Muaamar_Alsayyad
2 years, 6 months ago
N - service endpoint configured but Subnet1 is not added to the selected networks. Y - through the public IP. N - Subnet3 is added to the selected networks but the service endpoint is not configured.
upvoted 3 times
arseyam
2 years, 6 months ago
Service endpoints are used to create a shorter route that directs traffic through the Microsoft network, not through the internet. You still need to whitelist the IP address of the source machine to access the storage account, so the real reason 1 & 3 are No is the lack of IP whitelisting in the storage account firewall.
upvoted 1 times
bugimachi
2 years, 5 months ago
No, this is wrong. When you enable service endpoints, you will still need to allow the originating VNet to access the storage account, but whitelisting the IP is definitely not required.
upvoted 1 times
Pasmo
2 years, 8 months ago
Correct Answer: No Yes No
upvoted 2 times
randomaccount123
2 years, 9 months ago
I originally thought it was NYN. However, I've just realized it says the storage account and VMs are in the same region, therefore the firewall doesn't actually take effect. So it's actually NNN.
upvoted 3 times
Amit3
2 years, 9 months ago
The answer should be N,Y,N because for VNet3 there is no service endpoint configured. We need to answer based on the information given in the question, without making any assumptions.
upvoted 1 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other