Exam AZ-500 topic 7 question 6 discussion

N,Y,Y Service endpoint is enabled for VNet1/Subnet1 so VM1 connects thou MS backbone to Cosmos DB instead of using Internet. Service endpoint is disabled for VNet1/Subnet2 so VM2 using its public IP address to connect to the Cosmos DB. There is no service endpoint for VNet2 then VM3 using its public IP address to connect to the Cosmos DB.

for all of them YES, since VM1 has a public IP and the Cosmos DB firewall allows internet access, VM1 can access Cosmos DB over the internet. The fact that vnet1/subnet1 has a service endpoint for Cosmos DB does not restrict access from the public internet. the same for the rest

NO, YES, YES VM1 cant access Cosmos DB over the internet cause its subnet is forced to use the private endpoint VM2 and VM3 can access Cosmos DB over the internet cause their Public IPs are in the allowed range specified in the firewall.

In the documentation https://learn.microsoft.com/en-us/azure/private-link/tutorial-private-endpoint-sql-portal?source=recommendations After prodecude how to configure a private endpoint, there is additional step to disable public access to Azure SQL server. Assuming this was not done by administrator, I would answer YYY

I assume that the correct answer depends on the interpretation of CAN. My ans would be: N,Y,Y If a service endpoint is enabled that the traffic would be routed through the Microsoft backbone. This mean that when VM1 will try to connect to the cosmos with the MSFT network and not with its public IP address. It is still technically possible for the VM1 to use its pubic ip address but the fact that the service endpoint is in place would make the traffic follow the backbone direction. Using the public ip is possible if the service endpoint is removed, this would change the question and I guess that it is not supposed to. VM2 has no service endpoint enabled and the public ip is in the correct range, so YES. VM2 has no service endpoint and the public ip is in the correct range, so YES.

In first question, it says, VM1 "CAN" access via internet. since its public ip range has been whitelisted, it CAN be accessed via internet even if subnet1 is removed from selected networks in 2nd question, public ip is whitelisted in selected networks, hence it is accessible via internet in 3rd Question, public IP is whitelisted hence db is accessible via intetnet. Answer is YYY

That's a tough question. VM1 "can" access the Internet, because it's not prohibited, but with this policy VM1 accesses with a private IP address...

"Once you enable service endpoints in your virtual network, you can add a virtual network rule to secure the Azure service resources to your virtual network. The rule addition provides improved security by fully removing public internet access to resources and allowing traffic only from your virtual network." https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview

YYY, the FW was whitelisted and the you can access to the resource (CosmosDB) via internet.

ALL PUBLIC IPs of the VMs will have access to the COSMOS DB via the INTERNET, based on FIREWALL POLICY, the VIRTUAL NETWORK FILTERING shows VNET/SUBNET1 has an SERVICE ENDPOINT which means it will route via the MICROSOFT BACKBONE and not the INTERNET. VNET1/SUBNET2 does not so it will route via the INTERNET and VNET2/SUBNET is not listed at all so it will also route via the INTERNET. n, y, y

All of them CAN. Even VM1 CAN but it won't

Yes, No, Yes is correct