Exam AZ-300 topic 1 question 26 discussion

BOX 1 wrong?

So after reading onlyfunmails comments answer will be both box = never.

https://www.exam-answer.com/microsoft/az-104/question34

The CORRECT selection is NEVER, NEVER and here is why. since 10.2.9.0/24 part of 10.2.0.0/16 is not checked and 10.2.0.0/24 is allowed to access this storage account where 10.2.9.0/24 is not in 10.2.0.0/24 ! ,The endpoint is enable though, it is enable to 10.2.0.0/24, but not to 10.2.9.0/24. So, the endpoint is not enable to 10.2.9.0/24. A subnet mask of 24 bits basically means that the first 3 numbers of the IP are FIXED! Thus, the 10.2.0 will never change and the remaining number gives 256 subnet addresses. Then, an IP starting by 10.2.9 does not belong to the subnet that is allowed. For fun try it on the portal, when configuring this option it forces you to select subnets, which means that, in order to provide access, they should be explicitly shown on the configuration screen.

The correct answer is: Never, Never

10.2.9.0/24 is not in the allowed subnet list. the first one = never

Never, Never. You enable Service Endpoint at Subnet Level and 10.2.9.0/24 is at another Subnet.

I think the answer is correct. The firewall configuration is limiting the access to that specific VNet. The service endpoint in prod subnet is changing the routing via MS internal backbone rather than going outside, but that does not define the access, just where the traffic is routed.

I think given ans is correct based on the provided IP subnets: first subnet : 10.2.0.0/16 which covers 10.2.9.0/24 subnets. also with Service Endpoint enabled. that will bypass the firewall.

Regarding the Endpoint, just look at https://azure.microsoft.com/en-in/blog/virtual-network-service-endpoints-and-firewalls-for-azure-storage-now-generally-available/ and realise how the arrow departs from the subnet towards the storage account. Therefore, connection is allowed on a subnet basis and 10.2.9 is not a subnet that is allowed.

The CORRECT selection is NEVER, NEVER and here is why. A subnet mask of 24 bits basically means that the first 3 numbers of the IP are FIXED! Thus, the 10.2.0 will never change and the remaining number gives 256 subnet addresses. Then, an IP starting by 10.2.9 does not belong to the subnet that is allowed. For fun try it on the portal, when configuring this option it forces you to select subnets, which means that, in order to provide access, they should be explicitly shown on the configuration screen.

This question appeared in my AZ-104 exam

NEVER NEVER

I had this very question in an exam (AZ104) - looks like a typo, but the wording is so ambiguous its impossible to tell....

Both option is NEVER

Te correct answer is: Never, Never. Please, modify it.

If you lab it address range for the vnet will not actually appear. It is never never because not until you add service end point to the subnet or add new subnet to the network and firewall settings of the storage it will not be enable.