
Exam AZ-500 topic 5 question 49 discussion

Actual exam question from Microsoft's AZ-500
Question #: 49
Topic #: 5

HOTSPOT -
You have an Azure subscription that contains an Azure key vault named KeyVault1 and the virtual machines shown in the following table.

You set the Key Vault access policy to Enable access to Azure Disk Encryption for volume encryption.
KeyVault1 is configured as shown in the following exhibit.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Suggested Answer:

Comments

wooyourdaddy
Highly Voted 3 years, 5 months ago
Selected: 1. Yes 2. No 3. Yes. Selected Networks for VNET1 and the exemption to allow access to the key vault: VM1 has access, VM2 doesn't. The last option: VM2 should still be able to use ADE; the exemption only applies to access to the key vault.
upvoted 51 times
wooyourdaddy
3 years, 5 months ago
Further to my post, the text below the table confirms / validates the 3rd answer, quote: 'You set the Key Vault access policy to Enable access to Azure Disk Encryption for volume encryption.'
upvoted 6 times
...
geuser
2 years, 7 months ago
I agree. ADE is a trusted MS service and can bypass the firewall, so VM2 can use the KV.
upvoted 1 times
...
AzureJobsTillRetire
2 years, 4 months ago
Those two IP addresses seem to, not 100% sure though, come from the same region, and that ticks the box.
upvoted 1 times
...
...
JakeCallham
Highly Voted 2 years, 8 months ago
I highly disagree with the answers I see here. 1. No: VM1 has access, but we don't know what access policies are set for accessing keys or secrets. 2. No: VM2 doesn't have network access, and we don't know what access policies are set. 3. No: VM2 still doesn't have network access.
upvoted 22 times
TheProfessor
1 year, 7 months ago
Agreed.
upvoted 1 times
...
Kelly8023
2 years, 8 months ago
Agree, No No No
upvoted 2 times
...
koreshio
2 years, 7 months ago
yes, this seems the best explanation and answer
upvoted 1 times
...
Jhill777
2 years, 6 months ago
Same. Everybody is talking about "access" when it clearly says users can "manage" all keys and secrets. I'm going no, no, no.
upvoted 5 times
...
...
Hot_156
Most Recent 3 months, 1 week ago
N N Y. Because we know only one change was applied to the key vault access policy, and it is for Azure Disk Encryption: "You set the key-vault access policy to Enable access to Azure Disk Encryption for volume encryption." There is no information about the policies set for the VMs/users.
upvoted 1 times
Hot_156
2 months, 3 weeks ago
Well, the question is based on if the user can or cannot, so I will change my answer for the first one. Y N Y
upvoted 1 times
Hot_156
2 months, 3 weeks ago
I have to laugh because of all the issues with this question. Y - They ask if users can or cannot manage access from that VM. They can, if they have the permissions. N - No access for that VNet. N - Even though "Allow trusted Microsoft services..." is set to Yes, VNet2 is not allowed on the firewall.
upvoted 2 times
...
...
...
Strive_for_greatness_kc
1 year, 4 months ago
The question is about network; there is no indication about the access policies defined for users, so why do people assume that users have or do not have managing access to the key? So here is my point: 1. Yes: VM1 is in VNET1, which has network access to the KV. 2. No: VM2 is in VNET2, which does not have network access to the KV. 3. Yes: VM2 does not have access, but Allow trusted Microsoft services to bypass the firewall is enabled, so VM2 can use ADE.
upvoted 6 times
...
[Removed]
1 year, 5 months ago
https://learn.microsoft.com/en-us/azure/key-vault/general/overview-vnet-service-endpoints#trusted-services : "Azure Disk Encryption volume encryption service: Allow access to BitLocker Key (Windows VM) or DM Passphrase (Linux VM), and Key Encryption Key, during virtual machine deployment. This enables Azure Disk Encryption." Proves 3 is Yes.
upvoted 1 times
...
wardy1983
1 year, 6 months ago
Explanation: 1. Yes 2. No 3. Yes. Selected Networks for VNET1 and the exemption to allow access to the key vault: VM1 has access, VM2 doesn't. The last option: VM2 should still be able to use ADE; the exemption only applies to access to the key vault.
upvoted 2 times
...
Caius
1 year, 6 months ago
I think it's YYY because users from the VMs can manage the key vault through the Azure portal.
upvoted 2 times
pentium75
10 months ago
but not from VM2 which is not allowed in the KV network access settings
upvoted 1 times
...
...
nox2447
1 year, 7 months ago
Should be N N Y: Sure VMs can access the vault on the network side, but the question talks about "manage" which we cannot assume from the question. Last one is Y: "You set the Key Vault access policy to Enable access to Azure Disk Encryption for volume encryption."
upvoted 1 times
pentium75
10 months ago
They can "manage" with whatever permission they have. The settings provided in the question do NOT prevent managing.
upvoted 1 times
...
...
heatfan900
1 year, 8 months ago
Y, N, N VM 1 is in VNET 1 which is allowed to access KV1. VM 2 is not allowed, therefore, can manage keys or secrets or use the KV for ADE purposes.
upvoted 1 times
heatfan900
1 year, 8 months ago
I stand corrected on question 3: Y,N,Y. FROM MICROSOFT: "No, the key vault firewall does not block a VM from encrypting a disk with Azure Disk Encryption (ADE), as long as you enable access to Microsoft Trusted Services in the key vault networking settings. This allows the VM to communicate with the key vault and retrieve the encryption keys and secrets."
upvoted 2 times
AzureAdventure
1 year, 8 months ago
Do you have a ref link to this?
upvoted 1 times
...
...
...
heatfan900
1 year, 9 months ago
It is Y, N, N. Are you guys not reading the part which clearly states that the BYPASS OPTION does NOT replace the need to outline EXPLICIT PERMISSIONS in the Access Policy? VNET2 has no access to the KEY VAULT, and that includes ADE.
upvoted 2 times
golitech
3 months, 3 weeks ago
Chill, the access is already given when you set ADE in the key vault. Answer is YNY.
upvoted 1 times
...
...
zellck
2 years ago
YNY is the answer.
https://learn.microsoft.com/en-us/azure/key-vault/general/network-security#key-vault-firewall-enabled-trusted-services-only
https://learn.microsoft.com/en-us/azure/key-vault/general/overview-vnet-service-endpoints#trusted-services
"Here's a list of trusted services that are allowed to access a key vault if the Allow trusted services option is enabled. - Azure Disk Encryption volume encryption service: Allow access to BitLocker Key (Windows VM) or DM Passphrase (Linux VM), and Key Encryption Key, during virtual machine deployment. This enables Azure Disk Encryption."
upvoted 6 times
ITTesters
2 years ago
If the user has rights within KV then YNY, otherwise; NNY.
upvoted 1 times
...
...
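The two gates the commenters are arguing about (the Key Vault firewall with its trusted-services bypass, and the access policy that still has to authorize the caller) can be written down as a small model. The code below is an added illustration for this discussion; it is not Microsoft's code, not the exam exhibit, and not any commenter's code. The subnet resource IDs, the principal name "user1", the IP range in the test, and the assumption that only VNET1's subnet is on the vault's network rules are all constructed for the example. Statement 3 of the hot area is represented as Azure Disk Encryption calling the vault as a trusted service on behalf of VM2; it turns on the bypass setting and the "Enable access to Azure Disk Encryption" flag, not on VNET2's network rule. Statements 1 and 2 turn on the network rule first and on the user's own permissions second, which is exactly the information the question does not give, so the model takes it as a parameter.

```python
"""Two-gate model of Azure Key Vault request admission (added example).

A data-plane call to a vault passes two independent checks:
  1. Network rules (the Key Vault firewall): defaultAction, virtual network
     rules, IP rules, and "bypass: AzureServices", which admits trusted
     Microsoft services such as the Azure Disk Encryption service.
  2. Authorization: the vault access policy for the caller, or, for the ADE
     service, the vault's enabledForDiskEncryption flag.
Everything below (subnet IDs, principals, permissions) is constructed for the
example and is an assumption, not a value from the exam question.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Trusted services admitted by the AzureServices bypass; the real list is
# longer, this example only needs the ADE volume encryption service.
TRUSTED_SERVICES = {"AzureDiskEncryption"}


@dataclass
class NetworkAcls:
    default_action: str = "Deny"                  # "Allow" or "Deny"
    bypass: str = "AzureServices"                 # "AzureServices" or "None"
    vnet_rules: set = field(default_factory=set)  # allowed subnet resource IDs
    ip_rules: set = field(default_factory=set)    # allowed CIDRs


@dataclass
class KeyVault:
    acls: NetworkAcls
    # access policy: principal -> {"keys": {...}, "secrets": {...}}
    access_policies: dict = field(default_factory=dict)
    enabled_for_disk_encryption: bool = False


@dataclass
class Request:
    caller: str                 # principal object ID, or a trusted service name
    operation: str              # "<category>/<permission>", e.g. "keys/create"
    source_subnet: Optional[str] = None
    source_ip: Optional[str] = None
    via_trusted_service: bool = False


def network_allows(acls: NetworkAcls, req: Request) -> bool:
    """Gate 1: does the firewall admit this request?"""
    # A trusted service gets through only when bypass is AzureServices;
    # its source network is not consulted at all.
    if req.via_trusted_service and req.caller in TRUSTED_SERVICES:
        return acls.bypass == "AzureServices"
    if acls.default_action == "Allow":
        return True
    if req.source_subnet and req.source_subnet in acls.vnet_rules:
        return True
    if req.source_ip:
        ip = ipaddress.ip_address(req.source_ip)
        return any(ip in ipaddress.ip_network(c) for c in acls.ip_rules)
    return False


def authorization_allows(kv: KeyVault, req: Request) -> bool:
    """Gate 2: is the caller authorized for the operation?"""
    category, _, permission = req.operation.partition("/")
    if req.via_trusted_service and req.caller == "AzureDiskEncryption":
        # "Enable access to Azure Disk Encryption for volume encryption"
        return kv.enabled_for_disk_encryption
    policy = kv.access_policies.get(req.caller, {})
    return permission in policy.get(category, set())


def evaluate(kv: KeyVault, req: Request) -> tuple:
    """Both gates must pass; the reason names the gate that rejected."""
    if not network_allows(kv.acls, req):
        return (False, "ForbiddenByFirewall")
    if not authorization_allows(kv, req):
        return (False, "Unauthorized")
    return (True, "OK")


# Constructed subnet IDs (assumptions, not from the question).
VNET1_SUBNET = "/subscriptions/x/resourceGroups/rg/providers/Microsoft.Network/virtualNetworks/VNET1/subnets/default"
VNET2_SUBNET = "/subscriptions/x/resourceGroups/rg/providers/Microsoft.Network/virtualNetworks/VNET2/subnets/default"


def build_keyvault1(user_has_key_permissions: bool) -> KeyVault:
    """KeyVault1 as the thread describes it: Selected networks with only
    VNET1 allowed, trusted-services bypass on, ADE access enabled. Whether
    the user holds key permissions is unknown, so it is a parameter."""
    policies = {"user1": {"keys": {"get", "list", "create"}}} if user_has_key_permissions else {}
    return KeyVault(
        acls=NetworkAcls(default_action="Deny", bypass="AzureServices", vnet_rules={VNET1_SUBNET}),
        access_policies=policies,
        enabled_for_disk_encryption=True,
    )


def scenario_results(user_has_key_permissions: bool) -> dict:
    """The three hot-area statements, each as a request against the vault."""
    kv = build_keyvault1(user_has_key_permissions)
    return {
        "user_on_vm1_manages_keys": evaluate(kv, Request("user1", "keys/create", source_subnet=VNET1_SUBNET)),
        "user_on_vm2_manages_keys": evaluate(kv, Request("user1", "keys/create", source_subnet=VNET2_SUBNET)),
        # ADE stores the volume secret / wraps with the KEK as a trusted service on VM2's behalf.
        "vm2_ade_encryption": evaluate(kv, Request("AzureDiskEncryption", "secrets/set",
                                                   source_subnet=VNET2_SUBNET, via_trusted_service=True)),
    }


if __name__ == "__main__":
    for has_perm in (True, False):
        print(f"user has key permissions: {has_perm}")
        for name, (ok, why) in scenario_results(has_perm).items():
            print(f"  {name}: {'Yes' if ok else 'No'} ({why})")
```

Running it prints VM1 as Yes only when the user actually holds key permissions, VM2 as No either way because the firewall rejects before authorization is even consulted, and the ADE call on VM2's behalf as Yes; flipping `bypass` to `"None"` turns that last one into ForbiddenByFirewall, which is the single setting the "trusted services" argument rests on.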
tutonata
2 years, 2 months ago
N N Y. When Allow trusted MS services is set to on, then access is granted. It doesn't matter which vNet the VM is in. Check the list of trusted MS services: ADE is listed there, so it 'bypasses' the FW. https://learn.microsoft.com/en-us/azure/key-vault/general/overview-vnet-service-endpoints#trusted-services
upvoted 2 times
billo79152718
2 years, 1 month ago
But it also states that it needs explicit permission. So I will go with No on BOX 3.
upvoted 1 times
...
...
majstor86
2 years, 2 months ago
NO NO YES
upvoted 2 times
...
chikorita
2 years, 3 months ago
I think the correct answer is NNY. 1st and 2nd box: users inside VMs CANNOT manage keys even though VM1 has connectivity to KV; to manage keys, permissions need to be set explicitly. 3rd box: YES, because ADE is a trusted MS service, so even if the IPs or VNETs are not whitelisted, the VM can STILL access KV.
upvoted 2 times
...
ltjones12
2 years, 5 months ago
@arseyam, I don't think that virtual machines are part of the Azure trusted services list. https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security?tabs=azure-portal#exceptions
upvoted 1 times
...
mung
2 years, 5 months ago
It looks like the question has been changed based on the comment; I would go NNN.
upvoted 1 times
...
Stubentiger
2 years, 6 months ago
Trusted Services: ADE is included https://learn.microsoft.com/en-us/azure/key-vault/general/overview-vnet-service-endpoints#trusted-services
upvoted 2 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)