Exam AZ-500 topic 4 question 100 discussion

A: Correct, only allows access from VM1 to KV. B: Incorrect, there is no VM option at the creation of the Endpoint; https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-overview#private-link-resource C: Incorrect, only VM1 is allowed, rest of the Vnet is disallowed. D: This overrules FW rules created, but is not the question.

Since VM1 is connected to a virtual network (VNet1), leveraging that virtual network for access control is more secure and scalable. The IP Address or CIDR option is more suitable for scenarios where you need to allow access from external, on-premises networks or specific static IPs, which is not the case for VM1. Adding VNet1 under the virtual networks section allows for private, secure access from resources in the same virtual network. This aligns with best practices for Azure Key Vault security and avoids exposing Vault1 to public IPs.

None of the above. Poorly worded question. A - This will only work if VM1 has a public IP assigned to it. You can't just add information to a test question that's not there so you have to assume default VM settings which is a private IP provide by the VNET. B - A private endpoint provides a private IP address for the service. This would allow any VM in the VNet to talk to the KV which doesn't satisfy the requirement C - This would also allow any VM in the VNET to talk to the KV. The configuration provided shows only 1 VM so technically it would satisfy the requirements, but no self respecting security pro would call that a correct way to do it D - The VM is not a trusted Microsoft service so that wouldn't get you anywhere either I'm not 100% it would work but I'd probably try starting with B and adding a NSG that says only VM1 can reach that IP.

B grants access to VNet (too wide) and does not prevent direct access C grants access to VNet (too wide) D is not related to the problem at all

I think this is defenately will use Private endpoint. Let me explain why, questions says VM1 connected to vnet1 , we need to give access only from vm1 not for entire vnet. Many people confuse with option A, no it is not . In the firewall and virtual networks settings you can not choose specific vm which is connected to vnet1. However, private endpoint grants access only for one private ip address from the virtual network that is why here answer is A.

Tricky question, must be A. as we only need to allow connection from VM1, and nobody else so connection will need to be over Pip(Public IP)

Tested in lab Cannot be A. Private IPs (NET) cannot be added to Firewalls and virtual networks tab (permitted only public IPs) Message Invalid value found at properties.networkAcls.ipRules[0].value: 10.44.2.4/32 belongs to forbidden range 10.0.0.0–10.255.255.255 (private IP addresses) Cannot be C. It's working but all VNET traffic is permitted.

I think both A and B can do the work. A = VM1 > Vault1 by IP address B = VM1 >VNet > Private Endpoint > Vault1. But B is more secure for sure. I will go for B.

Many people say that it is A (VM's IP). They are not saying if that VM has static or dynamic IP. In networking, we have private link option to allow specifically that VM.

From the Firewalls and virtual networks tab, add the IP address of VM1.

Only VM1 - Not the VNET

Answer is: B I asked ChatGPT and here is the answer: "To allow access to Vault1 only from VM1, you should do the following in the Networking settings of Vault1: B. From the Private endpoint connections tab, create a private endpoint for VM1. Creating a private endpoint for VM1 will enable private and secure communication between VM1 and Vault1. This approach ensures that only VM1, which has a private endpoint, can access the resources in Vault1. This is a more secure method than simply allowing an IP address or a virtual network because it leverages Azure Private Link to establish a secure connection. Options A, C, and D do not provide the same level of security and access control as using a private endpoint. Option A allows access based on an IP address, which can be less secure. Option C adds the entire virtual network, potentially allowing more resources than just VM1 to access Vault1. Option D allows trusted Microsoft services to bypass the firewall, but it doesn't restrict access to VM1 specifically."

Agreed, it very clearly says only VM1 in the question making A correct.

The question is very specific, and says ONLY from VM1, we don't know if there are more machines on VNET1, but if we add VNET1, any machine from VNT!could access it and it would defeat the purpose of the question. "You need to allow access to Vault1 ONLY from VM1". I'm going with A

C is correct

Why not add the IP address of VM in the FW section of Key Vault? I would only select C if we assume the VM has an assigned dynamic IP. If we do not make this assumption, "A" would be my option as you would give higher restrictive access to the Key Vault, as you would not allow any other, future added, resource access to the Key Vault.

C is correct