Exam AZ-700 topic 5 question 13 discussion

Actual exam question from Microsoft's AZ-700
Question #: 13
Topic #: 5

You have an Azure subscription that contains the resources shown in the following table.



You need to ensure that VM1 and VM2 can connect only to storage1. The solution must meet the following requirements:

• Prevent VM1 and VM2 from accessing any other storage accounts
• Ensure that storage1 is accessible from the internet.

What should you use?

  • A. a network security group (NSG)
  • B. a service endpoint policy
  • C. a private link
  • D. a private endpoint
Suggested Answer: B

Comments

roshingrg
Highly Voted 1 year, 5 months ago
B. a service endpoint policy
A service endpoint policy can be used to control the access to Azure Storage accounts from virtual networks. By creating a service endpoint policy, you can specify which storage accounts are allowed to be accessed from the virtual network, while blocking access to other storage accounts.
In this case, you can create a service endpoint policy that allows access to storage1 and associate it with the virtual network containing VM1 and VM2. This will ensure that VM1 and VM2 can only connect to storage1 and will be prevented from accessing any other storage accounts.
Additionally, to ensure that storage1 is accessible from the internet, you can configure the storage account's networking settings to allow public access. This can be done by enabling the appropriate settings such as allowing public access to blobs or enabling a public endpoint.
Using a network security group (NSG) would not provide the required granular control over specific storage accounts. A private link or private endpoint would enable private access to the storage account but would not allow access from the internet, which is a requirement in this scenario. Therefore, the best option is to use a service endpoint policy.
upvoted 12 times
omgMerrick
Highly Voted 1 year, 8 months ago
Selected Answer: B
Answer appears to be correct.
B. a service endpoint policy
Virtual Network (VNet) service endpoint policies allow you to filter egress virtual network traffic to Azure Storage accounts over service endpoint, and allow data exfiltration to only specific Azure Storage accounts. Endpoint policies provide granular access control for virtual network traffic to Azure Storage when connecting over service endpoint.
Source: https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoint-policies-overview
upvoted 8 times
dblacksmith
Most Recent 2 months, 3 weeks ago
Selected Answer: B
Default: By default all traffic goes against the public endpoint of the storage account. Source IP of the traffic is the Public IP of the VM.
Service Endpoints: Traffic is still directed against the public endpoint of the storage account but the source IP has changed to the private IP of the VM. In fact, the traffic is also using the VNET and Subnet as source in the network dataframe.
Private Endpoints: The PaaS service now gets a virtual network interface inside the subnet and traffic from the VM to the storage account is now directed against the private IP address.
upvoted 1 times
am156
10 months ago
Selected Answer: D
I believe the answer is D - Private Endpoint. Options A (network security group), B (service endpoint policy), and C (private link) are also Azure networking features, but they may not provide the same level of isolation and control over the specific access requirements described in the scenario. Private endpoint is specifically designed to enable private connectivity to Azure services over a private IP address. By using private endpoints for storage1, you can ensure that VM1 and VM2 can connect to storage1 using the private endpoint while preventing them from accessing other storage accounts.
upvoted 4 times
Lazylinux
1 year ago
Selected Answer: B
B is Honey. For sure B, as if an NSG is used it can only be used with AZ service tags, and that will include all storage accounts and cannot differentiate, hence either allow all storage accounts or deny all. Whereas with an SE policy you can use a resource in SCOPE of a SINGLE account (in this case 1 storage account), or RG or subscription based; then you associate a subnet to the resource, in this case subnet 1 where the VMs reside.
upvoted 4 times
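
The scoping described in the comment above, as an added example that is not part of the original thread and not Azure's implementation: a simplified Python model of how a service endpoint policy's resource list (single account, resource group or subscription) decides which storage accounts a subnet can reach, with a check that flags scopes broader than the one intended account. All resource IDs are constructed sample values and the function names are hypothetical.

```python
# Simplified model of service endpoint policy scoping (illustrative only).
# All subscription IDs, resource groups and account names are constructed.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
RG1 = SUB + "/resourceGroups/RG1"
STORAGE1 = RG1 + "/providers/Microsoft.Storage/storageAccounts/storage1"
STORAGE2 = RG1 + "/providers/Microsoft.Storage/storageAccounts/storage2"
OTHER_SUB = ("/subscriptions/00000000-0000-0000-0000-000000000002"
             "/resourceGroups/RGX/providers/Microsoft.Storage/storageAccounts/storage9")


def _segments(resource_id):
    # Resource IDs are compared case-insensitively; splitting on "/" keeps
    # ".../storage1" from matching ".../storage10" by plain string prefix.
    return [s.lower() for s in resource_id.strip("/").split("/")]


def scope_kind(scope):
    """Classify a policy scope as subscription, resource group or account."""
    kinds = {2: "subscription", 4: "resource-group", 8: "account"}
    return kinds.get(len(_segments(scope)), "unknown")


def policy_allows(service_resources, account_id):
    """True if account_id equals, or sits under, one of the listed scopes."""
    target = _segments(account_id)
    for scope in service_resources:
        s = _segments(scope)
        if target[:len(s)] == s:
            return True
    return False  # anything not listed is denied over the service endpoint


def overbroad_scopes(service_resources, intended_account_id):
    """Return scopes that admit more than the single intended account."""
    want = _segments(intended_account_id)
    return [s for s in service_resources if _segments(s) != want]


if __name__ == "__main__":
    policy = [STORAGE1]  # scope limited to the one account
    for acct in (STORAGE1, STORAGE2, OTHER_SUB):
        print(acct.rsplit("/", 1)[-1], policy_allows(policy, acct))
    # A resource-group scope would also admit storage2:
    print(overbroad_scopes([STORAGE1, RG1], STORAGE1))
```
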
tomtom2022
1 year, 6 months ago
Selected Answer: A
The answer is A. An NSG can only filter whether the VMs can access the storage accounts via the service tag, but can't filter which storage account can be accessed.
upvoted 1 times
MrBlueSky
1 year, 6 months ago
Selected Answer: A
I believe the answer is A. NSG
Storage accounts are accessible from the internet by default, so all we need to worry about is restricting the VMs' access to all other storage accounts. This is only doable with an NSG from the options listed.
upvoted 1 times
TheBigMan
1 year, 5 months ago
With NSG/service tags you can only limit the region, like sql.EastUs. Only viable in my opinion: B
upvoted 1 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other