You need to recommend which virtual machines to use to host App1. The solution must meet the technical requirements for KeyVault1. Which virtual machines should you use?
It's B, guys. All VMs can access KV1 through the private endpoint in VNET1/Subnet1. All VNETs are peered, so all the traffic traverses the Microsoft backbone network without any exposure to the public Internet.
The private endpoint can be reached from the same virtual network, regionally peered VNets, globally peered VNets and on premises using private VPN or ExpressRoute connections.
https://docs.microsoft.com/en-us/azure/private-link/private-link-service-overview
The traffic between virtual machines in peered virtual networks uses the Microsoft backbone infrastructure. Like traffic between virtual machines in the same network, traffic is routed through Microsoft's private network only.
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview
This question is tricky!
Traffic between Peered Vnets on different regions will go through Microsoft backbone BUT they don't support transitive routing by default! This means that VM3 or VM4 won't be able to reach KeyVault1 without a defined UDR. This doesn't mean the traffic will go through the internet, but those VMs won't be able to reach the KeyVault.
Because of this, THE ANSWER SHOULD BE VM1 and VM2.
Requirements:
* You need to recommend which virtual machines to use to host App1. The solution must meet the technical requirements for KeyVault1.
* KeyVault1 traffic must NOT travel over the internet.
VM1 (West US) - VNET1/Subnet1 - None
VM2 (West US) - VNET2/Subnet1 - NSG2 (West US)
VM4 (West US) - VNET3/Subnet1 - NSG4 (West US)
KeyVault1 (West US) VNET1/Subnet1
They all are in the same region / subnet1 / NSG2 & NSG4 allow access.
Just curious, why not B (VM1, VM2, VM3, and VM4)? KV exists in the same Subscription and same geography (East/West/Central US).
By enabling KV Networking > Selected networks > add all 3 vnet/subnet, it would allow all 4 VMs to access the KV?
Private endpoint must be in the same vNet region. But it's not clear to me if traffic can occur through vNet peerings to other regions. https://docs.microsoft.com/en-us/azure/key-vault/general/private-link-service?tabs=portal#prerequisites
A private endpoint prevents KV from being accessed over a public endpoint. If the VM's subnet is associated with a service endpoint (key vault), all outbound connections to the key vault will no longer travel over the internet but over Microsoft's backbone only. Therefore, VM4 is also correct.
To support the answer.
The traffic between virtual machines in peered virtual networks uses the Microsoft backbone infrastructure (as required in the question). Like traffic between virtual machines in the same network, traffic is routed through Microsoft's private network only.
Network traffic between peered virtual networks is private. Traffic between the virtual networks is kept on the Microsoft backbone network. No public Internet, gateways, or encryption is required in the communication between the virtual networks.
Answer = B
App1 must only retrieve a secret from KeyVault, this is not Azure Disk Encryption where KV would have to be in same region. All VNETs are peered, so they all can use the Private Endpoint, which would meet the security requirement.
Given answer is correct imo.
The key here is that they are asking us for recommendations, and not to list all the possible options. While it is possible to use keyvaults in different region here, it is recommended to have them all on the same one.
VM1: Located in West US, connected to VNET1/Subnet1. It has direct access to KeyVault1 without internet travel.
VM2: Located in West US, connected to VNET1/Subnet2. It has access to KeyVault1 via VNET1 without internet travel.
VM3: Located in Central US, connected to VNET2/Subnet1. With the peering between VNET2 and VNET1, VM3 can access KeyVault1 without traffic going over the internet, despite being in a different region.
VM4: Located in West US, connected to VNET3/Subnet1. With the peering between VNET3 and VNET1, VM4 can access KeyVault1 without internet travel.
Considering the peering between VNET1, VNET2, and VNET3, and the requirement that KeyVault1 traffic must not travel over the internet, all VMs (VM1, VM2, VM3, and VM4) can securely access KeyVault1 without their traffic traversing the internet.
The answer to the question, taking into account all the peerings and the requirement for KeyVault1, would be:
B. VM1, VM2, VM3, and VM4
Answers are correct: D. VM1, VM2, and VM4 only
Key Requirement: AKV needs to be on Private Endpoint. VM3 Is in Central US, but AKV2 is in Central US without PE. Hence, VM3 is not applicable here.
VM1, VM2, and VM4 and AKV1&3 are matched with location and AKV1&3 have PE.
RECOMMEND IS THE KEY WORD.
FROM MICROSOFT:
No, VMs do not have to use a key vault in the same region. However, it is recommended to do so for better performance and lower latency. According to the Azure Key Vault Overview1, you can use a key vault that is in the same region and tenant as the VMs to be encrypted. However, this is not a strict requirement, as the article also states that you can use a key vault that is in a different region or tenant, but you need to grant permissions to the VMs to access the key vault. The article also mentions that the contents of your key vault are replicated within the region and to a secondary region at least 150 miles away, but within the same geography to maintain high durability of your keys and secrets2. Therefore, using a key vault in the same region as your VMs can help you avoid cross-region network traffic and potential network failures.
To reach the keyvault1 private endpoint, you have to be able to resolve keyvault1.privatelink.vaultcore.azure.net into the private IP address of the endpoint.
At private endpoint creation, a private DNS zone is created and linked to the VNET in which the endpoint is created, VNET1 in this case.
Since there is no mention of a private DNS zone in the case study, I guess that the private DNS zone is not linked to any other VNETs and that the privatelink DNS record is only resolvable from VNET1?
The answer in this case should be C (VM1 and VM2).
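The DNS point raised above is the one a practitioner can actually verify from a VM: does the vault name resolve, via the privatelink CNAME, to an address inside the VNET that hosts the private endpoint, or does it fall back to the public IP because no private DNS zone is linked? The following is an added example (not code from any poster or from Microsoft); the DNS answers, the VNET prefix 10.1.0.0/16 and the public address 20.0.0.1 are constructed placeholders.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed DNS views (placeholder data, not from the case study).
# Each name maps to a list of (record type, value) tuples.
Records = Dict[str, List[Tuple[str, str]]]

# View from a VNET linked to the private DNS zone (VNET1 in the thread):
# the privatelink name resolves to the private endpoint NIC address.
DNS_VNET1_VIEW: Records = {
    "keyvault1.vault.azure.net": [("CNAME", "keyvault1.privatelink.vaultcore.azure.net")],
    "keyvault1.privatelink.vaultcore.azure.net": [("A", "10.1.0.4")],
}

# View from a VNET with no zone link: public DNS answers the privatelink
# name with the vault's public address (placeholder 20.0.0.1).
DNS_PUBLIC_VIEW: Records = {
    "keyvault1.vault.azure.net": [("CNAME", "keyvault1.privatelink.vaultcore.azure.net")],
    "keyvault1.privatelink.vaultcore.azure.net": [("A", "20.0.0.1")],
}

PRIVATELINK_SUFFIX = ".privatelink.vaultcore.azure.net"


def resolve_chain(name: str, records: Records, max_hops: int = 8) -> Tuple[List[str], List[str]]:
    """Follow CNAMEs until A records appear; return (names visited, addresses)."""
    chain = [name]
    while len(chain) <= max_hops:
        rrs = records.get(chain[-1], [])
        addrs = [v for t, v in rrs if t == "A"]
        if addrs:
            return chain, addrs
        cnames = [v for t, v in rrs if t == "CNAME"]
        if not cnames:
            return chain, []          # dangling name: nothing to connect to
        chain.append(cnames[0])
    raise ValueError("CNAME chain too long or looping")


def classify_vault_path(vault_host: str, records: Records, vnet_prefix: str) -> str:
    """Decide how traffic to the vault would leave this VM, based on DNS alone."""
    chain, addrs = resolve_chain(vault_host, records)
    if not addrs:
        return "unresolvable"
    vnet = ipaddress.ip_network(vnet_prefix)
    ips = [ipaddress.ip_address(a) for a in addrs]
    via_privatelink = any(n.endswith(PRIVATELINK_SUFFIX) for n in chain)
    if via_privatelink and all(ip in vnet for ip in ips):
        return "private-endpoint"     # stays on the VNET / backbone
    if all(ip.is_private for ip in ips):
        return "private-outside-vnet" # private IP, but not the expected endpoint
    return "public"                   # would go to the public vault endpoint
```

Seeing "public" from a peered VNET means the VM has a route to the endpoint but no private DNS zone link, which is exactly the gap the comment above describes.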
B is the answer.
https://learn.microsoft.com/en-us/azure/private-link/private-link-service-overview#details
Private Link service can be accessed from approved private endpoints in any public region. The private endpoint can be reached from the same virtual network and regionally peered virtual networks. The private endpoint can be reached from globally peered virtual networks and on premises using private VPN or ExpressRoute connections.
We're talking about App1 hosting. There is a mention of an ASG.
It doesn't make any sense to host an App on different OS (bad practice when it comes to manageability/servicing, ...)
So we need: keyvault access for ADE, an ASG (obviously).
That leaves us with VM1 and VM2 (same region for keyvault requirement for ADE, same vNet requirement for the ASG).
For those reasons I say answer C.
Now we could argue that App1 doesn't have to use the ASG, that all VMs can be encrypted using different keyvaults, etc... but that doesn't make sense to me.
Guys, I think the question is about what VMs we "should" use, not what is "possible" to use. I think I will go with B then. What do you think about this paragraph from the link?
"Our recommendation is to use a vault per application per environment (development, pre-production, and production), per region. This helps you not share secrets across environments and regions. It will also reduce the threat in case of a breach."
https://learn.microsoft.com/en-us/azure/key-vault/general/best-practices