Exam AZ-500 topic 6 question 2 discussion

1. From VM2 you can create a container in storage1? No 2. From VM1 you can upload data to the blob storage of storage1? Yes 3. From VM2, you can upload data to the blob storage of storage1? No Let's break down the reasoning: NSG rule: The outbound rule in the NSG denies all traffic to storage accounts (destination: Storage). This rule applies to both VM1 and VM2 as they are both in the VNets (VNet1/Subnet1 and VNet1/Subnet2) associated with the NSG. Private endpoint: The private endpoint (Private1) allows VM1 in Subnet1 to access the blob storage (target sub-resource: blob) of storage1. This creates a private connection that bypasses the NSG rule for VM1. However, VM2 is not in Subnet1 and doesn't have access through the private endpoint. Therefore, VM1 can leverage the private endpoint to access storage1 while VM2 is restricted by the NSG rule.

Correct is: Yes, Yes, Yes Excat same question appears here on a AZ-700 Exam: https://www.examtopics.com/discussions/microsoft/view/64022-exam-az-700-topic-4-question-5-discussion/

YNN. 1. Deny access from vm by nsg. But you can access azure portal to create a container. 2. At first, Deny from nsg. 3. Same

YES-YES-YES 1. Creating a container in the storage account is a management plane action which is executed by Azure Resource Manager, it has nothing to do with the "Storage" service tag 2. We are using the private endpoint which is not blocked by the NSG 3. We are in a VNet with a private endpoint so we are using that (and it is not blocked by the NSG)

To support the answer provided by JaridB. https://learn.microsoft.com/en-us/azure/private-link/disable-private-endpoint-network-policy?tabs=network-policy-portal By default, network policies are disabled for a subnet in a virtual network. To use network policies like user-defined routes and network security group support, network policy support must be enabled for the subnet. This setting only applies to private endpoints in the subnet and affects all private endpoints in the subnet. https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-overview To access more subresources within the same Azure service, more private endpoints with corresponding targets are required. In the case of Azure Storage, for instance, you would need separate private endpoints to access the file and blob subresources. Private endpoints support network policies. Network policies enable support for Network Security Groups (NSG), User Defined Routes (UDR), and Application Security Groups (ASG). Answer = N-Y-N

This is what I am think about the question. 425 No, No, No,(If there is not access mentioned) If vms have an access then No,Yes,No I would answer like this but there is nowhere question says whether VMS has access on storage account or not. This makes sense to choose all No, no, No because as I mentioned there is not point that talks about access, if think there access for all vms we can choose No, Yes, No in this case. The reason for choosing No, yes, No is as following. No, because the NSG gets applied. Yes, because the private endpoint of storage account and the VM1 are in the same Subnet. The NSG doesn’t get applied. No, because the NSG gets applied. BR

When I navigate to the NIC of the PVT Endpoint I get this Select a network interface below to see the effective security rules and associated network security groups. Scope Network interface (e.nic.4d04ad28-7810-457a-8e4c-6005b421ef7d) Associated NSGs: No associated NSGs found. Failed to retrieve effective security rules because network interface 'e.nic.4d04ad28-7810-457a-8e4c-6005b421ef7d' is not attached to a virtual machine. Tested in the lab created a VM in subnet 1 of the VNET and created the pvtendpoint in the subnet2 of the same VNET was able to connect to only the storage account on which the pvtendpoint was configured. The NSG was blocking access to all other storage accounts. The only way a pvtendpoint can be used in an NSG is when you assign it to a ASG and then you can play with it to stop it from being accessed. A good explanation of this concept can be found on the link https://www.youtube.com/watch?v=iL7_HocfbDM&ab_channel=AdamStuart

Should be N N N No where it's mentioned about the permission/access policy. All the information is just for network layer, but asking questions for data layer.

N N N Access policies are not mentioned. We have to assume there are no RBAC roles assigned to Managed Identity of VM1 or VM2 / access is not granted using Vault Access Permissions.

From VM2, you can create a container in Storage1: No. The NSG outbound rule denies any outbound traffic to the destination "Storage" (which includes "storage1"). Therefore, VM2 will not be able to create a container in Storage1. From VM1, you can upload data to the blob storage of storage1: Yes. The private endpoint "Private1" is configured for blob storage access in "storage1" and is in Subnet1. The NSG outbound rule does not apply to VM1 as it is in Subnet1, so VM1 can upload data to the blob storage of storage1 through Private1. From VM2, you can upload data to the blob storage of Storage1: No. The NSG outbound rule denies any outbound traffic to the destination "Storage" (which includes "storage1"). Therefore, VM2 will not be able to upload data to the blob storage of Storage1.

Yes, Yes, Yes

Correct answer is YYY The NSG rule has a service tag for Destination, a service tag is a list of public ip addresses. The connection to the private endpoint will no be blocked by this rule. VM1 and VM2 can connect to the private endpoint because intra-vnet traffic is allowed by default.

NSG rules applied to the subnet hosting the private endpoint are not applied to the private endpoint". So VM1can connect to storage1 without any NSG filtering. For VM2 as the subnet to subnet communication in a VNET is open by default, then VM2 has access to the storage1 through the Private Endpoint.

but the private endpoint is not applied to subnet 2

Private Endpoints ignore the NSG so Yes/Yes/Yes.

what is the correct answer?