Exam AZ-500 topic 5 question 49 discussion

Selected: 1. Yes 2. No 3. Yes Selected Networks for VNET1 and the exemption to allow access to the key vault, VM1 has access, VM2 doesn't. The last option, VM2 should be able to still user the ADE, the exemption only applies to the access to the key vault.

I highly disagree with the answers i see here 1 No, the vm1 has access, but we don't what access policies are set for accessing keys or secrets. 2 No, vm2 doesn't have network access and we don't know what access policies are set 3 No vm2 still doesn't have network access.

N N Y Because we just know one change was applied to the key vault access policy and it is for the Azure disk encryption, "You set the key-vault access policy to Enable access to Azure Disk Encryption for volume encryption." there is not information about the policies set for the VMs/Users

The question is about network, there is no indication about the access policies defined for user, why people assume that users have or do not have managing access to the key. So here is my point : 1. Yes VM1 is in VNET1 which have network access to the KV 2. No VM2 is in VNET2 which does not have network access to the KV 3. Yes VM2 does not have access but AllowTrusted Microsoft Services to Bypass Firewall is enabled so the VM2 can use ADE.

Explanation: 1. Yes 2. No 3. Yes Selected Networks for VNET1 and the exemption to allow access to the key vault, VM1 has access, VM2 doesn't. The last option, VM2 should be able to still user the ADE, the exemption only applies to the access to the key vault.

I think its yyy because users from the vms can manage the keyvault through the azure Portal

Should be N N Y: Sure VMs can access the vault on the network side, but the question talks about "manage" which we cannot assume from the question. Last one is Y: "You set the Key Vault access policy to Enable access to Azure Disk Encryption for volume encryption."

Y, N, N VM 1 is in VNET 1 which is allowed to access KV1. VM 2 is not allowed, therefore, can manage keys or secrets or use the KV for ADE purposes.

It is Y, N, N. Are you guys not reading the part which clearly states that the BYPASS OPTION does NOT replace the need to outline EXPLICIT PERMISSIONS in the Access Policy. VNET2 has no access to the KEY VAULT, and that includes ADE.

YNY is the answer. https://learn.microsoft.com/en-us/azure/key-vault/general/network-security#key-vault-firewall-enabled-trusted-services-only https://learn.microsoft.com/en-us/azure/key-vault/general/overview-vnet-service-endpoints#trusted-services Here's a list of trusted services that are allowed to access a key vault if the Allow trusted services option is enabled. - Azure Disk Encryption volume encryption service Allow access to BitLocker Key (Windows VM) or DM Passphrase (Linux VM), and Key Encryption Key, during virtual machine deployment. This enables Azure Disk Encryption.

N N Y When Allowed trusted MS services is set to on then access is granted. It doesn't matter which vNet the VM is in. Check list of trusted MS services and ADE is listed there so it 'bypasses' the FW. https://learn.microsoft.com/en-us/azure/key-vault/general/overview-vnet-service-endpoints#trusted-services

NO NO YES

i think the correct answer is NNY 1st and 2nd box: Users inside VMs CANNOT manage Keys even tho VM1 has connectivity to KV, to manage keys permissions needs to be set explicitly 3rd box YES cuz ADE is trsuted MS service so even if the IPs or VNETs are not whitelisted, VM can STILL access KV

@arseyam, I don't think that virtual machines are part of the azure trusted services list. https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security?tabs=azure-portal#exceptions

It looks like the question has been changed based on the comment I would go NNN

Trusted Services: ADE is included https://learn.microsoft.com/en-us/azure/key-vault/general/overview-vnet-service-endpoints#trusted-services

On exam 31st October. I selected the answers : 1.yes 2.no and 3.yes