Exam AZ-500 topic 6 question 12 discussion

Actual exam question from Microsoft's AZ-500
Question #: 12
Topic #: 6

DRAG DROP

You have an on-premises datacenter.

You have an Azure subscription that contains a virtual machine named VM1. VM1 is connected to a virtual network named VNet1. VNet1 is connected to the on-premises datacenter by using a Site-to-Site (S2S) VPN.

You plan to create an Azure storage account named storage1 and deploy an Azure web app named App1.

You need to ensure that network communication to each resource meets the following requirements:

• Connections to App1 must be allowed only from corporate network NAT addresses.
• Connections from VNet1 to storage1 must use the Microsoft backbone network.
• The solution must minimize costs.

What should you configure for each resource? To answer, drag the appropriate components to the correct resources. Each component may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.

NOTE: Each correct selection is worth one point.

Suggested Answer:

Comments

Yesvanth1
Highly Voted 1 year, 10 months ago
The solution must minimize costs: Private Endpoint & Private Link cost more. So: 1) Service Endpoint, 2) Access Restriction Rules.
upvoted 21 times
basak
1 year, 7 months ago
Service endpoint uses the backbone, while private endpoint brings the resource locally inside the VNet. Private endpoint costs more.
upvoted 6 times
...
...
vxl
Highly Voted 1 year, 10 months ago
1: Service Endpoint 2: Access restriction rules
upvoted 17 times
...
golitech
Most Recent 2 months, 3 weeks ago
1: Service Endpoint
2: Access restriction rules
App1 (Azure Web App): To allow connections only from corporate network NAT addresses, use Access Restrictions for App1. This feature enables you to specify the IP address ranges that can access the web app, allowing only requests from corporate NAT addresses.
Storage1 (Azure Storage Account): To ensure that traffic from VNet1 to Storage1 uses the Microsoft backbone network, use Service Endpoints. This ensures private routing to Azure Storage over the Azure backbone network, avoiding the public internet.
Cost Efficiency: Service Endpoints and Access Restrictions both help minimize costs since they don’t require the use of more complex, higher-cost solutions like Private Endpoints or Private Link.
upvoted 1 times
...
pentium75
8 months, 3 weeks ago
First is Service Endpoint, it meets the requirement and is cheaper than Private Endpoint. But what do they mean by "corporate NAT addresses"? Though you can use NAT with Site-to-Site VPN, it's not the typical scenario. If by "corporate NAT addresses" they mean the public IPs of the on-premises firewalls, "access restriction" would be the ideal solution. It does not say that access must be over VPN.
upvoted 1 times
...
ITFranz
9 months, 3 weeks ago
To support the answer for App1. https://learn.microsoft.com/en-us/azure/app-service/app-service-ip-restrictions?tabs=azurecli By setting up access restrictions, you can define a priority-ordered allow/deny list that controls network access to your app. The list can include IP addresses or Azure Virtual Network subnets. When there are one or more entries, an implicit deny all exists at the end of the list. Answer = 1) Service Endpoint, 2) Access Restriction Rules.
upvoted 1 times
...
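The rule behaviour quoted in the comment above (a priority-ordered allow/deny list with an implicit deny all once any entry exists), modelled as an added example that is not part of the thread and not Microsoft's code. The rule names, priorities and documentation-range addresses are constructed stand-ins for corporate NAT addresses.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int  # lower number is evaluated first
    action: str    # "Allow" or "Deny"
    cidr: str      # address range the rule matches


def evaluate(rules, client_ip):
    """Return (action, rule_name) for the source IP, first match wins."""
    if not rules:
        # An empty list restricts nothing.
        return ("Allow", "no-rules")
    ip = ipaddress.ip_address(client_ip)
    for rule in sorted(rules, key=lambda r: r.priority):
        net = ipaddress.ip_network(rule.cidr, strict=False)
        if ip.version == net.version and ip in net:
            return (rule.action, rule.name)
    # At least one entry exists, so unmatched traffic hits the implicit deny.
    return ("Deny", "implicit-deny-all")


# Constructed sample rules (RFC 5737 documentation ranges, not real addresses).
CORP_RULES = [
    Rule("corp-nat-range", 100, "Allow", "203.0.113.0/24"),
    Rule("corp-nat-backup", 110, "Allow", "198.51.100.10/32"),
    # A narrower Deny with a lower priority number overrides the broad Allow.
    Rule("block-guest-wifi", 50, "Deny", "203.0.113.128/25"),
]


def audit(rules, sample_ips):
    """Map each sample source IP to the action the rule list would apply."""
    return {ip: evaluate(rules, ip)[0] for ip in sample_ips}


if __name__ == "__main__":
    samples = ["203.0.113.10", "203.0.113.200", "198.51.100.10", "192.0.2.7"]
    for ip, action in audit(CORP_RULES, samples).items():
        print(f"{ip:<16} {action}")
```
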
JaridB
11 months, 2 weeks ago
Provided answers are correct: 1. Service Endpoint 2. Access Restriction Rules
upvoted 1 times
...
epomatti
1 year, 3 months ago
"Access Restriction Rules" are for Public IP addresses. There is no integration with network or on-premises. Additionally, in App Services, VNET integration is only for outbound connections. https://learn.microsoft.com/en-us/azure/app-service/app-service-ip-restrictions?tabs=azurecli
upvoted 1 times
...
wardy1983
1 year, 5 months ago
storage1: Private endpoint App1: Private link https://learn.microsoft.com/en-us/azure/storage/common/storage-private-endpoints
upvoted 2 times
...
_punky_
1 year, 6 months ago
To sum those answers up: A private endpoint needs to be created to be able to communicate with the service, where you pay by inbound and outbound data. Also, this service needs to have an IP in the subnet. Not every service can be accessed by private link. Access to only a single resource (only the created endpoint to a single service). Service endpoint has no costs and all services can be accessed via service endpoint - also to office services. Leveraging private IP to access AZ services by using public IP through AZ backbone. Access to all resources. 1: Service endpoint 2: Access restriction rules App1: Access Restriction Rules - Nowhere does it state that you are required to connect via MS backbone, and you also need to only restrict on-prem NAT addresses. Using the Access Restriction Rules on the Webapp achieves exactly that for free, which also minimizes cost. (Copied from previous answer from Shachar_Nativ)
upvoted 5 times
ITFranz
1 year, 4 months ago
Pricing and limits: There's no extra charge for using service endpoints. The current pricing model for Azure services (Azure Storage, Azure SQL Database, etc.) applies as-is today. There's no limit on the total number of service endpoints in a virtual network. Certain Azure services, such as Azure Storage Accounts, may enforce limits on the number of subnets used for securing the resource. https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview#secure-azure-services-to-virtual-networks
upvoted 1 times
...
...
LekkerZomer
1 year, 7 months ago
How is traffic being sent when using Private Link? Traffic is sent privately using Microsoft backbone. So there you have it. Answer is right, vote me up :-) https://learn.microsoft.com/en-us/azure/private-link/private-link-faq
upvoted 1 times
...
Shachar_Nativ
1 year, 7 months ago
Storage1: Private Endpoint - Although Service Endpoint is cheaper, it is required to connect via MS backbone. Private Endpoint achieves that by connecting the VM's Private IP to the Storage's Private IP, while Service Endpoint connects VM's Private IP to the Storage's Public IP in a nutshell. App1: Access Restriction Rules - Nowhere does it state that you are required to connect via MS backbone, and you also need to only restrict on-prem NAT addresses. Using the Access Restriction Rules on the Webapp achieves exactly that for free, which also minimizes cost.
upvoted 1 times
pentium75
8 months, 3 weeks ago
"Service endpoint provides secure and direct connectivity to Azure services over an optimized route over the Azure backbone network." https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview
upvoted 1 times
...
...
c12
1 year, 10 months ago
storage1: Private endpoint App1: Private link https://learn.microsoft.com/en-us/azure/storage/common/storage-private-endpoints
upvoted 7 times
...